Password Managers are the Hot Targets 

LastPass reported a security breach a month ago, its 8th security incident in the last 11 years. This incident was followed by a recent disclosure by a Google researcher: many popular password managers, such as Dashlane, Bitwarden, and Safari, can be phished.

There are many lessons we all need to learn from these recurring incidents. This post covers a few points that, as far as we have seen, have not been discussed by the info-sec community and the industry.

The Catch-22 – Phish or no Phish?

LastPass warned its users of an increased likelihood of Phishing attacks, Credential Stuffing, or other brute force attacks against online accounts associated with their LastPass vault.

Password Managers getting phished is an alarming situation

This statement goes against what all password managers, including LastPass, claim: “use of a password manager protects users from phishing attacks”.

In recent times there have been more incidents where password managers have been proven vulnerable to phishing attacks. You can find more details in this article: Popular password managers auto-filled credentials on untrusted websites.

The Impact

In their blog post, LastPass reported that customers’ personal information such as email, phone number, billing address and IP address has been compromised. That is not all: what LastPass has not talked about is the additional information they collect from their users through their mobile app.

The screenshots below show the permissions that the LastPass app takes on a user’s phone.

Permissions taken by the LastPass app on an Android device

These permissions enable an application provider like LastPass (other password managers take similar permissions on users’ devices) to collect more information about the user than is probably needed.

User information collected by the LastPass app

In case of a breach like the one LastPass suffered, the severity of the incident and its privacy impact will be greater if the additional information collected from users’ phones is also leaked.

The Passwords

Furthermore, LastPass has reported that customers’ vaults, containing clear-text data such as website URLs and encrypted data such as usernames and passwords, were also obtained by the threat actors.

LastPass emphasised the role of the master key, and how a threat actor cannot decrypt the password vault even with the encrypted data in hand, because the master key, which is the master password set by the user, is not stored on the LastPass network.

1Password, a rival of LastPass, claims through its blog that LastPass passwords can be cracked for $100. They also talk about their superior method of using a secret key and Password Authenticated Key Agreement systems, which makes 1Password’s systems next to impossible to crack.

With the device-specific keys mentioned by 1Password, we feel that syncing passwords across multiple devices becomes a risky affair, since the passwords need to be decrypted on the other device, which requires the user-chosen master password as well as the secret key from the first device. This problem cannot be solved without exposing, in transit, either the secret key or the user’s passwords encrypted with just the user-chosen master password.

Conclusion

After a series of events involving password management products, enterprises must seriously think about how safe their users’ data and passwords really are.

Not to forget: a server doesn’t care whether a password is coming from a password vault or from an adversary; it will authenticate as long as the string matches. So no matter how and where you store passwords, as long as there are passwords, enterprises are always at risk.

For better security, enterprises must plan to remove passwords from their applications and servers, and #GoPasswordless.

Resolution 2023 | Making World Password Free

While password management companies are fighting each other, the bottom line of the major incidents of 2022 is this: passwords are the biggest risk, even if you store them with LastPass or any other password manager.

Image Credit – Pramod Gosavi’s LinkedIn post

As the industry adopts Zero Trust Architecture, the time is right to #GoPasswordless. In this first blog of the year, we at PureID present the 3 strongest points for making your organisation password free in the brand new year 2023.

Best Protection from Phishing & Social Engineering

We have seen Uber getting breached through MFA bypass and social engineering attacks. Stored credentials stolen from Okta & Twilio were exploited by the 0ktapus hacking group, triggering serious supply chain attacks with a blast radius extending to 130+ organisations.

In another incident, credentials phished from Dropbox resulted in unauthorised access to 130+ GitHub repositories.

A well-designed passwordless authentication solution is a must if you are looking for an authentication solution resistant to social engineering & phishing attacks.

Zero Trust Access

When you take your next flight, you must appreciate the multiple checks carried out at the airport as part of a Zero Trust security model. Not just the traveller’s identity is verified; each and every piece of luggage you carry is checked for possible risks before it boards the plane.

Image Credit – Boston Globe

When a user authenticates to access an enterprise service or network, traditional solutions stop at verifying the user’s identity. The risk coming from the connecting user’s device is not checked. In another incident involving Okta, a customer support executive of Sykes connected to Okta’s service portals from a compromised device, enabling the Lapsus$ extortion group to access and leak some details from Okta’s apps and systems.

Most MFA and passwordless solutions, including FIDO keys, fail to take the user’s device risk posture into account and hence provide incomplete security. Check how PureAUTH provides Zero Trust Passwordless Authentication.

Convenience meets Security

I couldn’t fix your brake, so I made your horn louder – Steven Wright.

That is exactly how the industry approaches the pain of authentication. Since authentication using passwords + MFA is painful, applications are designed to issue session cookies that are valid for months. In a recent incident at CloudSEK, an employee’s Jira account was accessed with stolen session cookies.

With well-designed passwordless solutions, authentication becomes so convenient and smooth that enterprises can enforce shorter sessions and frequent re-authentication without putting users in any distress. The shorter session span reduces the risk of stolen cookies being abused.

With the above points and a quick recap of last year’s incidents, we wish you all a safe & secure new year. We look forward to being your partner in your #ZeroTrustJourney, for which the first step is #GoPasswordless.

With best wishes from PureID family, Happy New Year 2023…

Dropbox Employees Phished, GitHub Repositories Exposed

Dropbox disclosed a security breach on October 14th 2022 that resulted from phishing emails impersonating a third-party service used by its employees. The attack leaked employee credentials, which gave the threat actors access to their GitHub accounts. The hackers stole the content of 130 repositories, containing information about Dropbox employees, users, and vendors.

Phishing email impersonating CircleCI

The Incident

The phishing campaign initiated by the adversary targeted multiple Dropbox employees. The emails were crafted to mimic communication from CircleCI, a continuous integration and delivery platform. The phishing link redirected users to a landing page where they were asked to enter their GitHub username and password.

CircleCI login options
CircleCI login page

On the fake GitHub page, employees were asked to use their hardware authentication keys to provide a one-time password (OTP) for the second step of authentication. The adversaries used these credentials to access some less secure Dropbox repositories, containing some API keys and customised tools.

CircleCI login page
Github Login Page

The adversaries are not traced yet, as they used VPNs to hide their tracks.

The incident details shared by Dropbox

The Impact

The Dropbox breach is a direct result of phishing that was not contained by the 2FA or MFA solutions the firm normally has in place.

Furthermore, the laws of the United States allow authorities to access user data under the Patriot Act and similar legislation, and hence the firm can also store user information. In the past, there have been multiple instances at Dropbox where user data was compromised. However, in this particular case, the company claims that no core app code was compromised. For more details, visit here.

Previous Incidents

Dropbox is not the sole victim of brand impersonation phishing attacks. Earlier, other organisations such as Sony Pictures, BenefitMall, and JP Morgan Chase fell victim to the same. The US power grid and John Podesta are other highly notable examples of phishing attacks.

IBM’s 2021 Cost of a Data Breach Report found phishing to be the second most expensive attack vector to contend with, costing organisations an average of $4.65 million. Phishing using brand impersonation is becoming quite popular as well: LinkedIn is used for this purpose 52% of the time, while DHL, Google, Microsoft and FedEx also account for a considerable proportion. You can find more about the stats here.

Mitigation

Millions of phishing emails are sent daily. Many slip through spam filters, and when that happens you must be able to rely on your employees to stay vigilant and act responsibly. That is why many companies opt for employee awareness training plans.

But training campaigns cannot keep pace with new trends, and URL-checking anti-phishing measures are proving to be far more intrusive. The best option right now is to switch to password-less systems with zero-knowledge encryption.

With PureAUTH password-less authentication, you can effectively mitigate the risk of having your password compromised by phishing and a number of other methods.

Feel free to explore our further blogs related to Phishing and GitHub. Stay safe. #GoPasswordless

ISO/IEC 27001 Compliance with PureAUTH

PureID’s passwordless authentication platform, PureAUTH, is a cloud-based Single Sign-On (SSO) solution. PureAUTH uses certificates (digital signatures) provisioned by an organisation to uniquely identify its users in a secure way.

PureAUTH can be used as a secure, cryptography- or certificate-based alternative to passwords and Two-Factor (2FA) or Multi-Factor Authentication (MFA) solutions, as prescribed by various standards.

In this article we discuss

How PureAUTH Works

Traditionally, applications authenticate users using passwords. For additional security, 2FA or MFA tokens are sent to the application along with the password, over the same channel. This authentication method has been found vulnerable to phishing and other man-in-the-middle attacks: an adversary can trick users into entering their password and 2FA/MFA token on a phishing page, then use them to impersonate the user and gain unauthorised access to the application.

Traditional systems use same channel for authentication & application access

PureAUTH provides a secure alternative to password- and 2FA/MFA-based authentication. Each of the organisation’s users is provided with the AuthVR5 authenticator app, which holds cryptographic keys, certificates (digital signatures) and seeds (for generating pseudo-random tokens), all unique to that user.

AuthVR5 sends an out-of-channel authentication request directly to the PureAUTH server. The request consists of the user’s certificate and a one-time token bound to the user’s session with the application.

PureAUTH uses out-of-channel authentication with a non-reusable token & certificate

Since the authentication request is sent out of channel, the data in the request cannot be obtained by phishing, nor can it be used for any session other than the one it was generated for.
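As an added illustration (not PureAUTH’s or AuthVR5’s actual code or protocol), the Go sketch below models the property described above: the server binds a fresh one-time token to an application session, the authenticator signs it with a per-user device key (an Ed25519 key pair stands in for the user certificate), and the server rejects a replayed token, a token presented for a different session, and a request not signed by the enrolled key. Names, the message format and the enrolment step are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Distinct rejection reasons, so the verifier (or a log line) says why a request failed.
var (
	ErrUnknownUser   = errors.New("user not enrolled")
	ErrBadSignature  = errors.New("signature does not verify under the enrolled key")
	ErrTokenMismatch = errors.New("token is not the one bound to this session")
	ErrReplay        = errors.New("token already consumed")
)

// Server holds enrolled public keys (standing in for user certificates) and the
// one-time token currently bound to each pending application session.
type Server struct {
	keys     map[string]ed25519.PublicKey
	sessions map[string]string // session id -> token issued for it
	used     map[string]bool   // tokens already consumed
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, sessions: map[string]string{}, used: map[string]bool{}}
}

// Enroll registers the public half of a user's device key (illustrative enrolment, assumed).
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// StartSession runs when the application shows its login prompt: a fresh random
// token is issued and bound to that application session only.
func (s *Server) StartSession(sessionID string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := hex.EncodeToString(buf)
	s.sessions[sessionID] = token
	return token, nil
}

// AuthRequest is what the authenticator app sends straight to the server, over a
// channel separate from the browser-to-application connection.
type AuthRequest struct {
	User, SessionID, Token string
	Signature              []byte
}

// payload is the exact byte string the device signs; it ties user, session and token together.
func payload(user, sessionID, token string) []byte {
	return []byte(user + "\x00" + sessionID + "\x00" + token)
}

// BuildAuthRequest is the authenticator side: sign the session-bound token with the device key.
func BuildAuthRequest(priv ed25519.PrivateKey, user, sessionID, token string) AuthRequest {
	return AuthRequest{User: user, SessionID: sessionID, Token: token,
		Signature: ed25519.Sign(priv, payload(user, sessionID, token))}
}

// Verify accepts a request only if it is signed by the enrolled key, carries the
// token bound to the named session, and that token has not been used before.
func (s *Server) Verify(req AuthRequest) error {
	pub, ok := s.keys[req.User]
	if !ok {
		return ErrUnknownUser
	}
	if !ed25519.Verify(pub, payload(req.User, req.SessionID, req.Token), req.Signature) {
		return ErrBadSignature
	}
	if expected, ok := s.sessions[req.SessionID]; !ok || expected != req.Token {
		return ErrTokenMismatch
	}
	if s.used[req.Token] {
		return ErrReplay
	}
	s.used[req.Token] = true
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", pub)

	tok1, _ := srv.StartSession("app-session-1")
	genuine := BuildAuthRequest(priv, "alice", "app-session-1", tok1)
	fmt.Println("genuine login:", srv.Verify(genuine))         // <nil>
	fmt.Println("same request replayed:", srv.Verify(genuine)) // token already consumed

	// A token observed in session 1 does not authenticate any other session.
	tok2, _ := srv.StartSession("app-session-2")
	fmt.Println("token reused on another session:", srv.Verify(BuildAuthRequest(priv, "alice", "app-session-2", tok1)))

	// Without the device key, even the right session-bound token is rejected.
	forged := BuildAuthRequest(priv, "alice", "app-session-2", tok2)
	forged.Signature = make([]byte, ed25519.SignatureSize)
	fmt.Println("request without a valid signature:", srv.Verify(forged))
}
```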

NOTE:

Authorisation & session management remain unaffected by the introduction of PureAUTH. User authentication security is enhanced by PureAUTH through the use of certificates (digital signatures), extensive logging, and risk assessment of the user’s device from which the application is being accessed.

Standards around User Authentication & Access Control

PureAUTH provides the required controls and complies with the recommendations of various industry and regulatory standards for user authentication and access control. A few widely used standards that PureAUTH complies with are as follows –

  1. ISO/IEC 27001/2
  2. SOC2 Standards
  3. PCI DSS
  4. HIPAA

ISO/IEC 27001 compliance with PureAUTH

ISO/IEC 27001 is the world’s best-known and most widely practised standard for Information Security Management Systems (ISMS). Annexure A, section 9 of ISO/IEC 27001 is all about access control procedures. The aim of Annex A.9 is to safeguard access to information and ensure that employees can only view information that is relevant to their work.

Annexure A 9.4.2 Secure log-on Procedures

From Annexure A.9, we focus on section A 9.4.2, according to which:

Access to systems and applications must be controlled by a secure log-on procedure to prove the identity of the user. This can go beyond the typical password approach into multi-factor authentication, biometrics, smart cards, and other means of encryption based on the risk being considered.

Secure log on should be designed so it cannot be easily circumvented and that any authentication information is transmitted and stored encrypted to prevent interception and misuse.

How PureAUTH helps with Annexure A 9.4.2 

In this section we answer a few relevant questions from the ISO 27001 standard’s questionnaire form, which can help our customers applying for similar standards.

ISO 27001/2 standards questionnaire – why it is needed – how PureAUTH helps

Question – Do you adopt multi factor authentication (MFA) for secure user access?
Why it is needed – Makes access controls more robust and enhances their effectiveness in verifying a user’s identity.
How PureAUTH helps – Yes, PureAUTH is an authentication solution that uses multiple factors like cryptographic signatures & device fingerprints to securely identify the user.

Question – Do you give all users unique login credentials?
Why it is needed – Ensures that nobody can log on to the system without uniquely identifiable credentials.
How PureAUTH helps – Yes, the certificate or digital signature is unique for every user, and the device fingerprint is unique for every device.

Question – Do you enforce the secure use of passwords and verify a person is the one claimed?
Why it is needed – Strengthens unique network login credentials with context-aware access restrictions and user reminders, which help verify that a person seeking access to the network and the information within is genuinely who they say they are.
How PureAUTH helps – Not applicable for PureAUTH, as it is a passwordless authentication solution that uses cryptographic keys and certificates (digital signatures) to identify the user.

Question – Do you restrict users from sharing logins?
Why it is needed – Prevents concurrent logins with the same set of user credentials, helping to eradicate dangerous password sharing practices.
How PureAUTH helps – Yes, PureAUTH uses digital signatures embedded in & paired to the user’s personal device, secured by a further layer of device-based authentication. This makes sharing signatures with another user, or using them from another device, impossible.

Question – Do you restrict network access on a job-role basis?
Why it is needed – Enables the administrator to set granular access rights for different types of employees to ensure that they can only access the information they need to do their job.
How PureAUTH helps – Yes, PureAUTH supports policy-based regulation of user access that considers the user’s role, device risk and the sensitivity of the application being accessed.

Question – Do you review network access for employees who change roles in the organisation?
Why it is needed – Enables administrators to easily change access rights (permanently or temporarily) for individual users, groups of users or organisational units.
How PureAUTH helps – Not applicable; authorisation is managed outside the scope of PureAUTH.

Question – Do workstations automatically log users off the network following a period of inactivity?
Why it is needed – Automatically logs off a session after a specific length of idle time to prevent unauthorised users accessing information from unattended workstations. What’s more, UserLock can set authorised time frames for certain users’ access and force workstations to log off outside these hours.
How PureAUTH helps – Yes, PureAUTH supports Single Log Out (SLO) and respects the session timeouts enforced by the respective applications.

Why Choose PureAUTH

The PureAUTH passwordless authentication solution is not only compliant with all leading (and upcoming) industry and regulatory standards, but is also the most secure authentication and access management platform. Some of its advantages over traditional passwords & multi-factor authentication solutions are as follows:

Risk – PureAUTH – Passwords + MFA

Phishing
PureAUTH – Unaffected by phishing
Passwords + MFA – Vulnerable to phishing attacks

Social Engineering
PureAUTH – Unaffected by social engineering or insider attacks
Passwords + MFA – Vulnerable to social engineering

Account Sharing
PureAUTH – Not possible, compliant
Passwords + MFA – Account sharing is possible

Admin/Tech Support
PureAUTH – Completely self-serviceable; no admin assistance or tech support needed
Passwords + MFA – Dependency on admin / tech support for resetting passwords and MFA devices

Conclusion & further support

Just like passwords and two-factor or multi-factor authentication systems, the PureAUTH passwordless authentication solution can be used to ensure secure access to the most sensitive information systems, applications and programs, such as engineering & DevOps resources, security systems, VPNs, PAM solutions, SaaS services, cloud consoles, communication suites, CRM solutions, etc.

For further information on compliance & certification, you can visit https://trust.pureid.io

Jenkins 0 days & Your Supply Chain Security

The Jenkins security team announced 34 zero-day vulnerabilities in 24 of its plugins, which has rocked the world. The vulnerabilities range from XSS and stored XSS to password and token disclosures. The list of vulnerable plugins and an overview of their impact can be found in this Bleeping Security article.

Jenkins 0 Days and its Impact

The various Jenkins plugins have varying impacts. Depending on which plugins your organisation uses, it may face varying degrees of risk to its Jenkins setup, which can result in the compromise of its supply chain.

Here we list a few common vulnerabilities and their impacts:

Vulnerability – Maximum impact – Affected plugins

Stored XSS
Maximum impact – Credential theft, account takeover
Affected plugins – Plot Plugin, build-metrics Plugin, Rich Text Publisher Plugin, Matrix Reloaded Plugin, eXtreme Feedback Panel Plugin, Validating Email Parameter Plugin, Deployment Dashboard Plugin

XSS (Cross Site Scripting)
Maximum impact – Credential theft, account takeover
Affected plugins – GitLab Plugin, TestNG Results Plugin, Project Inheritance Plugin, Recipe Plugin

CSRF (Cross Site Request Forgery)
Maximum impact – Credential reset, token theft, account takeover
Affected plugins – XebiaLabs XL Release Plugin, Matrix Reloaded Plugin, Recipe Plugin, XPath Configuration Viewer Plugin, Rename Or Delete Plugin, Failed Job Deactivator Plugin

Missing Permission Checks
Maximum impact – Credential theft, unauthorised actions
Affected plugins – XebiaLabs XL Release Plugin, requests-plugin, build-metrics Plugin, Recipe Plugin, Deployment Dashboard Plugin, RQM Plugin, Rename Or Delete Plugin, Failed Job Deactivator Plugin

Passwords stored in plain text
Maximum impact – Mass credential theft
Affected plugins – Deployment Dashboard Plugin, Skype notifier Plugin, Jigomerge Plugin, Elasticsearch Query Plugin, Cisco Spark Plugin, RQM Plugin, hpe-network-virtualization Plugin

Tokens, API keys or secrets stored in plain text
Maximum impact – Session takeover / account takeover
Affected plugins – Build Notifications Plugin, RocketChat Notifier Plugin, OpsGenie Plugin

Remediation

Applying patches is the best and recommended way to fix vulnerabilities. In this incident, Jenkins is yet to provide fixes for many of the vulnerabilities, so it remains a potentially risky zero-day candidate.

The Shodan project lists more than 150,000 sites running vulnerable Jenkins.

In the absence of patches, disabling the vulnerable plugins is the best option from the security side, but disastrous if it affects the organisation’s engineering processes.

In such cases we always recommend strong passwordless authentication. The absence of credentials makes most of the attacks irrelevant even in the presence of vulnerable plugins.

Better prepare for 0 Day attacks

You cannot stop 0-day attacks and cannot predict them. What helps is sticking to security basics and best practices. Another proactive thing an organisation can do is adopt passwordless authentication for its entire software engineering infrastructure.

Passwordless solutions like PureAUTH also contain the impact of session takeovers arising from token theft via XSS, by enforcing convenient but regular logins.

Making your software engineering infrastructure passwordless can contain the impact of 95% of such 0-day vulnerabilities without any security configuration change.

Citrix ADM Incident; 3 Lessons Industry can Learn

A critical vulnerability in Citrix’s Application Delivery Management (ADM) technology was reported & patched this week.

Tracked as CVE-2022-27511, Citrix reported that, if left unattended, exploitation of the vulnerability could enable remote attackers to reset admin passwords. (Reference: Citrix ADM vulnerability)

Overview

Citrix ADM is a virtual appliance that provides a centralised management solution. It simplifies operations by giving administrators enterprise-wide visibility and automating management jobs that run across multiple instances.

Citrix ADM is known to ship with a built-in admin account, nsroot, with the default credential nsroot (reflecting its NetScaler legacy).

As a best practice, admins change the default passwords to restrict unauthorised access.

Image Source – Citrix Documents

Citrix has documented various means to restore the default admin password by resetting the ADM node.

By exploiting CVE-2022-27511, an adversary can force Citrix ADM to restore the nsroot account’s default credentials on the very next reboot, as a recovery measure from a system corruption.

The Problem

From network gear to management consoles and virtual appliances, we have seen all kinds of systems shipped with a root account with default credentials.

We have also witnessed that the system restore option restores the default credentials even if admins have changed them for security reasons.

This has been standard industry practice for ages. With more options for authentication and an evolving threat landscape, it is time the industry also evolved and changed the way factory-default restores work, so that they support more secure (or harder to exploit) options.

Here are a few learnings from such incidents that we can draw on and work towards for better securing our systems.

Lesson 1 : Restrict Remote Access by Default

By default, remote access to the admin accounts of devices/appliances should be restricted, since restoration of default credentials at any time will make the system vulnerable to unauthorised access.

Disabling remote access as part of the default settings triggered with the restoration of default passwords can, to a great extent, restrict the possibility of exploitation by a remote / external threat actor.

We can see this very commonly in Ubuntu, a Debian-based system.

Extract from the /etc/ssh/sshd_config file of Ubuntu 22.4
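The extract referred to above is an image in the original post. As an added example (not from the post), the Go program below reads the relevant part of an sshd_config the way sshd itself does: keywords are case-insensitive, a commented-out keyword leaves the compiled-in default in force (for PermitRootLogin that default is prohibit-password, which is why a stock Ubuntu install does not accept a root password over SSH), the first occurrence of a keyword wins over later duplicates, and settings inside a Match block are conditional. The sample configurations are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// OpenSSH's compiled-in defaults, which apply when a keyword is absent or commented out.
const (
	DefaultPermitRootLogin        = "prohibit-password"
	DefaultPasswordAuthentication = "yes"
)

// LoginPolicy is the effective global remote-login posture read from an sshd_config.
type LoginPolicy struct {
	PermitRootLogin        string
	PasswordAuthentication string
}

// ParseSSHDConfig follows sshd's own rules: keywords are case-insensitive, '#'
// lines and blanks are ignored, the FIRST occurrence of a keyword wins, and
// everything after the first Match block is conditional, so it is not global policy.
// Files pulled in by Include are not followed here.
func ParseSSHDConfig(text string) LoginPolicy {
	p := LoginPolicy{PermitRootLogin: DefaultPermitRootLogin, PasswordAuthentication: DefaultPasswordAuthentication}
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		key := strings.ToLower(fields[0])
		if key == "match" {
			break // conditional section: the global audit stops here
		}
		if seen[key] {
			continue // sshd keeps the first value and ignores later duplicates
		}
		seen[key] = true
		switch key {
		case "permitrootlogin":
			v := fields[1]
			if v == "without-password" { // deprecated spelling of the same setting
				v = "prohibit-password"
			}
			p.PermitRootLogin = v
		case "passwordauthentication":
			p.PasswordAuthentication = fields[1]
		}
	}
	return p
}

// RemoteRootPasswordLoginPossible answers the question this lesson asks: could a
// restored default root password be used over SSH? Only if root login is fully
// permitted AND password authentication is still enabled.
func RemoteRootPasswordLoginPossible(p LoginPolicy) bool {
	return p.PermitRootLogin == "yes" && p.PasswordAuthentication != "no"
}

// Constructed sample configurations (not copied from any real system).
const (
	UbuntuLike    = "Include /etc/ssh/sshd_config.d/*.conf\n#PermitRootLogin prohibit-password\n#PasswordAuthentication yes\n"
	ApplianceLike = "PermitRootLogin yes\nPasswordAuthentication yes\n"
	FirstWins     = "PermitRootLogin no\nPermitRootLogin yes\n"
	MatchOnly     = "Match User deploy\n    PermitRootLogin yes\n"
)

func main() {
	samples := map[string]string{"ubuntu-like": UbuntuLike, "appliance-like": ApplianceLike, "first-wins": FirstWins, "match-only": MatchOnly}
	for name, cfg := range samples {
		p := ParseSSHDConfig(cfg)
		fmt.Printf("%-15s PermitRootLogin=%-18s PasswordAuthentication=%-4s remote root password login possible: %v\n",
			name, p.PermitRootLogin, p.PasswordAuthentication, RemoteRootPasswordLoginPossible(p))
	}
}
```

On a live host, `sshd -T` prints the fully resolved effective configuration, including anything pulled in through Include, and is the authoritative check.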

Lesson 2 : Federate Authentication

It’s always better to maintain credentials in a centralised location. This consolidates and optimises the effort to securely manage and protect them. It also reduces or eliminates the need for restoring the default credentials of devices.

The downside is that the centralised credential store becomes a single point of failure for all the systems and appliances in your network. This leads to our third and final learning.

Lesson 3 : Eliminate Passwords

Moving away from password-based authentication drastically reduces the attack surface of any enterprise. You can choose PKI / certificate-based authentication for better security.

Adopting passwordless authentication goes a long way in protecting your systems from unseen future vulnerabilities that might be triggered by the use of passwords or default credentials.

PureAUTH Identity and Trust Platform

The Citrix ADM incident, CVE-2022-27511, is another example of the risks associated with passwords. Eliminating passwords using a true passwordless solution like PureAUTH protects organisations from future, unforeseen vulnerabilities.

To learn more about how PureAUTH is used by various organisations to secure access to their assets and build trust in all relevant user actions, schedule a demo with us.

Know Your Code Infrastructure (CIx)

You must be familiar with IaC (Infrastructure as Code). If not, Stackify has a very good primer on the topic. Code Infrastructure (CIx) simply covers all the tools and systems involved in the Software Development Life Cycle (SDLC process) of an organisation.

Recent supply chain attacks make it evident that adversaries the world over are targeting the CIx (in other words, the SDLC tools) of global software manufacturers. This write-up briefly explains various attacks on Code Infrastructure (CIx) components with reference to some recent supply-chain incidents.

What Is Code Infrastructure (CIx)? 

Code Infrastructure (CIx) comprises all the distributed applications / systems & artefacts that are involved in, or result from, each and every step of the Software Development Life Cycle (SDLC process). Here is how the Code Infrastructure of a typical software engineering organisation looks –

Components of Code Infrastructure (CIX)

  • Engineering Environment (developer machines and local repositories)
  • Code Management tools (version control systems, git* or Bitbucket)
  • Code Auditing tools (code scanners etc.)
  • Build Systems (build platforms like Jenkins, CI/CD pipelines)
  • Code Attestation (key vaults used for code signing)
  • Package Distribution Systems (popular tools like JFrog)
  • Deployment Platforms (cloud services, PaaS/SaaS)


Threats to your Code Infrastructure

CIx presents a vast attack surface which is often not properly secured. This is evident in all the recent supply chain attacks we have witnessed: every one of them targeted one or more CIx components.

Quick overview of recent supply-chain attacks (incident, target & method):

Solarwinds – SunBurst
Target – Build Systems
Method – Insertion of untrusted code

NVIDIA – Stolen Signing Keys
Target – Code Attestation System
Method – Stolen Credentials

Kaseya CVE-2021-30116
Target – Deployed Vulnerable Code
Method – Stolen Credential

NPM Supply-Chain Attack
Target – Code Management System
Method – Stolen Credentials

Mime Cast – Attacks in Cloud
Target – Deployment Platforms
Method – Stolen Credentials

It is therefore crucial for enterprises to pay attention to their CIx and secure the attack vectors applicable to each of these components.

Attacks on Code Infrastructure, SDLC Tools

How to secure CIx?

The majority of attacks we have seen are due to exploitation of the Identity & Trust framework. In all the cases, identity was managed by conventional passwords and MFA/2FA. The breach of trust happened due to leaked signing keys (private keys), access to which was not properly secured.

In the case of Solarwinds we can also see that the build systems built and distributed untrusted code. This happened due to the absence of a trust framework that can automatically verify that the code being built is the work of a verified/trusted engineer and not of a malicious actor.

A careful study of all the supply chain attacks of recent times clearly shows that the industry needs to move to a better Identity & Trust framework. We need better identity management to control access to our CIx resources, and a robust trust framework to verify the sanctity of the deliverables at each and every level of software engineering, both pre- and post-build.

PureAUTH Identity & Trust Platform

PureAUTH provides a breach resilient Identity & Trust Platform using its innovative Zero User Data Initiative (0UDI).

To learn more about how PureAUTH is used by various organisations to secure access to their CIx resources and build trust in all relevant user actions, schedule a demo with us.

Public Cloud Outages; A New Normal

The Incident

Many Avengers fans would have felt frustrated when they were not able to view the 4th episode of the latest Hawkeye series because Disney+ was down due to an AWS outage.

Hawkeye disrupted due to the Disney+ outage caused by AWS

The outage also affected Disney+’s competitor Netflix. Condesk, Tinder, Roku and many other services that depend on the AWS backbone were out last Tuesday in the “US-EAST-1 region”, as mentioned by Amazon.

Not just the entertainment providers: Google, Venmo, DoorDash, Spotify, multiple banks and airlines were also affected. The list goes on and shows how bad such outages can be.

25 Nov 2020 & 8th Dec 2021

A similar outage was seen last year, on the 25th of November, when 24 different AWS regions were down, affecting many web services such as Roku, Adobe and Shopt, a delivery company backed by Target.

Incident graph for AWS outage on 7th Dec 2021 source – DownDetector 

Outages in the past

Outages of public cloud service providers are not just an Amazon thing. We saw Fastly, one of the biggest CDNs (content distribution networks), going down for hours in June 2021.

Though for a shorter span, Akamai also faced a disruption in July 2021 on its Edge DNS service, and it took down platforms such as Zomato, Paytm, parts of Amazon, Airbnb, PlayStation Network, Steam and Disney+ Hotstar.

Source https://build5nines.com/

In a more disruptive event, Microsoft Azure AD was down for 14 hours in March this year. This came 6 months after Azure AD went down, blocking access to Azure, Teams and more over September 28 & 29, 2020.

Conclusion

The industry adopted cloud for better availability and redundancy. CDN companies became the backbone of the internet worldwide, assuring instant delivery of content and services. As we see repeated instances of cloud giants going down, this seems to be becoming a new normal.

At PureID what we have learnt is that high availability of a service through a single cloud solution provider is not enough; we must provide redundant high-availability clusters across more than one cloud service provider. This may not be a feasible option for many enterprises, as spreading data across multiple providers may have its own compliance and governance implications, apart from the increase in cost and management overheads.

This is exactly where PureID emerges as a visionary and a leader, as it can deliver its authentication services hosted across multiple public cloud vendors without any compliance or governance worry.

No data, no theft & no PII, so no worries: #GoPasswordless with PureAUTH.

Securing Atlassian & Jenkins Deployment

Atlassian & Jenkins

Atlassian is a globally popular provider of software development and collaboration tools. Jenkins, an open source automation server, has more than 200,000 deployments. Both are being actively attacked due to the recently disclosed vulnerabilities CVE-2021-26084 and CVE-2021-39124 in Atlassian products, as the two are used in conjunction at many organisations. These security issues pose a serious threat of snowballing into another supply chain attack in 2021 (2022?).

Attacks on Atlassian

Check Point Research (CPR) discovered many flaws in Atlassian’s Jira that would allow an attacker to take over a user’s account with a single click. These flaws would allow an attacker to perform cross-site scripting, CSRF or session fixation attacks, gain access to user accounts and acquire confidential information. CPR also found that once a Jira account was taken over, it was possible to take over the Bitbucket account as well. Atlassian’s Bitbucket, which is used by millions, was thus also under threat: an attacker could have had access to an organisation’s Bitbucket repositories, which would prove detrimental.

Attacks on Jenkins

The Jenkins project recently discovered a successful attack against its own Atlassian Confluence server using CVE-2021-26084. That Confluence server integrated with Jenkins’ integrated identity system, which also powers its Jira, Artifactory and numerous other services, so the project had to take the affected server offline and reset all passwords.

Passwords at risk are a risk for businesses

Patching CVE-2021-26084 and CVE-2021-39124 should fix the vulnerabilities themselves, but given the mass exploitation it must be assumed that many organisations’ passwords have already been compromised. Patching the servers therefore solves only half of the problem. The other half, with a far larger impact on users, is resetting every credential that may have been exposed.
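The first half of that work is knowing which Confluence instances still run a vulnerable build. The script below is an added example written for this post (it is not Atlassian's or PureID's code): it triages an inventory of Confluence Server/Data Center version strings against the releases that carry the CVE-2021-26084 fix. The fixed-version list (6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0) is taken from Atlassian's advisory and should be re-checked against the current advisory before an audit relies on it; the inventory of versions is constructed.

```python
"""Triage Confluence version strings against the CVE-2021-26084 fix lines.

Added example for this post, not Atlassian's tooling. FIXED is assumed from
Atlassian's advisory for CVE-2021-26084; verify it before relying on it.
"""
import re

# (branch, first fixed release on that branch). Branches that never received a
# backport (for example 7.5.x to 7.10.x) are absent, so they count as vulnerable.
FIXED = [
    ((6, 13), (6, 13, 23)),
    ((7, 4), (7, 4, 11)),
    ((7, 11), (7, 11, 6)),
    ((7, 12), (7, 12, 5)),
]
FIRST_FIXED_LINE = (7, 13, 0)  # every release from 7.13.0 onwards contains the fix


def parse_version(s):
    """'7.12.4' -> (7, 12, 4); a trailing suffix such as '7.13.0-m1' is ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError("not a Confluence version: %r" % s)
    return (int(m[1]), int(m[2]), int(m[3] or 0))


def is_patched(version):
    """True if the version is on or above a fixed release for its branch."""
    v = parse_version(version)
    if v >= FIRST_FIXED_LINE:
        return True
    for branch, fixed in FIXED:
        if v[:2] == branch:
            return v >= fixed
    return False  # older branch with no backport: upgrade required


def triage(versions):
    """Map each inventoried version string to 'patched' or 'VULNERABLE'."""
    return {v: ("patched" if is_patched(v) else "VULNERABLE") for v in versions}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = ["7.12.4", "7.12.5", "6.13.22", "7.4.11", "7.9.0", "7.14.0"]
    for ver, state in triage(inventory).items():
        print(ver, state)
```

Feed it the version strings collected from each instance (the Confluence admin console or the `X-Confluence-Version` information your inventory already records); anything reported VULNERABLE needs both the upgrade and the credential reset described above.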

The post-incident panic, downtime, cost and support needed to reset passwords can be avoided by going passwordless. This also goes a long way toward stopping such vulnerabilities from triggering supply chain attacks.

Making Atlassian & Jenkins Passwordless

PureAuth provides a passwordless way to authenticate, which eliminates the password-based attacks that any authentication method built on passwords is exposed to. The video below demonstrates passwordless authentication to Atlassian using PureAuth.

Passwords & MFA Melting VPNs

The VPN Meltdown

Throughout March and April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) reported numerous incidents in which old vulnerabilities in popular VPNs were exploited by organised (or state-sponsored) attackers around the world.

A large number of malware families and malicious actors across the globe are on a spree of exploiting old, unpatched vulnerabilities in Fortinet devices as well as a zero-day in Pulse Secure VPN.

The victims include sensitive segments such as government agencies, defence contractors and financial institutions, amongst many others.

The Impact

Digital Journal quoted Vinay Sridhara, CTO of Balbix Inc.: “About 50,000 records belonging to banks, telecoms and government organizations were exposed by this data leak, including session-related information and plain-text usernames and passwords of Fortinet VPN users.”

“What’s most concerning is that even if the vulnerability is patched, the credentials are still at risk for credential stuffing attacks,” he added.

The shift to remote working has increased the demand for SSL VPNs, and with it the attack surface and the number of available targets for APT groups and cybercriminals.
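The credential stuffing risk in the quote above is detectable in the VPN's own authentication logs: a leaked user:password list replayed against the portal shows up as one source address failing against many distinct accounts in a short window, which is unlike a legitimate user retrying their own password. The detector below is an added example written for this post (not code from Fortinet, Pulse Secure or PureID). Its log lines are constructed in a simplified key=value format; the regex must be adapted to the real FortiGate or Pulse Secure syslog layout before use.

```python
"""Flag credential-stuffing patterns in VPN authentication logs.

Added example for this post. SAMPLE_LOG and LINE_RE use a constructed,
simplified format, not a real vendor syslog layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). One source cycles through many
# usernames; a second source is a single user retrying their own password.
SAMPLE_LOG = """\
2021-04-12T08:00:01Z vpn auth result=fail user=alice src=198.51.100.7
2021-04-12T08:00:02Z vpn auth result=fail user=bob src=198.51.100.7
2021-04-12T08:00:03Z vpn auth result=fail user=carol src=198.51.100.7
2021-04-12T08:00:04Z vpn auth result=fail user=dave src=198.51.100.7
2021-04-12T08:00:05Z vpn auth result=fail user=erin src=198.51.100.7
2021-04-12T08:00:06Z vpn auth result=success user=frank src=198.51.100.7
2021-04-12T08:01:00Z vpn auth result=fail user=alice src=203.0.113.9
2021-04-12T08:01:30Z vpn auth result=fail user=alice src=203.0.113.9
2021-04-12T08:02:00Z vpn auth result=success user=alice src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn matching log lines into event dicts; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {src: sorted usernames} for sources that failed against at
    least `min_users` distinct accounts within any `window`-long span."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e)
    hits = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Sliding window: drop failures older than `window` from the front.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def successes_after_stuffing(events, hits):
    """Accounts a flagged source then logged into successfully: these are the
    credentials the dump already contained and that must be reset first."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["src"] in hits})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    flagged = detect_stuffing(evs)
    print("stuffing sources:", flagged)
    print("accounts to reset:", successes_after_stuffing(evs, flagged))
```

Thresholds are deliberately low for the sample; on a real portal tune `min_users` and `window` to the normal failure rate, and treat a success from a flagged source as a confirmed compromise rather than a false positive.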

Credential Compromise

Passwords from both VPNs, FortiGate and Pulse Secure, are being compromised using different CVEs.

Several unpatched vulnerabilities from the recent past have allowed unauthenticated attackers to compromise a vulnerable VPN server and gain access to all active users and their plain-text credentials.

Attackers could also execute arbitrary commands on each VPN client as it successfully connects to the compromised VPN server.

Vulnerabilities giving access to VPN credentials:

Affected VPN: Fortinet FortiOS
CVE ID: CVE-2019-5591
Description: A configuration vulnerability may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server, because the default configuration does not verify the LDAP server’s identity.
Impact: Information disclosure (password files and private keys)

Affected VPN: Pulse Secure
CVE ID: CVE-2019-11510
Description: An arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable Pulse Secure VPN servers, gain access to all active users and their plain-text credentials, and execute arbitrary commands.
Impact: Access to passwords
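The FortiOS entry above is a misconfiguration as much as a bug: an LDAP server profile that uses plain LDAP and never checks the server's identity will hand its bind credentials, and every user's password, to whoever answers on that subnet. The script below is an added example for this post (not Fortinet's or PureID's code) that audits the `config user ldap` section of a FortiGate configuration backup for exactly that weak state. The configuration fragment is constructed, and the option names it looks for (`set secure ldaps`, `set ca-cert`, `set server-identity-check enable`) are assumed to be the FortiOS 6.x CLI names; confirm them against the CLI reference for the firmware in use.

```python
"""Audit FortiOS 'config user ldap' entries for the CVE-2019-5591 default.

Added example for this post. Parses the text form of a FortiGate config
backup; option names are assumed from the FortiOS 6.x CLI.
"""
import re

# Constructed configuration fragment, not a real device backup.
SAMPLE_CONFIG = """\
config user ldap
    edit "corp-ldap-weak"
        set server "10.0.0.5"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=local"
        set type regular
        set username "cn=svc-ldap,dc=corp,dc=local"
    next
    edit "corp-ldap-starttls"
        set server "10.0.0.5"
        set secure starttls
        set ca-cert "CA_Cert_1"
    next
    edit "corp-ldaps-ok"
        set server "10.0.0.5"
        set port 636
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set server-identity-check enable
    next
end
"""


def parse_ldap_servers(config_text):
    """Return {profile name: {option: value}} for every 'config user ldap' entry."""
    servers, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user ldap":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block:
            m = re.match(r'^edit "([^"]+)"$', line)
            if m:
                current = servers.setdefault(m[1], {})
            elif line == "next":
                current = None
            elif current is not None and line.startswith("set "):
                parts = line.split(None, 2)          # 'set', key, rest-of-line
                value = parts[2].strip('"') if len(parts) > 2 else ""
                current[parts[1]] = value
    return servers


def audit(servers):
    """Return {profile name: [findings]} for profiles an impersonated LDAP
    server could exploit. An option missing from the backup is treated as the
    firmware default, which on the affected releases is 'disable' for both
    'secure' and 'server-identity-check' (the CVE-2019-5591 default)."""
    report = {}
    for name, opts in servers.items():
        findings = []
        secure = opts.get("secure", "disable")
        if secure == "disable":
            findings.append("plaintext LDAP: bind credentials and user passwords sent in clear")
        if opts.get("server-identity-check", "disable") != "enable":
            findings.append("server identity not verified: LDAP server can be impersonated")
        if secure != "disable" and "ca-cert" not in opts:
            findings.append("TLS enabled but no CA certificate configured for validation")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(parse_ldap_servers(SAMPLE_CONFIG)).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it against a fresh `show full-configuration` export rather than a hand-edited file, so that options left at their defaults are visible as absent and get reported.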

2FA/MFA Bypass

It is a common recommendation and best practice to have 2FA or MFA along with passwords for VPN access. It is generally believed that if passwords are compromised for some reason, the VPN is still safe thanks to the additional factor.

But during these attacks we have seen that both VPNs also suffer from 2FA/MFA bypass vulnerabilities, which makes the commonly followed recommendation of adding 2FA/MFA pointless in these cases.

Vulnerabilities allowing 2FA/MFA to be bypassed:

Affected VPN: Fortinet FortiOS
CVE ID: CVE-2020-12812
Description: An improper authentication vulnerability in SSL VPN 2FA in FortiOS lets a user log in successfully without being prompted for the second factor (FortiToken) if they change the case of their username.
Impact: Improper authentication, 2FA/MFA bypass (operational risk)

Affected VPN: Pulse Secure
CVE ID: none (SlowPulse malware family)
Description: A secret backdoor that allows attackers to disable or bypass 2FA/MFA verification.
Impact: Bypass of single- and multi-factor authentication on Pulse Secure VPN devices, persistence across upgrades, and continued access through webshells
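The FortiOS bypass above belongs to a general class: the password check matches the user case-insensitively (as an LDAP or Active Directory lookup normally does) while the second-factor requirement is looked up by the raw string the user typed, so "Alice" clears the password check and never meets the token prompt that "alice" would. The model below is an added illustration written for this post; it is not FortiOS code, the user records are constructed, and the point it makes is the general one: canonicalise the identifier once and use that one key for every authorisation decision.

```python
"""Model of a 2FA bypass caused by inconsistent username normalisation.

Added illustration for this post, not vendor code. USERS and TWO_FACTOR are
constructed records.
"""
import hashlib
import hmac


def _hash(password, salt=b"demo-salt"):
    # Demo only: a real system uses a slow KDF (argon2/bcrypt), not one SHA-256.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user store keyed by canonical (lower-case) username.
USERS = {"alice": _hash("correct horse"), "bob": _hash("hunter2")}
# Second factor assignments, keyed exactly as the administrator typed them.
TWO_FACTOR = {"alice": "fortitoken-0001"}  # bob has no token assigned


def password_ok(username, password):
    """Backend lookup folds case, as an LDAP/AD or local-user match usually does."""
    stored = USERS.get(username.lower())
    return stored is not None and hmac.compare_digest(stored, _hash(password))


def login_vulnerable(username, password, token=None):
    """The bug: the 2FA lookup uses the raw username, so a different case
    makes a token-protected account look like one with no token at all."""
    if not password_ok(username, password):
        return "denied"
    if username in TWO_FACTOR:  # case-sensitive lookup
        return "ok" if hmac.compare_digest(token or "", TWO_FACTOR[username]) else "token required"
    return "ok"  # treated as an account without 2FA


def login_fixed(username, password, token=None, require_2fa_for_all=True):
    """Canonicalise once and use the same key for every decision; by default
    also fail closed for accounts that have no second factor enrolled."""
    canonical = username.lower()
    if not password_ok(canonical, password):
        return "denied"
    expected = TWO_FACTOR.get(canonical)
    if expected is None:
        return "denied" if require_2fa_for_all else "ok"
    return "ok" if hmac.compare_digest(token or "", expected) else "token required"


if __name__ == "__main__":
    print(login_vulnerable("alice", "correct horse"))  # token required
    print(login_vulnerable("Alice", "correct horse"))  # ok (bypass)
    print(login_fixed("Alice", "correct horse"))       # token required
```

The `require_2fa_for_all` default is the second lesson of the page's table: a bypass that downgrades an account to "no second factor" only works when the policy allows such accounts to exist.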

EFFECTIVE SOLUTION: GO PASSWORDLESS

Passwords are by far the weakest link in security today. Successful attacks involve lost, breached or re-used passwords, and in the cases above 2FA/MFA was of no help.

You cannot avoid the patch, but you can avoid passwords and the 2FA/MFA bolted on to them, and go passwordless with far more ease and convenience.

Today, the smartest and most secure way to sign in to any VPN or enterprise application is to go completely passwordless.

With PureAuth passwordless authentication you effectively mitigate the risk of having your password stolen by phishing and a number of other methods.

The usernames and passwords dumped by (ab)using CVE-2018- are being used to get access to networks even after the vulnerability is patched. VPNs are the first line of defence for any enterprise; do not leave them at the mercy of 2FA/MFA that can be bypassed. Go passwordless with PureID: stolen passwords cannot affect you if there are no passwords.

You can also check out our integrations for other popular VPNs such as Palo Alto and OpenVPN.

REFERENCES