Breach Report & Breach Support

June, reminds us of 2 things, first how fast another year has passed and second – Verizon Data Breach Investigations Report (DBIR).

Since 2008 Verizon has been releasing Data Breach Investigations Report (DBIR) that has provided the world of Infosec valuable insights and detailed analysis of the evolving threat landscape from various viewpoints (industrial segments, geography specifics etc).

Report Highlights

Stolen credentials remain the biggest concern and the reason for 86% breaches over the web. Reports also states that most targeted assets were the servers rather than individual applications or devices.

From VDBIR 2023

On the Rise

In Summary VDBIR 2023 mentions that 50% of total breaches were due to credential fraud, 10% Phishing & rest due to exploitation of vulnerabilities.

Report also mentions ransomware attacks becoming ubiquitous & 50% increase in Social Engineering attacks. 

From VDBIR 2023

Report also has a monthly summary of incidents from 2022, including the incidents involving leaked passwords from Okta and MFA factors from Twilio.

August Summary from VDBIR 2023

PureID #BreachSupport

As the industry is still closely studying the breach report VDBIR-2023, we are working on our latest initiative – Breach Support, through which we intend to help businesses quickly recover from the incidents by removing passwords and adopting Zero Trust Access control with zero impact on business. More details on Breach Support will be shared soon, stay tuned.

Please Note – All the above images are taken as -is from VDBIR 2023, & the last one from PureID Team

Breach Story – Summer 2023

The temperature in May 2023 is high not just due to global warming but also due to the Security Breach at numerous reputed organisations.

Many companies experienced or disclosed data breach in last 10 days. Prominent breaches that has surprised the industry are the ones coming from Discord, a Microsoft Company & Capita, the UK based service gaint.

The other organisations of signifance include Toyota, PharMerica, ScanSource etc.

Organisations named in recent security breach incidents

The Incidents

All of the above companies are yet to disclose the root cause of the breach, but as it always happens compromised user credentials is the most likely reason of the breach.

As the organisations are still carrying out the investigations and getting their PR sorted, it will be interesting to which popular security solutions will be named/blamed for its failure, just like the breach at Okta was blamed for the breach at Twilio, and the failure of DUO Security and Thycotic was blamed for the breach at Uber last year.

If you are interested to study more about these breaches, we have provided the links to the resources below

OrganisationThe IncidentRoot CauseReference
CapitaHackers accessed roughly 4% of its server infrastructure and stole files hosted on the breached systemsUnder InvestigationCapita Breach
DiscordCustomer email ID, messages and attachments were disclosedLeaked Credentials of Support AgentDiscord Breach
LuxotticaInformation of 70 million users leaked onlineUnder InvestigationLuxottica Breach
PharMerica5.8 Million patients medical data leakedNot DisclosedPharmerica Breach
ScanSourceMassive Service outage, yet to know about breached dataUnder InvestigationScansource Incident
Toyota2 Million customers data accumulated over 10 years, leakedAccess key disclosed in code repositoryToyata breach

The Scary Picture

The leaked data from the above organisations is posted in the dark web and is available for sale. Large portion of stolen data is available for free. Tory Hunt, collects data from such sources and makes it available for individuals to learn haveibeenpwned.

https://www.abc.net.au/news/2023-05-18/data-breaches-your-identity-interactive

ABC News network has recently lauched a visual summary of the potential scale of the leaked information out there about indivisuals, using the haveibeenpwned service.

Breach Happens

#BreachHappens!!! Its unavoidable. PureID is working to provide immediate relief to organisations who are breached or in middle of security incident, stay tuned to know more.

FinTech Company’s Million+Records Exposed…

Have you ever received a phone call from a seemingly legitimate vendor, who knew all your personal and financial information, and then requested an advance payment or financial assistance from you? If you have, you know how terrifying this situation can be. It only takes one small mistake to send your finances into disarray.

But you are not alone in this struggle. Jaramiah Fowler, a cybersecurity expert, helped avoid this nightmare scenario by his vigilance. Fowler discovered a database containing a million consumers’ personal and financial information, including names, email addresses, postal addresses, phone numbers, payment purposes, sums paid, due dates, and tax ID numbers. The database had invoices from people and companies who paid for their goods and services using an app.This database belonged to NorthOne Bank, a FinTech company used by over 320,000 American businesses

 Jeremiah Fowler  discovered a database that was not password-protected by NorthOne Bank.

About NorthOne

NorthOne is a popular FinTech company that offers integration options with various services, including but not limited to Airbnb, Cash App, Lyft, PayPal, Quickbooks, Shopify, Square, Stripe, Uber, Venmo, and Wave. It is worth noting that NorthOne is not a full service bank. Banking services to NorthOne Bank are provided by The Bancorp Bank.

The Incident

The findings were first reported on January 19th, 2023 and the database remained unsecured until January 31st, 2023. It is unclear how long these records were exposed or who else may have had access to the database. It should also be noted that Bancorp Bank is not at fault or responsible for this breach.

The database allowed anyone with an internet connection and the database’s URL to see or download the .PDF documents. There were basic security controls preventing a full indexing of all documents. There were over a million files in the database that were marked as “production”. In a random sampling of 1,000 invoices, Jeremiah observed invoice amounts ranging from as low as $60 to over $10,000 for various services. These included home repairs, pet services, food and beverage, and even medical care.

Invoices in the exposed Dataset

This is how the data appeared in the compromised dataset. You can clearly see “Powered by NorthOne” in the footer of the image.

How Customers can be targeted ?

The data in the unprotected PDFs contains Tax Identification Number (TIN) along with other personal details of the customers. This TIN can be exploited to file fraudulent federal tax returns and claim refunds from the Internal Revenue Service (IRS).

Someone can misuse the data by using the Employee Identification Number (EID) to apply for loans. Another challenge could be to prove that the application was not authorised.

In order to acquire customers’ trust, a con artist may also pose as a legitimate financial organisation and cite transaction receipts. Consumers’ personal information can be used by other parties to influence them and reveal sensitive information.

What went wrong?

It seems that NorthOne had a database with no protection on. You can learn how to safeguard your database, code repositories, and code infrastructure with PureAUTH‘s Just-in-Time Access Provisioning. You can learn more in our blog titled Know Your Code Infrastructure.

Password Managers are the Hot Targets 

Lastpass reported a security breach a month ago, which is the 8th security incident in the last 11 years. This incident was followed by a recent disclosure by a Google researcher. Many popular password managers like Dashlane, Bitwarden, and Safari can be phished.

There are many lessons that we all need to learn from these recurring incidents. This post is to uncover few points that we have seen have not been discussed by the info-sec community and the industry.

The Catch-22 – Phish or no Phish?

LastPass warned its users of an increased likelihood of Phishing attacks, Credential Stuffing, or other brute force attacks against online accounts associated with their LastPass vault.

Password Managers getting phished is an alarming situation

This statement goes against what all the password managers like LastPass claims – “use of password manager protects users from phishing attacks“.

In recent times there have been more incidents where password managers have been proved vulnerable to phishing attacks. You can find more details in this article Popular password managers auto-filled credentials on untrusted websites 

The Impact

In their blog post, Lastpass reported that customer’s personal information like email, phone number, billing address, IP address have been compromised. That is not all, what LastPass has not talked about is the additional information they collect from their users using their mobile app. 

The screenshots below show the permissions that Lastpass app takes on a user’s phone.

Permission take by LastPass app on an Android device

These permissions enable the application provider like LastPass (other password managers take similar types of permission on user’s device) to collect more information about the user than probably needed. 

User Information collected by LastPass app

In case of a breach, like what happened with LastPass, the severity of the incident and privacy impatc will be more if any additional information collected from the user’s phone is also leaked.

The Passwords

Furthermore, LastPass has reported that customer’s vault containing clear text data, such as website url, and encrypted data of username and password were also obtained by the threat actors. 

Lastpass emphasised on the use of master key, and how a threat actor can not decrypt the password vault even if they have the encrypted data, as the master key, which is a master password set by the user and is not stored on lastpass network. 

While 1Password, a rival firm of Lastpass, claims through their blog that passwords of LastPass can be cracked in $100. They also talk about their superior method of  using secret key and Password Authenticated Key Agreement systems, which makes 1Password’s systems next to impossible to crack. 

With the device specific keys mentioned by 1Password, we feel syncing of the passwords across multiple devices becomes a risky affair. Since passwords need to be decrypted on another device and it needs the user chosen master password as well as the secret key from the earlier device. This problem cannot be solved without exposing the secret key or the user’s passwords (encrypted just with the user chosen master password), in transit. 

Conclusion

After a series of events involving Password Management products, enterprise must seriously think about how safe their user’s data and passwords really are. 

Not to forget, server doesn’t care if the password is coming from a password vault or from an adversary, the server will authenticate as long as it can match the string. So no matter, how and where you store passwords, as long as there as passwords, Enterprises are always at risk.

For a better security, Enterprise must plan to remove passwords from their applications, servers and #GoPasswordless

Another Password Manager Breached – Norton

In January, 2023 Gen Digital, a firm previously popular as Symantec and NortonLifeLock , found itself targeted by a significant Credential Stuffing attack. The attack resulted in the compromise of thousands of user accounts.

Just weeks prior to this incident, LastPass, a prominent competitor of Gen Digital in the password manager market, fell victim to a breach. This breach followed a prior cyberattack against LastPass in August. According to LastPass, the hackers leveraged technical data pilfered during the August cyberattack to gain unauthorized access to its cloud storage system.

It’s worth noting the irony here – the very software designed to fortify defences against cyber attacks found itself in the crosshairs of one. To draw a parallel, it’s akin to a scenario where the police station itself becomes the target of a burglary.

Credential Stuffing

Credential stuffing refers to the use of credentials such as username, email id and personal information from previous security breaches. These credentials are fed to other login systems to gain access to other websites. Unlike other cyber attacks, Credential Stuffing does not require brute force. Instead it uses a simple web solution to stuff thousands of stolen credentials into login systems. Credential stuffing is one of the oldest tricks in the book. It’s very easy to fall victim if one uses the same or similar credentials on multiple sites.

Lost one password? Alas you lost them all - Norton Credential stuffing attack.

I recently explored the website “Have I been pwned” and was shocked to see one of my personal email ids compromised in a previous attack. Going through their listing on breached websites made me realise how unsafe our credentials and information are, and how easily one can gain access to it.

Impact of the Incident

In an internal investigation in December 2022, NortanLifeLock detected “unusually large volume” of login attempts. They found that a malicious actor was using a list of credentials obtained from illegal marketplaces on “dark web”.

Nortan commented that 925,000 people were targeted in a credential-stuffing attack. It is probable that the data does contain names, phone numbers and addresses of users. The attackers might also have access to Norton Password Manager users’ private vault data. This vault contains stored passwords for other online accounts. The firm is not commenting on how much customer data actually got a negative impact because of the attack.

Nortan relaeased a warning to it’s users after failing to reject the mass login attempt. They indicated that they “strongly believe that an unauthorised third party knows and has utilised your username and password for your account.” They also suggested the users to use 2 step authentication systems and provided free credit monitoring services to affected users.

Amplification Effect

The Password managers are a hot target because they provide adversaries with an amplified power to gain access to multiple accounts by compromising one password manager account.

As they say putting all the eggs in one basket is a bad strategy. Keeping all passwords in one manager will have a huge impact if compromised.

Passwords are not assets; they represent security vulnerabilities. Rather than locking them away in a vault, consider going passwordless. #GoPasswordless

Resolution 2023 | Making World Password Free

While password management companies are fighting with each other, the bottom line of major incidents in 2022 is –  Passwords are the biggest risk even if you are storing them with Lastpass or any other password manager.

Image Credit – Pramod Gosavi’s LinkedIn post

As industry is adopting Zero Trust Architecture, the time is right to #GoPasswordless. In this first blog of the year, we at PureID present 3 strongest points to make your organisation password free in this brand new year 2023.

Best Protection from Phishing & Social Engineering

We have seen Uber getting breached due to MFA bypass and social engineering attacks. Stored credentials stolen from Okta & Twilio were exploited by 0ktapus hacking group, triggering serious supply chain attacks with a blast radius extending to 130+ organisations. 

In another incident, credentials phished from DropBox resulted in unauthorised access of 130+ github repositories.

A well designed passwordless authentication solution is a must if you are looking for authentication solution resistant to social engineering & phishing attacks

Zero Trust Access

When you are taking the next flight, you must appreciate the multiple checks that are carried out at the airport as part of Zero Trust Security Model. Not just the traveller’s identity is verified, but each and every piece of luggage you carry is checked for possible risk that can aboard the plane. 

Image Credit – Boston Globe

When a user authenticates to access an enterprise service or network, the traditional solutions stop at the user’s Identity verification. The risk coming from the connecting user’s device is not verified. In another incident involving Okta again, the customer support executive of Sykes, connected to Okta’s service portals with a compromised device, enabling the Lapsus$ Extortion Group to access and leak some details from Okta’s apps and system.

Most of the MFA, passwordless solutions, FIDO keys fail to provide the user’s device risk posture and hence provide incomplete security. Check how PureAUTH provides ZeroTrust Passwordless Authentication

Convenience meets Security

I couldn’t fix your break, so I made your horn louder – Steven Wright.

That is exactly how the industry approaches the pain of authentication. Since authentication using Passwords + MFA is painful, the applications are designed to provide session cookies that are valid for months. In recent incident with CoudSek, its employee’s Jira account was accessed with stolen session cookies. 

With well designed Passwordless solutions, authentication becomes so convenient and smooth that enterprises can enforce shorter sessions and frequent authentication without putting users in any distress. The shorter session span reduces the risk of stolen cookies getting abused.

With the above points and a quick recap of last year’s incidents, we wish you all a safe & secure new year. Looking forward to be your partner in your #ZeroTrustJourney, for which the first step is #GoPasswordless.

With best wishes from PureID family, Happy New Year 2023…

Dropbox Employees Phished, GitHub Repositories Exposed

Dropbox disclosed a security breach on October 14th 2022, resulted due to Phishing Emails. The email was impersonating a third-party service used by its employees. The attack resulted in credential leaks of employees, which enabled the threat actors access to their Github accounts. The hackers stole the content from 130 repositories, consisting information about Dropbox employees, users, and vendors.

Phishing email impersonating CircleCI

The Incident

Phishing campaign initiated by adversary targeted multiple Dropbox Employees. The emails were crafted to mimic communication from CircleCI , which is a Continuous Integration and Delivery Platform. The phishing link redirected users to a landing page where they were asked to enter their GitHub username and password.

CircleCI login options
CICircle Login page

On a fake GitHub page, the employees were requested their Hardware Authentication Keys to provide an OTP for 2 step authentication. Adversaries used these credentials to access some less secure repositories of Dropbox, containing some API keys, and customised tools.

CircleCI login page
Github Login Page

The adversaries are not traced yet, as they used VPNs to hide their tracks.

The incident details shared by Dropbox
The incident details shared by Dropbox

The Impact

Dropbox breach is a direct result of phishing, which was not contained by 2FA or MFA solutions the firm normally has in place.

Furthermore, the laws of the United States allow authorities to have access to user data under Patriot Act and such, hence the firm can also store user information. In the past, there have been multiple instances at Dropbox where user data was compromised. However, in this particular case, the company is claiming that no core app code was compromised. For more details, visit here.

Previous Incidents

Dropbox is not the sole victim of brand impersonation phishing attacks. Earlier, other organisations such as Sony Pictures, BenefitMall, and JP Morgan Chase have fallen victim to the same. Furthermore US Power grid and John Podesta are also highly notable examples of Phishing Attacks.

IBM’s 2021 Cost of a Data Breach Report found phishing to be the second most expensive attack vector to contend with, costing organisations an average of $4.65 million. Phishing using brand impersonation is becoming quite popular as well. LinkedIn is used for this purpose 52% of the time, while DHL, Google, Microsoft and FedEx also hold a considerable proportion of it. You can find more about the stats here.

Mitigation

Millions of phishing emails are sent daily. Many spam mails slips through spam filters and when that happens, you must be able to rely on your employees to stay vigilant and act responsibly. That is the reason why many companies opt for Employee Awareness Training Plans.

When training campaigns cannot keep pace with the new trends, and URL-checking anti-phishing measures is proving to be far more intrusive. The best option right now is to switch to Password-less Systems with Zero Knowledge Encryption.

With PureAuth Password-less authentication, you can effectively mitigate the risk of having your password compromised by phishing and a number of other methods. 

Feel free to explore further blogs by us related to Phishing and Github . Stay safe. #Gopasswordless

ISO/IEC 27001 Compliance with PureAUTH

PureID’s passwordless authentication platform PureAUTH, is a cloud based Single Sign On (SSO) solution. PureAUTH uses certificates (digital signatures) provided by an organisation, to uniquely identify its users, in a secure way. 

PureAUTH can be used as a secure, cryptography or certificate based alternative to Passwords and Two Factor (2FA) or Multi Factor Authentication (MFA) solutions, as prescribed by various standards.

In this article we discuss

How PureAUTH Works

Traditionally, applications authenticate users using passwords. For additional security along with passwords, 2FA or MFA are also sent to application on the same channel. This authentication method is found to be vulnerable to phishing and other man in the middle attacks. An adversary can trick users to share passwords and 2FA/MFA token, on a phishing page and use it to impersonate user, and gain unauthorised access to the application.

Traditional systems use same channel for authentication & application access

PureAUTH provides a secure alternative to passwords and 2FA /MFA based authentication. Organisation’s user is provided with an AuthVR5 authenticator app which holds cryptographic keys, certificates (digital signatures), seeds (for generating Pseudo Random token), which are unique for every user.

AuthVR5 sends out of the channel authentication request, directly to the PureAUTH server which consists of user’s certificate and one time token which is bound to the user’s session with the application.

PureAUTH uses out of channel authentication with non reusable token & certificate

Since the authentication request is sent out of the channel, the data in the request cannot be obtained by phishing, neither it can be used for any other session apart from the one it was generated for.

NOTE :

The authorisation & session management remains unaffected by introduction of PureAUTH. The user authentication security is enhanced by PureAUTH with the use of certificates (digital signatures), extensive logging, and risk assessment of user’s device, from which the application is being accessed.

Standards around User Authentication & Access Control

PureAUTH provides the required controls and complies with recommendations of various Industry and Regulatory standards, for user authentication and access control. Few widely used standards that PureAUTH complies with are as follows –

  1. ISO/IEC 27001/2
  2. SOC2 Standards
  3. PCI DSS
  4. HIPAA

ISO/IEC 27001 compliance with PureAUTH

ISO/IEC 27001 is the world’s best-known and widely exercised standard for Information Security Management Systems (ISMS). The annexure A, section 9 of ISO/IEC 27001, is all about access control procedures. The aim of Annex A.9 is to safeguard access to information and ensure that employees can only view information that’s relevant to their work.

Annexure A 9.4.2 Secure log-on Procedures

From Annexure A.9, we are focusing on section A 9.4.2, according to which

Access to systems and applications must be controlled by a secure log-on procedure to prove the identity of the user. This can go beyond the typical password approach into multi-factor authentication, biometrics, smart cards, and other means of encryption based on the risk being considered.

Secure log on should be designed so it cannot be easily circumvented and that any authentication information is transmitted and stored encrypted to prevent interception and misuse.

How PureAUTH helps with Annexure A 9.4.2 

In this section we answer a few relevant questions that are part of ISO 27001 Standard’s questionnaire form, that can help our customers applying for similar standards.

ISO 27001/2 STANDARDS Why it is needed How PureAUTH helps
Do you adopt multi factor authentication (MFA) for secure user access?Makes access controls more robust and enhances their effectiveness to verify a user’s identity.Yes, PureAUTH is an authentication solution that uses multiple factors like cryptographic signatures & device fingerprints to securely identify user
Do you give all users unique login credentials?Ensures that nobody can log on to the system without uniquely identifiable credentials.Yes, the certificate or digital signatures are unique for every user and device fingerprint is unique for every device
Do you enforce the secure use of passwords and verify a person is the one claimed?Strengthens unique network login credentials with context-aware access restrictions and user reminders which help verify that a person seeking access to the network and the information within is genuinely who they say they are.Not Applicable for PureAUTH, as it is a passwordless authentication solution that uses cryptographic keys, certificates (digital signatures) to identify user
Do you restrict users from sharing logins?Prevents concurrent logins with the same set of user credentials — helping to eradicate dangerous password sharing practices.Yes, PureAUTH uses digital signatures embedded & paired to user’s personal device secured by further layer of device based authentication. This makes sharing of signatures with other user and using it from another device impossible.
Do you restrict network access on a job-role basis?Enables the administrator to set granular access rights to different types of employees to ensure that they can only access the information they need to do their job.Yes, PureAUTH supports policy based regulation of user access that considers user’s role, device risk and sensitivity of the application being accessed
Do you review network access for employees who change roles in the organisation?Enables administrators to easily change access rights (permanently or temporarily) for individual users groups of users or organisational units.Not Applicable, Authorisation is managed outside of the scope of PureAUTH
Do workstations automatically log users off the network following a period of inactivity?Automatically logs off a session after a specific length of idle time to prevent unauthorised users accessing information from unattended workstations. What’s more UserLock can set authorised time frames for certain users’ access and force workstations to log off outside these hours.Yes, PureAUTH supports Single Log Out (SLO) and respects the session timeouts enforced by respective applications

Why Choose PureAUTH

PureAUTH passwordless authentication solution is not only compliant with all leading (and upcoming) industry and regulatory standards, but is also the most secure authentication and access management platform. Some of its advantages over traditional Passwords & Multi Factor Authentication solutions are as follows

Risks PureAUTH Passwords + MFA
PhishingUnaffected by PhishingVulnerable to Phishing attacks
Social EngineeringUnaffected by social
engineering or insider attacks
Vulnerable to Social Engineering
Account SharingNot possible, compliantAccount sharing is possible
Admin/Tech Support Completely self serviceable. No admin assistance or tech-support neededDependency on Admin, tech support for resetting of
passwords and MFA device

Conclusion & further support

Just like Passwords and Two-factor or Multi Factor authentication systems, PureAUTH Passwordless authentication solution can be used to ensure secure access to the most sensitive information systems, applications, and programs like Engineering & Dev-Ops resources, security systems, VPNs, PAM solutions, SaaS services, cloud consoles, communication suites, CRM solutions etc.

For further information on compliance & certification, you can visit https://trust.pureid.io

Jenkins 0 days & Your Supply Chain Security

The Security team of Jenkins announced 34 zero-day vulnerabilities in 24 of its plugins, which has rocked the world. The vulnerabilities range from XSS, stored-XSS, to passwords and token disclosures. The list of vulnerable plugins and overview of their impact can be found in this Bleeping Security article.

Jenkins 0 Days and its Impact

The various Jenikns’ plugins have varying impacts. Based on what plugin your organisation is using, it may see varying degrees of risk to its Jenkins setup and can result into compromise of its supply chain. 

Here we are listing few common vulnerabilities and their impacts

VulnerabilityMaximum ImpactAffected Plugins
Stored XSSCredential theft, account takeoverPlot Plugin, build-metrics Plugin, Rich Text Publisher Plugin, Matrix Reloaded Plugin, eXtreme Feedback Panel Plugin, Validating Email Parameter Plugin, Deployment Dashboard Plugin, 
XSS (Cross Site Scripting)Credential theft, account takeoverGitLab Plugin, TestNG Results Plugin, Project Inheritance Plugin, Recipe Plugin
CSRF (Cross Site Request Forgery)Credential reste, token theft, account takeoverXebiaLabs XL Release Plugin, Matrix Reloaded Plugin, Recipe Plugin, XPath Configuration Viewer Plugin, Rename Or Delete Plugin, Failed Job Deactivator Plugin
Missing Permission ChecksCredential theft, Unauthorised actionsXebiaLabs XL Release Plugin, requests-plugin, build-metrics Plugin, Recipe Plugin, Deployment Dashboard Plugin, RQM Plugin, Rename Or Delete Plugin, Failed Job Deactivator Plugin
Passwords stored in Plain TextMass Credential theftDeployment Dashboard Plugin, Skype notifier Plugin, Jigomerge Plugin, Elasticsearch Query Plugin, Cisco Spark Plugin, RQM Plugin, hpe-network-virtualization Plugin
Tokens, API Kyes or secrets Stored in Plain TextSession Takeove / rAccount TakeoverBuild Notifications Plugin, RocketChat Notifier Plugin, OpsGenie Plugin

Remediation

Applying patches is the best and recommended way to fix vulnerabilities. In this incident, Jenkins is yet to provide fixes for many of the vulnerabilities and still remains a potentially risky, zero-day candidate. 

Shodan project lists more than 150,000 sites running vulnerable Jenkins.

In absence of patches, disabling the vulnerabile plugins is the best option from the security side, but disastrous if it affects the organisation’s engineering processes.

In such cases we always recommend strong Passwordless authentication. Absence of credentials make most of the attacks irrelevant even in the presence of vulnerable plugins.

Better prepare for 0 Day attacks

You cannot stop 0-day attacks and cannot predict them coming. What helps is sticking to security basics and best practices. Other proactive things an organisation can do is to adopt Passwordless Authentication for its entire Software Engineering infrastructure.

Passwordless solutions like PureAUTH also contain the impact of session takeovers arising from token theft with the use of XSS, by enforcing convenient but regular logins.

Making your Software Engineering Infrastructure passwordless can contain the impact of 95% of such 0-day vulnerabilities without any security configuration change.

Citrix ADM Incident; 3 Lessons Industry can Learn

A critical vulnerability in Citrix’s Application Delivery Management (ADM) technology was reported & patched this week. 

Tracked with CVE-2022-27511, Citrix reported that, if left unattended, exploitation of the vulnerability could enable remote attackers to reset admin passwords. (reference: Citrix ADM vulnerability)

Overview

Citrix ADM is a virtual appliance, that gives centralized management solution. It simplifies operations by providing administrators with enterprise-wide visibility and automating management jobs that are getting ran across multiple instances. 

Citrix ADM is known to ship with a built-in admin account nsroot, with default credentials nsroot (reflecting its legay of NetScaler).

As a best practice, admins change the default passwords to restrict unauthorised access.

Image Source – Citrix Documents

Citrix has documented various means to restore default admin password by resetting ADM node. 

With the exploitation of CVE-2022-2751 vulnerability, an adversary can force Citrix-ADM to restore the nsroot account’s default credentials as a recovery measure from a system corruption, on the very next reboot.

The Problem

Right from network gears, management consoles, virtual appliances we have seen all systems being shipped with a root account with default credentials. 

We have also witnessed that system restore option resoters the default credentials even if admins change them for security reasons.

This has been an industry standard practices from ages. With more options for authentication and evolving threat landscape its time industry should also evolve and change the way factory-default-restores support more secure (or hard to exploit) options. 

Here are a few learnings from suh incidents that we can draw & work for better securing our systems.

Lession 1 : Restrict Remote Access by Default

By default remote access to admin accounts of devices/appliances should be restricted.  Since restoration of default credentials at any time will make system vulnerable to unauthorised access.

Disabling the remote access as part of default setting triggered with restoration of default passwords can restrict the possibility of exploitation by a remote / external threat actor to a great extent. 

This we can see very commonly in Ubuntu, a debian based system.

Extracts from /etc/ssh/sshd_config file from a Ubuntu 22.4

Lesson 2 : Federate Authentication

Its always better to maintain credentials at a centralised location. This consolidates and optimise the efforts to securely manage and protect them. This also reduces or eliminates the need for restoring the default credentials of devices.

Down side of this being the centralised credential store becomes a single point of failure for all your systems and appliances in your network. This leads to our third and final learning.

Lesson 3 : Eliminate Passwords

Moving away from password based authentication drastically reduces the attack surface of any enterprise. You can choose PKI / certificate based authentication for better security. 

Adopting passwordless authentication goes long way in protecting your systems from unseen future vulnerabilities which might be triggered due to use of passwords or default credentials.

PureAUTH Identity and Trust Platform

Citrix ADM incident CVE-2022-27511 is an another example of the risks associated with passwords. Eliminating passwords using a true passwordless solution like PureAUTH protects organisations from future, unforeseen vulnerabilities.

To learn more, about how PureAUTH is used by various organisations to secure access to their assets and Build Trust in all relevant user actions, schedule a demo with us.