Zello Faces Another Potential Data Breach, Urges Precautionary Measures

Introduction

Zello, the widely-used push-to-talk app, is once again under scrutiny for its handling of user security. Recently, the company required users to reset their passwords, citing concerns that point to either a credential-stuffing attack or a potential data breach. With 175 million users spanning sectors like emergency response and hospitality, this incident has raised significant questions about the platform’s security measures.

What Happened?

On November 15, 2024, Zello warned users whose account creation date was before November 2nd to change their password. While the exact incident is not known, evidence suggests that:

  • Possible Breach: Customer credentials may have been accessed by unauthorized users.
  • Credential-Stuffing Attack: Threat actors might be using passwords compromised earlier to gain access.

This measure aims to mitigate risks to affected accounts.

Zello Potential Data Theft
Credit: CyberIL

Breaches History at Zello

In 2020, Zello faced a similar challenge:

Data Breach in 2020:

  • Unauthorized activity on a server led to the exposure of email addresses and hashed passwords.
  • Zello required password resets and asked users not to reuse passwords across platforms.

While the company achieved ISO 27001 certification in September 2024—a certification enforcing strict information security procedures—the recurrence of such incidents questions the strength of Zello’s defenses.

The Implications

If confirmed, such a breach or an attack might empower cybercriminals to:

  • Steal Credentials: Access account data for unauthorized use.
  • Expand Attacks: Use cracked passwords for credential-stuffing attacks on other platforms.
  • Expose Sensitive Operations: With Zello used by first responders and other critical sectors, data misuse could disrupt essential services.

What Users Should Do

Zello users should take the following steps to safeguard their accounts immediately:

  • Reset Passwords: Change passwords immediately for accounts created before November 2, 2024.
  • Use Unique Passwords: Avoid reusing passwords across different services.
  • Enable Security Tools: Consider using password managers to generate strong, unique passwords.

With passwordless solutions like PureAuth, organizations can eliminate vulnerabilities altogether, ensuring security by design and default.

Conclusion

The latest security incident at Zello serves as a grim reminder of the changing cyber threats that organizations face. Though breaches may not always be avoidable, proactive measures like enforcing password resets and adopting robust access management solutions can go a long way in mitigating risks.

By going passwordless, facilitated by solutions like PureAuth, businesses can ensure user credentials and data are secure by default and design, protecting against future incidents.

Read Also

Your 1st Step to #GoPasswordless

Making World Password Free

3 ways passwords are Failing the Enterprises

Fortinet VPN Zero-Day Exploited by BrazenBamboo Malware

Introduction

A critical zero-day vulnerability in Fortinet’s Windows VPN client, FortiClient, has been exploited by a Chinese-linked threat actor known as BrazenBamboo. This flaw, reported by cybersecurity firm Volexity, remains unpatched, leaving organizations vulnerable to credential theft and espionage. The attackers employ a modular malware framework called DeepData, which specializes in extracting sensitive information from compromised systems.

The Vulnerability: Unresolved and Exploited

The FortiClient zero-day allows credentials, including usernames, passwords, and VPN server details, to persist in process memory after authentication. The DeepData malware exploits this vulnerability using a FortiClient plugin, leveraging the stored JSON objects in memory to exfiltrate data.

Key facts about the vulnerability:

  • Reported by Volexity: On July 18, 2024, and acknowledged by Fortinet on July 24, 2024.
  • Unpatched: No CVE assigned, and no fixes released to date.
  • Targeted Versions: The latest FortiClient versions, including v7.4.0, are affected.
Fortinet VPN zero-day
Credit: Volexity

The DeepData Malware Framework

BrazenBamboo developed a sophisticated post-exploitation tool called DeepData. It is modular, utilizing plugins to target a wide range of sensitive data.

Key Features:

  • Credential Theft: Extracts credentials from FortiClient and 18 other sources.
  • Application Surveillance: Collects data from communication apps like WeChat, WhatsApp, and Signal.
  • Web Browsing Data: Gathers cookies, history, and passwords from major browsers like Chrome and Firefox.
  • System Monitoring: Records audio, captures screenshots, and tracks installed software.

DeepData also integrates with another BrazenBamboo tool, DeepPost, to exfiltrate stolen data to command-and-control (C2) servers.

BrazenBamboo: A Persistent Threat

Volexity attributes DeepData’s development to BrazenBamboo, a Chinese state-sponsored group also linked to LightSpy and DeepPost malware. These tools have been used in campaigns targeting Southeast Asian journalists, activists, and politicians.

Notable Traits:

  • Multi-Platform Capability: Operates on Windows, macOS, iOS, and Android.
  • Infrastructure Overlap: Shared C2 servers and coding styles with other malware families.
  • Operational Longevity: Continues to evolve despite public exposure.

Mitigation Recommendations

Organizations should implement the following measures while waiting for a patch:

  • Restrict VPN Access: Limit access to trusted users and monitor login activity.
  • Detect Malicious Activity: Use available rules and indicators of compromise (IOCs) to identify threats.
  • Enhance System Security: Regularly audit memory for sensitive information and improve credential management practices.

Conclusion

The ongoing exploitation of Fortinet’s VPN client zero-day by BrazenBamboo underscores the urgency of addressing vulnerabilities promptly. 

Proactive measures and modern solutions are the keys to staying resilient in an evolving cybersecurity landscape. It’s time for organizations to transition to secure-by-design platforms instead of relying on password and credential-based authentication. If something can be stolen, it will be. Using solutions like PureAuth for passwordless authentication and access management ensures your organization is safe and your data is secure by design and default. By eliminating passwords—a common attack vector—you can significantly enhance your security posture and stay ahead of sophisticated threats like BrazenBamboo. #gopasswordless

Read Also

Fortinet Leaked Credentials to fuel more Breaches!

Fortinet Data Breach: Insights and Implications for Cloud Security

Cisco VPNs Suffer Brute Force Attacks: Here’s your Shield!

Storm-0501: Unveiling the Tactics Behind Multi-Stage Hybrid Cloud Attacks

Introduction

The global cloud services market, valued at $551.8 billion in 2021, is projected to reach $2.5 trillion by 2031. This explosive growth makes cloud environments a prime target for cyber criminals. One such group is Storm-0501, an extortion-orientated cyber crime group that’s been conducting multi-stage attacks against hybrid cloud environments in government, manufacturing, transportation, and law enforcement. Since its inception in 2021, Storm-0501 has changed its operations, shifting from targeting U.S. school districts to running RaaS operations. This blog post explains the tactics, techniques and procedures (TTPs) of the group to help improve organizational defenses with mitigation strategies.

Storm-0501 TTPs: Steal Technique

Initial Compromise and Discovery

Storm-0501 has traditionally obtained initial access using compromised credentials or exploitation of known vulnerabilities in systems with widespread use. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho, ManageEngine (CVE-2022-47966), Citrix, NetScaler (CVE-2023-4966), and ColdFusion (possibly CVE-2023-29300 or CVE-2023-38203). After gaining entry into the target network, it conducts extensive exploration using several tools to find high-value assets, obtain credentials, and increase privileges.

Lateral Movement and Credential Theft

Storm-0501 uses Impacket’s SecretsDump and Cobalt Strike to move laterally across the network grabbing credentials to compromise additional devices. They target the administrative accounts, mostly utilizing password reuse or weak credentials, accessing both their on-premises and cloud environments. Using cloud session hijacking, especially in Microsoft Entra, they establish persistent backdoor access into the target systems.

From Ground to Cloud: Storm-0501’s Cross-Environment Exploits

One of the most significant tactics Storm-0501 uses is the exploitation of the Microsoft Entra Connect Sync service by doing synchronization of credentials between the on-premises AD and cloud. The attackers escalate the privileges in both environments after compromising the sync accounts to have control over the cloud environment and for a persistent backdoor for the next attack.

Storm 0501 Exploit
Credit: Microsoft

Aftermath of the Storm-0501 Attack

The aftermath of a Storm-0501 attack can be devastating, with the group often gaining control over both on-prem and cloud environments, exfiltrating sensitive data, deploying ransomware, and tampering with security products to avoid detection. The threat will only increase with the new deployment of Embargo ransomware, where victim data is encrypted and sensitive information leaked unless a ransom is paid.

Such attacks would lead to the stealing of credentials, data breaches, service disruptions, and heavy financial losses. Storm-0501 pays extra attention to sensitive sectors such as hospitals, which raises stakes not only on data security but also public safety.

Mitigation

Hybrid Cloud Security Enhancement

While Microsoft has implemented restricted permissions on DSA roles in Entra Connect Sync and Entra Cloud Sync, defending Storm-0501 needs a robust, multi-layered approach. Conditional Access policy can further harden access to cloud services from non-verified devices and locations as a risk mitigation approach.

Harden Cloud Security Measures

Even solutions proposed by today’s market leaders such as Microsoft are still often based on passwords in most cases and, hence, would probably fail to deliver proper authentication in a much-enlarged, cloud-to-on-premises environment. Therefore, organizations should embrace solutions such as PureAUTH IAM Firewall that come with the strongest security and reliability against attacks exploiting credentials and even zero-day vulnerabilities. Built on a zero-trust architecture, it provides reliable, passwordless protection, further enhancing resilience against sophisticated threats.

Conclusion

Organizations need to move away from convenient and conventional IAM solutions and start interacting with leading edge defenses, such as passwordless authentication. Enhancing cloud security policies and infrastructure defenses will enable enterprises to withstand new cyber threats.

Solutions like PureAUTH will help organizations build a far more robust infrastructure that is not only adaptable but will also neutralize the most sophisticated cyber threats in existence.

Read Also

Microsoft Entra ID Vulnerabilities: Pass-Through Authentication Risks

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

The achilles’ heel of cloud security: Why two-factor authentication isn’t enough

Disney Leaves Slack: A Strategic Retreat

Walt Disney Co. is transitioning away from Slack after a serious data breach. The breach, which occurred in July 2024, compromised more than 1.1 terabytes of confidential data. This incident included 44 million messages and inside information about various projects at Slack. According to a news article in The Wall Street Journal, Disney has decided to shift to new corporate-wide communication software before the end of its fiscal year.

Why Disney Is Getting Off Slack

The NullBulge hack led Disney to move away from Slack. Hackers accessed thousands of internal channels, exposing unreleased projects, login credentials, and sensitive corporate data. This breach highlighted Slack’s vulnerability, especially due to weak employee security practices like not using robust authentication.

Disney’s decision isn’t just a reaction to the breach but a preventive step to reduce reliance on a platform that became a weak link in its cybersecurity. By switching to streamlined collaboration tools, Disney aims for platforms that offer tighter security and better integration with its IT systems.

History of Breaches at Disney

This is not the first time that the House of Mouse has faced a breach. In July 2024, Disney suffered a breach that exposed over 1.1TB of sensitive data, including 44 million messages, 18,800 spreadsheets, and internal project details. Several months ago in early June 2024, hackers targeted the Club Penguin Confluence server and led to leaking of 2.5 GB of data and information related to the company’s legacy operations.

Mitigation and Prevention: Enhancing Your Security Position

To prevent future incidents, companies like Disney harden up their security approach. One of these approaches involves using zero-trust products, where all actions are considered to be malicious unless proved otherwise and authenticated. The shift away from Slack for Disney should be used as an opportunity to have stronger encryption and more secure, decentralised methods of communication in a place.

Despite the risks, companies often prioritise familiar tools like Slack for their ease of use. Employees enjoy the convenience of SSO and real-time communication. However, this same ease of use can make these platforms vulnerable to attacks, as Disney’s breach demonstrated. Companies often avoid stricter security measures, such as multi-factor authentication (MFA), due to perceived inconvenience. This balance between convenience and security is where many organizations falter.


PureAUTH on the other hand, offers one-click access through passwordless authentication, which is friendly and secure.

Conclusion : One Move Toward Collaboration Over A Secure Platform

As Disney steps away from Slack, this highlights an emerging trend: companies must prioritise security in their collaboration tools. Convenience is awesome, but so is the robust security against emerging threats. PureAUTH balances convenience with the protection required to secure company data. If Disney had solutions like PureAUTH, then the breach might have been far less effective. As companies rethink their internal platforms for communication, the lesson is stark: security and usability are not mutually exclusive with PureAUTH. #gopasswordless

Read Also

Disney to ditch slack following July Data Breach

Fortinet Data Breach: Insights and Implications for Cloud Security

Introduction

Fortinet recently experienced a data breach with 440GB of stolen files. This incident underscores the critical importance of securing data in third-party cloud environments. In this blog, we dive into the details of the Fortinet breach, its implications, and why moving towards passwordless authentication is an essential step for enhancing security.

The Fortinet Breach: A Detailed Overview

Fortinet, renowned for its comprehensive cybersecurity solutions, has confirmed a significant data breach. The hacker, using the name “Fortibitch,” claimed to have exploited an Azure SharePoint vulnerability to steal 440GB of data in this breach, dubbed “Fortileak“.

Fortinet data breach: Fortibitch
Credit: Hackread.com

How the Breach Happened

According to reports, the breach involved unauthorised access to Fortinet’s Azure SharePoint instance. The hacker provided credentials to an Amazon S3 bucket where the stolen data was allegedly stored. The leaked data included customer information and various corporate documents.

Fortinet confirmed the breach involved less than 0.3% of its customer base, affecting a limited number of files. The company assured stakeholders that there was no evidence of malicious activity affecting its operations or services. No ransomware was deployed, and Fortinet’s corporate network remained secure.

The Response from Fortinet

Fortinet acted swiftly to mitigate the impact of the breach. The company engaged in immediate containment measures, including terminating the unauthorised access and notifying affected customers. They also worked with law enforcement and cybersecurity agencies to address the situation.

In their update, Fortinet emphasised that the breach did not involve data encryption or ransomware. The company’s operations and financial performance remain unaffected, with no significant impact reported.

Key Takeaways and Security Lessons

This incident highlights several critical lessons for organisations:

1. Secure Cloud Environments

The Fortinet breach underscores the need for robust security measures around cloud-based environments. Companies must properly configure their cloud storage solutions and actively protect them against unauthorized access.

2. Implement Strong Access Controls

Using multi factor authentication (MFA) is minimum, but given the MFA are also getting bypassed, more secure authentication like PureAUTH is highly recommended

3. Continuous Monitoring and Response

Proactive monitoring of cloud assets and rapid response to security incidents are essential for minimising the impact of breaches. Organisations should have incident response plans in place to handle such situations effectively.

Embracing Passwordless Authentication for Enhanced Security

As demonstrated by the Fortinet breach, traditional security measures, including passwords and MFA, are increasingly inadequate. The shift towards passwordless authentication offers a more secure and resilient alternative.

Passwordless authentication solutions like PureAuth provide a breach-resilient architecture by leveraging advanced cryptography and just-in-time access. This approach significantly reduces the risk of third-party breaches and enhances overall security. Key benefits include:

  • Breach Resilience: PureAuth’s architecture is designed to withstand breaches by eliminating the reliance on passwords and minimising attack vectors.
  • Flexible Security Measures: We work with you to design fallback and recovery mechanisms, ensuring uninterrupted access to enterprise resources.
  • Ongoing Support: Comprehensive breach support is available to address any issues that arise.
Fortinet data breach: Embracing passwordless authentication

Transitioning to passwordless authentication is no longer just a best practice but a necessity for enterprises aiming to protect critical assets. Passwords and traditional 2FA/MFA methods are becoming increasingly inefficient and insecure. Adopting a passwordless approach enhances security, simplifies access management, and aligns perfectly with modern cybersecurity needs.

Conclusion

The Fortinet data breach serves as a stark reminder of the evolving threats in the cybersecurity landscape. While Fortinet’s response has been commendable, organisations must take proactive steps to safeguard their data, especially in cloud environments. Moving towards passwordless authentication solutions like PureAuth offers a forward-thinking approach to security, addressing the limitations of traditional methods and providing a more resilient defence against breaches.

For enterprises looking to enhance their security posture, embracing passwordless authentication is not an option—it is a necessity. Ensure your organisation is equipped to handle the future of cybersecurity with advanced, breach-resilient solutions. #gopasswordless

Critical Vulnerabilities in SolarWinds Web Help Desk and the Essential Hotfixes

SolarWinds’ Web Help Desk, a widely used IT management software, recently faced severe security challenges. These vulnerabilities, if left unpatched, could expose organizations to significant risks. The latest updates have addressed these flaws, but understanding their impact and the necessary steps for mitigation is crucial.

The Gravity of the Situation

Two major vulnerabilities—CVE-2024-28986 and CVE-2024-28987—were discovered in SolarWinds’ Web Help Desk (WHD). These issues were severe enough to warrant critical CVSS scores of 9.8 and 9.1, respectively.

The first, CVE-2024-28986, is a remote code execution (RCE) vulnerability caused by a Java deserialization flaw. If exploited, it allows an attacker to execute arbitrary commands on the affected host. Despite initial reports suggesting the vulnerability could be exploited without authentication, SolarWinds could only reproduce it after authentication. Nonetheless, due to the severity, SolarWinds issued a hotfix and strongly urged all users to apply it immediately.

The second vulnerability, CVE-2024-28987, is particularly concerning. It involves hardcoded credentials within the Web Help Desk software. This flaw enables unauthenticated attackers to log into vulnerable systems, access internal functionalities, and potentially modify sensitive data. Given the widespread use of Web Help Desk across various sectors, including government, healthcare, and education, the implications of such a flaw are far-reaching.

SolarWinds’ Response and Hotfixes

SolarWinds responded quickly to these vulnerabilities by releasing Web Help Desk 12.8.3 Hotfix 2. This hotfix addresses both the RCE vulnerability and the hardcoded credential issue. It also restores functionality compromised in earlier patches, ensuring the software operates securely and efficiently.

For those managing the Web Help Desk, applying this hotfix is not just recommended but essential. The installation process, though manual, is straightforward, involving the replacement of specific files within the Web Help Desk directory. SolarWinds provides detailed instructions to ensure administrators can apply the fix without disrupting their systems. Creating backups before modifying files is crucial, allowing for a quick rollback.

The Importance of Immediate Action

The recent history of SolarWinds, particularly the infamous breach involving its Orion software, underscores the need for prompt and decisive action in the face of security vulnerabilities. The company’s IT products are critical infrastructure components for many organizations. Leaving these vulnerabilities unpatched could lead to severe consequences, including unauthorized access, data breaches, and potentially devastating operational disruptions.

Given that these vulnerabilities are now known and patches are available, malicious actors are likely scanning for unpatched systems. Organisations must prioritise the application of these hotfixes to protect their IT environments and data.

The Need for Enhanced Security Measures

The recurring vulnerabilities in SolarWinds products serve as a stark reminder of the importance of proactive security measures. One crucial step is the adoption of passwordless authentication systems. Hardcoded credentials, as seen in CVE-2024-28987, pose a significant security risk. Credentials, in general, are a weak point in many systems, often becoming targets for exploitation.

By implementing passwordless solutions like PureAuth, organizations can significantly reduce the attack surface. Passwordless systems eliminate the need for traditional credentials, replacing them with more secure authentication methods such as biometrics or hardware tokens. This not only enhances security but also improves the user experience by streamlining the login process.

Conclusion

SolarWinds Web Help Desk has been a reliable tool for many organizations, but these recent vulnerabilities highlight the ongoing security challenges in software development. By staying vigilant and promptly applying security patches, organizations can mitigate risks and continue to benefit from the functionality provided by the Web Help Desk. The critical nature of the CVEs discussed cannot be overstated, and the onus is on system administrators to act swiftly and decisively.

For more detailed coverage of SolarWinds’ security challenges, visit BleepingComputer and PureID’s analysis. The journey to a more secure environment begins with proactive steps, and passwordless authentication is a crucial part of that journey.

New York Times Source Code Leak

Introduction

The New York Times recently experienced a significant security breach, leading to the leak of their source code. This breach was initiated through an exposed GitHub token, allowing unauthorised access to their repositories

How It Happened

An anonymous hacker posted the New York Times’ source code on 4chan. The breach occurred due to an exposed GitHub token, which provided access to over 5,000 repositories, totalling 270 GB of data. The stolen data included sensitive and proprietary information.

Response from The New York Times

The New York Times confirmed the breach and revealed that a credential was inadvertently exposed in January 2024. They quickly addressed the issue, emphasising that their systems remained non-compromised and their operations unaffected. However, this incident highlights the critical need for stringent security measures.

Implications of the Leak

The breach exposed vast amounts of data, including source code for various projects. This poses significant risks for the New York Times, including potential security vulnerabilities and intellectual property theft. The leaked data also included uncompressed tar files, with the hacker urging users to seed due to potentially insufficient seed-boxes. Reactions ranged from disbelief at the volume of repositories to jokes about the newspaper’s digital complexity.

Connection to Disney Leak

Just days before, another breach occurred involving Disney’s internal servers. A hacker associated with the defunct game Club Penguin leaked 2.5 GB of sensitive data, including corporate strategies and internal emails. This shows a disturbing trend of high-profile data breaches. The Disney breach exploited Confluence servers via exposed credentials, further emphasising the need for robust security practices.

Conclusion

This incident underscores the critical importance of securing access tokens and implementing robust security measures to prevent unauthorised access to sensitive information. As cyber threats evolve, organizations must remain vigilant and proactive in safeguarding their digital assets. Securing the CI/CD Pipeline should be a priority for every organization and PureID’s CASPR can be a game-changer.

SnowBall effect of Snowflake Breach

Executive Summary

Snowflake an American cloud computing–based data cloud company, identified a breach in June 2024, which had far-reaching implications for various organisations. Attackers exploited stolen credentials from a Snowflake employee, enabling unauthorised access to sensitive customer data, including credentials and access tokens. This breach was exacerbated by bypassing Okta’s security measures, allowing the attackers to generate new session tokens and access extensive customer data without detection.

Key Affected Customers:

Attack Method

  • Credentials Theft: Initial access through compromised employee credentials
  • Bypass Mechanism: Circumvention of Okta Security Protocols
  • Exploitation: Generation of new session tokens to access databases and steal data

The Domino Effect

The Snowflake breach has created a domino effect, where the initial compromise has led to multiple subsequent breaches. This incident mirrors the earlier Okta breach,, where attackers leveraged stolen credentials to infiltrate various organizations.

Domino Effect of Snowflake Breach

Companies affected include:

  • Ticketmaster: Reported unauthorised access to sensitive data.
  • Advance Auto Parts: Experienced data theft, with stolen information now for sale on dark web marketplaces.
  • Santander Bank: Compromised customer data led to financial and reputational damage.
  • Hugging Face, Quote Wizard, Lending Tree: Also reported breaches, with more organizations likely to follow .

Inherent Weaknesses in Traditional IAM Solutions

Password + MFA Based Authentication:

  • Reliance on passwords makes systems vulnerable to phishing and credential theft.
  • Multi-Factor Authentication (MFA) is often ineffective as attackers can bypass Password + MFA protection mainly by phishing or using a compromised device.
  • Social Engineering attacks have shown that phishing resistant MFA like FIDO keys, & passkeys can prove to be ineffective & can be easily disabled or reset.

IAM Blind Spots:

Apart from reliance on vulnerable passwords for identifying user. The existing IAM solutions are blind to following risks

  • Connection Risk – Traditional IAM solutions lack visibility of user connections. They cannot know whether an authentication request is coming from an authorised actor or an attacker in the middle.
  • User’s Device Risk – They also do not account for the type & security posture of user’s devices, leaving systems exposed to malware and remote monitoring, as seen in the Uber incident.

Impact Assessment

The Snowflake breach is termed as the biggest data breach so far and it’s cascading effect has led to numerous organisations reporting security incidents & data breach. 

The amplification effect could potentially lead to a vast number of downstream breaches, escalating the overall impact.

Impact of Snowflake Breach
Credit: XQ

Towards a Secure Future

Challenges with Current Solutions:

  • Time and again Password + MFA based systems are proven to be ineffective against simple attacks like phishing & social engineering.
  • There is a pressing need for more robust authentication mechanisms.

Protect your Enterprise, #GoPasswordless with PureAUTH

FIDO Solutions like Passkeys and hardware tokens focus on giving users a passwordless experience keeping the passwords on the server as the primary way to identify and authenticate users.

PureAUTH Platform on the other hand provides a comprehensive passwordless approach, eliminating the passwords from server side & not just from user side. PureAUTH is the only solution that protects an organisation against phishing, social engineering, frauds & all types of credential-based attack.

To learn more about PureAUTH & how it protects your existing IAM systems like Okta, OneLogin, CISCO Duo, or Azure AD in just 60 minutes at Zero Cost – get in touch with us

Related Blogs

Okta Warns Customers of Credential Stuffing Attacks

Unpacking Okta’s Recent Security Breach

Cisco VPNs Suffer Brute Force Attacks : Here’s Your Shield!

Cisco recently issued a warning about large-scale brute-force attacks targeting VPN and SSH services on Cisco and other devices worldwide. These attacks pose significant risks to enterprise security, necessitating immediate action.

Hacker can login to VPN with stolen credentials

Cisco Warning and Compromised Services

Cisco Talos reports a surge in brute force attacks since March 18, 2024, targeting VPN services. These assaults exploit vulnerabilities in traditional password-based authentication, compromising network integrity. The known affected services are following:

  • Cisco Secure Firewall VPN 
  • Checkpoint VPN  
  • Fortinet VPN  
  • SonicWall VPN  
  • RD Web Services 
  • Miktrotik 
  • Draytek 
  • Ubiquiti 

History: Not so Private Virtual Private Networks

If you are here reading this blog, you know the drill. Maybe a password is slipped in code, spoofed, phished, whaled, 2FA or MFA is breached, or even a vendor is breached, and your organization and user information lies in the hands of a threat actor. According to an HBR Report “The FBI regards a cybersecurity breach at every organization—including yours—as a matter not of ‘if,’ or even ‘when,’ but ‘how often.'”

Most often then not, these threat actors will siege your assets, ask for ransom and cause a lot of trouble. Two out of Three organizations, without a regard of size, have faced ransomware in 2023. Beyond the cost of expenses, including, potentially, the ransom itself, downtime averages $365,000 an hour in revenue loss. When you consider that the average recovery time is three weeks, it becomes clear how devastating these attacks can be.

In our previous blog we have discussed VPN breaches in detail. Anyhow, here’s some compact data for you.

Affected EntityRoot CauseImpact
Avast AntivirusStolen credentialsAdversaries modified the CCleaner distributed by Avast .
Lockheed MartinCVE-2011-0609Critical data related to the defence contracts leaked.
Pulse SecureCVE-2019-115101000 enterprises are at risk of ransomware attacks.
Ukraine Power gridMalwarePower grid taken offline leading to no electricity for thousands.
List of the most serious VPN attacks due to stolen credentials

Brute Force Attacks

Brute force attacks involve systematically trying multiple username-password combinations until the correct one is found. Attackers leverage proxies like TOR, VPN Gate, IPIDEA Proxy etc to conceal their origins, intensifying the challenge of detection.Password spray attacks, on the other hand, target numerous accounts with commonly used passwords, increasing the likelihood of success.

Your Knight in Passwordless Armour – PureAuth

In light of escalating threats, enterprises must prioritise the adoption of passwordless VPN solutions. Embracing innovative authentication mechanisms ensures a resilient defence against evolving cyber threats.

Passwordless Authentication in popular VPN by PureAuth
VPNs you can make Passwordless

Transitioning to passwordless VPN systems offers a robust defence against brute force attacks. By eliminating passwords, these systems thwart credential stuffing attempts, enhancing overall security.

Conclusion

In the face of mounting VPN vulnerabilities, the imperative to transition to passwordless systems cannot be overstated. By embracing advanced authentication methods, organisations can fortify their defences against brute force attacks, safeguarding critical assets and data.

Read Also

Your 1st Step to #GoPasswordless

Credential stuffing Attacks on VPN: Serious Risk for Enterprise

Google 2FA Breach: Rethink Authentication Security

In today’s digital landscape, safeguarding our online presence is paramount. Two-factor authentication (2FA) has emerged as a crucial tool in this endeavour. Platforms like Google and Facebook offer 2FA to bolster account security. However, there have been multiple incidents revealing vulnerabilities in this system, prompting concerns among users.

The Case of the Bypassed 2FA

Recent reports unveiled breaches in Gmail and YouTube accounts despite 2FA activation. This revelation underscores a fundamental truth: security with passwords, along with 2FA or MFA is fallible. Hackers continuously adapt their tactics, exploiting weaknesses even in trusted systems like 2FA.

Credit : Forbes

Understanding the Bypass

While the exact method remains undisclosed, hackers may employ various strategies to circumvent 2FA. According to Forbes, It’s probable that these users fell prey to what’s known as a session cookie hijack attack. Typically initiated through a phishing email, hackers direct victims to a counterfeit login page. Upon entering their credentials, users are prompted to complete a simulated 2FA challenge, which they unwittingly comply with.

The Role of Vigilance

Despite these challenges, I would personally suggest moving away from systems that solely rely on 2FA for authentication. But in the extreme case where abandoning 2FA is not the solution, users must adopt additional measures to enhance their security posture.

Secure Alternative to 2FA/MFA

As we have seen numerous instance of 2FA & MFA getting by passed, enterprises need better methods to secure access to their resources. PureAUTH Secure IAM platform provides Zero Trust -Passwordless access and protects enterprises from following type of attacks

  1. Password Spraying & brute forcing attacks
  2. Credential Phishing, Push fatigue and Adversary in the middle attacks
  3. Public Key replacement attacks targeted at solutions using Public Key based authentication like FIDO keys
  4. Social Engineering attacks to reset user credentials and reset or disable MFA/2FA
  5. Abuse of shared credentials or leaked credentials and in general credential stuffing attacks

Elevating Security: Going Beyond 2FA

Security is an ongoing journey, requiring a multifaceted approach. While the challenges of bypassing 2FA are evident, there’s a growing trend towards passwordless authentication methods. Embracing secure identity and access management technologies, adopting a zero-trust architecture are some promising alternatives. By adapting these alternatives and staying vigilant, users can reinforce their online security against the ever-evolving tactics of cyber criminals.

PureID offers solutions that curate a robust defence against unauthorised access, heralding a more secure digital future for organizations. Embrace the resilience of passwordless authentication, reinforce your security posture with PureID, and navigate the cybersecurity landscape with renewed strength. The journey continues—Passwordless Authentication awaits.

Read Also

Breach Chronicles: MongoDB’s Unsettling Security Saga Unfolds