BeyondTrust Breach: A Wake-Up Call for Cybersecurity

Introduction

Imagine this: An organization that promises to protect your passwords and block unauthorized access falls victim to the very attack it aims to prevent. That’s exactly what happened to BeyondTrust, one of the well-known companies in the privileged access management space, when attackers targeted their Remote Support SaaS instances earlier this month. The breach exposed a serious vulnerability CVE-2024-12356 that allows attackers to execute commands remotely. Though BeyondTrust responded with swift patching of the problem, the incident leaves several tough questions regarding the exploitations that can even take place against the best of defenses.

What Went Wrong in the BeyondTrust Breach?

On December 2, 2024, BeyondTrust noticed something unusual: attackers had seized an API key for their Remote Support SaaS. This gave them the power to reset application passwords and gain unauthorized access.

As they investigated, BeyondTrust uncovered two vulnerabilities:

  • CVE-2024-12356: A critical flaw that scored 9.8 out of 10 in severity and lets attackers inject commands remotely.
  • CVE-2024-12686: A medium-severity bug that allows attackers with admin privileges to upload malicious files.

What’s worse, CVE-2024-12356 wasn’t just a hypothetical risk. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that attackers were already exploiting it in the wild.

The Irony

It’s hard to ignore the irony. BeyondTrust promised to protect against attacks like remote code execution and password theft, but attackers breached its defenses.

This isn’t the first time BeyondTrust has faced such a challenge. Last year, the company confirmed they were targeted after the Okta breach, underscoring how interconnected cybersecurity threats have become.

This is not BeyondTrust’s story alone but a stark reminder that no company, not even cybersecurity experts, is perfectly immune to attacks.

Why It Matters for Businesses

Thousands of organizations in healthcare, retail, and banking use BeyondTrust’s tools. A breach like this doesn’t just affect the company; it ripples out, impacting businesses that rely on their tools.

Here’s why this should matter to you:

  • Eroded Trust: Clients might start questioning the reliability of their systems.
  • Raising Risk: Exploited vulnerabilities can lead to data theft, operational issues, or worse.
  • Supply Chain Woes: If a key vendor is breached, one asks themselves how secure third-party software really is.

What You Can Do to Protect Your Business

Whether or not you use BeyondTrust’s products, it is a good time to take stock of your security practices. Here’s what you can do right now:

  1. Patch Your Systems: Update to the latest versions of BeyondTrust’s PRA and RS software.
  2. Check for Signs of Trouble: Review logs for unusual activity linked to API keys.
  3. Limit Your Exposure: Disable any unnecessary features and limit your access to the internet.
  4. Be Alerted: Monitor updates from BeyondTrust and cybersecurity agencies such as CISA.

Conclusion

The BeyondTrust breach is a reality check for everyone. Even the most trusted cybersecurity companies can get caught in the crossfire. It’s a reminder that no system is invincible and that vigilance is non-negotiable.

This means that organizations go beyond trust—pun intended—and actively work toward making their defenses stronger. They should update early, monitor their systems, and never assume they are safe. In today’s evolving world of cyber threats, one can only protect what matters most by staying a step ahead.

Termite Exploits Cleo Zero-Day in Widespread Attacks

Introduction

Cleo’s popular file transfer software has fallen victim to a critical zero-day vulnerability, and the Termite ransomware group is wasting no time exploiting it. This flaw impacts Cleo’s Harmony, VLTrader, and LexiCom products—tools trusted by over 4,200 organizations in industries like logistics, manufacturing, and transportation.

Despite an earlier patch in October, the flaw (CVE-2024-50623) remains a serious threat, leaving businesses scrambling to protect their data and operations.

Cleo Zero Day Vulnerability
Credit: Huntress

What’s Happening with the Cleo Zero-Day?

The vulnerability allows attackers to upload malicious files, execute commands remotely, and potentially steal sensitive data. First detected on December 3, the attacks have escalated rapidly, targeting industries like consumer goods and trucking.

The Technical Lowdown:

  • Affected Products: Harmony, VLTrader, and LexiCom (versions before 5.8.0.21).
  • What’s the Risk?: Attackers can run unauthorized commands, leading to data breaches and operational disruptions.
  • The Culprit: Termite ransomware, which has already hit major organizations like Blue Yonder and Starbucks, is suspected.

How to Stay Safe: Immediate Steps to Take

While Cleo develops a new patch, here’s how you can mitigate the risk:

  1. Unplug from the Internet: Temporarily disconnect Cleo systems from public access.
  2. Turn Off Autorun:
    • Open Cleo’s settings.
    • Go to Configure > Options > Other Pane and disable the autorun directory.
    • Save the changes.
  3. Check for Signs of Trouble:
    • Look for suspicious files like healthchecktemplate.txt or .jar files in Cleo directories.
    • Use Cleo-provided scripts to scan for malicious activity.
  4. Stay Updated: Monitor Cleo’s security bulletins for patch updates.

Who’s Behind This?

All signs point to Termite, a growing ransomware group that mirrors the infamous Clop gang in its operations. Termite has gained a reputation for targeting file transfer software vulnerabilities, and some experts speculate they could be filling the gap left by Clop’s declining activity.

Their tactics include deploying malicious web shells to maintain access, running reconnaissance tools to identify assets, and using stolen data as leverage in ransom demands.

Conclusion

The Cleo zero-day vulnerability serves as another reminder of how quickly ransomware groups exploit weaknesses in trusted software. Organizations relying on Cleo products need to act now to protect their systems and data.

Third-Party Breaches: A Growing Concern

The ripple effects of a breach like this extend far beyond the immediate victims. High-profile organizations like Target, Walmart, Lowes, CVS, The Home Depot, FedEx, Kroger, Wayfair, Dollar General, Victrola, and Duraflame, which rely on Cleo software, now face the risk of third-party breaches. Attackers targeting Cleo’s vulnerabilities could exploit access to these businesses’ supply chains, putting customer data and operations at risk.

Third-party breaches are a significant pain point for businesses today, exposing them to reputational damage, financial loss, and regulatory scrutiny. Companies must assess their supply chain security and demand transparency and accountability from vendors like Cleo.

Zello Faces Another Potential Data Breach, Urges Precautionary Measures

Introduction

Zello, the widely-used push-to-talk app, is once again under scrutiny for its handling of user security. Recently, the company required users to reset their passwords, citing concerns that point to either a credential-stuffing attack or a potential data breach. With 175 million users spanning sectors like emergency response and hospitality, this incident has raised significant questions about the platform’s security measures.

What Happened?

On November 15, 2024, Zello warned users whose account creation date was before November 2nd to change their password. While the exact incident is not known, evidence suggests that:

  • Possible Breach: Customer credentials may have been accessed by unauthorized users.
  • Credential-Stuffing Attack: Threat actors might be using passwords compromised earlier to gain access.

This measure aims to mitigate risks to affected accounts.

Zello Potential Data Theft
Credit: CyberIL

Breaches History at Zello

In 2020, Zello faced a similar challenge:

Data Breach in 2020:

  • Unauthorized activity on a server led to the exposure of email addresses and hashed passwords.
  • Zello required password resets and asked users not to reuse passwords across platforms.

While the company achieved ISO 27001 certification in September 2024—a certification enforcing strict information security procedures—the recurrence of such incidents questions the strength of Zello’s defenses.

The Implications

If confirmed, such a breach or an attack might empower cybercriminals to:

  • Steal Credentials: Access account data for unauthorized use.
  • Expand Attacks: Use cracked passwords for credential-stuffing attacks on other platforms.
  • Expose Sensitive Operations: With Zello used by first responders and other critical sectors, data misuse could disrupt essential services.

What Users Should Do

Zello users should take the following steps to safeguard their accounts immediately:

  • Reset Passwords: Change passwords immediately for accounts created before November 2, 2024.
  • Use Unique Passwords: Avoid reusing passwords across different services.
  • Enable Security Tools: Consider using password managers to generate strong, unique passwords.

With passwordless solutions like PureAuth, organizations can eliminate vulnerabilities altogether, ensuring security by design and default.

Conclusion

The latest security incident at Zello serves as a grim reminder of the changing cyber threats that organizations face. Though breaches may not always be avoidable, proactive measures like enforcing password resets and adopting robust access management solutions can go a long way in mitigating risks.

By going passwordless, facilitated by solutions like PureAuth, businesses can ensure user credentials and data are secure by default and design, protecting against future incidents.

Read Also

Your 1st Step to #GoPasswordless

Making World Password Free

3 ways passwords are Failing the Enterprises

Okta Password Bypass – Cryptography Done by Non-experts

Okta recently disclosed a vulnerability in its AD/LDAP Delegated Authentication system with critical severity. The vulnerability was attributed to the use of the BCrypt hashing algorithm for generating and verifying cache keys.

From previous breaches, it’s known that Okta stores user passwords in plain text for delegated authentication, which have been exposed on multiple occasions.

Best practice suggests storing a hash of a password instead of the password itself. However, this is insufficient given the vast number of hashed passwords available on various internet crackstations, allowing easy lookup (or rainbow tables).

okta-password-bypass-BCrypt
Credit – Forbes

It is further recommended to use a randomly generated salt as an additional parameter when hashing a password.

Developers are required to generate, use, and maintain the salt along with the hash for all future verification operations. While this approach significantly reduces the risk of leaking passwords, there remains a lower risk of exposing salted-hashed passwords, which are harder to crack.

However, standard cryptographic hashing algorithms like SHA1 and SHA256 are faster and are optimized for speed and computational efficiency. As a result, brute-forcing these hashes can become feasible if the salt is known.

With this possibility in mind, Okta developers chose the BCrypt() algorithm to generate what they call a “cache key.”

About BCrypt()

The BCrypt hashing scheme is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computational power.

BCrypt takes only the first 72 characters as input. Anything over that is ignored. Out of 72 bytes, only 56-byte blocks are used by the Blowfish algorithm, and the first 4 bytes are reserved for denoting the version of the BCrypt algorithm. This effectively leaves 52 characters for the user’s input. Anything over that will be ignored.

How Okta Generates the ‘Cache Key’

Okta takes a bcrypt() hash of (userId + userName + passwd) values. If the userId + userName value exceeds 52 characters, the password field is automatically truncated, and the hash generated has no consideration for the passwords.

This also means that for a username longer than 52 characters, no matter what password is given, the hash value remains unchanged, resulting in a password bypass vulnerability.

Is BCrypt a Bad Choice?

BCrypt is a non-standard hashing algorithm, and the OpenSSL group has denied providing support for it. Since cryptographers are well aware of this fact, they will always recommend using standard cryptographic hash functions like SHA256() for key derivation or password storage.

A professional with decent knowledge of cryptography would have chosen something better than BCrypt().

Moving from Insecure to Insecure?

Okta’s recent move from BCrypt to PBKDF2 suggests that, when its initial choice proved insecure, they chose which they thought was insecure to begin with.This choice positions Okta as insecure both by design and by default, neither of which aligns with the security standards expected from Okta.

Conclusion

Regardless of which hashing algorithm Okta employs, it remains vulnerable as long as it relies on password-based security. For enhanced security and resilience, it’s time to #GoPasswordless with PureAUTH.

Read Also

When Cache Keys Outlast Authentication Keys: A Glimpse into Okta’s Latest “Oops”

Okta Warns Customers of Credential Stuffing Attacks

Unpacking Okta’s Recent Security Breach

Okta Breach Part 2: Unveiling the Full Scope and Impact

Disney Leaves Slack: A Strategic Retreat

Walt Disney Co. is transitioning away from Slack after a serious data breach. The breach, which occurred in July 2024, compromised more than 1.1 terabytes of confidential data. This incident included 44 million messages and inside information about various projects at Slack. According to a news article in The Wall Street Journal, Disney has decided to shift to new corporate-wide communication software before the end of its fiscal year.

Why Disney Is Getting Off Slack

The NullBulge hack led Disney to move away from Slack. Hackers accessed thousands of internal channels, exposing unreleased projects, login credentials, and sensitive corporate data. This breach highlighted Slack’s vulnerability, especially due to weak employee security practices like not using robust authentication.

Disney’s decision isn’t just a reaction to the breach but a preventive step to reduce reliance on a platform that became a weak link in its cybersecurity. By switching to streamlined collaboration tools, Disney aims for platforms that offer tighter security and better integration with its IT systems.

History of Breaches at Disney

This is not the first time that the House of Mouse has faced a breach. In July 2024, Disney suffered a breach that exposed over 1.1TB of sensitive data, including 44 million messages, 18,800 spreadsheets, and internal project details. Several months ago in early June 2024, hackers targeted the Club Penguin Confluence server and led to leaking of 2.5 GB of data and information related to the company’s legacy operations.

Mitigation and Prevention: Enhancing Your Security Position

To prevent future incidents, companies like Disney harden up their security approach. One of these approaches involves using zero-trust products, where all actions are considered to be malicious unless proved otherwise and authenticated. The shift away from Slack for Disney should be used as an opportunity to have stronger encryption and more secure, decentralised methods of communication in a place.

Despite the risks, companies often prioritise familiar tools like Slack for their ease of use. Employees enjoy the convenience of SSO and real-time communication. However, this same ease of use can make these platforms vulnerable to attacks, as Disney’s breach demonstrated. Companies often avoid stricter security measures, such as multi-factor authentication (MFA), due to perceived inconvenience. This balance between convenience and security is where many organizations falter.


PureAUTH on the other hand, offers one-click access through passwordless authentication, which is friendly and secure.

Conclusion : One Move Toward Collaboration Over A Secure Platform

As Disney steps away from Slack, this highlights an emerging trend: companies must prioritise security in their collaboration tools. Convenience is awesome, but so is the robust security against emerging threats. PureAUTH balances convenience with the protection required to secure company data. If Disney had solutions like PureAUTH, then the breach might have been far less effective. As companies rethink their internal platforms for communication, the lesson is stark: security and usability are not mutually exclusive with PureAUTH. #gopasswordless

Read Also

Disney to ditch slack following July Data Breach

Fortinet Data Breach: Insights and Implications for Cloud Security

Introduction

Fortinet recently experienced a data breach with 440GB of stolen files. This incident underscores the critical importance of securing data in third-party cloud environments. In this blog, we dive into the details of the Fortinet breach, its implications, and why moving towards passwordless authentication is an essential step for enhancing security.

The Fortinet Breach: A Detailed Overview

Fortinet, renowned for its comprehensive cybersecurity solutions, has confirmed a significant data breach. The hacker, using the name “Fortibitch,” claimed to have exploited an Azure SharePoint vulnerability to steal 440GB of data in this breach, dubbed “Fortileak“.

Fortinet data breach: Fortibitch
Credit: Hackread.com

How the Breach Happened

According to reports, the breach involved unauthorised access to Fortinet’s Azure SharePoint instance. The hacker provided credentials to an Amazon S3 bucket where the stolen data was allegedly stored. The leaked data included customer information and various corporate documents.

Fortinet confirmed the breach involved less than 0.3% of its customer base, affecting a limited number of files. The company assured stakeholders that there was no evidence of malicious activity affecting its operations or services. No ransomware was deployed, and Fortinet’s corporate network remained secure.

The Response from Fortinet

Fortinet acted swiftly to mitigate the impact of the breach. The company engaged in immediate containment measures, including terminating the unauthorised access and notifying affected customers. They also worked with law enforcement and cybersecurity agencies to address the situation.

In their update, Fortinet emphasised that the breach did not involve data encryption or ransomware. The company’s operations and financial performance remain unaffected, with no significant impact reported.

Key Takeaways and Security Lessons

This incident highlights several critical lessons for organisations:

1. Secure Cloud Environments

The Fortinet breach underscores the need for robust security measures around cloud-based environments. Companies must properly configure their cloud storage solutions and actively protect them against unauthorized access.

2. Implement Strong Access Controls

Using multi factor authentication (MFA) is minimum, but given the MFA are also getting bypassed, more secure authentication like PureAUTH is highly recommended

3. Continuous Monitoring and Response

Proactive monitoring of cloud assets and rapid response to security incidents are essential for minimising the impact of breaches. Organisations should have incident response plans in place to handle such situations effectively.

Embracing Passwordless Authentication for Enhanced Security

As demonstrated by the Fortinet breach, traditional security measures, including passwords and MFA, are increasingly inadequate. The shift towards passwordless authentication offers a more secure and resilient alternative.

Passwordless authentication solutions like PureAuth provide a breach-resilient architecture by leveraging advanced cryptography and just-in-time access. This approach significantly reduces the risk of third-party breaches and enhances overall security. Key benefits include:

  • Breach Resilience: PureAuth’s architecture is designed to withstand breaches by eliminating the reliance on passwords and minimising attack vectors.
  • Flexible Security Measures: We work with you to design fallback and recovery mechanisms, ensuring uninterrupted access to enterprise resources.
  • Ongoing Support: Comprehensive breach support is available to address any issues that arise.
Fortinet data breach: Embracing passwordless authentication

Transitioning to passwordless authentication is no longer just a best practice but a necessity for enterprises aiming to protect critical assets. Passwords and traditional 2FA/MFA methods are becoming increasingly inefficient and insecure. Adopting a passwordless approach enhances security, simplifies access management, and aligns perfectly with modern cybersecurity needs.

Conclusion

The Fortinet data breach serves as a stark reminder of the evolving threats in the cybersecurity landscape. While Fortinet’s response has been commendable, organisations must take proactive steps to safeguard their data, especially in cloud environments. Moving towards passwordless authentication solutions like PureAuth offers a forward-thinking approach to security, addressing the limitations of traditional methods and providing a more resilient defence against breaches.

For enterprises looking to enhance their security posture, embracing passwordless authentication is not an option—it is a necessity. Ensure your organisation is equipped to handle the future of cybersecurity with advanced, breach-resilient solutions. #gopasswordless

How Hackers Exploit Active Directory Certificate Services for Long-Term Persistence

Introduction

Active Directory Certificate Services (AD CS) may seem like a helpful gatekeeper for managing digital certificates and encryption, but if it’s not configured just right, it can leave the door wide open for hackers. AD CS is often overlooked when it comes to security, making it a perfect treasure trove for attackers. And once they’re in, they can sneak around undetected, establishing long-term persistence in your network like they’re on an extended vacation.

Meme :  AD Certificate Services
Credit: Medium

In this blog, we’ll break down how hackers exploit AD CS, dive into some clever tactics from recent findings, and most importantly, explain what you can do to keep them out.

Hackers in the Shadows: How AD CS Is Exploited

AD CS is Microsoft’s Public Key Infrastructure (PKI) solution for issuing and managing digital certificates in Active Directory environments. When configured correctly, it helps secure network communications. But if misconfigured, AD CS can quickly become a hacker’s best friend, enabling them to access networks, steal credentials, and stay hidden for the long haul.

Key Attack Vectors

  1. Stealing Certificates: Imitation is the Best (Criminal) Strategy
    Hackers can grab user or machine certificates, along with private keys, and use them to impersonate legitimate users or machines. This is like copying someone’s ID, if the certificate remains valid, they can continue authenticating, even after passwords change.
  2. Requesting Fake Certificates: Elevation Without the Effort
    Imagine asking for a regular office key but getting access to the CEO’s office instead. Similarly, if there are any misconfigured certificate templates, low-privileged users can request certificates that grant admin-like privileges.
  3. Misconfigured Certificate Templates: Unintentional Free Pass
    Certificate templates can be dangerous when they allow attackers to specify Subject Alternative Names (SANs). This essentially hands over the keys to high-level users’ certificates—like getting access to a domain admin’s credentials. Templates that aren’t secured give attackers serious access.
  4. CA Private Key Theft: A Permanent Invitation
    If an attacker can get their hands on a Certificate Authority (CA) private key, they can generate certificates for any user in the domain. This grants them persistent access that’s nearly impossible to revoke.
  5. Become a Shadow CA
    If an attacker can get a certificate signing request (CSR) signed by CA, which has constraint isCA is set to True, and allowed its use for signing other certificates, then the issue\d certificate makes the attacker a Parallel CA, which can independently generate any arbitrary certificates which will be considered as valid.
How to exploit AD Certificate Services

Tools of the Trade: Certify and ForgeCert

Hackers aren’t going in blind—they’ve got tools that make exploiting AD CS a breeze. The whitepaper by Will Schroeder and Lee Christensen highlights two key tools:

  • Certify: This tool scans for AD CS misconfigurations and assists attackers in requesting malicious certificates. It functions like a vulnerability scanner specifically designed for certificates.
  • ForgeCert: Attackers use this tool to create fake certificates with a stolen CA private key. By forging these certificates, they gain permanent access to your network, making detection much more challenging.
 Certify tool to exploit AD Certificate Services

Mitigation: Fortify Your AD CS Before It’s Too Late

So, how can companies stop attackers from abusing AD CS? It’s all about treating your certificates like they’re gold and your CAs like they’re Fort Knox. Here’s a breakdown of what you need to do:

  1. Treat CAs as Critical Assets
    Your CA servers should be protected like domain controllers (or fort knox), lock them down and apply Tier 0 security controls. These systems are high-value targets, and attackers know it.
  2. Audit and Harden Certificate Templates
    Regularly audit your certificate templates and remove any unnecessary features, like SAN customization, which could give attackers an easy way in. Ensure templates are configured for minimum privilege.
  3. Secure CA Private Keys
    Store CA private keys in hardware security modules (HSMs). This keeps them away from prying hands and makes it significantly harder for attackers to steal them.
  4. Monitor Certificate Activity
    Keep an eye on your certificate enrolments, authentications, and template modifications. If something seems off, it probably is. Proactive monitoring can be your early warning system.

Conclusion

Active Directory Certificate Services isn’t inherently insecure, but its complexity makes it ripe for misconfiguration. When that happens, hackers can sneak in, steal credentials, and establish persistence that’s incredibly tough to detect and eliminate. As the Certified Pre-Owned whitepaper highlights, understanding the risks and securing AD CS is key to preventing these kinds of attacks.

To learn more about Secure usage & management of X509 Certificates, you can refer to this in depth Practitioners Guide authored by our founder Ajit Hatti as part of Null Cipher Security Club

In short, if you’re not securing AD CS, hackers might just settle in and stick around your network for longer than you’d like.

Read Also

Certified Pre-Owned: Abusing Active Directory Certificate Services

Microsoft Entra ID Vulnerabilities: Pass-Through Authentication Risks

Microsoft Reveals Russian Hack: Executives’ Emails Compromised

Secure Usage & Management of X509 Certificate

Microsoft Entra ID Vulnerabilities: Pass-Through Authentication Risks

Introduction to Microsoft Entra ID and Pass-Through Authentication

Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), provides a unified identity management solution for both on-premises and cloud-based applications. One key feature of Entra ID Pass-Through Authentication (PTA), which allows users to sign in using the same password for both environments. This setup aims to enhance user experience and reduce IT support costs.

How Pass-Through Authentication Works

In PTA, the system validates users’ passwords against the on-premises Active Directory (AD) instead of storing them in the cloud. When a user tries to log in, Azure AD redirects them, and they enter their credentials. The system encrypts these credentials and sends them to a queue. An on-premises PTA agent retrieves the credentials from the queue, decrypts them, and checks them against the on-prem AD. The agent then sends the result back to Azure AD to complete the login process.

Microsoft Entra ID vulnerabilities: How PTA Works
Credit – Cymulate

Recent Vulnerabilities and Exploits

A recent vulnerability has exposed critical flaws in Microsoft Entra ID’s PTA mechanism. Researchers have discovered that attackers with local administrative privileges on a PTA agent can bypass authentication controls. This flaw allows attackers to impersonate any synchronised user without knowing their actual password.

This vulnerability effectively turns the PTA agent into a “Double Agent,” granting unauthorised access to any user account, including those with elevated privileges. If exploited, attackers could potentially gain full network privileges across the enterprise, posing significant risks.

Attack Methods and Implications

  1. Compromising the PTA Agent: Attackers who gain administrative access to the PTA agent can use tools to install a backdoor. This backdoor enables the attacker to authenticate as any user and even retrieve passwords in clear text.
  2. Seamless SSO Vulnerabilities: Seamless Single Sign-On (SSO) can also be used in coexistence with PTA, which introduces additional risks. Exploiting these vulnerabilities can further compromise an organisation’s security.
  3. Lateral Movement: Once inside the network, attackers can exploit the PTA vulnerability to move laterally across different domains and departments, increasing the scope of the attack.

Mitigation Strategies

To mitigate these risks, Microsoft suggested treating the Entra Connect server as a Tier 0 component, along with hardening the Microsoft Entra Connect server as a Control Plane asset.

Additionally, organizations should implement several key security measures:

  • Restrict Access: Limit access to PTA agent servers to prevent unauthorised modifications.
  • Robust Password Policies: Enforce strong password policies to enhance security.
  • Multi-Factor Authentication (MFA): Require MFA to add an additional layer of security and prevent lateral movement.
  • Monitor Authentication Logs: Implement encrypted authentication logs with detection alerts to identify and respond to potential breaches quickly.

Secure Authentication with PureAUTH

Time and again we have seen Microsoft and other traditional IAM solution providers rely on passwords & fail to provide secure authentication across cloud and on premise environments.

For more secure & reliable authentication, enterprises can depend on PureAUTH IAM firewall which protects enterprises from all credential based attacks and such 0 day vulnerabilities.

Conclusion

The Microsoft Entra ID vulnerability highlights the importance of securing authentication mechanisms and understanding potential weaknesses in identity management systems. With the constantly changing best practices implementing secure authentication is difficult. Organisations must constantly work to protect themselves from such threats.

For more details, refer to the Cymulate blog post and Microsoft’s official security advisories.

SnowBall effect of Snowflake Breach

Executive Summary

Snowflake an American cloud computing–based data cloud company, identified a breach in June 2024, which had far-reaching implications for various organisations. Attackers exploited stolen credentials from a Snowflake employee, enabling unauthorised access to sensitive customer data, including credentials and access tokens. This breach was exacerbated by bypassing Okta’s security measures, allowing the attackers to generate new session tokens and access extensive customer data without detection.

Key Affected Customers:

Attack Method

  • Credentials Theft: Initial access through compromised employee credentials
  • Bypass Mechanism: Circumvention of Okta Security Protocols
  • Exploitation: Generation of new session tokens to access databases and steal data

The Domino Effect

The Snowflake breach has created a domino effect, where the initial compromise has led to multiple subsequent breaches. This incident mirrors the earlier Okta breach,, where attackers leveraged stolen credentials to infiltrate various organizations.

Domino Effect of Snowflake Breach

Companies affected include:

  • Ticketmaster: Reported unauthorised access to sensitive data.
  • Advance Auto Parts: Experienced data theft, with stolen information now for sale on dark web marketplaces.
  • Santander Bank: Compromised customer data led to financial and reputational damage.
  • Hugging Face, Quote Wizard, Lending Tree: Also reported breaches, with more organizations likely to follow .

Inherent Weaknesses in Traditional IAM Solutions

Password + MFA Based Authentication:

  • Reliance on passwords makes systems vulnerable to phishing and credential theft.
  • Multi-Factor Authentication (MFA) is often ineffective as attackers can bypass Password + MFA protection mainly by phishing or using a compromised device.
  • Social Engineering attacks have shown that phishing resistant MFA like FIDO keys, & passkeys can prove to be ineffective & can be easily disabled or reset.

IAM Blind Spots:

Apart from reliance on vulnerable passwords for identifying user. The existing IAM solutions are blind to following risks

  • Connection Risk – Traditional IAM solutions lack visibility of user connections. They cannot know whether an authentication request is coming from an authorised actor or an attacker in the middle.
  • User’s Device Risk – They also do not account for the type & security posture of user’s devices, leaving systems exposed to malware and remote monitoring, as seen in the Uber incident.

Impact Assessment

The Snowflake breach is termed as the biggest data breach so far and it’s cascading effect has led to numerous organisations reporting security incidents & data breach. 

The amplification effect could potentially lead to a vast number of downstream breaches, escalating the overall impact.

Impact of Snowflake Breach
Credit: XQ

Towards a Secure Future

Challenges with Current Solutions:

  • Time and again Password + MFA based systems are proven to be ineffective against simple attacks like phishing & social engineering.
  • There is a pressing need for more robust authentication mechanisms.

Protect your Enterprise, #GoPasswordless with PureAUTH

FIDO Solutions like Passkeys and hardware tokens focus on giving users a passwordless experience keeping the passwords on the server as the primary way to identify and authenticate users.

PureAUTH Platform on the other hand provides a comprehensive passwordless approach, eliminating the passwords from server side & not just from user side. PureAUTH is the only solution that protects an organisation against phishing, social engineering, frauds & all types of credential-based attack.

To learn more about PureAUTH & how it protects your existing IAM systems like Okta, OneLogin, CISCO Duo, or Azure AD in just 60 minutes at Zero Cost – get in touch with us

Related Blogs

Okta Warns Customers of Credential Stuffing Attacks

Unpacking Okta’s Recent Security Breach