Cisco Data Breach: A Timeline of Events and Broader Implications

A Breach That Keeps Unfolding:

When Cisco was accused of a breach by a hacker named IntelBroker in October 2024, the tech giant initially denied any compromise of its internal systems. However, as the situation unfolded and over 4GB of data was leaked, Cisco acknowledged the authenticity of the exposed files while maintaining that its enterprise environments remained secure.

This incident sheds light on a concerning trend: organizations frequently deny breaches outright, only to later concede limited impact as evidence continues to emerge. In this blog, we examine the timeline of events, the repercussions, and the broader lessons stemming from the Cisco breach.

Timeline of the Breach

  1. October 14, 2024
    • Hacker IntelBroker announced a “Cisco breach” on BreachForums.
    • Claims included access to source code, credentials, and confidential documents from major companies, including Cisco.
  2. October 21, 2024
    • Cisco confirmed an investigation was underway but denied a breach of its internal systems.
    • The company reported that the data was accessed from a public-facing DevHub environment due to a configuration error.
  3. Mid-December 2024
    • IntelBroker leaked 2.9GB of data, including source code, certificates, and scripts.
    • Cisco acknowledged the leak but reiterated no sensitive personal or financial information was compromised.
  4. December 25, 2024
    • The hacker released an additional 4.45GB of data on BreachForums, claiming it was part of a much larger dataset.
    • Cisco analyzed the leak and confirmed its alignment with files previously identified in October.
  5. December 31, 2024
    • Cisco confirmed the authenticity of the leaked data but maintained that its internal systems remained uncompromised.
Cisco Data Breach: Timeline

Impact Analysis: What’s at Stake?

The breach exposed:

  • Source Code: Critical for Cisco products like WebEx, Catalyst,z and Secure Access Service Edge (SASE).
  • Internal Project Archives: Java binaries, Cryptographic Signatures, Certificates, and Configuration files.
  • Customer-Related Data: Files linked to Cisco CX Professional Services customers.

 What Cisco Claims:

  • No sensitive personal or financial information was exposed.
  • Internal production systems were unaffected.

Risks Highlighted:

  1. Exploitation Potential: Exposed source code could help attackers identify vulnerabilities in Cisco products.
  2. Supply Chain Risks: Customers and partners could be indirectly targeted using leaked data.
  3. Reputation Damage: Prolonged uncertainty damages trust in Cisco’s security practices.

A Broader Trend: Denial, Admission, and Full Disclosure

Cisco’s handling of the breach mirrors a recurring pattern:

  1. Initial Denial: Early claims often assert no compromise.
  2. Partial Admission: As evidence mounts, organizations acknowledge limited impact.
  3. Full Scope Revealed: Final admissions often come after external pressure or further leaks.

The Okta breach followed a similar trajectory, where early denials gave way to admissions of more significant exposure.

Lessons for the Future

Cisco’s breach underscores critical lessons for organizations:

  1. Prioritize Transparency: Honest and timely communication can mitigate reputational damage.
  2. Audit Public-Facing Platforms: Regular checks can prevent inadvertent exposure of sensitive files.
  3. Strengthen Configuration Management: Misconfigurations remain a top cause of data exposure.
  4. Adopt Proactive Monitoring: Real-time alerts can detect unusual activity before damage escalates.

Conclusion: A Story Still Unfolding

The Cisco breach, though limited in scope compared to initial claims, highlights how vulnerabilities in public-facing platforms can quickly escalate into significant incidents. While Cisco has introduced corrective measures, the full impact of the exposed data remains unclear.

This case illustrates a broader trend where companies initially deny breaches, only to gradually disclose the extent of their impact over time. As we await further updates and mitigation efforts from Cisco, the importance of proactive security strategies and transparent communication has become increasingly evident.

BeyondTrust Breach: A Wake-Up Call for Cybersecurity

Introduction

Imagine this: An organization that promises to protect your passwords and block unauthorized access falls victim to the very attack it aims to prevent. That’s exactly what happened to BeyondTrust, one of the well-known companies in the privileged access management space, when attackers targeted their Remote Support SaaS instances earlier this month. The breach exposed a serious vulnerability CVE-2024-12356 that allows attackers to execute commands remotely. Though BeyondTrust responded with swift patching of the problem, the incident leaves several tough questions regarding the exploitations that can even take place against the best of defenses.

What Went Wrong in the BeyondTrust Breach?

On December 2, 2024, BeyondTrust noticed something unusual: attackers had seized an API key for their Remote Support SaaS. This gave them the power to reset application passwords and gain unauthorized access.

As they investigated, BeyondTrust uncovered two vulnerabilities:

  • CVE-2024-12356: A critical flaw that scored 9.8 out of 10 in severity and lets attackers inject commands remotely.
  • CVE-2024-12686: A medium-severity bug that allows attackers with admin privileges to upload malicious files.

What’s worse, CVE-2024-12356 wasn’t just a hypothetical risk. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that attackers were already exploiting it in the wild.

The Irony

It’s hard to ignore the irony. BeyondTrust promised to protect against attacks like remote code execution and password theft, but attackers breached its defenses.

This isn’t the first time BeyondTrust has faced such a challenge. Last year, the company confirmed they were targeted after the Okta breach, underscoring how interconnected cybersecurity threats have become.

This is not BeyondTrust’s story alone but a stark reminder that no company, not even cybersecurity experts, is perfectly immune to attacks.

Why It Matters for Businesses

Thousands of organizations in healthcare, retail, and banking use BeyondTrust’s tools. A breach like this doesn’t just affect the company; it ripples out, impacting businesses that rely on their tools.

Here’s why this should matter to you:

  • Eroded Trust: Clients might start questioning the reliability of their systems.
  • Raising Risk: Exploited vulnerabilities can lead to data theft, operational issues, or worse.
  • Supply Chain Woes: If a key vendor is breached, one asks themselves how secure third-party software really is.

What You Can Do to Protect Your Business

Whether or not you use BeyondTrust’s products, it is a good time to take stock of your security practices. Here’s what you can do right now:

  1. Patch Your Systems: Update to the latest versions of BeyondTrust’s PRA and RS software.
  2. Check for Signs of Trouble: Review logs for unusual activity linked to API keys.
  3. Limit Your Exposure: Disable any unnecessary features and limit your access to the internet.
  4. Be Alerted: Monitor updates from BeyondTrust and cybersecurity agencies such as CISA.

Conclusion

The BeyondTrust breach is a reality check for everyone. Even the most trusted cybersecurity companies can get caught in the crossfire. It’s a reminder that no system is invincible and that vigilance is non-negotiable.

This means that organizations go beyond trust—pun intended—and actively work toward making their defenses stronger. They should update early, monitor their systems, and never assume they are safe. In today’s evolving world of cyber threats, one can only protect what matters most by staying a step ahead.

Termite Exploits Cleo Zero-Day in Widespread Attacks

Introduction

Cleo’s popular file transfer software has fallen victim to a critical zero-day vulnerability, and the Termite ransomware group is wasting no time exploiting it. This flaw impacts Cleo’s Harmony, VLTrader, and LexiCom products—tools trusted by over 4,200 organizations in industries like logistics, manufacturing, and transportation.

Despite an earlier patch in October, the flaw (CVE-2024-50623) remains a serious threat, leaving businesses scrambling to protect their data and operations.

Cleo Zero Day Vulnerability
Credit: Huntress

What’s Happening with the Cleo Zero-Day?

The vulnerability allows attackers to upload malicious files, execute commands remotely, and potentially steal sensitive data. First detected on December 3, the attacks have escalated rapidly, targeting industries like consumer goods and trucking.

The Technical Lowdown:

  • Affected Products: Harmony, VLTrader, and LexiCom (versions before 5.8.0.21).
  • What’s the Risk?: Attackers can run unauthorized commands, leading to data breaches and operational disruptions.
  • The Culprit: Termite ransomware, which has already hit major organizations like Blue Yonder and Starbucks, is suspected.

How to Stay Safe: Immediate Steps to Take

While Cleo develops a new patch, here’s how you can mitigate the risk:

  1. Unplug from the Internet: Temporarily disconnect Cleo systems from public access.
  2. Turn Off Autorun:
    • Open Cleo’s settings.
    • Go to Configure > Options > Other Pane and disable the autorun directory.
    • Save the changes.
  3. Check for Signs of Trouble:
    • Look for suspicious files like healthchecktemplate.txt or .jar files in Cleo directories.
    • Use Cleo-provided scripts to scan for malicious activity.
  4. Stay Updated: Monitor Cleo’s security bulletins for patch updates.

Who’s Behind This?

All signs point to Termite, a growing ransomware group that mirrors the infamous Clop gang in its operations. Termite has gained a reputation for targeting file transfer software vulnerabilities, and some experts speculate they could be filling the gap left by Clop’s declining activity.

Their tactics include deploying malicious web shells to maintain access, running reconnaissance tools to identify assets, and using stolen data as leverage in ransom demands.

Conclusion

The Cleo zero-day vulnerability serves as another reminder of how quickly ransomware groups exploit weaknesses in trusted software. Organizations relying on Cleo products need to act now to protect their systems and data.

Third-Party Breaches: A Growing Concern

The ripple effects of a breach like this extend far beyond the immediate victims. High-profile organizations like Target, Walmart, Lowes, CVS, The Home Depot, FedEx, Kroger, Wayfair, Dollar General, Victrola, and Duraflame, which rely on Cleo software, now face the risk of third-party breaches. Attackers targeting Cleo’s vulnerabilities could exploit access to these businesses’ supply chains, putting customer data and operations at risk.

Third-party breaches are a significant pain point for businesses today, exposing them to reputational damage, financial loss, and regulatory scrutiny. Companies must assess their supply chain security and demand transparency and accountability from vendors like Cleo.

Zello Faces Another Potential Data Breach, Urges Precautionary Measures

Introduction

Zello, the widely-used push-to-talk app, is once again under scrutiny for its handling of user security. Recently, the company required users to reset their passwords, citing concerns that point to either a credential-stuffing attack or a potential data breach. With 175 million users spanning sectors like emergency response and hospitality, this incident has raised significant questions about the platform’s security measures.

What Happened?

On November 15, 2024, Zello warned users whose account creation date was before November 2nd to change their password. While the exact incident is not known, evidence suggests that:

  • Possible Breach: Customer credentials may have been accessed by unauthorized users.
  • Credential-Stuffing Attack: Threat actors might be using passwords compromised earlier to gain access.

This measure aims to mitigate risks to affected accounts.

Zello Potential Data Theft
Credit: CyberIL

Breaches History at Zello

In 2020, Zello faced a similar challenge:

Data Breach in 2020:

  • Unauthorized activity on a server led to the exposure of email addresses and hashed passwords.
  • Zello required password resets and asked users not to reuse passwords across platforms.

While the company achieved ISO 27001 certification in September 2024—a certification enforcing strict information security procedures—the recurrence of such incidents questions the strength of Zello’s defenses.

The Implications

If confirmed, such a breach or an attack might empower cybercriminals to:

  • Steal Credentials: Access account data for unauthorized use.
  • Expand Attacks: Use cracked passwords for credential-stuffing attacks on other platforms.
  • Expose Sensitive Operations: With Zello used by first responders and other critical sectors, data misuse could disrupt essential services.

What Users Should Do

Zello users should take the following steps to safeguard their accounts immediately:

  • Reset Passwords: Change passwords immediately for accounts created before November 2, 2024.
  • Use Unique Passwords: Avoid reusing passwords across different services.
  • Enable Security Tools: Consider using password managers to generate strong, unique passwords.

With passwordless solutions like PureAuth, organizations can eliminate vulnerabilities altogether, ensuring security by design and default.

Conclusion

The latest security incident at Zello serves as a grim reminder of the changing cyber threats that organizations face. Though breaches may not always be avoidable, proactive measures like enforcing password resets and adopting robust access management solutions can go a long way in mitigating risks.

By going passwordless, facilitated by solutions like PureAuth, businesses can ensure user credentials and data are secure by default and design, protecting against future incidents.

Read Also

Your 1st Step to #GoPasswordless

Making World Password Free

3 ways passwords are Failing the Enterprises

Storm-0501: Unveiling the Tactics Behind Multi-Stage Hybrid Cloud Attacks

Introduction

The global cloud services market, valued at $551.8 billion in 2021, is projected to reach $2.5 trillion by 2031. This explosive growth makes cloud environments a prime target for cyber criminals. One such group is Storm-0501, an extortion-orientated cyber crime group that’s been conducting multi-stage attacks against hybrid cloud environments in government, manufacturing, transportation, and law enforcement. Since its inception in 2021, Storm-0501 has changed its operations, shifting from targeting U.S. school districts to running RaaS operations. This blog post explains the tactics, techniques and procedures (TTPs) of the group to help improve organizational defenses with mitigation strategies.

Storm-0501 TTPs: Steal Technique

Initial Compromise and Discovery

Storm-0501 has traditionally obtained initial access using compromised credentials or exploitation of known vulnerabilities in systems with widespread use. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho, ManageEngine (CVE-2022-47966), Citrix, NetScaler (CVE-2023-4966), and ColdFusion (possibly CVE-2023-29300 or CVE-2023-38203). After gaining entry into the target network, it conducts extensive exploration using several tools to find high-value assets, obtain credentials, and increase privileges.

Lateral Movement and Credential Theft

Storm-0501 uses Impacket’s SecretsDump and Cobalt Strike to move laterally across the network grabbing credentials to compromise additional devices. They target the administrative accounts, mostly utilizing password reuse or weak credentials, accessing both their on-premises and cloud environments. Using cloud session hijacking, especially in Microsoft Entra, they establish persistent backdoor access into the target systems.

From Ground to Cloud: Storm-0501’s Cross-Environment Exploits

One of the most significant tactics Storm-0501 uses is the exploitation of the Microsoft Entra Connect Sync service by doing synchronization of credentials between the on-premises AD and cloud. The attackers escalate the privileges in both environments after compromising the sync accounts to have control over the cloud environment and for a persistent backdoor for the next attack.

Storm 0501 Exploit
Credit: Microsoft

Aftermath of the Storm-0501 Attack

The aftermath of a Storm-0501 attack can be devastating, with the group often gaining control over both on-prem and cloud environments, exfiltrating sensitive data, deploying ransomware, and tampering with security products to avoid detection. The threat will only increase with the new deployment of Embargo ransomware, where victim data is encrypted and sensitive information leaked unless a ransom is paid.

Such attacks would lead to the stealing of credentials, data breaches, service disruptions, and heavy financial losses. Storm-0501 pays extra attention to sensitive sectors such as hospitals, which raises stakes not only on data security but also public safety.

Mitigation

Hybrid Cloud Security Enhancement

While Microsoft has implemented restricted permissions on DSA roles in Entra Connect Sync and Entra Cloud Sync, defending Storm-0501 needs a robust, multi-layered approach. Conditional Access policy can further harden access to cloud services from non-verified devices and locations as a risk mitigation approach.

Harden Cloud Security Measures

Even solutions proposed by today’s market leaders such as Microsoft are still often based on passwords in most cases and, hence, would probably fail to deliver proper authentication in a much-enlarged, cloud-to-on-premises environment. Therefore, organizations should embrace solutions such as PureAUTH IAM Firewall that come with the strongest security and reliability against attacks exploiting credentials and even zero-day vulnerabilities. Built on a zero-trust architecture, it provides reliable, passwordless protection, further enhancing resilience against sophisticated threats.

Conclusion

Organizations need to move away from convenient and conventional IAM solutions and start interacting with leading edge defenses, such as passwordless authentication. Enhancing cloud security policies and infrastructure defenses will enable enterprises to withstand new cyber threats.

Solutions like PureAUTH will help organizations build a far more robust infrastructure that is not only adaptable but will also neutralize the most sophisticated cyber threats in existence.

Read Also

Microsoft Entra ID Vulnerabilities: Pass-Through Authentication Risks

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

The achilles’ heel of cloud security: Why two-factor authentication isn’t enough

Disney Leaves Slack: A Strategic Retreat

Walt Disney Co. is transitioning away from Slack after a serious data breach. The breach, which occurred in July 2024, compromised more than 1.1 terabytes of confidential data. This incident included 44 million messages and inside information about various projects at Slack. According to a news article in The Wall Street Journal, Disney has decided to shift to new corporate-wide communication software before the end of its fiscal year.

Why Disney Is Getting Off Slack

The NullBulge hack led Disney to move away from Slack. Hackers accessed thousands of internal channels, exposing unreleased projects, login credentials, and sensitive corporate data. This breach highlighted Slack’s vulnerability, especially due to weak employee security practices like not using robust authentication.

Disney’s decision isn’t just a reaction to the breach but a preventive step to reduce reliance on a platform that became a weak link in its cybersecurity. By switching to streamlined collaboration tools, Disney aims for platforms that offer tighter security and better integration with its IT systems.

History of Breaches at Disney

This is not the first time that the House of Mouse has faced a breach. In July 2024, Disney suffered a breach that exposed over 1.1TB of sensitive data, including 44 million messages, 18,800 spreadsheets, and internal project details. Several months ago in early June 2024, hackers targeted the Club Penguin Confluence server and led to leaking of 2.5 GB of data and information related to the company’s legacy operations.

Mitigation and Prevention: Enhancing Your Security Position

To prevent future incidents, companies like Disney harden up their security approach. One of these approaches involves using zero-trust products, where all actions are considered to be malicious unless proved otherwise and authenticated. The shift away from Slack for Disney should be used as an opportunity to have stronger encryption and more secure, decentralised methods of communication in a place.

Despite the risks, companies often prioritise familiar tools like Slack for their ease of use. Employees enjoy the convenience of SSO and real-time communication. However, this same ease of use can make these platforms vulnerable to attacks, as Disney’s breach demonstrated. Companies often avoid stricter security measures, such as multi-factor authentication (MFA), due to perceived inconvenience. This balance between convenience and security is where many organizations falter.


PureAUTH on the other hand, offers one-click access through passwordless authentication, which is friendly and secure.

Conclusion : One Move Toward Collaboration Over A Secure Platform

As Disney steps away from Slack, this highlights an emerging trend: companies must prioritise security in their collaboration tools. Convenience is awesome, but so is the robust security against emerging threats. PureAUTH balances convenience with the protection required to secure company data. If Disney had solutions like PureAUTH, then the breach might have been far less effective. As companies rethink their internal platforms for communication, the lesson is stark: security and usability are not mutually exclusive with PureAUTH. #gopasswordless

Read Also

Disney to ditch slack following July Data Breach

Fortinet Data Breach: Insights and Implications for Cloud Security

Introduction

Fortinet recently experienced a data breach with 440GB of stolen files. This incident underscores the critical importance of securing data in third-party cloud environments. In this blog, we dive into the details of the Fortinet breach, its implications, and why moving towards passwordless authentication is an essential step for enhancing security.

The Fortinet Breach: A Detailed Overview

Fortinet, renowned for its comprehensive cybersecurity solutions, has confirmed a significant data breach. The hacker, using the name “Fortibitch,” claimed to have exploited an Azure SharePoint vulnerability to steal 440GB of data in this breach, dubbed “Fortileak“.

Fortinet data breach: Fortibitch
Credit: Hackread.com

How the Breach Happened

According to reports, the breach involved unauthorised access to Fortinet’s Azure SharePoint instance. The hacker provided credentials to an Amazon S3 bucket where the stolen data was allegedly stored. The leaked data included customer information and various corporate documents.

Fortinet confirmed the breach involved less than 0.3% of its customer base, affecting a limited number of files. The company assured stakeholders that there was no evidence of malicious activity affecting its operations or services. No ransomware was deployed, and Fortinet’s corporate network remained secure.

The Response from Fortinet

Fortinet acted swiftly to mitigate the impact of the breach. The company engaged in immediate containment measures, including terminating the unauthorised access and notifying affected customers. They also worked with law enforcement and cybersecurity agencies to address the situation.

In their update, Fortinet emphasised that the breach did not involve data encryption or ransomware. The company’s operations and financial performance remain unaffected, with no significant impact reported.

Key Takeaways and Security Lessons

This incident highlights several critical lessons for organisations:

1. Secure Cloud Environments

The Fortinet breach underscores the need for robust security measures around cloud-based environments. Companies must properly configure their cloud storage solutions and actively protect them against unauthorized access.

2. Implement Strong Access Controls

Using multi factor authentication (MFA) is minimum, but given the MFA are also getting bypassed, more secure authentication like PureAUTH is highly recommended

3. Continuous Monitoring and Response

Proactive monitoring of cloud assets and rapid response to security incidents are essential for minimising the impact of breaches. Organisations should have incident response plans in place to handle such situations effectively.

Embracing Passwordless Authentication for Enhanced Security

As demonstrated by the Fortinet breach, traditional security measures, including passwords and MFA, are increasingly inadequate. The shift towards passwordless authentication offers a more secure and resilient alternative.

Passwordless authentication solutions like PureAuth provide a breach-resilient architecture by leveraging advanced cryptography and just-in-time access. This approach significantly reduces the risk of third-party breaches and enhances overall security. Key benefits include:

  • Breach Resilience: PureAuth’s architecture is designed to withstand breaches by eliminating the reliance on passwords and minimising attack vectors.
  • Flexible Security Measures: We work with you to design fallback and recovery mechanisms, ensuring uninterrupted access to enterprise resources.
  • Ongoing Support: Comprehensive breach support is available to address any issues that arise.
Fortinet data breach: Embracing passwordless authentication

Transitioning to passwordless authentication is no longer just a best practice but a necessity for enterprises aiming to protect critical assets. Passwords and traditional 2FA/MFA methods are becoming increasingly inefficient and insecure. Adopting a passwordless approach enhances security, simplifies access management, and aligns perfectly with modern cybersecurity needs.

Conclusion

The Fortinet data breach serves as a stark reminder of the evolving threats in the cybersecurity landscape. While Fortinet’s response has been commendable, organisations must take proactive steps to safeguard their data, especially in cloud environments. Moving towards passwordless authentication solutions like PureAuth offers a forward-thinking approach to security, addressing the limitations of traditional methods and providing a more resilient defence against breaches.

For enterprises looking to enhance their security posture, embracing passwordless authentication is not an option—it is a necessity. Ensure your organisation is equipped to handle the future of cybersecurity with advanced, breach-resilient solutions. #gopasswordless

How Hackers Exploit Active Directory Certificate Services for Long-Term Persistence

Introduction

Active Directory Certificate Services (AD CS) may seem like a helpful gatekeeper for managing digital certificates and encryption, but if it’s not configured just right, it can leave the door wide open for hackers. AD CS is often overlooked when it comes to security, making it a perfect treasure trove for attackers. And once they’re in, they can sneak around undetected, establishing long-term persistence in your network like they’re on an extended vacation.

Meme :  AD Certificate Services
Credit: Medium

In this blog, we’ll break down how hackers exploit AD CS, dive into some clever tactics from recent findings, and most importantly, explain what you can do to keep them out.

Hackers in the Shadows: How AD CS Is Exploited

AD CS is Microsoft’s Public Key Infrastructure (PKI) solution for issuing and managing digital certificates in Active Directory environments. When configured correctly, it helps secure network communications. But if misconfigured, AD CS can quickly become a hacker’s best friend, enabling them to access networks, steal credentials, and stay hidden for the long haul.

Key Attack Vectors

  1. Stealing Certificates: Imitation is the Best (Criminal) Strategy
    Hackers can grab user or machine certificates, along with private keys, and use them to impersonate legitimate users or machines. This is like copying someone’s ID, if the certificate remains valid, they can continue authenticating, even after passwords change.
  2. Requesting Fake Certificates: Elevation Without the Effort
    Imagine asking for a regular office key but getting access to the CEO’s office instead. Similarly, if there are any misconfigured certificate templates, low-privileged users can request certificates that grant admin-like privileges.
  3. Misconfigured Certificate Templates: Unintentional Free Pass
    Certificate templates can be dangerous when they allow attackers to specify Subject Alternative Names (SANs). This essentially hands over the keys to high-level users’ certificates—like getting access to a domain admin’s credentials. Templates that aren’t secured give attackers serious access.
  4. CA Private Key Theft: A Permanent Invitation
    If an attacker can get their hands on a Certificate Authority (CA) private key, they can generate certificates for any user in the domain. This grants them persistent access that’s nearly impossible to revoke.
  5. Become a Shadow CA
    If an attacker can get a certificate signing request (CSR) signed by CA, which has constraint isCA is set to True, and allowed its use for signing other certificates, then the issue\d certificate makes the attacker a Parallel CA, which can independently generate any arbitrary certificates which will be considered as valid.
How to exploit AD Certificate Services

Tools of the Trade: Certify and ForgeCert

Hackers aren’t going in blind—they’ve got tools that make exploiting AD CS a breeze. The whitepaper by Will Schroeder and Lee Christensen highlights two key tools:

  • Certify: This tool scans for AD CS misconfigurations and assists attackers in requesting malicious certificates. It functions like a vulnerability scanner specifically designed for certificates.
  • ForgeCert: Attackers use this tool to create fake certificates with a stolen CA private key. By forging these certificates, they gain permanent access to your network, making detection much more challenging.
 Certify tool to exploit AD Certificate Services

Mitigation: Fortify Your AD CS Before It’s Too Late

So, how can companies stop attackers from abusing AD CS? It’s all about treating your certificates like they’re gold and your CAs like they’re Fort Knox. Here’s a breakdown of what you need to do:

  1. Treat CAs as Critical Assets
    Your CA servers should be protected like domain controllers (or fort knox), lock them down and apply Tier 0 security controls. These systems are high-value targets, and attackers know it.
  2. Audit and Harden Certificate Templates
    Regularly audit your certificate templates and remove any unnecessary features, like SAN customization, which could give attackers an easy way in. Ensure templates are configured for minimum privilege.
  3. Secure CA Private Keys
    Store CA private keys in hardware security modules (HSMs). This keeps them away from prying hands and makes it significantly harder for attackers to steal them.
  4. Monitor Certificate Activity
    Keep an eye on your certificate enrolments, authentications, and template modifications. If something seems off, it probably is. Proactive monitoring can be your early warning system.

Conclusion

Active Directory Certificate Services isn’t inherently insecure, but its complexity makes it ripe for misconfiguration. When that happens, hackers can sneak in, steal credentials, and establish persistence that’s incredibly tough to detect and eliminate. As the Certified Pre-Owned whitepaper highlights, understanding the risks and securing AD CS is key to preventing these kinds of attacks.

To learn more about Secure usage & management of X509 Certificates, you can refer to this in depth Practitioners Guide authored by our founder Ajit Hatti as part of Null Cipher Security Club

In short, if you’re not securing AD CS, hackers might just settle in and stick around your network for longer than you’d like.

Read Also

Certified Pre-Owned: Abusing Active Directory Certificate Services

Microsoft Entra ID Vulnerabilities: Pass-Through Authentication Risks

Microsoft Reveals Russian Hack: Executives’ Emails Compromised

Secure Usage & Management of X509 Certificate

RockYou2024: Nearly 10 Billion Passwords Leaked Online

Introduction

On July 4, 2024, the cybersecurity community was rocked by the discovery of RockYou2024, the largest password compilation leak in history. This staggering breach, revealed by a Cybernews research team, includes nearly 10 billion unique plaintext passwords. The massive dataset, posted on a popular hacking forum, presents severe security risks, especially for users prone to reusing passwords.

The RockYou2024 Password Leak

The RockYou2024 password leak, tracked as the largest of its kind, was unveiled by Cybernews researchers. The file, named rockyou2024.txt, contains an astounding 9,948,575,739 unique plaintext passwords. The dataset was posted by a user named “ObamaCare,” who has a history of leaking sensitive information. This compilation is believed to be a mix of old and new data breaches, significantly increasing the risk of credential stuffing attacks.

Credit: Cybernews

A Brief History of RockYou

The RockYou series of password leaks dates back to 2009, when the original RockYou breach exposed over 32 million user account details. In 2021, the RockYou2021 compilation, containing 8.4 billion passwords, set a new record at the time. RockYou2024 expands on this legacy, adding another 1.5 billion new passwords, making it the largest password dump to date.

Impact and Exploitation Risks

The RockYou2024 leak poses significant dangers due to the vast number of real-world passwords it contains. Cyber-criminals can leverage this data to execute brute-force attacks, attempting to gain unauthorised access to various online accounts. Combined with other leaked databases containing usernames and email addresses, RockYou2024 could lead to widespread data breaches, financial fraud, and identity theft.

How to Protect Against RockYou2024

Reset Compromised Passwords

Immediately reset passwords for any accounts associated with the leaked data. Ensure new passwords are strong, unique, and not reused across multiple platforms.

Enable Multi-Factor Authentication (MFA)

Enable MFA wherever possible. This adds an extra layer of security by requiring additional verification beyond just a password.

Implement Passwordless Solutions

Adopting passwordless solutions can further enhance security. SAML-based passwordless solutions, such as Single Sign-On (SSO) systems, eliminate the need for passwords by using secure tokens for authentication. These solutions reduce the risk of password-related attacks and improve user convenience.

Monitor Accounts and Stay Informed

Regularly monitor accounts for suspicious activity and stay informed about the latest cybersecurity threats and best practices.

Conclusion

This recent breach highlights how fragile and unsafe passwords are, underscoring the need for more secure authentication methods. The RockYou2024 leak demonstrates that even with strong, unique passwords, the risks remain significant. Multi-factor authentication (MFA), while an added layer of security, is not foolproof. For example, MFA breaches such as the 2022 Uber hack and the attack on Microsoft’s Office 365 users in 2021 show its vulnerabilities.

Additionally, password managers are not entirely reliable. The Okta breach in 2022 and the OneLogin breach in 2017 exposed millions of user accounts, demonstrating that even these tools can be compromised.

In light of these risks, passwordless systems are emerging as the next hot trend in cybersecurity. SAML-based passwordless solutions, like PureAuth, provide enhanced security by eliminating the need for passwords and reducing the attack surface for cybercriminals.

Embracing passwordless systems, combined with continuous monitoring and updated security practices, is essential for protecting against the evolving threat landscape. Stay ahead of cyber threats by adopting innovative authentication methods and ensuring your digital assets are well-protected.