Protect your Active Directory servers, a huge text-based phishing scam found and more.
Welcome to Cyber Security Today. It’s Friday, August 26th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Microsoft is urging Windows administrators to limit and tighten access to Active Directory servers. This comes after it discovered the Russia-based Nobelium threat group is able to get into systems and bypass multifactor authentication. If the attackers are able to get administrative privileges on an Active Directory Federation Services (AD FS) server, they deploy a new tool dubbed MagicWeb. They do it by replacing a legitimate DLL file with one of their own. The tool then allows authentication tokens generated by Active Directory to be manipulated, letting the hackers sign in as any user and get around multifactor authentication. Administrative access to domain controllers and crucial servers like Active Directory has long been a goal of any hacker. Microsoft says these servers have to be isolated, accessible only by dedicated admin accounts and regularly monitored for any changes. Keeping servers patched with the latest security updates and taking measures to prevent lateral movement by an attacker are also necessary.
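One way to put the "regularly monitored for any changes" advice into practice is a scheduled check that records a baseline of the DLLs in the AD FS directory and then reports any file whose hash, signer or signature status has changed. This is an added example, not Microsoft's tooling or anything from the podcast; it assumes AD FS is installed under the default C:\Windows\ADFS path and that the baseline file location is chosen by the operator.

```powershell
# Added example (not from the podcast or Microsoft): baseline-and-compare check
# for DLLs in the AD FS installation directory. Run once with -WriteBaseline on a
# known-good server, then on a schedule without it. Assumptions: default AD FS
# install path and an operator-chosen, access-restricted baseline file.
param(
    [string]$AdfsPath = 'C:\Windows\ADFS',                        # assumed default install path
    [string]$BaselinePath = 'C:\SecureBaseline\adfs-dlls.json',   # hypothetical location
    [switch]$WriteBaseline
)

# Inventory every DLL with its SHA-256 hash, Authenticode status and signer subject.
$current = Get-ChildItem -Path $AdfsPath -Filter '*.dll' -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path      = $_.FullName
        Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status.ToString()
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

if ($WriteBaseline) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written for $($current.Count) DLLs to $BaselinePath"
    return
}

# Load the stored baseline keyed by full path.
$baseline = @{}
Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json | ForEach-Object { $baseline[$_.Path] = $_ }

$findings = @()
foreach ($f in $current) {
    # A swapped-in DLL will typically fail signature validation or carry a different signer.
    if ($f.SigStatus -ne 'Valid') { $findings += "UNSIGNED/INVALID SIGNATURE: $($f.Path) ($($f.SigStatus))" }
    $b = $baseline[$f.Path]
    if (-not $b)                     { $findings += "NEW DLL (not in baseline): $($f.Path)" }
    elseif ($b.Sha256 -ne $f.Sha256) { $findings += "HASH CHANGED: $($f.Path)" }
    elseif ($b.Signer -ne $f.Signer) { $findings += "SIGNER CHANGED: $($f.Path)" }
}
foreach ($p in $baseline.Keys) {
    if (-not ($current.Path -contains $p)) { $findings += "DLL REMOVED: $p" }
}

if ($findings.Count -eq 0) { Write-Host 'No AD FS DLL drift detected.' }
else { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
```

A non-zero exit code lets a scheduler or monitoring agent raise an alert; the baseline file itself should be stored where AD FS administrators cannot silently rewrite it.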
Recently discovered SMS text-based phishing attacks on employees of Twilio and Cloudflare are part of a massive smartphone attack campaign. According to researchers at Group-IB, almost 10,000 people in 130 organizations have fallen for the scam to steal their credentials. Most of them were in the United States. Three targeted firms were in Canada. Most of the organizations use Okta’s identity and access management solution. The victims received text messages with links to phony websites that mimicked the Okta authentication page of their organization. When they logged in, the hackers got their usernames and passwords. It still isn’t known how the attackers got a list of targets and their mobile phone numbers. It appears there are two lessons from this: First, employees need to be repeatedly warned of the dangers of logging into sites from links in text messages and emails. And second, companies that use SMS-based multifactor authentication are taking a big risk.
Here’s a similar recent scam, discovered by email security vendor Trustifi. It involved the creation of a fake website that mirrored the login page of an unnamed global provider of voice and email services. Employees at one of this provider’s customers were emailed a message asking them to log in and confirm their credentials. More than 200 usernames and passwords were captured in the scam. In an interview Zack Schwartz, Trustifi’s vice-president of business development, told me email security solutions that do context analysis on attachments and links are essential for defence. IT administrators also need to follow proper email hygiene procedures to prevent their email systems from being used by hackers to send poisoned messages. That means using the DKIM, DMARC and SPF authorization and authentication protocols on domains to prevent spoofing.
Kids will be going back to school in a few days. Parents who want to talk to their children about cyber hygiene now can take advantage of a website set up by Trend Micro to get advice on how to have an ongoing conversation about security. And youngsters can learn a few things online by going to the Cyber Academy for interactive lessons.
That’s it for this morning. But later today the Week in Review edition will be out. This week’s guest commentator will be David Shipley of Beauceron Security, who will talk about cyber insurance trends and whether cybersecurity programs of critical infrastructure providers like pipelines should be heavily regulated.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.