Tag Archive for: automate

Hackers abusing OAuth to automate cyber attacks, says Microsoft


Threat actors are misusing OAuth-based applications as an automation tool for authentication, says Microsoft.

“Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity,” the company said in a blog this week. “The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account.”

Threat actors are launching phishing or password-spraying attacks to compromise user accounts that don’t have strong authentication mechanisms and have permissions to create or modify OAuth applications. The attackers misuse the OAuth applications with high privilege permissions to deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.

IT managers should take the following steps to mitigate against OAuth abuse:
— implement security practices that strengthen account credentials, such as enabling multifactor authentication. That dramatically reduces the chance of attack, says Microsoft;
— to protect against attacks that leverage stolen credentials, enable conditional risk-based access policies;
— ensure continuous access evaluation is enabled if available in your environment;
— enable all security defaults in identity platforms;
— audit all apps and consented permissions to ensure applications are only accessing necessary data and adhering to the principles of least privilege access.

The report gives an example of what one threat actor, which Microsoft dubs Storm-1283, is doing. (Under Microsoft’s new naming taxonomy, groups dubbed ‘Storm’ are newly discovered or under development.)

Storm-1283 used a compromised user account to create an OAuth application and deploy VMs for cryptomining. The compromised account allowed the attacker to sign in through a VPN, create a new single-tenant OAuth application in Microsoft Entra ID named similarly to the Microsoft Entra ID tenant domain name, and add a set of secrets to the application.
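As an added example (not code from Microsoft's report), a short Python audit over a constructed export of app registrations that flags the signs described above: high-privilege permissions, an app name that mimics the tenant domain, and a burst of newly added secrets. The record field names, the high-privilege set and the sample data are assumptions, not the Graph API schema.

```python
"""Audit constructed OAuth app registration records for the warning signs
described in the report. Field names and sample data are assumptions."""
from datetime import datetime, timedelta, timezone

# Assumed set of permissions to treat as high privilege (illustrative, not exhaustive).
HIGH_PRIVILEGE = {"Directory.ReadWrite.All", "Application.ReadWrite.All",
                  "RoleManagement.ReadWrite.Directory", "Mail.Send"}

NOW = datetime(2023, 12, 15, tzinfo=timezone.utc)  # constructed "current" time
TENANT_DOMAIN = "contoso.example"                   # constructed tenant domain

# Constructed sample export of app registrations (not a real Graph response).
APPS = [
    {"name": "HR Sync", "single_tenant": True, "permissions": ["User.Read"],
     "secrets_added": []},
    {"name": "contoso-example", "single_tenant": True,
     "permissions": ["Directory.ReadWrite.All", "Mail.Send"],
     "secrets_added": ["2023-12-14T02:10:00+00:00", "2023-12-14T02:11:00+00:00"]},
]

def name_mimics_tenant(name, domain):
    """True when the app name looks like the tenant domain once punctuation is stripped."""
    norm = lambda s: "".join(ch for ch in s.lower() if ch.isalnum())
    return norm(domain) in norm(name)

def audit_app(app, now=NOW, domain=TENANT_DOMAIN, window=timedelta(days=7)):
    """Return a list of findings for one app registration (empty means nothing flagged)."""
    findings = []
    high = sorted(set(app["permissions"]) & HIGH_PRIVILEGE)
    if high:
        findings.append("high-privilege permissions: " + ", ".join(high))
    if name_mimics_tenant(app["name"], domain):
        findings.append("name resembles tenant domain")
    recent = [s for s in app["secrets_added"]
              if now - datetime.fromisoformat(s) <= window]
    if recent:
        findings.append(f"{len(recent)} secret(s) added in the last {window.days} days")
    return findings

def audit(apps=APPS):
    """Map app name -> findings for every app that raised at least one finding."""
    result = {}
    for app in apps:
        findings = audit_app(app)
        if findings:
            result[app["name"]] = findings
    return result

if __name__ == "__main__":
    for name, findings in audit().items():
        print(name)
        for f in findings:
            print("  -", f)
```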

[Figure: A diagram of Storm-1283's attack chain involving the creation of VMs for cryptocurrency mining.]

Source…

How Christina Cacioppo Built Startup Vanta Into A $1.6 Billion Unicorn To Automate Complicated Security Compliance Issues


The Stanford graduate built a fast-growing software company to automate what had previously been a manual process. She’s now one of America’s richest self-made women.


About five years ago, Vanta CEO and cofounder Christina Cacioppo received a message from one of the customers of her nascent security and compliance automation company that something was wrong. The automated email the customer received each morning detailing what had happened in their Vanta account in the past 24 hours had the wrong company name in it. Cacioppo responded: “There’s a bug, we’re so sorry. We’ll fix it.”

What the customer didn’t realize was that the “automated” email was actually one that Cacioppo had sent early that morning. Cacioppo, who had founded Vanta just months earlier, set her alarm each day for 5:45 a.m. and crafted the emails by hand. She did this to make sure customers liked the emails before spending time writing code that would automate them. Once she knew what customers wanted, she and Vanta’s founding team sat down and wrote the code—and didn’t need to change it for a year and a half.

It’s just one example of the Ohio native’s scrappy approach—which also included everything from buying coffee in bulk from Costco to running Vanta without formal executive or staff meetings for its first two years. That hustle has helped her company land an estimated 5,000 customers including Quora, Autodesk and payments software firm Modern Treasury, with 600 new customers signing up each quarter, according to Vanta. Cacioppo has also helped score $203 million in funding to date from such venture capital firms as Craft Ventures and Sequoia, including $110 million raised in June 2022 that values the company at $1.6 billion. That’s enough to earn Cacioppo, 36, a spot on Forbes’ list of America’s Richest Self-Made Women with a $385 million fortune based on her stake in Vanta.

“Prior to Vanta, the way security and compliance was done was entirely with spreadsheets and screenshots of information that were collected in folders and shown to [certified…

Source…

Security researchers successfully hijack Windows 11’s Power Automate tool


In a nutshell: Windows 11 includes tools to automate repetitive tasks, saving users a lot of time. However, one security researcher says it can also save hackers a lot of time. Microsoft questions the vulnerability of its automation tools, but as usual regarding cybersecurity, human complacency may be the weakest link.

A research firm recently published methods for attackers to hijack automation tools that ship with Windows 11 to distribute malware and steal data across networks. The process comes with some caveats but marks another area of concern for IT security.

The vulnerability centers on Power Automate, a tool Microsoft packages with Windows 11 that lets users automate tedious or repetitive tasks across various programs. Users can automatically back up files, convert batches of files, move data between programs, and more, optionally automating actions across groups through a cloud.

Power Automate comes with many pre-made functions, but users can create new ones by recording their actions, which the tool can later repeat. The program could gain widespread use because it requires little-to-no coding knowledge.

Michael Bargury, CTO of security company Zenity, thinks attackers can use Power Automate to more quickly spread malware payloads, explaining how in a June Defcon presentation. He released the code for the attack, called Power Pwn, in August.

Image credit: Windows Report

The biggest obstacle to hacking with Power Automate is the fact that an attacker needs to already have access to someone’s computer or have penetrated a network through other nefarious methods. Bargury told Wired that if an attacker then creates a Microsoft cloud account with administrative privileges, they can use automated processes to push ransomware or steal authentication tokens. Attacks using Power Automate could be harder to detect because it technically isn’t malware and carries an official Microsoft signature.

Microsoft wrote about a 2020 incident in which attackers used a company’s automation tools against it. Windows 11 and Power Automate weren’t around back then, but the case provides a real-world example of the same fundamental technique.

Microsoft claims any fully…

Source…

Ursnif Leverages Cerberus Android Malware to Automate Fraudulent Bank Transfers in Italy


Contributed to this research: Segev Fogel, Amir Gendler and Nethanella Messer.


IBM Trusteer researchers continually monitor the evolution and attack tactics in the banking sector. In a recent analysis, our team found that an Ursnif (aka Gozi) banking Trojan variant is being used in the wild to target online banking users in Italy with mobile malware. Aside from the Ursnif infection on the victim’s desktop, the malware tricks victims into fetching a mobile app from a fake Google Play page and infects their mobile device with the Cerberus Android malware.


The Cerberus malware component of the attack is used by Ursnif’s operators to receive two-factor authentication codes sent by banks to their users when account updates and money transfer transactions are being confirmed in real-time. Cerberus also possesses other features and can enable the attacker to obtain the lock-screen code and remotely control the device.


Cerberus is an overlay-type mobile malware that emerged in mid-2019 but initially lacked advanced capabilities. It has evolved over time to eventually feature the ability to hijack SMS content and control devices remotely, alongside other sophisticated data theft features. Cerberus was peddled in the underground as commodity malware until the summer of 2020, taking over the market share of Anubis, a previous pay-per-use malware.


In September 2020, Cerberus’ development team decided to disband, spurring an auction attempt that aimed to sell off the source code to the highest bidder, starting at $100,000. The code did not sell but was instead shared with the malware’s customer base, which meant it was publicly leaked. That intentional release of the source code gave rise to numerous malware campaigns involving Cerberus and likely also led to this combined attack with the Ursnif banking Trojan.

A Combination Attack From Desktop to Smartphone

Ursnif is a very long-standing staple in the cybercrime arena, possibly the oldest banking Trojan that’s still active today. Recent campaigns featuring this malware have been most notable in Italy, where it is typically delivered to business email recipients in attachments that…

Source…