Posts

Watering Hole Attack

In what became a classic watering hole attack, a Florida water and wastewater treatment facility contractor inadvertently hosted malicious code on its website, leading to the reported Oldsmar water plant hack in 2021. The cybercriminals behind the attack seemed to have a distinct audience in mind — the malicious code found on the contractor’s site also appeared to target other Florida water utilities, and perhaps not surprisingly, was visited by a browser sourced to the city of Oldsmar on the same day of the hack. While the website didn’t launch exploit code, it instead injected malware that functioned as a browser enumeration and fingerprinting script designed to glean information from site visitors, including operating system, browser type, time zone, and presence of camera and microphone, which it then sent to a remote database hosted on a Heroku app site that also stored the script. What you need to know: Like a literal watering hole, a watering hole attack

Typosquatting

Noblox.js is a wrapper for the Roblox API, a function widely used by many gamers to automate interactions with the popular Roblox gaming platform. The software also appears to be attracting a new crowd. In 2021, hackers launched typosquatting attacks via the noblox.js package by uploading confusingly similar packages laden with ransomware to a registry for open-source JavaScript libraries and then distributing the infected files via a chat service. However, since September of 2021, gamer Josh Muir along with several others has actively been cracking down on the attackers, attempting to prevent the proliferation of ransomware through the noblox.js package and other code libraries, and thwart further attacks on the gaming community. What you need to know: Typosquatting is a phishing attack where attackers take advantage of commonly misspelled domain names. Oftentimes, the guilty party isn’t actually looking to carry out an attack, but instead is holding out hope that a c

System Misconfiguration

A little mistake can have drastic consequences. Nissan North America found that out after the source code of mobile apps and internal tools was leaked online due to a system misconfiguration. The mishap was sourced to a Git server that was left exposed on the internet with an admin’s default username and password combination; the admin learned of the leak from an anonymous source. Among other things, the leak contained source code data from Nissan NA Mobile apps, client acquisition and retention tools, market research tools and data, the vehicle logistics portal, and vehicle-connected services. What you need to know: Security misconfiguration is a widespread problem that can put organizations at risk thanks to incorrectly configured security controls (or lack thereof). This can happen at almost any level of the IT and security stack, ranging from the company’s wireless network to web and server applications, to custom code.

Suspicious Zoom Child Processes

Video-conferencing giant Zoom has emerged as the top enterprise video communications platform over the last several years. Its usage has increased dramatically with an upsurge of remote workers, attributed largely to shelter-in-place mandates following the COVID-19 pandemic. However, as Zoom’s popularity soared, flaws in both Windows and macOS systems have correspondingly received increased scrutiny by bad actors, who have increasingly relied on this attack vector to gain unauthorized access and escalate privileges onto targeted systems — including exploiting a local library validation function in Zoom to completely hijack an unsuspecting user’s webcam and microphone. Plausible attack scenarios could mean that attackers use their ill-gotten privileges to spy on targeted users, either in their personal lives or during important meetings where sensitive information is being shared. What you need to know: Essentially, these local privilege escalation flaw

Suspicious Okta Activity

Okta is often the gateway to enterprise applications and accounts — a fact not lost on hackers. If exploited, the SSO flaw allows hackers to abuse credentials of existing accounts for unauthorized access, persistence, privilege escalation and defense evasion. Once credentials are compromised, attackers can then bypass access controls to gain entrance to VPNs, Outlook Web Access and remote desktop. Adversaries can also use compromised credentials to elevate their privileges to certain systems or gain entry to restricted areas of the network, while also using malware to steal information and/or obfuscate their presence. In one attack scenario, hackers can take over inactive accounts of employees who have left the organization and use their credentials to gain access to critical systems for data and identity theft activities. What you need to know: Okta is the leading single sign-on provider, allowing users to authenticate once to Okta, and from there access a v

Suspicious Cloud Storage Activities

According to the 2022 Verizon Data Breach Investigations Report (DBIR), a staggering 82% of breaches involve a “human element,” with “miscellaneous errors” on the rise due to misconfigured cloud storage. The Sensitive Data in the Cloud report also found that the majority of security and IT professionals (67%) are storing sensitive data in public cloud environments, with a third of respondents saying that they weren’t confident — or only slightly confident — about their ability to protect sensitive data in the cloud. This type of technical and professional oversight — whether it involves a misconfigured database or security teams lacking the necessary know-how — is exactly why cloud accounts have become a prime target in this era of remote work. What you need to know: Now that data is widely (and all too often, haphazardly) dispersed across the cloud, attackers have ample opportunity to find and exploit both known and unknown vulnerabilities. This i

Suspicious Cloud Authentication Activities

Now more than ever, identity access management (IAM) has become a critical part of cloud security. In 2022 alone, 84% of organizations fell victim to identity-related breaches, with 96% reporting that the breach could have been avoided or minimized by implementing identity-centric security. Without the correct technologies and policies in place (e.g. zero trust and vendor management), identifying anomalous behavior via authentication and authorization can be incredibly tricky. As a result, these attacks often go undetected, as the authentication performed by a bad actor can look the same as a legitimate user, depending on how expansive the IAM framework in place is (let alone if it even exists). What you need to know: Organizations need to move away from network security in order to better protect and authenticate user identities. Up until recently, however, this was much easier said than done. Certain technologies simply lacked the necessar