Risks – INDIA NEWS (http://www.indiavpn.org), News Blog

U.S. Federal Agencies Ordered to Hunt for Signs of Microsoft Breach and Mitigate Risks
Published: Fri, 12 Apr 2024 05:15:56 +0000
http://www.indiavpn.org/2024/04/12/u-s-federal-agencies-ordered-to-hunt-for-signs-of-microsoft-breach-and-mitigate-risks/

Apr 12, 2024 | Newsroom | Cyber Attack / Data Breach


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an emergency directive (ED 24-02) urging federal agencies to hunt for signs of compromise and enact preventive measures following the recent compromise of Microsoft’s systems that led to the theft of email correspondence with the company.

The attack, which came to light earlier this year, has been attributed to a Russian nation-state group tracked as Midnight Blizzard (aka APT29 or Cozy Bear). Last month, Microsoft revealed that the adversary managed to access some of its source code repositories but noted that there is no evidence of a breach of customer-facing systems.

The emergency directive, which was originally issued privately to federal agencies on April 2, was first reported on by CyberScoop two days later.


“The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems,” CISA said.

The agency said the theft of email correspondence between government entities and Microsoft poses severe risks, urging concerned parties to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.

It’s currently not clear how many federal agencies have had their email exchanges exfiltrated in the wake of the incident, although CISA said all of them have been notified.

The agency is also urging affected entities to perform a cybersecurity impact analysis by April 30, 2024, and provide a status update by May 1, 2024, 11:59 p.m. Other organizations that are impacted by the breach are advised to contact their respective Microsoft account team for any additional questions or follow up.


“Regardless of direct impact, all organizations are strongly encouraged to apply stringent security measures, including strong passwords, multi-factor authentication (MFA) and prohibited sharing of unprotected sensitive information via unsecure channels,” CISA said.

The development comes as CISA released a new version of its malware analysis system, called Malware Next-Gen, that allows organizations to submit malware samples (anonymously or otherwise) and other suspicious artifacts for analysis.

The Unknown Risks of The Software Supply Chain: A Deep-Dive
Published: Wed, 24 Jan 2024 10:38:09 +0000
http://www.indiavpn.org/2024/01/24/the-unknown-risks-of-the-software-supply-chain-a-deep-dive/

Jan 24, 2024 | The Hacker News | Vulnerability / Software Security


In a world where more and more organizations are adopting open-source components as foundational blocks of their application infrastructure, it is difficult to consider traditional SCAs (Software Composition Analysis tools) a complete protection mechanism against open-source threats.

Using open-source libraries saves a great deal of coding and debugging time and so shortens the time it takes to deliver our applications. But as codebases become increasingly composed of open-source software, it is time to account for the entire attack surface, including attacks on the supply chain itself, when choosing an SCA platform to depend upon.

The Impact of One Dependency

When a company adds an open-source library, it is probably adding not just the library it intended to, but many other libraries as well. This is due to the way open-source libraries are built: like every other application, they aim for speed of development and delivery and, as such, rely on code other people built, i.e., other open-source libraries.

The actual terms are direct dependency (a package you add to your application yourself) and transitive dependency (a package pulled in implicitly by your dependencies). If your application uses package A, and package A uses package B, then your application indirectly depends on package B.

And if package B is vulnerable, your project is vulnerable, too. This problem gave rise to the world of SCAs, Software Composition Analysis platforms, which help detect vulnerabilities and suggest fixes.

However, SCAs solve only the problem of vulnerabilities. What about supply chain attacks?

Supply Chain Security Best Practices Cheat Sheet

Software supply chain attacks are on the rise.

According to Gartner’s predictions, by 2025, 45% of organizations will be affected. The traditional Software Composition Analysis (SCA) tools are not enough, and the time to act is now.

Download our cheat sheet to discover the five types of critical supply chain attacks and better understand the risks. Implement the 14 best practices listed at the end of the cheat sheet to defend against them.


Attacks vs. Vulnerabilities

It might not be obvious what we mean by an “unknown” risk. Before we dive into the differentiation, let’s first consider the difference between vulnerabilities and attacks:

A vulnerability:

  • A non-deliberate mistake (aside from very specific sophisticated attacks)
  • Identified by a CVE
  • Recorded in public databases
  • Defense possible before exploitation
  • Includes both regular vulnerabilities and zero-days
    • Example: Log4Shell is a vulnerability

A supply chain attack:

  • A deliberate malicious activity
  • Has no CVE identifier
  • Not tracked by standard SCAs or public databases
  • Typically already under active exploitation, or activated by default, by the time it is found
    • Example: SolarWinds is a supply chain attack

An unknown risk is, almost by definition, an attack on the supply chain that is not easily detectable by your SCA platform.

SCA Tools Aren’t Enough!

SCA tools might seem to solve the issue of protecting you from supply chain risks, but they do not address any of the unknown risks – including all major supply chain attacks – and leave you exposed in one of the most critical pieces of your infrastructure.

Thus, a new approach is needed to mitigate the known and unknown risks in the ever-evolving supply chain landscape. This guide reviews all the known and unknown risks in your supply chain, suggests a new way to look at things, and provides a great reference (or introduction!) to the world of supply chain risks.

NIST Warns of Security and Privacy Risks from Rapid AI System Deployment
Published: Mon, 08 Jan 2024 10:57:45 +0000
http://www.indiavpn.org/2024/01/08/nist-warns-of-security-and-privacy-risks-from-rapid-ai-system-deployment/

Jan 08, 2024 | Newsroom | Artificial Intelligence / Cyber Security


The U.S. National Institute of Standards and Technology (NIST) is calling attention to the privacy and security challenges that arise as a result of increased deployment of artificial intelligence (AI) systems in recent years.

“These security and privacy challenges include the potential for adversarial manipulation of training data, adversarial exploitation of model vulnerabilities to adversely affect the performance of the AI system, and even malicious manipulations, modifications or mere interaction with models to exfiltrate sensitive information about people represented in the data, about the model itself, or proprietary enterprise data,” NIST said.

As AI systems are integrated into online services at a rapid pace, driven in part by the emergence of generative AI systems like OpenAI ChatGPT and Google Bard, the models powering these technologies face a number of threats at various stages of machine learning operations.


These include corrupted training data, security flaws in the software components, data model poisoning, supply chain weaknesses, and privacy breaches arising as a result of prompt injection attacks.

“For the most part, software developers need more people to use their product so it can get better with exposure,” NIST computer scientist Apostol Vassilev said. “But there is no guarantee the exposure will be good. A chatbot can spew out bad or toxic information when prompted with carefully designed language.”

The attacks, which can have significant impacts on availability, integrity, and privacy, are broadly classified as follows:

  • Evasion attacks, which aim to generate adversarial output after a model is deployed
  • Poisoning attacks, which target the training phase of the algorithm by introducing corrupted data
  • Privacy attacks, which aim to glean sensitive information about the system or the data it was trained on by posing questions that circumvent existing guardrails
  • Abuse attacks, which aim to compromise legitimate sources of information, such as a web page with incorrect pieces of information, to repurpose the system’s intended use

Such attacks, NIST said, can be carried out by threat actors with full knowledge of the AI system (white-box), minimal knowledge (black-box), or a partial understanding of some of its aspects (gray-box).


The agency further noted the lack of robust mitigation measures to counter these risks, urging the broader tech community to “come up with better defenses.”

The development arrives more than a month after the U.K., the U.S., and international partners from 16 other countries released guidelines for the development of secure artificial intelligence (AI) systems.

“Despite the significant progress AI and machine learning have made, these technologies are vulnerable to attacks that can cause spectacular failures with dire consequences,” Vassilev said. “There are theoretical problems with securing AI algorithms that simply haven’t been solved yet. If anyone says differently, they are selling snake oil.”

5 Ways to Reduce SaaS Security Risks
Published: Wed, 03 Jan 2024 11:19:39 +0000
http://www.indiavpn.org/2024/01/03/5-ways-to-reduce-saas-security-risks/


As technology adoption has shifted to be employee-led, just in time, and from any location or device, IT and security teams have found themselves contending with an ever-sprawling SaaS attack surface, much of which is often unknown or unmanaged. This greatly increases the risk of identity-based threats, and according to a recent report from CrowdStrike, 80% of breaches today use compromised identities, including cloud and SaaS credentials.

Given this reality, IT security leaders need practical and effective SaaS security solutions designed to discover and manage their expanding SaaS footprint. Here are five key ways Nudge Security can help.

Close the visibility gap

Knowing the full scope of SaaS apps in use is the foundation of a modern IT governance program. Without an understanding of your entire SaaS footprint, you cannot say with confidence where your corporate IP is stored (Did someone sync their desktop to Dropbox?), you cannot make assumptions about your customer data (Did someone upload your customer list to a new marketing app?), and you certainly can’t make strong assertions about your production data (Did someone clone their environment into a new AWS account to recreate a support issue?).

But given the pace of SaaS adoption, collecting and maintaining an accurate SaaS inventory is a never-ending, painstaking task. Nudge Security addresses this problem with real-time, continuous SaaS discovery that does not require agents, browser plug-ins, network proxies, or complicated API configurations. Within minutes of starting a free trial, you will have a full inventory of all SaaS accounts ever created by anyone in your org, along with security context on each app, alerts as new apps are introduced, and the ability to automate SaaS governance tasks.


Manage OAuth risks

Today, any employee has the power at their fingertips to string together multiple SaaS applications and data using no-code / low-code integrations that leverage authorization methods like OAuth grants. This creates a complex mesh of SaaS applications, making it extremely difficult to answer the fundamental question of, “who (and what SaaS applications) have access to my corporate assets?” Attackers are taking advantage of this complexity to move laterally across the SaaS supply chain to get to the crown jewels.

Given this, it’s important for IT and security teams to regularly review the OAuth grants that have been introduced for their organization to identify and address overly permissive scopes and app-to-app connections that may run contrary to data privacy and compliance requirements.

This article provides an overview of key steps for analyzing OAuth grants and assessing potential risks, along with an overview of how Nudge Security provides the context you need to simplify this process.


Monitor your SaaS attack surface

Recent high-profile SaaS supply chain breaches at CircleCI, Okta, and Slack reflect a growing trend of attackers targeting enterprise SaaS tools to infiltrate their customers’ environments. As mentioned above, the complex and interconnected nature of the modern SaaS attack surface makes it possible for attackers to move through the software supply chain to find valuable assets.

Given this reality, it’s important to understand what corporate assets are visible to attackers externally and, therefore, could be a target. Arguably, the SaaS attack surface extends to every SaaS, IaaS and PaaS application, account, user credential, OAuth grant, API, and SaaS supplier used in your organization—managed or unmanaged. Monitoring this attack surface can feel like a Sisyphean task, given that any user with a credit card, or even just a corporate email address, has the power to expand the organization’s attack surface in just a few clicks.

Nudge Security includes a SaaS attack surface dashboard to show you all externally facing assets attackers could see, including SaaS apps, cloud infrastructure, dev tools, social media accounts, registered domains, and more. With this visibility, you can take proactive steps to minimize and protect your SaaS attack surface.


Expand SSO coverage

Single sign-on (SSO) provides a centralized place to manage employees’ access to enterprise SaaS applications, which makes it an integral part of any modern SaaS identity and access governance program. Most organizations strive to ensure that all business-critical applications (i.e., those that handle customer data, financial data, source code, etc.) are enrolled in SSO. However, when new SaaS applications are introduced outside of IT governance processes, this makes it difficult to truly assess SSO coverage.

Nudge Security shows you which apps are enrolled in SSO (and which are not) along with context on each app so you can appropriately prioritize your SSO onboarding efforts. When you are ready to onboard new apps to your SSO tool, Nudge Security initiates SSO onboarding workflows to make the process easier.


Extend MFA usage

Multi-factor authentication adds an extra layer of security to protect user accounts from unauthorized access. By requiring multiple factors for verification, such as a password and a unique code sent to a mobile device, it significantly decreases the chances of hackers gaining access to sensitive information. This is especially important in today’s digital landscape where identity-based attacks are increasingly common.

With Nudge Security, you can see which user accounts do (and don’t) have MFA enabled, and send “nudges” to users via email or Slack to prompt them to enable MFA for their accounts. With the long tail of applications often adopted without IT oversight, this visibility helps IT teams ensure that SaaS security best practices are followed.


Start improving SaaS security today

Nudge Security gives IT and security teams complete visibility of every SaaS and cloud asset ever created in their orgs (managed or unmanaged), and real-time alerts as new accounts are created. With this visibility, they can eliminate shadow IT, secure rogue accounts, minimize the SaaS attack surface, and automate tedious tasks, all without impeding the pace of work.

Start a free 14-day trial here.
