Access – INDIA NEWS (https://www.indiavpn.org)

The Role of Just-in-Time Privileged Access in Security Evolution
https://www.indiavpn.org/2024/04/15/the-role-of-just-in-time-privileged-access-in-security-evolution/
Published Mon, 15 Apr 2024 11:43:21 +0000

Apr 15, 2024 | The Hacker News | Active Directory / Attack Surface


To minimize the risk of privilege misuse, privileged access management (PAM) vendors are increasingly implementing just-in-time (JIT) privileged access. Rather than giving users continuous high-level privileges, this approach to privileged identity management grants them temporarily and only when necessary, which limits the exposure that comes with prolonged elevated access. Organizations that adopt it shrink the attacker's window of opportunity and ensure that users touch privileged resources only when they actually need to.

What is JIT and why is it important?

JIT privileged access provisioning involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so.

One of the key advantages of JIT provisioning is that it reduces the risk of privilege escalation and shrinks the attack surface for credential-based attacks. By eliminating standing privileges (privileges an account holds even while it is not in active use), JIT provisioning narrows the window in which a compromised account is useful to an attacker. It also hampers reconnaissance: because users are added to privileged groups only while an access request is active, an attacker enumerating group membership sees few or no permanent members and has a much harder time identifying worthwhile targets.

How to implement JIT provisioning with Safeguard

Safeguard, a privileged access management solution, offers robust support for JIT provisioning across multiple platforms, including Active Directory and Linux/Unix environments. With Safeguard, organizations can create regular user accounts within Active Directory, without special privileges. These accounts are then placed under Safeguard’s management, remaining in a disabled state until activated as part of an access request workflow.

When an access request is created, Safeguard automatically activates the user account, adds it to designated privileged groups, such as Domain Admins, and grants the necessary access rights to the account. Once the access request is completed, either through a configured timeout period or the user checking credentials back in, the user account is removed from privileged groups and disabled, minimizing exposure to any potential security threats.
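The activate / elevate / time out / revoke cycle described above, together with the reconciliation check that tells you whether standing privileges still exist, modelled in Python as an added example. This is not Safeguard's or Active Roles' code: the in-memory directory, the account and group names, and the one-hour default TTL are constructed for the illustration. In production the same steps map onto directory operations (enable account, add to group, remove from group, disable account) and the ledger onto the PAM system's request history.

```python
"""Model of a just-in-time (JIT) elevation workflow and of the reconciliation check
that finds standing privileges: accounts that hold privileged group membership with
no active access request behind it. Added illustration, not One Identity Safeguard's
code; the directory, account names and default TTL are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Account:
    name: str
    enabled: bool = False                   # JIT accounts stay disabled while dormant
    groups: set = field(default_factory=set)


@dataclass
class Grant:
    account: str
    group: str
    expires_at: datetime
    closed: bool = False                    # set on check-in or on timeout

    def active(self, now: datetime) -> bool:
        return not self.closed and now < self.expires_at


class JitDirectory:
    """Stand-in for the directory (e.g. Active Directory) plus the PAM request ledger."""

    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.grants: list[Grant] = []

    def request(self, account: str, group: str, now: datetime,
                ttl: timedelta = timedelta(hours=1)) -> Grant:
        """Activation: enable the dormant account and add it to the privileged group."""
        acct = self.accounts[account]
        acct.enabled = True
        acct.groups.add(group)
        grant = Grant(account, group, now + ttl)
        self.grants.append(grant)
        return grant

    def check_in(self, grant: Grant, now: datetime) -> None:
        """The user hands the credential back early: revoke immediately."""
        grant.closed = True
        self._revoke(grant, now)

    def expire(self, now: datetime) -> list[Grant]:
        """Timeout path: revoke every open grant whose TTL has lapsed."""
        lapsed = [g for g in self.grants if not g.closed and now >= g.expires_at]
        for g in lapsed:
            g.closed = True
            self._revoke(g, now)
        return lapsed

    def _revoke(self, grant: Grant, now: datetime) -> None:
        acct = self.accounts[grant.account]
        acct.groups.discard(grant.group)
        # Disable the account again once no other live grant needs it
        if not any(g.active(now) for g in self.grants if g.account == acct.name):
            acct.enabled = False

    def standing_privileges(self, privileged_groups, now: datetime) -> list:
        """Reconciliation: privileged memberships that no active grant explains.
        Anything returned here is a standing privilege the JIT model is meant to remove."""
        covered = {(g.account, g.group) for g in self.grants if g.active(now)}
        return sorted(
            (acct.name, grp)
            for acct in self.accounts.values()
            for grp in acct.groups
            if grp in privileged_groups and (acct.name, grp) not in covered
        )


def scenario() -> dict:
    """Constructed walk-through: alice-adm gets a one-hour grant, bob-adm checks in early,
    carol-adm was put into Domain Admins by hand and is what reconciliation should flag."""
    t0 = datetime(2024, 4, 15, 9, 0, tzinfo=timezone.utc)
    d = JitDirectory([
        Account("alice-adm"),
        Account("bob-adm"),
        Account("carol-adm", enabled=True, groups={"Domain Admins"}),
    ])
    privileged = {"Domain Admins", "Enterprise Admins"}
    d.request("alice-adm", "Domain Admins", t0)
    bob = d.request("bob-adm", "Enterprise Admins", t0)
    d.check_in(bob, t0 + timedelta(minutes=10))
    during = d.standing_privileges(privileged, t0 + timedelta(minutes=30))
    lapsed = d.expire(t0 + timedelta(hours=2))
    after = d.standing_privileges(privileged, t0 + timedelta(hours=2))
    return {
        "during": during,                                        # carol only
        "bob_after_checkin": (d.accounts["bob-adm"].enabled,
                              sorted(d.accounts["bob-adm"].groups)),  # (False, [])
        "lapsed": [g.account for g in lapsed],                   # ["alice-adm"]
        "alice_enabled_after": d.accounts["alice-adm"].enabled,  # False
        "after": after,                                          # carol only
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Run `standing_privileges()` on a schedule against the real directory and ledger: any account it returns is either a grant the PAM workflow failed to revoke or a membership that bypassed the workflow, and both are worth an alert.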

How to enhance JIT provisioning with Active Roles

When coupled with Active Roles ARS, One Identity’s market-leading Active Directory management tool, organizations can elevate the security and customization of their JIT provisioning to even greater heights. Active Roles enables more sophisticated JIT provisioning use cases, allowing organizations to automate account activation, group membership management and Active Directory attribute synchronization.

For instance, a Safeguard access request workflow can trigger Active Roles to not only activate user accounts and assign privileges but also update virtual attributes within Active Directory and synchronize changes across the environment.

Conclusion

Just-in-Time provisioning of privileged access is a critical component of a comprehensive privileged access management strategy. By implementing JIT provisioning, organizations can reduce the risk of privilege misuse, enhance security, and ensure that users access privileged resources only when and for as long as necessary. Combining Safeguard with Active Roles allows organizations to implement robust JIT provisioning policies to strengthen security and mitigate risks.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access
https://www.indiavpn.org/2024/04/09/researchers-discover-lg-smart-tv-vulnerabilities-allowing-root-access/
Published Tue, 09 Apr 2024 14:26:07 +0000

Apr 09, 2024 | Newsroom | Vulnerability / IoT Security


Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices.

The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.

The vulnerabilities are tracked from CVE-2023-6317 through CVE-2023-6320 and impact the following versions of webOS –

  • webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
  • webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
  • webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
  • webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA

A brief description of the shortcomings is as follows –

  • CVE-2023-6317 – A vulnerability that allows an attacker to bypass PIN verification and add a privileged user profile to the TV set without requiring user interaction
  • CVE-2023-6318 – A vulnerability that allows the attacker to elevate their privileges and gain root access to take control of the device
  • CVE-2023-6319 – A vulnerability that allows operating system command injection by manipulating a library named asm responsible for showing music lyrics
  • CVE-2023-6320 – A vulnerability that allows for the injection of authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint

Successful exploitation of CVE-2023-6317 gives a threat actor an elevated profile on the device, which, in turn, can be chained with CVE-2023-6318 and CVE-2023-6319 to obtain root access, or with CVE-2023-6320 to run arbitrary commands as the dbus user.


“Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet,” Bitdefender said. A majority of the devices are located in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia.

Revolutionizing Privileged Access Management with One Identity Cloud PAM Essentials
https://www.indiavpn.org/2024/04/09/revolutionizing-privileged-access-management-with-one-identity-cloud-pam-essentials/
Published Tue, 09 Apr 2024 07:16:55 +0000

Apr 09, 2024 | The Hacker News | Privileged Access Management

As cyber threats loom around every corner and privileged accounts become prime targets, the significance of implementing a robust Privileged Access Management (PAM) solution can’t be overstated. With organizations increasingly migrating to cloud environments, the PAM Solution Market is experiencing a transformative shift toward cloud-based offerings. One Identity PAM Essentials stands out among these as a SaaS-based PAM solution that prioritizes security, manageability, and compliance.

Security-first, user-centric design

PAM Essentials boasts a user-centric and security-first design – not only prioritizing the protection of critical assets, but also ensuring a seamless user experience. By providing privileged sessions and access controls, PAM Essentials mitigates the heightened risks associated with unauthorized users, safeguarding critical data against potential breaches. Designed for ease of use, it ensures that robust security does not come at the expense of usability.

Simplified PAM approach with full visibility

One of the standout features of PAM Essentials is its simplified PAM approach, coupled with full visibility. Unlike traditional on-premises PAM solutions, PAM Essentials eliminates unnecessary complexities and the need for additional infrastructure investments. This streamlined approach not only reduces operational overhead but also provides organizations with comprehensive visibility into privileged access activities, facilitating proactive threat detection and mitigation.

Cost-effective and compliant

In today’s regulatory landscape, compliance is non-negotiable. PAM Essentials aids organizations in meeting compliance and industry-specific standards, ensuring adherence to regulatory requirements and enabling them to fulfill cyber insurance requirements. Its cost-effectiveness creates significant savings for businesses, eliminating the need for costly infrastructure and resource allocations associated with traditional PAM solutions.

Cloud-native architecture for scalability and flexibility

Built on a cloud-native architecture, PAM Essentials offers unparalleled scalability, flexibility and accessibility. This ensures seamless integration with cloud services, allowing organizations to adapt and scale their privileged identity management strategies in response to evolving business needs. PAM Essentials also provides a seamless experience for remote teams, enabling secure access to critical systems and resources from anywhere at any time.

Native integration and seamless experience

PAM Essentials’ native integration with OneLogin access management solutions enhances its capabilities. By leveraging OneLogin’s identity and access management platform, PAM Essentials delivers a seamless privileged access management experience. This integration not only enhances security but also streamlines administrative tasks, improving overall operational efficiency.

Conclusion

As organizations navigate the complexities of modern cybersecurity threats and the constantly evolving digital landscape, the importance of effective Privileged Access Management cannot be overstated. PAM Essentials represents a shift in PAM tools, offering a comprehensive, cloud-native approach to security, manageability and compliance. With its user-centric design, simplified approach and seamless integration capabilities, PAM Essentials is set to redefine the future of Privileged Access Management, empowering organizations to safeguard their most critical assets.

This article is a contributed piece from one of our valued partners.
How to Bridge Privileged Access Management and Identity Management
https://www.indiavpn.org/2024/02/28/how-to-bridge-privileged-access-management-and-identity-management/
Published Wed, 28 Feb 2024 18:07:41 +0000

Feb 28, 2024 | The Hacker News | Zero Trust / Cyber Threat


Traditional perimeter-based security has become costly and ineffective. As a result, securing communications between people, systems, and networks matters more than blocking access with firewalls. On top of that, most cybersecurity risk is concentrated in just a few superusers, typically one out of every 200 users. SSH Communications Security is a company aiming to close the gap between traditional PAM and IdM solutions and secure that one user in 200.

Your Privileged Access Management (PAM) and Identity Management (IdM) should work hand in hand to secure your users’ access and identities – regular users and privileged users alike. But traditional solutions struggle to achieve that.

Figure: Microsoft Entra manages all identities and basic-level access. As the criticality of the targets and data increases, the session duration decreases and additional protection becomes necessary; that is where SSH Communications Security comes in.

Let’s look at what organizations need to understand about PAM and IdM and how you can bridge and future-proof your PAM and IdM.

PIM, PAM, IAM – you need all three of them

Privileged Identity Management (PIM), Privileged Access Management (PAM), and Identity and Access Management (IAM) – all three are closely connected, and you need all three of them to effectively manage and secure your digital identities, users and access.

Let’s quickly review what PIM, PAM, and IAM focus on:

Not all digital identities are created equal – superusers need super protection

Think about this: Your typical user probably needs access to regular office tools, like your CRM or M365. They don’t need access to any of your critical assets.

The identity verification process should correspond to this. A regular user needs to be verified with strong authentication through an identity provider such as Microsoft Entra ID, but there is usually no need to go beyond that.

These typical users form the majority of your users, up to 99.5% of them.

On the other hand, you have your privileged high-impact users – there’s only a small number of them (typically around one in 200 users), but the power and risks they carry are huge because they can access your critical data, databases, infrastructures, and networks.

Similarly, appropriate identity verification procedures should apply. In the case of your high-impact users, you need access controls that go beyond strong identity-based authentication.

Enter the Zero Trust – Borderless, Passwordless, Keyless and Biometric Future

Traditional solutions are not enough to bridge your PAM and IdM. They just can’t handle the security that you need to protect your critical assets. Nor can they offer effective and future-proof security controls for access and identities of your typical users as well as high-impact users.

The future of cybersecurity is borderless, passwordless, keyless, biometric, and Zero Trust.

This means that you need a future-proof cybersecurity model with no implicitly trusted users, connections, applications, servers, or devices. On top of that, you need an additional layer of security with passwordless, keyless, and biometric authentication.

Learn the importance of implementing the passwordless and keyless approach into your cybersecurity from the whitepaper provided by SSH Communications Security. Download the whitepaper here ➜

This article is a contributed piece from one of our valued partners.
Nation-State Hackers Access Source Code and Internal Docs
https://www.indiavpn.org/2024/02/02/nation-state-hackers-access-source-code-and-internal-docs/
Published Fri, 02 Feb 2024 06:39:48 +0000

Feb 02, 2024 | Newsroom | Data Breach / Cloud Security


Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.

The intrusion, which took place between November 14 and 24, 2023, and was detected on November 23, was carried out “with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the web infrastructure company said, describing the actor as “sophisticated” and one who “operated in a thoughtful and methodical manner.”

As a precautionary measure, the company further said it rotated more than 5,000 production credentials, physically segmented test and staging systems, carried out forensic triage on 4,893 systems, and reimaged and rebooted every machine across its global network.

The incident involved a four-day reconnaissance period to access Atlassian Confluence and Jira portals, following which the adversary created a rogue Atlassian user account and established persistent access to its Atlassian server to ultimately obtain access to its Bitbucket source code management system by means of the Sliver adversary simulation framework.


As many as 120 code repositories were viewed, out of which 76 are estimated to have been exfiltrated by the attacker.

“The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes,” Cloudflare said.

“A small number of the repositories contained encrypted secrets which were rotated immediately even though they were strongly encrypted themselves.”

The threat actor is then said to have unsuccessfully attempted to “access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”

The attack was accomplished by making use of one access token and three service account credentials associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet that were stolen following the October 2023 hack of Okta’s support case management system.


Cloudflare acknowledged that it had failed to rotate these credentials, mistakenly assuming they were unused.

The company also said it terminated all malicious connections originating from the threat actor on November 24, 2023. It also engaged cybersecurity firm CrowdStrike to perform an independent assessment of the incident.

“The only production systems the threat actor could access using the stolen credentials was our Atlassian environment. Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network,” Cloudflare said.

RunC Flaws Enable Container Escapes, Granting Attackers Host Access
https://www.indiavpn.org/2024/01/31/runc-flaws-enable-container-escapes-granting-attackers-host-access/
Published Wed, 31 Jan 2024 21:29:43 +0000

Jan 31, 2024 | Newsroom | Software Security / Linux


Multiple security vulnerabilities have been disclosed in the runC container runtime and in BuildKit, Docker’s image build backend, that could be exploited by threat actors to escape the bounds of the container and stage follow-on attacks.

The vulnerabilities, tracked as CVE-2024-21626 (runC) and CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653 (BuildKit), have been collectively dubbed Leaky Vessels by cybersecurity vendor Snyk.

“These container escapes could allow an attacker to gain unauthorized access to the underlying host operating system from within the container and potentially permit access to sensitive data (credentials, customer info, etc.), and launch further attacks, especially when the access gained includes superuser privileges,” the company said in a report shared with The Hacker News.


runC is a tool for spawning and running containers on Linux. It was originally developed as part of Docker and later spun out into a separate open-source library in 2015.

A brief description of each of the flaws is below –

  • CVE-2024-21626 – WORKDIR: Order of operations container breakout
  • CVE-2024-23651 – Mount Cache Race
  • CVE-2024-23652 – Buildkit Build-time Container Teardown Arbitrary Delete
  • CVE-2024-23653 – Buildkit GRPC SecurityMode Privilege Check

The most severe of the flaws is CVE-2024-21626, a container escape centered on the `WORKDIR` instruction: runC could leak a file descriptor for a host directory into the container process, and a working directory set to a path under `/proc/self/fd/` lets the container start with its working directory on the host filesystem.

“This could occur by running a malicious image or by building a container image using a malicious Dockerfile or upstream image (i.e. when using `FROM`),” Snyk said.


There is no evidence that any of the newly discovered shortcomings have been exploited in the wild to date. The issues have been addressed in runC version 1.1.12, released today, and in BuildKit version 0.12.5.

“Because these vulnerabilities affect widely used low-level container engine components and container build tools, Snyk strongly recommends that users check for updates from any vendors providing their container runtime environments, including Docker, Kubernetes vendors, cloud container services, and open source communities,” the company said.
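Two checks a practitioner can run against this advisory, as an added example that is not Snyk’s or the runC project’s code: compare the version reported by the local runC or BuildKit with the fixed releases, and flag Dockerfiles or OCI runtime configs whose working directory points into `/proc/self/fd`, the path shape CVE-2024-21626 abuses. The version strings, the Dockerfile text and the OCI `config.json` below are constructed inputs; `runc --version` is the real CLI, everything else is assumed for the demonstration.

```python
"""Checks for the Leaky Vessels advisory: installed runC / BuildKit versions against
the fixed releases, and build or runtime configs whose working directory points into
/proc/self/fd. Added example, not Snyk's or runC's code; the version strings, the
Dockerfile and the OCI config below are constructed for the demonstration."""
import json
import re
import subprocess

# Upstream releases that carry the fixes (runC 1.1.12, BuildKit 0.12.5)
FIXED = {"runc": (1, 1, 12), "buildkit": (0, 12, 5)}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_PROC_FD = re.compile(r"^/proc/(self|\d+)/fd(/|$)")


def parse_version(text: str) -> tuple:
    """Extract the first x.y.z triple from tool output such as 'runc version 1.1.11'."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_fixed(tool: str, version_text: str) -> bool:
    """True when the reported version is at or above the fixed release for that tool.
    Distribution packages may backport the fix; treat a False here as 'go and check'."""
    return parse_version(version_text) >= FIXED[tool]


def points_into_proc_fd(path: str) -> bool:
    """A working directory under /proc/self/fd (or /proc/<pid>/fd) has no legitimate use
    in a build or image and is the shape the WORKDIR breakout relies on."""
    return bool(_PROC_FD.match(path.strip()))


def suspicious_workdirs(dockerfile_text: str) -> list:
    """WORKDIR instructions in a Dockerfile that point into /proc/*/fd."""
    hits = []
    for line in dockerfile_text.splitlines():
        m = re.match(r"^\s*WORKDIR\s+(\S+)", line, re.IGNORECASE)
        if m and points_into_proc_fd(m.group(1)):
            hits.append(line.strip())
    return hits


def suspicious_oci_cwd(config_json: str) -> bool:
    """Same check on an OCI runtime config.json (process.cwd), which is what a malicious
    image's working directory has become by the time runC sees it."""
    cwd = json.loads(config_json).get("process", {}).get("cwd", "")
    return points_into_proc_fd(cwd)


def installed_runc_version():
    """Ask the local runc binary for its version; None when runc is not on PATH."""
    try:
        return subprocess.run(["runc", "--version"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


# Constructed inputs for the demonstration
SAMPLE_DOCKERFILE = """\
FROM alpine:3.19
WORKDIR /app
COPY . .
WORKDIR /proc/self/fd/7/../../..
CMD ["sh"]
"""
SAMPLE_OCI_CONFIG = json.dumps({"process": {"cwd": "/proc/self/fd/7", "args": ["sh"]}})

if __name__ == "__main__":
    print("runc 1.1.11 fixed?", is_fixed("runc", "runc version 1.1.11"))
    print("WORKDIR hits:", suspicious_workdirs(SAMPLE_DOCKERFILE))
    print("OCI cwd suspicious?", suspicious_oci_cwd(SAMPLE_OCI_CONFIG))
    v = installed_runc_version()
    print("local runc:", "not found" if v is None
          else ("fixed" if is_fixed("runc", v) else "VULNERABLE, update to 1.1.12+"))
```

The Dockerfile check only sees literal `WORKDIR` arguments; a value built from `ARG` or `ENV` slips past it, which is why the runtime-side `process.cwd` check is the one to keep in an admission hook.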

In February 2019, runC maintainers addressed another high-severity flaw (CVE-2019-5736, CVSS score: 8.6) that could be abused by an attacker to break out of the container and obtain root access on the host.

New Glibc Flaw Grants Attackers Root Access on Major Linux Distros
https://www.indiavpn.org/2024/01/31/new-glibc-flaw-grants-attackers-root-access-on-major-linux-distros/
Published Wed, 31 Jan 2024 06:51:39 +0000

Jan 31, 2024 | Newsroom | Vulnerability / Endpoint Security


Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc).

Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc’s __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging. It was accidentally introduced by a change committed in August 2022 and first shipped in glibc 2.37, released in February 2023.

“This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access,” Saeed Abbasi, product manager of the Threat Research Unit at Qualys, said, adding it impacts major Linux distributions like Debian, Ubuntu, and Fedora.


A threat actor could exploit the flaw to obtain elevated permissions via specially crafted inputs to applications that employ these logging functions.

“Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv[0] or openlog() ident argument), its impact is significant due to the widespread use of the affected library,” Abbasi noted.
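Triage for CVE-2023-6246 as an added example, not Qualys’ code: read the running glibc version, place it against the affected range (2.37 and 2.38 upstream; fixed in 2.39), and then look for the CVE identifier in the package changelog, because distributions backport fixes without bumping the version string. The changelog excerpt below is constructed; on a real host the text would come from `apt changelog libc6` (Debian/Ubuntu) or `rpm -q --changelog glibc` (Fedora/RHEL).

```python
"""Triage for CVE-2023-6246: classify a glibc version and cross-check the package
changelog for a backported fix. Added example, not Qualys' code; the changelog text
and the version strings are constructed for the demonstration."""
import ctypes
import platform
import re

INTRODUCED = (2, 37)   # first release carrying the __vsyslog_internal() bug
FIXED = (2, 39)        # first upstream release with the fix


def parse_glibc_version(text: str) -> tuple:
    """Pull major.minor out of strings like '2.37' or 'glibc 2.38-3'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no glibc version in {text!r}")
    return int(m.group(1)), int(m.group(2))


def classify(version_text: str) -> str:
    """Upstream view only: says nothing about distribution patches."""
    v = parse_glibc_version(version_text)
    if v < INTRODUCED:
        return "not affected (predates the bug)"
    if v >= FIXED:
        return "fixed upstream"
    return "affected upstream; check for a distribution backport"


def changelog_mentions(cve: str, changelog_text: str) -> bool:
    """Backported fixes appear as the CVE id in the package changelog even when the
    version string stays at 2.37 or 2.38."""
    return re.search(re.escape(cve), changelog_text, re.IGNORECASE) is not None


def triage(version_text: str, changelog_text: str, cve: str = "CVE-2023-6246") -> str:
    verdict = classify(version_text)
    if verdict.startswith("affected") and changelog_mentions(cve, changelog_text):
        return f"patched by distribution ({cve} in changelog)"
    return verdict


def running_glibc_version():
    """Version of the glibc this process is linked against, or None on a non-glibc libc.
    gnu_get_libc_version() is the documented glibc API; platform.libc_ver() is the fallback."""
    try:
        fn = ctypes.CDLL(None).gnu_get_libc_version
        fn.restype = ctypes.c_char_p
        return fn().decode()
    except (OSError, AttributeError, TypeError):
        name, ver = platform.libc_ver()
        return ver if name == "glibc" and ver else None


# Constructed changelog excerpt; the package version and wording are hypothetical
SAMPLE_CHANGELOG = """\
glibc (2.37-0example2) example-security; urgency=medium

  * SECURITY UPDATE: heap buffer overflow in __vsyslog_internal
    - CVE-2023-6246
"""

if __name__ == "__main__":
    v = running_glibc_version()
    print("running glibc:", v or "not glibc")
    if v:
        print("upstream verdict:", classify(v))
    print("constructed host:", triage("2.37", SAMPLE_CHANGELOG))
```

The verdict from `classify()` alone is only the upstream picture; the changelog step is what turns "affected upstream" into an actionable yes/no for a given host.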

The cybersecurity firm said further analysis of glibc unearthed two more flaws in the __vsyslog_internal() function (CVE-2023-6779 and CVE-2023-6780) and a third bug in the library’s qsort() function that can lead to memory corruption.

The vulnerability found in qsort() has affected all glibc versions released since 1992.


The development comes nearly four months after Qualys detailed another high-severity flaw in the same library called Looney Tunables (CVE-2023-4911, CVSS score: 7.8) that could result in privilege escalation.

“These flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications,” Abbasi said.

Russian Hackers Had Covert Access to Ukraine’s Telecom Giant for Months
https://www.indiavpn.org/2024/01/05/russian-hackers-had-covert-access-to-ukraines-telecom-giant-for-months/
Published Fri, 05 Jan 2024 10:16:19 +0000

Jan 05, 2024 | Newsroom | Cyber Attack / Data Breach


Ukrainian cybersecurity authorities have disclosed that the Russian state-sponsored threat actor known as Sandworm was inside telecom operator Kyivstar’s systems at least since May 2023.

The development was first reported by Reuters.

The incident, described as a “powerful hacker attack,” first came to light last month, knocking out access to mobile and internet services for millions of customers. Soon after the incident, a Russia-linked hacking group called Solntsepyok took responsibility for the breach.

Solntsepyok has been assessed to be a Russian threat group with affiliations to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.


The advanced persistent threat (APT) actor has a track record of orchestrating disruptive cyber attacks, with Denmark accusing the hacking outfit of targeting 22 energy sector companies last year.

Illia Vitiuk, head of the Security Service of Ukraine’s (SBU) cybersecurity department, said the attack against Kyivstar wiped out nearly everything from thousands of virtual servers and computers.

The incident, he said, “completely destroyed the core of a telecoms operator,” noting the attackers had full access likely at least since November, months after obtaining an initial foothold into the company’s infrastructure.

“The attack had been carefully prepared during many months,” Vitiuk said in a statement shared on the SBU’s website.

Kyivstar, which has since restored its operations, said there is no evidence that the personal data of subscribers has been compromised. It’s currently not known how the threat actor penetrated its network.


It’s worth noting that the company had previously dismissed speculations about the attackers destroying its computers and servers as “fake.”

The disclosure comes as the SBU revealed earlier this week that it took down two online surveillance cameras that were allegedly hacked by Russian intelligence agencies to spy on the defense forces and critical infrastructure in the capital city of Kyiv.

The agency said the compromise allowed the adversary to gain remote control of the cameras, adjust their viewing angles, and connect them to YouTube to capture “all visual information in the range of the camera.”

Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset
https://www.indiavpn.org/2024/01/03/malware-using-google-multilogin-exploit-to-maintain-access-despite-password-reset/
Published Wed, 03 Jan 2024 14:42:12 +0000

Jan 03, 2024 | Newsroom | Malware / Data Theft


Information-stealing malware is actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and keep access to Google services even after a password reset.

According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.

The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.


The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).

Reverse engineering of the Lumma Stealer code revealed that the technique targets “Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in,” security researcher Pavan Karthick M said. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”

This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.
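Two responder-side pieces for the mechanism just described, as an added example that is not CloudSEK’s code or anything taken from the stealers: enumerate the token_service rows in a copy of Chrome’s Web Data database so you know which Google accounts need to be signed out, and flag non-browser processes reading that file in file-access telemetry. The in-memory database, the event records, the browser allowlist and the `AccountId-` prefix on the service column are assumptions made for the demonstration; nothing here decrypts a token.

```python
"""Responder-side helpers for the MultiLogin token theft: list the accounts whose
refresh tokens sit in Chrome's token_service table, and spot non-browser processes
reading the profile databases. Added example, not CloudSEK's code; the database
contents, the telemetry records and the allowlist are constructed for the demo."""
import sqlite3
from pathlib import PureWindowsPath

# Hypothetical allowlist of images that legitimately open the profile databases
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Files under <profile>\User Data\<Profile>\ that stealers read (names compared lower-case)
PROFILE_DATABASES = {"web data", "login data", "cookies"}


def open_web_data(path: str) -> sqlite3.Connection:
    """Open a copied Web Data file read-only; Chrome holds a lock on the live one."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def token_service_rows(conn: sqlite3.Connection) -> list:
    """(service, encrypted token length) per row. The service column names the account;
    the token is left encrypted, we only need to know which accounts to invalidate."""
    return [(service, n) for service, n in conn.execute(
        "SELECT service, length(encrypted_token) FROM token_service ORDER BY service")]


def accounts_to_sign_out(conn: sqlite3.Connection) -> list:
    """Account identifiers whose sessions should be revoked (sign out of the browser or
    remove the device from the account's devices page). Assumes the 'AccountId-' prefix."""
    return [service.removeprefix("AccountId-") for service, _ in token_service_rows(conn)]


def suspicious_accesses(events: list) -> list:
    """Events where something other than a browser reads a profile database."""
    hits = []
    for e in events:
        image = PureWindowsPath(e["image"]).name.lower()
        target = PureWindowsPath(e["target"])
        in_profile = any(p.lower() == "user data" for p in target.parts)
        if (in_profile and target.name.lower() in PROFILE_DATABASES
                and image not in BROWSER_IMAGES):
            hits.append(e)
    return hits


def build_sample_web_data() -> sqlite3.Connection:
    """Constructed stand-in for Web Data with the two columns the article names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE token_service "
                 "(service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)")
    conn.executemany("INSERT INTO token_service VALUES (?, ?)", [
        ("AccountId-1234567890", b"\x01\x00\x00\x00" + b"\xaa" * 60),  # fake blob
        ("AccountId-0987654321", b"\x01\x00\x00\x00" + b"\xbb" * 60),  # fake blob
    ])
    return conn


SAMPLE_EVENTS = [  # constructed file-access telemetry with Sysmon/EDR-style fields
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\setup_x64.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\jdoe\Documents\notes.txt"},
]

if __name__ == "__main__":
    conn = build_sample_web_data()
    print("token_service:", token_service_rows(conn))
    print("sign out:", accounts_to_sign_out(conn))
    for hit in suspicious_accesses(SAMPLE_EVENTS):
        print("ALERT non-browser read of", hit["target"], "by", hit["image"])
```

Because the stolen token keeps working after a password change, the sign-out list is the remediation that matters; the telemetry rule is how you find the host to run it on.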


Karthick told The Hacker News that three different token-cookie generation scenarios were tested –

  • When the user is logged in with the browser, in which case the token can be used any number of times.
  • When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.
  • If the user signs out of the browser, then the token will be revoked and deleted from the browser’s local storage, which will be regenerated upon logging in again.

When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.

“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”


“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user,” it further added. “This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”

The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

“It’s advised to change passwords so the threat actors wouldn’t utilize password reset auth flows to restore passwords,” Karthick said. “Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don’t recognize.”

“Google’s clarification is an important aspect of user security,” said Hudson Rock co-founder and chief technology officer, Alon Gal, who previously disclosed details of the exploit late last year.

“However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google’s measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days.”

(The story was updated after publication to include additional comments from CloudSEK and Alon Gal.)
