S1 EP. 16: Attackers bypass MFA, U.S. Gov’t Goes After Russian Hackers in Microsoft Case, Google Next Highlights

On Thursday, they issued an emergency directive mandating that all federal agencies immediately hunt for signs of a known Russian APT that broke into Microsoft's corporate network. And then they pivoted to steal some sensitive correspondence from U.S. government agencies.

And this directive comes, I think, a little less than three months after Microsoft confirmed that attackers also stole source code from them. And here's the thing: they think that this group might still be poking around in their internal systems.

Hey everybody. I'm Brad Bussie, chief information security officer here at e360. Thank you for joining me for the State of Enterprise IT Security Edition. This is the show that makes IT security approachable and actionable for technology leaders.

I'm happy to bring you three topics this week. The first: as MFA, which is multi-factor authentication, adoption grows, so do MFA bypasses. Second, U.S. government on high alert as Russian hackers steal critical correspondence from Microsoft. And third, announcements from the Google Next conference.

So with that, let's get started.

Now, first topic of today: as MFA adoption grows, so do MFA bypasses. So multi-factor authentication, MFA, is really now a mandate for most organizations and accounts. You need it to get things like cyber insurance policies for an organization, and it's even part of a presidential executive order. And it's interesting, because just as all of this is starting to get enforced in organizations, attackers are now finding a way to bypass it. So what I thought I'd do is talk a little bit about how attackers are bypassing MFA and some of the things that you can do, not just as a user, but as a cyber professional or an IT person in your organization.

So one of the first styles of attacks when it comes to MFA is what's called MFA fatigue. And this is where a threat actor essentially peppers a target user with alerts just to confirm authentication. And what they're hoping for is somebody is just going to get tired of it and approve the authentication request. And this actually does happen, because the user starts to think, well, maybe the issue is on my side. Maybe my email needs some kind of authentication, or one of my applications is freaking out, and if I approve it, it'll stop. And interestingly, if you do approve it, it does stop. But the reason it stops is someone now has that token, or that six digits, or just the push authentication, which then gives them access.

So what's interesting here is that Apple has seen this style of attack, but it took it one step further. Not only was the user getting peppered with all of these requests, the user then got a phone call from someone that was pretending to be Apple support and said, "Hey, there's a problem with your account. We need you to read us the six-digit code that just popped up. Yes, we understand there were like thousands of them all of a sudden, but that last one, why don't you go ahead and read it to us, and then we can fix it." So not only are we talking about MFA fatigue, but we're also talking about social engineering, to a certain extent.

And Microsoft has gone on record saying that they see somewhere in the realm of 6,000 MFA fatigue requests every day in their organization. So people are targeting Microsoft, and just think of that: 6,000 of these a day for just one organization.

A second way that MFA is having some challenges is with what's called SIM swapping. So inside of a phone or device, you have a SIM card, and there are ways of cloning a SIM card without it even leaving your device. So if you're interested in that, there's a whole bunch of information on how to do that. Please don't. And if you're trying to do it for nefarious purposes, really don't, because it's a bit of a challenge for cyber professionals. A lot of users, they don't want to use an MFA app. They don't want to use a token app. They don't want to use something like that. So what's the next best thing? Well, you get a text message. Now, if I've cloned your SIM card, guess what's going to happen when a text message goes out? I'm going to get that as the attacker. So then I've got the code, and then I can go on and continue to attack you, take over your email, move laterally, all that bad stuff.

Third way that MFA is having some challenges is around what's called session cookie theft. And that is where a threat actor will swipe what I like to call the browser's hall pass, and that is the session cookie. It's just a stored string of characters that allows for, think of it as like re-entry into an application or system without re-entering a password. So essentially all the good stuff like, hey, I know who this person is. They are who they say they are. They're coming from a device that says that it is what it is. We verified that; we don't need to necessarily check that again for 30 minutes. So then it creates one of these session cookies. It's just kind of how applications work. In a zero trust environment, it actually would check each authentication and authorization request, so this kind of theft doesn't really happen. But most organizations still are implementing zero trust. It's not fully there. So this one is a bad one. This actually impacted Okta back in October of 2023, and that's how some of their customers got compromised.

Now, probably the more useful thing when it comes to this is, what can you actually do about it? So when it comes to cookie theft, one of the best things you can do is just shorten the amount of time that a cookie is valid before it expires. Some applications, it's like 90 minutes; some are days; others are minutes. And those are the types of applications that I like: just kind of limit how long that cookie's alive.

I would say the gold standard, and this is something that comes from CISA, and you hear me talk about CISA pretty often, and that really is focusing on protecting multi-factor overall, is creating a phishing-resistant MFA. And this is using like a smart card, or what we call a FIDO security key, where only the key owner has access to their device. So think of it as something you have, something you know, and then take it one step further with something you are: your face, your fingerprint, things like that. And really, even a one-time code sent to a phone is not bad. It's not the worst way to authenticate. And I would say any MFA is better than no MFA at all.

But I would say, because of some of the things that we talked about, just making sure that we have another factor of authentication for the important things, that's where I would be angling for.

Second thing that I wanted to talk about today is the U.S. cybersecurity agency, CISA. Again, on Thursday they issued an emergency directive mandating that all federal agencies immediately hunt for signs of a known Russian APT that broke into Microsoft's corporate network, and then they pivoted to steal some sensitive correspondence from U.S. government agencies. And this directive comes, I think, a little less than three months after Microsoft confirmed that attackers also stole source code from them. And here's the thing: they think that this group might still be poking around in their internal systems.

And you've heard me say this on a previous podcast, I don't like to say the name of the attacker group, because I feel that it gives them notoriety and some power. So I'm not going to do it. So if you want to know who they are, you can look up the actual breach from three months ago and read more about this hacker.

So according to the directive from CISA, federal agencies need to analyze the content of exfiltrated emails, reset any compromised credentials, and take additional steps to ensure that authentication tools for privileged Microsoft Azure accounts are secure. So what they're saying here is, anytime that you think you've been part of a breach, or you've been notified that you are part of a breach, one of the first things you should do is go and reset compromised credentials. I say take it a step further: reset everything.

So if you get one of those letters in the mail that says, "Oh, sorry. You know, someone went through our systems and they now have your username, password, blah, blah, all that kind of stuff. Here's your free credit monitoring. Thank you." Great. Take your credit monitoring, but then go and cycle all of your usernames and passwords. Especially, and I know some of you are going to kind of go, "Oh, that's me," if you are using variations of the same password on all of your different websites, accounts, anything like that. And for those of you that use the same password for everything, I don't even know what the word I'm going to use is. How about don't, and try a password manager, because if you don't have the time to remember and change and do variations, it does all that for you. And you can find free ones. It's definitely better than what you're doing now.

So when it comes to the compromise of the Microsoft system, a lot of it was the corporate email accounts, and there was that exfil of correspondence between government agencies and Microsoft. And that's where the real concern happens, is that since this is a Russian attacker, they are looking at this from the government standpoint, the different agencies that are communicating with Microsoft, and it's kind of working its way out as a blast radius. So that's what we're really concerned about, that's what CISA is concerned about, and that is what Microsoft is concerned about now.

Microsoft has represented to CISA that for the subset of affected agencies whose emails perhaps contained things like authentication secrets, that would be like credentials or passwords (why that was in there, I don't know, but it happened), Microsoft said that they'll provide metadata for those agencies. And what that means is they can take that metadata and see what the impact looks like in their systems. So a lot of this is for the agencies that are impacted, but I think this is just an interesting story, because it goes to show even large organizations continue to struggle with this. And the larger the org, it seems like the more that they're being attacked, especially by well-funded nation states.

So Microsoft, after providing this metadata, they are basically saying that this was a professional hacking team that used, not like an old style of attack, but a common style, which is a password spray, to compromise a legacy non-production test tenant, and that's how they gained their foothold.

So just keep this in mind when you're thinking about, well, how do these attacks continue to happen? We've got, you know, multi-factor authentication, which we just talked about. We've got all of these hardened systems. We have all of these things. A lot of the time, the challenge comes from tech debt. It's these old systems that someone still needs for some reason. You can't turn them off. You can't change the password. You can't even look at the system wrong or it crashes, and next thing you know, you've got a bunch of people that are unable to work.

So when it comes to those types of systems, we need to wrap some additional layers and controls around them, because if they're still being used, even in development, this is a great example of how you can still establish a foothold in some systems. Because developers, system admins, engineers, sometimes we create these backdoors into systems just for us. It's just meant for us. But next thing you know, somebody else is using that type of a backdoor to get into other systems. So if you're creating something just for you to use in your application, your systems, your network, I'm going to bet money that somebody else is going to find and use that. So I would recommend: A, don't create it; B, if you are creating it during development, document it and make 100 percent sure that it is no longer accessible.

Third topic for today is the Google Next conference, which I recently attended, and I got to learn a lot about some of the new solutions, products and features. So one of the interesting things was Gemini for cloud and cybersecurity. So many of you probably remember the experiment by Google which was known as Bard. Well, Bard was powered by a large language model, Gen AI, and the name that it's going by now is Gemini. So Bard is gone. You can still type bard.google.com; it'll take you to Gemini. Same good stuff. I'm not going to say same. Better stuff. A lot better. More to the large language model now.

So I attended the conference. It was full of innovative solutions. I mean, I walked the show floor, and, this is kind of funny, I had an AI scan my face and then tell me what job I'm most likely to have. And apparently it thinks I should have been a firefighter, an astronaut, or a journalist. I think that was a bit of a range, but I'll allow it. I think it missed the mark a little bit. I mean, it did skip cybersecurity professional, but hey, I think, you know, they're still training the model. So it's not perfect yet, but Google introduced a bunch of new features that provide AI assistance to help customers write code, identify and resolve security threats.

And what I found also interesting is they've expanded access to some of the general AI models, and they introduced something called an AI hypercomputer and AI-powered Workspace features as part of their enterprise offering. So starting from this conference, Google is upgrading some of the features, like, we'll call it Gemini Code Assist, and that can generate and test code for developers, which is pretty exciting. And then they're also providing some more AI-driven tools to help security operations. So this really is helping an organization spot threats and summarize the intelligence that's been discovered and/or fed into the system, and then take action against the threat and/or attack.

So Gemini has a threat intel component. Now, it's in preview, but it's still functional, which I definitely like. It uses natural language to deliver, think of it as like a deeper insight about how threat actors actually behave. And I think what's useful about this is that it does use that natural language. There's a pretty large context window that enables anybody to analyze bigger and bigger samples of potentially malicious content. And that can be code, that can be a bunch of different things, and it just gives you better results.

One of the things that I liked, that I saw as some good value, is the AI security add-on, and that's really looking at data privacy and security, because those continue to be top of mind for me, top of mind for you. And with Gen AI really taking center stage, what's interesting is data breaches, they increased 20% last year. And I think the bigger that Gen AI gets, we're going to start seeing more and more breaches, because, as you've heard me talk about previously, if you haven't done data governance correctly, the biggest insider threat you can introduce into your organization is generative AI. It is this large language model, because the model is just going to do what it's been primed to do, what it's learned to do. And in some cases, you're going to ask it a question. What's its job? It's going to go get you the answer to that question. It doesn't know if it's necessarily supposed to have access to that information. If it does have access to it, it's going to pull it back and it's going to give it to you. And if you have users that are giving PII or information to these Gen AIs, and it's not supposed to go out, well, it doesn't know that it's not supposed to go out. So we're needing to wrap more and more security controls around this.

And this is what Google has identified. So they're starting to add more components to their security suite to help with all of the things that I just talked about, and they are starting to weave Gemini into Gmail, into Workspace, and they're bringing the whole zero trust principles into augmenting Gemini and helping to deliver AI-powered threat defense. And I look at this as, you know, our job in security, it's never done. And with the way that the market is innovating, really, I love organizations that are focused on helping to keep our data safe. And I think when you look at some of the neat things that Google's doing, things like, you know, extending DLP controls, allowing classification labels into Gmail, they're not the only ones doing this, but I just was drinking a whole lot of Google Kool-Aid over the past week. And I walked away from the experience really, really happy with a lot of the security things that I'm starting to see get woven into that whole suite.

So thank you for joining me, and I look forward to next time on the State of Enterprise IT Security Edition.
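As an added worked example, not code from the episode and not from any vendor named in it: the Python below runs two of the detections a SOC would want for the patterns discussed above, MFA push fatigue (a burst of prompts to one user, then an approval) and password spray against a forgotten tenant (one source failing against many accounts, then a success), over a constructed, simplified sign-in log. The log format, the event names (`mfa_push_sent`, `mfa_push_approved`, `password_failed`, `password_ok`), the IP addresses, user names and thresholds are all assumptions for illustration, not any product's schema.

```python
"""Detection logic for two attack patterns from this episode: MFA push
fatigue (a burst of prompts to one user, then an approval) and password
spray (one source failing against many accounts, then a success).
Added example, not code from the show; the log format, event names and
thresholds are assumptions, not any vendor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> user=<user> ip=<ip>"
SAMPLE_LOG = """\
2024-04-11T09:00:01 mfa_push_sent user=alice ip=203.0.113.10
2024-04-11T09:00:09 mfa_push_sent user=alice ip=203.0.113.10
2024-04-11T09:00:20 mfa_push_sent user=alice ip=203.0.113.10
2024-04-11T09:00:35 mfa_push_sent user=alice ip=203.0.113.10
2024-04-11T09:00:50 mfa_push_sent user=alice ip=203.0.113.10
2024-04-11T09:01:10 mfa_push_sent user=alice ip=203.0.113.10
2024-04-11T09:01:50 mfa_push_approved user=alice ip=203.0.113.10
2024-04-11T10:00:00 password_failed user=bob ip=198.51.100.7
2024-04-11T10:00:02 password_failed user=carol ip=198.51.100.7
2024-04-11T10:00:05 password_failed user=dan ip=198.51.100.7
2024-04-11T10:00:09 password_failed user=erin ip=198.51.100.7
2024-04-11T10:00:14 password_failed user=frank ip=198.51.100.7
2024-04-11T10:00:20 password_failed user=gina ip=198.51.100.7
2024-04-11T10:00:40 password_ok user=svc-test-legacy ip=198.51.100.7
2024-04-11T11:00:00 password_failed user=bob ip=198.51.100.50
2024-04-11T12:00:00 mfa_push_sent user=dave ip=192.0.2.5
2024-04-11T12:00:30 mfa_push_approved user=dave ip=192.0.2.5
"""


def parse_log(text):
    """Parse lines into (timestamp, event, user, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, *pairs = line.split()
            f = dict(p.split("=", 1) for p in pairs)
            events.append((datetime.fromisoformat(ts), event, f["user"], f["ip"]))
    return sorted(events, key=lambda e: e[0])


def detect_mfa_fatigue(events, window=timedelta(minutes=5), threshold=5):
    """{user: peak prompt count} for users getting >= threshold push
    prompts inside any window-long span (sliding window per user)."""
    pushes = defaultdict(list)
    for ts, event, user, _ in events:
        if event == "mfa_push_sent":
            pushes[user].append(ts)
    hits = {}
    for user, times in pushes.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits


def fatigue_then_approved(events, window=timedelta(minutes=5), threshold=5):
    """Fatigue victims who then approved a prompt within `window` of the
    last one: the user gave in, so treat that session as attacker held."""
    victims = detect_mfa_fatigue(events, window, threshold)
    last_push, approved = {}, set()
    for ts, event, user, _ in events:
        if user not in victims:
            continue
        if event == "mfa_push_sent":
            last_push[user] = ts
        elif (event == "mfa_push_approved" and user in last_push
              and ts - last_push[user] <= window):
            approved.add(user)
    return approved


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """{ip: peak distinct users} for sources whose failed passwords hit
    >= min_users distinct accounts inside any window-long span. Per-user
    lockout never fires on this pattern, hence a source-centric check."""
    failures = defaultdict(list)
    for ts, event, user, ip in events:
        if event == "password_failed":
            failures[ip].append((ts, user))
    hits = {}
    for ip, attempts in failures.items():
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:
                start += 1
            distinct = len({u for _, u in attempts[start:end + 1]})
            if distinct >= min_users:
                hits[ip] = max(hits.get(ip, 0), distinct)
    return hits


def spray_footholds(events, window=timedelta(minutes=10), min_users=5):
    """{(ip, user)} successful logins from a flagged spraying source: the
    account the spray landed on, e.g. a forgotten test tenant."""
    sprayers = detect_password_spray(events, window, min_users)
    return {(ip, user) for _, event, user, ip in events
            if event == "password_ok" and ip in sprayers}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(detect_mfa_fatigue(evts), fatigue_then_approved(evts))
    print(detect_password_spray(evts), spray_footholds(evts))
```

Run stand-alone, it reports alice as a fatigue victim who gave in (six prompts in just over a minute, then an approval) and 198.51.100.7 as a spray source that landed on svc-test-legacy; dave's single prompt and bob's lone failure from another address are ignored. Both rules key on volume across a short span rather than on any single event, which is the point: one push prompt is normal and one failed password per account never trips lockout, so neither pattern shows up in per-event alerts.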
