While multi-factor authentication (MFA) and passwordless solutions are gaining traction, many organisations still rely on legacy authentication protocols, creating significant security vulnerabilities and presenting opportunities for low-sophistication threat actors.
- Basic Authentication: This simple method transmits usernames and passwords in plain text or weakly encoded formats, making it incredibly easy for attackers to intercept and exploit credentials. It's often found in older email systems, APIs, and web applications.
- NTLM (NT LAN Manager): Primarily used in older Windows environments, NTLM is susceptible to pass-the-hash attacks and other credential theft techniques. Its age and known vulnerabilities make it a prime target for attackers.
- Older VPN Protocols (e.g., PPTP): While VPNs provide a secure tunnel, outdated protocols like PPTP have inherent security flaws that can be exploited to gain unauthorised access to internal networks.
- FTP (File Transfer Protocol): Plain FTP, unless wrapped in SSL/TLS (FTPS), transmits credentials and data in the clear, exposing sensitive information to eavesdropping.
- Lack of MFA Support: Many legacy protocols don't support modern security measures like MFA, leaving organisations exposed to brute-force attacks and other credential-based threats.
- Credential Theft: Because many legacy authentication methods transmit credentials in clear text or in a weakly encoded form, anyone able to observe the traffic can capture and reuse them.
- Lateral Movement: Once an attacker gains access, they can easily move laterally within the network, compromising other systems and escalating their privileges.
- Data Breaches: Compromised credentials can lead to devastating data breaches, resulting in financial losses, reputational damage, and regulatory penalties.
- Compliance Issues: Many regulatory frameworks require strong authentication practices, and reliance on legacy protocols can lead to non-compliance.
Improving Your Security Posture:
- Phase Out Legacy Protocols: Prioritise the replacement of outdated authentication methods with modern, secure alternatives.
- Implement Multi-Factor Authentication (MFA): Enforce MFA across all systems and applications, especially those accessible from the internet.
- Adopt Passwordless Authentication: Explore passwordless solutions like biometrics and hardware security keys to mitigate the risk of password-based attacks.
- Strengthen Password Policies: If passwords are still necessary, enforce strong password policies, including complexity requirements and regular password changes.
- Regular Security Audits: Conduct regular security audits to identify and address vulnerabilities related to legacy authentication.
- Patch Management: Ensure all systems and applications are up to date with the latest security patches to mitigate known vulnerabilities.
- Zero Trust Architecture: Implement a Zero Trust security model, which assumes that no user or device is trusted by default, regardless of their location.
- Educate Users: Train employees on the importance of strong authentication practices and the risks associated with legacy protocols.
By taking these steps, organisations can significantly improve their security posture and mitigate the risks associated with legacy authentication. It is important to remember that cyber security is an ever-evolving landscape, and that vigilance is key.
For information on NSB Cyber’s Cyber Resilience capabilities or to book a meeting with our team, click here.
- EncryptHub Breaches 618 Organisations to Deploy Infostealers and Ransomware - EncryptHub, also known as Larva-208, is a threat actor conducting spear-phishing and social engineering attacks to infiltrate corporate networks, compromising at least 618 organisations since June 2024. The group uses phishing tactics, including fake login pages for VPN and Microsoft 365 services, to steal credentials and multi-factor authentication (MFA) session cookies, often redirecting victims to legitimate sites to avoid suspicion. Once inside a network, they deploy Remote Monitoring and Management (RMM) software like AnyDesk and TeamViewer, followed by information stealers such as Stealc and Rhadamanthys to extract sensitive data, including credentials and cryptocurrency wallets. EncryptHub has links to RansomHub and BlackSuit ransomware gangs, acting as either an initial access broker or a direct affiliate, and also uses a custom PowerShell encryptor to lock files and demand ransom payments.
- Cisco Details ‘Salt Typhoon’ Network Hopping, Credential Theft Tactics - Cisco's threat intelligence unit has confirmed that the Chinese state-sponsored hacking group Salt Typhoon successfully breached United States (U.S.) telecom networks by exploiting old vulnerabilities, stolen credentials, and ‘living-off-the-land’ (LOTL) tactics. The hackers leveraged CVE-2018-0171, a remote code execution flaw in Cisco’s Smart Install feature, which was patched in 2018 but remains a risk for unpatched legacy systems. They primarily gained access using stolen login credentials, capturing network traffic to obtain SNMP, TACACS, and RADIUS authentication details, and exfiltrating device configurations that contained weakly encrypted passwords. The attackers also used LOTL techniques to modify router settings, alter authentication mechanisms, and execute stealthy commands on Cisco Nexus devices while pivoting between telecom networks to evade detection.
- New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems - Between November and December 2024, a newly identified Linux malware called Auto-Color targeted universities and government institutions in North America and Asia. Once installed, Auto-Color grants attackers full remote access to compromised systems, making it difficult to remove without specialised tools. The malware employs various evasion tactics, such as using deceptive file names like door or egg and concealing its command-and-control (C2) connections. Once active, Auto-Color connects to a C2 server, allowing attackers to execute commands remotely, create a reverse shell, modify system files, run programs, use the infected system as a proxy, and even uninstall itself via a built-in kill switch. The malware receives instructions from a remote command server, with each C2 IP address separately encrypted using a proprietary algorithm to further obfuscate its activities.
- Australia Bans Government Use of Kaspersky Software Over Russian Espionage Concerns - Australia has banned government officials from using cybersecurity software from the Russian company Kaspersky Lab, citing risks related to foreign interference, espionage, and sabotage. Under this directive, government agencies must not install Kaspersky products on official systems or devices and must remove any existing installations by April. Stephanie Foster, Secretary of the Department of Home Affairs, stated that using Kaspersky software presents an "unacceptable security risk" due to concerns over its extensive data collection and potential exposure to foreign government directives that conflict with Australian law. Australia is the latest Five Eyes nation to impose restrictions on Kaspersky, following similar actions by the United States, the United Kingdom, and Canada. While some state agencies may apply for exemptions, these will be strictly limited to national security, regulatory, or law enforcement purposes.
- Botnet Targets Basic Auth in Microsoft 365 Password Spray Attacks - A botnet of over 130,000 compromised devices is conducting large-scale password-spray attacks against Microsoft 365 accounts using Basic Authentication to bypass Multi-Factor Authentication (MFA). The attackers leverage credentials stolen by infostealer malware and exploit non-interactive sign-ins, which do not trigger MFA in many configurations, allowing them to evade detection. SecurityScorecard's analysis suggests a possible link to Chinese threat actors, with command-and-control servers hosted in the United States (U.S.) but proxying traffic through Hong Kong and China. To defend against this activity, organisations should disable Basic Authentication in M365, monitor Entra ID sign-in logs for signs of attacks, implement conditional access policies, and enforce MFA on all accounts.
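As an added illustration of the two points above (auditing which accounts still depend on legacy protocols before phasing them out, and monitoring Entra ID sign-in logs for Basic Auth password spraying), the following Python snippet runs both checks over a constructed sample of sign-in records. This is example code written for this newsletter, not NSB Cyber's or Microsoft's tooling; the field names follow the Microsoft Graph signIn resource but every value is invented, and the set of legacy client-app names is assumed and should be checked against your own tenant's logs.

```python
from collections import defaultdict

# Constructed sample of simplified Entra ID sign-in records (invented values).
SAMPLE_SIGNINS = (
    # One source address failing against many distinct accounts over SMTP AUTH:
    # the one-password-many-users spray pattern.
    [{"userPrincipalName": f"user{i}@example.com", "ipAddress": "203.0.113.10",
      "clientAppUsed": "Authenticated SMTP", "errorCode": 50126, "isInteractive": False}
     for i in range(1, 7)]
    # A normal interactive browser sign-in (modern auth, MFA-capable).
    + [{"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.5",
        "clientAppUsed": "Browser", "errorCode": 0, "isInteractive": True}]
    # A scanner still authenticating over IMAP with stored credentials: not a spray,
    # but an account that must be migrated before Basic Auth is switched off.
    + [{"userPrincipalName": "scanner@example.com", "ipAddress": "198.51.100.9",
        "clientAppUsed": "IMAP4", "errorCode": 0, "isInteractive": False}]
    # A single mistyped password over POP3 from one user: noise, not a spray.
    + [{"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
        "clientAppUsed": "POP3", "errorCode": 50126, "isInteractive": False}]
)

# Assumed clientAppUsed values for protocols that cannot complete an MFA challenge;
# extend this set from the values your tenant actually reports.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "SMTP", "IMAP4", "POP3",
                      "Exchange ActiveSync", "Exchange Web Services", "MAPI Over HTTP",
                      "Autodiscover", "Offline Address Book", "Other clients"}
INVALID_CREDENTIALS = 50126  # Entra ID sign-in error: invalid username or password


def is_legacy(rec):
    return rec["clientAppUsed"] in LEGACY_CLIENT_APPS


def legacy_successes(signins):
    """Accounts that still authenticate successfully over legacy protocols.
    These are the dependencies to migrate first: disabling Basic Auth will break them."""
    return sorted({r["userPrincipalName"] for r in signins
                   if is_legacy(r) and r["errorCode"] == 0})


def spray_sources(signins, min_users=5):
    """Source IPs with failed, non-interactive legacy-protocol sign-ins against at
    least min_users distinct accounts. Returns {ip: [targeted accounts]}."""
    targets = defaultdict(set)
    for r in signins:
        if is_legacy(r) and r["errorCode"] == INVALID_CREDENTIALS and not r["isInteractive"]:
            targets[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in targets.items() if len(users) >= min_users}


if __name__ == "__main__":
    print("accounts still on legacy auth:", legacy_successes(SAMPLE_SIGNINS))
    print("probable spray sources:", spray_sources(SAMPLE_SIGNINS))
```

On real data the same two functions can be fed the JSON exported from the Entra ID sign-in logs; the threshold in spray_sources should be tuned to the size of the tenant.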