Bypassing Authentication, New Extortion Techniques, and the Perils of Default Passwords

So far, 2021 is starting much like 2020 ended in the world of cybersecurity – new techniques are constantly being devised by cybercriminals to earn higher payouts than ever.  Here are two new techniques – and one very old one – to ring in the new year.

Hackers Bypassing Multi-Factor Authentication  

It turns out that those passcodes and prompts you get on your smartphone before you can access certain websites or services – called Multi-Factor Authentication, or MFA for short – are becoming less universally effective as they become more common. (It’s still important, and you should still use it whenever you can!)

In 2019, Microsoft said that attacks bypassing MFA were so rare that they didn’t even have statistics on them.  Two years later, more people than ever are putting MFA on their accounts to prevent them from being hacked – and more hackers than ever are trying to bypass it.

Multiple recent attacks on cloud services have successfully bypassed MFA. Some of these attacks trick a user into entering the passcode from their phone into a web form, and the passcode is immediately used to log in from afar. Other attacks trick users into clicking on an attachment that runs malware on their computers, extracting persistent login cookies and sending them to the hackers. Either way, the result is the same, and it isn’t good.

Read more at Threatpost

Double-Extortion, with Humiliation on Top

Hackers are getting more creative – and personal – in their ransom-based attacks.

First, ransomware locked up companies’ data and forced them to pay to get it back.  Next, hackers stole sensitive personnel and financial data and threatened to leak it online.

Now, hackers are also targeting the workstations of senior executives, hoping to find embarrassing information they can disclose to third parties if the victims don’t pay up. In one recent case, the embarrassing information was related to a legal case and involved executives discussing management misconduct.

Read more at ZDNet

The Most Boring Hack  

While hackers are more creative than ever, that doesn’t mean that they’re going to pass up an easy win when it’s staring them in the face. Nissan’s source code for mobile apps, dealer portals, sales tools, vehicle connected service and more was stolen from an online software repository. The “hacker” used login credentials to gain direct access to the data. The username was “admin”, and the password was, you guessed it, “admin”. Even big companies mess up the basics sometimes.

Read more at ZDNet