A place to share links and articles that I have found helpful. This blog tends to be more offensive security minded. Basically it is a collection of notes that I will update periodically. None of this is set in stone, and I could very well be wrong on most of it. Just saying.
identity rambles....
Teams Phishing
Email has security controls like Sender Policy Framework (SPF) that can prevent direct spoofing of domains, and email security gateways that can flag suspicious domains. Those controls don't exist for IM, so we have new options for spoofing.
Slack Phishing
https://pushsecurity.com/blog/
Chameleon attack
A particularly interesting external attack capability is that an attacker can act as a chameleon and change their identity over time. This could be particularly dangerous in CEO fraud attacks: an attacker could build connections with finance employees ahead of time for seemingly legitimate and innocuous reasons, and then later use those connections to send Slack messages spoofing the CEO.
Link preview spoofing
HTML allows a variety of ways to specify hyperlinks. Secure email gateways will often alert on or block commonly abused forms, such as link display text that shows a different URL from the one the underlying href points to. On IM applications, however, this same standard of link analysis is not always present, and the widespread introduction of link unfurling/previewing gives additional options for spoofing links to hide their true destination and increase social engineering success.
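As an added example (not from the original post or from Push Security), this is the check a secure email gateway applies and many IM clients do not: parse the anchors in a message and flag any whose URL-looking display text names a different host than the href it actually points to. The sample message body is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message body (not from the original post). The second anchor
# displays one URL as its text but its href points at a look-alike domain.
SAMPLE_HTML = """
<p>Please review the invoice:
<a href="https://portal.example.com/invoice/123">https://portal.example.com/invoice/123</a>
or <a href="https://portal-example.co/login">portal.example.com/login</a>
and <a href="https://tracker.example.net/x">click here</a>.</p>
"""

# Anchor text that reads like a URL (with or without a scheme) is the case
# worth comparing against the real href; plain words are not flagged.
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a fragment."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating display text that omits the scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def find_mismatched_links(html):
    """Return anchors whose URL-looking display text names a different host
    than the href actually points to."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        if not href or not _URLISH.match(text):
            continue
        href_host, text_host = host_of(href), host_of(text)
        if href_host != text_host:
            findings.append({"href": href, "text": text,
                             "href_host": href_host, "text_host": text_host})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"DISPLAY {f['text_host']} -> ACTUAL {f['href_host']} ({f['href']})")
```

Comparing hosts rather than full URLs keeps path-only differences (tracking parameters, redirects on the same site) out of the alert while still catching the look-alike domain. An unfurl card is rendered from the href, so on IM this is still the right comparison; the card's title and image come from whatever the href serves and cannot be trusted as the "true" destination either.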
Phishing is Evolving Quickly
It’s not just application-level lateral movement and persistence to worry about, though. It’s possible the attacker can start moving laterally across other user accounts. If they have selected their targets well, they might even find they have admin access to some downstream SaaS application that has been configured for SAML logins using Okta.
For example, maybe they compromise a finance employee who has admin access to their business expenses SaaS application. Then the attacker might be able to use a new technique like SAMLjacking to start attacking other users in a watering hole attack to achieve lateral movement.
There are many options for lateral movement and persistence after an account compromise, so simple containment actions like password resets for SSO credentials are not nearly enough to contain a knowledgeable attacker.
Update IR playbooks to deal with SSO account compromise, factoring in lateral movement and persistence across cloud apps. This really necessitates that you understand what business apps your organization is using, how they are accessed (e.g. SSO or username and password) and what functionality exists that could be abused by an attacker.
Tools :: noVNC :: EvilnoVNC :: Modlishka
Read More ::
- from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud
- 6-months-tracking-aitm-campaigns
- https://blog.thinkst.com/2024/01/defending-against-the-attack-of-the-cloned-websites.html
- https://zolder.io/using-honeytokens-to-detect-aitm-phishing-attacks-on-your-microsoft-365-tenant/