Cloud Security Archives - SecurityHQ
https://www.securityhq.com/blog/category/cloud-security/
SecurityHQ is an industry leader in providing Cyber Security Services including Managed Security Services, Professional Services and Compliance. Feed last updated Mon, 15 Dec 2025 05:35:03 +0000.

Managed Defense Threat Insights: November 2025 Newsletter
https://www.securityhq.com/blog/managed-defense-threat-insights-november-2025-newsletter/
Wed, 10 Dec 2025 10:20:06 +0000

The post Managed Defense Threat Insights: November 2025 Newsletter appeared first on SecurityHQ.

Cyber Defense Center

Threat Actor Probes PHP RCE Payloads Against a Website Protected by AWS WAF and ALB

Detection: An incident-driven security assessment detected PHP RCE probing attempts against a non-PHP Nginx web server, disclosing and mitigating a critical gap that let the probes pass through the edge defence layers.

Description: While reviewing a client's security posture, SecurityHQ's Incident Response team identified malicious traffic attempting to exploit a PHP Remote Code Execution (RCE) vulnerability against a web application hosted on Nginx, which runs no PHP components at all. The attacker's objective appeared to be reconnaissance, specifically probing server behaviour and response codes. Because the affected web server was not yet integrated with the SIEM, the initial 404 responses generated by Nginx were not visible to the Monitoring Team. A deeper investigation, combined with consultation with the application team, revealed that these 404 responses were originating from the web tier behind the AWS WAF and Application Load Balancer (ALB): the probes were reaching the backend unblocked, so neither edge layer was stopping them.

Recommendations: To strengthen the overall security posture and reduce unnecessary traffic reaching the application backend, we recommended enabling all default AWS Managed Rule Groups within AWS WAF (for a PHP-free backend the Core rule set, Known bad inputs and PHP application rule groups are the relevant ones). These rule sets help block common exploit attempts—including PHP-based probes—at the edge, preventing them from being forwarded to the ALB and ultimately to the webserver. This proactive hardening step aligns with AWS best practices and significantly minimizes exposure to widespread vulnerability scanners and exploit attempts. Two practical checks belong with it: deploy newly added rule groups in Count mode first and review the sampled requests before switching them to Block, so legitimate traffic is not dropped; and forward the ALB and Nginx access logs to the SIEM, because the backend's own responses are the evidence of what the edge let through.
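
The SIEM-side check that was missing in this case, as an added example (not code from the newsletter or from SecurityHQ): it parses Nginx combined-format access logs, flags every request for a .php resource on a server that runs no PHP, tags known PHP RCE payload markers after percent-decoding, and reports which source IPs reached the backend. The log lines, IPs and paths below are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Nginx "combined" access-log lines from a non-PHP web tier behind
# an ALB. IPs (RFC 5737 ranges), paths and user agents are made up for this
# example; they are not indicators taken from the newsletter.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:09:15:01 +0000] "GET /index.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.10 - - [12/Nov/2025:09:15:02 +0000] "POST /index.php?s=/index/think/app/invokefunction&function=call_user_func_array HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [12/Nov/2025:09:15:05 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "ELB-HealthChecker/2.0"
203.0.113.10 - - [12/Nov/2025:09:15:06 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [12/Nov/2025:09:15:09 +0000] "GET /static/app.js HTTP/1.1" 200 8812 "https://example.test/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Any request for a .php resource on a server with no PHP runtime is a probe.
PHP_PATH_RE = re.compile(r"\.php(?:[/?]|$)", re.IGNORECASE)
# Markers commonly seen in PHP RCE probes; matched after percent-decoding.
PHP_PAYLOAD_MARKERS = ("php://", "call_user_func", "allow_url_include",
                       "auto_prepend_file", "eval(")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_php_probes(lines, server_runs_php=False):
    """One finding per request that should never have reached the backend."""
    findings = []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        path = rec["target"].partition("?")[0]
        decoded = unquote(rec["target"]).lower()
        reasons = []
        if not server_runs_php and PHP_PATH_RE.search(path):
            reasons.append("php-path-on-non-php-server")
        reasons += [f"payload-marker:{mk}" for mk in PHP_PAYLOAD_MARKERS if mk in decoded]
        if reasons:
            # The backend answered (here with a 404), which proves the request
            # passed both the WAF and the ALB without being blocked.
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "target": rec["target"], "status": rec["status"],
                             "ua": rec["ua"], "reasons": reasons})
    return findings


def passthrough_sources(findings):
    """Source IPs whose probes reached the backend, with counts, busiest first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = find_php_probes(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ip"], h["status"], h["target"], h["reasons"])
    print(passthrough_sources(hits))
```

Point this at the Nginx access log (or the ALB access log, which has the same request line and backend status) and any non-empty output is a WAF passthrough: the status code does not matter, the fact that the backend answered at all does.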

Critical Vulnerability in Fortinet FortiWeb Exploited in the Wild

Detection: Critical FortiWeb Zero-Day Alert: Path Traversal Exploit Enables Remote Authentication Bypass

SHQ Detection Pack – Relevant Use Cases

  1. Suspicious Web Requests Identified in Audit, System Logs
  2. Administrative Logins to the management interface
  3. Configuration Changes Executed

Description: SecurityHQ's Incident Response team responded to an incident involving CVE-2025-64446, a critical vulnerability in Fortinet's FortiWeb Web Application Firewall. The issue combines a relative path traversal flaw with an authentication bypass, allowing remote, unauthenticated attackers to reach internal management endpoints. According to the vendor, multiple FortiWeb versions are affected, including 7.0.0–7.0.11, 7.2.0–7.2.11, 7.4.0–7.4.9, 7.6.0–7.6.4 and 8.0.0–8.0.1, as confirmed by FortiGuard Labs and CISA. Exploitation requires no valid credentials: attackers send crafted HTTP(S) requests that use the path traversal weakness to reach protected CGI components on the management interface. Successful exploitation yields a complete authentication bypass, letting threat actors create new administrative accounts and take full control of the FortiWeb device. This is a significant risk for environments that rely on FortiWeb as a frontline security control.

Mitigation Actioned:

  • Restricted management access to trusted internal networks only.
  • Keys, credentials and certificates were rotated.

Lessons Learnt: Organizations should have a strong proactive patching regime, restrict management access to internal networks, and enable key WAF protections to block exploitation attempts. Post-patch, review admin accounts and logs for unauthorized activity and ensure full SIEM visibility for ongoing monitoring.
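
A check for the first detection use case above ("Suspicious Web Requests Identified in Audit, System Logs"), as an added example that is not part of the newsletter and does not reproduce any FortiWeb request: it normalises request paths the way a traversal filter must, decoding repeatedly (so double-encoded "%252e%252e" is caught), treating backslashes as separators, and then looking for a literal ".." segment. The request paths are constructed; none is taken from an advisory.

```python
import posixpath
from urllib.parse import unquote

# Constructed request paths for the example; none is taken from an advisory.
SAMPLE_PATHS = [
    "/api/v2/../../cgi-bin/test.cgi",
    "/api/%2e%2e/%2e%2e/cgi-bin/test.cgi",
    "/api/%252e%252e/%252e%252e/cgi-bin/test.cgi",
    "/api/..%5c..%5ccgi-bin/test.cgi",
    "/api/v2/users?name=..smith",
    "/static/app.min.js",
]


def fully_decode(s, max_rounds=4):
    """Percent-decode until stable. Double encoding (%252e) defeats single-pass
    filters, so keep going; returns (decoded, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    return s, rounds


def analyse_path(raw_target):
    """Decode and normalise one request target; 'traversal' is True when a
    '..' segment survives after decoding."""
    path = raw_target.partition("?")[0]          # the query string is not a path
    decoded, rounds = fully_decode(path)
    # Backslashes count as separators: "..\" is a traversal to Windows-style parsers.
    unified = decoded.replace("\\", "/")
    segments = unified.split("/")
    return {
        "raw": raw_target,
        "decoded": unified,
        "normalised": posixpath.normpath(unified) if unified else "",
        "decode_rounds": rounds,
        "traversal": ".." in segments,
    }


def scan_requests(targets):
    """Return the analysis of every target that contains a traversal."""
    return [r for r in (analyse_path(t) for t in targets) if r["traversal"]]


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_PATHS):
        print(f'{hit["raw"]!r:55} -> {hit["normalised"]}  (decoded {hit["decode_rounds"]}x)')
```

A ".." segment in a request to a management interface from an external client has no legitimate use, so alerting on its presence is safer than only alerting when the normalised path leaves the web root; the normalised path is still worth surfacing because it tells the analyst which component the request was actually aimed at.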

Threat Detection Engineering

Key Detection Engineering Highlights for November

AzureHound Probes

Threat actors widely use AzureHound or similar tools to map users, groups and roles within Microsoft 365 or Entra ID as part of early enumeration; red teamers use the same tooling to identify gaps in cloud security. Here is a short example of this attack method: a low-privilege account suddenly produces a burst of sign-ins from an unusual application pattern.

The tool rapidly queries directory information, attempting to identify privileged roles, access paths, and high-value accounts.

Why it matters: This type of reconnaissance helps attackers understand your cloud environment, find weak points, and plan privilege escalation. Detecting these early signals reduces the chance of further compromise.

Rule Name: Azure Hound User Agent Detected (P2)

Detection Scope: Microsoft 365 and Entra ID

Rationale: Reconnaissance tools generate directory queries and sign-in patterns that differ from normal user activity. Identifying these anomalies allows early detection before attackers escalate privileges or move deeper into the environment.

BloodHound – Behavioral Detection:

An attacker runs a BloodHound/SharpHound collector from a compromised workstation to rapidly enumerate Active Directory. BloodHound enumeration creates rapid, large-scale directory queries that differ from normal user or admin behavior. Tracking abnormal spikes in object-access events helps identify reconnaissance before privilege escalation or lateral movement occurs.

Here is a short example of this attack method: host XYZ generated 2,400 "Failure Audit: An operation was performed on an object" events (Windows Security Event ID 4662) in 45 seconds, each referencing a different AD object (users, groups, ACLs). The source account was a low-privilege user, not a well-known service account, and the requests targeted many high-value OUs.

Why it matters: BloodHound-style enumeration reveals relationships, privileges, and ACEs that attackers use to plan lateral movement and privilege escalation.

Rule Name: Excessive Directory Access Failures Detected (P3)

Detection Scope: Monitor Windows Security audit logs for spikes in object-access events (success & failure) indicating mass AD enumeration; surface SourceHost, Username, and TargetObject; exclude known service/ admin accounts.
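
The "Excessive Directory Access Failures" logic above, as an added example (not SecurityHQ's rule): it groups Event ID 4662 records by (host, user), slides a 60-second window over each group, and alerts when the window holds at least 50 events touching at least 40 distinct objects, after excluding known service accounts. The hosts, users, object names and service-account list are constructed for the example; tune the thresholds to your own directory's noise.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Accounts expected to touch many directory objects (backup, monitoring); constructed names.
KNOWN_SERVICE_ACCOUNTS = frozenset({"svc-backup", "svc-monitoring"})


def _burst(host, user, count, start, span_seconds, prefix):
    """Constructed Event ID 4662 Failure Audit records: `count` of them, spread over span_seconds."""
    step = span_seconds / count
    return [{"event_id": 4662, "audit": "Failure", "host": host, "user": user,
             "time": start + timedelta(seconds=i * step),
             "object": f"{prefix}{i:04d},OU=Tier0,DC=corp,DC=test"} for i in range(count)]


_T0 = datetime(2025, 11, 12, 9, 30, 0)
SAMPLE_EVENTS = (
    _burst("WS-XYZ", "jdoe", 60, _T0, 30, "CN=obj")            # enumeration burst, low-priv user
    + _burst("WS-ABC", "asmith", 5, _T0, 300, "CN=obj")        # normal trickle
    + _burst("SRV-BK1", "svc-backup", 80, _T0, 40, "CN=obj")   # noisy but expected
)


def detect_enumeration(events, window=timedelta(seconds=60), min_events=50,
                       min_distinct_objects=40, exclusions=frozenset()):
    """Alert when one (host, user) pair produces min_events 4662 events that touch
    min_distinct_objects distinct objects inside a sliding window."""
    groups = defaultdict(list)
    for e in events:
        if e["event_id"] != 4662 or e["user"].lower() in exclusions:
            continue
        groups[(e["host"], e["user"])].append(e)

    alerts = []
    for (host, user), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        win = deque()
        for e in evs:
            win.append(e)
            while e["time"] - win[0]["time"] > window:
                win.popleft()                      # drop events older than the window
            if len(win) >= min_events:
                distinct = {x["object"] for x in win}
                if len(distinct) >= min_distinct_objects:
                    alerts.append({"host": host, "user": user, "events": len(win),
                                   "distinct_objects": len(distinct),
                                   "span_seconds": (e["time"] - win[0]["time"]).total_seconds(),
                                   "first_seen": win[0]["time"].isoformat()})
                    break                          # one alert per pair, at the first trigger
    return alerts


if __name__ == "__main__":
    for a in detect_enumeration(SAMPLE_EVENTS, exclusions=KNOWN_SERVICE_ACCOUNTS):
        print(a)
```

The distinct-object count is what separates a collector from a misbehaving application: a broken app hammers the same few objects, SharpHound walks thousands of different ones. Run the same logic over Success audits as well; a collector running as a user with broad read rights produces no failures at all.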

Threat Management

SecurityHQ’s Threat Management Team manages various endpoint security, cloud security and network security solutions for customers. Following section highlights some key security insights. 

Account Takeover! Sign-In Activity from Malicious User Agent "axios/1.13.1"

Detection: The incident trigger was a suspicious user authentication activity with unfamiliar sign-in properties and a detected password spray attack. The alert identified potential unauthorized access attempts originating from an unusual IP address and nonstandard client application.

Investigation: Identity Protection detected an unusual interactive sign-in for the user account, originating from an external IP address geolocated in the USA. The authentication was performed with the atypical user agent "axios/1.13.1"; axios is an HTTP client library used for automated requests rather than legitimate browser-based logins.

Multiple aspects of the authentication, including ASN, browser type, device fingerprint, geographic location and tenant IP subnet, were inconsistent with the user's typical login patterns, location and device, making the activity highly anomalous. Although MFA was completed via text message to the registered number, the abnormal client and unfamiliar sign-in characteristics raised concerns of credential compromise or account takeover: an adversary-in-the-middle proxy relays the MFA prompt to the real user, so a satisfied MFA challenge does not rule out compromise.

Subsequent activity from the account included a suspicious URL click event leading to a OneDrive resource. Sandbox analysis confirmed the link redirected to a OneDrive login page, indicative of phishing intent. The URL originated from "cable[.]coromans[.]com", a domain registered since 2010 but potentially abused for malicious purposes. Additionally, a concurrent password spray detection targeting multiple accounts suggested broader automated credential attacks against the environment. Based on these findings, the spray aligns with MITRE ATT&CK T1110 (Brute Force) under TA0006 – Credential Access, and the sign-in with the compromised credential with T1078 (Valid Accounts) under TA0001 – Initial Access, consistent with threat actors attempting unauthorised entry via automated or scripted authentication attempts.

Actions taken: A major incident was raised and the customer was notified by phone. Immediate remediation steps were applied to the user's account, and the identified IOCs were blocked by the SecurityHQ team under the Managed EDR Service.

Reference: https://www.securityhq.com/blog/adaptive-defense-how-cloud-app-policies-can-block-malicious-user-agents/

Throughout 2025, the SecurityHQ team raised 300+ major incidents originating from this axios user agent and prevented further damage in every case.
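
Triage logic for both the AzureHound user-agent rule in the Detection Engineering section and the axios account-takeover case above, as an added example that is not SecurityHQ's rule: it builds a per-user baseline of countries, ASNs and devices from successful sign-ins, then scores each new sign-in on a non-browser User-Agent plus deviation from that baseline. MFA success deliberately adds nothing to the score, for the adversary-in-the-middle reason given above. The sign-in records are constructed; the "azurehound" User-Agent substring (and its version) is an assumption about that tool's default client string and should be confirmed against the build seen in your tenant.

```python
from collections import defaultdict

# Substrings identifying non-browser HTTP clients. "azurehound" is an assumption
# about that tool's default User-Agent; confirm against the build in your tenant.
NON_BROWSER_UA_MARKERS = ("axios/", "azurehound", "python-requests/", "curl/", "go-http-client/")
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0"


def _signin(user, result, country, asn, device, ua, mfa):
    return {"user": user, "result": result, "country": country, "asn": asn,
            "device_id": device, "user_agent": ua, "mfa": mfa}


# Constructed 30-day sign-in history; users, ASNs and devices are made up.
HISTORY = [
    _signin("alice@example.test", "success", "GB", "AS5089", "dev-a1", BROWSER_UA, True),
    _signin("alice@example.test", "success", "GB", "AS5089", "dev-a1", BROWSER_UA, True),
    _signin("alice@example.test", "failure", "NL", "AS9009", "dev-zz", BROWSER_UA, False),
    _signin("bob@example.test", "success", "US", "AS7922", "dev-b1", BROWSER_UA, True),
]

# Constructed new sign-ins to triage (the axios version mirrors the case above).
NEW_SIGNINS = [
    _signin("alice@example.test", "success", "US", "AS14618", "dev-unknown", "axios/1.13.1", True),
    _signin("alice@example.test", "success", "GB", "AS5089", "dev-a1", BROWSER_UA, True),
    _signin("bob@example.test", "success", "CA", "AS7922", "dev-b1", BROWSER_UA, True),
    _signin("carol@example.test", "success", "DE", "AS3320", "dev-c9", "azurehound/2.6.0", True),
]


def build_baseline(history):
    """Per-user sets of countries, ASNs and devices seen on successful sign-ins only."""
    base = defaultdict(lambda: {"countries": set(), "asns": set(), "devices": set()})
    for s in history:
        if s["result"] != "success":
            continue                     # failed attempts must not poison the baseline
        b = base[s["user"]]
        b["countries"].add(s["country"])
        b["asns"].add(s["asn"])
        b["devices"].add(s["device_id"])
    return base


def score_signin(signin, baseline):
    score, reasons = 0, []
    ua = signin["user_agent"].lower()
    if any(m in ua for m in NON_BROWSER_UA_MARKERS):
        score += 3
        reasons.append(f"non-browser client: {signin['user_agent']}")
    b = baseline.get(signin["user"])     # .get() does not create an empty baseline
    if b is None:
        score += 1
        reasons.append("no sign-in baseline for user")
    else:
        if signin["country"] not in b["countries"]:
            score += 2
            reasons.append(f"new country {signin['country']}")
        if signin["asn"] not in b["asns"]:
            score += 2
            reasons.append(f"new ASN {signin['asn']}")
        if signin["device_id"] not in b["devices"]:
            score += 1
            reasons.append("new device")
    # MFA success does not lower the score: an AiTM proxy relays the prompt to
    # the real user, so the challenge is satisfied on the attacker's session too.
    if signin["mfa"] and score:
        reasons.append("MFA satisfied (not exonerating; possible AiTM relay)")
    return score, reasons


def triage(history, signins, threshold=4):
    baseline = build_baseline(history)
    alerts = []
    for s in signins:
        score, reasons = score_signin(s, baseline)
        if score >= threshold:
            alerts.append({"user": s["user"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in triage(HISTORY, NEW_SIGNINS):
        print(a["user"], a["score"], "; ".join(a["reasons"]))
```

The weights are a starting point, not a standard: the non-browser client alone should never be enough on its own (service integrations use these libraries legitimately), but combined with a single new property it should page someone, because that combination is exactly what a replayed session from a phishing proxy looks like.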

Suspicious Remote Command Execution and Lateral Movement Activity.

Detection: An incident was escalated indicating suspicious lateral movement and remote command execution on a device. The alert identified the 'SuspRemoteCmdCommand' behaviour detection associated with WMI process execution originating from an external IP address.

Investigation: Microsoft Defender for Endpoint (MDE) detected suspicious WMI-related activity involving the legitimate WmiPrvSE.exe process, running with its normal "-secured -Embedding" command line. WmiPrvSE.exe itself is a standard Windows component; the behaviour was flagged because of the associated SuspRemoteCmdCommand detection on what it spawned, suggesting remote command execution through WMI.

Shortly afterward, a secondary process executed via cmd.exe, running quietly to capture the output of the whoami command to a temporary file—an action typically associated with attacker reconnaissance following lateral movement. The event also correlated with a prior Lateral Movement Detected alert on the same host, reinforcing concerns of unauthorized remote execution.

During behaviour monitoring the threat was identified and terminated promptly. It was classified as Behavior:Win32/SuspRemoteCmdCommand.SA, operating within the WmiPrvSE.exe process.

Additional telemetry captured WUDFHost.exe activity near the same timeframe, indicating possible chained system operations triggered during the malicious sequence. Threat intelligence enrichment further validated risk indicators, as the external IP, and associated file hash were flagged by multiple security sources, supporting Defender’s classification of the activity as malicious.

Remediation Actions: The malicious process was blocked and terminated by Microsoft Defender. No further suspicious activity was observed. All identified IOCs were blocked. A full antivirus scan was performed across the host to ensure no residual malware components remained active.

Few security solutions log command-line activity by default. An enterprise EDR, or command-line auditing such as Sysmon Event ID 1 or Windows Security Event ID 4688 with "Include command line in process creation events" enabled, lets defenders and analysts see what is happening under the hood.
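
What that command-line telemetry lets you detect, as an added example (not Defender's logic and not code from the newsletter): it reads Sysmon Event ID 1 style process-creation records and flags a shell spawned by WmiPrvSE.exe, a discovery command such as whoami, quiet mode, and output redirected to an admin share or temp file, which is how a remote operator reads the result back. The records are constructed; the second one mirrors the command-line shape produced by wmiexec-style tooling, and the share name timestamp is made up.

```python
import re

# Constructed Sysmon Event ID 1 (process create) records; paths, user and the
# timestamp in the share name are made up.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-11-12 10:01:00.000", "User": "NT AUTHORITY\\NETWORK SERVICE",
     "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"UtcTime": "2025-11-12 10:01:03.000", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1731405663.14 2>&1",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"UtcTime": "2025-11-12 10:05:00.000", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

WMI_PROVIDER_HOST = "wmiprvse.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DISCOVERY_CMDS = ("whoami", "net user", "net group", "ipconfig", "systeminfo", "nltest")
# stdout/stderr redirected to an admin share or a temp file: the operator is
# collecting results remotely rather than watching a console.
REDIRECT_RE = re.compile(r"[12]?>\s*(?:\\\\[^\s\\]+\\admin\$|%temp%|[a-z]:\\windows\\temp)",
                         re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_process_event(ev):
    """Return a finding dict for a suspicious process-create record, else None."""
    parent, image = _basename(ev["ParentImage"]), _basename(ev["Image"])
    cmd = ev["CommandLine"]
    low = cmd.lower()
    reasons = []
    if parent == WMI_PROVIDER_HOST and image in SHELLS:
        reasons.append("shell spawned by WmiPrvSE.exe (remote WMI execution)")
    if any(c in low for c in DISCOVERY_CMDS):
        reasons.append("discovery command")
    if REDIRECT_RE.search(cmd):
        reasons.append("output redirected to admin share/temp file")
    if " /q " in f" {low} ":
        reasons.append("quiet mode (/Q): command echo suppressed")
    if not reasons:
        return None
    # A shell under the WMI provider host is the high-confidence signal; the
    # other indicators on their own are common in legitimate admin activity.
    severity = "high" if reasons[0].startswith("shell spawned") else "low"
    return {"time": ev["UtcTime"], "user": ev["User"], "severity": severity,
            "command": cmd, "reasons": reasons}


def triage(events):
    return [r for r in (analyse_process_event(e) for e in events) if r]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["severity"], r["user"], r["command"], r["reasons"])
```

The parent-child relationship is the part a plain antivirus cannot see: WmiPrvSE.exe with "-secured -Embedding" is normal on every Windows host, and cmd.exe running whoami is normal on an admin's desktop, but cmd.exe whose parent is WmiPrvSE.exe only happens when something executed a command through WMI.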

Threat Hunting

SecurityHQ's Threat Hunting team focused on hunting threats in the cloud: malicious or unauthorised activity within a cloud environment, mainly arising from compromised credentials, misconfigured permissions or exploitation of vulnerable services, and leading to potential privilege escalation, lateral movement and data exfiltration.

The objective of these hypotheses is to proactively detect, investigate, and respond to suspicious or unauthorized activities across cloud infrastructure that may indicate compromise, privilege escalation, data exfiltration, or other malicious behaviors — thereby reducing risk exposure and improving cloud security posture 

Notable Observations: Large-Scale Role Assumption & Privilege Probing: One of the customer environments showed an extremely high volume of AssumeRole operations, hinting at automation or scripted enumeration.

Key Observations:

  • Unknown external IPs performing API calls with repeated access denials.
  • Attempts to access sensitive resources or enumerate services.
  • Occasional rate-throttling events tied to high-volume API activity, suggesting automation.

Associated Risk: Likely indicators of scripted scanning, misconfigured integrations, or malicious reconnaissance.

EC2 & Compute Irregularities: Most environments showed no compute-based compromise activity, but a minority revealed abnormalities.

Key Observations:

  • Large EC2 instances running unexpectedly.
  • Rate-limiting and throttling events associated with compute services.

Associated Risks: No confirmed persistence, but compute resources are being probed or misused in some tenants.

Recommendations: Based on the combined threat landscape observed across all customers, the following global recommendations apply:

  • Enforce Strong Authentication Immediately.
  • Remove legacy IAM accounts where possible.
  • Restrict console access by IP through IAM conditions or network controls.
  • Harden IAM Roles & Reduce Privilege Exposure.
  • Limit access to Secrets Manager and KMS to essential roles only.
  • Lock Down S3 Storage by enabling Block Public Access globally.
  • Conduct a Global Access Key Audit.

Incident Response – Success Story

Incident Story: ASP.NET Machine Key Exploitation

One of SecurityHQ's customers recently faced a critical web server compromise originating from a long-standing weakness in Microsoft's ASP.NET framework. Threat actors have begun weaponizing publicly exposed ASP.NET machine keys, some of which have been available online since as early as 2003, to hijack Internet Information Services (IIS) servers and deploy malicious modules.

IR Observations: Attack Narrative
During the investigation it was discovered that threat actors exploited ASP.NET ViewState deserialization. With a publicly available machine key they could craft serialized ViewState data, a component used to maintain state information across web requests. Because the machine key is the cryptographic secret that authenticates and encrypts ViewState content, possessing it lets an attacker produce ViewState that passes MAC validation, so the server deserializes attacker-controlled data and executes arbitrary code, all without any authentication credentials.

Microsoft had previously identified over 3,000 exposed machine keys across open repositories, forums, and developer sites, creating a wide landscape of potential victims. Many of these keys belonged to applications built on .NET Framework versions prior to 4.5, which lack built-in protection against deserialization abuse. 

Impact Analysis

Once the IIS servers were compromised, attackers loaded malicious IIS modules to maintain persistence and intercept incoming HTTP requests. These modules enabled:

  • Command execution under IIS worker process privileges.
  • Credential harvesting from memory and web traffic.
  • Data exfiltration through legitimate web communications.
  • Possible lateral movement within the network via trusted server accounts.

The stealth of this method made detection difficult, as all activities appeared as legitimate IIS traffic and processes.

Root Cause

  • Use of outdated ASP.NET versions (< 4.5) lacking secure ViewState handling.
  • Disabled or weak MAC validation for ViewState integrity.
  • Reuse or exposure of machine keys in public repositories and code-sharing platforms.

Conclusion

The exploitation of legacy ASP.NET vulnerabilities through leaked machine keys highlights the persistent risk posed by long-standing insecure configurations and public code exposure. By promptly rotating keys, enabling validation, and upgrading to modern frameworks with AMSI support, an organisation can restore the integrity of its web applications and prevent future exploitation of this vector.
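
The three root causes and the key-rotation fix above, as an added example (not the customer's configuration or Microsoft's tooling): it audits a web.config for a target framework below 4.5, ViewState MAC disabled, a static machineKey, a validationKey whose SHA-256 fingerprint appears in a list of known-exposed keys, and a legacy validation algorithm; it then rewrites the config with fresh random keys and HMACSHA256. The web.config, the placeholder key and the exposed-hash set are constructed for the example; in practice seed the set from a hashed-key list of publicly disclosed keys. Note that on patched frameworks the MAC cannot be disabled, but a leaked key defeats MAC validation regardless, which is why rotation is the fix and not merely re-enabling validation.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Obviously fake placeholder (repeating pattern) standing in for a leaked key.
PLACEHOLDER_VALIDATION_KEY = "AB12" * 32
# Constructed web.config fragment for the example.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.0" />
    <pages enableViewStateMac="false" />
    <machineKey validationKey="{PLACEHOLDER_VALIDATION_KEY}"
                decryptionKey="{'CD34' * 16}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def key_fingerprint(key_hex):
    """SHA-256 of the upper-cased hex key, so configs can be compared against a
    published list of hashed keys without ever shipping the raw secrets around."""
    return hashlib.sha256(key_hex.strip().upper().encode()).hexdigest()


# Stand-in for a hashed list of publicly disclosed keys; seeded with the
# placeholder so the check fires in this example.
KNOWN_EXPOSED_KEY_HASHES = {key_fingerprint(PLACEHOLDER_VALIDATION_KEY)}


def audit_web_config(xml_text, exposed_hashes=KNOWN_EXPOSED_KEY_HASHES):
    root = ET.fromstring(xml_text)
    findings = []
    comp = root.find("./system.web/compilation")
    if comp is not None:
        try:
            version = tuple(int(p) for p in comp.get("targetFramework", "0").split(".")[:2])
        except ValueError:
            version = (0, 0)
        if version < (4, 5):
            findings.append("framework-below-4.5")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("viewstate-mac-disabled")
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        vk = mk.get("validationKey", "AutoGenerate,IsolateApps")
        if not vk.startswith("AutoGenerate"):
            findings.append("static-machinekey")       # fine if unique, fatal if shared
            if key_fingerprint(vk) in exposed_hashes:
                findings.append("validationkey-publicly-exposed")
        if mk.get("validation", "HMACSHA256").upper() in {"MD5", "SHA1", "3DES", "AES"}:
            findings.append("legacy-validation-algorithm")
    return findings


def new_machine_key_values():
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES decryption."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def rotate_machine_key(xml_text):
    """Return the config with MAC validation on and a brand-new machineKey."""
    root = ET.fromstring(xml_text)
    web = root.find("./system.web")
    if web is None:
        web = ET.SubElement(root, "system.web")
    pages = web.find("pages")
    if pages is not None:
        pages.set("enableViewStateMac", "true")
    mk = web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(web, "machineKey")
    vk, dk = new_machine_key_values()
    mk.set("validationKey", vk)
    mk.set("decryptionKey", dk)
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_web_config(SAMPLE_WEB_CONFIG))
    print("after: ", audit_web_config(rotate_machine_key(SAMPLE_WEB_CONFIG)))
```

Rotation on a web farm has to be done on every node at once (the key must match across the farm), and existing ViewState issued under the old key stops validating, so schedule it with a deployment; a rotated but still static key is reported as "static-machinekey" because the audit cannot tell whether it has been copied elsewhere, which is the question to ask next.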

Reference: https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/

Adaptive Defense: How Cloud App Policies Can Block Malicious User Agents
https://www.securityhq.com/blog/adaptive-defense-how-cloud-app-policies-can-block-malicious-user-agents/
Mon, 16 Jun 2025 09:57:58 +0000

The post Adaptive Defense: How Cloud App Policies Can Block Malicious User Agents appeared first on SecurityHQ.

Overview: Microsoft 365 Apps

Many organizations seek to block malicious user agents and prevent scripted or unauthorized programmatic access to Microsoft 365. Adversary-in-the-Middle (AiTM) attacks are on the rise, allowing attackers to intercept and forward authentication traffic in real time, even circumventing multi-factor authentication (MFA). A significant development is the adoption of malicious user agents, such as Axios, a JavaScript-based HTTP client, which attackers use to replicate browser activity and take over user sessions.

With these tools, attackers can:

  • Automate the collection of credentials and replay of sessions
  • Bypass basic browser fingerprinting techniques
  • Launch large-scale attacks with minimal manual effort

Although detection strategies like monitoring user-agent strings or identifying unusual geolocation patterns are available, there is a lack of comprehensive guidance on countering these specific threats. Conventional security measures often fail to detect axios-driven requests that closely resemble genuine user actions.

As a result, organizations are exposed to risks including:

  • Session hijacking, even when MFA is enabled
  • Challenges in distinguishing automated agents from real users
  • Ongoing unauthorized access after initial authentication

This blog underscores the urgent need to block malicious user agents through adaptive session policies and advanced behavior-based security in Microsoft 365

Prerequisites

  • Microsoft 365 E5 License – Required for Conditional Access App Control and MDCA session control
  • Microsoft Defender for Cloud Apps – Must be enabled
  • Admin Permissions – You must be an Admin or Security Admin in Entra ID (Azure AD)
  • Pilot Group – Recommended to test with a small group before full deployment

Step-by-Step Configuration

Enable Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps (MDCA) is a security tool that provides visibility and control over user sessions in SaaS applications. It acts as a reverse proxy when Conditional Access routes a user's traffic through it.

  1. Go to Microsoft 365 Defender Portal
  2. Navigate to:
    Settings → Microsoft Defender for Cloud Apps → Connected Apps → Conditional Access App Control apps
  3. Ensure Microsoft 365 apps are listed as in Fig. 3.1. If not, follow the steps in the next section (Fig. 3.2) to create the Conditional Access policy that routes requests through Defender for Cloud Apps.
Fig. 3.1 Conditional Access App Control Apps

Create Conditional Access for Route Traffic to MDCA

Conditional Access App Control sends the session through the MDCA proxy where session inspection happens. This is the foundation for blocking based on the User-Agent string.

Go to Azure Portal → Microsoft Entra ID → Conditional Access

Click + New Policy

Configure the following settings:

Fig 3.2 Conditional Policy

Save and apply the policy.

Trigger MDCA Session Routing (App Detection)

After the CA policy is active, the user must log into the app (e.g., Outlook) to trigger MDCA to detect and begin monitoring the app.

  1. Open a private/incognito browser window.
  2. Visit Outlook or Teams.
  3. Log in with a test account.
  4. Wait 1–2 minutes.
  5. Go to: Cloud Apps → Settings → Connected Apps → Conditional Access App Control apps
  6. Confirm that apps such as Office 365, Teams or Exchange appear as Monitored.

Note: If not detected, recheck your Conditional Access policy and retry in incognito mode.

Create MDCA Session Policy to Block Axios

This policy inspects live sessions and blocks any that match certain criteria — in this case, when the User-Agent string contains “axios”.

  1. In the MDCA portal, go to Control → Access policies → + Create policy
  2. Configure the following settings:

Click Create

This will block any Axios-based request to Office 365 apps.

Blocking malicious user agents is just one layer of a broader adaptive defense strategy. As attackers evolve, organizations must go beyond detection and adopt real-time controls that secure sessions, user identities, and cloud interactions.

Learn how to take your security strategy further with SecurityHQ’s Adaptive Defense Solutions, built to identify, contain, and respond to threats at every stage of the attack lifecycle.

6 Cloud Vulnerabilities to Look Out For
https://www.securityhq.com/blog/cloud-vulnerabilities-to-look-out-for/
Tue, 24 Sep 2024 15:36:35 +0000

The post 6 Cloud Vulnerabilities to Look Out For appeared first on SecurityHQ.

Most companies are highly dependent on cloud hosting for storage and computing. As much as it helps as a central storage and processing unit, the cyber risks associated with Cloud are on the rise.

This blog discusses 6 key vulnerabilities to look out for, and ways to enhance your security posture.

What are Vulnerabilities in Cloud?

In cloud computing, a vulnerability is a security weakness, often an oversight in configuration or code, that attackers can exploit to access, steal or intercept confidential information about your business and/or employees. They may also encrypt files and demand a high ransom in exchange for the decryption key.

A vulnerability is not the same as a threat; the terms are often used interchangeably, which is technically wrong. A threat is a potential source of harm that can cause severe consequences if not responded to in time. A DDoS (Distributed Denial of Service) attack is one such threat, where bad actors flood a network with malicious traffic so that an online service becomes unavailable for as long as the flood goes unmitigated. A vulnerability, on the other hand, is a security weakness that can be taken advantage of to gain unauthorised access or cause harm.

6 Top Cloud Vulnerabilities to Look Out For

Misconfigured Cloud Storage

Cloud storage is a goldmine for cybercriminals looking for data. Once they steal your data, they either use it themselves for attacking your business or sell it on the dark web. Thus, reviewing your cloud storage configurations is an important security measure.

Some cloud storage platforms are private by default while many are not. Make sure buckets and containers are private, with public access blocked at the account level where the provider supports it (for example S3 Block Public Access), so that only trusted identities can reach sensitive data. Also enforce encryption in transit (TLS) so data cannot be intercepted on the wire, and encryption at rest for stored objects.
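
A check for the misconfiguration above, which also serves the "Lock Down S3 Storage" recommendation in the November newsletter, as an added example (not SecurityHQ's tooling): it lints an S3 bucket policy for statements that grant access to everyone, treating a wildcard principal as public unless a condition actually narrows who the caller is. The policy is constructed; the account ID is the AWS documentation example and the organisation ID is a placeholder.

```python
import json

# Constructed bucket policy for the example; account ID is the AWS docs example.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnyoneOverTLS", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Condition keys that narrow *who* may call. Anything else (SecureTransport,
# UserAgent, date ranges...) constrains how, not who, and leaves the grant public.
PRINCIPAL_LIMITING_KEYS = {
    "aws:principalorgid", "aws:principalarn", "aws:principalaccount",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:sourcearn", "aws:sourceaccount",
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for v in _as_list(principal.get("AWS", [])))
    return False


def _condition_limits_principal(condition):
    for operator, kv in (condition or {}).items():
        if operator.lower().startswith("null"):
            continue                  # Null tests key presence, it does not restrict identity
        if any(key.lower() in PRINCIPAL_LIMITING_KEYS for key in kv):
            return True
    return False


def find_public_statements(policy_json):
    """Allow statements reachable by any AWS principal or anonymous caller."""
    policy = json.loads(policy_json)
    public = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(st.get("Principal")):
            continue
        if _condition_limits_principal(st.get("Condition")):
            continue
        public.append({"sid": st.get("Sid"), "actions": _as_list(st["Action"]),
                       "resources": _as_list(st["Resource"])})
    return public


if __name__ == "__main__":
    for p in find_public_statements(SAMPLE_BUCKET_POLICY):
        print(p["sid"], p["actions"], p["resources"])
```

The second statement is the one people get wrong: requiring TLS does not restrict who can read the bucket. The lint approximates the evaluation S3's own "public" determination performs; keep Block Public Access switched on at the account level as the authoritative control and use a check like this in CI to catch the policy before it is applied.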

Insecure APIs

An API or Application Programming Interface lets two unrelated software applications communicate with each other. Here, the term ‘interface’ is used for the contract of service between these two sets of software, which tells how the information will be exchanged.

Because APIs expose sensitive functions and data, they are a natural target for cybercriminals. Authenticate API calls with short-lived tokens rather than passwords, so that credentials are not exposed in every request and a leaked token has a limited lifetime.

All the APIs should undergo continuous asset discovery as a part of the vulnerability management exercise. This helps detect cloud vulnerabilities which you can remediate before it’s too late.

Poor Access Management

Identity and access management (IAM) covers the steps a user must take to access software and cloud applications, and what they are allowed to do once in. You can reduce vulnerabilities in these steps with multi-factor authentication, allowlisting, blocklisting and the principle of least privilege.

Lately, cloud platforms require users to create strong and unique passwords including a certain character length, and a combination of uppercase letters, lowercase letters, special characters, and numbers.

Data Compliance and Privacy Concerns

Companies are subject to data compliance and privacy laws, which means they must meet the regulatory standards for cloud computing that apply to their industry. Some of the most well-known regulations and standards include the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS) and the California Consumer Privacy Act (CCPA).

Under the shared responsibility model, you as the customer are responsible for your own security controls. For example, if your password is weak or reused across accounts and it gets stolen, the cloud service provider is not at fault.

You must choose a cloud service provider that uses the best security tools to protect your data. Look for features like access management, intrusion detection and prevention, traffic monitoring, etc. 

Account Hijacking

Account hijacking is when threat actors take over your account, usually by stealing its credentials or an authenticated session token (session hijacking). Some common techniques are:

  • Keylogging: Software that records user activity, including typed login credentials, and sends it back to the attacker.
  • Brute Force Attack: Attackers guess passwords by trial and error, which is why easily guessable passwords such as a pet's name, street name or favourite coffee shop should be avoided.
  • Cross-Site Scripting (XSS): Attackers inject malicious script into a web page that the victim's browser then executes; the script can steal session cookies or tokens, or act on the user's behalf inside the application.

Malicious Insiders

Humans are the weakest security link. Employees, third-party vendors, and business partners can breach data or cause other cloud security issues knowingly or unknowingly. You need to establish strong policies against such acts to stay protected. Moreover, restricting access to critical files to only trusted people and conducting audits will help.

How to Manage Cloud Vulnerabilities?

Cloud vulnerabilities are ever emerging and managing them should be your priority.

There isn’t a one-size-fits-all solution to cybersecurity; you need to devise strategies as per your IT structure and vulnerability nature. Observe how your company’s risk posture changes, and alter your approach accordingly.

SecurityHQ’s vulnerability management service is designed to detect, classify, and contextualize vulnerabilities. With flexible patching days your operations aren’t disrupted.

To speak with an expert, contact the team here.

De-risking the VMware Dilemma. Don’t let Software Paralysis Stop your Security!
https://www.securityhq.com/blog/de-risking-the-vmware-dilemma-dont-let-software-paralysis-stop-your-security/
Tue, 16 Jul 2024 09:01:58 +0000

The post De-risking the VMware Dilemma. Don’t let Software Paralysis Stop your Security! appeared first on SecurityHQ.

Broadcom’s recent acquisition of VMware has been a significant step in their plan to build a multimillion-pound, multi-cloud strategy. But this acquisition has left many businesses across the globe feeling rushed to decide their future cyber security strategies, unsure on where they stand with regards to compliance and security practices, and without direction to maintain the smooth running of their operational systems.

Hock Tan, President and Chief Executive Officer of Broadcom released a blog highlighting that:

‘VMware Cloud on AWS is no longer directly sold by AWS or its channel partners. […] Customers who have active one or three-year subscriptions with monthly payments that were purchased from AWS will continue to be invoiced by AWS until the end of their term.’ – Hock Tan, CEO, Broadcom

This change has caused significant trust issues for companies who put their faith in this service. In addition to elements like higher prices, as well as less flexibility, SecurityHQ have noted the global impact.

‘What we are seeing with customers, and in business in the market across the globe, is that everybody is struggling with the same issue. Companies are feeling powerless and concerned with significantly increasing renewal prices. The market has seen this transition before with Broadcom’s acquisitions, and the way they integrate those acquisitions into their business model. We want to let VMware customers know that they have other options by working with SecurityHQ.’ – Shane Eliason, Cloud Sales Lead, SecurityHQ

SecurityHQ have seen cases where VMware prices have risen significantly. And companies are struggling to figure out how to de-risk their current VMware situation.  They currently have three options:

  1. Accept price increases and new subscription model at renewal
  2. Move to competing hypervisor (Nutanix, Hyper-V for instance)
  3. Migrate to the cloud (AWS, Azure, GCP)

To add more pressure, CISOs have a limited time to decide on the correct course for their organisation, as this was not a planned event.

  • First, companies need to determine if these options are as mature as VMware.
  • Second, companies in specific industries, such as manufacturing, have unique requirements where the Cloud might not work for them.
  • Third, business in specific industries, such as Life Sciences, must ensure watertight compliance.

An Alternative and Cost-Effective Solution

This VMware issue will continue to be a problem for the next two years at least, depending on the renewal date, and it is impacting everyone.

  • 92% of Fortune 1000 customers run on VMware (IDC)
  • 85M virtual machines still on-premises (VMware Explore 2022)
  • $24B total addressable spend for VMware (IDC)

If this is a challenge that you and your company are trying to solve right now, SecurityHQ would love to have a call with you. We offer a powerful, attractive, and flexible financial model, that is budget friendly to budget neutral to get you migrated to AWS quickly and easily.

To know more, drop us a message, here

Beyond Passwords: Exploring Advanced Authentication Methods  https://www.securityhq.com/blog/beyond-passwords-exploring-advanced-authentication-methods/ Tue, 27 Feb 2024 10:18:22 +0000 https://www.securityhq.com/?p=10491 To enhance password protection, new methods of authentication have been formed. In this article, observe how an over-reliance of traditional password protocols has led to the birth of advanced authentication methods.

Why New Authentication Methods are Needed

The password manager NordPass has reported that the average person has around 100 passwords for their online and offline technology. Today, everything about someone’s life can be considered protected by a password.

In the last 10-15 years, the use of Two Factor Authentication (2FA) has become more common, originally using RSA tokens and later SMS OTPs (One-Time Passwords) and mobile authentication applications. In theory, 2FA prevents a discovered password from granting access to sensitive information, by requiring a second factor of authentication to block unauthorised access. Whilst this is effective, there are flaws, with SMS OTPs being susceptible to interception and man-in-the-middle (MITM) attacks.

To enhance password protection, new methods of authentication have been formed. In this article, observe how an over-reliance of traditional password protocols has led to the birth of advanced authentication methods.

Token-Based Authentication & Passwordless Authentication

Hardware tokens are small devices that look like USB drives. RSA SecurID commanded over 70% of the two-factor market in 2003 and was seen as the ultimate step in hardening authentication. Tokens became commonplace in the finance and defence sectors. This cornering of the market created a leviathan out of RSA, until March 2011, when the company fell victim to a targeted phishing attack leveraging a malicious Excel file, which in turn exploited a vulnerability in Adobe Flash, leading to the use of the Poison Ivy RAT (Remote Access Trojan) to gain access. This supply chain breach impacted multiple seemingly secure businesses in the process.

Afterwards, software tokens and authentication apps came to the fore. The rise of smartphones and faster mobile data meant that a 60-second software key in a smartphone app was now considered the modernised ‘something you have’ factor in MFA.

Great work has been done by the FIDO Alliance in creating FIDO2, which enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. Pivoting to a decentralised, possession-based credentialing system means that there is no central store of authentication secrets. In the process, the use of biometrics moved authentication away from vulnerable SMS OTPs and from Active Directory’s gold mine of password hashes in Ntds.dit.

The rise of software tokens, alongside biometrics such as fingerprints, led to the development of the concept of passwordless authentication, which makes use of MFA, without the factor of a password.

Challenges and Considerations & Steps for the Future

‘Logging in’ to a computer, a practice that has existed for over 60 years, is now at a crossroads, as password protocols must get smarter to stay secure. What this boils down to is comprehensive user training, with a new employee being onboarded not with a new password, but with a fingerprint scan, a mobile phone, and even a hardware token. Readers who have spent time on the helpdesk can already see the inevitable concerns and questions that will arise from such practices and be expected to answer why a new employee can’t log in with the name of their dog accompanied by the year they were born.

Looking forward, continuous development and innovation in the industry will eventually see the humble password become obsolete. Whether iris scans replace this, or using hardware tokens will be the preferred options, remains to be seen. One thing is certain, that the service desk will still be inundated with authentication issues, and this time, they will find themselves tracking down lost hardware tokens, and re-installing authenticator apps in the process.

To learn more about password protocols, read this blog.

Charged Risks: Vulnerabilities in Electric Vehicle Charging Infrastructure Exposed https://www.securityhq.com/blog/charged-risks-vulnerabilities-in-electric-vehicle-charging-infrastructure-exposed/ Wed, 31 Jan 2024 09:57:13 +0000 https://www.securityhq.com/?p=10349

The Electric Vehicle (EV) industry has hit full speed, with the UK government pledging that all new cars will be zero emission by 2035. According to the European Environment Agency, the European bloc has followed suit, with 22% of passenger vehicles being electric in 2022.

Home Charging Issues

The image below shows one of the most popular EVs being charged with a generic home charger, and reveals the vulnerable SNMPv1 protocol in use (the MAC address has been redacted). A low-skilled malicious actor could use this information to initiate a Denial of Service (DoS) or attempt to modify the internal systems of the car.

Vulnerable SNMPv1 Protocol, SecurityHQ

Whilst EV manufacturers have stressed that their cars are secure, the use of such protocols is indicative of a reactive approach to cybersecurity, patching vulnerabilities when found, as opposed to being secure by design. The use of a protocol invented in the 1980s in a car that is widely seen as the future of human transport, sets a less than perfect precedent.

With EVs leading the way to a greener future, many insiders in the industry have raised the alarm about the inherent vulnerabilities and implications of having vehicles which are not just ‘smart’ and ‘networked’, but in fact, an entire auto industry hooked up to a global network that has already been the target of malicious actors across the globe.

Issues with Moving Forward Safely

Many EV manufacturers publicise their bug bounties, which is a step in the right direction. As more and more businesses understand the inherent cyber risks of operating in this space, such operational practices will inevitably lead to strategic changes in risk appetite and cyber attitudes. However, the prevalence of overarching NDAs and a rapid development cycle have led to several key flaws becoming apparent.

Primary Mode of Transport

The first consideration is that a fleet of EVs becoming the primary mode of transport would completely overhaul the traditional petrol station infrastructure that has been commonplace for decades. Instead, scores of electric charging stations will become the norm, with EV drivers ‘charging’ their tanks instead of filling them up. This would comprise a large network of cloud computers building a ‘grid’ of EV chargers across the world.

Many of these grids would be owned and operated by separate entities, with budgetary factors being the driving force behind security decisions. The Colonial Pipeline breach of 2021, which cut over half of the fuel supply to the American East Coast, illustrated how damaging breaches of core infrastructure can be, and this would only be multiplied if such an attack were to impact a more interconnected and less secure global asset.

Centralised Store for all Crucial Data

Many readers may already have concerns about a highly centralised store of all automobile information, with encryption keys for vehicles and payment information. Such a glut of sensitive information being held in an emerging industry underpins the importance of secure design. 

Exposure to Nation State Threats

A co-ordinated nation-state attack triggering a DDoS is no longer the work of science fiction; with an entire electrical grid being networked and partially exposed over the internet, Nation State Actors will keep on monitoring for vulnerabilities, and take advantage of these when found.  

Internal Impact of Operational Technology

Networked Operational Technology (OT) impacts businesses and consumers alike: offices in the EU have started to install dedicated chargers outside their buildings, connected to a part of their corporate network. This can, of course, be used to pivot into an internal closed network, and several home users have already reported their home Wi-Fi being hacked and financial information stolen after installing a home EV charger.

Enabling Better Cyber Security for Electric Vehicles

The inevitable data privacy concerns that come with having personal user data residing on business networks, which can never be considered truly secure, may become a regulatory headache for risk officers. Many enterprises will need to seriously consider if such ‘green’ infrastructure may bring their company more harm than good.

A penetration test aimed at identifying any potential risks posed by these emerging technologies would certainly be the first step. Navigating the regulatory concerns that this will likely raise is something businesses must also consider.

There are many EV charging companies, who provide environmentally friendly infrastructure, in an emerging market globally. But if breached, it is likely that this will not only impact consumer confidence in their business, but perhaps in the EV revolution itself.

Next Steps

At SecurityHQ, we understand the complex and critical infrastructure of the industry. Our Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence, focused on researching emerging threats and tracking the activities of threat actors, ransomware groups and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

If you want to identify and protect your business from prevalent cybersecurity threats, schedule a consultation with our experts today.

QR Code Vulnerabilities: Dissecting New Techniques Seen in the Wild https://www.securityhq.com/blog/qr-code-vulnerabilities-dissecting-new-techniques-seen-in-the-wild/ Wed, 18 Oct 2023 10:04:21 +0000 https://www.securityhq.com/?p=9384

SecurityHQ analysts have recently observed a significant increase in Business Email Compromise (BEC), in the form of phishing attacks containing QR codes (quishing) and CAPTCHAs for credential harvesting.

This blog aims to highlight the sophisticated nature of this attack, to explain the technical aspects of session abuse, and to cover its prevention.

What is Quishing?

In the ever-evolving landscape of cybercrime, threat actors are constantly discovering new methods and using them to target organisations. One such emerging threat is known as ‘quishing’, or QR code phishing. Quishing attacks usually occur via the scanning of a QR code: the technique involves tricking an organisation’s users into scanning a QR code with a mobile phone, which then redirects the user to a phishing or fake website that aims to steal their credentials.

Why Are QR Codes Being Used?

In the past, attackers used various types of URLs and attachments to deliver phishing emails. But, due to advanced email gateway security controls, bypassing the email gateway is no longer an easy task.

One of the main reasons threat actors choose QR codes is that they are the simplest way to force a user to move from a desktop or laptop to a mobile device, which usually has no anti-phishing protection. Additionally, QR codes have multiple advantages over a phishing link embedded directly in an email.

Another reason is that these phishing emails easily get through email security gateways, because current email gateway sandboxes are not able to scan a QR code and give a verdict on whether it is phishing. Attackers are taking advantage of this lack of inspection and are increasingly targeting users with the QR code phishing technique.

How Do Quishing Attacks Work?

The attack begins with an email claiming that the recipient must take action to update or view their organisational account settings. These emails carry PNG, JPEG or GIF images, or other attachments, containing a QR code, and the recipient is prompted to scan it to verify their account. The emails also convey urgency to act within 2-3 days, with subject lines such as “Urgent”, “Important” or “2FA”, and lure the user with themes such as ‘salaries’, ‘increments’ and ‘appraisals’.

The QR codes in this campaign also use redirects through well-known domains such as Baidu, GoDaddy and IPFS URLs to send the targets to a Microsoft 365 phishing page and evade security controls.

Figure 1 IPFS URLs Used in the Phishing Attacks.

The redirect destination is hidden inside the URL using base64 encoding, which helps the attackers evade detection and get through email protection policies.
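The base64 trick described above can be unwrapped mechanically during triage. The following is an added example (not SecurityHQ’s tooling) that decodes hidden http(s) destinations from query parameters and follows nested redirectors; all domains in it are constructed placeholders.

```python
"""Unwrap a redirect URL whose real destination is base64-encoded in a query
parameter. Added example, not SecurityHQ's code; the sample domains below are
constructed placeholders, not real redirectors or phishing hosts."""
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlparse


def _decode_b64(value: str) -> Optional[str]:
    """Return decoded text if `value` is valid base64 (standard or URL-safe), else None."""
    raw = unquote(value).strip().replace("-", "+").replace("_", "/")
    if len(raw) < 8:                      # too short to hold a URL
        return None
    padded = raw + "=" * (-len(raw) % 4)  # padding is often stripped in the wild
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def hidden_destinations(url: str) -> list:
    """Return every http(s) URL found base64-encoded in the query string of `url`."""
    found = []
    for _, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        text = _decode_b64(value)
        if text:
            parsed = urlparse(text)
            if parsed.scheme in ("http", "https") and parsed.netloc:
                found.append(text)
    return found


def is_offsite_redirect(url: str) -> bool:
    """True when a hidden destination leads to a host other than the redirector itself."""
    outer_host = urlparse(url).netloc.lower()
    return any(urlparse(d).netloc.lower() != outer_host for d in hidden_destinations(url))


def unwrap_chain(url: str, max_hops: int = 5) -> list:
    """Follow nested hidden redirects and return the chain of hops starting at `url`.
    Stops when a hop carries no hidden destination or max_hops is reached."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = hidden_destinations(chain[-1])
        if not nxt:
            break
        chain.append(nxt[0])
    return chain


def build_sample_chain() -> tuple:
    """Constructed two-hop sample: 'clean' redirector -> second redirector -> login page."""
    def wrap(dest: str) -> str:
        return base64.urlsafe_b64encode(dest.encode()).decode().rstrip("=")
    inner = "https://login-m365.phish.example/common/oauth2"
    mid = "https://cdn-redirector.example/go?target=" + wrap(inner)
    outer = "https://redirector.example/redirect?session=abc123&u=" + wrap(mid)
    return outer, mid, inner


if __name__ == "__main__":
    first_hop, _, _ = build_sample_chain()
    for hop in unwrap_chain(first_hop):
        print(hop)
```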

Figure 2 Screenshot of URL Using IPFS for Redirection & Impersonating Fake O365 Login Page.

After the credentials are entered, they are sent to a newly created random 34-character domain, and with this information the user’s account is compromised.

Figure 3 Payload Containing the Actual Phishing URL.

Scenario 1:

An email claiming to be from Microsoft app support asking the recipient to reauthenticate the 2FA to avoid being locked out (stating urgent action required).

Figure 4 Sample 1: Email Containing QR Code Impersonating Microsoft.

Scenario 2:

An email appearing to come from the organisation’s document store tricks users into viewing their updated salary increase, specifically asking them to scan the QR code with a smartphone camera, which evades the security controls on the workstation or laptop.

Figure 5 Sample 2: Email Containing QR Code Impersonating the Organisation’s Doc Share.

What is a MiTM Attack?

A ‘Man in the Middle’ (MiTM) attack is one where a malicious actor eavesdrops on the communication between clients and a legitimate server. In phishing, attackers now use newly built phishing kits available on the Dark Web, such as Evilginx, with a reverse proxy used to intercept email addresses, credentials, Multi Factor Authentication (MFA) codes and session cookies.

We have observed that this attack technique uses cloud services to host the phishing servers, which are not sandboxed by the majority of email gateways and/or are hosted on reputable cloud service providers, according to threat intelligence.

How Does the MiTM Phishing Attack Work?

Assume that the email has been delivered to the end user’s Inbox folder and that the user has clicked on the URL.

Figure 6 AiTM Phishing Progress. Source: Microsoft.

The malicious emails contain a URL hosted on Google Docs, which has a clean reputation, so email gateway sandboxing will not categorise such URLs as phishing. This redirects to a phishing domain hosting credential-harvesting authentication forms behind Cloudflare CAPTCHAs.

Figure 7 Google Servers Hosting Original Email URL.
Figure 8 Screen Showing Phishing Sites Hosted on CloudFlare.
Figure 9 Phishing Page Identified Only Through URL Domain.

With the new techniques provided by phishing kits, the login page appears to be a genuine Microsoft portal; the URL domain is the only identifier in such scenarios. To understand how this attack intercepts the traffic between client and server, the Fiddler Classic tool was used as a proxy, as shown in the figures below.

While simulating, SecurityHQ analysts tried entering a wrong username for the M365 login, but the phishing page validates the entered information against M365 through its API in the background and only allows redirection if it is valid. So, unless the login URL is reviewed, the end user experience is identical to the genuine M365 login.

Figure 10 Image Depicts Incorrect Username Being Checked Against Microsoft Servers from Phishing Site.
Figure 11 API Usage for Username Verification on Phishing Site.

To appear genuine, the phishing server fetches the M365 company branding from the M365 servers as bait, giving the end user the feeling that they are logging into the legitimate portal. In Fiddler, we observe a GET request towards the ‘aadcdn’ domain fetching the tenant branding image.

Figure 12 Company Branding to Showcase Legitimacy to End Users.
Figure 13 HTTP Queries Towards ‘aadcdn’ Which is a Microsoft Owned Domain for Company Branding Images.

After the credentials are entered, they are posted in cleartext to the phishing server, which then submits them to the M365 AAD servers on the attacker’s behalf.

Figure 14 Cleartext Password Being Posted Towards Phishing Server for MiTM Attack.

The MFA prompt is the next step in the login flow. Notice the difference between the legitimate method used by M365 for my tenant, which is the Authenticator app code, and the phishing server, which uses the other authentication methods, such as Text or Call to the number registered for the test account.

This confirms that the phishing server is acting as a proxy: the authenticator code is submitted to M365 to get a session assigned to the end user.

Genuine MFA Prompt:

Figure 15 Official M365 Login Page Prompts for Phone OTP as Authentication Method.

Malicious Page MFA Prompt:

Figure 16 Phishing Page Prompts for Text or Call MFA Codes Towards Genuine Mobile Number Registered with M365.

For the simulation, SecurityHQ used the Text code and received it from Microsoft servers via SMS, suggesting to the end user that this is a legitimate M365 page. After this, the session cookie is issued by the M365 server to the attacker. This session cookie can be captured and injected into any browser for persistence. The diagrams below depict how a session cookie normally appears in the browser and how its injection works from an attacker’s perspective.

Figure 17 Types of Cookies from M365 Login Page.

Under ESTSAUTHPERSISTENT we have the cookie value, which is valid for 3 months for one session.

Figure 18 Persistent Cookie Value and Expiration 3 Months from Login Time.

Here the legitimate M365 login page is accessed on a different machine in order to inject the session cookie.

Figure 19 Injection Session Cookies for Persistence.
Figure 20 Injection of Cookie through Inspect Option on the Browser.
Figure 21 Depiction of Cookie Added to Application Option on Browser.

Below, the required cookie is manually added, and then the same page is refreshed.

Figure 22 Manually Adding New Cookie for Persistence on M365 Official Login Page.

After refreshing the page, the login works, bypassing MFA and security controls, and the attacker is able to log in to the same Office home application without MFA.

Figure 23 Persistent Cookie Being Added Manually.
Figure 24 Successful Sign In.

Once the attacker obtains the session cookies issued by M365 for the account, the user lands on a webpage showing an error prompt stating that the login failed, while the attacker logs on on the user’s behalf. M365 has captured the session cookies, and in the Azure AD sign-in logs a login is observed from a USA IP.

Figure 25 Landing Page After Attacker Gets Session Cookie from M365.
Figure 26 M365 Audits Logs Depicting Attacker Successful Logins.

Mitigations

  • Implement detection use cases to monitor and alert on login anomalies. SecurityHQ solutions have multiple layers of use cases that can detect and respond to such anomalies, reducing dwell time.
  • Ensure email and web gateway policies are hardened to block such innovative phishing attempts.
  • Create awareness among users of ever-evolving phishing tactics, and stay up to date on the new campaigns seen in the wild.
  • Implement conditional access policies that do not allow logins from non-compliant hosts, non-business locations and unusual user agents. In case of credential leakage, these conditional access policies will help prevent successful logins by attackers.
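As an added example of the first and last mitigations (not SecurityHQ’s detection content), the following runs two checks over constructed sign-in records: reuse of an MFA-backed session from a new IP, as in the cookie replay described above, and sign-ins that a conditional access policy would have blocked. The record layout is a simplified stand-in, not the actual Azure AD sign-in log schema.

```python
"""Login-anomaly checks for the session-cookie replay described above.
Added example, not SecurityHQ's detection content. The records below are
constructed, and their field names are a simplified stand-in for a real
Azure AD sign-in log export."""
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    {"time": "2023-10-02T09:00:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "GB", "session_id": "S1", "mfa": "satisfied", "compliant": True,
     "user_agent": "Edge/118 Windows"},
    # Same session id reused 12 minutes later from another country, browser and
    # an unmanaged device, without a fresh MFA: the cookie-replay pattern.
    {"time": "2023-10-02T09:12:00", "user": "alice@example.com", "ip": "198.51.100.7",
     "country": "US", "session_id": "S1", "mfa": "none", "compliant": False,
     "user_agent": "Chrome/117 Linux"},
    {"time": "2023-10-02T09:30:00", "user": "bob@example.com", "ip": "203.0.113.22",
     "country": "GB", "session_id": "S2", "mfa": "satisfied", "compliant": True,
     "user_agent": "Edge/118 Windows"},
]

BUSINESS_COUNTRIES = {"GB"}           # assumed tenant locations
COOKIE_LIFETIME = timedelta(days=90)  # matches the 3-month persistent cookie noted above


def _when(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["time"])


def detect_session_replay(records: list, lifetime: timedelta = COOKIE_LIFETIME) -> list:
    """Alert when a session id first seen in an MFA-satisfied sign-in is later used
    from a different IP without a fresh MFA, within the cookie lifetime."""
    alerts = []
    first_seen = {}  # session_id -> the sign-in that established the session
    for rec in sorted(records, key=_when):
        sid = rec["session_id"]
        origin = first_seen.get(sid)
        if origin is None:
            if rec["mfa"] == "satisfied":
                first_seen[sid] = rec
            continue
        age = _when(rec) - _when(origin)
        if rec["ip"] != origin["ip"] and rec["mfa"] != "satisfied" and age <= lifetime:
            alerts.append({"rule": "session_reuse_new_ip", "user": rec["user"],
                           "session_id": sid, "origin_ip": origin["ip"],
                           "new_ip": rec["ip"],
                           "minutes_after": int(age.total_seconds() // 60)})
    return alerts


def conditional_access_violations(records: list, business_countries: set = BUSINESS_COUNTRIES) -> list:
    """Flag sign-ins a conditional access policy as described in the mitigations would
    block: non-compliant host, non-business location, or a user agent not previously
    seen on a compliant, MFA-satisfied sign-in for that user."""
    violations = []
    known_agents = {}  # user -> user agents seen on trusted sign-ins
    for rec in sorted(records, key=_when):
        reasons = []
        if not rec["compliant"]:
            reasons.append("non_compliant_device")
        if rec["country"] not in business_countries:
            reasons.append("non_business_location")
        seen = known_agents.setdefault(rec["user"], set())
        if seen and rec["user_agent"] not in seen:
            reasons.append("unusual_user_agent")
        if rec["compliant"] and rec["mfa"] == "satisfied":
            seen.add(rec["user_agent"])
        if reasons:
            violations.append({"user": rec["user"], "ip": rec["ip"], "reasons": reasons})
    return violations


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_SIGNINS):
        print("ALERT", alert)
    for violation in conditional_access_violations(SAMPLE_SIGNINS):
        print("CA BLOCK", violation)
```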

Speak with a SecurityHQ analyst to learn more, here.

Cybersecurity in Aviation – Head in the Clouds? https://www.securityhq.com/blog/cybersecurity-in-aviation-head-in-the-clouds/ Mon, 10 Jul 2023 08:35:36 +0000 https://www.securityhq.com/?p=8680

The aviation industry has expanded exponentially in the last few decades. Air travel is an integral part of the professional and private lives of the global population. Inevitably, with such large growth, the industrial advancements bring a plethora of cybersecurity requirements.

Sustainability and security are this year’s key focuses within the industry, and with good reason. The upcoming 3-day 2023 Paris Airshow boasts ‘developments in the global aerospace and defence industry, including new orders and partnerships […] for a safe and united world’, even as cyber-attacks against the industry have increased. Recently we have seen a surge of attacks like the one against British Airways (BA) only last month (June 2023), in which the Clop ransomware group targeted the organisation through the MOVEit file transfer software.

But how are threat groups able to interrupt and impact global organisations with significant financial backing within the industry? Within the sector, the use of multiple interconnected systems has shifted what was once a ticket and payment card process into an end-to-end digital air travel journey. From the moment a ticket is booked, passports are screened, payment information is interrogated and the extensive airport security process uses technology that once seemed like science fiction; right up to the cockpit, systems are completely interconnected. But have these meteoric advancements within the industry outrun the security of the technology it uses? This leads us to the current void in cybersecurity in aviation, concerning the following three elements:

  1. A growing cybersecurity knowledge gap in the industry.
  2. The existence of multiple regulations, making it difficult to adapt the speed of new regulations to the quickly evolving threat landscape.
  3. Multiple stakeholders, with their data flows constantly back and forth between numerous internal and external systems, leading to regulatory headaches for decision makers.

Supply Chains and Third-Party Risks

Third-party vendors are often used to provide critical infrastructure, services, and software to aviation companies, comprising elements of the industry such as flight planning, maintenance, digital infrastructure and solutions, and navigation systems, to name a few. Any compromise of these vendors can have severe consequences, including disruptions to air traffic, loss of sensitive data, and potential safety risks.

These can also have a rippling effect, with one supply chain compromise impacting multiple businesses and customers at a time.

The 2019 data breach of Cathay Pacific, a Hong Kong-based airline, illustrates this. In this attack, malicious actors gained access to the airline’s systems through a third-party vendor and stole sensitive information, including passport and credit card numbers from millions of passengers. This can then be used to develop large scale phishing campaigns, conduct identity fraud, and pivot to further attacks on individuals, not to mention the regulatory impact this had on the airline.

The industry must take proactive measures to address cybersecurity third-party risks and supply chain attacks, and guard against becoming reactive to these threats. This means implementing strict security protocols, conducting regular audits of third-party vendors, and ensuring that all aviation systems and related infrastructure are hardened and secure from potential attacks.

Why EPP, Vulnerability Management, and Threat Intelligence is Vital to the Aviation Industry

It is important for all operations in the aviation industry, and third parties, to have in place the right combination of security measures. Endpoint Protection, Vulnerability Management as a Service, and Threat and Risk Intelligence are crucial elements that all airports need, to safeguard against the latest cyber risks targeting the industry.

  • Managed Endpoint Protection (EPP) allows any threats targeting a large environment to be prevented and contained, mitigating any potential damage.
  • A Vulnerability Management as a Service (VMaaS) offering can ensure that your digital estate is never left exposed to malicious actors and is protected and always hardened.
  • Threat and Risk Intelligence (TRI), means artifacts and intelligence from the Dark Web can be used to give early warning signs, take preventative actions, and even track down the advanced threat actors targeting you, before they even have a chance to launch an attack.

An MSSP can help alleviate cyber security issues within aviation by providing the necessary expertise to bridge the knowledge gap, assist with regulatory compliance, and streamline data management across the organisation, ultimately improving the overall cybersecurity posture.

Cybersecurity Managers, Incident Responders and Analysts provide a best-in-class service. SecurityHQ’s CSMs and Analysts are highly certified, coming from infrastructure, network and development backgrounds, and can cover every area of an extensive technology stack. With 24/7/365 Global SOCs, incident response is provided around the clock, meaning you are never without protection from malicious actors.

To speak with one of our experts, get in contact here.

8 Top Tips to Improve Your Cloud Security [Infographic] https://www.securityhq.com/blog/top-tips-to-improve-your-cloud-security/ Thu, 22 Jun 2023 12:15:30 +0000 https://www.securityhq.com/?p=8534

Most of us use Google Drive, Dropbox, Apple iCloud or Amazon Web Services. But with so many vulnerabilities in the cloud, how do you ensure that your important data stays safe?

Here are our top tips to keep in mind when securing your data!

Tips to Improve Cloud Security Infographic.

Be Careful Where You Upload Data

Especially confidential data like financial details and PII should not be uploaded on public storage platforms. Upload such data on a secure storage where you have a password protected account, with MFA enabled.

Don’t Upload Credentials

No matter how secure the cloud storage, avoid uploading your username and password for accounts. Use a password manager software to securely store your credentials.


Encrypt Your Data

Encrypt your files before uploading them to the cloud. If you use Microsoft Office, go to File > Protect Document > Encrypt with Password. Similarly, you can encrypt documents you create on Google Drive by clicking New > Blank encrypted document / spreadsheet / presentation > Create.

Restrict User Permissions

All cloud storage platforms have permission settings for documents. While sharing documents, enable restrictions so that only the concerned person has access to the document, disable editing if you do not wish for anyone to edit your document.

Follow Password Protocols

Use random passphrases of at least 15 characters, mixing capital and lower-case letters, numbers and special characters. Change your passwords at least once every 45 days, and do not reuse passwords across your accounts.

Monitor Auto-sync to Cloud

Ensure that your auto-back up is up to date. Delete redundant files, since most cloud platforms also have storage space restrictions. Be careful that your files aren’t auto synced to any linked account that may be public facing.

Back-up Your Back-up

Even with cloud storage, there is a risk of losing files and data. Make sure you have more than one secure back-up of the data stored on cloud platforms. For example, if you have files on Apple iCloud, ensure you also back them up on Google Drive.

Avoid Accessing Files from Unknown Devices

If you share a computer or borrow one from a friend or colleague, sign out of your Google Account when you’re done. Don’t install Backup & Sync or Drive File Stream on a shared or public computer. Anyone who uses the computer could access your files.

Note: Please adhere to data storage and back-up policies for your work-related data, as stipulated by your organisation. Do not back-up or copy your work-related data to your personal storage platforms.

How to Enhance Data Security for Business – A Checklist https://www.securityhq.com/blog/how-to-enhance-data-security-for-business-a-checklist/ Tue, 21 Mar 2023 20:17:31 +0000 https://www.securityhq.com/?p=8166

The CIA security triad stands for Confidentiality, Integrity, and Availability. The purpose of this security model is to highlight three crucial areas of cyber security, to guide organisations on their journey to enhance their cyber security posture and, in doing so, their data security.

Confidentiality – A set of rules that limits access to data, and grants access to those approved. It keeps information private.

Integrity – Knowing that the information provided is trusted and accurate and cannot be altered or moved by the wrong people.

Availability – The right people should consistently have access when needed.

The CIA triad is crucial to enhance a business’s overall security posture. It is also necessary to stay compliant with security rules and regulations. Despite many security teams advertising complete cyber security, the reality is that cyber security is a continual process, not a one-off activity, that takes a trained team of cyber security analysts, the best technology, the right processes, and the willingness from all members to enhance their security posture, to defend against the ever-growing threat landscape.

What is Managed Data Security?

Managed Data Security is a method used to govern and control integration with IT management and additional security solutions. That way data protection is comprehensive and clear for all. It is used to protect business assets, including both structured and unstructured databases and traffic, as well as to prevent data leaks, and to maintain compliance across multiple environments.

‘Managed Data Security is an incredibly valuable tool to business, as it can be used to control and monitor auditable events from the chosen databases. This can be used, for instance, to monitor user behaviour in terms of the authentication against a database/databases, any inbound and outbound suspicious network traffic, and the detection of data exfiltration of large data transfers. By spotting potential malicious transfers quickly, businesses can respond to threats faster and, as a consequence, take actions to mitigate the threat and protect their data.’ – Ali Al-Rubaya, Senior Cyber Security Manager, SecurityHQ
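The quote above describes two of the auditable signals a managed data security service watches for: authentication behaviour against a database and large outbound data transfers that may indicate exfiltration. The following is an added illustration of that detection logic, written for this page and not SecurityHQ’s own tooling. It runs two sliding-window rules over a small set of constructed database audit events; the event fields, the thresholds (five failed logins in two minutes, 500 MB out of one user’s session in ten minutes) and the sample data are all assumptions chosen for illustration.

```python
"""Sliding-window detections over constructed database audit events.

Added example for this article, not SecurityHQ's own code. The event layout,
thresholds and sample data below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple


class AuditEvent(NamedTuple):
    ts: datetime
    user: str
    source_ip: str
    action: str      # LOGIN or QUERY
    status: str      # SUCCESS or FAIL
    bytes_out: int   # bytes returned to the client (0 for logins)


# Constructed sample audit log. 198.51.100.0/24 is a documentation range, used
# here as a stand-in for an unfamiliar external source.
SAMPLE_EVENTS = [
    ("2023-03-21T03:00:00", "batch_etl", "10.0.9.3", "LOGIN", "SUCCESS", 0),
    ("2023-03-21T03:00:05", "batch_etl", "10.0.9.3", "QUERY", "SUCCESS", 450_000_000),
    ("2023-03-21T03:20:00", "batch_etl", "10.0.9.3", "QUERY", "SUCCESS", 400_000_000),
    ("2023-03-21T09:00:01", "svc_report", "198.51.100.7", "LOGIN", "FAIL", 0),
    ("2023-03-21T09:00:08", "svc_report", "198.51.100.7", "LOGIN", "FAIL", 0),
    ("2023-03-21T09:00:15", "svc_report", "198.51.100.7", "LOGIN", "FAIL", 0),
    ("2023-03-21T09:00:22", "svc_report", "198.51.100.7", "LOGIN", "FAIL", 0),
    ("2023-03-21T09:00:29", "svc_report", "198.51.100.7", "LOGIN", "FAIL", 0),
    ("2023-03-21T09:00:36", "svc_report", "198.51.100.7", "LOGIN", "FAIL", 0),
    ("2023-03-21T09:01:00", "svc_report", "198.51.100.7", "LOGIN", "SUCCESS", 0),
    ("2023-03-21T09:02:00", "svc_report", "198.51.100.7", "QUERY", "SUCCESS", 300_000_000),
    ("2023-03-21T09:05:30", "svc_report", "198.51.100.7", "QUERY", "SUCCESS", 350_000_000),
    ("2023-03-21T09:10:00", "analyst", "10.0.5.20", "LOGIN", "SUCCESS", 0),
    ("2023-03-21T09:10:30", "analyst", "10.0.5.20", "QUERY", "SUCCESS", 20_000_000),
    ("2023-03-21T09:12:00", "analyst", "10.0.5.20", "LOGIN", "FAIL", 0),
    ("2023-03-21T09:12:10", "analyst", "10.0.5.20", "LOGIN", "SUCCESS", 0),
]

# Assumed thresholds; a real deployment tunes these per database and workload.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=2)
EXFIL_BYTES_THRESHOLD = 500_000_000
EXFIL_WINDOW = timedelta(minutes=10)


def parse_events(rows) -> List[AuditEvent]:
    """Turn raw tuples into AuditEvent records, ordered by time."""
    events = [AuditEvent(datetime.fromisoformat(ts), u, ip, a, s, b)
              for ts, u, ip, a, s, b in rows]
    return sorted(events, key=lambda e: e.ts)


def detect_failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD,
                               window=FAILED_LOGIN_WINDOW):
    """Alert once per (user, source) when failed logins inside `window` reach `threshold`."""
    alerts, alerted = [], set()
    recent = defaultdict(list)  # (user, source_ip) -> timestamps of recent failures
    for ev in events:
        if ev.action != "LOGIN" or ev.status != "FAIL":
            continue
        key = (ev.user, ev.source_ip)
        bucket = recent[key]
        bucket.append(ev.ts)
        while bucket and ev.ts - bucket[0] > window:   # expire old failures
            bucket.pop(0)
        if len(bucket) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": "failed_login_burst", "user": ev.user,
                           "source_ip": ev.source_ip, "count": len(bucket),
                           "at": ev.ts.isoformat()})
    return alerts


def detect_large_transfers(events, threshold=EXFIL_BYTES_THRESHOLD,
                           window=EXFIL_WINDOW):
    """Alert once per user when bytes returned by successful queries in `window` exceed `threshold`."""
    alerts, alerted = [], set()
    recent = defaultdict(list)  # user -> [(timestamp, bytes_out)]
    for ev in events:
        if ev.action != "QUERY" or ev.status != "SUCCESS":
            continue
        bucket = recent[ev.user]
        bucket.append((ev.ts, ev.bytes_out))
        while bucket and ev.ts - bucket[0][0] > window:  # expire old transfers
            bucket.pop(0)
        total = sum(b for _, b in bucket)
        if total > threshold and ev.user not in alerted:
            alerted.add(ev.user)
            alerts.append({"rule": "large_transfer", "user": ev.user,
                           "source_ip": ev.source_ip, "bytes_out": total,
                           "at": ev.ts.isoformat()})
    return alerts


def run_detections(rows=SAMPLE_EVENTS):
    """Run both rules over a raw audit log and return the alerts by rule."""
    events = parse_events(rows)
    return {"failed_login_bursts": detect_failed_login_bursts(events),
            "large_transfers": detect_large_transfers(events)}


if __name__ == "__main__":
    for rule, found in run_detections().items():
        for alert in found:
            print(rule, alert)
```

On the sample data the first rule fires for `svc_report` from the external address on the fifth failure, and the second fires for the same account once its two exports inside ten minutes add up to 650 MB; `batch_etl` moves more data in total but its two queries are twenty minutes apart, so the window expires and no alert is raised. Keeping the windowing per user and per source is what lets a single rule separate a scheduled bulk job from a compromised service account, which is the kind of distinction the monitoring described in the quote has to make.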

Six Benefits of Data Security for Business

  • Track data in a given business environment.
  • Ensure visibility and analysis of all transactions. Track the movements of end users and spot unusual activity.
  • Control and review policies, such as privileged user access and database change control.
  • Detect and assess vulnerabilities.
  • Activate and automate auditing processes.
  • Build an integrated audit repository for diverse systems and databases.

‘Your business collects, stores and uses critical data on a daily basis. Not only do businesses hold a vast amount of data but they have hundreds, sometimes thousands, of databases and sub-databases. A business will have a database for their address book, another for leads, another for locations, and they are all interlinked to form a single GUI (Graphical User Interface) that the user will then see on their screen. But for online business you also have finance, banking, payment, credit card information, legal records, and these are the crown jewels of any business.’ – How Managed Data Security Can Benefit Business

Checklist to Secure Your Data When Outside the Office

  1. Secure your Wi-Fi and Disable Bluetooth.
  2. Configure privacy settings.
  3. Use random passphrases for accounts.
  4. Keep social media private.
  5. Protect your identity – don’t overshare.
  6. Don’t save information on websites & browsers.
  7. Avoid unknown sites.
  8. Verify before you click on anything.
  9. Carefully back up data.
  10. Report any suspicious activity.

To learn more about data security for business, view SecurityHQ’s latest infographic, ‘10 Tips to Protect Your Data’.
