Quarter by quarter, for three years now, abuse of Remote Desktop Protocol (RDP) has been the most common root cause of all ransomware events. It’s no surprise why RDP makes for an attractive target: RDP is the primary vehicle for remote access to Windows servers and is used for administrative functions. It’s the most commonly listed method of remote access sold by initial access brokers. According to some 2019 research [pdf] by Sophos, an open RDP port gets its first connection request...

Does your organization still allow users to authenticate to Office 365 or other Microsoft services using only a username and password? If you do, you’re 53x more likely to be targeted in credential-based attacks. (No, not 53% more likely. It’s 53 times more likely). Many organizations (at least one in ten Microsoft customers, as of October 2021) still allow access to the M365 cloud using what Microsoft calls “Legacy Authentication”. In these requests, the client forwards the username and...

Last Updated: 1/12/2022 3.30pm Pacific Time The Okta Security team continues to investigate and evaluate the Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228), also known as Log4Shell. Log4j is a Java-based logging utility found in a wide number of software products. The vulnerability was disclosed by the Apache Log4j project on Thursday, December 9, 2021. If exploited, it could potentially allow a remote attacker to execute code on the server if the system logs...

Using Okta System Logs to monitor use of basic authentication to Office 365 As promised on the Risky Business podcast, here are some System Log queries to help Okta administrators weed out examples of clients connecting to their Office 365 tenant over basic authentication (“legacy authentication”, in Microsoft parlance.) If you already know why these authentication methods are risky, skip straight on to the queries and containment strategies. Otherwise, read on!In 2019, Microsoft announced the...

Malware can often be detected by scanning for a particular string or a sequence of bytes that identifies a family of malware. Yara is a tool that helps you do that. “Yara rules” are descriptions that look for certain characteristics in files. Using Yara rules, Yara searches for specific patterns in files that might indicate that the file is malicious. Let’s take a look at this example rule taken from Yara’s official documentation page. rule silent_banker { meta: description = "This...

When the Internet goes down, rendering everything inaccessible from mission-critical business services to mental stability-critical meme generators, is it because of an accident or malicious hackers? In the case of BGP hijacking, it could be either—and sometimes both. Consider the BGP hijacking incident on April Fool’s Day last year, which caused massive Internet service disruptions just as the world was beginning to grapple with the consequences of the COVID-19 pandemic. Internet traffic that...

Yesterday, President Biden took a major step forward in ensuring that the US government has the resources and focus needed to address our cybersecurity needs with the issuance of Executive Order on Improving the Nation’s Cybersecurity. This focus is long overdue. For nearly a decade, we’ve lived in this tenuous world where the next critical cyber event lies just around the corner, but the seeds were planted long before that. The day we decided to connect our agencies or our enterprises to the...

Okta Security has discovered and disclosed a new bypass in Windows Installer (MSI) Authenticode signature validation that could allow an attacker to disguise an altered package as legitimate software.

At Okta we are committed to ensuring the safety of our employees and workplaces. Nothing is more important to us than the trust of our employees, customers and partners. Transparency is one of our core values and in that spirit, I wanted to offer a reflection on the recent Verkada cyber attack. We partner with a number of cloud technology companies to achieve our holistic approach to security, and one of those companies is Verkada. It supplies us with cameras that we use in our office entrances...