
Blumira Briefings: Disclosure Drama, Ransomware Breakdown, and MFA Bypass Techniques

Written by Zoe Lindsey | Apr 4, 2025 5:15:00 PM

Hello again, friends! 👋

We're back with another episode of Blumira Briefings, your weekly dose of security insights that matter. (Now available in commute-friendly podcast format too!) This week, I was joined by our CEO Matt Warner, our Director of IT and Security Mike Toole, and a first-time appearance from Jake Ouellette from our Detection Engineering team!

We covered quite the range of stories this week, with a heavy focus on breach disclosures (or lack thereof) and some in-depth examination of modern attack chains. Let's dive in!

Blumira's Top Findings: It Was A Pretty Good Week! 📊

Matt kicked us off with some surprisingly good news - overall findings are down about 20% week over week! We can't pinpoint exactly why (end-of-month fatigue, perhaps?), but we'll take the wins where we can get them. One interesting incident involved a RADIUS server accidentally opened on a FortiGate, resulting in DC lockouts without a clear source - a good reminder to check authentication settings on SSL VPNs!

Critical Vulnerabilities: VMware Tools and CrushFTP ⚠️

We discussed two newly disclosed vulnerabilities with high-risk scores:

  • VMware Tools: CVE-2025-22230 with a CVSS score of 7.8 - allowing non-administrative users to perform privileged operations
  • CrushFTP: CVE-2025-2825 with a CVSS score of 9.8 - allowing unauthenticated access via HTTP and HTTPS ports

Jake provided a great breakdown of what factors into a CVSS score, including attack vector, complexity, privileges required, user interaction, scope, and the confidentiality, integrity, and availability (good ol' CIA triad!) impacts.

The CheckPoint Breach: A Matter of Trust 🔍

CheckPoint confirmed a breach that security researchers initially reported on LinkedIn, but claimed it was both "old" and "pinpointed" - affecting only four organizations in December. They stated it came from compromised credentials to a portal with limited access, though some researchers wonder whether the issue was more widespread.

Mike's advice when you're not sure whether a vendor incident is being downplayed or exaggerated:

  1. Open a support ticket and ask directly - companies often provide more nuanced information privately
  2. Check the available data to see if you were a customer during the affected time
  3. Evaluate how the exposed data might affect you

Three Oracle Headlines 😬

The most dramatic story of the week involved Oracle's breach disclosure (or lack thereof) unfolding in three distinct parts:

  1. Initial Denial - Around March 21st, Oracle denied any breach after a hacker claimed theft of 6 million data records
  2. Customer Confirmation - By March 26th, Oracle customers started confirming that data released as part of the alleged breach matched their own
  3. Healthcare Data Impact - On March 28th, Oracle Health acknowledged a "significant security incident" affecting patient data... with Oracle telling customers it wouldn't notify affected patients, and that customers could handle that themselves!

This led to a fascinating discussion about breach disclosure practices. Mike highlighted the importance of tabletop exercises that include all stakeholders - especially HR and legal teams - to prepare for these scenarios: "When and where and how do we communicate a breach and who are we talking to?"

I shared my perspective that when I hear about a breach, "the fact that an incident has occurred is not inherently what makes me change my level of trust in that org. Finding out how that breach occurred and finding out how they respond to it... those are things that are going to have a much bigger impact on how I adjust my trust level."

Fake Zoom Installer Leads to BlackSuit Ransomware 🦠

Jake provided great insights into a sophisticated multi-stage attack that used a fake Zoom installer to eventually deploy BlackSuit ransomware, and what it can tell us about how modern multi-stage attacks adapt and evade today. Like Jake said, "If threat actors were predictable, it'd make my job a lot easier. So their job is absolutely to make things as unpredictable as possible."

Evilginx Still Successfully Bypassing MFA 🔑

Our final story examined how the Evilginx malicious proxy continues to effectively bypass some of the most common multifactor authentication methods through adversary-in-the-middle attacks. Evilginx creates transparent proxies of legitimate login pages, capturing credentials and session tokens.

The good news? There are stronger options for MFA, like FIDO hardware keys or passkeys. Mike also shared a clever tip: use canary tokens (free from Thinkst) in your Microsoft login page HTML. If someone ever tries to proxy your login page, you'll get an alert!
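The two paragraphs above describe the proxying and the canary-token defence; as an added example (not code from the episode, and not Thinkst's own token), here is the kind of "cloned page" beacon such a token performs when embedded in the real login page. The hostnames and alert URL are constructed placeholders.

```javascript
// Added example (not from the Blumira post, and not Thinkst's token code):
// a minimal "cloned login page" beacon of the kind a canary token embedded
// in the real login page performs. An adversary-in-the-middle proxy serves
// this same HTML from its own lookalike hostname, so the hostname check
// fails there and the browser fetches an alert URL. Hostnames and the
// alert URL are constructed placeholders.

// Expected hostnames are stored base64-encoded: proxies such as Evilginx
// rewrite literal occurrences of the real domain in proxied pages, so a
// plain-text hostname in this script could itself be rewritten to match.
const enc = (s) => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64'));
const EXPECTED_HOSTS_ENC = ['bG9naW4uZXhhbXBsZS5jb20=']; // "login.example.com", constructed
const ALERT_URL = 'https://canary.example/report';      // placeholder alert endpoint

// Normalise the observed hostname and compare it, encoded, against the list.
// Exact match only: "login.example.com.evil.tld" must not pass.
function isExpectedHost(hostname, expectedEnc = EXPECTED_HOSTS_ENC) {
  const h = String(hostname).trim().toLowerCase().replace(/\.$/, '');
  return expectedEnc.includes(enc(h));
}

// Returns the alert URL to fetch when the page appears to be proxied, carrying
// the observed host and the referrer the proxy presented; null when the page
// is served from a legitimate host.
function cloneAlertUrl(hostname, referrer, expectedEnc = EXPECTED_HOSTS_ENC) {
  if (isExpectedHost(hostname, expectedEnc)) return null;
  const q = new URLSearchParams({ host: String(hostname), ref: String(referrer || '') });
  return `${ALERT_URL}?${q}`;
}

// Browser entry point. Guarded so the same file loads under Node for testing.
// The victim's browser requests ALERT_URL directly (it is not one of the
// proxied hosts), which is what raises the alert on the defender's side.
function runCloneCheck() {
  if (typeof document === 'undefined') return null;
  const url = cloneAlertUrl(document.location.hostname, document.referrer);
  if (url) new Image().src = url;
  return url;
}
runCloneCheck();
```

The alert tells you a copy of your page is being served from somewhere else, so the reporting endpoint should land in a monitored queue where the observed host can be blocklisted and affected sessions reviewed.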

Final Thoughts For This Week

As we wrapped up, Matt reminded us that the more things change, the more some things stay the same: "Defense-in-depth is still important, least-privileged access still important. What we learned 10, 20 years ago still applies now."

While modern attacks continue to evolve in sophistication, the core principles of security remain relevant - we just need to adapt our implementations to match today's threats.

What topics would you like us to cover in future episodes? Drop a comment below or reach out to us on social media!

Until next week,