Threats from the Wild - Episode 3: Multi-Factor Authentication (MFA) Bypass 101: Pass-the-Cookie/Pass-the-Identity (PTC/PTI) Attack Detection Using Logs
The significant increase in remote work/work-from-home (WFH) over the past year as well as the recent high-profile attacks bypassing MFA that involved Solarwinds and cloud providers have heightened the need for the blue teams to better understand and detect attempts by the malicious threat actors to bypass MFA.
In this presentation, Oleg Kolesnikov, VP of Threat R&D/Securonix Threat Labs, will provide some of the key technical insights into the latest MFA bypass attacks carried out by malicious threat actors in the wild, including:
- Introduction to MFA bypass attacks in context of WFH focusing on pass-the-cookie/pass-the-identity (PTC/PTI) attack vectors.
- Latest observations from the wild including attack tools and examples of how malicious threat actors can use PTC/PTI to compromise MFA-enabled accounts, e.g. Azure, Github, etc.
- Demo of an PTC attack in action.
- What possible PTC/PTI attacks might look like in your cloud and EDR logs.
- Some insights into the relevant detection/hunting use cases to help you increase the chances of detecting such attacks in your environments.
Initial Coverage Advisory: Darkside Ransomware Targeting Critical Infrastructure Providers
Securonix Threat Labs R&D/Securonix Threat Research team has been actively monitoring and investigating the details of the critical targeted Darkside ransomware attacks (tracked by Securonix Threat Research as RE$HOOD) with some of the recent victims including Colonial Pipeline Networks, and many others (see Figure 1).
Darkside/RE$HOOD is an active malicious ransomware operator (MRO) that also offers a ransomware-as-a-service (RaaS) affiliate program. Securonix Threat Research has observed at least 64 victims being exploited by Darkside/RE$HOOD MRO or its affiliates since January 2021.