Privacy
- Wat niemand over je mag weten
Plex en LastPass breaches lijken erg veel op elkaar
26-08-2022, 09:03 door Anoniem, 3 reacties
Mailtje van Lastpass:
We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.
Mailtje van Plex:
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
Is dit toeval? Of delen ze beiden hetzelfde ontwikkelplatform?
We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.
Mailtje van Plex:
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
Is dit toeval? Of delen ze beiden hetzelfde ontwikkelplatform?
Reacties (3)
26-08-2022, 11:00 door
Erik van Straten
Vermoedelijk gaat het om dezelfde aanvallers, zoals o.a. gedocumenteerd in:
25 aug. https://blog.group-ib.com/0ktapus
15 aug. https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
15 aug. https://www.silentpush.com/blog/analysis-of-the-twilio-phishing-attack
en mogelijk deze al, 12 juli https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
In elk geval hebben ze gemeen dat ze bijna alle vormen van MFA (2FA) weten te omzeilen (middels proxies zoals Modlishka, Muraena, CredSniper of Evilginx2).
Het advies van Group-IB is m.i. het verstandigst:
Helaas wordt het ons, gebruikers, onnodig moeilijk gemaakt - zoals ik gisteren (cynisch) beschreef in https://security.nl/posting/765755.
25 aug. https://blog.group-ib.com/0ktapus
15 aug. https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
15 aug. https://www.silentpush.com/blog/analysis-of-the-twilio-phishing-attack
en mogelijk deze al, 12 juli https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
In elk geval hebben ze gemeen dat ze bijna alle vormen van MFA (2FA) weten te omzeilen (middels proxies zoals Modlishka, Muraena, CredSniper of Evilginx2).
Het advies van Group-IB is m.i. het verstandigst:
Group-IB recommends the following to mitigate similar attacks:
1) End users should always check, carefully, the URL of the site where you are entering your credentials. This is especially important for users with privileged accounts.
2) Treat all URLs that were received from unknown sources as suspicious. If in doubt, forward them to your security team for analysis.
3) Implement a FIDO2-compliant security key from a vendor like YubiKey for multi-factor authentication, like Cloudflare suggests
4) If you think your credentials might have been compromised, immediately change your password, sign off from all active sessions, and report the incident to your manager and security team.
1) End users should always check, carefully, the URL of the site where you are entering your credentials. This is especially important for users with privileged accounts.
2) Treat all URLs that were received from unknown sources as suspicious. If in doubt, forward them to your security team for analysis.
3) Implement a FIDO2-compliant security key from a vendor like YubiKey for multi-factor authentication, like Cloudflare suggests
4) If you think your credentials might have been compromised, immediately change your password, sign off from all active sessions, and report the incident to your manager and security team.
Helaas wordt het ons, gebruikers, onnodig moeilijk gemaakt - zoals ik gisteren (cynisch) beschreef in https://security.nl/posting/765755.
Door Erik van Straten: Vermoedelijk gaat het om dezelfde aanvallers, zoals o.a. gedocumenteerd in:
25 aug. https://blog.group-ib.com/0ktapus
15 aug. https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
15 aug. https://www.silentpush.com/blog/analysis-of-the-twilio-phishing-attack
en mogelijk deze al, 12 juli https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
In elk geval hebben ze gemeen dat ze bijna alle vormen van MFA (2FA) weten te omzeilen (middels proxies zoals Modlishka, Muraena, CredSniper of Evilginx2).
Het advies van Group-IB is m.i. het verstandigst:
Helaas wordt het ons, gebruikers, onnodig moeilijk gemaakt - zoals ik gisteren (cynisch) beschreef in https://security.nl/posting/765755.
25 aug. https://blog.group-ib.com/0ktapus
15 aug. https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
15 aug. https://www.silentpush.com/blog/analysis-of-the-twilio-phishing-attack
en mogelijk deze al, 12 juli https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
In elk geval hebben ze gemeen dat ze bijna alle vormen van MFA (2FA) weten te omzeilen (middels proxies zoals Modlishka, Muraena, CredSniper of Evilginx2).
Het advies van Group-IB is m.i. het verstandigst:
Group-IB recommends the following to mitigate similar attacks:
1) End users should always check, carefully, the URL of the site where you are entering your credentials. This is especially important for users with privileged accounts.
2) Treat all URLs that were received from unknown sources as suspicious. If in doubt, forward them to your security team for analysis.
3) Implement a FIDO2-compliant security key from a vendor like YubiKey for multi-factor authentication, like Cloudflare suggests
4) If you think your credentials might have been compromised, immediately change your password, sign off from all active sessions, and report the incident to your manager and security team.
1) End users should always check, carefully, the URL of the site where you are entering your credentials. This is especially important for users with privileged accounts.
2) Treat all URLs that were received from unknown sources as suspicious. If in doubt, forward them to your security team for analysis.
3) Implement a FIDO2-compliant security key from a vendor like YubiKey for multi-factor authentication, like Cloudflare suggests
4) If you think your credentials might have been compromised, immediately change your password, sign off from all active sessions, and report the incident to your manager and security team.
Helaas wordt het ons, gebruikers, onnodig moeilijk gemaakt - zoals ik gisteren (cynisch) beschreef in https://security.nl/posting/765755.
Dank voor deze toelichting Erik! Je bent een aanwinst op dit forum.
Gr, TS
Reageren
Deze posting is gelocked. Reageren is niet meer mogelijk.
Junior DevOps Engineer
Certified Secure is op zoek naar een Junior DevOps Engineer. Deze functie is een stuk interessanter dan de term doet vermoeden! Om jou als potentiële nieuwe collega meteen te laten zien wat we doen hebben we speciaal voor jou een selectie gemaakt van een aantal leuke security challenges. Are you ready for a challenge?
Cybersecurity Trainer / Streamer
Toe aan een nieuwe nieuwe job waarmee je het verschil maakt? In de Certified Secure trainingen laat je deelnemers zien hoe actuele kwetsbaarheden structureel verholpen worden. Ook werk je actief mee aan de ontwikkeling van onze gamified security challenges. Bij het maken van challenges kom je telkens nieuwe technieken tegen, van Flutter tot GraphQL, van Elastic Search tot Kubernetes.
