Breaking News

It's past time to retire passwords in favor of other methods for authenticating users and securing systems.
Despite how valuable corporate employees' passwords are and the best efforts of companies to protect their systems, user credentials keep ending up for sale on Dark Web forums. Even with the ever-advancing capabilities of the cybersecurity industry, corporate credentials from all industries appear in these notorious virtual auction halls to be used in a wide range of attacks, from simple phishing to complicated brute-force attacks. 

Even cybersecurity companies are not fully immune to such threats. According to ImmuniWeb research, a staggering 97% of cybersecurity companies have data leaks and other security incidents exposed on the Dark Web.

Moreover, the research revealed that 29% of these stolen passwords are weak, with less than eight characters or without uppercase letters, numbers, or other special characters. About 40% of employees from the 162 companies surveyed reused identical passwords from accounts that had been breached. Note that we are talking about cybersecurity industry employees — so awareness is not the issue here. 

When cybersecurity companies that should be well prepared to protect their employee data fail to do so, it seems that the problem is not the lack of protections around the passwords but rather passwords themselves. The time has come to question the use of passwords as a suitable authentication method. 

High-Severity Account Takeover Exposures on the Rise
Leveraging stolen credentials is the No. 1 tactic used by hackers in recent years due to its relative ease and effectiveness. And since March 2020, the number of high-severity account takeover exposures where corporate credentials with plaintext passwords were exposed has increased by 429%, according to Arctic Wolf.  

The prevalence of credential leaks highlights the impossible task enterprise security teams face. Password reuse on third-party sites beyond the borders of a company's perimeter is the main culprit behind most breaches. Unfortunately, we can't simply wish this problem away. Even though 91% of people know password reuse is insecure, 75% do it anyway, according to LastPass. Apart from nicely asking employees not to have such risky password hygiene, there are limited options for what company security teams can do. 

LastPass also reports that an average employee keeps track of 191 passwords. The reality is that we cannot change human behavior. Humans will always opt for the path of least resistance, and in this case, that means convenience over security. Workers shouldn't be expected to come up with 191 unique login/password combinations that are complex enough to pass the requirements. But that is exactly what many organizations are asking for. 

Unit 42 researchers have been tracking the threat group AridViper, which has been targeting the Middle Eastern region. As part of this research, a new information-stealing Trojan with relations to the MICROPSIA malware family has been identified, showing that the actor maintains a very active development profile, creating new implants that seek to bypass the defenses of their targets.

PyMICROPSIA has a rich set of information-stealing and control capabilities, including:

• File uploading.
• Payload downloading and execution.
• Browser credential stealing. Clearing browsing history and profiles.
• Taking screenshots.
• Keylogging.
• Compressing RAR files for stolen information.
• Collecting process information and killing processes.
• Collecting file listing information.
• Deleting files.
• Rebooting machine.
• Collecting Outlook .ost file. Killing and disabling Outlook process.
• Deleting, creating, compressing and exfiltrating files and folders.
• Collecting information from USB drives, including file exfiltration.
• Audio recording.
• Executing commands.

Workplace pension provider NOW: Pensions has emailed its near 1.7 million UK customers to warn about a data leakage caused by contractor error.

The email, seen by this publication, claims a service provider "unintentionally" posted user data to an unnamed "public software forum". These records include biographical data (names, email addresses, and dates of birth) as well as National Insurance numbers. According to the pension provider, the data was obtained by "a small number" of third parties.

NOW: Pensions said the records were only visible for "a short time". This apparently means three days, with the company saying the data was exposed between 11 and 14 December.