Notorious cyber gang UNC3944 attacks vSphere and Azure to run VMs inside victims' infrastructure

Notorious cyber gang UNC3944 – the crew suspected of involvement in the recent attacks on Snowflake and MGM Entertainment, and plenty more besides – has changed its tactics and is now targeting SaaS applications. According to Google Cloud's Mandiant threat intelligence team, UNC3944's activities have plenty of overlap with …

  1. Mike 137 Silver badge

    Two fundamental failures

    [1] "In some cases, callers already possessed victims' personally identifiable information – allowing the attackers to bypass identity verification checks."

    "Identity verification" should include additional out of band challenge/response information that only the helpdesk and the legitimate party have access to (e.g. to ask when the caller signed up to the service).

    [2] "UNC3944's crooked callers would often claim they were receiving a new phone, which necessitated a multi-factor authentication (MFA) reset."

    No phoned-in request for a credentials reset should ever be granted without an additional out-of-band verification step (e.g. a call back to the user's registered phone number with a verification code).

    Obviously neither of these is 100% assured as they could be circumvented in principle, but together they come pretty close in the majority of cases.

    The big snag here (which is commonplace unfortunately) is that we're still using decades-old (and in some cases, faulty) criteria for identification and authentication, despite the threats having escalated hugely since then. Many people (and organisations) still confuse identifiers and authenticators -- hence a common assumption that biometrics are authenticators, and password creation rules remain as flawed as ever. Most significantly though, there's clearly a serious lack of understanding of the basic principles of identity verification which needs to be addressed by much better training. That's obviously a long-term fix, but in the short term there's absolutely no reason why out-of-band one-time key generation should not be universally adopted as one of the Ms in MFA -- dongles supporting this have been around for decades.

    1. Pascal Monett Silver badge

      Re: Two fundamental failures

      I cannot upvote you enough.

      And yes, OTK tokens are the right answer for all authentication issues. Funny how rarely that is implemented (for a very low value of funny, that is).

    2. Richard 12 Silver badge

      Re: Two fundamental failures

      SIM swap defeats the callback method, as the helpdesk often just ends up calling the scammer back at their own expense.

      Really, the only defence is always knowing that a new phone is coming into existence along with its IMEI before it actually does, by virtue of it being company property.

      Never allow a personal phone to be a second factor, only a company phone or company physical token.

      But that would mean the company paying for the second factor, instead of loading that cost onto the employee to "save" money.

      1. Mike 137 Silver badge

        Re: Two fundamental failures

        "SIM swap defeats the callback method"

        That's one of the 'not 100% assured' situations, but SIM swap is not apparently relevant to the attack described here, so callback would indeed assist.

    3. Anonymous Coward

      Can someone tell the so-called lawmakers about this?

      @Mike_137

      Quote: "...there's clearly a serious lack of understanding of the basic principles of identity verification..."

      ...not least in London SW1.....see the so called "Online Safety Act" for evidence....

      Yup...."confuse identifiers and authenticators"......."age verification" anyone?
