Blog Posts

Research, Updates, Trends, Analysis
Ransomware Strikes Azure Storage: Are You Ready?

There’s been a recent surge in cloud ransomware attacks. Examples of such attacks were observed by Sophos X-Ops, which detected the ransomware group BlackCat/ALPHV using a new Sphinx encryptor variant to encrypt Azure storage accounts by employing stolen Azure Storage account keys. The BlackCat/ALPHV ransomware group is the same entity that claimed responsibility for infiltrating MGM’s infrastructure and encrypting more than 100 ESXi hypervisors.

Deciphering Shadows: Insights and Observations from the MGM Breach

On September 12, 2023, the world woke up to the news of another significant cyber-attack, this time on MGM Resorts International, a renowned name in the hotel and casino industry. The incident affected their operations across various locations, including iconic Las Vegas.

Think You Have All the Cloud Forensics Data You Need? You Probably Don't

Logs are everywhere—the digital records of events and actions that have taken place in every hardware system, application and network. All of yourdigital environments generate a log of some form.

Microsoft Storm-0558 SaaS Breach: Hunting for Stealth Espionage Attacks

In an ever-changing cyber landscape, the recent exploit by China-based threat actor, Storm-0558, highlights the need for constant vigilance. The threat actor exploited a compromised encryption key (MSA key) to target Microsoft Exchange Online, forge access tokens, manipulate the token verification process, and extract unclassified data from victim mailboxes.

Ready, Set, Respond: Ensuring Compliance with the SEC Reporting Regulations

The Securities and Exchange Commission (SEC) of the United States has adopted new regulations that require public companies to disclose material cybersecurity incidents within four days. To the positive, this initiative seeks to increase transparency and safeguard investors against potential cybersecurity risks.

A Mindset Shift for Cloud Security Resilience: Assume Breach

Cloud environments offer tremendous advantages in agility, scalability, and cost efficiency.

Mitiga Security Advisory: Abusing the SSM Agent as a Remote Access Trojan

Mitiga's research discovered a significant new post-exploitation security concept: involving the use of Systems Manager (SSM) agent as a Remote Access Trojan (RAT) on Linux and Windows machines, controlling them using another AWS account. We shared our research with the AWS security team and included some of their feedback to this advisory.

Why the Implementation of CIRA is so Important for Incident Response

Incident response for cloud and SaaS (Software as a Service) requires new capabilities. Gartner® has released its recent report entitled “Emerging Tech: Security — Cloud Investigation and Response Automation Offers Transformation Opportunities.”

More on Abusing the Amazon Web Services SSM Agent as a Remote Access Trojan

Imagine that you’re a SOC (Security Operations Center) analyst receiving an alert about suspicious behavior from a binary on an EC2 instance. After checking the binary on VirusTotal, you find it was an AWS-developed software signed by Amazon. Further investigation reveals that it communicated only with Amazon-owned IP addresses.

Write DRY Go Code with Generics

Golang version 1.18 brought a shiny new feature — Generics. Go Generics is a programming style that is known and common in other high-level languages, including Python, Java, C#, and many more. Learn how to write DRY Go in generics

Uber Cybersecurity Incident: Which Logs Do IR Teams Need to Focus On?

On September the 16th, Uber announced they experienced a major breach in their organization in which malicious actor was able to log in and take over multiple services and internal tools used at Uber. What are some of the logs that IR teams should be focusing on in their investigation?

Step 1: Phish Mitiga. Step 2: Get Your Phishing-as-a-Platform Dissected by Mitiga

A few weeks ago, one of Mitiga’s employees received an email phishing for credentials. Instead of just laughing it off, our team decided to use their lunch breaks to analyze it. What we found indicates a sophisticated phishing platform that uses AWS and Oracle infrastructure to phish Office 365 email accounts.

Log4Shell - identify vulnerable external-facing workloads in AWS

Cloud-based systems should be thoroughly searched for the new Log4j vulnerability (CVE-2021-44228). But this is a daunting task, since you need to search each and every compute instance, from the biggest EC2 instance to the smallest Lambda function. This is where Mitiga can help.

If It Scares You, It Might Be Good to Try — Monorepo and Dynamically Configured CI

In this blog, Mitiga Devops Engineer Stav Ochakovski addresses our organizational monorepo shift and why it triggered a CI adjustment, as well.

How Identifying UserData Script Manipulation Accelerates Investigation

UserData script manipulation by threat actors is a technique that has been known in the wild for several years and has been observed being exploited by many attack groups, but monitoring and detecting malicious manipulation of user data script is not trivial with standard AWS Cloudtrail logging.

How Can Transit Gateway VPC Flow Logs Help My Incident & Response Readiness?

In this blog, we will focus on the security and forensic aspects of Transit Gateway VPC flow logs and expand the way they can be used by organizations to respond to cloud incidents.

Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots

A recent Mitiga Research Team investigation found the well-regarded Amazon Relational Database Service is leaking PII via exposed RDS Snapshots.

Google Workspace - Log Insights to Your Threat Hunt

Google Workspace is a popular service for document collaboration for organizations and for individual users. Threat actors note that the popularity of this service is increased, and search for ways to exploit vulnerabilities and misconfigurations, so it is important to know how to hunt for threats in Google Workspace.

Google Cloud Platform Exfiltration: A Threat Hunting Guide

If you’re wondering if the cloud era is here, you need only look at the latest stats. 67% of enterprise infrastructure is now cloud-based and 94% of enterprises use cloud services.1 It’s no wonder that public clouds like Google Cloud Platform (GCP) have become a new playground for threat actors. There is a lot to exploit.

Elastic IP Hijacking — A New Attack Vector in AWS

Mitiga Researchers found a new post-exploitation attack method, a novel way in AWS that may enable adversaries to hijack static public IP addresses for malicious purposes.

CircleCI Cybersecurity Incident Hunting Guide

In response to the recent CircleCI security incident, the Mitiga Research Team shares this technical guide to assist organizational threat hunting efforts.

Mitiga Security Advisory: Lack of Forensic Visibility with the Basic License in Google Drive

After gaining initial access to any platform, data theft (exfiltration) is one of the most common attack vectors used by threat actors.

Viral Outbreaks: Thinking of Microsoft’s New Wormable Vulnerability in a Coronavirus Context

But today, in the midst of a pandemic outbreak of Coronavirus (COVID-19) and while governments and global organizations work to contain and eradicate the virus, we’re hearing of a new wormable vulnerability in Microsoft’s SMBv3 protocol.How can we learn from these unfortunate events to provide us with a different context and an opportunity to rethink our level of readiness for unexpected, viral cyber events?

Security Advisory: Mitiga Recommends All AWS Customers Running Community AMIs to Verify Them for Malicious Code

Based on recent research and analysis, Mitiga issued a global advisory, warning AWS customers running EC2 instances based on Community AMIs (Amazon Machine Instances), from potentially embedded malicious code. We strongly advise verifying their security before continuing using these instances.

Samsung Next Invests In Mitiga, Brings Total Funding to $45M

Mitiga, the cloud and SaaS incident response leader, today announced the completion of a Series A Round bringing total funding to $45 million led by ClearSky Security, with participation from Samsung Next and existing investors Blackstone, Atlantic Bridge and DNX.

10 Recommendations for Your Organization to Increase Readiness Following the Okta Breach

We all woke up recently to a security nightmare. Okta, an industry leader in identity and access management is potentially breached and the impact for the industry may be very high. Here are 10 actionable recommendations you can share, but please let us know if you have more so that we can add them to this list.

Ready or Not: Russian Attack on Ukraine Brings Global Cybersecurity Impacts

The Russian military strategy is often described as a strategy of “active defense.” This means that their strategy includes both the preventative measures taken before a conflict breaks out and the tenets for conducting the war.

Ransomware Heads-Up: Family Isn’t the Only Holiday Gang In Town

In this blog, Mitiga Vice President of Consulting Services Rob Floodeen provides several recommendations on how cybersecurity teams can make it through the upcoming holiday season with reduced ransomware visitors.

Advisory: Persistent MFA Circumvention in an Advanced BEC Campaign on Microsoft 365 Targets

Mitiga investigated an attempted Business Email Compromise (BEC) attack. While the alertness of the involved parties prevented the fraud, the attack indicated that the attacker had access to sensitive information that could only be obtained by compromising a user in the organization.

Patches are not enough for VMWare vCenter Server and Cloud Foundation vulns

If you are using either vCenter Server or Cloud Foundation, you must declare an emergency and treat it like you have already been compromised. These critical vulnerability disclosures do not offer a quick and easy patch, and patching alone is not enough.

Mitiga Featured by The Startup Pill as Best Cloud Security Startup 2020, Cyber Security Startups to Watch 2021

The Startup Pill recently recognized Mitiga in two articles highlighting exceptional startups in the cyber security industry.The publication put together a list of the 89 Best Cloud Security Startups Of 2020, and Mitiga is number nine on the list!

Mitiga Security Advisory: Insufficient Forensic Visibility in GCP Storage

As part of Mitiga’s continuous research into cloud attacks and forensics, we have been examining potential data exfiltration techniques in GCP (Google Cloud Platform) and how to identify and investigate them. During this research, we discovered a significant forensic security deficiency in Google Cloud Storage that enables a threat actor to exfiltrate in a covert manner.

Straight from the Mitiga RSAC booth: Your Cloud IR Planning Needs Readiness

Whether we were in the our exhibitor booth at RSA Conference, at the W Hotel for daily Happy Hour and Coffee Time socials, or in conversations following Thursday’s "It's Getting Real and Hitting the Fan! Real World Cloud Attacks” presentation by Ofer Maor, our co-founder and CTO, the energy was off the charts and the one-to-one exchanges rewarding. 

Mitiga Raises $25 Million to Radically Change Cybersecurity Incident Readiness and Response in the Cloud

Mitiga, the first cloud-based solution for Incident Readiness and Response in cloud and hybrid environments, raised $25 million in Series-A funding to completely change the traditional incident response market by supplying unlimited active incident response support for subscribers.

Mitiga is Cooperating with Law Enforcement on a Global Business Email Compromise (BEC) Campaign that Has Netted Over $15M

Mitiga uncovered a widespread and well-executed Business Email Compromise (BEC) campaign in which cybercriminals are impersonating senior executives using Office 365’s email services in order to intercept sensitive communications and then alter wire transfer details and redirect funds to rogue bank accounts.

Mitiga Advisory on Virus Total

A malicious .docx file was uploaded to Virus Total that uses several of Mitiga’s publicly available branding elements including logo, fonts, and colors, to lend credibility to the document. Mitiga was not breached, though the file was created by a threat actor, most likely for use as part of phishing or malware spreading campaigns.

Log4Shell — Forensic Investigation in AWS

In order to mitigate the problems caused by Log4Shell, companies and organizations started patching their systems, but while everyone is busy "locking the doors," the criminals might already be inside. Mitiga is focused on content and research: finding efficient ways to look at artifacts on cloud environments and indicate if there is a reason to believe that the vulnerability has already been used to hack the environment.

Log4Shell - Everything in one place

Security teams all over the world are rushing to deal with the new critical zero-day vulnerability called Log4Shell. This vulnerability in Apache Log4j, a popular open-source Java logging library, has the potential to enable threat actors to compromise systems at scale.

Lessons Learned from WannaCry: Are We Ready for Another Global Attack?

Five years ago, the WannaCry ransomware cryptoworm targeted computers running Microsoft Windows, encrypting data at organizations around the world. The attackers demanded a ransom of just $300 worth of bitcoins within three days or the files would be permanently deleted. The cryptoworm leveraged the EternalBlue exploit, which the National Security Agency developed to attack older Windows Systems.

Lacking readiness, massive breach may be a win for competitors

What seems clear now is that Twitch simply wasn’t ready for an attack. Twitch claims that this latest incident was “a result of a server configuration change that allowed improper access by an unauthorized third party.”

How We Hired 10 Developers in a Highly Competitive Market during August and September

This year we had aggressive hiring goals, and the job market was extremely tight. Our HR team faced a challenge - how to hire the right people into the Mitiga team - quickly - so we could achieve our business goals for the year. This is how we did it!

Former Mandiant COO and President John Watters Joins Mitiga as Independent Board Member

Cybersecurity veteran brings 30+ years of cybersecurity experience, building companies and M&A, most recently selling to Google for $5.4B.

Customer Advisory Kaseya VSA Ransomware Incident

Kaseya, an IT management software provider, notified its customers of a possible security breach in the Kaseya Virtual System Administrator Product. Kaseya has indicated that the number of victims is around 1000s, though the number may increase, at least 36,000 Kaseya customers took their servers offline.

How to Beat the Cubans in the Cuba Ransomware Gang

The Cuba Ransomware Gang is a group that hijacks information and blackmails companies to pay in Bitcoin or watch the exfiltrated private information leaked for all to see.

Advanced BEC Scam Campaign Targeting Executives on O365

Mitiga spotted a sophisticated, advanced business email compromise (BEC) campaign, directly targeting relevant executives of organizations (mostly CEOs and CFOs) using Office 365.

Cyber Week Israel 2022

Thank you for visiting Mitiga at Cyber Week, an expert-driven content and high-level networking in Israel, the high tech industry's Start Up Nation!

Mitiga at the 34th Annual FIRST Conference 2022

Thank you for joining Mitiga at the 34th Annual FIRST Conference 2022, which took place June 26 to July 1, 2022 in Dublin, Ireland

How Okta Passwords Can Be Compromised: Uncovering a Risk to User Data

Mitiga's research team uncovered a data risk to Okta users due to passwords that can be present in logs. This article outlines the risk and attack method.

Making Sense of Today’s Threat Detection and Response Buzzword Landscape

Today’s CISOs and their collective security teams may well find they have wide-ranging considerations to factor regarding both current and next-generation threat detection and response tool investments. How can they make sense of today's threat detection and response buzzword landscape?

Real-World Cloud Attacks: Still Hitting the Fan!

Recent cloud-based attack headlines remain front-and-center in the cybersecurity community, adding to the relevance of analysis and guidance provided by Mitiga Co-Founder and CTO Ofer Maor in his recent BrightTALK Webcast, It's Getting Real & Hitting the Fan! Real World Cloud Attacks.

When It Comes to Incident Response, It’s Time to Give Peacetime Value a Chance

There is an accepted notion in some corners of cybersecurity that maintains “there is no peacetime.” For many of us, that is a daunting premise — as it discounts extensive CISO efforts to extend multi-year investments in cybersecurity tools, innovation, and resources to address ongoing cyberattacks focused on business services transitioned to cloud and SaaS platforms.

Stop Ransomware Attackers From Getting Paid to Play Double-Extortionware Games

In the past, many companies relied on backups to get back to business quickly if they were attacked. Reliable, secure backups separated from the primary environment made it much more difficult for an attacker to access and encrypt them. That long-standing process no longer deters double-extortionware actors — instead, today’s attackers not only encrypt the data but also exfiltrate it.

Are You Ready for a Slack Breach? 5 Ways to Minimize Potential Impact

As Slack becomes a dominant part of the infrastructure in your organization, it will become a target for attacks and at some point, it is likely to be breached (just like any other technology that we use). The impact of that breach, however, depends on how we prepare for it, by limiting its potential propagation and allowing for fast response.

Don’t Believe Incident Response is Different in the Cloud? Let Us Count the 9 Ways

Your organization may well have already realized the improved technological efficiencies and reduced overhead promises of cloud migration — regardless of whether that move was designed as a phased model involving discrete workloads or services, a larger-scale transition, or a strategy based on using a mix of cloud providers across multiple geographies.

An Easy Misconfiguration to Make: Hidden Dangers in the Cloud Control Plane

The biggest risk in cloud development is not recognizing the differences between cloud and traditional definitions of common architecture terms. For example, imagine a system that is completely “firewalled off”—a firewall prevents any inbound or outbound connections from the machine.

7 Best Practices for Cloud Incident Response

Regardless of the specific details of a breach, organizations must be prepared to respond when one occurs. The more organizations move applications and services to the cloud, the more it is important to plan for cloud incident response. These seven best practices will help you get started.

Understanding Your Okta Logs to Hunt for Evidence of an Okta Breach

As the Okta breach event is still unfolding, it is unclear how far this breach may propagate and what influence it has on Okta customers. It is, however, extremely likely that any such potential abuse will leave traces in Okta logs (as well as other logs of potentially compromised systems). But Okta logs are not easy to investigate, so you need to know where to start your research.

How a Cybersecurity Awareness Program Can Empower Employees and Increase Security

Cybersecurity awareness is different from other types of cybersecurity. In cybersecurity there is certainly awareness and training, but technology and policies are also in place to help manage risks, assist in prevention, and detect anomalies. However, the common and often easy initial access vector remains users.

Here's Why Traditional Incident Response Doesn’t Work in the Cloud

Traditional incident response (IR) learned from on-premises investigations doesn’t work in the cloud. Today's threat actors are finding misconfigurations and vulnerabilities to allow them to penetrate cloud environments.

Crown Jewels Analysis — A Risk Of Bias

Organizations have widely adopted the Crown Jewels concept in their efforts to build cost-effective cybersecurity strategies and plans in the ever-growing world of risks and challenges. However, the Crown Jewels concept could undermine the chances of effectively detecting, reacting to and recovering from a cyber-attack. It is time for the adoption of new concepts and new methodologies.

How Do You Successfully Deliver Management Training in a Hybrid World?

Over the last year we have had hyper growth at Mitiga — we went from 20 employees in the beginning of 2021, to 75 today. This growth created a new layer of team leads, many of whom were promoted internally into management roles.

Just What is “Proactive Forensic Data Acquisition” Anyway?

It isn’t just anti-virus blind spots that hinder cybersecurity team efforts to safeguard organizational assets from threat actors. Veteran incident management analysts will tell you many detection tools also have blind spots that can lead to incomplete investigations and incorrect conclusions.

Get Ransomware-Ready – How to Protect Your Business Against Today’s Most Dangerous Cyberthreats

It is hard to overstate the level of havoc generated on global enterprises by year-over-year increases in ransomware attacks. We can point to any number of analyst findings to substantiate this position, but the latest Verizon Data Breach Investigations Report provides a credible, state-of-the-world snapshot.

SaaS Breaches: How to Think about Security in Cloud Apps and Services

The Okta breach is yet another indication of what we have been seeing for the past few years in the cybersecurity industry, particularly in the incident response practice, demonstrating the increased sophistication and capabilities of various attack groups.

Cyber Resilience - Why & How to Start Building It In Your Organization

Cyber resilience is the ability of an organization or entity to continue to deliver services or solutions even in the face of adverse cyber events, such as cyberattacks. Cyber resilience combines elements of information security, business continuity, and organizational resilience.

The real value of tabletop exercises (and how to pick the right one)

A cybersecurity incident response tabletop exercise (TTX) is an activity conducted as a discussion exercise. There can be multiple goals of a TTX, but a common goal is to review processes and procedures to identify gaps and dependencies in organizational response to an incident.

Rethinking zero-day vulnerabilities vs. one-days to increase readiness

Because zero-day vulnerabilities are announced before security researchers and software developers have a patch available, zero-day vulnerabilities pose a critical risk to organizations as criminals race to exploit them. Similarly, vulnerable systems are exposed until a patch is issued and applied.

What is the Spring4Shell exploit? An overview of the Spring vulnerability

Spring is a Java framework for dependency injection and Model-View-Controller (MVC) web development. Spring is a very popular framework; over 6,000 other libraries use the "spring-beans" library (according to Maven Central). Spring4Shell, a new exploit in Spring, was just disclosed.

The ultimate cybercriminal gift list: undisclosed zero-day vulnerabilities

Over the last few months, everyone has been busy patching — seeking to close the loophole most learned about when the a patch was released for Log4j 2.15.0 for Java 8 users to address the remote code execution vulnerability CVE-2021-44228, a previously undisclosed zero-day vulnerability.

Learn how ransomware attacks have changed - and how response needs to, too

Ransomware keeps hitting the news these days, filling headlines with stories about organizations struggling with disabled IT systems, inaccessible patient data, unavailable Wi-Fi, and general confusion. Today, organizations are facing an evolving threat, modern ransomware, also called double extortion ransomware.

How to NOT pay ransomware and live to tell the tale

Ransomware is out of control. So, what can organizations actually do to deal with this tidal wave of attacks? It’s time for organizations to ask themselves the question, “Are we ransomware ready?” And then think about what ransomware readiness really looks like.

What are the dangers of lateral movement in a hybrid environment?

Lateral movement cyberattacks are among the greatest threats cyber security faces today. Whether a company's network exists primarily in the cloud, on-premises, or a hybrid cloud environment, there are lateral movement attack techniques designed to exploit vulnerabilities unique to each environment.

4 Common Challenges Enterprises Face As They Move to the Cloud

Enterprises moving to the cloud from legacy data centers face many security challenges in making that transition, most notably the following four challenges.

How CEOs Can Embrace ‘The Cloud’ Without Compromising Security

While security should be top of mind for every business, it shouldn’t become a barrier preventing organizations from adopting cloud platforms. Provided you are prepared and take the necessary measures to properly protect data, you can enjoy the benefits of the cloud without compromising information security.

Golden Time During Cloud Transitions

In cloud transitions, the goal is move business processes from an on-premises environment to a cloud-based environment. Inevitably, as the transition progresses, some business processes are fully transferred while others are still in flux. It’s during this transition period that organizations are at risk.

Can vulnerabilities in on-prem resources reach my cloud environment?

What risk does this Zoho password manager vulnerability present, and could this on-prem vulnerability impact cloud environments as well?

Top 5 New Security Challenges in Cloud Environments

While the cloud helps modernize environments and improves remote work models, the evolving cloud landscape also gives rise to new challenges. To adapt quickly to new considerations in the changing cloud landscape, organizations need to address these five new security challenges in cloud environments.

Are You Ready for These 5 Common Security Risks of Cloud Computing?

The cloud environment is the future for every industry. From finance to entertainment to healthcare, cloud computing helps businesses compete with increased flexibility, availability of information, and access. But just like on-premises, data center-based computing, moving to cloud environments and SaaS applications brings their own cybersecurity risks.

Increase your readiness for cloud and hybrid cyberattacks while lowering the impact of breaches with AWS and Mitiga
Learn how to work with AWS and Mitiga