Mitiga's research team uncovered a data risk to Okta users due to passwords that can be present in logs. This article outlines the risk and attack method.
Mitiga, the cloud and SaaS incident response leader, today announced the completion of a Series A Round bringing total funding to $45 million led by ClearSky Security, with participation from Samsung Next and existing investors Blackstone, Atlantic Bridge and DNX.
As part of Mitiga’s continuous research into cloud attacks and forensics, we have been examining potential data exfiltration techniques in GCP (Google Cloud Platform) and how to identify and investigate them. During this research, we discovered a significant forensic security deficiency in Google Cloud Storage that enables a threat actor to exfiltrate in a covert manner.
If you’re wondering if the cloud era is here, you need only look at the latest stats. 67% of enterprise infrastructure is now cloud-based and 94% of enterprises use cloud services. It’s no wonder that public clouds like Google Cloud Platform (GCP) have become a new playground for threat actors. There is a lot to exploit.
Cybersecurity veteran brings 30+ years of cybersecurity experience in building companies and in M&A, most recently selling a company to Google for $5.4B.
In response to the recent CircleCI security incident, the Mitiga Research Team shares this technical guide to assist organizational threat hunting efforts.
In this blog, Mitiga DevOps Engineer Stav Ochakovski addresses our organizational monorepo shift and why it triggered a CI adjustment as well.
Mitiga Researchers found a new post-exploitation attack method, a novel way in AWS that may enable adversaries to hijack static public IP addresses for malicious purposes.
In this blog, Mitiga Vice President of Consulting Services Rob Floodeen provides several recommendations on how cybersecurity teams can make it through the upcoming holiday season with reduced ransomware visitors.
A recent Mitiga Research Team investigation found the well-regarded Amazon Relational Database Service is leaking PII via exposed RDS Snapshots.
On September 16th, Uber announced that it had experienced a major breach in which a malicious actor was able to log in and take over multiple services and internal tools used at Uber. What are some of the logs that IR teams should be focusing on in their investigation?
Today’s CISOs and their collective security teams may well find they have wide-ranging considerations to factor regarding both current and next-generation threat detection and response tool investments. How can they make sense of today's threat detection and response buzzword landscape?
Mitiga investigated an attempted Business Email Compromise (BEC) attack. While the alertness of the involved parties prevented the fraud, the attack indicated that the attacker had access to sensitive information that could only be obtained by compromising a user in the organization.
Mitiga spotted a sophisticated, advanced business email compromise (BEC) campaign, directly targeting relevant executives of organizations (mostly CEOs and CFOs) using Office 365.
Recent cloud-based attack headlines remain front-and-center in the cybersecurity community, adding to the relevance of analysis and guidance provided by Mitiga Co-Founder and CTO Ofer Maor in his recent BrightTALK Webcast, It's Getting Real & Hitting the Fan! Real World Cloud Attacks.
Google Workspace is a popular document collaboration service for organizations and individual users. Threat actors have noticed the service's growing popularity and search for ways to exploit vulnerabilities and misconfigurations, so it is important to know how to hunt for threats in Google Workspace.
As Slack becomes a dominant part of the infrastructure in your organization, it will become a target for attacks and at some point, it is likely to be breached (just like any other technology that we use). The impact of that breach, however, depends on how we prepare for it, by limiting its potential propagation and allowing for fast response.
It isn’t just anti-virus blind spots that hinder cybersecurity team efforts to safeguard organizational assets from threat actors. Veteran incident management analysts will tell you many detection tools also have blind spots that can lead to incomplete investigations and incorrect conclusions.
In this blog, we will focus on the security and forensic aspects of Transit Gateway VPC flow logs and expand the way they can be used by organizations to respond to cloud incidents.
There is an accepted notion in some corners of cybersecurity that maintains “there is no peacetime.” For many of us, that is a daunting premise — as it discounts extensive CISO efforts to extend multi-year investments in cybersecurity tools, innovation, and resources to address ongoing cyberattacks focused on business services transitioned to cloud and SaaS platforms.
In the past, many companies relied on backups to get back to business quickly if they were attacked. Reliable, secure backups separated from the primary environment made it much more difficult for an attacker to access and encrypt them. That long-standing process no longer deters double-extortionware actors — instead, today’s attackers not only encrypt the data but also exfiltrate it.
UserData script manipulation by threat actors is a technique that has been known in the wild for several years and has been observed being exploited by many attack groups, but monitoring and detecting malicious manipulation of UserData scripts is not trivial with standard AWS CloudTrail logging.
It is hard to overstate the level of havoc generated on global enterprises by year-over-year increases in ransomware attacks. We can point to any number of analyst findings to substantiate this position, but the latest Verizon Data Breach Investigations Report provides a credible, state-of-the-world snapshot.
Whether we were in our exhibitor booth at RSA Conference, at the W Hotel for daily Happy Hour and Coffee Time socials, or in conversations following Thursday’s “It's Getting Real and Hitting the Fan! Real World Cloud Attacks” presentation by Ofer Maor, our co-founder and CTO, the energy was off the charts and the one-to-one exchanges rewarding.
Your organization may well have already realized the improved technological efficiencies and reduced overhead promises of cloud migration — regardless of whether that move was designed as a phased model involving discrete workloads or services, a larger-scale transition, or a strategy based on using a mix of cloud providers across multiple geographies.
Over the last year we have had hyper growth at Mitiga — we went from 20 employees in the beginning of 2021, to 75 today. This growth created a new layer of team leads, many of whom were promoted internally into management roles.
Golang version 1.18 brought a shiny new feature — Generics. Generics are a programming style that is known and common in other high-level languages, including Python, Java, C#, and many more. Learn how to write DRY Go with generics.
Five years ago, the WannaCry ransomware cryptoworm targeted computers running Microsoft Windows, encrypting data at organizations around the world. The attackers demanded a ransom of just $300 worth of bitcoins within three days or the files would be permanently deleted. The cryptoworm leveraged the EternalBlue exploit, which the National Security Agency developed to attack older Windows systems.
The Okta breach is yet another indication of what we have been seeing for the past few years in the cybersecurity industry, particularly in the incident response practice, demonstrating the increased sophistication and capabilities of various attack groups.
Cyber resilience is the ability of an organization or entity to continue to deliver services or solutions even in the face of adverse cyber events, such as cyberattacks. Cyber resilience combines elements of information security, business continuity, and organizational resilience.
The biggest risk in cloud development is not recognizing the differences between cloud and traditional definitions of common architecture terms. For example, imagine a system that is completely “firewalled off”—a firewall prevents any inbound or outbound connections from the machine.
A cybersecurity incident response tabletop exercise (TTX) is an activity conducted as a discussion exercise. There can be multiple goals of a TTX, but a common goal is to review processes and procedures to identify gaps and dependencies in organizational response to an incident.
Regardless of the specific details of a breach, organizations must be prepared to respond when one occurs. The more organizations move applications and services to the cloud, the more important it is to plan for cloud incident response. These seven best practices will help you get started.
Mitiga uncovered a widespread and well-executed Business Email Compromise (BEC) campaign in which cybercriminals are impersonating senior executives using Office 365’s email services in order to intercept sensitive communications and then alter wire transfer details and redirect funds to rogue bank accounts.
Cybersecurity awareness is different from other types of cybersecurity. In cybersecurity there is certainly awareness and training, but technology and policies are also in place to help manage risks, assist in prevention, and detect anomalies. However, the common and often easy initial access vector remains users.
We all woke up recently to a security nightmare. Okta, an industry leader in identity and access management, has potentially been breached, and the impact for the industry may be very high. Here are 10 actionable recommendations you can share, but please let us know if you have more so that we can add them to this list.
The cloud environment is the future for every industry. From finance to entertainment to healthcare, cloud computing helps businesses compete with increased flexibility, availability of information, and access. But just like on-premises, data center-based computing, moving to cloud environments and SaaS applications brings its own cybersecurity risks.
Spring is a Java framework for dependency injection and Model-View-Controller (MVC) web development. Spring is a very popular framework; over 6,000 other libraries use the "spring-beans" library (according to Maven Central). Spring4Shell, a new vulnerability in Spring, was just disclosed.
As the Okta breach event is still unfolding, it is unclear how far this breach may propagate and what influence it has on Okta customers. It is, however, extremely likely that any such potential abuse will leave traces in Okta logs (as well as other logs of potentially compromised systems). But Okta logs are not easy to investigate, so you need to know where to start your research.
Traditional incident response (IR) learned from on-premises investigations doesn’t work in the cloud. Today's threat actors are finding misconfigurations and vulnerabilities to allow them to penetrate cloud environments.
The Russian military strategy is often described as a strategy of “active defense.” This means that their strategy includes both the preventative measures taken before a conflict breaks out and the tenets for conducting the war.
Lateral movement cyberattacks are among the greatest threats cybersecurity faces today. Whether a company's network exists primarily in the cloud, on-premises, or in a hybrid cloud environment, there are lateral movement attack techniques designed to exploit vulnerabilities unique to each environment.
Over the last few months, everyone has been busy patching — seeking to close the loophole most learned about when a patch was released for Log4j 2.15.0 for Java 8 users to address the remote code execution vulnerability CVE-2021-44228, a previously undisclosed zero-day vulnerability.
Because zero-day vulnerabilities are announced before security researchers and software developers have a patch available, zero-day vulnerabilities pose a critical risk to organizations as criminals race to exploit them. Similarly, vulnerable systems are exposed until a patch is issued and applied.
While the cloud helps modernize environments and improves remote work models, the evolving cloud landscape also gives rise to new challenges. To adapt quickly to new considerations in the changing cloud landscape, organizations need to address these five new security challenges in cloud environments.
Organizations have widely adopted the Crown Jewels concept in their efforts to build cost-effective cybersecurity strategies and plans in the ever-growing world of risks and challenges. However, the Crown Jewels concept could undermine the chances of effectively detecting, reacting to and recovering from a cyber-attack. It is time for the adoption of new concepts and new methodologies.
Cloud-based systems should be thoroughly searched for the new Log4j vulnerability (CVE-2021-44228). But this is a daunting task, since you need to search each and every compute instance, from the biggest EC2 instance to the smallest Lambda function. This is where Mitiga can help.
Security teams all over the world are rushing to deal with the new critical zero-day vulnerability called Log4Shell. This vulnerability in Apache Log4j, a popular open-source Java logging library, has the potential to enable threat actors to compromise systems at scale.
In order to mitigate the problems caused by Log4Shell, companies and organizations started patching their systems, but while everyone is busy "locking the doors," the criminals might already be inside. Mitiga is focused on content and research: finding efficient ways to look at artifacts on cloud environments and indicate if there is a reason to believe that the vulnerability has already been used to hack the environment.
Ransomware is out of control. So, what can organizations actually do to deal with this tidal wave of attacks? It’s time for organizations to ask themselves the question, “Are we ransomware ready?” And then think about what ransomware readiness really looks like.
What risk does this Zoho password manager vulnerability present, and could this on-prem vulnerability impact cloud environments as well?
What seems clear now is that Twitch simply wasn’t ready for an attack. Twitch claims that this latest incident was “a result of a server configuration change that allowed improper access by an unauthorized third party.”
If you are using either vCenter Server or Cloud Foundation, you must declare an emergency and treat it like you have already been compromised. These critical vulnerability disclosures do not offer a quick and easy patch, and patching alone is not enough.
This year we had aggressive hiring goals, and the job market was extremely tight. Our HR team faced a challenge: how to hire the right people into the Mitiga team, quickly, so we could achieve our business goals for the year. This is how we did it!
Ransomware keeps hitting the news these days, filling headlines with stories about organizations struggling with disabled IT systems, inaccessible patient data, unavailable Wi-Fi, and general confusion. Today, organizations are facing an evolving threat, modern ransomware, also called double extortion ransomware.
But today, in the midst of a pandemic outbreak of Coronavirus (COVID-19) and while governments and global organizations work to contain and eradicate the virus, we’re hearing of a new wormable vulnerability in Microsoft’s SMBv3 protocol. How can we learn from these unfortunate events to provide us with a different context and an opportunity to rethink our level of readiness for unexpected, viral cyber events?
In cloud transitions, the goal is to move business processes from an on-premises environment to a cloud-based environment. Inevitably, as the transition progresses, some business processes are fully transferred while others are still in flux. It’s during this transition period that organizations are at risk.
Kaseya, an IT management software provider, notified its customers of a possible security breach in the Kaseya Virtual System Administrator product. Kaseya has indicated that the number of victims is in the thousands, though the number may increase; at least 36,000 Kaseya customers took their servers offline.
Mitiga, the first cloud-based solution for Incident Readiness and Response in cloud and hybrid environments, raised $25 million in Series A funding to completely change the traditional incident response market by supplying unlimited active incident response support for subscribers.
While security should be top of mind for every business, it shouldn’t become a barrier preventing organizations from adopting cloud platforms. Provided you are prepared and take the necessary measures to properly protect data, you can enjoy the benefits of the cloud without compromising information security.
The Cuba Ransomware Gang is a group that hijacks information and blackmails companies to pay in Bitcoin or watch the exfiltrated private information leaked for all to see.
Enterprises moving to the cloud from legacy data centers face many security challenges in making that transition, most notably the following four challenges.
The Startup Pill recently recognized Mitiga in two articles highlighting exceptional startups in the cyber security industry. The publication put together a list of the 89 Best Cloud Security Startups Of 2020, and Mitiga is number nine on the list!
A malicious .docx file was uploaded to Virus Total that uses several of Mitiga’s publicly available branding elements including logo, fonts, and colors, to lend credibility to the document. Mitiga was not breached, though the file was created by a threat actor, most likely for use as part of phishing or malware spreading campaigns.
A few weeks ago, one of Mitiga’s employees received an email phishing for credentials. Instead of just laughing it off, our team decided to use their lunch breaks to analyze it. What we found indicates a sophisticated phishing platform that uses AWS and Oracle infrastructure to phish Office 365 email accounts.
Based on recent research and analysis, Mitiga issued a global advisory warning AWS customers running EC2 instances based on Community AMIs (Amazon Machine Images) about potentially embedded malicious code. We strongly advise verifying their security before continuing to use these instances.
Okta, an industry leader in identity and access management, was breached and the potential impact for the industry may be very high. Here are 10 actionable recommendations you can use to increase your breach readiness.
Thank you for joining Mitiga at the 34th Annual FIRST Conference 2022, which took place June 26 to July 1, 2022 in Dublin, Ireland.
Thank you for visiting Mitiga at Cyber Week, an expert-driven content and high-level networking event in Israel, the high-tech industry's Start-Up Nation!