April 5, 2022
Good morning, everyone!
The latest critical vulnerabilities:
Did you update everything last week?
A few hours after my last newsletter went out, one faithful reader wrote to me:
Glenda, I'm supposed to get auto updates. I checked my Note 10+, and it told me I was up to date. But, the last update was 2-4-22, so I manually checked. There was an update to be had.
See? I told you so! Patch all the things!
2FA and Prompt Bombing
The bad guys just never sit back and relax, do they? The Lapsus$ group and the gang that hacked SolarWinds have a new attack to bypass the protections of two-factor or multi-factor authentication (2FA/MFA): Prompt Bombing!
“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”
So you all know how much I love 2FA/MFA but no system is perfect, right? You have to use it properly.
Think before you click! One of the best things about these push notifications is that it gives you a warning – but only if you pay attention! When you get a popup on your mobile device, READ IT. If it’s asking you to confirm that you are trying to log in from a new device, and you aren’t, then say “NO” and immediately change your password to this account.
If the attacker got to the point of sending the 2FA/MFA request to log in, that means he has your actual password to that account. Either it was stolen or it was guessed, but either way, that account is now compromised. And the warning of a 2FA/MFA popup is telling you this.
Go forth and be secure! and have a great week.
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺
TNE. Cybersecurity. Possible.Speak with an Expert