A botnet of more than 130,000 compromised devices is conducting a large-scale password-spray attack against Microsoft 365 accounts, abusing the service's legacy Basic Authentication feature.
The attempts are recorded in the non-interactive sign-in logs, a stream that researchers at SecurityScorecard note is often overlooked by security teams. Because so few analysts watch that log, threat actors can run high-volume password spraying while going virtually undetected.
Non-interactive sign-ins are performed on behalf of the user by a client app or operating system component and do not require the user to enter any credentials. Instead, the user is automatically authenticated using previously established credentials or tokens.
Non-interactive logins are widespread in Microsoft 365, driven by service accounts, automated tasks, and API integrations, said Jason Soroko, senior fellow at Sectigo, in an emailed statement to Dark Reading.
They often represent a significant portion of overall authentication events, as background processes routinely access resources without direct user input.
This tactic differs from traditional password spray attacks, which often trigger account lockouts and prompt investigation by security teams. By routing attempts through non-interactive sign-ins, threat actors gain more time to infiltrate a system before any alarm is sounded, and the technique can succeed even against otherwise well-defended environments.
The researchers have observed this tactic in multiple M365 tenants worldwide.
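The practical takeaway from the report is that the detection has to run over the non-interactive sign-in log, keyed on the pattern a spray leaves: one source address, many distinct users, very few attempts per user (below the lockout threshold), and a legacy client protocol. The following is an added example written for this article, not code from SecurityScorecard or Dark Reading. The records it processes are constructed; their field names are modelled on the Microsoft Graph signIn resource (userPrincipalName, ipAddress, clientAppUsed, isInteractive, status.errorCode, createdDateTime), and the error code 50126 and the clientAppUsed values are assumptions that should be checked against your own tenant's export before use.

```python
"""Password-spray detection over non-interactive sign-in records.

Added example: the records are constructed, not real tenant data. Field
names follow the Microsoft Graph `signIn` resource; the error code and the
clientAppUsed strings below are assumptions to verify against your export.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INVALID_PASSWORD = 50126      # assumption: Entra ID "invalid username or password"
SUCCESS = 0
# assumption: how Basic Auth (legacy) protocols appear in clientAppUsed
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}
FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


def detect_spray(records, window=timedelta(hours=1),
                 min_distinct_users=10, max_attempts_per_user=3):
    """Return {ip: summary} for source IPs whose NON-interactive failures look
    like a spray: many distinct users, few tries each, inside one time window.
    Successful sign-ins from the same IP for a sprayed user are reported as
    likely compromised accounts."""
    by_ip = defaultdict(list)
    for r in records:
        if r["isInteractive"]:
            continue                      # only the overlooked stream matters here
        by_ip[r["ipAddress"]].append(r)

    findings = {}
    for ip, evts in by_ip.items():
        failures = [e for e in evts if e["status"]["errorCode"] == INVALID_PASSWORD]
        if not failures:
            continue
        per_user = defaultdict(int)
        for e in failures:
            per_user[e["userPrincipalName"]] += 1
        times = sorted(parse_time(e["createdDateTime"]) for e in failures)
        span = times[-1] - times[0]
        if len(per_user) < min_distinct_users or span > window:
            continue
        if max(per_user.values()) > max_attempts_per_user:
            continue                      # hammering a few accounts is brute force, not a spray
        compromised = sorted({
            e["userPrincipalName"] for e in evts
            if e["status"]["errorCode"] == SUCCESS
            and e["userPrincipalName"] in per_user
            and parse_time(e["createdDateTime"]) >= times[0]
        })
        legacy = sum(1 for e in evts if e["clientAppUsed"] in LEGACY_CLIENT_APPS)
        findings[ip] = {
            "distinct_users_failed": len(per_user),
            "max_attempts_per_user": max(per_user.values()),
            "span_minutes": span.total_seconds() / 60,
            "legacy_auth_share": legacy / len(evts),
            "likely_compromised": compromised,
        }
    return findings


def _rec(t, upn, ip, app, interactive, code):
    return {"createdDateTime": t.strftime(FMT), "userPrincipalName": upn,
            "ipAddress": ip, "clientAppUsed": app, "isInteractive": interactive,
            "status": {"errorCode": code}}


def build_sample_records():
    """Constructed sample log: one spray, one guess that landed, two benign sources."""
    base = datetime(2025, 2, 24, 3, 0, 0, tzinfo=timezone.utc)
    recs = []
    # Spray: 20 users, one wrong password each, a minute apart, via Basic-Auth IMAP.
    for i in range(20):
        recs.append(_rec(base + timedelta(minutes=i), f"user{i:02d}@example.com",
                         "203.0.113.7", "IMAP4", False, INVALID_PASSWORD))
    # One guess succeeded later from the same address: a compromised account.
    recs.append(_rec(base + timedelta(minutes=25), "user07@example.com",
                     "203.0.113.7", "IMAP4", False, SUCCESS))
    # Benign: an employee mistyping a password in the browser (interactive, ignored).
    for i in range(5):
        recs.append(_rec(base + timedelta(minutes=i), "alice@example.com",
                         "198.51.100.5", "Browser", True, INVALID_PASSWORD))
    # Benign: service accounts refreshing tokens (non-interactive, no failures).
    for i, name in enumerate(("svc-backup", "svc-crm", "svc-backup")):
        recs.append(_rec(base + timedelta(minutes=i), f"{name}@example.com",
                         "192.0.2.10", "Mobile Apps and Desktop clients", False, SUCCESS))
    return recs


if __name__ == "__main__":
    for ip, summary in detect_spray(build_sample_records()).items():
        print(ip, summary)
```

Only the address that touched twenty accounts is reported, with user07 listed as a likely compromise because its later success came from the spraying address; the employee's interactive typos and the service accounts' token refreshes never reach the scoring. The thresholds are parameters because the right values depend on tenant size and on how aggressive your lockout policy is; and, as the article implies, the control that removes the attack surface entirely is blocking Basic Authentication so that these attempts cannot authenticate at all.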
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source : https://www.darkreading.com/cyberattacks-data-breaches/microsoft-365-accounts-sprayed-mega-botnet
To ensure minimal business disruption, CISOs must have the right incident recovery strategies, roles, and processes in place. Security experts share tips on assembling your playbook.
When a company experiences a major IT systems outage — such as from a cybersecurity incident — it’s essentially out of business for however long the downtime lasts. That’s why having an effective incident response (IR) plan is vital.
It’s not just a matter of finding the source of an attack and containing it, though. Enterprises need to design for resilience to be able to continue operating even as key systems become unavailable.
What goes into an effective incident response plan? Here are some suggestions of essential components.
Perform impact analysis to ensure business resiliency and continuity
When a security breach brings down key systems, companies need a solid IT resiliency or business continuity (BC) plan in place. If the business is down for even a few hours, that can lead to large financial losses and damaging publicity.
“One of the key components of the development of a business continuity plan is to understand the essential functions your organization performs, and what the impacts would be if they were disrupted,” says Justin Kates, senior business continuity advisor for convenience store operator Wawa, who is responsible for architecting a new BC program for Wawa’s expanding footprint of more than 1,000 stores across 10 states.
Source : https://www.csoonline.com/article/3829684/how-to-create-an-effective-incident-response-plan.html