Tag:

Enterprise security

Tech

Barracuda spots 7 million device code phishing attacks

by Chief Editor
written by Chief Editor

The Industrialization of Identity Theft: The PhaaS Evolution

The landscape of cybercrime is shifting from manual, targeted attacks to a highly scalable business model. The emergence of Phishing-as-a-Service (PhaaS) platforms, such as the EvilTokens kit, allows low-skill criminals to launch sophisticated campaigns that were once the sole domain of advanced threat actors.

This “industrialization” means that high-volume attacks are now easier to execute. For example, security firm Barracuda recently detected over 7 million device code phishing attacks within a single four-week window. By packaging complex exploits into ready-to-use kits sold on platforms like Telegram, the barrier to entry for attackers has vanished.

Did you recognize? Device code phishing is particularly dangerous since it doesn’t rely on fake login pages. Instead, it tricks users into using the legitimate Microsoft login portal, making it nearly invisible to traditional “spot the fake URL” training.

Beyond the Password: The Shift to Token Hijacking

For years, security training focused on preventing credential theft. However, we are seeing a strategic pivot toward hijacking trusted authentication flows. Instead of stealing a password, attackers are now targeting OAuth 2.0 access and refresh tokens.

From Instagram — related to Microsoft, Phishing

By abusing the device authorization flow—originally designed for devices with limited interfaces like printers or smart TVs—attackers can gain authorized access to Microsoft 365 and Entra ID environments. Once a victim enters a legitimate code on a real Microsoft page, the attacker receives the token directly.

This method provides three critical advantages for the attacker:

  • Stealth: No cloned websites are used, bypassing many email filters.
  • MFA Bypass: Because the victim authorizes the device themselves, multifactor authentication (MFA) and conditional access checks are often bypassed.
  • Persistence: Refresh tokens can grant attackers access for days or weeks, remaining effective even if the user changes their password.

The Next Frontier: Cross-Platform Expansion

While current surges heavily target Microsoft ecosystems, the trend is moving toward cross-platform versatility. The developers behind the EvilTokens kit have already indicated plans to extend their phishing capabilities to include Gmail and Okta phishing pages.

How fast is a BARRACUDA ATTACK? FREE CODE FRIDAY : DIGITAL CODES Magic Mike 7th son

This suggests a future where “identity-agnostic” phishing kits can pivot between different cloud providers depending on the target’s infrastructure. We are already seeing diverse threat actors—including Russian groups like Storm-237, UTA032, UTA0355, UNK_AcademicFlare, and TA2723, as well as the ShinyHunters data extortion group—leveraging these advanced techniques.

Pro Tip: To mitigate this risk, organizations should implement layered security controls, including advanced email filtering and continuous monitoring of identity protection mechanisms. Tighter controls around device authorization flows are essential to stop token abuse.

Redefining the Human Firewall

The rise of device code phishing renders traditional “look for the padlock” or “check the domain” advice obsolete. Since the final step of the attack happens on a genuine site (such as microsoft.com/devicelogin), the battle has shifted from technical detection to contextual awareness.

Future security training must move beyond identifying “fake” sites and instead teach users to question the reason for a request. If a user is asked to enter a verification code for a device they didn’t intentionally link, it should be treated as a critical red flag, regardless of how legitimate the website appears.

Attackers are increasingly tailoring their lures to specific roles. Recent campaigns have used PDFs, HTML, and DOCX files impersonating financial documents, payroll notices, or SharePoint shares to target employees in HR, finance, logistics, and sales.

Frequently Asked Questions

What is device code phishing?
It’s an attack that abuses the OAuth 2.0 device authorization flow. Attackers trick users into entering a legitimate device code on an official login page, which grants the attacker an access token to the user’s account.

Can MFA stop device code phishing?
Not necessarily. Because the victim is the one performing the authentication on a trusted device, they effectively “approve” the attacker’s session, potentially bypassing MFA and conditional access checks.

What is EvilTokens?
EvilTokens is a Phishing-as-a-Service (PhaaS) kit that automates device code phishing attacks, primarily targeting Microsoft 365 and Entra ID environments.

How do I protect my organization?
Implement layered security, use advanced email filtering, monitor for unusual identity patterns, and train staff to never enter device codes unless they initiated the request themselves.

Are you confident in your current identity protection strategy? Share your thoughts in the comments below or subscribe to our newsletter for the latest updates on evolving cyber threats.

0 comments
0 FacebookTwitterPinterestEmail
Tech

CrackArmour flaws in AppArmour risk Linux root access

by Chief Editor
written by Chief Editor

CrackArmor: The Looming Threat to Linux Security and the Future of Kernel Hardening

A critical set of vulnerabilities, dubbed “CrackArmor,” has been discovered in AppArmor, a widely used Linux kernel security module. Affecting systems since 2017, these flaws allow unprivileged local users to potentially gain root access and compromise container isolation. The discovery, made by Qualys researchers, impacts over 12.6 million enterprise Linux instances and signals a need for heightened vigilance and proactive security measures.

Understanding the Confused Deputy Problem

At the heart of CrackArmor lies a “confused deputy” vulnerability. This occurs when a low-privilege user can manipulate a trusted process into performing actions it shouldn’t be authorized to do. In this case, attackers exploit pseudo-files within the /sys/kernel/security/apparmor/ directory – specifically, the .load, .replace, and .remove interfaces – to alter AppArmor profiles. This manipulation can bypass user-namespace restrictions and potentially execute arbitrary code within the kernel.

Why AppArmor Matters: A Widespread Security Layer

AppArmor is a crucial component of the Linux security landscape. It functions as a mandatory access control system, enforcing security policies on applications. Enabled by default on major distributions like Ubuntu, Debian, and SUSE, it’s likewise heavily utilized in cloud and container environments for host hardening and workload confinement. The widespread adoption of AppArmor means the potential impact of CrackArmor is substantial.

The Ripple Effect: Containers, Namespaces, and Denial of Service

The vulnerabilities aren’t limited to privilege escalation. CrackArmor also introduces risks to container and namespace boundaries. Attackers could potentially create more permissive namespaces, weakening isolation in environments where unprivileged user namespaces are restricted. Certain removal operations can exhaust the kernel stack, potentially leading to a denial-of-service and system crashes.

Beyond Immediate Patching: A Shift in Security Thinking

While kernel updates are the primary remediation, the CrackArmor discovery highlights a broader issue: the limitations of relying solely on default security assumptions. As Dilip Bachwani, CTO at Qualys, stated, “CrackArmor proves that even the most entrenched protections can be bypassed without admin credentials.” This necessitates a re-evaluation of security postures and a move towards more proactive and layered defenses.

Future Trends in Kernel Security

The CrackArmor vulnerabilities are likely to accelerate several key trends in kernel security:

  • Increased Focus on Runtime Security: Traditional security measures often focus on static analysis and perimeter defenses. CrackArmor demonstrates the need for robust runtime security solutions that can detect and prevent malicious activity even after a system has been compromised.
  • Enhanced Mandatory Access Control (MAC) Systems: The flaws in AppArmor will likely drive further development and refinement of MAC systems like SELinux and AppArmor, focusing on preventing confused deputy attacks and strengthening profile integrity.
  • Zero-Trust Architectures: The principle of “never trust, always verify” is becoming increasingly significant. Zero-trust architectures, which assume that no user or device is inherently trustworthy, can help mitigate the impact of vulnerabilities like CrackArmor.
  • Automated Vulnerability Management: The scale of the CrackArmor impact (over 12.6 million systems) underscores the need for automated vulnerability management tools that can quickly identify and prioritize systems requiring patching.
  • Supply Chain Security: The long-standing nature of these vulnerabilities (existing since 2017) raises concerns about the security of the software supply chain. Greater scrutiny of code contributions and more rigorous testing are essential.

Pro Tip:

Regularly monitor the /sys/kernel/security/apparmor/ directory for unexpected changes. This can serve as an early indicator of potential exploitation attempts.

FAQ

What is AppArmor?
AppArmor is a Linux kernel security module that enforces mandatory access control policies on applications.

What is CrackArmor?
CrackArmor is a set of nine vulnerabilities discovered in AppArmor that could allow an unprivileged local user to gain root access.

How can I protect my systems from CrackArmor?
Apply the latest kernel updates provided by your Linux distribution. Prioritize patching for internet-facing assets.

Does CrackArmor affect containers?
Yes, CrackArmor can compromise container isolation, potentially allowing attackers to escape from containers.

Are CVE identifiers available for these vulnerabilities?
Not yet. CVE assignment typically follows fixes landing in stable kernel releases.

What should I do if I suspect my system has been compromised?
Review system logs, investigate any unusual activity, and consider performing a full system scan with a reputable security tool.

Where can I find more information about CrackArmor?
Refer to the Qualys advisory: https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root

Did you know? The CrackArmor vulnerabilities have existed since 2017, highlighting the importance of continuous security monitoring and proactive patching.

Stay informed about the latest security threats and best practices. Explore our other articles on kernel security and vulnerability management to strengthen your defenses.

0 comments
0 FacebookTwitterPinterestEmail
Tech

Microsoft patches major SQL Server flaw in March update

by Chief Editor
written by Chief Editor

March 2026 Patch Tuesday: A Deep Dive into Microsoft’s Latest Security Updates

Microsoft’s March 2026 Patch Tuesday addressed a substantial 77 security vulnerabilities across its product suite, with a notable focus on SQL Server. This release included fixes for two zero-day vulnerabilities that were publicly known before patches were available, though currently, there’s no evidence of widespread exploitation.

SQL Server Under Scrutiny: CVE-2026-21262

The most critical update centers around CVE-2026-21262, an elevation-of-privilege vulnerability impacting a wide range of SQL Server versions, from the latest 2025 release all the way back to SQL Server 2016 Service Pack 3. While the vulnerability has a CVSS v3 base score of 8.8 – just shy of “critical” – the potential impact is significant. An attacker with low-level privileges could potentially escalate to sysadmin-level rights over the database engine across a network.

According to Rapid7’s Lead Software Engineer, Adam Barnett, this isn’t a typical SQL Server patch. The ability to gain sysadmin access over a network is a serious concern. Despite Microsoft rating exploitation as less likely, the public disclosure of the vulnerability increases the urgency for administrators to apply the patch.

Even organizations that don’t directly expose SQL Server to the internet are at risk. Internet scanning reveals a considerable number of accessible SQL Server instances, amplifying the potential impact should reliable exploits emerge. Successful exploitation could allow attackers to access or alter data and potentially pivot to the underlying operating system using features like xp_cmdshell, which, while disabled by default, can be re-enabled by a sysadmin.

.NET Denial-of-Service Vulnerability (CVE-2026-26127)

Another key vulnerability addressed this month is CVE-2026-26127, affecting .NET applications and potentially leading to denial-of-service (DoS) conditions. Public disclosure of this vulnerability has also occurred. Exploitation could cause service crashes, creating brief windows where monitoring and security tools are offline, potentially allowing attackers to evade detection.

Repeated exploitation, even by less sophisticated attackers, could disrupt online services and lead to breaches of service-level agreements.

Authenticator App Vulnerability (CVE-2026-26123)

Microsoft also patched a vulnerability in the Microsoft Authenticator mobile app for iOS and Android (CVE-2026-26123). This flaw, related to custom URL schemes and improper authorisation, could allow a malicious app to impersonate Microsoft Authenticator and intercept authentication information, potentially leading to account compromise. While requiring user interaction – specifically, choosing a malicious app to handle the sign-in flow – Microsoft considers this an important vulnerability.

Organizations managing mobile devices should review app installation policies and default handler settings for authentication apps to restrict potentially harmful sign-in flows.

End of Life for SQL Server 2012 Parallel Data Warehouse

Beyond security patches, Microsoft announced the end of extended support for SQL Server 2012 Parallel Data Warehouse at the end of March. Customers continuing to use this platform will no longer receive security updates, leaving them vulnerable to potential exploits.

Future Trends in Vulnerability Management

These updates highlight several emerging trends in vulnerability management. The increasing speed of public disclosure before patches are available is a major concern. Attackers are actively scanning for vulnerabilities and sharing information, reducing the window of opportunity for defenders. This necessitates a shift towards proactive threat hunting and robust intrusion detection systems.

The focus on vulnerabilities in authentication mechanisms, like the Microsoft Authenticator app, underscores the growing importance of securing identity and access management (IAM) systems. Multi-factor authentication is becoming increasingly prevalent, making these applications prime targets for attackers.

The continued patching of older SQL Server versions, even those nearing end-of-life, demonstrates the long-tail challenge of maintaining security in complex environments. Organizations must prioritize patching critical vulnerabilities across all systems, regardless of age, and consider implementing compensating controls where patching is not immediately feasible.

Did you know?

Publicly disclosed vulnerabilities, even without known exploits, significantly increase the risk of attack. Attackers actively monitor vulnerability databases and security blogs for new disclosures.

FAQ

Q: What is Patch Tuesday?
A: Patch Tuesday is the unofficial name for the regular schedule when Microsoft releases security updates for its products.

Q: What is a zero-day vulnerability?
A: A zero-day vulnerability is a flaw that is unknown to the vendor and for which no patch is available, giving attackers a window of opportunity to exploit it.

Q: What is the CVSS score?
A: The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of software vulnerabilities.

Q: Should I patch all vulnerabilities immediately?
A: Prioritize patching based on the severity of the vulnerability, the potential impact to your organization, and the availability of exploits.

Q: What is xp_cmdshell?
A: xp_cmdshell is a stored procedure in SQL Server that allows execution of operating system commands.

Pro Tip: Regularly scan your network for vulnerable systems and prioritize patching based on risk assessment.

Stay informed about the latest security threats and updates by subscribing to security advisories and following reputable security blogs. Proactive vulnerability management is essential for protecting your organization from cyberattacks.

0 comments
0 FacebookTwitterPinterestEmail
Tech

Tenable warns of widening AI exposure gap in cloud

by Chief Editor
written by Chief Editor

The Widening AI Exposure Gap: Why Cloud Security is Falling Behind

Organisations are facing a growing cybersecurity challenge: an “AI exposure gap.” This isn’t about AI *causing* breaches, but rather the rapid integration of AI, cloud technologies, and third-party software creating vulnerabilities that security teams struggle to identify and address. A recent report from Tenable highlights this critical mismatch between engineering speed and security capabilities.

The Software Supply Chain: A Major Weak Point

The report reveals a significant risk within the software supply chain. A staggering 86% of organisations have third-party code packages installed containing critical-severity vulnerabilities. Even more concerning, 13% have deployed packages with a known history of compromise, including instances linked to the s1ngularity and Shai-Hulud worms. This demonstrates that vulnerabilities aren’t just theoretical; they’re actively being exploited.

The increasing use of AI and Model Context Protocol third-party packages – found in 70% of organisations – further complicates matters. These integrations often bypass traditional security oversight, embedding AI deeper into systems and expanding the attack surface.

Identity and Access Management: A Critical Control Point

Identity controls are proving to be a major pressure point. “Ghost” secrets – unused or unrotated cloud credentials – plague 65% of organisations. Alarmingly, 17% of these unused credentials grant critical administrative privileges. Nearly half (49%) of identities with excessive permissions remain dormant, representing a significant potential entry point for attackers.

The report also raises concerns about permissions granted to AI services themselves, with 18% of organisations giving them rarely-audited administrative access. Non-human identities, like AI agents and service accounts, now pose a higher risk (52%) than human users (37%), due to “toxic combinations” of permissions across fragmented systems.

The Rise of “Invisible” Exposure

Tenable defines this challenge as an issue of “exposure management” – the process of identifying, evaluating, and prioritizing risks across all potential attacker entry points. AI adoption dramatically expands the number of systems and components that can inherit risk, adding new layers to applications, infrastructure, identities, and data. This creates a largely invisible exposure that many security teams are ill-equipped to manage.

The report identified severe risks in four key areas: AI security posture, supply chain attack vectors, least-privilege implementation, and cloud workload exposure.

What Can Organisations Do?

The report recommends a multi-faceted approach. Improving visibility of AI integrations is paramount, alongside tightening identity-centric controls. Implementing least-privilege practices for AI roles, removing “ghost” identities, and eliminating exposure from static secrets are also crucial steps. Recognizing that third-party code and external accounts now function as extensions of an organisation’s infrastructure is vital.

Liat Hayun, Senior Vice President of Product Management and Research at Tenable, emphasizes the demand for security teams to proactively account for AI systems embedded within infrastructure. She states that a lack of visibility and governance leaves teams vulnerable to new exposures, including over-privileged identities in the cloud.

Hayun advocates for focusing on the “unified exposure path” to move beyond managing “security debt” and towards managing actual business risk.

Pro Tip

Regularly audit and rotate cloud credentials. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security.

Future Trends to Watch

The AI exposure gap isn’t a static problem; it’s likely to worsen as AI becomes more pervasive. Several trends will exacerbate the challenge:

  • Increased AI Complexity: AI models will develop into more complex, making it harder to understand their internal workings and potential vulnerabilities.
  • AI-Powered Attacks: Attackers will increasingly leverage AI to automate and refine their attacks, making them more sophisticated and tough to detect.
  • Expansion of Non-Human Identities: The number of AI agents and service accounts will continue to grow, increasing the risk associated with non-human identities.
  • Decentralized AI Development: More AI development will occur outside of centralized IT departments, leading to shadow AI and increased security risks.

FAQ

Q: What is the “AI exposure gap”?
A: It’s the growing mismatch between the speed of AI and cloud adoption and the ability of security teams to assess and remediate associated risks.

Q: How significant is the risk from third-party code?
A: 86% of organisations have third-party code packages with critical vulnerabilities, and 13% have deployed compromised packages.

Q: What is exposure management?
A: It’s the process of identifying, evaluating, and prioritizing risks across all potential attacker entry points.

Did you know?

Non-human identities (AI agents, service accounts) now present a higher risk profile than human users, according to Tenable’s research.

Want to learn more about securing your cloud environment? Explore our other articles on cloud security best practices.

0 comments
0 FacebookTwitterPinterestEmail