The security researcher Vsevolod Kokorin (@Slonser) discovered a bug that allows anyone to impersonate Microsoft corporate email accounts. An attacker can trigger the vulnerability to launch phishing attacks. The researcher demonstrated exploitation of the bug to TechCrunch. Kokorin told TechCrunch that he reported the bug to Microsoft, but the company replied that it couldn't reproduce his findings. Kokorin then disclosed the flaw on X. The researcher explained that the vulnerability works when an attacker sends an email to Outlook accounts.

92% of Organizations Hit by Credential Compromise from Social Engineering Attacks

More than nine in 10 (92%) organizations experienced an average of six credential compromises caused by email-based social engineering attacks in 2023, according to a new report by Barracuda. Scamming and phishing continued to make up the vast majority (86%) of social engineering attacks last year. There were some notable trends in how attackers are targeting users via social engineering techniques.

Multifactor Authentication Bypass: Attackers Refine Tactics

Using multifactor authentication wherever possible remains a must-have security defense, not least because it makes network penetration more time-consuming and difficult for attackers to achieve. Even so, MFA isn't foolproof, and attackers have been refining their tactics for bypassing or defeating the security control to gain remote access to a victim's network. Cisco Talos in a Tuesday blog post said that during the first quarter of this year, nearly half of all security incidents it helped investigate involved MFA. Specifically, 21% of the attacks it probed involved improperly implemented MFA, and 25% involved push-based attacks, in which attackers attempt to trick users into accepting a push notification sent to their MFA-enabled device.

US Bans Kaspersky Over Alleged Kremlin Links

The US government has banned cybersecurity provider Kaspersky from selling its products in the country because of the company's alleged links to the Russian regime. On June 20, 2024, the US Department of Commerce's Bureau of Industry and Security (BIS) issued a Final Determination prohibiting Kaspersky Lab, Inc., the US subsidiary of the Russian cybersecurity firm, from providing any products or services in the US. Kaspersky Lab, Inc., its affiliates, subsidiaries and resellers will no longer be able to sell Kaspersky's software within the US or provide updates to software already in use. The BIS has set a deadline of September 29, 2024, giving US consumers and businesses time to switch to alternative cybersecurity solutions. Commerce Secretary Gina Raimondo added that the US must act against Russia's "capacity and intent to collect and weaponize the personal information of Americans."

Small Business Security Challenges

Cybersecurity is difficult for small businesses, but there is help and support so that even the smallest organization can stay on top of essential security. Being a smaller organization has many benefits and challenges at the best of times, and it can often be a tricky issue from a cybersecurity perspective. On one hand, you're probably too small to have a dedicated cyber function; it may well even be a stretch to afford a full-time IT manager. On the other side of the coin, in everything but the smallest company the potential impact of a cyber-attack can be devastating in terms of financial or reputational damage, or even job losses if things go really badly.

Dropbox Breach Exposes Customer Credentials, Authentication Data

A threat actor dropped into the Dropbox Sign production environment and accessed emails, passwords, and other PII, along with API keys, OAuth tokens, and MFA information. Online storage service Dropbox is warning customers of a data breach by a threat actor that accessed customer credentials and authentication data of one of its cloud-based services. The breach occurred when an unauthorized user gained access to the Dropbox Sign (formerly HelloSign) production environment, something administrators became aware of on April 24, according to a blog post published on May 1. Dropbox Sign is an online service for signing and storing contracts, nondisclosure agreements, tax forms, and other documents using legally binding e-signatures.

US-Led Operation Takes Down World’s Largest Botnet

A US-led law enforcement operation has successfully disrupted the 911 S5 botnet, believed to be the world’s largest ever botnet. The 911 S5 botnet is a global network of millions of compromised residential Windows computers used to facilitate cyber-attacks, large scale fraud, child exploitation and other serious criminal activity. The network of devices was associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the US. Cybercriminals were allowed to purchase access to these infected IP addresses to conduct various criminal activities. The US Department of Justice (DoJ) also announced the arrest of a Chinese national, YunHe Wang, 35, on charges relating to the creation and operation of 911 S5.

Alarming Decline in Cybersecurity Job Postings in the US

A new study by CyberSN warns that the overall number of cybersecurity job postings in the US decreased by 22% from 2022 to 2023. The cyber job platform provider added that this decline is alarming and could impact national security, as some of these roles are essential for maintaining organizational and national cyber defenses.

Cyb3R_Sm@rT!: Use a Password Manager to Create and “Remember” Strong Passwords

Strong passwords—those that are long, random, and unique—are essential to your personal cybersecurity, especially as advancements in computer processing speed and power continually make it easier for threat actors to crack passwords that do not meet these requirements. However, it is not practical for a person to remember all of their passwords. Password managers were created to solve this problem, helping you to formulate strong passwords and “remember” them.