Passwordless authentication

Passwordless authentication is coming, Docker is being used to support crypto miners, and The adversary is getting more sophisticated

By Austin Miller

Passwordless authentication is coming – what can we expect? 

Apple, Google, and Microsoft have all committed to expanding FIDO (Fast Indentity Online) in the coming years, aiming to make the web more secure and less reliant on hack-prone passwords. This will involve working more closely with the FIDO Alliance and the World Wide Web Consortium (W3C) and making it easier to use FIDO solutions with the most popular products on the market. 

Why should I care? 

The expansion of FIDO options – which generally promote the use of passkeys – will allow people and IT teams to have a simpler and stronger approach to authentication which is less likely to be hacked. Although modern password managers make the process more secure than using a single password for every website, they are potentially prone to hacking and catastrophic data leaks (as TeamSIK can tell you, after having found vulnerabilities in MyPasswords, Informaticore, LastPass, Keeper, F-Secure Key, Dashlane, Keepsafe, Avast Passwords, and 1Password in 2016). 

As an IT professional, this is a massive bonus for you. Not only does it protect you, but it will also protect the people in your organization who have less than stellar data protection practices. No more worrying about John from HR using the same password for the sensitive PII/PHI documents and the various insecure websites that he signs up to on his own time. 

Docker is being used to support crypto miners, DDoS tools, and ransomware 

Docker is great, but here is another serious issue that users are starting to face – Docker honeypots are being used to support attacks, including those used by crypto-miners and ransomware gangs. According to the researchers from Uptycs, attacks compromised the Docker honeypot and then used this as a jumping off point to attack other systems through the Docker API. 

With between 10 and 20 attempts to compromise the honeypot server every day, it seems the bad guys won this one and have been using unwitting hosts to launch attacks. The research team CrowdStrike identified a Russian-source attack against them that came over the Docker remote API, prompting an investigation by other keen researchers. 

The problem is that the DoS-enabling containers are hosted on Docker Hub and have reportedly been downloaded more than 100,000 times, meaning that anyone coin mining or launching a DDoS attack only has to identify it and use it maliciously. This is without even covering the fact that 51% of 4 million images scanned by researchers Prevasio found critical security vulnerabilities in them. A very concerning time for Docker users, indeed. 

The adversary is getting more sophisticated – an unknown group is proof of it 

An as-of-yet officially unnamed threat group has proven that the adversary has all the skills to stage extremely sophisticated attacks that are undetectable by even the best security software and practitioners working today. This group has been named UNC3524 by Mandiant, who launched an investigation into the group a few months ago. 

Throughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate. The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection. This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.

In this case, the SOCKS tunnel was used to attach control servers to the victim network. This allows them to execute tools and infiltrate data without leaving any artefacts on the system, allowing a clean getaway whenever they are done. For cybersecurity researchers, the emphasis should firmly be on keeping all software up to date and using behavioral recognition software to stop the adversary. 

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.