Application Security

SaaS

SaaS Application Security Best Practices For Modern Businesses

Seamlessly prioritize your SaaS application security with our tailored checklist of best practices for reducing the application security risk…

  07-Nov-2022
 4 min read


SaaS applications have radically transformed how businesses in every vertical grow, but that transformation does not hide the security risks underneath. Our research suggests that the combination of the shift to remote work, the shortage of security professionals and the inherent complexity of SaaS applications has pushed CIOs and CISOs to prioritise SaaS application security above almost everything else. To help organisations untangle that complexity, we have prepared a tailored set of best practices, our SaaS Application Security Checklist, drawn from the findings of our threat research.

### Our Comprehensive SaaS Application Security Checklist

**Bridging Concealed Configuration Gaps:** More than 55% of companies have had sensitive data exposed over the public network, often through misconfigurations nobody knew about. The configurability that makes SaaS applications powerful is also a ready source of exploitable weaknesses if it is not closely monitored and corrected. Unified visibility across every tenant and setting is a prerequisite for configuring a SaaS application so that its operations stay out of reach of external threats.

**Disable Legacy Authentication Protocols:** Legacy authentication protocols (basic authentication for IMAP, POP3 and SMTP, for example) cannot carry a multi-factor authentication (MFA) challenge, and a large share of failed and malicious sign-in attempts arrive over them. Even when MFA is enforced for the directory, an attacker holding a valid password can still sign in through one of these older methods. Blocking authentication requests from legacy protocols outright is the single most effective step you can take to stop attackers exploiting that gap.

**Enforce High Levels Of Security Authentication:** An account is 99.9% less likely to be compromised when MFA is an integral part of the authentication process.
Access control for SaaS resources can be hard to establish because cloud providers handle authentication in several different ways, which is why it pays to route every application through one identity provider where MFA can be enforced consistently.

**Monitor & Analyze Conditional Access Policies:** Many intrusions rely on weaknesses in conditional access rules, for example by adding new exceptions or abusing existing exception rules. Because these rule sets can be deep and complex, validate them regularly and monitor them continuously. Watch in particular for changes to IP address block lists and for newly added exceptions.

**Evaluate Third-Party Access:** Integrations and third-party applications are frequently installed with elevated permissions and can serve as entry points for lateral movement into other SaaS platforms. Make sure every third-party grant is reviewed, authorised and actually in use. Granting permissions and data access to third-party applications on the principle of least privilege, and revoking access as soon as it is no longer required, limits the damage a compromised third party can do.

**Determine User Access Data Management:** As ransomware attacks spread and the toolsets used to execute them become more widely available, least-privilege access gives you more protection. Model who can reach which data sets, including through third-party applications, and cut that access down to what each role needs.

**Keep An Eye Out For Red Flags:** Watch for excessive sign-in failures and for password spraying, where one source tries a few common passwords against many accounts. Check threat intelligence feeds for signs of compromised accounts and credentials. The faster you detect unauthorised activity, the more effectively you can respond and contain it.

SaaS applications now carry multiple critical business functions across platforms, so their security remains both critical and complex as newer technology stacks arrive.
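Two of the checks above, refusing sign-ins over legacy protocols and watching for password spraying, can be automated over an identity provider's sign-in export. The following is an added example and not part of the original checklist or of Threatspy: it reads constructed JSON-lines sign-in records (the field names, the legacy-protocol list and the spray thresholds are assumptions) and returns the MFA-bypassing successes, the spraying sources and the accounts a sprayer actually got into.

```python
import json
from collections import defaultdict

# Assumed: client types that cannot complete an MFA challenge. A real
# identity provider labels these differently; adjust to its export.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP AUTH", "Exchange ActiveSync"}

# Constructed sample export, one JSON record per line. Two stories are
# embedded: bob mistypes his password twice (normal), and 198.51.100.7
# tries one password against six accounts over IMAP and lands on frank.
SAMPLE_LOG = """\
{"ts": "2022-11-07T08:00:01Z", "user": "alice", "ip": "203.0.113.10", "client": "Browser", "result": "success"}
{"ts": "2022-11-07T08:00:05Z", "user": "bob",   "ip": "203.0.113.10", "client": "Browser", "result": "failure"}
{"ts": "2022-11-07T08:00:09Z", "user": "bob",   "ip": "203.0.113.10", "client": "Browser", "result": "failure"}
{"ts": "2022-11-07T08:00:14Z", "user": "bob",   "ip": "203.0.113.10", "client": "Browser", "result": "success"}
{"ts": "2022-11-07T08:02:00Z", "user": "alice", "ip": "198.51.100.7", "client": "IMAP", "result": "failure"}
{"ts": "2022-11-07T08:02:01Z", "user": "bob",   "ip": "198.51.100.7", "client": "IMAP", "result": "failure"}
{"ts": "2022-11-07T08:02:02Z", "user": "carol", "ip": "198.51.100.7", "client": "IMAP", "result": "failure"}
{"ts": "2022-11-07T08:02:03Z", "user": "dave",  "ip": "198.51.100.7", "client": "IMAP", "result": "failure"}
{"ts": "2022-11-07T08:02:04Z", "user": "erin",  "ip": "198.51.100.7", "client": "IMAP", "result": "failure"}
{"ts": "2022-11-07T08:02:05Z", "user": "frank", "ip": "198.51.100.7", "client": "IMAP", "result": "success"}
"""


def parse_log(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_successes(records):
    """Successful sign-ins over protocols that cannot enforce MFA.
    Each one is a session the directory's MFA policy never saw."""
    return sorted({(r["user"], r["client"], r["ip"]) for r in records
                   if r["result"] == "success" and r["client"] in LEGACY_PROTOCOLS})


def password_spray_sources(records, min_users=5, max_per_user=2):
    """Source IPs that touched many distinct accounts with few attempts
    each: the low-and-slow shape of a spray, as opposed to one account
    being hammered (brute force) or one user fat-fingering a password."""
    attempts = defaultdict(lambda: defaultdict(int))
    for r in records:
        attempts[r["ip"]][r["user"]] += 1
    return {ip: sorted(per_user) for ip, per_user in attempts.items()
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user}


def accounts_to_lock(records):
    """Accounts a spraying source actually got into: lock, reset, investigate."""
    sprayers = password_spray_sources(records)
    return sorted({r["user"] for r in records
                   if r["ip"] in sprayers and r["result"] == "success"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("legacy successes:", legacy_successes(recs))
    print("spray sources:", password_spray_sources(recs))
    print("lock:", accounts_to_lock(recs))
```

Note that bob's three attempts from 203.0.113.10 do not trip the spray rule (one user, several attempts), which is the distinction a spray detector has to make; and that frank's success is flagged twice, once as an MFA-bypassing legacy sign-in and once as the spray's hit.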
Extending visibility across your whole SaaS ecosystem, through continuous monitoring, prompt correction of misconfigurations and close attention to third-party access, keeps most intrusion attempts at bay while your business continues to run without interruption.

### Are you still concerned about your SaaS Application Security?

Let us introduce Threatspy, the platform that addresses your SaaS application security issues within a few clicks. If that interests you, please pick a suitable time for a meeting [here](https://bit.ly/3UahQ3m) to see Threatspy in action!


Activision

Call of Duty

Malware

Call of Duty cheats turned out to be RAT malware and dropper, threat actor poste...

Remote-access trojan (RAT) malware is being distributed disguised as Call of Duty: Warzone cheat programs, according to a warning issued by Activision. Threat actors are seeding popular cheating sites with the masqueraded cheats to circulate them among players. This "newbie-friendly" scheme, which walks would-be distributors through passing off the malware as a video game cheat to Call of Duty: Warzone players, was first posted on a hacking forum in March, according to the **[Activision](https://research.activision.com/publications/2021/03/cheating-cheaters-malware-delivered-as-call-of-duty-cheats)** report.

***“It is common practice when configuring a cheat program to run it with the highest system privileges,”*** Activision reported. ***“Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code-signing, etc.”***

For those not familiar with the term, a 'cheat' is a program that interferes with in-game mechanics or player interactions to give its user an advantage their opponents would consider unfair; game publishers routinely ban players caught using them.

![COD-fake-cheat-ad](https://sb-cms.s3.ap-south-1.amazonaws.com/COD-fake-cheat-ad_d80cd8fa0d/COD-fake-cheat-ad_COD-fake-cheat-ad_d80cd8fa0d.png)

### **IDENTIFIED AS DROPPER**

The researchers eventually identified the malware as “COD-Dropper v0.1”. ***“Instead of malicious actors putting in hours of work creating complicated mitigation bypasses or leveraging existing exploits – they can instead work to create convincing cheat advertisements, which is priced competitively, could potentially get some attention,”*** Activision’s report added. ***“In December 2020, the dropper was also included in a ‘black hat’ tutorial aimed at ‘noobies’ looking to make some easy money.”***

The Activision report also points out that cheat forums filter out overtly malicious activity, so the threat actors would have had to keep a low profile to avoid being banned. ***“This advertisement did not appear to be particularly clever or take much effort, but still had people replying, asking if anyone had tried it before being removed a day later,”*** the report said.

The threat actor behind the malware also posted the complete malware file, ready to set up the attack; that post gained over 10,000 views and 260 replies. It was followed by further instructions in the post's comments, along with a link to a YouTube video tutorial that has over 5,000 views. ***“In likely a further attempt to scam people, the description also offered a private version of the cheat for a $10 BTC payment,”*** the report added.

![COD-youtube-](https://sb-cms.s3.ap-south-1.amazonaws.com/COD-youtube-_937b7931bb/COD-youtube-_COD-youtube-_937b7931bb.png)

The comments indicate that members of the hacking forum did download and try out the tool. The same malware had also been pushed through a YouTube video the previous August, with a direct link that infects the user; that link had received 376 views, Activision added. Activision also noted that manipulating players into downloading the software was not a heavy lift. ***“While this method is rather simplistic, it is ultimately a social-engineering technique that leverages the willingness of its target (players that want to cheat) to voluntarily lower their security protections and ignore warnings about running potentially malicious software,”*** Activision added.

### **CALL OF DUTY UNDER ATTACK BY MALICIOUS**

The malware is a RAT that gives the threat actors full access to the victim's device, but it is also a customisable dropper that can install further malicious code. The dropper observed in this attack is a .NET application that, once downloaded, asks the target to grant it administrator privileges. ***“Once the payload has been saved to disk, the application creates a VBScript named ‘CheatEngine.VBS,’”*** according to the report. ***“It then starts the ‘CheatEngine.exe’ process and deletes the ‘CheatEngine.exe’ executable. The creator/generator is a .NET executable that contains the dropper .NET executable as a resource object.”***

When the operator clicks “:: Build ::”, ***“the application inspects the ‘COD_bin’ object with the ‘dnlib’ .NET assembly library, it replaces the URL placeholder named ‘[[URL]]’ with the provided URL and saves the ‘COD_bin’ resource under a new filename,”*** according to the analysis. In other words, the builder needs no compiler: it patches the payload URL into a pre-built dropper and writes out a fresh copy for each campaign.

***“The video gaming industry is a popular target for various threat actors,”*** Activision said. ***“Players, as well as studios and publishers themselves, are at risk for both opportunistic and targeted cyberattacks – tactics range from leveraging fake APKs of popular mobile games to compromising accounts for resale. Even [advanced persistent threat] actors have been known to target the video-gaming industry.”***

The Call of Duty: Warzone incident surfaced on the same day that Cisco's Talos security team **[published](https://blog.talosintelligence.com/2021/03/cheating-cheater-how-adversaries-are.html?m=1)** research on a new malware campaign targeting gamers who use cheats. The malware bundled with those cheats had been run through cryptor tools that kept antivirus programs from detecting the payload. Talos did not identify the game titles targeted.

  04-Apr-2021

  5 min read

Threat Actors

Cyberattacks

Here is a notable compilation of salient techniques that pretty much every us...

When people think about online safety, "cyber attack" is usually the first threat that comes to mind, and with reason: attacks have become so routine that every internet user is exposed. The threat landscape keeps growing more sophisticated, and so do the attack vectors criminals use to gain unauthorised access to systems and networks, which makes it hard to deploy targeted defences that do not quickly become obsolete.

Staying ahead of threat actors therefore requires enterprises and individuals to have a working knowledge of the prevalent attack techniques. Without it, preventive policies aimed at those attacks stop being effective, and the cost of dealing with cybercrime and its consequences balloons. As much as 50% of all cyberattacks target small businesses, at a cost that can exceed $200,000, which is enough to put a less-established company out of business.

Threat identification has never been more important from a cybersecurity perspective: understanding the fundamental nature of what poses a critical risk to an organisation or an individual is what makes it possible to formulate an enterprise-grade strategy that guards against anomalies, keeps preventive measures effective and allows better security management. Educating people about those threats matters just as much, because it is what makes the strategies and resources an enterprise adopts work in practice.

Understanding cyber attacks and the techniques criminals use to execute them goes a long way towards establishing the right security framework. There are many ways to infiltrate an IT system, but most attacks rely on a handful of similar techniques.

This proactive approach to internalising application security is essential for defending enterprises against the threats and vulnerabilities behind cyberattacks, protecting revenue and keeping users' trust.

#### **Cyber Attack**

A cyber attack is a deliberate attempt to exploit a target maliciously through the weaknesses in its interconnected IT systems or networks. Its scope varies with the technology involved and the sophistication of the resources and skills applied, and it results in a compromised system or network, a data breach, or an infected system.

#### **Categorical Explanation Of Cyber Attacker**

Cyberattacks are mostly executed for malicious ends, and attackers use a variety of tools and techniques to carry them out. Depending on their intent and objective, cyber attackers can be roughly grouped into:

**Cyber-Criminals**

Individuals and groups who primarily target organisational information, customer data and other critical data and monetise it on the dark web. They use sophisticated tools and techniques, with computers and mobile devices as the medium, to carry out intelligent, hard-to-detect attacks.

**Hacktivists**

Often prolific groups with a non-financial agenda to promote. They attack to reinforce a belief system, whether a political agenda, a religious ideology or a cause they want publicised through their digital malfeasance. Depending on one's politics they can be described as progressive, ethical or simply disruptive, among other labels.

**State-Sponsored Attackers**

Attacks aimed at a particular country to destabilise its social, economic or military administration, backed by the attackers' country of origin. They may also carry out lone-wolf attacks out of allegiance to a particular state.

**Insider Threats**

Originate from employees, contractors and third-party affiliates of an organisation, and are hard to detect and prevent because of the trust involved. These attacks can be malicious, accidental or the result of plain negligence.

There are countless ways to execute a cyber attack, but the following techniques are ones that practically every user should be familiar with in order to stay vigilant:

#### **Social Engineering**

![Social-Engineering](https://sb-cms.s3.ap-south-1.amazonaws.com/Social-Engineering_c79980af5d/Social-Engineering_Social-Engineering_c79980af5d.png)

Social engineering is an umbrella term for a wide spectrum of manipulative practices. Cybercriminals use it to convince or manipulate people into taking an action or handing over valuable information, and they carry out these attacks to hijack accounts, impersonate people, trigger fraudulent payments and more.

The main types of social engineering attack include:

**Phishing**: The most exploited social engineering attack, in which attackers send malicious links by email, enticing WhatsApp forwards, social media messages and text messages.

**Spear Phishing**: A targeted form of phishing in which the email is customised for a specific person or organisation.

**Vishing**: Voice phishing, in which scammers phone or leave voice messages to mislead victims into sharing confidential details.

**Baiting**: As the name implies, the intruder baits a person into taking the desired action in exchange for something.

**Quid Pro Quo**: A "something for something" attack in which the attacker provides free assistance or a service in return for sensitive information or resources.

**Pretexting**: The attacker impersonates a co-worker, often a senior one, to establish trust with end-users and sends an email demanding that they reveal vital business details.

**Tailgating**: The perpetrator follows an authorised person into a protected area; the authorised person does not realise they have let an intruder in.

#### **Salami Slicing Attack**

![Salami-Slicing-Attack](https://sb-cms.s3.ap-south-1.amazonaws.com/Salami-Slicing-Attack_0e3edd63aa/Salami-Slicing-Attack_Salami-Slicing-Attack_0e3edd63aa.png)

A "salami-slicing attack" or "salami fraud" is a technique for stealing financial assets or other resources one tiny slice at a time, so that no noticeable difference appears in the whole. The threat actor takes little pieces from many sources and so accumulates a considerable amount over time; the essence of the method is that the misappropriation goes undetected. The classic approach is the "collect-the-roundoff" technique. Most calculations are carried out in a particular currency and rounded, up to the nearest unit about half the time and down the rest of the time. If a programmer collects those excess fractions of rupees into a separate account, no net loss to the system is apparent, because the money is carefully transferred into the perpetrator's account in amounts below any threshold of notice. Attackers insert a program into the system to carry out the task automatically. Logic bombs may also be employed by disgruntled or greedy employees who exploit their knowledge of the network and their privileged access; in that variant the criminal programs the arithmetic routines to modify data such as interest calculations automatically. Stealing money electronically is the most common use of salami slicing, but it is not restricted to money.

The salami technique can also be applied to gathering small pieces of information in order to build up an overall picture of an organisation.
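The collect-the-roundoff technique described above, and the control that catches it, as an added example that is not part of the original article. The ledger, the rate and the account identifiers are constructed; the point it makes is that a total-only reconciliation passes for the skimmed run just as it does for the honest one, while recomputing each credit and checking that every credited account exists in the ledger does not.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed ledger: account -> balance, and a monthly rate chosen so
# that most interest amounts carry a fraction of a cent.
BALANCES = {
    "A-1001": Decimal("1234.56"), "A-1002": Decimal("789.01"),
    "A-1003": Decimal("4500.00"), "A-1004": Decimal("99.99"),
    "A-1005": Decimal("10250.75"), "A-1006": Decimal("305.40"),
    "A-1007": Decimal("67.89"),   "A-1008": Decimal("8888.88"),
}
RATE = Decimal("0.003125")


def exact_interest(balances, rate):
    """Interest to full precision, before any rounding."""
    return {acct: bal * rate for acct, bal in balances.items()}


def post_honest(exact):
    """What the batch job should do: round each amount half-up to the cent."""
    return {acct: amt.quantize(CENT, rounding=ROUND_HALF_UP) for acct, amt in exact.items()}


def post_skimmed(exact, skim_acct="X-9999"):
    """The collect-the-roundoff variant: truncate every customer's interest
    and credit the discarded fractions to an account the perpetrator controls."""
    posted, skim = {}, Decimal("0")
    for acct, amt in exact.items():
        down = amt.quantize(CENT, rounding=ROUND_DOWN)
        posted[acct] = down
        skim += amt - down
    posted[skim_acct] = skim.quantize(CENT, rounding=ROUND_DOWN)
    return posted


def audit(exact, posted):
    """Two controls. A total-only reconciliation passes for both runs,
    which is exactly why the fraud survives; recomputing each credit and
    checking every credited account exists in the ledger does not."""
    expected = post_honest(exact)
    return {
        "total_posted": sum(posted.values(), Decimal("0")),
        "total_exact": sum(exact.values(), Decimal("0")),
        "mismatched": sorted(a for a in expected if posted.get(a) != expected[a]),
        "unknown_accounts": sorted(set(posted) - set(exact)),
    }


if __name__ == "__main__":
    exact = exact_interest(BALANCES, RATE)
    for label, run in (("honest", post_honest(exact)), ("skimmed", post_skimmed(exact))):
        print(label, audit(exact, run))
```

On this ledger both runs post exactly 81.67 in total, so a control that only compares the posted total against the control total sees nothing; the per-account recomputation flags the three accounts that were truncated rather than rounded, and the ledger check flags the one credited account that has no balance behind it.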
This kind of distributed information gathering may be aimed at an individual or an organisation. Data can be collected from websites, advertisements, documents fished out of trash cans and the like, gradually building up a whole database of actual intelligence about the target. Because the misappropriation stays just below the threshold of perception, extra vigilance is needed: careful examination of assets, transactions and every other dealing, including what confidential information is shared with others, reduces the chances of falling to this method.

#### **Data Diddling**

![Data-Diddling](https://sb-cms.s3.ap-south-1.amazonaws.com/Data-Diddling_4ceea37b8b/Data-Diddling_Data-Diddling_4ceea37b8b.png)

Data diddling is the unauthorised alteration of data before or during its entry into a computer system, followed by changing it back after processing. The threat actor thereby changes the expected output, and the tampering is hard to track. In plain terms, the original information to be entered is altered, whether by the person typing in the data, by a virus programmed to change it, by the programmer of the database or application, or by anyone else involved in creating, recording, encoding, examining, checking, converting or transmitting the data.

This is one of the simplest ways of committing a computer crime, because even an amateur can do it, yet it can have severe effects. For example, a person responsible for accounting may alter data about themselves, a friend or a relative to show that an amount has been paid in full. By altering or failing to enter information they are able to steal from the enterprise. Other examples include forging or counterfeiting documents and swapping valid computer tapes or cards for prepared replacements. Electricity boards in India fell victim to data diddling by computer criminals when private parties computerised their systems.

#### **Web Jacking**

![Web-Jacking](https://sb-cms.s3.ap-south-1.amazonaws.com/Web-Jacking_406e564510/Web-Jacking_Web-Jacking_406e564510.png)

Web jacking takes its name from "hijacking": the attacker fraudulently takes control of a website. They may change the original site's content or redirect users to a similar-looking fake page under their control. The legitimate owner loses control of the site, and the attacker uses it for their own ends; there have been cases where the attacker demanded a ransom or published obscene material on the site.

Web jacking may also be used to clone a website and present the victim with a new link claiming that the site has moved. Unlike ordinary phishing, hovering the cursor over the link shows the original URL rather than the attacker's, but clicking it opens the page and quickly replaces it with content from the malicious web server. The name in the address bar differs only slightly from the original, which tricks the user into believing it is the legitimate site: "gmail", for example, becomes "gmai1", with the digit 1 in place of the letter l, a substitution that is easy to overlook.

#### **DNS Tunneling**

![DNS-Tunneling](https://sb-cms.s3.ap-south-1.amazonaws.com/DNS-Tunneling_4dcb5ccd5d/DNS-Tunneling_DNS-Tunneling_4dcb5ccd5d.png)

DNS tunneling is a sophisticated attack vector designed to give attackers continued access to a target. Because many organisations do not monitor DNS traffic for malicious activity, attackers can encode data and commands inside DNS queries (the requests a client sends to a resolver) and the corresponding responses, and use the malware on the host to build a persistent communication channel that most firewalls pass without inspection.
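One added example serves both the Web Jacking and the DNS Tunneling sections above; it is not code from the original article. The first half normalises a hostname's registrable domain to catch lookalikes such as gmai1.com against an assumed watch-list (PROTECTED); the second half groups constructed DNS query names by domain and flags those whose leftmost labels are numerous, long and high-entropy, the shape of data chunked into hostnames. The watch-list, the thresholds and the two-label notion of registrable domain are assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Assumed watch-list of domains worth protecting against lookalikes.
PROTECTED = {"gmail.com", "paypal.com", "secureblink.com"}


def _normalize(label):
    """Undo the substitutions a web-jacker relies on: digits that resemble
    letters, 'rn' for 'm', 'vv' for 'w', and decorative hyphens."""
    label = label.lower().replace("rn", "m").replace("vv", "w").replace("-", "")
    return label.translate(str.maketrans("10357", "loest"))


def _levenshtein(a, b):
    """Edit distance, for one-character typosquats such as paypai.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(hostname):
    """Return the protected domain that `hostname` imitates, or None.
    The registrable domain is taken as the last two labels (assumption:
    no public-suffix list), so co.uk-style names need extra handling."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    if f"{sld}.{tld}" in PROTECTED:
        return None                      # the genuine domain or a subdomain of it
    for protected in PROTECTED:
        psld, ptld = protected.split(".")
        if ptld == tld and (_normalize(sld) == psld or _levenshtein(sld, psld) <= 1):
            return protected
    return None


def _entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunneling_suspects(queries, min_unique=10, min_label_len=25, min_entropy=3.0):
    """Group query names by registrable domain and flag those whose
    leftmost labels are numerous, long and high-entropy: the shape of
    data being chunked and encoded into hostnames. Thresholds are
    assumptions to be tuned against a site's own baseline."""
    first_labels = defaultdict(set)
    for q in queries:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) >= 3:
            first_labels[".".join(labels[-2:])].add(labels[0])
    flagged = {}
    for domain, firsts in first_labels.items():
        if len(firsts) < min_unique:
            continue
        avg_len = sum(map(len, firsts)) / len(firsts)
        avg_ent = sum(map(_entropy, firsts)) / len(firsts)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[domain] = {"unique": len(firsts),
                               "avg_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged


# Constructed traffic: a few ordinary lookups plus forty queries that a
# tunnel client would emit while shipping a file out in encoded chunks.
SAMPLE_QUERIES = ["www.example.com", "mail.example.com", "cdn.example.com", "www.example.com"]
SAMPLE_QUERIES += [hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:52] + ".t.c2-relay.example"
                   for i in range(40)]

if __name__ == "__main__":
    for host in ("gmai1.com", "secure-blink.com", "paypai.com", "gmail.com", "google.com"):
        print(host, "->", lookalike_of(host))
    print(tunneling_suspects(SAMPLE_QUERIES))
```

Real tunnels usually use base32 or base64 rather than hex, and a quiet tunnel can stay under any one threshold, so in practice the unique-subdomain count per domain over a day is the more robust of the three signals; the lookalike check should be run against the names users actually click (from proxy or mail logs), not only against DNS.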
In malicious use, DNS requests are manipulated to exfiltrate data from a compromised system to the threat actor's infrastructure, and the same channel carries command-and-control callbacks from that infrastructure back to the compromised system.

#### **Watering Hole Attacks**

![Watering-Hole- Attacks](https://sb-cms.s3.ap-south-1.amazonaws.com/Watering-Hole-_Attacks_b7f8b1a7ac/Watering-Hole-Attacks_Watering-Hole-_Attacks_b7f8b1a7ac.png)

A watering hole attack occurs when an attacker injects malicious code into a public website in order to compromise its visitors and steal their information. Threat actors monitor the web activity of upper-level executives to identify the sites they visit most often, then write exploit code and plant it there. This form of attack is often coupled with zero-day exploits, which makes it very hard to protect against. The success rate of watering hole attacks made them a go-to method for cybercriminals in 2019, and the trend was expected to continue in 2020.

#### **Injection Attacks**

![Injection-Attacks](https://sb-cms.s3.ap-south-1.amazonaws.com/Injection-Attacks_07827d7f7a/Injection-Attacks_Injection-Attacks_07827d7f7a.png)

Injection attacks are a broad class of attack vectors that target weaknesses in web application architecture. In an injection attack the threat actor supplies untrusted input to a program; that input is processed by an interpreter as part of a command or query, which alters the execution of the program.

Injections are among the oldest and most dangerous attacks on web applications. They can lead to data theft, data loss, loss of data integrity, denial of service and complete system compromise. The root cause of injection vulnerabilities is usually that user input is concatenated into a command or query without sufficient validation or separation from the command itself. This attack type is considered a significant problem in web security.
Injection is listed as the number one web application security risk in the OWASP Top 10, and for good reason. Injection attacks, particularly SQL injection (SQLi) and cross-site scripting (XSS), are both dangerous and widespread, especially in legacy applications.

Cyberattacks are growing at an alarming pace, and the techniques behind some of them are unprecedented, aided by rapid technological change at every turn. Identifying and eradicating the threats and vulnerabilities across an entire system is intimidating, not least because many of them lie dormant and exploit resources stealthily, but ignoring standard security practice only makes the system more likely to become the victim of the next big attack. It is equally essential to have a management platform that offers visibility across every application, real-time surveillance, and automated detection and response to anomalies on its radar, so that the application as a whole has a robust strategy for enduring future attacks and minimising their consequences.

![Threat-Spy](https://sb-cms.s3.ap-south-1.amazonaws.com/Threat-Spy_dbd9970841/Threat-Spy_Threat-Spy_dbd9970841.png)

SecureBlink's **[ThreatSpy](https://www.secureblink.com/threat-spy)** takes care of all the points mentioned above, along with some other perks, to streamline threat management. It is an automated application security management platform with AI-graded capabilities that focuses on critical threats and vulnerabilities, targeting enterprise application security at the code level. It identifies and rolls out patches according to the application's threat landscape, predicts future threats from the application's instant scores with complete accuracy, and delivers a detailed report with red alerts for critical vulnerabilities, supporting effective incident response in line with zero-trust strategies to keep malicious intent at bay.

  08-Mar-2021

  13 min read