Sometime in September 2020, two of our ProtectID customers reported a strange issue. Their employees started to get authentication requests on their phones for access to the company VPN. They reported this to their IT department, who subsequently contacted us. Our technical staff worked with their IT department to identify the issue. Initially we thought that it was a bug in our software, but on further analysis of their logs we identified that the access attempts were coming from Russian IP addresses. It seemed that the hackers had got hold of the usernames and passwords and were attempting to log in to the company network. We quickly shut down the access attempts and provided a fix. Our customers were extremely happy, especially since they had state-of-the-art intrusion detection systems that never caught the attack, while ProtectID alerted them of the access attempts as soon as they happened and stopped the hackers from compromising their network.
When we asked some knowledgeable folks in the security community, they said that a few companies had experienced similar attacks. We did not think about it any further. Then in December 2020, FireEye detailed the SolarWinds supply chain attack in a blog post and attributed it to a Russian hacking group. Subsequently, Volexity connected the attack to multiple incidents in late 2019 and 2020 (detailed here) and attributed them to a Russian hacking group. What was interesting was that Volexity claimed that the hackers bypassed the Multi-Factor Authentication (MFA) from Duo Security (now a part of Cisco) by getting the Duo integration secret key and thereby being able to generate a cookie that bypassed the MFA. Neither Duo’s system nor the myriad other security systems were able to detect and prevent this.
This attack was similar to the ones that hit our ProtectID customers in that – (1) in both scenarios, the attack was perpetrated by a sophisticated Russian hacking group (possibly the same group), (2) in both scenarios, the hackers had the correct usernames and passwords, and (3) in both scenarios there was an MFA system to provide additional security – except with one big difference: ProtectID was able to alert the user of the attack immediately and prevent the access attempts!
Though the spotlight is on the way the hackers got in (by compromising the update process using a stolen code signing certificate), the real takeaway should be that hackers will always find a way to get in, and the focus should be on preventing the hackers from doing damage once they are in the network.
As companies look to revamp their security infrastructure in light of the massive data breach, the StrikeForce product portfolio deserves consideration. Our ProtectID authentication system combined with our endpoint security software (GuardedID / MobileTrust) provides the preventive layer that can complement the detection heavy security posture of companies.
In a post-COVID-19 world, as companies increasingly rely on videoconferencing to cut down on costs and increase productivity, SafeVChat and PrivacyLok can provide a secure environment for communications.
Ram Pemmaraju, CTO of StrikeForce Technologies, Inc.