Researchers have revealed a DPAPI-based Teams token theft method allowing attackers to decrypt locally stored authentication cookies and impersonate enterprise users.

⚙️ Technical context:
- Target: msedgewebview2.exe process spawned by Teams.
- Stores AES-256-GCM encrypted cookies in a SQLite database.
- Decryption possible by extracting os_crypt.encrypted_key from Local State and unprotecting via DPAPI.
- Enables attackers to read Teams/SharePoint data and send messages as victims.

💬 SOC/DFIR pros - what’s the best detection vector here? File I/O from WebView2? Suspicious DPAPI calls?

👍 Drop your hunting ideas below, like this post & follow @technadu for continuous threat research coverage.
#MicrosoftTeams #DPAPI #Forensics #DFIR #ThreatIntel #WindowsSecurity #InfoSec #AccessTokens #EDR #SOC #CyberDefense #TechNadu

GitHub tightens npm security with mandatory 2FA, access tokens

GitHub is introducing a set of defenses against supply-chain attacks on the platform that led to multiple large-scale incidents recently.

BleepingComputer
Internet Archive Hacked: Stolen Access Tokens Expose Vulnerabilities Again
The latest cyber security breach that has rocked the online world: the Internet Archive hack. That's right, the beloved digital library has fallen victim to cyber criminals once again, with stolen access tokens exposing vulnerabilities that...
#InternetArchive #Hacked #DataBreach #CyberSecurity #AccessTokens #Vulnerability #DigitalPrivacy #OnlineSafety #TechNews #InformationSecurity #tech #news
https://cloudhosting.evostrix.eu/internet-archive-hacked-stolen-access-tokens-expose-vulnerabilities-again/

Evo Cloud

Gitlab access tokens now have enforced lifetime limits and pre-existing non-expiring tokens will have their lifetime reset to comply:

https://about.gitlab.com/blog/2023/10/25/access-token-lifetime-limits/

Wish I’d known this before stuff mysteriously broke when some tokens expired at midnight yesterday. All fixed now but it was a “fun” day.

#Gitlab #accessTokens

Why GitLab access tokens now have lifetime limits

Pre-existing and new personal, group, or project access tokens now have enforced lifetime limits. Find out why and learn how to minimize disruption.

Single Malicious GIF Opened Microsoft Teams to Nasty Attack - Now-patched flaw allowed attacker to take over an organization’s entire roster of Microsoft Teams ... more: https://threatpost.com/single-malicious-gif-opened-microsoft-teams-to-nasty-attack/155155/ #vulnerabilities #domaintakeover #microsoftteams #cloudsecurity #accesstokens #hacks #skype #api #gif
Single Malicious GIF Opened Microsoft Teams to Nasty Attack

Now-patched flaw allowed attacker to take over an organization’s entire roster of Microsoft Teams accounts.

Threatpost - English - Global - threatpost.com
A detailed anatomy of the hack that compromised Facebook's 50 million user breach https://boingboing.net/2018/09/29/stolen-access-tokens.html #deletefacebook #accesstokens #breaches #facebook #security #infosec #viewas #Post
A detailed anatomy of the hack that compromised Facebook's 50 million user breach

Yesterday, at least 90,000,000 Facebook users were forced to log back into the service without any explanation; later, the company revealed that at least 50,000,000 of them had been hacked, but wou…

Boing Boing