Tag Archives: MFA

New LYCEUM Threat Group targets Oil and Gas firms. Don’t panic! Enforce 2 Step Verification!

29 August 2019

Lindsey O’Donnell’s report (1) on a new APT named LYCEUM is well worth reading.  LYCEUM targets oil and gas firms in the middle east. The group leverages PowerShell once they created a foothold on computers in the victim’s network to exfiltrate company secrets. PowerShell is a good choice because the attackers can go undetected for a long time.

For launching the attack, LYCEUM draws on industry attack standards like password spraying: “LYCEUM initially accesses an organization using account credentials obtained via password spraying or brute-force attacks. Using compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware, which subsequently deploys post-intrusion tools.”(2)

The group aims at company mail accounts hosted by cloud service providers. Why? Credibility matters most in [spear] phishing attacks. A spear phishing email on a popular topic, send from a company account has a very high level of credibility and increases the attack’s probability of success.

This increase in credibility justifies the effort required for collecting email addresses from OSINT sources. Password spraying is then used to get a valid password for login with the victim’s account to the cloud service.

Here, the industry defense standard against password attacks, 2SV (Two Step Verification) or MFA (Multiple Factor Authentication), comes into play.

Yubikey for 2 Step Verification. Own work.

On 27 August, Catalin Cimpanu reported on ZDNet that Microsoft sees 300 million fraudulent sign-in attempts to O365 every day.(3) Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, explained that “enabling a multi-factor authentication solutions blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user’s current password.“(3)

So, by enforcing 2SV/MFA for login to all company cloud services we can stop all threat actors which use similar password mining technologies, including LYCEUM.

Alastair MacGibbon, National Security Advisor, Australian Cyber Security Center, shows the direction:

“Cyber security is about risk management. You can’t eliminate risk, but you can strengthen your defences to reduce the likelihood of the risk being realised, and the harm caused when it is.”

Let’s get started with 2SV. We have no time to waste.


  1. O’Donnell L. New Threat Group Found Targeting Critical Infrastructure Firms With Spear [Internet]. threatpost. 2019 [cited 2019 Aug 27]. Available from: https://threatpost.com/oil-and-gas-firms-targeted-by-new-lyceum-threat-group/147705/
  2. Secureworks Counter Threat Unit. Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign [Internet]. Secureworks. 2019 [cited 2019 Aug 27]. Available from: https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
  3. Cimpanu C. Microsoft: Using multi-factor authentication blocks 99.9% of account hacks [Internet]. ZDNet. [cited 2019 Aug 28]. Available from: https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/

SearchSecurity: Multifactor authentication key to cloud security success

12 July 2014

Multifactor authentication key to cloud security success

In this great post Brandon Blevins provides a brief summary about the Code Spaces attack, the progression of the attack and the catastrophic consequences for the company and the customers. Moreover, he makes clear that Multi Factor Authentication is an essential requirement for running a successful business in the cloud. With Two- or Multi Factor Authentication in place this attack would not have been possible.

The attack pattern in the Code Spaces case differs only slightly from the patterns in the eBay, Target, and Office attacks. In all cases the attackers used stolen credentials of employees for unauthorized access to the company network and the data.

One Euro Cent Coin

From my point of view, Two or Multi Factor Authentication (MFA) would have prevented most of the published data breaches, irrespective of whether the services are hosted on premise or in the cloud.

Multi Factor Authentication is worth every Cent!

The main difference between the attacks exists in the amount of the damage, in the eBay case data theft and loss of reputation, irreversible destruction and discontinuation of Business in the Code Spaces case.

But a third, more important type of damage must be considered:

Integrity loss, caused by tampering of data.

Small changes to software products, to the formulation of drugs, or a bill of material could lead in the worst case to a catastrophic impact on people, businesses and the environment.

How often does this happen, without you ever noticing?  At this very moment? And, are you able to recognize such integrity losses to prevent larger damage?

We should ask ourselves these worrying questions. The statement “I always call it the Wal-Mart-Target competition … to see who can get to the lowest price and still provide good service. Security is what gets lost” gains a new meaning from the integrity point of view.

I would strongly recommend, that all businesses, in particular in the manufacturing industries and in the pharma sector, should decide about implementing MFA to prevent damage caused by integrity loss.

That will make our world a somewhat safer place.