The Zscaler ThreatLabz team is seeing an increase in attacks that abuse IP-based authentication and target global organizations. Attackers are actively exploiting the limitations and weaknesses of IP-based authentication methods, posing a significant challenge for organizations. Successful attacks can lead to unauthorized system access, data breaches, and the potential compromise of critical assets.

In this advisory, we share information about risk exposure and best practices for organizations to defend against these attacks.

Key Takeaways

Zscaler ThreatLabz has observed an increase in source IP-based authentication abuse leveraging system compromise, identity compromise, and shadow IT environments, to name a few examples.
Employing a Zero Trust architecture, along with other security best practices, in managing your identities and multi-factor authentication (MFA) configuration is paramount to establishing a robust security posture and effectively mitigating the risks associated with unauthorized access and data breaches.
Further mitigate IP-based authentication vulnerabilities by implementing an identity provider (IdP) with FIDO2-based MFA and reinforcing user account reset processes.

Background

Organizations employ various methods to restrict access to sensitive data and systems. Source IP-based authentication is a commonly used method that provides a straightforward and quick way to control access. However, if IP-based authentication is one of the primary authentication mechanisms, it also introduces additional risk factors. IP-based authentication can:

Be difficult to scale as the organization grows in size and complexity.
Prevent the implementation of granular access controls.
Reduce the sophistication and level of effort that threat actors must leverage to access organizational assets.
Introduce challenges in auditing access and activity.

Examples Of IP-Based Authentication Abuse

Threat actors use many methods to bypass source IP-based authentication. The following examples describe recently observed common attack vectors:

System compromise: Compromising local system credentials or installing malware gives an attacker access to a system that can be allowlisted to multiple sensitive systems.
Wi-Fi networks: By relying on source IP-based authentication, organizations are at a higher risk of unauthorized access due to vulnerabilities or misconfigurations in wireless networks.
Identity compromise: Identity compromise can occur when threat actors use social engineering to manipulate help desk personnel, posing as legitimate users. Through this deception, they aim to gain initial access. Once inside, a threat actor can exploit the limitations of IP-based authentication, allowing them to move laterally within the system.
Physical access: When a threat actor gains physical access to an office or data center, they are free to access sensitive systems because they now have an authorized IP address.
Misconfiguration: Source IP-based authentication relies on accurate network definitions, and it is easy to introduce risk by exposing sensitive systems to uncontrolled IP spaces.
Shadow IT: Unmanaged shadow IT environments are common and introduce additional risk because IP-based authentication might not discern between managed and unmanaged environments.

Best Practices To Safeguard Against These Attacks

Although source IP filtering can serve as an additional layer of security, it should NOT be relied upon for authentication. By implementing the following measures and best practices, organizations can safeguard their sensitive systems and data, as well as identify and bolster the efficacy of their environments.

1. Move all crown-jewel applications behind Zero Trust solutions

Move all crown-jewel applications behind Zero Trust solutions such as Zscaler Private Access™ (ZPA™), and prioritize user-app segmentation for sensitive applications to proactively defend against these attacks. Zero Trust solutions can help you:

Deploy role-based access controls, providing granular access based on the user’s role to prevent access to unnecessary systems and limit risk.
Enforce posture control to ensure that only approved systems with a full endpoint security stack can communicate with sensitive applications.
Establish strong Data Loss Prevention (DLP) policies to control access and prevent exfiltration of sensitive information.

The key principles of a Zero Trust architecture ensure that you never trust and always verify. Organizations that implement a Zero Trust solution like Zscaler are able to:

Minimize the attack surface by making internal apps invisible to the internet.
Prevent compromise by using cloud-native proxy architecture to inspect all traffic inline and at scale, enforcing consistent security policies.
Stop lateral movement by connecting authorized users to applications rather than connecting networks to applications, which reduces the attack surface through strong posture check and workload segmentation.
Stop data loss by inspecting all internet-bound traffic, including encrypted channels, to prevent data theft.
Identify threats by leveraging deception technologies to stop attacks before an attacker’s objectives are accomplished.

2. Use an IdP with FIDO2-based MFA

Using an IdP with FIDO2-based MFA for authentication offers numerous advantages over relying solely on local accounts. IdPs provide centralized control and management of your administrator identities, which streamlines the authentication process and ensures consistency across applications and services. It also:

Simplifies user access management, which saves time and reduces mistakes.
Enables the implementation of single sign-on (SSO), allowing users to authenticate once and access applications securely, thus enhancing the user experience and eliminating the risk of weak or reused passwords.
Offers additional security features such as MFA and adaptive authentication, which provide additional defenses against unauthorized access.

3. Strengthen processes around user account resets

Strengthen processes around user account resets by training help desk personnel to perform strong user identity validation. You can:

Leverage corporate directory contact information to perform callbacks that ensure user identities before resetting access.
Require managers to personally validate identities when standard validation techniques are not possible.

Conclusion

The Zscaler ThreatLabz and Product Security teams continuously monitor threat trends and share their findings with customers and the wider community. If you have any questions, please reach out using the official support channel.