Exposures, Exposed! Weekly Round-up November 26 - December 1

Welcome to "Exposures, Exposed!" - your weekly roadmap through the constantly morphing realm of cyber risk. Our expert exposures team helps you navigate the complexities of cybersecurity by curating the most relevant exposure incidents each week.

Here's what we’ve got for you this week:

Okta Discloses Extended Breach, Warns of Potential Risks

Okta, an identity services provider, revealed further threat actor activity related to the October 2023 breach of its support case management system. The breach impacted all Okta Workforce Identity Cloud and Customer Identity Solution customers except those in FedRAMP High and DoD IL4 environments, which use a separate support system.

The threat actor accessed names, support system user email addresses, reports containing certified user contact info, and unspecified employee information. Notably, no user credentials or sensitive personal data were compromised.

Okta claims it hasn't seen evidence of the stolen data being misused but warned customers about potential phishing risks. It has reinforced security measures and advised customers to bolster defenses against targeted attacks. The company plans to notify affected individuals and is collaborating with a digital forensics firm for the investigation.

Earlier, Okta reported the breach as affecting 1% of its 18,400 customers between September 28 and October 17, 2023. The attackers remain unidentified, although the group Scattered Spider, involved in recent cybercrimes, previously targeted Okta with advanced social engineering attacks.

Google Chrome Addresses Zero-Day Exploit and Security Flaws

Google has addressed seven security issues, including a zero-day exploit in Chrome. The zero-day, CVE-2023-6345, is a high-severity integer overflow bug in the Skia 2D graphics library that has been actively exploited in the wild. The flaw was discovered by Google's Threat Analysis Group, and the company released patches shortly after it was reported on November 24, 2023.

Limited details were shared about the zero-day's exploitation, but it is reminiscent of a previous flaw (CVE-2023-2136) that was patched in April 2023. This connection suggests CVE-2023-6345 might bypass Google’s earlier fix.

The Google update addresses a total of seven security issues in Chrome, including vulnerabilities like type confusion in V8, heap buffer overflows, and more. Google urges users to upgrade to version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux to stay protected. Additionally, users of Chromium-based browsers, like Microsoft Edge, Brave, Opera, and Vivaldi, should apply fixes as soon as they're available to mitigate potential threats.

ownCloud Vulnerability Exploited, Exposing Sensitive Data

Threat actors have begun exploiting a critical vulnerability in ownCloud, an open-source file synchronization platform. The flaw is found in the Graphapi app and stems from a third-party library that exposes PHP environment details when accessed. The information disclosed includes webserver environment variables (potentially revealing sensitive data like admin passwords), mail server credentials, and license keys. Versions impacted include ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1.

Several cybersecurity firms have observed the vulnerability being exploited in the wild, notably GreyNoise and the Shadowserver Foundation, which identified over 11,000 exposed ownCloud instances in Germany, the US, and France. Researchers advise administrators to follow ownCloud's advisory to mitigate potential risks associated with this vulnerability.

Google Workspace Vulnerability Allows Unauthorized Data Access

Cybersecurity researchers uncovered a significant flaw in Google Workspace's domain-wide delegation (DWD) feature that could allow threat actors to exploit it for privilege escalation and unauthorized access to Workspace APIs. Dubbed "DeleFriend," the flaw enables manipulation of delegations within Google Cloud Platform (GCP) and Workspace without super admin privileges.

The vulnerability stems from the fact that a delegation is bound to a service account's OAuth client ID rather than to specific private keys tied to the service account. Using less privileged access, threat actors could create JSON Web Tokens (JWTs) and test them against various key pairs to determine which service accounts have delegation enabled. This would enable the creation of new private keys and allow API calls on behalf of other domain identities. Successful exploitation could lead to data exfiltration from services like Gmail, Drive, and Calendar.

Palo Alto Networks Unit 42 confirmed the flaw, agreeing that a GCP identity could generate access tokens for delegated users. This loophole could enable malicious insiders or attackers with stolen credentials to access and manipulate Google Workspace data.

Study Reveals RSA Host Key Theft Vulnerability Impact

A recent study unveiled a method that could enable passive network attackers to obtain RSA host keys from vulnerable SSH servers by observing computational faults that occur naturally when a connection is established. The SSH protocol secures network transmission by using cryptography for authentication and encryption between devices. RSA host keys, which are crucial for authenticating the server, are public/private key pairs generated with algorithms such as RSA.

The fault would allow a passive adversary to monitor legitimate connections without risking detection until a faulty signature is observed; that single faulty signature exposes the private key. The threat actor could then masquerade as the compromised host, intercept sensitive data, and mount adversary-in-the-middle (AitM) attacks.

The technique, termed a lattice-based key recovery fault attack, successfully retrieved private keys linked to 189 RSA public keys across devices from Cisco, Hillstone Networks, Mocana, and Zyxel. However, TLS 1.3, introduced in 2018, encrypts the handshake, preventing eavesdroppers from accessing signatures during connection establishment.
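The following Python toy is an added illustration, not part of the round-up and not the study's code. It shows the textbook mechanism behind the finding: with RSA-CRT signing, a fault in one half of the computation produces a signature whose gcd with the public modulus reveals a prime factor (Boneh, DeMillo and Lipton, 1997), which is why signers must verify every signature against the public key before sending it. The key uses constructed tiny primes (10007 and 10009) so the arithmetic is readable; the study's lattice-based variant handles details of the SSH handshake that this basic version does not reproduce.

```python
from math import gcd
from typing import Optional

# Constructed toy RSA-CRT key. 10007 and 10009 are tiny primes chosen so the
# arithmetic is easy to follow; real host keys use 2048-bit or larger moduli.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
D_P, D_Q = D % (P - 1), D % (Q - 1)    # CRT exponents
Q_INV = pow(Q, -1, P)                  # q^-1 mod p, for Garner recombination


def sign_crt(m: int, fault_in_p: bool = False) -> int:
    """RSA-CRT signature of an already hashed and padded message m (0 < m < N).

    fault_in_p simulates the kind of computational error the study observed:
    the mod-p half of the computation is corrupted, the mod-q half is correct.
    """
    s_p = pow(m, D_P, P)
    s_q = pow(m, D_Q, Q)
    if fault_in_p:
        s_p = (s_p + 1) % P            # constructed fault in one CRT branch
    h = (Q_INV * (s_p - s_q)) % P
    return s_q + h * Q                 # Garner: s = s_p (mod p), s = s_q (mod q)


def verify(m: int, s: int) -> bool:
    """Public-key check: a correct signature satisfies s^e = m (mod N)."""
    return pow(s, E, N) == m


def factor_from_faulty_signature(m: int, s_faulty: int) -> Optional[int]:
    """Why a single faulty signature is fatal.

    If s is right mod q but wrong mod p, then s^e - m is divisible by q and
    not by p, so gcd(s^e - m, N) is exactly q. Anyone who sees the faulty
    signature and knows m can recover the private key from that factor.
    Returns the leaked factor, or None when the signature is correct.
    """
    g = gcd((pow(s_faulty, E, N) - m) % N, N)
    return g if 1 < g < N else None


def sign_checked(m: int, fault_in_p: bool = False) -> Optional[int]:
    """Countermeasure: verify before release, so a faulty signature is never sent."""
    s = sign_crt(m, fault_in_p)
    return s if verify(m, s) else None


if __name__ == "__main__":
    m = 12345678                        # constructed message representative
    good = sign_crt(m)
    bad = sign_crt(m, fault_in_p=True)
    print("correct signature verifies:", verify(m, good))
    print("faulty signature verifies:", verify(m, bad))
    print("factor leaked by faulty signature:", factor_from_faulty_signature(m, bad))
    print("checked signer releases faulty signature:", sign_checked(m, fault_in_p=True))
```

The `sign_checked` path is the mitigation that matters for defenders: one modular exponentiation with the public key per signature costs little and turns a key-leaking fault into a refused signature. The devices named in the study were affected because their implementations emitted the faulty signature unchecked.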

Lazarus Group Exploits Zero-Day in Supply-Chain Attacks

The NCSC and South Korea's NIS issued a joint warning about North Korea's Lazarus group, which may be exploiting a zero-day vulnerability in the MagicLine4NX software for supply chain attacks. MagicLine4NX, developed by Dream Security, facilitates logins and digital transactions via joint certificates.

The attackers used this vulnerability to breach a South Korean organization's intranet in March 2023, using a watering-hole attack on a media outlet's website that targeted specific IP ranges. When users with the MagicLine4NX software accessed the compromised site, malicious code executed, granting the attackers control of their systems. By exploiting further system vulnerabilities, the hackers gained access to internet-side and business-side servers with the aim of exfiltrating information.

These incidents highlight the growing sophistication and impact of supply-chain attacks orchestrated by North Korea-linked APT groups, posing substantial risks to global cybersecurity.

That’s all for this week – have any exposures to add to our list? Let us know!



Eyal W.

Founder CEO | Cybersecurity Projects Management @ Presale1 - Chairman of the Board

11 months

Lior Appelboim

VP Operations @ Presale1 - All Your Computer Security Needs In 1

11 months

Great
