Issue #15 | November, 2023
By Tenchi Security


The need for risk awareness

Many organizations, including the U.S. Government, celebrate October as the “Cybersecurity Awareness Month.” The Cybersecurity and Infrastructure Security Agency (CISA) has a couple of pages dedicated to this topic: one for users with essential advice (how to use strong passwords and recognize phishing), and another page for businesses. Curiously, the advice for businesses is the same, but from the business perspective: teach users how to use strong passwords, to recognize phishing…

Of course, that is certainly not all that businesses have to do to protect themselves — far from it. But the message is that many organizations still struggle with the basics. If you’re reading this newsletter, we believe you are aware of this and doing the best you can within your organization. If you follow along with us in this issue, you’ll find that even insurance companies are now looking at training and awareness programs to assess risk. But you’ll also find there are still situations when businesses shift responsibility to users instead of taking a hard look at their policies.

Still, when we add third parties into our businesses, we must realize that they too are facing this struggle. As partners, it falls on us to keep track of how well everybody is keeping up.

This is usually a lot harder than taking care of things in our own backyard. Awareness of these third-party risks – especially among non-security management and company leadership – plays a key role when it comes to avoiding unnecessary friction throughout the process of safely onboarding new suppliers and beyond.

Here at Tenchi, we strive to do our part in spreading awareness of third-party risk. On the 7th of November, we held our Tenchi TPCRM Conference 2023 in São Paulo, Brazil, to bring together professionals from the information security, compliance, and procurement areas. It was the first event dedicated to this subject in the country focused on technical content and with a formal CFP process, and we’re proud to have been the ones that made it happen together with all the speakers and participants.

Of course, we also have our round-up of third-party cyber-risk management stories here in Alice in Supply Chains. As usual, we hope you enjoy the read!


Hackers steal authorization tokens from Okta to access customer systems?

Identity services provider Okta suffered a security incident in which an attacker stole access tokens from its support unit. These tokens authorized users into systems integrated with Okta’s service, so compromising Okta was likely not the end goal, but the means to access these systems:

In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it “has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”
Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a. an HTTP Archive or HAR file). These are sensitive files because they can include the customer’s cookies and session tokens, which intruders can then use to impersonate valid users.

According to Okta, 1Password was the first customer to notify them about the incident. 1Password did post a brief statement to reassure users and employees that their data is safe, but it contains no additional information. Thankfully, BeyondTrust, another affected customer, provided a much more detailed write-up.

There are three factors we should focus on here. The HAR files, which are essentially debug files from a web browser, can contain sensitive session tokens that can allow attackers to log into systems regardless of how good the authentication process is (2FA, etc.). It seems Okta’s support team was not treating HAR files as particularly sensitive or akin to cleartext credentials, as they should.
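The practical consequence of treating a HAR file as cleartext credentials is that it should be scrubbed before it is ever attached to a support case. The script below is an added example written for this newsletter, not Okta’s or BeyondTrust’s tooling: it walks the HAR structure (a JSON document with log.entries, each carrying request/response headers and cookies), replaces the values of credential-bearing headers and of every cookie, and offers a check that refuses a file still carrying secrets. The sample HAR embedded in it is constructed, and the header list is an assumption about which headers matter; request bodies and query strings still deserve a manual look.

```python
import copy
import json

# Header names (compared case-insensitively) whose values are credential
# material. Assumption: this list is a reasonable default, not exhaustive.
SENSITIVE_HEADERS = {
    "cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key",
}
REDACTED = "[REDACTED]"

# Constructed sample HAR in the HAR 1.2 layout; every token value is fake.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.test/api/profile",
                    "headers": [
                        {"name": "Host", "value": "example.test"},
                        {"name": "Cookie", "value": "sid=constructed-session-token"},
                        {"name": "Authorization", "value": "Bearer constructed-bearer-token"},
                    ],
                    "cookies": [{"name": "sid", "value": "constructed-session-token"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=constructed-rotated-token; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "constructed-rotated-token"}],
                },
            }
        ],
    }
}


def _credential_fields(har):
    """Yield every header/cookie dict in the HAR that may hold a secret."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side) or {}
            for header in part.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    yield header
            # Cookie values are session material regardless of their name.
            for cookie in part.get("cookies", []):
                yield cookie


def redact_har(har):
    """Return (sanitized copy, number of values replaced). The input is untouched."""
    sanitized = copy.deepcopy(har)
    replaced = 0
    for field in _credential_fields(sanitized):
        if field.get("value") not in (None, REDACTED):
            field["value"] = REDACTED
            replaced += 1
    return sanitized, replaced


def contains_secrets(har):
    """True if any credential-bearing field still carries a live value.
    Use this as the gate before a HAR leaves the machine."""
    return any(f.get("value") not in (None, REDACTED) for f in _credential_fields(har))


def redact_har_file(src_path, dst_path):
    """Read a HAR file, write the sanitized version, return the replacement count."""
    with open(src_path, "r", encoding="utf-8") as fh:
        har = json.load(fh)
    sanitized, replaced = redact_har(har)
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(sanitized, fh, indent=2)
    return replaced


if __name__ == "__main__":
    clean, n = redact_har(SAMPLE_HAR)
    print(f"redacted {n} values; secrets remaining: {contains_secrets(clean)}")
```

Running it on the constructed sample replaces five values (two request headers, one request cookie, one Set-Cookie header, one response cookie) and leaves non-sensitive headers such as Host intact, so the file is still useful for troubleshooting.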

The second factor is how the attacker managed to breach Okta’s system. Okta’s statement says that an employee accessed a service account while being logged in to their personal Google Account on their browser, giving the attacker the password to this system once they compromised this personal account.

This doesn’t explain the exact mistake that was made, however. Chrome can sync passwords, but it can also sync bookmarks, browsing history, and open tabs. It’s also unclear how the intruder would have bypassed the access restrictions that should be present on the service account (assuming it couldn’t have MFA).

That said, the employee’s laptop was managed by Okta, so it could have enforced a policy to disable the browser password manager. As a rule, most browsers today will insist on saving passwords. When there is a “never ask” button, it may only apply to the current website, while the option to disable the prompts entirely is hidden in the settings. If that is a problem for corporate policy, then it should be disabled by the policy — it’s difficult to always do the right thing when software is constantly trying to convince the user to do otherwise. Ars Technica also has an article going over what Okta could have done.

The last noteworthy item is the matter of the actual targets of this campaign. Okta said the attackers stole access tokens belonging to 134 customers. However, only five customers had Okta sessions hijacked, and we know three of them: 1Password, BeyondTrust, and Cloudflare. All these companies provide services to many individuals and businesses, so a successful compromise would have made for a very worrying attack chain on third parties.

This news coincided with a sharp drop in Okta’s stock price, which fell from US$ 86 on October 19th – before the incident was made public – to US$ 67 at the end of the month.


SEC charges SolarWinds and Chief Information Security Officer with fraud, internal control failures

The Securities and Exchange Commission (SEC) is moving forward with its enforcement action against SolarWinds and Timothy Brown, the company’s Chief Information Security Officer (CISO). The complaint alleges that SolarWinds’ public statements about its cybersecurity practices and risks did not reflect its internal assessments (see also complaint PDF — technical note: these links point to the SEC website, which we suspect is enforcing geo-blocking; you may need a VPN or proxy service if it happens to you, or check the coverage at Reuters):

According to the SEC’s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient;” and a September 2020 internal document shared with Brown and others stated, “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”

As Troy Fine pointed out on LinkedIn, SolarWinds has an ISO 27001 certification. The complaint, however, doesn’t waste much time on third-party audits. Instead, the SEC focuses on the company’s internal assessments, and how they did not match with the public disclosures SolarWinds made. The SEC argues this was important for investors, since “poor cybersecurity practices could negatively impact sales and revenue, and, therefore, stock valuations.” Which is exactly what we just saw happen with Okta, as per the previous section of this issue.

The information security community has in part conflated this with the Uber CISO case, and we see a lot of mentions of a "chilling effect" and "open season" on CISOs. We respectfully disagree. CISOs have long wanted to be empowered, a true part of the C-Suite alongside other corporate officers. Well, with great power comes great responsibility. If a company makes claims about its financial health that the CFO knew to be false, he or she will be liable to be prosecuted for securities fraud. The SEC claims that the information security analog to that is what happened at SolarWinds, and that investors were misled into thinking the company had less information security risk than it actually did. We sincerely hope this kind of action from the SEC leads to companies finally understanding that CISOs do need to be true corporate officers, with all of the powers and responsibilities that entails.

For their part, SolarWinds criticized the SEC, saying the charges will undermine information-sharing among cybersecurity professionals and may take cybersecurity “warriors off the front lines.” Their blog post seems to try to bring some context into the attack and the company’s response, but does not directly address the complaints brought by the SEC.

On the subject of enforcement news, Blackbaud has settled with 49 states (and the District of Columbia) for US$ 50 million due to a data breach. The company had also been charged by the SEC in March this year for failing to properly communicate the impact of the ransomware incident responsible for the same leak in 2020. The company had already settled the SEC charges with a US$ 3 million fine.

The New York State Department of Financial Services and the Federal Reserve Board fined Metropolitan Commercial Bank a total of US$ 29.5 million for “deficient third-party risk management practices related to its issuance of prepaid card accounts.” While we’re talking banks, they’re moving the assessment of cloud providers due to the attention from regulators.

There is also some news from outside the US: India has recently approved a new privacy regulation, and now at least one analysis is pointing out that it will have an impact on third-party risk management. In Singapore, the government’s Cyber Security Agency announced several initiatives – some of them for cloud computing and healthcare organizations – to “improve cybersecurity posture across the board.”

To end our government news section, CISA has published a white paper on “Software Identification Ecosystem Analysis” and issued a Request for Comment along with it. It appears that CISA believes that the industry needs to adopt a common framework to enumerate all software that is being used by businesses. This should help improve vulnerability management practices and extend the value of “Software Bill of Materials” (SBOMs).


Microsoft says attackers linked to breaches at casinos use violent threats against targets

Last month, we covered the cyberattacks against MGM Resorts and Caesars Entertainment. Both casinos were breached through social engineering by the same group. The story recently got a new twist, as Microsoft researchers found that these criminals (which the company tracks as “Octo Tempest”) cross boundaries in their activities by threatening with physical violence:

[I]n some cases, the group has come to rely on violent threats to break into high-profile targets, including in at least one incident sending text messages threatening violence against a target’s wife.
[Message screenshot:] if we dont get ur ***** login in the next 20 minutes, were [sic] sending a shooter to your house. ur wife is gonna get shot if u dont fold it ***

Microsoft’s report is here, and it says a lot more about the group’s tactics and procedures. As we also mentioned last month, many companies track this threat actor under a different name, so Microsoft’s “Octo Tempest” should be the same as “Scattered Spider,” “Muddled Libra,” or “0ktapus.” There’s research suggesting that many related subgroups are linked to a community that calls itself “the Com.”

It’s important to keep in mind that they don’t mention specifically whether these tactics were employed against the casinos. However, since we were already aware that social engineering was used against IT support staff, it wouldn’t be far-fetched to say the attackers may have at least tried this at some point, even if the successful attempt was based on a different type of narrative.

Physical security is not separate from information security. There’s a brilliant xkcd comic from 2009 about this, in which the characters suggest the easiest way of breaking the user’s encryption is by applying actual “brute force” with a wrench against said user. Banks have been installing time locks in their vaults to protect against this scenario for over 100 years, but the focus on IT for information security in the modern day can make us overlook some lessons from the past. Unfortunately, as cybersecurity improves, the path of least resistance may shift back to the physical world.

The effectiveness of this tactic will vary significantly from place to place. In regions where physical violence is commonplace, people can be more vulnerable to such threats. Businesses should consider this when hiring remote workers or third parties, since these people may need additional training or guidance to prevent criminals from finding out about this relationship.


Crypto thefts continue as LastPass hack victims lose $4.4 million in one day

Blockchain analysts are tracking more thefts believed to be linked to victims who had their wallet keys stored in LastPass when the company was hacked last year. A new heist in October siphoned US$ 4.4 million in a single day, and the total amount stolen has surpassed US$ 35 million:

ZachXBT and MetaMask developer Taylor Monahan have tracked at least 80 crypto wallets that have been compromised in relation to the hack.
Funds have been stolen from the Bitcoin, Ethereum, BNB, Arbitrum, Solana and Polygon blockchains, according to a list published by Monahan.

Due to the way the blockchain works, victims must create new keys. These come with their own addresses, so it’s necessary to pay transaction fees (or “gas fees”) to move the funds. It’s an uncommon situation in which the cost of changing a password or key is not limited to the time spent by the user on the task. It’s unclear if LastPass could be held liable for the losses or the fees, but victims will need a lot of expert help – especially those willing to participate in legal proceedings – to establish a proven link between the two.

Digital business platform ServiceNow issued a fix for a problem that has been present in their service since 2015. The change came in response to the work done by Aaron Costello, who demonstrated how ServiceNow widgets could be exploited to leak data, especially since they are set to be “public” by default. Thankfully, it’s believed no attackers exploited this.

Antivirus maker Kaspersky has published a new report on Lazarus, a hacking group believed to be associated with North Korea. Lazarus distinguishes itself from other nation-state actors by being more financially motivated than other groups of this type. According to Kaspersky, they’ve been carrying out supply chain attacks, and compromised a software vendor “through the exploitation of another high-profile software.”

A report by 404 Media claims that hackers are targeting Kodex, a company that acts as a trusted third party to validate emergency data requests (EDRs) from law enforcement. The company denied any such attacks have been successful. Kodex launched in 2021 to fight fake EDRs after criminals realized they could use compromised email accounts belonging to the police to request data from tech companies.

In the UK, more charity organizations are coming forward to say they have been affected by a data breach at About Loyalty. As we mentioned last month, many charities in the UK work with About Loyalty to carry out surveys. About Loyalty itself was compromised due to a hack at Kokoro, one of its subcontractors.

A breach at a service provider for the Irish police resulted in 512,000 documents being leaked. Since this happened at a third party, the police say they are not at fault – and we fully expect the country’s privacy regulators will “remind” them about controller and processor relationships and liability established in the GDPR. In Australia, patient health data has been deleted after a breach at Personify Care, an IT provider responsible for an app used by health networks.

The last two stories for our breaches round-up come out of China. Cybersecurity company Human Security has found that so-called CTV boxes, which usually run an uncertified version of Android, come pre-installed with the Triada malware. Some of these boxes may have found their way to the US (and other countries as well). Also, Chinese security company QiAnXin published a report about a backdoor in the official package for OneinStack, a tool used to deploy PHP and Java applications.


Businesses are under-estimating cyber supply chain risks

A report published by advisory firm McGrathNicol in partnership with YouGov found that businesses in Australia have a “narrow perception” of their supply chain, while 73% “fail to consider cybersecurity in their risk management plans”:

Cyber risks appear to be a largely unconsidered threat with just 27 percent considering cyber risk in their supply chain risk management programs – despite the number of high-profile cyber breaches hitting the headlines in recent years, including a number of supply chain attacks. […]
But while 64 percent of Australian businesses rank cybersecurity as the second greatest challenge to their organisation – with financial performance the top challenge – businesses underestimate the likelihood or impact of an attack on their third-party suppliers with just one in six predicting those risks would impact their organisation in the next 12 months, and only 27 percent including cyber risks within their supply chain management plans.

One outcome of businesses not assessing third-party risk correctly is an increase in systemic risk. Lloyd’s, which runs an insurance and reinsurance marketplace, published a report on the “global economic impact of a hypothetical but plausible cyber-attack.” Their attempt at modeling the systemic risk in this scenario determined that such an attack could cost $3.5 trillion to the global economy. Though it’s not easy to say how realistic this number is, the study may have an impact on the cyber insurance market.

Indeed, the International Underwriting Association (IUA) also worked with CyberCube to publish a whitepaper on the link between cyber insurance and the digital supply chain. They offer a checklist for insurers to assess cyber supply chains (it’s on page 9 of the PDF) so they can make sure there are “appropriate levels of cover” for any claims. While we’re still on this topic, Emsisoft has been keeping a blog post updated with the number of victims of the MOVEit Transfer hacks. The total number of organizations affected is now over 2,500, while data from 67 million individuals has been compromised.


‘The death of cybersecurity questionnaires’ and more guidance on third-party cyber-risk

Becker’s Healthcare compiled tips from 18 experts into an article on how to reduce third-party cybersecurity risks:

The five recurring themes from the experts’ responses are to prioritize due diligence, specify contractual agreements, establish vendor risk management programs, conduct continuous monitoring, and minimize access levels.

As is usually the case, the advice doesn’t apply only to healthcare institutions. Security Magazine also published a piece with advice for pharmaceutical organizations.

TechTarget has two interesting articles on third-party risk management:

  • “Collaborate with third parties to ensure enterprise security” stresses a point we have also made in the past: companies should actively work with their providers and partners, aiming for everyone to be on the same level when it comes to security.
  • “Why fourth-party risk management is a must-have” looks at why businesses need to look at their vendors’ vendors — which may sometimes be required by regulators — and points out that businesses need to accurately map the relationship they have with these organizations in order to assess risk.

“The Death of Cybersecurity Questionnaires in Three Acts” shows how artificial intelligence is exposing the limitations of risk assessments based on questionnaires while also highlighting that this points us to what should come next: APIs made for seamless data exchange.

Finally, an article by Mary E. Shacklett at Information Week calls for “IT to clean up its supply chain.” Shacklett’s piece is based on her experience when she and her team cleaned up “IT’s debris,” so it tackles this issue from many angles, including poor communication, lack of SLAs in the contracts, or the fact some suppliers may be limiting business agility through lock-in.

Thanks for staying with us until the end. As usual, we have two more bonus links below, and we will be back next month. See you next time!

The data privacy risks of third-party enterprise AI services

Using third-party AI tools also raises major data privacy and security concerns. Although these data privacy risks don’t always outweigh the benefits, they are an important factor to consider when choosing whether to build an AI app or rely on third-party services. For businesses that opt to outsource some or all of their AI development and deployment, it’s essential to have a plan for managing data privacy issues.

Gartner urges CSCOs to take more ownership of cyberattacks

[Brian Schultz, Senior Director Analyst with the Gartner Supply Chain Practice,] stresses that while it is not reasonable to expect CSCOs to assume the mantle of Chief Information Security Officers it is vital they “have a grasp of how supply chain cyber attacks are evolving, including sophisticated attacks that can impact products undetected until they reach the customer”.

