Okta system attacked, another Cisco vulnerability, RagnarLocker arrest
Okta HAR support system attacked
An advisory from Okta states that last week’s attack involved threat actors gaining access to customers’ HTTP Archive files, abbreviated as HAR, which are used for troubleshooting by replicating browser activity. By their nature, HAR files can contain sensitive data such as cookies and session tokens that threat actors can use to impersonate valid users. Security Chief David Bradbury said the compromised case management system is separate from the production Okta service, which was not impacted and remains fully operational. Okta has of course taken measures to protect its customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it. In a separate alert, security firm BeyondTrust said it was a target of a cyberattack linked to this Okta support system breach.
(SecurityWeek, Okta and BeyondTrust)
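Okta's advice above is to sanitize a HAR file before sharing it. As an added example (not Okta's tooling and not code from the original page), the Python script below masks Cookie/Set-Cookie/Authorization headers, every cookie value, secret-looking query and form parameters, and token-bearing JSON fields in request and response bodies; the sample HAR, the header list and the parameter-name patterns are constructed assumptions to extend for your own applications.

```python
import json
import re
import sys

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}  # compared lower-cased
# Parameter names that typically carry secrets (constructed list; extend for your own apps).
SECRET_NAME = re.compile(r"token|session|password|secret", re.IGNORECASE)
URL_PARAM = re.compile(r"([?&][^=&]*(?:token|session|password|secret)[^=&]*=)[^&#]*", re.IGNORECASE)
# JSON keys in request/response bodies whose string values are masked in place.
BODY_KEY = re.compile(r'("(?:sessionToken|access_token|id_token|refresh_token|password)"\s*:\s*")[^"]*(")')

def _scrub_pairs(pairs, name_matches):
    """Mask the value of every {name, value} pair whose name passes the filter."""
    for item in pairs or []:
        if name_matches(item.get("name", "")):
            item["value"] = REDACTED

def _scrub_body(text):
    return BODY_KEY.sub(lambda m: m.group(1) + REDACTED + m.group(2), text) if text else text

def sanitize_har(har: dict) -> dict:
    """Mask credentials, cookies and session tokens in a parsed HAR in place and return it."""
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for side in (req, resp):
            _scrub_pairs(side.get("headers"), lambda n: n.lower() in SENSITIVE_HEADERS)
            _scrub_pairs(side.get("cookies"), lambda n: True)  # every cookie value is masked
        req["url"] = URL_PARAM.sub(lambda m: m.group(1) + REDACTED, req.get("url", ""))
        _scrub_pairs(req.get("queryString"), SECRET_NAME.search)
        post, content = req.get("postData", {}), resp.get("content", {})
        _scrub_pairs(post.get("params"), SECRET_NAME.search)
        for body in (post, content):
            if "text" in body:
                body["text"] = _scrub_body(body["text"])
    return har

# Constructed sample HAR (not a real capture) holding a cookie, a password and a session token.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "POST", "url": "https://login.example.test/login?sessionToken=xyz",
                "headers": [{"name": "Cookie", "value": "sid=abc123"}, {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "abc123"}], "queryString": [{"name": "sessionToken", "value": "xyz"}],
                "postData": {"mimeType": "application/json", "text": '{"username":"alice","password":"hunter2"}'}},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "def456"}],
                 "content": {"mimeType": "application/json", "text": '{"sessionToken":"20111abcd","status":"SUCCESS"}'}}}]}}

if __name__ == "__main__":  # usage: python sanitize_har.py capture.har > capture.sanitized.har
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    print(json.dumps(sanitize_har(src), indent=2))
```

Masking is pattern-based, so review the output before sharing; a token under a key name the patterns do not cover will still be present.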
Cisco identifies additional IOS XE vulnerability
Last week we reported on the severity-10 vulnerability CVE-2023-20198, which at the time did not have a patch. In preparing the patch it released yesterday, Sunday, Cisco also noted that its incident responders had observed hackers exploiting CVE-2021-1435 as well, a flaw Cisco had patched in 2021. The company noted that, “devices fully patched against that bug were seen infected by implants successfully installed through an as of yet undetermined mechanism.” The patch released yesterday was intended to deal with both issues, with the 2021 vulnerability being repackaged as CVE-2023-20273.
According to Bleeping Computer, over the weekend numerous cybersecurity organizations reported that “the number of Cisco IOS XE devices with a malicious implant has mysteriously dropped from approximately 60,000 devices to only 100-1,200, depending on the different scans.” Experts are unsure, however, whether the “threat actors behind the attacks are deploying an update to hide their presence, thus causing the implants to be no longer seen in scans,” or whether a “gray-hat hacker is automating the reboot of impacted Cisco IOS XE devices to clear the implant.”
(The Record and Bleeping Computer)
Key Ragnar Locker player arrested in Paris
Following up on Friday’s story about the sting operation that brought down RagnarLocker’s website and infrastructure, word comes that a key player was arrested last Monday in one of a series of raids related to the website takedown, coordinated among law enforcement agencies from 11 countries. The arrested individual has not been named but has been described by Europol officials as a developer for the Ragnar group.
International Criminal Court hack was for espionage
Back in September we reported on a cyberattack that hit the International Criminal Court in The Hague. The ICC is an international body that tries the most serious of world crimes such as genocide. The ICC describes the attack as targeted and sophisticated, and “can therefore be interpreted as a serious attempt to undermine the Court’s mandate.” No threat actor has yet been named.
Huge thanks to this week’s episode sponsor, Vanta
US Senator asks 23andMe for breach details
In another ongoing story, Senator Bill Cassidy, the ranking member on the Senate Health, Education, Labor, and Pensions Committee, has asked 23andMe CEO Anne Wojcicki for more information about a breach that allegedly exposed the data of millions of people on the dark web. According to The Record, “23andMe said in a statement that the company itself had not been breached.”
Threat actor sells access to Facebook and Instagram police portal
According to Alon Gal, co-founder and CTO of Hudson Rock, the portal is used by law enforcement to “request data relating to users (IP, phones, DMs, device info) or request the removal of posts and the ban of accounts.” Gal believes this was a social engineering attack in which the threat actor either solicited access data from a Meta employee or used police credentials to gain access. This gives the individual the ability to make unauthorized data requests, enable harassment and doxxing, initiate fake law enforcement actions, and steal identities.
Dozens of Squid Proxy vulnerabilities remain unpatched
Squid is a caching and forwarding web proxy that helps speed up broadband and dialup internet access as well as static and streaming video and audio, with more than 2.5 million instances exposed on the internet. In 2021, researcher and cybersecurity expert Joshua Rogers discovered 55 vulnerabilities within the platform, and he now states in a recent study that the majority of these (35) have still not been fixed. Rogers points out that “the Squid Team have been helpful and supportive during the process of reporting these issues. However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues.”
Last week in ransomware
Last week saw the fall of RagnarLocker as well as a data breach affecting the Trigona ransomware operation, which was taken down by the Ukrainian Cyber Alliance, who “hacked the Trigona gang’s servers by exploiting a vulnerability in their Confluence server.” Okta suffered a breach, as mentioned at the start of this episode; BlackBasta attacked TV advertising firm Ampersand; and US convenience store chain Kwik Trip, which we reported on last Monday, has confirmed that it did indeed suffer a cyberattack but has not confirmed it as ransomware. The tech company CDW, which we also reported on last Monday, has now seen data leaked as part of the $80M ransomware attack on its CDW-G subsidiary.