Okta’s hack explanation, Looney Tunables exploited, Lazarus likes KandyKorn

Okta explains hack source and response timeline

Okta security head David Bradbury called the hack an internal lapse, stating, “an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account.” Additionally, in a blog post released Friday, Okta attributed the two-week time gap between the notifications from 1Password and Cloudflare and the discovery and disabling of the compromised account to the fact that it was not able to “identify suspicious downloads” in logs. According to The Record, “Okta said its initial investigation focused on access to support cases, where it examined logs linked to those cases. But the company later realized that the hacker was navigating its system in a different way that was generating an entirely different log event with a different record ID.” A link to Okta’s blog is available in the show notes to this episode.

(SecurityWeek and Okta’s blog)

Looney Tunables now being exploited

Following up on a story we brought you one month ago, researchers at cloud security firm Aqua have now observed actors exploiting the Linux flaw dubbed Looney Tunables. This is a privilege escalation flaw tagged as CVE-2023-4911 with a CVSS score of 7.8. In their advisory, Aqua stated they intercepted experimental incursions into cloud environments by a group named Kinsing, which they describe as “a significant threat to cloud-native environments, particularly Kubernetes clusters, docker API, Redis servers, Jenkins servers and others.” A link to Aqua’s blog is available in the show notes to this episode.

(Security Affairs and Aqua’s blog)

Lazarus Group uses KandyKorn against blockchain engineers

According to Elastic Security Labs, KandyKorn is a macOS malware, specifically, “an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a direct-memory form of execution that may bypass detections.” The threat actors used social engineering techniques through Discord in an attempt to trick people into downloading a malicious ZIP file. North Korea-linked threat actors are well known for targeting cryptocurrency industry organizations to circumvent international sanctions and finance the country’s military operations.

(Security Affairs)

Discord to switch to temporary file links to block malware delivery

In a move designed to stop threat actors from hosting and pushing malware through its CDN, Discord plans to switch to temporary file links by year’s end. The company stated, “There is no impact for Discord users that share content within the Discord client. Any links within the client will be auto refreshed. If users are using Discord to host files, we’d recommend they find a more suitable service.” This means as of next year, all links to files uploaded to Discord servers will expire after 24 hours.

(Bleeping Computer)

Huge thanks to this week’s episode sponsor, OffSec

Mortgage company Mr. Cooper suffers cyberattack

Dallas-based Mr. Cooper, formerly Nationstar Mortgage Holdings Inc., and one of the largest mortgage providers in the US, has temporarily shut down some of its systems, including those that process customer payments. It has already warned customers of the incident and assures them that they will not incur fees, penalties, or negative credit reporting as they work to resolve the issue. According to Security Week, “taking systems offline is the typical response to a ransomware attack.”

(Security Week)

Ontario hospitals do battle with Daixin

Five hospitals in Southwestern Ontario have been dealing for two weeks with a cyberattack in which millions of hospital and patient records were stolen. Some of these files have now been released while at the same time, patients have had to find other hospitals to go to for cancer treatment and other procedures. The perpetrators of the attack appear to be a little-known group called Daixin. The CEO of Windsor Regional Hospital, David Musyj, said on Thursday that the impacted hospitals “closely examined” the ransom demand from the cybercriminals, and decided against paying it. “We knew … that we could not trust the promise of a criminal to delete this information,” he said, adding “We learned that payment would not speed up the safe restoration of our network.”

(CBC News)

American Airlines pilots’ union suffers ransomware attack

The union representing more than 15,000 of the airline’s pilots stated that the attack was discovered last Monday, October 30. Some systems were encrypted. Some core services have been restored, but work continues. No mention has been made of any gang claiming responsibility for the incident.

(The Record)

Last week in ransomware

In addition to the organizations already reported on in this newscast, and following an upward trend in ransomware activity, last week saw the Toronto Public Library attacked by Black Basta, as well as ACE Hardware and the British Library. While these latter two are not confirmed to be ransomware attacks, they share many signs usually associated with such attacks. Of the many reports released last week, Bleeping Computer published analysis on the new Hunters International ransomware gang, which is believed to be a rebrand of Hive, a group that had been taken down by the FBI.

(Bleeping Computer and Cyber Security Headlines)
