Okta Increases Scope of Breach; More 0-Day Fixes From Apple and Google; Ransomware Bust

Okta is in the trust business. It is very common for organizations to extend the scope of a breach as they investigate. But a company like Okta, struggling to retain customer trust, needs to do better. Luckily for Okta, it would be too expensive and complex for most customers to leave.

Johannes Ullrich

Two big lessons should be learned from this: (1) The initial assumption should always be a 100% compromise if a thorough investigation can’t be completed before disclosure is required; and (2) Okta has recommendations that should be followed ASAP. (1) may sound overly harsh but the cost of incidents apparently is not yet high enough to drive critical service providers to needed levels of security.

John Pescatore

Consider the cost of changing from a service provider like Okta to someone else. While not practical, you need to walk through that scenario for your outsourced/cloud service providers, next determine what events would need to happen to trigger that change. Make sure that matches your risk appetite to the highest levels.

Lee Neely

This really shouldn’t come as a surprise as organizations typically underestimate data loss while the forensics investigation continues. What is a bit surprising is the incredibly large miscalculation. In the short-term Okta’s reputation as a trust provider will take a hit, but it will recover.

Curtis Dukes

Note that Apple released patches for iOS 17 only, but the advisory notes that iOS 16 was exploited in the wild. It is possible that Apple will release updates for the older operating systems within the next couple days. WebKit vulnerabilities usually also require a standalone Safari update for older macOS versions. This advisory only includes updates for the most current iOS/iPadOS and macOS versions.

Johannes Ullrich

The flaw is specific to Webkit. Apple released updates to iOS/iPadOS, Safari and macOS 14 (Sonoma). Releases for the current macOS include Safari updates, for older versions, Safari is released separately. Push these updates as soon as you have the content for your MDM.

Lee Neely

This makes 20 zero-days that Apple has had to contend with in 2023 – an unfortunate record. The WebKit browser application has been a particular focus of vulnerability researchers this year. Given that both vulnerabilities are being actively exploited, make patching a high priority and expect updates to be made for older operating system versions.

Curtis Dukes

I always like to hear these stories. The taskforce for this takedown formed in 2019, and first took down 12 members of the group in 2021. The takedowns take so much time as it's difficult to gather sufficient evidence to prosecute. This particular gang isn't tracked with a specific moniker, so you're not going to see a reference to them you recognized. The group were well resourced and used multiple forms of malware to attack victims including LockerGoga, MegaCortex, Hive and Dharma.

Lee Neely

Kudos to law enforcement for shuttering the ransomware gang. What’s interesting is that the law enforcement analysis now confirms that ransomware groups organize like a typical business (i.e., separation of duties – operational, financial, talent development, etc.). Ransomware attack will continue as a business as long as payouts continue.

Curtis Dukes

Realistically, the software defect discovery curve is not flattening in any meaningful way. Secure Development Lifecycle investments have surely prevented that curve from tilting upwards, but that has not been even close to enough. Faster than monthly (let alone quarterly) is already the norm for browsers, mobile devices and cloud services. That needs to become the norm for all on-premise software on PCs and servers. It is also should be the expectation for all IoT devices moving forward.

John Pescatore

CVE-2023-6345, Google Sika Integer Overflow vulnerability, is in the NIST KEV catalog with a due date of 12/21/23. Your users may already be seeing the relaunch to update Chrome buttons. Make sure you've set an upper limit on that to ensure the updates are applied. Make sure the other chromium-based browsers in your environment are also updated.

Lee Neely

This makes the seventh zero day that Google has patched in 2023. Does the Google TAG get a cut of the vulnerability reward program? Probably not, but they should at least get a nice year-end bonus for all the hard work. Given this vulnerability is being actively exploited, restart your chrome browser to install the update.

Curtis Dukes

Browsers should be treated as broken. Prefer purpose-built clients for sensitive applications.

William Hugh Murray

Lesson learned from this one: a time-to-detect a compromise of an Active Directory that is measured in seasons (from summer to fall) is many factors too long.

John Pescatore

Getting notice from law enforcement or other third-party you've been breached is not desirable, let alone dwell time measured not in hours/days/weeks but seasons. Make sure that your red team exercises include critical infrastructure, like AD, to ensure your defenders, internal or otherwise, are well-prepared to catch any real shenanigans.

Lee Neely

You've heard some of these mitigations before. Change the default passwords in your PLCs and HMIs, make sure they are not in use - the default for the Unitronics PLC is 1111. Don't expose PLCs or HMIs to the Internet and ensure remote access mechanisms to your OT network require MFA across the board. Something new - have backups of your logic and configuration and be able to factory reset and restore these backups to speed resumption of activities after an attack. Keep the firmware updated. You're going to have to negotiate a process here to minimize disruption/risk - remember availability is king. Something to consider, and be sure you understand dependencies, is moving services off default ports as attackers are targeting these.

Lee Neely

All reasonable guidance from CISA. The two salient points: 1) change all default passwords before placing on the operational network; and 2) manage access to the internet. Separately, the PLC vendor should be admonished for shipping products with a default password in the first place – a boo-boo in the implementation of key ‘secure by design’ principles.

Curtis Dukes

While ransomware gangs target every sector, K-12 and healthcare providers have borne the bulk of attacks in 2023. It only seems logical that members would share cybersecurity best practices amongst their sectors ISAC. For example, exposing passwords in an unprotected cloud instance. This vulnerability could have been addressed by applying a CIS Foundations Benchmark.

Curtis Dukes

HSE reported this as a "crypto virus" as opposed to ransomware. Regardless of how they are categorizing it, it is only impacting the websites of Šoštanj Thermal Power Plants and the Velenje Coal Mine, indicating there was sufficient separation from their OT systems to not disrupt power production. Something to keep in mind when you're getting pushback on segmentation and/or isolation if IT and OT systems.

Lee Neely

Zyxel is addressing six CVEs: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473 and CVE-2023-4474. The recurring theme in these vulnerabilities is unauthenticated attacker. Keep in mind these fixes are for NAS devices, which means while you're updating them, make sure none are directly Internet accessible, remote compromise of NAS is just too common to warrant the risk.

Lee Neely

Do not expose NAS to the public networks.

William Hugh Murray