SANS NewsBites

Okta Increases Scope of Breach; More 0-Day Fixes From Apple and Google; Ransomware Bust

December 1, 2023  |  Volume XXV - Issue #93

Top of the News


2023-11-30

Okta: Breach Affected All Customer Support Users

Okta now says that a recent breach of its customer support management system affects all its customer support users. The incident was first disclosed in October, and in early November, Okta estimated the affected customer base to be about one percent. Since then, Okta has taken a closer look at the situation, which “included manually recreating reports the threat actor ran in the system and the files the threat actor downloaded.” Okta now says the breach affected all customer support center users.

Editor's Note

Okta is in the trust business. It is very common for organizations to extend the scope of a breach as they investigate. But a company like Okta, struggling to retain customer trust, needs to do better. Luckily for Okta, it would be too expensive and complex for most customers to leave.

Johannes Ullrich

Two big lessons should be learned from this: (1) The initial assumption should always be a 100% compromise if a thorough investigation can’t be completed before disclosure is required; and (2) Okta has recommendations that should be followed ASAP. (1) may sound overly harsh but the cost of incidents apparently is not yet high enough to drive critical service providers to needed levels of security.

John Pescatore

Consider the cost of changing from a service provider like Okta to someone else. While not practical, you need to walk through that scenario for your outsourced/cloud service providers, then determine what events would need to happen to trigger that change. Make sure that matches your risk appetite to the highest levels.

Lee Neely

This really shouldn’t come as a surprise as organizations typically underestimate data loss while the forensics investigation continues. What is a bit surprising is the incredibly large miscalculation. In the short-term Okta’s reputation as a trust provider will take a hit, but it will recover.

Curtis Dukes

2023-11-30

Apple Fixes a Pair of Zero-days

Apple has released updates to address two zero-day vulnerabilities in iOS and iPadOS. Users are urged to update to version 17.1.2 of the affected operating systems. Both vulnerabilities – an out-of-bounds read issue and a memory corruption flaw – reside in the WebKit browser and both are being actively exploited.

Editor's Note

Note that Apple released patches for iOS 17 only, but the advisory notes that iOS 16 was exploited in the wild. It is possible that Apple will release updates for the older operating systems within the next couple days. WebKit vulnerabilities usually also require a standalone Safari update for older macOS versions. This advisory only includes updates for the most current iOS/iPadOS and macOS versions.

Johannes Ullrich

The flaw is specific to WebKit. Apple released updates to iOS/iPadOS, Safari and macOS 14 (Sonoma). Releases for the current macOS include Safari updates; for older versions, Safari is released separately. Push these updates as soon as you have the content for your MDM.

Lee Neely

This makes 20 zero-days that Apple has had to contend with in 2023 – an unfortunate record. The WebKit browser application has been a particular focus of vulnerability researchers this year. Given that both vulnerabilities are being actively exploited, make patching a high priority and expect updates to be made for older operating system versions.

Curtis Dukes

2023-11-28

International Law Enforcement Effort Shuts Down Ransomware Operation

Europol and Eurojust, along with law enforcement agencies from seven countries, have detained suspects in connection with a ransomware group that has targeted networks in more than 70 countries. The operation’s alleged ringleader was arrested, and four alleged accomplices have been detained.

Editor's Note

I always like to hear these stories. The taskforce for this takedown formed in 2019, and first took down 12 members of the group in 2021. The takedowns take so much time as it's difficult to gather sufficient evidence to prosecute. This particular gang isn't tracked with a specific moniker, so you're not going to see a reference to them you recognize. The group was well resourced and used multiple forms of malware to attack victims including LockerGoga, MegaCortex, Hive and Dharma.

Lee Neely

Kudos to law enforcement for shuttering the ransomware gang. What’s interesting is that the law enforcement analysis now confirms that ransomware groups organize like a typical business (i.e., separation of duties – operational, financial, talent development, etc.). Ransomware attacks will continue as a business as long as payouts continue.

Curtis Dukes

2023-12-01

2023 SANS Holiday Hack Challenge

Starting next week, play the most festive cybersecurity challenge of the year! Players will have to use their cybersecurity skills and, this year, AI tools to solve challenges. Enjoy many mini-games along the way, including a virtual Game Boy that allows you to flash its code to be played on a real physical Game Boy! Sign up for notifications and don’t miss a second of the action.

https://www.sans.org/mlp/holiday-hack-challenge-2023/

The Rest of the Week's News


2023-11-30

Google Updates Chrome to Fix Zero-day

Google has updated the stable channel for Chrome desktop to version 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows. The newest version of the browser includes fixes for seven security issues, including a high-severity integer overflow in Skia (CVE-2023-6345). Google notes that “an exploit for [the vulnerability] exists in the wild.”

Editor's Note

Realistically, the software defect discovery curve is not flattening in any meaningful way. Secure Development Lifecycle investments have surely prevented that curve from tilting upwards, but that has not been even close to enough. Faster than monthly (let alone quarterly) is already the norm for browsers, mobile devices and cloud services. That needs to become the norm for all on-premise software on PCs and servers. It should also be the expectation for all IoT devices moving forward.

John Pescatore

CVE-2023-6345, Google Skia Integer Overflow vulnerability, is in the NIST KEV catalog with a due date of 12/21/23. Your users may already be seeing the relaunch to update Chrome buttons. Make sure you've set an upper limit on that to ensure the updates are applied. Make sure the other Chromium-based browsers in your environment are also updated.

Lee Neely
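The "upper limit" on the relaunch prompt is set through Chrome's documented RelaunchNotification and RelaunchNotificationPeriod policies, which Microsoft Edge honours under its own policy key as well. The script below is an added example, not from SANS, Google or Microsoft: it writes both policies for both browsers and then compares the installed Chrome build against the 119.0.6045.199 release named in the item above. The 72-hour window, the registry paths and the default install locations are assumptions for a standard Windows host where you hold local administrator rights.

```powershell
# Added example (not from the newsletter or the browser vendors): force a
# relaunch deadline for staged browser updates and report the Chrome version.
# Assumes a Windows host with local admin; the 72-hour value is a chosen
# deadline, not a recommendation from the page.

$PatchedChrome = [version]'119.0.6045.199'   # fixed build from the Google advisory
$RelaunchHours = 72                          # assumed deadline; the policy takes milliseconds

# Policy key paths per vendor; both browsers accept the same two policy names.
$PolicyKeys = @{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}

function Set-RelaunchDeadline {
    param([string]$KeyPath, [int]$Hours)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # RelaunchNotification = 2 means "Required": the browser warns the user and
    # relaunches itself when the period expires, so the pending update is applied
    # even if nobody ever clicks the relaunch button.
    New-ItemProperty -Path $KeyPath -Name 'RelaunchNotification' `
        -Value 2 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'RelaunchNotificationPeriod' `
        -Value ($Hours * 3600 * 1000) -PropertyType DWord -Force | Out-Null
}

function Get-ChromeVersion {
    # Default per-machine install paths (assumed); per-user installs are not checked.
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
    )
    foreach ($exe in $candidates) {
        if (Test-Path $exe) {
            return [version](Get-Item $exe).VersionInfo.ProductVersion
        }
    }
    return $null
}

foreach ($browser in $PolicyKeys.Keys) {
    Set-RelaunchDeadline -KeyPath $PolicyKeys[$browser] -Hours $RelaunchHours
    Write-Host "$browser: forced relaunch within $RelaunchHours h of an update being staged"
}

$installed = Get-ChromeVersion
if ($null -eq $installed) {
    Write-Host 'Chrome not found in the default install locations'
} elseif ($installed -ge $PatchedChrome) {
    Write-Host "Chrome $installed is at or above $PatchedChrome (CVE-2023-6345 fix included)"
} else {
    Write-Host "Chrome $installed is BELOW $PatchedChrome - update staged or still pending"
}
```

Note that the version check only tells you what is on disk; a running Chrome keeps serving the old binary until it relaunches, which is exactly why the relaunch deadline matters more than the download itself.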

This makes the seventh zero-day that Google has patched in 2023. Does the Google TAG get a cut of the vulnerability reward program? Probably not, but they should at least get a nice year-end bonus for all the hard work. Given this vulnerability is being actively exploited, restart your Chrome browser to install the update.

Curtis Dukes

Browsers should be treated as broken. Prefer purpose-built clients for sensitive applications.

William Hugh Murray

2023-11-29

Japan Aerospace Exploration Agency Active Directory Server Breached

The Japan Aerospace Exploration Agency (JAXA) was the target of a cyberattack over the summer. This fall, law enforcement notified JAXA that their systems had been compromised and that intruders had accessed JAXA’s Active Directory Server.

Editor's Note

Lesson learned from this one: a time-to-detect a compromise of an Active Directory that is measured in seasons (from summer to fall) is many factors too long.

John Pescatore

Getting notice from law enforcement or another third party that you've been breached is not desirable, let alone dwell time measured not in hours/days/weeks but seasons. Make sure that your red team exercises include critical infrastructure, like AD, to ensure your defenders, internal or otherwise, are well-prepared to catch any real shenanigans.

Lee Neely

2023-11-29

CISA: Water Utility Attackers Exploited Weaknesses in Unitronics PLCs

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an alert warning that cyber threat actors are actively exploiting weaknesses in Unitronics programmable logic controllers (PLCs) that are used in the Water and Wastewater Systems (WWS) Sector. CISA is investigating a cyberattack that targeted the Aliquippa Municipal Water Authority in Pennsylvania.

Editor's Note

You've heard some of these mitigations before. Change the default passwords in your PLCs and HMIs, make sure they are not in use - the default for the Unitronics PLC is 1111. Don't expose PLCs or HMIs to the Internet and ensure remote access mechanisms to your OT network require MFA across the board. Something new - have backups of your logic and configuration and be able to factory reset and restore these backups to speed resumption of activities after an attack. Keep the firmware updated. You're going to have to negotiate a process here to minimize disruption/risk - remember availability is king. Something to consider, and be sure you understand dependencies, is moving services off default ports as attackers are targeting these.

Lee Neely

All reasonable guidance from CISA. The two salient points: 1) change all default passwords before placing on the operational network; and 2) manage access to the internet. Separately, the PLC vendor should be admonished for shipping products with a default password in the first place – a boo-boo in the implementation of key ‘secure by design’ principles.

Curtis Dukes

2023-11-29

Cyberattacks Affect Hospitals in Multiple US States

A cyberattack against Ardent Health Services has caused hospitals in several US states to divert ambulances to other healthcare facilities. The attack was detected on the morning of November 23, and “Ardent proactively took its network offline.” In a separate story, Capital Health disclosed that it has been the target of a cyberattack that affected two hospitals in New Jersey.

Editor's Note

While ransomware gangs target every sector, K-12 and healthcare providers have borne the bulk of attacks in 2023. It only seems logical that members would share cybersecurity best practices amongst their sector's ISAC. For example, exposing passwords in an unprotected cloud instance. This vulnerability could have been addressed by applying a CIS Foundations Benchmark.

Curtis Dukes

2023-11-28

Slovenian Electric Utility Victim of Ransomware Attack

Slovenian electrical utility Holding Slovenske Elektrarne (HSE) disclosed that they experienced a ransomware attack on November 22. While HSE’s systems were compromised, the incident did not disrupt the utility’s power production. The attack was contained on November 24.

Editor's Note

HSE reported this as a "crypto virus" as opposed to ransomware. Regardless of how they are categorizing it, it is only impacting the websites of Šoštanj Thermal Power Plants and the Velenje Coal Mine, indicating there was sufficient separation from their OT systems to not disrupt power production. Something to keep in mind when you're getting pushback on segmentation and/or isolation of IT and OT systems.

Lee Neely

2023-11-30

Zyxel Releases Fixes for Vulnerabilities in NAS Devices

Zyxel has published a security advisory that addresses multiple vulnerabilities in its network attached storage (NAS) devices. Patches are available to fix all six of the vulnerabilities. Three of the vulnerabilities (CVE-2023-35138, CVE-2023-4473, and CVE-2023-4474) are rated critical; all three are command injection issues.

Editor's Note

Zyxel is addressing six CVEs: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473 and CVE-2023-4474. The recurring theme in these vulnerabilities is the unauthenticated attacker. Keep in mind these fixes are for NAS devices, which means that while you're updating them, make sure none are directly Internet accessible; remote compromise of NAS is just too common to warrant the risk.

Lee Neely

Do not expose NAS to the public networks.

William Hugh Murray

Internet Storm Center Tech Corner

Apple Updates

https://isc.sans.edu/diary/Apple+Patches+Exploited+WebKit+Vulnerabilitiues+in+iOSiPadOSmacOS/30444

Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today

https://isc.sans.edu/forums/diary/Prophetic+Post+by+Intern+on+CVE20231389+Foreshadows+Mirai+Botnet+Expansion+Today/30442/

Decoding the Patterns: Analyzing DShield Honeypot Activity

https://isc.sans.edu/diary/Decoding+the+Patterns+Analyzing+DShield+Honeypot+Activity+Guest+Diary/30428

Pro-Russian Attackers Scanning for Sharepoint Servers to Exploit CVE-2023-29357

https://isc.sans.edu/diary/Pro+Russian+Attackers+Scanning+for+Sharepoint+Servers+to+Exploit+CVE202329357/30436

DNS Looking Glass

https://isc.sans.edu/tools/dnslookup/

Zyxel Vulnerabilities

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products

SolarWinds Update

https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-4_release_notes.htm#link3

Arcserve Unified Data Protection Multiple Vulnerabilities

https://www.tenable.com/security/research/tra-2023-37

Hikvision Vulnerabilities

https://www.hikvision.com/hk/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-products/

Assessing Prompt Injection Risks in 200+ Custom GPTs

https://arxiv.org/pdf/2311.11538.pdf

Microsoft Deprecates Microsoft Defender Application Guard for Office

https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features

Synology Vulnerability

https://www.synology.com/en-global/security/advisory/Synology_SA_23_16

Apache Tomcat Request Smuggling Vulnerability CVE-2023-46589

https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr