Welcome to the latest edition of the Cyber Safe Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, and malware including Ransomware, to ensure you stay safe online.
Hackers update Cisco IOS XE backdoor to hide infected devices
The number of Cisco IOS XE devices impacted by a malicious backdoor implant has experienced a significant reduction, dropping from an initial estimate of over 50,000 devices to just a few hundred. However, this is not good news that the number has dropped. This cyber attack began when hackers exploited two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to infiltrate over 50,000 Cisco IOS XE devices. These exploits allowed the attackers to create privileged user accounts and install a malicious LUA backdoor implant on the compromised systems.
This backdoor allowed the threat actors to remotely execute commands at privilege level 15, the highest privilege level on these devices. It’s worth noting that the backdoor did not persist through a device reboot; however, any local user accounts created during the attack remained intact.
How has the cyber security industry reacted?
After the initial disclosure of the security breach, cyber security firms and researchers identified approximately 60,000 out of 80,000 publicly accessible Cisco IOS XE devices as having been compromised by the implant. What has become particularly perplexing is the recent and mysterious drop in the number of detected devices with this malicious implant. Multiple cyber security organisations reported that the number of compromised Cisco IOS XE devices had dwindled to as low as 100-1,200, depending on the scanning method.
Another theory suggests that a grey-hat hacker might be involved in automating reboots of affected Cisco IOS XE devices to eliminate the implant. A similar scenario was observed in 2018 when a hacker claimed to have patched 100,000 MikroTik routers to prevent their misuse for cryptojacking and DDoS campaigns.
Why has there been a sudden drop?
The sudden drop in detected implants is attributed to the threat actors deploying a new backdoor version on Cisco IOS XE devices. This further version checks for an Authorisation HTTP header before responding, which was not part of the previous scan methods.
As a result, the implant appeared as if it had been removed. Cisco Talos confirmed this change and provided a new way to detect the implant on compromised devices, which revealed approximately 37,890 devices to be infected with the malicious backdoor implant. The situation continues to evolve, and the precise reasons behind the decline in detections are still being investigated.
Neuways will explain further on this specific cyber threat and how it will impact the industry.
—-
Okta shares drop after identity company discloses yet another data breach
Okta Inc. has experienced a decline in its stock value following the revelation of another data breach. As officially described by Okta, this breach involved “adversarial activity that exploited stolen credentials to gain access to Okta’s support case management system.” Using these stolen credentials, a threat actor accessed files from specific Okta customers related to recent support cases.
It’s worth noting that the support case system is distinct from Okta’s leading production service, which remained unaffected by the breach. The company’s Auth0/CIC case management system was not implicated.
Okta has already informed all affected customers and is actively collaborating with them to conduct a more thorough investigation into the incident. Okta advises its customers to sanitise all credentials and cookies/session tokens within an HAR file before sharing it. However, the company did not disclose the number of affected customers or the method through which the credentials were stolen.
The situation takes an interesting turn as one of the impacted customers, BeyondTrust Corp., has come forward to share its experience, which does not reflect favourably on Okta. BeyondTrust reported that it detected an identity-focused attack on an internal Okta administrator account on October 2. Despite alerting Okta on the same day and following up, they received no response for over a week.
BeyondTrust stated, “We raised our concerns of a breach to Okta on October 2… Having received no acknowledgement from Okta of a possible breach, we persisted with escalations within Okta until October 19 when Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers.”
Cloudflare Inc. has also come forward, revealing that it discovered attacks on its systems on October 18, which were traced back to Okta. While Cloudflare managed to protect its customers, it specifically pointed to the BeyondTrust report and Okta’s delayed response. Cloudflare recommended that Okta treat any information of compromise seriously and take immediate action to limit damage.
This is not Okta’s first time experiencing a breach; unfortunately, the company may have broader security issues. If BeyondTrust’s report is accurate, it indicates at least internal management problems. The recent violation may be minor, but Okta’s shares dropped nearly 12% in trading on Friday, suggesting a significant investor response.
In March 2022, Okta was infamously targeted by the Lapsus$ hacking group alongside Microsoft Corp., resulting in the theft of internal documents. The breach had occurred in January but was only disclosed in March when Lapsus$ made the details public. Okta reportedly suffered another data breach in December, which involved unauthorised access to some of its source code repositories.
Cyber security experts have emphasised the importance of robust password management and multi-factor authentication in light of this breach. It was noted that this incident underscores the significance of a multilayered cyber security and resilience program to protect organisations from cyber attacks and reduce the risk of compromise, safeguarding their data and users.
Organisations using Okta should implement strong passwords, enable MFA for all Okta accounts, monitor Okta logs for suspicious activities, and implement a zero-trust security model to reduce the risk of compromise if an attacker gains access to a user’s credentials.
—-
Even More Okta Customers have been hacked
Following on from the above – Okta, a prominent identity and access management service provider, recently disclosed a security breach in its customer support case management system. This incident has raised concerns as it exposed sensitive customer data, including cookies and session tokens, which malicious actors could exploit to impersonate legitimate users when contacting Okta’s support services.
The critical details of this security breach are as follows:
Nature of the Breach
The security breach affected Okta’s customer support case management system, distinct from its core identity and access management services. This means the incident only impacted customers recently interacting with Okta’s support team.
Response and Notification
Okta’s Chief Security Officer, David Bradbury, promptly addressed the breach and confirmed that the affected customers were notified. The company worked closely with these customers to investigate the extent of the violation and took measures to safeguard their information. This included the revocation of embedded session tokens to mitigate potential risks.
Support Case Management System
Okta’s support case management system handles customer issues and requests. As part of the troubleshooting process, Okta’s support team sometimes requests that customers upload an HTTP Archive (HAR) file. This file contains data that replicates browser activity, and it can include sensitive information such as cookies and session tokens. In this breach, malicious actors accessed these files, raising concerns about potentially misusing this information.
Security Recommendations
Okta stressed the importance of sanitising all credentials and cookies/session tokens within an HAR file before sharing it to minimise the risk of exploitation.
Origin of the Attack
Okta revealed that the breach resulted from a threat actor gaining access using a stolen credential. The adversary used this credential to infiltrate the support case management system and view files uploaded by specific Okta customers in recent support cases.
Impact on Share Price
Following the disclosure of the cyber breach, reports indicated that Okta’s share price experienced a significant drop of 12%. This highlights the potential financial consequences and reputation damage that security breaches can have on a company.
Previous Cyber attacks
It’s worth noting that this security incident involving Okta occurred after the company was identified as the initial attack vector in twin cyberattacks on MGM Resorts and Caesars Entertainment. These incidents underscore the significance of robust cyber security measures in the identity and access management sector.
In summary, the breach in Okta’s support case management system exposed sensitive customer data, and the company has taken steps to mitigate the impact and notify affected customers. This incident emphasizes the ongoing need for organisations to prioritise security, particularly in the context of identity and access management services, to protect their interests and those of their customers.
—————————————————————————————————————————–
Contact Neuways to help your business become
Cyber Safe
If you need any assistance with cyber security assistance, then please contact Neuways and we will help you where we can. Just get in touch with our team today.
