Daily Brief


Total articles found: 11668


2023-11-02 14:13:08 bleepingcomputer DATA BREACH Nearly 5,000 Okta Employees Impacted by Recent Data Breach
San Francisco-based Okta has revealed that almost 5,000 of its employees have had their personal data exposed due to a recent data breach. The breach impacted Rightway Healthcare, a provider that offers healthcare coverage to Okta's employees and their families. The cybercriminals accessed a file which was maintained for the insurance provision and benefit plans of eligible individuals. This file included details on current and former employees of Okta and their dependants. Okta began investigations into the extent of the compromise after the breach was disclosed by Rightway on October 12, 2023. Despite the exposure, Okta stated that there has been no evidence of misuse of the leaked personal information. Affected individuals are being offered two-year credit monitoring, identity theft protection and fraud protection services through Experian as a precaution. This incident is the latest in a series of breaches experienced by Okta in recent years, but unlike past incidents, this breach did not impact any Okta customers. The leak of employees' full names could potentially aid cybercriminals in deriving corporate email addresses for further targeted attacks.
2023-11-02 14:02:11 bleepingcomputer CYBERCRIME Repercussions of Testimonial Password Reuse and Measures for Mitigation
A TechRepublic survey revealed that 53% of users reuse passwords, making their accounts more vulnerable to cyber attacks. Verizon estimates that 86% of digital assaults begin with compromised credentials. Ways end users might give up their credentials to an attacker include responding to a phishing email, logging in through an unsecured network, using a device infected with malware, or selecting an easy password. When a hacker breaches an online platform and steals user credentials, they can use them to try to gain access to other user accounts. Other cyber criminals will pay a substantial amount for such information because people are likely to reuse passwords. A recent study by Microsoft found 44 million users reusing passwords over a three-month period, while a LastPass survey suggests 62% of knowledge workers reuse passwords. The average person, however, tends to erroneously believe that they will not fall victim to hacking. Four recommended methods to mitigate the risk of compromised credentials include implementing multi-factor authentication, ongoing cybersecurity training, reducing the use of passwords particularly for privileged accounts, and routinely checking for compromised passwords. Tools such as Specops Password Policy with Breached Password Protection can provide continuous monitoring against the use of compromised passwords, protecting businesses from the prevalent risk of password reuse.
2023-11-02 09:26:25 thehackernews NATION STATE ACTIVITY Iranian ‘MuddyWater’ Group Targets Israeli Entities in New Spear-Phishing Cyber Campaign
The Iranian nation-state actor MuddyWater is carrying out a spear-phishing campaign against two Israeli entities to deploy Advanced Monitoring Agent, a legitimate remote administration tool from N-able. The campaign was disclosed by cybersecurity firm Deep Instinct, who confirmed previous reports of MuddyWater's similar activities, although this is the first instance of the group using N-able's remote monitoring software. Cybersecurity company Group-IB also separately confirmed the findings. They affirmed MuddyWater is a cyber espionage group and a subsidiary element within Iran's Ministry of Intelligence and Security (MOIS), alongside other MOIS-affiliated groups like OilRig, Lyceum, Agrius, and Scarred Manticore. MuddyWater's established modus operandi has shown continued success through spear-phishing, using direct links and various file attachments to drop one of several remote administration tools. A new development is the use of Storyblok, a file-sharing service, to initiate a multi-stage infection vector, leading to the victim's machine being remotely administered and reconnoitered. Another novel capability is the use of MuddyC2Go, a new command-and-control (C2) framework, indicating a significant improvement in Iran's malicious cyber capabilities.
2023-11-02 09:26:25 thehackernews CYBERCRIME Wing Security Offers Self-Onboarding "Essential SSPM," a Freemium Model for SaaS Security.
Wing Security has launched a new self-onboard product, "Essential SSPM" (SaaS Security Posture Management), which combines application discovery, risk assessment, and user access control to enhance SaaS security. The system allows organizations to discover unknown applications within their work environment, mitigating shadow IT risks associated with SaaS. The platform evaluates and scores the security risks of associated SaaS applications via a vast database, offering near-real-time risk assessments to paid users. The product also manages user access controls in line with the principle of least privilege, enabling organizations to control data access and reduce potential attack surfaces. Wing Security's solution differentiates itself with its "try first, pay later" approach, allowing users to self-onboard without interaction with a human representative. Data security features, automated remediation paths, and greater control over user privileges require upgrading to Wing's full solution. The freemium model is unusual for security-related products, providing a practical opportunity for client organizations to assess their SaaS security needs.
2023-11-02 09:00:29 thehackernews CYBERCRIME Researchers Discover 34 Vulnerable Windows Drivers Prone to Total Device Control
Researchers have discovered 34 vulnerable Windows drivers that could be exploited by non-privileged actors to gain complete control over devices and execute arbitrary code on the systems. These vulnerable drivers create opportunities for attackers to alter or eliminate firmware and elevate operating system privileges. The research particularly focuses on drivers that allow firmware access via port I/O and memory-mapped I/O. Six of these drivers allow for kernel memory access, a vulnerability that can be leveraged by attackers to elevate privilege and circumvent security measures. Twelve drivers could be exploited to undermine security mechanisms like kernel address space layout randomization (KASLR), and seven could be utilized to wipe out firmware in SPI flash memory. Certain WDF drivers identified can be easily weaponized by privileged threat actors to launch a Bring Your Own Vulnerable Driver (BYOVD) attack. BYOVD attacks have been previously used by adversaries such as the Lazarus Group. Researchers suggest extending the code to cover other attack vectors, including the termination of random processes.
2023-11-02 05:21:51 thehackernews MISCELLANEOUS FIRST Announces Launch of Next Generation Vulnerability Scoring System, CVSS v4.0
The Forum of Incident Response and Security Teams (FIRST) has launched the Common Vulnerability Scoring System (CVSS) v4.0, eight years after CVSS v3.0. CVSS v4.0 aims to provide accurate vulnerability assessment for industries and the public, implementing a system to capture key technical features of a security vulnerability and give it a numerical score denoting its severity. The score can be translated into levels such as low, medium, high, and critical, helping organisations prioritise their vulnerability management processes. FIRST emphasises that CVSS v4.0 does not merely measure the severity of a vulnerability and should not be the sole system used to assess risk. Criticisms of the previous version, CVSS v3.1, included a lack of granularity in the scoring system and insufficient representation of health, human safety, and industrial control systems. CVSS v4.0 addresses these issues by providing supplemental metrics for vulnerability assessment, including Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, and Provider Urgency. FIRST introduces a new nomenclature for enumerating CVSS scores using a variety of severity ratings.
2023-11-02 04:30:45 thehackernews CYBERCRIME HelloKitty Ransomware Group Exploits Critical Apache ActiveMQ Vulnerability
The HelloKitty ransomware group has been spotted exploiting a critical vulnerability in the Apache ActiveMQ open-source message broker service, according to cybersecurity firm Rapid7. The exploited flaw is tracked as CVE-2023-46604, a remote code execution vulnerability allowing threat actors to run arbitrary shell commands. The vulnerability carries a maximum severity CVSS score of 10.0. As of November 1, 2023, the Shadowserver Foundation found 3,326 internet-accessible ActiveMQ instances that are susceptible to CVE-2023-46604, the majority of which are located in China, the U.S., Germany, South Korea, and India. Successful exploitation allows adversaries to load remote binaries that function akin to ransomware, searching for and terminating a specific set of processes before starting the encryption process. The encrypted files are appended with the ".locked" extension. Updated ActiveMQ versions addressing the vulnerability were released last month, and users are urged to apply the updates. Rapid7 is emphasizing the importance of scanning networks for indicators of compromise due to the active exploitation of the flaw.
2023-11-02 03:34:25 theregister CYBERCRIME Boeing Responds to Cyberattack on Parts and Distribution Business
Boeing, the aerospace defence contractor, has reported a cyber incident affecting its parts and distribution business, which it is currently investigating alongside authorities. The attack follows claims by ransomware group LockBit that it had exfiltrated sensitive data from Boeing; however, the source of the cyber incident remains unconfirmed. Boeing's parts and distribution website was temporarily unavailable due to the attack, which may disrupt the lucrative aftermarket sales of spare parts. Screenshots showed that LockBit had added Boeing to its victims list, with administrators stating they had used a 0-day exploit to gain access to the company's systems. The LockBit ransom note gave Boeing a six-day window to begin negotiations. By Monday, Boeing had been removed from the group's website, implying that discussions may have begun. Boeing has not released a formal statement on the matter. The US Cybersecurity and Infrastructure Security Agency (CISA) lists LockBit as 2022's most prolific ransomware operator. The group is known for high-profile attacks and is believed to have generated over $90 million from ransomware activities between 2020 and mid-2023.
2023-11-02 01:27:09 theregister NATION STATE ACTIVITY FBI Fears Lapse in Section 702 Spying Powers would Curb Cyberattack Detection
FBI Director Christopher Wray warned a US Senate committee about the potential negative impact of allowing the Federal Section 702 surveillance powers to lapse. He stated that if this were to occur, it may lead to failure to prevent major cyberattacks from adversaries like Iran or China. Wray cited that 97% of the FBI's technical intelligence on malicious "cyber actors" in the first half of this year was acquired via Section 702 searches. Section 702 of America's Foreign Intelligence Surveillance Act (FISA) permits US intelligence agencies to monitor foreigners' electronic communication outside the US. The rule is set to expire at the end of 2023 unless renewed or reformed. Advocacy groups and some lawmakers seek to reform Section 702 to strengthen protections for US residents. Proposed changes include limiting the scope of permissible targeting, strengthening the role of FISA Court amici, and outlawing "about" collections that allow more surveillance than usually permitted. The Biden administration called for the reauthorisation of Section 702 "without new and operationally damaging restrictions", and suggested that letting the law expire would rank among "the worst intelligence failures". Critics argue that requiring a warrant for US person queries and other reforms would not undermine the value of Section 702. They also question the FBI's objection to these proposed changes.
2023-11-01 22:49:27 theregister CYBERCRIME Medical Research Firm, Advarra, Targeted by Notorious Alphv Cyber Gang
The notorious cybergang Alphv, also known as BlackCat, claims to have stolen data from Advarra, a company that aids medical trials, via a SIM swap on an executive's phone. The criminals reportedly have access to over 120GB of confidential data relating to employees, customers and patients. If no ransom is paid, the gang has said it may sell or leak the information. Evidence of the breach was shared on Alphv's dark-web site, including personal details of some individuals. However, these details have since been removed, and Advarra doubts that some of the claimed interactions between the company and the gang actually occurred. In response to the claims, a spokesperson for Advarra revealed a colleague's phone number was compromised and used to access their professional accounts. The company is investigating with the help of cyber experts, and has reportedly taken containment actions and notified federal law enforcement. Despite these allegations, the spokesperson claims its operations have not been disrupted and there's no evidence that clients' or partners' systems were compromised or accessed. The report follows the recent activities of Alphv, which leaked 8.6TB of data from Morrison Community Hospital in Illinois. The healthcare sector's vulnerability to cybercrime is well-known, and recent figures from Sophos show that encrypting data remains the criminals' preference, with encryption occurring in nearly 75 percent of successful attacks.
2023-11-01 20:27:07 bleepingcomputer CYBERCRIME Black Basta ransomware hits Toronto Public Library, causing extensive system outages.
The Toronto Public Library (TPL), Canada's largest public library system, has been targeted in a ransomware attack by the Black Basta ransomware operation. The attack, which has disrupted various online services and caused technical outages, is currently being investigated by law enforcement and third-party cybersecurity experts. Affected services include the tpl.ca website, account access, map passes and digital collections. Public computers and printing services are also currently unavailable. No evidence suggested that personal data of staff or users was affected, and it's unclear whether the ransomware reached sensitive data servers. TPL announced it had engaged third-party cybersecurity experts to resolve the situation, with the acknowledgement that a full restoration might take several days. The origins of Black Basta are somewhat disputed. Some believe they are a splinter group from the cybercrime operation Conti, whereas others identify a link with the Fin7 cybercrime operation, also known as Carbanak.
2023-11-01 20:06:21 theregister CYBERCRIME Mysterious Kill Switch Deactivates Prolific Mozi Botnet
Security researchers at ESET have found a kill switch that has sharply slowed and possibly ended activity of the Mozi botnet, which accounted for nearly 90% of malicious internet of things (IoT) network traffic. It exploited hundreds of thousands of devices each year. The activity of the botnet started slowing down in India on 8 August and in China on 16 August. By the end of September, researchers discovered a control payload within a user datagram protocol (UDP) message that acted as the kill switch. The control payload was deployed eight times, requiring the bot to download and install an update via HTTP. This stopped the Mozi malware, disabled some features and commands, and shut down access to various ports. Despite the kill switch, the Mozi bots maintained persistence but were stripped of their malicious capabilities. ESET researchers are proposing two possible theories about who disabled the botnet: the original creator or Chinese law enforcement, possibly through coercion of the original team. The investigation is ongoing, and a more detailed analysis is expected in the coming months. The question about whether the botnet will stay inactive still remains.
2023-11-01 19:30:15 bleepingcomputer MISCELLANEOUS FIRST Releases CVSS 4.0 Vulnerability Severity Rating Standard
The Forum of Incident Response and Security Teams (FIRST) has released its updated Common Vulnerability Scoring System (CVSS) standard, eight years after its last major version. CVSS is a standardized system for evaluating the severity of software security vulnerabilities, informing threat prioritization and response strategies. The new standard, CVSS 4.0, offers enhanced granularity in metrics, clearer scoring, simpler threat metrics, and better ability to assess environment-specific security requirements and controls. New metrics under CVSS 4.0 include Automatable (indicating vulnerability to worms), Recovery (resilience), Value Density, Vulnerability Response Effort, and Provider Urgency. CVSS 4.0 has expanded its applicability to operational technology (OT), industrial control systems (ICS), and Internet of Things (IoT), adding safety metrics to its Supplemental and Environmental metric groups. FIRST also introduced a new nomenclature under CVSS 4.0, which includes Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) severity ratings. FIRST aims to empower its members and the sector, improving cybersecurity defenses and responses to cyberattacks. It also released Traffic Light Protocol (TLP) 2.0 in 2021, a standard for sharing sensitive information in the CSIRT community.
2023-11-01 19:09:04 theregister NATION STATE ACTIVITY Russian Nationals in US Arrested for Illegally Exporting Military-Grade Tech to Moscow
Three Russian nationals have been apprehended in New York on charges related to smuggling electronic components—valued at over $10m—to sanctioned entities in Russia, some of which were recovered from Ukrainian battlefields. The individuals charged are Nikolay Goltsev, a Russian-Tajikistani dual citizen, and Salimdzhon Nasriddinov and Kristina Puzyreva, both Russian-Canadians. They are accused of wire fraud, smuggling, and conspiring to violate the Export Control Reform Act. The accused trio utilised front companies SH Brothers Inc. and SN Electronics Inc. to ship around 300 consignments of semiconductors, integrated circuits, and other dual-use electronics components, all in just over a year. Packages were initially sent to countries such as Turkey, Hong Kong, India, China, and the UAE before being rerouted to Russia, according to law enforcement officials. The electronic parts shipped were used in various Russian military equipment like radio reconnaissance tools, electronic warfare kits, missiles, and tanks. The sides receiving these goods included sanctioned entities such as Radioavtomtika, a Moscow defense procurement company specialising in procuring imported parts for the Russian army. The indictments indicate that the prosecuted individuals were aware their activities were illegal, and that the parts they were smuggling had military uses. This arrest is among several similar cases reported recently, especially since the imposition of sanctions on Russia following its invasion of Ukraine.
2023-11-01 18:48:16 bleepingcomputer CYBERCRIME Exploitation of Citrix Bleed Flaw Targets Worldwide Government Networks
Hackers are leveraging a vulnerability, known as 'Citrix Bleed' and identified as CVE-2023-4966, to launch attacks on government, technical, and legal organizations globally, with campaigns occurring since late August 2023. The flaw, which impacts Citrix NetScaler ADC and NetScaler Gateway devices, was disclosed in October and allows access to sensitive information. It was active as a zero-day vulnerability, enabling attackers to hijack authenticated sessions and bypass multifactor protection. Cybersecurity company Mandiant has observed post-exploitation related to credential theft and lateral movement. The attacks are stealthy, leaving limited forensic evidence. Efforts to investigate these exploits are challenging due to the lack of logging on the targeted appliances, requiring specialized network monitoring to determine if a device was exploited. According to Mandiant, the threat actors engaging in these activities are using recognizable administrative tools and streamlining into daily operations, making detection even more difficult. Once the vulnerability is exploited, attackers engage in network reconnaissance, credential theft, and lateral movement using RDP among other tactics. Mandiant has suggested that addressing the vulnerability alone will not solve current breaches. A comprehensive incident response and system restoration strategy is required.