Flair Data Systems-Brent Forrest Cybersecurity News Update 12-06-2023

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 12/06/2023...

One of the big themes of this week's update is third-party compromises, as four of the articles cover third-party incidents and how they are affecting other organizations, Okta being one of the largest. During our consultations, one area that has not been consistently performed is Third-Party Risk Management, and I will not lie: it is an undertaking, but one that is well worth it. It is of such importance that we have started working with organizations on how to add this as a program within their organizations. 


All Okta customers exposed in breach 


Last month it was found that a threat actor gained access to Okta's support case management system. At the time, Okta disclosed that only 134 customers were affected; the stolen support data included HAR files that led to the compromise of Okta environments at customers such as 1Password, BeyondTrust, and Cloudflare 

  • However, it has since been discovered that the threat actor was able to grab the full names and email addresses of all Okta customers (excluding Okta's Auth0 support case management system, along with the FedRAMP High and DoD IL4 environments) 
  • The reason for the delayed finding was that Okta's initial search was narrowed to a specific filtered view; when the investigation continued with an unfiltered view, it surfaced the additional affected customers 

Link (1): https://www.csoonline.com/article/1249988/okta-confirms-recent-hack-affected-all-customers-within-the-affected-system.html#:~:text=Okta%20confirms%20recent%20hack%20affected%20all%20customers%20within%20the%20affected%20system,-News&text=Contrary%20to%20its%20earlier%20analysis,by%20the%20recent%20security%20incident. 


Chrome 6th zero day 


CVE-2023-6345: Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file 

  • The specific detail for the vulnerability is being withheld until the majority of users have updated the browser to the fixed version 

Link (1): https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-6th-zero-day-exploited-in-2023/ 

Link (2): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6345 

Dollar Tree breach 


A breach at a third party, Zeroed-In Technologies, that occurred between August 7 and 8, 2023 has affected almost 2 million people 

  • Data that was compromised included names, dates of birth, and SSNs 
  • The concerning part of this entire situation is that Zeroed-In was able to determine which system was accessed, but not what data was accessed, which means they did not have proper logging turned on 
  • In a tabletop exercise I recently performed, one of the areas of concern that came out of it was around "if a database was accessed, how would you know what data was exported and/or deleted, and by whom?" - meaning, do you have proper logging turned on, and at a level that would give the right information during an investigation? 

Link (1): https://www.bleepingcomputer.com/news/security/dollar-tree-hit-by-third-party-data-breach-impacting-2-million-people/ 
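
To make the logging question above concrete, here is an added example (not from the newsletter, and not Zeroed-In's or Dollar Tree's tooling) that contrasts what an investigator can answer from connection-level logs versus statement-level audit logs. The log lines and their field layout are constructed for this example and are not any vendor's real format.

```python
import re
from collections import defaultdict

# Constructed sample: connection-level logging only. It can say that the
# system was reached, but not what data was touched. (Format is an assumption.)
CONNECTION_LOG = """\
2023-08-07T02:14:03Z db01 connection authorized: user=app_svc host=10.0.5.12
2023-08-07T02:14:05Z db01 connection authorized: user=hr_admin host=203.0.113.7
2023-08-07T02:41:59Z db01 disconnection: user=hr_admin session_time=0:27:54
"""

# Constructed sample: statement-level audit logging with affected row counts.
STATEMENT_LOG = """\
2023-08-07T02:14:05Z db01 AUDIT user=hr_admin host=203.0.113.7 op=SELECT table=employees rows=1984000
2023-08-07T02:15:00Z db01 AUDIT user=app_svc host=10.0.5.12 op=SELECT table=employees rows=1
2023-08-07T02:20:11Z db01 AUDIT user=hr_admin host=203.0.113.7 op=SELECT table=payroll rows=1984000
2023-08-07T02:30:42Z db01 AUDIT user=hr_admin host=203.0.113.7 op=DELETE table=audit_trail rows=52
"""

CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<db>\S+) connection authorized: "
                     r"user=(?P<user>\S+) host=(?P<src>\S+)")
STMT_RE = re.compile(r"^(?P<ts>\S+) (?P<db>\S+) AUDIT user=(?P<user>\S+) "
                     r"host=(?P<src>\S+) op=(?P<op>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)")

def who_accessed(log):
    """Connection logs only answer: which account reached which database, from where."""
    seen = {(m["user"], m["db"], m["src"])
            for m in map(CONN_RE.match, log.splitlines()) if m}
    return sorted(seen)

def what_was_touched(log, bulk_threshold=10000):
    """Statement logs answer: per account, which tables, how many rows were read or
    deleted, and which actions look like an export (bulk read) or destruction."""
    out = defaultdict(lambda: {"tables": set(), "rows_read": 0, "rows_deleted": 0, "flags": set()})
    for m in map(STMT_RE.match, log.splitlines()):
        if not m:
            continue
        rec, rows = out[m["user"]], int(m["rows"])
        rec["tables"].add(m["table"])
        if m["op"] == "SELECT":
            rec["rows_read"] += rows
            if rows >= bulk_threshold:
                rec["flags"].add(f"bulk read of {m['table']}")
        elif m["op"] == "DELETE":
            rec["rows_deleted"] += rows
            rec["flags"].add(f"delete on {m['table']}")
    # Sets become sorted lists so the report is stable and easy to diff.
    return {u: {**r, "tables": sorted(r["tables"]), "flags": sorted(r["flags"])}
            for u, r in out.items()}
```

Run against the connection log, `what_was_touched` returns nothing at all, which is exactly the position Zeroed-In found itself in; run against the statement log, it names the account, the tables, the row counts and the delete.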

 

Motorola former employee phishing hack 


28-year-old Andrew Mahn (Derry, New Hampshire) has pleaded guilty to illegally hacking the network of his former employer, Motorola, after successfully tricking current staff into handing over login credentials 

  • Mahn used that access to steal code and software tools from the Motorola network, which allowed him to unlock radio equipment features 
  • Separately, he also attempted to expedite his passport processing by requesting the expedite from Senator Maggie Hassan's office, claiming he had to travel internationally for family reasons 
  • Mahn currently faces up to 20 years in prison, 3 years of supervised release, and a $250,000 fine for the hack, plus a 10-year prison term, 3 years of supervised release, and another $250,000 fine for the passport fraud 

Link (1): https://www.tripwire.com/state-of-security/ex-motorola-worker-phished-former-employer-illegally-hack-network-and-steal-data 

 

Credit unions facing outages due to ransomware attack on cloud provider 


Cloud services provider Ongoing Operations (owned by Trellance) has experienced a ransomware attack that has affected nearly 60 credit unions across the U.S. 

  • The investigation is currently underway, but at this point in time Ongoing Operations has stated that it is not seeing any signs of data misuse 

Link (1): https://www.scmagazine.com/brief/third-party-ransomware-attack-disrupts-dozens-of-us-credit-unions 

Roblox, Twitch allegedly targeted by ransomware cartel 


ALPHV/BlackCat has allegedly breached the accounting software provider Tipalti, which supports both Roblox and Twitch (among others) 

  • ALPHV claims to have exfiltrated over 265 GB of sensitive company data on both employees and customers 
  • Other organizations supported by Tipalti include X, GoDaddy, National Geographic, Business Insider, SkillShare, Canva, and others 

Link (1): https://cybernews.com/news/roblox-twitch-tipalti-ransomware-cyberattack/#:~:text=Roblox%20and%20Twitch%20data%20allegedly,an%20accounting%20software%20provider%2C%20Tipalti. 

Qlik Sense Exploited by Cactus Ransomware 


The Cactus ransomware gang has been observed exploiting publicly exposed installations of Qlik Sense 

  • The three vulnerabilities involved are: 
  • CVE-2023-41266 and CVE-2023-41265, which combined can lead to unauthenticated remote code execution 
  • CVE-2023-48365, where successful exploitation on its own can lead to unauthenticated remote code execution 
  • Patches have been released (review links 2 & 3 below) 

Link (1): https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ https://www.praetorian.com/blog/qlik-sense-technical-exploit/ 

Link (2): https://community.qlik.com/t5/Support-Updates/Qlik-Sense-Enterprise-for-Windows-New-Security-Patches-Available/ba-p/2108549 

Link (3): https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510 

 

US confirms Iranian actors behind water breaches 


Cyber Av3ngers is the hacktivist group that attacked the water facility in Aliquippa that I covered last week, and it has since claimed to have breached multiple water treatment stations in Israel 

  • The stated reason for attacking Aliquippa was that the PLCs were manufactured by an Israeli company: the Unitronics Vision PLC 
  • Cyber Av3ngers is supposedly affiliated with the Iranian government's Islamic Revolutionary Guard Corps and has targeted Israeli entities since 2020 
  • This statistic is concerning: per a Shodan search, roughly 1,800 Unitronics PLCs around the world are exposed to the internet, with a few hundred of those in the U.S. 

Link (1): https://www.securityweek.com/ics-at-multiple-us-water-facilities-targeted-by-hackers-affiliated-with-iranian-government/ 

 

Federal agency breached through Adobe ColdFusion vulnerability 


CVE-2023-26360: Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user 

  • Exploitation of this issue does not require user interaction 
  • The threat actor is currently unknown 
  • In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two agency systems in two separate instances 
  • In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment 

Link (1): https://therecord.media/adobe-coldfusion-vulnerability-two-federal-agencies 

Malicious loan apps downloaded 12 million times from Google Play 


Over a dozen malicious loan apps, generically tracked as SpyLoan, have been downloaded more than 12 million times from Google Play (more have been downloaded through other third-party stores) 

  • Personal data stolen from the device includes: a list of all accounts, device info, call logs, installed apps, calendar events, local Wi-Fi network details, and metadata from images 
  • Per researchers, this has the potential to extend to contact lists, location data, and text messages 

Link (1): https://www.bleepingcomputer.com/news/security/spyloan-android-malware-on-google-play-downloaded-12-million-times/ 

 

 
Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been a part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, and eventually finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry, working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up. 

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children.


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.   

