Okta reports on Lapsus$ breach
The company completed its third-party forensic investigation into its recent attack by the pernicious threat actor. Lapsus$ “actively controlled” a workstation for an engineer at the support firm Sitel for 25 minutes, during which time it accessed information on two customers. Okta found the attacker “viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenant.” The investigation confirmed that Lapsus$ was not able to make any configuration changes, password resets, or impersonate customer support. At the time it disclosed the breach, Okta estimated as many as 366 customers may have been impacted.
Popular VPNs use risky certificates
The security firm AppEsteem discovered that several popular VPN provider apps, including Surfshark, TurboVPN, and VyprVPN, install a trusted root certificate authority on users’ devices, in some cases without consent. In the case of Surfshark, the cert is installed even if a user cancels the installation process. Security researchers note that installing a trusted root certificate isn’t good practice, since a root CA that is compromised could be used to forge certificates for any site or to very effectively run a man-in-the-middle attack against the user’s traffic. In response to the report, Surfshark said it installs a root CA so that it is not dependent on a third party for security, and that it worked with AppEsteem to change its OpenVPN support so that the certificate is no longer required.
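As an added defender-side check (example code, not from AppEsteem or any VPN vendor), the PowerShell snippet below lists root CAs in the Windows trust stores that were not delivered through the Microsoft Root Certificate Program, which is where a root installed by a VPN client would show up. The AuthRoot-based filter is a heuristic assumption and will also surface roots an enterprise added on purpose.

```powershell
# Added example: find locally added trusted root CAs on a Windows machine.
# Heuristic (assumption): a root is treated as "locally added" when its thumbprint
# is absent from Cert:\LocalMachine\AuthRoot, the store that Windows fills from the
# Microsoft Root Certificate Program, and its subject is not a Microsoft root.

# Thumbprints of program-managed third-party roots.
$authRoot = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
    ForEach-Object { $_.Thumbprint }

# Both the machine-wide and the per-user root stores can be targeted by an installer.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        ($authRoot -notcontains $_.Thumbprint) -and
        ($_.Subject -notmatch 'Microsoft')
    } | ForEach-Object {
        [PSCustomObject]@{
            Store         = $store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotBefore     = $_.NotBefore
            # A root whose private key is present on this machine can mint
            # certificates for any name; that is the worst case for the risk above.
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

# Newest roots first: a NotBefore date that matches a software install is a strong hint.
$suspect | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Run from an elevated session so both stores are readable; anything listed that you did not knowingly add is a candidate for removal with the app vendor's uninstaller or `Remove-Item` on the certificate path.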
Project Zero disclosed a new vulnerability record
Google’s Project Zero security team reported that 58 zero-day vulnerabilities exploited in the wild were detected and reported in 2021, more than double its previous record from 2015. Project Zero reported 25 zero-days in 2020. The Project Zero team believes this large uptick is due to increased detection and disclosure of these vulnerabilities, rather than simply increased use by threat actors. The team based this on its observation that attacker methodology hasn’t significantly changed in the past several years. Google noted that the number of disclosed vulnerabilities may have reversed the “Detection Deficit” it described in its 2019 report, and credited an increased number of vendors reporting their own zero-days, which tripled in 2021 to 16.
A look at malicious email scale
According to data gathered by Comparitech, UK government employees across 260 organizations received nearly 2.7 billion malicious emails in 2021, roughly 2,400 per employee. Some departments were far more targeted than others, with NHS Digital seeing an average of over 89,000 malicious emails per employee. Based on freedom of information requests, this figure counts emails that the organizations themselves, not Comparitech, identified as malicious. An average of 0.32% of malicious emails were opened by staff during the year, and in 0.67% of those cases employees clicked through to links, which means over 57,000 suspicious links got clicked.
Thanks to our episode sponsor, Votiro

Brave unplugs Google’s AMP
The makers of the Brave browser announced a new feature called De-AMP, which will automatically take users to an original website for pages linked to Google’s Accelerated Mobile Pages framework. The browser will rewrite links and URLs when possible to avoid visiting AMP pages altogether. Otherwise it will redirect users away from AMP pages before a page is rendered. Brave said it added the feature because AMP “gives Google even more knowledge of users’ browsing habits, confuses users, and can often be slower than normal web pages.”
Ransomware eyes greener pastures
The FBI issued a private industry notification warning farming cooperatives to be on the lookout for an uptick in ransomware activity during planting and harvesting season. Back in September, the FBI issued a similar warning, but it didn’t stop two major co-ops from getting hit. The FBI said ransomware gangs may see these organizations as lucrative targets, given the time-sensitive nature of farming operations. The FBI further noted that a disruption in grain output could impact the entire food chain, given grain’s importance as a human and livestock food staple. So far the agency is aware of one HelloKitty ransomware attack in which the threat actor demanded a $30 million ransom.
Microsoft Defender gives Chrome the side eye
Defender for Endpoint began tagging updates for Google’s browser delivered through Google Update as suspicious activity as of April 19th. The security service began warning admins of a “Multi-stage incident involving Execution & Defense evasion” involving Chrome. Microsoft subsequently issued a service advisory stating that these were false positives and not any form of malicious activity. It’s not just Google that Defender occasionally has an issue with: back in November it blocked Office documents and executables with similar false-positive tags.
QNAP issues a new security advisory
The last few years have seen a number of threat actors targeting QNAP NAS devices with ransomware, made more problematic by the number of QNAP devices that are no longer supported or receiving security patches. The latest security advisory from the company urges customers to disable Universal Plug and Play port forwarding on their routers as an additional protection for their NAS hardware. QNAP advises keeping its NAS devices off public IP addresses and disabling both manual and UPnP port forwarding, recommending its myQNAPcloud Link service as a more secure way to connect remotely. It’s unclear whether this is in response to a new threat campaign or just a good security reminder.