This week’s Cyber Security Headlines – Week in Review is hosted by Sean Kelly with guest Howard Holton, CTO, GigaOm
Here are the stories we plan to cover TODAY, time permitting. Please join us live at 12:30pm PT/3:30pm ET by registering for the open discussion on YouTube Live.
Okta explains hack source and response timeline
Okta security head David Bradbury called the hack an internal lapse, stating, “an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account.” Additionally, in a blog post released Friday, Okta attributed the two-week time gap between the notifications from 1Password and Cloudflare and the discovery and disabling of the compromised account to the fact that it was not able to “identify suspicious downloads” in logs. According to The Record, “Okta said its initial investigation focused on access to support cases, where it examined logs linked to those cases. But the company later realized that the hacker was navigating its system in a different way that was generating an entirely different log event with a different record ID.” A link to Okta’s blog is available in the show notes to this episode.
(SecurityWeek and Okta’s blog)
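The control that closes the gap Okta describes, as an added example and not something from Okta’s post: a Chrome managed-policy file that turns off browser sign-in, profile sync and the built-in password manager on managed laptops, so a service-account password typed into the browser cannot be saved into an employee’s personal Google account. The file path is Chrome’s managed-policy directory on Linux; on Windows and macOS the same policy names are delivered through the registry or a configuration profile, and the policy values below are an assumed baseline rather than Okta’s actual configuration.

```json
{
  "_comment": "Example only: /etc/opt/chrome/policies/managed/no-personal-sync.json on Linux; same policy names via registry/MDM elsewhere",

  "BrowserSignin": 0,
  "SyncDisabled": true,
  "PasswordManagerEnabled": false
}
```

`BrowserSignin` set to 0 disables signing the browser into any Google account, `SyncDisabled` stops profile data (including saved passwords) from leaving the device even if a sign-in somehow happens, and `PasswordManagerEnabled` false removes the save-password prompt so credentials live only in the enterprise vault. The second lesson from the post is for the SOC: when hunting, widen the search to every event type a stolen session could generate, not only the events tied to the support cases you already know were touched.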
Google Calendar as a C2 infrastructure
Google itself has issued a warning regarding “multiple threat actors sharing a public proof-of-concept exploit named Google Calendar RAT, that relies on Calendar service to host command-and-control (C2) infrastructure.” Developed for red teaming activities, the PoC’s description on GitHub says that only a Gmail account is required. “The script creates a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar. The target will connect directly to Google.” Because the implant talks only to legitimate Google endpoints, destination reputation and domain blocklists will not catch it; what stands out is the behaviour, a non-browser process polling the Calendar API on a fixed schedule. Google has not seen use of GCR in the wild so far, although “Mandiant has seen multiple actors sharing the public proof of concept on underground forums.”
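A detection a defender could run over proxy or DNS-proxy logs, as an added example that is not Google’s, Mandiant’s or the GCR author’s code: it looks for sources that hit a Google Calendar API host on a near-constant interval, the polling cadence a calendar-backed C2 channel needs. The log line layout (`timestamp src host user-agent`), the sample lines and the thresholds are all constructed assumptions for this example.

```python
"""Flag hosts that poll Google Calendar endpoints on a tight, regular schedule.

Added example, not code from the episode or from the GCR proof of concept.
Log format assumed: "<ISO timestamp> <src_ip> <host> <user-agent>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log. 10.0.0.5 polls the Calendar API every 30 s
# from a scripting user agent (implant-like); 10.0.0.9 is a human using the
# web calendar at irregular times; 10.0.0.7 beacons regularly but not to Google.
SAMPLE_LOG = """\
2023-11-10T09:00:00 10.0.0.5 calendar.googleapis.com python-requests/2.31
2023-11-10T09:00:30 10.0.0.5 calendar.googleapis.com python-requests/2.31
2023-11-10T09:01:00 10.0.0.5 calendar.googleapis.com python-requests/2.31
2023-11-10T09:01:30 10.0.0.5 calendar.googleapis.com python-requests/2.31
2023-11-10T09:02:00 10.0.0.5 calendar.googleapis.com python-requests/2.31
2023-11-10T09:00:12 10.0.0.9 calendar.google.com Mozilla/5.0
2023-11-10T09:07:41 10.0.0.9 calendar.google.com Mozilla/5.0
2023-11-10T09:31:05 10.0.0.9 calendar.google.com Mozilla/5.0
2023-11-10T10:02:59 10.0.0.9 calendar.google.com Mozilla/5.0
2023-11-10T09:00:00 10.0.0.7 example.com curl/8.0
2023-11-10T09:00:30 10.0.0.7 example.com curl/8.0
2023-11-10T09:01:00 10.0.0.7 example.com curl/8.0
2023-11-10T09:01:30 10.0.0.7 example.com curl/8.0
"""

# Hosts through which Calendar events can be read or written.
CALENDAR_HOSTS = {"calendar.googleapis.com", "www.googleapis.com", "calendar.google.com"}


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, host, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, ua = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), src, host, ua))
    return events


def find_calendar_beacons(events, min_hits=4, max_cv=0.2):
    """Return {(src, host): (hit_count, mean_gap_seconds, first_user_agent)}.

    A pair is flagged when it has at least min_hits requests and the
    coefficient of variation (stdev / mean) of the inter-request gaps is
    at most max_cv: humans click irregularly, implants sleep(N) and loop.
    """
    by_pair = defaultdict(list)
    for ts, src, host, ua in events:
        if host in CALENDAR_HOSTS:
            by_pair[(src, host)].append((ts, ua))

    hits = {}
    for (src, host), rows in by_pair.items():
        if len(rows) < min_hits:
            continue
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits[(src, host)] = (len(rows), avg, rows[0][1])
    return hits


if __name__ == "__main__":
    for (src, host), (count, gap, ua) in find_calendar_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {host}: {count} requests every ~{gap:.0f}s, UA {ua!r}")
```

On the sample data only 10.0.0.5 is reported; the human user’s irregular visits and the non-Google beacon are left alone. In production, pair the cadence check with the user agent and the originating process (an EDR process-network join): a `python-requests` or `google-api-python-client` agent on a workstation that has no business automating Calendar is the detail that turns a statistical anomaly into an alert.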
Data brokers selling US service members’ secrets
A new report from the Sanford School of Public Policy at Duke University says that “vast amounts of highly sensitive data on American military service members are up for sale by data brokers.” The Duke researchers describe how they observed brokers transfer “private data about active-duty service members, veterans, and their families, including sensitive health and financial information. … They also sold bulk data for people within geofenced military facilities such as Fort Bragg and Quantico.” Lead researcher Justin Sherman stated, “because the data for sale includes information about an individual’s mental health conditions, personal debts, and other highly sensitive information, it could theoretically be used to blackmail or otherwise compromise active-duty military personnel.” A link to the study is available in the show notes to this episode.
(The Record and Duke University)
Atlassian bug escalated to 10.0 severity
The severity rating for a bug in all on-premises versions of Atlassian Confluence Data Center and Server (CVE-2023-22518) has been increased from 9.1 to the most critical rating of 10.0. An Atlassian advisory explains that the rating was raised because of ongoing active exploitation of the bug, including ransomware deployment. Researchers at Rapid7 also issued an advisory warning of snowballing attacks starting over the weekend. The vulnerability allows unauthenticated attackers to reset a Confluence instance and create an administrator account, so an internet-exposed, unpatched server should be treated as compromised until proven otherwise. Atlassian said it can’t confirm which customer instances have been impacted by the active attack, but has published indicators of compromise for security teams and admins to check against their own environments.
Thanks to today’s episode sponsor, OffSec

Free tool helps industrial organizations find vulnerabilities
OPC UA is a machine-to-machine communication protocol used by many industrial solutions providers for interoperability between various types of industrial control systems (ICS). While the protocol is highly useful, a weakly configured or vulnerable OPC UA deployment can also pose a serious risk to organizations. Finland-based cybersecurity company Molemmat Oy has developed a new vulnerability scanning tool, called OpalOPC, to help identify weaknesses in OPC UA servers. OpalOPC is available for both Windows and Linux and is free for non-profit projects and organizations whose revenue does not exceed $1 million.
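To make concrete what “weaknesses in the protocol” looks like in practice, here is an added example (not OpalOPC’s code) that grades the endpoints an OPC UA server advertises, the kind of check a scanner performs after a GetEndpoints call. The policy URIs are the standard OPC Foundation identifiers; the sample endpoint list, the dictionary layout and the severity wording are assumptions constructed for this example.

```python
"""Grade advertised OPC UA endpoints for weak security settings.

Added example, not part of OpalOPC or the episode. Input mirrors the fields a
GetEndpoints response carries: endpoint URL, SecurityPolicyUri,
MessageSecurityMode and the accepted user-token types.
"""

POLICY = "http://opcfoundation.org/UA/SecurityPolicy#"

# SecurityPolicy None gives no confidentiality or integrity at all.
NO_PROTECTION = {POLICY + "None"}
# Deprecated by the OPC Foundation (SHA-1 / RSA PKCS#1 v1.5 constructions).
DEPRECATED = {POLICY + "Basic128Rsa15", POLICY + "Basic256"}
# Current, acceptable policies.
ACCEPTABLE = {
    POLICY + "Basic256Sha256",
    POLICY + "Aes128_Sha256_RsaOaep",
    POLICY + "Aes256_Sha256_RsaPss",
}

# Constructed sample: what a PLC's discovery endpoint might return.
SAMPLE_ENDPOINTS = [
    {"url": "opc.tcp://plc01:4840", "policy": POLICY + "None",
     "mode": "None", "tokens": ["Anonymous", "UserName"]},
    {"url": "opc.tcp://plc01:4840", "policy": POLICY + "Basic128Rsa15",
     "mode": "SignAndEncrypt", "tokens": ["UserName"]},
    {"url": "opc.tcp://plc01:4840", "policy": POLICY + "Basic256Sha256",
     "mode": "Sign", "tokens": ["Certificate"]},
    {"url": "opc.tcp://plc01:4840", "policy": POLICY + "Aes256_Sha256_RsaPss",
     "mode": "SignAndEncrypt", "tokens": ["Certificate"]},
]


def assess_endpoint(ep):
    """Return a list of finding strings for one endpoint; empty means it passed."""
    findings = []
    open_channel = ep["policy"] in NO_PROTECTION or ep["mode"] == "None"

    if open_channel:
        findings.append("unencrypted, unauthenticated channel (SecurityPolicy None / mode None)")
    elif ep["policy"] in DEPRECATED:
        findings.append("deprecated security policy " + ep["policy"].rsplit("#", 1)[1])
    elif ep["policy"] not in ACCEPTABLE:
        findings.append("unknown security policy " + ep["policy"])

    # Sign-only protects integrity but lets anyone on the path read process data.
    if ep["mode"] == "Sign" and not open_channel:
        findings.append("messages signed but not encrypted (mode Sign)")

    if "Anonymous" in ep["tokens"]:
        findings.append("anonymous user token accepted")
    # On an open channel the password is protected only by the user-token policy,
    # which is frequently also None in the field.
    if "UserName" in ep["tokens"] and open_channel:
        findings.append("username/password token offered on a channel with no encryption")
    return findings


def assess_server(endpoints):
    """Map endpoint index to its findings for a whole advertised endpoint list."""
    return {i: assess_endpoint(ep) for i, ep in enumerate(endpoints)}


if __name__ == "__main__":
    for idx, findings in assess_server(SAMPLE_ENDPOINTS).items():
        ep = SAMPLE_ENDPOINTS[idx]
        status = "OK" if not findings else "; ".join(findings)
        print(f"{ep['url']} [{ep['policy'].rsplit('#', 1)[1]}/{ep['mode']}]: {status}")
```

The point a scanner report makes, and this example reproduces, is that a server is only as strong as its weakest advertised endpoint: the hardened `Aes256_Sha256_RsaPss` endpoint on `plc01` is worthless while the same port also offers `None`/`Anonymous`, because a client (or attacker) simply picks the open one. Fix is to remove the weak endpoints and the anonymous token from the server configuration, not to rely on clients choosing well.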
US launches “Shields Ready” campaign
DHS, CISA, and FEMA announced this new campaign to promote overall resiliency and security for critical national infrastructure. If it sounds familiar, CISA launched a “Shields Up” campaign previously. Shields Ready focuses on broad strategies to prepare critical infrastructure for disruption, while Shields Up is about time-sensitive actions against specific, current threats. This new campaign asks infrastructure providers to identify the assets most critical to operations, consider a range of disruption threats and evaluate their actual risk, develop a risk management plan, and maintain and exercise a realistic incident response plan.
ICE’s devices entice vices
The US Department of Homeland Security Office of the Inspector General issued a report on a recent investigation into equipment management and IT policies by Immigration and Customs Enforcement, or ICE. The report found MDM issues that could put sensitive data at risk. It found “thousands” of unauthorized apps on devices, ranging from third-party file transfer software, to VPN apps, and messaging platforms. It also included apps formally banned from government IT systems. ICE’s IT policies state that it doesn’t monitor data sent to these user-installed “personal applications.” Ahead of the report’s release, ICE implemented some auditor recommendations like disabling prohibited apps.
Python developers warned against becoming targets
A cautionary tale from cybersecurity firm Checkmarx, as reported in The Record, “sometimes when malicious hackers meddle with open-source software development, the target isn’t the software — it’s the developers themselves.” The researchers have been tracking malware intended to infect the computers of developers who work in Python and who are looking for tools that will help disguise their code in development. The article looks specifically at a package called BlazeStealer which enables a bot on the Discord messaging service “that gives attackers complete control over the victim’s computer.”
OpenAI blames DDoS attacks for ongoing ChatGPT outages
OpenAI confirmed yesterday, Thursday, that the “periodic outages” affecting its API and ChatGPT services were DDoS related. Users saw error messages in their ChatGPT windows as well as on generative art engine DALL-E on Monday. Anonymous Sudan is claiming responsibility for the outage, stating on its Telegram channel that it used the SkyNet botnet to carry out the attack. Bleeping Computer is quick to point out this claim may be a false flag, with many cybersecurity researchers looking at Russia instead.