This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Arvin Bansal, former CISO, Nissan Americas
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Okta HAR support system attacked
An advisory from Okta states that last week’s attack involved threat actors gaining access to customers’ HTTP Archive files, abbreviated HAR, which are used for troubleshooting by replicating browser activity. By their nature HAR files can contain sensitive data such as cookies and session tokens that threat actors can use to impersonate valid users. Security Chief David Bradbury said the compromised case management system is separate from the production Okta service, which was not impacted and remains fully operational. Okta has of course taken measures to protect its customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it. In a separate alert, security firm BeyondTrust said it was a target of a cyberattack linked to this Okta support system breach.
(SecurityWeek, Okta and Beyond Trust)
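Okta's advice to strip credentials and session material from a HAR file before sharing it is straightforward to automate. The Python script below is an added example, not Okta's own tool, and the sample HAR it carries is constructed for illustration; the hostname example.okta.test and the set of header and parameter names it treats as sensitive are assumptions. It redacts Authorization, Cookie and Set-Cookie header values, every cookie value in the request and response cookie arrays, and query-string and form parameters whose names look like tokens, sessions or passwords, while leaving the rest of the capture intact so it still serves for troubleshooting.

```python
import json
import re
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names whose values routinely carry credentials or session material (assumed list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-csrf-token"}
# Name fragments that mark a query-string or form parameter as sensitive (assumed list).
SENSITIVE_PARAM_HINTS = ("token", "session", "password", "passwd", "secret", "api_key", "apikey", "sid")


def _is_sensitive_param(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_PARAM_HINTS)


def _redact_pairs(pairs, predicate) -> int:
    """Redact the 'value' of each {name, value} record whose name satisfies predicate."""
    count = 0
    for pair in pairs or []:
        if predicate(pair.get("name", "")) and pair.get("value") not in (None, REDACTED):
            pair["value"] = REDACTED
            count += 1
    return count


def _redact_url(url: str) -> tuple[str, int]:
    """Redact sensitive query parameters embedded in the request URL itself."""
    parts = urlsplit(url)
    count, new_query = 0, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if _is_sensitive_param(key):
            value, count = REDACTED, count + 1
        new_query.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(new_query))), count


def _redact_form_body(text: str) -> tuple[str, int]:
    """Redact sensitive key=value pairs in a urlencoded body, keeping other fields intact."""
    count = 0

    def repl(match):
        nonlocal count
        if _is_sensitive_param(match.group(1)):
            count += 1
            return f"{match.group(1)}={REDACTED}"
        return match.group(0)

    return re.sub(r"([^&=]+)=([^&]*)", repl, text), count


def sanitize_har(har: dict) -> tuple[dict, int]:
    """Return a deep copy of the HAR with credential-bearing values redacted, plus the redaction count."""
    out = deepcopy(har)
    total = 0
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        is_secret_header = lambda n: n.lower() in SENSITIVE_HEADERS
        total += _redact_pairs(req.get("headers"), is_secret_header)
        total += _redact_pairs(resp.get("headers"), is_secret_header)
        # Every cookie value is treated as a secret, whatever the cookie is called.
        total += _redact_pairs(req.get("cookies"), lambda n: True)
        total += _redact_pairs(resp.get("cookies"), lambda n: True)
        total += _redact_pairs(req.get("queryString"), _is_sensitive_param)
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            total += n
        post = req.get("postData") or {}
        total += _redact_pairs(post.get("params"), _is_sensitive_param)
        if isinstance(post.get("text"), str):
            post["text"], n = _redact_form_body(post["text"])
            total += n
    return out, total


# Constructed two-entry HAR: a session lookup carrying a token and a form login. Not a real capture.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed-sample", "version": "0"}, "entries": [
    {"request": {"method": "GET", "url": "https://example.okta.test/api/v1/sessions/me?sessionToken=abc123",
                 "headers": [{"name": "Accept", "value": "application/json"},
                             {"name": "Cookie", "value": "sid=102ABCDEF; DT=xyz"},
                             {"name": "Authorization", "value": "Bearer 00aBcDeF"}],
                 "cookies": [{"name": "sid", "value": "102ABCDEF"}, {"name": "DT", "value": "xyz"}],
                 "queryString": [{"name": "sessionToken", "value": "abc123"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Content-Type", "value": "application/json"},
                              {"name": "Set-Cookie", "value": "sid=NEW; Path=/; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "NEW"}], "content": {"mimeType": "application/json", "text": "{}"}}},
    {"request": {"method": "POST", "url": "https://example.okta.test/api/v1/authn",
                 "headers": [{"name": "Content-Type", "value": "application/x-www-form-urlencoded"}],
                 "cookies": [], "queryString": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "username=alice&password=hunter2&remember=1",
                              "params": [{"name": "username", "value": "alice"},
                                         {"name": "password", "value": "hunter2"},
                                         {"name": "remember", "value": "1"}]}},
     "response": {"status": 200, "headers": [], "cookies": [], "content": {"text": ""}}}]}}

if __name__ == "__main__":
    clean, redactions = sanitize_har(SAMPLE_HAR)
    print(f"{redactions} values redacted")
    print(json.dumps(clean, indent=2))
```

To use it on a real capture, load the file with `json.load`, pass the resulting dict to `sanitize_har`, and write the returned copy out; the original file is never modified. Over-redaction is the safe direction here, which is why every cookie value is blanked rather than only the ones whose names look sensitive.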
Cisco identifies additional IOS XE vulnerability
Last week we reported on the vulnerability CVE-2023-20198, rated at the maximum severity score of 10, which at the time did not have a patch. Now, in preparing a patch for release yesterday, Sunday, Cisco also mentioned that their incident responders had observed attackers exploiting CVE-2021-1435 as well, which Cisco had patched in 2021. The company noted that, “devices fully patched against that bug were seen infected by implants successfully installed through an as of yet undetermined mechanism.” The patch released yesterday was intended to deal with both issues, with the 2021 vulnerability being repackaged as CVE-2023-20273.
According to Bleeping Computer, over the weekend, numerous cybersecurity organizations reported that “the number of Cisco IOS XE devices with a malicious implant has mysteriously dropped from approximately 60,000 devices to only 100-1,200, depending on the different scans”; however, experts are unsure as to whether “threat actors behind the attacks are deploying an update to hide their presence, thus causing the implants to be no longer seen in scans,” or whether a “gray-hat hacker is automating the reboot of impacted Cisco IOS XE devices to clear the implant.”
(The Record and Bleeping Computer)
CISA protests potential 25% budget cut as “catastrophic”
This from Eric Goldstein, executive assistant director for cybersecurity at CISA, speaking at a House Homeland Security cybersecurity and infrastructure protection subcommittee hearing on federal cybersecurity, held Wednesday. The 25% cut to CISA’s budget has been proposed by House Republicans. Goldstein said that CISA will effectively be “in a period of stasis where even as our adversaries evolve,” adding that such cuts would make “federal networks more vulnerable to attacks from U.S. adversaries like Russia, China, Iran and North Korea.”
Threat actor sells access to Facebook and Instagram police portal
According to Alon Gal, co-founder & CTO of Hudson Rock, the portal is used by law enforcement to “request data relating to users (IP, phones, DMs, device info) or request the removal of posts and the ban of accounts.” Gal believes this was a social engineering attack in which the threat actor either solicited access data from a Meta employee or used police credentials to gain access. This gives the individual the ability to make unauthorized data requests, enable harassment and doxxing, initiate fake law enforcement actions, and steal identities.
(Security Affairs)
Thanks to today’s episode sponsor, Vanta

Over 80% of security leaders have already received AI email attacks
A recent report from Abnormal Security has revealed that nearly all (98%) security leaders are concerned about the cybersecurity risks posed by artificial intelligence (AI) tools with four-fifths (80.3%) of respondents confirming their organizations have either already received AI-generated email attacks or strongly suspect that this is the case. The majority of respondents rely on their cloud email providers or legacy tools for email security. Nearly half of respondents (46%) lack confidence in traditional solutions to detect and block AI-generated attacks. Finally, 92% of survey participants see the value in using AI to defend against AI-generated email threats while more than 94% say that AI will have a major impact on their cybersecurity strategy over the next two years.
Microsoft’s Scattered Spider warning
Microsoft has described the group as “one of the most dangerous financial criminal groups,” pointing to its “operational fluidity and its ability to incorporate SMS phishing, SIM swapping, and help desk fraud into its attack model.” The group has been seen using impersonation techniques, with members posing as newly hired employees in its target firms in order to blend in. The group is also known by other names, including Octo Tempest, 0ktapus, Scatter Swine, and UNC3944.
Microsoft tests Security Copilot
Microsoft first announced its Copilot would receive a security-focused offering back in March. It will now open up an early access pilot embedded within Microsoft 365 Defender XDR. The company says Security Copilot can free up to 40% more time that would otherwise go to mundane tasks. The company frames the service as a way to upskill less-skilled analysts. In terms of features, Security Copilot can summarize security incidents into natural language, analyze incidents, and synthesize reports. It can also use natural language prompts to create KQL queries.