
Security Skim: November 9th

“When it rains, it pours.”

Someone

Where have I been? I set up everything for my recordings as part of the Security Skim Workflow. I was ready to go, and then my roof started leaking in my office. It had been leaking so long that mushrooms grew from my carpet. I didn’t notice because it was leaking behind a guest bed, and the leak was behind the wall. I only found out because my cat and I were playing, and she chased her ball under the bed. I reached down low, and behind the bed the new carpet was soaking wet and a mushroom was growing. Hard to believe, but it does happen! Luckily, it was only one mushroom, but my office was damaged. Things have been on hold while I fix the roof leak, rip out the carpet, replace the tack strips, and replace any rot. Anyway, I finally got time to sit down and catch up on the security world, so here we go!

Okta Breach

Okta Logo

Okta, a leading identity and access management (IAM) provider, revealed that a threat actor accessed files belonging to 134 of its customers, including Cloudflare, 1Password, and BeyondTrust, after breaching its backend support case management system. The attacker used a service account with permission to view and update customer cases and downloaded HTTP Archive (HAR) files that customers had uploaded for troubleshooting. A HAR file is a full recording of a browser session, request headers and cookies included, so some of them contained live Okta session tokens; those tokens were replayed to hijack administrator sessions at five of the 134 customers. Okta traced the exposure of the service account to an employee’s personal Google account: the employee had signed into a personal Google profile in Chrome on an Okta-managed laptop, and the service account’s username and password were saved into that profile, so a compromise of the personal account or a personal device is the likely path. The unauthorized access ran from September 28 to October 17. 1Password reported suspicious activity on September 29, but Okta did not confirm the attacker’s access until October 13. Okta disabled the compromised account and added monitoring to the customer support system, among other remediation steps.

Key Points:

  1. Breach Details: Okta disclosed that the attacker accessed files related to 134 customers, including prominent organizations such as Cloudflare, 1Password, and BeyondTrust. Session tokens recovered from uploaded HAR files were replayed against the Okta admin consoles of five of those customers.
  2. Attack Vector: The threat actor used a service account with permissions to view and update customer cases. The account’s credentials had been saved in an employee’s personal Google profile in Chrome on a company laptop, so the most likely route in was a compromise of that employee’s personal Google account or a personal device, not Okta’s own infrastructure.
  3. Timeline and Detection: The unauthorized access lasted from September 28 to October 17. Okta opened an investigation on September 29 after a report from 1Password, but the attacker’s use of the support system’s Files tab did not surface until October 13, when an indicator supplied by an affected customer matched file-access events tied to the service account.
  4. Remediation Actions: Okta disabled the compromised service account, blocked the use of personal Google profiles in Chrome on company laptops, added monitoring to the customer support system, and bound Okta administrator session tokens to network location so that a token replayed from a different network forces re-authentication rather than granting access.
  5. Customer Impact: Cloudflare, 1Password, and BeyondTrust all detected the activity themselves and confirmed no loss of customer data. The other two of the five targeted organizations have not been named.
  6. Previous Security Incident: In a separate incident, data of 4,961 current and former Okta employees, including names, health insurance plan numbers, and Social Security numbers, was compromised following a breach at third-party vendor Rightway Healthcare.
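The practical lesson from the HAR angle is that a HAR file should never leave your hands with live cookies or bearer tokens in it. The script below is an added example written for this post (it is not Okta’s tooling and Okta publishes its own sanitizer); it walks the public HAR 1.2 layout (`log.entries[].request`/`response` with `headers[]`, `cookies[]`, `queryString[]`, `postData.text`, `content.text`), redacts the header names, cookie values and query parameters that usually carry session material, scrubs JWT-shaped strings out of bodies, and can also be used as a pre-upload check. The header and parameter lists are assumed starting points, and the sample HAR is constructed for the demo.

```python
"""Scrub session material from a HAR file before attaching it to a support case.

Added example, not Okta's tooling. Field layout follows the public HAR 1.2 format.
The sample HAR at the bottom is constructed for the demo.
"""
import copy
import json
import re
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names whose values routinely carry bearer or session material (assumed list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key", "x-auth-token"}
# Query parameters that often carry tokens (assumed starting list; extend per app).
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "code", "session", "sid"}
REDACTED = "[REDACTED]"
# Loose JWT shape, so tokens embedded in request/response bodies are caught too.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")


def _redact_named(pairs, names):
    """Redact the value of every {name, value} pair whose name is in `names`."""
    n = 0
    for p in pairs or []:
        if p.get("name", "").lower() in names and p.get("value") != REDACTED:
            p["value"] = REDACTED
            n += 1
    return n


def _redact_all(pairs):
    """Redact every value (used for HAR's parsed cookies[] arrays)."""
    n = 0
    for p in pairs or []:
        if p.get("value") != REDACTED:
            p["value"] = REDACTED
            n += 1
    return n


def _redact_jwts(obj, key):
    """Replace JWT-looking substrings inside obj[key] when it is a string."""
    text = obj.get(key)
    if not isinstance(text, str):
        return 0
    obj[key], n = JWT_RE.subn(REDACTED, text)
    return n


def _redact_url(req):
    """Redact sensitive query parameters in the raw request URL as well."""
    url = req.get("url")
    if not isinstance(url, str):
        return 0
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    n = sum(1 for k, v in pairs if k.lower() in SENSITIVE_PARAMS and v != REDACTED)
    if n:
        pairs = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
        req["url"] = urlunsplit(parts._replace(query=urlencode(pairs)))
    return n


def sanitize_har(har):
    """Return (sanitized deep copy, number of redactions made). Input is untouched."""
    har = copy.deepcopy(har)
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        count += _redact_url(req)
        count += _redact_named(req.get("headers"), SENSITIVE_HEADERS)
        count += _redact_named(resp.get("headers"), SENSITIVE_HEADERS)
        count += _redact_all(req.get("cookies"))   # HAR repeats cookies here, parsed
        count += _redact_all(resp.get("cookies"))
        count += _redact_named(req.get("queryString"), SENSITIVE_PARAMS)
        if "postData" in req:
            count += _redact_jwts(req["postData"], "text")
        if "content" in resp:
            count += _redact_jwts(resp["content"], "text")
    return har, count


def contains_session_material(har):
    """Pre-upload check: True if the file still carries anything we would redact."""
    return sanitize_har(har)[1] > 0


# Constructed sample: one request to a hypothetical tenant carrying a session cookie,
# a bearer token, a token query parameter, and a JWT in the response body.
JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abcdefghij"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/api/v1/users/me?token=abc123",
        "headers": [{"name": "Host", "value": "example.okta.com"},
                    {"name": "Cookie", "value": "sid=102abcdef; DT=xyz"},
                    {"name": "Authorization", "value": "Bearer " + JWT}],
        "cookies": [{"name": "sid", "value": "102abcdef"}, {"name": "DT", "value": "xyz"}],
        "queryString": [{"name": "token", "value": "abc123"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102abcdef; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "102abcdef"}],
        "content": {"mimeType": "application/json", "text": '{"id_token":"' + JWT + '"}'},
    },
}]}}

if __name__ == "__main__":
    # Usage: python har_scrub.py capture.har > capture.scrubbed.har
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, n = sanitize_har(src)
    print(json.dumps(clean, indent=1))
    print(f"redacted {n} values", file=sys.stderr)
```

Redacting by header name rather than by value pattern is deliberate: a session cookie does not have a recognizable shape, so the only safe rule is to strip every `Cookie`, `Set-Cookie` and `Authorization` value outright. The JWT regex is a second net for tokens that end up in bodies, not a substitute for that rule.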

Conclusion:

The Okta breach highlights the importance of securing service accounts and employee credentials. Allowing employees to sign into personal accounts and save company passwords in their cloud-connected browser is a big no-no. I have to throw some shade at Facebook because to use their Facebook Business platform, you must use your personal account. They don’t allow you to create a separate business login. This was an absolute nightmare at a company I was working for.

Russian Sandworm Group Disrupted Power in Ukraine

Google-owned cybersecurity firm Mandiant revealed that Sandworm, the Russian military intelligence hacking group, carried out a disruptive cyber-attack against a Ukrainian critical infrastructure organization in late 2022. The intrusion began in June 2022 and culminated in two disruptive events on October 10 and 12, 2022: first an unplanned power outage, then a wiper deployed in the victim’s IT environment to hamper the investigation. What makes the case notable is the technique. Rather than custom ICS malware, Sandworm used OT-level living off the land (LotL) methods, abusing tooling already present in the victim’s substation environment. The operators mounted an optical disc (ISO) image and used it to run the native control software, issuing commands that opened the substation’s circuit breakers. The outage coincided with Russian missile strikes on critical infrastructure across Ukraine. Mandiant emphasized the growing maturity of Russia’s offensive OT arsenal and urged OT asset owners to take action to mitigate the threat.

Key Points:

  1. Attack Details: Mandiant tracked the activity as UNC3810 before merging it into Sandworm. The operators used OT-level living off the land (LotL) techniques against the victim’s substation environment: an optical disc (ISO) image was mounted and used to launch the native control software, which issued commands that opened circuit breakers and caused an unplanned power outage coinciding with missile strikes on Ukraine’s critical infrastructure.
  2. Timing of Attacks: Mandiant did not conclusively establish that the cyber-attack was coordinated with the missile strikes, but it considered the timing far too close to be coincidental and assessed that the attack may have been intended to deepen the psychological toll of the war, with civilians bearing the consequences.
  3. Maturity of Offensive OT Arsenal: The attack demonstrated the growing maturity of Russia’s offensive OT capabilities: the ability to recognize novel OT threat vectors, develop new capabilities, and turn different types of OT infrastructure into attack tooling.
  4. Sandworm Hacker Group: Sandworm, also known as Telebots, Voodoo Bear, and Iron Viking, is linked to the Main Center for Special Technologies (GTsST), a cyber warfare unit of Russia’s military intelligence service (GRU). The group has a long history of disruptive and destructive attacks in Ukraine, often using wiper malware.
  5. Mitigation: Mandiant urged OT asset owners to act on the threat. Because this intrusion relied on native OT tooling rather than malware, signature-based defenses have little to catch; the practical response is to harden and monitor the tools themselves: restrict which accounts and hosts may invoke control software, log and alert on control command execution and on removable or virtual media (such as ISO mounts) inside the substation network, and segment OT from IT so that a foothold in the corporate environment cannot reach the control layer.
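One cheap detection that falls straight out of the ISO detail is to correlate “virtual disk attached” with “process launched from that disk” on the same host. The script below is an added example written for this post, not Mandiant’s tooling. Its log format (an ISO-8601 timestamp followed by key=value fields, quoted when they contain spaces) and the event names `iso_mount`, `iso_unmount` and `process_start` are an assumed schema; in practice you would map them onto your own telemetry, for example Sysmon process-creation events plus whatever your endpoint agent emits when a virtual disk is attached. The one-hour window is an assumed tuning value and the sample lines are constructed.

```python
"""Flag processes launched from a freshly mounted ISO image, per host.

Added example, not Mandiant's tooling. Log schema (timestamp + key=value fields,
event names iso_mount / iso_unmount / process_start) is assumed; sample lines are
constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # execution from a mount older than this is not correlated
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """'2023-11-09T10:00:00Z host=x event=y k="v w"' -> dict, datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for key, quoted, bare in FIELD_RE.findall(rest):
        rec[key] = quoted if quoted else bare
    return rec


def drive_of(path):
    """'E:\\tools\\ctl.exe' -> 'E:' (Windows drive letter, upper-cased), else None."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else None


def correlate(lines):
    """Return one alert per process_start whose image lives on a recently mounted ISO."""
    mounts = defaultdict(dict)   # host -> {drive letter: (mount time, image path)}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        host, event = rec["host"], rec["event"]
        if event == "iso_mount":
            mounts[host][rec["volume"].upper()] = (rec["ts"], rec.get("image", "?"))
        elif event == "iso_unmount":
            mounts[host].pop(rec["volume"].upper(), None)
        elif event == "process_start":
            hit = mounts[host].get(drive_of(rec["image"]))
            if hit and rec["ts"] - hit[0] <= WINDOW:
                alerts.append({
                    "host": host,
                    "ts": rec["ts"].isoformat(),
                    "process": rec["image"],
                    "from_iso": hit[1],
                    "seconds_after_mount": int((rec["ts"] - hit[0]).total_seconds()),
                })
    return alerts


# Constructed sample: one hit on hmi01, a benign cmd.exe, a launch after unmount
# (ignored), and a launch four hours after a mount on ws02 (outside WINDOW).
SAMPLE_LOG = [
    '2023-11-09T10:00:00Z host=hmi01 event=iso_mount volume=E: image="C:\\Users\\op\\Downloads\\update.iso"',
    '2023-11-09T10:02:10Z host=hmi01 event=process_start image="E:\\tools\\ctl.exe" parent=explorer.exe',
    '2023-11-09T10:03:00Z host=hmi01 event=process_start image="C:\\Windows\\System32\\cmd.exe" parent=explorer.exe',
    '2023-11-09T10:10:00Z host=hmi01 event=iso_unmount volume=E:',
    '2023-11-09T10:11:00Z host=hmi01 event=process_start image="E:\\tools\\ctl.exe" parent=explorer.exe',
    '2023-11-09T08:00:00Z host=ws02 event=iso_mount volume=D: image="C:\\temp\\installer.iso"',
    '2023-11-09T12:00:00Z host=ws02 event=process_start image="D:\\setup.exe" parent=explorer.exe',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The state is kept per host and per drive letter, and an unmount clears it, so a later process from the same letter after a legitimate remount is judged against the new mount time rather than the old one. In an OT network the right follow-up is not just the alert but the question of why an ISO was mounted on an HMI or engineering workstation at all.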

Conclusion:

The Sandworm hacking group’s attack on Ukrainian critical infrastructure underscores the persistent threat posed by state-backed cyber adversaries. Organizations, particularly those in the critical infrastructure sector, must bolster their cybersecurity measures and collaborate with cybersecurity experts to defend against evolving cyber threats. Cyber attacks are becoming a larger part of the battlefield. Future wars will see many more of them, because the ratio of cost to damage done is far lower than for a conventional strike.

Flipper Zero Strikes Again! DoSing iPhones via Bluetooth

Security researcher Jeroen van der Ham had his iPhone repeatedly disrupted by Bluetooth-based attacks during his train commute in the Netherlands. Another passenger was using a Flipper Zero to blast out Bluetooth Low Energy (BLE) advertising packets that imitate nearby Apple accessories, which makes every iPhone within radio range throw up pairing pop-ups. The Flipper Zero is a portable multi-tool for pentesters and hardware tinkerers that can talk to a wide range of radio protocols, which is why it can change TV channels, clone hotel key cards, read RFID chips and, with the right firmware, render iPhones nearly unusable. At roughly $200, it democratizes RF (radio frequency) hacking, putting attacks that used to require a software-defined radio and some expertise into many more hands. The episode highlights weaknesses in how phones handle unsolicited Bluetooth advertisements and the need for better protection against such disruptions.

Key Points:

  1. Bluetooth Disruptions: A passenger on a train in the Netherlands used a Flipper Zero running third-party firmware to flood the car with spoofed BLE advertisements, causing pairing pop-ups and, on some phones, reboots on every iPhone within radio range. The phones became nearly unusable, and multiple devices in the same train car were affected.
  2. Flipper Zero Device: The Flipper Zero is a portable multi-tool designed for hacking radio protocols, building access control systems, troubleshooting hardware, cloning electronic key cards and RFID cards, and serving as a universal TV remote. Its open source design allows users to flash custom firmware and expand its capabilities, which is how the Bluetooth spam feature arrived.
  3. Democratizing RF Hacking: Flipper Zero’s affordable price and convenient form factor have put RF hacking within reach of a broad audience. Users can perform a range of attacks without an expensive software-defined radio (SDR) or the skill to drive one, so casual technology enthusiasts now have capabilities that used to be reserved for specialists.
  4. Vulnerabilities in Bluetooth Security: The disruptions exposed how poorly iPhones handled unsolicited BLE advertisements. Android and Windows devices can be hit by similar spam, but on those platforms users can simply disable the relevant notifications; on an iPhone the only reliable workaround at the time was to turn Bluetooth off entirely from Settings (the Control Center toggle does not fully disable it), which makes the attack hard to mitigate without giving up Bluetooth altogether.
  5. Expanding RF Hacking Capabilities: Flipper Zero and similar devices are expanding the reach of RF hacking, bringing previously obscure and insecure RF systems within range of simple tools. As attacks become both more sophisticated and more accessible, poorly secured technology becomes increasingly vulnerable.
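If you run a BLE sniffer in an office or venue, the flood is easy to recognize: dozens of advertisements per second carrying Apple’s manufacturer identifier, each from a different (randomized) source address. The script below is an added example written for this post, not Flipper or Apple code. It parses the standard BLE advertising data layout (repeated `[length][AD type][data]` structures), pulls the 16-bit company identifier out of manufacturer-specific data (AD type `0xFF`; Apple’s assigned ID is `0x004C`), and flags any one-second bucket in which many Apple-flavoured advertisements arrive from many distinct addresses. It does not decode the Apple continuity message itself. The rate and address-count thresholds are assumed tuning values, and the capture is constructed rather than a real sniff.

```python
"""Spot BLE advertisement floods of the kind used to spam iPhones with pairing pop-ups.

Added example, not Flipper or Apple code. Thresholds are assumed tuning values and
the capture below is constructed.
"""
from collections import defaultdict

AD_FLAGS = 0x01
AD_MANUFACTURER_SPECIFIC = 0xFF
APPLE_COMPANY_ID = 0x004C
MICROSOFT_COMPANY_ID = 0x0006

PACKETS_PER_SECOND = 20   # assumed: genuine accessories advertise far slower than this
DISTINCT_ADDRESSES = 10   # assumed: a real accessory keeps one address while pairing


def parse_ad_structures(payload: bytes):
    """Split an advertising payload into (ad_type, data) tuples."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:            # zero-length structure terminates the payload
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def company_id(payload: bytes):
    """Return the 16-bit company identifier from manufacturer data, or None."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_MANUFACTURER_SPECIFIC and len(data) >= 2:
            return int.from_bytes(data[:2], "little")
    return None


def detect_floods(packets):
    """packets: iterable of (timestamp_seconds, source_address, payload_bytes).
    Returns one {second, count, addresses} dict per one-second bucket that looks like spam."""
    buckets = defaultdict(lambda: {"count": 0, "addrs": set()})
    for ts, addr, payload in packets:
        if company_id(payload) != APPLE_COMPANY_ID:
            continue
        b = buckets[int(ts)]
        b["count"] += 1
        b["addrs"].add(addr)
    return [
        {"second": sec, "count": b["count"], "addresses": len(b["addrs"])}
        for sec, b in sorted(buckets.items())
        if b["count"] >= PACKETS_PER_SECOND and len(b["addrs"]) >= DISTINCT_ADDRESSES
    ]


def vendor_adv(cid: int, body: bytes) -> bytes:
    """Build a payload: a flags structure followed by manufacturer-specific data."""
    mfr = cid.to_bytes(2, "little") + body
    return bytes([2, AD_FLAGS, 0x06, len(mfr) + 1, AD_MANUFACTURER_SPECIFIC]) + mfr


def fake_addr(n: int) -> str:
    return "c0:ff:ee:%02x:%02x:%02x" % ((n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF)


# Constructed capture: a 40-packet burst inside one second from 40 rotating addresses,
# a slow trickle from a single accessory-like address, and a burst from a non-Apple
# vendor that must not be flagged. BODY stands in for the (undecoded) continuity bytes.
BODY = bytes(range(0x10, 0x20))
SAMPLE_CAPTURE = (
    [(100.0 + i / 40, fake_addr(i), vendor_adv(APPLE_COMPANY_ID, BODY)) for i in range(40)]
    + [(50.0 + 2 * i, "aa:bb:cc:dd:ee:ff", vendor_adv(APPLE_COMPANY_ID, BODY)) for i in range(3)]
    + [(200.0 + i / 30, fake_addr(1000 + i), vendor_adv(MICROSOFT_COMPANY_ID, b"\x01\x02"))
       for i in range(30)]
)

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_CAPTURE):
        print(alert)
```

The two-part threshold matters: rate alone would also fire on a crowded train full of genuine AirPods, while the rotating-address condition is what separates a spammer cycling random source addresses from real accessories that hold one address during the pairing window.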

Conclusion:

The disruptive Bluetooth attacks carried out by the Flipper Zero device underscore the vulnerabilities in Bluetooth security and the broader challenges posed by RF hacking. I actually have one of these devices, and developers are cranking out firmware to make pen testing easier and easier. The device is incredibly useful as a pen testing tool, but people will abuse it. If anything, this device is bringing to light years of RF security neglect.

Microsoft New ‘Secure Future Initiative’ After Attack

Microsoft has announced a new ‘Secure Future Initiative’ (SFI) in response to recent intrusions and security vulnerabilities, most visibly the Storm-0558 incident in which a stolen consumer signing key was used to forge access tokens for customer email. The initiative puts security by default first and reworks the Software Development Lifecycle (SDL) around current attack trends. Microsoft plans to move identity signing keys into a hardened Azure Hardware Security Module (HSM) and confidential computing infrastructure, so the keys are protected at rest, in transit, and while in use. Key replacement will be automated and frequent, with no human ever handling the key material, which shrinks the window in which a leaked key is useful. The company will also apply AI to automate threat modeling and adopt memory-safe languages such as Rust to eliminate whole classes of memory-safety bugs.

Microsoft intends to implement Azure tenant baseline controls across internal tenants by default, reducing configuration management effort and ensuring adherence and auto-remediation of settings during deployment. The goal is to achieve 100% auto-remediation without impacting service availability. Additionally, Microsoft aims to reduce the time taken to mitigate cloud vulnerabilities by 50% and will advocate against non-disclosure agreements for third-party researchers to promote transparency in vulnerability reporting.

Key Points:

  1. Security by Default: Microsoft’s Secure Future Initiative emphasizes security by default, echoing the Trustworthy Computing push of the early 2000s that reshaped how its products were built.
  2. Protection of Signing Keys: Microsoft plans to move identity signing keys into an integrated, hardened Azure HSM and confidential computing infrastructure, keeping them encrypted at rest, in transit, and while in use. Automation will enable high-frequency key replacement without human intervention.
  3. Adoption of Secure Coding Practices: Microsoft will use AI to automate threat modeling and adopt memory-safe languages like Rust to remove memory-safety vulnerabilities at the language level.
  4. Azure Tenant Baseline Controls: Microsoft will apply Azure tenant baseline controls across its internal tenants by default, cutting the engineering effort spent on configuration management. The target is 100% auto-remediation of drift without impacting service availability.
  5. Transparency in Vulnerability Reporting: Microsoft intends to halve the time taken to mitigate cloud vulnerabilities and will advocate against non-disclosure agreements for third-party researchers, making transparent vulnerability reporting a stated goal of the initiative.
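The signing-key part of the plan is worth seeing in code, because the properties that matter (every token names the key that signed it, keys rotate on a schedule without a person touching them, and a retired key stops verifying after a short grace period) are easy to state and easy to get wrong. The block below is an added example written for this post, not Microsoft’s implementation. It uses HMAC-SHA256 from the standard library so it runs anywhere; in a real deployment the secret would be generated and held inside an HSM and `KeyRing` would call the HSM’s sign API rather than hold key bytes. The rotation period, grace period and token lifetime are assumed policy values.

```python
"""Token signing with automated key rotation and a bounded acceptance window.

Added example, not Microsoft's implementation. HMAC-SHA256 stands in for an
HSM-backed signature; ROTATE_EVERY, GRACE and TOKEN_TTL are assumed policy values.
"""
import base64
import hashlib
import hmac
import json
import os

ROTATE_EVERY = 1800   # seconds between automatic key rotations
GRACE = 300           # a retired key still verifies for this long after rotation
TOKEN_TTL = 3600      # lifetime of an issued token


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class KeyRing:
    """Signing keys by key id (kid). Keys are minted by the ring itself, so no
    human ever handles them, and are deleted once their grace window ends."""

    def __init__(self, now: float):
        self._keys = {}      # kid -> {"secret", "created", "retired"}
        self._seq = 0
        self.current = None
        self.rotate(now)

    def rotate(self, now: float) -> str:
        """Mint a new key and mark the previous one as retired as of `now`."""
        if self.current is not None:
            self._keys[self.current]["retired"] = now
        self._seq += 1
        kid = f"k{self._seq:04d}"
        self._keys[kid] = {"secret": os.urandom(32), "created": now, "retired": None}
        self.current = kid
        self._purge(now)
        return kid

    def maybe_rotate(self, now: float) -> bool:
        """Rotate when the current key is older than ROTATE_EVERY; always purge."""
        if now - self._keys[self.current]["created"] >= ROTATE_EVERY:
            self.rotate(now)
            return True
        self._purge(now)
        return False

    def _purge(self, now: float) -> None:
        dead = [k for k, e in self._keys.items()
                if e["retired"] is not None and now - e["retired"] > GRACE]
        for k in dead:
            del self._keys[k]          # gone for good: nothing can verify with it

    def kids(self):
        return sorted(self._keys)

    def signing_secret(self) -> bytes:
        return self._keys[self.current]["secret"]

    def verifying_secret(self, kid, now: float):
        """Secret for `kid` while it is current or inside its post-rotation grace
        window; None for unknown, purged or out-of-window keys."""
        e = self._keys.get(kid)
        if e is None or (e["retired"] is not None and now - e["retired"] > GRACE):
            return None
        return e["secret"]


def sign(ring: KeyRing, claims: dict, now: float) -> str:
    """Issue a compact token (header.body.signature) naming the current kid."""
    ring.maybe_rotate(now)
    header = b64url(json.dumps({"alg": "HS256", "kid": ring.current}, separators=(",", ":")).encode())
    body = b64url(json.dumps({**claims, "iat": int(now), "exp": int(now) + TOKEN_TTL},
                             separators=(",", ":")).encode())
    sig = hmac.new(ring.signing_secret(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify(ring: KeyRing, token: str, now: float):
    """Return (claims, "ok") or (None, reason). The kid is checked against the
    ring's acceptance window before any signature maths happens."""
    try:
        h, b, s = token.split(".")
        header, sig = json.loads(unb64url(h)), unb64url(s)
    except ValueError:                      # bad split, bad base64 or bad JSON
        return None, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "bad alg"
    secret = ring.verifying_secret(header.get("kid"), now)
    if secret is None:
        return None, "unknown or retired kid"
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    claims = json.loads(unb64url(b))
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, "ok"
```

Two details carry the security weight. The key id is looked up against a window the verifier controls, so a token signed with a key that has aged out is refused regardless of its own `exp` claim; and retired keys are deleted rather than kept, so even a verifier bug cannot resurrect them. Rotation is triggered from the signing path, which is what “without human access” means in practice: nobody runs a rotation job, the system rotates itself.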

Conclusion:

While Microsoft deserves some of the flak for the attack they had, I don’t think they deserve all of it. This wasn’t some simple breach where an employee plugged in a USB they found in the parking lot or logged into their personal account and saved a password. The attackers had the foresight to link a crash dump with a vulnerability in Azure. I am glad they are taking things more seriously, especially since their cloud services have really started to ramp up.

Industrial & Commercial Bank of China Ransomware Attack

The Industrial & Commercial Bank of China (ICBC) is recovering from a ransomware attack on its U.S. broker-dealer arm, ICBC Financial Services, that disrupted the U.S. Treasury market and caused equities clearing problems. ICBC, China’s largest bank and the world’s largest commercial bank by revenue, lost connectivity with DTCC/NSCC, which hit its clearing customers: ICBC was unable to settle U.S. Treasury trades for other market participants and temporarily suspended inbound FIX connections and order acceptance. ICBC has not released an official statement, but industry sources have confirmed the ransomware attack. Security researcher Kevin Beaumont noted that an ICBC Citrix NetScaler appliance that had not been patched against the actively exploited ‘Citrix Bleed’ bug (CVE-2023-4966) had since gone offline. Citrix Bleed leaks session tokens from the appliance’s memory, so patching alone is not enough: existing sessions have to be terminated as well, or a token stolen before the patch stays usable afterwards.

Key Points:

  1. Ransomware Disruption: ICBC, China’s largest bank, faced a ransomware attack that disrupted the U.S. Treasury market, causing equities clearing issues and connectivity problems with DTCC/NSCC.
  2. Impact on U.S. Treasury Trades: The attack prevented ICBC from settling U.S. Treasury trades for other market participants, affecting the bank’s clearing customers and prompting the temporary suspension of inbound FIX connections and order acceptance.
  3. ICBC’s Response: ICBC has not issued an official statement, but industry sources have confirmed the ransomware attack. A security researcher noted that an unpatched ICBC Citrix NetScaler appliance, vulnerable to ‘Citrix Bleed’ (CVE-2023-4966), had since gone offline.
  4. ICBC’s Profile: ICBC is the largest commercial bank in the world by revenue, reporting $214.7 billion in revenue and $53.5 billion in profits in 2022. It serves 10.7 million corporate and 720 million individual customers, with branches in 41 countries, including the United States.

Conclusion:

I don’t normally get to write about Chinese companies getting hit by cyber attackers. They do happen, but because it’s China, we don’t get to hear much about them. Since this bank is listed on a US exchange, they had to report it. What is even more interesting is that a Citrix server that had the Citrix Bleed bug on it was never patched. We don’t know if that was the cause, but I wouldn’t be surprised now that it is offline. Some security engineer over there is probably banging his head against the table.

Conclusion

I do hope I can get my office repaired soon. I am doing most of the work myself, so we shall see. I will keep everyone updated! Good luck to all the engineers out there, and until next time, stay safe!
