Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/)

Web-Based PLC Malware: A New Technique to Hack Industrial Control Systems
https://www.securitynewspaper.com/2024/03/08/web-based-plc-malware-a-new-technique-to-hack-industrial-control-systems/
Fri, 08 Mar 2024 16:12:00 +0000

In a significant development that could reshape the cybersecurity landscape of industrial control systems (ICS), a team of researchers from the Georgia Institute of Technology has unveiled a novel form of malware targeting Programmable Logic Controllers (PLCs). The study, led by Ryan Pickren, Tohid Shekari, Saman Zonouz, and Raheem Beyah, presents a comprehensive analysis of Web-Based PLC (WB PLC) malware, a sophisticated attack strategy exploiting the web applications hosted on PLCs. This emerging threat underscores the evolving challenges in securing critical infrastructure against cyberattacks.

PLCs are the backbone of modern industrial operations, controlling everything from water treatment facilities to manufacturing plants. They have traditionally been treated as secure largely because they sat on isolated networks. The addition of embedded web servers for easier access and monitoring has removed much of that isolation and opened new avenues for attack.

The research groups the known attack methods against PLCs into two families: traditional approaches that manipulate control logic or firmware, and newer approaches that exploit the web interfaces embedded in modern PLCs. Here is an overview of both:

Traditional Attack Methods

Traditional PLC (Programmable Logic Controller) malware targets the operational aspects of industrial control systems (ICS), aiming to manipulate or disrupt the physical processes controlled by PLCs. These attacks have historically focused on two main areas: control logic manipulation and firmware modification. While effective in certain scenarios, these traditional attack methods come with significant shortcomings that limit their applicability and impact.

Control Logic Manipulation

This method involves injecting or altering the control logic of a PLC. Control logic is the set of instructions that PLCs follow to monitor and control machinery and processes. Malicious modifications can cause the PLC to behave in unintended ways, potentially leading to physical damage or disruption of industrial operations.

Shortcomings:

  • Access Requirements: Successfully modifying control logic typically requires network access to the PLC or physical access to the engineering workstation used to program the PLC. This can be a significant barrier if robust network security measures are in place.
  • Vendor-Specific Knowledge: Each PLC vendor may use different programming languages and development environments for control logic. Attackers often need detailed knowledge of these specifics, making it harder to develop a one-size-fits-all attack.
  • Detection Risk: Changes to control logic can sometimes be detected by operators or security systems monitoring the PLC’s operation, especially if the alterations lead to noticeable changes in process behavior.

Firmware Modification

Firmware in a PLC provides the low-level control functions for the device, including interfacing with the control logic and managing hardware operations. Modifying the firmware can give attackers deep control over the PLC, allowing them to bypass safety checks, alter process controls, or hide malicious activities.

Shortcomings:

  • Complexity and Risk: Developing malicious firmware requires a deep understanding of the PLC’s hardware and software architecture. There’s also a risk of “bricking” the device if the modified firmware doesn’t function correctly, which could alert victims to the tampering.
  • Physical Access: In many cases, modifying firmware requires physical access to the PLC, which may not be feasible in secure or monitored industrial environments.
  • Platform Dependence: Firmware is highly specific to the hardware of a particular PLC model. An attack that targets one model’s firmware might not work on another, limiting the scalability of firmware-based attacks.

General Shortcomings of Traditional PLC Malware

  • Isolation and Segmentation: Many industrial networks are segmented or isolated from corporate IT networks and the internet, making remote attacks more challenging.
  • Evolving Security Practices: As awareness of cybersecurity threats to industrial systems grows, organizations are implementing more robust security measures, including regular patching, network monitoring, and application whitelisting, which can mitigate the risk of traditional PLC malware.
  • Limited Persistence: Traditional malware attacks on PLCs can often be mitigated by resetting the device to its factory settings or reprogramming the control logic, although this might not always be straightforward or without operational impact.

In response to these shortcomings, attackers are continually evolving their methods. The emergence of web-based attack vectors, as discussed in recent research, represents an adaptation to the changing security landscape, exploiting the increased connectivity and functionality of modern PLCs to bypass traditional defenses.

Web-based Attack Methods

The integration of web technologies into Programmable Logic Controllers (PLCs) marks a significant evolution in the landscape of industrial control systems (ICS). This trend towards embedding web servers in PLCs has transformed how these devices are interacted with, monitored, and controlled. Emerging PLC web applications offer numerous advantages, such as ease of access, improved user interfaces, and enhanced functionality. However, they also introduce new security concerns unique to the industrial control environment. Here’s an overview of the emergence of PLC web applications, their benefits, and the security implications they bring.

Advantages of PLC Web Applications

  1. Remote Accessibility: Web applications allow for remote access to PLCs through standard web browsers, enabling engineers and operators to monitor and control industrial processes from anywhere, provided they have internet access.
  2. User-Friendly Interfaces: The use of web technologies enables the development of more intuitive and visually appealing user interfaces, making it easier for users to interact with the PLC and understand complex process information.
  3. Customization and Flexibility: Web applications can be customized to meet specific operational needs, offering flexibility in how data is presented and how control functions are implemented.
  4. Integration with Other Systems: Web-based PLCs can more easily integrate with other IT and operational technology (OT) systems, facilitating data exchange and enabling more sophisticated automation and analysis capabilities.
  5. Reduced Need for Specialized Software: Traditional PLCs generally require the vendor’s proprietary engineering software for programming and interaction. Web-based PLCs can be monitored, and in many products configured, from a standard browser, reducing the need for specialized software installations.

Security Implications

While the benefits of web-based PLC applications are clear, they also introduce several security concerns that must be addressed:

  1. Increased Attack Surface: Embedding web servers in PLCs increases the attack surface, making them more accessible to potential attackers. This accessibility can be exploited to gain unauthorized access or to launch attacks against the PLC and the industrial processes it controls.
  2. Web Vulnerabilities: PLC web applications are susceptible to the same classes of flaws as any other web application, such as cross-site scripting (XSS), cross-site request forgery (CSRF), injection flaws and overly permissive cross-origin resource sharing (CORS) policies. These can be exploited to manipulate PLC operations or to gain access to sensitive information.
  3. Authentication and Authorization Issues: Inadequate authentication and authorization mechanisms can lead to unauthorized access to PLC web applications. Ensuring robust access control is critical to prevent unauthorized actions that could disrupt industrial processes.
  4. Firmware and Software Updates: Keeping the web server and application software up to date is crucial for security. Vulnerabilities in outdated software can be exploited by attackers, but updating PLCs in an industrial environment can be challenging due to the need for continuous operation.
  5. Lack of Encryption: Not all PLC web applications use encryption for data transmission, which can expose sensitive information to interception and manipulation. Implementing secure communication protocols like HTTPS is essential for protecting data integrity and confidentiality.

WB PLC Malware Stages

The stages of Web-Based (WB) PLC malware, as presented in the paper, describe a systematic way to compromise industrial systems with malicious web code delivered through the PLC’s embedded web server and executed in the browsers of the devices that use it, rather than in the PLC’s firmware or control logic. The stages cover infection, persistence, malicious activity and covering tracks, all without a system-level compromise of the controller. By exploiting weaknesses in the web applications hosted by PLCs, the malware can stealthily manipulate real-world processes: falsifying sensor readings, disabling alarms, driving actuators and, finally, hiding its presence. This makes it a significant threat to industrial control systems.

1. Initial Infection

The “Initial Infection” stage of the WB PLC malware lifecycle focuses on getting malicious code into the PLC’s web application environment. This stage establishes the foothold from which the attacker launches everything that follows. The research describes it as follows:

Methods of Initial Infection

The initial infection can be achieved through various means, leveraging both the vulnerabilities in the web applications hosted by PLCs and the broader network environment. Key methods include:

  1. Malicious User-defined Web Pages (UWPs): Exploiting the functionality that allows users to create custom web pages for monitoring and control purposes. Attackers can upload malicious web pages that contain JavaScript or HTML code designed to execute unauthorized actions or serve as a backdoor for further attacks.
  2. Cross-Site Scripting (XSS) and Cross-Origin Resource Sharing (CORS) Misconfigurations: Leveraging vulnerabilities in the web application, such as XSS flaws or improperly configured CORS policies, attackers can inject malicious scripts that are executed in the context of a legitimate user’s session. This can lead to unauthorized access or data leakage.
  3. Social Engineering or Phishing: Utilizing social engineering tactics to trick users into visiting malicious websites or clicking on links that facilitate the injection of malware into the PLC web server. This approach often targets the human element of security, exploiting trust and lack of awareness.

Challenges and Considerations

  • Stealth and Evasion: Achieving initial infection without detection is paramount. Attackers must carefully craft their malicious payloads to avoid triggering security mechanisms or alerting system administrators.
  • Access and Delivery: The method of delivering the malicious code to the PLC’s web application varies depending on the network configuration, security measures in place, and the specific vulnerabilities of the target system. Attackers may need to conduct reconnaissance to identify the most effective vector for infection.
  • Exploiting Specific Vulnerabilities: The effectiveness of the initial infection stage often relies on exploiting specific vulnerabilities within the PLC’s web application or the surrounding network infrastructure. This requires up-to-date knowledge of existing flaws and the ability to quickly adapt to new vulnerabilities as they are discovered.

The “Initial Infection” stage sets the foundation for the subsequent phases of the WB PLC malware lifecycle, enabling attackers to execute malicious activities, establish persistence, and ultimately compromise the integrity and safety of industrial processes. Addressing the vulnerabilities and security gaps that allow for initial infection is critical for protecting industrial control systems from such sophisticated threats.

2. Persistence

The research outlines several techniques that WB PLC malware can use to achieve persistence within the PLC’s web environment:

  1. Modifying Web Server Configuration: The malware may alter the web server’s settings on the PLC to ensure that the malicious code is automatically loaded each time the web application is accessed. This could involve changing startup files or manipulating the web server’s behavior to serve the malicious content as part of the legitimate web application.
  2. Exploiting Web Application Vulnerabilities: If the PLC’s web application contains vulnerabilities, the malware can exploit these to re-infect the system periodically. For example, vulnerabilities that allow for unauthorized file upload or remote code execution can be used by the malware to ensure its persistence.
  3. Using Web Storage Mechanisms: Modern web applications can utilize various web storage mechanisms, such as HTML5 local storage or session storage, to store data on the client side. The malware can leverage these storage options to keep malicious payloads or scripts within the browser environment, ensuring they are executed whenever the PLC’s web application is accessed.
  4. Registering Service Workers: Service workers are scripts that the browser runs in the background, separate from a web page, opening the door to features that don’t need a web page or user interaction. Malicious service workers can be registered by the malware to intercept and manipulate network requests, cache malicious resources, or perform tasks that help maintain the malware’s presence.

3. Malicious Activities

In the context of the research on Web-Based Programmable Logic Controller (WB PLC) malware, the “Malicious Activities” stage is crucial as it represents the execution of the attacker’s primary objectives within the compromised industrial control system (ICS). This stage leverages the initial foothold established by the malware in the PLC’s web application environment to carry out actions that can disrupt operations, cause physical damage, or exfiltrate sensitive data. Based on the information provided in the research, here’s an overview of the types of malicious activities that can be conducted during this stage:

Manipulation of Industrial Processes

Through the PLC’s web application and its underlying web APIs, the malware can issue commands the operator never intended: changing setpoints, disabling alarms, driving actuators or spoofing the sensor values shown to operators. Such actions can lead to unsafe operating conditions, equipment damage or unplanned downtime. Because the manipulation goes through interfaces the PLC legitimately exposes, it affects physical operations without any modification to the control logic or firmware, which is what makes it hard to spot with integrity checks aimed at those layers.

Data Exfiltration

Another key activity involves stealing sensitive information from the PLC or the broader ICS network. This could include proprietary process information, operational data, or credentials that provide further access within the ICS environment. The malware can leverage the web application’s connectivity to transmit this data to external locations controlled by the attacker. Data exfiltration poses significant risks, including intellectual property theft, privacy breaches, and compliance violations.

Lateral Movement and Propagation

WB PLC malware can also serve as a pivot point for attacking additional systems within the ICS network. By exploiting the interconnected nature of modern ICS environments, the malware can spread to other PLCs, human-machine interfaces (HMIs), engineering workstations, or even IT systems. This propagation can amplify the impact of the attack, enabling the attacker to gain broader control over the ICS or to launch coordinated actions across multiple devices.

Sabotage and Disruption

The ultimate goal of many attacks on ICS environments is to cause physical sabotage or to disrupt critical operations. By carefully timing malicious actions or by targeting specific components of the industrial process, attackers can achieve significant impacts with potentially catastrophic consequences. This could include causing equipment to fail, triggering safety incidents, or halting production lines.

The “Malicious Activities” stage of WB PLC malware highlights the potential for significant harm to industrial operations through the exploitation of web-based interfaces on PLCs. The research underscores the importance of securing these interfaces and implementing robust detection mechanisms to identify and mitigate such threats before they can cause damage.

4. Cover Tracks

To ensure the longevity of the attack and to avoid detection by security systems or network administrators, the WB PLC malware includes mechanisms to cover its tracks:

  • Deleting Logs: Any logs or records that could indicate malicious activities or the presence of the malware are deleted or modified. This makes it more difficult for forensic investigations to trace the origin or nature of the attack.
  • Masquerading Network Traffic: The malware’s network communication is designed to mimic legitimate traffic patterns. This helps the malware evade detection by network monitoring tools that look for anomalies or known malicious signatures.
  • Self-Deletion: In scenarios where the malware detects the risk of discovery, it may remove itself from the compromised system. This self-deletion mechanism is designed to prevent the analysis of the malware, thereby obscuring the attackers’ techniques and intentions.

The “Cover Tracks” stage is essential for the malware to maintain its presence within the compromised system without alerting the victims to its existence. By effectively erasing evidence of its activities and blending in with normal network traffic, the malware aims to sustain its operations and avoid remediation efforts.

Evaluation and Impact

The researchers conducted a thorough evaluation of the WB PLC malware in a controlled testbed, simulating an industrial environment. Their findings reveal the malware’s potential to cause significant disruption to industrial operations, highlighting the need for robust security measures. The study also emphasizes the malware’s adaptability, capable of targeting various PLC models widely used across different sectors.

Countermeasures and Mitigations

The paper’s findings point to the need for robust security measures against WB PLC malware. Drawing on general security practice and the specific challenges this malware presents, the following countermeasures can be inferred for protecting industrial control systems (ICS):

1. Regular Security Audits and Vulnerability Assessments

Conduct comprehensive security audits and vulnerability assessments of PLCs and their web applications to identify and remediate potential vulnerabilities before they can be exploited by attackers.

2. Update and Patch Management

Ensure that PLCs, their embedded web servers, and any associated software are kept up-to-date with the latest security patches and firmware updates provided by the manufacturers.

3. Network Segmentation and Firewalling

Implement network segmentation to separate critical ICS networks from corporate IT networks and the internet. Use firewalls to control and monitor traffic between different network segments, especially traffic to and from PLCs.

4. Secure Web Application Development Practices

Adopt secure coding practices for the development of PLC web applications. This includes input validation, output encoding, and the use of security headers to mitigate common web vulnerabilities such as cross-site scripting (XSS) and cross-site request forgery (CSRF).
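The response-header policy a PLC’s embedded web server returns is where most of the above comes together: the CORS misconfiguration and XSS path used for initial infection, the service-worker registration used for persistence, and the secure-development practices just listed. The following is an added example, not code from the paper or from any PLC vendor. It shows the weak CORS behaviour beside a hardened allowlist, a Content-Security-Policy that denies worker registration, and an audit routine you can run over the headers captured from a real device. The origins, header values and function names are hypothetical.

```python
"""Added example (not code from the paper or from any PLC vendor): the CORS and
CSP policy an embedded PLC web server should return, shown as a weak
configuration beside a hardened one, plus an audit of a captured response.
All origins and header values below are hypothetical."""

from typing import Mapping

# Hypothetical allowlist: the only web origins that may call the PLC's web API
# with the operator's session cookie.
TRUSTED_ORIGINS = {"https://hmi.plant.example", "https://eng-ws.plant.example"}


def cors_headers_weak(request_origin: str) -> dict:
    """Misconfiguration: reflect whatever Origin the browser sent and allow
    credentials.  Any site an operator visits from the plant network can then
    read and write the PLC's web API using the operator's live session."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(request_origin: str, allowlist=TRUSTED_ORIGINS) -> dict:
    """Exact-match allowlist.  Unknown origins get no CORS headers at all, so
    the browser refuses to expose the response to the calling page."""
    if request_origin not in allowlist:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving one origin's answer to another
    }


def security_headers() -> dict:
    """Response headers that remove the footholds WB PLC malware relies on."""
    csp = "; ".join([
        "default-src 'self'",
        "script-src 'self'",        # no inline or third-party script: blunts reflected XSS
        "worker-src 'none'",        # CSP worker-src covers service workers: no background persistence
        "frame-ancestors 'none'",   # the PLC UI cannot be framed by another site (clickjacking)
        "form-action 'self'",
    ])
    return {
        "Content-Security-Policy": csp,
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
        "Strict-Transport-Security": "max-age=31536000",
    }


def audit_response(headers: Mapping[str, str],
                   probe_origin: str = "https://attacker.example") -> list:
    """Check the headers a PLC returned to a request carrying an untrusted
    Origin (probe_origin).  Returns a list of findings; empty means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin:
        findings.append(f"CORS reflects untrusted Origin {probe_origin}"
                        + (" with credentials" if creds else ""))
    elif acao == "*":
        findings.append("CORS allows any origin")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        if "'unsafe-inline'" in csp:
            findings.append("CSP permits inline script")
        if "worker-src 'none'" not in csp:
            findings.append("CSP does not block service-worker registration")
    if "strict-transport-security" not in h:
        findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    # Weak device: every check fires.  Hardened device: nothing to report.
    print(audit_response(cors_headers_weak("https://attacker.example")))
    print(audit_response({**cors_headers_hardened("https://attacker.example"),
                          **security_headers()}))
```

One caveat worth stating: this policy closes the cross-origin path (a malicious site reaching the PLC through the operator’s browser) and the service-worker persistence, but `script-src 'self'` does nothing against a malicious user-defined web page that was uploaded to the PLC itself, because that script is served from the PLC’s own origin. That path is an access-control problem: UWP uploads must be authenticated, authorised and logged.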

5. Strong Authentication and Authorization

Implement strong authentication mechanisms for accessing PLC web applications, including multi-factor authentication (MFA) where possible. Ensure that authorization controls are in place to limit access based on the principle of least privilege.

6. Encryption of Data in Transit and at Rest

Use encryption to protect sensitive data transmitted between PLCs and clients, as well as data stored on the PLCs. This includes the use of HTTPS for web applications and secure protocols for any remote access.

7. Intrusion Detection and Monitoring

Deploy intrusion detection systems (IDS) and continuous monitoring solutions to detect and alert on suspicious activities or anomalies in ICS networks, including potential indicators of WB PLC malware infection.

8. Security Awareness and Training

Provide security awareness training for ICS operators and engineers to recognize phishing attempts and other social engineering tactics that could be used to initiate a WB PLC malware attack.

9. Incident Response and Recovery Plans

Develop and maintain an incident response plan that includes procedures for responding to and recovering from a WB PLC malware infection. This should include the ability to quickly isolate affected systems, eradicate the malware, and restore operations from clean backups.

10. Vendor Collaboration and Information Sharing

Collaborate with PLC vendors and participate in information-sharing communities to stay informed about new vulnerabilities, malware threats, and best practices for securing ICS environments.

Implementing these countermeasures and mitigations can significantly reduce the risk of WB PLC malware infections and enhance the overall security posture of industrial control systems.

Are You Affected? American Express Credit Cards Compromised in Data Leak at a third-party service provider
https://www.securitynewspaper.com/2024/03/04/are-you-affected-american-express-credit-cards-compromised-in-massive-data-leak/
Mon, 04 Mar 2024 20:30:23 +0000

In a recent unsettling development, American Express has confirmed that sensitive information related to its credit cards has been compromised due to a data breach at a third-party service provider. This incident has raised serious concerns about the security of financial data and the implications for customers worldwide.

The Breach Explained

The breach reportedly occurred at a third-party merchant processor, and the affected American Express card data subsequently surfaced on the dark web. The exposed data includes American Express Card account numbers, expiration dates and possibly other personal information, putting customers at risk of fraud and identity theft.

American Express has been proactive in addressing the situation, notifying affected customers and urging them to remain vigilant for signs of unauthorized activity on their accounts. Despite the breach, American Express has emphasized that its own systems were not compromised, pointing to the external nature of the security lapse.

Impact on Customers

The exposure of credit card details in a third-party data breach is a stark reminder of the vulnerabilities that exist within the digital financial ecosystem. For customers, this incident underscores the importance of monitoring their financial statements regularly and reporting any suspicious transactions immediately.

American Express has assured its customers that it is taking the necessary steps to mitigate the impact of the breach. This includes offering free credit monitoring services to affected individuals to help protect their financial information from further misuse.

Industry-Wide Concerns

This incident is not isolated, as data breaches involving third-party service providers have become increasingly common. The reliance on external vendors for processing financial transactions and handling sensitive data introduces additional risks that companies must manage. It highlights the need for stringent security measures and continuous vigilance to protect against cyber threats.

Moving Forward

In response to the breach, American Express and other financial institutions are likely to reassess their relationships with third-party vendors and enhance their security protocols to prevent similar incidents in the future. This may involve more rigorous vetting processes, the implementation of advanced cybersecurity technologies, and closer collaboration between companies and their service providers to ensure the highest standards of data protection.

For customers, the breach serves as a critical reminder of the need to be proactive in safeguarding their personal and financial information. This includes using strong, unique passwords for online accounts, enabling two-factor authentication where available, and being cautious of phishing attempts and other online scams.

The exposure of American Express credit card details in a third-party data breach is a concerning event that highlights the ongoing challenges in securing financial data. As the digital landscape evolves, so too do the tactics of cybercriminals, making it imperative for both companies and consumers to remain vigilant and proactive in their cybersecurity efforts. American Express’s commitment to addressing the breach and supporting its customers is a positive step, but it also serves as a call to action for the industry to strengthen its defenses against future threats.

Update from American Express

The incidents that you are inquiring about occurred at a merchant or merchant processor and were not an attack on American Express or an American Express service provider, as some media outlets have erroneously reported. Because customer data was impacted, American Express provided notice of the incidents to Massachusetts agencies and impacted customers who reside in Massachusetts.

American Express Card Members are not liable for fraudulent charges on their accounts. We have sophisticated monitoring systems and internal safeguards in place to help detect fraudulent and suspicious activity. If we see there is unusual activity that may be fraud, we will take protective actions. We also recommend customers regularly review and monitor their account activity, and immediately contact us if they detect any suspicious activity. For added protection, customers can receive free fraud and account activity alerts via email, SMS text messaging, and/or notifications through our app.

This blog post on the Massachusetts state website may shed a little more light on the different circumstances under which financial institutions may report incidents. For example, a financial institution may report an incident that occurred at a retailer where the consumer used their bank-issued card.

How to Infiltrate Industrial OT Networks and Stay Undetected for Half a Decade
https://www.securitynewspaper.com/2024/02/08/how-to-infiltrating-industrial-ot-networks-and-stay-undetected-for-half-a-decade/
Fri, 09 Feb 2024 00:10:16 +0000

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners, has issued a critical advisory warning about the activities of People’s Republic of China (PRC) state-sponsored cyber actors. These actors, identified under the moniker Volt Typhoon among others, have been implicated in sophisticated cyber operations aimed at pre-positioning within IT networks of U.S. critical infrastructure. This strategic positioning is assessed as preparation for potential disruptive or destructive cyberattacks in the context of escalating geopolitical tensions or conflict with the United States.

The Threat Actors: Volt Typhoon

Volt Typhoon has successfully infiltrated the networks of critical infrastructure sectors, including Communications, Energy, Transportation Systems, and Water and Wastewater Systems, across the continental United States and its territories. The actors’ choice of targets and operational patterns diverge from conventional cyber espionage, indicating a clear intent towards enabling disruption of operational technology (OT) functions.

Tactics, Techniques, and Procedures (TTPs)

Volt Typhoon’s operations are characterized by the use of “living off the land” (LOTL) techniques, leveraging valid accounts and maintaining strong operational security to ensure long-term, undetected persistence within compromised environments. The actors conduct extensive reconnaissance to tailor their TTPs to the victim’s environment and have been observed maintaining access to some IT environments for at least five years.

Key stages of Volt Typhoon’s activity include:

  1. Reconnaissance: Volt Typhoon’s operations begin with meticulous reconnaissance, gathering detailed intelligence on target organizations. This phase is critical for understanding the network architecture, security measures, typical user behaviors, and identifying key network and IT staff. The actors use various methods for reconnaissance, including web searches on victim-owned sites and leveraging search engines like FOFA, Shodan, and Censys to find exposed infrastructure. This extensive pre-compromise intelligence gathering is tailored to enhance their operational security and ensure successful penetration and persistence within the target environment.
  2. Initial Access: Gaining initial access to the IT network is a pivotal step in Volt Typhoon’s operations. The actors commonly exploit known or zero-day vulnerabilities in public-facing network appliances, such as routers, VPNs, and firewalls. The use of publicly available exploit code for known vulnerabilities is frequent, but the actors are also adept at discovering and exploiting zero-day vulnerabilities. This approach allows them to establish a foothold within the network, from which they can launch further intrusion activities.
  3. Credential Access and Privilege Escalation: Once inside the network, Volt Typhoon aims to obtain administrator credentials, often by exploiting privilege escalation vulnerabilities in the operating system or network services. In some instances, credentials are obtained from insecurely stored information on a public-facing network appliance. With these credentials, the actors can move laterally within the network, accessing critical systems and data.
  4. Lateral Movement: Using valid administrator credentials, Volt Typhoon moves laterally to the domain controller and other critical devices via remote access services such as Remote Desktop Protocol (RDP). This step is crucial for expanding their access within the network and positioning themselves for further exploitation and disruption.
  5. Discovery: Post-compromise, Volt Typhoon conducts discovery activities within the victim’s network, leveraging Living Off the Land (LOTL) binaries for stealth. This includes using PowerShell to perform targeted queries on Windows event logs, focusing on specific users and periods. These queries facilitate the discreet extraction of security event logs, allowing the actors to gather critical information while minimizing detection.
  6. Domain Compromise: Achieving full domain compromise is a key objective for Volt Typhoon. The actors frequently employ the Volume Shadow Copy Service (VSS) to access the NTDS.dit file from the domain controller. This file contains critical Active Directory data, including user accounts and passwords (in hashed form), which can be leveraged for further exploitation.
  7. Persistence: Volt Typhoon relies on valid credentials for persistence within the compromised environment. This approach allows them to maintain long-term, undiscovered access to the network, enabling them to re-target the same organizations over extended periods.
  8. Defense Evasion: The actors’ strong operational security is evident in their primary use of LOTL techniques for defense evasion. By camouflaging their malicious activity with typical system and network behavior, they can circumvent simplistic endpoint security capabilities. Additionally, Volt Typhoon actors obfuscate their malware and engage in targeted log deletion to conceal their actions within the compromised environment.
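The discovery, domain-compromise and defense-evasion stages above still leave traces in Windows event logs, even when only built-in tools are used. The following Python script is an added example (not part of the advisory or of this article): it runs simple rules over constructed process-creation (4688) and audit-log-cleared (1102) records and escalates a host only when several stages of the chain co-occur; the hostnames, usernames and command lines are made up.

```python
import re
from collections import defaultdict

# Detection rules keyed to the Volt Typhoon stages described above. Each entry:
# (rule name, stage, Windows event ID, regex over the command line, or None to
# match every event with that ID).
RULES = [
    ("vss_shadow_copy", "Domain Compromise", 4688,
     re.compile(r"vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create", re.I)),
    ("ntds_dit_access", "Domain Compromise", 4688,
     re.compile(r"ntds\.dit|HarddiskVolumeShadowCopy\d+", re.I)),
    ("targeted_eventlog_query", "Discovery", 4688,
     re.compile(r"Get-WinEvent|Get-EventLog|wevtutil(\.exe)?\s+qe\b", re.I)),
    ("eventlog_cleared_cmd", "Defense Evasion", 4688,
     re.compile(r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog", re.I)),
    ("security_log_cleared", "Defense Evasion", 1102, None),
]

# Constructed sample telemetry (not real logs): 4688 = process creation,
# 1102 = the Security audit log was cleared.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "dc01", "user": "CORP\\svc-backup",
     "cmd": "vssadmin.exe create shadow /for=C:"},
    {"id": 4688, "host": "dc01", "user": "CORP\\svc-backup",
     "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit"},
    {"id": 4688, "host": "ws17", "user": "CORP\\jdoe",
     "cmd": "powershell.exe Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624;StartTime='2024-01-02'}"},
    {"id": 1102, "host": "dc01", "user": "CORP\\svc-backup", "cmd": ""},
    {"id": 4688, "host": "ws02", "user": "CORP\\asmith", "cmd": "notepad.exe C:\\notes.txt"},
]


def detect(events):
    """Return one finding per (event, rule) match, in input order."""
    findings = []
    for ev in events:
        for name, stage, event_id, pattern in RULES:
            if ev["id"] != event_id:
                continue
            if pattern is not None and not pattern.search(ev.get("cmd", "")):
                continue
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rule": name, "stage": stage})
    return findings


def escalate(findings, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages were seen.

    A single shadow copy or event log query is routine administration; the
    LOTL tradecraft only stands out when stages of the chain co-occur on a host.
    """
    stages = defaultdict(set)
    for f in findings:
        stages[f["host"]].add(f["stage"])
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:<6} {f['user']:<18} {f['stage']:<18} {f['rule']}")
    print("escalate:", escalate(found))
```

In the sample, dc01 is escalated (shadow copy, NTDS.dit access and a cleared Security log), while the lone event log query on ws17 is reported but not escalated.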

Mitigation and Recommendations

The advisory urges critical infrastructure organizations to apply recommended mitigations and actively hunt for similar malicious activity. These measures are primarily intended for IT and OT administrators and include updating to the latest security patches, enhancing monitoring and detection capabilities, and applying best practices for identity and access management.

International Implications

While the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is assessed as lower than that to the U.S., the interconnected nature of critical infrastructure means that disruptions in the U.S. could have cascading effects on Canada and potentially other allied nations. Australian and New Zealand critical infrastructure is also considered vulnerable to similar activities from PRC state-sponsored actors.

The advisory from CISA, NSA, and FBI, supported by international cybersecurity agencies, highlights the sophisticated and persistent threat posed by PRC state-sponsored cyber actors to U.S. critical infrastructure. The detailed analysis of Volt Typhoon’s activities underscores the necessity for vigilance, proactive security measures, and international cooperation to mitigate the risks of disruptive or destructive cyberattacks against critical infrastructure sectors.

For organizations within the targeted sectors, adherence to the recommended mitigations and engagement with cybersecurity authorities for incident response and reporting is crucial. As geopolitical tensions continue to influence the cyber threat landscape, the resilience of critical infrastructure against state-sponsored cyber threats remains a top priority for national security.

How AnyDesk’s Latest Hack Could Affect You and What to Do Next
https://www.securitynewspaper.com/2024/02/05/how-anydesks-latest-hack-could-affect-you-and-what-to-do-next/ (Mon, 05 Feb 2024 20:23:33 +0000)
In a recent security update, AnyDesk, a renowned remote desktop software provider, disclosed a security breach affecting its production systems. The company swiftly initiated a thorough security audit upon detecting signs of the incident, which revealed the compromise. To address the situation, AnyDesk engaged cybersecurity specialists from CrowdStrike, launching an extensive remediation and response plan that has since been successfully concluded.

Immediate Actions and Remediation

Recognising the gravity of the situation, AnyDesk took decisive steps to mitigate the impact of the breach. The company has informed the relevant authorities about the incident and is collaborating closely with them to ensure a comprehensive response. Notably, AnyDesk clarified that the incident was not related to ransomware, which often targets such essential services for extortion.

In a proactive move to secure its systems and user data, AnyDesk has revoked all security-related certificates. This step is crucial in preventing any further unauthorized access using the compromised credentials. The company is also in the process of revoking its previous code signing certificate for binaries, transitioning to a new certificate to ensure the integrity of its software.

Safeguarding User Data and Recommendations

AnyDesk reassures its users that its systems are architecturally designed to avoid storing sensitive information like private keys, security tokens, or passwords that could potentially be used to access end-user devices. This design philosophy is pivotal in limiting the potential exploitation scope of such breaches.

As an additional precautionary measure, AnyDesk is revoking all passwords to its web portal, my.anydesk.com. Users are strongly encouraged to change their passwords, especially if the same credentials are used across multiple platforms. This recommendation aims to prevent any possibility of credential stuffing attacks, where attackers use stolen credentials to gain unauthorized access to other accounts.

Moving Forward

AnyDesk’s swift and transparent response to the security breach underscores its commitment to user security and trust. By involving industry-leading cybersecurity experts and working closely with law enforcement, AnyDesk demonstrates its dedication to maintaining the highest security standards.

The incident serves as a reminder of the persistent cybersecurity threats facing remote access software providers and the importance of robust security measures. AnyDesk’s actions following the breach provide a blueprint for effective incident response and remediation, reinforcing the security of its systems against future threats.

Users and stakeholders are advised to stay tuned to official AnyDesk communications for further updates and recommendations on safeguarding their accounts and data.

Exploit code: How the New Jenkins Vulnerability Could Compromise Your Data
https://www.securitynewspaper.com/2024/01/29/exploit-code-how-the-new-jenkins-vulnerability-could-compromise-your-data/ (Mon, 29 Jan 2024 22:06:53 +0000)
Recent news about a critical vulnerability in Jenkins, identified as CVE-2024-23897, has raised significant concerns in the cybersecurity community. This vulnerability has been highlighted due to the publication of a Proof of Concept (PoC) exploit, which has increased the risks associated with this issue.

Overview of the Vulnerability (CVE-2024-23897)

The critical vulnerability in Jenkins, CVE-2024-23897, allows unauthenticated attackers with ‘overall/read’ permission to read data from arbitrary files on the Jenkins controller file system. This flaw poses a severe risk as it enables attackers to gain access to sensitive information, potentially leading to further exploitation of the system.

The Jenkins vulnerability, CVE-2024-23897, is a critical security flaw with significant implications. To understand the exploit, it is important to break down its components and how it operates:

Nature of the Vulnerability

  • Jenkins System: Jenkins is an open-source automation server widely used in continuous integration and continuous delivery (CI/CD) pipelines. It helps automate various aspects of software development, such as building, testing, and deploying applications.
  • Vulnerability Type: CVE-2024-23897 is a Remote Code Execution (RCE) vulnerability. RCE vulnerabilities are particularly severe because they allow an attacker to execute arbitrary code on the victim’s system remotely.

How the Exploit Works

  1. Exploitation of Permissions: The vulnerability allows unauthenticated attackers with ‘overall/read’ permissions to read data from arbitrary files on the Jenkins controller file system. This means that even without full administrative privileges, attackers can access sensitive information.
  2. Reading Arbitrary Files: The exploit enables attackers to read the first few lines of arbitrary files on the Jenkins controller. This could include configuration files, source code, credentials, or any other sensitive data stored on the server.
  3. Potential for Further Exploitation: While the primary capability is to read files, the exposure of sensitive data could lead to further exploitation. For instance, if credentials are obtained, attackers could escalate their access privileges.

The Criticality of the Exploit

  • Unauthenticated Access: The fact that the exploit can be triggered by unauthenticated users makes it particularly dangerous. It lowers the barrier for attackers, as they do not need to compromise an account before exploiting this vulnerability.
  • Ease of Execution: The release of a Proof of Concept (PoC) means that the exploit can be replicated easily by attackers who have access to this PoC. This increases the likelihood of widespread exploitation.

Mitigation and Response

  • Patch Availability: Jenkins has released a patch to address this vulnerability. It is crucial for users and administrators of Jenkins to apply this patch immediately to mitigate the risk.
  • Security Best Practices: Regularly updating software, monitoring systems for unusual activities, and following security best practices are essential steps in protecting against such exploits.

Security experts have developed curated Sigma rules to detect exploitation attempts of this vulnerability. These rules are crucial for organizations using Jenkins, as they provide a way to identify and respond to any malicious activities related to CVE-2024-23897.

The Severity of the Issue

Rated as critical, this vulnerability has garnered attention due to the ease with which it can be exploited and the potential damage it can cause. The publication of the PoC exploit has escalated the situation, as it provides attackers with a ready-made tool to exploit this vulnerability.

Response from the Jenkins Community

The Jenkins community has been quick to respond to this threat. A patch has been released to address the vulnerability, and users are strongly advised to update their Jenkins installations as soon as possible. The prompt release of the patch highlights the community’s commitment to security and its proactive approach to addressing such critical issues.

Real-World Implications

There have been reports of PoC exploits for the Jenkins vulnerability being used against targets in the wild. This real-world exploitation underscores the importance of immediate action by organizations using Jenkins. Delaying the application of the patch could leave systems open to attacks with severe consequences.

The discovery and subsequent publication of the PoC exploit for the critical Jenkins vulnerability, CVE-2024-23897, serve as a stark reminder of the importance of cybersecurity vigilance. Organizations using Jenkins must prioritize the application of the latest patch to protect their systems from potential exploitation. The situation also highlights the need for continuous monitoring and rapid response mechanisms to address emerging cybersecurity threats.

Inside the Scam: How Ransomware Gangs Fool You with Data Deletion Lies!
https://www.securitynewspaper.com/2024/01/10/inside-the-scam-how-ransomware-gangs-fool-you-with-data-deletion-lies/ (Wed, 10 Jan 2024 16:46:45 +0000)
Recently, there has been an emergence of a new scam targeting victims of ransomware attacks. This scam involves individuals or groups posing as “security researchers” or “ethical hackers,” offering to delete data stolen by ransomware attackers for a fee. The scam plays on the fears and vulnerabilities of organizations already compromised by ransomware attacks, such as those by the Royal and Akira ransomware gangs.

The modus operandi of these scammers is quite consistent and alarming. They approach organizations that have already been victimized by ransomware and offer a service to hack into the servers of the ransomware groups and delete the stolen data. This proposition typically comes with a significant fee, sometimes in the range of 1-5 Bitcoins (which could amount to about $190,000 to $220,000).

These scammers often use platforms like Tox Chat to communicate with their targets and may go by names like “Ethical Side Group” or use monikers such as “xanonymoux.” They tend to provide “proof” of access to the stolen data, which they claim is still on the attacker’s servers. In some instances, they accurately report the amount of data exfiltrated, giving their claims an air of credibility.

A notable aspect of this scam is that it adds an additional layer of extortion to the victims of ransomware. Not only do these victims have to contend with the initial ransomware attack and the associated costs, but they are also faced with the prospect of paying yet another party to ensure the safety of their data. This situation highlights the complexities and evolving nature of cyber threats, particularly in the context of ransomware.

Security experts and researchers, like those from Arctic Wolf, have observed and reported on these incidents, noting the similarities in the tactics and communication styles used by the scammers in different cases. However, there remains a great deal of uncertainty regarding the actual ability of these scammers to delete the stolen data, and their true intentions.

The Emerging Scam in Ransomware Attacks

1. The False Promise of Data Deletion

  • Ransomware gangs have been known not to always delete stolen data even after receiving payment. Victims are often misled into believing that paying the ransom will result in the deletion of their stolen data. However, there have been numerous instances where this has not been the case, leading to further exploitation.

2. Fake ‘Security Researcher’ Scams

  • A new scam involves individuals posing as security researchers, offering services to recover or delete exfiltrated data for a fee. These scammers target ransomware victims, often demanding payment in Bitcoin. This tactic adds another layer of deception and financial loss for the victims.

3. The Hack-Back Offers

  • Ransomware victims are now being targeted by fake hack-back offers. These offers promise to delete stolen victim data but are essentially scams designed to extort more money from the victims. This trend highlights the evolving nature of cyber threats and the need for greater awareness.

4. The Illogical Nature of Paying for Data Deletion

  • Paying to delete stolen data is considered an illogical and ineffective strategy. Once data is stolen, there is no guarantee that the cybercriminals will honor their word. The article argues that paying the ransom often leads to more harm than good.

5. The Role of Ransomware Groups

  • Some ransomware groups are involved in offering services to delete exfiltrated data for a fee. However, these offers are often scams, and there is no assurance that the data will be deleted after payment.

These scams underscore the critical importance of cybersecurity vigilance and of robust security measures to protect against ransomware and related threats. They also highlight the difficult decisions facing organizations that fall victim to ransomware: whether to pay the ransom, how to handle stolen data, and how to respond to subsequent extortion attempts.

How to hack Google Kubernetes Engine (GKE)? Securing against GKE threats
https://www.securitynewspaper.com/2023/12/28/how-to-hack-google-kubernetes-engine-gke-securing-against-gke-threats/ (Thu, 28 Dec 2023 17:52:34 +0000)
A recent investigation by Unit 42 of Palo Alto Networks has uncovered a dual privilege escalation chain in Google Kubernetes Engine (GKE). This vulnerability, stemming from specific configurations in GKE’s logging agent FluentBit and Anthos Service Mesh (ASM), presents a significant security risk, potentially allowing attackers unauthorized access to Kubernetes clusters.

Kubernetes and GKE Overview: Kubernetes, the most widely adopted open-source container platform, is used for application deployment and management. GKE, Google’s Kubernetes Engine, offers additional features and capabilities, enhancing the deployment and management of Kubernetes clusters. However, the complexity of Kubernetes environments often makes them susceptible to security breaches due to misconfiguration and excessive privileges.

Issues in FluentBit and Anthos Service Mesh:

  • FluentBit: The default configuration of FluentBit, a lightweight log processor and forwarder, includes a volume mount that provides unnecessary access to the pod directory, including projected service account tokens.
  • Anthos Service Mesh (ASM): ASM’s Container Network Interface (CNI) DaemonSet retains excessive permissions post-installation, which can be exploited to create a new pod with elevated privileges.

FluentBit Flaw

The vulnerability in the FluentBit container within a Kubernetes cluster is a significant issue. It arises from the way FluentBit is configured to access volumes within the cluster. Let’s break down this vulnerability and its implications:

Understanding the Vulnerability

  1. FluentBit’s Volume Mount Configuration:
    • Misconfiguration: FluentBit is mounted with access to the /var/lib/kubelet/pods volume. This directory contains subdirectories for each pod running on a node.
    • Access to Sensitive Data: Within each pod’s directory, there is a kube-api-access volume that stores projected service account tokens. These tokens are used for authenticating with the Kubernetes API and are highly sensitive.
  2. Exploitation of the Misconfiguration:
    • Compromise of FluentBit: If an attacker gains access to the FluentBit container, they can exploit this misconfiguration.
    • Access to Tokens: The attacker can access any service account token of the pods on the same node.
    • Impersonation and Unauthorized Access: Using these tokens, the attacker can impersonate pods with varying levels of privileges, potentially gaining unauthorized access to the Kubernetes API server.
  3. Scope of the Attack:
    • Mapping the Cluster: The attacker could potentially list all running pods in the cluster (get pods command), allowing them to map the entire cluster.
    • Potential for Privilege Escalation: Depending on the permissions associated with the compromised tokens, the attacker could escalate their privileges within the cluster.
    • Harmful Actions: The attacker could perform various harmful actions, such as data theft, service disruption, or further exploitation of cluster resources.

The Role of the Sidecar Container

  • Functionality of Sidecar Container: In a typical Kubernetes setup, a sidecar container like FluentBit is used for log collection. It operates within the context of its pod, collecting, parsing, and forwarding logs from the main application container.
  • No Direct API Access Needed: The sidecar container generally doesn’t require direct access to the Kubernetes API server. It uses the Kubernetes infrastructure to access log files and container runtime metadata.

Anthos Service Mesh (ASM) Flaw

Imagine you are managing a Kubernetes cluster that utilizes Anthos Service Mesh (ASM) with Istio’s CNI plugin. The cluster hosts various applications critical to your organization.

Initial Setup

  • ASM Installation: During the setup of ASM, the Istio-cni-node DaemonSet is installed on the cluster.
  • DaemonSet’s Role: This DaemonSet is responsible for installing the Istio CNI plugin on each node. It also has a repair mode to handle misconfigured pods.

The Flaw

  • Excessive Permissions: After the installation, the Istio-cni-node DaemonSet retains high-level permissions, which are no longer necessary for its daily operation. This is where the flaw lies.

Exploitation Example

  1. Attacker’s Entry: An attacker, who already has limited access to the cluster (maybe as a low-privileged user), discovers the excessive permissions of the Istio-cni-node DaemonSet.
  2. Creating a Powerful Pod:
    • The attacker creates a new pod in the cluster, assigning it the same permissions as the Istio-cni-node DaemonSet. This is possible due to the excessive permissions that the DaemonSet still holds.
    • This new pod, which we can call a “powerful pod,” now has abilities far beyond what a regular pod should have.
  3. Misuse of Permissions:
    • The attacker uses the powerful pod to perform actions that are normally restricted, like accessing sensitive data or modifying critical configurations.
    • The pod could also manipulate other pods or services, disrupt operations, or even spread to other nodes, escalating the attack’s impact.
  4. Privilege Escalation:
    • Leveraging the capabilities of the powerful pod, the attacker escalates their privileges to that of a cluster administrator.
    • With admin-level access, they gain complete control over the Kubernetes cluster, leading to a severe security breach.

The Privilege Escalation Chain

The combination of these two issues can be exploited in a second-stage attack to gain full control of a Kubernetes cluster. The attack involves exploiting FluentBit permissions to read projected service account tokens and then leveraging ASM’s post-installation permissions to escalate privileges.

Let’s break down this attack chain to understand how an attacker could escalate privileges to become a cluster admin:

Step-by-Step Breakdown of the Attack Chain

1. Initial Access via FluentBit Container

  • Prerequisite: The attacker needs the Anthos Service Mesh feature to be enabled in the Kubernetes cluster.
  • Exploiting FluentBit: The attacker gains control of the FluentBit container. FluentBit, being a logging tool, often has extensive access within a cluster for log collection purposes.
  • Mounting Sensitive Volume: The attacker exploits FluentBit to mount the /var/lib/kubelet/pods volume, which contains the kube-api-access-<random-suffix> directory. This directory holds tokens from all pods on a node.

2. Token Harvesting Across the Cluster

  • Leveraging DaemonSet Nature of FluentBit: Since FluentBit runs as a DaemonSet (a pod on every node), the attacker replicates the initial compromise on each node.
  • Mapping the Cluster: By doing so, the attacker can access mounted tokens of other pods across the cluster.
  • Targeting Istio-Installer-container Token: Among these tokens, the attacker specifically looks for the Istio-Installer-container token.

3. Exploiting ASM CNI DaemonSet’s Permissions

  • Creating a New Pod: Utilizing the ASM CNI DaemonSet’s retained permissions, the attacker creates a new pod in the kube-system namespace.
  • Targeting a Powerful Service Account: The aim is to associate this pod with a service account that has extensive privileges.

4. Choosing the CRAC Service Account

  • Selecting CRAC: The ClusterRoleAggregationController (CRAC) service account is a prime target due to its ability to add permissions to cluster roles.
  • Updating Cluster Role: The attacker modifies the cluster role bound to the CRAC service account to gain full privileges.

5. Final Steps to Gain Cluster Admin Access

  • Mounting CRAC Token: The CRAC service account token is mounted onto the newly created pod.
  • Exploiting FluentBit Again: The attacker then exploits the FluentBit misconfiguration to extract the CRAC token from their pod.
  • Using CRAC Token: With the CRAC token, which has cluster admin permissions, the attacker can operate with full control over the Kubernetes cluster.

Google’s Response and Fixes:

Google addressed these configuration issues on December 14, 2023, with the release of GCP-2023-047. The fixes involved removing the /var/lib/kubelet/pods volume mount from the Fluent Bit pod and modifying ASM’s ClusterRole to remove excessive RBAC permissions.

Fixes and Mitigations Implemented

1. FluentBit Configuration Update

  • Issue: Initially, FluentBit had excessive access due to a hostPath volume mount of the /var/lib/kubelet/pods directory, which included access to sensitive service account tokens.
  • Fix: Google’s security team restricted FluentBit’s access, removing the unnecessary volume mount. This change ensures that FluentBit can only access the logs it requires for its operation, significantly reducing the risk of token compromise.

2. Anthos Service Mesh (ASM) Permissions Adjustment

  • Issue: ASM’s CNI DaemonSet had high privileges, as identified in an internal report.
  • Action Taken: Before the external report, Google was already working on reducing these permissions.
  • Fix: Google modified the ASM’s ClusterRole and restructured some functionalities to eliminate unnecessary RBAC permissions. This change addresses the excessive permissions that previously allowed for potential exploitation.

Impact of the Fixes

  • Security Hardening: These updates significantly enhance the security of both FluentBit and ASM within Kubernetes clusters, mitigating the specific vulnerabilities and strengthening the overall security posture against similar threats.
  • Preventing Privilege Escalation: By rectifying these issues, Google has effectively closed the attack vector that allowed for escalation to cluster admin privileges.
  • Proactive Vulnerability Management: Google’s response, especially their pre-emptive work on ASM’s permissions, highlights the importance of ongoing security assessments and proactive vulnerability management.

Broader Implications for Kubernetes Security

  • Continuous Monitoring and Auditing: Kubernetes environments should be continuously monitored and audited for misconfigurations and excessive permissions, especially for components with wide-ranging access like DaemonSets.
  • Principle of Least Privilege: This principle should be rigorously applied to all Kubernetes components, ensuring that each component has only the permissions necessary for its function.
  • Prompt Patching and Updates: Regularly updating Kubernetes and its associated components is crucial for maintaining security, as vulnerabilities can be discovered and exploited rapidly.
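One way to audit a cluster for the two misconfigurations described above, namely a hostPath mount of /var/lib/kubelet/pods and a DaemonSet service account bound to a ClusterRole that can create pods or escalate privileges. This Python script is an added example and not Google’s or Unit 42’s code; it reads objects in the shape `kubectl get -o json` produces, and the object, service account and role names in the sample are constructed.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# kubelet keeps every pod's volumes under this directory, including the
# projected kube-api-access-* service account tokens. A hostPath mount of it,
# or of any ancestor (/var/lib/kubelet, /var/lib, /), exposes all tokens on the
# node, which is the FluentBit misconfiguration described above.
SENSITIVE_HOST_PATH = "/var/lib/kubelet/pods"

ESCALATION_VERBS = {"escalate", "bind", "impersonate", "*"}  # self-granting RBAC verbs
POD_WRITE_VERBS = {"create", "patch", "update", "*"}         # run a pod under any SA


def _pod_spec(obj):
    """Pod spec of a Pod, or of the template inside a Deployment/DaemonSet."""
    spec = obj["spec"]
    return spec["template"]["spec"] if "template" in spec else spec


def covers(mounted, sensitive=SENSITIVE_HOST_PATH):
    """True if the hostPath `mounted` is `sensitive` or one of its ancestors."""
    m, s = PurePosixPath(mounted), PurePosixPath(sensitive)
    return m == s or m in s.parents


def audit_host_paths(obj):
    """(workload, problem) pairs for hostPath volumes that expose pod tokens."""
    ref = f'{obj["kind"]}/{obj["metadata"]["namespace"]}/{obj["metadata"]["name"]}'
    out = []
    for vol in _pod_spec(obj).get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and covers(path):
            out.append((ref, f"hostPath {path} exposes projected service account tokens"))
    return out


def audit_cluster_role(role):
    """Problems with a ClusterRole's rules, as strings (empty list if none)."""
    out = []
    for rule in role.get("rules", []):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if verbs & ESCALATION_VERBS:
            out.append(f"verbs {sorted(verbs & ESCALATION_VERBS)} on {sorted(resources)}")
        if resources & {"pods", "*"} and verbs & POD_WRITE_VERBS:
            out.append(f"can {sorted(verbs & POD_WRITE_VERBS)} pods cluster-wide")
    return out


def audit(objects):
    """(workload, problem) pairs: token-exposing mounts, and over-privileged
    ClusterRoles reached through the workload's service account."""
    roles = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"}
    sa_roles = defaultdict(set)  # (namespace, service account) -> ClusterRole names
    for o in objects:
        if o["kind"] != "ClusterRoleBinding" or o["roleRef"]["kind"] != "ClusterRole":
            continue
        for subj in o.get("subjects", []):
            if subj.get("kind") == "ServiceAccount":
                sa_roles[(subj["namespace"], subj["name"])].add(o["roleRef"]["name"])
    findings = []
    for o in objects:
        if o["kind"] not in ("Pod", "Deployment", "DaemonSet"):
            continue
        findings += audit_host_paths(o)
        ns, name = o["metadata"]["namespace"], o["metadata"]["name"]
        sa = _pod_spec(o).get("serviceAccountName", "default")
        for role_name in sorted(sa_roles.get((ns, sa), ())):
            for problem in audit_cluster_role(roles.get(role_name, {})):
                findings.append((f'{o["kind"]}/{ns}/{name}', f"ClusterRole {role_name}: {problem}"))
    return findings


# Constructed cluster dump (names are made up, not GKE's real manifests):
# a log-collection DaemonSet with the token-exposing mount, and a CNI
# DaemonSet whose service account keeps cluster-wide pod creation rights.
SAMPLE_OBJECTS = [
    {"kind": "DaemonSet", "metadata": {"name": "log-agent", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"serviceAccountName": "log-agent", "volumes": [
         {"name": "varlog", "hostPath": {"path": "/var/log"}},
         {"name": "kubelet-pods", "hostPath": {"path": "/var/lib/kubelet/pods"}}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "mesh-cni-node", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"serviceAccountName": "mesh-cni", "volumes": [
         {"name": "cni-bin", "hostPath": {"path": "/opt/cni/bin"}}]}}}},
    {"kind": "ClusterRole", "metadata": {"name": "mesh-cni-repair"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch", "create", "delete"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "mesh-cni-repair"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "mesh-cni-repair"},
     "subjects": [{"kind": "ServiceAccount", "name": "mesh-cni", "namespace": "kube-system"}]},
]

if __name__ == "__main__":
    for workload, problem in audit(SAMPLE_OBJECTS):
        print(f"{workload}: {problem}")
```

Running it against a real cluster means feeding `audit()` the `items` of `kubectl get daemonsets,deployments,pods,clusterroles,clusterrolebindings -A -o json`; the fixed state described in the section above produces no findings.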

This discovery highlights the importance of vigilant security practices in cloud environments. Kubernetes, while powerful, can be vulnerable to sophisticated attacks due to misconfigurations and excessive privileges in system pods. The proactive response from Google and the detailed analysis by Palo Alto Networks underscore the ongoing need for robust security measures in cloud infrastructures.

How APT28 Infiltrates Networks in French Universities & Nuclear Plants Without Detection
https://www.securitynewspaper.com/2023/10/27/how-apt28-infiltrates-networks-in-french-universities-nuclear-plants-without-detection/ (Fri, 27 Oct 2023 19:30:34 +0000)
According to a recent study published by France’s leading cybersecurity agency, a hacking organisation affiliated with Russia’s military intelligence agency has been spying on French colleges, corporations, think tanks, and government institutions.

Since the second half of 2021, the hacking group known as Fancy Bear or APT28 has been operating covertly inside French computer networks in an effort to acquire a variety of sensitive data. According to the investigation by France’s National Agency for the Security of Information Systems (ANSSI), the attackers compromised systems that were not being actively monitored, such as routers and other peripheral devices on critical French organisational networks, and refrained from deploying backdoors in order to avoid detection. After analysing the group’s Tactics, Techniques, and Procedures (TTPs), ANSSI concluded that APT28 infiltrates target networks via brute force and credential leaks in order to gain access to accounts and Ubiquiti routers. In April 2023, a phishing campaign was launched with the purpose of obtaining system settings, details of running processes, and other relevant data. Exploiting the flaw identified as CVE-2023-23397, APT28 sent malicious emails to Outlook users between March 2022 and June 2023. To carry out reconnaissance and data collection, the attackers also exploited other vulnerabilities, such as CVE-2022-30190 (Follina) in the Microsoft Windows Support Diagnostic Tool (MSDT) and CVE-2020-12641 in Roundcube webmail.

To carry out their intrusions, the group used tools such as the password harvester Mimikatz and the traffic relay tool reGeorg, as well as open-source services such as Mockbin and Mocky. It is also worth noting that APT28 uses a wide variety of VPN clients.

As a cyber-espionage group, APT28’s primary mission is to gain unauthorised access to its targets and steal information from them. Using common tools, the hackers harvested authentication details and stole sensitive information from email accounts, including emails full of personal data. The group’s Command and Control (C2) infrastructure is hosted on cloud services such as Google Drive and Microsoft OneDrive, which makes it harder to identify.

ANSSI has mapped the TTPs (techniques, tactics, and procedures) of APT28 and found that the threat organisation breaches accounts and Ubiquiti routers on targeted networks by using brute-force attacks and leaked databases holding passwords.

In one incident that occurred in April 2023, the adversaries carried out a phishing effort that duped the receivers into executing PowerShell, which revealed their system settings, running processes, and other OS-related information.

APT28 is also responsible for emails sent to Outlook users that exploited a zero-day vulnerability now known as CVE-2023-23397. These emails were sent between March 2022 and June 2023, which places the first exploitation a month earlier than previously reported.

ANSSI emphasises a comprehensive approach to security that includes risk assessments. Given the threat posed by APT28, particular attention should be paid to securing email communications. The agency’s most important recommendations on email security are the following:

  • Protecting the confidentiality of email communications and preventing their disclosure by adopting secure exchange systems, so that email traffic cannot be diverted or intercepted.
  • Reducing the attack surface of email web interfaces and managing the risks posed by servers such as Microsoft Exchange.
  • Putting in place mechanisms that can identify malicious emails.

Redcliffe Labs, India’s Medical Diagnostic Company leaks 7 TB of customer data. Will it pay 250 crore fine?
https://www.securitynewspaper.com/2023/10/25/redcliffe-labs-indias-medical-diagnostic-company-leaks-7-tb-of-customer-data-will-it-pay-250-crore-fine/
Thu, 26 Oct 2023 00:55:50 +0000

Redcliffe Labs is one of the most comprehensive testing facilities in India, offering more than 3,600 different diagnostic tests for illnesses and wellbeing. Users of its mobile application can receive medical diagnostic services at home, at medical facilities, or online. These services include in-home full-body examinations, blood tests, diabetes tests, joint care, vitamin tests, and specialised testing for cancer, genetics, HIV, pregnancy, and a wide variety of other conditions. Redcliffe Labs also advertises free sample collection and a consultation with a medical professional as part of its service. According to its website, it has 2.5 million clients. Jeremiah Fowler, a cybersecurity researcher, discovered and reported to WebsitePlanet a database that was not password-protected and contained over 12 million records, including medical diagnostic scans, test results, and other potentially sensitive medical information.


The database held an enormous quantity of medical test results, which included the names of patients and physicians as well as other sensitive health information, such as where the test sample was taken (at home or at a medical institution), amongst a broad variety of other data. In total there were 12,347,297 records with a combined size of 7 terabytes (TB). Further research showed that the documents carried a watermark indicating that they belonged to a company based in India, Redcliffe Labs. I did not waste any time in sending a responsible disclosure notification, and I was promptly rewarded with a response that acknowledged my finding and thanked me for my efforts. It is unknown how long the information was publicly accessible or whether any unauthorised persons viewed the supposed health records before public access was restricted, which happened the same day. The database also included a folder labelled “test results” that held more than six million PDF documents, which may indicate either that a much larger number of customers were affected or that the same customers had repeated tests.

The Digital Personal Data Protection Act, 2023 (DPDP Act) is a broad new privacy law that was passed in India in August 2023. The DPDP Act is India’s first comprehensive data protection legislation; it addresses a broad variety of data-related concerns and applies to any business that operates inside India or whose clients are located in India.

Under the DPDP Act, companies that have experienced a data breach must notify the relevant authorities and the people whose personal information was compromised within 72 hours of the breach being identified and validated. The DPDP Act also levies monetary fines on businesses that do not comply with the new standards, ranging from INR 10,000 (roughly USD 120) to INR 250 crore (roughly USD 30.2 million).

As of the time this article was published, it is unknown whether Redcliffe Labs has informed the appropriate authorities or the people who might be affected by the data exposure. The database contained a total of 12,347,297 entries with a combined size of seven terabytes, broken down as follows:

  • Documents categorised as “Reports”: 1,180,000 objects, 620.5 gigabytes in total. These were also test results, in a bare format with no header logo.
  • Intelligent Report Archiving: 1,164,000 items, 1.5 terabytes in total. These documents presented the test findings in an infographic format.
  • “Test results” folder: 6,090,852 items, 2.2 terabytes in total.
  • A variety of other folders holding files that were not password protected: 3,912,445 items, 2.7 gigabytes in total. These folders contained PDF files, internal company documents, logging data, mobile application development files, and other file types.

The database not only housed millions of medical records but also held the development files of the company’s mobile application. Leaving application files open to the public is a serious danger, since they could fall into the wrong hands. Such files can govern how an application functions and what data is sent from the user to the host server. Malicious actors could use this information to carry out a variety of attacks that jeopardise user data, the operation of the application, or the security of the mobile device itself.

One of the most significant potential threats is the alteration of the application’s source code files. The files could be modified to include malicious code, allowing hackers to undermine the app’s integrity and security, inject malware, or add features without authorisation. Once the code has been altered, malicious actors have the opportunity to steal or gain access to a patient’s confidential data, which may include test results, scans, or other sensitive information; if hackers obtained a user’s health and medical testing information, this could lead to major privacy abuses. In addition, accessible code or resource files could be used for reverse engineering, analysis, or decompilation of the application in order to understand how the programme operates, which could reveal new vulnerabilities and weaknesses to be exploited later.

From Trusted to Busted: Okta Hacked again. Epic tale of security nightmares, 4 times in 2 years
https://www.securitynewspaper.com/2023/10/23/from-trusted-to-busted-okta-hacked-again-epic-tale-of-security-nightmares-4-times-in-2-years/
Mon, 23 Oct 2023 20:28:18 +0000

The recent Okta breach has raised concerns within the cybersecurity community. On October 20, 2023, Okta, a provider of identity services like multi-factor authentication and single sign-on, disclosed a security breach that involved unauthorized access to its customer support system. The incident came to light when hackers leveraged a stolen credential to infiltrate Okta’s support case management system, where they could view files uploaded by certain customers for troubleshooting purposes. These files, typically HTTP Archive (HAR) files, are sensitive as they can contain customers’ cookies and session tokens, which could be exploited to impersonate valid users.
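Because a HAR file records every header and cookie a browser sent, the practical defence is to redact session material before the file ever reaches a support case. The following is an added example, not code from Okta or from the article: a small sanitiser that blanks Cookie, Set-Cookie and Authorization headers, parsed cookies and response bodies, plus a check that reports anything left behind. The HAR document and the example.okta.test host are constructed for the example.

```python
"""Added example (not Okta's or the article's code): strip the session
material that an HTTP Archive (HAR) file carries before it is uploaded to
a support case. The HAR document below is constructed for the example."""
import copy

# Header names whose values carry credentials or session tokens.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

def _scrub_headers(headers):
    """Replace the value of every credential-bearing header in place."""
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED

def _scrub_cookies(cookies):
    """HAR also stores parsed cookies beside the raw header; blank them too."""
    for c in cookies:
        c["value"] = REDACTED

def sanitize_har(har):
    """Return a deep copy of a parsed HAR with cookies, Set-Cookie and
    Authorization headers redacted in every request and response. Response
    bodies are dropped as well, since a login response can echo the token."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_headers(msg.get("headers", []))
            _scrub_cookies(msg.get("cookies", []))
        content = entry.get("response", {}).get("content", {})
        if "text" in content:
            content["text"] = REDACTED
    return clean

def find_leaks(har):
    """Return [(item, URL)] for every unredacted sensitive value still in a
    HAR; an empty list means the file is safe to hand over."""
    leaks = []
    for entry in har.get("log", {}).get("entries", []):
        url = entry.get("request", {}).get("url", "")
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    leaks.append((h["name"], url))
            for c in msg.get("cookies", []):
                if c.get("value") != REDACTED:
                    leaks.append(("cookie:" + c.get("name", ""), url))
    return leaks

# Constructed sample: one sign-in exchange, as a browser's dev tools record it.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://example.okta.test/api/v1/sessions",
        "headers": [
            {"name": "Cookie", "value": "sid=EXAMPLE_SESSION_ID"},
            {"name": "Authorization", "value": "SSWS EXAMPLE_API_TOKEN"},
            {"name": "Accept", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "EXAMPLE_SESSION_ID"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=EXAMPLE_NEW_SID; Secure"}],
        "cookies": [{"name": "sid", "value": "EXAMPLE_NEW_SID"}],
        "content": {"mimeType": "application/json",
                    "text": "{\"id\":\"EXAMPLE_NEW_SID\"}"},
    },
}]}}

if __name__ == "__main__":
    print("before:", find_leaks(SAMPLE_HAR))   # five leaked items
    print("after:", find_leaks(sanitize_har(SAMPLE_HAR)))   # []
```

The same check can be run on the support-desk side, refusing any upload for which find_leaks returns a non-empty list.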

1. Nature of the Breach

  • Okta’s support system was compromised in a security breach. Hackers were able to break into its support case management system and steal sensitive data. This data could potentially be used to impersonate valid users.

2. Detection and Notification

  • BeyondTrust, a cybersecurity firm, detected an identity-centric attack on an in-house Okta administrator account. They notified Okta of the breach on October 2, 2023.

3. Affected Parties

  • BeyondTrust was identified as one of the customers affected by this breach. The breach had an internal impact on Okta, affecting its security leadership and other operational aspects.

4. Method of Attack

  • The attackers breached Okta’s support system using stolen credentials. This allowed them unauthorized access to sensitive customer data and internal resources.

5. Market Impact

  • Following the news of the cyber breach, Okta’s shares experienced a significant slump. This reflects the market’s reaction to the security incident and its potential implications.

6. Official Statements

  • Okta’s security leadership has confirmed the breach, acknowledging the compromise of their internal systems and the impact on their customers.

The fallout from the breach saw a slump in Okta’s shares and approximately 1% of Okta’s customers being affected, although Okta did not disclose the exact number. This incident also casts a spotlight on Okta’s security measures, especially coming after a similar breach in 2022 in which hackers stole some of Okta’s source code and gained access to the company’s internal network.

Below is a summary of known breaches:

  1. Lapsus$ Incident (January 2022): In January 2022, Okta suffered a breach when a hacking group known as Lapsus$ infiltrated its third-party support provider, Sitel. Okta faced criticism for not disclosing the breach promptly.
  2. Source Code Theft: In an undisclosed timeline, Okta confirmed a major security incident where a hacker accessed its source code following a breach of its GitHub repositories.
  3. January 2022 Data Breach: A separate incident in late January 2022 was confirmed by Okta CEO Todd McKinnon, where some customer data might have been exposed. The exact details of this breach were not provided.
  4. October 20, 2023 Breach: Hackers gained unauthorized access to Okta’s support case management system and stole sensitive data that could be used to impersonate valid users on October 20, 2023.
  5. Lapsus$ Incident (Undisclosed Date): In a different encounter with Lapsus$, hundreds of Okta customers were possibly affected by a security breach, and Okta faced backlash for its slow response to the incident.

These incidents reflect the challenges even established identity management providers face in ensuring the security and privacy of their systems and customer data.

The breach is a stark reminder of the sophisticated threats that modern enterprises face and of the critical importance of robust cybersecurity measures to safeguard sensitive data and systems from unauthorized access. It underscores the vulnerabilities that even identity service providers face: the incident compromised sensitive data, affecting both Okta and its customers, and had noticeable market repercussions.

How MGM Resorts lost $100 million as a result of a simple vishing call
https://www.securitynewspaper.com/2023/10/06/how-mgm-resorts-lost-100-million-as-a-result-of-a-simple-vishing-call/
Fri, 06 Oct 2023 17:19:35 +0000

Cyberattack on MGM Resorts: A Financial Debacle

MGM Resorts encountered a devastating cyberattack recently, incurring an approximate financial setback of $100 million. Unveiled on September 11, this digital attack led to the temporary shutdown of multiple systems within MGM’s various properties, disrupting operations and inflicting significant monetary losses.

Details of the Attack

The digital onslaught on MGM Resorts wasn’t confined to a single property but spread across its flagship resort and other prestigious properties like Mandalay Bay, Bellagio, The Cosmopolitan, and Aria. The cybercriminals managed to disrupt a range of operations, from the functioning of slot machines and the systems overseeing restaurant management to the technology behind room key cards. Despite the containment efforts by MGM, the attackers successfully exfiltrated a diverse set of customer data, including but not limited to names, addresses, phone numbers, driver’s license numbers, Social Security numbers, and passport details. Fortunately, credit card details remained secure and unaffected.

Economic Fallout

The cyber intrusion had a profound economic impact on MGM Resorts, with losses estimated around $100 million. This financial blow is anticipated to ripple through the earnings of the third and fourth fiscal quarters. However, MGM remains optimistic, projecting a 93% occupancy rate in October and planning for a complete operational recovery in Las Vegas by November. Expenses related to the cyberattack, including consultancy fees, legal services, and other related costs, amounted to less than $10 million.

Compromise of Customer Data

A vast array of customer data, from Social Security numbers to passport details, was pilfered during the cyber attack. The total count of individuals affected by this breach remains uncertain as MGM has not issued any comments on this matter. Proactive measures have been initiated by MGM Resorts to assist the victims of this data breach, including the establishment of dedicated phone lines and informational websites. The company also intends to reach out to the affected individuals via email, extending offers for identity protection services.

Identity of the Attackers

Initially, the cyberattack was attributed to hackers affiliated with a group known as Scattered Spider. This group later joined forces with a Russian ransomware collective known as BlackCat/ALPHV. Scattered Spider has a notorious reputation, having been implicated in several major cyberattacks over the past year against entities such as Reddit, Riot Games, Coinbase, and even another major player in the casino industry, Caesars Entertainment.

Recovery and Response

In response to the cyberattack, MGM Resorts took immediate action by shutting down all its systems to thwart further unauthorized access to customer data. Since these initial countermeasures, the company’s domestic properties have seen a return to normalcy in operations, with the majority of systems that interact with guests being restored. Efforts are ongoing to bring the remaining affected systems back online, with full restoration anticipated in the near future.

Conclusion and Future Implications

The cyberattack experienced by MGM Resorts highlights the substantial risks and potential financial damages associated with digital security breaches in the hospitality sector. With the compromise of sensitive customer information and the incurrence of hefty financial losses, this incident serves as a stark reminder for all businesses in the industry to bolster their cybersecurity infrastructure to safeguard against future digital threats. The episode underscores the imperative for continuous investments in state-of-the-art cybersecurity mechanisms and protocols to preemptively mitigate the risks of future cyber-attacks and protect sensitive customer data.

Zero day vulnerabilities in Qualcomm chips allow hacking into billion mobile phones in world
https://www.securitynewspaper.com/2023/10/03/zero-day-vulnerabilities-in-qualcomm-chips-allow-hacking-into-billion-mobile-phones-in-world/
Tue, 03 Oct 2023 19:18:01 +0000

Qualcomm recently issued warnings about three zero-day vulnerabilities within its GPU and Compute DSP drivers that are currently being exploited by hackers. The warnings are based on information received from Google’s Threat Analysis Group (TAG) and Project Zero teams, which report limited but targeted exploitation of the vulnerabilities identified as CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063.

In response to these imminent threats, Qualcomm has rolled out security updates designed to rectify the issues present within its Adreno GPU and Compute DSP drivers. The company has promptly communicated this information to the affected Original Equipment Manufacturers (OEMs), urging them to implement these security updates without delay.

One of the significant flaws, CVE-2022-22071, which was initially disclosed in May 2022, is categorized as a high-severity issue, with a CVSS v3.1 score of 8.4. This vulnerability is a use-after-free bug that can be exploited locally and affects widely-used chips, including the SD855, SD865 5G, and SD888 5G.

However, Qualcomm has opted to remain tight-lipped regarding the details of the other actively exploited vulnerabilities, namely CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063. Further information on these vulnerabilities is expected to be disclosed in the company’s security bulletin scheduled for December 2023.

In addition to these, Qualcomm’s recent security bulletin also shed light on three other critical vulnerabilities, each with severe implications:

  • CVE-2023-24855 involves memory corruption within Qualcomm’s Modem component. This occurs when processing security-related configurations prior to the AS Security Exchange and has a CVSS v3.1 score of 9.8.
  • CVE-2023-28540 relates to a cryptographic issue within the Data Modem component, resulting from insufficient authentication processes during TLS handshakes, with a CVSS v3.1 score of 9.1.
  • CVE-2023-33028 involves memory corruption in the WLAN firmware, which occurs when PMK cache memory is copied without the necessary size checks; it holds a CVSS v3.1 score of 9.8.

In light of these findings, Qualcomm disclosed an additional 13 high-severity flaws along with three more vulnerabilities classified as critical, all of which were identified by the company’s engineers. In total, Qualcomm has released updates to address 17 vulnerabilities across various components while highlighting that three zero-day vulnerabilities are currently being actively exploited.

Of these identified vulnerabilities, three have been classified as critical, 13 are high-severity, and one is medium-severity. Qualcomm’s advisory noted: “There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.”

To safeguard against these vulnerabilities, patches for issues in the Adreno GPU and Compute DSP drivers have been issued and are readily available. OEMs have been duly notified and strongly urged to deploy these security patches at the earliest convenience to prevent potential exploitation.

Users of Qualcomm products are advised to stay vigilant and apply updates provided by OEMs as soon as they are released to ensure their devices are protected from these vulnerabilities. This proactive approach to device security is crucial in mitigating the risk of exploitation and maintaining the integrity and functionality of devices that play a pivotal role in various technological applications.
