Okta’s support system hacked, and examples to use for cyber awareness training
Welcome to Cyber Security Today. It’s Monday, October 23rd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
A threat actor has been able to capture the credentials of an unknown number of organizations using the Okta identity management system. The company said Friday that the hacker did it by accessing what are called HAR files, which get uploaded to Okta support on request for troubleshooting browser problems. Security Week notes that a firm called BeyondTrust says it was the target of a cyber attack that used this tactic. IT departments that were affected have been notified by now. Okta recommends IT departments sanitize all credentials and tokens in a HAR file before they share it.
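As an added illustration of the sanitization step Okta recommends (example code written for this article, not Okta's own tooling): a small Python redactor that masks authorization headers, every cookie value, token-bearing query parameters and JWT-shaped strings in a parsed HAR file before it goes to a support desk. The header and parameter names it recognises are an assumed starting list, and the sample HAR is constructed for the demonstration.

```python
import re
from copy import deepcopy

REDACTED = "[REDACTED]"
# Header names carrying credentials or session material (assumed list; extend for your environment).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-xsrf-token"}
# Query-string parameter names that commonly carry tokens or one-time codes (assumed list).
PARAM_NAMES = {"token", "access_token", "id_token", "sessiontoken", "code", "session"}
PARAM_RE = re.compile(r"(?i)([?&](?:" + "|".join(PARAM_NAMES) + r")=)[^&#]*")
# Anything shaped like a JWT (three base64url segments, header starting with 'eyJ') in a URL or body.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")

def _scrub_pairs(pairs, names=None):
    """Overwrite the value of every name/value pair, or only those whose name is in `names`."""
    for pair in pairs:
        if names is None or pair.get("name", "").lower() in names:
            pair["value"] = REDACTED

def _scrub_text(text):
    """Mask token-bearing query parameters and JWT-shaped strings inside a URL or body."""
    return JWT_RE.sub(REDACTED, PARAM_RE.sub(r"\1" + REDACTED, text))

def sanitize_har(har):
    """Return a deep copy of a parsed HAR dict with credentials and tokens masked; input is untouched."""
    har = deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"] = _scrub_text(req.get("url", ""))
        _scrub_pairs(req.get("queryString", []), PARAM_NAMES)
        if "text" in req.get("postData", {}):
            req["postData"]["text"] = _scrub_text(req["postData"]["text"])
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = _scrub_text(resp["content"]["text"])
        for msg in (req, resp):
            _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            _scrub_pairs(msg.get("cookies", []))  # every cookie value, not only known names
    return har

# Constructed sample: one request/response pair with the kinds of secrets a HAR typically captures.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"url": "https://example.invalid/api/sessions?sessionToken=20111abcdef",
                "headers": [{"name": "Authorization", "value": "Bearer 00abc123"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "102ABCxyz"}],
                "queryString": [{"name": "sessionToken", "value": "20111abcdef"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=102ABCxyz; Secure; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "102ABCxyz"}],
                 "content": {"mimeType": "application/json",
                             "text": '{"idToken":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJlQUJDREVGRw"}'}}}]}}
```

Load a real file with `json.load`, pass the dict to `sanitize_har`, and review the output by eye before uploading; a redactor only catches the names and shapes it knows about.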
American Family Insurance has suffered a cyberattack. The company, which offers commercial, personal and property insurance, told Bleeping Computer that it had to shut portions of its IT systems.
A threat actor is selling access — or what they say is access — to Facebook and Instagram’s Police Portal. This is used by law enforcement officers to request data from the platforms about users being investigated. The cybersecurity firm Hudson Rock made the discovery. It says the hacker is offering US$700 for the access. One researcher is skeptical, saying access to this portal would command a higher price.
This being Cybersecurity Awareness Month, trainers are looking for new lessons to pass on to employees. Researchers at Malwarebytes wrote about a scam last week that would be a good presentation. They discovered a malicious ad for the KeePass password manager. It includes a link to what looks like the real KeePass download page with what looks like the real internet address: KeePass.info. However, there’s a tiny squiggle under the ‘k’. Many people might think it’s a piece of dirt on their computer screen and click on the ad to get the product. It’s really a comma that can be inserted under any letter by a skilled coder. That enables a hacker to disguise the real internet address the link goes to. This trick isn’t new. Sometimes hackers put a dot above a letter. There are a couple of lessons awareness trainers need to pass on to employees. First, an ad on any search engine — Google, Firefox, Edge, whatever — is risky. Second, be suspicious of what you think may be a speck of dirt. There’s a link in the text version of this podcast to the blog that can be used for training.
Here’s another that can be used for training: British security researcher Graham Cluley got a text notice from the hotel site booking.com about a reservation he recently made. It claimed that for some reason his credit card hadn’t been automatically verified. He was asked to click on the included link and use the card again for verification, after which the second payment would immediately be canceled. The link was a long string that included the words ‘booking.com’. It was ‘booking[.]com-id34[.]com’. Many people would think, “This address has booking.com in it, so it must be legit.” Wrong. Unfortunately the system that controls registering internet addresses allows this type of fraud. Once a domain like ‘booking.com’ has been registered, no one can register that name. But they can register ‘booking.com.abunchofnumbers.com’, and hope to sucker a lot of people.
Earlier this year I reported on a zero-day vulnerability in Barracuda Networks ESG email gateways. Last week one corporate victim, Wescom Credit Union of West Sacramento, Calif., began notifying over 34,000 people that their email messages may have been copied by an attacker as far back as October 30th, 2022.
Finally, here’s the latest news in software updates:
Cisco Systems aimed to release patches yesterday for two vulnerabilities in its IOS XE software. This is used in certain routers and switches. One of the vulnerabilities was publicly announced a week ago today. By some estimates, tens of thousands of Cisco devices had been hacked through this vulnerability. The other hole was disclosed on Friday. Check to see if these security updates are available now and install them fast.
Eight vulnerabilities have been found in Siemens’ Tecnomatix Plant Simulation tool. This is a utility that can simulate production systems. Siemens has issued updates. The holes were discovered by Trend Micro’s Zero Day initiative.
Google says hackers continue to compromise IT systems that haven’t patched the WinRAR file archiving utility. The patch was issued in August. What’s your excuse for not having done it yet?
And eight vulnerabilities have been found in SolarWinds’ Access Rights Management tool. All of the vulnerabilities are rated high in terms of criticality. Patches were released last Wednesday. There is no reason for them not to have been installed by now.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.