🎓️ Vulnerable U | #035

Okta Hack and Resulting Splash Damage, Cisco Finds Second Zero-Day, New Apple Side-Channel Attack iLeakage, Crypto Wars on E2E Encryption vs. Child Exploitation, and more!

Read Time: 8 minutes

Howdy friends!

Had an interesting week here. House was fighting off covid in the midst of all the normal busy life. How 2020 of us?

For this week’s blog, I dove further into the Loneliness Epidemic we’re seeing and its impact on the cybersecurity industry. We tend to be an isolated group:

This story inundated my inbox this week, and I’m absolutely fascinated by the stats coming out of the Surgeon General’s report.

> Murthy issued an advisory laying out the consequence of loneliness, which can include a 29 percent increased risk of heart disease, a 32 percent increased risk of stroke, a 50 percent increased risk of developing dementia for older adults, and an increased risk of premature death by more than 60 percent.

🤯 Those numbers are absolutely bonkers. Not socializing seems worse than a pack-a-day smoking habit!

Get to the point, Matt. How does this relate to Vulnerable U readers?

Along with it being an important humanity issue, infosec tends to be a major self-isolating industry. Heck, the whole point of this newsletter is to surface us basement dwellers and start sharing openly in the spirit of greater group resilience.

But while alone time is important and oftentimes (especially for us parents out there) hard to come by, we need to watch out for that line when alone time becomes seclusion. Our industry makes it easy to detach.

In this episode:

  • Okta Hack and Resulting Splash Damage

  • Telegram is still leaking user IP addresses to contacts

  • Cisco Finds Second Zero-Day as Number of Hacked Devices Apparently Drops

  • iLeakage - New side-channel attack impacting Apple devices

  • Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar

  • Spain arrests 34 cybercriminals who stole data of 4 million people

  • The Shapeshifting Crypto Wars - Battle between E2E encryption and child predators

  • They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird

  • Citrix Bleed: Leaking Session Tokens with CVE-2023-4966

  • 33 state attorneys general sue Meta for harming kids, alleging Facebook and Instagram created a ‘national youth mental health crisis’

  • and more!

ICYMI

🖊️ Something I wrote: How the goal of “not getting hacked” is meaningless.

🎧️ Something I heard: Listening to the audiobook “The Comfort Crisis” - do recommend

🎤 Something I said: A run-through of the news over on YouTube and Podcasts

🔖 Something I read: The HackerOne security report and rez0’s thread summarizing it.

📣 Sponsor

How do we fix what’s broken in security teams?

We start by asking the right questions. 

For the Voice of the SOC 2023 report, we at Tines asked 900 security practitioners some very revealing questions.

They include:
→ What prevents you from doing your best work?
→ What one task, if completely automated, would save your team the most manual time?
→ What could your current organization do to retain you?

Find out how security pros answered these and lots more questions by accessing the full Voice of the SOC 2023 report.

Vulnerable News

Okta Hack and Resulting Splash Damage

The big news of the week was all about the Okta hack and the resulting companies coming forward, filling in some details of how it was discovered and the impact.

The long and short is that Okta got popped. The only thing they’ve told us is “stolen credentials” as a root cause, so anything beyond that is speculation. They also told us only 1% of their customers were impacted, which puts it around 170.

We then found out that 3 of the impacted customers were BeyondTrust, Cloudflare, and 1Password. All of them have some claim to actually catching the incident before Okta did themselves, and none of them suffered a breach; they thwarted the incident.

It all stems from Okta’s support portal and its practice of asking customers for HTTP Archive (HAR) files, which included sensitive info like session tokens. Once the support portal was compromised, attackers were able to replay the tokens that other customers had sent to Okta in these tickets.

Krebs’s report on the incident: (read more)

BeyondTrust’s report on how they discovered the incident: (read more)

1Password’s announcement on how they caught this before there was any user impact on their side. (read more)

Cloudflare’s “How we mitigated yet another Okta Compromise” - tons of shade thrown in the title alone: (read more)

Cisco has discovered another zero-day vulnerability in its IOS XE, actively exploited, coinciding with a noticeable decrease in the number of compromised devices.

  • Active Exploitation: The vulnerability, identified as CVE-2023-20198, allows remote attackers to create high-privileged accounts on targeted Cisco devices. This has been actively exploited since mid-September, enabling attackers to execute arbitrary commands.

  • Double Trouble: Initially, Cisco identified one vulnerability, but further investigation revealed a second zero-day vulnerability (CVE-2023-20273) being exploited in conjunction with the first, complicating the security landscape.

  • Patch and Clean-Up: Cisco has released patches for both vulnerabilities. However, merely installing the patches isn’t enough; additional steps are required to cleanse the systems thoroughly.

  • Uncertain Threat Landscape: The number of compromised devices has seen a significant drop, but more on that in the next story.

For the full article: (read more)

A backdoor implanted on Cisco devices has been altered by threat actors to avoid detection. The attackers exploited zero-day vulnerabilities in Cisco’s IOS XE software, modifying the backdoor to respond only when a specific HTTP header is set, making it less visible to previous fingerprinting methods. (read more)

iLeakage is a newly unveiled security vulnerability that targets the Safari web browser on Apple devices such as Macs, iPads, and iPhones. It exploits the browser through transient execution side-channel attacks, revealing that the Spectre attack remains a significant threat despite years of mitigation efforts.

  • What it Does: iLeakage can induce Safari to render an arbitrary webpage, allowing an attacker to recover sensitive information within it using speculative execution. This includes recovering secrets from high-value targets like Gmail inbox content and auto-filled passwords by credential managers.

  • How it Works: The attack involves the use of speculative execution to access sensitive information. It demonstrates that malicious webpages can recover secrets from popular platforms, emphasizing the continued relevance and exploitability of the Spectre attack.

  • Demonstrated Risks: iLeakage has been demonstrated to recover Instagram credentials, Gmail inbox content, and YouTube watch history, showing the practical risks and the types of information that can be compromised.

  • Defensive Measures: “At the time of public release, Apple has implemented a mitigation for iLeakage in Safari. However, this mitigation is not enabled by default, and enabling it is possible only on macOS. Furthermore, it is marked as unstable.”

For the full vulnerability report, including demonstration videos: (read more)

Quasar RAT, an open-source remote access trojan, has been detected using DLL side-loading to discreetly infiltrate and extract data from compromised Windows systems, evading detection mechanisms effectively.

  • Capabilities: Quasar RAT is proficient in collecting a variety of system information, capturing keystrokes, taking screenshots, and executing arbitrary shell commands, making it a multifaceted threat.

  • Execution Chain: The attack begins with an ISO image file containing various files, including legitimate binaries and malicious DLLs. These components work in conjunction to initiate the loading of malicious code, ultimately leading to the execution of the Quasar RAT payload.

For the full article: (read more)

Telegram, a messaging app popular for its security features, has been found to leak users' IP addresses under certain conditions. A security researcher, Denis Simonov, highlighted this vulnerability, which becomes apparent during voice calls on the platform.

  • How it Happens: If a user adds a contact and accepts a call from them, the IP address can be exposed. This is due to Telegram’s default peer-to-peer connection setting during voice calls, aiming to improve call quality and reduce latency.

  • Preventive Measure Available: Users can prevent their IP addresses from being exposed by changing Telegram’s settings. By adjusting the peer-to-peer settings in the privacy and security section, users can enhance their privacy.

  • Comparison with Other Apps: Other messaging apps like WhatsApp have also faced similar issues in the past, but corrective measures were taken. Telegram, however, seems to accept this as a part of its operational design.

For the full story: (read more)

Spanish National Police have arrested 34 individuals connected to a cybercriminal organization responsible for stealing and monetizing the personal data of over four million people through various computer scams.

  • Significant Seizures: In the raids conducted, the police confiscated firearms, cash, high-end cars, and computers containing a vast database with information on millions of individuals.

  • Money Laundering: The profits, estimated to be around €3,000,000 ($3.2 million), were primarily obtained from reselling stolen data. The high-ranking members of the group are believed to have laundered the money through crypto asset investment platforms.

For the full article: (read more)

Susan Landau wrote a fantastic deep dive into the balance between encryption and catching child predators.

The ongoing "Crypto Wars" (crypto = cryptography in this case) debate has evolved, focusing now on whether end-to-end encryption (E2EE) should be limited to combat online child sexual abuse and exploitation (CSAE). Law enforcement argues that E2EE, which secures communications so that only the sender and receiver can view them, hinders CSAE investigations. However, security experts argue that undermining E2EE for this purpose could compromise overall online security and privacy.

  • Encryption vs. CSAE: E2EE is a crucial technology for securing online communications, but it also complicates the investigation of online CSAE. The debate centers on finding a balance between protecting privacy and ensuring the safety of vulnerable individuals, particularly children.

  • Legislative Challenges: Various bills in the EU and US seem to allow E2EE but impose requirements that effectively make its use impossible. These legislative efforts aim to make tech companies responsible for detecting and reporting CSAE content, which would require scanning user content, conflicting with the principles of E2EE.

This is an ongoing debate with many impassioned takes. Read this full essay here: (read more)

A cybersecurity startup, Unciphered, has developed a technique to crack the password of a specific model of encrypted USB drives known as IronKey S200. This achievement is significant because these drives are designed to erase their contents after ten incorrect password attempts, making the recovery of data nearly impossible.

  • A Treasure in Waiting: Unciphered’s interest in cracking the IronKey is driven by the story of Stefan Thomas, a Swiss crypto entrepreneur who has lost the password to his IronKey, which holds keys to 7,002 bitcoins, worth around $235 million. Thomas has only two password attempts left before the drive erases its contents.

  • Technical Triumph: Unciphered’s technique allows for an unlimited number of password guesses without triggering IronKey’s self-destruction feature. They have successfully demonstrated this capability, proving the potential to unlock Thomas’ fortune.

  • A Waiting Game: Despite Unciphered’s readiness and capability to unlock the IronKey, Thomas has been hesitant to accept their help, citing existing commitments with other teams. This has left Unciphered in a peculiar position, holding a powerful tool but waiting for the opportunity to use it.

For the full report: (read more)

A vulnerability dubbed "Citrix Bleed" has been discovered in Citrix NetScaler ADC and NetScaler Gateway, which allows for the leaking of session tokens due to a buffer over-read issue. This vulnerability, identified as CVE-2023-4966, was unveiled by security researchers who found that it could be exploited by manipulating the HTTP Host header in requests to the OpenID Connect Discovery endpoint.

  • Technical Breakdown: The vulnerability stems from a misunderstanding of the snprintf function, where the return value was used to determine the number of bytes sent to the client, exposing memory contents beyond the intended buffer.

  • Exploitation: By crafting specific requests, attackers could retrieve sensitive information, such as session tokens, from the memory of the vulnerable device. This could allow unauthorized access to protected resources.

  • Real-world Impact: The researchers were able to demonstrate the practical exploitation of this vulnerability, confirming that exposed session tokens could be used to authenticate against the affected Citrix services.

For the full report: (read more)
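To make the snprintf point above concrete, here is an added example (not code from the researchers' report or from Citrix) that puts the flawed length handling next to a checked version. The template, buffer size and function names are assumptions made up for illustration; the code only computes lengths and never reads past the buffer.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 64
/* Constructed stand-in for a response template that embeds the Host header. */
#define TEMPLATE "{\"issuer\": \"https://%s\"}"

/* Flawed: treats snprintf's return value as the number of bytes written.
 * snprintf returns the length the complete output would have had, so a
 * long host produces a count larger than the buffer. */
size_t response_len_flawed(char *buf, size_t cap, const char *host) {
    int n = snprintf(buf, cap, TEMPLATE, host);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened: a return value >= cap means truncation; refuse to send. */
size_t response_len_checked(char *buf, size_t cap, const char *host) {
    int n = snprintf(buf, cap, TEMPLATE, host);
    if (n < 0 || (size_t)n >= cap)
        return 0;
    return (size_t)n;
}

/* Bytes past the end of the buffer that a send(buf, len) would cover if it
 * used the flawed length. Only computed here, never read. */
size_t bytes_past_buffer(const char *host) {
    char buf[BUF_SZ];
    size_t len = response_len_flawed(buf, sizeof buf, host);
    return len > sizeof buf ? len - sizeof buf : 0;
}

int main(void) {
    char buf[BUF_SZ], long_host[201];
    memset(long_host, 'a', 200);   /* constructed oversized Host value */
    long_host[200] = '\0';

    printf("short host: flawed=%zu checked=%zu\n",
           response_len_flawed(buf, sizeof buf, "example.com"),
           response_len_checked(buf, sizeof buf, "example.com"));
    printf("long host:  flawed=%zu checked=%zu past_buffer=%zu\n",
           response_len_flawed(buf, sizeof buf, long_host),
           response_len_checked(buf, sizeof buf, long_host),
           bytes_past_buffer(long_host));
    return 0;
}
```

The buffer itself is never overflowed, since snprintf truncates correctly; the risk is entirely in reusing its return value as a send length without comparing it to the buffer size.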

Microsoft's security team has been closely monitoring the activities of a financially motivated threat actor named Octo Tempest. This group's evolving tactics and strategies have become a significant concern for various industries worldwide.

  • Affiliation with Ransomware Groups: In 2023, Octo Tempest became an affiliate of ALPHV/BlackCat, a ransomware-as-a-service operation. They started deploying ALPHV/BlackCat ransomware payloads, focusing mainly on VMware ESXi servers. Their targets for extortion have expanded to various industries, including natural resources, gaming, hospitality, consumer products, retail, and more.

  • Advanced Techniques: Octo Tempest employs a range of tactics, techniques, and procedures (TTPs) to compromise organizations. They leverage SMS phishing, SIM swapping, and advanced social engineering techniques, making them one of the most formidable financial cybercriminal groups.

Great report from Microsoft. Read the full thing here: (read more)

We talked about this a bit last week, but this article by Kim Zetter is way more thorough and worth a read if you’re interested in this issue.

North Korean IT workers, through extensive deceptive practices, have managed to secure remote coding jobs with U.S. companies, funneling their earnings to finance North Korea’s weapons programs.

  • Sophisticated Deception: Using fake profiles, stolen identification, and even U.S.-based individuals to conduct interviews on their behalf, North Korean IT workers concealed their true identities, successfully tricking U.S. companies into hiring them.

For Kim’s full article: (read more)

A group of 33 attorneys general from various states has filed a lawsuit against Meta, accusing the social media giant of creating products that are harmful to the mental health of young users. The lawsuit alleges that Meta’s platforms, including Facebook, have been deliberately designed with features that promote "compulsive, prolonged, and unhealthy use," contributing to a mental health crisis among the youth. (read more)

We reported on the breach. I think I made a bleach joke. But now I know it is no laughing matter as they are coming after our Ranch Dressing.

Full article from Salon: (read more)

India has intensified its efforts against tech support scams, conducting numerous raids on alleged call centers implicated in such fraudulent activities. This crackdown is a part of India’s broader initiative to combat cyber-related financial crimes.

For the full article: (read more)

A significant data breach has exposed over half a million records related to vehicle seizures by the Irish National Police, Garda Síochána, implicating a substantial number of vehicle owners in a privacy compromise.

For the full article: (read more)

Miscellaneous mattjay

Teaser of things to come:

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay