🎓️ Vulnerable U | #035
Okta Hack and Resulting Splash Damage, Cisco Finds Second Zero-Day, New Apple Side-Channel Attack iLeakage, Crypto Wars on E2E Encryption vs. Child Exploitation, and more!
Read Time: 8 minutes
Had an interesting week here. House was fighting off covid in the midst of all the normal busy life. How 2020 of us?
For this week’s blog, I dove further into the Loneliness Epidemic we’re seeing and its impact on the cybersecurity industry. We tend to be an isolated group:
In this episode:
Okta Hack and Resulting Splash Damage
Telegram is still leaking user IP addresses to contacts
Cisco Finds Second Zero-Day as Number of Hacked Devices Apparently Drops
iLeakage - New side-channel attack impacting Apple devices
Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar
Spain arrests 34 cybercriminals who stole data of 4 million people
The Shapeshifting Crypto Wars - Battle between E2E encryption and child predators
They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird
Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
33 state attorneys general sue Meta for harming kids, alleging Facebook and Instagram created a ‘national youth mental health crisis’
🖊️ Something I wrote: How the goal of “not getting hacked” is meaningless.
🎧️ Something I heard: Listening to the audiobook “The Comfort Crisis” - do recommend
Okta Hack and Resulting Splash Damage
The big news of the week was all about the Okta hack and the resulting companies coming forward, filling in some details of how it was discovered and the impact.
The long and short is that Okta got popped. The only thing they’ve told us is “stolen credentials” as a root cause, so anything beyond that is speculation. They also told us only 1% of their customers were impacted, which puts it around 170.
We then found out that three of the impacted customers were BeyondTrust, CloudFlare, and 1Password. All three have some claim to catching the incident before Okta did, and none of them suffered a breach; each thwarted the attempt.
It all stems from Okta’s support portal and its practice of asking customers for HTTP Archive (HAR) files, which record full HTTP requests and responses and so included sensitive data like cookies and session tokens. Once the support portal was compromised, attackers were able to replay the tokens that other customers had sent to Okta in those tickets.
Krebs report on the incident: (read more)
BeyondTrust’s report on how they discovered the incident: (read more)
1Password’s announcement on how they caught this before there was any user impact on their side. (read more)
CloudFlare’s “How we mitigated yet another Okta Compromise” - tons of shade thrown in the title alone: (read more)
Cisco has discovered a second actively exploited zero-day vulnerability in its IOS XE software, a finding that coincides with a noticeable drop in the number of compromised devices.
Active Exploitation: The vulnerability, identified as CVE-2023-20198, allows remote attackers to create high-privileged accounts on targeted Cisco devices. This has been actively exploited since mid-September, enabling attackers to execute arbitrary commands.
Double Trouble: Initially, Cisco identified one vulnerability, but further investigation revealed a second zero-day vulnerability (CVE-2023-20273) being exploited in conjunction with the first, complicating the security landscape.
Patch and Clean-Up: Cisco has released patches for both vulnerabilities. However, merely installing the patches isn’t enough; additional steps are required to cleanse the systems thoroughly.
Uncertain Threat Landscape: The number of compromised devices has seen a significant drop, but more on that in the next story.
A backdoor implanted on Cisco devices has been altered by threat actors to avoid detection. The attackers exploited zero-day vulnerabilities in Cisco’s IOS XE software, modifying the backdoor to respond only when a specific HTTP header is set, making it less visible to previous fingerprinting methods. (read more)
iLeakage is a newly unveiled security vulnerability that targets the Safari web browser on Apple devices such as Macs, iPads, and iPhones. It exploits the browser through transient execution side-channel attacks, revealing that the Spectre attack remains a significant threat despite years of mitigation efforts.
What it Does: iLeakage can induce Safari to render an arbitrary webpage, allowing an attacker to recover sensitive information within it using speculative execution. This includes recovering secrets from high-value targets like Gmail inbox content and passwords auto-filled by credential managers.
How it Works: The attack involves the use of speculative execution to access sensitive information. It demonstrates that malicious webpages can recover secrets from popular platforms, emphasizing the continued relevance and exploitability of the Spectre attack.
Demonstrated Risks: iLeakage has been demonstrated to recover Instagram credentials, Gmail inbox content, and YouTube watch history, showing the practical risks and the types of information that can be compromised.
Defensive Measures: “At the time of public release, Apple has implemented a mitigation for iLeakage in Safari. However, this mitigation is not enabled by default, and enabling it is possible only on macOS. Furthermore, it is marked as unstable.”
For the full vulnerability report, including demonstration videos: (read more)
Quasar RAT, an open-source remote access trojan, has been detected using DLL side-loading to discreetly infiltrate and extract data from compromised Windows systems, evading detection mechanisms effectively.
Capabilities: Quasar RAT is proficient in collecting a variety of system information, capturing keystrokes, taking screenshots, and executing arbitrary shell commands, making it a multifaceted threat.
Execution Chain: The attack begins with an ISO image file containing various files, including legitimate binaries and malicious DLLs. These components work in conjunction to initiate the loading of malicious code, ultimately leading to the execution of the Quasar RAT payload.
Telegram, a messaging app popular for its security features, has been found to leak users' IP addresses under certain conditions. A security researcher, Denis Simonov, highlighted this vulnerability, which becomes apparent during voice calls on the platform.
How it Happens: If a user adds a contact and accepts a call from them, the IP address can be exposed. This is due to Telegram’s default peer-to-peer connection setting during voice calls, aiming to improve call quality and reduce latency.
Preventive Measure Available: Users can prevent their IP addresses from being exposed by changing Telegram’s settings. By adjusting the peer-to-peer settings in the privacy and security section, users can enhance their privacy.
Comparison with Other Apps: Other messaging apps like WhatsApp have also faced similar issues in the past, but corrective measures were taken. Telegram, however, seems to accept this as a part of its operational design.
For the full story: (read more)
Spanish National Police have arrested 34 individuals connected to a cybercriminal organization responsible for stealing and monetizing the personal data of over four million people through various computer scams.
Significant Seizures: In the raids conducted, the police confiscated firearms, cash, high-end cars, and computers containing a vast database with information on millions of individuals.
Money Laundering: The profits, estimated to be around €3,000,000 ($3.2 million), were primarily obtained from reselling stolen data. The high-ranking members of the group are believed to have laundered the money through crypto asset investment platforms.
Susan Landau wrote a fantastic deep dive into the balance between encryption and catching child predators.
The ongoing "Crypto Wars" (crypto = cryptography in this case) debate has evolved, focusing now on whether end-to-end encryption (E2EE) should be limited to combat online child sexual abuse and exploitation (CSAE). Law enforcement argues that E2EE, which secures communications so that only the sender and receiver can view them, hinders CSAE investigations. However, security experts argue that undermining E2EE for this purpose could compromise overall online security and privacy.
Encryption vs. CSAE: E2EE is a crucial technology for securing online communications, but it also complicates the investigation of online CSAE. The debate centers on finding a balance between protecting privacy and ensuring the safety of vulnerable individuals, particularly children.
Legislative Challenges: Various bills in the EU and US seem to allow E2EE but impose requirements that effectively make its use impossible. These legislative efforts aim to make tech companies responsible for detecting and reporting CSAE content, which would require scanning user content, conflicting with the principles of E2EE.
This is an ongoing debate with many impassioned takes. Read this full essay here: (read more)
A cybersecurity startup, Unciphered, has developed a technique to crack the password of a specific model of encrypted USB drives known as IronKey S200. This achievement is significant because these drives are designed to erase their contents after ten incorrect password attempts, making the recovery of data nearly impossible.
A Treasure in Waiting: Unciphered’s interest in cracking the IronKey is driven by the story of Stefan Thomas, a Swiss crypto entrepreneur who has lost the password to his IronKey, which holds keys to 7,002 bitcoins, worth around $235 million. Thomas has only two password attempts left before the drive erases its contents.
Technical Triumph: Unciphered’s technique allows for an unlimited number of password guesses without triggering IronKey’s self-destruction feature. They have successfully demonstrated this capability, proving the potential to unlock Thomas’ fortune.
A Waiting Game: Despite Unciphered’s readiness and capability to unlock the IronKey, Thomas has been hesitant to accept their help, citing existing commitments with other teams. This has left Unciphered in a peculiar position, holding a powerful tool but waiting for the opportunity to use it.
For the full report: (read more)
A vulnerability dubbed "Citrix Bleed" has been discovered in Citrix NetScaler ADC and NetScaler Gateway, which allows for the leaking of session tokens due to a buffer over-read issue. This vulnerability, identified as CVE-2023-4966, was unveiled by security researchers who found that it could be exploited by manipulating the HTTP Host header in requests to the OpenID Connect Discovery endpoint.
Technical Breakdown: The vulnerability stems from a misunderstanding of the snprintf function, where the return value was used to determine the number of bytes sent to the client, exposing memory contents beyond the intended buffer.
Exploitation: By crafting specific requests, attackers could retrieve sensitive information, such as session tokens, from the memory of the vulnerable device. This could allow unauthorized access to protected resources.
Real-world Impact: The researchers were able to demonstrate the practical exploitation of this vulnerability, confirming that exposed session tokens could be used to authenticate against the affected Citrix services.
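As an added illustration of the snprintf misunderstanding described above (a constructed example, not NetScaler's code; the buffer size and the JSON template are placeholders), the vulnerable length calculation next to a hardened one:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not NetScaler code: the buffer size and the JSON
 * template are placeholders. The point is the snprintf return contract. */
#define RESP_BUF 128

/* Stand-in for an OpenID Connect discovery document whose "issuer" URL
 * embeds the client-supplied Host header value. */
static const char *kTemplate =
    "{\"issuer\":\"https://%s/oauth/idp\",\"jwks_uri\":\"https://%s/oauth/idp/jwks\"}";

static int render(char *buf, size_t bufsz, const char *host) {
    return snprintf(buf, bufsz, kTemplate, host, host);
}

/* Vulnerable pattern: snprintf returns the length the complete string
 * would have had, not how many bytes it actually stored. Using that as
 * the byte count to send means a long Host value makes the caller read
 * past the end of buf and ship whatever memory happens to follow it. */
size_t vulnerable_send_len(char *buf, size_t bufsz, const char *host) {
    int n = render(buf, bufsz, host);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened form: detect truncation (n >= bufsz) and refuse to send, so
 * the length handed to the socket never exceeds what was written. */
size_t hardened_send_len(char *buf, size_t bufsz, const char *host) {
    int n = render(buf, bufsz, host);
    if (n < 0 || (size_t)n >= bufsz)
        return 0;
    return (size_t)n;
}

/* Bytes past the end of a RESP_BUF-sized buffer that the vulnerable path
 * would expose for a given Host value (0 when the document fits). */
size_t bytes_over_read(const char *host) {
    char buf[RESP_BUF];
    size_t n = vulnerable_send_len(buf, sizeof buf, host);
    return n > sizeof buf ? n - sizeof buf : 0;
}

int main(void) {
    char host[256];
    memset(host, 'A', sizeof host - 1);
    host[sizeof host - 1] = '\0';
    printf("normal host exposes %zu bytes, oversized host exposes %zu bytes\n",
           bytes_over_read("idp.example.com"), bytes_over_read(host));
    return 0;
}
```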
For the full report: (read more)
Microsoft's security team has been closely monitoring the activities of a financially motivated threat actor named Octo Tempest. This group's evolving tactics and strategies have become a significant concern for various industries worldwide.
Affiliation with Ransomware Groups: In 2023, Octo Tempest became an affiliate of ALPHV/BlackCat, a ransomware-as-a-service operation. They started deploying ALPHV/BlackCat ransomware payloads, focusing mainly on VMware ESXi servers. Their targets for extortion have expanded to various industries, including natural resources, gaming, hospitality, consumer products, retail, and more.
Advanced Techniques: Octo Tempest employs a range of tactics, techniques, and procedures (TTPs) to compromise organizations. They leverage SMS phishing, SIM swapping, and advanced social engineering techniques, making them one of the most formidable financial cybercriminal groups.
Great report from Microsoft. Read the full thing here: (read more)
We talked about this a bit last week, but this article by Kim Zetter is way more thorough and worth a read if you’re interested in this issue.
North Korean IT workers, through extensive deceptive practices, have managed to secure remote coding jobs with U.S. companies, funneling their earnings to finance North Korea’s weapons programs.
Sophisticated Deception: Using fake profiles, stolen identification, and even U.S.-based individuals to conduct interviews on their behalf, North Korean IT workers concealed their true identities, successfully tricking U.S. companies into hiring them.
For Kim’s full article: (read more)
A group of 33 attorneys general from various states has filed a lawsuit against Meta, accusing the social media giant of creating products that are harmful to the mental health of young users. The lawsuit alleges that Meta’s platforms, including Facebook, have been deliberately designed with features that promote "compulsive, prolonged, and unhealthy use," contributing to a mental health crisis among the youth. (read more)
We reported on the breach. I think I made a bleach joke. But now I know it is no laughing matter as they are coming after our Ranch Dressing.
Full article from Salon: (read more)
India has intensified its efforts against tech support scams, conducting numerous raids on alleged call centers implicated in such fraudulent activities. This crackdown is a part of India’s broader initiative to combat cyber-related financial crimes.
A significant data breach has exposed over half a million records related to vehicle seizures by the Irish National Police, Garda Síochána, implicating a substantial number of vehicle owners in a privacy compromise.
YouTube isn't letting you use ad blockers anymore.
Me looking away from the screen so they don't win:
— Matt Johansen (@mattjay)
Oct 26, 2023
Teaser of things to come:
Two new trainings planned for next year:
“Red, Blue, Purple AI: Practical Applications of AI for Security Programs and Practitioners” with @DanielMiessler and @mattjay
“The Paved Road: Full Stack Modern Security Leadership”
See you there! 😎
— Jason Haddix (@Jhaddix)
Oct 22, 2023
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen