More stories

  • Okta: We made a mistake over Lapsus$ breach notification

    Okta has admitted it “made a mistake” by not telling customers sooner about a security breach in January, in which hackers were able to access the laptop of a third-party customer support engineer. The Lapsus$ hacking group published screenshots of Okta’s systems on March 22, taken from the laptop of a Sitel customer support engineer to which the hackers had remote access on January 20.

    “We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible. In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel,” Okta said in an FAQ it published on Friday, under the heading ‘Why didn’t Okta notify customers in January?’.

    On January 20, Okta said, it saw an attempt to directly access the Okta network using a Sitel employee’s Okta account. Okta detected and blocked the attempt and then notified Sitel. Outside of that attempted access, there was no other evidence of suspicious activity in Okta systems, it said.

    Okta is an important enterprise access management software vendor. It said that only 366 customers, about 2.5% of its customer base, were affected. However, there have been questions as to why customers did not learn about the incident sooner. In its FAQ Okta said: “In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.”

    The company has provided a detailed timeline of events from January 20, when it received an alert that a new factor had been added to a Sitel employee’s Okta account, to March 22, the date Lapsus$ published the screenshots it grabbed. Sitel hired an unnamed forensic company to investigate the breach on January 21; the investigation concluded on February 28. The forensic report to Sitel is dated March 10 and Okta received a summary of that report on March 17, according to Okta’s timeline. After the screenshots were published, Okta’s chief security officer David Bradbury said he was “greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report.”

  • Ransomware payments: Here's how much falling victim will now cost you

    The average ransom demand made following a ransomware attack has risen to $2.2 million as cyber criminals become bolder and have a bigger impact on the businesses they’re targeting. The amount ransomware attackers are demanding has more than doubled since 2020, when the average ransom demand for a decryption key stood at $900,000. The figures come from cybersecurity researchers at Palo Alto Networks, who analyzed ransomware incident response cases they were involved in during 2021.

    While the final ransom payments are often much less than the initial ransom demands, they’ve also risen significantly in recent years. During 2020, the average ransom paid was just over $300,000, which rose to $541,000 in 2021. Analysis of incidents suggests that for those businesses which paid a ransom when the attackers initially demanded over $3 million, the average amount paid was 43% of the ransom demand – but some cyber criminals managed to blackmail victims into paying almost the full amount they first asked for. For example, researchers cite an incident in which the BlackCat ransomware gang demanded a payment of $9 million for a decryption key and walked away with $8.5 million. Sometimes ransomware attackers get much less than they demand; in one case, cyber criminals behind a Suncrypt ransomware attack made a ransom demand of $12 million, only to be paid just $200,000 – 1.67% of their ransom demand.

    The overall trend of rising ransom demands and rising ransom payments shows that ransomware is working, as cyber criminals can make millions of dollars from a single victim who gives in to the extortion demands. Despite warnings not to pay because it only encourages further ransomware attacks, the Unit 42 report suggests that 58% of organisations hit by a ransomware attack opt to pay the ransom. But even if the ransom is paid, that isn’t necessarily the end of their troubles – researchers say 14% of organisations paid cyber criminals more than once.

    The network being down because of encrypted files and servers is disruptive enough, but one of the reasons so many victims are giving in to ransom demands is the rise of double extortion attacks. In order to carry out a ransomware attack, hackers enter the network, which gives them access to sensitive files and data. Many cyber criminals use this as extra leverage, copying the data before it’s encrypted and threatening to publish it if the ransom isn’t paid – and in many cases, it’s working.

    “Cyber criminals are doubling down by finding additional ways to extort victims in conjunction with ransomware,” said Ryan Olson, VP of threat intelligence at Unit 42 for Palo Alto Networks. “In 2021, ransomware gangs took these tactics to a new level, popularizing multi-extortion techniques designed to heighten the cost and immediacy of the threat,” he added. But this hasn’t just involved threats to publish stolen data – in some cases cyber criminals are adding other extortion tactics, including the threat of DDoS attacks, or even harassing employees of the victim organisation over the phone.

    Ransomware continues to be one of the most significant cybersecurity threats facing businesses and the wider world today, but there are ways in which businesses can help protect themselves from falling victim to attacks. Many ransomware attacks begin with hackers exploiting unpatched vulnerabilities or remote desktop protocol (RDP) logins. Information security teams should therefore ensure that security patches for known vulnerabilities are applied as quickly as possible and that login credentials are protected with multi-factor authentication. Any passwords which are suspected of being leaked or stolen should be changed. It’s also vital for IT departments to understand and monitor the network, as this can help them identify potentially malicious behaviour before cyber criminals trigger a full-blown ransomware attack.

  • Man linked to multi-million dollar ransomware attacks gets 66 months in prison for online fraud

    An Estonian man connected to multimillion-dollar ransomware attacks has received a five-and-a-half-year jail sentence for his involvement in online fraud schemes. The US Department of Justice says Maksim Berezan, a 37-year-old from Estonia, took part in at least 13 ransomware attacks, including seven against American businesses, which cost victims over $53 million in losses. Berezan was an active member of an online forum designed for Russian-speaking cybercriminals to gather and exchange their criminal knowledge, tools, and services, the DoJ said.

    Berezan was arrested in Latvia in November 2020 and extradited to the US, where he pleaded guilty in April 2021 to conspiracy to commit wire fraud affecting a financial institution and conspiracy to commit access device fraud and computer intrusions. Following his arrest, police examined Berezan’s computers and found evidence of his involvement in ransomware attacks, with $11 million in ransom payments flowing through cryptocurrency wallets he owned. According to court documents, he used the money made from cyber crime to buy two Porsches and a Ducati motorcycle, along with an assortment of jewelry. Authorities confiscated $200,000 in cash from Berezan’s home, along with cryptocurrency wallets holding $1.7 million in Bitcoin.

    The Eastern District of Virginia sentenced Berezan to 66 months in prison and he has been ordered to pay $36 million in restitution. “Ransomware thieves are not safe in any dark corner of the internet in which they may think they can hide from our highly trained investigators and law enforcement partners worldwide,” said special agent in charge Matthew Stohler of the US Secret Service. “Together with our critical partners we are dedicated to protecting the public and securing every iteration of our money and every part of our national financial infrastructure.”

    The US Department of Justice worked with the Latvian State Police and Estonian Police to help obtain the conviction. “Cybercrime has become increasingly more sophisticated, but so have our methods for combatting it,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. “Ransomware attacks are devastating to people and organizations alike, and we have honed our strategies and techniques to target both the individual actors who perpetrate these attacks and the networks that support them,” she added.

  • Hundreds more packages found in malicious npm 'factory'

    Researchers continue to investigate a wave of malicious npm packages, with the published tally now reaching over 700. Last week, JFrog researchers disclosed the scheme in which an unknown threat actor had published at least 200 malicious Node Package Manager (npm) packages. The team said that the repositories were first detected on March 21 and grew rapidly, with each npm package deliberately named to mimic legitimate software. 

    An automated script targeted scopes used by Microsoft Azure developers, including @azure, @azure-rest, @azure-tests, and more, in the npm software registry. On Monday, Checkmarx researchers Aviad Gershon and Jossef Harush said the Supply Chain Security (SCS) team has also been tracking these activities and has recorded over 600 malicious packages published over five days, bringing the total to over 700.

    To try to keep the attacks under the radar, the miscreant responsible has been using unique user accounts. “This is uncommon for the automated attacks we see; usually, attackers create a single user and burst their attacks over it,” Checkmarx says. “From this behavior, we can conclude that the attacker built an automation process from end to end, including registering users and passing the OTP challenges.”

    According to Checkmarx, the attacker’s “factory” is producing malicious npm packages that rely on dependency confusion to dupe developers and steal their data. As previously noted by JFrog, the attack method relies on typosquatting and names that mimic trustworthy packages, often removing the “scope” part of a package name to look legitimate. The command-and-control (C2) server used to manage the overall infrastructure of the attack wave, “rt11[.]ml,” is also the recipient address to which the stolen information is sent. The C2 appears to be running Interactsh, an open source tool written in the Go programming language for data extraction.

    Checkmarx set up its own domain and server, complete with an Interactsh client, to better understand the attacker’s method. A script was then written that opens npm accounts upon request, using the web testing software SeleniumLibrary. The script randomly generates usernames and email addresses under the test domain and automatically initiates the sign-up process. This is where Interactsh comes in: to bypass the One-Time Password (OTP) verification check used by npm, Interactsh automatically extracts the OTP and sends it back to the sign-up form, allowing the account creation request to succeed. The team then followed the attacker’s method by creating a template npm package and a script able to communicate with npm utilities in the ‘login’ and ‘publish’ stages.

    “It is worth mentioning that once the user account is open, it is possible to configure it in a way that does not require OTP in order to publish a package,” the researchers said. “This could be done using an authentication token and configuring it to work without 2FA. We presume that this is the way attackers who published bursts of malicious packages were able to automate their process without setting up the described mechanism.”

    Checkmarx and JFrog have both reported the malicious packages to the npm security team. In addition, the company providing the C2 server has been notified. “By distributing the packages across multiple usernames, the attacker makes it harder for defenders to take them all down with ‘one stroke’,” Checkmarx noted. “By that, of course, making the chances of infection higher. Just to make it clear, the building blocks required for creating single (OTP verified) user[s] per package is no trivial task.”

    In February, JFrog found 25 malicious npm packages containing Discord token stealers. Many of these packages mimicked colors.js, open source software for using colored text on node.js – before its creator sabotaged the package.
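The naming trick described above (a legitimate scoped package republished with its scope dropped, or under a near-identical name) is something a defender can check for in their own dependency manifests. The following is an added example, not code from Checkmarx, JFrog or npm: it audits the dependencies in a package.json against an allow-list of legitimate scoped packages and flags names that equal a known package with its scope stripped or flattened into a prefix, or that are one edit away from such a name. The allow-list, the sample package.json and all function names are assumptions constructed for the example.

```javascript
// Added example (not Checkmarx's, JFrog's or npm's code): audit the
// dependencies in a package.json against an allow-list of legitimate scoped
// packages and flag names that mimic them by dropping the scope
// ("@azure/identity" -> "identity" or "azure-identity") or by a one-character
// typo. The allow-list and the sample package.json below are constructed.

// Constructed allow-list: scoped packages the organisation actually uses.
const KNOWN_SCOPED = [
  '@azure/core-rest-pipeline',
  '@azure/identity',
  '@azure-rest/core-client',
];

// Constructed package.json with one legitimate Azure dependency, two lookalikes
// and one unrelated package.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: {
    '@azure/identity': '^2.0.0',    // legitimate scoped package
    'core-rest-pipeline': '^1.0.0', // scope stripped from @azure/core-rest-pipeline
    'azure-identty': '^1.0.0',      // one-character typo of the flattened form
    express: '^4.18.0',             // unrelated, must not be flagged
  },
});

// Levenshtein edit distance with a single rolling row; used to catch
// single-character typosquats.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // D[i-1][j-1] for the current j
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j], becomes the next diag
      row[j] = Math.min(
        above + 1,                              // deletion
        row[j - 1] + 1,                         // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1), // substitution
      );
      diag = above;
    }
  }
  return row[b.length];
}

// Names under which a lookalike of a scoped package could be published:
// the bare name and the scope flattened into a prefix.
function mimicForms(scopedName) {
  const m = /^@([^/]+)\/(.+)$/.exec(scopedName);
  return m ? [m[2], `${m[1]}-${m[2]}`] : [];
}

// Classify one dependency name; returns a finding or null.
function classify(name, knownScoped) {
  if (knownScoped.includes(name)) return null; // exact legitimate name
  for (const scoped of knownScoped) {
    for (const form of mimicForms(scoped)) {
      if (name === form) {
        return { name, mimics: scoped, reason: 'scope stripped' };
      }
      if (editDistance(name, form) <= 1) {
        return { name, mimics: scoped, reason: 'one-character typo' };
      }
    }
  }
  return null;
}

// Audit a package.json text; returns one finding per suspicious dependency,
// in manifest order.
function auditPackageJson(text, knownScoped = KNOWN_SCOPED) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps)
    .map((name) => classify(name, knownScoped))
    .filter((finding) => finding !== null);
}

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.name}: ${f.reason}, resembles ${f.mimics}`);
}
```

Run against the constructed manifest, the audit reports `core-rest-pipeline` as a scope-stripped copy of `@azure/core-rest-pipeline` and `azure-identty` as a one-character typo of the flattened `@azure/identity`, while leaving the genuine `@azure/identity` and the unrelated `express` alone. The allow-list is the part that has to be maintained: the check only knows about the scoped packages you tell it about, and a threshold of one edit is deliberately tight to keep false positives low on short package names.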

  • CISA: Here are 66 more security flaws actively being used by hackers – so get patching

    The US Cybersecurity and Infrastructure Security Agency (CISA) has told federal agencies to patch 66 new security bugs based on evidence of active exploitation. These 66 new bugs join a growing list of bugs in the Known Exploited Vulnerabilities Catalog that covers technology typically used in enterprises, such as network security appliances.

    Federal agencies have been given until April 15, 2022 to apply this batch of patches under the Binding Operational Directive aimed at reducing the significant risk of known exploited vulnerabilities. The 66 bugs include recent and older flaws in networking kit and security appliances from D-Link, Cisco, Netgear, Citrix, Kuiper, Palo Alto, Sophos, Zyxel, plus enterprise software from Oracle, OpenBSD, VMware and others, as well as multiple Windows bugs.

    Among the bugs are one affecting WatchGuard’s Firebox and XTM appliances (CVE-2022-26318), the Mitel MiCollab and MiVoice Business Express access control vulnerability (CVE-2022-26143), and the Windows Print Spooler elevation of privilege vulnerability (CVE-2022-21999). The Mitel bug was being exploited for the TP240PhoneHome DDoS attack, which was capable of an amplification ratio of 4,294,967,296 to 1. It was observed being exploited in February and March.

    CISA last month gave agencies two weeks to fix a whopping 95 bugs. Again, some were newly exploited while others have had patches available for several years. So, it looks like admins at federal agencies will have yet another busy few weeks finding and then patching systems. As part of its Shields Up initiative, CISA and the White House are encouraging all US organizations to step up patching and check multi-factor authentication configurations due to an increased threat from cyberattacks being directed at them by Russia.

  • Sophos patches critical remote code execution vulnerability in Firewall

    Sophos has patched a remote code execution (RCE) vulnerability in the Firewall product line. Sophos Firewall is an enterprise cybersecurity solution that can adapt to different networks and environments. Firewall includes TLS and encrypted network traffic inspection, deep packet inspection, sandboxing, intrusion prevention systems (IPSs), and visibility features for detecting suspicious and malicious network activity.

    On March 25, the cybersecurity company disclosed the RCE, which had been privately reported to Sophos via the firm’s bug bounty program by an external cybersecurity researcher. Sophos offers financial rewards of between $100 and $20,000 for reports. Tracked as CVE-2022-1040 and issued a CVSS score of 9.8 by Sophos as a CNA, the vulnerability impacts Sophos Firewall v18.5 MR3 (18.5.3) and older. According to Sophos’ security advisory, the critical vulnerability is an authentication bypass issue found in the user portal and Webadmin interfaces of Sophos Firewall. While the vulnerability is now patched, Sophos has not provided further technical details.

    Sophos Firewall users will in most cases have received a hotfix to tackle the flaw, so customers who have enabled the automatic installation of hotfix updates do not need to take further action. However, customers still using older software versions may have to update their builds to a newer version to stay protected. There is also a general workaround to mitigate the risk of attacks made through the user portal and Webadmin: users can disable WAN access to these interfaces entirely, and Sophos recommends using a virtual private network (VPN) alongside Sophos Central to improve the security of remote connections.

    Earlier this month, Sophos resolved CVE-2022-0386 and CVE-2022-0652, two vulnerabilities in the Sophos UTM threat management appliance. CVE-2022-0386 is a high-severity post-auth SQL injection vulnerability, whereas CVE-2022-0652 is an insecure access permissions bug.

  • Chrome and Edge hit with V8 type confusion vulnerability with in-the-wild exploit

    Google is urging users on Windows, macOS, and Linux to update Chrome to version 99.0.4844.84, following the discovery of a vulnerability that has an exploit in the wild. Because of this, the browser maker is being tight-lipped on details. “CVE-2022-1096: Type Confusion in V8. Reported by anonymous on 2022-03-23,” was as far as Google would go in explaining the issue. V8 is Chrome’s JavaScript engine; it is also used server-side in Node.js, but the Node.js project has not yet said whether it is impacted. Google added that bug details would be restricted until a majority of users had updated the browser. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed,” it said on Friday. A day later, Microsoft issued its own notice and said the issue was fixed in Edge version 99.0.1150.55, released the same day. At the start of the month, Google said it was seeing more Chrome zero-day flaws in the wild.

  • Kaspersky blacklisted by FCC alongside China Telecom and China Mobile

    The US Federal Communications Commission (FCC) has added Kaspersky to the country’s entity list, along with China Telecom and China Mobile. First reported by Bloomberg, the Kaspersky addition marks the first time a Russian company has been added to the list; prior to the latest update, the list comprised only Chinese companies. Companies placed on the entity list are banned from buying parts and components from US companies without government approval.

    The FCC said it placed the three companies on the list because it found they all posed national security risks. “I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list. Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state-backed entities seeking to engage in espionage and otherwise harm America’s interests,” said Brendan Carr, FCC commissioner.

    In response to being placed on the entity list, Kaspersky, in a statement, accused the US agency of making the decision on political grounds. “This decision is not based on any technical assessment of Kaspersky products — that the company continuously advocates for – but instead is being made on political grounds,” Kaspersky said. “Kaspersky will continue to assure its partners and customers on the quality and integrity of its products, and remains ready to cooperate with US government agencies to address the FCC’s and any other regulatory agency’s concerns.” Kaspersky’s response mirrors a similar complaint it made against Germany’s Federal Office for Information Security, which recently issued an advisory warning people to avoid using Kaspersky’s products and services. In Kaspersky’s complaint against the German regulator, the company said the advisory was made on political grounds too.

    Prior to being on the US entity list, the US government in 2017 had already banned the use of Kaspersky products and services by federal entities and contractors. For China Telecom and China Mobile, their additions to the entity list come as no surprise, as the two telcos were already booted off the New York Stock Exchange by the US Treasury Department at the start of last year. The FCC in October also ordered the removal of China Telecom’s authority to operate in the US.