Weekly Cyber Reports

This Week in Cyber 27th October 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

26th October, 2023


Okta Discloses Security Incident Involving Stolen Credentials and Customer Data Exposure

Identity services provider Okta disclosed a security incident where threat actors exploited stolen credentials to access its support case management system. While this system is separate from Okta's production service, it allowed the threat actor to view files uploaded by certain Okta customers as part of recent support cases. These files can contain sensitive data, including cookies and session tokens.

Okta worked with impacted customers to revoke session tokens to prevent abuse. Okta did not disclose the scale or the exact timing of the attack, but it confirmed the incident affected about 1% of its customers. BeyondTrust and Cloudflare were among the targeted customers, with Cloudflare experiencing a sophisticated attack but no impact on customer data. 


Record-Breaking Surge in Ransomware Attacks: New Threat Actors Emerge

In September, ransomware attacks hit a record high, with 514 victims exposed on leak sites, marking a 153% increase compared to the previous year. New threat actors contributed to this surge, with LostTrust ranking as the second most active group. While established actors like LockBit remained active, the volume of attacks and the emergence of new groups were noteworthy. Industrials, consumer cyclicals, and technology sectors were the primary targets, with the healthcare sector witnessing an 86% increase in attacks compared to August.

North America remained the primary target of cybercriminals, experiencing 258 attacks in September. Europe was the second most targeted region with 155 attacks, followed by Asia in third place with 47 attacks. The surge in ransomware attacks during September was partly anticipated for that time of year. However, the volume of attacks and the emergence of new threat actors were notable trends. These new threat actors are increasingly utilizing the Ransomware as a Service (RaaS) model and exploring various tactics to pressure victims into paying ransoms.

Telesoft’s MDR service is a valuable addition to your organization's security posture. It provides proactive threat monitoring, rapid incident response, and access to the latest threat intelligence, all of which are critical in preventing ransomware attacks and minimizing their impact.


Critical Vulnerability Disclosure: VMware's vCenter Server at Risk

VMware, a leading virtualization and cloud tech provider, disclosed a critical vulnerability (severity score: 9.8/10) in its vCenter Server. This flaw allows hackers to execute remote code. vCenter Server manages virtualized environments, offering a unified interface for multiple hosts.

The vulnerability stems from an out-of-bounds write in the DCE/RPC protocol implementation, which is used for communication between network-distributed applications. The flaw permits unauthorized data access to users with non-administrative privileges. VMware recommends immediate patching, as there are no viable workarounds. The release also marks the end of life for older vCenter Server versions. VMware's products and services are used by major banks, telecom companies, the UK government, and others.


Cloudflare Mitigates Thousands of Hyper-Volumetric HTTP DDoS Attacks Exploiting HTTP/2 Rapid Reset Flaw and Other DDoS Trends

Cloudflare reported mitigating thousands of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks that exploited the HTTP/2 Rapid Reset vulnerability. This campaign led to a 65% increase in HTTP DDoS attack traffic in Q3, with 89 attacks exceeding 100 million requests per second. Total attack requests in the quarter reached 8.9 trillion, up from 5.4 trillion in Q2 and 4.7 trillion in Q1 2023.

The HTTP/2 Rapid Reset flaw (CVE-2023-44487) was disclosed recently and was used in attacks targeting major providers like AWS, Cloudflare, and Google Cloud. Botnets utilizing cloud platforms and HTTP/2 were able to launch hyper-volumetric DDoS attacks with a small number of nodes. Industries targeted by these attacks include gaming, IT, cryptocurrency, computer software, and telecom. The U.S., China, Brazil, Germany, and Indonesia were the primary sources of L7 DDoS attacks, while the U.S., Singapore, China, Vietnam, and Canada were the main targets. DNS-based DDoS attacks were the most common for the second consecutive quarter, followed by SYN floods, RST floods, UDP floods, and Mirai attacks.
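Rapid Reset gets its name from the traffic pattern itself: a client opens a stream and cancels it with RST_STREAM almost immediately, repeating this far faster than a real browser would, so a handful of nodes can generate an enormous request rate. That pattern is also what a defender can look for at the edge. The following is an added example, not Cloudflare's or any vendor's code, of a per-connection detector run over constructed HTTP/2 frame log lines: it flags any connection that sends more than a threshold of RST_STREAM frames inside a sliding time window, and reports the reset-to-open ratio as a second signal. The log line format (`timestamp connection event stream_id`), the thresholds and the sample traffic are all assumptions for this example.

```python
from collections import defaultdict, deque


def detect_rapid_reset(lines, window=1.0, threshold=20):
    """Scan frame log lines and return (flagged, ratios).

    flagged maps connection id -> peak number of RST_STREAM frames seen inside
    `window` seconds, for connections that reached `threshold`.
    ratios maps connection id -> resets / streams opened, for every connection.
    Lines only need to be time-ordered per connection.
    """
    recent = defaultdict(deque)   # per-connection timestamps of recent resets
    opened = defaultdict(int)     # streams opened (HEADERS frames) per connection
    resets = defaultdict(int)     # RST_STREAM frames per connection
    flagged = {}

    for line in lines:
        ts, conn, event, _stream_id = line.split()
        ts = float(ts)
        if event == "HEADERS":
            opened[conn] += 1
        elif event == "RST_STREAM":
            resets[conn] += 1
            q = recent[conn]
            q.append(ts)
            # Drop resets that fell out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged[conn] = max(flagged.get(conn, 0), len(q))

    ratios = {c: resets[c] / opened[c] for c in opened if opened[c]}
    return flagged, ratios


def make_sample():
    """Constructed traffic: one ordinary client and one abusive client."""
    lines = []
    # conn-3 behaves like a browser: 5 streams over 10 seconds, one cancelled.
    for i in range(5):
        lines.append(f"{1000.0 + 2 * i:.3f} conn-3 HEADERS {2 * i + 1}")
    lines.append("1003.500 conn-3 RST_STREAM 3")
    # conn-7 opens and immediately resets 30 streams within 0.3 seconds.
    for i in range(30):
        sid = 2 * i + 1
        t = 2000.0 + 0.01 * i
        lines.append(f"{t:.3f} conn-7 HEADERS {sid}")
        lines.append(f"{t + 0.001:.3f} conn-7 RST_STREAM {sid}")
    return lines


if __name__ == "__main__":
    flagged, ratios = detect_rapid_reset(make_sample())
    for conn, peak in flagged.items():
        print(f"{conn}: {peak} resets in window, reset ratio {ratios[conn]:.2f}")
```

The two signals are deliberately separate: a bursty but legitimate client (a page that cancels many image loads on navigation) can hit the window count once, while a near-1.0 reset ratio sustained over the connection is much harder to explain innocently. In practice the response is to limit the per-connection rate of resets and close connections that exceed it, which is the class of mitigation the affected vendors shipped, rather than to block on a single threshold.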

iLeakage: New Side-Channel Attack Targets Apple CPUs and Safari Browser

Researchers have discovered a new side-channel attack called "iLeakage" targeting Apple's A- and M-series CPUs in iOS, iPadOS, and macOS devices. This innovative attack methodology exposes a vulnerability that enables the extraction of sensitive data from the Safari web browser. iLeakage represents the first instance of a Spectre-style speculative execution attack on Apple Silicon CPUs. It affects all Apple devices released since 2020 that are powered by A-series and M-series ARM processors.

Of particular importance, iLeakage circumvents Apple's security measures and employs timer-less and architecture-agnostic techniques to differentiate cache hits from misses. Ultimately, this process leads to information leakage within Safari's rendering process. While the practical exploitation of this vulnerability is unlikely due to the high level of technical expertise required, the research emphasizes the persistent threat posed by hardware vulnerabilities in the modern computing landscape. 

