Security breach Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Fri, 31 May 2024 01:04:35 +0000

1Password Hacked Following the Okta Hack
https://gridinsoft.com/blogs/1password-hacked-after-okta-hack/
Wed, 25 Oct 2023 16:00:48 +0000
A recent security breach at the 2FA provider Okta appears to affect some of its clients. Among them, the password management service 1Password has reported “suspicious activity” that is most likely related to the Okta incident.

What happened to Okta?

At the end of October 2023, Okta released a notification on social media about the security breach. The stated cause is missing session token validation, which let the attackers reach the computers of tech support employees. From there, the intruders were able to access files that other customers had sent to support; such files commonly contain cookies, session tokens and similar secrets.

Image: Official note from Okta regarding the hack

This is not the first time Okta has gotten into trouble with hackers. In March 2022, hackers from the Lapsus cybercrime group managed to break into the laptop of a tech support engineer. This affected a small portion of Okta customers, only ~2.5%, but that is still a large number given that the company is a major identity management provider. Such recurring hacks, especially within one specific division of the company, hit its image pretty hard, to say the least.

1Password Hacked Through the Okta Hack

As bad as the Okta hack sounds, the consequences for 1Password are limited. The company reports that it stopped all activity tied to the employee accounts that used Okta services. Further investigation showed that there is nothing to worry about: no accounts were compromised whatsoever.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” reads 1Password’s report on the incident.

Although things appear to be fine on the 1Password side, the story may not be over yet. New details of the hack surface each day, even though the key events happened almost a month ago, on September 29.

Should you be worried?

The best part of this situation is that the affected companies do not hesitate to notify exposed customers. No 1Password user data was touched, but the situation is different for Okta: it has been sending, and continues to send, emails to users whose credentials are potentially at risk, with recommendations on further actions. So keep an eye on emails from Okta; that is enough to stay up to date with the situation.

Security Breach
https://gridinsoft.com/blogs/what-is-security-breach/
Thu, 05 Jan 2023 16:46:59 +0000
A security breach is unauthorized access to a device, network, program, or data. It results from the security controls of a network or device being violated or circumvented. Let’s look at the types of security breaches, how they happen, and how to counter them.

What is a Security Breach?

First of all, let’s have a look at the definitions. A security breach occurs when an intruder bypasses security mechanisms and gains access to data, apps, networks, or devices. Despite their close relationship, there is a difference between security breaches and data breaches. A security breach is about gaining access as such, like breaking into someone’s house. A data breach, on the other hand, is one possible consequence of a security breach: the intruder may have goals other than leaking data, so not every security breach is a data breach.

What are the types of Security Breaches?

Threat actors may create a security breach in different ways, depending on their victim and intentions. Here are the most important ones.

1. Malware injection

Cybercriminals often employ malicious software to infiltrate protected systems. Viruses, spyware, and other malicious software are transmitted via email or downloaded from the Internet. For instance, you might receive an email with an attachment, typically an MS Office document; opening that file can infect your PC. You may also download a malicious program from the Internet directly, with no trickery involved. Attackers often target your computer to extort money or to steal data, which they can sell on the Darknet or similar marketplaces.

2. Man-in-the-Middle-attack

As the name says, the attacker sits in the middle of the communication path. The attacker intercepts traffic between two parties, so one party may receive a forged message, or the entire conversation may be exposed. Such an attack is often carried out through compromised network equipment, such as a router, though some malware can serve the same purpose.

Image: Scheme of a Man-in-the-Middle attack

3. Insider threat

An insider threat is the danger of a person within the company using their authorized access to commit a cybercrime. The harm can include malicious, negligent, or accidental actions that negatively affect the organization’s security, confidentiality, or availability. CISA defines an insider threat as the danger that an insider will knowingly or unknowingly misuse their authorized access to harm the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems; other stakeholders may find this general definition appropriate and valuable for their own organization. This danger can manifest through the following insider behaviors:

  • Corruption, including participation in transnational organized crime
  • Terrorism
  • Sabotage
  • Unauthorized disclosure of information

4. Advanced persistent threat

An advanced persistent threat (APT) is a prolonged cyberattack that uses advanced tactics to remain undetected in a network for an extended time in order to steal information. An APT attack is meticulously planned and executed to infiltrate a specific organization, circumvent its existing security measures and stay hidden. APT attacks are more complex and require more planning than traditional cyberattacks. The adversaries are typically well-funded, experienced teams that target high-value organizations, and they devote significant time and resources to investigating the target and identifying its vulnerabilities.

Image: Advanced persistent threat

Examples of Security Breaches

Recent high-profile breaches include:

  • Facebook: In 2021, the personal information of over half a billion Facebook users was leaked, including phone numbers, dates of birth, locations, email addresses, and more. The attack was a zero-day exploit that allowed hackers to harvest a large amount of data from the company’s servers.
  • Equifax: In 2017, the US credit bureau Equifax suffered a security breach through a third-party software vulnerability similar to the EternalBlue exploit. The attackers gained access to the personal information of over 160 million people, which makes this one of the most significant identity theft cybercrimes to date.
  • Yahoo!: In 2016, with 200 million active Yahoo users, a list of account usernames and passwords was posted for sale on the dark web. The company blamed the breach on “state-sponsored hackers,” who could manipulate cookie data to gain access to user accounts.
  • eBay: In 2014, eBay suffered a severe security breach that resulted in the widespread disclosure of personal information.

How to Protect Yourself from a Security Breach

Monitor your accounts and devices

After a security incident, closely monitor your accounts and devices for any unusual activity. If you notice any, ask the site administrator to suspend your account so that the threat actor can no longer use it.

Change your passwords

Set strong passwords on every device that allows it, paying special attention to routers and to devices you use on public Wi-Fi. Remember to update your passwords regularly. A password should include upper and lower case letters, numbers, and special characters.

Image: Example of a weak password

Contact your financial institution

If your credit card or other financial information is compromised, contact your bank immediately to prevent fraudulent transactions. They can tell you what the problem is and how to fix it. Resolving issues with your card can take time; the best thing to do in such cases is to block the card so that fraudsters cannot withdraw money from it.

Perform an antivirus scan

If someone has gained access to your computer or home network, your devices may be infected with malware. Use reliable antivirus software to identify and remove any threats that may be present. Run an initial scan to find out whether your computer has any problems; depending on the scan type, it may take a while to complete. A quick scan is the default; the standard scan is recommended, but it takes longer.

Report the incident to the appropriate authorities

Contact your local law enforcement agency if you’ve been the victim of identity theft or fraud. They will assist you in the necessary steps to regain control over your accounts.

Keep in mind that avoiding an attack is possible if you take the proper steps to protect yourself: create strong passwords, use two-factor authentication, and keep track of your credentials with a good password manager.

Image: Multi-Factor Authentication (MFA). 2FA usage minimises the chance of a security breach

Good digital hygiene also includes using comprehensive security and privacy software to keep threats from infiltrating your devices and to protect your data. This makes it harder for hackers to get into your device, take your data, and sell it on third-party marketplaces.

F5 warns of critical BIG-IP RCE vulnerability
https://gridinsoft.com/blogs/f5-big-ip-vulnerability/
Thu, 05 May 2022 18:18:49 +0000
F5, Inc. has warned users about a critical vulnerability affecting iControl REST, a framework that F5 offers as an advanced tool for software developers. The flaw is rated critical because it allows unauthenticated users to take over the device.

F5 warns its customers of a new vulnerability

CVE-2022-1388, according to the company’s analysts, lets a threat actor remotely execute arbitrary code and disable services on BIG-IP without any authentication. It carries a CVSS v3 score of 9.8, which places it in the critical range. A vulnerability in one of the iControl REST components makes it possible to bypass BIG-IP authentication, after which attackers are free to execute arbitrary code. The BIG-IP versions reported as vulnerable are:

  • 16.1.0 to 16.1.2;
  • 15.1.0 to 15.1.5;
  • 14.1.0 to 14.1.4;
  • 13.1.0 to 13.1.4;
  • 12.1.0 to 12.1.6;
  • 11.6.1 to 11.6.5.

F5 offers a fast fix for the issue

As you can see, almost all versions of BIG-IP currently in use are exposed. F5 Inc. has already released fixed versions of the software and recommends installing them as soon as possible. The fixed versions are:

  • 17.0.0;
  • 16.1.2.2;
  • 15.1.5.1;
  • 14.1.4.6;
  • 13.1.5.

The company emphasizes that older versions of the software (12.x and 11.x) will not receive a fix for this flaw, and it recommends upgrading to a newer version. If a customer cannot apply the update for some reason, F5 recommends the following settings to prevent exploitation of the vulnerability:

Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.

Block iControl REST access through the self IP address
You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST. By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured.

F5 Inc. advisory on CVE-2022-1388 in BIG-IP.

How serious is the CVE-2022-1388?

Since iControl and BIG-IP are mostly used by corporations, that is where CVE-2022-1388 can do the most harm. The ability to execute code remotely without authentication lets attackers expand their presence quickly, up to full control of the network. Any malware operator would welcome such a capability, especially given the amount of valuable data held by such corporations. Moreover, the fact that a company runs advanced and expensive solutions such as those offered by F5 signals to attackers that they can demand a huge ransom.

Besides that, having such a vulnerability in your software product also affects your image as a developer. F5 did a good job: it detected the flaw and issued a fix before cybercriminals could exploit it. That does not mean attackers have lost the ability to exploit it, only the element of surprise, since it is no longer a zero-day vulnerability. Many companies will be slow to update, and some may ignore the advisory entirely; the absence of a fast reaction often leads to bad consequences. Fortunately for F5, it has already disclaimed responsibility for any malware attack carried out through this flaw.

Vulnerabilities allowed access to cameras on Mac, iPhone and iPad
https://gridinsoft.com/blogs/vulnerabilities-allowed-access-to-cameras-on-mac-iphone-and-ipad/
Mon, 06 Apr 2020 16:19:21 +0000
Apple paid $75,000 to security researcher Ryan Pickren under its bug bounty program for vulnerabilities in Safari that made it possible to access someone else’s camera on a Mac, iPhone or iPad simply by directing the person to a specially crafted site.

In total, Pickren discovered seven vulnerabilities in the Apple browser and the WebKit browser engine (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, CVE-2020-9787), three of which can be chained together and used to spy on users through the camera and microphone of an iPhone, iPad or Mac.

Such an attack requires very little: the victim only has to visit a malicious site. No other interaction is needed, and the malicious site can impersonate a popular legitimate resource and abuse the permissions that the victim would grant only to a trusted domain.

“If a malicious site needs to access the camera, all that it needs is to mask itself as a trusted site for video conferencing, such as Skype or Zoom,” the researcher notes.

Corrections for bugs found by the specialist were released as part of Safari 13.0.5 (release dated January 28, 2020) and Safari 13.1 (release dated March 24, 2020).

Pickren explains that Safari stores permissions for sensitive devices (camera, microphone, location, and so on) for each individual site. This allows a site such as the official Skype site to access the camera without asking the user for permission every time.

iOS has an exception to this rule: while third-party applications must ask for the user’s consent to access the camera, Safari can access the camera or photo gallery without any prompt.

Image: Access to cameras on Mac and iPhone

Exploitation of the problems became possible because of the way the browser parses URL schemes and applies the security settings of each site. The researcher’s method works only against sites already open in the browser.

“The most important fact is that the URL scheme is completely ignored,” the expert writes. “This is a problem, as some schemes do not contain a meaningful host name at all, for example file:, javascript: or data:. Simply put, the error makes Safari think that the malicious site is actually a trusted one. This is due to exploitation of a number of shortcomings (how the browser parses the URI, manages the web origin and initializes the secure context).”

In effect, Safari failed to enforce the Same-Origin Policy when checking permissions, granting access to a site that should never have received it. As a result, the site https://example.com and a malicious counterpart such as fake://example.com could end up with the same permissions. A file: URI (for example, file:///path/to/file/index.html) could therefore be used to trick the browser, with the document’s domain then changed from JavaScript.

“Safari believes we are on skype.com and I can load some malicious JavaScript. The camera, microphone and screen sharing will be compromised after opening my local HTML file,” Ryan Pickren writes.

A blob: URL (for example, blob://skype.com) works similarly: it can be used to run arbitrary JavaScript that directly accesses the victim’s webcam without permission.

Even worse, the study showed that plaintext passwords can be stolen in the same way, since Safari uses the same site-identification logic to decide where saved passwords are autofilled.

PoC exploits and a demonstration of the attacks described are available on the specialist blog.

I should also remind you that a researcher recently hacked an iPhone remotely using only one vulnerability.
