Here's another fresh issue with news that I found interesting :-) I hope you enjoy the read.
Have a good one!
Okta has concluded that the root cause of this breach was an employee storing company credentials in a private Google account, which their Chrome browser was signed into. In response, Okta have now enabled an option within Chrome Enterprise that prevents sign-ins using a personal Google profile.
They've also released a new feature where session tokens of Okta administrators are bound to a specific network location. If a network change is detected, they will have to re-authenticate. For now, you have to explicitly enable this feature though.
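To make the network-binding idea concrete, here is an added example (my own code, not Okta's implementation, whose definition of "network location" the article doesn't give): an in-memory session store that records the client's network when an admin session is issued and forces re-authentication when a later request arrives from a different network. The /24 prefix used as the "network" is an assumption for illustration.

```python
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    network: str      # network location captured when the session was issued
    is_admin: bool


class SessionStore:
    """Tracks sessions and enforces network binding for admin sessions."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def network_of(client_ip: str) -> str:
        # Assumption for this example: the /24 of the client IP is the
        # "network location". A real product would use its own notion
        # (egress IP, ASN, ...) that the article does not specify.
        return str(ipaddress.ip_network(f"{client_ip}/24", strict=False))

    def issue(self, user: str, client_ip: str, is_admin: bool) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self.network_of(client_ip), is_admin)
        return token

    def validate(self, token: str, client_ip: str) -> str:
        """Return 'ok', 'reauth_required' or 'invalid' for a presented token."""
        session = self._sessions.get(token)
        if session is None:
            return "invalid"
        if session.is_admin and self.network_of(client_ip) != session.network:
            # Network change detected on an admin session: revoke it so the
            # administrator has to sign in again (the behaviour described above).
            del self._sessions[token]
            return "reauth_required"
        return "ok"
```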
Microsoft will roll out Conditional Access policies requiring MFA from administrators when signing into Microsoft admin portals for Microsoft Entra, 365, Exchange, and Azure. These policies will initially be implemented in a report-only mode for Microsoft Entra tenants, after which administrators will have a 90-day period to review and decide on their activation. If not explicitly disabled within this period, the policies will be automatically enabled.
Way to go Microsoft, I quite like how "forceful" they are being on this.
Speaking of Microsoft and MFA, they also rolled out a change to Authenticator that automatically silences suspicious prompts, such as those from MFA fatigue attacks. When a prompt is marked as suspicious the codes are still generated and viewable in the app, but the user doesn't get spammed with notifications anymore: link.
This will hopefully prevent the use of their CDN to host and distribute malware, which happens a lot right now. It will add expiration timestamps and unique signatures to file links, which will expire after 24 hours.
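The signed, expiring link scheme described above, as an added example (my own code, not the CDN's actual implementation): each link carries an expiry timestamp and an HMAC over the path and that timestamp, so a link cannot be reused after 24 hours, re-pointed at another file, or given a later expiry without the signing key. The secret, hostname and path are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

LINK_TTL = 24 * 60 * 60  # links expire after 24 hours, as in the item above


def _expected_sig(path: str, expires: int, secret: bytes) -> str:
    # Bind the signature to both the file path and the expiry so neither
    # can be changed without the key.
    msg = f"{path}?ex={expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_link(base_url: str, path: str, secret: bytes, now: int, ttl: int = LINK_TTL) -> str:
    """Produce a link that is valid for `ttl` seconds from `now`."""
    expires = int(now) + ttl
    return f"{base_url}{path}?ex={expires}&sig={_expected_sig(path, expires, secret)}"


def verify_link(url: str, secret: bytes, now: int) -> str:
    """Return 'ok', 'expired', 'bad_signature' or 'missing_params'."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["ex"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return "missing_params"
    # Check the signature first so a tampered expiry never passes as merely "expired".
    if not hmac.compare_digest(_expected_sig(parts.path, expires, secret), sig):
        return "bad_signature"
    if now > expires:
        return "expired"
    return "ok"
```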
If you think doing a quick pentest every few quarters isn’t enough, you are correct. GlitchSecure combines continuous vulnerability assessments with real-time pentesting - all verified by highly skilled (and wonderful) humans in a user friendly platform. (Sponsored)
They will move the signing keys into a hardware security module, so that "the keys are not only encrypted at rest and in transit, but also during computational processes as well." Automated key rotation will also be implemented to allow for high-frequency key replacements.
The well-known Russian hacking group Sandworm took down a substation last year, causing a (fortunately brief) outage. It's not the first time that has happened; they've attacked the Ukrainian electricity grid several times before.
(If you want to read more on Sandworm, I highly recommend Andy Greenberg's book).
The students will be put in charge of defending a distributed energy provider (like a collection of rooftop solar and EV batteries that feed back to the grid) against cyberattacks. More than a hundred teams will join the competition. Very cool stuff, I'm jealous :-)
It's a bit more nuanced than that, but it's very interesting research. The "Find My" functionality works because all Apple devices listen for Bluetooth messages of "lost" devices, which are then forwarded anonymously. It's an impressive system, but apparently it is (or was) also possible to send custom data through that network, making it a very nice "mesh network" to exfiltrate data through.
It's not clear to me if this is still possible though. They say that the initial research for sending data was released two years ago and that Apple has fixed that issue, so I'm not sure if this still works? Very interesting nonetheless.
Solid security shouldn't have to come at the expense of a great user experience. That's why Passage by 1Password is building a passwordless auth service that allows you to implement passkey logins in your app or website with just a few lines of code. (Sponsored)
Breaches and leaks
- Sumo Logic discloses security breach, advises API key resets: link.
- Okta breach: 134 customers exposed in October support system hack: link.
- Cloudflare website downed by DDoS attack claimed by Anonymous Sudan: link.
- American Airlines pilot union hit by ransomware attack: link.
- Marina Bay Sands discloses data breach impacting 665,000 customers: link.
- Fake Ledger Live app in Microsoft Store steals $768,000 in crypto: link.
- TransForm says ransomware data breach affects 267,000 patients: link.
- Russian state-owned Sberbank hit by 1 million RPS DDoS attack: link.
- OpenAI confirms DDoS attacks behind ongoing ChatGPT outages: link.
- Industrial and Commercial Bank of China hit by ransomware attack: link.
- Mortgage giant Mr. Cooper hit by cyberattack impacting IT systems: link.
- BlackCat ransomware claims breach of healthcare giant Henry Schein: link.
- Ace Hardware says 1,202 devices were hit during cyberattack: link.
- Nude “before and after” photos stolen from plastic surgeon, posted online, and sent to victims' family and friends: link.
- NY AG issues $450k penalty to US Radiology after unpatched bug led to ransomware attack: link.
- Japan Aviation Electronics says servers accessed during cyberattack: link.
Issues and fixes
- New Microsoft Exchange zero-days allow RCE, data theft attacks: link.
- Veeam warns of critical bugs in Veeam ONE monitoring platform: link.
- QNAP warns about critical vulnerabilities in NAS systems: link.
- SysAid vulnerability is actively being exploited by ransomware affiliate: link.