Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12701
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-03-11 20:19:12 | bleepingcomputer | DATA BREACH | Okta Refutes Claims of Data Leak Posted on Hacker Forum | Okta has denied that its data was leaked following a claim by a cybercriminal on a hacking forum.
The threat actor, using the name 'Ddarknotevil,' alleged that the database containing details of 3,800 Okta customers was from a breach in October 2023.
The data purportedly included user IDs, full names, company names, office addresses, phone numbers, email addresses, and positions/roles.
After being notified, Okta conducted a thorough investigation and found no evidence of a new breach or a link to the October incident.
Okta suggested the data might be aggregated from public sources, noting some dates in the leaked information are over a decade old.
Cyber-intelligence firm KELA concluded that the data does not originate from Okta, but matches a July 2023 data dump from a different company's breach. | Details |
| 2024-03-11 19:21:19 | bleepingcomputer | DATA BREACH | EquiLend Employee Data Compromised in LockBit Ransomware Attack | New York-based EquiLend Holdings LLC suffered a data breach as a result of a ransomware attack in January.
The breach led to the theft of employees' personally identifiable information (PII), including names, birth dates, and Social Security numbers.
Despite the breach, there is currently no evidence of the stolen data being used for identity theft or fraud.
EquiLend has offered two years of complimentary identity theft protection services to affected employees through IDX.
The company managed to restore all client-facing services post-attack and has found no indication of client transaction data being compromised.
LockBit ransomware group claimed responsibility for the attack, although EquiLend has not explicitly confirmed the group's involvement.
EquiLend, backed by ten global banks since its establishment in 2001, has a significant footprint with over 330 employees and its services used by more than 190 firms worldwide. | Details |
| 2024-03-11 19:16:03 | bleepingcomputer | MISCELLANEOUS | Researchers Reveal Risks in Microsoft Configuration Manager Setup | Security experts unveiled a repository called Misconfiguration Manager to address attack techniques stemming from improper configurations of Microsoft's Configuration Manager.
Microsoft Configuration Manager (MCM), previously known as SCCM, is widely used in Active Directory environments to manage servers and workstations.
Misconfigurations can let an attacker escalate to domain administrator or push payloads to every managed host.
A common one is a network access account (NAA) with excessive privileges; NAA credentials are retrievable from any managed client, so an overprivileged NAA hands those privileges to whoever compromises a single workstation, up to and including domain controller access.
One documented case chained an overprivileged NAA from a compromised SharePoint account to full domain control.
Another is enrolling domain controllers as MCM clients: whoever controls the site, or a poorly separated part of the site hierarchy, can then deploy code to the DCs, which amounts to remote code execution on them.
Misconfiguration Manager offers insights and defense strategies for 22 attack techniques, aiming to educate defenders on securing Microsoft MCM correctly.
Administrators are urged to validate the defensive actions suggested by the repository within a non-production environment prior to live deployment due to the complexity and potential impact on security posture. | Details |
| 2024-03-11 18:04:35 | bleepingcomputer | DATA BREACH | EquiLend Employee Data Compromised in Ransomware Attack | New York-based EquiLend Holdings suffered a ransomware attack in January, leading to the theft of employee data.
The financial technology firm initially took systems offline on January 22 to contain a breach and confirmed the incident resulted from ransomware.
Although client services resumed, and there is no evidence of client data exfiltration, employee personally identifiable information (PII) was stolen.
Stolen PII includes names, birth dates, and Social Security numbers of EquiLend employees.
LockBit ransomware group claimed responsibility, but EquiLend has not confirmed the attackers' identity.
Affected employees are being offered two years of free identity theft protection services through IDX.
EquiLend, founded by major banks and broker-dealers, serves over 190 firms globally and facilitates transactions worth over $2.4 trillion monthly. | Details |
| 2024-03-11 17:49:05 | bleepingcomputer | DATA BREACH | Over 15,000 Roku Accounts Compromised, Sold for 50 Cents Each | Roku has confirmed a data breach affecting 15,363 customers, with accounts being used for unauthorized purchases.
Stolen accounts were sold for $0.50 apiece, enabling buyers to use the victims' stored payment information.
The accounts were taken over by credential stuffing: username/password pairs leaked in other breaches were replayed against Roku's login and succeeded wherever users had reused the password.
Once inside an account, attackers could alter passwords, email, and shipping addresses, blocking out the legitimate user.
Roku responded by securing the breached accounts, forcing password resets, and initiating refunds for unauthorized transactions.
Roku has also drawn criticism for newly imposed "Dispute Resolution Terms"; whether their timing is connected to the fraud that followed the credential stuffing is unclear.
Roku does not currently offer two-factor authentication, so a reused password alone is enough to take over an account. | Details |
| 2024-03-11 14:55:33 | bleepingcomputer | CYBERCRIME | Fake Crypto Wallet App on Apple's App Store Steals Digital Assets | A counterfeit Leather cryptocurrency wallet app on Apple's App Store has been reported as a "wallet drainer," stealing users' digital assets.
The authentic Leather wallet platform has warned its community and advised that any user who entered their passphrase into the fake app should immediately transfer their assets to a secure wallet.
Despite Leather's warnings and a report to Apple, the malicious app, published by 'LetalComRu,' remains available for download and sports a suspiciously high user rating.
Victims have already reported losses, indicating that the fake app is actively draining cryptocurrency from those who have installed it.
This incident echoes previous occurrences on the App Store, highlighting that even with Apple's strict security measures, scammers are managing to bypass checks.
Experts recommend accessing any digital wallet app via official links from verified websites, using the real Leather website as an example at leather.io. | Details |
| 2024-03-11 14:49:43 | thehackernews | MALWARE | New CHAVECLOAK Banking Trojan Targets Brazilian Financial Sector | A new banking trojan named CHAVECLOAK is targeting Brazilian users, disseminated through phishing emails with PDF attachments.
The emails utilize contract-themed DocuSign lures, prompting users to click a button which downloads malware from a remote link.
CHAVECLOAK is loaded by DLL side-loading, abusing the legitimate screenshot tool Lightshot.exe as the host executable, and aims specifically at customers of Brazilian financial institutions.
The trojan can block screens, log keystrokes, and use deceptive pop-ups to steal credentials, with a focus on banks and cryptocurrency platforms like Mercado Bitcoin.
A Delphi variant of the malware has been identified, continuing the trend of Delphi-based malware in Latin America.
This threat emphasizes the evolving cyberthreat landscape in the financial sector and parallels other phishing campaigns, like the mobile banking fraud campaign deploying Copybara malware in Europe.
Advanced evasion techniques, geofencing, and real-time remote interaction with infected devices demonstrate the growing sophistication of on-device fraud (ODF) schemes. | Details |
| 2024-03-11 14:49:43 | thehackernews | MISCELLANEOUS | Revolutionizing Privileged Access Management for Cloud Migration | One Identity PAM Essentials is a cloud-based Privileged Access Management solution designed to enhance security and manageability while ensuring compliance in cloud environments.
The solution focuses on a user-centric and security-first design, simplifying privileged sessions and access controls, thus reducing the risk of unauthorized access and potential data breaches.
PAM Essentials streamlines traditional PAM approaches by eliminating complexities and the need for additional infrastructure, leading to reduced operational costs and improved visibility into privileged activities.
Its compliance features help organizations adhere to regulations, meet industry-specific standards, and satisfy cyber insurance requirements, all while being cost-effective.
With cloud-native architecture, PAM Essentials supports scalability, flexibility, and remote access, ensuring seamless integration with existing cloud services for adaptive identity management.
Native integration with OneLogin's access management solutions amplifies the capabilities of PAM Essentials, providing a holistic and seamless privileged access management experience.
PAM Essentials is positioning itself to redefine the PAM market by offering a comprehensive cloud-native tool that addresses modern cybersecurity challenges and the evolving digital landscape. | Details |
| 2024-03-11 13:33:01 | theregister | CYBERCRIME | British Library's Recovery Hindered by Legacy IT After Ransomware Attack | The British Library is struggling to recover from a ransomware attack by Rhysida that damaged servers and stole 600GB of data, attributing issues to legacy IT systems.
Ageing technology cannot be restored on new infrastructure and lacks vendor support, with a report underscoring the complex network that allowed extensive Rhysida infiltration.
Legacy systems relied on insecure, manual data processes, increasing the volume of vulnerable staff and customer data on the network.
The library says its statutory obligations, chiefly mandatory archiving services, absorbed funds that would otherwise have gone to IT modernisation, which it cites as a contributing factor to the outdated IT estate.
Disruption from the ransomware attack continues to affect library services including online access, on-site WiFi, and access to physical collections; electronic resources and some research services remain offline.
The British Library plans to shift toward cloud-based technologies within the next 18 months, having identified them as easier to manage despite new security risks.
There is now a rush to strengthen cybersecurity capacity, but challenges include team size, adequate funding, and competitive remuneration for IT talent.
Financial reallocation will expedite the IT overhaul with interim solutions being implemented, and a major upgrade phase set for the next 18 months; this adjustment comes after a budget originally spread over seven years. | Details |
| 2024-03-11 11:40:54 | thehackernews | MISCELLANEOUS | Refocusing Data Leakage Prevention for Cloud Environments | Traditional Data Leakage Prevention (DLP) solutions, accustomed to on-premises IT infrastructure, now require adaptation to better secure data within cloud-based environments.
The effectiveness of on-premise DLPs diminishes as corporate data increasingly resides online, necessitating a shift in data protection strategies.
A new guide by LayerX, "On-Prem is Dead. Have You Adjusted Your Web DLP Plan?", outlines this transition and offers solutions for evolving DLP approaches.
The guide suggests three possible data protection paths: maintaining the status quo with traditional DLPs, adopting Cloud Access Security Broker (CASB) DLP for SaaS app monitoring, or implementing Browser DLP for comprehensive monitoring and policy enforcement.
Browser DLP is recommended as the most effective solution, using enterprise browser extensions to monitor user activity and website execution directly.
Examples of browser DLP policies, tailored to safeguard data in cloud environments, showcase practical measures that can be taken to prevent unauthorized data exposure and cyber threats.
IT and security professionals are encouraged to read the guide to better understand and implement updated DLP solutions suitable for the current cloud-centric landscape. | Details |
| 2024-03-11 11:20:17 | theregister | MISCELLANEOUS | ICO Seeks Feedback on 'Consent or Pay' Business Models | The UK Information Commissioner's Office (ICO) is conducting a consultation on "consent or pay" models, which offer users a choice between paying for services or consenting to their data being used for advertising.
The ICO has not specifically named any companies, but Meta's approach in the EU, which involves a choice between paying for ad-free services or allowing data processing for ads, is a well-known example.
Privacy advocates have criticized these models, and there have been several lawsuits based on EU data protection laws, questioning their legality and the nature of consent.
The ICO emphasizes the importance of clear consent and the ease of withdrawing consent, in line with UK GDPR rules, which remain closely aligned with EU GDPR post-Brexit.
There are four key considerations highlighted by the ICO, including how fees should be calculated, the equivalence of ad-funded and paid services, the balance of power between service providers and users, and the user's understanding of data usage.
"Consent or pay" models are not prohibited by data protection law, but the ICO is carefully assessing the complexity of consent within these models to ensure they comply with legal standards.
Stakeholders can submit their opinions to the ICO until April 17, 2024, as part of this open consultation process. | Details |
| 2024-03-11 09:58:41 | thehackernews | MALWARE | BianLian Ransomware Exploits JetBrains Software Flaws | The BianLian ransomware group is exploiting vulnerabilities in JetBrains TeamCity to carry out extortion attacks.
Analysis of a recent intrusion found a TeamCity server exploited for initial access, followed by deployment of a Go backdoor.
After a decryptor for BianLian was made available in January 2023, the group shifted focus to exclusively conduct exfiltration-based extortion.
Attackers gain initial access by exploiting CVEs in TeamCity, subsequently creating new users and executing commands for lateral movement.
BianLian's custom Go backdoor, tracked by Microsoft as BianDoor, failed to run, so the attackers fell back to a functionally equivalent PowerShell backdoor.
That PowerShell backdoor, a publicly available script hosted on GitHub, opens a TCP socket through which the operators issue commands on the compromised host.
Separately, critical vulnerabilities in Atlassian Confluence (CVE-2023-22527) have led to the deployment of C3RB3R ransomware, cryptocurrency miners, and RATs.
The vulnerability exploitation indicates a trend of active exploitation by threat actors in the wild, highlighting the importance of vigilance and rapid response. | Details |
| 2024-03-11 06:29:53 | thehackernews | CYBERCRIME | Critical Flaw in OpenEdge Software Threatens Security | A critical vulnerability in Progress Software's OpenEdge Authentication Gateway and AdminServer allows the authentication mechanism to be bypassed.
Identified as CVE-2024-1403, the flaw has received the maximum severity score of 10.0 according to the CVSS rating system.
The security issue affects various versions of OpenEdge and stems from improper handling of unexpected username and password types.
Updates to OpenEdge that rectify the issue have been released: versions 11.7.19, 12.2.14, and 12.8.1.
Security firm Horizon3.ai has published a proof-of-concept exploit after reverse-engineering the affected AdminServer service.
The PoC indicates that specially crafted usernames can trigger an incorrect authentication success, potentially leading to unauthorized system access.
Further potential threats include the ability to deploy new applications remotely via WAR files, though this attack vector presents increased complexity. | Details |
| 2024-03-11 06:04:22 | thehackernews | CYBERCRIME | Magnet Goblin Exploits 1-Day Vulnerabilities with Nerbian RAT | Magnet Goblin, a financially motivated threat actor, exploits one-day vulnerabilities (flaws that already have a vendor patch but are attacked before organisations apply it) in edge devices and public-facing services.
The group has been active since at least January 2022, quickly leveraging new vulnerabilities to infiltrate systems and deploy malware.
Compromised devices include Ivanti Connect Secure VPN, Magento, Qlik Sense, and potentially Apache ActiveMQ servers.
Upon successful exploitation, Magnet Goblin deploys a cross-platform RAT named Nerbian RAT, and its variant MiniNerbian for command execution and data exfiltration.
Nerbian RAT and MiniNerbian have largely avoided detection by operating on edge devices, which are often less protected.
The group also utilizes other tools such as WARPWIRE JavaScript credential stealer, Ligolo tunneling software, and legitimate remote desktop software like AnyDesk and ScreenConnect.
This trend underlines the importance of securing all potential entry points, including those previously considered low-risk. | Details |
| 2024-03-11 04:32:50 | theregister | CYBERCRIME | Microsoft's Delayed Response to Rootkit Exploit Patch | Microsoft took six months to patch a Windows vulnerability actively exploited by North Korea's Lazarus Group.
The vulnerability, in the IOCTL dispatcher of appid.sys (the AppLocker driver), allowed admin-to-kernel privilege escalation.
Avast cybersecurity researchers notified Microsoft of the exploit in August but the fix wasn't issued until February's Patch Tuesday.
Microsoft has been criticized for not prioritizing the vulnerability and for failing to disclose its active exploitation when the patch was released.
Critical vulnerabilities were also reported in Apple's iOS, with updates released for several including some under active exploitation.
The NSA and CISA released cloud security mitigation tips, highlighting the importance of proper cloud computing security practices.
A new initiative by the White House and open-source organizations aims to offer Infosec training and certifications to 250 Jordanian women, enhancing cybersecurity workforce diversity. | Details |
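The Roku item above describes credential stuffing: username/password pairs from earlier breaches replayed at scale against a login, with no second factor to stop a reused password. Below is an added example, written for this brief and not Roku's code nor taken from any of the linked articles, of the detection heuristic a defender would run over login events: a source IP that tries many distinct usernames within a short window with a high failure ratio is behaving like a stuffing tool, and any successful login from such an IP marks an account for a forced password reset, which is the remediation Roku applied. The log line format, IP addresses, usernames, window and thresholds are all constructed for the example.

```python
"""Credential-stuffing detector over login events.

Added example for the Roku item in this brief; not Roku's code and not
from any linked article. The log format, IPs, usernames and thresholds
below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.5 is a stuffing source (10 different accounts within seconds, mostly
# failures, two hits); 198.51.100.7 is a real user mistyping a password;
# 192.0.2.9 is low-and-slow (5 accounts, 10 minutes apart) and stays under a
# 5-minute window, which is the blind spot of a per-IP rate heuristic.
SAMPLE_LOG = """\
2024-03-11T10:00:00Z 203.0.113.5 bob@example.com FAIL
2024-03-11T10:00:01Z 203.0.113.5 carol@example.com FAIL
2024-03-11T10:00:02Z 203.0.113.5 dave@example.com OK
2024-03-11T10:00:03Z 203.0.113.5 erin@example.com FAIL
2024-03-11T10:00:04Z 203.0.113.5 frank@example.com FAIL
2024-03-11T10:00:05Z 203.0.113.5 grace@example.com FAIL
2024-03-11T10:00:06Z 203.0.113.5 heidi@example.com FAIL
2024-03-11T10:00:07Z 203.0.113.5 ivan@example.com OK
2024-03-11T10:00:08Z 203.0.113.5 judy@example.com FAIL
2024-03-11T10:00:09Z 203.0.113.5 mallory@example.com FAIL
2024-03-11T10:01:00Z 198.51.100.7 alice@example.com FAIL
2024-03-11T10:01:20Z 198.51.100.7 alice@example.com FAIL
2024-03-11T10:01:40Z 198.51.100.7 alice@example.com OK
2024-03-11T10:10:00Z 192.0.2.9 peggy@example.com FAIL
2024-03-11T10:20:00Z 192.0.2.9 quinn@example.com FAIL
2024-03-11T10:30:00Z 192.0.2.9 rupert@example.com FAIL
2024-03-11T10:40:00Z 192.0.2.9 sybil@example.com FAIL
2024-03-11T10:50:00Z 192.0.2.9 trent@example.com FAIL
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the constructed line format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs whose login attempts look like credential stuffing.

    For each IP, slide a time window over its events. A window holding at least
    `min_users` distinct usernames with a failure ratio of at least
    `min_fail_ratio` is stuffing behaviour. Returns
    {ip: {"users": distinct usernames in the widest flagged window,
          "fail_ratio": that window's failure ratio,
          "hijacked": sorted usernames that logged in OK inside a flagged window}}.
    The "hijacked" accounts are the ones to force-reset.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start, best_users, best_ratio, hijacked = 0, 0, 0.0, set()
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            ratio = sum(not e.ok for e in win) / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                hijacked |= {e.user for e in win if e.ok}
                if len(users) >= best_users:
                    best_users, best_ratio = len(users), ratio
        if best_users:
            flagged[ip] = {"users": best_users, "fail_ratio": round(best_ratio, 2),
                           "hijacked": sorted(hijacked)}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['users']} accounts tried, fail ratio {info['fail_ratio']}, "
              f"force reset: {', '.join(info['hijacked']) or 'none'}")
```

Two caveats a practitioner would keep in mind: thresholds must be tuned against real baseline traffic (shared NAT egress can look like several users from one IP), and a stuffing campaign spread across a proxy pool with a few attempts per address defeats any per-IP heuristic, as the low-and-slow source in the sample shows. Per-IP detection therefore complements, rather than replaces, checking submitted passwords against known-breached sets and offering a second factor.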