Daily Brief
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-11-02 16:14:22 | bleepingcomputer | MISCELLANEOUS | Cloudflare Experiences Service Outage Due to Data Center Power Outages | Cloudflare, a web infrastructure and website security provider, has experienced an extensive outage affecting many of its products, including the company's dashboard and various APIs. Affected services include the Cloudflare dashboard, the Cloudflare API, Logpush, WARP / Zero Trust device posture, the Stream API, the Workers API, and the Alert Notification System. Customers may encounter 'Code: 10000' authentication errors and internal server errors when trying to access the Cloudflare dashboard. The company clarified that the service issues do not affect cached file delivery via the Cloudflare CDN or Cloudflare Edge security features. The source of the downtime was identified as multiple power outages at the company's data centers. This is the second significant service interruption experienced by Cloudflare within a week; the first also affected multiple products and was attributed to a misconfiguration in the tool used to deploy a new Workers KV build. |
| 2023-11-02 15:43:15 | theregister | DATA BREACH | Okta Notifies Employees of Personal Data Breach via Third-Party Vendor | Almost 5,000 Okta employees have been notified of a data breach that occurred via a third-party vendor, Rightway Healthcare. The stolen data includes staff names, social security numbers, and health or medical insurance plan numbers. Unauthorized access to Rightway's IT systems occurred on September 23, and Okta was notified on October 12. Okta has launched an investigation to determine the extent of the impact on current and former employees and, while there is no evidence of misuse of personal data, is offering two years of free credit monitoring and fraud detection services from Experian's IdentityWorks as a precaution. The incident, which affects Okta employees, follows recent security issues affecting Okta's customers. In August, multiple US customers, including MGM Resorts and Caesars Entertainment, reported phishing attempts aimed at compromising user accounts with administrative permissions. More recently, in October, a data breach gave criminals access to sensitive customer files used to resolve support tickets within Okta's support case management system. 1Password confirmed it was among the customers affected but assured its customers that their login details remained safe. |
| 2023-11-02 15:17:24 | bleepingcomputer | CYBERCRIME | Boeing Investigates Cyberattack by LockBit Ransomware Gang | Aerospace giant Boeing is investigating a cyberattack on its parts and distribution business; the LockBit ransomware group claims responsibility. Boeing confirmed that the incident did not affect flight safety and is working with law enforcement agencies in their ongoing investigation. Boeing has yet to confirm LockBit's claims of data theft from its network; the group threatened to leak the data if Boeing does not contact them. The data-theft claim has since been removed from the LockBit dark web site, indicating possible ongoing negotiations or payment of a ransom to the group. LockBit is a ransomware-as-a-service operation noted for attacks on organizations such as the automotive giant Continental, the UK Royal Mail, the Italian Internal Revenue Service, and the City of Oakland. Boeing, one of the world's largest aerospace and defense companies, operates in more than 150 countries. |
| 2023-11-02 15:11:42 | bleepingcomputer | DATA BREACH | Third-party Vendor Data Breach Exposes Personal Information of Nearly 5,000 Okta Employees | Okta, a cloud identity and access management solutions provider, has warned 4,961 of its current and former employees that their personal data was compromised in a third-party vendor data breach. Rightway Healthcare, an Okta vendor providing employee healthcare coverage, suffered a network breach that allowed cybercriminals to access an eligibility census file containing information on employees and their dependents. Okta learned about the breach when Rightway disclosed it on October 12, 2023, and promptly launched an investigation into the extent of the compromise. The leaked data includes employees' full names, which could help cybercriminals deduce corporate email addresses and launch targeted brute-forcing attacks in an attempt to hijack valuable accounts. Okta reassures that there is no evidence yet of misuse of the exposed personal information and has provided steps for enrolling in two-year credit monitoring, identity theft protection, and fraud protection services via Experian. The compromised employee data dates from April 2019 through 2020 and is unrelated to Okta services, which remain secure; no customer data has been affected by this incident. Okta has faced multiple breaches in the past two years due to social engineering attacks and credential theft, notably affecting customers such as BeyondTrust, Cloudflare, and the 1Password password manager. |
| 2023-11-02 15:05:54 | bleepingcomputer | DATA BREACH | Okta Warns Employees Following Data Breach at Third-Party Vendor Rightway Healthcare | Okta, a cloud identity and access management solutions provider, has warned almost 5,000 employees about a data breach at its third-party vendor, Rightway Healthcare. Rightway suffered a network breach on September 23, 2023, compromising an eligibility census file containing personal information on Okta employees and their dependents. Okta learned of the breach on October 12 and launched an investigation. Exposed data includes health information and full names; the latter could be used by cybercriminals to derive corporate email addresses for account hijacking. Okta is providing instructions on enrolling in two-year credit monitoring, identity theft protection, and fraud protection services through Experian. The company stated that the exposed employee data dates from April 2019 through 2020, is unrelated to the use of its services, and did not affect any customer data. In the past two years, Okta has experienced several breaches due to social engineering attacks or credential theft, most recently in October 2023, when customer session tokens were accessed, and previously in December 2022, when attackers accessed confidential information in private GitHub repositories. |
| 2023-11-02 15:00:06 | bleepingcomputer | NATION STATE ACTIVITY | Microsoft Launches 'Secure Future Initiative' To Enhance Cybersecurity Protection Amid Escalating Threats | Microsoft has unveiled the 'Secure Future Initiative' to enhance the built-in security of its products and platforms against escalating cyber threats. Citing the significant rise in the complexity of cyber attacks, the company acknowledged the need for a new response, particularly following the detection of 123 advanced ransomware-as-a-service affiliates by Microsoft's Digital Crimes Unit. The company reported a more than 200% surge in ransomware attempts since September 2022 and a tenfold increase in password-related attacks compared with the corresponding period in 2022. The initiative will rest on three strategic pillars: AI-based cyber defences, advanced software engineering, and advocating the application of international norms to protect civilians from cyber threats. In particular, Microsoft aims to use AI to transform software development, prioritize secure defaults for optimal user protection, implement a unified identity system to bolster security across products, and improve vulnerability response and the release of cloud security updates. Executive VP for Microsoft Security Charlie Bell promised transparency in communicating key milestones of the initiative and called for shared responsibility between tech companies and governments in addressing cybersecurity, especially regarding nation-state activity. |
| 2023-11-02 14:34:03 | thehackernews | CYBERCRIME | Kill Switch Disrupts Mozi IoT Botnet, Significantly Decreasing Malicious Activity | The Mozi Internet of Things (IoT) botnet experienced a sudden drop in malicious activity in August 2023 due to a kill switch distributed to its bots. The decrease was first observed in India on August 8, followed by China a week later, where a control payload resembling a kill switch was activated. While the kill switch left the bots largely nonfunctional, they maintained persistence, indicating a purposeful and planned neutralisation. The drop in Mozi botnet activity from circa 13,300 hosts to about 3,500 over a few days is believed to have resulted from an unknown actor sending the bots a command to download and install an update that neutralises the malware. There is speculation that the takedown could have been initiated by the botnet's original creator or by Chinese authorities, perhaps in conjunction with the original actor(s). A second version of the control payload also emerged with minor modifications, such as pinging a remote server, likely for tracking purposes. The kill switch shows a strong similarity to the botnet's original source code and was signed with the correct private key. |
| 2023-11-02 14:13:08 | bleepingcomputer | DATA BREACH | Nearly 5,000 Okta Employees Impacted by Recent Data Breach | San Francisco-based Okta has revealed that almost 5,000 of its employees have had their personal data exposed in a recent data breach. The breach affected Rightway Healthcare, a provider that offers healthcare coverage to Okta's employees and their families. The cybercriminals accessed a file maintained for the insurance provision and benefit plans of eligible individuals; it included details on current and former Okta employees and their dependants. Okta began investigating the extent of the compromise after Rightway disclosed the breach on October 12, 2023. Despite the exposure, Okta stated that there has been no evidence of misuse of the leaked personal information. Affected individuals are being offered two-year credit monitoring, identity theft protection, and fraud protection services through Experian as a precaution. This incident is the latest in a series of breaches experienced by Okta in recent years, but unlike past incidents, it did not affect any Okta customers. The leak of employees' full names could nonetheless help cybercriminals derive corporate email addresses for further targeted attacks. |
| 2023-11-02 14:02:11 | bleepingcomputer | CYBERCRIME | Repercussions of Testimonial Password Reuse and Measures for Mitigation | A TechRepublic survey revealed that 53% of users reuse passwords, making their accounts more vulnerable to cyber attacks; Verizon estimates that 86% of digital attacks begin with compromised credentials. Ways end users might give up their credentials to an attacker include responding to a phishing email, logging in over an unsecured network, using a device infected with malware, or choosing an easy password. When a hacker breaches an online platform and steals user credentials, they can use them to try to gain access to other accounts belonging to those users; other cybercriminals will pay a substantial amount for such information because people are likely to reuse passwords. A recent study by Microsoft found 44 million users reusing passwords over a three-month period, while a LastPass survey suggests 62% of knowledge workers reuse passwords; the average person, however, tends to believe erroneously that they will not fall victim to hacking. Four recommended methods to mitigate the risk of compromised credentials are implementing multi-factor authentication, ongoing cybersecurity training, reducing the use of passwords, particularly for privileged accounts, and routinely checking for compromised passwords. Tools such as Specops Password Policy with Breached Password Protection can provide continuous monitoring against the use of compromised passwords, protecting businesses from the prevalent risk of password reuse. |
| 2023-11-02 09:26:25 | thehackernews | NATION STATE ACTIVITY | Iranian ‘MuddyWater’ Group Targets Israeli Entities in New Spear-Phishing Cyber Campaign | The Iranian nation-state actor MuddyWater is carrying out a spear-phishing campaign against two Israeli entities to deploy Advanced Monitoring Agent, a legitimate remote administration tool from N-able. The campaign was disclosed by cybersecurity firm Deep Instinct, which confirmed previous reports of similar MuddyWater activity, although this is the first instance of the group using N-able's remote monitoring software. Cybersecurity company Group-IB separately confirmed the findings, affirming that MuddyWater is a cyber espionage group and a subsidiary element within Iran's Ministry of Intelligence and Security (MOIS), alongside other MOIS-affiliated groups such as OilRig, Lyceum, Agrius, and Scarred Manticore. MuddyWater's established modus operandi has shown continued success through spear-phishing, using direct links and various file attachments to drop one of several remote administration tools. A new development is the use of Storyblok, a file-sharing service, to initiate a multi-stage infection chain that leaves the victim's machine remotely administered and reconnoitered. Another novel capability is the use of MuddyC2Go, a new command-and-control (C2) framework, indicating a significant improvement in Iran's malicious cyber capabilities. |
| 2023-11-02 09:26:25 | thehackernews | CYBERCRIME | Wing Security Offers Self-Onboarding "Essential SSPM," a Freemium Model for SaaS Security | Wing Security has launched a new self-onboarding product, "Essential SSPM" (SaaS Security Posture Management), which combines application discovery, risk assessment, and user access control to improve SaaS security. The system allows organizations to discover unknown applications within their work environment, mitigating the shadow IT risks associated with SaaS. The platform evaluates and scores the security risks of connected SaaS applications against a large database, offering near-real-time risk assessments to paid users. The product also manages user access controls in line with the principle of least privilege, enabling organizations to control data access and reduce their potential attack surface. Wing Security's solution differentiates itself with a "try first, pay later" approach, allowing users to self-onboard without interacting with a human representative. Data security features, automated remediation paths, and greater control over user privileges require upgrading to Wing's full solution. The freemium model is unusual for security products and gives client organizations a practical way to assess their SaaS security needs. |
| 2023-11-02 09:00:29 | thehackernews | CYBERCRIME | Researchers Discover 34 Vulnerable Windows Drivers Prone to Total Device Control | Researchers have discovered 34 vulnerable Windows drivers that could be exploited by non-privileged actors to gain complete control over devices and execute arbitrary code on the systems. These vulnerable drivers give attackers opportunities to modify or erase firmware and elevate operating system privileges. The research focuses in particular on drivers that allow firmware access via port I/O and memory-mapped I/O. Six of the drivers allow kernel memory access, which attackers can leverage to elevate privileges and circumvent security measures. Twelve drivers could be exploited to undermine security mechanisms such as kernel address space layout randomization (KASLR), and seven could be used to wipe firmware in SPI flash memory. Certain WDF drivers identified can be easily weaponized by privileged threat actors in a Bring Your Own Vulnerable Driver (BYOVD) attack, a technique previously used by adversaries such as the Lazarus Group. The researchers suggest extending their code to cover other attack vectors, including the termination of arbitrary processes. |
| 2023-11-02 05:21:51 | thehackernews | MISCELLANEOUS | FIRST Announces Launch of Next Generation Vulnerability Scoring System, CVSS v4.0 | The Forum of Incident Response and Security Teams (FIRST) has launched the Common Vulnerability Scoring System (CVSS) v4.0, eight years after CVSS v3.0. CVSS v4.0 aims to provide accurate vulnerability assessment for industry and the public, capturing the key technical characteristics of a security vulnerability and giving it a numerical score denoting its severity. The score can be translated into qualitative levels such as low, medium, high, and critical, helping organisations prioritise their vulnerability management processes. FIRST emphasises that CVSS v4.0 is not merely a measure of vulnerability severity and should not be the sole system used to assess risk. Criticisms of the previous version, CVSS v3.1, included a lack of granularity in the scoring system and insufficient representation of health, human safety, and industrial control systems. CVSS v4.0 addresses these issues with supplemental metrics for vulnerability assessment, including Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, and Provider Urgency. FIRST also introduces a new nomenclature for enumerating CVSS scores across a variety of severity ratings. |
| 2023-11-02 04:30:45 | thehackernews | CYBERCRIME | HelloKitty Ransomware Group Exploits Critical Apache ActiveMQ Vulnerability | The HelloKitty ransomware group has been spotted exploiting a critical vulnerability in the Apache ActiveMQ open-source message broker, according to cybersecurity firm Rapid7. The exploited flaw, CVE-2023-46604, is a remote code execution vulnerability that allows threat actors to run arbitrary shell commands; it carries the maximum CVSS score of 10.0. As of November 1, 2023, the Shadowserver Foundation found 3,326 internet-accessible ActiveMQ instances susceptible to CVE-2023-46604, the majority located in China, the U.S., Germany, South Korea, and India. Successful exploitation allows adversaries to load remote binaries that function as ransomware, searching for and terminating a specific set of processes before starting encryption; encrypted files are given the ".locked" extension. Updated ActiveMQ versions addressing the vulnerability were released last month, and users are urged to apply them. Rapid7 emphasizes the importance of scanning networks for indicators of compromise given the active exploitation of the flaw. |
| 2023-11-02 03:34:25 | theregister | CYBERCRIME | Boeing Responds to Cyberattack on Parts and Distribution Business | Boeing, the aerospace and defence contractor, has reported a cyber incident affecting its parts and distribution business, which it is investigating alongside authorities. The attack follows claims by the ransomware group LockBit that it had exfiltrated sensitive data from Boeing; however, the source of the cyber incident remains unconfirmed. Boeing's parts and distribution website was temporarily unavailable due to the attack, which may disrupt the lucrative aftermarket sale of spare parts. Screenshots showed that LockBit had added Boeing to its victim list, with the group's administrators stating they had used a 0-day exploit to gain access to the company's systems. The LockBit ransom note gave Boeing a six-day window to begin negotiations; by Monday, Boeing had been removed from the group's website, implying that discussions may have begun. Boeing has not released a formal statement on the matter. The US Cybersecurity and Infrastructure Security Agency (CISA) lists LockBit as 2022's most prolific ransomware operator; the group is known for high-profile attacks and is believed to have generated over $90 million from ransomware activities between 2020 and mid-2023. |