[Some Interesting] Cloud ‘n Sec news: 25th Mar 22
What’s worth your reading time
It’s been a very busy week in security, so let’s skip cloud topics on this one.
Security
Threats
Botnet targeting ASUS routers
The botnet, named Cyclops Blink, is believed to be a replacement framework for VPNFilter, which was brought to attention a few years back.
Researchers believe that Sandworm, a nation-state threat actor, is behind this.
The report states, and I quote:
Intelligence agencies from the U.K. and the U.S. have characterized Cyclops Blink as a replacement framework for VPNFilter, another malware that has exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices.
Okta breached in January
This whole discussion took over the week on Twitter, both for its potential magnitude and for its mishandling by the involved parties.
Early in the reports, they denied having been breached, which turned out to be true once they explained what happened; the problem was that it took them too long to notify customers and disclose the issue…
As of yesterday, they have released the timeline of the situation. I quote:
On March 22, 2022, nearly 24 hours ago, a number of screenshots were published online that were taken from a computer used by one of Okta’s third-party customer support engineers. The sharing of these screenshots is embarrassing for myself and the whole Okta team.
By way of background, like many SaaS providers, Okta uses several companies (“sub-processors”) to expand our workforce. These entities help us to deliver for our customers and make them successful with our products. Sitel, through its acquisition of Sykes, is an Okta sub-processor that provides Okta with contract workers for our Customer Support organization.
On January 20, 2022, the Okta Security team was alerted that a new factor was added to a Sitel customer support engineer’s Okta account. This factor was a password. Although that individual attempt was unsuccessful, out of an abundance of caution, we reset the account and notified Sitel who engaged a leading forensic firm to perform an investigation.
End of quote.
Some large Okta customers took their discontent to social media to complain about the handling and the lack of transparency on whether they had been affected or not.
Microsoft research on LAPSUS$ and their disclosure of ongoing attack
On a similar note, but with entirely different handling, Microsoft suffered an attack by LAPSUS$ too, but provided immediate information to the public.
The Microsoft Threat Intelligence Center, the Detection and Response Team and the Microsoft 365 Defender Threat Intelligence Team released thorough research and a statement on the recent activity of a threat actor that has been making noise in the infosec scene.
The industry calls them LAPSUS$, whilst Microsoft Intelligence has been tracking them under the name “Dev-0537”.
The most fascinating part of it, IMO, for other Threat Intelligence teams is the analysis of how they operate, which helps establish their TTPs — how much do you know about what’s inside your network?
This includes infiltrating the disaster response teams of the organizations they’re attacking…
Among their attack approaches you’ll see how they “recruit” people from within organizations to give them access — how much do you trust your employees?
There are also a number of recommendations from the team, be sure to give it a read.
The document also mentions how the group is targeting Microsoft and some developments on that subject.