Ooreofeoluwa Koyejo says
Cisco Discloses new IOS XE Zero-day Vulnerability Exploited to Deploy Malware Implant
https://www.bleepingcomputer.com/news/security/cisco-discloses-new-ios-xe-zero-day-exploited-to-deploy-malware-implant/
Cisco IOS XE is an open and flexible operating system for enterprises which enables model-driven programmability, application hosting, and configuration management, automating day-to-day tasks on network devices like enterprise routers, switches, access points, etc.
A high-severity vulnerability has been discovered that deploys malicious implants on IOS XE devices which are already compromised by another vulnerability (authentication bypass). Cisco revealed that this vulnerability works by privilege escalation, which is used to gain root access and take complete control of Cisco IOS XE devices and deploy malicious implants that enable unauthorized attackers to execute arbitrary commands on the system.
Due to the wide use of Cisco networking devices, Shodan reports that over 146 thousand vulnerable systems are exposed to attacks while Orange Cyberdefense reported that malicious implants were found on about 34,500 IOS XE devices.
Cisco has advised that while the company is working on releasing patches to address the vulnerabilities, security administrators should block incoming attacks by disabling the vulnerable HTTP server feature on all internet-facing systems and look out for suspicious or recently created user accounts as potential indicators of malicious activity associated with these ongoing attacks.
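A check an administrator could script for the advice above: audit a saved `show running-config` for the web UI being enabled and for local accounts that were never provisioned. This is an added example, not Cisco's tooling; the config text, the hostname and the approved-user list are constructed for it.

```python
"""Added example (not Cisco's tooling): audit a saved IOS XE running-config
for the two items the comment above says Cisco asked administrators to
check, the HTTP/HTTPS server being enabled and local accounts nobody
provisioned. The config text and the approved-user list are constructed."""
import re

# Constructed sample of `show running-config` output from an internet-facing
# router that still has the web UI on and an account the team did not create.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
username netops privilege 15 secret 9 $9$Qm4sRt7u
username svc_backup privilege 15 secret 9 $9$Zx9pLk2w
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 description INTERNET uplink
 ip address 203.0.113.10 255.255.255.0
!
end
"""

# Accounts the organisation actually provisioned (assumed inventory).
APPROVED_USERS = {"netops"}

# What to push if the web UI is not needed on an exposed device (real IOS XE
# commands; `no ip http server` is what the config shows once disabled).
MITIGATION_LINES = ["no ip http server", "no ip http secure-server"]


def parse_local_users(config):
    """Return {username: privilege} for every `username` line (default priv 1)."""
    users = {}
    for m in re.finditer(r"^username (\S+)(?: privilege (\d+))?", config, re.M):
        users[m.group(1)] = int(m.group(2) or 1)
    return users


def http_server_state(config):
    """(http_enabled, https_enabled); the `^` anchor keeps `no ip http server`
    from matching."""
    http = re.search(r"^ip http server\s*$", config, re.M) is not None
    https = re.search(r"^ip http secure-server\s*$", config, re.M) is not None
    return http, https


def audit(config, approved_users=APPROVED_USERS):
    """Findings as plain strings so two runs can be diffed."""
    findings = []
    http, https = http_server_state(config)
    if http:
        findings.append("web UI reachable over HTTP (ip http server)")
    if https:
        findings.append("web UI reachable over HTTPS (ip http secure-server)")
    for user, priv in sorted(parse_local_users(config).items()):
        if user not in approved_users:
            findings.append(f"unapproved local account {user!r} (privilege {priv})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    if any(http_server_state(SAMPLE_CONFIG)):
        print("apply:", " ; ".join(MITIGATION_LINES))
```

Run it against configs pulled from every internet-facing device and keep the output from run to run: a new line in the account list is exactly the "recently created user account" signal the advisory points at, and a device where the HTTP server lines reappear after being removed deserves a closer look.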
Yannick Rugamba says
This situation is really eye-opening for all of us, not just those who work with Cisco products. It serves as a reminder that no system is invulnerable to attacks. It's crucial to actively monitor for any potential issues. What's particularly concerning is how quickly the number of compromised devices has been rising. This highlights the importance of not only relying on patches but also implementing intrusion detection measures. Additionally, the suggestion to disable the HTTP server feature until a patch becomes available is a solution, although it's something that can easily be overlooked in our busy daily routines. Sometimes it's these precautions that have the impact. Let's make sure we remain vigilant and attentive to this matter.
Jon Stillwagon says
https://thehackernews.com/2023/10/malvertisers-using-google-ads-to-target.html
This article is about how malvertisers are using Google Ads to target users searching for popular software. The attack singles out people who are searching for Notepad++, PDF converters, and the KeePass password manager and shows them fake ads on the Google search results page. When you click on those ads, it filters out bots and other unintended IP addresses by showing a decoy website. If the person committing the malicious act thinks he has found a potential target, it sends them to a replica of the website that advertises the software. On the decoy site, users are tricked into downloading a malicious installer, which runs FakeBat, a loader engineered to download other malicious code. The threat of this malicious code installer is only in the browser, which is initiated from a legitimate and expected email, social media site, search engine query, or by simply navigating to the compromised site itself.
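A defender-side detection for the chain described above, as an added example that is not part of the article or the comment: over web-proxy logs, flag installer downloads that arrive via an ad-click referrer from a domain imitating a well-known software site. The log line layout, the list of official domains and the ad-referrer patterns are assumptions, and the log lines are constructed.

```python
"""Added example: flag ad-driven installer downloads from look-alike domains,
the end of the malvertising chain described above. The proxy log format,
the official-domain allowlist and the ad-referrer patterns are assumptions;
the log lines are constructed for this example."""
import re
from urllib.parse import urlparse

# Brand token -> official registrable domain (assumed allowlist).
OFFICIAL = {
    "notepad-plus-plus": "notepad-plus-plus.org",
    "keepass": "keepass.info",
}
# Referrer fragments that indicate the click came from a search ad (assumed).
AD_REFERRERS = ("googleadservices.com", "google.com/aclk", "doubleclick.net")
INSTALLER_EXT = (".exe", ".msi", ".msix", ".zip")

# Constructed proxy log: client, referrer, requested URL.
LOG_LINES = [
    '10.0.0.5 "https://www.googleadservices.com/pagead/aclk?sa=L" "https://notepad-plus-plus-download.site/npp.8.5.Installer.exe"',
    '10.0.0.7 "https://www.google.com/search?q=keepass" "https://keepass.info/download.html"',
    '10.0.0.9 "https://www.googleadservices.com/pagead/aclk?sa=L" "https://keepass-setup.net/KeePass-2.55-Setup.exe"',
    '10.0.0.9 "https://www.google.com/aclk?sa=l" "https://keepass.info/KeePass-2.55-Setup.exe"',
]
LINE_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')


def registrable(host):
    """Crude eTLD+1: the last two labels (adequate for the sample domains)."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Brand a host imitates, or None for the official domain or unrelated hosts.
    A host imitates a brand when it is not the official domain but carries the
    brand token anywhere or sits within 2 edits of the official domain."""
    host = host.lower()
    dom = registrable(host)
    if dom in OFFICIAL.values():
        return None
    for brand, official in OFFICIAL.items():
        if brand in host or edit_distance(dom, official) <= 2:
            return brand
    return None


def flag_ad_driven_installers(lines):
    """(client, download host, imitated brand) for every suspicious download."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, referrer, url = m.groups()
        u = urlparse(url)
        if not u.path.lower().endswith(INSTALLER_EXT):
            continue                      # not an installer
        if not any(r in referrer for r in AD_REFERRERS):
            continue                      # not reached through an ad click
        brand = lookalike_of(u.hostname or "")
        if brand:
            hits.append((client, u.hostname, brand))
    return hits


if __name__ == "__main__":
    for client, host, brand in flag_ad_driven_installers(LOG_LINES):
        print(f"{client} downloaded an installer from {host} (imitates {brand})")
```

The second and fourth lines are the controls: an organic search that lands on the real site, and an ad click that also lands on the real site, neither of which is flagged. Because the decoy page is only served to traffic the attacker does not want, the proxy will usually see just the final download, which is why the rule keys on the download itself rather than on the landing page.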
Ooreofeoluwa Koyejo says
The search for free software can introduce malware; we have to be careful of unknowingly downloading malware in the name of quick, free software and website extensions too.
Eyup Aslanbay says
https://www.securityweek.com/okta-support-system-hacked-sensitive-customer-data-stolen/
Okta, an identity security company, experienced a breach. Hackers used stolen credentials to access Okta’s support system, viewing confidential files. These files, particularly HAR files, contained sensitive data like cookies and session tokens, enabling hackers to mimic legitimate users.
Okta responded by:
- Assisting impacted clients and securing accounts.
- Advising the removal of sensitive data from files before sharing.
- Confirming that Okta's primary service wasn't affected.
They also issued warnings about suspicious IP addresses and urged customers to monitor their systems. BeyondTrust, another security firm, encountered a related attack but thwarted it, highlighting some vulnerabilities in Okta’s security.
This incident isn’t isolated; Okta has been previously targeted. Hackers have attempted sophisticated methods to compromise it, aiming to access connected organizations. The specifics of the attackers and their goals remain largely undisclosed.
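The advice above about removing sensitive data before sharing a HAR file can be automated. The following is an added example, not Okta's tooling: it redacts cookies, session tokens and Authorization headers from a HAR document before it leaves the machine. The HAR content, the header list and the key pattern are constructed assumptions.

```python
"""Added example (not Okta's code): redact the material the comment above
describes, cookies, session tokens and Authorization headers, from a HAR file
before it is attached to a support case. The HAR document is constructed."""
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names whose values must never leave the machine.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key"}
# Query-string / JSON keys that usually carry secrets (assumed list).
SENSITIVE_KEY = re.compile(r"token|session|sid|password|secret|code", re.I)

# Constructed HAR: one request/response pair with a session cookie, a token in
# the query string, a password in the body and a token in the response body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://example.okta.com/api/v1/sessions/me?sessionToken=abc123&limit=5",
        "headers": [{"name": "Cookie", "value": "sid=102mAbCdEf; DT=xyz"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102mAbCdEf"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"},
                        {"name": "limit", "value": "5"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"username": "alice", "password": "hunter2"}'},
    },
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=102mAbCdEf; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102mAbCdEf"}],
        "content": {"mimeType": "application/json",
                    "text": '{"sessionToken": "xyz789", "id": "00u1"}'},
    },
}]}}


def _scrub_headers(headers):
    for h in headers:
        if h["name"].lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _scrub_params(params):
    for p in params:
        if SENSITIVE_KEY.search(p["name"]):
            p["value"] = REDACTED


def _scrub_url(url):
    parts = urlsplit(url)
    query = [(k, REDACTED if SENSITIVE_KEY.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def _scrub_body(text):
    """Redact secret-looking keys in JSON bodies; drop bodies we cannot parse."""
    try:
        data = json.loads(text)
    except (TypeError, ValueError):
        return REDACTED

    def walk(node):
        if isinstance(node, dict):
            return {k: (REDACTED if SENSITIVE_KEY.search(k) else walk(v)) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node
    return json.dumps(walk(data))


def sanitize_har(har):
    """Return a redacted deep copy; the caller's HAR is left untouched."""
    har = json.loads(json.dumps(har))
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry.get("response", {})
        req["url"] = _scrub_url(req["url"])
        for section in (req, resp):
            _scrub_headers(section.get("headers", []))
            _scrub_params(section.get("queryString", []))
            for cookie in section.get("cookies", []):
                cookie["value"] = REDACTED          # every cookie is session material
        if "text" in req.get("postData", {}):
            req["postData"]["text"] = _scrub_body(req["postData"]["text"])
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = _scrub_body(resp["content"]["text"])
    return har


if __name__ == "__main__":
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=1))
```

The design choice is to redact every cookie and every sensitive header outright rather than keep an allowlist of "safe" cookies: a HAR captured during a login flow contains the very session material an attacker needs to replay the session, and nothing a support engineer needs to diagnose a request depends on the cookie values. Bodies that are not JSON are dropped whole for the same reason.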
Ooreofeoluwa Koyejo says
I wonder how the access to Okta's network occurred, especially because they have suffered previous hacks, and one would assume they would invest in improving the security of their networks to prevent unauthorized access and protect sensitive information as well.
Eyup Aslanbay says
Hackers got into Okta’s system for managing customer support cases using a stolen login detail. They could see files that some customers shared for support purposes.
Celinemary Turner says
North Korean Attackers Exploiting Critical CI/CD Vulnerability
https://www.infosecurity-magazine.com/news/north-korean-exploiting-critical/
The tech giant said it has observed two North Korean nation-state actors – Diamond Sleet and Onyx Sleet – exploiting the remote code execution vulnerability, CVE-2023-42793, since early October 2023.
In this article, Microsoft warns that North Korean threat actors are actively exploiting a critical vulnerability in a Continuous Integration/Continuous Deployment (CI/CD) application called JetBrains TeamCity. This software is commonly used in software development for DevOps and other activities. The vulnerability in question is identified as CVE-2023-42793 and has a high severity rating of 9.8 on the Common Vulnerability Scoring System (CVSS).
The threat actors involved are named Diamond Sleet and Onyx Sleet, which are believed to be North Korean nation-state actors. They have been observed exploiting this vulnerability since early October 2023. It’s important to note that the use of “nation-state actors” implies that these attackers may have the support and backing of a government.
The concern here is that these threat actors have a history of successfully conducting software supply chain attacks by infiltrating build environments, compromising the development or build process of a software project so that they can insert malicious code or components into the software before it's distributed to end users.
Given the history of these attackers and the specific vulnerability they are exploiting, Microsoft considers this activity to pose a "significantly high risk" to the organizations using JetBrains TeamCity server for their DevOps and software development activities.
In response to this threat, organizations that use JetBrains TeamCity should take immediate steps to patch the vulnerability and enhance their security measures to protect against supply chain attacks. Microsoft’s warning serves as an important reminder of the ongoing need for vigilance in the cybersecurity landscape, especially when it comes to critical infrastructure and software development tools.
Bo Wang says
https://www.infosecurity-magazine.com/news/api-security-flaw-grammarly-vidio/
Salt Security uncovered critical API security vulnerabilities in the OAuth protocol implementations of platforms like Grammarly, Vidio, and Bukalapak, which have now been addressed. These vulnerabilities had the potential to compromise user credentials and lead to full account takeovers, putting billions of users at risk. The flaws were related to access token verification in OAuth, allowing cyber-criminals to gain unauthorized access to sensitive information. These affected platforms have taken steps to fix the vulnerabilities. The research highlights the importance of proper OAuth implementation to ensure user security.
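An illustration of the access-token verification class of bug the comment refers to, as an added example: it is not the code of Grammarly, Vidio or Bukalapak and does not reproduce their specific findings. A "log in with provider" endpoint receives a third-party OAuth access token; the vulnerable version trusts any token that yields a profile, the hardened version first confirms the token was issued to this application. The provider, its token store and the client id are constructed stand-ins.

```python
"""Added example, not the code of any platform named above: a 'log in with
provider' endpoint that accepts a third-party OAuth access token, shown first
without and then with a check that the token was issued to this application.
The provider below is a constructed stand-in for a real identity provider's
token-introspection and userinfo endpoints."""
import time

OUR_CLIENT_ID = "our-web-app"          # hypothetical client id at the provider

# Constructed provider-side token store; a real provider answers this over
# HTTPS (Google's tokeninfo returns `aud`, Facebook's debug_token `app_id`).
PROVIDER_TOKENS = {
    "tok-legit":   {"sub": "user-42", "aud": OUR_CLIENT_ID,       "exp": time.time() + 3600},
    # Granted by user-42 to some other app (say, an attacker's quiz app):
    "tok-evilapp": {"sub": "user-42", "aud": "attacker-quiz-app", "exp": time.time() + 3600},
    "tok-expired": {"sub": "user-42", "aud": OUR_CLIENT_ID,       "exp": time.time() - 1},
}


def introspect(token):
    """Provider introspection: claims for a known token, None otherwise."""
    return PROVIDER_TOKENS.get(token)


def userinfo(token):
    """Provider userinfo: returns the profile for any unexpired token,
    regardless of which app the token was issued to."""
    claims = introspect(token)
    if claims is None or claims["exp"] < time.time():
        return None
    return {"id": claims["sub"], "email": f"{claims['sub']}@example.com"}


def login_vulnerable(token):
    """Treats 'userinfo worked' as proof of identity. A token the victim granted
    to a different app returns the victim's profile, so an attacker holding such
    a token is logged in as the victim."""
    profile = userinfo(token)
    return profile["id"] if profile else None


def login_hardened(token):
    """Accepts the token only if the provider says it was issued to this client
    and it is still valid, then fetches the profile."""
    claims = introspect(token)
    if claims is None or claims["exp"] < time.time():
        return None
    if claims["aud"] != OUR_CLIENT_ID:
        return None                       # token belongs to another application
    profile = userinfo(token)
    return profile["id"] if profile else None


if __name__ == "__main__":
    for tok in PROVIDER_TOKENS:
        print(f"{tok:12} vulnerable={login_vulnerable(tok)!s:8} hardened={login_hardened(tok)}")
```

The difference is a single comparison: the provider's userinfo call answers "whose token is this?" but never "was it meant for you?", so any site that logs users in on the strength of a profile lookup will accept a token the victim handed to an unrelated app. When the provider issues a signed OpenID Connect ID token instead, the same rule applies to its `aud` claim, alongside checking the issuer, signature and expiry.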
Yannick Rugamba says
QR Codes Used in 22% of Phishing Attacks – Infosecurity Magazine (infosecurity-magazine.com)
A recent article by Alessandro Mascellino brought attention to a concerning trend: 22% of phishing attacks in October 2023 used QR codes as a deceptive technique. The Hoxhunt Challenge, a study conducted across 38 companies in 125 countries, revealed some findings. Shockingly, 36% of individuals were able to recognize and report these QR codes. Interestingly, it was observed that retail workers were particularly susceptible to missing them, while those in business roles demonstrated detection skills.
Timothy Morris from Tanium cautioned about the risks associated with QR codes, especially when they are received via email. The study also indicated that individuals who are actively engaged in their jobs tend to have an ability to identify such threats. However, security expert Georgia Weidman issued a warning regarding the lack of built-in security measures for QR codes, emphasizing the need for businesses to exercise caution. Another report, from SlashNext, also highlighted the dangers posed by QR code scams and urged everyone to remain vigilant.
Yannick Rugamba says
Here is the link to the article: https://www.infosecurity-magazine.com/news/qr-codes-used-22-phishing-attacks/
Nicholas Nirenberg says
“34 Cybercriminals Arrested in Spain for Multi-Million Dollar Online Scams”
Spanish law enforcement authorities have recently arrested 34 members of a criminal group responsible for conducting various online scams, resulting in approximately €3 million ($3.2 million) in illegal profits. The arrests were made after extensive operations in multiple cities, leading to the seizure of simulated firearms, weapons, €80,000 in cash, high-end vehicles, and electronic materials. The criminals utilized tactics such as email, SMS, and phone call impersonation, posing as banks and electricity companies to defraud victims. Their schemes also included manipulating delivery notes from technology firms and unauthorized access to financial institutions’ databases. Additionally, the group profited from selling fake bank websites, mass messaging programs, and gathering information from specialized forums. The leaders of the network employed false documentation and spoofing techniques to hide their identities, investing their profits in cryptocurrency assets. This follows earlier arrests related to cybercrimes in Spain, indicating the ongoing efforts to combat various forms of digital fraud and scams.
URL: https://thehackernews.com/2023/10/34-cybercriminals-arrested-in-spain-for.html
Hashem Alsharif says
https://www.csoonline.com/article/656898/the-rise-of-the-cybersecurity-insurance-market-3.html
This article talks about cybersecurity insurance, which is used to cover losses and helps organizations with disaster recovery. It mentions how threat actors are able to purchase plug-and-play ransomware kits on the dark web, which causes Ransomware as a service to grow in frequency. This means that businesses are more at risk for downtime, business interruption costs, increased litigation, and regulatory penalties. One thing to keep in mind is that insurance does not cover all losses, and that the cybersecurity insurance market is brought down by problems that can be solved if we have clear standards for risk. If we do this, then predicting risks will be more accurate, which in turn, means cybersecurity insurance will be more reliable.
Edge Kroll says
https://thehackernews.com/2023/10/ex-nsa-employee-pleads-guilty-to.html
Jareh Sebastian Dalke, a former employee of the U.S. National Security Agency (NSA), pleaded guilty to charges of attempting to transmit classified defense information to Russia. He worked at the NSA with Top Secret clearance from June to July 2022, and later admitted to sending excerpts of classified documents to someone he believed to be a Russian agent, but who was actually an undercover FBI employee. He also requested $85,000 in exchange for more information. The document transmission occurred in downtown Denver, Colorado, and included files related to NSA plans, threat assessments, and defense capabilities. Dalke faces sentencing in April 2024, with a potential maximum penalty of life in prison.