Erskine Payton says
In the News Article- Week 9
MIS 5206
Temple University
Okta shares fall 11% after company says client files were accessed by hackers via its support system
https://www.cnbc.com/2023/10/20/okta-shares-fall-after-company-says-client-files-were-accessed-by-hackers-via-its-support-system.html
Hackers used stolen credentials to access OKTA’s support case system. Hackers were also able to view customer uploaded files. The good news is that only 1% of OKTA’s customer base was affected, equating to about 184 people. OKTA reported that its production service and other customer offerings were not impacted and are fully operational. As we are discussing the impact of a disaster and recovery tactics, we see here that although the breach had a minimal impact in terms of the number of customers affected, it cost them much more. OKTA’s shares fell almost 12% once the news broke of the breach. I wonder whether a situation like this was a part of the disaster recovery plan. Yes, OKTA is committed to protecting their client base, but something like this makes it difficult to recover that trust. The larger issue is whether they are going to be able to recover. Are their shares going to keep falling, or will the descent cease?
Ikenna Alajemba says
St. Louis University students and employees experienced a data breach that spanned over eight months, according to the school.
On Thursday, SLU sent out letters to individuals who may have been affected by the breach. Personal information such as names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, passwords, digital signatures, health insurance information and medical information all could have been accessed, a statement from the university said.
https://www.stltoday.com/news/local/education/data-breach-hits-slu-students-and-employees-school-says/article_31bdc9c6-6ec2-11ee-b255-cb1cd7baadcc.html
Chidi Okafor says
Title: Casio discloses data breach impacting customers in 149 countries
This article details a data breach suffered by Casio, a Japanese electronics manufacturer. This attack affected customers in 149 countries and was discovered on October 11 when a ClassPad database failed. The attacker accessed customer data, including names, email addresses, countries of residence, service usage, and purchase information, but no credit card information was compromised. As of October 18, 91,921 records of Japanese customers and 35,049 records from other countries were accessed. Casio attributed the breach to network security settings being disabled due to an operational error and insufficient management. The company is cooperating with authorities and conducting an internal investigation. In early August, a threat actor (known as thrax) claimed to have leaked user records allegedly stolen from Casio’s older databases.
Link – https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/casio-discloses-data-breach-impacting-customers-in-149-countries/amp/
Jeffrey Sullivan says
Backup power and its purpose in data center disaster recovery planning – DCD (datacenterdynamics.com)
The article shows the importance of having a disaster recovery plan and a data center for business continuity, but also shows that there is a heightened danger for data centers and their need for disaster recovery preparation.
A robust disaster recovery plan for data centers is crucial: with the data center serving as the nucleus of many organizations, downtime due to unforeseen circumstances such as a natural disaster or a cyber-attack can be detrimental. “The number of disasters reported have increased five-fold over the past five decades and 10-fold over the past 100 years, with storms like hurricanes and blizzards constituting 30 percent of all natural disaster-pertinent threats for all data centers.”
The article hones in on the need for data centers to prioritize backup power for each asset regardless of risk or loss evaluation, as data centers have hardware, software, networks, virtual machines, security services, SaaS services and more that all individually require electricity to function. Disaster recovery is not just a precautionary measure; it is an essential strategy in today’s technology-driven world. The integration of backup power into the plan is a crucial element, as data centers are becoming the backbone during these disastrous events.
https://www.datacenterdynamics.com/en/opinions/backup-power-and-its-purpose-in-data-center-disaster-recovery-planning/
Marc Greenberg says
Spyware is being spread via fake natural disaster alerts
https://www.cshub.com/malware/news/spyware-natural-disaster-alert
Malware is being spread to Android devices via fake volcano eruption alerts in Italy, cyber security researchers have found.
D3Labs discovered that malicious actors were exploiting the IT-Alert service, a new public alert system used by the Italian government to disseminate crucial information to its citizens in emergency situations, for example natural disasters.
A website posing as IT Alert read: “due to the possible eruptions of a volcano, a national earthquake could occur. Download the app to keep an eye on whether the region could be affected”.
Once a victim clicked on the download button, a file labelled IT-Alert.apk was downloaded to their device. This file contains SpyNote malware. This malware is primarily used to target financial institutions and is usually sold via Telegram by its creator who uses the alias CypherRat.
By prompting the user to allow the app to run in the background, malicious actors are able to gain full control of the victim’s smartphone via its accessibility services. This allows the malicious actors to “monitor, manage and modify the resources and features of the device along with remote access capabilities”. This technique also makes it more difficult for victims to “uninstall the application, update already uninstalled applications or install new ones”.
Malicious actors are also able to obtain codes used for two-factor authentication (2FA) and steal login credentials for both banking applications and social media. This is done by launching a fake application that looks like a legitimate service and prompting victims to input their login credentials.
Akintunde Akinmusire says
https://www.securityweek.com/philippine-military-ordered-to-stop-using-artificial-intelligence-apps-due-to-security-risks/
Philippine Military Ordered to Stop Using Artificial Intelligence Apps Due to Security Risks
The Philippine Defense chief has instructed defense personnel to stop using AI-driven digital applications that generate personal portraits. He stated that using AI-driven applications can eventually pose a security risk, which can lead to privacy breaches and malicious activities like identity theft and phishing.
Alyanna Inocentes says
Is your hospital ready for 3-4 weeks of downtime?
https://www.healthcareitnews.com/news/your-hospital-ready-3-4-weeks-downtime
John Riggi, a national advisor for cybersecurity and risk at the American Hospital Association, highlighted the growing threat of high-impact ransomware attacks on healthcare systems at the 2023 HIMSS Healthcare Cybersecurity Forum. He stressed the need for local and regional planning to address the rising concern of cyberattacks that disrupt hospital operations and deny access to patient information. The impact of these attacks is no longer considered a white-collar crime but a significant patient safety risk. Riggi called for a more offensive posture from the healthcare industry and the U.S. government to combat these threats. He also pointed out that patient data breaches are projected to impact up to 100 million individuals in 2023, with the majority of attacks being foreign-based, often involving data theft extortion. Riggi emphasized the importance of safeguarding network servers and email outside of electronic health records (EHRs) and underlined the need for robust emergency management planning, both locally and regionally, to ensure clinical continuity for up to four weeks in the event of an attack.
Michael Obiukwu says
Data Of More Than 200 Million Twitter Users Is Leaked
Purplesec.us’s latest insights into security incidents reveal a startling cybersecurity breach: the data of over 200 million Twitter users has been compromised. These findings not only highlight the urgency to reinforce digital protection measures but also cast light on the challenges faced by social networks in maintaining user data privacy. This incident serves as a harsh reminder of the criticality of cybersecurity in our increasingly connected digital era. Further investigations into the incident are necessary, and these results are a call to action for both users and companies to prioritize data security.
https://purplesec.us/security-insights/twitter-data-leak-200-million-users/
Andrew Young says
Title: Cyberattack On NY Hospitals Forces Ambulance Diversions
The article that I chose this week details a recent cyber attack on several NY hospital systems that caused ambulance and care diversions in Westchester, NY. Though it is not detailed exactly how, WMCHealth concluded in mid-October that it had, in fact, been the target of a recent cyber attack that may have compromised several systems. Through remediation steps it was determined that shutting down IT systems temporarily to restore integrity would be necessary, causing ambulance services, among other necessary systems, to be temporarily unavailable. I found this article interesting, as it covers details such as hospital systems’ IT and health care, similar to our recent case study. The tough decision to temporarily take life-saving procedures offline is always difficult, and it further stresses the need for robust IT security, especially in the healthcare sector.
Article: https://healthitsecurity.com/news/cyberattack-on-ny-hospitals-forces-ambulance-diversions
Ashley A. Jones says
In the News Article
1Password Detects Suspicious Activity Amidst Okta Breach
Connection to Okta breach: I found this article interesting since it bridges together many things that we have learned so far. On September 29th, 1Password detected suspicious activity on its Okta instance following Okta’s support system breach. As far as 1Password knows, no user data has been accessed. Erskine shared the Okta breach in his article, and what is interesting is that it took Okta some time to publicly announce this breach, since 1Password alludes to the attack happening some time in September. Also, between these two articles, I was able to uncover that Okta was breached last year through an account belonging to a Costa Rica-based Sykes employee (Sykes, an outsourcing firm) who was providing customer service to Okta users. In addition to this, it is uncovered that Scattered Spider (aka 0ktapus, Scatter Swine, or UNC3944) has a track record of targeting Okta using social engineering tactics to obtain elevated privileges! With this information, it makes sense that 1Password is armed and ready to make public as much information as early as possible in case further events come from this. They do conclude at the end of the article that they are on alert, since all of the activity suggests they conducted initial reconnaissance with the intent to penetrate their (Okta, I imagine from this article) systems and gather info for a more sophisticated attack.
Standalone mitigation: I wanted to bring together the connection between Okta and 1Password first. The suspicious activity that truly brought about this article came through a session cookie after a member of their IT team shared a HAR file with Okta support. The threat actor essentially performed a series of actions that are interesting:
• Attempted to access the IT team member’s user dashboard, but was blocked by Okta
• Updated an existing IDP tied to our production Google environment
• Activated the IDP
• Requested a report of administrative users
It seems the threat actor was properly blocked from accessing the user dashboard, which ultimately belongs to Okta. However, the threat actor was able to go into 1Password’s IDP in their production Google environment, activate the IDP and request a report of admin users. This shows an obvious misstep on 1Password’s end in terms of authorization, but it ultimately does show that Okta could be the main target here and this could, in fact, be tied to a much larger attack. The steps that 1Password takes to mitigate the risk are denying logins from non-Okta IDPs, reducing session times for administrative users, tighter MFA rules for admins, and decreasing the number of super admins. Now, I will be honest and say that tighter MFA seems to be the only mitigation that truly addresses the suspicious activity, but I am still learning. It does not sound like 1Password has fully divulged their mitigation plans, or they are more interested in getting out a public statement to keep their reputation intact.
Article Link: 1Password Detects Suspicious Activity Following Okta Support Breach (thehackernews.com) – https://thehackernews.com/2023/10/1password-detects-suspicious-activity.html
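The root cause in the post above is a session cookie that travelled inside a HAR file sent to support. The following is an added example, not code from the original post, from 1Password or from Okta: it redacts cookies, auth headers, token parameters and response bodies from a HAR before it leaves the organisation. The sample HAR, the fictional tenant host and the lists of sensitive header/parameter names are constructed assumptions.

```python
import json

REDACTED = "[REDACTED]"
# Header names that carry credentials or session state (matched case-insensitively).
# Assumed starting list; extend it with headers specific to the application.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-csrf-token"}
# Query-string / form parameters that commonly hold tokens or secrets (assumed list).
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "code", "sessiontoken", "password"}


def _redact_pairs(pairs, names=None):
    """Redact values in a HAR name/value list; names=None redacts every entry."""
    count = 0
    for pair in pairs or []:
        if names is None or pair.get("name", "").lower() in names:
            if pair.get("value") != REDACTED:
                pair["value"] = REDACTED
                count += 1
    return count


def _redact_query(text):
    """Redact sensitive keys in a form-encoded string (URL query or POST body)."""
    count, parts = 0, []
    for kv in text.split("&"):
        key, sep, _ = kv.partition("=")
        if sep and key.lower() in SENSITIVE_PARAMS:
            parts.append(f"{key}={REDACTED}")
            count += 1
        else:
            parts.append(kv)
    return "&".join(parts), count


def sanitize_har(har, keep_response_bodies=False):
    """Return (sanitized_copy, number_of_redactions) for a parsed HAR dict."""
    har = json.loads(json.dumps(har))  # deep copy: never mutate the caller's data
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        req, res = entry.get("request", {}), entry.get("response", {})
        # Request side: every cookie, auth headers, and tokens carried in the URL or body.
        count += _redact_pairs(req.get("headers"), SENSITIVE_HEADERS)
        count += _redact_pairs(req.get("cookies"))
        if "?" in req.get("url", ""):
            base, qs = req["url"].split("?", 1)
            qs, n = _redact_query(qs)
            req["url"], count = base + "?" + qs, count + n
        post = req.get("postData") or {}
        count += _redact_pairs(post.get("params"), SENSITIVE_PARAMS)
        if "urlencoded" in post.get("mimeType", "") and post.get("text"):
            post["text"], n = _redact_query(post["text"])
            count += n
        # Response side: Set-Cookie headers, the cookie list and, by default, the body,
        # because login and token endpoints return session material there.
        count += _redact_pairs(res.get("headers"), SENSITIVE_HEADERS)
        count += _redact_pairs(res.get("cookies"))
        content = res.get("content") or {}
        if not keep_response_bodies and content.get("text"):
            content["text"] = REDACTED
            count += 1
    return har, count


# Constructed sample HAR: an API call carrying cookies and a bearer token, then a
# form login.  The host is fictional.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"}, "entries": [
    {"request": {"method": "GET",
                 "url": "https://tenant.example.test/api/v1/users/me?access_token=abc123&limit=1",
                 "headers": [{"name": "Cookie", "value": "sid=102abc; JSESSIONID=DEADBEEF"},
                             {"name": "Authorization", "value": "Bearer eyJ0ZXN0"},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "102abc"},
                             {"name": "JSESSIONID", "value": "DEADBEEF"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=102abc; HttpOnly"},
                              {"name": "Content-Type", "value": "application/json"}],
                  "cookies": [{"name": "sid", "value": "102abc"}],
                  "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"}}},
    {"request": {"method": "POST", "url": "https://tenant.example.test/login",
                 "headers": [{"name": "Content-Type", "value": "application/x-www-form-urlencoded"}],
                 "cookies": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "username=alice&password=hunter2",
                              "params": [{"name": "username", "value": "alice"},
                                         {"name": "password", "value": "hunter2"}]}},
     "response": {"status": 302, "headers": [], "cookies": [], "content": {}}}]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"{n} values redacted")
    print(json.dumps(clean, indent=1))
```

Run it on a real capture with `sanitize_har(json.load(open("capture.har")))` and write the returned copy to a new file; the original is never modified.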
Kelly Conger says
https://www.bleepingcomputer.com/news/security/city-of-philadelphia-discloses-data-breach-after-five-months/
The City of Philadelphia experienced a data breach in May 2023, potentially exposing personal and protected health information. While officials discovered suspicious activity on May 24, the investigation revealed that unauthorized access to compromised email accounts may have continued for two months after the initial detection. The breach potentially affected individuals interacting with various city departments, including health and human services, parks and recreation, and the Philadelphia Parking Authority. Affected individuals may receive notifications and complimentary credit monitoring services. The city works with law enforcement and cybersecurity experts to investigate the incident and enhance security measures.
Akiyah says
https://techcrunch.com/2023/10/18/hacker-leaks-millions-more-23andme-user-records-on-cybercrime-forum/
Hackers have recently disclosed yet another set of user information (in the millions), claiming that this new leak includes data on “the wealthiest individuals residing in the United States and Western Europe.” These hackers initially gained access to user credentials on 23andMe by exploiting a hacking technique known as “credential stuffing,” which involves using credentials obtained from prior data breaches. The success of this method is largely attributed to users who tend to reuse the same credentials across multiple websites. As a result, 23andMe is placing responsibility on its users for this security breach. You can find further details on this incident in the provided link.
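The credential-stuffing pattern described in the post can be picked out of authentication logs. The following is an added example, not code from the original post or from 23andMe: it flags a source IP that cycles through many usernames with mostly failures inside a sliding window, and lists the accounts that were logged into during the burst, which are the ones that need a forced password reset. The log lines, the record layout and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds (assumed; tune them to the site's normal failure rate).
WINDOW = timedelta(minutes=5)   # sliding window per source IP
MIN_DISTINCT_USERS = 8          # usernames tried from one IP inside the window
MIN_FAIL_RATIO = 0.75           # share of attempts inside the window that failed

# Constructed sample log, one "timestamp ip username result" record per line.
# 203.0.113.7 walks a leaked credential list and lands two accounts;
# 198.51.100.5 is a single user mistyping a password; 192.0.2.44 sprays so
# slowly that no 5-minute window reaches the threshold (a known blind spot of
# a per-IP window, which a per-username or site-wide view would need to cover).
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob FAIL
2023-10-01T12:00:03Z 203.0.113.7 carol OK
2023-10-01T12:00:04Z 203.0.113.7 dave FAIL
2023-10-01T12:00:05Z 203.0.113.7 erin FAIL
2023-10-01T12:00:06Z 203.0.113.7 frank FAIL
2023-10-01T12:00:07Z 203.0.113.7 grace FAIL
2023-10-01T12:00:08Z 203.0.113.7 heidi OK
2023-10-01T12:00:09Z 203.0.113.7 ivan FAIL
2023-10-01T12:00:10Z 203.0.113.7 judy FAIL
2023-10-01T12:01:00Z 198.51.100.5 alice FAIL
2023-10-01T12:01:20Z 198.51.100.5 alice FAIL
2023-10-01T12:01:40Z 198.51.100.5 alice OK
2023-10-01T12:00:00Z 192.0.2.44 mallory FAIL
2023-10-01T12:06:00Z 192.0.2.44 nick FAIL
2023-10-01T12:12:00Z 192.0.2.44 olivia FAIL
2023-10-01T12:18:00Z 192.0.2.44 peggy FAIL
"""


def parse(log_text):
    """Parse records into (time, ip, user, success) tuples sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return sorted(events)


def detect_stuffing(events):
    """Return {ip: finding} for source IPs whose attempts look like credential stuffing.

    A burst opens at the first window in which the IP tried at least
    MIN_DISTINCT_USERS different usernames with a failure share of at least
    MIN_FAIL_RATIO.  Every successful login from that IP from then on is
    reported as a likely compromised account.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start, burst_start = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1  # slide the window forward past old attempts
            window = evs[start:end + 1]
            users = {e[2] for e in window}
            fails = sum(1 for e in window if not e[3])
            if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAIL_RATIO:
                burst_start = window[0][0]
                break
        if burst_start is not None:
            # The burst is taken to run to the IP's last event; production code
            # would close it after a quiet period instead.
            burst = [e for e in evs if e[0] >= burst_start]
            findings[ip] = {
                "burst_start": burst_start.isoformat(),
                "attempts": len(burst),
                "distinct_users": len({e[2] for e in burst}),
                "compromised": sorted({e[2] for e in burst if e[3]}),
            }
    return findings


def analyze(log_text=SAMPLE_LOG):
    return detect_stuffing(parse(log_text))


if __name__ == "__main__":
    for ip, f in analyze().items():
        print(f"{ip}: {f['attempts']} attempts on {f['distinct_users']} users from "
              f"{f['burst_start']}; compromised: {', '.join(f['compromised']) or 'none'}")
```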
Alex Ruiz says
Title: Ex-NSA Employee Pleads Guilty to Leaking Classified Data to Russia
Link: https://thehackernews.com/2023/10/ex-nsa-employee-pleads-guilty-to.html
Summary: Former NSA employee Jareh Sebastian Dalke pleaded guilty to attempting to transmit classified defense information to Russia. He had Top Secret clearance during his employment at the NSA and used an encrypted email account to send excerpts of classified documents to an individual he believed was a Russian agent. However, he was actually sending them to an undercover FBI employee. Dalke wanted $85,000 for each piece of information and now faces a maximum penalty of life in prison when he is eventually sentenced on April 26, 2024.
Unnati Singla says
Title: Malvertisers Using Google Ads to Target Users Searching for Popular Software
Link: https://thehackernews.com/2023/10/malvertisers-using-google-ads-to-target.html
An advertising campaign was seen using Google Ads to target users searching for popular software such as Notepad++ and PDF converters. When users click on fake ads, they are instructed to download from sites that filter out bots and unwanted IP addresses. If a user is considered a potential target, they are redirected to a replica site that advertises the software and silently verifies whether the request is coming from a virtual machine; those that fail the check go to a proper Notepad++ site, while the “winners” get a unique ID to track them, making each download unique and time-sensitive.
This includes a malicious HTA payload that connects to a remote domain (“mybigeye[.]icu”) on a custom port, delivering a lot of malicious code. Attackers use a variety of techniques to bypass ad verification processes, allowing them to target specific victims. This campaign shows another one, involving KeePass, targeting users looking for a password manager and using malicious ads to drive victims to fraud.