Archive for September 7, 2023

Flashpoint releases H1 Cyber Threat Intelligence Index 

Posted in Commentary with tags on September 7, 2023 by itnerd

Flashpoint released its H1 Cyber Threat Intelligence Index: https://flashpoint.io/blog/cyber-threat-intelligence-index-2023-midyear/.

Here are just a few of the points in the report: 

Flashpoint digs into the activity from ransomware groups over the past 12 months. Regarding ransomware, Flashpoint found:

  • The most headline-grabbing cyber extortion event in the first half of 2023 was (and continues to be) the impact of the Clop ransomware group, which began exploiting the MOVEit zero-day vulnerability in May to gain illegal access to a wide range of victims. 
  • As of August 9, the total number of victims—those posted on Clop’s ransomware blog combined with data from Flashpoint’s Cyber Risk Analytics (CRA) platform—totaled more than 650. This number includes companies that were directly attacked by Clop as well as third-party victims. 

Regarding vulnerabilities over the past 6 months, Flashpoint found:

  • 14,201 new vulnerabilities were reported in H1 2023, and 2,189 of them were missed by the Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD). 
  • Over 36 percent of H1’s disclosed vulnerabilities have a working proof-of-concept or a known public exploit, giving low-level attackers an opportunity to compromise vulnerable systems. 

Regarding data breaches over the past 6 months, Flashpoint found:

  • In H1 2023, Flashpoint analysts identified 2,893 data breach events, resulting in the loss of 5.94B records. 
  • The highest number of breaches were recorded in the US. 

Flashpoint’s H1 2023 report also digs into Malware IOCs and Insider Threats. 

Apache Superset Insecure Default Config Part II: RCE, Credential Harvesting and More (IOCs)

Posted in Commentary with tags on September 7, 2023 by itnerd

In April 2023, threat researchers at Horizon3.ai analyzed CVE-2023-27524, which Horizon3.ai Chief Architect Naveen Sunkavally described at the time as “a dangerous default configuration in Apache Superset that allows an unauth attacker to gain remote code execution, harvest credentials, and compromise data.”

Today, Sunkavally and team have updated their analysis of CVE-2023-27524 with the publication of Apache Superset Part II: RCE, Credential Harvesting and More. This post includes indicators of compromise (IOCs) and examples of what an attacker can do once they have attained admin privileges, either by exploiting CVE-2023-27524 or by other means. The blog post covers:

  • Accessing Default Metadata Database Credentials
  • Harvesting Credentials from the Metadata Database
  • Conducting Remote Code Execution on the Superset Server
  • Conducting Remote Code Execution on Any Connected DB Server
  • Indicators of Compromise
  • Remediation Guidance and Remediation Resource Links 

Sunkavally notes: “As of this writing, there are still a few default settings to be aware of in the Superset helm template and docker-compose setup. The Superset team is aware of these defaults and planning to remove them. The latest data we gathered supports removing these defaults and providing a complete fix for CVE-2023-27524.”

Apache Superset is an open-source data visualization and exploration tool with over 50,000 stars on GitHub. More than 3,000 instances of it are exposed to the Internet.

Previous (April 23, 2023) Horizon3.ai research, “CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution”: https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/

Okta Customers Targeted In Social Engineering Attacks

Posted in Commentary with tags on September 7, 2023 by itnerd

Okta says its customers have been targeted in a social engineering scam; on Friday the company warned of social engineering attacks orchestrated by threat actors to obtain elevated administrator permissions:

In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users.

The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.

That’s pretty scary. I’ll explain why in a moment. John Gunn, CEO of Token, had this comment:

Cybercriminal organizations intentionally and smartly target the organizations that have the richest assets and that will pay the highest ransoms, and with that they focus on compromising the users that have the greatest privileges to gain immediate access to applications and data they are targeting. Because of Okta’s market dominance they are able to get a perspective not available to others and they share this with the market to the benefit of all.

So, why do I think that this is scary? It once again proves that the weakest link in cybersecurity is the people. This sort of attack will not work if people are properly trained and that training is constantly reinforced with “secret shopper” type exercises where people pretend to be threat actors and target the recipients of the training to see if the knowledge is retained. Thus companies need to get onto that train as quickly as possible to bolster their defences.
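Training is one side of the defence; the other is noticing the pattern Okta describes when it happens. The following is an added detection example, not code from this post or from Okta. It scans Okta-style System Log lines for a "reset all MFA factors" action performed on a highly privileged account by someone other than the account owner, then looks within a short window for the two follow-on signs the advisory mentions: the account being used from an unfamiliar IP, and the account creating a new identity provider (the federation abuse). The event type names (`user.mfa.factor.reset_all`, `user.session.start`, `system.idp.lifecycle.create`) are assumptions modelled on Okta System Log naming; the privileged-user list, the known-IP baseline and every log line are constructed for this example.

```python
"""Detect: service-desk MFA reset on a privileged Okta account, followed by a
session from an unfamiliar IP and/or creation of a new identity provider.

Assumptions: event type names follow Okta System Log naming
(user.mfa.factor.reset_all, user.session.start, system.idp.lifecycle.create).
All log lines, users and IPs below are constructed for this example.
"""
import json
from datetime import datetime, timedelta

# Constructed: accounts the organisation treats as highly privileged.
PRIVILEGED_USERS = {"admin.alice@example.com", "admin.bob@example.com"}

# Constructed: IP addresses each privileged user has historically signed in from.
KNOWN_IPS = {
    "admin.alice@example.com": {"203.0.113.10"},
    "admin.bob@example.com": {"203.0.113.20"},
}

# How long after the reset we keep correlating follow-on activity.
WINDOW = timedelta(hours=6)

# Constructed Okta-style System Log lines, one JSON object per line.
SAMPLE_LOG = """\
{"published":"2023-09-01T09:00:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk.carol@example.com"},"target":[{"alternateId":"admin.alice@example.com"}],"client":{"ipAddress":"203.0.113.50"}}
{"published":"2023-09-01T09:20:00Z","eventType":"user.session.start","actor":{"alternateId":"admin.alice@example.com"},"target":[],"client":{"ipAddress":"198.51.100.7"}}
{"published":"2023-09-01T09:45:00Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"admin.alice@example.com"},"target":[{"alternateId":"Rogue IdP"}],"client":{"ipAddress":"198.51.100.7"}}
{"published":"2023-09-01T10:00:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"admin.bob@example.com"},"target":[{"alternateId":"admin.bob@example.com"}],"client":{"ipAddress":"203.0.113.20"}}
{"published":"2023-09-01T10:05:00Z","eventType":"user.session.start","actor":{"alternateId":"admin.bob@example.com"},"target":[],"client":{"ipAddress":"203.0.113.20"}}
{"published":"2023-09-02T08:00:00Z","eventType":"user.session.start","actor":{"alternateId":"admin.alice@example.com"},"target":[],"client":{"ipAddress":"203.0.113.10"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON log lines into a time-sorted list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        events.append({
            "time": datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ"),
            "type": e["eventType"],
            "actor": e["actor"]["alternateId"],
            "targets": [t["alternateId"] for t in e.get("target", [])],
            "ip": e["client"]["ipAddress"],
        })
    events.sort(key=lambda ev: ev["time"])
    return events


def find_suspicious_resets(events, privileged=PRIVILEGED_USERS,
                           known_ips=KNOWN_IPS, window=WINDOW):
    """Return one finding per MFA reset-all on a privileged account performed by
    someone other than the owner, enriched with follow-on activity in `window`."""
    findings = []
    for i, e in enumerate(events):
        if e["type"] != "user.mfa.factor.reset_all":
            continue
        victim = e["targets"][0] if e["targets"] else None
        # A user resetting their own factors, or a non-privileged target, is
        # lower risk and is not the pattern described in the advisory.
        if victim not in privileged or e["actor"] == victim:
            continue
        finding = {"user": victim, "reset_by": e["actor"], "reset_at": e["time"],
                   "new_ip_logins": [], "idp_created": []}
        for f in events[i + 1:]:
            if f["time"] - e["time"] > window:
                break  # events are sorted, so nothing later is in the window
            if f["actor"] != victim:
                continue
            if f["type"] == "user.session.start" and f["ip"] not in known_ips.get(victim, set()):
                finding["new_ip_logins"].append(f["ip"])
            elif f["type"] == "system.idp.lifecycle.create":
                finding["idp_created"].extend(f["targets"])
        # Reset alone is worth a ticket; reset plus follow-on activity is an incident.
        finding["severity"] = "high" if finding["new_ip_logins"] or finding["idp_created"] else "medium"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for fnd in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(json.dumps(fnd, default=str, indent=2))
```

On the constructed log the helpdesk-initiated reset of admin.alice is reported as high severity because it is followed by a sign-in from an IP outside her baseline and by the creation of a new identity provider, while admin.bob's self-service reset from a known IP produces no finding. In a real deployment the privileged-user set and IP baseline would come from the directory and historical sign-in data rather than from literals.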