An Okta employee is faulted for a hack that led to the exposure of HAR files, another U.S. school board’s data is stolen, and more.
Welcome to Cyber Security Today. It’s Monday, November 6th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
An employee is being faulted for the recent compromise of the customer support system of identity management provider Okta. In that incident, which I reported last week, a threat actor got hold of HAR files that IT departments upload to Okta for analysis. These files had session tokens that the attacker used to hijack the Okta login sessions of five customers. After an investigation Okta says the incident started when an employee logged into their personal Google profile on the Chrome browser of their Okta-managed laptop. The employee’s Okta username and password were saved into that personal Google account. The threat actor probably compromised that personal account and got the employee’s Okta credentials. Then the attacker got into the Okta customer support system. What the report doesn’t say is whether the employee violated Okta policy by using their company computer to log into a personal account. It does say that Okta now blocks the use of personal Google profiles with Google Chrome. That prevents an employee from signing into their personal Google profile from a company-managed laptop.
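HAR files are plain JSON recordings of every browser request and response, so the Cookie and Authorization headers, cookie values and any tokens echoed in bodies travel with them. The script below is an added example of the pre-upload scrubbing an IT department can do before sending a capture to any vendor's support desk. It is not Okta's own sanitizer and not code from the article; the header list, the JWT pattern and the sample capture are assumptions constructed for the example.

```python
"""Redact session material from a HAR (HTTP Archive) capture before sharing it.

Added example, not from the article or from Okta. The list of sensitive
headers and the JWT regex are assumed starting points; extend them for the
applications you actually capture.
"""
import json
import re
from copy import deepcopy

REDACTED = "[REDACTED]"

# Header names that typically carry credentials or session tokens (assumed list).
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-csrf-token", "x-xsrf-token", "x-api-key",
}

# Three base64url segments joined by dots; "eyJ" is how a base64url '{"' begins.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _scrub_headers(headers):
    """Replace the value of every sensitive header; return how many were changed."""
    n = 0
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
            h["value"] = REDACTED
            n += 1
    return n


def _scrub_cookies(cookies):
    """Replace every cookie value in the parsed cookies array; return the count."""
    n = 0
    for c in cookies:
        if c.get("value") not in (None, REDACTED):
            c["value"] = REDACTED
            n += 1
    return n


def _scrub_text(container, key):
    """Redact JWT-looking strings in a body field (postData.text or content.text)."""
    text = container.get(key)
    if not isinstance(text, str):
        return 0
    new_text, n = JWT_RE.subn(REDACTED, text)
    container[key] = new_text
    return n


def sanitize_har(har):
    """Return (sanitized_copy, number_of_redactions); the input dict is left untouched."""
    out = deepcopy(har)
    n = 0
    for entry in out.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        n += _scrub_headers(req.get("headers", []))
        n += _scrub_headers(resp.get("headers", []))
        n += _scrub_cookies(req.get("cookies", []))
        n += _scrub_cookies(resp.get("cookies", []))
        n += _scrub_text(req.get("postData", {}), "text")
        n += _scrub_text(resp.get("content", {}), "text")
    return out, n


def has_secrets(har):
    """True if a sensitive header, cookie value or JWT is still present: a pre-upload gate."""
    return sanitize_har(har)[1] > 0


# Constructed sample capture (not a real session): one request carrying a
# session cookie and a bearer token, and a response that sets a cookie and
# echoes a token in its JSON body.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET", "url": "https://example.invalid/api/v1/users/me",
            "headers": [
                {"name": "Accept", "value": "application/json"},
                {"name": "Cookie", "value": "sid=constructed-session-id-123"},
                {"name": "Authorization", "value": "Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1MSJ9.sig"},
            ],
            "cookies": [{"name": "sid", "value": "constructed-session-id-123"}],
        },
        "response": {
            "status": 200,
            "headers": [
                {"name": "Content-Type", "value": "application/json"},
                {"name": "Set-Cookie", "value": "sid=constructed-session-id-456; HttpOnly"},
            ],
            "cookies": [{"name": "sid", "value": "constructed-session-id-456"}],
            "content": {"mimeType": "application/json",
                        "text": '{"token": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1MSJ9.sig"}'},
        },
    }]}
}

if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} fields")
    print(json.dumps(clean, indent=2))
```

Run it on the sample and six fields are redacted (two request headers, one response header, two cookie values, one token in the response body); running `has_secrets` on the output returns False, which is the check to wire into whatever upload step hands the file to a support portal. Redaction is deliberately irreversible: a support engineer can still see the request sequence, status codes and timings, which is what the capture is for.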
The hacking of employees’ emails played a part in a different data breach. The email accounts of two staff members of Five Guys Enterprises, a Washington, D.C., area fast food chain, were hacked earlier this year. What the threat actor got was access to emails and attachments with names and Social Security numbers. Both employees had multifactor authentication protection on their email accounts. The company didn’t explain how the attacker got around that in its data breach disclosure to the Maine attorney general’s office. This incident is a reminder that attackers don’t have to get into a firm’s database to get confidential information. A lot of it is sitting — unencrypted — in the email inboxes of employees.
The IT systems of American mortgage provider Mr. Cooper remained offline Sunday after the company suffered what it calls a cyber security incident last week. With systems down, mortgage payments can’t be processed. However, the company says customers won’t be penalized for late payments. Its FAQ page says the company is investigating whether customer data was compromised.
More American companies are acknowledging being directly or indirectly hit by the hack of MOVEit servers. Among the latest is AlohaCare, a Hawaii healthcare provider. It is notifying almost 13,000 people their personal information was stolen in the hack of the company’s MOVEit server. Copied were names, dates of birth and Social Security numbers.
A week ago today I told you that a Las Vegas area school board had been hacked by a gang that says it stole 200,000 student profiles. That gang, SingularityMD, has done it again. This time the victim is Colorado’s Jeffco Public Schools. According to DataBreaches.net, the gang claims it exploited the same bad cybersecurity policy as the other school board: allowing students to use their birthdates as a password. The gang allegedly got the birthdates of students from postings they made on social media. School boards probably allow using a birthdate because it’s easier for youngsters to remember than creating a unique password. But the risks are high — as these two incidents show.
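A directory that already knows a student's date of birth can refuse to accept it as a password, in any of the usual digit orderings, and with or without separators. The check below is an added example written for this episode, not code from any school board or identity system; the set of date formats and the minimum length are assumptions, and the sample dates are constructed.

```python
"""Reject passwords that are, or contain, the account holder's date of birth.

Added example (not from the article). It assumes the directory can supply
each account's date of birth; the formats checked are an assumed list.
"""
import re
from datetime import date


def birthdate_forms(dob):
    """Zero-padded digit renderings of a date: 8-digit and 6-digit, in the
    year-first, day-first and month-first orders people actually type."""
    yyyy = f"{dob.year:04d}"
    yy = f"{dob.year % 100:02d}"
    mm = f"{dob.month:02d}"
    dd = f"{dob.day:02d}"
    return {
        yyyy + mm + dd, dd + mm + yyyy, mm + dd + yyyy,   # 2010-03-15, 15/03/2010, 03/15/2010
        yy + mm + dd, dd + mm + yy, mm + dd + yy,         # 100315, 150310, 031510
    }


def password_uses_birthdate(password, dob):
    """True if the digits of the password (separators removed) contain the DOB.
    Only forms of at least six digits are checked, to avoid false positives on
    short numbers such as a graduation year."""
    digits = re.sub(r"\D", "", password)
    if not digits:
        return False
    return any(form in digits for form in birthdate_forms(dob))


def check_password(password, dob, min_length=10):
    """Return a list of policy failures (empty list means the password is accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password_uses_birthdate(password, dob):
        problems.append("contains the account holder's date of birth")
    return problems


if __name__ == "__main__":
    # Constructed sample: a student born 15 March 2010 (not a real person).
    dob = date(2010, 3, 15)
    for candidate in ("15/03/2010", "2010-03-15", "wolves031510", "Gr8Wolves!2023"):
        print(f"{candidate!r}: {check_password(candidate, dob) or 'ok'}")
```

The first three candidates are rejected because their digits contain the date of birth in day-first, year-first and month-first order; the last one passes because its only digits are a year that does not match any DOB rendering. The same hook is the place to add a breached-password lookup, which would catch other predictable choices beyond the one this story is about.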
A nasty piece of malware has been floating under the radar since 2016, according to researchers at Bitsight. The malware is behind a proxy botnet which Bitsight calls Socks5Systemz. A proxy botnet infects computers so a threat actor can use their IP addresses to mask malicious internet traffic. Those behind this particular botnet rent it out for between US$1 and US$4,000 in cryptocurrency, depending on how long a subscriber wants access. At least 53 servers in Europe have spread this botnet to 10,000 computers around the world. How are computers being infected? Probably by employees clicking on attachments or downloading unapproved software.
Trend Micro’s Zero Day Initiative has published news of four vulnerabilities found in Microsoft Exchange that Windows administrators should pay attention to. It is doing so because Microsoft says it doesn’t need to immediately address the vulnerabilities. Trend Micro disagrees. In response Microsoft told Bleeping Computer that Exchange administrators who applied August patches are protected against one of the vulnerabilities. The other three require an attacker to already have email credentials to exploit. In one of those three cases there is no evidence that the vulnerability can lead to an attacker gaining elevated access. In another Microsoft said there’s no evidence it can be leveraged to get sensitive customer information. Microsoft said it is evaluating the holes and may address them in the future in updates or patches.
Finally, are you worried about the security of an Android app you want from Google’s Play store? You might get some comfort from a new badge some apps may qualify for. If you look in the Data Safety section of the app’s listing it will soon say whether the app has passed an independent security review. If it has, there will be a badge symbol with a star in the middle. This doesn’t mean the app has no vulnerabilities. But it does mean the app meets security and privacy standards set by the Application Defense Alliance. Presumably, apps made by threat actors won’t want their code to be tested. Initially, only VPN apps are open to being tested. Honest Android developers will want to have this badge on their apps.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.