At a glance.
- Okta discloses a data exposure incident.
- Cisco works to fix zero-day.
- DPRK threat actors pose as IT workers.
- Five Eyes warn of AI-enabled Chinese espionage.
- Job posting as phishbait.
- The risk of first-party fraud.
- The Quasar RAT and DLL side-loading.
- Hacktivists trouble humanitarian organizations with nuisance attacks.
- Content moderation during wartime.
- Not content-moderation, but fact-checking.
- Cyberespionage at the ICC.
Okta discloses a data breach.
Identity and access management company Okta has disclosed a data breach affecting some of the company’s customers. The company stated, “The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.”
BeyondTrust, which discovered the breach, stated, “The incident was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by their customers. The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system. Custom policy controls blocked the attacker's initial activity, but limitations in Okta's security model allowed them to perform a few confined actions.”
KrebsOnSecurity notes that “it appears the hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion.” For more on this incident, see CyberWire Pro.
Cisco works to fix zero-day.
Cisco has disclosed a new zero-day vulnerability (CVE-2023-20273) that was used to deploy an implant on IOS XE devices already compromised via CVE-2023-20198, another zero-day the company disclosed last week, BleepingComputer reports. According to data from Censys, as of October 18th nearly 42,000 Cisco IOS XE devices were running the implant, though that number is steadily falling. Cisco said in an update on Friday that “[f]ixes for both CVE-2023-20198 and CVE-2023-20273 are estimated to be available on October 22.”
Cisco stated, “The CVE-2023-20198 vulnerability received the highest Common Vulnerability Scoring System (CVSS) score (10/critical). Successful exploitation allows the attacker to gain access to the device with full administrator privileges. After compromising the device, we observed the adversary exploit a second vulnerability (CVE-2023-20273), which affects another component of the Web UI feature, to install the implant. This allows the attacker to run arbitrary commands with elevated (root) privileges, thereby effectively taking full control of the device. In this particular attack, the actor then used the ability to run arbitrary commands to write the implant to the file system. CVE-2023-20273 has a CVSS score of 7.2 (high).”
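The two stages Cisco describes leave different traces: the first (full administrator access) shows up as a local account the operator did not create, the second as the implant answering on the web UI. The triage helpers below are an added example written for this page, not Cisco's, Talos's or Censys's code. They run offline on constructed sample data: the hostnames, usernames and configuration are made up, the 18-character hexadecimal token length is an assumption taken from the publicly described implant check (a POST to /webui/logoutconfirm.html?logon_hash=1 that returns a bare hex string when the implant is present), and the listener check reflects Cisco's published mitigation of disabling the HTTP Server feature with `no ip http server` / `no ip http secure-server`.

```python
"""Triage helpers for the Cisco IOS XE web UI exploitation described above.

Added example, not vendor code. Three checks, each exercised on constructed
sample data so the module runs without network or device access:

1. classify_implant_probe(): interprets the response to the published implant
   check (POST /webui/logoutconfirm.html?logon_hash=1). A bare hexadecimal
   token in the body indicates the implant; the 18-character length is an
   assumption. A non-token response does NOT prove the device is clean.
2. unexpected_priv15_users(): parses `show running-config | include username`
   style lines and flags privilege-15 accounts outside an operator allowlist,
   the footprint of the first-stage administrator access.
3. web_ui_listeners(): reports whether the HTTP/HTTPS server feature (the
   attack surface for both CVEs) is still enabled in the running config.
"""
import re
from typing import Dict, Iterable, List, Set

IMPLANT_CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{18}$")  # assumed token shape
WEB_UI_LINES = ("ip http server", "ip http secure-server")


def implant_check_url(host: str, port: int = 443) -> str:
    """Build the probe URL; the check is an unauthenticated POST to this path."""
    scheme = "https" if port == 443 else "http"
    return f"{scheme}://{host}:{port}{IMPLANT_CHECK_PATH}"


def classify_implant_probe(status: int, body: str) -> str:
    """Return 'implant-present' for a bare hex token, otherwise 'no-token'."""
    if status == 200 and HEX_TOKEN.fullmatch(body.strip()):
        return "implant-present"
    return "no-token"


def _local_users(config: str) -> Dict[str, int]:
    """Map local username -> privilege level (IOS default is 1)."""
    users: Dict[str, int] = {}
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 2 or tokens[0] != "username":
            continue
        level = 1
        if "privilege" in tokens:
            idx = tokens.index("privilege")
            if idx + 1 < len(tokens) and tokens[idx + 1].isdigit():
                level = int(tokens[idx + 1])
        users[tokens[1]] = level
    return users


def unexpected_priv15_users(config: str, expected_admins: Iterable[str]) -> List[str]:
    """Privilege-15 accounts that the operator did not expect, sorted."""
    allowed: Set[str] = set(expected_admins)
    return sorted(u for u, lvl in _local_users(config).items()
                  if lvl == 15 and u not in allowed)


def web_ui_listeners(config: str) -> List[str]:
    """Exact 'ip http server' / 'ip http secure-server' lines still enabled.

    Lines prefixed with 'no ' are disabled and deliberately not matched.
    """
    enabled = {line.strip() for line in config.splitlines()}
    return [l for l in WEB_UI_LINES if l in enabled]


def triage_device(status: int, body: str, config: str,
                  expected_admins: Iterable[str]) -> Dict[str, object]:
    """Combine the three checks into one finding record for a device."""
    return {
        "implant": classify_implant_probe(status, body),
        "unexpected_admins": unexpected_priv15_users(config, expected_admins),
        "web_ui_enabled": web_ui_listeners(config),
    }


# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructedhash
username svc_backup privilege 15 secret 9 $9$constructedhash
username readonly privilege 1 secret 9 $9$constructedhash
username monitor secret 9 $9$constructedhash
!
ip http server
ip http secure-server
ip http authentication local
!
"""

if __name__ == "__main__":
    # Constructed probe response: a bare hex token, as the implant would return.
    print(triage_device(200, "0123456789abcdef01\n", SAMPLE_CONFIG, {"netops"}))
```

Run the probe yourself only against devices you are authorized to test, and treat "no-token" as inconclusive: the configuration checks are the durable signal, and an internet-facing device with the web UI enabled should have it disabled regardless of what the probe returns.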