Cyber Threat Intelligence Briefing - December 4, 2023
The PacketWatch Intelligence Team: Dec 4, 2023 12:04:16 PM
Welcome back to another week of Cyber Threat Intelligence (CTI). This week's report highlights the recent Okta breach, Google Ads being used to promote malicious 7-zip installers, and a vulnerability roundup.
We've also enriched our original threat intelligence report to include resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.
Okta Breach Fallout
In early November, Okta disclosed that a threat actor had gained access to its customer support system.
In the initial disclosure, Okta stated that only about 1% of its customers were affected. Last week, however, Okta amended that report, stating it had found evidence that the threat actor accessed and downloaded a report containing the "names and email addresses of all Okta customer support system users".
While the downloaded report contains fields for a range of data points, including full name, email, company name, address, last password change/reset date, role, phone number, mobile number, SAML Federation ID, and more, Okta emphasizes that 99.6% of the users listed in the report only had a small subset of this information listed, i.e. full name and email address.
Importantly, no credentials were exposed. While this data cannot be used to gain unauthorized access to a client network directly, the data could be leveraged in phishing attacks.
In their statement, Okta recommends the following best practices to protect against potential attacks:
Multi-factor Authentication (MFA)
It is strongly recommended that MFA is implemented for administrative access at a minimum. It is also strongly encouraged that admin users leverage phishing-resistant MFA, such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards.
Admin Session Binding
Okta has released an optional security feature that requires admins to reauthenticate if their session is reused from an IP address with a different ASN (Autonomous System Number). It is strongly encouraged that this feature is enabled.
Admin Session Timeout
Okta has rolled out a setting that will set the Admin Console timeout default to a 12-hour session duration and a 15-minute idle time. This feature will be rolled out to all production organizations on January 8, 2024.
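The two session controls described above (reauthentication when a session is reused from a different ASN, plus a 12-hour absolute lifetime and a 15-minute idle timeout) are easy to misorder or to fail open. The following is an added example written for this briefing, not Okta's code, showing one way to evaluate an admin session against all three rules; the prefix-to-ASN table and the session records are constructed for the example, and an IP whose ASN cannot be resolved is treated as a mismatch so the check fails closed.

```python
"""Admin-session policy check (added example, not Okta's implementation).

Models three controls: ASN binding, a 12-hour absolute session lifetime,
and a 15-minute idle timeout. Times are seconds since an arbitrary epoch.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

ABSOLUTE_LIFETIME_S = 12 * 60 * 60   # 12-hour session duration
IDLE_TIMEOUT_S = 15 * 60             # 15-minute idle time

# Constructed prefix -> ASN table standing in for a real IP-to-ASN feed.
ASN_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64501,
}


def lookup_asn(ip: str) -> Optional[int]:
    """Return the ASN that announces `ip`, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None


@dataclass
class AdminSession:
    created_at: float      # when the admin last completed a full login
    last_seen_at: float    # last request accepted on this session
    bound_asn: Optional[int]  # ASN recorded at login time


def evaluate(session: AdminSession, client_ip: str, now: float) -> str:
    """Return 'ok' if the request may proceed, else a reason to force reauthentication.

    Absolute lifetime is checked before idle time so an old session is never
    refreshed by activity; the ASN check runs last and fails closed on an
    unresolvable address.
    """
    if now - session.created_at > ABSOLUTE_LIFETIME_S:
        return "reauth:absolute_timeout"
    if now - session.last_seen_at > IDLE_TIMEOUT_S:
        return "reauth:idle_timeout"
    asn = lookup_asn(client_ip)
    if asn is None or asn != session.bound_asn:
        return "reauth:asn_changed"
    session.last_seen_at = now   # activity extends the idle window only
    return "ok"


if __name__ == "__main__":
    s = AdminSession(created_at=0, last_seen_at=0, bound_asn=64500)
    print(evaluate(s, "198.51.100.7", 60))    # ok: same ASN, within limits
    print(evaluate(s, "203.0.113.9", 120))    # reauth:asn_changed
```

Note that the session is only refreshed after every check passes; a request that fails the ASN check must not update last_seen_at, or an attacker replaying a stolen session could keep it alive while being repeatedly challenged.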
Phishing Awareness
As with all phishing threats, user awareness training is one of the key pieces to thwarting these attacks. Okta recommends customers review their IT Help Desk verification processes to ensure that proper validation is performed before completing tasks such as a password or MFA reset, especially on privileged accounts.
Google Ads Deliver Fake 7-zip Installer
During a recent investigation into an endpoint detection alert, PacketWatch discovered newly created infrastructure being used to deliver fake 7-zip installers.
The investigation showed the user ran a Google search for 7-zip and clicked an advertisement that took them to a newly registered website, zipiziper[.]com. Execution of the downloaded file then triggered the EDR alert.
While several AV vendors flagged the file as malicious, the sandbox behavior of the file gave little indication as to the type of malware this was.
Upon further investigation, the user Luke Acha on X found that the content of the zipiziper site closely matched another suspicious page, pdfconvertercompare[.]com, which had been flagged as distributing the Redline infostealer.
This investigation reinforces a trend growing in 2023, where threat actors purchase legitimate ads on search engines to promote benign-looking webpages that host downloads for common utilities such as 7-zip, WinSCP, and more.
The best way to combat this threat is to have a central local repository of pre-approved software. If this cannot be accomplished, users should be educated to download and install software only from the official software vendor websites.
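As an added example for the control recommended above (not PacketWatch's code or tooling), the following gate checks a downloaded installer against a catalog of pre-approved software before it may run, falling back to an official-host allowlist only when the file is not in the catalog. The approved hashes, the host list and the sample downloads are constructed for the example; the approved digest is computed from placeholder bytes, not from a real 7-zip release.

```python
"""Installer admission check (added example, not PacketWatch's code).

Order of checks:
  1. SHA-256 in the pre-approved catalog  -> allow (the central-repository control)
  2. download host not an official vendor -> block (catches lookalike ad domains)
  3. official host but unknown hash        -> block until the catalog is updated
"""
import hashlib
from urllib.parse import urlparse

# Constructed allowlist of official download hosts per utility.
APPROVED_HOSTS = {
    "7-zip": {"7-zip.org", "www.7-zip.org"},
    "winscp": {"winscp.net"},
}

# Constructed stand-in for the approved installer bytes (NOT a real 7-zip build).
APPROVED_7ZIP_BYTES = b"constructed placeholder for an approved 7-zip installer"

# Catalog of pre-approved installers: sha256 hex -> (utility, version label).
APPROVED_SHA256 = {
    hashlib.sha256(APPROVED_7ZIP_BYTES).hexdigest(): ("7-zip", "constructed-23.01"),
}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'zipiziper[.]com' back into a hostname."""
    return domain.replace("[.]", ".")


def host_is_official(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host in hosts for hosts in APPROVED_HOSTS.values())


def check_download(url: str, content: bytes) -> str:
    """Return an 'allow:...' or 'block:...' verdict for a downloaded installer."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in APPROVED_SHA256:
        utility, version = APPROVED_SHA256[digest]
        return f"allow:approved_hash:{utility}:{version}"
    host = urlparse(url).hostname or ""
    if not host_is_official(host):
        return f"block:host_not_approved:{host}"
    return "block:unknown_hash"


if __name__ == "__main__":
    # Constructed events modelled on the incident above.
    print(check_download("https://" + refang("zipiziper[.]com") + "/7z2301-x64.exe", b"not the real thing"))
    print(check_download("https://www.7-zip.org/a/7z2301-x64.exe", APPROVED_7ZIP_BYTES))
```

The hash check comes first because the catalog is the actual control: a file that matches a pre-approved digest is the same bytes the repository would have served. The host check exists only to give a clearer reason when an unapproved file arrives from an ad-promoted lookalike domain; it is not a substitute for the catalog, since attackers register fresh domains faster than any blocklist is updated.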
Vulnerability Roundup
PacketWatch has compiled a list of relevant vulnerabilities for our clients and readers.
For additional CVE insight, visit SOCRadar Vulnerability Intelligence for more details on CVEs, including a description, CVSSv3 details, news links, and available PoCs and exploits.
Multiple Critical Vulnerabilities in Zyxel NAS
Zyxel recently addressed multiple security issues in its NAS devices, which are commonly used by small and medium-sized businesses.
Among the vulnerabilities addressed are three critical flaws that allow unauthenticated remote code execution: CVE-2023-35138, CVE-2023-4473, and CVE-2023-4474. Per the advisory, NAS326 devices running version V5.21(AAZF.14)C0 and earlier, and NAS542 devices running V5.21(ABAG.11)C0 and earlier, are vulnerable. Administrators are urged to patch immediately.
Apple 0-Day Fixes
Apple recently released an emergency security update for two new 0-day flaws discovered in its WebKit browser engine.
The vulnerabilities, CVE-2023-42916 and CVE-2023-42917, discovered by Clément Lecigne of Google's Threat Analysis Group, can allow attackers to gain access to sensitive information on the device and achieve arbitrary code execution.
The vulnerabilities affect iOS versions before 16.7.1. As these vulnerabilities are being actively exploited in the wild, users are urged to update their iOS devices to version 17.1.2 and macOS Sonoma 14.1.2 as soon as possible.
Google Chrome 0-day
Google released a security update for the Chrome browser that addresses seven vulnerabilities, including a 0-day that is being actively exploited in the wild. The 0-day, CVE-2023-6345, discovered by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group, is an integer overflow vulnerability in the open source 2D graphics library Skia. Users are recommended to update their browsers to the latest versions, 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux, as soon as possible.
ownCloud RCE Under Active Exploitation
ownCloud recently released details of multiple critical vulnerabilities affecting its products. Most notable is CVE-2023-49103, a critical vulnerability with a CVSS v3 score of 10.0.
The vulnerability impacts the third-party graphapi library, versions 0.2.0 through 0.3.0.
Successful exploitation exposes environment variables, including admin passwords, mail server credentials, and license keys. No direct patch is available.
To mitigate this vulnerability, the vendor recommends deleting the file 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php', disabling the phpinfo() function within the Docker container, and, out of caution, changing the ownCloud admin password, mail server credentials, database credentials, and the Object-Store/S3 access key. This vulnerability is under active exploitation.
A second critical vulnerability is an authentication bypass issue. It affects ownCloud core library versions 10.6.0 to 10.13.0.
Attackers can access, modify, or delete any file without authentication if the victim's username is known and the victim has not configured a signing key (which is the default).
The vendor solution is to "deny the use of pre-signed URLs if no signing-key is configured for the owner of the files".
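The two ownCloud issues above each come with conditions that an administrator has to verify by hand: a library version inside an affected range, a leftover test file, phpinfo() still enabled, and a missing signing key. The following is an added audit helper written for this briefing (not ownCloud's tooling) that turns those conditions into findings. The affected ranges and the file path are taken from the advisory text above; the install root, version strings and the demo directory tree are constructed for the example, and the stand-in GetPhpInfo.php it writes is a placeholder, not the real file.

```python
"""ownCloud exposure audit (added example, not ownCloud's own code).

Checks the conditions stated in the advisory text:
  - graphapi 0.2.0 .. 0.3.0 with GetPhpInfo.php present / phpinfo() enabled (CVE-2023-49103)
  - core 10.6.0 .. 10.13.0 with no signing key configured (pre-signed URL bypass)
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

GRAPHAPI_AFFECTED = ((0, 2, 0), (0, 3, 0))      # inclusive range from the advisory
CORE_AFFECTED = ((10, 6, 0), (10, 13, 0))        # inclusive range from the advisory
# Path from the vendor mitigation, relative to the ownCloud install root.
PHPINFO_TEST_FILE = Path("apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php")


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.13.0' -> (10, 13, 0); a suffix like '0.3.0-rc1' keeps only the numeric parts."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def in_range(version: str, bounds: Tuple[Tuple[int, ...], Tuple[int, ...]]) -> bool:
    lo, hi = bounds
    v = parse_version(version)
    # Pad to three components so '0.3' compares like '0.3.0'.
    v = v + (0,) * (3 - len(v))
    return lo <= v <= hi


def audit(install_root: str, graphapi_version: str, core_version: str,
          signing_key_configured: bool, phpinfo_disabled: bool) -> List[str]:
    """Return a list of findings; an empty list means none of the stated conditions hold."""
    findings = []
    root = Path(install_root)
    if in_range(graphapi_version, GRAPHAPI_AFFECTED):
        findings.append(f"CVE-2023-49103: graphapi {graphapi_version} is in the affected range 0.2.0-0.3.0")
        if (root / PHPINFO_TEST_FILE).exists():
            findings.append(f"CVE-2023-49103: {PHPINFO_TEST_FILE} still present; vendor says delete it")
        if not phpinfo_disabled:
            findings.append("CVE-2023-49103: phpinfo() not disabled in the container")
    if in_range(core_version, CORE_AFFECTED) and not signing_key_configured:
        findings.append(f"pre-signed URL bypass: core {core_version} in 10.6.0-10.13.0 and no signing key configured")
    return findings


def demo() -> List[str]:
    """Constructed scenario: an unpatched install with the test file still on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / PHPINFO_TEST_FILE
        target.parent.mkdir(parents=True)
        target.write_text("<?php /* constructed stand-in, not the real file */ phpinfo();")
        return audit(tmp, "0.2.2", "10.12.0", signing_key_configured=False, phpinfo_disabled=False)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Deleting the test file alone leaves the phpinfo() finding open, and a signing key only matters while core is in the affected range; running the audit after each mitigation step shows which findings actually closed.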
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you are interested in personalized threat intel, contact us today to learn about our enterprise threat intelligence services.
Disclaimer
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.