Take a look at this week's Cyber Weekly Digest for a run down of our top cyber security news picks of the week. In this release, we take a look at how Okta's support system was breached, as well as at the Iranian threat group that maintained access to a compromised Middle Eastern government's devices for 8 months. Keep reading to stay up to date on the latest cyber security news.
This week, Okta says attackers accessed files containing cookies and session tokens uploaded by customers to its support management system after breaching it using stolen credentials. The threat actor was able to view files uploaded by specific Okta customers as part of recent support cases. The support system is entirely separate from Okta's production service, which has not been impacted. Okta notified all customers whose Okta environment or support tickets were impacted by the incident; those who haven't received an alert are not affected. Interestingly, two security vendors that are Okta customers, Cloudflare and BeyondTrust, were among those impacted, and both have been investigating the incident.
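The root of the exposure above is that diagnostic files handed to a support desk carried live cookies and session tokens. The following is an added example, not Okta's tooling or anything from the digest, of scrubbing that material before upload. It assumes the uploaded files are HTTP Archive (HAR) captures (an assumption; the digest only says the files contained cookies and session tokens), redacts the standard credential-bearing headers plus every cookie value, and provides a check that a sanitised file carries none of them. The sample capture is constructed.

```python
"""Redact session material from a HAR capture before it leaves the tenant.

Added example; not Okta's code. Assumes support-ticket attachments are HAR
captures (assumption). The header names are standard HTTP; the sample entry
below is constructed, not a real capture.
"""
import copy
import json

# Headers that carry credentials or session state; the name is kept, the value is dropped.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def _parts(har):
    """Yield every request/response object in the archive."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            yield entry.get(side, {})


def sanitize_har(har):
    """Return (copy of `har` with session material redacted, number of values redacted).

    The policy is fail-closed: every cookie value is redacted, not only ones whose
    name looks like a session id, so an unusually named token cannot slip through.
    """
    clean = copy.deepcopy(har)
    redactions = 0
    for part in _parts(clean):
        for header in part.get("headers", []):
            if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                header["value"] = REDACTED
                redactions += 1
        for cookie in part.get("cookies", []):
            if cookie.get("value") != REDACTED:
                cookie["value"] = REDACTED
                redactions += 1
    return clean, redactions


def leaks_session_material(har):
    """True if any sensitive header or cookie still carries a non-redacted value."""
    for part in _parts(har):
        for header in part.get("headers", []):
            if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                return True
        for cookie in part.get("cookies", []):
            if cookie.get("value") != REDACTED:
                return True
    return False


# Constructed sample: one API call authenticated with a session cookie and a bearer token.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://tenant.example.invalid/api/v1/users/me",
                    "headers": [
                        {"name": "Accept", "value": "application/json"},
                        {"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-ID"},
                        {"name": "Authorization", "value": "Bearer CONSTRUCTED-TOKEN"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-ID"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=CONSTRUCTED-NEW-ID; HttpOnly; Secure"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED-NEW-ID"}],
                },
            }
        ],
    }
}

if __name__ == "__main__":
    cleaned, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} values; still leaking: {leaks_session_material(cleaned)}")
    print(json.dumps(cleaned, indent=2))
```

Redacting all cookie values rather than pattern-matching names is deliberate: a support engineer rarely needs the cookie contents to debug a request flow, and a name-based allow-list is exactly where a token slips through. Run `leaks_session_material` as a gate in whatever tool produces the attachment so an unscrubbed capture cannot be uploaded at all.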
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is tracked as CVE-2023-20198 and has a maximum severity rating of 10.0 on the CVSS scoring system. This vulnerability allows a remote, unauthenticated attacker to create an account with privilege level 15 access on an affected system. The vulnerability only affects enterprise networking gear with the web UI feature enabled and exposed to the internet or to untrusted networks. The problem impacts physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS server feature enabled. As a mitigation, disabling the HTTP server feature on internet-facing systems is recommended.
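Because the exposure condition is a configuration state (HTTP or HTTPS server enabled), it can be audited from a saved running-config. The script below is an added example, not Cisco tooling or part of the original digest: it scans `show running-config` output for the `ip http server` and `ip http secure-server` lines that enable the web UI, reports whether an `ip http access-class` restriction is present, and emits the corresponding `no ip http server` / `no ip http secure-server` lines (standard IOS commands) as the remediation the digest describes. The sample config is constructed.

```python
"""Audit an IOS XE running-config for an exposed web UI and produce the hardening lines.

Added example; not Cisco's tooling. Reads `show running-config` text. The
enable/disable commands are standard IOS global configuration commands; the
sample config below is constructed.
"""
import re

# Global config lines that turn the HTTP and HTTPS server (and so the web UI) on or off.
HTTP_ENABLE = re.compile(r"^ip http server$")
HTTPS_ENABLE = re.compile(r"^ip http secure-server$")
HTTP_DISABLE = re.compile(r"^no ip http server$")
HTTPS_DISABLE = re.compile(r"^no ip http secure-server$")
# An access-class limits which sources may reach the web server; it is a partial control only.
ACCESS_CLASS = re.compile(r"^ip http access-class\b")


def audit_web_ui(running_config):
    """Return exposure state and the CLI lines that would disable the web UI."""
    http = https = restricted = False
    for raw in running_config.splitlines():
        line = raw.strip()
        if HTTP_ENABLE.match(line):
            http = True
        elif HTTP_DISABLE.match(line):
            http = False
        elif HTTPS_ENABLE.match(line):
            https = True
        elif HTTPS_DISABLE.match(line):
            https = False
        elif ACCESS_CLASS.match(line):
            restricted = True
    remediation = []
    if http:
        remediation.append("no ip http server")
    if https:
        remediation.append("no ip http secure-server")
    return {
        "http": http,
        "https": https,
        "access_class_present": restricted,
        "web_ui_exposed": http or https,
        "remediation": remediation,
    }


def harden(running_config):
    """Return the config text with each web-server enable line replaced by its `no` form."""
    out = []
    for raw in running_config.splitlines():
        line = raw.strip()
        if HTTP_ENABLE.match(line) or HTTPS_ENABLE.match(line):
            out.append("no " + line)
        else:
            out.append(raw)
    return "\n".join(out) + ("\n" if running_config.endswith("\n") else "")


# Constructed sample running-config: internet-facing edge device with the web UI left on.
SAMPLE_CONFIG = """\
!
hostname edge-router-1
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 description CONSTRUCTED uplink
 ip address 192.0.2.1 255.255.255.0
!
"""

if __name__ == "__main__":
    report = audit_web_ui(SAMPLE_CONFIG)
    print(report)
    if report["web_ui_exposed"]:
        print("apply in global configuration mode:")
        for cmd in report["remediation"]:
            print("  " + cmd)
```

The audit treats an `ip http access-class` line as informational rather than as a fix: the digest's recommendation for internet-facing devices is to disable the HTTP server feature outright, and the generated `no ip http ...` lines do that. Run `harden()` over the exported config to produce the candidate change, then re-run `audit_web_ui()` on the result as the acceptance check before pushing it.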
Global law enforcement seized infrastructure and arrested a suspected key member of the Ragnar Locker group. The individual was arrested in Paris last Monday and has already been brought before the examining magistrates of the Paris Judicial Court. Five other suspects were interviewed by officers in Spain and Latvia. Ragnar Locker infrastructure was seized in the Netherlands, Germany and Sweden, and the group's data leak website on Tor was taken down in Sweden. Ragnar Locker has been active since 2019 and is known for its double-extortion techniques, with its recent victims including a Portuguese airline.
The Iranian threat group known as OilRig breached at least twelve computers belonging to a Middle Eastern government network and maintained access for eight months, between February and September 2023. Investigators found the attacks were used to steal passwords and data and to install a PowerShell backdoor dubbed 'PowerExchange', which accepted commands for execution via Microsoft Exchange. OilRig uses tools, scripts, and techniques to expand access and maintain persistence across multiple systems in a compromised network. The first device was compromised in February, beginning with the introduction of a PowerShell script (joper.ps1) which ran multiple times over the first week.
Japanese electronics manufacturer Casio disclosed a data breach impacting customers from 149 countries after hackers gained access to the servers of its ClassPad education platform. Casio detected the breach two weeks ago following the failure of a ClassPad database within the company's development environment. Evidence suggests that the attacker accessed customers' personal information a day later. The exposed data includes customer names, email addresses, countries of residence, service usage details, and purchase information such as payment methods, license codes, and order specifics.