Cyber Round-up for 25th March
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week and year to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
President Joe Biden has warned of the growing cyber threat posed by Russia and stated that the US are prepared to use “every tool to prevent and respond to such a move”. Biden suspects that Moscow may launch cyber attacks in response to the sanctions set following the invasion of Ukraine; as a result, all US companies have been advised to “accelerate efforts to lock their digital doors”. So far, intelligence has very accurately predicted the movements and actions of Russia, so this statement could indicate that large scale cyber attacks are imminent.
Earlier this month, a HubSpot employee account was compromised, which led to the attacker extracting data from a number of customer portals. The owners of the compromised portals have all been notified by HubSpot, who also stated how seriously they take the security and privacy of their customer’s data. Investigations are still ongoing, but more details, as well as frequently asked questions, can be found here in the meantime. If you are concerned customer, or seeking guidance following the compromise, we advise visiting this page to learn more.
Lapsus$ has recently emerged as one of the most active data extortion groups around and has taken credit for a number of impactful cyber attacks this year, including NVIDIA, Samsung, Ubisoft and more. This time, the group claims to have come into possession of source code for Bing, Cortana, and many other Microsoft projects. This was all supposedly found after gaining access to Microsoft’s Azure DevOps server. Lapsus$ have posted a 9GB 7zip archive online but is expected to be in possession of approximately 37GB of stolen data. Not much is known about the group, but they have made a name for themselves following a string of high-profile attacks. We expect to see much more activity from them in the near future.
Many customers are unhappy with Okta’s lack of urgency in revealing this data breach. The breach occurred back in January, and reports suggest that Okta were made aware of it a few weeks later; despite this, customers are just now finding out about the incident. If this delay wasn’t bad enough, it wasn’t until hacker group Lapsus$ claimed responsibility and posted evidence of the breach that Okta issued a statement. The breach occurred through the compromise of a third party customer support provider, and while it appears the breach was contained, it is still unacceptable that customers were kept in the dark.
Okta are confident that there is “no longer a security risk” and believe the hack wasn’t impactful. Despite this, security professionals are “outraged by the lack of disclosure from Okta”. Even the CEO of Cloudflare has claimed he is looking into alternatives for their single sign-on needs.
The situation continues to evolve; Okta’s investigation continues and with lots of customers resetting credentials for their users, we should watch this space.
Google’s Threat Analysis Group recently uncovered an Initial Access Broker who appears to be working closely with the Russian group responsible for the Conti and Diavol ransomware attacks. The broker, known as Exotic Lily, is now actively exploiting a critical vulnerability in the Windows MSHTML platform and is utilising the exploit in a recent string of phishing campaigns. These campaigns reportedly send 5,000 scam emails a day, targeting more than 600 organisations around the world.
Vulnerabilities & Updates
Sophos recently released a patch for a critical vulnerability in the all-in-one Universal Threat Management appliances. This SQL injection flaw exists in the Mail Manager component of the UTM appliance and could allow an attacker to execute arbitrary code on the target device. Users are advised to upgrade to version 9.710 to ensure they are protected against exploitation of this vulnerability. In this same update, a few other important flaws received fixes.
In this same update, a few other important flaws received fixes. More details on these can be found here.
HP’s latest security advisory covers three critical vulnerabilities affecting hundreds of different printer models, including LaserJet Pro, Pagewide Pro, OfficeJet and more. Exploitation of these flaws could allow a remote attacker to execute arbitrary code on the target device. We advise all owners of HP printers to upgrade to the latest firmware version.
For more details on these flaws and the affected versions, see the official HP advisory here.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #183 – 25th March 2022
Why not follow us on social media:
Ironshare – Security Simplified