Check For Compromised Okta IDs and Your Use of HAR Files; BHI Energy Compromise Another Reason to Use MFA for All Remote Access; Patch Citrix NetScaler ASAP

Any organization outsourcing identity must establish a plan to detect compromise of the outsourced identity function. You must not rely solely on the service provider to detect compromise. Do not outsource identity management if you do not have a detection plan in place.

Johannes Ullrich

An important point to note is that this breach was discovered and reported to Okta by its customers and not by Okta itself. As we rely more and more on third-party providers for key services, we need to ensure our detection and incident response capabilities can deal with a breach in those third parties and that your security doesn’t stop with a list of security questions sent to the vendor as part of the initial engagement.

Brian Honan

Ironic that Okta’s marketing tag line is “Everything starts with Identity” and they were compromised by a stolen identity credential. This incident is a good reason to check if your support systems or processes are using HTTP Archive files that may expose sensitive information or credentials.

John Pescatore

When you're gathering data for a support ticket, be aware of sensitive data included in that data. Consider redacting, or better still not gathering in the first place, data they don't need, particularly sensitive data like session tokens/etc. Ask where your information is stored, for how long, and who can access it. Have conversations about what data you do and don't want to share with system admins and/or users before a ticket ever gets filed. Assist when needed to help only gather what's needed.

Lee Neely

Since the compromised third party contractor account was used on a VPN connection to BHI’s internal network, this seems to be another use of reusable credentials on remote access systems - a violation of just about every compliance regime out there. This means either audits of BHI security were never done, were done badly or were done well and the audit results were ignored.

John Pescatore

Of note here, BHI's cloud backup was not impacted by the ransomware, allowing them to recover systems without paying ransom once the threat actor was ejected from their network. Further, they expedited other projects such as implementing MFA, EDR as well as decommissioning of legacy and unused systems. Those are projects you should look at now, before your back is against the wall.

Lee Neely

Better late than never but the lesson for the rest of us is to lock the barn before the horse is stolen. Reusable credentials are implicated in nine out of ten breaches. Strong authentication is the single most essential and efficient measure that we have. Properly chosen and implemented, it can be even more convenient than passwords. Oh, and while I think about it, terminate VPNs on the application, not on the operating system, not on the network perimeter, not on an internet proxy.

William Hugh Murray

The two flaws here - CVE-2023-4966, a buffer overflow flaw, which can result in sensitive information disclosure with a CVSS score of 9.4 and CVE-2023-4967, a denial-of-service flaw, with a CVSS score of 8.2 make an attractive target. Essentially in under two weeks the announced vulnerability is being actively exploited. While the exploit only works on NetScaler ADC and NetScaler Gateways setup as gateways, or AAA virtual servers, you need to apply the update as they still contain the vulnerable code, even if not in the vulnerable configuration, assume threat actors are working to exploit the flaws in the non-gateway/AAA configured devices. This flaw is in CISA's KVE catalog with a due date of November 8th and guidance to apply the mitigation (update) or discontinue use of the product.

Lee Neely

I just got a copy from a public repository for several CVEs relating to this equipment from this year alone. The first one appears to be an overflow condition that allows you to perform command injection when done. This would presumably allow for control of the ADC and gain access to your network. The second is an overflow that allows for memory reading. With this bug, you can read cookies and take over sessions. This is the one that Citrix is talking about being exploited. For those that have memory of this, if you recall, Juniper SSL VPN had a similar issue, and several significant breaches came from this, including Community Health Services.

Moses Frost

This issue has been exploited by multiple groups. Be careful and as you apply patches assume the device is already compromised, possibly multiple times.

Johannes Ullrich

If you have Cisco IOS XE, patch it. Even if you've mitigated the risk by disabling the Web UI or limiting access to that service, you need to update the flawed code running on your device. If you haven't applied the mitigations, get on it, you don't want management interfaces exposed to the Internet (ever) and internally limit access to reduce the risks from insiders as well as compromised systems.

Lee Neely

We are weeks into this being a known vulnerability, and that the number of owned devices is still this high is concerning. Let’s start with what we know: 37,000 Cisco IOS XE Devices have their Web UI on the internet. I am still befuddled as to why this is even a thing outside of a default configuration, ease of administration, or a set of providers with bad practices. How do we tell these companies what’s occurred? Do we call the ISP? Does the ISP call them?

Moses Frost

Now we begin the second leg of the exploit race – updating and monitoring for compromise. What’s even more interesting is the fact that two zero-day vulnerabilities were chained together for this exploit. Given the ‘cost’ in using a zero-day, the perpetrator definitely had a specific target, or targets, in mind.

Curtis Dukes

CVE-2023-35180, CVD-2023-35184 and CVE-2023-35186 can be abused for remote code execution, while CVE-2023-35181 and CVE-2023-35813 allow local users to perform privilege escalation. The final (most severe) three, CVE-2023-35182, CVE-2023-35185 and CVE-2023-35187, allow RCE due to improper validation for the methods createGlobalServerChannelInternal, OpenFile, and OpenClientUpdateFile, respectively, allow that SYSTEM level code execution. The vulnerabilities are fixed in ARM version 2023.2.1. The process, check system requirements, prepare system for update, install the updated packages, seems pretty simple, but make sure you follow the steps in the preflight guide for a smooth update. Given that this is SolarWinds, assume threat actors are going to smell blood in the water going after these.

Lee Neely

One use-case the report suggests considering is that encrypted data is being gathered today in hopes of using quantum computers to decrypt it later. While some data value diminishes over time, other data, PII, biometrics, likely does not. Those recommendations are prudent for any sector. Be aware of the technology, monitor, experiment and familiarize yourself. Where you're using cryptography, be ready to adopt quantum resistant alternatives when they become available. Don't panic.

Lee Neely

The chief concern with quantum computing remains its use in ‘cracking’ encrypted communications, in transit and stored. Law enforcement is not going to solve that problem, cryptologists will. Otherwise, a mildly interesting report.

Curtis Dukes

To file a claim, customers must call the AmFam help desk. Bill due dates are being extended until systems are back online. If you're delaying that payment, don't forget to watch for the window to re-open. While this appears to be a ransomware attack, it's not yet clear if extortion over exfiltrated data is also in play. This, so far, is looking like a good case study to model your ransomware response on.

Lee Neely

It proves that everyone is a target of ransomware gangs, even large, well-resourced companies. In order to minimize impact to business operations, organizations should conduct tabletop exercises as part of disaster recovery planning.

Curtis Dukes

While the ICC has taken steps to increase their security posture, they are being decidedly vague about that, except that like BHI above, they are accelerating planned security projects. If you've got some projects waiting in the wings, pick one and work to get it adopted sooner than later.

Lee Neely

As of October 23rd, it appears all systems are 100% operational, and patients are no longer being diverted. The only hiccup was difficulty in communicating with local residents as initial claims that healthcare was not impacted turned out to be untrue. A key part of your response plan has to be communication. Timely, accurate and honest, ideally, delivered through the channels you regularly use to reach customers. Update it at least daily.

Lee Neely

This may not be as big of a deal as it appears. Voter roll data is often shared with parties and candidates. In some states, the data is public.

Johannes Ullrich

To be clear, the third-party provider, DataNet, not DCBOE, was compromised. DCBOE has engaged Mandiant to help with the investigation, and is working with DHS, the FBI and OCTO on assessing the situation. The data impacted appeared to belong to at least 4,000 people who had their voter records between August 9, 2019, and January 25, 2022, leaked. These records contained data collected in DCBOE's canvass process which is conducted every odd year to ensure the voter roll is up to date. When you annually verify the protections at your third-party service providers, verify they are well equipped to respond to a data loss incident, to include exercises.

Lee Neely