
This Month in Cyber Security: November 2023

Another month, another batch of news stories to digest! To summarise the events of November: Okta faces another data breach, three new vulnerabilities hit the headlines, the British Library faces a £600,000 ransomware payment, Google Ads take a turn for the dark, and much more.

But on a lighter note, TryHackMe just celebrated its 5th birthday, reached 2.5 million users, and Advent of Cyber is coming to our screens in just a few days! 😉

Okta discloses another new data breach

On the 2nd of November, Okta (who suffered an attack just last month) disclosed a new data breach after a third-party vendor, Rightway Healthcare, was hacked.

This time, 4,961 employees were warned that their personal data was exposed as a result of the data breach. According to the data breach notification, Rightway Healthcare notified Okta of an unauthorised actor gaining access to an eligibility census file maintained by the provider in its provision of services to Okta.

Okta is now offering all impacted employees access to 24 months of complimentary credit monitoring, identity restoration, and fraud detection services.

Cyber criminals demand £600,000 ransom for stolen British Library data

On the 21st of November, it was announced the British Library had been targeted in recent weeks by a group of hackers known as Rhysida Group.

Rhysida has since demanded 20 Bitcoin (calculated at around £602,500) for the return of the stolen data, which includes financial information and employee passport scans. In addition, the ransomware group have restricted the British Library’s access to its own IT systems and brought down the library’s website, online systems and book ordering.

The hacking group’s online listing for the library data reads: “With just seven days on the clock, seize the opportunity to bid on exclusive, unique and impressive data. Open your wallets and be ready to buy exclusive data.”

Possibly fatal Kubernetes vulnerability gives administrator access

A new high-severity vulnerability, CVE-2023-5528, has been identified in Kubernetes for Windows.

This vulnerability, with a severity rating of 7.8, affects Windows nodes in Kubernetes, in-tree storage plugins, the Container Storage Interface (CSI) driver, and persistent volumes.

It was reported by Jimmy Mesta of KSOC and stems from the developmental lag of Windows Nodes in Kubernetes compared to their Linux counterparts.

The issue is exacerbated by differences in how Linux and Windows handle permissions. The vulnerability arises when in-tree storage plugins for Windows Nodes lack proper input sanitisation, potentially allowing users to gain administrative privileges on cluster nodes.

To mitigate this risk, Kubernetes users are advised to upgrade to the latest version of Kubernetes CSI, v1.27.

New exploit in Zimbra email software

CVE-2023-37580 is a new vulnerability found in the Zimbra emailing software. Through a Cross-Site Scripting (XSS) attack in an HTTP GET parameter, attackers could inject malicious code into the software.

Source: The Hacker News

Before the exploit was patched, there were four campaigns, all targeting government entities in different countries. Each campaign was different in nature, all attempting to gather different information from the target. This is noted in the first and third campaigns; the first gathered emails, whereas the third set out to gather credentials.

Google under fire for a workspace vulnerability

Bitdefender Labs' research into Google Workspace and Google Cloud Platform has revealed new attack methods that pose significant risks for network-wide breaches, ransomware, and data exfiltration.

The vulnerabilities are primarily found in Google Credential Provider for Windows (GCPW), which is integral to remote device management and Single Sign-On authentication. These flaws could allow for cloning machines with shared passwords and unauthorised access token requests, potentially bypassing multi-factor authentication.

Bitdefender’s investigation also highlights the danger of decrypting user passwords, underscoring the severity of compromised credentials.

Google Advertisements taking a turn for the dark!

It may be a Google advertisement, but that does not mean it is verified by Google itself! There have been many reports of look-alike pages appearing all over the internet to trick unsuspecting victims into downloading malware.

Attackers are doing this by manipulating Google’s search results, using the paid advertising feature that places an advertised website above the other results.

But wouldn’t you notice if you were clearly running malware? Not entirely! Threat actors bundle the legitimate WinSCP software (the software of the website they are replicating) to trick users into thinking the download is legitimate. This gives the trojan enough time to execute malicious scripts in the background.

Other software, such as PyCharm, has also been targeted in this attack. Although this type of attack is not new, it is becoming increasingly common.

IPStorm Botnet put to rest

The U.S. Government recently dismantled the IPStorm botnet! Active from June 2019 to December 2022, the botnet initially targeted Windows systems before expanding to Linux, Mac, and Android devices worldwide. The developer, Sergei Makinin, now faces up to 30 years in prison for infecting thousands of devices.

IPStorm allowed customers to rent over 23,000 bots for various illicit activities, earning Makinin at least $550,000. He is now expected to forfeit his cryptocurrency wallets linked to the scheme.

TryHackMe attends BSides Nairobi Conference

On the 9th and 10th of November, Mawazo (one of our talented Content Engineers!) attended BSides Nairobi Conference.

Security BSides is a not-for-profit, community-driven event built for and by members of the information security community with an aim to develop the Information Security community in Kenya. Throughout the two-day event, teams competed in the ‘Cyber Challenge’ CTF and attended informative talks about cloud security and breach investigations.

The winners of the Cyber Challenge, p3rf3ctr00t (pictured above), were also awarded a beautiful trophy to celebrate their efforts and free TryHackMe subscription vouchers! Meanwhile, all attendees were able to take advantage of discounted annual TryHackMe subscriptions.

Advent of Cyber 2023!

Ho ho hackety ho. It’s your favourite time of the year because Advent of Cyber is almost near!

Join us on the 1st of December as we release festive cyber security challenges every day leading up to Christmas. Best of all, it’s FREE to enter, and we're giving away over $50,000 worth of awesome goodies 🎁

All tasks will be catered to beginners, accompanied by guided walkthroughs from some of your favourite cyber influencers, including John Hammond, Gerald Auger, InsiderPHD, InfoSec Pat, HuskyHacks, David Alves, UnixGuy, Day Cyberwox, Tib3rius, Alh4zr3d, Tyler Ramsbey, and John Breth.

Author: Ben Spring
Nov 24, 2023
