October 26, 2023
In this Episode:
Marcel Brown: October 26th, 1861. Only two days after the Transcontinental Telegraph line opened, the Pony Express ceases operation. Prior to the opening of the cross-country telegraph line, the Pony Express was the fastest way to send communication between St. Joseph, Missouri and San Francisco, California.
Edwin Kwan: 1Password has confirmed that it was attacked by cybercriminals using session information that was stolen in the recent Okta breach. 1Password is a popular password management platform used by over 100,000 businesses.
Katy Craig: A new variant of the notorious Mirai malware is making headlines. This time, it’s going after millions of Android TV set-top boxes used by people for media streaming.
Ian Garrett: You’ve likely heard of supply chain attacks, but did you know there are different types of supply chain attacks? This is a two-part series where I cover the different types of attacks.
The Stories Behind the Cybersecurity Headlines
1Password Impacted by Okta Breach
This is Edwin Kwan from Sydney, Australia.
1Password is a popular password management platform used by over 100,000 businesses.
A member of their IT team detected suspicious activity on their Okta instance when they received an unexpected email notification suggesting that they had initiated an Okta report for a list of admins.
Before the incident, the IT team member had engaged with Okta support and, at Okta’s request, created an HTTP archive file and uploaded it to the support portal. The file contained sensitive information, including session cookies.
In the early morning of Friday, September 29th, the threat actor used the stolen session information to access 1Password’s Okta environment, and it did so with administrator access. Logs showed that the threat actor attempted to access the IT team member’s user dashboard, but was unsuccessful. It then made some changes to the identity provider for 1Password’s Google environment before requesting a report of administrative users. 1Password’s security team at that time could not identify how the session data got compromised.
They rotated the IT team member’s credentials and switched the account to use a hardware token, a YubiKey, for MFA, and they applied additional restrictions to their Okta account. It was not until Okta publicly confirmed that its internal systems were compromised that they were able to explain how the attackers had gotten access to the HTTP archive file.
– 1Password: https://blog.1password.com/files/okta-incident/okta-incident-report.pdf
– Dark Reading: https://www.darkreading.com/remote-workforce/1password-latest-victim-okta-customer-service-breach
– Bleeping Computer: https://www.bleepingcomputer.com/news/security/1password-discloses-security-incident-linked-to-okta-breach/
– Hacker News: https://thehackernews.com/2023/10/1password-detects-suspicious-activity.html
– The Record: https://therecord.media/1password-cloudflare-affected-by-okta-incident
– The Register: https://www.theregister.com/2023/10/24/1password_confirms_all_logins_are/
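The 1Password incident turned on an HTTP archive (HAR) file that still carried live session cookies when it was uploaded to a support portal. The following is an added example, not 1Password’s or Okta’s code, of scrubbing a HAR before it leaves your machine and then checking that nothing credential-bearing survived. The HAR document, the header list `SENSITIVE_HEADERS`, the field-name pattern and the host `idp.example.com` are all assumptions constructed for the example; the cookie values are made up.

```python
"""Scrub session-bearing data from a HAR file before sharing it (added example)."""
import json
import re

REDACTED = "[REDACTED]"
# Header names that routinely carry bearer credentials or session identifiers (assumed list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Query-string and JSON-body field names worth redacting (assumed pattern).
SENSITIVE_FIELD_RE = re.compile(r"(pass(word)?|secret|token|session|sid|cookie)", re.I)


def _redact_pairs(pairs, is_sensitive):
    """Return a copy of HAR name/value pairs with sensitive values replaced."""
    return [dict(p, value=REDACTED) if is_sensitive(p.get("name", "")) else p for p in pairs]


def _redact_json_text(text):
    """Redact sensitive top-level keys in a JSON body; non-JSON bodies pass through unchanged."""
    try:
        body = json.loads(text)
    except ValueError:
        return text
    if isinstance(body, dict):
        for key in body:
            if SENSITIVE_FIELD_RE.search(key):
                body[key] = REDACTED
        return json.dumps(body)
    return text


def sanitize_har(har_text):
    """Parse HAR JSON and redact cookies, auth headers, sensitive query params and body fields."""
    har = json.loads(har_text)
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side)
            if not msg:
                continue
            msg["headers"] = _redact_pairs(msg.get("headers", []), lambda n: n.lower() in SENSITIVE_HEADERS)
            # The `cookies` array is a parsed view of the same Cookie/Set-Cookie data: redact all of it.
            msg["cookies"] = _redact_pairs(msg.get("cookies", []), lambda n: True)
        req = entry.get("request", {})
        req["queryString"] = _redact_pairs(req.get("queryString", []), SENSITIVE_FIELD_RE.search)
        post = req.get("postData")
        if post and post.get("text"):
            post["text"] = _redact_json_text(post["text"])
    return har


def find_session_leaks(har):
    """List (entry index, location, name) for credential-bearing values still present.

    Accepts either HAR JSON text or an already-parsed dict, so it can check a file
    before and after sanitizing.
    """
    if isinstance(har, str):
        har = json.loads(har)
    leaks = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    leaks.append((i, f"{side}.headers", h["name"]))
            for c in msg.get("cookies", []):
                if c.get("value") != REDACTED:
                    leaks.append((i, f"{side}.cookies", c.get("name")))
    return leaks


# Constructed sample HAR: one request to a made-up identity provider carrying a session cookie.
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "POST",
            "url": "https://idp.example.com/api/v1/authn?sessionToken=abc123",
            "headers": [{"name": "Cookie", "value": "sid=102ab3f9deadbeef; DT=ffee00"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "102ab3f9deadbeef"}, {"name": "DT", "value": "ffee00"}],
            "queryString": [{"name": "sessionToken", "value": "abc123"}],
            "postData": {"mimeType": "application/json",
                         "text": json.dumps({"username": "it-admin", "password": "hunter2"})},
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=102ab3f9deadbeef; Path=/; HttpOnly; Secure"}],
            "cookies": [{"name": "sid", "value": "102ab3f9deadbeef"}],
        },
    }]}
})

if __name__ == "__main__":
    print("leaks before:", find_session_leaks(SAMPLE_HAR))
    clean = sanitize_har(SAMPLE_HAR)
    print("leaks after:", find_session_leaks(clean))
    print(json.dumps(clean, indent=2))
```

Redaction is deliberately by name rather than by value, so unknown tokens in unusual headers are not caught; the leak check is the safety net for the names listed, and anything the browser recorded under a vendor-specific header still needs a manual look before upload.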
New Mirai Malware Variant
This is Katy Craig in San Diego, California.
What’s concerning is that these cybercriminals are targeting budget-friendly Android TV boxes like the Tanix TX6 and MX10 Pro 6K. These devices may be inexpensive, but they’re powerful enough to launch DDoS attacks even in small groups.
So how does this malware sneak into these boxes? Well, there are two main methods. First, it can arrive through malicious firmware updates, often signed with publicly available test keys. These updates might be installed by the device resellers or tricked users who think they’re getting improved streaming capabilities.
The second way is through pirated content apps promising free access to copyrighted TV shows and movies. Once installed, these apps start a background service without users’ knowledge, giving the malware a foothold.
Once in, this malware can do some nasty things. It can perform DDoS attacks, manipulate system partitions, and even open a reverse shell. In other words, it’s a cybersecurity nightmare.
So what can you do to stay safe? Consider sticking to streaming devices from trusted brands like Google Chromecast, Apple TV, or Amazon Fire TV, and always be cautious when downloading apps or firmware updates from unverified sources.
This is Katy Craig. Stay safe out there.
– Bleeping Computer: https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
– Fortinet: https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits
6 Types of Supply Chain Attacks (Part 1)
You’ve likely heard of supply chain attacks, but did you know there are different types of supply chain attacks? A software supply chain attack refers to instances where attackers interfere with the software development lifecycle, affecting multiple consumers of the final product or service. This interference can involve tainted code libraries, trojanized software updates, stolen code signing certificates, or compromised servers hosting software as a service.
This is a two-part series where I cover the different types of attacks.
Hey folks, this is Ian Garrett in Arlington, Virginia.
The software supply chain risk is significant. Despite efforts to monitor and remove malicious code from code repositories or libraries, attackers continue to find ways to make their code available to unsuspecting developers. Recent reports show a growing problem, with increased malicious packages and a shift towards targeting specific companies.
Developers play a role in this risk, as many do not verify the integrity of downloaded code. This negligence creates opportunities for attackers, potentially leading to large-scale ransomware attacks or botnets in the future.
Type 1 is the Upstream Server Compromise, where an attacker breaches an upstream server or code repository and often injects a malicious payload that gets distributed downstream. An example of this method is the Codecov attack. The Codecov attackers obtained credentials to modify the Codecov bash uploader, a script hosted on the Codecov server. Thousands of repositories pointed to this script, causing an impact on downstream repositories. While no malicious code was distributed downstream in this case, the after-effect was that the attackers breached hundreds of customer networks using credentials collected from the hacked bash uploader.
Type 2 is the midstream compromise attack, where attackers compromise an intermediary software upgrade, functionality, or CI/CD tool rather than the original upstream source-code base. An example of this method is the Passwordstate case, where attackers compromised the in-place upgrade functionality to distribute malicious updates to Passwordstate users. The illicit update included a modified DLL file, and affected users’ password records were potentially harvested. The attack had both technical and social engineering aspects, as attackers altered user manuals, help files, and scripts to point to their malicious content distribution network server.
Software supply chain attacks come in various forms, and understanding these methods is crucial for cybersecurity professionals. In the next part, we’ll delve into more types of software supply chain attacks, exploring the tactics and the impact they have.
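Both cases above hinge on consumers fetching a script or update from a server and running it without checking it against anything they control. The following is an added example, not Codecov’s or Passwordstate’s code, of the defensive counterpart: pin the digest of the artifact you reviewed in your own repository and refuse to run a fetched copy that does not match. The uploader contents, the file name `uploader.sh` and the appended line that stands in for a tampered script are all constructed for the example. Note that the pin has to live somewhere the upstream server cannot change; a checksum downloaded from the same host as the script proves nothing once that host is compromised.

```python
"""Pin-and-verify third-party scripts before running them (added example)."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact, the value you commit as the pin after reviewing it."""
    return hashlib.sha256(data).hexdigest()


def check_against_pins(fetched: dict, pins: dict) -> dict:
    """Compare fetched artifacts against pinned digests.

    fetched: {name: bytes} as downloaded; pins: {name: sha256 hex} committed in your repo.
    Returns {name: "ok" | "mismatch" | "missing" | "unpinned"}. Anything that is not
    "ok" should block execution: "unpinned" catches a new file an attacker slipped in
    next to the ones you expected.
    """
    statuses = {}
    for name, pin in pins.items():
        data = fetched.get(name)
        if data is None:
            statuses[name] = "missing"
        elif hmac.compare_digest(sha256_hex(data), pin.lower()):
            statuses[name] = "ok"
        else:
            statuses[name] = "mismatch"
    for name in fetched:
        if name not in pins:
            statuses[name] = "unpinned"
    return statuses


def run_allowed(statuses: dict) -> bool:
    """True only when every pinned artifact was fetched and matched, and nothing extra arrived."""
    return bool(statuses) and all(s == "ok" for s in statuses.values())


# Constructed sample: the uploader as it looked when reviewed, and a copy with one extra line.
REVIEWED_UPLOADER = b"#!/bin/sh\nset -eu\nupload_report \"$REPORT_FILE\"\n"
TAMPERED_UPLOADER = REVIEWED_UPLOADER + b"# one appended line is enough to change the digest\n"

# This dict is what you would commit; in a real pipeline it is read from the repo, not computed at run time.
PINS = {"uploader.sh": sha256_hex(REVIEWED_UPLOADER)}

if __name__ == "__main__":
    for label, fetched in (("clean", {"uploader.sh": REVIEWED_UPLOADER}),
                           ("tampered", {"uploader.sh": TAMPERED_UPLOADER}),
                           ("extra file", {"uploader.sh": REVIEWED_UPLOADER, "helper.sh": b"echo hi\n"})):
        statuses = check_against_pins(fetched, PINS)
        print(f"{label:>10}: {statuses} -> run: {run_allowed(statuses)}")
```

`hmac.compare_digest` is used for the comparison so the check is not timing-dependent; the important design choice is the source of `PINS`, which must be versioned alongside the code that consumes the script so a change to the pin goes through the same review as any other change.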
This Day, October 26, in Tech History
October 26th, 1861. Only two days after the Transcontinental Telegraph line opened, the Pony Express ceases operation. Prior to the opening of the cross-country telegraph line, the Pony Express was the fastest way to send communication between St. Joseph, Missouri and San Francisco, California.
October 26, 2012. Microsoft releases its Windows 8 operating system with its tile-based start screen. Universally derided as a flop, and often compared to the marketing disaster that was New Coke, the fallout from Windows 8 eventually led to the retirement of Microsoft CEO Steve Ballmer.
That’s your technology history for today. For more, tune in tomorrow and visit my website thisdayintechhistory.com.