Marcel Brown: September 4th, 1998. Larry Page and Sergey Brin filing corporation papers for Google in California. Filing on a Friday, the date of official incorporation would be marked as Monday, September 7th. Starting out as a privately held company, Google would hold their IPO about six years later, on August 19th, 2004.

Edwin Kwan: A WordPress migration plugin contains add-ons that suffer from a vulnerability that could result in sensitive information disclosure. The free plugin is not affected by the vulnerability. It is the premium extensions that are affected.

Ian Garrett: Okta, an identity and access management company has issued a warning regarding a new social engineering attack targeting IT service desks in the US.

Katy Craig: Today we’re talking about Okta, the identity and access management company, which has been dealing with a series of targeted attacks. The attackers are going after the IT help desk of Okta’s US-based customers. Even the gatekeepers need to double-check who’s knocking.

 

The Stories Behind the Cybersecurity Headlines

 

Edwin Kwan
WordPress Migration Add-on Vulnerable to Sensitive Information Disclosure

A WordPress migration plugin contains add-ons that suffer from a vulnerability that could result in sensitive information disclosure.

This is Edwin Kwan from Sydney, Australia.

The plugin is the All-In-One WP Migration plugin and the affected extensions are its Box extension, Google Drive extension, OneDrive extension, and Dropbox extension. Those extensions suffer from unauthenticated access token manipulation, which allows an attacker to update or delete the access token configuration of the affected extensions.

The All-In-One WP Migration Plugin is a popular and free data migration plugin for WordPress sites and have over 5 million active installations. The free plugin is not affected by the vulnerability. It is the premium extensions that are affected. Patches for those extensions have already been released.

As this plugin is used for migrating WordPress sites, site owners should follow security best practices and remove the plugin and extensions once the migration is completed.

Resources
– https://patchstack.com/articles/pre-auth-access-token-manipulation-in-all-in-one-wp-migration-extensions/
– https://www.bleepingcomputer.com/news/security/wordpress-migration-add-on-flaw-could-lead-to-data-breaches/

 

Ian Garrett
Social Engineering to Bypass Multi-factor Authentication

How are hackers social engineering their way past multifactor authentication? Okta, an identity and access management company has issued a warning regarding a new social engineering attack targeting IT service desks in the US. The attackers’ objective is to manipulate the IT agents into resetting multifactor authentication for high-privileged users.

Hey folks, this is Ian Garrett in Arlington, Virginia.

The attackers aim to hijack Okta Super Administrator accounts, which grants them significant privileges. This access allows them to exploit identity federation features, enabling impersonation of users from the compromised organization. Before contacting the IT service desk, the attackers either possess passwords for privileged accounts, or can manipulate the authentication process through the Active Directory.

Once the compromise a Super Admin account, the attackers employ anonymizing proxy services, new IP addresses, and devices. They then elevate privileges for other accounts, reset authenticators, and in some cases remove multifactor authentication protection. The threat actors configure a second identity provider to act as an “impersonation app.”

This identity provider is controlled by the attacker and engages in an inbound federation relationship with the target. Using the setup, the attackers modify usernames to match real users in the compromised identity provider, facilitating impersonation.

Okta provides several security measures to safeguard admin accounts from external actors, including enforcing phishing-resistant authentication, requiring re-authentication for privileged app access, and implementing strong authenticators for self-service recovery.

They also emphasize the importance of limiting Super Administrator roles, enhancing help desk verification, and activating alerts for suspicious activity. Okta’s advisory also offers indicators that a compromise has taken place, as well as IP addresses associated with the attacks observed. This threat underscores the significance of robust security measures, particularly in the face of evolving social engineering attacks.

Resources
– CSO Online: https://www.bleepingcomputer.com/news/security/okta-hackers-target-it-help-desks-to-gain-super-admin-disable-mfa/

 

Katy Craig
Okta hack affects US customers

Today we’re talking about Okta, the identity and access management company, which has been dealing with a series of targeted attacks. The attackers are going after the IT help desk of Okta’s US-based customers. They’re tricking the help desk into resetting the multifactor authentication on the company’s Okta Super Administrator account.

This is Katy Craig in San Diego, California.

Compromised Super Administrator accounts were then used to assign higher privileges to other accounts, or reset enrolled authenticators in existing administrator accounts. In some cases, the threat actor removed second factor requirements from authentication policies. Once they were in, they’re impersonating other users and moving laterally inside the network like they own the place.

These attacks happened between July 29th and August 19th, but Okta’s keeping mum on the number of customers affected. They have, however, published indicators of compromise, tactics, techniques, and procedures. So if you’re an Okta user, you might wanna check those out.

What’s the takeaway? Well, even the gatekeepers need to double-check who’s knocking. If you’re in IT, especially on the help desk, be extra cautious when handling MFA resets for admin accounts. Remember Zero Trust principles, which are never trust, always verify.

This is Katy Craig. Stay safe out there.

Resources
– https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection

 

Marcel Brown
This Day, September 3-5, in Tech History

This is Marcel Brown bringing you some technology history for September 3rd through the 5th.

September 3rd, 1995. The online auction site, eBay, is launched as “AuctionWeb” by Pierre Omidyar. The first item sold, a broken laser pointer, wasn’t actually intended to sell, but rather to test the new site, itself started as a hobby. Surprised that the item sold for $14.83, Omidyar contacted the buyer to make sure he knew the laser pointer was broken, to which was replied, “I’m a collector of broken laser pointers.” From that first $14.83, Omidyar is now worth billions of dollars.

September 4th, 1998. Larry Page and Sergey Brin filing corporation papers for Google in California. Filing on a Friday, the date of official incorporation would be marked as Monday, September 7th. Starting out as a privately held company, Google would hold their IPO about six years later, on August 19th, 2004.

September 5th, 1980. The last IBM 7030 “Stretch” mainframe in active use is decommissioned at Brigham Young University. The first Stretch was delivered to the Los Alamos National Laboratory in 1961, giving the model almost 20 years of operational service. The stretch was famous for many things, but perhaps most notably, it was the first IBM computer to use transistors instead of vacuum tubes. It was the first computer to be designed with the help of an earlier computer, and it was the world’s fastest computer from 1961 to 1964.

That’s your technology history for today. For more, tune in tomorrow and visit my website, thisdayintechhistory.com.

Resources
– http://thisdayintechhistory.com/09/03
– http://thisdayintechhistory.com/09/04
– http://thisdayintechhistory.com/09/05