IT NEWS

Satellites are critical infrastructure and need to be cybersecured

In the context of this article we will use the term satellite for a machine that is launched into space and moves around Earth. And there might be a lot more of them than you would expect—this live map tracks a huge number of satellites.

Originally most of earth’s satellites were launched for scientific reasons. Some because of their unique ability to provide a view of a large area of the earth’s surface, and others because they are able to study space without having to deal with the atmosphere.

Today, a majority of the satellites in orbit are used in some form of communication. That’s not surprising when you consider that Elon Musk’s SpaceX is by far the largest operator of satellites. In September 2021, the total number of satellites amounted to 4550, with 1655 of them belonging to SpaceX. SpaceX’s Starlink satellite Internet program plans to send more than a thousand new satellites into orbit every year.

Commercial satellites, like Starlink, provide us with the ability to have things like Internet access, television, GPS, and scientific information about the weather and other processes in the atmosphere and on the surface.

CISA

On March 17, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) published an alert in conjunction with the Federal Bureau of Investigation (FBI) which warned of possible threats to US and international satellite communication (SATCOM) networks.

Along with that alert came a report that provided mitigation strategies for SATCOM providers and their customers. And, as part of CISA’s Shields Up initiative, all organizations are being asked to significantly lower their threshold for reporting and sharing indications of malicious cyberactivity.

Russia

On March 2, 2022 the current head of the Russian Roscosmos State Space Corporation, Dmitry Rogozin, said that Russia will consider any cyberattacks targeting Russian satellite infrastructure an act of war. This didn’t seem to stop activist group NB65 from claiming that it had disabled WS02, the Roscosmos Vehicle Monitoring System.

Viasat

On February 28, 2022 US-listed satellite communications firm Viasat Inc said it was investigating a suspected cyberattack that caused a partial outage in its residential broadband services in Ukraine and other European countries. Among other things, the outage caused a disruption of the remote monitoring and control of 5,800 wind turbines in Central Europe, with a total capacity of 11 gigawatt (GW).

Starlink

Viasat operates large geostationary satellites. Geostationary means they are synchronized with the earth’s rotation, which results in a stationary orbit at a point about 35,000 kilometers from Earth.

Viasat’s geostationary approach is the traditional method of providing broadband service from space, but other operators, like Starlink, use satellites in low earth orbits. This requires more satellites, but provides higher speeds.

In answer to a request for Starlink support from Ukraine digital minister Mykhailo Fedorov, SpaceX’s CEO Elon Musk was quick to respond and promise help.

Critical infrastructure

The examples above demonstrate how networks of satellites and space systems are vulnerable to cyberattack, and create a backdoor into the physical and digital systems we rely upon on a daily basis.

While we tend to think about other things first when we are discussing critical infrastructure, the underlying systems that enable technology functionality across these sectors often rely on space systems. For example, some high-tech farming equipment relies on GPS information provided by satellite.

Like so many other important assets, a lot of space systems were developed without cybersecurity in mind. Around the turn of the century, cybersecurity was not a big concern, and during the development of some systems no special cybersecurity parameters were deployed because engineers thought the technology was too advanced for a hacker to compromise.

It wasn’t until NASA set up the Cyber Defense Engineering and Research Group (CDER) that anyone looked at the unique cybersecurity requirements that distinguish space mission systems from traditional firewalled data servers.

And it wasn’t until the end of 2016 that AT&T encrypted NASA’s Deep Space Network (DSN), after a report on how to hack into the Mars Rover appeared on the Internet.

Recommendations

If you know or suspect that an important part of your organization’s internal processes depends on satellite services, the CISA report provides some guidelines for customers of SATCOM providers:

  • Use secure methods for authentication.
  • Enforce principle of least privilege through authorization policies.
  • Review existing trust relationships with IT service providers.
  • Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider.
  • Strengthen the security of operating systems, software, and firmware, including vulnerability and patch management.
  • Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  • Create, maintain, and exercise a cyberincident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.

Stay safe, everyone!

The post Satellites are critical infrastructure and need to be cybersecured appeared first on Malwarebytes Labs.

Update now! Google releases emergency patch for Chrome zero-day used in the wild

Google has urged its 3 billion+ users to update to Chrome version 99.0.4844.84 for Mac, Windows, and Linux to mitigate a zero-day that is currently being exploited in the wild. This is in response to a bug reported by an anonymous security researcher last week.

The flaw, which is tracked as CVE-2022-1096, is a “Type Confusion in V8” and is rated as high severity. Because of the damage attackers could cause by exploiting it, everyone using Chrome should update as quickly as possible.

Not much is known about the vulnerability itself or how great the impact would be if exploited, but the unusual release of this patch, which notably addresses just one vulnerability, means that this update shouldn’t be ignored.

Google is always cautious about releasing more details until the majority of users have the fix. Google says it may take weeks before the update reaches its entire user base.

How to update

The easiest way to update is to allow Chrome to do it automatically, which uses the same method outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping the browser from updating.

So, it doesn’t hurt to check now and then. And now would be a good time.

My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is relaunch the browser.

Microsoft Edge

Microsoft has confirmed that Edge, a Chromium-based browser, is also affected by this vulnerability. Edge users should urgently update their browsers to version 99.0.1150.55, which is not vulnerable to the flaw.


Telling stories securely, with Runa Sandvik: Lock and Code S03E07

In 2017, a former NSA contractor named Reality Winner was arrested for allegedly leaking an internal report to the online news outlet The Intercept. To verify the report itself, a journalist for The Intercept sent an image of the report to the NSA, but upon further inspection, it was revealed that the image was actually a scan of a physical document. 

This difference—between an entirely digital document and a physical piece of paper—spurred several suspicions that the news outlet had played an unintended role in identifying Winner to her employer. Some security onlookers proposed that, because The Intercept had sent a scan, the NSA did not have to search far to find who leaked it: Rather than combing through every employee or contractor who had access privileges to the report itself, the NSA only had to find people who had printed it.

Winner eventually received the longest sentence ever for sharing classified information—five years and three months in Federal prison. The former co-editor of The Intercept said that the way that the story was handled, including the push to have the documents verified by the NSA, was a “deeply embarrassing newsroom failure.” 

This is what journalism can look like in the modern age. There are countless digital traces left behind that can puncture the safety and security of both journalists and their sources. Adding complexity and stress to the situation is that many journalists have an online persona in which they share many details about their private lives—a habit that could provide leverage for future harassment, said security researcher Runa Sandvik.

“If your default is to share absolutely everything and anything that you’re doing on social media, at some point in time, some people that are upset with something you wrote may actually find that and use that to harass you and harass your friends, harass your loved ones.”

Runa Sandvik

Today, on the Lock and Code podcast with host David Ruiz, we speak with Sandvik about how she helps reporters tell important stories securely and privately amongst many digital threats. 


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.


A week in security (March 21 – 27)

Last week on Malwarebytes Labs:

Stay safe!


Tech support fraud is still very much alive, says latest FBI report

The FBI’s Internet Crime Complaint Center (IC3) has released its annual report. In 2021, IC3 continued to receive a record number of complaints from the American public: 847,376 reported complaints, which was a 7% increase from 2020, with potential losses exceeding $6.9 billion. Ransomware, business email compromise (BEC) schemes, and the criminal use of cryptocurrency were among the top incidents reported.

The IC3 also received 23,903 complaints related to tech support fraud from victims in 70 countries. The losses amounted to more than $347 million, which represents a 137 percent increase in losses from 2020.

Tech support fraud

Tech support fraud is a type of scam that is often neglected in the press, but as a security software vendor we are often reminded that this branch of scamming is still active. The only surprise in the report is that this sector is still showing strong growth.

Tech support fraud is where a criminal poses as customer, security, or technical support in order to defraud unwitting individuals. Criminals involved in tech support fraud will claim to be support or service employees from trusted institutions like banks and software vendors. Often, they sell victims services they don’t need or at absurd prices, and many victims report being directed to make wire transfers to overseas accounts or purchase large amounts of prepaid cards.

Malwarebytes examples

We get a lot of questions and complaints about tech support scammers impersonating us or using our brand to defraud victims. We set up a dedicated page for tech support scams years ago. Sometimes the scam mails are easy to recognize, and the offers these scammers make are often heavily over-priced. In the example shown below, the scammer couldn’t decide whether to use MW Bytes or MA Bytes, but they added our logo at the bottom to make a good impression.

(Image: fake Malwarebytes email)

This is an email template we see quite often, although the phone number may differ from one mail to the next.

(Image: the same email template with a different phone number)

To help you avoid Malwarebytes impersonators, there are a few important red flags you can look out for:

  • Overpricing. You can find our actual pricing here: https://www.malwarebytes.com/pricing
  • Malwarebytes does not use a third party company for technical support on our products. Support is in-house at Malwarebytes.
  • Our employees have company email addresses, so we will not use gmail, comcast, or other third party email addresses in our customer facing communications.

Senders that claim to be responsible for Malwarebytes Tech Support which we see repeatedly are TechGeek, Geek Squad Team, Czone Solutions Inc, Tech philosopher, Web-Gear solutions, and Malwarebytes Support R Us. While some of these may be the names of actual legitimate companies, none of them have any business acting on Malwarebytes’ behalf.

How to avoid tech support scams

In general, keep an eye out for overpricing. And do your own research to check the company in question’s charges.

When in doubt, do not use links or phone numbers sent by email. Research a direct method of contacting the organization by yourself and use that line of contact to enquire whether they are the origin of the mail.

For matters regarding Malwarebytes, please reach out to our Support team.

Stay safe, everyone!


Anti-war open-source software developer targets Russians and Belarussians with “protestware”

Russia is in the midst of its fourth week of attack against Ukraine. People worldwide have been increasingly and passionately showing support for Ukrainians since day one while condemning the atrocities of Russian President Vladimir Putin, the Russian military, and Belarus, its allied country.

While there is truly increased risk to lives and property on the front line, we have also seen certain risks online affecting individuals and businesses alike. There were scams; disinformation campaigns; and several wiper malware variants including HermeticWiper, IsaacWiper, and CaddyWiper. But one emerging trend we’re beginning to see play a part in the online impacts of the Russia-Ukraine war is the appearance of “protestware”.

When protestware doesn’t just protest

Protestware is a portmanteau of the words “protest” and “software.” It is software used in protest against something or someone—and we know what those are in the context of the current Ukraine crisis. Protestware is a very new term, but it has already come of age in a span of days.

Many open-source developers have started expressing their support (“We Stand With Ukraine”) on their official websites, either as content or banner. Some have also begun modifying their applications to include similar messages of support in the program’s UI or README text files.

One package, for example, called es5-ext, a small library (or a “shim”) that can be used in ECMAScript 5 or ECMAScript 6 environments, has been given a new dependency named postinstall.js, which displays a “call for peace” message when the shim is run on systems using a Russian IP address.

The message to Russian users broadcasted by postinstall.js. The text is originally in Russian, so the above is the English translation of the message. (Source: Github)

A portion of the message reads in English as follows:

Currently aware of 5000-11000 casualties among the Russian military and about 1500-3000 - among Ukrainians, and also about 350 civilians killed, including 38 children.

The people of Ukraine are fully mobilized and ready to defend their country from the enemy invasion. 91% of Ukrainians fully support their President Volodymyr Zelensky and his response to the Russian attack.

The whole world condemned the unreasonable invasion and decided to enter unprecedented sanctions against Russia. With each new day, they will be felt more and more among the civilian citizens. It is predicted that within 2-3 years (with the current sanctions) Russia's GDP may reach the level of a small European country.

Fellow developers criticized medikoo, the brains behind es5-ext and postinstall.js, saying “the NPM package is not a place for politics.” One even went as far as calling this benign change to the shim “malware.” But medikoo stood his ground, saying he’ll only remove the dependency “once the aggression stops, and Ukrainians can live in peace in their own country.”

Not all changes to one’s work are benign, though. Several open-source developers have started gravely sabotaging their projects by adding code that, at its worst, would wreak havoc on systems that download and run them.

One popular application, node-ipc, was updated in early March to include code that, according to Liran Tal, a security researcher from cybersecurity company Snyk, “raised concerns for suspicious activity and potential abuse of the source code and the package’s behavior.” When executed on systems geolocated in Russia or Belarus, versions 10.1.1 and 10.1.2 completely wipe files from machines and replace them with the heart emoji.

Here are simulated debug results from a test sandbox run by Snyk against node-ipc (Source: Snyk)

node-ipc developer Brandon Nozaki Miller (also known as RIAEvangelist, Sparky, and Electric Cowboy) also created a new library called PeaceNotWar. It carries the same wiping capabilities as the node-ipc package. Miller added this library as a dependency of node-ipc version 11.0.0. So every time node-ipc is called by other dependencies that import it, PeaceNotWar executes as well. One of the library’s payloads is to drop a file named WITH-LOVE-FROM-AMERICA.txt into an affected user’s desktop and their OneDrive.

Miller did the same for node-ipc version 9.2.2, the latest stable version of the package that many projects rely on. But he also added the highly popular module, colors, as a dependency on this package. Doing so would pull in nasty code deliberately created to introduce an infinite loop to the source code, triggering a denial of service (DoS) to any Node.js server using it.

Suffice to say, servers using version 9.2.2 would be rendered useless.

Portions of PeaceNotWar’s README page on Github say this:

This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users' desktops, and it will only do it if it does not already exist just to be polite.

...

I pledge that this module, to the best of my knowledge and skills, does not do any damage to anyone's data. If you do not like what this module does, please just lock your dependencies to any of my work or other's which includes this module, to a version you have code reviewed and deemed acceptable for your needs. Also, please code-review your other modules for vulnerabilities.

We have not confirmed that this module is already free of malicious code.

For those who are anti-war and pro-Ukraine, this form of protest may seem appropriate. But Snyk’s Tal raised questions that revealed a lack of foresight on the part of Miller in sabotaging his work and deploying his protestware.

“How does that reflect on the maintainer’s future reputation and stake in the developer community? Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?” Tal said in a post.

The US National Institute of Standards and Technology (NIST) recognizes the malicious package versions of node-ipc as a vulnerability, which is tracked as CVE-2022-23812.

When protestware ripples out

Because of the new threat posed by protestware against Russia, Sberbank, Russia’s biggest state-owned bank, advised Russians not to update any software due to “increased cyberattacks.”

“We urge users to stop updating software now, and developers to tighten control over the use of external source code,” a press release from the bank states, “If there is an urgent need to use software, be sure to check all downloaded files with an antivirus, and when using someone else’s code in your programs, conduct a manual or automatic check, including, view the text of the source code.”

“In addition, various content and malicious code can be embedded in freely distributed libraries used for software development. The use of such software can lead to malware infection of personal and corporate computers, as well as IT infrastructure.”

The National Coordination Center for Computer Incidents (NCCCI), a Russian cybersecurity agency, also issued a list of recommended guidelines (text in Russian) for IT risk for Russian companies and organizations in light of sabotaged open-source software.

In an unfortunate and ironic turn of events, a Washington-based American NGO that monitors human rights in post-Soviet states is one of those affected by Miller’s protestware. A Github post, which has already been taken down but preserved for posterity here, details the harm that the protestware has caused the organization—and they are likely to seek litigation against the developer as a result:

Since our start in 2014, we have been in contact with 2,500 whistleblowers that provided us with detailed reports on various kinds of abuse happening there.

Due to internet censorship there, one of the web services used to contact us securely was hosted on servers located inside Belarus. Normally, we backup the received content to an external server on the 20th day of every month, as this is reasonable given the volume we usually get, but since the start of the invasion on February 24th, traffic to our web service has increased over fiftyfold. Our staff has been working round the clock to accommodate the influx and during one of their tasks, a package containing the node-ipc module was updated on a production server, which resulted in executing your code and wiping over 30,000 messages and files detailing war crimes committed in Ukraine by the Russian army and government officials. Due to the way the files were stored on the server, we are not able to recover any data and it's most likely gone forever. For some of the senders, this might as well have been their last contact with the outside world, as many of them were front-line soldiers that could've been killed in action during the offensive.

Personally, me and my colleagues are absolutely devastated. All I can say is that your little shenanigan did more damage to us than Putin or Lukashenka ever could.

Snyk has recommended that developers refrain from using affected packages of these modified FOSS (free and open source) projects altogether. If that is not possible, however, they should use npm’s package override feature to replace the poisoned versions with a clean version instead.
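As an added example (not code from the Malwarebytes post, nor from node-ipc, PeaceNotWar or Snyk), the script below audits a package-lock.json for the node-ipc releases the article names as sabotaged (9.2.2, 10.1.1, 10.1.2 and 11.0.0) and for the peacenotwar dependency they pull in, then builds the package.json "overrides" entry that pins node-ipc to a version you have reviewed yourself. The sample lockfile and its version numbers are constructed, and the reviewed version is a placeholder you must replace.

```javascript
// Releases the article names as carrying the wiper or the colors DoS dependency.
const FLAGGED_VERSIONS = new Map([
  ['node-ipc', new Set(['9.2.2', '10.1.1', '10.1.2', '11.0.0'])],
]);
// Packages whose mere presence is a finding, whatever the version
// (npm names are lowercase; the article writes it PeaceNotWar).
const FLAGGED_ANY = new Set(['peacenotwar']);

// Yield { name, version, via } for every installed package in the lockfile.
// Handles lockfileVersion 2/3 (flat "packages" map) and 1 (nested "dependencies").
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry, not a dependency
      const i = path.lastIndexOf('node_modules/');
      yield { name: path.slice(i + 'node_modules/'.length), version: meta.version, via: path };
    }
    return;
  }
  function* walk(deps, via) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${via}node_modules/${name}`;
      yield { name, version: meta.version, via: here };
      yield* walk(meta.dependencies, here + '/'); // nested copies of a package
    }
  }
  yield* walk(lock.dependencies, '');
}

// Return every installed package that matches the flagged list.
function findFlagged(lock) {
  const hits = [];
  for (const p of installedPackages(lock)) {
    const n = p.name.toLowerCase();
    const versions = FLAGGED_VERSIONS.get(n);
    if (FLAGGED_ANY.has(n) || (versions && versions.has(p.version))) hits.push(p);
  }
  return hits;
}

// Build the "overrides" block for package.json. `pinned` maps a package name to
// the version you have code-reviewed; flagged names without a pin are returned
// as unresolved so the audit fails loudly instead of keeping the sabotaged release.
function buildOverrides(hits, pinned) {
  const overrides = {};
  const unresolved = new Set();
  for (const h of hits) {
    const n = h.name.toLowerCase();
    if (Object.prototype.hasOwnProperty.call(pinned, n)) overrides[n] = pinned[n];
    // peacenotwar is only reachable through node-ipc: pinning node-ipc to a
    // release that does not depend on it removes it, so it needs no pin itself.
    else if (!FLAGGED_ANY.has(n)) unresolved.add(n);
  }
  return { overrides, unresolved: [...unresolved] };
}

// Constructed sample lockfile in lockfileVersion 3 shape; versions are made up.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'node-ipc': '^11.0.0' } },
    'node_modules/node-ipc': { version: '11.0.0', dependencies: { peacenotwar: '*' } },
    'node_modules/peacenotwar': { version: '1.0.0' },
    'node_modules/js-message': { version: '1.0.0' },
  },
};

// Placeholder: replace with the node-ipc release you audited yourself.
const REVIEWED_NODE_IPC_VERSION = 'x.y.z-reviewed';

function auditSample() {
  return buildOverrides(findFlagged(SAMPLE_LOCK), { 'node-ipc': REVIEWED_NODE_IPC_VERSION });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findFlagged(SAMPLE_LOCK)) console.log(`flagged ${h.name}@${h.version} at ${h.via}`);
  console.log(JSON.stringify(auditSample(), null, 2)); // paste "overrides" into package.json
}
```

Running the script against a real lockfile means replacing SAMPLE_LOCK with JSON.parse of the file and then running npm install so the override takes effect.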

When protestware becomes a point of no return

Protestware is one of the ways internet users have actively used tech to make a statement of support for Ukrainians, combat Russian government misinformation, and deliver news to Russian civilians who are victims of their own state’s propaganda and severe censorship.

Apart from the developers of these poisoned packages, no developer has been happy with what protestware had to offer. For one thing, a great majority of developers see the FOSS ecosystem as politically agnostic. Although the intent is understandable, many agree that there are better avenues for developers, especially those who maintain popular packages with millions of downloads, to exercise their support for a people or cause.

Protestware, whether seen as benign or malicious, throws a spanner in the face of developer trust. It has also, yet again, raised concerns about the safety and integrity of the software supply chain. All it takes is one developer deciding to turn things around and ruin everyone’s day. This is something anyone who depends on open-source software will start thinking about more often, like a gray cloud hanging over their heads, uncertain of when sabotage might happen next.

“The Pandora’s box is now opened, and from this point on, people who use open source will experience xenophobia more than ever before, EVERYONE included,” writes GitHub user NM17. “The trust factor of open source, which was based on goodwill of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought was ‘the right thing to do.’ Not a single good came out of this ‘protest.’”


Update now! Many HP printers affected by three critical security vulnerabilities

In two security advisories, HP has alerted users to the existence of security vulnerabilities in several of its printer models.

In total, four vulnerabilities were patched, but three of those vulnerabilities are rated critical, and all of them can lead to remote code execution (RCE) when exploited.

Link-Local Multicast Name Resolution

CVE-2022-3942 is a vulnerability rated with a CVSS score of 8.4 out of 10. As HP puts it: Certain HP Print products and Digital Sending products may be vulnerable to potential remote code execution and buffer overflow with use of Link-Local Multicast Name Resolution.

The Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. Its main function is to resolve host names to facilitate communication between hosts on local networks.

HP Print devices

The second security advisory states that certain HP Print devices may be vulnerable to potential information disclosure, denial of service, or remote code execution. This is a set of three vulnerabilities, of which two have been rated as critical and one rated “high”.

Which models are affected?

The list of printer models affected by the first vulnerability is almost endless. Users of every model of HP Color LaserJet, HP LaserJet, HP PageWide, HP Scanjet Enterprise, HP DeskJet, HP OfficeJet, HP DesignJet, and the HP Digital Sender Flow 8500 fn2 Document Capture Workstation are encouraged to check for updated firmware.

The models affected by the second set of vulnerabilities are:

  • HP Color LaserJet Pro M453 – M454, MFP M2XX, MFP M478, M479
  • HP LaserJet Pro M304, M305, M404, M405, MFP M428, M429, MFP M428, M429 F
  • HP PageWide 352dw Printer, 377dw Multifunction Printer
  • HP PageWide Managed P55250dw Printer series, P57750dw Multifunction Printer
  • HP PageWide Pro 452dn Printer series, 452dw Printer series, 477dn Multifunction Printer series, 477dw Multifunction Printer series, 552dw Printer series, 577 Multifunction Printer series
  • HP OfficeJet Pro 8210 Printer series, 8216 Printer series, 8730 All-in-One Printer, 8740 All-in-One Printer series

How to update your printer

Patches are available for these vulnerabilities, so users can visit HP’s official software and driver download portal, navigate to their device model, and install the latest available firmware version.

An exception exists for the HP Color LaserJet Pro MFP M2xx models, where remediation is pending. Users of this type of all-in-one printer will have to check later whether a patch has been made available.

Stay safe, everyone!


Elden Ring exploit traps players in infinite death loop

Back in January, we wrote about how the Dark Souls games had their online components switched off for PC gamers. This is because someone figured out how to execute code remotely on the target’s PC. Given that the multiplayer angle of Souls games is rather important, this was quite a body blow for anyone playing. I fired up the first Dark Souls game a few days ago to see if the online services have been reinstated. They have not.

“Logging into the Dark Souls Remastered server” appears in the top right hand corner. A few moments later, I’m greeted with the following message:

Cannot log in to the Dark Souls Remastered game server because it has been stopped or is undergoing maintenance.

I haven’t tested the other two titles but it’s the same situation there too:

Note that this issue doesn’t affect console gamers; it’s PC specific.

The latest round of problems for Souls titles affects the latest game from the developer, FromSoftware. Interestingly, it may have its origins in one of the games which currently has its multiplayer component switched off.

Heavy souls and broken rings

The new game in the Souls line-up (in a roundabout fashion) is called Elden Ring. In the run up to launch, some wondered if it, too, would suffer from the same remote code execution attack forcing the brand new title to launch with its online capabilities disabled.

This did not happen, and a jolly multiplayer time was had by all. Well, for a little while at least. The exploits have arrived, despite the game itself making use of the anti-cheating service called Easy Anti-Cheat.

What happened?

A little over a week ago, players of Elden Ring complained that their sessions were being invaded by “hackers”. Invading people’s games is a normal feature of the title, but being put into an endless death loop, not so much.

After the first time your character dies, you’re supposed to respawn at locations resembling a bonfire. Instead, in the death loop scenario the victim simply continues to die over and over again.

No detailed information has been released by the developer FromSoftware as to what is happening. One of the theories from players is that the invaders were able to edit their save files somehow while in game, or at least adjust some parameters related to the victim’s save points. In other words: you no longer spawn at the nearest bonfire. You respawn somewhere over the nearby ocean and die instantly on account of not being able to swim.

Avoiding the exploit

The solution, as with so many attacks of this nature, is to remove functionality from the title. Switching off online play is the only way to ensure you’re not caught by this. Anyone trapped in a death loop has to attempt an ALT + F4/rapid-fire sequence of button presses in menus to try to manually respawn at a bonfire. This, as it turns out, isn’t easy to do. At one point there were Twitch videos of people punching in the combination with the right timing.

Ouch.

Where did this come from?

One of the older Souls titles, Dark Souls 3 from 2016, suffered from the exact same problem. The hack there was described as being able to alter player save data and “lock them out of their save files”. The article above and most of the detailed warnings about this are from a year ago. However, there are multiple complaints about this going back to 2020.

One portion of the Elden Ring fix—using ALT + F4 to kill the game at the right moment—was even used for the fix in Dark Souls 3.

Has this been patched?

Good news! A patch was released yesterday for various game related issues. One note in particular is relevant here:

“Fixed a bug in multiplayer that allowed players to teleport others to incorrect map coordinates.”

No specifics are given as to how they were doing it. Even so, this is hopefully the last we’ll see of game invading/save locking/character murdering exploits along these lines. Save points in Souls titles are supposed to be the one safe breathing space in the entire game. To have them corrupted or tampered with and cursed with instant death is probably a bridge too far for even the most hardcore of Souls players.

This hack comes hot on the heels of one which caused innocent players to receive bans. Let’s hope fewer exploits manage to spawn in the next Souls title.

The post Elden Ring exploit traps players in infinite death loop appeared first on Malwarebytes Labs.

Okta admits 366 customers may have been impacted by LAPSUS$ breach

Through its usual means of communication, its Telegram channel, the LAPSUS$ group has posted screenshots of what appears to be superuser access to the Okta management console. As such, the group claims to have acquired “superuser/admin” access to Okta.com and gained access to Okta’s customer data, saying on Telegram:

BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA – our focus was ONLY on okta customers.

Yesterday morning, an Okta spokesperson said the company was investigating the matter, and admitted an attempted breach in late January 2022 in which customers were exposed for five days. The date visible in the LAPSUS$ screenshots is 21 January, 2022. Okta provided a more detailed update later in the day, which we have summarised below.

Importantly, neither Okta nor LAPSUS$ is claiming that Okta’s software has been compromised. Both are saying that the criminal hacking group acquired access to a user account with access to some customer data.

A screenshot of the alleged Okta breach shared on the LAPSUS$ Telegram channel

Okta

Okta is an access management company based in San Francisco. According to its own website, Okta serves over 15,000 organizations. Essentially, Okta software allows employees to log in using single sign-on—a central platform where employees can log in once in order to access resources that have been assigned to them by an organization’s IT staff. This kind of identity-first approach to security is seen by some as an important underpinning of a Zero Trust security model.

LAPSUS$

LAPSUS$ is a relative newcomer to the cybercrime scene that first appeared in the summer of 2021. It has made a name for itself by leaking sensitive information from some big targets. The group is believed to hail from South America, based on its earliest targets and the near-native use of Spanish and Portuguese.

In recent events, LAPSUS$ claims to have hacked:

  • Samsung (source code has been leaked)
  • Nvidia (at least limited access has been proven)
  • Mercado Libre (confirmed)
  • Microsoft (under investigation)
  • Okta (under investigation)

Okta’s statement

In an article on Okta’s website, CSO David Bradbury provided a timeline of the incidents which took place in January. According to Bradbury, a forensic examination identified a five-day window between January 16 and January 21 when a threat actor “had access to the Sitel environment”. Sitel is what Okta calls a “sub-processor”—a company that provides contract workers for Okta’s Customer Support Organization.

According to that post, the intruder “obtained remote access using RDP” to a Sitel-owned machine that was logged into Okta. The company says the access permissions of the user were limited, and that the tools support engineers have access to include Jira, Slack, Splunk, RingCentral, Salesforce, and an internally-built application called SuperUser.

The group has not explained how it got access to an RDP session. Brute-force attacks against RDP are common, as is phishing, but LAPSUS$ is also known to bribe insiders for access. For example, on 10 March, it said it was looking to recruit tech company “employees/insiders” who were prepared to provide remote access, such as VPN or Citrix access.

LAPSUS$ attempts to recruit insiders

To understand the scope of the breach, Bradbury says Okta examined all of the access performed by all Sitel employees to the SuperUser application for the five-day period in question. His conclusion was that the maximum potential impact of the breach is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel. Affected customers are promised “…a report that shows the actions performed on their Okta tenant by Sitel during that period of time”, so they can perform their own analysis.

In what is fast becoming a bizarre back-and-forth, LAPSUS$ took to Telegram to respond to Okta’s assertions. Although the group doesn’t dispute that support engineers are limited to the applications Bradbury listed, it does take issue with whether that access is as benign as he suggests, commenting that it’s “…rather a bad security practice to store AWS keys in Slack channels”, and “The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems”.

Advice for Okta customers

What Okta customers can do to keep any damage contained is hard to say while we are still waiting for details. But here are a few pointers:

  • Keep an extra pair of eyes on your access logs.
  • Same for threat hunting and other logs.
  • Change the privileged Okta passwords.
  • Wait for more information.
  • Inform your customers that you are on the case.
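The first two pointers above amount to reviewing what was done in your tenant during the exposure window Okta named (January 16 to 21). The following Python script is an added example, not code from Malwarebytes or Okta: it triages newline-delimited JSON records whose field names are modelled on the shape of Okta System Log events (an assumption; the event type names such as `user.mfa.factor.reset_all` should be checked against your own tenant's logs), flags successful password resets, MFA resets and privilege grants inside the window, and lists the target accounts that need a credential and MFA review. The sample log lines and the domain `sitel.example` are constructed for the example.

```python
"""Triage constructed Okta-style System Log records for a known exposure window.

The sample records, the actor domains and the exact eventType strings are
assumptions made for this example; verify names against your own tenant.
"""
import json
from datetime import datetime, timezone

# Window named in Okta's statement: January 16-21, 2022 (inclusive).
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)  # exclusive upper bound

# Event types worth a second look when a support-side account may have been
# misused. Names are modelled on Okta System Log eventType values (assumption).
SENSITIVE_EVENTS = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.account.privilege.grant",
    "system.api_token.create",
}

# Constructed sample log lines (JSON, one record per line).
SAMPLE_LOG = """\
{"published":"2022-01-15T09:12:00.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"target":[],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-18T03:41:10.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"support-eng@sitel.example"},"target":[{"alternateId":"cfo@example.com"}],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-18T03:42:55.000Z","eventType":"user.account.reset_password","actor":{"alternateId":"support-eng@sitel.example"},"target":[{"alternateId":"cfo@example.com"}],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-19T14:00:00.000Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"bob@example.com"}],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-25T10:00:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"support-eng@sitel.example"},"target":[{"alternateId":"dave@example.com"}],"outcome":{"result":"SUCCESS"}}
"""


def parse_records(text):
    """Parse newline-delimited JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_window(record):
    """True when the record's publish time falls inside the exposure window."""
    ts = datetime.fromisoformat(record["published"].replace("Z", "+00:00"))
    return WINDOW_START <= ts < WINDOW_END


def flag_sensitive(records, actor_domain=None):
    """Return (time, eventType, actor, targets) for successful sensitive events
    inside the window.

    actor_domain, when given, narrows results to actors at that domain (for
    example the sub-processor's domain) so third-party support activity can be
    separated from the organisation's own help desk.
    """
    flagged = []
    for r in records:
        if r.get("eventType") not in SENSITIVE_EVENTS:
            continue
        if r.get("outcome", {}).get("result") != "SUCCESS":
            continue
        if not in_window(r):
            continue
        actor = r.get("actor", {}).get("alternateId", "")
        if actor_domain and not actor.lower().endswith("@" + actor_domain):
            continue
        targets = [t.get("alternateId") for t in r.get("target", [])]
        flagged.append((r["published"], r["eventType"], actor, targets))
    return flagged


def affected_users(flagged):
    """Distinct target accounts whose credentials and MFA factors need review."""
    return sorted({t for _, _, _, targets in flagged for t in targets if t})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    hits = flag_sensitive(recs, actor_domain="sitel.example")
    for hit in hits:
        print(*hit)
    print("accounts to review:", affected_users(hits))
```

Run without `actor_domain` to see every sensitive action in the window, including your own help desk's; run with the sub-processor's domain to isolate the third-party activity that Okta's promised per-tenant report should corroborate.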

The post Okta admits 366 customers may have been impacted by LAPSUS$ breach appeared first on Malwarebytes Labs.

White House urges US businesses: Protect against potential Russian cyberattacks

On Monday, the White House told US business leaders to toughen up their cybersecurity defenses against a potential cyberattack from Russia.

“The Biden-Harris Administration has warned repeatedly about the potential for Russia to engage in malicious cyber activity against the United States in response to the unprecedented economic sanctions we have imposed. There is now evolving intelligence that Russia may be exploring options for potential cyberattacks.”

Since Russian forces began their attack on Ukraine on February 24, the US government and cybersecurity community have raised the possibility of a cyber arms conflict. The day Russian troops set foot in Ukraine, the Administration released a statement saying the US is prepared to respond to Russian cyberattacks if it comes to that.

“If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond. For months, we’ve been working closely with the private sector to harden their cyberdefenses [and to] sharpen our ability to respond [to] the Russian cyberattacks as well.”

In a business advisory, the FBI warned that US critical infrastructure, particularly entities within the financial, water, and energy sectors, is likely to be targeted. In fact, the FBI has already seen abnormal “network scanning activity” from multiple IP addresses based in Russia: early-stage reconnaissance, a means of finding vulnerabilities for potential future intrusions.

The FBI also revealed that at least five energy companies and at least 18 other US companies in different sectors (information technology, financial services, defense industrial base) have been subjected to these scanning activities.

With all this in mind, what should organizations be doing? Inspired by the Shields Up initiative, a campaign set up by the US Cybersecurity & Infrastructure Security Agency (CISA), here’s a list of things that business leaders can do to prepare.

  • Update your systems. Your IT teams should prioritize patching vulnerable software that is currently being exploited.
  • Change passwords across your networks. This is to ensure that any previously stolen or leaked credentials will no longer work when used to access resources within your business network.
  • Install good security software and make sure you keep it up to date.
  • Create multiple backups of your data. It’s the key to bouncing back from a ransomware attack as quickly as possible, especially when done right—something one school district found out the hard way—and you want to avoid paying cybercriminals. And while we’re on the subject of backups, test your backup procedures, too.
  • Require the use of multi-factor authentication (MFA) wherever you can.
  • Educate your employees. Ensure that they know common threat tactics, such as social engineering ploys, that may be used against them. Lower your company’s threshold of reporting incidents, so if an employee notices that their computer or phone is starting to show unusual behavior, such as crashing or suddenly running slowly, they should report it.
  • Keep an open line to your local FBI or CISA Regional Office. CISA has opened 24/7 reporting avenues via report@cisa.org and (888)282-0870 and encourages business organizations to report cyber incidents they may encounter.

You can also read about four key cybersecurity practices businesses can adopt when there’s a threat of “cyberwar”.

The Administration has made clear that the US government will do what it can to protect US businesses and critical infrastructure. But it also said it can’t defend them without the help of the private sector, which owns and operates most of the big businesses and infrastructure the country relies on.

In the statement he made on Monday, Biden concluded:

“You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time—your vigilance and urgency today can prevent or mitigate attacks tomorrow.”

The post White House urges US businesses: Protect against potential Russian cyberattacks appeared first on Malwarebytes Labs.