Welcome to Security Sunday – Week 45. our weekly summary from the world of cybersecurity (6. 11. – 12. 11. 2023).

We’re collecting notable incident and vulnerability reports from the past week.

Summary of Okta Security Breach Information

Okta said a recent security breach that led to some of its customers being hacked likely occurred when an employee logged into a personal Google account using a company laptop.

Okta disclosed that cyberattacks targeting customers such as 1Password, BeyondTrust and Cloudflare resulted in unauthorized access to internal files. This breach involved a total of 134 customers and could have compromised sensitive information.

“During the course of our investigation, Okta Security discovered that an employee had logged into his personal Google profile in Chrome on his Okta-managed laptop. The service account username and password were saved to the employee’s personal Google account. The most likely cause is compromise of the employee’s personal Google account or personal device,” wrote Okta’s director of security.

Before blocking access, cybercriminals managed to obtain information from 134 customers, as published by Okta. Among the stolen data were several session tokens, some of which were subsequently used in cyberattacks against Okta customers.

One customer, cybersecurity company BeyondTrust Inc., reported that hackers used a stolen session token to create an administrator account on its network.

Link: https://www.cysecurity.news/2023/11/unpacking-latest-okta-breach-what-all.html

Cloudflare and OpenAI websites hit by DDoS attack claimed by Anonymous Sudan

Cloudflare experienced a DDoS attack that caused intermittent connectivity issues to cloudflare.com for several minutes. This DDoS attack did not affect any service or product capability provided by Cloudflare and no customers were impacted by this incident.

Cloudflare’s websites are intentionally hosted on separate infrastructure and cannot affect Cloudflare’s services. said a CloudFlare spokesperson

The Anonymous Sudan group (also known as Storm-1359) also claimed responsibility for the attack that knocked ChatGPT out of service on Wednesday and other attacks that affected Outlook.com, OneDrive and Microsoft’s Azure portal in June.

Although the group claims to target countries and organizations that interfere in Sudanese politics, some analysts associate the group more with Russia.


Summary of gaming threats in 2023

In 2023, Kaspersky Lab recorded an alarming 4,076,530 desktop infection attempts affecting 192,456 players. The main threats were Downloaders, Adware and Trojans, with Downloaders accounting for 89.70% of these threats. Minecraft was the most abused title, accounting for 70.29% of all detections, followed by Roblox and Counter-Strike: Global Offensive.

Between July 2022 and July 2023, 436,786 infection attempts were detected on mobile devices, affecting 84,539 users. Minecraft players were once again the main target of attacks, facing 90.37% of all attacks on the mobile platform, followed by the PUBG title.

The most common source of infection was unofficial mods or game cracks.


Atlassian bug escalated to score 10, all unpatched instances vulnerable

Active ransomware attacks on the unpatched Atlassian Confluence Data Center and Server application increased the CVSS score associated with vulnerability CVE-2023-22518 from the original 9.1 to 10, the most critical rating on the scale.

The Atlassian Confluence vulnerability was first disclosed on 31. October and from 3. November, its active abuse was observed.

This vulnerability allows an unauthenticated attacker to reset Confluence and create an instance administrator account. Using this account, an attacker can then perform all actions that are available to the administrator, leading to complete compromise.


Fake Ledger Live app in Microsoft Store stole $768,000 in cryptocurrency

Microsoft recently removed the fraudulent cryptocurrency management app Ledger Live from its store after several users lost at least $768,000 worth of cryptocurrency assets.

The fake app, published under the name Ledger Live Web3, appears to have been in the Microsoft Store since the 19th. October, but the theft of cryptocurrencies began to be reported only a few days ago.

Blockchain enthusiast ZachXBT pointed out 5. November, the cryptocurrency community on the Ledger Live scam app in the Microsoft Store, which stole nearly $600,000 from users who installed it.

Microsoft responded later that day and removed the app from the store, but the scammer has already transferred more than $768,000 from victims.

The scammer didn’t put much effort into making the fake Ledger Live app look legitimate.

Aside from the description, which was copied word for word almost entirely from a legitimate app in the Apple Store, the app had only one five-star rating, and the imposter used “Official Dev” as the developer’s name.

Whoever is behind the scam also created a page for the app using the GitBook documentation management platform. The site promotes the app as an official Ledger product available through the Microsoft Store, although it does not match the look and feel of the legitimate Ledger Live site.

Given all the signals pointing to a possible scam, it’s unclear how the scammer managed to get the app published on the Microsoft Store. ZachXBT believes that the vetting process is not thorough enough.


MuddyC2Go: New C2 framework used by Iranian hackers against Israel

Iranian state actors have been found to be using a previously undocumented command and control (C2) framework called MuddyC2Go in attacks on Israel.

“The web component of this framework is written in the Go programming language,” a security researcher at Deep Instinct said in a technical report published Wednesday.

The tool was attributed to MuddyWater, an Iranian state-sponsored hacking group affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

The cybersecurity firm said the C2 framework could have been used by threat actors since early 2020, with recent attacks using it instead of PhonyC2, another framework from MuddyWater.

Installing the remote management software opens the way to the delivery of other useful software, including PhonyC2. Remote administration tools are distributed using encrypted .zip archives and contain an executable file.

“This executable contains a PowerShell script that automatically connects to MuddyWater’s C2 server, eliminating the need for manual operator execution,” Kenin explained.


Ransomware groups exploit Zero-Day vulnerability in SysAid

The exploitation of the zero-day vulnerability, tracked as CVE-2023-47246, was apparently first observed by Microsoft’s threat monitoring team, which promptly notified SysAid of the vulnerability and attacks.

SysAid became aware of the zero-day on 2. November and 8. announced on November 23 the release of version 23.3.36, which should fix the vulnerability.

In addition to the patches, the manufacturer shared technical information on its blog about the observed attacks, including indicators of compromise (IoCs), as well as recommendations on what steps potentially affected customers should take.


Interested in cyber security? Check out the next episodes of our weekly magazine Security Sunday.