Welcome to Security Sunday – Week 43. our weekly summary from the world of cybersecurity (23 October – 29 October 2023).

We’re collecting notable incident and vulnerability reports from the past week.

1Password, CloudFlare and BeyondTrust stop an attack linked to the Okta security breach

Cloudflare, 1Password and BeyondTrust said their recent incidents were related to the Okta security breach, but that the incidents did not affect their customer systems or user data.

“We immediately shut down the attackers’ activity, conducted an investigation and found no compromise of user data or other sensitive systems, either to employees or users,” said 1Password’s chief technology officer.

In a report detailing the security incident, 1Password said the hackers used a session token from a file that a member of the IT team uploaded to Okta’s support system. The session token allowed hackers to use a member’s IT department account without needing their password or two-factor code, giving hackers limited access to Okta’s 1Password dashboard.

1Password said the incident occurred on 29. September, two weeks before Okta released details of the incident.

Cloudflare also confirmed in a blog post that hackers had similarly attacked its systems using a session token stolen from Okta’s support department.

Cloudflare’s director of information security said the incident, which began on 18. October, resulted in no access to their systems or data.

Security company BeyondTrust said it was also affected by the Okta breach, but that it also quickly shut down the attack. In a blog post, BeyondTrust said they had notified Okta about the incident on 2. October.

A spokesperson for Okta told TechCrunch that about 1% of its 17,000 enterprise customers, or 170 organisations, were affected by the breach.

Samsung Galaxy S23 hacked four times in four days

During Pwn2Own Toronto, which took place from 24. until 27. October, the Samsung Galaxy S23 smartphone was subjected to several attacks, being successfully cracked four times by different teams of researchers. This figure shows the serious security issues that Samsung has to deal with, especially when compared to other flagship smartphones, from Apple (iPhone) and Google (Pixel). that have not been breached. Xiaomi’s flagship was hacked twice during the conference.

The first attack on Samsung by the Pentest Limited team showed how incorrect input validation can be exploited to run malicious code on a device.

The STAR Labs SG and ToChim teams have shown how too large a list of allowed inputs can be exploited to gain access to system resources.

The Interrupt Labs team exploited the same type of vulnerability as the first team, but showed a different way that incorrect input validation can be exploited to carry out an attack.

Although not counted as a new zero-day attack, the Orca team at Sea Security also successfully attacked the Samsung Galaxy S23 by exploiting a previously known exploit that has not yet been patched.

Samsung has been notified of these vulnerabilities and now has 120 days to develop and distribute patches before the technical details of the vulnerabilities are made public. Security researchers were awarded a total of $125,000 for disclosing these vulnerabilities.

The Pwn2Own Toronto event, spearheaded by Trend Micro’s Zero Day initiative, serves as a gathering of cybersecurity experts looking to uncover weaknesses in today’s gadgets. Testing includes smartphones, printers and smart speakers, among others, and is conducted with their standard settings and the latest security patches.

Link: https://www.androidpolice.com/samsung-galaxy-s23-hacked-pwn2own/

European government email servers hacked using zero-day vulnerability in Roundcube

Russian hacking group Winter Vivern is exploiting a zero-day vulnerability in Roundcube webmail to attack European government entities.

The Roundcube development team has released security updates to fix the XSS vulnerability tracked as CVE-2023-5631, reported by ESET researchers 16. October.

These security patches were released five days after ESET discovered Russian attackers exploiting this zero-day in real-world attacks.

According to ESET’s findings, the cyber espionage group (also known as TA473) used HTML email messages containing SVG documents to remotely inject arbitrary JavaScript code.

Their phishing messages impersonated Outlook Team and attempted to trick potential victims into opening malicious emails, launching the first phase of a payload that exploited a vulnerability in the Roundcube email server. This script helped attackers to obtain emails from compromised webmail servers.

“By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual intervention is required apart from displaying the email in the web browser,” ESET said.

The final JavaScript payload is able to list folders and emails in the current Roundcube account and exfiltrate email messages to the C&C server.

First spotted in April 2021, Winter Wyvern has attracted attention by deliberately targeting government entities around the world, including countries such as India, Italy, Lithuania, Ukraine and the Vatican.

According to SentinelLabs researchers, the group’s goals closely align with the interests of the governments of Belarus and Russia.

Winter Vivern is actively targeting Zimbra and Roundcube email servers owned by government organizations.

Link: https://thehackernews.com/2023/10/nation-state-hackers-exploiting-zero.html

iLeakage: New Safari vulnerability affects Apple iPhones and Macs with A- and M-series processors

A team of researchers from universities in the U.S. and Germany has revealed an attack targeting Apple devices made from 2020 onwards, specifically those with A-series and M-series processors

The iLeakage exploit targets the WebKit kernel that powers the Safari browser on macOS, and essentially any browser on iOS and iPadOS due to the mandatory use of the WebKit kernel.

iLeakage can extract sensitive data from the browser, such as. the contents of your Gmail inbox and the passwords stored in your password manager.

Apple was notified of the iLeakage exploit on 12. September, and the good news is that the patch has already been released, so you just need to have the latest versions of Apple’s operating systems.

Link: https://thehackernews.com/2023/10/ileakage-new-safari-exploit-impacts.html

Seiko security breach by the “BlackCat” group: 60,000 records leaked

“After a comprehensive review by both the company and cybersecurity experts, we have confirmed that a total of 60,000 items of personal information have been compromised by Seiko,” Seiko said in its latest version of the announcement.

Information includes:

  • information on job applicants at SGC and SWC.
  • personal details of current and former SGC employees
  • SWC customer data
  • contact details of counterparties in commercial transactions

“Since attackers now have sensitive data belonging to customers, employees and job applicants, they can target these victims with realistic phishing scams.”

Remarkably, credit card information remained safe. The company has also increased security, including blocking communication with external servers, deploying EDR systems and implementing multi-factor authentication (MFA). Going forward, Seiko plans to work with cybersecurity experts to assess vulnerabilities, improve system security and prevent future incidents.

“We sincerely apologize for any inconvenience this attack on our data servers may have caused or may yet cause,” Seiko wrote.

Link: https://www.infosecurity-magazine.com/news/seiko-blackcat-breach-affects-60000/

Interested in cyber security? Check out the next episodes of our weekly magazine Security Sunday.