
Below are some of the stories we’ve been reporting this week on Cyber Security Headlines.

If you’d like to watch and participate in a discussion about them, the CISO Series does a live 20-minute show every Friday at 12:30pm PT/3:30pm ET. Each week we welcome a different cyber practitioner to offer some color to the week's stories. Our guest this week is Arvin Bansal, former CISO, Nissan Americas.

To get involved you can watch live and participate in the discussion on YouTube Live or you can subscribe to the Cyber Security Headlines podcast and get it into your feed.

Here are the stories we plan to cover, time permitting:

Okta HAR support system attacked
An advisory from Okta states that last week’s attack involved threat actors gaining access to customers’ HTTP Archive files (HAR for short), which are used for troubleshooting by replicating browser activity. By their nature HAR files can contain sensitive data such as cookies and session tokens that threat actors can use to impersonate valid users. Security Chief David Bradbury said the compromised case management system is separate from the production Okta service, which was not impacted and remains fully operational. Okta has of course taken measures to protect its customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it. In a separate alert, security firm BeyondTrust said it was a target of a cyberattack linked to this Okta support system breach. (SecurityWeek, Okta and BeyondTrust)
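Okta's recommendation to strip credentials and cookies/session tokens from a HAR file before handing it to a support desk is easy to automate. The script below is an added example written for this post; it is not Okta's own sanitizer and is not code from the page. It assumes the public HAR 1.2 JSON layout (log.entries[].request and .response, each with headers, cookies, queryString, postData and content). The set of header and parameter names it treats as sensitive, the token pattern, and the sample HAR are this example's own constructed choices, so extend them for your environment.

```python
"""Redact secrets from a HAR (HTTP Archive) file before sharing it for troubleshooting.

Added example, not Okta's tooling. Assumes the HAR 1.2 layout:
log.entries[].request/response with headers, cookies, queryString, postData, content.
"""
import copy
import json
import re
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names whose values carry credentials or session material (assumption: tune per environment).
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-auth-token", "x-csrf-token", "x-xsrf-token",
}

# Query-string and form-field names that commonly carry tokens (assumption).
SENSITIVE_PARAMS = {
    "access_token", "id_token", "refresh_token", "token", "session",
    "sessiontoken", "code", "password",
}

# Loose pattern for bearer-style tokens and JWTs embedded in request/response bodies.
TOKEN_RE = re.compile(
    r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]{16,}"
    r"|eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"
)


def _redact_pairs(pairs, sensitive_names):
    """Blank the value of each {name, value} record whose name is sensitive; return count."""
    n = 0
    for p in pairs or []:
        if p.get("name", "").lower() in sensitive_names:
            p["value"] = REDACTED
            n += 1
    return n


def _redact_cookies(cookies):
    """Cookie values are always session material in a HAR, so redact every one."""
    n = 0
    for c in cookies or []:
        if "value" in c:
            c["value"] = REDACTED
            n += 1
    return n


def _redact_url(url):
    """Redact sensitive query parameters that are embedded in the URL string itself."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    n, qs = 0, []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k.lower() in SENSITIVE_PARAMS:
            v, n = REDACTED, n + 1
        qs.append((k, v))
    return urlunsplit(parts._replace(query=urlencode(qs, safe="[]"))), n


def _redact_text(text):
    """Replace bearer tokens / JWTs found in free-form body text."""
    if not text:
        return text, 0
    return TOKEN_RE.subn(lambda m: (m.group(1) or "") + REDACTED, text)


def sanitize_har(har):
    """Return (sanitized deep copy, number of redactions). The input is left untouched."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            count += n
        count += _redact_pairs(req.get("headers"), SENSITIVE_HEADERS)
        count += _redact_pairs(resp.get("headers"), SENSITIVE_HEADERS)
        count += _redact_cookies(req.get("cookies"))
        count += _redact_cookies(resp.get("cookies"))
        count += _redact_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        post = req.get("postData", {})
        count += _redact_pairs(post.get("params"), SENSITIVE_PARAMS)
        if "text" in post:
            post["text"], n = _redact_text(post["text"])
            count += n
        content = resp.get("content", {})
        if "text" in content:
            content["text"], n = _redact_text(content["text"])
            count += n
    return out, count


# Constructed sample HAR (not a real capture) with a session cookie, bearer header and JWT body.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed-sample", "version": "0"}, "entries": [{
    "request": {
        "method": "POST", "url": "https://example.invalid/api/me?access_token=abc123",
        "headers": [{"name": "User-Agent", "value": "Mozilla/5.0"},
                    {"name": "Cookie", "value": "sid=constructed-session-value"},
                    {"name": "Authorization", "value": "Bearer constructed-bearer-token-0123456789"}],
        "cookies": [{"name": "sid", "value": "constructed-session-value"}],
        "queryString": [{"name": "access_token", "value": "abc123"}],
        "postData": {"mimeType": "application/json",
                     "text": "{\"token\": \"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.c29tZXNpZ25hdHVyZXZhbHVlMTIz\"}"}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=constructed-session-value; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "constructed-session-value"}],
        "content": {"size": 10, "mimeType": "application/json", "text": "{\"ok\": true}"}}}]}}

if __name__ == "__main__":
    # Usage: python sanitize_har.py capture.har > capture.sanitized.har
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, n = sanitize_har(har)
    json.dump(clean, sys.stdout, indent=2)
    print(f"\n# {n} redactions", file=sys.stderr)
```

Redacting by header and cookie name is deliberate: a value-matching regex alone misses opaque session identifiers, while a name-based rule catches every Cookie, Set-Cookie and Authorization value regardless of format, and the body regex only backstops tokens that leak into JSON or form payloads. Before sharing, grep the output for any string you know to be a live secret; the redaction count is a sanity check, not proof of completeness.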

Cisco identifies additional IOS XE vulnerability
Last week we reported on the high-severity level 10 vulnerability CVE-2023-20198, which at the time did not have a patch. Now, in preparing a patch for release yesterday, Sunday, Cisco also mentioned that its incident responders had observed hackers also exploiting CVE-2021-1435, which Cisco had patched in 2021. The company noted that “devices fully patched against that bug were seen infected by implants successfully installed through an as of yet undetermined mechanism.” The patch released yesterday was intended to deal with both issues, with the 2021 vulnerability being repackaged as CVE-2023-20273. According to Bleeping Computer, over the weekend numerous cybersecurity organizations reported that “the number of Cisco IOS XE devices with a malicious implant has mysteriously dropped from approximately 60,000 devices to only 100-1,200, depending on the different scans.” Experts are unsure whether “threat actors behind the attacks are deploying an update to hide their presence, thus causing the implants to be no longer seen in scans,” or whether a “gray-hat hacker is automating the reboot of impacted Cisco IOS XE devices to clear the implant.”

CISA protests potential 25% budget cut as “catastrophic”
This from Eric Goldstein, executive assistant director for cybersecurity at CISA, speaking at a House Homeland Security cybersecurity and infrastructure protection subcommittee hearing on federal cybersecurity, held Wednesday. The 25% cut to CISA’s budget has been proposed by House Republicans. Goldstein said that CISA will effectively be “in a period of stasis where even as our adversaries evolve,” adding that such cuts would make “federal networks more vulnerable to attacks from U.S. adversaries like Russia, China, Iran and North Korea.”
(Cyberscoop)

Threat actor sells access to Facebook and Instagram police portal
According to Alon Gal, co-founder & CTO of Hudson Rock, the portal is used by law enforcement to “request data relating to users (IP, phones, DMs, device info) or request the removal of posts and the ban of accounts.” Gal believes this was a social engineering attack in which the threat actor either solicited access data from a Meta employee or used police credentials to gain access. This gives the individual the ability to make unauthorized data requests, enable harassment and doxxing, initiate fake law enforcement actions, and steal identities.
(Security Affairs)

Over 80% of security leaders have already received AI email attacks
A recent report from Abnormal Security has revealed that nearly all (98%) security leaders are concerned about the cybersecurity risks posed by artificial intelligence (AI) tools with four-fifths (80.3%) of respondents confirming their organizations have either already received AI-generated email attacks or strongly suspect that this is the case. The majority of respondents rely on their cloud email providers or legacy tools for email security. Nearly half of respondents (46%) lack confidence in traditional solutions to detect and block AI-generated attacks. Finally, 92% of survey participants see the value in using AI to defend against AI-generated email threats while more than 94% say that AI will have a major impact on their cybersecurity strategy over the next two years.
(Security Magazine)

Microsoft’s Scattered Spider warning
Microsoft has described the group as "one of the most dangerous financial criminal groups," pointing to its “operational fluidity and its ability to incorporate SMS phishing, SIM swapping, and help desk fraud into its attack model.” The group has been seen using impersonation techniques, with members posing as newly hired employees in its target firms in order to blend in. The group is also known by other names, including Octo Tempest, 0ktapus, Scatter Swine, and UNC3944.
(The Hacker News)

Microsoft tests Security Copilot
Microsoft first announced back in March that its Copilot would receive a security-focused offering. It will now open up an early access pilot embedded within Microsoft 365 Defender XDR. The company says the Copilot can free up to 40% more time that would otherwise go to mundane tasks, and frames the service as a way to upskill less-experienced analysts. In terms of features, Security Copilot can summarize security incidents into natural language, analyze incidents, and synthesize reports. It can also turn natural language prompts into KQL queries.
(The Register)

SMIC making advanced chips with ASML tech
Bloomberg’s sources say China’s largest domestic chip producer used ASML’s immersion deep ultraviolet machines to produce advanced chips for Huawei smartphones. SMIC produced a 7nm chip with the equipment, a capability recent US export bans have sought to keep out of China. ASML never exported its most advanced chipmaking equipment to China; however, analysts say it’s possible to retool its less advanced models to produce advanced chips. The company could justify this in a competitive market, but SMIC received significant state assistance to produce these chips. It’s believed Chinese firms stockpiled less advanced ASML chipmaking equipment for years prior to the more stringent export bans.
(Bloomberg)

submitted by /u/CISO_Series_Producer
