The Latest in the Okta/Lapsus$ Saga + Return of Log4J

March 30, 2022

This week’s news is brought to you by JupiterOne; find out more about them here.

  • It was all things Lapsus$ and Okta last week; to learn where it all started you can check out our episode from last week. In short, Lapsus$, a digital extortion gang, alleged that it could control an Okta administrative or “super user” account. Okta investigated and responded by sharing that approximately 2.5% of its customers have potentially been impacted and that their data may have been viewed or acted upon. Okta has since elaborated further, publishing a timeline of events from January to March 2022 and describing Sitel, an Okta sub-processor that provides Okta with contract workers for its Customer Support organization. The screenshots that Lapsus$ shared were taken from a Sitel support engineer’s computer to which an attacker had obtained remote access using RDP. This device was owned and managed by Sitel. Okta shared that the access a support engineer has is limited to basic duties in handling inbound support queries and does not provide “god-like access” to all its users. Okta acknowledged that it made a mistake and that Sitel is its service provider, for which it is ultimately responsible.
  • You can read their statement here and let us know what you think of Okta’s response: are you satisfied with it?
  • As Okta works through this, seven youths between the ages of 16 and 21 have been arrested by the City of London Police for alleged ties to the prolific LAPSUS$ extortion gang, and a 16-year-old from Oxford has been accused of being one of the leaders of the cyber-crime gang and of having allegedly built up a £10.6m fortune. They have all been released under investigation and inquiries remain ongoing.
  • Just when you thought you had seen the last of Log4j, Sophos reported this week that the remote code execution (RCE) Log4j vulnerability is under active attack, “particularly among cryptocurrency mining bots.” Besides cryptominers, attackers are also prying open Log4Shell to deliver backdoors that Sophos believes belong to initial access brokers (IABs) and could lay the groundwork for later ransomware infections. These attacks have included ones targeting vulnerable VMware Horizon servers, a platform that serves up virtual desktops and apps across the hybrid cloud. VMware pushed out patched versions of Horizon as of March 8 2022, but many organizations may still not have deployed the fixed versions or applied workarounds to vulnerable ones. Even if they have, as demonstrated by the backdoors and reverse shell activity Sophos found, those systems may already be compromised in other ways. It’s a friendly reminder for organizations to thoroughly research their exposure to potential Log4j vulnerabilities, as they may affect commercial, open-source and custom software that in some cases may not have regular security support. Platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can easily be found and exploited with well-tested tools. Read the Sophos report here.
  • The cloud security industry does deliver some great reporting and we do a deep dive on it to bring you the best bits. This week we read Rapid7’s Vulnerability Intelligence Report. They reported a 136% increase in widespread threats over 2020, due in part to attacker economies of scale, such as ransomware and coin mining campaigns, a significant rise in zero-day attacks and a lower time to known exploitation. Interestingly, they also shared that a much higher proportion of zero-day attacks are now threatening many organizations from the outset, instead of being used in more targeted operations. You can check out Rapid7’s report here.
  • Google Chrome, the popular browser, is often the browser of choice for large companies with lots of employees; it is used worldwide for accessing the internet, including your cloud accounts and SaaS accounts. Google recently issued a warning on its official Chrome blog revealing that Chrome on Windows, macOS and Linux is vulnerable to a new ‘zero-day’ hack, acknowledging that Google is aware that an exploit for the critical vulnerability exists in the wild. In response, Google has announced an emergency update for Chrome. Read more about this here. While we are talking about cybersecurity for your staff using Google Chrome, you may want to check out the video that Ashish did about the password manager 1Password and Ryan Reynolds. Yes, you heard that right!
  • And finally, as you know we love celebrating the up-and-coming cloud security start-ups, as there is always something exciting that the talented folks of cloud security are working on. The latest in that rank is Cyera, an Israeli cloud-native data security platform, which has announced its exit from stealth with $60M in financing. They wish to usher in a new era of cloud security, one where data is finally factored into the equation.
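A practical way to act on the Log4j reminder in the Sophos item above is to inventory what is actually on disk rather than trusting a package list. The scanner below is an added example written for this post; it is not code from Sophos, VMware, Rapid7 or the newsletter. It walks a directory tree, opens every JAR/WAR/EAR (including archives bundled inside other archives, which is where fat JARs and web applications hide their own copy of log4j-core), reads the Maven version from pom.properties and checks whether JndiLookup.class is still present. The version thresholds, the status labels, and the sample archives built by make_sample_jar and demo are assumptions of this example, not facts from the article.

```python
"""Inventory Log4j 2 artefacts on disk and flag the ones that still carry the
JNDI lookup.  Added example; thresholds and sample data are assumptions."""
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

# Real paths inside a log4j-core JAR; the two version thresholds are this
# example's assumed patch policy (2.15.0 closed the JNDI RCE, later releases
# fixed follow-ups), so adjust them to your own advisory tracking.
LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
RCE_FIXED = (2, 15, 0)
SAFE_FROM = (2, 17, 1)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


@dataclass
class Finding:
    location: str            # file path; "!" separates nested archive layers
    version: Optional[str]
    has_jndi_lookup: bool

    @property
    def status(self) -> str:
        ver = parse_version(self.version) if self.version else None
        if self.has_jndi_lookup and (ver is None or ver < RCE_FIXED):
            return "vulnerable"
        if ver is None or ver < SAFE_FROM:
            return "review"      # lookup class stripped, or a partially fixed line
        return "ok"


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.17.1-rc1' -> (2, 17, 1); only the leading digits of each part count."""
    nums = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def inspect_jar_bytes(data: bytes, location: str, depth: int = 0) -> List[Finding]:
    """Findings for this archive plus any archives bundled inside it."""
    findings: List[Finding] = []
    try:
        jar = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings              # not a zip: skip, do not crash the sweep
    with jar:
        names = set(jar.namelist())
        if POM_PROPS in names or LOOKUP_CLASS in names:
            version = None
            if POM_PROPS in names:
                for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append(Finding(location, version, LOOKUP_CLASS in names))
        if depth < 3:                # shaded JARs / WARs nest log4j-core inside
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    findings += inspect_jar_bytes(jar.read(name), f"{location}!{name}", depth + 1)
    return findings


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = Path(dirpath) / name
                findings += inspect_jar_bytes(path.read_bytes(), str(path))
    return findings


def make_sample_jar(version: Optional[str], with_lookup: bool, nested: bytes = b"") -> bytes:
    """Constructed test artefact shaped like log4j-core (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if version:
            z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_lookup:
            z.writestr(LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # placeholder bytes
        if nested:
            z.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


def demo() -> dict:
    """Write three constructed archives to a temp dir, scan them, return {location: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "old-app" / "lib").mkdir(parents=True)
        (root / "old-app" / "lib" / "log4j-core-2.14.1.jar").write_bytes(make_sample_jar("2.14.1", True))
        (root / "mitigated.jar").write_bytes(make_sample_jar("2.14.1", False))  # class removed
        (root / "bundle.war").write_bytes(make_sample_jar(None, False, nested=make_sample_jar("2.11.2", True)))
        return {f.location.replace(tmp, "<root>"): f.status for f in scan_tree(tmp)}


if __name__ == "__main__":
    for location, status in demo().items():
        print(f"{status:10} {location}")
```

Point scan_tree at an application install directory or a mounted image rather than the demo tree. A "vulnerable" or "review" hit is a reason to check the vendor's advisory for that product, not proof of compromise; equally, as the Sophos report notes, a clean scan says nothing about backdoors that were planted before the patch landed, so pair the inventory with the usual host and network review.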
