
Cyber Intelligence Weekly (October 29, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight that we're back with another episode of our "Chew on This" webinar series, and you won't want to miss it! 🚀

📅 Save the Date: Wednesday, November 1st

🕛 Time: 1:00 PM ET

🎙️ Panelists: Matt Donato and Paul Interval

🌟 Special Guest: Christopher Hetner

This episode will delve deep into the vital relationship between a Virtual Chief Information Security Officer (vCISO) and a Chief Information Officer (CIO) in the realms of cybersecurity and overall business strategy.

This collaboration fortifies the organization's cybersecurity framework and bolsters its long-term success. We've designed this webinar especially for IT Executives and Leaders in medium-sized, growing businesses.

Mark your calendar and get ready to boost your cybersecurity and business strategy knowledge. We can't wait to see you there! 🤝💡

Link to register: https://www.linkedin.com/events/cios-chewonthis-shouldavcisobet7118338556552466432/theater/

Away we go!

1. Okta Breach Fallout Hits Cloudflare and 1Password

Cloudflare and 1Password have both disclosed that they were targeted by attackers in the wake of a breach of Okta's customer support system. Okta, a major identity and single sign-on provider, confirmed that the support case management system had been accessed with a stolen credential and that the intruder viewed files customers upload to help diagnose technical problems. Those files are HTTP Archive (HAR) recordings of browser sessions, and a HAR file captures every request and response verbatim, including cookies, bearer tokens and any other session material that was in flight. Whoever holds a still-valid session token from such a file can act as that user without knowing the password or passing an MFA prompt, which is exactly what made the follow-on attacks on Okta customers possible.

Both companies said the intrusions traced directly to the Okta support breach and that their customer systems and user data were not affected. Pedro Canahuati, 1Password's CTO, stated in a blog post, "We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing. We’ve confirmed that this was a result of Okta’s support system breach."

Both companies contained the activity quickly, but the episode shows how a single compromise propagates: a token lifted from a support case at one vendor became a working login at another. For practitioners the lessons are concrete. Treat a vendor's support portal as part of your identity trust boundary, because whatever you upload there is only as safe as that vendor's support tooling. Strip cookies, Authorization headers and session tokens from HAR files before they leave the organization (Okta's own post-incident guidance says the same), and when a support case has involved a HAR upload, revoke the sessions it captured rather than waiting for them to expire. Finally, alert on session tokens that are suddenly presented from an unfamiliar source, since a replayed token is the attacker's only foothold.
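As an added example (our own illustration, not Okta's, Cloudflare's or 1Password's tooling), here is a small scrubber for the kind of HAR file such a support case contains. It assumes the HAR 1.2 JSON layout that browsers export, redacts sensitive headers, every cookie value, secret-looking query parameters (in both the queryString array and the URL string itself) and token-like JSON body fields, and then lets you grep the result for any secret you already know of. The header and field-name lists are a hypothetical starting point, and the sample capture, host name and token values are constructed.

```python
import json
import re
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Hypothetical starting lists; extend them for the headers and fields your apps use.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-api-key", "x-auth-token", "x-csrf-token"}
SENSITIVE_NAME = re.compile(r"token|session|secret|password|assertion|cookie", re.I)

def _scrub_named_values(items, predicate):
    """Redact the value of every {name, value} object whose name satisfies predicate."""
    n = 0
    for item in items or []:
        if predicate(item.get("name", "")):
            item["value"] = REDACTED
            n += 1
    return n

def _scrub_url(url):
    """The queryString array is only a copy; the URL string must be cleaned too."""
    parts = urlsplit(url)
    cleaned, n = [], 0
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_NAME.search(name):
            value, n = REDACTED, n + 1
        cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), n

def _scrub_json(obj):
    """Recursively redact secret-looking keys inside a decoded JSON body."""
    n = 0
    if isinstance(obj, dict):
        for key, value in obj.items():
            if SENSITIVE_NAME.search(key):
                obj[key] = REDACTED
                n += 1
            else:
                n += _scrub_json(value)
    elif isinstance(obj, list):
        n = sum(_scrub_json(value) for value in obj)
    return n

def _scrub_body(body):
    """JSON bodies are scrubbed field by field; any other body that mentions a
    secret-looking name is redacted wholesale, since its structure is unknown."""
    if not body or body.get("text") is None:
        return 0
    try:
        decoded = json.loads(body["text"])
    except ValueError:
        if SENSITIVE_NAME.search(body["text"]):
            body["text"] = REDACTED
            return 1
        return 0
    n = _scrub_json(decoded)
    if n:
        body["text"] = json.dumps(decoded)
    return n

def scrub_har(har):
    """Return (scrubbed deep copy of a parsed HAR dict, number of values redacted)."""
    har = deepcopy(har)
    total = 0
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        for side in (req, resp):
            total += _scrub_named_values(side.get("headers"), lambda h: h.lower() in SENSITIVE_HEADERS)
            total += _scrub_named_values(side.get("cookies"), lambda h: True)  # every cookie value
        total += _scrub_named_values(req.get("queryString"), SENSITIVE_NAME.search)
        req["url"], n = _scrub_url(req.get("url", ""))
        total += n + _scrub_body(req.get("postData")) + _scrub_body(resp.get("content"))
    return har, total

def still_contains(har, secret):
    """Last check before upload: is a known secret value anywhere in the serialized HAR?"""
    return secret in json.dumps(har)

# Constructed sample, not a real capture; host, cookie and token values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://idp.example.com/api/v1/sessions/me?sessionToken=20111AbCdEf",
        "headers": [{"name": "Host", "value": "idp.example.com"},
                    {"name": "Cookie", "value": "sid=102vXyZ; JSESSIONID=AB12"},
                    {"name": "Authorization", "value": "Bearer eyJhbGciOi.fake.sig"}],
        "queryString": [{"name": "sessionToken", "value": "20111AbCdEf"}],
        "cookies": [{"name": "sid", "value": "102vXyZ"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Content-Type", "value": "application/json"},
                    {"name": "Set-Cookie", "value": "sid=102vXyZ; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "102vXyZ"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"id": "102vXyZ", "login": "alice@example.com",
                                        "sessionToken": "20111AbCdEf"})}}}]}}
```

Call scrub_har on the parsed file and refuse to upload while still_contains reports a known secret. In the constructed sample the name-based pass redacts eight values but misses the session ID that the response body returns under the plain key id, which only the final check catches; that is why the scrubber alone is not enough. Simpler and safer still is a policy of never uploading a HAR captured from an authenticated session: reproduce the failing request while logged out, or from a throwaway test account.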

2. Citrix Issues Urgent Warning: Patch CVE-2023-4966 Now to Prevent Critical Data Exposure

Citrix has issued an urgent warning to administrators to patch CVE-2023-4966, a sensitive information disclosure flaw in NetScaler ADC and NetScaler Gateway appliances. Citrix shipped fixed builds two weeks ago and rated the bug 9.4 out of 10 on the CVSS scale: it can be exploited remotely by an unauthenticated attacker, with low complexity and no user interaction. An appliance is only affected if it is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server.

Citrix's original bulletin reported no evidence of exploitation, but a week later Mandiant disclosed that threat actors had been exploiting CVE-2023-4966 as a zero-day since late August 2023. The disclosed data includes valid session tokens, and an attacker who replays one hijacks an already-authenticated session: MFA and any other login-time control are never consulted, because the login already happened. Mandiant observed the flaw used to get into government entities and technology companies, and because exploitation predates the patch by roughly six weeks, installing the fix alone does not tell you whether an appliance was already compromised.

Citrix has urged administrators to install the recommended builds immediately. Patching does not invalidate sessions that were already stolen, so Citrix also recommends terminating all active and persistent sessions once the fixed build is running, using the NetScaler CLI commands kill icaconnection -all, kill rdp connection -all, kill pcoipConnection -all, kill aaa session -all and clear lb persistentSessions. Appliances not configured as a Gateway or AAA virtual server are not affected. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-4966 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate by November 8; given that exploitation has been under way since August, that deadline is a reasonable benchmark for everyone else, and a review of gateway logs for sessions used from unexpected sources should go with it.
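The attacks in items 1 and 2 end the same way: a stolen session token is presented from infrastructure the real user never touched. As an added example (not Mandiant's or Citrix's detection logic, and not a parser for NetScaler's or Okta's own log format), the following Python flags session IDs that reappear from a different source IP or user agent than the one that established them, and ranks them for the session termination Citrix recommends. The log format and the lines it runs over are constructed for this example; adapt LOG_RE to the fields your gateway or identity provider actually logs.

```python
import re
from datetime import datetime, timezone

# Constructed log format for this example (not NetScaler's or Okta's own):
# one request per line, whitespace-separated key=value fields.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) session=(?P<sid>\S+) '
    r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)

# Constructed sample (RFC 5737 test addresses). alice's session is replayed from
# a new IP by a scripted client; bob is clean; carol changes IP only, as a phone
# moving between networks would. The third line is truncated on purpose.
SAMPLE_LOG = """\
2023-10-20T14:02:11Z src=203.0.113.5 user=alice session=s1a2b3 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/118" path=/login
2023-10-20T14:02:40Z src=203.0.113.5 user=alice session=s1a2b3 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/118" path=/app/dashboard
2023-10-20T14:03:00Z src=203.0.113.5 user=alice session=s1a2b3
2023-10-20T14:05:03Z src=198.51.100.77 user=alice session=s1a2b3 ua="python-requests/2.31" path=/app/dashboard
2023-10-20T14:06:15Z src=198.51.100.77 user=alice session=s1a2b3 ua="python-requests/2.31" path=/app/admin/users
2023-10-20T14:10:00Z src=203.0.113.9 user=bob session=z9y8x7 ua="Mozilla/5.0 (Macintosh) Safari/17" path=/login
2023-10-20T14:11:30Z src=203.0.113.9 user=bob session=z9y8x7 ua="Mozilla/5.0 (Macintosh) Safari/17" path=/app/dashboard
2023-10-20T14:20:00Z src=203.0.113.20 user=carol session=q4w5e6 ua="Mozilla/5.0 (iPhone) Mobile Safari/17" path=/login
2023-10-20T14:35:10Z src=203.0.113.21 user=carol session=q4w5e6 ua="Mozilla/5.0 (iPhone) Mobile Safari/17" path=/app/dashboard
"""

def parse_log(text):
    """Parse log lines into dicts ordered by timestamp; lines that do not match
    the format are skipped rather than allowed to abort the whole run."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_session_reuse(events):
    """Return one finding per session ID that is later presented from a source IP
    or user agent different from the one that first established it.
    A user-agent change is rated high (a browser does not change its UA mid-session);
    an IP-only change is rated medium, since NAT, VPNs and mobile roaming produce
    legitimate ones and it needs corroboration before anyone is paged."""
    origin = {}    # sid -> the first event that used the session
    findings = {}  # sid -> finding (first anomalous reuse only)
    for ev in events:
        sid = ev["sid"]
        first = origin.setdefault(sid, ev)
        if first is ev or sid in findings:
            continue
        ip_changed = ev["src"] != first["src"]
        ua_changed = ev["ua"] != first["ua"]
        if not (ip_changed or ua_changed):
            continue
        findings[sid] = {
            "session": sid,
            "user": ev["user"],
            "severity": "high" if ua_changed else "medium",
            "first_seen": first["ts"].isoformat(),
            "first_src": first["src"],
            "first_ua": first["ua"],
            "reuse_at": ev["ts"].isoformat(),
            "reuse_src": ev["src"],
            "reuse_ua": ev["ua"],
            "reuse_path": ev["path"],
            "minutes_after_first_use": round((ev["ts"] - first["ts"]).total_seconds() / 60, 1),
        }
    return list(findings.values())

def sessions_to_terminate(findings, min_severity="medium"):
    """Session IDs to kill server-side, worst first; feed this to whatever
    session-revocation mechanism the gateway or identity provider offers."""
    rank = {"medium": 1, "high": 2}
    return [f["session"] for f in sorted(findings, key=lambda f: -rank[f["severity"]])
            if rank[f["severity"]] >= rank[min_severity]]
```

On the constructed sample, alice's session is flagged high (new IP and a scripted user agent within three minutes of login) and carol's medium (IP change only), while bob produces nothing. Corroborate a medium finding with a new ASN or country, unusual paths, or a session that outlives the user's idle timeout before paging anyone. Kill flagged sessions only after the fixed build is installed; otherwise the attacker simply harvests a fresh token.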

3. Crossing Borders, Breaching Privacy: The Serious Security Flaws in Cellphone Roaming Technology

In a report on the weaknesses of global cellphone roaming, the University of Toronto's Citizen Lab has shown how easily spies and criminals can exploit decades-old signaling protocols such as SS7 and its successor Diameter to track phone owners worldwide. The seemingly seamless handover that occurs when a phone moves onto a network owned by a different operator depends on those networks exchanging the subscriber's location so that service is not interrupted, and any party with access to the signaling network can issue the same queries and receive the same location details.

The Citizen Lab report points out that not only foreign intelligence and security services seek location information, but so do domestic state actors like law enforcement. The methods used by these actors are not unlike those employed by unlawful actors who may use the information for nefarious purposes. The complex web of companies involved in the cellular ecosystem creates ample opportunities for these bad actors to exploit vulnerabilities for location tracking.

The report also highlights the role of the IP Exchange (IPX), the private network over which cellular companies exchange roaming data. The IPX is connected to over 750 mobile networks in 195 countries, and access to it is bought and sold privately among telecom companies and intermediaries, so a surveillance actor can lease a foothold on the exchange and hide behind a legitimate-looking operator identity while issuing location queries. Citizen Lab documented several instances where cellular roaming was exploited for surveillance, such as a seven-month location surveillance campaign in Vietnam and multiple geolocation attacks originating from telecoms in Chad and the Democratic Republic of the Congo. The global nature of the cellular system makes it a ripe target for exploitation, with the report also noting location surveillance efforts originating from India, Iceland, Sweden, and Italy.

The report calls out the lax security standards and lack of legal and regulatory consequences in global telecommunications. It points out that while much attention has been focused on the surveillance threats posed by Chinese technologies, similar scrutiny has not been applied to non-Chinese equipment and its potential to facilitate surveillance activities. The report emphasizes the need for improved security measures and accountability in the global telecommunications industry to protect users from unwanted location tracking.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
