Cyber Intelligence Weekly

Cyber Intelligence Weekly (September 10, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

Before we get started on this week’s CIW, I’d like to highlight our Hackin’ SaaS Webinar Series on October 10th, 2023, where we dive deep into the world of SQL Injection. At Echelon, our Offensive Security (OffSec) team confronts web app vulnerabilities daily, and SQL Injection remains one of the most prevalent threats. In this webinar, we'll not only demonstrate how to break into SQL statements but also teach you how to prevent these attacks. Don't miss this chance to boost your application security expertise and safeguard your web apps with Jake Murphy, Evan Isaac, and Kristofer Johnson. Secure your spot now!

📅 Date: October 10th, 2023

🕒 Time: 3:00 PM EST

Away we go!

1. Forever 21 Faces Significant Data Breach Impacting Half a Million Current and Former Employees

Popular retail clothing behemoth Forever 21 disclosed a severe data breach earlier this year, impacting over half a million people. According to a breach notice sent to Maine’s attorney general, the fashion retailer fell victim to a cyber attack over a span of three months starting in January 2023. The cyber intruders were able to extract files, which encompassed the personal details of both current and past employees. A spokesperson representing Forever 21 through the PR agency FTI Consulting communicated to TechCrunch that the compromised data covered aspects such as names, birth dates, bank details, Social Security numbers, and specifics related to Forever 21's health plan.

The notification to the affected 539,207 individuals did not delve deep into the breach specifics. However, it emphasized the actions taken by Forever 21 to ensure that the unauthorized entity no longer had access to the compromised data. The company's statement raises eyebrows due to its ambiguity, hinting at the possibility that the retailer might have paid the cybercriminals to delete the accessed data. Although some ransomware groups often threaten to expose stolen data if their ransom demands aren't met, trusting their claims of data deletion remains a risky gamble, as per security experts.

This incident isn't Forever 21's maiden encounter with cyber breaches. The brand faced a significant data breach in 2017 where a considerable amount of credit card details were stolen from its store payment systems. Amidst this crisis, the recent announcement of a partnership between Forever 21 and the retail titan Shein comes into focus, raising concerns about the potential impact of this breach on their collaboration. The exact implications of the breach on this partnership remain uncertain.

2. Okta Warns of Social Engineering Attacks on IT Service Desks

Identity and access management firm Okta recently alerted its users about cybercriminals employing social engineering tactics to deceive IT service desk agents. The malicious actors are primarily focusing on U.S.-based customers, aiming to mislead them into resetting multi-factor authentication (MFA) for high-privilege users. The primary objective is to gain control over Okta Super Administrator accounts, subsequently misusing identity federation features to impersonate users from the affected organization. Okta disclosed indicators of such compromise attempts that transpired between July 29 and August 19.

Prior to targeting the IT service desk, the attacker either possessed passwords to privileged accounts or manipulated the authentication process via Active Directory (AD). Upon successful infiltration of a Super Admin account, the adversary employed anonymizing proxies and switched IP addresses and devices. The unauthorized access enabled the attacker to enhance privileges of various accounts, reset linked authenticators, and even disable two-factor authentication (2FA) for certain users. Additionally, the malefactors set up a second Identity Provider, acting as an "impersonation app", to access apps within the infiltrated organization on other users' behalf.

To counteract such threats, Okta recommends multiple security precautions, including adopting phishing-resistant authentication through Okta FastPass and FIDO2 WebAuthn, demanding re-authentication for privileged app access, and strengthening help desk verification via visual checks and MFA challenges. Moreover, the firm urges limiting Super Administrator roles, implementing privileged access management, and delegating high-risk assignments. Okta's advisory provides further details about indicators of compromise, highlighting specific system log events and attack patterns. It also shares IP addresses linked to observed attacks during the specified period.
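A detection sketch for the sequence described above, an MFA reset on an account followed shortly by high-risk admin actions from that same account. This is an added example, not code from Okta's advisory or from the newsletter; the sample events are constructed and flattened to four fields, the event type names are Okta System Log names that the newsletter does not quote, and the 24-hour window is an assumption.

```python
from datetime import datetime, timedelta

# Okta System Log event type names (not quoted in the newsletter).
RESET = "user.mfa.factor.reset_all"
FOLLOW_UP = {
    "system.idp.lifecycle.create",    # new Identity Provider configured
    "user.account.privilege.grant",   # admin privilege granted to an account
    "user.mfa.factor.deactivate",     # a factor removed from a user
}
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events, reduced to the fields the check needs.
SAMPLE_EVENTS = [
    {"published": "2023-08-01T14:02:00Z", "eventType": RESET,
     "actor": "helpdesk1@example.com", "target": "superadmin@example.com"},
    {"published": "2023-08-01T14:20:00Z", "eventType": "user.account.privilege.grant",
     "actor": "superadmin@example.com", "target": "svc-backup@example.com"},
    {"published": "2023-08-01T14:41:00Z", "eventType": "system.idp.lifecycle.create",
     "actor": "superadmin@example.com", "target": "idp-new"},
    {"published": "2023-08-02T09:00:00Z", "eventType": RESET,
     "actor": "helpdesk2@example.com", "target": "alice@example.com"},
    {"published": "2023-08-05T10:00:00Z", "eventType": "user.account.privilege.grant",
     "actor": "bob@example.com", "target": "carol@example.com"},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_reset_then_admin_activity(events, window=WINDOW):
    """Return one alert per MFA reset whose target then performs high-risk admin actions."""
    events = sorted(events, key=lambda e: parse_ts(e["published"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["eventType"] != RESET:
            continue
        start, user = parse_ts(ev["published"]), ev["target"]
        follow = [e["eventType"] for e in events[i + 1:]
                  if e["actor"] == user and e["eventType"] in FOLLOW_UP
                  and parse_ts(e["published"]) - start <= window]
        if follow:
            alerts.append({"user": user, "reset_by": ev["actor"],
                           "reset_at": ev["published"], "follow_up": follow})
    return alerts

if __name__ == "__main__":
    for alert in find_reset_then_admin_activity(SAMPLE_EVENTS):
        print(alert)
```

Real System Log entries nest the actor and targets in objects, so a production rule would map those fields before running this correlation.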

3. Microsoft Hackers Stole Powerful Signing Key from Windows Crash Dump

Remember the stolen Microsoft MSA key used to breach the Exchange Online and Azure Active Directory (AD) accounts of roughly two dozen organizations? This hack affected government agencies in the United States, such as the U.S. State and Commerce Departments.

Well, Microsoft recently revealed the results of an in-depth technical investigation into the acquisition of a Microsoft account (MSA) consumer signing key by the China-based threat actor Storm-0558. This key allowed the threat actor to forge tokens to gain access to OWA and

Microsoft's controlled production environment has stringent measures, including background checks, multi-factor authentication, and dedicated accounts, to prevent unauthorized access. However, a system crash in April 2021 led to the unexpected presence of the signing key in the crash dump, due to a race condition.

Although crash dumps are designed to redact sensitive information, in this case, the key was not redacted, a flaw that has since been rectified by Microsoft. Following standard debugging procedures, this crash dump, presumed to be free of key material, was transferred to the corporate network's debugging environment. Subsequently, the threat actor managed to compromise a Microsoft engineer's account that had access to this crash dump, leading to the unauthorized acquisition of the key.

Further analysis revealed why a consumer key could access enterprise email. In 2018, Microsoft set up a common key metadata publishing endpoint to cater to both consumer and enterprise applications. The issue arose when developers made an incorrect assumption about the mail system's complete validation process, leading the mail system to accept enterprise email requests signed with the consumer key. Microsoft has since addressed these vulnerabilities, reinforcing their systems, resolving the race condition issue, improving crash dump security, and enhancing key detection in debugging environments. Additionally, they've released updated libraries for better authentication and validation processes.
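The validation gap described above, shown as a flawed validator beside a hardened one. This is an added example, not Microsoft's code: the key metadata, key IDs, the `account_type` claim and all function names are hypothetical, and HMAC secrets stand in for the real asymmetric signing keys so it runs on the standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed key metadata: one shared document listing both key families,
# as a common publishing endpoint would. Secrets are demo values.
KEY_METADATA = {
    "consumer-1": {"secret": b"consumer-demo-secret", "scope": "consumer"},
    "enterprise-1": {"secret": b"enterprise-demo-secret", "scope": "enterprise"},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid, claims):
    head = _b64(json.dumps({"kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEY_METADATA[kid]["secret"], f"{head}.{body}".encode(), hashlib.sha256)
    return f"{head}.{body}.{_b64(mac.digest())}"

def _verify_signature(token):
    """Return (key_entry, claims) if the signature checks out, else None."""
    try:
        head, body, sig = token.split(".")
        key = KEY_METADATA[json.loads(_unb64(head))["kid"]]
        expected = hmac.new(key["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return key, json.loads(_unb64(body))
    except (ValueError, KeyError, TypeError):
        return None

def validate_signature_only(token):
    # Flawed: any key in the shared metadata is trusted for any account type.
    return _verify_signature(token) is not None

def validate_with_key_scope(token, required_scope="enterprise"):
    # Hardened: the signing key's scope must match what this service accepts
    # and what the token itself claims to be.
    checked = _verify_signature(token)
    if checked is None:
        return False
    key, claims = checked
    return key["scope"] == required_scope and claims.get("account_type") == required_scope
```

The point for reviewers of any multi-tenant token validator: a valid signature only proves which key signed the token, so the service still has to decide whether that key is allowed to speak for the claimed account type.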

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here:
