Okta October breach affected 134 orgs, biz admits
Plus: CVSS 4.0 is here, this week's critical vulns, and 'incident' hit loan broker promises no late fees. Generous
Infosec in brief: Okta has confirmed details of its October breach, reporting that the incident led to the compromise of files belonging to 134 customers, "or less than 1 percent of Okta customers."
Okta's report on the breach confirms much of what was previously known, but provides the first set of solid numbers of those affected, and notes that five of its 134 affected customers experienced their own intrusions - at least that Okta knows of.
With so many high-profile companies among Okta's user base, one percent is still a concern for the countless customers, and any employees affected as well.
Among those who had data stolen was password manager 1Password, which said last month that it had experienced a break-in in its Okta instance by a malicious user who had admin privileges. The attacker attempted to collect details on other 1P administrators, update an existing identity provider and access Okta's IT dashboard.
Along with 1Password, Okta said that identity management company BeyondTrust and web security firm Cloudflare were targeted, along with two unnamed customers. Cloudflare has had its own trouble of late, which doesn't appear to be linked to the Okta breach.
The Okta attackers made off with HTTP Archive (HAR) files that contain cached web session data and cookies that can be used to impersonate valid users, which appears to be what the attackers attempted to do.
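HAR captures are routinely requested by support teams for debugging, and the Okta incident illustrates why an unsanitized one is a credential. The script below is an added example, not Okta's tooling or anything from the original report: it walks a HAR 1.2 document, blanks every cookie value and the session-bearing headers (Cookie, Set-Cookie, Authorization, Proxy-Authorization; that header list is an assumption for this example and should be extended with any product-specific session headers), leaves URLs, timings and status codes intact so the capture stays useful, and offers a pre-upload check that reports anything it still considers sensitive. The sample capture is constructed, using a placeholder host.

```python
import copy
import json

# Headers whose values carry bearer or session material. Assumed list for this
# example; extend it with any product-specific session headers you use.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of a HAR 1.2 document with session material blanked.

    HAR layout: har["log"]["entries"][i]["request" | "response"], each with
    "headers" and "cookies" lists of {"name": ..., "value": ...} objects.
    Cookie values are always blanked; header values only for names listed in
    SENSITIVE_HEADERS (matched case-insensitively). Everything else, including
    URLs, timings and status codes, is left intact so support can still debug.
    """
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
    return out


def leaked_values(har: dict) -> list:
    """List (side, kind, name) for every unredacted session-bearing value.

    Intended as a pre-upload gate: an empty list means nothing the sanitizer
    recognises is left in the file."""
    found = []
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            for header in msg.get("headers", []):
                name = header.get("name", "")
                if name.lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                    found.append((side, "header", name))
            for cookie in msg.get("cookies", []):
                if cookie.get("value") != REDACTED:
                    found.append((side, "cookie", cookie.get("name")))
    return found


# Constructed sample capture: one request to a placeholder host carrying a
# session cookie and a bearer token, and a response that sets a new cookie.
SAMPLE_HAR = json.loads("""
{
  "log": {"version": "1.2", "creator": {"name": "example", "version": "0"},
    "entries": [{
      "request": {"method": "GET", "url": "https://example.invalid/admin",
        "headers": [{"name": "Cookie", "value": "sid=abc123"},
                    {"name": "Authorization", "value": "Bearer eyJ.example.token"},
                    {"name": "Accept", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "abc123"}]},
      "response": {"status": 200, "statusText": "OK",
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"},
                    {"name": "Content-Type", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "def456"}]}
    }]
  }
}
""")


if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=2))
    print("remaining secrets:", leaked_values(clean))
```

Run `leaked_values` on the sanitized copy before it leaves the machine; the gate only knows about the names it is given, so request bodies and query strings that carry tokens still need a separate look.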
As to how the cybercriminals gained access to Okta's systems in the first place, well, it appears to have been a good old fashioned insider snafu.
"Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop," Okta chief security officer David Bradbury wrote Friday. "The most likely avenue for exposure of this credential is the compromise of the employee's personal Google account or personal device."
Okta's troubles continued this week, as it also admitted a third-party breach exposed records belonging to nearly 5,000 current and former employees.
Critical vulnerabilities of the week
Cisco released a whole slew of security updates this week for multiple products, but only one was rated critical and not covered by The Register before: a newly identified issue in the company's Firepower Management Center.
With a CVSS score of 9.9, CVE-2023-20048 involves insufficient authorization of config commands sent through the Cisco security software management platform's web service interface. If exploited with a malicious HTTP request, an attacker could gain the ability to execute configuration commands on a vulnerable Firepower Threat Defense device. Get patching.
- CVSS 9.9 - Multiple CVEs: INEA's ME remote terminal unit versions prior to 3.36b are improperly authenticating the root account, making them vulnerable to remote code execution.
- CVSS 9.8 - Multiple CVEs: Schneider Electric SpaceLogic C-Bus Toolkit versions 1.16.3 and prior contain a pair of vulnerabilities that an attacker could exploit to remotely execute code.
- CVSS 9.8 - CVE-2023-5777: Several versions of Weintek EasyBuilder Pro software for programming HMI devices contain hard-coded credentials.
- CVSS 9.8 - Multiple CVEs: Several models of Zavio IP cameras are vulnerable to a series of exploits that could give an attacker remote code execution privileges.
- CVSS 9.8 - CVE-2023-3346: Multiple Mitsubishi Electric CNC series devices are vulnerable to denial-of-service and RCE thanks to a classic buffer overflow vulnerability.
- CVSS 9.1 - CVE-2023-4699: Multiple Mitsubishi Electric MELSEC-series PLCs are failing to verify data authenticity, which an attacker could use to remotely trigger a reset.
- CVSS 8.8 - CVE-2023-5719: Red Lion's Crimson software prior to v.2.3.0053.18, used to program industrial devices, fails to neutralize null characters, resulting in weak passwords an attacker could truncate.
- CVSS 8.3 - CVE-2023-5846: Franklin Fueling System TS-550 automatic tank gauges are improperly hashing credentials, making them easy for an attacker to decode in order to gain access to vulnerable devices.
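Two items in the list above, the Red Lion null-character truncation and the Franklin Fueling credential hashing, are the same lesson from opposite ends of a credential store: validate what you will actually store, and store it in a form that is not reversible. The block below is an added example written for this page, not code from either vendor, and none of the names in it refer to the products listed. It simulates how a NUL-terminated backend silently truncates a password that passed a naive length check, shows the validation that rejects such input, and contrasts a fast unsalted digest with salted, iterated PBKDF2-HMAC-SHA256 verified in constant time. The 600,000 iteration count and 12-byte minimum are choices for this example.

```python
import hashlib
import hmac
import os

MIN_PASSWORD_BYTES = 12      # policy value chosen for this example
PBKDF2_ITERATIONS = 600_000  # slow by design; tune to your hardware budget


def c_string_view(password: str) -> str:
    """Simulate what a NUL-terminated (C-style) backend sees: everything
    after the first NUL byte is silently dropped."""
    return password.split("\x00", 1)[0]


def naive_policy_ok(password: str) -> bool:
    """A length check that ignores NUL handling: it measures the full input,
    not the part the backend will actually store and compare against."""
    return len(password.encode("utf-8")) >= MIN_PASSWORD_BYTES


def validate_password(password: str) -> None:
    """Reject input that would be truncated or is too short once stored."""
    if "\x00" in password:
        raise ValueError("password contains a NUL byte")
    if not password.isprintable():
        raise ValueError("password contains control characters")
    if len(password.encode("utf-8")) < MIN_PASSWORD_BYTES:
        raise ValueError("password shorter than %d bytes" % MIN_PASSWORD_BYTES)


def weak_hash(password: str) -> str:
    """The 'before' pattern: a fast, unsalted digest. Identical passwords give
    identical outputs, so a precomputed table recovers them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored string carries the
    algorithm and parameters so they can be raised later without re-keying
    every account on the same day."""
    validate_password(password)
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed input: passes the naive check, but a C backend keeps only
    # the nine characters before the NUL.
    tricky = "Passw0rd!\x00" + "x" * 12
    print("naive check:", naive_policy_ok(tricky), "| backend sees:", c_string_view(tricky))
    stored = hash_password("correct horse battery")
    print(stored)
    print("verify:", verify_password("correct horse battery", stored))
```

The point of carrying the parameters in the stored string is operational: when the iteration count is raised, old records still verify and can be re-hashed on the user's next successful login.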
No one's hangin' with Mr Cooper thanks to cybersecurity incident
Texas-based mortgage and loan company Mr Cooper appears largely down for the count days after a cybersecurity incident.
The finance house, which began life in the 1990s as Nova Credit Corporation and has gone through several rebranding efforts, admitted to the October 31 incident earlier this week. As of writing, many pages on the company's website appear to not be resolving, and its blog post about the incident says its systems "remain locked down."
"Rest assured, you will not incur any fees, penalties or negative credit reporting related to late payments as we work to fix this issue," Mr. Cooper said.
It's not immediately clear what sort of incident the business experienced, and responses to The Register didn't directly answer that question. "At this time, we believe this cybersecurity incident was isolated to Mr. Cooper systems and technology and did not affect any of the company's clients' or partners' systems or technology," a Mr. Cooper spokesperson told us.
CVSS 4.0 officially released
The fourth iteration of the Common Vulnerability Scoring System (CVSS) is now available, with the Forum of Incident Response and Security Teams (FIRST) making the official publication on Wednesday.
As we covered previously, there are a number of changes in CVSS 4.0, most notably new nomenclature that splits the CVSS score into new, more granular versions designed to make scores more clear.
Those combing through CVEs may now notice several kinds of CVSS score: CVSS-B (base), CVSS-BT (base + threat), CVSS-BE (base + environmental) and CVSS-BTE, which combines all three elements into a single score.
Base metrics were modified to include attack requirements, as well as whether any user interaction was required, be it passive or active.
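The nomenclature and the new base metrics can be read straight off a vector string. The block below is an added example, not FIRST's reference calculator or any tooling described above: it parses a CVSS:4.0 vector, validates every metric against the values the specification allows, requires all eleven base metrics, and reports which of CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE applies. One assumption is spelled out in the code: a threat or environmental group only counts as supplied when at least one of its metrics is set to something other than X (Not Defined), since X is the default.

```python
# Metric groups and the values each accepts, per the CVSS v4.0 specification.
BASE = {
    "AV": tuple("NALP"), "AC": tuple("LH"), "AT": tuple("NP"),
    "PR": tuple("NLH"), "UI": tuple("NPA"),
    "VC": tuple("HLN"), "VI": tuple("HLN"), "VA": tuple("HLN"),
    "SC": tuple("HLN"), "SI": tuple("HLN"), "SA": tuple("HLN"),
}
THREAT = {"E": tuple("XAPU")}
ENVIRONMENTAL = {
    "CR": tuple("XHML"), "IR": tuple("XHML"), "AR": tuple("XHML"),
    "MAV": tuple("XNALP"), "MAC": tuple("XLH"), "MAT": tuple("XNP"),
    "MPR": tuple("XNLH"), "MUI": tuple("XNPA"),
    "MVC": tuple("XHLN"), "MVI": tuple("XHLN"), "MVA": tuple("XHLN"),
    "MSC": tuple("XHLN"), "MSI": tuple("XSHLN"), "MSA": tuple("XSHLN"),
}
SUPPLEMENTAL = {
    "S": ("X", "N", "P"), "AU": ("X", "N", "Y"), "R": ("X", "A", "U", "I"),
    "V": ("X", "D", "C"), "RE": ("X", "L", "M", "H"),
    "U": ("X", "Clear", "Green", "Amber", "Red"),
}
ALL_METRICS = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}


def parse_vector(vector: str) -> dict:
    """Split a CVSS:4.0 vector into {metric: value}, rejecting unknown
    metrics, bad values, duplicates, and any missing base metric."""
    prefix, sep, rest = vector.partition("/")
    if prefix != "CVSS:4.0" or not sep:
        raise ValueError("not a CVSS 4.0 vector: %r" % vector)
    metrics = {}
    for part in rest.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in ALL_METRICS:
            raise ValueError("unknown metric %r" % part)
        if name in metrics:
            raise ValueError("duplicate metric %r" % name)
        if value not in ALL_METRICS[name]:
            raise ValueError("bad value %r for %s" % (value, name))
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("missing base metrics: %s" % ", ".join(missing))
    return metrics


def nomenclature(metrics: dict) -> str:
    """Return CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE.

    Assumption for this example: a group counts as supplied only when at
    least one of its metrics is something other than X (Not Defined), the
    default. Supplemental metrics never change the nomenclature."""
    used_t = any(metrics.get(m, "X") != "X" for m in THREAT)
    used_e = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if used_t else "") + ("E" if used_e else "")


def describe(vector: str) -> str:
    """One-line summary: nomenclature plus the two base metrics that are
    new or reworked in 4.0, Attack Requirements and User Interaction."""
    m = parse_vector(vector)
    at = {"N": "none", "P": "present"}[m["AT"]]
    ui = {"N": "none", "P": "passive", "A": "active"}[m["UI"]]
    return "%s; attack requirements: %s; user interaction: %s" % (nomenclature(m), at, ui)


if __name__ == "__main__":
    # Constructed vectors for illustration, not scores of any real CVE.
    base = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    for v in (base, base + "/E:A", base + "/CR:H/MAV:A", base + "/E:P/IR:L"):
        print(describe(v))
```

The parser deliberately refuses a vector with a missing base metric rather than defaulting it; a scoring pipeline that silently fills in AT:N or UI:N would overstate severity for exactly the class of bugs the new metrics were introduced to distinguish.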
A self-paced online training course for CVSS 4 is available for those who want to be up on the latest in cyber threat scoring, but it'll likely take some time before the world adopts the new standard. The US National Institute of Standards and Technology still lists CVSS 2.0 scores in its National Vulnerability Database, which was superseded by CVSS 3.0 eight years ago. ®