Lilith >_> of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered three vulnerabilities in Asus router software.
The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. Like other routers, it is configurable via

Tuesday, January 10, 2023 11:01

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered three vulnerabilities in Asus router software.

The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. Like other routers, it is configurable via an HTTP server running on the local network. However, it can also be configured to support remote administration and monitoring in more of an IOT style.

Talos has identified TALOS-2022-1586 (CVE-2022-35401), an authentication bypass vulnerability that can lead to full administrative privileges. An attacker would need to send a series of HTTP requests to exploit this vulnerability.

TALOS-2022-1590 (CVE-2022-38105) is an information disclosure vulnerability in the opcode of the router’s configuration service that can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability.

TALOS-2022-1592 (CVE-2022-38393) is a denial of service vulnerability, also in the opcode of the configuration service. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Cisco Talos worked with Asus to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: Asus RT-AX82U 3.0.0.4.386\_49674-ge182230. Talos tested and confirmed this version of Asus could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60394 and 60473. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered

New Add-On Empowers SOCs and MSPs to Automate & Orchestrate Incident Response for Microsoft 365.

**SAN FRANCISCO****,** **Jan. 10, 2023** **/PRNewswire/ --** Vade, the global leader in threat detection and response with 1.4 billion mailboxes protected, today announced the availability of Threat Intel & Investigation. An add-on for Vade's flagship product, Vade for M365, Threat Intel & Investigation provides the integrations, intel, and tools for SOCs and MSPs to investigate and respond to email-borne threats transiting through networks.

According to a 2021 report, breaches caused by phishing emails take an average of 213 days to be identified and another 80 days to be contained. This lag time gives cybercriminals the runway they need to conduct additional attacks on an organization, causing even more damage than the initial attack.

"Email is the #1 vector for cyberattacks," said Adrien Gendre, Chief Technology & Product Officer and cofounder at Vade. "Unfortunately, SOCs and MSPs don't always have visibility into how or when an email threat infiltrated their organization or how far it has spread throughout the network. The speed at which today's cybercriminals are working means that organizations cannot afford to lose precious time on incident response."

Vade for M365 is an AI-based email security solution for Microsoft 365 that catches the advanced phishing, spear phishing and malware threats that bypass Microsoft's native security. The Threat Intel & Investigation add-on for Vade for M365 features five core capabilities designed to empower SOCs and MSPs to automate investigations, orchestrate responses and move swiftly and with precision to live threats:

*   **File Inspector:** Deconstructs files and attachments directly in the Vade for M365 interface—without exposing administrators to risk. File Inspector reveals critical details about files and attachments, providing admins with the data required to make faster decisions, cross-check threats across networks and accelerate incident response across affected endpoints and users.
*   **Log Export:** Injects live email and event logs into any security management system, a powerful two-way integration powered by the Vade for M365 API. Connect Vade's email threat intelligence into your organizations' SIEM or SOAR to trigger automation playbooks and enhance your disaster recovery program.
*   **Reported emails:** Automates collection of user-reported emails and clusters similar, unreported emails in one dashboard, speeding user-based incident response and eliminating time-consuming, manual investigations. Receive alerts when users report emails via Outlook and quickly triage and remediate reported emails, similar emails, and forwarded emails with one click.
*   **Download emails/attachments:** Provides access to raw email intelligence for objective evaluation by threat analysts, saving precious time and resources that are typically wasted on searching for and analyzing raw email data.
*   **Add-on for Splunk:** Integrates Vade for M365 with Splunk without the need for custom software development. Combine Vade's threat intelligence with Splunk's SIEM and SOAR capabilities to have better visibility into the threat landscape and actionable insights with which to orchestrate rapid responses.

Vade partners and customers are already experiencing the benefits of Threat Intel & investigation, including Huntington Technology, a US-based MSP offering comprehensive managed services and managed security services:

"One of my helpdesk technicians excitedly came into my office last week. He asked if I had seen the new 'Reported emails' function within Vade," said William Bluford, Vice President, Huntington Technology. "He explained that we can now see which emails are reported as malicious. Not only can we see those emails, but we can see how many users are affected, and we can then remediate and remove those emails from all user mailboxes. This saves time for my helpdesk team and keeps our clients protected."

"Our customers have made clear that they need better visibility into their cybersecurity landscape," Gendre said. "They're challenged to monitor and manage threats from an array of end points, and IT is overburdened by too many complex tools. Threat Intel & Investigation was designed to give our customers the tools they need to thoroughly investigate threats, cross check those threats across their networks, and develop incident response processes—without the burden of complexity."

Threat Intel & Investigation on brings all these capabilities to Vade for M365. Vade's latest innovation will reduce incident response time, eliminate the need for additional security investments, and free up critical IT resources. Threat Intel & Investigation is available today in Vade for M365. To learn more, visit Threat Intel & Investigation.

**About Vade**

Vade is a global cybersecurity company specializing in the development of threat detection and response technology with artificial intelligence. Vade's products and solutions protect consumers, businesses, and organizations from email-borne cyberattacks, including malware/ransomware, spear phishing/business email compromise, and phishing.

Founded in 2009, Vade protects more than 1.4 billion corporate and consumer mailboxes and serves the ISP, SMB, and MSP markets with award-winning products and solutions that help increase cybersecurity and maximize IT efficiency.

To learn more, please visit www.vadesecure.com and follow us on Twitter @vadesecure or LinkedIn https://www.linkedin.com/company/vade-secure/.

SOURCE Vade

Vade Releases Advanced Threat Intel & Investigation Capabilities

State-sponsored or state-aligned advanced persistent threats (APTs) adapted to the changing geopolitical landscape in 2022. Cisco Talos observed several offensive cyber campaigns linked to several groups stemming from Russia, Iran, China, North Korea, and countries in the Indian subcontinent...

Tuesday, January 10, 2023 09:01

State-sponsored or state-aligned advanced persistent threats (APTs) adapted to the changing geopolitical landscape in 2022. Cisco Talos observed several offensive cyber campaigns linked to several groups stemming from Russia, Iran, China, North Korea, and countries in the Indian subcontinent. These groups engaged in a variety of malicious activities, including espionage, intellectual property theft, and deploying destructive malware. Major trends observed include:

*   Delivering new, custom malware and updated variants of previously known malware.
*   Exploiting publicly known vulnerabilities, such as Log4j utilities.
*   Updating tooling and behavior patterns to evade discovery.
*   Increasing APT activity in our Cisco Talos Incident Response (CTIR) engagements, including the Iran state-sponsored MuddyWater group and several China affiliated APTs.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

APT Topic Summary Report: Cisco Talos Year in Review 2022

In a new survey from Clever, 3 out of 4 school districts say they will increase their spending on security and privacy in the next two to three years; 1 in 4 teachers report that cybersecurity training is missing in their district.

**SAN FRANCISCO****,** **Jan. 5, 2023** **/PRNewswire/ --** Clever, the platform used by more than 70% of U.S. K-12 schools to simplify and secure digital learning, today announced a new survey of school administrators and teachers revealing that the two groups perceive security vulnerabilities differently as the district edtech stack increases. According to the data, three out of four districts say they will increase their spending on security and privacy in the next two to three years. While more than half of administrators (63%) and teachers (53%) believe that their district is prepared to take on digital security challenges, one in four teachers report that cybersecurity training is missing altogether in their district.

Last year, over 90% of educators said they will continue to use at least some of the digital tools they adopted during the pandemic, as schools increasingly embrace devices and digital platforms to enable individualized instruction and student support. But with the expanded access to technology comes greater responsibility on schools and their edtech partners to protect the information these tools may collect. In 2021, nearly a million students were impacted by 67 ransomware attacks against schools, with a cost of over $3.5 billion in downtime.  

To help district and school leaders navigate new edtech practices in this era of increased usage, Clever surveyed almost 4,000 teachers and administrators. The data suggest that educators and administrators perceive the risks in schools differently: only 11% of teachers said a cybersecurity incident would be very likely, but one in four administrators say their district already experienced a hack, phishing incident, data breach, or other cyber attack in the past year.

"Creating a safe digital learning environment requires that everyone -- administrators, educators, students -- play a role," said Mohit Gupta, who oversees security products at Clever. "Cybersecurity is a team sport, and the differences highlighted in the survey offer us a path forward to address vulnerabilities in our schools. While the groups differ on where the risks exist, they agree on what can be done: more training for educators, the use of security tools, and increased specialized staff."

Among additional key findings from Clever's Cybersecure 2023 report:

*   **Teachers and administrators see devices as the greatest tech vulnerability in their district.** Teachers (34%) and administrators (34.3%) alike believe that devices are the most vulnerable part of their technology infrastructure. However, administrators are more aware of potential risks elsewhere as well: they're five times more concerned about vulnerabilities from administrative platforms like a learning management system or student information system, and nearly three times more concerned about vulnerabilities from applications used for curriculum and instruction.
*   **When it comes to identifying risks around human usage of technology, administrators think teachers are the most likely source of security vulnerability, but teachers think students are.** Teachers, responsible for their own safe use of technology and appropriate use by their students, see students (67%) as the biggest risk for a security incident, followed by teachers (27%). In contrast, two-thirds of administrators believe that teachers pose the highest vulnerability threat, and only 19% believe it to be students. Administrators were also three times more likely than teachers to say administrators are a vulnerability.
*   **Teachers and administrators agree on what can be done to improve digital security.** Both groups believe the three most important activities to support security are: 1) more educator training; 2) more or better technology solutions; and 3) more staff focused on technology. Two-thirds of teachers indicated they would want to learn more about topics related to data privacy and security.
*   **Yet, one in four teachers say cybersecurity training is missing altogether in their district.** While the majority of administrators and educators report that privacy and security training happens in their district, a surprising 26% of teachers say they never receive training on privacy or security – representing a big opportunity for districts to shore up their practices.
*   **Increasing challenges means increased spending.** 65% say their spending on digital security will increase over the next two to three years; another 12% say it will increase significantly, and a majority say that federal stimulus dollars are helping support their efforts.

The survey, administered throughout October 2022 using Clever's user database, asked more than 800 US-based school administrators and more than 3,000 US-based educators. To see the full findings and methodology, click here.

**About Clever**

Clever is on a mission to unlock new ways to learn for all students. More than 70% of U.S. K-12 schools now use Clever to simplify access and improve engagement with digital learning. With our free platform for schools and a network of leading application providers, we're committed to advancing educational equity. Clever, a Kahoot! company, has offices in San Francisco, CA and Durham, NC but you can visit us at clever.com anytime.

SOURCE Clever

New Survey: One In Four Schools Were Victims Of Cyber Attacks In the Last Year; Administrators To Increase Spending On Privacy and Security

Happy New Year and welcoem to this week's edition of the Threat Source newsletter. 
We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our

Thursday, January 5, 2023 14:01

Happy New Year and welcome to this week's edition of the Threat Source newsletter.

We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our inboxes, trying to remember logins, and circle back on all the things we prolonged into 2023. With that we’re keeping this week’s newsletter light as we all ease back into the flow of things.

**The one big thing**

Last month Talos released our Year in Review report, a comprehensive report covering Talos’ work for the 2022 year. The initial report launched December 14th with an additional Ukraine Topic Summary Report on the same day. To discuss the initial report and Ukraine section Talos held a livestream with key contributors to the report, which can be viewed here.

**Why do I care?**

We expect this data-driven story will shed some light on Cisco’s (and the security community’s) most notable successes and remaining challenges. Through the upcoming weeks, we will be highlighting different aspects of this story, including our efforts in Ukraine, the disastrous Log4j vulnerabilities, adversarial use of offensive frameworks and software native to the victim’s machine, shifts in the ransomware landscape, the ever-present threat of commodity loaders/trojans, as well as an overview of some of the advanced persistent threats (APTs) we are most concerned with. Throughout the story, one key theme is clear: _adversaries are adapting to shifts in the geopolitical landscape, actions from law enforcement, and the efforts of defenders. Defenders will need to track and address these shifts in behavior to remain resilient._

**So now what?**

While yes, we’ve moved into another new year the Talos 2022 Year in Review is the gift that keeps on giving. If you’ve yet to read the report, you can catch the cliff notes version in our four part livestream series covering the full report and corresponding topics. Join us January 10th at 12pm ET for our next livestream 2022 Year in Review: APTs on our Talos LinkedIn or Twitter page.

**Top security headlines of the week**

The not-so-bad-guys? The LockBit ransomware group apologies for attacking the Hospital for Sick Children (SickKids) after one of its members violated their rules by attacking a healthcare organization. In their apology, LockBit stated the member is blocked and no longer in their affiliate program and offered a free decryptor for the hospital to recover impacted files. (Bleeping Computer)

Meta was fined over $4 million for breaching the EU’s General Data Protection Regulation (GDPR) personal data laws on Facebook and Instagram according to Ireland’s Data Protection Commission. In a statement the commission stated Meta breached “it’s obligations in relation to transparency” and “for its processing of personal data for the purpose of behavioral advertising”. (SecurityWeek)

All was not calm over the holidays as PyTorch has recently identified a malicious dependency under the same name as the framework’s ‘torchtriton’ library. PyTorch admins are urging users who recently installed PyTorch-nightly to uninstall the framework with the counterfeit ‘torchtriton’ dependency. (SC Media)

**Can’t get enough Talos?**

2022 Year in Review Report

Beers with Talos

Talos Takes

Ukraine Topic Summary

2022 Year in Review: Ukraine livestream on demand

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)

Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d

MD5: 26f927fb7560c11e509f0b8a7e787f79

Typical Filename: Iris QuickLinks.exe

Claimed Product: Iris QuickLinks

Detection Name: W32.DFC.MalParent

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725

MD5: d47fa115154927113b05bd3c8a308201

Typical Filename: excel.exe

Claimed Product: N/A

Detection Name: W32.00AB15B194-95.SBX.TG

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5:   93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  
Internet Explorer

Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5:  2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Simple\_Custom\_Detection

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5:  df11b3105df8d7c70e7b501e210e3cc3

Typical Filename: DOC001.exe

Claimed Product: n/a

Detection Name: Win.Worm.Coinminer::1201

Threat Source newsletter (Jan. 5, 2023): Digging out of our inboxes

**SANTA CLARA, Calif.****,** **Jan. 5, 2023** **/PRNewswire/ --** Netskope, a leader in Secure Access Service Edge (SASE), on the heels of its recognition as Cloud Security Services Vendor of the Year, its sixth straight ranking on the Forbes Cloud 100 list of top cloud companies, and its recognition as a Leader in the 2022 Gartner® Magic Quadrant™ for Security Service Edge (SSE), today announced an oversubscribed investment round of $401M.

The partners for this oversubscribed convertible note investment were four of the world's premier investors. The financing was led by investment funds managed by Morgan Stanley Tactical Value, with participation from Goldman Sachs Asset Management, Ontario Teachers' Pension Plan, and CPP Investments. Netskope plans to extend its technology and platform advantages and market reach through continued innovative worldwide platform development and expansion of strategic go-to-market activities, underscoring its leadership and momentum in what leading analysts estimate to be the $36 billion market opportunity for SASE by 2025.

This financing marks the latest among many recent business and financial milestones for Netskope and serves as another strong validation and indicator of the continued momentum and adoption of the company's vision, team, products, culture, and market opportunity. 

**Securing Modern Cloud Networks** 

As hybrid and remote work has become the new reality, and the use of the cloud accelerates, enterprises of all sizes need to transform their network and data security strategy and architecture. As a result, they are rapidly adopting SASE as a foundational part of their zero trust strategy, to safeguard data, support digital transformation efforts, and realize better efficiency by addressing security and networking challenges through a unified architecture. In addition, enterprises are increasingly seeking SASE capabilities from fewer sources to reduce vendor and tool sprawl. Gartner notes1 that, "by 2025, 65% of enterprises will have consolidated individual SASE components into one or two explicitly partnered SASE vendors, up from 15% in 2021."

The Netskope converged SASE platform includes Netskope's industry-leading Intelligent Security Service Edge (SSE) and Borderless SD-WAN technologies, all of which are crucial to providing the optimized access and zero trust-based security required in a modern networking and security technology stack. Netskope today is one of only a few providers of single-vendor SASE. It is also the only SASE provider recognized as a representative vendor in the 2022 Gartner Market Guide to Single Vendor SASE that also appears as a Leader in the 2022 Gartner Magic Quadrant for Security Service Edge. 

"Our vision from day one was that traditional network and security perimeters would transform, with users, data, and devices moving outside the confines of corporate network perimeters and requiring a new approach to security," said Sanjay Beri, Netskope CEO and co-founder. "With a cloud-first, data-first, and customer-centric philosophy, we built a market-leading SASE platform and one of the world's fastest and most-connected security cloud networks. We have enabled enterprises everywhere to allow their users to be mobile, efficient, and flexible while securing them and the data and applications they access, whether they are in the cloud, on the web, or are private applications on-prem and beyond. We are very proud of the team members, customers, industry luminaries, and existing and new partners announced today who are helping to enable Netskope's journey and secure the journey of all enterprises worldwide."

Over the past 12 months, Netskope has broadened its market reach in the following ways:

*   **Increased Customer Base** – to more than 2,400 total customers worldwide, including over 25 of the Fortune 100, and across all verticals including financial services, healthcare, retail, telecommunications, manufacturing, government, high tech, and beyond.
*   **Expanded SASE Platform** – through organic development of new endpoint data loss prevention, advanced cloud firewall, and zero trust network access products, as well as strategic acquisitions of WootCloud and Infiot to serve as core technology components of Netskope's innovative IoT Security and Borderless SD-WAN modules, respectively.
*   **Growing Patent Portfolio** – more than 100 global patents awarded to Netskope inventors, in data loss prevention, AI/ML, threat prevention, high speed cloud networking, and other strategic technology categories.
*   **Continued Expansion of NewEdge security private cloud** – now powered by full-compute data centers in more than 60 regions worldwide. Every Netskope NewEdge data center is accessible to every customer, with all Netskope SASE services available, providing low latency and high-performing infrastructure, and backed by industry-leading Service Level Agreements.
*   **New and Enhanced Go-to-Market Partnerships** – with some of the world's best-known cloud platform, service provider and systems integrator brands, including Orange, Deloitte, Telefonica, KPN, AWS, Google Cloud, CrowdStrike, Mimecast, Okta, and others which expand Netskope's global reach and ability to capture market share.
*   **Increased Corporate Footprint** – to more than 2,500 team members, active in over 40 countries, with open roles across teams and regions. In 2022, Netskope also enhanced its seasoned executive team with leaders from Salesforce, AWS, Cisco, Palo Alto Networks and others joining Netskope.
*   **Industry Recognition:** Recent Netskope highlights also include product, customer, and industry recognition, including:

*   Won 2022 CRN Cloud Services Vendor of the Year award
*   Won Best SASE Solution and Most Promising Unicorn awards from SC Media
*   Ranked among the highest two solutions for every single use case in the 2022 Gartner Critical Capabilities for Security Service Edge report
*   Named a Leader in the IDC Marketscape for Cloud Security Gateways
*   Awarded one of the first U.S. Federal Civilian Government SASE Contracts, led by the United States Patent and Trademark Office
*   Named for a sixth time to the Forbes Cloud 100, as one of only four security vendors to rank in the Top 50
*   Achieved best-in-class employer brand and employee experience ratings from Glassdoor
*   Achieved a Silver Medal from EcoVadis, highlighting commitment to ESG and business sustainability

"Cloud migration—and securing this modern network—represents one of the most significant and transformative technology shifts in decades," said Pedro Teixeira, managing director of Morgan Stanley and Co-Head of Morgan Stanley's Tactical Value Investing Team. "We seek to invest in high-quality companies that are driving their markets today and into the future.  Netskope epitomizes this, with its innovative SASE vision and solid execution, a robust platform with significant monetization ahead of it, a large global customer base, and defensible market leadership. We look forward to partnering with the team as they strive to realize the significant opportunity that lies ahead."

**Legal Notices**

Morgan Stanley & Co. LLC served as the sole placement agent for the note offering. Pillsbury Winthrop Shaw Pittman LLP served as Netskope's legal counsel and Latham & Watkins LLP served as Morgan Stanley Tactical Value's counsel. J Wood Capital Advisors LLC acted as financial advisor to Netskope.

This press release does not constitute an offer to sell, or a solicitation of an offer to buy, any securities of Netskope.  The securities referenced herein have not been registered under the Securities Act of 1933, as amended, and may not be offered or sold in the United States absent registration or an applicable exemption from such registration requirements.

**Gartner Disclaimer**

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

Netskope Receives $401M In New Funding

Categories: News
Tags: Okta

Tags:  GitHub

Tags:  Auth0

Okta's code repository on GitHub has been accessed by an unauthorized third party, but there's no reason for customers to worry



(Read more...)




The post Okta breached last month, no customers compromised appeared first on Malwarebytes Labs.

Some of Okta’s source code fell into the hands of an unauthorized party. The code was stolen from GitHub in the first part of December, according to a statement issued by the company. In the same statement the company reassured users that there was no impact to any customers.

**Okta**

Okta is an access management company based in San Francisco. According to its own website, Okta serves over 15,000 organizations. Essentially, Okta software allows employees to log in using single sign-on—a central platform where employees can log in once in order to access resources that have been assigned to them by an organization’s IT staff. The kind of identity-first approach to security is seen by some as an important underpinning of a Zero Trust security model.

**Stolen source code**

GitHub alerted Okta about a possible breach in early December. An investigation by Okta revealed that the unauthorized access was used to copy code from the Okta Workforce Identity Cloud (WIC) code repositories.

Okta Workforce Identity Cloud provides a unified solution for secure access to any resource from any user that needs it, while maintaining the "Principle of Least Privilege" (POLP). The principle of least privilege is the idea that at any user, program, or process should have only the bare minimum privileges necessary to perform its function.

**Customers unaffected**

In the statement that was also sent out by mail to security contacts, Okta told their customers that there was no unauthorized access to the Okta service, and no unauthorized access to customer data. This includes Okta's HIPAA, FedRAMP, and DoD customers. This is because Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully functional and secure.

**Auth0**

A few months ago, Okta subsidiary Auth0 disclosed a similar incident, where code repository archives that predated Okta’s acquisition of Auth0 were stolen. It never became clear how the unauthorized party, that notified Okta about the possession of the archives, exfiltrated them.

**LAPSUS$**

Okta themselves admitted to a breach that happened in January of 2022, where the LAPSUS$ cybercriminal group accessed two active customer tenants within their SuperUser application and viewed limited additional information in certain other applications like Slack and Jira that could not be used to perform actions in Okta customer tenants. The January breach was initially believed to have a much larger impact and there was talk of possibly 366 customers that might be affected.

**Measures**

When Okta learned of the latest incident, it placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications. The company also reviewed the integrity of all the code that was recently placed on GitHub, and rotated GitHub credentials. Law enforcement has also been notified of the breach.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Okta breached last month, no customers compromised

NVIDIA GPU Display Driver for Windows contains a vulnerability where a regular user can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

CVE-2022-42267: Security Bulletin: NVIDIA GPU Display Driver - November 2022

CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.

Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalog to help federal agencies and critical infrastructure organizations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalog across 58 updates from January to end of November 2022, according to Grey Noise in its first-ever "GreyNoise Mass Exploits Report."

Including the approximately 300 vulnerabilities added in November and December 2021, CISA listed approximately 850 vulnerabilities in the first year of the catalog's existence.

Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the updates to the KEV catalog in 2022, Grey Noise found. Seventy-seven percent of the updates to the KEV catalog were older vulnerabilities dating back to before 2022.

"Many were published in the previous two decades," noted Grey Noise's vice president of data science, Bob Rudis, in the report.

Several of the vulnerabilities in the KEV catalog are from products that have already entered end-of-life (EOL) and end-of-service-life (EOSL), according to an analysis by a team from Cyber Security Works. Even though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalog lists 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.

"The fact that they are a part of CISA KEV is quite telling as it indicates that many organizations are still using these legacy systems and therefore become easy targets for attackers," CSW wrote in its "Decoding the CISA KEV" report.

Even though the catalog was originally intended for critical infrastructure and public-sector organizations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. This is key because the National Vulnerability Database (NVD) assigned Common Vulnerabilities and Exposures (CVE) identifiers for over 12,000 vulnerabilities in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify the ones relevant to their environments. Enterprise teams can use the catalog's curated list of CVEs under active attack to create their priority lists.

In fact, CSW found a bit of a delay between when a CVE Numbering Authority (CNA), such as Mozilla or MITRE, assigned a CVE to a vulnerability and when the vulnerability was added to the NVD. For example, a vulnerability in Apple WebKitGTK (CVE-2019-8720) received a CVE from Red Hat in October 2019 was added to the KEV catalog in March because it was being exploited by BitPaymer ransomware. It had not been added to the NVD as of early November (the cutoff date for CSW's report).

An organization relying on the NVD to prioritize patching would miss issues that are under active attack.

Thirty-six percent of the vulnerabilities in the catalog are remote code execution flaws and 22% are privilege execution flaws, CSW found. There were 208 vulnerabilities in CISA’s KEV Catalog associated with ransomware groups and 199 being used by APT groups, CSW found. There was an overlap, as well, where 104 vulnerabilities were being used by both ransomware and APT groups.

For instance, a medium-severity information disclosure vulnerability in Microsoft Silverlight (CVE-2013-3896) is associated with 39 ransomware groups, CSW said. The same analysis from CSW found that a critical buffer overflow vulnerability in the ListView/TreeView ActiveX controls used by Office documents (CVE-2012-0158) and a high-severity memory corruption issue in Microsoft Office (CVE-2017-11882) are being exploited by 23 APT groups, including most recently by the Thrip APT group (Lotus Blossom/BitterBug), in November 2022.

The spike in March 2022 is the result of Russia invading Ukraine in February – and the updates included many legacy vulnerabilities that nation-state actors had been known to exploit in businesses, governments, and critical infrastructure organizations, Grey Noise said. The vast majority – 94% – of the vulnerabilities added to the catalog in March were assigned a CVE before 2022.

CISA updates the KEV catalog only if the vulnerability is under active exploitation, has an assigned CVE, and there is clear guidance on how to remediate the issue. In 2022, enterprise defenders had to deal with an update to the KEV catalog on an almost weekly basis, with a new alert typically issued every four to seven days, Rudis wrote. The defenders were just as likely to have just a single day between updates, and the longest break defenders had in 2022 between updates was 17 days.

Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog

Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months.
Now according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector.

Malware / Windows Security

Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months.

Now according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector.

Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained one of the widely used entry points for criminal groups looking to execute malicious code.

These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to activate the execution of malware stealthily in the background.

To counter this misuse, the Windows maker enacted a crucial change starting in July 2022 that blocks macros in Office files attached to email messages, effectively severing a crucial attack vector.

While this blockade only applies to new versions of Access, Excel, PowerPoint, Visio, and Word, bad actors have been experimenting with alternative infection routes to deploy malware.

One such method turns out to be XLL files, which is described by Microsoft as a "type of dynamic link library (DLL) file that can only be opened by Excel."

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Cisco Talos researcher Vanja Svajcer said in an analysis published last week.

The cybersecurity firm said threat actors are employing a mix of native add-ins written in C++ as well as those developed using a free tool called Excel-DNA, a phenomenon that has witnessed a significant spike since mid-2021 and continued to this year.

That said, the first publicly documented malicious use of XLL is said to have occurred in 2017 when the China-linked APT10 (aka Stone Panda) actor utilized the technique to inject its backdoor payload into memory via process hollowing.

Other known adversarial collectives include TA410 (an actor with links to APT10), DoNot Team, FIN7, as well as commodity malware families such as Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer, and Warzone RAT.

The abuse of the XLL file format to distribute Agent Tesla and Dridex was previously highlighted by Palo Alto Networks Unit 42, noting that it "may indicate a new trend in the threat landscape."

"As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications," Svajcer said.

**Malicious Microsoft Publisher macros push Ekipa RAT**

Ekipa RAT, besides incorporating XLL Excel add-ins, has also received an update in November 2022 that allows it to take advantage of Microsoft Publisher macros to drop the remote access trojan and steal sensitive information.

"Just as with other Microsoft office products, like Excel or Word, Publisher files can contain macros that will execute upon the opening or closing \[of\] the file, which makes them interesting initial attack vectors from the threat actor's point of view," Trustwave noted.

It's worth noting that Microsoft's restrictions to impede macros from executing in files downloaded from the internet does not extend to Publisher files, making them a potential avenue for attacks.

"The Ekipa RAT is a great example of how threat actors are continuously changing their techniques to stay ahead of the defenders," Trustwave researcher Wojciech Cieslak said. "The creators of this malware are tracking changes in the security industry, like blocking macros from the internet by Microsoft, and shifting their tactics accordingly."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#cisco