Okta Archives - My TechDecisions (https://mytechdecisions.com/tag/okta/)

Okta Releases General Availability of Security Center in Attack Protection
https://mytechdecisions.com/network-security/okta-security-center/ (Wed, 10 May 2023 15:26:07 +0000)

Identity security provider Okta is launching the general availability of Security Center, a new Attack Protection feature designed to help companies optimize their identity security posture by leveraging insights from Okta Customer Identity Cloud to provide a single view of authentication events, security incidents and threat response efficacy.

The San Francisco, Calif.-based cybersecurity firm says its new Security Center offering includes real-time data on an organization’s state of attack protection, out-of-the-box threat monitoring on major identity attack vectors, and application-level visibility into authentication traffic.

Security Center is designed to make assessing an organization’s identity security posture easier than the approach many companies rely on today, which involves parsing logs, using third-party tools or building their own, all of which requires expert-level experience.

According to Okta, Security Center draws on Okta Customer Identity Cloud security insights to give security and identity professionals a more streamlined way to detect and respond to identity threats, as well as a clearer view of authentication events, incidents and threat response.

In addition to helping organizations respond to identity threats faster, Security Center can help companies measure the user experience impact of Attack Protection features, showing app owners in near real time the effects of defense tactics on users and allowing them to adjust security and friction as appropriate to their situation, the company says.

In a statement, Jameeka Aaron, Okta’s chief information security officer, says accurate detection alone isn’t enough to ensure that threat response is appropriate to the level of risk an organization faces.

“As attacks against identity flows get more sophisticated and evolve to bypass detection, security teams often have to go through a learning curve on their own production environments, which can mean delayed detection of attacks and consequent business losses,” Aaron says. “Security Center leverages our focused expertise in identity security, and packages it in a way that security operations professionals can understand and take action.”

Zoom Users Can Now Use Okta to Authenticate Identity of Attendees
https://mytechdecisions.com/network-security/zoom-okta-authenticate-identity-attendees/ (Wed, 29 Mar 2023 14:25:17 +0000)

Users with paid Zoom accounts can now authenticate the identity of meeting attendees in end-to-end encrypted meetings with Okta Authentication for E2EE.

The feature essentially allows Zoom users to leverage the identity and access management technology from Okta to authenticate a meeting attendee’s identity by email in end-to-end encrypted (E2EE) meetings.

According to Zoom, users will know when a meeting attendee is authenticated when a blue shield appears next to their name in the meeting participant list. Other attendees can hover over the icon to see a pop-up window that displays authenticated information about that person, including their company domain and corresponding Okta-verified email address. Users can then use that information to verify that it matches the person they were expecting.

Aurora Brigham, Zoom’s lead product manager for privacy, says in a blog that Okta has become a core component of a modern zero trust approach.

“By weaving its technology into E2EE meetings, Zoom is striving to add an extra layer of security to virtual communication while maintaining our seamless and consistent experience,” Brigham says.

According to Brigham’s blog, Okta Authentication for E2EE in Zoom can be enabled by account administrators in the security tab of the Zoom web portal. Admins also need to download the Zoom E2E app from Okta and enable the feature flag called Okta Authentication for Zoom E2E Encryption, the company says.

Once the feature is turned on, a user can choose to share their identity in E2EE meetings by enabling it in settings. Depending on the user’s settings, they may be authenticated automatically or redirected to Okta’s sign-in page to complete authentication with their credentials and second factor.

Once an attendee is authenticated, the blue shield will give other participants reassurance that the person they’re communicating with is the right person.

Brigham says this can help cut back on the toggle tax, which is defined as the time wasted by switching between apps to get work done.

“With Okta’s robust identity technology available right in your meeting, you can focus on meaningful communication without having to sacrifice effective security,” Brigham writes. “That way, you get to work when and where you want, all while keeping your information safe.”

This Week in IT: Botnet, Google Chrome, Okta’s GitHub Hacked, ChatGPT
https://mytechdecisions.com/news-1/this-week-in-it-botnet-google-chrome-oktas-github-hacked-chatgpt/ (Thu, 22 Dec 2022 20:32:00 +0000)

Editor’s note: There is a lot going on in the world of IT, from emerging technologies to digital transformation and new cybersecurity threats. However, we can’t possibly cover it all, so we’ll bring you This Week in IT, a curated summary of IT and enterprise technology news stories each week.

Microsoft discovers new botnet capabilities

Microsoft says its researchers have discovered new capabilities of the botnet Zerobot, a Go-based botnet primarily spread through IoT and web application vulnerabilities. Monitored by Microsoft’s security team for months, Zerobot now uses new attack methods and exploits that expand the malware’s reach to new devices.

The new version of the malware includes additional DDoS attack capabilities that allow attackers to target resources and make them inaccessible, which can be layered onto a ransomware attack to compel the victim to pay.

Read Microsoft’s blog to learn more about these new Zerobot capabilities and other DDoS-for-hire trends.

Google changes Chrome release schedule to fix issues earlier

Google is changing Chrome’s release schedule: each stable release will first go to a small percentage of users, with the majority receiving it a week later on the normally scheduled date. That date is also when the new version becomes available from the Chrome download page.

According to Google, the company is making the change to monitor the release before it rolls out to all users so it can act on any issues without impacting a large user base.

Learn more about this updated Google Chrome release schedule.

Okta GitHub repositories hacked

Okta, one of the largest providers of authentication services and identity and access management (IAM) solutions, has had its GitHub repositories hacked and its source code essentially stolen.

BleepingComputer reported the incident, citing a confidential security incident notification that Okta has been sending to its security contacts. This comes after GitHub alerted Okta of suspicious access to the company’s code repositories, the notification purportedly said.

However, attackers did not gain access to Okta’s service or customer data, the company says, per BleepingComputer.

Read the story for more information.

Google threatened by ChatGPT, report says

Google is reportedly sounding the alarm over OpenAI’s ChatGPT and is ramping up its AI chatbot teams in response to the conversational AI chatbot, reports The New York Times. Google reportedly sees ChatGPT as a threat to its search engine and to the company’s own AI chatbot efforts.

Read The New York Times article for more information.

This Week in IT: Microsoft Teams for Education Updates, Ransomware Attacks Spike, Organizations Impacted by Nation State Cyber Attacks
https://mytechdecisions.com/news-1/this-week-in-it-microsoft-teams-education-ranomware-nation-state-cyber-attack/ (Thu, 25 Aug 2022 19:20:39 +0000)

Microsoft Teams for Education Gets a new look

Just in time for back-to-school, Microsoft Teams has a new home page that places the most important information for educators at the center of the screen. The home page shows announcements, pinned classroom resources, upcoming assignments and more. Educators can customize the screen to add images, sections and other pertinent information, and can now use Teams to create and review assignments on iPad and Android tablets.

The new feature is expected to roll out this week and will automatically be included in all classes using Teams.

Learn more here.

Ransomware Attacks Spike to More Than 1.2 million per month

Researchers from cloud security company Barracuda identified and analyzed 106 highly publicized ransomware attacks and determined the dominant targets are still education (15%), municipalities (12%), healthcare (12%), infrastructure (8%) and financial (6%). Ransomware attacks on educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled over the last 12 months, according to Barracuda. Service providers were hit the most, and ransomware attacks on automobile, hospitality, media, retail, software, and technology organizations all increased as well.

Learn more here.

Hackers Steal Whole Email Inboxes

A hacking group called Charming Kitten is targeting users with Google, Microsoft and Yahoo email accounts, according to Google security researchers. The group is using a tool Google calls HYPERSCRAPE to download whole inboxes undetected.

Learn more here.

130 Organizations Affected by Twilio Hackers

An investigation into the phishing campaign that targeted Twilio and Cloudflare in July revealed that more than 130 organizations have been affected since the initial attack. Nearly 10,000 user credentials were stolen in the campaign, which started in March 2022, as well as more than 5,000 multifactor authentication codes. Victims of the targeted attack were customers of identity and access management provider Okta. Imitation Okta authentication sites were used in each attack.

Researchers at Group-IB noted “despite using low-skills methods [the threat actors] were able to compromise a large number of well-known organizations.” Group-IB also noted the threat actors may have been inexperienced based on the “improperly” configured phishing kit used.

Learn more here.

64% of businesses suspect they’ve been targeted or impacted by nation-state attacks

Research from machine identity management firm Venafi found that 66% of organizations have changed their cyber security strategy as a direct response to the conflict between Russia and Ukraine, while nearly two thirds (64%) suspect their organization has been either directly targeted or impacted by a nation state cyber attack.

Other key findings: 77% believe we are in a perpetual state of cyberwar, and more than two-thirds of security decision makers have had more conversations with their board and senior management in response to the Russia-Ukraine conflict.

“We’ve known for years that state-backed APT groups are using cybercrime to advance their nations’ wider political and economic goals. Everyone is a target, and unlike a kinetic warfare attack, only you can defend your business against nation-state cyberattacks. There is no cyber-Iron Dome or cyber-NORAD. Every CEO and board must recognize that cybersecurity is one of the top three business risks for everyone, regardless of industry,” said Kevin Bocek, vice president, security strategy and threat intelligence at Venafi in a statement.

Learn more here.

Lapsus$ Attacks: Microsoft Says Group Pays Employees For Initial Access; Okta Provides Attack Timeline
https://mytechdecisions.com/network-security/lapsus-attacks-microsoft-employees-access-okta-attack-timeline/ (Wed, 23 Mar 2022 15:25:20 +0000)

  • Microsoft acknowledges Lapsus$ accessed source code, downplays risk to customers and risk of elevation
  • Lapsus$ uses extensive social engineering, including paying victims’ employees for initial access and convincing help desks to reset credentials
  • Group uses VPNs, RDP, VDI and identity providers such as Azure AD, Okta in attacks
  • Okta says 2.5% of customers potentially impacted after third-party support account compromised
  • Okta details attack timeline, revealing gap in disclosure

In a blog detailing how the Lapsus$ hacking group accessed “a single account” and stole Microsoft source code, Microsoft says the group gains initial access in a variety of ways, including paying employees at targeted organizations, or their suppliers or business partners, for access to credentials and multifactor authentication approval.

Microsoft’s blog, published March 22, comes three days after the Lapsus$ hacking group posted screenshots of a compromised Microsoft developer’s account and after the group published stolen source code of Bing, Cortana and other projects.

However, Microsoft says no customer code or data was involved in Lapsus$’ compromise of a single account, which granted the threat actor limited access.

“Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft said in a blog penned by the company’s Threat Intelligence Center, Detection and Response Team and Microsoft 365 Defender Threat Intelligence Team.

The company does not detail exactly how the Microsoft employee’s account was compromised, but says the tactics described in the blog were used in the intrusion. Further, Microsoft says it was already investigating the compromised account based on threat intelligence when Lapsus$ posted the screenshots.

“This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” Microsoft said in the blog.

Microsoft says it has been tracking the group’s “large-scale social engineering and extortion campaign” in recent weeks. According to the blog, Lapsus$ has been observed attacking multiple organizations with these tactics, including some “destructive elements.” The group spends a considerable amount of time gathering knowledge about the targeted organization, including information about operations, employees, team structures, help desks, crisis response workflows and supply chain relationships.

Unlike ransomware actors, Lapsus$, which Microsoft tracks as DEV-0537, uses a pure extortion and destruction model without deploying ransomware. The group has shown a disregard for covering its tracks, announcing attacks on social media and advertising its intent to buy credentials from employees of targeted organizations.

In these instances, Lapsus$ recruited employees of a target organization, or of its suppliers or business partners, after advertising that it wanted to buy credentials. For a fee, the insiders provided their credentials and approved the MFA prompt, or installed remote management software such as AnyDesk on their corporate machine and gave the group full control of their authenticated system.

In addition to bribing employees or business partners for initial access, other tactics outside the norm include phone-based social engineering, SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at targeted organizations and intruding on their targets’ crisis communication calls. The group has also been observed spamming a target user with MFA prompts and calling the organization’s help desk to reset a targeted user’s credentials.

Microsoft’s blog also contains several recommended steps to thwart these attacks, including strengthening MFA implementation and avoiding SMS- or email-based authentication, requiring healthy and trusted endpoints, leveraging new authentication options for VPNs, strengthening cloud security postures and improving awareness of social engineering attacks.

Read: What We Know So Far About Okta, Microsoft and Lapsus$

Okta: Up to 2.5% of customers impacted

After initial access is gained, Lapsus$ accesses internet-facing systems and applications, such as VPNs, RDP, virtual desktop infrastructure and identity providers such as Azure Active Directory and Okta. Okta itself became embroiled in the crisis when screenshots showing a purported breach were posted to the group’s pages.

Late Tuesday, Okta’s Chief Security Officer David Bradbury posted a detailed timeline of the company’s response to the compromise. In the blog, Bradbury says the screenshots were taken from a computer used by a support engineer at Sitel, one of Okta’s third-party customer support providers. On Jan. 20, Okta’s security team was alerted to an attempt to add a new MFA factor to the Sitel engineer’s Okta account, Bradbury wrote. That attempt was unsuccessful, but the account was suspended, Sitel was notified and a forensic firm was hired to investigate.

According to Bradbury, the “maximum potential impact” is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel.

Here is the timeline (times in UTC) provided by Bradbury:

• January 20, 2022, 23:18 – Okta Security received an alert that a new MFA factor was added to a Sitel employee’s Okta account from a new location.
• January 20, 2022, at 23:46 – Okta Security investigated the alert and escalated it to a security incident.
• January 21, 2022, at 00:18 – The Okta Service Desk was added to the incident to assist with containing the user’s account.
• January 21, 2022, at 00:28 – The Okta Service Desk terminated the user’s Okta sessions and suspended the account until the root cause of suspicious activity could be identified and remediated.
• January 21, 2022, at 18:00 – Okta Security shared indicators of compromise with Sitel. Sitel informed us that they retained outside support from a leading forensic firm.
• January 21, 2022 to March 10, 2022 – The forensic firm’s investigation and analysis of the incident was conducted until February 28, 2022, with its report to Sitel dated March 10, 2022.
• March 17, 2022 – Okta received a summary report about the incident from Sitel
• March 22, 2022, at 03:30 – Screenshots shared online by LAPSUS$
• March 22, 2022, at 05:00 – Okta Security determined that the screenshots were related to the January incident at Sitel
• March 22, 2022, at 12:27 – Okta received the complete investigation report from Sitel

Here is the remainder of Bradbury’s statement:

I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications.

Our investigation determined that the screenshots, which were not contained in the Sitel summary report, were taken from a Sitel support engineer’s computer upon which an attacker had obtained remote access using RDP. This device was owned and managed by Sitel. The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard. So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session.

It’s important to understand that the access that a support engineer has is limited to basic duties in handling inbound support queries. Support engineers use a number of customer support tools to get their job done including Okta’s instances of Jira, Slack, Splunk, RingCentral, and support tickets through Salesforce. The majority of support engineering tasks are performed using an internally-built application called SuperUser or SU for short, which is used to perform basic management functions of Okta customer tenants. This does not provide “god-like access” to all its users. This is an application built with least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles. They are unable to create or delete users. They cannot download customer databases. They cannot access our source code repositories.

The report from the forensic firm highlighted that there was a five-day window of time between January 16-21, 2022 when the threat actor had access to the Sitel environment, which we validated with our own analysis.

In trying to scope the blast radius for this incident, our team assumed the worst case scenario and examined all of the access performed by all Sitel employees to the SuperUser application for the five-day period in question. Over the past 24 hours we have analyzed more than 125,000 log entries to ascertain what actions were performed by Sitel during the relevant period. We have determined that the maximum potential impact is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel.

Because of the access that the support engineers had, the information and the actions were constrained. While it is not a necessary step for customers, we fully expect they may want to complete their own analysis. For transparency, these customers will receive a report that shows the actions performed on their Okta tenant by Sitel during that period of time. We think this is the best way to let customers assess the situation for themselves.

As with all security incidents there are many opportunities for us to improve our processes and our communications. I’m confident that we are moving in the right direction and this incident will only serve to strengthen our commitment to security.
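The two log-analysis steps described above, the Jan. 20 alert in the timeline (a new MFA factor added to a support account from a new location) and the blast-radius scoping in Bradbury’s statement (every SuperUser action by Sitel accounts in the Jan. 16-21 window, grouped by customer tenant), as an added example in Python. This is not Okta’s, Sitel’s or the article’s code. Part 1 keeps to the public Okta System Log field names (eventType user.mfa.factor.activate, actor.alternateId, client.geographicalContext.country, published); Part 2 uses a hypothetical record shape, because the SuperUser tool’s audit format is not public. All records, accounts, addresses and tenant names are constructed sample data.

```python
# Added example, not Okta's, Sitel's or the article's code: two log checks
# matching the steps described on the page. All records below are constructed
# sample data (addresses, accounts and tenants are placeholders).
from collections import defaultdict
from datetime import datetime, timezone

# ---- Part 1: the Jan. 20 alert, a new MFA factor enrolled from a new location.
# Field names follow the public Okta System Log schema (eventType, outcome,
# actor.alternateId, client.geographicalContext.country, published).
SYSTEM_LOG = [
    {"published": "2022-01-10T09:02:11.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "engineer@vendor.example"},
     "client": {"ipAddress": "203.0.113.10",
                "geographicalContext": {"country": "Philippines"}}},
    # Factor enrolled from a country already in the user's history: no alert.
    {"published": "2022-01-19T07:30:05.000Z", "eventType": "user.mfa.factor.activate",
     "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "engineer@vendor.example"},
     "client": {"ipAddress": "203.0.113.22",
                "geographicalContext": {"country": "Philippines"}}},
    # Factor enrolled from a country never seen for this user: alert.
    {"published": "2022-01-20T23:18:02.000Z", "eventType": "user.mfa.factor.activate",
     "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "engineer@vendor.example"},
     "client": {"ipAddress": "198.51.100.7",
                "geographicalContext": {"country": "United States"}}},
]


def new_factor_from_new_location(events):
    """(published, user, country) for each successful MFA factor activation whose
    source country appears in no earlier successful event for that user. Events
    are walked in published order, so the baseline is only what had been seen
    before the enrollment; a user's first-ever event being an enrollment alerts too."""
    seen = defaultdict(set)  # user -> countries seen in earlier successful events
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        user = ev["actor"]["alternateId"]
        country = ev["client"]["geographicalContext"]["country"]
        if ev["eventType"] == "user.mfa.factor.activate" and country not in seen[user]:
            alerts.append((ev["published"], user, country))
        seen[user].add(country)
    return alerts


# ---- Part 2: worst-case scoping of a vendor's support-tool actions per tenant.
# Okta has not published the SuperUser tool's audit format, so the record shape
# here (published, actor, tenant, action) is a hypothetical stand-in.
SUPPORT_TOOL_LOG = [
    {"published": "2022-01-15T11:00:00.000Z", "actor": "engineer@vendor.example",
     "tenant": "acme.okta.example", "action": "view_user_list"},    # before window
    {"published": "2022-01-17T10:12:00.000Z", "actor": "engineer@vendor.example",
     "tenant": "acme.okta.example", "action": "view_user_list"},
    {"published": "2022-01-18T14:40:00.000Z", "actor": "engineer@vendor.example",
     "tenant": "acme.okta.example", "action": "reset_mfa_factor"},
    {"published": "2022-01-19T09:05:00.000Z", "actor": "other@vendor.example",
     "tenant": "globex.okta.example", "action": "view_ticket"},
    {"published": "2022-01-20T16:30:00.000Z", "actor": "staff@okta.example",
     "tenant": "initech.okta.example", "action": "view_user_list"},  # not the vendor
    {"published": "2022-01-22T08:00:00.000Z", "actor": "engineer@vendor.example",
     "tenant": "initech.okta.example", "action": "view_user_list"},  # after window
]
VENDOR_ACTORS = {"engineer@vendor.example", "other@vendor.example"}


def _ts(s):
    """Parse the System Log's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


# The five-day window Jan. 16-21 inclusive, expressed as [start, end).
WINDOW_START = _ts("2022-01-16T00:00:00.000Z")
WINDOW_END = _ts("2022-01-22T00:00:00.000Z")


def scope_vendor_access(records, actors, start, end):
    """Assume the worst case: every action by any of `actors` inside [start, end),
    grouped by the tenant it touched. Each value is the per-tenant action list
    Okta said affected customers would receive; len(result) is the tenant count."""
    report = defaultdict(list)
    for r in sorted(records, key=lambda r: r["published"]):
        if r["actor"] in actors and start <= _ts(r["published"]) < end:
            report[r["tenant"]].append((r["published"], r["actor"], r["action"]))
    return dict(report)


if __name__ == "__main__":
    for alert in new_factor_from_new_location(SYSTEM_LOG):
        print("ALERT: new MFA factor from new location:", alert)
    scoped = scope_vendor_access(SUPPORT_TOOL_LOG, VENDOR_ACTORS, WINDOW_START, WINDOW_END)
    print(f"{len(scoped)} tenant(s) potentially impacted")
    for tenant, actions in scoped.items():
        print(tenant, actions)
```

Run stand-alone, the block reports one alert (the Jan. 20-shaped enrollment from a country absent from the account’s history) and two tenants in scope; the Jan. 20 action by an Okta staff account and the Jan. 22 action are excluded by the actor set and the window respectively. The country baseline is built only from events preceding each enrollment, so replaying an exported log yields the same alert the live system would have raised at the time.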

What We Know So Far About Okta, Microsoft and Lapsus$
https://mytechdecisions.com/it-infrastructure/microsoft-okta-lapsus/ (Tue, 22 Mar 2022 14:16:38 +0000)

This article has been amended to reflect an updated statement on the incident from Okta.

After screenshots claiming to show security breaches at IT giant Microsoft and identity and authentication provider Okta surfaced, both companies are investigating possible attacks by the Lapsus$ hacking group.

In statements to various media outlets, the companies say they are investigating after screenshots purporting to be from their internal environments were posted to the Lapsus$ group’s Telegram channel this week.

Here is what we know so far.

Lapsus$ claims to have accessed, leaked Microsoft source code

According to Bleeping Computer, the Lapsus$ hacking group claims to have penetrated Microsoft’s environment and stolen source code for Bing, Cortana and other projects from Microsoft’s internal Azure DevOps server. After a screenshot was posted to the group’s Telegram channel, Lapsus$ posted a torrent for a 9 GB 7zip archive with source code from over 250 projects allegedly belonging to Microsoft, including Bing, Bing Maps and Cortana.

The files appear to be legitimate, and some contain emails and documentation that Microsoft engineers were using to publish mobile apps, according to Bleeping Computer. Microsoft is investigating the claims.

Microsoft has yet to release a public statement, but has told several news outlets that it is aware of the reports and is investigating.

Update (3/22, 8:30 p.m.)

Microsoft has released another statement, saying the company’s investigation found that “an account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.”

The company also released a blog post detailing Lapsus$’ activity.

Okta: Lapsus$ activity may be from January security incident that was contained

In addition to Microsoft, Lapsus$ has posted screenshots of what appear to be internal Okta websites. Okta is an identity solutions leader, and the screenshots caused many in the cybersecurity community to express alarm on social media overnight.

If Okta were compromised, its software could be used in a supply chain attack against the company’s “hundreds of millions” of users and “thousands” of customers, including some very large companies such as Major League Baseball, T-Mobile, Moody’s, Hewlett Packard Enterprise, Sonos, FedEx, Ally Financial and other high-profile organizations.

Posting to Twitter, Okta CEO Todd McKinnon said the screenshots shared on Lapsus$’s Telegram channel are believed to be connected to an attempted compromise of a third-party customer support engineer’s account in January. An Okta spokesperson sent us the same statement when we asked for more information.

“The matter was investigated and contained by the subprocessor,” McKinnon wrote. “We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Update (3/22, 2:07 p.m.)

Okta released an updated statement later Tuesday, saying the Okta service was not breached and that customers do not need to take any action. The statement is below in full:

The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.

In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.

Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.

We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

We take our responsibility to protect and secure our customers’ information very seriously. We are deeply committed to transparency and will communicate additional updates when available.

Lapsus$ has claimed big targets, so organizations should be very vigilant

According to Bleeping Computer and Reuters, Lapsus$’ claims of penetrating internal systems at Okta and Microsoft appear credible, particularly in the case of Okta, where screenshots purportedly show Okta’s internal tickets and Slack chats.

The Lapsus$ group has been very active in recent months, with several confirmed compromises of very large companies.

According to Bleeping Computer and the companies’ own public statements, NVIDIA, Samsung, Vodafone, Ubisoft and Mercado Libre have all been recent victims of the group, with source code and sensitive data the target.

Okta customers should remain very vigilant until the company releases more information about the incident.
