25 Mar 2022

Week in review

Greetings,

Earlier this week, the Okta breach alerted many of Okta's customers worldwide to the risk that third-party vendors can introduce. The group suspected of causing the breach, Lapsus$, was also involved in attacks on Microsoft and Nvidia.

itnews reported early Friday morning that several suspects had been arrested in London following an investigation into the ransom-seeking gang. Some of those arrested are said to be aged only between 16 and 21.

AUSCERT issued an ASB on Thursday, March 24th, about the Lapsus$ Okta incident, which can be viewed at the following link: ASB-2022.0073

As the war in Ukraine enters its second month, the heightened risk of a major cyber attack from Russia on the USA has led to speculation that the Australia, New Zealand and United States Security Treaty (ANZUS) could be activated.

Such an attack would come as retaliation for sanctions imposed upon Russia, including by Australia. Should Australia itself be a target for such retaliatory action, Joe Biden’s top cyber security advisor has given assurance that the US would respond.

The Sydney Morning Herald provides further details that include the White House issuing a statement for all companies to “lock the digital door” against potential attacks.

The AUSCERT team has received a flurry of emails and calls concerning the upcoming AUSCERT2022 Cyber Security Conference which is a fantastic sign that people out there are interested in coming along.

Our line-up of speakers has been confirmed and we are fine-tuning the program; we will be sure to let everyone know when it’s ready for you to peruse! In the meantime, be sure to check out who we have coming along and read a little more about this year’s theme, Rethink, Reskill, Reboot.


Authentication firm Okta probes report of digital breach
Date: 2022-03-23
Author: Reuters

Authentication services provider Okta Inc (OKTA.O) is investigating a report of a digital breach, the company said on Tuesday, after hackers posted screenshots showing what they claimed was its internal company environment.
A hack at Okta could have major consequences because thousands of other companies rely on the San Francisco-based firm to manage access to their own networks and applications.
The company was aware of the reports and was investigating, Okta official Chris Hollis said in a brief statement.

Okta: Lapsus$ attackers had access to support engineer’s laptop
Date: 2022-03-23
Author: ZDNet

Okta says that a rapid investigation into the sharing of screenshots appearing to show a data breach has revealed they relate to a “contained” security incident that took place in January 2022.
Okta, an enterprise identity and access management firm, launched an inquiry after the LAPSUS$ hacking group posted screenshots on Telegram that the hackers claimed were taken after obtaining access to “Okta.com Superuser/Admin and various other systems.”

Microsoft confirms they were hacked by Lapsus$ extortion group
Date: 2022-03-22
Author: Bleeping Computer

Microsoft has confirmed that one of their employees was compromised by the Lapsus$ hacking group, allowing the threat actors to access and steal portions of their source code.
Last night, the Lapsus$ gang released 37GB of source code stolen from Microsoft’s Azure DevOps server. The source code is for various internal Microsoft projects, including for Bing, Cortana, and Bing Maps.
In a new blog post published tonight, Microsoft has confirmed that one of their employee’s accounts was compromised by Lapsus$, providing limited access to source code repositories.

New Phishing toolkit lets anyone create fake Chrome browser windows
Date: 2022-03-19
Author: Bleeping Computer

A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows.
When signing into websites, it is common to see the option to sign in with Google, Microsoft, Apple, Twitter, or even Steam.

White House issues call to action in light of new intelligence on Russian cyberthreat
Date: 2022-03-21
Author: CyberScoop

The Biden administration renewed calls Monday for the private sector to address known vulnerabilities and shore up cyberdefenses in light of a looming possibility of a cyberattack from Russia on U.S. infrastructure.
The latest warning is “based on evolving threat intelligence, that the Russian government is exploring options for potential cyberattacks on critical infrastructure in the United States,” Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology, said at a press conference Monday.

A Closer Look at the LAPSUS$ Data Extortion Group
Date: 2022-03-23
Author: Krebs on Security

Microsoft and identity management platform Okta both this week disclosed breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it unless a ransom demand is paid. Here’s a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations.

BitRAT malware now spreading as a Windows 10 license activator
Date: 2022-03-21
Author: Bleeping Computer

A new BitRAT malware distribution campaign is underway, exploiting users looking to activate pirated Windows OS versions for free using unofficial Microsoft license activators.
BitRAT is a powerful remote access trojan sold on cybercrime forums and dark web markets for as low as $20 (lifetime access) to any cybercriminal who wants it.
As such, each buyer follows their own approach to malware distribution, ranging from phishing and watering holes to trojanized software.

Australia launches federal cybercrime centre as part of national plan
Date: 2022-03-21
Author: ZDNet

Australian Home Affairs Minister Karen Andrews has launched a centre to bolster the country’s cybercrime fighting efforts.
The AU$89 million cybercrime centre forms part of Home Affairs’ national plan to combat cybercrime, which was announced alongside the centre’s launch on Monday morning.
The AU$89 million was provided through the AU$1.67 billion in funding for Australia’s cybersecurity strategy by the federal government.
Andrews said the national plan and the Australian Federal Police’s (AFP) new cybercrime centre, called Joint Policing Cybercrime Coordination Centre (JPC3), would bring together the experience, powers, capabilities, and intelligence needed to build a strong, multi-faceted response.

Newer Conti ransomware source code leaked out of revenge
Date: 2022-03-20
Author: Bleeping Computer

A Ukrainian security researcher has leaked newer malware source code from the Conti ransomware operation in revenge for the cybercriminals siding with Russia on the invasion of Ukraine.
Conti is an elite ransomware gang run by Russian-based threat actors. With their involvement in developing numerous malware families, it is considered one of the most active cybercrime operations.
However, after the Conti Ransomware operation sided with Russia on the invasion of Ukraine, a Ukrainian researcher named ‘Conti Leaks’ decided to leak data and source code belonging to the ransomware gang out of revenge.

Microsoft Azure developers targeted by 200-plus data-stealing npm packages
Date: 2022-03-24
Author: The Register

A group of more than 200 malicious npm packages targeting developers who use Microsoft Azure has been removed two days after they were made available to the public.


ASB-2022.0071 – .au direct domain names:

AUSCERT’s advisory for its members contains important information about .au direct domain names. We encourage all members who wish to register their domains in .au direct to do so within six months, to avoid any potential issues arising later.

ASB-2022.0072 – Potential Cyberattacks:

The US President warns the public to be aware of a possible escalation of cyber-attacks from Russia.

ASB-2022.0073 – Lapsus$ Okta incident:

AUSCERT’s advisory on the Lapsus$ Okta incident includes Microsoft’s recommended defences against DEV-0537.

ESB-2022.1275 – VMware Carbon Black App Control (AppC): CVSS (Max): 9.1

Updates are available to remediate the vulnerabilities in VMware Carbon Black App Control.


Stay safe, stay patched and have a good weekend!

The AUSCERT team