Commit 10_23_2023: Living in strange times


Welcome to Commit 10_23_2023! README senior editor Nathaniel Mott here on the first non-rainy day in what feels like an epoch to bring you the hottest (for the season) infosec news.

BC: Cisco patches IOS XE vulns

Cisco has released patches for two vulnerabilities in the networking-focused IOS XE operating system, CVE-2023-20198 and CVE-2023-20273, that BleepingComputer reported were exploited to compromise more than 50,000 devices over the last week. (And yes, I double-checked the number of zeroes in that figure. Turns out two zero-days times a bunch of devices equals tens of thousands of popped shells.)

BleepingComputer reported that the number of devices known to be infected with malware after these vulnerabilities were exploited dropped “from about 60,000 to just a few hundred.” That figure is misleading, however. Fox-IT said the drop resulted from the implant being “altered to check for an Authorization HTTP header value before responding,” which stymied existing fingerprinting methods. A different approach revealed that nearly 38,000 of these devices remain infected, the company said.

CNBC: Okta shares tumble after hack

Identity access management service provider Okta said on Oct. 20 that it had “identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system” and that the “threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.” The company noted that this system is separate from its production service, however.

CNBC reported Okta’s share price fell 11.5% after the disclosure. (At time of writing, it’s down 15.5% over the last five days, according to Google’s stock info.) But it’s worth remembering that companies often see a small dip in their share price after disclosing a breach only for their stock to recover, or even end up being priced higher than before, once investors realize that getting hacked is often just an inconvenience.

The Record: Jabber surveillance efforts foiled… by expired certificate

Researchers said on Oct. 21 that they believe efforts to surveil communications involving Jabber, which The Record described as “the largest Russian XMPP service,” were foiled when someone involved in the wiretapping failed to renew a TLS certificate used as part of an adversary-in-the-middle attack on Jabber’s “servers on Hetzner and Linode hosting providers in Germany.” Whoops!

The researchers said the nature of this attack meant that “the attacker could download [the] account's roster, lifetime unencrypted server-side message history, send new messages or alter them in real time” without knowing the associated password. That’s an incredible level of access to Jabber-based communications… and the fact that it was lost because of an expired TLS certificate is perhaps even more incredible.
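Two things a client-side monitor could have surfaced in the Jabber case are a server certificate that no longer matches the one an operator expects (the interposed certificate) and a certificate approaching its expiry date. The script below is an added example written for this newsletter, not code from the researchers or from The Record; it evaluates the dictionary shape that Python's `ssl.getpeercert()` returns plus the DER bytes from `getpeercert(binary_form=True)`. The certificate bytes, the pinned fingerprint and the host name are constructed placeholders, and the `fetch_peer_cert` helper is a generic direct-TLS fetch (XMPP servers commonly use STARTTLS, which it does not negotiate).

```python
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Timestamp format used by ssl.getpeercert() for notBefore / notAfter.
_CERT_TIME_FMT = "%b %d %H:%M:%S %Y %Z"


def utc_date(year, month, day):
    """Timezone-aware UTC midnight; keeps 'now' values explicit in checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_cert_time(value):
    """Convert 'Oct 16 00:00:00 2023 GMT' into an aware UTC datetime."""
    return datetime.strptime(value, _CERT_TIME_FMT).replace(tzinfo=timezone.utc)


def sha256_fingerprint(der_bytes):
    """Hex SHA-256 of the DER-encoded certificate, the value an operator pins."""
    return hashlib.sha256(der_bytes).hexdigest()


def evaluate_certificate(cert_info, der_bytes, pinned_fingerprint, now, warn_days=14):
    """Return a list of human-readable findings; an empty list means all clear.

    cert_info:          dict as returned by ssl.getpeercert()
    der_bytes:          bytes as returned by ssl.getpeercert(binary_form=True)
    pinned_fingerprint: hex SHA-256 of the certificate the operator expects
    now:                aware datetime used for the validity window check
    """
    findings = []

    # A different certificate than the pinned one is the signal an
    # interposed (adversary-in-the-middle) server would produce.
    observed = sha256_fingerprint(der_bytes)
    if observed != pinned_fingerprint:
        findings.append(
            f"fingerprint changed: expected {pinned_fingerprint[:16]}..., "
            f"got {observed[:16]}..."
        )

    not_before = parse_cert_time(cert_info["notBefore"])
    not_after = parse_cert_time(cert_info["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid")
    if now >= not_after:
        findings.append("certificate expired")
    elif now + timedelta(days=warn_days) >= not_after:
        findings.append(f"certificate expires in {(not_after - now).days} days")
    return findings


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live fetch over direct TLS: returns (getpeercert() dict, DER bytes).

    Not exercised by the constructed scenario below; requires network access.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# --- Constructed sample data (not real certificates) -----------------------
EXPECTED_DER = b"constructed-der-bytes-for-the-expected-certificate"
EXPECTED_FP = sha256_fingerprint(EXPECTED_DER)
ROGUE_DER = b"constructed-der-bytes-for-an-interposed-certificate"
SAMPLE_CERT_INFO = {
    "subject": ((("commonName", "xmpp.example"),),),  # placeholder host name
    "notBefore": "Jul 18 00:00:00 2023 GMT",
    "notAfter": "Oct 16 00:00:00 2023 GMT",
}


if __name__ == "__main__":
    # Scenario: the interposed certificate is seen after its expiry date.
    for finding in evaluate_certificate(
        SAMPLE_CERT_INFO, ROGUE_DER, EXPECTED_FP, utc_date(2023, 10, 21)
    ):
        print("ALERT:", finding)
```

Running the constructed scenario prints two alerts, one for the fingerprint mismatch and one for the expired certificate. In practice the pinned fingerprint is recorded from a connection the operator trusts and the check is scheduled; the `warn_days` window is what turns an expiry into a ticket instead of an outage.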

AP: China struggles to crack down on scam networks

Another surprise for this week: Associated Press reported that China has “netted thousands of people in a crackdown” on Southeast Asian scam networks, “but experts say they are failing to root out the local elites and criminal networks that are bound to keep running the schemes.” Authorities have effectively been trimming the leaves off these organizations instead of digging up the roots from which they’re growing.

The report is a helpful reminder that while many in the West focus on the Chinese government’s hacking efforts—which are plentiful—the country’s billion-plus people can also be targeted by internet-connected ne’er-do-wells. The primary difference is that companies outside China probably have little visibility (and perhaps even less motivation to reveal how much visibility they have) into the country’s security posture.