Commit 11_6_2023: Were you expecting good news this month?

Mick Haupt / Unsplash

Welcome to Commit 11_6_2023! README senior editor Nathaniel Mott here on this chilly November day with the top infosec news.

Ars Technica: Is Okta being transparent or passing the buck?

On Nov. 3, Okta published a “root cause and remediation” report on the compromise of its support case management system. The company said a threat actor gained “unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers” by obtaining the credentials of a service account that had been saved into, and synced to, an employee’s personal Google account.

That’s a clear no-no, but as Ars Technica pointed out, the compromise of a single account probably shouldn’t be game-over for a company of Okta’s size and stature. Service-account credentials that can be saved into a browser profile and synced off a managed device point to a gap in controls, not just one employee’s lapse. (And it certainly shouldn’t fall to Okta’s customers to notice suspicious activity and inform the company that it might have suffered a breach.) The employee knocked over the first domino, but Okta was the one that lined them up in the first place.

NBC: It’s super easy to buy U.S. military personnel data

Duke University researchers found that it was easy to purchase data about U.S. military personnel, including their “names, phone numbers, addresses and sometimes even information like the names of service members’ children, their marital status, net worth and credit rating, often for as little as 12 cents per person,” NBC reported today, and some folks are worried this poses a national security risk.

An optimist might expect this to be enough to convince policymakers that it’s finally time to regulate the digital advertising industry. A pessimist would probably note that U.S. agencies rely on that same industry to provide information about people of interest, so they’d be fairly likely to claim that curbing this data collection would also pose a national security risk. Whose complaints seem more likely to be heard?

Rapid7: That data-wipey Confluence bug is being exploited

Rapid7 said on Nov. 5 that it was “observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment,” following the Oct. 31 disclosure of a vulnerability that Atlassian said could cause “significant data loss.” (A bit more on that in Changelog.)

“The process execution chain, for the most part, is consistent across multiple environments,” Rapid7 said, “indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers.” Anyone running an on-premises version of Confluence Data Center or Server should A) install Atlassian’s patch sooner rather than later and B) kick off the appropriate incident response procedures, since patching closes the hole but does nothing about an intruder who is already inside. An internet-facing instance that sat unpatched after the Oct. 31 disclosure should be treated as potentially compromised until checked, and given the “significant data loss” warning, now is also the time to confirm that recent backups exist and actually restore.

CyberScoop: CISA reports uptick in zero-day exploitation

CyberScoop reported on Nov. 3 that Michael Duffy, an associate director of the cybersecurity division at CISA, said the agency has had a “very eventful past six months.” That’s at least partly attributable to what Duffy described as “a really high increase in zero-day activity, exploits that we’re seeing across the globe, really affecting the federal government networks throughout the federal government.”

The comment hardly comes as a surprise. The MOVEit Transfer saga began when Cl0p exploited a zero-day in the software, and Mandiant said the recent CitrixBleed vulnerability was being exploited as a zero-day, too. Those are just the campaigns we know about; other zero-day vulnerabilities in totally unrelated software are almost certainly being exploited as I type this sentence.

The Record: North Korean hackers raise ire of U.S., South Korea and Japan

The U.S. has partnered up with South Korea and Japan to address ongoing activity from North Korean hackers, The Record today reported, with the office of South Korea’s president saying the countries would be “jointly preparing measures to block cyber activities that are abused as a major source of funds for North Korea's weapons development, such as nuclear weapons and [weapons of mass destruction].”

The partnership is a reminder of just how much of a scourge North Korea has been on the cybersecurity front. It’s not necessarily competing with other nation-states when it comes to destructive attacks, but it’s certainly been an ongoing problem for organizations from which it can steal cryptocurrency or valuable information. Let’s see if formalizing the fight against the country can lead to an actual change.