1Password Responds to Okta Incident

Oct 25 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that was born in the dark web, moulded by it. We didn’t see the cyberlight until we were already men, by then it was nothing to us but BLINDING! #KnowYourEnemy

Today’s hottest cybersecurity news stories:

  • 1Password smells something phishy after Okta Support breach

  • Dios Mio! 34 cyber criminals arrested in Spain for stealing millions

  • Can they hack it? iOS they can. Operation Triangulation is back

1s the word

1Password Responds to Okta Incident: Enhancing Security Measures

Popular password management solution, 1Password, identified suspicious activity on its Okta instance on September 29, following a support system breach. The good news is no user data was compromised.

Immediate Action Taken:

1Password's CTO, Pedro Canahuati, reported that they acted swiftly, terminating the suspicious activity and conducting a thorough investigation, reassuring users that no compromise of sensitive data occurred.

Breach Details:

The breach was facilitated through the use of a session cookie after an IT team member shared a HAR file with Okta Support. The threat actor attempted several actions.

What the Threat Actor Tried:

  • Attempted to access the IT team member's user dashboard.

  • Updated an existing IDP tied to the production Google environment.

  • Activated the IDP.

  • Requested a report of administrative users.
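A HAR capture records request and response headers, cookies included, which is how a session cookie ended up in the file shared with support. The following added example (not code from 1Password, Okta or this newsletter) strips cookies, authorization headers, token parameters and bodies from a parsed HAR before it is shared; the header and parameter name lists and the sample capture are assumptions constructed for illustration.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed name lists for this example; extend them for your own applications.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-csrf-token"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "code", "password"}
REDACTED = "REDACTED"

def _scrub_pairs(pairs, names):
    """Redact each {name, value} pair whose name is sensitive; return hit count."""
    hits = [p for p in pairs or [] if p.get("name", "").lower() in names]
    for pair in hits:
        pair["value"] = REDACTED
    return len(hits)

def _scrub_url(url):
    """Redact sensitive query parameters embedded in the request URL itself."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return (sanitized deep copy, number of redactions) for a parsed HAR dict."""
    clean, count = copy.deepcopy(har), 0
    for entry in clean.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            count += _scrub_pairs(msg.get("headers"), SENSITIVE_HEADERS)
            count += len(msg.get("cookies") or [])
            msg["cookies"] = []  # parsed duplicate of Cookie / Set-Cookie
        count += _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        req["url"] = _scrub_url(req.get("url", ""))
        for body in (req.get("postData"), resp.get("content")):
            if body and body.get("text"):
                body["text"] = REDACTED  # bodies can repeat tokens
                count += 1
    return clean, count

# Constructed sample capture: one request carrying a session cookie and a token.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"url": "https://idp.example.com/app?token=abc123&view=home",
                "headers": [{"name": "Cookie", "value": "sid=constructed-session-id"}],
                "cookies": [{"name": "sid", "value": "constructed-session-id"}],
                "queryString": [{"name": "token", "value": "abc123"},
                                {"name": "view", "value": "home"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=constructed-new-id"}],
                 "cookies": [{"name": "sid", "value": "constructed-new-id"}],
                 "content": {"text": "<html>ok</html>"}}}]}}
```

Load the browser export with `json.load`, pass it through `sanitize_har`, and share only the returned copy.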

1Password's Security Response:

1Password has taken significant steps to enhance security in the wake of the incident.

Measures include:

  • Denying logins from non-Okta IDPs.

  • Reducing session times for administrative users.

  • Implementing stricter multi-factor authentication (MFA) rules for admins.

  • Limiting the number of super administrators.

Similar Threat Patterns:

1Password noted that this incident shares similarities with a known campaign where threat actors compromise super admin accounts and manipulate authentication flows to impersonate users within the organisation.

Okta's Prior Warnings:

Okta had previously warned of social engineering attacks to obtain elevated administrator permissions.

Possible Connection:

It remains uncertain whether these attacks are related to Scattered Spider, a group known for using social engineering to target Okta and gain elevated privileges.

Broader Impact:

This development comes shortly after Okta revealed a separate breach where unidentified threat actors leveraged stolen credentials to infiltrate their support case management system. This breach affected about 1% of Okta's customer base, impacting companies like BeyondTrust and Cloudflare.

1Password's Assessment:

1Password stated that the activity observed suggested the attackers aimed to remain undetected while gathering information for a more sophisticated attack.

Ensure your online security measures are up to date and stay vigilant!


MALaga, eh?

Spanish Authorities Nab 34 in €3M Cyber Crime Bust

Spanish law enforcement celebrates a major victory as they arrest 34 members of a cybercrime group responsible for online scams that reaped a staggering €3 million ($3.2 million) in illegal profits.

Searches Across Spain: Police conducted searches in 16 locations, including Madrid, Malaga, Huelva, Alicante, and Murcia. They seized simulated firearms, a katana sword, a baseball bat, €80,000 in cash, four high-end vehicles, and electronic equipment worth thousands of euros.

Massive Data Haul: Authorities uncovered a database with information on four million people, gathered by infiltrating financial and credit institutions' databases.

Elaborate Scams: The cybercriminals used email, SMS, and phone calls to impersonate banks and utility companies. They also posed as distraught family members and manipulated technology firm delivery notes to defraud victims.

Corporate Insider: In one instance, they exploited a member's position in a tech company to divert products to the criminal group.

Cryptocurrency Investments: The network leaders employed false documents and spoofing techniques, and invested their ill-gotten gains in crypto assets.

Past Arrests: This follows the Spanish National Police's arrest of 55 individuals from the Black Panthers group, accused of SIM swapping and stealing €250,000 from victims.

Global Cyber Threats: Meanwhile, in a different scheme, scammers in China and India are joining forces to deceive victims using counterfeit loan apps and exploiting India's Unified Payments Interface (UPI).

Deceptive Apps: The scam involves creating fake Android loan apps that gather personal and financial information while coercing intrusive permissions, leading to unauthorised transactions.

Legislative Gap: Researchers highlight that UPI service providers currently lack coverage under the Prevention of Money Laundering Act, making it easier for scammers to manipulate victim accounts.

Stay vigilant, and be cautious with unsolicited communications and unfamiliar apps. Cybercrime is a global challenge.


Operation Triangulation: Zero-Day Attacks

This time it’s personal.

Apple iOS Devices Targeted in Complex Cyber Attack

Kaspersky recently unveiled the secrets of a sophisticated attack on Apple iOS devices. This campaign, known as "Operation Triangulation," deploys the TriangleDB implant, consisting of four modules for spying and data theft.

Elaborate Attack: Operation Triangulation, revealed in June 2023, used a zero-click exploit that targeted iOS devices by exploiting two zero-day vulnerabilities through iMessage attachments. The attack allows complete control over the device and user data.

Unknown Threat Actor: The scale and identity of the threat actor remain a mystery, although even Kaspersky was a target at the beginning of the year. This is a fully-featured advanced persistent threat (APT) platform.

TriangleDB Backdoor: At the core of the attack is the TriangleDB backdoor. It's deployed after the attackers gain root privileges on the iOS device by exploiting a kernel vulnerability (CVE-2023-32434) that allows arbitrary code execution.

Pre-Implant Stages: Before deploying the implant, two validator stages (JavaScript and Binary) ensure the target isn't a research environment. These checks protect zero-day exploits and the implant.

Invisible iMessage Attachment: The attack begins with an invisible iMessage attachment triggering a zero-click exploit chain, which opens a unique URL containing obfuscated JavaScript code and an encrypted payload.

Detailed Surveillance: The JavaScript Validator conducts various checks and browser fingerprinting, sending the results to a remote server to receive further malware. The Binary Validator erases traces, checks jailbreak status, and more.

Data Exfiltration: The actions taken by the implant include file deletion, personalised ad tracking, collecting device information, and app lists. The results are encrypted and sent to a command-and-control (C2) server.

Ongoing Surveillance: The implant maintains communication with the C2 server and can issue instructions to delete logs, cover forensic traces, and periodically exfiltrate sensitive data.

Smart Microphone Control: Notably, the microphone module suspends recording when the screen is on or the battery is below 10%, indicating the attacker's desire to remain unnoticed.

Location Tracking: The location module triangulates the victim's position using GSM data when GPS data is unavailable.

Stealthy and Expert: The attackers exhibited a deep understanding of iOS and used private, undocumented APIs in the attack.

Stay vigilant and keep your iOS devices up to date to protect against such threats.


So long and thanks for reading all the phish!
