Editor's Note: Welcome to this holiday edition of Forcepoint Security News—curated news meant to provide a quick look at what's happening around the cybersecurity industry. Lots of recent activity!
Forcepoint Security News
Password manager company LastPass has confirmed that its customers' encrypted password vaults, which store passwords and other secrets, were stolen in a data breach earlier this year. The intruders used cloud storage keys stolen from a LastPass employee to take a copy of a backup of customer vault data, which is stored in a proprietary binary format containing both encrypted and unencrypted data. The vaults are encrypted and can only be unlocked with a customer's master password, but LastPass has warned that the attackers "may attempt to use brute force to guess your master password and decrypt the copies of vault data they took." The cybercriminals also took customer data including names, email addresses, phone numbers, and some billing information.
Okta, a provider of authentication services and Identity and Access Management solutions, has reported that its private GitHub repositories were hacked earlier this month. GitHub alerted Okta to suspicious access to its code repositories, and upon investigation, Okta found that the access had been used to copy its code. However, the hackers did not gain unauthorized access to the Okta service or customer data. The incident appears to be relevant to Okta's Workforce Identity Cloud code repositories, but not its Auth0 Customer Identity Cloud product. Okta has placed temporary restrictions on access to its GitHub repositories, suspended GitHub integrations with third-party applications, rotated GitHub credentials, and notified law enforcement. It does not anticipate any disruption to its business or its ability to service customers as a result of the event.
The US Department of Justice (DOJ) has seized 48 internet domains and charged six individuals for their involvement in running “booter” or “stresser” platforms that allow anyone to easily conduct distributed denial of service (DDoS) attacks. These online platforms let threat actors pay for DDoS attacks on websites and internet-connected devices simply by registering an account and depositing cryptocurrency. The platforms, which often claim to be used for legitimate testing of web services and servers, are widely promoted on hacker forums and criminal marketplaces, and are used to conduct DDoS attacks on victim computers without authorization. As part of Operation PowerOFF, an international effort against DDoS platforms, the FBI and other law enforcement agencies have seized 48 internet domains belonging to stresser and booter platforms worldwide. In addition, the FBI, the UK’s National Crime Agency and the Netherlands Police are displaying ads in search engines when people search for booter services, offering information on how to use cyber skills legally.
Accenture's Cyber Threat Intelligence team found that infostealer malware and multifactor authentication (MFA) fatigue attacks are on the rise. Infostealer malware is designed to steal users' information, including passwords. In an MFA fatigue attack, an attacker who already holds a user's password floods the user's MFA device with push notifications asking them to approve a login attempt, counting on the user to eventually approve one just to make the notifications stop. The rise of infostealer malware is thought to be due to extortion being more lucrative and simpler than ransomware, and MFA fatigue is increasing as more organizations enforce MFA for their employees. To protect against these types of attacks, it is recommended to use a password manager with zero-trust architecture and strong forms of two-factor authentication, such as an authenticator app.
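The MFA fatigue pattern described above is visible in an identity provider's push logs as a burst of denied challenges for one user, often ending in an approval. The following is an added detection example, not code from Accenture or any vendor; the log format, user names and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-notification log (hypothetical format, not real data):
# <timestamp> <user> mfa.push.challenge <APPROVED|DENIED>
SAMPLE_LOG = """\
2022-12-20T08:01:05Z alice mfa.push.challenge DENIED
2022-12-20T08:01:31Z alice mfa.push.challenge DENIED
2022-12-20T08:02:04Z alice mfa.push.challenge DENIED
2022-12-20T08:02:40Z alice mfa.push.challenge DENIED
2022-12-20T08:03:12Z alice mfa.push.challenge DENIED
2022-12-20T08:03:55Z alice mfa.push.challenge APPROVED
2022-12-20T08:05:00Z bob mfa.push.challenge APPROVED
2022-12-20T09:10:00Z bob mfa.push.challenge DENIED
2022-12-20T15:30:00Z bob mfa.push.challenge APPROVED
"""

LINE_RE = re.compile(r"^(\S+) (\S+) mfa\.push\.challenge (APPROVED|DENIED)$")

def parse_log(text):
    """Parse log lines into (timestamp, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag users with >= threshold denied pushes inside a rolling window.
    Returns {user: (max_denials_in_window, approval_followed_burst)}."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(events):
        per_user[user].append((ts, result))
    alerts = {}
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            burst = evs[start:end + 1]
            denials = sum(1 for _, r in burst if r == "DENIED")
            if denials >= threshold:
                approved_after = burst[-1][1] == "APPROVED"  # user gave in
                prev = alerts.get(user, (0, False))
                alerts[user] = (max(prev[0], denials), prev[1] or approved_after)
    return alerts
```

An approval that closes a burst of denials is the highest-priority case, since it indicates the attacker likely obtained a session.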
And here’s one more holiday-related story worth noting:
A Southeast Asian e-commerce fraud ring targeted US retailers, stealing an estimated $660 million worth of goods in November. The group has built a sophisticated operation using stolen credentials and account takeover to place orders from unsuspecting consumers' accounts, which are then shipped to Asia for repackaging and resale at a premium. The group targeted a total of $3.3 billion worth of merchandise in November, according to researchers at Signifyd. The attack has been described as the largest of its kind in 20 years, with the group attempting large numbers of fraudulent transactions per minute and not attempting to hide its activities. The group also reportedly uses mules to facilitate the reshipment of stolen goods.