Okta raises alarm over surge in credential stuffing attacks
- SISA Weekly Threat Watch -
Last week witnessed a flurry of cyber threats, ranging from state-sponsored espionage campaigns exploiting zero-day vulnerabilities in Cisco networking equipment, to unprecedented surges in credential stuffing attacks targeting Okta. Additionally, the emergence of ‘Muddling Meerkat’ revealed sophisticated DNS manipulation tactics, while critical vulnerabilities in GitLab and HPE Aruba devices underscored the urgent need for security patches and proactive measures. These developments emphasize the persistent and evolving nature of cyber threats, urging organizations to prioritize security measures and stay vigilant against emerging risks.
SISA Weekly Threat Watch – our weekly feature gives a quick snapshot of the major security vulnerabilities and campaigns that threatened organizations worldwide over the past week. Each recurring, actionable advisory also carries the information and recommendations security teams need to defend against the latest critical threats.
1. ArcaneDoor campaign exploits Cisco zero-day flaws for espionage
A recent espionage campaign, dubbed ArcaneDoor by Cisco Talos, exploited two previously unknown (zero-day) vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, CVE-2024-20353 and CVE-2024-20359, to implant custom malware. Talos attributes the activity to a highly skilled state-sponsored actor tracked as UAT4356. Two implants were deployed on compromised ASA and FTD devices: Line Dancer, an in-memory shellcode interpreter that executes attacker-supplied payloads without touching disk, and Line Runner, a persistent backdoor that survives reboots and software upgrades. With these, the actor established persistence and carried out espionage tasks such as reconnaissance, capture of network traffic passing through the appliance, and potentially lateral movement into the networks behind it.
The actor also modified device configurations, exfiltrated plaintext copies of the running configuration (which contains credentials and network topology), and suppressed syslog output so that its commands left no local trace. Cisco released security updates for both vulnerabilities and advises upgrading affected devices, reviewing system logs (including unexplained gaps in logging or unexpected reboots) for unauthorized activity, enforcing strong multi-factor authentication (MFA) for device administration, and shipping logs to a central collector, since an attacker who disables local syslog cannot delete what has already left the box. One caveat: the initial access vector had not been identified at the time of disclosure, so patching alone does not rule out a prior compromise; devices should also be checked for the implants and the configuration tampering described above.
2. Okta alerts customers to an “unprecedented” surge in credential stuffing attacks
Okta has warned of an "unprecedented" rise in credential stuffing attacks against its identity and access management platform, and confirms that some customer accounts were compromised. In credential stuffing, automated tools replay username and password pairs harvested from earlier breaches and sold in criminal markets; because each leaked password is tried only against the account it belongs to, the pattern is many accounts with one or two failures each, the opposite of a brute-force attack against a single account. Okta assesses that the activity shares infrastructure with the brute-force and password-spraying campaign reported shortly before it, and that requests arrive through the TOR anonymization network and residential proxy services, which hides the true source and defeats simple IP-based blocking. The organizations at highest risk are those running the Okta Classic Engine with ThreatInsight left in Audit-only mode (which logs suspicious requests but does not block them) and those that do not deny access from anonymizing proxies.
Only a small percentage of customers were affected, but a compromised account hands the attacker everything that user can reach through single sign-on, so the mitigations are worth applying before an incident rather than after. Okta recommends switching ThreatInsight to Log and Enforce mode so that flagged requests are blocked rather than merely recorded, denying access from anonymizing proxies, moving to the Okta Identity Engine, and using Dynamic Zones to block or challenge traffic by ASN, geolocation or proxy type. Beyond Okta's own list, enforce MFA so that a stuffed password alone is never sufficient, and review the System Log for the stuffing pattern so that any account that authenticated from a suspect source can be reset.
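The detection step above, as an added example (not Okta's code): a small Python script that aggregates Okta System Log events per source IP and flags sources showing the credential-stuffing shape, many distinct accounts with only one or two failures each, while leaving a single user's typos alone. The events are constructed; the field names (eventType, actor.alternateId, client.ipAddress, outcome.result/reason, securityContext.isProxy) follow the System Log schema, and the thresholds are assumptions to tune per tenant.

```python
"""Spot credential-stuffing patterns in Okta System Log events.

Added example; SAMPLE_EVENTS is constructed, not real Okta data. Field names
follow the Okta System Log schema; the thresholds in flag_stuffing are
assumptions to tune per tenant.
"""
from collections import defaultdict
import json


def _event(user, ip, result, reason=None, proxy=False):
    """Build one constructed user.session.start event."""
    return {
        "eventType": "user.session.start",
        "actor": {"type": "User", "alternateId": user},
        "client": {"ipAddress": ip},
        "outcome": {"result": result, "reason": reason},
        "securityContext": {"isProxy": proxy},
    }


PROXY_IP = "198.51.100.7"  # documentation address standing in for a residential proxy exit
HOME_IP = "203.0.113.5"    # documentation address standing in for a user's home connection

SAMPLE_EVENTS = (
    # stuffing signature: one leaked password tried per account, all via a proxy
    [_event(f"user{i}@example.com", PROXY_IP, "FAILURE", "INVALID_CREDENTIALS", proxy=True)
     for i in range(12)]
    # two of the leaked passwords were still valid
    + [_event("user3@example.com", PROXY_IP, "SUCCESS", proxy=True),
       _event("user9@example.com", PROXY_IP, "SUCCESS", proxy=True)]
    # a legitimate user mistyping their password, then getting it right
    + [_event("alice@example.com", HOME_IP, "FAILURE", "INVALID_CREDENTIALS") for _ in range(3)]
    + [_event("alice@example.com", HOME_IP, "SUCCESS")]
)


def summarize_by_ip(events):
    """Aggregate login outcomes per source IP."""
    per_ip = defaultdict(lambda: {"failures": 0, "failed_users": set(),
                                  "success_users": set(), "proxy": False})
    for e in events:
        if e.get("eventType") != "user.session.start":
            continue
        s = per_ip[e["client"]["ipAddress"]]
        user = e["actor"]["alternateId"]
        s["proxy"] = s["proxy"] or bool(e.get("securityContext", {}).get("isProxy"))
        if e["outcome"]["result"] == "SUCCESS":
            s["success_users"].add(user)
        elif e["outcome"].get("reason") == "INVALID_CREDENTIALS":
            s["failures"] += 1
            s["failed_users"].add(user)
    return per_ip


def flag_stuffing(events, min_distinct_users=5, max_failures_per_user=2.0):
    """Return {ip: finding} for sources whose failures look like credential
    stuffing: many distinct accounts, each tried only once or twice. A brute
    force against one account shows the opposite shape (one user, many
    failures) and is deliberately not matched here."""
    findings = {}
    for ip, s in summarize_by_ip(events).items():
        n_users = len(s["failed_users"])
        if n_users < min_distinct_users or s["failures"] / n_users > max_failures_per_user:
            continue
        findings[ip] = {
            "distinct_accounts_tried": n_users,
            "failures": s["failures"],
            "anonymizing_proxy": s["proxy"],
            # any successful login from a stuffing source is a likely takeover
            "likely_compromised": sorted(s["success_users"]),
        }
    return findings


if __name__ == "__main__":
    print(json.dumps(flag_stuffing(SAMPLE_EVENTS), indent=2))
```

Run against a System Log export (one JSON object per event) by replacing SAMPLE_EVENTS with the parsed file. The likely_compromised list is the set of accounts to reset first; the anonymizing_proxy flag is the field Okta's "deny anonymizing proxies" setting would have acted on.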
3. China’s ‘Muddling Meerkat’ and DNS hijacking for global internet mapping
Infoblox researchers have described 'Muddling Meerkat', an actor they assess to be Chinese state-affiliated, that has been manipulating the domain name system (DNS) since at least October 2019. Its defining trait is the appearance of forged DNS responses injected by China's Great Firewall (GFW), unusually including fake MX (mail exchanger) records, whereas the GFW's well-documented censorship behaviour is to forge A records. Triggering MX injection at will suggests the actor can influence the GFW's DNS tampering in a way not previously observed, and points to advanced capability in DNS infrastructure manipulation.
The actor sends large volumes of queries for random, non-existent subdomains of target domains through open resolvers, favouring short domain names registered before 2000 that look unremarkable and are unlikely to draw attention. The motive is unclear; reconnaissance of resolver behaviour and testing of network resilience are the most plausible explanations. Recommended measures: sign your zones with DNSSEC and run validating resolvers, so that forged answers for your domains are rejected; do not operate open resolvers, and restrict recursive resolvers to your own networks; monitor DNS traffic for bursts of NXDOMAIN responses to random subdomains; tighten firewall rules around DNS; and train staff to recognise and report anomalies.
4. CISA alerts to ongoing exploitation of GitLab password reset flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-7028, a critical GitLab vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog because of ongoing attacks. The flaw, which carries the maximum CVSS v3 score of 10.0, sits in the password-reset flow: the reset form accepted more than one email address, so a reset link for a victim's account could be delivered to an attacker-controlled address as well. An attacker who resets a password takes over the account, and from there can push malicious code into repositories and CI pipelines and read sensitive data, which is why GitLab instances are a prime supply-chain target.
Affected self-managed releases are 16.1 through 16.7.1 (16.1 before 16.1.6, 16.2 before 16.2.9, 16.3 before 16.3.7, 16.4 before 16.4.5, 16.5 before 16.5.6, 16.6 before 16.6.4 and 16.7 before 16.7.2); GitLab.com was already patched at disclosure. Fixes shipped in 16.7.2, 16.6.4 and 16.5.6 and were backported to 16.4.5, 16.3.7, 16.2.9 and 16.1.6. One important caveat: an account with two-factor authentication enabled can still have its password reset, but the attacker cannot sign in without the second factor, so enforcing 2FA for all users is the strongest mitigation alongside patching. GitLab's detection guidance is to search gitlab-rails/production_json.log for POST requests to /users/password whose params.value.email is a JSON array holding more than one address, and gitlab-rails/audit_json.log for PasswordsController#create entries whose target details list multiple addresses. Where an attack is found, rotate all credentials, access tokens and CI secrets, apply least privilege to tokens, and review the Identity Provider (IdP) or Single Sign-On (SSO) logs for unexpected sign-ins.
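The version and log checks described above, as an added example (not GitLab's code): the FIXED table is the set of fixed releases from GitLab's advisory, the log shape follows GitLab's published detection guidance for production_json.log, and the sample log lines are constructed.

```python
"""Two checks for GitLab CVE-2023-7028 (password-reset link mailed to an
unverified address). Added example; FIXED lists the fixed releases from
GitLab's advisory, the log shape follows GitLab's published detection
guidance for production_json.log, and SAMPLE_LOG is constructed."""
import json

# First fixed release on each affected minor branch (from GitLab's advisory).
FIXED = {
    (16, 1): (16, 1, 6), (16, 2): (16, 2, 9), (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5), (16, 5): (16, 5, 6), (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}


def parse_version(version):
    """'16.7.1-ee' -> (16, 7, 1); edition suffixes are ignored."""
    return tuple(int(p) for p in version.split("-")[0].split(".")[:3])


def is_vulnerable(version):
    """True if this self-managed release is on an affected branch and older
    than that branch's fix. Branches before 16.1 or after 16.7 are unaffected."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


def _emails_in_params(params):
    """Extract the email value(s) from a logged password-reset request.
    production_json.log records params as [{"key": "user", "value": {...}}]."""
    for p in params or []:
        if p.get("key") == "user" and isinstance(p.get("value"), dict):
            email = p["value"].get("email")
            if isinstance(email, list):
                return email
            if email is not None:
                return [email]
    return []


def find_reset_abuse(log_lines):
    """Return (time, remote_ip, emails) for POST /users/password requests that
    carried more than one email address, the CVE-2023-7028 request shape.
    Legitimate resets carry exactly one."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise in the log
        if rec.get("method") != "POST" or rec.get("path") != "/users/password":
            continue
        emails = _emails_in_params(rec.get("params"))
        if len(emails) > 1:
            hits.append((rec.get("time"), rec.get("remote_ip"), emails))
    return hits


# Constructed log lines; the second is the shape an exploitation attempt leaves.
SAMPLE_LOG = """
{"time":"2024-01-12T08:00:00.000Z","method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"203.0.113.8","status":200}
{"time":"2024-01-12T08:01:10.000Z","method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}],"remote_ip":"198.51.100.23","status":200}
{"time":"2024-01-12T08:02:00.000Z","method":"GET","path":"/users/password/new","params":[],"remote_ip":"203.0.113.8","status":200}
"""

if __name__ == "__main__":
    for ver in ("16.4.3", "16.4.5", "16.7.2-ee", "16.8.0"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "not affected")
    for hit in find_reset_abuse(SAMPLE_LOG.splitlines()):
        print("suspicious reset:", hit)
```

On a real instance, feed find_reset_abuse the lines of /var/log/gitlab/gitlab-rails/production_json.log; every hit names the victim address and the attacker-supplied one, which is the list of accounts to reset and of tokens to rotate.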
5. Four critical vulnerabilities expose HPE Aruba devices to RCE attacks
HPE Aruba Networking's April 2024 security advisory covers ten vulnerabilities in ArubaOS, four of them critical (CVSS v3.1 score 9.8) unauthenticated buffer overflows that allow remote code execution: CVE-2024-26304, CVE-2024-26305, CVE-2024-33511 and CVE-2024-33512. All four are reached by sending crafted packets to the PAPI protocol (Aruba's access point management protocol) on UDP port 8211, and affect the underlying L2/L3 management service, the utility daemon, the automatic reporting service and the local user authentication database respectively. Affected products are Mobility Conductor (formerly Mobility Master), Mobility Controllers, and WLAN and SD-WAN Gateways managed through Aruba Central, across several ArubaOS and SD-WAN release trains, including trains that are past End of Life (EoL) and will not receive fixes.
The vendor's workaround for ArubaOS 8.x is to enable Enhanced PAPI Security with a non-default key, so that PAPI messages lacking the key are rejected; the actual fix is upgrading to the patched releases listed in the advisory, and EoL trains must be migrated because no patch is coming for them. The same releases also address six medium-severity vulnerabilities, most of which pose denial-of-service risks. In the meantime, verify from outside the management network that UDP/8211 on these devices is not reachable from untrusted networks (management traffic belongs on a dedicated, firewalled segment), apply the updates promptly, watch for follow-up advisories, and review the surrounding security controls.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.