Cyber Security Briefing, 27 April - 3 May

May 3, 2024

Massive credential stuffing attacks against Okta accounts

Okta has issued a security warning about a massive campaign of credential stuffing attacks against user accounts. The campaign has been running since mid-March and has compromised a small percentage of accounts, although the company has not specified how many. Notably, all the requests recorded in these attacks came through the Tor network and various proxy services such as NSOCKS, Luminati and DataImpulse.

According to Okta, the observed attacks were particularly successful against organisations using Okta Classic Engine with ThreatInsight configured in audit-only mode instead of log and enforce mode. In light of this, the company has issued a series of security recommendations to mitigate these campaigns: enabling ThreatInsight in Log and Enforce mode, denying access from anonymising proxies, or switching to Okta Identity Engine.
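The log-based detection that the recommendations above imply can be illustrated with a short script. The following is an added example, not code from Okta or from the original briefing: it runs a sliding-window heuristic over constructed sign-in events whose field names approximate Okta System Log records (`actor.alternateId`, `client.ipAddress`, `outcome.result`, `securityContext.isProxy`; the record shape and all values are assumptions made up for this example) and flags source IPs that produce many failed sign-ins across many distinct logins in a short window, while recording any successful sign-in from those IPs so responders know which accounts to review.

```python
"""Flag credential-stuffing patterns in sign-in events.

The events below are constructed for this example. Their field names loosely
follow Okta System Log records, but the schema is an approximation and the
values are invented; adapt the accessors to your own log source.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def event(published, login, ip, result, reason=None, is_proxy=False):
    """Build one constructed, System-Log-style sign-in event."""
    return {
        "published": published,
        "eventType": "user.session.start",
        "actor": {"alternateId": login},
        "client": {"ipAddress": ip},
        "outcome": {"result": result, "reason": reason},
        "securityContext": {"isProxy": is_proxy},
    }


# Constructed sample data (RFC 5737 documentation addresses, fake logins).
SAMPLE_EVENTS = [
    # Ordinary user: one typo, then success, from a non-proxy address.
    event("2024-04-20T08:00:01Z", "alice@example.com", "198.51.100.7", "FAILURE", "INVALID_CREDENTIALS"),
    event("2024-04-20T08:00:09Z", "alice@example.com", "198.51.100.7", "SUCCESS"),
    # Stuffing pattern: one proxy address, twelve distinct logins failing within seconds,
    # then one success, which is the account that needs attention.
    *[event(f"2024-04-20T08:01:{i:02d}Z", f"user{i}@example.com", "203.0.113.9",
            "FAILURE", "INVALID_CREDENTIALS", True) for i in range(12)],
    event("2024-04-20T08:01:30Z", "bob@example.com", "203.0.113.9", "SUCCESS", None, True),
    # Slow source with two failures: stays below the thresholds.
    event("2024-04-20T08:05:00Z", "carol@example.com", "192.0.2.44", "FAILURE", "INVALID_CREDENTIALS"),
    event("2024-04-20T08:06:00Z", "dave@example.com", "192.0.2.44", "FAILURE", "INVALID_CREDENTIALS"),
]


def detect_stuffing(events, window=timedelta(minutes=5), min_failures=10, min_distinct_users=5):
    """Return {ip: summary} for source IPs matching a credential-stuffing pattern.

    Heuristic: within `window`, at least `min_failures` failed sign-ins spread over
    at least `min_distinct_users` distinct logins from a single IP. For each flagged
    IP the summary also lists logins that succeeded from it (suspected compromised
    accounts) and whether the source was marked as a proxy.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["eventType"] == "user.session.start":
            by_ip[ev["client"]["ipAddress"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_ts(e["published"]))
        failures = [e for e in evs if e["outcome"]["result"] == "FAILURE"]
        flagged = False
        start = 0
        # Sliding window over the failure sequence for this IP.
        for end in range(len(failures)):
            while parse_ts(failures[end]["published"]) - parse_ts(failures[start]["published"]) > window:
                start += 1
            burst = failures[start:end + 1]
            users = {e["actor"]["alternateId"] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_distinct_users:
                flagged = True
                break
        if not flagged:
            continue
        findings[ip] = {
            "failures": len(failures),
            "distinct_users": len({e["actor"]["alternateId"] for e in failures}),
            "via_proxy": any(e["securityContext"]["isProxy"] for e in evs),
            "successful_logins": sorted({e["actor"]["alternateId"]
                                         for e in evs if e["outcome"]["result"] == "SUCCESS"}),
        }
    return findings


def proxy_sources(events):
    """Return the set of source IPs marked as anonymising proxies, which a
    'deny anonymisers' network zone policy would block before authentication."""
    return {e["client"]["ipAddress"] for e in events if e["securityContext"]["isProxy"]}


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, summary)
    print("proxy sources:", proxy_sources(SAMPLE_EVENTS))
```

The thresholds are starting points, not tuned values: a slow spray such as the `192.0.2.44` source in the sample stays below them on purpose, which is why the vendor's advice to block anonymising proxies outright complements rate-based detection rather than replacing it.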

More info

Palo Alto updates fix for CVE-2024-3400 vulnerability in PAN-OS

Palo Alto has updated the originally released fix for the CVE-2024-3400 (CVSSv3 10.0 according to the vendor) vulnerability due to the increasing number of successful attacks reported after the patch was released, especially after the disclosure of several proof-of-concepts that successfully exploited the issue.

Palo Alto recommends taking action based on previously identified suspicious activity. If there has been probing or testing activity, users should upgrade to the latest revision of PAN-OS and protect running configurations, create a master key, and select AES-256-GCM.

More info

More than 100 arrested for the "son in trouble" scam in Spain

The Guardia Civil has published a press release detailing the arrest of over 100 people in various Spanish provinces accused of running the "son in trouble" telephone scam. In this type of scam, the attackers study potential victims, looking for families with a child who has left home, lives abroad or is travelling, with the aim of impersonating that child and, claiming to have a problem, manipulating the victims into sending money.

Operation Hiwaso, as it has been dubbed, found that the fraudsters obtained transfers of between 800 and 55,000 euros from each victim, defrauding at least 850,000 euros in the province of Alicante alone.

More info (Spanish)

HPE Aruba Networking fixes critical vulnerabilities

HPE Aruba Networking has issued a security advisory that lists a total of ten vulnerabilities affecting multiple versions of ArubaOS, four of which are considered critical. Specifically, these security flaws are registered as CVE-2024-26304, CVE-2024-26305, CVE-2024-33511 and CVE-2024-33512, all of which are rated with a CVSSv3 of 9.8 by the vendor.

Malicious actors could exploit these vulnerabilities to achieve remote code execution (RCE). In terms of impact, all end-of-life (EoL) versions of ArubaOS and SD-WAN, ArubaOS 10.5.1.0 and earlier, 10.4.1.0 and earlier, 8.11.2.1 and earlier, and 8.10.0.10 and earlier are affected. In addition, various mobility drivers are also affected.

Based on these facts, Aruba recommends enabling PAPI security and updating assets to the latest available versions, and also indicates that no PoC or active exploitation has been identified at this time.

More info

Dropbox Sign Security Incident

Dropbox issued a statement reporting that threat actors compromised its Dropbox Sign eSignature platform, gaining access to authentication tokens, MFA keys and customer data. The unauthorised access was detected on 24 April and the company quickly launched an investigation that revealed the compromise of a system configuration tool, which allowed threat actors to run automated applications and services with elevated privileges and gain access to the database.

The exposed data included emails, usernames, phone numbers and passwords, as well as configurations and API keys. Although no customer documents or agreements were accessed, Dropbox reset passwords, closed sessions, and restricted the use of API keys. The company also advises users to change their passwords and MFA settings, and to be on the lookout for phishing emails, warning that it is essential to perform any password recovery actions directly on the Dropbox Sign website and to disregard links in emails.

More info