Brief #22: Okta Breach, Brave's Stealthy VPN, Weak Passwords

TL;DR

Credential Abuse and Data Exposure: Hackers exploited a stolen credential to access Okta's support case management system. They viewed HAR (HTTP Archive) files containing sensitive cookies and session tokens. These tokens could be used for impersonation attacks, posing a significant risk to Okta's client base.
Third-Party Impact and Containment: Cloudflare detected unauthorized access to their Okta instance, originating from a compromised token at Okta. They used their Zero Trust Access Gateway and Data Loss Prevention tools to contain the incident swiftly, preventing any customer data breach.
Lag in Okta's Incident Response: BeyondTrust detected an unauthorized attempt to create an admin account in their Okta environment on October 2, 2023. They alerted Okta, but the company took 16 days to fully contain the breach. This delay exposed a critical gap in Okta's incident response capabilities.
Immediate Actions and Long-Term Recommendations: Okta revoked compromised session tokens and advised sanitizing credentials. However, Cloudflare and BeyondTrust recommend more robust measures, such as hardware-based MFA and immediate action on compromise reports. The incident calls for a re-evaluation of Okta's security protocols, including faster response times and mandatory hardware keys for all system accesses.

VPN Components in Windows Services: Brave's VPN service is automatically installed as part of the browser setup on Windows. Two services, labeled as "Brave VPN" and "Brave WireGuard," appear in the Windows Services Manager. These services remain dormant unless activated by a subscription.
Admin Rights and Installation Behavior: The VPN services are installed with administrative rights, making them harder to remove. An update to Brave could potentially reinstate these services even if manually removed.
VPN Service Architecture: The VPN service is not free and is part of Brave's Firewall + VPN package. Despite being dormant, the services are set to "manual" and "manual trigger start," meaning they can be activated if the user subscribes to Brave's VPN.
Security Concerns: The auto-installation of VPN services could potentially be exploited as an attack vector. It also raises questions about software integrity and the ethical implications of installing services without explicit user consent

Scale of the Problem: Out of 18 million analyzed admin passwords, over 40,000 were "admin." This isn't a few isolated cases but a systemic issue. The widespread use of weak passwords by IT admins is a glaring security gap that could lead to large-scale breaches.
The Malware Connection: Information-stealing malware is specifically targeting these weak admin passwords. Once these credentials are compromised, they're sold in underground markets. This creates a supply chain of vulnerability, from the IT admin to the malware distributor to the final attacker.
Predictability as a Risk: The top 20 admin passwords are not just weak; they're predictable. With machine learning algorithms getting better at password cracking, this predictability could be exploited at an unprecedented scale.
Ignoring Available Solutions: What makes this situation worse is the willful ignorance of existing security measures. Tools for endpoint detection and strong password policies are available but not implemented. This suggests a culture of complacency, where the very individuals responsible for security are its weakest link.

Unauthenticated RCE: CVE-2023-35187, CVE-2023-35185, and CVE-2023-35182 allow remote attackers to execute code at the system level without requiring authentication. These flaws exist in methods like OpenClientUpdateFile, OpenFile, and CreateGlobalServerChannelInternal.
Local Privilege Abuse: CVE-2023-35181 and CVE-2023-35183 exploit local resources and incorrect folder permissions. Attackers can escalate their local privileges by abusing these vulnerabilities, rated 7.8 out of 10 in severity.
API and Service Exploits: CVE-2023-35180, CVE-2023-35184, and CVE-2023-35186 allow attackers to perform RCE by abusing SolarWinds service or its ARM API. These are rated 8.8 out of 10 and can lead to unauthorized control of the affected system.
Patch Now: SolarWinds released ARM version 2023.21 to fix these vulnerabilities. Delaying the update exposes systems to unauthorized network takeover and potential data breaches.

Two-Stage Attack Vector: CVE-2023-20198 is the entry point, granting level 15 access. Attackers then exploit CVE-2023-20273 to inject elevated root commands. This isn't just privilege escalation; it's a full compromise allowing arbitrary command execution.
Stealth and Persistence: Attackers are sophisticated, clearing logs and removing temporary usernames like ciscoTacAdmin. They're covering tracks in real-time, making traditional forensics less effective.
Implant Deployment: An implant configuration file, ciscoService.conf, is deployed. It's not persistent across reboots but allows remote command execution. If your device reboots and the threat seems gone, think again. The local user accounts they created remain active.
Cisco's Partial Solution: Disabling HTTP server is advised but insufficient. Given the attacker's level of access, assume compromise extends beyond the HTTP server. Full device audit and possibly a wipe are prudent steps.