Brief #24: SolarWinds CISO Sentenced, Okta Breached Again and More

Mandos Brief for week 44 of 2023: SolarWinds CISO charged, Okta's third-party breach, critical Windows driver vulnerabilities, CVSS 4.0, and Boeing ransomed.

SolarWinds CISO Charged: A Wake-Up Call for Security Leaders

  • Misleading Investors and Cybersecurity Failures: SolarWinds and its CISO, Tim Brown, are charged with fraud by the SEC. They are accused of overstating cybersecurity measures and not disclosing known risks over the period from the company's 2018 IPO through the 2020 Sunburst cyberattack. Internal documents revealed they knew their remote access was vulnerable.
  • Internal Contradictions and Profit from Deception: Despite public reassurances, internal SolarWinds presentations in 2018 and 2019 highlighted severe security vulnerabilities. Meanwhile, Brown sold 9,000 shares for a $170,000 profit before the stock plummeted by 35% after the attack's disclosure.
  • Legal and Ethical Repercussions: The charges have caused concern among CISOs about increased accountability. The SEC's actions may deter potential CISO candidates, exacerbating the shortage of cybersecurity professionals. This case raises questions about the balance between holding leaders accountable and creating a fear-based environment.
  • Factual Outcomes of the Case: The SEC's complaint alleges that Brown was aware of but did not address or sufficiently escalate the company's cybersecurity issues. As a result, SolarWinds could not assure the protection of its assets, including its Orion product. The company's stock dropped about 25% two days after disclosing the Sunburst attack and 35% by the end of that month.

Okta Breached Again: This Time via Third-Party Vendor

  • Third-Party Breach Leads to Employee Data Exposure: Okta, the identity management giant, faced a breach through its third-party vendor, Rightway Healthcare. The breach, which occurred on September 23, 2023, led to the exposure of personal and healthcare data of nearly 5,000 Okta employees. The compromised data included names, social security numbers, and medical insurance plans.
  • Delayed Discovery and Response: The breach was discovered on October 12, nearly three weeks after the initial incident. Okta's response included a thorough investigation, notification of affected individuals, and the provision of free identity and credit monitoring services. This incident adds to a series of security challenges Okta has faced in recent weeks.
  • Impact on Okta's Reputation: While Okta's services remained secure, the breach raises concerns about the company's overall security posture, especially considering recent events involving threat actors and supply chain vulnerabilities. The trust of cybersecurity professionals in Okta may be impacted, despite the company's proactive steps to mitigate the situation.
  • Recent Security Woes: The breach is part of a series of security incidents involving Okta. Previously, threat actors exploited Okta's software platform to breach MGM Resorts, and Okta's own systems were compromised, leading to the theft of customer data including session tokens and cookies. This was followed by a supply chain attack on its customer 1Password, marking a challenging period for the IAM provider.

Vulnerable Windows Kernel Drivers Lead to Full Device Takeover

  • Widespread Driver Flaws Identified: Researchers uncovered 34 Windows drivers with vulnerabilities that could be exploited for kernel access. These drivers, signed by major chip and BIOS manufacturers, lack proper access controls, allowing non-admin users full device control.
  • In-depth Analysis Reveals Risks: The vulnerabilities, discovered through static analysis automation, enable firmware erasure and elevation of privilege (EoP) attacks. Despite vendor patches for some, the majority remain a threat, with attackers potentially using them to disable security software.
  • Exploit Development and POCs: Proof of Concept (POC) exploits were developed for a subset of drivers, demonstrating firmware erasure and EoP on Intel platforms. These POCs bypass existing protection settings, leading to unbootable systems upon firmware header deletion.
  • Vendor Response and Future Outlook: Only two vendors have addressed the reported vulnerabilities, with CVEs assigned. The findings suggest a need for more robust prevention strategies beyond Microsoft's current banned-list method, as attackers could still exploit drivers with revoked certificates.

CVSS 4.0 Released: A New Era of Vulnerability Scoring

  • Comprehensive Overhaul: FIRST announces CVSS v4.0, enhancing vulnerability scoring with new metrics for safety, recovery, and provider urgency. The update addresses past criticisms by offering a more granular and environment-specific assessment, crucial for OT/ICS and IoT systems.
  • Strategic Scoring: The new scoring system introduces a nomenclature for combining base, threat, and environmental metrics, allowing for a nuanced understanding of vulnerabilities. This shift underscores the importance of context in evaluating security threats.
  • Evolution of Standards: Since its inception in 2005, CVSS has undergone significant changes. The v4.0 release marks a substantial advancement, incorporating feedback from two months of public comments and extensive collaboration among FIRST members.
  • Enhanced Applicability: CVSS v4.0 extends its relevance to emerging technologies by including metrics for automatable, wormable, and recovery resilience. This version also introduces safety considerations, making it pertinent for assessing vulnerabilities in OT/ICS and IoT environments.

Boeing Parts Division Hit by Ransomware Attack

  • MOVEit Vulnerability Exploited: Cybercriminals targeted CCleaner using a flaw in the MOVEit file transfer tool. They stole names, contact info, and product details. The attack affected less than 2% of users, but given CCleaner's large user base, the impact is significant.
  • Delayed Disclosure: CCleaner took several months to inform its users about the breach. This delay raises questions about the company's transparency and incident response strategy, potentially eroding trust among its user base.
  • Community Confusion: Users on CCleaner's community forum were initially unsure if the warning emails were genuine. Even moderators were not informed, leading to misinformation and increased risk for users who might have ignored genuine alerts.
  • Data Protection Advice: Users are advised to check their email and passwords on "Have I Been Pwned" for any breaches. The company is also offering dark web monitoring services to affected individuals, although this is seen as a reactive measure rather than a proactive solution.