🔥 The DC with no fire extinguisher and the IAM with no incident disclosure - April Newsletter


Also: how Okta screwed up incident disclosure and Germans advised to uninstall Russian AV

Nuno
Apr 15, 2022

GM, this is the first edition of the Cyb3rSecurity Tips newsletter. A newsletter to make you smarter about Cybersecurity.

A lot happened last month, mainly driven by the geopolitical environment in Eastern Europe and by an IAM provider that doesn't seem to think incident disclosure should be a thing. I guess they learned a lesson.

Email Read Time: about 4 minutes

What’s important for you to know this month?

  • Hacks: Red Cross (CICR) and Okta

  • Germans advised to uninstall Russian antivirus

  • Geopolitics meets war and invites cybersecurity

  • A "secure" datacenter that doesn't have a fire extinguisher

Cybersecurity

Red Cross (CICR) hack

CICR said that data from more than 500.000 individuals was lost due to a hack on an internal CRM database. In a long post explaining the situation, the details boil down to this: they were running an outdated version of ZoHo CRM for which a patch had been available for more than a year, and because the flaw was critical, the attackers were able to access the database.

Source: CICR.org

Okta

Okta, an identity management provider with +15.000 customers, said a subcontractor was hacked back in January, after the Lapsus$ group released screenshots of admin consoles. This would have been a relatively easy incident to handle, but they decided to complicate things, so the TL;DR is:

  1. In mid-March, the hacking group Lapsus$ revealed screenshots of internal tools and claimed they had had access to the internal network for more than 2 months. Okta said it was not true.

  2. Okta corrected the statement and said that 2.5% of customers might have been affected, adding that the attack was directed at a subcontractor, Sitel.

  3. The attackers gained access to the admin account of a support agent back in January, but Okta only received the investigation report in the week that Lapsus$ released the screenshots.

  4. The Okta infrastructure was not compromised, but the attackers had access to an administration console at the subcontractor that contained Excel files with passwords.

  5. Recently the attack timeline leaked, and it seems the attackers disabled the EDR just by closing the task.
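The last point is the one a defender can actually instrument: an endpoint agent that an interactive user can end like any other task should at least generate an alert when that happens. The following is an added example, not code from the newsletter and not related to Okta's or Sitel's tooling; the log format, the process names (`edr-agent.exe`, `edr-sensor.exe`) and the hostnames are all constructed for illustration, loosely modelled on Sysmon ProcessCreate/ProcessTerminate events.

```python
"""Flag EDR agent process terminations in constructed Sysmon-style event lines.

Hypothetical example: the log format, process names and hostnames below are
constructed for illustration and do not come from any vendor or incident.
"""
import re
from dataclasses import dataclass

# Constructed watch-list of process names that a monitored endpoint must keep
# running. A real deployment would take these from the EDR vendor's documentation.
PROTECTED_PROCESSES = {"edr-agent.exe", "edr-sensor.exe"}

# Constructed sample lines (not real telemetry). Field order: timestamp, host,
# event type, image path, user that owned the action.
SAMPLE_LOG = """\
2022-01-20T10:02:11Z host=SUPPORT-WS-17 event=ProcessCreate image=C:\\Program Files\\EDR\\edr-agent.exe user=SYSTEM
2022-01-20T14:31:05Z host=SUPPORT-WS-17 event=ProcessCreate image=C:\\Windows\\System32\\taskmgr.exe user=CORP\\support.agent
2022-01-20T14:31:42Z host=SUPPORT-WS-17 event=ProcessTerminate image=C:\\Program Files\\EDR\\edr-agent.exe user=CORP\\support.agent
2022-01-20T14:31:43Z host=SUPPORT-WS-17 event=ProcessCreate image=C:\\Windows\\System32\\cmd.exe user=CORP\\support.agent
2022-01-20T18:00:00Z host=SUPPORT-WS-17 event=ProcessTerminate image=C:\\Program Files\\EDR\\edr-agent.exe user=SYSTEM
"""

# Image paths contain spaces, so match them non-greedily up to the " user=" field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"image=(?P<image>.+?) user=(?P<user>\S+)$"
)


@dataclass
class Alert:
    ts: str
    host: str
    image: str
    user: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_edr_termination(log_text, protected=PROTECTED_PROCESSES):
    """Return an Alert for each protected process ended by a non-SYSTEM account.

    A termination owned by SYSTEM is treated as a normal agent restart or
    upgrade; an interactive user ending the agent (the "closing the task" case)
    is what this check surfaces.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "ProcessTerminate":
            continue
        exe = rec["image"].rsplit("\\", 1)[-1].lower()
        if exe in protected and rec["user"].upper() != "SYSTEM":
            alerts.append(Alert(rec["ts"], rec["host"], exe, rec["user"],
                                "protected EDR process terminated by interactive user"))
    return alerts


if __name__ == "__main__":
    for alert in detect_edr_termination(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample it raises exactly one alert, for the 14:31:42 termination by the support account, and stays quiet for the SYSTEM-owned termination later that day. The detection only tells you the agent was stopped; the real fix is anti-tamper protection so that a standard user cannot end the agent in the first place.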

Sean Gallagher (@thepacketrat), Mar 23, 2022: "Okta be like" [image]

Sources:

  • Cloudflare: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise

Cybersecurity

🇷🇺 Germany advises citizens to uninstall Russian antivirus

What happened? Germany's BSI federal cybersecurity agency has warned the country's citizens not to install Russian-owned Kaspersky antivirus, saying it has "doubts about the reliability of the manufacturer."

Why it matters: the warning does not appear to be based on any specific threat. Instead, it focuses on the notion that Kaspersky could find itself being used, against its management's will, to harm rather than protect its customers.

The German government is typically cautious and quick to react (they did something similar with Google Analytics recently), so this is not unusual. However, it becomes a risk if the EU decides to take this recommendation and make it a rule.

Sources:

  • Reuters: https://www.reuters.com/business/media-telecom/us-fcc-adds-ao-kaspersky-lab-china-telecom-firms-national-security-threat-list-2022-03-25/

  • The Register: https://www.theregister.com/2022/03/15/kaspersky_germany_antivirus

🇺🇦 Major internet provider suffers cyber-attack

Ukraine's national telecoms operator Ukrtelecom is restoring internet services after driving back a major cyber-attack.

Global internet monitor Netblocks said it was the most severe disruption to affect Ukrtelecom since Russia's invasion of Ukraine started last month.

Netblocks said it saw a collapse in connectivity to 13% of pre-war levels.

Sources:

  • BBC: https://www.bbc.com/news/60854881

  • Forbes: https://www.forbes.com/sites/thomasbrewster/2022/03/28/huge-cyberattack-on-ukrtelecom-biggest-since-russian-invasion-crashes-ukraine-telecom/?sh=32abfdde7dc2

🔥 OVHCloud fire report: SBG2 data center had wooden ceilings, no extinguisher, and no power cut-out

Over a year after the fire which destroyed part of an OVH data center in Strasbourg, the local firefighters have released a report, and boy it doesn't look good for OVH:

[...] the SBG2 data center had no automatic fire extinguishing system and no general electrical cut-off switch. The facility also had a wooden ceiling rated to resist fire for only one hour, and a free-cooling design that created "chimneys" that increased the fire's ferocity.

Bas-Rhin firefighters

Source:

  • Datacenter Dynamics: https://www.datacenterdynamics.com/en/news/ovhcloud-fire-report-sbg2-data-center-had-wooden-ceilings-no-extinguisher-and-no-power-cut-out

Meme of the month

🍗 Five interesting Cybersecurity things:

  1. Keeping your domain name secure: https://www.gov.uk/guidance/keeping-your-domain-name-secure

  2. A fake surrender declaration from Ukraine: the first time a deepfake has turned up in a real war.

  3. The White House has released a fact sheet with a list of measures to protect against cyberattacks: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/fact-sheet-act-now-to-protect-against-potential-cyberattacks/

  4. What is Tokenization? https://basistheory.com/blog/what-is-tokenization

  5. Logging at Twitter: https://blog.twitter.com/engineering/en_us/topics/infrastructure/2021/logging-at-twitter-updated

© 2023 Nuno Batista