🔥 The DC with no fire extinguisher and the IAM with no incident disclosure - April Newsletter
Also: how Okta screwed up incident disclosure and Germans advised to uninstall Russian AV
GM, this is the first edition of the Cyb3rSecurity Tips newsletter. A newsletter to make you smarter about Cybersecurity.
Last month a lot has happened, mainly driven by the geopolitical environment in Eastern Europe and an IAM that doesn't think like incident disclosure should be a thing. I guess they learned a lesson.
Email Read Time: about 4 minutes
What’s important for you to know this month?
Hacks: Red Cross (CICR) and Okta
Germans advised to uninstall Russian antivirus
Geopolitics meets war and invites cybersecurity
A "secure" datacenter that doesn't have a fire extinguisher
Red Cross (CICR) hack
CICR said that data from more than 500.000 individuals was lost due to an hack on an internal CRM database. In a long post explaining the situation, we could squeeze the details to: they were running an outdated version of ZoHo CRM whose patch was available for more than a year and because it was critical, the hackers were able to access the database.
Okta, an identity management provider with +15.000 customers, said a subcontractor was hacked back in January after the Lapsus$ group released print-screens of admin consoles. This would have been a relatively easy incident to handle, but they decided to complicate, so the TL;DR is:
In mid march, the hacking group Lapsus$ revealed print-screens of internal tools and claimed they had access to internal network for more than 2 months. Okta said it was not true
Okta corrected the statement and said that 2.5% of customers might have been affected, adding that the attack was directed to a subcontractor, Sitel.
The attackers gained access to the admin account of a support agent back in January and only in the week that Lapsus$ released the print-screens, they received the investigation report
The Okta infrastructure was not compromised, but the attackers had access to an administration console from the subcontractor that contained Excel files with passwords
Recently there was a leak of the attack timeline and it seems like the attackers disabled the EDR just by closing the task
🇷🇺 Germany advises citizens to uninstall Russian antivirus
What happened? Germany's BSI federal cybersecurity agency has warned the country's citizens not to install Russian-owned Kaspersky antivirus, saying it has "doubts about the reliability of the manufacturer."
Why it matters? The warning does not appear to be based on any specific threat. Instead, however, it focuses on the notion that Kaspersky could find itself being used against its management's will to harm instead of protect its customers.
The German government is typically cautions and quick to react (they did something similar with Google Analytics recently) so it's not something unusual. However, it's a risk if the EU decides to take this recommendation and make it a rule.
🇺🇦 Major internet provider suffers cyber-attack
Ukraine's national telecoms operator Ukrtelecom is restoring internet services after driving back a major cyber-attack.
Global internet monitor Netblocks said it was the most severe disruption to affect Ukrtelecom since Russia's invasion of Ukraine started last month.
Netblocks said it saw a collapse in connectivity to 13% of pre-war levels.
🔥 OVHCloud fire report: SBG2 data center had wooden ceilings, no extinguisher, and no power cut-out
Over a year after the fire which destroyed part of an OVH data center in Strasbourg, the local firefighters have released a report, and boy it doesn't look good for OVH:
[...] the SBG2 data center had no automatic fire extinguishing system and no general electrical cut-off switch. The facility also had a wooden ceiling rated to resist fire for only one hour, and a free-cooling design that created "chimneys" that increased the fire's ferocity.
Meme of the month
🍗 Five interesting Cybersecurity things:
Keeping your domain name secure: https://www.gov.uk/guidance/keeping-your-domain-name-secure
Fake surrender declaration from Ukraine. The first time we got a deepfake into a real war.
Whitehouse has released a fact sheet with a list of measures to protect against cyberattacks: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/fact-sheet-act-now-to-protect-against-potential-cyberattacks/
What is Tokenization? https://basistheory.com/blog/what-is-tokenization
Logging at Twitter: https://blog.twitter.com/engineering/en_us/topics/infrastructure/2021/logging-at-twitter-updated