A recently identified security vulnerability in how several applications implement OAuth puts users of major services like Grammarly, Vidio, and Bukalapak at risk of authentication token theft.
OAuth, a protocol dating back to 2006, enables secure, password-free login through social media platforms like Facebook, Twitter, and Google. This specific flaw is concerning given that the collective user base of the impacted vendors surpasses 100 million. However, it is reassuring that these vendors responded promptly to resolve the issue.
The crux of the problem lies in the lack of token validation. Applications that utilise OAuth for user authentication must verify that a received token was actually issued by the identity provider for that application, rather than for some other site. Failure to validate these tokens opens the door for cybercriminals to set up malicious websites, obtain Facebook or Google tokens through them, and then substitute those tokens to seize control of users' accounts on vulnerable platforms.
This threat is even more ominous when the targeted website has a solid reputation, as it becomes easier for attackers to ensnare multiple victims and engage in large-scale account hijacking. As proof of concept, researchers set up a mock website, acquired an OAuth token via Facebook, and switched it with a vulnerable application’s token, successfully commandeering the account.
Given the scale of the issue, the urgency for developers to implement token validation mechanisms for OAuth cannot be overstated. Without proper validation, countless applications remain exposed to large-scale account takeovers.
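The validation gap described above, as an added illustration that is not code from the researchers or from any of the affected vendors: a constructed token-introspection table stands in for the identity provider, and the two login functions show the pattern that trusts any recognised token beside a version that also checks that the token is valid, unexpired, and was issued to this application. `OUR_APP_ID`, the token strings, user ids and response fields are all hypothetical (the field names are only loosely modelled on what Facebook's `/debug_token` and Google's `tokeninfo` endpoints return).

```python
import time

# Hypothetical client id this application registered with the identity provider.
OUR_APP_ID = "123456"

# Constructed stand-in for the provider's token-introspection responses.
# None of these tokens, ids or users are real.
FAR_FUTURE = 4102444800  # 2100-01-01 UTC, so "live" tokens stay valid for the demo
CONSTRUCTED_INTROSPECTION = {
    # token issued to *our* app for user u-42: the only one we should accept
    "tok_legit": {"app_id": "123456", "user_id": "u-42", "is_valid": True, "expires_at": FAR_FUTURE},
    # token for the same user but issued to a different app (e.g. a third-party site)
    "tok_other_app": {"app_id": "999999", "user_id": "u-42", "is_valid": True, "expires_at": FAR_FUTURE},
    # token issued to our app but already expired
    "tok_expired": {"app_id": "123456", "user_id": "u-7", "is_valid": True, "expires_at": 0},
    # token the provider has marked invalid (revoked)
    "tok_revoked": {"app_id": "123456", "user_id": "u-7", "is_valid": False, "expires_at": FAR_FUTURE},
}


def introspect(token):
    """Stand-in for an HTTPS call to the provider's introspection endpoint.
    Returns the provider's view of the token, or None if it is unknown."""
    return CONSTRUCTED_INTROSPECTION.get(token)


def login_vulnerable(token):
    """The pattern behind the flaw: any token the provider recognises is
    trusted, and its user_id is mapped straight onto one of our accounts."""
    info = introspect(token)
    if info is None:
        return None
    return info["user_id"]


def login_hardened(token, now=None):
    """Accept a token only if the provider confirms it is valid, it has not
    expired, and it was issued to this application (the audience check)."""
    now = time.time() if now is None else now
    info = introspect(token)
    if info is None or not info.get("is_valid", False):
        return None
    if info.get("app_id") != OUR_APP_ID:
        return None  # issued for another app: never map it onto our accounts
    if info.get("expires_at", 0) <= now:
        return None
    return info["user_id"]


if __name__ == "__main__":
    # A token issued to another app is enough to log in as u-42 on the
    # vulnerable path, but is rejected on the hardened one.
    print("vulnerable:", login_vulnerable("tok_other_app"))
    print("hardened:  ", login_hardened("tok_other_app"))
    print("hardened (own app):", login_hardened("tok_legit"))
```

The decisive check is the comparison of `app_id` against the application's own id; the validity and expiry checks are the cheap extras a provider's introspection response makes available. In a real deployment the lookup in `introspect` is replaced by a server-side call to the provider, never by data the client supplies alongside the token.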
The ALPHV/BlackCat ransomware group announced that it successfully infiltrated the servers of LBA Hospitality, one of the largest hospitality management organisations in the U.S., and extracted approximately 200GB of sensitive data. Based in Alabama, LBA Hospitality manages close to a hundred hotels, affiliated with prominent brands such as Marriott, Hilton, Holiday Inn, and Best Western. Cyber security analysts confirmed that the group has listed LBA Hospitality on its data leak website.
The ransomware group issued a three-day ultimatum to LBA Hospitality for ransom payment, threatening to publicise the stolen data otherwise. The message from ALPHV/BlackCat tauntingly read, "You have 3 days to decide this pity mistake made by your IT department." The pilfered data allegedly contains employees' personal information, including social security numbers, driver's license IDs, financial reports, and more. Additionally, client data encompassing social security numbers, financial details, and credit card information has apparently been compromised.
The cybercriminal group had previously claimed responsibility for a significant breach on MGM Resorts International, affecting 31 of the company's properties and its mobile app. At the time of writing LBA Hospitality has remained tight-lipped about whether it plans to comply with the ransom demands or if the claims made by ALPHV/BlackCat are accurate.
The ISC2 2023 Cyber security Workforce Study has unveiled that the global cyber security skills gap has increased by 12.6% to four million.
In spite of the cyber security sector growing by 8.7% since last year, 92% of professionals highlighted skill shortages within their organisations. The shortfall is further exacerbated by economic uncertainties, leading 47% of surveyed firms to reduce cyber-related budgets, affecting staffing and training programmes.
The survey highlighted the rise of insider threats, with 52% reporting an increase in such incidents, linking it to the economic climate. Those in organisations that have experienced redundancies are three times more likely to encounter insider threats.
The study also identifies a significant knowledge gap when it comes to AI, with 47% admitting to having minimal understanding of the technology, even though AI is listed as one of the biggest forthcoming challenges for cyber security.
Russian hacking group UserSec claimed responsibility for taking down Manchester Airport's website on October 30. Despite the cyberattack, airport operations and flights remained unaffected, and no passenger disruptions were reported.
UserSec had announced that they were targeting UK airports in a series of attacks, naming Manchester as their initial focus. They claimed via a Telegram post that the website would remain down until 5:30 pm Manchester time (8:30 pm Moscow time). However, the site was restored by 4:15 pm UK time. Manchester Airport has not confirmed the origin of the attack, but the National Cyber Security Centre (NCSC) is investigating the incident.
Earlier this year, UserSec and another group called Anonymous Russia claimed responsibility for similar attacks on UK airports, including London City and Birmingham, whose websites were taken offline on July 19th.
The U.S. Securities and Exchange Commission (SEC) has charged SolarWinds and its Chief Information Security Officer (CISO), Timothy Brown, with fraud and internal control failures. The charges relate to allegedly misleading investors about the company's cyber security measures ahead of the Sunburst cyberattack in December 2020.
According to the SEC, SolarWinds and Brown overlooked numerous red flags and painted an overly rosy picture of the company's cyber health, in direct contrast to internal assessments. The complaint alleges that the company violated antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, as well as reporting and internal controls provisions. The SEC is seeking various penalties, including barring Brown from serving as an officer or director. In response, SolarWinds CEO Sudhakar Ramakrishna dismissed the charges as "misguided and improper."
This legal action could have significant ramifications for CISOs across the U.S. and the world, as the SEC and similar authorities increase their scrutiny on executive roles in cyber security.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Integrity360's flagship conference Security First comes to Stockholm in 2023!
Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.