All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-62cx-5xj4-wfm4: ggit is vulnerable to Command Injection via the fetchTags(branch) API

The vast majority of organizations in the region saw more attacks in the past year, but most don't feel prepared for future incidents.

Source: Viacheslav Lopatin via Shutterstock

Organizations in Saudi Arabia, the United Arab Emirates, and Turkey suffered more than 10 attacks in the past year on average — and the vast majority of business and IT professionals expect the coming year to be worse — driving efforts by cybersecurity experts in those countries to simplify and modernize their cyber defenses and IT infrastructure.

Overall, less than half of organizations (46%) feel well-prepared to defend against future cyberattacks, according to a survey of nearly 1,000 security professionals in those three regions published by Internet-services provider Cloudflare. With geopolitical conflict on the rise and cybercriminals increasingly focused on the Middle East region and Turkey, Bashar Bashaireh, regional vice president at Cloudflare, said in a statement.

"Organizations across the Middle East and Türkiye are managing an increasingly complex cybersecurity landscape," he said. "With incidents on the rise in both volume and frequency, this balancing act becomes even more challenging, leaving leaders with a sense of diminishing control over their organizations’ technological and security frameworks."

Cyberattacks have become commonplace in the region, but each nation's threat profile is slightly different. While the vast majority of companies in the UAE, for example, have suffered cyberattacks in the past two years, approximately a quarter of those incidents were caused by insiders. Both Saudi Arabia and the UAE have seen an increase in attacks over the past year, with DDoS attacks alone leveled by hacktivists jumping 70%. And in another wrinkle, a group of cybercriminals recently targeted Turkish users with Android malware aimed at stealing accounts.

The three countries have all embarked on major investments in modernization, pursuing major initiatives such as Abu Dhabi's Economic Vision 2030 and Saudi Arabia's Vision 2030, but the countries also need to strengthen their cybersecurity efforts to protect their investments, Chris Murphy, managing director at FTI Consulting, said in a November 2023 analysis of Middle East firms' cyber-readiness.

"Threat actors will not pause their activities while these strategic plans unfold, and without the necessary security and preparedness measures in place, cyber risks will threaten the vitality of key sectors and the overall economic growth of the region," he said.

**Simplifying & Modernizing Cyber Defense**

The majority of organizations in the Middle East and Turkey plan to increase cybersecurity's share of their IT budgets. The top priority for businesses across the region is to consolidate and simplify their cybersecurity infrastructure, with half of all organizations ranking the effort as a Top 3 initiative, followed by almost half (47%) prioritizing the modernization of their applications, according to Cloudflare's report.

"Despite their plans, many feel they are still not ready for what lies ahead, and there is a 'confidence gap' in key areas for a large number of respondents," Cloudflare stated.

Those include the security of applications and data in the public cloud, a lack of oversight into their supply chain, and a lack of visibility and control over the devices that access their networks, Cloudflare stated in its report.

The good news is that some nations have made strong progress in securing their systems, to the point that the Kingdom of Saudi Arabia is ranked second, after the United States, in the International Telecommunication Union's Global Cybersecurity Index.

**Most Pessimistic Industries: Media, Telecom & Gaming**

According to Cloudflare, cyberattackers in the past year targeted financial services, IT firms, and companies providing business and professional services most often, and were more likely to target larger organizations. Yet, the sectors most worried about future cyberattacks are the media and telecom sector, and the gaming sector, with 97% and 92% of respondents, respectively, predicting a cybersecurity incident in the next 12 months.

Perhaps unsurprisingly, the telecom and media sectors are among the least staffed as well, with 39% of information-security roles remaining unfilled, according to a recent report by cybersecurity firm Kaspersky.

"The growth rate of the domestic IT market in some developing regions is changing so rapidly, the labor market cannot manage to educate and train the appropriate specialists with the necessary skills and expertise in such tight deadlines," Vladimir Dashchenko, a security evangelist with Kaspersky's ICS CERT, said in a statement.

Companies in each region have struggled to meet government-backed cybersecurity frameworks, with 62% of companies in Turkey meeting the requirements of the EU cybersecurity framework, 69% of Saudi firms meeting the Saudi Arabian Monetary Authority (SAMA) framework, and many UAE organizations falling short in complying with the National Electronic Security Authority (NESA) framework.

Yet, despite that, executives' commitment to cybersecurity remains lukewarm, Cloudflare stated in the report

"Interestingly, despite the increasing volume of attacks, many cite a lack of buy-in from leadership as a key challenge," the firm stated. "Perhaps this is a case of cybersecurity fatigue, but whatever the cause, senior leaders cannot afford to ignore the challenges facing their organizations."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Mideast, Turkey Cyber Threats Spike, Prompting Defense Changes

Ukraine has claimed responsibility for a cyber attack that targeted Russia state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters.
The incident took place on the night of October 7, VGTRK confirmed, describing it as an "unprecedented hacker attack." However, it said "no significant damage" was caused and that everything was working normally

Ukraine has claimed responsibility for a cyber attack that targeted Russia state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters.

The incident took place on the night of October 7, VGTRK confirmed, describing it as an "unprecedented hacker attack." However, it said "no significant damage" was caused and that everything was working normally despite attempts to interrupt radio and TV broadcasts.

That said, Russian media outlet Gazeta.ru reported that the hackers wiped "everything" from the company's servers, including backups, citing an anonymous source.

A source told Reuters that "Ukrainian hackers 'congratulated' Putin on his birthday by carrying out a large-scale attack on the all-Russian state television and radio broadcasting company."

The attack is believed to be the work of a pro-Ukrainian hacker group called Sudo rm-RF. The Russian government has since said an investigation into the attack is ongoing and that it "aligns with the anti-Russian agenda of the West."

The development comes amid continued cyber attacks targeting both Russia and Ukraine against the backdrop of the Russo-Ukrainian war that commenced in February 2022.

Ukraine's State Service of Special Communications and Information Protection (SSSCIP), in a report published late last month, said it has observed an increase in the number of cyber attacks targeting security, defense, and energy sectors, with 1,739 incidents registered in the first half of 2024 reaching, up 19% from 1,463 in the previous half.

Forty-eight of those attacks have been deemed either critical or high in severity level. Over 1,600 incidents have been classified as medium and 21 have been tagged as low in severity. The number of critical severity incidents witnessed a drop from 31 in H2 2023 to 3 in H1 2024.

Over the past two years, adversaries have pivoted from staging destructive attacks to securing covert footholds to extract sensitive information, the agency said.

"In 2024, we observe a pivot in their focus towards anything directly connected to the theater of war and attacks on service provider — aimed at maintaining a low profile, sustaining a presence in systems related to war and politics," Yevheniya Nakonechna, head of State Cyber Protection Centre of the SSSCIP, said.

"Hackers are no longer just exploiting vulnerabilities wherever they can but are now targeting areas critical to the success and support of their military operations."

The attacks have been primarily attributed to eight different activity clusters, one of which includes a China-linked cyber espionage actor tracked as UAC-0027 that was observed deploying a malware strain called DirtyMoe to conduct cryptojacking and DDoS attacks.

SSSCIP has also highlighted intrusion campaigns staged by a Russian state-sponsored hacking group dubbed UAC-0184, pointing out its track record of initiating communications with prospective targets using messaging apps like Signal with the goal of distributing malware.

Another threat actor that has remained laser-focused on Ukraine is Gamaredon, a Russian hacking crew that's also known as Aqua Blizzard (previously Actinium), Armageddon, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder.

"The intensity of the physical conflict has noticeably increased since 2022, but it's worth noting that the level of activity from Gamaredon has remained consistent – the group has been methodically deploying its malicious tools against its targets since well before the invasion began," Slovak cybersecurity firm ESET said in an analysis.

Notable among the malware families is an information stealer called PteroBleed, which also relies on an arsenal of downloaders, droppers, weaponizers, backdoors, and other ad hoc programs to facilitate payload delivery, data exfiltration, remote access, and propagation via connected USB drives.

"Gamaredon has also demonstrated resourcefulness by employing various techniques to evade network-based detections, leveraging third-party services such as Telegram, Cloudflare, and ngrok," security researcher Zoltán Rusnák said. "Despite the relative simplicity of its tools, Gamaredon's aggressive approach and persistence make it a significant threat."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pro-Ukrainian Hackers Strike Russian State TV on Putin's Birthday

Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a user-after-free bug in the Digital Signal Processor (DSP) Service that could lead to "memory corruption

Mobile Security / Privacy

Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild.

The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a user-after-free bug in the Digital Signal Processor (DSP) Service that could lead to "memory corruption while maintaining memory maps of HLOS memory."

Qualcomm credited Google Project Zero researcher Seth Jenkins-Google Project Zero and Conghui Wang for reporting the flaw, and Amnesty International Security Lab for confirming in-the-wild activity.

"There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation," the chipmaker said in an advisory.

"Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible."

The full scope of the attacks and their impact is presently unknown, although it's possible that it may have been weaponized as part of spyware attacks targeting civil society members.

October's patch also addresses a critical flaw in the WLAN Resource Manager (CVE-2024-33066, CVSS score: 9.8) that's caused by an improper input validation and could result in memory corruption.

The development comes as Google released its own monthly Android security bulletin with fixes for 28 vulnerabilities, which also comprise issues identified in components from Imagination Technologies, MediaTek, and Qualcomm.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits

American Water faces a cyberattack, disrupting its customer portal and billing operations. The company assures that water services…

American Water faces a cyberattack, disrupting its customer portal and billing operations. The company assures that water services remain unaffected while cybersecurity experts manage the incident.

American Water has become the latest target of a cyberattack affecting its computer networks and systems, which the company has described as a “cybersecurity incident.”

For your information, American Water is the largest publicly traded water and wastewater utility company in the United States, providing services to millions of customers, and it is based in Camden, New Jersey.

The issue was first detected on October 3, 2024, initiating immediate action by the company to protect customer data and its online and physical infrastructure. American Water has also temporarily taken its customer portal, MyWater, offline, putting a halt to billing operations until further notice.

Although the nature of the cyberattack—whether a data breach or ransomware attack—remains unknown, American Water’s **security advisory** states that the company has mobilized a team of cybersecurity professionals and internal experts who are working around the clock to manage the situation.

Customers have been reassured that water and wastewater services remain unaffected by the cybersecurity incident. The company confirms that the safety and quality of the water supply continue to meet all standards, with no disruptions anticipated.

To further address billing and service interruption concerns, American Water has announced that there will be no late fees or service shutoffs while the MyWater portal remains offline. Similarly, the company’s call center is operating with limited functionality, focusing on providing support and information to customers during this time.

The latest news comes just a day after The Wall Street Journal **revealed** that the Chinese government-backed Salt Typhoon APT group hacked AT&T, Verizon, and Lumen Technologies, compromising wiretap systems used in criminal investigations.

**Tim Erlin**, a Security Strategist at Wallarm, weighed in on the situation, highlighting the broader implications for critical infrastructure. “Critical infrastructure isn’t immune from digital transformation, including reliance on APIs and applications,” Erlin noted. He referenced past incidents, such as the 2021 breach in Oldsmar, Florida, and a recent event in Kansas, emphasizing the ongoing challenges in securing water treatment facilities against cyber threats.

Erlin’s insights also align with **recent findings** from the cybersecurity firm Censys, which indicate that thousands of Industrial Control Systems (ICS) in the United States and the United Kingdom are vulnerable to cyberattacks, putting critical infrastructure such as water systems at risk.

1.  **DoJ charges man for hacking, tempering with public water facility**
2.  **Cyberattack Defaces Israeli-Made Equipment at US Water Agency**
3.  **Technician Indicted for Hacking California Water Treatment Facility**
4.  **CISA – Ransomware targeted SCADA systems of 3 US water facilities**
5.  **Dutch Man Deployed Stuxnet via Water Pump to Disable Iran’s Nukes**

Cyberattack on American Water Shuts Down Customer Portal, Halts Billing

The BMS/BAS controller suffers from an arbitrary file deletion vulnerability. Input passed to the 'file' parameter in calendarFileDelete.php is not properly sanitised before being used to delete calendar files. This can be exploited by an unauthenticated attacker to delete files with the permissions of the web server using directory traversal sequences passed within the affected POST parameter.

ABB Cylon Aspect 3.08.01 (calendarFileDelete.php) Arbitrary File Deletion

Among those affected by all this monkeying around with DDoS in September were some 4,000 organizations in the US.

Source: Moviestore Collection Ltd via Alamy Stock Photo

Distributed denial-of-service (DDoS) attacks involving a new Mirai variant called GorillaBot surged sharply last month, launching 300,000 attacks, affecting some 20,000 organizations worldwide — including nearly 4,000 in the US alone.

In 41% of the attacks, the threat actor attempted to overwhelm the target network with a flood of User Datagram Protocol (UDP) packets, which are basically lightweight, connection-less units of data often associated with gaming, video streaming, and other apps. Nearly a quarter of the GorillaBot attacks were TCP ACK Bypass flood attacks, where the adversary's goal was to flood the target — often just one port — with a large number of spoofed TCP Acknowledgement (ACK) packets.

**GorillaBot, the Latest Mirai Variant**

"This Trojan is modified from the Mirai family, supporting architectures like ARM, MIPS, x86\_64, and x86," researchers at NSFocus said in report last week, after observing the threat actor behind GorillaBot launch its massive wave of attacks, between Sept. 4 and Sept. 27. "The online package and command parsing module reuse Mirai source code, but leave a signature message stating, 'gorilla botnet is on the device ur not a cat go away \[sic\],' hence we named this family GorillaBot."

NSFocus said it observed the botnet controller leverage five built-in command-and-control servers (C2s) in GorillaBot to issue a steady cadence of attack commands throughout each day. At its peak, the attack commands hit 20,000 in a single day. In all, the attacks targeted organizations in 113 countries with China being the hardest hit, followed by the US, Canada, and Germany, in that order.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

Though GorillaBot is based on Mirai code, it packs considerably more DDoS attack methods — 19 in all. The available attack methods in GorillaBot include DDoS floods via UDP packets and TCP Syn and ACK packets. Such multivector attacks can be challenging for target organizations to address, because each vector often requires a different mitigation approach.

For example, mitigating volumetric attacks such as UDP floods often involve rate limiting or restricting the number of UDP packets from a single source, blocking UDP traffic to unused ports, and distributing attack traffic across multiple servers to blunt the impact. SynAck flood mitigation on the other hand is about using stateful firewalls, SYN cookies, and intrusion-detection systems to track TCP connections and ensure that only valid ACK packets are processed.

**Bad Bots Rising**

Traffic related to so-called bad bots like GorillaBot has been steadily increasing over the past few years, and currently represents a significant proportion of all traffic on the Internet. Researchers at Imperva recently analyzed some 6 trillion blocked bad bot requests from its global network in 2023, and concluded that traffic from such bots currently accounts for 32% of all online traffic — a nearly 2% increase from the prior year. In 2013, when Imperva did a similar analysis, the vendor estimated bad bot traffic at 23.6% and human traffic as accounting for 57% of all traffic.

Related:Criminals Are Testing Their Ransomware Campaigns in Africa

Imperva's 2024 "Bad Bot Report" is focused entirely on the use of bad bots at the application layer and not specifically on volumetric DDoS attack on low-level network protocols. But 12.4% of the bad bot attacks that the company helped customers mitigate in 2023 were DDoS attacks. The security vendor found that DoS attacks in general were the biggest — or among the biggest — use cases for bad bots in some industries, such as gaming, and the telecom and ISP sector in healthcare and retail. Imperva found that threat actors often tend to use bad bots for DDoS attacks where any kind of system downtime or disruption can have significant impact on an organization's operations.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

GorillaBot Goes Ape With 300K Cyberattacks Worldwide

The Chinese state-sponsored cyberattack threat managed to infiltrate the "lawful intercept" network connections that police use in criminal investigations.

Source: Miro Novak via Alamy Stock Photo

The Chinese state-sponsored advanced persistent threat (APT) known as Salt Typhoon appears to have accessed major US broadband provider networks by hacking into the systems that law-enforcement agencies use for court-authorized wiretapping.

According to unnamed sources speaking to the Wall Street Journal, the affected providers include major national players like AT&T and Verizon Communications, along with enterprise-specific service providers like Lumen Technologies.

In addition to the wiretapping connections, the sources said Salt Typhoon also had access to more general Internet traffic flowing through the provider networks, and that the cyberattackers went after a handful of targets outside the US as well. The APT could have had access for months, they added.

"The widespread compromise is considered a potentially catastrophic security breach and was carried out by a sophisticated Chinese hacking group dubbed Salt Typhoon," sources told the WSJ. "It appeared to be geared toward intelligence collection."

Neither AT&T, Lumen, or Verizon immediately responded to a request for comment from Dark Reading.

**Lawful Intercept Connections in China's Hacking Sights**

The news comes about a week after Salt Typhoon was outed as hacking into major telecom networks for cyber-espionage purposes, and possibly to position itself to disrupt communications in the event of a kinetic conflict between China and the US. But the subversion of the connections that law enforcement entities have to service provider networks (which they can use to intercept communications of private individuals or organizations during criminal investigations or for purposes of national security) is a new wrinkle.

No information is available on how the attackers might have gotten access to the lawful intercept infrastructure, but Ram Elboim, CEO of Sygnia, which tracks the APT as "GhostEmperor," notes that clearly Salt Typhoon performed extensive reconnaissance.

"Reaching and compromising these sensitive assets requires not only familiarity with the network structure, but also advanced capabilities to be able to move laterally across separated sub-networks," he tells Dark Reading. "One assumes that these assets are far separated from the ISP corporate and operational network, and also connected to law enforcements’ networks in order for authorities to be able to operate and stream the gathered data in a very secure method."

This breach demonstrates the need for critical infrastructure organizations to not only design their network structure securely with strict segregation strategies, but to "continuously update and test the resilience of their operational networks and sensitive assets as part of a robust incident response playbook," he adds.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

Okta fixed a vulnerability in its Classic product that allowed attackers to bypass sign-on policies. Exploitation required valid…

Okta fixed a vulnerability in its Classic product that allowed attackers to bypass sign-on policies. Exploitation required valid credentials and the use of an “unknown” device. Affected users should review system logs.

Okta, a leading identity and access management provider, recently announced patching a critical security vulnerability affecting its Classic product. The flaw, which could allow attackers to bypass application-specific sign-on policies, originated in a July 17, 2024 update and remained exploitable until the issue was patched on October 4, 2024.

The vulnerability, now addressed in Okta’s production environment, could have allowed unauthorized access to applications by bypassing key security controls, including device-type restrictions, network zones, and certain authentication requirements.

However, **Okta** confirmed that the vulnerability only affected organizations using Okta Classic, and exploitation was contingent on a combination of factors, limiting the scope of the vulnerable systems.

****What Happened?****

Okta identified the vulnerability on September 27, 2024, and after an internal investigation, determined that it had originated from a software update rolled out on July 17, 2024. The issue was specific to Okta Classic and impacted organizations that had configured application-specific sign-on policies, especially those that relied on device-type restrictions or additional conditions outside the platform’s Global Session Policy.

According to Okta’s security advisory, an attacker would need to meet several conditions to carry out a successful attack. First, the attacker needed access to valid credentials—either through phishing, credential stuffing, or brute-force attacks. Second, the organization had to be using application-specific sign-on policies.

Lastly, the attacker had to be using a device or script that Okta evaluated as an “unknown” user-agent type, which might evade detection by standard device-type restrictions. Once these conditions were met, the attacker might have bypassed sign-on policies that typically require additional layers of authentication or device verification.

Okta has provided specific search recommendations that administrators can use to identify potential exploit attempts in their logs. This includes looking for unexpected successful authentication events where the device type was flagged as “unknown.” Okta also advised customers to search for unsuccessful authentication attempts, which could indicate credential-based attacks preceding a successful login.

Additionally, organizations were encouraged to monitor for deviations in user behaviour, such as unfamiliar IP addresses, geolocations, or access times that could signal unauthorized activity.

**Piyush Pandey**, CEO of identity and access security provider Pathlock, provided insight into the broader implications of such vulnerabilities. Speaking with HackRead.com, Pandey emphasized the importance of rigorous access risk analysis and compliant provisioning of users.

“Automated password management alone is insufficient to secure unauthorized regulated application access risk,” Pandey said. “By focusing on stringent access risk analysis and the compliant provisioning of users, including rigorous management of third-party identities and access, organizations can significantly bolster their security posture, safeguard sensitive data, and ensure compliance with regulatory requirements. This proactive approach protects customer data and trust and enhances overall resilience.

Pandey’s comments highlight the need for organizations to go beyond basic password management and embrace a more comprehensive approach to identity security, especially given the increasing sophistication of cyberattacks.

Organizations affected by this vulnerability are encouraged to follow **Okta’s detailed guidance** to ensure no unauthorized access occurs during the timeframe in question and to adopt stronger access management practices moving forward.

1.  **Okta Breach Linked to Employee’s Google Account**
2.  **Dropbox Abused in Phishing Scam to Steal SaaS Logins**
3.  **Live Nation Confirms Massive Ticketmaster Data Breach**
4.  **LAPSUS$ Hackers Leak Trove of Data, Breach Microsoft, Okta**
5.  **Customer Used Flawed 3rd-Party Tool, Exposed Twilio Call Records**

Okta Fixes Critical Vulnerability Allowing Sign-On Policy Bypass

A data breach at a US debt collection agency has led to the loss of data of some Comcast and Truist Bank customers.

A data breach at Financial Business and Consumer Solutions (FBCS), a US debt collection agency, has led to the loss of data of some Comcast Cable Communications and Truist Bank customers.

FBCS is in the business of collecting unpaid debts on behalf of its customers. The data breach occurred in February 2024 and the cybercriminals responsible for the incident gained access to:

*   Full names
*   Social Security Numbers (SSNs)
*   Date of birth
*   Account information and other provider information
*   ID card and/or driver’s license
*   Other state identification number
*   Medical claims information
*   Clinical information (including diagnosis/conditions, medications, and other treatment information), and/or health insurance information.

FBCS discovered the unauthorized access to certain systems in its network on February 26, 2024.

The latest count of impacted people, established in July, increased the number of people in the US impacted by the data breach from the original 1.9 million to 4.2 million people.

As part of the ongoing investigation, FBCS recently informed additional customers that the breach had impacted them and their clients. Among those customers are Comcast and Truist Bank.

Comcast commented that FBCS originally reassured the company that the breach involved none of Comcast’s customer data. However, that subsequently had to be revoked. According to a notice submitted to the Maine authorities, 273,703 Comcast customers were impacted by the breach.

Apparently, due to FBCS’s worsening financial position, which could be a direct result of the breach, entities indirectly impacted by the incident will have to undertake the notification and remediation processes themselves. Comcast is offering customers impacted by the FBCS breach 12 months of free-of-charge identity theft protection services.

Unfortunately, it’s not the first or even the worst time Comcast customers have been affected by a data breach.

In January 2023, data belonging to 7,358,464 Comcast customers was leaked on a hacking forum. The data contained names, usernames and additional personal information.

And in November 2015, a cybercriminal offered to sell listed 590,000 Comcast user account information for $1,000 on the Dark Web. At the time Comcast insisted that there was no breach and that only 200,000 of the leaked were active customers, and it was unclear if the data leak was indeed a security breach or a result of years of phishing.

Truist customers have also been impacted before. In October 2023, data reported to belong to Truist Bank, was stolen during a cyberincident. The stolen data included email addresses, phone numbers, birth dates, bank information, full names, company names, physical addresses, credit card information, and more. Like the Comcast breach, this data was publicly shared on the internet.

**Scan for your exposed personal data**

It’s always extra painful when a company you have done no direct business with has leaked your personal data. Sadly these days you can’t know who has your data, but you can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Latest News