Cybersecurity Trends October 2023: Threat Intelligence Report
Cybersecurity trends that marked October 2023
In our October 2023 report, we take a closer look at the cybersecurity trends that marked October 2023, including the Okta security breach, the DoNot APT group's new Android malware, and more.
Phishing and Malware trends and statistics
[Chart: newly registered domains; confirmed new phishing domains; new potential similar domains]
During the month of October, FYEO discovered a total of 2.75 million newly registered top-level domains, of which 14,911 were considered similar domains that are likely squatting domains (i.e. a domain name registered to resemble a well-known brand or organization, with the intention of using it for malicious purposes such as phishing attacks).
A further 3,639 of the newly registered domains were identified as actively serving fake websites and phishing-related content, and 5.1K were identified as serving malware-related files and content.
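The "similar domain" classification described above can be reproduced on a small scale with a look-alike check. The following Python is an added example and not FYEO's tooling; the brand list, the homoglyph table and the sample registrations are constructed, and the public-suffix split is deliberately naive (one-label suffixes only).

```python
import re
import unicodedata

# Constructed brand list and sample registrations for illustration; not FYEO data.
BRANDS = ["paypal", "okta", "lastpass", "microsoft"]
SAMPLE_REGISTRATIONS = ["paypa1-login.com", "okta-support.net", "lastpas.com",
                        "rnicrosoft.com", "exampleshop.org"]

# Digits and letter pairs commonly used to imitate other characters (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

def normalize(label):
    """Fold accents, case and common homoglyphs so look-alikes compare equal."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    label = label.translate(HOMOGLYPHS)
    for src, dst in PAIRS:
        label = label.replace(src, dst)
    return label

def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brands=BRANDS, max_distance=1):
    """Return (brand, reason) if the domain looks like a squat on a brand, else None."""
    label = domain.lower().split(".")[-2]  # naive: assumes a one-label public suffix
    norm = normalize(label)
    for brand in brands:
        if norm == brand:
            return (brand, "exact" if label == brand else "homoglyph")
        if brand in re.split(r"[-_]", norm) or norm.startswith(brand) or norm.endswith(brand):
            return (brand, "brand-embedded")
        if levenshtein(norm, brand) <= max_distance:
            return (brand, "typosquat")
    return None

def scan(domains):
    """Map each flagged domain to its (brand, reason); unflagged domains are omitted."""
    return {d: v for d in domains if (v := classify(d))}

if __name__ == "__main__":
    print(scan(SAMPLE_REGISTRATIONS))
```

Flagged registrations are only candidates; the phishing and malware counts in the report come from checking what the domains actually serve.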
Data leaks and credentials statistics
[Chart: reported leaked credentials; reported leak sources; FYEO indexed sources; FYEO indexed credentials]
October also saw 20 security incidents that resulted in the compromise of more than 16.9 million records. In the recent security incident involving Redcliffe Labs, cybersecurity expert Jeremiah Fowler brought to light a significant data breach: over 12 million patient records were exposed because the database had no password protection. The exposed data included medical diagnostic scans, test results, and potentially sensitive medical records, which underscores the urgent need for robust security measures and the safeguarding of sensitive medical information. The incident is a stark reminder of the ongoing cyber threats to healthcare providers and the critical importance of securing patient data.
During the month, FYEO indexed and gathered a total of 24.8 million leaked credentials from 15 sources, collected through open sources and public releases.
Regarding FYEO's collection statistics, it is worth noting that there is generally a large delay between a breach and the publication of the stolen data. The data collected by FYEO in a given month therefore most likely does not come from the sources reported as hacked during that month.
Okta Security Breach: Unauthorized Access to Source Code Raises Concerns
Okta, a company specializing in identity and authentication services, recently experienced a security breach that impacted a small number of its customers. The breach involved unauthorized access to Okta's support case management system and lasted for at least two weeks before being contained. During this time, the hackers had the ability to view sensitive files uploaded by customers in support cases, which could include cookies and session tokens, posing a risk of user impersonation.
When Okta discovered the breach, it revoked compromised session tokens and advised customers to sanitize credentials and tokens in their files before sharing them. Despite the breach, Okta assured that no unauthorized access occurred to its core services or customer data, and products related to Auth0, which Okta acquired in 2021, remained unaffected. The breach raised concerns about how hackers managed to access Okta's private repositories, but the company didn't disclose specific details.
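Okta's advice to sanitize credentials and tokens before sharing support files can be turned into a pre-upload step. The Python below is an added example, not Okta's or the report's code; it assumes the uploaded file is an HTTP Archive (HAR) capture in JSON, and the header list and sample capture are constructed.

```python
import json

# Header names whose values carry credentials or session material.
# Constructed list for illustration; not Okta's published guidance.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
REDACTED = "[REDACTED]"

def _scrub_headers(headers):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED

def _scrub_cookies(cookies):
    for c in cookies:
        c["value"] = REDACTED

def sanitize_har(har):
    """Return a deep copy of a HAR dict with tokens, cookies and bodies redacted."""
    out = json.loads(json.dumps(har))  # deep copy so the caller's original stays intact
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_headers(msg.get("headers", []))
            _scrub_cookies(msg.get("cookies", []))
        # Bodies often echo tokens (login responses, JSON with access tokens); drop them wholesale.
        for body in (entry.get("request", {}).get("postData"), entry.get("response", {}).get("content")):
            if body and "text" in body:
                body["text"] = REDACTED
    return out

def count_leftover_secrets(har, markers=("Bearer ", "session=")):
    """Cheap post-check: count token-looking markers anywhere in the serialized HAR."""
    text = json.dumps(har)
    return sum(text.count(m) for m in markers)

# Constructed sample capture (not a real HAR); every value is a placeholder.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.test/api/me",
                "headers": [{"name": "Authorization", "value": "Bearer tokenXYZ"},
                            {"name": "Cookie", "value": "session=abc123"}],
                "cookies": [{"name": "session", "value": "abc123"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "session=def456; HttpOnly"}],
                 "cookies": [{"name": "session", "value": "def456"}],
                 "content": {"mimeType": "application/json",
                             "text": "{\"access_token\": \"Bearer tokenXYZ\"}"}}}]}}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(count_leftover_secrets(SAMPLE_HAR), "->", count_leftover_secrets(clean))
```

The marker check is a coarse safety net; if a capture contains tokens that do not carry such prefixes, dropping the whole body is the safer default.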
BeyondTrust, a customer of Okta, detected the attack in its early stages and informed Okta, leading to the eventual containment of the incident. While the exact number of affected customers remains undisclosed, Okta emphasized that it only impacted a very small subset of its 18,000 customers. Okta's Deputy Chief Information Security Officer, Charlotte Wylie, suggested that this breach was likely carried out by a known threat actor who had previously targeted Okta and its customers.
In the wake of the breach, other companies such as 1Password and Cloudflare reported compromises of their Okta authentication platforms but asserted that customer information and systems remained unaffected. Given the scope of the breach, Okta has taken steps to notify impacted customers and provide indicators of compromise to help affected parties identify potential issues.
In summary, Okta experienced a security breach that affected a small number of its customers, allowing hackers to access and view sensitive support case files. The breach raised questions about Okta's security measures and the nature of the attackers. Despite this incident, Okta maintained the integrity of its core services, and other companies using Okta's authentication platforms reported no impact on customer data or systems. Efforts were made to inform affected customers and provide guidance on identifying potential compromises.
Unveiling DoNot APT Group's New Android Malware: Threat to Kashmir and Cybersecurity Best Practices
Cyble Research and Intelligence Labs (CRIL) has identified a new version of Android malware used by the DoNot APT group, which is a known Advanced Persistent Threat group active since 2016. This malware is now targeting individuals in the Kashmir region of India. The DoNot APT group uses malicious Android apps that pose as legitimate apps to collect sensitive data and infiltrate devices.
The updated Android malware includes features like recording VoIP calls, collecting messages from messaging and social media apps, screen recording, capturing photos, and screenshots. It employs a command and control system with Firebase Cloud Messaging (FCM) and other servers to maintain communication and stores stolen data in an SQLite database.
Cyble Research identified two malicious files named "NapChat App 1.0.apk" and "Quran pro.apk" associated with the DoNot APT group, both of which were uploaded from India. These files share the same source code as a previously discovered malicious app, but with new functionalities added.
The latest version of the malware has expanded its target list to include additional messaging and social media applications, making it more dangerous. The malware also records VoIP calls, captures clipboard contents, downloads payloads during runtime, and gathers various types of data.
The DoNot APT group weaponizes seemingly innocent apps to collect sensitive data, including VoIP call recordings and messaging app conversations. Their evolving capabilities highlight the ongoing threat they pose, particularly in the sensitive Kashmir region of India.
To protect against such advanced adversaries, it's crucial to follow essential cybersecurity best practices, such as downloading apps only from official stores, using reputable antivirus software, employing strong passwords and multi-factor authentication, being cautious with links from SMS or emails, enabling Google Play Protect, and keeping devices and software up to date. These practices help safeguard against sophisticated cyber threats like the DoNot APT group.
Security Breach Exposes Cryptocurrency Theft: LastPass Users Urged to Protect Assets
In recent years, there has been a concerning trend of crypto thefts linked to security breaches. Since 2022, it has been estimated that over $35 million in cryptocurrency has been stolen from victims due to the LastPass breach, and a new hack in October has added to the growing toll. The breach initially affected at least 25 individuals, resulting in the loss of approximately $4.4 million from around 80 wallets. Most of these victims were long-time users of the LastPass password storage software and had stored their crypto wallet keys or seeds in it.
The latest breach occurred on October 25, 2023, leading to the theft of an additional $4.4 million from over 25 victims. Pseudonymous on-chain researcher ZachXBT, along with MetaMask developer Taylor Monahan, tracked the compromised wallets' fund movements. It is crucial to emphasize that if you have ever stored your cryptocurrency seed phrase or private keys in LastPass, immediate action is required to secure your assets.
In December 2022, LastPass disclosed that an attacker had exploited information stolen in an earlier breach to target an employee, gaining access to their credentials and decrypting stored customer information. The attacker also obtained a backup of encrypted customer vault data, which, if the account's master password is guessed through brute force, could potentially be decrypted. This led to the theft of over $35 million worth of cryptocurrency from around 150 victims, as reported by cybersecurity journalist Brian Krebs in a September blog post.
In January, a class-action lawsuit was filed against LastPass by individuals who claimed that the August 2022 breach resulted in the theft of approximately $53,000 worth of Bitcoin. As a precaution, ZachXBT has strongly recommended that anyone who has ever stored their wallet seed or private key in LastPass should promptly transfer their cryptocurrency assets to a more secure location.