Ethan Grammer
Guillermo Sánchez / October 28, 2024 / 3 minutes of readingAdvisories, Vulnerabilities & Alerts
Google Account Takeover Scam
Description:
There has recently been a new Google account takeover scam that has become prevalent around the United States. In this AI-generated scam, the threat actors are spoofing phone numbers to appear to be coming from Google support in Mountain View, CA, and are attempting to get users to provide information that would enable the threat actor to gain unauthorized access into the user’s Google account.
Recommended Actions:
- Never share your password or verification codes with anyone.
- Be cautious of unsolicited calls or messages, even if they appear to be from a trusted source.
- Never share identifying information with unknown parties; this includes email addresses or usernames.
- Verify the identity of anyone asking for personal information.
- Enabled two-factor authentication for added security on your Gmail Accounts.
Take Action Now: Ensure that your organization is on the lookout for this ongoing scam, and that all employees and contractors are careful with their personal or business account credentials.
External Links:
Okta Classic Application Sign-On Policy Bypass
Description: On September 27, 2024, a vulnerability was identified in specific Okta configurations whereby an attacker with valid credentials could bypass configured conditions within application-specific sign-on policies. These conditions could include use of network zones, device-type restrictions or authentication requirements set outside of the Global Session Policy. After investigation, we determined that this vulnerability was introduced as part of a release that occurred on July 17th, 2024.
Recommended Actions:
Customers who were on Okta Classic as of July 17, 2024, and who meet the above conditions are advised to review the Okta System Log for unexpected authentications from user-agents evaluated by Okta as “unknown” between July 17, 2024 and October 4, 2024 using the following query: outcome.result eq “SUCCESS” and (client.device eq “Unknown” OR client.device eq “unknown”) and eventType eq “user.authentication.sso”
Take Action Now:
- Search for activity prior to July 17, 2024. If a user authenticated to the same application with the same “unknown” user-agent, this suggests that the more recent event was authorized.
- Search for unsuccessful authentication attempts that may indicate a credential-based attack (such as credential stuffing or password spray events) immediately prior to a successful authentication event for the user, this suggests that the more recent event was not authorized.
- Search for activity that deviates from previous user behavior such as unusual geolocations, IPs, time of access, or ASNs.
- Pay particular attention to applications with default policy rules that are not customer configurable including Microsoft Office 365 and Radius.
External Links:
Cisco Event Response: September 2024 Semiannual Cisco IOS and IOS XE Software
Description: The September 25, 2024, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication includes 11 Cisco Security Advisories that describe 11 vulnerabilities in Cisco IOS Software and Cisco IOS XE Software.
Recommended Actions:
- Cisco has released software updates that address these vulnerabilities.
Take Action Now: Review the Security Advisory Table to check if any vulnerability affects your environment and patch accordingly.
External Links: