Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: A 2024 Resolution
Our last tip of 2023 involves looking ahead to 2024. Consider making cybersecurity awareness your business’s new year’s resolution in January. Encourage every team member to become a cybersecurity champion by staying informed about potential threats and practicing safe online habits. Offer regular training sessions and simulations to keep everyone sharp. Everyone needs to do their part to keep your organization – and themselves cyber safe.
All the best for the holidays from all of us at ISA Cybersecurity!
Security incident at MongoDB
On December 16, open-source database developers MongoDB disclosed a “security incident involving unauthorized access to certain MongoDB corporate systems, which includes exposure of customer account metadata and contact information.”
According to the alert post, while the incident was first detected on December 13, indications are that that the company believes “that this unauthorized access has been going on for some period of time before discovery.” MongoDB recommends “that customers be vigilant for social engineering and phishing attacks, activate phishing-resistant multi-factor authentication (MFA), and regularly rotate their MongoDB Atlas passwords.”
The incident generated significant concern among users of the popular database system – so much so that the company’s support system crashed due to an onslaught of user logins and enquiries. Service has now been restored.
In their December 17 update, the company advised that their software and cloud databases (i.e., MongoDB Atlas clusters) were not compromised in the incident, and that only corporate systems were involved. “We are aware of unauthorized access to some corporate systems that contain customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer.”
As the investigation continues, MongoDB has committed to providing regular updates.
Microsoft details abuse campaigns targeting OAuth applications
In a December 12 blog post, Microsoft Threat Intelligence researchers describe how financially-motivated threat actors are misusing OAuth applications as an automation tool for authentication.
“Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account,” according to the post.
“Threat actors launched phishing or password spraying attacks to compromise user accounts that did not have strong authentication mechanisms and had permissions to create or modify OAuth applications. The threat actors misused the OAuth applications with high privilege permissions to deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.”
The blog presents several examples of how threat actors are leveraging OAuth applications, and present a list of mitigation strategies to help reduce the risk of being compromised:
- secure the identity infrastructure, particularly through the implementation of multi-factor authentication and other measures and security practices that strengthen account credentials;
- enable conditional access policies for user sign-in, device compliance and trusted IP address requirements;
- elements of a zero-trust architecture like continuous access evaluation;
- implementing all available security features; and
- adopting a least privilege approach for access control
A companion piece in Microsoft’s tech community forum provides additional details and mitigation strategies.
Cyber attack at Newsquest
A December 13 cyber attack at Newsquest, one of the United Kingdom’s largest regional media groups, has disrupted operations at its local news outlets, causing intermittent website outages and leaving journalists unable to file stories.
One of Newsquest’s properties, Daily Echo, published a report on the incident, pointing to a distributed denial of service attack (DDoS) being behind the disruptions.
“This website has suffered some intermittent disruption which may have affected your reader experience, as well as your access to our associated digital edition and app,” explained the article, suggesting that further disruptions may be ahead as they work to block the attacks. The article assured readers “no reader or subscriber data has been accessed or compromised” and that the media group’s infrastructure was undamaged. No indication was provided about the nature or motivation of the attackers.