Tag

Incident Response

All articles tagged with #incident response

Amazon says AWS outage was user error, not AI-driven
technology | 13 days ago

Amazon disputes the Financial Times’ claim that an AI bot caused an AWS outage. The company says the December disruption was due to a misconfigured access role and affected only Cost Explorer in one region, with no impact on core services like compute or AI. No customer inquiries were reported, and AWS added safeguards and follows its Correction of Error process to prevent recurrence.

CISA Shares Key Lessons from Incident Response
cybersecurity | 5 months ago

CISA released a cybersecurity advisory sharing lessons learned from responding to a breach at a U.S. federal agency, highlighting the importance of prompt patching, effective incident response planning, and log management. The attack involved exploitation of CVE-2024-36401 in GeoServer, with threat actors gaining initial access, establishing persistence, and moving laterally within the network over three weeks before detection. CISA emphasizes immediate patching of known vulnerabilities, testing incident response plans, and implementing comprehensive logging to improve security posture and prevent similar incidents.

Major Cloud Outages Disrupt Services: What Businesses Need to Know
technology | 8 months ago

Google Cloud experienced a major outage caused by a code change in its Service Control system that lacked proper error handling and feature flag protection, leading to a three-hour service disruption. The incident was triggered by a failed rollout of new quota policy checks, which caused crashes and infrastructure overloads. Google has committed to improving its operational procedures and communication to prevent similar incidents in the future.

Okta Breach Fallout: 1Password Uncovers Admin User List Attack
cybersecurity | 2 years ago

1Password confirms that it was targeted by cyber criminals following a breach of Okta's systems. The attack was detected when an email arrived indicating that a report of all 1Password admins had been ordered, which was not authorized. The investigation found that the attacker accessed 1Password's Okta instance with admin privileges but did not exfiltrate data or access other systems. The attacker attempted to lie low and gather intelligence for a potential future attack. 1Password has taken measures to secure its systems and protect user data. This incident is part of a larger campaign targeting high-profile customers of Okta, including BeyondTrust and Cloudflare.

Barracuda Urges Immediate Replacement of Vulnerable Email Security Appliances
cybersecurity | 2 years ago

Barracuda Networks urged its Email Security Gateway (ESG) customers to replace affected appliances instead of patching them after discovering a zero-day vulnerability that gave attackers persistent backdoor access to the devices. The company said malware was identified on a subset of appliances, and evidence of data exfiltration was identified on some systems. Experts suggest that the malware was able to corrupt the underlying firmware that powers the ESG devices in some irreparable way, indicating a state actor. Barracuda advises customers to rotate any credentials connected to the appliance(s) and check for signs of compromise dating back to at least October 2022.

Western Digital Suffers Network Breach and Service Disruption
cybersecurity | 2 years ago

Western Digital has disclosed a network security breach that occurred on March 26, 2023, which allowed an unauthorized third party to gain access to some of the company's systems. The company has taken several services offline and is working with cybersecurity and forensic experts to investigate the incident. It is also coordinating with law enforcement agencies and has not yet determined the nature and scope of the data accessed.

"CISA Launches Free Tool to Detect Hacking in Microsoft Cloud Services"
cybersecurity | 2 years ago

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has released an open-source incident response tool called 'Untitled Goose Tool' that helps detect signs of malicious activity in Microsoft cloud environments. The Python-based utility can dump telemetry information from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments. With the help of CISA's cross-platform Microsoft cloud interrogation and analysis tool, security experts and network admins can export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT alerts, and Microsoft Defender for Endpoint data for suspicious activity.