Enlarge / Cybercriminals or anonymous hackers use malware on mobile phones to hack personal and business passwords online. (credit: Getty Images)

Hackers suspected of working for the Chinese government are mass exploiting a pair of critical vulnerabilities that give them complete control of virtual private network appliances sold by Ivanti, researchers said.

As of Tuesday morning, security company Censys detected 492 Ivanti VPNs that remained infected out of 26,000 devices exposed to the Internet. More than a quarter of the compromised VPNs—121—resided in the US. The three countries with the next biggest concentrations were Germany, with 26, South Korea, with 24, and China, with 21.

(credit: Censys)

Microsoft’s customer cloud service hosted the most infected devices with 13, followed by cloud environments from Amazon with 12, and Comcast at 10.

Enlarge (credit: Getty Images )

A prolific espionage hacking group with ties to China spent over two years looting the corporate network of NXP, the Netherlands-based chipmaker whose silicon powers security-sensitive components found in smartphones, smartcards, and electric vehicles, a news outlet has reported.

The intrusion, by a group tracked under names including "Chimera" and "G0114," lasted from late 2017 to the beginning of 2020, according to Netherlands-based NCR, which cited “several sources” familiar with the incident. During that time, the threat actors periodically accessed employee mailboxes and network drives in search of chip designs and other NXP intellectual property. The breach wasn’t uncovered until Chimera intruders were detected in a separate company network that connected to compromised NXP systems on several occasions. Details of the breach remained a closely guarded secret until now.

No material damage

NCR cited a report published (and later deleted) by security firm Fox-IT, titled Abusing Cloud Services to Fly Under the Radar . It documented Chimera using cloud services from companies including Microsoft and Dropbox to receive data stolen from the networks of semiconductor makers, including one in Europe that was hit in “early Q4 2017.” Some of the intrusions lasted as long as three years before coming to light. NCR said the unidentified victim was NXP.

Enlarge (credit: Getty Images)

Identity and authentication management provider Okta has been hit by another breach, this one against a third-party vendor that allowed hackers to steal personal information for 5,000 Okta employees.

The compromise was carried out in late September against Rightway Healthcare, a service Okta uses to support employees and their dependents in finding health care providers and plan rates. An unidentified threat actor gained access to Rightway’s network and made off with an eligibility census file the vendor maintained on behalf of Okta. Okta learned of the compromise and data theft on October 12 and didn’t disclose it until Thursday, exactly three weeks later.

“The types of personal information contained in the impacted eligibility census file included your Name, Social Security Number, and health or medical insurance plan number,” a letter sent to affected Okta employees stated. “We have no evidence to suggest that your personal information has been misused against you.”

Enlarge / This is not what a hacker looks like. Except on hacker cosplay night. (credit: Getty Images | Bill Hinton )

Microsoft has been tracking a threat group that stands out for its ability to cash in from data theft hacks that use broad social engineering attacks, painstaking research, and occasional physical threats.

Unlike many ransomware attack groups, Octo Tempest, as Microsoft has named the group, doesn’t encrypt data after gaining illegal access to it. Instead, the threat actor threatens to share the data publicly unless the victim pays a hefty ransom. To defeat targets’ defenses, the group resorts to a host of techniques, which, besides social engineering, includes SIM swaps, SMS phishing, and live voice calls. Over time, the group has grown increasingly aggressive, at times resorting to threats of physical violence if a target doesn’t comply with instructions to turn over credentials.

“In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts,” Microsoft researchers wrote in a post on Wednesday. “These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access.”

Enlarge (credit: Getty Images )

Identity and authentication management provider Okta said hackers managed to view private customer information after gaining access to credentials to its customer support management system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” Okta Chief Security Officer David Bradbury said Friday . He suggested those files comprised HTTP archive, or HAR, files, which company support personnel use to replicate customer browser activity during troubleshooting sessions.

“HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users,” Bradbury wrote. “Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”