[Security Weekly] PCI SSC Publishes PCI DSS v4.0 With New Requirements

pci dss

April 2022, Issue I


1. PCI Security Standard Council releases PCI DSS v4.0 with new requirements

PCI Security Standards Council (PCI SSC), an international forum in charge of regulating digital payment security, published Version 4.0 of its Payment Card Information Data Security Standards (PCI DSS) on March 31, four years after its previous release (v3.2.1) in May 2018. PCI DSS v4.0 made some clarifications and changes based on evolving attack methods and cybersecurity measures.

Besides some concept modifications and clarifications, a few major security requirements were newly added to the regulation. For instance, v4.0 requires all firms to “deploy an automated technical solution for public-facing web applications that continually detects and prevents web-based attacks”. The previous release only required firms to have a web application vulnerability assessment tool. The new update means that real-time web application security solutions like web application firewalls (WAF) are now mandatory.

Several major updates can be seen in the authentication section as well, including the new requirement of multi-factor authentication (MFA) for all types of access into cardholder data environments (CDE), as well as the increase of minimum password length from seven to 12 characters.

Businesses are given two years of adaptation time for these new changes. In the meantime, v3.2.1 will remain effective until March 31, 2024.

Sources: PCI SSC


2. Okta customer support system compromised by LAPSU$ hacker group

Over the weekend of March 19, LAPSU$ hacker group claimed to have compromised Okta by posting screenshots of Okta’s “Superuser/Admin” accounts among other systems. Okta is an enterprise identity and access management (IAM) firm, providing solutions to more than 15,000 client firms.

Okta’s CSO confirmed the incident on March 23 and said that the hackers accessed a customer support engineer’s laptop over a five-day period between January 16 and 21. The laptop was owned and managed by third-party customer support provider Sitel. LAPSU$ managed to gain remote access to the laptop and compromised Okta’s customer support portal and Slack server.

Even though the compromised Superuser account did not have the permission to download any databases or export any data, it did have the authorization to reset passwords and multi-factor authentication (MFA).

Okta said that about 2.5% of all clients, or roughly 375 firms, were affected. However, LAPSU$ claimed that being able to reset passwords and MFAs meant it could potentially compromise up to 95% of all accounts.

Within a one-month period, the LAPSU$ hacker group has gone on a hacking spree that swept across multiple global tech giants, including NVIDIA, Samsung, LG, Microsoft, and Globant.

Sources: Infosecurity, Bleeping Computer, TechCrunch


3. Over 37 GB of Microsoft source code leaked by LAPSU$ hacker group

On March 20, the LAPSU$ hacker group revealed that it had compromised Microsoft’s Azure DevOps server. A day later, it posted a compressed torrent file containing the source code of over 250 projects. With an uncompressed size of 37 GB, the files were said to contain 90% of the source code for Bing Maps, and 45% for Bing and Cortana.

Microsoft later confirmed the claim, adding that the hackers got into the DevOps server by compromising one single employee account, which granted limited access. Fortunately, Microsoft reaffirmed that the company does not rely on the secrecy of its source code, hence a source code leak does not increase the security risk for its users and partners.

Microsoft also said that its security team spotted the intrusion prior to the hackers’ announcement and successfully limited the impact of the attack. Microsoft later revealed that the LAPSU$ hacker group’s intrusion tactics range from social engineering, SIM swapping, business email compromise, to even bribing employees and partners of targeted organizations for login credentials.

Sources: Threatpost, PCMag, TechTarget


4. Satellite communications giant Viasat confirms DoS and data wiper attacks

On March 31, satellite communications provider Viasat confirmed suffering a denial-of-service (DoS) and data wiper attack back on February 24, which took down thousands of broadband customers in Ukraine and tens of thousands across the rest of Europe.

Viasat’s KA-SAT satellite network was attacked on the same day Russia invaded Ukraine, where a high-volume DoS attack forced many modems to disconnect. After weeks of investigations, Viasat confirmed that it was a ground-based network intrusion where the attackers exploited a VPN misconfiguration to gain remote access to the trusted management segment of the KA-SAT network. Once in the network, the attackers were able to execute legitimate management commands on a large number of residential modems, causing overwhelming traffic.

Security firm SentinelOne added to the findings, suggesting that the compromised modems were attacked with the newly discovered AcidRain wiper. The wiper was designed to brute-force file names and wipe all files it could find, including those in flash memory, SD cards, and virtual environments.

Sources: ZDNet, Bleeping Computer, The Stack


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security