Archive for September 9, 2022

Rogers Hires Lisa LaFlamme… No Seriously They Did

Posted in Commentary with tags on September 9, 2022 by itnerd

In a move that would be applauded by many, Rogers Sports and Media has announced that it has hired Lisa LaFlamme, who was fired by Bell Media, which then promptly mishandled the situation in epic fashion. You can read the full saga here. LaFlamme will cover the funeral of Queen Elizabeth II as a special correspondent for CityNews, and make appearances on Breakfast Television as well.

The cynic in me says that this move was opportunistic to both get some positive press for Rogers, as well as to pile onto Bell’s complete mishandling of this situation. But I am also happy for LaFlamme as she was royally (pun intended) screwed over by Bell Media. And I imagine that many in the public are happy as well.

I wonder what the suits at Bell Media must be thinking.

Massive Phishing Campaign Targets Filipino Mobile Users

Posted in Commentary with tags on September 9, 2022 by itnerd

Yesterday, the Philippine senate launched an investigation to identify the attackers behind a massive phishing campaign in which millions of text messages were sent to mobile users in the hope of capturing personal login credentials for fraudulent transactions.

The country’s two biggest telecoms providers have said they blocked more than 1 billion spam and suspicious text messages between them this year. PLDT and Globe have assured their combined 156 million mobile subscribers that cybercriminals have not breached their security systems.

Senator Grace Poe, who heads the senate’s public services committee, called for tighter measures against cybercriminals.

“This is a staggering number of messages that prey upon the vulnerable like those who are unemployed, in need of money or are just unfamiliar with these schemes,” Poe said.

Consumers have reported a surge in phishing attempts during the pandemic as people relied heavily on mobile devices for shopping and food delivery orders and banking.

The scale of this campaign is nuts. And something needs to be done. But apparently an attempt to deal with this was squashed:

Poe said it was time for lawmakers to revive a bill, vetoed last year by then President Rodrigo Duterte, that would require SIM card buyers to register with network providers to prevent scams and misinformation.

And Nick Ascoli, VP of Threat Research at PIXM has this to say:

There is a need for regulations that represent a sincere and holistic attempt at taking steps towards curbing cybercrime operations affecting the region. Unfortunately, scammers use many techniques to send luring text messages to victims, few of which involve the actual purchase of a physical phone and SIM card. Most involve the use of internet-based SMS gateways. While the specific proposal would likely not address the issue, it represents a hopeful sentiment that Southeast Asian governments will increase their use of federal resources in stopping cybercrime.

One of the best ways to deal with cybercrime is to go after the threat actors, take away the money gained from these crimes, and take away their liberty. The next best thing is to make it harder for cybercriminals to execute their schemes. That’s what the law that was squashed last year would do, and hopefully it gets enacted so that this issue is addressed.

This Is A New One… Microsoft BitLocker Is Being Used In Ransomware Attacks

Posted in Commentary with tags on September 9, 2022 by itnerd

If you’re not familiar with Microsoft BitLocker, it’s the native full disk encryption product for Microsoft Windows, but only in the business and enterprise editions. The consumer editions of Windows 10 and 11 don’t have this feature. Enterprises around the world use it as a way to encrypt the data on their hard drives for security reasons. But it appears that threat actors are also using it to launch ransomware attacks, according to Microsoft:

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaigns. We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV-0270’s operations.

DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.

In some instances where encryption was successful, the time to ransom (TTR) between initial access and the ransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys. In addition, the actor has been observed pursuing other avenues to generate income through their operations. In one attack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the organization for sale packaged in an SQL database dump.

I have to admit that this is novel, as the threat actors are using built-in tools to pwn their targets. The Microsoft report has mitigation strategies that you should read and implement, because it seems that we’re going to hear more about this in the weeks and months to come.

Who’s To Blame For The QNAP Security Mess? My $0.02 Worth…

Posted in Commentary with tags on September 9, 2022 by itnerd

Yesterday, I wrote about QNAP’s latest security issue with DeadBolt ransomware. And I highlighted that, by my count, I’ve written about this 8 times this year, which is insane. But after I wrote that article, I thought about this and wondered if this is all QNAP’s fault, or if there’s more to it than that. Which is where this article came from. In short, I believe that while QNAP shoulders a lot of blame, users (including myself to a degree) have to shoulder some blame as well. Let me explain by starting with QNAP.

There’s clearly something wrong with QNAP in terms of the quality of their code, their QA practices, their ability to find security issues, or something else, for them to repeatedly be targets of DeadBolt. After all, a ransomware gang wants to have access to the largest number of targets possible to maximize their chances of making money. Thus if other NAS vendors had the same issues, you would see those vendors being affected by DeadBolt. But outside of one instance of ASUS users being a target of DeadBolt, and one instance of Terramaster users being hit by DeadBolt, I haven’t heard about DeadBolt hitting other vendors of NAS products. Now to be clear, other types of ransomware have hit other NAS vendors, but nothing on the scale of what is happening to QNAP. Thus QNAP really needs to get its house in order, or potential customers are going to simply look elsewhere for their next NAS, as clearly QNAP’s products will not be seen as secure.

On the flip side, there are two things that a threat actor like whoever is behind DeadBolt needs in order to pwn a QNAP NAS:

  • A vulnerability that they can exploit.
  • The opportunity to do so.

Let’s start with the vulnerability part of this. I religiously update my NAS to whatever the latest firmware is within a day of it being available. I do that because I want to make sure that I am not leaving myself open to getting pwned by hackers, as they will often reverse engineer what a vulnerability might be based on what the fix is in the current firmware, thus giving themselves an attack vector against earlier versions of the firmware. Now, not everybody is yours truly, and you may put off updating the firmware in your NAS (never mind an Android update, or a Windows update) until days or weeks or months later. Or you may never do it at all. That leaves you wide open to attack, and that I have to say is on you if you get pwned.

Now let’s look at the opportunity part of this. DeadBolt, as far as I am aware, can only attack your NAS if you have the NAS exposed to the Internet. If you expose anything to the Internet, you are risking a threat actor taking the opportunity to pwn it. I say that because even if you have updated all the things on the NAS, there’s still the possibility of a flaw that nobody knows about. Which means that if the threat actor finds it before one of the good guys finds it, the threat actor wins and you get pwned. And that’s on you for exposing the NAS to the broader Internet. In my case, I expose nothing to the Internet. And that includes my NAS, which reduces the odds of this happening to me significantly. You’ll note that I said “reduces” and not “eliminates”, because it is always possible for anyone, anywhere to get pwned by hackers. But the idea is that you don’t want to make it easy for them by exposing anything, from a smart light bulb to a NAS, to the broader Internet.

Now I do know that many people out there will say that they have a legitimate need to have their NAS exposed to the Internet. But here’s what I would say about that. If my clients say that they have a need to expose a NAS which may contain personal or business related files to the Internet, I would counter by asking why their need outweighs the security risk, or the potential loss or theft of those files. Not to mention the possibility of ransomware, or of a threat actor using that NAS to get to their broader network. And not one of my clients has disagreed when this was highlighted to them, because they understand that security must always come ahead of doing something that is easy and quick.

There’s one other thing that I should point out. If you don’t back up your NAS to another location, be it another NAS, a cloud service, or a hard drive, it makes a potential attack more effective, as you’ve got no plan B. Or put another way, say that your NAS was pwned by ransomware. If you had a backup, you could easily say “well, that sucks”. Then you could factory reset the NAS, which would likely remove the ransomware, set it up again, restore your backup, and move on with your life. All without paying the threat actors a cent. If enough people did that, the people behind DeadBolt and other types of ransomware would be out of business tomorrow, because they wouldn’t have the opportunity to profit from their attacks.

Now I know that what I’ve just said above has the potential to open me up to being lit up like a Christmas tree in a bonfire. And I am fine with that, as I am calling it as I see it. But what are your thoughts? Drop a comment below and share them, but please keep it civil.

Ransomware Groups Will Increasingly Target Linux Servers And Embedded Systems Over The Coming Years: Trend Micro

Posted in Commentary with tags on September 9, 2022 by itnerd

Trend Micro Incorporated yesterday predicted that ransomware groups will increasingly target Linux servers and embedded systems over the coming years. It recorded a double-digit year-on-year (YoY) increase in attacks on these systems in 1H 2022.

To read a full copy of the Trend Micro 2022 Midyear Roundup Report, please visit: https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/defending-the-expanding-attack-surface-trend-micro-2022-midyear-cybersecurity-report

According to Trend Micro data:

  • 63 billion threats blocked by Trend Micro in 1H 2022
  • 52% more threats in the first half of the year than the same period in 2021
  • Government, manufacturing and healthcare are the top three sectors targeted with malware

Detection of attacks from ransomware-as-a-service surged in the first half of 2022. Major players like LockBit and Conti were detected with a 500% YoY increase and a near doubling of detections in six months, respectively. The ransomware-as-a-service model has generated significant profits for ransomware developers and their affiliates.

New ransomware groups are emerging all the time. The most notable one in the first half of 2022 is Black Basta. The group hit 50 organizations in just two months. Many persist with the “big game-hunting” of large enterprises, although SMBs are an increasingly popular target.

One of the primary attack vectors for ransomware is vulnerability exploitation. Trend Micro’s Zero Day Initiative published advisories on 944 vulnerabilities in the period, a 23% YoY increase. The number of critical bug advisories published soared by 400% YoY.

APT groups continue to evolve their methods by employing expansive infrastructure and combining multiple malware tools. The ten-fold increase in the number of Emotet detections is another proof point that threat actors are increasingly integrating Emotet into their elaborate cybercrime operations.

The concern is that threat actors are able to weaponize these flaws faster than vendors can release patch updates and/or customers can patch them.

Unpatched vulnerabilities add to a growing digital attack surface many organizations are struggling to manage securely as the hybrid workplace expands their IT environment. Over two-fifths (43%) of global organizations believe it is “spiraling out of control.”

Cloud visibility is particularly important given the continued threat of third parties exploiting misconfigured environments and using novel techniques like cloud-based crypto mining and cloud tunneling. The latter is frequently abused by threat actors to route malware traffic or host phishing websites.