Archive for November 3, 2022

French Threat Group Steals $11M

Posted in Commentary with tags on November 3, 2022 by itnerd

New research from Group-IB on OPERA1ER shows the threat group has stolen at least $11 million from banks and telecommunication services providers. OPERA1ER obtained initial access via phishing emails and would spend 3 to 12 months inside compromised networks, performing lateral phishing attacks and studying internal documentation to understand how money transfers work.

Mike Fleck, Senior Director of Sales Engineering at Cyren:

“Combining phishing, malware, and account takeover is a common attack chain. What seems to differ is the motivation of the attackers. A bad actor doing a “spray and pray” campaign will grab whatever data is available once they’ve taken over an account (e.g. the recent GitHub account compromise at Dropbox). However, it’s the determined and targeted attacks that pivot off the initial access to launch a more profitable/damaging follow-on. Regardless, phishing remains an unsolved issue and a precursor for data breaches and financial losses.”

Clearly OPERA1ER is a dangerous group that needs to be monitored as I can see them evolving to be even more dangerous over time. In the meantime, the report is very much worth your time to read.

UPDATE: Dr. Darren Williams, CEO and Founder of BlackFog, had this comment:

“The Ransomware as a Service model is alive and well and is now the de facto standard for cybercriminals. This gives hackers the ability to leverage the best tools available at any moment in time for a percentage of the takings. This latest attack with gains of $11m just proves how viable this model really is. It also clearly demonstrates that existing EDR-based solutions offer too little, too late to really protect the organization’s key asset, its data. As we can see from these attacks, once a hacker has gained access to the network, lateral movement and data exfiltration play a key role in the success of the attack. Organizations should be focused not only on defensive approaches, but also on anti-data-exfiltration to protect against any possible lateral movement or data loss and to prevent any attempt at data extortion.”

EdTech Cyber Expert Comments On Government’s Hyper-Focused K-12 & HigherEd Cyber Response And Reporting Activity/Efforts

Posted in Commentary with tags on November 3, 2022 by itnerd

There’s been a lot of activity this week on education cybersecurity. It started with the Federal Student Aid CISO begging the government to hold higher education institutions to the same cyber incident reporting standard as K-12 institutions, and continued with a recent report from the GAO criticizing the U.S. Department of Education for not sufficiently coordinating communication between school districts and the feds on cybersecurity.

Stan Golubchik, Co-Founder and CEO of ContraForce, works directly with K-12 and higher education institutions to detect attacks and incidents. In response to Educause’s annual conference, and specifically to the Education Department and Federal Student Aid office CISO’s comments on cyber incident reporting, Stan says:

“While there are over 9,000 EdTech tools in the K-12 space, it is unknown how many tools are actually used in Higher Education (HigherEd institutions are not held to the same standards of reporting as K-12). This is precisely why the government is begging HigherEd to report on cyber attacks — because today, there is no reason for private colleges to report anything to anyone.”

“With the proliferation of remote education and SaaS applications, colleges struggle with knowing when incidents occur due to the distributed educational footprint. They lack visibility into security threats when they occur, and lack effective incident response plans and systems. With loose regulations on what should be reported in times of a breach, colleges will struggle not only to gather the information needed for reporting a breach but to understand what information is needed and how to communicate it.”

It’s pretty clear that cybersecurity within education needs to be a key focus, as this is where threat actors will concentrate their efforts: the education sector tends not to have the same cybersecurity resources available as other organizations, effectively making schools soft targets. Any sort of soft target needs to be eliminated so that everyone is safer as a result.

Report Claims That Elon Musk Will Be Chopping 50% Of Twitter Staff

Posted in Commentary with tags on November 3, 2022 by itnerd

A reader surfaced a Bloomberg report to me that outlines the following:

Elon Musk plans to eliminate about 3,700 jobs at Twitter Inc., or half of the social media company’s workforce, in a bid to drive down costs following his $44 billion acquisition, according to people with knowledge of the matter.

Twitter’s new owner aims to inform affected staffers Friday, said the people, who requested anonymity discussing non-public plans. Musk also intends to reverse the company’s existing work-from-anywhere policy, asking remaining employees to report to offices — though some exceptions could be made, the people said.

Musk and a team of advisers have been weighing a range of scenarios for job cuts and other policy changes at San Francisco-based Twitter, the people said, adding that the terms of the headcount reduction could still change. In one scenario being considered, laid off workers will be offered 60 days’ worth of severance pay, two of the people said.

After the layoffs were sorted, Twitter Chief Accounting Officer Robert Kaiden left the company, becoming one of the last pre-Musk C-suite executives to depart, according to people familiar with the matter.

A spokesperson for Twitter didn’t immediately respond to a request for comment.

Musk is really under the gun to find a way to get Twitter to a point where it not only makes money, but also doesn’t make him look like someone who talks the talk but can’t walk the walk. Even though he has a history of not being able to walk the walk. And this is the sort of stuff that will send those who survive this coin-flip shot at keeping their jobs at Twitter to the exit door faster than Barry Allen trying to save the day. Because as the person who brought this to my attention said, it’s no fun working for a dictator. I would agree with that, but I would also add that it’s no fun working for a dictator who is desperate and doesn’t have a clue.

Those who work for Twitter, those who use Twitter, and most importantly, those who were dumb enough to lend Musk money to buy Twitter should brace for impact as this is not going to end well for anyone.

New Threat Intelligence Research Says That Illegal Dark Web Pharmaceutical Sales Drop 80%, Significantly Decline

Posted in Commentary on November 3, 2022 by itnerd

Today, Cybersixgill published new threat intelligence research finding that authorities have shut down dedicated underground pharmaceutical drug markets in big numbers over the last three years, but many are still active.

The number of posts for prescription drugs on underground forums dropped by 79% from 2020 to 2021 and did not go back up in 2022. Cybersixgill’s researchers attribute the initial decline to the Covid-19 pandemic and major law enforcement operations, including a Europol dark web drug bust resulting in arrests.

You can get further details on this research here.

NIST Asks For Feedback In Terms Of Cybersecurity For The Water And Wastewater Utilities Sector

Posted in Commentary with tags on November 3, 2022 by itnerd

Yesterday, NIST put out a draft white paper asking for feedback from stakeholders in the water and wastewater utilities sector as to how best to secure this sector.

Here’s the abstract from the draft white paper.

The U.S. Water and Wastewater Systems (WWS) sector has been undergoing a digital transformation. Many sector stakeholders are utilizing data-enabled capabilities to improve utility management, operations, and service delivery. The ongoing adoption of automation, sensors, data collection, network devices, and analytic software may also increase cybersecurity-related vulnerabilities and associated risks.

The NCCoE has undertaken a program to determine common scenarios for cybersecurity risks among WWS utilities. This project will profile several areas, including asset management, data integrity, remote access, and network segmentation. The NCCoE will also explore the utilization of existing commercially available products to mitigate and manage these risks. The findings can be used as a starting point by WWS utilities in mitigating cybersecurity risks for their specific production environment. This project will result in a freely available NIST Cybersecurity Practice Guide.

You can read the draft white paper here. Chris Warner, OT Cybersecurity Consultant at GuidePoint Security, adds this commentary:

“Water systems are unique and challenging to secure because many systems are over 50 years old, and it will take tremendous financial and human resources to replace or upgrade to stay in compliance with regulatory entities. Water SCADA systems have numerous physical sites that are diverse in architecture and challenging to ensure integrity and security for water treatment basins, distribution centers, storage towers/level management, drinking water distribution networks, real-time decentralized industrial wastewater treatment centers, and real-time flood control system monitoring. 

Now, the AWWA mandates over 180 standards of practice for water utilities, and many US States have their own regulations. Some states are now encouraging water utilities to align to the NIST CSF. The NIST CSF mainly focuses on the business, IT, and a limited amount of OT. Creating an overlay of the NIST 800-82 with the CSF specifically addresses SCADA systems.”

I’ll be keeping an eye on this as there needs to be change in this sector to address the threat landscape that we find ourselves in at present.

Today Is World Digital Preservation Day

Posted in Commentary with tags on November 3, 2022 by itnerd

World Digital Preservation Day (WDPD) is held on the first Thursday of every November. In honor of the day, the World Digital Preservation Coalition stated, “The DPC invites all data creators, curators and consumers from around the world to celebrate digital preservation by participating in a whole day dedicated to all of the benefits and opportunities enabled by the hard work of our dynamic and collaborative community. Continuing the theme ‘Data For All, For Good, Forever’ from another celebration – iPres 2022 – World Digital Preservation Day is an opportunity to showcase how digital preservation enables ‘digits to flourish.’”

Steve Santamaria, CEO of Folio Photonics, offers up this commentary:

“Digital data is the world’s most valuable resource and the storage, protection and preservation of this resource is crucial. Not only business, but a society’s advancement depends upon the ability to preserve, access, and analyze historical data. When our historical data is lost, we suffer. This is why we saw the Spanish friars burn nearly every book that existed in the pre-Columbian Mayan civilization during their conquest. Once data is lost, there is no way to determine how much value has been irrevocably lost.

Data preservation can be done several ways, but at its core it is a combination of the technology, organizational management, and proper resource planning. While data storage technology is only one aspect of the ongoing process known as preservation, it still plays a vital role. Having the appropriate data storage technology at the center of your preservation strategy is critical to ensure your data’s safety. Storage that is highly reliable, long-lived, easily accessible, and cost-efficient is crucial to any data preservation strategy. We have yet to see an ideal storage technology developed that strikes the right balance between these vectors. However, new technologies such as next-generation tape storage, advanced optical storage, and DNA storage are all currently being developed to sit at the center of data preservation strategies around the globe.”

Whether it is electronic health records, financial statements, HR documentation, architectural blueprints, retail buying trends reports, or movies and other entertainment content, as well as classified government documents (and the list goes on) – the critical importance of preserving digital data spans virtually every industry, around the world.

Bell Reports ‘Best-Ever’ Internet Subscriber Growth In Q3…. Gee I Wonder Why?

Posted in Commentary with tags on November 3, 2022 by itnerd

It’s Q3 results season for Canada’s “big three” telcos and I’ve been waiting for this for a while as I want to see what effect the great Rogers outage back in July had on the “big three”. Bell was the first to come to the table with their results and you can see that they had one hell of a Q3. Here’s a quote attributed to Mirko Bibic, President and CEO of BCE and Bell Canada, from the press release:

“We’re seeing clear demand from Canadians for differentiated fibre Internet services and fast, reliable wireless networks. We experienced over 400,000 net activations across our wireline and wireless networks, with our highest-ever number of total mobile phone net additions, and we also gained a significant share of Internet subscriber growth with over 95,000 new net fibre-to-the-home customers this past quarter, up 33% over last year and our best-ever result.”

While I am sure that Bell won’t say that Rogers was the reason behind this growth, it was likely a factor, along with the fact that they are rolling out fibre as fast as they possibly can, which leads to customers signing up with Bell as they have a much better Internet offering. The Rogers outage and customers not being happy about that also likely drove people to Bell, leaving the boys in red in no position to compete against Bell. I want to see what numbers Telus puts up because if they have similar growth, it will be clear that Rogers is in deep trouble. So stay tuned as this will get interesting to watch.

Silverfort To Provide Acrisure Cyber Services Clients With Compliant Identity Protection

Posted in Commentary with tags on November 3, 2022 by itnerd

Silverfort, a unified identity protection leader, today announced a partnership with Acrisure Cyber Services (ACS). ACS is a division of Acrisure, a global fintech that operates a top-10 global insurance broker that also provides cyber services, real estate services and asset and wealth management. Silverfort is known for helping organizations of all sizes meet the increasingly rigorous identity and access management compliance burden emerging in cyber insurance policies.

The increasing sophistication of cyber attacks continues to expose the IT infrastructures of organizations, which is driving up cyber insurance premiums. As a result, underwriters are increasingly mandating that Multi-Factor Authentication (MFA) be applied with far greater depth than before to inhibit threat actors’ movements as they propagate attacks.

ACS will deliver Silverfort as part of its “Security as a Service” model, sitting alongside other technologies intended to provide companies of all sizes with full compliance to a range of carrier policies. Alongside Silverfort, this stack of technologies also covers endpoint security, vulnerability detection and management, backup and disaster recovery, security awareness training and email security.  

Silverfort will help enable ACS clients to comply with requirements by seamlessly extending MFA to previously unprotectable resources. Organizations will be able to enforce MFA across all on-prem and cloud resources including on email, remote network access tools, network infrastructure, directories, servers, workstations and even on legacy protocols that allow ransomware attacks to spread. It will also allow customers to automatically discover, monitor and secure the automated Service Accounts commonly used in data breaches, without having to modify them. 

More information on how Silverfort helps companies comply with emerging cybersecurity insurance standards can be found here. Further details on Acrisure Cyber Services can also be seen here.

Hackers Abuse Microsoft Customer Voice in Phishing Campaign… Legitimate Microsoft Links Used to Bypass Security Filters

Posted in Commentary on November 3, 2022 by itnerd

Researchers at Avanan, a Check Point Software Company, have released a report discussing how hackers are impersonating Microsoft’s Dynamics 365 Customer Voice to send credential harvesting pages.

In this attack, victims are presented with an email from the survey feature in Dynamics 365, notifying them that a new voicemail from a customer has been received. Using a legitimate Customer Voice link from Microsoft, end users are encouraged to listen to the voicemail by clicking on the provided link that instead redirects them to a phishing page. 

You can read the full report here.

Hackers Using Vendor Fraud Techniques to Bypass Microsoft Office Email Security: Armorblox

Posted in Commentary with tags on November 3, 2022 by itnerd

Armorblox today announced the addition of Armorblox Vendor and Supply Chain Attack Protection to the company’s cloud-delivered email security platform to protect organizations from the biggest challenge in today’s threat landscape: vendor email compromise and the ensuing supply chain attacks. 

As companies invest in more tools to defend against cyber threats of all kinds, hackers are staying one step ahead, by exploiting the trusted relationship between vendors and clients. With the addition of Vendor and Supply Chain Attack Protection to its email security platform, Armorblox eliminates the guesswork for organizations of all sizes around safe vendor and third-party communications across Microsoft Office 365, Microsoft Exchange, and Google Workspace environments. Armorblox NLU-based analysis and organization-specific custom models continuously monitor and assess the risk of over 50,000 vendors, proactively stopping vendor fraud attempts and supply chain attacks and further aligning with the company’s mission of helping organizations communicate without compromise.

Email-based financial fraud attacks have a higher chance of slipping past legacy email security solutions due to their increased sophistication. According to the 2022 Armorblox Email Security Threat Report, 2 out of 5 (44%) financial fraud attempts happened as wire fraud, invoice fraud, or vendor fraud over email. The Armorblox Vendor and Supply Chain Attack Protection delivers the layer of defense organizations need to secure their user and business data and protect the company and employees from sophisticated, targeted attacks such as financial fraud, lookalike domains, or hijacking of payment-related email threads.

Customers benefit from Armorblox Vendor Compromise and Supply Chain Attack Protection in a number of ways, including:

  • Enhanced Detection: Protect against vendor fraud attempts and supply chain attacks on the organization such as invoice fraud, lookalike domains, or hijacking of payment-related email threads.
  • Continuous Monitoring: Immediate protection against compromised accounts with around-the-clock monitoring and risk analysis of over 50,000 vendors. 
  • Improved Security Posture: Prevent loss of money, sensitive credentials, or confidential data over email with continuous risk assessment of vendors and third-party contacts, based on behavior models.

To learn more about the capabilities of Armorblox Vendor Compromise and Supply Chain Protection, visit this blog post: