Posted in Commentary with tags VCU on May 2, 2023 by itnerd
Virginia Commonwealth University and the Institute of Data have forged a partnership to provide programs that will prepare nontraditional adult learners for careers in the tech industry.
The collaboration between VCU Continuing and Professional Education and the Institute of Data aims to bridge the gap between traditional academic education and industry-specific skills training, providing learners with the best of both worlds. The partnership offers noncredit bootcamps led by experienced instructors and industry professionals, leading to hands-on experience in cutting-edge technologies.
Through this collaboration, VCU alumni and other community members in Virginia will have access to the Institute of Data’s curriculum and state-of-the-art learning platform. Bootcamps will be tailored to meet the needs of the industry, providing adult learners with in-demand skills that are necessary to thrive in the job market. Full-time and part-time bootcamps that range from 12 to 24 weeks cover topics such as software engineering, data analytics and artificial intelligence, and cybersecurity.
Posted in Commentary with tags HYAS on May 2, 2023 by itnerd
HYAS Infosec, a leader in advanced adversary infrastructure intelligence and detection that preemptively neutralizes cyberattacks, today announced the HYAS Onpoint Partner Program, which goes beyond typical reseller agreements by working with partners on a platform designed to help customers prevent attackers from damaging their network security infrastructure.
The HYAS Onpoint Partner Program highlights HYAS’s Protective DNS platform and shows how partners can incorporate it into their suite of security offerings and open the door to additional product sales.
The HYAS Onpoint Partner Program features:
Differentiation: By offering Protective DNS as part of a security solution suite, partners can differentiate their offering from the competition, providing added value to customers.
Increased revenue: By incorporating Protective DNS into their security product offering, partners can increase their revenue by selling additional security services to end-user customers, improving overall customer satisfaction.
Enhanced technical expertise: Protective DNS makes it easy to demonstrate technical expertise in security solutions and helps position partners as a trusted advisor to customers while providing a competitive advantage.
Competitive advantage: By offering Protective DNS, partners can gain a competitive advantage in the market and attract new customers looking for comprehensive security solutions.
Transformative approach: HYAS’s Protective DNS solution uniquely focuses on mapping attacker infrastructure to enable a next-generation approach to proactively identify, counter, and mitigate attacks.
More effective: HYAS’s solution is 3-5x more effective at quickly identifying threats than competing solutions.
Multi-tenant architecture: Enables deployment of multiple clients with logical segregation and centralized management.
Layered approach: HYAS’s solution integrates with services like Microsoft Defender for Endpoint, making conversations simple, and offering easy upsell opportunities to existing customers.
Deep discounts: HYAS offers aggressive discounts off retail pricing, allowing partners to increase profit margins. Partners are also provided product trials to demonstrate functionality and value pre-customer sale.
Robust training and support: Provided for all aspects of sales, onboarding, and ongoing product support, with portal-driven engagement.
Product white labeling: Provides MSP customers with co-branded HYAS Protect dashboards or fully customized partner dashboards so software is tracked only to the partner.
HYAS Protect can be deployed in minutes to improve organizations’ existing security investments by integrating always-on DNS intelligence into security information and event management systems, firewalls, endpoint solutions, and more. HYAS Protect combines authoritative knowledge of attacker infrastructure and unrivaled domain-based intelligence to proactively enforce security and block the command and control (C2) communication used by malware, ransomware, phishing, supply-chain, and other forms of cyber attacks, thereby rendering the attack inert before it can do significant damage.
Posted in Commentary with tags Telus on May 2, 2023 by itnerd
TELUS today announced the kick off of its 18th annual TELUS Days of Giving, a month-long initiative that mobilizes TELUS team members, retirees and partners around the world to volunteer and give back in their local communities. According to the 2023 Edelman Trust Barometer, Canadians are increasingly looking to businesses to do more to help solve pressing social issues. Almost 60 per cent of Canadians believe businesses are not doing enough to address climate change and 81 per cent agree companies should be doing more to give back. Championed by team members almost two decades ago, the annual TELUS Days of Giving movement continues to grow, now bringing together a record-breaking 75,000 TELUS team members and retirees across the globe. From cleaning local shorelines and parks, donating blood, planting trees, recycling old mobile devices, or volunteering at neighbourhood food banks, the TELUS team is committed to creating long-lasting impacts and helping address some of today’s most pressing challenges in their local communities. Since 2000, the TELUS team members, retirees and their families have contributed 2 million days of global volunteerism and donated C$1.5 billion to local charities and not-for-profit organizations.
In addition to the TELUS Days of Giving program, TELUS leads by example, stepping up and providing support every day of the year. Last year alone, TELUS:
Enabled $6.6 million in 2022 for humanitarian and emergency relief around the world, directly helping those impacted by the conflict in Ukraine, Hurricane Fiona and Hurricane Ian, the flooding in Pakistan, and the unrest in Iran
Provided over $1 million worth of food and meals to communities in need nationwide
Filled and distributed 17,000 backpacks, filled with back-to-school essentials for Canadian youth, as part of TELUS’ Kits for Kids program
Planted 265,000 trees in 2022, helping reach a 2023 milestone of 1 million trees planted to date, and removing 10,000 bags of garbage from shorelines across the country
Donated over 145,000 handmade and collected care items, such as hand sewn baby clothes, heart pillows, knitted knockers and comfort kits, for organizations supporting the health and wellness of Canadians from coast to coast
To learn more about how TELUS is helping create a friendlier future for all, visit telus.com/purpose.
Appdome, the mobile app economy’s one and only Cyber Defense Automation platform, today announced that it has released a pre-built integration between its platform and GitLab, the most comprehensive, scalable enterprise DevSecOps platform for software innovation. The new integration is part of Appdome’s Dev2Cyber Partner initiative to accelerate delivery of secure mobile apps globally.
Appdome’s cyber defense automation platform streamlines delivery of mobile app protection and accelerates release times by using technology to build cyber security defenses into iOS and Android apps. Fully automated, no-code, no-SDK protections on Appdome include runtime application self-protection (RASP), code obfuscation, mobile data encryption, jailbreak detection, root detection, man-in-the-middle attack prevention, on-device anti-malware, anti-fraud, anti-cheat, anti-bot and other protections. Appdome delivers these protections with real-time defense monitoring and attack intelligence via its fully integrated Appdome ThreatScope™ XDR solution.
Today, global consumers demand more protection than ever in their mobile app experiences. As Appdome’s recent Global Consumer Expectations of Mobile App Security survey revealed, 94% of global consumers said they would promote a brand if the mobile apps protected them against security, fraud and malware risks, while 68% said they’d abandon brands that offered no protection.
For more information on how to use Appdome with GitLab, please see this knowledge base article.
Posted in Products with tags ESR on May 2, 2023 by itnerd
My wife and I both have had chargers for our iDevices on our respective night stands. The iDevices that we charge are usually our respective iPhone and Apple Watches. Over the holiday season I gave her an ESR HaloLock 3-in-1 Wireless Charger with CryoBoost which she absolutely loves. As a result of that, I got one for myself and decided to review it.
Now to be clear, this charger will charge the following devices:
An iPhone with MagSafe which will charge at 7.5W.
An Apple Watch which will charge at 5W and requires you to supply your own charging puck.
A pair of AirPods in the wireless charging case underneath the iPhone. That will charge at 5W.
Here’s what you get when you take it out of the box.
Not pictured is the wall adapter. As you can see and as I mentioned earlier, you need to bring your own Apple Watch charging puck. I’m guessing that ESR didn’t want to pay Apple to put one in that was MFi certified, which also explains why the MagSafe charger is capped at 7.5W, as that is the max that a non-MFi MagSafe charger can go. But as you’ll see shortly, neither of these details matter. But before I get to that, let’s get the Apple Watch charging puck thing out of the way. So to make this work, I had to spring for the fast charging version of the Apple Watch charging puck. And ESR has a couple of really clever features that make this work:
As you can see here, you can open the base of the charging stand and you will see a USB-A port and a USB-C port. Choosing the latter allows you to use the fast charging Apple Watch charging puck, which is important if you have a recent Apple Watch that supports fast charging. In fact, I would suggest you just go out and buy the fast charging puck as that is a form of future proofing.
And as you can see, you can wrap the cable up so that it is nice and neat so that it looks like the stand came that way from the factory.
Here’s the net result with the charging puck installed. It looks pretty clean.
Now the main claim to fame for the ESR HaloLock 3-in-1 Wireless Charger with CryoBoost is the aforementioned CryoBoost feature. CryoBoost, in short, is a MagSafe adapter that has a cooling fan. By having the cooling fan it will keep your iPhone cooler while charging, which not only extends the health of the iPhone’s battery, as heat kills batteries, but keeps the charging speed more consistent, which means it charges faster as a result, despite the fact that it has a maximum 7.5W charge speed. Now the company claims that it can charge an iPhone 13 from 0 to 100% in three hours, which is 4 hours faster than Apple’s MagSafe charging puck. While that puck has the ability to charge at 15W, it will bring the charge speed down as the phone heats up, and it will stop charging if the iPhone gets too hot and wait until the temperature comes down to start charging again. Which means that despite the fact that it has a charge speed of 15W, it will charge slower because it has to manage the heat the iPhone generates while charging. When I tested these claims out, it took 2 hours and 21 minutes to charge my iPhone 14 Pro from 5% to 100% with CryoBoost turned on. That was pretty impressive and confirms what the company claims.
As for the charging puck for the Apple Watch, I used my Apple Watch Ultra to test this and it charged that as fast as the fast charging puck that is on my desk. That makes sense as this stand isn’t employing any cooling tricks to charge the watch faster. Finally, the spot for the AirPods didn’t charge my AirPods Pro any faster than any of the 5W chargers that I have scattered around my home. Again, that makes sense as the stand isn’t doing anything cooling related to charge the AirPods faster. The only thing that I have to say about the AirPods charger is that you have to put the AirPods in exactly the right spot for it to charge. Fortunately there is an outline on the charger that in daylight will help you with that. At night you’re going to have to rely on either the light on the AirPods case or the ding sound on the Generation 2 AirPods Pro to let you know if you’ve got them in the right spot. And if you move the AirPods because you toss and turn while you sleep for example, you may not have fully charged AirPods in the morning.
Gripes? I have a minor one. The fan is definitely not silent. It’s not super loud either. But you will be able to hear it, and this will keep you awake at night. Along with that, when CryoBoost is turned on, a light gets turned on around the MagSafe charging puck that will create a bit of a glow in a dark room which can keep you from getting to sleep. Fortunately you can hit a button on the stand to turn both of those off. But that takes away the ability for CryoBoost to keep your phone cool. Now that’s not really a big deal as having Optimized Battery Charging turned on will charge your iPhone to 80%, and then slow charge to 100% before you wake up. That makes heat less of a factor on your iPhone’s battery health. But still, it might have been nice to be able to make the fan a tiny bit more quiet and to have the ability to turn the light off while keeping the fan on.
So this is what this setup cost me on Amazon:
ESR HaloLock 3-in-1 Wireless Charger with CryoBoost: $70.39 CDN
Apple Watch Fast Charging Puck: $37.96 CDN
Total cost: $108.35
I really can’t argue with the price, and the fact that I had to bring my own Apple Watch charging puck to the party. This product is well thought out for the most part and works as advertised. Thus if you need a charging stand for your Apple Watch, iPhone, and AirPods, you should give this one a look.
A press release from Apple just dropped where Apple is announcing that they have teamed up with Google to lead an “industry specification to address unwanted tracking.”:
Today Apple and Google jointly submitted a proposed industry specification to help combat the misuse of Bluetooth location-tracking devices for unwanted tracking. The first-of-its-kind specification will allow Bluetooth location-tracking devices to be compatible with unauthorized tracking detection and alerts across iOS and Android platforms. Samsung, Tile, Chipolo, eufy Security, and Pebblebee have expressed support for the draft specification, which offers best practices and instructions for manufacturers, should they choose to build these capabilities into their products.
This is overdue to be frank as this has been an issue for a long time, and there needed to be a cross platform effort to make sure that Bluetooth trackers aren’t used for nefarious purposes. Apple and Google will release a production implementation of the specification for unwanted tracking alerts by the end of 2023. The technology will then be supported in future versions of iOS and Android. And I for one look forward to that day as we will be a little bit safer as a result.
UPDATE Roy Akerman, Co-Founder & CEO, Rezonate adds this comment:
“Collaboration between all leading providers can truly make a difference and reduce the risk of location tracking. Creating a new protocol is yet another step joining other previously announced privacy actions, such as those of the Chromium browser and cookie tracking. This reduces the chances of individual tracking for one of the most common protocols used in almost any device. Instead of suggesting limiting usage and then passing responsibility back to the user, Apple, Google, and several other manufacturers are assuming responsibility and embedding additional security controls directly into the device.”
Abnormal Security has announced the results of a new ESG Survey: The Freedom to Communicate and Collaborate, revealing that more than two-thirds of IT and security leaders are concerned that attackers are leveraging communication and collaboration channels beyond email to evade security controls.
According to the results, 47% of organizations are currently using 6-10 communication and collaboration tools at once, with video conferencing ranking as the most used tool (80%), followed by email (77%) and messaging (71%).
More than a quarter (27%) consider strengthening security controls across multiple communication and collaboration channels their top priority relative to other security threat vectors, with another 54% classifying it as a top three priority.
BullWall, a global leader in ransomware containment, announced today its expansion into North America following strong success in Europe for its patented ransomware “kill switch,” Ransom Care.
Ransom Care is field proven to block ransomware from data sources in seconds and disable “patient zero” ransomware carriers. (More details are in today’s two releases, linked at bottom.)
BullWall’s last line of defense against ransomware is now used in many European healthcare, education, government and critical infrastructure enterprises. It continuously monitors file shares, application servers and database servers in the cloud and in the data center, preventing server data encryption within seconds and thwarting attempts to encrypt and/or exfiltrate data.
North American Sales 100% via Channels – New Channel Partner Program Launched:
It will be sold 100% via channel partners in the North American market, as it has been throughout Europe. BullWall integrators report that Ransom Care blocks ransomware attacks in under 10 seconds. The BullWall Channel Program introduced today includes:
Education and support that equip its partners to share BullWall’s unmatched ransomware kill switch capabilities with customers;
Free customer assessments for environments with 250 Active Directory users or more, as well as support for smaller customer environments;
On-site pre-sale support from BullWall’s sales engineers, including demos and ransomware assessments or pentests;
Superb post-sales customer service and support; and
Industry-leading revenue sharing.
BullWall has also announced a pair of North America executive appointments:
Carol Volk (linkedin.com/in/carolvolk) has been appointed Chief Marketing Officer and brings a proven track record of success in developing and executing strategic marketing initiatives for leading technology companies.
Steve Hahn (linkedin.com/in/stephenmhahn) has been appointed Executive Vice President of America Sales. He is an accomplished security sales leader with a background spanning start-ups, Fortune 100, PE owned and publicly held companies. He has a 15+ year record of leading teams past quota targets and EBITDA expectations.
In another sign that Twitter is continuing its death spiral, there are reports that just before the Met Gala, Twitter users were being logged out of Twitter without warning:
Twitter appeared to suffer another glitch on Monday, as desktop users reported being repeatedly logged out of the platform.
Downdetector, which lets users self-report issues, peaked at 4,143 reports just after 4 p.m. ET – a couple of hours before celebrities arrived on the red carpet for the Met Gala. The number of problem reports didn’t return to normal until just after midnight.
“It seems less than ideal that Twitter is logging people out who use the service on desktop during the Met Gala, a traditionally high-traffic event for the platform,” New York Times technology reporter Ryan Mac tweeted.
Ryan Mac later put this out:
Mac later reported that the outage was caused by “a bad front-end deployment,” meaning Twitter staff tried to release a visual change to the platform’s interface but its release caused unintended problems.
“[Elon] Musk sent an internal email earlier noting that though development is going fast ‘system reliability should always be paramount,'” he added.
Maybe Elon needs more developers? Like the ones that he mass fired? As that might have mitigated the fact that his minions broke the site because he likely ordered something to be rushed into production. Or perhaps he needs more resiliency seeing as he cut back on that last Christmas? I’m just spitballing here because it’s likely not coincidental that Twitter decides to take a dirt nap every time there’s a high traffic event. It’s clear that Twitter has lots of issues that Elon can’t fix. Which means that the clock that is headed to Twitter’s eventual demise is still headed towards zero.
LOBSHOT’s hVNC Malware Allows Total Access To Windows Devices
Posted in Commentary with tags Elastic Security on May 2, 2023 by itnerd
In a new report by Elastic Security Labs, researchers revealed that a new remote access trojan named LOBSHOT is being distributed through Google Ads, allowing threat actors to stealthily take over infected Windows devices using hVNC (hidden VNC).
Fake ads promoting the legitimate AnyDesk remote management software lead victims to a site that pushes a malicious MSI file, which in turn downloads the LOBSHOT DLL.
If Microsoft Defender is not detected, the malware will start automatically when the user logs into Windows, transmit system information including the list of running processes, and check for cryptocurrency wallet browser extensions.
LOBSHOT then deploys an hVNC module that gives the threat actors access to a hidden desktop as if they were sitting in front of the device. At this point the threat actors have complete control over the device, allowing them to execute commands, steal data, deploy further malware payloads, and spread laterally to other devices.
Dave Ratner, CEO, HYAS had this comment:
“Remote access trojans and other nefarious attacks delivered via Google Ads are becoming more common. While difficult to spot and detect initially, having the visibility into outbound, anomalous communication via Protective DNS solutions can prove critical to identifying these types of attacks and stopping them before they steal data, deploy further malware payloads, and spread laterally through the organization.”
Roy Akerman, Co-Founder & CEO, Rezonate follows up with this comment:
“Ads as a delivery mechanism and LOBSHOT as the exploiting malware is a pattern we’ve seen many times due to its success rates. Most often, users reduce their guard once they see a sponsored ad in Google or any familiar social platform, assuming thorough checks have been made by the company to assure authenticity and security. However, time and time again, we see this technique used. Early this year we saw ransomware groups, specifically the threat actor tracked as DEV-0569 and others, use Google Ads for distribution. The ads vary from AnyDesk to Zip software, FileZilla, WinRAR, and other very common and free-to-use tools.
“This hVNC module used for exploiting and gaining access is similar to ransomware techniques and the RDP protocols that are most often available and unrestricted. Specific, known-to-be-vulnerable applications should be either restricted or closely monitored, in addition to having the ability to identify abnormal malicious attempts to exploit every endpoint, such as the push of an MSI file or an in-memory DLL.”
Reading this report by Elastic Security Labs illustrates the need for enhanced detection and prevention of these payloads so that they never reach their intended targets. Otherwise, based on the report, this malware is going to be a serious problem for many organizations.
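The delivery chain described in this post (MSI from a browser download, a dropped DLL, autostart at logon, outbound hVNC traffic) and Akerman's point about spotting an MSI push or an in-memory DLL on every endpoint can be turned into a simple correlation rule. The code below is an added illustration, not Elastic's or HYAS's tooling: the event schema is a constructed, simplified Sysmon-like format, and modelling "starts automatically at logon" as a Run-key write is an assumption, since the post does not name the persistence mechanism.

```python
from collections import defaultdict

# Directories a standard user can write to; a DLL dropped here by an installer
# is suspicious, a DLL under Program Files is not.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Assumption: logon persistence is modelled as a Run-key write. The post only
# says the malware "starts automatically when logging into Windows".
RUN_KEY = "\\currentversion\\run\\"


def _user_writable(path):
    p = path.lower()
    return any(tok in p for tok in USER_WRITABLE)


def correlate(events):
    """Return {host: {"stages": [...], "dlls": [...]}} for hosts matching >= 2 stages."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        stages, msi_pids, dll_pids, dlls = set(), set(), set(), set()
        for ev in evs:  # events are assumed to be in chronological order
            kind, pid = ev["type"], ev.get("pid")
            image = ev.get("image", "").lower()
            if kind == "process_create" and image.endswith("msiexec.exe") \
                    and "\\downloads\\" in ev.get("cmdline", "").lower():
                msi_pids.add(pid)                     # stage 1: MSI run from Downloads
                stages.add("msi_from_download")
            elif kind == "process_create" and ev.get("ppid") in msi_pids:
                msi_pids.add(pid)                     # follow the installer's children
            elif kind == "file_write" and pid in msi_pids \
                    and ev["path"].lower().endswith(".dll") and _user_writable(ev["path"]):
                dlls.add(ev["path"].lower())          # stage 2: DLL dropped by the installer
                stages.add("dll_dropped_user_writable")
            elif kind == "registry_set" and RUN_KEY in ev["key"].lower() \
                    and any(d in ev["value"].lower() for d in dlls):
                stages.add("logon_persistence_to_dll")  # stage 3: autostart points at it
            elif kind == "image_load" and ev["module"].lower() in dlls:
                dll_pids.add(pid)                     # a host process now runs the DLL
            elif kind == "network_connect" and pid in dll_pids:
                stages.add("outbound_from_dropped_dll")  # stage 4: hVNC / C2 traffic
        if len(stages) >= 2:
            findings[host] = {"stages": sorted(stages), "dlls": sorted(dlls)}
    return findings


# Constructed sample telemetry: WS-01 follows the chain above, WS-02 is a benign
# vendor installer (DLL under Program Files, no logon persistence, no outbound).
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process_create", "pid": 100, "ppid": 10,
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec /i C:\\Users\\alice\\Downloads\\AnyDesk.msi"},
    {"host": "WS-01", "type": "file_write", "pid": 100,
     "path": "C:\\Users\\alice\\AppData\\Roaming\\update.dll"},
    {"host": "WS-01", "type": "registry_set", "pid": 100,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update",
     "value": "rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\update.dll,Start"},
    {"host": "WS-01", "type": "image_load", "pid": 200,
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "module": "C:\\Users\\alice\\AppData\\Roaming\\update.dll"},
    {"host": "WS-01", "type": "network_connect", "pid": 200, "dst": "198.51.100.7:443"},
    {"host": "WS-02", "type": "process_create", "pid": 300, "ppid": 11,
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec /i C:\\Users\\bob\\Downloads\\vendor-tool.msi"},
    {"host": "WS-02", "type": "file_write", "pid": 300,
     "path": "C:\\Program Files\\VendorTool\\vendor.dll"},
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding["stages"], finding["dlls"])
```

The two-stage threshold keeps a lone MSI install from Downloads (common and usually legitimate) from alerting on its own, while the full four-stage match on WS-01 is the chain the post describes.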