Archive for May 9, 2023

TELUS Awarded ‘Running On ODA’ Status By TM Forum

Posted in Commentary with tags on May 9, 2023 by itnerd

TM Forum today announced that Canadian communications technology company, TELUS, has become the first North American Communications Service Provider (CSP) to secure ‘Running on ODA’ status. Joining Axiata, Jio and Vodafone Group, TELUS is the fourth CSP to gain this recognition, meaning network architectures following TM Forum’s Open Digital Architecture (ODA) principles now support millions of customers worldwide.

ODA provides a blueprint to help CSPs transform into agile digital organizations, rapidly bringing new products to market at significantly reduced cost, while improving customer experience.

The ‘Running on ODA’ award recognizes advancements in TELUS’ IT architecture and delivery capabilities, using cloud-native, vendor-agnostic solutions integrated by TM Forum’s industry standard Open APIs. ODA enables TELUS to deliver products and services built from reusable components to over 9 million customers.

ODA has enabled TELUS to continue delivering innovative technology solutions and revolutionize its go-to-market strategy. For example, it recently launched a new offering across all six of its go-to-market channels simultaneously at a third of the usual cost and reducing time-to-market by one third. Prior to ODA-aligned architecture, this would have involved creating two versions of a product for wireless and wireline systems and launching it sequentially over various channels.

TELUS is the latest CSP to have been awarded ‘Running on ODA’ status, with another four organizations under assessment and three further organizations eligible.

Time To Patch All Your Microsoft Gear Because The May Patch Tuesday Updates Are Out

Posted in Commentary with tags on May 9, 2023 by itnerd

Like the title says, today is Patch Tuesday and Bleeping Computer is reporting that May’s dump of patches is something that you should pay attention to:

Today is Microsoft’s May 2023 Patch Tuesday, and security updates fix three zero-day vulnerabilities and a total of 38 flaws.

Six vulnerabilities are classified as ‘Critical’ as they allow remote code execution, the most severe type of vulnerability.

Lovely. For commentary as to the patches that you need to pay attention to, here’s Yoav Iellin, Senior Researcher, Silverfort:

 “While CVE-2023-29325 – Windows OLE Remote Code Execution vulnerability might sound fairly innocuous, we strongly recommend taking note of it due to the ease with which users could fall victim to any exploitation attempts.

With this vulnerability, the simple act of glancing at a carefully crafted malicious email in Outlook’s preview pane is enough to enable remote code execution and potentially compromise the recipient’s computer.

At this stage, we believe Outlook users will be the main attack vector, although it has the potential to be used in other Office programs as well. We recommend ensuring clients' Windows machines and Office software are fully up to date and considering following the workaround given by Microsoft while deploying the patch.

In this month’s Patch Tuesday, we’re seeing multiple vulnerabilities affecting SharePoint. CVE-2023-24950, CVE-2023-24955 and CVE-2023-24954 have caught our attention for their potential to lead to privilege escalation and remote code execution.

The first two vulnerabilities require user privileges to create a SharePoint site. Once a threat actor has obtained the credentials of a user with these privileges, they could steal the NTLM hash of the SharePoint domain user and escalate their privileges. From this stage and using the three vulnerabilities together, a threat actor could potentially achieve the SharePoint server credentials.

These vulnerabilities are all listed as “exploitation more likely”, meaning they could be good targets for threat actors looking for innovative ways to achieve lateral movement and RCE. The best mitigation for this group of vulnerabilities is the official patch issued by Microsoft.

Another vulnerability that we’ve taken note of is CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability. With a high CVSS score of 9.8, it could be used to attack and run malicious code on a Windows file server that has NFS (Network File System) version 4.1 support enabled.

The NFS protocol is more common in Linux and Unix environments than in Windows, where the SMB protocol is more common. Even so, organizations using Windows Server as their NFS server should consider applying Microsoft’s fix promptly. This vulnerability does not appear to impact earlier versions, so a quick mitigation could be to disable v4.1 support, especially if apps are only using older versions of NFS. However, please consider vulnerabilities that exist in older versions.”

So if you’re responsible for making sure your Microsoft infrastructure is fully patched, you should be preparing to patch all the things, as this month Microsoft has addressed a large number of critical vulnerabilities, three of them zero-days that are already being exploited.

See you next month.

A Google Email Based Extortion Phishing #Scam Is Making The Rounds…. Let’s Dive In

Posted in Commentary on May 9, 2023 by itnerd

Here’s a new one for me. Google is being used to perpetrate an extortion phishing scam. Let me walk you through it. It starts with this email that you get in your inbox:

So I will give the threat actor credit for coming up with an email that looks convincing. But there’s one way to tell that this is not sent by Google. And that’s to check the email address that it was sent from:

By some strange coincidence, it’s the same email address that is referenced in the body of the email. That shouldn’t be the case, as a genuine notice would come from Google via a domain like @google.com or @googlemail.com. So upon seeing that, most people should immediately hit the delete button on this email. I’m not most people, which means we’re going down the rabbit hole on this one. Upon clicking on the words “Disconnect email”, which for the record you should never ever do, I got this:

This is your classic extortion phishing scam. The whole point of the scam is to convince you that your PC has been hacked by some “God Tier” hacker and they’ve caught you “pleasuring yourself.” And to keep the video that he took of you supposedly doing this from getting out, you have to pay them. Usually I have seen the extortion part of this simply delivered by email. But I am guessing that because more and more spam filters on email servers are catching those emails, the threat actors have now resorted to this method to get directly to the user. I’ll admit that it’s crafty. And checking the Bitcoin wallet associated with this scam shows that seven people have fallen for the scam:

Here are the facts behind extortion phishing scams. There’s no way for the scammer to tie a payment back to you, as Bitcoin is pseudonymous by design and carries no identity of the sender. Which means that they have no way to delete the data that they allegedly collected if you pay them. Which by extension means that they’re lying about having data on you. On top of that, a trojan capable of doing the sort of things they describe takes a level of skill that would not be wasted on a low-rent scam like this. Tooling like that is more likely to be used by nation states wanting to spy on people; think the sort of stuff that the notorious NSO Group does on the iOS side of the fence. All of that should make hitting the delete button on any email that you get that has this type of scam very easy to do. It also makes closing the browser window that has anything like the image above easy to do.

I will also make this observation. The website that hosts this page is in China. Does that make the threat actor Chinese? Who knows? They may actually be Chinese, or they could be from someplace else and are using a Chinese host to cover their tracks. At the end of the day it doesn’t matter. But it’s worth noting.

Having said all of that, if you’re concerned about this scam actually being real, and if you’re the least bit concerned about whether your system is compromised, consult a computer professional and have them check things over. They likely won’t find anything wrong. But if it gives you peace of mind, it’s worth it.
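The sender-address check described earlier in this post, written out as a small script. This is an added example, not code from the original post: the list of Google sender domains is an assumption, and both sample messages are constructed for the example rather than copied from the real scam mail. It flags two things: a mail that talks about a brand but was not sent from that brand’s domain, and a mail whose From address is also the contact address named in the body.

```python
"""Sender-domain check for a mail that claims to come from a brand.

Added example for the tell described in this post; not code from the original
post. The allowed Google sender domains are an assumption, and both sample
messages are constructed for this example (they are not the real scam mail).
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Where a genuine Google account notice is assumed to come from (incl. subdomains).
GOOGLE_SENDER_DOMAINS = ("google.com", "googlemail.com")

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def from_address(msg):
    """Bare address from the From: header, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.lower()


def domain_belongs_to(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def body_text(msg):
    """Plain-text body (first text/plain part), or '' if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def check_message(raw, claimed_brand="Google", allowed=GOOGLE_SENDER_DOMAINS):
    """Return a list of findings for one raw RFC 822 message; [] means clean."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = from_address(msg)
    domain = sender.rpartition("@")[2]
    text = body_text(msg)
    headers = str(msg.get("From", "")) + " " + str(msg.get("Subject", ""))

    # 1. The mail talks about the brand but was not sent from the brand's domain.
    if claimed_brand.lower() in (headers + " " + text).lower() \
            and not domain_belongs_to(domain, allowed):
        findings.append(f"claims to be {claimed_brand} but was sent from '{domain}'")

    # 2. The sender's own address is the contact address named in the body,
    #    which a real brand notification would not do.
    body_addresses = {a.lower() for a in ADDRESS_RE.findall(text)}
    if sender and sender in body_addresses:
        findings.append(f"sender address {sender} is also named in the body")
    return findings


# Constructed samples, shaped like the mail described above (not real messages).
SAMPLE_SCAM = """\
From: "Google" <notice@example.net>
To: victim@example.org
Subject: Unusual sign-in activity on your account
Content-Type: text/plain; charset=utf-8

We detected a sign-in from a new device. If this was not you, reply to
notice@example.net or choose Disconnect email below.
"""

SAMPLE_GENUINE = """\
From: Google <no-reply@accounts.google.com>
To: victim@example.org
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A new sign-in on your Google Account was detected.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_SCAM), ("genuine", SAMPLE_GENUINE)):
        print(name, check_message(raw) or ["no findings"])
```

The subdomain match matters: real Google notices come from hosts such as accounts.google.com, so an exact-domain comparison would flag the genuine mail too. Run it against a saved .eml (read the file and pass its text to `check_message`) to apply the same two checks to a mail in your own inbox.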

MTRIX Selects Veridium For Their Passwordless Authentication Needs

Posted in Commentary with tags on May 9, 2023 by itnerd

Veridium, a leading developer of frictionless, passwordless authentication solutions, today announced that MTRIX has selected it as a solution of choice for trusted digital identities and passwordless authentication, giving organizations a uniform, simple, passwordless authentication experience across platforms and environments.

MTRIX (MTRIX GmbH in Germany and MTRIX America Inc. in the US) is recognized globally as one of the leading experts in authentication solutions. From small businesses to large enterprises, MTRIX is the one-stop shop for all things authentication. MTRIX serves organizations such as BMW, VGH, Heckler & Koch, Pfisterer and BFS health finance.

In today’s world, security, compliance, and user satisfaction all depend on strong, frictionless, passwordless authentication that works across platforms and ecosystems and is massively scalable. Companies spend billions of dollars on anti-phishing solutions and user training in an attempt to overcome human nature. Veridium eliminates the root cause of these problems: the password.

Veridium delivers uniform authentication across

  • All devices: smartphone, tablet, desktop, VDI
  • All stakeholders: employees, customers, contractors
  • All applications and systems: VPN, workspaces, mobile, web and custom applications.

Veridium customers receive state of the art protection against phishing and password theft, eliminating password spraying, password reuse and replay, brute force attacks, and other threats.

Veridium has emerged as the preferred solution for top integrators and their customers for:

  • Broad and frictionless MFA adoption: Security administrators want to enhance security while ensuring a smooth user experience. Veridium provides a solution that balances both, making MFA adoption seamless. With Veridium, even the initial registration process for new users is streamlined, eliminating the need for physical presence with an administrator.
  • Security without complexity: Veridium simplifies MFA deployment and maintenance, freeing up administrators to focus on other important tasks in the organization.
  • Control costs: Acquiring and operating smartcards, security tokens, and security keys can be expensive, even for organizations with ample budgets. Lost or broken smartcards also add to these costs. Veridium offers a cost-effective and secure solution to manage these expenses.

Industry-First Integration From Fortra Allows Organizations To Supercharge Their Automation Footprint

Posted in Commentary with tags on May 9, 2023 by itnerd

Fortra announced today a compelling connection between JAMS, its top-rated workload automation and job scheduling solution and Automate, its robotic process automation solution. This first-of-its-kind integration allows organizations to supercharge their automation footprint by incorporating Automate’s low code approach to building automation with the powerful orchestration capabilities of JAMS.

The integration also comes as more organizations turn to hyperautomation, the concept of automating as many processes as possible using a mix of tools and technology to further transform operations.

The new Automate Execution Method simplifies job creation, leading to improved process efficiency, increased productivity, and faster turnaround times for tasks such as report generation, data entry, and employee onboarding. Through Automate’s no-code, drag-and-drop development, users can leverage predefined native actions to common applications, connect to API endpoints, and use a built-in step recorder to capture user actions on a website or desktop application. 

Automate can also be used to create complex automation workflows using steps, logic, and more. Users can then schedule, manage, and run their RPA workflows directly from JAMS.

“We’re excited to help our customers bridge a critical gap in automation while giving them more visibility and control over the automation running in their environment,” said Laun. “Bringing workload automation and robotic process automation together further amplifies their efforts with the convenience of a single vendor.”

For more information, visit jamsscheduler.com.

HYAS Protective DNS Substantially Outperforms All Other Services Tested Via An Independent Test

Posted in Commentary with tags on May 9, 2023 by itnerd

HYAS Infosec, leaders in utilizing advanced adversary infrastructure intelligence, detection, and prevention to preemptively neutralize cyberattacks, today announced that globally recognized independent research institute AV-TEST GmbH has independently tested and confirmed that HYAS Protect provides the highest level of cyber security protection achieved to date by a Protective DNS solution.

Specifically, AV-TEST found that HYAS Protect blocked over 87 percent of portable executable (PE) malware, over 84 percent of non-PE threats (e.g. links pointing to other forms of malicious files), and over 80 percent of phishing URLs, all with low false positive rates averaging 2 percent. Compared to the other Protective DNS solutions tested by AV-TEST, HYAS Protect achieved the highest efficacy ratings of any provider tested to date, and the results indicate it affords substantially greater protection.

AV-TEST has long been viewed as the industry’s go-to leader in rigorous third-party testing and evaluation. The complete report is available online at AV-TEST.

CISA endorses Protective DNS, which it recommends in its Shields Up initiative. Protective DNS is also a recommended element of modern secure access service edge (SASE) architectures, and is increasingly factored into cyber security insurance policy decisions.

Regardless of how a bad actor breaks into an organization, the first step in progressing the attack is communication with adversary infrastructure, commonly referred to as command-and-control (C2), to receive instructions. Protective DNS solutions see this communication, identify it as malicious, and stop the attack by blocking the communication and rendering the attack inert, whether it originated as a supply-chain, phishing, insider-risk, or other compromise. Even advanced malware-less attacks still need to beacon out for instructions. At this year’s RSA Conference, CrowdStrike CEO George Kurtz and President Michael Sentonas reported that they have been dealing with an average of one malware-less incident a week over the last couple of quarters, reaffirming data reported earlier this year that 71 percent of cyberattacks were carried out without malware.

Regardless of how a bad actor breaks in or the attack type used, their anomalous communication can be seen by Protective DNS solutions and the attack can then be shut down. The higher the efficacy of a Protective DNS solution, the sooner the infection/identification cycle ends with remediation. CISA’s recommendation reflects the importance of Protective DNS to business resiliency.

HYAS Protect accurately detects and thwarts attacks, with extremely low false positives, through an advanced and patented process.

  1. Data Collection and Context: HYAS collects data continuously and without human involvement from authoritative sources around the world. It combines a set of exclusive, private, commercial and open source data into a graph database with a set of proprietary algorithms to build connections between the nodes in the graph.
  2. Observation Derived Foresight: Through these connections within the graph database, HYAS drives correlations between what has happened, what is happening now, and what will happen to maintain a real-time view of adversary infrastructure on the Internet. In this way, HYAS can actually observe infrastructure as it is built up and know what is and isn’t adversary infrastructure often weeks or months before it is weaponized.
  3. Advanced, Automated Analysis: Through HYAS’ combination of unique data organized into a graph database, and a deep understanding of how the internet functions, HYAS achieves previously unrealized Protective DNS service efficacy results with incredibly low false positive rates.

HYAS Protect is available for commercial use, is easy to deploy and manage, and is pre-integrated with other common components of the cyber security stack including EDR/XDR, SIEM/SOAR, and firewalls. In addition, HYAS Protect is also made available to cybersecurity’s first responders and IT personnel for their home personal use via the completely free HYAS Protect At Home solution which I am testing right now and I will have a review up shortly.

Elon Musk Is Going To Purge Unused Twitter Accounts So That The Handles Can Be Reused…. This Is A Dumb Idea

Posted in Commentary on May 9, 2023 by itnerd

Elon Musk put this out yesterday. Which is that he’s going to purge accounts that have had zero activity for several years:

As is typical for an Elon Musk Tweet, there’s no detail behind it. Because he likely doesn’t have all the details himself. But this is a really dumb idea for the reason that tech entrepreneur John Carmack noted:

And that doesn’t take into account dead people. I know a widow who looks at her late husband’s Twitter account on an almost daily basis because scrolling through his Tweets gives her a bit of comfort. I don’t even want to bring this up to her as her reaction is just going to be all sorts of bad. Here’s Elon’s answer to that:

Again, there’s zero detail here. But Elon isn’t a detail sort of guy so that’s not a shock. But truly, this is yet another dumb idea from Elon. And I suspect he’s doing this to force more interaction on the platform in general. Or by moving the goalposts at some point so that if you don’t Tweet at a level that he likes, you get zapped. Which would force not only people, but brands who advertise to use the platform more. Maybe I am looking at this wrong. But it sounds like something that he would do. I guess we’ll find out soon enough.

Here’s Another New Ransomware Group… This One Is Called Cactus

Posted in Commentary on May 9, 2023 by itnerd

Kroll researchers detail the discovery of a new, unique ransomware operation known as Cactus that has been targeting high-profile commercial entities by exploiting Fortinet VPN vulnerabilities.

In analysis shared with Bleeping Computer, Kroll researchers described how the attackers used a batch script to obtain the encryptor binary using 7-Zip. The original ZIP archive is then removed and the binary is run with a specific flag that is required for it to execute, which helps it evade detection.

Kroll describes the following sequence of steps in Cactus ransomware attacks after the initial VPN vulnerability exploitation:

  • Establishes C2 over SSH
  • Scans the network and generates a target list for encryption
  • Installs remote access software for persistent access
  • Pushes files to remote machines with RMM software
  • Extracts credentials from browsers and LSASS
  • Installs Cobalt Strike and Chisel for C2
  • Disables and uninstalls antivirus software
  • Adds administrator accounts
  • Exfiltrates data via Rclone
  • Uses TotalExec.ps1 to push and execute the ransomware

Currently, there appears to be no leak site and information has not been made public about the ransoms the Cactus group has demanded.

I have three comments on this. The first is from Steve Hahn, Executive VP, BullWall:

   “This is yet another way for ransomware to completely evade the endpoint security tools such as antivirus and EDR and highlights just how easy it is for the threat actors to kick off a ransomware attack despite the most sophisticated detection tools on the planet. Every year ransomware completely takes down thousands of enterprises. In each such event the impacted companies invested heavily in prevention tools and were given guarantees such as “completely effective against ransomware”.

   Every ransomware event found a way to disable or evade those tools. Even the White House admits that worsening ransomware attacks are outpacing our ability to stop them. It’s simply a matter of time before any business is hit, loses their infrastructure for weeks and critical data permanently. We can’t continue to rely on prevention, which requires you being 100% effective 100% of the time. We must also implement ransomware containment tools to quickly neutralize the attack and air-gapped backup strategies to get systems restarted with the least amount of disruption. Like severe weather, you can prepare for it, but you can’t stop it.”


The next comment is from Dave Ratner, CEO, HYAS:

   “Visibility into anomalous outbound connections, indicative of communication to command-and-control, continues to grow in priority as a necessity for modern cyber protection.  As attackers find new and innovative ways to infiltrate organizations, the ability to identify the command-and-control communication and stop it before data exfiltration and encryption may be the difference between business resiliency and a significant interruption of business operations.”


The final comment is from Roy Akerman, Co-Founder & CEO, Rezonate:

   “Ransomware groups continue to find stealthy techniques to bypass defenses and be able to remotely control systems. SSH backdoors, as in the case of Cactus, and other remote access techniques such as webshells provide the same control and are able to disguise themselves as benign, lightweight traffic. SSH traffic, internal recon, use of LSASS and Cobalt Strike, and tampering with security control configuration are all steps that security operations teams can better secure today. Smart security teams must take action to prevent suspicious activity on the endpoint, improve data hygiene and recovery capabilities, and limit the spread of an attack with least privilege access across their identity controls.”

It’s not even 9AM and already I am writing about a pair of new ransomware operations. That’s not good because it illustrates how profitable ransomware is for gangs like these. The fact that this particular ransomware has a novel way to evade detection is concerning as it also illustrates the need for defenders to come up with ways to stay at worst in lockstep with these ransomware gangs.

Meet Akira, The Latest Ransomware Gang On The Block

Posted in Commentary with tags on May 9, 2023 by itnerd

A new ransomware gang named Akira has been observed by MalwareHunterTeam since March targeting at least 16 corporate networks worldwide in various industries including education, finance, real estate, manufacturing, and consulting.

Akira uses the Windows Restart Manager API to close processes or shut down Windows services that may be preventing encryption by keeping a file open, allowing for more impactful file encryption.

Once executed, Akira will delete Windows Shadow Volume Copies, skip files found in the Recycle Bin, System Volume Information, Boot and ProgramData folders as well as files with .exe, .lnk, .dll, .msi, and .sys extensions, append ‘.akira’ to the names of the files it encrypts, and drop a ransom note in each folder with links to the data leak and negotiation sites.

Unlike others, the negotiation site simply includes a chat system. Demands range from $200,000 to millions of dollars, but the gang is also willing to lower ransoms for those who do not require a decryptor, and just want to prevent the leaking of stolen data.

A sample of the Akira ransomware was discovered by the MalwareHunterTeam, who shared it with BleepingComputer for analysis.

Roy Akerman, Co-Founder & CEO, Rezonate had this comment:

   “The use of the Windows Restart Manager API is a common tool groups like REvil, SamSam and LockerGaga have been using for quite some time. Conversations about paying the ransom must stop as this only contributes to more ransomware and new malicious research to improve techniques, not to mention the impact on business data and business operation. Organizations must prioritize solutions that prevent known exploitation of services, allow data recovery that is not solely dependent on shadow copies and limit malware spread with strict least privilege identity and access practices.”

Clearly this adds yet another group of bad actors to the list of things that defenders have to worry about. Which makes sense, as ransomware is a very profitable activity at the moment. Hopefully any and all tools that stop these bad actors from getting a big payday are being employed by defenders so that ransomware becomes less profitable going forward.
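Both the Cactus and the Akira posts above list behaviours a defender can hunt for on the endpoint: shadow copy deletion, new administrator accounts, antivirus being disabled or uninstalled, Rclone exfiltration and Chisel tunnelling. The script below, an added example rather than code from this page, from Kroll or from MalwareHunterTeam, runs a small rule set over process-creation records and escalates a host once more than one of those behaviours has been seen on it. The record format and the sample lines are constructed for the example, and the command-line patterns are assumptions about how these steps commonly appear on a Windows host; neither post gives the exact commands the gangs used.

```python
"""Match process-creation records against the ransomware behaviours described
in the Cactus and Akira posts above: shadow copy deletion, adding local admin
accounts, disabling antivirus, Rclone exfiltration and Chisel tunnelling.

Added example; this is not code from the original page, from Kroll or from
MalwareHunterTeam. The log format and the sample lines are constructed for
this example, and the command-line patterns are assumptions about how these
steps commonly appear on a Windows host (neither post gives the exact commands).
"""
import re
from collections import defaultdict

# (label, pattern); all matches are case-insensitive against the command line.
RULES = [
    # Akira: Shadow Volume Copy deletion (ATT&CK T1490, Inhibit System Recovery)
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\bdelete\b"
        r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    # Cactus: adding administrator accounts (T1136.001, Create Local Account)
    ("local_admin_added", re.compile(
        r"net1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add"
        r"|net1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    # Cactus: disabling / uninstalling antivirus (T1562.001, Impair Defenses)
    ("av_tampering", re.compile(
        r"set-mppreference\s+.*-disable\w*"
        r"|wmic(\.exe)?\s+product\s+where\s+.*call\s+uninstall", re.I)),
    # Cactus: exfiltration via Rclone (T1567.002, Exfiltration to Cloud Storage)
    ("rclone_exfiltration", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    # Cactus: Chisel used for C2 tunnelling (T1572, Protocol Tunneling)
    ("chisel_tunnel", re.compile(r"\bchisel(\.exe)?\s+client\b", re.I)),
]

# Distinct behaviours seen on one host before it is flagged as ransomware staging.
ESCALATE_AT = 2


def parse_line(line):
    """Constructed record format: timestamp|host|user|parent_image|command_line.
    Returns None for a blank or malformed line."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        return None
    ts, host, user, parent, cmd = fields
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def match_rules(record):
    """Labels of every rule whose pattern matches the record's command line."""
    return [label for label, pat in RULES if pat.search(record["cmd"])]


def analyse(lines):
    """Return (alerts, escalated_hosts).

    alerts: (timestamp, host, label, command_line) for every matching record.
    escalated_hosts: hosts on which at least ESCALATE_AT distinct behaviours
    were seen; one hit can be routine admin work, several together rarely are.
    """
    alerts = []
    behaviours = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label in match_rules(rec):
            alerts.append((rec["ts"], rec["host"], label, rec["cmd"]))
            behaviours[rec["host"]].add(label)
    escalated = sorted(h for h, seen in behaviours.items() if len(seen) >= ESCALATE_AT)
    return alerts, escalated


# Constructed sample: one file server being staged for encryption, one
# workstation doing ordinary admin work. Not real telemetry.
SAMPLE_LOG = """\
2023-05-09T08:01:12Z|FS01|CORP\\svc_backup|cmd.exe|vssadmin list shadows
2023-05-09T08:03:40Z|WS17|CORP\\jdoe|cmd.exe|net user jdoe
2023-05-09T08:10:05Z|FS01|CORP\\svc_backup|cmd.exe|vssadmin.exe delete shadows /all /quiet
2023-05-09T08:11:30Z|FS01|CORP\\svc_backup|cmd.exe|net user sysadm Str0ngPass! /add
2023-05-09T08:11:31Z|FS01|CORP\\svc_backup|cmd.exe|net localgroup administrators sysadm /add
2023-05-09T08:14:02Z|FS01|CORP\\svc_backup|powershell.exe|Set-MpPreference -DisableRealtimeMonitoring $true
2023-05-09T08:25:19Z|FS01|CORP\\svc_backup|cmd.exe|rclone.exe copy D:\\Shares remote:staging --transfers 8
"""

if __name__ == "__main__":
    alerts, hosts = analyse(SAMPLE_LOG.splitlines())
    for ts, host, label, cmd in alerts:
        print(f"{ts} {host} {label}: {cmd}")
    print("escalate:", hosts or "none")
```

The per-host escalation is the part worth keeping when you port this to real telemetry (Sysmon Event ID 1 or EDR process events): a lone `vssadmin delete shadows` from a backup job is noise, but shadow copy deletion followed within minutes by a new local administrator and an Rclone copy on the same server is the staging sequence both posts describe, and that combination is what should page someone.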

Nyriad And Carahsoft Team Up

Posted in Commentary with tags on May 9, 2023 by itnerd

Nyriad, provider of cutting edge GPU storage technology, and Carahsoft Technology Corp., The Trusted Government IT Solutions Provider, today announced a partnership. Under the agreement, Carahsoft will serve as Nyriad’s Master Government Aggregator®, making the company’s UltraIO storage system available to the Public Sector through Carahsoft’s reseller partners, NASA Solutions for Enterprise-Wide Procurement (SEWP) V, Information Technology Enterprise Solutions – Software 2 (ITES-SW2), National Cooperative Purchasing Alliance (NCPA), and OMNIA Partners contracts.

In 2022, the global Government IT spending amounted to over 551 billion U.S. dollars, which is an increase of nine percent compared to 2021, and it is expected to increase even more in 2023 to 589 billion U.S. dollars worldwide. The increase in IT spending is driven by a variety of factors, including the need to modernize outdated systems, improve cybersecurity, and enhance digital services and capabilities for internal and external users. As IT spending in the government sector continues to grow, there is a critical need for modern and efficient storage solutions that can meet the demands of data-intensive applications, protect against cyber threats, and facilitate the digital transformation of government services. The Nyriad UltraIO storage system delivers the ideal solution to address these needs and enable government agencies to improve their operations and services.

The Nyriad UltraIO storage system will enable improved capabilities across several use cases, such as:

  1. High-performance computing (HPC) – Government agencies and academic institutions rely on high-performance computing to perform complex simulations, modeling, and analysis. The UltraIO storage system enables performant, cost efficient storage access, and ingest for large capacity points of HPC results inside of a single array. Additionally, with block-level erasure codes, the storage system provides a high degree of system resiliency, ensuring data integrity and protection against potential data loss.
  2. Backup and recovery – Government agencies and academic institutions must be prepared for unexpected events, such as natural disasters or cyberattacks, that can result in data loss. The UltraIO storage system’s combined GPU + CPU architecture enables parallel read and write capabilities to perform backup and restore operations with exceptional performance.
  3. Active archive – Government agencies and academic institutions archive their data to preserve records for historical, legal, and regulatory purposes. This data may include records of legislative proceedings, court cases, financial transactions, and other important documents. As data sets grow, the value of the analytical insights the data provides has grown as well.  We access the data, looking for trends and insights that can be advantageous for good decision making.  Enhanced data access beyond normal archival capabilities is needed for this.  With its high throughput, fast retrieval, and high data protection capabilities, the UltraIO storage solution is the next architectural step for implementing an active archive.  This is cost efficient storage that allows performant access to warm tier archive data.
  4. Video and imaging – Government agencies and academic institutions produce and store large amounts of media content, such as videos, images, and audio files. Because these agencies use video surveillance systems as a security measure to monitor public areas, protect critical infrastructure, and ensure public safety, a storage system with fast data ingest and playback capabilities or analytics processing is an essential enabler of quick incident response. In fact, the Nyriad UltraIO storage system can ingest video streams from as many as 90,000 cameras simultaneously, while providing highly resilient large-scale storage capacity. The UltraIO storage system’s modern, GPU-accelerated storage also facilitates video production tasks such as 8K resolution or higher video editing without the need to transcode, create proxies, or copy files across the network – enabling agencies to work more efficiently, saving time and money.

Nyriad’s UltraIO storage system is available through Carahsoft’s SEWP V contracts NNG15SC03B and NNG15SC27B, ITES-SW2 Contract W52P1J-20-D-0042, NCPA Contract NCPA01-86, and OMNIA Partners Contract #R191902.