Archive for May 25, 2023

SMBs Targeted By State-Aligned Actors Through Their MSPs: Proofpoint

Posted in Commentary with tags on May 25, 2023 by itnerd

A new study by Proofpoint researchers found that advanced persistent threat (APT) actors are increasingly using vulnerable regional managed service providers (MSPs) as a springboard for attacks on the small and medium-sized businesses (SMBs) they service. Once through the MSP’s defenses, the attackers feed off the less well defended SMBs for financial gain.

The report, published this week, found that state-aligned actors from Russia, Iran and North Korea were increasingly using this supply chain approach to breach SMBs’ defenses.

Proofpoint: “Regional MSPs often protect hundreds of SMBs that are local to their geography and a number of these maintain limited and often non-enterprise grade cyber security defenses. APT actors appear to have noticed this disparity between the levels of defense provided and the potential opportunities to gain access to desirable end-user environments.”

David Mitchell, Chief Technical Officer, HYAS starts off the commentary with this:

   “MSP/MSSPs have been a concern for quite some time, primarily due to the access required into a customer network, along with varying degrees of technical and security expertise on the provider side. Managed services is no longer a high margin business and as such, many MSPs are still utilizing legacy technologies to provide services to their customers, which leaves everyone in that chain exposed.

   “Understanding the security posture of your third-party providers is a difficult, if not impossible undertaking for small and medium businesses. Until there is a more scalable way of continuously auditing your service providers, the risk fully lies with whether the customer chose a capable MSP or not.”

Roy Akerman, Co-Founder & CEO, Rezonate adds this:

   “We’ve seen the increased risk around third-party access and supply chain risk increasing for the past few years. The Kaseya VSA software vulnerability used by many MSPs was a key part of distributing REvil ransomware all the way to SMB organizations managed by MSPs. So was the SolarWinds security breach. “Watching-the-watcher” was and will continue to be a focus for organizations who outsource their work externally while always being able to identify who’s doing what and for what reason. Zero trust principles can help tackle and reduce risk by limiting MSPs to only do what they need to and not take the path of a yet-another-superadmin across your network.”

For many small and midsize companies, having someone else remotely monitor and manage their computer network is perceived as a no-brainer. The managed service provider can improve efficiency, reliability, security, and maintenance — all while lowering costs and freeing up IT staff to work on more strategic projects. But there are risks, and this Proofpoint research illustrates that in black and white.

Apria Healthcare Was Pwned…. But You’re Finding Out About It Two Years After The Fact…. WTF??

Posted in Commentary with tags on May 25, 2023 by itnerd

This week, Apria Healthcare alerted nearly 1.9 million patients and employees that their personal and financial data may have been accessed by hackers who breached the company’s networks between April 5, 2019 and May 7, 2019, and then a second time from August 27, 2021 to October 10, 2021. It’s unclear, however, why Apria has only sent letters about the incident two years later.

Information potentially accessed may have included personal, medical, health insurance or financial information such as bank account and credit card numbers in combination with security codes, access codes, passwords and account PINs. 

According to Apria, the company took immediate action including working with the FBI and hiring a reputable forensic investigation team to investigate. I’ll comment on this in a moment and I will let Willy Leichter, VP, Cyware start off the commentary:

   “This is another example of the fundamental flaws in our breach notification system. Learning that your personal data was breached two years ago is practically useless, and all the free credit reporting in the world won’t help. While we try to mandate how quickly an organization must report a breach, there are no clear standards on how quickly breaches need to be discovered. In fact, there’s a perverse disincentive – the more lackluster your security, the longer you can wait to discover or disclose breaches that can be damaging to your business.”

Roy Akerman, Co-Founder & CEO, Rezonate follows up with this:

   “Unfortunately, we see an example where time to report an incident is not measured in days but in years. Healthcare PII data is considered premium in the dark web forums as one cannot simply alter their information with a new one. It is critical now to complete the investigation and truly understand the chain of attacks that occurred in 2019 and 2021 and validate that there are no additional stealthy adversaries hiding and no backdoors left behind.”

Apria needs to be slapped here. Fines, Congressional hearings, whatever. The thing is that they took way too long to tell the world about this breach. And who knows if they have truly addressed whatever issues led to the breach in the first place. The fact is that Apria failed miserably here and that not only needs to be addressed with this healthcare provider, but by better laws that force immediate disclosure of breaches.

TELUS Gives The Results Of Its Investigation Into A Cyber Incident From Earlier This Year

Posted in Commentary with tags on May 25, 2023 by itnerd

Earlier this year, news came out that TELUS might have been the victim of a cyberattack. Here’s what was said to be out in the wild at the time:

Canada’s second-largest telecom, TELUS is investigating a potential data breach after a threat actor shared samples online of what appears to be employee data. The threat actor subsequently posted screenshots that apparently show private source code repositories and payroll records held by the company.

At the time, TELUS said that they were investigating this. And today we have the results of that investigation:

We have concluded our investigation of this incident and have discovered that no systems used to support our customers were impacted, and that TELUS Health and TELUS Agriculture & Consumer Goods were not impacted in any way. 

We also discovered that a small amount of customer data may have been accessed by an unauthorized third party. While our ongoing monitoring has not discovered evidence of any personal information appearing in any public forum, we will be notifying impacted customers in the coming days.

So this confirms that TELUS was pwned. And I have to wonder what “a small amount of customer data” means. Plus whatever amount of customer data that “may have been accessed by an unauthorized third party” is too much as no amount of customer data should ever get out into the wild. It will be interesting to see how many people get notified by TELUS. And finally, I have to wonder what effect this will have on TELUS as a brand. You can expect me to keep an eye on all of this.

Snake Malware Is Something That You Might Want To Keep An Eye On

Posted in Commentary with tags on May 25, 2023 by itnerd

While there’s always a new malware of the moment, Snake malware, which is associated with Russian hackers affiliated with the FSB, is one that you might want to be concerned about. CISA is so concerned about it that it has put out an advisory on this malware. And when you read the technical description of this malware, it should make you re-evaluate your defences.

Kevin Bocek, VP, Ecosystem and Community at Venafi had this comment on Snake:

“According to more information released about the Snake Ransomware uncovered by the U.S. Department of Justice earlier this month, cybercriminals appear to have fallen into a trap. Namely, they have neglected the basics of machine identity management. The CISA Advisory published a report suggesting that the OpenSSL library the group used for the Diffie-Hellman key exchange had a significant vulnerability. Snake’s key set generated during the exchange used a wholly inadequate prime length of only 128 bits. This made this process completely insecure for asymmetric key systems and vulnerable to today’s machine-to-machine operations, whether for malware or transactions. In addition, when Snake was hastily deployed, users failed to remove certain components, inadvertently exposing function names, plaintext strings, and developer comments.”

“This again shows how difficult it is to properly manage machine identities manually – both for developers and security teams. Even experienced attackers obviously make mistakes. In this case, the malware’s developers did not properly configure one. This allowed the machine identities to be exposed, making the communications no longer private or even open to another attacker and revealing who the operators of Snake were. At best, this could have rendered the entire campaign useless; at worst, the Snake developers could have been attacked by other cybercriminals themselves.”

“The lesson is that machine identity management requires developers, operations and security teams to work closely together. In a world where machines transact, protect and attack, machine identity management is increasingly important.”

Well, it seems that even the bad guys have issues creating malware that doesn’t give away clues about what it’s all about. Defenders should take that as a hint that they should do better when it comes to ensuring that they are as secure as possible.
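The 128-bit prime mentioned in the quote above is exactly the kind of parameter a defender should catch in review. The routine below is an added example, not code from the page, CISA or Venafi: it audits a Diffie-Hellman modulus for size and safe-prime structure against a 2048-bit floor (an assumed policy value, matching the smallest RFC 7919 group), using constructed Mersenne primes as sample inputs.

```python
# Added example (not from the page, CISA, or Venafi): audit a Diffie-Hellman
# modulus the way a defender reviewing key-exchange parameters would, catching
# the kind of 128-bit prime the Snake advisory describes. The 2048-bit floor is
# an assumed policy value (the smallest RFC 7919 group is 2048 bits); the
# Mersenne primes used as sample inputs are constructed test values, not real
# DH groups.
import random

MIN_MODULUS_BITS = 2048  # assumption: policy floor, matches RFC 7919 ffdhe2048


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    # write n - 1 as d * 2^r with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0xC0FFEE)  # fixed seed keeps the audit reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def audit_dh_modulus(p: int, min_bits: int = MIN_MODULUS_BITS) -> dict:
    """Report on a DH modulus: size, primality, and whether it is a safe prime.

    A safe prime (p = 2q + 1 with q prime) rules out small-subgroup problems;
    a modulus below min_bits makes the discrete logarithm tractable."""
    bits = p.bit_length()
    prime = is_probable_prime(p)
    safe = prime and p > 5 and is_probable_prime((p - 1) // 2)
    findings = []
    if not prime:
        findings.append("modulus is not prime")
    if bits < min_bits:
        findings.append(f"modulus is {bits} bits, below the {min_bits}-bit floor")
    if prime and not safe:
        findings.append("modulus is not a safe prime; verify the subgroup order")
    return {"bits": bits, "prime": prime, "safe_prime": safe,
            "acceptable": prime and bits >= min_bits, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: a 127-bit Mersenne prime stands in for the undersized
    # Snake modulus; 2**2281 - 1 is a 2281-bit Mersenne prime, large enough to
    # pass the size check although it is not a safe prime; 23 is a safe prime.
    for name, p in (("small", 2**127 - 1), ("large", 2**2281 - 1), ("safe", 23)):
        print(name, audit_dh_modulus(p))
```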

Public Mobile Launches Canada’s First 5G Subscription Phone Service 

Posted in Commentary with tags on May 25, 2023 by itnerd

Public Mobile has launched Canada’s first 5G subscription phone service, offering Canadians the unique opportunity to experience mobility differently on an award-winning network.

Different from traditional postpaid and prepaid plans, Public Mobile’s subscription service offers a number of features and benefits:

  • For the first time ever, Public Mobile customers have the ability to access premium 5G wireless service, backed by an award-winning wireless network.
  • The ability to choose between a monthly or 90-day subscription, the speed plan and premium features (like unlimited data) that best fits their needs.
  • No overage fees, no credit checks, no confusing contracts and no surprises.
  • An all-new Public Mobile app that lets you manage your Public Mobile experience digitally. From activating in minutes with eSIM to 24/7 account management and digital support and rewards with Public Points, Canadians can do it all on the app anywhere, anytime.

This launch addresses a growing consumer demand and pain point, with a new survey commissioned by Public Mobile uncovering that more than 60% of Canadians agree that having a subscription service provides them cost certainty, convenience and peace of mind. Furthermore, 94% of Canadians feel they deserve more options when it comes to mobile phone plans, underscoring why Public Mobile’s unique offering is a game-changer for Canadian mobility.

Here’s a message from Jim Senko, Chief of the Unexpected Officer, Public Mobile, for more information on the new offering and what it means for Canadians.

Guest Post: ESET Research Reveals New Analysis Of AceCryptor: Used By Crimeware, It Hits Computers 10,000 Times Every Month

Posted in Commentary with tags on May 25, 2023 by itnerd

ESET researchers revealed today details about a prevalent cryptor malware, AceCryptor, which operates as a cryptor-as-a-service used by tens of malware families. This threat has been around since 2016, and has been distributed worldwide, with multiple threat actors actively using it to spread packed malware in their campaigns. During 2021 and 2022, ESET telemetry detected over 240,000 detection hits of this malware, which amounts to over 10,000 hits every month. It is likely sold on dark web or underground forums, and tens of different malware families have used the services of this malware. Many rely on this cryptor as their main protection against static detections.

“For malware authors, protecting their creations against detection is challenging. Cryptors are the first layer of defense for malware that gets distributed. Even though threat actors can create and maintain their own custom cryptors, for crimeware threat actors, it often may be time-consuming or technically difficult to maintain their cryptor in a fully undetectable state. Demand for such protection has created multiple cryptor-as-a-service options that pack malware,” says ESET researcher Jakub Kaloč, who analyzed AceCryptor.

Among the malware families found that used AceCryptor, one of the most prevalent was RedLine Stealer – malware available for purchase on underground forums and used to steal credit card credentials and other sensitive data, upload and download files, and even steal cryptocurrency. RedLine Stealer was first seen in Q1 2022; distributors have used AceCryptor since then, and continue to do so. “Thus, being able to reliably detect AceCryptor not only helps us with visibility into new emerging threats, but also with monitoring the activities of threat actors,” explains Kaloč.

During 2021 and 2022, ESET protected more than 80,000 customers affected by malware packed by AceCryptor. Altogether, there have been 240,000 detections, including the same sample detected at multiple computers, and one computer being protected multiple times by ESET software. AceCryptor is heavily obfuscated and has incorporated many techniques to avoid detection throughout the years.

“Even though we don’t know the exact pricing of this service, with this number of detections, we assume that the gains to the AceCryptor authors aren’t negligible,” theorizes Kaloč.

Because AceCryptor is used by multiple threat actors, malware packed by it is distributed in multiple ways. According to ESET telemetry, devices were exposed to AceCryptor-packed malware mainly via trojanized installers of pirated software, or spam emails containing malicious attachments. Another way someone may be exposed is via other malware that downloaded new malware protected by AceCryptor. An example is the Amadey botnet, which we have observed downloading an AceCryptor-packed RedLine Stealer.

Since many threat actors use the malware, anyone can be affected. Because of the diversity of packed malware, it is difficult to estimate how severe the consequences are for a compromised victim. AceCryptor may have been dropped by other malware, already running on a victim’s machine, or, if the victim got directly afflicted by, for example, opening a malicious email attachment, any malware inside might have downloaded additional malware; thus, many malware families may be present simultaneously.

AceCryptor has multiple variants and currently uses a multistage, three-layer architecture.

Even though attribution of AceCryptor to a particular threat actor is not possible for now, ESET Research expects that AceCryptor will continue to be widely used. Closer monitoring will help prevent and discover new campaigns of malware families packed with this cryptor.

For more technical information about AceCryptor, check out the blogpost “Shedding light on AceCryptor and its operation” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Ron DeSantis Makes The Mistake Of Launching His Presidential Campaign On Twitter

Posted in Commentary with tags on May 25, 2023 by itnerd

Ron DeSantis is seen as a frontrunner for the Republican nomination to become President of the United States. And he decided to launch his bid for The White House on Twitter with his “friend” Elon Musk.

Bad move Ron. Here’s why:

The start of a much-anticipated Twitter event in which Florida Gov. Ron DeSantis planned to announce his 2024 Republican presidential bid was repeatedly disrupted Wednesday when Twitter’s servers apparently could not handle the surge in traffic. 

The app crashed repeatedly as Twitter users tried to listen to the event where Twitter owner Elon Musk joined DeSantis for the announcement. 

DeSantis eventually was able to speak, about 20 minutes after the scheduled start, after Musk closed the initial Twitter Spaces event and started a second one on the app. That space attracted about 161,000 users, according to Twitter’s public-facing data, as DeSantis read a short speech.


Voices early in the Twitter Spaces event were openly concerned Trump would take advantage of the early glitches, a notable admission because the event was set up by DeSantis supporters.

“This is going to be a stain that Trump is going to leverage for at least a few weeks,” one person could be heard saying amid the event’s early glitches.

As the first Twitter Spaces event kicked off, metrics published by Twitter indicated that more than 600,000 were attempting to listen. 

“We’ve got so many people here that I think we are kind of melting the servers,” Sacks said at one point.

“We’re reallocating some of the server capability to be able to handle the load here. It’s really going crazy,” Musk said.

By the time DeSantis got the moment his political team had spent weeks negotiating, there were fewer than 70,000 viewers remaining, a significantly smaller audience than is traditional for a major presidential campaign launch.

That’s a #fail. But the bad news doesn’t end there:

Trump aides and allies immediately — and gleefully — mocked the Florida governor for the initial tech fiasco.

“Glitchy. Tech issues. Uncomfortable silences. A complete failure to launch. And that’s just the candidate!” Steven Cheung, spokesman for former President Donald Trump’s campaign, told NBC News. 

President Joe Biden’s Twitter account posted a link to his own fundraising page, writing, “This link works.”

You have to think that Elon must be embarrassed that such a high profile event caused Twitter to pretty much implode. It illustrates just how badly Elon is running Twitter at the moment. And should serve as a warning to anyone who wants to do a high profile event to not do it on Twitter. Meanwhile, I am sure a bunch of Twitter employees who were fired by Elon in the early days of his takeover of Twitter are laughing at Elon because of this embarrassing situation. Sucks to be Elon.

Hackers Creating Magic Links, Exploiting URL Deception and Obfuscation

Posted in Commentary on May 25, 2023 by itnerd

Avanan, a Check Point Software Company, has released a report unveiling how hackers create “magic links” that transform from safe to malicious upon pasting in the browser. The report uncovers a sophisticated phishing technique that exploits URL deception and obfuscation, enabling hackers to bypass traditional security measures and deliver malicious content to unsuspecting victims.

The attack involves the creation of “magic links” that appear harmless at first glance but transform into malicious destinations upon pasting them into a browser. Through email vectors and techniques such as URL obfuscation, hackers can deceive both users and security filters, successfully infiltrating the target’s inbox with malicious content.

You can read the report here.

ChatGPT Impersonation Fuels a Clever Phishing Scam: INKY

Posted in Commentary with tags on May 25, 2023 by itnerd

INKY has published a new Fresh Phish that impersonates OpenAI and takes numerous creative steps to harvest credentials. 

To give you an idea of the complexity, here is a recap of the techniques used in this phish:

  • Brand impersonation — using brand logos and trademarks to impersonate well-known brands.
  • Spoofing – disguising an email address so it appears to be from someone familiar. 
  • Malicious links – a clickable link that directs users to an illegitimate or unsafe website, usually for the purpose of harvesting credentials.
  • Credential harvesting — occurs when a victim thinks they are logging in to one of their resource sites but are really entering credentials into a dialog box owned by the attackers.
  • Dynamic redirection — uses elements of the victim’s email address, particularly the domain, to guide the attack flow.
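As an added example (not INKY’s code or anything from its report), the check below flags links personalised with the recipient’s address or domain, the artifact that the dynamic redirection step in the list above relies on; every URL and domain in it is a constructed placeholder.

```python
# Added example, not INKY's code: flag a phishing link that carries the
# recipient's own address or domain. Kits that use "dynamic redirection" steer
# the flow by the victim's email domain, so the identity usually travels in the
# URL, plain or base64-encoded. All URLs and domains here are constructed.
import base64
from urllib.parse import parse_qsl, unquote, urlsplit


def _maybe_b64(value: str) -> str:
    """Base64-decode value if it yields printable ASCII, otherwise return ''."""
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            return text
    return ""


def _candidate_strings(url: str):
    """Yield the places a kit tends to hide the victim identity: fragment,
    path segments and query values, each also tried as base64."""
    parts = urlsplit(url)
    raw = [unquote(parts.fragment)]
    raw += [unquote(seg) for seg in parts.path.split("/") if seg]
    raw += [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for item in raw:
        yield item
        decoded = _maybe_b64(item)
        if decoded:
            yield decoded


def dynamic_redirect_indicators(url: str, recipient: str) -> dict:
    """Report whether the link is personalised with the recipient's identity.

    'address' hits mean the full mailbox appears; 'domain' hits mean only the
    recipient's domain does, which is enough to route the victim to a
    look-alike login page for that organisation."""
    recipient = recipient.lower()
    domain = recipient.split("@", 1)[1]
    hits = {"address": [], "domain": []}
    for text in _candidate_strings(url):
        low = text.lower()
        if recipient in low:
            hits["address"].append(text)
        elif domain in low:
            hits["domain"].append(text)
    return {"personalised": bool(hits["address"] or hits["domain"]), "hits": hits}


if __name__ == "__main__":
    # Constructed sample: the mailbox travels base64-encoded in the query string.
    sample = "https://login-portal.example/auth?user=YWxpY2VAY29ycC5leGFtcGxl"
    print(dynamic_redirect_indicators(sample, "alice@corp.example"))
```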

You can read their research here.

Chinese Sponsored Hackers Target US Infrastructure

Posted in Commentary with tags on May 25, 2023 by itnerd

Microsoft has said that it has found malicious activity by a Chinese-state sponsored hacking group that has stealthily gained access into critical infrastructure organizations in Guam and elsewhere in the US, with the likely aim of disrupting critical communications in the event of a crisis. 

In a report published Wednesday, Microsoft said the group, named Volt Typhoon, had been active since mid-2021, targeting organizations that span manufacturing, construction, maritime, government, information technology and education. 

Joe Saunders, CEO, RunSafe Security had this comment on this rather disturbing news:

“In all these attacks, denying the adversary the ability to target memory weaknesses in code is essential to thwart any additional steps in the attack, especially if we want to make our infrastructure resilient. Achieving cyber resilience is an urgent need for our country.”

Although Chinese state-sponsored hackers have never launched a disruptive cyberattack against the United States, even over decades of data theft from US systems, the country’s hackers have periodically been caught inside US critical infrastructure. Thus the time to act is now, before these hackers escalate their activities beyond what they have done to date.

UPDATE: I have two more comments on this. The first is from Willy Leichter, VP, Cyware:

   “These state-sponsored groups are relentless in trying to get a persistent foothold in our critical infrastructure systems, and attacks are inevitable. While all organizations need to remain vigilant about tracking threats, and closing vulnerabilities, we really need to improve how quickly we disseminate critical intelligence industry-wide. Information sharing communities (ISACs) in critical infrastructure, energy, and other sectors are providing some of this intelligence, but we need much more wide-spread adoption and automation, so an attack on one system can be automatically defended against across an entire industry sector.”

Roy Akerman, Co-Founder & CEO, Rezonate followed up with this:

   “While described as novel, the TTPs mentioned in the report have been used for years. Webshells, Living-off-the-Land, command line, proxies for exfiltration. IOCs extracted are valuable but unfortunately have a short shelf life as attackers evolve their infrastructure. The report coming from CISA and NSA provides a fantastic insight on the techniques; however, you can also clearly identify where traditional EDR solutions will fall short against LOLBin use and how a layered defense approach is critical to augment and further provide critical context.”

Finally Steve Stone, Head of Rubrik Zero Labs concludes with this:

“Rubrik believes the combination of multiple private companies and several governments publicly reporting their findings is a great situation for the overall cybersecurity community.  In particular, the US Government and its partners are working to publicly report activity sooner than in the past at the cost of maintaining their potential access.  This demonstrable shift by the US government is a major step forward for private organizations.

“This activity is in-line with well-established Chinese hacking efforts. This in no way undercuts the reporting, but it’s critical we view this as an existing assessment confirmation instead of net new activity.

“The continued focus on valid users and valid tools by threat actors presents one of the largest threats to the industry. The valid user is the most capable attack surface an attacker can gain.  Additionally, these types of actions are notoriously difficult to detect.  For all of these reasons, Rubrik is heavily investing in user intelligence in 2023, which we will combine with data trends.  We think this remains one of the largest problems to solve from a threat perspective.”