Archive for August 30, 2023

Guest Post: Big tech doesn’t care about your digital rights

Posted in Commentary with tags on August 30, 2023 by itnerd

Big tech companies talk a big game about privacy and freedom of expression, but their policies and practices often undermine it.

According to the data presented by the Atlas VPN team, Twitter scored the best on its policies and practices affecting people’s rights to freedom of expression and privacy, while Amazon and Tencent got the worst ratings for their actions on people’s digital rights. However, none of the companies earned a passing grade.

Twitter (currently X) received the best score of 56% for its practices and policies on governance, freedom of expression, and privacy. The company took the top spot for its detailed content policies and public data about moderation of user-generated content.

Yahoo got 54% on the digital rights scorecard. Microsoft received 50% on its practices and policies around digital rights. Microsoft lacks comprehensive policies protecting freedom of expression. 

Google scored 47%, but its score declined for the second straight year due to outdated policies. Meta got 46% despite releasing a new human rights policy. Apple, which often boasts about its privacy commitments, scored 44%. 

On the flip side, Amazon and Tencent scored an awful 25% due to significant shortcomings in policies and practices affecting digital rights.

Cybersecurity writer at Atlas VPN, Vilius Kardelis, shares his thoughts on people’s digital rights:

“Big tech’s relentless data collection and algorithms working without oversight threaten privacy and freedom of expression. Individuals should educate themselves, minimize data sharing, and use privacy tools to take more control of their digital rights in their own hands.”

To read the full article, head over to:

https://atlasvpn.com/blog/big-tech-doesnt-care-about-your-digital-rights

Chinese Disinformation Network Dismantled By Facebook

Posted in Commentary with tags on August 30, 2023 by itnerd

Facebook is dismantling a significant and highly sophisticated disinformation network supporting the People’s Republic of China (PRC).

Meta, the parent company of Facebook, announced that it had identified connections between individuals linked to Chinese law enforcement and a long-standing yet largely ineffective pro-China “Spamouflage” influence campaign. “We assess that it’s the largest, though unsuccessful, and most prolific covert influence operation that we know of in the world today,” said Meta Global Threat Intelligence Lead Ben Nimmo.

In its quarterly security report, the social media giant disclosed that it had taken down approximately 7,700 Facebook accounts and numerous pages, groups, and Instagram accounts associated with this campaign. Some aspects of this operation had been active since 2018.

Meta said these fake accounts were managed from various regions within China, but they shared common digital infrastructure and followed apparent work schedules, including designated breaks for lunch and dinner based on Beijing time.

The campaign was active on more than 50 platforms and forums, including Facebook, Instagram, X (formerly Twitter), YouTube, TikTok, Reddit, Pinterest, Medium, Blogspot, LiveJournal, VKontakte, Vimeo, and dozens of additional smaller platforms and forums.

Jason Keirstead, VP of Collective Threat Defense, Cyware had this comment:

   “One of the ways in which social media companies could more effectively combat disinformation campaigns is through more effective collaboration and coordination, made possible by using frameworks such as those provided by the DISARM foundation (https://www.disarm.foundation/). Cybersecurity practitioners should be encouraging large social media companies to become more actively involved in the work of the foundation, and of the disinformation sharing standards it supports such as DAD-CDM (https://github.com/DAD-CDM). Development and support of these standards will allow government and industry to work together to combat disinformation campaigns more effectively.”

David Mitchell, Chief Technical Officer, HYAS:

   “China appears to be playing a PR campaign to shine their activities in a positive light, especially when it comes to Taiwan and human rights. While this campaign doesn’t appear to have made an impact, it shows that they are tuning their capabilities to mimic what the Russians have previously pulled off. 

   “Based on the ties to Chinese law enforcement, this also could be an op to target and identify ex-pats overseas that do not agree with their views — potentially to relay to the Chinese police stations discovered in US and other cities. 

   “Security personnel, whether executive level or operators, should pay attention to disinformation campaigns just as they would an attack campaign. Disinformation can target a company (Anheuser-Busch InBev) and the links may also include phishing or malware that employees may click on, if the targeted message fits their views.”

   “While it is fantastic that Meta is finally taking a proactive stance against disinformation campaigns, this problem is going to continue to get worse during geo-political strife and election seasons. Because these platforms do not verify the identity of accounts, nor charge for their services, they are rife for coordinated nation state abuse. Dealing with these campaigns will always be a global form of whack-a-mole and will not change until social media networks change how they are monetized & valued – just a few dollars per user per month significantly increases the barrier to entry for malicious actors.”

Every social media platform needs to step up and do more to combat this sort of disinformation. If Facebook/Meta can do this, there’s zero excuse for other platforms to not do so as well.

Purfoods Pwned…. 1.2 Million People Affected

Posted in Commentary with tags on August 30, 2023 by itnerd

Purfoods has notified more than 1.2 million people that their personal and medical data such as names, SSNs, driver’s license numbers, financial account and/or payment card information, medical information, health information, and DOB may have been stolen from its servers during a cyber-attack occurring between January 16th, 2023, and February 22nd, 2023.

Purfoods, a health-focused food-delivery company that does business under the name Mom’s Meals, works with more than 500 health providers including governments and managed-care organizations in the US and delivers meals to those covered under Medicare and Medicaid, as well as individuals not covered.

The company identified “suspicious account behavior” on February 22nd, 2023, and, according to the notification letter, the attackers gained access to Purfoods’ network on January 16th. It is still unclear how the criminals accessed the network.

Dave Ratner, CEO, HYAS had this to say:

   “It’s still unclear how the criminals breached the network, but it actually doesn’t matter. Bad actors will continue to create and obfuscate their techniques. The attack demonstrates yet again that no one is safe, and that organizations need to think more about business and operational resiliency than pure prevention. Deploying anomaly visibility and detection as part of a depth-in-depth strategy, such as Protective DNS, is clearly critical today to protect PII and other critical data from being stolen.”

This is bad as this is all the information that a threat actor requires to launch identity theft attacks. Hopefully there’s a full accounting of what happened and what Purfoods is going to do to protect those who are affected.

FBI Pwns Qakbot Ransomware Network

Posted in Commentary with tags on August 30, 2023 by itnerd

The FBI has managed to take down the infamous Qakbot ransomware network. And this is no minor takedown by the feds:

The FBI and international partners disrupted the Qakbot botnet — a grouping of computers infected by a malware program that was used to carry out the cyberattacks — and are now working to disable the program on thousands of victim computers, law enforcement officials said.

Dubbed “Operation Duck Hunt,” the effort to take down the botnet system also seized nearly $9 million in cryptocurrency that was collected in criminal ransomware campaigns.

Qakbot’s victims totaled 700,000 across the globe in 2023, according to the Justice Department, with approximately 200,000 located in the U.S. Small businesses, healthcare providers and government agencies including a defense manufacturer based in Maryland were harmed by attacks linked to the network.

And:

As part of “Operation Duck Hunt,” the FBI gained access to the QakBot infrastructure and “redirected” the cyberactivity to servers controlled by U.S. investigators, according to senior FBI and Justice Department officials. Investigators were then able to inject the malware with a program that released the victim computer from the botnet, freeing it of the malicious host.

Law enforcement officials said Tuesday they’re still trying to determine how many of the more than 700,000 computers infected this year were freed from Qakbot’s control and credited close partnership with European investigators for the operation’s success. No one has been arrested as a result of the international probe, but 52 servers were seized, and the investigation is ongoing.

Ken Westin, Field CISO, Panther Labs had this comment on the takedown:

   “It is interesting the FBI essentially deployed something that almost resembles “hacking back” to redirect traffic to their servers and ran a script to uninstall the malware on remote systems. It is rare that law enforcement would deploy such measures as there are potential risks of executing commands on remote systems, however, the risk may have been minimal in this case given the threat posed by Qakbot to networks and critical infrastructure. It will be interesting to learn more about the legal case for when such activities can be taken to execute scripts on remote systems when dealing with malware and threats to national security.”

In short, the FBI has pwned them. Ingenious. And I have to admit that I am impressed. Clearly even the bad guys can be pwned when they fail to take the proper measures to avoid it, just as their victims sometimes fail to do.

UPDATE: Dave Ratner, CEO, HYAS had this comment:

   “We applaud the FBI for taking control of the Qakbot malware command-and-control infrastructure; unfortunately, without any arrests, it’s likely that the criminals will set up new adversary infrastructure in the near future. With dwell time being as little as 24 hours, these attacks highlight once again how critical it is for organizations to have immediate visibility into anomalous network traffic communicating with adversary infrastructure so that they can take control before ransomware impacts operational resiliency, as recommended by CISA and the NSA via Protective DNS solutions.”

Google adds generative AI to security tools

Posted in Commentary with tags on August 30, 2023 by itnerd

Yesterday at the Google Cloud Next conference, the company announced new generative AI enhancements to three Duet AI security products, aimed at letting teams ‘do more with less’ and making it easier to navigate large security datasets simply by asking questions in plain language.

  • Duet AI in Mandiant Threat Intelligence helps security teams understand the mass of data they have by providing a summary of a particular threat.  
  • Duet AI for Chronicle Security Operations helps teams ask better questions about a particular threat to identify the level of danger and how to respond.
  • Duet AI in Security Command Center enables less experienced security analysts to ask questions to understand the nature of the threat by providing analysis of security findings, potential attack paths and possible actions to take.

“AI is enabling security teams to improve their security posture by generating AI summaries to describe threats, by searching for patterns in security data to identify if teams have been targeted or companies have been targeted, and finally, by recommending actions to take both in response to active threats and also to proactively improve security posture,” Steph Hay, head of UX for cloud security at Google said.

Dave Ratner, CEO, HYAS had this comment:

   “Generative AI has the ability to both tremendously help and harm the cyber security industry. Google is highlighting some very positive steps to drive efficacy and efficiency in battling bad actors, but we can’t forget that criminals will be utilizing AI in nefarious ways to continue to make their attacks harder to detect and more effective, similar to what’s been highlighted by HYAS’ eyespy proof of concept and others. While Protective DNS systems perform admirably today for business and operational resiliency, continued research into how best to detect and defend against tomorrow’s AI-based attacks is needed across the industry to ensure this same level of resiliency going forward.”


Emily Phelps, Director, Cyware follows with this comment:

   “Using AI is a good step toward aiding security teams to get the context they need to take meaningful actions. Cybersecurity programs often include different teams using disparate tools, lacking a shared taxonomy. This makes it difficult to get the right information to the right people to take the right action, even as insights are automatically distributed. Coupling automation with true collaborative technologies – that have flexible playbooks and defined workflows – will give enterprises the contextual insights needed to move faster and more effectively.”

This is a good move by Google. But security is best done in a layered approach, which means that you as an organization need multiple layers to make sure that you don’t get pwned.

Microsoft Says That Adversary-in-the-Middle Strategies Have Spiked

Posted in Commentary with tags on August 30, 2023 by itnerd

In tweets dated August 28, 2023, Microsoft reported a significant increase in adversary-in-the-middle (AiTM) strategies facilitated by phishing-as-a-service (PhaaS) platforms.

Researchers have observed the emergence of new PhaaS platforms equipped with AiTM capabilities throughout 2023. Simultaneously, established phishing services like PerSwaysion have also incorporated AiTM features.

The two predominant techniques employed in AiTM-enabled phishing attacks are reverse proxy servers and synchronous relay servers.

In the first scenario, as seen in phishing toolkits such as EvilGinx, Modlishka, Muraena, and EvilProxy, every HTTP packet is proxied to and from the original website, making the URL the sole discernible distinction between the phishing page and the authentic site.

In AiTM attacks using synchronous relay servers, the target is presented with a fake sign-in page, much like traditional phishing attacks. Threat group Storm-1295 was reported to offer synchronous relay services to other attackers.

AiTM phishing aims to steal session cookies from browsers, which give the attacker access to protected systems without having to reauthenticate. Incident response for AiTM attacks therefore requires revoking the stolen session cookies.
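The reverse-proxy kits described above leave a recognisable trace in sign-in and activity logs: the session cookie is issued to the proxy during the sign-in, and is later presented by the attacker's own tooling, which typically has a different IP address and User-Agent. The following is an added example, not code from the original post or from Microsoft, of a detection pass over constructed JSON log lines (the event names, field names and addresses are all assumptions for this example) that flags such sessions and produces the revocation list the incident-response step calls for.

```python
# Added example (not from the original post): flag session cookies that are
# presented by a client other than the one that completed the sign-in, which
# is the pattern a reverse-proxy AiTM kit leaves behind in web/IdP logs.
# Log format, event names, field names and addresses are constructed here.
import json
from dataclasses import dataclass


@dataclass
class SignIn:
    """Client that completed the sign-in that minted the session cookie."""
    user: str
    ip: str
    ua: str


# Constructed sample: S1 is signed in through a proxy host (203.0.113.10 with
# the victim's browser UA) and later replayed from attacker tooling; S2 is a
# normal user whose IP changed but whose browser did not; one line is junk.
LOG_LINES = [
    '{"ts":"2023-08-28T09:00:01Z","event":"signin_success","user":"alice","session_id":"S1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/116"}',
    '{"ts":"2023-08-28T09:00:30Z","event":"activity","user":"alice","session_id":"S1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/116"}',
    '{"ts":"2023-08-28T09:07:12Z","event":"activity","user":"alice","session_id":"S1","ip":"198.51.100.7","ua":"python-requests/2.31"}',
    '{"ts":"2023-08-28T09:10:00Z","event":"signin_success","user":"bob","session_id":"S2","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/16"}',
    '{"ts":"2023-08-28T09:12:00Z","event":"activity","user":"bob","session_id":"S2","ip":"192.0.2.45","ua":"Mozilla/5.0 (Macintosh) Safari/16"}',
    '{"ts":"2023-08-28T09:13:00Z","event":"activity","user":"carol","session_id":"S9","ip":"192.0.2.9","ua":"curl/8.0"}',
    "not json at all",
]


def parse_events(lines):
    """Parse one JSON object per line, dropping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_replayed_sessions(events):
    """Return {session_id: [(ip, ua), ...]} for sessions used by a client whose
    IP *and* User-Agent both differ from the sign-in client. Requiring both to
    differ keeps NAT/VPN address changes from firing; a stricter deployment
    could flag either change, or pair this with impossible-travel checks."""
    issued = {}      # session_id -> SignIn that minted it
    suspicious = {}  # session_id -> list of foreign clients seen
    for ev in events:
        kind = ev.get("event")
        sid = ev.get("session_id")
        if kind == "signin_success":
            issued[sid] = SignIn(ev["user"], ev["ip"], ev["ua"])
        elif kind == "activity":
            first = issued.get(sid)
            if first is None:
                continue  # no sign-in in this window; out of scope for this pass
            if ev["ip"] != first.ip and ev["ua"] != first.ua:
                suspicious.setdefault(sid, []).append((ev["ip"], ev["ua"]))
    return suspicious


def sessions_to_revoke(lines):
    """Session ids to revoke (the IR step the post describes), sorted."""
    return sorted(find_replayed_sessions(parse_events(lines)))


if __name__ == "__main__":
    for sid, clients in find_replayed_sessions(parse_events(LOG_LINES)).items():
        print(f"session {sid} replayed from: {clients}")
    print("revoke:", sessions_to_revoke(LOG_LINES))
```

On the constructed sample only S1 is flagged: the sign-in came in with the victim's browser User-Agent but from the proxy's address, and the later use came from a different address with a non-browser User-Agent. S2 changes only its IP and stays clean. In production the revocation would be followed by a credential reset and a review of what the session touched, since the cookie was valid for the whole interval.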

Microsoft emphasized the importance of implementing MFA methods such as Microsoft Authenticator, FIDO2 security keys, and certificate-based authentication as crucial measures for securing identities: “This emphasizes the importance of MFA thru methods like Microsoft Authenticator, FIDO2 security keys, & certificate-based authentication in securing identities.”
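What makes FIDO2 security keys different from a one-time code in the reverse-proxy scenario is origin binding: the browser, not the web page, writes the origin it is actually connected to into the signed client data, and the relying party checks that origin before accepting the assertion. The following is an added example, not code from the original post, from Microsoft or from any FIDO library, that models this check in Python. The relying party id, origins and challenge are constructed for the example, and an HMAC with a shared key stands in for the authenticator's public-key signature (real WebAuthn uses ECDSA or EdDSA with only the public key held by the relying party); the checks themselves follow the order the WebAuthn assertion verification uses.

```python
# Added example (not from the original post or from any FIDO library): why a
# FIDO2/WebAuthn assertion cannot be relayed through a look-alike domain.
# The authenticator signs authenticatorData (which carries SHA-256(rpId)) and
# SHA-256(clientDataJSON); the browser fills clientDataJSON.origin with the
# origin it actually loaded. HMAC is a stand-in for the real asymmetric
# signature; RP_ID, origins and CHALLENGE are constructed for this example.
import hashlib
import hmac
import json
import os

RP_ID = "accounts.example"                  # constructed relying-party id
RP_ORIGIN = "https://accounts.example"      # the only origin the RP accepts
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; a real RP mints a fresh random one per ceremony


def _rp_id_hash():
    return hashlib.sha256(RP_ID.encode()).digest()


def authenticator_sign(key, client_data_json):
    """Model of the authenticator: sign authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = _rp_id_hash() + b"\x01"  # rpIdHash + flags (user present)
    client_hash = hashlib.sha256(client_data_json).digest()
    sig = hmac.new(key, auth_data + client_hash, hashlib.sha256).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data_json, "signature": sig}


def browser_get_assertion(key, page_origin, challenge):
    """Model of navigator.credentials.get(): the browser, not the page, sets
    the origin field, so a proxied page cannot claim the genuine origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    return authenticator_sign(key, client_data)


def rp_verify(key, expected_challenge, assertion):
    """Relying-party checks in WebAuthn order. Returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    ad = assertion["authenticatorData"]
    if ad[:32] != _rp_id_hash():
        return False, "rpIdHash mismatch"
    expected = hmac.new(
        key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def scenario(page_origin):
    """Sign in from a page at page_origin; a proxy relays the bytes unchanged."""
    key = os.urandom(32)  # model of the credential key (constructed per run)
    assertion = browser_get_assertion(key, page_origin, CHALLENGE)
    return rp_verify(key, CHALLENGE, assertion)


def rewritten_origin(page_origin):
    """If the origin inside clientDataJSON were rewritten in transit, the
    signature no longer covers the bytes the RP hashes, so it fails instead."""
    key = os.urandom(32)
    assertion = browser_get_assertion(key, page_origin, CHALLENGE)
    cd = json.loads(assertion["clientDataJSON"])
    cd["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = json.dumps(cd, sort_keys=True).encode()
    return rp_verify(key, CHALLENGE, assertion)


if __name__ == "__main__":
    print("genuine origin:   ", scenario(RP_ORIGIN))
    print("look-alike origin:", scenario("https://accounts-example.net"))
    print("rewritten origin: ", rewritten_origin("https://accounts-example.net"))
```

The genuine-origin run verifies, the look-alike run fails on the origin check even though the challenge is the real one, and rewriting the origin only moves the failure to the signature check. Real browsers add a further layer not modelled here: a page may only request credentials whose rpId is a registrable suffix of its own origin, so the look-alike page cannot even address the genuine credential. Certificate-based authentication resists relaying for the same structural reason (the TLS client certificate is bound to the channel), whereas a pushed or typed one-time code carries no information about where it was entered.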

George McGregor, VP, Approov had this comment:

   “AiTM phishing aims to steal cookies from browsers and use them to access backend systems.

   “However, there is an even bigger AiTM threat posed by mobile apps which is not mentioned by Microsoft: Mobile apps are highly susceptible to AiTM attacks and secret theft at runtime because hackers can easily manipulate the client environment and/or the communication channel(s). This could certainly also be packaged “as a service” for hackers.

   “Defense against this threat requires app and client attestation and pinning of the communication channel.”


Emily Phelps, Director, Cyware follows with this:

   “Multifactor authentication is table stakes when it comes to safeguarding data. Strong authenticator apps should be used with each log-in session. Human behavior continues to be a common exploit for attackers because it continues to be effective.

   “As an industry, cybersecurity must work to get ahead of these tactics, with threat intelligence programs that include intelligence sharing so that once these strategies are known they can be widely distributed, enabling other organizations and individuals to protect themselves against them.”

I’ve been saying for a while to my clients that they need to move towards MFA or passwordless solutions, because the threats out there are so many and so sophisticated that you will leave yourself open to having bad things happen to you if you don’t.