Archive for February 7, 2024

Joint Advisory Issues Warning About Volt Typhoon

Posted in Commentary with tags on February 7, 2024 by itnerd

Heads up. A joint cybersecurity advisory issued by the US today states that Volt Typhoon has infiltrated critical infrastructure networks and persisted in them for at least five years. This link is a TL;DR of that joint advisory. This somewhat echoes an analysis by Microsoft from almost a year ago.

Ken Westin, Field CISO, Panther Labs had this comment:

The methods being utilized by Volt Typhoon, although not new, should be cause for concern given their intent and targets. Unlike ransomware operators whose goal is to get in and cause damage quickly, this nation-state operator is leveraging valid accounts and “living off the land” techniques to evade detection for long periods of time. These methods allow the group to monitor their targets and provide a foothold to cause kinetic damage — damage that can affect equipment and pose a physical threat to critical infrastructure. By targeting energy, water, communications and transportation infrastructure, it is apparent that Volt Typhoon is seeking to disrupt operations of critical infrastructure to cause panic, discord and distract leadership and the public. Many of the OT environments being targeted are notorious for running outdated software, either out of negligence or necessity, if the systems cannot be updated, which increases the risk posed by this threat.

This is another one of those wake-up calls that everyone needs to heed, as the PRC, which is behind Volt Typhoon, is serious about its aims to get into networks and steal data. That makes keeping them out a top priority.

UPDATE: Damir J. Brescic, CISO, Inversion6 adds this comment:

This development represents a significant escalation in something warned about last year — the underscoring of the sophisticated capabilities of APT (Advanced Persistent Threat) groups.

Volt Typhoon is known for targeting critical infrastructures, government facilities, and the manufacturing sector. Oh, did I mention that they are a Chinese-sponsored hacking group?

The group's operations demonstrate a deep understanding of network defense and evasion techniques that allow them to remain undetected for extended periods of time. Their TTPs (Tactics, Techniques, and Procedures) point to the technical expertise and resources typically found with state-sponsored APT groups.

Their presence is a warning call, highlighting the need for proactive cybersecurity measures, continuous monitoring and sharing of information among various stakeholders. I believe the Volt Typhoon poses a significant risk to critical infrastructure networks – underscoring the need for robust cybersecurity measures across industries and government partners.

OVHcloud Opens its First Two Local Zones in Spain and Belgium

Posted in Commentary with tags on February 7, 2024 by itnerd

OVHcloud today announces the opening of its first two public cloud ‘Local Zones’, with one site located in Madrid, Spain and the other in Brussels, Belgium. Driven by innovative technology from gridscale, OVHcloud’s latest acquisition, the Group can now deploy cloud capacity within weeks to serve new international locations. The Local Zones in Belgium and Spain bring new options for customers to access the Group’s Public Cloud services, with low latency and local data residency.

The gridscale technology provides a software stack that lays the groundwork for the Group’s growth strategy in the Edge Computing market. Requiring only modest infrastructure, hosted in colocation centres, Local Zones are more agile and flexible, and also less CAPEX intensive, than regular datacenters. This gives OVHcloud a significant competitive advantage and allows the Group to rapidly deploy its Public Cloud environments.

An ambitious roadmap of up to 150 Local Zones to support a growing global market

In the context of a globally growing cloud market, OVHcloud has laid out an ambitious deployment plan to capture demand for cloud services in existing and new geographies. Targeting the opening of up to 150 Local Zones by 2026, the Group starts with the regions where its own growth is strongest.

Throughout 2024 OVHcloud plans to open up to 15 Local Zones with the following non-exhaustive list of sites being considered. In Europe, the Group is preparing openings in Prague (Czech Republic), Marseille (France), Milan (Italy), Amsterdam (Netherlands), and Zurich (Switzerland). New Local Zones are expected to open in the United States of America, including Atlanta (Georgia), Denver (Colorado), Chicago (Illinois), Dallas (Texas), New York City and San José (California).

The advantages of OVHcloud Open & Trusted Cloud

New OVHcloud Local Zones offer customers the advantage of the Group’s Open and Trusted Cloud and the benefits of data residency. With data now being closer to where it’s generated or needed, and accessible through the Cloud, customers are confident their data will stay within geographical boundaries defined by either local regulations or security policies. This is particularly important across industries such as consulting, financial services and healthcare.

Local Zones also deliver better latency. That means that workloads with latency-sensitive services such as real-time analytics, e-commerce websites, Content Delivery Networks (CDN) for replay and streaming video, as well as cloud gaming, will benefit from faster response times, providing a better user experience. For most customers, OVHcloud Local Zones offer single-digit millisecond latencies, enabling use cases such as high-performance cloud gaming with minimal delays.

Organisations can now benefit from Local Zone Public Cloud features including Compute, Block Storage and Networking, with local Public IP. Additional services will be released in the coming months thanks to an iterative development model. Customers can expect future access to features such as Object Storage and Managed Rancher Service for multi-cloud Kubernetes management.

OVHcloud’s new Local Zones in Spain and Belgium are also ISO/IEC 27001 certified, supplemented by the requirements of ISO/IEC 27017 specific to cloud services security and ISO/IEC 27018 for personal data protection. Those certifications ensure that businesses can deploy services in an OVHcloud environment with the highest security standards.

Availability

Available now, the Local Zone located in Madrid, Spain, is open in Beta with customers being able to deploy their Public Cloud services direct from the OVHcloud customer interface.

Available now, the Local Zone located in Brussels, Belgium, is open in Beta with customers being able to deploy their Public Cloud services direct from the OVHcloud customer interface.

Learn more about OVHcloud Local Zones here.

Ransomware Payments Exceed $1 Billion In 2023….. WTF?

Posted in Commentary with tags on February 7, 2024 by itnerd

I have to admit that this has stunned me, as the conventional thinking is that you don’t pay threat actors to get your data back. But apparently there are plenty of people who don’t buy into that, as this report states that ransomware payments exceeded $1 Billion in 2023:

In 2023, ransomware actors intensified their operations, targeting high-profile institutions and critical infrastructure, including hospitals, schools, and government agencies. Major ransomware supply chain attacks were carried out exploiting the ubiquitous file transfer software MOVEit, impacting companies ranging from the BBC to British Airways. As a result of these attacks and others, ransomware gangs reached an unprecedented milestone, surpassing $1 billion in extorted cryptocurrency payments from victims.

And:

2023 marks a major comeback for ransomware, with record-breaking payments and a substantial increase in the scope and complexity of attacks — a significant reversal from the decline observed in 2022, which we forewarned in our Mid-Year Crime Update.

Ken Westin, Field CISO, Panther Labs had this comment:

The fact the numbers have increased this year shouldn’t be surprising. Ransomware groups operating in Russia were emboldened by the Ukraine conflict and many ransomware groups removed a lot of restrictions they previously had regarding targeting of schools, government agencies and critical infrastructure. The exploitation of software vulnerabilities such as MOVEit has also played a devastating role in the compromise of companies and institutions. Many IT departments were unaware the tool was running in their environments. In addition to the money paid to ransomware gangs, there is also the increasing cost of damage imposed by ransomware on organizations that don’t pay the ransom.

This has to serve as a wake-up call that all of us can no longer sleepwalk through this ransomware crisis. Everyone needs to take action. Every part of a defensive playbook, from detection and remediation to a policy of not paying threat actors, needs to be on the table and acted upon. Because this is the only way to stop this crisis.

The IT Nerd Can Now Be Found On Bluesky

Posted in Commentary on February 7, 2024 by itnerd

With my recent creation of a Bluesky account, and Bluesky opening up to the public, I am now actively posting to Bluesky. Up until today, the only thing that was holding me back from posting to Bluesky was the fact that WordPress, which is the platform that I use to host this blog, doesn’t have a means to post to Bluesky in a manner that is similar to the way I post to Mastodon. But thanks to a Bluesky user named Mark Waters, I was directed to a WordPress plug-in called Neznam Atproto Share that now allows me to post to Bluesky. Setup was easy and it works flawlessly. You can’t ask for anything more than that.

So, if you’re still on Twitter for whatever reason, you now have a second option to keep up to date on what I post. You can give me a follow on @theitnerd.bsky.social. And you can also follow me on Mastodon at @The_IT_Nerd@noc.social as well.

Horizon3.ai Unveils Phishing Impact Testing to Help Organizations Understand the Impact of Phished Credentials

Posted in Commentary with tags on February 7, 2024 by itnerd

Horizon3.ai, a pioneer in autonomous security solutions, today announced the launch of its first-to-market Phishing Impact testing capability within NodeZero. The new capability marks a significant advancement in penetration testing, addressing a critical gap in understanding the real-world implications of phished credentials.

Business leaders often dismiss the threat of entry-level employees who click on malicious links, leading to frustration for IT and security organizations. The Phishing Impact test delivered by NodeZero can help those IT and security teams accurately convey the “blast radius” of those phished credentials, proving that sensitive data was indeed at risk.

Easily Interoperates With Popular Phishing Awareness Solutions

The NodeZero Phishing Impact test is resource-light: it’s easily conducted by IT and security team members by simply adding a few lines of JavaScript generated by NodeZero to their phishing page. Credentials of users “hooked by the lure” are automatically injected into a running NodeZero pentest via the JavaScript copied into the phishing page.

With legitimate credentials in hand, this type of testing reveals if an attacker would next be able to:

  • Find and gain access to private data stores
  • Gain admin access to other hosts in the network
  • Move laterally to compromise cloud environments
  • Elevate their privileges and take over domains
  • Exploit unpatched vulnerabilities in internal systems
  • Conduct other malicious acts

The Phishing Impact test is conducted with Horizon3.ai’s secure methods, which ensure cleartext credentials are not retained outside of the test’s ephemeral infrastructure.

Each phished credential is added to the NodeZero platform as a “Notable Event” with a timestamp. Testers see the running list of credentials being tested in the Credentials window in the NodeZero UI.

By adding a few lines of JavaScript code provided by NodeZero to phishing pages created using popular testing tools, organizations can automatically channel captured credentials into an active NodeZero penetration test. This test then utilizes those phished credentials in conjunction with exploitable security weaknesses discovered by NodeZero as part of its attack against the network.

The outcome is a comprehensive report detailing the impact of each phished credential, offering organizations unprecedented insights into their security posture. This not only enhances their understanding of potential threats but also drives effective improvements to safeguard their systems against real-world attacks.

Email Marketing Company Used to Phish Itself in Novel Impersonation Campaign: Netcraft

Posted in Commentary with tags on February 7, 2024 by itnerd

Netcraft has published new research reporting that criminals recently abused Twilio SendGrid’s email delivery, API, and marketing services to launch a phishing campaign impersonating SendGrid itself.

Hackers behind this novel phishing campaign used SendGrid’s Tracking Settings feature, which allows users to track clicks, opens, and subscriptions with SendGrid. The malicious link was masked behind a tracking link hosted by SendGrid.

The email headers reveal that the phishing emails were sent through SendGrid’s infrastructure. The sending domain names all appear to belong to other SendGrid customers, suggesting the criminals use compromised SendGrid accounts rather than registering their own.

Netcraft has identified at least nine companies whose accounts have been used in the campaign. These companies span a range of industries, including cloud hosting, energy, healthcare, education, property, recruitment, and publishing.
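The two signals Netcraft describes above, a message signed by the email service provider rather than the visible sender and a call-to-action link routed through the provider's click-tracking host, can be checked offline from the raw message. The script below is an added example, not code from Netcraft or SendGrid; the sample message and the domains esp-mail.test and example-customer.test are constructed, and it assumes links are plain `href="..."` attributes in the HTML body.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a message from the Netcraft research): the visible
# sender is one domain, the DKIM signer is an email service provider (ESP),
# and the call-to-action link is a click-tracking redirect on the ESP's domain.
SAMPLE_EML = """\
From: "Account Team" <billing@example-customer.test>
Subject: Action required: verify your account
DKIM-Signature: v=1; a=rsa-sha256; d=esp-mail.test; s=s1; h=from:subject; bh=AAAA; b=BBBB
Received: from o1.esp-mail.test (o1.esp-mail.test [203.0.113.10]) by mx.example.test
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="https://u1.ct.esp-mail.test/ls/click?upn=opaque">verify your account</a>.</p>
<p><a href="https://example-customer.test/support">Support</a></p>
</body></html>
"""

def host_under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def esp_hosted(url, signer, from_domain):
    """True if the link resolves through the signer's (ESP's) domain, not the sender's."""
    host = urlparse(url).hostname or ""
    return host_under(host, signer) and not host_under(host, from_domain)

def analyze(raw):
    """Return sender and signer domains plus the links routed via the ESP."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    m = re.search(r"\bd=([^;\s]+)", str(msg["DKIM-Signature"] or ""))
    signer = m.group(1).lower() if m else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    links = re.findall(r'href="([^"]+)"', body.get_content() if body else "")
    return {
        "from_domain": from_domain,
        "dkim_signer": signer,
        "third_party_signer": bool(signer) and not host_under(signer, from_domain),
        # The indirection the campaign relied on: a brand's mail whose click
        # target is a tracking URL on the ESP's own domain.
        "esp_redirect_links": [u for u in links if signer and esp_hosted(u, signer, from_domain)],
    }
```

A third-party signer on its own is normal for any brand that sends through an ESP; the combination with an ESP-hosted click target is what merits a closer look at where that redirect finally lands.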

You can read the research here.