Archive for June, 2024

« Older Entries

Dump Your D-Link DIR-859 Router In The Trash Because Hackers Are Exploiting It To Pwn You

Posted in Commentary with tags on June 30, 2024 by itnerd

So let me start with the exploit behind the title in this story. D-Link has released a security advisory which is tied to CVE-2024-0769 that goes like this:

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-859 1.06B01. It has been rated as critical. Affected by this issue is some unknown functionality of the file /hedwig.cgi of the component HTTP POST Request Handler. The manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-251666 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

 So let’s unpack this. In English, what this is saying is that an attack that can be launched remotely exists that allows attackers to leak session data, achieve privilege escalation, and gain full control via the admin panel. In short, they can take over the router. And presumably use that access to launch secondary attacks. Like theft of data for example via reconfiguring the router to let them have full access to your network. On top of that you’ll note this part:

NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

So this isn’t going to get fixed. Which means that if you have one of these routers, your best course of action is to throw it in the trash (or responsibly recycle it) and get something else. I say that because the word on the street is that threat actors are actively using this exploit to pwn people. Thus you don’t want to be the person on the other end of that.

Leave a comment »

TeamViewer Pwned Again

Posted in Commentary with tags on June 29, 2024 by itnerd

Today, TeamViewer, a large remote access and control software provider, has confirmed a data breach by the notorious hacker group Midnight Blizzard. The company’s statement confirmed the breach is tied to an employee’s credentials within its Corporate IT environment. Bleeping Computer has more details:

While TeamViewer states there is no evidence that its product environment or customer data has been breached, its massive use in both consumer and corporate environments makes any breach a significant concern as it would provide full access to internal networks.

In 2019, TeamViewer confirmed a 2016 breach linked to Chinese threat actors due to their use of the Winnti backdoor. The company said they did not disclose the breach at the time as data was not stolen in the attack.

Glenn Chisolm, Co-Founder, Obsidian had this to say:

“Identity compromise, which has been a driver in the TeamViewer incident, is a critical component of most breaches we see in customer environments, accounting for over 80% of SaaS breaches. We see TeamViewer deployed by 1-in-3 organizations – so ensuring that the breach is contained is the first big step for the company. 

Our advice to customers to minimize identity compromises is to follow 3 crucial steps – a) centralize identity access behind an IdP — often many apps also have local users, and ensuring the right levels of security is much harder in a distributed setting, b) federated access supported with the right levels of MFA to elevate the security, and c) monitor and protect employee accounts, especially administrative accounts, against abnormal behavior — such as can result from spear phishing attacks, AiTM phishing, and more.”

TeamViewer is something that I have been strongly recommending against since their 2016 hack that they only admitted to three years later. This reinforces the fact that if you use TeamViewer, you should strongly consider using another product. Because TeamViewer clearly cannot be trusted.

Leave a comment »

“Clusterbomb” Malware droppers hit over 50,000 victims 

Posted in Commentary with tags on June 28, 2024 by itnerd

Security researchers discovered a threat actor known as Unfurling Hemlock infecting target systems with up to ten pieces of malware simultaneously. Dubbed a “malware cluster bomb” by researchers, this method involves using one malware sample to spread additional ones on compromised machines. The malware mainly consisted of stealers, such as Redline, RisePro and Mystic Stealer, and loaders such as Amadey and SmokeLoader.

Outpost24’s KrakenLabs, the Cyber Threat Intelligence team, discovered this operation. Their findings reveal that Unfurling Hemlock’s activity dates back to at least February 2023 and employs a unique distribution method. KrakenLabs has identified over 50,000 “cluster bomb” files with distinct characteristics linking them to Unfurling Hemlock.

The attack begins with the execution of a file named ‘WEXTRACT.EXE’, which arrives on target devices through malicious emails or malware loaders that Unfurling Hemlock acquires from other operators. This executable contains nested compressed cabinet files, each level holding a malware sample and another compressed file. As each stage is unpacked, a new malware variant is dropped onto the victim’s machine. The final stage’s extracted files are executed in reverse order, with the most recently extracted malware executed first.

The researchers found that over half of Unfurling Hemlock’s attacks targeted systems in the United States, with significant activity also observed in Germany, Russia, Turkey, India, and Canada.

Evan Dornbush, former NSA cybersecurity expert had this to say:

   “KrakenLabs’ report demonstrates why it is critical to support cybersecurity research efforts. The attackers appear to have taken a multitude of known tools and packaged them up in a novel mechanism that could facilitate evasion from defensive technology or, if detected, only be partially caught and removed from infected systems. In other words, things the defensive community thought were “solved” are still able to have harmful impact. This report highlights how both attackers and defenders incrementally improve looking at prior works.”

Organizations and perhaps individuals have one more thing that they can add to the list of things that they need to create defences to stop. Making life hard for overworked teams who are responsible for stopping cyber threats.

Leave a comment »

The BlackSuit ransomware gang claims Responsibility For Kadokawa ransomware attack

Posted in Commentary with tags on June 28, 2024 by itnerd

The BlackSuit ransomware gang is claiming responsibility for a June 8th cyberattack on Kadokawa Corporation, threatening to publish stolen data unless a ransom is paid. The gang has set a deadline of July 1st for the ransom, warning that the released data will include contacts, confidential documents, employee data, business plans, and financial data.

Kadokawa Corporation is a major Japanese media conglomerate involved in film, publishing, and gaming, including the well-known game developer FromSoftware. The company reported net sales of approximately $1.6 Billion USD in 2023. The cyberattack caused service outages across multiple Kadokawa Group websites, significantly disrupting the company’s operations as they share the same data center. This attack particularly affected the popular Japanese video-sharing platform Niconico.

“In response to the system failure, Kadokawa is working on building a secure network and server environment,” explained the Wednesday update.

“Its top priority is to restore the accounting functions, which are fundamental to its business activities, and to normalize the manufacturing and distribution functions in the publication business, which generate considerable revenue. The accounting functions, owing partly to measures in an analog manner, are expected to be restored in early July.”

BullWall Executive, Carol Volk had this comment:

“As Kadokawa rebuilds its systems, focusing on the protective aspects of ransomware containment is crucial. A robust ransomware containment system offers significant benefits over simple Endpoint Detection and Response (EDR) solutions. While EDR is essential for identifying and mitigating threats, a comprehensive ransomware containment system ensures that sensitive data remains secure even during an attack. This approach not only detects but also isolates and neutralizes threats”

Cigent CGO Brett Hansen follows with this comment:

“Restoring critical functions and rebuilding the network is table stakes after a major attack and fortifying against similar threats. That said, it is more a matter of protection, than detection to ensure data remains safe during an attack. When data is protected at rest, it can remain safe during an attack. There are multiple ways to ensure an attacker in-system still cannot steal or encrypt your data. zero-trust, MFA, hidden partitions and encryption are all proven methods of protecting data at rest when properly implemented.”

I wish the company luck in restoring their systems. But in this day and age, you need a plan to keep the bad guys out, and a plan to fix everything if they do get in. I am not sure about the first part of this, but this organization is certainly testing the second part right now.

Leave a comment »

Texas Retina Associates Gets Pwned…. Lots Of Personally Identifiable Information Has Been Leaked

Posted in Commentary with tags on June 28, 2024 by itnerd

Ophthalmology practice Texas Retina Associates yesterday notified nearly 300,000 customers about a data breach earlier in the year that compromised names, Social Security numbers, medical info, health insurance info, addresses, and dates of birth:

On June 26, 2024, Texas Retina Associates (“Texas Retina”) filed a notice of data breach with the Attorney General of Texas after discovering that confidential information that had been entrusted to the company was subject to unauthorized access. In this notice, Texas Retina explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, Social Security numbers, addresses, medical information, health insurance information and dates of birth. Upon completing its investigation, Texas Retina began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.

Rogier Fischer, CEO and Co-Founder, Hadrian had this to say:

“We don’t have the specific details on the cause of breach or the impact of it, but based on the cases that we handled in the US, we see several issues firms in the US, particularly Texas, could face in such a situation. If a data breach occurs at a Texas-based firm, the Texas Business and Commerce Code mandates that the firm must notify affected individuals immediately. If over 250 residents are affected, the Texas Attorney General must also be informed. HIPAA rules come into play if any medical information was compromised, as in this case. The HIPPA provisions demand specific notifications and call for potential penalties on non-compliance.

The business or organization in question may face scrutiny from the FTC if their data security measures are deemed inadequate. Possible penalties in that case include fines, civil damages, and orders to improve our security protocols. Apart from the regulatory compliance issues, the organization could face potential class action lawsuits from affected individuals, citing negligence or breach of privacy. In this particular case, the Texas Attorney General could also pursue legal action, leading to civil penalties and mandated corrective actions.There are several steps to mitigate the damage in these situations, but adopting an offensive cybersecurity strategy is the best defense of all. Automated penetration testing keeps the organization a step ahead of their peers, while automated compliance and reporting ensures that the systems they have in place are up and updated all the time.”

I think it’s a pretty safe bet that Texas Retina Associates are about to come under a lot of scrutiny over this….. Whatever this is as details are pretty scarce. I hope they have answers for all the questions that they’ve about to be asked.

1 Comment »

Dynatrace Named a Winner in the 2024 Microsoft Americas Partner of the Year Awards

Posted in Commentary with tags on June 28, 2024 by itnerd

Dynatrace today announced it has been recognized as the winner of the 2024 Microsoft Americas Partner of the Year Award in the Commercial Marketplace, Canada category. The company received recognition among a group of top Microsoft partners for demonstrating innovation and successfully delivering customer solutions using Microsoft technologies.

The Microsoft Americas Partner of the Year Awards acknowledge Microsoft partners who have created and delivered exceptional Microsoft-based solutions, services, and devices in the past year. The award selections are categorized, with honorees selected from a pool of over 2,000 submitted nominations, and Dynatrace was recognized for providing outstanding solutions and services in the Commercial Marketplace category for Canada. Dynatrace was also named a winner of the Commercial Marketplace category for LATAM in addition to being acknowledged as a finalist for the ISV Innovator Award – Canada.

The Microsoft Partner of the Year Awards will be announced at the Americas Start for Partners, a digital event, which will take place on July 12 this year. Additional details on the 2024 awards are available on the Microsoft Americas Partner Blog.

To learn more about Dynatrace’s recognition in this year’s Microsoft Partner of the Year Awards, see the Dynatrace blog, Dynatrace recognized in the 2024 Microsoft Partner of the Year Awards.

Leave a comment »

LockBit Pwns Evolve Bank & Trust And NOT The Federal Reserve

Posted in Commentary with tags on June 27, 2024 by itnerd

Remember when I told you that the infamous ransomware group LockBit claimed to have pwned The Federal Reserve? Well that turns out to be incorrect because yesterday, Evolve Bank & Trust confirmed in an online statement that hackers stole retail bank and financial technology partners’ customers’ information and posted it on the dark web. Here’s the connection to the Federal Reserve. The documents that were posted in relation to the alleged Federal Reserve hack actually belonged to Evolve.

“33 terabytes of juicy banking information containing Americans’ banking secrets,” claimed LockBit on its leak site.

The bank said it is investigating the incident and it appears the hackers have released data including Personal Identification Information that varies by individual but may include:

  • Name
  • Social Security Number
  • Date of birth
  • Account information
  • Other personal information

Earlier this month, Evolve was subject to a Federal Reserve enforcement action and Tuesday LockBit’s dark web post linked a press release about the enforcement action alongside a collection of information apparently taken from the institution’s systems. 

Stephen Gates, Principal Security SME, Horizon3.ai had this to say:

   “Once an organization experiences a breach, and the smoke begins to clear after a deep investigation into what happened, the biggest question they need to ask is, “What do we do next?” Everything in the networking environment is now suspect, possibly riddled with other exploitable vulnerabilities and weaknesses that likely remain hidden. Teams must find the attack path that allowed the breach to happen, and they must uncover other attack paths that could enable it to happen again.

   “Now is the time to thoroughly assess the entire networking environment, both on-premises and cloud, but that could take months if not longer. And as one area gets assessed, and human assessors move on to the next, changes have already taken place in areas that were previously marked as secure. This is the time when autonomous assessment solutions meet a critical need.

   “These technologies are designed to find the original attack path (if it still remains a mystery) and other attack paths that remain unknown. Acting as force multipliers for human assessors, autonomous assessment solutions never tire as they scan the entire environment looking for other weaknesses such as easily compromised credentials, additional exposed data, unidentified software misconfigurations, inadequately implemented security controls, and unenforced security policies.

   “Some of these issues were probably uncovered by attackers when defenses were breached the first time. If they are not resolved now, the inescapable will likely happen again.”

At this point, Evolve has some explaining to do given the fact that it was subject to an enforcement action from the Federal Reserve. And Evolve’s customers will be waiting to hear those answers.

Leave a comment »

Action1 Achieves CSA STAR Level 1 Certification and Signs CISA’s Secure by Design Pledge

Posted in Commentary with tags on June 27, 2024 by itnerd

Action1 announced today it has secured Security, Trust & Assurance Registry (STAR) Level 1 Certification from the Cloud Security Alliance (CSA), the world’s leading organization promoting the use of security best practices within cloud computing and helping foster secure cloud environments through education. Additionally, Action1 has signed the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design Pledge. These initiatives underscore Action1’s commitment to internal security and solidify its position as a trusted vendor in the cloud-based patch management space.

As Action1 has achieved CSA STAR Level 1 successfully, it is now listed in CSA’s publicly accessible registry. The STAR registry lists cloud solutions from vendors that follow the strictest security and privacy controls, facilitating users in identifying vendors dedicated to maintaining data confidentiality, integrity, and availability. The CSA STAR program is recognized as the industry’s most powerful program for security assurance in the cloud.

Action1 is a cloud-native patch management platform enabling enterprises to rapidly discover and remediate vulnerabilities with a 99% patch success rate. It helps understaffed IT teams save time and reduce costs by streamlining third-party patching, including custom software, and OS updates, all fully integrated with full feature-parity and uniformity.

By signing CISA’s Secure by Design Pledge, Action1 has joined cybersecurity industry leaders in a unified commitment to enhancing software security standards. This pledge represents a significant step in ensuring that security is a foundational element in software development and is part of CISA’s global Secure by Design initiative, launched last year, which implements the White House’s National Cybersecurity Strategy.

These initiatives exemplify the high security standards of the Action1 cloud-native platform, which is also certified for ISO/IEC 27001:2022 and SOC 2 Type II by independent auditors. Visit action1.com/security to learn more about these certifications.

Leave a comment »

Sage study reveals IT channel partners embrace advisory roles to boost SMB digital agility

Posted in Commentary with tags on June 27, 2024 by itnerd

A new study from Sage reveals the evolving role of technology channel and reseller partners in the U.S. and Canada. The study indicates a shift from point solutions providers and integrators to strategic advisors for SMBs, unlocking significant growth opportunities and paving the way for greater digital agility.

The report, Small and medium-sized business demand for digital advisory services fuels IT channel growth’, surveyed 2,800 technology channel decision-makers globally, including in the U.S. and Canada, to better understand the key drivers impacting the IT channel and reseller market today. 

The research highlights that the majority of technology resellers in the U.S. (59%) and Canada (52%) have shifted their focus toward providing strategic advice and services, aiming to improve SMBs’ ability to swiftly adapt to market shifts, new technological breakthroughs and evolving customer demands.

The report found that almost three-quarters of SMBs in the U.S. (73%) and Canada (74%) see investing in digital agility as a high priority, believing it will drive business growth (30%), followed by enhance competitiveness in the U.S. (25%), and increase efficiency in Canada (26%). 

Key findings include:

  • Shift to Advisory Roles: U.S. and Canadian channel leaders are split on what is driving the shift to advisory roles with U.S. leaders citing the use of technology and data analytics for personalized solutions (59%), increased competition in the market requiring differentiation and value-added services (57%) and desire to build stronger customer relationships (55%). In Canada, leaders attribute the shift to the need to keep up with shifting customer demands (56%) and building stronger customer relationships (53%).
  • Digital Agility of SMBs: Almost two-thirds of Canadian SMBs (64%) and half of SMBs (51%) in the U.S. are recognized as ‘fairly digitally agile’ by channel leaders, highlighting their quick adoption of technologies that enhance efficiency and customer experience. However, only 39% of U.S. and 28% of Canadian partners feel SMBs are adequately prepared for future disruptions. Continuous investment in digital tools and training, supported by channel partners, is essential for maximizing the benefits of a digital-first approach. 
  • Challenges in Driving Digital Agility: The report identifies the main obstacle preventing channel partners from effectively supporting SMBs as the complexity of technology and integration processes. In the U.S., channel partners face significant challenges in providing advisory services, primarily due to keeping up with evolving technology and balancing priorities (both at 48%), along with SMB resistance to advisory services (45%). Similarly, in Canada, nearly half of the channel partners (47%) cite the complexity of technology and integration processes as the top hindrance to supporting SMBs’ digital agility journey.
  • Adoption of Innovative Technologies:  The majority of U.S. channel partners are focused on driving the adoption of innovative technologies (59%), while 52% of Canadian resellers are prioritizing offering strategic advice and solutions. This is to ensure that SMBs not only access but effectively utilize technology to enhance responsiveness and competitive edge in a rapidly changing market.
  • Critical Technologies: Channel leaders in both Canada (62%) and the U.S. (56%) believe cybersecurity solutions are the most instrumental in fostering digital agility. AI and automation followed closely, with 58% in Canada and 56% in the U.S. finding these as the second most critical technologies. Focusing on these areas can enhance SMB efficiency, and security.

Sage’s research underscores the importance of deepening collaboration between IT resellers and SMBs to fully harness new technologies and enhance resilience against market changes. By focusing on areas like cybersecurity, digital transformation, and operational efficiency, IT resellers can boost their growth while helping SMBs successfully navigate these challenges.

Summary of methodology 

The research questioned 2,800 decision makers in the tech industry whose company resells tech and IT supplies/services for various businesses in Canada, France, Germany, Portugal, South Africa, Spain, the United Kingdom and United States. The interviews were conducted in April and May 2024. 

This online survey was conducted by market research company OnePoll, in accordance with the Market Research Society’s code of conduct.  

Leave a comment »

Review: Western Digital My Passport SSD 1TB

Posted in Commentary with tags on June 27, 2024 by itnerd

This review started off in a weird way. A client of mine bought this at Best Buy because he saw some of the marketing claims on the box and figured that the Western Digital My Passport SSD in the 1TB size must be fast. But when it didn’t “feel” fast to him, he asked me to look at it because he figured that it was him and not the drive. Well, the short answer is that it’s the drive. But before I get to what I mean by that, let me give you a look at the drive in question:

In the box you get the drive (you do get to choose between 5 colours), a USB-C cable, and a USB-C to USB-A adapter. This is a good start as USB-C is used on the drive which means that getting replacement cables will be easy. On the drive itself is backup software which is likely more useful for PC users than Mac users who should use Time Machine instead. Though they will have to format the drive before that as the drive comes out of the box formatted for ExFAT. The drive itself is light despite being made of metal and feels solid enough. It claims to be shock resistant up to a 6.5 foot drop. Though I did not test that. And when I tried transferring files to it, it got warm to the touch. Which is fine as I have seen SSD drives get hot to the touch. This drives also supports 256-bit AES hardware encryption for those who are paranoid about keeping their data safe.

Now over to the testing part. Here’s a picture of the box that it came in so that I can show you the speed claim that Western digital makes:

Note the part that it says “Up to 1050 MB/s”. Flipping the box over and reading the fine print, they’re referring to read speed. And looking at the Western Digital website the company also says that it has up to 1000 MB/s write speeds. Those are very bold claims. But here’s what I got when I plugged the drive into my M1 Pro MacBook Pro which has Thunderbolt 4 via the included USB-C cable:

So I was able to confirm that Western Digital was correct on the write speeds as it hit 967.38. But the read speeds was significantly slower than what Western Digital claims. As in around 25% slower. I repeated this test on a PC with Thunderbolt 3 via the included USB-C cable and got similar results. So that suggests that it’s not the computer or the cable that’s responsible for those read speeds. Or lack thereof. It’s the drive that’s responsible. But to be fair to Western Digital. They did say “up to” so just like ISP’s who use that term to cover themselves when the Internet connections aren’t up to the speeds that they advertise, Western Digital has covered themselves. But this explains why the client felt the drive was “slow.” A 5% or even a 10% difference in read speed would likely not have been noticed by most people. But 25% will be noticed by most people. Also to be fair to Western Digital, this speed doesn’t suck. But it doesn’t measure up to the claims on the box.

Now does that mean that you should not buy this drive? As long as you’re not expecting the drive’s read speed to match what’s on the box, go ahead. It’s MSRP is $100 CDN so it’s not a lot of cash to spend. Just make sure you buy it direct from Western Digital or shop around as buying it from Best Buy will cost you $30 more for no good reason.

Leave a comment »

« Older Entries