Archive for August 20, 2024

Unit 42 Research Unveils Biggest Attack Surface Risks

Posted in Commentary with tags on August 20, 2024 by itnerd

Recently, Palo Alto Networks released the 2024 Unit 42 Attack Surface Threat Report unveiling the biggest risks facing the growing attack surface and key recommendations for organizations to strengthen their security postures.

Key points from the report:

  • Attack surface change inevitably leads to exposures: Across industries, attack surfaces are always in a state of flux.
    • On average, an organization’s attack surface has over 300 new services every month. 
    • These additions account for nearly 32% of new high or critical cloud exposures for organizations.
  • Opportunities for lateral movement and data exfiltration are abundant: Just 3 categories of exposures – IT and Networking Infrastructure, Business Operations Applications, and Remote Access Services – account for 73% of high-risk exposures across the organizations studied.
    • These can be exploited for lateral movement and data exfiltration.
  • Critical IT and security services are dangerously exposed to the internet: Over 23% of exposures involve critical IT and security infrastructure, opening doors to opportunistic attacks.
    • These include vulnerabilities in application-layer protocols like SNMP, NetBIOS, PPTP, and internet-accessible administrative login pages of routers, firewalls, VPNs, and other core networking and security appliances.
  • Industry Attack Surface Outlook
    • Analysis revealed that the media and entertainment industry experienced the highest rate of new services added, exceeding 7,000 per month. 
    • The telecommunications, insurance, pharma and life sciences sectors also faced substantial increases, with over 1,000 new services added to their attack surfaces. 
    • Critical industries such as financial services, healthcare, and manufacturing saw their attack surfaces add over 200 new services every month. 
    • For the past three years, Unit 42 analysis has consistently identified professional services, healthcare, high technology, finance, manufacturing, wholesale and retail as the top 6 industries to which we’ve provided IR services.

You can read the report here.

Vulnerabilities In Microsoft Apps Could Allow Hackers To Pwn macOS Users…. And Microsoft Won’t Fix These Vulnerabilities

Posted in Commentary on August 20, 2024 by itnerd

Cisco’s Talos Intelligence group has a very interesting blog post that any macOS user who runs Microsoft apps should read. First, the bad news from said blog post:

Cisco Talos recently conducted an analysis of macOS applications and the exploitability of the platform’s permission-based security model, which centers on the Transparency, Consent, and Control (TCC) framework.

We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification. If successful, the adversary could gain any privileges already granted to the affected Microsoft applications. For example, the attacker could send emails from the user account without the user noticing, record audio clips, take pictures or record videos without any user interaction. 

All of that is pretty bad. Now here’s what’s worse:

Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues. 

Lovely. I can say with confidence that someone will look at this and say “that’s a great way to get into a Mac and use it for my evil purposes.” Then this will become a major problem. And you have to wonder what Microsoft will do at that point. Though there’s always the possibility that Apple will force Microsoft to do something, as it is their platform after all. I would love to be a fly on the wall when that conversation happens. In the meantime, there are no mitigations for these vulnerabilities at present. So you’ll just have to do your best to be careful out there.
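Since the Talos post says some of the affected apps allow loading of unsigned libraries to support plugins, one thing a Mac admin can do today is inventory which installed apps opt out of library validation, so the ones that already hold microphone, camera or mail permissions can be watched more closely. The script below is an added example written for this post, not code from Cisco Talos or Microsoft. The entitlement key `com.apple.security.cs.disable-library-validation` is a real macOS hardened-runtime entitlement; it is assumed here that `codesign -d --entitlements -` prints an app’s entitlements as an XML plist, and the sample entitlements embedded in the script are constructed, not taken from any real app.

```shell
#!/bin/sh
# Added example (not from the Talos post or Microsoft): report installed apps
# that disable library validation, i.e. may load unsigned plugin libraries.

# Constructed sample entitlements (not from any real app), used to show the
# parser and to let the script run somewhere without `codesign`.
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
  <key>com.apple.security.device.microphone</key>
  <true/>
</dict></plist>'

# Given entitlements plist text, return 0 (true) when the app disables library
# validation; the value is the <true/> line that follows the key.
lib_validation_disabled() {
    printf '%s\n' "$1" \
        | grep -A1 'com.apple.security.cs.disable-library-validation' \
        | grep -q '<true/>'
}

# Walk an applications directory (default /Applications) and print each bundle
# that disables library validation. Assumption: `codesign -d --entitlements -`
# prints the entitlements as an XML plist on stdout. Without macOS/`codesign`
# every bundle is skipped and the function still returns 0.
audit_apps() {
    dir=${1:-/Applications}
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        ents=$(codesign -d --entitlements - "$app" 2>/dev/null) || continue
        if lib_validation_disabled "$ents"; then
            printf '%s: library validation disabled (unsigned libraries may load)\n' "$app"
        fi
    done
    return 0
}

# Demo on the constructed sample, then the real audit.
if lib_validation_disabled "$SAMPLE_ENTITLEMENTS"; then
    echo "sample: library validation disabled"
fi
audit_apps
```

Run it as `sh audit_libvalidation.sh` on the Mac in question; on macOS versions whose `codesign` emits the older binary-prefixed entitlements blob, add `--xml` to the `codesign` call so the output is plain plist text. An app on the list is not vulnerable by itself, but if it also holds TCC grants for the microphone, camera or mail, it is exactly the combination the Talos post describes, so it belongs on the watch list until the vendor ships a fix.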

Alabama Cardiovascular Group Pwned By Hackers With Patient Data Being Swiped

Posted in Commentary with tags on August 20, 2024 by itnerd

The Alabama Cardiovascular Group (ACG) began notifying nearly 280,500 current and past patients, physicians and employees that hackers stole their sensitive information.

ACG has about two dozen physicians and said it became aware on July 2nd that an unauthorized party accessed its computer network, resulting in its network being severed from the internet. An investigation determined that threat actors accessed internal systems between June 6 and July 2, 2024.

The information impacted by the incident varies by individual but may include:

  • SSNs
  • Health insurance information and claims
  • Usernames and passwords
  • Payment cards
  • Bank account information
  • Dates of medical services
  • Diagnoses
  • Medications
  • Images
  • Lab results
  • Other treatment information

Steve Hahn, Executive VP, BullWall:

   “It is a matter of when, not if, public facing companies will experience a breach and often, a full on Ransomware Attack. Prevention tools that exist today are not enough, as is evidenced by these ongoing attacks. Medical groups and hospitals have become a favorite for these attacks this past year. In fact, the ransomware group ALPHV (Blackcat) told the FBI, after the FBI claimed falsely that they “took down” the group, that they would now focus all of their efforts on US healthcare organizations. This attack does not mention a ransom demand, but once you have been breached and data exfiltrated, the damage can be just as severe.

   “Organizations can no longer rely solely on prevention. They have to have containment and mitigation strategies in place. They can continue to work to try to stop them, but they have to also plan on the inevitable and work out rapid Ransomware “containment” and mitigation strategies as well as plans for how to rebuild after the event.”

This is yet another example of a health care organization being pwned by hackers. At this point, it should be beyond clear that more needs to be done to ensure that these organizations are not easy targets for threat actors.

VPN Usage Surges In Brazil After Elon Closes Twitter Operations In Brazil

Posted in Commentary with tags on August 20, 2024 by itnerd

VPN Mentor just published research on an increase in VPN demand in Brazil, which is directly tied to Elon Musk doing Elon Musk things. Specifically, closing Twitter’s operations in Brazil rather than obeying a court order.

Two things are interesting about this. First is this:

Earlier this year, Moraes opened a criminal inquiry into Elon Musk after X’s owner said he would defy a court order by lifting restrictions on designated accounts. Then the company seemed to reverse course and said it would block the accounts after all.

But of course, Elon being anything but an honest broker, he has decided to flip Moraes off instead and stop operating in the country rather than obey this order. That brings us to VPN Mentor’s observations. Despite Twitter still being available in the country, VPN Mentor analyzed user demand data in Brazil after Musk announced the closure of Twitter’s operations there, and observed a surge of 151% in VPN demand. This is, I guess, based on people’s fears that either Elon will keep Twitter from being available in Brazil, or the government might block it.

You will find all the details of VPN Mentor’s findings here: https://www.vpnmentor.com/news/vpn-demand-surge-brazil/

Rumours Of Action1 Being Purchased Have Been Put To Bed

Posted in Commentary with tags on August 20, 2024 by itnerd

Action1 got into the news recently via a leaked email that sparked a discussion on Reddit about the company potentially getting purchased by CrowdStrike. Yes, the same CrowdStrike that has been in the news recently for all the wrong reasons.

You can put that to bed as of today as the company just announced its decision to remain a founder-led company. Despite receiving multiple acquisition inquiries over the past year, including from well-known industry players, Action1 has chosen to continue operating independently to fully realize its vision.

Alex Vovk, CEO and Co-Founder of Action1 had this to say:

“We are honored by the interest we have received from major industry players, as it validates our strategy and leadership in the space. However, after careful consideration, we have determined that remaining founder-led is the best path forward. While it is tough to turn away from significant financial opportunities, we believe our future is far brighter as an independent company.”

Action1’s vision is a world where cyberattacks exploiting vulnerabilities are entirely prevented across all types of devices, operating systems, and applications.

Mike Walters, President and Co-Founder of Action1 added this:

“We are excited to continue on the path of innovation and are deeply grateful to our customers worldwide for their trust and support.”

So I think that today’s announcement should put any rumours of Action1 being purchased to bed once and for all.