Archive for January, 2025

« Older Entries

New York Blood Center Pwned In Ransomware Attack

Posted in Commentary with tags on January 31, 2025 by itnerd

The New York Blood Center, one of the world’s largest independent blood collection and distribution organizations, says a Sunday ransomware attack forced it to reschedule some appointments.

Here’s what happened:

On Sunday, January 26, New York Blood Center Enterprises and its operating divisions identified suspicious activity affecting our IT systems. We immediately engaged third-party cybersecurity experts to investigate and confirmed that the suspicious activity is a result of a ransomware incident. We took immediate steps to help contain the threat and are working diligently with these experts to restore our systems as quickly and as safely as possible. Law enforcement has been notified.

We understand the critical nature of our services, and the health of our communities remains our top priority. We remain in direct communication with our hospital partners and are implementing workarounds to help restore services and fulfill orders.

Paul Bischoff, Consumer Privacy Advocate at Comparitech, commented: 

“Ransomware gangs don’t discriminate between charitable organizations and for-profit companies. Medical organizations are frequently targeted because they can’t operate for long without their computer systems, and those systems store a lot of sensitive patient and employee data. That makes hospitals and clinics more likely to pay ransoms. Furthermore, hospitals employ a lot of non-IT staff that attackers can phish.”

For the second time today, I am writing about a health care organization who has been pwned. Seriously, the fact that this sector is pretty much easy prey for threat actors needs to change. And it needs to change right now.

1 Comment »

DOJ Takes Down Cracked And Nulled Marketplaces

Posted in Commentary with tags on January 31, 2025 by itnerd

The DOJ made an announcement detailing an international effort that seized the Cracked and Nulled Marketplaces. Prosecutors said this affected at least 17 million Americans.

The two forums were called Cracked and Nulled. According to the DOJ, since 2018, Cracked promised access to “billions of leaked websites” by letting users search for stolen login credentials and had over 4 million users who traded in cybercriminal tools and stolen information producing around $4 million in revenue.

The DOJ press release said that the accused “active administrator” of Nulled faces criminal charges with a maximum penalty of five years in prison for conspiracy to traffic in passwords, 10 years in prison for access device fraud, and 15 years in prison for identity fraud, the DOJ said.

Evan Dornbush, former NSA cybersecurity expert had this to say:

  “Historically attackers can more easily obtain information and tools than defenders, giving them a perpetual advantage. Actions like this make it more expensive for cyber criminals to operate and ultimately this is a good thing.

  “Lesser players who rely on purchasing tools and network access from these two marketplaces won’t be able to get started, raising the barrier to entry for their criminal enterprise aspirations.”

It’s great to see sites like these taken down by the forces of good. This is something that we need to see more of. A lot more of.

Leave a comment »

Another Report About A DeepSeek Jailbreak Surfaces

Posted in Commentary with tags on January 31, 2025 by itnerd

Hot off the heels of this report about a jailbreak related to DeepSeek, Wallarm published a new analysis revealing that its security researchers have discovered a novel jailbreak technique for DeepSeek V3. This technique allows researchers to ask questions and receive responses about DeepSeek’s root instructions, training, and structure. 

Other jailbreaks have focused on getting the LLM to discuss restricted topics or build something prohibited, like malicious software. Wallarm’s jailbreak focused on getting DeepSeek to share restricted data about itself, how it was trained, policies applied to its behavior, and other facts about the model. 

Wallarm contacted DeepSeek about this vulnerability, and they addressed it as quickly as an hour ago. DeepSeek V3 is no longer susceptible to this specific jailbreak technique. Wallarm also found evidence that DeepSeek is based on OpenAI, stating this has been demonstrated sufficiently elsewhere.

You can find the blog post now live at: https://lab.wallarm.com/jailbreaking-generative-ai/

Leave a comment »

Equinix partners with designer Maximilian Raynor to turn internet into a dress

Posted in Commentary with tags on January 31, 2025 by itnerd

Earlier today, Equinix – world’s leading digital infrastructure company unveiled the end-result of its partnership with LVMH scholar and emerging designer, Maximilian Raynor to personify the internet itself!

Maximilian has created a one-off, striking dress from ‘the internet’ which aims to physically embody the vast connectivity framework that influences our daily lives (social media, messaging, mobile banking, etc). The garment represents every click, text, or video stream, from Stockholm, to Sydney.

You should check out the Equinix blog post and interview with Maximilian, which detail the creation of the garment and the stories the materials tell! 

Leave a comment »

Over 1 million patients impacted by non-profit healthcare provider breach 

Posted in Commentary with tags on January 31, 2025 by itnerd

In a Thursday filing, non-profit, Connecticut healthcare provider Community Health Center (CHC) disclosed that it started notifying over 1 million patients of a data breach that impacted their personal and health data.

CHC said in the notice that a breach was discovered on January 2, 2025, two months after the unknown attackers gained access to its network in mid-October.

While the breach didn’t impact its operations, the threat actors stole files containing patients’ personal and health information belonging to 1,060,936 individuals.

“Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal’s activity did not affect our daily operations. We believe we stopped the criminal hacker’s access within hours, and that there is no current threat to our systems,” CHC said.

Stolen data includes a combination of:

  • Names
  • DOBs
  • Contact Information
  • SSNs
  • Medical diagnoses
  • Treatment details
  • Test results 
  • Health insurance details

In response to the incident, CHC said it has strengthened its security and added special software to “watch for suspicious activity” and working to make sure patient information “stays safe in the future.”

Emily Phelps, Director, Cyware:

  “Incidents in this sector underscore the ongoing risks healthcare providers face, with attackers gaining access to sensitive data like names, medical diagnoses, and insurance details. This incident highlights the urgency of securing healthcare infrastructures—protecting not just patient data, but the broader ecosystem of communication, collaboration, and care delivery. Strengthening threat intelligence management and automating security processes are essential steps in reducing vulnerabilities and enhancing defenses. Effective information sharing and a collective defense approach are critical in safeguarding healthcare organizations from these growing threats.”

Sometimes I feel like I am a broken record. But the healthcare sector needs to do better. Getting pwned on a constant basis is something that simply must not continue. It needs to be addressed as an urgent problem. And I have to be honest, I don’t know if that sector really takes this problem seriously.

UPDATE: Erich Kron, Security Awareness Advocate at KnowBe4 adds this: 

“The repeated successful attacks against healthcare organizations have become a very frustrating problem both for organizations and for the individuals caught up in the breaches. The medical industry collects and stores some of the most sensitive information individuals have, including specific medical diagnoses, treatments, medications, and other information that most people don’t want in the public eye. Unfortunately, these medical facilities are targeted consistently and seem to be struggling to defend themselves.”

“For a long time, the healthcare industry has struggled with balancing costs and expenses, while hiring enough employees to ensure high levels of service to their patients. The most common way for bad actors to spread ransomware, or make initial network intrusions successful, is by targeting the employees within these organizations. Unfortunately, many healthcare organizations remain understaffed, and their staff can be overworked, leading to errors and mistakes simply through fatigue and ongoing stress, adding to the risk of an incident.”

“For organizations in these industries, it is critical that the human risk is addressed in their cybersecurity plans, and that employees are given the education, tools, and resources they need to defend themselves against bad actors. Employees need to be able to quickly and efficiently spot and report suspected social engineering attacks to teams within their organization, allowing them to continue their work with the least amount of disruption. This industry has proven to be a significant challenge when it comes to securing information, but clearly, we must focus on improving the protection of this sensitive patient information.”

Leave a comment »

New Research from Unit 42 Reveals DeepSeek is Vulnerable to Jailbreaking

Posted in Commentary with tags on January 31, 2025 by itnerd

Palo Alto Networks’ threat intelligence team, Unit 42, released research revealing that DeepSeek is concerningly vulnerable to jailbreaking and can produce nefarious content with little to no specialized knowledge or expertise.

The new research exposes the security risks of employees using unauthorized third-party LLMs and stresses the need to address these vulnerabilities when integrating open source LLMs into business processes. 

The research reveals: 

  • High bypass/jailbreak rates, highlighting the potential risks of emerging attack vectors that can be used by malicious actors
  • Jailbreak methods can elicit explicit guidance for malicious activities and could greatly accelerate their operations
  • Malicious activities include creating keyloggers—software or hardware designed to record keystrokes on a computer or device—as well as stealing and exfiltrating data, demonstrating the security risks to businesses. 

In addition to the research, the team shared commentary from Sam Rubin, SVP of Consulting and Threat Intelligence of Unit 42, discussing the findings.

Unit 42’s DeepSeek jailbreaking research shows that we can’t always trust that LLMs will work as they intend — they are able to be manipulated. It’s important that companies consider these vulnerabilities when building open source LLMs into business processes. We have to assume that LLM guardrails can be broken and safeguards need to be built in at the organizational level.

And, as organizations look to leverage these models, we have to assume threat actors are doing the same—with the goal of accelerating the speed, scale, and sophistication of cyberattacks. We’ve seen evidence that nation state threat actors are leveraging OpenAI and Gemini to launch attacks, improve phishing lures, and write malware. We expect attacker capabilities will get more advanced as they refine their use of AI and LLMs and even begin to build AI attack agents. 

You can read the research here.

1 Comment »

macOS Sequoia 15.3 Fixes An Annoyance That I Tripped Over… Are Other Issues Fixed As Well?

Posted in Commentary on January 31, 2025 by itnerd

macOS Sequoia has been a bit of a mess in terms of the quality of the software since it was released. I say that because there were a number of issues and oddities that quite honestly, shouldn’t had made it to the streets. In fact, I have been actively telling my clients not to upgrade their Macs until a lot of these issues get sorted. With the release of 15.3 earlier this week, things might be improving.

Back in mid December when macOS 15.2 hit the streets, there was something odd that I tripped over. When a Mac such as my Mac mini was plugged into a TV via HDMI, it would show the icon in the menu bar that the screen was being mirrored. This would not happen if you had the same computer plugged into a monitor. I later discovered that it was apparently a change that Apple made. At the time I said this:

I honestly wish Apple found some more elegant method of doing this. I say that because I am sure that the AppleCare helpline is being hit with calls regarding this, which is something that could have been avoided by a better UI design. But what do I know? After all Apple knows best right?

I guess Apple must have figured out that this wasn’t a good change to make because in macOS Sequoia 15.3, it no longer shows that a Mac plugged into a TV over HDMI is being mirrored. I can only think of two reasons why this was fixed:

  1. The AppleCare helpline got bombarded with calls and they needed to make that stop.
  2. Someone internally got a clue and said that this was a stupid idea that they needed to change direction on this.

Either way, I am glad that Apple addressed this as this is one thing that is off my list of annoyances with Sequoia. Now in case you were wondering, here’s some other issues and oddities that I have been tracking since Sequoia came out:

That I can confirm is accurate via the WayBack Machine as the text on that page was completely different in late 2024. On the surface, it seems that Apple has made another design decision that was poorly communicated. Why Apple insists on doing these design changes and not telling anyone, I do not know. But it looks like we’re done with this issue as Apple clearly is done with this issue.

Now if Apple has fixed the Time Machine issues, I would start to feel comfortable enough with recommending it to my clients. That’s because many of my clients who aren’t businesses or enterprises use Time Machine to back up. Thus the fact that it doesn’t work reliably is a hard no for many of my clients. Stay tuned to see if that has been fixed, or if we’re going to be waiting until Apple decides that is something worthy of getting a fix from them instead of focusing totally on that dumpster fire known as Apple Intelligence.

UPDATE: It doesn’t fix the ongoing issues with Time Machine. Sigh.

Leave a comment »

DeepSeek Is In The News For All The Wrong Reasons

Posted in Commentary with tags on January 30, 2025 by itnerd

A few days ago, DeepSeek was setting the world on fire because the AI that it put on the table offered strong LLM performance at a much lower cost to train. That made heads explode. But heads are exploding again with news that cybersecurity researchers from Wiz have found a ClickHouse database owned by Chinese AI start-up DeepSeek containing over a million lines of chat history and sensitive information. The database was publicly accessible and allowed the researchers full control over database operations. That too made heads explode. And this is on top of attacks DeepSeek.

Gunter Ollmann, CTO, Cobalt had this to say:

“The DeepSeek exposure highlights a critical and recurring issue—organizations, especially those innovating rapidly in AI, often prioritize speed over security. Wiz’s discovery reinforces the importance of proactive security testing, particularly as attack surfaces expand with cloud-based infrastructure and publicly accessible APIs. Given DeepSeek’s recent global recognition and growth in the AI space, the breach could have had a huge impact, significantly affecting businesses and individuals relying on their services, with potential ripple effects across industries.

This case underscores why organizations must continuously evaluate the robustness of their defensive controls —not just to meet compliance, but to protect sensitive data and improve their risk posture. Offensive security, including penetration testing and attack surface monitoring, is essential in identifying these open doors before adversaries do. AI-driven platforms like DeepSeek must integrate security testing into their development lifecycle, ensuring rigorous assessments of infrastructure, access controls, and data handling policies.

AI may be “new” but the basics of security processes and controls still apply.

As AI companies become integral to critical infrastructure, security can’t be an afterthought. The industry needs to adopt a proactive mindset—regular pentesting, red teaming, and continuous attack surface monitoring—to safeguard both intellectual property and customer trust.”

The more I hear about DeepSeek, the more I think that this is an AI that should be avoided. They don’t seem to have their act together, and that’s on top of them being based in China which by itself should set off alarm bells.

1 Comment »

Aviso Selects Darktrace ActiveAI Security Platform

Posted in Commentary with tags on January 30, 2025 by itnerd

Darktrace, a global leader in AI for cybersecurity, today announced that Aviso, one of Canada’s leading wealth services suppliers, has selected the Darktrace ActiveAI Security Platform to secure its organization’s digital ecosystem.

With over CAN$140 billion in assets under administration and management, Aviso is a leading wealth services supplier for the Canadian financial industry. The organization provides services to nearly all credit unions across Canada and to a wide range of portfolio managers, investment dealers, insurance and trust companies and introducing brokers. Seeing digital transformation and modernization as strategic opportunities to differentiate and drive growth, Aviso is focused on building a technology-enabled, client-centric wealth management ecosystem. Implementing a robust, modern cybersecurity strategy that keeps networks, systems, people and data secure is vital for excellent client service and Aviso’s overall growth journey.

Financial services organizations are often a top target for cyber-criminals, with this industry subject to attacks from a broad range of threat actors ranging from organized and well-funded cyber-criminal groups with financial motivations to hacktivist groups seeking to cause disruption and wreak havoc in the markets.

Faced with a rapidly evolving threat landscape, Aviso wanted to free its security team from time-consuming manual processes, including investigating an overwhelming volume of security alerts. As part of its plan to create a modern cybersecurity strategy, Aviso turned to Darktrace’s pioneering AI technology to help their security team overcome alert fatigue, while freeing up time to focus on more proactive efforts like vulnerability management and enhancing business practices in other areas such as service, operations and compliance.

Aviso is using a variety of components of the Darktrace ActiveAI Security Platform, including Darktrace / EMAIL for user-focused and business-centric approach to email security, Darktrace / NETWORK and Darktrace / ENDPOINT for industry leading network detection and response capabilities, Darktrace / IDENTITY for robust identity management and Darktrace Managed Detection and Response. The Darktrace ActiveAI Security Platform, underpinned by Darktrace’s unique Self-Learning AI engine, learns what is normal behavior for Aviso’s entire network, continuously analyzing, mapping and modeling every connection to create a full picture of devices, identities, connections and potential attack paths. Darktrace uses this deep understanding of Aviso’s enterprise network to identify suspicious behavior and autonomously respond without disrupting business operations to secure Aviso’s entire digital footprint.

In just one month, Aviso tracked 6.7 billion network events using Darktrace / NETWORK; of those events, Darktrace autonomously investigated 23 million alerts, saving Aviso’s team an estimated 1,104 hours of manual investigation.

To learn more about how Darktrace helps protect Aviso, check out the case study. 

Leave a comment »

New Research Exposes FUNNULL CDN Renting IPs from Big Tech Like AWS & MSFT for Laundering

Posted in Commentary with tags on January 30, 2025 by itnerd

Today, Silent Push announced that its threat analysts have discovered threat actors enabled by mainstream cloud providers, including Amazon Web Services (AWS) and Microsoft Azure. 

New details uncovered in the course of this reporting indicate that FUNNULL is likely using fraudulent or stolen accounts to acquire these IPs to map to their CNAMEs, and providers we have spoken to claim this wasn’t caught in real time due to visibility holes from the technical complexity of their DNS architecture.

Additional key findings include:

  • FUNNULL has rented over 1,200 IPs from Amazon and nearly 200 from Microsoft. Although most IPs have been taken down, new ones are acquired every few weeks.
  • There are indications of FUNNULL illicitly acquiring the IPs using stolen or fraudulent accounts. However, external visibility into this process is limited.
  • Money laundering is directly associated with a service hosted on shell websites, retail phishing schemes, and pig-butchering scams being kept online via infrastructure laundering.

This is now live at https://www.silentpush.com/blog/infrastructure-laundering/

Leave a comment »

« Older Entries