Archive for February 18, 2025

XCSSET macOS Malware Reappears With New Attack Strategies

Posted in Commentary with tags on February 18, 2025 by itnerd

Microsoft has warned that a new variant of XCSSET malware is actively targeting macOS users. “The latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies,”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented:

“Downloading, running, or re-using any code from any repository is taking a big risk. If you download and reuse code that you yourself or someone you greatly trust did not write, you have to inspect it. This is a lesson the world has known about the threat of reusing other people’s code since the late 1970s. In 1984, one of the co-creators of Unix, Ken Thompson, wrote a seminal paper on the trustworthiness of code titled Reflections on Trust. He summarized it by stating, “You can’t trust code that you did not totally create yourself.” He footnotes a 1974 software security paper entitled Multics Security Evaluation: Vulnerability Analysis that says the same. Unfortunately, almost none of today’s programmers are taught basic ‘secure code’ skills, and hence each generation of programmers seems to have to learn the same mistakes of the past. We need all of today’s programming curriculums teaching secure coding, including the need to be wary of and inspect others’ code, and we need employers who hire programmers requesting that those programmers come with secure coding skills.”

“It’s a little ironic to see Microsoft pointing out and defending against Mac vulnerabilities and threats, especially before Apple does. But that’s testament to today’s interconnected world and the shift that Microsoft has made in better protecting the entire ecosystem.”

This is a reminder that Mac users are not immune to threats. They need to practise good computing habits such as these, because threats like this one are becoming more and more common on the Mac platform, which means that you need to be on guard at all times.

Microsoft Tracks Storm-2372, Who Are Behind A Wave Of “Device Code Phishing” Attacks

Posted in Commentary with tags on February 18, 2025 by itnerd

Researchers at Microsoft have discovered a group that has been dubbed Storm-2372 using “device code phishing”, a technique that tricks users into logging into productivity apps so that the attackers can capture the tokens issued at login and use them to access the compromised accounts. The researchers believe this group could be aligned with Russia’s interests and tradecraft:

Today we’re sharing that Microsoft discovered cyberattacks being launched by a group we call Storm-2372, who we assess with medium confidence aligns with Russia’s interests and tradecraft. The attacks appear to have been ongoing since August 2024 and have targeted governments, NGOs, and a wide range of industries in multiple regions. The attacks use a specific phishing technique called “device code phishing” that tricks users into logging into productivity apps while Storm-2372 actors capture the information from the log in (tokens) that they can use to then access compromised accounts. These tokens are part of an industry standard and, while these phishing lures used Microsoft and other apps to trick users, they do not reflect an attack unique to Microsoft nor have we found any vulnerabilities in our code base enabling this activity.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“The best piece of advice I can give anyone to fight phishing of any type is this: If you receive an unexpected message, no matter where received (e.g., in-person, email, browser, social media, SMS, etc.) and it is asking you to do something you’ve never done before, research it outside of the information given in the message before performing. If more people followed this advice, there would be far less successful phishing. This applies to device code phishing.”

“Device code phishing attacks aren’t new, but the use by a possible nation-state aggressor does significantly increase the risk to those targeted victims. And let’s remember that today’s most likely targeted victim is a regular person or regular company. Nation-states no longer focus on traditional nation-state targets like government or military agencies or contractors.”

“One of the most concerning aspects of this attack is the ability for the attacker to get the victim’s primary refresh token, which is a Microsoft Azure-only specialized authentication access token, which allows the attacker to access any of the involved apps the victim is using. When a traditional browser access control token is stolen, it gives the attacker access to only the involved site/service/app that the token was generated by. But the primary refresh token can be used to access any app the victim has access to. Its power is exponential.”

These are the sorts of attacks that can be mitigated, if not stopped, with more user awareness and training. Therefore I challenge organizations to invest in user training and to run simulated attacks, so that users become less of a risk to the organization.
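In a device code phishing campaign it is the attacker, not the victim, who completes the device code flow: the victim is lured into entering a code, and the resulting tokens land with whoever started the flow. That leaves a trace in sign-in logs. Successful device-code sign-ins arrive from an address the user has never signed in from, and one phishing host often completes the flow for several victims. The Python script below is an added example, not code from Microsoft’s report or from this post, showing that review over constructed sign-in records. The field names (`user`, `ip`, `country`, `protocol`, `result`) and the `deviceCode` protocol value are assumptions about what an identity provider’s sign-in export might look like, not a real schema.

```python
"""Review sign-in records for device-code sign-ins that look like a phishing campaign.

Added example. The log format below is constructed: the field names and the
"deviceCode" protocol value are assumptions, not a real identity provider schema.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed JSON-lines sign-in log. 203.0.113.77 and country "ZZ" stand in for
# an address and location the organization has never seen before.
SAMPLE_SIGN_IN_LOG = """\
{"time": "2025-02-10T08:01:00Z", "user": "alice@example.test", "ip": "198.51.100.10", "country": "CA", "protocol": "browser", "result": "success"}
{"time": "2025-02-11T09:12:00Z", "user": "alice@example.test", "ip": "198.51.100.10", "country": "CA", "protocol": "browser", "result": "success"}
{"time": "2025-02-11T09:30:00Z", "user": "bob@example.test", "ip": "198.51.100.22", "country": "CA", "protocol": "browser", "result": "success"}
{"time": "2025-02-12T10:00:00Z", "user": "carol@example.test", "ip": "198.51.100.33", "country": "CA", "protocol": "deviceCode", "result": "success"}
{"time": "2025-02-18T14:02:00Z", "user": "alice@example.test", "ip": "203.0.113.77", "country": "ZZ", "protocol": "deviceCode", "result": "success"}
{"time": "2025-02-18T14:05:00Z", "user": "bob@example.test", "ip": "203.0.113.77", "country": "ZZ", "protocol": "deviceCode", "result": "success"}
"""


@dataclass(frozen=True)
class Finding:
    user: str
    ip: str
    reasons: tuple


def parse_sign_ins(text: str) -> list:
    """Parse one JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def interactive_baseline(events: list) -> dict:
    """Countries each user has successfully signed in from via ordinary (non-device-code) flows."""
    baseline = defaultdict(set)
    for e in events:
        if e["protocol"] != "deviceCode" and e["result"] == "success":
            baseline[e["user"]].add(e["country"])
    return baseline


def find_suspicious_device_code_sign_ins(events: list, min_shared_users: int = 2) -> list:
    """Return findings for successful device-code sign-ins that look attacker-completed.

    A sign-in is reported when its country is outside the user's interactive
    baseline, or when the same source IP completed device-code sign-ins for
    min_shared_users or more distinct users (one phishing host, many victims).
    """
    baseline = interactive_baseline(events)
    device_code = [e for e in events if e["protocol"] == "deviceCode" and e["result"] == "success"]

    users_per_ip = defaultdict(set)
    for e in device_code:
        users_per_ip[e["ip"]].add(e["user"])

    findings = []
    for e in device_code:
        reasons = []
        known = baseline.get(e["user"], set())
        if known and e["country"] not in known:
            reasons.append(f"country {e['country']} is outside the user's interactive baseline {sorted(known)}")
        shared = len(users_per_ip[e["ip"]])
        if shared >= min_shared_users:
            reasons.append(f"{shared} distinct users completed device-code sign-ins from {e['ip']}")
        if reasons:
            findings.append(Finding(e["user"], e["ip"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_sign_ins(parse_sign_ins(SAMPLE_SIGN_IN_LOG)):
        print(f"{f.user} via {f.ip}")
        for r in f.reasons:
            print(f"  - {r}")
```

On the constructed log this reports alice and bob, both completed from 203.0.113.77, and leaves carol’s single device-code sign-in alone, since the device code flow has legitimate uses (headless devices, for example) and a lone sign-in from a familiar location is not evidence of anything. Detection of this kind is a backstop; where an organization has no need for the device code flow, disabling it at the identity provider removes the lure entirely.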

Xerox Printer Vulnerability Could Enable Windows Active Directory Credentials Exploit

Posted in Commentary with tags on February 18, 2025 by itnerd

Researchers have uncovered vulnerabilities in Xerox VersaLink C7025 multifunction printers (MFPs) that could have enabled pass-back attacks. In a pass-back attack, a malicious actor alters the MFP’s configuration so that the device sends its stored authentication credentials to a host the attacker controls, where they can be captured.

You can read the details here: https://www.rapid7.com/blog/post/2025/02/14/xerox-versalink-c7025-multifunction-printer-pass-back-attack-vulnerabilities-fixed/

Martin Jartelius, CISO at Outpost24, had this comment:

“While the vulnerabilities in the Xerox VersaLink C7025 printer are important to address, they do not pose a high risk in most corporate environments, as these printers are typically not accessible from the internet.

“However, capturing authentication credentials could allow an attacker to move laterally within the organization, which becomes a concern if the network lacks proper segmentation.

“The solution lies in strengthening security by restricting access to the printer’s administrative settings and ensuring the printer is configured correctly.

“The first step is to prevent unauthorized access by locking down the configuration page. Additionally, FTP and LDAP credentials both rely on plain-text protocols, which are outdated and vulnerable; even without changing any settings on the printer, a network tap could expose this information. To improve security, use authentication protocols that are inherently more secure and avoid using older protocols like FTP (defined in 1971) and LDAP (defined in 1997).

“The correct approach to mitigating these risks is universal, regardless of the printer model or software used: set a complex password for the admin account, avoid using Windows authentication accounts with elevated privileges (such as domain admin accounts for LDAP or scan-to-file SMB services), and prevent enabling the remote-control console for unauthenticated users. Implementing strong network security practices, including proper segmentation, will help protect critical systems and limit unnecessary connections between devices.” 

Regardless of the risk, any organization that has one of these printers should take a look at this to get the update that addresses this issue. And they should do so ASAP as now that this is out there, threat actors are going to use it to pwn the unsuspecting.

UPDATE: Jim Routh, Chief Trust Officer at Saviynt adds this:

“Both of the vulnerabilities identified related to administering Xerox printers and obtaining administrator credentials (CVE-2024-12510 and CVE-2024-12511) are indicative of the preference of cyber criminals today to pursue the acquisition of user credentials as the preferred method of attack on enterprises. In this case, threat actors focus on the administration of multifunction printers connected to enterprise networks that also have internet connectivity for users and administrators. In certain configurations with LDAP, user credentials to Windows Active Directory can be harvested for criminal activity. Both vulnerabilities are dependent on specific enterprise configuration settings and the potential for exploitation will vary from enterprise to enterprise.

Reducing the need for credentials (passwordless options) is the most effective way to shrink this specific attack surface. Other methods include adjustments to configuration settings for LDAP and Windows device administration settings.”
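The pass-back attack described in this post works by redirecting the credentials the MFP holds (for LDAP lookups, scan-to-file SMB shares, FTP) to a host the attacker controls, and Jartelius’s point about plain-text protocols applies even when nothing on the printer has been touched. One check a defender can run with ordinary network telemetry is to compare the printer’s outbound connections on those services against the servers it is actually supposed to talk to. The Python script below is an added example, not code from Rapid7, Xerox or this post: it audits constructed connection-log lines and raises a high-severity alert for any tracked service reaching an unapproved destination, plus a low-severity note when an approved server is reached over a cleartext protocol. The log layout, the printer address, the internal range and the approved-server list are all constructed assumptions.

```python
"""Audit a printer's outbound authentication-carrying connections against an approved list.

Added example. The connection-log layout, printer address, internal range and
approved servers below are constructed assumptions for illustration.
"""
import ipaddress
from collections import namedtuple

# Constructed connection log: time, source IP, destination IP, destination port, transport.
SAMPLE_CONNECTION_LOG = """\
2025-02-18T09:00:01Z 10.20.5.15 10.20.1.10 389 tcp
2025-02-18T09:00:05Z 10.20.5.15 10.20.1.20 445 tcp
2025-02-18T09:15:42Z 10.20.5.15 10.20.9.200 389 tcp
2025-02-18T09:16:10Z 10.20.5.15 203.0.113.45 21 tcp
2025-02-18T09:20:00Z 10.20.7.88 10.20.1.10 389 tcp
"""

PRINTER_HOSTS = {"10.20.5.15"}                              # assumed MFP address
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed corporate range

# Ports on which the MFP presents stored credentials, and the only servers it should reach on each.
TRACKED_SERVICES = {389: "LDAP", 636: "LDAPS", 445: "SMB", 21: "FTP"}
APPROVED_SERVERS = {
    389: {"10.20.1.10"},   # directory server used for address-book lookups
    636: {"10.20.1.10"},
    445: {"10.20.1.20"},   # scan-to-file share
    21: set(),             # FTP is not approved anywhere
}
CLEARTEXT_PORTS = {389, 21}  # credentials cross the network unencrypted on these

Alert = namedtuple("Alert", "severity src dst port service message")


def parse_connection_log(text: str) -> list:
    """Parse whitespace-separated records; blank lines are ignored."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        records.append({"time": ts, "src": src, "dst": dst, "port": int(port), "proto": proto})
    return records


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def audit_printer_egress(records: list, printers=PRINTER_HOSTS, approved=APPROVED_SERVERS) -> list:
    """Return alerts, in log order, for printer connections that could leak credentials.

    high: a tracked service reaching a destination not approved for it, which is
          the pattern a pass-back reconfiguration of the MFP produces.
    low:  an approved destination reached over a cleartext protocol.
    """
    alerts = []
    for r in records:
        if r["src"] not in printers or r["port"] not in TRACKED_SERVICES:
            continue
        service = TRACKED_SERVICES[r["port"]]
        if r["dst"] not in approved.get(r["port"], set()):
            where = "" if is_internal(r["dst"]) else " outside the internal network"
            alerts.append(Alert("high", r["src"], r["dst"], r["port"], service,
                                f"{service} connection to unapproved destination {r['dst']}{where}; "
                                "check the MFP's server settings for tampering"))
        elif r["port"] in CLEARTEXT_PORTS:
            alerts.append(Alert("low", r["src"], r["dst"], r["port"], service,
                                f"{service} to approved server {r['dst']} in cleartext; "
                                "credentials are exposed to a network tap"))
    return alerts


if __name__ == "__main__":
    for a in audit_printer_egress(parse_connection_log(SAMPLE_CONNECTION_LOG)):
        print(f"[{a.severity}] {a.src} -> {a.dst}:{a.port} ({a.service}) {a.message}")
```

On the constructed log the script produces three alerts: a low-severity note for cleartext LDAP to the approved directory server, and two high-severity alerts for LDAP to an unexpected internal host and FTP to an address outside the network, which is exactly what a redirected LDAP or scan-to-file setting would look like from the network’s point of view. Connections from hosts other than the printer are ignored. The allowlist is the part that needs real care in practice: it should come from the printer’s intended configuration, and the service account it uses should be the low-privilege one Jartelius recommends, so that even a captured credential buys an attacker little.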

A Browser Extension Is Now Out There To Keep Canadian Money In Canada’s Economy

Posted in Commentary with tags on February 18, 2025 by itnerd

It’s no secret that Canadians are mad about the completely unjustified tariffs imposed by Donald Trump on Canadians. That’s created a grassroots movement to keep as many Canadian dollars in Canada as possible. To help with that, a reader tipped me off to this browser extension called Support Canadian. From the website:

Unfortunately, leaving Amazon fully is difficult for many, so the extension surfaces Canadian products to the top of any Amazon search you make.

And:

Visiting Walmart.ca? It suggests Canadian Tire. On Netflix? It flags CBC Gem or Crave. It has 500+ alternative websites based on some of Reddit’s largest Canadian-made lists.

And:

No tracking, no ads. I made it completely privacy-focused with no personal information requested. (You can see for yourself on the download page in the Privacy Section)

This browser extension has gained traction on Reddit and as the word gets out there, I am pretty sure that it’s going to get even more traction. You can download it here:

There’s no version for Safari currently, but I am sure that if the demand for that is there, it will come.

In my mind, this is a far more productive exercise than booing the US national anthem at hockey games because if enough people use this extension and alter their purchasing habits accordingly, then it will send a clear message that Canada will not be bullied by the US.

1.6 Million Clinical Research Records Exposed in Data Breach

Posted in Commentary with tags on February 18, 2025 by itnerd

A data breach involving DM Clinical Research — a Texas-based network of clinical trial sites — was discovered and reported to Website Planet by cybersecurity researcher Jeremiah Fowler.

What happened:

A non-password-protected database containing nearly 1.6 million records was exposed. The leaked data includes PII and PHI, such as names, physical and email addresses, phone numbers, vaccine details, medical conditions, and more.

Why it matters:

The exposure of personal and medical data raises serious privacy concerns, potentially leading to identity theft, phishing attacks, extortion attempts, or unauthorized use of sensitive health information.

Read the report here: https://www.websiteplanet.com/news/dmclinicalresearch-report-breach/

Hammerspace Honored as the Top Data Storage Innovation in SiliconANGLE Media’s Tech Innovation CUBEd Awards

Posted in Commentary with tags on February 18, 2025 by itnerd

Hammerspace today announced it has been named a winner of SiliconANGLE Media’s 2025 Tech Innovation CUBEd Awards as the “Top Data Storage Innovation.”

The Hammerspace Global Data Platform has been honored for its groundbreaking approach to high-performance, enterprise data and storage management. In today’s landscape, where digital assets can no longer be isolated in data silos, the platform allows organizations to use existing data and infrastructure for AI/DL initiatives along with the original applications and use cases for the data.   

The Top Data Storage Innovation award recognizes the data storage solution that excels in providing robust, scalable and high-performance storage capabilities for modern enterprises as requirements for storing data evolve in the AI era or due to other factors.

The Tech Innovation CUBEd Awards recognize exceptional achievements in technological advancement, highlighting the diverse contributions of companies and individuals shaping the future of B2B and B2B2C technology. This technology awards program recognizes the most innovative companies (public, private and startups), visionary leaders and groundbreaking products that are pushing the boundaries of what’s possible. Hammerspace was selected from a competitive field of nominees by a panel of industry experts and technology leaders.

The newest update of Hammerspace’s software unlocks a new tier of storage by transforming local NVMe storage on GPU servers into a Tier 0 of ultra-fast, persistent shared storage. By activating previously “stranded” local NVMe storage seamlessly into the Hammerspace Global Data Platform, Tier 0 delivers data directly to GPUs at local NVMe speeds, unleashing this untapped potential. This breakthrough approach redefines both GPU computing performance and storage efficiency.

For more information on SiliconANGLE Media’s Tech Innovation CUBEd Awards, visit https://www.thecube.net/awards

New CompTIA CloudNetX equips IT professionals with the skills to design, manage and secure complex networks

Posted in Commentary with tags on February 18, 2025 by itnerd

A new certification to help experienced technology professionals navigate the intricate challenges of modern enterprise networks is available from CompTIA, Inc., the leading global provider of vendor-neutral information technology (IT) training and certification products.

CompTIA CloudNetX, the newest certification in CompTIA’s Xpert Series, validates the advanced skills needed to design, engineer and integrate secure and scalable networking solutions in hybrid environments.

CompTIA CloudNetX is a vendor-neutral certification, a critical differentiator for IT professionals who work with hybrid networks and products from multiple vendors. The certification exam assesses hands-on capabilities on a range of topics, including:

  • Emerging technologies such as container networking, software-defined cloud interconnect and generative AI for automation and scripting.
  • Network security, including threats, vulnerabilities, and mitigations; identity and access management; and wireless security and appliance hardening. Zero Trust Architecture is another area of dedicated focus.
  • Analyzing business requirements to design and implement network solutions, ensuring candidates can align technical skills with organizational goals.

CompTIA CloudNetX was created for IT professionals with at least five years of experience as a systems architect, network architect, cloud network architect, infrastructure architect or enterprise architect.

Two new learning resources are available for the new certification. CertMaster Perform CloudNetX is a comprehensive eLearning resource to gain knowledge and practical experience through instructional lessons and live labs. CertMaster Labs CloudNetX offers hands-on practice and skills development through a browser-based lab environment, allowing learners to apply their knowledge in real IT environments. Both resources align with the CompTIA CloudNetX certification exam objectives. Visit https://www.comptia.org/certifications/cloudnetx for complete details.

Appdome Stops AI-Deep Fakes at the Mobile Doorstep

Posted in Commentary with tags on February 18, 2025 by itnerd

Appdome, the leader in protecting mobile businesses, today announced it is extending its Account Takeover Protection suite with 30 new dynamic defense plugins for Deep Fake Detection in Android & iOS apps. The new plugins are designed to guarantee the integrity of Apple Face ID, Google Face Recognition and 3rd party face and voice recognition services against AI-generated and other deepfake attacks. Like all Appdome defenses, each of the 30 new dynamic defense plugins for Deep Fake Detection is available by choice using the Appdome platform without the need to integrate code, perform manual coding, implement SDKs, or deploy servers.

The mobile economy trusts Face ID and facial recognition for authentication, Know Your Customer (KYC) compliance, and to combat on-device fraud (ODF). Mobile brands rely on facial recognition, including liveness checks, to build and maintain trust with their users. These brands tell users that facial recognition will ensure that only the authorized account holder can access their apps, accounts, and services. However, the number and sophistication of attacks targeting every aspect of facial recognition and biometric authentication have exploded in the last nine months, driven by the rise of AI-generated deepfakes, virtual cameras, image substitution, buffer attacks, voice cloning and other methods. Deepfake attacks easily generate hyper-realistic adversarial replications or manipulations that fool facial and voice verification systems. Sometimes attackers use virtual cameras to inject pre-recorded or live video streams into the facial recognition process. Other times, image buffer attacks manipulate face data processing in real time to bypass liveness detection processes. The speed of evolution, ease of use, and ubiquity of deepfake attacks make deepfake detection one of the top anti-fraud and anti-ATO objectives for brands and enterprises in 2025.

Despite the growing sophistication of Face ID and facial recognition services for mobile applications, Face ID bypass techniques, which manipulate biometric authentication processes, use virtual cameras and use AI-generated synthetic images or streams to mimic legitimate users, have started to outpace biometric authentication methods. Additionally, malicious actors are developing tools and techniques to exploit vulnerabilities in device hardware, face recognition software and face recognition APIs to compromise the integrity of biometric authentication. These challenges highlight the need for enhanced security measures around the biometric authentication workflows, to safeguard Face ID and facial recognition against deepfake attacks. 

Appdome’s Deep Fake Detection plugins sit on top of OS-native or third-party Face ID, facial recognition and voice recognition methods, including face verification SDKs. This approach ensures that any facial recognition process is secure from deepfake attacks and provides enhanced integrity and security for authentication workflows, regardless of the provider. Specific attack vectors that Appdome’s Deep Fake Detection protects against include:

  • Face ID Bypass: Detects attempts to bypass Native Android and iOS biometric, facial recognition authentication systems on mobile devices, including FaceID and Biometric API calls, hardware abstraction layers and more.
  • Deep Fake Apps: Detects deepfake and face swap apps that can be used to spoof facial recognition services used by Android and iOS applications, including in combination with virtual camera and video injection tools.
  • Deepfake Video Detection: Detects synthetic identity attacks, video injection, frame and image buffer attacks, Direct Memory Access (DMA) attacks, monitors face embeddings and more.
  • Appdome Liveness Detection: Applies primary or secondary liveness check to ensure a real face is used during the facial recognition process, applying AI models to verify 3D depth, skin texture, lighting, eye reflectiveness, the strength of liveness image, and more.
  • Voice Cloning: Detects synthetic voice spoofing and voice cloning apps when in use with the protected application, perfect for applications that rely on “my voice is my password” authentication workflows.

Brands and businesses can expect each Appdome defense to detect the Deep Fake attack as well as its variants. Appdome dynamic defense plugins use real-time behavioral analysis to detect the behaviors and methods that the multitude of FaceID bypass and AI-based Deep Fake and Voice Cloning Tools use to exploit authentication checks in Android & iOS apps. As a learning system, it constantly evolves to ensure continuous defense against Deep Fakes and related threats.

Like all Appdome mobile app defenses, the new Deep Fake Detection plugins combine the power of choice-driven defense in depth, and no-code, no-SDK delivery with innovative on-device detection, defense, and intelligence options to satisfy any implementation objective. All Android & iOS Deep Fake Detection Plugins are available with Appdome’s Threat-Events™ Intelligence and Control Framework and ThreatScope™ Mobile XDR service. Threat-Events allows mobile brands and facial recognition SDK and API providers to gather data on each attack and use the data to control the application or user experience when deepfake attacks happen. Mobile brands and facial recognition SDK and API providers can use Threat-Events to gather deeper threat intelligence and create unique workflows and user messages leveraging the power of their brand voice when threats are present. Mobile brands can track and monitor Deepfake attacks via Appdome’s ThreatScope™, either before or after the deployment of the anti-Deep Fake features.

For more information about Appdome’s Deep Fake Detection, click here.