Posted in Commentary with tags Hacked on April 15, 2025 by itnerd
Yesterday, Comparitech reportedthat Ransomware gang Medusa over the weekend claimed responsibility for last week’s cyber attack against Fall River Public Schools in Bristol County, Massachusetts.
In the blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech,wrote:
“Medusa is a ransomware gang that first surfaced in September 2019. It debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay both to decrypt their systems and for not selling or publishing stolen data.”
“In 2025 so far, Medusa claimed responsibility 10 confirmed ransomware attacks and made 69 unconfirmed claims that have not been acknowledged by the targeted organizations. Many of those attacks targeted schools. Its attacks on Lee University and Laurens County School District 56 were both confirmed this year.”
“Medusa has claimed 24 confirmed ransomware attacks on schools and other educational institutions around the world since the group started publicizing its targets. Its average ransom demand is $430,000.”
“So far in 2025, Comparitech researchers logged 12 confirmed ransomware attacks on US schools and colleges. Last year, we recorded 75 such attacks, which compromised at least 2.8 million records. The average ransom demand is $815,000.”
“Ransomware attacks on schools and other education facilities can disrupt day-to-day operations such as taking attendance, submitting grades, phone and email communications, billing, payroll, and assignments. Ransomware attacks are often two-pronged: they lock down systems and steal data. Schools that refuse to pay can face extended downtime, lose data, and put students and faculty at increased risk of fraud.”
Ransomware attacks are insanely prevalent. That’s bad as they need to go in the other direction to keep everyone safe. Thus more needs to be done to turn this around and it needs to be done ASAP.
Posted in Commentary with tags Hacked on April 15, 2025 by itnerd
Ransomware gang Rhysida today claimedresponsibility for a cyber attack last week at the the Oregon Department of Environmental Quality which forced the department to shut down the email system, computer workstations, help desk, and vehicle inspection stations. Most of those services were brought back online by April 14.
In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech,wrote:
“Rhysida is a ransomware group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected systems. Rhysida operates a ransomware-as-a-service business in which affiliates pay Rhysida to use its malware and infrastructure to launch attacks and collect ransoms.”
“Rhysida claimed 86 confirmed ransomware attacks since it began, compromising more than 5.4 million records. It made another 104 attack claims that haven’t been acknowledged by the targeted organizations. Its average ransom demand is $1.07 million.”
“In 2025 so far, Comparitech researchers have logged 15 confirmed ransomware attacks on US government entities, plus 22 unconfirmed claims.”
“In addition to data theft, ransomware attacks on US government entities can disrupt computer access to essential services, payments, communications, and stored files. Officials must then either pay a ransom or face extended downtime, data loss, and putting constituents at increased risk of fraud.”
The research team at SafetyDetectives just wrapped up a really interesting study, where they compare the censorship and content moderation policies of major platforms and investigate whether they are actually effective or just security theater.
Key findings at a glance:
Censorship patterns for videos on major social media show that, profanity is the most censored type of content at 55.6%, followed by violence and conflict and sexual Abuse at 7%. On the other hand, the less censored are Self-Harm and People’s Faces tied at 2.3%.
News outlets and credible informational accounts are sometimes subject to different moderation standards. On the other hand, comedic and entertainment posts still experienced strict regulations on profanity, even on news outlets.
Content depicting graphic violence is the most widely prohibited in platforms’ policies, with only Meta allowing it with conditions. While YouTube is the only one to impose a blanket prohibition on gory or distressing materials.
Content censorship appears to be more performative than functional and double standards are also apparentin other platforms whose owners haveclear political ties.
Considering their findings, they believe that individuals and organizations must practice careful scrutiny when consuming media or information on these platforms, given the seemingly one-sided implementation of policies on different social media sites.
Rental car company Hertz says it suffered a data breach, attributed to software maker Cleo, that included customers personal information and driver’s licenses. Hertz has put up a page on this which you can see here:
“The data breach impacting Hertz and its associated brands is a textbook example of how third-party vulnerabilities can cascade into massive data exposure, even for well-established enterprises. What makes this breach especially concerning is the type of data compromised, not just names and contact details, but driver’s licenses, payment card information, Social Security numbers, and even workers’ compensation claims. This is prime identity theft material, and unfortunately, once it’s leaked, there’s no putting the genie back in the bottle.
“The breach relates to a known vulnerability exploited by the Clop ransomware group in Cleo’s enterprise file transfer solution. Last year, Cleo was already on the radar for widespread exploitation by Russian-linked actors, yet many organizations were slow to identify and isolate exposure paths. This reinforces a painful truth: companies are only as secure as their most vulnerable vendor.
“Hertz may not have been directly compromised, but its vendor relationships introduced risk vectors that weren’t fully mitigated. This is a growing pattern across the ransomware landscape, where attackers target software supply chains to scale their reach and impact.
“For consumers, the aftermath is frustratingly familiar. A driver’s license or Social Security number cannot be ‘reset’ like a password. These data points are permanent identifiers, and once they are exposed, victims become vulnerable to synthetic identity fraud, targeted phishing, and even fraudulent claims or loans.
“This breach highlights the necessity for increased proactive vendor due diligence, enhanced threat intelligence sharing, and stronger regulatory pressure on third-party software providers to comply with contemporary security standards. The risks impact millions of individuals and the public’s trust in digital infrastructure.”
Javvad Malik, lead security awareness advocate at KnowBe4 follows with this:
Zero-day vulnerabilities are rare, but when they occur have a large impact. Even if Hertz had all their systems patched and up to date, it would have been difficult to protect against the Cleo zero day attack. Offering identity monitoring is all well and good, but it is very much a case of bolting the barn door once the horse has bolted. The real challenge lies in staying ahead of these evolving threats. Organizations need to shift their mindset from reactive to proactive. Defense in depth needs to be adequately configured so that even if one system is compromised through a zero day, the whole infrastructure doesn’t fall like a house of cards. Part of this is building a strong security culture, where security is embedded throughout the organization and not just limited to the security team.
This is something that I will watch closely as my wife and I used Hertz when we were in France in 2023. Thus there is always the possibility that we’re impacted. Regardless, this is another example of you’re only as secure as the people your company works with. On top of that, why did it take so long for Hertz to report this? That’s a question that I would like answered sooner rather than later.
CloudSEK’s security researchers have uncovered a sophisticated malware campaign using fake PDF-to-DOCX conversion tools to infect unsuspecting users with a powerful information stealer. This comes just weeks after the FBI’s Denver office issued a public alert warning of malicious online file converters being leveraged to deliver malware.
The report reveals how cybercriminals have crafted deceptive websites, such as candyxpdf[.]com and candyconverterpdf[.]com, that meticulously mimic the legitimate pdfcandy.com service.
These fraudulent platforms lure users into executing a malicious PowerShell command, initiating a complex infection chain that delivers malware capable of stealing sensitive data, including browser credentials, cryptocurrency wallets, and other personal information.
A Sophisticated Blend of Deception and Technology
The campaign employs advanced social engineering to exploit users’ trust. Victims uploading a PDF for conversion encounter a fake processing animation, followed by an unexpected CAPTCHA prompt designed to enhance the site’s perceived legitimacy and rush users into action. This leads to instructions to run a PowerShell command, which triggers a redirection chain through domains like bind-new-connect[.]click, ultimately delivering a malicious “adobe.zip” payload. The archive contains “audiobit[.]exe,” which leverages legitimate Windows tools like MSBuild[.]exe to deploy Arechclient2. (Read Full Report, For More Information)
“This campaign highlights how cybercriminals exploit everyday digital tools. By combining psychological manipulation with technical sophistication, these attackers turn routine tasks like file conversion into opportunities for data theft. Our research aims to equip individuals and organizations with the knowledge to stay safe,” said Varun Ajmera, Threat Intelligence Researcher, CloudSEK.
The scale of this threat becomes clear when considering the popularity of the legitimate PDFCandy.com, which attracts approximately 2.8 million monthly visits. Notably, India represents the largest segment of its user base, accounting for 19.07% or roughly 533,960 monthly visitors. This substantial audience provides a vast pool of potential victims for the threat actors behind this malicious campaign. While the fraudulent sites, candyxpdf[.]com and candyconverterpdf[.]com, saw approximately 2,300 and 4,100 visits respectively in March 2025, these numbers demonstrate active exploitation of the impersonated service’s popularity.
How the Attack Works
Spoofed Websites: Domains like candyxpdf[.]com and candyconverterpdf[.]com imitate the real PDFCandy website.
Deceptive Flow: Fake file conversion followed by a CAPTCHA prompt creates trust and urgency.
Malware Trigger: Users are prompted to run a PowerShell command, leading to the download of a malicious ZIP file masquerading as a legitimate Adobe resource.
Payload Execution: The ZIP contains audiobit.exe, which executes via MSBuild.exe – a legitimate Windows utility weaponized to run ArechClient2. (Read Full Report, For More Information)
CloudSEK’s technical analysis traced the malware delivery chain through multiple redirections, eventually landing on a known malicious domain (bind-new-connect[.]click) to deliver the payload. The attacker’s infrastructure, command chain, and payload hashes are included in the full report.
Wider Implications
This campaign demonstrates a growing trend where attackers prey on routine digital activities—like file conversion—to compromise systems. Given the increasing use of online converters in corporate and personal workflows, this type of attack has wide-ranging implications for cybersecurity hygiene.
Protecting Against the Threat
CloudSEK’s report provides actionable recommendations to safeguard individuals and organizations:
Stick to Trusted Tools: Use reputable file conversion services from official websites and avoid unverified “free” converters.
Strengthen Technical Defenses: Keep antivirus software updated, deploy endpoint detection and response (EDR) solutions, and use DNS filtering to block malicious domains.
Educate Users: Train employees to recognize red flags, such as suspicious URLs, unexpected CAPTCHAs, or prompts to run command-line instructions.
Incident Response: Isolate compromised devices, change passwords from a clean device, and report incidents to authorities promptly.
Offline Alternatives: Consider offline conversion tools to avoid uploading sensitive files to remote servers.
A Call to Vigilance
As online file converters remain a staple in digital workflows, this campaign underscores the need for heightened awareness. “As threat actors become more creative with their tactics, cybersecurity must evolve to prioritize behavior-based detection, user awareness, and zero-trust principles. Organizations should invest in robust endpoint security, DNS filtering, and employee training. Most importantly, we need to reduce reliance on unknown web-based tools and encourage the use of secure, offline alternatives for tasks like file conversion,” said Varun Ajmera, Threat Intelligence Researcher, CloudSEK.
About CloudSEK:CloudSEK is a contextual AI company that predicts Cyber Threats. Our Cloud SaaS platform constantly seeks security solutions for our customers’ digital risks. To learn more about how CloudSEK can strengthen your external security posture and deliver value from Day One, visit https://cloudsek.com or drop a note to info@cloudsek.com.
Arcitecta, a creative and innovative data management software company, today announced it has been named a Leader and Fast Mover in the 2025 GigaOm Radar Report for Unstructured Data Management. The report recognized the innovation and leadership of the Arcitecta Mediaflux® data management platform, awarding it with “Exceptional” 5-star scores across crucial categories that included Metadata Analytics, Global Content Search, Workload Orchestration, Data Protection, Scalability, Flexibility, Performance and Manageability. These scores earned Arcitecta the top ratings for Key Features and Business Criteria, with the sole top average rating across business criteria comparisons (4.7 out of 5.0) and tying with IBM and Cohesity for the top average rating across key feature comparisons (each with 4.4 out of 5.0).
Unstructured data management has evolved from a storage-centric discipline into a strategic imperative for modern enterprises, requiring critical tools for transforming data repositories into actionable business assets, as noted in the GigaOm report. Organizations are facing exponential data growth – petabyte scale is the new normal. Without proper data acquisition and data management, the full value of all this data is often unrealized.
Arcitecta’s Mediaflux is an open platform with robust security and access controls, powered by hyperscale database technology and a simple API. It integrates data management, metadata curation and business policies into a single distributed solution, connecting business systems, compute infrastructure and data holdings.
The GigaOm report highlights the following key strengths that distinguish Arcitecta from its peers and fortify its position as a market leader:
Metadata Analytics: Arcitecta stands out with its sophisticated metadata analytics capabilities powered by its XODB database. This enables comprehensive data lifecycle management and empowers organizations to make informed decisions through real-time analysis and reporting.
Global Content Search: Arcitecta delivers exceptional performance with its implementation of a unified global namespace, facilitating efficient content search across distributed environments. With response times measured in milliseconds, even when handling billions of files, this feature ensures rapid and reliable data access.
Workload Orchestration: Arcitecta shines with its advanced orchestration capabilities, which effectively manage sequencing, storage allocation and computational resources throughout the data lifecycle. These features are complemented by robust error handling and recovery mechanisms, ensuring seamless operations.
The Mediaflux Difference
Mediaflux offers an advanced, comprehensive data management platform that can operate on a massive scale to help organizations better manage their data throughout its entire lifecycle. Its suite of solutions enables organizations to organize, search, share and preserve their data well into the future for lasting value and includes the following:
Mediaflux Real-Time. An ideal solution for growing file management, video, live sports, broadcast, experimentation and more. Arcitecta’s Mediaflux Real-Time provides nearly instant access to live data as it is being generated and delivers it to edge locations where it can be utilized. It supports real-time editing, removes workflow bottlenecks and enhances remote collaboration, enabling faster content delivery and seamless media management.
Mediaflux Point in Time. A revolutionary new backup and recovery approach that redefines data resilience at scale. Point in Time eliminates the cost and business impact of lost or corrupted data and provides self-service data recovery. It allows users or IT administrators to go back to any point in time to recover needed files – even in the event of a cyberattack where files have been encrypted. It provides a strong first line of defense against crypto locking with the ability to roll back ransomware attacks, enabling the complete and immediate recovery of data – a recovery time objective (RTO) of zero – and virtually no downtime with a recovery point objective (RPO) near zero, typically within milliseconds.
Mediaflux Livewire. A file transfer software solution that leverages the power of metadata to optimize data movement via parallelized data transfers across latent networks and eliminate redundant file transfers. Livewire enables customers to transmit large amounts of data over very low-bandwidth and unreliable network connections. It allows customers with smaller networks, especially relative to the size of data they need to transmit, to easily keep large amounts of data synchronized between sites and transmit data in both directions, regardless of low network bandwidth and reliability.
Mediaflux Universal Data System. A convergence of data management, data orchestration, multi-protocol access, and storage in one platform. The system manages the entire data lifecycle, both on-premise and in the cloud, with globally distributed access. With Mediaflux Universal Data System, data- and research-intensive organizations can easily share data across locations while achieving massive scalability, high performance and dramatic cost savings.
Mediaflux Multi-Site, Mediaflux EdgeandMediaflux Burst. These solutions enable users within geographically dispersed workforces to collaborate more efficiently, spend far less time waiting for data when needed and avoid unnecessary investments in compute resources when usage times peak. As part of Arcitecta’s evolving ecosystem of advanced data management capabilities, these solutions ensure data is moved to the right location for the right user at the right time, accelerating innovation, discoveries and business outcomes.
ConnectSecure today announced the launch of its new Google Workspace Assessments. This powerful new capability enhances ConnectSecure’s vulnerability platform by empowering MSPs to assess, detect, and mitigate risks within their clients’ Google Workspace environments. With this addition, ConnectSecure expands its cloud assessment capabilities beyond Microsoft 365, offering broader protection across key collaboration platforms.
As cloud adoption accelerates, the need for visibility and control over third-party platforms has never been greater. With the new Google Workspace Assessments, MSPs can now identify vulnerabilities, flag configuration issues, and generate client-facing reports — all within minutes. This offering is designed to proactively reduce risk across a suite of cloud applications, including Gmail, Google Drive, Google Meet and Calendar.
Key benefits of ConnectSecure’s Google Workspace Assessments include:
Immediate Deployment: Simple setup with fast results — run assessments in just minutes.
Client-Friendly Reports: Translate technical findings into clear, actionable insights for end users.
Risk Detection & Prioritization: Uncover and address risks across Gmail, Drive, Calendar and Meet.
Revenue Growth Opportunity: Equip MSPs to enhance service offerings and expand client trust through value-added cybersecurity services.
This new offering complements ConnectSecure’s broader mission: to deliver a single, unified platform for risk assessments across networks, endpoints, vulnerabilities, Microsoft 365 and now Google Workspace.
Posted in Products with tags TP-Link on April 15, 2025 by itnerd
WiFi 7 is quickly becoming mainstream. I say that because all sorts of new WiFi 7 hardware options are coming onto the market every time I look around. Today’s example of this is the TP-Link Archer GE800 BE19000:
The first thing that came to mind when I saw this was that it looked like an Imperial Shuttle from Star Wars: Return Of The Jedi. But this shape does give it some party tricks for your enjoyment. Before I get to those, you get buttons on the front that do the following easily:
Game Acceleration. This accelerates game applications, game devices, mobile games, and the like with WTFast GPN.
Turning on/off the LED lights
I am going to assume that the antennas are in each “wing.” But that’s not all that’s in them.
There’s RGB lighting on the sides which you can tweak with via the TP-Link Tether app.
Not to mention that there’s RGB lighting on the bottom as well. Now I had to turn these off during my testing as my wife thought that it was beyond over the top and ordered me to disable all of it the second she saw it. So for those of you who have significant others, you might want to keep that in mind and proactively turn the RGB effects off.
Here’s the business end of the router. Besides a USB 3.0 port for a storage device like a hard drive, you get two 10 Gbps ports. One of them is a LAN port, the other is a combo WAN port which gives you the option of running an SFP+ module. So if you have fibre Internet and you don’t need to use an optical networking terminal like I do, you can plug the fibre cable straight into the router for maximum speed. Nice! There’s also four 2.5 Gbps LAN ports but one is a dedicated gaming port. Meaning that any device connected to this port will be automatically prioritized. Which in turn means that it will give you that extra millisecond or two to pwn n00bz.
With the looks and connectivity out of the way, let’s get to the WiFi part of this. This is what you get out of the box:
4×4 2.4GHz BE: Up to 1376Mbps (20/40MHz)
4×4 5GHz BE: Up to 5760Mbps (20/40/80/160MHz)
4×4 6GHz BE: Up to 11520Mbps (20/40/80/160/320MHz)
That’s not all. You can create an SSID (network name) for each of the three bands which allows you to support special use cases such as mine where I want all the bands separate to make sure that devices, especially IoT devices have no issues connecting. And on top of that you can create an MLO (multi link operation) SSID for your WiFi devices that support MLO. That was easily done through the TP-Link Tether app. But it also has a web interface that also gives you way more customization if you want to tinker with your router’s setup. I should also mention that this router supports TP-Link’s EasyMesh which allows you to add a compatible TP-Link router to create a mesh network should the need arise.
Set up is going to be easy for most using theTether app. By that I mean that if you have a straight forward Internet connection, you can be set up in under five minutes. But it took me about 20 due to the fact that my Internet connection isn’t straight forward as it uses PPPoE and a VLAN on top of that. Thus I had to spend some time figuring out how to set that up. But once it was set up, and I did a firmware update, I was ready to go with my testing.
Let’s start with 5 Ghz testing. Frankly I wasn’t impressed when I tested this router with my iPhone 14 Pro:
I’ve gotten much faster 5 Ghz speeds with other routers in the past. But my lack of enthusiasm quickly changed when I tested the 6 Ghz band via my M2 Pro Mac mini. When I did that, here’s what I got:
My Internet connection is a symmetrical 1 Gbps fibre connection. So over WiFi it not only came close to maxing out my Internet connection, but it also recorded the fastest speeds from a router that I have ever tested. Or put another way, if I had a faster Internet connection, This TP-Link router has the headroom to support it. Impressive. And range wasn’t an issue as I was getting insanely fast speeds through walls and even outside my condo in the hallway.
Gripes? Well for starters, this router has a fan to keep things cool. Which it needs as I could feel the heat coming out the various vents that the router has. Now I had to really make things quiet to come close to hearing the hum it made. And to be clear that hum wasn’t objectionable. But I have to wonder if that fan will survive the test of time as any moving part in any device will eventually fail at some point. My advice is to make sure it’s in an open space so that heat and the potential of a fan failure less of a potential issue.
My other gripe is that features like Security+ which makes your router more secure by implementing features like intrusion detection and prevention as well as scanning your web traffic for harmful content such as malware, as well as parental controls are paid subscription services. That’s a bit of a #fail and I say that because ASUS for example just tosses these features into the cost of the router. While that does make ASUS routers more expensive than the TP-Link equivalent, at least you those features out of the gate and don’t have to sign up for yet another subscription to get those features. Plus it makes users more secure in the process as users will simply turn on those features rather than think about taking out their credit cards in order to be as secure as possible.
The TP-Link Archer GE800 BE19000 is currently $900 on Amazon.ca which is a good price for a router that performs this well. If TP-Link added the security and parental control features as part of the price, or increased the price of the router to include those features by a reasonable amount, it in my mind would go from a great router, to an almost perfect router as I really didn’t find any flaws with it. That makes this router worth a look if you are a gamer, or you have an Internet connection that can fully leverage it.
Ransomware gang demands $400K from Massachusetts school district
Posted in Commentary with tags Hacked on April 15, 2025 by itnerdYesterday, Comparitech reported that Ransomware gang Medusa over the weekend claimed responsibility for last week’s cyber attack against Fall River Public Schools in Bristol County, Massachusetts.
In the blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:
“Medusa is a ransomware gang that first surfaced in September 2019. It debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay both to decrypt their systems and for not selling or publishing stolen data.”
“In 2025 so far, Medusa claimed responsibility 10 confirmed ransomware attacks and made 69 unconfirmed claims that have not been acknowledged by the targeted organizations. Many of those attacks targeted schools. Its attacks on Lee University and Laurens County School District 56 were both confirmed this year.”
“Medusa has claimed 24 confirmed ransomware attacks on schools and other educational institutions around the world since the group started publicizing its targets. Its average ransom demand is $430,000.”
“So far in 2025, Comparitech researchers logged 12 confirmed ransomware attacks on US schools and colleges. Last year, we recorded 75 such attacks, which compromised at least 2.8 million records. The average ransom demand is $815,000.”
“Ransomware attacks on schools and other education facilities can disrupt day-to-day operations such as taking attendance, submitting grades, phone and email communications, billing, payroll, and assignments. Ransomware attacks are often two-pronged: they lock down systems and steal data. Schools that refuse to pay can face extended downtime, lose data, and put students and faculty at increased risk of fraud.”
Ransomware attacks are insanely prevalent. That’s bad as they need to go in the other direction to keep everyone safe. Thus more needs to be done to turn this around and it needs to be done ASAP.
Leave a comment »