Archive for July, 2025

Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems

Posted in Commentary on July 24, 2025 by itnerd

Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws, Storm-2603, is deploying Warlock ransomware on targeted systems.

“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware. Investigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems. This blog shares details of observed exploitation of CVE-2025-49706 and CVE-2025-49704 and the follow-on tactics, techniques, and procedures (TTPs) by threat actors. We will update this blog with more information as our investigation continues.”

Ensar Seker, CISO at SOCRadar had this comment:

“The exploitation of unpatched SharePoint servers by Storm-2603 represents a serious escalation in threat actor behavior. What began as an espionage campaign has now evolved into a destructive ransomware operation using Warlock malware. This is significant not only because of the rapid weaponization of recent vulnerabilities, but because the group has adopted enterprise-level tactics: stealing credentials, disabling defenses, and deploying ransomware across entire networks using Active Directory tools.”

“Warlock ransomware in this context is particularly dangerous. Once Storm-2603 gains access to a vulnerable SharePoint server, they quickly move laterally, extract domain credentials, and push ransomware across systems, often encrypting data en masse before defenders can respond. This is not a hit-and-run campaign. It reflects a strategic shift where attackers burrow deep, create persistence mechanisms, and time their ransomware deployment for maximum disruption.”

“The takeaway for enterprises is clear: if you run on-premises SharePoint, you must patch immediately. Beyond that, organizations should rotate keys and credentials, hunt for web shells or suspicious DLLs, and harden against lateral movement. Defenses like EDR in block mode, AMSI integration, and proper backup strategies are critical now, not optional. This campaign isn’t just a wake-up call for patch management, but for a broader rethink of how we defend internal collaboration platforms.”

James McQuiggan, Security Awareness Advocate at KnowBe4 adds this:

“Cybercriminals don’t need to be sophisticated, they just need organizations to be slow. Attackers don’t target the most vulnerable point, they go for what’s exposed, unpatched, and easiest to monetize. Essentially, a front door left wide open.”

“Enterprise environments are especially vulnerable because change takes time. There are processes, reviews, testing, and approvals that are needed to roll out mitigations and patches. However, if an organization’s SharePoint server is exposed on the internet with a known zero-day vulnerability and no compensating controls, it’s making their job easier.”

“If it’s internet-facing, treat it like a crown jewel. Anything exposed should be hardened, monitored, and patched rapidly, or segmented entirely. Limit attack surfaces by design. Many of these exposures exist simply because someone left default configurations or expanded access for convenience.”

“Cybersecurity isn’t about being perfect, it’s about not being predictable. The more visible and unpatched your environment, the easier it is for an organization to find and exploit. Organizations don’t need to outsmart every attacker, they just need to stop making it easy for them.”

If you have an on-premises SharePoint server, now would be a really good time to update it. As in drop everything you are doing and apply updates right now. Because if it wasn’t clear that this was a today problem, it should be now.

Prestige Maintenance USA Appears To Have Been Pwned….. And Perhaps Not For The First Time

Posted in Commentary on July 24, 2025 by itnerd

Prestige Maintenance USA this week confirmed that it had notified 65,452 people of a January 2025 data breach that compromised their personal information. Ransomware group Medusa took credit for the breach shortly after it occurred and demanded $1.2 million in ransom. This may not be the first time that they have been pwned as there is an unconfirmed report of ALPHV/BlackCat pwning them in 2023.

In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:

“Medusa is a ransomware gang that first surfaced in September 2019. It debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay both to decrypt their systems and for not selling or publishing stolen data. Medusa has claimed responsibility for 132 confirmed attacks in total, compromising more than 3.1 million records. Its average ransom demand is $631,000.”

“In 2025, Comparitech researchers have logged 226 confirmed ransomware attacks on US organizations in total, plus 1,788 unconfirmed claims. Ransomware attacks on US organizations can both steal data and lock down computer systems. Infected businesses are forced to either pay a ransom or face extended downtime, permanent data loss, and putting customers at increased risk of fraud.”

The fact that the company didn’t tell anyone about this until seven months later is troubling. And the fact that they might have been pwned before suggests that this is an organization that isn’t great at keeping the bad guys out. I say that someone needs to ask this company some really tough questions, and the company needs to answer them if they want anyone to trust them.

SOCRadar Posts Their 2025 North America Threat Landscape Report

Posted in Commentary on July 24, 2025 by itnerd

SOCRadar has published a 2025 North American Threat Landscape Report looking at the critical cyber threats that are shaping North America’s digital environment. The research outlines major attack vectors, sector-specific threats, and dark web activities. 

Key insights include: 

  1. Finance and Insurance Sectors at Highest Risk: Accounting for 12.11% of all incidents, this sector remains the most frequently targeted, reflecting its vast data and financial assets.
  2. U.S. Dominates Cyber Targeting: The United States faced 82.15% of all regional cyber incidents, making it the primary focus of threat actors, especially in ransomware and phishing.
  3. Ransomware Surge Led by PLAY Group: PLAY, RansomHub, and Akira top the list of active ransomware groups, with double-extortion tactics increasingly affecting public and private organizations.
  4. Dark Web Exposure Escalates: Stolen data, unauthorized access sales, and compromised credentials dominate dark web listings—58.38% of all incidents involve selling sensitive digital assets.
  5. Phishing Targets Public and Info Sectors: Public administration (18.75%) and information services (17.53%) lead phishing targets, with attackers mimicking trusted platforms and using HTTPS to deceive victims.
  6. DDoS Attack Volume Alarming: Over 1.48 million DDoS attacks were recorded, with peak bandwidths exceeding 1857 Gbps, posing serious continuity threats.

The full report can be found here: https://socradar.io/wp-content/uploads/2025/07/North-America-Threat-Report.pdf

Critical vulnerabilities across 20 of the most popular travel & tourism websites detailed

Posted in Commentary on July 24, 2025 by itnerd

The Business Digital Index (BDI) platform evaluated and ranked 20 of the most visited travel and tourism websites by their cybersecurity posture.

Each company’s score reflects performance across seven security categories: software patching, web app security, email protection, system reputation, hosting infrastructure, SSL/TLS configuration, and data breach history. 

Here are the 20 most popular travel & tourism websites ranked by cybersecurity (best to worst):

Out of the 20 travel and tourism websites analyzed, just two—Trip.com and Flightradar24—achieved an A grade.

At the bottom of the ranking, four sites—Wetter.com, Hilton, Marriott, and Skyscanner—received the lowest cybersecurity scores.

To find out what critical vulnerabilities these websites have and why some of them score so low, please see the full report here: 

https://businessdigitalindex.com/research/cybersecurity-analysis-reveals-critical-vulnerabilities-across-20-major-travel-tourism-websites

CIRA’s Net Good Grants back Indigenous, rural and youth-led initiatives for a safer, more connected Canada

Posted in Commentary on July 24, 2025 by itnerd

Today, CIRA is proud to announce 13 transformative, community-led initiatives funded through its 2025 Net Good Grants program. From remote broadband infrastructure to youth-focused cybersecurity training, these projects are advancing internet safety, access and digital sovereignty across Canada.

Each initiative equips communities with the tools, knowledge and infrastructure they need to thrive in an increasingly challenging digital world. The collective impact spans most provinces and territories, reflecting a broad and diverse commitment to digital resilience from the ground up.

Key insights

  • Over 270,000 community members will benefit from this year’s Net Good Grants
  • Three infrastructure projects building community-managed connectivity networks
  • Two policy engagement projects raising awareness and amplifying local voices in internet sovereignty discussions
  • Eight online safety projects empowering youth, educators and community leaders

In British Columbia, communities like the rural Shuswap region and Cortes Island are developing locally governed broadband co-operatives so that they can build, own and operate networks to directly serve their residents and generate revenue.

Initiatives like the Digital Defenders Project in Saskatchewan and the Northwest Territories, the SmartScroll Digital Safety Program in small-town Ontario and Cyber Ready Islanders in Prince Edward Island are helping young people recognize and respond to online harms, misinformation and privacy risks.

For professional development, the University of Ottawa’s CyberSafe Youth project is delivering cyber attack simulation training to youth in Quebec and Ontario, while the Malahat Nation in B.C. is establishing a cybersecurity operations centre and training hub through its Malahat Internet Safety Initiative.

Every initiative is rooted in local collaboration, underscoring a community-first approach to digital empowerment. These projects not only focus on youth development, but will also train educators, parents and community leaders, extending their impact through intergenerational learning and institutional partnerships.

Whether through civic engagement in internet policy, broadband infrastructure co-ops, or multilingual online safety programs, these projects exemplify how community-led innovation can drive systemic change and ensure no one is left behind in Canada’s digital future.
Artificial Intelligence Adoption in S&P 500 Firms Brings New Security Challenges, Study Finds

Posted in Commentary on July 24, 2025 by itnerd

As artificial intelligence becomes increasingly central to the operations of America’s largest corporations, recent research reveals potential security vulnerabilities that could affect both organizations and their customers. 

An analysis by cybersecurity experts at Cybernews examined AI deployments across the S&P 500 and uncovered close to 1,000 potential weak points that may lead to data exposure, theft of proprietary information, and erroneous AI actions.

The study found that 327 S&P 500 companies publicly report using AI tools in their operations in sectors including finance, healthcare, manufacturing, and energy. 

While these tools have accelerated innovation and efficiency, safety measures have yet to fully catch up, leaving systems open to misuse or failure. This includes AI outputs that may be inaccurate or misleading, unintended disclosure of confidential data, and risks of corporate secrets being compromised.

The potential vulnerabilities extend across multiple industries. Technology and semiconductor companies are especially vulnerable to data leaks and intellectual property risks. Financial institutions might face challenges protecting client data while ensuring AI does not reinforce unfair bias in lending. 

Healthcare providers carry the added responsibility of protecting patients from flawed AI-driven recommendations. Meanwhile, industrial and infrastructure sectors must guard against disruptions that could affect critical services, such as power supply or supply chain operations.

For consumers, the consequences are tangible. Unsecured AI systems risk leaking private details – ranging from medical histories to financial records – while flawed AI judgments could influence decisions that directly affect people’s health and finances. 

As AI tools play a larger role in retail, banking, transportation, and other areas, protecting these technologies becomes essential for public protection.

The report highlights past incidents that illustrate these dangers. IBM’s Watson once offered unsafe cancer treatment suggestions. Apple’s credit system faced scrutiny after allegations of gender bias. Zillow’s AI-driven pricing led to substantial financial losses. Additionally, Samsung experienced unintended source code disclosures due to inappropriate use of AI chatbots by employees.

As AI further transforms businesses, past incidents and potential threats show how crucial it is to improve security strategies in parallel. 

Guest Post – Workflow Automation: a Primer

Posted in Commentary on July 24, 2025 by itnerd

By Tim Flower, VP of DEX Strategy, Nexthink

What is workflow automation?

Workflow automation takes manual or scripted tasks and processes performed by employees and groups them in a logical order, initiated by automated or manual triggers. These workflows include decision points, branches, tasks, and calls to other systems or humans for additional insights, delivering fast, consistent, repeatable, and scalable outcomes with minimal or no human intervention. 

But modern workflow automation goes beyond simple task execution by leveraging low-code/no-code platforms to lower the skills entry point, and to deliver more complex AI-driven decision-making processes that continually optimize themselves. In fact, many systems can now “automate the automation,” further reducing errors, speeding time-to-market, ensuring compliance, and eliminating bottlenecks. 

How does it work? 

Originally, workflow automation consisted of repeatable tasks scripted for automated execution, bringing efficiency to humans by handling defined, repetitive processes. Over time, it evolved into more robust AI-powered decision-making, enabling automation of complex and variable workflows.

Today, workflow automation can:

  • Optimize itself using machine learning, analyzing historical data to improve workflows over time.
  • Leverage event-driven automation, where real-time business triggers (e.g., exceeding a technical threshold or dropping below an inventory level) automatically initiate a process workflow.
  • Integrate with AI-powered digital employee experience (DEX) tools, which can analyze human behavior and operations, and suggest new automation opportunities based on a broad enterprise view.

As AI continues to evolve, workflows will become more self-improving, reducing the need for human intervention even in process design.

Why should businesses use workflow automation? 

Businesses that do not embrace workflow automation risk falling behind their competition. The benefits include:

  • Faster, more efficient operations – Automating processes reduces execution time, leading to significant reductions in processing times in key IT and business functions.
  • Lower operational costs – Companies using automation report 30% or more cost savings by reducing manual effort, according to LatentBridge.*
  • Improved employee productivity – Employees are freed from repetitive, low-value tasks, allowing them to focus on more strategic work.
  • Better customer experiences – Faster service delivery and error reduction lead to higher customer satisfaction and retention rates.
  • Scalability – Companies can handle more work without proportionally increasing costs or headcount.

How best to deploy workflow automation?

To implement modern workflow automation effectively, businesses need three key components:

  1. Broad, multi-source data – Automation opportunities should be identified using real-time data from multiple systems. Process mining tools can analyze inefficiencies and suggest improvements.
  2. AI-driven automation creation – The skill barrier to automation should be lowered using AI and low-code/no-code solutions, enabling business users to build automations without heavy IT involvement.
  3. A unified automation platform – A solution that combines workflow automation with real-time experience monitoring, sentiment analysis, and measurement of business outcomes is crucial to track effectiveness and continuously improve processes.

Additionally, proper change management, security, and governance must be considered to ensure successful adoption and compliance.

Common implementation mistakes

Businesses often face these pitfalls when implementing workflow automation:

  • Not identifying the right problems to solve – Automating low value processes while missing what really matters can result in lower returns. 
  • Failing to optimize first – Automating inefficient processes without first optimizing them can lead to wasted efforts.
  • Using a fragmented approach – Selecting tools that don’t integrate across all enterprise systems results in automation silos.
  • Not tracking value – Without clear success metrics, businesses may struggle to measure ROI and justify further investment.
  • Trying to automate too much at once – Overloading teams with too many changes can cause adoption failures. A phased approach is more effective.
  • Not monitoring for unintended consequences – Poorly designed workflows can introduce new problems or outcomes that weren’t present before.

Emerging workflow automation trends

Businesses embracing workflow automation with AI and DEX capabilities will outpace the competition. Those who delay adoption will find themselves increasingly behind as automation plays a bigger role across enterprises. Several emerging trends deserve attention:

  • Hyper-automation – AI, machine learning, and robotic process automation (RPA) will increasingly work together to automate as much as possible.
  • Conversational automation – AI-powered intelligent chatbots and voice assistants will play a larger role in initiating and executing workflows.
  • Process mining and AI-driven optimization – AI will proactively analyze and recommend new automation opportunities.
  • End-to-end digital experiences – Automation will integrate deeply into Digital Employee Experience (DEX) strategies, ensuring seamless workflows across systems to improve the overall employee experience at work.

Tim Flower, VP, DEX Strategy for Nexthink, has worked in enterprise IT for over 30 years, and since joining Nexthink in 2015, he has helped businesses large and small around the world to understand the power of information when viewed from the end-user’s perspective.

Bell Pure Fibre Ranked Fastest Internet in Canada For The Third Year In A Row

Posted in Commentary on July 23, 2025 by itnerd

Ookla’s Canada Speedtest Connectivity Report (H1 2025) has hit the street along with the accompanying Speedtest Awards.

For the third year in a row, Bell Pure Fibre has been named Canada’s Fastest Internet — a Speedtest Award win based on millions of real-world consumer tests from Q1–Q2 2025. In addition to this award, Bell ranked #1 in the Speedtest Connectivity Report for:

  • Median download and upload speeds
  • 90th percentile performance

Bell’s wireless network also continues to show strong performance, with the Speedtest Connectivity Report reaffirming leadership in key mobile categories across the country.

The data of 100 million Swedish citizens has been exposed

Posted in Commentary on July 23, 2025 by itnerd

The Cybernews research team has uncovered a major data leak exposing over 100 million detailed records tied to Swedish citizens and companies.

An unsecured server exposed a large collection of sensitive business intelligence and personal data, with records spanning 2019 to 2024 across 25 indices — some over 200GB in size.

Analysis suggests the data originated from Risika, a leading Nordic data analytics firm. However, metadata indicates the server was likely operated by an unidentified third-party client, not Risika itself.

What data was leaked?

  • Full legal names, including history of previous names
  • Swedish personal identity numbers
  • Date of birth and gender
  • Address history, both in Sweden and abroad
  • Civil status and information about deceased individuals
  • Foreign addresses for emigrants
  • Debt records, payment remarks, bankruptcy history, property ownership indicators
  • Income tax data spanning several years (2019–2023)
  • Activity and event logs (including income statement submissions, migration status, and address updates)

Significance of this leak

  • These records effectively mapped out a five-year financial and behavioral profile of Swedish citizens and organizations, making the scale and precision of this leak especially concerning.
  • The leaked data offered a detailed, time-stamped snapshot of how both individuals and organizations function, tracking everything from address changes and income shifts to debt, tax filings, and business ties.
  • The sheer volume and precision of the information make the dataset extremely valuable and dangerous. Banks, lenders, and compliance teams could use it for risk assessments and credit analysis. 
  • Attackers could weaponize this intelligence for everything from corporate surveillance and competitor profiling to highly targeted phishing campaigns, social engineering, or extortion. 

To read the full research report, please click here.

Abstract Security Introduces Shift Left for Detection, Turning Real-Time Insight into a Strategic Advantage

Posted in Commentary on July 23, 2025 by itnerd

Abstract Security, the pioneer in streaming detection and response, today unveiled its groundbreaking Shift Left strategy for security operations—bringing real-time analytics, correlation, and response closer to the source of data. Abstract’s new model empowers security operations teams to detect threats in-stream, before data hits storage—not after the damage is done.

Read more about the Shift-Left Detections Approach from Abstract Security: www.abstract.security/blog/shift-left-detections-with-abstract.  

Why Shift Left for Detection Matters 

Instead of analyzing logs hours after an event, Abstract enables security teams to detect and respond in the moment: 

  • Real-time correlation across cloud, endpoint, identity, and SaaS sources 
  • In-stream threat intelligence and asset context 
  • Instantaneous detection logic execution, before data hits the SIEM or data lake 

The result: security operations that are not only faster, but smarter, leaner, and more effective. 

A New Standard for ROI in Detection 

Traditional detection requires pushing massive volumes of telemetry into SIEMs just to run rules—an expensive, delayed, and inflexible process. Abstract changes the economics of detection by running analytics in-stream: 

  • Up to 70% reduction in SIEM ingestion volume 
  • 4x faster detection using ready-to-deploy rules with no custom tuning required 
  • Improved signal-to-noise ratio, enabling faster, more confident responses 

To learn more about how companies like Juul Labs are already transforming their journey with Abstract, visit https://www.abstract.security/abstract-canvas.   

Detection-as-Code, Powered by ASTRO

Abstract’s ASTRO team delivers constantly evolving detection logic and threat intelligence as code—built for real-time execution. ASTRO also treats DFIR as code, enabling live incident investigations, timeline reconstruction, and playbook automation directly in the stream. 

  • No manual queries 
  • No stale enrichments 
  • No delays in response 

DFIR becomes just as fast and automated as detection itself. Learn more about DFIR-as-code from Abstract in their blog series here.

A Shift Worth Making 

Abstract’s Shift Left philosophy offers security teams a chance to modernize without overhauling. You don’t need to rip and replace. You just need to move detection to where the action is—before the threat moves past you.