Red Canary Threat Report uncovers 4x increase in identity attacks

Posted in Commentary with tags on March 18, 2025 by itnerd

Red Canary today unveiled its seventh annual Threat Detection Report, examining the trends, cyber threats, and adversary techniques that organizations should prioritize in the coming months and years. The report tracks the MITRE ATT&CK® techniques that adversaries abuse most frequently, and this year noted four times as many identity attacks compared to the 2024 edition. After debuting in the top 10 in 2024, cloud-native and identity-enabled techniques surged in this year’s report, with Cloud Accounts, Email Forwarding Rule, and Email Hiding Rules ranking among the top five.

Research highlights major shifts in the threat landscape

The data that powers Red Canary and this report are not mere software signals—this data set is the result of hundreds of thousands of investigations across millions of protected systems and identities. Each of the threats Red Canary detected in 2024 were not prevented by the customers’ expansive security controls. They are the result of a breadth and depth that Red Canary leverages to detect the threats that would otherwise go undetected.

Red Canary’s 2025 report provides in-depth analysis of nearly 93,000 threats detected within more than 308 petabytes of security telemetry from customers’ endpoints, networks, cloud infrastructure, identities, and SaaS applications over the past year. The total number of threats detected increased by more than a third compared to 2024’s report as a result of not only more customers, but also Red Canary’s expanded visibility into cloud and identity infrastructure. 

The analysis shows that while the threat landscape continues to shift and evolve, adversaries’ motivations do not. The tools and techniques they deploy remain consistent, with some notable exceptions. Key findings include:

  • Click, paste, compromised – One of the most successful new initial access techniques observed this year was paste and run, also known as “ClickFix” and “fakeCAPTCHA.” In this attack, adversaries socially engineer users into executing malicious scripts under the pretense that doing so will fix something, like providing access to a video or document.
  • VPN abuse is rampant and difficult to detect – Adversaries constantly use virtual private networks (VPNs) to conceal their location and bypass network controls, but employees also rely on them for legitimate activity. Strikingly, organizations in the educational services sector accounted for 63 percent of all VPN use – a disproportionately high share given their smaller presence among Red Canary’s data. This highlights that environments from organizations in this sector are a potential hotspot for VPN-related security risks.
  • RMM exploitation is on the rise – The use of remote monitoring and management (RMM) tools for command and control and lateral movement is growing, enabling adversaries to drop malicious payloads including ransomware. This year, Red Canary saw malicious use of NetSupport Manager break its yearly top 10, highlighting the popularity of RMM tools amongst adversaries.
  • The not-so-helpful IT desk – Phishing remains prevalent in many forms. Email, QR code (aka “quishing”), SMS, and voice phishing attacks all increased in 2024. Often adversaries posed as IT personnel, asking victims to download malicious or remote control software. In 2024, Black Basta paired email bombing with social engineering, posing as IT personnel “helping” with the issue to gain access and install RMM tools.

The rise of LLMJacking to attack cloud infrastructure

While cloud attacks rose overall in 2024, the techniques adversaries abused have largely remained the same as in past years. However, adversaries have shifted more of their efforts to attacking and compromising cloud infrastructure and platforms:

  • Red Canary observed adversaries attempting to impair defenses inside cloud environments by disabling or modifying firewall rules and logging. Gaining access through compromised cloud accounts or valid credentials, adversaries elevate their privileges by granting the identity additional roles. 
  • With the rise of LLM usage, cloud services such as AWS Bedrock, Azure OpenAI, and GCP Vertex AI have become prime targets for adversaries in an attack known as “LLMJacking.” Adversaries have reportedly sold access to these hijacked models as part of their own SaaS “business” and passed all LLM usage costs to the victim.

Info-stealing malware is the ultimate identity threat

In 2024, stealer malware infections were on the rise across Windows and macOS platforms. Adversaries use stealers to gather identity information and other data at scale. In 2024 there were some interesting variations in the use of infostealers, including:

  • LummaC2 was the most prevalent stealer detected in 2024, operating under a malware-as-a-service (MaaS), and selling for anywhere from $250 per month to a one-time payment of $20,000. Its growing popularity and expanded scope make it a major threat, exposing user credentials and enabling adversaries to gain initial access to organizations using legitimate accounts.
  • Adversaries commonly use LummaC2 to deliver NetSupport Manager, Red Canary’s seventh most detected threat detected in 2024 – giving them a gateway to deploy other malicious payloads as a follow-up to their initial attack.

Mac malware ran rampant

In 2024, macOS experienced the same phenomenon that Windows did: an exponential increase in stealer malware.

  • Red Canary detected 400 percent more macOS threats in 2024 than in 2023, including an exponential increase in malware driven by Atomic, Poseidon, Banshee, and Cuckoo stealers. Atomic Stealer was the most prevalent, appearing on Red Canary’s monthly top 10 threat rankings five times.
  • In September 2024, detections dropped off sharply after Apple remediated a popular Gatekeeper bypass technique abused by numerous malware families. 95 percent of stealer infections happened before September and just five percent occurred after, highlighting the dramatic and immediate impact that patching can have.

Recommended actions:

  • Limit unsanctioned VPN usage. Tighter policies around acceptable use of VPNs will mean that abuse is rare and becomes a potential signal of suspicious logins and other malicious activity when they are present.
  • Manage your centralized identity management solution. A central identity solution isn’t an excuse to kick back. Centralized identity solutions make organizations more secure, but they’re also a priority target for adversaries. Organizations should pay special attention to the evolving threat landscape and be careful to manage their identity infrastructure as safely and securely as possible.
  • Mitigate risk by making patching a top priority. It remains one of the best ways to protect yourself from risk. Unpatched vulnerabilities are one of the most common entry points for adversaries, making timely updates critical to reducing exposure.
  • Balance accessibility to cloud systems with protection. Verify that permissions and configurations are correctly set, and stay informed on how your organization uses cloud infrastructure. Distinguishing between legitimate and suspicious activity requires a deep understanding of what’s normal in your environment.
  • Assess and test your defenses. Look at the top threats and techniques and ask: ‘am I confident in my ability to defend each of these?’ Red Canary’s open source test library Atomic Red Team is free and easy to adopt. 

Learn more

About the Threat Detection Report

The full report is intended as a reference library for security practitioners to improve their ability to prevent, mitigate, detect, and emulate cyber threats. It offers detailed guidance on data sources that log relevant evidence of adversary behaviors, tools that collect from those data sources, insight into how security teams can use this visibility to develop detection coverage, and much more deeply actionable information.

The Threat Detection Report sets itself apart from other annual reports by offering unique data and insights, accompanied by recommended actions derived from a combination of expansive visibility and expert, human-led investigation and confirmation of threats.

Each of the nearly 93,000 threats Red Canary detected in 2024 were not prevented by the customers’ expansive security controls. They are the result of a breadth and depth that Red Canary leverages to detect the threats that would otherwise go undetected.

Leave a comment »

MIND Reveals Traditional Data Loss Prevention Solutions Are Not Working for Most Organizations

Posted in Commentary with tags on March 18, 2025 by itnerd

MIND™ today announced the release of The State of Data Loss Prevention – Current Struggles and Future Expectations. The report examines trends driving the need for data loss prevention (DLP) solutions to secure sensitive information from unauthorized access, leakage and theft, and key challenges as enterprise security teams struggle with outdated or incomplete tools. The report’s findings underscore the importance of modernizing DLP programs so that organizations can efficiently scale sensitive data visibility, classification, detection, remediation and loss prevention.

The report found that enterprise environments are more complex and data stores are exponentially growing, further exacerbating security team difficulties, such as maintaining and evolving DLP policies, dealing with a majority of alerts that are false positives and lack of resources to address and investigate every incident. In fact, 78% of organizations report being challenged in administering and maintaining existing DLP technology solutions and policies, and 94% report using at least two tools and, on average, more than three tools with DLP capabilities, resulting in significant man-hours to administer and maintain multiple solutions. Additionally, nearly all organizations (91%) said it is important to reduce alert noise produced by their current DLP controls due to simple, poor and outdated classification schemes.

These challenges highlight the importance of adopting a future-ready DLP strategy that autonomously discovers and classifies sensitive data that matter, proactively detects issues with a context-aware and risk-based approach and automatically prevents and remediates data leaks. By delivering on these modern capabilities, organizations can expect to experience unprecedented visibility and understanding of their data risks, simplified solution management, dramatic reduction of false positives and efficient data loss prevention and issue remediation.

The report’s key findings include:

  • Persistent data leaks: Despite using multiple DLP tools, 53% of respondents reported two or more unstructured data loss events that they know of and, on average, more than four data loss events in the last 12 months. There were likely many more data loss events that are unknown.
  • Lack of visibility and understanding of data risks: Organizations report that more than 73% of their unstructured sensitive data has not been discovered and classified, leading to potential data risk landmines and unknowns.
  • Debilitating alert fatigue: Organizations are overwhelmed by DLP alerts, with 92% either deferred/left for inspection  after 24 hours or false positives/not remediated. 47% of DLP alerts that are inspected within 24 hours are false positive.
  • Administrative burdens: 68% of companies manage multiple DLP policy sets across their IT environments with disparate, siloed tools.

Download the full report here.

Leave a comment »

New KnowBe4 Report Finds Education Sector Unprepared for Escalating Cyberattacks

Posted in Commentary with tags on March 17, 2025 by itnerd

 KnowBe4, today announced a new report, “From Primary Schools to Universities, The Global Education Sector is Unprepared for Escalating Cyber Attacks”.

The education sector was the most targeted industry for cyberattacks in 2024, according to several reports, including one from Check Point Research. The sector has also seen a stark increase in cyberattacks.

Key findings from the report include:

  • Both primary and higher education institutions heavily rely on third-party vendors for software-as-a-service, cloud storage, and IT services. This creates a risk, as vulnerabilities or breaches within third-party systems could later affect all institutions using these services, which often goes on undetected.
  • An attacker’s search for an open door is helped by the fact that with limited resources, and increasing demands for modernization, schools and universities often mix modern and legacy IT systems, which can leave highly sensitive personal information on outdated and exploitable systems.
  • In its 2024 Data Breach Investigation Report (DBIR), Verizon examined 30,458 security incidents in total, of which 10,626 were confirmed data breaches. Of these, 1,780 incidents (17%) were attacks against the education system,1,537 (14%) with confirmed data disclosure; a figure that put education in the top five of all industries breached globally.
  • In 2023, Trustwave researchers monitored 352 ransomware claims against educational institutions. Phishing stood out in the Trustwave study as the most commonly exploited method for gaining an initial foothold in an organization.

The report demonstrates the significant impact of security awareness training on reducing human risk in educational institutions. Employee susceptibility to phishing attacks dropped dramatically from 33.4% to 3.9% in small educational institutions after one year or more of sustained training and simulated phishing evaluations.

To download the report, visit here.

Leave a comment »

Cl0p Pwns Western Alliance Bank

Posted in Commentary with tags on March 17, 2025 by itnerd

 Western Alliance Bank over the weekend confirmed that it notified 21,899 people about an October 2024 data breach that compromised info such as SSNs, Tax ID Numbers, DOBs, Passports, etc. The infamous ransomware gang Clop has claimed responsibility for the breach. 

In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech,wrote: 

“Clop, or Cl0p, is a high-profile ransomware group that first surfaced in 2019. Its latest wave of claims mostly involve exploiting vulnerabilities in the Cleo file transfer software, which is used by many organizations. Like some other ransomware groups, Clop doesn’t always encrypt files. Instead, it demands ransoms solely in exchange for not selling or publishing stolen data.”

“In 2024, Clop claimed nine confirmed ransomware attacks, plus 74 unconfirmed attacks that haven’t been acknowledged by the targeted organizations. 55 of the 74 unconfirmed claims are related to the same Cleo vulnerability used to breach Western Alliance Bank. In 2025, Cl0p has claimed responsibility for 332 unconfirmed attacks, the vast majority of which exploited Cleo.”

“Ransomware attacks on US finance can endanger clients and delay day-to-day operations until systems are restored. Banks and other financial institutions must either pay a ransom or face extended downtime, data loss, and putting customers at increased risk of fraud. In 2024, Comparitech researchers logged 61 confirmed ransomware attacks on the US finance sector, compromising more than 34.9 million records. The average ransom demand is $1.05 million.”

Clearly the fact that there’s a $10 million reward available for anyone who can serve up information on Cl0p has clearly not deterred them. Illustrating that crime does pay apparently. Speaking of rewards, if you do have information on Cl0p, this Tweet will help to get your info into the right hands.

Leave a comment »

KnowBe4 Sees 98% Spike in Phishing Campaigns Leveraging Russian (.ru) Domains

Posted in Commentary with tags on March 17, 2025 by itnerd

 KnowBe4 has observed a 98% rise in phishing campaigns hosted on Russian (.ru) top-level domains (TLDs) from December 2024 to January 2025, primarily used for credential harvesting. 

These Russian .ru domains are run by so-called “bullet-proof” hosting providers, that are known to keep malicious domains running and ignore abuse reports which is ideal for cybercriminals.  

Many of the phishing emails that we identified and investigated had passed through one or more security products including Exchange Online Protection, Barracuda Email Security Gateway, Mimecast, and Cisco Ironport. 

KEY FINDINGS 

  • 98% increase in phishing sites using .ru TLDs from December 2024 to January 2025 
  • 1,500 unique .ru domains identified as part of the campaign 
  • 377 new domains registered with “bulletproof” registrar R01-RU 
  • More than 13,000 malicious emails with the domain were reported 
  • 2.2% of observed emails from .ru domains were phishing emails  
  • 7.4 days average age of a .ru domain 

You can get the full details here.

Leave a comment »

Guest Post: What is Web Scraping?

Posted in Commentary with tags on March 17, 2025 by itnerd

By Geonode

Ever wondered how companies gather huge amounts of data from the internet without breaking a sweat? That’s where web scraping comes into play. Imagine having a digital assistant that tirelessly scours websites, picking up the information you need and organizing it into neat spreadsheets or databases. That’s essentially what web scraping does.

Web scraping involves two main players: the crawler and the scraper. Picture the crawler as a curious explorer, navigating the vast internet landscape, while the scraper is the diligent collector, picking up the data gems. Together, they turn chaotic web data into structured, usable insights.

While you can technically scrape data manually, it’s usually an automated game—think bots or scripts doing the heavy lifting. This automation is a game-changer in today’s data-driven world, empowering businesses to stay competitive. Companies use web scraping for a variety of reasons, like monitoring prices, generating leads, conducting market research, and aggregating content. However, it’s crucial to remember that web scraping isn’t a free-for-all; there are legal and ethical boundaries to respect.

The Legal Landscape of Web Scraping

Web scraping, though incredibly useful, can be a legal minefield. You could stumble into issues like copyright infringement, violating terms of service, breaching data privacy laws, or misusing scraped content. Staying on the right side of the law is key, and understanding the legal frameworks that govern web scraping is crucial.

Key Laws and Regulations

The Computer Fraud and Abuse Act (CFAA)

The CFAA is a cornerstone law in the U.S. that governs web scraping. Established in 1986, it criminalizes “intentionally accessing a computer without authorization” or “exceeding authorized access.” Some landmark cases have helped shape its interpretation.

Van Buren v. United States

In 2021, the Supreme Court ruled in Van Buren v. United States that “exceeds authorized access” should only apply when someone accesses parts of a computer system they’re not supposed to. This narrows the scope of what counts as unauthorized access under the CFAA, offering some relief for web scrapers.

hiQ Labs, Inc. v. LinkedIn Corp.

In another pivotal case, the Ninth Circuit Court ruled that hiQ’s scraping of publicly accessible LinkedIn profiles did not constitute unauthorized access under the CFAA. LinkedIn couldn’t restrict public access to the data, making this a significant decision for the scraping community.

Data Protection Laws

When it comes to personal data, regulations like the GDPR in Europe and the CCPA in the U.S. mandate businesses to obtain proper consent. Ignoring these laws can lead to hefty fines and legal troubles.

Digital Millennium Copyright Act (DMCA)

The DMCA prohibits circumventing technological measures designed to control access to copyrighted works. So, if you’re thinking about bypassing some tech barrier to scrape data, you might want to think twice.

Ethical Best Practices

To navigate these legal complexities, ethical web scraping is the way to go:

  1. Respect Terms of Service: Always abide by the terms of service of the websites you scrape.
  2. Obtain Consent: Ensure you have the necessary consent to collect and use personal data, in line with GDPR and CCPA regulations.
  3. Avoid Technological Barriers: Don’t bypass technical measures designed to protect content.

Ethical Concerns in Web Scraping

Web scraping isn’t just about legality; it’s also about ethics. You wouldn’t want to end up on the wrong side of a moral dilemma, right?

Privacy and Data Protection

Collecting personal data without consent is a major no-no. Ethical web scraping means obtaining necessary consents and complying with data protection laws.

Respect for Terms of Service

Web scraping often clashes with the terms of service of the targeted websites. Ignoring these terms can lead to legal battles and a loss of trust. Ethical scraping involves playing by the rules set by website owners.

Intellectual Property and Copyright

Scraping content without permission can lead to copyright issues. The DMCA and CFAA are pretty clear about this, and violations can have serious repercussions. For example, copying entire web pages or extracting data behind login credentials without authorization can breach proprietary rights.

Responsible Data Use

Misusing scraped data can lead to misinformation, spam, or other harmful activities. Responsible data usage means being transparent about your data collection practices and using the data ethically.

Best Practices for Ethical Web Scraping

  1. Respect Robots.txt and Rate Limits: Configure your scrapers to follow the robots.txt file and adhere to rate limits to avoid overloading servers.
  2. Legal Compliance: Stay updated on the legal landscape and comply with both local and international laws.
  3. Transparency and Accountability: Be transparent about your data collection methods and be accountable for the data you collect.

Case Studies and Precedents

Learning from real-world cases can help you avoid potential pitfalls.

Van Buren v. United States (2021)

This Supreme Court decision reshaped how we interpret the CFAA by narrowing its scope. It ruled that the CFAA’s definition of “exceeds authorized access” only applies when someone breaches a technical barrier.

hiQ Labs, Inc. v. LinkedIn Corp.

In this case, the Ninth Circuit Court ruled that scraping data from a public website likely doesn’t violate the CFAA, even if the website owner objects. This decision emphasizes a more restrained interpretation of “unauthorized access.”

By studying these cases, businesses can better navigate the complex web of laws governing web scraping, ensuring their activities are both ethical and legal.

Actionable Takeaways

Here’s how you can practice ethical and legal web scraping:

  1. Read the Terms of Service: Always check the terms of service of websites before scraping.
  2. Get Consent: Make sure you have permission to collect and use personal data.
  3. Follow Robots.txt: Respect the robots.txt file and adhere to rate limits.
  4. Stay Informed: Keep up-to-date with legal requirements and best practices.
  5. Be Transparent: Clearly communicate your data collection methods and purposes.

So, the next time you think about web scraping, remember to do it the right way—both legally and ethically. Happy scraping!

“Web scraping, if done ethically and legally, can be incredibly beneficial,” notes Josh Gordon, a technology infrastructure expert at Geonode. “With Geonode’s secure and reliable proxy solutions, businesses can access data without barriers, ensuring privacy and security.”

By following these guidelines, you can make the most out of web scraping while staying on the right side of both legal and ethical considerations.

Leave a comment »

PII Exposed Online in Healthcare Marketplace Connecting Facilities and Nurses Data Leak

Posted in Commentary with tags on March 14, 2025 by itnerd

Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database that contained over 86,000 records belonging to ESHYFT — a New-Jersey-based HealthTech company that operates in 29 states. This database contained 86,341 records including PII of users. A discovery that I previously covered here.

Erich Kron, Security Awareness Advocate at KnowBe4 had this to say: 

“Breaches like this are indicative of the problem with collecting sensitive data without controls to protect it. Not only is the information that has been stolen extremely useful if a bad actor wants to steal one of these individuals’ identity, but it also contains a lot of information that could easily be used in an even more damaging social engineering attack. By having access to information about past jobs, shifts, or similar private life events, a bad actor could easily use it to convince a potential victim that they are from a previous employer, or a potential future employer trying to recruit them. Scams related to employment opportunities are common and can be used to fleece the victims out of money and even more sensitive information.”

“Organizations that handle information such as this have a duty to protect their customers’ information. While it is a temporary inconvenience for an organization to suffer a data breach, the implications of information such as this being lost can impact the victims for a lifetime. Organizations need to address not only technical security controls, but also human risk, which can include misconfiguring security and permissions related to information storage and access, poor software coding practices, or even making unapproved copies of data, among others.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech follows with this: 

“There is no excuse for leaving such a sensitive database unprotected, and it has almost certainly been found and copied already by cybercriminals. Our honeypot studies show it takes just a few hours for hackers to find and target exposed databases like this one. Thankfully, none of the data poses a direct threat to data subjects or their finances.”

“Hospitals, clinics, and other healthcare companies are frequently targeted by ransomware gangs and other cybercriminals.  Comparitech researchers logged 146 confirmed ransomware attacks on US healthcare companies in 2024, compromising more than 24.8 million records. The average ransom was $1.05 million.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy adds this:

“Unfortunately, it seems like lately it’s another day, another data breach made easy by a misconfigured AWS S3 data bucket. There is simply no excuse for this happening. We’ve seen enough of these data breaches that are enabled by misconfigured data buckets that every database professional should be aware of the issue and they should have educated themselves as to how to better secure these data buckets. Until we see more educational efforts and efforts on the parts of IT professionals, we’ll continue to see these on a regular basis.”

Organizations need to make protecting PII their priority. And if they don’t take that responsibility seriously, then I say fine them and make it so expensive that they are forced to do the right thing. Because these sorts of events are not acceptable.

UPDATE: Martin Jartelius, CISO at Outpost24 had this to say:

“Do your attack surface management and track data leakage in it – otherwise someone else will. In this case someone who responsibly disclosed it later thankfully.”

Jim Routh, Chief Trust Officer at Saviynt follows with this:

“Thanks to Cybersecurity Researcher, Jeremiah Fowler for pointing out the obvious. Customer information for healthcare or any other sector must apply the right level of control to the appropriate data classification. Data classified as restricted or at the highest level must include encryption of data at rest and advanced multi-factor authentication at a minimum.”

Leave a comment »

FCC creates council to counter Chinese threats

Posted in Commentary with tags on March 14, 2025 by itnerd

The FCC announced it is creating a national security council to improve US defenses against Chinese cyber-attacks and in an effort to “[win] the strategic competition with China over critical technologies” such as 5G, AI, and quantum computing.

The new FCC chair Brendan Carr said he was establishing the council to focus on the “persistent and constant threats from foreign adversaries, particularly the Chinese Communist party”.

  “These bad actors are always exploring ways to breach our networks, devices, and technology ecosystem. It is more important than ever that the FCC remain vigilant and protect Americans and American companies from these threats,” Carr said.

Carr also mentioned that the council would “pull resources from a variety of FCC organizations” and target mitigating US vulnerabilities to cyber-attacks, espionage and surveillance and reducing supply chain dependence on adversarial states.

The new council is expected to shift focus from individual Chinese entities to a more sectoral approach due to US loopholes, such as a Chinese group changing its name, that allowed threat actors to circumvent punitive actions.

  “The US side, instead of playing up the so-called ‘China threat’, should adopt an objective and rational perception of China. It needs to work with China, under the principles of mutual respect, peaceful coexistence and win-win co-operation, for stable, sound and sustainable development of China-US relations,” said Liu Pengyu, the embassy spokesperson, in learning of the new council.

Evan Dornbush, former NSA cybersecurity expert had this to say:

The FCC announcement to build a China-focused response capability is only a few days old, so it may be too early to understand the first-order tactics (and their effectiveness). This is a bold step. The FCC owns the airwaves, and with so much technology leveraging wireless, from drones using GNSS, to cellular networks using foreign-made 5G routing, to mesh networks coordinating over the managed spectrum, it’s clear the FCC is crucially placed to have impact.

This also gives the FCC a “stick” to match its “carrot”. Over the summer when US telecom carriers revealed that the lawful intercept systems they are obligated to operate (due to CALEA, which is managed by FCC), were exposed to foreign adversaries. The resulting action? Congress gave a $3B hand out to “rip and replace” foreign-manufactured equipment. With that gone, telcos still have vast exposure from old legacy equipment likely vulnerable to both known and zero-day exploits.

What might it take for these companies to upgrade? The new authorities could increase audits and inspections. It could increase stricter fines or other penalties.

And this stick could apply to areas other than telcos. It is common practice for foreign companies to white label through US shell entities to get around various disclosures and other restrictions pertaining to license applications. Tightening up the authorization process to trace the supply chain can perturb aggressors trying to preposition deeply embedded malware.

The Chinese are clearly a threat as demonstrated by their past actions. Thus anything that can be done to counter that threat is a good thing in my mind.

Leave a comment »

CISA Puts Out Advisory On Medusa Ransomware

Posted in Commentary with tags on March 13, 2025 by itnerd

Yesterday, CISA released a joint advisory on the Medusa Ransomware that provided tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with the ransomware group. As of February 2025, Medusa has impacted over 300 victims across critical infrastructure sectors, including medical, education, law, insurance, technology, and manufacturing.

You can read the advisory here.

 James Winebrenner, CEO at Elisity had this to say:

“The CISA recent advisory on Medusa ransomware really reflects how threat actors are getting smarter and adapting. What particularly concerns me is Medusa’s exploitation of legitimate remote management tools like AnyDesk, ConnectWise, and Splashtop, which are the tools many OT environments rely on for maintenance and support.

Medusa’s attack pattern through the lens of IEC 62443 is a classic example of why proper zone boundary protection (CR 5.2) and network segmentation (CR 5.1) are foundational to industrial control system security. The attackers first perform reconnaissance and then leverage legitimate tools for lateral movement before payload deployment, a pattern that traditional detection methods struggle to identify.

Organizations should implement three technical controls aligned with IEC 62443:

  1. Implement proper zones and conduits architecture as specified in IEC 62443-3-2, ensuring critical control systems are isolated and protected from IT networks where initial compromise typically occurs.
  2. Apply least privilege principles (CR 7.7) for all network communications. Define granular policies based on asset function and operational context rather than just network location to limit lateral movement.
  3. Deploy solutions that can detect anomalous behavior in legitimate tools and enforce zone boundary protection (CR 5.2), focusing on monitoring behavioral patterns rather than just the presence of these tools.

The triple extortion scheme mentioned in the advisory indicates that Medusa actors understand the unique pressures facing critical infrastructure operators. Organizations must treat ransomware as a business risk requiring defense-in-depth strategies across people, process, and technology controls.

With Medusa attacks up 42% according to Symantec, OT security teams should reassess their segmentation strategies and ensure alignment with IEC 62443 standards.”

What this advisory highlights is the fact that this is a today problem and every organization needs to treat it as such. Because an advisory like this would not exist if this ransomware were not a clear and present danger.

Leave a comment »

John Gruber Rips Apple Over The Apple Intelligence Debacle

Posted in Commentary with tags on March 13, 2025 by itnerd

For those who don’t know, John Gruber has been writing and covering the Apple space for a couple of decades now. He’s even been on stage interviewing top Apple execs. So when he says something about Apple, you should pay attention.

With that in mind, Gruber has posted this piece on his site and it should get the attention of people within Apple. In short, he pretty much takes Apple to the woodshed over Apple Intelligence:

In the two decades I’ve been in this racket, I’ve never been angrier at myself for missing a story than I am about Apple’s announcement on Friday that the “more personalized Siri” features of Apple Intelligence, scheduled to appear between now and WWDC, would be delayed until “the coming year”.

I should have my head examined.

This announcement dropped as a surprise, and certainly took me by surprise to some extent, but it was all there from the start. I should have been pointing out red flags starting back at WWDC last year, and I am embarrassed and sorry that I didn’t see what should have been very clear to me from the start.

And:

What Apple showed regarding the upcoming “personalized Siri” at WWDC was not a demo. It was a concept video. Concept videos are bullshit, and a sign of a company in disarray, if not crisis.

He’s clearly not pulling any punches here. And I’ve just posted a couple of snippets of what he said. If you really want to get the full flavor of his epic takedown of Apple, I encourage you to read the whole piece. But let me get to the TL:DR: He’s basically said that nobody should have believed the Apple Intelligence demo at WWDC 2024 because Apple was lying. And now they’re scrambling to somehow catch up when they were already behind the 8-ball so to speak.

And the thing is he’s right as far as I am concerned. Just like I said here. And hopefully this is the wake up call that Apple needs to get its act together. Because if not, Apple’s credibility at the very least is screwed. And at worst, the company may be screwed as well.

Are you listening Tim Cook?

Leave a comment »

« Older Entries
Newer Entries »