macOS Sequoia 15.3 Fixes An Annoyance That I Tripped Over… Are Other Issues Fixed As Well?

Posted in Commentary on January 31, 2025 by itnerd

macOS Sequoia has been a bit of a mess in terms of the quality of the software since it was released. I say that because there were a number of issues and oddities that quite honestly shouldn’t have made it to the streets. In fact, I have been actively telling my clients not to upgrade their Macs until a lot of these issues get sorted. With the release of 15.3 earlier this week, things might be improving.

Back in mid December when macOS 15.2 hit the streets, there was something odd that I tripped over. When a Mac such as my Mac mini was plugged into a TV via HDMI, it would show the icon in the menu bar that the screen was being mirrored. This would not happen if you had the same computer plugged into a monitor. I later discovered that it was apparently a change that Apple made. At the time I said this:

I honestly wish Apple found some more elegant method of doing this. I say that because I am sure that the AppleCare helpline is being hit with calls regarding this, which is something that could have been avoided by a better UI design. But what do I know? After all, Apple knows best, right?

I guess Apple must have figured out that this wasn’t a good change to make because in macOS Sequoia 15.3, it no longer shows that a Mac plugged into a TV over HDMI is being mirrored. I can only think of two reasons why this was fixed:

  1. The AppleCare helpline got bombarded with calls and they needed to make that stop.
  2. Someone internally got a clue and said that this was a stupid idea and that they needed to change direction on it.

Either way, I am glad that Apple addressed this, as it is one thing that is off my list of annoyances with Sequoia. Now in case you were wondering, here are some other issues and oddities that I have been tracking since Sequoia came out:

That I can confirm is accurate via the WayBack Machine as the text on that page was completely different in late 2024. On the surface, it seems that Apple has made another design decision that was poorly communicated. Why Apple insists on doing these design changes and not telling anyone, I do not know. But it looks like we’re done with this issue as Apple clearly is done with this issue.

Now if Apple has fixed the Time Machine issues, I would start to feel comfortable enough with recommending it to my clients. That’s because many of my clients who aren’t businesses or enterprises use Time Machine to back up. Thus the fact that it doesn’t work reliably is a hard no for many of my clients. Stay tuned to see if that has been fixed, or if we’re going to be waiting until Apple decides that is something worthy of getting a fix from them instead of focusing totally on that dumpster fire known as Apple Intelligence.

UPDATE: It doesn’t fix the ongoing issues with Time Machine. Sigh.

DeepSeek Is In The News For All The Wrong Reasons

Posted in Commentary with tags on January 30, 2025 by itnerd

A few days ago, DeepSeek was setting the world on fire because the AI that it put on the table offered strong LLM performance at a much lower cost to train. That made heads explode. But heads are exploding again with news that cybersecurity researchers from Wiz have found a ClickHouse database owned by Chinese AI start-up DeepSeek containing over a million lines of chat history and sensitive information. The database was publicly accessible and allowed the researchers full control over database operations. That too made heads explode. And this is on top of attacks on DeepSeek.

Gunter Ollmann, CTO, Cobalt had this to say:

“The DeepSeek exposure highlights a critical and recurring issue—organizations, especially those innovating rapidly in AI, often prioritize speed over security. Wiz’s discovery reinforces the importance of proactive security testing, particularly as attack surfaces expand with cloud-based infrastructure and publicly accessible APIs. Given DeepSeek’s recent global recognition and growth in the AI space, the breach could have had a huge impact, significantly affecting businesses and individuals relying on their services, with potential ripple effects across industries.

This case underscores why organizations must continuously evaluate the robustness of their defensive controls —not just to meet compliance, but to protect sensitive data and improve their risk posture. Offensive security, including penetration testing and attack surface monitoring, is essential in identifying these open doors before adversaries do. AI-driven platforms like DeepSeek must integrate security testing into their development lifecycle, ensuring rigorous assessments of infrastructure, access controls, and data handling policies.

AI may be “new” but the basics of security processes and controls still apply.

As AI companies become integral to critical infrastructure, security can’t be an afterthought. The industry needs to adopt a proactive mindset—regular pentesting, red teaming, and continuous attack surface monitoring—to safeguard both intellectual property and customer trust.”

The more I hear about DeepSeek, the more I think that this is an AI that should be avoided. They don’t seem to have their act together, and that’s on top of them being based in China which by itself should set off alarm bells.

Aviso Selects Darktrace ActiveAI Security Platform

Posted in Commentary with tags on January 30, 2025 by itnerd

Darktrace, a global leader in AI for cybersecurity, today announced that Aviso, one of Canada’s leading wealth services suppliers, has selected the Darktrace ActiveAI Security Platform to secure its organization’s digital ecosystem.

With over CAN$140 billion in assets under administration and management, Aviso is a leading wealth services supplier for the Canadian financial industry. The organization provides services to nearly all credit unions across Canada and to a wide range of portfolio managers, investment dealers, insurance and trust companies and introducing brokers. Seeing digital transformation and modernization as strategic opportunities to differentiate and drive growth, Aviso is focused on building a technology-enabled, client-centric wealth management ecosystem. Implementing a robust, modern cybersecurity strategy that keeps networks, systems, people and data secure is vital for excellent client service and Aviso’s overall growth journey.

Financial services organizations are often a top target for cyber-criminals, with this industry subject to attacks from a broad range of threat actors ranging from organized and well-funded cyber-criminal groups with financial motivations to hacktivist groups seeking to cause disruption and wreak havoc in the markets.

Faced with a rapidly evolving threat landscape, Aviso wanted to free its security team from time-consuming manual processes, including investigating an overwhelming volume of security alerts. As part of its plan to create a modern cybersecurity strategy, Aviso turned to Darktrace’s pioneering AI technology to help their security team overcome alert fatigue, while freeing up time to focus on more proactive efforts like vulnerability management and enhancing business practices in other areas such as service, operations and compliance.

Aviso is using a variety of components of the Darktrace ActiveAI Security Platform, including Darktrace / EMAIL for a user-focused and business-centric approach to email security, Darktrace / NETWORK and Darktrace / ENDPOINT for industry-leading network detection and response capabilities, Darktrace / IDENTITY for robust identity management, and Darktrace Managed Detection and Response. The Darktrace ActiveAI Security Platform, underpinned by Darktrace’s unique Self-Learning AI engine, learns what is normal behavior for Aviso’s entire network, continuously analyzing, mapping and modeling every connection to create a full picture of devices, identities, connections and potential attack paths. Darktrace uses this deep understanding of Aviso’s enterprise network to identify suspicious behavior and autonomously respond without disrupting business operations to secure Aviso’s entire digital footprint.

In just one month, Aviso tracked 6.7 billion network events using Darktrace / NETWORK; of those events, Darktrace autonomously investigated 23 million alerts, saving Aviso’s team an estimated 1,104 hours of manual investigation.

To learn more about how Darktrace helps protect Aviso, check out the case study.

New Research Exposes FUNNULL CDN Renting IPs from Big Tech Like AWS & MSFT for Laundering

Posted in Commentary with tags on January 30, 2025 by itnerd

Today, Silent Push announced that its threat analysts have discovered threat actors enabled by mainstream cloud providers, including Amazon Web Services (AWS) and Microsoft Azure.

New details uncovered in the course of this reporting indicate that FUNNULL is likely using fraudulent or stolen accounts to acquire these IPs to map to their CNAMEs, and providers we have spoken to claim this wasn’t caught in real time due to visibility holes from the technical complexity of their DNS architecture.

Additional key findings include:

  • FUNNULL has rented over 1,200 IPs from Amazon and nearly 200 from Microsoft. Although most IPs have been taken down, new ones are acquired every few weeks.
  • There are indications of FUNNULL illicitly acquiring the IPs using stolen or fraudulent accounts. However, external visibility into this process is limited.
  • Money laundering is directly associated with a service hosted on shell websites, retail phishing schemes, and pig-butchering scams being kept online via infrastructure laundering.

This is now live at https://www.silentpush.com/blog/infrastructure-laundering/

INKY Introduces New Generative AI Capabilities

Posted in Commentary with tags on January 30, 2025 by itnerd

INKY, the leader in modern email security for Managed Service Providers, announced today the integration of groundbreaking Generative AI capabilities into its platform, redefining the standards of email security. INKY GenAI is now available to analyze emails in real-time for all eligible customers, at no additional cost.

Building on its legacy of innovation, INKY’s Generative AI marks a major leap forward, akin to its groundbreaking deployment of Computer Vision in late 2018. Now in its sixth generation, INKY Computer Vision recognizes hundreds of brands with human-level accuracy, and its Generative AI sets a new standard for language understanding and email threat detection.

Key Benefits of INKY Generative AI:

  1. Human-Level Language Understanding: INKY’s Generative AI processes email content much like advanced chatbots, interpreting meaning and intent regardless of phrasing. This enables superior detection of zero-day attacks, thwarting even the most cleverly worded attempts to evade pattern-based detection systems.
  2. Explainable Results: The INKY Dashboard highlights specific sections of an email that contribute to its assessment, giving administrators actionable insights and confidence in the AI’s decision-making process.
  3. Integrated Obfuscation Countermeasures: Combining Generative AI with INKY’s existing countermeasures for cloaked text (e.g., zero font, Unicode, and homograph techniques), the platform transforms obfuscated email content into clean text for precise analysis.
  4. Broad System Integration: Generative AI is infused into all aspects of INKY’s platform, including the analysis of website content linked in emails and third-party cloud services.
  5. Enhanced Graymail Detection: INKY’s popular graymail filter is now even more accurate and effective, providing greater productivity and inbox organization for users.
  6. Privacy-First Approach: INKY’s Generative AI operates entirely within the company’s infrastructure, ensuring that no company data or personally identifiable information (PII) is exposed to third parties.
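To make the cloaked-text countermeasures in item 3 concrete, here is an added example (my own code, not INKY’s) that strips zero-font and otherwise hidden HTML, NFKC-folds fullwidth and other compatibility forms, and maps a small hand-built table of Cyrillic look-alikes back to ASCII, reporting what it changed so the result stays explainable. The sample message, the confusables table and the inline-style heuristics are all assumptions constructed for the demonstration.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Constructed sample (not from the page): a lure that pads the text with invisible
# spans and spells key words with Unicode look-alikes (Cyrillic, fullwidth forms)
SAMPLE_HTML = (
    '<p>Your <span style="font-size:0px">lorem</span>account '
    '<span style="display:none">ipsum</span>is <b>suspend\u0435d</b>. '
    'Log in at <a href="https://example.test">\uff56\uff45\uff52\uff49\uff46\uff59</a>.</p>'
)

# Hand-built look-alike table; assumption: a small subset of Unicode confusables
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}
# Inline styles that hide an element from the reader ("zero font" and friends)
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|%)?\s*(?:;|$)"
    r"|display\s*:\s*none|visibility\s*:\s*hidden",
    re.I,
)
NEVER_SHOWN = {"script", "style", "head", "title"}   # content never rendered
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # no closing tag


class VisibleTextExtractor(HTMLParser):
    """Keep only text a reader would actually see; count what was hidden."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0  # > 0 while inside a hidden element
        self.hidden_chars = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        if self.hidden_depth or tag in NEVER_SHOWN or HIDDEN_STYLE.search(style):
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_depth:
            self.hidden_depth -= 1

    def handle_data(self, data):
        if self.hidden_depth:
            self.hidden_chars += len(data)
        else:
            self.parts.append(data)


def normalize_text(text):
    """NFKC-fold compatibility forms, then map listed confusables to ASCII.
    Returns (clean_text, substitutions_made, count_of_chars_nfkc_changed)."""
    folded = sum(1 for ch in text if unicodedata.normalize("NFKC", ch) != ch)
    findings, out = [], []
    for ch in unicodedata.normalize("NFKC", text):
        if ch in CONFUSABLES:
            findings.append(f"U+{ord(ch):04X} {unicodedata.name(ch, '?')} -> {CONFUSABLES[ch]}")
            out.append(CONFUSABLES[ch])
        else:
            out.append(ch)
    return "".join(out), findings, folded


def deobfuscate_email(html):
    """Turn cloaked HTML into plain text fit for content analysis, plus the
    evidence of cloaking so an analyst can see why a verdict was reached."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    visible = re.sub(r"\s+", " ", "".join(parser.parts)).strip()
    clean, findings, folded = normalize_text(visible)
    return {"visible_text": visible, "clean_text": clean, "substitutions": findings,
            "hidden_chars": parser.hidden_chars, "nfkc_folded": folded}
```

On the sample, the hidden filler never reaches the text that gets analyzed, and the counters and substitution list give the reviewer the same kind of evidence the Explainable Results item describes.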

INKY’s Generative AI technology fundamentally changes the email security landscape. By applying advanced AI capabilities, INKY provides comprehensive protection against threats while delivering practical tools to enhance user confidence. Administrators can see the system’s value immediately by examining real-world detections, which demonstrate INKY’s ability to truly “read” and interpret emails with unmatched depth.

For more information on INKY’s Generative AI capabilities and how they provide transformative language understanding and detection capabilities for email security, visit INKY GenAI.

Microsoft 365 Services Had A Bit Of A Problem Yesterday

Posted in Commentary with tags on January 30, 2025 by itnerd

Bleeping Computer is reporting that Microsoft had an issue that was preventing users and admins from accessing some Microsoft 365 services and the admin centre. There was a big spike yesterday afternoon in reports of trouble. But that seems to have reduced since then. Though I am still hearing of scattered issues today despite Microsoft’s status page listing everything as being fine. Thus I have to assume that these are just isolated incidents.

Jim Routh, Chief Trust Officer at cybersecurity company Saviynt, commented:

“When you’re a cybersecurity professional reading this update, you generally offer a sigh of relief since the outage is not related to a cyber security incident. The root cause is more of a rather mundane type of configuration change that caused the outage. There is always an opportunity to learn from these types of issues and the quick acknowledgement by Microsoft, along with their commitment to applying the lessons learned, is admirable for Microsoft customers.” 

This outage appears to have been short in duration. But it highlights how dependent organizations are on Microsoft services. Hopefully Microsoft does all it can to make sure that whatever happened yesterday doesn’t happen again.

Significant Vulnerability In Zyxel CPE Series Devices Is Being Actively Exploited

Posted in Commentary with tags on January 30, 2025 by itnerd

Hackers are exploiting a critical command injection vulnerability in Zyxel CPE Series devices that has remained unpatched since last July.

GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. At publication, Censys is reporting over 1,500 vulnerable devices online.

CVE-2024-40891 is very similar to CVE-2024-40890 (observed authentication attempts, observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser).

Martin Jartelius, CISO at Outpost24 had this to say:

“This is a case where the CVE system has not been efficient. As vendors withhold publishing information and CVEs until they have a solution, organizations are unable to proactively take action and remove critically vulnerable devices.”

“The vulnerability was put in a reserved state in July 2024 and has since remained undisclosed by the vendor, meaning that currently it is also not indexed by sources such as NVD. Many organizations source their vulnerability information from NVD, and even though security researchers and the vendor are aware, customers remain uninformed.”

“If we turn to the vendor and review the available drivers, they have a range of release dates, some dating as old as 2016, others released in spring 2024.”

“It should be noted that the devices are not present on either of the vendor’s lists of End-Of-Life devices, and the lack of updates addressing the issue is very concerning. Zyxel already prior to this constitutes several of the vulnerabilities listed in the CISA KEVs list, and if the latest two are added, Zyxel will on their own constitute 1% of the total list of Known Exploited Vulnerabilities.”

To say that this isn’t good is an understatement. Hopefully Zyxel decides to address this issue ASAP as the fact that this is being actively exploited isn’t going to end well for anyone using the Zyxel devices. Nor will it end well for Zyxel.

Guest Post: Ransomware 2024 report: the number of ransomware victims increased by 26%

Posted in Commentary with tags on January 30, 2025 by itnerd

According to Cybernews tool Ransomlooker’s data, nearly 5,300 ransomware victims were reported last year, a whopping 26% increase from the previous year. Ransomware operators continue to prove their uncanny versatility, even though 2024 was marked by significant and far-reaching attempts from law enforcement to curb attacker activity.

Ransomlooker’s top attackers

Interestingly, LockBit, pronounced dead after the highly publicized operation Cronos in early 2024, still secured the top spot among cybercrooks. This made it the gang’s third consecutive year on the throne.

Worth noting, however, that LockBit’s position severely weakened last year as the number of the gang’s victims fell to around 530, a 50% decrease. Given that the whole ransomware scene widened by a quarter, the gang’s actual fall is even more spectacular.

Emerging in 2024, RansomHub sprinted straight to the top, victimizing nearly 500 organizations and showing a startling ability to scale operations apace.

Meanwhile, the Play ransomware gang has entrenched itself in third place, holding the title for a second year in a row with nearly 350 victims. The gang focused its efforts on targeting sectors like manufacturing/industrial, real estate/construction, and technology.

At the same time, LockBit mostly targeted manufacturing/industrial, technology, and retail industries, while RansomHub put the most effort into victimizing real estate/construction, manufacturing/industrial, and retail sectors.

Malicious actors were most active in spring and autumn

Ransomlooker helped to spot a worrying trend last year: the proliferation of new ransomware gangs. According to the team, the number of active ransomware gangs almost reached 89, a significant hike from 67 in the previous year.

“Among the tsunami of newcomers, 43 were newly formed or rebranded groups, highlighting the dynamic and decentralized nature of the ransomware ecosystem. Newbies alone accounted for more than one-third of all claimed victims in 2024, illustrating their aggressive start,” researchers said.

Apart from RansomHub, two other groups strongly entered the fray: KillSec and Funksec, with 136 and 91 victims, respectively. New and, unfortunately, successful entries point to the challenges of reducing ransomware activity – the barriers for entry remain low and the decentralized model of operation allows new groups to fill the void left by dismantled ones.

Another interesting trend the team noticed was the seasonal pattern of ransomware group activity. For example, spring and autumn were the most active periods for malicious actors, with nearly 1,600 victimized organizations in fall and another 1,500 in spring.

Top industries under attack: manufacturing, technology, and real estate

The top three sectors under siege closely mirrored trends we saw in 2023, with manufacturing and industry sectors bearing the brunt of attackers’ punches.

Ransomware gangs victimized over 300 companies in the sector, an unsurprising outcome given how sensitive manufacturing is to downtime, which makes these companies profitable targets for extortion.

With 150 victims, businesses in the technology sector were the second most targeted. Real estate ranked third, showcasing attackers’ love to aim for organizations with interconnected systems and valuable data.

“Healthcare services also remained a key target, raising concerns about the security of critical infrastructure. This is particularly alarming, as each year brings more reports emphasizing that ransomware attacks on healthcare institutions can lead to severe consequences, including the loss of patient lives,” the team said.

America’s onslaught

The United States holds the unfortunate crown as the most targeted country in the world. Ransomlooker data shows that over 1,700 organizations were victimized in the States, far surpassing others.

For example, the second and third-place holders, Canada and the UK, had more than ten times fewer victims.

India, the fourth-place holder, should take note of that. The world’s largest democracy was absent from the top targeted country list from 2021 through 2023 but emerged as the hottest target in 2024.

Other countries such as Italy, Germany, France, and Spain also experienced steady ransomware activity, illustrating how attackers focus on nations with strong economies and extensive digital reliance.


Red Canary Posts Analysis On “Tangerine Turkey” Worm

Posted in Commentary with tags on January 30, 2025 by itnerd

Tangerine Turkey is a new VBS worm spread via USBs with a cryptomining payload. Tangerine Turkey first appeared in November, but infections rose sharply last month to launch it into Red Canary’s top 10 threats at #8. More interestingly though, when Red Canary’s analysts started digging, they discovered the new worm appears to be connected to a much bigger global cryptomining operation, which has so far largely gone under the radar.

There is more background in the blog here – which is being updated later today with new information about GitHub repositories that Red Canary’s analysts discovered were being used to store configuration files for Tangerine Turkey.

Stef Rand, Senior Intelligence Analyst, Red Canary leading the investigation had this comment:

“External USB drives delivering malicious payloads–like worms and cryptominers–are still a surprisingly common problem in information security. What’s interesting here is that what initially looked like a new cryptomining worm bears strong similarity to a larger global operation uncovered by Azerbaijan’s CERT in October 2024. That investigation has so far traced 270,000 infections across 135 countries, attributed to what the Azerbaijan CERT has dubbed the “Universal Mining Operation”. That suggests that Tangerine Turkey could be much more widespread than we first thought.

“When we started digging into Tangerine Turkey, we found a report from February last year from someone who used their USB to make copies in a print shop in Turkey. When they put it back into their own machine, they detected activity that looked similar to Tangerine Turkey. This indicates a strong possibility the operation could be linked to physical shops or internet cafes where adversaries can take advantage of unsuspecting users plugging USBs into and out of public machines. While that’s a slower and lower-volume way of distributing malware than a phishing campaign, it makes it self-distributing and more difficult to trace – which makes it lower risk from the adversary’s perspective.

“Cryptomining can consume significant amounts of CPU, so those infected by Tangerine Turkey could see the performance of their systems impacted, as well as their costs increasing. The biggest risk they face, however, is the unauthorized access that adversaries gain to their endpoints. While the payload we’re seeing for now is for cryptomining, adversaries could theoretically switch it for something more nefarious in the future when Tangerine Turkey reaches out to retrieve code from remote resources.”

I would take the time to read this blog post as the fact that this uses USB drives to spread should underscore that some of the best ways to protect yourself from threats are often pretty simple. Such as not trusting USB drives that aren’t under your control. And perhaps not trusting the ones that are.

SuperOps raises $25M in Series C Funding

Posted in Commentary with tags on January 30, 2025 by itnerd

SuperOps, the groundbreaking AI-driven IT platform transforming operations for IT service providers and internal IT teams, today announced it has raised $25 million in Series C funding, led by March Capital with participation from existing investors Addition and Z47. This brings SuperOps’ total funding to $54.4 million, a testament to the company’s exceptional growth and market disruption. Over the past year, SuperOps has tripled its customers and expanded its footprint to 104 countries, cementing its status as a global leader.

SuperOps is now taking its proven expertise in Managed Service Provider (MSP) technology into the broader IT market with the launch of its revolutionary Endpoint Management tool. Designed to supercharge IT team productivity, the tool enables IT teams to achieve more with fewer resources.

Over the last four years, SuperOps has become a trusted partner for MSPs worldwide, helping thousands of such service providers optimize operations through its unified AI-powered platform. Now, internal IT teams—already comprising 20% of SuperOps’ customer base—stand to benefit from the same transformative technology.

The foundation of SuperOps’ success lies in its relentless focus on AI innovation. In 2024, the company unveiled Monica, a hyper-contextual AI guide that analyzes the MSP’s dataset to deliver personalized insights, automate routine workflows, and accelerate decision-making. With Monica, MSPs and IT teams have seen up to a 30% improvement in operational efficiency.

SuperOps plans to use the new funding to expand its AI research and development, scale its offerings for mid-market and enterprise MSPs, and further extend its global reach. With IT spending projected to hit $5.74 trillion in 2025 (Gartner), the stakes have never been higher.

The Series C round, entirely backed by existing investors, highlights the continued confidence in SuperOps’ vision and execution.