Russian Hacking Group Targets iOS & Android Devices Says Google

Posted in Commentary with tags on September 4, 2024 by itnerd

There have been reports that Google has detected recent exploit attacks on iOS and Android web browsers by the Russian hacking group APT29:

The Google TAG report, authored by Clement Lecigne, and published on August 29, revealed that the exploits being deployed by the Russian state-sponsored APT29 hacking group were the same as those used by commercial spyware vendors in the past.

Observed by the Google and Mandiant security analysts between November 2023 and July 2024, the exploits formed part of what is known as a watering hole attack. This is pretty much what you would expect it to be: a cyberattack targeting victims by infecting a website or service that they would ordinarily use and trust. Just like predators who attack their prey by hiding near real watering holes for thirsty animals at their most vulnerable. “The use of watering hole attacks circumvents traditional web security controls like URL categorization filters,” Adam Maruyama, field chief technology officer at Garrison Technology said, “because the owner of the site and the human-readable content hosted there are legitimate, leaving only a few layers of protection between the end user’s device and the malicious webcode.” The threat is becoming even more acute on mobile devices, Maruyama continued, “where few users have endpoint protection products to stop even known exploits, leaving unpatched devices vulnerable.”

The prey in these particular attacks were Mongolian government websites, although the same tactic would apply to any targeted victim. State-sponsored groups such as APT29 tend to go for big game, as it were, being commercial and government organizations that benefit their paymasters most. The common denominator was that the victims were using the Safari browser on older versions of iOS (those before 16.6.1) initially and then Android users running the m121 to m123 versions of the Chrome browser. It should be noted that fixes had already been made available for the vulnerabilities exploited in these attacks, but users who were using unpatched versions were at risk.
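As an added illustration (not code from this post or from the Google TAG report), here is a small Python triage script that screens web server access logs for visitors in the version ranges quoted above: iOS before 16.6.1, and Chrome 121 to 123 on Android. The log format, the sample lines and the assumption that every iOS browser runs on the system WebKit version are mine.

```python
import re

# Affected ranges as quoted on this page from the Google TAG report:
# Safari on iOS before 16.6.1, and Chrome m121 to m123 on Android.
PATCHED_IOS = (16, 6, 1)
AFFECTED_CHROME_MAJORS = range(121, 124)   # 121, 122, 123

# Patterns for the version tokens inside a User-Agent string (my assumption
# about the UA layout, matching the usual iOS and Android Chrome strings).
IOS_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")
CHROME_RE = re.compile(r"\bChrome/(\d+)\.")

# Apache/nginx "combined" log format; the last quoted field is the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def ios_version(ua):
    """Return the iOS version in a User-Agent as (major, minor, patch), or None."""
    m = IOS_RE.search(ua)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def exposure(ua):
    """Return 'ios-safari', 'android-chrome' or None for one User-Agent.
    Assumption: every iOS browser uses the system WebKit, so the iOS version
    alone decides exposure there; on Android only Chrome majors 121-123 count."""
    ios = ios_version(ua)
    if ios is not None and "Safari/" in ua and ios < PATCHED_IOS:
        return "ios-safari"
    chrome = CHROME_RE.search(ua)
    if chrome and "Android" in ua and int(chrome.group(1)) in AFFECTED_CHROME_MAJORS:
        return "android-chrome"
    return None


def flag_exposed(log_lines):
    """Return (client_ip, request_path, exposure_kind) for each request made
    from a browser in the affected ranges; malformed lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = exposure(m.group("ua"))
        if kind is None:
            continue
        parts = m.group("req").split()
        path = parts[1] if len(parts) > 1 else m.group("req")
        hits.append((m.group("ip"), path, kind))
    return hits


# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jul/2024:10:00:00 +0000] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1"',
    '203.0.113.11 - - [01/Jul/2024:10:00:01 +0000] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"',
    '198.51.100.7 - - [01/Jul/2024:10:00:02 +0000] "GET /press HTTP/1.1" 200 8192 "-" '
    '"Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/122.0.6261.64 Mobile Safari/537.36"',
    '198.51.100.8 - - [01/Jul/2024:10:00:03 +0000] "GET /press HTTP/1.1" 200 8192 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/122.0.0.0 Safari/537.36"',
]
```

Running `flag_exposed(SAMPLE_LOG)` flags only the iOS 16.5 and Android Chrome 122 visitors; desktop Chrome 122 and iOS 17 are left alone, which is the fleet-patching question an administrator actually wants answered.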

Alan Bavosa, VP of Security Products at Appdome had this comment:

“While the APT29 group attack is focused on mobile browsers, the real targets ultimately are the Android and iOS apps running on unprotected end-user devices. To counter such threats, comprehensive mobile app protection is vital. App developers need to protect their apps and mobile end users from these and other attacks, using basic mobile app security protections as well as protections against new, sophisticated attacks, such as accessibility malware and social engineering attacks.”

“The nature of today’s mobile attack landscape means that it is difficult, if not impossible, for mobile end users to protect themselves.”

“Consumers are holding mobile brands accountable for mobile app defense. In order for mobile developers to keep up, they must implement automated mobile app defense systems to combat today’s increasingly sophisticated cyber threats rather than using SDKs or protecting their apps from scratch.”

This is a wake-up call for consumers and brands about how vulnerable the little rectangles we carry around with us everywhere really are. Updates need to be issued and applied promptly, and app companies need to make sure that their apps are secure.

The August BlackFog State of Ransomware Report Is Out

Posted in Commentary with tags on September 4, 2024 by itnerd

BlackFog has today released its State of Ransomware report for August 2024. Additionally, Darren Williams, CEO and Founder of BlackFog, has provided his thoughts on the state of ransomware in August, below:

“August witnessed the 3rd highest number of attacks for the year with 63 publicly disclosed attacks, already surpassing the total number of attacks in 2020, 2021 and 2022. It also represents the second highest number of undisclosed attacks of the year with 464, with a ratio of 737% undisclosed to disclosed attacks.

From a sector perspective Healthcare had the biggest increase this month with 20%, or 16 verified attacks. This makes Healthcare the most targeted sector by a significant margin, followed by Government and Education, which saw only modest increases of 10% and 12% respectively.

In terms of variants, this month we saw RansomHub, a new entrant rocket to 7.9% of all attacks, followed by Medusa and Rhysida at 7.6% and 6.0% respectively. While LockBit still maintains its lead with 18.4% of all attacks, we only saw one confirmed attack this month.

A similar trend was observed in unreported attacks with RansomHub commanding 8.4% of attacks.

Lastly, we saw data exfiltration rates to China increase significantly to 20% this month (an increase of 4%) and Russia stable at 6%, with 93% of all attacks involving data exfiltration.”

BlackFog State of Ransomware Report August 2024: https://privacy.blackfog.com/wp-content/uploads/2024/09/BlackFogRansomwareReport-Aug-2024.pdf

TrustGrid Brings End-to-End Decentralized Digital Ecosystem Solution to Department of Air Force

Posted in Commentary with tags on September 4, 2024 by itnerd

TrustGrid, an established leader in decentralized digital ecosystem solutions, has been selected by AFWERX for a Direct-to-Phase II contract focused on decentralized digital identity and communications to address the most pressing challenges in the Department of the Air Force (DAF). The Air Force Research Laboratory and AFWERX have partnered to streamline the Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) process by accelerating the small business experience through faster proposal to award timelines, changing the pool of potential applicants by expanding opportunities to small business and eliminating bureaucratic overhead by continually implementing process improvement changes in contract execution. The DAF began offering the Open Topic SBIR/STTR program in 2018 which expanded the range of innovations the DAF funded. TrustGrid will start its journey to create and provide innovative capabilities that will strengthen the national defense of the United States of America.

About TrustGrid

TrustGrid enables government entities, enterprises, organizations, and individuals alike to create secure digital ecosystems anywhere in the world with sovereign control of data and maximized privacy. Leveraging industry standards for Decentralized Identity (DID), Verified Credentials (VC), and Web3 capabilities, TrustGrid’s decentralized ecosystem simplifies and secures the management of shared information and peer-to-peer communications and transactions. TrustGrid delivers superior confidentiality, enabling access to and use of critical data while maintaining the privacy and security of individuals and organizational data. For further information about TrustGrid and their digital identity solution, please visit www.trustgrid.com.

About AFRL

The Air Force Research Laboratory is the primary scientific research and development center for the Department of the Air Force. AFRL plays an integral role in leading the discovery, development, and integration of affordable warfighting technologies for our air, space and cyberspace force. With a workforce of more than 12,500 across nine technology areas and 40 other operations across the globe, AFRL provides a diverse portfolio of science and technology ranging from fundamental to advanced research and technology development. For more information, visit www.afresearchlab.com.  

About AFWERX

As the innovation arm of the DAF and a directorate within the Air Force Research Laboratory, AFWERX brings cutting-edge American ingenuity from small businesses and start-ups to address the most pressing challenges of the DAF. AFWERX employs approximately 370 military, civilian and contractor personnel at five hubs and sites executing an annual $1.4 billion budget. Since 2019, AFWERX has executed over 6,100 new contracts worth more than $4 billion to strengthen the U.S. defense industrial base and drive faster technology transition to operational capability. For more information, visit: www.afwerx.com.  

Starlink Will Now Block Twitter In Brazil…. Or So They Say

Posted in Commentary with tags on September 4, 2024 by itnerd

Well this didn’t take long.

After I posted a story that detailed the fact that Elon Musk-owned Starlink wasn’t blocking Twitter, which is also owned by Elon Musk, in Brazil as per the Brazilian courts, they have flip-flopped and are now blocking Twitter in Brazil:

“Regardless of the illegal treatment of Starlink in freezing of our assets, we are complying with the order to block access to X in Brazil,” Starlink, which has more than 200,000 customers in the Latin American nation, said in a post on X.

This is one of these times where I will default to being skeptical. Starlink is blocking Twitter for now, but at some point Elon’s going to get ticked off and demand that they undo that because of his rather perverse version of free speech that he is a fanboy of. Then it’s all going to kick off with the Brazilians. And I strongly suspect that Elon will come out on the losing end when that happens.

I’ll go get the popcorn ready.

CBIZ Pwned…. And It’s Really Bad

Posted in Commentary with tags on September 4, 2024 by itnerd

Professional services giant CBIZ Benefits & Insurance Services (CBIZ), a management consulting company specializing in tax, financial, benefits, HR services and insurance services, has confirmed a data breach in which a threat actor accessed client information in certain databases by exploiting a vulnerability in a CBIZ web page. CBIZ has 120 U.S. offices employing 6,700 people, with $1.59 billion in revenue in 2023:

On June 24, 2024, CBIZ learned that an unauthorized party may have acquired information from certain databases. CBIZ promptly launched an investigation with the assistance of cybersecurity professionals. CBIZ’s investigation determined that an unauthorized party was able to exploit a vulnerability associated with one of its web pages, and acquired information from certain databases between June 2, 2024 and June 21, 2024. 

CBIZ conducted a review of the data acquired and determined that individuals associated with multiple CBIZ clients were impacted by the incident. Beginning on July 24, 2024, CBIZ began notifying its clients of the incident and the data involved for each client. The information varied by CBIZ client and included information related to retiree health and welfare plans which, depending on the individual, may have included their name, contact information, Social Security number, date of birth, and/or date of death. 

On August 28, 2024, CBIZ began mailing letters with information about the incident to individuals on behalf of CBIZ’s clients. CBIZ has offered two years of complimentary credit monitoring and identity theft protection services for individuals whose Social Security number was involved.

Stephen Gates, Principal Security SME, Horizon3.ai had this comment:

A seemingly harmless vulnerability in a public-facing website – that has access to downstream databases – can be the enabler of data breaches. Critical vulnerabilities like remote code execution and/or arbitrary code execution in web applications can enable these sorts of outcomes. Improper input sanitization would also be high on the list of being a likely culprit.

Evan Dornbush, former NSA cybersecurity expert, follows with this:

The lack of transparency surrounding the CBIZ data breach is alarming.

Despite the mandatory SEC 8-K filing for material events, it appears that CBIZ has yet to disclose this significant incident. The company’s silence on the technical details of the vulnerability not only fails to help the community understand and take action but also undermines trust at a time when cybersecurity initiatives like CISA KEV are gaining prominence. As concerns grow, there are already law firms soliciting potential plaintiffs for a suit against CBIZ.

This is all sorts of problematic, which honestly requires the relevant authorities to investigate further as the lack of transparency along with the sorts of data that were swiped make me wonder if there’s more to this than we know.

CISA Issues Warning About Iranian Sponsored Threat Actor “Fox Kitten”

Posted in Commentary with tags on September 3, 2024 by itnerd

CISA has put out an advisory on the Iran-linked threat actors known as Fox Kitten, who are using their exploits for both government espionage and commercial ransomware operations:

This advisory outlines activity by a specific group of Iranian cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. organizations since 2017 and as recently as August. Compromised organizations include U.S.-based schools, municipal governments, financial institutions, and healthcare facilities. This group is known in the private sector by the names Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm. The actors also refer to themselves by the moniker Br0k3r, and as of 2024, they have been operating under the moniker “xplfinder” in their channels. FBI analysis and investigation indicate the group’s activity is consistent with a cyber actor with Iranian state-sponsorship.

The FBI previously observed these actors attempt to monetize their access to victim organizations on cyber marketplaces. A significant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks. The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide. More recently, the FBI identified these actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments.

Adam Maruyama, Field CTO of Garrison Technology had this to say:

“CISA’s recent advisory regarding the joint governmental espionage and commercial ransomware activities of Iran-linked cyber group Fox Kitten shows how groups with the capabilities to attack some of the world’s most hardened networks are turning those capabilities to the broader commercial space. Increasing pressure from Fox Kitten and similarly equipped actors against commercial companies, particularly in non-regulated sectors, raises the stakes significantly in their fight against ransomware and other network intrusions. 

“To put it simply, the architecture and technologies commercial companies use to detect and respond to low-to-moderate sophistication cyber attacks lack the ability to effectively prevent and deter highly sophisticated cyber criminals and nation-state actors.

“If the trend of blurred lines between nation-state and criminal actors continues, commercial entities will need to augment their defenses by using defense-grade, high-assurance technology that aims to prevent, rather than detect, malicious activity using techniques like hardware-enforced isolation/access and content disarm and reconstruction (CDR). Unlike most commercial cybersecurity solutions, which analyze content and determine whether it’s malicious or not, these technologies treat all content as potentially malicious and use innovative methods to recreate safe, inert versions before content enters an organization’s systems.”

This is a great example of “good enough” security not being nearly “good enough” and nation-state exploits being used against a broader target set. Thus organizations need to shift their thinking and defence strategies to not be the next victim of these groups.

No Shock Here… Starlink Defies Brazilian Court Order To Block Twitter

Posted in Commentary with tags on September 3, 2024 by itnerd

So the last time I checked in on the fight between Elon Musk and Brazil, the latter had banned Twitter in the country. As part of that, every telco operating in the country had to block access to Twitter. But one telco hasn’t. And surprise, surprise, it’s Starlink, which is owned by Elon Musk:

Internet providers and app stores servicing Brazil have until Wednesday to comply with the ban, The Verge reports. But over the weekend, Musk’s Starlink internet service reportedly told Anatel, Brazil’s telecom agency, that it won’t block X on its network. Starlink has about 250,000 users in Brazil, though not all of those customers necessarily use X. Brazilian legal news outlet JOTA reports that most Brazilians are not currently able to access X, but not all Brazilian internet providers have blocked the platform as of Monday.

We’re going to get to Wednesday and Elon is likely to find out that something really bad is going to happen to Starlink. The Brazilian government has already seized their assets. So it’s only a hop, skip and a jump to imagine that they’d go further. And what then? Does Elon escalate this further? Is he really willing to die on this hill? Perhaps he will because he’s afraid of other nations blocking Twitter. Tune in tomorrow to see if that’s the case.

Samsung’s Back-to-School Essentials

Posted in Commentary with tags on September 3, 2024 by itnerd

As the summer winds down, the excitement of a new school year has begun to build. Whether you’re preparing for your child’s first day of school or you yourself are returning for another year, now is the time to stock up on supplies, organize your space, and set the tone for a successful year ahead. Let’s make this school year the best one yet!

To kick off the start of the school year, Samsung has compiled a list of tech essentials to make easing into the school year a smooth experience.

  • For the music lover: Samsung Music Frame (Starting at $599) – Ideal for the student who loves to entertain, this versatile photo frame doubles as a speaker. Easily swap in your favorite photos or artwork while playing your go-to study jams or party playlists. It’s the perfect blend of personal style and powerful sound for any dorm room or study space.
  • For the gamer student: Samsung 49 Inch Odyssey OLED G9 Gaming Monitor (Starting at $1,499) – This monitor is both a study tool and a gaming powerhouse, featuring a lightning-fast 0.03ms (GtG) response time and a 240Hz refresh rate to keep you ahead in every match. This monitor is perfect for balancing schoolwork and gaming without missing a beat.
  • For the student that needs the extra storage: Samsung 990 EVO Memory Card (Starting at $199.99) –  Designed to store everything from class projects to digital memories, this memory card is a must-have for the school year. Compact yet powerful, it keeps your assignments, photos, and adventures secure and ready to share in an instant.

Have a look at them at Samsung.ca today.

Review: Aqara Hub M3

Posted in Products with tags on September 3, 2024 by itnerd

If you’re someone who has a lot of smart home gear, then the Aqara Hub M3 is something that you might be looking to add to your smart home setup. The reason being that this hub does the following:

  • It’s a Matter controller that can work with non-Aqara Matter smart home devices
  • It’s a Thread border router
  • It has a two-way 360° infrared blaster that can be exposed to your smart home ecosystem to control devices that support IR control
  • It of course supports the Zigbee protocol

The first two items might be of value if you don’t already have a Matter controller or a Thread border router in whatever home ecosystem you are in. HomeKit users won’t care about this because if you have a HomePod or a recent AppleTV, you get Matter and Thread support in those devices. Which is why I won’t be testing that functionality as I review this product. On top of that, Aqara says that only a handful of Matter-compatible lights, switches, and thermostats are officially supported. And from what I can figure out, the same appears to be true for Thread devices. So that might limit the use cases that this hub can be used in. But having said that, if you do have devices that this hub supports, or Aqara broadens the support for Matter and Thread devices, this could be the “one hub to rule them all” as all your smart home devices could be run through this hub. The IR blaster could be useful for controlling non “smart” devices. But my use case doesn’t include any such devices. So I didn’t test that either.

Now let’s look at the Aqara Hub M3 hub:

If you compare this to the Aqara M1S Hub for example, it looks way better. Because it is a black square it doesn’t stand out. And the big ring light that was present in the M1S is gone in favour of a single LED on the front. Also included are a mounting bracket and a USB-C to USB-A cable. Not pictured are a set of screws for the mounting bracket as well as documentation.

One cool thing is that this can be powered by USB-C or by PoE. Which means in the case of the latter a single ethernet cable can supply data as well as power for a clean setup. Unless you use USB-C as that requires you to bring your own power adapter to the party. That’s a bit of a #Fail. But if you have a UPS that supports USB, you could power it that way I suppose.

Setting this up was….. Problematic. You need the Aqara app to start the setup process. That went well and guided me through getting the device into the app and updating the firmware. But things went off the rails when I tried to use the Aqara app’s ability to migrate from one hub to another. By migration I mean that if you have an old Aqara hub with a bunch of devices and automations, it will move those over to the M3. In my case, I wanted to move a door sensor with related automations over to the M3. But I tried twice and waited 10 minutes before it failed each time. I then started to troubleshoot by rebooting the M3 hub. At that point, I was prompted for a firmware update in the Aqara app that I promptly did. Why it didn’t prompt me to update to that firmware when I first set the hub up I don’t know. But after I did that the migration process worked and took only a minute. After doing some quick testing, I found that everything worked fine. Though it didn’t “feel” any faster than the M1S that it was replacing.

Next up was to delete the old hub from the Home app, which was painless, and add the new M3, which again didn’t go to plan. There is a HomeKit barcode on the back of the hub, and I tried to use that to add the M3 hub via the Home app on my iPhone.

#Fail.

Next up I tried to use the Aqara app to add the M3 hub to HomeKit.

#Fail.

I rebooted the hub and added it via the HomeKit barcode.

#Success

The other thing that I had to do is to add back all the notifications for things like doors opening and closing in HomeKit, along with setting up my HomeKit scenes to include the M3 as that understandably isn’t part of the migration process.

Total time invested: 45 Minutes

Given that this is supposed to be a consumer device, which means that it should be easy to set up to make sure that said consumers don’t flood a tech support line looking for help, these sorts of glitches and oddities should be the exception and not the rule. But in this case, they seem to be the rule. Which is of course bad.

Some other notes:

  • The M3 features 8GB of encrypted local storage for device lists, configuration parameters and automation data. Which means that if you have no Internet connection, your automations should still work.
  • The M3 claims to have a 95dB speaker, but in my testing, I could only register a max of 87dB. But that’s useful enough for an alarm system, which is how I am using this.
  • You can set the M3 up with one or more Aqara hubs to create a more resilient and efficient setup. In other words if one fails, another can take over.
  • From a WiFi perspective, it supports 2.4 GHz and 5 GHz bands. I set the hub up on the latter to take one more device off of the 2.4 GHz band as I want to have as few devices on 2.4 GHz as possible on my WiFi network.

Here’s the bottom line. With all the glitches that I came across, it makes the Aqara Hub M3 a bit difficult to recommend. If Aqara can sort out these issues, that would likely make it a worthy upgrade for existing Aqara owners. For new owners, the M3 is only worth looking at if you need a Matter controller or a Thread border router. That won’t be the case for HomeKit users. But for other home ecosystems, it is worth looking at as long as you have Thread or Matter devices that the hub plays nice with. This hub goes for $169 CAD on Amazon. It’s worth a look if you have a use case for this hub, and you’re willing to deal with the bugs and oddities that seem to be part of the deal at the time of writing this review.

Massive VPN Surge In Brazil After Twitter Gets Banned

Posted in Commentary with tags on September 2, 2024 by itnerd

This is perhaps some good news for Elon Musk in regards to his antics resulting in Twitter getting banned in Brazil. The VPN Mentor research team conducted an analysis of user demand data in Brazil after X’s ban in the country, and they detected a surge of 1600% in VPN demand. This got the attention of Elon:

You can read more about this surge here: https://www.vpnmentor.com/news/vpn-surge-brazil/

However, I should point out that as I mentioned here, people or businesses using means such as VPNs to access Twitter could be fined $12,000 CAD for doing so. Thus this may be short lived.