Microchip Technology Pwned In Cyberattack

Posted in Commentary with tags on August 21, 2024 by itnerd

It has been disclosed via a regulatory filing with the SEC that Arizona-based Microchip Technology has been pwned in some sort of cyberattack:

On August 17, 2024, Microchip Technology Incorporated (the “Company”) detected potentially suspicious activity involving its information technology (“IT”) systems. Upon detecting the issue, the Company began taking steps to assess, contain and remediate the potentially unauthorized activity. On August 19, 2024, the Company determined that an unauthorized party disrupted the Company’s use of certain servers and some business operations. The Company promptly took additional steps to address the incident, including isolating the affected systems, shutting down certain systems, and launching an investigation with the assistance of external cybersecurity advisors. 

As a result of the incident, certain of the Company’s manufacturing facilities are operating at less than normal levels, and the Company’s ability to fulfill orders is currently impacted. The Company is working diligently to bring the affected portions of its IT systems back online, restore normal business operations and mitigate the impact of the incident. 

As the Company’s investigation is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

Ted Miracco, CEO, Approov had this to say:

   “Microchip Technology’s involvement in sectors like aerospace, defense, and communications makes it a strategic target for cyberattacks. Given the nature of this attack, the most likely culprits would be nation-states including Russia, Iran, or North Korea, rather than China. While China typically focuses on intellectual property theft, especially in the semiconductor industry, the attack on Microchip Technology seems more aligned with the disruptive tactics often employed by Russia and Iran or the financially motivated ransomware attacks linked to North Korea. 

   “The disruption of multiple manufacturing facilities aligns with the strategic goals of nation-states like Russia and Iran, which have a history of cyber operations intended to cause chaos or weaken their adversaries. This contrasts with China, which usually aims to acquire technology and trade secrets to bolster its own industries. This attack underscores the importance of maintaining resilience in manufacturing operations, especially those integral to national security.”

Tom Marsland, VP of Technology, Cloud Range follows with this comment:

“The 8-K filing does not go into any more details than what is necessary for the report to the SEC, so this is definitely an item that requires closer observation. This goes along with other attacks we’ve observed, such as Volt Typhoon, probing our infrastructure and threatening our utilities, manufacturing, and defense industrial base. I am pleased to see the quick reporting by Microchip, and remain eager to see what our government will do to protect critical infrastructure, which includes suppliers such as Microchip. These companies can be major points of failure for the defense, manufacturing and other critical industries, and will undoubtedly remain a large target as threat actors try to find weak points in our supply chains.

Unfortunately, these companies are big targets because of the potential for disruption to the defense industrial base and/or various sectors of critical infrastructure. It’s one thing to directly attack defense networks, which is largely difficult to do, but if a company that is responsible for helping them “keep their lights on”, so to speak, can be attacked easier, that’s where the threat actors tend to go.

Our government needs to lean in on helping investigate these attacks, and consider an attack on our critical supply chains, on our utilities and critical infrastructure, and on our defense industrial networks as attacks on the United States itself, and take appropriate actions, especially if this is determined to be a nation-state actor.  On the regulatory side, there needs to be incentives for these companies to keep their networks secure. Oftentimes, the cost of the breach is on par with the proper security controls that could’ve been in place from the beginning. Increasing oversight and penalties for companies that do not have adequate security controls is a necessary and logical next step.”

Given how important the chip sector is to the US and beyond, this is something that will need to be watched closely. And besides that, Microchip Technology needs to disclose what happened, and how they will stop it from happening again.

Fortra Unveils Interoperable Bundles for Email Security

Posted in Commentary with tags on August 21, 2024 by itnerd

Fortra announced today the availability of new Core, Advanced, and Elite bundles for Email Security. These new bundles bring together multiple Fortra products and services to provide comprehensive protection across the entire email threat lifecycle. 

Fortra’s new Core email security bundle includes:

  • Cloud Email Protection – an integrated cloud email security solution (ICES) that uses AI, threat intelligence, and automation to detect and remediate advanced email threats.
  • Terranova Security Awareness Training – a comprehensive training solution that enables organizations to develop positive security behaviors and measurably reduce human risk. 
  • Suspicious Email Analysis – expert triage and response to suspicious messages reported by users, ensuring timely user feedback and prompt threat remediation. 

The Advanced Email Security bundle includes all solutions in Core and adds Agari DMARC Protection, which prevents email domain spoofing by simplifying policy deployment and ongoing monitoring. The Elite bundle includes all solutions in Advanced but adds PhishLabs’ Domain Monitoring to proactively detect and suspend look-alike domains, which are often used in phishing attacks, BEC, and other threats.

To learn more about Fortra’s Email Security bundles, visit: https://emailsecurity.fortra.com/resources/datasheets/fortra-email-security-bundles-datasheet.

The Banks Who Gave Elon Musk Money To Buy Twitter May Be Reconsidering Their Life Choices

Posted in Commentary with tags on August 21, 2024 by itnerd

A Reuters story lays out the pain and suffering that banks who were dumb enough to lend Elon Musk money to buy Twitter are going through. Here’s the reason why they are suffering:

Banks typically sell such loans to investors at the time of the deal. But Twitter’s lenders, led by Morgan Stanley, could face billions of dollars in losses if they tried to do so now, as investors shy away from buying risky debt during a period of economic uncertainty, market participants said. In addition, Twitter has seen advertisers flee amid worries about Musk’s approach to policing tweets, hitting revenues and its ability to pay the interest on the debt.

The biggest chunk of the debt — $10 billion worth of loans secured by Twitter’s assets — might have to be written down by as much as 20%, one of the sources said. The hit on the loan, distributed among seven banks, could probably be managed by most of the firms without creating a significant hit to profits, the source added.

Another one of the three sources with direct knowledge of the matter estimated that some banks might only take a 5% to 10% writedown on the secured portion of the loan.

The deliberations of how some of these banks are thinking about accounting for these losses have not been previously reported. They come as Wall Street banks are bracing for lower fourth-quarter earnings due to a slump in investment banking revenue and a rise in loan-loss reserves amid a weakening global economy.

Three banking industry sources said the remaining $3 billion, which is unsecured, could lead to steeper losses for the seven Twitter banks. Reuters could not determine how much the banks were planning to write down the unsecured portion of the debt.

The thing is that banks don’t like to lose money. So if it hasn’t happened already, the banks will want Elon to restructure this debt so that the banks lose less money. That ties into the fact that he might have to sell more Tesla stock to keep the banks happy. It will be interesting for those who watch the dumpster fire that is Twitter and the dumpster fire that is Tesla to see what happens next.

New Research Reveals Attackers Mimicking Tech Companies’ Domain Using Typosquatting Techniques

Posted in Commentary with tags on August 21, 2024 by itnerd

In today’s digital landscape, cybercriminals are constantly finding new and sophisticated ways to compromise corporate systems. One clever tactic is typosquatting: an attack style that intentionally includes misspelled characters in a domain name so that, at a quick glance, the average user may take it for the legitimate one. Interacting with the fake domain may set the user up for a phishing attack.

Cado Security has released its latest blog post, which describes how it discovered a domain that closely resembled the Cado corporate domain.

During a routine check, Cado discovered that a domain resembling the Cado domain had been registered just three days prior, before any damage had been done, and that it contained a character substitution of the kind seen in typosquatting attacks. Analysis revealed that not only was Cado’s domain being mimicked, but several other tech companies’ domains had been targeted in a similar fashion.

The blog post discusses how this domain was identified and the steps taken following discovery. You can read the blog here.
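The kind of check Cado describes (spotting a freshly registered domain that differs from the corporate one by a character substitution) can be automated against a feed of new registrations. The script below is an added example, not Cado Security’s code; its CONFUSABLES table is a small illustrative set rather than a full homoglyph list, and the sample feed is constructed.

```python
"""Flag newly registered domains that look like a protected corporate domain.

Added example, not Cado Security's code. CONFUSABLES is a small illustrative
table (assumption), and SAMPLE_FEED is constructed for the demo; a real run would
feed it from a newly-registered-domain or certificate-transparency feed.
"""
from __future__ import annotations

# Visually confusable sequences mapped to a canonical form. Multi-character
# entries come first so "rn" collapses to "m" before single characters are touched.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("5", "s"), ("3", "e"), ("i", "l")]


def normalize(label: str) -> str:
    """Collapse confusable characters so look-alike labels compare equal."""
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; distance 1 is the classic single-keystroke typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (first label, remaining suffix); 'cado.com' -> ('cado', 'com')."""
    label, _, suffix = domain.strip().lower().partition(".")
    return label, suffix


def classify(candidate: str, protected: str) -> str | None:
    """Return the look-alike technique detected, or None if not suspicious."""
    c_label, c_suffix = split_domain(candidate)
    p_label, p_suffix = split_domain(protected)
    if (c_label, c_suffix) == (p_label, p_suffix):
        return None                       # the protected domain itself
    if normalize(c_label) == normalize(p_label):
        # Same label once confusables are collapsed: TLD swap or homoglyphs.
        return "tld-swap" if c_label == p_label else "homoglyph"
    if levenshtein(c_label, p_label) == 1:
        return "typo"                     # one char dropped, added or changed
    if c_label.startswith(p_label + "-") or c_label.endswith("-" + p_label):
        return "affix"                    # brand plus a plausible prefix/suffix
    return None


def scan(candidates: list[str], protected: str) -> list[tuple[str, str]]:
    """Run classify() over a feed and keep only the flagged domains."""
    hits = []
    for domain in candidates:
        kind = classify(domain, protected)
        if kind:
            hits.append((domain, kind))
    return hits


# Constructed sample feed (not real registrations).
SAMPLE_FEED = ["cado.com", "cad0.com", "cado.net", "cadoo.com",
               "cado-support.com", "rnicrosoft.com", "example.org"]

if __name__ == "__main__":
    for domain, kind in scan(SAMPLE_FEED, "cado.com"):
        print(f"{domain:20} {kind}")
```

Hits from a feed like this are the input to the monitoring-and-takedown step the post describes; they are not proof of malice on their own.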

Unit 42 Research Unveils Biggest Attack Surface Risks

Posted in Commentary with tags on August 20, 2024 by itnerd

Recently, Palo Alto Networks released the 2024 Unit 42 Attack Surface Threat Report unveiling the biggest risks facing the growing attack surface and key recommendations for organizations to strengthen their security postures.

Key points from the report:

  • Attack surface change inevitably leads to exposures: Across industries, attack surfaces are always in a state of flux.
    • On average, an organization’s attack surface has over 300 new services every month. 
    • These additions account for nearly 32% of new high or critical cloud exposures for organizations.
  • Opportunities for lateral movement and data exfiltration are abundant: Just 3 categories of exposures – IT and Networking Infrastructure, Business Operations Applications, and Remote Access Services – account for 73% of high-risk exposures across the organizations studied.
    • These can be exploited for lateral movement and data exfiltration.
  • Critical IT and security services are dangerously exposed to the internet: Over 23% of exposures involve critical IT and security infrastructure, opening doors to opportunistic attacks.
    • These include vulnerabilities in application-layer protocols like SNMP, NetBIOS, PPTP, and internet-accessible administrative login pages of routers, firewalls, VPNs, and other core networking and security appliances.
  • Industry Attack Surface Outlook
    • Analysis revealed that the media and entertainment industry experienced the highest rate of new services added, exceeding 7,000 per month. 
    • The telecommunications, insurance, pharma and life sciences sectors also faced substantial increases, with over 1,000 new services added to their attack surfaces. 
    • Critical industries such as financial services, healthcare, and manufacturing saw their attack surfaces add over 200 new services every month. 
    • For the past three years, Unit 42 analysis has consistently identified professional services, healthcare, high technology, finance, manufacturing, wholesale and retail as the top 6 industries to which we’ve provided IR services.

You can read the report here.

Vulnerabilities In Microsoft Apps Could Allow Hackers To Pwn macOS Users… And Microsoft Won’t Fix These Vulnerabilities

Posted in Commentary with tags on August 20, 2024 by itnerd

Cisco’s Talos Intelligence group has a very interesting blog post that any macOS user who runs Microsoft apps should read. First, the bad news from said blog post:

Cisco Talos recently conducted an analysis of macOS applications and the exploitability of the platform’s permission-based security model, which centers on the Transparency, Consent, and Control (TCC) framework.

We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification. If successful, the adversary could gain any privileges already granted to the affected Microsoft applications. For example, the attacker could send emails from the user account without the user noticing, record audio clips, take pictures or record videos without any user interaction. 

All of that is pretty bad. Now here’s what’s worse:

Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues. 

Lovely. I can say with confidence that someone will look at this and say “that’s a great way to get into a Mac and use it for my evil purposes.” Then this will become a major problem. And you have to wonder what Microsoft will do at that point. Though there’s always the possibility that Apple will force Microsoft to do something, as it is their platform after all. I would love to be a fly on the wall when that conversation happens. In the meantime, there are no mitigations for these vulnerabilities at present. So you’ll just have to do your best to be careful out there.
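The risk Talos describes comes from the combination of two things: an app that has already been granted TCC permissions (camera, microphone, and so on) and an app that will load libraries not signed by its own vendor. A defender can audit installed apps for exactly that pairing. The script below is an added example, not Cisco Talos’ code; the plist text is constructed, the mapping of hardened-runtime entitlements to “loads unsigned libraries” is my reading of Apple’s documentation, and collecting real entitlements via `codesign -d --entitlements` is an assumption about workflow.

```python
"""Audit a macOS app for TCC-granted capabilities that unsigned code could inherit.

Added example, not Cisco Talos' code. The plist text below is constructed for the
demo; in practice Info.plist comes from the app bundle and the entitlements from
`codesign -d --entitlements` (assumption about how you would collect them).
"""
import plistlib

# Info.plist usage-description keys an app must declare before macOS will ever
# prompt for the matching TCC permission (real Apple keys).
USAGE_KEYS = {
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSContactsUsageDescription": "contacts",
}

# Hardened-runtime entitlements that let an app load code not signed by its own
# team, which is what the Talos post means by "allow loading of unsigned libraries".
CODE_LOADING_ENTITLEMENTS = (
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
)


def assess(info_plist: bytes, entitlements: bytes) -> dict:
    """Combine what the app may be granted with whether it can load foreign code."""
    info = plistlib.loads(info_plist)
    ents = plistlib.loads(entitlements)
    capabilities = sorted(name for key, name in USAGE_KEYS.items() if key in info)
    weakened_by = sorted(e for e in CODE_LOADING_ENTITLEMENTS if ents.get(e) is True)
    if capabilities and weakened_by:
        risk = "high"      # granted permissions could be inherited by injected code
    elif weakened_by:
        risk = "review"    # loads foreign code but asks for nothing TCC-protected
    else:
        risk = "ok"
    return {"bundle": info.get("CFBundleIdentifier", "?"),
            "capabilities": capabilities, "weakened_by": weakened_by, "risk": risk}


# Constructed sample app: asks for camera and microphone (as a meeting app would).
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.meetingapp</string>
  <key>NSCameraUsageDescription</key><string>Video calls</string>
  <key>NSMicrophoneUsageDescription</key><string>Audio calls</string>
</dict></plist>"""

# Two constructed entitlement sets: one disables library validation, one keeps it.
WEAK_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""

HARDENED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    for ents in (WEAK_ENTITLEMENTS, HARDENED_ENTITLEMENTS):
        print(assess(INFO_PLIST, ents))
```

A "high" result is a prompt to review what the app has actually been granted in System Settings and to consider revoking permissions it does not need, since that is the only lever a user has while the vendor declines to ship a fix.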

Alabama Cardiovascular Group Pwned By Hackers With Patient Data Being Swiped

Posted in Commentary with tags on August 20, 2024 by itnerd

The Alabama Cardiovascular Group (ACG) began notifying nearly 280,500 current and past patients, physicians and employees that hackers stole their sensitive information.

ACG has about two dozen physicians and said it became aware on July 2nd that an unauthorized party accessed its computer network, resulting in its network being severed from the internet. An investigation determined that threat actors accessed internal systems between June 6 and July 2, 2024.

The information impacted by the incident varies by individual but may include:

  • SSNs
  • Health insurance information and claims
  • Usernames and passwords
  • Payment cards
  • Bank account information
  • Dates of medical services
  • Diagnoses
  • Medications
  • Images
  • Lab results
  • Other treatment information

Steve Hahn, Executive VP, BullWall:

   “It is a matter of when, not if, public facing companies will experience a breach and often, a full on Ransomware Attack. Prevention tools that exist today are not enough, as is evidenced by these ongoing attacks. Medical groups and hospitals have become a favorite for these attacks this past year. In fact, the ransomware group ALPHV (Blackcat) told the FBI, after the FBI claimed falsely that they “took down” the group, that they would now focus all of their efforts on US healthcare organizations. This attack does not mention a ransom demand, but once you have been breached and data exfiltrated, the damage can be just as severe.

   “Organizations can no longer rely solely on prevention. They have to have containment and mitigation strategies in place. They can continue to work to try to stop them, but they have to also plan on the inevitable and work out rapid Ransomware “containment” and mitigation strategies as well as plans for how to rebuild after the event.”

This is yet another example of a health care organization being pwned by hackers. At this point, it should be beyond clear that more needs to be done to ensure that these organizations are not easy targets for threat actors.

VPN Usage Surges In Brazil After Elon Closes Twitter Operations In Brazil

Posted in Commentary with tags on August 20, 2024 by itnerd

VPN Mentor just published research on an increase in VPN demand in Brazil, which is directly tied to Elon Musk doing Elon Musk things. Specifically, closing Twitter’s operations in Brazil rather than obeying a court order.

Two things are interesting about this. First is this:

Earlier this year, Moraes opened a criminal inquiry into Elon Musk after X’s owner said he would defy a court order by lifting restrictions on designated accounts. Then the company seemed to reverse course and said it would block the accounts after all.

But of course, Elon, being anything but an honest broker, has decided to flip Moraes off and stop operating in the country instead of obeying this order. That brings us to VPN Mentor’s observations. Despite Twitter still being available in the country, VPN Mentor analyzed user demand data in Brazil after Musk announced the closure of Twitter’s operations there, and observed a surge of 151% in VPN demand. That is, I guess, based on people’s fears that either Elon will keep Twitter from being available in Brazil, or the government might block it.

You will find all the details of VPN Mentor’s findings here: https://www.vpnmentor.com/news/vpn-demand-surge-brazil/

Rumours Of Action1 Being Purchased Have Been Put To Bed

Posted in Commentary with tags on August 20, 2024 by itnerd

Action1 got into the news recently via a leaked email that sparked a discussion on Reddit about the company potentially getting purchased by CrowdStrike. Yes, the same CrowdStrike that has been in the news recently for all the wrong reasons.

You can put that to bed as of today as the company just announced its decision to remain a founder-led company. Despite receiving multiple acquisition inquiries over the past year, including from well-known industry players, Action1 has chosen to continue operating independently to fully realize its vision.

Alex Vovk, CEO and Co-Founder of Action1 had this to say:

“We are honored by the interest we have received from major industry players, as it validates our strategy and leadership in the space. However, after careful consideration, we have determined that remaining founder-led is the best path forward. While it is tough to turn away from significant financial opportunities, we believe our future is far brighter as an independent company.”

Action1’s vision is a world where cyberattacks exploiting vulnerabilities are entirely prevented across all types of devices, operating systems, and applications.

Mike Walters, President and Co-Founder of Action1 added this:

“We are excited to continue on the path of innovation and are deeply grateful to our customers worldwide for their trust and support.”

So I think that today’s announcement should put any rumours of Action1 being purchased to bed once and for all.

Android Phones Vulnerable To Remote Access Vulnerability

Posted in Commentary with tags on August 19, 2024 by itnerd

Bad news if you have an Android phone, particularly a Pixel phone. A company named iVerify has discovered an extremely serious vulnerability on those devices:

The vulnerability makes the operating system accessible to cybercriminals to perpetrate man-in-the-middle attacks, malware injections, and spyware installations. The potential impact of this Android security vulnerability is unknown and could result in millions of dollars in data loss and breaches.

iVerify, in concert with the information security team at Palantir Technologies, initially identified and investigated a vulnerability in an Android app package called Showcase.apk. The application runs at the system level and can fundamentally change the phone’s operating system. Since the application package is installed over unsecured HTTP protocols, this opens a backdoor, making it easy for cybercriminals to compromise the device. iVerify notified Google of the vulnerability and submitted a detailed report after discovering it on customer devices that did not pass iVerify’s behavior-based detections. It’s unclear if Google will issue a patch or remove the software from the phones to mitigate the potential risks.

Furthermore, users cannot remove this app because it is part of the firmware image, and Google does not allow end-users to alter the firmware image for security reasons. 

This is bad because, at present, users of Android phones cannot mitigate this vulnerability on their own. They have to wait for Google to do it for them, which Google has said it will do. At least for Pixel phones other than the Pixel 9, as that model doesn’t have the .apk file in question. Google has said that it will notify other OEMs about this vulnerability. That means it will potentially take longer for this issue to be addressed on non-Pixel phones.