Kaspersky Says It’s Not A National Security Threat To The US

Posted in Commentary with tags on June 24, 2024 by itnerd

Last week the US banned Kaspersky saying that it’s a national security risk. At the time, I could not find a response from the Russian software company. But clearly I didn’t look hard enough because now I have. Here’s what they said in part:

Kaspersky is aware of the decision of the Department of the Treasury’s Office of Foreign Assets Control (OFAC) to place members of the company’s executive and senior leadership team on the sanctions list. The current step will not affect the company’s resilience as neither Kaspersky nor its subsidiary companies nor its CEO were designated by the OFAC. 

We regard the move as unjustified and baseless, being a continuation of recent U.S. government decisions based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of company’s products and operations. Neither Kaspersky nor its management team has any ties to any government, and we consider the allegations quoted by the OFAC as pure speculation, which lacks concrete evidence of a threat posed to U.S. national security. None of the listed members have any ties to the Russian military and intelligence authorities or have anything to do with the Russian government’s cyber intelligence objectives.

John Gunn, CEO, Token had this to say:

Banning the use of Kaspersky software is a prudent and informed action. Kaspersky’s majority owner and CEO is a Russian national who lives in Russia and is subject to the jurisdiction of the Russian government. People who don’t do what Putin wants have a bad habit of falling out of windows. The code for many mature security applications is so complex that finding a designed-in vulnerability would be very challenging, and a “clean” version today could be updated to a malicious version at any time. Operating on a promise of trust from a country that is attacking us constantly would be bad strategy.

Here’s the thing. If you can’t trust the tools that you use to defend yourself against attackers, you shouldn’t use them. Which is why this ban makes sense despite the fact that some will find this as an over reaction by the US government. Will this ban make you stop using Kaspersky products? Sound off in the comments with your thoughts.

Leave a comment »

CDK Global Was Pwned By BlackSuit Ransomware: Report

Posted in Commentary with tags on June 23, 2024 by itnerd

You might recall that thousands of car dealerships have been shut down by their SaaS provider CDK Global not being available to them. Now BleepingComputer is reporting that a ransomware group called BlackSuit is apparently responsible for all of this:

The BlackSuit ransomware gang is behind CDK Global’s massive IT outage and disruption to car dealerships across North America, according to multiple sources familiar with the matter.

The same sources, who provided information on condition of anonymity, told BleepingComputer that CDK is currently negotiating with the ransomware gang to receive a decryptor and not leak stolen data.

While BleepingComputer is the first to report that BlackSuit is behind the attack, the news that CDK is negotiating with threat actors was revealed by Bloomberg yesterday.

If this is true and CDK Global is actually in negotiations with BlackSuit, then that’s bad. I’ve been consistent in saying that threat actors should never profit from their crimes. So by extension, negotiating with threat actors is bad. I guess we’ll find out if this is true or not if dealerships across the US are suddenly able to conduct business normally in the coming days.

Leave a comment »

Elon Musk Is Slowly Walking Away From Telling Advertisers To “Go F**k Yourselves”

Posted in Commentary with tags on June 22, 2024 by itnerd

Remember when Elon Musk told advertisers to “go f**k yourselves” when said advertisers decided to stop advertising on Twitter? If not, this will help. Well I am going to go out on a limb and suggest that this is making Elon hurt. Specifically in the bank account. Which is why Elon has been in Cannes this week to walk this back:

Elon Musk on Wednesday tried to walk back remarks lashing out at advertisers fleeing his X social media platform.

At the Cannes Lions advertising festival in Cannes, France, Musk was asked by WPP CEO Mark Read what he meant by telling advertisers threatening to pull ads from the platform late last year to “go f— yourself.”

Musk said it was meant as a general point on free speech rather than a comment to the wider advertising industry.

“It wasn’t to advertisers as a whole,” Musk said. “It was with respect to freedom of speech, I think it is important to have a global free speech platform, where people from a wider range of opinions can voice their views.”

“In some cases, there were advertisers who were insisting on censorship,” Musk said. “At the end of the day … if we have to make a choice between censorship and losing money, [or] censorship and money, or free speech and losing money, we’re going to choose the second.”

“We’re going to support free speech rather than agree to be censored for money which I think is the right moral decision,” he added.

The fact is that Elon is scrambling for cash because real advertisers have been replaced by porn and AliExpress ads. Clearly advertisers that pay Twitter’s bills are not coming back and he’s trying to thread the needle so to speak between getting those advertisers back while keeping his Nazi, racist, homophobic, and other scumbag friends happy. All to get money into his bank account. I am hoping that advertisers don’t fall for this and continue to avoid Twitter because Elon needs to pay for his behaviour. Literally.

Leave a comment »

Change Healthcare Admits That Hack Resulted In The Theft Of Medical Records

Posted in Commentary with tags on June 22, 2024 by itnerd

Remember the Change Healthcare hack? It’s now gotten worse. According to TechCrunch, American’s medical records have been leaked:

In a statement Thursday, Change Healthcare said it has begun the process of notifying affected individuals whose information was stolen during the cyberattack. 

The health tech giant, owned by U.S. insurance conglomerate UnitedHealth Group, processes patient insurance and billing for thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector. As such, the company has access to massive amounts of health information on about a third of all Americans

The cyberattack prompted the company to shut down its systems, resulting in outages and delays to thousands of healthcare providers who rely on Change, and affecting countless patients who could not obtain prescriptions or had medical care or procedures delayed. 

Change said in its latest statement that it “cannot confirm exactly” what data was stolen about each individual, and that the information may vary from person to person. 

The affected information includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, as well as government identity documents, such as Social Security numbers, driver’s licenses and passport numbers.

The data also includes medical records and health information, such as diagnoses, medications, test results, medications, imaging, and care and treatment plans, said Change. The hackers stole health insurance information, including plan and policy details, as well as billing, claims and payment information, which Change said includes financial and banking information.

This is bad. This is really bad. This illustrates what can happen when an organization doesn’t properly secure their network. In short, people suffer. And in this case a whole lot of people are going to suffer because their personal information is out there. Change Healthcare really needs to be taken to the woodshed over this and be made an example of to show that this is unacceptable and companies need to do much better.

Leave a comment »

The US Bans Kaspersky

Posted in Commentary with tags on June 21, 2024 by itnerd

Now some of you reading this headline will be thinking “wait, didn’t the US already ban Kaspersky?” The answer is sort of. They were banned on federal government networks. But you and I could still get a copy of the anti-virus software for example. Well, that has changed as the Biden administration has banned them outright:

Yesterday, the Department of Commerce issued a final determination pursuant to Executive Order (E.O.) 13873 prohibiting Kaspersky Lab, Inc., its affiliates, subsidiaries and parent companies directly or indirectly from providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons. Commerce reached this determination after an investigation found transactions involving the products and services of Kaspersky Lab, Inc. and its corporate family pose unacceptable risk to U.S. national security or the safety and security of U.S. persons, as outlined in E.O. 13873. 

In addition, the Department of Commerce has designated AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom) on the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives. These activities are contrary to U.S. national security and foreign policy interests.

Damir J. Brescic, CISO, Inversion6 had this comment:

The reason that the U.S. government took such a stance is due to the concerns that Kaspersky could/has complied with the Russian government in what could be seen as assisting in cyber espionage or other malicious activity. The concern is obviously heightened by some of the controversial laws Russia has in general regarding cybersecurity; where they require companies to assist the government in intelligence gathering activities. Similar to other nation-state threat actors, such as China, Iran and North Korea. 

There are a few key aspects that companies and even government agencies need to take into consideration when assessing the impact of a software tool, such as Kaspersky. The major concern is that the Kaspersky antivirus solution, when implemented in an organization, requires extensive system privileges to function correctly, as most solutions of its kind do. This type of technology can provide a threat actor the potential to exploit and gain access to a systems configuration, sensitive data, and network connections.

If an organization is currently utilizing the Kaspersky antivirus software, they should look to conduct the following steps:

  • Deactivate the Kaspersky software immediately on all their host systems
  • Conduct a thorough risk assessment of the organizational use of this Kaspersky software; this should include the potential impact of compromise, as well as the likelihood of such an event
  • Start evaluating alternative solutions from a trusted vendor 
  • Implement robust monitor detection
  • Review incident response capabilities and plans, and potentially run a tabletop exercise 
  • For advanced measures, look to implement network segmentation to limit the spread of any malware and reduce the overall impact from potential threat and compromise

All of this is good advice as unlike the when the US government network ban came into effect, Kaspersky sued the government, I can’t find any statements or any other reaction from the Russian software company. Their silence suggests a lot in my opinion.

1 Comment »

SolarWinds Vulnerability Being Actively Exploited By Threat Actors

Posted in Commentary with tags on June 21, 2024 by itnerd

SolarWinds reports that a high-severity flaw in SolarWinds Serv-U file transfer software exists and should be patched ASAP:

Summary

SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.

Affected Products

SolarWinds Serv-U 15.4.2 HF 1 and previous versions 

Fixed Software Release

SolarWinds Serv-U 15.4.2 HF 2

Here’s why it should be patched ASAP. Threat actors are currently using it to launch attacks:

Threat actors are actively exploiting a SolarWinds Serv-U path-traversal vulnerability, leveraging publicly available proof-of-concept (PoC) exploits.

Although the attacks do not appear particularly sophisticated, the observed activity underscores the risk posed by unpatched endpoints, emphasizing the urgent need for administrators to apply the security updates.

Rogier Fischer, CEO and Co-Founder, Hadrian had this comment:

“Exploiting this vulnerability can lead to significant issues such as unauthorized data access, resulting in potential data breaches and non-compliance with regulations, from GDPR to HIPAA. Financial implications are considerable, involving not only the costs of incident response and mitigation but also regulatory fines and legal actions from affected customers. In an idea world, organizations utilizing this software would have applied the patch already, considering how big the earlier SolarWinds fiasco was.”

This is another one of those times where you need to drop everything and patch away. Seeing as this exploit is out there and being used by threat actors, you really have no other choice.

Leave a comment »

New Targus hard cases carry, connect, and protect students’ devices in any learning environment

Posted in Commentary with tags on June 21, 2024 by itnerd

Targus today introduced its new lineup of commercial-grade form-fit Chromebook™ cases and protective iPad® cases for the education market at ISTELive 24, June 23rd-26th. These new additions further expand Targus’ extensive portfolio of innovative laptop bags, hard cases, and accessories designed to carry, connect, and protect students’ technology in the classroom and beyond.

 The new Commercial-Grade Form-Fit Clear Cases arriving in June/July are translucent cases made for the latest DellLenovo, and HP Chromebooks™.  These cases feature drop-rated protection up to the typical school desk height of three feet, enhanced corner and edge protection, a thin and lightweight molded design, and easy access to all ports. Plus, like all Targus laptop bags and cases, they’re backed by Targus’ limited lifetime warranty.

Available now, Targus has also added two new iPad cases to its portfolio delivering portable protection for the latest iPad® (10thgeneration), iPad Air® (M2), and iPad Pro® (M4) devices in the classroom and beyond: a SafePort® Clear Case and Kids Antimicrobial Case.

With military-grade drop protection up to six feet, Targus’ Kids Antimicrobial Case is the perfect solution for young learners to keep their iPad protected from inevitable drops and bumps, while enjoying more portable features and functionality. A convenient carry handle doubles as a stand, so young learners can grab and go or set it and stand it for their viewing preference. Precision cutouts give full access to controls, ports, and cameras, making it easy to enjoy favorite videos, movies, and music.

As a bonus, this case features Targus DefenseGuard™ Antimicrobial Protection, which helps to create a cleaner surface by preventing the growth of microorganisms and works continuously for the life of the product.

Targus’ SafePort® Clear Case for iPad® (10th gen.) 10.9-inch lets students show off their colorful new iPad while wrapping it in superior protection. This protective case passes military grade 6 ft./1.8m drop testing (MIL-STD 810G) with its clear, shock-absorbent back cover, protective snap-on front cover, reinforced corners, wrap-around bezel, and covered buttons. The kickstand of this case has been tested to withstand up to 44 lbs. of force making it durable enough to withstand kids’ everyday use.

Beyond protection, it offers a variety of integrated features to boost functionality and versatility on the go. A built-in extra durable kickstand flips out to offer hands-free portrait and landscape viewing from multiple angles. Precision cutouts allow complete access to ports and cameras, and it also has a built-in stylus holder making it easy to store an Apple Pencil® (Pencil sold separately by Apple®).

Targus will be showcasing its latest lineup of laptop and tablet cases and accessories for the education market during ISTELive 24 in booth #1882 at the Colorado Convention Center.

Watch Targus’ Commercial Grade Hard-Shell Cases for Chromebook in action and visit Targus.com for product details, pricing, and availability.

Leave a comment »

CDK Global Pwned In Cyberattack Taking Down Thousands Of Car Dealers

Posted in Commentary with tags on June 21, 2024 by itnerd

Tuesday night, car dealership Saas provider CDK Global was hit by a cyberattack, causing the company to shut down its IT systems, phones, and applications leaving its 15,000 clients unable to operate normally.

The company’s SaaS product provides auto industry clients with a platform that handles all aspects of a car dealership’s operations, including CRM, financing, payroll, support and service, inventory, and back-office operations.

To use CDK’s services, car dealerships configure an always-on VPN to the SaaS provider’s data centers, allowing their locally installed applications to access the platform. Also, the software has administrative privileges used to deploy updates. CDK has recommended disconnecting from the data centers.

Some dealerships appear to have gotten creative to continue doing business during the outage, logging in with old credentials on old CDK platforms, and sharing that they were simply relying on spreadsheets and sticky notes to sell customers small parts and make repairs, but that they weren’t making any large transactions. 

CDK’s systems first went down around 2:00 a.m. EDT and some functions began to come back online by Wednesday afternoon.

Ted Miracco, CEO, Approov Mobile Security had this to say:
 
   “This incident highlights a common vulnerability that is especially impacting the automotive supply chain and CDK’s breach exemplifies this risk. These apps provide extensive mobile tools for dealership management, offering functionalities such as real-time inventory management, customer relationship management, repair tracking, and mobile access to critical business information. However, without proper API security measures, these features can expose sensitive data and backend systems to potential breaches and malicious attacks. Many companies do not adequately secure their APIs, especially for mobile applications. API protection for web access does not adequately protect mobile interfaces, creating an easy target for hackers and ransomware attacks. These API attacks increasingly target the automotive supply chain, exploiting the lack of security in mobile interfaces.”

One of the reasons why I tend to warn my clients about using SaaS solutions is that you have to be able to trust that their security is top shelf. Because if they get pwned, you get pwned. And then your business is down for however long it takes for the SaaS provider to address their issues. Your organization has to ask if they want to take that risk.

1 Comment »

LockBit ransomware attacks in May up 665% over April 

Posted in Commentary with tags on June 21, 2024 by itnerd

A new report from NCC Group plc shows ransomware attacks hit a record high in May, largely due to a significant resurgence in LockBit ransomware activities. According to the NCC Group 2024 Threat Intel report, global ransomware attacks increased by 32% month-over-month in May, reaching 470 incidents compared to 356 in April. This marks an 8% increase compared to May of last year.

The spike in attacks is primarily attributed to LockBit 3.0, the latest version of the notorious LockBit ransomware gang. After being dismantled by law enforcement in February, the group resurfaced just a week later, quickly becoming the most active ransomware group, responsible for 37% of all ransomware attacks in May. LockBit was implicated in 176 ransomware incidents during the month.

Other notable ransomeware players mentioned in the report for May included:

  • Play ransomware group in second position with 32 attacks, for 7% of all attacks in the month 
  • RansomHub came in at third position with 22 attacks
  • DAn0n, with 13 attacks. A newcomer to the field that uses a double-tap extortion method.
  • Underground, which also uses double-tap extortion, was recorded to have undertaken 12 ransomware attacks during the month
  • Arcus Media, with 11 attacks

The report noted that the majority (77%) of ransomware attacks in May targeted companies in North America and Europe, with a notable increase in attacks in South America, accounting for 8% of the total, a 60% rise from April.

By sector, industrial companies remained the most targeted, a trend ongoing since January 2021, with 143 attacks in May, up from 116 in April. The technology sector was the second most targeted, with 72 attacks, an increase from 49 the previous month.

Cigent CGO Brett Hansen had this to say:

   “The only real way to end ransomware is to make it no longer profitable for the bad actors. Let me be clear, solutions already exist in the commercial sector to protect against these threats. In addition to instituting zero-trust access to your data, adding available real-time encryption can ensure that data is useless to the attacker, if they do get in. While you’re adding data protection, the use of invisible partitions can ensure your data is not accessed by intruders. Data at rest can also be data protected.”

What we see here is a game of “whack a mole”. Where law enforcement takes out LockBit only to have LockBit reappear in a new form. Like Mr. Hansen has said, this isn’t working. Thus organizations need to take security a lot more seriously and implant things that will make it way harder for threat actors to pwn them.

UPDATE: Rogier Fischer, CEO and Co-Founder, Hadrian add this comment:

“Ransomware groups like LockBit versions, and Conti before that, show how cybercriminal organizations evolve and change tracks, often rebranding or merging with other groups to stay operational despite law enforcement actions. The cybersecurity community have been dredging up evidence of their interconnectivity, as seen in the use of shared resources, such as Conti’s leaked source code being adopted by LockBit for its “LockBit Green” variant​​. Law enforcement actions, including arrests and website seizures, have disrupted these groups temporarily, but have not eliminated the threat entirely, as these groups quickly adapt and reconstitute their operations. What we need it continuous, coordinated international efforts to effectively combat the ever-evolving ransomware menace.”

Leave a comment »

Crown Equipment Pwned In Cyberattack

Posted in Commentary with tags on June 21, 2024 by itnerd

According to local media, forklift manufacturer Crown Equipment confirmed Wednesday that it suffered a cyberattack on June 8th that disrupted manufacturing at its plants.

Crown is one of the largest forklift manufacturers in the world, employing 19,600 people and having 24 manufacturing plants in 14 locations worldwide. 

Since the attack, all IT systems have been shut down and employees have been unable to clock in their hours, access service manuals, or deliver machinery in some cases. Employees have been told not to accept MFA requests and to be cautious of phishing emails.

“We determined that many of the security measures Crown had in place were effective in limiting the amount of data the criminals were able to access. We also learned that the hackers gained entry into our system because an employee failed to adhere to our data security policies by allowing unauthorized access to their device,” Crown said in an email sent to employees yesterday.

It is believed that the breach occurred after an employee fell for a social engineering attack and allowed a threat actor to install remote access software on their computer.

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “The recent cyberattack on forklift manufacturer Crown Equipment highlights the critical need for comprehensive zero-trust solutions that extend beyond the corporate network to include edge devices, such as mobile phones and personal devices. This breach is believed to have occurred after an employee fell for a social engineering attack, allowing a threat actor to install remote access software on their device. This incident underscores the vulnerability of edge devices, which are often more susceptible to social attacks like phishing. To enhance security, it’s crucial that zero-trust principles encompass all devices, including personal and mobile ones. Mobile apps should also incorporate security measures that attest to the integrity of the device, verifying whether it has been compromised. This can prevent unauthorized access and ensure that only secure devices interact with corporate systems.”

On top of what Mr. Miracco said, defences have to be layered so that attacks don’t work at all, or are limited in scope as the threat actor would not be able to get very far into a network. Otherwise you get this situation.

Leave a comment »

« Older Entries
Newer Entries »