Another Day, Another Third Party Breach

Posted in Commentary with tags on May 29, 2024 by itnerd

Late last week, ABN Amro Bank NV announced that unauthorized parties may have accessed the data of some of its clients after supplier AddComm was the victim of a ransomware attack this month.

AddComm, which distributes documents and tokens to clients and employees for ABN Amro, said in a statement that the hack took place between May 5 and May 17 and disrupted its services for a few days.

At this time, it is not clear what type of data was involved, and ABN Amro said it has no indication that the unauthorized parties have used the data of its clients and that the lender’s systems were not affected.

This comes in the same month that Banco Santander SA said that information of clients and staff managed by a third-party was accessed without authorization, and Deutsche Bank, Commerzbank and ING Groep were among dozens of companies to suffer from the MOVEit file transfer tool breach.

Meanwhile, the European Central Bank, which supervises lenders in the region, conducted a stress test to examine how banks respond to and recover from cyber attacks. It identified the extensive use of outsourced functions as one of the main challenges: 88% of banks said they are at least partially reliant on service providers to operate their core banking systems.

Dave Ratner, CEO, HYAS had this to say:

   “The fact is that every exploit has to do one thing before it wreaks havoc: communicate with the threat actor controlling it. Identifying and thwarting that communication is the first, last and best chance an organization has to prevent an attack. Third-party breaches will continue to escalate and be a critical pain point for organizations of all sizes until true cyber resiliency implementations are put into effect and organizations have not just the operational internal visibility that they require, but also the capability to detect those telltale signs of a breach and imminent attack, early in the kill chain, and stop it before damage ensues.”


Emily Phelps, Director, Cyware:

   “The recent ransomware attack underscores the critical need for proactive cybersecurity measures in the financial sector. To address these challenges, modernizing traditional SOCs into cyber fusion centers can enable real-time threat intelligence sharing and collaboration across institutions, fostering a collective defense approach. By integrating strategic AI-driven cybersecurity solutions, financial institutions can proactively detect and mitigate threats, ensuring the resilience and integrity of their operations.”

Third-party attacks are a danger that every business needs to get its head around. If they don’t, they’ll be the next victim through no fault of their own.

Investors At Amazon’s AGM Show That Support For Workers’ Rights Is At An All-Time High

Posted in Commentary with tags on May 28, 2024 by itnerd

This is a follow-up to this recent story involving Amazon and workers’ rights. 

Investors of Amazon.com continued to lend their support to a shareholder proposal on freedom of association and collective bargaining during the company’s recent annual general meeting (AGM).  

The proposal, put forward by an international coalition of responsible investors representing 3.5-trillion USD in assets under management (AUM), called for Amazon to undergo a third-party assessment reviewing the extent to which it has been living up to its promises to respect international labour standards. 

According to Company filings that were published on Friday, approximately 32 per cent of votes were cast in favour of the proposal — the second-highest level of investor support for any of the 14 shareholder proposals voted on at last Wednesday’s AGM. Accounting for the large number of shares controlled by board member and former Amazon CEO Jeff Bezos, roughly 37 per cent of independent votes were cast in favour of the proposal. 

This vote comes amid a number of recent concerning developments in Amazon’s relationship with its workers. A major British trade union, GMB, recently announced legal action against the Company in the U.K. over allegations of anti-union practices; in the U.S., a federal administrative judge ruled that CEO Andy Jassy violated federal law by making comments on unions. 

These developments coincided with a surge in investor support for the shareholder proposal. In addition to the original coalition of 22 cofilers, the proposal was publicly supported in recent weeks by numerous major public funds and asset managers: 

  • the California Public Employees’ Retirement System (CalPERS) 
  • the California State Teachers’ Retirement System (CalSTRS) 
  • the Office of the New York City Comptroller  
  • the New York State Common Retirement Fund 
  • Norges Bank Investment Management (NBIM)  
  • Legal and General Investment Management (LGIM). 

The proxy advisory firms Institutional Shareholder Services (ISS) and Glass Lewis also backed the proposal, despite management’s opposition. 

Sarah Couturier-Tanoh, Director of Shareholder Advocacy for SHARE, the Shareholder Association for Research and Education, which led the investor coalition behind the proposal, had this comment: 

“Once again, shareholders have sent a clear message to Amazon’s board and management that the Company must do better in delivering on its commitment to workers’ rights,”

“Given the widespread support the proposal received, we expect the board to demonstrate — at a minimum — what it is doing to comply with international human rights standards and mitigate the labour-rights related risks shareholders are seeing.” 

RansomHub Threatens Christie’s With The Release Of Stolen Data If They Don’t Get Paid

Posted in Commentary with tags on May 28, 2024 by itnerd

News has emerged that the hacker group known as RansomHub is threatening to release the sensitive data of high-end Christie’s art auction house in New York, including financial data and client addresses by the end of May, if no ransom is paid:

Now, RansomHub has posted a new thread on a dark web site, assuming responsibility for the attack, and claiming it grabbed customer names and birth dates. At this moment it is impossible to verify the authenticity of the claims, but with RansomHub’s history, it’s possible they are telling the truth.

RansomHub was born out of the disappearance of the ransomware-as-a-service known as ALPHV, or BlackCat. 

With a ransomware-as-a-service model, one group builds and maintains the malware while others, called affiliates, do the actual breaching and encrypting. When affiliates successfully extort money from a victim, they get a piece of it, while a piece goes to the developers. When an ALPHV affiliate breached Change Healthcare earlier this year, they allegedly successfully extorted the healthcare giant for $22 million. However, when it was time to split the prize, the developers took all of it and just disappeared, leaving the affiliate with roughly 4TB of stolen sensitive data.

This affiliate was later named RansomHub and it tried, on its own, to extort Change Healthcare again. 

In Christie’s case, the group said it would release the timer by the end of May, since it couldn’t come to an agreement with the company.

Darren Williams, CEO and Founder, Blackfog had this to say:

 “The clock is ticking for Christie’s Art House, which has a major decision to make now that criminal gang RansomHub has implemented a payment deadline.  With the personal and financial data belonging to their high-profile clients at risk, this is indeed quite worrying. 

The ‘to pay or not to pay’ dilemma is a serious issue for all types of organisations who are facing a rising wave of ransomware attacks. High profile organisations such as Christie’s, which sells high value items upwards of £600 million, will always be on the radar of cyber attackers looking for a quick win with large financial gain. 

Once the data is in the hands of the attackers, the focus must be on handling the incident and repercussions as quickly as possible, leaning on experts to help ease the process when possible.  Once the clean up is done, the focus must shift to preventing these attacks in the future by implementing technology designed to prevent the exfiltration of data, mitigating the risks of future attacks and extortion.”

RansomHub, the attacker group behind this attack, is quite new, first identified by BlackFog in February of this year. The criminal gang has since claimed attacks on multiple organisations – notably UnitedHealth Group, American Clinical Solutions and now Christie’s art auction house in New York.

It will be interesting to see what happens next as we’re only two days from the end of May. I’m pretty sure that this group will release some sort of data in retaliation for not getting paid. But not paying them is the correct course of action as cybercrime groups cannot be allowed to succeed in terms of extorting money from their victims.

BforeAI Launches PreCrime Guarantee Program for Seamless Cyber Risk Coverage

Posted in Commentary with tags on May 28, 2024 by itnerd

BforeAI, the world’s fastest and most accurate predictive attack intelligence and digital risk protection solution, announced today the launch of PreCrime Guarantee, the company’s new breach protection pledge that underlines confidence in their cybersecurity solutions platform. In partnership with the leading global provider of cyber insurance, PreCrime Guarantee reimburses customers up to ten times the value of their service contract if impacted by a cyberattack due to a failure by BforeAI’s predictive solution.

BforeAI’s PreCrime platform predicts, blocks, and preempts malicious campaigns before they can impact an organization. With a false positive rate of 0.05%, the company’s automated preemption can stop attacks within minutes, before the customer falls victim. PreCrime Guarantee provides customers with additional peace of mind as they assess the platform’s effectiveness in the field and further validates the powerful insights and resources that the PreCrime platform provides security teams.

BforeAI underwent a stringent, nine-month process in which the insurance partner validated the effectiveness of the artificial intelligence platform against BforeAI’s go-to-market claims.

Because AI systems are not deterministic but based on probability, it is critical that they are developed to deliver reliable, business process-friendly results. PreCrime delivers best-in-class false positive/false negative and recall performance with extreme reliability. As BforeAI’s AI models were evaluated for their performance, the insurance partner’s team of experts were impressed by the quality of the underlying technology and its controls to limit deviation from performance claims.

The PreCrime Guarantee launch comes on the heels of a recent $15 million Series A funding round led by SYN Ventures, with renewed participation from early investors Karma Ventures, Karista, Addendum Capital, and a new investment from the Partnership Fund for New York City. The program will be instrumental in new customer engagements as BforeAI looks to expand further in the U.S. market in 2024.

Make Sure You Update Chrome ASAP To Mitigate An Actively Exploited Vulnerability…. Along With Some Others

Posted in Commentary with tags on May 27, 2024 by itnerd

If you’re a Google Chrome user, you should make sure that you’re on 125.0.6422.112/.113 for Windows and Mac, or 125.0.6422.112 for Linux. If you’re not, update ASAP as this update addresses a zero-day vulnerability that is being actively exploited. Here’s what Google said:

This update includes 1 security fix. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[N/A][341663589] High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20

Google is aware that an exploit for CVE-2024-5274 exists in the wild.

Fun fact, this is the fourth zero day that Google has patched this month. Here are the other three:

  • CVE-2024-4947, patched on 15 May. This was another type confusion flaw in V8 that was reported by Vasily Berdnikov and Boris Larin of Kaspersky Lab and which, according to Kaspersky, was used in targeted attacks.
  • CVE-2024-4761, patched on 13 May. An out-of-bounds memory write in V8 reported by an anonymous researcher.
  • CVE-2024-4671, patched on 9 May. A use-after-free flaw in the browser’s Visuals component that was reported by an anonymous researcher.
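If you manage a fleet rather than one laptop, the check you actually want is "is every installed build at or above the fixed one", and that comparison has to be numeric, not a string compare (125.0.6422.9 sorts above 125.0.6422.112 as text). The script below is an added example, not something from Google’s advisory: the minimum build is the one quoted above, the `--version` strings in `SAMPLE_OUTPUTS` are constructed, and `installed_version()` is a POSIX-only convenience whose binary names are assumptions.

```python
"""Compare an installed Chrome version against the minimum fixed build.

Added example; not from Google's advisory. MIN_FIXED is the build quoted in
the post above. SAMPLE_OUTPUTS are constructed `--version` lines, and
installed_version() is a POSIX convenience whose binary names are assumptions.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum build carrying the CVE-2024-5274 fix (125.0.6422.112 on all three
# platforms; Windows and Mac also shipped .113).
MIN_FIXED: Version = (125, 0, 6422, 112)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed `chrome --version` outputs, not from real machines.
SAMPLE_OUTPUTS = [
    "Google Chrome 125.0.6422.112",   # exactly the fixed build
    "Google Chrome 125.0.6422.76",    # older 125 build, still vulnerable
    "Chromium 124.0.6367.201",        # previous major, vulnerable
    "Google Chrome 126.0.6478.55",    # newer major, fine
    "Google Chrome 125.0.6422.9",     # a string compare would wrongly pass this
]


def parse_version(text: str) -> Optional[Version]:
    """Pull the four-part version out of a `--version` line; None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor, build, patch)


def is_patched(text: str, minimum: Version = MIN_FIXED) -> bool:
    """True if the version in `text` is at or above `minimum`.

    Tuples compare component by component as integers, so 125.0.6422.9 sorts
    below 125.0.6422.112; a plain string compare gets that backwards.
    """
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return v >= minimum


def installed_version() -> Optional[str]:
    """Try the usual binary names on a POSIX host; None if none is on PATH."""
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True)
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print(f"{line:32} patched={is_patched(line)}")
    live = installed_version()
    if live:
        print(f"{live:32} patched={is_patched(live)}")
```

On Windows the version lives in the registry or in the `BLBeacon` key of the install, so feed the string from there into `is_patched()` instead of relying on `installed_version()`.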

So if you haven’t updated Chrome, consider this a today problem.

Why I Think Spotify’s Handling Of The Demise Of Its Car Thing Device Quite Frankly Sucks

Posted in Commentary with tags on May 26, 2024 by itnerd

First some background. Back in October 2021, Spotify announced the Car Thing, a $90 USD device that went in your car and let you stream Spotify there. The device had a 4-inch touchscreen and a knob for easy navigation, as well as support for Apple CarPlay, Android Auto, and voice control. But you needed a data connection of some sort and you also needed to be a Spotify Premium account holder to use it. I at the time questioned how useful this would be. But clearly Spotify felt there was a need for this device. Though it killed the product in 2022, I am guessing because the money wasn’t rolling in just because this product existed.

Fast forward to earlier this week, when Spotify announced that it was going to remotely brick this device and that users could dispose of it responsibly as e-waste. Effectively, Spotify was killing the product and making sure there was no possibility that it could return.

Cue the outrage on multiple fronts. Reddit and Spotify’s own forum, among other places, were soon filled with angry owners of the device venting their frustration at the company for this move. Some called this move unacceptable and many wanted a refund. Some even wanted the company to open source the device to keep it alive. Thus while I had my reservations about the usefulness of such a device, there are clearly many who found it useful.

Here’s my thoughts on this. What this seems like to me is that Spotify used its user base as a beta test group for a product. And now they want to kill the product because it didn’t work out the way the company wanted it to. Which is code for it didn’t make Spotify a pile of money. Now if someone wants to pay up to be part of this beta test, that is up to them. But for Spotify to brick the device and tell users to throw it away is completely unacceptable. Yes they did say to dispose of it responsibly as e-waste, but that’s still the wrong message. Because the message I would be getting if I were a Spotify customer is not to support them in terms of getting any other piece of hardware that they might come out with. And in an extreme case, I might be rethinking my support of Spotify in general. As in cancelling my subscription. So far from what I can tell, Spotify really isn’t saying anything other than what is in the document that I linked to above. Nor have they answered questions about the possibility of open sourcing the device. But if they did open source the device, it would make them look a whole lot better than they do right now. Spotify really needs to recognize that they have stuffed up the handling of this situation and rethink this. Because right now, they look like a bunch of clowns who don’t care about this subset of their user base. And for those like me who don’t have a Spotify account and who are watching this from afar, this situation and how it is being handled doesn’t give me an incentive to get a Spotify account. Even a free one.

Over to you Spotify. Though given your past track record in handling bad situations, I fully expect you to continue to screw up the response to this bad situation.

Threat Actor Committing Massive Gift Card Fraud: Microsoft

Posted in Commentary with tags on May 25, 2024 by itnerd

Microsoft has alerted retailers and restaurants to sophisticated gift card fraud by the threat actor Storm-0539, which can result in losses of up to $100,000 daily. According to Microsoft’s latest Cyber Signals report released this week, there has been a 30% rise in intrusion activity by Storm-0539 between March and May 2024.

Operating out of Morocco, Storm-0539 targets cloud and identity services linked to gift card portals of large retailers, luxury brands, and fast-food restaurants. The group increases its activity around major holidays such as this week’s Memorial Day; Microsoft saw a 60% rise last year ahead of the Thanksgiving, Black Friday, and Christmas holidays.

Active since late 2021, Storm-0539 initially used point-of-sale (POS) malware to compromise payment card data. As industries strengthened POS defenses, the group shifted focus to gift card portals, infiltrating employee accounts at target organizations by sending smishing texts to personal and work mobile phones. The attackers gather information from employee directories, schedules, contact lists, and email inboxes.

Once inside, they move laterally through the network, identifying gift card business processes and remote environments like virtual machines, VPN connections, SharePoint, and OneDrive resources. Using compromised accounts, they create new gift cards. Microsoft has observed thefts of up to $100,000 a day from a single company through this method.

Storm-0539 maintains persistent access by registering their own devices for secondary authentication prompts, bypassing multifactor authentication (MFA). They present themselves as legitimate organizations to cloud providers to gain initial free resources for their attacks. This involves creating websites that impersonate US-based charities, animal shelters, and other nonprofits via typosquatting.

The group conducts extensive reconnaissance on federated identity service providers at targeted companies to convincingly mimic user sign-in experiences creating adversary-in-the-middle (AiTM) pages and using domains that closely match legitimate services. To minimize costs and maximize efficiency, Storm-0539 has been observed downloading legitimate 501(c)(3) letters from nonprofit websites to obtain sponsored or discounted technology services from major cloud providers. They also create free trials or student accounts on cloud service platforms, granting them 30 days of access to launch targeted operations.
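The lookalike domains described above (both the AiTM sign-in pages and the typosquatted nonprofit sites) are the one part of this tradecraft a defender can hunt for before any phishing text lands. The script below is an added example and not Microsoft’s tooling: it scores candidate hostnames against an organisation’s real sign-in hosts using edit distance plus a small homoglyph table. `LEGIT` and `CANDIDATES` are constructed, and the homoglyph pairs and the distance threshold are assumptions you would tune per environment.

```python
"""Flag hostnames that impersonate an organisation's sign-in domains.

Added example for the lookalike-domain / AiTM technique described above; not
Microsoft's tooling. LEGIT and CANDIDATES are constructed; HOMOGLYPHS and the
distance threshold are assumptions to tune per environment.
"""
from typing import Iterable, Optional, Tuple

# Assumed: the organisation's real federated sign-in hostnames.
LEGIT = {"login.example.com", "sso.example.com"}

# Constructed candidates, e.g. from a newly-registered-domain feed or proxy logs.
CANDIDATES = [
    "login.example.com",    # exact match, legitimate
    "login.examp1e.com",    # digit one for letter l
    "sso.exarnple.com",     # 'rn' for 'm'
    "login-example.com",    # dot swapped for hyphen: a different registrable domain
    "login.example.co",     # TLD truncated
    "docs.python.org",      # unrelated
]

# Assumed homoglyph pairs, applied in order (multi-char pairs first).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(host: str) -> str:
    """Lower-case and collapse common look-alike substitutions."""
    h = host.lower().rstrip(".")
    for src, dst in HOMOGLYPHS:
        h = h.replace(src, dst)
    return h


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, legit: Iterable[str] = LEGIT,
                 max_distance: int = 2) -> Optional[Tuple[str, str]]:
    """Return (impersonated host, reason), or None if the name is not a lookalike."""
    cand = candidate.lower().rstrip(".")
    real_hosts = {h.lower() for h in legit}
    if cand in real_hosts:
        return None                      # the genuine host is never a lookalike
    best: Optional[Tuple[str, int]] = None
    for real in sorted(real_hosts):
        if normalize(cand) == normalize(real):
            return real, "homoglyph substitution"
        d = levenshtein(cand, real)
        if d <= max_distance and (best is None or d < best[1]):
            best = (real, d)
    if best:
        return best[0], f"edit distance {best[1]}"
    return None


if __name__ == "__main__":
    for host in CANDIDATES:
        print(f"{host:24} -> {is_lookalike(host)}")
```

Distance thresholds scale badly on short hostnames (at distance 2, `sso.example.com` will match plenty of innocent names), so in practice the check is run against the registrable domain and paired with certificate-transparency or new-domain feeds rather than over arbitrary traffic.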

“Storm-0539’s skill at compromising and creating cloud-based infrastructure lets them avoid common up-front costs in the cybercrime economy, such as paying for hosts and servers,” Microsoft stated. The company stresses the need for robust cybersecurity measures to counteract such sophisticated fraud schemes.
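The persistence step, an attacker registering their own device as a second factor on a compromised account, leaves a distinctive pairing in identity logs: a sign-in from an unfamiliar location followed shortly by a new MFA method registration. The detector below is an added example of that correlation, not Microsoft’s own detection. Its event schema is an assumed simplification rather than the real Entra ID audit log schema, and `BASELINE`, `EVENTS` and the 30-minute window are constructed assumptions.

```python
"""Flag MFA method registrations that follow a sign-in from an unfamiliar place.

Added example for the persistence technique described above (registering an
attacker-controlled device as a second factor); not Microsoft's detection.
The event schema is an assumed simplification, not the real Entra ID audit
log schema; BASELINE, EVENTS and WINDOW are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Assumed: a registration within this long after a risky sign-in is suspicious.
WINDOW = timedelta(minutes=30)

# Assumed per-user baseline of countries seen over a prior observation period.
BASELINE: Dict[str, Set[str]] = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US", "CA"},
    "dave@example.com": {"US"},
}

# Constructed events; real logs carry many more fields.
EVENTS = [
    {"ts": "2024-05-20T08:02:11Z", "user": "alice@example.com", "op": "SignIn",
     "ip": "203.0.113.10", "country": "US"},
    {"ts": "2024-05-20T08:05:40Z", "user": "alice@example.com", "op": "RegisterSecurityInfo",
     "ip": "203.0.113.10", "country": "US", "method": "Authenticator app"},
    {"ts": "2024-05-21T13:14:02Z", "user": "bob@example.com", "op": "SignIn",
     "ip": "198.51.100.77", "country": "MA"},
    {"ts": "2024-05-21T13:16:30Z", "user": "bob@example.com", "op": "RegisterSecurityInfo",
     "ip": "198.51.100.77", "country": "MA", "method": "Phone"},
    {"ts": "2024-05-22T02:00:00Z", "user": "dave@example.com", "op": "SignIn",
     "ip": "198.51.100.80", "country": "MA"},
    {"ts": "2024-05-22T09:00:00Z", "user": "dave@example.com", "op": "RegisterSecurityInfo",
     "ip": "203.0.113.44", "country": "US", "method": "Authenticator app"},
]


def _ts(e: dict) -> datetime:
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_registrations(events: Iterable[dict],
                                  baseline: Dict[str, Set[str]],
                                  window: timedelta = WINDOW) -> List[dict]:
    """One finding per registration that is itself from an unfamiliar country
    or that follows, within `window`, a sign-in from one."""
    signins: Dict[str, List[dict]] = {}
    findings: List[dict] = []
    for e in sorted(events, key=_ts):
        user = e["user"]
        if e["op"] == "SignIn":
            signins.setdefault(user, []).append(e)
            continue
        if e["op"] != "RegisterSecurityInfo":
            continue
        known = baseline.get(user, set())   # unknown user: every country is unfamiliar
        reasons: List[str] = []
        if e["country"] not in known:
            reasons.append(f"registered from unfamiliar country {e['country']}")
        for s in signins.get(user, []):
            gap = _ts(e) - _ts(s)
            if timedelta(0) <= gap <= window and s["country"] not in known:
                reasons.append(f"sign-in from {s['ip']} ({s['country']}) "
                               f"{int(gap.total_seconds() // 60)} min earlier")
        if reasons:
            findings.append({"user": user, "ts": e["ts"],
                             "method": e.get("method"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_registrations(EVENTS, BASELINE):
        print(f["user"], f["ts"], f["method"])
        for r in f["reasons"]:
            print("   ", r)
```

Against the constructed data only bob’s registration fires (unfamiliar country, and a sign-in from that country two minutes earlier); dave’s registration from a baseline country seven hours after a foreign sign-in stays quiet unless the window is widened, which is the knob to turn when an attacker waits before adding their device.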

Ted Miracco, CEO, Approov Mobile Security:

   “The increasing reliance on mobile devices in cyber attacks, as illustrated by Storm-0539’s activities, highlights the need for comprehensive mobile and API security strategies. Smishing, or SMS Phishing, in this case underscores a significant vulnerability: employees often use the same devices for both personal and work-related activities, increasing the attack surface. 

   “In bypassing MFA by registering their devices, this incident highlights the need for more robust MFA implementations and better device management policies. Organizations must adopt a defense-in-depth approach to security, incorporating advanced mobile threat monitoring, training, and device management to protect against sophisticated threats.”

Seeing as gift cards are the number one go to gift for a lot of people, this is a huge problem. One that needs to be addressed on multiple fronts. Hopefully those organizations who rely on gift cards as a part of their business are paying attention.

Bad News: London Drugs Data Leaked By Hackers

Posted in Commentary with tags on May 24, 2024 by itnerd

Remember the London Drugs hack? It shut down their stores for a while. And it caused their president to apologize for getting pwned. There’s a new chapter in this saga, and The Canadian Press has the details:

Retailer London Drugs says cybercriminals who stole files from its corporate head office last month have released some of the data after it refused to pay a ransom.

The Richmond, B.C.-based company says in a statement the files may contain “some employee information,” calling it a “deeply distressing” situation.

This statement comes in response to this Tweet from Brett Callow who is in a position to know these things:

So now we know that LockBit was the group who pwned London Drugs. And we know they swiped data. Though that part should have been a given as that’s how these groups operate. Right now we know that employee data was swiped. But they could have gotten more. And given that London Drugs refused to pay the ransom, as they should, then we’ll find out soon enough what else LockBit swiped.

This does bring up a question. If Brett Callow didn’t disclose this on Twitter, would London Drugs have said anything? Riddle me that Batman.

OVHcloud Adds Qiskit To Market Leading Quantum Notebooks Portfolio

Posted in Commentary with tags on May 23, 2024 by itnerd

OVHcloud today announces at France Quantum 2024 updates to its Quantum Notebooks portfolio. 

To further support the rapid growth and development of quantum computing, OVHcloud adds a new Quantum Notebook supporting the IBM-developed open-source Qiskit SDK. This new addition completes OVHcloud’s already impressive set of Quantum Notebooks available in the Cloud, including Alice & Bob, C12, Eviden, Pasqal and Quandela. OVHcloud is one of IBM’s recommended notebook environment solutions for users of the IBM Quantum Lab, which was sunset on 15 May, 2024.

Leveraging state of the art technologies, OVHcloud offers developers and students alike the opportunity to develop today the algorithms of tomorrow. With the notebooks designed to program a wide variety of quantum computer architectures, OVHcloud continues to support the development of a truly vibrant quantum ecosystem. The addition of Qiskit, the most-used quantum development framework in the world, allows programmers to create software in Python to program quantum computers, including algorithms, circuits and pulses.

The Quantum Notebook with Qiskit is available now from the OVHcloud Public Cloud universe. Registered startups within the OVHcloud Startup Program can access the Qiskit SDK, through the Quantum Notebook now. Eligible students can get free access to the whole range of OVHcloud Quantum Notebooks, including Qiskit.


Elon Musk Has Decided To Make “Likes” Private On Twitter And Remove Likes Tab From Profiles

Posted in Commentary with tags on May 23, 2024 by itnerd

From the “this is a very cynical move” department comes this move to make “likes” private on Twitter and outright remove the likes tab from profiles. This was confirmed in this Tweet:

Haofei Wang is director of engineering over at Twitter. At least until Elon decides to fire him on a whim. In any case, since he is in a position to know, this move can be taken as fact. The question is why is this happening. From where I sit, this means that Twitter which under Elon has become a cesspool of hate and other evil things has less accountability than it did before this move. Now with this move, the hate mongers, racists, and conspiracy theorists among others can fly under the radar without fear of being called out for liking a Tweet that is vile and unacceptable in a civil society. Which is likely what Elon wants seeing as he’s all for those sorts of people. The other side effect is that it will make it harder for brands to avoid having their ads next to content that they don’t like. I’m sure that that part will be marketed by Elon as “See there’s no issues here. Come back and advertise.” Which to be clear, no brand should be advertising on Twitter. And this move underscores why that’s the case.