HP Analyzes Stealthy Raspberry Robin Campaign 

Posted in Commentary with tags on April 10, 2024 by itnerd

New analysis from HP Wolf Security reveals that since March, threat actors have been using the Raspberry Robin worm to spread malware through Windows Script Files (.wsf) without being noticed. At this time, none of the anti-virus scanners on VirusTotal classify these scripts as malicious.

This new campaign sees threat actors using advanced obfuscation and anti-analysis techniques to bypass detection tools, fool sandboxes, and slow down security teams seeking to understand the malware and respond to attacks. 

Historically, Raspberry Robin spread through removable media like USB drives. But this new campaign uses malicious .wsf files hosted on the web to act as a downloader for other popular malware families – or as a precursor to ransomware – which is why it’s currently one of the top security threats to enterprises.
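As an added illustration (not part of HP Wolf Security's analysis, and not the malware's own code), here is the kind of process-creation check a detection engineer would write for this delivery path. Because .wsf files are run by Windows Script Host (wscript.exe or cscript.exe), a script host launching a .wsf from a user-writable directory, or being spawned by a browser, is worth a look even when the file itself scores clean on VirusTotal. The event field names follow Sysmon's process-creation event; the events, paths and the list of "user-writable" locations are constructed assumptions for the example.

```python
"""Added example, not code from HP Wolf Security's report or from the malware:
flag process-creation events in which Windows Script Host (wscript.exe or
cscript.exe, the interpreters for .wsf files) runs a .wsf from a user-writable
location or is spawned by a browser. Field names follow Sysmon Event ID 1;
the events, paths and location list below are constructed for illustration."""
from __future__ import annotations

import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations an unprivileged user (or a drive-by download) can write to (assumed list).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata)|windows\\temp|programdata)\\", re.I)
# A script host whose parent is a browser usually means "opened straight from a download".
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Quoted or bare command-line tokens that end in .wsf
WSF_ARG = re.compile(r'"[^"]*\.wsf"|\S+\.wsf', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def wsf_targets(command_line: str) -> list[str]:
    """Return every .wsf path passed on the command line, quotes stripped."""
    return [m.strip('"') for m in WSF_ARG.findall(command_line)]


def assess(event: dict) -> list[str]:
    """Reasons this event looks like a web-delivered .wsf execution (empty list = nothing to see)."""
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return []
    targets = wsf_targets(event.get("CommandLine", ""))
    if not targets:
        return []
    reasons = []
    for path in targets:
        if USER_WRITABLE.search(path):
            reasons.append(f".wsf executed from user-writable path: {path}")
    if basename(event.get("ParentImage", "")) in BROWSER_PARENTS:
        reasons.append("script host spawned by a browser")
    return reasons


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> reasons, for every event that produced at least one reason."""
    out: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        reasons = assess(ev)
        if reasons:
            out[i] = reasons
    return out


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.wsf"',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Windows\System32\cscript.exe",          # admin script from a fixed path: quiet
     "CommandLine": r"cscript.exe C:\Scripts\inventory.wsf",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\explorer.exe",                  # not a script host at all
     "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\ProgramData\update.wsf",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"])
        for r in reasons:
            print("   ", r)
```

Run as a script it reports the two constructed events that trip a rule (the Downloads launch with a browser parent, and the ProgramData launch) and stays quiet on the admin script in C:\Scripts. The point of keying on where and how the script was launched rather than on its contents is that the obfuscation described above changes the file, not the launch path.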

You can read this analysis here.

DOJ Consulting Firm Compromises Data Of 341k While EPA Hack Impacts 8.5m

Posted in Commentary with tags on April 10, 2024 by itnerd

Another day. Another case of pwnage via supply chain attack.

On Friday, a consulting firm working with the Department of Justice, Greylock McKinnon Associates, reported a data breach to regulators in Maine, telling 341,000 victims that personal information such as Medicare and Social Security numbers was accessed during an incident last May.

The company, which provides “litigation support services in civil litigation matters”, said those affected by the breach originally had their information obtained by the DOJ “as part of a civil litigation matter.” Information accessed by the hackers included:

  • Names
  • Dates of birth
  • Addresses
  • Medicare Health Insurance Claim Numbers
  • Social Security numbers
  • Some medical or health insurance info

The consulting firm says it “deleted DOJ data from its systems after the incident.”

Meanwhile, on Sunday, threat actors claimed to have hacked the Environmental Protection Agency, allegedly compromising the data of over 8.5 million customers and contractors.

The EPA hasn’t yet confirmed the breach, but various reports confirm the legitimacy of the hacker’s claims. The leaked database was found to contain three zipped files totalling 500MB of data. The files are named Contact (3,726,130 records), Inter_Contact (9,952,374 records), and Staff (3,325,973 records). Some of the fields included:

  • Full names
  • Phone numbers
  • Email addresses
  • Mailing Addresses
  • Company name
  • Company address

After filtering the duplicate records, the total accounts breached amounted to 8,460,182.

Corey Brunkow, Dir of Eng Operations, Horizon3.ai:

The DOJ data breach is a great use-case example of Supplier Security Posture Management. Supplier Security Posture Management is the concept that your large organization’s exploitable attack surface is not just your own IT infrastructure any longer, but the IT infrastructure of your suppliers and your distributors too.  Forward thinking organizations like the Cyber Collaboration Center at NSA are running pilot programs to manage this risk among their defense industrial base suppliers – See Link to info here:  https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/DIB-Cybersecurity-Services/

   “In this case, the US DOJ utilized a consultant (Labor Supplier) whose cyber security was not able to prevent this 3rd party attack, despite the regulations and bureaucracy of government contracting.  TheRecord reports that the consulting firm deleted the data AFTER the hacking incident.  This may be the case, but based on the breach notification, the consultants failed to verify that the data was either deleted or sufficiently protected prior to attackers gaining access to it. This is a common Supplier Security Risk Management risk for large organizations and should be prevented to avoid risk to brand and reputation of both suppliers and large organizations in both the commercial and government sectors. “

The EPA hack is pretty bad because of the scale. But the DOJ hack is worse because it’s another supply chain attack. How long will it take for organizations to get the message that supply chain attacks are real and defending against them has to move up the list of priorities? I ask because the number of supply chain attacks that I report on seems to be greater than the number of ransomware attacks that I report on. Which is insane and shows how bad this problem is.

Most Canadians want both AI + Human Support in Customer Service Experiences: ServiceNow

Posted in Commentary on April 10, 2024 by itnerd

With ongoing debate about whether people want more AI or human interaction, new data from ServiceNow reveals a key insight: Canadians want both. The report reveals 61% of Canadian consumers prioritize seeking assistance from a human to resolve complex issues, whereas nearly half (44%) are open to AI-powered services like chatbots or intelligent search engines.

The study underlines why businesses must strike a balance in meeting consumer preferences—with 74% of Canadians saying they are less loyal to brands than they were two years ago, embracing AI tools becomes essential to stay competitive in today’s market.

The recent ServiceNow Consumer Voice Report 2024 surveyed 1,000 Canadians and found:

  • What shoppers think of AI chatbots: Having a good chatbot service is deemed important by 55% of Canadians, with this number increasing to 70% for those ages 18-34. Some (7%) even prefer to use chatbots for all their customer service needs.
  • Humans are best suited to solve complex problems: When looking to solve a complex issue or troubleshoot, 61% of Canadians will prioritize turning to customer service agents, whether by phone, chat, or in-person. However, 44% would choose to use AI-powered services such as a chatbot or intelligent search engine.
  • Preserving the human connection: Nearly half (49%) would never want to see 100% autonomous, AI-driven customer service. Additionally, 36% of Canadians hold back from engaging with AI for customer service because they do not like the lack of personalization, further underscoring the need for a balanced approach. While 73% of those ages 55+ want to see a return to human-based customer service by 2025, less than half (47%) of those ages 18-34 say the same.

You can also find the full survey results here.

70% Increase in Attacks Against Automotive Industry via Email Compromise

Posted in Commentary with tags on April 10, 2024 by itnerd

Abnormal Security today revealed a concerning trend: the automotive industry has experienced a shocking 70% surge in business email compromise (BEC) attacks. 

Even more alarming, 63% of organizations in the automotive sector face at least one vendor email compromise (VEC) attack every week. 

The research blog is now live at https://abnormalsecurity.com/blog/automotive-industry-bec-vec-attacks

Automattic Acquires Beeper…. Uh.. Okay.

Posted in Commentary with tags on April 9, 2024 by itnerd

Well, I didn’t have this on my BINGO card.

Automattic, which owns WordPress (fun fact, this blog is hosted on WordPress) and Tumblr, has acquired Beeper, which you might recall got into one hell of a fight with Apple last year when it tried and failed to bring iMessage to Android phones:

Messaging today is a mess. We have endless chat apps on our phones, each with different contacts and notification settings, making it all too easy to accidentally ghost family and friends. 

That’s why we’re excited to announce today that Automattic has acquired Beeper, a universal messaging app that combines 14 different chat networks in one inbox. We began investing in messaging last year when we acquired Texts.com. Now, two of the most exciting teams in tech will work together to push the boundaries of messaging, giving us one app that will improve our focus and the way we communicate. 

So why would they do this? Well, Automattic wants to create its own messaging app, so this fits in with that ambition. And given Apple’s current issues with the US Justice Department, I guess they felt that the time was right to jump into this market, as it might get a lot more competitive shortly. Well, I wish them luck with that, because if that doesn’t happen, Automattic has spent a lot of money for no appreciable gain.

Tis The Season For Canada Revenue Agency Related Email #Scams

Posted in Commentary with tags on April 9, 2024 by itnerd

It’s tax time here in Canada. And much like spring flowers, Canada Revenue Agency scams are popping up everywhere. Here’s today’s example. This arrived via email late yesterday:

Now right off the top I knew that it was a scam for the following reasons:

  1. If you have set up direct deposit, your tax refund is sent to your bank account automatically. You do not have to lift a finger to get it.
  2. The day that I received this was yesterday, April the 8th. But this email claims that the refund will expire on April the 7th. Thus this threat actor isn’t all that smart, as they clearly can’t pay attention to the details.

There’s also a third thing that identified this as a scam:

That’s the email address that the email was sent from, which is not the Canada Revenue Agency, whose addresses typically end in cra-arc.gc.ca. So if you see this email and you’ve identified all of this, this is the point where you should delete it. But I’m going down the rabbit hole to expose their endgame, which is of course a scam to capture your banking credentials. So after clicking on “Deposit your refund” (which, by the way, you should never do), you get taken to this web page:

Now you’ll notice the address of the web page. Here’s a closer look:

That’s not the Canada Revenue Agency as their website is https://www.canada.ca/en/revenue-agency.html. But the threat actors are hoping that you won’t notice. Clicking on the CAPTCHA (which works by the way) takes you here:

Then from there, the threat actors have spent some time trying to replicate each bank’s web page to fool you into entering your banking credentials so that they can swipe your hard earned money. Take CIBC for example:

Other than the two missing pictures at the bottom of the page, this is a pretty good replication of the actual CIBC website. While the threat actors didn’t get that detail right, what they did get right was the code that checks the validity of the card number you have to enter. That way the threat actors aren’t wasting time going through bogus data to find the bank accounts that they can actually steal money from. That shows how crafty these scammers have become. It also shows why you need to always watch out for them, as they are clearly evolving to better execute their scams. Thus, as always, delete this email the second it arrives in your inbox and move on with your day.
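The post does not say which check the phishing page runs, but a card-number "validity" check on a web form is almost always the Luhn checksum that real card numbers are issued with. As an added example (not code from the phishing kit, and the Luhn assumption is mine), this is what that check does and why it is useful to the scammers: it weeds out typos and garbage before they ever try a credential, without telling them anything about whether the account exists. The sample inputs are constructed; the first one is the widely published Visa test number.

```python
"""Added example, not code from the phishing kit described in the post: the Luhn
(mod 10) checksum, the standard client-side test for whether a typed card number
is well-formed. That the kit uses Luhn is an assumption; the post only says it
checks validity. Inputs below are constructed (the first is a published test number)."""
from __future__ import annotations


def normalise(raw: str) -> str:
    """Drop the spaces and hyphens people type between card-number groups."""
    return raw.replace(" ", "").replace("-", "")


def luhn_valid(raw: str) -> bool:
    """True if the digits pass the Luhn checksum and the length is PAN-like (12 to 19)."""
    number = normalise(raw)
    if not number.isdigit() or not 12 <= len(number) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold values
    # above 9 back to a single digit (18 -> 9), then sum everything.
    for position, ch in enumerate(reversed(number)):
        digit = int(ch)
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def filter_submissions(entries: list[str]) -> tuple[list[str], list[str]]:
    """Split captured form inputs into well-formed numbers and junk, as a kit would."""
    keep: list[str] = []
    drop: list[str] = []
    for entry in entries:
        (keep if luhn_valid(entry) else drop).append(entry)
    return keep, drop


# Constructed inputs: a published test number, a one-digit corruption of it, and junk.
SAMPLE_INPUTS = [
    "4111 1111 1111 1111",
    "4111 1111 1111 1112",
    "1234",
    "abcd efgh ijkl mnop",
]

if __name__ == "__main__":
    ok, junk = filter_submissions(SAMPLE_INPUTS)
    print("passes Luhn:", ok)
    print("rejected:   ", junk)
```

The caveat worth keeping in mind is that a Luhn pass proves only that the digits are well-formed, nothing about the account. That is exactly what the scammers want from it: fewer dud records to sort through, not confirmation that a card is live.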

Cranium Launches the Connect Reseller Program 

Posted in Commentary with tags on April 9, 2024 by itnerd

Cranium today announced the launch of its new innovative partner program – the Cranium Connect Reseller Program. Designed to provide new opportunities for organizations to discover the benefits of enhancing AI security and governance, the Cranium Connect Reseller Program actively fosters a community of value-added partners, security and risk-focused service providers, and alliance partners.

Representing a significant milestone for expanding the reach of AI security across diverse industries, this initiative focuses on channels for resale, services, and support to enhance profitability and predictability for partners. Those joining the Cranium Connect Program will benefit from competitive margins, access to advanced services, and a surge in customer demand, all driven by Cranium’s strategic marketing efforts.

The program has distinct tiers, each offering escalating benefits and support. This tiered approach ensures a customizable experience for each partner, fostering growth alongside their business development.

Additional benefits include access to dedicated partner testing environments, certification training, promotional opportunities, comprehensive support via the Partner Portal, a hub for sales and marketing resources, and deal registration management.

As the foremost enterprise AI security and trust software firm, Cranium empowers organizations to ensure the security and compliance of their AI and GenAI systems. The Cranium Enterprise software platform offers comprehensive solutions for driving visibility, security, and governance across all AI and GenAI environments. Secure your enterprise’s AI today with Cranium.AI.

Google Rolls Out Find My Device Network

Posted in Commentary with tags on April 9, 2024 by itnerd

Google has introduced the Find My Device network for Android, which, as the name suggests, is just like the Find My network that Apple rolled out a while ago. This network will allow you to do several things:

  • Keep track of your Android devices as well as find them.
  • Keep track of everyday items such as keys using Bluetooth trackers. Google specifically calls out Chipolo and Pebblebee, but also says that support for eufy, Jio, Motorola and other trackers is coming. One has to wonder whether the O.G. of Bluetooth trackers, Tile, will be included. In any case, you can also find “unwanted” trackers, which apparently includes AirTags.
  • You can leverage Nest devices to find items in your home and share items with your family.

This is live in the US and Canada and works on phones running Android 9 or higher. The one thing that I think is a win here is that this will further discourage the use of AirTags and other Bluetooth trackers by criminals, as any of these trackers are now more likely to be found by “Joe Average.”

Smishing Attack Takes NYC Payroll Website Offline And Threatens Up To 300K With Identity Theft

Posted in Commentary with tags on April 9, 2024 by itnerd

New York City is the latest victim forced to take a city payroll website offline and remove it from public access for almost a week now after dealing with a smishing incident.

The website was partially taken offline following the smishing campaign that allegedly involved messages sent to city workers asking them to activate multi-factor authentication, with a link to a phishing domain.

It wasn’t until after being contacted by POLITICO, which first reported the incident last week, that the city warned its roughly 300,000 full-time workers of the phishing campaign. Even then, it did not mention that access to the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) website (including essential tax forms) would be limited.

That action also came after the city’s largest agency, the Department of Education, sent an email to its employees on March 23rd, warning about “a new smishing” or SMS phishing campaign “targeting users of NYCAPS/ESS.”

“This (is) a user education issue to not fall prey to these scams, but the real site is antique & easily cloned,” said Naveed Hasan, a technology consultant and member of the city’s Panel for Education Policy.

Dave Ratner, CEO, HYAS had this to say:

   “Smishing campaigns are becoming more commonplace, in part because of our increasing reliance and familiarity with automated systems that generate text messages, and in part because the rise of AI makes it so much easier to generate accurate-looking fakes. This trend will unfortunately continue and there are only two good ways to address it. The first involves increased training, education, and communication; the second involves the use of highly accurate Protective DNS systems which are capable of separating malicious from legitimate sites on the Internet and ensuring that individuals are not accidentally fooled.”

I have long argued for the use of either multi-factor authentication, or better yet passwordless authentication, to stop this sort of thing from happening. But either has to be combined with user education and better checks to ensure “smishing” isn’t a successful attack vector.
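The lure described above (a text telling staff to "activate MFA" via a link) works because the message looks routine, so the decision has to be made on the link's hostname rather than on the wording. That is also what the Protective DNS approach in the quote above boils down to: a per-hostname allow/deny decision. As an added example, not code from the city or from HYAS, here is that decision over a handful of constructed text messages. The legitimate self-service hostname, the messages and the edit-distance threshold are all assumptions for the example; the post gives neither the real NYCAPS/ESS hostname nor the phishing domain.

```python
"""Added example, not code from the city or from HYAS: triage SMS messages by the
links they carry, deciding per hostname whether a link points at the legitimate
employee self-service host, a lookalike of it, a domain that merely embeds its
name, or something unknown. The legitimate host, the messages and the threshold
are constructed assumptions; none of it is the real NYCAPS/ESS or phishing domain."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

LEGIT_HOSTS = {"payroll.example.gov"}   # hypothetical employee self-service host
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
LOOKALIKE_MAX_EDITS = 2                  # assumed threshold for typosquat detection


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as a digit 1 for a letter l."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def verdict(host: str) -> str:
    """allowed | impersonation | lookalike | unknown, for one hostname."""
    host = host.lower().rstrip(".")
    for legit in LEGIT_HOSTS:
        if host == legit or host.endswith("." + legit):
            return "allowed"
    for legit in LEGIT_HOSTS:
        # The real name appears as a subdomain of someone else's domain:
        # payroll.example.gov.mfa-activate.com is owned by mfa-activate.com.
        if legit in host:
            return "impersonation"
        if levenshtein(host, legit) <= LOOKALIKE_MAX_EDITS:
            return "lookalike"
    return "unknown"


def classify(message: str) -> list[tuple[str, str]]:
    """(url, verdict) for every link in the message; a message with no links yields []."""
    results = []
    for url in URL_RE.findall(message):
        host = urlsplit(url).hostname or ""
        results.append((url, verdict(host)))
    return results


SAMPLE_SMS = [  # constructed messages, not the real campaign text
    "NYC Payroll: activate multi-factor authentication by Friday "
    "https://payroll.example.gov.mfa-activate.com/login",
    "Reminder: your W-2 is available at https://payroll.example.gov/ess",
    "Action required: enable MFA now https://payrol1.example.gov/mfa",
    "Payroll notice, see https://short.example/abc",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for url, label in classify(sms):
            print(f"{label:14} {url}")
```

The first message is the shape of the lure in the story: the legitimate name is right there in the URL, just not in the position that decides who owns the domain. The third is a one-character typosquat the edit-distance check catches. Anything "unknown" is a policy call, which is where user training and a resolver that blocks by default rather than by reputation part ways.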

American Privacy Rights Act Unveiled

Posted in Commentary with tags on April 9, 2024 by itnerd

The newly unveiled American Privacy Rights Act (APRA) represents a significant step toward establishing a federal data privacy standard in the U.S., offering a bipartisan solution to longstanding legislative challenges.  This legislative effort underscores a unified approach to enhance online privacy protections, aiming to reconcile differences over state preemptions and legal remedies for privacy breaches.

Antonio Sanchez, principal evangelist at cybersecurity company Fortra says:

“Today, about half of the states have some sort of legislation, but it’s varied. Ideally, this legislation would be a baseline of privacy at the federal level which provides consumers with more control over their personal data.  Each state would then decide on passing something more stringent than the baseline.

This would be a great win for consumers as this would be a big step towards reducing misinformation, disinformation, and AI generated content which are used to sway the public’s mindset on a particular issue.  For big tech this would represent a big hit to their bottom line since big tech monetizes personal data by mining, using, and selling it.  The ones that use it deliver content (real and AI generated) to targeted audiences to either position a product or gain support on a social issue.

I like the idea, but we will see if this continues to move forward or if it slowly fades away and nothing happens.”

This is a piece of legislation that is long overdue. If the people on Capitol Hill are smart they would do everything possible to move this bill forward and get it passed into law. But given the tenor of politics in the US at the moment, one has to wonder if that will happen.

UPDATE: Madison Horn, Congressional Candidate (OK-5) and cybersecurity expert adds these comments regarding the American Privacy Rights Act:

The American Privacy Rights Act is a significant first-step towards setting up national consumer centric data privacy standards. While the American Privacy Rights Act aims to define the type of data that companies can collect, there is ambiguity and concern in a number of areas that will be left vague. In the typical process for introducing new regulation, there is either over or under calibration, or it is not specific enough. Regulators must define what data is considered necessary, determine how data collection needs should be managed across applications, determine whether data storage will be centralized or segmented, and establish clear limitations on the types of data companies can collect.

I have concerns that regulators will over-calibrate these new data privacy regulations and inadvertently introduce vulnerabilities in company systems, potentially making it easier for bad actors to exploit them. While giving consumers control over their data is a positive step, it’s crucial that identity and access management are securely designed; otherwise bad actors could easily steal personal data. Giving consumers the right to access, correct, delete, and export their personal data is a great step forward, but brings significant security concerns. There’s a technical challenge in setting up and managing identities to ensure that people can’t access or edit someone else’s data. Despite the good intentions, opening these doors will inadvertently increase security concerns. The real task lies in minimizing these incidents as much as possible. It’s all achievable, but requires careful planning and execution.

To get this crucial data privacy law right, it’s important that everyone involved – lawmakers, regulators, and the private sector – all meet at the table together. If lawmakers try to force this law through like dictators, there will be endless pushback from lobbyists – something entirely counterproductive to effective regulation – and will only hurt small businesses and innovation. With many of the few qualified individuals in Congress left retiring or being pushed out of office by partisan politics, it’s up to the American people to elect qualified leaders with experience that matches the problems of today. Leaders that understand the nuances and pitfalls of drafting, right sizing and passing acts that adequately protect Americans while not hindering innovation and economic growth.