CISA, The FBI, And MS-ISAC Release DDoS Attack Guidance For The Public Sector

Posted in Commentary with tags on March 26, 2024 by itnerd

In a joint advisory, CISA, the FBI, and MS-ISAC have published new guidance, Understanding and Responding to Distributed Denial-Of-Service Attacks, for federal, state and local government agencies to help prevent disruption to critical services.

The advisory noted that DDoS attacks are difficult to trace and block and are commonly used by politically motivated attackers, with government websites often targeted by one of three types of DDoS attacks: volume-based, protocol-based, and application layer-based attacks.

The guidelines emphasized that there are steps that can be taken to mitigate the possibility of being hit. These include:

  • Use risk assessments to identify potential vulnerabilities
  • Implement robust network monitoring tools and detection systems
  • Integrate CAPTCHA challenges
  • Configure your firewalls to filter out suspicious traffic
  • Regularly patch and update all software, operating systems and network devices
  • Train employees about DDoS attacks, and how to recognize and report suspicious activities

The advisory also emphasized the importance of putting in place measures to maintain service availability during a DDoS attack, such as increasing bandwidth capacity and implementing load balancing solutions that distribute traffic and absorb sudden spikes during an attack. Also, establish redundancy and failover mechanisms to redirect traffic, and regularly back up critical data to allow for fast recovery and minimize data loss.

Stephen Gates, Principal Security SME, Horizon3.ai had this to say:

   “Although volumetric DDoS attacks have been pretty much defeated by those who offer cloud-based DDoS defenses, protocol-based attacks and application layer-based attacks are still a resounding problem. These attacks are often low-and-slow attacks that are extremely difficult to defeat in the cloud, since defenses regularly end up blocking legitimate traffic.

   “For those who are concerned about DDoS attacks, the best approach is a hybrid one. Subscribe to cloud-based DDoS defensive services to defeat volumetric attacks and deploy specialty-built DDoS defenses on-premises in front of your border firewalls to defeat the low-and-slow attacks. This way, all types of DDoS attacks can be defeated.”

A DDoS attack can be highly disruptive if an organization isn’t prepared to defend against one. So it is in any organization’s interest to add this to the list that they need to have a playbook for. Fortunately this joint advisory will help with that.

HYAS Threat Intel Report Is Now Out

Posted in Commentary with tags on March 25, 2024 by itnerd

HYAS Infosec has just issued the Threat Intel Report for March 25, 2024, in which HYAS Threat Intelligence Security Engineer David Brunsdon details:

  • Top ASNs Under Observation
  • The most active malware families during the week that’s just ended.

The Report includes specific details on each ASN, including organizational description and location, recent activity, organization type (hosting, ISP, telco) and recommendations for protecting organizations.

For the Top Malware Families Under Observation, the report provides descriptions of each threat, recent activities, specific risks and potential impacts, and recommendations for mitigation and tightening security posture against the threat.

Nursing Home Provider Files For Bankruptcy After Getting Pwned Twice

Posted in Commentary with tags on March 25, 2024 by itnerd

Last week, Illinois-based Petersen Health Care, known for its extensive network of nursing homes across the US, filed for bankruptcy following the impacts of two cyberattacks on its systems and defaults on its loans.

Petersen Health Care operates over 90 nursing homes with nearly 4,000 employees and a capacity to accommodate 6,796 residents, with services ranging from assisted living to hospice care in Illinois, Missouri, and Iowa. While the company had more than $339 million in revenue last year, its debts were more than $295 million.

In October 2023, a cyberattack claimed by the Cactus ransomware gang compromised the company’s network and led to the exposure of sensitive information. 

Petersen had attempted to restructure its debt, but the cyberattack forced the company to replace its servers, email addresses, and software and consequently caused the company to lose a significant amount of its business records resulting in an “incredible difficulty and delay” in its attempts to bill customers and insurers, according to court filings.

Furthermore, the ransomware attack on UnitedHealth Group’s Change Healthcare, a major payor for Petersen, exacerbated Petersen’s financial difficulties.

In the fallout of the two ransomware attacks, Petersen missed payments on $45 million of HUD loans, causing lenders to place 19 of its locations into receivership. Petersen has worked to transition those locations to the receiver’s control but has struggled to keep up with “demand-after-demand from the receiver” while also working to address its larger debt issues, further disrupting the company’s operations, compounding its financial woes.

Steve Hahn, Executive VP, BullWall:

   “This is the first of many to come. Blackcat (AlphV), the largest player in the ransomware space, has specifically said they will focus most of their attention on US healthcare organizations as a result of the FBI-led attack on Blackcat’s infrastructure. The FBI claimed they “took down” Blackcat, but within 24 hours Blackcat proved otherwise, continuing attacks and saying specifically that US healthcare would be targeted more as a result. Considering this group is Russia-based, there are economic principles at play here, as this group has likely pulled in close to a billion dollars in ransom in 2023, but it is also geo-political, as many members of Blackcat have ties to former KGB bosses running the criminal underground and Putin was the head of the KGB. We believe he provides them cover in exchange for targeting the sectors Putin wants targeted.

   “Their attacks have been financially ruinous to many. United Healthcare recently paid 22 million to this group to decrypt their data after being hit with ransomware, but that’s peanuts compared to the billions in lost prescription refills caused by the attack. Truly, the impacts of this will likely be over $5 billion when the dust settles. Attacks on hospitals, such as the Lehigh Valley Health Network, not only encrypted data; the threat actor also extorted the hospital for millions more, threatening to release hundreds of photos of breast cancer patients in states of undress. They trickled these out in batches as they demanded payment. It’s not certain how much they paid to the threat actor group, but the lawsuits will be ruinous to that health network as a result.

   “Healthcare networks are easy targets. Massive numbers of IoT devices, doctors accessing systems with personal devices, thousands of connected providers and a sprawling attack surface make them sitting ducks. On top of that, they have to pay to get their systems up and running or there will be loss of life.

   “Another group of hospitals was recently hit in the Northeast and had to suspend operations as they transferred patients to other providers. It’s unknowable how many people have lost their lives in 2023 because of these attacks, but we know healthcare will continue to be the top target, that healthcare services will be impacted and that the financial strain on these systems will cost hundreds of billions for our economy. Exactly what Russia wants.

   “For healthcare, it’s not a matter of “if”, it’s a matter of “when”. And they need backup plans, recovery plans and rapid containment plans to limit the effects. They can’t stop these, but they can minimize their impact.”

Getting pwned has a cost to it. And that cost could be anything from expensive to terminal for a business. This is why every organization needs to wrap their heads around prevention and mitigation as a strategy to avoid finding out what the cost of getting pwned is for them.

Two Municipalities Pwned In Cyberattacks In The Last Week

Posted in Commentary with tags on March 25, 2024 by itnerd

Jacksonville Beach joins a growing list of municipalities to suffer a cyberattack, disclosing just last week that 48,949 people had their names and social security numbers disclosed during a January cyberattack. 

“On or about January 29, 2024, [City of Jacksonville Beach] began experiencing information system issues as a result of a cybersecurity event,” the city said.

The LockBit ransomware group claimed the attack back in February. In a statement posted to their website last week, the City confirmed the LockBit claim and said they are still working with federal law enforcement on the investigation.

“This investigation determined that certain files in COJB systems were subject to unauthorized access and that information may have been taken from the network between January 22, 2024 and January 29, 2024. As a result, COJB began a thorough review of the data stored within these files to determine the type of information that was contained within them and to whom the information relates.”

Another Florida city, Pensacola, announced a cyberattack earlier in the week that caused serious issues for the local government, making it the 21st U.S. municipality to suffer a cyberattack this year, according to cybersecurity expert Brett Callow.

BullWall Executive, Carol Volk had this to say:

   “This Jacksonville cyberattack echoes the severity of similar incidents like the one in Dallas, TX last fall and in Oakland, CA earlier that year. Just like those attacks, this not only disrupted essential services but also compromised sensitive personal data. With 48,949 individuals’ names and social security numbers exposed, the repercussions are profound.

   “Data breaches of this magnitude lead to identity theft and financial losses for both citizens and institutions. The perpetrators’ demand for ransom adds another layer of complexity, potentially causing further financial and reputational harm to the municipality. The week-long disruption to city services underscores the immediate impact, while the long-term effects on infrastructure and security cannot be overlooked. We’ve all seen the consequences when critical services like hospitals are incapacitated for days.

   “This incident emphasizes the urgent need for robust cybersecurity measures to defend against evolving threats. Proactive strategies and response protocols, including response and containment measures, are needed to safeguard against such attacks, as there is no end in sight to these sorts of attacks.”

To be clear, it isn’t just US municipalities that are the targets of cyberattacks. Hamilton, Ontario and Huntsville, Ontario here in Canada have been pwned too. That illustrates not only that this is a huge problem, but also that municipalities need to wrap their heads around it, or this will get out of control quickly like we’ve seen in the healthcare space.

Someone Is Targeting Apple iCloud Users With A High Effort Attack To Take Over Apple iCloud Accounts

Posted in Commentary with tags on March 25, 2024 by itnerd

A series of targeted attacks designed to hijack iCloud accounts by doing something that causes the user’s device to be inundated with One Time Password requests is apparently making the rounds. The key word is targeted, as at the moment it appears that only specific individuals are being hit with this attack.

The attack goes something like this:

  • The target is flooded with password change requests on their various iDevices. The logic by the threat actors is that if they send enough requests, the target might eventually click yes, either by accident or just to make the prompts stop.
  • If that doesn’t work, the target will get a phone call from “Apple Support” which isn’t really Apple Support. They will spoof the actual Apple Tech Support number to pretend to be Apple Support.
  • “Apple Support” will then use open source intelligence to present the target with information that they are trying to “validate” and then proceed to talk them into accepting a One Time Password request or handing over the One Time Password code. If the target does that, their Apple iCloud account will be taken over.

One person who was targeted by this attack posted his experience on Twitter. I encourage you to click below to read the whole episode:

To be clear: Apple would never behave in this manner. They would never call you, nor would they ever ask you to hand over a One Time Password code. Or put another way, you should never give anyone that code. EVER. Thus every Apple user needs to be on guard for this attack, as today it might be a highly targeted attack, but in the future it could broaden out to anyone, which makes it highly dangerous. In the meantime, I wonder what, if anything, Apple could do about it. They can’t do anything about a spoofed number, but the attack vector has to be something that perhaps they can do something about.

Apple Released Some Updates Last Week Without Telling You What Security Issues They Fix… Why?

Posted in Commentary with tags on March 24, 2024 by itnerd

On Thursday, Apple released a bunch of updates. Specifically:

  • iOS 17.4.1 and iPadOS 17.4.1
  • iOS 16.7.7 and iPadOS 16.7.7
  • visionOS 1.1.1

And if you look at what the update said, you saw this:

Okay. So this has bug fixes and security updates with the word “important” in this description. That’s interesting. I wonder what the security updates are. Let’s look at Apple’s Security Updates Page to find out:

Under those updates, it says “Details coming soon”. Now Apple has done this before, but this isn’t an everyday occurrence. Thus it’s captured a lot of attention. And it’s resulted in a bunch of emails hitting my inbox asking why Apple wouldn’t release the details of what security issues they’ve fixed in this update. In my mind, there are three reasons why that hasn’t happened:

  • You’ll note that there are no watchOS or macOS updates. One possibility is that Apple is waiting for those updates to ship so that whatever security issues these updates fix aren’t then instantly exploited.
  • Another reason is that Apple wants a critical mass of people to install these updates before they release the details, so that the issue isn’t instantly exploited, because it’s that serious.
  • All of the above.

Now in my years of covering tech, I’ve only seen Apple do something like this a handful of times. Thus you need to take this seriously and install the updates for iOS and visionOS ASAP. And then if there are watchOS and macOS updates that ship in the next week, you should install those too. Clearly whatever security issue(s) these updates fix are serious enough for Apple to take this route. And I’ll also point out that it is entirely possible that Apple may go weeks before releasing the information about whatever these updates fix. But that shouldn’t stop you from going ahead and updating all the things. Security these days should be your top priority, so the fact that Apple isn’t speaking to this in public just yet shouldn’t stop you from staying as secure as possible.

UPDATE: It turns out my first thought was the correct one. Apple released macOS 14.4.1 on Monday and the security releases page got updated just after that.

Guest Post: What You Need to Know to Protect Your Identity and Finances This Tax Season

Posted in Commentary with tags on March 23, 2024 by itnerd

By Valimail

Recent tax scams, as highlighted by the IRS and the FBI, continue to pose significant threats to taxpayers, exploiting various schemes to commit fraud and identity theft. The IRS’s “Dirty Dozen” list for 2023 underscores the variety of scams taxpayers and tax professionals should be wary of, not only during the tax season but throughout the year. 

Among these scams, the misuse of the Employee Retention Credit (ERC) has been notably aggressive, with scammers luring ineligible individuals with promises of significant refunds. Other popular cons are “professionals” offering to set up your IRS accounts (to steal your data), lying about fuel tax credits you can get, or fake charities exploiting your kindness to pocket donations. Other scammers try to bait people through phishing emails and texts, pretending you need to simply “update personal info” or something else seemingly non-nefarious. 

As always, it’s smart to keep your personal info safe and be cautious of any surprise emails or calls pretending to be from the IRS or similar tax organizations. One small piece of advice: if you ever get questionable requests, check the IRS and/or FBI website for scam alerts to protect yourself, no matter how convincing the communication sounds.

Sound rather daunting? Help is on the way…

Google and Yahoo’s New Requirements 

The biggest vector for abuse happens when a bad actor can fraudulently use a business’s trusted emailing domain to send legitimate-seeming messages to their employees, partners, or users. Google and Yahoo have set new requirements that began taking effect in February 2024, focusing on enhancing authentication and anti-spam measures for emails, to stop spam, phishing, and fraud. These rules require emailers to secure their domains from fraudulent usage and apply to nearly every business that sends email to Gmail or Yahoo inboxes. 

These rules, once fully in effect, should make it much harder for scammers to leverage trusted domains to defraud users. However, it’s important to note that these changes won’t be fully implemented for this tax season. Google and Yahoo will gradually enforce these rules to give senders ample time to comply. This means that while some improvements in email security might be noticed, the full benefits of these new requirements in curbing tax scams and other phishing attempts will be more fully realized in future tax seasons.

How to Avoid Tax-Related Phishing Attempts THIS Season

Before the upcoming regulations fully take effect, forward-thinking businesses are proactively elevating their security measures, especially during tax season. Valimail is at the forefront of this movement – creating ways to keep brands reliable and customers feeling safe. Here’s how Valimail can assist.

Valimail Align keeps you in step with the changing delivery rules of major providers such as Google and Yahoo, giving you peace of mind about your compliance across various services. With our automation platform, you can effortlessly align SPF and DKIM, ensuring your emails are delivered smoothly without gaps.

Valimail Enforce offers a smarter and more efficient path to DMARC enforcement. Our dedication lies in crafting top-tier automation solutions that ensure ongoing enforcement without the hassle of manual SPF and DKIM setups.

With our market-leading products, you can safeguard your domains and enhance email deliverability. We provide sophisticated sender intelligence, unlimited SPF lookups, and insightful analytics, all bundled into an easy-to-use application suitable for anyone.
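To make concrete what “aligning SPF and DKIM” and “DMARC enforcement” mean in practice, here is an added Python example (not Valimail’s code or anything from the post) that parses a DMARC record and evaluates whether a message’s SPF and DKIM results align with its From domain and what disposition the policy produces. It assumes RFC 7489 tag semantics, approximates the organizational domain as the last two labels instead of consulting the Public Suffix List, and uses constructed sample records and messages.

```python
"""DMARC evaluation: is the record at enforcement, and do the SPF/DKIM
identifiers align with the From domain? Added example, not Valimail's code.
Assumption: the organizational domain is approximated as the last two labels
of a name rather than looked up in the Public Suffix List."""
from dataclasses import dataclass

# RFC 7489 defaults for tags that a record may leave out.
DEFAULTS = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s; ...') into tags."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    return tags


def org_domain(name: str) -> str:
    """Approximate organizational domain (see module docstring)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC 5322 From header the user sees
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # envelope MAIL FROM domain that SPF was checked against
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified DKIM signature


def evaluate(record: str, r: AuthResults) -> dict:
    """Apply a DMARC record to one message's SPF/DKIM results."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    # Subdomain senders fall under sp= when present, otherwise the main p= policy.
    is_subdomain = r.from_domain.lower() != org_domain(r.from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    enforcing = policy in ("quarantine", "reject")
    disposition = "none" if passed or not enforcing else policy
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": passed,
            "policy": policy, "enforcing": enforcing, "disposition": disposition}


# Constructed scenarios: a spoofed From domain where SPF passes only for the
# sender's own bounce domain (nothing aligns with example.com), and a legitimate
# message whose bounce subdomain aligns under relaxed but not strict SPF mode.
SPOOF = AuthResults("example.com", "pass", "bulk-mail.example.net", "none", "")
LEGIT = AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com")
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec in (("monitoring", MONITOR_ONLY), ("enforced", ENFORCED)):
        print(label, "spoof ->", evaluate(rec, SPOOF)["disposition"],
              "| legit ->", evaluate(rec, LEGIT)["disposition"])
```

A p=none record reports but never blocks the spoof, which is the gap the post describes between monitoring and enforcement.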

Truth Social To Merge With Digital World Acquisition Company

Posted in Commentary with tags on March 22, 2024 by itnerd

The Truth Social circus has taken another twist with news that the merger with Digital World Acquisition Company was approved:

Trump Media, which runs the social media platform Truth Social, is poised to become a publicly listed company, after a majority of shareholders of Digital World Acquisition Corp voted on Friday to acquire it.

Mr Trump is due to have a stake of at least 58% in the merged company, worth roughly $3bn at Digital World’s current share prices.

It’s an astonishing potential windfall for Mr Trump in exchange for a business whose own auditor warned last year it was at risk of failure.

Never mind the many red flags associated with the deal, including unresolved lawsuits from former business partners. There’s also an $18m settlement that Digital World agreed to pay last year to resolve fraud charges over how the merger plan came together.

Shares in Digital World rose on Friday ahead of the approval, to more than $45 apiece, before later sliding to below $40.

Now because of the red flags that were mentioned above, this could still become a dumpster fire. But this is a significant hurdle that has been passed for this troubled social media platform. Oh, and in case you were wondering, Donald Trump stands to eventually make billions from this. Though he needs cash right now and this might not help.

I Questioned Freedom Mobile’s Security When It Comes To Preventing A SIM Swap #Scam… Now There’s A Case Of SIM Swapping That Cost A Couple $140K

Posted in Commentary with tags on March 22, 2024 by itnerd

Since my wife and I switched to Freedom Mobile, I’ve wondered about the security in place to stop things like SIM swap scams. I say that because the way that Freedom Mobile has set up their “My Freedom” customer portal doesn’t seem all that secure to me. Which is why a story from Global News caught my attention, as it details the case of a couple who are Freedom Mobile customers and who lost $140K in a SIM swap scam:

Wayne Stork and his wife Diana had not heard of the SIM swap scam until they became victims.

The GTA couple did nothing wrong but they lost about $140,000 anyway.

“It’s a nightmare,” Wayne told Global News in a television interview, his wife Diana at his side.

“We’re doing this, in part, to get the word out,” Diana said.

The Storks are longtime customers of Freedom Mobile. Last September, when the couple were at home, Wayne’s phone suddenly stopped working.

“My phone went into SOS mode, it was deactivated,” he said.

From that point, Wayne had no use of the phone, but someone else had access to the personal information attached to it.

“He (Wayne) was watching his accounts drain of money, that’s when the panic set in,” Diana said.

Over the next 24 hours, scammers had gained access to Wayne’s stock trading account and other accounts, including a cryptocurrency one that contained the proceeds from an inheritance.

“The Bitcoin was worth $140,000, and we lost that,” Diana said.

When the couple called Freedom Mobile’s customer service line, they say a representative said records showed someone had obtained a new SIM card in a retail location in Toronto, apparently claiming to be Stork.

Stork says the phone representative asked “weren’t you in the store yesterday to get a new SIM card?” to which Stork said no, it wasn’t him.

So you’re likely wondering how a SIM swap scam ends up in someone losing a lot of cash. Well, people often use their cell phones, specifically text messaging, to receive multi factor authentication codes for the financial institutions or online services that they use. So if a threat actor can get their hands on your cell phone number and some other information like passwords and the like, they can drain you of all your cash.

Now while this incident didn’t involve the “My Freedom” customer portal, it does suggest that Freedom Mobile has weaknesses in terms of preventing this sort of scam from happening. After all, it should not be possible, or at least it should be very difficult, to walk into a retail location and execute this scam in 2024. In fact, I pinged my “off the record” contacts at Rogers, TELUS, and Bell. While they don’t rule out the possibility of this happening with them, and they don’t know the specifics of how this incident was executed, all of them say that this would be far more difficult to execute with them because of the security measures that they have in place. Or put another way, they’re throwing shade on whatever security measures Freedom Mobile does or, more importantly, doesn’t have, because they assume that they can do better. I’m not sure that I would make that assumption. But that’s just me. And what makes this worse is that now that this story is out there, other threat actors will specifically target Freedom Mobile because the perception will be that they are an easier target in terms of executing this scam. That’s bad for Freedom Mobile, and its customers.

Now if you’re worried about being a victim of SIM swapping, the Global News article as well as the link to what a SIM swap is has some actionable information. But the one thing that you could really do to protect yourself is use app based multi factor authentication rather than text message based multi factor authentication wherever possible. The moment you do that you become safer, as an app based code is not tied to the SIM card in your phone. That does require financial institutions and online services to move in that direction. So you may be stuck with text message based multi factor for a while. Which means it’s up to carriers like Freedom Mobile to up their game to protect their customers. Let’s see if Freedom Mobile does that now that this incident is out in the public domain.

HYAS Publishes New Data On Malware Communications And The Top Malware Families

Posted in Commentary with tags on March 21, 2024 by itnerd

HYAS has published new data on malware communications and the top malware families currently in use. 

The report lists the Top Five Malware Destinations (i.e., geographic locations and destinations for malware communication from their detonations) during the week of March 10-16, 2024. The data is derived from the HYAS Insight platform, which identifies, tracks, and attributes fraud and attacks rapidly and accurately, pinpointing the origin and current infrastructure employed. A South Korean service provider’s infrastructure was the top destination point of the week.

Of the Top Five Malware Families for the week of March 10-16, 2024, the top was Urelas, a trojan malware that allows hackers to remotely control an infected system. This family of malware often propagates through malicious email attachments and drive-by downloads. It is known to avoid detection by disguising its malicious activities as legitimate system processes. This data is derived from HYAS Protect, a protective DNS solution that combines authoritative knowledge of attacker infrastructure and domain-based intelligence to proactively enforce security and block the command and control (C2) communication used by malware, ransomware, phishing, and other forms of cyber-attacks.