Posted in Commentary with tags DoD on March 19, 2024 by itnerd
The Department of Defense Cyber Crime Center (DC3) announced that it processed its 50,000th vulnerability since introducing its crowd-sourced ethical hacking vulnerability disclosure program:
Unlike short-duration bug bounties, VDP’s crowd-sourced ethical hackers report vulnerabilities continuously as part of a defense-in-depth approach. Through its function as the focal point for receiving vulnerability reports, DC3 VDP continues to contribute significantly to DoD’s overall security.
Olivier Beg, Co-Founder and Chief Hacking Officer at Hadrian had this to say:
“The DoD reaching 50,000 processed vulnerabilities through its Vulnerability Disclosure Program is a major milestone! As a security researcher who has submitted to the VDP, I’ve seen firsthand the program’s dedication to continuous improvement. The expansion of scope and focus on automation make it an attractive option for researchers to contribute to national security.
I’m excited about the DoD VDP’s future. With continued emphasis on researcher recognition, transparency around remediation efforts, and greater accessibility for the security community, this program has the potential to become a true benchmark for cybersecurity collaboration.”
Bug bounty programs are great for surfacing all sorts of issues. This is an initiative that I applaud and I hope to see more of going forward.
Appdome today unveiled its new Social Engineering Prevention service on the Appdome Platform. The new service enables mobile brands to continuously detect, block and intervene the moment social engineering attacks attempt to exploit user trust or manipulate user behavior. The new service includes several new real-time defenses against voice phishing (vishing), remote desktop control, FaceID bypass, fake applications, and SIM swapping, all of which protect user safety, brand reputation, business continuity, and revenue generation.
Social engineering attacks exploit brand trust by using impersonation and psychological manipulation to cause mobile users to divulge sensitive information, such as passwords, OTP keys, and more, perform actions in a mobile app on behalf of the attacker, or install new apps that give the attacker control over the user’s mobile device. Such mobile app attacks can have far-reaching consequences for consumers, including account takeover, financial loss, identity theft, confusion, and fear. Traditionally social engineering attacks were only discovered after an attack was successful, leaving mobile brands and users with months of financial, reputational, and emotional harm. Now, brands have the power of the first real-time solution to detect and intervene in social engineering attacks the moment they happen, disrupting the multi-billion-dollar social engineering fraud ecosystem.
Appdome’s Social Engineering Prevention empowers mobile brands to break the cycle of live attacks by detecting and defending in real time the top methods social engineering attackers use to injure brands and users:
Voice Phishing (Vishing) Fraud: Uses behavioral analysis to detect when mobile end users’ activity in a mobile app coincides with a potentially malicious phone call, via attacks such as FakeCalls.
Remote Desktop Control: Detects third-party applications, such as TeamViewer, used in social engineering attacks to remotely control mobile devices and applications.
Biometric (FaceID) Bypass: Detects when an attacker attempts to spoof, fake or bypass biometric (facial) recognition in Android and iOS mobile apps, such as in GoldPickaxe.
SIM Swapping: Detects when an attacker uses the mobile application with a replacement SIM card that the attacker controls.
Admin-SU Profiles: Detects if the device has an MDM, admin-SU, or similar profile installed on the device, which could spy or control the user’s application.
Trojan Apps: Prevents trojan apps embedded with malware such as FjordPhantom, which are used to spy on end users and gather data for social engineering attacks.
The new Social Engineering Prevention features can be deployed stand-alone or combined with any or all of Appdome’s 300+ other mobile app security, anti-fraud, anti-malware, geolocation compliance and other defenses. Together, Appdome makes it easy for mobile brands to unify mobile app defenses vs. the cost and complexity of cobbling together several disparate technologies to attempt to achieve a workable defense.
Like all of Appdome’s mobile app defenses, the new social engineering prevention features are available in several enforcement modes – in-app defense, in-app detection, and using Appdome’s Threat-Events™ in-app control framework. Threat-Events allows mobile brands to gather data on each attack, control the user experience and create beautiful on-brand mobile experiences when attacks happen. Mobile brands can use Threat-Events to leverage the power of their brand voice to break the cycle of a social engineering attack by restricting transactions, triggering SMS check-ins or educating users with in-app popups when threats are present. Mobile brands can track and monitor social engineering attacks via Appdome’s ThreatScope™ Mobile XDR, either before or after the deployment of social engineering prevention features.
Posted in Commentary with tags Scam on March 19, 2024 by itnerd
Yesterday was a typical Monday for me, which meant that I was busy, as Mondays and Fridays are my busy days. I had just come back to my home office after seeing a number of clients and found a voice mail with an urgent request for a call back from one of my clients. I could hear the panic in her voice so I called her back. And what unfolded next was someone who was clearly freaked out by a run-in with a pop-up scammer.
Before I get into the weeds of the story, let me quickly explain what a pop up scam is. Pop ups are generated by websites to offer users additional information or guidance (such as how to fill in a form, how to apply a discount code, etc.). So a pop up is typically not harmful. However, scammers have leveraged pop ups to allow them to perpetrate their scams in a variety of ways. Scammers use pop-up scams to make money by preying on concerned users who want to ensure their computer is secure and extorting money from you to fix problems and resolve threats that do not exist. Or they want to get into your computer to collect information to steal your identity or steal your money, or both. In the worst case, these pop-ups can install malware onto your computer which can cause all sorts of damage and issues.
Back to the story. My client saw this pop up on her computer:
She tried to get rid of this screen, but couldn’t do so. More on that later. She then panicked and called the number on the screen. The scammer who claimed he was a “Level 5 Microsoft Technician” (Fun fact: Microsoft doesn’t have “Level 5 technicians”) then proceeded to execute the scam. He got access to her computer and then blanked her screen so that he could install ConnectWise Screen Connect which would give him access to her computer anytime he wanted to. The reason that the scammer blanked her screen is that he didn’t want her to see what he was up to as that would have made her suspicious. He then ran a variety of commands to convince her that her computer had been “hacked”. For example the scammer ran the “Tree” command inside a command window followed by the “netstat” command to accomplish that. After that he tried to convince her to open her online banking. That’s when she got suspicious and not only ended the call, but she also disconnected her Internet entirely. Then she called me.
Now let me stop here and say something. Scammers rely on putting pressure on you so that you suspend your critical thinking which allows them to do what they want. But my client did not suspend her critical thinking and was able to stop this scam from going further. Or put another way, her “Spidey Sense” went off and she paid attention to it. That’s good because if something doesn’t seem right, it usually isn’t. And you should run from that situation as quickly as possible. Thus I really applaud this client for listening to her gut and taking action to stop the scam before it went too far.
When I arrived on site, I had a look at her computer. The first thing that I dealt with was the installation of ConnectWise Screen Connect. The scammer had installed it as a service, meaning that it not only would activate every time the computer was on, but the owner of the computer would have difficulty finding it and removing it. But because this wasn’t my first rodeo in terms of dealing with scammers, I found it and killed it quickly. I then examined her computer to see what the threat actors did, and it seemed that they were early in executing the scam. So that meant that they likely didn’t have time to do much of anything. I also found the pop up that she encountered and I noted that the pop up made itself take up the entire screen. That made it difficult to close. However, the pop up was designed to have a close button that was small and not easily noticed so that the scammer could “fix” the threat that the pop up allegedly created. Other than that, I could find no other problems with the computer. Thus I had her turn on the Internet.
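For readers who want to check their own Windows machine for a remote-control tool that has been installed as a service, here is an added example (it is not the procedure the author used and not anything from ConnectWise). It lists every service whose display name or executable path matches a short list of common remote-access products; that list, and the function name, are assumptions chosen for illustration, so add the tools you know you do not use and remove the ones you legitimately run.

```powershell
# Added example: enumerate Windows services that look like remote-access tools.
# The pattern list is an assumption for illustration; adjust it to your environment.
$remoteAccessPatterns = @('ScreenConnect', 'ConnectWise', 'TeamViewer', 'AnyDesk')

function Find-RemoteAccessServices {
    param([string[]]$Patterns = $remoteAccessPatterns)

    # Win32_Service exposes the binary path (PathName) and start mode, which
    # tells you whether the tool will come back on every boot.
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $svc = $_   # save the service; the inner Where-Object rebinds $_
        ($Patterns | Where-Object {
            $svc.DisplayName -match $_ -or $svc.PathName -match $_
        }).Count -gt 0
    } | Select-Object Name, DisplayName, State, StartMode, PathName
}

$found = Find-RemoteAccessServices
if ($found) {
    $found | Format-Table -AutoSize
    # Once you have confirmed a match is not a tool you installed yourself, stop it
    # (Stop-Service -Name <Name> -Force, from an elevated prompt) and remove it with
    # the vendor uninstaller or 'sc.exe delete <Name>'.
} else {
    Write-Output 'No services matching the remote-access patterns were found.'
}
```

Run it from an elevated PowerShell prompt so that every service's PathName is readable. The StartMode column is the one to watch: a remote-access service set to Auto will reconnect every time the computer starts, which is exactly the persistence the scammer in this story was after.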
That’s the good news. Here’s the bad news. On the computer she had a Microsoft Word document with all her passwords on there. Thus I advised her to change all those passwords immediately as I could not guarantee that the scammers didn’t steal this document. The second thing that I advised her to do is to get credit monitoring because the same document had her social insurance number in it. Meaning that there was the possibility of identity theft. Finally, I advised her to watch the computer for any unusual activity.
Now let me dissect some key points of the scam so that you don’t fall victim to something like this:
If you encounter a pop up like this, it’s guaranteed to be a scam. Your antivirus software will never require you to call a phone number to resolve an issue. Anything that the antivirus software encounters is usually resolved by the software itself.
The pop up can usually be closed without too much of a problem. However, if the pop up will not go away by closing it, try restarting the computer. If that doesn’t work, turn off the computer and contact a computer professional for assistance.
Microsoft does not provide support for end users and they never have. Any and all support for Windows is provided by whomever you bought the computer from. As in Dell, or HP, or Lenovo for example.
Finally, I handed the phone number from the picture above to the scam baiter community so that they can have “fun” with these scammers. By that I mean that they will get more intel on them and do things to disrupt their scams. Because I know from experience that getting law enforcement in these situations is difficult at best. But scam baiters can do a lot of damage to these scumbags and expose their activities. Thus that is the best that I can do to make these scumbags pay for what they did to this woman as they really freaked her out. And that’s not cool with me.
Hopefully this story was informative and gives you some insight. If you have any questions, please reach out by leaving a comment below.
The thing about cyberattacks is that if the threat actors get paid via say ransomware or outright theft, they need to launder the money somehow so that they can spend it. Otherwise it would have been pointless to “acquire” the cash. Well a new report from The Record shows what the Lazarus Group based out of North Korea will do to launder money:
North Korea’s Lazarus hacking group allegedly has turned back to an old service in order to launder $23 million stolen during an attack in November.
Investigators at blockchain research company Elliptic said on Friday that in the last day they had seen the funds — part of the $112.5 million stolen from the HTX cryptocurrency exchange in November — laundered through the Tornado Cash mixing service.
“Lazarus Group now appear to have returned to using Tornado Cash as a way to launder funds at scale and obfuscate their transaction trail,” Elliptic said, noting that the hackers sent the more than $23 million in about 60 transactions.
“This change in behavior and return to the use of Tornado Cash likely reflects the limited number of large-scale mixers now operating, thanks to law enforcement takedowns of services such as Sinbad.io and Blender.io,” the company said.
The researchers noted that Tornado Cash has been able to continue operating despite the sanctions because it runs on decentralized blockchains, meaning it “cannot be seized and shut down in the same way that centralized mixers such as Sinbad.io have been.”
Ken Westin, Field CISO, Panther Labs had this comment:
The Lazarus threat group from North Korea has been primarily targeting the crypto currency, financial services and cybersecurity industries. Their techniques focus primarily on developers through social engineering attacks to gain access to code repositories, devops and cloud infrastructure with the goal of gaining access to crypto wallets and accounts, as well as access to code and secrets. These attacks have proven to be quite lucrative, and stealing cryptocurrency has provided the North Korean regime a method to evade financial sanctions and further fund their military endeavors. This should be a bigger cause for concern for the US government and its allies given the collaboration North Korea has with helping the Russian military, where it recently shipped 7K containers of munitions and other military supplies. Although the US has been cracking down on crypto currency mixing services, which are commonly used to launder money through crypto exchanges, North Korea has still been able to take advantage of the rising value of crypto currencies and continue to use these services to convert stolen crypto currency to fund their military operations.
This illustrates how hard it is to shut down avenues for groups like this one to launder money. That means that nations really have to redouble their efforts to make it harder and harder for groups to launder money. That way it makes it less profitable for these groups.
VPN Mentor’s research team has conducted an analysis of user demand data in Texas after the well known adult site Pornhub blocked access to its users in Texas following a new age verification law that came into force on March 14th. In just one day, VPN Mentor witnessed a surge of 234.8% in VPN demand in Texas.
ServiceNow today announced it has signed an agreement to acquire 4Industry, a Netherlands‑based partner whose manufacturing technology application is built on the Now Platform, and has completed the acquisition of Smart Daily Management, a connected digital worker application from EY. Together, the deals augment ServiceNow’s existing operational technology (OT) management capabilities, adding Connected Worker solutions and enhancing expertise across key industrial markets such as manufacturing, energy and transport & logistics.
4Industry, founded in 2018, brings a mobile‑enabled application that makes shop floor work more intuitive, efficient, and enjoyable through a suite of digital tools. Smart Daily Management from EY, which creates more efficiency around time‑consuming tasks, will enable ServiceNow’s industrial customers to drive operational excellence. The technology and industry expertise from 4Industry and the Smart Daily Management application will be utilized to build a new Connected Worker solution on the ServiceNow platform, expected in 2025.
This example of continued investment in European tech and talent will significantly enhance ServiceNow’s long‑term roadmap for its global customers, delivering continuity across IT, OT, and factory floor workers. ServiceNow will continue to maintain a strong alliance with EY and partnership with Plat4mation, an affiliated services company of 4Industry. It will work jointly with these companies, as innovation and implementation alliance partners for both existing OT solutions as well as future Connected Worker solutions.
4Industry and Smart Daily Management from EY follow acquisitions of UltimateSuite, G2K, Atrinet’s NetACE technology and Element AI as part of ServiceNow’s ongoing commitment to bringing impactful automation to customers. ServiceNow closed the acquisition of Smart Daily Management in early March and expects to close the acquisition of 4Industry in the coming weeks. Financial terms of the deals will not be disclosed.
Posted in Commentary with tags Apple on March 17, 2024 by itnerd
If you use a Mac, chances are that you have a copy of GarageBand on it. Whether you use it or not isn’t the point. But if you have it, and you’re running macOS Ventura or Sonoma, you should make sure that it is updated to 10.4.11 ASAP. Why? It fixes a security issue according to this:
The quickest way to confirm that you have 10.4.11 is to go to the App Store and click on Update to see if it’s been updated. If not, search for GarageBand, and click on Update.
Posted in Commentary with tags Hacked on March 16, 2024 by itnerd
Wednesday, France Travail disclosed (Translation here) that hackers stole personal data belonging to 43 million job seekers who had registered with the French governmental unemployment agency. France Travail is the government agency in France tasked with registering unemployed citizens, offering financial assistance, and aiding them in securing employment opportunities.
The cyberattack occurred between February 6th and March 5th and includes data spanning 20 years.
The data that has been exposed from this attack includes:
Full name
Date of birth
Place of birth
Social security number
France Travail identifier
Email address
Postal address
Phone number
This is the second data breach France Travail has suffered. Last August approximately 10 million individuals (Translation here) were impacted by an attack indirectly attributed to the Clop ransomware group who exploited a zero-day vulnerability in the MOVEit Transfer software tool.
The cyberattack on the agency sets a new record for France, impacting the largest number of individuals and surpassing the more than 33 million people (Translation here) impacted by the Viamedis and Almerys breach in February.
“The good news here is that while the disclosed information includes sensitive personal identifiers, it does not extend to passwords or banking information, limiting the scope of immediate financial fraud, however the potential for identity theft or other forms of cybercrime remains. Also, the response from France Travail aligns with best practices in handling data breaches, in compliance with the General Data Protection Regulation (GDPR).
“This incident underscores the critical need for organizations to implement robust cybersecurity measures at the edge, especially when it comes to mobile devices, which are increasingly used in attacks. Comprehensive security audits, regular vulnerability assessments, and real-time analytics are critical for security awareness. Lastly, it highlights the importance of having an incident response plan that can be quickly activated to mitigate the impact of data breaches.”
The fact that this organization has been pwned twice isn’t good. They really have some work to do to make sure that they don’t get pwned a third time.
Posted in Commentary with tags Centro on March 15, 2024 by itnerd
Certero, a leader in IT asset management, software asset management, SaaS optimization, and cloud FinOps solutions, announced a new Partner Program to support channel partners. This initiative is designed to help partners and their customers manage technology costs effectively, especially in a changing market and economic climate. The program aims to transform technology asset management and reduce overspending.
The program offers a straightforward structure with incentives, intending to generate new revenue opportunities for channel partners. Josh Shields, with nearly 20 years of experience in channel operations, has been appointed as the new Director of Strategic & Channel Partnerships to oversee this initiative.
Recent Certero Highlights:
Increased solution-scope to tackle Shadow IT, SaaS optimization
Revitalized ‘ITAM’ for modern IT infrastructure
Significant investment in Cloud FinOps technology
Technology-Led Services introduces live data into ITAM / SAM Services
An Oracle Gold Partner, Certero earns additional Oracle Third-Party Tool Vendor Verification for Java, on top of Database & Fusion Middleware.
Consistently Gartner Peer Insights’ highest-rated major SAM vendor across every pre-sales, implementation, solution and on-going support category.
The Partner Program includes three levels of partnership: Connect, for transactional relationships; Advance, for strategic collaborations without a services capability; and Elite, for partners with their own service delivery capabilities. This structure offers flexibility and support for partners at different engagement levels.
Certero is committed to a collaborative, customer-led, and partner-focused approach, promising a supportive onboarding process, expert-led training, and a partnership aimed at long-term success. The program is open to new partners looking to deliver value to customers through Certero’s advanced technology solutions.
GuidePoint Security Details RaaS Recruitment Efforts Following Law Enforcement Disruption Of Other RaaS Groups
Posted in Commentary with tags GuidePoint on March 20, 2024 by itnerd
GuidePoint Security has revealed that it has discovered three RaaS groups attempting to recruit new members through advertisements on illicit forums on the dark web following Alphv and LockBit law enforcement disruptions, identifying Cloak on UFO Labs and Medusa and RansomHub on the Russian-language RAMP forum for posting ads.
Each ad had a boilerplate with a short group description, ransom split rates, and contact for TOX. Cloak’s ad was the least remarkable, with few unique features that entice a potential affiliate with options. Medusa was particularly appealing with a sliding payout scale and affiliate/core split dependent on the size of the ransom payment obtained, incentivizing the appearance of high ransom demands. RansomHub was less materialistic, implicitly addressing the crisis of confidence in RaaS groups by declaring that its affiliates could collect ransom payments directly before paying the core group a 10% fee.
GuidePoint Security’s analysis observations include signs of distrust and discontent among RaaS groups and affiliates, indicating that the model is increasingly scrutinized.
You can read the report here.