Small Businesses Often Hit by Common Cloud Vulnerabilities and Threats

Posted in Commentary with tags on March 12, 2024 by itnerd

Small businesses are turning to the cloud in order to increase efficiency and operational capacity. Along with these benefits comes increased security risks, cloud vulnerabilities and threats to small businesses.

Here are some thoughts from Mike Walters, President and co-founder of Action1, who works directly with small businesses on vulnerabilities. Mike is the President and co-founder of Action1 Corporation, which provides risk-based patch management software. Mike has more than 20 years of experience in cybersecurity. Prior to Action1, Mike co-founded Netwrix, which was acquired by TA Associates.

  • What are common cloud vulnerabilities and threats for SMBs in 2024? In 2024, common cloud vulnerabilities and threats for small and medium-sized businesses (SMBs) are expected to include unauthorized access to sensitive data due to misconfigurations, weak passwords, exploitation of software vulnerabilities, or phishing attacks. Insecure APIs can also be a problem, exposing cloud services and data to unauthorized users or malicious actors. Malicious or negligent employees can cause data leaks of confidential information. And, of course, misconfigured cloud resources can lead to unintended access or data exposure. Supply chain attacks can also be very dangerous, as cloud infrastructure and MSP services can be an entry point to the SMB’s critical infrastructure and confidential information. Last but not least, non-compliance with data privacy and security regulations can result in fines and reputational damage, as SMBs are primarily focused on the bottom line and ignoring compliance can limit the pace of revenue generation.
  • What steps should SMBs take to safeguard their cloud operations? To secure their cloud operations, SMBs should implement strong access controls – use multi-factor authentication (MFA), least privilege access, and role-based access control (RBAC). Plus, they should review and update access privileges regularly. To secure APIs, SMBs need to implement API gateways, use encryption, and enforce authentication and authorization for API access. It includes regularly auditing API usage and monitoring for anomalies. SMBs need to regularly scan for misconfigured resources and automate remediation where possible. The same goes for vulnerabilities; patching must be automated. Regular security awareness training for employees focusing on cloud security best practices, phishing, and data protection is also very important. Finally, don’t forget about compliance: conducting regular audits and assessments to ensure compliance with relevant regulations such as GDPR, HIPAA, or PCI DSS, and so on, is essential to ensure cybersecurity.

Leave a comment »

Newly-Found Google Gemini Vulnerablities Give Attackers Control Over Users’ Queries & Content

Posted in Commentary with tags on March 12, 2024 by itnerd

Gemini is Google’s newest family of Large Language Models (LLMs). The Gemini suite currently houses 3 different model sizes: Nano, Pro, and Ultra.

Although Gemini has been removed from service due to politically biased content, new findings from HiddenLayer – unrelated to that issue – analyze how an attacker can directly manipulate another users’ queries and output, which represents an entirely new threat. These vulnerabilities were disclosed to DeepMind per responsible disclosure practices.

While testing the 3 LLMs in the Google Gemini family of models, HiddenLayer found multiple prompt hacking vulnerabilities, including the ability to output misinformation about elections, multiple avenues that enabled system prompt leakage, and the ability to inject a model indirectly with a delayed payload via Google Drive. These vulnerabilities enable attackers to conduct activities that allow for misuse and manipulation. In new research released from HiddenLayer today, “New Google Gemini Content Manipulation Vulns Found – Attackers Can Gain Control of Users’ Queries and LLM Data Output – Enabling Profound Misuse,” HiddenLayer deep dives into these vulnerabilities, including a proof-of-concept of an Indirect Injection.

Who should be aware of the Google Gemini vulnerabilities:

  • General Public: Misinformation generated by Gemini and other LLMs can be used to mislead people and governments.
  • Developers using the Gemini API: System prompts can be leaked, revealing the inner workings of a program using the LLM and potentially enabling more targeted attacks.
  • Users of Gemini Advanced: Indirect injections via the Google Workspace suite could potentially harm users. The attacks outlined in this research currently affect consumers using Gemini Advanced with the Google Workspace due to the risk of indirect injection, companies using the Gemini API due to data leakage attacks, allowing a user to access sensitive data/system prompts, and governments due to the risk of misinformation spreading about various geopolitical events.

Gemini Advanced currently has over 100M users, and so the ramifications of these vulnerabilities are widespread. With the accelerating adoption of LLM AI, companies must be aware of implementation risks and abuse methods that Gen AI and Large Language Models offer in order to strengthen their policies and defences.

Here is a link to the report :https://hiddenlayer.com/research/new-google-gemini-content-manipulation-vulns-found/

Leave a comment »

HYAS Partner Program Addition Gives MSPs and MSSPs True Cybersecurity Service Differentiation Without Risk

Posted in Commentary with tags on March 12, 2024 by itnerd

HYAS Infosec, the adversary infrastructure platform provider that offers unparalleled visibility, protection, and security against all kinds of malware and attacks, today announced the latest benefit of the HYAS ONPOINT Program, which lets MSPs, MSSPs and other channel partners offer HYAS Protect, cybersecurity sector’s top protective DNS solution, to their clients and leverage HYAS Insight proactive threat intelligence platform – all with unprecedented discounts and without financial risks.

HYAS is dedicated to its partners and the latest program benefit eliminates the fees, barriers, and ongoing commitments that other cybersecurity vendors often demand from their channel partners. Partners joining the HYAS ONPOINT Partner Program and offering HYAS Protect protective DNS as part of their managed service will receive a complimentary 12-month minimum subscription to the HYAS Insight threat intelligence and investigation platform to use in their security stack.

This offer brings immediate value to the internal SOC, incident response and threat analysis teams, and gives sales teams a highly differentiated solution to offer to clients and prospects. Partners will be able to protect clients more effectively and bring complex threat analysis to a close faster and more efficiently. The HYAS ONPOINT Partner Program provides an important new cybersecurity service entry point and revenue expansion opportunity that lets MSSPs and MSPs:

  • Provide exceptional proactive threat and adversary intelligence to identify and stop advanced cyberthreats, across services including managed security, DFIR, MDR, MSOC & others
  • Elevate service offerings, free from financial constraints
  • Add a sticky new revenue stream to service offerings
  • Increase client retention
  • Expand service differentiation without fees, catches, or up-front minimum revenue commitments of any kind.

The HYAS Solution

HYAS is the cybersecurity vendor that offers the unique combination of cybersecurity products that are a benefit to both managed services teams and threat intel teams:

HYAS Insight: This advanced threat intelligence and investigation platform gives organizations the ability to identify, track, and attribute fraud and attacks faster and more efficiently. HYAS Insight provides threat and fraud response teams with unprecedented visibility into everything a defender needs to know about an attack: the origin, current infrastructure being used, alerts when new relevant infrastructure is created, and any infrastructure likely to be used by an adversary in the future.

By analyzing data aggregated from leading private and commercial sources around the world, HYAS identifies suspicious infrastructure likely to be used in attacks — sometimes months before it is even activated. Top Fortune 500 companies rely on HYAS’ exclusive data sources and nontraditional collection mechanism to power their security and fraud investigations.

HYAS Protect: Built on the underpinning technology of HYAS Insight threat intelligence, HYAS Protect is a protective DNS solution that combines authoritative knowledge of attacker infrastructure and unrivaled domain-based intelligence to proactively enforce security and block the command and control (C2) communication used by malware, ransomware, phishing, and other forms of cyber-attacks.

Even if an attack has bypassed a network’s perimeter defenses – regardless of how the breach occurred – it still must “beacon out” for instructions, including lateral motion, privilege escalation, data exfiltration, and even encryption. And the need to beacon out to malicious infrastructure, commonly called command-and-control (C2), must be established prior to launching the attack.

HYAS detects and blocks these beaconing requests of nefarious C2 communication, letting users cut off these attacks before they cause harm, whether in an IT or OT environment. If an organization can be alerted to this adversary infrastructure, they can stop an attack before damage can be done and ensure true business resiliency.

Leave a comment »

Uber Launches New Rider Emissions Tracker

Posted in Commentary with tags on March 11, 2024 by itnerd

Starting today, Uber is introducing the Emission Savings feature in the Uber app, so riders around the world can track and learn more about their carbon emissions impact. 

Uber believes that knowledge is power. Just like they popularized rider ratings in an effort to promote respectful behaviour during Uber rides, Uber is excited to launch this new feature to both celebrate your impact and encourage greener choices when using Uber.

With the Emission Savings feature, you can: 

  • Tap a button, see your impact: In the Account section of the Uber app, tap “Estimated CO2saved” to see all of the emissions you’ve saved by taking Uber Green and Uber Comfort Electric.
  • Make sense of your savings: Riders tell Uber it would be helpful to see examples of how their emission savings add up. So, they’ve included a graphic that shows what your CO2 emission savings are comparable to. 
  • See how your emissions are calculated: The emission savings for an Uber Green or Uber Comfort Electric trip represents the estimated amount of CO2 emissions avoided, on average, when a rider takes Uber Green instead of an UberX or when a rider takes Uber Comfort Electric instead of an Uber Comfort trip of the same distance. See here to read more on the methodology. 
  • Get teens going green: Among Gen Alpha and Gen Z, Uber knows that the environment is their top cause. That’s why they’re also making the Emission Savings feature available for Uber teen account holders. And starting today in select cities throughout the US & Canada, they’re launching Uber Green and Uber Comfort Electric for teen riders, providing them with a way to be part of the climate solution when they ride. 
  • See a greener future: In the future, Uber plans to include even more products in your emission savings calculation including all-electric autonomous rides, trips with UberX Share, and rides on e-bikes and e-scooters booked in the Uber app.

Uber is committed to become a zero-emissions mobility platform and today is an important step in their journey to help inform riders about the estimated emissions they’ve saved and the positive impact they’re making in their communities.

Leave a comment »

Customers’ Data Exposed in Children Recreational Center Operator’s Data Breach

Posted in Commentary with tags on March 11, 2024 by itnerd

Over 2.3 million records belonging to Kids Empire, a US based operator of indoor recreational centers for kids, were exposed according to cybersecurity researcher Jeremiah Fowler, putting their customers at risk of many online threats. 

The key findings are the following: 

  • 2,363,222 documents with a total size of 92.3 GB. 
  • Records included reservations, injury waivers, and receipts with partial credit card numbers. 
  • Many documents revealing personally identifiable information (PII) such as names, physical and email addresses, phone numbers and more. 

If you want to know more about Jeremiah’s findings, you will find all the details here: https://www.vpnmentor.com/news/report-kidsempire-breach/

Leave a comment »

The CISA Was Pwned By Hackers… That’s Not A Good Look

Posted in Commentary with tags , on March 11, 2024 by itnerd

The CISA or The Cybersecurity and Infrastructure Security Agency is a government agency responsible for making sure that the US is prepared to defend itself against cyber threats. And I’ve posted lots of stuff about the actions that they’ve take to protect the US over the years. So when a story from The Record crossed my desk, I said to myself “that’s not a good look for them”:

Hackers breached the systems of the Cybersecurity and Infrastructure Security Agency (CISA) in February through vulnerabilities in Ivanti products, officials said.

A CISA spokesperson confirmed to Recorded Future News that the agency “identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses” about a month ago.

“The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience.”

CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline. Ivanti makes software that organizations use to manage IT, including security and system access.

In short, the CISA got pwned using exploits related to Ivanti products. Now it’s not know if it was the same Ivanti products that the CISA told government agencies to disconnect back in February. But this is absolutely not a good look because when the guys who are supposed to issue guidance and direction about not getting pwned by hackers are actually pwned by hackers, we’re all in deep trouble. And the fact that the hack was limited to a couple of systems doesn’t really matter. What matters is that it happened, and questions need to be asked as to how to ensure that it doesn’t happen again.

Leave a comment »

Novel PowerShell Backdoor Discovered By GuidePoint Security

Posted in Commentary with tags on March 10, 2024 by itnerd

GuidePoint Security has revealed its first encounter with BianLian’s PowerShell backdoor – the first encounter in 2024 to be reported publicly thus far.

GuidePoint Security’s Research and Intelligence Team (GRIT) discovered malicious activity while responding to an incident that began with the exploitation of TeamCity vulnerabilities for initial access, resulting in deploying a novel implementation of a PowerShell backdoor.

Through their analysis, GuidePoint Security ultimately identified the threat actor group behind the attack and provided highly confident attribution to the BianLian ransomware group.

In this technical blog, Drew Schmitt, Practice Lead, GRIT, breaks down BianLian’s use of a novel PowerShell backdoor following the exploitation of TeamCity vulnerabilities.

The research deep dives into BianLian’s exploitation of TeamCity vulnerabilities and post-exploitation behaviors, BianLian’s PowerShell implementation of their GO backdoor, and attribution of the PowerShell backdoor to BianLian.

You can read the details in their new blog, now live at https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/.

Leave a comment »

A Disney+ Email #Scam Is Making The Rounds

Posted in Commentary with tags on March 9, 2024 by itnerd

I’ve come across a Disney+ Email scam that you should be aware of that is pretty interesting as this is the first Disney+ scam email that I have come across.

Let’s start the email that you get:

This email by scam standards is pretty good. But I will note the following. For starters, it never mentions you by name. That’s because this email is emailed out to thousands of people hoping that someone will take the bait. Then there’s where this email is sent from:

That’s not a Disney+ email. And as far as I know, they have chat and phone resources for account and billing issues. So that’s a #Fail. Next is this:

That link clearly doesn’t go to a website that is controlled by Disney+. Thus this is clearly a scam and you should delete this email immediately if you get it. But since I work to expose these scams, I’m not going to do that. But to be clear, don’t be me as I am a trained professional.

Clicking that link takes you here:

First you go to a CAPTCHA. But it’s a demo likely “borrowed” from the company. It even says so in the top left. And that’s where you’ll also notice that these losers are using a WordPress site to pull this off. The “W” next to the words “Captcha Demo” are the big giveaway. Once you get past that, you go here:

This is a fake Disney+ login page. I typed a fake email address and password in and I got past this. That could mean that they are trying to capture credentials, or this is just a gateway to their ultimate goal. Either is possible. Next up is this:

They’re clearly trying to steal your credit card details. And they have logic built into this website to make sure that the card number is valid. Thus at the very least, these threat actors are trying to steal your credit card info. At worst, they’re also trying to snatch your login details to Disney+. It would be a shame for these threat actors if I sent this information to Disney+.

Oh wait. I did before posting this.

In any case, this email illustrates why you need to be careful and closely look at anything that hits your inbox as anything could be a scam email that could catch you out.

Leave a comment »

Guest Post: Election Officials, Poll Workers and Other Public Servants Face A Threatening Weapon: Their Own Private Info

Posted in Commentary with tags on March 9, 2024 by itnerd

Here’s what election staffers can do right now to block potential attackers from uncovering who they are

Byline: Dimitri Shelest, CEO and founder, Onerep

Jan. 6, 2021 is a day mother-and-daughter Georgia poll workers Ruby Freeman and Wandrea Moss will never live down. 

As a mob was attempting to disrupt Congress’s official declaration of Joe Biden as the winner of the 2020 presidential election, about 640 miles away, Freeman and Moss’s home was being stormed by an equally-incensed, if somewhat smaller, crowd. 

Freeman and Moss had already been through a month of harassment and menacing calls after a video falsely claiming the poll workers purposely mishandled ballots on Election Day began to be heavily circulated across the web.

The Capitol’s location is public and well known. But the Freemans’ Atlanta-area home should have been comparatively anonymous. Of course, finding even the most private, least-known individual’s’ personally identifiable information — their home and work addresses, their cell phone number, their family members, their social security information — is barely a Google search away these days.

“I’ve lost my name and I’ve lost my reputation,” said Freeman in her blistering testimony in June 2022 before a House of Representatives committee investigating the Jan. 6 unrest at the Capitol. 

While the Freemans have won their days in court — and settled with some of their other tormentors — their experience and other similar forms of harassment have raised fear among the people charged with upholding election integrity.

Thousands of election officials and staffers have endured similar hostility in the last four years. Arizona Republican State House Speaker Rusty Bowers was met with relentless protests at his home, some of whom arrived armed. Georgia’s Republican Chief of State Gabriel Sterling, who oversaw the state’s election integrity, received images of a noose and accusations of treason. His colleague, Secretary of State Brad Raffensperger, reported that protesters invaded his daughter-in-law’s home and threatened his wife.

About 11% of current election officials said they are “very or somewhat likely to leave” their posts before the 2024 general election, according to a survey from the Brennan Center, which noted that 1-in-5 poll workers know someone who left their election job due to threats against their safety. Meanwhile, women, who comprise about 80% of election administrators, are at a greater risk of attacks and harassment, according to a study by the Voting Rights Lab.

These incidents against unsung public servants show how many innocent civilians could be at risk of having their personal information weaponized by political partisans. But there are clear steps that all of us can take to diminish the threats.

How did we get here? Even the most experienced internet users are often in the dark about how seemingly “private” information can be gleaned by those with malicious intent to pressure them over otherwise innocuous, politically impartial activity. 

Specialty websites like VoterRecords.com and various data brokers expose personal and political information, allowing for easy access to comprehensive individual profiles (for a relatively nominal fee, of course). That access has simplified targeted attacks and undermined the common belief in the confidentiality of voter registration and preferences.

Partisans Are Sharpening The Weapons: Your Info

As Election Day on November 5 draws near, traditional forms of civic engagement like peaceful protests and writing to editors or legislators are considered outdated or ineffectual by a growing cohort of self-appointed “election defenders.” 

An increasing number of partisans believe that to ensure their vote counts, they must actively fight for their cause. Election workers, perceived as hostile, are targeted through the malicious use of their personal information.

Although these armchair info detectives tend to act alone, their methods can often miss the intended, if still undeserving, target and hit another. Anyone with a name and location close to matching an election staffer could find themselves in a partisan’s virtual crosshairs.

Practical Steps for Protection

It’s always possible to scrub personal information from the web, but there are several proactive steps individuals on the election frontlines can take to guard their privacy right away:

  • Opt-Out of People Search Sites: Regularly remove your data from websites like Whitepages, Spokeo, and BeenVerified to minimize your digital footprint.
  • Shine Light On The Dark Web: Use services like credit monitor Experian, which can provide a “scan” of  your information and alert you if private details about you are  being traded on the “dark web,” a common venue for doxxing and harassment.
  • Enhance Social Media Privacy Settings: Tightly control who has access to your personal information on social media platforms, sharing details sparingly.
  • Use a PO Box and Google Voice Number: Shield your real address and phone number from public records by using alternative services for mail and calls.
  • Secure Your Voter Registration Details: In some states, you can make your voter registration confidential, especially if your profession or situation demands higher privacy levels.
  • Regularly Monitor and Secure Your Online Presence: Employ tools like Google Alerts to keep tabs on mentions of your name and update your passwords and security settings frequently.

Since 2020, 14 states have introduced laws to safeguard election officials and poll workers, with measures varying across the board, a study by the National Conference of State Legislatures noted in Dec. 2023. Ten of those states now penalize intimidation and interference against these workers through potential jail time and fines. 

Maine mandates de-escalation training for election staff, while Arizona, California, Oregon, and Washington offer them inclusion in address confidentiality programs. Washington additionally takes a stand against cyber harassment, highlighting a growing recognition of the need to protect those at the forefront of upholding democratic processes.

These legal protections are encouraging. They add some sharp teeth to previously weak laws designed to curtail these kinds of cyber attacks against election administrators and staffers. But they won’t deter the most committed — and dangerous — partisans from hunting down vulnerable civil servants. When it comes to real prevention, the people who ensure  our voting rights must take on the job of protecting themselves before becoming a potential victim.

Leave a comment »

Microsoft Releases More Details On Being Pwned By Midnight Blizzard

Posted in Commentary with tags on March 8, 2024 by itnerd

Remember when Microsoft got pwned by Midnight Blizzard and Microsoft said this:

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.  

The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.  

Well, Microsoft has altered their tune. Now they’re saying this:

In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised. 

It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024. 

Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.  

 Shawn Loveland, COO, Resecurity had this to say:

It is well known that Microsoft expends significant resources to protect its assets. Their security posture is world-class. However, this example shows that even world-class security processes and technologies can be bypassed by threat actors ranging from opportunistic script kiddies to well-resourced state actors. Microsoft, as with most defenders, has become overly reliant on legacy technologies and processes, a digital version of the Maginot Line. Companies need to evolve to a defense in-depth strategy, which includes offensive defenses that incorporates what threat actors are doing and preparing for outside of their perimeter, which gives them visibility from the attacker’s perspective.

It will not surprise me if Microsoft changes its tune again when more information about what happened is discovered. While the ideal situation is not to get pwned in the first place, this incident illustrates why you need to really go deep into the weeds if you do get pwned.

Leave a comment »

« Older Entries
Newer Entries »