Nissan Australia Notifies 100000 Customers That Their PII Was Swiped In A Hack From Three Months Ago

Posted in Commentary with tags on March 13, 2024 by itnerd

Nissan Australia today released a statement that they have started contacting around 100000 customers who may have had their personally identifiable information (PII) compromised three months ago when they were hit by a cyberattack:

We now know the list of affected individuals includes some of Nissan’s customers (including customers of our Mitsubishi, Renault, Skyline, Infiniti, LDV and RAMS branded finance businesses), dealers, and some current and former employees.

Nissan expects to formally notify approximately 100,000 individuals about the cyber breach over the coming weeks. This number might reduce as contact details are validated and duplicated names are removed from the list.

The type of information involved will be different for each person. Current estimates are that up to 10% of individuals have had some form of government identification compromised. The data set includes approximately 4,000 Medicare cards, 7,500 driver’s licenses, 220 passports and 1,300 tax file numbers.

The remaining 90% of individuals being notified have had some other form of personal information impacted; including copies of loan-related transaction statements for loan accounts, employment or salary information or general information such as dates of birth.

We know this will be difficult news for people to receive, and we sincerely apologise to our community for any concerns or distress it may cause.

Darren Williams, CEO and Founder of Blackfog had this to say:

     “The fact that around 10,000 were believed to have had seriously critical PII data stolen, such as driving licenses and Medicare cards, as a result of the Nissan cyberattack, is really quite concerning. The perpetrators of this attack managed to steal confidential data and will surely try to blackmail the victims endlessly for extortion purposes.

They were able to evade the security tools at the front door and remain hidden in the system of a multinational global brand for months, highlighting the sophistication of today’s cybercriminals. To really reduce the chance of data breaches, organizations need to look beyond perimeter defense and focus on securing the back door with anti data exfiltration solutions.”

This sort of PII is like gold to a threat actor as it can be used by the threat actor to launch secondary attacks or simply sold to the highest bidder to do the same thing. This is bad and hopefully Nissan does better on this front as this situation is not acceptable.

Leave a comment »

Red Canary Detects Spike in Cloud Account Compromises and Email Forwarding Rule Abuse

Posted in Commentary with tags on March 13, 2024 by itnerd

 Red Canary today unveiled its sixth annual Threat Detection Report, examining the trends, threats, and adversary techniques that organizations ought to prioritize in the coming months and years. The report tracks MITRE ATT&CK techniques that adversaries abuse most frequently throughout the year, and two new and notable entries soared to the top 10 in 2023: Email Forwarding Rule and Cloud Accounts. 

Red Canary’s latest report provides in-depth analysis of nearly 60,000 threats detected with the more than 216 petabytes of telemetry collected from customers’ endpoints, networks, cloud infrastructure, identities, and SaaS applications in 2023. The report sets itself apart from other annual reports with its unique data and insights derived from a combination of expansive detection coverage and expert, human-led investigation and confirmation of threats. 

The research shows that while the threat landscape continues to shift and evolve, attackers’ motivations do not. The classic tools and techniques adversaries deploy remain consistent–with some notable exceptions. Key findings include: 

  • Cloud Accounts were the fourth most prevalent MITRE ATT&CK technique Red Canary detected in 2023, rising from 46th in 2022, increasing 16x in detection volume and affecting three times as many customers in 2023 than in 2022.
  • Detections for malicious email forwarding rules rose by nearly 600 percent, as adversaries compromised email accounts, redirected sensitive communications to archive folders and other places users are unlikely to look, and attempted to modify payroll or wire transfer destinations, rerouting money into the criminal’s account.
  • Half of the threats in top 10 leveraged malvertising and/or SEO poisoning, occasionally leading to more serious payloads like ransomware precursors.
  • Half of the top threats are ransomware precursors that could lead to a ransomware infection if left unchecked, with ransomware continuing to have a major impact on businesses. 
  • Despite a wave of new software vulnerabilities, humans remained the primary vulnerabilitythat adversaries took advantage of in 2023, comprising identities to access cloud service APIs, execute payroll fraud with email forwarding rules, launch ransomware attacks, and more.
  • Uptick in macOS threats–in 2023 Red Canary detected more stealer activity in macOS environments than ever before, along with instances of reflective code loading and AppleScript abuse.

Red Canary noted several broader trends impacting the threat landscape, such as the emergence ofgenerative AI, the continued prominence of remote monitoring and management (RMM) tool abuse,the prevalence of web-based payload delivery like SEO poisoning and malvertising, the increasing necessity of multi-factor authentication (MFA) evasion techniques, and the dominance of brazen but highly effective social engineering schemes such as help desk phishing

Emerging techniques for macOS, Microsoft, and Linux users to watch out for 

The techniques section within the report highlights the most prevalent and impactful techniques observed in confirmed threats across the Red Canary customer base in 2023. While many techniques like PowerShell and Windows Command Shell persist, there were some interesting variations, including: 

  • Adversaries compiled malicious installers with Microsoft’s new MSIX packaging tool–typically used to update existing desktop applications or install new ones–to trick victims into running malicious scripts under the guise of downloading legitimate software. 
  • Container escapes–where adversaries exploit vulnerabilities or misconfigurations in container kernels and runtime environments to “escape” the container and infect the host system. 
  • Reflective code loading is allowing adversaries to evade macOS security controls and run malicious code on otherwise hardened Apple endpoints. 

Attackers don’t target verticals; they target systems  

The data shows that adversaries reliably leverage the same small set of 10-20 ATT&CK techniques against organizations, regardless of the victim’s sector or industry. However, adversaries do favor certain tools and techniques that may target systems and workflows that are common in specific sectors: 

  • Healthcare: Visual Basic and Unix Shell were more prevalent likely due to the different machinery and systems used within that industry. 
  • Education: Email forwarding and hiding rules were more common, likely due to a heavy reliance on email.
  • Manufacturing: Replication through removable media, such as USBs, was more common—likely due to a reliance on air-gapped or pseudo air-gapped physical infrastructure and legacy systems. 
  • Financial services and insurance: Less “obvious” techniques, such as HTML smuggling and Distributed Component Object Model were more common, likely due to greater investments in controls and testing.

Recommended actions:

  • Validate your defenses. Look at the top threats and techniques and ask: ‘am I confident in my ability to defend each of these?’ Red Canary’s open source test library Atomic Red Team is free and easy to adopt. 
  • Patching vulnerabilities is key. It remains tried and true as one of the best ways to insulate yourself from risk.
  • Become a cloud expert–ensure your permissions and configurations are properly set up, and know how everyone in your organization is using cloud infrastructure, as the difference between suspicious and legitimate activity is nuanced in the cloud and requires a deep understanding of what is normal in your environment.

Learn more

About the Threat Detection Report

The full report is intended as a reference library for security practitioners to improve their ability to prevent, mitigate, detect, and emulate cyber threats. It offers detailed guidance on data sources that log relevant evidence of adversary behaviors, tools that collect from those data sources, how security teams can use this visibility to develop detection coverage, and much more deeply actionable information.

The Threat Detection Report sets itself apart from other annual reports by offering unique data and insights, accompanied by recommended actions derived from a combination of expansive visibility and expert, human-led investigation and confirmation of threats.

Each of the nearly 60,000 threats Red Canary detected in 2023 were not prevented by the customers’ other expansive security controls. They are the product of a breadth and depth that Red Canary leverages to detect the threats that would otherwise go undetected.

Leave a comment »

RCE Bugs Feature Among 60 CVEs In March Patch Tuesday

Posted in Commentary with tags on March 13, 2024 by itnerd

It is being reported that Microsoft fixed 60 vulnerabilities in this month’s Patch Tuesday security update round. This includes two critical bugs CVE-2024-21407 that enables attackers to escape from a Hyper-V guest virtual machine and achieve remote code execution on the Hyper-V host, and CVE-2024-21408, a denial of service vulnerability in Windows Hyper-V.

Melvin Lammerts, Hacking Lead at cybersecurity firm Hadrian had this comment:

This Patch Tuesday underscores the critical importance of timely system patching. The Hyper-V vulnerabilities are particularly concerning, as they could enable attackers to execute arbitrary code on the Hyper-V host or cause a complete system crash.  Administrators relying on Hyper-V should prioritise these patches without delay.Furthermore, the Microsoft Defender bypass vulnerability serves as a reminder that no single security solution is foolproof. A robust defence-in-depth strategy is essential, incorporating patching, firewalls, intrusion detection systems, and reliable endpoint protection.Finally, staying informed through resources like the Microsoft Security Bulletins is the best way to stay on top of the latest threats and helps you maintain a strong security posture.

This highlights what I tell every client that I have. Which is patch everything the second it becomes available as it’s an easy way to protect yourself.

Leave a comment »

Air Canada’s Aeroplan Is Being Used In An Email Based Phishing #Scam

Posted in Commentary with tags on March 13, 2024 by itnerd

Some new scams have hit my inbox as of late. And this Aeroplan one is interesting. For those of you who don’t know what Aeroplan is, this is an airline rewards program that is run by Air Canada and its partner airlines. I have an Aeroplan account so I do get marketing emails from them. But one look at this, I knew that this wasn’t one of them:

So the first thing was the fact that the word Aeroplan was highlighted several times. That is odd and when I compared it to other Aeroplan emails, this wasn’t present. So that put me on alert. The other thing that put me on alert is the typical scam hook of if you don’t do something, bad things will happen to you. In this case, if I don’t click the link to upgrade your Aeroplan account, your account will be limited. Whatever that means. Then there was the words “Kindly use the link below to upgrade your account.” Air Canada nor Aeroplan would ever use language like that. Finally, the email was allegedly sent from my personal email account. Meaning that the threat actor spoofed my email.

I wanted to go down the rabbit hole to see what the threat actor was up to. So before clicking on the link, I hovered my mouse cursor over it and saw this:

That looks like a link that has been shortened by Twitter’s link shortener. And that’s done to cover up the fact that if you click on it, which you should not do if you get this email, it will be taking you to someplace other than the Aeroplan website. But since I investigate these scams, I clicked it and this is what I got:

Now I have to give the threat actor credit here. Just like the email, this website is a very good replication of the actual Aeroplan website. Most people I think would be fooled by this. But if you look at the address bar, you’ll see that you’re not at the Aeroplan website as it’s not Aeroplan.com.

And at first glance, this fake website is going after your login details so that presumably the threat actors can log into your account and drain it of your Aeroplan points in the form of gift cards or something like that. And what’s interesting is that the website might be trying to validate that you’ve entered a valid Aeroplan number because when I tried to enter a bogus number, I got this:

This was also the case when I tried to enter a bogus email address. Clearly this threat actor has some skills as they really want to get your login details. And what’s even more interesting is that the links to create a new account or reset your password go to the real Air Canada website. I guess that they’re hoping that those who don’t remember their passwords will reset them, then come back to enter them in what’s clearly a phishing site. What concerns me is that the fact that the threat actor has spoofed my email address to try and scam me. That implies that this might be a targeted attack. I wonder if this is related to the fact that Air Canada got pwned in 2018. Then pwned again in 2023. And the threat actor or actors behind either of those attacks are using the information gained in either of those events to launch further attacks against Aeroplan members. Seeing as I’ve been an Aeroplan member for years, that seems plausible. Thus I would be interested to know if you’re an Aeroplan member and you get an email like this. If so, feel free to leave a comment below.

Leave a comment »

New Online Investment Scams: Fake Trading Platforms Exploit Victims Using Email, Social Media, Ads

Posted in Commentary with tags on March 13, 2024 by itnerd

Netcraft has published its new research following the recent release of the FBI’s 2023 IC3 Report, which revealed that investment fraud was the costliest type of crime, with losses rising to $4.57 billion in 2023, a 38% increase from the previous year.

Netcraft’s newest report reveals it detected and blocked almost 13,000 fake investment platform domains across more than 7,000 IPs, the highest number since they began tracking these platforms independently and 25% more than in December when compared to January alone.

The Netcraft research delves into how cybercriminals behind these scam websites find their victims, operate fake trading platforms, use social engineering tactics, and eventually trick victims into depositing significant amounts of money. Cybercriminals often depend on sophisticated fraudulent investment websites that use fake trading platforms to lure victims through email, social media posts, or counterfeit ads. Netcraft’s report includes a real-world example of a WhatsApp invitation to join an investment group that promises to teach you how to earn huge profits in the cryptocurrency market and emails containing links to fake investment platforms, which offer tiered accounts and promise unrealistic ROI.

You can read the report here.

Leave a comment »

Apple’s Plan To Deal With Massimo Is To Win On Appeal Or Let The Clock Run Out

Posted in Commentary with tags on March 13, 2024 by itnerd

I have to admit that when I heard about this, my first thought that Apple was being super crafty here. What I mean by “this” is this report is this one by MacRumors where they talk about how Apple got around the pulse oximetry ban that came about via the patent lawsuit that Masimo brought against Apple:

The original January 12 order from CBP that allowed Apple to bring Apple Watch models with a disabled sensor in the United States was published recently (via ip fray), and it gives some insight into how Apple disabled pulse oximetry. While some of the order is redacted, Apple implemented a fix that turns off pulse oximetry when an Apple Watch is paired to an iPhone. Blood oxygen sensing becomes inaccessible to the user, and opening the blood oxygen app gives a warning that the feature is not available. Apple said that it hardcoded each Apple Watch at the factory with new software.

As part of the process to get approval to sell ‌Apple Watch Series 9‌ and Ultra 2 models without pulse oximetry enabled, Apple had to provide the code disabling the feature and test devices to Masimo. Masimo didn’t want Apple to have such an easy fix, so it paired the “redesigned” Apple Watches with a jailbroken ‌iPhone‌ running an older version of iOS, and was able to get pulse oximetry working.

Masimo tried to argue that activating pulse oximetry through a jailbroken phone meant Apple had not effectively removed the feature and the devices should not be allowed to be imported in to the U.S. Masimo also tried to say that jailbreaking is “permissible, common, and readily known,” but Masimo’s arguments were unsuccessful. The Exclusion Order Enforcement Branch of the U.S. Customs and Border Patrol ultimately decided that disabling pulse oximetry in the ‌Apple Watch Series 9‌ and Ultra 2 was enough to avoid infringing on Masimo patents, allowing those models to be offered for sale at Apple retail stores in the U.S.

Because Masimo was able to get blood oxygen sensing working using software on a jailbroken ‌iPhone‌, Apple too would be able to reactivate the blood oxygen sensor in the models where it has been disabled through a software update. When no longer subject to an import ban, Apple will be able to reintroduce blood oxygen sensing for ‌Apple Watch Series 9‌ and ‌Apple Watch Ultra 2‌ users who are not able to access the feature.

As noted by ip fray, the patents that Apple was found to have infringed on expire in August of 2028, which means that Apple will be able to re-enable pulse oximetry in affected models at that time. Apple filed an appeal with the United States International Trade Commission to attempt to get the ruling overturned, so if the appeal is successful, Apple could be able to re-add blood oxygen sensing sooner.

That’s pretty crafty by Apple seeing as they have no interest in coming to a settlement with Masimo. Likely because everyone and every company that Apple has “Sherlocked” over the years would come out of the woodwork to get paid as well. So that makes letting the clock run out or winning on appeal the best options for the folks at Apple Park. Let’s see how well that works out for them.

Leave a comment »

WH Proposes Budget Seeking To Boost Cybersecurity

Posted in Commentary with tags on March 13, 2024 by itnerd

On Monday, the White House’s proposed a budget for fiscal year 2025 calling for $13 billion of the $1.67 trillion discretionary spending to go to cybersecurity funding for civilian agencies, including additional investments to the DOJ, Homeland Security and Health and Human Services to bolster digital defenses.

The White House’s proposal seeks $3 billion for CISA, which is a $103 million increase from the 2023 enacted budget. The funding would include:

  • $470 million to deploy network tools like endpoint detection and response capabilities for federal assets
  • $394 million for its internal cybersecurity and analytical efforts
  • $116 million to oversee the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022
  • $41 million for “critical infrastructure security coordination”  

Also notable is the proposed funding for healthcare cybersecurity efforts:

  • $800 million to help “high need, low-resourced hospitals” cover the initial costs of implementing basic cybersecurity practices 
  • $500 million incentive program for more robust digital defenses
  • $141 million for HHS’s own security, including $11 million to better protect health information

The budget also includes a handful of other proposals aimed at improving cybersecurity including:

  • The National Highway Traffic Safety Administration’s Office of Automation Safety to “address vehicle cyber security risks,” as well as AI risks
  • The Department of Energy would receive $455 million “to extend the frontiers of AI”, in addition to its cybersecurity efforts
  • Military cybersecurity spending would be $7.4 billion, with another $6.4 billion for activities such as cyberspace operations and $630 million for R&D
  • The Department of Defense total would be $14.5 billion which is an increase from $13.5 billion since last year

The budget would also add additional funding to address workforce challenges via minority-serving institutions.

The next immediate deadline for government spending is March 22, when the continuing resolution funding DHS, DOD and other agencies expire. 

Emily Phelps, VP, Cyware had this to say:

   “The White House’s emphasis on cybersecurity in the 2025 budget reflects a strong commitment to national and economic security. This significant investment reinforces the importance of collaborative efforts between public and private sectors to combat sophisticated and persistent cyber threats. By focusing on key areas such as healthcare cybersecurity and leveraging advancements in AI and military defenses, the budget aims to fortify the resilience of our critical infrastructure, economy, and the protection of citizens and industries against the concerted efforts of threat actors.”

This is a good move by The White House to keep cyber assets safe. Hopefully this is a budget that can get through The House and Senate as this is something that the nation needs.

Leave a comment »

Town Of Huntsville Pwned In Cyberattack

Posted in Commentary with tags on March 12, 2024 by itnerd

Joining the City of Hamilton who is recovering from being pwned in a cyberattack is the City of Huntsville which is north of Toronto Canada. I know this because of this notice posted on their website:

The Town of Huntsville continues to work with experts to investigate the cybersecurity incident that occurred over the weekend. Upon discovering this incident, we initiated our incident response protocol and we took immediate steps to secure our network against further unauthorized activity.


The investigation, led by the cybersecurity specialists the Town has engaged, is currently ongoing. At this time, we have no evidence any sensitive data, including personal information, has been compromised; however, if this is discovered the appropriate steps will be taken.


March 11, 2024 – Updates:

  • Town Hall will remain closed to the public on Tuesday, March 12, 2024. The Canada Summit Centre is open; camp and town programming is operating at that facility. The Algonquin Theatre day camp will also operate. The Library will reopen on March 12 to the public and programs will be available.
  • The Municipality has taken precautionary measures, which has impacted some of our systems and online services, including some municipal and Council email addresses. Customer service representatives are available by phone at 705-789-1751.
  • The Regular Planning Committee Meeting on March 13 and the Special Council Meeting on March 13, have been cancelled and will be rescheduled. The Library Board Meeting Scheduled on March 12 has been cancelled and rescheduled for March 26, 2024.

The Town is committed to being as transparent as possible regarding this incident and its implications for our community. This type of incident takes time to investigate, and we would like to thank the community for their patience.

I love the words “At this time, we have no evidence any sensitive data, including personal information, has been compromised; however, if this is discovered the appropriate steps will be taken” because it is highly likely that they have no clue if anything has been taken. And given what’s written above, this is clearly crippling. I hope they live up to their pledge to being “as transparent as possible regarding this incident and its implications for our community” because everyone needs to know how this happened, and what they are going to do to ensure that it doesn’t happen again.

Leave a comment »

Fubo Canada Serves Up A Limited Time Promo Offer

Posted in Commentary with tags on March 12, 2024 by itnerd

Fubo, the leading sports-first live TV streaming platform, is offering Canadians an exciting, limited time offer for subscribers on its Sports Quarterly or Annual plan, starting as low as $12.50 a month.  

Until May 3, 2024, new subscribers can save 38 per cent off for six months (savings of $25.00) on the Quarterly plan, or 32 per cent off for twelve months (savings of $70.00) on the Annual Sports plan, bringing Canadians more of the content they love, for less. With this plan, subscribers can watch Premier League, Serie A, Coppa Italia, Global news, HGTV, Disney Channel and more. 

Canadians can learn more and take advantage of this limited time offer at this link: Watch the Premier League all season | Fubo 

Leave a comment »

Stanford University Pwned…. 27,000 People Affected

Posted in Commentary with tags on March 12, 2024 by itnerd

Stanford University has notified victims of a data breach in which the personal info of more than 27,000 people was accessed. The ransomware gang known as Akira was able to gain access to the schools Department of Public Safety’s network from May 12th until September 27th, 2023. The data collected includes DOBs, SSNs, Gov ID #’s, passport #’s, driver’s license #’s and, for some victims, biometric data, health/medical info, email addresses and passwords, and more. 

Darren Williams, CEO and Founder, BlackFog had this to say:

     “The attack on Stanford University highlights the need for consistent monitoring of data leaving the network. With hackers successfully exfiltrating sensitive data, the victims of this attack will no doubt be dealing with relentless extortion attempts going forward. As with many attacks, hackers were able to bypass perimeter defense tools and spend months lurking in the system undetected. To really mitigate the risk of data breaches organizations must look past perimeter defense and focus on protecting the back door with anti data exfiltration solutions.” 

I for one am a bit bothered by two things. One is that the event happened between May and September of last year. Second is that we’re only finding out about it now. That gives threat actors a whole lot of time to use that data for whatever evil purposes that they desire. Which isn’t a good thing for the victims involved.

Leave a comment »

« Older Entries
Newer Entries »