Washington County, PA pays nearly $350,000 in ransom…. WHY??

Posted in Commentary on February 17, 2024 by itnerd

After weeks of being shut down by a ransomware attack and much deliberation, Washington County Pennsylvania chose to pay the ransom rather than expose their children to possible abuse. That was the explanation given for paying almost $350,000 to a Russian ransomware group.

The county hired a cyber security firm to facilitate the payment of $346,687 to “Russian Hackers.”

Solicitor Gary Sweat said the hackers demanded ransom money or they’d release the hacked data and “We were advised not to make any statements because the cybercriminals were listening in on everything being said.” 

WPXI Pittsburgh reported that Commissioner Larry Maggi voted not to pay the ransom, saying it was “repugnant” to give in to cybercriminals. But Commissioner Nick Sherman who voted to pay the ransom explained that the stolen data was more than just social security numbers and driver’s license numbers. “Some of the info they got was Children and Youth Services information about the children of Washington County… children in severe need of services, children who have been abused, abducted… very sensitive information.”

In exchange for the ransom payment, the County received a decryption key to unlock their servers and a promise of deletion of stolen data.

Commissioner Sherman had this closing comment: “When you pay the ransom they go away, and they leave you alone, because they know if they don’t people will continue to not pay ransom. It’s a business model they follow.”

I’ll come back to this later. But now I will hand this over to Mark Campbell, Sr. Director, Cigent:

   “Ransomware gangs continue to lean in on extortion. It’s no longer about getting the data back via the decryption keys. Many organizations have ways to restore data already; however, the threat of releasing sensitive data such as internal communications, customer information, or in this case highly sensitive information about the Children and Youth Services takes the extortion to a new level. Even if the extortion demands are paid, there is no real way to trust that the attackers will earnestly destroy the stolen data. Can we count on honor among these thieves?”

Here’s the deal. You should never, ever pay the ransom. There’s no guarantee that you will get your data back. There’s no guarantee that they won’t come back and attack you again. And there’s no telling what they will do with any data that they stole. This is a really bad move and it may come back to haunt Washington County Pennsylvania.

Review: EnGenius Fit6 4×4 Lite WiFi Access Point

Posted in Products on February 16, 2024 by itnerd

EnGenius last year launched a series of access points targeted towards home and small office users called EnGenius Fit. This line of products is meant to take aim at the pain points of these users by making them easy to deploy and manage. Today I’m reviewing the EnGenius Fit6 4×4 Lite (also known as the EWS-276fit), and here’s a look at it starting with the bottom:

  • 1x 10/100/1000/2500 NBASE-T RJ-45 Ethernet port
  • 1x DC jack (this is a good time to mention that this is a PoE device and no AC adapter is included)
  • Reset button

On the side is a Kensington lock slot.

The top has a bunch of LEDs to indicate the status of the access point. One thing that I should point out is that this access point is really thin, so it’s more likely to go unnoticed.

This access point supports 2.4 GHz and 5 GHz WiFi, which means that you can get up to 2400 Mbps in the 5 GHz band and 1148 Mbps in the 2.4 GHz band in ideal conditions. It also supports everything up to 802.11ax. In my testing using my usual testing protocol, I got these speeds:

  • 4.5 meters away: 912 Mbit/s
  • 10 meters away with a pair of concrete walls in between: 569 Mbit/s

These are better than respectable speeds. If you had this access point, I doubt there’d be any complaints, especially with multiple clients, which this access point handled without an issue.

In terms of managing this access point, you get three options:

Option A – Cloud Management: Manage and monitor the Access Point through the FitXpress Platform with a mobile app or through the web portal.

Option B – On-Premises Management: If you want to manage the device in on-premises mode, you need an onsite management station running a FitController connected to the same network.

Option C – Standalone Configuration: You connect to the access point with a web browser and manage it that way.

I set it up using Option C, but it’s nice to have options for whatever you feel most comfortable with. And deploying it only took me 15 minutes.

The EnGenius Fit6 4×4 Lite Indoor Wireless Access Point is available now for a price of $149 USD. If you’re looking to blanket your office or home with WiFi that won’t break the bank, and at the same time have something that is easy to deploy and manage, this access point is totally worth looking at.

LockBit Claims Responsibility For Pwning Fulton County

Posted in Commentary on February 16, 2024 by itnerd

The LockBit ransomware gang is claiming responsibility for the January cyber-attack on Fulton County, Georgia and is threatening to publish “confidential” documents if the ransom is not paid by this Friday.

You might recall that I first brought this story to you on February 1st. But here’s a quick recap.

Initial reports by the county on January 29th acknowledged a “cyber security incident”, confirming widespread system outages, including phone, court and tax systems, but gave no further details.

It wasn’t until yesterday, almost three weeks later and only after LockBit claimed the attack, that officials acknowledged the outage was in fact a ransomware attack, but they still offered no details on the attack itself. Many of the county’s systems are still down and the investigation is ongoing.

Services remaining down include:

  • Two-thirds of phone services
  • Court systems
  • Property tax systems
  • Jail IT systems
  • Water billing

LockBit has given a deadline of Friday 2/16 for the County to pay the ransom. Fulton County is Georgia’s largest county and home to the state’s capital, Atlanta.

Steve Hahn, Executive VP, BullWall had these thoughts:

   “What we are seeing here is part of a larger trend. Cities all across the US are under attack by Russian threat actors. Oakland declared a state of emergency when nearly all services, all the way to their city hall, were shut down. In that instance the threat actor stole and released data as well. Hundreds of US cities have been the victim of these attacks.

   “In the past these Russian threat actors were strictly financially motivated. Since the war in Ukraine the attacks have become increasingly targeted and not just getting the Ransom but also hurting us financially. Hitting supply chains that could impact inflation, hitting hospitals and cities providing life saving services to maximize the human impact. The other new trend is the threat actor is typically getting command and control access prior to the attack. This means they have admin level rights, they steal data, then set up their ransomware attack in a way that no preventative tool can stop it.

   “We have to recognize that we are truly under attack and if you’re in their crosshairs it’s not “if” but “when” you’ll be hit with Ransomware. We have to shift focus from simply trying to prevent these attacks to also how to contain them quickly to minimize the effect. Containment and recovery are key strategies these cities need to employ so their services aren’t impacted. We need MFA to every server, every session. They need to work towards a zero-trust environment and, most importantly, they need containment and recovery strategies in place. In the same way we “war game” physical attacks, knowing you can’t pin your hopes on “preventing” them, we need to take that same approach to cyber-attacks and assume it’s not “if” but “when” and how do we respond. Cities simply aren’t doing that today.”

Emily Phelps, VP, Cyware follows with this comment:

   “Effective cybersecurity is challenging for even the most well-resourced organizations. Local governments have additional resourcing challenges that further complicate protecting the critical data of their citizens.

   “Organizations, across sectors, must become more proactive in their cyber defense strategies. This starts with advanced threat intelligence that can be automatically operationalized across a security team. Context-rich threat intelligence enables security teams to prioritize critical threats and take rapid action. Intelligence sharing organizations (ISACs) are also an important component that can provide relevant intelligence to industry organizations to improve effectiveness and efficiency.”

The fact that I started writing about this at the start of this month and the incident is still ongoing shows how devastating and disruptive cyberattacks can be. That is why prevention and rapid detection of intrusions have to be the way to go if you want to avoid being the next headline.

Microsoft & OpenAI – How nation-states are weaponizing AI 

Posted in Commentary on February 16, 2024 by itnerd

According to research from Microsoft and OpenAI, nation-state threat actors from Russia, China, North Korea and Iran are using generative AI tools, including large language models (LLMs) such as ChatGPT, to support their cyber campaigns rather than to develop novel attack techniques.

The researchers observed that AI is currently being used to scale and enhance existing social engineering attacks and to help bad actors find unsecured devices and accounts, with the models being used for the following tasks:

  • Querying open-source information (reconnaissance)
  • Translation
  • Scripting
  • Finding coding errors
  • Running basic coding tasks

OpenAI said yesterday that it terminated 5 threat actor accounts linked to China, Russia, Iran and North Korea observed to be using these TTPs.

Also, as part of the report, Microsoft published a set of principles to govern its efforts to prevent other state-backed hackers from abusing its AI models. Those principles are:

  • Identification and action against malicious threat actors’ use
  • Notification to other AI service providers
  • Collaboration with other stakeholders
  • Transparency

“Understanding how the most sophisticated malicious actors seek to use our systems for harm gives us a signal into practices that may become more widespread in the future, and allows us to continuously evolve our safeguards,” OpenAI wrote.

Ted Miracco, CEO, Approov Mobile Security had this comment:

   “The emergence of nation-state actors leveraging generative AI in cyber operations is no surprise and underscores the urgent need for proactive measures to safeguard digital infrastructure and information assets. Microsoft, OpenAI and Google can shut down accounts periodically, but powerful generative AI technologies are readily available to all nation states through open source LLMs that are very close in capabilities to the industry leaders. There is no effective choke point that will prevent these nation states from using these emerging AI technologies, and it is essential to understand that safeguards need to be in place across the digital landscape as the opportunity to curtail access at the source has passed.”

Mark Campbell, Sr. Director, Cigent follows with this comment:

   “At the end of the day nothing really changes for security professionals. Phishing, whether human or AI generated, is still the leading cause of initial access. Cyber security professionals need to keep systems up to date and deploy advanced endpoint security solutions that include AI and behavior analysis, to more effectively detect and block malicious activities, including those initiated by AI generated phishing emails.”

Making sure that AI isn’t being abused by bad actors to launch attacks should be priority one. Yes there’s a ton of cybersecurity priorities out there, but this one at the moment appears to potentially be the most dangerous.

Roku Surpasses 80 Million Active Accounts and More than 100 Billion Streaming Hours in 2023 

Posted in Commentary on February 16, 2024 by itnerd

Roku has more than 80 million active accounts and counting, a major marker of the company’s growth and scale as consumers continue to move to TV streaming. Viewer engagement on Roku is also at a record high—for the first time, more than 100 billion hours were streamed on the platform in 2023, averaging a record of 4.1 hours per day per account in Q4. Additionally, in the U.S., Roku’s active account base is now bigger than the subscribers of the six largest traditional pay-TV providers* combined. 

In 2023, Roku launched its own line of TVs and expanded the Roku TV licensing program to include more than 30 partners, furthering the reach of the Roku Operating System (OS). In select markets, user experience updates, new features, and content discovery tools like the Sports Experience, What to Watch, All Things Food, and All Things Home were added to the platform. These enhancements, plus a more informative and engaging Roku search, have led to increased time spent on the platform and an easier, more enjoyable experience for the Roku user.  

Since the launch of its first streaming player in 2008, Roku has put the needs and experience of the consumer at the center of its offerings, such as The Roku Channel and Roku’s purpose-built OS. Through its streaming players, Roku TV program, Roku-branded TVs, and continuous innovation on its platform, the company will continue to grow its scale and deliver a best-in-class TV streaming experience for viewers. This continued growth helps the company on its mission to be the global TV streaming platform that connects and benefits the entire TV ecosystem, connecting content partners to an engaged audience and providing advertisers with unique capabilities to reach viewers. 

Roku is the leading TV streaming platform in the U.S. and Mexico by hours streamed (Hypothesis Group, Dec 2023) and is the #1 selling TV operating system in the U.S., Canada, and Mexico in Q4 (Source: Circana, Retail Tracking Service, Unit Sales, Oct-Dec 2023 combined).  

*Leichtman Research Group, Nov 2023 

New iOS And Android Malware Takes Over Your Device And Steals Your Facial Image To Commit Fraud

Posted in Commentary on February 16, 2024 by itnerd

According to the February 15th report by Group-IB, the malware captures the user’s facial image as video and stills and uploads the images and PII to the attackers’ C2 servers. The threat actors have been using a “multi-staged social engineering scheme” to persuade victims to install a Mobile Device Management (MDM) profile that gives them full control of the user’s device. The malware affects both iOS and Android devices.

According to Group-IB, the trojan was found disguised as 20 different applications from Thailand’s government, financial sector, and utility companies, stealing login credentials for these services.

Approov Mobile Security CEO Ted Miracco offers some thoughts on this malware and the attackers’ approach:

   “While the social engineering piece of this attack is common, and stealing facial data isn’t entirely new, the focus on deepfake creation for financial fraud is a concerning and very recent development that wouldn’t have been possible a couple of years ago. This is part of the rapidly evolving threat landscape that is 100% enabled through the use of AI technologies.

   “At this time, the GoldPickaxe malware can trick users into generating images and videos from their iOS and Android phones. This is not the same as stealing biometric data that is stored on the device’s secure enclave and is encrypted and remains secure. This malware is not breaching the Face ID functionality nor breaching either of the two mobile OSes’ security features, so at this time there is no reason to fear widespread attacks, and there is no reason to disable biometric support from the apps and phones that enable them.

   “There are several things that can be done to prevent these kinds of attacks. Endpoint detection and response (EDR) and runtime application self protection (RASP) are solutions specifically designed for mobile devices to detect and respond to malicious activity in real time. 

   “It’s extremely unlikely that “GoldPickaxe” will slow facial recognition development, however, it serves as a wake-up call for responsible development and implementation of security mechanisms to detect deep fakes and other fraud.”

This is pretty scary as it’s always been thought that biometrics are an excellent way to secure your device. Clearly given the existence of this malware, that no longer appears to be the case. And it proves that threat actors will stop at nothing to get what they want.

The US Is Offering Up Big Money To Capture ALPHV/Blackcat

Posted in Commentary on February 15, 2024 by itnerd

The United States has clearly had enough of the ALPHV/Blackcat ransomware gang. I say that because the U.S. State Department is offering rewards of up to $15 million for information that could lead to the identification or location of ALPHV/Blackcat ransomware gang leaders:

The U.S. Department of State is offering a reward of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold a key leadership position in the Transnational Organized Crime group behind the ALPHV/Blackcat ransomware variant. In addition, a reward offer of up to $5,000,000 is offered for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware activities.

On December 19, 2023, the Department of Justice (DOJ) and the FBI announced cooperation with an international group of law enforcement agencies from the United Kingdom, Australia, Germany, Spain, and Denmark to conduct a disruption campaign against the notorious ransomware gang ALPHV/Blackcat. The FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations). To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.

Shawn Loveland, COO, Resecurity had this to say:

According to Resecurity reporting, BlackCat (ALPHV) has increased its ransom demands to up to $2.5M per victim from the large enterprise segment. This is why the group is well-funded and has a significant number of access brokers and affiliates working for them. In fact, many of their attacks have not been publicly disclosed, which suggests that this figure could be much higher in practice. By offering a $15M reward, the law enforcement community aims to disrupt their activity by collecting intelligence from actors familiar with them, potentially causing “competition” between bad actors and their associates. This is especially relevant in light of recent conflicts, such as Lockbit experiencing a ban from certain Dark Web communities. It is possible that the group could be “burned” due to internal conflicts and other actors leaking data about them.

This is an interesting tactic to try and take this group down. Let’s see how successful this tactic is, or isn’t.

Air Canada Tried To Dodge Responsibility For Its Chatbot Handing Out Incorrect Information… And Fails

Posted in Commentary on February 15, 2024 by itnerd

This is something that I suspect that we’ll see more of in the coming months and years. CTV News is reporting that a chatbot that Air Canada uses handed out incorrect information to a man in regards to bereavement rates:

Jake Moffatt was booking a flight to Toronto and asked the bot about the airline’s bereavement rates – reduced fares provided in the event someone needs to travel due to the death of an immediate family member.

Moffatt said he was told that these fares could be claimed retroactively by completing a refund application within 90 days of the date the ticket was issued, and submitted a screenshot of his conversation with the bot as evidence supporting this claim.

He submitted his request, accompanied by his grandmother’s death certificate, in November of 2022 – less than a week after he purchased his ticket. But his application was denied and the tribunal decision said emails submitted as evidence showed that Moffatt’s attempts to receive a partial refund continued for another two-and-a-half months.

The airline refused the refund because it said its policy was that bereavement fare could not, in fact, be claimed retroactively.

In February of 2023, Moffatt sent the airline a screenshot of his conversation with the chatbot and received a response in which Air Canada “admitted the chatbot had provided ‘misleading words.'”

But Moffatt was still unable to get a partial refund, prompting him to file the claim with the tribunal.

Air Canada, for its part, said that the company could not be held responsible for what the chatbot said because the chatbot is a separate entity from Air Canada.

Yeah. They really said that. Here’s how that went down:

Air Canada, for its part, argued that it could not be held liable for information provided by the bot.

“In effect, Air Canada suggests the chatbot is a separate legal entity that is responsible for its own actions. This is a remarkable submission. While a chatbot has an interactive component, it is still just a part of Air Canada’s website,” [tribunal member Christopher C.] Rivers wrote.

“It should be obvious to Air Canada that it is responsible for all the information on its website. It makes no difference whether the information comes from a static page or a chatbot.”

The airline also argued that the chatbot’s response to Moffatt’s inquiry included a link to a section of its website that outlined the company’s policy and said that requests for a discounted fare are not allowed after someone has travelled.

Rivers rejected this argument as well.

Air Canada has been ordered to pay $650.88 in damages. In addition, the airline was ordered to pay $36.14 in pre-judgment interest and $125 in fees.

Now Air Canada’s argument is at best laughable, and at worst a desperate attempt to cover up the fact that their chatbot wasn’t properly set up to deliver accurate information 100% of the time. And while the story doesn’t say this, I suspect that the reason he went the chatbot route is that it is nearly impossible to get an actual human being on the phone over at Air Canada. At least, that’s been my experience over the last few years when I’ve needed to call them. Perhaps Air Canada should invest not in chatbots, but actual human beings that are properly trained and properly equipped to help customers 100% of the time and quickly? Just a thought.

Guest Post: Navigating Microsoft SQL Server and Kubernetes in a Hybrid and Multi-Cloud Era

Posted in Commentary on February 15, 2024 by itnerd

By Don Boxley, CEO and Co-Founder, DH2i

In a business world that’s increasingly leaning on hybrid and multi-cloud environments for agility and competitiveness, DH2i’s recent launch of DxOperator couldn’t be more timely. For those managing SQL Server within Kubernetes — especially when dealing with the intricacies of operating across various cloud platforms — it is a true game changer. 

DxOperator is the result of a close relationship with the Microsoft SQL Server team, which led to the creation of a tool that is ideally suited to automate SQL Server container deployment in Kubernetes. What makes it truly unique and a stand-out in this space is DxOperator’s ability to take complex setups and make them simple — which ensures that HA and operational efficiency are easily achievable, even across multi-cloud environments.

Of course, another reason that DxOperator is in a league of its own is how it turns your specific requirements into optimized actions. DxOperator handles everything from custom pod naming to node selection with such finesse that managing SQL Server containers becomes a breeze. It’s all about making sure that your deployments are not just efficient but also best practice compliant.

Microsoft’s Rob Horrocks praised DxOperator (see announcement) for its ease-of-use and effectiveness, noting its potential to simplify complex deployments for those who might not be Kubernetes experts. DxOperator’s user-friendly nature, together with its robustness is reshaping how businesses approach database management.

“Previously, deploying this type of setup could require up to 30 minutes and numerous pages of code. However, with the DxOperator feature, it’s been streamlined to a mere 3-5 minutes and a handful of code lines. This makes the transition to K8s significantly smoother for those experienced with SQL Server but new to K8s,” Horrocks explained.

OJ Ngo, DH2i’s CTO and Co-Founder, also shared that DxOperator was built with a focus on practical automation and efficient management of SQL Server availability groups. OJ and his team met their goal with flying colors! DxOperator is the industry’s most versatile tool — aligning with Kubernetes’ best practices while meeting the modern demands of IT infrastructures, particularly in hybrid and multi-cloud scenarios.

Tailored for Hybrid and Multi-Cloud Strategies

For organizations embracing hybrid and multi-cloud models, DxOperator is a significant boon. DxOperator streamlines the deployment of SQL Server across various settings, aligning seamlessly with the scalable and adaptable characteristics of hybrid cloud approaches. The result is that businesses have the flexibility to allocate their resources more wisely and keep spending under control. Moreover, digital security is enhanced with our cutting-edge DxEnterprise with secure tunneling technology, ensuring safe and private data exchange across any network. And, at the same time, it ensures everything runs smoothly, no matter where their data and applications are hosted in the cloud.

Highlights:

  • Efficient Deployment: DxOperator facilitates quick and intelligent setup of SQL Server instances, ideally suiting the complex requirements of hybrid and multi-cloud settings.
  • High Availability: The tool ensures that your SQL Server environments are always up and running, smoothly integrating into Always On Availability Groups for continuous operation across any cloud setting.
  • Simplified Management: With DxOperator, the complexity of managing SQL Server environments is significantly reduced, freeing up IT teams to focus on strategic initiatives.

For those interested in exploring DxOperator and how it can streamline your SQL Server deployments, especially within hybrid and multi-cloud frameworks, I encourage you to check out DH2i’s website, which has comprehensive guides and details on how to get started with DxOperator.

Cradlepoint Launches X10 5G Router

Posted in Commentary on February 15, 2024 by itnerd

 Cradlepoint, the global leader in cloud-delivered LTE and 5G wireless network solutions, today announced the release of the X10 5G router, designed to equip service providers with an all-in-one fixed wireless access (FWA) service for small and medium-sized businesses, temporary sites, and remote workers. The X10 5G router delivers enterprise-grade connectivity and ease-of-management through NetCloud Manager while enabling service providers to craft tiered security and Quality of Service (QoS)-based plans. 

The X10 5G router is designed to provide fast and reliable 5G connectivity, enabling service providers to offer their business customers day-one connectivity using the cellular network or as a backup cellular connection, helping businesses connect quickly and securely to the internet and avoid network downtime. This enables service providers to offer business internet solutions that are quickly deployed, reliable, resilient, and more secure than other best-effort solutions on the market today.

With 5G expected to account for almost 80 per cent of FWA connections by 2028, businesses of all sizes will increasingly demand tailored solutions from service providers. The enterprise-grade yet cost-efficient X10 5G router represents Cradlepoint’s commitment to the growing FWA Business Internet solutions market and will enable service providers to meet growing demand for these solutions. Opportunities for service providers include:

  • Attract FWA customers across various markets: The cost-efficiency and flexibility of the X10 Router appeals to small and medium-sized businesses across a variety of industries and use cases.
  • Upsell security, Quality of Service, and managed services: The Cradlepoint X10 router will be available with the NetCloud Exchange advanced service architecture, which enables providers to construct and offer tiered service plans and further differentiate their FWA Business Internet offerings.
  • Enhanced operational efficiency and reduced operational costs: Cloud management through NetCloud enables service providers to more effectively and efficiently support their managed services at scale while robust APIs give them the flexibility to integrate X10 management into their existing management systems.

The Cradlepoint X10 router is available immediately; more information is available on Cradlepoint’s website. Cradlepoint will debut the X10 at Mobile World Congress, Barcelona, February 26-29, 2024. Please visit Cradlepoint at Hall 2 Stand 2L20 or Ericsson at Hall 2 Stand 2060.