Saks 5th Avenue Pwned By Cl0p Ransomware Group

Posted in Commentary with tags on March 22, 2023 by itnerd

The Cl0p ransomware gang claimed responsibility for an attack on Saks 5th Avenue by posting stolen Saks data on its Dark Web site. Threat Analyst Brett Callow posted the Cl0p announcement on Twitter on Monday.

Saks claims it’s all mock customer data used for training purposes but has not detailed whether it includes corporate information or employee PII.

In response to questions about the breach from Bleeping Computer, the company confirmed that the incident was linked to Fortra (formerly HelpSystems), a Saks vendor: 

“Fortra, a vendor to Saks and many other companies, recently experienced a data security incident that led to mock customer data being taken from a storage location used by Saks.”

This attack continues Cl0p’s use of the GoAnywhere MFT server vulnerability, CVE-2023-0669, which allows attackers remote code execution on unpatched systems if the admin console is exposed to the Internet. Clop told Bleeping Computer just last month that it had breached 130+ organizations in just 10 days using this same vulnerability.

So far no one has confirmed what data was taken or details of any ongoing ransom discussions.

Al Martinek, Customer Threat Analyst at Horizon3.ai, had these questions regarding this incident:

What?

“Since the start of the Russo-Ukrainian war, we have seen a sharp increase in Russian cyber activity, especially targeting NATO, US allies, and US critical infrastructure globally. Russian state-sponsored and backed cyber threat actors have used the Ukrainian cyber landscape to hone their skills, as well as their tactics, techniques, and procedures (TTPs). 

“The recent attack on the US-based Community Health Systems (CHS) and a large US-based retailer shows that the Russian-linked ransomware group Cl0p exploited the GoAnywhere MFT zero-day vulnerability (CVE-2023-0669) to gain access and steal data; and has reportedly targeted over 130 organizations worldwide. Although not confirmed, Clop has conducted such attacks in the past with the goal of disrupting daily organizational cyber activity, stealing sensitive data, and finding other opportunistic ways to disrupt or deploy further attacks.

So what?

“Zero-day vulnerabilities will continue to plague organizations and could have severe consequences. Although cyber threat actors generally attack larger organizations, every business regardless of size can be a target for zero-day vulnerabilities. With the continued presence of Russia in Ukraine, we will continue to see Russian state-sponsored and backed groups take responsibility for zero-day attacks, bolstering their credibility while targeting US interests worldwide to gain support. Zero-day threat actors do not fit into a one-size-fits-all category, and attack vectors change from group to group with differing TTPs.

Now what?

“These types of vulnerabilities occur with little to no warning, making them a major cybersecurity threat as they are difficult to predict or protect against. Currently, 3% of Horizon3.ai customers from across different industries and sectors to include energy, retail, medical, and financial use GoAnywhere MFT in their environments. 

“The best way to proactively protect against zero-day vulnerabilities is to ensure all systems and network devices are updated to the most current software, and by using autonomous penetration testing software, such as NodeZero, to help companies stay ahead of possible vulnerabilities in their cyber environment. Additionally, implementing a regular cadence of pentesting within an environment with NodeZero helps find vulnerabilities and issues quickly, suggests mitigations and fix actions, and allows for instant verification of said fix actions.”

I fully expect more details to come out as Saks needs to explain more than it has to date as simply saying that this was “mock data” really doesn’t quite meet the standard of disclosing the details of this incident. The fact is that there needs to be a very detailed accounting of what was actually taken by the threat actors, and what they will do to make sure that it doesn’t happen again.

$36M Supply Chain Attack Detected And Stopped By Abnormal Security

Posted in Commentary with tags on March 22, 2023 by itnerd

Abnormal Security has revealed that it recently detected and stopped an attempted vendor email compromise (VEC) attack targeting an enterprise company in the commercial real estate industry, which had been cc’d on an email containing an invoice for $36 million.

This report details the following:

  • How threat actors manipulated the target using a VIP from a trusted partner company.
  • The red flag in this email that differed from what’s typically expected in an invoice.
  • Why there was little reason for immediate concern about the validity of the wire transfer request.

You can read the report here.

Guest Post: ESET Research discovers trojanized WhatsApp and Telegram applications stealing crypto funds and with new functionalities

Posted in Commentary with tags on March 21, 2023 by itnerd

ESET researchers have discovered dozens of copycat Telegram and WhatsApp websites targeting mainly Android and Windows users with trojanized versions of these instant messaging apps. Most of the malicious apps we identified are clippers — a type of malware that steals or modifies the contents of the clipboard. All of them are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets. This was the first time ESET Research had seen Android clippers focusing specifically on instant messaging. Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.

Based on the language used in the copycat applications, it seems that the operators behind them mainly target Chinese-speaking users. Because both Telegram and WhatsApp have been blocked in China for several years now, with Telegram being blocked since 2015 and WhatsApp since 2017, people who wish to use these services have to resort to indirect means of obtaining them.

The threat actors first set up Google Ads leading to fraudulent YouTube channels, which then redirected the viewers to copycat Telegram and WhatsApp websites. ESET Research immediately reported the fraudulent ads and related YouTube channels to Google, which promptly shuttered them all.

“The main purpose of the clippers we discovered is to intercept the victim’s messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers. In addition to the trojanized WhatsApp and Telegram Android apps, we also found trojanized Windows versions of the same apps,” says ESET researcher Lukáš Štefanko, who discovered the trojanized apps.

Despite serving the same general purpose, the trojanized versions of these apps contain various additional functionalities. The analyzed Android clippers constitute the first instance of Android malware using OCR to read text from screenshots and photos stored on the victim’s device. OCR is deployed in order to find and steal a seed phrase, which is a mnemonic code composed of a series of words used for recovering cryptocurrency wallets. Once the malicious actors get hold of a seed phrase, they are free to steal all the cryptocurrency directly from the associated wallet.

In another instance, the malware simply switches the victim’s cryptocurrency wallet address for the attacker’s address in chat communication, with the addresses being either hardcoded or dynamically retrieved from the attacker’s server. In yet another instance, the malware monitors Telegram communication for certain keywords related to cryptocurrencies. Once such a keyword is recognized, the malware sends the full message to the attacker’s server.

ESET Research also found Windows versions of the wallet-switching clippers, as well as Telegram and WhatsApp installers for Windows bundled with remote access trojans (RATs). In a departure from the established pattern, one of the Windows-related malware bundles is not composed of clippers, but of RATs that enable full control of the victim’s system. This way, the RATs are able to steal cryptocurrency wallets without intercepting the application flow.

“Install apps only from trustworthy and reliable sources, such as the Google Play store, and do not store unencrypted pictures or screenshots containing sensitive information on your device. If you believe you have a trojanized version of Telegram or WhatsApp, manually remove it from your device and download the app either from Google Play or directly from the legitimate website,” advises Štefanko. “For Windows, if you suspect that your Telegram app is malicious, use a security solution to detect the threat and remove it for you. The only official version of WhatsApp for Windows is currently available in the Microsoft store.”

For more technical information about the clippers built into instant messaging apps, check out the blog post “Not-so-private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets” on WeLiveSecurity.

Approov Names Pearce Erensel Vice President of Sales

Posted in Commentary with tags on March 21, 2023 by itnerd

Approov, the end-to-end mobile app security provider, today named Pearce Erensel vice president of sales, reporting to Approov’s CEO Ted Miracco.

Erensel will have responsibility for Approov’s global sales and support. His focus will be on increasing Approov’s footprint in the mobile app security market by leading a professional sales and business development organization and driving customer-facing processes.

Pearce Erensel is an experienced sales and business development executive noted for meeting or exceeding revenue targets. Most recently, he was employed by Zimperium in its London office after serving as an account executive for whiteCryption, a company acquired by Zimperium. At Zimperium, he was a product expert for its mobile app protection suite working alongside EMEA account executives and training application engineers. At Intertrust Technologies Corporation, a software technology company specializing in trusted distributed computing, Erensel worked as a business development manager and account executive. He began his career in New York City working as a corporate sales trainer for advertising services firm First Reaction Inc.

Erensel is a graduate of Dickinson College in Pennsylvania with a Bachelor of Arts degree in Environmental Studies. He holds a Master of Arts degree in Global Policy from the University of Maine School of Policy and International Affairs (SPIA) in Orono, Maine.

New LinkedIn Data Details Why Recruiters Have The Power To Enable Change At Their Organizations

Posted in Commentary with tags on March 21, 2023 by itnerd

With the world of work being reshaped, employers are now rethinking everything including what they look for in candidates, where they find them, and how they attract and retain them. Now more than ever companies need more guidance. 

LinkedIn recently released a data report sharing 17 predictions for the future of recruiting, based on dozens of interviews with global talent leaders, surveys of thousands of recruiting pros, and analysis of billions of data points generated on LinkedIn.  

The data and insights center around five key themes ranging from internal mobility to skills-first hiring to employers remaining committed to DEI despite the current economic uncertainty. 

Key Global Findings Include: 

  • Three-out-of-four of recruiter respondents are saying that DEI hiring is being prioritized. 
  • Recruiters are 25% more likely to search for candidates based on skills than they were just three years ago. And more than 50% of recruiters are more likely to search for skills than by years of experience. 
  • Employees who work at companies with a high internal mobility tend to stay 60% longer than those at companies with a lower internal mobility. 

The full report can be viewed here.

Google Blocks Chinese App Pinduoduo Over Security Concerns

Posted in Commentary with tags on March 21, 2023 by itnerd

Google has suspended the Chinese shopping app Pinduoduo after discovering that versions of the app not in the Play Store have been found to contain malware and the current version is “not compliant with Google’s Policy”. With approximately 900 million users, Pinduoduo is one of China’s most popular e-commerce platforms.

“Off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” Ed Fernandez, a Google spokesperson said. 

Google Play Protect scans for malicious apps installed on Android phones and will recommend that users uninstall them. Play Protect currently prevents users from installing the Pinduoduo app.

Furthermore, a Pinduoduo spokesperson said in a statement to CNN, “We are communicating with Google for more information. We have been told that there are several other apps that have been suspended as well.” 

In a later statement Pinduoduo said it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google.”

It reiterated that “there are several apps that have been suspended from Google Play at the same time.”

Google Play has yet to confirm which other apps were suspended, and has asked users running off-store versions (that is, sideloaded ones) to uninstall them.

Ted Miracco, CEO, Approov had this to say:

   “Mobile attestation is the process involved in verifying that the app was signed by a trusted party and has not been modified since it was signed. If mobile app developers use Google Play Integrity for the attestation process involved, they leave substantial end-users out of the process as both Huawei and Xiaomi smartphones typically do not have access to Google Play attestation capabilities and many Samsung devices support app attestation through their own Samsung Knox (a mobile security platform that provides security features, including app attestation).

   “It is incumbent on developers to ensure that only genuine apps can access the APIs, otherwise they are opening up their users to the possibilities of malware or credentials being stolen from the app. Attestation across all mobile platforms is both necessary to protect APIs and to ensure the safety of the end users.”
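The API gate Miracco describes, as an added example in Python (not Approov’s or Google’s code): a backend accepts a request only if the decoded attestation verdict names the expected package and a trusted signing certificate, is bound to this request’s nonce, and is fresh. The verdict layout, the package name and the certificate digests are all assumptions.

```python
# Added example (not Approov's or Google's code): server-side gate that accepts an
# API call only when the decoded attestation verdict says the request came from
# the genuine, unmodified app. The field names (requestDetails / appIntegrity /
# deviceIntegrity) follow the Play Integrity decoded-verdict layout as the author
# of this example understands it; treat that layout as an assumption.

EXPECTED_PACKAGE = "com.example.shop"                        # constructed package name
TRUSTED_CERT_DIGESTS = {"PLACEHOLDER_RELEASE_CERT_SHA256"}  # placeholder, not a real digest
MAX_TOKEN_AGE_MS = 5 * 60 * 1000                            # verdicts older than 5 minutes are rejected
NOW_MS = 1_679_400_000_000                                  # constructed "current time" for the samples


def check_verdict(verdict: dict, expected_nonce: str, now_ms: int) -> tuple[bool, str]:
    """Return (accepted, reason) for one decoded verdict.

    Each check is a reason to refuse the API call: a replayed token, a stale
    token, a repackaged clone, an unknown signing key, or a device that fails
    basic integrity.
    """
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})

    # The nonce ties the verdict to this specific API request; a mismatch
    # means the token was replayed or minted for some other call.
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    ts = req.get("timestampMillis")
    if not isinstance(ts, int) or now_ms - ts > MAX_TOKEN_AGE_MS or ts > now_ms + 60_000:
        return False, "stale or future timestamp"
    # A repackaged app carries a different package name, an unrecognised
    # binary, or a signing key that is not the release key.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return False, "unexpected package name"
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app binary not recognised as the published one"
    if not set(app.get("certificateSha256Digest", [])) & TRUSTED_CERT_DIGESTS:
        return False, "signing certificate not trusted"
    if "MEETS_DEVICE_INTEGRITY" not in dev.get("deviceRecognitionVerdict", []):
        return False, "device integrity not met"
    return True, "ok"


def _sample(nonce: str, ts: int, verdict: str, digest: str) -> dict:
    """Build a constructed decoded verdict for the demonstrations below."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "nonce": nonce, "timestampMillis": ts},
        "appIntegrity": {"appRecognitionVerdict": verdict, "packageName": EXPECTED_PACKAGE,
                         "certificateSha256Digest": [digest]},
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    }


# Constructed samples: the genuine store build, a rebuilt clone signed with an
# unknown key, and a genuine token replayed after the freshness window.
GENUINE = _sample("nonce-abc123", NOW_MS - 2_000, "PLAY_RECOGNIZED", "PLACEHOLDER_RELEASE_CERT_SHA256")
CLONE = _sample("nonce-abc123", NOW_MS - 2_000, "UNRECOGNIZED_VERSION", "PLACEHOLDER_ATTACKER_CERT_SHA256")
REPLAYED = _sample("nonce-abc123", NOW_MS - 10 * 60 * 1000, "PLAY_RECOGNIZED", "PLACEHOLDER_RELEASE_CERT_SHA256")

if __name__ == "__main__":
    for name, v in (("genuine", GENUINE), ("clone", CLONE), ("replayed", REPLAYED)):
        print(name, check_verdict(v, "nonce-abc123", NOW_MS))
```

A backend that also serves Huawei, Xiaomi or Knox devices would run the same gate over whatever attester those platforms provide; the checks (nonce binding, freshness, package and signing-key identity) are the same.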

I didn’t see a mention of the Apple versions of this app in the CNN story. I am guessing that’s because it’s much harder (but not impossible) to slip such code into apps on Apple’s App Store. And apps on that platform need to be signed. Plus sideloading isn’t a thing on iOS. Some clarification on that would be handy. But if that’s the case, then as stated above, Google needs to move towards that sort of model as that will keep people safer.

Guest Post: 92% of organizations fell victim to phishing in the past 12 months

Posted in Commentary with tags on March 21, 2023 by itnerd

Phishing attacks remain a significant threat to organizations. According to the data presented by the Atlas VPN team, based on the survey conducted by Egress with 500 cybersecurity leaders, 92% of organizations were victims of phishing in the past 12 months, and 86% experienced negative consequences as a result.

The most commonly reported fallout from phishing attacks was financial losses from customer churn. Overall, 54% of surveyed organization leaders said they lost customers and revenue due to successful phishing attacks. 

A company’s reputation, which may have taken years or even decades to build, can be irreparably damaged in just seconds due to a single security breach. Reputational damage was reported by 47% of organizations that were impacted by phishing attacks in the last 12 months.

Moreover, over a fourth (27%) of organizations underwent lengthy remediations, while nearly a tenth (9%) faced legal repercussions.

However, phishing incidents did not only have repercussions for the victim organizations but also for the employees involved. In 30% of cases, the employees were disciplined as a result of the successful phishing event, while 22% of organizations reported that the employee was dismissed. In 18% of instances, employees left voluntarily.

72% of cybersecurity leaders express concern over AI’s use in phishing emails

Phishing has become an increasingly sophisticated cyber threat as cybercriminals continue to evolve their tactics. With the advancement of AI technology, there are concerns it may be misused to create more sophisticated cyberattacks. 

Specifically, 72% of cybersecurity leaders are expressing worries about the use of AI in email phishing attacks. Cybersecurity leaders within financial organizations are the most alert about AI’s use to craft phishing campaigns — 80% showed concern.

These concerns arise from the potential for AI to automate the phishing process, which can make attacks more efficient and scalable. Additionally, AI can create highly sophisticated and personalized phishing emails that are difficult to detect using traditional security systems. The use of deepfake technology to add video and voice capabilities to phishing attacks can make them even more dangerous. 

To read the full article, head over to: https://atlasvpn.com/blog/survey-92-of-organizations-fell-victim-to-phishing-in-the-past-12-months


Telstra Names Nitin Tikku as VP of Global Business Development for the Americas

Posted in Commentary with tags on March 21, 2023 by itnerd

Telstra has appointed Nitin Tikku as Vice President of Global Business Development for Telstra Americas, responsible for leading the company’s strategic business development and growth initiatives across the region and beyond.

Tikku brings more than 20 years of experience to his new role, with a successful record of driving revenue growth, leading sales teams, managing strategic relationships and identifying high-potential new business opportunities.

Prior to joining Telstra, Tikku held technical and sales leadership roles where he successfully designed, secured and managed multi-million-dollar contracts with U.S. federal government agencies, global system integrators and Fortune 500 companies. Most recently, he held the position of Senior Director of Sales at AT&T, responsible for the business management and growth of one of AT&T’s largest customers, a global system integrator.

Tikku holds a bachelor’s degree in electrical engineering from Drexel University, and a master’s degree in management of information technology from the University of Virginia.

Commvault Appoints Global Sales and Operations Leader Allan Timchuk as Area Vice President, Americas Sales

Posted in Commentary with tags on March 21, 2023 by itnerd

Commvault, an enterprise data protection leader for the complex and mission critical hybrid environments of today’s global businesses, today announced that Allan Timchuk has joined the company as Area Vice President, Americas Sales.

At Commvault, Timchuk will be responsible for the go-to-market strategy, customer engagements, and partner alignment in Canada and Latin America (LATAM). He will report to David Boyle, Senior Vice President, Americas Sales.

Timchuk brings a wealth of experience in executive sales leadership, global sales operations, and strategy within technology and security organizations, having worked in enterprise, commercial, government, and international markets. He has led teams helping customers use technology solutions to drive business value for more than two decades. He is committed to leveraging his creativity and transformational technology expertise to resolve customers’ business challenges.

Most recently, Timchuk was responsible for overseeing sales, customer engagement, and go-to-market for the Security Business Practice at VMware Canada. Prior to that, he held the role of COO for the Americas at Dell EMC Technologies Modern Data Center. In addition, Timchuk was the Director of Sales for government markets at SAS Canada for over five years, and had an 11-year tenure at EMC Corporation, responsible for sales and go-to-market strategy for government, commercial, and enterprise businesses for Eastern Canada.

Timchuk studied Industrial Design at Carleton University and is based in Ottawa, Ont.

Twitter Appears To Be Testing Using Government IDs To Sign Up For Twitter Blue

Posted in Commentary with tags on March 21, 2023 by itnerd

The folks at TechCrunch are reporting the following:

Twitter appears to be testing a new verification process for Twitter Blue subscribers that would involve submitting a government ID. Code-level insights reveal a process for sending in a photo of the user’s ID, both front and back, along with a selfie photo to verify their Twitter account. The feature is listed alongside others only available to Twitter Blue subscribers, like support for editing tweets, uploading longer videos, organizing bookmarks with folders and other paid subscription perks.

The ID upload feature was uncovered in Twitter’s code last week by product intelligence firm Watchful.ai, but it’s unclear for now if it’s being tested externally. The firm told TechCrunch it believes the feature is in testing in the U.S., where it was found in the Android version of the Twitter app. However, it doesn’t know how many (or if any) Twitter users are actually seeing the feature as of yet.

Seeing as the launch of Twitter Blue has been a train wreck next to a dumpster fire to say the least, and very few Twitter users have signed up for it, I guess that Elon was forced to come up with something that makes it less likely to be a train wreck next to a dumpster fire as this will stop the impersonations and the other stuff that happened when Twitter Blue first launched. As for getting people to sign up for Twitter Blue, I have to assume that this is one piece of a bigger puzzle to encourage Twitter users to sign up for Twitter Blue. And we’ll have to wait to see what those other pieces are.