New Account Compromise attack Offers Fake Jobs to Students in Exchange for sensitive Information

Posted in Commentary with tags on February 23, 2023 by itnerd

Today, Armorblox released its latest blog of a recent account compromise attack that targeted a large university. 

These emails, targeting over 160,000 end users and a much larger number of organizations outside as well from this compromised account in a trusted university, bypassed native Microsoft 365 Email Security (receiving an SCL score of -1) to land in victims’ inboxes. 

How it worked: the attack involved the use of a compromised account to execute a malicious email attack to university students about a (fake) job that was open for applications. Clicking the Apply Here button directed victims to a google form that included a summary of the position and asked for sensitive information such as address, phone number, bank name, full name, age, etc.

The blog post can be found here.

Leave a comment »

ESET discovers WinorDLL64 backdoor, likely part of the Lazarus arsenal

Posted in Commentary with tags on February 23, 2023 by itnerd

ESET researchers have discovered the WinorDLL64 backdoor, one of the payloads of the Wslink downloader. The targeted region, and overlap in behavior and code, suggest the tool is used by the infamous North Korea-aligned APT group Lazarus. Wslink’s payload can exfiltrate, overwrite, and remove files, execute commands, and obtain extensive information about the underlying system.

WinorDLL64 contains overlaps in both behavior and code with several Lazarus samples, which indicates that it might be a tool from the vast arsenal of this North Korea-aligned APT group.

The initially unknown Wslink payload was uploaded to VirusTotal from South Korea shortly after the publication of an ESET Research blog post on the Wslink loader. ESET telemetry has seen only a few detections of the Wslink loader in Central Europe, US, Canada, and the Middle East. Researchers from AhnLab confirmed South Korean victims of Wslink in their telemetry, which is a relevant indicator, considering the traditional Lazarus targets and that ESET Research observed only a few detections.

Active since at least 2009, this infamous North Korea-aligned group is responsible for high-profile incidents such as the Sony Pictures Entertainment hack, the tens-of-millions-of-dollars cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. US-CERT and the FBI call this group HIDDEN COBRA.

You can read more here.

Leave a comment »

Guest Post: Types of Adversarial Attacks and How To Overcome Them

Posted in Commentary with tags on February 23, 2023 by itnerd

 By Brad Fisher, CEO Lumenova AI 

Machine Learning powered algorithms are susceptible to a variety of adversarial attacks that aim to degrade their performance. Here’s what you need to know.

From deep learning systems to traditional models, ML-powered algorithms are susceptible to a variety of adversarial attacks that aim to degrade their performance.

Poisoning attacks

Poisoning attacks are used to corrupt the data on which a model trains, by introducing maliciously designed samples in the training set. Hence, we may consider poisoning to be the adversarial contamination of data, used to reduce the performance of a model during deployment.

This type of contamination may also occur during re-training, as ML systems often rely on data collected while they’re in operation.

Poisoning attacks usually come in two nuances. Some target the model’s availability, while others its integrity.

Availability attacks

The concept behind availability attacks is pretty simple. The purpose is to feed so much bad data into a system that it loses most of its accuracy, thus becoming obsolete. While availability attacks might be unsophisticated, they are broadly used and, unfortunately, lead to disastrous outcomes.

Integrity attacks

Integrity poisoning, also known as a backdoor attack is much more sophisticated. The goal of these attacks is to cause the model to associate a specific ‘backdoor pattern’ with a ‘clean target label’. This way, whenever the attacker plans on inserting malware into a model, they just need to include the ‘backdoor pattern’ to get an easy pass.

For example, imagine a company asking a new employee to submit his photo ID. Their photo will be fed to a facial recognition control system for security purposes. However, if the employee provides a ‘poisoned’ photo, the system will associate the malicious pattern with a clear pass, thus creating a backdoor for future attacks.

While your classifier might still function the way it should, it will be completely exposed to further attacks. As long as the attacker inserts the ‘backdoor’ string into a file, they will be able to send it across without raising any suspicions. You can imagine how this might play out in the end.

Backdoor attacks are very difficult to detect since the model’s performance remains unchanged. As such, data poisoning can cause substantial damage with minimal effort.

Evasion attacks

An evasion attack happens when an adversarial example is carefully tailored to look genuine to a human, but completely different to a classifier.

These types of attacks are the most prevalent and, hence, the most researched ones. They are also the most practical types of attacks since they’re performed during the deployment phase, by manipulating data to deceive previously trained classifiers. As such, evasion doesn’t have any influence on the training data set. Instead, samples are modified to avoid detection altogether.

For example, in order to evade analysis by anti-spam models, attackers can embed the spam content within an attached image. The spam is thus obfuscated and classified as legitimate.

Model extraction

The third type of adversarial attack is model stealing or model extraction. In this particular case, the attacker will probe a black-box ML system with the goal of reconstructing the model or extracting the data it was trained on.

Model extraction can be used, for example, if the attacker wishes to steal a prediction model that can be used for their own benefit. Let’s say a stock market prediction model.

Extraction attacks are especially delicate considering the adjacent data theft involved. Not only do you lose exclusivity to your ML model, but given the sensitive and confidential nature of data, it might lead to additional hardships.

White-box and black-box attacks

On top of the classification above, adversarial attacks can be further subcategorized as being white-box or black-box.

During a white-box attack, the attacker has complete access to the target model, its architecture and the model parameters. In a black-box attack, he does not.

Making ML models more robust

While there are no techniques that guarantee 100% protection against adversarial attacks, some methods can provide a significant increase in defense.

Adversarial training

Adversarial training is a brute-force solution. Simply put, it involves generating a lot of adversarial examples and explicitly training the model not to be fooled by them.

However, there is only so much you can feed a model in a given time frame, and the list of adversarial attacks is, unfortunately, not an exhaustive one.

Defensive distillation

As opposed to adversarial training, defensive distillation adds some flexibility to the equation. Distillation training employs the use of two different models.

Model 1: The first model is trained with hard labels in order to achieve maximum accuracy. Let’s consider a biometric scan, for example. We train the first system, requiring a high probability threshold. Subsequently, we use it to create soft labels, defined by a 95% probability that a fingerprint will match the scan on record. These lower accuracy variations are then used to train the second model.

Model 2: Once trained, the second model will act as an additional filter. Even though the algorithm will not match every single pixel in a scan (that would take too much time), it will know which variations of an incomplete scan have a 95% probability of matching the fingerprint on record.

To sum up, defensive distillation provides protection by making it more difficult for the scammer to artificially create a perfect match for both systems. The algorithm becomes more robust and can easier spot spoofing attempts.

Final words

The constant effort which goes into AI research is ever-growing. Slowly, but steadily, Machine Learning is becoming a core element in the value proposition of organizations worldwide. At the same time, the need to protect these models is growing just as fast.

Meanwhile, governments around the globe have also started to implement security standards for ML-driven systems. In its effort to shape the digital future, the European Union has also released a complete checklist meant to assess the trustworthiness of AI algorithms: ALTAI.

Big industry names such as Google, Microsoft, and IBM have already started to invest both in developing ML models, but also in securing them against adversarial attacks.

Have you raised your defenses?

Leave a comment »

New Salesforce for Communications Innovations Announced At MWC

Posted in Commentary with tags on February 23, 2023 by itnerd

Today, as part of Mobile World Conference, Salesforce announced a series of innovations tailored to the communications industry that feature analytics, AI intelligence, and prebuilt solutions that automate common processes to boost customer experiences while driving down operational costs. The company also announced new integrations with WhatsApp and Infosys.

With the new features, communications providers can:

  • Accelerate time-to-value and deliver better customer experiences with enhanced agent performance through Salesforce’s new Contact Center for Communications. 
  • Leverage data and AI-powered insights to predict order delays and recommend fulfillment dates. 
  • Enrich communications and meet customers where they are through new WhatsApp integrations. 

You can read full release linked here as it has way more details.

Leave a comment »

Twelve Canadian startups joining the Google for Startups Accelerator: Canada Cohort Class of 2023

Posted in Commentary with tags on February 23, 2023 by itnerd

A total of 12 startups from across Canada will be participating in our 2023 Google for Startups Accelerator Canada program. Supporting the next generation of Canadian founders and kicking-off our first accelerator cohort of the year, the 10-week, equity-free program is designed to bring the best of Google’s programs, products, people and technology to Canadian startups – at a time when AI continues to advance.

Now in its fourth year, the Google for Startups Accelerator builds on Google’s continued support for Canada’s startup ecosystem. The program is one of five accelerators developed specifically for Canadian companies, others include the Cloud Accelerator,Women Founders AcceleratorBlack Founders Accelerator, and the Climate Change Accelerator. 

The participating startups are:

  • Bidmii (Toronto) is an online marketplace that quickly connects homeowners and contractors for home improvement projects, guaranteeing payment security for each party by holding payments in trust.
  • Chimoney (Toronto) enables businesses to send payments to phones, emails and Twitter, regardless of scale, currency, country and other factors.
  • Clavis Studio (Edmonton) is an AI and /machine learning (ML)-driven design, visualization, and sourcing platform that provides a marketplace for designers and decorators to source new clients and use supporting tools to deliver their projects.
  • Foqus Technologies (Toronto) is an AI and quantitative imaging technology company that designs and develops software solutions to enhance the speed and quality of MRI scans.
  • Gryd Digital Media (Winnipeg) is a PropTech company that has developed a suite of products and services designed to deliver increased efficiencies, increased asset value, and reduced costs to property owners, managers, and REITs nationwide.
  • Morpheus.Network (Burlington) focuses on helping companies and government organizations eliminate inefficiencies and remove barriers to optimize and automate their supply chain operations.
  • Moves (Toronto) is building the collective of the gig economy, solving financial challenges associated with being a gig worker, and the lack of representation and ownership gig workers experience.
  • My Choice (Toronto) is an insurance aggregator that partners with insurance companies and brokerages to bring customers the power of choice and transparency through seamless, personalized user experiences and automation.
  • SalonScale Technology Inc. (Saskatoon) is the salon industry’s leading B2B SAAS provider in professional goods management, providing solutions that address the rising cost of salon supplies.
  • ShareWares (Vancouver) Has developed a platform that pairs technology with current city infrastructure to allow reusable cups and food containers to be bought, returned, tracked, and processed for resale. Stay tuned as food packaging is just the beginning.
  • Tablz (Ottawa) is a 3D bookings platform that lets diners upgrade to the seat of their preference, while generating net new profit for restaurants.
  • TrojAI (Saint John) helps enterprises manage AI risk through stress testing and audit of AI/ML models.

You can read the blog post here.

Leave a comment »

Rezilion Research Discovers Hidden Vulnerabilities in Hundreds of Docker Container Images

Posted in Commentary with tags on February 23, 2023 by itnerd

Rezilion announced today the release of the company’s new research, “Hiding in Plain Sight: Hidden Vulnerabilities in Popular Open Source Containers,” uncovering the presence of hundreds of docker container images containing vulnerabilities that are not detected by most standard vulnerability scanners and SCA tools.

The research revealed numerous high severity/critical vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively. This includes high-profile vulnerabilities with publicly known exploits. Some of the hidden vulnerabilities are known to be actively exploited in the wild and are part of the CISA known exploited vulnerabilities catalog, including CVE-2021-42013, CVE-2021-41773, CVE-2019-17558.

This finding follows Part I of the research, released in October, which was the first quality assessment for leading open-source and commercial vulnerability scanners and SCA tools. The vulnerability scanner benchmark survey discovered the most common causes for scanner misidentifications, including false positive and negative results.

The new research dives deeper into one of the root causes identified in the assessment – inability to detect software components not managed by package managers. The study explains how the inherent method of operation of standard vulnerability scanners and SCA tools relies on acquiring data from package managers to know what packages exist in the scanned environment, making them susceptible to missing vulnerable software packages in multiple common scenarios in which software is deployed in ways that circumvent these package managers. This research shows precisely how wide this gap is and its impact on organizations using third-party software. The report provides numerous real-world examples of some of the most popular docker container images that contain dozens of such hidden vulnerabilities. The report also offers recommendations on minimizing the risk presented in the research.

According to the report, package managers circumventing deployment methods are extremely common in Docker containers. The research team has identified over 100,000 container images that deploy code in a way that bypasses the package managers, including most of DockerHub’s official container images. These containers either already contain hidden vulnerabilities or are prone to have hidden vulnerabilities if a vulnerability in one of these components is identified.

The report identifies four different scenarios in which software is deployed without interaction with package managers, such as the application itself, runtimes required for the operation of the application, dependencies as are necessary for the application to work, and dependencies required for the deployment/build process of the application that are not deleted at the end of the container image build process and shows how hidden vulnerabilities can find their way to the container images.

To download the full report, please visit: https://info.rezilion.com/scanner-research-part-ii

Leave a comment »

New Attack Brief Finds Hackers Exploiting “Best Note Taking App” to Host Malicious BEC Phishing Campaign

Posted in Commentary with tags on February 23, 2023 by itnerd

Avanan, a Check Point Software Company, has revealed a new attack brief on how threat actors use Evernote’s legitimacy, an online note-taking and task management application, to help make their Business Email Compromise (BEC) attacks even more convincing.  

In this phishing attack, hackers use Evernote links to host malicious messages sent in BEC phishing attacks on users by compromising a company executive, in this case, the organization’s president, to send out emails with an attached “secure” message to the victims. 

The recipients have an unread email in their inbox encouraging them to click on the provided link to view the message, which directs them to an Evernote page. Susceptible, vulnerable employees, to their dismay, are led to a fake login page the attackers exploit and leverage to steal credentials. 

You can read the attack brief here.

Leave a comment »

Time To Deploy Ransomware Down… Successful Ransomware Prevention Up: IBM

Posted in Commentary with tags on February 22, 2023 by itnerd

According to IBM, ransomware prevention saw massive improvements in 2022, while ransomware time to deploy (TTD) dopped by 94%, just two findings derived from billions of datapoints collected in 2022 from network and endpoint devices by IBM and reported on in their “X-Force Threat Intelligence Index 2023.” This is a wide-ranging report with excellent stats:

  • 27% – Percentage of attacks included extortion – 30% aimed at manufacturing
  • 21% – Share of incidents that saw backdoors deployed – the top action on objective
  • 17% – Ransomware’s share of attacks (down from 21% in 2021)
  • 41% – Percentage of incidents involving phishing for initial access
  • 26% – Exploited public-facing applications
  • 100% – Increase in the number of thread hijacking attempts per month

Top impacts 2022

  • 21% – Extortion
  • 19% – Data theft
  • 11% – Credential harvesting
  • 11% – Data leak
  • 9% – Brand reputation

This is a bit of mixed bag. But at least the fact that ransomware is being stopped is good news.

Morten Gammelgaard, EMEA, co-founder of BullWall had this to say:

   “It is excellent news that ransomware prevention is improving, if for no other reason than it diverts cybercriminals away from executing attacks to developing new tactics, which they will. With extortion, data theft, data leaks and brand reputation being the top 4 out of 5 ways ransomware impacted organizations in 2022, organizations cannot rely solely on prevention and need to also consider active defense/containment strategies to catch the attacks that bypass prevention-based tools. When an active attack is unable to encrypt or exfiltrate data, organizations are given time to respond, eliminating 80% of the potential impact to their business.”
 

David Maynor, Senior Director of Threat Intelligence at Cybrary followed up with this:

“There are three kinds of lies: lies, damn lies, and ransomware stats. For the last couple of months depending on who you ask ransomware attacks and becoming less of a problem or they are increasing. If your risk model is based on arbitrary thresholds like at 20% we don’t address it but we take it seriously at 21% of attacks seen…you have already lost and a ransomware actor is probably watching you read this.”

Hopefully when this report comes out in 2024, we see more ransomware being stopped which means by extension that ransomware is less profitable for the people behind ransomware.

Leave a comment »

Guest Post: Car Theft Is Out Of Control Right Now…. Here’s Some Tips From ESET Canada In Terms Of How You Can Protect Yourself

Posted in Commentary with tags on February 22, 2023 by itnerd

The technology in our cars is advancing by leaps and bounds, but as far as vehicles have come with automated features and expanded entertainment options, thwarting the car thief has proven to be an elusive endeavor. 

York Regional Police recently reported more than 2,000 vehicles have been stolen in their jurisdiction over the past year, and they are noting the criminals are using technology to their advantage. They start by identifying high-end vehicles in public places — like a shopping mall parking lot — and place an “AirTag” tracking devices discreetly on the vehicle. This allows them to follow the vehicle to the owner’s house where they use more technology — an electronic device used to reprogram a car’s factory setting — to hack into a car’s computer and re-program it to accept the key they brought with them. 

The car thieves then simply drive the car away. 

Car thieves have also been known to steal a car by relaying the signals of the contactless key to give them a method to gain access to and start the car without having the key present. Two thieves work in tandem — one uses a transmitter in close proximity to the car key and the other has a receiver beside the car. If a vehicle owner stores their keys just inside the front door (quite a common practice), the transmitter will pick up that signal and relay it to the accomplice at the car, allowing them to get the door open and start the vehicle without causing it any damage.

“These acts may seem like technological voodoo, but they can actually be quite easy for criminals to pull off,” says Tony Anscombe, Chief Security Evangelist with ESET Canada. “All it takes is the right equipment, which is easily accessible, and as technology advances, this equipment becomes cheaper and cheaper.”

Car owners are not powerless against this, but interestingly enough many of the solutions against these high-tech crimes are decidedly low-tech: 

  • Protect your keys. Key to thwarting the thieves is to deny them access to the signal from your key fob. This can be accomplished with something as simple as a tin box for storing keys, or storing your keys away from the front door of your home. A secure faraday pouch or bag will also block theft of the fob’s signal, especially if you are out and about. 
  • Conceal your vehicle. It is a wise idea to store your expensive car in a locked garage. 
  • Secure your vehicle. If a garage is not an option, simply locking your doors will not be enough of a deterrent for a determined criminal. An alarm system helps, and a steering wheel lock is not only effective, but it is also a visual deterrent from even trying to steal your car. 
  • Lock the data port. The car’s OBD data port is where thieves will access your car’s computer. A simple lock can be purchased online that will protect this port from being accessed by unauthorized folks. 
  • Get it on video. Surveillance cameras trained on your driveway will record any activity there. Today’s systems are advanced elements of your smart home, and many allow remote access so you can keep an eye on your property from a far. 

Leave a comment »

Activision Has Been Pwned As It Were A N00b Playing Call Of Duty

Posted in Commentary with tags on February 22, 2023 by itnerd

It appears that video game company Activision has been pwned by hackers. And this hack is really bad. Here’s a quick synopsis:

  • Sunday 2/19 – Cybersecurity research group vx-underground Tweeted screenshots of data purportedly stolen from Activision, including a content release schedule for Call of Duty.  “Activision did not tell anyone.”
  • Monday 2/20am – Insider Gaming said it confirmed the Activision data breach after obtaining “the entirety” of the stolen data (not published by vx-underground).
  • Monday 2/20pm – Nothing to see here: “Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed.” Activision confirmed to Bleeping Computer that their systems were breached through an SMS text phishing attack on an HR employee, gaining access to their Slack on December 2 and tried to trick other employees into clicking malicious links..
  • However, Insider Gaming claims to have reviewed the entirety of the stolen data, saying the data also contained sensitive employee information, including full names, emails, phone numbers, salaries, places of work, and more.

And seeing as they are being purchased by Microsoft, this could not have come at a worse time for the company. And Activision’s response to this has been, shall we say, sub-optimal.

David Maynor, Senior Director of Threat Intelligence at Cybrary had this to say:

   There is no one “SOP” for breaches. This timeline shows a typical public reaction to a breach. Some entity, in this case VX-Underground, notices something on a market and tells the world about it. Reporters that follow VX-Underground use it as a tip and suddenly the victims switchboard/email server gets loaded with requests for comment. 

   “There is also the fog of war effect where different people have different parts of a puzzle and make assumptions. This leads to different hot takes contradicting each other.

   “From the trial last year of the Uber CISO, Joseph Sullivan, we know that big corps can handle breaches differently. What I can say from personal experience is that the responses to questions as well as public statements are approved by if not written by a crisis communications team. The default response is deescalate, deflect, then deny. This is why the infosec community values technically insightful Root Cause Analysis (RCA) from a victim.”

Tim Morris, Chief Security Advisor, AMER at Tanium follows up with this:

   “There is conflicting information on this one. Specifically, about what was accessed /stolen. Regardless, the initial attack vector was a social engineered phishing/smishing attack, obtaining access via SMS / 2FA. Proving once more that SMS / 2FA isn’t the most robust form of authentications and other, stronger MFA methods should be used.

   “Also, training of users is still needed. Users should treat SMS messages with the same scrutiny as email phishing scams. Be wary of phone calls from “IT Support”. Unless initiated by the user, they should be suspect. Either ignore or call back to a known number. For SMS, ignore and never give out any 2FA codes sent via text.

   “Principle of least privilege needs to be implemented, so that if/when an employee’s account credentials are stolen the “blast radius” is small, i.e. what the attacker has access to is minimized. Threat hunting, good incident response, and monitoring are key to find these intrusions quickly, and limit their reach.

   “Have a good PR plan on what to do when a breach happens. This successful attack happened two and a half months ago, and is only public now because some leaked data was published on vx-underground.”

Given the profile of Activision who makes the Call Of Duty franchise, and their relationship with Microsoft, a lot of eyes are going to be on this one. If I were Activision, I’d be working very hard to find out what happened, what was stolen, and how to stop this from happening again. Then I would put all of that out in the public domain as quickly as possible. Because right now, Activision look like a bunch of n00bs.

Leave a comment »

« Older Entries
Newer Entries »