For QNAP, The Hits Keep Coming As Yet Another Security Issue Disclosed

Posted in Commentary with tags on June 23, 2022 by itnerd

Seriously, QNAP can’t catch a break when it comes to security issues related to their NAS devices. Days after this security flaw was announced, a brand new one has surfaced:

A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config. If exploited, the vulnerability allows attackers to gain remote code execution. 

For CVE-2019-11043, there are some prerequisites that need to be met, which are:

  1. nginx is running, and
  2. php-fpm is running.

As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not affected by this vulnerability in the default state. If nginx is installed by the user and running, then the update should be applied as soon as possible to mitigate associated risks.

So in English, if you run non-default software (nginx plus php-fpm) on your QNAP NAS, you could get pwned. Some fixes are already out, and more are to come. To be honest, I see this vulnerability as an edge case. But given QNAP’s recent history of security issues, it will put the NAS vendor under even more scrutiny than it is now.
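Since the advisory ties exploitability to the nginx configuration rather than to the PHP version alone, anyone who installed nginx on their NAS should check how each PHP location block hands PATH_INFO to php-fpm. The following Python script is an added example, not QNAP’s or nginx’s own code. It flags the location shape described in the public CVE-2019-11043 writeups: `fastcgi_split_path_info` feeding `fastcgi_param PATH_INFO $fastcgi_path_info` into a `fastcgi_pass` backend with no `try_files ... =404` (or `if (!-f ...)`) guard that rejects requests for scripts that do not exist. The two configs embedded in it are constructed for this example; the socket path, document root and listen port are assumptions.

```python
"""Audit nginx configs for the PATH_INFO handling that CVE-2019-11043 requires.

Added example, not QNAP's or nginx's own code. Flags php-fpm location blocks
where PATH_INFO comes from fastcgi_split_path_info and nothing rejects
requests for scripts that do not exist. Sample configs are constructed.
"""
import re

# Constructed sample: the location shape described in the CVE-2019-11043 writeups.
# Socket path, document root and port are assumptions for this example.
VULNERABLE_CONF = r"""
server {
    listen 80;
    root /share/Web;
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        include fastcgi_params;
    }
}
"""

# Constructed sample: the same block with the commonly recommended guard in front.
HARDENED_CONF = r"""
server {
    listen 80;
    root /share/Web;
    location ~ [^/]\.php(/|$) {
        # Return 404 before php-fpm is involved when the script does not exist.
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        include fastcgi_params;
    }
    location /static/ {
        try_files $uri =404;
    }
}
"""


def strip_comments(config: str) -> str:
    """Drop '#' comments so a commented-out try_files is not counted as a guard."""
    return re.sub(r"#[^\n]*", "", config)


def location_blocks(config: str):
    """Yield (header, body) for every location block, matching braces by depth."""
    for m in re.finditer(r"location\s+[^{;]+\{", config):
        depth, i = 1, m.end()
        while i < len(config) and depth:
            if config[i] == "{":
                depth += 1
            elif config[i] == "}":
                depth -= 1
            i += 1
        yield m.group(0)[:-1].strip(), config[m.end():i - 1]


def audit(config: str) -> list:
    """Return one finding per location that forwards PATH_INFO to php-fpm unguarded."""
    findings = []
    for header, body in location_blocks(strip_comments(config)):
        to_fpm = re.search(r"\bfastcgi_pass\b", body) is not None
        splits = re.search(r"\bfastcgi_split_path_info\b", body) is not None
        path_info = re.search(
            r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info", body) is not None
        # Either guard makes nginx answer 404 itself for a non-existent script.
        guarded = (re.search(r"try_files\s+[^;]*=404", body) is not None
                   or re.search(r"if\s*\(\s*!-f\s", body) is not None)
        if to_fpm and splits and path_info and not guarded:
            findings.append({
                "location": header,
                "reason": "PATH_INFO from fastcgi_split_path_info reaches "
                          "php-fpm with no try_files/-f existence check",
            })
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

Run it against the real file with `audit(open("/etc/nginx/nginx.conf").read())`. It does not follow `include` directives, so audit included snippets separately, and adding the guard is a mitigation rather than a substitute for the php-fpm update the advisory points to.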

Auto Parts Maker Nichirin Pwned By Ransomware

Posted in Commentary with tags on June 22, 2022 by itnerd

Japanese automotive hose maker Nichirin has been hit by a ransomware attack forcing it to shut down its computerized production controls, as reported by Reuters:

“We are investigating what impact this may have on our customers, and we will promptly disclose any necessary information,” the company said.

Nichirin also posted a warning on its website about possible spoof emails that appeared to be from the company and asked recipients not to open any attached files.

Darren Williams, CEO of BlackFog has offered some perspective on this:

“We continue to see threat actors targeting manufacturers in the automotive, infrastructure and government sectors. Cyber criminals continue to target organizations with older infrastructure and a lack of investment in cyber security, in terms of both product and personnel. These industries continue to outpace the rest of the market in terms of attacks. It should serve as a reminder that even the smallest contributors to the supply chain must do their part to defend against cyberattacks.”

Additionally, the UK has decided not to impose regulations on the cyber security profession after an 8-week consultation conducted by the Department for Digital, Culture, Media and Sport. The UK Cyber Security Council will proceed with its planned chartered standards, as the Government monitors their adoption. In response, Artur Kane, VP of Product at GoodAccess, offers some perspective:

“According to Forbes, there are nearly 465,000 unfilled cyber jobs across the US. At the same time, the number of cyber-attacks has never been so high in history. While society becomes more digitized and wars move more often into the cybersecurity space, those nations who want to be relevant must support their digitalization notions with strong security legislation. The lack of unfilled jobs must be supported through investments in education, but without clear directives on skills, roles and frameworks, graduates rarely leave school fully prepared for their new jobs. This leaves much of the work of recruiting and requalifying employees to organizations, inherently slowing down the whole process and raising costs. Also, the diversity in approaches leads to varying quality and leaves some organizations more vulnerable. The UK’s Embedding Standards and Pathways Across the Cyber Profession by 2025 has the potential to fill those gaps. With the decision to postpone its enforcement the UK government heard the voices of organizations, which is a good thing in a democratic society, but on the other hand we have learnt from history that for big changes to make an impact, more swift adoption is required. GDPR was controversial, not ideally communicated and left quite a big space for speculative understanding of some standards, yet we are now all thankful that this directive exists. Yes, companies struggled at the beginning to adopt those standards, but by enforcing it and leaving a protective period when fines were waived, companies felt the urgency and acted swiftly towards full adoption. Postponing the enforcement of the Embedding Standards might be a generous thing but will inherently compromise the speed at which the UK solves one of the most crucial problems of a fully digital and globally competitive country.”

You can see how crippling an attack like this can be. Thus every company needs to make sure that their defences are in tip top shape and that they have the people required to fight this sort of battle if they have to, or make sure that they are in a position never to have to fight this sort of battle.

Bill C-11 Passes…. Why This Is An Incredibly Dumb Idea From The Canadian Government

Posted in Commentary with tags on June 22, 2022 by itnerd

Last night, Canada’s parliament approved legislation that targets what video and audio-sharing platforms like YouTube and TikTok can broadcast to a Canadian audience via bill C-11. In short, this is what the bill purports to do (via the Wikipedia link):

The bill seeks to amend the Broadcasting Act to account for the increased prominence of internet video and digital media, and to prioritize the “needs and interests” of Canadians, and the inclusion and involvement of Canadians of diverse backgrounds in broadcast programming. It adds undertakings that conduct “broadcasting” over the internet to the regulatory scope of the Canadian Radio-television and Telecommunications Commission (CRTC), which would give the CRTC the power to regulate almost all audiovisual content distributed via online platforms (including monetized content on social media services). This can include compelling them to make use of Canadian talent, mandating that they make contributions to the Canada Media Fund to support the production of Canadian content, and improve the discoverability of Canadian content on their platforms. 

Alongside this, the bill also removes the seven-year term limit for CRTC-issued broadcast licenses (a regulatory process which will not apply to internet broadcasters), adds a mechanism of imposing “conditions” on broadcasters without them being bound to a license term, and introduces monetary fines for violating orders and regulations issued by the CRTC.

That all sounds good. But it isn’t good. Take a Canadian YouTuber like Linus Sebastian or Rene Ritchie. The YouTube algorithm curates and recommends videos based on feedback from users, from how long a video is watched to how quickly it is skipped. So if their videos are promoted by YouTube to adhere to Bill C-11 and the content isn’t a match for the viewer, the viewer may skip the video, causing the creator’s channel to drop in visibility. The bill would also regulate the types of advertising a Canadian creator’s channel can have. That would significantly limit their sources of revenue.

Creators are going to discover very quickly that the kind of content that has previously been successful on YouTube is no longer successful on a Bill C-11 regulated YouTube. As a result, they will have to change the nature of the content they make in order to make it more overtly Canadian…. Whatever that means. In short, the Canadian Government is killing the people that they’re trying to protect. The thing is that this feedback was provided to the Canadian Government in various hearings on Bill C-11, and it was ignored. Which makes me wonder what the Canadian Government’s true agenda is when it comes to this bill.

Here’s another thing to consider. Canadians on platforms like YouTube punch well above their weight. Linus Sebastian has 14.6 million subscribers for example, which makes him one of the top YouTube creators on the planet. There are many other Canadians on YouTube, TikTok and whatever other platforms are out there who are among the top creators. Thus I don’t think that Canadians need the “protection” that this bill supposedly provides.

But there’s really a darker thing that should concern you about Bill C-11. This bill gives the CRTC the power to regulate the pictures, podcasts and videos every Canadian posts online as ‘broadcasting’ content. So if you post an Instagram reel, the CRTC could knock on your door. Something that the CRTC admits is true. But they promise that they won’t use that power.

That falls under the category of not believable because if someone gives you power, you’re going to use it at some point.

The reason why this is the case is that this bill sets no revenue threshold on who it will target, meaning every Canadian on every platform could soon be forced to make Canadian content contributions, or potentially get into trouble if the CRTC decides that they didn’t. Which is a #Fail.

The only hope for Canadians who like things the way they are is that the Senate will step in and either shoot this bill out of the sky or send it back to parliament for major revisions. But even if that doesn’t happen, I would keep this in mind. This bill was passed by the Liberal Party with help from the NDP and the Bloc Québécois. Seeing as Canada has a minority government, which means an election could be called at any time, keep that in mind the next time a federal candidate from any of those parties comes knocking at your door asking for your support. Because frankly, based on how broken this bill is, they don’t deserve it.

Products Prevalent In Many Important Industries Are Home To Dozens Of Vulnerabilities

Posted in Commentary with tags on June 21, 2022 by itnerd

Security researchers have disclosed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products that they say demonstrate significant “insecure-by-design” practices.

Forescout issued the OT:Icefall report today, naming products prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation.

The vulnerabilities are divided into four main categories:

  • Insecure engineering protocols
  • Weak cryptography or broken authentication schemes
  • Insecure firmware updates
  • Remote code execution (RCE) via native functionality

Of the 56 vulnerabilities:

  • 38% allow for compromise of credentials
  • 21% allow for firmware manipulation
  • 14% allow remote code execution

And 74% of the affected product families have some form of security certification.

I have a pair of comments on this report. The first is from Rajiv Pimplaskar, CEO, Dispersive Holdings, Inc.:

“As the report illustrates, critical infrastructure industries that utilize ICS SCADA systems and IoT devices pose appealing soft targets for threat actors as a significant percentage of the estate has vulnerabilities. Also, they tend to fall out of the purview of the IT organization’s responsibility and its cyber security program. Oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation and other operations technology (OT) intensive businesses should be especially vigilant and actively secure their OT estate using zero trust strategies and leveraging next gen VPN technologies that are capable of protecting both IT and OT assets.  A key strategy is cloud obfuscation where source and destination relationships and sensitive data flows are anonymized and privatized using a smart secure communications overlay that makes it virtually impossible for a bad actor to even detect and target such vulnerable devices in the first place.”

Garret Grajek, CEO, YouAttest had this to say:

“This is an extremely alarming but not surprising finding. Hackers often go at known vulnerabilities in software – that’s noted and publicized. But deployment and misconfiguration errors are really the bread and butter. How the engineering pieces fit together is where the gaps usually are – and can be exploited. This is where man-in-the-middle attacks, form hacking and hijacking of sessions occur. Thorough pen testing through automated and manual means is a must to eliminate these errors – including a thorough overview of system and admin privileges.”

The report is very much worth reading because it seriously got my attention. Which means that if you’re in any of the sectors outlined in the report, it should get your attention.

UPDATE: I have three additional comments. The first is from Ron Fabela, Co-founder and CTO of SynSaber:

“While the breadth and depth of the vulnerabilities identified in OT:ICEFALL seem like a doomsday scenario, Forescout has just outlined what many of us in the industry already know: Protocols are not secure, unauthenticated, and other ‘insecure by design’ engineering choices that were never really meant to be CVEs. Again, these are not vulnerabilities as information security would identify them, but truly ‘that’s not a bug, it’s a feature’ for industrial. Protocols were designed to not use authentication, and although there are secure options for industrial protocols, there has been slow adoption. ‘Protocol does not use authentication’ could generate thousands of CVEs across multiple vendors and business lines, because there was never meant to be authentication. But does generating thousands of CVEs, tying up vendor product security teams and asset owners, really cause a positive impact on the security of our critical infrastructure? The OT:ICEFALL report is well constructed, highly detailed, and great insight from a security perspective on legacy ICS ‘vulnerabilities,’ however, because CVE numbers are being generated, this will trigger a swell of unnecessary tracking and management of vulnerabilities with no patch and few mitigations.”

The second is from Chris Olson, CEO of The Media Trust:

“The ongoing convergence of information technology (IT) and operational technology (OT) has paved the way to an ever-expanding host of OT vulnerabilities that will continue to threaten public safety and national security for years to come. Even when OT systems are designed with cybersecurity in mind, an unsafe IT perimeter creates channels which global cyber actors can use to compromise critical infrastructure, especially when remote industrial control systems (ICS) come into play.”

“Today, geopolitical tensions and the growing possibility of cyberwarfare makes OT vulnerabilities a preoccupation for nation state actors. Following the Florida Water Supply hack, the attack on Colonial Pipeline and many similar incidents, these vulnerabilities represent a proven threat to the United States. In response, organizations throughout the public and private sector should not only be taking steps to secure OT, but also to harden their IT defenses and lock down their digital ecosystem.”

The third is from Christopher Prewitt, Chief Technology Officer of Inversion6:

“IoT devices are often developed as commodity products that aren’t treated as enterprise products. The IoT software development process is immature, and the focus is not on security and the software lifecycle but on immediate functionality and value to the consumer.”

“Some product developers have been improving security within their product sets for some time, but this is a long, slow evolution, as some products may exist in the market for more than a decade. At the time of development, there was no concern for how we would maintain this software for 10 to 15 years: how updates would be provided, how code would be compiled as processors, chipsets and compilers come and go.”

“In some cases, you may have a computer or software that is tied to a piece of industrial or healthcare equipment that is expected to have a 10- or 20-year life. Not enough thought was given to managing the hardware and software componentry.”

Email Threats Spike 101% Year Over Year Says Trend Micro

Posted in Commentary with tags on June 21, 2022 by itnerd

Trend Micro announced today that it blocked over 33.6 million cloud email threats in 2021, a 101% increase on the previous year. This stark increase in attacks underlines that email remains a top point of entry for cyber attacks.

The data was collected over the course of 2021 from products that supplement native protection in collaboration platforms such as Microsoft 365 and Google Workspace. 

Other key findings include:

  • 16.5 million detected and blocked phishing attacks, a 138% increase as the hybrid workforce continued to be targeted
  • 6.3 million credential phishing attacks, a 15% increase as phishing remains a primary means of compromise
  • 3.3 million malicious files detected, including a 134% surge in known threats and a 221% increase in unknown malware

More positively, ransomware detections declined 43% year-over-year. This could be because attacks are becoming more targeted, along with Trend Micro’s successful blocking of ransomware affiliate tools such as Trickbot and BazarLoader.

Business email compromise (BEC) detections also fell by 11%. However, there was an 83% increase in BEC threats detected using Trend Micro’s AI-powered writing style analysis feature, indicating that these scams may be getting more sophisticated.

To read a full copy of the Cloud App Security Threat Report, please visit: https://www.trendmicro.com/vinfo/us//security/research-and-analysis/threat-reports/roundup/trend-micro-cloud-app-security-threat-report-2021

Retrospect Announces Retrospect Cloud for Simple Offsite Data Protection

Posted in Commentary with tags on June 21, 2022 by itnerd

Retrospect™, a StorCentric company, today announced Retrospect Cloud Storage, Retrospect Backup 19, and Retrospect Virtual 2022. With Retrospect Cloud Storage integrated into Retrospect, businesses have a complete ransomware protection and detection solution that encompasses on-premises and cloud protection. Retrospect Cloud Storage is a low-cost, high-availability (HA) cloud storage service, with 13 data centers located around the world. Retrospect Cloud Storage has been one of the most requested features from Retrospect’s customers, combining the simplicity of a single subscription with seamless integration into Retrospect Backup.

Ransomware continues to hamper businesses around the world, locking them out of their business workflows and demanding exorbitant payments. With the availability of Ransomware-as-a-Service (RaaS), those attacks will become even more frequent, targeting ever-wider segments of businesses. Organizations need tools to defend themselves, both to protect their data and to detect early signs of intrusion.

With Retrospect Backup 19 and Retrospect Virtual 2022, businesses around the world can now protect their critical infrastructure on Retrospect Cloud Storage, with complete support for immutable backups and anomaly detection, as well as on-premises with Retrospect’s deep support for NAS devices, including the new Nexsan EZ-NAS unit with Retrospect built-in, and tape libraries, including LTO-9 support.

Retrospect Cloud Storage is built on Wasabi Technologies’ Hot Cloud Storage, providing fast object storage. Retrospect Cloud Storage leverages that foundation to provide advanced data protection features like immutable backups. With Retrospect’s AES-256 at-rest encryption, sensitive data can be backed up to Retrospect Cloud Storage while remaining private from the underlying infrastructure provider, including Retrospect, Inc. and Wasabi Technologies. Using Retrospect Cloud Storage alongside multi-homed backups following the 3-2-1 backup rule, businesses get encrypted on-premises and cloud copies that protect them against ransomware attacks.

Retrospect Backup 19

Also included in Retrospect Backup 19:

  • Backup Comparison: Businesses need to understand not only what is in a backup but what changed between backups. Using anomaly detection and backup comparison, administrators can identify exactly which files changed to signal an anomaly and evaluate their contents to confirm genuine ransomware infections.
  • OS Compliance Checks: Many ransomware variants depend on unpatched systems for infiltration. Retrospect Backup now utilizes its extensive footprint to aggregate system information and identify systems that are out of compliance with the latest version of each operating system.

In addition, Retrospect Backup 19.1 will be released on August 30 with the following features:

  • Multi-Factor Authentication (MFA): Identity protection is important even for on-premises applications. Retrospect Backup will support configuration encryption and multi-factor authentication combined with a password prompt. Even if an attacker gains administrative access to the computer where Retrospect Backup runs, they will not be able to access the program or the configuration files.
  • Flexible Immutable Retention Periods: Retrospect will support an additional type of retention where Retrospect extends the period on past backups instead of including that data in new backups.
  • Additional 12 Worldwide Locations for Retrospect Cloud Storage: Retrospect Cloud Storage will include twelve additional worldwide locations, certifying each of Wasabi’s data centers around the world.
  • Microsoft Azure for Government: Retrospect will support blob storage on Microsoft Azure for Government to enhance support for state and local agencies looking for data protection in a US-based high-security data center.

Finally, Retrospect Management Console, the hosted backup analytics service, will be updated on August 30 to include the following features:

  • Multi-Factor Authentication (MFA): Identity protection is crucial for cloud services, and Retrospect Management Console will offer app-based multi-factor authentication for a more secure workflow.
  • Redesigned Reporting: The dashboard will be redesigned to better aggregate information for larger environments to address reporting pains in significantly larger backup infrastructure.
  • User Roles: Organizations will be able to assign roles to individual users, with “Administrators” able to access any function within the service and “Viewers” able to utilize the extensive reporting capabilities without worrying about changing any settings.
  • Audit Log: Administrators will be able to access a full audit log for actions taken by any users on their account.

Retrospect Virtual 2022

Included in Retrospect Virtual 2022:

  • Faster Backups and Restores: Fast data protection is critical in physical and virtual environments. Retrospect Virtual is now significantly faster at backups and restores.
  • Backup Data Deduplication: With advanced data deduplication, Retrospect Virtual can now protect a larger amount of data in a smaller storage space.
  • Hyper-V 2022 Support: Hyper-V 2022 is the latest version of Microsoft’s virtualization software, and Retrospect Virtual is now fully certified for it.

Pricing and Free 30-Day Trial

For Retrospect Backup pricing details, please visit: https://www.retrospect.com/store. To request a free 30-day trial, please visit: https://www.retrospect.com/try.

General Availability

Retrospect Backup 19.0 and Retrospect Virtual 2022 will be generally available on July 12, and Retrospect Backup 19.1 and Retrospect Management Console updates will be generally available on August 30.

Ninety Percent Of Canadian Organizations Indicate That They Have Experienced A Cyberattack In The Past Year: CDW Canada

Posted in Commentary with tags on June 21, 2022 by itnerd

CDW Canada today launched its annual Security Study, Advancing the Maturity of Canadian Organizations, which explores the state of IT security in Canada and evaluates the top cybersecurity challenges facing Canadian organizations today. The report found that as the cybersecurity threat landscape evolves, Canadian organizations have become over-exposed to cyberattacks.

CDW’s Security Study revealed that, regardless of size, industry or location, 90 percent of Canadian organizations surveyed have experienced a cyberattack in the past year. As cyberattacks increase in frequency, sophistication and severity, more organizations are taking a Zero-Trust approach to security.

Additional highlights from the report include:

  • Nearly three-quarters (73%) of Canadian companies surveyed reported having experienced data infiltration attacks with ransom demands in the past year, and 76% reported repeat ransom demands.
  • 30% of organizations have adopted Zero Trust, while another 40% have it in progress.

There are many more findings outlined in the report, which can be accessed here. It’s very much worth a read.

New APT Group Targets Exchange Servers in Asia & Europe

Posted in Commentary with tags on June 21, 2022 by itnerd

An APT group has been actively targeting Microsoft Exchange servers since at least December 2020, according to researchers at Kaspersky’s Global Research & Analysis Team (GReAT). The researchers also found a previously unknown passive backdoor they named Samurai and a new trojan dubbed Ninja Trojan. Both malware strains allow the attackers to take control of infected systems and move laterally within the victims’ network. Which of course means that these malware strains are very dangerous.

Christopher Prewitt, CTO of Inversion6 had this commentary:

“In March of 2020, Microsoft released patches to fix the Exchange exploit. It was thought that Chinese nation state actors were the ones who uncovered this vulnerability and were exploiting it prior to discovery and disclosure. ToddyCat, likely linked to Chinese espionage activities, has been focused on Europe and Asia using the familiar China Chopper web shell.”

“The Samurai backdoor, in some cases, has been used to deploy a post-exploitation toolkit dubbed Ninja. Ninja allows for full control of a system, including shell access, and appears to have been developed by ToddyCat.”

My thoughts go something like this. While these attacks are presently targeted towards high-profile entities in Europe and Asia, I can see this branching out to North America. Assuming that it hasn’t already. Thus I would make sure that your Exchange servers have all the patches needed to defend against this exploit.

UPDATE: Aimei Wei, CTO and Founder, Stellar Cyber added this commentary:

“When a vulnerability is discovered, it takes time for the patch to be available for all the impacted software releases. Usually, the newer releases get patched faster than older ones. It could take more than a year for patches to be available for earlier releases. The new ToddyCat APT group, which has been actively targeting Microsoft Exchange servers since at least Dec. 2020, is still exploiting the vulnerability to attack even more entities from more countries. While actively patching systems is critical to being protected from these attacks, it can’t always be achieved within a short period of time. Having a threat detection and response system that can effectively detect lateral movement and help stop attacks at an early stage is an important catch-all mechanism.”

And Jake Williams, Executive Director of Cyber Threat Intelligence for SCYTHE had this to say:

“The Samurai backdoor is a textbook example of a tool used to expand beachhead access to an internal network. After the backdoor is deployed on an Internet-facing Exchange server, network redirection modules are deployed that facilitate access by the threat actors to the internal network. Network redirection isn’t new, but it is especially useful when deployed on a server that is expected to communicate with many external and internal destinations. While zero-trust networking principles could limit some communication, threat actors will always execute actions on objectives on endpoints inside the network. A combination of network and endpoint controls, configured in alignment with the organization’s specific operational model, will be required to detect stealthy actors like ToddyCat after they gain access to a network.”
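The pivot Williams describes, an Exchange server that suddenly relays attacker traffic into the internal network, is visible at the network layer if you know what that server normally talks to. The Python script below is an added example, not Kaspersky’s, SCYTHE’s or Microsoft’s code, that sketches the kind of baselining Williams and Wei allude to: learn the Exchange host’s outbound (destination, port) pairs from a known-good window, then alert on internal destinations and ports it has never used. External peers are baselined by port only, because a mail server legitimately contacts arbitrary remote MX hosts. The flow records, the Exchange address 10.0.5.20, the 10.0.0.0/8 internal range and the simplified `timestamp src dst dport proto` format are all constructed for this example.

```python
"""Flag new outbound destinations from an Internet-facing Exchange host.

Added example, not Kaspersky's, SCYTHE's or Microsoft's code. Baselines where
the Exchange server normally connects and alerts on internal hosts/ports it has
never used, the network-side symptom of a redirection module relaying attacker
traffic inward. All addresses and log lines below are constructed.
"""
import ipaddress
from collections import Counter

EXCHANGE_HOST = "10.0.5.20"                      # assumed address of the Exchange server
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

# Constructed known-good window: LDAP/Kerberos/DNS to domain controllers,
# SMTP and HTTPS outbound, plus one inbound client flow that is ignored.
BASELINE_LOGS = """
2022-06-13T08:00:01 10.0.5.20 10.0.1.10 389 tcp
2022-06-13T08:00:02 10.0.5.20 10.0.1.10 88 tcp
2022-06-13T08:00:03 10.0.5.20 10.0.1.11 3268 tcp
2022-06-13T08:00:04 10.0.5.20 10.0.1.10 53 udp
2022-06-13T08:01:00 10.0.5.20 203.0.113.25 25 tcp
2022-06-13T08:01:05 10.0.5.20 198.51.100.7 25 tcp
2022-06-13T08:02:00 10.0.5.20 203.0.113.80 443 tcp
2022-06-13T08:03:00 10.0.20.15 10.0.5.20 443 tcp
"""

# Constructed detection window: normal traffic, then the mail server fanning
# out to workstations on SMB/RDP and calling out to a new Internet port.
DETECT_LOGS = """
2022-06-20T09:00:01 10.0.5.20 10.0.1.10 389 tcp
2022-06-20T09:00:02 10.0.5.20 203.0.113.26 25 tcp
2022-06-20T09:05:10 10.0.5.20 10.0.20.15 445 tcp
2022-06-20T09:05:11 10.0.5.20 10.0.20.16 445 tcp
2022-06-20T09:05:12 10.0.5.20 10.0.20.17 3389 tcp
2022-06-20T09:06:00 10.0.5.20 192.0.2.44 4444 tcp
2022-06-20T09:07:00 10.0.20.15 10.0.5.20 443 tcp
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Parse 'timestamp src dst dport proto' lines; skip blanks and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def learn_baseline(text: str) -> dict:
    """Learn the Exchange host's outbound behaviour from a known-good window.

    Internal peers are keyed by (dst, dport) because a mail server's internal
    dependencies (DCs, DNS, other mail nodes) are stable. External peers are
    keyed by port only, since it legitimately talks to arbitrary remote MX hosts.
    """
    internal, external_ports = set(), set()
    for f in parse_flows(text):
        if f["src"] != EXCHANGE_HOST:
            continue
        if is_internal(f["dst"]):
            internal.add((f["dst"], f["dport"]))
        else:
            external_ports.add(f["dport"])
    return {"internal": internal, "external_ports": external_ports}


def detect(text: str, baseline: dict) -> list:
    """Return outbound flows from the Exchange host that fall outside the baseline."""
    alerts = []
    for f in parse_flows(text):
        if f["src"] != EXCHANGE_HOST:
            continue
        if is_internal(f["dst"]):
            if (f["dst"], f["dport"]) not in baseline["internal"]:
                alerts.append({**f, "reason": "new internal destination/port"})
        elif f["dport"] not in baseline["external_ports"]:
            alerts.append({**f, "reason": "new outbound port to the Internet"})
    return alerts


def fan_out(alerts: list) -> dict:
    """Count distinct destinations per port; many hosts on 445/3389 is the tell."""
    hosts_by_port = {}
    for a in alerts:
        hosts_by_port.setdefault(a["dport"], set()).add(a["dst"])
    return {port: len(hosts) for port, hosts in hosts_by_port.items()}


if __name__ == "__main__":
    alerts = detect(DETECT_LOGS, learn_baseline(BASELINE_LOGS))
    for a in alerts:
        print(a["ts"], a["dst"], a["dport"], a["reason"])
    print("fan-out per port:", fan_out(alerts))
    print("per destination:", Counter((a["dst"], a["dport"]) for a in alerts))
```

Feed it real NetFlow or firewall exports in the same field order and a baseline window that predates any suspected compromise. A fan-out from a mail server to several workstations on 445 or 3389 is the pattern to treat as an incident rather than noise, and this network view should be paired with the endpoint controls Williams calls for.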

Takeda Canada Innovation Challenge Awarded To Pentavere 

Posted in Commentary with tags on June 21, 2022 by itnerd

Pentavere Research Group Inc. has been awarded the first Takeda Canada Innovation Challenge. The Innovation Challenge was launched in January 2022 to accelerate partnerships in identifying new digital technologies and artificial intelligence (AI) solutions that support enhanced patient care in inflammatory bowel disease (IBD) or rare disease conditions.  

Pentavere Research Group Inc. is a clinical discovery company that has developed a breakthrough, proprietary, artificial intelligence (AI) engine called DARWEN™, which accelerates discovery from vast amounts of clinical text.  DARWEN™ unlocks value, insights and evidence from clinical information which is impossible to analyze by human intelligence alone.

Pentavere will have the opportunity to collaborate and benefit from Takeda’s expertise and extensive international network, as well as funding, to build a proof of concept project in the areas of rare diseases.

The Takeda Canada Innovation Challenge received multiple submissions within the fields of early diagnosis or integrated and personalized care, applicable to the therapeutic areas of inflammatory bowel disease (ulcerative colitis or Crohn’s disease) or rare genetic diseases.

Guest Post: Almost 70% Of Email Scammers Leave The ‘Subject’ Line Empty Says Atlas VPN

Posted in Commentary with tags on June 21, 2022 by itnerd

In phishing attacks, scammers will employ social engineering techniques to get you to click on their email.

According to the data presented by the Atlas VPN team, 67% of scammers leave the ‘subject’ line empty in malicious emails. No other ‘subject’ line comes close to being as common as a blank one, which can be a major red flag when identifying a phishing email.

About 9% of attackers would type in ‘Fax Delivery Report’ in the subject line of phishing emails. Nearly 6% of email scammers enter ‘Business Proposal Request’ as the subject line. Furthermore, 4% of threat actors would write a simple ‘Request’ as the email’s subject. Another 4% of attackers are trying to set up a ‘Meeting’ with their victims.

Almost 3.5% of scammers would send emails with the subject ‘You have (1*) New Voice Message’. Moreover, 2% of threat actors would type in ‘Re: Request’ in the subject of their phishing emails.

The tactic used in phishing emails is often to urge the user to click on the email or link without much thought. Some subjects are directed at business employees who might have real and fake ‘meetings’ or ‘business requests’ mixed in their inboxes.

To read the full article, head over to: https://atlasvpn.com/blog/study-almost-70-of-email-scammers-leave-the-subject-line-empty