Retrospect Adds Anomaly Detection To Ransomware Protection In Retrospect Backup 18.5

Posted in Commentary with tags on February 15, 2022 by itnerd

Retrospect, a StorCentric company, today announced the general availability (GA) of Retrospect Backup 18.5, featuring new anomaly detection, customizable filtering and thresholds, and enhanced ransomware protection to help businesses quickly detect and protect against malicious attacks. With deeper Microsoft Azure Blob integration for Immutable Backups and integrated cloud bucket creation, Retrospect Backup 18.5’s anomaly detection and ransomware protection bolster StorCentric’s data-centric security approach to organizations’ critical infrastructure.

Ransomware is a huge global threat to businesses around the world. Beyond the high-profile attacks, including Colonial Pipeline, JBS, Garmin, and Acer, many people now personally know a colleague whose business was attacked. According to Coveware, most corporate targets are small and medium businesses. 72% of targeted businesses have fewer than 1,000 employees, and 37% have fewer than 100. Businesses are projected to have paid out $20B in 2021, a 100% Y-o-Y increase for the last four years, and it’s only going to get worse with new business models like RaaS: ransomware-as-a-service. With Retrospect Backup 18, businesses can protect their infrastructure with immutable backups for ransomware protection.

Beyond protection, organizations need to detect ransomware as early as possible to stop the threat and remediate those resources. Retrospect Backup 18.5 includes anomaly detection to identify changes in an environment that warrant the attention of IT. Administrators can tailor anomaly detection to their business’s specific systems using customizable filtering and thresholds for each of their backup policies, and those anomalies are aggregated on Retrospect Management Console across the entire business’s Retrospect Backup instances or a partner’s client base, with a notification area for responding to those anomalies.
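The per-policy threshold idea described above, as an added illustration that is not Retrospect’s code and does not reflect how the product implements it: each backup policy gets its own filter and thresholds, a baseline is built from earlier runs, and anomalies from several backup instances are aggregated into one report. The run statistics, policy names and the `Threshold` layout are all constructed for the example.

```python
"""Threshold-based anomaly detection over backup run statistics.

Added illustration, not Retrospect's code: it models the article's idea of
per-policy filters and thresholds, with anomalies from several backup
instances aggregated into one report. All run statistics are constructed.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class BackupRun:
    instance: str        # backup server that ran the job
    policy: str          # backup policy / set name
    day: int             # ordinal day, used only for ordering
    files_scanned: int
    files_changed: int   # files whose content changed since the last run
    files_renamed: int   # files whose extension changed (typical of encryption)


@dataclass
class Threshold:
    """Per-policy tuning (assumed layout, not Retrospect's configuration)."""
    change_multiplier: float = 3.0   # flag if change ratio > multiplier * baseline
    min_changed_files: int = 50      # filter: ignore runs with fewer changed files
    max_renamed_ratio: float = 0.05  # flag if renamed/scanned exceeds this
    history: int = 7                 # number of earlier runs forming the baseline


@dataclass
class Anomaly:
    instance: str
    policy: str
    day: int
    reasons: list


def detect_anomalies(runs, thresholds, default=Threshold()):
    """Flag runs whose statistics exceed their policy's thresholds.

    The baseline for an (instance, policy) pair is the median change ratio of
    its previous non-anomalous runs, so one spike does not raise the bar for
    the next night.
    """
    anomalies = []
    history = {}  # (instance, policy) -> change ratios of clean runs
    for run in sorted(runs, key=lambda r: (r.instance, r.policy, r.day)):
        if run.files_scanned == 0:
            continue
        t = thresholds.get(run.policy, default)
        past = history.setdefault((run.instance, run.policy), [])
        change_ratio = run.files_changed / run.files_scanned
        renamed_ratio = run.files_renamed / run.files_scanned
        reasons = []
        if past and run.files_changed >= t.min_changed_files:
            # floor the baseline so a quiet history does not make the bar zero
            baseline = max(median(past[-t.history:]), 0.01)
            if change_ratio > t.change_multiplier * baseline:
                reasons.append(f"change ratio {change_ratio:.2f} > "
                               f"{t.change_multiplier}x baseline {baseline:.3f}")
        if renamed_ratio > t.max_renamed_ratio:
            reasons.append(f"renamed ratio {renamed_ratio:.2f} > {t.max_renamed_ratio}")
        if reasons:
            anomalies.append(Anomaly(run.instance, run.policy, run.day, reasons))
        else:
            past.append(change_ratio)
    return anomalies


def summarize(anomalies):
    """Aggregate anomalies per backup instance, like a management console view."""
    report = {}
    for a in anomalies:
        report.setdefault(a.instance, []).append(
            f"day {a.day} {a.policy}: " + "; ".join(a.reasons))
    return report


# Constructed sample: a file server with a sudden mass change and rename on
# day 8, and a laptop policy with looser thresholds where a large user sync
# on day 6 is tolerated.
SAMPLE_RUNS = [
    BackupRun("srv-a", "Fileserver", d, 10_000, c, r)
    for d, c, r in zip(range(1, 8), [200, 250, 220, 300, 210, 240, 260],
                       [0, 2, 1, 0, 3, 1, 2])
] + [BackupRun("srv-a", "Fileserver", 8, 10_000, 6_500, 6_400)] + [
    BackupRun("srv-b", "Laptops", d, 2_000, c, 0)
    for d, c in zip(range(1, 7), [100, 120, 90, 110, 100, 400])
]

SAMPLE_THRESHOLDS = {
    "Laptops": Threshold(change_multiplier=5.0, min_changed_files=20, max_renamed_ratio=0.2),
}


def run_sample():
    return detect_anomalies(SAMPLE_RUNS, SAMPLE_THRESHOLDS)


if __name__ == "__main__":
    for instance, lines in summarize(run_sample()).items():
        print(instance)
        for line in lines:
            print("  ", line)
```

Only the file server’s day 8 run is flagged (mass change plus mass rename), while the laptop policy’s 20% change day passes because its multiplier was set higher. Keeping flagged runs out of the baseline is the part worth copying: a detector whose baseline absorbs the spike goes quiet exactly when the next run is the one you need to see.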

Included in Retrospect Backup 18.5:

  • Anomaly Detection: Detect anomalies in systems based on customizable filters and thresholds tailored to individual environments.
  • Retrospect Management Console Integration: View anomalies across a business or partner’s entire client base in a single pane of glass.
  • Improved Microsoft Azure Blob Integration: Set individual immutable retention policies for different backup sets within the same Azure Storage Container.
  • Streamlined Immutable Backup User Experience: Automatically create cloud buckets with immutable backups supported by default.
  • LTO-9 Support: Includes support for LTO-9, with capacities up to 18TB (45TB compressed).

Retrospect Backup 18.5 is a free upgrade to Retrospect Backup 18, the award-winning ransomware protection solution. For Retrospect Backup pricing details, please visit: https://www.retrospect.com/store. To request a free 30-day trial, please visit: https://www.retrospect.com/store/trial

Proofpoint Discovers Common Threat Actors In Malware Campaigns Aimed At Aviation And Defense Targets

Posted in Commentary with tags on February 15, 2022 by itnerd

Researchers at Proofpoint have discovered a common threat actor behind aviation and defense malware campaigns, dubbed TA2541. The threat group has been attacking targets in several critical industries since 2017 with phishing emails and cloud-hosted malware droppers, according to a report from Proofpoint.

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“Volumetric phishing campaigns are playing the odds that at least one person will take the bait. That is really all it takes to compromise an organization. Once that initial compromise takes place, the threat actor uses dwell time and other techniques to maintain their presence and evade current XDR and SIEM tools as they spread their infection, look for critical data and eventually either exfiltrate data, detonate ransomware, or both. TA2541 is so confident in the lack of detection capabilities in current tools, all they do is tweak the phishing campaign, while barely touching commodity malware and previous techniques once inside. This shows that XDR and SIEM solutions are insufficient for preventing threat actor groups from successfully executing their attack campaigns. The only answer is more advanced analytics, behavioral baselining, and anomaly detection with a better understanding of users, access controls and entity activity. These promote the ability to automate detection before a security team can sift through the huge volumes of data that they must parse through and prioritize manually despite most vendor claims. The proof is in the number of true, not rule-based, machine learning models that can adapt to changing tactics by threat actors to circumvent most other solutions.”

Your security shouldn’t be so bad that “playing the odds” allows them to get in and do damage. Companies need to up their game so that groups like TA2541 don’t have an easy time pwning anyone that they are interested in.

UPDATE: Chris Olson, CEO, The Media Trust had this to say:

“TA2541 demonstrates a level of detail and personalization that is increasingly typical of threat actors in the digital space. After a lengthy research and reconnaissance phase, they craft professional and high-quality messaging based on the target’s industry, products and other criteria. In the past, one could often tell the difference between legitimate and fraudulent messaging by quality alone – but that is no longer the case.”

“This is particularly true across websites and mobile applications, where personalization and tracking features are increasingly weaponized to target victims based on granular data, which may include personal interests, search history and location. While today’s organizations often focus on email as the most dangerous channel for malware delivery, they should be paying close attention to their digital properties as well.”

BlackCat Claims Responsibility For Swissport Attack

Posted in Commentary with tags on February 15, 2022 by itnerd

BlackCat (ALPHV), dubbed the ‘most sophisticated’ ransomware group of 2021, has claimed responsibility for the Swissport ransomware attack by leaking a small set of sample files that the group claimed to have obtained from Swissport. The threat actor is striving to sell the entire 1.6 TB ‘data dump’ to a prospective buyer. The data leak page, as seen by DarkTracer: DarkWeb Criminal Intelligence, contained passports, internal business memos, and details of job candidates including:

  • Full Name
  • Passport Number
  • Nationality
  • Religion (Muslim or Non-Muslim)
  • Email
  • Phone Number
  • Job role, interview scores, other recruitment info

Swissport has maintained the attack was “largely contained”, with systems fully cleaned and restored.

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“While Swissport is claiming the cyber-attack was ‘largely contained’, 1.6TB of data exfiltrated is no joke. They are indeed lucky that only personal information was stolen versus a disruption in service. However, this shows how easy it is for threat actors to compromise networks and go largely undetected for large periods of time. Current XDR and SIEM solutions are incapable of preventing damage or disruption despite claims that would lead you to believe they are a silver bullet in detecting and preventing successful breaches. Organizations need to look at Next Generation SIEM solutions that employ true self-learning machine learning (ML) models with an extensive library and variety of advanced analytics if they have any hope of preventing new and emerging attacks from groups like BlackCat and Darkside. Automated detection, as well as high-fidelity non-disruptive response, early in the kill chain is critical to truly containing the attack before damage is done, not well after an attack has already made progress in its main objective.”

This attack is truly no joke. Swissport needs to get on top of this so that what has happened to date is the only bad thing that happens to them.

Commvault Adds Intelligent Data Services Features To Fortify Ransomware Security

Posted in Commentary with tags on February 15, 2022 by itnerd

Commvault today announced General Availability for Feature Release 11.26. These enhancements to our best-in-class Intelligent Data Services help to harden infrastructure against attack and improve recoverability, continuing Commvault’s commitment to mitigating cyber threats—including ransomware—in any infrastructure: on-premises, in the cloud, and even across multiple clouds. 

The new enhancements include:

  • Utilizing hardware-based security tokens, along with common access card support, helps to strengthen customers’ security posture
  • Leveraging highly secure cloud authentication methods, including the AWS Key Management System (KMS) and Azure Key Vault
  • Extended Disaster Recovery orchestration now includes Object Storage and Big Data File Systems, to accommodate larger datasets.

Complete documentation of all the features and capabilities included with this release can be found at https://documentation.commvault.com/11.26/essential/143030_feature_release_1126.html.

Social Media Attacks Doubled in 2021: PhishLabs 

Posted in Commentary with tags on February 15, 2022 by itnerd

Social media as a threat channel saw a two-fold increase in attacks throughout 2021, according to the latest Quarterly Threat Trends & Intelligence Report from PhishLabs by HelpSystems, the leading provider of digital risk protection solutions.

In Q4 and throughout 2021, PhishLabs analyzed hundreds of thousands of phishing and social media attacks targeting enterprises, their employees, and brands. The report provides an analysis of the latest findings and insights into key trends shaping the threat landscape.

According to the findings, the number of social media attacks per target increased 103% from January 2021, when enterprises were experiencing an average of just over one threat per day. In December, enterprises averaged over 68 attacks per month, or more than two per day.

Additional Key Findings

  • Hybrid Vishing (voice phishing) attacks initiated by email increased 554% in volume from Q1 to Q4.
  • Phishing volume has grown 28% year-over-year, with half of all phishing sites observed in Q4 being staged using a free tool or service.
  • Malware delivered via email nearly tripled in Q4, led by a resurgence in Qbot and ZLoader attacks. 
  • 70% of advertisements for stolen data took place on chat-based services and carding marketplaces in Q4. 
  • The percentage of attacks targeting financial institutions increased from 33.8% in Q1 to 61.3% of all phishing sites observed in Q4.

Additional Resources

To learn more about the report findings and what recent changes to the threat landscape mean for businesses, attend the live webinar at 2 PM EST today or watch on-demand: https://www.phishlabs.com/webinars/details/?commid=528515.

To access the complete PhishLabs Quarterly Threat Trends & Intelligence Report, visit: https://info.phishlabs.com/quarterly-threat-trends-and-intelligence-february-2022.

Microsoft Defender Will Soon Block Windows Password Theft

Posted in Commentary on February 15, 2022 by itnerd

I’ve argued for a while that Microsoft Defender is free and does a great job of defending you against the evils of the Internet. It’s now about to get better. Microsoft is enabling a Microsoft Defender ‘Attack Surface Reduction’ security rule by default to block hackers’ attempts to steal Windows credentials from the LSASS process:

When threat actors compromise a network, they attempt to spread laterally to other devices by stealing credentials or using exploits. One of the most common methods to steal Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Server Service (LSASS) process running in Windows. This memory dump contains NTLM hashes of Windows credentials of users who had logged into the computer that can be brute-forced for clear-text passwords or used in Pass-the-Hash attacks to log in to other devices. While Microsoft Defender blocks programs like Mimikatz, an LSASS memory dump can still be transferred to a remote computer to dump credentials without fear of being blocked.

To prevent threat actors from abusing LSASS memory dumps, Microsoft has introduced security features that prevent access to the LSASS process. One of these security features is Credential Guard, which isolates the LSASS process in a virtualized container that prevents other processes from accessing it. However, this feature can lead to conflicts with drivers or applications, causing some organizations not to enable it. As a way to mitigate Windows credential theft without causing the conflicts introduced by Credential Guard, Microsoft will soon be enabling a Microsoft Defender Attack Surface Reduction (ASR) rule by default. The rule, ‘Block credential stealing from the Windows local security authority subsystem,’ prevents processes from opening the LSASS process and dumping its memory, even if it has administrative privileges.

While enabling the ASR rule by default will significantly impact the stealing of Windows credentials, it is not a silver bullet by any means. This is because the full Attack Surface Reduction feature is only supported on Windows Enterprise licenses running Microsoft Defender as the primary antivirus. However, BleepingComputer’s tests show that the LSASS ASR rule also works on Windows 10 and Windows 11 Pro clients. Unfortunately, once another antivirus solution is installed, ASR is immediately disabled on the device. Furthermore, security researchers have discovered built-in Microsoft Defender exclusion paths allowing threat actors to run their tools from those filenames/directories to bypass the ASR rules and continue to dump the LSASS process. Mimikatz developer Benjamin Delpy told BleepingComputer that Microsoft probably added these built-in exclusions for another rule, but as exclusions affect ALL rules, it bypasses the LSASS restriction.

This is a great move on the part of Microsoft as this will make things better. But like everything else in the universe, there is a catch:

While enabling the ASR rule by default will significantly impact the stealing of Windows credentials, it is not a silver bullet by any means.

This is because the full Attack Surface Reduction feature is only supported on Windows Enterprise licenses running Microsoft Defender as the primary antivirus. However, BleepingComputer’s tests show that the LSASS ASR rule also works on Windows 10 and Windows 11 Pro clients.

Unfortunately, once another antivirus solution is installed, ASR is immediately disabled on the device.

Furthermore, security researchers have discovered built-in Microsoft Defender exclusion paths allowing threat actors to run their tools from those filenames/directories to bypass the ASR rules and continue to dump the LSASS process.

Still it’s a great first step by Microsoft. Let’s hope that they improve on this to remove the negatives and make this a positive for all.
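For administrators who don’t want to wait for the default to flip, the rule can be checked and turned on today, and the two caveats above (ASR going dormant when another AV takes over, and exclusions applying to every rule) can be checked at the same time. The script below is an added example, not from the article, BleepingComputer or Microsoft; it uses the Defender PowerShell module’s `Get-MpPreference`, `Add-MpPreference`, `Get-MpComputerStatus` and `Get-WinEvent` cmdlets. The rule GUID is the documented identifier for this ASR rule; the function names are the example’s own, and the event IDs 1121/1122 are the documented ASR block and audit events.

```powershell
# Added example (not from the article, BleepingComputer or Microsoft): check
# and enable the Defender ASR rule "Block credential stealing from the Windows
# local security authority subsystem", and review the caveats the article
# raises (third-party AV disabling ASR, exclusions applying to all rules).
# Run in an elevated PowerShell session on a Defender-managed Windows client.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # documented GUID for this rule

# Action codes returned by Get-MpPreference in AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-LsassAsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            $code = [int]$actions[$i]
            return [pscustomobject]@{ Configured = $true; Action = $ActionNames[$code]; Code = $code }
        }
    }
    [pscustomobject]@{ Configured = $false; Action = 'Not configured'; Code = $null }
}

function Test-DefenderIsPrimaryAv {
    # ASR only applies while Defender is the active engine. 'Normal' means it is;
    # the passive modes mean another AV product has taken over real-time protection.
    $mode = (Get-MpComputerStatus).AMRunningMode
    [pscustomobject]@{ RunningMode = $mode; AsrEffective = ($mode -eq 'Normal') }
}

function Enable-LsassAsrRule {
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    # Start in AuditMode to find legitimate software that opens LSASS (some
    # EDR, backup and monitoring agents do), then switch to Enabled (block).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Get-AsrExclusions {
    # Admin-configured exclusions apply to every ASR rule, not only the rule
    # they were added for. The built-in exclusions the article mentions are not
    # listed here, so an empty result does not mean there are none.
    @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
}

function Get-LsassAsrEvents {
    param([int]$Days = 7)
    # 1121 = rule blocked an action, 1122 = rule would have blocked (audit mode)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $LsassRuleId } |
        Select-Object TimeCreated, Id, Message
}

# Usage: review state first, then enable in audit mode, then block.
Get-LsassAsrRuleState
Test-DefenderIsPrimaryAv
Get-AsrExclusions
Get-LsassAsrEvents -Days 7
# Enable-LsassAsrRule -Mode AuditMode
# Enable-LsassAsrRule -Mode Enabled
```

Running the audit query for a week before switching to block is the practical way to find the legitimate agents that touch LSASS, and the exclusion list is worth reviewing whenever a rule is added, since an exclusion created for an unrelated rule weakens this one too.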

Fisker Now Accepting Reservations For The Fisker PEAR

Posted in Commentary with tags on February 15, 2022 by itnerd

Fisker Inc. is now accepting reservations for its second product, the Fisker PEAR, opening the door to the Personal Electric Automotive Revolution.

The all-electric Fisker PEAR blends sustainability, technology, and design into a digitally connected, compact, five-passenger urban EV. Featuring intuitive controls, sporty driving, clever storage, and a focus on industry firsts, the Fisker PEAR will start at $29,900 before taxes and incentives in the US. Fisker’s first vehicle, the all-electric Fisker Ocean SUV, will start production in November 2022.

Fisker has partnered with Foxconn to produce this innovative EV. 

Consumers can reserve the Fisker PEAR for $250 for the first reservation and $100 for the second reservation. Deliveries will begin in 2024. The Fisker PEAR will be produced in Ohio with a minimum initial production of 250,000 units per year. 

California-based Fisker Inc. is revolutionizing the automotive industry by developing the most emotionally desirable and eco-friendly electric vehicles on Earth. Passionately driven by a vision of a clean future for all, the company is on a mission to become the No. 1 e-mobility service provider with the world’s most sustainable vehicles. To learn more, visit www.fiskerinc.com.

Donors Of Canadian Truck Convoy Protests Out In The Wild As Fund-raising Site Apparently Pwned By Hackers

Posted in Commentary with tags on February 14, 2022 by itnerd

For the last couple of weeks, Canada has seen protests by Canadian anti-vaccine mandate truckers in various places around the country. There have always been reports that sources outside Canada were funding these protests. That may be about to be proven true or debunked as false, as the fundraising site that was being used to fund these protests has apparently been pwned by hackers:

A website devoted to disseminating leaked data says it has been given reams of information about donors to the Canadian anti-vaccine mandate truckers after the fundraising platform popular with supporters of the movement allegedly suffered a hack.

Distributed Denial of Secrets announced on its website that it had 30 megabytes of donor information from Christian fundraising site GiveSendGo, including names, email addresses, ZIP codes and internet protocol addresses.

At the same time, GiveSendGo appeared to be offline.

Visitors to the website were met with a message that it was under maintenance and “we will be back very soon.” Messages seeking comment from the site’s operators were not immediately returned.

A journalist at the Daily Dot digital news outlet said on Twitter that the site suffered a hack overnight and had its front page briefly replaced by a clip from the movie “Frozen” and a manifesto accusing it of supporting “an insurrection in Ottawa.” 

Reuters could neither immediately confirm the hack nor the leak claims, although Distributed Denial of Secrets (DDoS) has a long record of hosting leaked data from right-wing organizations, including the far right Patriot Front and the Oath Keepers.

DDoS said that, because the donor information contains sensitive personal information, it would not be making the data available publicly but will instead be offering it to “journalists and researchers.” 

DDoS describes itself as a non-profit devoted to enabling the free transmission of data in the public interest.

The Tweet that the article references can be found here:

Well, I suspect that anyone who isn’t Canadian (and perhaps those who are) who served up some cash to these protestors is perhaps going to be embarrassed as this info gets into the hands of journalists. Especially if you have well known politicians, well known celebrities, etc. as part of this list.

This should be fun to watch.

San Francisco’s 49ers Pwned In Ransomware Attack

Posted in Commentary with tags on February 14, 2022 by itnerd

Hot on the heels of the Super Bowl come reports of BlackByte ransomware attacking the NFL’s San Francisco 49ers. The news was confirmed yesterday in a statement to Bleeping Computer.

“The San Francisco 49ers recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network. Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident.

Third-party cybersecurity firms were engaged to assist, and law enforcement was notified.

While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders.

As the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible.”

Additionally, in a TLP: WHITE joint cybersecurity advisory released Friday, the FBI has revealed that the BlackByte group had breached the networks of at least three organizations from the US critical infrastructure sectors in the last three months. 

Chris Olson, The Media Trust had this commentary:

“Despite the amount of news coverage devoted to ransomware attacks, no amount of awareness seems to stunt their growth. Ransomware-as-a-service (RaaS) is the new mafia. As we are seeing with small players like BlackByte, as the cybercriminal underclass grows so will the black market for ransomware, malware, exploits and sensitive data harvesting.”

“With these shadow markets in place, hacking skills aren’t needed to target organizations across any industry: nation states, terrorist groups and profit-seekers can infiltrate a business by simply paying someone else to do it for them. It doesn’t take god-like powers to pull off a ransomware attack, all it takes is the basic know-how to exploit backdoor channels hidden across all modern websites and applications.”

You know things are serious when pro sports teams start getting pwned. Hopefully this story has a happy ending for them.

UPDATE: Saryu Nayyar, CEO and Founder, Gurucul provided additional commentary:

“The attack on the SF 49ers would have gotten a lot more national attention if they had won their playoff game, but the impact is familiar. Ransomware attackers are more frequently not just encrypting data but stealing data first and making it available on the dark web even as they demand payment from organizations to restore the data for their own usage. Regardless of the complexity of ransomware, it tends to follow a typical attack pattern that requires multiple stages to execute, and it all starts with the initial compromise, often a phishing attack. Security teams need to invest in advanced solutions that leverage multiple out-of-the-box analytics and machine learning models to identify new ransomware variants without relying on vendor updates. This can provide the necessary automated detection at the earlier stages of the ransomware campaign. Security teams can then be provided enough context and high-fidelity detection confirmation to execute a response for eradicating the ransomware fully prior to data loss or encryption of data.” 

UPDATE #2: Saumitra Das, CTO and Cofounder, Blue Hexagon added these comments:

“Ransomware operators are getting even more organized with initial access brokers getting initial footholds followed by affiliates who move laterally and find the important assets before deploying the actual ransomware from an entity like BlackByte. BlackByte has been observed going after critical US infra as well apart from entities like the 49ers which is a new trend again after the cooling-off from the Colonial pipeline attack after which some ransomware gangs were lying low and only going after mid-size organizations to escape scrutiny. This news comes on the heels of the joint cybersecurity advisory (https://www.cisa.gov/uscert/ncas/alerts/aa22-040a) that shows that attackers are not just encrypting data but now doing triple extortion to find a way to blackmail the victim. One of the key newer methods is public naming and brand harm by informing partners, shareholders, and customers as well as cutting off the Internet access for the victim.”

Guest Post: Americans Are More Concerned About Their Social Media Accounts Getting Hacked Than Their House Being Broken Into

Posted in Commentary with tags on February 14, 2022 by itnerd

In today’s constantly evolving age of technology, consumers are very aware that scams exist but often have trouble understanding how to protect themselves from these online threats. Unlike in our homes where we can physically lock all entryways to protect ourselves, in the cyber world, it’s harder to comprehend if you’re secure. Consequently, survey data provided by Lookout reveals that hacking-related threats are consumers’ ultimate worry.

Here is how 1,500 participants ranked their highest concerns: 

  1. Someone Hacking My Bank Account – 30%
  2. Someone Hacking My Social Media – 15%
  3. Experiencing A Natural Disaster – 14%
  4. Getting In A Car Accident – 12%
  5. Someone Taking Out A Loan In My Name – 10%
  6. Someone Breaking Into My House – 10%
  7. Losing My Wallet – 9%

While it may seem surprising that more consumers ranked having their bank account and social media account hacked as a higher concern than having their home broken into, the reasoning behind these results is understandable: it is more difficult to comprehend how you can reliably protect your online identity and financial information in today’s digital world. But in the same way that we have locks, safety alarms, and video doorbells installed in our homes to make us feel safer, we need to have that same level of security for our devices and online data.

To help consumers protect their social media and banking accounts – as well as all of their online accounts – Lookout, the leader in delivering Integrated Security, Privacy, and Identity Theft Protection solutions, recommends consumers be on guard against risks and take steps to secure their accounts from compromise, including:

  1. Always use strong and unique passwords. If your online account password is ever leaked as part of a data breach, change your password immediately. 
  2. Enable two-factor authentication (like Google Authenticator) rather than SMS validation to protect your accounts. Two-factor authentication helps protect your account even if your account credentials are compromised or your phone is targeted in a SIM swapping scam.  
  3. Enable a security service – like Lookout Security & Identity Protection – that will monitor and alert you immediately if your personal and financial information is leaked on the dark web, and provide you with steps to protect your accounts from compromise and your identity from being stolen.

If you’re experiencing any of these potential social media threats, or if you just want to check if your email address has been exposed for free, download the Lookout mobile app today!