Category Archives: Alert

Security alerts

What if Ransomware is Just a Cover for Theft of Intellectual Property?

A China-based Advanced persistent threat actor (APT) who has been active since last year seems to be using ransomware as a smokescreen for state-sponsored espionage.

The group has been using just one malware loader called the HUI loader, which seems to only be used by Chinese hackers. They use that to load Cobalt Strike Beacon and use that specific ransomware software.

Unlike most ransomware gangs that become very familiar with one ransomware tool, these hackers have used, at least, 5 different ransomware tools – LockFile, AtomSilo, Rook, Night Sky and Pandora. It is possible that they are doing this to look like several different gangs.

Researchers are calling this gang Bronze Starlight.

The group’s victims include a pharmaceutical company, law firm and media companies in the U.S. Other victims include electronics manufacturers and aerospace/defense companies.

These are the types of companies that China likes to spy on and steal data from.

In at least one case Bronze Starlight installed a backdoor (to be able to steal data) but did not deploy any ransomware.

Their software is also evolving. A new version includes a number of detection evasion techniques like disabling Windows Antimalware Scan Interface so that Windows won’t detect malware that it knows about.

But in one way, these attacks are not sophisticated – they are using known unpatched exploits, for the most part.

If you have valuable (to you or an adversary) intellectual property or personally identifiable information of your customers, you need to make sure that you are making it hard for the bad guys. Zero trust is part of this, as are a number of other processes and technologies. If you need help with implementing this, or if you want to see how secure you currently are, please contact us.

Credit: Dark Reading

Board Members & C-Suite Need Secure Communication Tools

Board members and other executives are the key target of hackers. There is even a term for it – whaling. This has nothing to do with anyone’s personal dimensions, but rather that they are the big fish in the pond and have the most access to data.

Many times, executives and board members are also not technical so they don’t use sophisticated tools. Hackers know this too.

Boards are directly linked to their organization’s risk management – cyber, third party, supply chain and have other sensitive responsibilities like ESG, compliance, diversity and other subjects.

Non-profits have the additional responsibility of donor and fundraising information and they depend on the goodwill of those folks.

Non-profits also, often, have less security resources to protect themselves with.

So what do boards need to do to protect their companies?

  • Make sure that all sensitive communications between board members and between the board and management – which it probably almost all communications except for the lunch order – are encrypted.
  • Make sure that communications are integrated – chat, messaging, collaboration, store. Easy to use, secure, encrypted.
  • Make sure the solution does not require a year’s worth of training to use
  • Make sure that the solution can minimize weak links like lost devices
  • Include the board and executive family members and home networks – they are often used and outside of the control of IT. Hackers know this and call it the soft underbelly.

If you don’t have a strategy for this, we can help you. It needs to be comprehensive, secure and, most importantly, easy to use. It also needs to be flexible enough to handle the unexpected. Also consider the board and executive non-corporate resources.

Call us and we will help you design a solution.

Credit: Help Net Security

Security News for the Week Ending June 17, 2022

Ransomware Morphs Again

We know that ransomware has gone through a lot of iterations over the last couple of years as hackers try to maximize their revenue. The BlackCat group is now creating public websites for each victim company and has indexed the data to make it easy to search. I guess this means that it will be harder for companies that get hacked to hide what data was stolen. In one of their sites, you can select between employee data and customer data as the first filter and then search on that subset. Credit: Brian Krebs

NSA Quietly Appoints General Counsel After Two Years

You may remember that in the final, sort of weird, final days of the last President’s administration, the ex-President attempted to force the NSA to accept an unqualified political hack in the role of GC – a person who had not even worked inside the intelligence community, a process known as burrowing. Burrowing converts a political appointee into a career civil servant. Gen. Nakasone was ordered, on the last day of the ex-President’s administration to swear the guy in. That same day, the General put the new GC on administrative leave pending an inquiry about some security incidents. After several months in limbo, he resigned. He now is a lawyer at Rumble, a business partner of Truth Social. See a pattern? Anyway, April Falcon Doss, who seems to have impressive legal creds, was finally, quietly, sworn in as GC last month. Credit: The Record

Cyberattack – One and Done? Nope; Not Likely

According to research by Cymulate, 39% of companies were hit by cybercrime over the last year. Of those, TWO THIRDS were hit more than once. Also, of those who were hacked once, 10% were hacked ten times. That doesn’t give me a lot of warm fuzzies. Credit: ZDNet

Joshua Schulte, Former CIA Coder, Represents Himself in Second Espionage Trial

Joshua Schulte, is a former software engineer who worked for the CIA. He is accused of the largest, most damaging leak the CIA ever had. In his first trial, the jury hung on espionage charges. Now the second trial is beginning and he is representing himself. I recall a saying about a lawyer who represents himself has a fool for a client. Even though he is not a lawyer, the saying applies. He says he was framed. Prosecutors say he is guilty. Stay tuned for details. Credit: Security Week

Indian Police Planted False Evidence on Activist’s Computers to Arrest Them

Police in India were caught using hacking tools to plant evidence on people’s computers and then arresting them for the staged crime. The people being cyber attacked are not terrorists, but rather journalists and activists – in other words, people who annoy the police. With the help of SentinelOne, the hacking-by-police incidents have been publicly exposed. Credit: Wired

Does Deleted Mean Deleted?

This is an interesting story of how law enforcement, completely legally, can obtain data that you thought you deleted. Well, you did delete it, but deleted does not really mean deleted.

Earlier this year the FBI was trying to solve a string of seven bank robberies in five states. One of the tools that they used was cell tower data. If you get the cell phone data around the times of all of the robberies (and the robbers had not turned off their phones) and look for one or more phones that were present at the time of all of the robberies, you have reasonable cause to believe that (or those) number(s) belong to people involved in the robbery.

In this case, one of the suspects that came up was one Fernando Enriquez.

The police used this phone number to search police databases. That search produced email addresses and social media account usernames.

The police got a judge to sign a search warrant for Google, Instagram and TikTok to provide a copy of the data that Enriquez stored on those accounts.

One of the pictures produced showed him standing in front of a Chevy SUV that looked like the getaway vehicle. Photos also showed his tattoos and those seemed to match surveillance video from the bank robberies. Note to self, if you plan to rob a bank, make sure that you do not have visible distinctive tattoos.

Having gotten this data, the FBI asked TikTok for more information, including any deleted data.

Each social media company has a different policy for what deleted means. Google says they keep user data two months after you think it was deleted – although that can extend up to six months if the data was stored on an encrypted backup. Facebook says, well, data is deleted, it depends. Some data is deleted after 30 days; other data after six months, other data at different times. They do say that if an account is deleted, all associated data is deleted after 90 days.

China owned TikTok is much less clear. The FBI asked for all data, even if it is removed, locked or deleted. Forbes asked TikTok about how it handles deleted data and the company referred them to their website. The website says they store data in the U.S. and Singapore. It doesn’t say what happens to deleted data. The policy says that they retain data for as long as needed. That could include forever, I supposed, because one of the permitted purposes is to improve the platform.

Bottom line here, if you store or post data online, assume it will be there forever, no matter what you do and appears to be especially true for TikTok. I can tell you from personal experience there is stuff about me, articles I wrote, and other stuff from thirty years ago.

If you ask a company want to know what happens to your business data, you need to ask and get the answer in writing.

But also remember this. The fact that they may be able to recover data that you deleted six months ago does not represent a commitment by any of these providers to actually recover your data if you lose it. What they will do if presented with a search warrant (which could be “we looked but did not find anything that matches”) and if you ask them politely are two completely different things.

YOUR DATA, YOUR RESPONSIBILITY.

Credit: Forbes

Security Vendors Says Azure Takes Months to Fix Bugs

The cloud is not magic. Nor does it fix all vulnerabilities. Cases in point.

Two security vendors are accusing Microsoft of unnecessarily putting customers’ data at risk.

The vendors, Orca Security, and Tenable, are not bit players with a grudge, so you have to, at least, listen to them. According to the source:

In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure’s Synapse Analytics that he discovered in January. 

And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

https://www.theregister.com/2022/06/14/security_azure_patch/

Orca’s bug starts in early January and had a score of 7.8. The bug allowed a remote hacker to bypass the separation between tenants and access and control other customers’ workspaces, including stealing Azure keys, API tokens, and passwords.

While Microsoft patched it two months later, Orca told Microsoft that the patch didn’t work.

Microsoft repatched the bug on April 10, but Orca still said nice try.

Then the two got into a war of blogs. Microsoft said it was blog-fixed and Orca said it was blog-broke.

Several patches later, Orca is about to publish a technical analysis of the vulnerability. Now Microsoft says they really, really fixed it this time. Orca says that they have not had time yet to break these new fixes.

Moving on to Tenable, their CEO wrote a blog post that details Microsoft’s response to a privilege escalation bug that could be exploited by anyone. Microsoft, says Tenable, privately admitted the bugs were serious and silently patched one of the bugs. 89 days after Tenable disclosed them and after they told Microsoft that they were going public with the details.

Other security companies – Wiz, Positive Security, and Fortinet had similar tales.

To add pressure on Microsoft, Orca said that they found bugs in AWS Glue and AWS Cloud Formation and Amazon fixed them in 25 hours.

The current hand-shake agreement is that vendors have 90 days before researchers go public.

That timeline pre-dated AQS and Azure. Vendors do not have to package and test 100 different configurations to fix their own systems, so they ought to be able to do it more quickly.

Amazon is dealing with a much simpler and newer code base, which works in their favor. Microsoft, at some point, is going to have to deal with the backward compatibility dragon that they have been trying to ignore for thirty years.

In the meantime, the customers – you and me – get to deal with a less than perfect system.

Caveat emptor.

Credit: The Register

HHS Says Preview of HIPAA Changes This Summer

I guess HHS wants to be cool, so rather than having a press conference where people can ask embarrassing questions, they are going to release the proposed changes via a prerecorded video – sometime this summer. These new rules will apply to covered entities (like doctors) and business associates (like IT providers).

Part of what they are going to release is guidance of what regulators are going to consider as recognized security practices when considering fining a health care entity. Possibly this will give entities a little more clarity on what the “floor” for cybersecurity might be.

An update to the HITECH law requires the government to review whether a entity or business associate demonstrated recognized security practices during the prior 12 months. The review could happen after a breach or during a compliance audit.

HHS says that this video will cover how entities will need to prove what recognized security practices they are following, information on what HHS means by these particular practices and the feedback they got when they asked for comment on those practices.

They said this video process will allow them to respond more quickly than using the rulemaking process, but unless last year’s legislation allows them to bypass the rulemaking process, I don’t see how this will speed things up.

While an update to HIPAA is a good thing, don’t expect anything to happen super quickly. Credit: Data Breach Today