The Technology blog and podcast

Commentary, articles, and podcasts



I’m behind on news, let’s start with some good news

Hi all,

Let’s start with some good news to start the day on blogging. After not feeling well for a few days, I’m now feeling much better, trying to prepare for the Security Box, as well as get some blogging done from the past while.

Yes, I have plenty still from last year I definitely want to cover, and I need to move forward with this year as it is still young.

There are two articles in regards to the apparent closing of the Joker’s Stash, a public web site that was once the king of credit card selling for underground shops. When putting in Joker’s Stash, you’ll definitely find a public domain that anyone can go to, but you need to log in to be able to do anything with it.

I wanted to see what the web site was just so I can make sure I am giving accurate information, and I can say that at least for now, there is an active domain.

Krebs on Security does a great job in introducing people who have never heard of these guys to what they were up to. He writes:

The Russian and English language carding store first opened in October 2014, and quickly became a major source of “dumps” — information stolen from compromised payment cards that thieves can buy and use to create physical counterfeit copies of the cards.

Krebs continues to write that 2020 was probably the worst year for the card shop, and apparently, the closure is coming from the card shop owner himself. I am not even going to speculate whether the person responsible for the Joker’s Stash had or didn’t have Covid-19, the major virus that has swept the world since March of last year. According to the article from Mr. Krebs, this web site was always good about making sure there were fresh cards to sell, and if the case was that he had Covid-19, it definitely didn’t help anything, as buyers were complaining about the lack of fresh data.

Late last year, according to this article, several domains run by the group displayed notices of seizures by the government. The shop moved to other infrastructure afterward and they were told things were OK.

What the Cyberscoop article didn’t cover, and that Krebs on Security does, is some of the major breaches of companies that they got card data from.

Gemini estimates that Joker’s Stash generated more than a billion dollars in revenue over the past several years. Much of that revenue came from high-profile breaches, including tens of millions of payment card records stolen from major merchants including Saks Fifth Avenue, Lord and Taylor, Bebe Stores, Hilton Hotels, Jason’s Deli, Whole Foods, Chipotle, Wawa, Sonic Drive-In, the Hy-Vee supermarket chain, Buca Di Beppo, and Dickey’s BBQ.

All of these are links within the linked article we’ll be linking to.

Those who got in early will be able to cash out, according to Krebs; most will not. Spend by February 15th, it says, or forfeit the earnings.

Joker’s Stash Carding Market to Call it Quits (Krebs on Security)


The second article, written around the same time, starts out by stating:

An administrator of a notorious forum for stolen payment data and illicitly obtained personal information says they will shutter the site in 30 days. 

It goes into detail on who they were, and what happened with law enforcement actions. I don’t know if both articles state this, but the Cyberscoop article indicated that there were over 3 million credit card numbers under a claim.

Cyberscoop Article on Dickey’s Bar-b-q

I don’t know if Krebs covered this, but another section of the web site indicated that there were social security numbers and other personally identifiable information. This would be information such as name, birth date, and location, just to name a few, that was able to be searched by someone using the site.

Joker’s Stash, a forum for stolen data, says it will shut down within 30 days (Cyberscoop)

This has got to be the biggest news in recent memory, one of the biggest carding shops potentially closing. I’d love to link to the web site I found, but it is bare bones, a login page with nothing to see. So long, Joker, hope you find something else to do. It’s been fun.


Did you get your Windows update on? It should be good to go now

Did you get your Patch Tuesday on? Each month, Windows provides updates to your operating system so that it can be as secure as possible.

This month, the Redmond-based company released 83 security updates, with 7 of them disclosed through the Zero Day Initiative, otherwise known as ZDI. The ZDI was recently covered on the Security Box, a security podcast we do.

There is information in both of these articles from Krebs and Trend Micro that you should read. Microsoft Patch Tuesday, January 2021 Edition and January Patch Tuesday Repairs Critical MS Defender RCE Bug should be read for their content, and you decide what you want to read.

Do you want to read more about the Zero Day Initiative? No problem! Here’s a link to the Zero Day Initiative web site for those who want to learn more about what Trend Micro and the companies involved do.

Here are the headings within Trend Micro’s article that might be of interest:

  • Critical flaw in Windows Defender can lead to RCE
  • Microsoft splwow64 bug possibly next in line for active exploitation
  • RCE from vulnerable HEVC video extensions, Visual Studio

and don’t forget the heading talking about their own solutions. I’d definitely be concerned if you use Defender, as the disabled community’s only choice for AntiVirus is Defender. I’ve written about this in a 2017 piece talking about AntiVirus and the disabled. I’ve also talked about AntiVirus in this 2020 piece asking if this field is dead.

I honestly think that AntiVirus will never change, but finding a flaw in the only piece of software the blind and disabled can easily use is not acceptable. I’m sure it was an oversight, but it is something I’m at least concerned about.

Find something within these articles you’d like to discuss? Bring it on, let me know what concerns you. Thanks for listening, reading and participating!


Use cloud environments? Better check this out

CISA sent an email about attackers taking advantage of poor cyber hygiene. It was released on January 13th, and while it was short, I think this is of value to share.

The first paragraph says:

CISA is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors used a variety of tactics and techniques, including phishing and brute force logins, to attempt to exploit weaknesses in cloud security practices.

They recommend that people take a look at Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, for those who need it.

For the full article, Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments should be read, and I hope that you find it of value.


Apple’s Game-Changing iPhone Privacy Move Sparks Serious New Problem

Game over! Developers need to find another way to make money if they offer free apps. It’s just a matter of time, but this article talks about iOS 14 having this feature. Kate does a great job covering this, so give it a read.

Apple’s game-changing new privacy move is great for users and bad for data collectors such as Facebook. And it could spark a serious new problem, according to reports.

Source: Apple’s Game-Changing iPhone Privacy Move Sparks Serious New Problem

Is it more of a problem for us or for developers? Sound off.


SANS NewsBites reports Minnesota’s Lake Region Healthcare is the next victim on The Ransomware Is Right

In all seriousness, the Minnesota health system is next up on The Ransomware Is Right. I took the article from Health IT Security; it is entitled Minnesota’s Lake Region Healthcare Recovering From Ransomware Attack, and it is a very interesting read. We did cover UHS in multiple articles from the blog, and the article linked first mentions this and other health systems we may not have covered.

We need to really get a grip on our security, especially in the health care system. It isn’t enough to say “we’re sorry”; that isn’t going to cut it in this industry. The COVID-19 pandemic is in full swing, with sports going on and teams getting infected to the point where games are cancelled. One on Jan 11th and one on Jan 12th were cancelled because of the pandemic. Why should our health care have to suffer because hospitals need to use other methods to verify care and the like, because their operating systems and procedures are so out of date? It’s time hospitals read articles like this so they can proactively figure out how to not get infected. Read the articles here, and add this to the list of more ransomware-hit facilities and companies.


Disgruntled former VP hacks company, disrupts PPE supply, earns jail term | ZDNet

The sabotage of electronic records led to delays in shipping critical PPE during the COVID-19 pandemic.

Source: Disgruntled former VP hacks company, disrupts PPE supply, earns jail term | ZDNet

One year should not be the default on sentencing for someone like this. The company could’ve been shut down because they couldn’t deliver; glad they’re not. Problem is that while one year may be a start, big-time damage, as you’ll read in the article, was caused. Should one year be enough?

What do you guys think of someone going in and putting in a secret account and then getting fired just to have them do this? Would one year be enough for you to know he can’t possibly do that to another employer again? My thought is no. It becomes unauthorized access, and that is more than one year from what I’ve read in the past.


House Passes Bill to Codify and Revamp FedRAMP

The bill would provide $20 million in annual appropriations for the federal cloud security program.

Source: House Passes Bill to Codify and Revamp FedRAMP

Does this mean that the government can finally start figuring out how to do things securely because they’re talking, or is this another talking point? With the worst breach in 2020 still needing to be learned about, I’m not sure this is the answer. Thoughts after reading this one?


Ubiquiti: now joins the breach department through a cloud provider

This is still a developing story, and several podcasts will more than likely have this as I found another security podcast that might be of interest. Hearing things in a different light is definitely something I’m interested in, so we’ll see what has to be said about this story.

Brian Krebs wrote the article yesterday, and this is huge.

Ubiquiti, a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders, security cameras and access control systems, is urging customers to change their passwords and enable multi-factor authentication. The company says an incident at a third-party cloud provider may have exposed customer account information and credentials used to remotely manage Ubiquiti gear.

If you want to know how big they are, the last paragraph says:

According to Ubiquiti’s investment literature, the company has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

I believe Security Now has talked about this router, and I wonder what Steve is going to say about this.

The company became aware that information stored by a third-party provider was accessed, but they did not say which provider they were using. Brian has steps in the article that cover what you need to do if you’re affected.

Ubiquiti: Change Your Password, Enable 2FA is the article; if you’re affected, read it and follow its instructions, or call the company for help.


January OUCH! is now available from SANS

I’m going through email, and OUCH! from SANS is here talking about securing Wi-Fi. Lots of us are on Wi-Fi, so read the newsletter for this month and see if anything needs to be done for you.


The big news of the day: Amazon booting a new social media platform off of AWS

Hello Folks,

I placed a call to someone today to catch up with them, and they happened to tell me about an app that was removed from the Internet by Amazon. Sure enough, I found an article by Cyberscoop about it, and that article is entitled Amazon boots Parler from web hosting service over violent content, which was quite interesting.

We know that social media has tried to play censor and delete things that could be questionable. The problem with this is that in the United States, we have the First Amendment, which is what is called free speech.

We also know that Donald Trump has been kicked off of both Facebook and Twitter, although from what I heard, he urged people to be civil, and from what I was told today, he was outraged about the violence that took place last Wednesday.

The article in question starts:

Parler, a social media platform favored by pro-Trump groups, was completely offline Monday morning after Amazon knocked the company from its web hosting services overnight.

Federal law enforcement has continued to make arrests after the January 6th attack on the Capitol, according to the article. It continues:

Posts on the social media platform were part of the long trail of digital evidence available to investigators. The mob included white supremacists and proponents of the QAnon conspiracy movement.

Here is an article from the NY Times that talks about the arrests, if anyone wants to take a look at that, as it is outside of the technology and security aspect of the blog.

The publication BuzzFeed first reported the news, which came straight from AWS itself; feel free to read the news if you’re interested. The ban went into effect just before 3 a.m. Eastern time, according to the article.

They link to the Washington Post for this aspect of the story.

I completely understand the problem we have here. You’re trying to get rid of hate speech which could encourage violence, and that is probably a good thing. People may say something that may not necessarily be hateful, but people at these companies could suspend you just for posting something they consider hateful or violent. That, I don’t think is fair.

Also, according to the article, we learn that Donald Trump has been permanently banned by Twitter, following Facebook and their move to do so last week.

Last night, I ended up reading a couple of articles that had to do with QAnon, and I wasn’t really going to talk about one until I saw the other. Since this is in regards to a social network being shut down, I’ll say that these guys can probably go elsewhere to do their talking, and there isn’t anything we can really do about it.

One article by Krebs is entitled Hamas May Be Threat to 8chan, QAnon Online, and I found it interesting. The first paragraph says:

In October 2020, KrebsOnSecurity looked at how a web of sites connected to conspiracy theory movements QAnon and 8chan were being kept online by DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas. New research shows DDoS-Guard relies on data centers provided by a U.S.-based publicly traded company, which experts say could be exposed to civil and criminal liabilities as a result of DDoS-Guard’s business with Hamas.

All I’m going to say about the app, and the dealings with these other companies in this article is this: if there are terms of service violations which are apparent, then kick them off the Internet. If not, there is no need to do anything, because we should have the right to have free speech and say so about whatever is on our mind. Unless the government says otherwise, the U.S. has a constitution and so do other places saying we can write, think, do, and speak whatever we want unless we’re threatening people or causing harm.

Just because one says they’re going to “do something” doesn’t mean they will. Sure, there are groups organizing to “do a lot of various things,” but is it your job to try and kick them off because they were doing something civilly?

Brian links to last year’s article and says that it

examined how a phone call to Oregon-based CNServers was all it took to briefly sideline multiple websites related to 8chan/8kun — a controversial online image board linked to several mass shootings — and QAnon, the far-right conspiracy theory which holds that a cabal of Satanic pedophiles is running a global child sex-trafficking ring and plotting against President Donald Trump.

We know that sex trafficking is a global problem, and I could see someone making a phone call to get that taken offline so nobody gets hurt. I support that. But why take a social media platform offline just because people are organizing? Am I missing something?

The second article in this series, All Aboard the Pequod!, goes into more detail on these groups. If you kick them off one place, they’ll go to another place, so it isn’t a big deal since they’re going to continue to organize and cause problems. Maybe the publicity is what they want.

That’s all I have to write right now, but this is a good way to tie all of these articles into one blog post for today. This is only going to get more interesting as time goes on.


Reserve Bank likely hacked? Should we be backing up to the cloud?

Shaun Everiss sent me the following email this morning.

Hi.

This appeared yesterday just before dinner.

https://www.rnz.co.nz/news/national/434299/reserve-bank-likely-hacked-by-another-government-expert

Everyone is trying to get on this, now it’s government warfare all over again.

And people say we should back up to the cloud.

I am in the process of replacing one of my backup drives.

The article indicates that this particular breach was caused by a nation-state actor who may have breached their third party:

In a statement, the bank said a third party file sharing service it used to share and store some sensitive information had been hacked.
Professor of Computer Science at Auckland University, Dave Parry, said the attack was significant.

The article continues:

It was likely to be another government trying to attack the Reserve Bank, he said.
“Because ultimately if you were coming from a sort of like criminal perspective, the government agencies aren’t going to pay your ransom or whatever, so you’d be more interested probably coming in from a government to government level.”

It also reminds us that this isn’t the first attack in New Zealand, as this blog post talked about New Zealand coming back online after the stock exchange was hacked, or apparently hacked anyway.

I’m sure this is a developing story, and if more comes across my desk, we’ll be sure to cover it.


We’ve got more news … DDoSecrets isn’t done leaking data … using Tor now

In the backdated department, I remember talking about DDoSecrets in this 2020 blog post: Blue Leaks, this is as bad as it gets, which talked about something called BlueLeaks. Apparently, this was 10 years of archives named BlueLeaks, and we’ve not heard anything about it nor DDoSecrets till now. To set the record straight as I was writing this, BlueLeaks was the name of 269 GB of data that you’ll read about as I take this PhishLabs article apart; no wonder my memory is fuzzy on the name.

Now, PhishLabs has an article on this agency, Activists Leak Data Stolen in Ransomware Attacks, and it has lots of various links to various things to boot.

This company seems to have terabytes of stolen emails, documents, and photos from various companies covering a range of sectors like finance, pharmaceuticals, software, and manufacturing. So, I guess Germany didn’t do enough to shut them down completely, as now they’re back to work causing havoc like every other ransomware group out there. That’s nice!

This is probably the most important paragraph about this group, which brings back memories from the earlier post I linked to within this article. While I mentioned it above after I initially wrote this, it is still worth sharing for those who are not interested in linking back to my prior coverage of the BlueLeaks fiasco. The paragraph says:

Stating their goal is to “serve and inform the public,” DDoSecrets claims that the information they are promoting and publishing is already exposed and that data leaked by ransomware groups often contains information that deserves to be scrutinized.

Are you sure they have already been exposed and you just aren’t another hacker going after data to make yourselves look good?

Now we’ve also got to worry about double extortion, where companies have to pay the ransom and then pay to make sure it doesn’t get out. We’ve learned through other articles that this tactic doesn’t quite work, because these gangs can go back on their word and do it anyway. That is what I think this DDoSecrets company is, and I’m sticking to it.

The collection and publication of stolen data by DDoSecrets clearly illustrates why organizations affected by a ransomware attacks have more to worry about than negotiating a ransom payment. Extracted data is frequently exposed whether or not ransoms are paid. Data stolen in ransomware compromises may be on the road to a fast and much more public exposure via a third-party.

DDoSecrets has been in the spotlight for publishing hacked documents in the past, including a 269-gigabyte collection of law enforcement files known as BlueLeaks. After a series of repercussions including a server seizure, they are now hosting a majority of their content on Tor protected sites.

Now I understand where BlueLeaks came from: this company either stole stuff or bought it, published it, then got it named BlueLeaks by the community based on the data that was stolen. Now, that makes sense, and I remember now that this article said that, but I’ve been reading so much as of late.

Since now they host their stuff on Tor web sites, is there any luck on getting it shut down for good? People like this make me wonder why we have the Internet anymore, even though we’re all connected during this difficult time. I appreciate my Internet, and I really don’t want my Internet to have problems because of some company like this out loose buying stolen data, putting it out and hurting companies. That isn’t for the greater good, is it? The comment boards await you.


Chinese web firms ‘bullying’ customers with data, algorithms – consumer watchdog

This is the same China that goes around and censors their own citizens’ Internet; go look it up. Now, they want fair buying practices when they tell consumers what they can see, where they can go, and what social media to use? I honestly buy this. The beginning of the article and a link are below to form your own opinion. China, I’m not buying.

Chinese internet companies have been violating customers’ rights by misusing personal data and

Source: Chinese web firms ‘bullying’ customers with data, algorithms – consumer watchdog


Here is some SolarWinds news, news ending January 9, 2021

The biggest news this week in regards to SolarWinds is the fact that a court has been hit in the ongoing fiasco that is now being talked about as the biggest breach of 2020, according to Solutions Review Presents: The Top Data Breaches of 2020, which one of my followers tweeted. What I’d like to do is try to get the videos from this and share them on a future podcast, as some may be familiar and some may not. I may just read from the web site and do it that way. What isn’t surprising in this list is that SolarWinds is the breach of the month in December, and from what I’m hearing, companies may be affected but not coming out as of yet.

As I said, courts are the next victim, and this article, entitled Federal courts are latest apparent victim of SolarWinds hack, is a Cyberscoop article. Tim Starks writes for Cyberscoop on this one.

According to the article, federal courts are a gold mine for criminals, since there are so many cases that go through there. All kinds of cases and all kinds of crimes may be heard by the federal court, so protecting this data is of utmost importance, I’d hope.

The article says:

Going forward, federal courts will only accept filings of highly sensitive documents in paper form or via secure electronic devices, and won’t upload those documents to its electronic case management system.

“This new practice will not change current policies regarding public access to court records, since sealed records are confidential and currently are not available to the public,” the office said.

They also write:

“CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors,” the agency said.

This continues to be an ongoing ordeal, and I’ve published a blog post about something that may be of interest for those who come here specifically for SolarWinds coverage.

Finally, the article concludes with this paragraph that says:

Via a new technique that CISA has seen hackers use in an incident it responded to, the agency said, “it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner.”

This may be a major problem moving forward, and I don’t know what the solution to this is going to be if 2021 is the year for huge breaches like this one that can go undetected for over a year.


Next, Sen. Warner accuses White House of weakening statement attributing SolarWinds hack to Russia comes to mind as well. Mr. Warner has spoken out in regards to other breaches, so he’s a good vocal point that we need to have.

The first paragraph may just sum this article up beautifully. It states:

An influential Senate Democrat who will soon chair the intelligence committee on Thursday accused the White House of “water[ing] down” the U.S. government’s public statement linking a hacking campaign to Russia, and suggested more high-profile corporations had been breached.

Another paragraph later down says:

A person familiar with internal U.S. government deliberations on the matter echoed Warner’s accusation, saying that the White House had weakened the language attributing the campaign to Russia and that the word “likely” was a surprise inclusion in the final statement.

Spokespeople for the White House and its National Security Council did not respond to requests for comment. Russia has denied involvement in the hack.

Those that may have done it, of course, don’t want to admit to having any involvement, but attribution now seems to point more strongly at Russia, even if they don’t want to admit it.

There is a lot of linked stuff here, so I can’t take every paragraph and pull it apart; just check out the article, and let us discuss it.


Finally, Mr. Trump, if he’s very unhappy now that he’s apparently lost his Twitter account for the foreseeable future, might as well find something to do, as one of his own people he hired then fired had no trouble finding another job. Mr. Christopher Krebs, no relation to Brian Krebs, found a job at SolarWinds, as he was hired to help them figure out what broke and help them get back on their feet. The article SolarWinds hires Chris Krebs, Alex Stamos to boost security in wake of suspected Russian hack is the Cyberscoop article I’m talking about. Sean Lyngaas wrote this article for the publication.

Alex Stamos, former Facebook security chief, was also hired for the task.

According to the very first paragraph:

Software provider SolarWinds, which was breached in a suspected Russian hacking campaign against U.S. companies and federal agencies, has hired former senior U.S. cybersecurity official Chris Krebs and former Facebook security chief Alex Stamos to help respond to the hack and improve its security practices.

Continuing:

Krebs and Stamos will work as consultants for Texas-based SolarWinds as it continues to deal with the fallout of a hacking operation that has roiled Washington and is considered one of the more significant cyber-espionage campaigns against U.S. agencies in years.

When we first learned about the breach, publications like Cyberscoop and others stopped short of saying it was espionage, but it has since been confirmed to be such.

Lastly for this section, the article says:

“Armed with what we have learned of this attack, we are also reflecting on our own security practices and seeking opportunities to enhance our posture and policies,” SolarWinds said in a statement. “We have brought in the expertise of Chris Krebs and Alex Stamos to assist in this review and provide best-in-class guidance on our journey to evolve into an industry leading secure software development company.”

SolarWinds, your mistake was that you took your development offshore, according to what I read, and put security on the back burner. In my opinion, maybe you deserve what happened, and hopefully you’ll learn what not to do next time.

The article goes on to say that fewer than 10 federal agencies were hit, including Commerce, DHS, the Department of Energy, the White House, and possibly others we still don’t know about. The article only lists three as examples, but I don’t believe we’ve heard it all yet.

Alex was part of Yahoo! at the time we didn’t learn of the many Yahoo! accounts that were breached. I’ve stopped using my Yahoo SBC account and have no plans on using it.

There’s more about each member, lots of links, and lots to read. Have something to say? Register and leave those comments. It’s free to do, and we welcome your comments right here, on the tech blog.


CISA releases Alert (AA21-008A) Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments

I’ll have more on SolarWinds and some articles I’ve read that might be of interest, but for tonight, I read a lot of this CISA report: Alert (AA21-008A) Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, for people who need it. I don’t know if people need this, so I thought I’d share it. There is information on techniques and procedures the actors have used, along with links to other information they released.

If you’re not subscribed to this email list, then I’m supplying it to you so you can have it. I hope this is of interest to those who need it.


What is going on in the security landscape, news ending January 8, 2021

Hello folks, welcome to a wrapup of what is going on in the landscape of security. In no way is this going to be a complete rundown; however, it covers some of what I’ve read or come across, or even news that I didn’t see that comes across my desk through a digest from Trend Micro.

Let us get started with “This week in Security News” from Trend Micro. I really like covering these posts because they cover a lot, some I may have read, some I still need to read, yet others may just be interesting but not worth talking about in the long term.

There are two articles I’ve been meaning to cover that are in my rundown from this news digest that I might as well cover here. The first is Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration, and I had to read it from the web version. This is very dangerous because it relies on people using webmail to access their mail. I ditched webmail many, many, many years ago because I personally find it to be something that doesn’t interest me. Even when I signed up for Gmail, and I finally decided on it for YouTube and even now an off-site email address, I was not using the website to check my mail.

The good news is that I think most of us who read this aren’t using the site that is referenced at all. The web site is mail2000tw[.]com or any kind of subdomain. I can’t tell what language it is; I did visit the site via private browsing to see what language it is.

Trend Micro writes:

We discovered a new campaign that has been targeting several organizations — including government organizations, research institutions and universities
in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that
is widely-used in Taiwan.  With no clear connection to any previous attack group, we gave this new threat actor the name “Earth Wendigo.”
Additional investigation shows that the threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians
and activists, who support movements in Tibet, the Uyghur region, or Hong Kong. However, this is a separate series of attacks from their operation in Taiwan,
which this report covers. 

Other headings within this article include, but are not limited to:

  • Initial Access and Propagation
  • Exfiltration of the mailbox
  • Infection of email accounts
  • Service Worker script exploitation
  • Email exfiltration

The article is very detailed and I think people need to read it, as this could come to a webmail service near us. Luckily, it hasn’t happened as of yet, but it is definitely something that could eventually happen.


The other thing in this week’s digest that I wanted to cover is An Overview of the DoppelPaymer Ransomware, and it is also a good one.

The article starts out:

DoppelPaymer uses a fairly sophisticated routine, starting off with network infiltration via malicious spam emails containing spear-phishing links or attachments
designed to lure unsuspecting users into executing malicious code that is usually disguised as a genuine document. This code is responsible for downloading
other malware with more advanced capabilities (such as Emotet) into the victim’s system.

I believe I’ve talked about Emotet on the technology podcast, and it definitely isn’t going anywhere with this new project. This also uses the Dridex malware family (website), which will either download DoppelPaymer directly or something else.

This is definitely something that is stealthy, troublesome, and something that we should all know about.

The article goes on and says:

Once Dridex enters the system, the malicious actors do not immediately deploy the ransomware. Instead, it tries to move laterally within the affected system’s
network to find a high-value target to steal critical information from. Once this target is found, Dridex will proceed in executing its final payload,
DoppelPaymer. DoppelPaymer encrypts files found in the network as well as fixed and removable drives in the affected system.

Finally, DoppelPaymer will change user passwords before forcing a system restart into safe mode to prevent user entry from the system. It then changes
the notice text that appears before Windows proceeds to the login screen.

The new notice text is now DoppelPaymer’s ransom note, which warns users not to reset or shut down the system, as well as not to delete, rename, or move
the encrypted files. The note also contains a threat that their sensitive data will be shared to the public if they do not pay the ransom that is demanded
from them.

According to the FBI notification, DoppelPaymer’s primary targets are organizations in the healthcare, emergency services, and education. The ransomware
has already been involved in a number of attacks in 2020, including disruptions to a community college as well as police and emergency services in a city
in the US during the middle of the year.

DoppelPaymer was particularly active in September 2020, with the ransomware targeting a German hospital that resulted in the disruption of communication
and general operations. It also fixed its sights on a county E911 center as well as another community college in the same month.

The following is what Trend Micro recommends in regards to this one:

  • Refraining from opening unverified emails and clicking on any embedded links or attachments in these messages.
  • Regularly backing up important files using the 3-2-1 rule: Create three backup copies in two different file formats, with one of the backups in a separate physical location.
  • Updating both software and applications with the latest patches as soon as possible to protect them from vulnerabilities.
  • Ensuring that backups are secure and disconnected from the network at the conclusion of each backup session. 
  • Auditing user accounts at regular intervals — in particular those accounts that are publicly accessible, such as Remote Monitoring and Management accounts.
  • Monitoring inbound and outbound network traffic, with alerts for data exfiltration in place.
  • Implementing two-factor authentication (2FA) for user login credentials, as this can help strengthen security for user accounts
  • Implementing the principle of least privilege for file, directory, and network share permissions.

As with all things troublesome, making sure we have our backups is the most important thing. I personally pay for Dropbox for that purpose, and I am sure glad I have!
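The quoted write-up describes the DoppelPaymer endgame as a sequence a host can be watched for: user passwords get changed, the machine is forced to restart into Safe Mode, and the pre-logon notice is rewritten into the ransom note. The Python below is an added example of detection logic for that sequence, run over constructed Windows Security events; it is not Trend Micro’s code or anything from the article. The event IDs are the real Windows ones (4724 password reset, 4688 process creation, 4657 registry value modified), but the JSON field layout is a simplified SIEM-style format and the sample lines are made up for this example. That Safe Mode is forced with bcdedit and that the notice lives in the legalnoticetext policy value are this example’s assumptions about how the described behaviour shows up on a host; the 15-minute window and the three-account threshold are tuning choices, not anything the article states.

```python
"""Detection logic for the DoppelPaymer endgame described above, run over
constructed Windows Security events.  Added example, not Trend Micro's code.
Event IDs are the real ones (4724 password reset, 4688 process creation,
4657 registry value modified); the JSON field names are a simplified
SIEM-style layout and every sample line is constructed.  Forcing Safe Mode
via bcdedit and rewriting the pre-logon notice via the legalnoticetext
policy value are this example's assumptions, not facts from the article."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON object per line, timestamps in UTC.
# FS01 shows the full sequence; WS07 is an ordinary helpdesk password reset.
SAMPLE_EVENTS = r"""
{"ts": "2021-01-06T02:10:01", "host": "FS01", "event_id": 4724, "subject": "CORP\\svc_backup", "target": "CORP\\jdoe"}
{"ts": "2021-01-06T02:10:02", "host": "FS01", "event_id": 4724, "subject": "CORP\\svc_backup", "target": "CORP\\asmith"}
{"ts": "2021-01-06T02:10:02", "host": "FS01", "event_id": 4724, "subject": "CORP\\svc_backup", "target": "CORP\\administrator"}
{"ts": "2021-01-06T02:10:03", "host": "FS01", "event_id": 4724, "subject": "CORP\\svc_backup", "target": "CORP\\bwong"}
{"ts": "2021-01-06T02:10:09", "host": "FS01", "event_id": 4688, "subject": "CORP\\svc_backup", "command_line": "bcdedit.exe /set {default} safeboot network"}
{"ts": "2021-01-06T02:10:11", "host": "FS01", "event_id": 4657, "subject": "CORP\\svc_backup", "object": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "value_name": "legalnoticetext"}
{"ts": "2021-01-06T09:30:00", "host": "WS07", "event_id": 4724, "subject": "CORP\\helpdesk", "target": "CORP\\mlee"}
{"ts": "2021-01-06T09:31:00", "host": "WS07", "event_id": 4688, "subject": "CORP\\mlee", "command_line": "notepad.exe"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_safeboot_command(command_line):
    """'bcdedit /set ... safeboot minimal|network' makes the next boot Safe Mode."""
    c = command_line.lower()
    return "bcdedit" in c and "/set" in c and "safeboot" in c


def is_legal_notice_change(ev):
    """A 4657 touching the pre-logon notice values under Policies\\System."""
    return (ev.get("event_id") == 4657
            and ev.get("value_name", "").lower() in ("legalnoticetext", "legalnoticecaption"))


def find_doppelpaymer_endgame(events, window=timedelta(minutes=15), min_resets=3):
    """One finding per (host, acting account) that, within `window`, reset at
    least `min_resets` distinct accounts AND forced Safe Mode or rewrote the
    logon notice.  A lone password reset never fires on its own."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["host"], ev.get("subject", "?"))].append(ev)
    findings = []
    for (host, subject), evs in groups.items():
        resets = [e for e in evs if e["event_id"] == 4724]
        safeboot = [e for e in evs
                    if e["event_id"] == 4688 and is_safeboot_command(e.get("command_line", ""))]
        notice = [e for e in evs if is_legal_notice_change(e)]
        targets = sorted({e["target"] for e in resets})
        if len(targets) < min_resets or not (safeboot or notice):
            continue
        relevant = resets + safeboot + notice
        first = min(e["ts"] for e in relevant)
        last = max(e["ts"] for e in relevant)
        if last - first > window:
            continue  # too spread out to be one automated run
        findings.append({
            "host": host,
            "subject": subject,
            "accounts_reset": targets,
            "forced_safe_mode": bool(safeboot),
            "legal_notice_changed": bool(notice),
            "first_seen": first.isoformat(),
            "last_seen": last.isoformat(),
        })
    return findings


if __name__ == "__main__":
    for f in find_doppelpaymer_endgame(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] {f['host']}: {f['subject']} reset {len(f['accounts_reset'])} accounts, "
              f"safe mode={f['forced_safe_mode']}, notice changed={f['legal_notice_changed']}")
```

The point of keying on the combination rather than any single event is that password resets and even bcdedit runs happen legitimately; the burst of resets by one account followed by a Safe Mode boot setting or a rewritten logon notice is what matches the quoted behaviour. Windows only emits 4657 for registry keys that have an audit SACL, so the legal notice check needs that auditing turned on to be useful in practice.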


The Hacker News has an article entitled FBI, CISA, NSA Officially Blame Russia for SolarWinds Cyber Attack, which I have not read. Cyberscoop has articles dealing with SolarWinds and some of the fallout. They are:

The last two go hand in hand, but all of the above are interesting, saying in varying paragraphs that Russia is to blame. That is why I link all of them in this section: it is the latest we have, and I can only imagine Trump going ape over his accounts being suspended. With what has gone on, it’s about time that the companies do something to curb his behavior, even if it was only indirectly responsible for the attacks that have been in the news as of late. Read all of the articles linked above, because they are all good and vary in content. Several of these articles may be linked in podcast content in passing for news notes, but it’s all informative. articles will


Another article worth talking about is protecting your kids while learning at home. This article, How to Protect Your Kid’s Privacy While At-Home Learning, goes into detail on this.

The beginning of this article says:

How to Protect Your Kid’s Privacy While At-Home Learning
Many kids now have school-supplied computer equipment away from the school network. However, with this come privacy and security concerns. Some are easy
to avoid, but others need some modifications to ensure safety.
By: Stephen Hilt, Erin Johnson, December 22, 2020
With the pandemic forcing many people to work and attend school from home, there has been a major shift in the use of technology for many businesses and
learning institutions. And this has brought a lot of interesting findings, at least from my own.
My kids have been attending school virtually this year, and I’m glad that schools can offer options and provide a high level of education virtually during
the Covid-19 pandemic. One of these options is the use of Chromebooks. While many US school districts have been providing Chromebooks to children at school
for some time, the scale of this need changed significantly in 2020. Fortunately, some school districts have found the ability to get more computers for
students who need them at home.

While I applaud the schools for providing computers to the people who need them, the article talks about how schools are locking down even the network at home because it is signed in to the same Google account, even though the provided computer is not being used. This goes beyond the reach of my understanding; please read Trend Micro’s article on this.

One of the things I heard in a new podcast I just subscribed to, called The CyberWire Daily, mentioned software called JetBrains, another piece of software that may have been compromised. I have not read Investigation Launched into Role of JetBrains Product in SolarWinds Hack: Reports, but it is interesting that yet another company may be involved in one of the biggest breaches we’ve ever known.

Here is what the clip of this article states. Again, I’ve not read this, so I have no more info except what I heard on the podcast.

Cybersecurity experts and government agencies are trying to determine whether the hackers that targeted SolarWinds may have abused software created by
JetBrains to achieve their goal. JetBrains is a software development company based in the Czech Republic that has offices in Europe, Russia and the United
States. The company claims its solutions are used by over 9 million developers across 300,000 companies around the world.


We can’t forget phishing. Email threats are going to rise, and with that, legitimate domains may be used. Also, Ryuk is still being used more than ever, Hastebin is being used to deliver fileless malware, and much more. To read the entire article of what is going on this week from Trend Micro, please go over to Trend Micro’s blog: This Week in Security News – Jan 8, 2021 to read all of the details.


Finally, we’ve got some great news, which I always like to cover. Russian man sentenced to 12 years in prison for massive JPMorgan data heist, and that is good news because JPMorgan’s breach was one of the biggest to date for its time.

Tyurin’s breach of JPMorgan Chase alone saw data on 80 million customers stolen, according to prosecutors. The Russian man made $19 million altogether
from the hacking, the Justice Department said in a statement.

We should back up and start at the beginning, though. The article states in part: A U.S. federal judge on Thursday sentenced Andrei Tyurin, a 37-year-old Russian man, to 12 years in prison for his role in a hacking scheme that prosecutors
say involved the theft of personal data from over 100 million customers of big U.S. financial firms.

The brazen hacking operation, which ran from 2012 to 2015, is one of the biggest to hit Wall Street in recent memory. It involved Tyurin allegedly working
with an Israeli man named Gery Shalon, among others, to breach big-name companies like JPMorgan Chase, ETrade and The Wall Street Journal. The scammers
then sought to inflate stock prices by marketing them to people whose data they had stolen.

There is definitely more, and more that I need to get out in regards to SolarWinds, but I’ll do that in a separate article, as SolarWinds is just as interesting alone as it would be in a roundup like this.

This completes the news notes. Did you find something of interest? Why not get in touch? Comment on the blog! Write an email! Use WhatsApp, email, iMessage or any other contact info you want! We’ll be waiting.

Comments (0)

Have you read Trend Micro’s year in review yet? It’s quite interesting as usual

The Year in Review for 2021 was released on Trend Micro on the 8th of December, 2020. It is definitely a fascinating read every time I read it, and Trend Micro isn’t far off. There is always room for error.

I’m always fascinated by Trend Micro and the predictions report that they come out with each year. This time, Takeaways from Trend Micro’s 2021 Security Predictions is the article, and there’s a lot here.

In the next Security Box, I’ll text-to-speech this article as it’ll go faster, and we’ll discuss it.

I think one of the biggest and continuing threats in this landscape will be the continuing ordeal of the pandemic as well as the actors keeping up with what people want to know.

Home offices as hubs? You bet. With more people working from home and that not changing for the foreseeable future, criminals will be wanting to utilize any connection they can to get their wares out into the world.

For example, I used a website to look up an IP address to see if it had been reported as spam. It was a malicious spam message, but the IP was a fixed landline internet connection. That makes it a bad IP. Because it sent me spam, I had no choice but to report it, although I felt bad. The site, which I may talk about on a podcast of some sort, is a site that collects data on various trends of spam, hacking and other aspects of attacks. I don’t exactly know what they do with it, but if I see something from the same range, I can block that range of IPs from coming to my web site and spamming me. This is especially true if it is an IP designed to push traffic to its next destination, such as your hosting provider; it isn’t supposed to visit the web and send spam.
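Blocking “that range of IPs” is the judgement call in the paragraph above: one spamming landline address sits in a block shared with many innocent subscribers, so blocking the whole range over a single report cuts off more than the spammer. The Python below is an added example of a blocklist builder that only widens to a whole /24 once several distinct hosts in it have been reported, and blocks single hosts otherwise; it is not the reporting site’s code or anything from this post. The reported addresses are constructed from documentation ranges, and the /24 grouping, the /64 grouping for IPv6 and the three-host threshold are this example’s choices.

```python
"""Build a deny list from IPs that sent spam, blocking a whole range only
when several hosts in it misbehaved.  Added example, not the reporting
site's code; the reported addresses are constructed (documentation ranges)
and the grouping prefixes and threshold are this example's choices."""
import ipaddress
from collections import Counter

# Constructed report list, as a site owner might collect from a comment form's logs.
REPORTED = ["203.0.113.7", "203.0.113.9", "203.0.113.200", "198.51.100.23", "203.0.113.7"]


def build_blocklist(reported, v4_prefix=24, v6_prefix=64, threshold=3):
    """Return collapsed networks to deny.  A containing /prefix is blocked
    whole only when at least `threshold` distinct reported hosts fall inside
    it; otherwise only the individual hosts are blocked."""
    hosts = {ipaddress.ip_address(a) for a in reported}  # dedupe repeat reports
    per_net = Counter()
    for h in hosts:
        plen = v4_prefix if h.version == 4 else v6_prefix
        per_net[ipaddress.ip_network(f"{h}/{plen}", strict=False)] += 1
    blocked = []
    for net, count in per_net.items():
        if count >= threshold:
            blocked.append(net)
        else:
            blocked.extend(ipaddress.ip_network(str(h)) for h in hosts if h in net)
    result = []
    for version in (4, 6):  # collapse_addresses handles one address family at a time
        fam = [n for n in blocked if n.version == version]
        result.extend(ipaddress.collapse_addresses(fam))
    return result


def is_blocked(ip, blocklist):
    """The membership test a request handler would run on the client address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def apache_rules(blocklist):
    """Render the list as an Apache 2.4 RequireAll block for a site config."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {net}" for net in blocklist]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    deny = build_blocklist(REPORTED)
    print(apache_rules(deny))
    for probe in ("203.0.113.150", "198.51.100.24"):
        print(probe, "blocked" if is_blocked(probe, deny) else "allowed")
```

With the constructed list, three distinct hosts in 203.0.113.0/24 cross the threshold and the whole /24 is denied, while 198.51.100.23 is denied on its own and its neighbour 198.51.100.24 stays allowed. Lowering the threshold to 1 reproduces the blunt “block the range” behaviour the paragraph worries about.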

Covid-19 isn’t going anywhere; in fact, California is so out of control that we’re out of beds in the ICU. Actors are going to take advantage of this, and phishing and ransomware have been sent based on this devastating tragedy which has rocked the world. It is unfortunate; however, I don’t think we’re done with that aspect of attacks as of yet.

The next major heading they talk about here is Digital transformation efforts as a double-edged sword (if not done right). This section is really meant for business and not necessarily for consumers, so when you read the article, know that I’m thinking of you as a business. Consumers must read this to understand what is happening in the business world, and it was a definite interesting read.

The full article links to Turning the Tide: Trend Micro Security Predictions for 2021, of which you should read the first heading: “What At-Home Workers Need to Know.” Thanks so much for reading.

Comments (0)

CISA Updates Emergency Directive

I wasn’t originally going to cover this at all, however, I recently subscribed to a podcast called “Cyber Wire Daily” which releases podcasts every day on the goings on in the Cyber Security industry.

While I need to catch up with this podcast, one of the recent episodes listed covers this, so I thought I had better cover it. CISA Updates Emergency Directive 21-01 Supplemental Guidance and Activity Alert on SolarWinds Orion Compromise is the full title of it, and it is linked here for you.

There are links throughout that might be of interest to boot, so go ahead and check it out and see if there is something you need to know about within this linked item.

I read a lot of this; however, I’m not really sure how to cover it on a podcast, since I don’t know people specifically affected.

There are two items that caught my attention when I initially read this.

  • Federal agencies without evidence of adversary follow-on activity on their networks that accept the risk of running SolarWinds Orion in their enterprises
    should rebuild or upgrade, in compliance with hardening steps outlined in the Supplemental Guidance, to at least SolarWinds Orion Platform version 2020.2.1
    HF2. The National Security Agency (NSA) examined this version and verified it eliminates the previously identified malicious code. This version also includes
    updates to fix un-related vulnerabilities, including vulnerabilities that SolarWinds has publicly disclosed.
  • Federal agencies with evidence of follow-on threat actor activity on their networks should keep their affected versions disconnected, conduct forensic
    analysis, and consult with CISA before rebuilding or reimaging affected platforms and host operating systems.

There might be something you need to pass on to your superiors who deal with this, so please check this out and see if it applies to you.
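The first quoted item gives a concrete floor for anyone running Orion: at least SolarWinds Orion Platform version 2020.2.1 HF2. Comparing that against an inventory is easy to get wrong as a plain string comparison, because the hotfix suffix and a third numeric component don’t sort lexically. The Python below is an added example of that check; it is not CISA’s or SolarWinds’ code. It parses version strings of the shape YYYY.major[.minor] [HFn], and the ordering rule (higher numeric components are newer, a hotfix is newer than its base, HF2 is newer than HF1) and the inventory are this example’s assumptions. The only floor it knows is the one quoted above; the directive itself is the authority on any other acceptable builds.

```python
"""Flag SolarWinds Orion installs below the floor quoted from CISA's
supplemental guidance above (2020.2.1 HF2).  Added example, not CISA's or
SolarWinds' code.  Version strings are parsed as 'YYYY.major[.minor] [HFn]';
the ordering rule and the inventory below are this example's assumptions."""
import re

MIN_SAFE = "2020.2.1 HF2"  # the floor quoted above

VERSION_RE = re.compile(
    r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)

# Constructed inventory: (hostname, version string as reported by the install).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1 HF2"),
    ("orion-prod-02", "2020.2.1 HF1"),
    ("orion-dr-01", "2020.2"),
    ("orion-lab", "2019.4 HF5"),
    ("orion-new", "2020.2.4"),
    ("orion-bad", "unknown"),
]


def parse_orion_version(s):
    """'2020.2.1 HF2' -> (2020, 2, 1, 2); missing minor or hotfix count as 0.
    Tuples compare component-wise, which is the ordering this example assumes."""
    m = VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised Orion version: {s!r}")
    year, major, minor, hf = m.groups()
    return (int(year), int(major), int(minor or 0), int(hf or 0))


def meets_floor(version, floor=MIN_SAFE):
    """True when `version` is at or above the floor under the assumed ordering."""
    return parse_orion_version(version) >= parse_orion_version(floor)


def triage(inventory, floor=MIN_SAFE):
    """Map hostname -> 'ok' | 'upgrade' | 'unparseable' for an inventory list."""
    out = {}
    for host, ver in inventory:
        try:
            out[host] = "ok" if meets_floor(ver, floor) else "upgrade"
        except ValueError:
            out[host] = "unparseable"  # needs a human look, not silent acceptance
    return out


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
```

Note that a string compare would call "2020.2.1 HF2" newer than "2020.2.10" and "2020.2" newer than "2020.2.1 HF2"; the tuple form is what makes the floor check reliable. A host whose version can’t be parsed is reported separately rather than treated as safe.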

Comments (0)

Ticketmaster pays $10 million for misuse of data

Well, finally someone pays for doing harm. The headline spells it Tickemaster, but it is Ticketmaster. Turns out, they were able to obtain passwords and other stuff to look at what their rivals were up to, so they could have the upper hand.

Does a 10 million dollar fine cover the overall cost of the rival company going after them to determine what was going on? Maybe it does, maybe it doesn’t.

To make things interesting, a paragraph of the article says:

The rival company didn’t know that one of its former employees had leaked logins to Ticketmaster, which used them to gather information in the mid-2010s
about the competitor’s technology and other aspects of its business.

While the feds didn’t name the company, this article claims that it is a company I don’t think I’ve heard of called Songkick. This is a New York Times article on Songkick which is linked within the article I’ll be linking.

“Ticketmaster used stolen information to gain an advantage over its competition, and then promoted the employees who broke the law. This investigation
is a perfect example of why these laws exist — to protect consumers from being cheated in what should be a fair market place,” said FBI Assistant Director-in-Charge
William F. Sweeney Jr.

The $10 million fine against Ticketmaster — a wholly owned subsidiary of entertainment giant Live Nation — settles five criminal charges for illegal computer
access and fraud. In a related case in October, Zeeshan Zaidi, the former head of Ticketmaster’s Artist Services division, pleaded guilty to charges of
conspiring to commit computer intrusions and wire fraud.

Under the deal with the feds, Ticketmaster also must maintain a compliance and ethics program “designed to prevent and detect violations of the Computer
Fraud and Abuse Act and other applicable laws, and to prevent the unauthorized and unlawful acquisition of confidential information belonging to its competitors.”

This is quite interesting and when I read that, I just had to shake my head. This was quite an interesting article and lots of things are linked within it.

Tickemaster pays $10M fine to settle charges of using stolen passwords to spy on rival company is the article, and I hope this is a lesson to others: the feds are waiting.

Comments (0)

Another T-Mobile breach, the 4th in several years

Are you affected by the T-Mobile breach that is now coming to light? The article was written today, January 4, 2021, and this looks to be quite interesting, as this isn’t the first by the looks of things.

Here are three paragraphs.

T-Mobile says that it “recently identified and quickly shut down” a data breach that included call-related information about some accounts.

The wireless telecommunication firm said in a notice mailed to some customers in late December that the incident “may have included phone number, number
of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service.”

It’s the fourth data breach that the company has acknowledged within the last three years. T-Mobile, which completed a merger with Sprint in April 2020,
also disclosed incidents that occurred in March 2020, November 2019 and August 2018.

I’m happy that they identified this 4th breach quickly; what about the other three? The article continues:

The company called the intrusion “malicious, unauthorized access,” but did not release details about the suspected intruders or their methods. Personally
identifiable information was not affected in this latest breach, T-Mobile said.

“The data accessed did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers,
tax ID, passwords, or PINs,” the company said, adding that it had contacted cybersecurity experts and federal law enforcement about the breach

Even though it doesn’t have personal information involved, we learn:

The affected data is known as customer proprietary network information, and although it might not contain the names or other identifying information of customers, the Federal Communications Commission still considers it sensitive in nature.

If you’re a T-Mobile customer, the boards await you.

To read more: T-Mobile: Breach exposed call information for some customers

Comments (0)
