• 32. It's Scary What Kids Can See Online
    Aug 16 2021

    UPDATE to last week's Headlines:
    Kaseya's universal REvil decryption key was leaked on a hacking forum by a poster believed to be affiliated with the REvil ransomware gang, and it tests successfully.

    • On July 22nd, Kaseya obtained a universal decryption key for the ransomware attack from a mysterious "trusted third party" and began distributing it to affected customers.
    • CNN reported that, before sharing the decryptor with customers, Kaseya required them to sign a non-disclosure agreement, which may explain why the decryption key hasn't shown up until now.

    On July 13, CrowdStrike detected and blocked attempts by the Cogni and Magniber ransomware groups, all in South Asia, to exploit the PrintNightmare vulnerability, protecting customers before any encryption took place. They have seen almost 600 submissions in the last 30 days (July 12 to Aug 12). Also of note: Vice Society ransomware, which targets small and midsize schools.


    This Week's Security Tip:
    It’s scary what kids can see online. Here are some little-known ways to see if your kid is doing things and visiting sites you don’t want them to:

    1. They’ve deleted their browsing history. What are they hiding?
    2. The ads showing up are questionable. Marketers use retargeting to get you to come back to their websites. So if you’re seeing ads that make you go “hmmmm,” that’s a sign they’ve been visiting those sites.
    3. They hide when using the device. A good rule of thumb is NO devices in bedrooms, or in any room that is not out in the open.


    Today's Headlines:
    On Tuesday, just over $600 million in crypto assets were stolen from Poly Network, a system that allows users to transfer digital tokens from one blockchain to another. The threat actor who hacked Poly Network's cross-chain interoperability protocol yesterday to steal over $600 million worth of cryptocurrency assets is now returning the stolen funds. He then sent multiple transactions with text embedded in each, in which he included a Q&A explaining his motives, including the line "why hack? For fun 😊"


    SentinelOne has detected another AdLoad malware variant that Apple's built-in, YARA-signature-based XProtect antivirus has failed to detect for at least 10 months, and it is still undetected. Variants of this strain have been seen since 2017; it is used to deploy various payloads, mostly adware and PUAs (potentially unwanted apps), and to harvest system info.

    • To put things into perspective, Shlayer, another common macOS malware strain that has also been able to bypass XProtect before and infect Macs with other malicious payloads, has hit over 10% of all Apple computers monitored by Kaspersky.


    Next Week's Teaser:
    NEVER use the same password twice

    Call to Action: Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

    www.mastercomputing.com/discovery

    29 mins
  • 31. Your Copier Is Spying On You
    35 mins
  • 30. E-mail is NOT Private
    25 mins
  • 29. What Is An AUP, And Why Do You Need One?
    Jul 12 2021

    This Week's Security Tip: Make sure EVERY employee knows what is acceptable and what is not, regarding company technology.

    With so many access points, from cell phones to laptops and home computers, how can anyone hope to keep their network safe from hackers, viruses and other unintentional security breaches? The answer is not “one thing” but a series of things you have to implement and constantly be vigilant about, such as installing and constantly updating your firewall, antivirus, spam-filtering software and backups. This is why clients hire us – it’s a full-time job for someone with specific expertise (which we have!).

    Once that basic foundation is in place, the next most important thing you can do is create an Acceptable Use Policy (AUP) and TRAIN your employees on how to use company devices and on other security protocols, such as never accessing company e-mail, data or applications from unprotected home PCs and devices (for example), how to create good passwords, how to recognize a phishing e-mail, what websites to never access, etc. NEVER assume your employees know everything they need to know about IT security. Threats are ever-evolving and attacks are getting more sophisticated and clever by the minute.

    UPDATE to last week's Headlines:

    • Kaseya VSA breach – the flaw had been on their CVE list for 3 months. Also, a third-party security incident response evaluation found that their billing and customer support site, portal.kaseya.net, was, and had been since July 2015, susceptible to CVE-2015-2862, a directory traversal attack: basically, even without credentials you could access server files and locations, including the web.config file, which contains usernames, passwords, and the locations of other sensitive information. Kaseya had updated their customer portal in 2018 but left the legacy portal alive.

    • Microsoft issues emergency patch for PrintNightmare – We briefly mentioned this last episode, but the story goes:

      A security researcher publicly disclosed the initial vulnerability: the print spooler, which by default runs on all Windows versions with kernel-level administrative rights, could be abused to run remote code and potentially take over the entire domain. In the next update, Microsoft issued a weak patch that only addressed the proof of concept but didn't really address the actual vulnerability. Another research team then publicly reported a proof of concept they too had reported to MS, under a different CVE than the first, which in summary was an active exploit – so basically they published a how-to on a zero-day. Microsoft then had to patch both the first CVE and the second as fast as they could, and after a couple of days finally offered an out-of-band update that covers both.

    • WD – to recap, a zero-day flaw affecting all WD MyBook external drives was reported in 2020 prior to Pwn2Own Tokyo, but WD replied that the bug had been resolved in their new OS5 software. The research team then posted a video of the proof of concept. Go figure, tons of them in the wild were then (and probably still are) being wiped by malicious hackers. WD's initial response in March was to advise everyone with a MyBook on v3 to upgrade to a device that can run v5 (basically a new one), and that they would not update the old versions with security patches. Facing a backlash of angry customers, Western Digital also pledged to provide data recovery services to affected customers starting this month. “MyBook Live customers will also be eligible for a trade-in program so they can upgrade to MyCloud devices,” Goodin wrote. “A spokeswoman said the data recovery service will be free of charge.”

    Next Week's Teaser:
    What the heck is an AUP…and why do you want it?

    Call to Action: We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

    www.mastercomputing.com/discovery

    32 mins
  • 28. Keep Your Mobile Phone Safe
    Jul 6 2021

    UPDATE to last week's Headlines:
    Microsoft officially announces Windows 11 and releases a preview. Expected to arrive Oct 20.

    This Week's Security Tip:
    10 easy tips for mobile phone security:

    1. Lock your device with a PIN or password, and never leave it unattended in public
    2. Uninstall apps you don’t use
    3. ONLY download apps from trusted sources
    4. Keep your phone’s operating system updated
    5. Install antivirus software
    6. Use your phone’s “find me” feature to prevent loss or theft
    7. Cover the camera with a camera sticker when not in use
    8. Back up your data
    9. Encrypt the data if you have sensitive info stored on it
    10. Don’t click on links or attachments from unsolicited e-mails or texts

    Today's Headlines:

    • Western Digital MyBook users urged to unplug devices from the network - malicious hackers are remotely wiping the drives using a critical flaw that can be triggered by anyone who knows the Internet address of an affected device.
    • QuickBooks Online opts users in to sharing the payroll info of 1.4 million small businesses with Equifax, which has been hacked before and will be hacked again. (To disable: sign in to QBO, go to Payroll settings, and uncheck "Shared Data.")
    • Eight unsecured databases were found leaking approximately 60 million records of LinkedIn user information. While most of the information is publicly available, the databases contain the email addresses of the LinkedIn users.
    • HSE, the socialized public healthcare system of Ireland, was breached in May, with 700GB of patient and employee data taken; HSE orders VirusTotal to reveal
    • Briefly mention PrintNightmare, a security vulnerability that affects every version of Windows. Much more in depth next week.

    • Kaseya ransom: $70,000,000 for a universal decryptor ($5mill per individual compromise)
      • fewer than 40 customers worldwide, though all MSPs with over 1000 clients
      • Supply chain attack on on-prem servers – all from US-based hosting servers. CISA and Biden announce almost immediately that they are investigating and blame REvil/Russia. This all comes weeks after the FBI/DOJ seized REvil/DarkSide servers.
      • Was allegedly a known exploit that Kaseya was in the process of patching before the zero-day attack was carried out.

    Next Week's Teaser:
    What the heck is an AUP…and why do you want it?

    34 mins
  • 27. Lie, Lie, Lie!
    Jun 28 2021

    UPDATE to last week's Headlines:
    US DOJ said it recovered $2.3Mil of the Bitcoin sent to DarkSide for the Colonial Pipeline attack, saying they were able to track the bitcoin to a wallet for which the FBI has the "private key." (This appears to be the affiliate's take, with the remainder, 15%, going to the developers.)

    DarkSide sends a message that they are now closed, after their servers were seized and the money transferred.

    This Week's Security Tip:
    Social engineering is big business. What is it? Figuring out who you are and then using that information to make money off of it.

    People post their password-challenge and identity-verification answers publicly on their Instagram, Twitter and Facebook pages and feeds without giving it a second thought. Maiden name? Check. Favorite pet? Check. High school? Check. Town they grew up in? Check. Favorite or first car? Check. Throwback Thursday is a social engineer’s dream! They love this stuff.

    Combat this by A) not posting that information online anywhere or B) always giving false password and identity challenge and verification information to the sites and services that require it. Keep the answer file offline. Remember, if it’s a handwritten list, you can still take a photo of it.

    Today's Headlines:
    JBS & Pilgrim's meat processing hacked – ransomware that the FBI attributes to REvil and Sodinokibi

    "The company's swift response, robust IT systems and encrypted backup servers allowed for a rapid recovery," JBS USA said in a press release on 6/3. Later, on June 10th, JBS confirmed they paid $11mill of the demanded $22.5mill to prevent stolen data from being leaked.

    Amazon sidewalk goes live – Amazon Sidewalk creates a low-bandwidth network with the help of Sidewalk Bridge devices including select Echo and Ring devices. These Bridge devices share a small portion of your internet bandwidth which is pooled together to provide these services to you and your neighbors.

    Mass media plays this up as terrible, specifically because Amazon has set this feature to "enabled" by default. Reality is, Amazon actually did their homework. A roaming wireless device that reaches out and connects to Sidewalk has ZERO access to the hosting network it's connecting through, just as the hosting network has ZERO access to the roaming device's data; the data is fully encrypted, and not even Amazon has access to it.

    6 years ago, Microsoft promised Windows 10 would be the last OS, being "refreshed" twice a year forever. A couple of days ago, Windows 11 was leaked. Some features: the taskbar is centered, similar to Mac, vs. the current left-side layout; no more tiles in the start menu; instead, windows will be rounded, like macOS. Overall, a very macOS vibe.


    Next Week's Teaser:
    These easy tips will keep your phone safe

    28 mins
  • 26. Are You Sure It's Handled?
    Jun 21 2021

    UPDATE to last week's Headlines:
    Darkside Ransomware breach on Colonial Pipeline – discuss what happened and the repercussions after our tech tip

    This Week's Security Tip:
    While most businesses understand the importance of backing up their server and files, many forget to back up their website!

    Most sites are hosted on a third-party platform like HostGator or WordPress. However, these hosts have limits on what they back up, and the Terms and Conditions you agreed to most likely waive their responsibility to preserve and back up your files and data.

    Therefore, if you’re posting a lot of new content, you should be backing up your site weekly if not daily. Hackers can (and do!) corrupt websites all the time. If you don’t want to have the cost of a down website and the cost of rebuilding it, back up your website!

    Today's Headlines:
    Darkside Ransomware breach on Colonial Pipeline


    The first DarkSide ransomware attacks were all owner-operated, but after a few successful months, the owners began to expand their operations. On November 10, DarkSide operators announced on the Russian-language forums XSS and Exploit the formation of their new DarkSide affiliate program, providing partners with a modified form of their DarkSide ransomware to use in their own operations.

    It’s worth noting that DarkSide actors have pledged in the past to not attack organizations in the medical, education, nonprofit, or government sectors. At one point, they also advertised that they donate a portion of their profit to charities. However, neither claim has been verified and should be met with a heightened degree of scrutiny; these DarkSide operators would be far from the first cybercriminals to make such claims and not follow through.

    DarkSide Operators Likely Former “REvil” Affiliates

    Flashpoint assesses with moderate confidence that the threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the “REvil” RaaS group. Several facts support this attribution:

    • Spelling mistakes in the ransom note and grammatical constructs of the sentences suggest that the writers are not native English speakers.
    • The malware checks the default language of the system to avoid infecting systems based in the countries of the former Soviet Union.
    • The design of the ransom note, wallpaper, file encryption extension and details, and inner workings bear similarities to “REvil” ransomware, which is of Russian origin and has an extensive affiliate program. This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families.
    • The affiliate program is offered on Russian-language forums XSS and Exploit.

    Timeline:

    37 mins
  • 25. Strong Passwords Can Work Against You
    Jun 14 2021

    UPDATE to last week's Headlines:
    US Gov formally accuses Russia of the SolarWinds/Orion attack. Biden declares a state of emergency, giving him the power to issue an executive order: emphasizing exploitation of US and Russian elections, kicking Russian diplomats out of DC, prohibiting US financial entities from trading in rubles, and issuing sanctions against Russian networking infrastructure.

    This Week's Security Tip:
    There are two mistakes we see with usernames and passwords, even if they are GOOD strong ones. The first is using the SAME password across multiple sites. The second is using the same e-mail usernames and prefixes across multiple free e-mail services. For example:
    jimmy67chevy@aol.com
    jimmy67chevy@gmail.com
    jimmy67chevy@yahoo.com
    jimmy67chevy@icloud.com

    When you use the same password and the same username across multiple sites, you make it easy for a cybercriminal to compromise multiple accounts of yours. With the first part easy to figure out, they can get access to other online services and data or even spoof your e-mail addresses to others. Variety is the spice of life, so make sure you’re using UNIQUE, strong passwords along with unique usernames on free e-mail accounts.

    Today's Headlines:

    • 2 Google Chrome zero-day exploits dropped on Twitter last week, both remote code execution, affecting Chrome, Edge, and other Chromium-based browsers
    • Google announced plans to roll out a new privacy-focused feature called Federated Learning of Cohorts (FLoC); Vivaldi, Brave, DuckDuckGo, and now WordPress reject it.
      • Thousands of browsers with identical browsing history (belonging to the same "cohort"), stored locally, will be assigned a shared "cohort" identifier, which will be shared with a site when requested.
      • "At Vivaldi, we stand up for the privacy rights of our users. We do not approve tracking and profiling, in any disguise. We certainly would not allow our products to build up local tracking profiles," says Jon von Tetzchner, Vivaldi CEO and co-founder.
    • Signal CEO and founder Moxie Marlinspike slams Cellebrite (a company that police and governments use to unlock Android and iOS phones) after they say they can now access Signal data.

    Next Week's Teaser:
    Here is what you should do with your data on your laptop…

    31 mins