Outsourced IT for Businesses | Managed Services | Cloud Computing for Voice and Data Infradapt provides comprehensive private cloud solutions, advanced hosted pbx communications, disaster recovery and business continuity as well as premised-based solutions, consulting and managed services. www.infradapt.com
The Hidden Costs of DIY IT: Why ‘Good Enough’ Isn’t Enough Anymore
The Illusion of Cost Savings: What DIY IT Really Costs SMBs
In today’s increasingly digital business environment, small and midsize businesses (SMBs) face a critical decision: how to manage their IT infrastructure effectively while balancing costs, security, and scalability. For many, the temptation to adopt a “do-it-yourself” (DIY) IT approach remains strong—often fueled by budget constraints, legacy mindsets, or the belief that internal teams can simply “figure it out.”
At first glance, DIY IT may seem sufficient. After all, what’s wrong with an in-house employee doubling as the go-to tech support person, or using a patchwork of free or inexpensive tools to keep systems running? However, this “good enough” mentality harbors a host of hidden costs, risks, and missed opportunities that can quietly erode profitability, productivity, and competitiveness.
In this article, we’ll go beyond the usual “outsourcing saves money” narrative and explore the deeper, often-overlooked consequences of DIY IT—helping business leaders and IT decision-makers make more informed, strategic choices.
Direct vs. Indirect Costs
On the surface, DIY IT appears budget-friendly—especially when compared to the perceived expense of managed IT services or professional support. But what’s often overlooked are the indirect costs and hidden risks that chip away at those supposed savings:
Opportunity Costs: When business owners, office managers, or employees moonlight as the IT department, they divert time and focus away from their core roles. This slows business growth, dilutes productivity, and can even harm customer experience.
Downtime Losses: DIY IT setups frequently lack the proactive monitoring, redundancy, and contingency planning necessary to prevent or mitigate downtime. Even brief outages can result in lost sales, reputational damage, and frustrated clients.
Reactive Spending: Without a strategic IT roadmap, SMBs are forced into reactive purchases—overpaying for hardware, software, or emergency fixes during crises.
Real-World Example: The $10,000 “Free Fix”
Consider an SMB that relies on an employee with basic tech skills to manage its email and file servers. When a ransomware attack strikes, the company has no off-site backups, no disaster recovery plan, and no cyber insurance. The cost? Weeks of downtime, thousands in lost revenue, and expensive remediation services. That “free” internal support suddenly looks a lot less affordable.
Productivity Drain: How DIY IT Sabotages Efficiency
The IT Bottleneck Effect
In a DIY IT environment, technical issues become roadblocks that bog down the entire organization. Employees spend valuable hours troubleshooting printers, rebooting servers, or wrestling with outdated systems. This creates an IT bottleneck that stifles daily operations and frustrates staff.
The “Shadow IT” Problem
Employees often resort to using unsanctioned tools and cloud services to bypass slow or inadequate IT support—introducing shadow IT risks, compliance vulnerabilities, and data governance nightmares.
Compounding Inefficiencies Over Time
Without strategic oversight, systems and tools become increasingly fragmented, inefficient, and difficult to scale. Processes that should be automated remain manual, leading to error-prone workflows and staff burnout.
Outdated Systems = Easy Targets
DIY IT environments are notorious for relying on legacy systems, unpatched software, and outdated security practices. Cybercriminals know this—and target SMBs accordingly. According to a recent study, 43% of cyberattacks target small businesses, many of which lack the defenses to withstand even basic phishing campaigns or malware attacks.
Regulatory Compliance Gaps
In industries subject to regulations like HIPAA, PCI-DSS, or GDPR, DIY IT can inadvertently expose businesses to fines, lawsuits, or lost contracts due to inadequate data protection practices or audit trails.
No Incident Response Plan
Most DIY IT setups lack a formal incident response plan. When a breach or outage occurs, the company scrambles to respond—often making mistakes that escalate costs and consequences.
The Business Case for Moving Beyond DIY IT
From Firefighting to Strategy
Outsourcing IT to a trusted Managed Services Provider (MSP), such as Infradapt, shifts the model from reactive support to proactive strategy—ensuring systems are always optimized, secure, and aligned with business goals.
Predictable Costs, Reduced Surprises
MSPs like Infradapt offer predictable, budget-friendly pricing models, helping businesses avoid costly surprises and enabling smarter financial planning.
Enterprise-Grade Security and Compliance
Partnering with an MSP provides access to enterprise-grade tools, threat intelligence, and compliance expertise that would be cost-prohibitive to maintain in-house.
Future-Proofing the Business
MSPs help SMBs plan for the future—designing IT roadmaps, guiding cloud migrations, and ensuring systems can scale with business growth.
Conclusion: ‘Good Enough’ Is the New Risk You Can’t Afford
In a world where technology underpins every aspect of business, relying on DIY IT is no longer a viable or responsible strategy. The hidden costs—lost productivity, security risks, compliance failures, and stunted growth—far outweigh any perceived savings.
SMBs that shift from DIY to professional, managed IT services position themselves to thrive in a digital-first economy. They gain not just cost efficiency, but also resilience, agility, and competitive advantage.
Next Steps: Let’s Talk About Eliminating Your Hidden IT Costs
At Infradapt, we specialize in helping SMBs uncover the true costs of their current IT approach and build a smarter, scalable technology strategy. Let’s explore how our Managed IT Services, cybersecurity solutions, and cloud infrastructure support can eliminate your hidden risks—and fuel your business growth.
Schedule a free IT risk assessment today and discover what ‘good enough’ might be costing you.
https://www.infradapt.com/news/the-hidden-costs-of-diy-it-why-good-enough-isnt-enough-anymore/
Understanding HDMI 2.1
The latest version of HDMI brings significant changes to the venerable format. Here’s what you need to know.
Even though the cable looks the same, modern HDMI connections are vastly more capable than when they first arrived over 20 years ago. The latest version, called 2.1b, is only a small update, but 2.1 in general is a big deal with lots of performance improvements and new features. The standard is found in the best new TVs, including recent models from LG, Samsung, Sony, TCL, Vizio and more. HDMI 2.1 is also on both of the next-generation game consoles, the PlayStation 5 and Xbox Series X. In fact, to get the most out of those consoles you’ll want a TV that supports at least some HDMI 2.1 features.
That doesn’t mean you need HDMI 2.1, however. For most people the extra features are not a good enough reason to buy a higher-end TV. If you’re on a budget, those new consoles will play perfectly well (and still look spectacular) on a TV that lacks HDMI 2.1. Many midrange and higher-end sets support the new connectivity standard, though, so it’s worthwhile to understand what it means if you are looking to purchase soon.
The short version is HDMI 2.1 allows for higher resolutions, higher frame rates and a lot more bandwidth. The connector itself isn’t changing, however, so new HDMI 2.1 gear will be backward-compatible with your current cables and equipment. But if you want to take advantage of everything 2.1 has to offer, you’ll need some select upgrades and potentially new cables, too. Here’s what you need to know.
The really short version
Don’t like reading (much)? Here are the highlights:
The physical connectors and cables look the same as today’s HDMI.
Improved bandwidth from 18 gigabits per second (HDMI 2.0) to 48Gbps (HDMI 2.1).
Can carry resolutions up to 10K, frame rates up to 120 frames per second.
New cables are required for higher resolutions and/or frame rates.
Many new TVs have at least one HDMI 2.1 input.
The main sources that can take advantage of 2.1 right now are the PlayStation 5 and Xbox Series X, as well as high-end graphics cards.
The increased resolution and frame rate possibilities are a futurist’s dream:
4K50/60
4K100/120
5K50/60
5K100/120
8K50/60
8K100/120
10K50/60
10K100/120
You should be able to get 4K/60, and a basic 8K/30, with current cables, but the rest will need an Ultra High Speed HDMI cable. More on these new cables below.
On the color front, 2.1 supports BT.2020 and 16 bits per color. This is the same as HDMI 2.0a/b, and is what makes wide color gamut possible.
https://www.infradapt.com/news/understanding-hdmi-2-1/
Ensuring Mobile Safety: Avoid These 5 Warning Signs When Downloading Apps
The Importance of Vigilance in App Downloading Practices
In the modern era, mobile applications have become an integral part of our lives, providing us with a multitude of conveniences ranging from email checking, music and movie streaming, to secure work access. However, as the number of apps we download and install increases, so does the risk associated with them. A study by York University in Toronto and the University of Connecticut revealed that many users unknowingly consented to give their future firstborn children to a fictitious company named NameDrop, highlighting the lack of due diligence when it comes to reading terms of service (ToS) and privacy policies, or verifying the permissions required by an app.
Despite the efforts of companies like Apple and Google to prevent app tracking across iOS and Android, it remains crucial to remain vigilant during app installation. This article outlines several warning signs to look out for when downloading apps.
The Risk of Third-Party App Stores and Sideloaded Apps
One of the simplest ways to ensure safety when downloading mobile apps is to use official app stores such as Google Play for Android and Apple’s App Store. These platforms meticulously scrutinize apps before listing them. Although occasionally, harmful or unsafe applications may slip through, they are quickly removed by Apple and Google. These first-party app stores also employ additional safety measures. For instance, Google Play Protect scans devices and apps for harmful activity, and the Google Play Store conceals apps that haven’t been updated for years and may have security vulnerabilities.
We recommend downloading apps directly from official Apple and Google Play app stores rather than alternative sources like APKPure or Aptoide. If you must use third-party app marketplaces, stick to reputable sites like the Amazon App Store or Samsung Galaxy Store. In rare cases where sideloading is the only option, ensure that you download apps directly from the official software website.
The Complexity of App Privacy Policies and Terms of Service
If you aren’t meticulously reading each app’s ToS agreement or privacy policy before accepting, you’re in the majority. However, a warning sign to be aware of is when an app’s ToS or privacy policy is so complex that it’s incomprehensible. While intricate language could be harmless, such as poor writing, apps with ToS or privacy policies that obscure what you’re agreeing to are deceptive and should be avoided. A good rule of thumb is not to agree to anything you don’t fully understand. Be sure to look for information on what data is being collected and how it’s used.
Privacy policies that require implicit consent should also be a cause for concern. Nader Henein, a senior research director and fellow of information privacy at Gartner, cautions against privacy policies with implicit agreements. Instead of opting in, a ToS agreement might state something like “by using this app, you agree to A, B, and C.” With implicit agreements, you’re not giving your consent, but a general disclaimer opts you in. Privacy policies and ToS should provide explicit consent, where you have to accept before using an app. But remember, it’s crucial to read the agreements thoroughly.
Simplifying Terms of Service and Privacy Policies with TOSDR
If you’re short on time, consider using the Terms of Service; Didn’t Read (TOSDR) browser add-on. TOSDR is a collaborative project where anyone can review the terms and policies of any website. It simplifies these documents into a quick and readable format. TOSDR categorizes privacy policies and website terms into different classes, with Class A being the best and Class E being the worst.
Evaluating App Classifications and User Ratings
In addition to a general class score, users can provide their evaluations for different sections of the terms, categorizing them as Good, Bad, Blocker, or Neutral. A critical aspect to consider is whether the app is generating revenue by gathering and selling user data. It is not uncommon for apps to be monetized using advertisements. A majority of ad-supported apps are either free or available at a minimal cost, which helps generate income to support ongoing development, such as releasing new features or addressing security flaws. However, the presence of in-app advertisements often implies that the app is profiting from your data.
While it is acceptable for apps to collect certain essential information, such as tracking app crashes to rectify bugs or observing incorrect clicks to enhance a poorly designed user interface, the collection of extensive data that is either sold to third-party advertisers or at risk of being compromised in a data breach should be a cause for concern. It is recommended to review the policy agreement’s details about data collection before proceeding with the download. Furthermore, consider the app’s revenue model, especially if it is available for free. If there’s no evident monetization strategy, your data might be at risk of being sold.
The Importance of App Reviews and Download Counts
Before deciding to download an app, it’s essential to scrutinize the reviews. If an app consistently receives low ratings, it might be indicative of technical issues or a questionable reputation. In any case, poor user ratings should serve as a red flag, making you reconsider before installing the software. Similarly, if a widely popular app like Spotify, Netflix, or Instagram has only been downloaded a limited number of times, it’s worth verifying the listing’s authenticity.
Understanding App Permission Requests
The permissions an app requests can also be revealing. For example, a calculator app has no legitimate need to access your microphone or location data. In contrast, it’s logical for social media apps like Instagram or TikTok to request access to your camera and microphone, given that these features are integral to the app’s functionality. Likewise, a dating app requiring your location data makes sense for facilitating geographical matches. However, if an app requests unnecessary permissions and doesn’t provide an option to opt-out, it could be a sign of malicious activity. This could include accessing sensitive data such as call logs or your Wi-Fi connections. It’s important to note that most apps allow you to continue using the app even after denying permissions, and you have the option to temporarily enable these permissions when necessary.
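The article's rule of thumb (a calculator has no business asking for the microphone or location) can be applied before installing, by reading the permissions an app declares. The following is an added example, not code from the original article: it parses the uses-permission entries of an AndroidManifest.xml and reports sensitive permissions that the app's category cannot justify. The category baselines and the two sample manifests are constructed for illustration.

```python
"""Pre-install permission review, following the article's rule of thumb:
a calculator has no business asking for the microphone or location.
Added example (not code from the original article): it parses the
<uses-permission> entries of an AndroidManifest.xml and reports sensitive
permissions the app's category cannot justify.  The category baselines and
the sample manifests are constructed for illustration."""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose sensitive data or device capabilities; ordinary
# ones such as INTERNET are not reported.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_WIFI_STATE",
}

# Sensitive permissions each app category can legitimately justify
# (constructed baseline, mirroring the article's own examples).
CATEGORY_BASELINE: dict[str, set[str]] = {
    "calculator": set(),
    "social": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "dating": {"android.permission.ACCESS_FINE_LOCATION",
               "android.permission.ACCESS_COARSE_LOCATION"},
}

# Constructed manifest of a calculator that asks for far more than it needs.
CALCULATOR_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="Calculator" />
</manifest>
"""

# Constructed manifest of a social app: camera and microphone are expected,
# the call log is not.
SOCIAL_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.social">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.READ_CALL_LOG" />
    <application android:label="Social" />
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every permission declared by a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    perms: set[str] = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    return perms


def unexpected_permissions(manifest_xml: str, category: str) -> set[str]:
    """Sensitive permissions requested beyond what the category justifies.

    An unknown category gets an empty baseline, so every sensitive
    permission is reported and the reviewer decides case by case.
    """
    baseline = CATEGORY_BASELINE.get(category, set())
    return (requested_permissions(manifest_xml) & SENSITIVE) - baseline


def report(manifest_xml: str, category: str) -> str:
    """Human-readable verdict for one manifest."""
    extra = unexpected_permissions(manifest_xml, category)
    if not extra:
        return f"{category}: no unexpected sensitive permissions"
    return f"{category}: review before installing -> " + ", ".join(sorted(extra))


if __name__ == "__main__":
    print(report(CALCULATOR_MANIFEST, "calculator"))
    print(report(SOCIAL_MANIFEST, "social"))
```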
Identifying Other Potential Warning Signs
While thoroughly reading a policy agreement is crucial, there are other potential red flags to be aware of. If you notice your device behaving unusually after installing an app, such as rapid battery drainage, frequent freezing, crashing, or overheating, it’s possible that the app has infected your device with malware. While it’s more likely that poor performance following an app installation or update is due to benign issues, such as unoptimized software or a resource-demanding app running in the background, there’s a possibility that a malfunctioning phone could be the result of spyware included with a malicious app. Therefore, it’s essential to keep your device safeguarded with top-tier antivirus software.
https://www.infradapt.com/news/ensuring-mobile-safety-avoid-these-5-warning-signs-when-downloading-apps/
Deepfake Technology Powers Advanced Malware Attacks on Mobile Banking
Identification of Cyber Threat Actor GoldFactory and its Advanced Banking Trojans
GoldFactory, a cybercrime group that communicates in Chinese, has been identified as the creators of advanced banking trojans. This includes a previously unknown iOS malware named GoldPickaxe, which is designed to collect identity documents, facial recognition data, and intercept SMS messages. According to a detailed report by Group-IB, a Singapore-based cybersecurity firm, the GoldPickaxe family of malware is operational on both iOS and Android platforms. It is believed that GoldFactory maintains strong ties with Gigabud, another cybercrime organization.
Since its inception in mid-2023, GoldFactory has been linked to the creation of other Android-based banking malware. These include GoldDigger and its advanced version GoldDiggerPlus, which incorporates an embedded trojan known as GoldKefu.
Targeted Social Engineering Campaigns in Asia-Pacific
The malware created by GoldFactory has been distributed through social engineering campaigns, primarily aimed at the Asia-Pacific region. Thailand and Vietnam have been specifically targeted, with the malware disguising itself as local banks and government organizations. In these campaigns, potential victims receive phishing and smishing messages that direct them to switch to instant messaging applications like LINE. They are then sent fraudulent URLs that install GoldPickaxe on their devices.
Some of the malicious Android applications are hosted on fake websites designed to mimic the Google Play Store or corporate websites, thus facilitating the installation process.
iOS Distribution Scheme and Sophisticated Evasion Techniques
The iOS version of GoldPickaxe utilizes a different distribution method. It employs successive versions that take advantage of Apple’s TestFlight platform and malicious URLs. These URLs prompt users to download a Mobile Device Management (MDM) profile, which provides complete control over the iOS device and enables the installation of the rogue app.
The Thailand Banking Sector CERT (TB-CERT) and the Cyber Crime Investigation Bureau (CCIB) uncovered these propagation techniques in November 2023.
GoldPickaxe also showcases its sophistication by circumventing security measures implemented by Thailand. These measures necessitate users to verify large transactions using facial recognition to deter fraudulent activities.
Deepfake Videos and Unauthorized Fund Transfers
Security researchers Andrey Polovinkin and Sharmine Low explain that GoldPickaxe tricks victims into recording a video as a confirmation method in the fake application. This recorded video is then utilized as a source for creating deepfake videos using face-swapping artificial intelligence services.
Both the Android and iOS versions of the malware are capable of collecting victims’ ID documents and photos, intercepting incoming SMS messages, and routing traffic through the compromised device. It is believed that GoldFactory actors use their own devices to log into the banking application and execute unauthorized fund transfers.
Comparing the Functionality of iOS and Android Variants
The iOS variant of GoldPickaxe has fewer functionalities compared to its Android counterpart. This is largely due to the closed nature of the iOS operating system and its relatively stricter permissions.
The Android version, considered an evolved version of GoldDiggerPlus, disguises itself as over 20 different applications from Thailand’s government, financial sector, and utility companies. Its main aim is to steal login credentials from these services. However, the exact use of this stolen information by the threat actors remains unclear.
Abuse of Android’s Accessibility Services and Code-Level Similarities
A noteworthy feature of the malware is its exploitation of Android’s accessibility services to log keystrokes and extract content displayed on the screen.
GoldDigger shares code-level similarities with GoldPickaxe, although it is primarily designed to steal banking credentials, while GoldPickaxe is more focused on collecting personal information from victims. To date, no GoldDigger artifacts aimed at iOS devices have been discovered.
Targeting Vietnamese Financial Companies
“The primary feature of GoldDigger is that it targets over 50 applications from Vietnamese financial companies, including their packages’ names in the trojan,” the researchers said. “Whenever the targeted applications open, it will…
Unveiling the GoldDigger Malware and its Evolution
GoldDigger, a base version of a malicious software, was first identified in June 2023. Even though it continues to circulate in the digital space, it has given rise to more advanced versions, including GoldDiggerPlus. This upgraded variant is embedded with an additional Trojan APK component known as GoldKefu, which triggers the malicious activities.
Introduction to GoldDiggerPlus and GoldKefu
GoldDiggerPlus made its first appearance in September 2023. GoldKefu, on the other hand, masquerades as a widely used Vietnamese messaging application to extract banking information from ten different financial institutions. Unlike GoldDigger, which primarily relies on Android’s accessibility services, the Android Trojan, used in combination with GoldKefu, leverages fake overlays to gather login details if the most recently opened application is on the target list.
GoldKefu’s Integration with Agora SDK
GoldKefu also collaborates with the Agora Software Development Kit (SDK) to enable interactive voice and video calls. It deceives victims into reaching out to a fake bank customer service by sending counterfeit alerts. These alerts create an artificial urgency by falsely claiming that a fund transfer of 3 million Thai Baht has occurred in their accounts.
The Lucrative Mobile Malware Landscape
This development is indicative of the mobile malware landscape’s lucrative nature for cybercriminals seeking quick financial gain. These criminals continuously devise methods to bypass the defensive strategies implemented by banks to combat such threats. It also highlights the continuously evolving and dynamic nature of social engineering schemes designed to deliver malware to victims’ devices.
Mitigating Risks Posed
To reduce the risks posed by GoldFactory and its mobile banking malware suite, it is strongly recommended to avoid clicking on suspicious links and installing apps from untrusted sites. These sites are a common source of malware. Regularly reviewing the permissions granted to apps, especially those that request Android’s accessibility services, is also advised.
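The permission review recommended above can be scripted for a device you administer. The following is an added example, not code from Group-IB or the original article: it takes the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <package>`, flags accessibility services that are not on the reviewer's own allowlist, and lists which of the capabilities the article attributes to these trojans (SMS interception, overlay screens, camera access) the same package also requests. Both sample outputs and the allowlist are constructed.

```python
"""On-device review of enabled accessibility services, the Android feature
the article says GoldDigger/GoldPickaxe abuse to log keystrokes and scrape
the screen.  Added example, not code from Group-IB or the original article.
It assumes two outputs pasted in from a USB-debugging session:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package <package>
Both samples below are constructed; the allowlist is the reviewer's own."""
from __future__ import annotations

# Accessibility services the device owner knowingly enabled (constructed).
KNOWN_GOOD_SERVICES = {"com.example.screenreader/.ReaderService"}

# Permissions that, alongside an accessibility service, match the capability
# profile the article attributes to the GoldFactory trojans.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "fake overlay login screens",
    "android.permission.CAMERA": "facial/ID document capture",
}

# Constructed value of the enabled_accessibility_services setting.
ENABLED_SERVICES_SAMPLE = (
    "com.example.screenreader/.ReaderService:"
    "com.example.bankupdate/.AccessibilityHelper"
)

# Constructed excerpt of `dumpsys package com.example.bankupdate`.
DUMPSYS_SAMPLE = """\
Packages:
  Package [com.example.bankupdate] (1a2b3c4):
    userId=10217
    versionName=2.1.3
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
"""


def enabled_services(setting_value: str) -> list[str]:
    """Split the colon-separated setting into 'package/service' entries."""
    return [s for s in setting_value.strip().split(":") if s]


def unknown_services(setting_value: str) -> list[str]:
    """Enabled services that are not on the reviewer's allowlist."""
    return [s for s in enabled_services(setting_value)
            if s not in KNOWN_GOOD_SERVICES]


def requested_permissions(dumpsys_text: str) -> set[str]:
    """Collect the names listed under 'requested permissions:'.

    The block ends at the next section header (a line ending in ':').
    """
    perms: set[str] = set()
    in_block = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
        elif in_block and stripped.endswith(":"):
            in_block = False
        elif in_block and stripped:
            perms.add(stripped)
    return perms


def risk_indicators(dumpsys_text: str) -> dict[str, str]:
    """Risky permissions the package requests, with the reason each matters."""
    perms = requested_permissions(dumpsys_text)
    return {p: why for p, why in RISKY_PERMISSIONS.items() if p in perms}


def review(setting_value: str, dumpsys_by_package: dict[str, str]) -> list[str]:
    """One finding per unrecognised accessibility service."""
    findings = []
    for svc in unknown_services(setting_value):
        pkg = svc.split("/", 1)[0]
        indicators = risk_indicators(dumpsys_by_package.get(pkg, ""))
        if indicators:
            detail = "also requests " + ", ".join(
                f"{p} ({why})" for p, why in sorted(indicators.items()))
        else:
            detail = "no other risky permissions seen"
        findings.append(f"{svc}: unrecognised accessibility service; {detail}")
    return findings


if __name__ == "__main__":
    for finding in review(ENABLED_SERVICES_SAMPLE,
                          {"com.example.bankupdate": DUMPSYS_SAMPLE}):
        print(finding)
```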
The Resourcefulness of the GoldFactory Team
The GoldFactory team is skilled in various tactics, including impersonation, accessibility keylogging, creating fake banking websites, sending fake bank alerts, creating fake call screens, and collecting identity and facial recognition data. The team is divided into separate development and operator groups, each dedicated to specific regions.
The Operational Maturity of the Gang
The gang has well-established processes and operational maturity. They continuously enhance their toolkit to match the targeted environment, demonstrating a high level of expertise in malware development.
https://www.infradapt.com/news/deepfake-technology-powers-advanced-malware-attacks-on-mobile-banking/
Ransomware Victims Pay Out a Record-Breaking $1.1 Billion in 2023
The Escalation of Ransomware Attacks in 2023
Throughout 2023, malicious actors specializing in ransomware significantly amplified their assault on prominent entities and essential infrastructure. These included healthcare facilities, educational institutions, and government bodies. Noteworthy supply chain attacks, exploiting widely used file transfer software such as MOVEit, affected a broad spectrum of organizations – from broadcasting giant BBC to the renowned British Airways. The culminating effect of these and other similar intrusions led ransomware syndicates to an unprecedented feat – amassing over $1 billion in extorted digital currency payments from their victims. The developments of the past year underscore the progressive nature of this cyber menace and its mounting impact on international institutions and overall security.
A Turning Point for Ransomware
The year 2023 marked a significant resurgence for ransomware, characterized by a record-breaking surge in payments and a substantial escalation in the scale and sophistication of attacks. This was a marked contrast to the downturn observed in 2022, a trend we had cautioned about in our Mid-Year Crime Update. Ransomware payments in 2023 exceeded the $1 billion threshold, the highest figure ever recorded. Despite a reduction in the volume of ransomware payments in 2022, the overall trajectory from 2019 to 2023 suggests an escalating issue with ransomware. It’s important to remember that this figure doesn’t account for the economic repercussions of lost productivity and recovery expenses linked to these attacks. Cases like the audacious targeting of MGM resorts by ALPHV-BlackCat and Scattered Spider exemplify this, with MGM estimating damages costing the company upwards of $100 million, despite not paying the demanded ransom.
The Continually Expanding Ransomware Landscape
The ransomware landscape is not just prolific but continuously expanding, posing a challenge to keep track of every incident or trace all ransom payments made in digital currencies. Our figures represent conservative estimates, with the potential to rise as new ransomware addresses are uncovered over time. For example, our initial reporting for 2022 in last year’s crime report indicated $457 million in ransoms, a figure that has since been adjusted upward by 24.1%.
2022 – A Deviation, Not a Pattern
A combination of factors likely led to the reduction in ransomware activities in 2022, including geopolitical events such as the Russian-Ukrainian conflict. This conflict not only disrupted the operations of some cyber actors but also shifted their focus from financial gain to politically motivated cyberattacks intended for espionage and destruction. As we highlighted in our 2023 Crypto Crime Report, other contributing factors to this downturn included hesitance among some Western entities to pay ransoms to specific strains due to potential sanctions risks. The ransomware strain Conti, in particular, faced complications due to its reported ties to sanctioned Russian intelligence agencies, the exposure of the organization’s internal communications, and overall internal turmoil. This led to a decrease in their activities and contributed to the overall reduction in ransomware incidents in 2022. However, researchers have observed that many ransomware actors associated with Conti have continued to migrate or launch new strains, making victims more inclined to pay.
Law Enforcement’s Response to Ransomware: The Hive Intervention
A significant factor in the reduction of ransomware in 2022 was the successful penetration of the Hive ransomware strain by the Federal Bureau of Investigation (FBI), as announced by the Department of Justice early in 2023. Our analysis emphasizes the considerable impact of this single enforcement action. During the Hive infiltration, the FBI managed to supply decryption keys to over 1,300 victims, effectively eliminating the need for ransom payments. The FBI estimates that this intervention prevented approximately $130 million in ransom payments to Hive. But the influence of this intervention extends beyond that. The total tracked ransomware payments for 2022 currently stand at just $567 million, indicating that the ransom payments averted by the Hive infiltration significantly reshaped the ransomware landscape last year.
The Full Impact of the FBI’s Hive Operation: A Comprehensive Analysis
The $130 million that the FBI saved by infiltrating Hive doesn’t provide a complete picture of the operation’s success. This figure only considers the ransoms that were avoided by supplying the decryptor keys and doesn’t take into account the ripple effects. The Hive operation likely had a wider impact on Hive affiliates’ operations, potentially reducing the number of additional attacks they could launch.
During the six months the FBI was within Hive, the total ransomware payments across all strains amounted to $290.35 million. However, our statistical models predict a total of $500.7 million for that period, based on the behavior of attackers in the months before and after the operation. This is a cautious estimate. Given this figure, we estimate that the Hive operation may have prevented at least $210.4 million in ransomware payments.
David Walker, the Special Agent in Charge of the FBI’s Tampa Division, provided further insights into the significance of the operation. He stated, “The Hive investigation exemplifies the gold standard for implementing the key services model. The FBI continues to witness the significant positive impact of actions like the Hive takedown on cyber threat actors through its investigations and victim engagements. We will persist in implementing proactive disruptive measures against adversaries.”
The Resurgence of Ransomware: A Look at the 2023 Threat Landscape
In 2023, there was a significant increase in the frequency, scale, and volume of ransomware attacks. These attacks were conducted by a diverse range of actors, from large syndicates to smaller groups and individuals, and their numbers are on the rise, according to experts. Allan Liska, a Threat Intelligence Analyst at cybersecurity firm Recorded Future, stated, “We are witnessing a significant increase in the number of threat actors carrying out ransomware attacks.” In 2023, Recorded Future reported 538 new ransomware variants, indicating the emergence of new, independent groups.
The graph below shows the most active ransomware strains by quarter from the start of 2022 through 2023. There are also significant variations in the victimization strategies of the top ransomware strains, as shown in the chart below, which plots each strain’s median ransom size against its attack frequency. The chart also shows a number of new entrants and offshoots in 2023, who are known to reuse existing strains’ code. This suggests a rising number of new actors, drawn by the potential for high profits and lower entry barriers.
The Changing Tactics of Ransomware Strains
Some strains, such as Cl0p, embody the “big game hunting” strategy, conducting fewer attacks than many other strains, but collecting large payments with each attack. Cl0p exploited zero-day vulnerabilities that allowed it to extort many large, deep-pocketed victims simultaneously, prompting the strain’s operators to adopt a strategy of data exfiltration instead of encryption.
Over the past few years, big game hunting has emerged as the dominant strategy, with an increasing share of all ransomware payment volume consisting of payments of $1 million or more.
Other strains, like Phobos, have adopted the Ransomware as a Service (RaaS) model, where outsiders, known as affiliates, can access the malware to conduct attacks, and in return, pay the strain’s core operators a portion of the ransom proceeds. Phobos simplifies the process for less technically advanced hackers to launch ransomware attacks, using the typical encryption process that is the hallmark of ransomware. Despite targeting smaller entities and demanding lower ransoms, the RaaS model increases the strain’s capacity to conduct a large number of these smaller attacks.
ALPHV-BlackCat is another RaaS strain like Phobos, but it is more selective about the affiliates it allows to use its malware, actively seeking and interviewing potential candidates for their hacking abilities.
The Evolution of Ransomware Attacks: A Closer Look at the Tactics and Tools
The landscape of ransomware attacks is ever-evolving, with groups constantly adapting their strategies to target larger entities for more substantial ransoms. One common tactic is the rebranding of ransomware strains or the simultaneous use of several strains by affiliates. This strategy allows attackers to disassociate themselves from strains that have been publicly sanctioned or have attracted too much attention. Furthermore, it enables them to strike the same victims under different strain names, thus increasing their chances of success.
The Rise of Ransomware-as-a-Service (RaaS) and Initial Access Brokers (IABs)
The proliferation of Ransomware-as-a-Service (RaaS) and hacking tools has simplified the process of launching a successful ransomware attack. This development has been further facilitated by the emergence of Initial Access Brokers (IABs), who infiltrate potential victims’ networks and sell the access to ransomware attackers for a nominal fee.
Our research has identified a correlation between the flow of funds into IAB wallets and a surge in ransomware payments. This suggests that monitoring IAB activities could offer early warning signs and open up opportunities for intervention and mitigation of attacks. The combination of IABs and RaaS has significantly reduced the technical skills required to execute a successful ransomware attack. Andrew Davis, General Counsel at Kivu Consulting, a cybersecurity incident response firm, sheds more light on this phenomenon.
“The surge in attack volume can be attributed to the ease of access provided by the affiliate model and the adoption of ransomware-as-a-service, an alarmingly effective business model for cybercriminals,” Davis explains.
Tracking Ransomware Funds: The Journey and Destination
Understanding how ransomware funds move is crucial in identifying the methods and services used by threat actors. This knowledge enables law enforcement agencies to target and disrupt the financial networks and infrastructure of these actors.
It’s worth noting that threat actors may take a considerable amount of time to launder their ransomware proceeds. The laundering observed in 2023, for instance, includes proceeds from attacks that took place in the past.
Historically, centralized exchanges and mixers have been the go-to methods for laundering ransomware payments. However, 2023 witnessed the adoption of new laundering services such as bridges, instant exchangers, and gambling services. This shift is likely due to the disruption of preferred laundering methods, the implementation of stricter Anti-Money Laundering (AML) and Know Your Customer (KYC) policies by some services, and the unique laundering preferences of new ransomware actors.
Concentration of Laundering Services and Lessons from 2023
There is a significant concentration of specific services within each category that ransomware actors use for laundering. Exchanges exhibit the lowest level of concentration, while gambling services, cross-chain bridges, and sanctioned entities show the highest levels. Mixers, no-KYC exchanges, and underground exchanges fall in between, with about half of all funds from ransomware wallets going to one service.
The concentration of mixers may have increased due to the takedown of Chipmixer, a popular choice for ransomware attackers. This concentration might expose ransomware actors to bottlenecks, making them vulnerable as law enforcement could disrupt operations by targeting a relatively small number of services.
The ransomware landscape underwent significant changes in 2023, characterized by shifts in tactics and affiliations among threat actors, as well as the continued spread of RaaS strains.
Enhanced Speed and Efficacy in Cyber Attacks
The year 2023 witnessed a significant shift in the strategies employed by cybercriminals. The speed of attack execution was notably improved, indicating a more aggressive and efficient modus operandi. The constant shuffling of affiliates underlines the fluid dynamics of the ransomware underworld, as well as the relentless pursuit of more profitable extortion strategies.
Adapting to Changing Landscapes
Despite the ever-evolving tactics of threat actors, they consistently demonstrate their ability to adapt to changes in regulations and law enforcement actions. However, 2023 was not without its triumphs in the battle against ransomware. These victories were largely due to the collaborative efforts of international law enforcement, impacted organizations, cybersecurity companies, and blockchain intelligence.
Law Enforcement’s Proactive Stance
Lizzie Cookson from Coveware highlighted the importance of these collaborative efforts, citing the successful takedown of Hive and the disruption of BlackCat as prime examples. She noted, “These operations underscore the FBI’s commitment to assisting victims, providing aid, and imposing penalties on malicious actors.” Andrew Davis of Kivu Consulting echoed these sentiments, observing an increase in proactive involvement from law enforcement. This indicates a more resolute and determined approach to providing support to victims and tracking down cybercriminals.
https://www.infradapt.com/news/ransomware-victims-pay-out-a-record-breaking-1-1-billion-in-2023/
Meta Exposes Eight Firms Behind Spyware Attacks on iOS, Android, and Windows Devices
Meta Platforms’ Actions Against Surveillance-for-Hire Companies
Meta Platforms has taken action against eight surveillance-for-hire companies based in Italy, Spain, and the United Arab Emirates (U.A.E.), as per their Adversarial Threat Report for Q4 2023. The companies were reportedly involved in malicious activities, including the development of spyware aimed at iOS, Android, and Windows devices.
The malware developed by these companies had the ability to gather and access a wide range of device data, including information about the device itself, location data, photos, media, contacts, calendar entries, emails, SMS, and data from social media and messaging apps. The malware could also activate device microphones, cameras, and screenshot functions.
The companies implicated in these activities are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries. According to Meta Platforms, these companies also engaged in data scraping, social engineering, and phishing activities across a variety of platforms, including Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch, and Telegram.
Specific Malicious Activities
RCS Labs, owned by Cy4Gate, reportedly used a network of fake personas to trick users into providing their phone numbers and email addresses, and to click on fraudulent links for reconnaissance purposes. Facebook and Instagram accounts linked to Spanish spyware company Variston IT were used for exploit development and testing, including the sharing of malicious links. Reports suggest that Variston IT is in the process of shutting down its operations.
Meta Platforms also identified accounts used by Negg Group for testing spyware delivery, and by Mollitiam Industries, a Spanish company offering data collection services and spyware for Windows, macOS, and Android, for scraping public information.
Actions Against Coordinated Inauthentic Behavior (CIB)
Alongside these actions, Meta Platforms also removed over 2,000 accounts, Pages, and Groups from Facebook and Instagram due to Coordinated Inauthentic Behavior (CIB) originating from China, Myanmar, and Ukraine. The Chinese cluster targeted U.S. audiences with content criticizing U.S. foreign policy towards Taiwan and Israel and supporting Ukraine. The Myanmar network targeted local residents with articles praising the Burmese army and criticizing ethnic armed organizations and minority groups. The Ukrainian cluster used fake Pages and Groups to post content supporting Ukrainian politician Viktor Razvadovskyi and expressing support for the current government and criticism of the opposition in Kazakhstan.
Industry-wide Efforts to Curb Spyware Abuse
This action by Meta Platforms comes as part of a broader initiative involving a coalition of government and tech companies aiming to curb the abuse of commercial spyware for human rights abuses. As part of its countermeasures, Meta Platforms has introduced new features such as Control Flow Integrity (CFI) on Messenger for Android and VoIP memory isolation for WhatsApp to make exploitation more difficult and reduce the overall attack surface.
The Persistence of the Surveillance Industry
Despite these efforts, the surveillance industry continues to evolve and thrive in various forms. Last month, 404 Media, building on prior research from the Irish Council for Civil Liberties (ICCL) in November 2023, revealed a surveillance tool called Patternz. This tool utilizes real-time bidding (RTB) advertising data from popular apps like 9gag, Truecaller, and Kik to track mobile devices. The Israeli company behind Patternz, ISA, claims that the tool allows national security agencies to use real-time and historical user advertising data to detect, monitor, and predict user actions, security threats, and anomalies based on user behavior, location patterns, and mobile usage characteristics.
In addition, last week, Enea unveiled a previously unknown mobile network attack known as MMS Fingerprint.
The Use of Pegasus-maker NSO Group’s Alleged Techniques
The Pegasus-maker NSO Group is believed to have employed the technique, which is referenced in a contract it had with Ghana’s telecom regulator in 2015. The exact means used by the group are still somewhat unclear; however, Enea, a Swedish telecom security firm, has put forward a plausible theory.
The Role of Binary SMS in the Suspected Method
Enea suggests that the group likely used a unique form of SMS message known as binary SMS, specifically MM1_notification.REQ. This particular message informs the recipient’s device of an MMS (Multimedia Messaging Service) that is pending retrieval from the MMSC (Multimedia Messaging Service Center).
The Process of Fetching MMS
The process of fetching the MMS involves the utilization of MM1_retrieve.REQ and MM1_retrieve.RES. The former is an HTTP GET request directed to the URL address contained in the MM1_notification.REQ message.
The Significance of User Device Information
What makes this technique particularly interesting is the inclusion of user device information such as User-Agent (distinct from a web browser User-Agent string) and x-wap-profile in the GET request. This data essentially serves as a unique identifier for the device.
Understanding User-Agent and X-wap-profile
Enea explains that the User-Agent in this context is a string that typically identifies the device’s OS and model. The x-wap-profile, on the other hand, points to a User Agent Profile (UAProf) file that outlines the capabilities of a mobile handset.
Potential Exploitation of Device Information
This device information could potentially be used by a threat actor to deploy spyware. They could exploit specific vulnerabilities, customize their harmful payloads to suit the target device, or even design more efficient phishing campaigns. However, it’s important to note that there is currently no evidence to suggest this security loophole has been exploited in recent times.
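The retrieval step described above, as an added example that is not code from the article or from Enea: it parses a constructed MM1_retrieve.REQ to show what the server behind the content-location URL learns from the User-Agent and x-wap-profile headers, and adds an assumed defensive check that the notification's retrieval URL points at the operator's own MMSC. The notification is modelled as a plain dict rather than the real binary PDU, and the host names and header values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse
import hashlib

# Constructed sample of an MM1_retrieve.REQ: the plain HTTP GET a handset
# sends to the content location named in the MM1_notification.REQ.
SAMPLE_RETRIEVE_REQ = (
    "GET /mms/a1b2c3 HTTP/1.1\r\n"
    "Host: mmsc.example-operator.net\r\n"
    "User-Agent: SAMSUNG-SM-G998B/1.0 Android/13\r\n"                   # constructed value
    "x-wap-profile: http://uaprof.example-vendor.com/SM-G998B.xml\r\n"  # constructed value
    "Accept: application/vnd.wap.mms-message\r\n"
    "\r\n"
)


@dataclass(frozen=True)
class DeviceFingerprint:
    user_agent: str   # identifies the handset's OS and model
    uaprof_url: str   # UAProf file describing the handset's capabilities

    @property
    def fingerprint_id(self) -> str:
        """Stable short identifier for the device class the two headers reveal."""
        return hashlib.sha256(f"{self.user_agent}|{self.uaprof_url}".encode()).hexdigest()[:16]


def parse_retrieve_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an MM1_retrieve.REQ into its request path and lower-cased headers."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("MM1_retrieve.REQ is an HTTP GET")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers


def extract_fingerprint(raw: str) -> Optional[DeviceFingerprint]:
    """What the server behind the content-location URL learns about the handset."""
    _, headers = parse_retrieve_request(raw)
    ua = headers.get("user-agent", "")
    prof = headers.get("x-wap-profile", "")
    if not ua and not prof:
        return None
    return DeviceFingerprint(ua, prof)


# Assumed defensive policy (not from the article): a handset or MDM agent
# should only auto-retrieve MMS content from the operator's own MMSC hosts.
TRUSTED_MMSC_HOSTS = {"mmsc.example-operator.net"}


def notification_is_suspicious(notification: Dict[str, str],
                               trusted_hosts=TRUSTED_MMSC_HOSTS) -> bool:
    """notification models MM1_notification.REQ as a dict; the real PDU carries
    the retrieval URL in its X-Mms-Content-Location field."""
    host = (urlparse(notification.get("content_location", "")).hostname or "").lower()
    return host not in trusted_hosts


if __name__ == "__main__":
    fp = extract_fingerprint(SAMPLE_RETRIEVE_REQ)
    print(fp, fp.fingerprint_id if fp else None)
    print(notification_is_suspicious({"content_location": "http://203.0.113.7/mms/a1b2c3"}))
```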
https://www.infradapt.com/news/meta-exposes-eight-firms-behind-spyware-attacks-on-ios-android-and-windows-devices/
What is Multifactor Authentication?
Multi-factor authentication (MFA) is an advanced security mechanism that requires two or more verification methods from different categories to authenticate a user’s identity for a login or transaction. This approach is much more secure than single-factor authentication, which only requires a username and password. MFA is designed to protect both the user’s credentials and the resources the user can access.
The key components of MFA are:
Something You Know (Knowledge Factor): This is the most common authentication factor, which includes anything that the user knows and can remember. Examples include passwords, PINs, and personal security questions. While passwords are the most common form, they are also the most vulnerable to attacks like phishing and brute force.
Something You Have (Possession Factor): This involves something the user physically possesses. Examples include security tokens, smartphones, smart cards, and key fobs. These devices can generate time-sensitive codes or receive push notifications for authentication. The idea is that even if someone knows your password, they would still need this physical device to gain access.
Something You Are (Inherence Factor): This involves biometrics, which rely on the unique physical characteristics of an individual. Common biometric methods include fingerprint scanning, facial recognition, iris or retina scanning, and voice recognition. These methods are becoming increasingly popular due to their convenience and the fact that they are difficult to replicate or steal.
Somewhere You Are (Location Factor): This factor involves the use of geographical location as a form of authentication. It can be determined through GPS tracking or IP address location. For example, if an access request comes from a location where the user is not usually present, it can be flagged or denied.
The purpose of MFA is multifaceted:
Enhanced Security: By requiring multiple forms of verification, MFA significantly reduces the risk of unauthorized access. Even if a hacker obtains one credential, such as a password, they are unlikely to have access to the user’s physical device or biometric information.
Preventing Identity Theft: MFA makes it more difficult for attackers to impersonate users, thereby reducing the chances of identity theft.
Compliance with Regulations: Many industries have regulations that require enhanced security measures, including MFA, to protect sensitive data.
Building Trust: MFA can help organizations build trust with their customers by demonstrating a commitment to protecting their data.
Adaptability: MFA systems can be configured to balance security with user convenience, adapting to various levels of risk associated with different types of access requests.
Multi-factor authentication provides a robust security framework by combining multiple authentication factors, making it significantly more challenging for unauthorized parties to breach secure systems or data. This not only helps in safeguarding sensitive information but also plays a crucial role in maintaining user trust and complying with regulatory standards.
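The knowledge, possession and location factors described above, combined into one decision, as an added example that is not code from the original post: the password check uses PBKDF2, the possession check is an RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) verified with one step of clock drift, and the location factor is a per-user country baseline that flags rather than silently allows an unusual origin. The user record, password, allowed-country set and timestamps are constructed sample values; the TOTP secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Set


@dataclass
class UserRecord:
    username: str
    pw_salt: bytes
    pw_hash: bytes
    totp_secret: bytes                       # shared with the user's authenticator (possession)
    usual_countries: Set[str] = field(default_factory=set)   # location baseline


def enroll(username: str, password: str, totp_secret: bytes, usual_countries) -> UserRecord:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return UserRecord(username, salt, digest, totp_secret, set(usual_countries))


def check_knowledge(rec: UserRecord, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec.pw_salt, 200_000)
    return hmac.compare_digest(digest, rec.pw_hash)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second counter with dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_possession(rec: UserRecord, code: str, unix_time: int, window: int = 1) -> bool:
    # Accept one step of clock drift either side; constant-time comparison.
    return any(hmac.compare_digest(totp(rec.totp_secret, unix_time + d * 30), code)
               for d in range(-window, window + 1))


def check_location(rec: UserRecord, country: str) -> bool:
    return country in rec.usual_countries


@dataclass
class Decision:
    knowledge: bool
    possession: bool
    location: bool
    outcome: str        # "allow", "flag" or "deny"


def authenticate(rec: UserRecord, password: str, code: str, country: str, unix_time: int) -> Decision:
    """Require two independent factors (knowledge + possession); an unusual
    location does not by itself deny, but flags the request for review."""
    k = check_knowledge(rec, password)
    p = check_possession(rec, code, unix_time)
    loc = check_location(rec, country)
    if not (k and p):
        outcome = "deny"
    elif not loc:
        outcome = "flag"
    else:
        outcome = "allow"
    return Decision(k, p, loc, outcome)


RFC6238_SECRET = b"12345678901234567890"   # RFC 6238 SHA-1 test vector secret

if __name__ == "__main__":
    alice = enroll("alice", "correct horse battery staple", RFC6238_SECRET, {"US"})
    now = 59   # constructed timestamp; RFC 6238 gives 94287082 (8 digits) here
    print(authenticate(alice, "correct horse battery staple", totp(RFC6238_SECRET, now), "US", now))
```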
https://www.infradapt.com/news/what-is-multifactor-authentication/
What is endpoint detection and response?
Endpoint Detection and Response (EDR) represents an advanced layer in cybersecurity strategies, focusing on the endpoints or hosts within an organization’s network. It’s a critical tool in the fight against cyber threats, offering a more dynamic and comprehensive approach than traditional antivirus software. Let’s delve deeper into its aspects:
Advanced Threat Detection: EDR systems excel in identifying sophisticated cyber threats, including malware, ransomware, and zero-day exploits. They utilize a combination of signature-based, behavioral-based, and heuristic analysis techniques to detect known and unknown threats. This multi-faceted approach allows EDR to identify anomalies that may signify a security breach, even if the threat itself is not yet known in the cybersecurity community.
Data Collection and Analysis: EDR tools continuously gather vast amounts of data from each endpoint, including system processes, network traffic, file changes, registry settings, and user activities. This data is then analyzed in real-time or near-real-time, leveraging complex algorithms, machine learning, and sometimes artificial intelligence, to detect potentially malicious activities. This continuous monitoring is crucial for identifying threats that slowly evolve over time, which might be missed by periodic scans.
Automated and Manual Response Capabilities: Upon detection of a threat, EDR systems can take immediate, automated actions such as quarantining files, killing malicious processes, or isolating infected endpoints from the network to prevent lateral movement of the threat. Additionally, they provide tools for security analysts to manually intervene, allowing for a tailored response to complex or sophisticated attacks.
Forensics and Investigation Tools: EDR solutions offer in-depth investigative capabilities, enabling security teams to trace back the origin of an attack, understand its execution path, and assess the impact. This forensic data is vital for incident response and to prevent similar attacks in the future. It includes detailed logs, timelines of events, and other contextual information about the threat.
Integration and Collaboration: Effective EDR solutions are designed to seamlessly integrate with other security tools and systems within an organization, such as firewalls, intrusion detection systems, and security information and event management (SIEM) systems. This integration facilitates a coordinated response to threats and enhances the overall security posture by sharing insights and intelligence across different platforms.
User Behavior Analytics (UBA): Many EDR tools incorporate UBA to detect anomalies based on user behavior. This means monitoring for unusual login times, file access patterns, or network requests, which might indicate a compromised user account or an insider threat.
Threat Hunting and Proactive Security: Beyond reactive measures, EDR enables proactive threat hunting. Security teams can use EDR tools to actively search for hidden threats that have evaded initial detection, using the extensive data collected to identify subtle indicators of compromise.
Education and Empowerment of Security Teams: EDR tools also play a role in educating and empowering security teams. They provide rich, contextual information about threats and attacks, which helps in building more effective defense strategies and in training security personnel to recognize and respond to new types of threats.
In conclusion, EDR is an essential component of modern cybersecurity strategies, offering comprehensive protection for endpoints through its advanced detection capabilities, in-depth analysis, automated response mechanisms, and integration with broader security systems. By continuously monitoring endpoint activity and employing sophisticated analytical tools, EDR provides a robust defense against the increasingly sophisticated and varied threats faced by organizations today.
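The collect, analyse and respond loop described above, reduced to a toy that is an added example and not code from the article or from any EDR product: it builds a per-user login-hour baseline (the UBA element), runs new endpoint events through two behavioural checks (an off-hours login and a burst of file writes by one process, the file-access pattern of an encryptor), and emits the automated response actions the text names. The events, host and user names, and the burst thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: str        # ISO-8601 timestamp
    host: str
    user: str
    kind: str      # "login", "process_start" or "file_write"
    detail: str    # process name or file path
    pid: int = 0


# Constructed history: three ordinary working days for "bob" on ws-17.
SAMPLE_HISTORY = [
    Event("2024-01-08T09:02:00", "ws-17", "bob", "login", "interactive"),
    Event("2024-01-09T08:55:00", "ws-17", "bob", "login", "interactive"),
    Event("2024-01-10T09:10:00", "ws-17", "bob", "login", "interactive"),
    Event("2024-01-10T09:12:00", "ws-17", "bob", "process_start", "excel.exe", 410),
    Event("2024-01-10T09:30:00", "ws-17", "bob", "file_write", "C:\\docs\\q1.xlsx", 410),
]

# Constructed "today": an off-hours login, then one process rewriting 25 files
# in under a minute.
SAMPLE_TODAY = [
    Event("2024-01-11T03:14:00", "ws-17", "bob", "login", "interactive"),
    Event("2024-01-11T03:15:00", "ws-17", "bob", "process_start", "svchost32.exe", 777),
] + [
    Event(f"2024-01-11T03:16:{i:02d}", "ws-17", "bob", "file_write",
          f"C:\\docs\\f{i}.docx.locked", 777)
    for i in range(25)
]


def login_hour_baseline(events: List[Event]) -> Dict[str, Set[int]]:
    """UBA baseline: the hours at which each user has logged in before."""
    hours: Dict[str, Set[int]] = defaultdict(set)
    for e in events:
        if e.kind == "login":
            hours[e.user].add(datetime.fromisoformat(e.ts).hour)
    return hours


def detect(events: List[Event], baseline: Dict[str, Set[int]],
           burst_threshold: int = 20, burst_window_s: int = 60
           ) -> Tuple[List[str], List[Tuple[str, str, object]]]:
    """Analyse events in time order. Returns (alerts, automated response actions)."""
    alerts: List[str] = []
    actions: List[Tuple[str, str, object]] = []
    writes: Dict[Tuple[str, int], List[datetime]] = defaultdict(list)
    for e in events:
        t = datetime.fromisoformat(e.ts)
        if e.kind == "login":
            known = baseline.get(e.user)
            if known and t.hour not in known:
                alerts.append(f"{e.ts} unusual login hour {t.hour:02d} for {e.user} on {e.host}")
        elif e.kind == "file_write":
            key = (e.host, e.pid)
            recent = [w for w in writes[key] if (t - w).total_seconds() <= burst_window_s]
            recent.append(t)
            writes[key] = recent
            if len(recent) == burst_threshold:        # fire once per burst
                alerts.append(f"{e.ts} {burst_threshold} file writes within "
                              f"{burst_window_s}s by pid {e.pid} on {e.host}")
                actions.append(("kill_process", e.host, e.pid))
                actions.append(("isolate_host", e.host, None))
    return alerts, actions


if __name__ == "__main__":
    base = login_hour_baseline(SAMPLE_HISTORY)
    found_alerts, found_actions = detect(SAMPLE_TODAY, base)
    for line in found_alerts:
        print(line)
    print(found_actions)
```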
https://www.infradapt.com/news/what-is-endpoint-detection-and-response/
Alert on Rising CACTUS Ransomware Attacks
Microsoft has recently raised an alarm concerning a surge in CACTUS ransomware attacks. These attacks employ malvertising tactics to deliver DanaBot as the initial access point. The DanaBot infections eventually lead to hands-on-keyboard activity by the ransomware operator tracked as Storm-0216 (also known as Twisted Spider or UNC2198), which ultimately results in the deployment of CACTUS ransomware. This information was shared by the Microsoft Threat Intelligence team through a series of posts on X (formerly known as Twitter).
The Role of DanaBot and UNC2198
DanaBot, identified by Microsoft as Storm-1044, is a multi-functional tool. It is similar to Emotet, TrickBot, QakBot, and IcedID in its capabilities. It can act both as a stealer and as an entry point for subsequent payloads. UNC2198 has a history of infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as reported by Mandiant, a subsidiary of Google, in February 2021. According to Microsoft, this threat actor has also exploited initial access granted by QakBot infections. The current shift towards DanaBot is likely a consequence of a synchronized law enforcement operation in August 2023, which dismantled QakBot’s infrastructure.
The Current DanaBot Campaign and its Implications
The ongoing DanaBot campaign, first noticed in November, appears to use a private version of the information-stealing malware rather than the malware-as-a-service offering, according to Microsoft. The malware transmits the gathered credentials to an actor-controlled server, after which the intrusion proceeds to lateral movement through RDP sign-in attempts, eventually handing access to Storm-0216.
Recent Developments in CACTUS Ransomware Attacks
This announcement from Microsoft comes shortly after Arctic Wolf disclosed another series of CACTUS ransomware attacks that actively exploit critical vulnerabilities in the Qlik Sense data analytics platform to gain entry into corporate networks. Separately, a new macOS ransomware strain named Turtle has been discovered. It is written in Go and carries only an ad hoc code signature, so Gatekeeper blocks it from running when launched.
https://www.infradapt.com/news/alert-on-rising-cactus-ransomware-attacks/
Simple Strategies for Organizing Your Email
An overflowing email inbox can be overwhelming and counterproductive. Keeping your inbox organized is key to managing your digital communication effectively. This guide provides practical steps to organize your email inbox, helping you stay on top of your messages without feeling overwhelmed.
Why Organize Your Inbox?
Reduce Stress: A cluttered inbox can be a source of stress. Organizing it helps reduce anxiety and makes managing emails less daunting.
Improve Efficiency: A well-organized inbox allows you to find important emails quickly and respond in a timely manner.
Prioritize Tasks: By organizing your emails, you can easily identify and prioritize the most important tasks.
How to Organize Your Email Inbox
Unsubscribe from Unwanted Emails:
Regularly unsubscribe from newsletters, promotions, or updates you no longer read. This reduces the volume of incoming mail.
Use Folders and Labels:
Create folders or labels to categorize emails. For example, use separate folders for work, personal, bills, and social updates.
Move emails to these folders to keep your main inbox less cluttered.
Implement Email Filters:
Set up filters or rules to automatically sort incoming emails into designated folders.
This can be done based on the sender, subject line, or keywords.
Regularly Archive or Delete Old Emails:
Regularly review and clear out old emails. Archive those you might need later and delete the ones you don’t.
Set Specific Times for Checking Emails:
Instead of constantly checking your inbox, set specific times of the day for this task. This helps reduce distractions and increases productivity.
Use the Two-Minute Rule:
If an email can be responded to in two minutes or less, do it immediately. This prevents small tasks from piling up.
Take Advantage of Email Tools:
Use tools like snooze, reminders, or templates to manage your emails more effectively.
Conclusion
Effective email management is essential in the digital age. By implementing these simple strategies, you can keep your inbox organized, reduce stress, and improve your overall productivity. Remember, the goal is not to achieve an empty inbox, but a well-managed one that supports your workflow and daily tasks.
https://www.infradapt.com/news/simple-strategies-for-organizing-your-email/
How to clear your browser cache, and why
Introduction
Clearing your browser cache is a simple yet effective way to improve your online experience. Over time, your browser accumulates a significant amount of data, which can slow down your browsing speed and affect the performance of web pages. This article guides you through the easy steps of clearing your browser cache and explains the benefits of this regular maintenance task.
What is Browser Cache?
The browser cache is a temporary storage area on your computer where web browsers keep copies of the web pages you have visited. This storage allows for quicker access to these pages when you revisit them, as the browser can load the stored data instead of downloading everything again. However, this convenience comes with a downside.
Why Clear Your Browser Cache?
Speed Up Your Browser: Over time, the cache can become cluttered with outdated and unnecessary files, which can slow down your browser. Clearing it out helps in speeding things up.
Resolve Loading Issues: Sometimes, cached data can cause issues with how websites are displayed or function. Clearing the cache can resolve these problems.
Enhance Security: Cached data can include sensitive information. Regularly clearing it out can help protect your privacy.
See Latest Website Versions: Websites are constantly updated. A full cache can prevent you from seeing the most recent version of a site.
How to Clear Your Browser Cache
The process varies slightly depending on the browser you use. Here’s how to do it in some of the most popular browsers:
Google Chrome:
Click the three dots in the upper-right corner.
Go to ‘More tools’ > ‘Clear browsing data’.
Choose the time range (select ‘All time’ for a complete clear-out).
Check ‘Cached images and files’ and click ‘Clear data’.
Mozilla Firefox:
Click the three lines in the upper-right corner.
Go to ‘Options’ > ‘Privacy & Security’.
Under ‘Cookies and Site Data’, click ‘Clear Data’.
Check ‘Cached Web Content’ and click ‘Clear’.
Microsoft Edge:
Click the three dots in the upper-right corner.
Go to ‘Settings’ > ‘Privacy, search, and services’.
Under ‘Clear browsing data’, click ‘Choose what to clear’.
Select ‘Cached images and files’ and click ‘Clear now’.
Safari (for Mac):
Go to ‘Safari’ in the menu bar, then ‘Preferences’.
Click on the ‘Advanced’ tab and check ‘Show Develop menu in menu bar’.
From the ‘Develop’ menu, select ‘Empty Caches’.
Conclusion
Regularly clearing your browser cache is a simple yet effective way to maintain the performance and security of your web browsing experience. It’s a quick process that can lead to noticeable improvements in speed and functionality. Make it a habit to perform this task every few weeks or monthly, depending on your browsing habits.
https://www.infradapt.com/news/how-to-clear-your-browser-cache-and-why/
CISA Highlights High-Severity Flaw in Service Location Protocol
The United States Cybersecurity and Infrastructure Security Agency (CISA) has recently included a high-risk vulnerability in the Service Location Protocol (SLP) within its Known Exploited Vulnerabilities (KEV) catalog. This inclusion was made following the detection of active exploitation of this flaw. This vulnerability, designated as CVE-2023-29552 and having a CVSS score of 7.5, is a denial-of-service (DoS) flaw that could potentially be used to initiate large-scale DoS amplification assaults.
Exploring the Vulnerability
According to CISA, the Service Location Protocol (SLP) is plagued by a denial-of-service (DoS) vulnerability. This vulnerability could enable an unauthenticated, remote attacker to register services and use falsified UDP traffic to execute a denial-of-service (DoS) attack with a considerable amplification factor. SLP is a protocol that facilitates the discovery and communication of systems within a local area network (LAN).
Amplification Factor and Potential Exploitation
While the precise details regarding the exploitation of this flaw remain undisclosed, Bitsight had previously cautioned that this deficiency could be manipulated to execute DoS attacks with a high amplification factor. Bitsight stated, “This extremely high amplification factor allows for an under-resourced threat actor to have a significant impact on a targeted network and/or server via a reflection DoS amplification attack.”
Mandatory Mitigations for Federal Agencies
In response to the real-world attacks leveraging this flaw, federal agencies are mandated to implement the necessary mitigations, including the deactivation of the SLP service on systems operating on untrusted networks. These measures must be taken by November 29, 2023, to protect their networks from potential threats.
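Detection logic for the reflection and amplification behaviour described above, as an added example that is not from the CISA advisory or from Bitsight: it runs over constructed UDP flow records, computes per-peer amplification ratios for the SLP port (UDP 427), flags peers that look like reflection victims, and lists peers outside the trusted LAN prefixes, which is the exposure the mitigation (disabling SLP on untrusted networks) removes. The flow record layout, addresses and ratio threshold are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

SLP_PORT = 427   # SLP listens on UDP/TCP port 427


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed flow records: small spoofed "requests" carrying the victim's
# address (198.51.100.9) reach an exposed SLP server (192.0.2.10), which answers
# the victim with much larger replies; 192.0.2.22 is an ordinary LAN client.
SAMPLE_FLOWS = [
    Flow("198.51.100.9", 40000, "192.0.2.10", SLP_PORT, "udp", 29),
    Flow("192.0.2.10", SLP_PORT, "198.51.100.9", 40000, "udp", 4100),
    Flow("198.51.100.9", 40000, "192.0.2.10", SLP_PORT, "udp", 29),
    Flow("192.0.2.10", SLP_PORT, "198.51.100.9", 40000, "udp", 4100),
    Flow("192.0.2.22", 51000, "192.0.2.10", SLP_PORT, "udp", 60),
    Flow("192.0.2.10", SLP_PORT, "192.0.2.22", 51000, "udp", 120),
]


def amplification_by_peer(flows: Iterable[Flow], port: int = SLP_PORT) -> Dict[str, float]:
    """Per remote peer: bytes the SLP service sent to it divided by bytes received from it."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == port:
            totals[f.src]["in"] += f.nbytes
        elif f.sport == port:
            totals[f.dst]["out"] += f.nbytes
    return {peer: (t["out"] / t["in"] if t["in"] else float("inf"))
            for peer, t in totals.items()}


def flag_amplification(flows: Iterable[Flow], threshold: float = 10.0) -> List[str]:
    """Peers receiving far more SLP bytes than they send: likely reflection victims."""
    return sorted(p for p, r in amplification_by_peer(flows).items() if r >= threshold)


def untrusted_peers(flows: Iterable[Flow], trusted_nets: Iterable[str],
                    port: int = SLP_PORT) -> List[str]:
    """Peers outside the trusted prefixes that reached the SLP service: evidence the
    service is exposed to an untrusted network and should be disabled there."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    seen = set()
    for f in flows:
        if f.dport == port and not any(ipaddress.ip_address(f.src) in n for n in nets):
            seen.add(f.src)
    return sorted(seen)


if __name__ == "__main__":
    print(amplification_by_peer(SAMPLE_FLOWS))
    print("reflection victims:", flag_amplification(SAMPLE_FLOWS))
    print("untrusted peers:", untrusted_peers(SAMPLE_FLOWS, ["192.0.2.0/24"]))
```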
https://www.infradapt.com/news/cisa-highlights-high-severity-flaw-in-service-location-protocol/
New Threats to Google Workspace and Cloud
Uncovering New Threats to Google Workspace and Google Cloud Platform
In a recent report, Bitdefender, a Romanian cybersecurity firm, exposed a series of innovative attack strategies that could potentially be used against Google Workspace and the Google Cloud Platform. These strategies could be exploited by cybercriminals to launch ransomware, data theft, and password recovery attacks.
Martin Zugec, the technical solutions director at Bitdefender, explained that these attacks could evolve in several ways from a single compromised machine. The attackers could spread to other cloned machines with Google Credential Provider for Windows (GCPW) installed, gain access to the cloud platform with custom permissions, or decrypt locally stored passwords to expand their attack beyond the Google ecosystem.
However, all of these attacks require the attacker to have already compromised a local machine by other means. Google has therefore said the issue is not eligible for a fix, since it falls outside its threat model and is consistent with how Chrome stores local data.
Exploiting the Vulnerabilities in Google Credential Provider for Windows (GCPW)
The attacks fundamentally depend on an organization’s use of Google Credential Provider for Windows (GCPW). GCPW provides both mobile device management (MDM) and single sign-on (SSO) capabilities, allowing administrators to remotely manage Windows devices within their Google Workspace environments and users to access their Windows devices using the same credentials as their Google accounts.
GCPW operates using a local privileged service account named Google Accounts and ID Administration (GAIA) which connects to Google APIs to verify a user’s credentials during the sign-in step and stores a refresh token to eliminate the need for re-authentication.
Attack Scenarios and their Implications
With GCPW in place, an attacker on a compromised machine can extract the account's OAuth refresh token from the Windows registry or from the user's Chrome profile directory. Because multi-factor authentication (MFA) was satisfied when that token was first issued, using the token sidesteps MFA entirely. The attacker then sends an HTTP POST request to Google's token endpoint with the refresh token to obtain an access token, which can be used to read, alter or delete data tied to the Google account. The corresponding defensive action is to treat a compromised endpoint as a credential compromise and revoke the user's tokens and sessions, not merely reset the password.
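The POST request described above is the standard OAuth 2.0 refresh-token grant. The following is an added example, not Bitdefender's or Google's code: it builds that request, exchanges it against a pluggable transport so it can be exercised offline, and pairs it with the revocation call a defender uses to cut the token off. The client ID, client secret and token values are placeholders (the real GCPW client credentials are not given on this page); only the two endpoint URLs are Google's documented ones.

```python
"""Added example (not Bitdefender's or Google's code): the refresh-token grant
the article describes, with a pluggable transport for offline use, plus the
revocation call that invalidates a stolen token. CLIENT_ID/CLIENT_SECRET and
token strings are placeholders; the endpoint URLs are Google's real ones."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke"

# transport(url, form_body) -> (http_status, response_body)
Transport = Callable[[str, bytes], Tuple[int, bytes]]


def urllib_transport(url: str, body: bytes) -> Tuple[int, bytes]:
    """Real HTTPS POST with a form-encoded body. Not used by the offline demo."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def build_refresh_request(refresh_token: str, client_id: str, client_secret: str) -> bytes:
    """Note what is absent: no password and no MFA challenge. The refresh token is the credential."""
    return urllib.parse.urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                                   "client_id": client_id, "client_secret": client_secret}).encode()


def exchange_refresh_token(refresh_token: str, client_id: str, client_secret: str,
                           transport: Transport) -> Optional[str]:
    """Return a bearer access token, or None if the refresh token is invalid or revoked."""
    status, raw = transport(TOKEN_ENDPOINT, build_refresh_request(refresh_token, client_id, client_secret))
    data: Dict = json.loads(raw or b"{}")
    if status != 200 or "access_token" not in data:
        return None                                  # e.g. {"error": "invalid_grant"} after revocation
    return data["access_token"]


def revoke_token(token: str, transport: Transport) -> bool:
    """Defender action: revoking the refresh token also invalidates access tokens minted from it."""
    status, _ = transport(REVOKE_ENDPOINT, urllib.parse.urlencode({"token": token}).encode())
    return status == 200


class FakeTokenServer:
    """Constructed stand-in for Google's two endpoints, for the offline demo only."""

    def __init__(self, valid_refresh_tokens):
        self.valid = set(valid_refresh_tokens)
        self.issued = 0

    def __call__(self, url: str, body: bytes) -> Tuple[int, bytes]:
        form = dict(urllib.parse.parse_qsl(body.decode()))
        if url == TOKEN_ENDPOINT:
            if form.get("grant_type") == "refresh_token" and form.get("refresh_token") in self.valid:
                self.issued += 1
                return 200, json.dumps({"access_token": f"ya29.placeholder{self.issued}",
                                        "token_type": "Bearer", "expires_in": 3599}).encode()
            return 400, json.dumps({"error": "invalid_grant"}).encode()
        if url == REVOKE_ENDPOINT:
            self.valid.discard(form.get("token"))
            return 200, b"{}"
        return 404, b""


def demo():
    """A stolen refresh token mints access tokens until it is revoked; afterwards it yields nothing."""
    stolen = "1//placeholder-refresh-token"       # constructed; the real one lives in the GCPW store
    server = FakeTokenServer([stolen])
    before = exchange_refresh_token(stolen, "CLIENT_ID", "CLIENT_SECRET", server)
    revoked = revoke_token(stolen, server)
    after = exchange_refresh_token(stolen, "CLIENT_ID", "CLIENT_SECRET", server)
    return before, revoked, after


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the sequence: the exchange succeeds with nothing but the token, and fails with invalid_grant once the token is revoked. In a Workspace incident the administrative equivalent is to reset the user's sign-in cookies and revoke connected-application tokens from the Admin console; a password change alone leaves an already-issued refresh token usable.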
Another technique, which Bitdefender calls Golden Image lateral movement, targets virtual machine (VM) deployments. It exploits the fact that cloning a machine with GCPW already installed also clones the password of the local GAIA account, so every clone shares the same privileged local password. Knowing that one password therefore gives the attacker access to every machine built from the image. The practical defense is to add GCPW after cloning rather than baking an already-enrolled GCPW into the golden image, so that no two machines share the GAIA credential.
A third attack involves gaining access to plaintext credentials by using the access token obtained through the previous technique to send an HTTP GET request to an undocumented API endpoint and acquire the private RSA key needed to decrypt the password field.
Having access to plaintext credentials, such as usernames and passwords, allows attackers to impersonate legitimate users directly and gain unrestricted access to their accounts, potentially leading to a complete account takeover.
https://www.infradapt.com/news/new-threats-to-google-workspace-and-cloud/
Staying Off the Radar with Smart Location Settings
Understanding the Intricacies of Location Tracking
Our devices and applications are increasingly inclined to track our location. This tracking is often used to provide personalized weather updates, suggest restaurants in our vicinity, or to tailor advertisements to our preferences. However, managing these settings can often be a complex task. Moreover, there may be discrepancies in the location histories recorded by our devices. For instance, you might believe that you have disabled location sharing, only to find out that your movements are still being tracked, or vice versa. This article aims to simplify the complexities of location tracking, enabling you to have better control over your privacy settings.
Demystifying Location Tracking
Have you ever turned off location tracking on a device, only to find your location appearing on a map? Or perhaps you’ve noticed gaps in your location history despite having the feature enabled? The answers to these queries lie in understanding the various ways your location can be logged: by your devices, your applications, and the websites you visit.
Consider this: you might have switched off location tracking on your phone, but it could still be active on your tablet. Or, your laptop might be recording your location in the background, even though you believed you had disabled this feature on your applications. To completely enable or disable location tracking, you must consider all these different methods that can track your location.
Google Account as an Example
If you have a Google account, it serves as a good example of how location tracking works. Navigate to your account settings on the web, and select Data and Privacy and then Location History. Choose Devices on This Account, which might reveal devices that you had forgotten about. Any device with a check next to it in this list is recording your movements to your Google account for future reference.
You can click Turn Off to disable this feature, but there are certain exceptions to keep in mind. Your location might still be recorded by your mobile devices, by the Find My Device service that helps you recover lost hardware, and by Google Maps when you’re navigating or searching around your current location. This Location History setting is more of a general switch, affecting features like the Google Timeline and the ability to quickly look up places you visit regularly.
Other Locations Where Your Data Gets Logged
From the main Google account screen, there are several other places where your location gets logged and shared. Click on Data and Privacy, then Web & App Activity to manage location data saved by Google Maps and other apps and websites. Click on People and Sharing, then Manage Location Sharing to see a list of specific contacts who can see where you are through various Google services.
Managing Location Tracking on Mobile Devices
The process of managing your location on Android varies slightly depending on your phone's manufacturer, but the instructions are generally similar. On Google Pixel devices, for instance, you can navigate to Settings and then select Location. Here, you'll see the Use Location toggle switch. If you turn this off, neither your apps nor Google will receive your device's location, although services can still estimate a rough location from your IP address.
If you leave the Use Location toggle switch on, you can customize location access for individual apps on the same screen. Note that you can choose to allow apps to know where you are at all times, or only when the app in question is running in the foreground.
On iOS, the setup is similar. Select Privacy & Security from Settings, and then tap Location Services. Here, you can turn off location tracking for the phone and all the apps on it. If you choose to leave this enabled, you can manage individual app access to your location via the list underneath. As on Android, you can choose when apps have access to your location.
Managing Your Location Privacy on Mobile Devices
The ability to control the location access of applications on your mobile device is a critical feature. You have the option to restrict an app’s access to your location only while it’s in use, or to grant it permission to monitor your location even when it’s running in the background. However, deleting the location data that has been gathered about you can be a challenging task. This process involves scrutinizing the records and settings of every app that has ever been granted access to your location.
For those who use Google and its applications, the process involves visiting your Google account on the web. From there, you can navigate to either ‘Location History’ or ‘Web & App Activity’ under the ‘Data and Privacy’ section to erase this data from Google’s records. There are also options to set up automatic deletion of this data after specific periods: 3, 18, or 36 months.
Unlike Google, Apple has a different method of logging your movements. It compiles a list of places you frequently visit, like your home or workplace, for quick access in the future. To clear this list on your iPhone, navigate to ‘Settings,’ then select ‘Privacy & Security,’ ‘Location Services,’ ‘System Services,’ and finally ‘Significant Locations.’ Here, you can clear this list and prevent it from populating in the future.
Controlling Location Tracking on Desktop Computers
Desktop computers and laptops, unlike mobile devices, typically don’t come with GPS capabilities. So, they don’t track your location in the same way as your phone. However, applications, websites, and even the operating system can still have a general idea of your location, primarily based on the locations from which you access the internet.
On Windows, you can manage your location settings by opening ‘Settings,’ then selecting ‘Privacy & Security’ and ‘Location.’ Just like on Android and iOS, you can turn off location tracking for individual applications or disable it for the entire computer. This screen also lets you see which apps have been using your location and allows you to erase the log of your travels.
On macOS, the process is slightly different. You need to click the Apple menu and select ‘System Settings,’ ‘Privacy & Security,’ and ‘Location Services.’ The next screen is quite similar to the Windows one, with toggle switches for individual applications and for macOS itself. If you want to clear the list of “significant locations” Apple has saved for you, just like on iOS, you can do so from this screen.
Managing Browser Location Tracking
If location tracking is enabled on your computer and your preferred browser, individual websites like Facebook, Amazon, or Google Search can also determine your location. While this can be useful for providing accurate weather forecasts, there may be instances when you want to turn it off to maintain your privacy.
Each browser has settings for managing website access to your location. In Chrome, you can find these under ‘Privacy and Security,’ ‘Site Settings,’ and ‘Location’ in the settings pane. In Edge, you need to open settings and choose ‘Cookies and Site Permissions’ then ‘Location.’ On Safari on macOS, select ‘Websites’ and ‘Location’ once you’ve opened the settings dialog. However, changing these settings will not affect data these sites have collected in the past. To manage that, you’ll need to visit the options for the individual sites.
https://www.infradapt.com/news/staying-off-the-radar-with-smart-location-settings/
How Malvertisers are Exploiting Google Ads
A malvertising campaign that manipulates Google Ads to divert users seeking popular software to fraudulent landing pages and deliver subsequent-stage payloads has come to light. Malwarebytes, the firm that unearthed this activity, described it as “distinctive in its methodology of fingerprinting users and distributing time-sensitive payloads.”
This attack specifically targets users looking for Notepad++ and PDF converters to display counterfeit ads on Google’s search results page. When these ads are clicked, the system weeds out bots and other unintended IP addresses by presenting a decoy website. If the visitor is considered valuable to the threat actor, they are rerouted to a cloned website promoting the software, while the system quietly fingerprints the system to ascertain if the request is coming from a virtual machine.
The Intricacies of the Malvertising Campaign
Users who fail the verification are directed to the official Notepad++ website, while a potential target is given a unique ID for “tracking purposes and also to make each download unique and time-sensitive.” The terminal-stage malware is an HTA payload that establishes a connection to a remote domain (“mybigeye[.]icu”) on a custom port and delivers subsequent malware.
Jérôme Segura, Director of Threat Intelligence, stated, “Threat actors are successfully employing evasion strategies that circumvent ad verification checks and enable them to target specific victim types.” He added, “With a dependable malware delivery chain at their disposal, malicious actors can concentrate on enhancing their decoy pages and creating custom malware payloads.”
Overlap with Similar Campaigns and the Use of Punycode
This revelation coincides with a similar campaign that targets users searching for the KeePass password manager with harmful ads that direct victims to a domain registered using Punycode (keepass[.]info versus ķeepass[.]info), the encoding defined in RFC 3492 that represents internationalized domain names in ASCII, producing labels that start with “xn--”.
The Role of Decoy Sites and Malicious Installers
Users who arrive at the decoy site are duped into downloading a malicious installer that ultimately triggers the execution of FakeBat (also known as EugenLoader), a loader designed to download other malicious code.
The misuse of Punycode is not entirely new, but its combination with rogue Google Ads shows that malvertising via search engines is becoming increasingly sophisticated. The objective is a homograph attack: register a domain whose Unicode form is visually indistinguishable from the legitimate site and lure victims into installing malware from it. A practical check is to look for an “xn--” prefix in the address bar, and to download software from vendor URLs you have bookmarked rather than from sponsored search results.
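The homograph check above can be automated against a list of domains you care about. This is an added example, not Malwarebytes' code: it converts between the Unicode and xn-- forms with Python's built-in idna codec and reduces a domain to a crude confusable skeleton before comparing it with the watched list. The WATCHED_DOMAINS set and the test strings are constructed for illustration. It also goes a step beyond the keepass case in the text by mapping a handful of Cyrillic letters, which diacritic stripping alone would miss.

```python
"""Added example (not Malwarebytes' code): flag Punycode/IDN homograph
lookalikes of watched domains. Uses the standard-library idna codec and Unicode
decomposition; WATCHED_DOMAINS and the Cyrillic subset are constructed."""
import unicodedata
from typing import Optional, Tuple

WATCHED_DOMAINS = {"keepass.info", "notepad-plus-plus.org"}      # constructed watch-list

# A few Cyrillic letters that render like Latin ones (small constructed subset of TR39 confusables).
_CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                              "\u0441": "c", "\u043a": "k", "\u0445": "x", "\u0443": "y"})


def to_ascii(domain: str) -> str:
    """Wire form: each non-ASCII label becomes an xn-- Punycode label."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Inverse of to_ascii; a plain ASCII domain passes through unchanged."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain


def skeleton(domain: str) -> str:
    """Crude confusable skeleton: NFKD, drop combining marks (so ķ -> k), map listed Cyrillic letters."""
    decomposed = unicodedata.normalize("NFKD", domain)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.translate(_CONFUSABLES).lower()


def classify(domain: str) -> Tuple[bool, Optional[str]]:
    """Return (is_lookalike, watched_domain_it_imitates). Accepts Unicode or xn-- input."""
    uni = to_unicode(domain).lower()
    if uni in WATCHED_DOMAINS:
        return False, uni                    # the genuine domain
    sk = skeleton(uni)
    if sk in WATCHED_DOMAINS:
        return True, sk                      # reads like a watched domain but is not it
    return False, None


if __name__ == "__main__":
    for d in ["keepass.info", "ķeepass.info", "xn--eepass-vbb.info", "k\u0435epass.info", "example.com"]:
        print(d, to_ascii(d), classify(d))
```

Run this over the sponsored-result URLs your proxy or ad-blocker logs see; a (True, brand) result for a domain you did not register is worth a block and a look at what the page was serving. The skeleton is deliberately simple: for production use the full Unicode TR39 confusables table rather than the eight-letter subset here.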
The Constant Evolution of Threats
Multiple threat actors such as TA569 (also known as SocGholish), RogueRaticate (FakeSG), ZPHP (SmartApeSG), ClearFake, and EtherHiding have been noticed exploiting themes related to fake browser updates to disseminate Cobalt Strike, loaders, stealers, and remote access trojans, indicating that these attacks are a persistent, evolving threat.
Dusty Miller, a researcher at Proofpoint, stated in an analysis published this week, “Fake browser updates exploit end user trust with compromised websites and a lure customized to the user’s browser to legitimize the update and fool users into clicking.” He warned, “The threat is only in the browser and can be initiated by a click from a legitimate and expected email, social media site, search engine query, or even just navigating to the compromised site.”
https://www.infradapt.com/news/how-malvertisers-are-exploiting-google-ads/
How to Prevent Google Bard from Saving Your Personal Information
Google Bard, with its latest update, can now sift through your Google Docs, unearth old Gmail messages and search YouTube videos. Before delving into the new extensions available for Google's chatbot, it is worth understanding which privacy measures you can take (and which you can't).
Google Bard was opened to the public in March of this year, a few months after OpenAI released ChatGPT. You're probably aware that chatbots are engineered to replicate human conversation, but Google's recent features aim to give Bard more practical functions and uses. However, when every interaction you have with Bard is monitored, recorded and reused to train the AI, how can you keep your data safe? Here are some suggestions for securing your prompts and gaining some control over the information you provide to Bard. We'll also cover location data, where Google unfortunately offers fewer privacy options.
The default setting for Bard is to retain every dialogue you have with the chatbot for 18 months. Bard also records your approximate location, IP address, and any physical addresses linked to your Google account for work or home, in addition to your prompts. While the default settings are active, any conversation you have with Bard may be chosen for human review.
Looking to disable this? In the Bard Activity tab, you can prevent it from automatically saving your prompts and also erase any previous interactions. “We provide this option surrounding Bard Activity, which you can enable or disable, if you prefer to keep your conversations non-reviewable by humans,” explains Jack Krawczyk, a product lead at Google for Bard.
Once you deactivate Bard Activity, your new chats are not submitted for human review, unless you report a specific interaction to Google. But there’s a caveat: If you disable Bard Activity, you can’t use any of the chatbot’s extensions that link the AI tool to Gmail, YouTube, and Google Docs.
You can opt to manually delete interactions with Bard, but the data might not be removed from Google's servers until a later time, when the company decides to erase it (if at all). “To aid Bard's improvement while ensuring your privacy, we pick a subset of conversations and use automated tools to aid in removing personally identifiable information,” reads a Google support page. The conversations chosen for human review are no longer associated with your personal account, and these interactions are stored by Google for up to three years, even if you delete them from your Bard Activity.
It’s also important to mention that any Bard conversation you wish to share with friends or colleagues could potentially be indexed by Google Search. At the time of writing, several Bard interactions were accessible through Search, ranging from a job seeker seeking advice on applying for a position at YouTube Music to someone asking for 50 different ingredients they could blend into protein powder.
To delete any Bard links you’ve shared, navigate to Settings in the top right corner, select Your public links, and click the trash icon to halt online sharing. Google announced on social media that it’s taking measures to prevent shared chats from being indexed by Search.
This might prompt you to question: If I’m using Bard to locate my old emails, do those conversations remain private? Perhaps, perhaps not. “With Bard’s capability to summarize and extract content from your Gmail and your Google Docs, we’ve taken it a step further,” states Krawczyk. “Nothing from there is ever eligible. Regardless of the settings you’ve enabled. Your email will never be read by another human. Your Google Docs will never be read by another human.” Although the absence of human readers might seem somewhat comforting, it’s still ambiguous how Google utilizes your data and interactions to train their algorithm or future versions of the chatbot.
Alright, now what about your location data? Are there any tools to limit when Bard keeps track of where you are?
The Choice of Location Sharing with Bard
In a pop-up, Bard gives users the choice of whether to share their precise location. However, even if users decide against sharing their exact location, Bard still has access to their general whereabouts. A page on Google's support site explains, “In order to provide a response that is relevant to your query, Bard always collects location data when in use.”
How Bard Determines Your Location
Bard determines your location through a combination of your IP address, which gives a general sense of your location, and any personal addresses linked to your Google account. Google asserts that the location data provided by users is anonymized by combining it with the data of at least a thousand other users within a tracking area that spans at least two miles.
The Commonality of IP Address Tracking
While some users may feel uneasy about location tracking, the practice of keeping tabs on IP addresses to determine user locations is more common than one might think. For instance, Google Search utilizes your IP address, among other sources, to respond to “near me” inquiries such as “best takeout near me” or “used camping gear near me.” However, just because this practice is widespread doesn’t necessarily mean it’s universally accepted. This is something to consider when using products like Bard.
How to Mask Your IP Address
Although Google offers no straightforward way to opt out of Bard's location tracking, users can mask their IP address with a virtual private network (VPN) on both PCs and mobile devices. Bear in mind that a VPN only changes the IP-derived estimate; the home and work addresses saved on your Google account remain available to Bard unless you remove them from the account.
https://www.infradapt.com/news/how-to-prevent-google-bard-from-saving-your-personal-information/
The Potential Dangers of Public USB Charging Stations
The Federal Bureau of Investigation (FBI) has recently issued a cautionary message to consumers, advising against the use of public phone charging stations due to the potential risk of malware infections. The FBI’s Denver branch highlighted this issue in a recent tweet, indicating that cybercriminals have been exploiting public USB ports, such as those found in shopping centres and airports, to disseminate harmful software and spyware. The FBI, however, did not provide any specific instances to illustrate this concern.
In the tweet, the FBI urged consumers to carry personal chargers and USB cords, and to opt for electrical outlets instead of public charging stations. This advice comes as a response to the increasing reliance on these public facilities, particularly when devices are running low on battery power.
Security experts have been voicing concerns about this potential risk for several years. In fact, the term “juice jacking” was introduced in 2011 to describe this specific type of cyber threat. Drew Paik, who previously worked at security firm Authentic8, explained the concept to CNN in 2017. He stated that merely connecting your phone to a compromised power strip or charger could infect your device, jeopardizing all your data.
The charging cord used for your phone also serves as a conduit for data transfer between your phone and other devices. For example, when you connect your iPhone to your Mac using the charging cord, you can transfer photos from your phone to your computer. If a USB port is compromised, a hacker could potentially gain unrestricted access to your data, including your emails, text messages, photos and contacts, as Paik further explained to CNN. Modern phones do mitigate this: iOS asks “Trust This Computer?” before allowing data access over the cable, and Android defaults a new USB connection to charging only, so declining those prompts, or using a charge-only cable or a USB data blocker, blunts the attack.
Vikki Migoya, the public affairs officer at the FBI’s Denver branch, communicated to CNN that the FBI routinely issues reminders and public service announcements in partnership with other organizations. According to Migoya, this particular warning was intended to encourage the general public in the United States to remain vigilant and safe, particularly while travelling.
The Federal Communications Commission (FCC) also echoed this warning in an updated blog post. It pointed out that a corrupted charging port could provide an opportunity for a malicious actor to either lock a device or extract personal data and passwords. The FCC blog post further warned that in some instances, criminals may deliberately leave cables plugged into charging stations. There have even been reported cases of infected cables being distributed as promotional gifts.
https://www.infradapt.com/news/the-potential-dangers-of-public-usb-charging-stations/