Though a municipal agency assures the public that few are affected, hundreds have their data held ransom for $100,000 by the ransomware gang.

Source: dbtravel via Alamy Stock Photo

The Medusa ransomware gang claimed responsibility earlier this week for a March cyberattack on Tarrant County Appraisal District and is threatening to leak 218GB of stolen data with a six-day deadline if the $100,000 ransom is not paid.

Tarrant County Appraisal District determines property values in Fort Worth, Texas, and released an update informing the public that the personal information of roughly 300 individuals was affected.

"On March 21, 2024, Tarrant County Appraisal District experienced a network disruption. In response to the discovery, we took steps to secure our network and are working with leading independent cybersecurity experts to assist with the investigation, response, and restoration process," said Jon Don Bobbitt, chief appraiser in Tarrant Appraisal District, in a statement.

Affected individuals will be contacted to assist them with the protection of their personal information, but it is recommended that any suspicious activity should be reported as soon as possible.

The attack was reported to the FBI, and work is underway to restore operations, though the county offered no update regarding whether the ransom will be paid.

**About the Author(s)**

Medusa Gang Strikes Again, Hits Nearly 300 Fort Worth Property Owners

In a cyberattack more reminiscent of the 2010s, a seemingly lone hacker fleeced a major corporation for millions of open customer records.

Source: Jade Kelly via Alamy Stock Photo

A hacker with no known history has leaked personal information belonging to millions of customers of boAt, a consumer electronics company in India.

The company is India's leading manufacturer of wireless audio and wearables; boAt controlled around 26% of the wearables market as of 2023, according to data from IDC. It sells nearly 40% of all earbuds in the country — more than five times its nearest competitor — according to 2022 data from Counterpoint Research.

The threat actors, operating under the nom de guerre "ShopifyGUY," on April 5 published 2GB worth of files onto the Dark Web, according to reports. The files contained around 7.5 million entries' worth of personally identifiable information (PII) relating to boAt customers, including names, addresses, phone numbers, emails, and more.

The entire lot of it was listed for around only $2, potentially raising suspicion about the data's authenticity. However, multiple news outlets have since contacted samples of affected customers, confirming that their information is correct.

Dark Reading has reached out to boAt's security team to confirm the details of the attack but has not yet received a response.

**Preventing Customer Data Leaks**

To prevent falling victim to such an attack, Darren Williams, CEO and founder of BlackFog, suggests that companies invest in anti-exfiltration tools.

"Anti-data exfiltration is about looking for data leaving the network, and then running AI over the top of all of it to look for if it's a legitimate request," he explains. Programs trained to do this job run on dozens of contextual and behavioral parameters to distinguish legitimate from illegitimate traffic.

With that said, he adds, there are even simpler and lower-tech steps companies can take to make simple leaks more complicated.

"In a mature organization," he explains, "a basic requirement of security is data encryption at rest. That way, if somebody's accessing your database, it doesn't matter, because they can't decrypt it anyway. So it fascinates me that, in this day and age, people don't do the very basic step of encrypting their database.

"It's not hard — it takes 30 seconds, you just have to press the On button. It makes me think \[boAt\] was asleep at the wheel."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Attack on Consumer Electronics Manufacturer boAt Leaks Data on 7.5M Customers

Various anti-detection features, including the use of the ScrubCrypt antivirus-evasion tool, fuel an attack that aims to take over Microsoft Windows machines.

Source: Shane in Sweden via Shutterstock

A newly exposed corporate phishing campaign targeting Microsoft Windows users is delivering a flurry of remote access Trojans (RATs) and other malware under the cover of multiple detection-evasion techniques.

The attackers behind the campaign try to lure users into clicking on an attachment that ultimately employs the tool ScrubCrypt to deliver primarily the VenomRAT version 6, although various other oft-used malware also are associated with the campaign, researchers from Fortinet's FortiGuard Labs Threat Research revealed in a blog post.

While the RAT maintains a connection with attackers' command-and-control (C2) server, the attack drops plug-ins including Remcos RAT, XWorm, NanoCore RAT, and a stealer designed for specific crypto wallets, according to the researchers.

Ultimately the campaign is aimed at stealing critical data from targeted systems — ostensibly to be used in future attacks — as well achieving persistence on a victim's network, according to the post.

"The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems," wrote Cara Lin, senior antivirus analyst at Fortinet. "Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign."

VenomRAT is a tool used previously by the 8220 Gang, a cybercriminal group that uses a powerful botnet as its weapon of choice. ScrubCrypt, meanwhile, converts executables into undetectable batch files, providing "several options to manipulate malware, making it more challenging for antivirus products to detect," Lin noted.

**Phony Invoice Phish**

The campaign typically starts with a phishing email stating that a shipment has been delivered with an attached "invoice" that is actually an SVG file named "INV0ICE\_#TBSBVS0Y3BDSMMX.svg" and contains embedded base64-encoded data.

If a targeted user opens the SVG file, the ECMAScript creates a new blob and utilizes "window.URL.createObjectURL" to drop the decoded data as a ZIP file named "INV0ICE\_#TBSBVS0Y3BDSMMX.zip." The decompressed file reveals an obfuscated batch file with an embedded payload that appears to be created by the BatCloak tool, which distributes malware while effectively evading detection by antivirus program, Lin explained.

The embedded script initially copies a PowerShell execution file to "C:\\Users\\Public\\xkn.exe" and utilizes the copied file in later commands, using parameters that conceal its activity. It then decodes the malicious data and saves it as "pointer.png," which is later executed as "pointer.cmd" and deletes all the previously executed files.

**ScrubCrypt Delivers VenomRAT**

The "pointer.cmd" file serves as the ScrubCrypt batch file, and it's "deliberately cluttered with numerous junk strings to obscure readability," Lin wrote. The file incorporates two payloads, the first of which serves two primary purposes: establishing persistence and loading the targeted malware, VenomRAT. The second payload from the ScrubCrypt batch file is for AMSI bypass and ETW bypass, she noted.

VenomRAT was first identified in 2020 and uses a modified version of the well-known Quasar RAT. It allows attackers to gain unauthorized access and control over targeted systems. "As with other RATs, VenomRAT enables attackers to manipulate compromised devices remotely, allowing them to execute various malicious activities without the victim's knowledge or consent," Lin wrote.

Once deployed, VenomRAT initiates communication with its C2 server to send information about the victim, such as hardware specifications, username, operating system details, camera availability, execution path, foreground window name, and the name of the antivirus product installed. It then maintains communication channels with the C2 server to acquire the aforementioned additional plugins for related and other malicious activities as the attack continues from there, Lin wrote.

Notable among those plugins are three RATs often used for various nefarious purposes, including the Remcos RAT, which gives attackers complete system control to capture keystrokes, screenshots, credentials, and other sensitive information; NanoCore RAT, which can remotely access and control a victim's computer; and Xworm, which can load ransomware or act as a persistent backdoor.

**Vigilance Required**

Because this cyberattack campaign uses multiple layers of obfuscation and evasion techniques, it's important for enterprises to stay vigilant.

"The attackers' ability to persist in the system, evade detection, and execute malicious payloads underscores the importance of robust cybersecurity measures and vigilant monitoring to mitigate such threats effectively," Lin noted.

Organizations should educate users about the hallmark signs of phishing campaigns and encourage them to report suspicious activity to IT departments, as well as avoid downloading files or clicking on links from untrusted sources.

Despite its evasive tactics, a strong antivirus-detection system should pick up the malware entering a network, and one that includes a content disarm-and-reconstruction service also is helpful to disable the malicious macros in the document before they can do any harm, Lin wrote.

Fortiguard included a list of indicators of compromise for the specific VenomRAT campaign in the post, including associated C2 domains, URLs associated with the attack, and files the attack distributes.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cagey Phishing Campaign Delivers Multiple RATs to Steal Windows Data

Global organizations and geopolitical entities must adopt new strategies to combat the growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

Source: Dragon Claws via Alamy Stock Photo

COMMENTARY

Today, it's rare for a month to pass without reports of new distributed denial-of-service (DDoS) attacks driven by geopolitical instability. Now, a single attack can include numerous countries and networks. While the war between Russia and Ukraine and elections in NATO countries like Poland drive geopolitically focused DDoS attacks, it's important to understand that these threats were present long before these conflicts, and will be around long after. But why are these attacks against governmental institutions so prominent, and why do they impact all of us in the first place? 

That is partially because changes in political leadership often correlate directly with a spike in DDoS attacks. For example, in Poland, DDoS attack volume increased fourfold within days of its new government being sworn into office. These spikes often result from hacktivist groups (e.g., KillNet, Noname057, Anonymous Sudan) opposing the viewpoints of newly elected officials. They impact the rest of us because DDoS attacks must cross multiple Internet service providers (ISPs) to reach the intended victim. 

Unfortunately, even an attack that is effectively mitigated will use up valuable resources on any ISP network it reaches. We refer to this as the "DDoS tax," which increases the cost of network operation, making it more expensive for everyone. In fact, global ISPs reported a 500% global increase in HTTP/S application layer attacks since 2019, and 17% growth in DNS reflection/amplification volumes in the first half of 2023. Furthermore, it is alarming that carpet-bombing attacks, a technique that simultaneously targets entire IP address ranges, increased by 110% from the first to the second half of 2022, with most attacks occurring against ISP networks.

The bottom line is that there is no escape from DDoS attacks on governmental institutions, and threat intelligence needs to be taken more seriously because of how universal the threat can be when it comes to compromising global ISP networks and additional IT infrastructure. Therefore, it is key for governmental entities to suppress DDoS attacks before they can begin.

**Comprehensive and Adaptive Defenses for Evolving DDoS Attacks**

With nation-states, bad actors often directly target Internet infrastructure to take out critical communications, ecommerce, and other vital infrastructure dependent on Internet connectivity. That means attackers target ISP networks to purposefully degrade Internet connectivity. Further, these bad actors typically have vastly more resources at their disposal than other attackers. They constantly innovate and explore new and more powerful DDoS attack vectors, evidenced by the creation of new ones every year, such as DNS Water Torture and Carpet Bombing. All the while, as DDoS defenses become more effective, bad actors continue to sidestep these defenses with new DDoS attack vectors and methodologies. These advanced techniques invariably find their way into the hands of criminal gangs and even individual hackers, who turn them against any entity from whom they can profit.

With the increased persistence of cybercriminals and the growth in complexity of DDoS attacks, the foundation for a comprehensive DDoS protection solution should identify and stop all types of DDoS attacks before they impact the availability of business-critical services. With today's growing frequency and complexity of DDoS attacks, a multilayer defense strategy is now no longer nice to have, but a requirement. New techniques such as adaptive DDoS strategies, which change vectors based on the defense that is presented, reinforce the need for better agility and efficiency when it comes to managing these increasingly complex attacks.

In the end, threat actors will continue using DDoS attacks as a way to further disrupt and inflame sociopolitical tensions around the world. Security professionals need to consider both local and international conflicts when assessing the DDoS risk factors associated with nation-state attacks. The unfortunate reality is that bad actors continue to find new ways to orchestrate attacks through evolving methodologies. As such, global organizations and geopolitical entities must adopt new strategies right now, such as advanced DDoS defense and suppression, to combat this growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

**About the Author(s)**

Director, Security Solutions, Netscout

Gary is an industry veteran, bringing over 20 years of broad technology experience including routing and switching, wireless, mobility, collaboration, and cloud but always with a focus on security. His previous roles include solutions architect, security SME, sales engineering, consultancy, product management, IT and customer support. Prior to joining Netscout in 2012, he spent 12 years at Cisco Systems and held positions with Avaya and Cable & Wireless.

How Nation-State DDoS Attacks Impact Us All

A cheat sheet for all of the most common techniques hackers use, and general principles for stopping them.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Of the hundreds of documented MITRE ATT&CK techniques, two dominate the field: command and scripting interpreters (T1059) and phishing (T1566).

In a report published on April 10, D3 Security analyzed more than 75,000 recent cybersecurity incidents. Its goal was to determine which methods of attack were most common.

The results paint a stark picture: those two techniques outpaced all others by orders of magnitude, with the top technique outpacing the runner-up by a factor of three.

For defenders looking to allocate limited attention and resources, here are just some of the most common ATT&CK techniques, and how to defend against them.

**Execution: Command and Scripting Interpreter (Used in 52.22% of Attacks)**

What it is: Attackers write scripts in popular languages like PowerShell and Python for two primary purposes. Most commonly, they're used to automate malicious tasks such as harvesting data or downloading and extracting a payload. They're also useful for evading detection — bypassing antivirus solutions, extended detection and response (XDR), and the like.

That these scripts are far and away No. 1 on this list is extra surprising to Adrianna Chen, D3's vice president of product and service. "Since Command and Scripting Interpreter (T1059) falls under the Execution tactic, it is in the middle stage of the MITRE ATT&CK kill chain," she says. "So, it is fair to assume that other techniques from earlier tactics have already gone undetected by the time that it's detected by the EDR tool. Given that this one technique was so prominent in our data set, it underscores the importance of having processes to trace back to the origin of an incident."

How to defend against it: Because malicious scripts are diverse and multifaceted, dealing with them requires a thorough incident response plan that combines detection of potentially malicious behaviors with strict watch over privileges and script execution policies.

**Initial Access: Phishing (15.44%)**

What it is: Phishing and its subcategory, spear-phishing (T1566.001-004), are the first and third most common ways attackers gain access to targeted systems and networks. Using the first in general campaigns and the second when aiming for specific individuals or organizations, the goal is to coerce victims into divulging crucial information that will allow a foothold into sensitive accounts and devices.

How to defend against it: Even the smartest and most educated among us fall for sophisticated social engineering. Frequent education and awareness campaigns can go some ways toward protecting employees from themselves and the companies they provide a window into.

**Initial Access: Valid Accounts (3.47%)**

What it is: Often, successful phishing allows attackers access to legitimate accounts. These accounts provide keys to otherwise locked doors, and cover for their various misdeeds.

How to defend against it: When employees inevitably click on that malicious PDF or URL, robust multifactor authentication (MFA) can, if nothing else, act as more hoops for attackers to jump through. Anomaly detection tools can also help if, for example, a strange user connects from a faraway IP address, or simply does something they aren't expected to do.

**Credential Access: Brute Force (2.05%)**

What it is: A more popular option back in the olden days, brute force attacks have stuck around thanks to the ubiquity of weak, reused, and unchanged passwords. Here, attackers use scripts that automatically run through username and password combinations — such as in a dictionary attack — to gain access to desired accounts.

How to defend against it: No item on this list is as easily and wholly preventable as brute-force attacks. Using strong enough passwords fixes the problem on its own, full stop. Other little mechanisms, like locking out a user after repeated login attempts, also do the trick.

**Persistence: Account Manipulation (1.34%)**

What it is: Once an attacker has used phishing, brute force, or some other means to access a privileged account, they can then leverage that account to cement their position in a targeted system. For example, they can change the account's credentials to lock out its original owner, or possibly adjust permissions in order to access even more privileged resources than they already have.

How to defend against it: To mitigate the damage from an account compromise, D3 recommends organizations implement stringent restrictions for accessing sensitive resources, and follow the principle of least privileged access: granting no more than the minimum level of access necessary for any user to perform his or her job.

Besides that, it offers a number of recommendations that can apply to this and other MITRE techniques, including:

*   Maintaining vigilance through continuous monitoring of logs to detect and respond to any suspicious account activities
    
*   Operating under the assumption that the network has already been compromised and adopting proactive measures to mitigate potential damage
    
*   Streamlining response efforts by automating countermeasures upon detection of confirmed security breaches, ensuring swift and effective mitigation
    

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Top MITRE ATT&amp;CK Techniques and How to Defend Against Them

Google has integrated Mandiant's security offerings into its AI platform to detect, stop, and remediate cybersecurity attacks as quickly as possible.

Source: Klaus Ohlenschlaeger via Alamy Stock Photo

Gemini now has security capabilities: Google has integrated Mandiant's security offerings into its artificial intelligence (AI) platform, the company announced during its Google Cloud Next conference in Las Vegas.

The new capabilities are automated security agents that use generative AI to detect, stop, and remediate cybersecurity attacks as quickly as possible and to to analyze code to find security problems. The agents will assist security operations teams by increasing the speed of investigations.

"Security agents will help you in every stage of the security life cycle, from prevention, detection and response," said Google Cloud CEO Thomas Kurian during a keynote speech at the event.

The security offerings are built around Google's Gemini large language model, which is also being used to summarize documents and generate images. The new security features use generative AI to analyze code to find security problems. Security analysts can run deep queries to get to the root cause of problems and seek answers. The technology will also better explain findings so companies can take action to neutralize threats.

Google is betting its future on AI products such as Gemini, which it introduced earlier this year. Gemini is already being integrated into search and productivity applications. Mandiant's offerings include threat detection and security operations, and Gemini adds AI capabilities to cover detection, analysis, and prevention.

**Using AI to Understand Attacks**

One of the new products, Gemini in Threat Intelligence, uses natural language prompts to get deep insight about malicious behavior.

"We're able to take the experience and intelligence we gather from protecting Google's own services, combine it with Mandiant's leading, frontline insight from their work in incident response to show emerging threats, the severity, and risk factors," Kurian said.

The intelligent threat offers ties into the next product, Gemini in Security Operations, which relies on AI to improve the speed to address threats from malicious behavior. It can also be used to summarize and explain findings, recommend next steps, and put remediation playbooks in action.

Gemini can recommend actions based on factors such as detection rules, and provide recommendations for faster response times.

"Analysts can now ask Gemini for the latest threat intelligence from Mandiant directly in-line — including any indicators of compromise found in their environment — and Gemini will navigate users to the most relevant pages in the integrated platform for deeper investigation," Google wrote in a blog post.

The offering uses Gemini 1.5 Pro's AI capabilities to analyze large samples of potential malicious code or malware, the interaction between modules, and to reveal their true malicious intent, Kurian said.

The final product announced was Gemini in Security Command Center, which evaluates a security posture, provides findings, and summarizes attack paths, which helps companies remediate cloud risks.

"We've leveraged tremendous amounts of machine learning, precision AI, generative AI, to make sure our customers are able to detect, stop, and remediate all cybersecurity attacks as quickly as possible," Kurian said.

AI tools such as Gemini and OpenAI's ChatGPT are improving productivity, but hallucinations and other shortcomings are raising concerns about the technology being used irresponsibly. The White House late last month issued an executive order on responsible use and development of AI development, which also recommends monitoring AI systems to prevent misuse.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Google Gives Gemini a Security Boost

The device management company introduced a Fleet Hardening Score and Privilege Escalation (the good kind) to its endpoint security platform for Apple devices.

Source: baosheng feng via Alamy Stock Photo

Enterprise IT teams responsible for managing Macs and iOS devices are getting new compliance and security tools, device management company Jamf said during its Spring Event. A new capability in Jamf Connect allows the granting of temporary administrative privileges to a local Mac user. That activity data feeds Jamf Protect, which has added a compliance dashboard that presents overall fleet compliance and drills down to individual devices.

Jamf Connect creates a cloud-based identity for each user that, when authenticated, allows them to set up access to the tools and applications they need via VPN. The new feature, Privilege Escalation, temporarily grants end users elevated administrator privileges to perform tasks such as updating device drivers, installing printers, and adding software that's not managed by Self-Service. Once the time IT set for the escalated privileges expires, the user automatically defaults back to the standard user role.

Jamf has also added a compliance dashboard to Jamf Protect, which provides anti-malware tools, threat defense, and metrics for a fleet of macOS and iOS devices. From the dashboard, an administrator can view which devices fall out of compliance with guidelines; update any software, including the OS version, that needs it; and quarantine suspect files automatically. The new Fleet Hardening Score in Jamf Protect is an aggregate baseline score quantifying the organization's overall endpoint security posture. Administrators can drill down to individual devices to understand and remediate issues.

The integration between Jamf Connect and Jamf Protect provides administrators with detailed telemetry about the privileged tasks being performed on the device. Administrators can use the telemetry to audit endpoints and as part of intrusion detection and response.

Apple devices have long established their presence in business. Enterprise-level tools like Jamf's help ensure that those devices stay compliant with expectations for corporate standards in security.

**About the Author(s)**

New Jamf Tools Give Enterprise IT Security and Compliance Controls

Microsoft patched a record number of 147 new CVEs this month, though only three are rated "Critical."

Source: redbrickstock.com via Alamy Stock Photo

Microsoft outdid itself with this month's Patch Tuesday releases, which contain no zero-day patches, though at least one of the patches addresses a flaw already being actively exploited.

Products affected by the most recent Patch Tuesday updates include Windows and Windows Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot.

Microsoft's April update included 147 CVEs, three rated "Critical," 142 categorized as "Important," and two listed as "Moderate" in severity. That number swells to 155 CVEs if third-party flaws are included. The number represents a record high for Patch Tuesday fixes.

"Microsoft patched 147 CVEs in April, the largest number of CVEs patched in a month since we began tracking this data in 2017," Satnam Narang, senior staff researcher engineer at Tenable, said in a statement. "The last time there were over 100 CVEs patched was October 2023, when Microsoft addressed 103 CVEs." The previous high was in July 2023, with 130 CVEs patched, Narang added.

Microsoft did not indicate any of the April Patch Tuesday CVEs are zero-day threats, a welcome departure from last year's brisk clip of zero-day disclosures.

"This time last year, there were seven zero-day vulnerabilities exploited in the wild," Narang said. This year, there have only been two zero-days exploited and both were in February. "It's difficult to pinpoint why we've seen this decrease, whether it's just a lack of visibility or if it signifies a trend with attackers utilizing known vulnerabilities as part of their attacks on organizations."

However, Dustin Childs of the Zero Day Initiative noted in his April Microsoft Patch Tuesday analysis that his organization has evidence of a known exploited flaw in the list of this month's fixes.

**Patch Tuesday Fixes to Prioritize**

Childs pointed to the max-severity vulnerability in SmartScreen Prompt Security Feature Bypass (CVE-2024-29988) with a CVSS score of 8.8, which was discovered by ZDI but wasn't listed as exploited in Microsoft's Patch Tuesday update.

"However, the bug reported by ZDI threat hunter Peter Girrus was found in the wild," Childs added. "We have evidence this is being exploited in the wild, and I'm listing it as such."

Another max-severity bug impacting the Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2024-20678) was given a CVSS score of 8.8 and patched this month by Microsoft.

A spoofing vulnerability (CVE-2024-20670), listed as max-severity with a base CVSS of 8.1, was fixed in Outlook for Windows. And a Windows DNS Server Remote Code Execution, also listed as max-severity (CVE-2024-26221) with a CVSS score of 7.2, was patched as well.

**Microsoft SQL Gets Plenty of Patches**

Microsoft SQL Server vulnerabilities make up a large share of this month's Patch Tuesday fixes, according to Kev Breen, senior director threat research for Immersive Labs.

"While at first glance, it may appear that Microsoft has called out a large number of vulnerabilities in its latest notes, 40 of them are all related to the same product — Microsoft SQL Server," Breen said in a statement. "The main issue is with the Clients used to connect to an SQL server, not the server itself."

Breen went on to explain that all of these would require social engineering, making the SQL flaws difficult to exploit in any useful capacity.

"All the reported vulnerabilities follow a similar pattern: For an attacker to gain code execution, they must convince an authenticated user inside an organization to connect to a remote SQL server the attacker controls," Breen added. "While not impossible, this is unlikely to be exploited at scale by attackers."

Security teams concerned about these types of attacks should look for anomalous activity and block outbound connections except to trusted servers.

**Microsoft SmartScreen Prompt and Secure Boot Flaws**

Tenable's Narang noted this month's fix for the SmartScreen Prompt security feature bypass (CVE-2024-29988), with its CVSS score of 8.8, likewise relies on social engineering to make exploitation possible. A similar zero-day bug (CVE-2024-21412), discovered by the same researchers was used in a DarkGate campaign impersonating popular brands like Apple iTunes.

"Microsoft Defender SmartScreen is supposed to provide additional protections for end users against phishing and malicious websites," Narang said. "However, as the name implies, these flaws bypass these security features, which leads to end users being infected with malware."

Narang also suggested security teams take a look at the 24 Windows Secure Boot flaw fixes included in Microsoft's April Patch Tuesday release.

"The last time Microsoft patched a flaw in Windows Secure Boot (CVE-2023-24932) in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on Dark Web forums for $5,000," he said.

BlackLotus malware is able to block security protections while booting up.

"While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future," Narang stressed.

Microsoft Patch Tuesday Tsunami: No Zero-Days, but an Asterisk

PRESS RELEASE

SAN DIEGO, April 9, 2024/PRNewswire/ -- ESET, a global leader in digital security, is pleased to announce the introduction of ESET Small Business Security, which has been specifically designed to meet the cybersecurity needs of Small Office/Home Office business owners.

According to the Small Business Administration, out of the 33.3 million small businesses in the United States, over 27 million are managed solely by their owners and do not employ any additional personnel. Over 5 million small businesses have under 19 employees1. ESET's new comprehensive security solution is engineered to provide seamless, user-friendly protection, enabling these smaller SMBs to thrive in an increasingly digital landscape.

"This new offering is a testament to ESET's commitment to innovation and its dedication to supporting the growth and security of entrepreneurs, small businesses and home offices," said Brent McCarty, President of ESET North America. "Small businesses have long demanded the power of ESET in a right-sized offering. With this launch, we provide SOHO business owners with a simple yet powerful solution for their businesses that is easily manageable, highly reliable, and tailored to their needs, enabling them to focus on their growth without compromising on security."

The ESET Small Business Security solution supports up to 25 devices and offers an array of features tailored to safeguard online banking transactions and browsing, secure devices, manage passwords, protect Windows servers, encrypt sensitive data, guard against ransomware and counter phishing scams. Furthermore, the offering facilitates safe and anonymous browsing alongside unlimited VPN security where applicable, ensuring both work and personal devices are shielded from cyber threats. This new offering guarantees reliable security with a minimal system footprint, ensuring efficient protection across multiple operating systems, including Windows, Android, and macOS.

ESET Small Business Security includes ESET HOME, security management platform that enables users to have complete security management with information about security status, devices, subscriptions and features currently in use.

ESET HOME is available via a web portal and a mobile application, allowing users to have security of their devices under control anywhere they go.

For more detailed information about ESET Small Business Security, visit here.

About ESET  
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure, and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET's high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET's R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter (X).

ESET Launches a New Solution for Small Office/Home Office Businesses

PRESS RELEASE

WEST PALM BEACH, Fla., April 08, 2024 (GLOBE NEWSWIRE) -- Veriato released their next generation Insider Risk Management (IRM) solution, re-imagined from the ground up to deliver superior insider risk management and threat detection. With organizations of all sizes facing a more complex cybersecurity environment, Veriato IRM delivers unprecedented flexibility and scalability using the power of GenAI.

Veriato's IRM solution offers best-in-class technology for companies looking to improve their threat mitigation with AI enabled predictive analytics delivering better detection and predictability. According to IBM, the average cost of a single data breach has reached $4.45 million, a record high. Organizations need a holistic view of employee behavior to get ahead of threats and to reduce their exposure and costs. The new platform provides the agility and usability that make it a must-have in the fight against increasing insider threats. Features such as predictive risk intelligence, risk scoring, baselining and PII identification offer market-leading detection capabilities that are easy to deploy and manage.

Veriato IRM delivers:

*   Unparalleled risk detection capabilities with Generative AI.
    
*   Advanced behavior pattern identification across logon events, document activity, email activity, etc.
    
*   Complex dimensional analysis, including Risk Scoring.
    
*   Comprehensive language and sentiment analysis.
    
*   Automatic PII/PHI identification with RAG pre-trained models.
    
*   Flexible and scalable microservices architecture.
    
*   Multiple deployment options – cloud, on-premise, hybrid.
    

Veriato IRM is the product of close collaboration with Veriato’s global base of customers across a number of industries including financial services, healthcare and government. Designed with a deep understanding of today’s changing workforce and the technology and data needs of today’s modern organization, Veriato IRM is the most advanced and usable solution on the market today.

“Insider Risk Management has become essential for organizations committed to protecting customer data, IP and their employee bases now that the future of work is here. From board rooms to SMBs, IRM is at the top of security agendas. Applying behavioral analytics to cyber allows leaders to get ahead of breaches instead of just reacting to them when they occur,” said Elizabeth Harz, CEO of Veriato. “We are extremely excited to build upon our history as the category creator, and provide a new layer of control, transparency, confidence and perhaps most importantly, proactivity.”

About Veriato

Veriato is reinventing the category it created, using AI-based user behavior analytics to help companies prevent risks and increase productivity in their remote, hybrid and in-office environments. Veriato’s platform offers solutions for Insider Risk Management (IRM), behavioral analytics, user activity monitoring (UAM) and data loss prevention (DLP) in a single powerful platform. Veriato delivers monitoring, salient alerts, reporting and screenshots, allowing customers to be predictive and proactive rather than reactive, critical in cybersecurity. The platform helps global Enterprises, SMBs and Government entities become more engaged, productive and secure.

You May Also Like

Source

DARKReading