New capability streamlines automated testing of cybersecurity and anti-fraud features in android and iOS apps in virtual and cloud testing suites.

**REDWOOD CITY, Calif.****,** **May 23, 2023** **/PRNewswire/ --** Appdome, the mobile app economy's one and only Cyber Defense Automation platform, today announced Build-to-Test which enables mobile developers to streamline the testing of cybersecurity features in mobile apps.

The new capability allows Appdome-protected mobile apps to recognize when automated mobile app testing suites are in use and securely completed without interruption by a vendor, logging all security events for the developer to track and monitor. The Build-to-Test service is part of Appdome's Dev2Cyber initiative and will accelerate the delivery of secure mobile apps globally.

In continuous integration, continuous delivery (CI/CD) pipelines, mobile app quality assurance is done via automated testing services so the functionality of the mobile app can be validated across hundreds of real-world mobile devices and OS versions. However, automated testing services can also leverage methods and tools that violate cybersecurity policies or that cybersecurity professionals find problematic and dangerous such as emulators, virtualization, resigning, debugging, dual spaces, Magisk and more. Once protections are added to a mobile app, security features detect these methods and tools, and the resulting cyber defense may prevent testers from using parts of these testing services.

The new Build-to-Test option on Appdome extends Appdome's support for automated mobile app testing services and allows Appdome-protected mobile applications to recognize the testing vendor and securely complete testing runs without interruption.

"We've always supported automated testing," said Chris Roeckl, Chief Product Officer at Appdome. "Build-to-Test solves one of the last operational challenges of testing mobile applications at scale and maintains end-to-end security in the mobile DevSecOps pipeline."

Appdome-protected mobile apps have always been testable on devices made available through automated mobile application testing vendors. Advantages of the new Build-to-Test feature include:

*   Fully automated testing for Appdome-protected mobile apps;
*   Fully automated mobile app testing services to validate cyber defenses in Appdome protected mobile apps;
*   Reduced complexity when testing protected mobile apps in automated environments;
*   Eliminate the need to test protected and unprotected builds separately; and
*   Protect test builds with Appdome defenses to ensure improved DevSecOps compliance.

"Mobile developers want to test complete Android and iOS builds that include cyber and anti-fraud defenses," said Jamie Bertasi, Chief Customer Officer at Appdome. "Our goal is to remove every ounce of friction that stands in the way of protecting the mobile app economy."

Appdome's Built-to-Test option is available with Appdome-DEV and Appdome-SRM licenses and compatible with all major mobile app testing services including Microsoft App Center, Sauce Labs, BitBar, LambdaTest and BrowserStack to reduce time to market, improve app quality and increase pipeline efficiency.

For more information on how to use Appdome Build-to-Test, please see this knowledge base article.

**About Appdome** 

Appdome's mission is to protect every mobile app in the world and the people who use mobile apps in their lives and at work. Appdome provides the mobile industry's only mobile application Cyber Defense Automation platform, powered by a patented artiﬁcial-intelligence based coding engine, Threat-Events™ Threat-Aware UX/UI Control and ThreatScope™ Mobile XDR. Using Appdome, mobile brands eliminate complexity, save money, and deliver 300+ Certified Secure™ mobile app security, anti-malware, anti-fraud, mobile anti-bot, anti-cheat, MiTM attack prevention, code obfuscation and other protections in Android and iOS apps with ease, inside the mobile DevOps and CI/CD pipeline. Leading ﬁnancial, healthcare, government and m-commerce brands use Appdome to protect Android and iOS apps, mobile customers and mobile businesses globally. Appdome holds several patents including U.S. Patents 9,934,017 B2, 10,310,870 B2, 10,606,582 B2, 11,243,748 B2 and 11,294,663 B2. Additional patents pending.

Learn more at www.appdome.com.

SOURCE Appdome

Appdome Launches Build-to-Test, Automated Testing Option for Protected Mobile Apps

Attackers primarily target on-premises IT infrastructures.

**FRISCO, Texas****,** **May 23, 2023** **/PRNewswire/ --** Netwrix, a cybersecurity vendor that makes data security easy, today announced additional findings for the enterprise sector (organizations with more than 1,000 employees) from its annual global 2023 Hybrid Security Trends Report.

According to the survey, 65% of organizations in the enterprise sector suffered a cyberattack within the last 12 months, which is similar to the results among companies of all sizes (68%). The most common security incidents are also the same: phishing, ransomware and user account compromise.

However, larger organizations are a more frequent target for ransomware or other malware attacks: 48% of enterprises experienced this type of security incident on premises, compared to 37% among organizations of all sizes. Malware attacks are less common in the cloud: just 21% of respondents in the enterprise sector experienced one within the last 12 months.

"It is no surprise that the enterprise sector suffers malware attacks at a higher rate than smaller organizations. After all, ransomware operators want to maximize their profits, so they consider which organizations are most able to pay a ransom to reduce business downtime — and the larger an organization is, the costlier an operational disruption will be," says Dmitry Sotnikov, VP of Product Management at Netwrix. "On the other hand, larger organizations have more tools to spot the attack that might stay unnoticed for SMBs. In addition, enterprises have bigger infrastructure with more endpoints that statistically increases the chance of the security incident."

The enterprise sector also reports larger expenses as a result of cyberattacks than their smaller counterparts. Indeed, 28% of enterprises estimated their financial damage from cyberthreats to be $50,000 and higher, compared to just 16% among organizations overall.

"Smaller companies often underestimate their risk of attack, reasoning that cybercriminals tend to target enterprises because they store more intellectual property (IP) and other sensitive data. But our survey shows that organizations suffer cyberattacks with a similar frequency regardless of their size," says Dirk Schrader, VP of Security Research at Netwrix. "Every organization has valuable data, such as customer and employee information, and is therefore a target for attackers. What's more, SMBs are not only a target on their own but as a way into the larger enterprises that consume their services."

To learn more about how enterprises can overcome the ransomware challenge, visit the Netwrix ransomware protection page.

**About Netwrix**  

Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect, respond to and recover from attacks, limiting their impact. More than 13,000 organizations worldwide rely on Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors: data, identity and infrastructure.  

For more information, visit www.netwrix.com.

Netwrix Report: Enterprises Suffer More Ransomware and Other Malware Attacks Than Smaller Organizations

Security professionals warn that Google's new top-level domains, .zip and .mov, pose social engineering risks while providing little reason for their existence.

Two new top-level domain names — .zip and .mov — have caused concern among security researchers, who say they allow for the construction of malicious URLs that even tech-savvy users are likely to miss.

Google announced the domains in early May, kicking off a slow buildup of criticism from the security community as people became aware of the issues. In a widely circulated post on Medium, security researcher Bobby Rauch pointed to two seemingly identical URLs that appear to go to the same place — downloading a zip file from a GitHub repository — but by using unicode slashes, an "@" sign, and the .zip domain, a potentially malicious URL could instead redirect users to an attacker's website.

While a top-level domain (TLD) that mimics a file extension is only one component in the lookalike attack, the overall combination is much more effective with the .zip or .mov extension, says Tim Helming, security evangelist at DomainTools, a provider of domain-related threat intelligence.

"There's no question that phishing links that involve these TLDs can be used to lure unsuspecting users into accidentally downloading malware," he says. "Unlike other kinds of phishing URLs that are intended to lure the user to enter credentials into a phony login page, the lures with the .zip or .mov domains are more suited to drive-by download types of attacks."

In the three weeks since Google announced the new domains — along with .dad, .phd, and .foo — security researchers have pointed out the dangers of TLDs that match file extensions. On Tuesday, for example, Trend Micro became the latest security firm to warn users to fine-tune their ability to spot malicious links. In the advisory, the company pointed out that the Vidar info-stealer uses fake URLs to download a "Zoom.zip" file to the victim's computer — and that the .zip domain will make the attack much more effective.

Google did not answer questions about the tradeoffs between risk and utility for the new TLDs but did send a statement to Dark Reading, pointing to other confusing domains, such as 3M's command.com domain as a way of arguing that the issue is not novel.

"The risk of confusion between domain names and file names is not a new one," the company stated. "Applications have mitigations for this — such as Google Safe Browsing — and these mitigations will hold true for TLDs such as .zip. At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip."

Whether the new domains will make phishing better is still a question for some, but the risk of making more effective links seems to outweigh any benefit of the domains, says Erich Kron, security awareness advocate at phishing and security education firm KnowBe4.

"It's the 'why are we doing this?' that kind of gets me, and frankly, it's just a bad idea, right?" he says. "Bad actors have been using .zip files and compressed files to get people to download malware for eons, and then to make a top-level domain that the general public is going to associate with \[legitimate files\] ... we are really opening the doors to some some very easy trickery here."

**No Active Phishing Attacks so Far**

The domain names have already led to some mistakes, and not just on the part of humans. Some tools, such as Google's own malware identification service VirusTotal, are confusing filenames with the .zip extension with URLs with the .zip TLD, according to Johannes Ullrich, dean of research for education organization SANS Technology Institute. Ullrich is in the process of surveying existing .zip domains to see which are malicious.

He has found that evidence of in-the-wild campaigns is scant so far. "This opens up new avenues for more convincing phishing attacks," Ullrich said, with a caveat: "However, there are already many ways to create convincing phishing attacks, so the risk is more incremental."

The good news is that attackers have not yet picked up the technique en masse for real-world attacks, Trend Micro stated in its advisory.

"As of today, Trend Micro has not yet received URLs related to these new TLDs from internal and customer cases," the company stated. "However, we will continue to monitor any related URLs we come across and block them as needed in preparation for potential phishing campaigns."

At this point, the biggest "attack" so far involves "rickrolling" and parked domains, Ullrich says: At least 48 domains have been registered by people who then posted a video of singer Rick Astley and his song, "Never Gonna Give You Up."

**Awareness, Best Security Practices Remain Top Advice**

The creation of file-extension-lookalike domain names will likely lead Google and other browser makers to adopt warnings in their software, alerting users when a domain uses special unicode characters — such as two characters that appear to be slashes (/) — and which could be confused for legitimate URLs.

However, much will still rely on users, who should be careful about checking links, and companies, which can restrict new domain names until cybersecurity providers can assign them a reputation, DomainTools' Helming says.

"There are ways for very savvy users to spot these file paths visually," he adds, "but the most effective defenses are going to be a combination of efforts that include security control detections for things like those characters, risk scoring for newly created domains — in any TLD — and updated user awareness training."

_With reporting by Jaikumar Vijayan_

Google's .zip, .mov Domains Give Social Engineers a Shiny New Tool

A cybersecurity vulnerability found in an implementation of the social login functionality opens the door to account takeovers and more.

A vulnerability in the implementation of the Open Authorization (OAuth) standard that websites and applications use to connect to Facebook, Google, Apple, Twitter, and more could allow attackers to take over user accounts, access and/or leak sensitive information, and even commit financial fraud.

OAuth comes into play when a user logs in to a website and clicks on a link to log in with another social media account, such as "Log in with Facebook" or "Log in with Google" — a feature that many sites use to allow cross-platform authentication. A team from API security firm Salt Security's Salt Labs discovered the flaw, tracked as CVE-2023-28131, in the OAuth implementation in Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase.

Specifically, the flaw potentially could affect any users that use various and social media accounts to log into an online service that uses the framework, the researchers revealed in a blog post published May 24.

The vulnerability is the second — and more impactful — one that Salt researchers have found in an online platform's implementation of OAuth, which is proving to be a tricky standard to implement securely. In March, Salt discovered a flaw in Booking.com's implementation of OAuth that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

**Third-Party Risk With OAuth Implementation**

The flaw in Expo could have had a much wider impact than the Booking.com flaw, because of Expo's wide install base, Aviad Carmel, Salt security researcher, tells Dark Reading.

"Because this second OAuth vulnerability was discovered in a third-party framework used by hundreds of companies, the potential exposure was far greater," he says. "It could have impacted the OAuth implementations of hundreds of websites and apps."

Moreover, OAuth is becoming a de facto authentication standard in modern service-based architectures, as well as in emerging artificial intelligence (AI)-based platforms. This inherently means any vulnerabilities in OAuth implementations have a broad reach. In fact, in other research unveiled May 24, software-as-a-service (SaaS) security firm DoControl revealed that 24 percent of third-party AI apps require risky OAuth permissions.

Expo patched CVE-2023-28131 within hours after Salt researchers flagged the issue, and developers maintaining the platform recommended in a blog post detailing the flaw that customers update their Expo deployments to fully mitigate the risk.

However, the mounting list of OAuth vulnerabilities and the overall complexity of correctly configuring the standard that they highlight suggest that more websites and apps could have undiscovered flaws lurking beneath their surface.

The findings also demonstrate how enterprises are adversely and broadly affected when third-party frameworks introduce API vulnerabilities into their environment, often without them knowing. This puts customers at risk for credential leaks or account takeover, and gives threat actors a platform from which to launch further attacks, the researchers said.

**Exploiting the Expo Flaw**

When a user clicks on an OAuth-enabled link to log in to Site A with a social media account, Site A will then open a new window to Facebook, Google, or whatever trusted account is being used. If it's the user's first time visiting Site A, the social media page will ask for permission to share details with Site A. If the user has gone through the process before, the social media site will automatically authenticate the user to Site A.

Salt Labs researchers discovered CVE-2023-28131 in Codeacademy.com, an online platform that offers free coding classes across a dozen programming languages. Companies including Google, LinkedIn, Amazon, Spotify, and others use the site to help train employees, and the site has around 100 million users. The researchers ultimately exploited the flaw to gain complete control of Codeacademy.com accounts, they said.

The vulnerability in the OAuth implementation within Expo relates to the social sign-in process, Carmel tells Dark Reading. "When users sign in using their Facebook or Google credentials, Expo acts as an intermediary and transfers the user's credentials to the target website," he says.

Attackers could have exploited CVE-2023-28131 by intercepting this flow and manipulating Expo to send the user credentials to a malicious domain instead of the intended destination, Carmel explains.

This exploitation could have led to leaks of personal data or even financial fraud if attackers used credentials to log into users' financial accounts. Threat actors also could potentially have performed actions on behalf of users on their social media accounts, Carmel says.

**Why OAuth Is Tricky**

OAuth's popularity stems from how it can provide a much more seamless user experience for people when interacting with frequently used websites. However, it has a complex, technical back-end that can lead to implementation mistakes, creating security gaps that are ripe for exploitation, the researchers said.

To secure an OAuth implementation, then, an organization must understand how OAuth functions and which endpoints can receive user inputs, Carmel says.

"Attackers may attempt to manipulate these inputs, so validating each one is essential," he advises. "This can be achieved by maintaining a whitelist of predetermined values or implementing other strict validation methods."

Because of how complex OAuth implementations are proving to be, Salt Security plans to release a best-practice guide in the future to help enterprises security their OAuth implementations effectively, Carmel adds.

OAuth Flaw in Expo Platform Affects Hundreds of Third-Party Sites, Apps

Incident response playbooks and frameworks are leaving defenders ill-equipped to recover from the increasing number of successful cyberattacks. Developments in AI offer a new way for stretched teams to manage security incidents and heal swiftly.

The number of successful cyberattacks impacting organizations continues to increase, with recent high-profile breaches such as UK outsourcing firm and government contractor Capita incurring recovery costs of up to £20 million.

Generative AI is allowing attackers to innovate and escalate their approach. Darktrace researchers observed a 135% increase in "novel social engineering attacks" across thousands of active customers from January to February 2023 (based on the average change in email attacks detected across Darktrace customers' email deployments). With that in mind, organizations should focus more than ever on their cyber resilience — namely, their ability to withstand, adapt, and recover from cyberattacks that have achieved initial access. Yet the gap between the growing numbers of successful attacks and effective approaches to recovery continues to widen.

Within this context, security teams need help to prepare, recover, and adapt confidently to cyber incidents, and new developments in AI are offering promising signs that they can do so.

**Evaluating the Current Picture**

With a growing skills shortage in the industry, it has become more and more difficult for humans to keep up with incident management techniques and frameworks. Additionally, the costs associated with tabletop exercises, red/purple team activities, maintaining playbooks, and testing recovery stacks have become increasingly untenable.

Incident response playbooks outline the steps an organization should take to respond to and recover from a particular type of attack and are widely accepted as best practice. These are typically based on predefined, static views of an organization that quickly become outdated and are challenging to maintain and execute in a real-world incident.

Published frameworks are another standard part of the cyber resilience toolkit. These templates and flowcharts tend to lay out discrete linear processes — often lengthy steps designed to occur one after the other, with no concept of the frequent need to shift and adapt as new information arises. Dealing with the complexity gap between the necessarily concise framework and the variety and complexity of real incidents is left to human responders.

Similarly, tabletop exercises, in which stakeholders come together to test incident response plans, can be a useful way of developing experience in decision making. But they are time-intensive and will not test many of the technical tools and processes used in a real-world response.

**Moving From a Reactive to an Adaptive Approach**

Introducing self-learning artificial intelligence (AI) into incident management can allow teams to engage an incident in more detail and at an earlier stage than they currently can, minimizing disruption to the business.

One of the more challenging security tasks is dedicating time to continuously evaluate readiness to handle an incident, which could occur at any time. AI can add value here by combining a deep understanding of every internal asset and continuous evaluation of coverage and functionality of the recovery stack to assess: _How prepared are you for defeating a cyberattack?_

During an incident, especially if on a larger scale, AI-powered systems offer full visibility into the scope and details of the compromise, creating a more informed basis on which to manage it. By holding this complex understanding within the software, it can go further by automating much of recovery management. It can automatically adapt planned recovery steps to precise incident details. It can also prioritize assets for remediation based on its deep understanding of that asset's function and role within the incident and the business.

But AI assistance doesn't have to mean relinquishing human control. Rather, AI should augment human teams by presenting simple choices and recommendations based on real-time developments and simplify and automate technical steps where possible. Working together, AI can shorten the time-consuming recovery processes while providing human teams with relevant and timely context to support faster decision making when it counts.

Time savings from AI can extend to record keeping during and after the incident. By collecting forensic evidence automatically and keeping a record of all defensive actions taken, AI can create incident reports at any time. These reports enable teams to communicate clearly to stakeholders what has happened, what they've done about it, and what further actions they are planning to take.

Critically, incident management needs to interact with detection, immediate response, and preventative measures across the rest of the cybersecurity ecosystem. In a landscape where vendor consolidation is top of mind for CISOs and CFOs, incident recovery products that can integrate with these other capabilities provide a compelling case for a single dashboard approach to cyber resilience.

The reality is that cyber incidents are a question of _when_ and not _if_, so organizations that look to move beyond static incident playbooks and standard frameworks will remain ahead of the game. Leveraging AI and automation to deliver bespoke recovery plans that adapt in real time will allow these companies to achieve new levels of cyber resilience in a fast-moving threat landscape.

**About the Author**

    

Matt Bovbjerg joined Darktrace in 2015, specializing in strategic customer deployment architecture and operationalizing Darktrace within large security stacks, before becoming the Vice President of Integrations Architecture. Matt works closely with Darktrace R&D, Technology Alliance Partners, and customers to develop use case-driven third-party integrations, ensuring organizations get the most out of their security investments. Matt holds a Bachelor’s degree in Industrial and Operations Engineering from the University of Michigan.

How AI Can Help Organizations Adapt and Recover From Cyberattacks

By Owais Sultan
Memcyco Unveils Groundbreaking Solution to Combat Brandjacking in Real Time, Safeguarding Digital Trust and Reinforcing Brand Reputation.
This is a post from HackRead.com Read the original post: Memcyco Introduces Real-Time Solution to Combat Brandjacking

Memcyco, a pioneering cybersecurity firm, has introduced an innovative real-time website impersonation detection and prevention solution that is set to revolutionize the fight against brandjacking.

Brandjacking, a prevalent form of cyberattack, has inflicted substantial financial losses on consumers worldwide. Shockingly, in 2022 alone, imposter scams cost consumers a staggering $2.6 billion, according to (PDF) the U.S. FTC Consumer Sentinel Network’s data book.

The technique involves luring unsuspecting users to fraudulent copies of legitimate brand websites, where their personal and financial information is compromised, resulting in identity theft and financial fraud.

To counter these malicious assaults, Memcyco has developed an agentless Proof of Source Authenticity (PoSA™) technology, delivering unparalleled Zero Day protection and real-time detection capabilities. By identifying attacks at the point of impact, PoSA™ equips brands with comprehensive details of attempted attack sessions, ensuring complete visibility into the threat landscape.

Significantly, Memcyco’s groundbreaking solution is the first to issue a Red Alert to users navigating spoofed websites, warning them of potential dangers. Leveraging artificial intelligence, PoSA™ analyzes behavioural patterns to proactively identify and alert organizations of any irregular activities.

Additionally, PoSA™ integrates a unique digital watermark into a brand’s legitimate website, assuring customers of its authenticity. The watermark can be effortlessly incorporated into a website and personalized with users’ secret preferences, rendering it instantly recognizable and impossible to forge. This fosters a secure environment and cultivates a sense of trust and confidence among customers, promoting digital trust in brands.

By significantly minimizing the financial impact on both brands and their customers, Memcyco’s cutting-edge solution reduces the need for extensive user education efforts. This breakthrough technology effectively breaks the snowball effect that often deters users from interacting with digital properties, ultimately enhancing brand reputation and bolstering trust among end users.

Israel Mazin, CEO and co-founder of Memcyco expressed his enthusiasm for the groundbreaking solution, stating, “At Memcyco, we have introduced a new paradigm for preventing website impersonation by providing multiple layers of protection for companies and their customers. This investment from such experienced leaders in cybersecurity delivers a strong vote of confidence in Memcyco’s ability to deliver a more secure and trustworthy digital ecosystem.”

Memcyco’s remarkable progress in combating brandjacking has not gone unnoticed. The company recently concluded a successful $10 million seed round led by prominent investors Capri Ventures and Venture Guides.

“Almost everyone has been affected by a phishing-based brandjacking scam or knows someone who has,” said Alex Pinchev, Founder and Managing Partner at Capri Ventures. “Memcyco is the first company to offer a real-time solution to this problem, while existing approaches mostly operate after-the-fact, leaving organizations unaware of which users have fallen victim to such attacks.”

In conclusion, Memcyco’s groundbreaking real-time digital brandjacking protection solution is set to revolutionize cybersecurity and safeguard the integrity of online transactions.

**RELATED ARTICLES**

1.  4 Essential Facets of Brand Protection
2.  Brand Protection is Essential for Cybersecurity
3.  Fake branded shoe stores hacked with web skimmer
4.  42K phishing domains masquerading as popular brands
5.  Phishing: Microsoft, PayPal, Facebook most targeted brands

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Memcyco Introduces Real-Time Solution to Combat Brandjacking

Any new cybersecurity technology should be not just a neutral addition to a security stack but a benefit to the other technologies or people managing them.

The cybersecurity technology field is, shall we politely say, crowded. I recently returned from attending RSA, one of the biggest conferences in the industry. Trying to describe just how many new technologies and solutions I saw there feels a lot like trying to describe how big space is: Our brains can't actually process that kind of scale. 

I imagined being a chief information security officer (CISO) at this event, trying to make decisions on what products or technologies would solve their particular organization's security weaknesses. It was, in trying to maintain my earlier commitment to being polite, overwhelming. There _must_ be a better way to quickly figure out if a security technology is worth evaluating. 

This ecosystem we have found ourselves in, of slapping new technologies into our security stacks, isn't working. Security staffs everywhere are pulled too thin trying to manage every new technology, and threat actors are continuously breaking through our protection technologies. 

So, how do we break this cycle? When looking for security technologies, we start assessing how much value the technology provides — not just whether it can do what it promises to do, but also if it provides a net positive for the entire security stack and management teams. 

We are moving into a new era of cybersecurity, and every investment must be prudent. In order to make these decisions, companies must start asking some fundamental questions about these technologies in order to understand the true value — or cost — of a security solution. These questions of proactivity, intelligence, autonomy, scalability, and benefit to the stack as a whole can help you find the most value in every security technology.

Importantly, these questions can also help you evaluate your existing technologies, as you now know in real life how they are (or are not) serving your network and your teams. The answers might surprise you. 

**Question 1: Is the technology proactive or reactive? **

While almost any cybersecurity technology will be quick to use the word "proactive," we first should define what the term really means. A truly proactive technology is one sitting "left of boom," or, more simply, before a successful breach. Recently, almost all cybersecurity technology sits "right of boom," responding to and mitigating the effects of breaches that have already happened. 

In modern security frameworks and stacks such as MITRE/NIST/zero trust, often the only left-of-boom technology in place is the firewall/next-generation firewall (NGFW). These decades-old technologies have been tasked with more and more, and yet they remain standard. We have to help the rest of the security stack by investing in more proactive technologies. 

**Question 2: How much cyber intelligence can the technology leverage? **

It has become increasingly clear that the word of our time is "intelligence" — be it artificial, human, or, more in my world, cyber. The value of intelligence and data has never been higher, and this has proven especially true in the war against cybercriminals. 

The future is intelligence driven, and the more intelligence a cybersecurity technology can act on, the better. Any cybersecurity technology must be informed by as much cyber/threat intelligence as possible. Without the data to make informed decisions about enforcement, threat actors automatically have an upper hand. 

**Question 3: Is the technology (truly) autonomous? **

I cannot think of a cybersecurity technology that doesn't claim it is "autonomous." This has become so common in our industry that the word itself has almost lost meaning. However, with a cybersecurity staffing shortage that does not look to be going away any time soon, it's critical we evaluate what we mean by "autonomous" when thinking about a technology.

How many hours of an employee's day (on average) does this technology require? Does this technology require another full-time employee to manage the alerts or logs? Does this technology automatically update? (And what are the down times like for them?) The answers to these questions should be: zero, no, and yes. Anything else is not an autonomous technology. 

**Question 4: How does the technology scale? **

Threat actors have shown themselves to be nimble, inventive, and persistent in their attacks. The technologies we implement must be able to grow and adapt to these realities. Can they adapt to higher volumes, deeper obfuscations, and yet-unknown attack vectors? Knowing your technologies can grow with your network _and_ adapt to an ever-changing threat landscape is vital in any security technology investment. 

**Question 5: Can the technology work easily with existing technologies? **

One of the biggest drivers of cybersecurity professionals is what's known as "alert fatigue." This is caused by too many technologies that are extremely sensitive in finding threats or breaches, yet are unable to communicate with each other easily, throwing multiple alerts for the same malicious traffic. The cybersecurity teams are then forced to sift through multiple erroneous/duplicate alerts, and are more prone to errors due to the large volume of traffic networks are receiving day and night. Sadly, this is just one example of how multiple technologies that aren't sharing information can impact a network's cybersecurity posture. 

Any new cybersecurity technology you consider should be not just a neutral addition to the security stack, but rather a benefit to the other technologies or people managing them. Some questions to ask in this arena might be: Can it feed intelligence easily to other implemented technologies? Does it ease a pain point of another technology? Can it ingest information from other implemented technologies? 

Rarely will a technology be able to adequately answer for more than one of these questions. For instance, a technology might be able to use lots of intelligence but isn't proactive and needs constant monitoring by employees. These are the challenges security teams face every time they make a decision about a new or existing security technology, but figuring out how much value each technology adds — or doesn't — is the best start.

5 Questions to Ask When Evaluating a New Cybersecurity Technology

Categories: News
Categories: Ransomware
Tags: CISA

Tags:  StopRansomware

Tags:  guide

Tags:  ZTA

Tags:  compromised

Tags:  cloud

Tags:  MDR

CISA has updated its #StopRansomware guide to account for changes in ransomware tactics and techniques.



(Read more...)




The post CISA updates ransomware guidance appeared first on Malwarebytes Labs.

Posted: May 24, 2023 by

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its #StopRansomware guide to account for the fact that ransomware actors have accelerated their tactics and techniques since the original guide was released in September of 2020.

The #StopRansomware guide is set up as a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover from them, including step-by-step approaches to address potential attacks.

Specifically, the agency added:

*   Recommendations for preventing common initial infection vectors
*   Updated recommendations to address cloud backups and zero trust architecture (ZTA).
*   Threat hunting tips for detection and analysis of ransomware actors

Since the CISA list of recommendations is huge we will focus on the new points, with links to further Malwarebytes resources, and add our own set of recommendations at the end.

**Updated CISA guidance**

*   **Limit the use of RDP and other remote desktop services.** If RDP is necessary, apply best practices. Threat actors often gain initial access to a network through exposed and poorly secured remote services, and later traverse the network using the native Windows RDP client. Threat actors also often gain access by exploiting virtual private networks (VPNs) or using compromised credentials.
*   **Implement phishing-resistant multi-factor authentication (MFA) for all services,** particularly for email, VPNs, and accounts that access critical systems. Escalate to senior management upon discovery of systems that do not allow MFA, systems that do not enforce MFA, and any users who are not enrolled with MFA.
*   **Consider employing password-less MFA** that replace passwords with two or more verification factors (e.g., a fingerprint, facial recognition, device pin, or a cryptographic key).
*   **Consider subscribing to services** that monitor the dark web for compromised credentials.
*   **Create policies to include cybersecurity awareness training** about advanced forms of social engineering for personnel that have access to your network. Training should include tips on being able to recognize illegitimate websites and search results. It is also important to repeat security awareness training regularly to keep your staff informed and vigilant.
*   **Consider using a multi-cloud solution** to avoid vendor lock-in for cloud-to-cloud backups in case all accounts under the same vendor are impacted.
*   **Implement a zero trust architecture (ZTA) to prevent unauthorized access to data and services.** Make access control enforcement as granular as possible. ZTA assumes a network is compromised and provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per request access decisions in information systems and services.
*   **Employ logical or physical means of network segmentation by implementing ZTA** and separating various business units or departmental IT resources within your organization and maintain separation between IT and operational technology.

CISA consider the following to be advanced forms of social engineering:

*   Search Engine Optimization (SEO) poisoning.
*   Drive-by-downloads.
*   Malvertising.

For organizations that have their own threat hunters and do not use an external Managed Detection and Response (MDR) service, CISA added the following points for enterprise and cloud environments.

**For enterprise environments**

*   Newly created Active Directory accounts or accounts with escalated privileges, and recent activity related to privileged accounts such as Domain Admins.
*   Anomalous VPN device logins or other suspicious logins.
*   Endpoint modifications that may impair backups, shadow copy, disk journaling, or boot configurations. Look for anomalous usage of built-in Windows tools such as _bcdedit.exe, fsutil.exe_ (deletejournal), _vssadmin.exe, wbadmin.exe_, and _wmic.exe_ (shadowcopy or shadowstorage). Misuse of these tools is a common ransomware technique to inhibit system recovery.
*   Signs of the presence of Cobalt Strike beacon/client. Cobalt Strike is a commercial penetration testing software suite. Malicious actors often name Cobalt Strike Windows processes with the same names as legitimate Windows processes to obfuscate their presence and complicate investigations.
*   Signs of any unexpected usage of remote monitoring and management (RMM) software (including portable executables that are not installed). RMM software is commonly used by malicious actors to maintain persistence.
*   Any unexpected PowerShell execution or use of PsTools suite.
*   Signs of enumeration of AD and/or LSASS credentials being dumped (e.g., Mimikatz or _NTDSutil.exe_).
*   Signs of unexpected endpoint-to-endpoint (including servers) communications.
*   Potential signs of data being exfiltrated from the network. Common tools for data exfiltration include Rclone, Rsync, various web-based file storage services (also used by threat actors to implant malware/tools on the affected network), and FTP/SFTP.
*   Newly created services, unexpected scheduled tasks, unexpected software installed, etc.

****For cloud environments****

*   Enable tools to detect and prevent modifications to IAM, network security, and data protection resources.
*   Use automation to detect common issues (e.g., disabling features, introduction of new firewall rules) and take automated actions as soon as they occur. For example, if a new firewall rule is created that allows open traffic (0.0.0.0/0), an automated action can be taken to disable or delete this rule and send notifications to the user that created it as well as the security team for awareness. This will help avoid alert fatigue and allow security personnel to focus on critical issues.

**Malwarebytes’ tips to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

**ABOUT THE AUTHOR**

Pieter Arntz  
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

CISA updates ransomware guidance

Companies are starting to address the misuse of artificial intelligence (AI). At Google I/O, for example, executives promised its AI has safety measures.

GOOGLE I/O 2023, MOUNTAIN VIEW, CALIF. — Sandwiched between major announcements at Google I/O, company executives discussed guardrails to its new artificial intelligence (AI) products to ensure they are used responsibly and not misused. They included Google CEO Sundar Pichai, who noted some of the security concerns associated with advanced AI technologies coming out of the labs.

The spread of misinformation, deepfakes, and abusive text or imagery generated by AI would be hugely detrimental if Google were responsible for the model that created this content, said James Sanders, principal analyst at CCS Insight.

"Safety, in the context of AI, concerns the impact of artificial intelligence on society," he said. "Google's interests in responsible AI are motivated, at least in part, by reputation protection and discouraging intervention by regulators."

For example, Universal Translator is a video AI offshoot of Google Translate that can take footage of a person speaking and translate the speech into another language. The app could potentially expand the video's audience to include those who don't speak the original language.

But the technology could also erode trust in the source material, since the AI modifies the lip movement to make it seem as if the person were speaking in the translated language, said James Manyika, Google's senior vice president charged with responsible development of AI, who demonstrated the application on stage.

"There's an inherent tension here," Manyika said. "You can see how this can be incredibly beneficial, but some of the same underlying technology can be misused by bad actors to create deepfakes. We built the service around guardrails to help prevent misuse and to make it accessible only to authorized partners."

**Setting up Custom Guardrails**

Different companies have different approaches to AI guardrails. Google is focused on controlling the output generated by artificial intelligence tools and limiting who can actually use the technologies. Universal Translators are available to fewer than 10 partners, for example. ChatGPT has been programmed to say it can't answer certain types of questions if the question or answer could cause harm.

Nvidia has NeMo Guardrails, an open source tool to ensure responses fit within specific parameters. The technology also prevents the AI from hallucinating, the term for giving a confident response that is not justified by its training data. If the Nvidia program detects that the answer isn't relevant within specific parameters, it can decline to answer the question or send the information to another system to find more relevant answers.

Google shared its research on safeguards in its new PaLM-2 large-language model, which was also announced at Google I/O. That Palm-2 technical paper explains that there are some questions in certain categories the AI engine will not touch.

"Google relies on automated adversarial testing to identify and reduce these outputs. Google's Perspective API, created for this purpose, is used by academic researchers to test models from OpenAI and Anthropic, among others," CCS Insight's Sanders said.

**Kicking the Tires at DEF CON**

Manyika's comments fit into the narrative of responsible use of AI, which took on more urgency following concerns about bad actors misusing technologies like ChatGPT to craft phishing approaches or generate malicious code to break into systems.

AI was already being used for deepfake videos and voices. AI company Graphika, which counts the Department of Defense as a client, recently identified instances of AI-generated footage in use to influence public opinion.

"We believe the use of commercially available AI products will allow IO actors to create increasingly high-quality deceptive content at greater scale and speed," the Graphika team wrote in its deepfakes report.

The White House has chimed in with a call for guardrails to mitigate misuse of AI technology. Earlier this month, the Biden administration secured the commitment of companies including Google, Microsoft, Nvidia, OpenAI, and Stability AI to allow participants to publicly evaluate their AI systems during DEF CON 31, which will be held in August in Las Vegas. The models will be red-teamed using an evaluation platform developed by Scale AI.

"This independent exercise will provide critical information to researchers and the public about the impacts of these models, and will enable AI companies and developers to take steps to fix issues found in those models," the White House statement said.

Google Adds Guardrails to Keep AI in Check

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.19 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-2498: Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Wordfence Intelligence

Tag

#intel