Large language models require rethinking how to bake security into the software development process earlier.

Large language models require rethinking how to bake security into the software development process earlier.

Source: Chroma Craft Media Group via Alamy Stock Photo

Question: What do we really know about large language model (LLM) security? And are we willingly opening the front door to chaos by using LLMs in business?

Rob Gurzeev, CEO, CyCognito: Picture it: Your engineering team is harnessing the immense capabilities of LLMs to "write code" and rapidly develop an application. It's a game-changer for your businesses; development speeds are now orders of magnitude faster. You've shaved 30% off time-to-market. It's win-win — for your org, your stakeholders, your end users.

Six months later, your application is reported to leak customer data; it has been jailbroken and its code manipulated. You're now facing SEC violations and the threat of customers walking away.

Efficiency gains are enticing, but the risks cannot be ignored. While we have well-established standards for security in traditional software development, LLMs are black boxes that require rethinking how we bake in security.

**New Kinds of Security Risks for LLMs**

LLMs are rife with unknown risks and prone to attacks previously unseen in traditional software development.

*   Prompt injection attacks involve manipulating the model to generate unintended or harmful responses. Here, the attacker strategically formulates prompts to deceive the LLM, potentially bypassing security measures or ethical constraints put in place to ensure responsible use of the artificial intelligence (AI). As a result, the LLM's responses can deviate significantly from the intended or expected behavior, posing serious risks to privacy, security, and the reliability of AI-driven applications.
    
*   Insecure output handling arises when the output generated by an LLM or similar AI system is accepted and incorporated into a software application or Web service without undergoing adequate scrutiny or validation. This can expose back-end systems to vulnerabilities, such as cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), privilege escalation, and remote code execution (RCE).
    
*   Training data poisoning occurs when the data used to train an LLM is deliberately manipulated or contaminated with malicious or biased information. The process of training data poisoning typically involves the injection of deceptive, misleading, or harmful data points into the training dataset. These manipulated data instances are strategically chosen to exploit vulnerabilities in the model's learning algorithms or to instill biases that may lead to undesired outcomes in the model's predictions and responses.
    

**A Blueprint for Protection and Control of LLM Applications**

While some of this is new territory, there are best practices you can implement to limit exposure.

*   Input sanitization involves, as the name suggestion, the sanitization of inputs to prevent unauthorized actions and data requests initiated by malicious prompts. The first step is input validation to ensure input adheres to expected formats and data types. The next is input sanitization, where potentially harmful characters or code are removed or encoded to thwart attacks. Other tactics include whitelists of approved content, blacklists of forbidden content, parameterized queries for database interactions, content security policies, regular expressions, logging, and continuous monitoring, as well as security updates and testing.
    
*   Output scrutiny is the rigorous handling and evaluation of the output generated by the LLM to mitigate vulnerabilities, like XSS, CSRF, and RCE. The process begins by validating and filtering the LLM's responses before accepting them for presentation or further processing. It incorporates techniques such as content validation, output encoding, and output escaping, all of which aim to identify and neutralize potential security risks in the generated content.
    
*   Safeguarding training data is essential to prevent training data poisoning. This involves enforcing strict access controls, employing encryption for data protection, maintaining data backups and version control, implementing data validation and anonymization, establishing comprehensive logging and monitoring, conducting regular audits, and providing employee training on data security. It's also important to verify the reliability of data sources and ensure secure storage and transmission practices.
    
*   Enforcing strict sandboxing policies and access controls can also help mitigate the risk of SSRF exploits in LLM operations. Techniques that can be applied here include sandbox isolation, access controls, whitelisting and/or blacklisting, request validation, network segmentation, content-type validation, and content inspection. Regular updates, comprehensive logging, and employee training are also key.
    
*   Continuous monitoring and content filtering can be integrated into the LLM's processing pipeline to detect and prevent harmful or inappropriate content, using keyword-based filtering, contextual analysis, machine-learning models, and customizable filters. Ethical guidelines and human moderation play key roles in maintaining responsible content generation, while continuous real-time monitoring, user feedback loops, and transparency ensure that any deviations from desired behavior are promptly addressed.
    

**About the Author(s)**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

You May Also Like

How Do We Integrate LLMs Security Into Application Development?

By Owais Sultan
If used correctly, social media can not only provide businesses with a fantastic (generally free) chance to market…
This is a post from HackRead.com Read the original post: How your business should deal with negative feedback on social media

If used correctly, social media can not only provide businesses with a fantastic (generally free) chance to market their product or services but also, just as importantly, allow them to engage with customers. However, as anyone with any experience on social media will testify, not all the interactions to be had are positive ones.

In this article, limited company formation specialists 1st Formations (who you will find on all major social media platforms) provide a roadmap for how your business should handle any negative feedback that you receive on social media. Let’s get started.

You can’t deal with negative feedback or comments about your business if you don’t see what’s being said. You need to be diligent in ensuring that you catch everything.

Whilst the platforms’ in-built alerts are relatively reliable, it’s still easy to miss important comments, or simply lose track of what’s being said. To ensure that you see everything, use your social media management system (if you’re not yet using one, you really should be) to track all the words and phrases connected to your brand, even if they’re not officially used by you.

This way, if everything has been set up correctly, you will be notified immediately whenever your name is mentioned. This will allow you to keep on top of any discussions that are happening.

Furthermore, you should also set up Google Alerts to cover the feedback that is being shared away from social media on forums and other web pages.

****Deal with the feedback quickly****

Your time is of course precious, and social media activity won’t always be at the top of your to-do list. However, when negative feedback does come through, whether this is a tweet or a comment on Instagram or YouTube, you must respond as soon as you can (within business hours) to prevent the issue from escalating.

If there is a specific issue, rather than a piece of fleeting feedback that you can address there and then, this does not mean that you need to fix the problem immediately. Request all the information that you need (if it’s an existing customer, we’re talking name, order reference, and contact information), and clearly state that you’re looking into the matter and will get back to them shortly.

Providing an exact timeframe in which you will be back in touch is a good idea, but make sure that the deadline you set yourself is realistic, as the customer chasing you down for an update could cause further damage.

Then, when you do get a chance, work with your team and the individuals involved to reach a satisfactory resolution. Hopefully, this isn’t a drawn-out process, but when it is a complicated matter, make sure you provide the individual with regular updates, being sure to thank them for their understanding.

****Take it offline****

The ideal scenario is to take the issue away from public view as soon as possible. At the same time as requesting the information you need to investigate any issue, explain to the individual that you will be in contact with them through email or if convenient, telephone.

This is a genuinely more efficient approach to resolving any issues, rather than the stagnated back and forth that social media provides, and makes sure that the situation isn’t played out in a public forum where reputational damage can be made.

This will not always be convenient for the person you are engaging with. They will generally understand that you will want to tackle the situation in private. When this occurs, simply explain how corresponding away from the social media platform will help resolve the issue quicker. This won’t always work but you must try.

****Remain professional at all times****

Ryanair is perhaps the well-known purveyor of the snarky social media response to less-than-happy customers. This approach works well for them because they’re a household name and it’s very much ‘on-brand’. However, this stance is probably not appropriate for you and your business.

> you may only look out of one https://t.co/goZsZ9zkqb
> 
> — Ryanair (@Ryanair) April 2, 2024

When less than positive comments are made, you must remain professional. Under no circumstances should you partake in an online argument with anyone – even if what they say is wholly incorrect and paints your operation poorly.

Take on an apologetic tone, even if you are in the right. Thank them for the feedback, ask what a satisfactory resolution for them would be, and then do what you can, within your protocols (don’t deviate from these just because it’s on social media) to fix any issues that have arisen.

State your case, if a problem has occurred because the customer has misunderstood something or has not provided the correct information required for their order to be processed, explain this – but again, in a professional manner.

****Know when enough is enough****

When negative feedback oversteps the mark and turns into harassment, you should take necessary action. Certain behaviours do not become acceptable just because it’s aimed at a business account rather than a personal account.

If you are being targeted, you should publicly state your business’s policies regarding harassment. If the abuse continues, you should ignore the comments (admittedly this is easier said than done) and then consider muting or blocking the account in question.

If it continues, you should report the user to the social platform, and if the abuse is extreme, also to the police.

****Try to stay calm****

Anyone who has managed social media activity for business purposes will confirm just how easy it is to take negative feedback personally. Regardless of who is right and who is wrong, it is an upsetting experience. This feeling is magnified if the business that is being criticised is your own, as it does feel personal.

This is completely understandable. Nonetheless, this should not seep into how you deal with the feedback. If you are emotionally affected by what is being said, take the necessary mindful steps to calm and relax yourself, but do not allow this to cloud how the issue is dealt with.

As we stressed above, you must remain polite and professional. If you feel that you are unable to do this, move away from the situation for some time or see if there is someone else on your team who can work to resolve the problem accordingly.

****Listen to the feedback****

No business is perfect. Rather than baulk at the idea of negative feedback coming your way, always try to see these as an opportunity to fix issues and ultimately improve your business.

Once a specific issue has been resolved, do what you can to make sure that it doesn’t happen again. In customer-facing roles, it can be easy to lose empathy for the customer, and simply assume every problem is because of a misunderstanding or basic error on their part. It’s their problem, not yours. This is a big mistake.

Your business must have a joined-up approach. If you have a large team, when situations do occur, ensure that these are shared with all the appropriate people so that permanent fixes can be reached.

****Remember, it’s a branding exercise****

Every interaction you have online is a chance to demonstrate to customers and potential customers just how great your brand is, and how much you appreciate your customers.

When a piece of customer feedback has led to an update in how your service is delivered, shout about this. Publicly thank the customer in question, send them a gift, and ask other customers for their feedback and improvement suggestions.

One of the major benefits of using social media for business is that it allows you to project your brand’s personality. This is done through the tone of voice that you use, the content you share, and more so than anything – the interactions that you have with people.

Whilst negative feedback might not be at the top of your list when it comes to the type of engagement you have, it does provide you with the perfect opportunity to change someone’s impression of you. When handled correctly, even the most scathing reviews can be used to your business’s advantage.

****So, there you have it** **

That’s how your business should deal with negative feedback on social media.

Whilst you’ll never be able to stop these comments coming in (without ceasing all social media activity, which is not advisable for a small business), follow the advice covered in this article to ensure feedback is dealt with in a way that protects your business’s reputation and even enhances it. Thanks for reading.

How your business should deal with negative feedback on social media

By Uzair Amir
The partnership will bring millions of players into the Immutable web3 ecosystem while providing GAM3S.GG with the leading web3 gaming platform on the market.
This is a post from HackRead.com Read the original post: GAM3S.GG and Immutable Announce Partnership for Web3 Gaming Expansion

GAM3S.GG, a web3 gaming onboarding and news platform that aims to bring over 100 million players to web3, and Immutable, the leading web3 gaming platform, today announced a strategic partnership that will bring key Immutable functionality to GAM3S.GG users and introduce millions of players to the Immutable ecosystem via GAM3S.GG’s growing community. 

Notably, the partnership will incorporate multiple GAM3S.GG and Immutable zkEVM platform features, including the integration of Immutable Passport and Immutable Checkout, which will provide a streamlined onboarding and purchasing experience.

Additionally, GAM3S.GG will fund exclusive rewards and questing services to games that are building on Immutable zkEVM, while the integration of the $G3 token on Immutable zkEVM will provide even more choice and utility for gamers and games. 

“It’s been clear to our team since we first started working with GAM3S.GG that we share the same goal – to spearhead the onboarding of millions of gamers into a premiere web3 ecosystem,” said Robbie Ferguson, CEO of Immutable. “We’ve worked closely with them on some of our most popular titles, and now will work together with their team to create the best shared web3 gaming ecosystem in the industry.”

Collaborative efforts between the two companies are already underway. Earlier this year, Immutable and GAM3S.GG launched exclusive quests, community tournaments and in-game content for _Blast Royale_ and _MetalCore_, helping drive player growth and anticipation for both titles. 

“It’s clear that web3 gaming is poised to explode, and we plan to drive this explosion alongside Immutable as a key partner,” said Omar Ghanem, CEO of GAM3S.GG. “We’re incredibly excited to combine our rapidly growing web3 gaming community with the full power of the Immutable ecosystem to bring millions of gamers into the fold and drive the next evolution of the entire games industry.”

Immutable and GAM3S.GG plans to announce future integrations and exclusive content in the coming months, with key support for the launch of several industry-firsts for web3 gaming.

****About GAM3S.GG****

GAM3S.GG is a web3 gaming super app with over 500,000+ registered users that curates and creates content to spotlight the top games and showcase reviews, guides, news, quests, annual awards, and more. Its vision is to become the one-stop-shop for web3 gaming to help onboard millions of gamers, allowing them to engage with blockchain-powered games in unprecedented ways and becoming the ultimate bookmark on every gamer’s device.

GAM3S.GG has built the #1 web3 gaming discovery platform over the past 2 years and is backed by prominent investors such as Mechanism Capital, Polygon Ventures, Merit Circle, Hyperithm, LD Capital, ROK Capital, ArkStream Capital, Double Peak, WWVentures and more.

****About Immutable****

Immutable is a global leader in gaming on a mission to bring digital ownership to every player by making it safe and easy to build great games with blockchain technology. Co-founded by James Ferguson, Robbie Ferguson and Alex Connolly in 2018, Immutable is headquartered in Sydney with a 250+ team, and backed by top transformational tech investors like Temasek, Tencent, Coinbase, BITKRAFT Ventures, King River Capital, Galaxy Interactive and more.  

The Immutable gaming platform makes it easy for game studios and independent developers to safely and confidently build and launch successful games on Ethereum. The product suite includes pre-built solutions, optimised for usability, that help developers get to market faster without sacrificing security or player experience. Builders get personalised web3 guidance, live support for their communities, and access to the largest ecosystem in gaming.

Immutable was the first gaming platform to deliver a zero-knowledge (zk) scaling solution to the Ethereum community and provides developers with multiple zk-based scaling options, including Immutable X, a rollup based on StarkWare technology, and Immutable zkEVM, powered by Polygon.

Immutable Games is a global leader in web3 game development and publishing, backed by a world-class team who have a proven track record of bringing games to millions of players. The studio pioneered the world’s first blockbuster NFT trading-card game Gods Unchained and is currently building the highly anticipated mobile RPG Guild of Guardians.

Alongside its high-quality titles, Immutable Games partners with third-party game developers to provide them with best-in-class strategy and execution expertise to ensure the success of every web3 game deployed within the Immutable ecosystem.

1.  Wilder World Launches The First ‘GTA of Web3’ Game
2.  What is Blockchain Gaming and its Play-to-Earn Model?
3.  Exploring Data Privacy and Security in B2B Gaming Data
4.  Gomble Games Secures $10M Funding for Web3 Gaming
5.  The Rise of Blockchain Gaming and Secure Marketplaces

GAM3S.GG and Immutable Announce Partnership for Web3 Gaming Expansion

By Owais Sultan
Institutions, dApps and users on Flare will now benefit from Hypernative’s industry-leading ecosystem-wide protection suite. 
This is a post from HackRead.com Read the original post: Web3 Security Specialist Hypernative To Provide Proactive Protection To The Flare Ecosystem

Flare is pleased to announce the onboarding of Hypernative, an industry leader in proactive institutional grade Web3 security. The Hypernative platform will protect Flare ecosystem participants against zero-day cyberattacks, alerting the network ahead of emerging risks to digital assets, protocol/dApp vulnerabilities, and evolving threats to web3 users. 

Web3 attacks are becoming more sophisticated and are originating from a broader base of exploit vectors. As the industry continues to grow, it becomes a larger target for bad actors across the globe. By teaming up with an established leader in web3 security, Flare is increasing safety and protection for all users, dApps and institutions in the Flare ecosystem.

The Hypernative platform has developed cutting-edge technology designed to stay several steps ahead of web3 exploits, continuously looking for weaknesses across assets, protocols, and applications. As of today, the platform has detected over 270 exploits that could have potentially cost $14 Billion in damages. A leader in the field, Hypernative serves some of the largest web3 ecosystems in the industry, totalling $37 Billion in total value monitored.

The Hypernative architecture is unique in the web3 space. It can provide “always-on” monitoring of various activities including on-chain, governance, financial, and security-based. It was designed to preemptively detect many risks and attacks before the impact is felt, allowing clients to take action and mitigate any losses. 

To date, over 764K risks have been detected across 1443 protocols that are constantly monitored. Because of the high volume, Hypernative focuses on critical insights, alerts, and recommended actions to avoid false positives (but without compromising via false negatives).

The system is easily integrated across all web3 platforms, complete with API data, alerts, and customization options. This type of security is especially important for those web3 institution groups with heavy financial activity, such as DeFi. These types of platforms are targeted due to the financial opportunities and therefore will benefit from the increased and proactive protection provided by Hypernative. 

Hugo Philion, Co-founder of Flare & CEO of Flare Labs, commented, “Flare has been architected with enshrined oracles to support high transaction value use cases, including DeFi and AI. Hypernative’s monitoring on Flare will help provide applications and their users with an additional layer of defence against potential exploits. We aim to provide the highest level of security possible, so institutions, builders and community members have the confidence to engage with decentralized applications on the network.”

Flare is an EVM smart contract platform optimized for decentralized data acquisition. With a set of integrated oracles secured at the network layer, Flare offers developers secure, low-cost access to a broad range of price and state data for their dApps. As an EVM-based platform, any Solidity-coded applications can be launched and run on the network.

“There is a dawning realization that web3 needs a new security standard that goes beyond audits and bounties,” said Gal Sagie, co-founder and CEO of Hypernative. “It’s encouraging to see leading protocols like Flare take a global approach to security and implement active strategies that protect their entire ecosystem.”

As web3 smart contracts get more and more complex, the intelligence needed to protect them must continuously improve as well. Because of Hypernative’s strong record of protecting some of blockchain’s most advanced platforms, the tools it has developed are not only industrial strength, they are battle-hardened. Hypernative will be instrumental in protecting the over 290 projects built on Flare with real-time, proactive warnings designed to prevent and minimize the potential damage created from even sophisticated attacks.

Along with access to the platform and assistance in setting up their alert configuration, Flare projects will be able to see the monitoring and prevention flows, receive alerts and actions needed, and receive assistance from Hypernative in the event there is an attack.

****About Hypernative** **

Hypernative stops zero-day cyber-attacks, and economic risks, detects on-chain anomalies, and protects digital assets, protocols, and web3 applications from significant losses or threats.  The platform monitors on and off-chain data sources using proprietary machine learning models to accurately predict cyber, economic, and governance threats before they happen and connect these to automated playbooks to prevent and mitigate risks in real time.

****About Flare****

Flare is the blockchain for data: an EVM smart contract platform specifically designed to support data-intensive use cases, including Machine Learning/AI, RWA tokenization, gaming and social. With decentralized, enshrined oracles secured at the network layer, Flare is the only smart contract platform optimized for decentralized data acquisition – price & time series data, blockchain event & state data, and web2 API data.

By giving developers trustless access to the broadest range of data and data proofs at scale and for minimal cost, Flare expands the utility of blockchain and supports the development of new and improved use cases.

1.  5 Ways Smart Contracts Are Making A Real-World Difference
2.  Owning Versus Renting – The Circumstances of Web3 Domains
3.  GoPlus Security Raises $4 Million to Enhance Web3 User Protection
4.  Synthetic Solutions: Redefining Cybersecurity with Data Generation
5.  Blockchain Networks Use API Security Data to Mitigate Web3 Threats

Web3 Security Specialist Hypernative To Provide Proactive Protection To The Flare Ecosystem

Latest campaign underscores wide-ranging functionality and staying power of a decade-old piece of information-stealing malware.

Source: David Chapman via Alamy

More than 11,000 Australian companies were targeted in a recent wave of cyberattacks that rely on an aging but still dangerous malware strain dubbed Agent Tesla.

Prospective victims were bombarded by booby-trapped emails with lures about purchasing goods and order delivery inquiries that came with a malicious attachment. Victims who were tricked into opening the attachment exposed their Windows PCs to Agent Tesla infections.

Agent Tesla is a remote access Trojan (RAT) that first surfaced in 2014. The malware is widely distributed and frequently used by a variety of threat actors, including cybercriminals and spies, according to researchers at Check Point Software.

Alexander Chailytko, cybersecurity, research, and innovation manager at Check Point, says threat actors have "developed a level of trust" in Agent Tesla's capabilities.

"Its reliability, coupled with its diverse range of functionalities for data exfiltration and information theft, makes it a preferred choice among cybercriminals," Chailytko explains.

The malware offers a range of data exfiltration methods and stealing capabilities that target the most commonly used software, ranging from browsers to FTP clients. Recent updates to the malware offer tighter integration with platforms such as Telegram and Discord, which makes it easier for crooks to run hacking campaigns.

Agent Tesla was in the news last year, when cybercriminals exploited a 6-year-old Microsoft Office remote execution flaw to sling Agent Tesla.

**Anatomy of an Agent Tesla Hack**

An analysis by security researchers from Check Point published in a blog post this week offered one of the most detailed inspections of the methodology of an Agent Tesla-based phishing campaign to date. Their work offers a postmortem on a high-volume series of attacks launched in November 2023 against mostly Australian and American targets.

Check Point said a threat actor dubbed "Bignosa" first installed Plesk (for hosting) and Round Cube (email client) onto a hosted server. The attackers then disguised the Agent Tesla payload using a package called Cassandra Protector that hid the malicious code and controlled its delivery.

Cassandra Protector bundles a variety of options that allow cybercriminals to configure sleep time before execution. Among other functions, it controls the text in the fake dialogue box that appears when victims open a malicious file.

Once Agent Tesla was "protected" this way, Bignosa converted the malicious .NET code into an ISO file with a ".img" extension before attaching the resulting file to the spam emails.

Next, Bignosa connected to the newly configured machine via a remote access network protocol connection, created an email address, logged in to webmail, and launched the spam run using a pre-prepared target list. According to Check Point, "a few successful infections" hit Australia in a first wave of the attack.

**Down Under**

The threat actors behind the Agent Tesla malware campaign were primarily targeting Australian businesses, as shown by the presence of a mailing list file named "AU B2B Lead.txt" on their machines.

"This suggests a deliberate effort to compile and target email addresses linked to Australian business entities, potentially for the purpose of infiltrating corporate networks with the goal of extracting valuable information for financial exploitation," Check Point's Chailytko says.

Bignosa also worked with another more proficient cybercriminal, who immodestly goes by "Gods," in a campaign to hack into Australian and US-based businesses, the researchers found.

Gods offered advice to Bignosa on the content of malicious spam text, according to Jabber chat logs uncovered by the security researchers.

Like with other cybercriminals, the duo struggled with elements of their cybercrime campaign, according to evidence uncovered by Check Point.

In multiple instances, Bignosa wasn't able to clean his machine from the Agent Tesla test infections, so the hapless hacker had to call on remote access from Gods for assistance.

Check Point said it believes that Bignosa is Kenyan and Gods is a Nigerian with a day job as a Web developer.

**How to Block Agent Tesla Infections**

The Agent Tesla-based spear-phishing campaign highlighted by Check Point underscores the still-prevalent threat posed by the mature malware.

Businesses should maintain up-to-date operating systems and applications by promptly installing patches and utilizing other security measures. Commercial spam filtering and blocklist tools can help minimize the volume of junk traffic that appears in user inboxes, according to Check Point.

Even so, end users must exercise caution when encountering unexpected emails containing links, particularly from unfamiliar senders. According to Check Point, that's where regular employee training and education programs can bolster cybersecurity awareness.

**About the Author(s)**

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Thousands of Australian Businesses Targeted With 'Reliable' Agent Tesla RAT

By Waqas
Another day, another malware threat!
This is a post from HackRead.com Read the original post: New Latrodectus Downloader Malware Linked to IcedID and Qbot Creators

Image credit: Hackread.com

A new malware threat named Latrodectus has emerged, bypassing detection methods and linked to the developers behind IcedID. This downloader malware empowers cybercriminals (including infamous actors like TA577 and TA588) to breach systems and deploy various malicious payloads.

Cybersecurity researchers at Proofpoint have identified a new malware threat dubbed “Latrodectus.” First observed in November 2023, Latrodectus is a downloader malware used by cybercriminals to gain initial access to victim systems and deploy further malicious payloads.

This malware poses a major threat due to its ability to evade detection techniques commonly employed in sandboxes, which are security environments used to analyze suspicious code.

****Latrodectus: A New Player with Familiar Traits****

Initial analysis suggested Latrodectus might be a variant of the notorious IcedID malware. However, further investigation revealed it to be an entirely new strain, likely created by the same developers behind IcedID. This connection is supported by shared infrastructure and code characteristics.

****Initial Access Brokers Leverage Latrodectus****

Proofpoint report shared with Hackread.com on Thursday 04, 2024 ahead of publication on Tuesday attributes Latrodectus to two specific threat actors: TA577 and TA578. It is worth mentioning that TA578 is known for delivering malware threats like BazaLoader, Cobalt Strike, Ursnif, and KPOT Stealer.

On the other hand, TA577 is infamous for having served as a key affiliate of the Qbot network until its recent disruption. TA577 has been linked by Proofpoint to various campaigns, with subsequent ransomware infections such as Black Basta being notably attributed to them.

These actors are classified as Initial Access Brokers (IABs), specializing in gaining initial footholds within victim networks. Latrodectus serves as their tool to establish a foothold and potentially deploy ransomware or other malicious tools.

Commenting on this, Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit told Hackread.com, _“_Battling eCrime is similar to moving a couch where roaches live, they simply run to another piece of furniture or room nearby to seek harbour and continue business as normal, despite any actions taken by the homeowner._“_

_“_Latrodectus has powerful components upon its emergence, capable of defeating sandboxes, use of RC4 encrypted command and control communications, and more,_“_ Ken warned. _“_It appears likely that actors behind QBot felt the heat from takedowns last year, migrating to this new code base and infrastructure in the fall of 2023._“_

While Latrodectus activity dropped in December 2023 and January 2024, Proofpoint reports a surge in campaigns throughout February and March 2024. This suggests a growing adoption of Latrodectus by cybercriminals.

The specific payloads delivered by Latrodectus remain unknown, but its downloader functionality allows attackers to deploy a wide range of tools through malicious emails depending on their objectives.

Two of the malicious emails used in the campaign to spread Latrodectus (Screenshot: Proofpoint)

While technical details of Latrodectus’s modus operandi are available in Proofpoint’s blog post, here are some to mitigate the risk of Latrodectus:

*   **Maintain strong cybersecurity hygiene:** Regularly update software and firmware on all devices. Utilize robust security solutions with advanced malware detection capabilities.
*   **Be cautious of suspicious emails:** Phishing emails are a common method for distributing malware. Be wary of unsolicited attachments and links.
*   **Educate employees:** Train employees on cybersecurity best practices, including email security awareness and the importance of reporting suspicious activity.

1.  New Malware “BunnyLoader 3.0” Steals Credentials
2.  WordPress Websites Hacked with New Sign1 Malware
3.  TheMoon Malware Hacks 6,000 Asus Routers in 72 Hours
4.  AcidRain Linux Malware Variant “AcidPour” Targeting Ukraine
5.  New Vcurms Malware Targets Popular Browsers for Data Theft

New Latrodectus Downloader Malware Linked to IcedID and Qbot Creators

Threat actors are luring victims to a fake NordVPN website that installs a Remote Access Trojan.

Most of the malicious search ads we have seen have originated from Google, but threat actors are also abusing other search engines. Microsoft Bing is probably the second best target due to its close ties to the Windows ecosystem and Edge browser.

In this blog post, we look at a very recent malvertising campaign impersonating the popular VPN software NordVPN. A malicious advertiser is capturing traffic from Bing searches and redirecting users to a decoy site that looks almost identical to the real one.

The threat actors went ever further by trying to digitally sign a malicious installer and hosting it on Dropbox. Victims will have the impression they are getting NordVPN as it is part of the package, but will also inadvertently install a Remote Access Trojan known as SecTopRAT on their computer.

We have reported the malicious Bing ad to Microsoft, and other parts of the distribution infrastructure to their respective provider. We want to reiterate that NordVPN is a legitimate VPN provider and they are being impersonated by threat actors.

**Fraudulent Bing ad**

When searching for “nord vpn” via the Bing search engine, we identified a malicious ad that impersonates NordVPN. The ad itself looks suspicious because of the URL in the ad snippet. The domain name _nordivpn\[.\]xyz_ was created one day ago (April 3, 2024). It was probably chosen as it looks quite similar to the official name and can deceive users who aren’t looking too closely.

As we often see, the ad URL is simply used as a redirection mechanism to a fake website that is meant to look identical to the one being impersonated. This is true here as well, where we have a redirect to _besthord-vpn\[.\]com_ (note again the spelling chosen with the ‘_h_‘ looking like an ‘_n_‘) which was created today, only a few hours ago.

The website looks incredibly convincing, and victims will be tricked into downloading the app from there. Unlike the legitimate NordVPN that goes through a sign up process, here you can directly download the installer from Dropbox.

Here’s a summary of the traffic flow from the malicious ad to the download link:

**Malware payload**

The downloaded file is called _NordVPNSetup.exe_ and is digitally signed, as if it was from its official vendor; however, the signature is not valid.

The file contains both an installer for NordVPN and a malware payload. The installer for NordVPN is meant to give victims the illusion that they are actually installing a real file.

The payload is injected into _MSBuild.exe_ and will connect to the malware author’s command and control server at 45.141.87\[.\]216 on port 15647.

That network traffic is detected by Emerging Threats as Arechclient2 Backdoor, an alias for SecTopRAT.

**Conclusion**

Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads. Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.

ThreatDown customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.

The malicious ad and related indictors have been reported as we work with industry partners to take down this campaign.

**Indicators of Compromise**

Malicious domains

nordivpn\[.\]xyz  
besthord-vpn\[.\]com

Fake NordVPN installer

e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc

SecTopRAT C2

45.141.87\[.\]216

 Bing ad for NordVPN leads to SecTopRAT 

An April 2023 study from Kent State University found that remote workers are more likely to be vigilant of security threats and take actions to ward them off than their in-office counterparts.

Thursday, April 4, 2024 14:00

As my manager knows, I’m not the biggest fan of working in a physical office. I’m a picky worker — I like my workspace to be borderline frigid, I hate dark mode on any software, and I want any and all lighting cranked all the way up.  

So, know that I’m biased going into this, but I also can’t get over the idea that companies are using cybersecurity as an excuse to create return-to-office policies in 2024.  

I started thinking about this because of the video game developer Rockstar, which owns some of the largest video game franchises on the planet like Red Dead Redemption and Grant Theft Auto. 

The company recently started asking its employees to return to its physical office five days a week in the name of productivity and security as the company pushes to finish its highly anticipated title “Grand Theft Auto VI.”  

Rockstar has long faced a number of cybersecurity concerns over the years, including a massive leak featuring early, in-progress gameplay of GTA VI in 2022 and other sensitive data. The attack was eventually attributed to the Lapsus$ group, and the perpetrator was eventually charged and sentenced. The first reveal trailer for the game was also leaked ahead of time.  

Many other companies have started to implement return-to-office policies over the past two years, citing various things ranging from worker productivity to interpersonal camaraderie, real estate costs, and more. I’m willing to hear arguments for all those things, but simply thinking that having employees all in one physical space is going to solve security problems seems far-fetched to me.  

We’ve written and talked about the various ways remote work has influenced cybersecurity since the onset of the COVID-19 pandemic. There’s no doubt that admins have had to implement new login methods, security controls and policies since more workers across the globe started working remotely. But four years into this trend, there’s no excuse to not be prepared to have remote workers anymore. 

An April 2023 study from Kent State University found that remote workers are more likely to be vigilant of security threats and take actions to ward them off than their in-office counterparts.  

The use of multi-factor authentication during the rise in remote work has skyrocketed, but often, this requirement is actually dropped if a user is physically in the office or accessing an on-site machine because of the perceived security of being in the office.  

The perceived security of a physical office can sometimes lull admins into a false sense of security, too, because machines located on-site may lack pre-boot authentication or encryption that’s commonly found on remote workers’ devices.  

I’m not saying that working in an office is inherently less secure than remote work, but I do believe that the risks are essentially the same. Regardless of where an employee is working from, they should be using app-based MFA to access all their services. Sensitive software and hardware should rely on passkeys or physical token access rather than outdated password policies that create easy-to-guess or shareable text-based passwords.  

And if security is the name of the game when asking employees to come back into the office, there’s still going to be a monetary investment that comes with that, too. 

Cisco’s recently published Global Hybrid Work study found that only 28 percent of responding employees say they would rank their employers’ office’s “Privacy and security features” as “very well.” To me, that says that even if employers want workers back in the office, they still need to upgrade their security, which is always going to mean more money and greater manpower.  

Security fundamentals should stay the same, no matter where your employees are. And suppose security is a chief concern for a company in wanting to go back to the “traditional” office lifestyle. In that case, I’m willing to bet they still have security gaps to overcome that simply can’t be solved by thinking they’ll be able to keep a closer eye on employees while they’re in the office to keep them from clicking on a phishing email. 

**The one big thing **

Remote system management/desktop access tools such as AnyDesk and TeamViewer have grown in popularity since 2020. While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns. Cisco Talos Incident Response (Talos IR) has recently seen a spike in actors using this type of software as a method of gaining initial access to a network or to spy on the actions of users. Talos IR noted in its Quarterly Trends report for the third quarter of 2023, “AnyDesk was observed in all ransomware and pre-ransomware engagements \[. . .\], underscoring its role in ransomware affiliates' attack chains.” 

**Why do I care? **

The use of these types of tools has increased since the start of the COVID-19 pandemic when remote work became more common. Since this software is legitimate, it can be easy for an attacker to compromise it and sit undetected on a network, bypassing traditional blocking methods. These tools introduce the ability for an adversary to potentially take full remote control of a system, are easy to download and install, and can be very difficult to detect since they are considered legitimate software. 

**So now what? **

Adopting one, or at most two, approved remote management solutions will allow the organization to thoroughly test and deploy in the most secure possible configuration. Once a solution is approved and championed for the organization, other remote management/access tools should be explicitly banned by policy. Due to the complexity of implementing all these controls, detection rules can serve as a backup in case an adversary finds a way to circumvent these mitigations. 

**Top security headlines of the week **

**The U.S. and Britain have jointly filed chargers and sanctions against a Chinese state-sponsored actor known as APT31.** The group is accused of a sweeping espionage campaign allegedly linked to China's Ministry of State Security (MSS) in the province of Hubei. The group reportedly targeted thousands of U.S. and foreign politicians, foreign policy experts and other high-profile targets. Individuals in the White House, U.S. State Department and spouses of officials were also among those targeted. The attacks aligned with geopolitical events affecting China, including economic tensions with the U.S., arguments over control of the South China Sea, and pro-democracy rallies in Hong Kong in 2019. A release from the U.S. Department of Justice stated that the campaigns involved more than 10,000 malicious emails, sent to targets in multiple continents, in what it called a “prolific global hacking operation.” The charges go on to say that APT31 hoped to compromise government institution networks and stealing trade secrets. Seven Chinese nationals are the target of the new sanctions for their alleged involvement with APT31, including the Wuhan XRZ corporation that is tied to the threat actor. (Reuters, U.S. Department of Justice) 

**A silent backdoor on Linux machines was almost a massive supply chain attack, before a lone developer found malicious code hidden in software updates.** The malicious code was hidden in two updates to xz Utils, an open-source data compression utility available on almost all installations of Linux and other Unix-like operating systems. Had it been successfully deployed, adversaries could have stashed malicious code in an SSH login certificate, upload it and execute it on the backdoored device. Whoever is behind this code likely spent years working on it, with open-source updates going back to 2021. The actor never actually took advantage of the malicious code, so it’s unclear what they planned to upload. Researchers eventually identified the vulnerability as CVE-2024-3094. The U.S. Cybersecurity and Infrastructure Security Agency warned government agencies to downgrade their xz Utils to older versions. (Ars Technica, Dark Reading) 

**There is a massive backup with the National Vulnerabilities Database and, consequently, MITRE is unable to compile a list of all new vulnerabilities.** A recent study from Flashpoint found that there was backlog of more than 100,000 vulnerabilities with no CVE number, and consequently, hadn’t been included in the NVD. Of those, 330 vulnerabilities had been exploited in the wild, yet defenders had not been made aware of them. The National Institute of Standards and Technology blamed the backup on an increase in the volume of software available to the public, leading to a larger number of vulnerabilities, as well as “a change in interagency support.” NIST has only analyzed about half of the more than 8,700 vulnerabilities that had been submitted so far in 2024. And in March alone, they only analyzed 199 out of the 3,370 vulnerabilities submitted. Several organizations have tried launching their own alternatives to the NVD, though adoption can still take a long time. NIST has also vowed to remain dedicated to the NVD and that it’s still regrouping its current efforts. (SecurityWeek, The Record by Recorded Future) 

**Can’t get enough Talos? **

*   Enterprise Imperatives: The Critical Importance of Threat Intelligence 
*   Beware the gap between security readiness and confidence levels, Cisco warns 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll |  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241  
**MD5:** a5e26a50bf48f2426b15b38e5894b189  
**Typical Filename:** a5e26a50bf48f2426b15b38e5894b189.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::1201

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66  
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c  
**Typical Filename:** RemComSvc.exe  
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983  
**MD5:** 0211073feb4ba88254f40a2e6611fcef  
**Typical Filename:** UIHost64.exe  
**Claimed Product:** McAfee WebAdvisor  
**Detection Name:** Trojan.GenericKD.68726899

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

By Uzair Amir
It seems each week brings news of another attack – millions drained from DeFi protocols, NFTs swiped, and…
This is a post from HackRead.com Read the original post: 5 Best Crypto Marketing Agencies for Web3 Security Brands in 2024

Image source: Pixabay

It seems each week brings news of another attack – **millions drained f**rom DeFi protocols, NFTs swiped, and Web3 users financially wrecked. So much so that the promise of this technology feels tainted for many users – particularly those who just read the news headline and assume the worst.

But behind the scenes, an elite group of Web3 security brands have been toiling away on next-gen protections to turn the tide. We are talking about blockchain’s unspoken heroes – the brilliant builders creating complex security infrastructure, fraud-detecting AI, and hardened protocols to make the decentralized web broadly safe and ready for mainstream adoption. 

However, engineering chops alone don’t cut it nowadays. Even cyber defenders need savvy marketing behind them if they want to snag users and lock down funding from weary crypto investors.

That’s why many of the leading security brands quietly partner with crypto marketing agencies in the background. Aligned with specialists who understand Web3’s intricacies, these teams boost awareness of the robust safety solutions they’re pioneering. Just as crucially, the agencies give them a mega-phone to spotlight past breaches and clarify why next-gen protections must be priority #1 going forward.

In this article, we want to pull back the curtain on five agencies that are already making this happen for some of the industry’s pioneers. Let’s explore why their marketing might well determine if **Web3** can overcome its somewhat shaky reputation. 

****Top 5 Crypto Marketing Agencies for Web3 Security Brands****

Now, let’s get into the list of the top five crypto marketing agencies for Web3 security brands. 

****Chainstory** **

**Expertise**: Blockchain PR using storytelling & strategic content marketing.

As a results-driven crypto marketing agency, **Chainstory** delivers strategic PR and communications guidance built for impact with blockchain audiences. Since 2016, Chainstory’s special sauce has been the art of storytelling and narrative-shaping.

That’s an invaluable asset for forward-thinking security brands aiming to convey the pressing importance of their protections in simple yet profound terms as Web3 adoption accelerates. In essence, Chainstory helps these businesses translate complex cybersecurity problems into compelling stories the average crypto user can quickly grasp and connect with on an emotional level.

Chainstory has already been able to put out client commentary in mainstream media discussing relevant scams and exploit stories on outlets like CNBC, Reuters and TechCrunch. This external validation helps establish thought leadership benefits and raise awareness – and thanks to their pricing model, you only pay for what they deliver. 

****NinjaPromo** **

**Expertise**: Paid advertising and media campaigns

While a full-service marketing agency operating across several industries, **NinjaPromo** focuses the majority of its Web3 marketing efforts on data-driven advertising campaigns and influencer initiatives engineered to deliver measurable results. The agency deploys precision paid campaigns across platforms to expand awareness and adoption for blockchain companies.

Rather than general hype, NinjaPromo emphasizes transparency on key performance indicators—reporting hard metrics like whitepaper downloads, email sign-ups, social engagements and referral traffic to showcase campaign effectiveness.

With its seasoned team and strategic expertise, NinjaPromo could greatly benefit security innovators looking to accelerate technology rollouts and partnerships. Targeted ads nudging ideal engineers/developers down the conversion funnel can fast-track go-to-market. While not Web3-centric, NinjaPromo possesses the formula to help Web3 security brands gain more visibility.

****Crowdcreate****

**Expertise**: Investor relations and fundraising

As a leading marketing agency across crypto, gaming, eCommerce, and real estate, **Crowdcreate** has built up an extensive Rolodex of active blockchain investors and strategic relationships with funding partners like venture capital firms and crypto hedge funds.

To date, much of their focus has centered on helping Web3 brands shape investment narratives, create decks, and run fundraising campaigns to access capital from their network. The same playbook could be run to support Web3 security enterprises pursuing their mission-critical work.

With Crowdcreate’s connections and fundraising machinery, Web3 companies could potentially gain backing to scale tools protecting Web3 users from catastrophic losses. Crowdcreate has the team and the experience to help craft stories conveying why security deserves more support than short-term speculation.

****Coinbound****

**Expertise:** Community management and content marketing

When it comes to getting attention in the crowded Web3 space, community engagement is huge. Building those human connections and nurturing super fans can be the difference between a brand that fizzles out and one that thrives. This is one of **Coinbound’s** major strengths.

Whether it’s hosting vibrant AMAs, creating informative content, or moderating online discussions, Coinbound helps brands put their best face forward and resonate with audiences in their native digital habitats. That visibility and approachability lead to higher levels of trust and advocacy.

Now for Web3 security brands specifically, nurturing these communities holds even greater significance. By establishing themselves as visible protectors and educators around risks in the Web3 ecosystem, security brands can position themselves as anchors of safety amidst uncertainty. And platforms like Coinbound offer proven strategies to make that happen. 

****Block Tides****

**Expertise:** Asia-specific

Expanding into Asia can feel like entering into a new world for many Western Web3 brands. Between fragmented communities, language barriers, cultural nuances and navigating local regulations – breaking in isn’t easy. But that’s where leveraging a specialist like **Block Tides** can pay dividends.

These guys live and breathe Asia’s Web3 and AI ecosystem. They understand the unique needs of Web3 companies trying to gain footholds across this diverse region. For cybersecurity brands in particular, Block Tides recognizes building trust requires specialized localization and engagement.

As a full-service agency, Block Tides brings extensive capabilities to the table – covering all aspects of digital marketing and beyond. Their offerings span core elements like social media management and influencer collaborations to amplify brand recognition. But the team also handles technical initiatives as well – even supporting software/product launches.

****How Can a Crypto Marketing Agency Help Web3 Security Brands?****

Let’s face it, Web3 security brands have more than enough on their plates to protect networks, fight hackers, and build robust infrastructure. Marketing often takes a backseat to those crucial priorities. But getting the word out is vital. These brands still need to flex their reputation, showcase reliability, and connect with the right communities.

We asked the comparison website **Best Crypto Marketing Agency** to break down some of the ways crypto marketing agencies can help Web3 security brands, they added:

*   **Branding & Messaging**: Agencies know how to make security tools pop for crypto insider audiences – highlighting slick features and next-gen code for locking down wallets, DeFi platforms and NFT markets. Their messaging cuts through the hype to reach VCs, developers, and the engineers calling the shots.  
    
*   **Content Creation:** High-quality articles, videos and visuals from marketing experts spotlight major events and trends while underscoring why advanced protocols from their clients provide such crucial protection. This content cements their reputation as thought leaders.  
    
*   **Community Building:** Agencies rally diehard security devs, engineers and cyber experts by creating online forums and channels for them to chime in. This forms a vocal army of advocates repping their favourite Web3 security platforms.  
    
*   **Media Coverage & Partnerships:** With access to industry connections, security brands score writeups in blockchain publications, a cameo in crypto influencer videos, and ink partnerships with respected players in the space. Heightened visibility and co-signs accelerate success.  
    
*   **Regulatory Guidance:** Rules around Web3 are always changing across regions. Agencies ensure compliance legwork is handled, freeing up security leaders to deliver groundbreaking code instead of paperwork.

****Things to Keep in Mind When Choosing A Web3 Marketing Agency****

As a Web3 security innovator, choosing the right marketing partner is crucial. You need an agency that truly understands the distinct challenges of establishing trust and relevance in the decentralized landscape. Here are a few must-haves to ensure your agency aligns with your specific needs:

*   **Technical Communication** – Can your agency effectively convey highly complex cybersecurity concepts to both investor and engineer audiences? Simplifying messaging around the urgency of your protections is vital.

*   **Web3 Experience** – Have they specifically supported any Web3 security brands before or do they merely dabble in blockchain? You need an agency well-versed in the industry issues facing users right now.

*   **Key Media Relationships** – Does your potential agency have existing connections with influential media platforms? Those relationships can prove invaluable for boosting brand awareness.

*   **Results-Focus –** Rather than vague promises, you need an agency that embraces transparency around campaign analytics and reporting. This keeps everyone accountable while highlighting what concrete actions move the needle.

*   **Bespoke Strategies** – Out-of-the-box campaigns won’t differentiate you in the decentralized world. Make sure your agency develops highly customised go-to-market plans aligned to your specific offerings.

****Parting Words****

Cybersecurity trailblazers play an integral yet often overlooked role in securing the decentralized future. Their ingenious code protects the dreams and financial freedoms of millions of Web3 users worldwide.

However, many in the **crypto community** remain unaware such vital protections even exist. By collaborating with marketing agencies closely attuned to the security threats now engulfing crypto, these unspoken heroes can finally step into the spotlight. 

Strategic outreach and messaging can broadcast how their platforms deflate the hype around crypto scams by engineering ironclad protections behind the scenes. Ultimately, savvy marketing will convey why these teams deserve investor backing to scale essential infrastructure that benefits everyone.

****FAQs********Q. Why do Web3 security brands need marketing help if their technology is so innovative?****

A: Even **game-changing cybersecurity tools** won’t gain traction on technology alone. Strategic marketing is crucial for getting products and software into the hands of developers, while also establishing brands as trusted leaders that investors want to back.

****Q: What results can a marketing agency realistically deliver for a new security startup?****

A: The right agency can significantly expand visibility and credibility amongst key Web3 audiences. We’re talking partnership opportunities, media coverage, community growth and heightened interest from potential customers and VCs.

****Q: How hands-on are these agencies? Will they just execute or collaborate closely with our team?****

A: The best agencies function as true partners, working closely alongside your executives and engineers to deeply understand your offerings before developing high-alignment strategies. Communication should be continual.

****Q: How can we vet agencies to ensure they truly understand cybersecurity in Web3?****

A: Ask probing questions about their experience helping security brands in the past. Check whether staff have worked with blockchain businesses themselves. Validate their technical knowledge across vulnerabilities, exploits, and cryptography topics relevant to your protections.

****Q: This sounds expensive. What does pricing look like?****

A: Packages vary based on the services chosen and the reputation of the agency. Some charge upfront, but others offer results-based pricing based on what they can deliver. It’s up to you which model best suits your budget.

1.  6 of the Best Crypto Bug Bounty Programs
2.  20 Best Amazon PPC Management Agencies
3.  The 10 Best Cybersecurity Companies in the UK
4.  10 Top DDoS Attack Protection and Mitigation Companies
5.  15 Best SaaS SEO Experts That Will Help You Dominate Online

5 Best Crypto Marketing Agencies for Web3 Security Brands in 2024

A researcher received a $5,500 bug bounty for discovering a vulnerability (CVE-2024-2879) in LayerSlider, a plug-in with more than a million active installations.

Source: Primakov via Shutterstock

Attackers can exploit a critical SQL injection vulnerability found in a widely used WordPress plug-in to compromise more than 1 million sites and extract sensitive data such as password hashes from associated databases.

A security researcher called AmrAwad (aka 1337\_Wannabe) discovered the bug in the LayerSlider, a plug-in for creating animated Web content. The security flaw, tracked as CVE-2024-2879, has a rating of 9.8 out of 10 on the CVSS 3.0 vulnerability-severity scale, and is associated with the "ls\_get\_popup\_markup" action in versions 7.9.11 and 7.10.0 of LayerSlider. The vulnerability is due to "insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query," according to Wordfence.

"This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database," the company said.

Wordfence awarded the researcher a bounty of $5,500 — the company's highest bounty to date — for the discovery, according to a blog post by Wordfence. AmrAwad's March 25 submission came as part of Wordfence's second Bug Bounty Extravaganza, and the company contacted the Kreatura Team, developers of the plug-in, the same day to notify them of the flaw. The team responded the next day and delivered a patch in version 7.10.1 of LayerSlider on March 27.

**Exploiting the LayerSlider SQL Injection Flaw**

The potential for exploitation of the vulnerability lies in the insecure implementation of the LayerSlider plug-in's slider popup markup query functionality, which has an "id" parameter, according to Wordfence.

According to the firm, "if the 'id' parameter is not a number, it is passed without sanitization to the find() function in the LS\_Sliders class," which "queries the sliders in a way that constructs a statement without the prepare() function."  

Since that function would "parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks," its absence creates a vulnerable scenario, according to Wordfence.

However, to exploit the flaw requires a "a time-based blind approach" on the part of attackers to extract database information, which is "an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities," according to Wordfence.

"This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database," the company explained.

**Secure WordPress, Secure the Web**

Vulnerable WordPress sites are a popular target for attackers given the content management system's widespread use across the Internet, and often vulnerabilities exist in plug-ins that independent developers create for adding functionality to sites using the platform.

Indeed, at least 43% of websites on the entire Internet use WordPress to power their sites, e-commerce applications, and communities. Further, the wealth of sensitive data such as user passwords and payment info often stored within their pages represents a significant opportunity for threat actors who seek to misuse it.

Making "the WordPress ecosystem more secure ... ultimately makes the entire web more secure," WordPress noted.

Wordfence advised that WordPress users with LayerSlider installed on sites verify immediately that they are updated to the latest, patched version of the plug-in to ensure it isn't vulnerable to exploit.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#web