North Korean hackers break ground with new exploitation techniques for Windows and macOS.

Source: Stuart Miles via Alamy Stock Photo

This month, MITRE will be adding two sub-techniques to its ATT&CK database that have been widely exploited by North Korean threat actors.

The first, not entirely new, sub-technique involves manipulation of Transparency, Consent, and Control (TCC), a security protocol that regulates application permissions on Apple's macOS.

The other — called "phantom" dynamic link library (DLL) hijacking — is a lesser-known subset of DLL hijacking, where hackers take advantage of referenced but nonexistent DLL files in Windows.

Both TCC manipulation and phantom DLL hijacking have allowed North Korean hackers to gain privileged access into macOS and Windows environments, respectively, from which they could perform espionage and other post-exploitation actions.

**TCC Manipulation**

"North Korea is opportunistic," says Marina Liang, threat intelligence engineer at Interpres Security. "They have a dual purpose of espionage and also revenue generation, so they're going to look to be where their targets are. And because macOS is increasing in popularity, that's where they started to pivot."

One way North Korean advanced persistent threats (APTs) have been breaching Macs lately is via TCC, an essential framework for controlling application permissions.

TCC has a user- and system-level database. The former is protected with permissions — a user would require Full Disk Access (FDA), or something similar — and the latter by System Integrity Protection (SIP), a feature first introduced with macOS Sierra. Theoretically, privileges and SIP are guards against malicious TCC access.

In practice, however, there are scenarios where each can be undermined. Administrators and security apps, for example, might require FDA to properly function. And there are times when users circumvent SIP.

"When developers need flexibility on their machine, or they're being blocked by the operating system, they might decrease those controls that Apple has in place to allow them to code and create software," Liang explains. "Anecdotally, I've seen that developers troubleshooting will try to figure out what's in place \[on the system\], and disable it to see if that solves their issue."

When SIP is switched off, or FDA on, attackers have a window to access the TCC database and grant themselves permissions without alerting the user.

There are a number of other ways to potentially get through TCC, too. For example, some sensitive directories such as /tmp fall outside of TCC's domain entirely. The Finder app has FDA enabled by default, and it's not listed in the user's Security & Privacy window, meaning that a user would have to be independently aware and manually revoke its permissions. Attackers can also use social engineering to direct users in disabling security controls.

A number of malware tools have been designed to manipulate TCC, including Bundlore, BlueBlood, Callisto, JokerSpy, XCSSET, and other unnamed macOS Trojans recorded on VirusTotal. Liang identified Lazarus Group malware, which attempts to dump the access table from the TCC database, and CloudMensis by APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, or ScarCruft) doggedly tries to identify where SIP is disabled in order to load its own malicious database.

Dark Reading contacted Apple for a statement regarding TCC abuses and received no reply.

To block attackers taking advantage of TCC, the most important thing is keeping SIP enabled. Short of that, Liang highlights the need to know which apps have what permissions in your system. "It's being aware of what you're granting permissions to. And then — obviously it's easier said than done — exercising \[the principle of\] least privileged \[access\]. If certain apps don't necessarily need certain permissions to function, then remove them," she says.

Besides TCC vulnerabilities, APAC-area threat actors have been exploiting an even stranger flaw in Windows. For some reason, the operating system references a number of DLL files that don't actually exist.

"There are a ton of them," Liang marvels. "Maybe someone was working on a project to create specific DLLs for specific purposes, and maybe it got shelved, or they didn't have enough resources, or just forgot about it."

Dark Reading has reached out to Microsoft for clarification on this point.

To a hacker, a so-called "phantom" DLL file is like a blank canvas. They can simply create their own malicious DLLs with the same name, and write them to the same location, and they'll be loaded by the operating system with nobody the wiser.

The Lazarus Group and APT 41 (aka Winnti, Barium, Double Dragon) have used this tactic with IKEEXT, a service necessary for authentication and key exchange within Internet protocol security. When IKEEXT triggers, it attempts to load the nonexistent "wlbsctrl.dll." APT41 has also targeted other phantom DLLs like "wbemcomn.dll," loaded by the Windows Management Instrumentation (WMI) provider host.

Until Windows rids itself of phantom DLLs, Liang highly recommends companies run monitoring solutions, deploy proactive application controls, and automatically block remote loading of DLLs, a feature included by default in Windows Server.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse

Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it’s detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

The second number became known when Apple changed the wording of the relevant support page. The change also included the title that went from “About Apple threat notifications and protecting against **state-sponsored attacks**” to “About Apple threat notifications and protecting against **mercenary spyware**.”

If you look at the before and after, you’ll also notice an extra paragraph, again with the emphasis on the change from “state-sponsored attacks” to “mercenary spyware.”

The cause for the difference in wording might be because “state-sponsored” is often used to indicate attacks targeted at entities, like governments or companies, while these mercenary attacks tend to be directed at individual people.

The extra paragraph specifically calls out the NSO Group and the Pegasus spyware it sells. While the NSO Group claims to only sell to “government clients,” we have no reason to take its word for it.

Apple says that when it detects activity consistent with a mercenary spyware attack it uses two different means of notifying the users about the attack:

*   Displays a Threat Notification at the top of the page after the user signs into appleid.apple.com.
*   Sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

The NSO Group itself argued in a court case started by Meta for spying on WhatsApp users, that it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

**How to stay safe**

Apple advises iPhone users to:

*   Enable Lockdown mode.
*   Keep devices up to date.
*   Protect devices with a passcode.
*   Use Multi-Factor-Authentication (MFA) for your Apple ID.
*   Only install apps from the App Store.
*   Use strong and unique passwords online.
*   Don’t click on links or attachments from unknown senders.

We’d like to add:

*   Use an anti-malware solution on your device.
*   If you’re not sure about something that’s been sent to you, verify it with the person or company via another communcation channel.
*   Use a password manager.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple warns people of mercenary attacks via threat notification system 

In new threat notification information, Apple singled out Pegasus vendor NSO Group as a culprit in mercenary spyware attacks.

Source: nk Drop via Shutterstock

Apple this week updated its spyware threat notification system to alert and assist users it identifies as targeted by mercenary spyware attacks.

To date, Apple has spotted and alerted users in more than 150 countries that they were targeted in these attacks.

Such spyware attacks target individuals largely because of who they are and what they do, Apple said. While most people will never be targeted by these types of attacks, a small number of people — journalists, activists, politicians, and the like — will potentially be victimized. 

Apple said once it detects spyware it notifies the user within two days. The vendor does provide threat actor attribution, however.

In its notice, Apple pointed fingers at the NSO Group, one of the private companies that develops the mercenary spyware Pegasus that is used in such attacks. "According to public reporting and research by civil society organizations, technology firms, and journalists, individually targeted attacks of such exceptional cost and complexity have historically been associated with state actors, including private companies," stated the notice on Apple's support page. 

Should an individual receive a threat notification, Apple recommends that they seek the help of either Apple or a third party. Apple's notifications never ask the user to click on any link or install an application; the threat notification can be verified simply by signing into applied.apple.com, where the notification will be at the top of the page. 

**About the Author(s)**

Apple Warns Users in 150 Countries of Mercenary Spyware Attacks

Privacy-focused company DuckDuckGo is launching a tool to remove data from people-search websites, a VPN, and an identity theft restoration service.

For more than a decade, DuckDuckGo has rallied against Google’s extensive online tracking. Now the privacy-focused web search and browser company has another target in its sights: the sprawling, messy web of data brokers that collect and sell your data every single day.

Today, DuckDuckGo is launching a new browser-based tool that automatically scans data broker websites for your name and address and requests that they be removed. Gabriel Weinberg, the company’s founder and CEO, says the personal-information-removal product is the first of its kind where users don’t have to submit any of their details to the tool’s owners. The service will make the requests for information to be removed and then continually check if new records have been added, Weinberg says. “We’ve been doing it to automate it completely end-to-end, so you don't have to do anything.

The personal-information removal is part of DuckDuckGo’s first subscription service, called Privacy Pro, and is bundled with the firm’s first VPN and an identity-theft-restoration service. Weinberg says the subscription offering, which is initially available only in the US for $9.99 per month or $99.99 per year, is part of an effort to add to the privacy-focused tools it provides within its web browser and search engine. “There’s only so much we can do in that browsing loop, there's things happening outside of that, and a big one is data brokers, selling information scraped from different places,” Weinberg says.

The data broker industry is a far-reaching, $200-plus billion market, which collects, buys, and sells as much information as it can. A lack of comprehensive privacy laws in the US allows companies to easily trade everything from people’s names and addresses to financial data and specific GPS coordinates gathered from your phone. (The recently proposed American Privacy Rights Act, if passed, would create a new registry of data brokers and give people some European-style privacy rights).

DuckDuckGo’s personal-information-removal tool—for now, at least—is taking the privacy fight to people-search websites, which allow you to look up names, addresses, and some details of family members. However, Weinberg says DuckDuckGo has created it so the company isn’t gathering details about you, and it is built on technology from Removaly, which the company acquired in 2022.

Ahead of its launch, the company demonstrated how the system works and some of the engineering efforts that went into its creation. On the surface, the removal tool is straightforward: You access it through the company’s browser and enter some information about yourself, such as your name, year of birth, and any addresses. It then scans 53 data broker websites for results linked to you and requests those results to be wiped. (All 53 data brokers included have opt-out schemes that allow people to make requests.) A dashboard shows updates about what has been removed and when it will next scan those websites again, in case new records have been added.

Under the hood, things are more complex. Greg Fiorentino, a product director at DuckDuckGo, says when you enter your personal data into the system, it’s all saved in an encrypted database on your computer (the tool doesn’t work on mobile), and the company isn’t sent this information. “It doesn't go to DuckDuckGo servers at all," he says.

For each of the data brokers’ websites, Fiorentino says, DuckDuckGo looked at its URL structure: For instance, search results may include the name, location, and other personal information that are queried. When the personal information tool looks for you on these websites, it constructs a URL with the details you have entered.

“Each of the 53 sites we cover has a slightly different structure,” Fiorentino says. “We have a template URL string that we substitute the data in from the user to search. There are lots of different nuances and things that we need to be able to handle to actually match the data correctly.”

During testing, the company says, it found most people have between 15 and 30 records on the data broker sites it checks, although the highest was around 150. Weinberg says he added six addresses to be removed from websites. “I found hits on old stuff, and even in the current address, which I really tried to hide a bit from getting spam at, it’s still out there somehow,” Weinberg says. “It’s really hard to avoid your information getting out there.”

Once the scan for records has been completed, the DuckDuckGo system, using a similar deconstruction of each of the data broker websites, will then automatically make requests for the records to be removed, the team working on the product say. Fiorentino says some opt-outs will happen within hours, whereas others can take weeks to remove the data. The product director says that in the future, the tool may be able to remove data from more websites, and the company is looking at potentially including more sensitive data in the opt-outs, such as financial information.

Various personal-information-removal services exist on the web, and they can vary in what they remove from websites or the services they provide. Not all are trustworthy. Recently, Mozilla, the creator of the Firefox browser, stopped working with identity protection service Onerep after investigative journalist Brian Krebs revealed that the founder of Onerep also founded dozens of people-search websites in recent years.

DuckDuckGo’s subscription service marks the first time the company has started charging for a product—its browser and search engine are free to use, and the firm makes its money from contextual ads. Weinberg says that, because subscriptions are purchased through Apple’s App Store, Google Play, or with payment provider Stripe, details about who subscribes are not transferred to DuckDuckGo’s servers. A random ID is created for each user when they sign up, so people don’t have to create an account or hand DuckDuckGo their payment information. The company says it doesn’t have access to people’s Apple IDs or Google account details.

For its identity-theft-restoration service, DuckDuckGo says it is working with identity protection service Iris, which uses trained staff to help with fraudulent banking activity, document replacement, emergency travel, and more. DuckDuckGo says no information is shared between it and Iris.

Weinberg says that while the company’s main focus is providing free and easy-to-use privacy tools to people, running a VPN and the removal tool requires a different business model. “It just takes a lot of bandwidth,” he says of the VPN.

Broadly, the VPN industry, which allows people to hide their web traffic from internet providers and avoid geographic restrictions on streaming, has historically been full of companies with questionable records when it comes to privacy and people’s data. Free VPNs have long been a privacy nightmare.

DuckDuckGo says its VPN, which it built in-house and which uses the WireGuard protocol, does not store any logs of people’s activities and can be used on up to five devices at once. “We don’t have any record of website visits, DNS requests, IP addresses connected, or session lengths,” the company says in its documentation. The VPN runs through its browser, with 13 location options at launch, but shields all internet traffic passing through your phone or computer.

The company says it is conducting a third-party audit of the VPN to allow its claims to be scrutinized, and it will publish the full audit once it’s complete. “We really wanted to do something in the VPN space for a long time, we just didn't have the resources and people to do it,” Weinberg says. “We looked at partnering in different places. If we have to completely trust a partner versus building something where we can make it anonymous, we decided we would want to do it ourselves.”

DuckDuckGo Is Taking Its Privacy Fight to Data Brokers

Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks.
It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off "individually targeted

Apple Expands Spyware Alert System to Warn Users of Mercenary Attacks

Prioritizing security and user experience will help you build a robust and reliable authentication system for your business.

Source: Tomasz Zajda via Alamy Stock Photo

Authentication protocols serve as the backbone of online security, enabling users to confirm their identities securely and access protected information and services. They define how claimants (users trying to access a digital service) and verifiers (the entities authenticating them) communicate. The protocols exchange information to verify the validity of the authentication service and confirm that the claimant possesses the appropriate token to authenticate their identity.

With myriad authentication protocols available, however, selecting the appropriate one for your organization can be daunting. Following are the key authentication protocols, along with insights into choosing the right one for your business needs.

Each authentication protocol offers unique features tailored to specific use cases and security requirements. If you're trying to figure out which one is best for your business, consider these four authentication protocols and their potential use cases.

OAuth/OpenID Connect (OIDC): OAuth, primarily designed for authorization, allows users to grant third-party applications limited access to their private resources without revealing their credentials. You might consider using OAuth from providers such as Google and GitHub to prioritize quick user registrations while getting validated information.

OpenID Connect (OIDC) is an open standard that builds on OAuth by providing authentication capabilities using an ID token to verify user identity securely. OIDC suits scenarios in which interoperability and user authentication across multiple systems are crucial, such as in federated identity management systems.

Both OAuth and OpenID Connect are widely adopted, allowing for interoperability between different systems, and they let users authenticate once to use the same credentials across multiple services. OAuth and OpenID Connect are, however, susceptible to phishing attacks and token theft if not implemented securely.

Security Assertion Markup Language (SAML): SAML is an XML-based standard for exchanging identity information between the user, the identity provider (IdP), and the service provider (SP). SAML offloads authentication responsibilities to specialized IdPs, reducing the burden on SPs and enhancing security. SAML works best for single sign-on (SSO) authentication in enterprise environments, where centralized authentication and access control are essential.

SAML supports use cases like identity federation, but SAML configurations can be complex and require careful management. SAML's reliance on XML may also introduce complexity owing to it being an older format than more modern ones, like JSON.

FIDO2/WebAuthn: FIDO2 is an open standard for passwordless authentication that relies on registered devices or hardware security keys to verify user identities. WebAuthn, a component of FIDO2, enables passwordless authentication through possession-based and biometric methods. You may want to consider WebAuthn for consumer-facing applications and mobile-first experiences, leveraging native device capabilities for seamless and secure authentication.

Passkeys, which are cross-device credentials based on the WebAuthn standards, have been implemented in several large organizations like Google, Apple, Shopify, Best Buy, TikTok, and GitHub over the past few years. Success stories from early adopters and increased awareness among end users are sure to continue driving adoption in the years to come.

FIDO2 and WebAuthn provide strong security against phishing and other attacks — because they don't rely on shared secrets like passwords — and a user-friendly experience, because users don't need to remember complex passwords. That said, FIDO2 and WebAuthn aren't compatible with all devices and browsers; current support gaps might make these protocols cumbersome for some users.

Time-Based One-Time Password (TOTP): TOTP generates single-use passcodes based on a shared secret key and the current time, often providing an additional layer of security in multifactor authentication (MFA) setups. TOTP supports both hardware tokens and software-based authenticator applications. You should consider TOTP for various authentication scenarios that require enhanced security.

TOTP provides an additional layer of security beyond a password, as the code changes frequently and is tied to the specific device generating it. TOTP does, however, require the user to have a separate device to generate the codes, and it doesn't protect against phishing if the user is tricked into handing the code over to the attacker.

**Factors in Selecting an Authentication Protocol**

It's easy to generalize which of the above four protocols you should use. Business applications targeting enterprises should use SAML because of its robust SSO capabilities and centralized authentication management. Consumer and mobile applications should pick WebAuthn/passkeys to provide a seamless and secure authentication experience that leverages native device features, like biometrics.

That said, each business has unique requirements, and it's not always best to generalize. Here are some factors to keep in mind when choosing an authentication protocol:

1.  Security levels: Prioritize protocols that offer robust security measures to safeguard user data and prevent unauthorized access.
    
2.  Integration: Choose protocols that seamlessly integrate with your existing infrastructure to streamline implementation and maintenance processes.
    
3.  Scalability: Ensure that the selected protocol can accommodate your organization's growth and an increasing user base without compromising performance or security.
    
4.  Authentication method: Consider the authentication methods your users prefer and select protocols that align with their expectations and UX preferences.
    

Choosing the right authentication protocol is critical for maintaining the security and trust of your users. By understanding the features and use cases of different protocols and considering factors such as security, integration, scalability, and user experience, you can select the most suitable protocol for your organization's needs.

**About the Author(s)**

Meir Wahnon is a co-founder at Descope, a drag-and-drop customer authentication and identity management platform. Before Descope, Meir served as senior director of engineering at Palo Alto Networks after the acquisition of Demisto, where he was part of the founding team. Meir is passionate about open source, no-code / low-code platforms, and ML. In his spare time, Meir likes to try out new Michelin-star restaurants around the world.

Selecting the Right Authentication Protocol for Your Business

It's finally happening: Rather than just for productivity and research, threat actors are using LLMs to write malware. But companies need not worry just yet.

Source: Ole.CNX via Shutterstock

Researchers from Proofpoint recently observed a malicious campaign targeting dozens of organizations across various industries in Germany. One part of the attack chain stood out in particular: an otherwise ordinary malware dropper whose code had clearly been generated by artificial intelligence (AI).

What the researchers discovered: Initial access broker (IAB) TA547 is using the AI-generated dropper in phishing attacks.

Though it may be a harbinger of more to come, it's no cause for panic. Defending against malware is the same no matter who or what writes it, and AI malware isn't likely to take over the world just yet.

"For the next few years, I don't see malware coming out of LLMs being more sophisticated than something a human is going to be able to write," says Daniel Blackford, senior manager of threat research at Proofpoint. After all, AI aside, "We've got very talented software engineers who are adversarially working against us."

TA547 has a long history of financially motivated cyberattacks. It came to prominence trafficking Trickbot, but has cycled through handfuls of other popular cybercrime tools, including Gozi/Ursnif, Lumma stealer, NetSupport RAT, StealC, ZLoader, and more.

"We're seeing — not just with TA547, but with other groups as well — much faster iteration through development cycles, adoption of other malware, trying new techniques to see what will stick," Blackford explains. And TA547's latest evolution seems to have been with AI.

Its attacks began with brief impersonation emails — for example, masquerading as the German retail company Metro AG. The emails contained password-protected ZIP files couching compressed LNK files. The LNK files, when executed, triggered a Powershell script that dropped the Rhadamanthys infostealer.

Sounds simple enough, but the Powershell script that dropped Rhadamanthys had one strange characteristic. Within the code, above each and every component, was a hashtag followed by hyper-specific comments about what the component achieved.

A snippet of the TA547 dropper. Source: Proofpoint

As Proofpoint noted, this is characteristic of LLM-generated code, indicating that the group — or whoever originally wrote the dropper — used some sort of chatbot to write it.

**Is Worse AI Malware to Come?**

Like the rest of us, cyberattackers have been experimenting with how AI chatbots can help them achieve their goals more easily, expeditiously, and effectively.

Some have figured out little ways to use AI to enhance their day-to-day operations, for example by aiding research into targets and emerging vulnerabilities. But aside from proofs-of-concept and the odd novelty tool, there hasn't been much evidence that hackers are writing useful malware with the help of AI.

That, Blackford says, is because humans are still far better than robots at writing malicious code. Plus, AI developers have taken steps to prevent the misuse of their software.

At least for now, he says, "the ways that these groups are going to leverage AI to scale up their operations is more of an interesting problem than the idea that they're going to create some new super malware with it."

And even once they do autogenerate super malware, the job of defending against it will remain the same. As Proofpoint concluded in its post, "In the same way LLM-generated phishing emails to conduct business email compromise (BEC) use the same characteristics of human-generated content and are caught by automated detections, malware or scripts that incorporate machine-generated code will still run the same way in a sandbox (or on a host), triggering the same automated defenses."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

TA547 Uses an LLM-Generated Dropper to Infect German Orgs

In a cyberattack more reminiscent of the 2010s, a seemingly lone hacker fleeced a major corporation for millions of open customer records.

Source: Jade Kelly via Alamy Stock Photo

A hacker with no known history has leaked personal information belonging to millions of customers of boAt, a consumer electronics company in India.

The company is India's leading manufacturer of wireless audio and wearables; boAt controlled around 26% of the wearables market as of 2023, according to data from IDC. It sells nearly 40% of all earbuds in the country — more than five times its nearest competitor — according to 2022 data from Counterpoint Research.

The threat actors, operating under the nom de guerre "ShopifyGUY," on April 5 published 2GB worth of files onto the Dark Web, according to reports. The files contained around 7.5 million entries' worth of personally identifiable information (PII) relating to boAt customers, including names, addresses, phone numbers, emails, and more.

The entire lot of it was listed for around only $2, potentially raising suspicion about the data's authenticity. However, multiple news outlets have since contacted samples of affected customers, confirming that their information is correct.

Dark Reading has reached out to boAt's security team to confirm the details of the attack but has not yet received a response.

**Preventing Customer Data Leaks**

To prevent falling victim to such an attack, Darren Williams, CEO and founder of BlackFog, suggests that companies invest in anti-exfiltration tools.

"Anti-data exfiltration is about looking for data leaving the network, and then running AI over the top of all of it to look for if it's a legitimate request," he explains. Programs trained to do this job run on dozens of contextual and behavioral parameters to distinguish legitimate from illegitimate traffic.

With that said, he adds, there are even simpler and lower-tech steps companies can take to make simple leaks more complicated.

"In a mature organization," he explains, "a basic requirement of security is data encryption at rest. That way, if somebody's accessing your database, it doesn't matter, because they can't decrypt it anyway. So it fascinates me that, in this day and age, people don't do the very basic step of encrypting their database.

"It's not hard — it takes 30 seconds, you just have to press the On button. It makes me think \[boAt\] was asleep at the wheel."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Attack on Consumer Electronics Manufacturer boAt Leaks Data on 7.5M Customers

A cheat sheet for all of the most common techniques hackers use, and general principles for stopping them.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Of the hundreds of documented MITRE ATT&CK techniques, two dominate the field: command and scripting interpreters (T1059) and phishing (T1566).

In a report published on April 10, D3 Security analyzed more than 75,000 recent cybersecurity incidents. Its goal was to determine which methods of attack were most common.

The results paint a stark picture: those two techniques outpaced all others by orders of magnitude, with the top technique outpacing the runner-up by a factor of three.

For defenders looking to allocate limited attention and resources, here are just some of the most common ATT&CK techniques, and how to defend against them.

**Execution: Command and Scripting Interpreter (Used in 52.22% of Attacks)**

What it is: Attackers write scripts in popular languages like PowerShell and Python for two primary purposes. Most commonly, they're used to automate malicious tasks such as harvesting data or downloading and extracting a payload. They're also useful for evading detection — bypassing antivirus solutions, extended detection and response (XDR), and the like.

That these scripts are far and away No. 1 on this list is extra surprising to Adrianna Chen, D3's vice president of product and service. "Since Command and Scripting Interpreter (T1059) falls under the Execution tactic, it is in the middle stage of the MITRE ATT&CK kill chain," she says. "So, it is fair to assume that other techniques from earlier tactics have already gone undetected by the time that it's detected by the EDR tool. Given that this one technique was so prominent in our data set, it underscores the importance of having processes to trace back to the origin of an incident."

How to defend against it: Because malicious scripts are diverse and multifaceted, dealing with them requires a thorough incident response plan that combines detection of potentially malicious behaviors with strict watch over privileges and script execution policies.

**Initial Access: Phishing (15.44%)**

What it is: Phishing and its subcategory, spear-phishing (T1566.001-004), are the first and third most common ways attackers gain access to targeted systems and networks. Using the first in general campaigns and the second when aiming for specific individuals or organizations, the goal is to coerce victims into divulging crucial information that will allow a foothold into sensitive accounts and devices.

How to defend against it: Even the smartest and most educated among us fall for sophisticated social engineering. Frequent education and awareness campaigns can go some ways toward protecting employees from themselves and the companies they provide a window into.

**Initial Access: Valid Accounts (3.47%)**

What it is: Often, successful phishing allows attackers access to legitimate accounts. These accounts provide keys to otherwise locked doors, and cover for their various misdeeds.

How to defend against it: When employees inevitably click on that malicious PDF or URL, robust multifactor authentication (MFA) can, if nothing else, act as more hoops for attackers to jump through. Anomaly detection tools can also help if, for example, a strange user connects from a faraway IP address, or simply does something they aren't expected to do.

**Credential Access: Brute Force (2.05%)**

What it is: A more popular option back in the olden days, brute force attacks have stuck around thanks to the ubiquity of weak, reused, and unchanged passwords. Here, attackers use scripts that automatically run through username and password combinations — such as in a dictionary attack — to gain access to desired accounts.

How to defend against it: No item on this list is as easily and wholly preventable as brute-force attacks. Using strong enough passwords fixes the problem on its own, full stop. Other little mechanisms, like locking out a user after repeated login attempts, also do the trick.

**Persistence: Account Manipulation (1.34%)**

What it is: Once an attacker has used phishing, brute force, or some other means to access a privileged account, they can then leverage that account to cement their position in a targeted system. For example, they can change the account's credentials to lock out its original owner, or possibly adjust permissions in order to access even more privileged resources than they already have.

How to defend against it: To mitigate the damage from an account compromise, D3 recommends organizations implement stringent restrictions for accessing sensitive resources, and follow the principle of least privileged access: granting no more than the minimum level of access necessary for any user to perform his or her job.

Besides that, it offers a number of recommendations that can apply to this and other MITRE techniques, including:

*   Maintaining vigilance through continuous monitoring of logs to detect and respond to any suspicious account activities
    
*   Operating under the assumption that the network has already been compromised and adopting proactive measures to mitigate potential damage
    
*   Streamlining response efforts by automating countermeasures upon detection of confirmed security breaches, ensuring swift and effective mitigation
    

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Top MITRE ATT&amp;CK Techniques and How to Defend Against Them

The device management company introduced a Fleet Hardening Score and Privilege Escalation (the good kind) to its endpoint security platform for Apple devices.

Source: baosheng feng via Alamy Stock Photo

Enterprise IT teams responsible for managing Macs and iOS devices are getting new compliance and security tools, device management company Jamf said during its Spring Event. A new capability in Jamf Connect allows the granting of temporary administrative privileges to a local Mac user. That activity data feeds Jamf Protect, which has added a compliance dashboard that presents overall fleet compliance and drills down to individual devices.

Jamf Connect creates a cloud-based identity for each user that, when authenticated, allows them to set up access to the tools and applications they need via VPN. The new feature, Privilege Escalation, temporarily grants end users elevated administrator privileges to perform tasks such as updating device drivers, installing printers, and adding software that's not managed by Self-Service. Once the time IT set for the escalated privileges expires, the user automatically defaults back to the standard user role.

Jamf has also added a compliance dashboard to Jamf Protect, which provides anti-malware tools, threat defense, and metrics for a fleet of macOS and iOS devices. From the dashboard, an administrator can view which devices fall out of compliance with guidelines; update any software, including the OS version, that needs it; and quarantine suspect files automatically. The new Fleet Hardening Score in Jamf Protect is an aggregate baseline score quantifying the organization's overall endpoint security posture. Administrators can drill down to individual devices to understand and remediate issues.

The integration between Jamf Connect and Jamf Protect provides administrators with detailed telemetry about the privileged tasks being performed on the device. Administrators can use the telemetry to audit endpoints and as part of intrusion detection and response.

Apple devices have long established their presence in business. Enterprise-level tools like Jamf's help ensure that those devices stay compliant with expectations for corporate standards in security.

**About the Author(s)**

Tag

#apple