The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-fc9h-whq2-v747: Valid ECDSA signatures erroneously rejected in Elliptic

Organizations should be on high alert until next month's US presidential election to ensure the integrity of the voting process, researchers warn.

Source: Jon Helgason via Alamy Stock Photo

Cyber-threat actors have ramped up their targeting of the 2024 US elections with a flood of malicious activity expected to peak over the next month, aimed at causing disruption to voters and the election process and requiring increased vigilance on the part of stakeholders.

Specifically, attackers have bolstered election-related threat activity since the beginning of the year with an increase in the sale of phishing kits targeting US voters and campaign donors; the registration of more than 1,000 domains aimed at exploiting election-related content for malicious purposes; and increased ransomware activity targeting government entities, according to research from FortiGuard Labs Threat Research released today.

Since the inception of Internet-related threats, cyber-threat actors have typically increased malicious activity ahead of elections, notes Derek Manky, chief security strategist and vice president of global threat intelligence at Fortinet. However, they aim to be especially disruptive during the current election cycle, requiring that all stakeholders be prepared to fend off malicious actors in the upcoming weeks to protect election outcomes.

"As the 2024 US presidential election approaches, it's critical to recognize and understand the cyber threats that may impact the integrity and trustworthiness of the election process and the welfare of the participating citizens," he says.

Indeed, separate research has found that adversaries from Russia, China, and Iran in particular have been using cyber operations to stoke discord and influence election outcomes rather than make direct attacks on voting machines or other voter infrastructure. These more insidious tactics require a different type of vigilance on the part of defenders, the researchers noted.

**Specific Threats to Watch For**

FortiGuard Labs' latest election-threat research is the result of analysis of threats gathered from January 2024 to August 2024 that may affect US-based entities and the electoral process. The researchers discovered several key areas of threat activity that have been on the rise.

One is a significant increase in the availability of affordable phishing kits on the Dark Web designed to target voters and donors by impersonating the presidential candidates and their campaigns. Specifically, the researchers found kits for $1,260 created to impersonate US presidential candidates and to harvest personal information, including names, addresses, and credit card details.

Part of the phishing activity around the current election cycle also includes an increase of highly convincing mobile scams that use phone calls, voicemails, or messaging services that leverage deepfake technology to spread misinformation, which can affect voter outcomes, notes Alex Quilici, CEO at YouMail.

"AI can now create highly convincing voice attacks that make it sound like a trusted figure, such as a candidate, urging you not to vote or spreading false information," he says. "This kind of deception can seriously undermine public trust and disrupt the electoral process."

Attackers also have registered more than 1,000 new potentially malicious domains since the beginning of 2024 that incorporate election-related content and candidates to lure unsuspecting targets and potentially conduct nefarious activities, the researchers noted. The two most-used hosting providers for these election-themed websites are AMAZON-02 and CLOUDFLARENET, demonstrating that attackers are leveraging known, reputable services to bolster the legitimacy of malicious domains.

Another way cyberattackers can spread misinformation and disrupt the democratic process is through the use of people's personal information to directly target them, the researchers noted. Fortinet found that there currently is an abundance of this type of material on the Dark Web, with more than 1.3 billion rows of combo lists — which include usernames, email addresses, and passwords — of US citizens for sale for nefarious use.

The availability of this data poses a considerable risk for credential-stuffing attacks that allow cybercriminals to gain unauthorized access to people's accounts. Overall, the availability of so much personal data of various election stakeholders creates potential indirect disruption in the voting process, notes Casey Ellis, founder and chief strategy officer at Bugcrowd.

"While it may be difficult to use these records to commit the kind of fraud or attacks that would directly modify the outcome of an election, it's certainly a cheap and simple exercise to simply highlight the possibility of their use as a way to instill distrust in the democratic process, and to potential affect and manipulate voter turnout," he says.

FortiGuard Labs researchers also noted a 28% increase in ransomware attacks against the US government year-over-year based on observed leak sites. This type of activity also can threaten the integrity of the election process by undermining citizens' trust in the ability of the government to protect the personal data they collect from them.

**Protect Election Integrity**

To ensure the US presidential election process runs smoothly for all that wish to participate, Fortinet offered some recommendations to prevent and mitigate attacks between now and election day. The researchers advised that individuals and organizations alike always remain vigilant for suspicious behavior or activity leading up to major election-related events and prioritize good cyber hygiene in general to reduce potential threats.

Organizations, especially those related to the election or government agencies, should prioritize employee training and awareness about the cyber threats that exist that aim to disrupt the election process. Enforcing multifactor authentication and a strong password policy across both individuals' and organizations' online accounts also can protect against intrusion.

Finally, any organization with a stake in the election also should install endpoint protection solutions, patch operating systems and Web servers, and update software regularly to ensure systems are as secure as possible, Fortinet recommended.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Unleash Flood of Potentially Disruptive Election-Related Activity

### Impact
Illegal access can be granted to the system.

### References
see https://sakaiproject.atlassian.net/browse/SAK-50571

**SAK-50571 Sakai Kernel users created with type roleview can login as a normal user**

Critical severity GitHub Reviewed Published Oct 14, 2024 in sakaiproject/sakai • Updated Oct 15, 2024

GHSA-cx95-q6gx-w4qp: SAK-50571 Sakai Kernel users created with type roleview can login as a normal user

Typical AI supported scams are after your Google account by pretending to follow up on account recovery requests

Several reputable sources are warning about a very sophisticated Artificial Intelligence (AI) supported type of scam that is bound to trick a lot of people into compromising their Gmail account.

The most recent warning comes from CEO of Y Combinator Garry Tan who posted on X, saying the scammers using AI voices tell you someone has issued a death certificate for you and is trying to recover your account.

> Public service announcement: You should be aware of a pretty elaborate phishing scam using AI voice that claims to be Google Support (caller ID matches, but is not verified)
> 
> DO NOT CLICK YES ON THIS DIALOG— You will be phished
> 
> They claim to be checking that you are alive and… pic.twitter.com/60zeuS2lL8
> 
> — Garry Tan (@garrytan) October 10, 2024

The scammers claim to be checking that you are alive and whether they should disregard a filed death certificate. If you click “Yes, it’s me” on the fake account recovery screen then you’ll likely lose access to your Google account.

In another recent example, Windows expert Sam Mitrovic was targeted by a very similar AI recovery scam.

He explained how the scam unfolds: It starts when he receives a notification of an alleged Gmail account recovery attempt, followed 40 minutes later by a call. The first time Sam misses the call, but when they try the same thing a week later, Sam answers.

In both cases, the notifications come from the US but the calls show “Google Sydney” as the caller. A polite American voice claims there’s been suspicious activity on Sam’s Gmail account and asks whether Sam was travelling.

The caller says there’s been a login attempt from Germany which raises suspicions, given that Sam is at home in the US. The caller says the login has been successful, and that an attacker has had access to Sam’s account for a week and downloaded account data.

Sam remembers the email and missed call from last week, and has the presence of mind to quickly check the caller ID. It looks like a legitimate Google Assistant number.

But knowing how easy it is to spoof a telephone number and pretend to be calling from that number, Sam asks for an email to confirm that the caller actually works for Google. Some typing against the typical background noises of a call center and soon enough the email arrives.

Image courtesy of Sam Mitrovic

The email looks convincing. It comes from a Google domain, has a case number, claims to be from the Google Account Security Team, and it confirms the phone number and the name the caller is using.

While Sam reviews the email, the caller repeatedly says “Hello”. From the pronunciation and the spacing Sam realizes it’s an AI voice and hangs up.

Inspecting the email Sam found that the scammers are using the legitimate Salesforce CRM (customer relationship management) tool which allows you to set the sender to whatever you like and send over Gmail/Google servers.

Other targets that took the scam a little further,  were asked to verify their 2FA, so it stands to reason that the scammers are looking to take over your Google account, but this time for real.

The need to confirm an account recovery, or a password reset, is a notorious method used in phishing attacks. They usually try to trick the target into opening a fake login portal where they need to enter their credentials to report the request as not initiated by them.

Prompt asking: Is it you trying to recover your account?

**How to stay safe**

There are a few signs you can use to identify this type of scams.

The “To” field of the confirmation email Sam received contains an email address cleverly named GoogleMail\[@\]InternalCaseTracking\[.\] com, which is a non-Google domain.

Google Assistant calls usually come from an automated system and only in some cases, from a manual operator. Google Support on the other hand will not contact you unsolicited.

To verify if a security alert is from Google, users can check their **Recent security activity**:

*   Tap your Gmail profile photo in the top right corner
*   Tap **Manage your Google Account**
*   Select the **Security** tab
*   You will see something similar to this:

Here you can find the Review Security Activity button

Any messages claiming to be security alerts from Google that are not listed there will not be from Google.

Do not entertain these scammers for longer than necessary. It doesn’t take them very long to fingerprint your voice which would allow their AI to impersonate you by using your voice.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

 AI scammers target Gmail accounts, say they have your death certificate 

The inherent intelligence of large language models gives them unprecedented capabilities like no other enterprise tool before.

Shaked Reiner, Principal Security Researcher, CyberArk Labs

October 15, 2024

5 Min Read

Source: Krot\_Studio via Alamy Stock Photo

Today, security teams are treating large language models (LLMs) as a vital and trusted business tool that can automate tasks, free up employees to do more strategic functions, and give their company a competitive edge. However, the inherent intelligence of LLMs gives them unprecedented capabilities like no other enterprise tool before. The models are inherently susceptible to manipulation, so they behave in ways they aren't supposed to, and adding more capabilities makes the impact of that risk even more severe.

This is particularly risky if the LLM is integrated with another system, such as a database containing sensitive financial information. It's similar to an enterprise giving a random contractor access to sensitive systems, telling them to follow all orders given to them by anyone, and trusting them not to be susceptible to coercion.

Because LLMs lack critical thinking capabilities and are designed to just respond to queries with guardrails of limited degrees of strength, they need to be treated as potential adversaries, and security architectures should be designed following a new "assume breach" paradigm. Security teams must operate under the assumption that the LLM can and will act in the best interest of an attacker and build protections around it.

**LLM Security Threats to the Enterprise**

There are a number of security risks LLMs pose to enterprises. One common risk is that they can be jailbroken and forced to operate in a way they were not intended for. This can be accomplished by inputting a prompt in a manner that breaks the model's safety alignment. For example, many LLMs are designed to not provide detailed instructions when prompted for how to make a bomb. They respond that they can't answer that prompt. But there are certain techniques that can be used to get around the guardrails. An LLM that has access to internal corporate user and HR data could conceivably be tricked into providing details and analysis about employee working hours, history, and the org chart to reveal information that could be used for phishing and other cyberattacks.

A second, bigger threat to organizations is that LLMs can contribute to remote code execution (RCE) vulnerabilities in systems or environments. Threat researchers presented a paper at Black Hat Asia this spring that found that 31% of the targeted code bases — mostly GitHub repositories of frameworks and tools that companies deploy in their networks — had remote execution vulnerabilities caused by LLMs.

When LLMs are integrated with other systems within the organization, the potential attack surface expands. For example, if an LLM is integrated with a core business operation like finance or auditing, a jailbreak can be used to trigger a particular action within that other system. This capability could lead to lateral movement to other applications, theft of sensitive data, and even making changes to data within financial documents that might be shared externally, impacting share price or otherwise causing harm to the business.

**Fixing the Root Cause Is More Than a Patch Away**

These are not theoretical risks. A year ago, a vulnerability was discovered in the popular LangChain framework for developing LLM-integrated apps, and other iterations of it have been reported recently. The vulnerability could be used by an attacker to make the LLM execute code, say a reverse shell, which would give access to the server running the system.

Currently, there aren't sufficient security measures in place to address these issues. There are content filtering systems, designed to identify and block malicious or harmful content, possibly based on static analysis or filtering and block lists. And Meta offers Llama Guard, which is an LLM trained to identify jailbreaks and malicious attempts at manipulating other LLMs. But that is more of a holistic approach to treating the problem externally, rather than addressing the root cause.

It's not an easy problem to fix, because it's difficult to detect the root cause. With traditional vulnerabilities, you can patch the specific line of code that is problematic. But LLMs are more obscure, and we don't have visibility into the black box that we need to do specific code fixes like that. The big LLM vendors are working on security, but it's not a top priority; they're all competing for market share, so they're focused on features.

Despite these limitations, there are things enterprises can do to protect themselves. Here are five recommendations to help mitigate the insider threat that LLMs can become:

1.  Enforce the privilege of least privilege: Provide the bare minimum privilege needed to perform a task. Ask yourself: How does providing least privilege materially affect the functionality and reliability of the LLM?
    
2.  Don't use an LLM as a security perimeter: Only give it the abilities you intend it to use, and don't rely on a system prompt or alignment to enforce security.
    
3.  Limit the LLM's scope of action: Restrict its capabilities by making it impersonate the end user.
    
4.  Sanitize the training data and LLM output and the training data: Before using any LLM, make sure there is no sensitive data going into the system, and validate all output. For example, remove XSS payloads that are in the form of markdown syntax or HTML tags.
    
5.  Use a sandbox: In the event you want to use the LLM to run code, you will want to keep the LLM in a protected area.
    

The OWASP Top 10 list for LLMs has additional information and recommendations, but the industry is in the early stages of research in this field. The pace of development and adoption has happened so quickly that threat intel and risk mitigation haven't been able to keep up. Until then, enterprises need to use the insider threat paradigm to protect against LLM threats.

**About the Author**

Principal Security Researcher, CyberArk Labs

Shaked Reiner is a principal security researcher at CyberArk Labs with over a decade of experience in reverse engineering and vulnerability research. His expertise spans malware, low-level systems, operating systems, blockchain, and AI. Shaked has a passion for researching peculiar machines and enjoys explaining complex ideas in an accessible way, whether in cybersecurity or philosophy.

LLMs Are a New Type of Insider Adversary

The US presidential election is stirring fears amongst a third of people who worry that their vote could be exposed to outsiders.

As the United States enters full swing into its next presidential election, people are feeling worried, unsafe, and afraid.

And none of that has to do with who wins.

According to new research from Malwarebytes, people see this election season as a particularly risky time for their online privacy and cybersecurity. Political ads could be hiding online scams, many people feel, and the election, they say, will likely fall victim to some type of “cyber interference.” Amidst this broader turbulence, 32% are “concerned about who could learn \[their\] vote”—be they family, spouses, or cybercriminals.

For this research, Malwarebytes conducted a pulse survey of its newsletter readers between September 5 and 16, 2024, via the Alchemer Survey platform. In total, 1600 people across the globe responded.

Broadly, Malwarebytes found that:

*   74% of people “consider US election season a risky time for personal information.”
*   Despite a tight presidential race, a shocking 3% of people said they **will not vote** because of “privacy or security concerns.”
*   Distrust in political ads is broad—62% said they “disagree” or “strongly disagree” that the information they receive in US election-related ads is trustworthy.
*   The fears around election ads are not just about trustworthiness, but about harm. 52% are “very concerned” or “concerned” about “falling prey to a scam when interacting with political messages.” 
*   57% have responded to these concerns with action, taking several steps to protect their personal information during this election season.

The electoral process is (forgive us) a lot like cybersecurity: It scares people, it’s hopelessly baroque, and, through a lack of participation, it can produce unwanted results.

Here is what Malwarebytes discovered about the intersection of cybersecurity and elections, with additional guidance on how to protect personal information this season.

****Open distrust****

Getting more than 70% of people to agree on anything is remarkable. And yet, 74% of survey participants said that they “consider US election season a risky time for personal information.” Drilling further into the data, 56% said they were “extremely concerned” or “very concerned” about the security of their personal information during this election season.

The reasons could be obvious. Unlike any other season in America, election season might bring the highest volume of advertisements sent directly to people’s homes, phones, and email accounts—and the accuracy and speed at which they come can feel invasive. The network of data brokers that political campaigns rely on to target voters with ads is enormous, as one Washington Post reporter found in 2020, with “3,000 data points on every voter.”

Escaping this data collection regime has proven difficult for most people. Just 9.6% of survey participants said they “have not received any election related ads” this year.

Elsewhere, 60% had received election-related ads through emails, 58% through physical mailers, 55% through text messages, 40% through social media, and 29% through phone calls.

Those ads may be falling on deaf ears, though. When asked whether they trust the information they receive from US election-related ads, just a combined 5% said they “agree” or “strongly agree” with the sentiment.

****A focus on cybercrime****

While people hold a sense of distrust for election-related ads, they also revealed another emotion towards them: Fear.

That’s because the majority of survey participants said they were worried that these ads and other political messages could be hiding dangerous scams underneath. Most people (52%) said they were “very concerned” or “concerned” about “falling prey to a scam when interacting with political messages.” 

It’s a well-founded concern as, once again during this election season, cybercriminals are trying to lure Americans into online scams with messages about updated voter registrations, campaign donations, and more.

Survey participants also showed widespread fear about whether cybercriminals could reveal who they voted for.

Remember that 32% of participants said they were worried that someone “could learn about \[their\] vote.” When asked _who_, specifically, they were worried about, 73% said cybercriminals. A revealing 2% held fears around their votes being exposed to a family member or a spouse.

Finally, though Malwarebytes did not directly tie the concept of “cybercrime” to the election itself, survey participants were asked about “cyber interference.” When rating their own confidence level in whether the election process will be free from cyber interference, a combined 74% said they were “not very confident” or “not confident at all.”

This statistic should not be interpreted to mean that 74% of people believe the election will be “hacked” or that votes will be switched by an adversarial government—a scenario that has never provably occurred in the US. Instead, it may point to how people interpret “cyber interference. It could include, for example, the pilfering of personal data for political advertisements, or the wanton online distribution of political disinformation to sway voters.

****Taking action****

With distrust rampant and anxiety wide, people are refusing to enter this election season without some precautions.

Two thirds of survey participants (66%) have either taken steps or plan to take steps to secure their personal data during this election season. Malwarebytes asked about several cybersecurity and online privacy measures that, particularly when facing off against online scams, could protect people from having their accounts taken over, their identities stolen, or even their personal information exposed for marketing reasons.

Survey participants took on the following measures:

*   77% enabled Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA) across their accounts
*   47% actively use a password manager
*   41% purchased identity theft protection services
*   31% researched the origins of the campaigns they engage with
*   24% locked down their social media profiles
*   12% used a data broker removal service

On the reverse, Malwarebytes found a small but critical number of people who will refuse to vote during this election “due to privacy or security concerns”—a combined 3% “agreed” or “strongly agreed” with this sentiment.

****Staying safe****

There’s good reason this election season for Americans to be concerned about their online privacy and security—but that doesn’t mean that Americans have to spend the next month riddled with anxiety. This month, people can take the following advice to secure their personal information, lock down their sensitive accounts, and, overall, stay safe from malicious scammers and cybercriminals.

*   **Watch out for fake emails and text messages.** Unless you directly reach out, avoid clicking on links or engaging with these political communications. Instead, go directly to the campaign’s website for information or links to donate.  
*   **Be mindful of sharing personal information**. As a general rule, don’t engage in surveys that ask for personal information. You can check what information is already available about you on the dark web with our free Digital Footprint scan or take the first step in removing your personal information from the network of data brokers online with our Personal Data Remover scan.  
*   **Avoid robocalls and phone scams**. Hackers can spoof phone numbers and impersonate official organizations. Be suspicious of unsolicited phone calls. Immediately hang up, don’t share personal information, and report the phone number.

 Election season raises fears for nearly a third of people who worry their vote could be leaked 

As a small business owner, you may think you are too insignificant to ever be on a cybercriminal’s…

As a small business owner, you may think you are too insignificant to ever be on a cybercriminal’s radar. The truth, however, is that in today’s digital world, all businesses can be a target, not only large ones, so believing that it won’t happen to you can only leave you vulnerable to attacks.

It’s understandable that your main priority as a small business is to focus on maintaining profits or your growth. There are many tasks that you need to pay attention to, from managing employees and expanding your customer base to controlling costs, and since you have a lot on your plate, cybersecurity can often fall to the bottom of the to-do list.

However, you risk facing lasting consequences if you don’t prioritize keeping your business secure. You never know when a disaster will strike unexpectedly, jeopardizing all your hard work and the future you’ve envisioned for your small business. 

It can be such a nightmare when this happens. Unfortunately, it happens often, leading to operational disruptions, financial losses, and loss of customer trust – and the truth is that it can be very hard to overcome such setbacks. Instead of having a “it won’t happen to me” mentality, taking the necessary steps to protect your small business is essential.

If you don’t know where to begin when it comes to strengthening cybersecurity, you’ve come to the right place. In this blog, we will offer 5 tips on navigating cybersecurity challenges and keeping your business safe. Read on!

****Educate employees** **

Did you know that around 90% of data breaches happen due to human error? That’s right – your employees are one of the biggest risks when it comes to cybersecurity, so if you want to safeguard your operations and data, you should begin by improving their awareness of cybersecurity challenges and solutions. Begin by assessing what your security culture currently looks like it could be great, terrible, or somewhere in the middle, and once you understand where you’re at, you can start developing solutions to educate employees about it. 

Consider investing in cybersecurity training for your staff, such as teaching them how to recognize phishing emails and developing clear policies on how to manage and protect customer and business data. You may also want to send regular reminders to employees not to open attachments or click on links they receive from unknown individuals. 

****Use MFA****

More than 99% of compromised accounts don’t use multi-factor authentication, and this is a big mistake because it makes them vulnerable to brute-force and phishing attacks. MFA is an excellent way to strengthen your small business’s cybersecurity, protecting accounts from bad actors and offering significant security benefits.

Implementing MFA will protect against external threats and safeguard your small business against insider attacks, which often happen when employee credentials are compromised. MFA requires extra verification factors, helping ensure that even if an employee’s password is compromised, the attacker cannot access sensitive data anyway. For a small business, MFA can be a valuable tool that adds an extra layer of security, reducing considerably the risk of data breaches, protecting sensitive data, and providing business continuity. 

****Monitor, identify, and respond to cyber threats****

Looking for potential threats, spotting them, and taking the necessary steps to reduce or stop the damage is the centerpiece of cybersecurity. The truth is that cyber-attacks never stop, and your cybersecurity efforts shouldn’t stop, either, as this constant vigilance will help you catch threats before they become catastrophes with lasting consequences on your operations. However, as a small business, we know that it can be challenging to monitor and identify potential threats, as there are other things that you need to focus on. That’s where cybersecurity services can help. 

Cybersecurity services are part of managed IT services, bringing in the knowledge and expertise your small venture needs to thrive without significant disruptions. They can help you stay on top of the latest cybersecurity solutions by providing a proactive approach and coming up with a strong cybersecurity plan. Instead of reacting to threats, a cybersecurity service can help you eliminate them before they become an issue that threatens the continuity of your business.

Therefore, if you want to save time and money and ensure your small business runs smoothly, consider looking for a reliable team that can provide top-notch security. It’s a worthwhile investment that will keep your business running smoothly and unharmed by bad actors’ sophisticated attacks. 

****Keep your systems and software up to date****

System exposures and software vulnerabilities can make it easier for cybercriminals to sneak in and compromise your data. As the IT infrastructure evolves, the number of weaknesses that need to be fixed becomes challenging to manage for any business, let alone a small one, as attackers can now employ AI and ML to easily find what’s vulnerable. In this context, it becomes paramount to manage vulnerabilities, which will minimize the probability of exposure to threats and keep your business safe. 

First, it’s important to scan continuously to find new vulnerabilities, or the ones you’ve overlooked previously before cybercriminals can find them. Automating vulnerability management is also a good idea, as this will help ensure that the patches will be installed quickly whenever needed. 

****Have an incident response plan in place****

When a cybersecurity incident occurs, any second you waste can affect your business, so you need a response that operates like a well-oiled machine. The truth is that no matter how prepared you are, you could still become a victim of cybercrime, and it’s essential to know what to do in case that happens. A good incident response plan should outline the responsibilities and roles of each person in the company, along with all the steps needed during a breach. 

With a well-defined incident response plan in place, you can reduce the damage and duration of a cybersecurity incident, speeding up recovery time and reducing negative publicity, among other things, so it’s essential not to overlook this step. 

****The bottom line****

When your defenses are weak, cyber criminals can easily compromise your data and use it for malicious purposes. This can disrupt your business tremendously and cause customers to lose their trust in you. Luckily, this can be prevented if you take the steps outlined in this blog. Remember, you are by no means too small to face a cyber threat, so adopt a security-first mindset and safeguard your business from evolving attacks. 

1.  Top 3 data security risks facing businesses
2.  Approaching Complex Data Security for Small Businesses
3.  Why small business corporations fall easy prey to hackers
4.  The Top Mobile Security Considerations for Business Travelers
5.  Securing Online Business Transactions: Essential Tools, Practices

Small Business Owners Must Prioritize Cybersecurity to Stay Operational

Global Intelligence claims its Cybercheck technology can help cops find key evidence to nail a case. But a WIRED investigation reveals the smoking gun often appears far less solid.

This AI Tool Helped Convict People of Murder. Then Someone Took a Closer Look

Use SSO, don't use SSO. Have MFA, don't have MFA. An analysis of a snapshot of organizations using Push Security's platform finds that 99% of accounts susceptible to phishing attacks.

With organizations adopting cloud services, mobile devices, and other digital technologies to meet customer needs and to support an increasingly remote workforce, identity is the security perimeter. Identity is where organizations authenticate, authorize, and manage users, applications, and devices. This requires organizations to invest in identity technologies such as single sign-on, multifactor authentication, continuous monitoring, and identity access management.

Currently, there are a lot of gaps that leave organizations vulnerable to identity-based attacks such as credential stuffing, brute-force, and phishing.

In an analysis of 300,000 accounts and associated login methods, Push Security’s research team calculated the average employee in an average organization has 15 identities. A little over a third (37%) of identities used password-based logins with no MFA enabled, according to Push Security data.

According to the analysis, 61% of accounts relied only on single sign-on, and 29% had only passwords, and 10% of identities allowed both single sign-on and a password. Almost two-thirds (63%) of accounts — regardless of whether single sign-on was available or not — used some form of MFA. Almost all of them relied on what Push Security deemed “phishable MFA,” which refers to methods vulnerable to bypass attacks such as MFA fatigue or advanced attacker-in-the-middle phishing toolkits. Less than 1% of accounts using single sign-on methods used “phishing-resistant MFA,” according to Push Security.

For accounts that had only a password, 80% did not have MFA enabled, while 40% of accounts that had both SSO login and a password lacked MFA.

The problem with accounts having both SSO and passwords is that it opens the door to ghost logins, or situations where an account has multiple login methods. In this case, despite having single sign-on, these accounts could potentially be compromised if the attacker figures out the password via credential stuffing or brute-force attacks.

Even in cases where SSO is used, there is a password login to the identity provider at the beginning of the flow. A look at the identity provider account shows that 17% does not have MFA enabled, and 10% reused passwords. If this password is somehow compromised — perhaps by credential stuffing or phishing — the accounts with SSO logins are also compromised.

Another thing about MFA: identity provider accounts are among the “most critical accounts that a user can have,” Push Security noted, but 20% are missing MFA.

What was also worrying that 9% of identities had a breached, weak, or reused password and had no MFA enabled, making these identities susceptible to attack. “Accounts that are missing MFA are vulnerable to credential stuffing attacks targeting stolen, weak, or reused passwords, and even the most basic phishing toolkits,” Push Security said.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Even Orgs With SSO Are Vulnerable to Identity-Based Attacks

Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates.
French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma.
Hijack Loader, also known as DOILoader, IDAT Loader, and

Threat Detection / Malware

Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates.

French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma.

Hijack Loader, also known as DOILoader, IDAT Loader, and SHADOWLADDER, first came to light in September 2023. Attack chains involving the malware loader typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.

Recent variations of these campaigns have been found to direct users to fake CAPTCHA pages that urge site visitors to prove they are human by copying and running an encoded PowerShell command that drops the malicious payload in the form of a ZIP archive.

HarfangLab said it observed three different versions of the PowerShell script starting mid-September 2024 -

*   A PowerShell script that leverages mshta.exe to execute code hosted on a remote server
*   A remotely-hosted PowerShell script that's directly executed via the Invoke-Expression cmdlet (aka iex)
*   A PowerShell script that employs msiexec.exe to download and execute a payload from a remote URL

The ZIP archive, for its part, includes a genuine executable that's susceptible to DLL side-loading and the malicious DLL (i.e., Hijack Loader) that's to be loaded instead.

"The purpose of the sideloaded HijackLoader DLL is to decrypt and execute an encrypted file which is provided in the package," HarfangLab said. "This file conceals the final HijackLoader stage, which is aimed at downloading and executing a stealer implant."

The delivery mechanism is said to have changed from DLL side-loading to using several signed binaries in early October 2024 in an attempt to evade detection by security software.

It's currently not clear if all the code-signing certificates were stolen or intentionally generated by the threat actors themselves, although the cybersecurity firm assessed with low to medium confidence that it could be the latter. The certificates have since been revoked.

"For several issuing certificate authorities, we noticed that acquiring and activating a code-signing certificate is mostly automated, and only requires a valid company registration number as well as a contact person," it said. "This research underscores that malware can be signed, highlighting that code signature alone cannot serve as a baseline indicator of trustworthiness."

The development comes as SonicWall Capture Labs warned of a surge in cyber attacks infecting Windows machines with a malware dubbed CoreWarrior.

"This is a persistent trojan that attempts to spread rapidly by creating dozens of copies of itself and reaching out to multiple IP addresses, opening multiple sockets for backdoor access, and hooking Windows UI elements for monitoring," it said.

Phishing campaigns have also been observed delivering a commodity stealer and loader malware known as XWorm by means of a Windows Script File (WSF) that, in turn, downloads and executes a PowerShell script hosted on paste\[.\]ee.

The PowerShell script subsequently launches a Visual Basic Script, which acts as a conduit to execute a series of batch and PowerShell scripts to load a malicious DLL that's responsible for injecting XWorm into a legitimate process ("RegSvcs.exe").

The latest version of XWorm (version 5.6) includes the ability to report response time, collect screenshots, read and modify the victim's host file, perform a denial-of-service (DoS) attack against a target, and remove stored plugins, indicating an attempt to avoid leaving a forensic trail.

"XWorm is a multifaceted tool that can provide a wide range of functions to the attacker," Netskope Threat Labs security researcher Jan Michael Alcantara said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git