Shared posts

01 Feb 20:44

Tamper protection on macOS is now generally available

by Camilla_Djamalov

We are pleased to announce that Microsoft Defender for Endpoint's tamper protection feature, previously available in Public Preview, is now generally available on macOS devices and will be rolling out over the next few days. 


Ensure that you are running Microsoft Defender for Endpoint for macOS version 101.75.90 or later, available through Microsoft AutoUpdate, to use the capability.


What is Tamper protection?

Tamper protection brings an additional layer of protection in Microsoft Defender for Endpoint to elevate the endpoint security posture of organizations. Reliably securing endpoints is crucial for any organization. Enhanced tamper resilience across prevalent platforms is a great advantage for organizations seeking to continuously enhance their endpoint security.


What does this mean for me?

This feature will be released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability.

In audit mode, the following events are logged (audited) rather than blocked:

  • Actions to uninstall Defender for Endpoint agent
  • Deletion/renaming/modification of Defender for Endpoint files
  • The creation of new files under Defender for Endpoint installation locations

While in audit mode, tamper protection (TP) signals can be viewed via Advanced Hunting and in local on-device logs. No tampering alerts are raised in the Security Center while in audit mode; alerts are raised in the portal only in block mode.


To observe tampering events in the portal, you can use the following query in Advanced Hunting:


// Table names assumed here (they are not visible in this post): DeviceInfo carries
// OSPlatform, DeviceEvents carries ActionType.
DeviceInfo
| where OSPlatform == 'macOS'
| join kind=rightsemi (
    DeviceEvents
    | where ActionType contains "TamperingAttempt"
) on DeviceId


Figure 1: The following screenshot demonstrates querying for tampering events via Advanced Hunting


If you want to check the status of the feature on a single device, run the command “mdatp health” and look for the tamper_protection field; it will display “audit”, “block” or “disabled” according to your configuration.


The logs can also be found locally on the device. Tampering events are logged in: “Library/Logs/Microsoft/mdatp/microsoft_defender_core*.log”
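As an added illustration (not code from the post), the following Python reads the tamper_protection and app_version fields out of `mdatp health`-style output, checks them against the 101.75.90 minimum, and triages core log lines into the three audited event categories listed above. The health output layout and the log line format are constructed for this example; the real microsoft_defender_core log format is not shown here.

```python
import re
from collections import Counter
from typing import Dict

# Minimum agent version stated in the post for tamper protection on macOS.
MIN_VERSION = "101.75.90"

# Constructed sample in the "field : value" layout that `mdatp health` prints.
SAMPLE_HEALTH = """\
healthy                      : true
real_time_protection_enabled : true
tamper_protection            : "audit"
app_version                  : "101.75.90"
"""

# Constructed log lines (the real microsoft_defender_core*.log format is not
# shown on the page); the paths are illustrative Defender install locations.
SAMPLE_LOG = """\
2023-02-01 10:15:02 [info] engine started
2023-02-01 10:15:40 [warning] TamperingAttempt action=delete path="/Library/Application Support/Microsoft/Defender/wdavdaemon.plist" pid=4242
2023-02-01 10:16:05 [warning] TamperingAttempt action=rename path="/Applications/Microsoft Defender.app" pid=4242
2023-02-01 10:17:11 [warning] TamperingAttempt action=create path="/Library/Application Support/Microsoft/Defender/dropped.dylib" pid=5100
2023-02-01 10:18:30 [warning] TamperingAttempt action=uninstall path="/Applications/Microsoft Defender.app" pid=5100
"""

HEALTH_LINE = re.compile(r'^\s*(\w+)\s*:\s*"?(.*?)"?\s*$')
TAMPER_LINE = re.compile(r'^(\S+ \S+) .*TamperingAttempt action=(\w+) path="([^"]+)" pid=(\d+)')

# The three event categories the post says audit mode logs.
CATEGORY = {
    "uninstall": "agent uninstall",
    "delete": "file deleted/renamed/modified",
    "rename": "file deleted/renamed/modified",
    "modify": "file deleted/renamed/modified",
    "create": "new file in install location",
}


def parse_health(text: str) -> Dict[str, str]:
    """Turn `mdatp health` style output into a dict, stripping surrounding quotes."""
    fields = {}
    for line in text.splitlines():
        m = HEALTH_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def version_tuple(v: str):
    return tuple(int(p) for p in v.split("."))


def check_readiness(health_text: str) -> dict:
    """Is the agent new enough, and what does the configured mode actually do?"""
    f = parse_health(health_text)
    mode = f.get("tamper_protection", "disabled")
    return {
        "version_ok": version_tuple(f.get("app_version", "0")) >= version_tuple(MIN_VERSION),
        "mode": mode,
        "blocks_tampering": mode == "block",
        # Audit mode only logs locally and to Advanced Hunting; portal alerts need block mode.
        "raises_portal_alert": mode == "block",
    }


def triage_log(text: str) -> dict:
    """Count tampering attempts per audited category and list what was touched."""
    counts = Counter()
    events = []
    for line in text.splitlines():
        m = TAMPER_LINE.match(line)
        if not m:
            continue
        ts, action, path, pid = m.groups()
        cat = CATEGORY.get(action, "other")
        counts[cat] += 1
        events.append({"time": ts, "category": cat, "path": path, "pid": int(pid)})
    return {"counts": dict(counts), "events": events}


if __name__ == "__main__":
    print(check_readiness(SAMPLE_HEALTH))
    print(triage_log(SAMPLE_LOG)["counts"])
```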


How can I start benefitting from this new capability?

You can leverage the audit mode (default mode) to get a sense of how the feature detects actions that are indicative of tampering attempts. Later this year, we will offer a gradual rollout mechanism that will automatically switch endpoints to block mode; note this will only apply if you have not specifically made a choice to either enable (block mode) or disable the capability.


If you decide to turn the feature on and move it to block mode, logging of each suspected tampering action will be complemented with its actual blocking and a corresponding alert in the security center portal. To turn the feature off entirely you can disable Tamper Protection.


Learn more about tamper protection and how to control it in your environment: Tamper Protection on macOS.


01 Feb 20:44

Network Protection and Web Protection for macOS and Linux

by NickWelton

Update - 1/31/2023 - Microsoft will begin incrementally rolling out the functionality for all macOS devices to enable Network Protection on 1/31/2023 with target completion, subject to change, by 3/24/23.


Over the last two years, the world has dramatically changed, both in our daily lives and in how companies conduct business. In the pre-pandemic world, eroding network boundaries and the maturity of SaaS applications precipitated endpoint-first design. The pandemic and post-pandemic era demand it: the world is embracing hybrid workplaces and zero trust postures.


When we first launched Network Protection for Windows and built powerful Web Protection and Microsoft Defender for Cloud Apps (MDA) capabilities on top of it, we knew our vision to bring you our proxy-less, endpoint-first architecture would remain incomplete until we delivered for macOS and Linux. That day has arrived, and we could not be more excited to share that Network and Web Protection for macOS is now generally available and in Public Preview for Linux!


Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.


It is the foundation on which our Web Protection for Microsoft Defender for Endpoint is built. These capabilities include Web threat protection, Web content filtering, and IP/URL Custom indicators. Web protection enables you to secure your devices against web threats and helps to regulate unwanted content.


Network protection also integrates Microsoft Defender for Endpoint with Defender for Cloud Apps natively. Currently, the integration for macOS and Linux only supports endpoint enforcement capabilities.

How to evaluate Network Protection and the features it enables:


Explore Network Protection on macOS


For Network Protection for macOS to be active on your devices, Network Protection must be enabled by your organization. We suggest deploying the audit or block mode policy to a small set of devices and verifying there are no issues or broken workstreams before gradually deploying to a larger set of devices.


Prerequisites & Requirements  

  • Licensing: Microsoft Defender for Endpoint tenant (can be trial) 
  • Onboarded Machines: 
    • Minimum macOS version: 11 (Big Sur)
    • MDE product version: 101.94.13

Once the prerequisites have been met, follow installation and configuration instructions in Use network protection to help prevent macOS connections to bad sites | Microsoft Docs


Here is how the experience looks on macOS: 



Explore Network Protection on Linux


Prerequisites & Requirements  

Once the prerequisites have been met, follow installation and configuration instructions in Use network protection to help prevent Linux connections to bad sites | Microsoft Docs


How do I verify my Mac/Linux device is configured properly?

  1. Navigate to which will block the browser from loading the page. On macOS an accompanying toast message will also be shown.

 On Linux the connection will be disallowed as shown below. There will be no accompanying toast message in Linux:



Alternatively, you can also test this from the Terminal by running the following command and noticing that the connection is blocked by the Network Protection: 



How do I explore the features?

  1. Protect your organization against web threats | Microsoft Docs
    1. Web threat protection is part of Web protection in Microsoft Defender for Endpoint. It uses network protection to secure your devices against web threats.
  2. Run through the IP/URL Custom Indicators of Compromise flow to get blocks on the Custom Indicator type. 
  3. Explore Web content filtering | Microsoft Docs 
    1. Note: if you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
    2. Pro Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
  4. Integrate Microsoft Defender for Endpoint with Cloud App Security | Microsoft Docs and your Linux and macOS devices with Network Protection enabled will have endpoint policy enforcement capabilities.

Note: Discovery and other features are currently not supported on macOS and Linux platforms.





On device experience 

When an end user attempts to access monitored domains on macOS/Linux, their navigation effort will be audited/blocked (depending on Network Protection policy). On macOS, the user will also be informed by Microsoft Defender for Endpoint via toast.





The user will get a plain block experience accompanied by the following toast message which will be displayed by the operating system including the name of the blocked application or website (e.g  


No block pages are shown in third-party browsers; the user sees a "Secure Connection Failed" page along with a toast notification. Depending on the policy responsible for the block, a user will see a different message in the toast notification. For example, web content filtering will display the message "This content is blocked".




 We are looking forward to hearing your feedback and answering any questions you may have!


Reference Documents

Microsoft Defender for Endpoint on Mac documentation - Microsoft Defender for Endpoint on Mac | Microsoft Docs 

Microsoft Defender for Endpoint on Linux documentation - Microsoft Defender for Endpoint on Linux | Microsoft Docs

About Microsoft Defender for Endpoint Network Protection - Use network protection to help prevent connections to bad sites | Microsoft Docs 

About Microsoft Defender for Endpoint Network Protection on Linux - Use network protection to help prevent Linux connections to bad sites | Microsoft Docs

About Microsoft Defender for Endpoint Network Protection on macOS - Use network protection to help prevent macOS connections to bad sites | Microsoft Docs

Enable Network Protection - Turn on network protection | Microsoft Docs

Web Protection - Web protection | Microsoft Docs 

Custom Indicators - Create indicators | Microsoft Docs 

Web Content Filtering (WCF) - Web content filtering | Microsoft Docs 

Microsoft Defender for Cloud Apps - Integrate Microsoft Defender for Endpoint with Cloud App Security | Microsoft Docs 

Edge Browser Setup - 


Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.

Microsoft Defender for Endpoint team

01 Feb 20:44

How to deploy Attack Surface Reduction rules to Azure VMs using Azure Guest Configurations

by mahmoudmsft

Disclaimer: Under normal circumstances ASR rules should only be deployed using the following methods mentioned in this document:

In rare cases where VMs are server OSs, non-domain joined, and not managed by SCCM or third-party management solutions, Azure Automation State Configuration or the new version of Azure DSC, using the guest configuration feature of Azure Policy, can be used as an alternative solution to centrally deploy ASR rules. Learn more about Azure Guest configuration.


Example Scenario:

Let's assume there is a requirement to enable and deploy the ASR rule "Block execution of potentially obfuscated scripts" (GUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc). Follow the steps below to accomplish this task.


Step 1: Create the MOF configuration file

The following is a sample state configuration script using the DSC Script resource.


Configuration ASRDSC
{
    Import-DscResource -ModuleName 'PSDscResources'

    Node localhost
    {
        Script ASRTest
        {
            # Enable the rule in audit mode; use Enabled instead of AuditMode to block.
            SetScript = {
                Add-MpPreference -AttackSurfaceReductionRules_Ids "5beb7efe-fd9a-4556-801d-275e5ffc04cc" -AttackSurfaceReductionRules_Actions AuditMode
            }
            # Return $true when the rule ID is already configured, so SetScript is skipped.
            TestScript = {
                $asr_rules = (Get-MpPreference).AttackSurfaceReductionRules_Ids
                $test = [bool]($asr_rules -contains "5beb7efe-fd9a-4556-801d-275e5ffc04cc")
                return $test
            }
            GetScript = { @{ Result = "String" } }
        }
    }
}

# Compile the configuration; localhost.mof is written to C:\Scripts\ASRTEST
ASRDSC -OutputPath 'C:\Scripts\ASRTEST'


The state configuration first checks whether the ASR rule ID 5beb7efe-fd9a-4556-801d-275e5ffc04cc is already configured; if it is not, it runs the Add-MpPreference command, setting the rule to audit mode on the local VM. The same Add-MpPreference command can also put ASR rules into the enabled state.

This script can be compiled using the dot sourcing method. 




. C:\Scripts\asrtest.ps1


Once resolved, a file called localhost.mof should be created and found under the C:\Scripts\ASRTEST folder.

Step 2: Create the artifacts package

Now that we have the MOF file, we can create the package. Step-by-step instructions can be found here. 


# Create a package
New-GuestConfigurationPackage `
  -Name 'MyConfig' `
  -Configuration './ASRTEST/localhost.mof' `
  -Path 'C:\scripts' `
  -Type Audit


Step 3: Publish the package

Now that the package is ready, we can publish (upload) the package to an Azure Storage account where it is ready to be consumed by Azure Policy. Step-by-step instructions can be found here.


Step 4: Create a policy definition

To start deploying this package to target VMs in a resource group, for example, a new Azure policy definition needs to be created. We want to create this policy definition by using the "guest configuration" category. Creating this new policy requires using the New-GuestConfigurationPolicy and New-AzPolicyDefinition commands to publish the policy to the Azure Policy portal. Step-by-step instructions can be found here.


Now we can deploy ASR rules centrally and have a compliance view right from Azure Policy.


Please note: this method for deploying ASR should only be used as a last resort, given the complexity and knowledge required for DSC PowerShell scripting and its limitations.


We hope that you found this article and the additional step-by-step resources helpful.

01 Feb 20:42

Fox Censors Stopped Batman: The Animated Series From Turning Bruce Wayne Into A Vampire

by Joe Roberts

No one likes censors, but the ones over Fox always seemed to get an especially bad rap — especially back in the '90s. "The Simpsons" killed the Fox censor in the intro to "Treehouse of Horror VIII," and numerous absurd Standards and Practices notes have come to light over the years, including one from Fox Kids' "Spiderman: The Animated Series" which demanded Spidey not "harm the pigeons" when he landed on rooftops.

In fact, "Spiderman: TAS" showrunner John Semper Jr. recalled in an interview how by the time his show debuted in 1994, "there was a LOT of censorship at Fox." The company had seen their mega-popular "Mighty Morphin' Power Rangers" banned in Canada and were more stringent than ever, especially when it came to kids' programming. As Semper recalled:

"When I watch the older episodes of 'Batman' that first aired on Fox, they do all kinds of things that we couldn't do. By the time Spidey came on, Fox wouldn't let us do anything like that. No fists to the face, no realistic guns, no fire, no crashing through glass, no children in peril, no mention of the words death, die, or kill."

In reality, "Batman: The Animated Series" was heavily censored when it arrived in 1992 — the writers just found clever ways around it. Similar to "Spiderman: TAS," there was famously a list of nine things they couldn't show, all of which were immortalized in an infamous illustration designed by Henry Gilroy and Bruce Timm and tweeted by Mark Hamill himself. They included guns, drugs, breaking glass, alcohol, smoking, nudity, child endangerment, religion, and strangulation. And while the writers found clever ways to get around a lot of these, there were some things that they simply couldn't get past Murdoch's watchdogs.

The Unmade Vampire Episode

Despite having a lot of creative freedom, co-creators of "Batman: TAS," Bruce Timm and Eric Radomski often had to yield to the pesky Fox censors. In an interview with, Timm explained how he'd always wanted to do an episode where Batman was transformed into a vampire:

"There's a character in the comics called Nocturna! And it didn't get much past the idea phase, we floated it past Fox Kids and they said 'Nope! No Vampires!' and I said, 'Well what if he wasn't really a Vampire?' And they said, 'No Vampires!'"

Timm even got as far as designing his version of Nocturna, the villainess from the comics whose unfortunate run-in with a radioactive laser resulted in a pallid complexion and sensitivity to light. But according to writer and producer Alan Burnett, in Timm's vision of the character she actually was "a vampire, which would've involved bloodletting, which was a huge no-no for kids' TV." 

It seems that this was one breach of Fox's rules that "Batman: TAS" writers couldn't sneak past the censors. Previously they'd tried tactical cuts to get around showing actual punches, and, as Dorkly explains, "censor decoys" designed to distract from the actual stuff the writers wanted to keep in. But Nocturna and Timm's vision of turning Batman into a vampire was shut down before it could even get to a stage where he could deploy his decoys and clever cuts.

Timm Eventually Got To Do Vampire Batman

Years after "Batman: TAS" ended in 1995, Timm would work on the story for the 2015 animated movie "Justice League: Gods and Monsters" — which just so happens to share part of its name with phase one of James Gunn's new DCU movies. Timm's movie took place in an alternate DC universe where he could create wildly different versions of DC's heroes and villains. Asked about the project in an interview with Den of Geek, the writer and artist recalled how he had read a quote from Batman creator Bob Kane, who said that "Batman is half Dracula and half Zorro," which he credits as the origin of his desire to make the Dark Knight an actual vampire.

Recalling his attempts to do just that on the '90s animated series, Timm clarified that he'd only ever got as far as Nocturna's design before being told "no" by Fox, and that in his original plan, Nocturna would have turned Batman temporarily into a vampire. Unfortunately the idea was nixed so quickly that he never even came up with a design for vampire Bats. 

Thankfully, he got to see his idea come to life in "Gods and Monsters" where Kirk Langstrom becomes a vampire version of Batman. In the DCU proper, Langstrom was the scientist who became Man-Bat after testing his bat mutagen serum on himself. Man-Bat was the villain in the very first "Batman: TAS" episode, "On Leather Wings," wherein Langstrom becomes the grotesque beast before being saved by Batman in what is arguably a more upsetting visual than any vampire Batman would have been. Still, at least Timm eventually got to see his vampire Batman vision come to life, even if it took 20 years.

Vampire Batman Vs. Morbius

Considering the dark and foreboding style of "Batman: TAS" and the fact that Langstrom's horrifying Man-Bat transformation was given a pass, it's kind of crazy to think that a vampire storyline was ruled out before it had even started. It would have fit the tone of the show nicely, and could easily have been one of the best episodes of "Batman: TAS". Alas, the Fox censors were clearly keen not to have another one of their shows banned.

Over on the Marvel side, John Semper Jr. did manage to get a vampire episode of "Spider-Man: TAS" past the censors, which has become a point of pride for him. In episode 6 of season 2, Morbius shows up, but only because of some compromises that were made — namely, that the villain would only drain people's blood through suction cups on his hands. In an interview, Semper explained: 

"It was so successful that we decided to stretch it for two more episodes. I have a good relationship with Broadcast Standards and Practices, in that I recognize that what they're trying to do is important, and philosophically I am not opposed to what they're trying to do. I think there were writers on 'Batman' who decided that they were going to wage war against Broadcast Standards and Practices. I think that's an unproductive attitude."

Shots fired! Meanwhile, Timm remained unfazed by the whole thing, telling "["Spider-Man: TAS"] did that really lame one right? He had like suction cups on his hands? So that was fine. Like if I wasn't going to do it properly, I wasn't going to do it."

Ouch! If nothing else, at least the Fox censors helped stoke the most amusingly lame rivalry in entertainment history by getting Semper and Timm all riled up.


The post Fox Censors Stopped Batman: The Animated Series From Turning Bruce Wayne Into A Vampire appeared first on /Film.

01 Feb 20:27

Improving device discoverability and classification within MDE using Defender for Identity

by YakirZilberman

Having visibility into the devices on a network is very important for an organization to help prevent cyberattacks in an ever-expanding threat landscape. Additionally, the more information that can be discovered about the devices, the easier it is to manage them and to protect your network. Having the ability to locate, identify, and accurately classify devices in real-time means you can quickly discover vulnerable devices and carry out intelligent prioritization. 


Leveraging Microsoft Defender for Identity as a data source for Microsoft Defender for Endpoint device discovery can help improve discovery coverage and fine tune the classification accuracy. 

In this blog post, we show how deploying Microsoft Defender for Identity alongside Microsoft Defender for Endpoint can increase both your discovery of devices by ~11% as well as enrich findings by another 33%.  


Device discovery 


Device discovery is a feature included in Microsoft Defender for Endpoint, which uses passive and active network traffic monitoring to discover and classify new devices on the network. The agent on onboarded devices collects this network traffic. 

For each newly discovered device, device discovery capabilities attempt to classify information such as device name, device type, OS information, model, and running services. 


Newly discovered devices will appear in the device inventory tab in the Microsoft 365 Defender portal. 



Figure 1 – Device Inventory 



You can use the following capabilities to help defend against threats 

  • Discovering new devices on the network, which can be onboarded to Microsoft Defender for Endpoint. 
  • Mapping vulnerabilities and unsecure configurations on unmanaged devices 
  • Detecting and reacting to suspicious network behavior and anomalies coming from specific devices. 


Enhance the accuracy of device classification with Microsoft Defender for Identity


Device discovery offers an important turnkey capability that allows for ongoing and precise discovery of devices on the network. On average, organizations gain extended visibility through newly discovered endpoint devices amounting to 31% of their inventory. 


However, there are cases in which identifying and classifying a device based on Microsoft Defender for Endpoint sensor data have a few limitations: 


  • The visibility perspective – The sensor can only observe network communication between the discovered devices and other onboarded devices. If there aren’t any onboarded devices on the same network segment as the discovered device, the discovery engine lacks the signals necessary to see that new device. Moreover, environment hardening and configuration settings (such as firewall access lists and Network Address Translation (NAT)) can further limit the network sensor's visibility. As a result, using another independent data source to help enhance visibility can prove beneficial. 
  • The precision perspective – Windows workstations and servers using only Microsoft Defender for Endpoint might face a challenge in identifying the most accurate and detailed classification for each discovered device. Thus, using a supplemental independent data source can help us distinguish between such cases. 


This is where combining Microsoft Defender for Identity and Microsoft Defender for Endpoint can help.  Having access to large amounts of high-quality data collected by Microsoft Defender for Identity can significantly improve the classification accuracy of devices detected by Microsoft Defender for Endpoint. 


Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider activity toward an organization. 


After installation on Domain Controllers, the Microsoft Defender for Identity sensor inspects incoming and outgoing network traffic from within Active Directory. The Microsoft Defender for Identity sensor also collects data from Active Directory logs in order to assess the different users and corresponding devices connected to the domain. 


Microsoft Defender for Identity uses this data (device type, OS information, and hostname) in conjunction with device discovery capabilities to enhance classification richness, improve confidence, and provide better visibility.


How Microsoft Defender for Identity and device discovery signal correlation works


Device discovery capabilities attempt to simultaneously correlate Active Directory user authentication data, which is captured by Microsoft Defender for Identity sensors (which are installed on Domain Controllers) from domain joined devices, with other network traffic communication observed by the Microsoft Defender for Endpoint sensors. 

As Microsoft Defender for Identity and Microsoft Defender for Endpoint sensors operate independently, any given device on a network may be observed by only one of the two sensors, or by both. Therefore, by using these tools together, we aim to extract as much discovery and classification data as possible from Microsoft Defender for Identity. 


For devices observed by both Microsoft Defender for Identity and Microsoft Defender for Endpoint, we can enrich the device classification for better device discovery accuracy. Furthermore, devices that were only observed by the Microsoft Defender for Identity sensor will populate in the Microsoft Defender for Endpoint device inventory, extending your device coverage.  


However, as each product has visibility into different strong device identifiers (for example, MAC address for Microsoft Defender for Endpoint network signals and Active Directory Object GUID for Microsoft Defender for Identity authentication signals), the correlation logic relies on shared properties, such as time, IP addresses and hostnames. 
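As an added illustration of the correlation described above (not Microsoft's implementation), this Python joins constructed MDE network observations and MDI authentication records on the shared properties named in the post (IP address, observation time and hostname), enriches matched devices with the OS build and the server/workstation distinction, and carries MDI-only devices into the inventory. The 30-minute time window and the `is_server` attribute are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample data, not real telemetry. MDE network observations carry a
# MAC address as their strong identifier; MDI authentication records carry an AD
# object GUID. Those never overlap, so the join below uses only the shared
# properties the post names: observation time, IP address and hostname.

@dataclass
class MdeObservation:
    mac: str
    ip: str
    hostname: Optional[str]
    seen: datetime
    device_type: str                 # coarse classification from network signals
    os_build: Optional[str] = None

@dataclass
class MdiAuthRecord:
    ad_object_guid: str
    ip: str
    hostname: str
    seen: datetime
    os_build: str
    is_server: bool                  # assumed to be derived from the AD computer object

@dataclass
class InventoryDevice:
    hostname: str
    ip: str
    sources: List[str]
    mac: Optional[str] = None
    ad_object_guid: Optional[str] = None
    device_type: str = "Unknown"
    os_build: Optional[str] = None

MATCH_WINDOW = timedelta(minutes=30)   # assumed tolerance for "seen at the same time"


def same_device(obs: MdeObservation, rec: MdiAuthRecord) -> bool:
    """Shared-property match: same IP inside the window; hostnames must agree when MDE knows one."""
    if obs.ip != rec.ip or abs(obs.seen - rec.seen) > MATCH_WINDOW:
        return False
    return obs.hostname is None or obs.hostname.lower() == rec.hostname.lower()


def correlate(mde_obs: List[MdeObservation], mdi_recs: List[MdiAuthRecord]) -> Dict[str, InventoryDevice]:
    inventory: Dict[str, InventoryDevice] = {}
    matched = set()
    for obs in mde_obs:
        dev = InventoryDevice(obs.hostname or obs.ip, obs.ip, ["MDE"], mac=obs.mac,
                              device_type=obs.device_type, os_build=obs.os_build)
        for rec in mdi_recs:
            if rec.ad_object_guid in matched or not same_device(obs, rec):
                continue
            matched.add(rec.ad_object_guid)
            dev.sources.append("MDI")
            dev.ad_object_guid = rec.ad_object_guid
            dev.hostname = rec.hostname
            # Enrichment: the OS build usually arrives from the MDI side.
            dev.os_build = dev.os_build or rec.os_build
            # Precision: server vs workstation on the same build, which network signals cannot tell apart.
            if dev.device_type.startswith("Windows"):
                dev.device_type = "Windows Server" if rec.is_server else "Windows Workstation"
            break
        inventory[obs.mac] = dev
    for rec in mdi_recs:
        if rec.ad_object_guid not in matched:
            # Coverage: seen only by the domain controller sensor, still added to the inventory.
            inventory[rec.ad_object_guid] = InventoryDevice(
                rec.hostname, rec.ip, ["MDI"], ad_object_guid=rec.ad_object_guid,
                device_type="Windows Server" if rec.is_server else "Windows Workstation",
                os_build=rec.os_build)
    return inventory


def summarize(inventory: Dict[str, InventoryDevice]) -> Dict[str, int]:
    srcs = [tuple(d.sources) for d in inventory.values()]
    return {"total": len(srcs), "both": srcs.count(("MDE", "MDI")),
            "mde_only": srcs.count(("MDE",)), "mdi_only": srcs.count(("MDI",))}


T0 = datetime(2023, 1, 31, 9, 0)
SAMPLE_MDE = [
    MdeObservation("aa:bb:cc:00:00:01", "10.0.0.11", "FS01", T0, "Windows"),
    MdeObservation("aa:bb:cc:00:00:02", "10.0.0.12", "WS-ALICE", T0, "Windows", "10.0.19045"),
    MdeObservation("aa:bb:cc:00:00:03", "10.0.0.50", None, T0, "Printer"),
    # Same IP as WS-BOB below but two hours earlier: a reused address, not the same device.
    MdeObservation("aa:bb:cc:00:00:04", "10.0.0.13", "OLD-PC", T0 - timedelta(hours=2), "Windows"),
]
SAMPLE_MDI = [
    MdiAuthRecord("ad-guid-0001", "10.0.0.11", "FS01", T0 + timedelta(minutes=5), "10.0.20348", True),
    MdiAuthRecord("ad-guid-0002", "10.0.0.12", "ws-alice", T0 + timedelta(minutes=1), "10.0.19045", False),
    MdiAuthRecord("ad-guid-0003", "10.0.0.13", "WS-BOB", T0, "10.0.19045", False),
    MdiAuthRecord("ad-guid-0004", "10.0.0.99", "DC01", T0, "10.0.20348", True),
]

if __name__ == "__main__":
    inv = correlate(SAMPLE_MDE, SAMPLE_MDI)
    for d in inv.values():
        print(d.hostname, d.sources, d.device_type, d.os_build)
    print(summarize(inv))
```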




Figure 2 – Microsoft Defender for Identity & Microsoft Defender for Endpoint device discovery 



Impact Evaluation 



Figure 3 – Product discovery impact 



For the average organization, Microsoft Defender for Identity integration increases the number of discovered devices by 11% - these devices benefit from rich classification information. 


When looking at the devices that were observed by both Microsoft Defender for Identity and Microsoft Defender for Endpoint, we can see that for 51% of these devices, Microsoft Defender for Identity managed to enrich the Microsoft Defender for Endpoint device information, usually with the OS build version (see Figure 4). 


For 19% of these devices, Microsoft Defender for Identity helped Microsoft Defender for Endpoint to distinguish between Windows Servers and Windows Workstations which share the same OS build version. 



Figure 4 – Discovery timeline 



Our data also demonstrated a correlation between a higher number of discovered devices onboarded to Microsoft Defender for Endpoint and a lower number of new devices discovered by Microsoft Defender for Identity. 






Figure 5 – Device which was discovered via MDI 





Gaining visibility into both your complete asset inventory as well as the rich context of the devices involved has always presented a challenge that remains a top priority for the Microsoft customer support initiative. Last year, we added discovery capabilities to Microsoft Defender for Endpoint, enabling us to start discovering unmanaged endpoints. Since then, we have combined these discovery capabilities with signals from Microsoft Defender for Identity in order to expand overall visibility, improve accuracy and gain a more complete view of all the devices (workstations, servers and mobile) on your network. 


Learn more about Microsoft Defender for Identity, and begin a trial for Microsoft Defender for Identity here. 


01 Feb 20:27

Tamper protection will be turned on for all enterprise customers

by JoshBregman

Tamper protection in Microsoft Defender for Endpoint protects your organization from unwanted changes to your security settings. Tamper protection helps prevent unauthorized users and malicious actors from turning off threat protection features, such as antivirus protection. Tamper protection also includes the detection of, and response to, tampering attempts.


Starting last year, to better protect our customers from ransomware attacks we turned on tamper protection by default for all new customers with Defender for Endpoint Plan 2 or Microsoft 365 E5 licenses. To further protect our customers, we are announcing that tamper protection will be turned on for all existing customers, unless it has been explicitly turned off in the Microsoft 365 Defender portal. For customers who haven’t already configured tamper protection, they’ll soon receive a notification stating that it will be turned on in 30 days. For example, public preview customers receive a notification on September 21, 2022 indicating that tamper protection will be turned on 30 days later, on October 24, 2022.


The following screenshot shows what the notification looks like:




Why should tamper protection be turned on?

Human operated ransomware is one of the biggest cybersecurity challenges facing customers today.  Post-mortems of ransomware attacks have revealed two things: 

  • Attackers are using a common set of tactics, techniques, and procedures (TTPs)
  • Defender for Endpoint could have helped more in preventing the attack if the controls that address those TTPs were configured. 

We recommend that you turn tamper protection on and keep it enabled across your organization.


How to opt out

If you prefer that tamper protection not be turned on automatically for your tenant, you can explicitly opt out as follows:

  1. Go to and sign in.
  2. Go to Settings > Endpoints > Advanced features
  3. Turn tamper protection on by selecting its toggle.
  4. Select Save preferences
  5. Turn tamper protection off by selecting its toggle.
  6. Select Save preferences.


By explicitly turning tamper protection off, your intent to keep tamper protection turned off will be registered for your tenant. For more information see Protect security settings with tamper protection | Microsoft Docs.


How to disable tamper protection



If you manage a device with ... / you disable tamper protection by ...

  • Microsoft Endpoint Manager: creating a Windows Security experience profile in Microsoft Endpoint Manager
  • Configuration Manager, version 2006 using tenant attach: creating an endpoint security policy
  • Microsoft 365 Defender portal or 3rd party MDM: using Security Management for Defender for Endpoint

Note: Tamper protection is included in the Windows Security Experience, located within the Virus & threat protection settings section.


Learn more


01 Feb 20:27

Detecting and remediating command and control attacks at the network layer

by OludeleOgunrinde



Update - 11/10/2022 - Network Protection command and control (C2) detection and remediation capabilities are now generally available in Microsoft Defender for Endpoint.


We are excited to announce the general availability of Network Protection command and control (C2) detection and remediation capabilities in Microsoft Defender for Endpoint. These enhancements will help reduce the time it takes security operations (SecOps) teams to pinpoint and respond to malicious network threats looking to compromise the endpoint.


Attackers often compromise existing internet-connected servers to become their command and control servers. In the event these servers become compromised, attackers use them to hide malicious traffic and deploy malicious bots used to infect endpoints. Let’s say - in an attacker's ideal scenario - their malicious bots somehow manage to circumvent an organization's existing defenses. In that breach the malicious bots introduce malware into an organization’s environment through a user’s device. The malware can be introduced in a number of ways: from clicking a fraudulent link, downloading a suspicious file, or opening a seemingly legitimate email attachment. If an endpoint contracts any of these types of C2 malware, the compromised computer can communicate back with the malicious C2 servers, completely unbeknownst to the user (Figure 1). The response communication from the endpoint to the C2 server enables the attacker to gain full control of the endpoint. 


This is problematic for security teams as many other unprotected devices that communicate with the previously infected endpoint can become compromised themselves. This can potentially lead to a spread of malware across a network, often referred to as a “botnet” infection.



Figure 1: Sample C2 attack flow



To quickly detect and clean up these botnet infections, SecOps teams need precise alerts that can accurately define areas of compromise and previous connections to known malicious IPs. With the new capabilities in Microsoft Defender for Endpoint, SecOps teams can detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries. 





See Protect your network for the full list of requirements.



How does network layer C2 detection and remediation work?


Detecting and blocking C2 connections at the network layer

This capability works by inspecting network packets and examining them for C2 malware configuration patterns. The Network Protection (NP) agent in Defender for Endpoint determines the true nature of the connection by mapping the outbound connection's IP address, port, hostname, and other NP connection values against the Microsoft cloud. If the cloud-powered AI and scoring engines deem the connection malicious, the connection is blocked and the malware binaries on the endpoint are rolled back to the previous clean state.


Generating incident and alert notifications in the M365D portal

After detection, an alert will surface under “Incidents and alerts” in the M365D portal (Figure 2) where the SecOps team can observe the alert name, the severity-level of the detection, device status, and other details. Customers can see more details on the alert with a full timeline and attack flow relative to their environment (Figure 3).



Figure 2: Alert page in the M365D portal



Figure 3: C2 attack flow timeline in the M365D portal



Testing/Validation: C2 detection and remediation  


Once network protection has been enabled, you can test this C2-enhanced protection experience in your environment (using PowerShell) by:


a.  Navigate to your PowerShell prompt.

b.  Type: $Response = Invoke-WebRequest -URI

c.  If the testing URL is successfully blocked, you will get (Figure 4):


Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:13
+ $Response = Invoke-WebRequest -URI https://commandcontrol.smartscreen ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand



Figure 4: PowerShell output



d.  Followed by a block notification (Figure 5).



Figure 5: Endpoint notification



e.  On the block notification, click:

  1. “OK” to make the toast notification disappear
  2. “Feedback” to open the network protection feedback page, where you can submit feedback to the Antimalware and Cybersecurity portal (Figure 6).





Figure 6: Network protection feedback page



f.  In the unlikely event the testing URL is not blocked, collect a network trace (for example from the browser's F12 developer tools) and send it, together with your screenshot, to the NP team.
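The steps above can be driven from a single PowerShell script that also verifies the block against the local Defender event log, which tells a proxy or DNS failure apart from a genuine Network Protection block. This is an added example, not code from the original post or from Microsoft. It assumes the full test URL is passed in (the post truncates it), that Network Protection writes event ID 1126 for a block and 1125 for an audit hit to the Microsoft-Windows-Windows Defender/Operational log, and that the script runs as Administrator:

```powershell
# Added example (not Microsoft's code): exercise the Network Protection C2 block path
# and confirm the block in the local Defender event log.
# Assumptions: -TestUrl is the full commandcontrol.smartscreen test URL from the post;
# event 1126 = Network Protection block, 1125 = Network Protection audit; run elevated.
param(
    [Parameter(Mandatory = $true)]
    [string]$TestUrl,            # full test URL (the post shows it truncated)
    [int]$LookbackMinutes = 5
)

# 1. Network Protection must be on (1 = block, 2 = audit) or nothing will fire.
$np = (Get-MpPreference).EnableNetworkProtection
switch ($np) {
    1       { Write-Host 'Network Protection: block mode' }
    2       { Write-Warning 'Network Protection is in audit mode; expect event 1125 and a successful request' }
    default { throw "Network Protection is disabled (EnableNetworkProtection=$np). Enable it with: Set-MpPreference -EnableNetworkProtection Enabled" }
}

# 2. Attempt the connection. A block shows up as a failed TLS handshake, so that
#    specific failure is the expected outcome, not an error. Windows PowerShell 5.x
#    and PowerShell 7.x word the exception differently; match both.
$blocked = $false
try {
    $response = Invoke-WebRequest -Uri $TestUrl -UseBasicParsing -TimeoutSec 15
    Write-Warning "Request succeeded (HTTP $($response.StatusCode)); the URL was NOT blocked"
} catch {
    if ($_.Exception.Message -match 'SSL/TLS secure channel|SSL connection could not be established') {
        $blocked = $true
        Write-Host 'Connection failed at the TLS layer, consistent with a Network Protection block'
    } else {
        Write-Warning "Request failed for another reason: $($_.Exception.Message)"
    }
}

# 3. Cross-check with the event log: only a 1125/1126 event proves Defender, rather
#    than a proxy, firewall or DNS problem, stopped the connection.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1125, 1126
    StartTime = $since
} -ErrorAction SilentlyContinue)

if ($events.Count -gt 0) {
    $events | Select-Object -First 5 Id, TimeCreated,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } | Format-Table -AutoSize
} elseif ($blocked) {
    Write-Warning 'TLS failure but no 1125/1126 event in the lookback window; collect an F12 network trace before reporting it'
} else {
    Write-Warning 'No Network Protection event logged; the URL was not blocked on this device'
}
```

Run it as `.\Test-NpC2Block.ps1 -TestUrl '<the full test URL from step b>'`. The event-log check matters in audit mode, where the request is allowed through and the 1125 event is the only visible evidence that the signal fired.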



Accessing the C2 detection and remediation report in the Microsoft 365 Defender portal  


To access the report:   

1. Go to the Microsoft 365 Defender portal and sign in.

2. Navigate to:  

  1. Reports -> Security report -> Devices -> 
    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8)
  2. Reports -> Web Protection ->
    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8) 



Figure 7: Web threat detections over time 




Figure 8: Web threat summary



Your feedback counts

We are excited to bring you a new enhancement to the Network Protection stack to further protect against command and control attacks. Try out this new capability and let us know what you think. Share your feedback with us at

01 Feb 20:27

Announcing new removable storage management features on Windows

by Tewang_Chen

External devices like USBs are common tools people use to support daily business tasks like saving work in a convenient and portable way. While these devices help improve employee productivity and provide an easy way to back up files, they can also pose a threat to enterprise data, serving as a potential entry point for malware and viruses.


Over the last several months, Microsoft Defender for Endpoint has rolled out a handful of device control capabilities to help secure removable storage scenarios on Windows. Some of the common use cases we support include allowing specific users to:

  • Gain writing access to specific removable storage devices
  • Use specific removable storage devices on specific machines
  • Gain read/write/execute access to specific files on removable storage devices
  • Gain write/execute access to specific removable storage devices when their machine is connected to the corporate network or through a VPN


What’s new


Support for file parameters

We are pleased to announce that Defender for Endpoint now allows organizations to control more precisely how users read, write, and execute specific files on removable storage. For example, using file name, path, or extension, Defender for Endpoint can block end users from executing any file with a LNK, BAT, BIN, CHM, CMD, COM, CPL, or EXE extension.

For more details, please review Scenario 3 in our documentation.


Support for Azure AD machines or user group(s)

With this release, we are expanding the Sid and ComputerSid properties to support AD Object and Azure AD Object Id to satisfy the following common scenarios:

  • An admin who is looking to restrict removable storage device access for both users and their machines. An example of this would be only allowing specific users to interact with specific removable storage devices on a specific machine. In this case, the qualified user must only initiate an authorized removable storage device on an authorized machine.
  • An admin who is looking to use one policy for removable storage management, while using Sid and ComputerSid inside the policy to control which users or machine groups can access certain removable storage.

For details, please review our documentation found here: Microsoft Defender for Endpoint Device Control Removable Storage frequently asked questions | Microsoft Learn.


Capturing a file as evidence on a network share

An admin may want to track what files are being moved to an authorized removable storage device. The admin can create a policy to capture a copy of the file on their customized network share.

A new value added into the ‘Options’ attribute allows you to capture a copy of the file as evidence on the network share. The common scenario is as follows:

  • When an end user copies a file to an authorized removable storage device, device control will create a copy of the file as evidence on a network share.


Figure 1 - File information for removable storage event


Improvements to the removable storage access control investigation experience

After collecting user feedback, we found an opportunity to help improve investigation efficiency by providing device control events on the device timeline page. In addition to this improvement, we have made several other enhancements to the investigation experience over the last few months:   

  • The removable storage access control event has been added into the machine timeline under Microsoft 365 security portal -> Devices -> Device page -> Timeline:


Figure 2 - Removable storage events on machine timeline page


  • When a file-level policy is triggered, the file path and name will be captured in the event and documented in the Advanced Hunting Device Control reports.
  • The Device Control report (Reports -> Device control) now receives updated data and visualizations in half the time, reducing latency from 12 hours to 6 hours.


Figure 3 - Device control report


Please take a look at Protect your organization's data with device control | Microsoft Learn for more details.


Network location as a condition

Where admins want stronger protection for remote devices, they can enforce stricter policies on machines that are not connected to the corporate network. This is done by creating different device control policies based on a machine's network location, using the recently added ‘Network’ and ‘VPNConnection’ group types to scope those policies.


For more information, see our documentation: Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media | Microsoft Learn.



We’re excited to deliver these new device control functionalities to you. To experience these capabilities in public preview, we encourage you to turn on preview features for Microsoft Defender for Endpoint today. As always, we welcome your feedback and look forward to hearing from you! You can submit feedback directly to our team through the portal.  


Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today. 


Microsoft Defender for Endpoint team

01 Feb 20:26

Recovering from Attack Surface Reduction rule shortcut deletions

by Scott Woodgate

Updated 1/23/2023 @ 1:10pm PST


On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files.


There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode, or who did not update to security intelligence builds 1.381.2134.0, 1.381.2140.0, 1.381.2152.0 or 1.381.2163.0.


For currently impacted customers: what do I need to do? 

Impacted customers will need both the updated security intelligence build and follow the process to recover start menu and taskbar shortcuts.


The updated security intelligence build

Customers should update to build 1.381.2164.0 or later. Customers utilizing automatic updates for Microsoft Defender antivirus do not need to take additional action to receive the updated security intelligence build. Enterprise customers managing updates should download the latest update and deploy it across their environments.  The security intelligence build does not restore deleted shortcuts. Instructions on how to restore those are immediately below. If you turned “Block Win32 calls from Office macros” into audit mode per prior guidance you can now safely turn on block mode.


To recover deleted start menu and taskbar shortcuts

Microsoft has confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were deleted.  


Version 5.0 provides improved error handling in AddShortcuts.ps1 to ensure RunOnce executes when a logged-off user logs back in. MpRecoverTaskbar.exe now supports restoring each user’s Chrome and Edge pinned taskbar shortcuts found per profile. For more details click here.


1/ Download both AddShortcuts.ps1 and MpRecoverTaskbar.exe and select from the following options:


Option A/ If you are using System Center Configuration Manager, Group Policy Object Editor or third-party tools, deploy both files and run the command “powershell -ep bypass -file .\AddShortcuts.ps1 -MpTaskBarRecoverUtilDownload=false” as Administrator.


Option B/ If you are using Intune or no management tool, deploy AddShortcuts.ps1 and run the command “powershell -ep bypass -file .\AddShortcuts.ps1” as Administrator. This will automatically download MpRecoverTaskbar.exe from the Microsoft Download Center onto the user’s machine and run it. Detailed instructions on how to deploy the script using Microsoft Intune are here.


2/ The changes take effect after users log out and log back in to their accounts.


3/ MpRecoverTaskbar.exe can be run multiple times on end-user machines if necessary. If end users are still missing taskbar icons after completing this process, run it a second time from %windir%\MpRecoverTaskbar.exe in the user context.


The script requires PowerShell 5.x and does not currently support PowerShell 7.x.


Version 5.0 includes all the improvements from Version 4.0:

  • restores from Volume Shadow Copy Service by default
  • recovers .URL files in the user's profile's Favorites and Desktop directories, if those URL files exist in the Volume Shadow Copy Service
  • improvements for non-English language machines
  • improved error handling and additional checks that help recover more shortcuts and links
  • better error handling so that all actions run, including MpRecoverTaskbar.exe
  • improved error handling in AddShortcuts.ps1 to ensure RunOnce executes when a logged-off user logs back in
  • MpRecoverTaskbar.exe restores each user’s Chrome and Edge pinned taskbar shortcuts found per profile


To add programs to the script: edit the $program variable and add a new line with the name of the application lnk and the executable. 


For customers who prefer manual steps rather than the script, running an application repair on the affected applications will recreate the deleted links. Users can run the Application Repair functionality for programs including Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.

To repair an application, follow these instructions:

    1. Windows 10:
      1. Select Start  > Settings  > Apps > Apps & features
      2. Select the app you want to fix.
      3. Select Modify link under the name of the app if it is available.
      4. A new page will launch and allow you to select repair.
    2. Windows 11:
      1. Type “Installed Apps” in the search bar.
      2. Click “Installed Apps”.
      3. Select the app you want to fix.
      4. Click on “…”
      5. Select Modify or Advanced Options if it is available.
      6. A new page will launch and allow you to select repair.

Verifying environment impact

Customers can verify the impact of this issue in their environment through the following advanced hunting queries (AHQs):


This AHQ retrieves all block events from devices with the ASR rule "Block Win32 API calls from Office macro" in “Block” mode:


| where Timestamp >= datetime(2023-01-13)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| extend JSON = parse_json(AdditionalFields)
| extend isAudit = tostring(JSON.IsAudit)
| where isAudit == "false"
| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields
| sort by Timestamp asc


This AHQ retrieves all events from devices with the ASR rule "Block Win32 API calls from Office macro" in either “Block” or “Audit” mode:


| where Timestamp >= datetime(2023-01-13)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields
| sort by Timestamp asc


This AHQ retrieves the count of devices that fired the ASR rule “Block Win32 API calls from Office macro” and flags whether that count exceeds 10K (KQL boolean literals are lowercase):


| where Timestamp >= datetime(2023-01-13)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| summarize deviceCount = dcount(DeviceId)
| extend IsMoreThanTenThousand = iif(deviceCount > 10000, true, false)


Advanced Hunting Queries are not available in Defender for Endpoint P1 which is also included in E3 and A3 or in Defender for Business.  To identify affected machines run the script here on individual user machines.  
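For tenants without Advanced Hunting, or to confirm a single machine's status, the same three questions (signature build, rule mode, what the rule actually deleted) can be answered locally. The following is an added example, not Microsoft's AddShortcuts.ps1 or its identification script. It assumes the rule GUID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B is "Block Win32 API calls from Office macros", that ASR writes event ID 1121 for a block and 1122 for an audit hit to the Microsoft-Windows-Windows Defender/Operational log with the rule ID and file path in the message body, and that it runs elevated under PowerShell 5.x:

```powershell
# Added example (not Microsoft's script): check one machine for exposure to the
# January 2023 ASR false positive on "Block Win32 API calls from Office macros".
# Assumptions: rule GUID below is that rule; event 1121 = ASR block, 1122 = ASR audit;
# affected and fixed signature builds are the ones stated in the post; run elevated.
$ruleId  = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$badLow  = [version]'1.381.2134.0'
$badHigh = [version]'1.381.2163.0'
$fixed   = [version]'1.381.2164.0'
$since   = Get-Date '2023-01-13'

# 1. Signature build: is this machine still on an affected build?
$sig = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($sig -ge $badLow -and $sig -le $badHigh) {
    Write-Warning "Signature $sig is in the affected range; update to $fixed or later before re-enabling block mode"
} elseif ($sig -ge $fixed) {
    Write-Host "Signature $sig is at or above the fixed build"
} else {
    Write-Host "Signature $sig predates the affected range"
}

# 2. Rule state: only block mode (action 1) deleted files. 0 = off, 2 = audit, 6 = warn.
$pref   = Get-MpPreference
$ids    = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
$idx    = [array]::IndexOf($ids, $ruleId)
$action = if ($idx -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$idx] } else { 0 }
$mode   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }[$action]
if (-not $mode) { $mode = "action $action" }
Write-Host "ASR rule $ruleId is $mode"

# 3. Local evidence: 1121 events for this rule since 13 Jan 2023 list what the rule
#    removed here; .lnk paths are what the recovery script restores.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $ruleId })

$blocks = @($events | Where-Object { $_.Id -eq 1121 })
$lnks   = @($blocks | Where-Object { $_.Message -match '\.lnk\b' })
Write-Host ("{0} block events for this rule since {1:d}, {2} referencing .lnk files" -f $blocks.Count, $since, $lnks.Count)
$lnks | Select-Object -First 10 TimeCreated,
    @{ n = 'Path'; e = { (($_.Message -split "`r?`n") | Where-Object { $_ -match 'Path' }) -join '; ' } } |
    Format-Table -AutoSize

# 4. Verdict, following the post's guidance.
if ($lnks.Count -gt 0) {
    Write-Warning 'Impacted: update signatures, then run AddShortcuts.ps1 as Administrator and have users sign out and back in'
} elseif ($mode -eq 'Block' -and $sig -ge $badLow -and $sig -le $badHigh) {
    Write-Warning 'Exposed (block mode on an affected build) but no .lnk blocks logged yet; update signatures now'
} else {
    Write-Host 'No impact detected on this machine'
}
```

The 1121 events are the only on-device record of which paths the rule removed, so keep them (or export them with `wevtutil epl`) before the log rolls over; once the affected build is replaced, a machine that shows block mode and no 1121 events for this rule was never exposed.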



Additional questions are addressed in the FAQ document

01 Feb 20:25

The Best TV Adaptations of Video Games, Ranked - CNET

by Mark Serrels
The Last of Us is going nuts right now, what else is out there?
01 Feb 20:24

AMD Beats Analyst Estimates But Says It Will Under-ship Products In PC Market

by Ramish Zafar

After it beat analyst revenue estimates yesterday, chipmaker Advanced Micro Devices, Inc (AMD) could see growth slow this year, according to research and financial firms. AMD posted $5.6 billion in revenue for the fourth quarter, marking a small 1% annual growth. This let the firm beat analyst estimates by $80 million, with its earnings per share of $0.69 also topping estimates by two cents. At the earnings conference for the report, AMD's chief, Dr. Lisa Su, explained that growth in her company's embedded and data center segments lifted fourth quarter revenue by 16% annually, with the pair accounting for 50% of AMD's overall revenue during the quarter.

AMD Confident About Growing Data Center Sales This Year Through New Products

Heading into the earnings result, analysts speculated that AMD's data center segment would perform well this year, as new product launches place the firm in an advantageous position with respect to its larger rival Intel. This turned out to be true for the previous quarter as well, as data center was the only division that delivered organic revenue growth for AMD.

Other segments, such as client computing and gaming, saw 51% and 7% annual drops, and while the revenue from embedded computing grew, AMD explained that this 1,868% growth had come on the back of its massive Xilinx acquisition. AMD absorbed more costs of the deal during its fourth quarter, which saw the firm post a $149 million GAAP operating loss and a massive 99% net income drop.

AMD's chief, Dr. Lisa Su, shared that sales to North American hyper scalers in the cloud computing segment more than doubled annually, especially as AMD-based instances became more common from leading vendors such as Amazon and Microsoft.

AMD income statement for the fiscal and calendar year 2022
AMD's fiscal year 2022 earnings snapshot. Image: AMD

Dr. Su added that her company continued to manage inventory during the fourth quarter, as it shipped fewer units than were being consumed in the personal computing industry. This stands in sharp contrast to Intel, which is shipping more units to maximize product visibility, according to Bernstein. AMD's client segment, which covers PC sales, was its worst performing segment during the quarter, as it saw a massive 51% annual revenue drop. Commenting on the gaming division, the executive explained that revenue dropped as AMD slowed down shipments, but channel sales of the newer Radeon RX graphics processing units (GPUs) were higher over the previous quarter.

Commenting on AMD's earnings results, research firm Summit Insights states that AMD's outlook for the first quarter hints at a slowdown in its cloud computing, personal computing and gaming markets. It believes that the firm's financial performance, which saw AMD grow its calendar and fiscal year 2022 net income by another whopping 60%, will tone down this year. As opposed to others, such as KeyBanc, which believes that AMD will close the year with a 30% data center market share, Summit Insights believes that AMD's market share gains will be "less meaningful" in 2023.

On the other hand,  research firm Jefferies is more upbeat about AMD. It is enthused by AMD's belief that both the data center and the personal computing markets can bottom out by the end of the current quarter. AMD plans to ship fewer products than are being consumed this quarter as well, as the firm aggressively targets inventory buildup at retailers. Like Intel, AMD also did not provide a full year guidance at its earnings call, explaining that macroeconomic uncertainty had influenced the decision.

The post AMD Beats Analyst Estimates But Says It Will Under-ship Products In PC Market by Ramish Zafar appeared first on Wccftech.

01 Feb 20:22

Resident Evil 4 remake makes huge changes, including new content

by Will Nelson

The Resident Evil 4 release date edges ever closer, as Capcom sets out to remake the genre-defining third-person shooter and horror game for a modern generation. As we get closer to the release of Resident Evil 4, we’re starting to hear more about what Capcom has changed in the classic game, from the removal of annoying overused mechanics to the inclusion of plenty of new content.

01 Feb 20:22

Cyber Insights 2023: ICS and Operational Technology

by Kevin Townsend

About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

SecurityWeek Cyber Insights 2023 | ICS and Operational Technology – Recognition of the cyber threat to industrial control systems (ICS) and operational technology (OT) systems has grown over the last decade. Until recently, this has been largely a theoretical threat founded on the danger of what could happen rather than what is happening. This is changing, and the threat to ICS/OT is now real and ongoing. The bigger danger is that this is likely to increase in 2023 and onward.

There are several reasons, including geopolitical fallout and escalation of tensions from the Russia/Ukraine war, and a growing willingness of criminals to target the ICS of critical industries. At the same time, ICS/OT is facing an expanding attack surface caused by continuing business digitization, an explosion of IoT and IIoT devices, the coming together of IT and OT networks, and the use of potentially insecure open source software libraries to bind it all together.

Background to the ICS/OT Threatscape

The IT/OT overlap

One of the biggest threats to OT comes from its convergence with IT. When the networks were separate, OT could be isolated from the internet and kept relatively secure. This is no longer reality.

“As IT and OT systems continue to converge,” comments Simon Chassar, CRO at Claroty, “nation-state actors and cybercriminal groups such as Berserk Bear, Conti, Lazarus and Mythic Leopard, will shift their focus from IT to OT and cyber-physical systems; from stealing sensitive data to disrupting mission-critical operations.” 

For all its benefits, IT/OT convergence without proper security means threat actors can take down operations by exploiting an IT access point or a cloud vector. “This yields maximum financial or political gain for the attacker,” continued Chassar, “because businesses have more incentive to pay a ransom when their means of production are at stake, which can have a long-term impact on revenue and the supply chain.”

Ramsey Hajj

Ramsey Hajj, Deloitte’s US and global cyber OT leader, expands on this theme. “Cyber attackers are increasingly weaponizing OT environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments can make cyber incident containment difficult.”

Supply chain attacks cannot be ignored, either on the IT side or directly against OT. “Supply chain attacks continue to evolve for both ICS hardware and software,” comments Pascal Ackerman, senior security consultant for operational technology at GuidePoint Security. “Think implants for controls and automation equipment, attack chains that involve suppliers and service providers to ICS owners as an initial foothold or pivot point, and compromises on controls and automation vendors’ file repositories with the purpose of adding implants in the provided software.”


Geopolitics and the Russia/Ukraine war

“One of the biggest concerns around the potential for large-scale attacks in the wake of the war in Ukraine is around ICS/OT,” says Christopher Budd, senior manager of threat research at Sophos. “While we haven’t yet seen attacks on a scale as feared, there have been documented attacks like this in Ukraine as part of the ongoing hostilities.”

He suspects this will focus both government and industry on strengthening the security of ICS/OT systems, even if it’s done quietly. This may already be evident in the new Cross-Sector Cybersecurity Performance Goals (CPGs) issued by CISA in late October 2022. Claroty describes them as, “a foundational set of IT and OT practices and recommendations that can help smaller, lesser-resourced organizations better prioritize cybersecurity efforts and reduce risk.”

Claroty highlights four OT recommendations in the CPGs. There should be a single leader responsible for OT asset cybersecurity; there should be specialized OT-focused cybersecurity training for OT engineers; there should be compensating controls such as network segmentation and access controls used as mitigations until software patches and firmware updates can be applied; and there should be unique credentials for assets, use of MFA, and the removal of default passwords.

We can expect that government agencies will, and private industry should, work on conforming to CISA’s CPGs during and from 2023. 

Danielle Jablanski

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, expects further assistance from CISA in 2023. “2023 will usher in the fruits of new CISA programs further building mechanisms for enhanced trust and verification – CyberSentry and RedEye for example – which will broaden the aperture for understanding OT and ICS incidents.”

One less-obvious effect of global geopolitical tensions will be a deterioration in international law enforcement cooperation. “Besides the growth of hacktivist activity ‘working’ to internal and external political agendas,” suggests Kaspersky, “we might also see more ransomware attacks on critical infrastructure due to the fact that it will become harder to prosecute such attacks.”

Chassar is more direct. “There is going to be an increase in the number of threats from nation-state actors, as well as groups that are associated with nation-states in 2023,” he says. “Their activity targeting the critical infrastructure industry, from manufacturing to water and energy, will continue to grow, fueled by ongoing global geopolitical conflicts such as the Russia/Ukraine war, as well as the current economic climate.”

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while cybercriminals have had their restraints reduced.



“There are now more known vulnerabilities impacting IoT devices than IT devices,” says Bud Broomhead, CEO at Viakoo, “and IoT devices are often the easiest for cybercriminals to access.” IoT and IIoT is a massive and expanding part of the ICS/OT attack surface, providing an entry point, and enabling lateral movement. 

“Breached IoT devices are having devastating impacts,” he continued, “such as ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.”

The scale (sometimes up to 20x more than IT devices) and the physical location (widely distributed rather than focused within data centers), together with the growing use of vulnerable open source software libraries, make vulnerability remediation difficult.

Broomhead believes the shift to open source software presents the most immediate threat. “The dangers open source vulnerabilities present is that they require multiple vendors to provide patches, they are often found in OT and IoT devices that are hard to remediate, and they can be exploited many years after they were discovered.”

Wendy Frank, Deloitte’s US cyber IoT leader, believes part of the threat comes from a lack of adequate security governance covering the implementation of IoT, IIoT, OT and ICS devices. As their number grows, so the expanded attack surface creates more security, data, and privacy risks.

“Leading organizations,” she says, “will focus in the year ahead on connected-device cyber practices by establishing or updating related policies and procedures, updating inventories of their IoT-connected devices, monitoring and patching devices, honing both device procurement and disposal practices with security in mind, correlating IoT and IT networks, and monitoring connected devices more closely to further secure those endpoints, manage vulnerabilities, and respond to incidents.”

Ransomware and other malware

Thomas Winston

“Ransomware remains the most likely threat to cause disruption in industrial infrastructure environments in 2023,” states Thomas Winston, director of intelligence content at Dragos. “Based on our visibility of ransomware events, manufacturing organizations remain the most frequent target with 70% of observed ransomware events, year-to-date [ie, 2022], continuing to target primarily manufacturing.”

Ackerman sees ransomware beginning to target OT specifically. He expects to see: “Ransomware targeting the industrial environment – in contrast to ransomware on the IT side accidentally compromising the OT space – with attacks on virtualization stacks (VMware), data repositories (Historian), controls equipment like PLCs, and controls project repositories (file shares).”

Partly, this will be exacerbated by native code execution on PLCs, with the attacker adding arbitrary code to the PLC’s OS, and paving the way for ransomware and rootkits running on the PLC.

Winston is particularly concerned for those organizations without adequate segmentation between IT and OT, but notes that “Ransomware rarely uses novel methods – making the application of key elements of a defensible ICS/OT architecture particularly effective.”

He recommends the five critical controls outlined by SANS in October 2022: implementation of an ICS-specific incident response plan; development of a defensible architecture [perhaps in conjunction with an attack surface management plan]; ICS network visibility and monitoring; secure remote access; and a risk-based vulnerability management program.

Beyond ransomware, Winston is concerned about the evolution of Pipedream (also known as Incontroller). “Pipedream is an existential threat to the ICS community. This toolset is likely being actively developed and financed,” he said. 

“It is already capable of disruption across industries, including CrashOverride-style disruption, pipeline disruption, and servo manipulation. We’ve confirmed that Pipedream, with little development effort, can target devices speaking the ubiquitous CODESYSv3 and OPC UA protocols. It can manipulate servos in the 1S-Series of Omron Servo drives.” While it cannot target Omron Safety Controllers, he believes this is undoubtedly the next step in its development. 

Hijacking remote access sessions

Ian Pratt, global head of security for personal systems at HP Inc, sees an increase in session hijacking in 2023. “Increased use of features like Windows Defender Credential Guard are forcing attackers to pivot – either capturing users’ passwords to enable lateral movement, or hi-jacking the remote session itself to access sensitive data and systems. The latter is particularly powerful.”

By targeting users with elevated rights, the attacks are more potent, harder to detect, and more difficult to remove. “The user is typically unaware that anything has happened. It takes just milliseconds to inject key sequences and issue commands that create a backdoor for persistent access. And it works even if privileged access management (PAM) systems are being used to employ MFA, such as smart cards.”

Session hijacking does not involve exploiting a fixable vulnerability – it is about abusing the legitimate functionality of remote session protocols, such as RDP, ICA and SSH. “If such an attack connects to OT and ICS running factories and industrial plants, there could also be a physical impact on operational availability and safety – potentially cutting off access to energy or water for entire areas.”

APTs targeting CNI through OT

“Attacks targeting critical national infrastructure tend to be the work of APT groups working on behalf of nation states with specific goals,” comments Joseph Carson, chief security scientist and advisory CISO at Delinea. Those goals are governed by the current state of geopolitics, and the global tension caused by the Russia/Ukraine conflict means the stakes are high.

“These high-level adversaries are hard to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will select soft targets,” he continued.

Although OT and IT networks are converging, there remains a fundamental design difference between the two. “OT systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks. Gaining centralized visibility and management of such a complex environment can be extremely challenging,” he added. 

This results in gaps between the two networks that APT actors can find, infiltrating the IT network and moving across to the OT network. “These issues elevate the potential threat of a nation state actor infiltrating the system and causing serious disruption,” he continued.

According to Kaspersky’s experts, there will likely be a shift in APT activity against industrial organizations in new industries and locations. “Real economy sectors such as agriculture, logistics and transport, the alternative energy sector, and the energy sector as a whole, high-tech, pharmaceuticals and medical equipment producers are likely to see more attacks next year,” they say. “Moreover, traditional targets such as the military industrial complex and the government sector will also remain a focus.”

Kaspersky also warns that there will likely be an increased level of cooperation between criminals and APTs. “Other risks to watch out for are the heightened criminal activity with a goal to harvest user credentials as well as more volunteer ideological and politically motivated insiders working with criminal groups, usually extortionists and APTs,” it says. “These insiders may be active in production facilities as well as technology developers, product vendors and service providers.”

Human costs

Attacks on the OT of critical industries have real world implications, which may worsen in 2023. “Whether it’s contaminated water supplies or minimal access to fuel, we’ve seen the costs these cyberattacks have firsthand,” comments Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence. “While hackers’ activities will likely still be money-driven, we can expect to see human cost become more of a play in the following year.”

He is concerned that IT and OT security convergence is still not effective. “Attacks that have been close calls in the past (such as the poisoning of the water supply from a Florida plant in 2021) will eventually have human costs.”

Catastrophic attack on the energy grid

Liebig is also concerned about attacks on the energy grid. “As Ukraine stands its ground in its conflict with Russia, we’re likely to not only see more attacks on Ukrainian energy infrastructure, but the US’s infrastructure as well,” he warns. “At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years.”

As a result, he continued, “The combination of aforementioned factors makes the US’s power grid more vulnerable to cyberattacks than it has been in a long time.”

The way forward

Sam Curry, CSO at Cybereason, believes there needs to be a fundamental change of approach from the ICS/OT system providers. “Many of the security basics are simply not present, such as leveraging roots of trust and trusted execution environment, strong cryptographic options, hardening, secure update and shipping with strong identity options and no default access, to name a few,” he says. “Most devices don’t ship with hardening options or advice, have poor documentation and no understanding of ultimate use cases.”

This results in customers setting up devices, but rarely coming back to manage the ongoing device lifecycle, let alone maintaining security aggressively as they should. “There are missed business opportunities for security services and secure management services as a service that are being left behind. Done correctly, there’s not only lower risk for business, but there’s money to be made and real value to provide.”

He adds, “2023 needs to be the year to reset ICS and OT standards for security.”


Ronnie Fabela, CTO and co-founder at SynSaber, also sees scope for improvement in standards. “From the practitioner side of ICS cybersecurity, 2023 will continue to see an overwhelming message of guidance, regulation, media, and FUD about topics such as ransomware, threat actors, and nation-states,” he says.

“My prediction for 2023 is that while this will continue, the industry’s response will be loud and focused: ‘Enough guidance and FUD. Help us execute.’” His position is that industrial operators and asset owners know their systems better than anyone. Now they are on board with cyber, empowering the operating community is the only true way to move the needle.

“A shift from ‘We know better’ to ‘You know better’ will be tough for a cybersecurity industry that is used to being the hero,” he adds. “The faster all of us can change this mindset; the more successful 2023 will be for defending critical infrastructure.” There will consequently be continued movement from guidance to regulation.

But Jablanski offers a word of warning, more to do with party politics than geopolitics: “New direction and bolstered industry involvement will produce greater situational awareness, trust, and resolve across the critical infrastructure security community. As a warning, policymakers should avoid a partisan future for reducing cybersecurity risks to critical infrastructure.”

About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023


The post Cyber Insights 2023: ICS and Operational Technology appeared first on SecurityWeek.

01 Feb 20:21

Cyber Insights 2023: Criminal Gangs

by Kevin Townsend


Our intention here is to talk about cybercrime and cybercriminals. Despite some geopolitical overlaps with state attackers, the majority of cyberattacks still come from simple – or perhaps sophisticated – criminals who are more motivated by money than politics.

“With the Russia-Ukraine War, many actors polarized, including players like Conti, Killnet and Anonymous. However, the ecosystem is much larger, and even with setbacks in cryptocurrency brokerage, which advanced the liquidity and economics of criminals online, criminal organizations are thriving, diversifying, and going gangbusters as we enter 2023,” comments Sam Curry, CSO at Cybereason.

“There are no signs of this letting up and all signs indicate that criminal organizations’ real growth is e-crime going forward.”

Know your enemy

An increasing sophistication among the more elite criminals together with a more streamlined organization of the infrastructure from which they operate has been apparent for many years. This process continues and will continue throughout 2023. It is apparent in both how the gangs operate and the tools they use.

“Malware will continue to evolve in 2023 as attackers find new ways to hide it to maintain persistence and get what they came for,” says Mike Parkin, senior technical engineer at Vulcan Cyber – adding, “The attack vectors they use to get a foothold will also evolve, taking advantage of new vulnerabilities, and leveraging variations of old ones.”

But it is the increasing maturity of the criminal business that perhaps poses the greatest threat. “There is a significant maturing of the tools used by cybercriminal groups,” explains Andrew Barratt, VP at Coalfire. “They are becoming platforms (as a service) for other criminal groups with significantly less technical expertise to leverage.”

We’ve had ransomware-as-a-service and infostealers-as-a-service for a few years, but it is becoming more accurate to describe the process as a complete ‘crime-as-a-service’. “While we’ve seen the crime-as-a-service infrastructure become very prevalent, it’s probably likely we’ll see an uptick in volume and/or pricing of these attacks in the year ahead,” adds Barratt.


“We’ve looked at numerous online forums and found such a rise and diversification in the many kinds of criminal ‘as a service’ offerings that people really can set up their own cybercrime business with little to no technical knowledge or skills,” explains Christopher Budd, senior manager of threat research at Sophos. 

“Now you can find a vendor or supplier to cover your needs around targeting and initial compromise of victims, evasion and operational security, and malware delivery, among others.” These offerings often come with good marketing and customer service and support that meets – or even exceeds – those you get when paying for legitimate software.


Calling it malware-as-a-service (MaaS) rather than crime-as-a-service, Andrew Pendergast, EVP of product at ThreatConnect, adds, “MaaS operators act like a business, because they are a business – just an illegal one. Their goals are to make as much money as possible selling their product and services. This entails making it as accessible, trustable, reliable, and easy to use as possible for their ‘market’.”

He expects the CaaS providers to continue to improve their support and services to accommodate a broader set of customers and affiliates, adding, “The net results will be a broadening user base for various MaaS offerings which in 2023 likely means more ransomware attacks.”

In fact, the service is now so complete that Benjamin Fabre, CEO at DataDome, points out new cybercriminals no longer need the technical skills to develop and execute cyberattacks on their own. “Cybercrime will require as much brains as holding a baseball bat to a shop owner’s window,” he comments.

Chris Vaughan, a VP of technical account management at Tanium, agrees with this assessment. “Malicious cyber tools are becoming more available to be purchased online which is leading to a greater number of attacks that are also less predictable. This includes vulnerabilities and exploits as well as hackers for hire, dramatically lowering the barrier of entry for anyone interested in launching a cyberattack.”

This leads us to another related concern for 2023: the potential expansion of a recession-promoted cybercrime gig economy. “People may turn to ‘cyber hustling’ in the cybercrime gig economy to make quick cash during the economic downturn,” warns Alex Holland, senior malware analyst at HP Inc.

He fears a potential increase in the number of cyber hustlers seeking to make additional – or, indeed, any – income by scamming consumers who will themselves be looking for opportunities to raise some extra cash. “Cybercrime tools and mentoring services are readily available at low costs, enticing cyber hustlers – opportunists with relatively low levels of technical skill – to access what they need to turn a profit.”

The interconnected nature of the cybercrime gig economy means threat actors can easily monetize attacks. “And if they strike gold and compromise a corporate device, they can also sell that access to bigger players, like ransomware gangs. This all feeds into the cybercrime engine, giving organized groups even more reach.”

Crime gang career roles


Fundamental to the emergence of streamlined CaaS has been the evolution of career specializations within the gangs. “In many ways, the cybercrime ecosystem has developed specialized ‘career fields’ in a similar way that cybersecurity has developed specializations,” comments John Bambenek, principal threat hunter at Netenrich. 

This means there are many more partnerships and boutique actors helping a variety of groups. “Getting initial access is a specialized skill set, just like money laundering (in cryptocurrency) and ransomware development are skill sets,” he added. “This specialization makes the ecosystem as a whole more resilient and more difficult to bring to justice.”

This process of business refinement will continue through 2023. “Criminal organizations will continue to grow in scope and capabilities, with increased focus on functional areas,” suggests Gray, AVP of security strategy at Deepwatch. “Specialization will allow these groups to maintain the razor margins needed to operate at levels that are capable of bypassing security program components at advanced targets and/or operate at scale against more susceptible targets.”

Three categories of CaaS to watch in 2023

Three categories of crime-as-a-service are likely to be prevalent in 2023: ransomware-as-a-service (RaaS), stealer-as-a-service (SaaS), and victims-as-a-service (VaaS).


The ‘pay-per-use’ version of delivering ransomware is, says Camellia Chan, CEO and founder of X-Phy, “a sophisticated, and yet much more accessible form of ransomware, with malicious actors no longer requiring advanced technical skills to carry out attacks.” This is a win for wannabe criminals who cannot code.

But it is also a win for the more elite coding criminals trying to avoid the eye of law enforcement. “The number of different entities involved adds another layer of complexity,” explains Chan. “While RaaS operators develop the infrastructure, access brokers focus on the identity posture and external access portals. To finish, the affiliate buying the RaaS handles the exfiltration of data to ransom, then deploying the actual ransomware payload.”

Mike McLellan, director of intelligence at Secureworks, continues: “New RaaS schemes will continue to emerge, but the landscape will be dominated by a handful of cybercriminal groups operating a small number of very active schemes.”

He expects the dominant schemes to increase their capacity to support more affiliates. “Experienced cybercriminals under sanction by the U.S. authorities will make use of existing RaaS schemes as a way of complicating attribution of their attacks. At the other end of the spectrum, less sophisticated affiliates will conduct simplistic ransomware deployments against small numbers of hosts, rather than full blown, enterprise-wide encryption events.”


A study published by Group-IB on November 23, 2022, reported that 34 Russian-speaking groups were distributing infostealers as part of stealers-as-a-service operations. On average, each of these groups has some 200 active members. 

Twenty-three of the groups distributed the Redline infostealer, while eight concentrated on Raccoon. “An infostealer,” explains Group-IB, “is a type of malware that collects credentials stored in browsers (including gaming accounts, email services, and social media), bank card details, and crypto wallet information from infected computers, and then sends all this data to the malware operator.”

Given that credentials remain the starting point for most cyberattacks, the demand is and will remain high. Group-IB suggests “Stealers are one of the top threats to watch in the coming year.” The company notes, “In the first seven months of 2022, the gangs collectively infected over 890,000 user devices and stole over 50 million passwords.”

While the targets are individual computers often used by gamers and remote workers, the potential knock-on effect against corporates should not be under-estimated. “The threat actor responsible for the most recent attack on Uber purchased the credentials compromised with the Raccoon stealer,” says Group-IB.

Uber itself explained the process in a statement: “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”

This demonstrates both the success of stealers and the failure of MFA to offer a complete access solution. The Uber instance seems to be a variation on what Tanium’s Vaughan describes as an MFA push exhaustion attack. “This,” he explains, “is where an attacker sends a large number of MFA acceptance prompts to a user’s phone which may cause them to click accept in order to stop the barrage of requests.”

This whole process of SaaS-delivered stealers acquiring credentials and attackers defeating MFA will persist and increase in 2023.
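The push-exhaustion pattern Vaughan describes (a burst of denied or unanswered MFA prompts for one account, followed by an approval) is something an identity team can look for in its own authentication logs. The following Python is an added example, not code from the article or from any vendor quoted in it; the log format, field names, window size and user names are all assumptions, and the sample lines are constructed.

```python
"""Detect MFA push-fatigue bursts in authentication logs (added example, assumed log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the key=value layout is an assumption, not a real product's format.
SAMPLE_LOG = """\
2023-01-10T02:01:03Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2023-01-10T02:01:41Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2023-01-10T02:02:15Z user=contractor01 event=mfa_push result=timeout src=203.0.113.7
2023-01-10T02:03:02Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2023-01-10T02:04:30Z user=contractor01 event=mfa_push result=approved src=203.0.113.7
2023-01-10T09:15:00Z user=alice event=mfa_push result=approved src=198.51.100.4
2023-01-10T09:15:07Z user=bob event=mfa_push result=denied src=198.51.100.9
2023-01-10T09:20:00Z user=bob event=mfa_push result=approved src=198.51.100.9
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(p.split("=", 1) for p in parts[1:])
    return {"ts": ts, **fields}


def find_push_fatigue(log_text, window=timedelta(minutes=10), min_unapproved=3):
    """Return {user: finding} for every user with >= min_unapproved non-approved pushes
    inside one sliding window. The finding also records whether an approval followed
    the burst within the same window, which is the signature of a successful attack."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "mfa_push":
            by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        unapproved = [e for e in evs if e["result"] != "approved"]
        # Slide a window over the unapproved prompts only; the first burst that
        # meets the threshold is reported for this user.
        for i in range(len(unapproved)):
            j = i
            while j < len(unapproved) and unapproved[j]["ts"] - unapproved[i]["ts"] <= window:
                j += 1
            count = j - i
            if count >= min_unapproved:
                burst_end = unapproved[j - 1]["ts"]
                approved_after = any(
                    e["result"] == "approved" and burst_end < e["ts"] <= burst_end + window
                    for e in evs
                )
                findings[user] = {
                    "unapproved_pushes": count,
                    "start": unapproved[i]["ts"],
                    "approved_after_burst": approved_after,
                    "sources": sorted({e["src"] for e in unapproved[i:j]}),
                }
                break
    return findings


if __name__ == "__main__":
    for user, f in find_push_fatigue(SAMPLE_LOG).items():
        status = "APPROVED AFTER BURST" if f["approved_after_burst"] else "burst only"
        print(f"{user}: {f['unapproved_pushes']} unapproved pushes from {f['start']} "
              f"via {f['sources']} [{status}]")
```

Run over the constructed lines, only `contractor01` is reported: four unapproved prompts in under three minutes, then an approval, which is exactly the sequence Uber's statement describes. A single denial from `bob` followed by a normal login minutes later stays below the threshold. In practice the window and threshold would be tuned to the tenant's baseline, and the `sources` field is what turns a detection into a containment action (block the source, revoke the session, re-enrol the factor).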


Mark Warren, product specialist at Osirium, believes there is a new service offering on the rise: hacker teams offering victims-as-a-service. “For the last couple of years, threat actors have been team-based,” he explains. “Before cryptocurrency, they were lone wolves – or, occasionally, a loosely connected group who’d met online. Then they started working in teams, and because they were paid money those teams became tightly bonded. Over the next year we’ll see more teams divide out into skills-based groups.”

He uses REvil as an example of a successful RaaS model offering an end-to-end solution for attackers that included encryption software, access tools, helpdesks for victims, payment services and much more. “But,” he says, “there’s still a market for smaller teams that focus on specific attack skills. For example, they may breach defenses to acquire user or admin credentials, or even install malware to provide back door entry for use at a later date.”

Providers of such a service don’t need to take the risk of executing the attack or handling payment; they can make good money just by selling the access on dark web marketplaces. The access could be obtained via relatively risk-free phishing campaigns.

The approach could be modular. “Company intelligence may be another specialist service,” he suggests. “For example, knowing what cyber insurance a potential victim has could reveal the kinds of defenses they’ll have in place and even how much they’re insured for, so ransomware demands can be tailored.” In this sense, VaaS can be seen as an extension and expansion of the existing access broker criminal service.

And going forward…

Aamir Lakhani, cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs, adds further subtleties that will emerge. “Going forward, subscription based CaaS offerings could potentially provide additional revenue streams. In addition, threat actors will also begin to leverage emerging attack vectors such as deepfakes, offering these videos and audio recordings and related algorithms more broadly for purchase.”

The quasi-APT

This continuing professionalization of the criminal fraternity is causing the inevitable emergence of what Omer Carmi, VP of cyber threat intelligence at Cybersixgill, calls the quasi-APT. “In 2023,” he warns, “the quasi-APT’s emergence will escalate due to the democratization of cyberweapons and the democratization of access enabled by powerful technology now accessible to the cybercrime underground.” 

The growth of specialized roles and CaaS means that for as little as $10, threat actors can purchase access and gain a steady foothold into their targets’ systems. They can get a beachhead into highly secured organizations without having to bother with the complex, drawn-out process of gaining initial access on their own. 

“By outsourcing access, attackers of all levels of sophistication can leapfrog several steps, jumping yet another step closer to the level of an APT – hence the birth of the quasi-APT,” he warns.

The constantly improving sophistication and professionalization of the criminal underground will continue through 2023 and beyond. For example, Mikko Hypponen, chief research officer at WithSecure, sees artificial intelligence adding a new string to the criminal bow in 2023.

“Malware campaigns will move from human speed to machine speed,” he warns. “The most capable cybercrime groups will reach the capability to use simple machine learning techniques to automate the deployment and operation of malware campaigns, including automatic reaction to our defenses. Malware automation will include techniques like rewriting malicious emails, registering and creating malicious websites, and rewriting and compiling malware code to avoid detection.”

2023 may see the beginning of a new crime gang service: AI-as-a-Service.


The post Cyber Insights 2023: Criminal Gangs appeared first on SecurityWeek.

01 Feb 20:21

Cyber Insights 2023: The Geopolitical Effect

by Kevin Townsend


Geopolitics describes the effect of geography on politics, and usually refers to the political relationship between nations. That relationship is always mirrored in cyber. The Russia/Ukraine war that started in early 2022 has been mirrored by a major disturbance in cyber – and that disturbance will continue through 2023.

The physical conflict has forced much of the world to take sides. The US, NATO, the EU, and their allies are providing major support – short of troops – to Ukraine. China, Iran, and North Korea are all supporting Russia. The cyber conflict is similar, largely conforming to the George W Bush ‘axis of evil’ (Iran, Iraq, and North Korea, with the popular addition of Russia and China) versus the US, EU, and their allies.

Here we’re going to discuss how the current state of global geopolitics might play out in cyber during 2023.


“Russia may well resort to increased cyber offensive actions as it contends with on-the-ground setbacks in Ukraine,” comments Bob Ackerman, MD and founder of AllegisCyber. This has been considered likely throughout 2022, but as Russian military setbacks have increased toward the end of 2022, so the likelihood of increasingly aggressive Russian cyber activity will rise. Such offensive actions will not simply target Ukraine – they will be aimed at all countries seen to be supporting Ukraine.

“While we haven’t seen those feared attacks materialize yet,” says Christopher Budd, senior manager of threat research at Sophos, “it would be premature to say that those risks have passed. In 2023, so long as the uncertainty of war exists, everyone should plan for the real possibility of unexpected, large-scale cyberattacks.”

Indeed, the mirror between the kinetic and cyberworlds suggests it is inevitable in 2023. Kevin Bocek, VP of security strategy and threat intelligence at Venafi, expects to see Russian cyber activity becoming more ‘feral’. “We’re increasingly seeing its kinetic war tactics becoming more untamed, targeting energy and water infrastructure with missile strikes,” he says. “We expect the same to apply to cyberwarfare.”

He is concerned that Russia’s more feral activity will have the potential to spill over into other nations, “as Russia becomes more daring, trying to win the war by any means, and Russia could look to use the conflict as a distraction as it targets other nations with cyberattacks.”

Malwarebytes believes that large-scale attacks will appear first in Ukraine, but be accompanied by attacks against European allies. “In recent weeks [Oct/Nov 2022] Russia has been launching a barrage of missiles to cripple Ukraine’s electricity infrastructure. We could expect that at some point availability of such weapons will run low and that the Kremlin will want to increase the cyber effort. We may see further successful malware attacks from the Sandworm group as we have seen previously with the blackouts caused by the BlackEnergy malware,” comments Jerome Segura, senior director of threat intelligence at Malwarebytes.

“While malware used to destroy or wipe systems is likely to be used against Ukraine,” he adds, “more stealthy malware such as backdoors are likely to hit European allies as attempts to compromise key leaders, gather intelligence and possibly expose or extort via ‘kompromat’.”

In one sense, the Russia/Ukraine conflict has taken the gloves off the lower-level cyberwarfare that has existed for years. You could say that 2023 may well prove to be a new era of bare-knuckle cyberwarfare. “Nation state cyber warfare will become more openly prevalent,” suggests Chris Gray, AVP of security strategy at Deepwatch. “The Russia/Ukraine conflict has taken away much of the ‘cloak and dagger’ aspects of this area and, in doing so, has also broadened the scope of available targets. Financial impact and the ability to increase chaos due to service interruption will increasingly grow over former levels.”

While we concentrate on Russia as the primary current protagonist in offensive cyber, we should not forget that Russian ‘allies’ will take advantage of the situation. “China is likely to expand the full spectrum of its cyber initiatives targeting economic, political, and military objectives,” continues Ackerman. “Bit actors on the global stage may well exploit Great Power conflict and related global distractions to launch targeted regional cyberattacks,” he added. Iran targeting Israel would be one example.

Difficulty in attribution will remain

Increased nation-state cyber activity will become more obvious, but not necessarily legally attributable. The major powers will still seek to avoid direct retribution that could escalate into additional kinetic warfare. “The reality with nation-state attacks is you might never know you’ve been hit by one until another country’s intelligence agency actively identifies it,” warns Andrew Barratt, VP at Coalfire. “The attribution of attacks to specific parties is a highly contentious area with a lot of room for error and deniability. What we really need is crossover from friendly military intelligence partners to support a reasonable conclusion.”

SecurityWeek was told years ago by Luis Corrons, now security evangelist at Gen and co-chairman of the board at AMTSO, “The only people who really know what’s going on are the intelligence agencies, who have close knowledge drawn from signals intelligence and covert agents.” Historically, the intelligence agencies have been reluctant to make too many public accusations of attribution for fear that it might expose their sources.


Direct attribution from countries with mature intelligence agencies is likely to increase in 2023 – as will the strident denials coming from the perpetrators – but it will remain difficult. “The rapid expansion of non-state affiliated cyber actors including hobbyists, hacktivists, criminals, privateers, proxies, vigilantes, or cyber response reserve units, is unlike anything ever seen in traditional warfare,” explains Marcus Fowler, CEO of Darktrace Federal. “The surge in ‘vigilante’ approaches to cyber-crime will continue to alter the course of modern warfare in 2023, introducing unprecedented adversaries and allies for nation-states.”

Zero-day stockpiles

What remains largely unknown is the potential capability of unfettered cyberwarfare – all major nations have been stockpiling zero-days for years. “I dare not speak of the unused kinetic powers available to the nation-states,” comments Brian NeuHaus, CTO of Americas at Vectra AI, “but will digress to one which has only, I believe, been partially used. Cyberwarfare is still a real threat from a broader use of known TTPs, tools tactics procedures, and an unknown equity of zero-days just waiting for the right strategic moment to deploy against one’s foes.” 

Zero-days are not used lightly, especially by nation-states. Once used, they instantly lose their value. The problem is that we have no knowledge of our adversaries’ zero-day stockpiles, nor their ability to unleash widespread destructive capabilities against critical infrastructure. Their use is likely to be one of desperation – a cyber version of nuclear weapons with the potential to escalate into open kinetic conflict. 

We must hope this day never comes, for it is worth remembering Putin’s warning on the use of nuclear weapons: “For the planet, it will be a catastrophe. But for me as a citizen of the Russian Federation and the head of the Russian State, I must ask myself the question. What is the point of a world without Russia?”

Wiperware and other destructive attacks

Our hope must therefore be that no nation-state feels so backed into a corner that it unleashes the full power of stockpiled zero-days against the opponent’s critical infrastructure. That doesn’t mean we can relax – the threat from what we could perhaps describe as conventional cyberweapons remains real and likely to increase through 2023. Wiperware is probably top of the list.

Fleming Shi

“Russia’s invasion of Ukraine this year revealed the modern digital battlefield. Most notably, we have witnessed an increased use of wiperware, a form of destructive malware against Ukrainian organizations and critical infrastructure,” comments Fleming Shi, CTO at Barracuda. “The frequency has dramatically increased as we saw WhisperGate, CaddyWiper, HermeticWiper, and others hitting the news since the war broke out.” 

Unlike ransomware, with its financial motivation and the possibility of decryption, wiperware is typically deployed by nation-state actors with the sole intent of damaging and destroying an adversary’s systems beyond recovery. “In addition,” he added, “in 2023, wiperware emanating from Russia will likely spill over into other countries as geopolitical tensions continue.”

Wiperware can easily be disguised as criminal ransomware with non-functioning decryption, adding deniability to destructive nation-state attacks. NotPetya is the best-known example of this, and there are suspicions that WannaCry was another. “Given the current political climate, Kaspersky experts foresee a record number of disruptive and destructive cyberattacks, affecting both the government sector and key industries,” says Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT.

“It is likely that a portion of them will not be easily traceable to cyberattacks and will look like random accidents. The rest will take the form of pseudo-ransomware attacks or hacktivist operations to provide plausible deniability for their real authors,” he added. “High-profile cyberattacks against civilian infrastructure, such as energy grids or public broadcasting, may also become targets, as well as underwater cables and fiber distribution hubs, which are challenging to defend.”

A particular target area for such attacks will likely be ‘dual use’ technologies; that is, those that serve both military and commercial purposes. “Satellite technologies and other advanced communication platforms come under a higher level of focus. Both intellectual property theft and disruption of data delivery to governments and militaries around the world become a stronger focus,” says Kurt Baumgartner, principal security researcher at Kaspersky.

It is noticeable that the cyberattack against Viasat by Russia just prior to the Russian invasion of Ukraine, designed to disrupt Ukrainian military communications, spilled out of the region to also affect some 9,000 European users. Russia seems to have ‘got away with it’ on this occasion, but it effectively remains a nation-state cyberattack against civilians outside of the war zone. We are not aware of any clandestine response from the West, but must wonder if the response would have been different if the spillover had directly affected US users.

John Pescatore, director of emerging security trends at SANS Institute, endorses Baumgartner’s view. “The war in Ukraine will have broader impacts on the commercial sector as operatives on both sides attack dual-use technologies (that is, services used by both the military and civilians) to take down communication and critical infrastructures systems.” He expects to see more attacks in 2023 that will impact business internet connections, communication, and logistics systems. 

“Increasing attacks on key dual-use technologies like cell towers, GPS, and commercial satellites – such as Starlink,” he adds, “will damage connectivity and business operations for private sector companies that depend on these technologies, even if they are not directly targeted themselves.”

Beyond Russia

While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea will all increase their activity through 2023 under cover of the European war. China will likely continue concentrating on espionage rather than destruction – although this may change if the separate geopolitical tensions over Taiwan escalate into kinetic activity.

“China has high priority targets to meet in terms of economic and social development, made more pressing by continuing Covid outbreaks and a zero-tolerance stance on Covid,” warns Mike McLellan, director of intelligence at Secureworks. “Chinese intelligence collection will remain both broad and deep, as the Chinese Communist Party will not accept failure on any of its key focus areas.”

This focus will be on upgrades to its manufacturing base, food stability, housing, energy supply, and natural resources. “Organizations operating in or supplying any of those areas, particularly high-tech industries,” he continues, “are potential targets of Chinese cyberespionage.”

But he adds, “As tensions continue to rise around Taiwan and the South China Sea, and China continues to drive forward with its Belt and Road Initiative (BRI), a large proportion of China’s cyber espionage apparatus will be regionally focused targeting governments and critical infrastructure projects, as well as dissidents and other individuals opposed to the Chinese state.”

Iran and North Korea are less concerned with maintaining any semblance of diplomacy with the US and EU. Iran may engage in more destructive cyberattacks, largely in the Middle East but potentially elsewhere. “Iran will exploit the blurring of state-sponsored activity with cybercrime, both against regional adversaries and more broadly,” says McLellan. 

The country will make use of offensive cyber operations under the guise of hacktivist and cybercrime personas to harass and intimidate regional adversaries, particularly Israel. This will probably extend beyond the Middle East with Iran merging state and criminal activity. Citing the IRGC-affiliated Cobalt Mirage threat group, McLellan warns, “Iran will exploit this financially motivated activity as a plausible cover for state espionage or disruption operations, which can be dismissed as part of a ‘cybercrime problem’.”

“We’re also seeing North Korea flexing its muscles by flying long range weapons over borders,” adds Venafi’s Bocek. If the mirror between kinetic and cyber activity holds true, we can expect North Korea to become more aggressive in cyber in 2023. Such cyber activity, adds Bocek, “will be replicated by North Korea as it looks to advance its economic and political goals.”


A particular concern for 2023 and beyond is that the diplomatic seal may now be permanently broken. The Russia/Ukraine war will eventually end – but tensions between the two countries and their allies will continue. Aggressive international cyber activity may never return to pre-war levels. “Nation-states will continue to cause each other digital problems amid the constant fight for power and status on the world stage,” comments Zac Warren, chief security advisor for EMEA at Tanium.

“Nations will come to the table to discuss norms; China, Russia and others will inhibit progress,” warns Mike Hamilton, founder and CISO at Critical Insight. He has two specific predictions for 2023 that might take cyber relations beyond the point of no return. Firstly, he suggests, “Russia will have its infrastructure disrupted as a demonstration of seriousness.” Secondly, he adds, “Operational technologies will be disrupted/wiped, likely in the US water sector.”

If either of these incidents occur and can be reliably attributed to a foreign state, they will not be easily forgiven.

As it is in the kinetic world, so it is in the digital. “For everything in the real world, there is a shadow on the Internet,” says Sam Curry, CSO at Cybereason. “More-and-more, we are going to see the Internet as a primary forum for geopolitical activity. The classic diplomacy, information, military and economic (or ‘DIME’) options are seeing the rise of information options and a resurgence of military options from 2022. Going into 2023, it’s to be hoped that diplomacy and economics rise to the fore, but for that to happen, the world would need to see an amenable-to-all-parties resolution to the Russia-Ukraine War or at least motion in that direction with a meaningful ceasefire; and detente in the South China Sea, which although a secondary area is another potential area of rising concern and clash of superpowers.”

About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

Related: Wipers Are Widening: Here’s Why That Matters

Related: Economic Warfare: Attacks on CI Part of Geopolitical Conflict

Related: Security Pros Believe Cybersecurity Now Aligned With Cyberwar

Related: U.S. Issues Fresh Warning Over Russian Cyber Threats

The post Cyber Insights 2023: The Geopolitical Effect appeared first on SecurityWeek.

01 Feb 20:21

Intel Making More Preparations For Enabling Future Graphics Platforms On Linux

The last batch of drm-intel-gt-next changes have been sent in to DRM-Next ahead of next month's Linux 6.3 merge window. Notable with this week's changes are more low-level code improvements in preparation for future Intel graphics hardware platforms...
01 Feb 20:20


by Scali

A thing I have been working on, on and off, for many years now, is a set of headers and helper routines for programming DOS machines directly on the hardware in assembly and C.

As you may recall, my earliest retro-programming blogs focused on the Amiga. And for the Amiga you have what is called the “Native Development Kit”, or NDK. It’s a collection of C header files and assembly include files, which contain all sorts of constants, type definitions and such to interface directly with the hardware.

When I started my DOS retroprogramming, there was no equivalent available. So I slowly started building my own include and header files to codify any hardware-specific stuff from the chip manuals or Ralf’s Interrupt List and BOCHS’ ports.lst. The idea has always been to eventually release it. But I never got round to that, until now. I have put it on Github here:

And here is the README for a short introduction:

An SDK for developing DOS software for x86 machines, including IBM PC compatibles and NEC PC-98

This SDK (Software Development Kit) is modeled after the Amiga NDK (Native Development Kit). The Amiga NDK contains a set of header files and libraries for both assembly and C development, which provide all the required constants, flags, data structures and whatnot to interface directly with the hardware, so that code using them is readable through human-readable symbols and type definitions. An equivalent for the IBM PC platform, or PC DOS/MS-DOS/compatible environments, has never been available to my knowledge. This SDK attempts to fill that void. Think of it as Ralf’s Interrupt List and Bochs’ ports.lst turned into .inc/.asm and .h/.c files ready for use in a programming environment.

There are some basic rules in how this SDK is structured. Since a PC is composed of a number of off-the-shelf chips, the SDK is structured in a way that reflects this. This means that the definitions related to specific chips such as the 6845, the 8253, the 8259 etc. are separated from how they are implemented in the PC architecture (the I/O addresses, memory addresses, IRQs and other resources they use). A header file for a specific chip will only contain the generic information for the chip. A separate system-specific header file will then contain the information specific to the implementation of that chip in that system. This allows you to use the header file for the chip on any system that implements it. This is especially useful for writing code for both IBM PC and NEC PC-98, which mostly use the same hardware, but not at the same locations. In future, it may also be expanded to other systems, such as the Tandy 2000.

For system-specific or hardware/standard-specific definitions, a prefix is used for the symbols. For example, the IBM PC-specific symbols are prefixed with PC_, and NEC PC-98-specific symbols are prefixed with PC98_. For graphics standards, we can see MDA_, HERC_, CGA_, EGA_ and VGA_ prefixes.

This is a work-in-progress. Feel free to contribute changes, additions or suggestions to make the SDK as complete as possible.
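The chip-versus-system split the README describes is easiest to see with one chip resolved for two machines. The following is an added example written for this page, not code from the SDK itself: it takes the 8253 programmable interval timer, puts only the register indexes and control-word bits in the "chip" part, and puts the port base, register stride and input clock for the IBM PC and the NEC PC-98 in the "system" part. The I8253_ symbol names, the pit_map/pit_program types and the helper functions are this example's own inventions; only the PC_ and PC98_ prefixes follow the README's convention. The IBM PC values (ports 0x40–0x43, 1.193182 MHz) are standard; the PC-98 port layout (0x71, 0x73, 0x75, 0x77) is standard too, but its input clock varies by model, so the 2.4576 MHz figure used here is an assumption for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* ---- chip header ("8253.h"): knows the chip, not the machine ---- */
#define I8253_COUNTER0   0   /* register indexes, not port numbers */
#define I8253_COUNTER1   1
#define I8253_COUNTER2   2
#define I8253_CONTROL    3

/* control word layout: SC1 SC0 | RW1 RW0 | M2 M1 M0 | BCD */
#define I8253_SC(n)      ((uint8_t)(((n) & 3) << 6))
#define I8253_RW_LSB     0x10
#define I8253_RW_MSB     0x20
#define I8253_RW_LSBMSB  0x30
#define I8253_MODE(m)    ((uint8_t)(((m) & 7) << 1))
#define I8253_BCD        0x01

/* ---- system headers ("pc.h", "pc98.h"): where the chip lives ---- */
struct pit_map {
    uint16_t base;      /* port of counter 0 */
    uint16_t stride;    /* distance between consecutive registers */
    uint32_t clock_hz;  /* input clock feeding the counters */
};

/* IBM PC: 8253 at 0x40..0x43, consecutive ports, 1.193182 MHz. */
static const struct pit_map PC_PIT   = { 0x40, 1, 1193182UL };
/* NEC PC-98: same chip at 0x71, 0x73, 0x75, 0x77 (odd ports, stride 2).
 * The input clock is model-dependent; 2.4576 MHz is assumed here. */
static const struct pit_map PC98_PIT = { 0x71, 2, 2457600UL };

/* Port number of a chip register on a given system. */
uint16_t pit_port(const struct pit_map *m, int reg)
{
    return (uint16_t)(m->base + reg * m->stride);
}

/* 16-bit reload value for target_hz; 0 encodes the maximum (65536). */
uint16_t pit_divisor(uint32_t clock_hz, uint32_t target_hz)
{
    uint32_t d;
    if (target_hz == 0) return 0;
    d = (clock_hz + target_hz / 2) / target_hz;  /* round to nearest */
    if (d >= 65536UL) return 0;
    if (d == 0) return 1;
    return (uint16_t)d;
}

/* Control byte: counter select, LSB-then-MSB access, mode, binary count. */
uint8_t pit_control(int counter, int mode)
{
    return (uint8_t)(I8253_SC(counter) | I8253_RW_LSBMSB | I8253_MODE(mode));
}

/* Everything a caller needs to program one counter: three OUT instructions. */
struct pit_program {
    uint16_t ctrl_port, data_port;
    uint8_t  ctrl, lo, hi;
};

struct pit_program pit_plan(const struct pit_map *m, int counter, int mode,
                            uint32_t target_hz)
{
    struct pit_program p;
    uint16_t div = pit_divisor(m->clock_hz, target_hz);
    p.ctrl_port = pit_port(m, I8253_CONTROL);
    p.data_port = pit_port(m, counter);
    p.ctrl = pit_control(counter, mode);
    p.lo = (uint8_t)(div & 0xFF);
    p.hi = (uint8_t)(div >> 8);
    return p;
}

/* Stand-alone run: the same request resolved for both systems. On real DOS
 * hardware the values would go to outp(ctrl_port, ctrl), outp(data_port, lo),
 * outp(data_port, hi); here they are only computed and printed. */
int main(void)
{
    const struct pit_map *sys[2] = { &PC_PIT, &PC98_PIT };
    const char *name[2] = { "PC", "PC98" };
    int i;
    for (i = 0; i < 2; i++) {
        struct pit_program p = pit_plan(sys[i], I8253_COUNTER0, 2, 1000);
        printf("%-4s ctrl %02X -> port %02X, reload %02X%02X -> port %02X\n",
               name[i], p.ctrl, p.ctrl_port, p.hi, p.lo, p.data_port);
    }
    return 0;
}
```

The point of the layout is that pit_plan() never mentions a port number: a request for "counter 0, mode 2, 1 kHz" becomes ctrl 0x34 to port 0x43 and reload 0x04A9 to port 0x40 on the PC, and the same ctrl byte to port 0x77 with reload 0x099A to port 0x71 on the PC-98, purely by swapping the system table.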

01 Feb 20:20

Intel Highlights Their Progress On Arc Graphics Drivers Since Launch

Intel this week held a presentation to talk up the progress they've made on their (Windows) graphics driver since launch for Arc Graphics where for many games there are double digit performance improvements to enjoy with the budget-friendly Arc Graphics A750 and A770 graphics cards...
01 Feb 20:20

This Is the Best Beef for Your Stew

by Claire Lower

I am tired of being cold. Unfortunately, given the fact that I live in the Pacific Northwest, I am probably going to go on being cold for at least six more weeks. Luckily, I am not tired of eating warming foods, such as soups, big piles of potatoes, and stews. Stews are especially fortifying—particularly, beef stew.


01 Feb 20:18

Intel Suspends Merit Bonuses, Cuts CEO’s $1.1 Million Paycheck By 25%

by Ramish Zafar


After another bloodbath of an earnings report, chipmaker Intel Corporation has decided to reduce salaries and cut bonuses for its employees, the firm confirmed to Reuters late last night. Intel's earnings saw the company miss Wall Street estimates and post a 28% annual drop for the quarter and a 16% drop for the full year. At its earnings call, the firm's chief executive officer (CEO), Mr. Patrick Gelsinger, admitted that Intel had slipped but reiterated that the company is taking the right steps to ensure that it will become a market leader once again.

Now, with revenues dropping and capital expenditure picking up, Intel has announced large pay cuts for several employee grades, with the highest cut of 25% being taken by Mr. Gelsinger himself.

Intel Eliminates Quarterly Bonuses, Pauses Annual Bonuses, Suspends Raises and Halves Pension Contributions

The report, initially broken by SemiAnalysis, reveals that the pay cuts apply across most of Intel's employee grades. Intel has 14 job levels, with fresh college graduates starting in grades 3 to 4, graduate entry-level workers starting in grades 5 to 6, and Ph.D. entry-level workers starting at grade 7. The grade levels end at 13, and directors and senior vice presidents are ranked below this level.

According to the details from SemiAnalysis and corroborated by Reuters, employees in grades 7 to 11 will take a 5% basic pay cut, vice presidents will take a 10% pay cut, more senior executives will see their basic pay reduced by 15% and Intel's chief Patrick Gelsinger's compensation will be reduced by a quarter, or 25%. An Intel filing with the Securities and Exchange Commission last year revealed that Mr. Gelsinger's base salary was $1.1 million in 2021, alongside a hiring bonus of $1.75 million.

At the same time, the executive also received a whopping $140 million in stock awards and another $29 million in options - with large portions of these also locked and only set to be awarded in case of upward share price performance.

Intel's misfortunes on the stock market have led to AMD closing in on the firm in terms of market capitalization. Image: Refinitiv

Intel has also paused annual bonuses for employees, removed quarterly bonuses and suspended merit pay raises. Additionally, the firm has halved its defined contribution payments to retirement plans from 5% to 2.5%.

An Intel spokesperson, in a statement made to Reuters, explained that:

changes are designed to impact our executive population more significantly and will help support the investments and overall workforce.

The ongoing economic crunch has also made Intel pause or eliminate non-core strategic growth initiatives. These include slowing down equipment purchases, shutting down some facilities, and delaying the construction of new chipmaking facilities. At the same time, the firm is also building new facilities through which it aims to re-enter the contract chip manufacturing industry and catch up to its Taiwanese rival, the Taiwan Semiconductor Manufacturing Company (TSMC).

TSMC, which is the world's largest contract chip manufacturer, has rapidly overtaken Intel. Mr. Gelsinger admitted during his company's latest earnings call that Intel has fallen behind the Taiwanese firm, but promised that the American firm, credited by many with inventing the modern microprocessor, will catch up next year.

Additionally, Intel also brought forward its manufacturing timeline for advanced technologies late last year, in a strong statement of intent from a firm that has failed to introduce new process nodes for years.

The post Intel Suspends Merit Bonuses, Cuts CEO’s $1.1 Million Paycheck By 25% by Ramish Zafar appeared first on Wccftech.

01 Feb 20:18

Intel Arc A750 Gets Price Cut, Available To Buy At New MSRP Of $249 And 52% Better Performance Per Dollar Than The RTX 3060

by Usman Pirzada

Intel has recently rolled out new drivers for its Arc series GPUs which have not only fixed the DX9 issues present since launch but have actually turned DX9 into one of the strong suits of the card. With the company having delivered an aggregate 43% performance uplift – which is a generational uplift, mind you – and over a 60% improvement in the 99th percentile values (smoothness), it is now announcing a small price cut as the cherry on top of the cake.

A first-party comparison of the RTX 3060 with Intel's Arc A750.

Unlike NVIDIA GPUs which are hard to find at MSRP, you can actually find the Intel Arc series GPUs at MSRP and with this new, very aggressive price point of $249, the Arc A750 8GB actually offers roughly 52% better performance per dollar than the RTX 3060 which has an average selling price of $391 on Newegg. Intel is also packaging their GPU with two game titles, namely The Settlers: New Allies and Nightingale.

Intel was always supposed to be the third player that would break the duopoly, but that did not transpire, as the Arc GPUs with launch drivers were mostly unstable with exceptionally bad DX9 performance. Now, less than half a year after launch, the company has rolled out 8 major software updates and delivered almost a generation's worth of performance improvement purely through the driver stack – redefining the term FineWine. It has also fixed most of the stability issues and is constantly taking feedback from the community to help spot major performance problems.

While it would have been hard to recommend the Intel Arc A750 over the RTX 3060 at launch primarily due to the inconsistent performance of the GPU, it looks like the software side is finally catching up to the true potential of the hardware die and this is something that will hopefully translate over to Battlemage and Celestial as well for Intel to truly have a chance of capturing a piece of the coveted GPU pie.

With this exceptionally good pricing (that you can actually buy) and significantly improved stability and performance, I am sure we will see adoption accelerate as the card finally gets good enough to recommend and pick up (combined with the assurance of constant Intel updates to keep improving your purchase).

Would You Now Pick An Arc A750 Over The RTX 3060?
  • I would have even at launch
  • I will now seeing I am assured constant software updates and support
  • Only AMD/NVIDIA for me
  • Waiting for Battlemage

The post Intel Arc A750 Gets Price Cut, Available To Buy At New MSRP Of $249 And 52% Better Performance Per Dollar Than The RTX 3060 by Usman Pirzada appeared first on Wccftech.

01 Feb 20:18

Intel’s New Arc GPU Driver Achieves Up To 87% Performance Uplift Since Launch, Aggregate 43% Improvement In DX9 Titles

by Usman Pirzada

Intel’s Arc ambitions have been a dream for PC enthusiasts almost a decade in the making. While everyone realistically expected them to have teething issues in the start, the reality of the Arc launch was that a very capable silicon was combined with immature drivers that were unable to harness its true potential. In exactly what you would expect from a company dedicated to getting a piece of the GPU-market-pie, Intel has slowly but surely turned that story around. DX9 performance especially stuck out like a sore thumb on the Arc graphics and if this recent update is anything to go by – Intel has managed to completely turn that ship around.

You can download the new Intel Arc 4086/4091 driver over here.


Not only has the company managed to improve the raw FPS number but also significantly improved the frame times as well. Here is what the company has managed to achieve in their new 4086 drivers (which should be packaged under the recently launched 4091 drivers) compared to the 3490 launch drivers:

  • 1080p Avg FPS: Up to 77% improvement
  • 1080p 99th Percentile Normalized: Up to 114% improvement
  • 1440p Avg FPS: Up to 87% improvement
  • 1440p 99th Percentile Normalized: Up to 123% improvement
  • Aggregate DX9 FPS improvement: 43%
  • Aggregate DX9 99th Percentile improvement: 60%

It’s not just DX9 titles that are getting the love, DX11 and DX12 titles saw double digit performance improvement since launch too

Interestingly, it is not just DX9 titles that the company is improving. Titles such as Warframe – which are based on DX11 have seen up to a 57% increase since launch. Other DX11 titles that have seen significant performance increase includes Total War Warhammer III, Riders Republic and BeamNG Drive. DX11 and DX12 in general have seen roughly a 20% increase in aggregate since launch. These are truly fantastic driver-based performance uplifts and have provided a generational uplift through what is essentially software updates.


Intel is also now boldly asking people to retest the Arc A750 GPU and is stating that its card now offers up to 52% better performance per dollar than the RTX 3060, which had an average selling price of roughly $391 as of January 26, 2023. The Arc A750 at the new price point of $249 (and it is actually available at MSRP!) should now be a safe enough pick, as it looks like Intel has solved most of the pain points present at launch and closed most of the stability and performance gaps. We are also sure that performance is going to continue to increase over time, and in a year you are going to have a very mature driver stack that will be able to make the upcoming Battlemage very competitive.


Intel has been very candid about the problems they were facing and considering this is the first commercial GPU they ever built, a lot of the problems require scope and breadth that can only be solved once you expose the product to the wider-public. It is good to see that Intel has no intention of treating Arc GPUs like abandonware and is burning the midnight oil in order to get consistent and reliable software updates to its early adopters. Kudos, Intel!

Would You Now Pick An Arc A750 Over The RTX 3060?
  • I would have even at launch
  • I will now seeing I am assured constant software updates and support
  • Only AMD/NVIDIA for me
  • Waiting for Battlemage

The post Intel’s New Arc GPU Driver Achieves Up To 87% Performance Uplift Since Launch, Aggregate 43% Improvement In DX9 Titles by Usman Pirzada appeared first on Wccftech.

01 Feb 20:18

Intel Slashing CEO and Managers' Pay in a Bid To Preserve Cash

by msmash
Intel, struggling with a rapid drop in revenue and earnings, is cutting management pay across the company to cope with a shaky economy and to preserve cash for an ambitious turnaround plan. From a report: Chief Executive Officer Pat Gelsinger is taking a 25% cut to his base salary, the chipmaker said Tuesday. His executive leadership team will see their pay packages decrease by 15%. Senior managers will take a 10% reduction and mid-level managers a 5% cut. Intel shares climbed 0.1% in premarket trading in New York Wednesday. The stock lost almost half its value last year. "As we continue to navigate macroeconomic headwinds and work to reduce costs across the company, we've made several adjustments to our 2023 employee compensation and rewards programs," Intel said in a statement. "These changes are designed to impact our executive population more significantly and will help support the investments and overall workforce needed to accelerate our transformation and achieve our long-term strategy." The move follows a gloomy outlook from Intel last week, when the company predicted one of the worst quarters in its more than 50-year history. Stiffer competition and a sharp slowdown in personal-computer demand have wiped out profits and eaten into Intel's cash reserves. At the same time, Gelsinger wants to invest in the company's future. He's two years into a turnaround effort aimed at restoring Intel's technological leadership in the $580 billion chip industry.

Read more of this story at Slashdot.

01 Feb 20:17

Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation and Information Sharing

by Derek Manky

As we reflect on 2022, we’ve seen that malicious actors are constantly coming up with new ways to weaponize technologies at scale to cause more disruption and devastation.

The dangers are showing up everywhere – and more frequently. The volume and variety of threats, including Ransomware-as-a-Service (RaaS) and novel attacks on previously less conventional targets, are of particular concern to CIOs and CISOs.

Increasingly, cybercrime is big business run by highly organized groups rather than individuals. Much like the mythological hydra, cutting off the head of one of these organizations (i.e. just stopping a few low level operators in their tracks) isn’t going to solve the problem; the key is to disrupt the networks themselves. That’s a tall order – one that’s going to require widespread collaboration.

Cybercrime networks and Cybercrime-as-a-Service

We anticipated that in 2022 there would be an increase in pre-attack reconnaissance and weaponization among attackers. This would open the door for the growth of Crime-as-a-Service (CaaS) to accelerate even faster.

That prediction proved to be accurate. The FortiGuard Labs team documented 10,666 new ransomware variants in the first half of 2022, compared to just 5,400 in the second half of 2021. That’s an almost 100% increase in the number of new ransomware variants found. The rise in popularity of RaaS on the dark web is the main cause of this sudden increase in new ransomware strains.

RaaS is mostly to blame for the explosive growth in ransomware variants, and ransomware payments are also rising. U.S. financial institutions spent close to $1.2 billion on likely ransomware payments in 2021, according to the Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury. That was more than double the prior year, and if that trend continues, results from 2022 will be even higher.

Our current predictions indicate that the CaaS market will grow dramatically through 2023 and beyond, with threat actors soon being able to subscribe to new exploits, services and structured programs.

We’re also predicting that threat actors will soon have access to more readymade, “as a service” products. This means even more cybercriminals of all levels will be able to launch more complex attacks without first devoting time and money to creating their own strategy. Additionally, producing and offering “aaS” attack portfolios is a straightforward, efficient, and repeatable way for seasoned hackers to make money, meaning the business model pays. Prepare yourself for an enhanced CaaS catalog to appear in 2023 and beyond as a result.

Collaboration is key

It can’t be emphasized enough: the key to disrupting cybercrime networks is collaboration across the private and public sectors. One illustration is the work of the World Economic Forum’s Partnership Against Cybercrime (PAC). In response to the unprecedented growth in cybercriminal activity during the pandemic, PAC has concentrated on combining the digital know-how and data of the private sector with the threat information held by governments to help disrupt cybercrime ecosystems.

A worldwide strategy and coordinated effort to remove communication barriers will make it simpler to overcome the jurisdictional and organizational boundaries that shelter attackers. It is everyone’s duty to disrupt bad actors and dismantle attack infrastructure, and this calls for solid, reliable partnerships with other organizations. Cybercriminals run their operations like businesses; therefore, the more we can force them to rebuild, change their strategies, and start over, the better off digital assets will be.

Not only do we want to stop attacks from happening, but we also want to take down cybercriminals and make them modify how they operate, which costs them effort, time and resources. Sharing actionable threat intelligence among organizations and influencing how cyberthreat mitigation will be done in the future are crucial.

Private-public collaboration in practice  

An example of how this kind of collaboration can be used to disrupt cybercrime networks is the recent Africa Cyber Surge Operation. The collaboration between INTERPOL, FortiGuard Labs and other INTERPOL private partners resulted in the successful Cyber Surge operation and the dissemination of intelligence to several law enforcement organizations in the Africa region.

Partners such as FortiGuard Labs offered actionable threat intelligence based on infrastructure research of malware, botnets and command and control (C2), including C2 and malware victims across Africa. The Africa Cyber Surge Operation, which began in July 2022, has brought together law enforcement (LE) officers from 27 nations. They collaborated for almost four months on actionable intelligence provided by INTERPOL private partners.

Through a coordinated effort between INTERPOL, AFRIPOL and the participating nations, this operation targeted both cybercriminals and compromised network infrastructure in Africa. Member nations were able to identify more than 1,000 malicious IP addresses, dark web marketplaces and specific attackers.

The Africa Cyber Surge Operation is a great example of how joint operations and sharing threat intelligence on threat actors among reliable partners can increase an entire region’s cyber resilience. It also demonstrates the need for cybersecurity education and training in bridging the cyber skills gap and effectively combating cybercrime at scale.

Collaboration is the key

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base. Just as cybercrime networks are getting stronger and larger, so too must collaborative strategies between private companies and law enforcement agencies. Disrupting cybercrime networks is going to take collaboration on a large scale.

The post Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation and Information Sharing appeared first on SecurityWeek.