Cybersecurity best practices encompass some general best practices — like being cautious when engaging in online activities, abiding by company rules, and reaching out for help when you encounter something suspicious. Here’s a deeper dive into the 10 cybersecurity best practices for businesses that every employee should know and follow.
Although surfing the web or watching a video can seem harmless, there are dangers to your computer lurking all over the internet. Various types of malicious software, otherwise known as malware, can be used to monitor what you do online and perhaps steal your personal information. The specific types of malware that hackers use change frequently but can include:
Microsoft's war against private exploit and offensive security sellers continues with a strike against Sourgum. On July 15, the Microsoft Threat Intelligence Center (MSTIC) said that the Redmond giant has been quietly tackling the threat posed to Windows operating systems by the organization, dubbed a "private-sector offensive actor" (PSOA). A tip provided by human rights outfit Citizen Lab led Microsoft to the PSOA, dubbed Sourgum, a company said to sell cyberweapons including the DevilsTongue malware.

"The weapons disabled were being used in precision attacks targeting more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents," Microsoft says. Approximately half of DevilsTongue victims are located in Palestine, but a handful have also been traced back to countries including Israel, Iran, Spain/Catalonia, and the United Kingdom. According to the Citizen Lab, Sourgum is based in Israel and counts government agencies across the globe among its customers.

With the assistance of Citizen Lab, Microsoft has examined the unique malware family developed by Sourgum and has now pushed protections against it in Windows security products. This includes patching previously unknown vulnerabilities, CVE-2021-31979 and CVE-2021-33771. These two vulnerabilities were listed as actively exploited in Microsoft's latest security update, known as Patch Tuesday, which is issued on a monthly basis. They are both described as Windows Kernel privilege escalation security flaws.

Microsoft says that the exploits are "key" elements of wider attack chains used by Sourgum to target Windows PCs and browsers in order to deliver DevilsTongue. Browser exploits appear to be used in one of the initial attack stages, where they are served through malicious URLs and sent via messaging services including WhatsApp. The modular malware is described as "complex" with "novel capabilities."
While analysis is ongoing, Microsoft says that DevilsTongue's main functionality is stored in encrypted .DLL files, only decrypted when loaded into memory, and both configuration and tasking data are separate from the main payload. DevilsTongue can be used in both user and kernel modes and is capable of .DLL hijacking, COM hijacking, shellcode deployment, file collection, registry tampering, cookie theft, and the extraction of credentials from browsers. A feature of note is a module dedicated to decrypting and extracting conversations taking place over Signal. The malicious code also contains sophisticated obfuscation and persistence mechanisms.

"With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves," Microsoft says. "The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers."

Detection data has also been shared with the wider security community. "We're providing this guidance with the expectation that Sourgum will likely change the characteristics we identify for detection in their next iteration of the malware," the company added. "Given the actor's level of sophistication, however, we believe that outcome would likely occur irrespective of our public guidance."

In related news this week, Microsoft disclosed a third vulnerability impacting the Windows Print Spooler service, joining the duo of security flaws known as PrintNightmare. Tracked as CVE-2021-34481, the bug can be exploited to obtain system-level privileges locally.
The UK government has formally laid the blame for the Microsoft Exchange Server cyberattack at the feet of China. On Monday, the government joined others -- including the victim company itself, Microsoft -- in claiming the cyberattack was the work of Chinese state-sponsored hackers, namely Hafnium, an advanced persistent threat (APT) group. The United States, NATO, and the EU have joined the UK in condemning the attack.

Foreign Secretary Dominic Raab deemed the attack "by Chinese state-backed groups" as a "reckless but familiar pattern of behavior." "The Chinese Government must end this systematic cyber sabotage and can expect to be held [to] account if it does not," Raab added.

Earlier this year, suspicious activity was detected and linked to four zero-day vulnerabilities in on-prem Microsoft Exchange Servers. In March, the Redmond giant issued emergency patches to mitigate the threat to its customers; however, the vulnerabilities -- CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 -- were exploited, compromising an estimated 30 000 organizations in the US alone. The European Banking Authority was one of the most high-profile victims of the attack. Following the incident, the malware was discovered on over 2000 machines belonging to businesses in the United Kingdom.

The UK government believes the attack was likely conducted for "large-scale espionage", including the theft of information and intellectual property by hackers sponsored by the People's Republic of China (PRC). Furthermore, UK officials say that the Chinese Ministry of State Security is backing two other groups, known as APT40 (TEMP.Periscope/TEMP.Jumper/Leviathan) and APT31 (Judgement Panda/Zirconium/Red Keres).
According to the National Cyber Security Centre (NCSC), APT40 is responsible for targeting the maritime industry and naval contractors in the United States and Europe, and the agency assesses with high confidence that the Chinese Ministry of State Security is backing the group, which "operates to key Chinese State Intelligence requirements." In addition, the NCSC says that APT31 is responsible for targeting government and political figures, including the Finnish Parliament, in 2020. "[The] NCSC is almost certain that APT31 is affiliated to the Chinese State and likely that APT31 is a group of contractors working directly for the Chinese Ministry of State Security," the agency added.

"The Chinese government has ignored repeated calls to end its reckless campaign, instead [of] allowing its state-backed actors to increase the scale of their attacks and act recklessly when caught," UK officials commented. "This coordinated action today sees the international community once again urge the Chinese government to take responsibility for its actions and respect the democratic institutions, personal data, and commercial interests of those with whom it seeks to partner." The government has also called on China to desist in its alleged attempts to conduct or support IP and trade secrets theft through cyberattacks.

Update 15.33 BST: The UK, NATO, US, and EU have allied in their stance against alleged Chinese cyberattacks. Together with the UK, the White House has issued a joint statement criticizing China's alleged behavior. "In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars," the US government claims.
"The PRC's unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts." The US Department of Justice (DoJ) has also indicted four Chinese nationals suspected of being members of China's Ministry of State Security (MSS), as well as APT40. They are accused of "hacking into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018." The DoJ alleges that the MSS has been involved in cyberattacks against victims in the US, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the United Kingdom.