A Russian state-sponsored threat actor has been observed targeting diplomatic and government entities as part of a series of phishing campaigns commencing on January 17, 2022.
Threat intelligence and incident response firm Mandiant attributed the attacks to a hacking group tracked as APT29 (aka Cozy Bear), with some set of the activities associated with the crew assigned the moniker Nobelium (

A Russian state-sponsored threat actor has been observed targeting diplomatic and government entities as part of a series of phishing campaigns commencing on January 17, 2022.

Threat intelligence and incident response firm Mandiant attributed the attacks to a hacking group tracked as APT29 (aka Cozy Bear), with some set of the activities associated with the crew assigned the moniker Nobelium (aka UNC2452/2652).

"This latest wave of spear phishing showcases APT29's enduring interests in obtaining diplomatic and foreign policy information from governments around the world," the Mandiant said in a report published last week.

The initial access is said to have been aided through spear-phishing emails masquerading as administrative notices, using legitimate but compromised email addresses from other diplomatic entities.

These emails contain an HTML dropper attachment called ROOTSAW (aka EnvyScout) that, when opened, triggers an infection sequence that delivers and executes a downloader dubbed BEATDROP on a target system.

Written in C, BEATDROP is designed to retrieve next-stage malware from a remote command-and-control (C2) server. It achieves this by abusing Atlassian's Trello service to store victim information and fetch AES-encrypted shellcode payloads to be executed.

Also employed by APT29 is a tool named BOOMMIC (aka VaporRage) to establish a foothold within the environment, followed by escalating their privileges within the compromised network for lateral movement and extensive reconnaissance of hosts.

What's more, a subsequent operational shift observed in February 2022 saw the threat actor pivoting away from BEATDROP in favor of a C++-based loader referred to as BEACON, potentially reflecting the group's ability to periodically alter their TTPs to stay under the radar.

BEACON, programmed in C or C++, is part of the Cobalt Strike framework that facilitates arbitrary command execution, file transfer, and other backdoor functions such as capturing screenshots and keylogging.

The development follows the cybersecurity company's decision to merge the uncategorized cluster UNC2452 into APT29, while noting the highly sophisticated group's propensity for evolving and refining its technical tradecraft to obfuscate activity and limit its digital footprint to avoid detection.

Nobelium, notably, breached multiple enterprises by means of a supply chain attack in which the adversary accessed and tampered with SolarWinds source code, and used the vendor's legitimate software updates to spread the malware to customer systems.

"The consistent and steady advancement in TTPs speaks to its disciplined nature and commitment to stealthy operations and persistence," Mandiant said, characterizing APT29 as an "evolving, disciplined, and highly skilled threat actor that operates with a heightened level of operational security (OPSEC) for the purposes of intelligence collection."

The findings also coincide with a special report from Microsoft, which observed Nobelium attempting to breach IT firms serving government customers in NATO member states, using the access to siphon data from Western foreign policy organizations.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia

Your Microsoft computer comes with built-in safety software that shields you from the worst threats. Here's how to navigate your toolkit.

For many years, Windows users had to rely on a third-party security tool to keep viruses and malware at bay, but now Microsoft's operating system comes with its own package, in the form of Windows Security.

It's designed to run quietly and efficiently in the background, and you might not have even noticed it's there—but it's important to know how it's keeping your computer safe, and the various options it gives you.

While you can add extra security software to Windows if you want, Windows Security should keep you well protected from danger. You can open it from the Start menu or by clicking its icon in the notification area.

Finding Your Way Around

Windows Security gives you an overview of your system's status.

Microsoft via David Nield

Open the main Windows Security dashboard and you should see a grid of icons, all with reassuring green check marks next to them—if something needs your attention, these check marks will be replaced by yellow exclamation marks. You can click on any of the items on the grid, from **Virus & threat protection** to **Protection history**, to jump to the relevant section inside the app.

The navigation pane on the left gives you another way of jumping between the various parts of Windows Security: The **Home** option is the one to go back to if you need to return to the main dashboard. Choose **Account protection**, for example, for options relating to your Microsoft account and to the way you sign in to Windows on your computer (including face and fingerprint recognition, if available).

**Firewall & network protection** is where you can monitor the firewall put up around Windows, for devices on your local network and in terms of the wider internet. If you decide to install a third-party security package, Windows Security can monitor this too and make sure everything is working correctly—if no firewall is active, you'll see an on-screen warning.

Choose **Settings** from the left-hand navigation bar to customize various aspects of Windows Security: These are mainly around the notifications the program displays, and any third-party security software you've installed. You're also able to click **Protection history** here to see what Windows Security has been up to recently, whether that's virus scans or alerts about security problems.

Running Virus and Malware Scans

Windows Security runs scans in the background while you use your device.

Microsoft via David Nield

In terms of actively keeping your computer safe and protected from threats, the **Virus & threat protection** section of Windows Security is the place to visit. As with the rest of the software, most of the features here will run in the background, but it's good to be aware of what's available and what you can do if you spot anything suspicious.

Click **Quick scan** if you suspect your computer may have been compromised—if you've downloaded and launched an email attachment you shouldn't have, for example. Quick Scan will look out for the most obvious threats and malware on your system and shouldn't take long to complete. You'll be able to see the progress of the scan as it runs, and you can keep working on your computer while it's scanning.

Select **Scan options** to run other types of scans. There's a **Full scan** option, which is more comprehensive than a quick scan and can take over an hour to complete, while a **Custom scan** enables you to focus a scan on specific folders if you think you know where a particular threat might be located. Finally, you'll see an **Offline scan** option that takes around 15 minutes and can remove the most stubborn types of malware.

You don't need to worry about setting a schedule for running virus and malware scans because Windows Security will take care of all of this for you. Click **Manage settings** under **Virus & threat protection settings** to make sure the **Real-time protection** option is turned on: This ensures the program is actively working in the background to spot security threats before they can do any damage to your system.

Other Windows Security Features

Windows Security looks after device maintenance too.

Microsoft via David Nield

If you pick **App & browser control** from the navigation pane on the left of Windows Security, you can have the software scan any applications you download and install: Windows Security considers a variety of factors when assessing whether a program is allowed to run on your computer, and you can customize some of this functionality here.

Select **Device security** to get to some of the more advanced security settings for your system. If your computer supports technologies like secure boot (checking for threats as your system starts up) and a trusted platform module (making it very difficult to tamper with the data on your system), you'll see them here. There are no settings to work through, but you can see if the features are present and working properly.

Then there's the **Device performance & health** page, which shows how Windows Security goes beyond actual security. Here you can see reports on the internal storage and battery of the device you're running Windows on and access what Microsoft calls a **Fresh start** process—this resets a lot of the settings on your system without affecting any of your files or the applications you've installed.

The **Family options** screen will be useful if you've got youngsters using Windows: You can set parental controls covering everything from the times the device can be used to what sort of content can be accessed. This works in tandem with the Microsoft Family Safety tools that you can access through your browser and that can cover multiple devices using the same Microsoft account.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   The takedown of the web’s biggest child abuse site
*   Get ready for a decade of uranus jokes
*   How to use BeReal, the “unfiltered” social media app
*   Should all video games be replayable?
*   The fake agents case baffling US intelligence experts
*   👁️ Explore AI like never before with our new database
*   📱 Torn between the latest phones? Never fear—check out our iPhone buying guide and favorite Android phones

How to Use Windows Security to Keep Your PC Protected

Microsoft claims Ukraine has been hit with hundreds of cyberattacks from well-known state-backed Russian hacking groups.
The post Russia continues digital onslaught against Ukrainian systems appeared first on Malwarebytes Labs.

According to Microsoft, at least six Kremlin-backed hacking groups have been attacking Ukraine in the digital space in an onslaught that began before the invasion in late February. The company counted more than 237 cyberattack operations against Ukrainian systems and critical infrastructure.

These attacks involve destructive malware that “threaten civilian welfare”, accompanied by intelligence gathering and reconnaissance.

APT28 (aka FancyBear), DEV-0586, Energetic Bear (aka Dragonfly), Gamaredon, Nobelium, Sandworm, and Turla are the nation-state actors carrying out the attacks.

“Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians,” Microsoft said. The company gave several examples to illustrate this correlation: “While Russian forces besieged the city of Mariupol, Ukrainians began receiving an email from a Russian actor masquerading as a Mariupol resident, falsely accusing Ukraine’s government of ‘abandoning’ Ukrainian citizens.”

Russia was seen using various techniques in its attack to gain initial access. This includes phishing campaigns, vulnerability exploitation, and compromising upstream IT services. The country is also not shy about using wiper malware—destructive malware CISA (the Cybersecurity and Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation) highlighted in an updated alert initially released in late February.

HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper were deployed to Ukrainian networks in January 2022.

Microsoft believes that Russian cyberattacks will continue to escalate. Nation-state threat actors may also expand their destructive attacks outside Ukraine to retaliate against countries helping Ukraine or continuing to inflict punitive measures against Russia.

“We’ve observed Russian-aligned actors active in Ukraine show interest in or conduct operations against organizations in the Baltics and Turkey—all NATO member states actively providing political, humanitarian or military support to Ukraine.”

You can read more about Russian cyberattack activities against Ukraine in Microsoft’s Special Report: Ukraine.

Russia continues digital onslaught against Ukrainian systems

Plus: Trump backers breach election systems, Microsoft tracks Russia's war prep, a new Facebook leak reveals a mess, and Bored Ape Yacht Club gets hacked.

Surprising news abounded this week as Ukrainian officials weigh next steps in their digital campaigns against Russia, given that their efforts so far have been unexpectedly successful, if sometimes controversial. Overall, Russia is being pummeled with cyberattacks of all sorts at a scale beyond anything the country has dealt with before.

Meanwhile, new research indicates that a small group of North Koreans have taught themselves to jailbreak smartphones in an effort to bypass the regime's extensive digital restrictions and access forbidden media.

Elon Musk's bid this week to purchase Twitter highlighted a host of potential privacy and security concerns for the platform's users. The United States faced a notable spike in child sexual abuse sites in 2021 as CSAM hosting continued to increase dramatically around the world. Hollywood's fight against VPNs has gotten more heated as the entertainment industry expands its accusations about illegal activity enabled by the services. And Cloudflare recorded a historic DDoS attack that bombarded a cryptocurrency platform with 15.3 million requests.

If you feel like doing something for your own security or that of your business this weekend, we've got a roundup of all the most critical mainstream vulnerabilities from April that you can patch right now. 

And there's more. We’ve rounded up all the news that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

The Office of the Director of National Intelligence released its annual transparency report on Friday, which showed that the FBI conducted as many as 3.4 million warrantless searches of Americans’ data in 2021, including 1.9 million searches related to a Russian cyberattack. This is the first time ODNI has published a number for FBI searches utilizing the Foreign Intelligence Surveillance Act of 1978, or FISA. The law is meant to authorize investigative capabilities related to foreign threats, but it allows for some incidental domestic searches in the process. FISA activity has often been criticized for happening without public transparency.

In an in-depth analysis, Reuters looks at eight incidents around the country in which activists supportive of former President Donald Trump have attempted to breach or successfully compromised local voting systems as part of their quest to uncover evidence of manipulation in the 2020 US presidential election. In most cases, activists persuaded local election officials, all Republicans, to export and leak vote data. In the year and a half since Joe Biden became president, Trump loyalists have continued to falsely assert that voting machines across the US were compromised to produce Biden's win.

“These threats are being fueled by extreme elected officials and political insiders who are spreading the Big Lie”—that the 2020 vote was stolen—“to further suppress the vote, destabilize American elections, and undermine voter confidence,” Colorado Secretary of State Jena Griswold told Reuters in a statement.

In a report on Wednesday, Microsoft said it has found evidence that Russia began setting the stage for its invasion of Ukraine as early as March or April 2021. During that time, Russian state-backed hackers began establishing access points in Ukrainian government and critical infrastructure systems, researchers found. The attackers seem to have been collecting intelligence on the Ukrainian military, NATO member states, and diplomatic targets. In the report, Microsoft calls Russian aggression against Ukraine a “hybrid war” and says that Russian cyberattacks have been “relentless and destructive.” 

Microsoft reports that in early 2021, as Russian troops began to gather at the Ukrainian border, the Russian hacking group known as APT 29, Cozy Bear, and Nobelium began mounting phishing attacks to establish access. Microsoft says the Russian hacking group known as Ghostwriter was also active at this time, targeting Ukrainian military email accounts and networks with phishing attacks.

An internal Facebook document prepared last year and obtained by Motherboard lays out concerns from privacy engineers on the social network's Ad and Business Product team about the company's ability to account for the data it holds and track data as it moves through the service. The revelations are not necessarily surprising, given Facebook's sheer scale and recurrent data control issues, but they are significant as the tech giant works to comply with an increasing array of privacy legislations around the world. 

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation,” the document says.

A company spokesperson told Motherboard that the document “does not describe our extensive processes and controls to comply with privacy regulations” and that “this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations.”

Hackers compromised the Instagram account of NFT collection Bored Ape Yacht Club on Monday, posting a link to a copycat site that scammed visitors out of NFTs. The company said in a statement to WIRED that “Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m.” NFT scams and other cryptocurrency hustles in which attackers publish a malicious or misleading link to steal coins are unfortunately not new. The BAYC situation is particularly ominous, though, because the company says it had full two-factor authentication enabled on the Instagram account and that “the security practices surrounding the IG account were tight.” The group is investigating how the Instagram takeover occurred.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

FBI Conducted 3.4 Million Warrantless Searches of Americans' Data

A hardcoded cryptographic key in Automation360 22 allows an attacker to decrypt exported RPA packages.

**Born in the cloud. Built for the future of business. This is automation, unleashed.**

Automation 360 is a single, integrated platform that transcends front office and back office technology siloes to automate business processes across all systems and applications, including both SaaS and legacy apps.

 

A must read, one-of-its-kind, industry report

What are top-performing companies doing with RPA to achieve an astounding 380% ROI? Get the inside scoop in the latest Now & Next: State of RPA report.

**Leave no process or employee behind with end-to-end automation, powered by cloud**

Automation 360 has you covered at all angles in the virtuous cycle of hyperautomation

Double your automatable processes by turning every piece of structured and unstructured data in any document into a consumable digital asset through AI and ML with IQ Bot.

Learn about IQ Bot

Take an accurate pulse on every bot and critical insights on every process in real time to enable data-driven decisions and enhancements with Bot Insight.

Learn about Bot Insight

**Unify front and back office with ready-for-anything, access-from-anywhere, end-to-end automation**

Delight employees and customers alike with automation-powered superior experiences

Front Office

Raise your customer satisfaction score with automation that efficiently resolves customer issues and optimizes time spent with customers.

Learn More

Back Office

Turn complex manual processes using legacy systems into streamlined automations, reducing human error and speeding digital transformation.

Learn More

Employee Experience

Empower human ingenuity. Integrate automation into employees' day-to-day, freeing them from mundane tasks and increasing high-value productivity.

Learn More

**Reap the benefits of a modern platform**

Automate 2x more processes\* out of the gate—from simple to highly complex business processes

Increase security, agility, and innovation at 1/5 of the cost\* of infrastructure and maintenance of legacy on-premises and cloud-hosted solutions

Scale 3x faster\* compared to any other platform, with reduced setup, bot creation, and bot deployment time

\*IQ Bot’s pre-trained OOTB solutions for over 100 use cases of document extraction lead to 2x more process automation; AARI enables customers to automate 2x more processes than possible with only RPA  
\*1/5 cost: based only on estimated infrastructure and maintenance cost  
\*3X faster scaling: Based on estimated speeds of development, deployment and maintenance, compared with other RPA platforms  
Actual results will vary by customer deployment

**Solve your business challenges with Automation 360**

Entrenched legacy apps

Begin your automation journey without having to change your existing technology. Gain efficiencies from Automation 360 working across both modern and legacy software.

The need for cloud

Speed up modernization of your on-premises enterprise technologies to SaaS solutions by automating data migration with Automation 360 for fast and accurate results.

Employee experience

Improve the employee experience with digital assistants for every employee to automate swivel-chair tasks.

Customer experience

Increase customer satisfaction with shorter processing times, more accurate data, and better customer service and support.

**A complete 360-degree solution for every nuance**

Security & governance

Automation 360 is ISO27001 and Soc 1 & 2 certified, providing the most comprehensive, multi-layered approach to security including identity and access management, data encryption, audit logs and monitoring, cloud infrastructure security, incident response, and application security.

AI/Machine learning

With AI and machine learning built into the platform, Automation 360 is continuously improving. You can even integrate third-party AI capabilities into your processes with drag and drop ease.

Pre-built Bots

Accelerate and scale automation with prebuilt bots from Bot Store, including more than 1200 prebuilt bots, packages, and digital workers, directly integrated with Automation 360.

Rich partner ecosystem

The extensible, pluggable Automation 360 architecture can easily integrate with additional enterprise solutions offered by our technology partners.

**Leading companies trust Automation Anywhere**

RPA is one of the key tools we have in our toolkit which enables broader digitization of our internal processes.

**– Andrew Davies**, CFO 

RPA brought speed to our operations. The complex processes in treasury and tax are now more accurate and efficient.

**– Vikas Kapoor**, Senior Vice President, Finance 

Our corporate goal is to reach $22 billion of revenue by the year 2022. The only way to scale that much is to do things better. Automation is allowing us to do that.

**– Cynthia Holmecki**, Global Leader Intelligent Automation Solutions 

It just took 3 weeks for small and medium-sized processes to be automated. The heaviest processes took only 9 weeks. The results were delivered fast, giving us the opportunity to assess the fast pace.

**– Ravi Konda**, Sr. Manager, IT 

Combining RPA with cognitive automation and analytics gives us the foundation to transform how we serve customers.

**– Richard Mendoza**, Automation Capabilities Leader 

Bank leadership is excited because we recovered our investment with a 1300% ROI within the first year.

**– Jorge Ivan Otalvaro**, VP Service Delivery and Operations 

With the implementation of RPA for our billing portal, we’ve increased our efficiency and production, decreased processing costs, and scaled for the future.

**– Kevin Tucceri**, Business Process Owner, Credit & Collections 

Once we got a few groups on board with RPA, that was really a game changer for us. People started to see the results and the excitement was contagious.

**– Joe Cotnoir**, Director HRIS—Business Process Enablement, HR Services 

**...and users love us!**

**A+ CUSTOMER SUCCESS**

Maximize return on your automation investment with the most comprehensive customer success program

**Learning and community resources**

Our customers become part of the most comprehensive RPA support ecosystem. Get product education and training with Automation Anywhere University, connect with thousands of RPA practitioners in the A-People online community, and have access to 24/7 technical support.

Automation Anywhere University

Our intelligent automation platform comes with world-class training

Learn More

Community Edition

Instantly start your RPA journey with the FREE Community Edition

Get Started Now

A-People Community

Join the fastest-growing RPA network in the world

Join A-People

**Get started  
with Cloud RPA**

CVE-2022-29856: Cloud Automation | Automation Cloud   | Automation Anywhere

A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 version via "List of subjects".

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-41948: 1-click stored XSS from admin panel to site · Issue #8 · intelliants/subrion-plugin-contact_us

Exclusive Threatpost research examines organizations’ top cloud security concerns, attitudes towards zero-trust and DevSecOps.

Exclusive Threatpost research examines organizations’ top cloud security concerns, attitudes towards zero-trust and DevSecOps.

Over the past 15 years, the cloud has blown business into a new age of networking, for solid reasons: Small businesses can get online fast, using the same tools as the big companies; large companies can scale up and down to match demand; and organizations of all sizes can quickly react to business fluctuations in terms of allocating resources and onboarding applications.

Click to Expand

As well, of course, over the past few years, the pandemic has made cloud resources crucial when it comes to supporting remote workforces.

_\[**Editor’s Note:** This article was originally published in the free Threatpost eBook “Cloud Security: The Forecast for 2022.” In it we explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. Please download the FREE eBook for the full story\]_

However, the mad dash to set up shop in the cloud can sometimes lead to stormy weather: There are, after all, beaucoup security challenges hidden behind the cloud’s promise of blue skies. As Prevailion CTO Nate Warfield enumerates, cloud marketplaces “are rife with pre-built virtual machine (VM) images containing unpatched vulnerabilities, overly permissive firewall settings, and even malware and coin miners. Cloud providers don’t take a proactive stance towards breach and compromise monitoring and, in many cases, won’t even pass on notifications to their customers which they have received from external researchers.”

Click to Expand

In order to put some quantifiable numbers around how organizations are faring in their journeys to the cloud, Threatpost polled 400+ readers. Topics included what security dangers respondents have encountered, and which ones they most fear they’ll run into. We also asked what security tools they plan to implement in the coming months.

When asked how confident respondents are that their organization had implemented sufficient cloud security, the majority felt bullish (68 percent). Worryingly, almost a quarter (24 percent) said they had no confidence in their organization’s cloud security. Just 8 percent said they feel “highly” confident.

**Lions & Tigers & Shared**

Click to Expand

**Responsibility**

Warfield’s list of challenges is just the tip of the iceberg, according to the poll results. There are also data-privacy and regulatory issues; the basic challenges of implementing cloud, such as staff shortages; the threat of cyberattack and data exposure; and plain old confusion.

Not everyone is sure who’s responsible for what when it comes to the sharedresponsibility model for public cloud deployments. And, a recurring question is what zero-access architecture for access management entails.

Just over half said they have embraced the shared-responsibility model for public cloud deployments (59 percent), but a quarter said they “don’t really understand it” and 12 percent said they did not. When asked if they’ve implemented a zero-trust architecture for access management, 53 percent said, “not yet but plan to,” and 17 percent said it confused them. Just 23 percent said yes. Six percent said absolutely not.

The notion of “DevSecOps,” where security is built into an organization’s cloudnative application lifecycle management, has more support: 71 percent noted that they’ve either adopted the strategy or soon plan to; but a fifth (21 percent) said they didn’t fully grasp what it means.

Meanwhile, organizations perceive there to be a lot of security pitfalls in the cloud. In its poll, Threatpost asked about a number of them, from API vulnerabilities to stolen cloud credentials, and container bugs to a smorgasbord of malware, including ransomware and cryptomining malware.

**Security Pitfall No. 1: Misconfigurations**

The biggest number of respondents – 27 percent – cited misconfigurations and data exposure as the biggest threat to their cloud deployments.

Click to Expand

While many respondents reported that they’ve either experienced a cyberattack on their cloud assets in the past 12 months (18 percent) or that they aren’t exactly sure (2 percent), an even larger portion – 38 percent – reported having experienced a data-exposure incident due to misconfiguration.

Poll respondents’ takes on the issues confirm what’s been a constant over the past few years; namely, misconfigured cloud deployments have been, and continue to be, rampant. In a 2020 survey of 2,064 Google Cloud buckets by Comparitech, 6 percent of all Google Cloud buckets were estimated to be misconfigured and left open to the public internet, for anyone to access their highly sensitive content.

Respondents ranked their other most-worrying cloud security threats as account compromise and stolen cloud credentials, (20 percent); API vulnerabilities (13 percent); advanced attacks against cloud providers (11 percent); ransomware (9 percent); cyberespionage/data theft (6 percent); distributed denial of service (DDoS, 5 percent); other malware (3 percent); and cryptojacking (2 percent).

**How You’re Protecting the Cloud**

Fortunately, efforts to secure the cloud aren’t static. Nor are the technologies. When asked what security tools they’re planning on implementing in the next 12 months, poll respondents listed a host of technologies that will hopefully fill in whatever holes they have in their cybersecurity umbrellas.

For better or worse, multifactor authentication (MFA) on all accounts was cited as the top tool already in use by the most respondents, at 12 percent. It’s important however not to fall into a false sense of security: In January 2021, the feds warned that cloud attacks were bypassing weaker two-factor authentication, such as schemes that use a code sent to a mobile phone via SMS.

Click to Expand

In terms of the top security tools that poll respondents plan to invest in, encryption for data at rest and data in transit (cited by 11 percent) took the lead, followed by identity access management (11 percent) and the adoption of self-managed security controls offered by cloud providers (9 percent).

The top most-cited planned upgrade to cloud security in the poll was user-behavior analytics: i.e., the use of artificial intelligence and machine learning to analyze large datasets and identify patterns that signify security breaches. This can be used to spot anomalous behavior that may indicate data exfiltration or other malicious activity that might otherwise slip by security tools and personnel. In all, 9 percent of respondents said their organizations have behavior analytics in the works in the coming year.

Click to Expand

The next set of top cloud-security tools on the to-do list were cloudconfiguration monitoring tools (cited by 8 percent), a single console to manage security across multiple clouds (7.5 percent), and MFA on all accounts (7.5 percent). Next up were risk assessment and auditing (7.5 percent), policybased data loss prevention (DLP) (7 percent) and data activity monitoring (7 percent).

**What’s Gumming Up the Works**

Some security tools are in place, while more are being implemented. But all of this work to secure the cloud is, well, work, and it often requires more hands than are available. As noted earlier, respondents cited a lack of skilled staff as the biggest challenge when it comes to securing the cloud, (19 percent).

Indeed, the (ISC)²’s 2021 Cybersecurity Workforce Study found that there are 2.72 million open cybersecurity positions globally, and that the worldwide cybersecurity workforce needs to grow 65 percent to effectively defend organizations’ critical assets. Out of those, cloud management and cybersecurity ranked highest when it comes to the biggest talent gaps that companies need to fill.

The next biggest challenge facing organizations is a lack of visibility into what data is held within cloud applications, cited by 13 percent. That’s followed by insufficient identity and access management controls at 11 percent.

It’s clear that cloud security is increasingly top-of-mind at organizations, which have big plans for addressing it. But it’s a proverbial journey, not a sprint. As Prevailion’s Warfield noted, it’s crucial to take it seriously, and the time is now to start implementing controls.

“Cloud networking isn’t inherently insecure,” he said. “But as the world shifts to a cloud-centric and hybrid cloud environment, particularly for remote workforces, organizations need to recognize that their cloud-security strategy, policies, controls and processes must be as robust as in a classic onpremises environment.”

**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our_** **_FREE downloadable eBook_****_, “Cloud Security: The Forecast for 2022.”_** **_We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**

Security Turbulence in the Cloud: Survey Says…

At least six different Russia-aligned actors launched no less than 237 cyberattacks against Ukraine from February 23 to April 8, including 38 discrete destructive attacks that irrevocably destroyed files in hundreds of systems across dozens of organizations in the country.
"Collectively, the cyber and kinetic actions work to disrupt or degrade Ukrainian government and military functions and

At least six different Russia-aligned actors launched no less than 237 cyberattacks against Ukraine from February 23 to April 8, including 38 discrete destructive attacks that irrevocably destroyed files in hundreds of systems across dozens of organizations in the country.

"Collectively, the cyber and kinetic actions work to disrupt or degrade Ukrainian government and military functions and undermine the public's trust in those same institutions," the company's Digital Security Unit (DSU) said in a special report.

The major malware families that have been leveraged for destructive activity as part of Russia's relentless digital assaults include: WhisperGate, HermeticWiper (FoxBlade aka KillDisk), HermeticRansom (SonicVote), IssacWiper (Lasainraw), CaddyWiper, DesertBlade, DoubleZero (FiberLake), and Industroyer2.

WhisperGate, HermeticWiper, IssacWiper, and CaddyWiper are all data wipers designed to overwrite data and render machines unbootable, while DoubleZero is a .NET malware capable of data deletion. DesertBlade, also a data wiper, is said to have been launched against an unnamed broadcasting company in Ukraine on March 1.

SonicVote, on the other hand, is a file encryptor detected in conjunction with HermeticWiper to disguise the intrusions as a ransomware attack, while Industroyer2 specifically targets operational technology to sabotage critical industrial production and processes.

Microsoft attributed HermeticWiper, CaddyWiper, and Industroyer2 with moderate confidence to a Russian state-sponsored actor named Sandworm (aka Iridium). The WhisperGate attacks have been tied to a previously unknown cluster dubbed DEV-0586, which is believed to be affiliated to Russia's GRU military intelligence.

32% of the total 38 destructive attacks are estimated to have singled out Ukrainian government organizations at the national, regional and city levels, with over 40% of the attacks aimed at organizations in critical infrastructure sectors in the nations.

In addition, Microsoft said it observed Nobelium, the threat actor blamed for the 2020 SolarWinds supply chain attack, attempting to breach IT firms serving government customers in NATO member states, using the access to siphon data from Western foreign policy organizations.

Other malicious attacks involve phishing campaigns targeting military entities (Fancy Bear aka Strontium) and government officials (Primitive Bear aka Actinium) as well as data theft (Energetic Bear aka Bromine) and reconnaissance (Venomous Bear aka Krypton) operations.

"Russia's use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians," Tom Burt, corporate vice president of customer security and trust, said.

"Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. It's likely the attacks we've observed are only a fraction of activity targeting Ukraine."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Documents Over 200 Cyberattacks by Russia Against Ukraine

Even the head of the country's online offensive is surprised by the successes—although they’re not without controversy.

When Russian president Vladimir Putin launched his full invasion of Ukraine in February, the world expected Moscow’s cyber and information operations to pummel the country alongside air strikes and shelling. Two months on, however, Kyiv has not only managed to keep the country online amidst a deluge of hacking attempts, but it has brought the fight back to Russia.

Even Ukrainian officials are surprised by how ineffective Russia’s digital war has been.

“I think that the root cause of this is the difference between our systems,” says Mykhailo Fedorov, Ukraine’s 31-year-old minister for digital transformation. “Because the Russian system is centralized. It's monopolized. And it leads to the scale of corruption and graft that is becoming increasingly apparent as the war continues.”

Speaking to WIRED from near Kyiv, Fedorov says his country has been preparing for this moment since Russia first invaded in 2014. “We have had eight years,” he says.

In recent weeks, Fedorov and the Ukrainian government have deployed the controversial face recognition program ClearviewAI to identify killed and captured Russian soldiers. They have deployed thousands of Elon Musk’s Starlink terminals to keep the country connected, even amid Russian bombardment. They have crowdsourced intelligence collection, letting ordinary Ukrainians report troop movements. And, perhaps most critically, they have beaten back aggressive attempts to knock offline their internet, energy, and financial systems.

Fedorov, who also serves as deputy prime minister, ran Ukrainian president Volodmyr Zelensky’s wildly successful election campaign in 2019, winning by nearly 50 points in the second round against incumbent Petro Poroshenko. He did so, in part, by leveraging authentic selfie videos to market the former comedian as an unconventional politician who eschews the normal trappings of politics. It’s exactly that style of video that Zelensky has uploaded regularly from the streets of Kyiv in recent weeks, offering a stark contrast with Putin’s stiff proclamations inside his palatial offices.

Ukraine has brought the war home to Russia in more cutting ways. In March, Reuters reported that Ukraine had purchased face recognition software from American company Clearview AI to identify the bodies of Russian soldiers killed in action—Kyiv later acknowledged that they were using this information to contact the families of the dead soldiers.

“We are pursuing two goals here,” Fedorov says. “First is: We are notifying their relatives, and telling them, basically, that it's not a very good idea to go to war with Ukraine. So that serves as a cautionary tale. And secondly, it's a humanitarian purpose—just telling them where their relatives, or friends, or children are so that they don't try to get this information from the Russian authorities. Because, more often than not, they can't.”

That decision hasn’t come without criticism. Contacting the families of soldiers killed in battle could be seen as harassment. Others have pointed out that being deployed in Ukraine is a PR coup for ClearviewAI, which has been embroiled in scandal over its liberal use by police forces across North America.

Fedorov, for his part, says Russia “can spin this whatever way they want. But the fact of the matter is, there are tens of thousands of Russians dying in Ukraine, and we are just providing this information to their families because that serves, among other things, a humanitarian purpose.”

There is a propaganda element to Kyiv’s use of face recognition technology as well.

“This facial recognition plays to our, let's say, to our advantage in the information space,” Fedorov says. Moscow has projected the image of a professional and volunteer fighting force. “We're trying to say that, for example, Russia is sending conscripts … we are proving that and justifying that with a lot of factual information. We can give you a list of hundreds of people who are 18 and 19 years old, with their names and with their birth dates and how and where specifically, they were conscripted. So that gives some substance to our claims.”

Fedorov says the utility goes beyond just identifying the dead.

“One interesting case study of how we used Clearview AI,” Fedorov says. “There was a man who was found in a Ukrainian hospital, claiming that he was a Ukrainian soldier who suffered from shell shock or some kind of trauma and that he forgot everything. And he was claiming that he was Ukrainian. So the doctor sent the picture to us, and we were able to ID him in a matter of minutes. We found his social network profile, and we established that he was Russian and, of course, he was brought to responsibility.”

Ukrainian officials have said that the frequency of Russian cyberattacks tripled immediately prior to the war, and they have aggressively targeted critical infrastructure since the war began.

But Viktor Zhora, deputy head of Ukraine's State Service of Special Communications and Information Protection, says Moscow may have maxed out its ability to launch attacks. “Russian cyber operations likely reached their full potential," he says.

Zhora told WIRED that years of training, exercises, and cooperation with NATO have made Ukraine far more resilient to cyberattacks. Some attacks are easier to defend against than others—as we spoke, Zhora said he was monitoring an active attack on the state administration of Lviv, which had been publicly announced by Russia hours earlier.

But Zhora stresses that while it is wrong to overestimate how powerful Russia’s cyber capabilities are, it would also be wrong to underestimate its more “sophisticated” operations. “We should continue to observe their potential, like Sandworm, like a Fancy Bear, like Gamaredon, many other groups that are still active, and still very dangerous,” he says, referring to a number of Russian government hacker groups.

Brandon Valeriano, a senior fellow at the Cato Institute who specializes in cyber operations, says offensive cyber operations don’t mesh well with traditional, kinetic warfare. At best, he says, “they’re enabling, they’re complimentary … they don’t transform it.”

Valeriano points to a slowdown in the tempo of Russian-backed cyberattacks targeting the United States as evidence that Moscow’s capacity isn’t as expansive as some have assessed. “They’re not organized for offensive cyber operations in the way that we think they are,” he says.

Kyiv’s ability to beat back against those operations, Valeriano says, can be attributed to “intense collaboration between Ukraine, Western powers, and NATO.” Indeed, Five Eyes signals intelligence agencies have both been providing training and support for Ukraine’s cyber defense and have been sharing threat intelligence. (Zhora stresses that information-sharing is a “two-way road.”)

Ukraine has been able to defend itself, both in cyberspace and in an outright propaganda war, because it has managed to stay online. For that, Fedorov credits a decentralized network of internet service providers and Elon Musk.

“It wouldn't be possible to restore 10 km of cable connection between villages in Chernigiv region after serious battles so quick,” he tweeted earlier this month. “Normally it takes few months.” But with one Starlink satellite, he says, five villages were reconnected in a matter of days.

“We have received over 10,000 Starlink terminals to date, and we use those where we have blind spots with, let's say, more traditional coverage,” Fedorov says. “So we are trying very hard to restore and protect our landline and mobile connections.”

Like any physical infrastructure, those Starlink terminals—which have even managed to keep the embattled city of Mariupol online—have been vulnerable to Russian shelling. Zhora says Russia has managed to hit some of those terminals but has not managed to target the system as a whole. “I suppose that it was coincidence that some shells hit these terminals and locations,” Zhora says. “It's not easy to identify and to attack them systematically.”

Keeping Ukrainians online is a clear strategic objective for Ukraine. Photo and video evidence of the brutality being doled out by the Russian army has galvanized Western support for Kyiv and led to an unprecedented level of support from NATO to help the country defend itself.

It’s also letting regular Ukrainians contribute to the collective defense.

During Zelensky’s presidential campaign, Fedorov made particular use of the messaging app Telegram, which is also popular with Russian intelligence operatives. In recent weeks, the app has been leveraged to collect evidence of possible war crimes in towns like Bucha, but also to enable Ukrainians to upload details of Russian troop movements. A Telegram bot collects photos and videos of Russian military movements, verifying Ukrainians through their digital ID,: a project spearheaded by Fedorov.

“Regular internet users—so, basically, civilians—they can go and post photos of what's happening in Ukraine,” Fedorov says.

The Ukrainian security ministry said in a tweet in March that those crowdsourced reports have directly contributed to drone strikes against Russian tanks.

“There are actually very many ways that regular citizens can contribute to the effort,” Fedorov says. One particularly “successful vector,” he says, is basically trolling. His government has been sending users “into the comment sections of posts by some very high traffic Russian influencers and just trying to talk sense into people and telling them that there's actually a war in Ukraine.”

Fedorov is also responsible for Ukraine’s IT Army, a network of cyber activists and hackers who have targeted Russian systems. In recent weeks, they have dumped huge troves of personal information from large Russian corporations.

Russia’s poor information security has also been a significant factor in their fumbled invasion.

A huge number of technology providers, from cybersecurity firms to cloud hosting services, have pulled out of Russia since the start of the war—either due to sanctions or to a concerted push from Fedorov and others in the Ukrainian government. “If the world were able to stop the delivery of these products to Russia, we see that they will have no infrastructure even to organize attacks,” Zhora says.

Russia’s attempts to knock out mobile and internet connections in Ukraine have mired their own communications. Their encrypted radio platform, Era, has been unreliable, leading Russian soldiers to opt for unencrypted platforms. Numerous outlets have reported details of conversations between Russians troops, their commanders, and their families—some even admitting to possible war crimes over unencrypted channels.

While Fedorov’s reform mission has played a large role in modernizing Ukraine, support from the West has certainly helped. SpaceX and the United States have sent some 5,000 Starlink terminals. Fedorov says the European Union has provided some 10 million euros toward computer systems and workstations.

Asked what Ukraine needs as the war wears into its third month, Fedorov mentions satellite equipment, including more Starlink terminals, as well as laptops, tablets, and other tools “to put our civilian infrastructure back online.” He also jokes: “Let's say that the most surefire way to keep us online for a very long time to come is to provide us with artillery, tanks, and warplanes—because that will effectively end the war. And that will remove the problem altogether.”

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Ukraine’s Digital Battle With Russia Isn’t Going as Expected

The AI startup releases new threat signatures to expand the computer vision platform’s ability to identify potential physical security incidents from camera feeds.

A comprehensive cybersecurity strategy should include physical security. Adversaries don't need to worry about compromising a corporate device or breaching the network if they can just walk into the office and connect directly into the network.

CISOs are increasingly including physical security as part of their strategic investments, says Stephanie McReynolds, head of marketing at Ambient.ai. Organizations are spending a lot of money and effort to lock down cybersecurity, but all of those security controls are useless if the adversary can just enter a restricted space and leave with equipment.

"The last mile of cybersecurity is physical location," McReynolds says.

Ambient.ai uses computer vision technology to solve physical security problems, such as monitoring who is entering the building or a restricted area and monitoring all the video feeds coming from the camera network. Computer vision is a subcategory of artificial intelligence dealing with how computers can process images and videos and derive an understanding of what they are seeing. The idea behind computer vision is to provide computers with eyes to see the same things humans see, and training the algorithm to think about what the eyes saw.

In the case of Ambient.ai, the company's computer vision intelligence platform serves as "the brain" behind physical access control systems, such as security cameras and physical sensors (such as door locks and entry pads). This week, the company expanded the catalog of behaviors the computer vision platform can recognize with 25 threat signatures.

**Computers Help Humans See**  
Traditionally, physical security involves staff in the security center monitoring alerts from the sensors and watching video feeds to try to detect when something untoward is happening. They may receive alerts that a door is open, or that a person swiped the access card to get into the building after-hours. There might be camera footage of someone loitering for quite some time in the building lobby, or a person entering a restricted area carrying an unauthorized laptop. Humans are expected to detect and respond to security incidents, but between fatigue and too much information to process, things can get missed.

"One individual is trying to watch 50 camera feeds at once. This doesn't work," McReynolds notes.

There have been three waves in computer vision, McReynolds says. The first wave was basic detection — that there was an object there, but no insight into what it was. The second wave added recognition, so it knew what it was looking at, such as whether it was a person or a dog. But it was a limited form of recognition, and there was a lot that was still unknown about the object it was looking at. The third wave, the current one, takes in context clues from the broader scene to understand what is happening. Just as a human would look at details around the object to understand what is happening, such as whether the person is sitting or if the person is outside, computer vision technology is now capable of collecting those details.

Ambient.ai breaks down the image or video into "primitives" — which refers to components such as interactions, locations, and objects seen — and constructs a signature to understand what is happening. A signature may be something like a person standing in the lobby for a long time not interacting with anyone, for example.

The new threat signatures expand the platform's ability to catalog over 100 behaviors, McReynolds says.

**Recognizing What Is an Incident**  
The Ambient.ai Context Graph assesses three risk factors to determine next steps: the context of the location, the movements that create behavior signatures, and the type of objects interacting in a scene. Based on these factors, the platform can dispatch security personnel to handle the incident, validate risks, or trigger proactive alerts. With the Context Graph, analysts can also tell which alerts are not security incidents, such as a door that didn't latch properly, and close the ones that don't require any action.

"A person holding a knife running in the kitchen isn't a security incident," McReynolds says. "A person holding a knife running in the lobby, on the other hand, is a security incident."

VMware, an Ambient.ai customer, claims that 93% of its alerts each year were false positives. By integrating Ambient.ai's platform with its physical access control systems, VMware's security teams didn't have to deal with those alerts and were able to focus their attention on dealing with the remaining 7% of alerts to stop security incidents on its campus.

McReynolds described a potential workplace violence scenario, where a former employee tried to use their badge to enter the building. The invalid badge in and of itself is not a security threat, but paired with security footage of the former employees sitting in the lobby and not interacting with anyone, there are enough reasons to be concerned. The alert would then be prioritized to send a guard to approach the individual.

"Sometimes it takes just a conversation and the person will stand down," McReynolds says.

All that is accomplished without resorting to facial recognition, which brings a host of privacy implications. Ambient.ai uses machine learning, pattern-matching, and computer vision to make decisions about what is important.

**Computer Vision in Security**  
Computer vision technology is useful in several security contexts because it can be used to detect manipulations that are less visible to the human eye, says Fernando Montenegro, senior principal analyst at Omdia. For example, the technology can be used to identify spoofed logos and websites used in account takeovers and ecommerce fraud. Another interesting use case is to represent binary samples as images, and then using imaging classification techniques to classify them as malicious or not, he says.

One aspect of computer vision is the capability to analyze "datasets that are not originally 'images' themselves, but can be encoded as such," Montenegro says.

Humans have the capacity to say something doesn't look right, even if they can't specifically point to something that is wrong, says Gunter Ollmann, CSO of Devo. An intriguing application of computer vision research is to train the algorithm to be able to detect something is wrong because of the way it looks, he says. By turning source code into an image, the machine can analyze the structure and other patterns to detect potential issues without having to analyze the code line by line. This kind of analysis can be used for malware analysis, by color-coding different categories of function and analyzing the image to get an understanding of what the application is doing.

There are several computer vision startups tackling cybersecurity issues. Hummingbirds AI uses facial biometrics to authenticate users and grant access to the device. When the computer "sees" a person who is not authorized that is close to the screen, the tool blocks access. Pixm relies on computer vision to identify and stop spear-phishing attacks. The platform runs in the browser window and is available from the moment the user clicks on a link until the campaign is disrupted.

"We are now in an exciting era where \[the machine\] can collaborate with the human," Ambient.ai's McReynolds says, regarding advancements in computer vision.

Tag

#intel