Red Hat Security Advisory 2023-6247-01 - An update for.NET 7.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6247.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: .NET 7.0 security updateAdvisory ID:        RHSA-2023:6247-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6247Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-36799====================================================================Summary: An update for .NET 7.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The CVE-2023-36799 was previously fixed in .NET 7.0 packages in Red Hat Enterprise Linux 8 via erratum RHSA-2023:5145, which updated .NET to SDK 7.0.111 and Runtime 7.0.11. However, the fix was not included in the upstream SDK 7.0.112 and Runtime 7.0.12, which was added to Red Hat Enterprise Linux 8 via erratum RHSA-2023:5709, introducing a security regression. This erratum re-adds the fix for CVE-2023-36799 to .NET 7.0 packages.For more details about the regression, refer to the upstream release notes linked to the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.113 and .NET Runtime 7.0.13.Security Fix(es):* dotnet: Denial of Service with Client Certificates using .NET Kestrel (CVE-2023-36799)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-36799References:https://access.redhat.com/security/updates/classification/#moderatehttps://support.microsoft.com/en-gb/topic/-net-7-0-update-october-24-2023-kb5032875-1c20c4da-3b7e-414f-b7e7-5947358c33d9https://access.redhat.com/errata/RHSA-2023:5145

Red Hat Security Advisory 2023-6247-01

Red Hat Security Advisory 2023-6246-02 - An update for.NET 7.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6246.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: .NET 7.0 security updateAdvisory ID:        RHSA-2023:6246-02Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6246Issue date:         2023-11-02Revision:           02CVE Names:          CVE-2023-36799====================================================================Summary: An update for .NET 7.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The CVE-2023-36799 was previously fixed in .NET 7.0 packages in Red Hat Enterprise Linux 9 via erratum RHSA-2023:5146, which updated .NET to SDK 7.0.111 and Runtime 7.0.11. However, the fix was not included in the upstream SDK 7.0.112 and Runtime 7.0.12, which was added to Red Hat Enterprise Linux 9 via erratum RHSA-2023:5749, introducing a security regression. This erratum re-adds the fix for CVE-2023-36799 to .NET 7.0 packages.For more details about the regression, refer to the upstream release notes linked to the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.113 and .NET Runtime 7.0.13.Security Fix(es):* dotnet: Denial of Service with Client Certificates using .NET Kestrel (CVE-2023-36799)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-36799References:https://access.redhat.com/security/updates/classification/#moderatehttps://support.microsoft.com/en-gb/topic/-net-7-0-update-october-24-2023-kb5032875-1c20c4da-3b7e-414f-b7e7-5947358c33d9https://access.redhat.com/errata/RHSA-2023:5146

Red Hat Security Advisory 2023-6246-02

Red Hat Security Advisory 2023-6245-01 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6245.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: .NET 6.0 security updateAdvisory ID:        RHSA-2023:6245-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6245Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-36799====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The CVE-2023-36799 was previously fixed in .NET 6.0 packages in Red Hat Enterprise Linux 8 via erratum RHSA-2023:5144, which updated .NET to SDK 6.0.122 and Runtime 6.0.22. However, the fix was not included in the upstream SDK 6.0.123 and Runtime 6.0.23, which was added to Red Hat Enterprise Linux 8 via erratum RHSA-2023:5710, introducing a security regression. This erratum re-adds the fix for CVE-2023-36799 to .NET 6.0 packages.For more details about the regression, refer to the upstream release notes linked to the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.124 and .NET Runtime 6.0.24.Security Fix(es):* dotnet: Denial of Service with Client Certificates using .NET Kestrel (CVE-2023-36799)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-36799References:https://access.redhat.com/security/updates/classification/#moderatehttps://support.microsoft.com/en-gb/topic/-net-6-0-update-october-24-2023-kb5032874-c7206ee0-8768-496c-a122-eac43b8b85c9https://access.redhat.com/errata/RHSA-2023:5144

Red Hat Security Advisory 2023-6245-01

Red Hat Security Advisory 2023-6242-01 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6242.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: .NET 6.0 security updateAdvisory ID:        RHSA-2023:6242-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6242Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-36799====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The CVE-2023-36799 was previously fixed in .NET 6.0 packages in Red Hat Enterprise Linux 9 via erratum RHSA-2023:5143, which updated .NET to SDK 6.0.122 and Runtime 6.0.22. However, the fix was not included in the upstream SDK 6.0.123 and Runtime 6.0.23, which was added to Red Hat Enterprise Linux 9 via erratum RHSA-2023:5708, introducing a security regression. This erratum re-adds the fix for CVE-2023-36799 to .NET 6.0 packages.For more details about the regression, refer to the upstream release notes linked to the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.124 and .NET Runtime 6.0.24.Security Fix(es):* dotnet: Denial of Service with Client Certificates using .NET Kestrel (CVE-2023-36799)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-36799References:https://access.redhat.com/security/updates/classification/#moderatehttps://support.microsoft.com/en-gb/topic/-net-6-0-update-october-24-2023-kb5032874-c7206ee0-8768-496c-a122-eac43b8b85c9https://access.redhat.com/errata/RHSA-2023:5143

Red Hat Security Advisory 2023-6242-01

Cybersecurity researchers have discovered what they say is malicious cyber activity orchestrated by two prominent Chinese nation-state hacking groups targeting 24 Cambodian government organizations.
"This activity is believed to be part of a long-term espionage campaign," Palo Alto Networks Unit 42 researchers said in a report last week.
"The observed activity aligns with geopolitical goals of

National Security / Cyber Attack

Cybersecurity researchers have discovered what they say is malicious cyber activity orchestrated by two prominent Chinese nation-state hacking groups targeting 24 Cambodian government organizations.

"This activity is believed to be part of a long-term espionage campaign," Palo Alto Networks Unit 42 researchers said in a report last week.

"The observed activity aligns with geopolitical goals of the Chinese government as it seeks to leverage their strong relations with Cambodia to project their power and expand their naval operations in the region."

Targeted organizations include defense, election oversight, human rights, national treasury and finance, commerce, politics, natural resources, and telecommunications.

The assessment stems from the persistent nature of inbound network connections originating from these entities to a China-linked adversarial infrastructure that masquerades as cloud backup and storage services over a "period of several months."

Some of the command-and-control (C2) domain names are listed below -

*   api.infinitycloud\[.\]info
*   connect.infinitycloud\[.\]info
*   connect.infinitybackup\[.\]net
*   file.wonderbackup\[.\]com
*   login.wonderbackup\[.\]com
*   update.wonderbackup\[.\]com

The tactic is likely an attempt on the part of the attackers to fly under the radar and blend in with legitimate network traffic.

What's more, the links to China are based on the fact that the threat actor's activity has been observed primarily during regular business hours in China, with a drop recorded in late September and early October 2023, coinciding with the Golden Week national holidays, before resuming to regular levels on October 9.

China-nexus hacking groups such as Emissary Panda, Gelsemium, Granite Typhoon, Mustang Panda, RedHotel, ToddyCat, and UNC4191 have launched an array of espionage campaigns targeting public- and private sectors across Asia in recent months.

Last month, Elastic Security Labs detailed an intrusion set codenamed REF5961 that was found leveraging custom backdoors such as EAGERBEE, RUDEBIRD, DOWNTOWN, and BLOODALCHEMY in its attacks directed against the Association of Southeast Asian Nations (ASEAN) countries.

The malware families "were discovered to be co-residents with a previously reported intrusion set, REF2924," the latter of which is assessed to be a China-aligned group owing to its use of ShadowPad and tactical overlaps with Winnti and ChamelGang.

The disclosures also follow a report from Recorded Future highlighting the shift in Chinese cyber espionage activity, describing it as more mature and coordinated, and with a strong focus on exploiting known and zero-day flaws in public-facing email servers, security, and network appliances.

Since the beginning of 2021, Chinese state-sponsored groups have been attributed to the exploitation of 23 zero-day vulnerabilities, including those identified in Microsoft Exchange Server, Solarwinds Serv-U, Sophos Firewall, Fortinet FortiOS, Barracuda Email Security Gateway, and Atlassian Confluence Data Center and Server.

The state-sponsored cyber operations have evolved "from broad intellectual property theft to a more targeted approach supporting specific strategic, economic, and geopolitical goals, such as those related to the Belt and Road Initiative and critical technologies," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Launch Covert Espionage Attacks on 24 Cambodian Organizations

Malaysian law enforcement authorities have announced the takedown of a phishing-as-a-service (PhaaS) operation called BulletProofLink.
The Royal Malaysian Police said the effort, which was carried out with assistance from the Australian Federal Police (AFP) and the U.S. Federal Bureau of Investigation (FBI) on November 6, 2023, was based on information that the threat actors behind the platform

Malaysian law enforcement authorities have announced the takedown of a phishing-as-a-service (PhaaS) operation called **BulletProofLink**.

The Royal Malaysian Police said the effort, which was carried out with assistance from the Australian Federal Police (AFP) and the U.S. Federal Bureau of Investigation (FBI) on November 6, 2023, was based on information that the threat actors behind the platform were based out of the country.

To that end, eight individuals aged between 29 and 56, including the syndicate's mastermind, have been arrested across different locations in Sabah, Selangor, Perak, and Kuala Lumpur, New Straits Times reported.

Along with the arrests, authorities confiscated servers, computers, jewelry, vehicles, and cryptocurrency wallets containing approximately $213,000.

BulletProofLink, also called BulletProftLink, is known for offering ready-to-use phishing templates on a subscription basis to other actors for conducting credential harvesting campaigns. These templates mimic the login pages of well-known services like American Express, Bank of America, DHL, Microsoft, and Naver.

According to an analysis from Microsoft in September 2021, BulletProofLink actors also engaged in what's called double theft wherein the stolen credentials are sent to both their customers and the core developers, resulting in additional monetization avenues.

"BulletProftLink is associated with the threat actor AnthraxBP who also went by the online nicknames TheGreenMY and AnthraxLinkers," cybersecurity firm Intel 471 said last week.

"The actor maintained an active website advertising phishing services. The actor has an extensive underground footprint and operated on a number of clear web underground forums and Telegram channels using multiple handles."

Believed to be active since at least 2015, BulletProftLink's online storefront is estimated to have no less than 8,138 active clients and 327 phishing pages templates as of April 2023.

Another noteworthy feature is its integration of the Evilginx2 to facilitate adversary-in-the-middle (AiTM) attacks that make it possible for threat actors to steal session cookies and bypass multi-factor authentication protections.

"PhaaS schemes like BulletProftLink provide the fuel for further attacks," Intel 471 said. "Stolen login credentials are one of the primary ways that malicious hackers gain access to organizations."

In a sign that threat actors are constantly updating tactics in response to disruptions and taking more sophisticated approaches, AiTM attacks have also been observed employing intermediary links to documents hosted on file-sharing solutions like DRACOON that contain the URLs to adversary-controlled infrastructure.

"This new method can bypass email security mitigations since the initial link appears to be from a legitimate source and no files are delivered to the victim's endpoint as the hosted document containing the link can be interacted with via the file-sharing server within the browser," Trend Micro said.

The development comes as a 33-year-old Serbian and Croatian national, Milomir Desnica, pleaded guilty in the U.S. to operating a drug trafficking platform called Monopoly Market on the dark web and for conspiring to distribute over 30 kilograms of methamphetamine to U.S. customers.

The illicit marketplace, which was set up by Desnica in 2019, was taken offline in December 2021 as part of a coordinated exercise in partnership with Germany and Finland. Desnica was arrested in Austria in November 2022 and extradited to the U.S. to face drug trafficking charges in June 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Major Phishing-as-a-Service Syndicate 'BulletProofLink' Dismantled by Malaysian Authorities

By Owais Sultan
In the ever-evolving landscape of financial markets, the US Tech 100 Index, represented by the Nasdaq 100, emerges…
This is a post from HackRead.com Read the original post: Navigating Interconnections: Correlations Between the US Tech 100 Index and Major Indices

In the ever-evolving landscape of financial markets, the US Tech 100 Index, represented by the **Nasdaq 100**, emerges as a guiding star for investors seeking exposure to the dynamic technology sector. Yet, to truly harness the potential of this index, one must unravel the intricate web of correlations it shares with other major indices, particularly the S&P 500 and the Dow Jones Industrial Average (DJIA). 

****The Dance of Titans: Nasdaq 100 and S&P 500****

At the heart of this financial ballet lies the dance between the Nasdaq 100 and the S&P 500, two giants that sway to market trends. The correlation between these indices is palpable, a result of shared constituents that bridge the worlds of technology and diverse sectors. Companies like Apple, Microsoft, and Amazon, pivotal players in the Nasdaq 100, also wield influence in the S&P 500, creating a synchronized ebb and flow in their movements.

Historical market data unveils a narrative of tandem strides during pivotal moments. Whether it be the exuberance of bull markets or the caution of bear markets, the **US Tech 100** and S&P 500 often move harmoniously, echoing sentiments reverberating across the broader market landscape. This interconnectedness underscores the need for strategic portfolio construction, as high correlations between these indices demand a nuanced approach to diversification.

****Harmony and Discord: Nasdaq 100 and DJIA****

Yet, as we get deeper into the financial symphony, we encounter a more complex melody in the relationship between the Nasdaq 100 and the DJIA. With its 30 blue-chip constituents, the Dow brings a different timbre to the ensemble. Its diversified composition, spanning various sectors, introduces nuances to the correlation game.

During economic expansions, the Nasdaq 100 may take center stage, propelled by the **surging performance of technology stocks**. However, with its broader representation, the DJIA might follow a different rhythm, reflecting a more measured response to economic cycles. The result is a correlation that dances to a subtler tune, highlighting the interplay of diverse market forces.

****Strategies in the Symphony: Navigating Correlations****

In this financial symphony, traders and investors become conductors, orchestrating strategies that leverage the interconnections between indices. Portfolio diversification becomes an art, with an awareness that high correlations between the Nasdaq 100 and S&P 500 necessitate a thoughtful selection of assets to achieve true diversification.

Strategic diversification emerges as a key motif. By introducing assets with lower correlations, such as commodities or international equities, investors can fine-tune their portfolios to harmonize with the dynamic rhythms of the market. It’s a strategic dance, adapting to the ever-changing correlations that define the contemporary financial landscape.

Yet, in this intricate ballet, the one constant is change. Economic variables, global events, and the individual movements of stocks all play their part in reshaping correlations. Traders and investors must remain vigilant, adapting their strategies to the evolving dynamics of the market.

1.  The 10 Best Cybersecurity Companies in the UK
2.  Dow Jones’ screening watchlist data exposed online
3.  10 Top DDoS Attack Protection and Mitigation Companies in 2023
4.  Can ordinary companies keep up with data compliance regulations?
5.  3 of 5 Fortune 500 companies vulnerable due to ManageEngine flaws

Navigating Interconnections: Correlations Between the US Tech 100 Index and Major Indices

A sub-cluster within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns.
Microsoft attributed the activity to a threat actor it calls Sapphire Sleet, describing it as a "shift in the persistent actor's tactics."
Sapphire Sleet, also called APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a

Threat Intelligence / Cybercrime

A sub-cluster within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns.

Microsoft attributed the activity to a threat actor it calls **Sapphire Sleet**, describing it as a "shift in the persistent actor's tactics."

Sapphire Sleet, also called APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a track record of orchestrating cryptocurrency theft via social engineering.

Earlier this week, Jamf Threat Labs implicated the threat actor to a new macOS malware family called ObjCShellz that's assessed to be a late-stage payload delivered in connection with another macOS malware known as RustBucket.

"Sapphire Sleet typically finds targets on platforms like LinkedIn and uses lures related to skills assessment," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).

"The threat actor then moves successful communications with targets to other platforms."

The tech giant said past campaigns mounted by the hacking crew involved sending malicious attachments directly or embedding links to pages hosted on legitimate websites like GitHub.

However, the swift detection and deletion of these payloads may have forced Sapphire Sleet to flesh out its own network of websites for malware distribution.

"Several malicious domains and subdomains host these websites, which entice recruiters to register for an account," the company added. "The websites are password-protected to impede analysis."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Fake Skills Assessment Portals Targeting IT Job Seekers

US government officials continue to warn that the public and private sectors need to identify and root out China-backed attackers lurking in industrial control systems.

The United States National Security Agency is often tight-lipped about its work and intelligence. But at the Cyberwarcon security conference in Washington DC on Thursday, two members of the agency’s Cybersecurity Collaboration Center had a “call to action” for the cybersecurity community: Beware the threat of Chinese government-backed hackers embedding in US critical infrastructure.

Alongside its “Five Eyes” intelligence alliance counterparts, the NSA has been warning since May that a Beijing-sponsored group known as Volt Typhoon has been targeting critical infrastructure networks, including power grids, as part of its activity.

Officials emphasized on Thursday that network administrators and security teams need to be on the lookout for suspicious activity in which hackers manipulate and misuse legitimate tools rather than malware—an approach known as “living off the land”—to carry out clandestine operations. They added that the Chinese government also develops novel intrusion techniques and malware, thanks to a substantial stockpile of zero-day vulnerabilities that hackers can weaponize and exploit. Beijing collects these bugs through its own research, as well as a law that requires vulnerability disclosure.

The People’s Republic of China “works to gain unauthorized access to systems and wait for the best time to exploit these networks,” Morgan Adamski, director of the NSA’s Cybersecurity Collaboration Center, said on Thursday. “The threat is extremely sophisticated and pervasive. It is not easy to find. It is pre-positioning with intent to quietly burrow into critical networks for the long haul. The fact that these actors are in critical infrastructure is unacceptable, and it is something that we are taking very seriously—something that we are concerned about.”

Microsoft’s Mark Parsons and Judy Ng gave an update on Volt Typhoon’s activity later in the day at Cyberwarcon. They noted that after seemingly becoming dormant in the spring and most of the summer, the group reappeared in August with improved operational security to make its activity more difficult to track. Volt Typhoon has continued attacking universities and US Army Reserve Officers’ Training Corps programs—a type of victim the group particularly favors—but it has also been observed targeting additional US utility companies.

“We think Volt Typhoon is doing this for espionage-related activity, but in addition, we think there’s an element that they could use it for destruction or disruption in a time of need,” Microsoft’s Ng said on Thursday.

The NSA’s Adamski and Josh Zaritsky, chief operations officer of the Cybersecurity Collaboration Center, urged network defenders to manage and audit their system logs for anomalous activity and store logs such that they can’t be deleted by an attacker who gains system access and is looking to hide their tracks.

The two also emphasized best practices, like two-factor authentication and limiting users’ and admins’ system privileges to minimize the possibility that attackers can compromise and exploit accounts in the first place. And they emphasized that not only is it necessary to patch software vulnerabilities, it is crucial to then go back and check logs and records to make sure that there aren’t signs that the bug was exploited before it was patched.

“We are going to need internet service providers, cloud providers, endpoint companies, cybersecurity companies, device manufacturers, everybody in this fight together. And this is a fight for our US critical infrastructure,” Adamski said. “The products, the services that we rely on, everything that matters—that’s why this is important.”

The NSA Seems Pretty Stressed About the Threat of Chinese Hackers in US Critical Infrastructure

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Tag

#microsoft