By Habiba Rashid
According to Microsoft, the Royal ransomware is now being spread by a threat actor known as DEV-0569.
This is a post from HackRead.com Read the original post: Royal Ransomware: New Threat Uses Google Ads and Cracked Software

On November 17th, Microsoft Security Threat Intelligence tracked activity from a threat actor known as DEV-0569 regarding the development of new tools to deliver the Royal ransomware. 

Although Microsoft still uses a temporary ‘DEV-####’ designation for it, meaning that they are unsure about its origin or identity, the group is believed to consist of ex-Conti members. 

“Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation,” the Microsoft Security Threat Intelligence team said in an analysis.

Traced back to August 2022, the group typically relies on malvertising, phishing link vectors, fake forum pages, and blog comments. They also direct users to a malware downloader called BATLOADER, posing as various legitimate software installers such as TeamViewer, Adobe Flash Player, and Zoom or updates embedded in spam emails. 

BATLOADER posing as a TeamViewer installer

When BATLOADER is launched, it uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that are decrypted and launched with PowerShell commands.

BATLOADER also appears to share overlaps with another malware called Zloader. A recent analysis of the strain by eSentire and VMware called out its stealth and persistence, in addition to its use of search engine optimization (SEO) poisoning to lure users to download the malware from compromised websites or attacker-created domains. 

In their blog post, Microsoft security researchers mentioned some of the recently observed changes in the group’s delivery method. This includes the use of contact forms on targeted organizations’ websites to deliver phishing links, hosting fake installer files on seemingly legitimate software download sites, and expansion of their malvertising technique through Google Ads. 

1.  Gootloader exploits websites via SEO to spread ransomware
2.  Google Fails To Remove “App Developer” Behind Malware Scam
3.  Malicious Office documents make up 43% of all malware downloads
4.  Google Drive accounted for 50% of malicious Office docs downloads
5.  Research sector targeted in spear phishing attack using Google Drive

In one particular campaign, DEV-0569 sent a message to targets using the contact form on these targets’ websites, posing as a national financial authority. When a contracted target responds via email, the threat actor replies with a message containing a link to BATLOADER, hence successfully luring the target into its trap. 

Also utilized is a tool known as NSudo to launch programs with elevated privileges and impair defenses by adding registry values that are designed to disable antivirus solutions.

Their expansion strategy by employing Google Ads to spread BATLOADER, however, seems to have made the biggest difference in the diversification of the DEV-0569’s distribution vectors. This enabled it to reach more targets and deliver malware payloads. 

“Since DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists,” Microsoft said.

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I'm not found hanging around in Discord voice channels with my friends, I'm probably cycling and taking pictures of random cats on the street.

Royal Ransomware: New Threat Uses Google Ads and Cracked Software

By Deeba Ahmed
The attackers gain access to the network through decoy documents covering controversial geo-political topics to lure the targeted organizations into downloading and executing the malware. 
This is a post from HackRead.com Read the original post: Research sector targeted in new spear phishing attack using Google Drive

According to Trend Micro researchers, a Chinese government-sponsored advanced persistent threat (APT) group has launched spear-phishing attacks to target education, government, and research sectors worldwide.

The report is unsurprising as earlier this year, researchers linked Google Drive to 50% of malicious MS Office document downloads.

**Campaign Details**

The attackers are delivering custom malware stored in Google Drive. The attacks were discovered between March and October 2022. The primary targets of the group were located in Japan, Australia, Myanmar, Taiwan, and the Philippines. For your information, the espionage group has been active since July 2018.

**How does the Attack Works?**

The attackers gain access to the network through decoy documents covering controversial geo-political topics to lure the targeted organizations into downloading and executing the malware.

In some instances, the phishing messages were sent from email accounts that were previously compromised and belonged to specific entities to enhance the success ratio of this campaign. The archive files display a lure document to the victim.

However, in the background, it loads malware through DLL side-loading. Eventually, the attacker delivers three malware families to download the next-stage payloads. The main backdoor they use is TONESHELL, installed via the TONEINS shellcode loader.

The attackers bypass security mechanisms by embedding link points to a Dropbox or Google Drive folder. These links redirect to download compressed files such as ZIP, RAR, and JAR with custom malware strains like PubLoad and TONESHELL.

> “Once the group has infiltrated a targeted victim’s systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved.”
> 
> Nick Dai, Vickie Su, Sunny Lu – Trend Micro

**Who is the Attacker?**

Researchers claim that the group responsible for the attacks has been identified as Mustang Panda, also known as TA416, Red Lich, Earth Preta, HoneyMyte, and Bronze President. Mustang Panda prefers using China Chopper and PlugX malware to collect data from compromised systems.

In its report, Trend Micro noted that Mustang Panda continually evolves its attack tactics to evade detection and use infection methods that allow them to deploy bespoke malware families such as PUBLOAD, TONEINS, and TONESHELL.

1.  Chinese Hackers Hiding Malware in Windows Logo
2.  APT Groups Trapping Targets with Clever Twitter Scheme
3.  Chinese Hackers Distributing Malware in SMS Bomber Tool
4.  Windows, Linux and macOS Users Targeted by Chinese hackers
5.  Microsoft disrupts activity of Chinese hackers by seizing 42 websites

Research sector targeted in new spear phishing attack using Google Drive

本ブログは、Announcing the Microsoft Machine Learning Membership Inference Competition (MICO)の抄訳版です。最新の情報は原文を参照してく

マイクロソフト 機械学習 メンバーシップ推論コンペティション (MICO) の発表

By Waqas
The attack, according to authorities, was launched on the Federal Civilian Executive Branch (FCEB).
This is a post from HackRead.com Read the original post: Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network

In December last year, it was reported that Iranian and Chinese hackers were exploiting the Log4Shell vulnerability in the wild. Now, according to the US CISA (Cyber security infrastructure and security Agency), an advanced persistent threat (APT) group sponsored by the Iranian government compromised the network of a U.S. federal agency.

The attack, according to authorities, was launched on the Federal Civilian Executive Branch (FCEB).

**Cyberattack Details**

CISA revealed that the hackers used the Log4Shell vulnerability, tracked as CVE-2021-44228, in the unpatched VMware Horizon server to compromise the network and gain control of the organization’s domain controller (DC). Once they successfully invaded the system, the hackers deployed XMRig crypto mining software to steal credentials and mine for crypto.

For your information, Log4Shell is a zero-day vulnerability in a Java logging framework called Log4j that causes arbitrary code execution and impacts VMware Horizon and an extensive array of products.

**CISA’s Analysis**

As per CISA, their researchers conducted a routine investigation in April 2022 and identified suspicious APT activities on the FCEB network using the EINSTEIN intrusion detection system used by the agency.

They discovered bi-directional traffic passing through the network and an already found malicious I.P. address linked with Log4Shell vulnerability exploitation in VMware Horizon servers.

CISA further noted that an HTTPS activity was launched from I.P. address 51.89.18164 to VMware’s server. Further probe revealed that the I.P. address was associated with Lightweight Directory Access Protocol (LDAP) server operated by attackers to deploy Log4Shell.

**Who are the Attackers?**

In a joint advisory from CISA, the Department of Homeland Security, and the FBI, it was revealed that the attack was launched in February 2022. The attackers moved laterally to DC, stole credentials, and implanted Ngrok reverse proxies on multiple hosts to retain persistence. U.S. security officials responded in June to clean the network.

Reportedly, the hackers were identified as Nemesis Kitten, and they launched the attack with backing from the Iranian government. Nemesis Kitten is an extension of the Phosphorus Iranian malware group, and they regularly utilize well-known, highly exploitable vulnerabilities to facilitate ransomware attacks against organizations.

CISA warned that organizations still using the unpatched server versions should be concerned as they would eventually be compromised.

1.  Dirty Pipe Linux Vulnerability Overwrites Data
2.  Watch Out: Microsoft Office 0-Day Vulnerability Follina
3.  OpenSSL Released Patch for High-Severity Vulnerability
4.  Flaw in GPS Tracker Lets Hackers Remotely Control Vehicles
5.  Critical Amazon Ring Flaw Could Expose Camera Recordings

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network

A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered Royal ransomware.
Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name DEV-0569.
"Observed DEV-0569 attacks show a pattern of continuous innovation, with

A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered Royal ransomware.

Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name **DEV-0569**.

"Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation," the Microsoft Security Threat Intelligence team said in an analysis.

The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom.

The malware downloader, a strain referred to as BATLOADER, is a dropper that functions as a conduit to distribute next-stage payloads. It has been observed to share overlaps with another malware called ZLoader.

A recent analysis of BATLOADER by eSentire and VMware called out the malware's stealth and persistence, in addition to its use of search engine optimization (SEO) poisoning to lure users to download the malware from compromised websites or attacker-created domains.

Alternatively, phishing links are shared through spam emails, fake forum pages, blog comments, and even contact forms present on targeted organizations' websites.

"DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network," the tech giant noted.

"The management tool can also be an access point for the staging and spread of ransomware."

Also utilized is a tool known as NSudo to launch programs with elevated privileges and impair defenses by adding registry values that are designed to disable antivirus solutions.

The use of Google Ads to deliver BATLOADER selectively marks a diversification of the DEV-0569's distribution vectors, enabling it to reach more targets and deliver malware payloads, the company pointed out.

It further positions the group to serve as an initial access broker for other ransomware operations, joining the likes of malware such as Emotet, IcedID, Qakbot.

"Since DEV-0569's phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists," Microsoft said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware

The company emerges from stealth with an automated security remediation product identifies and remediates cloud misconfigurations.

Some of the most common issues in cloud security involve misconfigured systems. Cloud servers may be mistakenly configured to allow anyone on the Internet to access the data. The firewall rules may have inadvertently created a hole big enough for a threat actor to slip through. These kinds of issues trip up enterprises on a regular basis because securing cloud infrastructure is labor-intensive and security operations rely heavily on manual processes to manage the complex environment.

Enter OpsHelm, a cloud security startup which came out of stealth with its automated security remediation product on Thursday. The product monitors the IT environment looking for cloud misconfigurations and makes it possible to fix the issues in a seamless way. The tool integrates with common enterprise communications tools such as Slack or Microsoft Teams and informs the security operations team of the issues as they are found. The team can address the issues and the tool learns what actions should be taken so that it knows how to handle the situation the next time that issue comes up.

"Companies attempt to solve this problem with enhanced visibility into their cloud infrastructure, yet this isn't enough--they are still stuck doing the time-consuming triage and remediation with their limited team resources," Andrew Peterson, co-founder and CEO of Signal Sciences and an investor in the company, said in a statement.

The company says OpsHelm can detect and fix common cloud issues such as misconfigurations, overly permissive firewall rulesets, potential data exposures, unmanaged resources in Infrastructure as Code (IaC), credential sprawl, and unsecured assets exposed to the Internet.

"For example, if S3 buckets are routinely exposed when you stand up new programs, you can eliminate all exposed S3 buckets in seconds and ensure that any new ones are instantly locked down the second they are exposed," Bill Gambardella, OpsHelm CEO and co-founder, wrote on the company's blog. Gambardella was previously COO at Leviathan Security Group and previously ran security at Sprout Social. Other members of the founding team include OpsHelm CTO Kyle McCullough, who was a platform engineer at Sprout Social; COO Bob Bregant and founding engineer Lee Brotherson.

At the moment, OpsHelm integrates with Google Cloud Platform and Amazon Web Services. Support for Microsoft Azure is “coming soon.” Currently in public beta, general availability is expected early next year, the company says.

New Startup OpsHelm Tackles Cloud Misconfigurations

Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress.

CVE-2022-43492: Comments – wpDiscuz

Although the group relies on good old phishing to deliver Royal ransomware, researchers say DEV-0569 regularly uses new and creative discovery techniques to lure victims.

It generally starts with malvertising and ends with the deployment of Royal ransomware, but a new threat group has distinguished itself by its ability to innovate the malicious steps in between to lure in new targets.

The cyberattack group, tracked by Microsoft Security Threat Intelligence as DEV-0569, is notable for its ability to continuously improve its discovery, detection evasion, and post-compromise payloads, according to a report this week from the computing giant.

"DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments," the Microsoft researchers said.

In just a few months, the Microsoft team observed the group's innovations, including hiding malicious links on organizations' contact forms; burying fake installers on legitimate download sites and repositories; and using Google ads in its campaigns to camouflage its malicious activities.

"DEV-0569 activity uses signed binaries and delivers encrypted malware payloads," the Microsoft team added. "The group, also known to rely heavily on defense evasion techniques, has continued to use the open-source tool Nsudo to attempt disabling antivirus solutions in recent campaigns."

The group's success positions DEV-0569 to serve as an access broker for other ransomware operations, Microsoft Security said.

**How to Combat Cyberattack Ingenuity**

New tricks aside, Mike Parkin, senior technical engineer at Vulcan Cyber, points out the threat group indeed makes adjustments along the edges of their campaign tactics, but consistently relies on users to make mistakes. Thus, for defense, user education is the key, he says.

"The phishing and malvertising attacks reported here rely entirely on getting users to interact with the lure," Parkin tells Dark Reading. "Which means that if the user doesn't interact, there is no breach."

He adds, "Security teams need to stay ahead of the latest exploits and malware being deployed in the wild, but there is still an element of user education and awareness that's required, and will always be required, to turn the user community from the main attack surface into a solid line of defense."

Making users impervious to lures certainly sounds like a solid strategy, but Chris Clements, vice president of solutions architecture at Cerberus Sentinel, tells Dark Reading it's "both unrealistic and unfair" to expect users to maintain 100% vigilance in the face of increasingly convincing social engineering ploys. Instead, a more holistic approach to security is required, he explains.

"It falls then to the technical and cybersecurity teams at an organization to ensure that a compromise of a single user doesn't lead to widespread organizational damage from the most common cybercriminal goals of mass data theft and ransomware," Clements says.

**IAM Controls Matter**

Robert Hughes, CISO at RSA, recommends starting with identity and access management (IAM) controls.

"Strong identity and access governance can help control the lateral spread of malware and limit its impact, even after a failure at the human and endpoint malware prevention level, such as stopping authorized individual from clicking on a link and installing software that they are allowed to install," Hughes tells Dark Reading. "Once you've ensured that your data and identities are safe, the fallout of a ransomware attack won't be as damaging — and it won't be as much of an effort to re-image an endpoint."

Phil Neray from CardinalOps agrees. He explains that tactics like malicious Google Ads are tough to defend against, so security teams must also focus on minimizing fallout once a ransomware attack occurs.

"That means making sure the SoC has detections in place for suspicious or unauthorized behavior, such as privilege escalation and the use of living-off-the-land admin tools like PowerShell and remote management utilities," Neray says.

DEV-0569 Ransomware Group Remarkably Innovative, Microsoft Cautions

IOBit IOTransfer V4 is vulnerable to Unquoted Service Path.

    # Exploit Title: IOTransfer V4 - Unquoted Service Path
    # Exploit Author: BLAY ABU SAFIAN (Inveteck Global)
    # Discovery Date: 2022-28-07
    # Vendor Homepage: http://www.iobit.com/en/index.php
    # Software Link: https://iotransfer.itopvpn.com/download/
    # Tested Version: V4
    # Vulnerability Type: Unquoted Service Path
    # Tested on OS: Microsoft Windows Server 2019 Standard Evaluation CVE-2022-37197
    # Step to discover Unquoted Service Path:
    
    C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
    
    IOTransfer Updater IOTUpdaterSvc C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe
                          Auto
    
    C:\>sc qc IOTUpdaterSvc
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: IOTUpdaterSvc
            TYPE : 10 WIN32_OWN_PROCESS
            START_TYPE : 2 AUTO_START
            ERROR_CONTROL : 1 NORMAL
            BINARY_PATH_NAME : C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe
    
    
    LOAD_ORDER_GROUP :
            TAG : 0
            DISPLAY_NAME : IOTransfer Updater
            DEPENDENCIES :
            SERVICE_START_NAME : LocalSystem
    
    C:\>systeminfo
    
    OS Name: Microsoft Windows Server 2019 Standard Evaluation
    OS Version: 10.0.17763 N/A Build 17763
    OS Manufacturer: Microsoft Corporation

CVE-2022-37197: Offensive Security’s Exploit Database Archive

How far can its government — or any government or private company — go to proactively disrupt cyber threats without causing collateral damage?

The Australian government's defiant proclamation recently that it would hack back against hackers that sought to target organizations in the country represents a break from the usual cautious manner in which nations have approached international cyber threats.

How effective the country's newly announced "joint standing operation against cybercriminal syndicates" will be remains an open question, as does the issue of whether other nations will follow suit. Also unclear is how far exactly law enforcement is willing to go to neutralize infrastructure that it perceives as being used in cyberattacks against Australian entities.

**Pressure for Hack-Back Legislation May Be Mounting**

"As it becomes more obvious that the majority of organizations are poorly prepared to defend themselves, I think it is justifiable for well-resourced governments to step in," says Richard Stiennon, chief research analyst at IT-Harvest. "I fully expect hack-back legislation to pass in response to some devastating attack that is visible to lots of voters. But I do not expect it to have teeth or change the landscape much."

Australian prime minister Anthony Albanese's government on Nov. 12 announced a joint initiative between the Australian Federal Police and the Australian Signals Directorate to "investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups."

The government launched the initiative following two major cyberattacks — one on telecommunications company Optus and the other on health insurer Medibank — that together exposed personally identifiable information (PII) and other sensitive information belonging to more than one-third of Australia's total population of some 26 million people.

The cyberattacks were among the largest in scope in the country's history and sparked considerable outrage and concern, especially after attackers began publicly leaking medical records (including abortion records) following Medibank's refusal to pay a demanded $10 million ransom. Some security researchers have pinned the blame for the ransomware attack on Medibank on Russia's notorious REvil threat group.

The Australian counter-hacking operation will prioritize cyber threats perceived as presenting the greatest threat to national interests. It will focus on intelligence gathering, identifying cybercrime ring leaders and networks, so law enforcement can intercept and disrupt operations and actors regardless of where they are operating from. Media outlets including the _Guardian_ quoted Australian home affairs minister Clare O'Neil promising to "day in, day out hunt down the scumbags" responsible for the recent attacks.

"The smartest and toughest people in our country are going to hack the hackers," the Guardian quoted O'Neil as saying.

**An Ongoing Practice**

The strong language notwithstanding, it's unclear how far exactly the Australian government will go — or can go — beyond what is already being done to disrupt cyber threats, especially those originating from outside its jurisdiction. Law enforcement and intelligence agencies in several countries, including the US, UK, and Australia itself, routinely are engaged in the kind of intelligence gathering and tracking down of cybercriminals that the Australian government said it would carry out under the new initiative.

"It is my belief that the U.S. has been taking action in the cyber-domain since at 2010 when US Cyber Command was stood up," Stiennon says. "Other countries like the Netherlands and Israel have also demonstrated their abilities to strike back at sophisticated attackers."

Such efforts have resulted in numerous infrastructure takedowns and arrests, indictments and convictions of cybercrime gang members and leaders over the years. Even major U.S. technology companies — often acting under the authority of court orders — have participated in these efforts: Examples include Microsoft's participation in the takedown of the Zloader botnet operation and its more recent disruption of the Seaborgium phishing operation out of Russia.

"Cybercriminal groups, despite the level of impunity they often operate under, are vulnerable to disruption," says Casey Ellis, founder and CTO of Bugcrowd. "In my opinion this makes proactive hunting a viable pursuit," he says, pointing to examples like law enforcement's takedown of the Conti and REvil group operations.

Since the sort of activity that the Australian government announced has been going on for quite some time now, Ellis says the recent announcement represents a doubling down on those efforts, designed to send a signal.

"Cybercriminal groups are far less effective when they distrust each other or feel as though they are actively targeted," Ellis says.

US lawmakers have on a few occasions attempted — and failed — to pass bills that would offer some legal backing for organizations that hack back against cyberattackers. One notable example was H.R. 4036, the Active Cyber Defense Certainty Act (ACDC) of 2017, which would have allowed hacking back as a defense measure on an organization's own network under certain circumstances.

Another bill in 2021, titled "Study on Cyber-Attack Response Options Act," would have required the US Department of Homeland Security to assess the benefits and consequences of amending the nation's current computer abuse law to provide provisions for hacking back at attackers.

The initiatives failed amid controversy, largely around concerns that innocent entities could be caught in the crossfire.

**The Need for Caution**

Security researchers too have long advocated the need for caution around proactive efforts to disrupt criminal infrastructure — or to hack back against operators — because of the difficulties around attribution and collateral damage.

Innocent organizations, for instance, can get disrupted from the takedown of a hosting provider that a threat actor might have used to launch attacks. The ability for threat actors to launch attacks that appear to originate from somewhere else is another reason why critics have noted hack-back initiatives are dangerous.

"In general, truly attributing an attack is quite difficult," says Erick Galinkin, principal researcher at Rapid7, a company that has been a staunch critic of hack-back bills such as ACDC. "Attribution may be one of the hardest problems in all of cybersecurity."

There are a number of reasons for this, but among the main ones is that attackers are happy to use victims to target other victims. This means that when a victim hacks back, they may in fact be targeting another victim rather than an attacker, he says. "Moreover, allowing private sector hack back is incredibly challenging from an oversight and accountability perspective — how could a determination be made about who took the first offensive action?" he asks.

There are also potential legal landmines to consider. A law that Georgia's state legislature passed in 2018 — but which the Governor later vetoed — contained a provision that in essence would have protected a company against legal liability if it conducted a hack-back operation against another entity so long as it was part of "active defense."

As Rapid7 has noted, the term "active defense" as used in the bill could have been interpreted in any number of ways, leading to potential misuse and unintended consequences. "Here is a hypothetical: Remotely breaking into and searching another person's computers to see if that person possesses stolen passwords that could potentially be used for unauthorized access," the company said.

The main con is that you don't want to get it wrong, especially when operating under government authority, Ellis from Bugcrowd agrees. "This type of activity certainly has the potential to escalate into an international incident," he says. "The upside is the opportunity to use the cyberattacker's advantage against them, thereby leveling the playing field a little better."

Nonetheless, there could be a growing appetite for such measures, Galinkin says, as the Australian bill shows. "Calls for bills such as the Active Cyber Defense Certainty Act and others may increase given the current cyber threat environment, but we as practitioners have a responsibility to continue to inform policymakers about the risks associated with allowing such activities."

Tag

#microsoft