The internet crosses all borders, and much like people choose sides in "discussions" on forums and social media, so too do the underground actors of all kinds. They are, after all, human beings; even if they don't have "traditional ethics", they all have some kind of personal ethic.
Revenge and inflation are key drivers behind an 800 percent increase in cyberattacks seen by a managed services provider since the days before the onset of Russia's invasion of Ukraine last month, according to the company's top executive. The attacks are coming not only from groups inside of Russia but also from within the …
Friday 11th March 2022 23:40 GMT PriorKnowledge
Never been a better time to lock down
For businesses: If you use Windows then deploy WDAC using a strict whitelist and start restricting outbound communications per-app using Windows Firewall (in addition to only allowing required inbound on workstations). If you use macOS, turn on the firewall and then consider deploying Santa, while Linux desktop users should get fapolicyd in place. TLS versions older than 1.2 should be blocked (IISCrypto can help with this on Windows) and a solution like chocolatey (Windows) or homebrew (macOS) should be adopted at a minimum to run on a schedule to auto-patch any non-store apps. Start using GPOs or MDM to block macros and remote links in any documents which aren’t in trusted locations. Possibly consider adopting a service to rewrite all Internet URLs in inbound emails to point to a service which checks against phishing databases while implementing strict attachment policies to block abused file types completely.
Home users should: Switch off UPnP on their routers. Get Windows Defender set up with Cloud Extended Protection set to Zero Tolerance; macOS users can grab Sophos for free to supplement the built-in XProtect. Also, adopt OpenDNS FamilyShield, Cloudflare filtered DNS (e.g. 220.127.116.11) or Quad9 to block known malicious domains. Install uBlock Origin and NoScript to help protect web browsers from zero days. If using Chrome with a Google Account, then turn on Enhanced Protection. If using Edge, make sure SmartScreen is enabled. Enforce that all websites be accessed via HTTPS. Disable macros outright in office products. Most importantly, avoid pirating things if you can afford to, as untrusted video, music and image files can and will be weaponised. If you must, use Windows Sandbox or a free version of VMware to run a disposable virtual machine to download and fully transcode pirated content beforehand to clean it prior to use.
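The business-side advice above (WDAC with a strict whitelist plus per-app outbound rules in Windows Firewall) can be bootstrapped from a reference workstation with the stock cmdlets. This is an added example, not the commenter's own script; the allow-listed application paths, the policy output directory and the svchost service list are assumptions to adapt to your estate, and the WDAC policy is generated in audit mode so CodeIntegrity events can be reviewed before enforcement.

```powershell
#Requires -RunAsAdministrator
# Added example (not the commenter's code). Run on a clean reference
# workstation; paths and app list below are placeholders to adapt.

# --- 1. Windows Firewall: default-deny outbound, allow per application ---
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Assumed list of binaries that genuinely need Internet access.
$allowedOutbound = @{
    'Edge'    = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
    'Outlook' = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
}
foreach ($app in $allowedOutbound.GetEnumerator()) {
    New-NetFirewallRule -DisplayName "Allow outbound: $($app.Key)" `
        -Direction Outbound -Program $app.Value -Action Allow `
        -Profile Any -Enabled True | Out-Null
}

# Core OS services run inside svchost.exe; scope the allow to the service,
# not the host binary, so a default-deny outbound policy does not break
# name resolution, DHCP, Windows Update or Defender signature updates.
foreach ($svc in @('Dnscache', 'Dhcp', 'wuauserv', 'WinDefend')) {
    New-NetFirewallRule -DisplayName "Allow outbound: service $svc" `
        -Direction Outbound -Program '%SystemRoot%\System32\svchost.exe' `
        -Service $svc -Action Allow -Profile Any -Enabled True | Out-Null
}

# --- 2. WDAC: allow-list scanned from the reference image, audit first ---
$policyDir = 'C:\WDAC'                      # assumed output location
New-Item -ItemType Directory -Path $policyDir -Force | Out-Null
$xml = Join-Path $policyDir 'policy.xml'

# -UserPEs pulls user-mode EXEs and DLLs into the policy alongside drivers;
# Publisher rules with a hash fallback cover unsigned binaries.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $xml
Set-RuleOption -FilePath $xml -Option 0     # Enabled:UMCI (enforce user-mode code)
Set-RuleOption -FilePath $xml -Option 3     # Enabled:Audit Mode (log, do not block yet)
Set-RuleOption -FilePath $xml -Option 6     # Enabled:Unsigned System Integrity Policy

# Review Microsoft-Windows-CodeIntegrity/Operational events 3076 (would block)
# while in audit mode; once clean, drop option 3 to enforce:
#   Set-RuleOption -FilePath $xml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath (Join-Path $policyDir 'policy.bin')
# Deploy the single-policy-format binary by copying it to
# C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and rebooting.
```

Note that MSIL (.NET) assemblies are not enforced by this policy unless that option is added explicitly, which matches the caveat raised later in the thread.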
Friday 11th March 2022 23:55 GMT Clausewitz 4.0
Re: Never been a better time to lock down
Whitelist does not work well if the attacker uses legitimate Windows binaries to sideload DLLs, or PowerShell. A popular brand of ATM uses whitelisting, but attacks using DLLs are still possible.
Firewalls are useless with github, youtube, google drive used as C2. CANVAS from ImmunityInc uses these also.
Finally, zero days.
Saturday 12th March 2022 05:55 GMT man_iii
Saturday 12th March 2022 10:41 GMT PriorKnowledge
WDAC covers DLLs and drivers by default
…and PowerShell can be blocked for end-users via GPO. WDAC will also prevent a custom compiled version which ignores the GPO from running thanks to policy being applied via digital signatures. You can also block cmd.exe, WSH and all other common avenues of automation for regular user accounts this way, while WDAC prevents an attacker from using custom binaries to bypass group policy.
Give it a go and you will find sideloading DLLs which aren’t whitelisted won’t help, the app will just fail to execute. Even setting up a “debugger” via the registry will fall over. If you choose to enforce it for MSIL (not the default), even locally-created DLLs made by ngen.exe will be blocked!