Microsoft dogs Strontium domains to stop attacks on Ukraine Microsoft this week seized seven internet domains run by Russia-linked threat group Strontium, which was using the infrastructure to target Ukrainian institutions as well as think tanks in the US and EU, apparently to support Russian's invasion of its neighbor. The seizure is also part of a long-running legal and technical …
I’m wondering what business reason or mandate Microsoft have to do this. Presumably nothing here is related to Microsoft operated infrastructure or Microsoft deployed and owned s/w? Not saying I disagree with what they are doing just wondering what their rationale is. Anyone got any more details?
Presumably this is part of their effort to protect their customers and users from phishing and more direct attacks. Microsoft have a very large number of users using Outlook, Exchange, Office, Windows, et al. that rely on Microsoft's anti-spam and anti-virus products for their protection.
Preventing future attacks by neutralising the sources responsible frees up their (Microsoft's) resources to focus elsewhere and with the added benefit of being able to educate people who were naïve enough to fall for phishing attempts in the first place by redirecting them to sites that explain exactly why they shouldn't have clicked that link.
Also, I don't know about you, but I don't (knowingly) run any software written by my local government.
What you should really be asking is what are Apple, Google, Amazon, Facebook, Twitter, et al. doing to protect their users?
If Microsoft was serious about protecting their customers they could start with making Windows more secure and extract less information from them.
If they would spend half the money they use for window dressing, marketing and "encouraging" owners to choose Microsoft they would no longer have these problems.
Windows has basic security features integrated into it which the competition doesn't match:
* Firewall filtering by application, user, group, IPSec state, source/dest IP/port/protocol at the same time
* Simple to apply FDE based on combined TPM, Password and Startup Key with emergency escrow
* Fully administrator-controlled, certificate-based whitelisting/blacklisting of all executable code
* A built-in AV/HIPS solution which can be configured to block all unknown software (ala. PrevX)
* Network Intrusion Prevention to identify and block malicious traffic in order to protect legacy software
* Per-binary digital signatures, allowing for a simple integrity check of the entire system, including DLLs
* Advanced compile-time and runtime security mitigations which other OSes are yet to implement by default
* A safe and secure means of enabling backwards compatibility flags for applications up to 25 years old
* Background updating of trusted root certificates independent of Windows Update to keep PCs working
A lot of the development for the above relied upon telemetry data collected as early as Windows XP SP2 through CEIP (which was automatically enabled) if people opted to choose Microsoft Recommended Defaults. Backwards compatibility for instance relied upon Microsoft collecting error reports from older software crashing in order to know which shims to develop to best serve the userbase.
Now let's compare with the competition:
If you use macOS, you need to install Little Snitch, Santa and Sophos to approximate what Windows has built-in for security. FileVault doesn't allow a startup key but does allow a rough equivalent to TPM+Password in newer Macs. In theory, Apple is heading in a better long-term direction, requiring notarisation of binaries through a CA they control while also putting an end to kexts entirely. But right now they still allow users to override the policy to run non-notarised apps as if they're equal. Until Apple makes notarisation mandatory for an app to be considered signed, it's honestly no better off than Windows with WDAC set to block unsigned binaries and Windows Defender Antivirus set to Zero Tolerance.
If you use Linux then good luck to you, as the basics are missing in most places (unless you're using RHEL), so you'll need to write a custom SELinux policy and use a tool like opensnitch to get an equivalent result. If you opt for FreeBSD, then you're even more screwed due to a complete lack of mitigations as basic as full ASLR.
So are we right to say Windows is all bad? Sure it runs a lot of services as SYSTEM, which (when equated to root) Linux and macOS do not. Software patching is also a nightmare on Windows compared to using software repos on RPM/DEB based distros. But at the same time, it has a lot of built-in security tools which are decent which the competition lacks....
And yet, it's implicated in 99% of all ransomware attacks, with the 1% or so reserved for VXware machines which are basically Linux subsystems and can also be breached - I have seen this happen from a Windows infection. To be fair, the victim in this case wasn't exactly good at keeping up with security updates because (if I recall correctly) in a fit of ill judged cost saving they opted for a VMWare license which did not allow live updates and then never allowed the required downtime for patching. Duh. But I digress.
So, you are in effect stating that the said 99% did not do their diligence in securing Windows as it should? Assuming that all these tools are actually built in, is their evident lack of use because they're hard to use, costly, unstable or simply require far more skills than the average admin has?
Available skills and simplicity of deployment matter too - SELinux, for instance, is certainly not a tool for the average beginner to mess around with, Fail2Ban is not a default install and too needs some work to set up and iptables too requires some effort to get right - ditto for Mac security where some of it is buried so deep that you only become aware of it when it blocks something, which implies you also have no view of it working or not (less experience with that).
Last but not least is the effort involved in keeping it safe. The latest Google Chrome/Microsoft Edge alert means again an update which seem to be needed more frequently and with higher data volumes to patch than other platforms. Most platforms come out with a new realease which is followed by a flurry of patches that die down once the release stabilises. Thankfully you can cache this, but it's still a pain, especially since most of these patches require a reboot. I'm hoping that updating browsers won't need it so it can be rolled out quickly - Google would not be keeping its mouth shut about the already-in-the-wild problem if it wasn't serious :(.
@AC “So, you are in effect stating that the said 99% did not do their diligence in securing Windows as it should? Assuming that all these tools are actually built in, is their evident lack of use because they're hard to use, costly, unstable or simply require far more skills than the average admin has?”
99% on its own is not evidence of lack of use. It is not evidence of anything other than what was stated “it's implicated in 99% of all ransomware attacks.”. No conclusions can be draw without further figures.
Such as and I am assuming implicated means successful attack, what % of all (successful and unsuccessful) ransomware attacks on windows were successful. The % distribution of all attacks by platform.
But I think that 99% implicated is not that bad when 95% of all ransomware attacks target windows, or so say Google. ;)
https://www.theregister.com/2021/10/14/googles_virustotal_malware/
If you are going to develop any sort of attack to gain money it makes sense to address the biggest surface area which is Windows. This would explain why most attacks are on that OS rather than any of the others that have much smaller installed bases.
"Also, I don't know about you, but I don't (knowingly) run any software written by my local government."
I'm not suggesting governments write software*. What I'm suggesting is that if someone is running a malicious server on behalf of one country in the territory of another I'd expect the government of that other country to be the one that puts a stop to it, not Microsoft acting as investigating office, judge, jury and jailer.
* I don't expect many members of any government to write software. I, on the other hand, have been a Civil Servant, i.e. employed by a government, and as part of that employment, have written software and run it. OTOH I'm most reluctant to run software written by Microsoft.
I think my (early morning, half asleep) point was that because governments don't produce consumer-level software or provide services of that nature to the general public, they generally don't have access to the data required to identify such threats, let alone act on them in the first place.
If threat prevention were left solely to governments, I think it's safe to assume there wouldn't be any.
I actually emailed the article author just after publication, asking this exact question. I'm not sure how I feel about a private company like Microsoft being able to seize domains - even if, in this case, it's for a good cause. Some context would be really helpful.
RE: "Microsoft being able to seize domains"
I'm not comfortable with any private company having the right to seize any domains they want, but we don't know the domains seized. If they were similar to any Microsoft already have registered, or contained Microsoft product names, it may actually be easier for Microsoft to seize them than a legit law enforcement agency.
After all, the law enforcement agencies might need to go through a potentially lengthy procedure, possibly involving a judge to issue the takedown. Any company logging the claim because their copyright has been infringed may just need to send a strongly worded letter or email to the domain registrar.
It does say in the article that they need judicial authorisation and that there is an “expedited” court process they follow to get it. It is true, though, that the author of the article rather skates over that aspect and more information on it would improve the article and provide a better context and better understanding.
No ulterior motive ? Evidence for that assertion ? I hope its true, but history suggests otherwise. The big question is above. Why a company, not a lawful government taking over the domains? Almost as if western governments are just cover sheets for corporate clowns. Both are incompetent enough to be hard to distinguish at times. Taxpayer money and shareholders money, treated the same careless greedy way
The "ulterior motive", as you put it, is the reputational damage resulting from more exploits and data losses from services they provide. It's in their interest to make Windows, Office, Azure etc as reliable as possible* which in the end means more customers.
*I realize this is an open goal, discard that witty scathing comment now and move along..
What Michael Roe got was a big cease-and-desist letter from Microsoft for what clearly looked like trademark infringement. When it came out that it was a kid that probably did that because he thought it was funny, they actually traded him training, an xbox, and all sorts of goodies for the domain. So in that other, legal-defense-of-their-brand case, MS actually treated the guy pretty well in the end.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
