Information Technology

Microsoft has patched a security weakness in Azure PostgreSQL which could have been exploited to execute malicious code.

On Thursday, researchers from Wiz Research published an advisory on “ExtraReplica,” described as a “cross-account database vulnerability” in Azure’s infrastructure.Microsoft Azure is a hybrid cloud service and accounts for hundreds of thousands of enterprise customers. According to Wiz, a “chain” of vulnerabilities could be used to bypass Azure’s tenant isolation, which prevents software-as-a-service (SaaS) systems customers from accessing resources belonging to other tenants. ExtraReplica’s core attack vector is based on a flaw that allowed attackers read access to PostgreSQL databases without authorization. Once a target, public PostgreSQL Flexible Server has been selected, an attacker has to find the target’s Azure region “by resolving the database domain name and matching it to one of Azure’s public IP ranges,” according to Wiz. An attacker-controlled database then has to be created in the same region. The first vulnerability, found in Azure’s PostgreSQL engine modifications, would be exploited on the attacker-controlled instance, leading to escalated ‘superuser’ privileges and the ability to execute code. The second bug in the chain, buried in the certificate authentication process, would then be triggered on the target instance via replication to gain read access. While this attack could be used on a subnet, the Certificate Transparency feed could also be abused to retrieve domain SSL certificates and extract a database’s unique identifier, thereby expanding the potential attack surface beyond a subnet. An attacker would need to retrieve target information from the Certificate Transparency feed and purchase a “specifically crafted certificate” from a CA to perform such an exploit. The vulnerability doesn’t, however, impact Single Server instances or Flexible servers with “VNet network configuration (Private access)” enabled, according to the researchers. The vulnerability was disclosed to Microsoft in January. Microsoft’s security team triaged the vulnerability and was able to replicate the flaw. Wiz was awarded a bug bounty of $40,000 for its report and a fix was rolled out by February 25 by the Redmond giant. Now fully mitigated, Azure customers do not need to take any action. Microsoft is not aware of any exploitation in the wild. “We appreciate MSRC’s cooperation and their attentiveness to our report,” the researchers commented. “Their professional approach and close communication throughout the disclosure process is a model for all vendors.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Microsoft warns it saw six Russia-aligned, state-sponsored hacking groups launch over 237 cyberattacks against Ukraine starting in the weeks before Russia’s February 24 invasion.Microsoft has released an in-depth report detailing how Russian cyberattacks against Ukraine were “strongly correlated” or “directly timed” with its military operations in the country. 

ZDNet Recommends

For example, on March 1, several Kyiv-based media companies were struck by destructive and information-stealing malware, which coincided with a missile strike on a Kyiv TV tower on the same day. SEE: Google: Multiple hacking groups are using the war in Ukraine as a lure in phishing attemptsThen on March 13, a suspected Russian nation-state actor stole data from a nuclear safety organization, aligning with Russian troops seizing the Chernobyl nuclear power plant and the Zaporizhzhia Nuclear Power plant.The report takes a closer look at Russia’s use of destructive malware during and before the invasion, the first of which was discovered by Microsoft in mid-January and dubbed WhisperGate. The combination of cyber and military points to Russia’s hybrid warfare strategy, according to Microsoft. “Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians,” says Corporate Vice President, Customer Security & Trust, Tom Burt.According to the report, the day before Russia’s military invaded Ukraine, operators linked to the GRU – Russia’s military intelligence service – launched destructive wiper attacks on hundreds of systems in Ukrainian government, IT, energy, and financial organizations. Microsoft detected 37 destructive malware attacks against Ukraine between February 24 and April 8 through eight known destructive malware families, including FoxBlade, which Microsoft found in February, FiberLake, IsaacWiper/HermeticWiper/SonicVote, and CaddyWiper, as well as Industroyer2, aimed at industrial control systems (ICS). In many cases, the malware used the SecureDelete utility to wipe data.   The US government two weeks ago warned of suspected Russian malware called Pipedream that was customized to compromise multiple vendors’ ICS equipment. Ukraine officials earlier this month also said they stopped a cyberattack on an energy facility that could have cut power to two million people. “Known and suspected Russian threat actors deployed malware and abused legitimate utilities 37 times to destroy data on targeted systems. SecureDelete is a legitimate Windows utility that threat actors abused to permanently delete data from targeted devices,” Microsoft says in the report. “More than 40% of the destructive attacks were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the government, military, economy, and people,” Microsoft says. Additionally, 32% of destructive incidents affected Ukrainian government organizations at the national, regional, and city levels.The three main Russian military agencies Microsoft identifies in the report are the GRU, SVR (Russia’s foreign intelligence service), and the FSB or Federal Security Service. The main methods for initial access were phishing, using unpatched vulnerabilities, and compromising IT service providers. Microsoft says Russia’s cyberattacks appeared to “work in tandem” against targets of military activity. However, it was uncertain whether these were coordinated, centralized or if there was just a common set of understood priorities. “At times, computer network attacks immediately preceded a military attack, but those instances have been rare from our perspective. The cyber operations so far have been consistent with actions to degrade, disrupt, or discredit Ukrainian government, military, and economic functions, secure footholds in critical infrastructure, and to reduce the Ukrainian public’s access to information,” Microsoft says.  SEE: Bronze President spies on Russian targets as Ukraine invasion continuesBurt says following Microsoft’s discovery of WhisperGate, it established a secure line of communication with Ukraine officials and has been providing support ever since. In the lead up to the invasion, Microsoft also observed that Russian cyberattacks were growing increasingly loud and disruptive and usually intensified following diplomatic failures related to the conflict with Ukraine and NATO members.Burt urged all organizations to take heed of alerts published by the US Cybersecurity and Infrastructure Security Agency (CISA) and other US government agencies due to fears that NATO military support to Ukraine could see Russia’s efforts expand beyond Ukrainian targets. “Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression,” warned Burt. This article has been updated to correct the name of the author of Microsoft’s blog, which was by Tom Burt – Corporate Vice President, Customer Security & Trust.
Microsoft More

Google says it blocked 1.2 million apps from being published to the Google Play store because the company detected policy violations in its app review processes, preventing “preventing billions of harmful installations” on Android devices.  Google’s Play Store reviews have often been seen as less strict than those in Apple’s App Store. However, Google is making bigger efforts to protect the privacy and security of people using the three billion active Android devices in use today and it has stopped 1.2 million policy violating apps from being distributed on the Play store through its app review process.  Google says it also banned 190,000 bad accounts in 2021 as part of its efforts to hinder malicious and spammer developers. It also closed 500,00 inactive or abandoned developer accounts. 

“Last year we introduced multiple privacy focused features, enhanced our protections against bad apps and developers, and improved SDK data safety. In addition, Google Play Protect continues to scan billions of installed apps each day across billions of devices to keep people safe from malware and unwanted software,” Google’s Android and Privacy teams said in a blogpost. SEE: Google: We’re spotting more zero-day bugs than ever. But hackers still have it too easyGoogle’s initiatives in 2021 aimed to strike a balance between end-user safety and convenience for the developers whose work drives the Play Store, which had about 3.5 million apps available for download. The volume of transactions on Apple’s and Google’s app stores is staggering. According to mobile ad analytics firm App Annie, consumers spent $170 billion on mobile apps in 2021, with roughly 65% share of revenues going to Apple’s App Store and 35% going to Google Play. Consumers downloaded 230 billion new apps in 2021, or about 435,000 apps per minute. But 98.3 billion of those downloads were by users in China where Google Play is not available, while US consumers accounted for 12 billion of the total.  In an effort to improve transparency for end users, Google introduced a data safety program last May that requires developers to give users details about the types of data collected by an app, the use of encryption, and how data is used. Google requires developers to fix any detected violations of policy. They risk further enforcement if they don’t comply with Google’s requested fixes. Developers have until July 20 to declare to Play store users information required in the data safety initiative.  Google also regularly removes malicious apps from the Play store after they’re discovered by third-party researchers, who still manage to find them on a reasonably regular basis. To help developers manage rejections during the review process, Google has added a Policy and Programs section to the Google Play console for developers. It also has a page to appeal decisions and track the status of a submission.   The benefits of these initiatives are greater for those who’ve upgraded to the latest versions of Android. “As a result of new platform protections and policies, developer collaboration and education, 98% of apps migrating to Android 11 or higher have reduced their access to sensitive APIs and user data,” Google claims. “We’ve also significantly reduced the unnecessary, dangerous, or disallowed use of Accessibility APIs in apps migrating to Android 12, while preserving the functionality of legitimate use cases.”SEE: The best Android phones: Better than the iPhone?Google also noted that it disallowed the collection of Advertising ID (AAID) and other device identifiers from all users in apps solely targeting children. These included identifiers such as the SIM Serial number, MAC address, SSID, IMEI, and IMSI. It also gave all users the ability to delete their Advertising ID entirely, regardless of the app. Google Pixel is a small share of the overall Android market, but these users gained a new Security hub, or a single page to manage all security settings. 

Smartphones More

Written by

Chris Duckett, APAC Editor

Chris Duckett
APAC Editor

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Full Bio

Image: Shutterstock
During 2021, the top 15 vulnerabilities that were exploited — as observed by the US Cybersecurity and Infrastructure Security Agency, US NSA, US FBI, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre — led to remote code execution (RCE) across a range of products, and left IT administrators with a short window to keep their house in order. “For most of the top exploited vulnerabilities, researchers or other actors released proof of concept code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors,” the agencies said in an alert. Topping the list was the RCE hole in Java logging library Apache Log4j, also known as Log4Shell, that was disclosed in December. “The rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch,” the alert said. This was followed by CVE-2021-40539, an RCE hole in Zoho ManageEngine, and seven vulnerabilities in Exchange that became known as ProxyShell and ProxyLogin. Next on the list was CVE-2021-26084 in Atlassian Confluence, which US Cybercom warned was facing mass exploitation in September. In this instance, the agencies said the exploit code was released a week after it was disclosed. The final vulnerability from 2021 on the list was CVE-2021-21972, which impacted VMware vSphere. Completing the list was a quartet of vulnerabilities that were highlighted in July, consisting of CVE-2020-1472 in Microsoft Netlogon which is also called Zerologon, CVE-2020-0688 in Exchange, CVE-2019-11510 from Pulse Secure Connect, and CVE-2018-13379 impacting Fortinet FortiOS and FortiProxy. A secondary list of another 15 CVEs was also issued, and included holes in Accellion FTA, and additional RCE bugs in VMware vCenter and the Windows print spooler. To mitigate these vulnerabilities, the agencies repeated advice on timely patching, having a centralised patch management system, and shifting to cloud or managed service providers if rapid scanning is not considered doable. The advice added that organisations should enforce multifactor authentication on all users without exception, with VPN logins in particular called out, as well as regularly reviewing privileged accounts at least yearly and adopting the least privilege principle. Companies should also move to allowlisting, properly segment networks to limit lateral movement, and constantly monitor attack surfaces. Related Coverage More

Written by

Aimee Chanthadavong, Senior Journalist

Aimee Chanthadavong
Senior Journalist

Since completing a degree in journalism, Aimee has had her fair share of covering various topics, including business, retail, manufacturing, and travel. She continues to expand her repertoire as a tech journalist with ZDNet.

Full Bio

Google has now expanded Google Search removal requests to include additional personally identifiable contact information, such as a person’s phone number, email address, or physical address.Up until now, people have been able to request the removal of other certain sensitive information from Search, such as doxxing content — which is when a person’s contact information is shared in a malicious way — or information like bank account or credit card numbers that could be used for financial fraud.Under the expanded policy, users can also request for the removal of additional information that may pose a risk for identity theft — such as confidential log-in credentials — when it appears in search results. “The availability of personal contact information online can be jarring — and it can be used in harmful ways, including for unwanted direct contact or even physical harm. And people have given us feedback that they would like the ability to remove this type of information from Search in some cases,” Google Search global policy lead Michelle Chang wrote in a post.Chang said when a Google Search removal request is submitted, Google evaluates all the content on the web page. Following the evaluation, Google may remove the provided URL from all search queries; remove the search results in which the query includes a person’s name or other provided identifiers, such as aliases; or in some circumstances deny the request. “We will evaluate all content on the web page to ensure that we’re not limiting the availability of other information that is broadly useful, for instance in news articles,” Chang said. “We’ll also evaluate if the content appears as part of the public record on the sites of government or official sources. In such cases, we won’t make removals.”Google warned, however, that removing content from Google Search does not remove it from the internet, and recommended that people contact the hosting site directly if that is what they want it removed entirely. This latest update follows on from Google rolling out a new policy last October to enable people under the age of 18, or their parents or guardian, to request the removal of their images from Google search results. RELATED COVERAGE More

Security is imperative for companies to deter trespassers and would-be thieves and to protect valuable equipment crucial for businesses to operate successfully.  A robust setup with cameras, sensors, and night vision can take the pressure off security teams and give business owners peace of mind out-of-hours. Luckily for organizations, the emergence of the Internet of Things (IoT) technology, mobile connectivity, apps, and cloud technologies has radically changed the security landscape and made it easier than ever to set up multi-room and on-premise systems. The possibilities are endless: cloud or local feed storage, customizable or automatic alerts and alarms, smartphones and tablet connectivity, wired or wireless, battery-powered or mains options, video capture, night vision, audio feeds of varying quality, and the ability to check-in, in real-time, are all on offer and can be tailored depending on the requirements of your business.  To make navigating the variety of hardware and vendor ecosystems available to today’s company owners less of a challenge, we have assembled our top ten picks for businesses. 

Ring Stick Up Cam Solar

Best home security camera

Ring

Once the case, heavy-duty, wired surveillance systems were the only options available to protect a business premise. Times have changed, and with the explosion in mobile solutions and the increased bandwidth offered by broadband and 4G/5G, there are mobile-friendly options for SMBs seeking a budget-conscious security option.  The benefit of the Ring camera range, including indoor, outdoor, stick-up, and floodlights, lies within its flexibility. Each camera can be connected to the same account and accessed via smartphone, alerting users to motion from all areas.  Of particular note are Stick Up Cams, which can be placed inside or outdoors and on flat surfaces or walls. Battery and wired options are available, as well as devices that come with a solar panel and backup battery pack. The Spotlight and Floodlight models, too, are of interest given their inbuilt security sirens.  As there are a variety of different cameras users can pick from, a mix-and-match set up to protect a premise is possible.ProsFlexible and quick setupsProfessional monitoring availableBolt-on ecosystem additions available, including outdoor camerasConsLong shipping timeMultiple camera costs are high

Google Nest Cam

Discreetly keep an eye out for intruders outside of hours

Nest

Google Nest cameras will be of interest to business owners already in the Nest ecosystem — including users of the Nest Thermostat, Nest CO2 alarms, as well as Nest X Yale Locks. The Nest Cam Indoor and Outdoor cameras are mobile options for on-premise security. They are best suited for budget-friendly users that need basic security measures in place. The cameras can record footage in 1080p HD, and when it comes to the outdoor version, this quality is maintained at night through infrared LEDs. You can pick up battery or wire-powered options. Both versions have inbuilt speakers and will alert users via their mobile devices if suspicious activity or visitors are detected by motion and noise sensors. Once the app has been installed, and an account has been set up, monitoring begins.  Subscriptions vary.ProsEasy setupMobile device monitoring and accessFlexible optionsConsExpensive for single cameras

Wyze Cam v3

Best budget security camera

Wyze

If you want to dip a toe into the world of IoT and intelligent home security devices, you may want to consider the Wyze Cam v3, one of the most affordable options on the market today.The Wyze Cam v3 is a $35 internet-connected camera offering 1080p recording, IP65 quality for indoor or outdoor use, a CMOS sensor designed to improve nighttime vision, a siren, and two-way communication.The camera can be part of a wider Wyze security ecosystem, including outdoor cameras, motion sensors, leak sensors, keypads, and entry monitors. ProsAdditional security products on offer to create a wider security networkSmall, compact designBudget-friendlyConsLimited cloud storage included unless subscribed

Arlo Pro 4

Wireless monitoring for the workplace

Arlo

Another option is the Arlo Pro 4. This slimline, business-ready option can be used either in or outdoors, being a weather-resistant model with a variety of mounting options that can detect both sound and motion. The Arlo Pro 4, available in black or white, can work as a day-to-day camera on the shop floor; a discreet camera placed outside to act as a night watchman, or as a part of a full network of cameras in a large workplace. A spotlight to improve low-light recording is included alongside object scanning and detection.Arlo’s camera is compatible with Amazon Alexa, Google Assistant, and Apple HomeKit. Users will receive real-time alerts whenever motion or sound is detected, and footage is captured in up to 2K HDR resolution. The vendor has also implemented Activity Zones which can be set to reduce unwanted or nuisance notifications.ProsSix months of battery lifeMagnetic mountsConsAn Arlo Secure subscription is required for premium features 

SimpliSafe security systems

Best for small homes and apartments

SimpliSafe

SimpliSafe is another worthy addition to our list and would suit users who need a flexible solution for smaller homes and apartments. SimpliSafe is a Wi-Fi-connected security solution backed by real-time monitoring in remote centers. While wired, in the case of a blackout, devices in the SimpliSafe range have backup batteries. The basic ‘Essentials’ package, starting at $219, includes a base station, keypad, three entry sensors, and one motion sensor. A free HD camera is also included in the bundle at the time of writing.Other packages and bolt-on options include panic buttons, freeze and water sensors, smoke detectors, and sirens. ProsNo drilling requiredStylish, discreet designConsExpensive 

What is the best home security camera?

The Ring Stick Up Cam Solar is the best home security camera, offering an exceptional product at an affordable price. We loved the easy setup, professional monitoring, and the entire range of Ring security products.

How did we choose these security cameras?

The requirements of home and business security cameras vary: the average consumer may lean toward an easy-to-install, budget-conscious product, whereas a company may be more inclined to invest in a more powerful alternative to protect valuable assets. In each case, we have considered as many aspects of a security system as possible, including recording capabilities, environmental use, and cost — both upfront and due to ongoing subscriptions.

Which is the right security camera for you?

When you are selecting your home security camera, you should consider the pain points at home or at your business location. What areas are the most important when it comes to monitoring? What assets do I need to protect? When might my home or premises be most vulnerable?If you’re working from home, for example, you might forgo constant video capture and a subscription, settling instead for clips and the ability to check-in while you’re away. However, if there is valuable stock in an office that is shut at night, you might pivot toward an option including night vision and constant video/audio feeds.Security cameraPricePower sourceVideoRing Stick Up Cam Solar$149Solar1080p HD, Live View, Night VisionGoogle Nest Cam$100Wired1080p HDWyze Cam v3$36Wired1080p HD, Live View, Color Night VisionArlo Pro 4$180Battery/Solar1080p, Color Night VisionSimpliSafe$270BatteryHD video with Night Vision

Is it necessary to subscribe to a monitoring service?

No, but technology services now — ranging from streaming to IoT — will not usually stop at hardware: revenue models are pivoting to subscriptions, too. If you want constant monitoring and footage to be stored beyond a specific period of time, you may need to sign up.

Will pets trigger alerts on a home security camera?

This was once a common problem with earlier forms of IoT and smart cameras, but vendors are constantly improving false-positive rates through improved object detection and the implementation of features such as ‘activity’ zones. 

Do I have to connect my camera to assistants like Amazon Alexa?

This bolt-on integration is usually added to make products more appealing and for the convenience for users, but you do not need to connect your home security system to anything else in your IoT ecosystem.

Are there alternative security cameras worth considering?

While our top picks have included a variety of functions and uses, the below are still worth consideration.

ZDNet Recommends More

Victims of ransomware attacks are paying higher ransoms than ever before, but there are signs that organisations are starting to take heed of cybersecurity advice, making them more resilient to cyber criminals. According to analysis by cybersecurity researchers at Sophos, the average ransom payment made by victims to choose to pay cyber criminals for a decryption key to restore their files and servers following a successful ransomware attack has increased to $812,260 – an almost five-fold increase compared with the 2020 average of $170,000. And the proportion of victims who pay ransoms of over $1 million has also risen substantially, up from 4% of ransom payments in 2020 to 11% in 2021 – meaning one in ten successful ransomware attacks is providing cyber criminals with a million dollar pay day. According to analysis by Sophos, just under half of ransomware victims pay the ransom, perceiving it to be the quickest way to restore the network – even though decryption keys provided by cyber criminals can’t be trusted and paying a ransom might just show that the victim is an easy target who could be extorted again. Ransomware attacks continue to be successful because cyber criminals can still exploit common cybersecurity vulnerabilities to enter networks and carry out campaigns. But while ransomware is still a major cybersecurity issue, there are signs that the situation could be about to get better.SEE: Cybersecurity: Let’s get tactical (ZDNet special report)”I’m a little optimistic for the first time in years about ransomware – I think we might be at the peak of our worst right now and I’m hoping we start to turn a corner,” Chester Wisniewski, principal research scientist at Sophos told ZDNet, citing how government bodies like the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) have stepped in in “a meaningful way” to provide accessible and useful advice on how to improve cybersecurity. “The advice they’re giving and the things they’re doing are actually helping – I don’t think enough organisations are listening to them yet, but at least the resources are accessible, approachable and usable, so it’s a good start,” he said In addition to this, cyber insurance providers are demanding better security preparations from companies before issuing policies, while Wisniewski says the US sanctions against Russia following its invasion of Ukraine has had an impact on American businesses which do not want to pay ransoms to cyber criminals who are often working out of that region. “We’re seeing it being a really serious motivator for American companies and insurance companies to not pay ransoms,” said Wisniewski But while there are some encouraging signs, it’s unlikely ransomware is going away anytime soon.  The reason ransomware is so lucrative for cyber criminals is because there are victims who pay the ransoms. And if there are organisations out there who are vulnerable to cyber attacks and are still willing to pay six-figure ransom demands, there’s always going to be ransomware groups trying to exploit this. “I don’t think you’re ever going to deter the hardcore ransomware groups because there’s too much money to be made when they’re getting multi-million dollar hits,” said Wisniewski. “Crooks aren’t going to walk away from that, even if it’s a one in twenty chance – it’s still a million dollars,” he added.  MORE ON CYBERSECURITY More

Bronze President has potentially shifted from Asia to focus on Russia as the invasion of Ukraine continues. Also known as Mustang Panda, TA416, or RedDelta, the Chinese cyberespionage group has been active since at least 2018 and has traditionally focused on gathering intelligence from NGOs, research institutes, and internet service providers (ISPs).

Ukraine Crisis

Past countries and regions on the hit list include Europe, Mongolia, Russia, Vietnam, and South Africa. According to Secureworks Counter Threat Unit (CTU), the group is either “sponsored or at the very least tolerated by the Chinese government” and “appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine.” Recent campaigns have primarily focused on Southeast Asia, with targets infiltrated for “political and economic” data theft and ongoing, long-term surveillance. However, CTU says that Bronze President has now pivoted to Russian speakers alongside European organizations. “This suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the People’s Republic of China (PRC),” the researchers say. Government-sponsored — or, perhaps, tolerated — cyberattackers are tasked with activities that will benefit their government somehow. This often includes intelligence-gathering, spying, and activities that improve situational awareness, especially in times of conflict. These activities don’t only include ‘enemies’ or ‘hostile’ states — it also extends to who a country considers an ally or friend. CTU suggests that the recent Bronze President shift could indicate “an attempt by China to deploy advanced malware to computer systems of Russian officials.”

ZDNet Recommends

The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Bronze President is suspected of targeting the Russian military. The team analyzed a malicious executable called “Blagoveshchensk – Blagoveshchensk Border Detachment.exe,” which was disguised with a .PDF icon and heavily obfuscated to hide a downloader for PlugX malware. (The city of Blagoveshchensk is close to the Chinese border and is home to part of the Russian military.)If executed, the file will display a decoy document (written in English, oddly), which describes the refugee situation and EU sanctions. In the background, a downloader grabs PlugX from a command-and-control (C2) server previously tied to campaigns in Europe. PlugX is a Remote Access Trojan (RAT) capable of file exfiltration, executing remote command shells, establishing a backdoor, and deploying additional malicious payloads. Bronze President has a wide range of tools, including Cobalt Strike, the China Chopper backdoor, RCSession, and ORat, at its disposal. In March, ESET said the group was taking advantage of the war to spread a new Korplug/PlugX RAT variant, dubbed Hodur, via Ukraine & Russia-themed phishing campaigns. In other cybersecurity news related to Russia and Ukraine, Aqua Security has been tracking the use of cloud repositories by those on both sides of the conflict. The researchers found that 40% of public repositories with descriptions or names linked to the invasion, including tools and guides, promoted denial-of-service (DoS) activities “aimed at disrupting the network traffic of online services.” See alsoHave a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More