More stories

  • Hackers are getting faster at exploiting zero day flaws. That's going to be a problem for everyone

    Hackers were much faster to exploit software bugs in 2021, with the average time to exploitation down from 42 days in 2020 to just 12 days. That marks a 71% decrease in ‘time to known exploitation’ or TTKE, according to security firm Rapid7’s new 2021 Vulnerability Intelligence Report. The main reason for the reduction in TTKE was a surge in widespread zero-day attacks, many of which were used by ransomware gangs, according to the company. As Rapid7 notes, 2021 was a grim year for defenders. It kicked off with the SolarWinds Orion supply chain attack, which was pinned on Russian state-sponsored hackers, and ended with the very different Apache Log4j flaw, which had no obvious main attacker but was spread across millions of IT systems. Google’s Threat Analysis Group (TAG) and Project Zero researchers have also observed an uptick in zero-day attacks, where attackers exploit a flaw before a vendor has released a patch for it.

    Rapid7 tracked 33 vulnerabilities disclosed in 2021 that it considered to be “widespread”, an additional 10 that were “exploited in the wild”, and seven more where a threat was “impending” because an exploit is available. The company recommends patching impending threats today. Rapid7’s list excludes browser flaws because they’re already well covered by Google Project Zero’s zero-day tracker. Instead, Rapid7 focuses on server-side software, meaning its dataset under-represents zero-day exploitation detected in 2021, it said. Rapid7 highlights several startling trends. For example, in 2021, 52% of widespread threats began with a zero-day exploit. What’s “unusual and wildly alarming” about this trend, it said, is that these attacks aren’t just highly targeted ones, as was the case in 2020. Instead, last year 85% of these exploits threatened many organizations rather than just a few.

    Rapid7 blames much of this trend on the proliferation of affiliates supporting the ransomware industry, which is now dominated by the ransomware-as-a-service model. Last year, 64% of the 33 widely exploited vulnerabilities were known to have been used by ransomware groups, it noted. Its 2021 “widespread” list includes enterprise software from SAP, Zyxel, SonicWall, Accellion, VMware, Microsoft Exchange (the ProxyLogon bugs), F5, GitLab, Pulse Connect, QNAP, ForgeRock, Microsoft Windows, Kaseya, SolarWinds, Atlassian, Zoho, Apache HTTP Server and, of course, Apache Log4j. These flaws affected firewalls, virtual private networks (VPNs), Microsoft’s email server, desktop operating system and cloud, a code sharing platform, remote IT management products, and more. Many of the bugs were exploited at a time when most people were still working remotely and relying on remote access and VPNs to connect to work. Rapid7 does, however, note a few bright spots in 2021, including the US Cybersecurity and Infrastructure Security Agency’s (CISA) frequently updated Known Exploited Vulnerabilities Catalog and its binding directive for federal agencies to patch flaws within a certain timeframe. The main reason the security industry can measure such a spike in zero-day attacks at all is that zero-day exploits are being detected and analyzed more quickly.

  • Using Russian tech? It's time to look at the risks again, says cybersecurity chief

    Organisations using Russian-linked software or products have been told to take time to consider the risk involved in using those technologies following Russia’s invasion of Ukraine. New guidance from the National Cyber Security Centre (NCSC) – part of GCHQ – says organisations in several key areas in particular should reconsider the risk of using Russian-controlled products as part of their network or supply chain because of the risk of potential cyber attacks. The NCSC said that Russian law already places legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. And while it said there was no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, the absence of evidence is not evidence of absence. “In our view, it would be prudent to plan for the possibility that this could happen,” said Ian Levy, technical director at the NCSC, in a blog post. “You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk,” said Levy. He added: “Whatever you choose, remember that cyber security, even in a time of global unrest, remains a balance of different risks. Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent.”

    The NCSC said organisations providing services to Ukraine, and organisations or individuals doing work that could be seen as being counter to the Russian state’s interests, making them retaliatory targets for cyber attacks, should reconsider their risk. Organisations involved in critical infrastructure, the public sector and high-profile organisations which, if compromised, could represent what the NCSC describes as a ‘PR win’ for Russia are also urged to think about the risks of using Russia-linked software and technology products. National security departments in government were advised against using cloud-enabled products where the supply chain included states like Russia in 2017, but following the invasion of Ukraine, others are being urged to consider the risks too. It’s not possible for the NCSC to provide custom guidance on managing risk for every business, but it’s urging organisations to err on the side of caution, particularly if they’re more likely to be a target of Russian cyber aggression because of the invasion of Ukraine. Organisations should also consider how they could protect their network if those services are abused. “This conflict has changed the world order, and the increased risk and uncertainty aren’t going away any time soon. However, the best thing to do is to make plans, ensure your systems are as resilient as practical and have good recovery plans,” said Levy.

    The NCSC also notes that any additional sanctions against Russia could mean that services are stopped at a moment’s notice, so organisations should examine how they would mitigate this. Russian state-backed hackers are accused of being the perpetrators of several major hacking campaigns, including the SolarWinds supply chain attack. In many instances, these attacks target the lowest-hanging fruit, abusing unpatched software, weak passwords and poor network management. Organisations are urged to apply security patches and use strong passwords to help protect networks from nation-state hackers – and other cyber criminals who use the same tactics. One of the most widely used forms of Russian-owned software is Kaspersky antivirus. According to the NCSC, individual users are highly unlikely to be targeted by any potential cyber attacks which look to abuse the software, meaning that “it’s safe to turn on and use at the moment,” according to Levy. Nonetheless, it warned that if Kaspersky were to be subject to sanctions and the antivirus software stopped receiving updates, users may need to switch to another provider. The NCSC will continue to evaluate the potential risk of cyber attacks by Russia – and other hostile groups – which could target the UK. The NCSC has previously issued guidance on what organisations can do to help protect their networks from cyber attacks which might occur as a result of Russia’s invasion of Ukraine.

  • Transparent Tribe APT returns to strike India's government and military

    The Transparent Tribe hacking group is back with a new malware arsenal and a victim list that includes India’s government and military. Active since at least 2013, the advanced persistent threat (APT) group operates in at least 30 countries. However, the APT tends to focus on India and Afghanistan – the exception being attacks recorded against human rights activists in Pakistan. Transparent Tribe, suspected of being of Pakistani origin, is also tracked by cybersecurity researchers under the labels PROJECTM, APT36, and Mythic Leopard. In 2020, Kaspersky found that the APT was the architect of ongoing cyberattacks against government and military personnel. Malware including Trojans, backdoors, and a propagation tool called USBWorm that quietly copied malicious code to removable drives was used at the time. Cisco Talos has now provided an update on Transparent Tribe activities. On Tuesday, cybersecurity researchers Asheer Malhotra, Justin Thattil, and Kendall McKay said in a blog post that a campaign, ongoing since at least June 2021, has chosen Indian government and military bodies as targets.

    Transparent Tribe uses phishing to deliver maldocs and malicious web domains to push its malware, which is primarily Windows-based. The fake websites used to deliver payloads mimic government and defense organizations and serve visitors downloader executables, packaged to appear to be friendly software, .PDFs, or image files. While past themes have included topics such as COVID-19, the APT moves with the times and adapts to different trends. The latest samples, deployed in 2022, include a fake version of Kavach, a multi-factor authentication (MFA) application. Talos says that the legitimate Kavach app is “widely used” by India’s military for accessing government resources. If a target executes the fake .NET executable, upon installation, a legitimate version of the app is installed — alongside a malware dropper. The second version of this infection vector might raise suspicion, though, as the full MSI installer for Kavach is pulled — as a 141MB package. Malicious payloads, including the Remote Access Trojan (RAT) CrimsonRAT, are downloaded and executed. Since 2020, the .NET RAT has been considered the APT’s “malware of choice” and is capable of extensive data theft and surveillance. However, Talos notes that Transparent Tribe continues to “incorporate new bespoke malware, indicating the actors are actively diversifying their portfolio to compromise even more victims.” Among the group’s current toolset are the long-standing ObliqueRAT malware, a new Python-based stager for deploying .NET-based spyware and other Trojans, and a new .NET implant for executing arbitrary code.

    The new additions are “quickly deployable” malicious tools and RATs, Talos says. When the smaller payloads are used, the threat actors appear to accept their more limited capabilities as a trade-off compared to CrimsonRAT and ObliqueRAT. In addition, Transparent Tribe has not ignored mobile technologies in its quest for fresh victims. One tool, CapraRAT, is in constant development and has one goal: the theft of data from handsets. “This campaign furthers this targeting and their central goal of establishing long-term access for espionage,” the researchers say. “The use of multiple types of delivery vehicles and file formats indicates that the group is aggressively trying to infect their targets with their implants such as CrimsonRAT. Although not very sophisticated, this is an extremely motivated and persistent adversary that constantly evolves tactics to infect their targets.”

  • Ukraine destroys five bot farms that were spreading 'panic' among citizens

    The Security Service of Ukraine (SBU) has destroyed five “enemy” bot farms engaged in activities to frighten Ukrainian citizens. In a March 28 release, the SBU said that the bot farms had an overall capacity of at least 100,000 accounts spreading misinformation and fake news surrounding Russia’s invasion of Ukraine, which started on February 24 and has now lasted over a month. According to the security service, the bot farms have “tried to inspire panic among Ukrainian citizens and destabilize the socio-political situation in various regions.” The SBU has accused Russia of operating the farms to conduct “large-scale information sabotage.” The farms were found in areas including Kharkiv, Cherkasy, Ternopil and Zakarpattia. The bots used social media accounts to spread “distorted news” and propaganda related to the invasion. SBU investigators raided several bot farms and seized items including over 100 GSM gateway devices, close to 10,000 SIM cards, laptops, and other computing equipment. Photos shared by the Ukrainian agency also appear to show the seizure of mobile phones, USB drives, and weaponry.

    However, investigators have not mentioned any arrests. Ukrinform reports that the country has launched a new fact-check bot, “Perevirka,” that citizens can use to identify fake online content. Ukraine has faced a barrage of cybersecurity incidents and breaches since the beginning of 2022, before the war began. This week, infrastructure belonging to the Ukrainian internet service provider (ISP) Ukrtelecom was the target of a cyberattack. For a time, connectivity collapsed to 13% of pre-invasion levels, but Ukrainian officials say the attack has since been “neutralized.”

  • Log4Shell exploited to infect VMware Horizon servers with backdoors, crypto miners

    The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers. On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. Not only are backdoors and cryptocurrency miners being deployed, but scripts are also used to gather and steal device information. Log4Shell is a critical vulnerability in the Apache Log4j Java logging library. The unauthenticated remote code execution (RCE) vulnerability was made public in December 2021 and is tracked as CVE-2021-44228 with a CVSS score of 10.0. Researchers have warned that exploitation of Log4Shell is likely to continue for years, especially considering how simple the bug is to exploit. Microsoft previously detected Log4Shell attacks conducted by state-sponsored cybercriminals, but most appear to focus on cryptocurrency mining, ransomware, and bot activities. A patch was released in December 2021, but as is often the case with internet-facing servers, many systems have not been updated. According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. The attackers behind the campaign are leveraging the bug to obtain access to vulnerable servers. Once they have infiltrated the system, Atera agent or Splashtop Streamer, two legitimate remote monitoring software packages, may be installed, with their purpose twisted into becoming backdoor surveillance tools. The other backdoor detected by Sophos is Sliver, an open source offensive security implant released for use by pen testers and red teams. Sophos says that four miners are linked to this wave of attacks: z0Miner, JavaX miner, Jin, and Mimu, which mine for Monero (XMR). Previously, Trend Micro found z0Miner operators were exploiting the Atlassian Confluence RCE (CVE-2021-26084) for cryptojacking attacks.

    A PowerShell URL connected to both campaigns suggests there may also be a link, although that is uncertain. “While z0Miner, JavaX, and some other payloads were downloaded directly by the web shells used for initial compromise, the Jin bots were tied to the use of Sliver, and used the same wallets as Mimo — suggesting these three malware [strains] were used by the same actor,” the researchers say. In addition, the researchers uncovered evidence of reverse shell deployment designed to collect device and backup information. “Log4J is installed in hundreds of software products and many organizations may be unaware of the vulnerability lurking within their infrastructure, particularly in commercial, open-source or custom software that doesn’t have regular security support,” commented Sean Gallagher, Sophos senior security researcher. “And while patching is vital, it won’t be enough if attackers have already been able to install a web shell or backdoor in the network.”

  • Australian Budget 2022 delivers AU$9.9 billion for spicy cyber

    The federal government has released its 2022-23 federal Budget, containing a AU$9.9 billion kitty for bolstering cybersecurity and intelligence capabilities in the midst of a growing cyberthreat landscape around the world. The near-AU$10 billion will be spent across a decade under a program called Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers (REDSPICE). “This is the biggest ever investment in Australia’s cyber preparedness,” said Treasurer Josh Frydenberg, who announced the Budget on Tuesday night. Looking at how the federal government envisions the AU$9.9 billion will be spent, the Australian Signals Directorate (ASD) will be the biggest recipient of these funds. Over the next four years, the ASD will receive AU$4.2 billion to double its employee head count — amounting to 1,900 new jobs — triple its offensive cyber capabilities, double its cyber hunt and response activities, and preserve its ability to deliver a “strategic advantage”. “The package will help ASD to keep pace with the rapid growth of cyber capabilities of potential adversaries, as well as being able to counter attack and protect our most critical systems,” according to Budget documents. REDSPICE will also provide funding for Australian industry and support new employment pathways through partnerships with educational institutions, particularly in the areas of data science and analysis, artificial intelligence, cybersecurity, and IT engineering.

    Prior to the federal government’s announcement of the AU$9 billion cybersecurity package, the Coalition had already conveyed a firm posture on ramping up cybersecurity. On Monday, Prime Minister Scott Morrison announced a new cyber and critical technology centre that would be set up within the Office of National Intelligence. “The multi-agency centre will ensure Australia, working with our allies, can better anticipate and capitalise on emerging technologies,” said Morrison, who spoke at an event commemorating the ANZUS Alliance’s 70th anniversary. “With challenging and changing geopolitical realities — where technological advantage for our intelligence agencies is more important than ever — Australia is, as always, stepping up to do more. We look to, but we never leave it to the United States.” Morrison on Friday called on organisations to prioritise trust over costs and efficiency when it comes to data security. “I tell you particularly in a more troubled world, especially from a data security point of view, supply chains are frankly more about trust now than they even are about efficiency or cost,” the Prime Minister said at the opening of Macquarie Telecom’s new AU$85 million data centre in Sydney. Days prior to that, Home Affairs Minister Karen Andrews launched an Australian Federal Police-led (AFP) cybercrime centre to bolster the country’s cybercrime fighting efforts, which cost AU$89 million. While the AU$9 billion figure packs a punch, the federal government has not provided details of how it will assess the effectiveness of these newly announced cyber efforts. Just two years ago, the Coalition handed down its 2020 Cyber Security Strategy along with AU$1.35 billion to Australia’s security agencies for the program called the Cyber Enhanced Situational Awareness and Response (CESAR) package. Since CESAR’s rollout, however, there have been limited updates regarding the effectiveness of the program in stopping cyberthreats.

    More funding for Australia’s digital economy strategy

    The federal government has also introduced an incentive for small businesses, companies with less than AU$50 million in turnover, to up their technology investment. The incentive will allow small businesses to deduct an additional 20% of the cost incurred on business expenses and depreciating assets that support their digital adoption, such as portable payment devices, cybersecurity systems, or subscriptions to cloud-based services. “From tonight, every AU$100 these small businesses spend on digital technologies like cloud computing, eInvoicing, cyber security, and web design will see them get a AU$120 tax deduction. Investments of up to $100,000 per year will be supported by this new measure,” Frydenberg said. This year’s federal Budget also sees more funding put towards Australia’s Digital Economy Strategy, which received AU$1 billion in last year’s Budget, with another AU$130 million over four years to be allocated. Of that new amount, AU$38.4 million will be used to implement further Consumer Data Right measures, while AU$30.2 million will be spent on a fourth cyber hub within the Australian Taxation Office, AU$18.6 million will be put towards shaping global critical and emerging technology standards, and AU$13.6 million will be used for continuing the digitalisation of the transport sector.

    STEM development receives over AU$45 million

    Outside of cyber, the federal government has pledged AU$45.4 million over five years to support STEM development in Australia. This consists of AU$33.4 million to the National Measurement Institute to deliver essential measurement standards and services that underpin business continuity and international trade, and AU$5.3 million to improve the National Science and Technology Council’s provision of science and technology advice to the federal government. In addition, AU$6.7 million of the STEM package will be used to extend support for the Women in STEM Ambassador and Superstars of STEM initiatives, which are both focused on raising the profile of Australian women in STEM. Continuing the women in STEM focus, the federal Budget has also allocated a separate AU$3.9 million over two years to support women shifting into digitally skilled roles. In partnership with industry, this initiative will provide mentoring and coaching to facilitate a mid-career transition into the ‘tech workforce’. The new STEM funding comes after the federal government on Monday announced it had made good on one of its commitments from last year’s Budget, delivering AU$10.7 million for digital cadetships — 10 months after the cadetship initiative was announced.

    Rocket man gets more fuel

    Australia’s space sector also saw a big injection in this year’s Budget, with the federal government allocating AU$1.3 billion, AU$38.8 million per year, to grow the sector. The majority of those funds, AU$1.2 billion, will be used to establish a National Space Mission for Earth Observation to secure access to key earth observation data streams, build Australia’s sovereign capability, and enter agreements with international partners, including for the procurement and operation of Australian Satellite Cross-Calibration Radiometer satellites. The remaining amounts will be put towards setting the conditions for rocket launches from Australia, fast-tracking the launch of space assets, and planning and streamlining future space plans. The move builds on the federal government’s “mission to triple the size of the sector and create up to 20,000 new jobs by 2030”, a goal that was set out under the Australian Civil Space Strategy.

    Improving regional connectivity with another AU$1.3 billion

    Another big-ticket tech item in this year’s Budget is the AU$1.3 billion, to be allocated over six years, for improving regional telecommunications, including through providing greater mobile coverage and targeted solutions to address issues such as mobile congestion. The funding was provided as part of the government’s response to the Regional Telecommunications Review, which found NBN upgrades will widen the digital divide between rural and urban areas. Chief among the list of things that are part of the networking kitty is almost AU$815 million over five years to expand the mobile black spot, regional connectivity, and mobile network hardening programs. Meanwhile, AU$480 million of the AU$1.3 billion has been provided to the company responsible for running the NBN to upgrade its fixed wireless and satellite networks to improve services in regional, remote, and peri-urban Australia. The remaining amount will be used by Australia’s consumer watchdog to review mobile tower access fees.

    The rest of the tech

    Addressing the floods across Australia’s eastern coast, the federal government announced it will implement a new cell broadcast messaging system, in collaboration with the state and territory governments, to ensure critical information can be provided to the Australian public concerning significant emergencies. The amount allocated to this new system was not disclosed. In terms of upping Australia’s privacy capabilities, AU$17 million over two years will be provided to support the Office of the Australian Information Commissioner in undertaking its privacy and regulatory functions, including in relation to social media and other online platforms. The information commissioner has been calling for more funding for years, having said during Senate Estimates earlier this year that it has been developing an increasing backlog of privacy complaints. For Australia’s eSafety agency, the federal government will invest AU$31.6 million over the next five years towards online safety initiatives as part of its new national plan to end violence against women and children. This includes over AU$27 million for the eSafety Commissioner to expand her office’s capabilities, which includes supporting victim‑survivors of technology-facilitated abuse. This funding was recommended by the parliamentary committee that ran Australia’s social media probe, which found social media companies were not doing enough to reduce online harm.

    The federal government has also provided an additional AU$96.8 million over four years for system upgrades to Australia’s health system. According to Budget documents, the upgrades will look to reduce manual processing and improve claim timeframes for patients and medical providers for Medicare services, the Pharmaceutical Benefits Scheme, and other health-related payments. Australia’s flagship digital health initiative, My Health Record, also received more funding in this year’s Budget to the tune of AU$23.8 million over four years. This amount will be used to improve linkages with My Health Record, provide additional funding to accredited practices for their provision of temporary telehealth services during the COVID-19 pandemic, and enable communities affected by natural disasters to access continued healthcare services via telehealth. At the end of last year, the federal government pledged over AU$100 million to make telehealth a permanent fixture within the country’s healthcare system. According to Budget documents, the federal government is also set to digitalise trust and beneficiary income reporting and processing as of mid-2024, which it said would give all trust tax return filers the option to lodge income tax returns electronically, increasing pre-filling and automating ATO assurance processes. Continuing with the ATO, the government has committed AU$6.6 million over the forward estimates period for the development of IT infrastructure required to allow the ATO to share single touch payroll data with state and territory Revenue Offices on an ongoing basis. The ATO’s patent box initiative, announced in last year’s Budget, has also received approval from the federal government to be expanded. As part of the expansion, the federal government will provide concessional tax treatment for corporate taxpayers who commercialise their eligible patents linked to approved agricultural and veterinary chemical products. “This measure is estimated to decrease receipts by AU$10 million, and increase payments by $13.4 million over the forward estimates period,” Budget documents say. Funding for the three ATO initiatives has already been provided by the federal government. For the ABS, AU$19.9 million over four years has been provided for the development of a new reporting application to enable businesses to submit surveys on business indicators directly through their accounting software. The Budget comes with the federal election looming in May, with the election for both houses set to be held by May 21 at the latest.

    Updated at 9:11am, 30 March 2022 AEST: clarified that the 1,900 new jobs from the REDSPICE program are part of the ASD doubling its headcount.

  • EU and US confirm new transatlantic data flow agreement on the way

    The European Commission and the United States announced a new Trans-Atlantic Data Privacy Framework over the weekend, signalling that clarification may be on the way regarding what data flows are allowed after a European court struck down the EU-US Privacy Shield one and a half years ago. The Privacy Shield agreement had set the terms for transatlantic transfers of personal data. The agreement was struck down, however, after the European Court of Justice found US laws did not offer enough data protection safeguards to meet European standards, leading to legal uncertainty regarding what data flows are allowed. The legal uncertainty led to European regulators, in recent months, issuing orders against flows of personal data that passed through products such as Google Analytics. Meta, meanwhile, “threatened” to pull its services out of Europe if governments could not come to an agreement on a new EU-US transatlantic data transfer framework. The company eventually backpedalled from its comments, but it remained staunch in calling for a new framework to be established. According to a White House fact sheet, the new Trans-Atlantic Data Privacy Framework will see the US government implement reforms to better protect the personal data of EU citizens, such as allowing these citizens to seek redress at a newly created, independent Data Protection Review Court that will have “full authority” to adjudicate claims and direct remedial measures as needed. The US government will also ensure signals intelligence collection may only be undertaken where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties under the framework.

    “The new framework marks an unprecedented commitment on the US side to implement reforms that will strengthen the privacy and civil liberties protections applicable to US signals intelligence activities,” the European Commission and US government said in a joint statement. With the US committing to these reforms, among others that have yet to be publicly detailed, citizens and companies on both sides of the Atlantic will be able to continue their existing data flows between the EU and US, which companies like Google have already lauded. “We look forward to certifying our processes under the Trans-Atlantic Data Privacy Framework at the first opportunity. For Google, these (and similar) standards serve as a floor, not a ceiling, for the protections we offer our users and customers,” Google VP of public policy Karan Bhatia said. Max Schrems, the privacy lawyer who brought the lawsuit that culminated in the Privacy Shield agreement being canned, was sceptical of the new framework, with its details yet to be released. “Seems we do another Privacy Shield especially in one respect: Politics over law and fundamental rights,” Schrems said. “This failed twice before. What we heard is another ‘patchwork’ approach but no substantial reform on the US side. Let’s wait for a text but my [first] bet is it will fail again.”

  • Microsoft is adding a new driver-blocklist feature to Windows Defender on Windows 10 and 11

    Microsoft is adding a new Vulnerable Driver Blocklist feature to Windows Defender on Windows 10, Windows 11, and Windows Server 2016 or newer releases. This feature is aimed at helping IT Pros to protect users against malicious and exploitable drivers.

    Microsoft Vice President of OS Security and Enterprise David Weston tweeted about the new Windows security option on March 27. The feature will be enabled by default on Windows 10 in S Mode, as well as on devices that have the Memory Integrity Core Isolation feature, which relies on virtualization-based security. (This Core Isolation Memory Integrity feature is also known as Hypervisor-protected Code Integrity or HVCI.) More details are available in Microsoft’s article about recommended driver block rules. The blocking feature will rely on a list of blocked drivers maintained by Microsoft in conjunction with OEM partners. As explained on ghacks.net, drivers may be marked as blocked because they have known security vulnerabilities that can be exploited to elevate Windows kernel privileges, because they act as malware or were signed with certificates used to sign malware, or because they exhibit behaviors that circumvent the Windows Security Model and can be used to elevate Windows kernel privileges. I’ve asked Microsoft whether this new driver-blocking feature will be available on all versions of Windows 10 and 11 and when it will be fully deployed. No word back so far.

    In other security-related news, Microsoft announced plans for a new U.S. Government cloud environment — Office 365 Government Secret — on March 28. Currently in government review, this new Secret cloud is designed for the U.S. Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and U.S. Government partners working within Secret environments with Microsoft’s Software as a Service (SaaS) capabilities for all data classifications. The Office 365 Government Secret cloud environment is built on Microsoft’s Azure Government classified environments.