We’re excited to welcome more than 400 members of the security research community from around the world to Redmond, Washington for BlueHat 2023. Hosted by the Microsoft Security Response Center (MSRC), BlueHat is where the security research community, and Microsoft security professionals, come together as peers to connect, share, learn, and exchange ideas in the …
  BlueHat 2023: Connecting the security research community with Microsoft Read More »

We’re excited to welcome more than 400 members of the security research community from around the world to Redmond, Washington for BlueHat 2023. Hosted by the Microsoft Security Response Center (MSRC), BlueHat is where the security research community, and Microsoft security professionals, come together as peers to connect, share, learn, and exchange ideas in the interest of creating a safer and more secure world for all.

The two-day conference builds connections, provides learning opportunities, and strengthens trust between the security researcher community, customers, and partners. BlueHat also showcases thought leadership in the research and vulnerability discovery and mitigation space and provides insight to both internal Microsoft and external audiences on current and emerging security threats and techniques. BlueHat attendees will have the opportunity to listen to our incredible keynote speakers Charlie Bell (Executive Vice President, Microsoft Security Division), Mark Russinovich (Azure CTO and Technical Fellow, Microsoft), and and MSRC leader Aanchal Gupta (Deputy CISO and CVP Engineering, Microsoft). Conference-goers will also listen to 27 security thought leaders discuss a wide range of security topics, including AI/Machine learning based security, advanced hardware security, researching and securing your infrastructure, and more. In addition to the speaker sessions, BlueHat will also host a series of lightning talks from a group of up-and-coming security professionals from Microsoft, Grammarly, Tiktok, Intuit, and Meta. The lightning talks will feature actionable information from security pros about the top threats and concerns companies and organizations are facing today.

In addition to the keynotes, speaker sessions, and lightning talks, BlueHat attendees, hailing from 26 countries and representing 184 companies or organizations, will connect—and reconnect—with the security research community from around the world, building their personal and professional relationships, while gaining valuable insight into ideas that will create a safer and more secure world for all. Opportunities for networking and connecting include the 8 BlueHat Villages, such as the Post-Quantum Village, Cyber Training Village, AI/ML Village, and more.

We’re so excited to host the first in-person BlueHat conference since 2019. Follow MSFTBlueHat on Twitter for updates and announcements, and use #BlueHat to join the conversation. At the conclusion of BlueHat 2023, we’ll share recordings of the keynote talks and speaker sessions.

**Conference sessions**

**Wednesday, February 8th**

**Keynote    
Charlie Bell,** Executive Vice President, Microsoft Security Division and **Aanchal Gupta**, Deputy CISO and CVP Engineering, Microsoft (Twitter)

**Stronger Together: Celebrating the Microsoft Research Community**  
Speakers: **Dr. Abhilasha Bhargav-Spantzel** – Partner Security Architect (Twitter); **Dr. Andre Alfred** – Partner Director, Azure Security; **David Weston** – Vice President, Enterprise and OS Security (Twitter); **Cristin Goodwin** – General Manager and Associate General Counsel (Twitter), moderated by **Stephanie Calabrese**, Principal PM Manager (Twitter)

**MSTIC Ghost Stories**: **A Threat Intelligence Year in Review**  
Speakers: Eunsil Han (Twitter), Emily Hacker (Twitter | LinkedIn), Terri Forslof, Microsoft (Twitter | LinkedIn)  
Abstract: The Microsoft Threat Intelligence Center (MSTIC) discovers, tracks and disrupts the world’s most impactful and well-resourced threats, from state-aligned actors to financially motivated criminals, on a daily basis. As part of this mission, MSTIC works across Microsoft’s security signals gaining firsthand insight into the technical methods and capabilities of threat actors. The intelligence produced by MSTIC is infused into everything Microsoft does, from security products to generic product roadmaps, and BlueHat is no different.   

In a rare opportunity, BlueHat attendees have a chance to hear an entertaining and educational account from MSTIC about its most significant observations from 2022. The talk will look back over the last year of technical threat data, spanning global threat actors of various motivations, to deliver regional trends, insights, and never before heard investigation stories from our work defending customers. The observations delivered in this talk ultimately seek to inform the future, empowering global people and organizations to achieve more, and do so securely. Examples covered in this presentation include:  

*   Overview of multiple trends observed being used by China over the past year 
*   DEV-0228 Leveraging supply chain relationships to target shipping companies in Israel  
*   An onslaught of intrusion activity in Ukraine from STRONTIUM and IRIDIUM leading to espionage, cyber-enabled influence operations, and destructive attacks   
*   Notable trends/activities associated with multiple North Korean groups including ZINC 

**0-Day firmWarez**  
Speaker: Nate Warfield, Eclypsium (Twitter | LinkedIn)  
Abstract: Firmware is the foundation of modern computing. It’s the first code executed when your computer boots, it manages your hardware, runs critical infrastructure, controls systems in nearly every part of our lives, and exists in most electronics sold today. It’s also one of the most vulnerable, poorly maintained, and infrequently patched components of technology.

In this talk, we will discuss recent high-profile firmware vulnerabilities and attacks, including a series of vulnerabilities found in MegaRAC Baseboard Management Controller (BMC) software which powers millions of servers worldwide. We will explore the remote attack surface, the risk due to firmware’s position on devices, and the defensive weaknesses attackers are abusing. In addition to server firmware, we will also cover networking hardware and IoT device risks and threats.

In the second half of the talk, we will showcase open-source tools organizations can utilize to analyze device firmware, identify unpatched vulnerabilities, weak security controls, and find hard-coded credentials. The goal of this portion is not building exploits, but rather empowering organizations to better understand the risk posed by the firmware on their connected systems. These tools don’t require significant skill or time to use and provide valuable information on devices whose security posture is poorly documented, if at all.

Attendees will better understand how to threat model their environments and what additional steps may be required to secure their infrastructure. They will also gain insight into what real world attacks look like, to better defend against them and recognize them should they occur.

**Advanced Hardware Hacking  
**Speaker: Sick Codes (Twitter | LinkedIn)  
Abstract: Modern techniques to find vulnerabilities in modern hardware: this talk will show you techniques, tools, and concepts to assess most devices, especially those which are worth hacking. Sick Codes will bring you up to speed on exact methods to hack brand new smart TVs, watches, tractors, cars, game consoles, and more. Be able to identify and hack any new hardware.

**High Risk Users and Where to Find Them  
**Speaker: Masha Sedova, Elevate Security (Twitter | LinkedIn)  
Abstract: What if you could predict and ultimately prevent most incidents in your organization? 82% of all attacks originate from human fallibility, but an effective risk management approach is impossible without the ability to pinpoint our riskiest users. Research findings from a 300k-employee data set spanning 8 years reveal trends in our most vulnerable populations. We’ll share how 8% of the workforce is responsible for the majority of incidents and dive into what makes workers high-risk, where those high-risk users spend their time, what are their riskiest behaviors, and what that might mean for your organization’s security. From there the talk will explore how security professionals can effectively measure user risk in their own organizations and action on these findings to strengthen their cyber defense. By applying the different stages of user-risk management, from feedback to tailored safeguards & access, learn how to keep your workforce safe and business productive.

**Thursday, February 9th**

**Keynote    
**Mark Russinovich**,** Azure CTO and Technical Fellow, Microsoft (Twitter) with opening remarks by ****Aanchal Gupta**,** Deputy CISO and CVP Engineering, Microsoft (Twitter)

**Hunting Qakbot**  
Speakers: Dan Taylor (LinkedIn) & Ben Magee (Twitter | LinkedIn)  
Abstract: When it comes to attack surfaces, there are few quite as large as that of NHS England’s Microsoft Defender for Endpoint estate. With close to 1.7 million endpoints enrolled in a tenant spanning thousands of separate organizations across the healthcare service, it presents a uniquely challenging environment to protect – one where cyber incidents can have very real, human consequences.​  
How then do we go about defending an IT estate as large and complex as this one?​  
​  
It’s a challenge that couldn’t be better illustrated than with the perpetual battle against Qakbot. With delivery mechanisms and TTPs that shift week to week, a repertoire ranging from access-for-sale to the deployment of ransomware and no scruples about targeting healthcare organizationsfrom its operators, Qakbot truly is a formidable adversary.​  
​  
In this talk we walk through:​  
• A brief overview of the NHS and the role NHS Digital CSOC plays in its defence​  
• The scale of the challenges facing security teams tasked with securing the NHS against the likes of Qakbot, and why common malware poses such an acute threat​  
• The critical role threat hunting (and intelligence) plays in that defence, with technical breakdowns of Qakbot TTPs, the methods we use to stay ahead of them, and the key advantages afforded by Microsoft Defender for Endpoint​  
• Examples of the mistakes, successes, close calls, and critical lessons learned in the interminable battle against Qakbot and its contemporaries

**Houdini of the Terminal**  
Speaker: David Leadbeater, G-Research (Twitter | LinkedIn)  
Abstract: Text based terminals have used escape sequences in some form since at least the 1970s. Windows has for a long time had fairly limited support for them, using a different method to perform out of band messaging. As a result of the support added for Windows Subsystem for Linux (WSL), Windows gained support for common terminal escape sequences and now they are the preferred method for formatting and related functions.

Just like XSS, if an escape sequence ends up being sent unsanitized to a terminal it can be used to do unexpected things. This can range from changing formatting outside of the area where the text should have been inserted or if the terminal has a vulnerability anything from a DoS to remote code execution.

This risk has existed in Unix terminals for many years, for example 20 years ago it was discovered a terminal’s title can be read back and in some cases that can result in code execution. Terminals now disable this by default or do not implement it.

We will explore over 20 years of terminal vulnerabilities, from attacks via Apache’s log files to attacking via Kubernetes.

Our research found several severe bugs in common terminals and we have used them to perform a chained exploit from low privileges on a Kubernetes cluster to obtaining RCE on an administrator’s machine. This builds on the research done by CyberArk in early 2022, which found the original kubectl bug (CVE-2021-25743).

Along the way we’ll discuss some other bugs we found in both Windows and Unix utilities and how to achieve some level of defense-in-depth against this kind of threat.

**Through the Eyes of a Guest**  
Speaker: Callum Carney (Twitter)  
Abstract: This talk will walk you through months of external research into how identities were incorrectly handled within Microsoft internal systems, from uncovering an unusual way to gain access to a privileged Azure AD tenant, to navigating multiple systems with unrestricted access to customer data and confidential information, all the way through to trying to create enough noise to raise awareness and working with MSRC to fix the issue.

**Catch Me If You Can in the Eyes of Authorization  
**Speakers: Cameron Vincent (Twitter) & Sean Hinchee, Microsoft  
Abstract: Ever wonder how one of the top participants in the Microsoft bug bounty program was finding security issues across Azure for many years?  Or what about the other side? Ever wonder what the perspective was like from a MSRC security engineer working on these submissions and finding a more holistic approach towards them? In this talk you are going to get the best of both worlds. Not only will you hear about the offensive side from a former full time bug bounty hunter, but you’ll also get to hear from a MSRC engineer that was dealing with these submissions firsthand. The specific type of issues that will be discussed in this talk are going to be AuthZ/Authorization related issues. This is an extremely common area where many services and companies have been failing. In this talk Cameron Vincent is going to go over how he was hunting across Microsoft and other services for these types of issues. He will discuss some examples and techniques that were used when hunting for specific AuthZ/Authorization issues for many years. Sean Hinchee is then going to talk about what the defensive side was like. He will then dive deep into some open-source tools that he developed to help try and catch these types of authorization issues at a more automated scale.

BlueHat 2023: Connecting the security research community with Microsoft

Cryptocurrency drainers are the latest hot ticket being used in a string of lucrative cyberattacks aimed at virtual currency investors.

There's a trendy new way to con cryptocurrency investors out of the contents of their wallets, no blockchain know-how required.

Threat actors are selling ready-made, spoofed crypto webpages to be served up as phishing lures, loaded with "crypto drainer" scripts that crack wallets and steal the balances in a snap.

In one instance, on a "top-tier Dark Web forum," according to researchers at Recorded Future, cybercrime group iSeeYou was offering a ready-to-use phishing page that when made live, purports to mint nonfungible tokens (NFTs). Instead, it deploys a crypto drainer that empties an unsuspecting victim's connected virtual currency wallet. And adding insult to injury, "once crypto wallets are compromised, no safeguards exist to prevent the theft of crypto assets," the researchers warned.

The gambit is easy to fall for: The phishing lures are certainly convincing, according to the researchers, who added that they convincingly spoof a range of entities, including cryptocurrency exchanges and NFT outlets. The lures often boost their credibility, as was the case in the the iSeeYou campaign, by including access to commonly used third-party services and extensions in the cryptocurrency space, the team said, such as MetaMask. 

"The use of legitimate services on crypto drainer phishing pages may increase the likelihood that the phishing page will pass an otherwise savvy user’s 'scam litmus test,'" according to the report.

The crypto drainer scams were observed in 2022, and Recorded Future raised the alarm in a report this week that they are becoming increasingly popular — so popular, in fact, that Recorded Future recently found 100 phishing pages lurking in the wild, loaded with crypto drainer malware.

"We have observed that Dark Web threat actors are highly interested in this tool," Ilya Volovik, threat intelligence analyst at Recorded Future, tells Dark Reading.

The interest is largely because the scripts are easy to deploy and cheap to acquire (the firm said crypto drainers can cost anywhere from $300 to $500). Sometimes they're even free, as was the case with iSeeYou — but there was a double-crossing catch in that case. 

"Remarkably, the threat actor who posted this crypto drainer phishing template did not charge other threat actors who wished to make use of their tool," Volovik explains. "Unremarkably, this was no act of charity — the crypto drainer was likely designed to defraud other cybercriminals of a portion of their illicit earnings."

In the right social engineering hands, crypto drainers are a potent threat, according to Volovik, who adds that they're helping to usher in a new business model for phishers.

"Designing crypto drainers requires coding skills that phishing specialists may lack," Volovik says. "As a result, many cybercriminals develop crypto drainers to sell or rent out as components in ready-to-go phishing packages; this is likely part of a greater trend toward phishing-as-a-service (PhaaS)." And that, he warns, means that advanced phishing campaigns can scale very quickly.

As cryptocurrency markets mature, it's up to individual services and platforms to keep crypto investors aware of the latest phishing expeditions. 

"Exchange platforms/crypto markets should probably provide education to their users about these crypto drainers and how cybercriminals use them," Volovik adds. "We want to educate the general populace to never send payments to unknown entities (a Nigerian prince or otherwise)."

**Cryptocurrency Cybercrime Is Booming**

Cryptocurrency investors continue to be a prime source of revenue for cybercriminals, with a record-breaking $3.8 billion stolen from crypto businesses in 2022 alone, according to new research from Chainalysis.

During the month of October, the biggest month ever for crypto cyberattacks according to the research firm, there were 32 separate cryptocurrency attacks, with losses totaling $775.7 million.

Much of the crypto cybercrime boom can be attributed to cyberattacks from North Korean state-backed actors, and the targets include crypto wallets, token protocols, decentralized finance (DeFi) protocols, and other centralized cryptocurrency services.

DeFi platforms are the loss leader, the report found, experiencing 82% of cryptocurrency theft for the year. These are platforms that allow cryptocurrency and government-backed fiat currency investors to make trades. Critically, DeFi platforms support a number of different cryptocurrencies like Bitcoin, Ethereum, Solana, and others, and operate outside of a traditional banking structure. Because DeFi platforms are built on the blockchain, an open source protocol, they present a unique opportunity for cybercriminals to get their hands on vast sums of money that would otherwise be protected by those traditional financial institutions.

The now-notorious FTX claimed it was the victim of a cyberattack in November, just hours after filing bankruptcy, which cost the DeFi platform $370 million on top of its already mounting losses. In September, DeFi platform Wintermute lost $160 million to a cyberattack it said was the result of a partner's bad code. And cybercrime group TA4563 was found using an Evilnum backdoor last July that allowed it to drain cryptocurrency out of DeFi platforms automatically.

**Cybersecurity for Cryptocurrency**

Erin Plante, Chainalysis' vice president of investigations, agrees with Volovik that defending cryptocurrency infrastructure, and investors, against cybercrime will require a commitment to user training, but she adds that the DeFi platforms and other crypto services need better in-house cybersecurity too.

"Cryptocurrency services should invest in security measures and training," Plante says. "For example, with North Korean-linked hackers in particular, sophisticated social engineering tactics that take advantage of the trusting and carelessness of human nature to gain access to corporate networks has long been a favored attack vector."

Moving forward, DeFi platforms should model cybersecurity efforts off the traditional finance system, the Chainalysis report advised, adding that robust code auditing practices, simulated attacks, monitoring for suspicious activity, and building in transaction fail-safes to slow down contract execution if suspicious activity is observed.

Crypto Drainers Are Ready to Ransack Investor Wallets

Despite growing awareness, organizations remain plagued with unpatched vulnerabilities and weaknesses in credential policies.

Weak credential policies and a lax approach to patching were among the most common points of IT security failure for organizations in 2022, while a failure to configure tools properly could leave organizations open to attack.

That's according to a recent study by cybersecurity firm Horizon3.ai, based on findings from approximately 7,000 penetration tests that evaluated approximately 1 million assets.

Of the Top 10 vulnerabilities Horizon3.ai detected in 2022, the use of weak or reused credentials topped the list, followed by weak or default credential checks in protocols (SSH and FTP) and threat actors using Dark Web credential dumps from Windows or Linux hosts.

Exploitation of critical vulnerabilities on CISA's list of Top 15 Routinely Exploited Vulnerabilities list, as well as the exploitation of critical VMware vulnerabilities, rounded out the top five.

Corey Sinclair, cyber-threat intelligence analyst for Horizon3.ai, explains that professionals are challenged by balancing the three factors of security, functionality, and usability. The requirements of the end user, usability and functionality, are often at odds with or contradictory to the best security practices.

"To ease our own burden, we as individuals tend to shy away from the difficult, and move to what's easy and convenient," he says. "This means having fewer or easier credential requirements."

Individuals thus tend to reuse credentials when they know they should have unique passwords for everything, and organizations fail to enforce stronger credential requirements or invest in a companywide password solution.

Sinclair adds that sometimes, companies simply don't know to go back and check to see if default credentials were changed when a new technology is brought online.

Security teams should be on notice: The successful combo of using stolen credentials and social engineering to breach networks is increasing the demand for infostealers on the Dark Web, according to Accenture's Cyber Threat Intelligence team (ACTI), which recently surveyed the infostealer malware landscape over 2022.

That report also warned that malicious actors are combining stolen credentials and social engineering to carry out high-profile breaches and leveraging multifactor authentication (MFA) fatigue attacks.

**Patching & Misconfigurations Are a Pain Point**

The survey also found that known critical vulnerabilities were regularly exploited, while popular DevOps tools and resources, including Docker and Kubernetes, were riddled with misconfigurations and vulnerabilities.

"Patching and misconfigurations essentially come down to scale and prioritization," Sinclair says. "Depending on the size and infrastructure of a company's IT department, it will determine how quickly and effectively a company can find what needs to be patched or configured."

Additionally, not all organizations know what to patch, and how to prioritize what needs to be patched first.

"With the plethora of CVEs and vulnerabilities being released daily, most companies find it hard to keep up with, let alone fix what matters, before threat actors exploit them," he adds.

From his perspective, companies must take a different approach to security, in which they view their environments through the eyes of the attacker.

"They need to view their environment and prioritize \[fixes\] based on what is actually reachable, vulnerable, and exploitable," he says. "This mindset shift allows the company to stay one step ahead of the adversary, while ensuring they have a constant pulse on their environment's security posture."

Organizations without the time or talent to patch or review for misconfigurations may find patching-as-a-service (PaaS) a way to improve security, but a successful program will require accurate and robust asset management tools so the vendor knows what's live in the client's environment, he adds.

**Adoption of Multifactor Technologies in 2023**

Sinclair points out that while it is "way too early" to tell what 2023 will bring on the cybersecurity defense front, he believes there are going to be more and more companies adopting new multifactor technologies to aid in the fight against credential reuse and weak credentials.

"By adopting these technologies, it will push cyber-threat actors to find other vulnerabilities and weaknesses to exploit," he says. "As the cybersecurity world is always shifting and evolving, staying one step ahead of malicious cyber-threat actors is paramount."

Patching & Passwords Lead the Problem Pack for Cyber-Teams

Improper buffer restrictions the Intel(R) C++ Compiler Classic before version 2021.7.1. for some Intel(R) oneAPI Toolkits before version 2022.3.1 may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® oneAPI Toolkit software Advisory**

**Revision History**

Revision

Date

Description

1.0

01/10/2023

Initial Release

1.1

01/30/2023

Corrected Intel® C++ Compiler (Classic) version to 2021.7.1

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-41342: INTEL-SA-00773

It's time to share threat intelligence and prioritize digital literacy and cyber hygiene to stem the rising money laundering tide.

It's almost impossible to pinpoint the amount of money that's laundered globally, but conservative estimates put it at anywhere from $800 million to $2 trillion, according to the United Nations' Office on Drug and Crimes — and that's likely just the tip of the iceberg. It's a crime that, in turn, fuels some of the world's most heinous criminal activities. It's also a tactic used by cybercriminals to help try to cover up the profits they're making from things like wide-scale ransomware attacks. The rise of cryptocurrency also has made it easier for them to evade detection.

Financial institutions, cryptocurrency companies, and other organizations face increasing fines — sometimes ranging in the millions and billions of dollars — for failure to root out money laundering as government agencies and regulators worldwide seek to crack down on this scourge.

Here's the bad news as we look toward 2023: Automation is going to make the problem worse. We will see the rise of money laundering-as-a-service. But the silver lining is there are ways to stem the tide — and collaboratively reduce bad actors' ability to do so.

**The Crypto-Money Laundering Connection**

A preferred tactic by cybercriminal organizations looking to grow their ranks is to use what are known as money mules. These are individuals who are brought in to help launder money — sometimes, unknowingly. They're often lured in under false pretenses and promises of legitimate jobs, only to discover that "job" is to help launder the profits from cybercrime.

Back in the day, this money shuffling was typically done through anonymous wire transfer services. While they often got away with it, such transfers are far easier for law enforcement and regulators to track. These days, most criminals have moved to using cryptocurrency. Its relative lack of regulatory oversight, coupled with often-anonymous transactions, make it almost the ideal vehicle for money laundering. In fact, a report by Chainalysis found that criminals laundered $8.6 billion in cryptocurrency in 2021. That's a 30% increase from the prior year.

**The Rise of Recruitment**

Setting up recruitment campaigns for money mules takes time and energy. In their efforts to obfuscate their true purpose, cybercriminals will sometimes go to great lengths to build legit-looking websites for fake organizations and post fake job listings aimed at making those businesses seem aboveboard.

However, automation and machine learning (ML) will make this process far easier — and quicker. ML can be used to better target potential recruits in a faster manner, for one thing. We also expect to see some of the manual campaigns replaced with automated services that enable bad actors to move dirty money through the layers of crypto exchanges — that's going to make the process faster and harder to trace. And that means it also will be more difficult to recover stolen funds.

Collectively, these efforts comprise what we're calling money-laundering-as-a-service (MLaaS), and it's going to become another tool in the cybercrime tool chest.

**Cutting 'Em Off at Their Knees**

While cybercriminals are going to look for any methodology possible to make money laundering easier, that doesn't mean we have to accept this as a foregone conclusion.

The biggest factor in combating the rise of MLaaS is going to involve public-private collaboration on a much larger scale. Organizations across the map can share threat intelligence with one another, contributing to building a better defense all around.

It must be reiterated that cyber hygiene and education must be prioritized as well. No matter the type of organization you're in or the role you're in, this is essential for everyone. Everyone can play a key role in helping keep organizations safe from bad actors. This includes things like more digital literacy — and how to recognize a too-good-to-be-true job ad for the scam it really is. And of course, there's the concept of fighting fire with fire — as bad actors adopt more automation and ML-based approaches, so, too, must defenders.

How Cybercriminals Are Operationalizing Money Laundering and What to Do About It

By Waqas
The leaked data apparently belongs to Convex, the leading Russian internet provider.
This is a post from HackRead.com Read the original post: Anonymous Leaks 128 GB of Data from Russian ISP Convex

Caxxii, an affiliate of Anonymous hacktivists, has released 128 GB of documents revealing the Russian government’s illegal surveillance tactics to spy on its citizens.

The hacktivist group **Anonymous** released 128 gigabytes of data from Convex, the leading Russian internet provider, detailing the Kremlin’s alleged illegal monitoring of its citizens across the country.

Such surveillance activities are classified as unauthorized wiretapping, espionage, and warrantless surveillance of civilians, which are against the country’s laws.

In 2015, in **Zakharov v. Russia**, the European Court of Human Rights warned that the laws governing the country’s System for Operative Investigative Activities surveillance system didn’t offer sufficient and impactful guarantees against arbitrariness and abuse of any secret surveillance system, urging Kremlin to circumvent the legal authorization requirements.

The passage of the **Yarovaya Law in 2016** allowed authorities to obtain communication information without needing a court order.

**What Data was Dumped?**

The alleged data reveals how the **Russian government** apparently spies on its citizens’ internet and phone usage, and exclusive details of the yet-undisclosed Green Atom surveillance program, which Anonymous claims. was operated by Russia’s Federal Security Service.

The data also contains records of thousands of Russian citizens who were customers of Russian corporations targeted by this program.

As per Anonymous, the Green Atom data provide evidence of the extent to which the Russian government abuses its legal structures, as Convex virtually captured the entire data. Anonymous also noted that they had more unreleased information on FSB’s intelligence-collecting activities.

**What is Green Atom Surveillance Program?**

In their **Twitter post**, Anonymous stated that the data was stolen from Convex, which led to the revelation that the company had been running a project named Green Atom involving installing and maintaining surveillance equipment for monitoring **Russian citizens** and private corporations’ online activities.

Through the Green Atom program, the government could perform wide-ranging surveillance activities, using the equipment from Convex to monitor their incoming and outgoing traffic.

At the time of publishing this article, the data was available on the official website of DDoSecrets.

**Anonymous – Russia and Ukraine Conflict**

The Ukraine-Russia conflict has reached a new level with Anonymous cyber attacks on Russian networks. Anonymous, the international hacktivist group that works to fight censorship and corruption, has so far claimed responsibility for several cyber and social engineering attacks against the Russian government and the private sector.

Some of the collective’s attacks include hacking the Yandex taxi app **(1)**, Payment processor Qiwi **(2)**, Ministry of Culture **(3)**, State-Run Broadcaster **(4)**, Central Bank of Russia **(5)**, unsecured printers **(6)**, security cameras **(7)**, media censoring agency Roskomnadzor **(8)**, 90% of Russian misconfigured databases **(9)**, TV transmissions **(10)**, Electic vehicle charging station **(11)** and more.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Anonymous Leaks 128 GB of Data from Russian ISP Convex

Moscow promised residents lower crime rates through an expansive smart city project. Then Vladimir Putin invaded Ukraine.

Sergey Vyborov was on his way to the Moscow Metro’s Aeroport station last September when police officers stopped him. The 49-year-old knew that taking the metro could spell trouble. During a protest against Russia’s invasion of Ukraine, police had fingerprinted and photographed him. He’d already been detained four times in 2022. But he was rushing to his daughter’s birthday, so he took a chance.

Vyborov wasn’t arrested that day, but the police informed him that he was under surveillance through Sfera, one of Moscow’s face recognition systems, for participating in unsanctioned rallies. Considered one of the most efficient surveillance systems, Sfera led to the detention of 141 people last year. “Facial recognition, and video cameras in general in a totalitarian state, are an absolute evil,” Vyborov says. 

Vyborov finds himself at the bottom of a slippery slope that privacy advocates have long warned about. Under the guise of smart city technology, authoritarian and democratic governments have rolled out huge networks of security cameras and used artificial intelligence to try to ensure there is no place to hide. Cities have touted the ability of such systems to tackle crime, manage crowds, and better respond to emergencies. Privacy campaigners say such systems could be used as tools of oppression. In Moscow, Vyborov and countless others now face that oppression on a daily basis.

The Russian capital is now the seventh\-most-surveilled city in the world. Across Russia, there are an estimated 21 million surveillance cameras, and the country ranks among the top in the world in terms of the number of connected surveillance cameras. The system created by Moscow’s government, dubbed Safe City, was touted by city officials as a way to streamline its public safety systems. In recent years, however, its 217,000 surveillance cameras, designed to catch criminals and terrorists, have been turned against protestors, political rivals, and journalists. 

“Facial recognition was supposed to be the ‘cherry on top,’ the reason why all of this was built,” says a former employee of NTechLab, one of the principal companies building Safe City’s face recognition system.

Following Russia’s invasion of Ukraine, Safe City’s data collection practices have become increasingly opaque. The project is now seen as a tool of rising digital repression as Russia wages war against Ukraine and dissenting voices within its own borders. It is an example of the danger smart city technologies pose. And for the engineers and programmers who built such systems, its transformation into a tool of oppression has led to a moment of reckoning. 

An Innocent Start

Founded in 2015, NTechLab caught the attention of the global press with the February 2016 launch of FindFace, an app that allowed anyone to identify faces by matching them with images gathered from social network VKontakte, Russia’s Facebook equivalent. Met with warnings of the “end to public anonymity,” the app was reportedly downloaded by 500,000 people within two months of its launch. But for NTechLab, it was primarily a proof of concept for its nascent face recognition algorithm.

NTechLab still felt like a startup when one former employee, who asked not to be named for privacy reasons, joined the company. And he was drawn in by the complexity of the work.

“From \[an\] engineering point of view, it’s very interesting to work with: It’s very difficult,” he says. 

After the release of FindFace, NTechLab began selling its face recognition tech to small businesses, such as shopping malls that could use it to catch shoplifters or see how many people return to certain stores. But NTechLab was also working with the Moscow Department of IT Technology (DIT), the government department tasked with building Moscow’s digital infrastructure. In 2018, when Russia hosted the FIFA World Cup, NTechLab’s face recognition tech was connected to more than 450 security cameras around Moscow, and its tech reportedly helped police detain 180 people whom the state deemed “wanted criminals.”

At its inception, Moscow’s face recognition system was fed official watchlists, like the database of wanted people. The system uses these lists to notify the police once a person on the list is detected, but law enforcement can also upload an image and search for where a person has appeared. Over the years, security and law enforcement agencies have compiled a database of the leaders of the political opposition and prominent activists, according to Sarkis Darbinyan, cofounder of digital rights group Roskomsvoboda, which has been campaigning for a suspension of the technology. It remains unclear who is in charge of adding activists and protesters to watchlists.

In March 2019, following the success of the World Cup trial—some of Russia’s “most wanted” people were arrested while trying to attend matches—the Moscow Department of Transportation, which operates the city’s metro, launched its own surveillance system, Sfera. By October 2019, 3,000 of the city’s 160,000 cameras were enabled with face recognition tech, according to interior minister Vladimir Kolokoltsev.

NTechLab was one of many companies building the slew of systems that would later be branded Safe City. International companies, from US tech firms such as Nvidia, Intel, and Broadcom to South Korea’s Samsung and Chinese camera maker Hikvision, worked alongside local firms such as HeadPoint, Netris, and Rostelecom that have developed various components of the surveillance systems. According to procurement documents cited by the UK’s BBC, three companies besides NTechLab created face recognition tech for Moscow’s growing surveillance apparatus, including Tevian, and Kipod, and VisionLabs. Moscow's Transportation Department said in social media posts that Sfera was built using VisionLabs technology, although the company downplays its involvement.

NtechLab says it operates in compliance with local laws and does not have access to customer data or camera video streams. Nvidia and Intel say they left Russia in 2022, with Nvidia adding that it does not create software or algorithms for surveillance. Broadcom and Samsung also say they stopped doing business in Russia following the invasion. VisionLabs says it only provides the Moscow Metro with its face recognition payment system. Other companies did not respond to requests for comment. The DIT and the Moscow Department of Transportation did not respond to requests for comment.

At the end of 2018, as Russia cracked down harder on political dissent online and in the streets, the DIT started to change, says a former employee who asked to remain anonymous for safety reasons. The department used to just be the “technical guys” providing assistance to security services, with the Moscow government recruiting highly paid IT specialists to make the most efficient systems possible, according to Andrey Soldatov, an investigative journalist and Russian security services expert. But according to the former employee, the DIT was beginning to reflect the Kremlin’s authoritarian bent.

Then came Covid. 

Safe City launched in 2020, at the height of the Covid-19 pandemic. Russia, like some other countries, seemingly used the pandemic as grounds to expand its surveillance systems to catch people breaking self-isolation rules. By mid-March 2020, Safe City’s face recognition system had caught 200 people breaking lockdown restrictions. At the same time, Moscow introduced a regulatory sandbox for the development of AI applications with the participation of large IT companies, exempting authorities from the country’s already lax data protection requirements. “With Covid, \[the DIT\] essentially became a part of the repressive apparatus,” says Soldatov.

In addition to its network of more than 200,000 cameras, Safe City also incorporates data from 169 information systems, managing data on citizens, public services, transportation, and nearly everything else that makes up Moscow’s infrastructure. This includes anonymized cell phone geolocation data collection, vehicle license plate recognition, data from ride-hailing services, and voice recognition devices. As Safe City was still rolling out in 2020, the Russian government announced plans to spend $1.3 billion deploying similar Safe City systems across Russia. From the outside, the potential for the system to be abused seemed obvious. But for those involved in its development, it looked like many other smart city projects. “No one expected that the country would turn into hell in two years,” says one former NTechLab employee, who asked to remain anonymous for safety reasons.

The Black Box Problem

Attempts to break open Moscow’s digital black box have been stonewalled. Alena Popova, whose image was captured during a protest against politician Leonid Eduardovich Slutsky in April 2018, filed the first lawsuit against Moscow’s DIT for allegedly violating her privacy, seeking a ban on face recognition tech. The case was thrown out, but Popova has continued to file lawsuits, including one at the European Court of Human Rights—which Russia is no longer a part of. 

While Moscow operates one of the world’s most pervasive surveillance systems, Russian law does not safeguard individual privacy. With seemingly no hope of recourse, some activists have been forced to leave Russia altogether. Popova is now on the list of foreign agents and is living in an undisclosed overseas location. “I will not apply to any political asylum in any country because I would like to go back to my own country and fight back,” she says.

A key concern is that Moscow’s surveillance system was designed to conceal its data collection from Moscow’s 12 million residents, says Sergey Ross, founder of the Collective Action Center think tank and a former Moscow politician. Although the system is run by the Moscow government, elected members of the Moscow City Duma say they are excluded from regulating face recognition systems and have little insight into how it is being used. “It’s a complete black box,” says Ross.

“It was clear that sooner or later the technology would be used to catch activists and dissenters,” says Roskomsvoboda’s Darbinyan. 

Russia made almost 20,500 political arrests in 2022, according to data from human rights media organization OVD-Info, which characterizes the number as “unprecedented.” The arrests have sparked fears that Safe City will be expanded to catch draft dodgers—although former NTechLab employees say that doing so would be technically difficult to pull it off because of too many false positives. Still, Moscow police appear to be using face recognition to aid Russia’s war efforts in other ways.

In September 2022, just after Putin announced additional mobilization for the war against Ukraine, Viktor Kapitonov, a 27-year-old activist who’d protested regularly since 2013, was stopped by two police officers after being flagged by face recognition surveillance while he approached the turnstiles in Moscow’s marble-covered Avtozavdodskaya metro station. The officers took him to the military recruitment office, where around 15 people were waiting to enlist in Putin’s newly announced draft. 

“They let me in without waiting in line as if I were some sort of VIP person,” he says. The recruiters wanted to force Kapitonov to enlist, but he ended up escaping the draft. “I explained that I am not fit, I have a disability.”

A Guilty Conscience

From 2017 to 2020, NTechLab became one of Russia’s fastest-growing companies. Other face recognition firms have cashed in as well: The revenue of Russian face recognition developers grew between 30 and 35 percent in 2022, thanks in part to deals struck in the Middle East, Southeast Asia, India, and South America. Russia’s national AI strategy has supported such firms with grants, tax exemptions, and subsidies, which have benefited both startups and state corporations, including tech and finance giant Sber, telecom provider Rostelecom, and defense firm Rostec, which previously owned a minority stake in NTechLab. While NTechLab continues to work globally, reporting a revenue increase of 35 percent in 2022, it has also faced a backlash against its work with the Russian state.

In June of last year, a “name-and-shame” list of NTechLab employees was published \[in Russian\] with information collected from social media. The project went viral, and some employees reported being harassed online. Artem Zinnatullin, a software engineer now based in the US, says he published the list after NTechLab sold its new silhouette recognition technology to the Moscow government in June 2022. To him, it signaled support for Russia’s war in Ukraine. In the post, he called NTechLab “the blacksmith of the Digital Gulag.” Zinnatullin, who says he knew people arrested with the help of face recognition technology, believes publishing the list of NTechLab employees was only fair. “You recognize people on the street, it’s only fair if we use public data to recognize who you are,” he says.

Unlike many face recognition companies that keep a low profile, NTechLab’s splash with FindFace has turned it into a recognized brand. Employees say this high profile has made them into scapegoats. 

As arrests of activists and politicians mounted, the ethics of NTechLab’s technology became a recurring topic at company meetings. NTechLab staff have resisted the use of the company’s face recognition in rallies and refused to sell the technology to the military, according to people familiar with these discussions. Still, the NTechLab leadership concluded that the technology was ultimately positive—even if the occasional dissenting voice was arrested because of it. 

“We all saw these positive examples, we saw how it really catches criminals,” says one former NTechLab employee. “Most people in NTechLab would say they were doing something very good, technologies that can help and save people’s lives. It really did.”

As Russia furthered its march toward authoritarianism in 2021, NTechLab leadership began talking about moving the company abroad, according to people familiar with internal company discussions. But with lucrative government contracts abounding—NTechLab received a $13 million investment from the Russian Direct Investment Fund, the country’s sovereign wealth fund, in September 2020—its investors resisted the idea. The company was also changing. Its founders, Alexander Kabakov and Artem Kukharenko, stepped down from NTechLab—and both left Russia in December 2021 and February 2022, respectively, declaring their anti-war stance on social media. 

Other employees left amid an exodus of IT talent from Russia. The war changed how they viewed their work. “Looking back, we realize that we shouldn’t have done it,” says an NTechLab employee. “But even in 2017 and 2018, it was a completely different country. At least, that’s how it seemed to those who weren’t very immersed in politics.”

A Growing Threat

Russia’s Safe City projects show no sign of slowing. As more surveillance systems are deployed across the country, Moscow’s DIT is planning to centralize video streams collected across all regions into its own system. And new projects to digitize public services may make it even easier for the government to eventually create large databases where everyone can be found, according to Popova. “It is really scary,” she says. “If they digitalize all the databases and combine them to make this joint database, they can find everybody.” In July, Putin signed a federal law that funnels personal biometric data collected in the country into a single system—an effort to obtain an “almost unlimited monopoly” on the collection and storage of biometrics, says Roskomsvoboda’s Darbinyan. 

In a further expansion of the Safe City project, Rostec is also reportedly developing software that will help authorities predict riots and prevent their escalation by analyzing media reports, data from social networks, video cameras, and other sources. Rostec did not respond to a request for comment on its development of these systems.

Similar systems have been developed in some Chinese cities, and Russia is now playing catch-up. “The Russian government would probably like to move toward China, but they do not yet have the necessary technology,” says Kiril Koroteev, head of international practice at the Russia-based Agora International Human Rights Group.

For now, many activists in Russia are left to do whatever they can to skirt the country’s growing surveillance apparatus, including avoiding the Moscow Metro. Kapitonov hopes that a balaclava will keep him safe, while Vyborov aims to ride the metro early in the morning, when there are fewer police around to detain him. 

“I think that it was inevitable that such a system would be made sooner or later,” says one former NTechLab employee. Face recognition is like a knife, he says: It can be used to cut food, but it can also be used to cut innocent people. He now regrets that NTechLab played a key role in building Moscow’s Safe City project. He has left Russia and doesn’t think he will work on face recognition again. “I do not want to mess with it anymore,” he says.

_Update 9:25 am ET, February 6, 2023: Clarified the role of VisionLabs in the Sfera system and that NTechLab's founders have since left the company._

Inside Safe City, Moscow’s AI Surveillance Dystopia

We’re excited to welcome more than 400 members of the security research community from around the world to Redmond, Washington for BlueHat 2023. Hosted by the Microsoft Security Response Center (MSRC), BlueHat is where the security research community, and Microsoft security professionals, come together as peers to connect, share, learn, and exchange ideas in the interest of creating a safer and more secure world for all.

We’re excited to welcome more than 400 members of the security research community from around the world to Redmond, Washington for BlueHat 2023. Hosted by the Microsoft Security Response Center (MSRC), BlueHat is where the security research community, and Microsoft security professionals, come together as peers to connect, share, learn, and exchange ideas in the interest of creating a safer and more secure world for all.

The two-day conference builds connections, provides learning opportunities, and strengthens trust between the security researcher community, customers, and partners. BlueHat also showcases thought leadership in the research and vulnerability discovery and mitigation space and provides insight to both internal Microsoft and external audiences on current and emerging security threats and techniques. BlueHat attendees will have the opportunity to listen to our incredible keynote speakers Charlie Bell (Executive Vice President, Microsoft Security Division), Mark Russinovich (Azure CTO and Technical Fellow, Microsoft), and and MSRC leader Aanchal Gupta (Deputy CISO and CVP Engineering, Microsoft). Conference-goers will also listen to 27 security thought leaders discuss a wide range of security topics, including AI/Machine learning based security, advanced hardware security, researching and securing your infrastructure, and more. In addition to the speaker sessions, BlueHat will also host a series of lightning talks from a group of up-and-coming security professionals from Microsoft, Grammarly, Tiktok, Intuit, and Meta. The lightning talks will feature actionable information from security pros about the top threats and concerns companies and organizations are facing today.

In addition to the keynotes, speaker sessions, and lightning talks, BlueHat attendees, hailing from 26 countries and representing 184 companies or organizations, will connect—and reconnect—with the security research community from around the world, building their personal and professional relationships, while gaining valuable insight into ideas that will create a safer and more secure world for all. Opportunities for networking and connecting include the 8 BlueHat Villages, such as the Post-Quantum Village, Cyber Training Village, AI/ML Village, and more.

We’re so excited to host the first in-person BlueHat conference since 2019. Follow MSFTBlueHat on Twitter for updates and announcements, and use #BlueHat to join the conversation. At the conclusion of BlueHat 2023, we’ll share recordings of the keynote talks and speaker sessions.

  
**Conference sessions Conference sessions****Wednesday, February 8th Wednesday, February 8th****Keynote Keynote**

**Charlie Bell,** Executive Vice President, Microsoft Security Division and **Aanchal Gupta**, Deputy CISO and CVP Engineering, Microsoft (Twitter)

Speakers: **Dr. Abhilasha Bhargav-Spantzel** - Partner Security Architect (Twitter); **Dr. Andre Alfred** - Partner Director, Azure Security; **David Weston** - Vice President, Enterprise and OS Security (Twitter); **Cristin Goodwin** - General Manager and Associate General Counsel (Twitter), moderated by **Stephanie Calabrese**, Principal PM Manager (Twitter)

**MSTIC Ghost Stories: A Threat Intelligence Year in Review MSTIC Ghost Stories: A Threat Intelligence Year in Review**

Speakers: Eunsil Han (Twitter), Emily Hacker (Twitter | LinkedIn), Terri Forslof, Microsoft (Twitter | LinkedIn)  
Abstract: The Microsoft Threat Intelligence Center (MSTIC) discovers, tracks and disrupts the world’s most impactful and well-resourced threats, from state-aligned actors to financially motivated criminals, on a daily basis. As part of this mission, MSTIC works across Microsoft’s security signals gaining firsthand insight into the technical methods and capabilities of threat actors. The intelligence produced by MSTIC is infused into everything Microsoft does, from security products to generic product roadmaps, and BlueHat is no different.

In a rare opportunity, BlueHat attendees have a chance to hear an entertaining and educational account from MSTIC about its most significant observations from 2022. The talk will look back over the last year of technical threat data, spanning global threat actors of various motivations, to deliver regional trends, insights, and never before heard investigation stories from our work defending customers. The observations delivered in this talk ultimately seek to inform the future, empowering global people and organizations to achieve more, and do so securely. Examples covered in this presentation include:

*   Overview of multiple trends observed being used by China over the past year
*   DEV-0228 Leveraging supply chain relationships to target shipping companies in Israel
*   An onslaught of intrusion activity in Ukraine from STRONTIUM and IRIDIUM leading to espionage, cyber-enabled influence operations, and destructive attacks
*   Notable trends/activities associated with multiple North Korean groups including ZINC

**0-Day firmWarez 0-Day firmWarez**

Speaker: Nate Warfield, Eclypsium (Twitter | LinkedIn)  
Abstract: Firmware is the foundation of modern computing. It’s the first code executed when your computer boots, it manages your hardware, runs critical infrastructure, controls systems in nearly every part of our lives, and exists in most electronics sold today. It’s also one of the most vulnerable, poorly maintained, and infrequently patched components of technology.

In this talk, we will discuss recent high-profile firmware vulnerabilities and attacks, including a series of vulnerabilities found in MegaRAC Baseboard Management Controller (BMC) software which powers millions of servers worldwide. We will explore the remote attack surface, the risk due to firmware’s position on devices, and the defensive weaknesses attackers are abusing. In addition to server firmware, we will also cover networking hardware and IoT device risks and threats.

In the second half of the talk, we will showcase open-source tools organizations can utilize to analyze device firmware, identify unpatched vulnerabilities, weak security controls, and find hard-coded credentials. The goal of this portion is not building exploits, but rather empowering organizations to better understand the risk posed by the firmware on their connected systems. These tools don’t require significant skill or time to use and provide valuable information on devices whose security posture is poorly documented, if at all.

Attendees will better understand how to threat model their environments and what additional steps may be required to secure their infrastructure. They will also gain insight into what real world attacks look like, to better defend against them and recognize them should they occur.

**Advanced Hardware Hacking Advanced Hardware Hacking**

Speaker: Sick Codes (Twitter | LinkedIn)  
Abstract: Modern techniques to find vulnerabilities in modern hardware: this talk will show you techniques, tools, and concepts to assess most devices, especially those which are worth hacking. Sick Codes will bring you up to speed on exact methods to hack brand new smart TVs, watches, tractors, cars, game consoles, and more. Be able to identify and hack any new hardware.

**High Risk Users and Where to Find Them High Risk Users and Where to Find Them**

Speaker: Masha Sedova, Elevate Security (Twitter | LinkedIn)  
Abstract: What if you could predict and ultimately prevent most incidents in your organization? 82% of all attacks originate from human fallibility, but an effective risk management approach is impossible without the ability to pinpoint our riskiest users. Research findings from a 300k-employee data set spanning 8 years reveal trends in our most vulnerable populations. We’ll share how 8% of the workforce is responsible for the majority of incidents and dive into what makes workers high-risk, where those high-risk users spend their time, what are their riskiest behaviors, and what that might mean for your organization’s security. From there the talk will explore how security professionals can effectively measure user risk in their own organizations and action on these findings to strengthen their cyber defense. By applying the different stages of user-risk management, from feedback to tailored safeguards & access, learn how to keep your workforce safe and business productive.

**Thursday, February 9th Thursday, February 9th****Keynote Keynote**

**Mark Russinovich**, Azure CTO and Technical Fellow, Microsoft (Twitter) with opening remarks by **Aanchal Gupta**, Deputy CISO and CVP Engineering, Microsoft (Twitter)

**Hunting Qakbot Hunting Qakbot**

Speakers: Dan Taylor (LinkedIn) & Ben Magee (Twitter | LinkedIn)  
Abstract: When it comes to attack surfaces, there are few quite as large as that of NHS England’s Microsoft Defender for Endpoint estate. With close to 1.7 million endpoints enrolled in a tenant spanning thousands of separate organizations across the healthcare service, it presents a uniquely challenging environment to protect – one where cyber incidents can have very real, human consequences.​  
How then do we go about defending an IT estate as large and complex as this one?​  
​  
It’s a challenge that couldn’t be better illustrated than with the perpetual battle against Qakbot. With delivery mechanisms and TTPs that shift week to week, a repertoire ranging from access-for-sale to the deployment of ransomware and no scruples about targeting healthcare organizationsfrom its operators, Qakbot truly is a formidable adversary.​  
​  
In this talk we walk through:​

*   A brief overview of the NHS and the role NHS Digital CSOC plays in its defence​
*   The scale of the challenges facing security teams tasked with securing the NHS against the likes of Qakbot, and why common malware poses such an acute threat​
*   The critical role threat hunting (and intelligence) plays in that defence, with technical breakdowns of Qakbot TTPs, the methods we use to stay ahead of them, and the key advantages afforded by Microsoft Defender for Endpoint​
*   Examples of the mistakes, successes, close calls, and critical lessons learned in the interminable battle against Qakbot and its contemporaries

**Houdini of the Terminal Houdini of the Terminal**

Speaker: David Leadbeater, G-Research (Twitter | LinkedIn)  
Abstract: Text based terminals have used escape sequences in some form since at least the 1970s. Windows has for a long time had fairly limited support for them, using a different method to perform out of band messaging. As a result of the support added for Windows Subsystem for Linux (WSL), Windows gained support for common terminal escape sequences and now they are the preferred method for formatting and related functions.

Just like XSS, if an escape sequence ends up being sent unsanitized to a terminal it can be used to do unexpected things. This can range from changing formatting outside of the area where the text should have been inserted or if the terminal has a vulnerability anything from a DoS to remote code execution.

This risk has existed in Unix terminals for many years, for example 20 years ago it was discovered a terminal’s title can be read back and in some cases that can result in code execution. Terminals now disable this by default or do not implement it.

We will explore over 20 years of terminal vulnerabilities, from attacks via Apache’s log files to attacking via Kubernetes.

Our research found several severe bugs in common terminals and we have used them to perform a chained exploit from low privileges on a Kubernetes cluster to obtaining RCE on an administrator’s machine. This builds on the research done by CyberArk in early 2022, which found the original kubectl bug (CVE-2021-25743).

Along the way we’ll discuss some other bugs we found in both Windows and Unix utilities and how to achieve some level of defense-in-depth against this kind of threat.

**Through the Eyes of a Guest Through the Eyes of a Guest**

Speaker: Callum Carney (Twitter)  
Abstract: This talk will walk you through months of external research into how identities were incorrectly handled within Microsoft internal systems, from uncovering an unusual way to gain access to a privileged Azure AD tenant, to navigating multiple systems with unrestricted access to customer data and confidential information, all the way through to trying to create enough noise to raise awareness and working with MSRC to fix the issue.

**Catch Me If You Can in the Eyes of Authorization Catch Me If You Can in the Eyes of Authorization**

Speakers: Cameron Vincent (Twitter) & Sean Hinchee, Microsoft  
Abstract: Ever wonder how one of the top participants in the Microsoft bug bounty program was finding security issues across Azure for many years? Or what about the other side? Ever wonder what the perspective was like from a MSRC security engineer working on these submissions and finding a more holistic approach towards them? In this talk you are going to get the best of both worlds. Not only will you hear about the offensive side from a former full time bug bounty hunter, but you’ll also get to hear from a MSRC engineer that was dealing with these submissions firsthand. The specific type of issues that will be discussed in this talk are going to be AuthZ/Authorization related issues. This is an extremely common area where many services and companies have been failing. In this talk Cameron Vincent is going to go over how he was hunting across Microsoft and other services for these types of issues. He will discuss some examples and techniques that were used when hunting for specific AuthZ/Authorization issues for many years. Sean Hinchee is then going to talk about what the defensive side was like. He will then dive deep into some open-source tools that he developed to help try and catch these types of authorization issues at a more automated scale.

A popular military tool during the Cold War, spy balloons have since fallen out of favor—for good reason.

On Friday, United States secretary of state Antony Blinken said he was canceling a high-profile diplomatic visit to Beijing following the discovery of a large, high-altitude Chinese balloon that has been drifting over the US this week. The Chinese Ministry of Foreign Affairs said in a statement on Friday that the airship is an off-course weather balloon and has denied that it is an espionage tool. A senior US Department of Defense official told reporters on Thursday, though, that “clearly the intent of this balloon is for surveillance.”

Spy balloons are a historic technology and were widely utilized before the development of low-Earth and geosynchronous satellites, including extensive use in the 1950s by the US during the Cold War. But these days, their use has largely fallen out of favor. Spy balloons have some advantages over satellites. They are cheap to deploy, fly relatively close to their targets, and can continuously monitor a location for longer stints. But balloons have weight restrictions, which also limit how powerful and diverse their onboard sensors can be. And unlike satellites, which are out of sight and out of mind for people on Earth, the situation currently playing out with the Chinese balloon illustrates the biggest limitation of surveillance balloons. 

“You may have noticed that this balloon has caused a massive international incident, and it’s got everyone looking at China and demanding that the US government do something. In terms of surveillance, this is the kind of attention you don't want,” says Brynn Tannehill, a RAND Corporation senior technical analyst and a former naval aviator. “My assessment is that the advantages a balloon offers versus the amount of unwanted attention it creates—I can't answer why the Chinese did this. It attracts ill will.”

Sensor-equipped balloons have onboard steering capabilities but are transported by wind currents. US officials said on Thursday that the spy balloon was floating above commercial air traffic at roughly 60,000 feet and that it does not pose a threat to people or activity on the ground. The senior DOD official noted that the balloon is big enough to cause a potentially dangerous debris field if the US shot down the balloon over an inhabited area. The official added that the military considered taking kinetic action on Wednesday while the balloon was moving over “sparsely populated areas in Montana,” but concluded that the risks weren't low enough. RAND's Tannehill points out that an additional risk of such an operation is that the missile aimed at the balloon will miss “and now you’ve created an even bigger problem,” she says.

Brigadier General Pat Ryder, the Pentagon press secretary, said on Thursday that, "instances of this kind of balloon activity have been observed previously over the past several years. Once the balloon was detected, the US government acted immediately to protect against the collection of sensitive information."

Reports increasingly indicate that the vehicle is part of a broader Chinese spy balloon initiative, and the senior DoD official said of spy balloon US flyovers on Thursday that “it has happened a handful of other times over the past few years, to include before this administration.” The current incident has apparently been the most visible to the US public, though.

Consistently deploying spy balloons is a strategy that the US and other countries may not be fully prepared to counter given that balloons have been less popular as espionage tools in recent decades. The senior Defense Department official said on Thursday, though, “We assess that this balloon has limited additive value from an intelligence-collection perspective” versus what China could get from satellite imagery. Still, the balloon has flown near a few US military bases and other sensitive sites. 

Tannehill says that countersurveillance measures for spy balloons would typically include physically moving equipment or personnel out of sight, rearranging equipment, and if possible, jamming the balloon's sensors.

The Defense Department declined WIRED's request to elaborate on the steps it took to prevent espionage activities.

“The fact is we know that it's a surveillance balloon, and I'm not going to be able to be more specific than that,” Brigadier General Pat Ryder said in additional remarks to reporters on Friday. “And we do know that the balloon has violated US airspace and international law, which is unacceptable. And so we've conveyed this directly to the PRC at multiple levels.” 

The Chinese Ministry of Foreign affairs said of the balloon: “The Chinese side regrets the unintended entry of the airship into US airspace due to force majeure. The Chinese side will continue communicating with the US side and properly handle this unexpected situation.”

But even with this concession, the extremely public nature of the incident can only exacerbate tensions between the US and China. As RAND's Tannehill puts it, “It’s tough to pretend the spying isn’t happening when it’s floating over Kansas City and regular people are like, ‘Oh look, it’s the Chinese spy balloon.’”

The Chinese Spy Balloon Shows the Downsides of Spy Balloons

Apply these nine tips to proactively fight fraudulent websites that use your brand to rip people off.

Brand impersonation is a particularly thorny problem for CISOs. Cybercriminals piggyback off a trusted brand to push scam lures through various means to onto unsuspecting customers. They could disguise themselves as part of the organization's IT team or someone familiar to trick employees into clicking on malicious links or send a message that looks like it is coming from a legitimate source to convince the recipient the contents are real.

Retailers, product creators, and service providers are increasingly having to deal with brand impersonation attacks. Mimecast’s "2022 State of Email Security Report" found that 90% of organizations experienced an impersonation attack over the previous 12 months. Further, the Mimecast "2021 State of Brand Protection Report" found that companies on the BrandZ Top 100 Most Valuable Global Brands 2020 list experienced a 381% rise in brand impersonation attacks over May and June of 2020 compared to before the pandemic. New domains suspected of brand impersonation also rose by 366%. These impersonation attacks include not only the typical phishing or malware attacks, but also fraud that sells or claims to sell products or services on behalf of the brand. These include fencing of stolen items, non-delivery scams, and counterfeit or grey market sales of product.

"\[Brand impersonation\] is a fraud problem and a security incident problem," says Josh Shaul, CEO of Allure Security. "People are stealing from you, and you're trying to prevent the theft."

Experts recommend that CISOs take a systematic and multidisciplinary approach to this problem. The right approach will not only require technology like automated detection, but also security leadership in helping business stakeholders to harden the brand on a number of fronts.

**1\. Engage in Trademark Basics**

Shaul says that a "shocking" number of companies don't go through the most basic actions of establishing and maintaining ownership of their brand's trademark. The most fundamental step for hardening a brand from online attacks is to cover the basics like registering trademarks, logos, and unique product images, as well as keeping trademarks up-to-date.

"Once you lose control of the trademark, somebody else might register your trademark," he says. "It's a real problem for you. You can't enforce it if you don't own it, so you've got to start there."

**2\. Take Ownership of Online Landscape**

From there, the other basic component companies need to think about is taking ownership of a brand's online landscape. This means not only picking up as many potentially relevant domain names as possible for the brand, but also setting up a footprint on all possible social media channels, Shaul says.

"A lot of companies are like, 'Hey, we do social media, but we don't do TikTok,' or 'We don't do Instagram,' and therefore they don't set up a presence there," he says. "If you don't set up a presence for your brand on a major social platform, there's nothing stopping somebody else from setting up a presence for your brand on that major social platform. Then you've got to try to recover it, which is kind of a nightmare. Just planting the flag is important."

**3\. Monitor Domains**

Organizations should not only be watching and monitoring the domains they own, but also their domain ecosystem, says Ihab Shraim, CTO of CSC Digital Brand Services.

"This means understanding the types of domains that are being registered around them because it’s a multidimensional cyber threat," he says.

As he explains, often larger enterprises manage thousands of domains, which can make it difficult to keep tabs on and effectively manage the entire portfolio.

"Companies need to devise policies and procedures to monitor and mitigate threats associated with all their domains as an integral part of their security posture," Shraim says. He explains that they should be continuously monitoring their domains and also digital channels within search engines, marketplaces, mobile apps, social media, and email to look out not only for phishing and malware campaigns but also brand abuse, infringements, and counterfeit selling on digital channels. "It is crucial for companies to understand how their brands are operating on the Internet."

**4\. Leverage Threat Intel**

Doug Saylors, partner and co-lead of cybersecurity for global technology research and advisory firm ISG, believes that organizations should leverage threat intelligence to help them with the adjacent domains and also the tricky tactics, techniques, and procedures used by bad actors in their impersonation attacks.

"Organizations need to invest in threat intelligence platforms that will help identify the use of fake domains, phishing campaigns, and other technologies to defeat the TTPs \[tactics, techniques, and procedures\] used to enable brand impersonation," he says.

**5\. Consider Full-Cycle Brand Protection**

Saylors is also a big believer in full-cycle brand protection. He recommends companies consider these services — not just for their detection capabilities but also their expertise in mitigation.

"They should engage the services of specialty firms that deal with the full lifecycle of brand protection to ensure scalability and absolute focus on reducing fraudulent activity," he says. "These firms have advanced capability to identify fake sites, catalogs, and catalog entries and remove them through industrial-strength takedown procedures."

As organizations evaluate online brand protection companies, they've got to keep in mind that this is another cat-and-mouse game detection category, where mileage may vary based on technology and how well companies keep up with evasive behavior from the attackers.

For example, when attackers found that their scams were being discovered through image processing and logo detection, they began with simple evasive techniques like changing the image file format and then evolved to use multiple nested images and text in a single collapsed image to trip up detection, says Shaul.

"So now, unless you can compare sections of an image, which is a super hard technical problem that some of us have solved, you can't detect these things anymore," he says. "They just bypass the evolving detections that organizations are putting out there."

Another new tactic they've taken is creating generic fake shops and evolving them into branded shops over time, he says.

"The scammers are working hard to understand how detection is evolving in the industry, and doing things to try to evade detection as aggressively as they can," he says.

**6\. Use Incident Responders Judiciously**

Incident responders hate handling the mitigation of brand impersonation because it is a different skillset than a lot of analysts who get into the field for fun investigative work and not to chase down registrars to do takedowns, says Shaul. Even if a company can make it fun for their responders, they have got to be careful that they're using their specialized responders in a cost-effective way.

He likes to tell the story of a banking customer that had been putting this on their IR team, who turned it into a fun exercise by breaking into phishing sites that were targeting the company's brand and doing a lot of offensive security work.

"The IR guys were having a ball with it, but they realized, 'Look how much time we're spending basically just playing games with the attackers,'" he says. "They had their best people doing hard work to just clean up after scams that already happened."

He suggests that by knowing in advance that response to these sites takes a different skillset than advanced analysts have, this might be a way to break in new security ops personnel and give early-career responders some experience through a planned career path that starts with impersonation takedowns.

**7\. Proactively Build Law Enforcement Relationships**

Additionally, organizations should understand that they're likely going to need to help from the authorities in many of these cases. Saylors says that CISOs should be working to proactively build partnerships with law enforcement agencies and other relevant government authorities around the globe.

"They should also have direct relationships with law enforcement organizations that will pursue and prosecute the criminals responsible for brand theft and the resulting revenue loss to legitimate companies," he says.

**8\. Educate Consumers and Employees**

Frequent and detailed awareness campaigns for customers about what brand impersonation looks like compared to the real deal can go a long way toward curbing their risk of falling for common frauds.

"Organizations, other than large banks, tend to fail in this area due to concerns about scaring their customers away," he says. But actually, awareness campaigns like this can bring customers closer to the brand when they're done right. Here's a great example of what an awareness site can look like. This is a detailed fraud awareness article put together by Burton Snowboards that provides examples of fake Burton scam sites, with clues for their customers to look for in detecting a scam and some additional pointers. Communications like these can be used as a technique to not only build trust and goodwill among customers, but also build up the brand.

**9\. Differentiate Your Brand**

One final thing that CISOs can encourage their organizations to do is to find ways to ensure all of their sites, pages, and experiences are visually and contextually recognizable as part of the brand. This is an opportunity for collaboration with the marketing department. Not only can customers recognize distinctive brands more easily, but it's also a lot easier for automated detection searches to automatically find impersonated images and logos out in the wild, says Shaul.

"Ensure there's something a little bit different about your brand that makes it so that your customers and even your employees can recognize it. That's great for marketing but also helps security in a big way," he says. "The more your brand has differentiated itself with the way it looks, the way it feels, the way it's set — with little things like how your VPN looks — and the easier it is to protect the brand."

Tag

#intel