Governments behaving badly.
The European Union a week ago Friday publicly attributed the GhostWriter cyberespionage and disinformation operation to Russia. "The European Union and its Member States strongly denounce these malicious cyber activities, which all involved must put to an end immediately. We urge the Russian Federation to adhere to the norms of responsible state behaviour in cyberspace." The attribution and warning didn't say which nations had received the attentions of GhostWriter, but, as the Washington Post notes, the timing of the communiqué suggests concern for Germany, which held elections last weekend.
Independently, Finland's Security and Intelligence Service called out both Russian and Chinese cyberespionage and influence operations as major continuing threats, Bloomberg reports.
According to Rest of World, Cambodian Prime Minister Hun Sen zoombombed an online conference held by the country's banned opposition party to tell participants that their communications were being monitored.
Microsoft on Monday released its study of a new, persistent, post-exploitation backdoor, "FoggyWeb," used by the Nobelium threat group. FoggyWeb is used both for exfiltration of victims' data (including the configuration databases of compromised Active Directory Federation Services (AD FS) servers, decrypted token-signing certificates, and token-decryption certificates) and for deploying and executing additional malware payloads. Because it runs on an already-compromised AD FS server, the backdoor does not break authentication; it sits behind the identity provider and steals the material that lets an attacker mint tokens of their own. Nobelium is Microsoft's name for the Russian government threat group others call Cozy Bear or APT29; it's associated with Russia's SVR foreign intelligence service (and sometimes with the FSB security service). Microsoft's report includes detailed mitigation advice, including the following:
- "Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
- "Reduce local Administrators’ group membership on all AD FS servers.
- "Require all cloud admins to use multi-factor authentication (MFA).
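The following PowerShell audit is an added example, not code from Microsoft's report or from the article. It checks the first two quoted mitigations on an AD FS server (who holds local admin rights) and lists the token-signing and token-decrypting certificates that FoggyWeb is reported to exfiltrate, so their thumbprints can be baselined and rotated if theft is suspected. The `$ApprovedAdmins` list is an assumed placeholder; replace it with the Active Directory Admins and AD FS Admins groups used in your own forest. The third mitigation (MFA for cloud admins) is enforced in the cloud tenant and is not covered here.

```powershell
# Added audit example (not from Microsoft's report or the article): checks local
# Administrators membership on an AD FS server against an approved list and lists
# the AD FS token certificates to baseline. Run in an elevated session on each AD FS server.
#Requires -RunAsAdministrator

param(
    # ASSUMPTION: placeholder principals allowed in the local Administrators group.
    # Replace with your forest's Active Directory Admins / AD FS Admins groups.
    [string[]]$ApprovedAdmins = @(
        'CONTOSO\Domain Admins',
        'CONTOSO\ADFS Admins'
    )
)

function Get-UnexpectedLocalAdmin {
    param([string[]]$Approved)
    # Get-LocalGroupMember ships in the built-in Microsoft.PowerShell.LocalAccounts
    # module (Windows Server 2016 and later).
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            # The built-in local Administrator account (RID 500) is expected; every
            # other member must be on the approved list (mitigation: reduce local
            # Administrators membership to AD Admins and AD FS Admins only).
            $isBuiltInAdmin = ($_.ObjectClass -eq 'User' -and $_.SID.Value -like '*-500')
            (-not $isBuiltInAdmin) -and ($_.Name -notin $Approved)
        }
}

function Get-AdfsTokenCertificateSummary {
    # Get-AdfsCertificate comes with the ADFS module installed alongside the role.
    # Token-signing and token-decrypting certificates are the material FoggyWeb
    # exfiltrates; record thumbprints as a baseline and rotate on suspected theft.
    Import-Module ADFS -ErrorAction Stop
    Get-AdfsCertificate -CertificateType 'Token-Signing', 'Token-Decrypting' |
        Select-Object CertificateType, IsPrimary,
            @{ Name = 'Thumbprint'; Expression = { $_.Certificate.Thumbprint } },
            @{ Name = 'NotAfter';   Expression = { $_.Certificate.NotAfter } },
            @{ Name = 'Subject';    Expression = { $_.Certificate.Subject } }
}

$unexpected = @(Get-UnexpectedLocalAdmin -Approved $ApprovedAdmins)
if ($unexpected.Count -eq 0) {
    Write-Output "Local Administrators on $($env:COMPUTERNAME) contains only approved principals."
} else {
    Write-Warning "Unexpected members of local Administrators on $($env:COMPUTERNAME):"
    $unexpected | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
}

Write-Output 'AD FS token certificates (baseline these thumbprints; rotate if theft is suspected):'
Get-AdfsTokenCertificateSummary | Format-Table -AutoSize
```

If the certificate listing shows thumbprints you cannot account for, or if a FoggyWeb-style compromise is suspected, the certificates should be treated as stolen; with automatic rollover enabled, `Update-AdfsCertificate -CertificateType Token-Signing -Urgent` forces an immediate rotation, and relying parties and the cloud tenant then need the new signing certificate.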