Shared posts

02 Feb 22:27

Exorcist: The Beginning Ending Explained: The Spot Where Lucifer Fell

by Lee Adams

The two "Exorcist" prequels, "Exorcist: The Beginning" and "Dominion: Prequel to the Exorcist," offer something that may be unique in the whole of cinema: a strange case of one actor playing the same character in two different versions of the same film shot back-to-back. Oh, and the first version was only released after the second proved a total dog. It's a story of epic studio interference that makes the tacked-on ending William Peter Blatty was forced to shoot for "The Exorcist III" seem like a minor tweak. Morgan Creek studio head James G. Robinson was the person responsible for that change, and he one-upped himself when it came to the prequel.

After two directors parted company with the project, he hired Paul Schrader. That might seem like a shrewd choice given the subject matter of doubting priests and matters of the soul, something that Schrader has wrestled with in his screenplays and directorial works throughout his career. Problems arose when Schrader went ahead and made a Paul Schrader film, which Robinson felt wasn't scary or gory enough.

Apparently deciding that his "Exorcist" prequel needed to be more like "The Mummy" movies, he fired Schrader and hired Renny Harlin to jack things up a bit. It wasn't just a case of re-jigging existing material and shooting a few new scenes: Harlin was given another hefty budget on top of the money Schrader had already spent (via Today), re-writing the script, re-casting most of the actors, and re-shooting the entire film.

The result is a hokey CGI-stuffed horror film totally at odds with the original "Exorcist" trilogy, although a side-by-side comparison of the two prequels will provide a treasure trove for film studies tutors who want to demonstrate just how much a director brings to a project. So let's get into the first one ... or should I say, the second?

The Set Up

"Exorcist: The Beginning" opens in the Middle Ages with a bloodied priest staggering through the carnage of a terrible battle. He finds the body of another priest holding the head of a Pazuzu statuette in his lifeless hand, and the camera swoops out to reveal thousands of men crucified upside down.

Next, we're in Cairo in 1949, where Father Lankester Merrin (Stellan Skarsgård) is drinking away his sorrows, having lost faith after his experiences during the Second World War. He is approached by a shady dealer in antiquities called Semelier (Ben Cross) who asks him to find a demonic artifact buried in a Byzantine Christian church in Kenya. The church shouldn't exist in that location because it dates from before Christianity reached that part of Africa.

On his arrival at the site in the Derati valley, Merrin meets the loathsome head excavator, Jefferies (Alan Ford); a kindly doctor, Sarah Novak (Izabella Scorupco); Father Francis (James D'Arcy), a younger priest sent by the Vatican; and Major Granville (Julian Wadham), the British officer overseeing the dig. Merrin learns that the superstitious workmen from the local Turkana tribe won't enter the church for fear of evil spirits.

Gaining access to the church, Merrin and Francis discover some unsettling features. The weapons held by the statuary point downwards rather than heavenwards, and the effigy of Christ on the Cross has been vandalized and inverted. Meanwhile, sinister events unfold in the camp and nearby tribal village. The lead archaeologist Bession (Patrick O'Kane) has been carted away to a sanatorium in Nairobi after being plagued by demonic visions. When Merrin visits him, the man carves a swastika on his chest with a piece of glass and speaks in a voice that takes the former priest back to the event that caused his crisis of faith.

Father Merrin's Loss Of Faith

"Exorcist: The Beginning" gives us a series of flashbacks that gradually reveal why Father Merrin lost his faith. During the Second World War, he was the priest in a small Dutch town under Nazi occupation. When a German soldier was killed, the local SS Commander demanded a summary execution; after shooting a young girl to make Merrin and the townsfolk realize he meant business, he forced the priest to pick ten people to die, otherwise the whole town would be massacred. Merrin was left with no choice but to point out members of his flock to be shot, starting with the elderly men.

"God is not here today," the SS man taunted Merrin, and these same words emerge from the lips of Bession before he slashes his own throat. Father Gionotti (David Bradley), an elderly priest who works at the sanatorium, suggests that Bession wasn't fully possessed but was "touched" by a demon, causing him to have a psychotic breakdown and take his own life. He gives Merrin a copy of the Roman Ritual, the 1614 rites that are used to perform an exorcism. Merrin vows he will never use them.

Back in the Derati valley, a young boy called Joseph (Remy Sweeney) also seems touched, falling into a catatonic state after his brother is ripped to shreds by some incredibly unconvincing CGI hyenas. In the nearby tribal village, the chief's wife gives birth to a stillborn baby covered in maggots, while Jefferies disappears after he is brutally attacked in a bar. Sarah, who has mysteriously begun hemorrhaging blood, tries convincing Merrin that it is all down to a curse. Merrin is still having none of it, stating evil comes from man and not some supernatural entity.

The Terrible History Of The Derati Valley

Tensions are rising between the Turkana and the British; the tribe blames evil coming from the church for the death of the chief's child while the Brits suspect Jefferies was attacked in revenge.

Merrin investigates the church further and discovers a tunnel leading underground to a statue of our old pal Pazuzu, the demon that plagues the protagonists in the original "Exorcist" trilogy. He is also intrigued by a Christian graveyard nearby, supposedly the resting place of villagers who died during a plague 50 years earlier, and decides to excavate a few graves to find out for himself. Meanwhile, tribesmen take the exorcism of Joseph into their own hands and get violently attacked by a demonic force.

Merrin discovers that the graves are empty and confronts Father Francis about it, who tells him the terrible backstory of the Derati valley. 1,500 years earlier, a vast army led by two priests arrived in the area seeking the source of a great evil. The demonic presence lurking in the valley turned the men against each other and only one priest survived. Emperor Justinian of the Byzantine empire ordered a church built over the site to contain the evil below.

All records were meant to be destroyed but, in 1873, a Vatican researcher found a letter referring to the church. Four more priests were dispatched to Kenya to investigate, enlisting the local tribe to help them. Everyone involved disappeared and the Vatican cooked up a cover story, burying empty coffins and keeping people away with rumors of the plague. Father Francis also reveals his true purpose on the dig; he is there to investigate the legend that it is the place where Lucifer fell to earth after the war in Heaven.

The Twist Ending

The animosity between the Turkana tribe and the British troops escalates. After the horribly mutilated body of Jefferies is found strung up in the church, Major Granville takes revenge by executing a tribesman. Merrin's guide, Chuma (Andrew French), tells him that the tribe believes the evil force is inside Joseph and plans to kill him. 

As the British soldiers ready themselves to repel an attack from the tribe, Major Granville shoots himself in the head. Merrin wants to send Father Francis and Joseph to safety in Nairobi, but the CGI sandstorm from "The Mummy" makes an appearance to trap them. Francis suggests taking the boy to the church because the Turkana won't enter; Merrin gives him the copy of the Roman Ritual and heads off to find Sarah.

Merrin makes a shocking discovery in Sarah's room: it is swarming with flies and she has daubed demonic symbols and imagery over the walls in blood. Merrin finds the statuette head of Pazuzu above her bed, the very item he has been hired to find. When he spots a wedding photo revealing that Sarah was married to Bession, he deduces that she also entered the church and became possessed.

This realization comes too late: possessed Sarah sneaks up behind Father Francis in the church and kills him. With things looking bleak, Merrin decides to give God another shot. He enlists Joseph's help to read the rites and vanquish the demon inside Sarah, but she dies shortly afterward. Merrin and the kid emerge from the church to find it has been buried again by the sandstorm and history has repeated itself; the tribal warriors and the British troops lie dead all around.

Sometime later in Rome, Merrin is a priest again. He meets Semelier to say he was unable to find the demonic trinket and heads off toward the Vatican.

Is Exorcist: The Beginning As Bad As You've Heard?

For those who care about what Rotten Tomatoes says, "Exorcist: The Beginning" is currently tied with "Exorcist II: The Heretic" at a Tomatometer score of 10%, although the latter's audience rating is far worse. This may be because John Boorman's widely-hated film has had four decades of people dunking on it to cement its reputation as one of the worst sequels ever made. Renny Harlin's prequel certainly isn't the berserk shock to the system that Boorman's movie provides, but it is a tedious piece of hackery that suggests not a single original thought ever passed through the director's head.

It's a complete mishandling of the "Exorcist" series typified by cheap jump scares, unnecessary gore, and Alan Ford's cartoonish performance as Jefferies who, from this evidence, was asked to play his character exactly like his gangster Bricktop in "Snatch." It also isn't scary at all, beyond the jolt you get when you have a movie shouting "Boo!" in your face every few minutes. There is none of the original's pervading atmosphere of timeless evil, which was summed up by the hushed but dread-laden moment when Father Merrin faces the statue of Pazuzu across a windswept gully. Harlin quotes this moment, but there is no sense that he appreciates what it means; it feels like fan service without any comprehension of what fans of the original actually love about the first movie.

All that said, "Exorcist: The Beginning" isn't anywhere near as unwatchable as its poor reputation suggests. A large part of that comes down to Stellan Skarsgård, who pulls off the quietly extraordinary feat of carrying a movie as shallow as this with a nuanced performance that deserves far better.

Exorcist: The Beginning Ending Explained

The finale of "Exorcist: The Beginning" perhaps doesn't need much explaining. It's pretty much all there on the screen, a story of a doubting priest who rediscovers his faith just in time to perform the requisite exorcism that the brand demands. It is perhaps more interesting to discuss how it plays out in the context of the original trilogy, particularly William Friedkin's first film.

Renny Harlin's hack job broadly hits the main beats, especially the theme of recurrent age-old evil. You also have Father Merrin's crisis of faith which somewhat mirrors that of Father Karras (Jason Miller) in the original. Unfortunately, Harlin only pays lip service to these ideas while ladling on the cheap scares and nasty gore, resulting in a film that is almost totally devoid of the philosophical and theological underpinnings that made "The Exorcist" so powerful. For all the original film's show-stopping scenes of demonic possession, screenwriter William Peter Blatty was very serious about exploring a battle between good and evil, and Friedkin's quasi-documentary approach added to its chilling believability.

Paul Schrader's prequel (which I'll cover in greater detail in the next explainer article) also treats the nature of evil with the utmost sincerity, but only the barest vestige of his efforts remains in the Renny Harlin version. The jarring disconnect is further tainted by making the possessed person in need of an exorcism Merrin's tacked-on love interest; he and Sarah have a kiss and cuddle earlier in the movie. This stands at odds with the selfless love and integrity of Merrin and Karras in the first film, who sacrifice themselves to save an innocent from evil without any reassurance that God has their backs. This fundamental misunderstanding, or sheer lack of interest, in what made the first film so captivating reduces "Exorcist: The Beginning" to a strictly by-the-numbers origin story for Father Merrin.


The post Exorcist: The Beginning Ending Explained: The Spot Where Lucifer Fell appeared first on /Film.

02 Feb 22:27

If You Liked Alita: Battle Angel, It's Time To Check Out Battle Angel

by Danielle Ryan

The 1990s were a bountiful time for fans of cyberpunk, that beautiful science fiction subgenre that deals in transhumanism, the dangers of corporate rule, and exploring the capabilities of artificial intelligence. Films like "Johnny Mnemonic" would introduce the cyberpunk concepts of the 1980s to a wider audience through the magic of the movies, but there are many other, less well-known cyberpunk creations that deserve some love. While it's not technically a movie, the 1993 anime OVA "Gunnm," released in the west as "Battle Angel," is about an hour long and was released in the U.S. on a single VHS, so it sure felt like a movie. It's also an excellent adaptation of one of the best sci-fi manga series ever that inspired James Cameron and Robert Rodriguez to do everything they could to make a live-action adaptation a reality.

"Battle Angel" was based on the "Battle Angel Alita" manga series by Yukito Kishiro, and was comprised of two parts: "Rusty Angel" and "Tears Sign," each serving as a compressed version of one of the first two volumes of the manga. The OVA, directed by Hiroshi Fukutomi, is a shocking look at the future, when the rich can leave everything behind and the rest of us are left fighting for the scraps. There's a reason so many talented creatives have been drawn to this franchise, and the OVA is a great introduction.

Love And Cyborgs

"Battle Angel" follows Alita, a centuries-old cyborg who has lost most of her memories. She is rescued and awoken from her several-hundred-year slumber by Daisuke Ido, a cyberphysician who mostly makes his living fixing up people's broken cybernetics. The resurrected Alita goes by the name "Gally," and she has both rare technology inside of her and latent combat skills that make her something of a super-being among her cyborg peers. Despite being centuries old and having a lifetime of experiences before her hibernation, Gally has the temperament of a teenage girl, which can be a bit frustrating when combined with her incredible speed and skill. She's an unstoppable force, but she's also impetuous and very human (at least her brain and spine are), and ends up falling in love with Yugo, a teenage boy who does maintenance work for Ido and has big dreams of moving up to the city in the sky, Zalem. He's so obsessed with Zalem that he doesn't even take Gally seriously when she shows him affection, so she tries to earn his love by saving up money to get them both to Zalem.

Gally gets that money by being a hunter-warrior (a bounty hunter), putting herself in incredible danger and bloodying her robot hands, but she's pretty darn good at it. (If the OVA had gotten a chance to go further and dig into the other manga volumes, we would have also gotten to see her become an alternative sports champion of sorts by competing in killer rollerball, but sadly, it was cut short at just two episodes.) Despite all of Gally's hard work to get herself and Yugo out of the sprawling dystopian city of Scrapyard and into Zalem, however, things aren't quite that simple.

The City In The Sky

Gally and Yugo will never be allowed into the city in the sky for a variety of reasons, but chief among them is the classism of Zalem. The people who live in the sky believe that they are better than the people of Scrapyard, and the only way anyone's really allowed in from below is if they're the winner of one of the murdery roller derby competitions, earning a kind of celebrity status. It's very "Hunger Games" in that way, though the gladiators in roller combat are there by choice and not because they were selected in some kind of bogus lottery. The classism is all very similar though!

Fears of total separation between the haves and have-nots have been a part of fiction going back to Victor Hugo's "The Hunchback of Notre Dame," which posited that the streets of Paris were Hell itself, but "Battle Angel" takes the idea to another level. Zalem is the idea of heaven, and people in Scrapyard are willing to sacrifice anything in order to get there. It's a timeless fear, but one that becomes far more terrifying in a neo-capitalist cyberpunk future. As we've been heading towards a similarly oppressive world ourselves, the class allegory of "Battle Angel" feels more timely than ever.

A Lasting Impact

In 2019, "Desperado" filmmaker Robert Rodriguez gave us his version of "Gunnm" with "Alita: Battle Angel," starring Rosa Salazar in the eponymous role. It drew heavily from the first two manga volumes and contains a lot of the same story as the "Battle Angel" OVA, including Gally falling in love with a young man intent on getting into Zalem. It also managed to squeeze in some of the roller combat, which is great because it's a proper-sized arc in the manga and beloved by fans. "Alita: Battle Angel" has a deeply loyal fanbase, and even if you didn't like it, "Battle Angel" is worth checking out. It's a little more violent and sexual than its live-action counterpart (anime in the '90s was a helluva thing), so I don't recommend showing any younger fans unless you want to give them serious kindertrauma.

Zalem and "Battle Angel" also bear similarities to Neill Blomkamp's "Elysium," though that movie is significantly more self-serious and doesn't have nearly enough robot rollerblade battles. On the opposite end of the spectrum, Rodriguez's film is more of an action-adventure than the OVA, which is pretty dour in places because its story is ultimately a tragedy that sets Gally's overall adventure into motion.

It would be incredible to see another attempt at an anime series based on "Battle Angel Alita," and since it has fans as famous as James Cameron, Rodriguez, and Guillermo del Toro, it could possibly happen. "Gunnm" is the perfect story for animation, and it's as timely as ever, so maybe we'll get a chance to see Gally kick some cyborg butt again sometime soon. Until then, go back and check out "Battle Angel."


The post If You Liked Alita: Battle Angel, It's Time to Check Out Battle Angel appeared first on /Film.

02 Feb 22:24

Deliver Us Mars review: a family and a planet in crisis

by Katharine Castle

With the world continuing to disintegrate around us in real-time, it can be tempting to cast our eyes skyward in the hope of finding a better future. If KeokeN's Deliver Us games are anything to go by, though, life in outer space isn't all that peachy either. In Deliver Us The Moon, you may remember the scientists in charge of the moon's Earth-saving energy beam tech ended up having a bit of a Rapture moment, sabotaging all their good work (and the future of Earth in the process) and buggering off to goodness knows where to start life afresh in their newly birthed utopia. In its sequel, Deliver Us Mars, you find out those rogue astronauts didn't actually go that far at all. Yep, they hopped on over to the red planet and set up shop there, and when a strange transmission comes through revealing their location, it serves as the catalyst to send yet another crew into space to go and investigate.

This time, though, you're right at the heart of its central conflict. By casting players as Kathy, the daughter of one of those rogue astronauts, Deliver Us Mars tells a much more fraught and personal tale of what kind of future humanity should be pursuing: should we, in fact, be turning our efforts toward a life in outer space, or should we be doing everything in our power to try and save the dire, pretty much almost dead husk of a planet we call home?


02 Feb 22:23

'Less Clumpy' Universe May Suggest Existence of Mysterious Forces

by msmash

One of the most precise surveys of the structure of the universe has suggested it is "less clumpy" than expected, in findings that could indicate the existence of mysterious forces at work. From a report: The observations by the Dark Energy Survey and the South Pole Telescope chart the distribution of matter with the aim of understanding the competing forces that shaped the evolution of the universe and govern its ultimate fate. The extraordinarily detailed analysis adds to a body of evidence that suggests there may be a crucial component missing from the so-called standard model of physics. "It seems like there is slightly less [clumpiness] in the current universe than we would predict assuming our standard cosmological model anchored to the early universe," said Eric Baxter, an astrophysicist at the University of Hawaii and co-author of the study. The results did not pass the statistical threshold that scientists consider to be ironclad enough to claim a discovery, but they do come after similar findings from previous surveys that hint a crack could be opening up between theoretical predictions and what is actually going on in the universe. "If the finding stands up it's very exciting," said Dr Chihway Chang, an astrophysicist at the University of Chicago and a lead author. "The whole point of physics is to test models and break them. The best scenario is it helps us understand more about the nature of dark matter and dark energy."

Read more of this story at Slashdot.

02 Feb 22:22

Anker Finally Comes Clean About Its Eufy Security Cameras

by BeauHD

An anonymous reader quotes a report from The Verge: First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn't answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams -- among other questions -- we would publish a story about the company's lack of answers. It worked. In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted -- they can and did produce unencrypted video streams for Eufy's web portal, like the ones we accessed from across the United States using an ordinary media player. But Anker says that's now largely fixed. Every video stream request originating from Eufy's web portal will now be end-to-end encrypted -- like they are with Eufy's app -- and the company says it's updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request. That's not all Anker is disclosing today. The company has apologized for the lack of communication and promised to do better, confirming it's bringing in outside security and penetration testing companies to audit Eufy's practices, is in talks with a "leading and well-known security expert" to produce an independent report, is promising to create an official bug bounty program, and will launch a microsite in February to explain how its security works in more detail. Those independent audits and reports may be critical for Eufy to regain trust because of how the company has handled the findings of security researchers and journalists. It's a little hard to take the company at its word!

But we also think Anker Eufy customers, security researchers and journalists deserve to read and weigh those words, particularly after so little initial communication from the company. That's why we're publishing Anker's full responses [here]. As highlighted by Ars Technica, some of the notable statements include:

- Its web portal now prohibits users from entering "debug mode."
- Video stream content is encrypted and inaccessible outside the portal.
- While "only 0.1 percent" of current daily users access the portal, it "had some issues," which have been resolved.
- Eufy is pushing WebRTC to all of its security devices as the end-to-end encrypted stream protocol.
- Facial recognition images were uploaded to the cloud to aid in replacing/resetting/adding doorbells with existing image sets, but this has been discontinued. No recognition data was included with images sent to the cloud.
- Outside of the "recent issue with the web portal," all other video uses end-to-end encryption.
- A "leading and well-known security expert" will produce a report about Eufy's systems.
- "Several new security consulting, certification, and penetration testing" firms will be brought in for risk assessment.
- A "Eufy Security bounty program" will be established.
- The company promises to "provide more timely updates in our community (and to the media!)."

Read more of this story at Slashdot.

02 Feb 18:30

Dangerous Fungi Are Spreading Across US as Temperatures Rise

by msmash

Dangerous fungal infections are on the rise, and a growing body of research suggests warmer temperatures might be a culprit. From a report: The human body's average temperature of 98.6 degrees Fahrenheit has long been too hot for most fungi to thrive, infectious-disease specialists say. But as temperatures have risen globally, some fungi might be adapting to endure more heat stress, including conditions within the human body, research suggests. Climate change might also be creating conditions for some disease-causing fungi to expand their geographical range, research shows. "As fungi are exposed to more consistent elevated temperatures, there's a real possibility that certain fungi that were previously harmless suddenly become potential pathogens," said Peter Pappas, an infectious-disease specialist at the University of Alabama at Birmingham. Deaths from fungal infections are increasing, due in part to growing populations of people with weakened immune systems who are more vulnerable to severe fungal disease, public-health experts said. At least 7,000 people died in the U.S. from fungal infections in 2021, the Centers for Disease Control and Prevention said, up from hundreds of people each year around 1970. There are few effective and nontoxic medications to treat such infections, they said.

Read more of this story at Slashdot.

02 Feb 18:29

Antarctica's Only EV Had To Be Redesigned Because of Climate Change

by msmash

Most electric vehicles get upgrades to boost performance or range, but Antarctica's one and only EV has received a tune-up due to the realities of climate change. From a report: Venturi has revealed that it upgraded its Venturi Antarctica electric explorer early last year due to warmer conditions on the continent. The original machine was designed to operate in winter temperatures of -58F, but the southern polar region is now comparatively balmy at 14F -- and that affected both crews and performance. The company has added a ventilation system and air intakes to the front of the Antarctica to prevent overheating in the cockpit, while additional intakes keep the power electronics from cooking. Redesigned wheel sprockets were also necessary to maximize the tracked EV's capabilities. The warmer snow was sticking to the sprockets, creating vibrations as it compacted and hardened. Future upgrades will help restore range lost to changing snow consistency. The Antarctica is built to cover 31 miles, but scientists have been limiting that to 25 miles.

Read more of this story at Slashdot.

02 Feb 11:48

Dead Space Remake Reportedly Runs Faster on NVIDIA GPUs with Manual Activation of ReBAR

by Alessio Palumbo


It seems like the Dead Space remake can run up to 35 frames per second faster on NVIDIA GPUs after the manual activation of the Resizable BAR feature.

The report originated from Reddit user sxKYLE, who tested the game on his PC (powered by GeForce RTX 4080 and Intel i7 9700K) at 3440x1440 with max settings after manually enabling ReBAR and noticed a massive performance boost.

[Screenshots: two pairs of benchmark captures comparing ReBAR OFF and ReBAR ON]

The Reddit post immediately gained a lot of traction, with users wondering why NVIDIA doesn't just enable ReBAR for all games. The answer came swiftly, thanks to NVIDIA rep pidge2k.

It is not so straightforward. We test games across multiple levels and across each new build of a game before release. So while some users may see a bump in performance in one level/map, if you try a different level/map, the game assets might be quite different and users may not benefit as much or, worse, experience a regression in FPS/frame times.

As for the Dead Space remake, we are still testing ReBAR performance, so there is a chance we may enable it in a future driver. For those who are not familiar with Resizable BAR, I encourage you to read our GeForce.com article on this subject: https://www.nvidia.com/en-us/geforce/news/geforce-rtx-30-series-resizable-bar-support

Resizable BAR was introduced by NVIDIA in January 2021 as a response to AMD's Smart Access Memory. If you wish to enable the feature in the Dead Space remake or any other game, you can follow our guide on using the NVIDIA Inspector tool for this purpose.

In other news, EA Motive recently released a patch that lets Dead Space PC players disable Variable Rate Shading when using NVIDIA DLSS or AMD FSR, improving the game's image quality. However, the developers still haven't addressed the pervasive stuttering problems.

The post Dead Space Remake Reportedly Runs Faster on NVIDIA GPUs with Manual Activation of ReBAR by Alessio Palumbo appeared first on Wccftech.

02 Feb 03:48

Star Trek II: The Wrath Of Khan Ending Explained: I Feel Young

by Devin Meenan

When a story is part of a long-running series, it's harder to appreciate its ending. Doubly so for a film like "Star Trek II: The Wrath of Khan," which innately does not stand on its own. It's a sequel, but not so much to the first film as to the TV series episode "Space Seed." Said episode depicted the Enterprise discovering the ancient ship "SS Botany Bay" adrift in space. Aboard is Khan Noonien Singh (Ricardo Montalban), a genetically enhanced tyrant from Earth's past. After failing to seize the Enterprise, Khan and his crew are exiled to Ceti Alpha V, an uncivilized, out-of-the-way planet: "It's better to reign in Hell than serve in Heaven."

"The Wrath of Khan" is best experienced if you're familiar with its characters' backgrounds. Likewise, its own sequel, "The Search for Spock," is centered around undoing the ending of "Khan," where Spock (Leonard Nimoy) sacrifices himself to save his friends. Thus, looked at as part of a larger canon, "The Wrath of Khan" can feel like a transient film. And yet, it's also a classic and the most satisfying of the six "Star Trek" films starring the original cast.

Divorcing the film from canon and judging it on its own merits, here is how the film's themes and characterizations tie together in a complete package.

Aging And Consequence

"The Wrath of Khan" features the 50th birthday of Captain James T. Kirk (William Shatner). Kirk's character arc in the film is a mid-life crisis. In the series, he was always a clever, larger-than-life adventurer. Now he's unsure if he can be that adventurer anymore and is humanized because of it. As Dr. McCoy (DeForest Kelley) pointedly asks his Captain, "Damn it Jim, what the hell is the matter with you? Other people have birthdays, why are we treating yours like a funeral?" McCoy answers his own question by gifting Kirk a pair of reading glasses, the implication being that Kirk can't rely on his own dulled senses anymore.

All Kirk seems to have left is consequences. For one, there's his son David Marcus (Merritt Butrick), who was raised by his mother Carol (Bibi Besch) since Kirk was never around to be a father. Now that his relationship with David is non-existent, Kirk questions if he made the right decision.

A more unexpected consequence comes from Khan. As it turns out, Ceti Alpha V's neighboring planet exploded a mere six months after Khan's exile. With their new home ravaged by the shockwave, the Botany Bay crew barely clung to survival. Kirk never paid Khan a second thought after "Space Seed." Khan, though, spent every day of those 15 years thinking of Kirk. When the Starfleet ship Reliant visits the Ceti Alpha system, Khan hijacks the ship to get his revenge.

Melville Allusions

While reigning in hell, Khan's only entertainment was a small library of classic literature. Among them is Herman Melville's "Moby Dick." Now Khan has cast himself in the role of Ahab, determined to get revenge for a long-past wound. He even paraphrases Melville to explain his pursuit of Kirk. Khan's levelheaded lieutenant Joachim (Judson Scott) is Starbuck; he offers his leader sound advice only to be ignored.

Of course, anyone who's read "Moby Dick" (and many who haven't) could tell you how it ends. Ahab's obsession with killing the white whale destroys not only the captain himself but his crew too. The same happens to Khan's crew, who follow their leader to defeat and death. As Khan lays dying and makes one final play to destroy the Enterprise, he again quotes Melville: "To the last, I grapple with thee ... From Hell's Heart I stab at thee ... For hate's sake, I spit my last breath at thee."

The beautiful prose, and Montalban's acting, belie how futile these words are. Ahab utters them just as he stabs the white whale with his harpoon, yet fails to inflict any lethal damage. Khan, likewise, fails to kill Kirk.

No-Win Scenario

"The Wrath of Khan" opens with Starfleet cadet Saavik (Kirstie Alley) taking a battle simulation test called the Kobayashi Maru. In said test, the cadet role-plays as a starship captain who has to rescue the eponymous ship trapped in Klingon territory. If you don't rescue the ship, the Kobayashi Maru crew dies. If you try to rescue it, Klingons appear and your crew dies. As explained later, the test is unwinnable and designed to teach cadets about no-win scenarios. Kirk, though, cheated when he took the test, for he doesn't believe in no-win scenarios. The film is designed to test that belief.

During the first battle with Khan, the Enterprise is disabled. Kirk pulls a last-minute ploy, transmitting a code to disable Reliant's shields. If it fails, the Enterprise is doomed. Thankfully, as with so many of Kirk's gambles, the plan works. It's not completely a winning hand, though. Due to the attack, one of the engineering cadets, Scotty's (James Doohan) nephew Peter, is dead, foreshadowing the soon-to-come sacrifice that will break Kirk's heart.

When Khan sets the disabled Reliant to detonate, Spock exposes himself to lethal radiation to reactivate the Enterprise's warp drive. The parallels between this and the Kobayashi Maru test are spelled out when the dying Spock admits to Kirk that he never took the test before: "What do you think of my solution?"

This focus on the no-win scenario is another way that "The Wrath of Khan" is focused on consequences. Not every outcome can be a flawlessly executed Corbomite Maneuver, and sometimes people die because of that.

New Genesis

The MacGuffin of "The Wrath of Khan" is called the Genesis device. Developed by the Marcuses, it can terraform planets to create new life where there was none. When Khan learns of it, acquiring it becomes his secondary goal (after killing Kirk). Khan's last plan to destroy the Enterprise is to activate Genesis — the result is a new planet, where Spock's body is laid to rest.

Genesis is another of the film's literary allusions, this one to the Bible instead of Herman Melville. The metaphor also reflects Kirk, not Khan; the hero undergoes a metaphorical rebirth over the film. He begins "The Wrath of Khan" feeling, "Old and worn out." Subsequent events, as traumatic as they can be, shake him out of this. For one, Kirk has reconciled with David and they now have the chance at building a relationship.

While Spock is gone, Kirk won't let his friend's death be the end of the journey. As Kirk looks out at the Genesis planet, he quotes Charles Dickens' "A Tale of Two Cities," a book Spock had given him for his birthday. That novel ends with one man giving his life to save another from execution. Kirk realizes that this is what Spock has done for him. Ensuring that sacrifice isn't in vain rejuvenates Kirk. Holding back tears, he now declares, "I feel young." Meanwhile, the late Spock is the one who delivers the closing narration ("Space, the final frontier ..."), showing how his memory now pushes Kirk forward.

Read this next: 13 Reasons Why Deep Space Nine Is The Best Star Trek Show

The post Star Trek II: The Wrath of Khan Ending Explained: I Feel Young appeared first on /Film.

01 Feb 22:46

One Of Adam Sandler's Weirdest Movies Gave Us One Of Ozzy Osbourne's Best Cameos

by Matthew Bilodeau

Earlier today marked the end of an era, as heavy metal legend Ozzy Osbourne has announced that he's ending his touring career for good. His underlying health issues have made it difficult for the Black Sabbath singer to go through with the demanding requirements that a tour requires. Thankfully, Osbourne hasn't ruled out making an appearance down the line if the circumstances are right, given that he claims that his vocals are in pretty good shape.

For all of the waves he made on stage, however, Osbourne could also be seen popping up in a movie every now and then for a small cameo. A few notable examples would be "Moulin Rouge!," "Austin Powers: Goldmember," and "Ghostbusters: Answer the Call" (2016). In most of these cases, he's playing a variation on himself. He's become one of those faces you could recognize almost instantly, thanks to his larger-than-life persona. But if we're talking about a film appearance that truly spoke to Osbourne's stature as the Prince of Darkness, then you have to go with "Little Nicky." Although it occupies a strange space in Adam Sandler's career, as the film features one of the comedian's most grating character voices, there are still a few surprisingly funny bright spots every now and then.

The big-budget 2000 horror comedy stars Sandler as Nicky, the son of the Devil, who is tasked with restoring balance after his demonic brothers escape the confines of hell to make New York their own personal playground. Regis Philbin, Dan Marino, and Henry Winkler all make cameos throughout the film as themselves, but it's Osbourne's triumphant entrance that gives the film one of its most memorable gags.

Deus Ex Osbourne

The climax of "Little Nicky" sees Adrian (Rhys Ifans) literally raising hell in the middle of Central Park, after forcefully claiming his seat on the throne from his father (Harvey Keitel). Nicky, meanwhile, is pulling out his newfound angel powers to combat Adrian's evil with kindness. Say what you will about this film, but Ifans is having way too much fun playing a bratty and stylish son of Satan to not get sucked into his performance. He's practically eating up the screen. But what this larger than life villain didn't account for was someone who would take an even bigger bite.

Nicky saves his best trick for the last minute. Just as it seems Adrian is about to win, the Prince of Darkness is unleashed. Osbourne grabs the demonic troublemaker, now in the form of a bat, and bites his freaking head off. Of course, this references the infamous 1982 concert in Des Moines, Iowa, where the singer bit into the head of a bat after mistaking it for rubber. Whereas that was a case of some really bad luck, here the bat-biting essentially saves the world from eternal darkness.

One of my favorite things about this moment is that, through the power of Lucifer, Osbourne's mouth becomes unnaturally large, so as to make sure he gets the whole bat in, before spitting it back into a flask-shaped ghost trap. I also love how, when Nicky needs to die, Osbourne presents a huge rock to bash his skull in. "Here, kill him with this," he says with a gleeful smile on his face. Ozzy wouldn't have it any other way.

"Little Nicky" is currently available for rental or purchase on most VOD streaming platforms.

Read this next: Adam Sandler's 14 Best Roles Ranked

The post One of Adam Sandler's Weirdest Movies Gave Us One of Ozzy Osbourne's Best Cameos appeared first on /Film.

01 Feb 22:46

Kenya Barris Took Inspiration From Father Of The Bride When Writing And Directing You People

by Jeremy Smith

When Kenya Barris and Jonah Hill came together to write a comedy about a Black woman and Jewish man who fall in love, decide to marry, and suddenly find their parents either objecting to their proposed union or making it really weird, it was impossible to not view the project as a riff on, or an outright remake of Stanley Kramer's "Guess Who's Coming to Dinner." Considering that Kramer's film has aged like a Kroger cheese plate in the sun, and the 2005 remake, despite being a modest box-office success, is only referenced nowadays when people lament that Kramer's film ever existed, a smart director would likely, aggressively deny any influence or association.

Still, watch the movie: if "You People" isn't a post-Obama spin on Kramer's film, what exactly is it? Barris is happy you asked. He had another Hollywood film on his mind, one that was actually good, and which recently had its own updated remake.

Barris Went Minnelli Instead Of Kramer

According to an interview with Simon Thompson for Forbes, "Guess Who's Coming to Dinner" was the furthest thing from his mind when Kenya Barris got to work on the script with Jonah Hill — though he understands why people are so quick to compare the two movies. Still, he thinks their aims and framing are entirely different. As Barris told Thompson:

"The rules are so reversed. That was race-based, and this is culture-based. 'You People' was based upon seeing characters that we haven't seen who are the Black guy who doesn't want his Black daughter to marry a white guy because he feels like he raised a princess. There's the liberal woke mom who really wants this because she secretly fetishizes it in a different kind of way."

Barris viewed "You People" as a wedding movie, so he looked to one of the most beloved comedies from this subgenre. "If I watched anything ..." he said, "Something I watched was 'Father of the Bride,' but when I'm writing things, I try to stay away from things that inspire me because they often will rub off and dilute your own personal freedom."

Prioritizing Inclusivity

Kenya Barris' statement tracks. Though I personally think "You People" is a kind-hearted, reconciliation-minded "Get Out," the never-more-than-perturbed tone is a latter-day complement to Vincente Minnelli's 1950 original "Father of the Bride" and the 1991 Charles Shyer/Nancy Meyers remake of the same name. There's a good deal of critical consternation out there about Barris' movie's lack of an edge, but the creator of "black-ish" has always leaned toward inclusiveness. He wants to bring people together in an honest manner, where people regard each other with good faith.

The parents here are products of a strange era. One set has its guard up, the other couple is basically exoticizing their potential daughter-in-law. Our problems are so much bigger than this, but there's nothing wrong with Barris and Jonah Hill speaking from wide-open hearts. "You People" presents a best-case scenario, one worth wishing for, even if it isn't exactly in line with how the situation would likely play out in real life.

Read this next: Up-And-Coming Black Directors That Will Help Shape The Future Of Entertainment

The post Kenya Barris Took Inspiration From Father Of The Bride When Writing And Directing You People appeared first on /Film.

01 Feb 22:18

Netflix Unveils Plans To Prevent Password Sharing

by msmash
Netflix has unveiled its plans to prevent password sharing between people in households outside of an account owner's primary location. From a report: As reported by gHacks, the streaming service has detailed how it aims to crack down on account sharing in an updated FAQ. The information varies between countries, but it looks like the company will be paying careful attention to the devices used to log in to accounts from now on. The FAQ pages for US and UK subscribers currently highlight that devices may require verification if they are not associated with the Netflix household or if they attempt to access an account outside the subscriber's primary location for an extended period of time. The FAQ pages for countries where Netflix is testing extra membership fees for account sharing have tweaked the rules. The Costa Rican Help Center states that devices must connect to the Wi-Fi at the primary location and watch something on Netflix "at least once every 31 days." The company will use information "such as IP addresses, device IDs, and account activity" to determine whether a device signed into an account is connected to the primary location. A device may be blocked from watching Netflix if it's deemed to fall outside of the household. As further set out in the guidelines, if you are the primary account owner and you find yourself travelling between locations, you can request a temporary code to access Netflix for seven consecutive days. Alternatively, you can update your primary location if it has changed.

Read more of this story at Slashdot.

01 Feb 22:17

Austin Powers Cameos Jumped The Shark With The Osbournes

by Witney Seibold

The three Austin Powers movies, released from 1997 to 2002, are a seemingly forgotten pop culture curio that perhaps requires some context. This might be an entertainment franchise that is, in 2023, sliding gently into memory, a huge blockbuster relegated to trivia cards and stories. 

In the late 1990s, a wave of what might be called "ironic nostalgia" swept across the youth landscape. It was a time when postwar lounge music and 1940s swing could be heard on mainstream radio stations alongside the day's hip-hop and grunge records. Squirrel Nut Zippers and Big Bad Voodoo Daddy had hits. Doug Liman's 1996 film "Swingers" fetishized long-gone 1960s cocktail culture, and the films of Quentin Tarantino heavily quote exploitation cinema of the 1970s. Some of these homages were affectionate, many weren't. 

Into the middle of this came Jay Roach's "Austin Powers: International Man of Mystery," a James Bond spoof written by and starring Mike Myers. The "Austin Powers" movies presented an exaggerated version of early Bond flicks, but with its title hero cryogenically frozen and revived in the 1990s when social mores had altered considerably. The first film wasn't initially a hit but gained an enormous audience once it hit home video. After that, the film earned a great deal of cultural traction, and eventually, a sequel was made. In 1999, "Austin Powers: The Spy Who Shagged Me" was a huge, huge hit, making over $200 million on a $30 million budget. 

The third film in the series, 2002's "Austin Powers in Goldmember," now confident in the series' power, was granted a $63 million budget and boasted an impressive litany of cameo appearances. Most baffling to audiences in 2023 will likely be the appearance of Ozzy Osbourne and his family. 

A Cameo From Home

A little context on the Osbournes. Ozzy, the lead man of the metal band Black Sabbath, had become notorious for his on-stage shenanigans, including a well-publicized event in 1982 when he — without really understanding that he was holding a real animal — bit the head off of a bat live on stage. Ozzy's stage persona was threatening and demonic, and he was often seen with wild eyes and a big grimace on his face. Also in 1982, Ozzy married his wife Sharon, and by 2002, they had three teenage kids named Aimee, Jack, and Kelly. MTV, seeing that Ozzy was a family man, figured audiences might be entertained seeing the shock rocker in a domestic situation and launched "The Osbournes," a reality TV show that merely followed Ozzy, Sharon, Jack, and Kelly around with cameras and made note of their propensity for profanity and off-kilter personalities. 

"The Osbournes" only aired from 2002 to 2005, but it took hold of the popular consciousness in a big way. In the early 2000s, a lot of reality TV was not-so-subtly based in schadenfreude, and audiences regularly tuned in to laugh with — but also to laugh at — the Osbourne family. Ozzy (for the second time) and his wife and kids (for the first time) all became celebrities. 

Striking while the iron was hot, the makers of "Goldmember" managed to snag the Osbournes for a cameo. Even at the time, the cameo felt like pandering, the filmmakers clearly trying to cash in on a hot, trendy TV show rather than write quality comedy. It's an early example of "comedy of recognition," a tactic that hopes to elicit laughs merely by presenting a specific reference out of context. The Friedberg/Seltzer comedies of the 2000s used this tactic ad nauseam. 

The Boob Joke

The Osbournes' joke wasn't even particularly funny. The "Austin Powers" films were pointedly ribald, using a great deal of sophomoric sexual innuendo and potty humor. The film would use cleverly obscured subtitles to make it look like someone might be cussing, or editing to put naughty words in characters' mouths. 

Case in point: the villain of "Goldmember," Dr. Evil, uses his evil powers to shoot down a satellite. The satellite, to elicit titters, resembles a pair of breasts. This will lead to random strangers gazing up at the heavens and remarking "Hey! That looks like..." and then interrupted by an edit. The next scene would begin with a fruit vendor shouting "Melons! Melons for sale!" The naughty word was immediately turned into something innocuous. It is jejune by design, of course. "The Spy Who Shagged Me" employed a similar gag with a phallic rocket ship. 

During the breast-shaped satellite sequence, the camera cut to the Osbournes sitting on a couch, with Ozzy yelling "Boobs!" as his punchline. The people who made the Austin Powers movies are boobs, the family then agrees. They cuss a lot, with their plentiful f-bombs bleeped out as they would be on their MTV show. After a brief moment of banter, the film resumes. 

While the first "Austin Powers" film was often crass, there was at least a commentary: behavior considered "playful" and "sexy" in the 1960s would, by the 1990s, be understood as sexual harassment. Venerating early James Bond was to condone his bad behavior. By "Goldmember," the commentary was gone, and only the crassness remained. Additionally, the series was getting too big for its britches, using its money for immediately-dated pop references. 

Ozzy may be a metal god, but a (scripted) comedy star he was not. 

Read this next: 20 Underrated Comedy Movies You Need To Watch

The post Austin Powers Cameos Jumped the Shark with The Osbournes appeared first on /Film.

01 Feb 20:44

Tamper protection on macOS is now generally available

by Camilla_Djamalov

We are pleased to announce that Microsoft Defender for Endpoint's tamper protection feature, previously available in Public Preview, is now generally available on macOS devices and will be rolling out over the next few days. 

 

Ensure that you are running Microsoft Defender for Endpoint for macOS version 101.75.90 or later, available through Microsoft AutoUpdate, to use the capability.

 

What is Tamper protection?

Tamper protection adds a layer of defense in Microsoft Defender for Endpoint against attempts to uninstall or modify the agent itself, a common step in hands-on-keyboard intrusions, and so raises the endpoint security posture of organizations. Reliably securing endpoints is crucial for any organization, and extending tamper resilience across the platforms it runs is a real advantage for teams working to strengthen their endpoint security.

 

What does this mean for me?

This feature will be released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability.

In audit mode, you will notice the following events will be logged (audited):

  • Actions to uninstall Defender for Endpoint agent
  • Deletion/renaming/modification of Defender for Endpoint files
  • The creation of new files under Defender for Endpoint installation locations

While in audit mode, tamper protection signals can be viewed via Advanced Hunting and in local on-device logs. No tampering alerts are raised in the Microsoft 365 Defender portal while in audit mode; alerts are raised only in block mode.

 

To observe tampering events in the portal, you can use the following query in Advanced Hunting:

 

DeviceInfo
| where OSPlatform == 'macOS'
| join kind=rightsemi (
DeviceEvents
| where ActionType contains "TamperingAttempt"
) on DeviceId

 

Figure 1: Querying for tampering events via Advanced Hunting (screenshot not reproduced here)

 

If you want to check the status of the feature on a single device, run the command "mdatp health" and look for the tamper_protection field; it displays "audit", "block" or "disabled" according to your configuration.

 

The logs can also be found locally on the device. Tampering events are logged in /Library/Logs/Microsoft/mdatp/microsoft_defender_core*.log.
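The two local checks above (the tamper_protection field of "mdatp health" and the core log) are what an MDM compliance script or a host audit during an engagement actually needs to automate. The script below is an added example, not code from the post or from Microsoft. It assumes that "mdatp health" prints one "key : value" pair per line with string values in double quotes, that the core log lives at the path quoted above, and that tampering entries in that log carry the same "TamperingAttempt" token as the DeviceEvents ActionType in the Advanced Hunting query (that last spelling is an assumption, so the match is case-insensitive). The sample health output and log lines embedded in it are constructed so the script runs on a machine without the agent installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Microsoft.
# Audits Defender for Endpoint tamper protection (TP) on a macOS endpoint:
# parse `mdatp health`, classify the TP mode, and count tampering entries in
# the local core log. Assumptions: `mdatp health` prints "key<spaces>: value"
# lines with string values in double quotes; the log path is the one the post
# names; the "TamperingAttempt" token appears in the local log (assumed).

LOG_GLOB='/Library/Logs/Microsoft/mdatp/microsoft_defender_core*.log'

# Constructed sample of `mdatp health` output, used when mdatp is not installed.
SAMPLE_HEALTH='healthy                        : true
app_version                    : "101.75.90"
real_time_protection_enabled   : true
tamper_protection              : "audit"
definitions_updated            : Jan 31, 2023 at 10:00:00 AM'

# Constructed sample log lines standing in for microsoft_defender_core*.log.
SAMPLE_LOG='[2023-02-01 20:44:01] info  engine started
[2023-02-01 20:45:12] warn  TamperingAttempt: unlink /Library/Application Support/Microsoft/Defender/foo.bin
[2023-02-01 20:45:13] warn  TamperingAttempt: rename /Applications/Microsoft Defender.app
[2023-02-01 20:46:00] info  definitions updated'

# mdatp_field NAME: read health output on stdin, print the unquoted value of NAME.
# Splits on the first colon only, so timestamp values containing colons survive.
mdatp_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" \
        | sed 's/^"//; s/"$//' | head -n 1
}

# tp_status MODE: exit 0 for block, 1 for audit, 2 for disabled, 3 for anything
# else, so a caller can fail a compliance check unless TP is actually enforcing.
tp_status() {
    case "$1" in
        block)    return 0 ;;
        audit)    return 1 ;;
        disabled) return 2 ;;
        *)        return 3 ;;
    esac
}

# count_tamper_events: read log text on stdin, print the number of tampering
# entries (case-insensitive because the local log wording is an assumption).
count_tamper_events() {
    grep -ci 'tamperingattempt' || true
}

if command -v mdatp >/dev/null 2>&1; then
    health=$(mdatp health)
else
    health=$SAMPLE_HEALTH
fi
mode=$(printf '%s\n' "$health" | mdatp_field tamper_protection)
rc=0
tp_status "$mode" || rc=$?
echo "tamper_protection=$mode (status $rc; 0 means block mode)"

if ls $LOG_GLOB >/dev/null 2>&1; then
    events=$(cat $LOG_GLOB | count_tamper_events)
else
    events=$(printf '%s\n' "$SAMPLE_LOG" | count_tamper_events)
fi
echo "tampering events logged: $events"
```

Run it as root over SSH or from an MDM script; a non-zero status from tp_status is the signal that the device has not yet moved to block mode, and a non-zero event count in audit mode is worth correlating with the Advanced Hunting results before flipping the switch.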

 

How can I start benefitting from this new capability?

You can leverage the audit mode (default mode) to get a sense of how the feature detects actions that are indicative of tampering attempts. Later this year, we will offer a gradual rollout mechanism that will automatically switch endpoints to block mode; note this will only apply if you have not specifically made a choice to either enable (block mode) or disable the capability.

 

If you decide to turn the feature on and move it to block mode, logging of each suspected tampering action will be complemented with its actual blocking and a corresponding alert in the security center portal. To turn the feature off entirely you can disable Tamper Protection.

 

Learn more about tamper protection and how to control it in your environment: Tamper Protection on macOS.

 

01 Feb 20:44

Network Protection and Web Protection for macOS and Linux

by NickWelton

Over the last two years, the world has dramatically changed both in our daily lives and how companies conduct business. In the pre-pandemic world, eroding network boundaries and the maturity of SaaS applications precipitated endpoint-first design. The pandemic and post-pandemic era demand it, the world is embracing hybrid workplaces and zero trust postures.

 

When we first launched Network Protection for Windows and built powerful Web Protection and Microsoft Defender for Cloud Apps (MDA) capabilities on top of it, we knew our vision to bring you our proxy-less endpoint first architecture would remain incomplete until we delivered for macOS and Linux. That day has arrived, and we could not be more excited to share that Network and Web Protection for macOS is now Generally Available and in Public Preview for Linux!

 

Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

 

It is the foundation on which Web Protection in Microsoft Defender for Endpoint is built. These capabilities include web threat protection, web content filtering, and custom IP/URL indicators. Web protection secures your devices against web threats and helps regulate unwanted content.

 

Network protection also integrates Microsoft Defender for Endpoint with Defender for Cloud Apps natively. Currently, the integration for macOS and Linux only supports endpoint enforcement capabilities.

How to evaluate Network Protection and the features it enables:

 

Explore Network Protection on macOS

 

For Network Protection for macOS to be active on your devices, Network Protection must be enabled by your organization. We suggest deploying the audit or block mode policy to a small set of devices and verify there are no issues or broken workstreams before gradually deploying to a larger set of devices.

 

Prerequisites & Requirements  

  • Licensing: Microsoft Defender for Endpoint tenant (can be trial) 
  • Onboarded Machines: 
    • Minimum macOS version: 11 (Big Sur)
    • MDE product version: 101.94.13

Once the prerequisites have been met, follow installation and configuration instructions in Use network protection to help prevent macOS connections to bad sites | Microsoft Docs

 

Here is how the experience looks on macOS:

[Screenshot: Network Protection block experience on macOS, not reproduced here]

 

Explore Network Protection on Linux

 

Prerequisites & Requirements  

Once the prerequisites have been met, follow installation and configuration instructions in Use network protection to help prevent Linux connections to bad sites | Microsoft Docs

 

How do I verify my Mac/Linux device is configured properly?

  1. Navigate to https://smartscreentestratings2.net/; Network Protection blocks the browser from loading the page. On macOS an accompanying toast message is also shown.

 On Linux the connection is disallowed in the same way, but no toast message is shown.

 

Alternatively, you can also test this from the Terminal by running the following command and noticing that the connection is blocked by the Network Protection: 

curl https://smartscreentestratings2.net
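The curl test above tells you only that something failed. The script below is an added example, not code from the post or from Microsoft, that turns the result into a verdict a staged rollout can act on: it distinguishes a block (connection refused, reset or TLS handshake failure, which is what the "Secure Connection Failed" page in third-party browsers corresponds to) from a page that loaded (Network Protection off, or in audit mode, where the request succeeds and only an event is recorded) and from a DNS failure, which says nothing about Network Protection at all. The test domain is the one named above; the two "mdatp health" field names it queries are assumed, and the agent itself is optional so the script also runs on an unmanaged machine.

```shell
#!/bin/sh
# Added example, not code from the original post or from Microsoft.
# Verifies Network Protection from a terminal on macOS or Linux and turns the
# raw curl result into a verdict a rollout script can act on.
# Assumptions: the test domain is the one named in the post; a block in block
# mode surfaces as a failed TCP/TLS connection (the "Secure Connection Failed"
# page the post describes for third-party browsers); the mdatp health field
# names queried below are assumed, and mdatp itself is optional here.

TEST_URL='https://smartscreentestratings2.net/'

# np_verdict CURL_EXIT HTTP_CODE: classify a single curl attempt.
#   blocked - connect refused/reset/timed out or TLS handshake failed: consistent
#             with Network Protection in block mode
#   open    - page returned: Network Protection is off, or in audit mode, where
#             the page loads and only an event is recorded
#   no_dns  - name did not resolve: inconclusive, fix resolution first
#   unknown - anything else (HTTP error codes, proxy failures, ...)
np_verdict() {
    case "$1" in
        0)          if [ "$2" = "200" ]; then echo open; else echo unknown; fi ;;
        6)          echo no_dns ;;
        7|28|35|56) echo blocked ;;
        *)          echo unknown ;;
    esac
}

# probe_np: run the curl test once and print "<verdict> curl_exit=<n> http=<code>".
# The `|| rc=$?` keeps a failed curl from aborting a caller that uses `set -e`.
probe_np() {
    rc=0
    http=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$TEST_URL" 2>/dev/null) || rc=$?
    echo "$(np_verdict "$rc" "$http") curl_exit=$rc http=${http:-000}"
}

# Optional: report what the agent itself thinks, when mdatp is installed.
# `mdatp health --field NAME` prints one field; the two names are assumed.
if command -v mdatp >/dev/null 2>&1; then
    for f in network_protection_status network_protection_enforcement_level; do
        echo "$f: $(mdatp health --field "$f" 2>/dev/null)"
    done
fi

if command -v curl >/dev/null 2>&1; then
    probe_np
else
    echo "curl not found; cannot probe $TEST_URL"
fi
```

An "open" verdict on a device that should be in block mode is the case to chase: either the policy never arrived, the extension is not running, or the device is still in audit mode and the event only shows up in Advanced Hunting.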

 

How do I explore the features?

  1. Protect your organization against web threats | Microsoft Docs
    1. Web threat protection is part of Web protection in Microsoft Defender for Endpoint. It uses network protection to secure your devices against web threats.
  2. Run through the IP/URL custom indicators of compromise flow to confirm that custom-indicator blocks are enforced on the device. 
  3. Explore Web content filtering | Microsoft Docs 
    1. Note: if you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
    2. Pro Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
  4. Integrate Microsoft Defender for Endpoint with Cloud App Security | Microsoft Docs and your Linux and macOS devices with Network Protection enabled will have endpoint policy enforcement capabilities.

Note: Discovery and other features are currently not supported on macOS and Linux platforms.

 


 

 

On device experience 

When an end user attempts to access monitored domains on macOS/Linux, their navigation effort will be audited/blocked (depending on Network Protection policy). On macOS, the user will also be informed by Microsoft Defender for Endpoint via toast.

 


 

macOS

The user gets a plain block experience accompanied by a toast message displayed by the operating system, including the name of the blocked application or website (e.g., Blogger.com).

 

No block pages are shown in third-party browsers; the user sees a "Secure Connection Failed" page along with a toast notification. Depending on the policy responsible for the block, the toast shows a different message. For example, web content filtering displays "This content is blocked".

 


 

 We are looking forward to hearing your feedback and answering any questions you may have!

 

Reference Documents

Microsoft Defender for Endpoint on Mac documentation - Microsoft Defender for Endpoint on Mac | Microsoft Docs 

Microsoft Defender for Endpoint on Linux documentation - Microsoft Defender for Endpoint on Linux | Microsoft Docs

About Microsoft Defender for Endpoint Network Protection - Use network protection to help prevent connections to bad sites | Microsoft Docs 

About Microsoft Defender for Endpoint Network Protection on Linux - Use network protection to help prevent Linux connections to bad sites | Microsoft Docs

About Microsoft Defender for Endpoint Network Protection on macOS - Use network protection to help prevent macOS connections to bad sites | Microsoft Docs

Enable Network Protection - Turn on network protection | Microsoft Docs

Web Protection - Web protection | Microsoft Docs 

Custom Indicators - Create indicators | Microsoft Docs 

Web Content Filtering (WCF) - Web content filtering | Microsoft Docs 

Microsoft Defender for Cloud Apps - Integrate Microsoft Defender for Endpoint with Cloud App Security | Microsoft Docs 

Edge Browser Setup - https://www.microsoft.com/en-us/edge/features 

 

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.

Microsoft Defender for Endpoint team

01 Feb 20:44

How to deploy Attack Surface Reduction rules to Azure VMs using Azure Guest Configurations

by mahmoudmsft

Disclaimer: Under normal circumstances, ASR rules should only be deployed using the supported methods described in Microsoft's ASR deployment documentation.

In rare cases where VMs are server OSs, non-domain joined, and not managed by SCCM or third-party management solutions, Azure Automation State Configuration or the new version of Azure DSC, using the guest configuration feature of Azure Policy, can be used as an alternative solution to centrally deploy ASR rules. Learn more about Azure Guest configuration.

 

Example Scenario:

Let's assume there is a requirement to enable and deploy the ASR rule: Block execution of potentially obfuscated scripts (GUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc) Follow the steps below to accomplish this task.

 

Step 1: Create the MOF configuration file

The following is a sample state configuration script using the DSC Script resource.

 

 
Configuration ASRTEST
{
    Import-DscResource -ModuleName 'PSDscResources'
    Node localhost
    {
        Script ASRTest
        {
            # Rule GUID for "Block execution of potentially obfuscated scripts"
            SetScript = {
                Add-MpPreference -AttackSurfaceReductionRules_Ids '5beb7efe-fd9a-4556-801d-275e5ffc04cc' `
                                 -AttackSurfaceReductionRules_Actions AuditMode
            }

            # Runs on the target VM at every evaluation. Reading Get-MpPreference
            # here, rather than at compile time, is what makes the test reflect the
            # live state; -contains is case-insensitive and tolerates a $null list.
            TestScript = {
                $ids = (Get-MpPreference).AttackSurfaceReductionRules_Ids
                return [bool]($ids -contains '5beb7efe-fd9a-4556-801d-275e5ffc04cc')
            }

            # Report the configured rule IDs for the compliance view.
            GetScript = {
                @{ Result = (((Get-MpPreference).AttackSurfaceReductionRules_Ids) -join ',') }
            }
        }
    }
}

 

At each evaluation the TestScript checks whether rule ID 5beb7efe-fd9a-4556-801d-275e5ffc04cc is present in the local Defender preferences; if it is not, the SetScript runs Add-MpPreference and puts the rule into audit mode on the local VM. ASR rules can also be set to the enabled (block) state with the same Add-MpPreference command by passing Enabled instead of AuditMode.

This script can be compiled using the dot sourcing method. 

 

Example:

 

. C:\Scripts\asrtest.ps1
ASRTEST -OutputPath C:\Scripts\ASRTEST

 

Dot-sourcing the script loads the configuration; calling it compiles the MOF. Without -OutputPath the MOF is written to a folder named after the configuration in the current directory, so either run from C:\Scripts or pass -OutputPath as above. Once it has compiled, a file called localhost.mof should exist under C:\Scripts\ASRTEST.

Step 2: Create the artifacts package

Now that we have the MOF file, we can create the package. Note that a package built with -Type Audit only evaluates TestScript and GetScript and reports compliance; for Azure Policy to actually run the SetScript on non-compliant VMs, build it with -Type AuditAndSet. Step-by-step instructions can be found here. 

 

# Create a package
New-GuestConfigurationPackage `
  -Name 'MyConfig' `
  -Configuration './ASRTEST/localhost.mof' `
  -Path 'C:\scripts' `
  -Type Audit `
  -Force

 

Step 3: Publish the package

Now that the package is ready, we can publish (upload) the package to an Azure Storage account where it is ready to be consumed by Azure Policy. Step-by-step instructions can be found here.

 

Step 4: Create a policy definition

To start deploying this package to target VMs in a resource group, for example, a new Azure policy definition needs to be created. We want to create this policy definition by using the "guest configuration" category. Creating this new policy requires using the New-GuestConfigurationPolicy and New-AzPolicyDefinition commands to publish the policy to the Azure Policy portal. Step-by-step instructions can be found here.

 

Now we can deploy ASR rules centrally and have a compliance view right from Azure Policy.
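As an added example that is not part of the original post, the Script-resource pattern from Step 1 can be extended to manage several ASR rules, each with its own desired action, with the comparison done on the node at run time. The configuration name ASRMultiRule is an assumption; the two extra GUIDs are Microsoft's documented IDs for the LSASS and Office child-process rules, so confirm them against the ASR rules reference before deploying.

```powershell
# Added example, not from the original post. Run from C:\scripts so the MOF
# lands in C:\scripts\ASRMultiRule\localhost.mof (folder follows the config name).
Configuration ASRMultiRule
{
    Import-DscResource -ModuleName 'PSDscResources'

    # Desired state: rule GUID -> action name accepted by Add-MpPreference
    # (Disabled, Enabled, AuditMode, Warn). The first GUID is the one from the post.
    $desired = @{
        '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'AuditMode'  # Block execution of potentially obfuscated scripts
        '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Enabled'    # Block credential stealing from LSASS
        'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Enabled'    # Block all Office applications from creating child processes
    }

    Node localhost
    {
        Script ASRRules
        {
            # Evaluated on the node at each consistency check. Returns $true only
            # when every desired rule is present with the desired action.
            TestScript = {
                $desired = $using:desired
                # Numeric action values as reported by Get-MpPreference
                $codes   = @{ Disabled = 0; Enabled = 1; AuditMode = 2; Warn = 6 }
                $pref    = Get-MpPreference
                $ids     = @($pref.AttackSurfaceReductionRules_Ids)
                $actions = @($pref.AttackSurfaceReductionRules_Actions)
                foreach ($id in $desired.Keys) {
                    $index = -1
                    for ($k = 0; $k -lt $ids.Count; $k++) {
                        if ($ids[$k] -ieq $id) { $index = $k; break }   # GUID case may differ
                    }
                    if ($index -lt 0) { return $false }                 # rule not configured at all
                    if ([int]$actions[$index] -ne $codes[$desired[$id]]) { return $false }  # wrong mode
                }
                return $true
            }

            # Add-MpPreference creates the rule entry, or updates its action if
            # the rule is already present with a different mode.
            SetScript = {
                $desired = $using:desired
                foreach ($id in $desired.Keys) {
                    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                                     -AttackSurfaceReductionRules_Actions $desired[$id]
                }
            }

            # Reported back as the resource's current state: "guid=action;guid=action"
            GetScript = {
                $pref  = Get-MpPreference
                $ids   = @($pref.AttackSurfaceReductionRules_Ids)
                $pairs = for ($k = 0; $k -lt $ids.Count; $k++) {
                    '{0}={1}' -f $ids[$k], $pref.AttackSurfaceReductionRules_Actions[$k]
                }
                return @{ Result = ($pairs -join ';') }
            }
        }
    }
}

# Compile, then package for Azure Policy guest configuration. Note that
# -Type Audit only evaluates TestScript (compliance view); -Type AuditAndSet
# also runs SetScript so the policy enforces the rules.
ASRMultiRule
New-GuestConfigurationPackage `
  -Name 'ASRMultiRule' `
  -Configuration './ASRMultiRule/localhost.mof' `
  -Path 'C:\scripts' `
  -Type AuditAndSet `
  -Force
```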

 

Please note: This method for deploying ASR should only be used as a last resort, because of the complexity and the knowledge of DSC PowerShell scripting it requires, and because of its limitations.

 

We hope that you found this article and the additional step-by-step resources helpful.

01 Feb 20:44

Attack Surface Reduction (ASR) Rules Report 2.0 in Microsoft 365 Defender

by OludeleOgunrinde

Update: As of 9/28/2022, the Attack Surface Reduction (ASR) Rules Report 2.0 is now Generally Available.

 

Attack Surface Reduction (ASR) rules reporting was one of the first reports we completed as an end-to-end Endpoint Protection Platform (EPP) report several years ago. We are improving the ASR Rules report based on your feedback. These improvements will make the ASR Rules report easier to understand, enable, and configure in block mode.  We invest in modern ASR rules because they provide strong prevention benefits for organizations.

 

To access the report (detection card, configuration card, and main report respectively), go to the M365D portal (security.microsoft.com) and navigate to:

  1. Security report -> Devices -> ASR rule detections
  2. Security report -> Devices -> ASR rule configuration
  3. Reports -> attack surface reduction rules

Requirements: 

  • Protected devices have or later, or Windows Server 2012 R2 (some rules are not applicable) or later.
  • Your organization uses Microsoft Defender Antivirus with cloud-delivered protection enabled. See Use cloud-delivered protection.
  • Microsoft Defender for Endpoint is in active mode. 
  • Engine version is 1.1.17300.4 or later. 

Link: Enable attack surface reduction rules | Microsoft Docs

 

What is new with the ASR rules report 2.0?

  1. Insightful summary cards: The new card experience provides summary information about the ASR detection and configuration state in your digital estate. The detection card (Figure 1) is divided into two sections, as shown below:

 

Figure 1: Detection card

 

The configuration card (Figure 2) also has top and bottom sections.

  • The top section focuses on the standard protection rules, which protect against common attack techniques. The “Protect devices” button shows full configuration details for only these three rules, so customers can quickly take action to enable them.
  • The bottom section surfaces six rules, ranked by the number of unprotected devices per rule. The “View configuration” button surfaces all configuration details for all ASR rules. The “Add exclusion” button shows the add exclusion page with all detected file/process names listed for the Security Operations Center (SOC) to evaluate.

 

Figure 2: Configuration card

 

  2. Filters: A new capability to filter (Figure 3 and Figure 4) by date and device group, with a toggle to show either “Standard protection” rules or all rules. This lets users narrow the report to what they want to view.

 


 

Figure 3: Detection filter

 


 

Figure 4: Detection filter flyout

 

  3. New detection trend: The ASR rules report 2.0 includes small but insightful charts (Figure 5) to help the SOC team visualize how ASR detections are trending in their environments.

 


 

Figure 5: Detection trends

 

  4. Search bar: A new search capability is added to the detection (Figure 6), configuration (Figure 7), and “Add exclusion” (Figure 8) landing pages. With this capability, you can search by file name, process name, or device ID.


 

Figure 6: Detection search bar

 


 

Figure 7: Configuration page search bar

 


 

Figure 8: Add exclusion page search bar

 

  5. Actionable flyout: The “Detection” main page lists all detections (files/processes) from the last four weeks. Clicking any of the detections (Figure 9) opens an intuitive flyout with drill-down capability on the right side of the page. The “Possible exclusion and impact” section (Figure 9) shows the impact of the file/process in your digital estate. Customers can click “Go hunt” (Figure 9) to open the Advanced Hunting query page (Figure 10). “Open file page” (Figure 9) opens the Microsoft Defender for Endpoint (MDE) detection (Figure 11), and the “Add exclusion” button (Figure 9) links to the add exclusion main page.

 


 

Figure 9: Detection flyout

 


 

Figure 10: Advanced hunting page

 


 

Figure 11: MDE page

 

  6. Device configuration state: The “Configuration” main page has a detailed summary of all ASR rules for all onboarded MDE devices. It also has radio buttons (Rules, Figure 12) to select either “Standard protection” or “All”. The image below (Figure 12) shows the “Device configuration overview” section of the page.

Figure 12: Device configuration overview section

 

 

  7. Device configuration flyout: The flyout (Figure 13) displays the state of each MDE-onboarded device in your environment. The flyout also surfaces a new category called warn mode. Furthermore, you can add the device to your policy in MEM through the “Add policy” button (Figure 13).


 

Figure 13: Device configuration overview section

 

  8. Updated “Add exclusion” page: The page (Figure 14) has two buttons for actions that can be performed on any detected files (after selection). You can “Add exclusion”, which opens the ASR policy page in MEM, or “Get exclusion paths”, which downloads the file paths in CSV format.

 


 

Figure 14: Add exclusions page

 

  9. Export of detections: The export button (Figure 15) downloads 10,000 rows of the detections (CSV format) in your environment. Note: the ASR team is working on increasing the number of downloadable rows.


 

Figure 15: Add exclusions page

 

Let us know what you think! 

We are excited to bring a new ASR Rules report 2.0 to you. Try out the report and let us know what you think. Email: ASR_Report_Support@microsoft.com

01 Feb 20:42

Fox Censors Stopped Batman: The Animated Series From Turning Bruce Wayne Into A Vampire

by Joe Roberts

No one likes censors, but the ones over Fox always seemed to get an especially bad rap — especially back in the '90s. "The Simpsons" killed the Fox censor in the intro to "Treehouse of Horror VIII," and numerous absurd Standards and Practices notes have come to light over the years, including one from Fox Kids' "Spiderman: The Animated Series" which demanded Spidey not "harm the pigeons" when he landed on rooftops.

In fact, "Spiderman: TAS" showrunner John Semper Jr. recalled in an interview how by the time his show debuted in 1994, "there was a LOT of censorship at Fox." The company had seen their mega-popular "Mighty Morphin' Power Rangers" banned in Canada and were more stringent than ever, especially when it came to kids' programming. As Semper recalled:

"When I watch the older episodes of 'Batman' that first aired on Fox, they do all kinds of things that we couldn't do. By the time Spidey came on, Fox wouldn't let us do anything like that. No fists to the face, no realistic guns, no fire, no crashing through glass, no children in peril, no mention of the words death, die, or kill."

In reality, "Batman: The Animated Series" was heavily censored when it arrived in 1992 — the writers just found clever ways around it. Similar to "Spiderman: TAS," there was famously a list of nine things they couldn't show, all of which were immortalized in an infamous illustration designed by Henry Gilroy and Bruce Timm and tweeted by Mark Hamill himself. They included guns, drugs, breaking glass, alcohol, smoking, nudity, child endangerment, religion, and strangulation. And while the writers found clever ways to get around a lot of these, there were some things that they simply couldn't get past Murdoch's watchdogs.

The Unmade Vampire Episode

Despite having a lot of creative freedom, co-creators of "Batman: TAS," Bruce Timm and Eric Radomski often had to yield to the pesky Fox censors. In an interview with ScienceFiction.com, Timm explained how he'd always wanted to do an episode where Batman was transformed into a vampire:

"There's a character in the comics called Nocturna! And it didn't get much past the idea phase, we floated it past Fox Kids and they said 'Nope! No Vampires!' and I said, 'Well what if he wasn't really a Vampire?' And they said, 'No Vampires!'"

Timm even got as far as designing his version of Nocturna, the villainess from the comics whose unfortunate run-in with a radioactive laser resulted in a pallid complexion and sensitivity to light. But according to writer and producer Alan Burnett, in Timm's vision of the character she actually was "a vampire, which would've involved bloodletting, which was a huge no-no for kids' TV." 

It seems that this was one breach of Fox's rules that "Batman: TAS" writers couldn't sneak past the censors. Previously they'd tried tactical cuts to get around showing actual punches, and, as Dorkly explains, "censor decoys" designed to distract from the actual stuff the writers wanted to keep in. But Nocturna and Timm's vision of turning Batman into a vampire was shut down before it could even get to a stage where he could deploy his decoys and clever cuts.

Timm Eventually Got To Do Vampire Batman

Years after "Batman: TAS" ended in 1995, Timm would work on the story for the 2015 animated movie "Justice League: Gods and Monsters" — which just so happens to share part of its name with phase one of James Gunn's new DCU movies. Timm's movie took place in an alternate DC universe where he could create wildly different versions of DC's heroes and villains. Asked about the project in an interview with Den of Geek, the writer and artist recalled how he had read a quote from Batman creator Bob Kane, who said that "Batman is half Dracula and half Zorro," which he credits as the origin of his desire to make the Dark Knight an actual vampire.

Recalling his attempts to do just that on the '90s animated series, Timm clarified that he'd only ever got as far as Nocturna's design before being told "no" by Fox, and that in his original plan, Nocturna would have turned Batman temporarily into a vampire. Unfortunately the idea was nixed so quickly that he never even came up with a design for vampire Bats. 

Thankfully, he got to see his idea come to life in "Gods and Monsters" where Kirk Langstrom becomes a vampire version of Batman. In the DCU proper, Langstrom was the scientist who became Man-Bat after testing his bat mutagen serum on himself. Man-Bat was the villain in the very first "Batman: TAS" episode, "On Leather Wings," wherein Langstrom becomes the grotesque beast before being saved by Batman in what is arguably a more upsetting visual than any vampire Batman would have been. Still, at least Timm eventually got to see his vampire Batman vision come to life, even if it took 20 years.

Vampire Batman Vs. Morbius

Considering the dark and foreboding style of "Batman: TAS" and the fact that Langstrom's horrifying Man-Bat transformation was given a pass, it's kind of crazy to think that a vampire storyline was ruled out before it had even started. It would have fit the tone of the show nicely, and could easily have been one of the best episodes of "Batman: TAS". Alas, the Fox censors were clearly keen not to have another one of their shows banned.

Over on the Marvel side, John Semper Jr. did manage to get a vampire episode of "Spider-Man: TAS" past the censors, which has become a point of pride for him. In episode 6 of season 2, Morbius shows up, but only because of some compromises that were made — namely, that the villain would only drain people's blood through suction cups on his hands. In an interview, Semper explained: 

"It was so successful that we decided to stretch it for two more episodes. I have a good relationship with Broadcast Standards and Practices, in that I recognize that what they're trying to do is important, and philosophically I am not opposed to what they're trying to do. I think there were writers on 'Batman' who decided that they were going to wage war against Broadcast Standards and Practices. I think that's an unproductive attitude."

Shots fired! Meanwhile, Timm remained unfazed by the whole thing, telling ScienceFiction.com: "["Spider-Man: TAS"] did that really lame one right? He had like suction cups on his hands? So that was fine. Like if I wasn't going to do it properly, I wasn't going to do it."

Ouch! If nothing else, at least the Fox censors helped stoke the most amusingly lame rivalry in entertainment history by getting Semper and Timm all riled up.

Read this next: The Best Animation For Adults Of 2022

The post Fox Censors Stopped Batman: The Animated Series From Turning Bruce Wayne Into A Vampire appeared first on /Film.

01 Feb 20:27

Improving device discoverability and classification within MDE using Defender for Identity

by YakirZilberman

Having visibility into the devices on a network is very important for an organization to help prevent cyberattacks in an ever-expanding threat landscape. Additionally, the more information that can be discovered about the devices, the easier it is to manage them and to protect your network. Having the ability to locate, identify, and accurately classify devices in real-time means you can quickly discover vulnerable devices and carry out intelligent prioritization. 

 

Leveraging Microsoft Defender for Identity as a data source for Microsoft Defender for Endpoint device discovery can help improve discovery coverage and fine tune the classification accuracy. 

In this blog post, we show how deploying Microsoft Defender for Identity alongside Microsoft Defender for Endpoint can increase both your discovery of devices by ~11% as well as enrich findings by another 33%.  

 

Device discovery 

 

Device discovery is a feature included in Microsoft Defender for Endpoint that uses passive and active network traffic monitoring to discover and classify new devices on the network. The agent on onboarded devices collects this network traffic.

For each newly discovered device, device discovery capabilities attempt to classify information such as device name, device type, OS information, model, and running services. 

 

Newly discovered devices will appear in the device inventory tab in the Microsoft 365 Defender portal. 

 


Figure 1 – Device Inventory 

 

 

You can use the following capabilities to help defend against threats:

  • Discovering new devices on the network, which can be onboarded to Microsoft Defender for Endpoint. 
  • Mapping vulnerabilities and unsecure configurations on unmanaged devices 
  • Detecting and reacting to suspicious network behavior and anomalies coming from specific devices. 

 

Enhance the accuracy of device classification with Microsoft Defender for Identity

 

Device discovery offers an important turnkey capability that allows for ongoing and precise discovery of devices on the network. On average, organizations gain extended visibility into 31% more endpoint devices through newly discovered devices.

 

However, there are cases in which identifying and classifying a device based on Microsoft Defender for Endpoint sensor data have a few limitations: 

 

  • The visibility perspective – The sensor can only observe network communication between the discovered devices and other onboarded devices. If there are no onboarded devices on the same network segment as the discovered device, the discovery engine lacks the signals necessary to see that new device. Moreover, environment hardening and configuration settings (such as firewall access lists and Network Address Translation (NAT)) can further limit the network sensor's visibility. As a result, an additional, independent data source can help improve visibility.
  • The precision perspective – Using only Microsoft Defender for Endpoint sensor data, it can be hard to arrive at the most accurate and detailed classification for each discovered device, for example when deciding whether a device is a Windows workstation or a Windows server. A supplemental, independent data source can help distinguish such cases.

 

This is where combining Microsoft Defender for Identity and Microsoft Defender for Endpoint can help.  Having access to large amounts of high-quality data collected by Microsoft Defender for Identity can significantly improve the classification accuracy of devices detected by Microsoft Defender for Endpoint. 

 

Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider activity toward an organization. 

 

After installation on Domain Controllers, the Microsoft Defender for Identity sensor inspects incoming and outgoing network traffic from within Active Directory. The Microsoft Defender for Identity sensor also collects data from Active Directory logs in order to assess the different users and corresponding devices connected to the domain. 

 

Microsoft Defender for Identity uses this data (device type, OS information, and hostname) in conjunction with device discovery capabilities to enhance classification richness, improve confidence, and provide better visibility.

 

How Microsoft Defender for Identity and device discovery signal correlation works

 

Device discovery capabilities attempt to simultaneously correlate Active Directory user authentication data, which is captured by Microsoft Defender for Identity sensors (which are installed on Domain Controllers) from domain joined devices, with other network traffic communication observed by the Microsoft Defender for Endpoint sensors. 

Because the Microsoft Defender for Identity and Microsoft Defender for Endpoint sensors operate independently, a given device on the network may be observed by only one of the two sensors, or by both. By using the tools together, we aim to extract as much discovery and classification data as possible from Microsoft Defender for Identity.

 

For devices observed by both Microsoft Defender for Identity and Microsoft Defender for Endpoint, we can enrich the device classification for better device discovery accuracy. Furthermore, devices that were only observed by the Microsoft Defender for Identity sensor will populate in the Microsoft Defender for Endpoint device inventory, extending your device coverage.  

 

However, as each product has visibility into different strong device identifiers (for example, MAC address for Microsoft Defender for Endpoint network signals and Active Directory Object GUID for Microsoft Defender for Identity authentication signals), the correlation logic relies on shared properties, such as time, IP addresses and hostnames. 

 

 


Figure 2 – Microsoft Defender for Identity & Microsoft Defender for Endpoint device discovery 

 

 

Impact Evaluation 

 


Figure 3 – Product discovery impact 

 

 

For the average organization, Microsoft Defender for Identity integration increases the number of discovered devices by 11% - these devices benefit from rich classification information. 

 

When looking at the devices that were observed by both Microsoft Defender for Identity and Microsoft Defender for Endpoint, we can see that for 51% of these devices, Microsoft Defender for Identity managed to enrich the Microsoft Defender for Endpoint device information, usually with the OS build version (see Figure 4).

 

For 19% of these devices, Microsoft Defender for Identity helped Microsoft Defender for Endpoint to distinguish between Windows Servers and Windows Workstations which share the same OS build version. 

 


Figure 4 – Discovery timeline 

 

 

Our data also demonstrated a correlation between a higher number of discovered devices onboarded to Microsoft Defender for Endpoint and a lower number of new devices discovered by Microsoft Defender for Identity. 

 

 


 

 

Figure 5 – Device which was discovered via MDI 

 

 

Conclusion 

 

Gaining visibility into both your complete asset inventory as well as the rich context of the devices involved has always presented a challenge that remains a top priority for the Microsoft customer support initiative. Last year, we added discovery capabilities to Microsoft Defender for Endpoint, enabling us to start discovering unmanaged endpoints. Since then, we have combined these discovery capabilities with signals from Microsoft Defender for Identity in order to expand overall visibility, improve accuracy and gain a more complete view of all the devices (workstations, servers and mobile) on your network. 

 

Learn more about Microsoft Defender for Identity, and begin a trial for Microsoft Defender for Identity here. 

 

01 Feb 20:27

Tamper protection will be turned on for all enterprise customers

by JoshBregman

Tamper protection in Microsoft Defender for Endpoint protects your organization from unwanted changes to your security settings. Tamper protection helps prevent unauthorized users and malicious actors from turning off threat protection features, such as antivirus protection. Tamper protection also includes the detection of, and response to, tampering attempts.

 

Starting last year, to better protect our customers from ransomware attacks we turned on tamper protection by default for all new customers with Defender for Endpoint Plan 2 or Microsoft 365 E5 licenses. To further protect our customers, we are announcing that tamper protection will be turned on for all existing customers, unless it has been explicitly turned off in the Microsoft 365 Defender portal. For customers who haven’t already configured tamper protection, they’ll soon receive a notification stating that it will be turned on in 30 days. For example, public preview customers receive a notification on September 21, 2022 indicating that tamper protection will be turned on 30 days later, on October 24, 2022.

 

The following screenshot shows what the notification looks like:

 


 

Why should tamper protection be turned on?

Human-operated ransomware is one of the biggest cybersecurity challenges facing customers today. Post-mortems of ransomware attacks have revealed two things:

  • Attackers are using a common set of tactics, techniques, and procedures (TTPs)
  • Defender for Endpoint could have helped more in preventing the attack if the controls that address those TTPs were configured. 

We recommend that you turn tamper protection on and keep it enabled across your organization.

 

How to opt out

If you prefer that tamper protection not be turned on automatically for your tenant, you can explicitly opt out as follows:

  1. Go to security.microsoft.com and sign in.
  2. Go to Settings > Endpoints > Advanced features
  3. Turn tamper protection on by selecting its toggle.
  4. Select Save preferences
  5. Turn tamper protection off by selecting its toggle.
  6. Select Save preferences.

 

By explicitly turning tamper protection off, your intent to keep tamper protection turned off will be registered for your tenant. For more information see Protect security settings with tamper protection | Microsoft Docs.

 

How to disable tamper protection

 

 

Depending on how you manage a device, you disable tamper protection as follows:

  • Intune (Microsoft Endpoint Manager): create a Windows Security experience profile in Microsoft Endpoint Manager.
  • Configuration Manager, version 2006, using tenant attach: create an endpoint security policy.
  • Microsoft 365 Defender portal or 3rd-party MDM: use Security Management for Defender for Endpoint.

Note: Tamper protection is included in the Windows Security Experience, located within the Virus & threat protection settings section.

 

Learn more

 

01 Feb 20:27

Detecting and remediating command and control attacks at the network layer

by OludeleOgunrinde

Overview

 

Update - 11/10/2022 - Network Protection command and control (C2) detection and remediation capabilities are now generally available in Microsoft Defender for Endpoint.

 

We are excited to announce the general availability of Network Protection command and control (C2) detection and remediation capabilities in Microsoft Defender for Endpoint. These enhancements will help improve the time it takes security operations (SecOps) teams to pinpoint and respond to malicious network threats looking to compromise the endpoint.

 

Attackers often compromise existing internet-connected servers to become their command and control servers. In the event these servers become compromised, attackers use them to hide malicious traffic and deploy malicious bots used to infect endpoints. Let’s say - in an attacker's ideal scenario - their malicious bots somehow manage to circumvent an organization's existing defenses. In that breach the malicious bots introduce malware into an organization’s environment through a user’s device. The malware can be introduced in a number of ways: from clicking a fraudulent link, downloading a suspicious file, or opening a seemingly legitimate email attachment. If an endpoint contracts any of these types of C2 malware, the compromised computer can communicate back with the malicious C2 servers, completely unbeknownst to the user (Figure 1). The response communication from the endpoint to the C2 server enables the attacker to gain full control of the endpoint. 

 

This is problematic for security teams as many other unprotected devices that communicate with the previously infected endpoint can become compromised themselves. This can potentially lead to a spread of malware across a network, often referred to as a “botnet” infection.

 


Figure 1: Sample C2 attack flow

 

 

To quickly detect and clean up these botnet infections, SecOps teams need precise alerts that can accurately define areas of compromise and previous connections to known malicious IPs. With the new capabilities in Microsoft Defender for Endpoint, SecOps teams can detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries. 

 

Prerequisites

  

  

See Protect your network for the full list of requirements.

 

 

How does network layer C2 detection and remediation work?

 

Detecting and blocking C2 connections at the network layer

This capability works by inspecting network packets and examining them for any types of C2 malware configuration patterns. The Network Protection (NP) agent in Defender for Endpoint determines the true nature of the connection by mapping the outbound connection’s IP address, port, hostname, and other NP connection values, with the Microsoft Cloud. If our AI and scoring engines powered by the cloud deem the connection malicious, actions are taken to block the connection and malware binaries are rolled back on the endpoint to the previous clean state.

 

Generating incident and alert notifications in the Microsoft 365 Defender portal

After detection, an alert will surface under “Incidents and alerts” in the Microsoft 365 Defender portal (Figure 2) where the SecOps team can observe the alert name, the severity-level of the detection, device status, and other details. Customers can see more details on the alert with a full timeline and attack flow relative to their environment (Figure 3).

 

 


Figure 2: Alert page in the Microsoft 365 Defender portal

 

 


Figure 3: C2 attack flow timeline in the Microsoft 365 Defender portal

 

 

Testing/Validation: C2 detection and remediation  

 

Once network protection has been enabled, you can test this C2-enhanced protection experience in your environment (using PowerShell) by:

 

a.  Navigate to your PowerShell prompt.

b.  Type: $Response = Invoke-WebRequest -URI https://commandcontrol.smartscreentestratings.com

c.  If the testing URL is successfully blocked, you will get (Figure 4):

 

Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:13
+ $Response = Invoke-WebRequest -URI https://commandcontrol.smartscreen ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

 


Figure 4: PowerShell output

 

 

d.  Followed by a block notification (Figure 5).

 


Figure 5: Endpoint notification

 

 

e.  On the block notification, click:

  1. “OK” to make the toast notification disappear
  2. “Feedback” to open the network protection feedback page, where you can submit feedback to the Antimalware and Cybersecurity portal (Figure 6).

 


Figure 6: Web threat detections over time  

 

 

f.  In the unlikely event the testing URL is not successfully blocked, collect MDE Client Analyzer output (aka.ms/MDEClientAnalyzer) and/or an F12 network trace, then send them together with your screenshot to the NP team (NP_C2_Support_Team@microsoft.com).
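As an added example that is not part of the original post, the manual check in steps b and c can be wrapped in a function that records the outcome per device, so the same validation can be run across many endpoints and the results collected. The function name Test-NetworkProtectionC2Block is an assumption; the test URL is the one from step b, and the expected error text is the one shown in step c.

```powershell
# Added example, not from the original post: reports whether the Microsoft
# test URL for C2 detection was blocked on this device.
function Test-NetworkProtectionC2Block {
    [CmdletBinding()]
    param(
        # Test URL from step b of the post
        [string]$TestUri = 'https://commandcontrol.smartscreentestratings.com',
        [int]$TimeoutSec = 15
    )

    # Network protection mode on this device: 0 = disabled, 1 = block, 2 = audit.
    # Only block mode is expected to abort the request.
    $npMode   = (Get-MpPreference -ErrorAction SilentlyContinue).EnableNetworkProtection
    $modeName = switch ([int]$npMode) {
        0       { 'Disabled' }
        1       { 'Block' }
        2       { 'Audit' }
        default { "Unknown($npMode)" }
    }

    $result = [ordered]@{
        Device                = $env:COMPUTERNAME
        NetworkProtectionMode = $modeName
        TestUri               = $TestUri
        Outcome               = $null
        Detail                = $null
        Timestamp             = (Get-Date).ToString('o')
    }

    try {
        $response = Invoke-WebRequest -Uri $TestUri -TimeoutSec $TimeoutSec -UseBasicParsing
        # A successful response means the connection was not blocked at the network layer
        $result.Outcome = 'NotBlocked'
        $result.Detail  = "HTTP $($response.StatusCode)"
    }
    catch {
        $msg = $_.Exception.Message
        if ($msg -match 'SSL/TLS secure channel') {
            # The failure shown in step c: the block happens before TLS completes
            $result.Outcome = 'Blocked'
        }
        else {
            # DNS failure, proxy rejection, timeout and similar are not evidence of a block;
            # treat them as inconclusive rather than as a pass
            $result.Outcome = 'Inconclusive'
        }
        $result.Detail = $msg
    }

    [pscustomobject]$result
}

# 'Blocked' together with mode 'Block' is the expected result from step c.
# Any other outcome is the case step f describes: collect MDE Client Analyzer output.
Test-NetworkProtectionC2Block | Format-List
```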

 

 

Accessing the C2 detection and remediation report in the Microsoft 365 Defender portal  

 

To access the report:   

1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.

2. Navigate to:  

  1. Reports -> Security report -> Devices -> 
    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8)
  2. Reports -> Web Protection ->
    1. Web threat detection over time (Figure 7)
    2. Web threat summary (Figure 8) 

 


Figure 7: Web threat detections over time 

 

 


Figure 8: Web threat summary

 

 

Your feedback counts

We are excited to bring you a new enhancement to the Network Protection stack to further protect against command and control attacks. Try out this new capability and let us know what you think. Share your feedback with us at NP_C2_Support_Team@microsoft.com

01 Feb 20:27

Announcing new removable storage management features on Windows

by Tewang_Chen

External devices like USBs are common tools people use to support daily business tasks like saving work in a convenient and portable way. While these devices help improve employee productivity and provide an easy way to back up files, they can also pose a threat to enterprise data, serving as a potential entry point for malware and viruses.

 

Over the last several months, Microsoft Defender for Endpoint has rolled out a handful of device control capabilities to help secure removable storage scenarios on Windows. Some of the common use cases we support include allowing specific users to:

  • Gain writing access to specific removable storage devices
  • Use specific removable storage devices on specific machines
  • Gain read/write/execute access to specific files on removable storage devices
  • Gain write/execute access to specific removable storage devices when their machine is connected to the corporate network or through a VPN

 

What’s new

 

Support for file parameters

We are pleased to announce that Defender for Endpoint now allows organizations to better control whether users can read, write, or execute specific files on removable storage. For example, by matching on file name, path, or extension, Defender for Endpoint can block end users from executing any file with the LNK, BAT, BIN, CHM, CMD, COM, CPL, or EXE extension.

For more details, please review Scenario 3 in our documentation found below:

 

Support for Azure AD machines or user group(s)

With this release, we are expanding the Sid and ComputerSid properties to support AD Object and Azure AD Object Id to satisfy the following common scenarios:

  • An admin who is looking to restrict removable storage device access for both users and their machines. An example of this would be only allowing specific users to interact with specific removable storage devices on a specific machine. In this case, the qualified user must only initiate an authorized removable storage device on an authorized machine.
  • An admin who is looking to use one policy for removable storage management, while using Sid and ComputerSid inside the policy to control which users or machine groups can access certain removable storage.

For details, please review our documentation found here: Microsoft Defender for Endpoint Device Control Removable Storage frequently asked questions | Microsoft Learn.

 

Capturing a file as evidence on a network share

An admin may want to track what files are being moved to an authorized removable storage device. The admin can create a policy to capture a copy of the file on their customized network share.

A new value added into the ‘Options’ attribute allows you to capture a copy of the file as evidence on the network share. The common scenario is as follows:

  • When an end user copies a file to an authorized removable storage device, device control will create a copy of the file as evidence on a network share.


Figure 1 - File information for removable storage event

 

Improvements to the removable storage access control investigation experience

After collecting user feedback, we found an opportunity to help improve investigation efficiency by providing device control events on the device timeline page. In addition to this improvement, we have made several other enhancements to the investigation experience over the last few months:   

  • The removable storage access control event has been added into the machine timeline under Microsoft 365 security portal -> Devices -> Device page -> Timeline:


Figure 2 - Removable storage events on machine timeline page

 

  • When a file-level policy is triggered, the file path and name will be captured in the event and documented in the Advanced Hunting Device Control reports.
  • The Device Control report under security.microsoft.com -> Reports -> Device control now receives updated data and visualizations in half the time, reducing latency from 12 hours to 6 hours.


Figure 3 - Device control report

 

Please take a look at Protect your organization's data with device control | Microsoft Learn for more details.

 

Network location as a condition

In certain scenarios where admins want to ensure better security across remote devices, they can enforce stricter policies on machines that are not connected to the corporate network. To do so, create different Device control policies based on a machine’s network location, using the recently added ‘Network’ and ‘VPNConnection’ group types to control which policy applies.

 

For more information, see our documentation: Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media | Microsoft Learn.

 

 

We’re excited to deliver these new device control functionalities to you. To experience these capabilities in public preview, we encourage you to turn on preview features for Microsoft Defender for Endpoint today. As always, we welcome your feedback and look forward to hearing from you! You can submit feedback directly to our team through the portal.  

 

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today. 

 

Microsoft Defender for Endpoint team

01 Feb 20:26

Microsoft Defender for Endpoint announcements at Microsoft Ignite 2022

by Nick_C

Microsoft Defender for Endpoint makes its mark at Microsoft Ignite 2022 with three announcements at this year’s event: 

  • Save 50% on Microsoft Defender for Endpoint 
  • Partnership with Corelight and integrating Windows with open-source project, Zeek, to deliver deep packet inspection 
  • Detect and remediate command and control attacks at the network layer 

 

Save 50% on Microsoft Defender for Endpoint 

 

The evolving threat landscape has pushed many organizations to rethink their current security approach. To help organizations adapt to these new dynamics, while considering recent macroeconomic pressures, we’re excited to announce a limited-time offer to save 50% on Microsoft Defender for Endpoint P1 and P2 licenses.

 

Microsoft Defender for Endpoint is a leading endpoint protection solution that goes beyond legacy antivirus, securing organizations with intelligent detection and response capabilities to rapidly stop threats. It enables organizations to save time and resources with automation – managing incidents, prioritizing alerts, and remediating threats automatically, while minimizing complexity across multi-platform environments by streamlining security processes with a unified experience for Windows, Linux, Mac, iOS, and Android devices.

 

For many organizations looking for a comprehensive security strategy, Defender for Endpoint is often the first step towards end-to-end protection with Microsoft 365 Defender – Microsoft’s Extended Detection and Response (XDR) solution. It provides integrated threat protection across endpoints, email, documents, identities, and cloud apps – helping stop breaches throughout the entire organization. 


 

Defender for Endpoint expands capabilities at the network layer 

 

Over the past few years, organizations have been experiencing an uptick in network-based attacks targeted at the endpoint. While many endpoint solutions do a great job at neutralizing these threats, it is difficult for security teams to gather insights that help better identify nefarious network communications occurring on the device in the early stages of an attack. By enhancing our endpoint security defenses to deliver even more protection at the network layer, organizations can be quicker at detecting and remediating these threats.  

 

 

Open source partnership delivers deep packet inspection support 

 

Organizations can improve their investigation efforts and reduce the time it takes to mitigate network-based threats by having better visibility into the endpoint activity happening at the network layer.

 

We are pleased to announce that Microsoft Defender for Endpoint has enhanced the way it addresses these attacks with deep packet inspection support through our newest open source integration with Zeek. This feature provides organizations with greater visibility into network signals across all Defender for Endpoint devices, giving security teams richer signals for advanced threat hunting, complete and accurate discovery of IoT devices, and more powerful detection and response capabilities.

 

Thanks to our partnership with Corelight, a leader in open source Network Detection and Response (NDR), and Microsoft’s commitment to support open source projects, we have integrated Windows and Zeek to help organizations better detect network-based attacks and enhance threat and vulnerability investigation. The new integration will help organizations improve their overall endpoint posture and we are excited to have realized these capabilities with successful partnerships in the open source community.  

 

 

Detecting and remediating command and control attacks at the network layer 

 

To quickly detect and clean up botnet infections, SecOps teams need security tools with strong detection capabilities that generate more precise alerts to accurately define and remediate areas of compromise known to have connected with malicious IPs.

 

We are excited to announce the recent release of Network Protection command and control (C2) detection and remediation capabilities in Microsoft Defender for Endpoint. With these new capabilities, SecOps teams can detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries.

 

This capability works by inspecting network packets and examining them for C2 malware configuration patterns. The Network Protection (NP) agent in Defender for Endpoint determines the true nature of the connection by checking the outbound connection’s IP address, port, hostname, and other NP connection values against the Microsoft Cloud. If our cloud-powered AI and scoring engines deem the connection malicious, the connection is blocked and the malware binaries on the endpoint are rolled back to the previous clean state.

 

After detection, an alert will surface under “Incidents and alerts” in the Microsoft 365 Defender portal where the SecOps team can observe the alert name, the severity-level of the detection, device status, and other details. Security teams can see more details on the alert with a full timeline and attack flow relative to their environment. 

 

 

More at Microsoft Ignite 2022 

 

Make the most out of Microsoft Ignite and learn more about today’s announcements or join a live product roundtable with our product teams.  

01 Feb 20:26

Recovering from Attack Surface Reduction rule shortcut deletions

by Scott Woodgate

Updated 1/23/2023 @ 1:10pm PST

 

On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files.

 

There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update builds 1.381.2134.0, 1.381.2140.0, 1.381.2152 and 1.381.2163.0. 

 

For currently impacted customers: what do I need to do? 

Impacted customers will need both to install the updated security intelligence build and to follow the process below to recover start menu and taskbar shortcuts.

 

The updated security intelligence build

Customers should update to build 1.381.2164.0 or later. Customers utilizing automatic updates for Microsoft Defender antivirus do not need to take additional action to receive the updated security intelligence build. Enterprise customers managing updates should download the latest update and deploy it across their environments. The security intelligence build does not restore deleted shortcuts; instructions on how to restore those are immediately below. If you switched “Block Win32 calls from Office macros” to audit mode per prior guidance, you can now safely turn block mode back on.
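As an added check (not part of Microsoft's advisory or its scripts), the following PowerShell reports whether a device is actually in scope, combining the two conditions stated above: the rule enforced in block mode and a security intelligence build in the affected range 1.381.2134.0 to 1.381.2163.0. The rule GUID is Microsoft's documented identifier for "Block Win32 API calls from Office macros"; the function name and output fields are this example's own.

```powershell
# Added example, not part of Microsoft's advisory or scripts: report whether this
# device is in scope for the ASR shortcut-deletion issue. A device is in scope only
# if BOTH conditions hold: the "Block Win32 API calls from Office macro" rule is
# enforced in block mode AND the security intelligence build is in the affected range.

# Documented ASR rule GUID for "Block Win32 API calls from Office macros".
$AsrOfficeWin32RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$FirstAffectedBuild   = [version]'1.381.2134.0'
$LastAffectedBuild    = [version]'1.381.2163.0'
$FixedBuild           = [version]'1.381.2164.0'

function Test-AsrShortcutIncidentScope {
    param(
        [Parameter(Mandatory)] [version] $SignatureVersion,
        [string[]] $RuleIds     = @(),   # AttackSurfaceReductionRules_Ids
        [int[]]    $RuleActions = @()    # AttackSurfaceReductionRules_Actions (0=Off, 1=Block, 2=Audit, 6=Warn)
    )
    # Ids and Actions are parallel arrays; walk them together to find this rule's mode.
    $ruleAction = $null
    for ($i = 0; $i -lt $RuleIds.Count -and $i -lt $RuleActions.Count; $i++) {
        if ($RuleIds[$i] -eq $AsrOfficeWin32RuleId) { $ruleAction = $RuleActions[$i] }
    }
    $inBlockMode     = ($ruleAction -eq 1)
    $onAffectedBuild = ($SignatureVersion -ge $FirstAffectedBuild) -and ($SignatureVersion -le $LastAffectedBuild)

    [pscustomobject]@{
        SignatureVersion = $SignatureVersion
        RuleAction       = $ruleAction        # $null means the rule is not configured at all
        RuleInBlockMode  = $inBlockMode
        OnAffectedBuild  = $onAffectedBuild
        HasFixedBuild    = ($SignatureVersion -ge $FixedBuild)
        InScope          = $inBlockMode -and $onAffectedBuild
    }
}

# Query the local Defender engine (Defender PowerShell module, elevated prompt).
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
Test-AsrShortcutIncidentScope -SignatureVersion ([version]$status.AntivirusSignatureVersion) `
                              -RuleIds @($pref.AttackSurfaceReductionRules_Ids) `
                              -RuleActions @($pref.AttackSurfaceReductionRules_Actions)
```

A device that reports InScope = True and HasFixedBuild = False still needs the signature update first; one that reports InScope = True with HasFixedBuild = True needs only the shortcut recovery steps below.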

 

To recover deleted start menu and taskbar shortcuts

Microsoft has confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were deleted.  

 

Version 5.0 provides improved error handling for AddShortcuts.ps1 to ensure RunOnce executes when a logged off user logs back in. MpRecoverTaskbar.exe now supports restoring each user’s Chrome and Edge pinned taskbar shortcuts found per profile. For more details click here.

 

1/ Download both AddShortcuts.ps1 and MpRecoverTaskBar.exe and select from the following options:

 

Option A/ If you are using System Center Config Manager or Group Policy Object Editor or third-party tools, then deploy both files and run the command “powershell -ep bypass -file .\AddShortcuts.ps1 -MpTaskBarRecoverUtilDownload=false” as Administrator.

 

Option B/ If you are using Intune or no management tool then deploy AddShortcuts.ps1 and run the command “powershell -ep bypass -file .\AddShortcuts.ps1” as Administrator.  This will automatically download MPTaskBarRecover.exe from the Microsoft download center onto the user’s machine and run the script. Detailed instructions on how to deploy the script using Microsoft Intune are here. 

 

2/ The changes will come into effect after users logout and login to their accounts.

 

3/ The MPRecoverTaskbar.exe can be run multiple times on end-user machines if necessary.  If end-users are missing taskbar icons after completing this process, then try running it a second time from %windir%\MPRecoverTaskbar.exe in the user context.

 

The script requires PowerShell 5.x and does not currently support PowerShell 7.x.

 

Version 5.0 includes all the improvements from Version 4.0:

  • restores from Volume Shadow Copy Service by default
  • recovers .URL files in the user's profile's Favorites and Desktop directories, if those URL files exist in the Volume Shadow Copy Service
  • contains improvements for non-English language machines
  • improved error handling and additional checks that help recover more shortcuts and links
  • better error handling to perform all the actions, including running the MpRecoverTaskbar.exe

It also adds better error handling in AddShortcuts.ps1 to ensure RunOnce executes when a logged-off user logs back in, and enables MPRecoverTaskbar.exe to restore each user’s Chrome and Edge pinned taskbar shortcuts found per profile.

 

To add programs to the script: edit the $program variable and add a new line with the name of the application lnk and the executable. 
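To illustrate what a recovery script does for each such entry, here is an added PowerShell example (not Microsoft's AddShortcuts.ps1) that recreates missing all-users Start Menu shortcuts from a table of application names and executables. The $programs entries, the function name and the status values are illustrative assumptions; the shortcut creation itself uses the standard WScript.Shell COM object.

```powershell
# Added example, not Microsoft's AddShortcuts.ps1: recreate missing all-users Start Menu
# shortcuts for a table of known applications. The $programs entries are illustrative
# assumptions; populate the table with the applications deleted in your environment.

# Shortcut name (without .lnk) -> executable it should point to.
$programs = @{
    'Notepad++'          = Join-Path $env:ProgramFiles 'Notepad++\notepad++.exe'
    '7-Zip File Manager' = Join-Path $env:ProgramFiles '7-Zip\7zFM.exe'
}

# Common Start Menu folder, where per-machine installers place their .lnk files.
$StartMenuPrograms = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'

function Restore-StartMenuShortcut {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $TargetPath,
        [string] $Folder = $StartMenuPrograms
    )
    $lnkPath = Join-Path $Folder "$Name.lnk"
    $result  = [ordered]@{ Name = $Name; Shortcut = $lnkPath; Status = $null }

    # Only recreate shortcuts for software that is actually installed.
    if (-not (Test-Path -LiteralPath $TargetPath -PathType Leaf)) {
        $result.Status = 'TargetMissing'
        return [pscustomobject]$result
    }
    # Never overwrite a surviving shortcut, so repeated runs are safe.
    if (Test-Path -LiteralPath $lnkPath -PathType Leaf) {
        $result.Status = 'AlreadyPresent'
        return [pscustomobject]$result
    }

    $shell = New-Object -ComObject WScript.Shell
    try {
        $shortcut = $shell.CreateShortcut($lnkPath)
        $shortcut.TargetPath       = $TargetPath
        $shortcut.WorkingDirectory = Split-Path -Parent $TargetPath
        $shortcut.IconLocation     = "$TargetPath,0"
        $shortcut.Save()
        $result.Status = 'Recreated'
    }
    catch {
        $result.Status = "Failed: $($_.Exception.Message)"
    }
    finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
    return [pscustomobject]$result
}

# Run as Administrator: the common Start Menu folder is not writable by standard users.
$programs.GetEnumerator() | ForEach-Object {
    Restore-StartMenuShortcut -Name $_.Key -TargetPath $_.Value
} | Format-Table -AutoSize
```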

 

For customers that prefer manual steps rather than the script, running an application repair on affected applications will recreate deleted links. Users can run the Application Repair functionality for programs including Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.

To repair an application, follow these instructions:

    1. Windows 10:
      1. Select Start > Settings > Apps > Apps & features
      2. Select the app you want to fix.
      3. Select Modify link under the name of the app if it is available.
      4. A new page will launch and allow you to select repair.
    2. Windows 11:
      1. Type “Installed Apps” in the search bar.
      2. Click “Installed Apps”.
      3. Select the app you want to fix.
      4. Click on “…”
      5. Select Modify or Advanced Options if it is available.
      6. A new page will launch and allow you to select repair.

Verifying environment impact

Customers can verify the impact of this issue in their environment through the following advanced hunting queries (AHQs):

 

To retrieve all block events from devices where the ASR rule "Block Win32 API calls from Office macro" is enabled in “Block” mode, run this query:

DeviceEvents
| where Timestamp >= datetime(2023-01-13)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| extend JSON = parse_json(AdditionalFields)
| extend isAudit = tostring(JSON.IsAudit)
| where isAudit == "false"
| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields
| sort by Timestamp asc

 

To retrieve all events from devices where the ASR rule "Block Win32 API calls from Office macro" is enabled in either “block” or “audit” mode, run this query:

 

DeviceEvents
| where Timestamp >= datetime(2023-01-13)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields
| sort by Timestamp asc

 

To retrieve the count of devices with the ASR rule “Block Win32 API calls from Office macro” enabled, and whether that count exceeds 10K, run this query:

 

DeviceEvents
| where Timestamp >= datetime(2023-01-13)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| summarize deviceCount = dcount(DeviceId)
| extend IsMoreThanTenThousand = iif(deviceCount > 10000, true, false)

 

Advanced Hunting Queries are not available in Defender for Endpoint P1 (which is also included in E3 and A3) or in Defender for Business. To identify affected machines, run the script here on individual user machines.

 

FAQ 

Additional questions are addressed in the FAQ document

01 Feb 20:25

The Best Video Game TV Shows You Can Watch in 2023 - CNET

by Mark Serrels
01 Feb 20:24

AMD Beats Analyst Estimates But Says It Will Under-ship Products In PC Market

by Ramish Zafar

After it beat analyst revenue estimates yesterday, chipmaker Advanced Micro Devices, Inc (AMD) can see growth slow down this year, according to research and financial firms. AMD's earnings saw the firm post $5.6 billion in revenue for the fourth quarter, marking a small 1% annual growth. This let the firm beat analyst estimates by $80 million, with its earnings per share of $0.69 also topping the estimates by two cents. At the earnings conference for the report, AMD's chief Dr. Lisa Su explained that growth in her company's embedded and data center segments led it to increase the fourth quarter revenue by 16% annually, with the pair accounting for 50% of AMD's overall revenue during the quarter.

AMD Confident About Growing Data Center Sales This Year Through New Products

Heading into the earnings result, analysts speculated that AMD's data center segment would perform well this year, as new product launches place the firm in an advantageous position with respect to its larger rival Intel. This turned out to be true for the previous quarter as well, as data center was the only division that delivered organic revenue growth for AMD.

Other segments, such as client computing and gaming, saw 51% and 7% annual drops, and while the revenue from embedded computing grew, AMD explained that this 1,868% growth had come on the back of its massive Xilinx acquisition. AMD absorbed more costs of the deal during its fourth quarter, which saw the firm post a $149 million GAAP operating loss and a massive 99% net income drop.

AMD's chief, Dr. Lisa Su, shared that sales to North American hyper scalers in the cloud computing segment more than doubled annually, especially as AMD-based instances became more common from leading vendors such as Amazon and Microsoft.

AMD income statement for the fiscal and calendar year 2022
AMD's fiscal year 2022 earnings snapshot. Image: AMD

Dr. Su added that her company continued to manage inventory during the fourth quarter, as it shipped fewer units than were being consumed in the personal computing industry. This stands in sharp contrast to Intel, which is shipping more units to maximize product visibility, according to Bernstein. AMD's client segment, which covers PC sales, was its worst performing segment during the quarter, as it saw a massive 51% annual revenue drop. Commenting on the gaming division, the executive explained that revenue dropped as AMD slowed down shipments, but channel sales of the newer Radeon RX graphics processing units (GPUs) were higher over the previous quarter.

Commenting on AMD's earnings results, research firm Summit Insights states that AMD's outlook for the first quarter is hinting at a slowdown in its cloud computing, personal computing and gaming markets. It believes that the firm's financial performance, which saw AMD grow its calendar and fiscal year 2022 net income by another whopping 60%, will tone down this year. As opposed to others, such as KeyBanc, which believes that AMD will close the year with a 30% data center market share, Summit Insights believes that AMD's market share gains will be "less meaningful" in 2023.

On the other hand,  research firm Jefferies is more upbeat about AMD. It is enthused by AMD's belief that both the data center and the personal computing markets can bottom out by the end of the current quarter. AMD plans to ship fewer products than are being consumed this quarter as well, as the firm aggressively targets inventory buildup at retailers. Like Intel, AMD also did not provide a full year guidance at its earnings call, explaining that macroeconomic uncertainty had influenced the decision.

The post AMD Beats Analyst Estimates But Says It Will Under-ship Products In PC Market by Ramish Zafar appeared first on Wccftech.

01 Feb 20:23

Rupert Grint Was M. Night Shyamalan's 'Secret Weapon' Behind The Scenes Of Servant

by Fatemeh Mirjalili

M. Night Shyamalan's "Servant" is the kind of show that implores you to ask questions without giving you any answers. It incorporates the creepy and psychological elements of horror, has a very dark sense of humor, and transforms bizarre situations into something thoroughly absurd. Starring Lauren Ambrose, Toby Kebbell, Nell Tiger Free, and Rupert Grint, the Apple TV+ series tells the story of the Turners -- Dorothy and Sean (Ambrose and Kebbell) -- a couple who hire a live-in nanny (Free) to look after their child — a reborn doll — following the tragic death of their baby boy.

The TV show's visual and aesthetic style makes it very mysterious and atmospheric ... and also very, very vague. You can't help but wonder what's going on most of the time -- and you cannot come to trust anyone. Even the familiar-faced Rupert Grint -- who plays Dorothy's younger brother Julian Pearce -- takes on a chaotic, constantly-changing character (save for his love of wine) with a penchant for intruding on others' lives. And Shyamalan considers him the show's secret weapon.

The Story Of Servant Confused Rupert Grint

During a conversation with Interview Magazine, M. Night Shyamalan and Rupert Grint discussed the "Harry Potter" star's audition tape for "Servant." Grint explained how he didn't have much context during the audition stage — he just knew it was "a conversation between two guys who gave out a doll." The actor didn't know much about the show then; he just knew that he felt in tune with the character.

"I didn't understand exactly what I was reading, but just from the dialogue, and the way and the rhythm in which he spoke, I felt very in tune and it felt very easy, more so than anything I've ever read."

Shyamalan praised Grint's audition — the filmmaker mentioned that he was nervous about how "spot-on" it was. "The Sixth Sense" director was in disbelief at how Grint adopted the character. "'He can't be this spot-on. He can't,'" Shyamalan recalled thinking.

When Grint revealed he thought himself to be bad at audition tapes, and that his audition for "Servant" was the only one he felt confident about, Shyamalan was rather surprised. He now had even higher praise for Grint: "You're shocking me. We refer to you in the writers' room as our secret weapon."

Rupert Grint Has Had Ample Practice

The "Servant" showrunner lauded Rupert Grint's versatility as an actor. Everyone knows he started — at age 10 — in the "Harry Potter" film franchise, where he portrayed the protagonist's red-headed best friend, Ron Weasley. As a child actor, Grint had already been commended for his effortless comic timing and physicality. Plus, he worked with directors such as Christopher Columbus and Alfonso Cuarón, not to mention veteran actors in Maggie Smith, Alan Rickman, Michael Gambon, and Imelda Staunton among others. M. Night Shyamalan credits Grint's talent and presence as an actor to his experiences in "Harry Potter:"

"Your flexibility, your agility to do comedy, drama, and physicality in every way. I have to attribute it to the amount of practice you had as a child [...] It didn't even occur to me that you were growing up sparring with some of the great actors of our time."

Grint acknowledged that his decade-long acting stint in the Wizarding World was a "real education." He added, "We worked with so many great directors and people, and when it finished, it did feel like we were graduating from college, in a way."

While the 34-year-old Englishman has largely stayed away from the limelight since his "Harry Potter" days of fame, he has proved his indisputable talent by taking on some distinct roles, with "Servant" being one of them. Three seasons later, Grint has delivered a consistently compelling performance that continues in the ongoing fourth and final season, wrapping up on March 17 on Apple TV+. And he's impressed Shyamalan enough to become a part of the director's latest film, "Knock at the Cabin," out this Friday, February 3 in cinemas.

Read this next: The 15 Best Horror TV Shows Of All Time

The post Rupert Grint Was M. Night Shyamalan's 'Secret Weapon' Behind The Scenes Of Servant appeared first on /Film.

01 Feb 20:22

Resident Evil 4 remake makes huge changes, including new content

by Will Nelson

The Resident Evil 4 release date edges ever closer, as Capcom sets out to remake the genre-defining third-person shooter and horror game for a modern generation. As we get closer to the release of Resident Evil 4, we’re starting to hear more about what Capcom has changed in the classic game, from the removal of annoying overused mechanics to the inclusion of plenty of new content.

01 Feb 20:22

Cyber Insights 2023: ICS and Operational Technology

by Kevin Townsend

About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.


SecurityWeek Cyber Insights 2023 | ICS and Operational Technology – Recognition of the cyber threat to industrial control systems (ICS) and operational technology (OT) systems has grown over the last decade. Until recently, this has been largely a theoretical threat founded on the danger of what could happen rather than what is happening. This is changing, and the threat to ICS/OT is now real and ongoing. The bigger danger is that this is likely to increase in 2023 and onward.

There are several reasons, including geopolitical fallout and escalation of tensions from the Russia/Ukraine war, and a growing willingness of criminals to target the ICS of critical industries. At the same time, ICS/OT is facing an expanding attack surface caused by continuing business digitization, an explosion of IoT and IIoT devices, the coming together of IT and OT networks, and the use of potentially insecure open source software libraries to bind it all together.

Background to the ICS/OT Threatscape

The IT/OT overlap

One of the biggest threats to OT comes from its convergence with IT. When the networks were separate, OT could be isolated from the internet and kept relatively secure. This is no longer reality.

“As IT and OT systems continue to converge,” comments Simon Chassar, CRO at Claroty, “nation-state actors and cybercriminal groups such as Berserk Bear, Conti, Lazarus and Mythic Leopard, will shift their focus from IT to OT and cyber-physical systems; from stealing sensitive data to disrupting mission-critical operations.” 

For all its benefits, IT/OT convergence without proper security means threat actors can take down operations by exploiting an IT access point or a cloud vector. “This yields maximum financial or political gain for the attacker,” continued Chassar, “because businesses have more incentive to pay a ransom when their means of production are at stake, which can have a long-term impact on revenue and the supply chain.”


Ramsey Hajj, Deloitte’s US and global cyber OT leader, expands on this theme. “Cyber attackers are increasingly weaponizing OT environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments can make cyber incident containment difficult.”

Supply chain attacks cannot be ignored, either on the IT side or directly against OT. “Supply chain attacks continue to evolve for both ICS hardware and software,” comments Pascal Ackerman, senior security consultant for operational technology at GuidePoint Security. “Think implants for controls and automation equipment, attack chains that involve suppliers and service providers to ICS owners as an initial foothold or pivot point, and compromises on controls and automation vendors’ file repositories with the purpose of adding implants in the provided software.”


Geopolitics and the Russia/Ukraine war

“One of the biggest concerns around the potential for large-scale attacks in the wake of the war in Ukraine is around ICS/OT,” says Christopher Budd, senior manager of threat research at Sophos. “While we haven’t yet seen attacks on a scale as feared, there have been documented attacks like this in Ukraine as part of the ongoing hostilities.”

He suspects this will focus both government and industry on strengthening the security of ICS/OT systems, even if it’s done quietly. This may already be evident in the new Cross-Sector Cybersecurity Performance Goals (CPGs) issued by CISA in late October 2022. Claroty describes them as, “a foundational set of IT and OT practices and recommendations that can help smaller, lesser-resourced organizations better prioritize cybersecurity efforts and reduce risk.”

Claroty highlights four OT recommendations in the CPGs. There should be a single leader responsible for OT asset cybersecurity; there should be specialized OT-focused cybersecurity training for OT engineers; there should be compensating controls such as network segmentation and access controls used as mitigations until software patches and firmware updates can be applied; and there should be unique credentials for assets, use of MFA, and the removal of default passwords.

We can expect that government agencies will, and private industry should, work on conforming to CISA’s CPGs during and from 2023. 

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, expects further assistance from CISA in 2023. “2023 will usher in the fruits of new CISA programs further building mechanisms for enhanced trust and verification – CyberSentry and RedEye for example – which will broaden the aperture for understanding OT and ICS incidents.”

One less-obvious effect of global geopolitical tensions will be a deterioration in international law enforcement cooperation. “Besides the growth of hacktivist activity ‘working’ to internal and external political agendas,” suggests Kaspersky, “we might also see more ransomware attacks on critical infrastructure due to the fact that it will become harder to prosecute such attacks.”

Chassar is more direct. “There is going to be an increase in the number of threats from nation-state actors, as well as groups that are associated with nation-states in 2023,” he says. “Their activity targeting the critical infrastructure industry, from manufacturing to water and energy, will continue to grow, fueled by ongoing global geopolitical conflicts such as the Russia/Ukraine war, as well as the current economic climate.”

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while cybercriminals have had their restraints reduced.

Specifically…

IoT/IIoT 

“There are now more known vulnerabilities impacting IoT devices than IT devices,” says Bud Broomhead, CEO at Viakoo, “and IoT devices are often the easiest for cybercriminals to access.” IoT and IIoT are a massive and expanding part of the ICS/OT attack surface, providing an entry point and enabling lateral movement.

“Breached IoT devices are having devastating impacts,” he continued, “such as ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.”

The scale (sometimes up to 20x more than IT devices) and the physical location (widely distributed rather than focused within data centers), together with the growing use of vulnerable open source software libraries, make vulnerability remediation difficult.

Broomhead believes the shift to open source software presents the most immediate threat. “The dangers open source vulnerabilities present are that they require multiple vendors to provide patches, they are often found in OT and IoT devices that are hard to remediate, and they can be exploited many years after they were discovered.”

Wendy Frank, Deloitte’s US cyber IoT leader, believes part of the threat comes from a lack of adequate security governance covering the implementation of IoT, IIoT, OT and ICS devices. As their number grows, so the expanded attack surface creates more security, data, and privacy risks.

“Leading organizations,” she says, “will focus in the year ahead on connected-device cyber practices by establishing or updating related policies and procedures, updating inventories of their IoT-connected devices, monitoring and patching devices, honing both device procurement and disposal practices with security in mind, correlating IoT and IT networks, and monitoring connected devices more closely to further secure those endpoints, manage vulnerabilities, and respond to incidents.”

Ransomware and other malware

“Ransomware remains the most likely threat to cause disruption in industrial infrastructure environments in 2023,” states Thomas Winston, director of intelligence content at Dragos. “Based on our visibility of ransomware events, manufacturing organizations remain the most frequent target with 70% of observed ransomware events, year-to-date [ie, 2022], continuing to target primarily manufacturing.”

Ackerman sees ransomware beginning to target OT specifically. He expects to see: “Ransomware targeting the industrial environment – in contrast to ransomware on the IT side accidentally compromising the OT space – with attacks on virtualization stacks (VMware), data repositories (Historian), controls equipment like PLCs, and controls project repositories (file shares).”

Partly, this will be exacerbated by native code execution on PLCs, with the attacker adding arbitrary code to the PLC’s OS, and paving the way for ransomware and rootkits running on the PLC.

Winston is particularly concerned for those organizations without adequate segmentation between IT and OT, but notes that “Ransomware rarely uses novel methods – making the application of key elements of a defensible ICS/OT architecture particularly effective.”

He recommends the five critical controls outlined by SANS in October 2022: implementation of an ICS-specific incident response plan; development of a defensible architecture [perhaps in conjunction with an attack surface management plan]; ICS network visibility and monitoring; secure remote access; and a risk-based vulnerability management program.

Beyond ransomware, Winston is concerned about the evolution of Pipedream (also known as Incontroller). “Pipedream is an existential threat to the ICS community. This toolset is likely being actively developed and financed,” he said. 

“It is already capable of disruption across industries, including CrashOverride-style disruption, pipeline disruption, and servo manipulation. We’ve confirmed that Pipedream, with little development effort, can target devices speaking the ubiquitous CODESYSv3 and OPC UA protocols. It can manipulate servos in the 1S-Series of Omron Servo drives.” While it cannot target Omron Safety Controllers, he believes this is undoubtedly the next step in its development. 

Hijacking remote access sessions

Ian Pratt, global head of security for personal systems at HP Inc, sees an increase in session hijacking in 2023. “Increased use of features like Windows Defender Credential Guard are forcing attackers to pivot – either capturing users’ passwords to enable lateral movement, or hijacking the remote session itself to access sensitive data and systems. The latter is particularly powerful.”

By targeting users with elevated rights, the attacks are more potent, harder to detect, and more difficult to remove. “The user is typically unaware that anything has happened. It takes just milliseconds to inject key sequences and issue commands that create a backdoor for persistent access. And it works even if privileged access management (PAM) systems are being used to employ MFA, such as smart cards.”

Session hijacking does not involve exploiting a fixable vulnerability – it is about abusing the legitimate functionality of remote session protocols, such as RDP, ICA and SSH. “If such an attack connects to OT and ICS running factories and industrial plants, there could also be a physical impact on operational availability and safety – potentially cutting off access to energy or water for entire areas.”
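Because session hijacking abuses legitimate reconnect functionality rather than a patchable bug, the practical defence is monitoring: a disconnected session that is resumed from a different client than the one that held it is worth an alert. The script below is an added example for this article (not code from SecurityWeek or HP). Its records are constructed; they borrow the field names Windows attaches to session reconnect (event 4778) and disconnect (event 4779) events, but the users, hosts, logon IDs and addresses are invented.

```python
"""Flag remote-session reconnects that arrive from a different client than
the one that previously held the session.

Added example, not code from SecurityWeek or any vendor quoted here. The
events are constructed; field names mirror Windows 4778/4779 session
events, values are invented.
"""

RECONNECT, DISCONNECT = 4778, 4779

# Constructed sample events in time order. The logon ID identifies the
# interactive session; the session name only identifies the connection.
SAMPLE_EVENTS = [
    {"id": DISCONNECT, "user": "ot-admin", "logon_id": "0x3E7A5",
     "client_name": "WKS-ENG-07", "client_addr": "10.10.5.23"},
    {"id": RECONNECT, "user": "ot-admin", "logon_id": "0x3E7A5",
     "client_name": "WKS-ENG-07", "client_addr": "10.10.5.23"},
    {"id": DISCONNECT, "user": "ot-admin", "logon_id": "0x3E7A5",
     "client_name": "WKS-ENG-07", "client_addr": "10.10.5.23"},
    # The same disconnected session resumed from a different host.
    {"id": RECONNECT, "user": "ot-admin", "logon_id": "0x3E7A5",
     "client_name": "SRV-JUMP-01", "client_addr": "10.10.9.40"},
    {"id": RECONNECT, "user": "vendor01", "logon_id": "0x41F20",
     "client_name": "VND-LAPTOP", "client_addr": "192.0.2.15"},
    # Unrelated event type: ignored by the detector.
    {"id": 4624, "user": "vendor01", "logon_id": "0x41F20",
     "client_name": "VND-LAPTOP", "client_addr": "192.0.2.15"},
]


def find_client_switches(events):
    """Return one alert per reconnect whose client (name, address) differs
    from the client last seen on the same (user, logon_id). The first
    reconnect/disconnect seen for a session sets its baseline client."""
    last_client = {}  # (user, logon_id) -> (client_name, client_addr)
    alerts = []
    for ev in events:
        if ev["id"] not in (RECONNECT, DISCONNECT):
            continue
        key = (ev["user"], ev["logon_id"])
        client = (ev["client_name"], ev["client_addr"])
        previous = last_client.get(key)
        if ev["id"] == RECONNECT and previous is not None and previous != client:
            alerts.append({
                "user": ev["user"],
                "logon_id": ev["logon_id"],
                "previous_client": previous,
                "new_client": client,
            })
        # Whatever the outcome, the latest event defines the current client.
        last_client[key] = client
    return alerts


if __name__ == "__main__":
    for alert in find_client_switches(SAMPLE_EVENTS):
        print(alert)
```

The check is deliberately narrow: it keys on the logon ID rather than the session name, because the session name changes with each connection. A user who legitimately resumes a session from a new laptop will also trip it, so the alert is a prompt to verify the reconnect against the user, not proof of hijacking; for privileged accounts that reach OT hosts, that verification is cheap relative to the impact Pratt describes.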

APTs targeting CNI through OT

“Attacks targeting critical national infrastructure tend to be the work of APT groups working on behalf of nation states with specific goals,” comments Joseph Carson, chief security scientist and advisory CISO at Delinea. Those goals are governed by the current state of geopolitics, and the global tension caused by the Russia/Ukraine conflict means the stakes are high.

“These high-level adversaries are hard to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will select soft targets,” he continued.

Although OT and IT networks are converging, there remains a fundamental design difference between the two. “OT systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks. Gaining centralized visibility and management of such a complex environment can be extremely challenging,” he added. 

This results in gaps between the two networks that APT actors can find, infiltrating the IT network and moving across to the OT network. “These issues elevate the potential threat of a nation state actor infiltrating the system and causing serious disruption,” he continued.

According to Kaspersky’s experts, there will likely be a shift in APT activity against industrial organizations in new industries and locations. “Real economy sectors such as agriculture, logistics and transport, the alternative energy sector, and the energy sector as a whole, high-tech, pharmaceuticals and medical equipment producers are likely to see more attacks next year,” they say. “Moreover, traditional targets such as the military industrial complex and the government sector will also remain a focus.”

Kaspersky also warns that there will likely be an increased level of cooperation between criminals and APTs. “Other risks to watch out for are the heightened criminal activity with a goal to harvest user credentials as well as more volunteer ideological and politically motivated insiders working with criminal groups, usually extortionists and APTs,” it says. “These insiders may be active in production facilities as well as technology developers, product vendors and service providers.”

Human costs

Attacks on the OT of critical industries have real world implications, which may worsen in 2023. “Whether it’s contaminated water supplies or minimal access to fuel, we’ve seen the costs these cyberattacks have firsthand,” comments Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence. “While hackers’ activities will likely still be money-driven, we can expect to see human cost become more of a play in the following year.”

He is concerned that IT and OT security convergence is still not effective. “Attacks that have been close calls in the past (such as the poisoning of the water supply from a Florida plant in 2021) will eventually have human costs.”

Catastrophic attack on the energy grid

Liebig is also concerned about attacks on the energy grid. “As Ukraine stands its ground in its conflict with Russia, we’re likely to not only see more attacks on Ukrainian energy infrastructure, but the US’s infrastructure as well,” he warns. “At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years.”

As a result, he continued, “The combination of aforementioned factors makes the US’s power grid more vulnerable to cyberattacks than it has been in a long time.”

The way forward

Sam Curry, CSO at Cybereason, believes there needs to be a fundamental change of approach from the ICS/OT system providers. “Many of the security basics are simply not present, such as leveraging roots of trust and trusted execution environment, strong cryptographic options, hardening, secure update and shipping with strong identity options and no default access, to name a few,” he says. “Most devices don’t ship with hardening options or advice, have poor documentation and no understanding of ultimate use cases.”

This results in customers setting up devices, but rarely coming back to manage the ongoing device lifecycle, let alone maintaining security aggressively as they should. “There are missed business opportunities for security services and secure management services as a service that are being left behind. Done correctly, there’s not only lower risk for business, but there’s money to be made and real value to provide.”

He adds, “2023 needs to be the year to reset ICS and OT standards for security.”

Ronnie Fabela, CTO and co-founder at SynSaber, also sees scope for improvement in standards. “From the practitioner side of ICS cybersecurity, 2023 will continue to see an overwhelming message of guidance, regulation, media, and FUD about topics such as ransomware, threat actors, and nation-states,” he says.

“My prediction for 2023 is that while this will continue, the industry’s response will be loud and focused: ‘Enough guidance and FUD. Help us execute.’” His position is that industrial operators and asset owners know their systems better than anyone. Now that they are on board with cyber, empowering the operating community is the only true way to move the needle.

“A shift from ‘We know better’ to ‘You know better’ will be tough for a cybersecurity industry that is used to being the hero,” he adds. “The faster all of us can change this mindset, the more successful 2023 will be for defending critical infrastructure.” There will consequently be continued movement from guidance to regulation.

But Jablanski offers a word of warning, more to do with party politics than geopolitics: “New direction and bolstered industry involvement will produce greater situational awareness, trust, and resolve across the critical infrastructure security community. As a warning, policymakers should avoid a partisan future for reducing cybersecurity risks to critical infrastructure.”

About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

The post Cyber Insights 2023: ICS and Operational Technology appeared first on SecurityWeek.

01 Feb 20:21

Cyber Insights 2023: Criminal Gangs

by Kevin Townsend

Our intention here is to talk about cybercrime and cybercriminals. Despite some geopolitical overlaps with state attackers, the majority of cyberattacks still come from simple – or perhaps sophisticated – criminals who are more motivated by money than politics.

“With the Russia-Ukraine War, many actors polarized, including players like Conti, Killnet and Anonymous. However, the ecosystem is much larger, and even with setbacks in cryptocurrency brokerage, which advanced the liquidity and economics of criminals online, criminal organizations are thriving, diversifying, and going gangbusters as we enter 2023,” comments Sam Curry, CSO at Cybereason.

“There are no signs of this letting up and all signs indicate that criminal organizations’ real growth is e-crime going forward.”

Know your enemy

An increasing sophistication among the more elite criminals together with a more streamlined organization of the infrastructure from which they operate has been apparent for many years. This process continues and will continue throughout 2023. It is apparent in both how the gangs operate and the tools they use.

“Malware will continue to evolve in 2023 as attackers find new ways to hide it to maintain persistence and get what they came for,” says Mike Parkin, senior technical engineer at Vulcan Cyber – adding, “The attack vectors they use to get a foothold will also evolve, taking advantage of new vulnerabilities, and leveraging variations of old ones.”

But it is the increasing maturity of the criminal business that perhaps poses the greatest threat. “There is a significant maturing of the tools used by cybercriminal groups,” explains Andrew Barratt, VP at Coalfire. “They are becoming platforms (as a service) for other criminal groups with significantly less technical expertise to leverage.”

We’ve had ransomware-as-a-service and infostealers-as-a-service for a few years, but it is becoming more accurate to describe the process as a complete ‘crime-as-a-service’. “While we’ve seen the crime-as-a-service infrastructure become very prevalent, it’s probably likely we’ll see an uptick in volume and/or pricing of these attacks in the year ahead,” adds Barratt.

Crime-as-a-Service

“We’ve looked at numerous online forums and found such a rise and diversification in the many kinds of criminal ‘as a service’ offerings that people really can set up their own cybercrime business with little to no technical knowledge or skills,” explains Christopher Budd, senior manager of threat research at Sophos. 

“Now you can find a vendor or supplier to cover your needs around targeting and initial compromise of victims, evasion and operational security, and malware delivery, among others.” These offerings often come with good marketing and customer service and support that meets – or even exceeds – those you get when paying for legitimate software.

Calling it malware-as-a-service (MaaS) rather than crime-as-a-service, Andrew Pendergast, EVP of product at ThreatConnect, adds, “MaaS operators act like a business, because they are a business – just an illegal one. Their goals are to make as much money as possible selling their product and services. This entails making it as accessible, trustable, reliable, and easy to use as possible for their ‘market’.”

He expects the CaaS providers to continue to improve their support and services to accommodate a broader set of customers and affiliates, adding, “The net results will be a broadening user base for various MaaS offerings which in 2023 likely means more ransomware attacks.”

In fact, the service is now so complete that Benjamin Fabre, CEO at DataDome, points out new cybercriminals no longer need the technical skills to develop and execute cyberattacks on their own. “Cybercrime will require as much brains as holding a baseball bat to a shop owner’s window,” he comments.

Chris Vaughan, a VP of technical account management at Tanium, agrees with this assessment. “Malicious cyber tools are becoming more available to be purchased online which is leading to a greater number of attacks that are also less predictable. This includes vulnerabilities and exploits as well as hackers for hire, dramatically lowering the barrier of entry for anyone interested in launching a cyberattack.”

This leads us to another related concern for 2023: the potential expansion of a recession-promoted cybercrime gig economy. “People may turn to ‘cyber hustling’ in the cybercrime gig economy to make quick cash during the economic downturn,” warns Alex Holland, senior malware analyst at HP Inc.

He fears a potential increase in the number of cyber hustlers seeking to make additional – or, indeed, any – income by scamming consumers who will themselves be looking for opportunities to raise some extra cash. “Cybercrime tools and mentoring services are readily available at low costs, enticing cyber hustlers – opportunists with relatively low levels of technical skill – to access what they need to turn a profit.”

The interconnected nature of the cybercrime gig economy means threat actors can easily monetize attacks. “And if they strike gold and compromise a corporate device, they can also sell that access to bigger players, like ransomware gangs. This all feeds into the cybercrime engine, giving organized groups even more reach.”

Crime gang career roles

Fundamental to the emergence of streamlined CaaS has been the evolution of career specializations within the gangs. “In many ways, the cybercrime ecosystem has developed specialized ‘career fields’ in a similar way that cybersecurity has developed specializations,” comments John Bambenek, principal threat hunter at Netenrich. 

This means there are many more partnerships and boutique actors helping a variety of groups. “Getting initial access is a specialized skill set, just like money laundering (in cryptocurrency) and ransomware development are skill sets,” he added. “This specialization makes the ecosystem as a whole more resilient and more difficult to bring to justice.”

This process of business refinement will continue through 2023. “Criminal organizations will continue to grow in scope and capabilities, with increased focus on functional areas,” suggests Gray, AVP of security strategy at Deepwatch. “Specialization will allow these groups to maintain the razor margins needed to operate at levels that are capable of bypassing security program components at advanced targets and/or operate at scale against more susceptible targets.”

Three categories of CaaS to watch in 2023

Three categories of crime-as-a-service are likely to be prevalent in 2023: ransomware-as-a-service (RaaS), stealer-as-a-service (SaaS), and victims-as-a-service (VaaS).

RaaS

The ‘pay-per-use’ version of delivering ransomware is, says Camellia Chan, CEO and founder of X-Phy, “a sophisticated, and yet much more accessible form of ransomware, with malicious actors no longer requiring advanced technical skills to carry out attacks.” This is a win for wannabe criminals who cannot code.

But it is also a win for the more elite coding criminals trying to avoid the eye of law enforcement. “The number of different entities involved adds another layer of complexity,” explains Chan. “While RaaS operators develop the infrastructure, access brokers focus on the identity posture and external access portals. To finish, the affiliate buying the RaaS handles the exfiltration of data to ransom, then deploying the actual ransomware payload.”

Mike McLellan, director of intelligence at Secureworks, continues: “New RaaS schemes will continue to emerge, but the landscape will be dominated by a handful of cybercriminal groups operating a small number of very active schemes.”

He expects the dominant schemes to increase their capacity to support more affiliates. “Experienced cybercriminals under sanction by the U.S. authorities will make use of existing RaaS schemes as a way of complicating attribution of their attacks. At the other end of the spectrum, less sophisticated affiliates will conduct simplistic ransomware deployments against small numbers of hosts, rather than full blown, enterprise-wide encryption events.”

SaaS

A study published by Group-IB on November 23, 2022, reported that 34 Russian-speaking groups were distributing infostealers as part of stealers-as-a-service operations. On average, each of these groups has some 200 active members. 

Twenty-three of the groups distributed the Redline infostealer, while eight concentrated on Raccoon. “An infostealer,” explains Group-IB, “is a type of malware that collects credentials stored in browsers (including gaming accounts, email services, and social media), bank card details, and crypto wallet information from infected computers, and then sends all this data to the malware operator.”

Given that credentials remain the starting point for most cyberattacks, the demand is and will remain high. Group-IB suggests “Stealers are one of the top threats to watch in the coming year.” The company notes, “In the first seven months of 2022, the gangs collectively infected over 890,000 user devices and stole over 50 million passwords.”

While the targets are individual computers often used by gamers and remote workers, the potential knock-on effect against corporates should not be underestimated. “The threat actor responsible for the most recent attack on Uber purchased the credentials compromised with the Raccoon stealer,” says Group-IB.

Uber itself explained the process in a statement: “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”

This demonstrates both the success of stealers and the failure of MFA to offer a complete access solution. The Uber instance seems to be a variation on what Tanium’s Vaughan describes as an MFA push exhaustion attack. “This,” he explains, “is where an attacker sends a large number of MFA acceptance prompts to a user’s phone which may cause them to click accept in order to stop the barrage of requests.”

This whole process of SaaS-delivered stealers acquiring credentials and attackers defeating MFA will persist and increase in 2023.
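The Uber sequence above, a stolen password followed by a barrage of push prompts until one is accepted, leaves a recognisable trace in MFA logs: several denied or timed-out prompts for one user inside a short window, then an approval. The detector below is an added example for this article (not code from SecurityWeek, Group-IB, Uber or Tanium). Its log format is constructed for the example: one line per push prompt with a UTC timestamp, user, result and source address; the user names and addresses are invented.

```python
"""Detect MFA push-exhaustion patterns in an MFA prompt log.

Added example, not code from SecurityWeek or any vendor quoted here. The
log format is constructed: one line per push prompt, with a UTC timestamp,
user, prompt result (denied/timeout/approved) and source address.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log. contractor01 receives a barrage of prompts and
# eventually approves one; engineer02 shows ordinary, spaced-out activity.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=contractor01 result=denied src=203.0.113.7
2022-09-15T22:01:40Z user=contractor01 result=timeout src=203.0.113.7
2022-09-15T22:02:11Z user=contractor01 result=denied src=203.0.113.7
2022-09-15T22:02:55Z user=contractor01 result=timeout src=203.0.113.7
2022-09-15T22:03:30Z user=contractor01 result=approved src=203.0.113.7
2022-09-15T22:05:00Z user=engineer02 result=approved src=198.51.100.20
2022-09-15T23:10:00Z user=engineer02 result=denied src=198.51.100.20
2022-09-15T23:20:00Z user=engineer02 result=approved src=198.51.100.20
"""


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware 'ts' field."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def detect_push_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Return one alert per user whose unapproved prompts (denied or
    timeout) reach `threshold` within `window`. If an approval then arrives
    while the barrage is still inside the window, the alert records when:
    that is the push-fatigue success case and the one to act on first."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = {}                  # user -> alert dict
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        prompts = recent[user]
        # Slide the window: drop prompts older than `window` before this one.
        while prompts and ts - prompts[0] > window:
            prompts.popleft()
        if rec["result"] != "approved":
            prompts.append(ts)
            if len(prompts) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "src": rec["src"],
                    "first_prompt": prompts[0], "approved_at": None})
                alert["prompts"] = len(prompts)
        elif len(prompts) >= threshold and user in alerts:
            # Approval immediately after a barrage.
            alerts[user]["approved_at"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Two design points: the window slides per user, so a single denied prompt hours earlier (engineer02) does not count toward a later barrage, and the alert is created as soon as the threshold is reached rather than waiting for an approval, because a barrage that is still being denied is the moment at which the account's password should be treated as compromised. Number-matching or hardware-token MFA removes the "click accept to make it stop" failure mode that Vaughan describes; where push is still used, a detector of this shape is the compensating control.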

VaaS

Mark Warren, product specialist at Osirium, believes there is a new service offering on the rise: hacker teams offering victims-as-a-service. “For the last couple of years, threat actors have been team-based,” he explains. “Before cryptocurrency, they were lone wolves – or, occasionally, a loosely connected group who’d met online. Then they started working in teams, and because they were paid money those teams became tightly bonded. Over the next year we’ll see more teams divide out into skills-based groups.”

He uses REvil as an example of a successful RaaS model offering an end-to-end solution for attackers that included encryption software, access tools, helpdesks for victims, payment services and much more.  “But,” he says, “there’s still a market for smaller teams that focus on specific attack skills. For example, they may breach defenses to acquire user or admin credentials, or even install malware to provide back door entry for use at a later date.” 

Providers of such a service don’t need to take the risk of executing the attack or handling payment; they can make good money just by selling the access on dark web marketplaces. The access could be obtained via relatively risk-free phishing campaigns.

The approach could be modular. “Company intelligence may be another specialist service,” he suggests. “For example, knowing what cyber insurance a potential victim has could reveal the kinds of defenses they’ll have in place and even how much they’re insured for, so ransomware demands can be tailored.” In this sense, VaaS can be seen as an extension and expansion of the existing access broker criminal service.

And going forward…

Aamir Lakhani, cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs, adds further subtleties that will emerge. “Going forward, subscription based CaaS offerings could potentially provide additional revenue streams. In addition, threat actors will also begin to leverage emerging attack vectors such as deepfakes, offering these videos and audio recordings and related algorithms more broadly for purchase.”

The quasi-APT

This continuing professionalization of the criminal fraternity is causing the inevitable emergence of what Omer Carmi, VP of cyber threat intelligence at Cybersixgill, calls the quasi-APT. “In 2023,” he warns, “the quasi-APT’s emergence will escalate due to the democratization of cyberweapons and the democratization of access enabled by powerful technology now accessible to the cybercrime underground.” 

The growth of specialized roles and CaaS means that for as little as $10, threat actors can purchase access and gain a steady foothold into their targets’ systems. They can get a beachhead into highly secured organizations without having to bother with the complex, drawn-out process of gaining initial access on their own. 

“By outsourcing access, attackers of all levels of sophistication can leapfrog several steps, jumping yet another step closer to the level of an APT – hence the birth of the quasi-APT,” he warns.

The constantly improving sophistication and professionalization of the criminal underground will continue through 2023 and beyond. For example, Mikko Hypponen, chief research officer at WithSecure, sees artificial intelligence adding a new string to the criminal bow in 2023.

“Malware campaigns will move from human speed to machine speed,” he warns. “The most capable cybercrime groups will reach the capability to use simple machine learning techniques to automate the deployment and operation of malware campaigns, including automatic reaction to our defenses. Malware automation will include techniques like rewriting malicious emails, registering and creating malicious websites, and rewriting and compiling malware code to avoid detection.”

2023 may see the beginning of a new crime gang service: AI-as-a-Service.

The post Cyber Insights 2023: Criminal Gangs appeared first on SecurityWeek.