At this very moment, a ransomware assault is hitting hundreds of businesses across the US. The incident appears to be the result of a so-called supply chain attack; hackers were able to push malware to victims through legitimate IT management software from a company called Kaseya. Making matters worse, REvil ransomware operators hit what's known as “managed service providers,” which provide IT infrastructure and support for companies who would rather outsource that sort of thing. When hackers compromise an MSP, it's usually quick work to infect their customers as well, making the scale of this campaign “monumental,” in the words of one cybersecurity professional.
The severity of the REvil strike was almost enough to make one forget about Microsoft's particularly bad week. Almost. In addition to a couple of high-profile cybersecurity incidents that we'll get into more below, the company found itself in a self-generated controversy over which PCs will be allowed to run Windows 11. The new operating system will likely require a processor that came out four years ago at most, meaning plenty of devices you can purchase right now won't qualify. Not only that, but Microsoft had previously announced that it would end support for Windows 10 in 2025, meaning lots of users have only a few years before being forced to choose between losing security updates altogether and buying a new PC—even if their current one works perfectly well.
In other not-great Microsoft news, the same hackers behind the devastating SolarWinds campaign were found to have installed malware on a customer service employee's device. Microsoft said that three customers were affected by the hack, although it's not clear who nor what information was stolen. It should never be surprising that Russia's cyberspies are cyberspying, but it's still alarming that they were able to get that level of access at a company as critical as Microsoft.
A separate set of Russian hackers was caught this week causing trouble as well. Intelligence agencies from the US and UK warned that the notorious Fancy Bear group had been attempting to “brute force” their way into hundreds of target networks. The technique is pretty basic; it just means throwing passwords at an account until one of them works. That doesn't make it any less concerning, though, especially since the campaign appears to be ongoing.
Lastly, browser extensions are handy and fun, but they can also present a security risk if you install the wrong one. Here's our guide to figuring out which ones you should keep and which ones you should skip if you've got privacy concerns (which you should have, generally speaking).
And there's more. Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.
If your big new idea could also serve as the opener to a techno-dystopian thriller, perhaps it is best set aside? Just a thought on the heels of the reveal this week of the Worldcoin project, which proposes that a good and rational way to distribute a new cryptocurrency is to sign people up by letting a basketball-sized sphere scan their iris. The ultimate goal is to establish some sort of universal basic income, and Worldcoin's founders stress that they are scanning eyeballs with a large orb with the utmost care for privacy. But given the choice between gazing into the crypto orb and not doing that, we'd strongly suggest the latter.
There's a bit of a mess in Windows world this week, after a proof-of-concept exploit known as PrintNightmare leaked, effectively providing a piping-hot zero-day vulnerability. PrintNightmare is serious, allowing for remote code execution thanks to a flaw in Windows Print Spooler. Almost as troubling as the exploit itself, though, is the apparent sloppiness that led to its release. In June, Microsoft released a patch for what seemed to be this very issue. But a Chinese cybersecurity company this week claimed that the problem wasn't fully fixed; soon after, two researchers from a separate Chinese company published exploit code on GitHub, where it was quickly copied and disseminated. While you're waiting for a patch that actually works you can disable Print Spooler—but then you won't be able to print from the server. So, yes, a bit of a mess!
Using a VPN is always a bit of a crapshoot; the best ones have demonstrated that they keep your browsing as private as advertised, but there's often no way to know for sure. And then there are the VPNs that are allegedly favored by ransomware gangs, to the point that an international consortium of law enforcement agencies takes them down completely. That's what happened this week to DoubleVPN, whose domain and servers were seized by the Dutch National Police and authorities from the US, Canada, and elsewhere in Europe. In a statement, Europol said that DoubleVPN “was being used to compromise networks all around the world.” There are plenty of other VPNs left for them to choose from, of course, but anything that helps disrupt ransomware workflows—and potentially leads to identifying people who deploy it—is a welcome development.
Security researchers warned this week that Chinese hackers were running a sophisticated phishing campaign, posing as the office of Afghanistan's president in an attempt to pass malware to members of the country's National Security Council. The group used a Dropbox account to avoid raising suspicion as it exfiltrated data, and it appears to have targeted other countries in Central Asia.