There are new articles available, click to refresh the page.
Today — 26 May 2022Main stream

Experts warn of a new malvertising campaign spreading the ChromeLoader

26 May 2022 at 14:38

Researchers warn of a new malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers.

Researchers from Red Canary observed a new malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers.

ChromeLoader is a malicious Chrome browser extension, it is classified as a pervasive browser hijacker that modifies browser settings to redirect user traffic. Threat actors spread the malware via an ISO file masqueraded as a cracked video game or pirated movie or TV show.

“However, ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools). If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions.” reads the analysis published by the experts.

The malware is able to redirect the user’s traffic and hijacking user search queries to popular search engines, including Google, Yahoo, and Bing. The malicious code is also able to use PowerShell to inject itself into the browser and added the extension to the browser.

Upon running the executable included in the mounted .ISO image file, the ChromeLoader is installed, along with a .NET wrapper for the Windows Task Scheduler used by the threat to achieve the persistence.

“Executing CS_Installer.exe creates persistence through a scheduled task using the Service Host Process (svchost.exe). Notably, ChromeLoader does not call the Windows Task Scheduler (schtasks.exe) to add this scheduled task, as one might expect. Instead, we saw the installer executable load the Task Scheduler COM API, along with a cross-process injection into svchost.exe (which is used to launch ChromeLoader’s scheduled task).” continues the analysis.


In April, the researcher Colin Cowie also published an analysis of the macOS version of ChromeLoader, the malicious code is able to install malicious extensions into both the Chrome and Safari web browsers.

The report published by the experts includes the following detection opportunities for this threat:

  • Detection opportunity 1: PowerShell containing a shortened version of the encodedCommand flag in its command line;
  • Detection opportunity 2: PowerShell spawning chrome.exe containing load-extension and AppData\Local within the command line;
  • Detection opportunity 3: Shell process spawning process loading a Chrome extension within the command line;
  • Detection opportunity 4: Redirected Base64 encoded commands into a shell process

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 


Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, chromeloader)

The post Experts warn of a new malvertising campaign spreading the ChromeLoader appeared first on Security Affairs.

Critical 'Pantsdown' BMC Vulnerability Affects QCT Servers Used in Data Centers

26 May 2022 at 13:18
Quanta Cloud Technology (QCT) servers have been identified as vulnerable to the severe "Pantsdown" Baseboard Management Controller (BMC) flaw, according to new research published today. "An attacker running code on a vulnerable QCT server would be able to 'hop' from the server host to the BMC and move their attacks to the server management network, possibly continue and obtain further

FindFunc - Advanced Filtering/Finding of Functions in IDA Pro

FindFunc is an IDA Pro plugin to find code functions that contain a certain assembly or byte pattern, reference a certain name or string, or conform to various other constraints. This is not a competitor to tools like Diaphora or BinNavi, but it is ideal to find a known function in a new binary for cases where classical bindiffing fails.

Filtering with Rules

The main functionality of FindFunc is letting the user specify a set of "Rules" or constraints that a code function in IDA Pro has to satisfy. FF will then find and list all functions that satisfy ALL rules (so currently all Rules are in an AND-conjunction). Exception: Rules can be "inverted" to be negative matches. Such rules thus conform to "AND NOT".

FF will schedule the rules in a smart order to minimize processing time. Feature overview:

  • Currently 6 Rules available, see below
  • Code matching respects Addressing-Size-Prefix and Operand-Size-Prefix
  • Aware of function chunks
  • Smart scheduling of rules for performance
  • Saving/Loading rules from/to file in simple ascii format
  • Several independent Tabs for experimentation
  • Copying rules between Tabs via clipboard (same format as file format)
  • Saving entire session (all tabs) to file
  • Advanced copying of instruction bytes (all, opcodes only, all except immediates)

Button "Search Functions" clears existing results and starts a fresh search, "Refine Results" considers only results of the previous search.

Advanced Binary Copying

A secondary feature of FF is the option to copy binary representation of instructions with the following options:

  • copy all -> copy all bytes to the clipboard
  • copy without immediates -> blank out (AA ?? BB) any immediate values in the instruction bytes
  • opcode only -> will blank out everything except the actual opcode(s) of the instruction (and prefixes)

See "advanced copying" section below for details. This feature nicely complements the Byte Pattern rule!

Building and Installation

FindFunc is an IDA Pro python plugin without external package dependencies. It can be installed by downloading the repository and copying file findfuncmain.py and folder findfunc to your IDA Pro plugin directory. No building is required.

Requirements: IDA Pro 7.x (7.6+) with python3 environment. FindFunc is designed for x86/x64 architecture only. It has been tested with IDA 7.6/7.7, python 3.9 and IDAPython 7.4.0 on Windows 10.

Available Rules

Currently the following six rules are available. They are sorted here from heavy to light with regard to performance impact. With large databases it is a good idea to first cut down the candidate-functions with a cheap rule, before doing heavy matching via e.g. Code Rules. FF will automatically schedule rules in a smart way.

Code Pattern

Rule for filtering function based on them containing a given assembly code snippet. This is NOT a text-search for IDAs textual disassembly representation, but rather performs advanced matching of the underlying instruction. The snippet may contain many consecutive instructions, one per line. Function chunks are supported. Supports special wildcard matching, in addition to literal assembly:

  • "pass" -> matches any instruction with any operands
  • "mov* any,any" -> matches instructions with mnemonic "mov*" (e.g. mov, movzx, ...) and any two arguments.
  • "mov eax, r32" -> matches any instruction with mnemonic "mov", first operand register eax and second operand any 32-bit register.
    • Analogue: r for any register, r8/r16/r32/r64 for register of a specific width, "imm" for any immediate
  • "mov r64, imm" -> matches any move of a constant to a 64bit register
  • "any r64,r64" -> matches any operation between two 64bit registers
  • mov -> matches any instruction of mov mnemonic

more examples:

mov r64, [r32 * 8 + 0x100]
mov r, [r * 8 - 0x100]
mov r64, [r32 * 8 + imm]
mov r, word [eax + r32 * 8 - 0x100]
any r64, r64
push imm
push any

Gotchas: Be careful when copying over assembly from IDA. IDA mingles local variable names and other information into the instruction which leads to matching failure. Also, labels are not supported ("call sub_123456").

Note that Code Patterns is the most expensive Rule, and if only Code Rules are present FF has no option but to disassemble the entire database. This can take up to several minutes for very large binaries. See notes on performance below.

Immediate Value (Constant)

The function must contain the given immediate at least once in any position. An immediate value is a value fixed in the binary representation of the instruction. Examples for instructions matching immediate value 0x100:

mov eax, 0x100
mov eax, [0x100]
and al, [eax + ebx*8 + 0x100]
push 0x100

Note: IDA performs extensive matching of any size and any position of the immediate. If you know it to be of a specific width of 4 or 8 bytes, a byte pattern can be a little faster.

Byte Pattern

The function must contain the given byte pattern at least once. The pattern is of the same format as IDAs binary search, and thus supports wildcards - the perfect match for the advanced-copy feature!


11 22 33 44 aa bb cc
11 22 33 ?? ?? bb cc -> ?? can be any byte

Note: Pattern matching is quiet fast and a good candidate to cut down matches quickly!

String Reference

The function must reference the given string at least once. The string is matched according to pythons 'fnmatch' module, and thus supports wildcard-like matching. Matching is performed case-insensitive. Strings of the following formats are considered: [idaapi.STRTYPE_C, idaapi.STRTYPE_C_16] (this can be changed in the Config class).


  • "TestString" -> function must reference the exact string (casing ignored) at least once
  • "TestStr*" -> function must reference a string starting with 'TestStr (e.g. TestString, TestStrong) at least once (casing ignored)

Note: String matching is fast and a good choice to cut down candidates quickly!

Name Reference

The function must reference the given name/label at least once. The name/label is matched according to pythons 'fnmatch' module, and thus supports wildcard-like matching. Matching is performed case-insensitive.


  • "memset" -> function must reference a location named "memset" at least once
  • "mem*" -> function must reference a location starting with "mem" (memset, memcpy, memcmp) at least once

Note: Name matching is very fast and ideal to cut down candidates quickly!

Function Size

The size of the function must be within the given limit: "min <= functionsize <= max". Data is entered as a string of the form "min,max". The size of a function includes all of its chunks.

Note: Function size matching is very fast and ideal to cut down candidates quickly!

Keyboard Shortcuts & GUI

For ease of use FF can be used via the following keyboard shortcuts:

  • Ctrl+Alt+F -> launch/show TabWidget (main GUI)
    • Or View->FindFunc
  • Ctrl+F -> start search with currently enabled rules
  • Ctrl+R -> refine existing results with currently enabled rules
  • Rules
    • Ctrl+C -> copy selected rules to clipboard
    • Ctrl+V -> paste rules from clipboard into current tab (appends)
    • Ctrl+S -> save selected rules to file
    • Ctrl+L -> load selected rules from file (appends)
    • Ctrl+A -> select all rules
    • Del -> delete selected rules
  • Save Session
    • Ctrl+Shift+S -> Save session to file
    • Ctrl+Shift+L -> Load session from file

Further GUI usage

  • Rules can be edited by double-clicking the Data column
  • Rules can be inverted (negative match) by double-clicking the invert-match column
  • Rules can be enabled/disabled by double-clicking the enabled-column
  • Tabs can be renamed by double-clicking them
  • Sorting is supported both for Rule-List and Result-List
  • Double-click Result item to jump to it in IDA
    • function name: jump to function start
    • any other column: jump to match of last matched rule
  • Checkbox Profile: Outputs profiling information for the search
  • Checkbox Debug: Dumps detailed debugging output for code rule matching - only use it if few functions make it to the code checking rule, otherwise it might take very long!

Advanced Binary Copy

Frequently we want to search for binary patterns of assembly, but without hardcoded addresses and values (immediates), or even only the actual opcodes of the instruction. FindFunc makes this easy by adding three copy options to the disassembly-popupmenu:

Copy all bytes

Copies all instruction bytes as hex-string to clipboard, for use in a Byte-Pattern-Rule (or IDAs binary search).

B8 44332211      mov eax,11223344
68 00000001 push 1000000
66:894424 70 mov word ptr ss:[esp+70],ax

will be copied as

b8 44 33 22 11 68 00 00 00 01 66 89 44 24 70

Copy only non-immediate bytes

Copies instruction bytes for given instruction, masking out any immediate values. Example:

B8 44332211      mov eax,11223344
68 00000001 push 1000000
66:894424 70 mov word ptr ss:[esp+70],ax

will be copied as

b8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 66 89 44 24 ??

Copy only opcodes

Copy all instruction bytes as hex-string to clipboard, masking out any bytes that are not the actual opcode (including sib, modrm, but keeping legacy prefixes).

B8 44332211      mov eax,11223344
68 00000001 push 1000000
66:894424 70 mov word ptr ss:[esp+70],ax

will be copied as

b8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 66 89 ?? ?? ??

Note: This is a "best effort" using IDAs API, thus there may be few cases where it only works partially. For a 100% correct solution we would have to ship a dedicated x86 disasm library.

Similar results can be achieved with Code Pattern Rules, but this might be faster, both for user interaction and the actual search.

Copy disasm

Copies selected disassembly to clipboard, as it appears in IDA.


A brief word on performance:

  1. name, string, funcsize are almost free in all cases
  2. bytepattern is almost free for patterns length > 2
  3. immediate is difficult: We can use idaapi search, or we can disassemble the entire database and search ourselves - we may have to do this anyways if we are looking for code patterns. BUT: scanning for code patterns is in fact much cheaper than scanning for an immediate. An api-search for all matches is relatively costly - about 1/8 as costly as disassembling the entire database. So: If we cut down matches with cheap rules first, then we greatly profit from disassembling the remaining functions and looking for the immediate ourselves, especially if a code-rule is present anyways. However: If no cheap options exist and we have to disassemble large parts of the database anyways (due to presence of code pattern rules), then using one immediate rule as a pre-filter can greatly pay off. api-searching ONE immediate is roughly equivalent to 1/8 searching for any number of code-pattern rules - although this also depends on many different factors...
  4. code pattern are the most expensive by far, however checking one pattern vs checking many is very similar.

Todo (unordered):

  • jcc pseudo-mnemonic
  • Allow named locations in CodeRules ('call memset')
  • 'ignore all following operands' option
  • Rule for parameters to API calls inside function
  • Rule for parent/callsite/child function requirements
  • Rule for function parameters
  • Regex-rule
  • string/name: casing option
  • automatically convert immediate rules to byte pattern if applicable?
  • settings: case sensitivity, string types, range, ...
  • Hexray rules?
  • OR combination of rules
  • Pythonification of code ;)
  • Parallelization
  • Automatic generation of rules to identify a function?

Quadrant Knowledge Solutions Names CrowdStrike a Leader in the 2022 SPARK Matrix for Digital Threat Intelligence Management

26 May 2022 at 08:03

“CrowdStrike is capable of catering to the diverse customer needs across industry verticals, with its comprehensive capabilities, compelling customer references, comprehensive roadmap and vision, cloud-native platform, and product suite with high scalability, have received strong ratings across technology excellence and customer impact.” – Quadrant Knowledge Solutions: 2022 SPARK MatrixTM for Digital Threat Intelligence Management

(Click to enlarge)

We are excited to announce Quadrant Knowledge Solutions has named CrowdStrike as a 2022 technology leader in the SPARK Matrix analysis of the global Digital Threat Intelligence Management market. Among all 28 vendors in the report, CrowdStrike received the highest score in the Technology Excellence category.

The SPARK Matrix evaluates top vendors in the Digital Threat Intelligence Management space on a variety of criteria and groups them into Leaders, Challengers and Aspirants. The criteria are broken down into two categories:

  • Technical Excellence: Sophistication of Technology, Competitive Differentiation Strategy, Application Diversity, Scalability, Integration & Interoperability, and Vision & Roadmap
  • Customer Impact: Product Strategy & Performance, Market Presence, Proven Record, Ease of Deployment & Use, Customer Service Excellence and Unique Value Proposition

How CrowdStrike Falcon X™ Threat Intelligence Stands Apart

The SPARK Matrix analysis takes a deep look into the 28 most significant threat intelligence providers. This broad set of vendors illustrates the diversity of the threat intelligence market and the many use cases customers demand — including dark web monitoring, intelligence automation, machine-readable intelligence, finished intelligence, threat research and threat intelligence platforms

CrowdStrike joins only a few select vendors in this report that provide a comprehensive solution to address all of these use cases. Our customers benefit from access to intelligence using a single workflow with the ability to pivot into intelligence across all use cases — leading to smarter, faster decision making.

You may know CrowdStrike as a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, but you may not know the full extent of how our offerings differ from those of pure-play threat intelligence companies. Here, we take a closer look at the capabilities that set CrowdStrike’s technology apart. 

Raw Intelligence Collection to Bolster Defense

CrowdStrike’s raw intelligence collection strategy is a critical differentiator. Each vendor’s collection plan forms the foundation that determines the intelligence solutions they can deliver. If a collection plan is too narrow — for example, if it only pulls data from the dark web — it will only address a limited number of customer use cases. If it only collects low-fidelity data, such as publicly available information, the resulting intelligence will be similar across vendors because open-source data is the easiest to obtain. (This isn’t to say the data isn’t valuable, or there aren’t valuable solutions built in these areas.) 

We can deliver across multiple use cases and provide unique intelligence due to our comprehensive collection strategy. This starts with the trillions of events per day collected by the CrowdStrike Security Cloud, which powers the protection of millions of endpoints across the globe and provides visibility into real-time and zero-day attacks. In addition, CrowdStrike Intelligence collects raw intelligence from several other sources including:

  • CrowdStrike Services engagements for incident response and compromise assessments, which drive visibility into adversary activity in victims across the globe
  • Open-source intelligence, which is collected in dozens of languages using linguistically capable collectors and analysts to ensure proper comprehension and analysis of the collected material
  • Billions of objects collected from the deep and dark webs, criminal forums and markets, and social media and messaging apps
  • Processing millions of malware samples per day that are interrogated for actionable information such as command and control, persistence, campaign identification and other indicators, which are instantly published to our customers
  • Maintaining honeypots across the internet, which provide visibility into threats propagating via remote exploitation as well as early warning for things that may affect customers
  • Operating freely available sandbox technology, which is utilized by tens of thousands of security personnel and researchers 
  • Maintaining a special collection of data that enables visibility into botnet command and control payloads, spam email and distributed denial of service (DDoS) activity

This comprehensive collection strategy, with the Falcon platform at its core, underscores CrowdStrike’s ability to collect data that no one else can, resulting in threat intelligence that no other vendor can provide.

An Adversary-Focused Approach to Security

Behind every attack is a human being with motivation and intent. As pioneers in actor profiling and attribution, CrowdStrike uses an adversary-focused approach to threat intelligence. We track more than 180 nation-state, cybercrime and hacktivism adversaries to expose their activities and tradecraft and then enable customers to take proactive steps to protect their organization. 

Falcon X intelligence provides information on the malware adversaries use, vulnerabilities they exploit, tactics for accessing systems and indicators of compromise (IOCs) that identify them. An adversary-focused approach shrinks the problem set for you to manage. By filtering adversaries to those most likely to target your business (e.g., by region or business sector) you can focus on the most likely attacks, expose attacker tradecraft, degrade their ability to attack, increase the cost to the adversary and deploy your resources more effectively.

Threat Intelligence for Everyone  

“Threat intelligence for everyone” was one of our core principles when going to market with the Falcon X solution. Threat intelligence has different meanings to different organizations, typically based on the size and skills of their security team. For many organizations early in their intelligence journey, “threat intelligence” may simply describe IOCs to block or open-source news alerts when a new cyberattack happens. As organizations mature, intelligence morphs to include enriched context for detections, help in hunting and investigating threats, then dark web monitoring and malware sandboxing. As intelligence becomes more strategic, it may mean access to finished intelligence or threat research.

It is critical to find a vendor that meets your definition of intelligence, supports where you are, and provides room for your team to grow. Further, it should challenge you to take the next step into a new use case so you can better protect your business and gain an advantage on today’s sophisticated cyberattacks. CrowdStrike Falcon X threat intelligence solutions are designed to meet you where you are in your threat intelligence journey. Thousands of our customers are implementing intelligence for the first time, and many of the most advanced Global 2000 and government entities rely on the superior collection, tradecraft and analysis of Falcon X.  

If you are a CrowdStrike Falcon customer, or would like to become one, Falcon X threat intelligence is built directly into the platform, supporting your daily workflow by providing additional detection context and defensive strategies at your fingertips. If you are not a Falcon platform customer, our CrowdStrike Falcon X intelligence solutions are available separately, cloud-delivered and operational on Day One.

We believe we met our goal to provide “intelligence for everyone.” For the first time, all organizations, regardless of size or expertise, can easily operationalize intelligence within the security operations center (SOC), gain visibility into the cybercriminal underground to protect their brand and executives, and receive best-of-breed intelligence reporting and technical analysis backed by a dedicated team of intelligence professionals.\

Defend Against Threats with Falcon X Intelligence 

CrowdStrike Falcon X Intelligence solutions include:

  • FALCON X: Enriches the events and incidents detected by the CrowdStrike Falcon  platform, automating intelligence so security operations teams can make better, faster decisions 
  • FALCON X RECON: Provides visibility into the cybercriminal underground so customers can effectively mitigate threats to their brands, employees and sensitive data
  • FALCON X PREMIUM: Delivers world-class intelligence reporting, technical analysis, malware analysis and threat hunting capabilities; Falcon X Premium enables organizations to build cyber resiliency and more effectively defend against sophisticated nation-state, eCrime and hacktivist adversaries
  • FALCON X ELITE: Expands your team with access to an intelligence analyst with the expertise to help you better defend against threats targeting your organization

Additional Resources

Experts Warn of Rise in ChromeLoader Malware Hijacking Users' Browsers

26 May 2022 at 11:24
A malvertising threat is witnessing a new surge in activity since its emergence earlier this year. Dubbed ChromeLoader, the malware is a "pervasive and persistent browser hijacker that modifies its victims' browser settings and redirects user traffic to advertisement websites," Aedan Russell of Red Canary said in a new report. ChromeLoader is a rogue Chrome browser extension and is typically

The Added Dangers Privileged Accounts Pose to Your Active Directory

26 May 2022 at 10:49
In any organization, there are certain accounts that are designated as being privileged. These privileged accounts differ from standard user accounts in that they have permission to perform actions that go beyond what standard users can do. The actions vary based on the nature of the account but can include anything from setting up new user accounts to shutting down mission-critical systems.

Hackers Increasingly Using Browser Automation Frameworks for Malicious Activities

26 May 2022 at 10:49
Cybersecurity researchers are calling attention to a free-to-use browser automation framework that's being increasingly used by threat actors as part of their attack campaigns. "The framework contains numerous features which we assess may be utilized in the enablement of malicious activities," researchers from Team Cymru said in a new report published Wednesday. "The technical entry bar for the

Do not use Tails OS until a flaw in the bundled Tor Browser will be fixed

26 May 2022 at 10:31

The maintainers of the Tails project (The Amnesic Incognito Live System) warn users that the Tor Browser bundled with the OS could expose their sensitive information.

The maintainers confirmed that Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.

We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).” reads the advisory published by project maintainers.

Tails is a security and privacy-oriented Linux distribution, it is a portable operating system that protects against surveillance and censorship.

The root cause of the alert is a couple of critical zero-day issues, tracked as CVE-2022-1802 and CVE-2022-1529, in the Firefox browser that was addressed by Mozilla in May. The vulnerabilities were reported by Manfred Paul during the Pwn2Own 2022 hacking contest that took place in Vancouver last week:

The Tor browser is based on the Firefox browser and is developed as part of the Tor Project.

The CVE-2022-1802 vulnerability can allow an attacker to set up a rogue website to bypass some of the security built in Tor Browser and access information from other websites.

“If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.” reads the advisory.

The Tails team pointed out that the flaw doesn’t break the anonymity and encryption of Tor connections, this means that it is still safe and anonymous to access websites from Tails if the users don’t share sensitive information with them.

“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.” reads the alert published by project maintainers.

tails os

The maintainers’ alert states that other applications in OS are not affected by the flaw. Thunderbird, for example, is not affected because JavaScript is disabled.

The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level.

This vulnerability will be addressed with the release of Tails 5.1 on May 31.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 


Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, domain name system)

The post Do not use Tails OS until a flaw in the bundled Tor Browser will be fixed appeared first on Security Affairs.

Italy announced its National Cybersecurity Strategy 2022/26

26 May 2022 at 09:13

Italy announced its National Cybersecurity Strategy for 2022/26, a crucial document to address cyber threats and increase the resilience of the country.

Italy presented its National Cybersecurity Strategy for 2022/26 and reinforce the government’s commitment to addressing cyber threats and increasing the resilience of the country to cyber attacks.

The strategy is aligned with the commitments undertaken within international organizations of which Italy is a member party.

The threat landscape rapidly changes and urges the government to review its strategy and propose a series of objectives to achieve in the next four years.

The strategy, developed by the National Cybersecurity Agency, includes 82 objectives and aims to address the following challenges:

  • To ensure a cyber resilient digital transition of the Public Administration (PA) and of the productive system;
  • To predict the evolution of the cyber threats to reduce their impact on national infrastructure and organizations.
  • Preventing online disinformation in a broader context of the hybrid threat;
  • Management of cyber crises;
  • National and European strategic digital sector autonomy.

The strategy recognizes the duty of the State in implementing measures to increase the security of the state, organizations, and its citizens in the digital domain.
The document remarks that cybersecurity is an essential investment and an enabling factor for the
development of the national economy and industry. A secure country is a more competitive country.

“The ongoing evolution of technology that has shaped our current society keeps raising new risks as it continues to develop, along with most sophisticated attack techniques. However, such a scenario doesn’t always match with the society’s cybersecurity awareness level.” reads the strategy. “Given those risks, this strategy aims to target the strengthening of our resilience in the digital transition, by fostering the safe use of technologies essentials for our present and future economic prosperity, the achievement of cybersecurity strategic autonomy, the cyber crises management in complex geopolitical scenarios, as well as anticipating the evolution of cyber threats and tackling the spread of online disinformation, while respecting human rights, our values and principles.”

The strategy promotes a cyber “security-oriented” approach that stresses the importance of collaboration between public and private entities.

The macro-goals of the Italian National Cybersecurity Strategy are:

  • The protection of national strategic assets;
  • The response to cyber threats and the management of incidents and crises;
  • The development of new digital technologies to secure digital assets.
National Cybersecurity Strategy

Below is the link to the strategy:

Italian cybersecurity agency ACN also published the implementation plan which provides for each goal defined in the National Cybersecurity Strategy the measures to implement:

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 


Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, National Cybersecurity Strategy)

The post Italy announced its National Cybersecurity Strategy 2022/26 appeared first on Security Affairs.

Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched

26 May 2022 at 09:08
The maintainers of the Tails project have issued a warning that the Tor Browser that's bundled with the operating system is unsafe to use for accessing or entering sensitive information. "We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the project said in an

Twitter Fined $150 Million for Misusing Users' Data for Advertising Without Consent

26 May 2022 at 08:03
Twitter, which is in the process of being acquired by Tesla CEO Elon Musk, has agreed to pay $150 million to the U.S. Federal Trade Commission (FTC) to settle allegations that it abused non-public information collected for security purposes to serve targeted ads. In addition to the monetary penalty for "misrepresenting its privacy and security practices," the company has been banned from
  • There are no more articles