Cisco Security
From Detection to Deep Dive: Splunk Attack Analyzer and Endace for GovWare 2025 Security
Unmasking Attacks With Cisco XDR at the GovWare SOC
Splunk SOAR in Action at the GovWare: Zero-Touch Clear Text Password Response
GovWare Captive Portal: (Splash Page)
SOC in a Box Hardware Refresh
Monitoring Encrypted Client Hello (ECH) With Cisco Secure Firewall
Cisco XDR Agentic AI With Cisco’s Foundational AI Model
Guardians of GovWare: Real-Time Threat Detection With Cisco Secure Access
Major Microsoft Teams Performance Update Rolling Out in January 2026
Microsoft is splitting the Teams calling stack into a new background process on Windows to cut launch times and improve reliability in busy meetings.
The post Major Microsoft Teams Performance Update Rolling Out in January 2026 appeared first on TechRepublic.
Verizon Mobile Security Index: In the AI Era, the Human Element Remains the Weak Link
Summary Bullets:
- To protect an expansive mobile attack surface against a dangerous threat landscape, organizations are ramping up their security investments: 75% of the 762 respondents in a recent Verizon study reported increasing spending this year.
- But concerns still loom large about threat actors using AI and other technologies and tactics to breach the enterprise, and only 17% have implemented security controls to stave off AI-driven attacks.
Mobile and IoT devices play an essential role in most organizations’ operations today. However, the convenience and flexibility they bring comes with risk, opening new points of exposure to enterprise assets. Organizations that were quick to embrace bring your own device (BYOD) strategies often didn’t have a solid plan for safeguarding this environment when so many of these devices were under-secured. Enterprises have made progress in layering their defenses to better protect mobile and IoT environments, but there is still room for progress.
In Verizon’s eighth annual Mobile Security Index report, 77% of the people surveyed said that deepfake attacks (AI-generated voice and video content used to impersonate staff or executives) and SMS phishing (smishing) campaigns are likely to succeed. Approximately 38% think AI will make ransomware even more effective.
Despite the increase in cybersecurity spending in most organizations, only 12% have deployed security controls to safeguard their enterprise from deepfake-enhanced voice phishing. Just 16% have implemented protections against zero-day exploits.
Enterprise employees are welcoming AI-driven apps on their mobile devices, with 93% using GenAI as part of their workday routine. Respondents also raised red flags: 64% called data compromise via GenAI their number one mobile risk. Among the 80% of enterprises that ran employee smishing tests, 39% saw employees fall for the test message.
AI aside, user error is the most frequently noted contributor to breaches in general, followed by application threats and network threats. Some 80% said they had documented mobile phishing attempts aimed at staff.
While prioritizing cybersecurity spending is important, organizations need to look at whether they are allocating this investment on the right areas. Just 45% said their organization provides comprehensive education on the potential risks mobile AI tools bring. Only half have formal policies regarding GenAI use on mobile devices, and 27% said they aren’t strictly enforced.
Seeing Inside the Vortex: Detecting Living off the Land Techniques
Innovator Spotlight: Singulr AI
The AI Governance Tightrope: Enabling Innovation Without Compromising Security Cybersecurity leaders are facing a critical inflection point. The rapid emergence of artificial intelligence technologies presents both unprecedented opportunities and significant...
The post Innovator Spotlight: Singulr AI appeared first on Cyber Defense Magazine.
Findings Report From the SOC at RSAC™ 2025 Conference
AI Takes Center Stage at Black Hat USA 2025 – Booz Allen Leads the Conversation
Black Hat USA 2025 was nothing short of groundbreaking. The show floor and conference tracks were buzzing with innovation, but one theme stood above all others – the rapid advancement...
The post AI Takes Center Stage at Black Hat USA 2025 – Booz Allen Leads the Conversation appeared first on Cyber Defense Magazine.
Defending Against ToolShell: SharePoint’s Latest Critical Vulnerability
A new, critical zero-day vulnerability dubbed “ToolShell” (CVE-2025-53770) poses a significant threat to on-premises SharePoint Server deployments. This vulnerability enables unauthenticated remote code execution (RCE), posing a significant risk to organizations worldwide. SentinelOne has detected exploitation in the wild, elevating the active threat posed by this new attack and the importance of organizations taking mitigative action as soon as possible.
In this blog, we outline ways to defend against ToolShell and how SentinelOne keeps you ahead of the curve for this critical vulnerability. For a comprehensive technical breakdown of this threat, we published a detailed analysis on the SentinelOne blog.
What is ToolShell?
ToolShell is a critical zero-day remote code execution vulnerability impacting on-premises SharePoint Servers. Its severity stems from several key characteristics:
- Zero-Day Status: It was previously unknown and unpatched, leaving organizations exposed before official fixes were available.
- High CVSS Score (9.8): This indicates near-maximum severity, signifying a critical vulnerability with a high impact.
- No Authentication Required: Attackers can exploit ToolShell without needing valid credentials, making it incredibly easy to compromise vulnerable systems.
- Remote Code Execution (RCE): Successful exploitation grants attackers the ability to execute arbitrary code on the compromised SharePoint Server, potentially leading to full system control, data exfiltration, or further lateral movement across the network.
- In-the-Wild Exploitation: Threat actors are already actively leveraging this vulnerability, highlighting the immediate and tangible danger it poses.
SentinelOne’s Defense Against ToolShell
At SentinelOne, our commitment to proactive security means we are constantly working to identify and neutralize emerging threats, such as ToolShell, often before they become widespread news. SentinelOne was aware of ToolShell and working to defend our customers from it two days prior to the public announcement of the vulnerability. This integrated approach ensures that SentinelOne customers are protected from the outset:
- SentinelOne’s Identification and Breakdown of the Vulnerability: Our world-class threat research team, SentinelLABS, along with our MDR team, swiftly identified and performed an in-depth technical analysis of the ToolShell vulnerability. This early insight is critical for developing effective countermeasures.
- Out-of-the-Box Detection Logic for SentinelOne Customers: Based on the detailed analysis from SentinelLABS, our engineering teams rapidly developed and implemented robust, out-of-the-box detection logic directly into the SentinelOne platform. This means that SentinelOne customers automatically received protection against ToolShell.
- Seamless IOC Integration: The IOCs identified by SentinelLABS are automatically integrated into the SentinelOne platform, enhancing its ability to detect and prevent ToolShell-related activity across all monitored endpoints.
- Hunting Queries for Singularity Platform Users: For security teams leveraging the SentinelOne Singularity Platform, we have made specific hunting queries available below, as well as in our technical breakdown of this vulnerability. These queries empower security analysts to proactively search for any signs of ToolShell activity within their environments, ensuring comprehensive visibility and enabling rapid response.
- Proactive Detection Through Singularity Vulnerability Management: SentinelOne customers who use Singularity Vulnerability Management can also detect instances of ToolShell within their environment, enabling teams to identify and mitigate the vulnerability before it is exploited during an active attack.
How to Defend Against ToolShell
Given the critical nature of ToolShell, we strongly recommend that organizations implement a multi-layered defense strategy. Proactive measures are crucial to mitigate the risk of compromise:
Immediate Mitigation & Patching:
- Isolate SharePoint instances from public availability: Whenever possible, restrict access to on-premises SharePoint Servers from the public internet. This significantly reduces your attack surface.
- Enable Antimalware Scan Interface (AMSI) in Full Mode: The Antimalware Scan Interface (AMSI) is an interface standard that enables SharePoint to integrate with your endpoint protection solution’s scanning capabilities. While AMSI was enabled by default in the September 2023 SharePoint update, organizations that do not have this capability configured should enable the integration as soon as possible.
- Apply available patches immediately: Microsoft has released security updates to address ToolShell for SharePoint Subscription and 2019 versions. Organizations should prioritize and deploy these patches as soon as possible.
Enhanced Detection and Monitoring:
- Integrate Indicators of Compromise (IOCs): SentinelLABS has provided specific IOCs related to the ToolShell exploitation, as detailed below and in SentinelOne’s technical breakdown. These should be promptly added to your EDR/XDR and SIEM toolsets for detecting potential exploitation in your environment. SentinelOne customers are encouraged to enable the platform detection rules for ToolShell that have already been added to your Platform Detection Library.
- Monitor for Suspicious SharePoint Behavior: Deploy custom detection rules to monitor key SharePoint directories, specifically the `LAYOUTS` directory, to detect the presence of exploitation and the subsequent web shell. For SentinelOne users, relevant rules are provided in the Platform Detection Library.
- Retroactive Threat Hunting: If you are currently running on-premises SharePoint Server, retroactive threat hunting for ToolShell exploitation is highly recommended.
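The steps above are manual. The following Python script is an added example for this page, not SentinelOne's tooling: it walks the two LAYOUTS directories named in the report, hashes every file with SHA-1 against the report's indicators, flags the file names the report ties to ToolShell, and reports any other server-executable file that is missing from a baseline of expected file names. The baseline is an assumption the caller supplies and must be captured from a known-good server of the same build; the LAYOUTS paths are the ones quoted in the report.

```python
"""Triage the SharePoint LAYOUTS directories for ToolShell artifacts.

Added example for this page, not SentinelOne tooling. It applies the SHA-1
indicators and file names from the report above and flags any other
server-executable file that is not in a baseline captured from a
known-good server (the baseline passed by the caller is that assumption).
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# SHA-1 indicators copied from the report's IOC list.
TOOLSHELL_SHA1: Dict[str, str] = {
    "f5b60a8ead96703080e73a1f79c3e70ff44df271": "spinstall0.aspx webshell",
    "fe3a3042890c1f11361368aeb2cc12647a6fdae1": "xxx.aspx webshell",
    "76746b48a78a3828b64924f4aedca2e4c49b6735": "compiled spinstall0.aspx (App_Web_spinstall0.aspx.*.dll)",
}
# File names the report ties to ToolShell (info.js held the redirected whoami output).
TOOLSHELL_NAMES = {"spinstall0.aspx", "xxx.aspx", "info.js"}
# Both hives seen in the report: 16\TEMPLATE (first wave) and 15\TEMPLATE (second wave).
LAYOUTS_DIRS = [
    r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
]
# Extensions IIS hands to the ASP.NET pipeline; the report only shows .aspx,
# but a handler or service file dropped here executes just the same.
WEB_EXEC_EXT = {".aspx", ".ashx", ".asmx"}


@dataclass
class Finding:
    name: str
    severity: str  # "high" (indicator match) or "medium" (unexpected executable file)
    reason: str
    sha1: str


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def triage(entries: Iterable[Tuple[str, bytes]], baseline: Set[str],
           ioc_hashes: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Classify (file name, contents) pairs from a LAYOUTS directory.

    Hash and name matches are high; a server-executable file absent from the
    (lower-cased) baseline is medium and needs an analyst to open it.
    """
    iocs = TOOLSHELL_SHA1 if ioc_hashes is None else ioc_hashes
    findings: List[Finding] = []
    for name, data in entries:
        digest = sha1_hex(data)
        lower = name.lower()
        ext = os.path.splitext(lower)[1]
        if digest in iocs:
            findings.append(Finding(name, "high", "SHA-1 matches IOC: " + iocs[digest], digest))
        elif lower in TOOLSHELL_NAMES or lower.startswith("app_web_spinstall0"):
            findings.append(Finding(name, "high", "known ToolShell file name", digest))
        elif ext in WEB_EXEC_EXT and lower not in baseline:
            findings.append(Finding(name, "medium", "server-executable file not in baseline", digest))
    return findings


def scan_layouts(dirs: Iterable[str] = LAYOUTS_DIRS,
                 baseline: Iterable[str] = ()) -> List[Finding]:
    """Read the real directories (top level only, where the report's shells landed)."""
    entries: List[Tuple[str, bytes]] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    entries.append((name, fh.read()))
    return triage(entries, {b.lower() for b in baseline})


if __name__ == "__main__":
    for f in scan_layouts():
        print(f"[{f.severity}] {f.name} sha1={f.sha1} {f.reason}")
```

A healthy SharePoint server keeps hundreds of legitimate .aspx files in LAYOUTS, so without a baseline the script only surfaces the hash and name matches; the medium findings are the retroactive hunt the list above recommends, and a file's creation time in the July 2025 window is the next thing to check on each of them.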
Conclusion
ToolShell represents a significant vulnerability that leaves many organizations running on-premises SharePoint Server at considerable risk. The potential for unauthenticated remote code execution, coupled with observed in-the-wild exploitation, underscores the urgent need for organizations to take decisive action to maintain their security posture. This includes diligently applying patches, implementing robust monitoring, and leveraging advanced threat detection capabilities to mitigate the risk.
For SentinelOne customers, you can rest assured that you are protected. Our dedicated threat research and MDR teams work tirelessly to stay one step ahead of adversaries, ensuring that our platform provides immediate and effective defense against emerging threats, such as ToolShell. Our proactive identification, rapid deployment of detection logic, and continuous sharing of intelligence empower our customers to maintain a resilient security posture.
Contact SentinelOne today to learn how our AI-powered security platform can provide the comprehensive protection and peace of mind your organization deserves. Don’t wait for the next zero-day; secure your future today.
Indicators of Compromise
SHA-1
f5b60a8ead96703080e73a1f79c3e70ff44df271 – spinstall0.aspx webshell
fe3a3042890c1f11361368aeb2cc12647a6fdae1 – xxx.aspx webshell
76746b48a78a3828b64924f4aedca2e4c49b6735 – App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll, a compiled version of spinstall0.aspx
IP Addresses
96.9.125[.]147 – attacker IP from “no shell” cluster
107.191.58[.]76 – attacker IP used in 1st wave of spinstall0.aspx cluster
104.238.159[.]149 – attacker IP used in 2nd wave of spinstall0.aspx cluster
New SentinelOne Platform Detection Rules
- Web Shell Creation in LAYOUTS Directory
- Web Shell File Detected in LAYOUTS Directory
- Suspicious Process Spawned by SharePoint IIS Worker Process
SentinelOne Platform Hunting Queries
```
//Suspicious SharePoint Activity
dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.parent.name contains "svchost.exe" and src.process.name contains "w3wp.exe" and tgt.process.name contains "cmd.exe" and src.process.cmdline contains "SharePoint"

//spinstall0.aspx execution traces
dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.name contains "csc.exe" and tgt.file.path contains "App_Web_spinstall0.aspx"
```
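The two queries above can be checked against raw process-creation telemetry from any EDR. The Python below is an added example, not SentinelOne code: it evaluates both rules over constructed event records that reuse the queries' field names, widens the first rule from cmd.exe to the PowerShell hosts the report also describes, and extracts the IIS application pool name from the w3wp.exe command line (its -ap argument) so an alert names the affected site. The sample command lines and the Temporary ASP.NET Files path are constructed for the example.

```python
"""Evaluate the two hunting queries above against process-creation events.

Added example, not SentinelOne code. The events are constructed dicts that
reuse the query field names; the first rule is widened from cmd.exe to the
PowerShell hosts the report also describes, and it pulls the IIS application
pool name out of the w3wp.exe command line so the alert says which site.
"""
import re
from typing import Dict, List, Optional

ProcEvent = Dict[str, str]

SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
APP_POOL_RE = re.compile(r'-ap\s+"([^"]+)"', re.IGNORECASE)  # w3wp.exe -ap "<pool>"

W3WP_SP = r'c:\windows\system32\inetsrv\w3wp.exe -ap "SharePoint - 80" -v "v4.0"'
# Assumed location of ASP.NET's dynamic compilation output; adjust to your host.
TEMP_ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root"

SAMPLE_EVENTS: List[ProcEvent] = [  # constructed, not telemetry from the report
    {"src.process.parent.name": "svchost.exe", "src.process.name": "w3wp.exe",
     "src.process.cmdline": W3WP_SP, "tgt.process.name": "cmd.exe",
     "tgt.process.cmdline": r"cmd.exe /c whoami > c:\progra~1\common~1\micros~1\webser~1\16\template\layouts\info.js"},
    {"src.process.parent.name": "svchost.exe", "src.process.name": "w3wp.exe",
     "src.process.cmdline": W3WP_SP, "tgt.process.name": "powershell.exe",
     "tgt.process.cmdline": "powershell.exe -NoProfile -EncodedCommand JABiACAAPQAg..."},
    {"src.process.parent.name": "w3wp.exe", "src.process.name": "csc.exe",
     "src.process.cmdline": "csc.exe /noconfig /t:library ...",
     "tgt.file.path": TEMP_ASPNET + r"\abc123\App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll"},
    {"src.process.parent.name": "w3wp.exe", "src.process.name": "csc.exe",  # routine page compile
     "src.process.cmdline": "csc.exe /noconfig /t:library ...",
     "tgt.file.path": TEMP_ASPNET + r"\abc123\App_Web_default.aspx.cdcab7d2.dll"},
    {"src.process.parent.name": "explorer.exe", "src.process.name": "cmd.exe",  # an admin's shell
     "src.process.cmdline": "cmd.exe", "tgt.process.name": "whoami.exe",
     "tgt.process.cmdline": "whoami"},
]


def app_pool(cmdline: str) -> Optional[str]:
    """Return the IIS application pool from a w3wp.exe command line, if present."""
    m = APP_POOL_RE.search(cmdline)
    return m.group(1) if m else None


def rule_w3wp_spawns_shell(ev: ProcEvent) -> Optional[str]:
    """Query 1: svchost.exe -> w3wp.exe (SharePoint pool) -> cmd.exe, widened to PowerShell."""
    if ("svchost.exe" in ev.get("src.process.parent.name", "").lower()
            and ev.get("src.process.name", "").lower() == "w3wp.exe"
            and "sharepoint" in ev.get("src.process.cmdline", "").lower()
            and ev.get("tgt.process.name", "").lower() in SHELL_CHILDREN):
        return f"pool={app_pool(ev['src.process.cmdline'])} child={ev['tgt.process.cmdline']}"
    return None


def rule_csc_compiles_spinstall0(ev: ProcEvent) -> Optional[str]:
    """Query 2: the C# compiler emitting the compiled form of spinstall0.aspx.

    w3wp.exe launching csc.exe is normal ASP.NET behaviour, so the rule keys
    on the output file name rather than on the process pair.
    """
    if ("csc.exe" in ev.get("src.process.name", "").lower()
            and "app_web_spinstall0.aspx" in ev.get("tgt.file.path", "").lower()):
        return f"file={ev['tgt.file.path']}"
    return None


RULES = {"w3wp_spawns_shell": rule_w3wp_spawns_shell,
         "csc_compiles_spinstall0": rule_csc_compiles_spinstall0}


def hunt(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Run every rule over every event and collect the hits in event order."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append({"rule": name, "detail": detail})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["rule"], h["detail"])
```

The first rule deliberately keeps the svchost.exe parent and the SharePoint string in the pool name: the IIS worker process is started by the Windows Process Activation Service running in svchost.exe, so a w3wp.exe with a different parent is itself worth a look, and scoping to the SharePoint pool keeps other sites on the same host out of the alert.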
Disclaimer
All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.

SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers
On July 19th, Microsoft confirmed that a 0-day vulnerability impacting on-premises Microsoft SharePoint Servers, dubbed “ToolShell” (by researcher Khoa Dinh @_l0gg), was being actively exploited in the wild. This flaw has since been assigned the identifier CVE‑2025‑53770, along with an accompanying bypass tracked as CVE‑2025‑53771. These two new CVEs are being used alongside the previously patched CVE-2025-49704 and CVE-2025-49706, which Microsoft fixed on July 8th; proof-of-concept code for that original chain surfaced by July 14th.
The advisory also confirmed emergency patches for on-prem SharePoint Subscription Edition and SharePoint Server 2019, with updates scheduled for version 2016 as well. We strongly recommend immediate patching, and following Microsoft’s recommendations of enabling AMSI detection, rotating ASP.NET machine keys, and isolating public-facing SharePoint servers until defenses are in place.
SentinelOne first observed ToolShell exploitation on July 17th, ahead of official Microsoft advisories. Since then, we’ve identified three distinct attack clusters, each with unique tradecraft and objectives. In this blog, we unpack the timeline, explore these clusters, and equip defenders with best-practice mitigation strategies. At this time, we provide no attribution beyond this early clustering as research is ongoing.
Observed Targets
We have observed initial ToolShell exploitation against high value organizations, with victims primarily in technology consulting, manufacturing, critical infrastructure, and professional services tied to sensitive architecture and engineering organizations. The early targets suggest that the activity was initially carefully selective, aimed at organizations with strategic value or elevated access.
The attacks that we describe in this report were targeted in nature and occurred before public disclosure of the vulnerability spurred mass exploitation efforts from a wider set of actors. We expect broader exploitation attempts to accelerate, driven by both state-linked and financially motivated actors seeking to capitalize on unpatched systems.
SentinelOne has observed multiple state-aligned threat actors, unrelated to the first wave of exploitation, beginning to engage in reconnaissance and early-stage exploitation activities. We have also identified actors possibly standing up decoy honeypot environments to collect and test exploit implementations, as well as sharing tooling and tradecraft across known sharing platforms. As awareness spreads within these communities, we expect further weaponization and sustained targeting of vulnerable SharePoint infrastructure.
Technical Overview
Both previously patched CVEs, CVE-2025-49704 and CVE-2025-49706, were first demonstrated at Pwn2Own Berlin. It was later discovered that the two flaws could be chained to produce the full RCE ‘ToolShell’ attack chain. The name ‘ToolShell’ refers to the initial abuse of SharePoint’s /_layouts/15/ToolPane.aspx, a system page used for site configuration and management.
This vulnerability chain enables unauthenticated remote code execution by sending a crafted POST request to the URI /_layouts/15/ToolPane.aspx?DisplayMode=Edit, exploiting a logic flaw in the Referer header validation. The bypass lets attackers reach SharePoint’s ToolPane functionality without authentication, ultimately leading to code execution via uploaded or in-memory web components.
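The request pattern above leaves a trace in IIS logs that can be hunted retroactively even where endpoint telemetry is missing. The following Python script is an added example, not part of either SentinelOne post: it parses a W3C-format IIS log, raises a high-severity alert for a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit that succeeds without an authenticated user (a legitimate web-part edit is a POST from an authenticated administrator, which the script rates low), flags requests for the file names the report associates with ToolShell, and tags source IPs from the report's indicator list. The log lines are constructed for the example and assume the default W3C fields with cs-username and cs(Referer) enabled.

```python
"""Hunt IIS W3C logs for the ToolShell request pattern described above.

Added example, not from the SentinelOne posts. It assumes the IIS default
W3C fields with cs-username and cs(Referer) enabled; the log lines below
are constructed, with the attacker IPs and dropped file names taken from
the report's indicators.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

DROPPED_NAMES = {"spinstall0.aspx", "xxx.aspx", "info.js"}           # from the report
ATTACKER_IPS = {"96.9.125.147", "107.191.58.76", "104.238.159.149"}  # report IOCs

# Constructed sample: one exploit request, one web shell check-in, and one
# authenticated admin edit of a web part that must not page anyone.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:54:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\alice 10.0.0.23 Mozilla/5.0 - 200
2025-07-18 14:54:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 python-requests/2.32 - 200
2025-07-18 14:54:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 python-requests/2.32 - 200
2025-07-18 15:02:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\bob 10.0.0.41 Mozilla/5.0 https://sp.corp.example/sites/hr 200
"""


@dataclass
class Alert:
    severity: str
    kind: str
    time: str
    ip: str
    detail: str


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn a W3C extended log into row dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def hunt_toolshell(text: str) -> List[Alert]:
    """Apply the ToolShell request heuristics to every row of the log."""
    alerts: List[Alert] = []
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"].lower()
        query = r.get("cs-uri-query", "-").lower()
        ip, user, status = r["c-ip"], r.get("cs-username", "-"), r["sc-status"]
        when = f"{r['date']} {r['time']}"
        toolpane_post = (r["cs-method"].upper() == "POST"
                         and "/_layouts/" in stem and stem.endswith("/toolpane.aspx")
                         and "displaymode=edit" in query)
        if toolpane_post:
            # Admins edit web parts through this page too; the exploit shows up
            # as a POST with no authenticated user that still gets HTTP 200.
            if user == "-":
                alerts.append(Alert("high" if status == "200" else "medium", "anon_toolpane_post",
                                    when, ip, f"status={status} referer={r.get('cs(Referer)', '-')} "
                                              f"ua={r.get('cs(User-Agent)', '-')}"))
            else:
                alerts.append(Alert("low", "auth_toolpane_post", when, ip, f"user={user} status={status}"))
        elif "/_layouts/" in stem and stem.rsplit("/", 1)[-1] in DROPPED_NAMES:
            alerts.append(Alert("high", "webshell_request", when, ip, f"uri={r['cs-uri-stem']} status={status}"))
        if ip in ATTACKER_IPS:
            alerts.append(Alert("high", "known_attacker_ip", when, ip, f"uri={r['cs-uri-stem']}"))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per kind, the first thing an analyst wants from a whole log set."""
    return dict(Counter(a.kind for a in alerts))


if __name__ == "__main__":
    for a in hunt_toolshell(SAMPLE_LOG):
        print(f"{a.severity:6} {a.kind:20} {a.time} {a.ip} {a.detail}")
```

The Referer value is reported rather than matched: the report only says the bypass abuses Referer validation, so the analyst compares it against what their legitimate editors send. A 401 on the ToolPane POST is the normal Windows-auth challenge and is rated medium, not high, because the same unauthenticated POST that fails today may succeed once the attacker adjusts the request.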
xxx.aspx
On July 18th, 2025 at 09:58 GMT, SentinelOne observed a single exploitation attempt where the attacker dropped a custom password-protected ASPX webshell named xxx.aspx. This activity appears to be hands-on and exploratory in nature, likely performed by a human operator rather than an automated script.
The webshell was written to the following path:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\xxx.aspx
This webshell provides a basic HTML interface allowing three primary functions:
- Authentication via an embedded form that sets a cookie.
- Command Execution by submitting commands through the `GTaRkhJ9wz` parameter, which are run via `cmd.exe` and returned to the client.
- File Upload via a multipart form using the fields `0z3H8H8atO` (file) and `7KAjlfecWF` (destination path).
The shell leverages basic obfuscation and validation mechanisms, including cookie-based authentication and a hardcoded SHA512 hash to restrict access. The password check logic suggests the actor anticipated repeated or remote usage of the shell.
After the webshell was dropped, the attacker issued the following commands:
cmd.exe /c whoami > c:\progra~1\common~1\micros~1\webser~1\16\template\layouts\info.js
A first attempt to redirect the whoami output failed due to a typo in the path (\templa instead of \template), indicating the activity was likely manual and exploratory. The corrected second command, shown above, successfully writes the output of whoami into a web-accessible .js file, a common tactic for validating command execution and retrieving the output through a browser.
While this activity was limited to a single observed instance, the customized tooling and interactive behavior suggest a deliberate post-exploitation attempt by a threat actor testing or preparing for broader operations.
spinstall0.aspx
SentinelOne observed two distinct waves of activity involving a consistent final payload, spinstall0.aspx, dropped across SharePoint environments from different attacker infrastructure on July 18 and 19, 2025. While the initial dropper scripts varied slightly between waves, both resulted in deployment of the same webshell, designed to extract and expose sensitive cryptographic material from the host.
First Wave – July 18, 2025 (14:54–18:44 GMT)
Source IP: 107.191.58[.]76
This initial wave involved PowerShell-based payload delivery. A base64-encoded blob was decoded and written to the SharePoint LAYOUTS directory:
```powershell
$base64String = [REDACTED]
$destinationFile = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx"
$decodedBytes = [System.Convert]::FromBase64String($base64String)
$decodedContent = [System.Text.Encoding]::UTF8.GetString($decodedBytes)
$decodedContent | Set-Content -Path $destinationFile -ErrorAction Stop
```
The resulting file, spinstall0.aspx, is not a traditional command webshell but rather a reconnaissance and persistence utility:
```aspx
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
```
The page (only its import directives are reproduced above) extracts and prints the host’s MachineKey values, including the ValidationKey, DecryptionKey, and cryptographic mode settings. This information is critical for attackers seeking to maintain persistent access across load-balanced SharePoint environments or to forge authentication tokens, which is why Microsoft’s guidance includes rotating the ASP.NET machine keys after patching.
Second Wave – July 19, 2025 (03:06–07:59 GMT)
Source IP: 104.238.159[.]149
Roughly 12 hours later, a second wave used nearly identical logic to deliver the same spinstall0.aspx payload. The key difference was in the PowerShell staging script:
```powershell
$b = [REDACTED]
$c = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS\spinstall0.aspx"
$d = [System.Convert]::FromBase64String($b)
$e = [System.Text.Encoding]::UTF8.GetString($d)
$e | Set-Content -Path $c -ErrorAction Stop
Start-Sleep -s 3
```
While the encoded payload was marginally different in form, it decoded to the same spinstall0.aspx shell. The change in target directory, from 16\TEMPLATE to 15\TEMPLATE, may reflect testing across different SharePoint versions or environments.
Unlike more interactive webshells observed in this campaign, spinstall0.aspx does not support command execution or file upload. Instead, its singular purpose appears to be information gathering, specifically targeting cryptographic secrets that could be reused to forge authentication or session tokens across SharePoint instances.
Given the uniqueness and strategic value of the MachineKey data harvested by this shell, we assess this cluster to be part of a broader effort to establish durable access into high-value SharePoint deployments.
“no shell”
This activity cluster, tracked as “no shell”, represents a more advanced and stealthy approach compared to others in this campaign. SentinelOne observed this cluster operating between July 17, 2025 10:35:04 GMT and July 18, 2025 03:51:29 GMT, making it our earliest known exploitation of CVE-2025-53770 in the wild.
Unlike the other clusters, no persistent webshells were written to disk. Instead, telemetry and behavioral indicators suggest the attackers relied on in-memory .NET module execution, avoiding traditional file-based artifacts entirely. This approach significantly complicates detection and forensic recovery, underscoring the threat posed by fileless post-exploitation techniques.
All observed activity in this cluster originated from a single IP address: 96.9.125[.]147. Despite the lack of file system artifacts, compromised hosts exhibited patterns consistent with SharePoint exploitation, followed by encoded payload delivery and dynamic assembly loading via PowerShell or native .NET reflection.
Given the timing, just days after public proof-of-concept chatter began, and the sophistication of the fileless execution chain, we assess this cluster to be either a skilled red team emulation exercise or the work of a capable threat actor with a focus on evasive access and credential harvesting.
Defenders should be especially vigilant for memory-resident activity following SharePoint exploitation attempts and should employ EDR solutions capable of detecting anomalous .NET execution patterns and assembly loading.
Conclusion
Modern threat actors maximize their gains through patch diffing, rapid n-day adoption, and iterative development of exploits. SharePoint servers are attractive targets because they are likely to store sensitive organizational data. Beyond their value as a knowledge store, compromised SharePoint servers can be used to stage and deliver additional attack components to the victim organization in internal watering-hole attacks. The ease of exploitation and the value of the data hosted on these servers make ‘ToolShell’ a potent and dangerous attack chain.
As of this writing, SharePoint Online in Microsoft 365 is not affected. Our research teams have provided out-of-the-box Platform Detection rules and Hunting Queries to assist in discovering and isolating related behavior. We recommend that vulnerable organizations apply the security updates released by Microsoft (July 21, 2025) as soon as possible to mitigate the related vulnerabilities. SentinelOne is actively monitoring its customer base for impact and is notifying affected customers as they are identified.
Indicators of Compromise
SHA-1
f5b60a8ead96703080e73a1f79c3e70ff44df271 - spinstall0.aspx webshell
fe3a3042890c1f11361368aeb2cc12647a6fdae1 - xxx.aspx webshell
76746b48a78a3828b64924f4aedca2e4c49b6735 - App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll, a compiled version of spinstall0.aspx
IP Addresses
96.9.125[.]147 - attacker IP from “no shell” cluster
107.191.58[.]76 - attacker IP used in 1st wave of spinstall0.aspx cluster
104.238.159[.]149 - attacker IP used in 2nd wave of spinstall0.aspx cluster
New SentinelOne Platform Detection Rules
- Web Shell Creation in LAYOUTS Directory
- Web Shell File Detected in LAYOUTS Directory
- Suspicious Process Spawned by SharePoint IIS Worker Process
SentinelOne Platform Hunting Queries
```
//Suspicious SharePoint Activity
dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.parent.name contains "svchost.exe" and src.process.name contains "w3wp.exe" and tgt.process.name contains "cmd.exe" and src.process.cmdline contains "SharePoint"

//spinstall0.aspx execution traces
dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.name contains "csc.exe" and tgt.file.path contains "App_Web_spinstall0.aspx"
```

Cybercrime and Cybersecurity in the Post-COVID-19 Era
The first half of 2020 is behind us. Certainly nobody forecasting cybersecurity trends expected the whole world to be thrown into such turbulent times by a new virus. Entire countries went into lockdown, air travel ground to a halt, and even the largest companies were forced to send all their employees to work from home.
Given this extremely tense situation, it is difficult to make predictions for the second half of the year. Still, we have learned a great deal over the past six months. So let us try to offer a few reliable assessments.
Home Alone, or in the Company of Cybercriminals?
Let us begin with the users (or victims). COVID-19 sent millions of employees home, some permanently (because they were laid off) and others to work remotely. This abrupt shift appears to be becoming permanent in part. Some of the world's largest companies (Twitter, Facebook, Shopify, Zillow) have already stated that they consider working from home a viable option for any employee who wants to continue doing so.
Change is taking place even in more traditional markets. One of Japan's largest employers, Fujitsu Ltd., will reduce its office space by 50 percent over the next three years and is encouraging 80,000 office staff to work mainly from home. Currently 42% of US employees work from home. Some surveys suggest that even after the pandemic subsides, companies will allow some (or all) employees to keep working outside the office.
With millions of people now working from home, malicious actors have an enormous attack surface. It is not easy to guarantee the same level of security for all these employees working outside the (relatively) secure perimeter of their offices and local intranet. Moreover, employees' attention wanes over time, and there are plenty of IT "temptations" (perhaps the children are allowed to browse the internet on the work laptop), which further increases exposure to cybercrime.
Cybercriminal Angles After COVID-19
Cybercrime has boomed during the COVID-19 pandemic. According to the FBI's Internet Crime Complaint Center (IC3), the number of cybercrime complaints has risen by 300%.
Traffic to hacking-related websites has grown. Searches for information and tutorials on hacking also jumped between March and May. This suggests that many so-called "n00bs" (noobs, newcomers to the hacking world) are getting into the field. Many cybercriminal activities in recent months have been related to the virus. The Telco Security Alliance reported a 2,000% increase in COVID-19-themed cyberthreats in the month of March alone.
Cybercriminal activity is increasing overall, but some segments are more successful than others. Demand for stolen credit cards, for example, has declined during the pandemic. "Old-fashioned" scams (advertising for fake or unsuitable medicines and medical equipment, dubious investment schemes, and much more), on the other hand, are on the rise. In the enterprise space, cybercriminals seem to have become even bolder, using far more aggressive techniques and aiming for quick money rather than long-term profits.
Cyber Policing: Are the Good Guys About to Get Better?
Authorities are aware of this situation and are working to mitigate the threats. The starting point is closer cooperation between countries, for example through the World Economic Forum's Partnership Against Cybercrime. Launched in April 2020, the initiative is tasked with expanding public-private collaboration and combating global cybercrime. Cooperation between national law enforcement agencies is also expected to intensify and is already showing excellent early results. We have, for example, witnessed the takedown of EncroChat (an encrypted phone network popular among criminals) by the French and Dutch police.
Law enforcement agencies are also making progress in their efforts to simplify the reporting of cybercrime. The UK's National Cyber Security Centre, for example, has set up a dedicated email address for reporting online scams. In less than two months, it has already received one million (!) reports.
The US state of Michigan has a similar offering: a telephone number where callers can get free cybercrime support and advice around the clock. The UK is also resorting to more active measures, such as launching a paid online advertising campaign aimed at young people searching for cybercrime services and offering them legitimate alternatives instead.
Hacktivism: A Dangerous Game
Even where there is no financial motivation, cyber activists have become more prominent recently. The recent social unrest in the US has triggered a wave of hacktivist activity, including DDoS attacks on city governments and police departments. This year we have seen leaks of millions of police and FBI records as well as aggressive social media attacks on the US government, President Trump, and even the popular social media app TikTok.
While these activities pose no direct threat to societies and individuals, they can be directed at individual people or organizations perceived as opposing the principles of the hacker community.
Conclusion
Everything has been different over the past six months. It is still too early to assess the long-term impact of the COVID-19 pandemic. It is fairly safe to say, however, that this period is bringing about the greatest change in the world of work since the invention of the modern office. It also makes companies, organizations, and individuals significantly more vulnerable to malicious cyber activity.
But it is not all bad news: law enforcement agencies have recognized the full scope of the problem and are stepping up their cooperation. Companies need to realize that they can influence the situation. Reduce your risk by using a powerful behavioral AI solution that prevents, detects, and remediates the damage caused by known and unknown threats. Force cybercriminals to look elsewhere for quick money. If you would like to know how SentinelOne can help you protect your company, both office-based and remote staff, contact us today or request a free demo.
The post Cyberkriminalität und Cybersicherheit in der Zeit nach COVID-19 appeared first on SentinelOne DE.
