Get deeper into security at Microsoft Ignite 2018

This year at Microsoft Ignite, we will be making some exciting announcements, from new capabilities for identity management and information protection to powerful artificial intelligence (AI) innovations that can help you stay ahead of an often overwhelming surge in threats and security alerts.

Join us as we share best practices for current products, reveal highlights of our new offerings, and give you a glimpse of our future product vision.

Start by attending Satya Nadella's keynote. Then kickstart your security journey with this session: "Microsoft Security: How the cloud helps us all be more secure" (GS008), featuring Rob Lefferts. We'll highlight what's new in Microsoft security and how our customers and partners are using the Microsoft Cloud to accelerate security and productivity. Watch our demo showcase to see for yourself how unique intelligence and new innovations from Microsoft can help you be more secure across your entire digital estate.

Here are just a few of the other sessions at Ignite that will showcase our security technology and the innovation we have invested in throughout 2018 and into 2019. Add them to your Session Scheduler and check out the Session Catalog for the full list. If you can't attend in person, you can watch the live stream starting on September 24, with on-demand sessions to follow.

  • Leveraging the power of Microsoft threat protection (BRK4000). Learn about the services that make up Microsoft threat protection and how they work together across data, endpoints, identities, and infrastructure.
  • Double your security team productivity without doubling capacity (BRK2251). Learn how automated threat protection and remediation works seamlessly out of the box, using AI to respond to alerts and help security teams solve capacity and skill-gap challenges.
  • How to build security applications using the Microsoft Graph Security API (WRK3006). The Microsoft Graph has been extended with a new Security Graph API. Join this lab to get started using the Security API, including creating and authenticating a new app and using sample code to query the API.
  • Azure Active Directory: New features and roadmap (BRK2254). Come to this can’t-miss session for anyone working with or considering their strategy for identity and access management in the cloud. Hear about the newest features and experiences across identity protection, conditional access, single sign-on, hybrid identity environments, managing partner and customer access, and more.
  • Using Microsoft Secure Score to harden your security position (BRK3247). In this session, we help you understand what your current security position is in products like Office 365 and Windows and show you how you can easily improve your position through the built-in recommendations.
  • Getting to a world without passwords (BRK3031). Get the latest info and demos on what’s new with FIDO2, WebAuthN, Azure Active Directory, Windows Hello, and Microsoft Authenticator to help you make passwords a relic of the past.
  • Accelerate deployment and adoption of Azure Information Protection (BRK3009). Learn all about best practices in deploying Azure Information Protection to help protect your sensitive data, wherever it lives or travels.
  • Registering and managing apps through Microsoft Azure Portal and Microsoft Graph API (THR2079). Come learn how to register apps that sign in with Azure AD and personal Microsoft accounts, manage these apps, and get access to APIs, all through the Azure Portal, Microsoft Graph API, and PowerShell.
  • Secure enterprise productivity with Office 365 threat protection services (BRK4001). Learn about the latest advances in services such as Exchange Online Protection (EOP), Advanced Threat Protection (ATP), and Threat Intelligence, and get a detailed roadmap of what's to come.
  • Simplify your IT management and level up with Microsoft 365 (GS004). Come and learn how Microsoft 365 will help you simplify your modern workplace, delight and empower your users, and protect and secure your corporate assets.
  • Managing devices with Microsoft Intune: what's new (BRK3036). Learn how Intune raises the bar once again for Android, Apple, and Windows device management, and hear more about the exciting new features and new use cases announced at Ignite.
  • Elevate the security for all your cloud apps and services with the Microsoft Cloud App Security (CASB) solution (BRK2158). Gain visibility into your cloud apps and services with sophisticated analytics to identify and combat cyberthreats, and control how your ubiquitous data travels.

And one other exciting note: To see our solutions in action and gain access to a 6-month free trial of our EMS E5 solution, be sure to stop by the Microsoft Showcase for in-depth product demos and discussions with security experts.

For more Ignite news and updates, check back to our Secure Blog as we continue to highlight specific sessions and topics throughout the week.


Office VBA + AMSI: Parting the veil on malicious macros

As part of our continued efforts to tackle entire classes of threats, Office 365 client applications now integrate with Antimalware Scan Interface (AMSI), enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior.

Macro-based threats have always been a prevalent entry point for malware, but we have observed a resurgence in recent years. Continuous improvements in platform and application security have led to the decline of software exploits, and attackers have found a viable alternative infection vector in social engineering attacks that abuse functionalities like VBA macros. Microsoft, along with the rest of the industry, observed attackers transition from exploits to using malicious macros to infect endpoints. Malicious macros have since shown up in commodity malware campaigns, targeted attacks, and red-team activities.
Figure 1. Prevalence of the exploit vs macro attack vector observed via Windows Defender ATP telemetry

To counter this threat, we invested in building better detection mechanisms that expose macro behavior through runtime instrumentation within our threat protection solutions in the cloud. We're bringing this instrumentation directly into Office 365 client applications. More importantly, we're exposing this capability through AMSI, an open interface, making it accessible to any antivirus solution.

Obfuscation and other forms of detection evasion

Macros are popular among attackers because of the rich capabilities that the VBA runtime exposes and the privileged context in which macros execute. Notably, as with all scripting languages, attackers have another advantage: they can hide malicious code through obfuscation.

To evade detection, malware needs to hide intent. The most common way that attackers do this is through code obfuscation. Macro source code is easy to obfuscate, and a plethora of free tools are available for attackers to do this automatically. The result is polymorphic malware, with evolving obfuscation patterns and multiple obfuscated variants of the same malicious macro.

There's more: malicious code can be taken out of the macro source and hidden in other document components like text labels, forms, Excel cells, and others. Or why hide at all? A small piece of malicious code can be embedded somewhere in a huge legitimate source and keep a low profile.

How can antivirus and other security solutions cope? Today, antivirus solutions can extract and scan the obfuscated macro source code from an Office document. But how can the macro's intent be exposed? What if security solutions could observe a macro's behavior at runtime and gain visibility into its system interactions? Enter Office and AMSI integration.

AMSI on Windows 10

If AMSI rings a bell, it's because we talked about how PowerShell adopted AMSI in a blog post when AMSI was introduced back in 2015.

Antimalware Scan Interface (AMSI) is an open interface available on Windows 10 for applications to request, at runtime, a synchronous scan of a memory buffer by an installed antivirus or security solution. Any application can interface with AMSI and request a scan for any data that may be untrusted or suspicious.

Any antivirus can become an AMSI provider and inspect data sent by applications via the AMSI interface. If the content submitted for scan is detected as malicious, the requesting application can take action to deal with the threat and ensure the safety of the device. To learn more, refer to the AMSI documentation.

AMSI also integrates with the JavaScript, VBScript, and PowerShell scripting engines. Over the years, we have been steadily increasing our investments in providing security solutions with deeper visibility into script-based threats. Insights seen via AMSI are consumed by our own security products. The new Office and AMSI integration is yet another addition to the arsenal of protection against script-based malware. Windows Defender Advanced Threat Protection (Windows Defender ATP) leverages AMSI and machine learning to combat script-based threats that live off the land (read our previous blog post to learn more).

Office VBA integration with AMSI

The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection.

Figure 2. Runtime scanning of macros via AMSI

Logging macro behavior

The VBA language offers macros a rich set of functions that can be used to interface with the operating system to run commands, access the file system, etc. It also allows macros to issue direct calls to COM methods and Win32 APIs. The VBA scripting engine handles calls from macro code to COM and APIs via internal interfaces that implement the transition between the caller and the callee. These interfaces are instrumented such that the behavior of a macro is trapped and all relevant information, including the function name and its parameters, is logged in a circular buffer.

This monitoring is not tied to specific functions; it's generic and works on any COM method or Win32 API. The logged calls can come in two formats:

  • <COM_Object>.<COM_Method>(Parameter 1, …, Parameter n);
  • <API_or_function_Name>(Parameter 1, …, Parameter n);

Invoked functions, methods, and APIs need to receive their parameters in the clear (plaintext) in order to work; thus, this behavioral instrumentation is not affected by obfuscation. This exposes a weak spot in malicious macro code: the antivirus now has visibility into the macro's relevant activity in the clear.

To illustrate, consider the following string obfuscation in a shell command:

Shell("ma" + "l" + "wa" + "r" + "e.e" + "xe")

With the Office VBA and AMSI integration, this is logged like so:

Shell("malware.exe");

Triggering on suspicious behavior

When a potentially high-risk function or method (a trigger; for example, CreateProcess or ShellExecute) is invoked, Office halts the execution of the macro and requests a scan of the macro behavior logged up to that moment, via the AMSI interface. The AMSI provider (e.g., antivirus software) is invoked synchronously and returns a verdict indicating whether or not the observed behavior is malicious.

The list of high-risk functions, or triggers, is meant to cover actions at various stages of an attack chain (e.g., payload download, persistence, execution, etc.); the triggers are selected based on their prevalence among malicious and benign macros. The behavior log sent over AMSI can include information like suspicious URLs from which malicious data was downloaded, suspicious file names known to be associated with malware, and others. This data is valuable in determining if the macro is malicious, as well as in the creation of detection indicators, all of it without any influence from obfuscation.

Stopping malicious macros upon detection

If behavior is assessed malicious, macro execution is stopped. The user is notified by the Office application, and the application session is shut down to avoid any further damage. This can stop an attack in its tracks, protecting the device and user.
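The following Python model is an added illustration of the three parts just described (behavior logged to a circular buffer in the clear, a high-risk trigger requesting a synchronous scan, and the macro being stopped on a malicious verdict), and of why the earlier Shell("ma" + "l" + ...) concatenation is logged as Shell("malware.exe"). It is not Office or Windows Defender code: the trigger set, the buffer size, the provider rule and the sample macros are all constructed.

```python
"""Toy model of the Office VBA + AMSI flow: (a) every COM/API call is logged
in the clear to a circular buffer, (b) a high-risk trigger halts the macro and
hands the log to the AMSI provider for a synchronous verdict, (c) a malicious
verdict stops the macro. Added example; trigger names, buffer size and the
provider rule are assumptions, not Office's real configuration."""
import re
from collections import deque

# Assumed trigger set; the page names CreateProcess and ShellExecute as examples.
HIGH_RISK_TRIGGERS = {"Shell", "CreateProcess", "ShellExecute", "WScript.Shell.Run"}


class MacroStopped(Exception):
    """Raised when the provider reports the logged behavior as malicious."""


class MacroBehaviorMonitor:
    def __init__(self, provider, capacity=16):
        self.log = deque(maxlen=capacity)  # circular buffer of logged calls
        self.provider = provider           # callable(list[str]) -> "clean" | "malicious"
        self.stopped = False

    def call(self, name, *params):
        """Record one call in the page's format: Name("p1", ..., "pn");
        The parameters are the runtime values the callee receives, so string
        fragments joined at runtime show up here already concatenated."""
        if self.stopped:
            raise MacroStopped("macro execution has been stopped")
        rendered = ", ".join('"%s"' % p for p in params)
        self.log.append("%s(%s);" % (name, rendered))
        if name in HIGH_RISK_TRIGGERS:
            verdict = self.provider(list(self.log))  # synchronous scan of the log
            if verdict == "malicious":
                self.stopped = True
                raise MacroStopped("AMSI provider verdict: malicious")


def sample_provider(log_lines):
    """Deliberately small provider rule (constructed): a network fetch followed
    by a process launch in the same behavior log is treated as malicious."""
    text = "\n".join(log_lines)
    fetch = re.search(r"(URLDownloadToFile|XMLHTTP\.Open|WinHttpRequest\.Open)\(", text)
    launch = re.search(r"(Shell|CreateProcess|ShellExecute|WScript\.Shell\.Run)\(", text)
    if fetch and launch and fetch.start() < launch.start():
        return "malicious"
    return "clean"


def run_benign_macro():
    """Constructed benign macro: document automation plus a launch of a local
    helper. No fetch precedes the trigger, so the scan returns clean."""
    m = MacroBehaviorMonitor(sample_provider)
    m.call("ActiveSheet.Range.Value", "Q3 totals")
    m.call("ActiveWorkbook.Save")
    m.call("Shell", "notepad.exe")
    return m.stopped, list(m.log)


def run_obfuscated_macro():
    """Constructed macro in the style of case study 1: strings are assembled
    from fragments at runtime; the URL is a placeholder, not a real indicator."""
    m = MacroBehaviorMonitor(sample_provider)
    url = "ht" + "tp://" + "payload.example" + ".invalid/" + "a.bin"
    dest = "C:\\Users\\Public\\" + "ma" + "l" + "wa" + "r" + "e.e" + "xe"
    m.call("URLDownloadToFile", url, dest)
    try:
        m.call("Shell", "ma" + "l" + "wa" + "r" + "e.e" + "xe")
    except MacroStopped:
        pass  # (c) execution stopped; the log below is what the provider saw
    return m.stopped, list(m.log)


if __name__ == "__main__":
    for label, fn in (("benign", run_benign_macro), ("obfuscated", run_obfuscated_macro)):
        stopped, log = fn()
        print(label, "stopped" if stopped else "allowed")
        for line in log:
            print("   ", line)
```

The obfuscated run ends with the log line Shell("malware.exe"); exactly as the page describes, because the fragments were joined before the call was trapped.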

Figure 3. Malicious macro notification

Case study 1: Heavily obfuscated macro code

(SHA-256: 10955f54aa38dbf4eb510b8e7903398d9896ee13d799fdc980f4ec7182dbcecd)

To illustrate how the Office VBA and AMSI integration can expose malicious macro code, let's look at a recent social engineering attack that uses macro-based malware. The initial vector is a Word document with instructions, in Chinese, to "Enable content".

Figure 4. The malicious document instructs the user to enable content

If the recipient falls for the lure and enables content, the malicious macro code runs and launches a command to download the payload from a command-and-control server controlled by the attacker. The payload, an installer file, is then run.

The macro code is heavily obfuscated:

Figure 5: Obfuscated macro

However, behavior monitoring is not hindered by obfuscation. It produces the following log, which it passes to AMSI for scanning by antivirus:

Figure 6: De-obfuscated behavior log

The actions carried out by the macro code are logged, clearly exposing malicious behavior that antivirus solutions can detect much more easily than they could from the obfuscated code.

Case study 2: Macro threat that lives off the land

(SHA-256: 7952a9da1001be95eb63bc39647bacc66ab7029d8ee0b71ede62ac44973abf79)

The following is an example of macro malware that lives off the land, which means that it stays away from the disk and uses common tools to run code directly in memory. In this case, it uses shellcode and dynamic pages. Like the previous example, this attack uses social engineering to get users to click "Enable Content" and run the macro code, but this one uses instructions in Spanish, in an Excel file.

Figure 7. Malicious Excel file with instructions to enable content

When run, the macro code dynamically allocates virtual memory, writes shellcode to the allocated location, and uses a system callback to transfer execution control. The malicious shellcode then achieves fileless persistence, being memory-resident without a file.

Figure 8. Macro code utilizing Win32 APIs to launch embedded shellcode

When the shellcode gets execution control, it launches a PowerShell command to download additional payload from a command-and-control server controlled by the attacker.

Figure 9. PowerShell command that downloads payload

Even though the macro code uses a fileless execution technique based on shellcode, its behavior is exposed to antivirus solutions via the AMSI interface. A sample log is shown below:

Figure 10. De-obfuscated behavior log

With the AMSI scan integration in both Office VBA and PowerShell, security solutions like Windows Defender ATP can gain clear visibility into malicious behavior at multiple levels and successfully block attacks.

Windows Defender ATP: Force multiplier and protection for down-level platforms

In addition to protecting users running Office 365 applications on Windows 10, detections via AMSI allow modern endpoint protection platforms like Windows Defender ATP to extend protection to customers via the cloud.

Figure 11. Simplified diagram showing how AMSI detections in a few machines are extended to other customers via the cloud

In Windows Defender AV's cloud-delivered antivirus protection, the Office VBA and AMSI integration enriches the signals sent to the cloud, where multiple layers of machine learning models classify and make verdicts on files. When devices encounter documents with suspicious macro code, Windows Defender AV sends metadata and other machine learning features, coupled with signals from Office AMSI, to the cloud. Verdicts by machine learning translate to real-time protection for the rest of Windows Defender AV customers with cloud protection enabled.

This protection is also delivered to the rest of Microsoft 365 customers. Through the Microsoft Intelligent Security Graph, security signals are shared across components of Microsoft 365 threat protection. For example, in the case of macro malware, detections of malicious macro-laced documents by Windows Defender AV are shared with Office 365 ATP, which blocks emails carrying the document, stopping attacks before the documents land in users' mailboxes.

Figure 12. The Office and AMSI integration enriches the orchestration of protection across Microsoft 365

Within a few weeks after the release of this new instrumentation in Office VBA and its adoption by Windows Defender ATP, we saw this multiplier effect, with signals from a few hundred devices protecting several tens of thousands of devices. Because the Office AMSI feature exposes the behaviors of a macro irrespective of content, language, or obfuscation, signals from one part of the world can translate to protection for the rest of the globe; this is powerful.

Availability

AMSI integration is now available and turned on by default on the Monthly Channel for all Office 365 client applications that have the ability to run VBA macros, including Word, Excel, PowerPoint, and Outlook.

In its default configuration, macros are scanned at runtime via AMSI except in the following scenarios:

  • Documents opened while macro security settings are set to “Enable All Macros”
  • Documents opened from trusted locations
  • Documents that are trusted documents
  • Documents that contain VBA that is digitally signed by a trusted publisher

Office 365 applications also expose a new policy control for administrators to configure if and when macros are scanned at runtime via AMSI:

Group Policy setting name: Macro Runtime Scan Scope
Path: User Configuration > Administrative templates > Microsoft Office 2016 > Security Settings
Description:

This policy setting specifies for which documents the VBA Runtime Scan feature is enabled.

Disable for all documents: If the feature is disabled for all documents, no runtime scanning of enabled macros will be performed.

Enable for low trust documents: If the feature is enabled for low trust documents, the feature will be enabled for all documents for which macros are enabled except:

  • Documents opened while macro security settings are set to “Enable All Macros”
  • Documents opened from a Trusted Location
  • Documents that are Trusted Documents
  • Documents that contain VBA that is digitally signed by a Trusted Publisher

Enable for all documents: If the feature is enabled for all documents, then the above class of documents is not excluded from the behavior.

This protocol allows the VBA runtime to report to the Anti-Virus system certain high-risk code behaviors it is about to execute and allows the Anti-Virus to report back to the process if the sequence of observed behaviors indicates likely malicious activity so the Office application can take appropriate action.

When this feature is enabled, affected VBA projects’ runtime performance may be reduced.

Conclusion: Exposing hidden malicious intent

Macro-based malware continuously evolves and poses detection challenges through techniques like sandbox evasion and code obfuscation. The integration of Antimalware Scan Interface (AMSI) with Office 365 applications enables runtime scanning of macros, exposing malicious intent even under heavy obfuscation. This latest improvement to Office 365 allows modern endpoint security platforms like Windows Defender ATP to defeat macro-based threats.

Code instrumentation and runtime monitoring are powerful tools for threat protection. Combined with runtime scanning via AMSI, they enable antivirus and other security solutions to have greater visibility into the runtime behavior of a macro execution session at a very granular level, while also bypassing code obfuscation. This enables antivirus solutions to (1) detect a wide range of mutated or obfuscated malware that exhibit the same behavior using a smaller but more efficient set of detection algorithms, and (2) impose more granular restrictions on what macros are allowed to do at runtime.

Moreover, AMSI protection is not limited to macros. Other scripting engines like JavaScript, VBScript, and PowerShell also implement a form of code instrumentation and interface with AMSI. Attacks with multiple stages that use different scripts will be under scrutiny by AMSI at each step, exposing all behaviors and enabling detection by antivirus and other solutions.

We believe this is another step forward in elevating security for Microsoft 365 customers. More importantly, AMSI and Office 365 integration enables the broader ecosystem of security solutions to better detect and protect customers from malicious attacks without disrupting day-to-day productivity.


Giulia Biagini, Microsoft Threat Intelligence Center
Sriram Iyer, Office Security
Karthik Selvaraj, Windows Defender ATP Research


Small businesses targeted by highly localized Ursnif campaign

September 6th, 2018

Cyber thieves are continuously looking for new ways to get people to click on a bad link, open a malicious file, or install a poisoned update in order to steal valuable data. In the past, they cast as wide a net as possible to increase the pool of potential victims. But attacks that create a lot of noise are often easier to spot and stop. Cyber thieves are catching on that we are watching them, so they are trying something different. Now we're seeing a growing trend of small-scale, localized attacks that use specially crafted social engineering to stay under the radar and compromise more victims.

In social engineering attacks, is less really more?

A new malware campaign puts that to the test by targeting home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets. Macro-laced documents masqueraded as statements from legitimate businesses. The documents were then distributed via email to target victims in the cities where those businesses are located.

With Windows Defender AV's next-gen defense, however, the size of the attack doesn't really matter.

Several cloud-based machine learning algorithms detected and blocked the malicious documents at the onset, stopping the attack and protecting customers from what would have been the payload, info-stealing malware Ursnif.

The map below shows the location of the targets.

Figure 1. Geographic distribution of target victims

Highly localized social engineering attack

Here's how the attack played out: Malicious, macro-enabled documents were delivered as email attachments to target small businesses and users. Each document had a file name that spoofed a legitimate business name and masqueraded as a statement from that business. In total, we saw 21 unique document file names used in this campaign.

The attackers sent these emails to intended victims in the city or general geographic area where the businesses are located. For example, the attachment named Dolan_Care_Statement.doc was sent almost exclusively to targets in Missouri. The document file name spoofs a known establishment in St. Louis. While we do not believe the establishment itself was affected or targeted by this attack, the document purports to be from the said establishment when it's really not.

The intended effect is for recipients to receive documents that appear to come from local, familiar businesses or service providers. It's part of the social engineering scheme to increase the likelihood that recipients will think the document is legitimate and take the bait, when in reality it is a malicious document.

Most common lure document file names and their top target cities:

  • Dockery_FloorCovering_Statement: Johnson City, TN; Kingsport, TN; Knoxville, TN
  • Dolan_Care_Statement: St. Louis, MO; Chesterfield, MO; Lee's Summit, MO
  • DMS_Statement: Omaha, NE; Wynot, NE; Norwalk, OH
  • Dmo_Statement: New Braunfels, TX; Seguin, TX; San Antonio, TX
  • DJACC_Statement: Miami, FL; Flagler Beach, FL; Niles, MI
  • Donovan_Construction_Statement: Alexandria, VA; Mclean, VA; Manassas, VA

Table 1. Top target cities of most common document file names

When recipients open the document, they are shown a message that tricks the person into enabling the macro.

Figure 2. Document tricks victim into enabling the macro

As is typical in social engineering attacks, this is not true. If the recipient does enable the macro, no content is shown. Instead the following process is launched to deobfuscate a PowerShell command.

Figure 3. Process to deobfuscate PowerShell

Figure 4. PowerShell command

The PowerShell script connects to any of 12 different URLs that all deliver the payload.

Figure 5. Deobfuscated PowerShell command

The payload is Ursnif, info-stealing malware. When run, Ursnif steals information about infected devices, as well as sensitive information like passwords. Notably, this infection sequence (i.e., cmd.exe process deobfuscates a PowerShell that in turn downloads the payload) is a common method used by other info-stealing malware like Emotet and Trickbot.

How machine learning stopped this small-scale, localized attack

As the malware campaign got under way, four different cloud-based machine learning models gave the verdict that the documents were malicious. These four models are among a diverse set of models that help ensure we catch a wide range of new and emerging threats. Different models have different areas of expertise; they use different algorithms and are trained on their unique set of features.

One of the models that gave the malicious verdict is a generic model designed to detect non-portable executable (PE) threats. We have found that models like this are effective in catching social engineering attacks, which typically use non-PE files like scripts and, as is the case for this campaign, macro-laced documents.

The said non-PE model is a simple averaged perceptron algorithm that uses various features, including expert features, fuzzy hashes of various file sections, and contextual data. The simplicity of the model makes it fast, enabling it to give split-second verdicts before suspicious files can execute. Our analysis of this specific model showed that the expert features and fuzzy hashes had the biggest impact on the model's verdict and the eventual blocking of the attack.

Figure 6. Impact of features used by one ML model that detected the attack
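To make the "averaged perceptron with per-feature impact" concrete, here is an added Python example that trains such a model on a constructed set of document features and then reports each feature's contribution to a verdict, in the spirit of Figure 6. It is not Microsoft's model: the feature names, the training set and the resulting weights are all constructed for illustration.

```python
"""Averaged perceptron over constructed document features. Label +1 means
malicious, -1 means benign. Added illustration of the non-PE model described
on the page, not the real model or its features."""

# Constructed feature names: two "expert" features, one fuzzy-hash bucket
# and one contextual feature (the document author is on an allow list).
FEATURES = ["autoopen_macro", "shell_or_wscript", "fuzzy_hash_bucket_A", "allowlisted_author"]

# Constructed training set: (feature vector, label).
TRAIN = [
    ([1, 1, 1, 0], +1),
    ([1, 1, 0, 0], +1),
    ([1, 0, 1, 0], +1),
    ([0, 0, 0, 1], -1),
    ([1, 0, 0, 1], -1),
    ([0, 1, 0, 1], -1),
]


def dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def train_averaged_perceptron(data, epochs=20):
    """Standard perceptron updates on every mistake; the returned model is the
    average of the weight vector over all steps, which is what makes the
    averaged variant more stable than the last weight vector alone."""
    n = len(data[0][0])
    w, b = [0.0] * n, 0.0
    w_sum, b_sum, steps = [0.0] * n, 0.0, 0
    for _ in range(epochs):
        for x, y in data:
            if y * (dot(w, x) + b) <= 0:  # mistake (or zero margin): move toward y
                w = [wi + y * xi for wi, xi in zip(w, x)]
                b += y
            w_sum = [ws + wi for ws, wi in zip(w_sum, w)]
            b_sum += b
            steps += 1
    return [ws / steps for ws in w_sum], b_sum / steps


def predict(model, x):
    w, b = model
    return +1 if dot(w, x) + b > 0 else -1


def feature_impact(model, x):
    """Per-feature contribution w_i * x_i for one sample, largest first:
    the kind of breakdown Figure 6 shows for the real model."""
    w, _ = model
    contrib = [(name, wi * xi) for name, wi, xi in zip(FEATURES, w, x)]
    return sorted(contrib, key=lambda t: t[1], reverse=True)


MODEL = train_averaged_perceptron(TRAIN)

if __name__ == "__main__":
    print("averaged weights:", MODEL)
    for x, y in TRAIN:
        print(x, "label", y, "predicted", predict(MODEL, x))
    print("impact for first sample:", feature_impact(MODEL, [1, 1, 1, 0]))
```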

Next-generation protection against malware campaigns regardless of size

Machine learning and artificial intelligence power Windows Defender AV to detect and stop new and emerging attacks before they can wreak havoc. Every day, we protect customers from millions of distinct, first-seen malware. Our layered approach to intelligent, cloud-based protection employs a diverse set of machine learning models designed to catch the wide range of threats: from massive malware campaigns to small-scale, localized attacks.

The latter is a growing trend, and we continue to watch the threat landscape to keep machine learning effective against attacks. In a recent blog post, we discussed how we continue to harden machine learning defenses.

Windows Defender AV delivers the next-gen protection capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP). Windows Defender ATP integrates attack surface reduction, next-gen protection, endpoint detection and response (EDR), automatic investigation and response, security posture, and advanced hunting capabilities.

Because of this integration, antivirus detections, such as those related to this campaign, are surfaced in Windows Defender Security Center. Using EDR capabilities, security operations teams can then investigate and respond to the incident. Attack surface reduction rules also block this campaign, and these detections are likewise surfaced in Windows Defender ATP. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Across Microsoft 365 threat protection as a whole, detections and other security signals are shared among Office 365 ATP, Windows Defender ATP, and Azure ATP. In this Ursnif campaign, the antivirus detection also enables the blocking of related emails in Office 365. This demonstrates how signal sharing and orchestration of remediation across solutions in Microsoft 365 results in better integrated threat protection.


Bhavna Soman
Windows Defender Research


Indicators of compromise (IOCs)

Infector:

Hashes

File names
CSC_Statement.doc
DBC_Statement.doc
DDG_Statement.doc
DJACC_Statement.doc
DKDS_Statement.doc
DMII_Statement.doc
dmo_statement.doc
DMS_Statement.doc
Dockery_Floorcovering_Statement.doc
Docktail_Bar_Statement.doc
doe_statement.doc
Dolan_Care_Statement.doc
Donovan_Construction_Statement.doc
Donovan_Engineering_Statement.doc
DSD_Statement.doc
dsh_statement.doc
realty_group_statement.doc
statement.doc
tri-lakes_motors_statement.doc
TSC_Statement.doc
UCP_Statement.doc

Payload (Ursnif)

Hashes

URLs

Note: The first four domains above are all registered in Russia and are hosted on the IP address 185[.]212[.]44[.]114. The other domains follow the same URL pattern and are also pushing Ursnif, but no registration info is available.


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Practical application of artificial intelligence that can transform cybersecurity

September 5th, 2018

As I write this blog post, I'm sitting by the beach on my computer in a sunny destination while my family plays in the water. We're on vacation, but we all have our own definition of fun. For me it's writing blogs on the beach, really! The headspace is outstanding for uninterrupted thinking time and focus. However, my employer may not find my vacation destination to be the safest place to access certain applications and data. They want me to strongly authenticate, and they want to understand the health of the systems and devices I am using, as well as the network and geolocation. But thanks to the power of machine learning and conditional access I am able to write this blog when and where I want. My employer is able to enforce all-encompassing security measures to ensure my device, location, and network are safe and confirm it's really me trying to sign in.

The ability for my organization to reason over all of the data, including location, device health, sign-in, and app health, is just one example of the way artificial intelligence (AI) is helping us evolve the tools we use to fight cybercrime. In this post I'll focus on two practical use cases for deploying AI in the cybercrime battlefield. In the first example, I explain how layering AI onto on-premises Security Information and Event Management (SIEM) solutions can give you better insights and predictive capabilities. The second use case is the one I just hinted at, which is how we can take AI even further to protect user access. By the end I hope I've proven to you that there is tremendous opportunity to use AI, particularly machine learning, to improve the efficacy of cybersecurity, the detection of hackers, and even prevent attacks before they occur.

If you are skeptical, I understand. I often tell a story about how for many years at the annual RSA Conference, vendors and customers rallied around themes such as "the year of the smart card," "the year of biometrics," "the year of machine learning," and "the year of blockchain." Some of these technologies never lived up to their promise, and many are still nascent and immature in their application, architecture, and use cases. But I think there are practical applications of AI that will meet our expectations, especially when it comes to cybersecurity. If one reflects on broad-based attacks like WannaCry and NotPetya and critical vulnerabilities like Spectre and Meltdown, it only stands to reason that the attack surface is rapidly growing, the bad actors are becoming more sophisticated, and the need for tool evolution is compelling. AI is the path to that evolution. As an industry, we need to be cautious in how we position and explain machine learning and AI, avoiding confusion, conflating capabilities, and overpromising results. There is definitely a place for both, and they are highly complementary. AI has the power to deliver on some of the legacy promise of machine learning, but only if it is trained, architected, and implemented properly.

Like all technologies, there is a risk that AI will be misused or poorly used. For the purpose of this blog, I ask you to make the assumption that the tech is being used ethically, the engines are properly trained in a non-biased manner, and the user understands the full capability of the technology they are deploying. Am I asking you to suspend reality? No, I am simply asking you to imagine the potential if we fully harness AI to further improve our cybersecurity defenses and recognize the threat of bad actors who will also embrace AI now and in the future. Please also read The Future Computed: Artificial Intelligence and its role in society by Brad Smith and Harry Shum for a broader vision on AI and its role in society.

Using AI to gain powerful insights

There are several use cases where AI is interesting for cybersecurity applications, but let's first start with what is possibly the most obvious use case: making sense of signal and intelligence. Collective sigh, readers, before continuing. I understand the consternation related to legacy SIEM solutions, and your visceral response. SIEM solutions were purpose-built to collect logs and data from a wide range of sources, largely for compliance, and they do this particularly well. They also enable users to effectively produce reporting specific to a use case. They do not, however, work well in detecting real-time attacks and allowing an organization to automate and/or orchestrate defenses that will minimize damage to the organization.

Take a moment to think about how powerful it would be to apply the machine learning algorithms that exist today to the data and logs that SIEM collects. AI could reason over the data at global scale in near real-time using the cloud and produce attack scenarios, which you could then tie to a security operations tool that automates the response and defenses based on the outcome of the AI reasoning. With a large volume of globally sourced data, you could use AI to look at anomalies in the behavior patterns of humans, devices, data, and applications at scale and make accurate predictions of the threats to your enterprise, allowing you to deploy defenses well in advance of a specific attack. AI, when trained and deployed properly, has the ability to allow your enterprise to be this effective. You can continue to gain value from the on-premises SIEM infrastructure you built and use the data you gathered for historical context. The cloud provides a true value in this use case in its ability to analyze the data at a global scale. And finally, AI will become predictive as it learns what is normal and what isn't normal. You can then automate responses via tooling that will allow your admins to focus only on the highest value tasks. AI will reduce the workload of security administrators in the short term, reducing duplication and increasing efficacy of signal.

Intelligently secure conditional access

My ability to write this blog from the beach is evidence that today's systems for conditional access are good and getting better. The ability to provide access control based on the authentication of the user, device, data, application, and known geo-location provides us a certain level of confidence. The tools that exist can potentially maintain state, have the potential to be quite granular, and are powered by global cloud networks. They often use machine learning to detect anomalous behavior, but today's tooling suffers from a dependence on legacy architecture, technical debt, dependence on the integration of disparate authentication systems, and hybrid systems. The tooling is often built for just one environment, one use case, or one system of record. In most large, complex enterprises, security admins don't have the luxury of using the most up-to-date tools for a single environment or use case. Their environments are complex, the attack surface is large, and their users are often unaware of sophisticated security risks. I encounter this in my own home when I explain to family members the inherent risks of free, public Wi-Fi, as an example.

AI for conditional access use cases is not only practical, it's necessary. We have long lived with an employee base that is working from a large variety of personal and company-issued devices and working from a wide range of locations including corporate owned office space, shared work facilities, coffee houses, hotel rooms, conference facilities, and other global locations. There is also still a gap in the security industry related to the percentage of the population that owns and successfully deploys Multi-Factor Authentication (MFA) tooling. Biometrics has actually made MFA more ubiquitous by reducing the friction and expense of purchasing and deploying authentication systems, but organizations are still not investing in MFA across 100 percent of their enterprises. Cybersecurity, like many fields, operates on a risk model. High risk applications and users equal higher security profiles and tools. Now, imagine if we can reduce the risk while also reducing the friction of rolling out tools? AI is dependent on data and good architects and developers to truly live up to its promise, but it is systems agnostic. The data you supply from your mainframe is not ranked higher in priority than the data you supply from the cloud, unless you create a scenario where you desire specific data types to be higher priority or ordinal in ranking.

Conditional access, powered by AI reasoning over the behavior of the user, device, data, application, network, location, etc., has the ability to create much safer data access for companies and reduce the overall risk. Imagine a dynamic, real-time, global environment where, regardless of where your users choose to work, you can determine their precise level of access and change their level of access in real-time without human intervention. Did something change that causes concern, and would you like your user to reauthenticate? Do you want to block access to some or all systems? Do you want to block access to certain data sets or require some level of encryption? The AI engine, linked with automated tooling, will give you this ability and provide the logging and reporting needed to support the automated actions or human intervention. Your ability to integrate with current tooling to enforce the actions will be the highest bar to full usage in your environment.

There are no silver bullets when it comes to technology and, particularly, cybersecurity. I have talked about two use cases where I believe AI can improve cybersecurity, but there are others as well, such as AI's ability to allow more robust device-related IoT detection, sophisticated malware detection, and improvements in vulnerability management. The bad actors will continue to innovate and create weapons that can be deployed for large scale attacks. The attack surface is growing with the proliferation of IoT devices on corporate networks and control systems. As an industry, we have a moral responsibility and imperative to continue improving processes, training, and technology to meet new and yet to be developed threats. Artificial intelligence is one weapon in our tool bag. It must be used prudently. And when used effectively, it can truly be a change agent for the industry. Check out my blog, Application fuzzing in the era of Machine Learning and AI, where I wrote about application fuzzing and AI.

Check back in a month when I will blog about how we can use AI to improve device-related IoT detection. In the meantime, I invite you to follow me at @ajohnsocyber.


Protecting user identities

September 4th, 2018


This is a blog series that responds to common questions we receive from customers about the deployment of Microsoft 365 security solutions. In this series, you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out Cybersecurity threats: How to discover, remediate, and mitigate, the third blog in our eight-part series on deploying Intelligent Security scenarios.

It's not just a problem for consumers. Identity theft in the workplace is also on the rise, and with good reason. Stealing employee credentials is an easy path to bypassing security around sensitive data, making unauthorized purchases, and many other cybercrimes.

Microsoft 365 security solutions help you protect users and corporate accounts. By making identity the control plane, Microsoft 365 offerings manage identities as the first step to providing access to corporate resources and restricting users who are high risk. Tools like single sign-on (SSO), Multi-Factor Authentication (MFA), and Windows 10 Hello for Business help you secure access. Additionally, there are actions you can take if an identity is compromised and ways to lock down or wipe devices to protect sensitive data in case of loss or theft.

How do I provide secure access for my users?

Managing identities is the first step in protecting your environment. You can provision user identities through Azure Active Directory (Azure AD) and then connect to your on-premises Active Directory, allowing you to centralize identities for each user. Then you can set conditional access policies in Azure AD (Figure 1) for users in your organization. Conditional access policies allow you to control how users access cloud apps. You can set conditions that restrict access based on sign-in risk, user location, or client app, as well as only allowing access to managed devices. Start by implementing recommended identity access policies.

Managing user access is your next step. Azure AD SSO lets you manage authentication across devices, cloud apps, and on-premises apps with one user sign-in. Once you enable SSO, your employees can access resources in real-time on any device in addition to confidential or sensitive work documents away from the office. Next, deploy MFA in Azure AD to reauthenticate high-risk users, and take automated action to secure your network.

Figure 1. Set user policies using Azure AD conditional access.

Finally, encourage your employees to use Windows Hello for Business. It's a security feature that allows users to unlock their device using their PC's camera, a PIN, or their fingerprint.

How do I ensure that my employees' credentials are not compromised?

What's needed is a multi-layered approach to identity protection that goes beyond passwords and starts to identify risk even before a password is entered.

Early and active monitoring of potential threats is essential. With Azure AD Identity Protection, you get an overview of risk and vulnerabilities that may be affecting your organization's identities. You can then set up risk-based conditional access policies to automatically mitigate threats. Risk-based conditional access uses machine learning to identify high-risk users. For example, a user may be flagged based on unfamiliar locations or failed sign-ins from the same IP address. Once flagged, a user can be required to use MFA in Azure AD or be blocked altogether (Figure 1).
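To make the shape of such a risk-based policy concrete, here is an added example that is not Azure AD Identity Protection's code. It scores a successful sign-in from the two signals named above (an unfamiliar country for that user, and a burst of failed sign-ins from the same IP address shortly before) and maps the resulting level to allow, require MFA, or block. The thresholds, the policy table, the `SignIn` record and the sample events are all constructed for illustration.

```python
"""Illustrative risk-based sign-in evaluation (added example, not Azure AD code).

Two signals feed a risk level: an unfamiliar country for the user, and a
burst of failed sign-ins from the same IP address shortly before.  The
level maps to an action.  Thresholds, policy and events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    ip: str
    country: str
    success: bool      # True if the password was accepted


def _t(hh, mm):
    return datetime(2018, 9, 4, hh, mm)


# Constructed sample log: alice normally works from SE; someone at 203.0.113.7
# fails three times and then succeeds from the US.  carol simply signs in from
# an unfamiliar country with no failures beforehand.
SAMPLE_EVENTS = [
    SignIn(_t(8, 0),   "alice", "198.51.100.10", "SE", True),
    SignIn(_t(8, 30),  "alice", "198.51.100.10", "SE", True),
    SignIn(_t(9, 0),   "alice", "203.0.113.7",   "US", False),
    SignIn(_t(9, 1),   "alice", "203.0.113.7",   "US", False),
    SignIn(_t(9, 2),   "alice", "203.0.113.7",   "US", False),
    SignIn(_t(9, 3),   "alice", "203.0.113.7",   "US", True),
    SignIn(_t(10, 0),  "bob",   "192.0.2.5",     "DE", True),
    SignIn(_t(10, 30), "carol", "198.51.100.20", "FR", True),
    SignIn(_t(11, 0),  "carol", "203.0.113.50",  "JP", True),
]

FAILURE_WINDOW = timedelta(minutes=10)   # constructed thresholds
FAILURE_THRESHOLD = 3
POLICY = {"low": "allow", "medium": "require_mfa", "high": "block"}


def familiar_countries(events, user, before):
    """Countries from which this user successfully signed in earlier."""
    return {e.country for e in events
            if e.user == user and e.success and e.when < before}


def recent_failures_from_ip(events, ip, at):
    """Failed sign-ins from the same IP inside the window ending at `at`."""
    return sum(1 for e in events
               if e.ip == ip and not e.success
               and at - FAILURE_WINDOW <= e.when < at)


def risk_level(events, event):
    """Return (level, reasons) for one sign-in whose password was accepted."""
    score, reasons = 0, []
    known = familiar_countries(events, event.user, event.when)
    if known and event.country not in known:     # no history: nothing to compare
        score += 1
        reasons.append(f"unfamiliar location {event.country}")
    failures = recent_failures_from_ip(events, event.ip, event.when)
    if failures >= FAILURE_THRESHOLD:
        score += 2
        reasons.append(f"{failures} failed sign-ins from {event.ip}")
    level = "low" if score == 0 else "medium" if score == 1 else "high"
    return level, reasons


def evaluate(events, event):
    """Map a sign-in's risk level to the policy action: (action, level, reasons)."""
    level, reasons = risk_level(events, event)
    return POLICY[level], level, reasons


def evaluate_all(events):
    """Apply the policy to every sign-in whose password was accepted."""
    return [(e.user, e.ip, evaluate(events, e)[0]) for e in events if e.success]


if __name__ == "__main__":
    for user, ip, action in evaluate_all(SAMPLE_EVENTS):
        print(f"{user:6} {ip:15} -> {action}")
```

Only sign-ins whose password was accepted are evaluated, because that is the point at which a password-only system would already have granted access. A user with no sign-in history is not flagged for location alone, which is why the first sign-ins of `bob` and `carol` are allowed while `carol`'s later sign-in from a new country is stepped up to MFA and the password-spray-then-success pattern against `alice` is blocked.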

Another useful monitoring tool is Azure AD Privileged Identity Management (PIM). With Azure AD PIM, you can monitor admin access to resources and minimize the number of people who have access to them. By continuously monitoring these high access points, you limit vulnerabilities. You can configure Azure AD PIM in the Azure portal to generate alerts when there's suspicious or unsafe activity in your environment and then recommend mitigation strategies.

Along with monitoring, Microsoft 365 security solutions offer tools to better protect a user's credentials. Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them, thus helping prevent unauthorized access to these secrets which can lead to credential theft attacks.

Deployment tips from the experts

Start by managing user identities as your control plane. Provision your user identities through Azure AD and use Azure AD Connect to integrate identities across Azure AD and your on-premises AD. Enable MFA for all administrators, set conditional access policies, and initiate SSO.

Manage your devices from the cloud. Managing employee devices remotely engenders productivity and bolsters security. Deploy Microsoft Intune as your mobile device manager for company- and employee-owned devices.

Plan for success with Microsoft FastTrack. FastTrack comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the Protect your users and their identity white paper. You can find additional security resources on Microsoft.com.


Building the security operations center of tomorrow—harnessing the law of data gravity

August 30th, 2018

This post was coauthored by Diana Kelley, Cybersecurity Field CTO, and , EMEA Chief Security Advisor, Cybersecurity Solutions Group.

You've got a big dinner planned and your dishwasher goes on the fritz. You call the repair company and are lucky enough to get an appointment for that afternoon. The repairperson shows up and says, "Yes, it's broken, but to figure out why I will need to run some tests." They start to remove your dishwasher from the outlet. "What are you doing?" you ask. "I'm taking it back to our repair shop for analysis and then repair," they reply. At this point, you're annoyed. You have a big party in three hours, and taking the dishwasher all the way back to the shop for analysis means someone will be washing dishes by hand after your party. Why not test it right here and right now so it can be fixed on the spot?

Now, imagine the dishwasher is critical business data located throughout your organization. Sending all that data to a centralized location for analysis will give you insights, eventually, but not when you really need it, which is now. In cases where the data is extremely large, you may not be able to move it at all. Instead it makes more sense to bring services and applications to your data. This is at the heart of a concept called data gravity, described by Dave McCrory back in 2010. Much like a planet, your data has mass, and the bigger that mass, the greater its gravitational pull, or gravity well, and the more likely that apps and services are drawn to it. Gravitational movement is accelerated when bandwidth and latency are at a premium, because the closer you are to something the faster you can process and act on it. This is the big driver of the intelligent cloud/intelligent edge. We bring analytics and compute to connected devices to make use of all the data they collect in near real-time.

But what might not be so obvious is what, if anything, data gravity has to do with cybersecurity and the security operations center (SOC) of tomorrow. To have that discussion, let's step back and look at the traditional SOCs, built on security information and event management (SIEM) solutions developed at the turn of the century. The very first SIEM solutions were predominantly focused on log aggregation. Log information from core security tools like firewalls, intrusion detection systems, and anti-virus/malware tools was collected from all over a company and moved to a single repository for processing.

That may not sound super exciting from our current vantage point of 2018, but back in 2000 it was groundbreaking. Admins were struggling with an increasing number of security tools, and the ever-expanding logs from those tools. Early SIEM solutions gave them a way to collect all that data and apply security intelligence and analytics to it. The hope was that if we could gather all relevant security log and reporting data into one place, we could apply rules and quickly gather insights about threats to our systems and security situational awareness. In a way this was anti-data gravity, where data moved to the applications and services rather than vice versa.

After the initial hype for SIEM solutions, SOC managers realized a few of their limitations. Trying to write rules for security analytics proved to be quite hard. A minor error in a rule led to high false positives that ate into analyst investigative time. Many companies were unable to get all the critical log data into the SIEM, leading to false negatives and expensive blind spots. And one of the biggest concerns with traditional SIEM was the latency. SIEM solutions were marketed as real-time analytics, but once an action was written to a log, collected, sent to the SIEM, and then parsed through the SIEM analytics engine, quite a bit of latency was introduced. When it comes to responding to fast moving cyberthreats, latency is a distinct disadvantage.

Now think about these challenges and add the explosive amounts of data generated today by the cloud and millions of connected devices. In this environment it's not uncommon that threat campaigns go unnoticed by an overloaded SIEM analytics engine. And many of the signals that do get through are not investigated because the security analysts are overworked. Which brings us back to data gravity.

What was one of the forcing factors for data gravity? Low tolerance for latency. What was the other? Building applications by applying insights and machine learning to data. So how can we build the SOC of tomorrow? By respecting the law of data gravity. If we can perform security analytics close to where the data already is, we can increase the speed of response. This doesn't mean the end of aggregation. Tomorrow's SOC will employ a hybrid approach by performing analytics as close to the data mass as possible, and then rolling up insights, as needed, to a larger central SOC repository for additional analysis and insight across different gravity wells.
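The hybrid approach just described, as an added example that is not the authors' code or any Microsoft product: each site runs a cheap detection over its own authentication log and ships only a compact rollup (failure counts per source address) to the central SOC, which correlates across sites. The point it illustrates is that a source probing every site a few times stays below any single site's threshold and is only visible in the cross-site view, while a noisy local source is handled at the edge without the raw logs ever leaving. The log format, the thresholds, the site names and the addresses are constructed.

```python
"""Hybrid SOC analytics: detect near the data, roll up insights centrally.

Added example illustrating the data-gravity approach; not the authors' code.
Each site analyzes its own log and forwards only a summary; the central SOC
correlates the summaries.  Log format, thresholds and addresses are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed log format: "<timestamp> auth <success|failure> user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$")


def _line(hms, result, user, src):
    return f"2018-08-30T{hms}Z auth {result} user={user} src={src}"


# Constructed sample logs for three sites.  203.0.113.7 probes every site three
# times (below any single site's threshold); 198.51.100.44 hammers one site.
SITE_LOGS = {
    "eu-west": [
        _line("09:00:01", "success", "alice", "198.51.100.10"),
        *[_line(f"09:0{i}:10", "failure", "admin", "203.0.113.7") for i in (1, 2, 3)],
        *[_line(f"09:1{i}:00", "failure", "bob", "198.51.100.44") for i in range(5)],
        _line("09:20:00", "success", "bob", "198.51.100.44"),
        "garbage line that does not match the format",
    ],
    "us-east": [
        _line("09:05:00", "success", "dave", "192.0.2.5"),
        *[_line(f"09:3{i}:10", "failure", "admin", "203.0.113.7") for i in (1, 2, 3)],
    ],
    "apac": [
        *[_line(f"10:0{i}:10", "failure", "root", "203.0.113.7") for i in (1, 2, 3)],
        _line("10:10:00", "success", "erin", "198.51.100.77"),
    ],
}

LOCAL_THRESHOLD = 5    # failures from one source at one site
GLOBAL_THRESHOLD = 6   # failures from one source across sites, seen at 2+ sites


def parse(line):
    """Return the event fields, or None for a line that is not in the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def local_analytics(site, lines):
    """Run at the site: immediate local alerts plus a compact rollup."""
    failures = Counter()
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "failure":
            failures[ev["src"]] += 1
    return {
        "site": site,
        "events": len(lines),
        "failures_by_src": dict(failures),
        "local_alerts": sorted(src for src, n in failures.items() if n >= LOCAL_THRESHOLD),
    }


def central_correlation(insights):
    """Run at the central SOC over the rollups only, never over raw logs."""
    total, sites = Counter(), defaultdict(set)
    for ins in insights:
        for src, n in ins["failures_by_src"].items():
            total[src] += n
            sites[src].add(ins["site"])
    return {
        src: {"failures": n, "sites": sorted(sites[src])}
        for src, n in total.items()
        if n >= GLOBAL_THRESHOLD and len(sites[src]) >= 2
    }


def run(site_logs=SITE_LOGS):
    """Local pass at every site, then the cross-site pass: (insights, campaigns)."""
    insights = [local_analytics(site, lines) for site, lines in site_logs.items()]
    return insights, central_correlation(insights)


if __name__ == "__main__":
    insights, campaigns = run()
    for ins in insights:
        print(ins["site"], "local alerts:", ins["local_alerts"])
    print("cross-site campaigns:", campaigns)
```

The rollup that crosses the network is a handful of counters per site rather than every log line, which is what keeps the central pass cheap and the local pass fast; the central threshold additionally requires the source to appear at two or more sites so that a single site's noise does not become a "campaign" on volume alone.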

Does this sound like an intriguing idea? We think so. Being practitioners, though, we most appreciate when great theories can be turned into real-world implementations. Please stay tuned for part 2 of this blog series, where we take the concept of tomorrow's SOC and data gravity into practice for today.

Partnering with the industry to minimize false positives

August 16th, 2018

Every day, antivirus capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) protect millions of customers from threats. To effectively scale protection, Windows Defender ATP uses intelligent systems that combine multiple layers of machine learning models, behavior-based detection algorithms, generics, and heuristics that make a verdict on suspicious files, most of the time in a fraction of a second.

This multilayered approach allows us to proactively protect customers in real-time, whether in the form of stopping massive malware outbreaks or detecting limited sophisticated cyberattacks. This quality of antivirus capabilities is reflected in the consistently high scores that Windows Defender ATP gets in independent tests and the fact that our antivirus solution is the most deployed in the enterprise.

The tradeoff of an intelligent, scalable approach is that some of our more aggressive classifiers from time to time misclassify normal files as malicious (false positives). While false positives are a very tiny occurrence compared to the large number of malware we correctly identify (true positives) and protect customers from, we are aware of the impact that misclassified files might have. Keeping false positives at a minimum is an equally important quality metric that we continually work to improve on.

Avoiding false positives is a two-way street between security vendors and developers. Publishing apps to the Microsoft Store is the best way for vendors and developers to ensure their programs are not misclassified. For customers, apps from the Microsoft Store are trusted and Microsoft-verified.

Here are other ways developers can raise the level of trust by both security vendors and customers and help make sure programs and files are not inadvertently detected as malware.

Digitally sign files

Digital signatures are an important way to ensure the integrity of software. By verifying the identity of the software publisher, a signature assures customers that they know who provided the software they're installing or running. Digital signatures also assure customers that the software they received is in the same condition as when the publisher signed it and the software has not been tampered with.

Code signing does not necessarily guarantee the quality or functionality of software. Digitally signed software can still contain flaws or security vulnerabilities. However, because software vendors' reputations are based on the quality of their code, there is an incentive to fix these issues.

We use the reputation of digital certificates to help determine the reputation of files signed by them. The reverse is also true: we use the reputation of digitally signed files to determine the reputation of the digital certificates they are signed with. One of the most effective ways for developers to reduce the chances of their software being detected as malware is to digitally sign files with a reputable certificate.

The second part of reducing the risk of unintended detection is to build a good reputation on that certificate. Microsoft uses many factors to determine the reputation of a certificate, but the most important are the files that are signed by it. If all the files using a certificate have good reputation and the certificate is valid, then the certificate keeps a good reputation.

Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. This process requires a more comprehensive identity verification and authentication process for each developer. The EV code signing certificates require the use of hardware to sign applications. This hardware requirement is an additional protection against theft or unintended use of code signing certificates. Programs signed by an EV code signing certificate can immediately establish reputation with Windows Defender ATP even if no prior reputation exists for that file or publisher.

Keep good reputation

To gain positive reputation on multiple programs and files, developers sign files with a digital certificate with positive reputation. However, if one of the files gains poor reputation (e.g., detected as malware) or if the certificate was stolen and used to sign malware, then all of the files that are signed with that certificate will inherit the poor reputation. This situation could lead to unintended detection. This framework is implemented this way to prevent the misuse of reputation sharing.

We thus advise developers to not share certificates between programs or other developers. This advice particularly holds true for programs that incorporate bundling or use advertising or freemium models of monetization. Reputation accrues: if a software bundler includes components that have poor reputation, the certificate that bundler is signed with gets the poor reputation.

Be transparent and respect users' ability to choose

Malware threats use a variety of techniques to hide. Some of these techniques include file obfuscation, being installed in nontraditional install locations, and using names that don't reflect the purpose of the software.

Customers should have choice and control over what happens on their devices. Using nontraditional install locations or misleading software names reduces user choice and control.

Obfuscation has legitimate uses, and some forms of obfuscation are not considered malicious. However, many techniques are only employed to evade antivirus detection. Developers should refrain from using non-commercial packers and obfuscation software.

When programs employ malware-like techniques, they trigger flags in our detection algorithms and greatly increase the chances of false positives.

Keep good company

Another indicator that can influence the reputation of a file is the other programs the file is associated with. This association can come from what the program installs, what is installed at the same time as the program, or what is seen on the same machines as the file. Not all of these associations directly lead to detections; however, if a program installs other programs or files that have poor reputation, then by association that program gains poor reputation.
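The certificate-reputation rules from "Digitally sign files" and "Keep good reputation" and the association rule from "Keep good company" fit together in one small propagation model. The following is an added example, not Microsoft's actual algorithm: a certificate takes the worst reputation of the files signed with it and only earns a positive reputation when it is valid and backed by an established good file (or is EV); a file with no verdict of its own inherits its certificate's reputation; and a program that installs a poorly reputed component inherits that poor reputation. The three reputation values, the `Certificate` and `File` records, and every name and verdict in the scenario are constructed.

```python
"""Toy model of certificate and association-based reputation sharing.

Added example, not Microsoft's algorithm.  Rules implemented:
  * one bad signed file taints the certificate, and every file signed with
    a tainted certificate inherits the bad reputation;
  * a valid certificate with an established good file (or an EV certificate)
    is good, and a new file signed with it inherits the good reputation;
  * a program that installs a bad component becomes bad itself.
All names and verdicts below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

GOOD, UNKNOWN, BAD = "good", "unknown", "bad"


@dataclass
class Certificate:
    name: str
    valid: bool = True
    extended_validation: bool = False


@dataclass
class File:
    name: str
    signer: Optional[str] = None       # certificate name, or None if unsigned
    detected_malware: bool = False     # direct verdict from the engine
    known_good: bool = False           # established positive reputation of its own
    installs: list = field(default_factory=list)   # files this program deploys


def own_reputation(f):
    """Reputation a file has before any sharing is applied."""
    return BAD if f.detected_malware else GOOD if f.known_good else UNKNOWN


def compute_reputation(certs, files):
    """Propagate reputation between certificates and files until nothing changes."""
    base = {f.name: own_reputation(f) for f in files.values()}
    file_rep = dict(base)
    cert_rep = {c.name: UNKNOWN for c in certs.values()}
    changed = True
    while changed:
        changed = False
        for c in certs.values():
            signed = [f.name for f in files.values() if f.signer == c.name]
            if any(file_rep[n] == BAD for n in signed):
                new = BAD                      # one bad file taints the certificate
            elif not c.valid:
                new = UNKNOWN                  # an invalid certificate earns nothing
            elif c.extended_validation or any(base[n] == GOOD for n in signed):
                new = GOOD                     # EV, or earned through a good file
            else:
                new = UNKNOWN
            if new != cert_rep[c.name]:
                cert_rep[c.name], changed = new, True
        for f in files.values():
            new = base[f.name]
            if f.signer is not None:
                if cert_rep[f.signer] == BAD:
                    new = BAD                  # every file inherits the tainted cert
                elif cert_rep[f.signer] == GOOD and new == UNKNOWN:
                    new = GOOD                 # a new file inherits the good cert
            if any(file_rep[dep] == BAD for dep in f.installs):
                new = BAD                      # keeps bad company
            if new != file_rep[f.name]:
                file_rep[f.name], changed = new, True
    return cert_rep, file_rep


# Constructed scenario.
CERTS = {c.name: c for c in [
    Certificate("Contoso Ltd"),
    Certificate("Bundler Inc"),
    Certificate("Fabrikam EV", extended_validation=True),
    Certificate("Expired Co", valid=False),
]}
FILES = {f.name: f for f in [
    File("app1.exe", "Contoso Ltd", known_good=True),
    File("app2.exe", "Contoso Ltd", known_good=True),
    File("app3.exe", "Contoso Ltd"),                      # brand new release
    File("bundler.exe", "Bundler Inc", installs=["adware.dll"]),
    File("adware.dll", detected_malware=True),            # unsigned, detected
    File("other.exe", "Bundler Inc", known_good=True),    # shares the bundler's cert
    File("newtool.exe", "Fabrikam EV"),                   # first release, EV-signed
    File("legacy.exe", "Expired Co", known_good=True),
    File("unsigned.exe"),
]}


def scenario():
    return compute_reputation(CERTS, FILES)


if __name__ == "__main__":
    cert_rep, file_rep = scenario()
    for name, rep in {**cert_rep, **file_rep}.items():
        print(f"{name:12} {rep}")
```

The scenario shows both directions of the sharing described above: `app3.exe` has no reputation of its own but is signed with a certificate backed by two good files, so it starts good; `other.exe` is itself known good but shares a certificate with a bundler that installs a detected component, so it ends up bad along with the certificate. The loop terminates because a reputation only ever moves from unknown to good or from anything to bad.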

Understand the detection criteria

Microsoft's policy aims to protect customers against malicious software while minimizing the restrictions on developers. The criteria below summarize the high-level evaluation criteria Microsoft uses for classifying files:

  • Malicious software: Performs malicious actions on a computer
  • Unwanted software: Exhibits the behavior of adware, browser modifier, misleading, monitoring tool, or software bundler
  • Potentially unwanted application (PUA): Exhibits behaviors that degrade the Windows experience
  • Clean: We trust the file is not malicious, is not inappropriate for an enterprise environment, and does not degrade the Windows experience

These evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. Developers should make sure their programs and files don't demonstrate undesirable characteristics or behavior, to minimize the chances that their programs are misclassified.

Challenging a detection decision

If you follow these pieces of advice and we unintentionally detect your file, you can help us fix the issue by reporting it through the Windows Defender Security Intelligence portal.

Customer protection is our top priority. We deliver this through Windows Defender ATP's unified endpoint security platform. Helping Microsoft maintain high-quality protection benefits customers and developers alike, allowing for an overall productive and secure computing experience.

Michael Johnson

Windows Defender Research


Finding the signal of community in all the noise at Black Hat

August 16th, 2018

I don't know about you, but I find large conferences overwhelming. Don't get me wrong, nothing beats the innovative potential of bringing a diverse group of brilliant people together to hash through thorny issues and share insights. But there are so many speakers, booths, and people, it can be a challenge to find the signal in all the noise. Did I mention conferences are also really loud?

So last week when I stepped into the first of multiple showrooms at the Mandalay Hotel in Las Vegas for the Black Hat Briefing, I have to admit I felt a little nostalgia for the very first Black Hat Conference. It was 1997 at the old Aladdin Casino in Las Vegas. A casino with a long and colorful history, slated to close a few months after the conference ended. 1997: That was before Facebook and the iPhone, before the cloud. At the time, the RSA Conference was still mostly focused on cryptography, and those of us concerned about security vulnerabilities and how they impacted practitioners day in and day out had few opportunities to just get together and talk. The first Black Hat Briefing was very special. If my memory serves, there were only a couple hundred of us in attendance, compared to thousands today, and through those connections we built a community and an industry.

Building a community was key to creating the information security industry that exists today, and I believe that building community is just as critical now as we face down the new security threats of a cloud-and-edge world, an IoT world. We need the whole defender community, white hat hackers, industry, and government, working together to protect the security of our customers.

The security research community plays a fundamental role in community-based defense

Over the last few years, Microsoft has been expanding and redefining what makes up our security community, one of the many positive evolutions since that first Black Hat. Like most tech companies, we once believed that any hacker outside of the organization posed a risk, but as we've gotten to know each other through many years of hard-earned trust and collaboration, we, and the security research community, have learned that our values aren't so different. Sometimes the only way to make something stronger is to break it. We know we can't on our own find all the gaps and errors in code that lead to vulnerabilities that criminals exploit to steal money and data. We need great minds both inside and outside our organization. Many of those great minds in the security research community collaborate with us through the Microsoft Security Response Center, and Black Hat was the perfect place to announce the subset of those researchers that made our annual Top 100 Security Researchers List.

Image of the Top 100 sign at the Black Hat Conference.

We really appreciate the ongoing support from the community and encourage new researchers to report vulnerabilities to the Microsoft Security Response Center and participate in the Microsoft Bounty Program.

It takes a community to protect the security of our customers

As much as Microsoft values the relationship we have with researchers, we also attended Black Hat as industry partners. We want to help educate our peers on notable vulnerabilities and exploits, and share knowledge following major security events. As an example, one of our sessions focused on how Spectre and Meltdown are a wake-up call on multiple dimensions: how we engineer, how we partner, how we react when we find new security vulnerabilities, and how we need to become more coordinated. When I think about what was so exciting about that first conference, this is what comes to mind: those moments when we hear what our partners have learned, share what we know, and build on those insights to strengthen our collective response. The tech industry is increasingly interdependent. It's going to take all of us working together to protect the safety and security of our customers' devices and data.

Image of the Black Hat Conference in Las Vegas.

But the meeting of the minds at annual security conferences, while important, is not enough. Microsoft also believes that we need a more structured approach to our collaboration. Cybersecurity is not just about threats from hackers and criminal groups; it has increasingly become a situation where we’re facing a cyberweapons arms race with governments attacking users around the world. We know this is a challenge we must pursue with our partners and customers, with a sense of shared responsibility and a focus on constantly making it easier for everyone to benefit from the latest in security advances. Microsoft has been working to help organize the industry in pursuit of this goal.

This past April during the RSA Conference, we came together as initially 34 companies, now 44 companies, and agreed to a new Cybersecurity Tech Accord. In this accord, we all pledge to help protect every customer, regardless of nationality, and will refrain from helping governments attack innocent civilians. It's a foundation, on which we are building, to take coordinated action and to work with all our partners and many others to strengthen the resilience of the ecosystem for all our customers.

I admit it, I do sometimes miss attending those small, tightly knit conferences of old. But I'm even more inspired about the possibilities that I see as we continue to build on these collaborative models. We've seen a lot of progress recently working with our partners and the security research community. If you listen closely, I think you can hear the signal breaking through.

How Microsoft 365 Security integrates with your broader IT ecosystem—part 3

August 14th, 2018

Today's post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

Customer satisfaction is one of the most important goals for Microsoft 365 Security. In part 1 of this series, we discussed Microsoft's overall security strategy for connecting with the broader security community, and in part 2, we looked at how Microsoft services help secure non-Microsoft services of an organization's IT environment.

In the final part of this blog series, we highlight how Microsoft 365 Security solutions work together to help customers secure their IT environments. The benefits of Microsoft 365 Security services are universal, as demonstrated by the fact that our customers are large and small, and focused on different industry verticals across the globe.

Helping enable a mobile workforce at a healthcare network

Sutter Health is a not-for-profit network of healthcare professionals and hospitals serving Northern California. CTO Wes Wright's main goal is to provide IT and software solutions that allow employees to maximize their time spent on patient and family care. Sutter Health's network employs nearly 52,000 people, supporting 24 acute care hospitals and care centers, serving more than 100 communities. Sutter has an ecosystem of 65,000 mobile devices, and modernizing IT was not trivial for them. They deployed Microsoft Intune to help manage and support an internal app store called the Sutter Intune Store. Intune also helps ensure Sutter's clinical and business partners can access and use Sutter Health authorized apps from anywhere, at any time. Their Intune-powered solution is designed to:

  • Manage and secure any mobile device used by the workforce to access company data.
  • Manage and secure the mobile apps used by their workforce.
  • Protect company information even after it is accessed.
  • Ensure devices and apps are compliant with company security policies.

With services like Intune (Figure 1) simplifying security management and reducing IT complexity, Sutter Health can support the latest devices, embrace modern apps, leverage a distributed workforce, and deliver the highest quality patient care.

Figure 1. The Intune architecture diagram.

Enhancing productivity through security at a power company

Wärtsilä is a Finnish company manufacturing and servicing power sources and other equipment for the marine and energy markets. Joachim Kjellman, solutions manager at Wärtsilä, was looking for a solution with conditional access and multifactor authentication (MFA) capabilities. He selected Azure Active Directory (Azure AD), which enables single sign-on capability for all company resources anywhere with internet access, removing the need for unreliable VPN connections. Additionally, with Conditional Access, Wärtsilä can provide remote access to apps that can be secured with MFA and managed when originating from unmanaged devices. Azure AD (Figure 2) is designed to help organizations:

  • Provide seamless access.
  • Facilitate collaboration.
  • Unlock IT efficiencies.
  • Enhance security and compliance.

Figure 2. Azure AD overview.

Azure AD also supports seamless collaboration (even on large-scale, complex projects) between Wärtsilä and its contractors and partners. Azure AD B2B collaboration features ensure that access to shared resources is heavily protected. Azure AD has helped Wärtsilä IT staffers save time and money, enabling Wärtsilä to remain focused on serving their global customer base.

Securing an entire IT environment at a transportation firm

Throughout this series, we have discussed how Microsoft 365 Security services integrate well with the myriad IT solutions our customers utilize. However, some of our customers chose Microsoft 365 Security services to help secure their entire environment. HS1 Limited operates and maintains infrastructure for the high-speed railway connecting St. Pancras International Station in London and the Channel Tunnel, joining international high-speed routes between London, Paris, and Brussels, along with several domestic routes. The 50-person firm works with hundreds of counterparts and vendors, so security and collaboration are high priorities. Shawn Marcellin, IT and facilities manager at HS1 Limited, needed a highly secure, collaborative solution without investing in a full datacenter and turned to Microsoft 365 E5. Marcellin adopted Microsoft 365 E5 for its advanced security features, including Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection, and Office 365 Threat Intelligence. Identity management through Microsoft Azure Active Directory Premium P2 was another advantage of his choosing Microsoft 365 E5, as was protecting data with Microsoft Cloud App Security and Office 365 Advanced Threat Protection. Marcellin is confident that the move to a total cloud-based, secure solution will continue to benefit HS1 Limited.

Figure 3. The entire Microsoft 365 Security reference architecture.

To learn more about how Microsoft security solutions fit together, read Cybersecurity Reference Architecture: Security for a Hybrid Enterprise.

Digging deeper

These are only a few examples of organizations using Microsoft 365 Security services to secure their extended or entire IT ecosystem. We encourage you to visit the Microsoft Secure site and learn more about the full scope of Microsoft 365 Security capabilities. Also, check out more customer stories to learn how organizations leverage Microsoft 365 Security.

To get started envisioning a plan, onboarding, and driving user adoption, go to FastTrack.microsoft.com, sign in with your subscription ID, and complete the Request for Assistance Form.

Thanks for reading this series. We hope you will try the services discussed in this blog to start benefiting from their capabilities, which include:


Cybersecurity threats: How to discover, remediate, and mitigate

August 13th, 2018

Image of four hands collaborating over a drawing of a lightbulb.

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Protect your data in files, apps, and devices.

Constantly evolving threats to your company data can cause even the most conscientious employee to unknowingly open infected files or click on malicious web links. Security breaches are inevitable. You need to discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches.

Many common types of threats target attack vectors such as email, network endpoints, and user credentials. In this blog, we explain how Microsoft 365 threat protection solutions interoperate to detect threats across these attack vectors (Figure 1).

Figure 1. Threat detection interoperates across Microsoft 365.

Protect identities: Azure Active Directory (Azure AD) and Azure Advanced Threat Protection (Azure ATP)

Azure ATP provides end-to-end network security by protecting user identities and credentials stored in Azure Active Directory. To prevent identity credential attacks, Azure AD conditional access detects risk events, such as users with leaked credentials, sign-ins from anonymous IP addresses, impossible travel to atypical locations, infected devices, and IP addresses with suspicious activity or unfamiliar locations.

Azure ATP detects suspicious activities across the network attack surface, such as:

  • Reconnaissance work, during which attackers gather information on how the environment is built, what the different assets are, and which entities exist.
  • Lateral movement cycles, during which attackers invest time and effort in spreading their attack deeper inside your network.
  • Domain dominance (persistence), during which attackers capture the information that allows them to resume their campaign using various sets of entry points, credentials, and techniques.

These services that protect specific parts of the attack surface can also share signals to alert services protecting other surfaces of the enterprise.

Azure ATP detects these suspicious activities and surfaces the information, including a clear view of who, what, when, and how, in the Azure ATP workspace portal, which can be accessed by signing in to your Azure AD user account.

Protect email: Microsoft Office 365 Advanced Threat Protection (Office 365 ATP)

Threat protection for Office 365 begins with Microsoft Exchange Online Protection, which provides protection against all known malicious links and malware. Office 365 ATP builds on this protection by offering holistic and ongoing protection across your Office 365 environment, including email and business apps, by securing user mailboxes, business-critical files, and online storage against malware campaigns in real-time.

Office 365 ATP Safe Links helps protect your environment by offering time-of-click protection from malicious links. If a link is unsafe, the user is warned not to visit the site or informed that the site has been blocked. Office 365 ATP and Exchange Online Protection can be configured in the Office 365 admin center.

Protect endpoints: Windows Defender Advanced Threat Protection (Windows Defender ATP)

For endpoint attacks, Windows Defender ATP provides near-instant detection and blocking of new and emerging threats using advanced file and process behavior monitoring and other heuristic solutions. These endpoint sensors collect and process behavioral signals from the operating system, which are then translated into insights, detections, and recommended responses to advanced threats. Windows Defender ATP offers dedicated protection updates based on machine learning, human and automated big-data analyses, and in-depth threat resistance research to identify attacker tools, techniques, and procedures, and to generate alerts when these are observed in collected sensor data.

Microsoft Device Guard is a feature of Windows 10 that provides increased security against malware and zero-day attacks by blocking anything other than trusted apps. Device Guard is managed in Microsoft System Center Configuration Manager (ConfigMgr).

Deployment tips from the experts

Now that you know more about how Microsoft 365 security solutions can protect your data, here are several proven tips to put it all into action.

Consider the key attack vectors. Devices, email, network, and identity credentials are the most common areas for cybersecurity attacks. To help secure these vectors:

Plan for success with FastTrack. This valuable service comes with your subscription at no additional charge. Whether you're planning your initial rollout, onboarding your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, stay tuned for the white paper Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches coming soon!

More blog posts from this series:


Protecting the protector: Hardening machine learning defenses against adversarial attacks

Harnessing the power of machine learning and artificial intelligence has enabled Windows Defender Advanced Threat Protection (Windows Defender ATP) next-generation protection to stop new malware attacks before they can get started, often within milliseconds. These predictive technologies are central to scaling protection and delivering effective threat prevention in the face of unrelenting attacker activity.

Consider this: On a recent typical day, 2.6 million people encountered newly discovered malware in 232 different countries (Figure 1). These attacks comprised 1.7 million distinct, first-seen malware files, and 60% of these campaigns were finished within the hour.

Figure 1. A single day of malware attacks: 2.6M people from 232 countries encountering malware

While intelligent, cloud-based approaches represent a sea change in the fight against malware, attackers are not sitting idly by and letting advanced ML and AI systems eat their Bitcoin-funded lunch. If they can find a way to defeat machine learning models at the heart of next-gen AV solutions, even for a moment, they'll gain the breathing room to launch a successful campaign.

Today at Black Hat USA 2018, in our talk Protecting the Protector: Hardening Machine Learning Defenses Against Adversarial Attacks, we presented a series of lessons learned from our experience investigating attackers attempting to defeat our ML and AI protections. We share these lessons in this blog post; we use a case study to demonstrate how these same lessons have hardened Microsoft's defensive solutions in the real world. We hope these lessons will help provide defensive strategies on deploying ML in the fight against emerging threats.

Lesson: Use a multi-layered approach

In our layered ML approach, defeating one layer does not mean evading detection, as there are still opportunities to detect the attack at the next layer, albeit with an increase in time to detect. To prevent detection of first-seen malware, an attacker would need to find a way to defeat each of the first three layers in our ML-based protection stack.

Figure 2. Layered ML protection

Even if the first three layers were circumvented, leading to patient zero being infected by the malware, the next layers can still uncover the threat and start protecting other users as soon as these layers reach a malware verdict.

Lesson: Leverage the power of the cloud

ML models trained on the backend and shipped to the client are the first (and fastest) layer in our ML-based stack. They come with some drawbacks, not least of which is that an attacker can take the model and apply pressure until it gives up its secrets. This is a very old trick in the malware author's playbook: iteratively tweak prospective threats and keep scanning them until they're no longer detected, then unleash them.

Figure 3. Client vs. cloud models

With models hosted in the cloud, it becomes more challenging to brute-force the model. Because the only way to understand what the models may be doing is to keep sending requests to the cloud protection system, such attempts to game the system are out in the open and can be detected and mitigated in the cloud.

Lesson: Use a diverse set of models

In addition to having multiple layers of ML-based protection, within each layer we run numerous individual ML models trained to recognize new and emerging threats. Each model has its own focus, or area of expertise. Some may focus on a specific file type (for example, PE files, VBA macros, JavaScript, etc.) while others may focus on attributes of a potential threat (for example, behavioral signals, fuzzy hash/distance to known malware, etc.). Different models use different ML algorithms and train on their own unique set of features.

Figure 4. Diversity of machine learning models

Each stand-alone model gives its own independent verdict about the likelihood that a potential threat is malware. The diversity, in addition to providing a robust and multi-faceted look at potential threats, offers stronger protection against attackers finding some underlying weakness in any single algorithm or feature set.

Lesson: Use stacked ensemble models

Another effective approach we've found to add resilience against adversarial attacks is to use ensemble models. While individual models provide a prediction scoped to a particular area of expertise, we can treat those individual predictions as features to additional ensemble machine learning models, combining the results from our diverse set of base classifiers to create even stronger predictions that are more resilient to attacks.

In particular, we've found that logistic stacking, where we include the individual probability scores from each base classifier in the ensemble feature set, provides increased effectiveness of malware prediction.

Figure 5. Ensemble machine learning model with individual model probabilities as feature inputs

As discussed in detail in our Black Hat talk, experimental verification and real-world performance show this approach helps us resist adversarial attacks. In June, the ensemble models represented nearly 12% of our total malware blocks from cloud protection, which translates into tens of thousands of computers protected by these new models every day.

Figure 6. Blocks by ensemble models vs. other cloud blocks

Case study: Ensemble models vs. regional banking Trojan

“The idea of ensemble learning is to build a prediction model by combining the strengths of a collection of simpler base models.”
— Trevor Hastie, Robert Tibshirani, Jerome Friedman

One of the key advantages of ensemble models is the ability to make a high-fidelity prediction from a series of lower-fidelity inputs. This can sometimes seem a little spooky and counter-intuitive to researchers, but use cases we've studied show this approach can catch malware that the individual models cannot. That's what happened in early June when a new banking trojan (detected by Windows Defender ATP as TrojanDownloader:VBS/Bancos) targeting users in Brazil was unleashed.

The attack

The attack started with spam e-mail sent to users in Brazil, directing them to download an important document with a name like Doc062108.zip, inside of which was a file posing as a document but actually a highly obfuscated .vbs script.

Figure 7. Initial infection chain

Figure 8. Obfuscated malicious .vbs script

While the script contains several Base64-encoded Brazilian poems, its true purpose is to:

  • Check to make sure it's running on a machine in Brazil
  • Check with its command-and-control server to see if the computer has already been infected
  • Download other malicious components, including a Google Chrome extension
  • Modify the shortcut to Google Chrome to run a different malicious .vbs file

Now whenever the user launches Chrome, this new .vbs malware instead runs.

Figure 9. Modified shortcut to Google Chrome

This new .vbs file runs a .bat file that:

  • Kills any running instances of Google Chrome
  • Copies the malicious Chrome extension into %UserProfile%\Chrome
  • Launches Google Chrome with the load-extension= parameter pointing to the malicious extension

Figure 10. Malicious .bat file that loads the malicious Chrome extension

With the .bat file's work done, the user's Chrome instance is now running the malicious extension.
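The .bat file's actions above (a copy tool dropping files under %UserProfile%\Chrome, then Chrome launched with the load-extension parameter) are visible in ordinary process-creation telemetry, which makes them a useful hunting lead. The following Python is an added example, not code from the post or from Windows Defender ATP; the process-creation events, their field names, and the user name are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (not from the original post). The fields
# mirror what an endpoint sensor typically records: timestamp, parent process,
# process name, and full command line.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2018-06-14T01:16:01Z", "parent": "cmd.exe", "process": "xcopy.exe",
     "cmdline": r'xcopy.exe /y /e "C:\Users\alice\AppData\Local\Temp\ext" "C:\Users\alice\Chrome\1.9.6\"'},
    {"ts": "2018-06-14T01:16:03Z", "parent": "cmd.exe", "process": "taskkill.exe",
     "cmdline": "taskkill.exe /f /im chrome.exe"},
    {"ts": "2018-06-14T01:16:04Z", "parent": "cmd.exe", "process": "chrome.exe",
     "cmdline": r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\alice\Chrome\1.9.6"'},
    # Benign launch from the Start menu: no extension side-loading.
    {"ts": "2018-06-14T09:02:10Z", "parent": "explorer.exe", "process": "chrome.exe",
     "cmdline": r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    # A developer loading an unpacked extension from a source tree: same flag,
    # but the path is not under a user profile, so it is rated lower.
    {"ts": "2018-06-14T09:30:00Z", "parent": "explorer.exe", "process": "chrome.exe",
     "cmdline": r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --load-extension="C:\dev\my-extension"'},
]

# --load-extension=<path>, with or without quotes around the path.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# A path rooted in a user profile: <drive>:\Users\<name>\...
PROFILE_RE = re.compile(r'^[A-Za-z]:\\Users\\([^\\]+)\\', re.IGNORECASE)
# A destination of <drive>:\Users\<name>\Chrome\ anywhere in a command line.
PROFILE_CHROME_RE = re.compile(r'[A-Za-z]:\\Users\\([^\\]+)\\Chrome\\', re.IGNORECASE)
COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}


def extension_path(cmdline: str):
    """Return the path passed to --load-extension, or None if absent."""
    m = LOAD_EXT_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def check_event(ev: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply the per-event rules and return zero or more findings."""
    findings = []
    proc = ev["process"].lower()
    if proc == "chrome.exe":
        path = extension_path(ev["cmdline"])
        if path:
            m = PROFILE_RE.match(path)
            if m:  # extension side-loaded from inside a user profile
                findings.append({"rule": "chrome-sideload-from-user-profile",
                                 "user": m.group(1), "ts": ev["ts"]})
            else:  # unpacked extension from elsewhere (often a developer)
                findings.append({"rule": "chrome-sideload-unpacked",
                                 "user": "", "ts": ev["ts"]})
    elif proc in COPY_TOOLS:
        m = PROFILE_CHROME_RE.search(ev["cmdline"])
        if m:  # files copied into %UserProfile%\Chrome
            findings.append({"rule": "copy-into-profile-chrome-dir",
                             "user": m.group(1), "ts": ev["ts"]})
    return findings


def hunt(events: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Run the rules over all events and correlate them per user.

    A user for whom both the copy rule and the profile side-load rule fired
    is reported as a complete side-load chain, which is far less ambiguous
    than either signal on its own.
    """
    findings = [f for ev in events for f in check_event(ev)]
    copied = {f["user"] for f in findings if f["rule"] == "copy-into-profile-chrome-dir"}
    chains = sorted({f["user"] for f in findings
                     if f["rule"] == "chrome-sideload-from-user-profile" and f["user"] in copied})
    return findings, chains


if __name__ == "__main__":
    found, users = hunt(EVENTS)
    for f in found:
        print(f["ts"], f["rule"], f["user"] or "-")
    print("side-load chains for users:", users)
```

The single-event rules are hunting leads rather than block decisions, since developers loading unpacked extensions produce the same flag; the correlated chain is the signal worth alerting on.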

Figure 11. The installed Chrome extension

The extension itself runs malicious JavaScript (.js) files on every web page visited.

Figure 12. Inside the malicious Chrome extension

The .js files are highly obfuscated to avoid detection:

Figure 13. Obfuscated .js file

Decoding the hex at the start of the script, we can start to see some clues that this is a banking trojan:

Figure 14. Clues in script show its true intention

The .js files detect whether the website visited is a Brazilian banking site. If it is, the POST to the site is intercepted and sent to the attackers' C&C to gather the user's login credentials, credit card info, and other info before being passed on to the actual banking site. This activity is happening behind the scenes; to the user, they're just going about their normal routine with their bank.

Ensemble models and the malicious JavaScript

As the attack got under way, our cloud protection service received thousands of queries about the malicious .js files, triggered by a client-side ML model that considered these files suspicious. The files were highly polymorphic, with every potential victim receiving a unique, slightly altered version of the threat:

Figure 15. Polymorphic malware

The interesting part of the story is these malicious JavaScript files. How did our ML models perform in detecting these highly obfuscated scripts as malware? Let's look at one instance. At the time of the query, we received metadata about the file. Here's a snippet:

Report time: 2018-06-14 01:16:03Z
SHA-256: 1f47ec030da1b7943840661e32d0cb7a59d822e400063cd17dc5afa302ab6a52
Client file type model: SUSPICIOUS
File name: vNSAml.js
File size: 28074
Extension: .js
Is PE file: FALSE
File age: 0
File prevalence: 0
Path: C:\Users\<user>\Chrome\1.9.6\vNSAml.js
Process name: xcopy.exe

Figure 16. File metadata sent during query to cloud protection service

Based on the process name, this query was sent when the .bat file copied the .js files into the %UserProfile%\Chrome directory.

Individual metadata-based classifiers evaluated the metadata and provided their probability scores. Ensemble models then used these probabilities, along with other features, to reach their own probability scores:

Model                 Probability that file is malware
Fuzzy hash 1          0.01
Fuzzy hash 2          0.06
ResearcherExpertise   0.64
Ensemble 1            0.85
Ensemble 2            0.91

Figure 17. Probability scores by individual classifiers

In this case, the second ensemble model had a strong enough score for the cloud to issue a blocking decision. Even though none of the individual classifiers in this case had a particularly strong score, the ensemble model had learned from training on millions of clean and malicious files that this combination of scores, in conjunction with a few other non-ML based features, indicated the file had a very strong likelihood of being malware.
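The logistic stacking described under "Use stacked ensemble models", applied to the kind of score combination in Figure 17, as an added example that is not the post's or Microsoft's code: the three base classifiers are stand-ins named after the ones in the table, their outputs and the training labels are constructed, and "new_file" is a hypothetical non-ML feature derived from file age and prevalence both being zero. It shows how a meta-model trained on such data can rate a file as likely malware even though no single base score is strong.

```python
import math
import random
from typing import List, Sequence, Tuple

# Feature layout of the stacked (meta) model: three base-classifier
# probability scores plus one metadata-derived feature.
FEATURES = ["fuzzy_hash_1", "fuzzy_hash_2", "researcher_expertise", "new_file"]

Row = Tuple[List[float], int]


def make_training_set(n: int, seed: int = 7) -> List[Row]:
    """Constructed, labelled base-classifier outputs (not real telemetry).

    Malware (label 1): novel samples rarely resemble known families, so the
    fuzzy-hash scores are usually low, while the researcher-expertise model
    scores moderate to high and the file is almost always brand new.
    Clean (label 0): low fuzzy and researcher scores, and the file usually
    has some age and prevalence (new_file = 0).
    """
    rng = random.Random(seed)
    rows: List[Row] = []
    for i in range(n):
        label = i % 2  # balanced classes
        if label == 1:
            if rng.random() < 0.7:  # novel variant, no close known-family match
                f1, f2 = rng.uniform(0.0, 0.4), rng.uniform(0.0, 0.4)
            else:  # close to a known family
                f1, f2 = rng.uniform(0.6, 1.0), rng.uniform(0.6, 1.0)
            research = rng.uniform(0.4, 1.0)
            new_file = 1.0 if rng.random() < 0.9 else 0.0
        else:
            f1, f2 = rng.uniform(0.0, 0.2), rng.uniform(0.0, 0.2)
            research = rng.uniform(0.0, 0.6)
            new_file = 1.0 if rng.random() < 0.1 else 0.0
        rows.append(([f1, f2, research, new_file], label))
    return rows


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic_stacker(rows: List[Row], epochs: int = 600,
                           lr: float = 1.0) -> Tuple[List[float], float]:
    """Fit the meta-model (logistic regression over base scores) by
    full-batch gradient descent on the log-loss."""
    n_feat = len(rows[0][0])
    w = [0.0] * n_feat
    b = 0.0
    m = len(rows)
    for _ in range(epochs):
        grad_w = [0.0] * n_feat
        grad_b = 0.0
        for x, y in rows:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for j in range(n_feat):
                grad_w[j] += err * x[j]
            grad_b += err
        for j in range(n_feat):
            w[j] -= lr * grad_w[j] / m
        b -= lr * grad_b / m
    return w, b


def ensemble_score(model: Tuple[List[float], float], x: Sequence[float]) -> float:
    """Meta-model probability that a file with base scores x is malware."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def accuracy(model: Tuple[List[float], float], rows: List[Row]) -> float:
    hits = sum(1 for x, y in rows if (ensemble_score(model, x) >= 0.5) == (y == 1))
    return hits / len(rows)


def fit_demo_model(n: int = 600, seed: int = 7) -> Tuple[List[float], float]:
    return train_logistic_stacker(make_training_set(n, seed))


# Score pattern from the post's Figure 17: weak fuzzy-hash scores, a moderate
# researcher score, and (from Figure 16) a brand-new file with zero prevalence.
CASE_NEW_FILE = [0.01, 0.06, 0.64, 1.0]
# Constructed contrast case: a lower researcher score on an older, prevalent file.
CASE_OLD_FILE = [0.01, 0.06, 0.45, 0.0]

if __name__ == "__main__":
    model = fit_demo_model()
    print("weights:", dict(zip(FEATURES, model[0])), "bias:", model[1])
    print("training accuracy:", accuracy(model, make_training_set(600)))
    print("ensemble score, new file:", ensemble_score(model, CASE_NEW_FILE))
    print("ensemble score, old file:", ensemble_score(model, CASE_OLD_FILE))
```

The weights and scores depend entirely on the constructed data, so they illustrate the mechanism rather than reproduce the post's 0.85 and 0.91.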

Figure 18. Ensemble models issue a blocking decision

As the queries on the malicious .js files rolled in, the cloud issued blocking decisions within a few hundred milliseconds using the ensemble model's strong probability score, enabling Windows Defender ATP's antivirus capabilities to prevent the malicious .js from running and remove it. Here is a map overlay of the actual ensemble-based blocks of the malicious JavaScript files at the time:

Figure 19. Blocks by ensemble model of malicious JavaScript used in the attack

Ensemble ML models enabled Windows Defender ATP's next-gen protection to defend thousands of customers in Brazil targeted by the unscrupulous attackers from having a potentially bad day, while ensuring the frustrated malware authors didn't hit the big pay day they were hoping for. Bom dia.

Further reading on machine learning and artificial intelligence in Windows Defender ATP

Indicators of compromise (IoCs)

  • Doc062018.zip (SHA-256: 93f488e4bb25977443ff34b593652bea06e7914564af5721727b1acdd453ced9)
  • Doc062018-2.vbs (SHA-256: 7b1b7b239f2d692d5f7f1bffa5626e8408f318b545cd2ae30f44483377a30f81)
  • zobXhz.js (SHA-256: 1f47ec030da1b7943840661e32d0cb7a59d822e400063cd17dc5afa302ab6a52)

Randy Treit, Holly Stewart, Jugal Parikh
Windows Defender Research
with special thanks to Allan Sepillo and Samuel Wakasugui

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.


Building on experience: a framework for cybersecurity policy

August 9th, 2018

Each year, more and more governments are developing policies to address security challenges presented by an increasingly digitized world. And to support those efforts, I'm excited today to announce the release of Microsoft's new Cybersecurity Policy Framework, a resource for policymakers that provides an overview of the building blocks of effective cybersecurity policies and that is aligned with the best practices from around the globe. Nations coming online today, and building their cybersecurity infrastructures, should not, and need not, be burdened with the stumbling blocks that characterized previous generations of cybersecurity policies. Instead, such nations should be empowered to leapfrog outdated challenges and unnecessary hurdles.

For years, Microsoft has worked with policymakers in advanced and emerging economies, and across many social and political contexts, to support the development of policies to address a wide range of cybersecurity challenges. This new publication captures and distills the important lessons learned from those years of experience partnering with governments. And as increasing numbers of countries wrestle with how to best address cybersecurity challenges, the Cybersecurity Policy Framework is an indispensable resource for the policymakers joining this work.

According to the last analysis provided by the United Nations, half of the countries on earth today either have or are developing national cybersecurity strategies. I have little doubt that in the next decade every single outstanding country will add its name to that list. And this trend highlights the importance of this new resource. The policies established today will impact how technologies are used for years to come and how safe or dangerous the online world becomes for all of us. Truly, there is no going back, only forward.

The Cybersecurity Policy Framework is not one-stop shopping for cybersecurity policymakers, but it does serve as an important umbrella document, providing a high-level overview of concepts and priorities that must be top of mind when developing an effective and resilient cybersecurity policy environment.

Specifically, this new resource outlines:

  • National strategies for cybersecurity.
  • How to establish a national cyber agency.
  • How to develop and update cybercrime laws.
  • How to develop and update critical infrastructure protections.
  • International strategies for cybersecurity.

We at Microsoft have been at this work for a long time and have developed a wide variety of resources to help those who are working to position their industries and nations to capitalize on the benefits of new technologies, so many that they can often be difficult to find! And this highlights another strength of the Cybersecurity Policy Framework: while it is not one-stop shopping, each section does provide an overview of a critical policy topic as well as links to the associated and more in-depth resources my team has developed over the years to assist policymakers. In this way, this new resource serves not only as essential, high-level guidance, but also as a key to a broader catalogue of resources built on years of experience partnering with governments around the world.

Reading through this new resource, I am proud of the work we have done in pursuit of a safer online world. Important progress has been made, and these foundational principles underscore much of today's cybersecurity discourse. However, we have, and will always have, more work to do as a result of the changes and innovations in technology always on the horizon, and their implications for cybersecurity. I'm glad to put this resource forward today to support a new generation of policymakers and also look forward to partnering with them to tackle the new challenges we will face together tomorrow.

Download your copy of the Cybersecurity Policy Framework today.


Protecting the modern workplace from a wide range of undesirable software

Security is a fundamental component of the trusted and productive Windows experience that we deliver to customers through modern platforms like Windows 10 and Windows 10 in S mode. As we build intelligent security technologies that protect the modern workplace, we aim to always ensure that customers have control over their devices and experiences.

To protect our customers from the latest threats, massive amounts of security signals and threat intelligence from the Microsoft Intelligent Security Graph are processed by security analysts and intelligent systems that identify malicious and other undesirable software. Our evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. This classification of threats is reflected in the protection delivered by the Windows Defender Advanced Threat Protection (Windows Defender ATP) unified endpoint security platform.

Malware: Malicious software and unwanted software

Among the big classifications of threats, customers may be most familiar with malicious software. Malicious software might steal personal information, lock devices until a ransom is paid, use devices to send spam, or download other malicious software. Examples of these types of threats are keyloggers and ransomware. Malware can get into devices through various infection vectors, including exploits, which undermine users' choice and control of their devices. Windows Defender ATP's next generation protections detect and block these malicious programs using local machine learning models, behavior-based detection, generics and heuristics, and cloud-based machine learning models and data analytics.

Some threats, on the other hand, are classified as unwanted software. Applications that don't keep customers in control of their devices through informed choices and accessible controls are considered unwanted. Examples of unwanted behavior include modifying the browsing experience without using supported browser extensibility models, using alarming and coercive messages to scare customers into buying premium versions of software, and not providing a clear and straightforward way to install, uninstall, or disable applications. Like malicious software, unwanted software threats are malware.

A model that leverages predictive technologies, machine learning, applied science, and artificial intelligence enables Windows Defender ATP to detect and stop malware at first sight, as reflected in consistently high scores in independent antivirus tests.

Potentially unwanted applications

Some applications do not exhibit malicious behavior but can adversely impact the performance or use of devices. We classify these as potentially unwanted applications (PUA). For example, we noted the increased presence of legitimate cryptocurrency miners in enterprise environments. While some forms of cryptocurrency miners are not malicious, they may not be authorized in enterprise networks because they consume computing resources.

Unlike malicious software and unwanted software, potentially unwanted applications are not malware. Enterprise security administrators can use the PUA protection feature to block these potentially unwanted applications from downloading and installing on endpoints. PUA protection is enabled by default in Windows Defender ATP when managed through System Center Configuration Manager.

In March 2018, we started surfacing PUA protection definitions on VirusTotal. We have also updated our evaluation criteria page to describe the specific categories and descriptions of software that we classify as PUA. These are:

Browser advertising software: Software that displays advertisements or promotions or prompts the user to complete surveys for other products or services in software other than itself. This includes, for example, software that inserts advertisements in browser webpages.

Torrent software: Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.

Cryptomining software: Software that uses your computer resources to mine cryptocurrencies.

Bundling software: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.

Marketing software: Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.

Evasion software: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.

Poor industry reputation: Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection.

Customer protection is our top priority. Windows Defender Advanced Threat Protection (Windows Defender ATP) incorporates next-generation protection, attack surface reduction, endpoint detection and response, automated investigation and remediation, and advanced hunting capabilities. We adjust, expand, and update our evaluation criteria based on customer feedback as well as new and emerging trends in the threat landscape. We encourage customers to help us identify new threats and other undesirable software by submitting programs that exhibit behaviors outlined in the evaluation criteria.

Michael Johnson

Windows Defender Research


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Attending Black Hat USA 2018? Here’s what to expect from Microsoft.

Black Hat USA 2018 brings together professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. This is an exciting time as our Microsoft researchers, partners, and security experts will showcase the latest collaborations in defense strategies for cybersecurity, highlight solutions for security vulnerabilities in applications, and bring together an ecosystem of intelligent security solutions. Our objective is to arm business, government, and consumers with deeply integrated intelligence and threat protection capabilities across platforms and products.

Security researchers play an essential role in Microsoft's security strategy and are key to community-based defense. To show our appreciation for their hard work and partnership, each year at Black Hat USA, the Microsoft Security Response Center (MSRC) highlights the contributions of these researchers through the list of Top 100 security researchers reporting to Microsoft (either directly or through a third party) during the previous 12 months. While one criterion for the ranking is the volume of fixed reports a researcher has made, the severity and impact of the reports are also very important to the ranking. Given the number of individuals reporting to Microsoft, anyone ranked among the Top 100 is among the top talent in the industry.

In addition to unveiling the Top 100 and showcasing Microsoft security solutions at Booth #652, there are a number of featured Microsoft speakers and sessions:

Join us at these sessions during the week of August 4-9, 2018 in Las Vegas and continue the discussion with us in Booth #652, where we will have product demonstrations, theatre presentations, and an opportunity to learn more about our Top 100 and meet with some of Microsoft's security experts and partners.

Protect your data in files, apps, and devices

August 2nd, 2018

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Enable your users to work securely from anywhere, anytime, across all of their devices.

Most companies focus their security solutions around users, devices, and apps, but often overlook the data that they are trying to protect. In this blog, we dig into some of the most challenging data protection scenarios our customers encounter.

How can I make sure company data is safe when employees use their own devices for work?

To help ensure your organization's data is safe on employee-owned devices, Microsoft 365 security solutions give you control and protection throughout the data lifecycle. With interoperating solutions for identity and access management, endpoint protection, information protection, and mobile device management (MDM), Microsoft 365 helps you protect your data against the complicated risks of a mobile landscape.

To build a comprehensive strategy for information protection, start by managing employee identities with Azure Active Directory (Azure AD). Azure AD gives you visibility and control over user identities, allowing you to manage what users can access. It allows your users the ability to securely sign in to business apps and access appropriate company data on their own devices.

Your employees use mobile devices for both personal and work tasks throughout the day, moving quickly among apps and files and potentially mixing up work and personal data. You want to make sure users can be productive while you prevent data loss. You also want the ability to protect company data even when it is accessed from devices that aren't managed by you.

You can use Microsoft Intune app protection policies (Figure 1) to help protect your company's data. Because Intune app protection policies can be used independently of any MDM solution, you can use them to protect your company's data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department. These policies let you set parameters for how your users interact with or use data in their Intune-managed apps, for example by restricting copy-and-paste and save-as functions.

Figure 1. Intune App Protection policies allow you to restrict access to company resources.

Conditional access in Azure AD (Figure 2) lets you assign conditions that must be met in order for users to gain access. By setting conditional access policies, you can apply the right access controls under the required conditions. Configure conditional access policies to address risks based on user sign-in, network location, unmanaged devices, and client applications.

Figure 2. Conditional access lets you assign conditions that must be met in order for users to gain access.

Protect against accidental data leaks by using Windows Information Protection (WIP) to help secure business data when it leaves your employees' devices. WIP can be configured through Intune, and it allows you to restrict copy-and-paste functions, prevent unauthorized apps from accessing business data, and discriminate between corporate and personal data on the device so that corporate data can be wiped if necessary.

How can I make it easier for employees to meet my company's strict compliance requirements for data access and sharing?

Classify and protect documents and emails by applying labels with Azure Information Protection. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or by a combination where users are given recommendations. The classification is identifiable regardless of where the data is stored or with whom it's shared. For example, you can configure a report document so that it can be accessed only by people in your organization, and control whether that document can be edited, is restricted to read-only, or can be printed. You can configure emails similarly, and also prevent them from being forwarded or prevent the use of the Reply All option.

How can I protect data when an employee loses their device?

If your employees use their own devices to access or store company information, you can remotely wipe data from managed business apps, like Word and SharePoint, with Intune. Company-owned devices can be managed through Intune MDM, giving you the flexibility to wipe an entire device (factory reset) or just wipe company data.

Deployment tips from our experts

Now that you know more about how Microsoft 365 security solutions can protect your data, here are three proven tips to put it all into action.

Keep your identities safe. Manage employee identities with Azure AD for visibility over user identities and control over what users can access. Configure conditional access policies to apply the right access controls to address access risks.

Manage the devices in your environment with Intune. Enable Intune to be your mobile management strategy to manage the apps that employees use to do business. You can control the apps employees can access, and you can wipe a device when someone leaves the company.

Keep your company data safe. Restrict access to company resources using Intune app protection policies to help protect your company's data. Deploy Azure Information Protection and set up your data classification, labels, and automatic policies to control access by labeling, classifying, and encrypting documents according to their level of security. Then use WIP to protect against accidental data leaks.

Plan for success with FastTrack. This valuable service comes with your subscription at no additional charge. Whether you're planning your initial rollout, onboarding your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, stay tuned for the white paper Protect your data in files, apps, and devices, within and across organizations coming soon!

More blog posts from this series:

How Microsoft 365 Security integrates with your broader IT ecosystem—part 2

July 31st, 2018

Today's post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

In part 1 of our blog series, we shared the Microsoft 365 Security strategy for integrating with the broader security community. Today, we cover the services Microsoft 365 Security offers customers to protect assets beyond the Microsoft ecosystem. These are only some examples among a broad and rich set of capabilities that help customers who use tools beyond Microsoft's services.

Securing the cloud application ecosystem

Microsoft Cloud App Security is Microsoft's Cloud Access Security Broker (CASB), which has been fully integrated with Microsoft 365 Security services since Microsoft's acquisition of Adallom. Cloud App Security gives visibility into cloud apps and services, provides sophisticated analytics to identify and mitigate cyberthreats, and enables control over how data travels. The service integrates with Azure Active Directory and Azure Information Protection to enrich insights, strengthen security, and automate security operations.

Cloud App Security is designed to:

  • Discover Shadow IT and assess associated risks.
  • Protect data assets when they travel outside of your organization.
  • Provide real-time monitoring and control of user sessions.
  • Detect threats and anomalies.
  • Provide configuration of remediation actions.

Cloud App Security is available for over 16,000 cloud apps and leverages more than 70 parameters, including regulatory certifications, industry standards, and best practices, to assign a risk score to each app.

Figure 1. Cloud App Security dashboard.

Protecting the world's endpoints

Windows Defender Advanced Threat Protection (ATP) is Microsoft's unified endpoint security platform protecting endpoints from cyberthreats.

Windows Defender ATP is built-in and cloud-powered to:

  • Eliminate risky or unnecessary surface areas.
  • Restrict dangerous code from running.
  • Protect against file-based and file-less malware.
  • Detect and respond to advanced attacks.
  • Automatically investigate alerts and remediate complex threats in minutes.
  • Gain real-time visibility and identify ways to improve your security posture.
  • Empower SecOps to actively hunt for evasive breach activity.

Many customers want to benefit from the advanced security offered by Windows Defender ATP while having the flexibility to use various operating systems. In fact, many organizations today encourage employees to bring their own devices, providing individuals freedom of choice but also increasing complexity for IT. Through several partnerships and cross-platform integrations (Figure 2), Windows Defender ATP reduces the complexity of securing these endpoints, providing a single pane of glass for endpoint security visibility across the entire install base.

Figure 2. Windows Defender ATP industry partners.

These partnerships enable Windows Defender ATP to protect, detect, and respond to security threats on macOS, Linux, iOS, and Android devices.

Share encrypted email with anyone on any device

Data protection is fundamental for all organizations. Email encryption is one of the most basic, yet powerful capabilities employed to protect data.

Office 365 Message Encryption comes standard in Office 365 E3 and E5 licenses enabling organizations to:

  • Protect sensitive data.
  • Control data through automatic policies or ad-hoc end user controls in Outlook (desktop and web).
  • Help meet compliance obligations for sensitive data.

For organizations that collaborate on sensitive emails with customers using consumer email services such as Gmail (Figure 3) or Yahoo, users can sign in using their Gmail or Yahoo identities, and open and read messages (including email attachments) encrypted with Office 365 Message Encryption. Once signed in, recipients can use the Office 365 Message Encryption web portal to read and collaborate on encrypted emails.

Figure 3. Office 365 encrypted email opened by a Gmail user.

The experience is completely seamless for Office 365 users, who can view and collaborate on encrypted messages in their Outlook client on any endpoint including desktop, Mac, web, iOS, or Android (Figure 4). For users not using Outlook for mobile, admins can enable other Exchange ActiveSync (EAS) mobile email clients, like the native Mail app on iOS, to receive and respond to encrypted emails.

Figure 4. Office 365 Message Encryption experience in Outlook mobile.

Digging deeper

These are only a few examples of Microsoft 365 Security services extending protection beyond the Microsoft ecosystem. You will be surprised to see the number of security offerings designed to help protect your organization, no matter which IT solutions you have in place. To get started with envisioning a plan, onboarding, and driving user adoption, go to FastTrack.microsoft.com, sign in with your subscription ID, and complete the Request for Assistance form.

In part 3 of our series, we will highlight real-world examples of Microsoft 365 Security protecting an organization's extended IT environment. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions, which include:

Attack inception: Compromised supply chain within a supply chain poses new risks

A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case. Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app's legitimate installer the unsuspecting carrier of a malicious payload. The attack seemed like just another example of how cybercriminals can sneak in malware using everyday normal processes.

The plot twist: The app vendor's systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out to be an interesting and unique case of an attack involving "the supply chain of the supply chain".

The attackers monetized the campaign using cryptocurrency miners, going as far as using two variants for good measure, adding to an expanding list of malware attacks that install coin miners.

We estimate based on evidence from Windows Defender ATP that the compromise was active between January and March 2018 but was very limited in nature. Windows Defender ATP detected suspicious activity on a handful of targeted computers; Automated investigation automatically resolved the attack on these machines.

While the impact is limited, the attack highlighted two threat trends: (1) the escalating frequency of attacks that use software supply chains as a threat vector, and (2) the increasing use of cryptocurrency miners as the primary means of monetizing malware campaigns.

This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to have been instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources. This is evidence that software supply chains are becoming risky territory and a point of entry preferred even by common cybercriminals.

Hunting down the software supply chain compromise

As with most software supply chain compromises, this new attack was carried out silently. It was one of numerous attacks detected and automatically remediated by Windows Defender ATP on a typical day.

While customers were immediately protected, our threat hunting team began an in-depth investigation when similar infection patterns started emerging across different sets of machines: antivirus capabilities in Windows Defender ATP were detecting and blocking a coin mining process masquerading as pagefile.sys, which was being launched by a service named xbox-service.exe. Windows Defender ATP's alert timeline showed that xbox-service.exe was installed by an installer package that was automatically downloaded from a suspicious remote server.

Figure 1. Windows Defender ATP alert for the coin miner used in this incident

A machine compromised with coin miner malware is relatively easy to remediate. However, investigating and finding the root cause of the coin miner infection without an advanced endpoint detection and response (EDR) solution like Windows Defender ATP is challenging; tracing the infection requires a rich timeline of events. In this case, Advanced hunting capabilities in Windows Defender ATP can answer three basic questions:

  • What created xbox-service.exe and pagefile.sys files on the host?
  • Why is xbox-service.exe being launched as a service with high privileges?
  • What network and process activities were seen just before xbox-service.exe was launched?

Answering these questions is painless with Windows Defender ATP. Looking at the timeline of multiple machines, our threat hunting team was able to confirm that an offending installer package (MSI) was downloaded and written onto devices through a certain PDF editor app (an alternative app to Adobe Acrobat Reader).

The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation. All the MSI files were clean and digitally signed by the same legitimate company except for the one malicious file. Clearly, something in the download and installation chain was subverted at the source, an indication of a software supply chain attack.

Figure 2. Windows Defender ATP answers who, when, what (xbox-service.exe created right after MSI installation)
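The three hunting questions above are, in the end, queries over a process, file and network event timeline. The following is an added example, not Windows Defender ATP code or its schema: it builds a constructed timeline mirroring the chain the post describes (installer downloads an MSI, msiexec drops xbox-service.exe and pagefile.sys, the service later starts the miner) and answers who wrote the file, why it runs with high privileges, and what happened just before it launched. All hosts, paths and field names are assumptions.

```python
"""Root-cause walk over an endpoint event timeline (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: int                       # seconds into the constructed timeline
    kind: str                     # "process", "file" or "network"
    pid: int                      # process that performed the action
    image: str                    # image name of that process
    user: str                     # account the process runs as
    ppid: Optional[int] = None    # process events: parent pid
    path: Optional[str] = None    # file events: file written
    remote: Optional[str] = None  # network events: remote host


# Constructed sample timeline; hosts and paths are placeholders.
EVENTS: List[Event] = [
    Event(0, "process", 300, "services.exe", "SYSTEM", ppid=1),
    Event(1, "process", 100, "setup.exe", "alice", ppid=1),
    Event(5, "network", 100, "setup.exe", "alice", remote="downloads.partner.example"),
    Event(6, "network", 100, "setup.exe", "alice", remote="replica.attacker.example"),
    Event(7, "file", 100, "setup.exe", "alice", path=r"C:\Temp\fonts_asian.msi"),
    Event(8, "process", 200, "msiexec.exe", "SYSTEM", ppid=100),
    Event(9, "file", 200, "msiexec.exe", "SYSTEM", path=r"C:\Windows\System32\xbox-service.exe"),
    Event(10, "file", 200, "msiexec.exe", "SYSTEM", path=r"C:\Windows\System32\pagefile.sys"),
    Event(60, "process", 310, "xbox-service.exe", "SYSTEM", ppid=300),
    Event(61, "process", 320, "pagefile.sys", "SYSTEM", ppid=310),
    Event(62, "network", 320, "pagefile.sys", "SYSTEM", remote="pool.mining.example"),
]


def _sorted(events: List[Event]) -> List[Event]:
    return sorted(events, key=lambda e: e.ts)


def process_start(pid: int, events: List[Event] = EVENTS) -> Optional[Event]:
    """The process-creation event for pid, if the timeline has one."""
    return next((e for e in events if e.kind == "process" and e.pid == pid), None)


def creator_of(path: str, events: List[Event] = EVENTS) -> Optional[Event]:
    """Q1: which process first wrote `path` on the host."""
    for e in _sorted(events):
        if e.kind == "file" and e.path and e.path.lower() == path.lower():
            return e
    return None


def ancestry(pid: int, events: List[Event] = EVENTS) -> List[Event]:
    """Q2: the process and its parents, nearest first (stops at an unknown ppid).
    A parent of services.exe running as SYSTEM explains the high privileges."""
    chain: List[Event] = []
    ev = process_start(pid, events)
    while ev is not None:
        chain.append(ev)
        ev = process_start(ev.ppid, events) if ev.ppid is not None else None
    return chain


def activity_before(image: str, window: int, events: List[Event] = EVENTS) -> List[Event]:
    """Q3: process and network events in the `window` seconds before `image` first ran."""
    start = next(e for e in _sorted(events) if e.kind == "process" and e.image == image)
    return [e for e in _sorted(events)
            if e.kind in ("process", "network") and start.ts - window <= e.ts < start.ts]


def trace_dropper(path: str, events: List[Event] = EVENTS) -> Dict[str, object]:
    """Chain Q1 and Q2 into a root-cause summary for a dropped file: who wrote
    it, that writer's ancestry, and every remote host any process in that
    ancestry contacted before the write (the download that fed the installer)."""
    writer = creator_of(path, events)
    if writer is None:
        return {"found": False}
    chain = ancestry(writer.pid, events)
    pids = {e.pid for e in chain}
    hosts = [e.remote for e in _sorted(events)
             if e.kind == "network" and e.pid in pids and e.ts < writer.ts]
    return {
        "found": True,
        "written_by": f"{writer.image} (as {writer.user})",
        "ancestry": [e.image for e in chain],
        "downloaded_from": hosts,
    }


if __name__ == "__main__":
    print(trace_dropper(r"C:\Windows\System32\xbox-service.exe"))
    print([f"{e.image} ({e.user})" for e in ancestry(310)])
    print([(e.kind, e.image, e.remote) for e in activity_before("xbox-service.exe", 60)])
```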

As observed in previous supply chain incidents, hiding malicious code inside an installer or updater program gives attackers the immediate benefit of having full elevated privileges (SYSTEM) on a machine. This gives malicious code the permissions to make system changes like copying files to the system folder, adding a service, and running coin mining code.

Confident with the results of our investigation, we reported findings to the vendor distributing the PDF editor app. They were unaware of the issue and immediately started investigating on their end.

Working with the app vendor, we discovered that the vendor itself was not compromised. Instead, the app vendor was the victim of a supply chain attack traceable to its dependency on a second software vendor that was responsible for creating and distributing the additional font packages used by the app. The app vendor promptly notified their partner vendor, who was able to identify and remediate the issue and quickly interrupted the attack.

Multi-tier software supply chain attack

The goal of the attackers was to install a cryptocurrency miner on victim machines. They used the PDF editor app to download and deliver the malicious payload. To compromise the software distribution chain, however, they targeted one of the app vendor's software partners, which provided and hosted additional font packages downloaded during the app's installation.

Figure 3. Diagram of the software distribution infrastructure of the two vendors involved in this software supply chain attack

This software supply chain attack shows how cybercriminals are increasingly using methods typically associated with sophisticated cyberattacks. The attack required a certain level of reconnaissance: the attackers had to understand how the normal installation worked. They eventually found an unspecified weakness in the interactions between the app vendor and partner vendor that created an opportunity.

The attackers figured out a way to hijack the installation chain of the MSI font packages by exploiting the weakness they found in the infrastructure. Thus, even if the app vendor was not compromised and was completely unaware of the situation, the app became the unexpected carrier of the malicious payload because the attackers were able to redirect downloads.

At a high level, here's an explanation of the multi-tier attack:

  1. Attackers recreated the software partner's infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including the font packages, all clean and digitally signed, on the replica server.
  2. The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. Once tampered with, the package was no longer signed or trusted.
  3. Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
  4. As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers' replica server instead of the software partner's server.

While the attack was active, when the app reached out to the software partner's server during installation, it was redirected to download the malicious MSI font package from the attackers' replica server. Thus, users who downloaded and installed the app also eventually installed the coin miner malware. Afterwards, when the device restarts, the malicious MSI file is replaced with the original legitimate one, so victims may not immediately realize the compromise happened. Additionally, the update process was not compromised, so the app could properly update itself.

Windows Defender ATP customers were immediately alerted of the suspicious installation activity carried out by the malicious MSI installer and by the coin miner binary, and the threat was automatically remediated.

Figure 4. Windows Defender ATP alert process tree for download and installation of MSI font packages: all legitimate, except for one

Since the compromise involved a second-tier software partner vendor, the attack could potentially expand to customers of other app vendors that share the same software partner. Based on PDF application names hardcoded by the attackers in the poisoned MSI file, we have identified at least six additional app vendors that may be at risk of being redirected to download installation packages from the attackers server. While we were not able to find evidence that these other vendors distributed the malicious MSI, the attackers were clearly operating with a broader distribution plot in mind.

Another coin miner malware campaign

The poisoned MSI file contained malicious code in a single DLL file that added a service designed to run a coin mining process. The said malware, detected as Trojan:Win64/CoinMiner, hid behind the name xbox-service.exe. When run, this malware consumed affected machines' computing resources to mine Monero coins.

Figure 5. Malicious DLL payload extracted from the MSI installer

Another interesting aspect of the DLL payload is that during the malware installation stage, it tries to modify the Windows hosts file so that the infected machine can't communicate with the update servers of certain PDF apps and security software. This is an attempt to prevent remote cleaning and remediation of affected machines.

Figure 6. Preventing further download of updates from certain PDF app vendors
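A hosts-file rewrite of this kind is cheap to detect. The check below is an added example, not Microsoft code: it parses hosts-file text and flags names mapped to loopback, unspecified or otherwise non-routable addresses, plus any static pin of a domain on a watchlist of update and security-vendor domains, since pinning such a name to any address defeats normal DNS resolution. The watchlist and the sample file content are constructed placeholders.

```python
"""Detect hosts-file entries that sinkhole update or security-vendor domains."""
import ipaddress
from typing import List, NamedTuple, Sequence

# Constructed watchlist: domain suffixes the organization expects its
# software to reach for updates. Replace with real vendor domains.
WATCHLIST: Sequence[str] = ("pdfvendor.example", "avvendor.example", "windowsupdate.example")

# Standard entries every hosts file carries; never flagged.
_STANDARD_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


class Finding(NamedTuple):
    line_no: int
    name: str
    address: str
    reason: str


def _on_watchlist(name: str, watchlist: Sequence[str]) -> bool:
    n = name.lower()
    return any(n == s or n.endswith("." + s) for s in watchlist)


def _sinkhole_reason(addr: str) -> str:
    """Why an address cannot reach the real service, or '' if it is routable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable address"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified (0.0.0.0/::)"
    if ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return "non-routable"
    return ""


def scan_hosts(text: str, watchlist: Sequence[str] = WATCHLIST) -> List[Finding]:
    """Return one Finding per suspicious name, in file order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()                     # "<address> <name> [<name> ...]"
        addr, names = fields[0], fields[1:]
        reason = _sinkhole_reason(addr)
        for name in names:
            if name.lower() in _STANDARD_NAMES:
                continue
            if _on_watchlist(name, watchlist):
                # A vendor domain pinned to any address bypasses DNS; a sinkhole
                # address on top of that is the pattern seen in this incident.
                findings.append(Finding(line_no, name, addr,
                                        (reason or "routable") + ", watchlisted domain"))
            elif reason:
                findings.append(Finding(line_no, name, addr, reason))
    return findings


# Constructed sample resembling a tampered Windows hosts file.
SAMPLE_HOSTS = """\
# constructed sample of a tampered hosts file
# (not a real file)
127.0.0.1       localhost
::1             localhost
0.0.0.0         updates.pdfvendor.example
127.0.0.1       download.avvendor.example   www.avvendor.example
10.0.0.5        intranet.corp.example
127.0.0.1       telemetry.unrelated.example
198.51.100.7    cdn.windowsupdate.example
"""

if __name__ == "__main__":
    for f in scan_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.name} -> {f.address} ({f.reason})")
```

On a live Windows host the input would be the contents of %SystemRoot%\System32\drivers\etc\hosts; the scan itself is read-only.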

Inside the DLL, we also found some traces of an alternative form of coin mining: browser scripts. It's unclear if this code was the attackers' potential secondary plan or simply a work in progress to add one more way to maximize coin mining opportunities. The DLL contained strings and code that may be used to launch a browser to connect to the popular Coinhive library to mine Monero coins.

Figure 7. Browser-based coin mining script

Software supply chain attacks: A growing industry problem

In early 2017, we discovered operation WilySupply, an attack that compromised a text editor's software updater to install a backdoor on targeted organizations in the financial and IT sectors. Several weeks later, another supply chain attack made headlines by initiating a global ransomware outbreak. We confirmed speculations that the update process for a tax accounting software popular in Ukraine was the initial infection vector for the Petya ransomware. Later that same year, a backdoored version of CCleaner, a popular freeware tool, was delivered from a compromised infrastructure. Then, in early 2018, we uncovered and stopped a Dofoil outbreak that poisoned a popular signed peer-to-peer application to distribute a coin miner.

These are just some of many similar cases of supply chain attacks observed in 2017 and 2018. We predict, as many other security researchers do, that this worrisome upward trend will continue.

Figure 8. Software supply chain attacks trends (source: RSA Conference 2018 presentation “The Unexpected Attack Vector: Software Updaters“)

The growing prevalence of supply chain attacks may be partly attributed to hardened modern platforms like Windows 10 and the disappearance of traditional infection vectors like browser exploits. Attackers are constantly looking for the weakest link; with zero-day exploits becoming too expensive to buy or create (exploit kits are at their historically lowest point), attackers search for cheaper alternative entry points like software supply chain compromise, benefiting from unsafe coding practices, insecure protocols, or unprotected server infrastructure of software vendors to facilitate these attacks.

The benefit for attackers is clear: supply chains can offer a big base of potential victims and can result in big returns. These attacks have been observed targeting a wide range of software and impacting organizations in different sectors. It's an industry-wide problem that requires attention from multiple stakeholders – software developers and vendors who write the code, system admins who manage software installations, and the information security community who find these attacks and create solutions to protect against them, among others.

For further reading, including a list of notable supply chain attacks, check out our RSA Conference 2018 presentation on the topic of software supply chain attack trends: The Unexpected Attack Vector: Software Updaters.

Recommendations for software vendors and developers

Software vendors and developers need to ensure they produce secure as well as useful software and services. To do that, we recommend:

  • Maintain a highly secure build and update infrastructure.

    • Immediately apply security patches for OS and software.
    • Implement mandatory integrity controls to ensure only trusted tools run.
    • Require multi-factor authentication for admins.

  • Build secure software updaters as part of the software development lifecycle.

    • Require SSL for update channels and implement certificate pinning.
    • Sign everything, including configuration files, scripts, XML files, and packages.
    • Check for digital signatures, and don't let the software updater accept generic input and commands.

  • Develop an incident response process for supply chain attacks.

    • Disclose supply chain incidents and notify customers with accurate and timely information.
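The updater recommendations above map directly onto the failure mode in this incident, where the app followed server-supplied download parameters to a replica server. The following is an added example, not the app vendor's or partner's code: the download step never follows a link it is handed, builds each package URL from a pinned HTTPS base and a validated package name, aborts outright when the parameters point elsewhere, and checks every package against a pinned SHA-256 manifest before install. Hosts, package names and bodies are constructed placeholders; a production updater would also verify the manifest's signature and each MSI's Authenticode signature.

```python
"""Hardened download step for an installer or updater (added example)."""
import hashlib
import hmac
import re
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

PINNED_BASE = "https://downloads.partner.example/fonts/"   # constructed
ALLOWED_HOSTS = frozenset({"downloads.partner.example"})
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.msi$")        # no slashes, dots or traversal

# Constructed package bodies standing in for the real MSI files; the
# manifest pins their hashes and would itself be signed in production.
GOOD_PACKAGES: Dict[str, bytes] = {
    "fonts_asian.msi": b"constructed MSI body: asian font pack v1",
    "fonts_latin.msi": b"constructed MSI body: latin font pack v1",
}
MANIFEST: Dict[str, str] = {n: hashlib.sha256(b).hexdigest() for n, b in GOOD_PACKAGES.items()}

Result = Tuple[bool, str]


def build_package_url(name: str) -> str:
    """Derive the URL from the package name alone; reject odd names."""
    if not _NAME_RE.match(name):
        raise ValueError(f"suspicious package name {name!r}")
    return PINNED_BASE + name


def check_url(url: str) -> Result:
    """Only the pinned host over HTTPS is acceptable as a download source."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host {parts.hostname!r} is not the pinned download host"
    return True, "ok"


def plan_download(params: Dict[str, str]) -> Tuple[bool, str, str]:
    """Turn server-supplied download parameters into (ok, url, reason).

    Only the package name is used. If the parameters also carry a link, it is
    checked but never followed: a link to another host means the parameter
    channel was tampered with, so the install is aborted and can be alerted on."""
    try:
        url = build_package_url(params.get("package", ""))
    except ValueError as exc:
        return False, "", str(exc)
    supplied = params.get("url")
    if supplied:
        ok, why = check_url(supplied)
        if not ok:
            return False, url, f"download parameters tampered: {why}"
    return True, url, "ok"


def verify_package(name: str, data: bytes, manifest: Dict[str, str] = MANIFEST) -> Result:
    """Pin check: the bytes must hash to the manifest entry for this name."""
    expected = manifest.get(name)
    if expected is None:
        return False, "package not listed in pinned manifest"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch: package replaced or tampered"
    return True, "ok"


def install_package(params: Dict[str, str], fetch: Callable[[str], bytes]) -> Result:
    """Full step: plan, fetch from the pinned URL only, verify, then 'install'."""
    ok, url, why = plan_download(params)
    if not ok:
        return False, why
    data = fetch(url)
    ok, why = verify_package(params["package"], data)
    if not ok:
        return False, why
    return True, f"installed {params['package']} from {url}"


def fake_fetch(url: str) -> bytes:
    """Offline stand-in for an HTTPS download, keyed by package name."""
    return GOOD_PACKAGES[url.rsplit("/", 1)[1]]


if __name__ == "__main__":
    print(install_package({"package": "fonts_asian.msi"}, fake_fetch))
    print(install_package({"package": "fonts_asian.msi",
                           "url": "https://replica.attacker.example/fonts/fonts_asian.msi"},
                          fake_fetch))
    print(install_package({"package": "fonts_asian.msi"}, lambda _u: b"tampered body"))
```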

Defending corporate networks against supply chain attacks

Software supply chain attacks raise new challenges in security given that they take advantage of common everyday tasks like software installation and update. Given the increasing prevalence of these types of attacks, organizations should investigate the following security solutions:

  • Adopt a walled garden ecosystem for devices, especially for critical systems. Windows 10 in S mode is designed to allow only apps installed from the Microsoft Store, ensuring Microsoft-verified security.
  • Deploy strong code integrity policies. Application control can be used to restrict the applications that users are allowed to run. It also restricts the code that runs in the system core (kernel) and can block unsigned scripts and other forms of untrusted code for customers who can't fully adopt Windows 10 in S mode.
  • Use endpoint detection and response (EDR) solutions. Endpoint detection and response capabilities in Windows Defender ATP can automatically detect and remediate suspicious activities and other post-breach actions, so even when the entry vector is stealthy, as with software supply chains, Windows Defender ATP can help to detect and contain such incidents sooner.

In supply chain attacks, the actual compromise happens outside the network, but organizations can detect and block malware that arrives through this method. The built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. For example, as demonstrated in this investigation, antivirus capabilities detected the coin mining payload. The detection was surfaced in Windows Defender ATP, where automated investigation resolved the attack, protecting customers. The rich alert timeline and advanced hunting capabilities in Windows Defender ATP showed the extent of the software supply chain attack. Through this unified platform, Windows Defender ATP delivers attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, and advanced hunting.

 

 

Elia Florio
with Lior Ben Porat
Windows Defender ATP Research team

Indicators of compromise (IOCs)

Malicious MSI font packages:
– a69a40e9f57f029c056d817fe5ce2b3a1099235ecbb0bcc33207c9cff5e8ffd0
– ace295558f5b7f48f40e3f21a97186eb6bea39669abcfa72d617aa355fa5941c
– 23c5e9fd621c7999727ce09fd152a2773bc350848aedba9c930f4ae2342e7d09
– 69570c69086e335f4b4b013216aab7729a9bad42a6ce3baecf2a872d18d23038

Malicious DLLs embedded in MSI font packages:
– b306264d6fc9ee22f3027fa287b5186cf34e7fb590d678ee05d1d0cff337ccbf

Coin miner malware:
– fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e (xbox-service.exe)
– 1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b (pagefile.sys)

Software supply chain download server:
– hxxp://vps11240[.]hyperhost[.]name/escape/[some_font_package].msi (IP: 91[.]235[.]129[.]133)

Command-and-control/coin mining:
– hxxp://data28[.]somee[.]com/data32[.]zip
– hxxp://carma666[.]byethost12[.]com/32[.]html


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Be like a Moomin: How to establish trust between competitors so we can fight cybercrime

July 24th, 2018 No comments

Image of a Moomin keychain sitting on a hotel desk.

Do you know the Moomins? They’re a tight-knit, happy, collaborative cartoon family. I’d never heard of them until I was lucky enough to spend a few days at the Microsoft offices in Helsinki, Finland.

The Moomin keychain in the photo was a gift from the Finnish CISO. As I did a little research into Moomin lore, I discovered a family of wonderful trolls who work with each other, their friends, and acquaintances to overcome adversity. In the first book, The Moomins and the Great Flood, the Moomins become separated. With the landscape flooded, they are unable to find their village, Moominpappa, until they befriend a stork who offers to help them with a winged ride, giving them an aerial vantage point.

The collaborative problem-solving approach of the Moomins fits right into the overall story of trust I frequently heard during my Finland trip. The country has one of the most trusted police and governments in the world. This may partly be due to the fact that trust in the government has been historically high in Nordic countries. In 2015, Finland was the second least corrupt country according to the Transparency International organization.

In the online world, Finland has one of the fastest internet speeds in the world, running on some of the least malware-infected pipes. How are they doing this? With tools such as the CERT-FI Autoreporter system, which helps admins find and respond to breaches faster and empowers them to take action to protect their networks. This level of engaged partnership in the overall health of the country’s network is valued. The cybersecurity professionals I spoke with are very focused on maintaining this trust and continue to identify and build opportunities for collaboration between the public and private sectors.

There's some great learning in there for the international cybersecurity community. It's no secret that cyber-adversaries are selectively collaborating to help make themselves more effective. Operating in dark web exchanges and via encrypted messenger, they share exploits, malcode, and successful attack techniques. But if, as the saying goes, there's no honor amongst thieves, how has an international collective of attackers figured out a model for collaboration that in some ways rivals the trust and collaboration between organizations and countries?

Arguably, their collaboration use case is substantively different from that of large multinational corporations and governments. The value of an exploit generally degrades the longer it is in the wild. This means that part of the cybercriminal financial model is highly dependent on the speed of dissemination. If they hold onto an exploit for too long, they risk having a valueless asset. Finding and monetizing a SQL injection vulnerability is a fairly straightforward and rapid activity. This is in high contrast to large organizations doing business around the globe that must spend a significant amount of time planning and executing their business strategies. Not to mention the fact that, by definition, criminals don't operate under any governmental laws, have any employee protection rules, or pay employee taxes.

On the legal side of cybersecurity, we need to plan for long-term success and adhere to a long list of mandates and regulations. And because we're not in the business of selling exploits, sharing with others how one company defends against them could be seen as giving away part of a competitive edge. When it comes to governments, the hurdles to collaborative trust can be much higher, especially when some of those governments are in virtual trade wars with each other.

Despite the hurdles, we can move forward with cyber-collaboration, without losing our collective competitive edge, by following these three steps:

  1. Agree on the rules: Who shares what and when? And what's the quid pro quo? Asymmetric sharing becomes lopsided and abandoned. Also, how will the information be protected and, as needed, anonymized?
  2. Leverage what's there: ISACs are already up and running, with their own rules. There are also industry consortiums like Cloud Security Alliance (CSA) and vendor associations like the Microsoft Intelligent Security Association.
  3. Enforce the rules: If members of an association don't play fair, it won't be long before members who are following the rules feel cheated. Voluntary trust is good, but there needs to be an enforcement mechanism to ensure fairness. Organizations that don't follow the rules risk getting cut out.

Much like the stork in the story helped the Moomins get an aerial vantage point of the landscape to help find their way to Moominpappa, so too can a collaborative and open sharing approach, subject to the rules, processes, and parameters defined in the steps above, give you a different perspective of the landscape that your business needs to traverse from a security standpoint.

But keep in mind that, in the story, the stork doesn't do all the work; there's action required on the part of the Moomins too. They need to find the stork in the first place. In our world, this means a systematic effort to reach out to and engage with information-sharing partners and active cultivation of these relationships. Likewise, knowing how to employ that information is also critical. To this end, threat intelligence tools that enhance visibility and detective controls, such as SIM and IDS, help you understand the current state of your environment to better utilize information you receive from information-sharing partners.

Lastly, the Moomins need to know about their village (Moominpappa) to be able to recognize it from a distance. Even if the stork provides them with a better view, they still need to recognize the village from the air, which anybody who's been in an airplane can attest isn't always easy. By analogy, this means that the better security teams understand the normative state of their own networks and infrastructure, the better equipped they are to leverage data they learn through sharing and gathered from visibility-enhancing tools.

We're not living in a cartoon world of Moomins, but that doesn't mean we can't take a valuable lesson from them about trust and collaboration.

March-April 2018 test results: More insights into industry AV tests

In a previous post, in the spirit of our commitment to delivering industry-leading protection, customer choice, and transparency on the quality of our solutions, we shared insights and context into the results of AV-TEST's January-February 2018 test cycle. We released a transparency report to help our customers and the broader security community stay informed and understand independent test results better.

In the continued spirit of these principles, we'd like to share Windows Defender AV's scores in the March-April 2018 test. In this new iteration of the transparency report, we continue to investigate the relationship between independent test results and the real-world protection of antivirus solutions. We hope that you find the report insightful.

Download the complete transparency report on March-April 2018 AV-TEST results

Below is a summary of the transparency report:

  • Protection: Windows Defender AV achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). With the latest results, Windows Defender AV has achieved 100% on 9 of the 12 most recent tests (combined “Real World” and “Prevalent malware”).
  • Usability (false positives): Windows Defender AV maintained its previous score of 5.5/6.0. Based on telemetry, most samples that Windows Defender AV incorrectly classified as malware (false positives) had very low prevalence and are not commonly used in a business context. This means that it is unlikely for these false positives to affect enterprise customers.
  • Performance: Windows Defender AV maintained its previous score of 5.5/6.0 and continued to outperform the industry in most areas. These results reflect the investments we made in optimizing Windows Defender AV performance for high-frequency actions.

The report aims to help customers evaluate the extent to which test results are reflective of the quality of protection in the real world. At the same time, insights from the report continue to drive further improvements in the intelligent security services that Microsoft provides for customers.

Windows Defender AV and the rest of the built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. In real customer environments, this unified security platform provides intelligent protection, detection, investigation, and response capabilities that are not currently reflected in independent tests. We tested the two malware samples that Windows Defender AV missed in the March-April 2018 test and proved that for both missed samples, at least three other components of Windows Defender ATP would detect or block the malware in a true attack scenario. You can find these details and more in the transparency report.


The Windows Defender ATP security platform incorporates attack surface reduction, next-generation protection, endpoint detection and response, and advanced hunting capabilities. To see these capabilities for yourself, sign up for a 90-day trial of Windows Defender ATP, or enable Preview features on existing tenants.

Zaid Arafeh

Senior Program Manager, Windows Defender Research team


Jumpstart your Microsoft Graph Security API integration with the new JavaScript sample app

July 18th, 2018 No comments

The Microsoft Graph Security API, which launched this spring, is a unified REST API for integrating data and intelligence from Microsoft products, services, and partners. Using Microsoft Graph, developers can easily build applications that consolidate and correlate security alerts from multiple sources, unlock contextual data to inform investigations, and automate security operations for greater efficiency.

We just launched a new sample app that makes it easier than ever for developers to get started. Like the Python and C# samples already available, the new JavaScript sample app provides ready-to-run code to:

  • Display a list of all security alerts for a tenant. Filter by top alerts, category, provider, and severity, or alerts related to a particular user or device.
  • View rich alert details in JSON.
  • Show additional information from Microsoft Graph about a user or device.
  • Update the status of an alert, provide feedback, and add comments.
  • Subscribe to notifications of all new and updated alerts that meet your filters.

Get started with the JavaScript sample app today!
