Hive ransomware gets upgrades in Rust

Hive ransomware is only about one year old, having been first observed in June 2021, but it has grown into one of the most prevalent ransomware payloads in the ransomware-as-a-service (RaaS) ecosystem. With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem.

The upgrades in the latest variant are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method. The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237.

Microsoft Threat Intelligence Center (MSTIC) discovered the new variant while analyzing detected Hive ransomware techniques for dropping .key files. We know that Hive drops its encryption keys file, which contains encrypted keys used to decrypt encrypted files, and uses a consistent naming pattern:

[KEY_NAME].key.[VICTIM_IDENTIFIER] 
(e.g., BiKtPupMjgyESaene0Ge5d0231uiKq1PFMFUEBNhAYv_.key.ab123)

The said .key files were missing the [VICTIM_IDENTIFIER] part of the file name, prompting deeper analysis of the Hive ransomware that dropped them. This analysis led to the discovery of the new Hive variant and its multiple versions, which exhibit slightly different available parameters in the command line and the executed processes.

Analyzing these patterns in samples of the new variants, we discovered even more samples, all with a low detection rate and none being correctly identified as Hive. In this blog we will share our in-depth analysis of the new Hive variant, including its main features and upgrades, with the aim of equipping analysts and defenders with information to better identify and protect organizations against malware attacks relying on Hive.

Analysis and key findings

The switch from GoLang to Rust

The main difference between the new Hive variant and old ones is the programming language used. The old variants were written in Go (also referred to as GoLang), while the new Hive variant is written in Rust.

Hive isn’t the first ransomware written in Rust—BlackCat, another prevalent ransomware, was the first. By switching the underlying code to Rust, Hive benefits from the following advantages that Rust has over other programming languages:

  • It offers memory, data type, and thread safety
  • It has deep control over low-level resources
  • It has a user-friendly syntax
  • It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption
  • It has a good variety of cryptographic libraries
  • It’s relatively more difficult to reverse-engineer

String encryption

The new Hive variant uses string encryption that can make it more evasive. Strings reside in the .rdata section and are decrypted during runtime by XORing with constants. The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.

For example, let’s look at the section where part of the string “!error no flag -u <login>:<password> provided” is decrypted. In one sample (SHA-256: f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3), the constants are 0x9F2E3F1F and 0x95C9:

Partial screenshot of a code-level analysis of a Hive sample.
Figure 1 – String decryption using constants 0x9F2E3F1F and 0x95C9

In another sample (SHA-256: 6e5d49f604730ef4c05cfe3f64a7790242e71b4ecf1dc5109d32e811acf0b053), the constants are 0x3ECF7CC4 and 0x198F:        

Partial screenshot of a code-level analysis of a Hive sample.
Figure 2 – String decryption using constants 0x3ECF7CC4 and 0x198F

Some samples do share constants when decrypting the same string. For example, let’s look where the parameter string “-da” is decrypted. In one sample (SHA-256: 88b1d8a85bf9101bc336b01b9af4345ed91d3ec761554d167fe59f73af73f037), the constants are 0x71B4 and 2:

Partial screenshot of a code-level analysis of a Hive sample.
Figure 3 – String decryption using constants 0x71B4 and 2

In another sample (SHA-256: 33744c420884adf582c46a4b74cbd9c145f2e15a036bb1e557e89d6fd428e724), the constants are the same:

Partial screenshot of a code-level analysis of a Hive sample.
Figure 4 – String decryption in a different sample also using constants 0x71B4 and 2

Command-line parameters

In old Hive variants, the username and the password used to access the Hive ransom payment website are embedded in the samples. In the new variant, these credentials must be supplied in the command line under the “-u” parameter, which means that they can’t be obtained by analysts from the sample itself.

Partial screenshot of a command prompt showing an error message.
Figure 5 – Without a username and a password, the sample won’t continue its execution

Like most modern ransomware, Hive introduces command-line parameters, which allow attackers flexibility when running the payload by adding or removing functionality. For example, an attacker can choose to encrypt files on remote shares or local files only or select the minimum file size for encryption. In the new Hive variant, we found the following parameters across different samples:

Parameter Functionality
-no-local Don’t encrypt local files
-no-mounted Don’t encrypt files on mounted network shares
-no-discovery Don’t discover network shares
-local-only Encrypt only local files
-network-only Encrypt only files on network shares
-explicit-only Encrypt specific folder(s). For example, ‘-explicit-only c:\mydocs c:\myphotos’
-min-size Minimum file size, in bytes, to encrypt. For example, ‘-min-size 102400’ will encrypt files with size equal or greater than 100kb
-da [Usage is being analyzed.]
-f [Usage is being analyzed.]
-force [Usage is being analyzed.]
-wmi [Usage is being analyzed.]

Overall, it appears different versions have different parameters that are constantly updated. Unlike in previous variants where there was a ‘help’ menu, in the new variant, the attacker must know the parameters beforehand. Since all strings are encrypted, it makes finding the parameters challenging for security researchers.

Stopped services and processes

Like most sophisticated malware, Hive stops services and processes associated with security solutions and other tools that might get in the way of its attack chain. Hive tries to impersonate the process tokens of trustedinstaller.exe and winlogon.exe so it can stop Microsoft Defender Antivirus, among other services.

Hive stops the following services:

windefend, msmpsvc, kavsvc, antivirservice, zhudongfungyu, vmm, vmwp, sql, sap, oracle, mepocs, veeam, backup, vss, msexchange, mysql, sophos, pdfservice, backupexec, gxblr, gxvss, gxclmgrs, gxvcd, gxcimgr, gxmmm, gxvsshwprov, gxfwd, sap, qbcfmonitorservice, qbidpservice, acronisagent, veeam, mvarmor, acrsch2svc

It also stops the following processes:

dbsnmp, dbeng50, bedbh, excel, encsvc, visios, firefox, isqlplussvc, mspub, mydesktopqos, notepad, ocautoupds, ocomm, ocssd, onenote, outlook, sqbcoreservice, sql, steam, tbirdconfig, thunderbird, winword, wordpad, xfssvccon, vxmon, benetns, bengien, pvlsvr, raw_agent_svc, cagservice, sap, qbidpservice, qbcfmonitorservice, teamviewer_service, teamviewer, tv_w32, tv_x64, cvd, saphostexec, sapstartsrv, avscc, dellsystemdetect, enterpriseclient, veeam, thebat, cvfwd, cvods, vsnapvss, msaccess, vaultsvc, beserver, appinfo, qbdmgrn, avagent, spooler, powerpnt, cvmountd, synctime, oracle, wscsvc, winmgmt, *sql*

Launched processes

As part of its ransomware activity, Hive typically runs processes that delete backups and prevent recovery. There are differences between versions, and some samples may not execute all these processes, but one sample that starts the most processes is SHA-256: 481dc99903aa270d286f559b17194b1a25deca8a64a5ec4f13a066637900221e:

  • “vssadmin.exe delete shadows /all /quiet”
  • “wmic.exe shadowcopy delete”
  • “wbadmin.exe delete systemstatebackup”
  • “wbadmin.exe delete catalog -quiet”
  • “bcdedit.exe /set {default} recoveryenabled No”
  • “bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
  • “wbadmin.exe delete systemstatebackup -keepVersions:3”

Ransom note

Hive’s ransom note has also changed, with the new version referencing the .key files with their new file name convention and adding a sentence about virtual machines (VMs).

The older variants had an embedded username and password (marked as hidden). In the new variant, the username and password are taken from the command line parameter -u and are labeled test_hive_username and test_hive_password.

Old ransom note text:

 Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.
 
To decrypt all the data and to prevent exfiltrated files to be disclosed at 
http://hive[REDACTED].onion/
you will need to purchase our decryption software.
 
Please contact our sales department at:
 
   http://hive[REDACTED].onion/
  
      Login:    [REDACTED]
      Password: [REDACTED]
 
To get an access to .onion websites download and install Tor Browser at:
   https://www.torproject.org/ (Tor Browser is not related to us)
 
 
Follow the guidelines below to avoid losing your data:
 
- Do not modify, rename or delete *.key.abc12 files. Your data will be 
   undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the Police, FBI, etc. They don't care about your business.
   They simply won't allow you to pay. As a result you will lose everything.
- Do not hire a recovery company. They can't decrypt without the key. 
   They also don't care about your business. They believe that they are 
   good negotiators, but it is not. They usually fail. So speak for yourself.
- Do not reject to purchase. Exfiltrated files will be publicly disclosed.

New ransom note text:

Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.
 
To decrypt all the data and to prevent exfiltrated files to be disclosed at 
http://hive[REDACTED].onion/
you will need to purchase our decryption software.
 
Please contact our sales department at:
 
   http://hive[REDACTED].onion/
 
      Login:    test_hive_username
      Password: test_hive_password
 
To get an access to .onion websites download and install Tor Browser at:
   https://www.torproject.org/ (Tor Browser is not related to us)
 
 
Follow the guidelines below to avoid losing your data:
 
- Do not delete or reinstall VMs. There will be nothing to decrypt.
- Do not modify, rename or delete *.key files. Your data will be 
   undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the Police, FBI, etc. They don't care about your business.
   They simply won't allow you to pay. As a result you will lose everything.
- Do not hire a recovery company. They can't decrypt without the key. 
   They also don't care about your business. They believe that they are 
   good negotiators, but it is not. They usually fail. So speak for yourself.
- Do not reject to purchase. Exfiltrated files will be publicly disclosed.

Encryption

The most interesting change in the Hive variant is its cryptography mechanism. The new variant was first uploaded to VirusTotal on February 21, 2022, just a few days after a group of researchers from Kookmin University in South Korea published the paper “A Method for Decrypting Data Infected with Hive Ransomware” on February 17, 2022. After a certain period of development, the new variant first appeared in Microsoft threat data on February 22.

The new variant uses a different set of algorithms: Elliptic Curve Diffie-Hellmann (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with ChaCha20 symmetric cipher).

A unique encryption approach

The new Hive variant uses a unique approach to file encryption. Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension.

To indicate which keys set was used to encrypt a file, the name of the .key file containing the corresponding encryption keys is added to the name of the encrypted file on disk, followed by an underscore and then a Base64 string (also adding underscore and hyphen to the character set). Once it’s Base64-decoded, the string contains two offsets, with each offset pointing to a different location in the corresponding .key file. This way, the attacker can decrypt the file using these offsets.

For example, after running Hive, we got the following files dropped to the C:\ drive:

  • C:\3bcVwj6j.key
  • C:\l0Zn68cb.key

In this example, a file named myphoto.jpg would be renamed to C:\myphoto.jpg.l0Zn68cb _ -B82BhIaGhI8. As we discuss in the following sections, the new variant’s keys set generation is entirely different from old variants. However, its actual file encryption is very similar.

Keys set generation

A buffer of size 0xCFFF00 bytes is allocated. Using two custom functions to generate random bytes (labeled “random_num_gen” and “random_num_gen_2” for demonstration purposes) the buffer is filled. The first 0xA00000 bytes of this buffer are filled with random bytes and the remaining 0x2FFF00 bytes are simply copied from the first 0x2FFF00 random bytes that were copied earlier to the buffer.

The content of each buffer is a keys set (a collection of symmetric keys). Since two buffers are allocated, there are two keys sets. In the encryption process, the malware randomly selects different keys (byte sequences) for each file from one of the keys set and uses them to encrypt the file by XORing the byte sequence of the keys with the file’s content.

Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 6 – Original keys set generation
Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 7 – Inside get_random_byte

A custom 64-byte hash is prepared for each keys set. This hash will be used later.

Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 8 – Preparing the custom hash of the keys set

After the hash is computed and several other strings are decrypted, the encryption process takes the following steps:

  1. Generate victim_private_key using the same functions introduced above.
Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 9 – Generating victim_private_key
  1. Generate victim_public_key using ECDH with Curve25519. The input is victim_private_key and the basepoint is 9 followed by 31 zeros (embedded in the sample).
Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 10 – Generating victim_public_key
  1. Generate a 24-byte nonce for the XChaCha algorithm, later in Poly1305-XChaCha20.
Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 11 – Generating a 24-byte nonce
  1. Generate shared_secret using ECDH with Curve25519. The input is victim_private_key and hive_public_key. Then, the  shared_secret (as a key) with hive_public_key (as a nonce) is used to derive the derived_key using ChaCha20.
Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 12 – Generating shared_secret
  1. Encrypt the keys set using Poly1305-XChaCha20. The values used for the encryption are the keys set, derived_key, nonce, and the embedded associated data (AD). This function encrypts the keys set and adds a 16-byte authentication tag at the end of the buffer of the encrypted keys. It’s unclear if the authentication tag is ever checked.
Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 13 – Encrypting the keys set

Now that the keys set is finally encrypted, the nonce, victim_public_key, the now-encrypted keys set, and the authentication tag are copied to a new buffer, one after another. This buffer (which we label encrypted_structure_1) is treated as a new keys set, which is again encrypted using the same method described above but with a second hive_public_key. This time, the function outputs new nonce, victim_private_key, and others. Only the associated data is the same.

Finally, the new buffer, which contains the second_nonce, second_victim_public_key, and the encryptedencrypted_structure_1, is written to the root of the drive it’s encrypting (for example, C:\). The create_extension function generates a Base64 string based on the first six bytes of the custom hash that was created earlier. This Base64 string serves as the file name, and the extension of the file is simply “.key”.

Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 14 – Generating a Base64 string based on the first six bytes of the custom hash
Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 15 – Using the Base64 string as the file name

The diagram below illustrates the encryption scheme described above:

Diagram containing icons and arrows illustrating the new Hive variant's encryption scheme.
Figure 16 – The keys set encryption scheme of the new Hive variant

As seen in the diagram above, “Keys sets encryption flow” is executed twice. In the first round it is executed with the original keys set as an input. In the second round it is executed with the “encrypted structure 1” as an input. In its second execution, all other input values are different except the AD (associated data) and the Basepoint 9.

Hence, the following values are new in the second execution: victim_private_key, victim_public_key, hive_public_key, nonce, shared_secret and derived_key.

File encryption

After both keys files are written to the disk, the multi-threaded file encryption starts. Before encrypting each file, the malware checks its name and extension against a list of strings. If there is a match, then the file will not be encrypted. For example, a file with .exe extension will not be encrypted if .exe is in the list of strings. It should be noted that this list is encrypted and decrypted during runtime.

The same file encryption method seen in old variants is used in the new one: two random numbers are generated and used as offsets to the keys set. Each offset is four bytes:

Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 17 – Generating the offsets

For the encryption, the file’s content is XORed with bytes from the keys set, according to the offsets. The file bytes are XORed twice—once according to the first offset and a second time according to the second offset. Files are encrypted in blocks of 0x100000 bytes, with the maximum number of blocks at 100. There is an interval between the encrypted blocks as defined by block_space. After the encryption is finished in memory, the encrypted data is written to the disk, overwriting the original file.

Partial screenshot of a code snippet
Figure 18 – Calculation of number of blocks
Partial screenshot of a code snippet
Figure 19 – Actual encryption of the file bytes
Partial screenshot of a Hive variant's encryption technique in assembly code.
Figure 20 – Reading a file, encrypting it, and writing it back to the disk

Looking at when create_extension is called once file encryption has started, we recognized a similar structure in the previous variant:

Partial screenshot of a Hive variant's structure in assembly code.
Figure 21 – Creating the extension for the file

Let us look at the value (72 D7 A7 A3 F5 5B FF EF 21 6B 11 7C 2A 18 CD 00) in the address of r9 register just before create_extension is called on a file called EDBtmp.log

Partial screenshot of a hexadecimal value

Recall that in the older variants, 0xFF was used as a delimiter to separate the key file name from the offset values. We can also see it here. Converting the first six bytes (72 D7 A7 A3 F5 5B) to Base64 yields the following:

cteno/Vb

And if we step over create_extension, the result is similar—we get cteno_Vb as the .key file name (note: Since Hive uses a different Base64 character set, “/” was replaced with “_”):

Partial screenshot of hexadecimal values

Microsoft will continue to monitor the Hive operators’ activity and implement protections for our customers. The current detections, advanced detections, and indicators of compromise (IOCs) in place across our security products are detailed below.

Recommended customer actions

The techniques used by the new Hive variant can be mitigated by adopting the security considerations provided below:

  • Use the included IOCs to investigate whether they exist in your environment and assess for potential intrusion.

Our recent blog on the ransomware-as-a-service economy has an exhaustive guide on how to protect yourself from ransomware threats that dive deep into each of the following areas. We encourage readers to refer to that blog for a comprehensive guide on:

For Microsoft 365 Defender customers, the following checklist eliminates security blind spots:

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.
  • Use device discovery to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
  • Protect user identities and credentials using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.

Indicators of compromise (IOCs)

The below list provides a partial list of the IOCs observed during our investigation and included in this blog. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Indicator Type Description
f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3 SHA-256 Hive Rust variant payload
88b1d8a85bf9101bc336b01b9af4345ed91d3ec761554d167fe59f73af73f037 SHA-256 Hive Rust variant payload
065208b037a2691eb75a14f97bdbd9914122655d42f6249d2cca419a1e4ba6f1 SHA-256 Hive Rust variant payload
33744c420884adf582c46a4b74cbd9c145f2e15a036bb1e557e89d6fd428e724 SHA-256 Hive Rust variant payload
afab34235b7f170150f180c7afb9e3b4e504a84559bbd03ab71e64e3b6541149 SHA-256 Hive Rust variant payload
36759cab7043cd7561ac6c3968832b30c9a442eff4d536e901d4ff70aef4d32d SHA-256 Hive Rust variant payload
481dc99903aa270d286f559b17194b1a25deca8a64a5ec4f13a066637900221e SHA-256 Hive Rust variant payload
6e5d49f604730ef4c05cfe3f64a7790242e71b4ecf1dc5109d32e811acf0b053 SHA-256 Hive Rust variant payload
32ff0e5d87ec16544b6ff936d6fd58023925c3bdabaf962c492f6b078cb01914 SHA-256 Hive Rust variant payload

NOTE: These indicators shouldn’t be considered exhaustive for this observed activity.

Detections

Microsoft 365 Defender

Microsoft Defender Antivirus

Microsoft Defender Antivirus provides detection for this threat under the following family names with build version 1.367.405.0 or later.

  • Ransom:Win64/Hive
  • Ransom:Win32/Hive

Microsoft Defender for Endpoint detection

Microsoft Defender for Endpoint customers may see any or a combination of the following alerts as an indication of possible attack. These alerts are not necessarily an indication of a Hive compromise, but should be investigated:

  • Ransomware behavior detected in the file system
  • File backups were deleted
  • Possible ransomware infection modifying multiple files
  • Possible ransomware activity
  • Ransomware-linked emerging threat activity group detected

Advanced hunting queries

Microsoft Sentinel

To locate possible Hive ransomware activity mentioned in this blog post, Microsoft Sentinel customers can use the queries detailed below:

Identify Hive ransomware IOCs

This query identifies a match across various data feeds for IOCs related to Hive ransomware.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HiveRansomwareJuly2022.yaml

Identify backup deletion

This hunting query helps detect a ransomware’s attempt to delete backup files.

https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/BackupDeletion.yaml

Identify Microsoft Defender Antivirus detection of Hive ransomware

This query looks for Microsoft Defender Antivirus detections related to the Hive ransomware and joins the alert with other data sources to surface additional information such as device, IP, signed-in users, etc.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/HiveRansomwareAVHits.yaml

The post Hive ransomware gets upgrades in Rust appeared first on Microsoft Security Blog.

Toll fraud malware: How an Android application can drain your wallet

Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware – and it continues to evolve.

Compared to other subcategories of billing fraud, which include SMS fraud and call fraud, toll fraud has unique behaviors. Whereas SMS fraud or call fraud use a simple attack flow to send messages or calls to a premium number, toll fraud has a complex multi-step attack flow that malware developers continue to improve.

For example, we saw new capabilities related to how this threat targets users of specific network operators. It performs its routines only if the device is subscribed to any of its target network operators. It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available. Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user’s consent, in some cases even intercepting the one-time password (OTP) to do so. It then suppresses SMS notifications related to the subscription to prevent the user from becoming aware of the fraudulent transaction and unsubscribing from the service.

Another unique behavior of toll fraud malware is its use of dynamic code loading, which makes it difficult for mobile security solutions to detect threats through static analysis, since parts of the code are downloaded onto the device in certain parts of the attack flow. Despite this evasion technique, we’ve identified characteristics that can be used to filter and detect this threat. We also see adjustments in Android API restrictions and Google Play Store publishing policy that can help mitigate this threat.

Toll fraud has drawn media attention since Joker, its first major malware family, found its way to the Google Play Store back in 2017. Despite this attention, there’s not a lot of published material about how this type of malware carries out its fraudulent activities. Our goal for this blog post is to share an in-depth analysis on how this malware operates, how analysts can better identify such threats, and how Android security can be improved to mitigate toll fraud. This blog covers the following topics:

The WAP billing mechanism: An overview

To understand toll fraud malware, we need to know more about the billing mechanism that attackers use. The commonly used type of billing in toll fraud is Wireless Application Protocol (WAP). WAP billing is a payment mechanism that enables consumers to subscribe to paid content from sites that support this protocol and get charged directly through their mobile phone bill. The subscription process starts with the customer initiating a session with the service provider over a cellular network and navigating to the website that provides the paid service. As a second step, the user must click a subscription button, and, in some cases, receive a one-time password (OTP) that has to be sent back to the service provider to verify the subscription. The overall process is depicted below:

A diagram of how the Wireless Application Protocol billing process works. Interactions between the mobile device and premium service provider are mapped out, from the moment the device browses through services until the confirmation of service subscription.
Figure 1. The WAP billing process in a nutshell

It should be noted that the process depends on the service provider, thus not all steps are always present. For example, some providers do not require an OTP, which means that the mobile user can subscribe to a service by simply clicking the subscription button while the device is connected to a cellular network.  

Fraudulent subscriptions via toll fraud

We classify a subscription as fraudulent when it takes place without a user’s consent. In the case of toll fraud, the malware performs the subscription on behalf of the user in a way that the overall process isn’t perceivable through the following steps:

  1. Disable the Wi-Fi connection or wait for the user to switch to a mobile network
  2. Silently navigate to the subscription page
  3. Auto-click the subscription button
  4. Intercept the OTP (if applicable)
  5. Send the OTP to the service provider (if applicable)
  6. Cancel the SMS notifications (if applicable)

One significant and permissionless inspection that the malware does before performing these steps is to identify the subscriber’s country and mobile network through the mobile country codes (MCC) and mobile network codes (MNC). This inspection is done to target users within a specific country or region. Both codes can be fetched by using either the TelephonyManageror the SystemPropertiesclass. The TelephonyManager.getSimOperator() API call returns the MCC and MNCcodes as a concatenated string, while other functions of the same class can be used to retrieve various information about the mobile network that the device is currently subscribed to. As the network and SIM operator may differ (e.g., in roaming), the getSimOperatorfunction is usually preferred by malware developers.

The same type of information can be fetched by using the SystemProperties.get(String key) function where the key parameter may be one or several (using multiple calls) of the following strings: gsm.operator.numeric, gsm.sim.operator.numeric, gsm.operator.iso-country, gsm.sim.operator.iso-country, gsm.operator.alpha, gsm.sim.operator.alpha

The difference with the first call is that the android.os.SystemProperties class is marked as @SystemApi, therefore an application has to use Java reflection to invoke the function. The MNC and MCC codes are also used to evade detection, as the malicious activity won’t be performed unless the SIM operator belongs to the ones targeted:

A screenshot of code snippet from the Joker malware. The code specifies that the malware will only run if the device is under a South African mobile operator.
Figure 2. Joker malware running its payload, targeting South African mobile operators

The following sections present an analysis of the fraudulent subscription steps in the context of the Android operating system. This analysis can help identify the API calls and the permissions needed for the implementation of a toll fraud scheme.

Forcing cellular communication

Variants of toll fraud malware targeting Android API level 28 (Android 9.0) or lower disable the Wi-Fi by invoking the setWifiEnabled method of the WifiManager class. The permissions needed for this call are ACCESS_WIFI_STATE and CHANGE_WIFI_STATE. Since the protection level for both permissions is set to normal, they are automatically approved by the system.

Meanwhile, malware targeting a higher API level uses the requestNetwork function of the ConnectivityManagerclass. The Android developers page describes the requestNetwork method as:

This method will attempt to find the best network that matches the given NetworkRequest, and to bring up one that does if none currently satisfies the criteria. The platform will evaluate which network is the best at its own discretion. Throughput, latency, cost per byte, policy, user preference and other considerations may be factored in the decision of what is considered the best network.

The required permission for this call is either CHANGE_NETWORK_STATE (protection level: normal) or WRITE_SETTINGS(protection level: signature|preinstalled|appop|pre23), but since the latter is protected, the former is usually preferred by malware developers. In the code snippet depicted below from a malware sample that can perform toll fraud, the function vgy7is requesting a TRANSPORT_CELLULAR transport type (Constant Value: 0x00000000) with NET_CAPABILITY_INTERNET (Constant Value: 0x0000000c):

A screenshot of code snippet from a Joker malware where the malware requests for a TRANSPORT_CELLULAR transport type.
Figure 3. Code from a Joker malware sample requesting a TRANSPORT_CELLULAR transport type

Figure 3. Code from a Joker malware sample requesting a TRANSPORT_CELLULAR transport type

The NetworkCallbackis used to monitor the network status and retrieve a networktype variable that can be used to bind the process to a particular network via the ConnectivityManager.bindProcessToNetworkfunction. This allows the malware to use the mobile network even when there is an existing Wi-Fi connection. The proof-of-concept code depicted below uses the techniques described above to request a TRANSPORT_CELLULAR transport type. If the transport type is available, it binds the process to the mobile network to load the host at example.com in the application’s WebView:

A screenshot of proof-of-concept code to demonstrate a request for a TRANSPORT_CELLULAR transport type.
Figure 4. Proof-of-concept code to request a TRANSPORT_CELLULAR transport type

While it is expected that the Wi-Fi connection is preferred even when mobile connection is also available, the process exclusively uses the cellular network to communicate with the server:

A screenshot of two Android mobile browser screens, side by side. The browser screen on the left loads the content of example.com, while the browser screen on the right loads a blank page.
Figure 5. The mobile browser loads example.com when TRANSPORT_CELLULAR transport type is available and loads a blank page when only Wi-Fi is available

In fact, the user must manually disable mobile data to prevent the malware from using the cellular network. Even though the setWifiEnabledhas been deprecated, it can still be used by malware targeting API level 28 or lower.

Fetching premium service offers and initiating subscriptions

Assuming that the SIM operator is on the target list and the device is using a TRANSPORT_CELLULARtype network, the next step is to fetch a list of websites offering premium services and attempt to automatically subscribe to them.

The malware will communicate with a C2 server to retrieve a list of offered services. An offer contains, between else, a URL which will lead to a redirection chain that will end up to a web page, known as landing page.

What happens next depends on the way that the subscription process is initiated, thus the malware usually includes code that can handle various subscription flows. In a typical case scenario, the user has to click an HTML element similar to the one depicted below (JOIN NOW), and as a second step, send a verification code back to the server:

A screenshot of a website offering subscriptions to apps and premium services. There are two banners on the website, with the one above displaying the text "Join Now". The banner at the bottom displays sports-related images (football and car racing).
Figure 6. A subscription page that’s loaded in the background without the user’s knowledge.

For the malware to do this automatically, it observes the page loading progress and injects JavaScript code designed to click HTML elements that initiate the subscription. As the user can only subscribe once to one service, the code also marks the HTML page using a cookie to avoid duplicate subscriptions. The following is an example of such a code:

Figure 7. JavaScript injected code scraping related HTML elements

On line 76, getElementsByTagNamereturns a collection of all the Document Object Model (DOM) elements tagged as input. The loop on line 78 goes through every element and checks its typeas well as its name, value, and altproperties. When an element is found to contain keywords, such as “confirm”, “click”, and “continue”, it is sent to the cfunction, as depicted below:

A screenshot of JavaScript code of a function where it simulates clicks on selected HTML elements.
Figure 8. JavaScript function simulating clicks on selected HTML elements

The if statement on line 36 checks if the element has already been clicked by calling the jdh function, displayed below in Figure 12. Finally, the c function invokes the click() or submit() function by the time the branch on line 37 (see figure 11) is followed:

A screenshot of the JavaScript code where the malware checks if a premium service page has already been visited.
Figure 9. JavaScript code checking if the page has already been visited

The HTML page loading process is tracked using an onPageFinishedcallback of the WebViewClientattached to the WebView. Subsequently, a handler that listens for relative message types acts depending on the next steps that are required for the subscription to take place. In the code snippet below, the URL loaded in the WebView and a signalwith id “128”is sent to handler2to evaluate the service and initiate the subscription process:

A screenshot of malware code where it checks for specific message types to determine the next steps required for a subscription to take place.
Figure 10. Malware evaluating the steps required to initiate the subscription process

Multi-step or target subscription processes may require additional verification steps. The handler depicted below checks the page URL loaded in the WebView. If the URL matches doi[.]mtndep.co.za/service/, then the handler runs the JavaScript code assigned to the Properties.call_jbridge_dump variable:

A screenshot of malware code where it identifies the conditions required to determine what routine to run next. It assigns code based on specific conditions such as URL displayed.
Figure 11. Malware running code depending on certain conditions

A signal with id “107” triggers some additional steps that require communication with the command and control (C2) server. This case is demonstrated in the following figures:

A screenshot of malware code that is run when a signal with the ID number "107" is identified.
Figure 12. Malware running code depending on the specific signal id

Upon receiving the signal, the handler invokes the v1.bhu8 function:

A screenshot of malware code where the handler invokes the v1.bhu8 function. The said function checks if a service related to anti-fraud protection is running on the device.
Figure 13. Malware attacking anti-fraud protection

After checking for the web-zdm[.]secure-d[.]io/api/v1/activatein the server’s reply, the malware invokes the tpack[.]l2.bhu8[.]vgy7 function. This function sends the current URL loaded in the application’s WebView as well as some extra information like country code, and HTML code:

A screenshot if malware code where the malware sends information from the device to its C2 server. Sent information include country code, the HTML code of the website shown on the browser.
Figure 14. Malware sending information to the C2 server
A screenshot of malware code where a solver-type service is offered by the C2 server.
Figure 15. A solver-type service offered by the C2 server

Intercepting OTPs

In most cases, the service provider sends an OTP that must be sent back to the server to complete the subscription process. As the OTP can be sent by using either the HTTP or USSD protocol or SMS, the malware must be capable of intercepting these types of communication. For the HTTP protocol, the server’s reply must be parsed to extract the token. For the USSD protocol, on the other hand, the only way to intercept is by using the accessibility service.

One method of intercepting an SMS message, requiring android.permission.RECEIVE_SMS permission, is to instantiate a BroadcastReceiver that listens for the SMS_RECEIVED action.

The following code snippet creates a BroadcastReceiverand overrides the onReceivecallback of the superclass to filter out messages that start with “rch”:

A screenshot of malware code where the malware filters SMS messages that start with "rch"
Figure 16. Code that filters out SMS messages that start with “rch”

Subsequently, it creates an IntentFilter, which renders the receiver capable of listening for an SMS_RECEIVED action, and finally the receiver is registered dynamically:

A screenshot of the IntentFilter code, enabling the receiver to listen for any received SMS messages.
Figure 17. The IntentFilter enabling the receiver to listen for an SMS_RECEIVED action

To handle OTP messages that are sent using the HTTP protocol, the malware parses the HTML code to search for keywords indicating the verification token. The following code contains a flow where the extracted token is sent to the server using the sendTextMessage API call:

A screenshot of the malware code where an extracted verification token from the OTP message is sent to the C2 server. The code indicates that this is done through the sendTextMessage API.
Figure 18. Extracted token is sent to the C2 server using the sendTextMessage API call

The additional permission that is required to enable this flow is SEND_SMS.

Another way of intercepting SMS messages is to extend the NotificationListenerService. This service receives calls from the system when new notifications are posted or removed, including the ones sent from the system’s default SMS application. The code snippet below demonstrates this functionality:

A screenshot of malware code where the NotificationLIstenerService is extended. This enables the app to receive calls from the system when new notifications are posted or removed.
Figure 19. Extending the NotificationListenerService service

We triggered a notification with the title “SMS_Received” and text “Pin:12345” during our analysis, resulting in the following output in the application’s logcat:

A screenshot of the malware's logcat. The logcat output shows that it is able to capture contents of a notification received by the device.
Figure 20. Logcat output after a notification is posted

Finally, besides the broadcast receiver and the notification listener techniques of intercepting an SMS message, a ContentObserver can be used to receive callbacks for changes to specific content. The onChange callback of the SmsObserver class (depicted below) is called each time the system changes the SMS content provider state:

A screenshot of proof-of-concept code to demonstrate how the malware monitors for incoming SMS messages.
Figure 21. The proof-of-concept code monitoring for incoming SMS messages through SmsObserver

Suppressing notifications

Since API level 18, an application that extends the NotificationListenerService is authorized to suppress notifications triggered from other applications. The relevant API calls are:

  • cancelAllNotifications() to inform the notification manager to dismiss all notifications
  • cancelNotification(String key) to inform the notification manager to dismiss a single notification
  • cancelNotifications(String [] keys) to inform the notification manager to dismiss multiple notifications at once.

This API subset is abused by malware developers to suppress service subscription notification messages posted by the default SMS application. More specifically, upon successful subscription, the service provider sends a message to the user to inform them about the charges and offers the option to unsubscribe. By having access to the notification listener service, the malware can call any of the functions mentioned above to remove the notification.

Using dynamic code loading for cloaking

Cloaking refers to a set of techniques used to hide malicious behavior. For example, most toll fraud malware won’t take any action if the mobile network is not among its targets. Another example of a cloaking mechanism used by these threats is dynamic code loading. This means that certain malware codes are only loaded when certain conditions are met, making it difficult to detect by static analysis.

The following is a characteristic example of a multi-stage toll fraud malware with SHA-256: 2581aba12919ce6d9f89d86408d286a703c1e5037337d554259198c836a82d75 and package name: com.cful.mmsto.sthemes.

Stage one

This malware’s entry point is found to be the com.android.messaging.BugleApplication, a subclass of the Application class. The malicious flow leads to the function below:

A screenshot of malware code showing the function where the entry point of the malware leads to. This is the starting point of the dynamic code loading done by the malware.
Figure 22. The function where the entry point of the malware leads to

The call on line 21 fills the filesarray with the filenames fetched from the assets directory. The for loop enters theif branch at line 32 if the name of the asset file ends with “355”. Querying the asset files of the app for such a filename yields the following result:

A screenshot of the result when querying the malware's asset file for a file name that ends with "355". The result is a file with the name PhoneNUmberAlternateFormatsProto_355
Figure 23. Query result when searching for “355”

The PhoneNumberAlternateFormatsProto_355 is the source file which, in conjunction with a destination file and the string “xh7FEC2clYuoNQ$ToT99ue0BINhw^Bzy”, is given as parameters to the ns.j function:

A screenshot of the code of the ns.j function. It shows that the function accepts parameters from the source file PhotoNumberAlternateFormatsProto_355.
Figure 24. The ns.j function

The SecretKeySpec on line 68 is constructed from the first 16 bytes of the SHA-1 digest of the password string. This key is used to decrypt the file fetched from the assets using Advanced Encryption Standard (AES) in electronic codebook (ECB) mode. The decryption result is an ELF file that is saved in the application’s cache directory and loaded using the System.load function.

Stage two

The loaded library fetches the PhoneNumberAlternateFormatsProto_300file from the assets folder using the AAssetManager_fromJava function and writes it to a temporary file with the name b in the /data/data/<package_name>/ directory, as seen on line 93 below:

A screenshot of code wherein the malware fetches the second payload from the assets directory.
Figure 25. Fetching the second payload from the assets directory.

The file b is then decrypted using an XOR operation with the key “xh7FEC2clYuoNQ$ToT99ue0BINhw^Bzy”, which is given from the Java side (see following figures). The decrypted payload is saved with the name l in the application’s data directory:

A screenshot of code where the malware decrypts the asset with the name "l_file_fd".
Figure 26. Decrypting asset

Figure 27. The native handleTask called from the Java code

The same function loads the decrypted payload l and invokes the com.AdsView.pulgn using the DexClassLoader class loader (variable names have been changed for clarity):

A screenshot of the malware code where it loads the decrypted asset using the DexClassLoader class loader.
Figure 28. Dynamically loading the decrypted asset using the DexClassLoader

Decrypting the second payload manually yields the following APK file:

A screenshot of the code of the decrypted asset which is an APK file.
Figure 29. The decrypted APK file

It must be mentioned that the DexClassLoadercan be used to load classes from .jar and .apk files that contain a classes.dex entry.

Stage three

This decrypted APK consists of two main classes: the com.Helperand com.AdsView. The com.AdsView.pulgnfunction is the first to be invoked by the native library described in the previous section:

A screenshot of the code for the pulgn function, which is the first to be invoked once the payload is loaded.
Figure 30. pulgn is the first function to be invoked when the payload is loaded

The runnable thread’s main functionality is to connect the host to xn3o[.]oss-accelerate[.]aliyuncs[.]com and download a JAR file named xn30, which is saved to the cache directory with name nvi and then loaded using the startSdk function, as shown on line 81 below:

A screenshot of the malware code where it triggers the download of the final payload.
Figure 31. Download and trigger the final payload

The file xn30 is the final payload of stage three and is the one that performs the toll fraud activities previously described.

Mitigating the threat of toll fraud malware

Toll fraud is one of the most common malware categories with high financial loss as its main impact. Due to its sophisticated cloaking techniques, prevention from the side of the user plays a key role in keeping the device secure. A rule of thumb is to avoid installing Android applications from untrusted sources (sideloading) and always follow up with device updates. We also recommend end users take the following steps to protect themselves from toll fraud malware:

  • Install applications only from the Google Play Store or other trusted sources.
  • Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it. These are powerful permissions that are not commonly needed.
  • Use a solution such as Microsoft Defender for Endpoint on Android to detect malicious applications.
  • If a device is no longer receiving updates, strongly consider replacing it with a new device.

Identifying potential malware

For security analysts, it is important to be aware that conventional mitigation techniques based on static detection of malware code patterns can only offer limited remediation against this malware. This is due to the extended use of reflection, encryption, compression, obfuscation, steganography, and dynamic code loading.

There are, however, characteristics that can be used to identify this type of malware. We can classify these characteristics into three:

  • Primary characteristics – patterns in plaintext included in the application that can be analyzed statically
  • Secondary characteristics – common API calls used to conduct toll fraud activities
  • Tertiary characteristics – patterns in Google Play Store metadata such as the application’s category, the developer’s profile, and user reviews, among others

The tertiary characteristics are useful for initial filtering for potential malware. Patterns observed in the apps’ metadata are related to malware developers’ attempts to infect as many devices as possible in a short amount of time, while remaining published on the Google Play Store for as long as they can. We’ve observed that attackers often follow these steps to keep their apps in the Google Play Store:  

  1. Use open-source applications that belong to popular categories and can be trojanized with minimal effort. The preferred application categories include personalization (like wallpaper and lock screen apps), beauty, editor, communication (such as messaging and chat apps), photography, and tools (like cleaner and fake antivirus apps).
  2. Upload clean versions until the application gets a sufficient number of installs.
  3. Update the application to dynamically load malicious code.
  4. Separate the malicious flow from the uploaded application to remain undetected for as long as possible.

These applications often share common characteristics:

  • Excessive use of permissions that are not suitable to the application’s usage (for example, wallpaper, editor, and camera apps that bind the notification listener service or ask for SMS permissions)
  • Consistent user interfaces, with similar icons, policy pages, and buttons
  • Similar package names
  • Suspicious developer profile (fake developer name and email address)
  • Numerous user complaints in the reviews

Once potential malware samples are identified based on these tertiary characteristics, the primary characteristics can be used for further filtering and confirmation. Applications cannot obfuscate their permission requests, use of the notification listener service, or use of accessibility service. These requests must appear in the AndroidManifest.xml file within the APK, where they can be easily detected using static analysis. The commonly requested permissions by malware performing toll fraud may include: READ_SMS, RECEIVE_SMS, SEND_SMS, CHANGE_WIFI_STATE, ACCESS_WIFI_STATE, CHANGE_NETWORK_STATE. Requests for notification listener and accessibility service should be considered extremely suspicious.

Secondary characteristics also include suspicious API calls including: setWifiEnabled, requestNetwork, setProccessDefaultnetwork, bindProcessToNetwork, getSimOperator and cancelAllNotifications. However, since these calls may be obfuscated and may be hard to identify during static analysis, a more in-depth analysis may be necessary for certainty.

Improving Android security and privacy

Google continuously improves Android security and privacy as the mobile threat landscape evolves and new threats and adversary techniques are discovered. For example, in the operating system, API calls that can reveal potentially sensitive information continue to be removed or restricted, and in the Google Play Store, the publication policies guard against use of certain high-risk permissions (for example, the ability to receive or send SMSs) by requiring a Permission Declaration Form to be completed justifying their use. We anticipate Android security will continue to evolve to address abuse.

As discussed, applications currently can identify the cellular network operator and can send network traffic over the cellular network without any transparency to the user. Additionally, applications can request access to read and dismiss notifications, a very powerful capability, without needing to justify this behavior.

Conclusion

Toll fraud has been one of the most prevalent types of Android malware in Google Play Store since 2017, when families like Joker and their variants made their first appearance. It accounted for 34.8% of installed Potentially Harmful Application (PHA) from the Google Play Store in the first quarter of 2022, ranking second only to spyware.

By subscribing users to premium services, this malware can lead to victims receiving significant mobile bill charges. Affected devices also have increased risk because this threat manages to evade detection and can achieve a high number of installations before a single variant gets removed.

With this blog, we want to inform end users about the details of this threat and how they can protect themselves from toll fraud. We also aim to provide security analysts with guidance on how to identify other malicious applications that use these techniques.

Our in-depth analysis of this threat and its continuous evolution informs the protection we provide through solutions like Microsoft Defender for Endpoint on Android.

Learn how Microsoft Defender for Endpoint provides cross-platform security, including mobile threat defense capabilities.

Dimitrios Valsamaras and Sang Shin Jung
Microsoft 365 Defender Research Team

Appendix

Samples (SHA-256)

Sample SHA-256
Initial APK file 2581aba12919ce6d9f89d86408d286a703c1e5037337d554259198c836a82d75 (com.cful.mmsto.sthemes)
Payload of stage two: Elf File (loader) 904169162209a93ac3769ae29c9b16d793d5d5e52b5bf198e59c6812d7d9eb14 (PhoneNumberAlternateFormatsProto_355, decrypted)
Payload of stage three: APK (hostile downloader) 61130dfe436a77a65c04def94d3083ad3c6a18bf15bd59a320716a1f9b39d826 (PhoneNumberAlternateFormatsProto_300, decrypted)
Payload of stage four: DEX (billing fraud) 4298952f8f254175410590e4ca2121959a0ba4fa90d61351e0ebb554e416500f

Common API calls and permissions

API Calls Permissions SDK
setWifiEnabled CHANGE_WIFI _STATE ACCESS_WIFI_STATE <29
requestNetwork CHANGE_NETWORK_STATE >28
setProcessDefaultNetwork   <23
bindProcessToNetwork   >22
getActiveNetworkInfo ACCESS_NETWORK_STATE  
getSimOperator    
get (SystemProperties)    
addJavascriptInterface    
evaluateJavascript   >18
onPageFinished    
onPageStarted    
onReceive for SMS BroadcastReceiver w/ android.provider.Telephony.SMS_RECEIVED RECEIVE_SMS >19
createFromPdu RECEIVE_SMS  
getMessageBody    
onChange for SMS ContentObserver w/ android.provider.telephony.SmsProvider’s content URI (“content://sms”) READ_SMS  
sendTextMessage    
onNotificationPosted    

References

The post Toll fraud malware: How an Android application can drain your wallet appeared first on Microsoft Security Blog.

Using process creation properties to catch evasion techniques

We developed a robust detection method in Microsoft Defender for Endpoint that can catch known and unknown variations of a process execution class used by attackers to evade detection. This class of stealthy execution techniques breaks some assumptions made by security products and enables attackers to escape antimalware scans by circumventing process creation callbacks using a legacy process creation syscall. Publicly known variations of this class are process doppelganging, process herpaderping, and process ghosting.

Evasion techniques used by attackers often involve running malware within the context of a trusted process or hiding code from filesystem and memory scanners. More sophisticated attackers even carefully choose their process host so that their actions are run by a process that often performs these actions for benign reasons. For example, a browser process communicating with the internet seems completely normal, while an instance of cmd.exe doing the same sticks out like a sore thumb. This class of stealthy execution techniques, however, allows malware to create its own malicious process and prevent antimalware engines from detecting it.

This blog post presents our detailed analysis of how this process execution class works and how it takes advantage of Windows functionalities to evade detection. It also presents a peek into the research, design, and engineering concerns that go into the development of a detection method aiming to be as robust and future-proof as possible.

Common classes of stealthy process execution

On Windows systems, most methods attackers use to run code within another process fall within two classes: process injection and process hollowing. These classes allow attackers to run their code within another process without explicitly creating it from an executable, or making it load a dynamic link library (DLL).  Similar classes of techniques are often also called process injection, but this term will be used in a more specific definition for clarity.

Process injection

Process injection, the widest and most common class, consists of different techniques that introduce attacker-supplied executable memory into an already running process. Techniques in this class consist of two main parts:

  • Write primitive: A Windows API function, or a set of APIs, used to introduce malware into the target process.
  • Execution primitive: A Windows API method to redirect the execution of the process to the code provided by the attacker.

An example of a classic process injection flow is malware using the VirtualAllocEx API to allocate a buffer within a target process, WriteProcessMemory to fill that buffer with the contents of a malware module, and CreateRemoteThread to initiate a new thread in the target process, running the previously injected code.

Process hollowing

In process hollowing, instead of abusing an already running process, an attacker might start a new process in a suspended state and use a write primitive to introduce their malware module before the process starts running. By redirecting the entry point of the process before unsuspending, the attacker may run their code without using an explicit execution primitive.

Variants (and sometimes combinations) of both classes exist and differ from each other mostly by the  APIs being used. The APIs vary because a different function used to achieve the goal of one of the steps may not go through the numerous points at which an endpoint protection product intercepts such behavior, which can break detection logic.

New stealth techniques

In the past few years, stealth techniques from a process execution class have emerged that don’t strictly fit into any of the previously mentioned classes. In this class, instead of modifying the memory of an already created (but perhaps not yet executing) process, a new process is created from the image section of a malware. By the time a security product is ready to scan the file, the malware bits aren’t there anymore, effectively pulling the rug from under antimalware scanners. This technique requires defenders to use a different detection method to catch attacks that use it. As of today, the following variations of this class are known publicly as the following:

  • Process doppelganging1: Abusing transactional NTFS features to create a volatile version of an executable file used for process creation, with the file never touching the disk.
  • Process herpaderping2: Utilizing a writable handle to an executable file to overwrite the malware bits on disk before antimalware services can scan the executable, but after a process has already been created from the malicious version.
  • Process ghosting3: Abusing a handle with delete permissions to the process executable to delete it before it has a chance to be scanned.

This process execution class, including the variations mentioned above, takes advantage of the way the following functionalities in the operating system are designed to evade detection by security products:

  • Antimalware engines don’t scan files after every single modification.
  • Process creation callbacks, the operating system functionality that allows antimalware engines to scan a process when it’s created, is invoked only when the first thread is inserted into a process.
  • NtCreateProcessEx, a legacy process creation syscall, allows the creation of a process without populating it with any thread.

The following sections explain in more detail how these functionalities are abused.

When are files scanned?

A key feature of this process execution class is circumventing a file scan. Ideally, files are scanned whenever they’re modified. Otherwise, an attacker could simply modify an existing file into a malicious one, use it to create a process, and then either revert the file or delete it. So, why aren’t files scanned on every file change?

The answer lies in performance concerns. Consider a scenario in which a 1MB file is opened, and it’s overwritten by calling an API like WriteFile for every byte that needs to be overwritten. While only 1MB would be written to disk, the file would have to be scanned one million times, resulting in ~1 terabyte of data being scanned!

While the example is a good way to assure no detectably malicious content is written to disk, the amount of computing power it will use up makes it an unviable solution. Even a caching solution would simply shift the high resource usage to memory, as a product would need to keep information about the content of every single open file on the machine to be useful.

Therefore, the most common design for file scanning engines ignores the various transient states of the file content and initiates a scan whenever the handle to the file is closed.  This is an optimal signal that an application is done modifying a file for now, and that a scan would be meaningful. To determine what the file is about to execute as a process, the antimalware engine scans the file’s content at the time of process creation through a process creation callback.

Process creation callbacks in the kernel, such as those provided by the PsSetCreateProcessNotifyRoutineEx API, is the functionality in the operating system that allows antimalware engines to inspect a process while it’s being created. It can intercept the creation of a process and perform a scan on the relevant executable, all before the process runs.

Process creation notification isn’t invoked right when a process creation API is called, but rather when the first thread is inserted into a process. But since NtCreateUserProcess, the syscall used by all common high-level APIs to create a process, is designed to do a lot of the work required to create a process in the kernel, the insertion of the initial thread into the created process happens within the context of the syscall itself. This means that the callback launches while the process is still being created, before user mode has a chance to do anything.

A screenshot of code with a list of process creation callbacks invoked from the syscall NtCreateUserProcess.
Figure 1. Process creation callbacks being invoked from NtCreateUserProcess

The call stack indicates that in this scenario, PspCallProcessNotifyRoutines, the function responsible for invoking process creation callbacks, is called from PspInsertthread during the insertion of the initial thread into the process. It also indicates that the subsequent process creation callbacks are all called from within NtCreateUserProcess, and that they both finish executing before the syscall returns. This enables the antimalware to scan the process for malware activity as it’s created. This works if the process is created using NtCreateUserProcess. However, as researchers have found, there are other ways to create a process apart from this syscall.

How are processes created?                                                                                        

The syscall NtCreateUserProcess has only been available since the release of Windows Vista. Processes created by the CreateProcess API or any API using the NtCreateUserProcess syscall only provide the path to the executable. Meanwhile, the kernel opens the file without any share access that could allow modification (no SHARE_WRITE/SHARE_DELETE), creates an image section, and returns to user mode with the process pretty much ready to run (most legitimate Windows processes would require additional work to be done in user mode to operate correctly, but the NtCreateUserProcess syscall does the minimum work needed for a process to execute some code). This means that an attacker doesn’t have the time or the capability to modify an executable file after calling NtCreateUserProcess, but only before it’s scanned.

Versions of the NT kernel prior to the release of Windows Vista used a different syscall called NtCreateProcessEx. This function doesn’t adhere to the principle of doing a lot of the work in the kernel and in fact delegates a lot of the work normally associated with process creation on modern Windows platforms to user mode.

Screenshot of code of the function signature of the syscall NtCreateProcessEx. Unlike NtCreateUserProcess, this syscall does not have contain code that receives a path argument.
Figure 2. The function signature of NtCreateProcessEx. Note the absence of a path argument and the presence of SectionHandle.

One difference between the two is that NtCreateProcessEx doesn’t receive a path to the process executable as an argument, as is the case with NtCreateUserProcess.  NtCreateProcessEx expects the application to open the file on its own and create an image section from that file, which will be used as the main image section of the process, and the handle to which will be passed to NtCreateProcessEx.

Also, unlike NtCreateUserProcess, NtCreateProcessEx  creates a process object without populating the process with any threads, and the user application needs to explicitly insert the initial thread into the process using an API like NtCreateThread.

A screenshot of a callstack with the invocation of PspCallProcessNotifyRoutine and PspInsertThread. It is observed that the invocation of both happens from within NtCreateThreadEx.
Figure 3. In this callstack, the invocation of PspCallProcessNotifyRoutine and PspInsertThread happens from within NtCreateThreadEx, not from within a process creation syscall.

Combining this information with what we know about process creation callbacks allows us to come up with a generic flow for this stealthy process creation technique:

  1. The attacker opens the malware file and brings it into a transient modifiable state (writable without closing a handle, delete pending or an uncommitted transaction, and some other unpublished ones) while having malware content. The attacker doesn’t close the file yet.
  2. The attacker creates an image section from the file handle using NtCreateSection(Ex).
  3. The attacker creates a process using the image section handle as input.
  4. The attacker reverts the file’s transient state to a benign state (the file is deleted or overwritten, or a transaction is rolled back), and the handle is closed. At this point, the bits of the malware still exist in memory as the image section object is still there, but there is no trace of the malware content on the disk.
  5. The attacker inserts the initial thread into the process, and only then will the process creation notification callback for that process be launched. At that point, there is no malware content left to scan.
  6. The attacker now runs the malware process without its backing file ever being scanned.

In this generalized flow, a security product should be able to detect any variation of the technique if it can recognize that the process was created using the legacy NtCreateProcessEx syscall, which allows an adversary to run the process from a file in a transient state.

Of course, one could circumvent the need for NtCreateProcessEx by performing a similar trick with loading DLLs. However, in this scenario, the adversary can either load a new DLL into a process they already have full code execution capabilities without changing its identity, or remotely place the offending DLL into another process, performing what is essentially process injection. In both cases, the technique’s effectiveness as an evasion method is greatly diminished.

Detecting legacy process creation

The first anomaly to recognize to detect attacks using this technique is to find out whether a process was created using the legacy NtCreateProcessEx syscall.

The simplest way to do so would be to utilize user-mode hooking on the appropriate function in the NTDLL library. However, this approach would be easy to bypass, as it’s assumed that the adversary has arbitrary execution capabilities in the process calling the syscall. This means they would be able to unhook any functions intercepted by a security product, or simply directly call the syscall from their own assembly code. Even if the security product was to traverse the user-mode call stack from a process creation callback and check the return address against known values, the product would still be subject to evasion since an attacker could employ some creative pushes and jumps in assembly code to construct a spoofed user-mode call stack to their liking.

To create a robust detection for this behavior, information that can’t be modified or spoofed by a user-mode adversary should be used. A good example of this is a Windows file system concept called extra create parameters (ECPs).

ECPs are concepts that allow the kernel or a driver to attach some key-value information to a file create/open operation. The idea is very similar to extended file attributes, but instead of applying to an entire file on disk, ECPs are a transient property related to a specific instance of an open file. This mechanism allows the operating system and drivers to respond to a file being opened under some special circumstances.

An example of such special circumstances is a file being opened via Server Message Block (SMB). When this happens, an SRV_OPEN_ECP_CONTEXT structure is added to the IRP_MJ_CREATE IRP with GUID_ECP_SRV_OPEN as a key.

This ECP context contains information on the socket used for the communication with the SMB client, the name of the share which has been accessed, and some oplock information. A driver would then be able to use this information to appropriately handle the open operation, which might need some special treatment since the operation happened remotely.  

Interestingly, an exported, documented function named FsRtlIsEcpFromUserMode exists to determine whether an ECP originated in user mode or kernel mode. This raises the concern that forgetting to use this function in a driver or the OS would cause potential security issues, as a user mode adversary could spoof an ECP. That isn’t the case, though, as there is no functionality in the OS which allows a user to directly supply any ECP from user mode. The function itself checks whether a specific flag is set in the opaque ECP header structure, but there exists no code in the OS which can modify this flag.

Using ECPs for process creation API recognition

Starting with Windows 10, a very interesting ECP has been added to the operating system whenever a new process is created using NtCreateUserProcess. The GUID_ECP_CREATE_USER_PROCESS ECP and its related CREATE_USER_PROCESS_ECP_CONTEXT context are applied to the IRP_MJ_CREATE operation when the Windows kernel opens the process executable file. This ECP contains the token of the process to be created. In fact, the function used to open the executable path was changed from ZwOpenFile to IoCreateFileEx specifically to support ECPs on this operation.

A screenshot of code showing the CREATE_USER_PROCESS_ECP_CONTEXT.
Figure 4. The CREATE_USER_PROCESS_ECP_CONTEXT

On the other hand, as covered earlier, NtCreateProcessEx doesn’t open the process executable on its own but instead relies on the user to supply a section handle created from a file opened by the user themselves. Seeing as there is no way for the user to set the process creation ECP on their own handle, any process created using NtCreateProcessEx would be missing this ECP on the IRP_MJ_CREATE for its main image. Some cases exist in which the ECP wouldn’t be present even when the legacy API wasn’t used, but those can still be recognized. Barring those cases, the existence of the CREATE_USER_PROCESS ECP in the IRP_MJ_CREATE operation of the file object related to the main image of the process can now be used to precisely differentiate between processes created by NtCreateUserProcess and those created by NtCreateProcessEx.

Detecting processes created from files in a transient state

Since it’s now possible to check when the legacy process creation API has been used, the next step would be to check if the usage of the legacy process creation API was used to abuse the time-of-check-time-of-use (TOCTOU) issue involving process creation callbacks. This means that the executable image used to create the process has been opened and used in a transient state, which would already be rolled back when it’s to be scanned by an antimalware engine. To identify if TOCTOU was abused, it is important to examine the image section of the main executable of the process.

Windows loads executable images into memory and shares their memory between processes using memory sections (also called memory-mapped files). Each FILE_OBJECT structure for an open file contains a member called SectionObjectPointers, which contains pointers to the data and image section control areas relevant to the file, depending on whether if it has been mapped as a data file or an executable. The bits described by such a section may be backed either by a file on disk or by the page file (in which case the bits of the section won’t persist on disk). This property determines whether the mapped section can be flushed and recovered from a file or disk, or simply paged out.

However, an interesting thing happens when the connection between an image section and its backing file is severed. This can happen if, for example, the file is located on a remote machine or some removable storage, Copy-on-Write has been triggered, or most importantly, if the file has been somehow modified after the section has been created or could be modified in the future. During such cases, the image section becomes backed by the page file instead of the original file from which it was created.

A screenshot of the resulting code when the connection between an image section and its backing file is severed. A line of code with the WritableUserReferences member being set is highlighted.
Figure 5. The control area of a section breaking coherency with disk. Note the WritableUserReferences member being set.

The MmDoesFileHaveUserWritableReferences function provides the caller with the number of writable (or, more correctly, modifiable) references to the file object of a section and is used by the kernel transaction manager to preserve the atomicity of transactions. Otherwise, a file can be written, deleted, or simply gone when a transaction is to be committed. This function can be used for detection because a non-zero return value means that section coherency has been broken, and the logic switching the backing of the section to the page file has been triggered. This can help determine that the file is in one of the same transient states needed to abuse TOCTOU and evade detection.

Detection through Microsoft Defender for Endpoint

The two primitives discussed earlier can now be combined into detection logic. First, the absence of the GUID_ECP_CREATE_USER_PROCESS ECP will verify if the process was created using the legacy API NtCreateProcessEx. Then, the function MmDoesFileHaveUserWritableReferences checks if the file’s image section is backed by the page file, confirming that the process was created while the file is in a transient state. Meeting both conditions can determine that TOCTOU has been abused, whether by any of the published techniques, or a variation of it that uses similar concepts but abuses a functionality built into a driver to create a similar effect.

Microsoft Defender for Endpoint can detect each of the known techniques in this class of stealthy process execution and gives out a specific alert for variations of process ghosting, herpaderping, and doppelganging found in the wild. Apart from the specific alerts for each variation, detections exist for the generalized flow and any abuse of the legacy process creation API, including unpublished variations.

A sample screenshot of the notifications from Microsoft Defender for Endpoint for detections related to process ghosting, herpaderping, and doppelganging.
Figure 6. Microsoft Defender for Endpoint detections for variations of process ghosting, herpaderping, and doppelganging.

This blog post shares Windows internals knowledge and showcases a new detection method in Microsoft Defender for Endpoint that can help prevent detection evasion. Since data and signals from Microsoft Defender for Endpoint also feed into Microsoft 365 Defender, this new detection method further enriches our protection technologies, providing customers a comprehensive and coordinated threat defense against threats.

The stealth execution techniques discussed further prove that the threat landscape is constantly evolving, and that attackers will always look for new avenues to evade detection. This highlights the importance of continuous research on potential attack vectors, as well as future-proof solutions. We hope that the principles presented in this blog post can be used by other researchers in developing similar solutions.

Philip Tsukerman, Amir Kutcher, and Tomer Cabouly
Microsoft 365 Defender Research Team


1 https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

2 https://jxy-s.github.io/herpaderping/

3 https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

The post Using process creation properties to catch evasion techniques appeared first on Microsoft Security Blog.

Microsoft at RSA 2022: Envisioning the future of security

June 29th, 2022 No comments

Like most of you, I was glad to see the 2022 RSA Conference return to its in-person roots after a two-year digital hiatus. This year’s event was a great success, drawing 26,000 attendees to three days of cutting-edge security sessions, tutorials, seminars, and special events at Moscone Center in San Francisco. The conference included more than 600 speakers and 400-plus exhibitors, along with hundreds of media representatives. Microsoft Security was on the ground, interacting with customers and security professionals at Microsoft’s 20-plus earned sessions, as well as showcasing new solutions like Microsoft Entra that help realize our goal of comprehensive security.

I was honored to give a keynote address (video courtesy of RSA Conference) on the future of cybersecurity, including a look at where technology and human expertise are headed, as well as why creating a more inclusive and diverse security workforce will be critical in our defense against evolving threats. Also addressing a subject that’s become more urgent with the growth of the decentralized enterprise, my colleague Bret Arsenault, Microsoft Corporate Vice President (CVP) and Chief Information Security Officer (CISO), gave a special presentation on managing Shadow IT. All in all, it was a fun, collegial, and productive five days. Let’s look at some of the highlights.

Vasu Jakkal, Corporate Vice President, Microsoft Security, Compliance, Identity and Privacy, speaking at RSA Conference 2022.

Figure 1. Vasu Jakkal gives the keynote address—Innovation, Ingenuity, and Inclusivity: The Future of Security is Now.

Microsoft Security Hub—you made it shine

Thanks to our guests and some hard work by our onsite team, the Microsoft pre-day event was a huge hit. We registered 430 attendees for this all-day event held on June 5, 2022, at Bespoke Event Center. Attendees were able to partake in Q&As with security experts about Zero Trust, threat intelligence, multicloud protection, risk management, and how Microsoft is re-envisioning the future of identity and access with Microsoft Entra.

I hosted Bret Arsenault in a fireside chat about navigating today’s security challenges and my colleague Joy Chik, CVP of Identity and Access, made a special presentation on Microsoft Entra and the trust fabric of identity.

Joy Chik, Corporate Vice President of Identity and Access, speaking at RSA Conference 2022.

Figure 2. CVP of Identity and Access Joy Chik speaks at the 2022 RSA Conference.

Attendees also enjoyed our immersive walkthrough art experience (and of course, the custom swag bar). Many guests took advantage of the reception to network with other security professionals and reconnect with old friends. It was great to see some familiar faces and share new insights with defenders across our community—a big thank you to everyone who joined us!

Visitors explore the Microsoft Security Hub and network with other security professionals.

Figure 3. Attendes network at the Microsoft Security Hub.

Microsoft had a booth at the North Expo of RSA which showcased Microsoft comprehensive security solutions across our six product families: Microsoft Entra, Microsoft Endpoint Manager, Microsoft Defender, Microsoft Sentinel, Microsoft Purview, and Microsoft Priva. More than 7,300 people visited the Microsoft booth.

People explore the Microsoft Security booth at RSA Conference 2022.

Figure 4. Microsoft Security booth at RSA Conference 2022.

Standout sessions

Microsoft speakers appeared in more than 20 earned sessions at this year’s RSA, addressing everything from supply chain attacks to ransomware, botnets, and ways to protect our democracy. We also hosted 40 sessions in our booth. Some of our most popular sessions included:

  • Practical Learnings for Threat Hunting and Improving Your Security Posture: Hosted by Jessica Payne, Principal Security Researcher and Threat Intelligence Strategist at Microsoft, and Simon Dyson, Cyber Security Operations Centre Lead in NHS Digitals Data Security Centre, this 50-minute session addressed threat hunting and security posture improvements from a threat intelligence-informed perspective. Attendees gained insights from Jessica’s experience in demystifying and defusing real-world ransomware attacks. They also got a first-hand recounting of Simon’s work securing the complex network maintained by England’s National Health Service (NHS) during the pandemic, and how his team’s experience can benefit all of us.
  • Conti Playbook: Infiltrate the Most Profitable Ransomware Gang: Participants learned how a disgruntled affiliate exposed one of the most infamous ransomware gangs, divulging its ransomware-as-a-service (RaaS) secrets to help take them down. This immersive, hands-on workshop guided attendees through a typical Conti attack sequence and provided tips to defend against advanced persistent threats. Thanks to Tom D’Aquino, Fabien Guillot, and Arpan Sarkar of Microsoft partner Vectra AI for this presentation.
  • Microsoft Defender Experts for Hunting Has Got Your Back: Abhishek Agarwal, Chief Security and Technology Officer at Helix Biotech, examined threat hunting’s virtuous cycle: track, hunt, and analyze. Specifically, attendees learned how Microsoft Defender Experts for Hunting uses AI to accomplish all three components of the cycle faster, providing automated detection, hunting, and analysis to help the team track and stop threats across the company’s multi-national enterprise.
  • Microsoft Security Research—How We Responsibly Disclose Vulnerabilities to Apple, Google, and the Linux Community: Jonathan Bar Or, Principal Security Researcher at Microsoft, discussed how disclosing bugs makes the world safer and benefits users, as well as giving Microsoft Security a better understanding of the technologies we work to protect.​ The goal is to challenge our own detections and prove product truth—making Microsoft Defender stronger by challenging our own blue teams.​
  • Solve Secure Access Needs for Workload Identities with Microsoft Entra: Microsoft Product Managers Nick Wryter and Sandy Jiang led this informative session on the phenomenon of exploding workload identities. Currently, workload identities outnumber user identities five to one; the challenge being that many traditional identity and access management solutions don’t manage these prevalent and frequently over-permitted identities. Nick and Sandy explained how the new Microsoft Entra addresses this problem by providing a comprehensive view of every action performed by any identity on any resource, detecting anomalous permission usage at cloud scale.
  • Tracking Highly Evasive APTs with Vectra Detect & Microsoft Sentinel: Tom D’ Aquino, Senior Security Engineer at Vectra AI, led this demonstration of real-life threat-hunting using Vectra Detect and Microsoft Sentinel. Tom demonstrated real-world workflows for threat tracking, including individual threat severity, lateral movement, threat targets, and more.
  • The Shift of “Why” and “How” of Ransomware Attacks; How Microsoft Helps Customers Survive Ransomware: Led by MacKenzie Brown of Microsoft’s Detection and Response Team (DART), this session examined the how and why behind the recent increase in ransomware attacks. Attendees learned how attackers have evolved their methods to exert minimum effort for maximum return on investment (ROI), and why DART’s methodology can help you defeat them.

Shining a light on Shadow IT

Shadow IT can be broadly defined as a “set of applications, services, and infrastructure that are developed and managed outside of defined company standards.” These kinds of ad-hoc systems can pose a compliance risk, especially for security, privacy, data governance, and accessibility. Like any organization, Microsoft has not been immune to the proliferation of Shadow IT.

Vasu Jakkal and Bret Arsenault  on stage at the Microsoft pre-event.

Figure 5. Vasu Jakkal and Bret Arsenault speak at the Microsoft pre-day event.

In keeping with our commitment to security for all, Microsoft CVP and CISO Bret Arsenault gave a special presentation on June 8, 2022, addressing Microsoft’s approach to managing Shadow IT. Bret discussed how Microsoft’s security team is enabling engineers and developers to build and operate security capabilities in the cloud, as well as Microsoft’s three primary principles for managing and addressing Shadow IT. For attendees wanting to learn more, we followed up the event with a free white paper on managing Shadow IT.  We’ve also made Bret’s presentation slides available to everyone.

2022 Excellence Awards

The Microsoft Security Excellence Awards (formerly Microsoft Security 20/20 Awards) recognize Microsoft Intelligent Security Association (MISA) members’ success during the past 12 months. This year’s 10 award categories were carefully selected to recognize the unique ways MISA members support their customers and help improve Microsoft security products. Our cross-functional panel carefully examined hundreds of nominations, narrowing the field to just three finalists for each category.

In the spirit of collaboration, Microsoft and MISA members alike voted on the winners. After dinner and cocktails, the awards were handed out at the San Francisco Design Center by Microsoft executives Phil Montgomery, Andrew Conway, Alym Rayani, Irina Nechaeva, Desmond Forbes, Sue Bohn, Mandana Javaheri, Madhu Prasha, Scott Woodgate, and myself. MISA members are a critical part of our approach to comprehensive security. We’re grateful for their vision and dedication to our shared mission of helping customers do more, safely. To all of this year’s finalists and winners—congratulations!

Comprehensive security year-round

Microsoft now protects 785,000 customers around the world, including our own digital estate. Our goal is to provide comprehensive security for our customers while enabling greater security for our shared online world. Microsoft’s best-in-breed protection, built-in intelligence, and simplified management integrates more than 50 product categories in six product families, allowing you to be fearless in the pursuit of your vision.  Our newest product family, Microsoft Entra, helps fulfill that mission by creating a secure entry point for end-to-end security. Entra provides a unified admin center for Azure Active Directory (Azure AD), Entra Permissions Management, and Entra Verified ID where your organization can quickly verify and secure every identity or access request—all in one place.

Our commitment to comprehensive security also means providing the latest research and first-hand knowledge to help keep your organization secure. You can learn more at Cyber Signals, a cyberthreat intelligence brief drawn from the latest Microsoft data and research. If you attended RSA and engaged with Microsoft, please take a few minutes to respond to our RSAC 2022 survey so we can continue to improve your experience. My thanks to everyone who attended, and we’ll see you next year!  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft at RSA 2022: Envisioning the future of security appeared first on Microsoft Security Blog.

Categories: cybersecurity Tags:

Service Fabric Privilege Escalation from Containerized Workloads on Linux

June 28th, 2022 No comments

Under Coordinated Vulnerability Disclosure (CVD), cloud-security vendor Palo Alto Networks informed Microsoft of an issue affecting Service Fabric (SF) Linux clusters (CVE-2022-30137). The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster. Though the bug exists on …

Service Fabric Privilege Escalation from Containerized Workloads on Linux Read More »

Categories: Uncategorized Tags:

How security leaders can help their teams avoid burnout

June 28th, 2022 No comments

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Voice of the Community blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Maria Markstedter, Chief Executive Offer (CEO) of Azeria Labs, former Chief Product Officer (CPO) at Corellium, a Black Hat1 Review Board member, Forbes Person of the Year in Cybersecurity, and the author of a soon-to-be-published book on Arm assembly internals and reverse-engineering.2 The thoughts below reflect Maria’s views, not the views of Microsoft, and are not legal advice. In this blog post, Maria talks about the industry’s growing interest in Arm assembly and how to help security professionals avoid burnout.

Brooke: How did you become passionate about Arm as a processing language and how is it gaining momentum in security?

Maria: While working as a penetration tester, I attended a conference where security researcher Marion Marschalek gave a talk about reverse-engineering the computer worm Stuxnet and I was fascinated. I built up the courage to ask her to teach me. This is when I learned about x86 assembly and malware analysis. I got interested in Arm assembly and realized that I had way more Arm-based devices around me than x86 processors.

When I started studying the Arm architecture, the only devices based on Arm were IoT and mobile devices. Digging into it more, I realized that Arm was working on a 64-bit architecture and could take off in the desktop and server world. I was anticipating this shift. Arm is a very scalable platform and offers significant advantages over other processors, like power consumption and performance. Apple switched all their Macs to the Arm processing language. That raised the bar for high-powered yet energy-efficient computers. This shift puts pressure on other vendors that want to compete with laptops that are just as efficient and that have battery life that lasts just as long. It didn’t take long for Microsoft to catch up, with the SQ1 processor for Windows on Arm. Microsoft Azure recently implemented an entire cloud service. It’s gaining momentum because the architecture has become more powerful. It’s a new era.

There’s a huge gap in educational resources for people to learn about Arm. That’s why my current job involves training security teams on Arm reverse-engineering and exploitation. I also wrote a book about Arm assembly and reverse-engineering to fill that gap in a digestible format with lots of graphics. I’ve been working on it for two years and it’s about to be published. I hope that this book will help a lot of people ease their way into becoming proficient in something that is rather dry and hard to learn on your own.

Brooke: What is the biggest challenge facing security professionals today?

Maria: The biggest challenge is keeping up with new technologies and changes. From my work as a penetration tester, you get a new gig and new clients with a new product that uses a completely different stack of technologies, and you have to quickly familiarize yourself with it. Different technologies mean different attack vectors. That goes in every direction of security research. I know great reverse-engineers who have spent their whole career reverse-engineering malware and product components based on x86. If the architecture of these components changes, everything changes. If you are used to reading x86_64 assembly and are suddenly presented with a completely different assembly language, it’s like trying to understand Spanish if you are familiar only with French.  

Organizations expect their security teams to keep up with these rapid changes. How will these security teams find the time to learn and stay on top of it all? It’s not reasonable to expect security professionals to learn outside of work hours when they should focus on their family and maintaining a healthy work-life balance because it’s easy to burn out in our industry.

Brooke: What are some signs of burnout that security leaders can look out for?

Maria: Last year, I experienced my first major burnout. I was taking on way too many responsibilities. As a result, I had to take a couple of months off of work to recover. I always thought, “When I burn out, I’ll take a week off and go on vacation.” It’s not as easy as that. It starts off very subtle and is very difficult to notice before it’s too late.

Some of the causes of burnout—and why I advocate for training—is if your employee feels they don’t have any impact, feels overwhelmed or like they can’t keep up, feels like they are expected to figure it all out in their free time, or doesn’t get the time to work on interesting things that feed their curiosity. In our field, we constantly see someone coming up with something really cool and think, “I wish I could do that.” But yet, we rarely get the time to explore and learn new skills and techniques, especially when they don’t directly correlate with our current role. Security leaders need to help their team nourish their inner curiosity and give them enough breaks and research time, and the opportunity to learn.

Also, people in the process of getting burnout have a hard time saying no. If you give them new tasks, they’re going to say, “Sure!” because they feel like they’re not contributing enough and that they need to prove themselves. As a manager, ask the right questions and monitor their workload. You get more out of someone if they work a little slower but don’t burn out. If they must take sick days off or are so anxious or depressed by the end of the week that they barely get any work done, you’re not getting your results either. If they do less in a focused and balanced way with a clear mind, they will produce more value. Keep your employees happy and motivated; don’t treat them like workhorses.

Brooke: Should the opportunity to study and grow be considered a recruitment and retention tool?

Maria: Yes. People in our profession are generally very curious and driven. Otherwise, they wouldn’t be in this field. They are very eager to learn. If you feed the curiosity of your security team and give them new learning opportunities, you might be surprised at what they come up with. It makes them more versatile, confident, and motivated. Every security area overlaps with another, so they might come up with an idea that you haven’t thought of, which could lead to security advancements internally.

At my first company, I was working as a penetration tester and wanted to attend a training course about forensics, because we’d had a couple of forensics incidents, and they would send us penetration testers, even the ones who had little knowledge in forensics. But they said they wouldn’t pay for it, mainly because they didn’t want to invest in their employees and were scared that this investment would lead to them leaving the company. I ended up leaving the company because they would not give me continuous educational opportunities and expected employees to learn everything in their free time instead of investing in their skill development.  

Brooke: What would you recommend to Chief Security Officers (CSOs) filling cybersecurity roles?

Maria: You’re better off if you hire for potential and character. You can always train people. Hire for potential and pick people who are fast learners, are curious, and have demonstrated that they have invested in their own skill development as best as they could. Train them internally and send them to security conferences where they can meet like-minded people and learn. If you’re waiting for the perfect candidate, it’s rather hard to find enough people for the job. If you train them up, you have a better chance of filling all the spots.

You can outsource certain security teams, like penetration testing and incident response, as many organizations do, but it’s risky to not have an in-house security team. If an incident happens and your people are not skilled enough to respond to it, you may try to contract with an external firm, but they could be overflowing with projects because it’s a global incident. CSOs should expand their own security teams and leave room for skill development, not just in their own niche but also nurture their interests. It’s the organization’s responsibility to provide the resources and space for employees to evolve their skills.

Brooke: What is the biggest threat to organizations right now?

Maria: If you focus on one threat, it will become irrelevant in no time. The biggest threat is the rapidly changing environment and that security professionals might fall behind. So, when it’s time to act, they are not able to. Your security team is the backbone of your security posture. If you neglect that, you will not be able to keep up with evolving trends. I have seen people being sent to security incidents last minute who had to pull that off on the fly and work all day, every day for weeks on short notice with no prior knowledge. Things are always so rapidly changing that it’s all about how quickly you can respond. Do you have the resources to respond to what’s being thrown at you?

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Black Hat USA 2022, Black Hat.

2Upcoming Book Series: Arm Exploitation, Maria Markstedter.

The post How security leaders can help their teams avoid burnout appeared first on Microsoft Security Blog.

4 breakthrough ideas for compliance and data security

June 27th, 2022 No comments

Compliance management will never be easy, but there are ways to make it simpler and more transparent. Every year, organizations confront a growing volume and diversity of data and ever-evolving industry and government regulations. But the answer to more data, more devices, and more regulations isn’t more point security solutions. In fact, it may be possible to simplify compliance even as everything around you gets more complex.

Through research and conversations with customers, we’ve identified four key data security challenges that many organizations face as they implement hybrid work and multicloud environments. You can dig into our findings and recommendations by signing up and downloading the e-book Blueprint for Data Protection: 4 Breakthrough Ideas for Compliance and Data Security. In the meantime, let us walk you through some of the highlights.

1. Addressing insider risk created by hybrid work and the Great Reshuffle

By now, you’re probably familiar with the news that record numbers of workers are quitting and switching jobs. The phenomenon has even been given a name: the Great Reshuffle. Many of these career changers have prioritized flexible work environments that enable them to work remotely at least some of the time. This creates a great opportunity for businesses with the right technology to attract top talent; however, job-hopping also comes with risk. Employees may inadvertently—or, unfortunately, intentionally—take sensitive data with them when they leave. And it’s common for new workers to make mistakes while they are getting up to speed on security policies.

To improve risk management, it’s important to implement an effective insider risk program. The right security program will focus on both culture shifts that help people make the right decisions and privacy controls that don’t impede productivity. If you’re uncertain where to start, you’ll find more detail in the e-book, which outlines several recommended best practices.

2. Knowing your data

Our customers tell us that running a multicloud environment and supporting a hybrid workforce makes it extremely difficult to know what data they have and where it’s located. Employees, customers, and IoT devices are continuously creating new information, storing it on various clouds and devices, and frequently moving it to new locations. Data protection must be balanced with governance that doesn’t impede productivity.

Automate discovery to amplify data governance. Classification is key to defining which data is sensitive and who should have access to it. But if you’re doing this process manually, it’s nearly impossible. We recommend solutions that use AI to automatically classify data based on pre-defined requirements. With the right processes and technology, you can dramatically reduce your workload and enhance data protection.

3. Securing data in a borderless world

The network perimeter is widely held to be an ineffective strategy, and we’ve now entered a world where the office walls are also disappearing. Your company resources aren’t just stored inside your on-premises data center, they also exist in cloud environments and apps. People, IoT devices, and services from all over the place—including other countries—legitimately need to access those resources to get things done. Working from anywhere is more convenient than ever, but it’s also created more opportunities for bad actors to get a hold of sensitive data.

To help ensure that only authorized users can access your data, implement a Zero Trust framework. With Zero Trust, you don’t automatically trust any access request, even if it comes from inside the network. To prevent a breach, it’s important to verify every request explicitly. When access is granted, individuals, services, and smart devices should only be given as much access as they need and only for the amount of time that they need it. A notable tenet of a Zero Trust strategy is that teams should assume that the organization has already been breached, which is why it’s critical to make verification and access controls ingrained as protocol.

Zero Trust isn’t a product: It’s a strategy and process. Refer to the e-book for several recommended tips that will help you implement this important framework in your own organization.

4. Managing security platform complexity

If you have a patchwork system of unintegrated security solutions that you’ve acquired over time, you’re not alone. Many of our customers struggle to coordinate across multiple systems, losing precious time that they could put toward threat management.

You can significantly reduce complexity by unifying compliance solutions and data protection strategies. By replacing your point solutions with a platform from a single vendor, you can reduce cyberattacks, save time, and recover from an attack more quickly. Look for the following when choosing a vendor:

  • Easy deployment, maintenance, and governance.
  • A lower cost than a multiple-solution strategy.
  • Easier deployment and user training.
  • Solutions that work well with your current environment and tools.
  • In-place data management.

Putting it all together

Respecting privacy while enabling productivity has only gotten more challenging as the way people work has shifted, but you can make your job a little bit easier with the proven strategies outlined in this blog.

Dive deeper into these four challenges and best practices in the e-book Blueprint for Data Protection: 4 Breakthrough Ideas for Compliance and Data Security.

Learn more about Microsoft Purview, a family of governance and compliance solutions that work together to give you greater visibility and control over your data.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 4 breakthrough ideas for compliance and data security appeared first on Microsoft Security Blog.

4 breakthrough ideas for compliance and data security

June 27th, 2022 No comments

Compliance management will never be easy, but there are ways to make it simpler and more transparent. Every year, organizations confront a growing volume and diversity of data and ever-evolving industry and government regulations. But the answer to more data, more devices, and more regulations isn’t more point security solutions. In fact, it may be possible to simplify compliance even as everything around you gets more complex.

Through research and conversations with customers, we’ve identified four key data security challenges that many organizations face as they implement hybrid work and multicloud environments. You can dig into our findings and recommendations by signing up and downloading the e-book Blueprint for Data Protection: 4 Breakthrough Ideas for Compliance and Data Security. In the meantime, let us walk you through some of the highlights.

1. Addressing insider risk created by hybrid work and the Great Reshuffle

By now, you’re probably familiar with the news that record numbers of workers are quitting and switching jobs. The phenomenon has even been given a name: the Great Reshuffle. Many of these career changers have prioritized flexible work environments that enable them to work remotely at least some of the time. This creates a great opportunity for businesses with the right technology to attract top talent; however, job-hopping also comes with risk. Employees may inadvertently—or, unfortunately, intentionally—take sensitive data with them when they leave. And it’s common for new workers to make mistakes while they are getting up to speed on security policies.

To improve risk management, it’s important to implement an effective insider risk program. The right security program will focus on both culture shifts that help people make the right decisions and privacy controls that don’t impede productivity. If you’re uncertain where to start, you’ll find more detail in the e-book, which outlines several recommended best practices.

2. Knowing your data

Our customers tell us that running a multicloud environment and supporting a hybrid workforce makes it extremely difficult to know what data they have and where it’s located. Employees, customers, and IoT devices are continuously creating new information, storing it on various clouds and devices, and frequently moving it to new locations. Data protection must be balanced with governance that doesn’t impede productivity.

Automate discovery to amplify data governance. Classification is key to defining which data is sensitive and who should have access to it. But if you’re doing this process manually, it’s nearly impossible. We recommend solutions that use AI to automatically classify data based on pre-defined requirements. With the right processes and technology, you can dramatically reduce your workload and enhance data protection.

3. Securing data in a borderless world

The network perimeter is widely held to be an ineffective strategy, and we’ve now entered a world where the office walls are also disappearing. Your company resources aren’t just stored inside your on-premises data center, they also exist in cloud environments and apps. People, IoT devices, and services from all over the place—including other countries—legitimately need to access those resources to get things done. Working from anywhere is more convenient than ever, but it’s also created more opportunities for bad actors to get a hold of sensitive data.

To help ensure that only authorized users can access your data, implement a Zero Trust framework. With Zero Trust, you don’t automatically trust any access request, even if it comes from inside the network. To prevent a breach, it’s important to verify every request explicitly. When access is granted, individuals, services, and smart devices should only be given as much access as they need and only for the amount of time that they need it. A notable tenet of a Zero Trust strategy is that teams should assume that the organization has already been breached, which is why it’s critical to make verification and access controls ingrained as protocol.

Zero Trust isn’t a product: It’s a strategy and process. Refer to the e-book for several recommended tips that will help you implement this important framework in your own organization.

4. Managing security platform complexity

If you have a patchwork system of unintegrated security solutions that you’ve acquired over time, you’re not alone. Many of our customers struggle to coordinate across multiple systems, losing precious time that they could put toward threat management.

You can significantly reduce complexity by unifying compliance solutions and data protection strategies. By replacing your point solutions with a platform from a single vendor, you can reduce cyberattacks, save time, and recover from an attack more quickly. Look for the following when choosing a vendor:

  • Easy deployment, maintenance, and governance.
  • A lower cost than a multiple-solution strategy.
  • Easier deployment and user training.
  • Solutions that work well with your current environment and tools.
  • In-place data management.

Putting it all together

Respecting privacy while enabling productivity has only gotten more challenging as the way people work has shifted, but you can make your job a little bit easier with the proven strategies outlined in this blog.

Dive deeper into these four challenges and best practices in the e-book Blueprint for Data Protection: 4 Breakthrough Ideas for Compliance and Data Security.

Learn more about Microsoft Purview, a family of governance and compliance solutions that work together to give you greater visibility and control over your data.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 4 breakthrough ideas for compliance and data security appeared first on Microsoft Security Blog.

A Man of Action: Meet Callum Carney

Hidden Talents: He was a competitive swimmer for many years. Instrument of Choice: His fingers were made for the keyboard, but he used to play the trumpet. 5 pieces of entertainment for the rest of his life: The Office, World War Z, The Matrix, Breaking Bad, The Thick of It. Favorite non-profit: RSPCA How he …

A Man of Action: Meet Callum Carney Read More »

Categories: Uncategorized Tags:

Security baseline for Microsoft Edge v103

June 24th, 2022 No comments

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge, version 103!


 


We have reviewed the new settings in Microsoft Edge version 103 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 98 package continues to be our recommended baseline. That baseline package can be downloaded from the Microsoft Security Compliance Toolkit.


 


However, there is 1 setting we would like to call out, Origin-keyed agent clustering enabled by default.


 


Origin-keyed agent clustering enabled by default (Consider Testing)


Historically, JavaScript could adjust the document.domain property  to relax Same-Origin-Policy and allow content from different subdomains of a site to interact.  This new setting will prohibit that ability and starting in version 106 will be enabled by default. We highly encourage customers to begin compatibility testing now with this setting to account for this upcoming change. In the future, the security baseline will also enforce the setting.  Additional details on this setting can be found in this article.


 


Microsoft Edge version 103 introduced 4 new computer settings and 4 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.


 


As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.


 


Please continue to give us feedback through the Security Baselines Discussion site or this post.

Categories: Uncategorized Tags:

Detecting malicious key extractions by compromised identities for Azure Cosmos DB

June 23rd, 2022 No comments

Azure Cosmos DB is a fully managed NoSQL cloud database service for modern app development. It offers a variety of advanced built-in features, such as automatic worldwide data replication, lightning-fast response types, and a variety of APIs. In this blog post, we describe security practices for securing access to Azure Cosmos DB and show how monitoring relevant control plane operations, when performed by Microsoft Defender for Azure Cosmos DB, can help detect potentially compromised identities.

Authentication and authorization

Operating Azure Cosmos DB databases requires valid credentials to be provided for each request. The main type of credentials is a pair of access keys, known as primary and secondary, which are generated as part of the Azure Cosmos DB account creation and can be retrieved through management API using the ListKeys operation. These keys provide full control over the account, including configuration of databases, deployment of server-side logic, and common read and write data transactions. The keys are generated as a pair to enable continuous availability during key rotations. When the primary key is in use, the secondary key is being rotated, and vice versa.

Another type of authentication and access control supported by Azure Cosmos DB is the role-based access control (RBAC) mechanism based on Microsoft Azure Active Directory (Azure AD).1 Principals authenticated in Azure AD can be assigned distinct roles that grant specific permissions to the databases and various objects in the Cosmos DB account. The roles can be chosen from several built-in alternatives or customized by the account owner.

Secured architecture controls

When an application design contains a database there are access control security practices that should be applied to improve the security posture. These practices are well known in database security and should be implemented through the built-in capabilities of Azure Cosmos DB. Here are two examples:

  1. Employ three-tier architecture to restrict access to databases only by application servers but not directly by clients. Implementation of such a design can be achieved by properly configuring the Cosmos DB firewall to provide access only to specific IP addresses or subnets.
  2. Assign least privileged access to the entities that communicate with the databases. By using RBAC authorization, as mentioned previously, it is possible to set a strict access model to Azure Cosmos DB and minimize its attack surface. Application servers that perform data transactions should be authorized to perform those, but not environment configuration activities such as deleting collections or uploading stored procedures. On the other hand, authorization to deployment operations can be given to engineering teams and continuous integration and continuous delivery (CI/CD) systems. When all the entities are configured with proper roles and access, it is advised to disable the access keys to mitigate a leaked key threat.

Cloud-based attack vector

With all the aforementioned security controls in place, there is another attack vector that needs to be addressed when securing a cloud application. The potential threat can be realized through authorized control plane access to Azure Resource Manager (ARM), which is responsible for resource provisioning and their configuration. In the context of Azure Cosmos DB, ARM can be queried to retrieve Cosmos DB access keys, as well as handle requests for changes in the database firewall rules. Bypassing the access control of the management interface is a high barrier for threat actors, so their widely adopted tactic is to get credentials through attacks on the users. Therefore, a supplemental layer of security against compromised customer accounts is achieved by continuous monitoring of authorized operations.

If the access keys are disabled according to security practices, then the key leakage scenario is not valid. An interesting point to note is that in these cases there are no entities that should perform the ListKeys operation. Thus, if it is monitored by a security service it serves as a detection of a potential compromise of the acting identity.

Monitoring suspicious key extractions

Data traffic of your Azure Cosmos DB accounts—including any attempts to access, read, or change the stored data—is monitored by Microsoft Defender for Azure Cosmos DB. Defender contains a growing collection of detections that cover various security scenarios. For example, signals are triggered when the account is accessed from an anomalous or suspicious location, an abnormally high amount of data is extracted, or a potentially malicious query is executed. In case a significantly suspicious pattern is detected, a security alert is sent to the account’s security administrator, with descriptive information and suggested steps to mitigate the detected threats and prevent future attacks. Securing and monitoring access to Azure Cosmos DB content is important and should be augmented with monitoring of control plane operations. In modern databases, such as Cosmos DB, authentication is provided using shared keys. If keys are leaked or compromised, their use by malicious actors blends among legitimate usage—as no individual user profile is visible in the data plane logs. Additionally, in case of attacks (such as data exfiltration for theft and data encryption for ransomware), early detection increases the effectiveness of incident response and reduces the damage.

Control plane monitoring enables the analyses of management activities of resources (such as changing access policies, and listing and setting access keys) and allows mapping them to authorized users. It is important to monitor management operations that are relevant for security scenarios. For example, accessing data in Azure Cosmos DB requires getting access keys, which appear as ListKeys operation in the control plane log. Other examples of operations include encryption and changing access policies or keys.

These operations are important, but in most cases they are normal and legitimate. However, if the operation is significantly anomalous (performed from an unexpected IP address, by a seldomly seen user, or using weak authentication, for example), it might indicate a malicious attempt to access the account and should be investigated by the resource owner. Alternatively, massive execution of such operations could indicate a breach even if no anomalous pattern exists.

We recommend flagging suspicious important management operations based on several types of indicators:

  1. New anomalous entity, such as previously unseen and unexpected source IP, application, and authentication type. In case the set of known entities is small enough, and no new entities are routinely appearing, any new entity is deemed unexpected. Thus, it might indicate either addition of a legitimate entity or the appearance of a malicious actor, and should be investigated.
  2. Anomalous pairing indicates an anomalous connection between two existing variables. For example, an important operation performed by a known user who previously never worked on a related resource group might indicate something like a compromised identity, or a connection between the source device and target resource that have never communicated before. This can be detected by modeling the probability of similarity of connection between meaningful pairs of variables.
  3. Suspicious indicators, such as source IPs flagged with threat intelligence signals, operation patterns resembling known penetration testing, or attack tool usage. Additional secondary indicators that increase the likelihood of potential misuse should be monitored as well. Examples include operations performed using weak authentication (no multifactor authentication) and suspicious errors (indicating potential reconnaissance efforts). These indicators are commonly derived from security research of known vulnerabilities and attack patterns.
  4. Mass operation: Even in case no anomalous indicators exist, a sufficiently high amount of successful or failed operations should be investigated due to potential high impact. Such an event can indicate enumerating or gaining access to resources en masse. Even though a substantial number of failed operations is a weaker signal, it is important, since it can be an early indication of an attack that employs blind scanning.

Various indicators can be integrated into cumulative anomaly scores for individual operations or a batch, depending on the scenario. Since the monitored operations are important, high anomaly scores may indicate a malicious access attempt and need to be investigated promptly. In the case of a true positive, real damage can be prevented before a malicious payload is executed. In the case of a false positive, the item can be quickly dismissed by the resource owner after steps for future prevention of such cases are considered.

Detect security threats with Microsoft Defender for Azure Cosmos DB

Microsoft Defender for Azure Cosmos DB is a part of Microsoft Defender for Cloud. It covers alerts on both the data plane and the control plane, detecting potential SQL injections, known bad actors based on Microsoft threat intelligence, suspicious access patterns, and potential exploitation of databases by compromised identities or malicious insiders. Read Overview of Defender for Azure Cosmos DB to learn about its capabilities and detections.

Microsoft encourages you to develop a security strategy for your deployments in the cloud and protect Cosmos DB instances with the proposed detection solution.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Early RBAC capabilities are also provided by a legacy authentication method based on resource token, but it is largely obsolete now.

The post Detecting malicious key extractions by compromised identities for Azure Cosmos DB appeared first on Microsoft Security Blog.

Categories: cybersecurity Tags:

Microsoft Defender for Office 365 receives highest award in SE Labs Enterprise Email Security Services test

June 22nd, 2022 No comments

In today’s evolving threat landscape, email represents the primary attack vector for cybercrime, making effective email protection a key component of any security strategy.1

In Q1 2022, Microsoft participated in an evaluation of email security solutions, carried out by SE labs—a testing lab focused on assessing the efficacy of security solutions. In their latest Enterprise Email Security Services test, they evaluated email security vendors against a range of real-world email attack scenarios.

Today we are excited to share that Microsoft received an AAA Protection Award for Microsoft Defender for Office 365, the highest possible award that vendors can achieve in this test.

Microsoft Defender for Office 365 helps organizations protect against advanced threats including phishing and business email compromise. It provides a wide range of email protection capabilities including protection from impersonation, spoofing, as well as holistic attack campaign views, using machine learning and other heuristics to identify phishing attacks across the entire organization.

Another core component of Microsoft Defender for Office 365 is user training. Even at Microsoft, we continuously run exercises to educate our employees and senior leaders to raise their awareness to real-life phishing attacks, using the attack simulation training capabilities in Microsoft Defender for Office 365.

In the SE labs report, Microsoft received a total score of 89 percent based on the evaluation of two key criteria:

  • 97 percent of emails that contained threats were blocked
  • 73 percent of legitimate email was correctly identified

The near-perfect score on containing threats demonstrates the industry-leading email security protection we provide and the effectiveness by which Microsoft Defender for Office 365 can protect customers from business email compromise. At the same time, the slightly lower score around legitimate email is due to the strong focus on executive accounts in the test, for which Microsoft configured an enhanced level of protection based on insights and best practices for how organizations actually use the service. This resulted in more blocked mail, but that we believe is appropriately cautious.

The Microsoft Defender for Office 365 engine is always learning from email traffic in the environment and adjusting as a result, but the highly configurable nature of Exchange Online also allows customers to tailor their experience. While in this test, we tailored the controls to the highest level of available protections, admins have a wide range of options to customize the delivery sensitivity and their preferred level of tolerance for potentially unwanted email.

The SE labs report validates that Microsoft Defender for Office 365, part of Microsoft Defender 365, is a leading choice for email protection, used by corporations worldwide. To learn more about how some customers are using Microsoft Defender for Office 365 today, read this customer story from St. Luke’s.

Microsoft continues to invest heavily to protect organizations from phishing and business email compromise with the backing of hundreds of researchers, engineers, and threat intelligence insights from billions of pieces of mail that Microsoft processes every single day and directly inform our machine learning engines.

Trust Microsoft’s XDR solution for protection against threats across Office 365 and more 

Microsoft Defender for Office 365 provides comprehensive coverage, both through the lifecycle of an attack and across email and collaboration tools like email, SharePoint, OneDrive, and Microsoft Teams.

These capabilities are part of Microsoft’s extended detection and response (XDR) solution Microsoft 365 Defender, which helps organizations secure their users with integrated threat protection, detection, and response across endpoints, email, identities, applications, and data.

To take advantage of our industry-leading protection in your environment, get started today!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1 Internet Crime Report 2020, Federal Bureau of Investigation. 2020.

The post Microsoft Defender for Office 365 receives highest award in SE Labs Enterprise Email Security Services test appeared first on Microsoft Security Blog.

Improving AI-based defenses to disrupt human-operated ransomware

June 21st, 2022 No comments

Microsoft’s deep understanding of human-operated ransomware attacks, which are powered by a thriving cybercrime gig economy, continuously informs the solutions we deliver to protect customers. Our expert monitoring of threat actors, investigations into real-world ransomware attacks, and the intelligence we gather from the trillions of signals that the Microsoft cloud processes every day provide a unique insight into these threats. For example, we track human-operated ransomware attacks not only as distinct ransomware payloads, but more importantly, as a series of malicious activities that culminate in the deployment of ransomware. Detecting and stopping ransomware attacks as early as possible is critical for limiting the impact of these attacks on target organizations, including business interruption and extortion.

To disrupt human-operated ransomware attacks as early as possible, we enhanced the AI-based protections in Microsoft Defender for Endpoint with a range of specialized machine learning techniques that find and swiftly incriminate – that is, determine malicious intent with high confidence – malicious files, processes, or behavior observed during active attacks.

The early incrimination of entities – files, user accounts, and devices – represents a sophisticated mitigation approach that requires an examination of both the attack context as well as related events on either the targeted device or within the organization. Defender for Endpoint combines three tiers of AI-informed inputs, each of which generates a risk score, to determine whether an entity is associated with an active ransomware attack:

  • A time-series and statistical analysis of alerts to look for anomalies at the organization level
  • Graph-based aggregation of suspicious events across devices within the organization to identify malicious activity across a set of devices
  • Device-level monitoring to identify suspicious activity with high confidence

Aggregating intelligence from these sources enables Defender for Endpoint to draw connections between different entities across devices within the same network. This correlation facilitates the detection of threats that might otherwise go unnoticed. When there’s enough confidence that a sophisticated attack is taking place on a single device, the related processes and files are immediately blocked and remediated to disrupt the attack.

Disrupting attacks in their early stages is critical for all sophisticated attacks but especially human-operated ransomware, where human threat actors seek to gain privileged access to an organization’s network, move laterally, and deploy the ransomware payload on as many devices in the network as possible. For example, with its enhanced AI-driven detection capabilities, Defender for Endpoint managed to detect and incriminate a ransomware attack early in its encryption stage, when the attackers had encrypted files on fewer than four percent (4%) of the organization’s devices, demonstrating improved ability to disrupt an attack and protect the remaining devices in the organization. This instance illustrates the importance of the rapid incrimination of suspicious entities and the prompt disruption of a human-operated ransomware attack.

Line chart illustrating how Defender for Endpoint detected and incriminated a ransomware attack when attackers had encrypted files on 3.9% of the organization’s devices.
Figure 1: Chart showing Microsoft Defender for Endpoint incriminating a ransomware attack when attackers had encrypted files on 3.9% of the organization’s devices

As this incident shows, the swift incrimination of suspicious files and processes mitigates the impact of ransomware attacks within an organization. After incriminating an entity, Microsoft Defender for Endpoint stops the attack via feedback-loop blocking, which uses Microsoft Defender Antivirus to block the threat on endpoints in the organization. Defender for Endpoint then uses the threat intelligence gathered during the ransomware attack to protect other organizations.

Diagram with icons and lines depicting the incrimination and protection process.
Figure 2: Overview of incrimination using cloud-based machine learning classifiers and blocking by Microsoft Defender Antivirus

In this blog, we discuss in detail how Microsoft Defender for Endpoint uses multiple innovative, AI-based protections to examine alerts at the organization level, events across devices, and suspicious activity on specific devices to create a unique aggregation of signals that can identify a human-operated ransomware attack.

Detecting anomalies in alerts at the organization level

A human-operated ransomware attack generates a lot of noise in the system. During this phase, solutions like Defender for Endpoint raise many alerts upon detecting multiple malicious artifacts and behavior on many devices, resulting in an alert spike. Figure 3 shows an attack that occurred across a single organization.

Line chart depicting the spread of a human-operated ransomware in an organization.
Figure 3: Graph showing a spike in alerts during the ransomware phase of an attack

Defender for Endpoint identifies an organization-level attack by using time-series analysis to monitor the aggregation of alerts and statistical analysis to detect any significant increase in alert volume. In the event of an alert spike, Defender for Endpoint analyzes the related alerts and uses a specialized machine learning model to distinguish between true ransomware attacks and spurious spikes of alerts.

If the alerts involve activity characteristic of a ransomware attack, Defender for Endpoint searches for suspicious entities to incriminate based on attack relevance and spread across the organization. Figure 4 shows organization-level detection.

Diagram with icons showing organization-level anomaly detection, including monitoring for alerts, anomaly detection based on alert counts, analysis of each alert, and incrimination of suspicious entities on individual devices.
Figure 4: Overview of organization-level anomaly detection

Graph-based monitoring of connections between devices

Organization-level monitoring can pose challenges when attacks don’t produce enough noise at the organization level. Aside from monitoring anomalous alert counts, Defender for Endpoint also adopts a graph-based approach for a more focused view of several connected devices to produce high-confidence detections, including an overall risk score. For this level of monitoring, Defender for Endpoint examines remote activity on a device to generate a connected graph. This activity can originate from popular admin tools such as PsExec / wmi / WinRm when another device in the organization connects to a device using admin credentials. This remote connection can also indicate previous credential theft by an attacker.

As administrators often use such connectivity tools for legitimate purposes, Defender for Endpoint differentiates suspicious activity from the noise by searching specifically for suspicious processes executed during the connection timeframe.

Diagram with icons and arrows showing a typical attack pattern involving the command line as an initial attack vector via credential theft and compromised with tools such as psexec and wmi. The target then scans the network to connect to Active Directory and spread throughout the organization.
Figure 5: Diagram of a typical attack pattern from initial attack vector to scanning and lateral movement

Figure 5 shows a typical attack pattern wherein a compromised device A is the initial attack vector, and the attacker uses remote desktop protocol (RDP) or a remote shell to take over the device and start scanning the network. If possible, the attackers move laterally to device B. At this point, the remote processes wmic.exe on the command line and wmiprvse.exe on the target can spawn a new process to perform remote activities.

Graph-based detection generates the entities in memory to produce a virtual graph of connected components to calculate a total risk score, wherein each component represents a device with suspicious activities. These activities might produce low-fidelity signals, such as scores from certain machine learning models or other suspicious signals on the device. The edges of the graph show suspicious network connections. Defender for Endpoint then analyzes this graph to produce a final risk score. Figure 6 highlights an example of graph-based aggregation activities and risk score generation.

Diagram with text and arrows showing the aggregation of signals to produce a risk score for multiple devices. A numerical algorithm is used to analyze the risk score of each device based on suspicious activity.
Figure 6: Diagram showing the aggregation of signals to produce a risk score for multiple devices

Identifying suspicious activity with high confidence on a single device

The final detection category is identifying suspicious activity on a single device. Sometimes, suspicious signals from only one device represent enough evidence to identify a ransomware attack, such as when an attack uses evasion techniques like spreading activity over a period of time and across processes unrelated to the attack chain. As a result, such an attack can fly under the radar, if defenses fail to recognize these processes as related. If the signals are not strong enough for each process chain, no alerts will generate.

Figure 7 depicts a simplified version of evasion activity using the Startup folder and autostart extension points. After taking over a device, an attacker opens cmd.exe and writes a file to the Startup folder to carry out malicious activities. When the device restarts, the file in the Startup folder performs additional commands using the parent process ID explorer.exe, which is unrelated to the original cmd.exe that wrote the file. This behavior splits the activity into two separate process chains occurring at different times, which could prevent security solutions from correlating these commands. As a result, when neither individual process produces enough noise, an alert might not appear.

Diagram with icons and arrows depicting evasion activity using four different processes, wherein cmd.exe commands the device to restart and then open explorer.exe which appears as an entirely separate process.
Figure 7: Evasion activity split into two separate process chains occurring at different times

The enhanced AI-based detections in Defender for Endpoint can help connect seemingly unrelated activity by assessing logs for processes that resemble DLL hijacking, autostart entries in the registry, creation of files in startup folder, and similar suspicious changes. The incrimination logic then maps out the initiation of the first process in relation to the files and tasks that follow.

Human-operated ransomware protection using AI

Attackers behind human-operated campaigns make decisions depending on what they discover in environments they compromise. The human aspect of these attacks results in varied attack patterns that evolve based on unique opportunities that attackers find for privilege escalation and lateral movement. AI and machine learning present innovative methods for surfacing sophisticated attacks known for using advanced tools and techniques to stay persistent and evasive.

In this blog, we discussed enhancements to cloud-based AI-driven protections in Microsoft Defender for Endpoint that are especially designed to help disrupt human-operated ransomware attacks. These enhanced protections use AI to analyze threat data from multiple levels of advanced monitoring and correlate malicious activities to incriminate entities and stop attacks in their tracks. Today, these AI protections are triggered in the early stages of the ransomware phase, as the attack starts to encrypt data on devices. We’re now working to expand these protections to trigger even earlier in the attack chain, before the ransomware deployment, and to expand the scope to incriminate and isolate compromised user accounts and devices to further limit the damage of attacks.  

This innovative approach to detection adds to existing protections that Microsoft 365 Defender delivers against ransomware. This evolving attack disruption capability exemplifies Microsoft’s commitment to harness the power of AI to explore novel ways of detecting threats and improve organizations’ defenses against an increasingly complex threat landscape.

Learn how Microsoft helps you defend against ransomware.

Learn how machine learning and AI drives innovation at Microsoft security research.

Arie Agranonik, Charles-Edouard Bettan, Sriram Iyer
Microsoft 365 Defender Research Team

The post Improving AI-based defenses to disrupt human-operated ransomware appeared first on Microsoft Security Blog.

Securing your IoT with Edge Secured-core devices

June 21st, 2022 No comments

A recent study conducted by Microsoft in partnership with Ponemon Institute included a survey of companies that have adopted IoT solutions and 65 percent of them mentioned that security is a top priority when implementing IoT. Attacks targeting IoT devices put businesses at risk. Impacted devices can be bricked, held for ransom, employed as launch points for further network attacks, or used for malicious purposes. Among many consequences, we often see intellectual property (IP) and data theft and compromised regulatory status, all of which can have brand and financial implications on the business. 

Subsequently, we did a survey to understand the top concerns around the security of IoT devices, and we shared the findings in a previous blog about best practices for managing IoT security concerns. The following list summarizes the top security concerns from companies that have adopted IoT solutions:

  • Ensuring data privacy (46 percent).
  • Ensuring network-level security (40 percent).
  • Security endpoints for each IoT device (39 percent).
  • Tracking and managing each IoT device (36 percent).
  • Making sure all existing software is updated (35 percent).
  • Updating firmware and other software on devices (34 percent).
  • Performing hardware/software tests and device evaluation (34 percent).
  • Updating encryption protocols (34 percent).
  • Conducting comprehensive training programs for employees involved in IoT environment (33 percent).
  • Securely provisioning devices (33 percent).
  • Shifting from device-level to identity-level control (29 percent).
  • Changing default passwords and credentials (29 percent).

To help address these concerns, Microsoft is thrilled to announce today the general availability of the extension of our Secured-core platform to IoT devices along with new Edge Secured-core certified devices from our partners Aaeon, Asus, Lenovo and Intel in the Azure certified device catalog. We have added this new device certification for our Edge Secured-core platform so customers can more easily select IoT devices that meet this advanced security designation.   

As outlined in Microsoft’s Zero Trust paper, a key investment, especially around new devices, is to choose devices with built-in security. Devices built with Azure Sphere benefit from industry-leading built-in security, with servicing by Microsoft.

Announcements for Edge Secured-core

Edge Secured-core is a certification in the Azure Certified Device program for IoT devices. Devices that have achieved this certification provide enterprises the confidence that the devices they’re purchasing deliver the following security benefits:

  • Hardware-based device identity: In addition to the various security properties that a hardware-based device identity provides, this also enables the use of the hardware-backed identity when connecting to Azure IoT Hub and using the IoT Hub device provisioning service.  
  • Capable of enforcing system integrity: Using a combination of processor, firmware, and OS support to facilitate measurement of system integrity to help ensure the device works well with Microsoft Azure Attestation.
  • Stays up-to-date and is remotely manageable: Receives the necessary device updates for a period of at least 60 months from the date of submission.
  • Provides data-at-rest encryption: The device provides built-in support for encrypting the data at rest using up-to-date protocols and algorithms.
  • Provides data-in-transit encryption: IoT devices such as gateways, which are often used to connect downstream devices to the cloud, need inherent support for protecting data in transit. Edge Secured-core devices help support up-to-date protocols and algorithms that are used for data-in-transit encryption.
  • Built-in security agent and hardening: Edge Secured-core devices are hardened to help reduce the attack surface and include a built-in security agent to help secure from threats.

In addition to addressing many of the top concerns that we’ve heard from customers around the security of their IoT devices, our data shows that Secured-core PCs are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications. We’ve brought the learnings from Secured-core PCs to define the requirements for Edge secured-core devices.

Today, we’re excited to announce the availability of Windows IoT Edge Secured-core devices available in the Azure Certified Device catalog.

ASUS PE200 Lenovo ThinkEdge SE30 Intel NUC AAEON SRG-TG01

Additionally, Microsoft invests with semiconductor partners to build IoT-connected industry certified MCU security platforms that align with Microsoft’s security standards.  

Get started with Microsoft Security

Email us to request a call for more information about Azure Sphere, Edge Secured-core devices, or industry-certified devices. Learn more about Azure IoT security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing your IoT with Edge Secured-core devices appeared first on Microsoft Security Blog.

Categories: cybersecurity, IoT Tags:

How one Microsoft software engineer works to improve access management

June 20th, 2022 No comments

There’s still a perception that the most successful computer scientists learn programming at a young age, study engineering at a top school, and then get a software development job right out of college. While that’s how many people enter the field, it’s not the only path. Microsoft Software Engineer Rebecca Nzioki is living proof. She started out studying business but switched disciplines because she found IT more interesting. She decided to switch disciplines again after she started working and discovered a passion for solving customer problems. She then dedicated herself to learning how to code so she could find permanent fixes to issues that were frustrating the customers she supported.

In my experience, no matter what path they followed in the field of computer science, the best engineers are those who, like Rebecca, focus on solving problems for customers and making sure their experience just gets better and better. There’s no reason to think that, just because you weren’t a “child genius” who already knew how to program before you reached high school, you can’t enter the field now and still be incredibly successful. Rebecca impressed us so much that we tried to recruit her multiple times. Now she’s a software engineer in the identity and network access group, working from her native country, Kenya, as part of our Africa Development Center (ADC). While she’s only been at Microsoft for a short time, her contributions are already notable. I can’t wait to watch her grow.

Rebecca’s interview with Igor Sakhnov, Corporate Vice President of Identity Engineering at Microsoft, has been edited for clarity and length. We’ve included some video snippets so you can learn more about her personal journey to Microsoft.

Igor: Rebecca, I’m in Redmond and you’re in Nairobi, and here we are working for the same company, on the same problems and challenges. That’s the beauty of the current world! So, tell me about your history. Let’s start at the beginning. What was your first experience with computers? For me, it was playing games.

Rebecca: Mine too, it was gaming. When I was in primary school, we had computer lessons, but I wasn’t interested in anything to do with the history of computers. I joined so that I could play games.

Igor: I think most people started learning about computers this way. As you grew older, did you always know you wanted to be an engineer?

Rebecca: I went to college to study business administration, but when I was applying, my mom advised me to do something that had a little bit of IT, because everything revolves around computer science and IT now. She felt it was important to have that background. While I was studying, I found I was more interested in the IT side of things than the business administration side, so I ended up focusing on that.

Igor: Your mom gave you great advice! Did you jump right into coding after you finished college?

Rebecca: My first job after college was in support. The company focused on telecommunications; specifically, selling mobile phone airtime. Our boss created graphs that we would watch to make sure our markets were up and running. I watched up to 22 screens. I did that for two years and then got the opportunity to go to the next level—creating the screens myself.

At that point, we had just launched a new market that had many problems. It was always down because it was totally new, and we were trying so many new things. Not only was I now creating the screens, but I was also moving into customer care, so I knew how our work was impacting customers, allowing them to borrow airtime credit when they really needed it. I was communicating with customers and working on the technical side of things.

Seeing the engineers solve problems that came up—getting to the root cause of the issues—got me interested in programming. I became curious with each new problem: how can we solve this and make it go away completely? We want new problems, not the same ones over and over! After two years on the support side, I finally started coding. For a while I did both, but I transitioned slowly as I built up my confidence.

Igor: What a journey! You mentioned that you really liked solving customer problems, which is so near and dear to my heart. What was your motivation?

Rebecca: Knowing that the customers would be able to use the service any time, and they would be happy. Knowing they could use the service smoothly and knowing that I could give them a service that is also dependable.

Igor: It’s awesome that customer focus defines how you think through your work and your next steps. And that’s something that defines our organization at Microsoft. I’ve heard that you were asked to come talk to us three times. Can you tell me more about that?

Rebecca: Microsoft first called in December 2019, when I had first gotten into engineering. I wasn’t confident enough at that point to interview. It wasn’t the right time for me to change my career, so I didn’t respond to that call. They reached out again the following September, but they were looking for senior software engineers. By this time, however, I really wanted to do something different. The recruiter told me to reach out to them in December 2020. When I interviewed in January 2021, I felt ready.

Igor: I guess the third time was the charm! And I love that you built your confidence up to succeed in the interview. I’m curious, did the recruiters give you any support in terms of how to prepare for the interview?

Rebecca: They gave us a PDF document of algorithms and other things we needed to go through. I had a really good recruiter who would call to ask if I was actually preparing for the interview.

Igor: It’s great that these resources were useful to you. It’s awesome that you’re here now and that between building your confidence and getting those resources, you were set up for success.

Rebecca: Yes!

Igor: You’ve been at Microsoft for about a year. What is your perspective on Microsoft and the Africa Development Center?

Rebecca: I’m loving the experience. It has been a steep learning curve, but I’m here for the challenge. We were all new, on my team, so we didn’t have anyone in ADC to guide us on how to go about it. We’ve navigated it together, and at this point we have it figured out. We’re still learning, but we’ve gotten our pattern going.

Igor: Technology-wise, what are you most excited about working on?

Rebecca: My project right now is working on the Microsoft Authenticator App. We’re letting the user sign in through the application without using their passwords, or have two-factor or multifactor authentication, where you’re not using your password only, but you have levels of security. And knowing we’re driving such changes is pretty exciting.

I’m loving the authentication experience and going passwordless. Our laptops have always been using passwordless, but I hadn’t seen it before on the browser, or signing in to Skype without using a password. It’s exciting because I used to always forget these things! Also, seeing the way we manage code, the way we collaborate, the way we push and deploy—it’s all been very interesting.

Igor: Before we go, what’s your motivation in terms of your growth, your path forward? What do you want to achieve or move towards?

Rebecca: Right now, I just want to continue improving my coding abilities. I haven’t thought that I want to be a manager yet; for now, I just want to specialize in the technologies we use, grow my experience, and continue becoming a better engineer.

Learn more

Learn more about Microsoft identity and access management.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How one Microsoft software engineer works to improve access management appeared first on Microsoft Security Blog.

Categories: Identity and access management Tags:

Making the world a safer place with Microsoft Defender for individuals

June 16th, 2022 No comments

Today’s sophisticated cyber threats require a modern approach to security. And this doesn’t apply only to enterprises or government entities—in recent years we’ve seen attacks increase exponentially against individuals. There are 921 password attacks every second.1 We’ve seen ransomware threats extending beyond their usual targets to go after small businesses and families. And we know, as bad actors become more and more sophisticated, we need to increase our personal defenses as well.

That is why it is so important for us to protect your entire digital life, whether you are at home or work—threats don’t end when you walk out of the office or close your work laptop for the day. We need solutions that help keep you and your family secure in how you work, play, and live.

That’s why I’m excited to share the availability of Microsoft Defender for individuals, a new online security application for Microsoft 365 Personal and Family subscribers. We believe every person and family should feel safe online. This is an exciting step in our journey to bring security to all and I’m thrilled to share with you more about this new app, available with features for you to try today.

Introducing Microsoft Defender

As our digital footprints grow, and with more devices and family members online, protecting your personal data and devices becomes more important than ever. On top of that, you and your family’s device preferences may result in Windows, iOS, Android, and macOS devices all represented in a single household—I know from personal experience in my own family. As threats grow more sophisticated, and time spent online has increased during the pandemic, we are more vulnerable than ever.  

To help keep your data private and devices secure, people often turn to multiple security products, with scattered security monitoring and device management. This fragmentation makes keeping up with increasing online threats even harder.

We must evolve our security solutions to meet unique customer needs at home and work by bringing together existing technologies in a new way. That is why we are introducing Microsoft Defender for individuals. It was built on our Microsoft Defender for Endpoint technology, leveraging the same trusted security that enterprises rely on. It joins our comprehensive set of security products and services as the newest member of our family of Microsoft Defender solutions and extends the protection already built into Windows Security.

What does Microsoft Defender do?

Microsoft Defender is simplified online security that meets you and your family where you are by bringing multiple protections together into a single dashboard. It provides online protection across the devices you and your family use. It offers tips and recommendations to strengthen your protection further. And, as you grow your digital footprint by adding family members and devices, Defender grows with you and keeps your defenses up-to-date using trusted technology.  

This seamless solution, which includes continuous antivirus and anti-phishing protection for your data and devices, will enable you to:

  • Manage your security protections and view security protections for everyone in your family, from a single easy-to-use, centralized dashboard.2
  • View your existing antivirus protection (such as Norton or McAfee). Defender recognizes these protections within the dashboard.
  • Extend Windows device protections to iOS, Android, and macOS devices for cross-platform malware protection on the devices you and your family use the most.3, 4
  • Receive instant security alerts, resolution strategies, and expert tips to help keep your data and devices secure.5

This is just the start. As we look forward, we will continue to bring more protections together under a single dashboard, including features like identity theft protection and secure online connection. Microsoft Defender is simplified online security that grows with you and your family to help keep you safe. 

Try it today!

The expansion of our security portfolio with Microsoft Defender for individuals is the natural and exciting progression in our journey as a security company. The Microsoft Defender app is available to Microsoft 365 subscribers beginning today, across Windows, macOS, iOS, and Android. It was shaped based on the thoughts and feedback from so many families and people who use our products, and we are so excited to have this available today. Read more about the value to Microsoft 365 subscribers and the journey to get here from the Microsoft 365 team, or try Microsoft Defender today. There is so much more to come, and we look forward to sharing more on this journey to make the world a safer place for all!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1According to Microsoft Azure Active Directory (Azure AD) authentication log data. 2022. 

2App requires a Microsoft 365 Family or Personal subscription and is available as a separate download. 

3App is available on Windows, macOS, Android, and iOS in select Microsoft 365 Family or Personal billing regions.

4New malware protection is not available where these protections exist on iOS and Windows.

5Security tips are available on Windows and macOS only.

The post Making the world a safer place with Microsoft Defender for individuals appeared first on Microsoft Security Blog.

Categories: cybersecurity Tags:

Why strong security solutions are critical to privacy protection

June 15th, 2022 No comments

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Voice of the Community blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Ann Cavoukian, Ph.D., Founder and Chief Executive Officer (CEO) of Global Privacy & Security by Design, former three-term Information and Privacy Commissioner for Ontario, Canada, and author of “Privacy by Design: The 7 Foundational Principles.” The thoughts below reflect Ann’s views, not the views of her employer or Microsoft, and are not legal advice. In this blog post, Ann shares insights on how to better protect people’s privacy.  

Brooke: What are the seven foundational principles of Privacy by Design?

Ann: When I joined the Commission, I had to train my lawyers on the need to be proactive relating to privacy and security. I wanted something that would ideally prevent privacy harms from arising.  

I created Privacy by Design at my kitchen table over three nights. Privacy by Design was unanimously passed as an international standard in 2010. In 2018, a new law in the European Union, the General Data Protection Regulation (GDPR), included Privacy by Design. It’s been translated into 40 languages and not a week goes by when I don’t hear from some jurisdiction around the world. Brazil also included Privacy by Design in their new privacy law. 

There are seven foundational principles to Privacy by Design. The first one is you’ve got to be proactive to prevent the harms from arising. Be preventative, not remedial.  

The second one is privacy as the default setting. You don’t have to wade through all the terms of service and legalese referenced in your privacy policy to find the opt-out box saying do not use my personal information for any purpose other than for the intended primary purpose of the data collection. We give you privacy automatically!  

The third principle is privacy embedded into design. I always say bake it into the code and into all of your operations. Make it one of those essential features that is always present.  

The fourth principle is to reject zero-sum models—privacy versus security or privacy versus data utility. It’s one interest over another. It’s win-lose: reject this! Positive sum releases better outcomes, with privacy and security going hand-in-hand.  

The fifth principle is end-to-end security. You must have full lifecycle protection, from end to end, in this day and age of daily hacking. 

The sixth principle is visibility and transparency. If you keep what you’re doing open to your clients and citizens, they will assist you by increasing the accuracy and quality of the information.  

The seventh principle is respect for user privacy. If you focus on users, all of this will work to your advantage again and again. 

Brooke: With new privacy issues, how can governments and people protect identity data?

Ann: The growth of surveillance has been massive and digital identities are being explored. This terrifies me, because if your identity is digital, it’s not in your hands. Someone, usually in government, is controlling it. I read an article about the push for mobile drivers licenses. The second half was about identity theft. They’re pushing the Biden government for funding because of the identity theft that’s going to arise. Are you kidding me?  

Instead of focusing on identity theft, focus on protections you can engage in digitally. End-to-end encryption is huge. There’s biometric encryption, which encrypts your biometric—your fingerprints, your facial image, your iris scans—in such a way that no one can gain access to it. If someone successfully hacks into it, they don’t get your biometric identity but whatever was biometrically encrypted.  

It should be the obligation of the government that is demanding data from you to protect it. To expect individuals to know how to protect their data is expecting too much. I want everyone to put the brakes on digital identity and have conferences on how we can protect this data with biometric encryption and why that’s better than regular encryption. We must explore all of this, and we must do it now. 

Brooke: Have there been any unique threats to privacy in the past two or three years?

Ann: Because of the pandemic, people are being forced to reveal their private health status. If you were required to reveal vaccine information, that’s a huge infringement of your privacy. Medical data is the most sensitive personal information in existence, and it belongs to no one other than you and your physician. To require members of the public to reveal their vaccine status is appalling and that’s been one of the things I’ve been fighting. Fortunately, the pandemic is lifting, and the restrictions are lifting but the worst thing is that you’ll be compelled to reveal your health data.  

Brooke: What are the biggest barriers facing organizations today regarding privacy?

Ann: Often, there’s a chief privacy officer but they’re not part of the higher-level management team. When I talk to boards of directors and chief executive officers, I say, “You have to bring the privacy operation as an essential component of working with security and reporting to the CEO or to someone just underneath the CEO.”   

The other thing I ask is, “Do you have a data map at your organization?” When data first comes into your organization, people consent to the primary purpose of the data collection. But then the data flows throughout your organization in a variety of ways, where secondary uses are often made of the data. If you have a privacy map, you see how the data flows from one department to another. Are additional consents required because a use is secondary or are these uses intertwined with the primary purpose?  

Brooke: Will governments around the world be able to keep up with emerging technology?

Ann: Absolutely not. They need to rely on private sector companies advancing in these areas. I searched for “biometric encryption” and 10 companies are leading on this globally so there are a lot out there that governments can access, but they’ve got to do that.  

The Germans developed a term called “informational self-determination” that means it should be the individual who determines the fate of their personal information. It’s no accident that Germany is the leading privacy and data protection country in the world. They had to endure the abuses of the Third Reich and when that ended, they said never again will we subject our population to those kinds of abuses. They have enormous privacy laws at the state level. All these privacy commissioners at the state and federal levels get together for conferences twice a year. They’re amazing.

Brooke: What are the biggest privacy vulnerabilities?

Ann: A lot of times, it’s law enforcement. The police say there’s been this problem and we need access to your data. Companies generally just readily give it. I urge them not to do that. At first, they’re shocked when I say that. If law enforcement has a legitimate need for the data, namely probable cause, they can then make their case to a judge. The judge will give them a warrant and then you know it’s legitimate and have total authority to give it to them. You can’t be taken to court by customers because you had to do this. That’s the same with other departments that might come knocking at your door, like companies you’re doing work with or third parties. Any data collection and data disclosure must be authorized. 

Brooke: Is there any good reason to infringe upon privacy to do surveillance on someone?

Ann: I don’t think there is any great reason. Law enforcement understandably requires information at times, but they should always go to court to get a warrant.  

A facial recognition company was collecting 3.3 billion facial images scrubbed from the web and selling it to law enforcement agencies all over the world. The police were buying this up. When the chief of police in Toronto learned that his police officers were buying this data, he stopped it immediately. The company has been stopped now in Canada. I want other governments to do the same. 

You can’t have this underhanded, quiet surveillance taking place by the government or by private sector entities. When people in government collect information, it’s supposed to be for a particular purpose and not for whatever purposes they want. Surveillance is abounding now, and surveillance is the antithesis of privacy. We must get it under control.  

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why strong security solutions are critical to privacy protection appeared first on Microsoft Security Blog.

Security baseline for Microsoft 365 Apps for enterprise v2206

June 14th, 2022 No comments

Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2206. Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate.


 


This baseline builds on the previous Office baseline we released December 2021. The highlights of this baseline include:



  • Removed the recommendation for the policy “Junk E-mail protection”. This policy controls a deprecated feature of SmartScreen for Exchange that’s been replaced and setting this policy can cause junk email filtering issues. The Outlook and Defender product groups are working on retiring this feature and policy.

  • Default change to block macros in files obtained from the internet is releasing to all supported Office versions; Current Channel as of June 2022, with future releases and timelines listed in the Admin article.

  • Mismatched recommendations corrected. The Office team upgraded the tooling that creates the resources and documentation for the Security Baselines. These improvements found some mismatches between the “MSFT Microsoft 365 Apps v2112 – User” GPO and the spreadsheet documentation. See the list of corrections below in the details.

  • Known issue: The Solver add-in that ships with Excel may not work properly when the recommended security baselines policy “Prevent Excel from running XLM macros” is enabled. See more in the details below.

  • Published new article on Security Baselines for Office apps which contains general information and links to the latest baseline.


 


The recommended settings in this security baseline correspond with the administrative templates version 4287, released on 2/9/2022.


 


Deployment options for the baseline


IT Admins can apply baseline settings in different ways. Depending on the method(s) chosen different registry keys will be written and they will be observed in order of precedence: Office cloud policies will override ADMX/Group Policies which will override end user settings in the Trust Center.


 



  • Cloud policies may be deployed with the Office cloud policy service for policies in HKCU.  Cloud policies apply to a user on any device accessing files in Office apps with their AAD account. In Office cloud policy service, you can create a filter for the Area column to display the current Security Baselines, and within each policy’s context pane the recommended baseline setting is set by default. Learn more about Office cloud policy service.

  • ADMX policies may be deployed with Microsoft Endpoint Manager (MEM) for both HKCU and HKLM policies. These settings are written to the same place as Group Policy, but managed from the cloud in MEM. There are two methods to create and deploy policy configurations: Administrative templates or the settings catalog.

  • Group Policy may be deployed with on premise AD DS to deploy Group Policy Objects (GPO) to users and computers. The downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, updated custom administrative template (SecGuide.ADMX/L) file, all the recommended settings in spreadsheet form and a Policy Analyzer rules file.


 


GPOs included in the baseline


Most organizations can implement the baseline’s recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations. We’ve broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. The local-policy script (Baseline-LocalInstall.ps1) offers command-line options to control whether these GPOs are installed.


 


“MSFT Microsoft 365 Apps v2206” GPO set includes “Computer” and “User” GPOs that represent the “core” settings that should be trouble free, and each of these potentially challenging GPOs:


 



  • “DDE Block – User” is a User Configuration GPO that blocks using DDE to search for existing DDE server processes or to start new ones.

  • “Legacy File Block – User” is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats.

  • “Legacy JScript Block – Computer” disables the legacy JScript execution for websites in the Internet Zone and Restricted Sites Zone.

  • “Require Macro Signing – User” is a User Configuration GPO that disables unsigned macros in each of the Office applications.


 


Removed the recommendation for Junk E-mail protection policy


This policy controls the deprecated feature of SmartScreen for Exchange that’s been replaced by Exchange Online Protection (EOP) as of 2016, learn more in this blog article. Previously, we recommended setting the policy to HIGH, however, this can conflict with EOP and cause false negatives and other junk email filtering issues. The SmartScreen for Exchange service is no longer supported and we are removing this recommendation from the security baselines.


 


New Office default: VBA macros blocked in files from the Internet


VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware, for years we’ve recommended enabling this policy as part of the security baselines, and we’re now enabling this behavior by default for everyone. If you’ve already set this policy in your organization, this default change will not affect you as policy will take precedence over this default. If however, you have not configured “Block macros in files obtained from the internet” for Office apps (Access, Excel, PowerPoint, Visio, Word) this change will impact you. Learn more in the blog article in Tech Community, and the Admin article listing all release timeframes and options for administration.


 


Mismatched recommendations corrected


The Office team upgraded the tooling that creates the Office resources and documentation for the Compliance Toolkit. These improvements found some mismatches between the “MSFT Microsoft 365 Apps v2112 – User” GPO and the spreadsheet documentation, we have corrected these:



  • It is recommended for Access to Enable the policy “Disable Trust Bar Notification for unsigned application add-ins and block them”


    • The “MSFT Microsoft 365 Apps v2112 – User” GPO in the Compliance Toolkit correctly had this policy enabled, while our documentation was incorrect. The documentation is now fixed.


  • It is recommended for Access to not configure the policy “Require that application add-ins are signed by Trusted Publisher”.


    • The documentation was correct and the “MSFT Microsoft 365 Apps v2112 – User” GPO was incorrect. The GPO is now fixed.


  • It is recommended for Excel to Enable the policy “Require that application add-ins are signed by Trusted Publisher”.


    • The documentation was correct and the “MSFT Microsoft 365 Apps v2112 – User” GPO was incorrect. The GPO is now fixed.



 


Known Issue: The Solver add-in that ships with Excel may not work properly with a certain security policy enabled: When the recommended security baselines policy “Prevent Excel from running XLM macros” is enabled, the Solver and Analysis ToolPak add-ins will not function properly. Functionality may be missing, and results may not be computed, even if the user is informed of a successful computation. A fix is in progress and workarounds, current status, and availability are included in the article.


 


When can I expect the next release of Microsoft 365 Apps for enterprise Security Baseline?


In the future, we’ll plan to release new security baselines every 6 months, usually in June and December.


 


If you have questions or issues, please let us know via the Security Baseline Community or this post.


 

Categories: Uncategorized Tags:

The many lives of BlackCat ransomware

June 13th, 2022 No comments

The BlackCat ransomware, also known as ALPHV, is a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid.

First observed in November 2021, BlackCat initially made headlines because it was one of the first ransomware families written in the Rust programming language. By using a modern language for its payload, this ransomware attempts to evade detection, especially by conventional security solutions that might still be catching up in their ability to analyze and parse binaries written in such language. BlackCat can also target multiple devices and operating systems. Microsoft has observed successful attacks against Windows and Linux devices and VMWare instances.

As we previously explained, the RaaS affiliate model consists of multiple players: access brokers, who compromise networks and maintain persistence; RaaS operators, who develop tools; and RaaS affiliates, who perform other activities like moving laterally across the network and exfiltrating data before ultimately launching the ransomware payload. Thus, as a RaaS payload, how BlackCat enters a target organization’s network varies, depending on the RaaS affiliate that deploys it. For example, while the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access. In addition, at least two known affiliates are now adopting BlackCat: DEV-0237 (known for previously deploying Ryuk, Conti, and Hive) and DEV-0504 (previously deployed Ryuk, REvil, BlackMatter, and Conti).

Such variations and adoptions markedly increase an organization’s risk of encountering BlackCat and pose challenges in detecting and defending against it because these actors and groups have different tactics, techniques, and procedures (TTPs). Thus, no two BlackCat “lives” or deployments might look the same. Indeed, based on Microsoft threat data, the impact of this ransomware has been noted in various countries and regions in Africa, the Americas, Asia, and Europe.

Human-operated ransomware attacks like those that deploy BlackCat continue to evolve and remain one of the attackers’ preferred methods to monetize their attacks. Organizations should consider complementing their security best practices and policies with a comprehensive solution like Microsoft 365 Defender, which offers protection capabilities that correlate various threat signals to detect and block such attacks and their follow-on activities.

In this blog, we provide details about the ransomware’s techniques and capabilities. We also take a deep dive into two incidents we’ve observed where BlackCat was deployed, as well as additional information about the threat activity groups that now deliver it. Finally, we offer best practices and recommendations to help defenders protect their organizations against this threat, including hunting queries and product-specific mitigations.

BlackCat’s anatomy: Payload capabilities

As mentioned earlier, BlackCat is one of the first ransomware written in the Rust programming language. Its use of a modern language exemplifies a recent trend where threat actors switch to languages like Rust or Go for their payloads in their attempt to not only avoid detection by conventional security solutions but also to challenge defenders who may be trying to reverse engineer the said payloads or compare them to similar threats.

BlackCat can target and encrypt Windows and Linux devices and VMWare instances. It has extensive capabilities, including self-propagation configurable by an affiliate for their usage and to environment encountered.

In the instances we’ve observed where the BlackCat payload did not have administrator privileges, the payload was launched via dllhost.exe, which then launched the following commands below (Table 1) via cmd.exe. These commands could vary, as the BlackCat payload allows affiliates to customize execution to the environment.

The flags used by the attackers and the options available were the following: -s -d -f -c; –access-token; –propagated; -no-prop-servers

Screenshot of BlackCat ransomware deployment options and subcommands with corresponding descriptions.
Figure 1. BlackCat payload deployment options
Command Description
[service name] /stop Stops running services to allow encryption of data  
vssadmin.exe Delete Shadows /all /quiet Deletes backups to prevent recovery
wmic.exe Shadowcopy Delete Deletes shadow copies
wmic csproduct get UUID Gets the Universally Unique Identifier (UUID) of the target device
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f Modifies the registry to change MaxMpxCt settings; BlackCat does this to increase the number of outstanding requests allowed (for example, SMB requests when distributing ransomware via its PsExec methodology)
for /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\” Clears event logs
fsutil behavior set SymlinkEvaluation R2L:1 Allows remote-to-local symbolic links; a symbolic link is a file-system object (for example, a file or folder) that points to another file system object, like a shortcut in many ways but more powerful
fsutil behavior set SymlinkEvaluation R2R:1 Allows remote-to-remote symbolic links
net use \\[computer name]  /user:[domain]\[user] [password] /persistent:no Mounts network share
Table 1. List of commands the BlackCat payload can run

User account control (UAC) bypass

BlackCat can bypass UAC, which means the payload will successfully run even if it runs from a non-administrator context. If the ransomware isn’t run with administrative privileges, it runs a secondary process under dllhost.exe with sufficient permissions needed to encrypt the maximum number of files on the system.

Domain and device enumeration

The ransomware can determine the computer name of the given system, local drives on a device, and the AD domain name and username on a device. The malware can also identify whether a user has domain admin privileges, thus increasing its capability of ransoming more devices.

Self-propagation

BlackCat discovers all servers that are connected to a network. The process first broadcasts NetBIOS Name Service (NBNC) messages to check for these additional devices. The ransomware then attempts to replicate itself on the answering servers using the credentials specified within the config via PsExec.

Hampering recovery efforts

BlackCat has numerous methods to make recovery efforts more difficult. The following are commands that might be launched by the payload, as well as their purposes:

  • Modify boot loader
    • “C:\Windows\system32\cmd.exe” /c “bcdedit /set {default}”
    • “C:\Windows\system32\cmd.exe” /c “bcdedit /set {default} recoveryenabled No”
  • Delete volume shadow copies
    • “C:\Windows\system32\cmd.exe” /c “vssadmin.exe Delete Shadows /all /quiet”
    • “C:\Windows\system32\cmd.exe” /c “wmic.exe Shadowcopy Delete”
  • Clear Windows event logs
    • “C:\Windows\system32\cmd.exe” /c “cmd.exe /c  for /F \”tokens=*\” Incorrect function. in (‘ wevtutil.exe el ‘) DO wevtutil.exe cl \”Incorrect function. \””

Slinking its way in: Identifying attacks that can lead to BlackCat ransomware

Consistent with the RaaS model, threat actors utilize BlackCat as an additional payload to their ongoing campaigns. While their TTPs remain largely the same (for example, using tools like Mimikatz and PsExec to deploy the ransomware payload), BlackCat-related compromises have varying entry vectors, depending on the ransomware affiliate conducting the attack. Therefore, the pre-ransom steps of these attacks can also be markedly different.

For example, our research noted that one affiliate that deployed BlackCat leveraged unpatched Exchange servers or used stolen credentials to access target networks. The following sections detail the end-to-end attack chains of these two incidents we’ve observed.

Case study 1: Entry via unpatched Exchange

In one incident we’ve observed, attackers took advantage of an unpatched Exchange server to enter the target organization.

Diagram with icons and timeline depicting different attack stages, starting with the exploitation of an Exchange server vulnerability and ending with the deployment of BlackCat ransomware and double extortion.
Figure 2. Observed BlackCat ransomware attack chain via Exchange vulnerability exploitation

Discovery

Upon exploiting the Exchange vulnerability, the attackers launched the following discovery commands to gather information about the device they had compromised:

  • cmd.exe and the commands ver and systeminfo – to collect operating system information
  • net.exe – to determine domain computers, domain controllers, and domain admins in the environment

After executing these commands, the attackers navigated through directories and discovered a passwords folder that granted them access to account credentials they could use in the subsequent stages of the attack. They also used the del command to delete files related to their initial compromise activity.

The attackers then mounted a network share using net use and the stolen credentials and began looking for potential lateral movement targets using a combination of methods. First, they used WMIC.exe using the previously gathered device name as the node, launched the command whoami /all, and pinged google.com to check network connectivity. The output of the results were then written to a .log file on the mounted share. Second, the attackers used PowerShell.exe with the cmdlet Get-ADComputer and a filter to gather the last sign-in event.

Lateral movement

Two and a half days later, the attackers signed into one of the target devices they found during their initial discovery efforts using compromised credentials via interactive sign-in. They opted for a credential theft technique that didn’t require dropping a file like Mimikatz that antivirus products might detect. Instead, they opened Taskmgr.exe, created a dump file of the LSASS.exe process, and saved the file to a ZIP archive.

The attackers continued their previous discovery efforts using a PowerShell script version of ADRecon (ADRecon.ps1), which is a tool designed to gather extensive information about an Active Directory (AD) environment. The attacker followed up this action with a net scanning tool that opened connections to devices in the organization on server message block (SMB) and remote desktop protocol (RDP). For discovered devices, the attackers attempted to navigate to various network shares and used the Remote Desktop client (mstsc.exe) to sign into these devices, once again using the compromised account credentials.

These behaviors continued for days, with the attackers signing into numerous devices throughout the organization, dumping credentials, and determining what devices they could access.

Collection and exfiltration

On many of the devices the attackers signed into, efforts were made to collect and exfiltrate extensive amounts of data from the organization, including domain settings and information and intellectual property. To do this, the attackers used both MEGAsync and Rclone, which were renamed as legitimate Windows process names (for example, winlogon.exe, mstsc.exe).

Exfiltration of domain information to identify targets for lateral movement

Collecting domain information allowed the attackers to progress further in their attack because the said information could identify potential targets for lateral movement or those that would help the attackers distribute their ransomware payload. To do this, the attackers once again used ADRecon.ps1with numerous PowerShell cmdlets such as the following:

  • Get-ADRGPO – gets group policy objects (GPO) in a domain
  • Get-ADRDNSZone – gets all DNS zones and records in a domain
  • Get-ADRGPLink – gets all group policy links applied to a scope of management in a domain

Additionally, the attackers dropped and used ADFind.exe commands to gather information on persons, computers, organizational units, and trust information, as well as pinged dozens of devices to check connectivity.

Exfiltration for double extortion

Intellectual property theft likely allowed the attackers to threaten the release of information if the subsequent ransom wasn’t paid—a practice known as “double extortion.” To steal intellectual property, the attackers targeted and collected data from SQL databases. They also navigated through directories and project folders, among others, of each device they could access, then exfiltrated the data they found in those. 

The exfiltration occurred for multiple days on multiple devices, which allowed the attackers to gather large volumes of information that they could then use for double extortion.

Encryption and ransom

It was a full two weeks from the initial compromise before the attackers progressed to ransomware deployment, thus highlighting the need for triaging and scoping out alert activity to understand accounts and the scope of access an attacker gained from their activity. Distribution of the ransomware payload using PsExec.exe proved to be the most common attack method.

Screenshot of the ransom note displayed by BlackCat ransomware. It informs affected users that sensitive data from their network has been downloaded and that they must act quicky and pay the ransom if they don't want the data to be published.
Figure 3. Ransom note displayed by BlackCat upon successful infection

Case study 2: Entry via compromised credentials

In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in.

Diagram with icons and timeline depicting different attack stages, starting with the attacker using stolen credentials to sign into Remote Desktop and ending with the deployment of BlackCat ransomware.
Figure 4. Observed BlackCat ransomware attack chain via stolen credentials

Lateral movement

Once the attackers gained access to the target environment, they then used SMB to copy over and launch the Total Deployment Software administrative tool, allowing remote automated software deployment. Once this tool was installed, the attackers used it to install ScreenConnect (now known as ConnectWise), a remote desktop software application.

Credential theft

ScreenConnect was used to establish a remote session on the device, allowing attackers interactive control. With the device in their control, the attackers used cmd.exe to update the Registry to allow cleartext authentication via WDigest, and thus saved the attackers time by not having to crack password hashes. Shortly later, they used the Task Manager to dump the LSASS.exe process to steal the password, now in cleartext.

Eight hours later, the attackers reconnected to the device and stole credentials again. This time, however, they dropped and launched Mimikatz for the credential theft routine, likely because it can grab credentials beyond those stored in LSASS.exe. The attackers then signed out.

Persistence and encryption

A day later, the attackers returned to the environment using ScreenConnect. They used PowerShell to launch a command prompt process and then added a user account to the device using net.exe. The new user was then added to the local administrator group via net.exe.

Afterward, the attackers signed in using their newly created user account and began dropping and launching the ransomware payload. This account would also serve as a means of additional persistence beyond ScreenConnect and their other footholds in the environment to allow them to re-establish their presence, if needed. Ransomware adversaries are not above ransoming the same organization twice if access is not fully remediated.

Chrome.exe was used to navigate to a domain hosting the BlackCat payload. Notably, the folder structure included the organization name, indicating that this was a pre-staged payload specifically for the organization. Finally, the attackers launched the BlackCat payload on the device to encrypt its data.

Ransomware affiliates deploying BlackCat

Apart from the incidents discussed earlier, we’ve also observed two of the most prolific affiliate groups associated with ransomware deployments have switched to deploying BlackCat. Payload switching is typical for some RaaS affiliates to ensure business continuity or if there’s a possibility of better profit. Unfortunately for organizations, such adoption further adds to the challenge of detecting related threats.

Microsoft tracks one of these affiliate groups as DEV-0237. Also known as FIN12, DEV-0237 is notable for its distribution of Hive, Conti, and Ryuk ransomware. We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022. Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies.

DEV-0504 is another active affiliate group that we’ve seen switching to BlackCat for their ransomware attacks. Like many RaaS affiliate groups, the following TTPs might be observed in a DEV-0504 attack:

  • Entry vector that can involve the affiliate remotely signing into devices with compromised credentials, such as into devices running software solutions that allow for remote work
  • The attackers’ use of their access to conduct discovery on the domain
  • Lateral movement that potentially uses the initial compromised account
  • Credential theft with tools like Mimikatz and Rubeus

DEV-0504 typically exfiltrates data on devices they compromise from the organization using a malicious tool such as StealBit—often named “send.exe” or “sender.exe”. PsExec is then used to distribute the ransomware payload. The group has been observed delivering the following ransom families before their adoption of BlackCat beginning December 2021:

  • BlackMatter
  • Conti
  • LockBit 2.0
  • Revil
  • Ryuk

Defending against BlackCat ransomware

Today’s ransomware attacks have become more impactful because of their growing industrialization through the RaaS affiliate model and the increasing trend of double extortion. The incidents we’ve observed related to the BlackCat ransomware leverage these two factors, making this threat durable against conventional security and defense approaches that only focus on detecting the ransomware payloads. Detecting threats like BlackCat, while good, is no longer enough as human-operated ransomware continues to grow, evolve, and adapt to the networks they’re deployed or the attackers they work for.

Instead, organizations must shift their defensive strategies to prevent the end-to-end attack chain. As noted above, while attackers’ entry points may vary, their TTPs remain largely the same. In addition, these types of attacks continue to take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to succeed. Therefore, defenders should address these common paths and weaknesses by hardening their networks through various best practices such as access monitoring and proper patch management. We provide detailed steps on building these defensive strategies against ransomware in this blog.

In the BlackCat-related incidents we’ve observed, the common entry points for ransomware affiliates were via compromised credentials to access internet-facing remote access software and unpatched Exchange servers. Therefore, defenders should review their organization’s identity posture, carefully monitor external access, and locate vulnerable Exchange servers in their environment to update as soon as possible. The financial impact, reputation damage, and other repercussions that stem from attacks involving ransomware like BlackCat are not worth forgoing downtime, service interruption, and other pain points related to applying security updates and implementing best practices.

Leveraging Microsoft 365 Defender’s comprehensive threat defense capabilities

Microsoft 365 Defender helps protect organizations from attacks that deliver the BlackCat ransomware and other similar threats by providing cross-domain visibility and coordinated threat defense. It uses multiple layers of dynamic protection technologies and correlates threat data from email, endpoints, identities, and cloud apps. Microsoft Defender for Endpoint detects tools like Mimikatz, the actual BlackCat payload, and subsequent attacker behavior. Threat and vulnerability management capabilities also help discover vulnerable or misconfigured devices across different platforms; such capabilities could help detect and block possible exploitation attempts on vulnerable devices, such as those running Exchange. Finally, advanced hunting lets defenders create custom detections to proactively surface this ransomware and other related threats.

Additional mitigations and recommendations

Defenders can also follow the following steps to reduce the impact of this ransomware:

Microsoft 365 Defender customers can also apply the additional mitigations below:

  • Use advanced protection against ransomware.
  • Turn on tamper protection in Microsoft Defender for Endpoint to prevent malicious changes to security settings. Enable network protection in Microsoft Defender for Endpoint and Microsoft 365 Defender to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Ensure Exchange servers have applied the mitigations referenced in the related Threat Analytics report.
  • Turn on the following attack surface reduction rules to block or audit activity associated with this threat:
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    • Block process creations originating from PSExec and WMI commands
    • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

For a full list of ransomware mitigations regardless of threat, refer to this article: Rapidly protect against ransomware and extortion.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

Microsoft 365 Defender Threat Intelligence Team

Appendix

Microsoft 365 Defender detections

Microsoft Defender Antivirus

Microsoft Defender for Endpoint EDR

Alerts with the following titles in the security center can indicate threat activity on your network:

  • An active ‘BlackCat’ ransomware was detected
  • ‘BlackCat’ ransomware was detected
  • BlackCat ransomware

Hunting queries

Microsoft 365 Defender

To locate possible ransomware activity, run the following queries.

Suspicious process execution in PerfLogs path

Use this query to look for processes executing in PerfLogs—a common path used to place the ransomware payloads.

DeviceProcessEvents
| where InitiatingProcessFolderPath has "PerfLogs"
| where InitiatingProcessFileName matches regex "[a-z]{3}.exe"
| extend Length = strlen(InitiatingProcessFileName)
| where Length == 7

Suspicious registry modification of MaxMpxCt parameters

Use this query to look for suspicious running processes that modify registry settings to increase the number of outstanding requests allowed (for example, SMB requests when distributing ransomware via its PsExec methodology).

DeviceProcessEvents
| where ProcessCommandLine has_all("LanmanServer", "parameters", "MaxMpxCt", "65535")

Suspicious command line indicative of BlackCat ransom payload execution

Use these queries to look for instances of the BlackCat payload executing based on a required command argument for it to successfully encrypt ‘–access-token’.

DeviceProcessEvents
| where ProcessCommandLine has_all("--access-token", "-v") 
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments
| where CommandArguments matches regex "^[A-Fa-f0-9]{64}$"
DeviceProcessEvents
| where InitiatingProcessCommandLine has "--access-token"
| where ProcessCommandLine has "get uuid"

Suspected data exfiltration

Use this query to look for command lines that indicate data exfiltration and the indication that an attacker may attempt double extortion.

DeviceNetworkEvents
| where InitiatingProcessCommandLine has_all("copy", "--max-age", "--ignore-existing", "--multi-thread-streams", "--transfers") and InitiatingProcessCommandLine has_any("ftp", "ssh", "-q")

The post The many lives of BlackCat ransomware appeared first on Microsoft Security Blog.

5 ways to connect with Microsoft Security at Identiverse 2022

June 13th, 2022 No comments

Identiverse is where the industry gathers to discuss all things identity. The 2022 conference will take place June 21 to 24 in Denver, Colorado, and I’m absolutely thrilled that Microsoft will be there. At Identiverse, we’ll share how we help customers secure access in a hybrid, multicloud, and decentralized world—everyone needs a digital identity they own. Identity is the center of digital transformation and we always learn a ton from the experiences and ideas our partners, customers, and even competitors share. I’m eager to connect with our amazing partners and chat with new folks interested in identity and security. Here are five ways you can connect with us while there:

1. Attend my keynote

Alex Simons, CVP Identity Program Management

Alex Simons, Corporate Vice President, Identity Program Management

I’m honored to be delivering a keynote address from 8∶30 AM to 9∶00 AM Mountain Time on Wednesday, June 22, 2022, in the Aurora Ballroom at the convention center. During my “Open Standards and the Identity Trust Fabric” keynote, I’ll share our vision for the future of identity, and highlight critical open standards efforts that will form the foundation of the identity trust fabric we need to secure the hybrid, multicloud, decentralized world of tomorrow.

I don’t want to give too much away but can share a few hints. Expect to hear my thoughts on privacy and portability (they’re a priority!), on cross-cloud (it exists and is important!), and on the ability to secure this new infused world (it’s possible!). And of course, there will be a demo!

2. Check out our Microsoft-sponsored sessions

From left to right: Principal Product Manager David Gregory, Principal Program Manager Ramiro Calderon, Principal Program Manager for Decentralized Identity Ankur Patel, and Senior Product Manager Nick Wryter.

We’re sponsoring a few sessions in the main theater at the conference:

  • Microsoft Presents: Upgrade from AD FS to Azure AD cloud auth: We led a session on this topic in 2020. In this 25-minute session, Microsoft Principal Product Manager David Gregory and Microsoft Principal Program Manager Ramiro Calderon will explore how the accelerated digital transformation that started in 2020 exposed the challenges of using on-premises federation servers.
  • Faster onboarding with verifiable credentials: In this 15-minute session in Theater 1 on the Expo floor, Microsoft Principal Program Manager for Decentralized Identity Ankur Patel pulls back the curtain on verified ID to reveal a simpler, cost-saving approach to onboarding.  
  • Evaluating your identity risks with a comprehensive cloud infrastructure assessment: During this 15-minute session in Theater 2 on the Expo floor, Senior Product Manager Nick Wryter will discuss how a cloud infrastructure assessment and machine learning-based detection can help companies identify top risks across workloads.

3. Enjoy conversations with us

If you’re like us, you’ve missed in-person events like Identiverse. As appreciative as I am of fast-acting planners who took in-person conferences virtual, I’m thrilled to meet face-to-face again—as are the other members of the Microsoft team. We’ll be attending all Identiverse receptions and are excited to meet people who share our interest in identity:

  • Welcome reception and Expo Hall Grand Opening—6∶00 PM to 8∶00 PM Mountain Time on Tuesday, June 21, 2022.
  • Speaker Reception—8∶00 PM to 9∶00 PM Mountain Time on Tuesday, June 21, 2022.
  • Expo Hall Reception—5∶00 PM to 7∶00 PM Mountain Time on Wednesday, June 22, 2022.
  • Expo Hall Reception—6∶00 PM to 10∶00 PM Mountain Time on Thursday, June 23, 2022.

Hope to see you at one or more of these networking opportunities!

4. Visit us in Expo Booth #1215

Speaking of how much we enjoy face-to-face conversations, we’ll be in Booth #1215 in the Expo Hall throughout the conference, not far from the VIP meeting lounge. In our booth, you can chat with our solution experts and schedule a private meeting with Microsoft in our hospitality suite. Curious about Azure Active Directory (Azure AD), part of Microsoft Entra; Microsoft Entra Permissions Management; or Microsoft Entra Verified ID? See these Microsoft identity solutions in action at one of three demo stations in our booth.

5. Attend Microsoft earned sessions

Microsoft will deliver more than a dozen sessions at Identiverse. Topics will include verifiable credentials, OAuth demonstration of proof of possession, the impact of Zero Trust standards, and how novel identity attacks bypass your defenses. Session highlights include:

  • Hey FIDO, Meet Passkey!: 5∶30 PM to 5∶55 PM Mountain Time on Tuesday, June 21, 2022—Microsoft Digital Identity Standards Architect Tim Cappalli and Microsoft Senior Program Manager Scott Bingham will introduce the big question: What would it take to rid the world of passwords? They’ll dive deep into the evolving landscape for strong, phishing-resistant authentication and into the security properties that enable passkeys to be used across consumer and enterprise use cases.
  • As Diverse as Our Adversaries: The Mandate, Challenges and Opportunities of Diversifying Leadership in Identity: 4∶10 PM to 5∶00 PM Mountain Time on Wednesday, June 22, 2022—Microsoft Director of Identity Security Alexander Weinert and Microsoft Principal Product Manager Nicole Hart will discuss the importance of defenders matching—or even exceeding—the diversity of organizations attacking identity systems. They’ll also talk about the challenges of finding, hiring, and retaining talent and what it means to “go first” as a diverse leader in identity.
  • Beg, Borrow, or Steal: MFA Compromise on the Rise: 4∶00 PM to 4∶25 PM Mountain Time on Thursday, June 23, 2022—Microsoft Senior Program Manager Sarah Handler and Senior Data Scientist Sergio Romero will share stories of attacks leveraging multifactor authentication through phishing, token replay, and abusing multifactor authentication fatigue. They’ll offer ways for organizations to reduce their risk and considerations for the industry to strengthen authentication in the future.

Looking forward to seeing you at Identiverse!

There’s so much to see and do at Identiverse while surrounded by the brightest minds in the identity space. I’m looking forward to meeting as many attendees as possible and hope you’re among them!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 5 ways to connect with Microsoft Security at Identiverse 2022 appeared first on Microsoft Security Blog.