Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions

September 17th, 2021 No comments

On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively. Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to …


Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability

September 15th, 2021 No comments

In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders. These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.

The observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document. Customers who enabled attack surface reduction rules to block Office from creating child processes are not impacted by the exploitation technique used in these attacks. While these attacks used a vulnerability to access entry point devices and run highly-privileged code, the secondary actions taken by the attackers still rely on stealing credentials and moving laterally to cause organization-wide impact. This illustrates the importance of investing in attack surface reduction, credential hygiene, and lateral movement mitigations. Customers are advised to apply the security patch for CVE-2021-40444 to fully mitigate this vulnerability.

This blog details our in-depth analysis of the attacks that used the CVE-2021-40444, provides detection details and investigation guidance for Microsoft 365 Defender customers, and lists mitigation steps for hardening networks against this and similar attacks. Our colleagues at RiskIQ conducted their own analysis and coordinated with Microsoft in publishing this research.

Exploit delivery mechanism

The initial campaigns in August 2021 likely originated from emails impersonating contracts and legal agreements, where the documents themselves were hosted on file-sharing sites. The exploit document used an external oleObject relationship to embed exploitative JavaScript within MIME HTML remotely hosted content that results in (1) the download of a CAB file containing a DLL bearing an INF file extension, (2) decompression of that CAB file, and (3) execution of a function within that DLL. The DLL retrieves remotely hosted shellcode (in this instance, a custom Cobalt Strike Beacon loader) and loads it into wabmig.exe (Microsoft address import tool.)

Figure 1. The original exploit vector: an externally targeted oleObject relationship definition bearing an MHTML handler prefix pointed at an HTML file hosted on infrastructure that has similar qualities to the Cobalt Strike Beacon infrastructure that the loader’s payload communicates with.

Content that is downloaded from an external source is tagged by the Windows operating system with a mark of the web, indicating it was downloaded from a potentially untrusted source. This invokes Protected Mode in Microsoft Office, requiring user interaction to disable it to run content such as macros. However, in this instance, when opened without a mark of the web present, the document’s payload executed immediately without user interaction – indicating the abuse of a vulnerability.
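The document feature described above (an external oleObject relationship whose target carries an MHTML handler prefix) can be triaged offline. The following is an added example, not code from the Microsoft post: it assumes only the OOXML (ECMA-376) relationship type URI and TargetMode attribute, and the sample packages it scans are constructed in memory (lure.example is a placeholder host, not an indicator from the post).

```python
"""Triage check for Office Open XML documents: flag oleObject relationships
whose target is external and uses an MHTML handler prefix, the document
feature described above for the CVE-2021-40444 lures.

Added example, not code from the Microsoft post. The relationship type URI
and the TargetMode attribute come from the OOXML (ECMA-376) package schema;
the sample packages are constructed in memory and are not real lures.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
STYLES_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                   "relationships/styles")
# Tolerate case variation and leading whitespace before the handler prefix.
MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)


def scan_ole_relationships(docx_bytes: bytes) -> list:
    """Return one finding per external oleObject relationship in the package.

    Severity "high": external target with an mhtml: handler prefix.
    Severity "review": external target without it (legitimate linked objects
    exist, so these need a human look rather than an automatic verdict).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed relationship part: skip, do not abort triage
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                # OOXML default TargetMode is Internal; only external targets matter here
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                severity = "high" if MHTML_PREFIX.match(target) else "review"
                findings.append({"part": name, "id": rel.get("Id"),
                                 "target": target, "severity": severity})
    return findings


def build_sample_docx(ole_target: str, external: bool) -> bytes:
    """Build a minimal constructed .docx-like package with one oleObject relationship."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{STYLES_REL_TYPE}" Target="styles.xml"/>'
        f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
        f'Target={quoteattr(ole_target)}{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: an embedded object (benign), a linked object (review),
# and an external mhtml: target of the kind the post describes (high).
SAMPLES = {
    "embedded": build_sample_docx("embeddings/oleObject1.bin", external=False),
    "linked": build_sample_docx("file:///C:/reports/q3.xlsx", external=True),
    "mhtml": build_sample_docx("mhtml:http://lure.example/word.html", external=True),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, scan_ole_relationships(data))
```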

Figure 2. Attack chain of DEV-0413 campaign that used CVE-2021-40444

DEV-0413 observed exploiting CVE-2021-40444

As part of Microsoft’s ongoing commitment to tracking both nation state and cybercriminal threat actors, we refer to the unidentified threat actor as a “development group” and utilize a threat actor naming structure with a prefix of “DEV” to indicate an emerging threat group or unique activity during the tracking and investigation phases before MSTIC reaches high confidence about the origin or identity of the actor behind an operation. MSTIC tracks a large cluster of cybercriminal activity involving Cobalt Strike infrastructure under the name DEV-0365.

The infrastructure we associate with DEV-0365 has several overlaps in behavior and unique identifying characteristics of Cobalt Strike infrastructure that suggest it was created or managed by a distinct set of operators. However, the follow-on activity from this infrastructure indicates multiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware). One explanation is that DEV-0365 is involved in a form of command-and-control infrastructure as a service for cybercriminals.

Additionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads — activity that overlaps with a group Microsoft tracks as DEV-0193. DEV-0193 activities overlap with actions tracked by Mandiant as UNC1878.

Due to the uncertainty surrounding the nature of the shared qualities of DEV-0365 infrastructure and the significant variation in malicious activity, MSTIC clustered the initial email campaign exploitation identified as CVE-2021-40444 activity separately, under DEV-0413.

The DEV-0413 campaign that used CVE-2021-40444 has been smaller and more targeted than other malware campaigns we have identified leveraging DEV-0365 infrastructure. We observed the earliest exploitation attempt of this campaign on August 18. The social engineering lure used in the campaign, initially highlighted by Mandiant, aligned with the business operations of targeted organizations, suggesting a degree of purposeful targeting. The campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted. In most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.

It is worth highlighting that while monitoring the DEV-0413 campaign, Microsoft identified active DEV-0413 infrastructure hosting CVE-2021-40444 content wherein basic security principles had not been applied. DEV-0413 did not limit the browser agents able to access the server to their malware implant or known targets, thereby permitting directory listing for their web server. In doing so, the attackers exposed their exploit to anyone who might have gained interest based on public social media discussion.

Figure 3. Content of the original DEV-0413 email lure seeking application developers

At least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack. It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure.

In a later wave of DEV-0413 activity on September 1, Microsoft identified a lure change from targeting application developers to a “small claims court” legal threat.

Figure 4. Example of the “Small claims court” lure utilized by DEV-0413

Vulnerability usage timeline

On August 21, 2021, MSTIC observed a social media post by a Mandiant employee with experience tracking Cobalt Strike Beacon infrastructure. This post highlighted a Microsoft Word document (SHA-256: 3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf) that had been uploaded to VirusTotal on August 19, 2021. The post’s focus on this document was highlighting the custom Cobalt Strike Beacon loader and did not focus on the delivery mechanism.

MSTIC analyzed the sample and determined that an anomalous oleObject relationship in the document was targeted at an external malicious HTML resource with an MHTML handler and likely leading to abuse of an undisclosed vulnerability. MSTIC immediately engaged the Microsoft Security Response Center and work began on a mitigation and patch. During this process, MSTIC collaborated with the original finder at Mandiant to reduce the discussion of the issue publicly and avoid drawing threat actor attention to the issues until a patch was available. Mandiant partnered with MSTIC and did their own reverse engineering assessment and submitted their findings to MSRC.

On September 7, 2021, Microsoft released a security advisory for CVE-2021-40444 containing a partial workaround. As a routine in these instances, Microsoft was working to ensure that the detections described in the advisory would be in place and a patch would be available before public disclosure. During the same time, a third-party researcher reported a sample to Microsoft from the same campaign originally shared by Mandiant. This sample was publicly disclosed on September 8. We observed a rise in exploitation attempts within 24 hours.

Figure 5. Graphic showing original exploitation on August 18 and attempted exploitation increasing after public disclosure

Microsoft continues to monitor the situation and work to deconflict testing from actual exploitation. Since the public disclosure, Microsoft has observed multiple threat actors, including ransomware-as-a-service affiliates, adopting publicly disclosed proof-of-concept code into their toolkits. We will continue to provide updates as we learn more.

Mitigating the attacks

Microsoft has confirmed that the following attack surface reduction rule blocks activity associated with exploitation of CVE-2021-40444 at the time of publishing:

  • Block all Office applications from creating child processes

Apply the following mitigations to reduce the impact of this threat and follow-on actions taken by attackers.

  • Apply the security updates for CVE-2021-40444. Comprehensive updates addressing the vulnerabilities used in this campaign are available through the September 2021 security updates.
  • Run the latest version of your operating systems and applications. Turn on automatic updates or deploy the latest security updates as soon as they become available.
  • Use a supported platform, such as Windows 10, to take advantage of regular security updates.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants.
  • Turn on tamper protection in Microsoft Defender for Endpoint to prevent malicious changes to security settings.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.

Microsoft 365 Defender detection details


Microsoft Defender Antivirus detects threat components as the following malware:

Endpoint detection and response (EDR)

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Possible exploitation of CVE-2021-40444 (requires Defender Antivirus as the Active AV)

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • Suspicious Behavior By Office Application (detects the anomalous process launches that happen in exploitation of this CVE, and other malicious behavior)
  • Suspicious use of Control Panel item

Microsoft Defender for Office 365

Microsoft Defender for Office 365 signals to Microsoft 365 Defender, which correlates cross-domain threat intelligence to deliver coordinated defense, when this vulnerability is detected in a document delivered via email, provided detonation is enabled.

The following alerts in your portal will indicate that a malicious attachment has been blocked, although these alerts are also used for many different threats:

  • Malware campaign detected and blocked
  • Malware campaign detected after delivery
  • Email messages containing malicious file removed after delivery

Advanced hunting

To locate possible exploitation activity, run the following queries.

Relative path traversal (requires Microsoft 365 Defender)

Use the following query to surface abuse of Control Panel objects (.cpl) via URL protocol handler path traversal as used in the original attack and public proof of concepts at time of publishing:

DeviceProcessEvents // source table for FileName and ProcessCommandLine
| where (FileName in~("control.exe","rundll32.exe") and ProcessCommandLine has ".cpl:")
or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
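The same two-branch logic as a stand-alone check over process events, for testing the pattern against exported telemetry offline. This is an added example, not code from the Microsoft post: the events are constructed, and the KQL `has` operator is approximated with a case-insensitive substring test.

```python
"""Offline re-implementation of the hunting query above: flag process events
where control.exe or rundll32.exe is launched with a ".cpl:" argument, or
where any command line carries the quoted "<ext>:../.." URL-protocol-handler
path traversal pattern.

Added example, not code from the Microsoft post. The events below are
constructed for demonstration (not real telemetry); KQL `has` is
approximated with a case-insensitive substring check.
"""
import re

# Same pattern as the KQL query: a quote, any one char, 2-4 letters, ':', then ../..
TRAVERSAL_RE = re.compile(r'".[a-zA-Z]{2,4}:\.\./\.\.')
# Control Panel host processes named in the query (compared case-insensitively, like in~)
CPL_HOSTS = {"control.exe", "rundll32.exe"}


def matches_cpl_traversal(event: dict) -> bool:
    """Return True when the event satisfies either branch of the query."""
    file_name = event.get("FileName", "").lower()
    cmdline = event.get("ProcessCommandLine", "")
    # Branch 1: Control Panel host process given a .cpl: protocol-style argument
    if file_name in CPL_HOSTS and ".cpl:" in cmdline.lower():
        return True
    # Branch 2: quoted "<ext>:../.." traversal in any process command line
    return TRAVERSAL_RE.search(cmdline) is not None


def hunt(events: list) -> list:
    """Return the events that should be surfaced for investigation."""
    return [e for e in events if matches_cpl_traversal(e)]


# Constructed sample events covering both branches plus benign Control Panel use.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "control.exe",
     "ProcessCommandLine": 'control.exe ".cpl:../../../AppData/Local/Temp/Low/sample.inf"'},
    {"DeviceName": "ws02", "FileName": "RUNDLL32.EXE",
     "ProcessCommandLine": "RUNDLL32.EXE shell32.dll,Control_RunDLL .cpl:..\\..\\Temp\\sample.inf"},
    {"DeviceName": "ws03", "FileName": "explorer.exe",
     "ProcessCommandLine": 'explorer.exe ".txt:../../Windows/win.ini"'},
    {"DeviceName": "ws04", "FileName": "control.exe",
     "ProcessCommandLine": "control.exe /name Microsoft.WindowsUpdate"},
    {"DeviceName": "ws05", "FileName": "rundll32.exe",
     "ProcessCommandLine": "rundll32.exe shell32.dll,Control_RunDLL intl.cpl"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['DeviceName']}: {hit['ProcessCommandLine']}")
```

The ws03 event shows that the second branch fires on the traversal pattern regardless of the process name, which is why the post lists it separately from the Control Panel host check.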


The post Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability appeared first on Microsoft Security Blog.

The passwordless future is here for your Microsoft account

September 15th, 2021 No comments

Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives—from email to bank accounts, shopping carts to video games.

We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either. In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally “reply all”—which can be monumentally embarrassing—than reset a password.

But what alternative do we have?

For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision. In March 2021, we announced that passwordless sign in was generally available for commercial users, bringing the feature to enterprise organizations around the world.

Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. This feature will be rolled out over the coming weeks.

The problem with passwords

My friend, Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft likes to say, “Hackers don’t break in, they log in.” That has stuck with me ever since I first heard him say it because it’s so true.

Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year.

Why are passwords so vulnerable? There are two big reasons.

Human nature

Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords. But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords. Updates are often required on a regular basis, yet to create passwords that are both secure enough and memorable enough is a challenge. Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.

Graphic depicting how new passwords that are secure enough are hard to remember.

Graphic depicting how a new password that is easy to remember is not secure enough.

Forgetting a password can be painful too. I was shocked to learn that nearly a third of people say they completely stop using an account or service rather than dealing with a lost password. That’s not only a problem for the person stuck in the password cycle, but also for businesses losing customers.

To solve these problems and create passwords we can remember, we try and make things easier for ourselves. We often rely on known and personal words and phrases. One of our recent surveys found that 15 percent of people use their pets’ names for password inspiration. Other common answers included family names and important dates like birthdays. We also found 1 in 10 people admitted reusing passwords across sites, and 40 percent say they’ve used a formula for their passwords, like Fall2021, which eventually becomes Winter2021 or Spring2022.

Hacker nature

Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess. A quick look at someone’s social media can give any hacker a head start on logging into their personal accounts. Once that password and email combination has been compromised, it’s often sold on the dark web for use in any number of attacks.

Hackers also have a lot of tools and techniques. They can use automated password spraying to try many possibilities quickly. They can use phishing to trick you into putting your credentials into a fake website. These tactics are relatively unsophisticated and have been in play for decades, but they continue to work because passwords continue to be created by humans.

Go passwordless today with a few quick clicks

First, ensure you have the Microsoft Authenticator app installed and linked to your personal Microsoft account.

Next, visit your Microsoft account, sign in, and choose Advanced Security Options. Under Additional Security Options, you’ll see Passwordless Account. Select Turn on.

Microsoft Authenticator screen showing the option to go passwordless.

Finally, follow the on-screen prompts, and then approve the notification from your Authenticator app. Once you’ve approved, you’re free from your password!

Microsoft Authenticator screen showing password has been successfully removed.

If you decide you prefer using a password, you can always add it back to your account. But I hope you’ll give passwordless a try—I don’t think you’ll want to go back.

Learn more about going passwordless

We’ve heard great feedback from our enterprise customers who have been on the passwordless journey with us. In fact, Microsoft itself is a great test case—nearly 100 percent of our employees use passwordless options to log in to their corporate accounts.

You can read more about our passwordless journey in a blog from Joy Chik, Corporate Vice President of Identity, or hear more about the benefits for people using Edge or Microsoft 365 apps from Liat Ben-Zur. To learn more about how Microsoft solutions, such as Microsoft Azure Active Directory and Microsoft Authenticator, are allowing users in organizations to forget their passwords while staying protected, join our digital event Your Passwordless Future Starts Now on October 13, 2021.

Learn more about enabling passwordless sign-in with the Microsoft Authenticator app here.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post The passwordless future is here for your Microsoft account appeared first on Microsoft Security Blog.


Security baseline for Microsoft Edge v93

September 13th, 2021 No comments

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 93!


We have reviewed the settings in Microsoft Edge version 93 and updated our guidance with the addition of 1 setting and the removal of 1 setting. Additionally, there is 1 setting worth mentioning. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 93 package from the Security Compliance Toolkit.


Enable 3DES cipher suites in TLS (added)

We are enforcing this setting to ensure it remains disabled. 3DES will be completely removed from Microsoft Edge in version 95 (around October 2021) and this policy will stop working at that point. Once it does, we will remove this setting from the baseline. If your server relies upon 3DES support, it should be updated as soon as possible to ensure that modern browsers can continue to connect.


Default Adobe Flash setting (removed)

Now that Adobe Flash support has ended and been removed from Microsoft Edge, we have removed the requirement to disable this setting.


Configure users’ ability to override feature flags (worth mentioning)

Some customers have been asking for this policy setting to further lock down what feature flag settings an end-user may configure. If this policy is configured, it can prevent users from reconfiguring Edge settings exposed by the edge://flags page and/or via command line arguments. A tech-savvy user may uncover unsupported mechanisms for adjusting feature flag settings, but this policy allows blocking both supported mechanisms.


Microsoft Edge version 93 introduced 31 new computer settings and 26 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.


As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.


Please continue to give us feedback through the Security Baseline Community or this post.


Afternoon Cyber Tea: Learn how to stop misinformation threats from nation-state bad actors

September 13th, 2021 No comments

Information has long been wielded as an instrument of national power and influence. In today’s digital world, misinformation can also be just as powerful.

On a special episode of Afternoon Cyber Tea with Ann Johnson, Sandra Joyce, Executive Vice President and Head of Mandiant Intelligence at FireEye, joined me to talk about threat attribution and accountability when it comes to the use of technology by bad actors to help spread misinformation.

As a US Air Force Reserve officer and faculty member at the National Intelligence University with four master’s degrees in cyber policy, international affairs, science and technology intelligence, and military operational art and science, Sandra is an expert in understanding how nation-state actors leverage traditional and social media channels to erode confidence in free and fair elections. Sometimes, those bad actors will use these core values, such as freedom of speech, against us, according to Sandra. For instance, she recounts the story of a foreign group that used those values against the US by fabricating letters from concerned citizens to be published in US newspapers.

In this powerful episode, Sandra discusses how threat actors are adopting new threat techniques—shifting from signature malware to commodity malware—and pivoting to smaller malware families that they hope will be overlooked by cybersecurity professionals. That combination will make it harder to detect threats amid the noise. She recommends that organizations research threats and undertake a threat profile on themselves to learn their vulnerabilities and the biggest threats that could target them. That can shape priorities. Using the metaphor of bank robbers, she says it’s not so hard to rush the guards in a building but is hard to learn the location of the safe, get the combination to the safe, and escape undetected. The latter is where the bulk of business intrusion happens. Companies need to root out threats in that lateral stage.

During our conversation, we also spoke about threat intelligence and what’s involved in threat actor attribution. After recognizing a cluster of threat activity, there’s a lot of work required to identify which organization or country is behind the threat. It usually takes months to collect information about the threat’s techniques, infrastructure, and command and control (C2) channel, which is the channel a threat actor uses to commandeer an individual host or to control a botnet of millions of machines. For years, FireEye’s Mandiant Threat Intelligence team has been tracking financial crime group Fin11, which deploys point-of-sale malware targeting the financial, retail, restaurant, and pharmaceutical industries. Both technical indicators and the targeting information prove useful in these investigations, in part as you learn about the bad actors’ intentions. To learn what organizations can do to combat threats, listen to Afternoon Cyber Tea with Ann Johnson: Taking a “when, not if” approach to cybersecurity on Apple Podcasts or PodcastOne.

What’s next

A new season of Afternoon Cyber Tea with Ann Johnson launches this October 2021 on The CyberWire! In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, IoT, and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • PodcastOne: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Learn how to stop misinformation threats from nation-state bad actors appeared first on Microsoft Security Blog.


Combat attacks with security solutions from Trustwave and Microsoft

September 9th, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

In 2021, cyberattacks and instances of ransomware demands against companies, agencies, and institutions have dominated the headlines. These kinds of attacks are on the rise and often have long-reaching impacts that can spill over across supply chains. In just the first half of the year, there have been several high-profile cyberattacks in the United States including Colonial Pipeline [1], JBS (the world’s largest meat supplier) [2], the Washington, D.C. Police Department [3], and the MTA of New York City [4], to name a few.

The SolarWinds cybersecurity breach [5] opened US government networks and private companies’ security systems around the world to threat actors in late 2020. This breach allowed access to confidential government data and intel before being discovered. The innovative bad actors attached their malware to a software update from SolarWinds’ Orion software in March through June of 2019, which led to tens of thousands of customers’ security being compromised. SolarWinds serves as an unfortunate example of how organizations around the world operate under the perpetual threat of becoming a target of a cyberattack or the victim of a cybercrime, even from a trusted partner.

Some believe the escalation in attacks and data breaches in the past year likely originated with new remote working environments, which exponentially increased the number of endpoints that required protection, putting strain on already over-extended IT resources [6].

Take a proactive approach to your security

To identify, contain, and eradicate these relentless threats properly, security operations must include effective platforms, processes, and people. With attacks on the rise and bad actors only becoming more sophisticated, security that meets the minimum is no longer effective, and organizations need to consider a more proactive approach. Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavior-based next-generation protection, rich APIs, and unified security management.

Microsoft security solutions have native capability designed to work cohesively to provide integrated threat detection and response capabilities, but technology alone is not enough. The benefits derived from leveraging best-in-breed tools can mean the difference in capturing a threat or letting it linger, unnoticed in your environment indefinitely. Partnering with a Managed Detection and Response (MDR) team/Managed Security Services Provider (MSSP) who is a trusted Microsoft technology partner can help you operationalize these transformations and derive the most value from your existing technology investments.

Trustwave removes the complexity and burden of threat detection and response with an entire portfolio of cybersecurity solutions that work with existing Microsoft investments to fight cybercrime, protect data, and reduce risk. Knowing what to look for in your security partners is crucial, especially among the noise of an industry saturated with providers claiming to be the “best.” Search for partners that can offer:

  • All-day monitoring/notification, incident response, and remediation.
  • Data forensics and investigation response (DFIR).
  • Proactive, human-led threat hunting.

With organizations facing overwhelmed security teams and resource limitations, finding the time and staff to properly protect their environments—on-premises, in the cloud, or a hybrid of both—is a constant challenge. Implementing proactive endpoint detection and response (EDR) and MDR solutions can relieve your teams, prevent breaches, and appease your stakeholders. For real examples of how effective the EDR plus MDR combination can be when aligned to create a layered security posture, view Trustwave’s case study on the GoldenSpy malware or view their industry accolades showcasing the industry expertise their teams have worked to earn for the safety of organizations like yours.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Colonial Pipeline Attack Spotlights the Importance of Ransomware Preparedness, Trustwave, 11 May 2021.

[2] JBS: Cyber-attack hits world’s largest meat supplier, BBC News, 02 June 2021.

[3] D.C. Police Department Data Is Leaked in a Cyberattack, The New York Times, 27 April 2021.

[4] MTA breached by hackers with reported ties to China, Kevin Duggan, MSN, 03 June 2021.

[5] A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack, Dina Temple-Raston and Monika Evstatieva, NPR, 16 April 2021.

[6] How Your Security Testing Mindset Should Change After COVID-19, Mark Whitehead, Trustwave, 04 May 2021.

The post Combat attacks with security solutions from Trustwave and Microsoft appeared first on Microsoft Security Blog.

Why diversity is important for a strong cybersecurity team

September 9th, 2021

Medicine. Aeronautics. Academia. When you’re a cybersecurity professional, the colleague next to you could have started in one of these industries—or just about any other you can imagine. The backgrounds of cybersecurity professionals are more diverse than those of professionals in other industries. And because cybersecurity as an industry is so new, these professionals likely didn’t study security in school either. That includes LinkedIn’s Chief Information Security Officer (CISO) Geoff Belknap, who graduated college with a business degree. I hosted Geoff on a recent episode of Security Unlocked with Bret Arsenault to talk about strategies for recruiting cybersecurity talent and for solving the cybersecurity skills gap.

Strengthen your cybersecurity team through diversity

Geoff, who joined LinkedIn in 2019, leads the organization’s internal security teams in building a safe, trusted, and professional platform. He brings more than 22 years of experience in network architecture and security leadership to his role at LinkedIn. He previously was the CISO at Slack, where he built the security organization from the ground up, including laying the groundwork for Slack’s production incident management process. He earned a Bachelor of Science degree in Business Management at Western Governors University. One of his favorite things about cybersecurity is that it’s a multi-disciplinary and inter-disciplinary practice where people from different specialties, including business and other non-technical backgrounds, can contribute.

One of cybersecurity’s biggest and most-discussed challenges is the skills gap. The cybersecurity industry is projected to triple year-over-year through 2022, but the shortage of cybersecurity professionals is in the millions globally, according to an article in The CyberWire [1]. The skills gap is caused, in part, because the industry is relatively new and people don’t receive training on how to work in cybersecurity, according to Geoff. If a company wants to interview 10 candidates with 20 years of experience for a cloud security engineer role, it could be waiting for a very long time.

He recommends that organizations expand their idea of the right person for an open cybersecurity position. Stop thinking that the only person who is right for a role in cybersecurity is someone who majored in cybersecurity in college, or that a principal-level network security cloud architect will be an expert in all three cloud platforms. Instead, consider people who can process and analyze a collection of information, understand your company’s technology, and understand what the organization is trying to accomplish and the tools available. Inquisitive people who are passionate about problem-solving can grow into a cybersecurity position and become effective contributors to the organization. By investing in people with useful raw skills and developing their cybersecurity skills, organizations fill roles and add valuable diverse perspectives to their cybersecurity teams.

Once you fill those cybersecurity roles, retaining employees is critical. The secret to that is always company culture, Geoff said. Compassion and empathy are not only good traits to adopt but also essentials for an organization wanting to attract and retain the best talent. Authentic organizations care about their people and recognize that they need time outside work. After all, psychologically healthy people are the best asset for any organization.

During our conversation, Geoff also shared his appreciation for the Zero Trust approach because it reinforces the idea that there is no safe haven. Security is a thought process rather than an end goal you can attain. Acknowledging that there is no castle where you can lock away your data and keep it safe makes you rethink your production environment and your risk assessment. That’s a powerful realization because it puts you on a path to explore why things aren’t as secure as they should be, according to Geoff. To learn why he thinks cybersecurity professionals from nontraditional career paths can be especially successful in a Zero Trust environment, listen to Building a Stronger Security Team on The CyberWire.

What’s next

In this important cyber series, I talk with cybersecurity peers and Microsoft leaders about today’s biggest challenges in cybersecurity and practical guidance for security practitioners.

You can listen to Security Unlocked with Bret Arsenault on:

  • Apple Podcasts, Amazon Music, Google Podcasts, and Spotify. You can also download the episode by clicking The CyberWire link below.
  • The CyberWire: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics, such as building a security team and securing hybrid work.

To learn more, visit our website. In the meantime, bookmark the Security blog to keep up with our coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Understanding the cybersecurity skills gap and how education can solve it, Ingrid Toppelberg, The CyberWire, 19 April 2021.

The post Why diversity is important for a strong cybersecurity team appeared first on Microsoft Security Blog.


Windows Server 2022 Security Baseline

September 9th, 2021

We are pleased to announce the release of the security baseline package for Windows Server 2022!


Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.


Three new settings have been added for this release: an AppLocker update for Microsoft Edge, a new Microsoft Defender Antivirus setting, and a custom setting for printer driver installation restrictions.



Now that Microsoft Edge is included within Windows Server, we have updated the domain controller browser restriction list. The browser restriction list now restricts Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Microsoft Edge. Should additional browsers be used on your domain controllers, please update the list accordingly.


Script Scanning

Script scanning was a parity gap between Group Policy and MDM. Since this gap is now closed, we are enforcing the enablement of script scanning (Administrative Templates\Microsoft Defender Antivirus\Real-time Protection\Turn on script-scanning).


Restrict Driver Installations

In July, a Knowledge Base article and subsequent patch were released for CVE-2021-34527, more commonly known as “PrintNightmare”. We have added a new setting to the MS Security Guide custom administrative template (SecGuide.admx/l), Administrative Templates\MS Security Guide\Limits print driver installation to Administrators, and enforced its enablement.


Please let us know your thoughts by commenting on this post or via the Security Baseline Community.


Coordinated disclosure of vulnerability in Azure Container Instances Service

September 8th, 2021

Microsoft recently mitigated a vulnerability in Azure Container Instances (ACI) that was reported by a security researcher. Our investigation surfaced no unauthorized access to customer data. Out of an abundance of caution, we notified customers with containers running on the same clusters as the researcher’s via Service Health Notifications in the Azure Portal. If you did not receive a notification, no action is required with respect to this vulnerability.


3 steps to prevent and recover from ransomware

September 7th, 2021

On July 14, 2021, the National Cybersecurity Center of Excellence (NCCoE) [1] at the National Institute of Standards and Technology (NIST) [2] hosted a virtual workshop [3] to seek feedback from government and industry experts on practical approaches to preventing and recovering from ransomware and other destructive cyberattacks. After we wrote up our feedback for NIST, we realized it would be helpful to share this perspective more broadly to help organizations better protect themselves against the rising tide of (highly profitable) ransomware attacks. While ransomware and extortion attacks are still evolving rapidly, we want to share a few critical lessons learned and shed some light on common misconceptions about ransomware attacks.

Clarifying attack terminology and scope

One common misconception about ransomware attacks is that they only involve ransomware—”pay me to get your systems and data back”—but these attacks have actually evolved into general extortion attacks. While ransom is still the main monetization angle, attackers are also stealing sensitive data (yours and your customers’) and threatening to disclose or sell it on the dark web or internet (often while holding onto it for later extortion attempts and future attacks).

We’re also seeing a widespread perception that ransomware is still constrained to basic cryptolocker style attacks, first seen in 2013, that only affect a single computer at a time (also known as the commodity model). Today’s attackers have evolved far beyond this—using toolkits and sophisticated affiliate business models to enable human operators to target whole organizations, deliberately steal admin credentials, and maximize the threat of business damage to targeted organizations. The ransomware operators often buy login credentials to organizations from other attack groups, rapidly turning what seems like low-priority malware infections into significant business risks.

Simple, prioritized guidance

We’ve also seen that many organizations still struggle with where to start, especially smaller operations with limited staff and experience. We believe all organizations should begin with simple and straightforward prioritization of efforts (three steps) and we have published this, along with why each priority is important.


Figure 1: Recommended mitigation prioritization.

Create detailed instructions

Microsoft has also found that many organizations struggle with the next level of the planning process. As a result, we built guidance to make following these steps as clear and easy as possible. Microsoft already works with NIST NCCoE on several efforts, including the Zero Trust effort, which supports Presidential Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. We welcome the opportunity for any additional ransomware-related work by providing clarifying guidance using whatever tools and technologies organizations have available.


Figure 2: Secure backup instructions from Microsoft’s human-operated ransomware page.

Microsoft’s recommended mitigation prioritization

Based on our experience with ransomware attacks, we’ve found that prioritization should focus on these three steps: prepare, limit, and prevent. This may seem counterintuitive since most people want to simply prevent an attack and move on. But the unfortunate truth is that we must assume breach (a key Zero Trust principle) and focus on reliably mitigating the most damage first. This prioritization is critical because of the high likelihood of a worst-case scenario with ransomware. While it’s not a pleasant truth to accept, we’re facing creative and motivated human attackers who are adept at finding a way to control the complex real-world environments in which we operate. Against that reality, it’s important to prepare for the worst and establish frameworks to contain and prevent attackers’ abilities to get what they’re after.

While these priorities should govern what to do first, we encourage organizations to run as many steps in parallel as possible (including pulling quick wins forward from step three whenever you can).

Step 1. Prepare a recovery plan: Recover without paying

  • What: Plan for the worst-case scenario and expect that it will happen at any level of the organization.
  • Why: This will help your organization:
    • Limit damage for the worst-case scenario: Restoring all systems from backups is highly disruptive to business, but it’s still more efficient than trying to do recovery using low-quality attacker-provided decryption tools after paying to get the key. Remember: paying is an uncertain path; you have no guarantee that the attackers’ key will work on all your files, that the tools will work effectively, or the attacker—who may be an amateur using a professional’s toolkit—will act in good faith.
    • Limit the financial return for attackers: If an organization can restore business operations without paying, the attack has effectively failed and resulted in zero return on investment for the attackers. This makes it less likely they will target your organization again in the future (and deprives them of funding to attack others). Remember: attackers may still attempt to extort your organization through data disclosure or abusing/selling the stolen data, but this gives them less leverage than possessing the only means of accessing your data and systems.
  • How: Organizations should ensure they:
    • Register risk. Add ransomware to the risk register as a high-likelihood and high-impact scenario. Track mitigation status via your Enterprise Risk Management (ERM) assessment cycle.
    • Define and back up critical business assets. Automatically back up critical assets on a regular schedule, including correct backup of critical dependencies, such as Microsoft Active Directory.
    • Protect backups. To safeguard against deliberate erasure and encryption, use offline storage, immutable storage, and/or out-of-band steps (multifactor authentication or PIN) before modifying or erasing online backups.
    • Test ‘recover from zero’ scenario. Ensure that your business continuity and disaster recovery (BC/DR) can rapidly bring critical business operations online from zero functionality (all systems down). Conduct practice exercises to validate cross-team processes and technical procedures, including out-of-band employee and customer communications (assume all email and chat are down). Important: protect (or print) supporting documents and systems required for recovery, including restoration-procedure documents, configuration management databases (CMDBs), network diagrams, and SolarWinds instances. Attackers regularly destroy these documents.
    • Reduce on-premises exposure. Move data to cloud services with automatic backup and self-service rollback.

Step 2. Limit the scope of damage: Protect privileged roles (starting with IT admins)

  • What: Ensure you have strong controls (prevent, detect, respond) for privileged accounts, such as IT admins and other roles with control of business-critical systems.
  • Why: This slows or blocks attackers from gaining complete access to steal and encrypt your resources. Taking away the attacker’s ability to use IT admin accounts as a shortcut to resources will drastically lower the chances that they’ll be successful in controlling enough resources to impact your business and demand payment.
  • How: Enable elevated security for privileged accounts—tightly protect, closely monitor, and rapidly respond to incidents related to these roles. See Microsoft’s recommended steps that:
    • Cover end-to-end session security (including multifactor authentication for admins).
    • Protect and monitor identity systems.
    • Mitigate lateral traversal.
    • Promote rapid threat response.

Step 3. Make it harder to get in: Incrementally remove risks

  • What: Prevent a ransomware attacker from entering your environment, as well as rapidly respond to incidents and remove attacker access before they can steal and encrypt data.
  • Why: This causes attackers to fail earlier and more often, undermining their profits. While prevention is the preferred outcome, it may not be possible to achieve 100 percent prevention and rapid response across a real-world organization with a complex multi-platform, multi-cloud estate and distributed IT responsibilities.
  • How: Identify and execute quick wins that strengthen security controls to prevent entry and rapidly detect and evict attackers, while implementing a sustained program that helps you stay secure. Microsoft recommends following the principles outlined in the Zero Trust strategy. Against ransomware, organizations should prioritize:
    • Improving security hygiene by reducing the attack surface and focusing on vulnerability management for assets in their estate.
    • Implementing protection, detection, and response controls for digital assets, as well as providing visibility and alerting on attacker activity while responding to active threats.

The takeaway

To counter the threat of ransomware, it’s critical to identify, secure, and be ready to recover high-value assets—whether data or infrastructure—in the likely event of an attack. This requires a sustained effort involving obtaining buy-in from the top level of your organization (like the board) to get IT and security stakeholders working together asking nuanced questions. For example, what are the critical parts of the business that could be disrupted? Which digital assets map to these business segments (files, systems, databases)? How can we secure these assets? This process may be challenging, but it will help set up your organization to make impactful changes using the steps recommended above.

To learn more, visit our page on how to rapidly protect against ransomware and extortion.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] National Cybersecurity Center of Excellence.

[2] National Institute of Standards and Technology, US Department of Commerce.

[3] Virtual Workshop on Preventing and Recovering from Ransomware and Other Destructive Cyber Events, National Cybersecurity Center of Excellence, 14 July 2021.

The post 3 steps to prevent and recover from ransomware appeared first on Microsoft Security Blog.


A deep-dive into the SolarWinds Serv-U SSH vulnerability

September 2nd, 2021

Several weeks ago, Microsoft detected a 0-day remote code execution exploit being used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributed the attack with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures. In this blog, we share technical information about the vulnerability, tracked as CVE-2021-35211, that we shared with SolarWinds, who promptly released security updates to fix the vulnerability and mitigate the attacks.

This analysis was conducted by the Microsoft Offensive Research & Security Engineering team, a focused group tasked with supporting teams like MSTIC with exploit development expertise. Our team’s remit is to make computing safer. We do this by leveraging our knowledge of attacker techniques and processes to build and improve protections in Windows and Azure through reverse engineering, attack creation and replication, vulnerability research, and intelligence sharing.

In early July, MSTIC provided our team with data that seemed to indicate exploit behavior against a newly discovered vulnerability in the SolarWinds Serv-U FTP server’s SSH component. Although the intel contained useful indicators, it lacked the exploit in question, so our team set out to reconstruct the exploit, which required us to first find and understand the new vulnerability in the Serv-U SSH-related code.

As we knew this was a remote, pre-auth vulnerability, we quickly constructed a fuzzer focused on the pre-auth portions of the SSH handshake and noticed that the service caught and swallowed all access violations without terminating the process. It immediately became evident that the Serv-U process would make stealthy, reliable exploitation attempts simple to accomplish. We concluded that the exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context. This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages. Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation.

We shared these findings, as well as the fuzzer we created, with SolarWinds through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR), and worked with them to fix the issue. This is an example of intelligence sharing and industry collaboration that results in comprehensive protection for the broader community: attacks are detected through security products, and the underlying vulnerabilities are fixed through security updates.

Vulnerability in Serv-U’s implementation of SSH

Secure Shell (SSH) is a widely adopted protocol for secure communications over an untrusted network. The protocol behavior is defined in multiple requests for comment (RFCs), and existing implementations are available in open-source code; we primarily used RFC 4253, RFC 4252, and libssh as references for this analysis.

The implementation of SSH in Serv-U was found by enumerating references to the “SSH-” string, which must be present in the first data sent to the server. The most likely instance of such code was the following:


Figure 1. Promising instance of “SSH-” string

Putting a breakpoint on the above code and attempting to connect to Serv-U with an SSH client confirmed our hypothesis and resulted in the breakpoint being hit with the following call stack:


Figure 2. The call stack resulting from a breakpoint set on the code in Figure 1.

At this point, we noticed that Serv-U.dll and RhinoNET.dll both have ASLR support disabled, making them prime locations for ROP gadgets, as any addresses within them will be constant across any server instances running on the internet for a given Serv-U version.

After reversing related code in the RhinoNET and Serv-U DLLs, we could track SSH messages’ paths as Serv-U processes them. To handle an incoming SSH connection, Serv-U.dll creates a CSUSSHSocket object, which is derived from the RhinoNET!CRhinoSocket class. The CSUSSHSocket object lifetime is the length of the TCP connection—it persists across possibly many individual TCP packets. The underlying CRhinoSocket provides a buffered interface to the socket such that a single TCP packet may contain any number of bytes. This implies a single packet may include any number of SSH messages (provided they fit in the maximum buffer size), as well as partial SSH messages. The CSUSSHSocket::ProcessRecvBuffer function is then responsible for parsing the SSH messages from the buffered socket data.

CSUSSHSocket::ProcessRecvBuffer begins by checking for the SSH version with ParseBanner. If ParseBanner successfully parses the SSH version from the banner, ProcessRecvBuffer then loops over ParseMessage, which obtains a pointer to the current message in the socket data and extracts the msg_id and length fields from the message (more on the ParseMessage function later).


Figure 3. Selection of code from CSUSSHSocket::ProcessRecvBuffer processing loop

The socket data being iterated over is conceptually an array of the pseudo-C structure ssh_msg_t, as seen below. The message data is contained within the payload buffer, the first byte of which is considered the msg_id:

Screenshot of code

ProcessRecvBuffer then dispatches handling of the message based on the msg_id. Some messages are handled directly from the message parsing loop, while others get passed to ssh_pkt_others, which posts the message to a queue for another thread to pick up and process.
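To make the buffered parsing concrete, here is an added example (not Serv-U or Microsoft code) of a bounds-checked parser for the pre-auth SSH binary packet layout from RFC 4253 that the ssh_msg_t structure above describes. It handles a single socket read containing several complete messages followed by a partial one, and rejects impossible lengths instead of trusting them; the sample bytes, the zero padding and the demo_parse/ssh_build_packet helpers are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pre-auth (unencrypted) SSH binary packet, RFC 4253 section 6:
 *   uint32 packet_length | byte padding_length | payload | padding
 * The first payload byte is the msg_id, as in the article's ssh_msg_t. */
typedef struct {
    uint32_t packet_length;         /* bytes following the length field */
    uint8_t padding_length, msg_id;
    const uint8_t *payload;         /* points into the socket buffer */
    uint32_t payload_length;
} ssh_msg_t;

enum { SSH_MAX_PACKET = 35000, SSH_BLOCK = 8 };   /* RFC 4253 minimums */
typedef enum { PARSE_OK, PARSE_NEED_MORE, PARSE_INVALID } parse_result_t;

static uint32_t read_u32_be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the message at buf[0..len). Every length is checked against the bytes
 * actually buffered before a payload pointer is handed out. */
parse_result_t ssh_parse_message(const uint8_t *buf, size_t len,
                                 ssh_msg_t *out, size_t *consumed) {
    if (len < 5) return PARSE_NEED_MORE;          /* header not yet complete */
    uint32_t packet_length = read_u32_be(buf);
    uint8_t padding_length = buf[4];
    if (packet_length > SSH_MAX_PACKET ||
        packet_length < (uint32_t)padding_length + 2 ||   /* room for msg_id */
        padding_length < 4 || (4 + packet_length) % SSH_BLOCK != 0)
        return PARSE_INVALID;
    size_t total = 4 + (size_t)packet_length;
    if (len < total) return PARSE_NEED_MORE;      /* rest arrives in a later segment */
    out->packet_length = packet_length;
    out->padding_length = padding_length;
    out->payload = buf + 5;
    out->payload_length = packet_length - 1 - padding_length;
    out->msg_id = out->payload[0];
    *consumed = total;
    return PARSE_OK;
}

/* The ProcessRecvBuffer-style loop: consume complete messages, stop at a trailing
 * partial one. Returns 0, or -1 when a malformed packet means drop the connection. */
int ssh_process_buffer(const uint8_t *buf, size_t len, uint8_t *ids,
                       size_t max_ids, size_t *count, size_t *leftover) {
    size_t off = 0;
    *count = 0;
    while (off < len && *count < max_ids) {
        ssh_msg_t msg;
        size_t used;
        parse_result_t r = ssh_parse_message(buf + off, len - off, &msg, &used);
        if (r == PARSE_NEED_MORE) break;
        if (r == PARSE_INVALID) return -1;
        ids[(*count)++] = msg.msg_id;             /* dispatch on msg_id would go here */
        off += used;
    }
    *leftover = len - off;
    return 0;
}

/* Build a well-formed packet (zero padding instead of random, for the demo). */
size_t ssh_build_packet(uint8_t *out, size_t cap, uint8_t msg_id,
                        const uint8_t *body, size_t body_len) {
    size_t payload_len = 1 + body_len;
    size_t padding = SSH_BLOCK - ((5 + payload_len) % SSH_BLOCK);
    if (padding < 4) padding += SSH_BLOCK;
    size_t total = 5 + payload_len + padding;
    if (total > cap) return 0;
    uint32_t packet_length = (uint32_t)(1 + payload_len + padding);
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(packet_length >> (24 - 8 * i));
    out[4] = (uint8_t)padding;
    out[5] = msg_id;
    if (body_len) memcpy(out + 6, body, body_len);
    memset(out + 6 + body_len, 0, padding);
    return total;
}

/* Constructed sample read: KEXINIT (20) + NEWKEYS (21) + the first 3 bytes of a
 * message still in flight. Returns how many complete messages were parsed. */
size_t demo_parse(uint8_t *ids, size_t max_ids, size_t *leftover) {
    uint8_t buf[128];
    static const uint8_t cookie[16] = {0};        /* stand-in for the KEXINIT cookie */
    size_t len = 0, count = 0;
    len += ssh_build_packet(buf + len, sizeof buf - len, 20, cookie, sizeof cookie);
    len += ssh_build_packet(buf + len, sizeof buf - len, 21, NULL, 0);
    memset(buf + len, 0, 3); len += 3;            /* partial third message */
    if (ssh_process_buffer(buf, len, ids, max_ids, &count, leftover) != 0) return 0;
    return count;
}

int main(void) {
    uint8_t ids[8] = {0};
    size_t leftover = 0, n = demo_parse(ids, 8, &leftover);
    printf("parsed %zu messages (ids %u, %u), %zu bytes pending\n", n, ids[0], ids[1], leftover);
    return 0;
}
```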


Figure 4. Pre-auth reachable handlers in CSUSSHSocket::ProcessRecvBuffer

If the msg_id is deferred to the alternate thread, CSSHSession::OnSSHMessage processes it. This function mainly deals with messages that need to interact with Serv-U managed user profile data (e.g., authentication against per-user credentials) and UI updates. CSSHSession::OnSSHMessage turned out to be uninteresting in terms of vulnerability hunting as most message handlers within it require successful user authentication (initial telemetry indicated this was a pre-authentication vulnerability), and no vulnerabilities were found in the remaining handlers.

When initially running fuzzers against Serv-U with a debugger attached, it was evident that the application was catching exceptions which would normally crash a process (such as access violations), logging the error, modifying state just enough to avoid termination of the process, and then continuing as if there had been no problem. This behavior improves uptime of the file server application but also results in possible memory corruption lingering around in the process and building up over time. As an attacker, this grants opportunities like brute-forcing addresses of code or data with dynamic addresses.

This squashing of access violations assists with exploitation, but for fuzzing, we filtered out “uninteresting” exceptions generated by read/write access violations and let the fuzzer run until hitting a fault wherein RIP had been corrupted. This quickly resulted in the following crashing context:


Figure 5. WinDbg showing crashing context from fuzzer-generated SSH messages

As seen above, CRYPTO_ctr128_encrypt in libeay32.dll (part of OpenSSL) attempted to call an invalid address. The version of OpenSSL used is 1.0.2u, so we obtained the sources to peruse. The following shows the relevant OpenSSL function:

Screenshot of code

Meanwhile, the following shows the structure that is passed:

Screenshot of code

The crashing function was reached from the OpenSSL API boundary via the following path: EVP_EncryptUpdate -> evp_EncryptDecryptUpdate -> aes_ctr_cipher -> CRYPTO_ctr128_encrypt.

Looking further up the call stack, it is evident that Serv-U calls EVP_EncryptUpdate from CSUSSHSocket::ParseMessage, as seen below:


Figure 6. Location of call into OpenSSL, wherein attacker-controlled function pointer may be invoked

At this point, we manually minimized the TCP packet buffer produced by the fuzzer until only the SSH messages required to trigger the crash remained. In notation like that used in the RFCs, the required SSH messages were:

Screenshot of code

Note that the following description references “encrypt” functions being called when the crashing code path is clearly attempting to decrypt a buffer. This is not an error: Serv-U uses the encrypt OpenSSL API and, while not optimal for code clarity, it is behaviorally correct since Advanced Encryption Standard (AES) is operating in counter (CTR) mode.

After taking a Time Travel Debugging trace and debugging through the message processing sequence, we found that the root cause of the issue was that Serv-U initially creates the OpenSSL AES128-CTR context with code like the following:

Screenshot of code

Calling EVP_EncryptInit_ex with NULL key and/or IV is valid, and Serv-U does so in this case because the context is created while handling the KEXINIT message, which is before key material is ready. However, AES key expansion is not performed until the key is set, and the data in the ctx->cipher_data structure remains uninitialized until the key expansion is performed. We can (correctly) surmise that our sequence of messages to hit the crash has caused enc_algo_client_to_server->decrypt to be called before the key material is initialized. The Serv-U KEXINIT handler creates objects for all parameters given in the message. However, the corresponding objects currently active for the connection are not replaced with the newly created ones until the following NEWKEYS message is processed. In a normal SSH connection, the client always completes the key exchange process before issuing a NEWKEYS message. Serv-U, however, processed NEWKEYS (thus setting the m_bCipherActive flag and replacing the cipher objects) regardless of the connection state or key exchange progress. From this, we can see that the last message type in our fuzzed sequence does not matter—there only needs to be some data remaining to be processed in the socket buffer to trigger decryption after the partially initialized AES CTR cipher object has been activated.
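Modelling the root cause as a small state machine (added example, not Serv-U's or OpenSSL's code): the cipher context's block function pointer is only valid once a key has been expanded, so activating the context on NEWKEYS before the key exchange has completed lets the next decrypt call through an unset pointer, and a check of the exchange state at NEWKEYS closes the gap. The enforce_kex_order flag, the message sequences and the demo_block stand-in (a keyed XOR, not a cipher) are constructed for the demo, and a NULL pointer stands in for the uninitialized heap data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of the cipher context: the block function pointer is what the
 * article's CRYPTO_ctr128_encrypt calls through, and it is only valid once a
 * key has been expanded. NULL models the uninitialized heap data. */
typedef void (*block_fn)(const uint8_t in[16], uint8_t out[16], const uint8_t key[16]);
typedef struct { int keyed; block_fn block; uint8_t key[16]; } cipher_ctx_t;

/* Stand-in block transform for the demo: a keyed function, not a cipher. */
static void demo_block(const uint8_t in[16], uint8_t out[16], const uint8_t key[16]) {
    for (int i = 0; i < 16; i++) out[i] = in[i] ^ key[i];
}
/* Analogue of EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL): no key yet. */
static void cipher_init_nokey(cipher_ctx_t *c) { memset(c, 0, sizeof *c); c->block = NULL; }
static void cipher_set_key(cipher_ctx_t *c, const uint8_t key[16]) {
    memcpy(c->key, key, 16); c->block = demo_block; c->keyed = 1;
}

enum { SSH_MSG_KEXINIT = 20, SSH_MSG_NEWKEYS = 21, SSH_MSG_KEXDH_INIT = 30 };
typedef enum { KEX_NONE, KEX_INIT_SEEN, KEX_COMPLETE } kex_state_t;
typedef enum { OUT_OK, OUT_CLOSE_CONNECTION, OUT_UNINIT_FUNCTION_POINTER } outcome_t;

typedef struct {
    int enforce_kex_order;      /* 0 = behaviour described for Serv-U, 1 = hardened */
    kex_state_t kex;
    int cipher_active;          /* mirrors m_bCipherActive */
    cipher_ctx_t pending;       /* created on KEXINIT, keyed only after key exchange */
    cipher_ctx_t active;        /* swapped in on NEWKEYS */
} session_t;

/* The decrypt step that runs on every message once the cipher is active. */
static outcome_t cipher_update(const cipher_ctx_t *c, uint8_t buf[16]) {
    if (c->block == NULL) return OUT_UNINIT_FUNCTION_POINTER;  /* real code jumps to garbage */
    uint8_t tmp[16];
    c->block(buf, tmp, c->key);
    memcpy(buf, tmp, 16);
    return OUT_OK;
}

outcome_t handle_message(session_t *s, uint8_t msg_id, uint8_t payload[16]) {
    static const uint8_t demo_key[16] = { 0x42 };  /* constructed; a real key comes from DH */
    if (s->cipher_active) {
        outcome_t o = cipher_update(&s->active, payload);
        if (o != OUT_OK) return o;
    }
    switch (msg_id) {
    case SSH_MSG_KEXINIT:       /* new algorithm objects, no key material yet */
        cipher_init_nokey(&s->pending);
        s->kex = KEX_INIT_SEEN;
        return OUT_OK;
    case SSH_MSG_KEXDH_INIT:    /* key exchange completes; keys are derived and set */
        if (s->kex != KEX_INIT_SEEN) return OUT_CLOSE_CONNECTION;
        cipher_set_key(&s->pending, demo_key);
        s->kex = KEX_COMPLETE;
        return OUT_OK;
    case SSH_MSG_NEWKEYS:
        /* The fix: refuse to activate a cipher whose key was never set. */
        if (s->enforce_kex_order && (s->kex != KEX_COMPLETE || !s->pending.keyed))
            return OUT_CLOSE_CONNECTION;
        s->active = s->pending;
        s->cipher_active = 1;
        return OUT_OK;
    default:
        return OUT_OK;          /* other pre-auth messages are irrelevant here */
    }
}

/* Feed a sequence of message ids through a fresh session; stop at the first
 * outcome that is not OUT_OK. */
outcome_t run_sequence(int enforce, const uint8_t *ids, size_t n) {
    session_t s;
    memset(&s, 0, sizeof s);
    s.enforce_kex_order = enforce;
    uint8_t payload[16] = {0};
    for (size_t i = 0; i < n; i++) {
        outcome_t o = handle_message(&s, ids[i], payload);
        if (o != OUT_OK) return o;
    }
    return OUT_OK;
}

int main(void) {
    /* Constructed sequences: the fuzzer-minimised shape from the article
     * (KEXINIT, NEWKEYS, anything) versus a normal handshake. */
    static const uint8_t skipped_kex[] = { SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS, 0x5a };
    static const uint8_t normal[] = { SSH_MSG_KEXINIT, SSH_MSG_KEXDH_INIT, SSH_MSG_NEWKEYS, 50 };
    printf("as described : %d\n", run_sequence(0, skipped_kex, 3));  /* 2 = unset pointer */
    printf("hardened     : %d\n", run_sequence(1, skipped_kex, 3));  /* 1 = connection closed */
    printf("normal       : %d\n", run_sequence(1, normal, 4));       /* 0 = OK */
    return 0;
}
```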


As the vulnerability allows loading RIP from uninitialized memory and as there are some modules without ASLR in the process, exploitation is not so complicated: we can find a way to control the content of the uninitialized cipher_data structure, point the cipher_data->block function pointer at some initial ROP gadget, and start a ROP chain. Because of the exception handler causing any fault to be ignored, we do not necessarily need to attain reliable code execution upon the first packet. It is possible to retry exploitation until code execution is successful; however, this will leave traces in log files, and as such it may be worthwhile to invest more effort into a different technique which would avoid logging.

The first step is to find the size of the cipher_data allocation, as the most direct avenue to prefill the buffer is to spray allocations of the target allocation size and free them before attempting to reclaim the address as cipher_data. ctx->cipher_data is allocated and assigned in EVP_CipherInit_ex with the following line:

Screenshot of code

With a debugger, we can see the ctx_size in our case is 0x108, and that this allocator winds up calling ucrtbase!_malloc_base. From previous reversing, we know that both CRhinoSocket and CSUSSHSocket levels of packet parsing call operator new[] to allocate space to hold the packets we send. Luckily, that also winds up in ucrtbase!_malloc_base, using the same heap. Therefore, prefilling the target allocation is as simple as sending a properly sized TCP packet or SSH message and then closing the connection to ensure it is freed. Using this path to spray does not trigger other allocations of the same size, so we don’t have to worry about polluting the heap.

Another important value to pull out of the debugger/disassembly is offsetof(EVP_AES_KEY, block), as that offset in the sprayed data needs to be set to the initial ROP gadget. This value is 0xf8. Conveniently, most of the rest of the EVP_AES_KEY structure can be used for the ROP chain contents itself, and a pointer to the base of this structure exists in registers rbx, r8, and r10 at the time of the controlled function pointer call.

As a simple proof of concept, consider the following Python code:

Screenshot of code

The above results in the following context in the debugger:

Screenshot of code showing machine context

Figure 7. Machine context showing rcx, rdx, and rip controlled by attacker

Conclusion: Responsible disclosure and industry collaboration improves security for all

Our research shows that the Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration. An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported.

We shared our findings with SolarWinds through Coordinated Vulnerability Disclosure (CVD). We also shared the fuzzer we created. SolarWinds released an advisory and security patch, which we strongly encourage customers to apply. If you are not sure whether your system is affected, open a support case in the SolarWinds Customer Portal.

In addition to sharing vulnerability details and fuzzing tooling with SolarWinds, we also recommended enabling ASLR compatibility for all binaries loaded in the Serv-U process. Enabling ASLR is a simple compile-time flag which is enabled by default and has been available since Windows Vista. ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U.
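The ASLR point above is easy to audit: every image in a process must carry the DYNAMICBASE characteristic and still have its relocations, or a single legacy module gives an attacker fixed addresses. The following is an added example (not SolarWinds or Microsoft code) that reads the PE headers directly and builds constructed, non-loadable sample headers so it runs offline; the directory scan is an assumption about how you would apply it to an install directory.

```python
"""Audit PE images for effective ASLR (DYNAMICBASE plus relocation data)."""
import os
import struct

# IMAGE_DLLCHARACTERISTICS_* flags (PE optional header, offset 70).
DYNAMIC_BASE = 0x0040      # /DYNAMICBASE: image may be rebased by ASLR
HIGH_ENTROPY_VA = 0x0020   # /HIGHENTROPYVA: 64-bit ASLR (PE32+ only)
# IMAGE_FILE_* flags (COFF file header Characteristics).
RELOCS_STRIPPED = 0x0001   # no .reloc section: the image cannot be moved


def aslr_status(data: bytes) -> dict:
    """Return ASLR-related header facts for one PE image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsec, _ts, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        # The flag alone is not enough: the loader needs relocation data.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def scan_directory(root: str) -> list:
    """Return paths of .dll/.exe files under root that would weaken ASLR."""
    weak = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".dll", ".exe")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)   # headers live at the start of the file
            try:
                if not aslr_status(head)["aslr_effective"]:
                    weak.append(path)
            except ValueError:
                weak.append(path)      # unparsable: treat as suspect
    return weak


def build_sample_pe(dll_chars: int, file_chars: int = 0x2022,
                    pe32plus: bool = True) -> bytes:
    """Construct a minimal, non-loadable PE header for testing (constructed)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: one module built with ASLR, one legacy module.
    print("with /DYNAMICBASE:", aslr_status(build_sample_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA)))
    print("without:          ", aslr_status(build_sample_pe(0)))
```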

We would like to thank SolarWinds for their prompt response. This case further underscores the need for constant collaboration among software vendors, security researchers, and other players to ensure the safety and security of users’ computing experience.


Microsoft Offensive Research & Security Engineering team


The post A deep-dive into the SolarWinds Serv-U SSH vulnerability appeared first on Microsoft Security Blog.

Get free DMARC visibility with Valimail Authenticate and Microsoft Office 365

September 1st, 2021

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

Phishing and email spoofing not only erode brand trust but also leave recipients vulnerable to financial loss and serious invasions of privacy. These tactics have been around for years, but their breadth and sophistication today pose a formidable threat. According to the FBI, fraudulent emails sent under the guise of their own domains cost companies over $13 billion between 2016 and 2020 [1].

Microsoft has industry-leading solutions for protecting customers from such attacks. Recently, Microsoft was named a leader in the 2021 Enterprise Email Security Wave [2], with Microsoft Defender for Office 365 receiving the highest possible scores in categories like incident response, threat intelligence, endpoint detection and response (EDR) integration, product strategy, and customer success. This acknowledgment is the latest testament to Microsoft’s continued innovation as a best-of-breed solution for email and collaboration security.

Valimail joined the Microsoft Intelligent Security Association (MISA) [3] to transform Domain-based Message Authentication, Reporting, and Conformance (DMARC), one of the most reliable—yet often incredibly complex—ways to successfully strengthen email security. Valimail Authenticate, the first true DMARC-as-a-service offering, gives Microsoft Office 365 users free visibility into every service sending emails under their domains, plus additional tools to achieve DMARC enforcement faster than with any other solution.

Instead of struggling to set up DMARC or hiring expensive consultants to reach enforcement, Microsoft customers can use Valimail Authenticate to automate the process of DMARC enforcement using simple, guided workflows.

The combined power and deep integration of these two technologies shows in the results: Microsoft users such as the MLB, Uber, Citgo, Nestle, and the Department of Transportation currently reduce email fraud, increase deliverability across every domain, and protect their brands’ reputations.

DMARC-as-a-service: A new approach to email security

For those who have only heard of DMARC in passing or not at all, it might sound like just another enterprise email acronym. However, DMARC enforcement has already proven to be a valuable protector of enterprise email. According to Gartner®, DMARC is one of the top 10 security projects [4], based on Gartner forecasts and adjusted for the impact of COVID-19. The problem with most approaches to DMARC, however, has been in the tenuous implementation.

Here is some quick context on what DMARC is, and how many cycles IT has had to spend working with it in the past. At its simplest, DMARC is a way to tell other email servers which messages coming from your domains are legitimate. Typically, IT would publish a line like the following in a DNS TXT record for each domain, which triggers recipient servers to send a report of every IP address claiming to be a valid sender for your organization.

v=DMARC1; p=reject;

Someone would then need to read through sender lists in XML, confirm that each IP address is connected to an approved service, set up DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) individually for each, and check back regularly to see if new suspicious senders have appeared.

This process can be tedious. That’s why many companies that are genuinely concerned about email fraud and deliverability never finish the DMARC projects they start. Last year alone 53,000 companies added a DMARC record, with only 10 percent successfully getting themselves to enforcement. Valimail Authenticate removes the significant manual upkeep from email security workflows, making the whole process seamless for Microsoft Office 365 users. Microsoft Office 365 users can get free visibility into their environment and turn on Valimail Authenticate with a single click.
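The difference between "having a DMARC record" and "being at enforcement" is visible in the record's tags: p= sets the policy, pct= can limit how much failing mail it applies to, sp= can exempt subdomains, and rua= is where the sender reports described above are delivered. The following is an added example, not Valimail or Microsoft code, that parses a record with the tag names and defaults from RFC 7489 and classifies it; the sample records are constructed.

```python
"""Parse a DMARC TXT record and report how far it is from enforcement."""
import re

# The record is published as a TXT record at _dmarc.<domain>.
POLICIES = {"none", "quarantine", "reject"}
# rua/ruf values are comma-separated mailto: URIs, optionally with a size limit.
URI_RE = re.compile(r"^mailto:[^@\s,!]+@[^\s,!]+(![0-9]+[kmgt]?)?$", re.I)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, validating the required tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    # RFC 7489: v=DMARC1 must come first; p= is mandatory.
    first = record.strip().split(";", 1)[0].replace(" ", "")
    if first.lower() != "v=dmarc1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags


def assess(record: str) -> dict:
    """Classify a record as monitoring, partial, or enforcement and list gaps."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    pct = int(tags.get("pct", "100"))             # pct defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]

    problems = []
    if policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        problems.append("pct=%d applies the policy to only part of failing mail" % pct)
    if sub_policy == "none" and policy != "none":
        problems.append("sp=none leaves subdomains unenforced")
    if not rua:
        problems.append("no rua= address: no aggregate reports to discover senders")
    bad = [u for u in rua if not URI_RE.match(u)]
    if bad:
        problems.append("invalid rua URI(s): %s" % ", ".join(bad))

    if policy in ("quarantine", "reject") and pct == 100 and sub_policy != "none":
        stage = "enforcement"
    elif policy == "none":
        stage = "monitoring"
    else:
        stage = "partial"
    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct,
            "stage": stage, "problems": problems}


if __name__ == "__main__":
    # Constructed records: the post's example, a monitoring-only record,
    # and a record that looks enforced but only covers a quarter of mail.
    for rec in ("v=DMARC1; p=reject;",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"):
        print(rec, "->", assess(rec))
```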

How Microsoft Office 365 and Valimail Authenticate work together

Microsoft launched Office 365 to drive an industry-wide shift toward cloud-based services and API-driven integrations. As cloud became the norm for even the most security-conscious enterprises, companies authorized more and more vendors to send email on their behalf—such as Salesforce, Marketo, Splunk, Workday, DocuSign, Twilio SendGrid, and more.

Valimail built Authenticate to address this new, cloud-connected landscape. By automating the identification of email senders and the subsequent policy-setting needed to keep domains protected, Valimail Authenticate offers users a modern, efficient path to DMARC enforcement. Native integration to Microsoft Office 365 ensures Microsoft customers don’t have to worry about configurations, manually identifying senders, or pulling in extra resources to get DMARC done right.

Here’s how Microsoft Office 365 customers can get started with Authenticate and reach DMARC enforcement in just a few minutes:

Image demonstrating process to start utilizing Valimail Authenticate.

Figure 1. Microsoft users can get started with one click. Authenticate configures DNS settings for DKIM and SPF automatically behind the scenes.

You’ll then run through a few steps that help Authenticate enforce your DMARC policy. First, Authenticate will automatically match all your known email senders with its existing catalog—you won’t see IP addresses, you’ll see the names of services you know.

Image demonstrating visibility of services sending email under your domain.

Figure 2. Get free visibility into the services sending email under your domain.

For unrecognizable or possibly fraudulent services, quickly mark them to be blocked or quarantined. You’ll be notified if any new ones are found later, so you’ll never wonder if you’ve caught everything.

Image demonstrating intuitive workflow of Valimail Authenticate’s tasks.

Figure 3. Guided task lists make Authenticate easy for anyone to use; work through each task to authenticate domain services in a simple, intuitive workflow.

Authenticate will ensure your SPF and DKIM records stay up to date. If you ever need to check the logs or do a technical deep-dive, you can access detailed information on your DMARC settings whenever you wish.

Image demonstrating Valimail Authenticate’s ability to display activity in every domain and service at every stage of the process.

Figure 4. Authenticate shows you what’s happening for every domain and service at every stage of the process.

Together, Microsoft’s unparalleled protection through Microsoft 365, coupled with Valimail Authenticate, makes protecting your domain globally as easy as 1, 2, 3. It starts with Microsoft 365 users getting free visibility into DMARC enforcement, plus a free trial of all the features of Valimail Authenticate. Get started today.

About Valimail

Valimail is the global leader in Zero Trust email security. The company’s full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance; they are used by organizations ranging from neighborhood shops to some of the world’s largest organizations, including Uber, Splunk, Yelp, Fannie Mae, Mercedes Benz USA, and the US Federal Aviation Administration. Valimail is the fastest-growing DMARC solution with the largest global market share and is the premier DMARC partner for Microsoft 365 environments. For more information visit their website.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Internet Crime Report, Internet Crime Complaint Center (IC3), Federal Bureau of Investigation, 2020.

[2] Forrester names Microsoft a Leader in the 2021 Enterprise Email Security Wave, Rob Lefferts, Microsoft 365 Security, 6 May 2021.

[3] Valimail Joins Microsoft Intelligent Security Association, Cision, PR Newswire, 25 September 2018.

[4] Smarter with Gartner, Gartner Top 10 Security Projects for 2020-2021, Kasey Panetta, September 15, 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.


Microsoft a Leader in 2021 Gartner® Magic Quadrant™ for Unified Endpoint Management Tools

August 31st, 2021

In today’s changing business world, where flexibility is more crucial than ever, we’re honored that Gartner has again recognized Microsoft as a Leader in the Magic Quadrant for Unified Endpoint Management (UEM) Tools [1]. Over the last 18 months, millions of employees worldwide have had to shift their work from the office to the home, and millions more continue to deal with dramatically reconfigured workplaces. Whether it’s hybrid or remote work, the one common aspect is the endpoint-as-conduit through which people remain connected and participate in today’s workplace. Throughout this massive shift, it’s become clear that digital endpoints—PCs, phones, operating systems, and essential apps—are the new workplace. It’s the need for this ubiquitous connectivity that underpins the significance of endpoint management and security as vital for organizational success.

Adapt and thrive

This year, we focused on meeting our customers’ needs to adapt to today’s evolving business landscape. They responded with increasing reliance on Microsoft Endpoint Manager to enable their employees’ remote and hybrid work. Our cloud-connected Microsoft 365 apps, devices, and Windows innovation—with integrated security and protection—help build resiliency for today’s shifting world of work.

By using Endpoint Manager to apply the principles of a Zero Trust security model to apps and endpoints, Microsoft customers can transform their security posture across their entire endpoint estate. This ability is foundational to enabling employee productivity in hybrid work environments. From remote to frontline workers and from large enterprises to small, Microsoft is recognized for its ability to execute and completeness of vision for Endpoint Manager.

Four by four Magic Quadrant for Unified Endpoint Management measuring completeness of vision and ability to execute which shows service providers named in the Gartner report across all four quadrants with Microsoft as a Leader.


Windows endpoint management in the cloud

Our focus on helping businesses adapt continues as organizations move to cloud management, starting with their Windows endpoints. In the past fiscal year, we’ve seen more than 250 percent growth in customers managing their Windows endpoints exclusively in the cloud. We anticipate that the recently announced Windows 365 will further accelerate this growth, with our UEM solution essential to implementing an end-to-end process for deploying, configuring, and scaling the new Windows 365 experience.

When Windows 11 becomes generally available later in 2021, cloud management will be key to reducing complexity as IT teams determine how their workforce will update to this new operating system built for hybrid work. Building on Windows innovation and our investments in AI with endpoint analytics, we’ll continue to help customers deliver seamless endpoint and management experiences for their employees—all while protecting data and ensuring endpoint compliance.

Automation improves security

Connecting our cloud capabilities has also helped increase cooperation between security operations (SecOps) and IT teams through automation and modern management. We’ve evolved Endpoint Manager into a hub for Microsoft 365 management and security, building automation based on the billions of signals we get from the Microsoft intelligent security cloud. Actions required to remediate vulnerabilities are automatically communicated between cloud services and implemented immediately. We’ve built Endpoint Manager to provide role-based visibility back to the security teams, relaying information about actions taken and policies implemented. These advances help drive the modern workplace by empowering organizations to adapt and scale as their business evolves.

Increasing endpoints and protection

The demands of the modern workplace require securing a diverse set of endpoints, including productivity apps and non-traditional devices. With Microsoft Teams at the core of the hybrid work environment, we continue to grow the scope of devices under management across the ecosystem. In the last nine months alone, we’ve seen the number of endpoints under management more than double. Our service continues working across platforms for customers worldwide, including those from highly regulated industries, with deep integration into Microsoft apps and endpoints enabling increased security and flexibility. Customers appreciate having the choice to support both managed and unmanaged experiences with a consistent security promise—applying app-protection policies and configurations to protect sensitive information without device enrollment. Learn how Siemens transitioned to Microsoft Endpoint Manager to manage all of the company’s mobile endpoints in less than 12 months—advancing its Zero Trust journey and improving employee experiences.

Learn more

The endpoint is the new workplace, and we’re committed to helping organizations build business resiliency with Microsoft Endpoint Manager. We’re grateful to again be recognized by Gartner as a Leader in Unified Endpoint Management, and we’re humbled every day as we continue learning from our customers. You’re invited to read the full Gartner Magic Quadrant report or view a snapshot of the UEM Magic Quadrant above. Keep up with ongoing developments on UEM and hybrid work by following the Microsoft Endpoint Manager Blog.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Gartner, Magic Quadrant for Unified Endpoint Management Tools, Dan Wilson, Chris Silva, Tom Cipolla, 16 August 2021.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER and MAGIC QUADRANT are registered trademarks of Gartner, Inc and/or its affiliates and are used herein with permission. All rights reserved. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.


How to prepare for CMMC compliance as a defense industrial base supplier using the Microsoft cloud

August 30th, 2021

In 2020, the US Department of Defense (DoD) began the phased rollout of a new framework for protecting their supply chain, known as the defense industrial base (DIB). This new Cybersecurity Maturity Model Certification (CMMC) system [1] requires regular audits that will bolster the security of the DIB, which comprises approximately 350,000 commercial companies producing everything from Abrams tanks, satellites, and Reaper drones down to laptop computers, uniforms, food rations, medical supplies, and much more.

It’s no secret why the DoD would want to tighten security on its supply chain. According to DoD officials, organizations in the DIB are under constant attack both from nation-states and rogue actors seeking sensitive information (like weapon systems designs). Any breach of a DIB contractor not only poses a risk to national security but also results in a significant loss to US taxpayers. According to a 2021 report by CyberSecurity Ventures [2], it’s estimated that cybercrime will cost businesses worldwide $10.5 trillion annually by 2025. Coincidentally, 2025 is the year every business in the DIB will be required to show compliance with CMMC if they want to continue doing business with the Pentagon. Learn more about Microsoft’s CMMC Acceleration Program and leverage these resources to get started on your compliance journey.

How does CMMC work?

While the CMMC Interim Rule allows companies to attest to their compliance with NIST 800-171, the ability to self-attest will eventually be retired. Starting in 2021, a phased-in approach will require DoD contractors to obtain certification from an independent Certified Third-Party Assessor Organization (C3PAO). Certification provides the DoD with the assurance that a contractor (prime or sub) can be trusted to store Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The CMMC model is created and managed by the DoD and confers a cybersecurity “maturity”—the efficacy of process and automation of practices—ranging from “basic” to “advanced.”

Far from being a one-and-done checkbox, CMMC compliance is ongoing and must be re-assessed every three years.

The five levels of CMMC.

Figure 1: The five levels of CMMC.

  • Level 1 certification primarily involves people and processes and is required for any company that deals with FCI not intended for public release. Most DIB suppliers will land in this category. Level 1 aligns best with commercial clouds.
  • Level 3 is required for any company that handles CUI or is bound by International Traffic in Arms Regulations (ITAR)—roughly 50,000 DIB contractors. However, market pressure may see some companies certify to Level 3 just for a competitive edge. Level 3 aligns best with government clouds.
  • Level 5 is required for only a small segment of DIB contractors that are most likely to be targeted by advanced persistent threats (APT) and nation-state activity. Level 5 aligns best with government clouds.

Levels 2 and 4 are considered transitional; it’s not expected that contracts will require them.

In September 2021, the DoD will be overseeing 75 pilot contracts adhering to CMMC. By the same time in 2023, that number will reach 250, then up to 479 pilot contracts in 2024. By October 2025, every business in the DIB must be compliant with CMMC.

Microsoft knows compliance

Microsoft has been doing business with the DoD for four decades. Of the 350,000 companies in the DIB, 80 percent are small-to-medium-sized businesses (SMB). So, whether you’re a prime contractor working directly with the DoD, or a smaller subcontractor, Microsoft Office 365 Government plans can provide your business with all the features of Office 365 you expect—but in a segmented government community cloud (GCC). Plus, Microsoft lightens the burden of compliance by encrypting your data and enforcing strict access controls for employees, vendors, and subcontractors.

Microsoft Office 365 Government – GCC High is a sovereign cloud platform located in the Contiguous US (CONUS) that complies with US government requirements for cloud services. Office 365 Government – GCC High is designed specifically for use by the DoD and DIB, requiring that organizations be validated before they can deploy to this cloud. Along with all the expected features and capabilities of Office 365, deploying to GCC High ensures:

  • Your content is logically segregated from customer content in commercial Office 365 services.
  • Your organization’s content is stored within the US.
  • Access to DIB content is restricted to screened Microsoft personnel who have passed rigorous background checks.
  • Your cloud deployment complies with certifications and accreditations that are required for US public sector customers.

Microsoft Azure Government is a sovereign CONUS cloud platform that also offers hybrid flexibility—customers can maintain some data and functionality on-premises while enabling the broadest level of certifications of any cloud provider. Only US federal, state, local, and tribal governments and their partners have access to this dedicated instance, with operations controlled only by screened US citizens.

Comparison chart of Microsoft Commercial, M365 GCC, and M365 GCC High.

Figure 2: Microsoft 365 Government + Azure Government compliance.

Though different cloud platforms may have a level of cybersecurity maturity in alignment with CMMC, Microsoft recommends the US Sovereign Cloud with Azure Government and Microsoft 365 Government – GCC High in alignment with CMMC Levels 3 through 5. Microsoft Consulting Services can help you decide on the right platform to enable CMMC compliance for your organization.

Microsoft CMMC Acceleration Program

To help speed your journey to CMMC compliance, our CMMC Acceleration Program provides resources for partners and DIB companies alike. Our goal is to provide a baseline framework that can help close the gap for compliance of infrastructure, applications, and services hosted in Microsoft Azure, Microsoft 365, and Microsoft Dynamics 365. We work with partners and customers to help them mitigate risks and assist tenants with their shared customer responsibility, as well as provide solutions for assessment and certification.

Recent updates to Microsoft CMMC Acceleration Program include:

  • Microsoft Product Placemat for CMMC: an interactive view representing how Microsoft cloud products and services satisfy requirements for CMMC practices.
  • Azure Sentinel CMMC Workbook: provides a mechanism for viewing Microsoft Azure Sentinel log queries from across your Azure environment—Office 365, Teams, Intune, Windows Virtual Desktop, and more—helping you gain better visibility into your cloud architecture while reinforcing CMMC principles across all five maturity levels.
  • Compliance Manager available in commercial and government cloud environments: helps organizations manage CMMC compliance requirements with greater ease and convenience, from taking inventory of data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.
  • Azure Policy and blueprint sample for CMMC Level 3: Azure Policy and Azure Blueprints allow organizations to easily establish compliant environments via a centrally managed policy initiative. This helps avoid misconfigurations while practicing consistent resource governance.
  • Quickly deploy DoD STIG-compliant images and visualize compliance using Azure: Security Technical Implementation Guides (STIGs) are secure configuration standards for installation and maintenance of DoD Information Assurance (IA)-enabled devices and systems. The Azure team has created sample solutions using first-party Azure tooling to deliver STIG automation and compliance reporting. Use these quickstart resources.
  • Azure Blueprint for Azure Security Benchmark Foundation: enables developers and security administrators to create hardened environments for their application workloads, helping to implement Zero Trust controls across identities, devices, applications, data, infrastructure, and networks.

No provider can guarantee a positive adjudication, but Microsoft’s CMMC Acceleration Program can help improve your CMMC posture going into a formal review in accordance with CMMC Accreditation Body (AB) standards.

Zero Trust is key to CMMC

Microsoft is experienced in facilitating Zero Trust architectures in federal frameworks, a concept that’s critical to preventing attackers from elevating access within your environment. Zero Trust is built around three basic principles: verify, based on all available data points; use least-privileged access with just-in-time and just-enough-access (JIT/JEA); and assume breach to minimize blast radius and prevent lateral movement. Microsoft employs several references for implementing Zero Trust in federal information systems, including the National Institute of Standards and Technology (NIST) SP 800-207, Trusted Internet Connections (TIC) 3.0, and Continuous Diagnostics and Mitigation (CDM). We view these principles as technology-agnostic and apply them across endpoints, on-premises systems, cloud platforms, and operational technology (OT).

The Azure Sentinel: Zero Trust (TIC 3.0) Workbook provides an overlay of Microsoft security offerings onto Zero Trust models, enabling security analysts and managed security service providers (MSSPs) to gain awareness of their cloud security posture. This workbook features more than 76 control cards aligned to TIC 3.0 security capabilities and can augment security operations center (SOC) efforts through automation, AI, machine learning, query/alerting, visualizations, tailored recommendations, and documentation references. Each panel aligns to a specific control, providing an actionable path to help cover gaps and improve alerting, even incorporating third-party security solutions.

If your organization is interested in pursuing contracts with the DoD or its suppliers, it’s in your interest to be proactive about cybersecurity maturity. To learn more about how Microsoft can help your organization improve your compliance standing, visit our new CMMC homepage.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Cybersecurity Maturity Model Certification, CMMC Accreditation Body.

[2] 2021 Report: Cyberwarfare in the C-Suite, Cybersecurity Ventures, 21 January 2021.


Update on the vulnerability in the Azure Cosmos DB Jupyter Notebook Feature

August 27th, 2021

On August 12, 2021, a security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. We mitigated the vulnerability immediately. Our investigation indicates that no customer data was accessed because of this …


Widespread credential phishing campaign abuses open redirector links

August 26th, 2021

Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections—including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems—before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.

The use of open redirects in email communications is common among organizations for various reasons. For example, sales and marketing campaigns use this feature to lead customers to a desired landing web page and track click rates and other metrics. However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.

For instance, users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it. Likewise, traditional email gateway solutions may inadvertently allow emails from this campaign to pass through because their settings have been trained to recognize the primary URL without necessarily checking the malicious parameters hiding in plain sight.
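The "trusted domain in front, malicious URL in a parameter" pattern described above is mechanical enough to check for when triaging links. The following is an added example, not Microsoft Defender code, that parses a link, unwraps percent-encoded and nested redirect parameters, and flags any embedded destination whose registrable domain differs from the visible one; the parameter-name list is an assumption and the sample URLs are constructed from reserved example domains.

```python
"""Flag links whose query string smuggles a second, external URL."""
from urllib.parse import urlparse, parse_qsl, unquote

# Parameter names commonly used by redirector endpoints (assumption; the
# check below does not depend on it, it only annotates the finding).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "redir", "next",
                   "return", "returnurl", "goto", "dest", "destination",
                   "target", "u", "link", "r"}


def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _embedded_urls(value: str, depth: int = 3):
    """Yield absolute http(s) URLs hidden in a parameter value.

    Percent-decodes repeatedly (double encoding) and recurses into the
    query string of any URL found, since the inner URL may itself be a
    redirector chaining to the real landing page. Scheme-less values
    such as 'evil.example/login' are deliberately not treated as URLs.
    """
    for _ in range(depth):
        candidate = value.strip()
        parsed = urlparse(candidate)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            yield candidate
            for _key, inner in parse_qsl(parsed.query, keep_blank_values=True):
                yield from _embedded_urls(inner, depth - 1)
            return
        decoded = unquote(candidate)
        if decoded == candidate:       # nothing left to decode
            return
        value = decoded


def analyze_link(url: str) -> dict:
    """Return the visible domain, any external destinations, and a verdict."""
    outer = urlparse(url)
    visible = outer.netloc.lower()
    externals = []
    for key, value in parse_qsl(outer.query, keep_blank_values=True):
        for inner in _embedded_urls(value):
            host = urlparse(inner).netloc.lower()
            if host and _registrable(host) != _registrable(visible):
                externals.append({
                    "param": key,
                    "url": inner,
                    "known_redirect_param": key.lower() in REDIRECT_PARAMS,
                })
    return {"visible_domain": visible,
            "external_destinations": externals,
            "suspicious": bool(externals)}


if __name__ == "__main__":
    # Constructed samples: a redirector on a trusted domain pointing off-site,
    # a same-site tracking link, and a two-hop chain through a second redirector.
    for link in (
        "https://trusted.example/track?id=42&url=https%3A%2F%2Fevil.example%2Flogin",
        "https://trusted.example/track?url=https://www.trusted.example/landing",
        "https://trusted.example/r?u=https://mid.example/go?next=https%3A%2F%2Fevil.example%2F",
    ):
        print(analyze_link(link))
```

A hover check sees only the visible domain; this function reports what the hover check misses, which is the point of the campaign's evasion.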

Diagram showing attack chain of phishing campaigns that use open redirect links

Figure 1. Attack chain for the open redirect phishing campaign

This phishing campaign is also notable for its use of a wide variety of domains for its sender infrastructure—another attempt to evade detection. These include free email domains from numerous country code top-level domains (ccTLDs), compromised legitimate domains, and attacker-owned domain generated algorithm (DGA) domains. As of this writing, we have observed at least 350 unique phishing domains used for this campaign. This not only shows the scale with which this attack is being conducted, but it also demonstrates how much the attackers are investing in it, indicating potentially significant payoffs.

Today’s email threats rely on three things to be effective: a convincing social engineering lure, a well-crafted detection evasion technique, and a durable infrastructure to carry out an attack. This phishing campaign exemplifies the perfect storm of these elements in its attempt to steal credentials and ultimately infiltrate a network. Given that 91% of all cyberattacks originate with email, organizations must have a security solution that provides multilayered defense against these types of attacks.

Microsoft Defender for Office 365 detects these emails and prevents them from being delivered to user inboxes using multiple layers of dynamic protection technologies, including a built-in sandbox that examines and detonates all the open redirector links in the messages, even in cases where the landing page requires CAPTCHA verification. This ensures that even the embedded malicious URLs are detected and blocked. Microsoft Defender for Office 365 is backed by Microsoft experts who enrich the threat intelligence that feeds into our solutions through expert monitoring of email campaigns.

Attack analysis: Credential phishing via open redirector links

Credential phishing emails represent an extremely prevalent way for threat actors to gain a foothold in a network. The use of open redirects from legitimate domains is far from new, and actors continue to abuse its ability to overcome common precautions.

Phishing continues to grow as a dominant attack vector with the goal of harvesting user credentials. From our 2020 Digital Defense Report, we blocked over 13 billion malicious and suspicious mails in the previous year, with more than 1 billion of those emails classified as URL-based phishing threats.

In this campaign, we noticed that the emails seemed to follow a general pattern that displayed all the email content in a box with a large button that led to credential harvesting pages when clicked. The subject lines for the emails varied depending on the tool they impersonated. In general, we saw that the subject lines contained the recipient’s domain and a timestamp as shown in the examples below:

  • [Recipient username] 1 New Notification
  • Report Status for [Recipient Domain Name] at [Date and Time]
  • Zoom Meeting for [Recipient Domain Name] at [Date and Time]
  • Status for [Recipient Domain Name] at [Date and Time]
  • Password Notification for [Recipient Domain Name] at [Date and Time]
  • [Recipient username] eNotification


Figure 2. Sample phishing email masquerading as an Office 365 notification

Once recipients hover their cursor over the link or button in the email, they are shown the full URL. However, since the actors set up open redirect links using a legitimate service, users see a legitimate domain name that is likely associated with a company they know and trust. We believe that attackers abuse this open and reputable platform to attempt evading detection while redirecting potential victims to phishing sites.


Figure 3. Hover tip showing an open redirect link with a legitimate domain and phishing link in the URL parameters

The final domains used in the campaigns observed during this period mostly follow a specific domain-generation algorithm (DGA) pattern and use .xyz and .club TLDs. The “Re-view invitation” button in Figure 3 points to a URL with a trusted domain followed by parameters, with the actor-controlled domain (c-hi[.]xyz) hidden in plain sight.

Figure 4. The actor-controlled domain uses a DGA pattern and a .XYZ top-level domain

In August, we detected a fresh spam run from this campaign that used a slightly updated Microsoft-spoofing lure and redirect URL but leveraged the same infrastructure and redirection chain.

Figure 5. Sample phishing email from a recent spam run from this phishing campaign

These crafted URLs are made possible by open redirection services currently in use by legitimate organizations. Such redirection services typically allow organizations to send out campaign emails with links that redirect to secondary domains from their own domains. For example, a hotel might use open redirects to take email recipients to a third-party booking website, while still using their primary domain in links embedded in their campaign emails.

Attackers abuse this functionality by redirecting to their own malicious infrastructure, while still maintaining the legitimate domain in the full URL. The organizations whose open redirects are being abused are possibly unaware that this is even occurring.

Redirecting to phishing pages

Users who click one of the crafted redirect links are sent to a page in attacker-owned infrastructure. These pages use Google reCAPTCHA services, possibly to evade attempts at dynamically scanning and checking the contents of the page, which prevents some analysis systems from advancing to the actual phishing page.


Figure 6. reCAPTCHA service used by phishing page

Upon completion of the CAPTCHA verification, the user is shown a site that impersonates a legitimate service, such as Microsoft Office 365, which asks the user for their password. The site is prepopulated with the recipient’s email address to add legitimacy to the request. This technique leverages familiar single sign-on (SSO) behavior to trick users into keying in corporate credentials or other credentials associated with the email address.

To do this, attackers send unique URLs to each recipient with PHP parameters that cause tailored information to render in the phishing page. In some instances, phishing pages are specially crafted to include company logos and other branding tied to the recipient’s domain.


Figure 7. Fake sign-in page prefilled with the recipient email address alongside a fake error message prompting users to re-enter their passwords

If the user enters their password, the page refreshes and displays an error message stating that the page timed out or the password was incorrect and that they must enter their password again. This is likely done to get the user to enter their password twice, allowing attackers to ensure they obtain the correct password.

Once the user enters their password a second time, the page directs to a legitimate Sophos website that claims the email message has been released. This adds another layer of false legitimacy to the phishing campaign.


Figure 8. Legitimate Sophos page displayed after users re-enter their passwords

Tracking attacker-controlled domains

Some of the domains used in this campaign include the following:

  • c-tl[.]xyz
  • a-cl[.]xyz
  • j-on[.]xyz
  • p-at[.]club
  • i-at[.]club
  • f-io[.]online

For the observed campaigns, the sender infrastructure was fairly unique and notable as the actors used a wide variety of sender domains, with most of the domains having at least one of the following characteristics:

  • Free email domains
  • Compromised legitimate domains
  • Domains ending in
  • Attacker-owned DGA domains

Many of the final domains hosting the phishing pages follow a specific DGA pattern:

  • [letter]-[letter][letter].xyz
  • [letter]-[letter][letter].club

The free email domains span a wide variety of ccTLDs, such as:

  • de
  • ca

The attacker-owned DGA domains follow a few distinct patterns, including:

  • [word or string of characters]-[word][number], incrementing by one, for example: masihtidur-shoes08[.]com
  • [number][word or string of characters]-[number], incrementing by one, for example: 23moesian-17[.]com
  • [word][word][number], incrementing by one, for example: notoficationdeliveryamazon10[.]com
  • [word or letters][number]-[number], incrementing by one, for example: dak12shub-3[.]com

While these are the most prevalent patterns observed by Microsoft security researchers, over 350 unique domains have been observed during these campaigns.

How Microsoft Defender for Office 365 protects against modern email threats

The abuse of open redirectors represents an ongoing threat that Microsoft experts constantly monitor, along with other threat trends and attacker techniques used in attacks today. Microsoft’s breadth of visibility into threats combined with our deep understanding of how attackers operate will continue to inform the advanced protection delivered by Microsoft Defender for Office 365  against email-based attacks.

For mitigations against the abuse of open redirector links via known third-party platforms or services, users are advised to follow the recommended best practices of their service providers, such as updating to the latest software version, if applicable, to prevent their domains from being abused in future phishing attempts.

Microsoft Defender for Office 365 protects customers from this threat by leveraging its deep visibility into email threats and advanced detection technologies powered by AI and machine learning. We strongly recommend that organizations configure recommended settings in Microsoft Defender for Office 365, such as applying anti-phishing, Safe Links, and Safe Attachments policies. We also recommend installing the Report Message add-in for Outlook to enable users to report suspicious messages to their security teams and optionally to Microsoft.

Attack simulation lets organizations run realistic, yet safe, simulated phishing and password attack campaigns against their own users. These simulated attacks can help identify vulnerable users before a real attack makes a real impact.

Investigation capabilities in Microsoft 365 Defender allow organizations to respond to phishing and other email-based attacks. Microsoft 365 Defender correlates signals from emails and other domains to deliver coordinated defense. Microsoft Defender for Endpoint blocks malicious files and other malware as well as malicious behavior that results from initial access via email. Microsoft Defender SmartScreen integrates with Microsoft Edge to block malicious websites, including phishing sites, scam sites, and other malicious sites, while Network protection blocks connections to malicious domains and IP addresses.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.


 Microsoft 365 Defender Threat Intelligence Team


Advanced hunting queries

To locate possible credential phishing activity, run the following advanced hunting queries in Microsoft 365 Defender.

Open redirect URLs in t-dot format

Find URLs in emails with a leading “t”, indicating possible open redirect URLs. Note: the use of a redirector URL does not necessitate malicious behavior. You must verify whether the emails surfaced via this AHQ are legitimate or malicious.

EmailUrlInfo
| where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"

Open redirect URLs pointing to attacker infrastructure

Find URLs in emails possibly crafted to redirect to attacker-controlled URLs.

EmailUrlInfo
//This regex narrows in on emails that contain the known malicious domain pattern in the URL from the most recent campaigns.
//The pattern is left unanchored because the actor-controlled domain usually sits inside the redirect parameter of the URL, not at its start.
| where Url matches regex @"[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop|online)"
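A small offline triage script, added here as an example and not part of Microsoft's post or its hunting queries, that applies the same logic to URLs pulled from mail: it unwraps the destination carried in a redirector's query parameters, checks the t-dot shape and the [letter]-[letter][letter].xyz/.club final-host pattern from the sections above, and classifies sender domains against the four sender DGA patterns. The redirector hostnames, allowlist and sample URLs are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allowlist of first-party redirector hosts (placeholders, not real services).
TRUSTED_REDIRECTOR_HOSTS = {"t.example-esp.com", "links.example-crm.com"}

# Same "t-dot" shape the first hunting query looks for: t.<domain>/.../r? or .../redirect?
T_DOT_RE = re.compile(r"s?://(?:www\.)?t\.(?:[\w\-.]+/+)+(?:r|redirect)/?\?")

# Final phishing hosts from the campaign: [letter]-[letter][letter].xyz|club (shop/online as in the query)
DGA_FINAL_HOST_RE = re.compile(r"^[a-z]-[a-z]{2}\.(?:xyz|club|shop|online)$", re.IGNORECASE)

# The four sender-domain DGA patterns the post lists, with the post's own examples as comments
DGA_SENDER_RES = [
    re.compile(r"^[a-z0-9]+-[a-z]+\d+\.com$"),   # [word or string]-[word][number]    masihtidur-shoes08
    re.compile(r"^\d+[a-z]+-\d+\.com$"),         # [number][word or string]-[number]  23moesian-17
    re.compile(r"^[a-z]+\d+\.com$"),             # [word][word][number]               notoficationdeliveryamazon10
    re.compile(r"^[a-z]+\d+[a-z]+-\d+\.com$"),   # [word or letters][number]-[number] dak12shub-3
]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def embedded_urls(url: str) -> list:
    """URLs carried inside the query-string parameters of a redirector link."""
    found = []
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for value in values:
            # parse_qs decodes one layer; peel a few more in case the link was double-encoded
            for _ in range(3):
                decoded = unquote(value)
                if decoded == value:
                    break
                value = decoded
            if re.match(r"^https?://", value, re.IGNORECASE):
                found.append(value)
    return found


def triage_url(url: str) -> dict:
    """Classify one URL: 'high' (redirect lands on a campaign DGA host),
    'review' (a redirect to somewhere else; verify the destination), or 'clean'."""
    inner = embedded_urls(url)
    final_hosts = [host_of(u) for u in inner]
    dga_final = any(DGA_FINAL_HOST_RE.match(h) for h in final_hosts)
    t_dot = bool(T_DOT_RE.search(url))
    if dga_final:
        level = "high"
    elif inner or t_dot:
        level = "review"  # redirector use alone is not malicious; the destination decides
    else:
        level = "clean"
    return {
        "url": url,
        "redirector_host": host_of(url),
        "trusted_redirector": host_of(url) in TRUSTED_REDIRECTOR_HOSTS,
        "t_dot_format": t_dot,
        "embedded": inner,
        "final_hosts": final_hosts,
        "level": level,
    }


def sender_domain_is_dga(domain: str) -> bool:
    """True when the sender domain fits one of the four listed DGA shapes."""
    d = domain.lower().strip(".")
    return any(p.match(d) for p in DGA_SENDER_RES)


# Constructed sample links shaped like the campaign's (no real redirector or victim)
SAMPLE_URLS = [
    "https://t.example-esp.com/r/?id=8813&url=https%3A%2F%2Fc-hi.xyz%2Flogin%3Fe%3Duser%40contoso.example",
    "https://t.example-esp.com/r/?url=https%3A%2F%2Fbooking.example.org%2Fstay",
    "https://www.example.com/docs/getting-started",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        v = triage_url(u)
        print(f"{v['level']:6} {v['redirector_host']:22} -> {v['final_hosts']}")
    for d in ["masihtidur-shoes08.com", "23moesian-17.com", "contoso.com"]:
        print(d, "DGA" if sender_domain_is_dga(d) else "not DGA")
```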

Indicators of compromise

Following is a list of domains that match the DGA pattern used in sender addresses in this and other malicious campaigns. Note that these have not all been observed in mail flow related to this campaign.


The post Widespread credential phishing campaign abuses open redirector links appeared first on Microsoft Security Blog.

Cybersecurity’s next fight: How to protect employees from online harassment

August 25th, 2021

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Leigh Honeywell, CEO and Co-founder of Tall Poppy, which builds tools and services to help companies protect their employees from online harassment and abuse. In this blog, Leigh talks about company strategies for fighting online harassment.

Natalia: What are some examples of online harassment experienced in the workplace?

Leigh: Online harassment breaks down into two types. The first is harassment related to your job. One example of this would be that an ex-employee has a conflict with the company and is harassing former colleagues. In other cases, it has to do with a policy decision or a moderation decision that the company made, resulting in people within the organization experiencing harassment.

The other type of harassment has nothing to do with somebody’s day job. For instance, an employee had a bad breakup and their ex is bothering them at work. It’s not strictly related to the employee’s day-to-day work, but it’s going to impact their ability to be present at work and participate in work life. Many folks who are dealing with harassment—whether related to work or not—experience lost productivity, attrition, and burnout.

Discover how communication compliance in Microsoft 365 can help you detect harassing or threatening language and take action to protect your employees.

Natalia: How widespread of a problem is online harassment?

Leigh: Online harassment is a significant phenomenon. In 2020, 41 percent of Americans experienced it and 28 percent experienced the more severe kinds, like threats of violence, stalking, sexual harassment, and persistent harassment, according to the Pew Online Harassment Update [1]. That’s a huge number of people experiencing these issues. It has made us prioritize motivating people to improve their security hygiene around personal accounts.

Your employees’ personal accounts are part of the attack surface of the company. Social engineering attacks are when cybercriminals use psychological manipulation on their targets. If someone is being extorted based on their personal life, it has the potential to impact the company. In a classic CEO scam, somebody breaks into an executive’s personal email account, emails a person in accounting posing as the executive, and asks them to send a wire transfer to a bank account controlled by the scammer.

Natalia: What are recent trends in online harassment?

Leigh: According to the most recent Pew study, online harassment went up. Project Include just published a study [2] on the internal company harassment landscape during COVID-19, and there has been a sharp uptick in workplace harassment.

Even though the numbers are stable in terms of how many people are experiencing online harassment, before COVID-19, if you were dealing with harassment from outside the company in the course of your work, you still got to go home and have that mental separation. When people work remotely, it’s a different experience, and it feels a lot more personal and vulnerable for those dealing with this kind of harassment.

Natalia: What should organizations understand about online harassment?

Leigh: It’s clear under US and Canadian law that organizations have a duty to ensure that employees don’t harass each other within the organization. When harassment in the workplace comes from outside the company, such as internet harassment, there isn’t a ton of clarity. I think it’s important to make sure that employees have clear policies and internal recourse.

In a typical harassment scenario, an employee says something controversial on Twitter, and people try to get them fired from their company. Sometimes, the things that people say that get them fired are racist or homophobic or biased in some way. When people talk about cancel culture, they are typically talking about consequences. You say something, and you get held to that word.

However, it’s hard to arbitrate. Is the controversial statement fireable, or is it controversial because they are members of an underrepresented group and are being targeted for standing up for themselves? That’s one of the lenses I use to unpack these situations.

Natalia: How can online harassment lead to hacking?

Leigh: After abuse on social channels and unwanted emails, online harassment sometimes gets more aggressive. You see password reset attempts that you have not requested. The next level is credential stuffing, where an attacker obtains a person’s email and password combo from old breaches and tries the credentials on different accounts. Another potential escalation is SIM swapping, which involves the attacker impersonating the victim to a phone company and porting their phone number away to a fresh SIM card. This attack usually targets folks who are high profile and is less common in stalking situations.

Natalia: What does the incident response process look like when an employee is under attack?

Leigh: When dealing with an urgent incident in a workplace, such as somebody hacking into a printer at a branch office, there are known playbooks for responding to different attacks. Likewise, we have different playbooks based on the type of harassment situation an employee is dealing with, for example, harassment by an ex-employee or an employee being targeted due to a company policy decision.

We also pay a lot of attention to the adversaries. We’ll typically make sure the person has safe devices and ensure the adversary does not have access to their personal accounts. We’ll walk them through changing relevant passwords and checking authorized applications. From there, it’s about making sure that the person is OK, and that includes making sure they know about internal resources like an employee assistance program for counseling services.

Natalia: What are the best practices a company can institute to mitigate online harassment or assist those impacted by it?

Leigh: First, have clear internal policies and escalation points around acceptable social media use. There are some industries where it’s understandable that you don’t want employees having a social media presence, but those are rare these days. In general, it’s not realistic to tell employees not to exist online in public, so what’s important is to make boundaries, expectations, and guardrails clear via a written social media policy. Employees want to have long-lived careers and build their personal brands—trying to shut that down wholesale will end up with unfair enforcement and isn’t realistic.

The second best practice is to make sure people have tools and resources available to secure their personal lives, whether it’s a hardware security key such as a Yubikey or a quality password manager. All those day-to-day tools are as important in the workplace as they are in people’s personal lives. Online harassment training teaches employees how to keep attackers out of their personal accounts such as email, bank accounts, and social media. It can be overwhelming trying to understand all the information available about staying safe online. And there’s an argument to be made that you shouldn’t have to become an expert on personal cybersecurity to be able to live your life with an internet presence in the modern world.

The third one would be to ensure there are available resources within the organization that are clear and accessible, so it’s understood where the escalation paths are—whether it’s providing training to management and having management communicate to frontline staff or using internal communications tools to inform employees of resources.

Helping employees improve their personal cybersecurity can help them feel confident that their personal digital infrastructure is secure and helps ensure that online harassment isn’t going to escalate to an incident like an account takeover.

Learn more

Learn how communication compliance in Microsoft 365 can help you detect harassing or threatening language and take action to foster a culture of safety.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] The State of Online Harassment, Emily A. Vogels, Pew Research Center, 13 January 2021.

[2] Remote work since COVID-19 is exacerbating harm: What companies need to know and do, Yang Hong, McKensie Mack, Ellen Pao, Caroline Sinders, Project Include, March 2021.


How Vodafone Global Security Director creates an inclusive and secure workplace

August 23rd, 2021

Moving to more flexible remote work policies has caused telecommunications giant Vodafone to rethink cybersecurity and the potential friction to users. Instead of relying on physical security controls in the office, the company has embraced a Zero Trust strategy that requires authenticating everyone before granting access. I hosted Emma Smith on a recent episode of Security Unlocked: CISO Series with Bret Arsenault to talk about Vodafone’s cybersecurity approach and the importance of workplace inclusion.

The importance of employee inclusion and security

When employees don’t feel included, they’re not going to do their best work, according to Emma, who is Vodafone’s Global Cybersecurity Director. She believes it’s up to managers, supervisors, and global security directors to create a workplace where everyone feels heard.

Emma recalls attending her first industry event after taking over as Chief Information Security Officer at Royal Bank of Scotland in 2011. She was one of only six women out of 120 people in the room. That experience made her personally aware of how important it is to feel included and she said workplace inclusion is a subject she holds close to her heart. Vodafone focuses on diversity and inclusion and on how to hire, retain, and progress people of different backgrounds, ethnicities, genders, and ages.

Besides looking out for employees on the issue of inclusion, companies should protect them from security threats. One consistent cybersecurity message from employees—as well as from customers and security teams—is that passwords are extremely frustrating, according to Emma. Because of people’s strong views on passwords, Vodafone has been on a mission to remove them from its environments entirely and instead use secure, simple multifactor authentication. It’s an objective that also comes from knowing there’s one group that loves passwords: cybercriminals. Switching to multifactor authentication can help remove them from the equation by eliminating a favorite way to sneak into a network.

To fight cyber threats, it’s important that threat intelligence teams collaborate with colleagues from different companies to share information on threats and prevention strategies. Fighting as one security community is far more powerful than trying to do it on our own, Emma explains.

During our conversation, Emma also shared her thoughts on the benefits of cloud and secure developer operations (DevSecOps) in cybersecurity and offered four cybersecurity strategies that security practitioners should implement immediately to secure employees, data, and devices. One of them? Don’t get so distracted by new and shiny cybersecurity techniques that you forget security basics. To hear details of this strategy and learn about the other three strategies, listen to Leading an Inclusive Workforce on The CyberWire.

Guest bio

Emma Smith is Global Cybersecurity Director at Vodafone. She began her career in auditing. She worked for two years at Royal Bank of Scotland as Head of Internal Audit, Technology, before taking roles at the bank as Head of Group Information Security, Records and Payments Security, Chief Information Security Officer, and Director of Security and Resilience.

Bret Arsenault bio

Bret Arsenault is Corporate and Chief Information Security Officer at Microsoft, where he’s responsible for enterprise-wide information security, compliance, and business continuity efforts. He has more than 25 years of cybersecurity experience. He is Chairman of Microsoft’s Information Risk Management Council and hosts Microsoft’s Security Council.

What’s next

In this podcast series, I talk with cybersecurity peers and Microsoft leaders about today’s biggest challenges in cybersecurity and practical guidance for security practitioners. To learn more, visit our website. In the meantime, bookmark the Security blog to keep up with our coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

You can listen to “Security Unlocked: CISO Series with Bret Arsenault” on:

The post How Vodafone Global Security Director creates an inclusive and secure workplace appeared first on Microsoft Security Blog.

Categories: CISO, Ciso series page, cybersecurity Tags:

How to proactively defend against Mozi IoT botnet

August 19th, 2021

Mozi is a peer-to-peer (P2P) botnet that uses a BitTorrent-like network to infect IoT devices such as network gateways and digital video recorders (DVRs). It works by exploiting weak Telnet passwords [1] and nearly a dozen unpatched IoT vulnerabilities [2], and it has been used to conduct distributed denial-of-service (DDoS) attacks, data exfiltration, and command or payload execution [3].

While the botnet itself is not new, Microsoft’s IoT security researchers recently discovered that Mozi has evolved to achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE. It does this using clever persistence techniques that are specifically adapted to each gateway’s particular architecture.

Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks. Adversaries can search the internet for vulnerable devices via scanning tools like Shodan, infect them, perform reconnaissance, and then move laterally to compromise higher value targets—including information systems and critical industrial control system (ICS) devices in the operational technology (OT) networks.

By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities. In the diagram below we show just one example of how the vulnerabilities and newly discovered persistence techniques could be used together. Of course, there are many more possibilities.

Figure 1: Attack flow for Mozi botnet.

Guidance: Proactive defense

Businesses and individuals that are using impacted network gateways (Netgear, Huawei, and ZTE) should take the following steps immediately to ensure they are resistant to the attacks described in this blog:

  1. Ensure all passwords used on the device are created using strong password best practices.
  2. Ensure devices are patched and up-to-date.

Doing so will reduce the attack surfaces leveraged by the botnet and prevent attackers from getting into a position where they can use the newly discovered persistence and other exploit techniques described in more detail below.

The intelligence of our security cloud and all of our Microsoft Defender products, including Microsoft 365 Defender (XDR), Azure Sentinel (cloud-native SIEM/SOAR), and Azure Defender for IoT, also provide protection from this malware and are continuously updated with the latest threat intelligence as the threat landscape evolves. The recent acquisition of ReFirm Labs will further enhance Azure Defender for IoT’s ability to protect customers with its upcoming deep firmware scanning and analysis capabilities, which will be integrated with the patching capabilities of Device Update for Azure IoT Hub.

Technical description of new persistence capabilities

Apart from its known extensive P2P and DDoS abilities, we have recently observed several new and unique capabilities of the Mozi botnet.

Targeting Netgear, Huawei, and ZTE gateways, the malware now takes specific actions to increase its chances of survival upon reboot or any other attempt by other malware or responders to interfere with its operation. Here are some examples:

Achieving privileged persistence

The malware checks whether the /overlay folder exists and whether it lacks write permission to the /etc folder. If so, it tries to exploit CVE-2015-1328.

Successful exploitation of the vulnerability will grant the malware access to the following folders:

  • /etc/rc.d
  • /etc/init.d

Then the following actions are taken:

  • It places the script file named in these folders.
  • The script runs the files /usr/networks or /user/networktmp. These are copies of the executable.
  • It adds the script to /etc/rcS.d and /etc/rc.local in case it lacks privileges.

ZTE devices

The malware checks for the existence of the /usr/local/ct folder; this serves as an indicator that the device is a ZTE modem/router.

The following actions are taken:

  • It copies its other instance (/usr/networks) to /usr/local/ct/ctadmin0; this provides persistence for the malware.
  • It deletes the file /home/httpd/web_shell_cmd.gch. This file can be used to gain access through exploitation of the vulnerability CVE-2014-2321; deleting it prevents future attacks by other actors.
  • It executes the following commands, which disable TR-069 and its ability to connect to the auto-configuration server (ACS). TR-069 is a protocol for remote configuration of network devices; it is usually used by service providers to configure customer equipment.
sendcmd 1 DB set MgtServer 0 Tr069Enable 1 
sendcmd 1 DB set PdtMiddleWare 0 Tr069Enable 0 
sendcmd 1 DB set MgtServer 0 URL 
sendcmd 1 DB set MgtServer 0 UserName notitms 
sendcmd 1 DB set MgtServer 0 ConnectionRequestUsername notitms 
sendcmd 1 DB set MgtServer 0 PeriodicInformEnable 0 
sendcmd 1 DB save

Huawei devices

Executing the following commands changes the password and disables the management server on Huawei modem/router devices. This also prevents others from gaining access to the device through the management server.

cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL
cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword acsMozi

To provide an additional level of persistence, it also creates the following files if needed and appends to them an instruction to run its copy from /usr/networks.


Preventing remote access

The malware blocks the following TCP ports:

  • 23—Telnet
  • 2323—Telnet alternate port
  • 7547—TR-069 port
  • 35000—TR-069 port on Netgear devices
  • 50023—Management port on Huawei devices
  • 58000—Unknown usage

These ports are used to gain remote access to the device. Closing them increases the malware’s chances of survival.

Script infector

It scans for .sh files in the filesystem, excluding the following paths:

/tmp /dev /var /lib /haha /proc /sys

It then appends a line to each matching file. The line instructs the script to run a copy of the malware from /usr/networks. This increases its chances of survival on various devices.
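As an added example (not code from the original post or from Microsoft's tooling), the following POSIX shell check looks for the persistence artifacts described in the sections above: the /usr/networks and /usr/networktmp copies, the ZTE ctadmin0 copy, boot scripts and .sh files that were given a line launching /usr/networks, and the acsMozi password written into the Huawei config tree. It takes a path prefix so it can be pointed at a mounted firmware image or an extracted backup rather than the live root; it assumes the artifacts sit at the relative paths the post lists.

```shell
#!/bin/sh
# Added example, not part of the original post or of Microsoft's tooling:
# a read-only check for the Mozi persistence artifacts described above.
# The first argument is a path prefix, so the check can run against a
# mounted firmware image or an extracted backup instead of the live root.
# Assumption: artifacts sit at the same relative paths the post lists.
mozi_check() {
  root="${1:-}"
  root="${root%/}"
  {
    # 1. Copies of the executable and the ZTE persistence copy
    for f in /usr/networks /usr/networktmp /usr/local/ct/ctadmin0; do
      if [ -e "$root$f" ]; then echo "FILE $f"; fi
    done
    # 2. Boot scripts (rc.d, init.d, rcS.d, rc.local) that launch the copy
    for s in "$root"/etc/rc.d/* "$root"/etc/init.d/* "$root"/etc/rcS.d/* \
             "$root"/etc/rc.local; do
      if [ -f "$s" ] && grep -qs '/usr/networks' "$s"; then
        echo "BOOT ${s#"$root"}"
      fi
    done
    # 3. Script infector: any .sh outside the paths Mozi itself skips that
    #    now carries a line launching /usr/networks
    find "${root:-/}" -type f -name '*.sh' 2>/dev/null | while read -r s; do
      rel="${s#"$root"}"
      case "$rel" in
        /tmp/*|/dev/*|/var/*|/lib/*|/haha/*|/proc/*|/sys/*) continue ;;
      esac
      if grep -qs '/usr/networks' "$s"; then echo "INFECTED $rel"; fi
    done
    # 4. Huawei config tree rewritten with the acsMozi TR-069 password
    if grep -qs 'acsMozi' "$root/mnt/jffs2/hw_ctree.xml"; then
      echo "TR069 acsMozi in /mnt/jffs2/hw_ctree.xml"
    fi
  } | sort -u
}
```

Run it with no argument on a live gateway shell, or with the mount point of an image; it prints one line per finding and nothing when none of these artifacts are present.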

Traffic injection and DNS spoofing capabilities

The malware receives commands from its distributed hash table (DHT) network, a P2P protocol for decentralized communication. The commands are received and stored in a file, parts of which are encrypted. This module works only on devices capable of IPv4 forwarding: it checks whether /proc/sys/net/ipv4/ip_forward is set to 1, a setting characteristic of routers and gateways. The module operates on UDP port 53 (DNS) and TCP port 80 (HTTP).

Configuration commands

Apart from the previously documented commands in Table 1—for more information, read A New Botnet Attack Just Mozied Into Town—we also discovered these commands:

[hi] – Presence of the command indicates it needs to use the MITM module.
[set] – Contains an encrypted portion which describes how to use the MITM module.

Command   Description
[ss]      Bot role
[ssx]     Enable/disable tag [ss]
[cpu]     CPU architecture
[cpux]    Enable/disable tag [cpu]
[nd]      New DHT node
[hp]      DHT node hash prefix
[atk]     DDoS attack type
[ver]     Value in V section in DHT protocol
[sv]      Update config
[ud]      Update bot
[dr]      Download and execute payload from the specified URL
[rn]      Execute specified command
[dip]     ip:port to download Mozi bot
[idp]     Report bot
[count]   URL used to report bot

Table 1. Previously documented Mozi commands.

DNS spoofing

Mozi receives a very simple list of DNS names which are then spoofed. Its structure is as follows:

<DNS to spoof>:<IP to spoof>

Each DNS request is answered with the spoofed IP. This is an efficient technique to redirect traffic to the attackers’ infrastructure.

HTTP session hijacking

This part of the MITM functionality is responsible for hijacking HTTP sessions. Not every HTTP request is processed. There are several conditions for it to be qualified for hijacking, most of which are meant to restrict the module’s “level of noise” to lower the chances of it being discovered by network defenders.

The following are some of the rules:

  • It works only for HTTP GET requests. This means forms and more complex requests are ignored.
  • A random number in the configuration states how many queries it will inject. This shows the attackers understand the importance of hiding this functionality: they are lowering its footprint to avoid alerting the user to the hijacking.
  • Some domains are ignored, most likely to avoid interference with the normal operation of certain types of equipment or to avoid detection by various security countermeasures.
  • It only spoofs external traffic; HTTP requests inside the LAN are ignored.
  • A test is conducted to validate that the URL doesn’t contain the string “veri=20190909”; this prevents re-injecting pages that were already injected.
  • It returns a random HTTP response derived from a predefined list of responses. It has nine different types of hijacking; the specific type and its parameters are derived from the configuration file. Below are a few examples of these hijacking techniques.
  • Some of the spoofing occurs via redirection using the HTTP Location header, as seen below.

Example 1: Spoofing via redirection using the HTTP Location header. This should automatically redirect without any user interaction.

Example 2: A hijacking method that only injects JavaScript; it is designed for AJAX calls that evaluate the response, so it injects a new script into the page.
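As an added example (not from the original post), the following shell function applies the hijack rules above to a constructed, tab-separated proxy log (method, host, path, status, Location header or "-"): it reports GET requests whose URL already carries the veri=20190909 marker and GET requests answered with a redirect to a host other than the one requested. The log format is assumed for this example; cross-host redirects also occur in normal traffic, so the marker hits are the stronger signal.

```shell
#!/bin/sh
# Added example, not from the original post: flags proxy-log entries that
# match the hijack rules described above (GET only, redirect via the HTTP
# Location header, the veri=20190909 marker left in already-injected URLs).
# Log format is constructed for this example, one request per line,
# tab-separated: method, host, path, status, Location header ("-" if none).
mozi_http_scan() {
  awk -F '\t' '
    # URLs carrying the marker were already rewritten by the injector
    $1 == "GET" && index($3, "veri=20190909") > 0 {
      print "MARKER\t" $2 $3
      next
    }
    # GET answered with a redirect to a host other than the one requested
    $1 == "GET" && $4 ~ /^30[12378]$/ && $5 != "-" {
      h = $5
      sub("^https?://", "", h)   # strip scheme
      sub("[/:?].*$", "", h)     # keep only the host part
      if (h != $2) print "REDIRECT\t" $2 $3 " -> " $5
    }
  ' "$@"
}
```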

Protecting from Mozi Malware

It is important to note that Microsoft Security solutions have already been updated to protect, detect, and respond to Mozi and its enhanced capabilities.

Customers can use the network device discovery capabilities found in Microsoft Defender for Endpoint to discover impacted internet gateways on their IT networks and run vulnerability assessments. Additionally, the agentless network-layer capabilities of Azure Defender for IoT can be used to perform continuous asset discovery, vulnerability management, and threat detection for IoT and OT devices on their OT networks. This solution can be rapidly deployed (typically less than one day per site), and it is available for both on-premises and cloud-connected environments.

Defender for IoT is also tightly integrated with Azure Sentinel, which provides a bird’s eye view across your entire enterprise—leveraging AI and automated playbooks to detect and respond to multi-stage attacks that often cross IT and OT boundaries.

In addition to detecting targeted attacks and living-off-the-land (LOTL) tactics via IoT/OT-aware behavioral analytics, Defender for IoT incorporates threat information derived from trillions of signals analyzed daily by Microsoft’s global team of security experts using AI and machine learning. This helps ensure our customers are continuously protected against both new and existing threats.

While we offer many solutions, it remains critical that each of the recommendations in the “Guidance: Proactive defense” section above be implemented on the impacted internet gateways to prevent them from becoming a vector of attack.

To learn more about how our integrated SIEM/XDR solutions, combined with Azure Defender for IoT, can help secure your organization, please refer to the following resources:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Mozi, Another Botnet Using DHT, Alex Turing, Hui Wang, NetLab 360, 23 December 2019.

[2] Mozi IoT Botnet, CERT-In, Ministry of Electronics and Information Technology, Government of India, 12 November 2020.

[3] New Mozi Malware Family Quietly Amasses IoT Bots, Black Lotus Labs, Lumen, 13 April 2020.

The post How to proactively defend against Mozi IoT botnet appeared first on Microsoft Security Blog.

Categories: cybersecurity Tags:

Announcing the Launch of the Azure SSRF Security Research Challenge

August 19th, 2021

Microsoft is excited to announce the launch of a new, three-month security research challenge under the Azure Security Lab initiative. The Azure Server-Side Request Forgery (SSRF) Research Challenge invites security researchers to discover and share high impact SSRF vulnerabilities in Microsoft Azure. Qualified submissions are eligible for bounty rewards up to $60,000 USD, with additional …

Announcing the Launch of the Azure SSRF Security Research Challenge Read More »