Attacks exploiting Netlogon vulnerability (CVE-2020-1472)

October 29th, 2020 No comments

Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be …

Attacks exploiting Netlogon vulnerability (CVE-2020-1472) Read More »

The post Attacks exploiting Netlogon vulnerability (CVE-2020-1472) appeared first on Microsoft Security Response Center.

It’s Cybersecurity Awareness Month and there is still a lot to do

October 29th, 2020 No comments

October is National Cyber Security Awareness Month (NCSAM). And there is still a lot to do!

For the last 17 years, the National Cybersecurity Awareness Month (NCSAM) campaign, driven by the Department of Homeland Security, has raised awareness about the importance of cyber security across the Nation with the mission of ensuring that all Americans have the resources they need to be safer and more secure online.

In alignment with this noble mission, Microsoft Security is providing educational content and executive speakers to empower our customers, employees and families. Tune into the CyberTalks recap to listen to the keynoted delivered by @Ann Johnson, Corporate Vice President of Security, Compliance and Identity, on how to future proof your security strategy.

Cyber security podcasts

In addition to the blog series that is taking over our blog in October, Microsoft Security is also sponsoring two security podcasts in CyberScoop.com we want to encourage our community to tune in and listen to both conversations.

  • Available nowEnabling secure remote work by embracing Zero Trust—One of the greatest challenges we often hear from public and private sector CISOs, when it comes to achieving a Zero Trust IT operating environment, is the question of how to tackle such a massive undertaking—and where to begin. Tune in to listen to CTO, Steve Faehl, to learn more about Microsoft’s journey towards Zero Trust.
  • Available October 19: Risk Reduction—Podcast featuring GM, Alym Rayani who delivers an in-depth conversation about compliance and its connection to security.

Additional security blogs to read

Government agency audit traceability

The reality today for many government agencies is there is no audit traceability to determine which email messages and content an attacker may have seen during a breached session into a user’s mailbox. The standard level of Office 365 auditing includes events that a user logged into their mailbox but does not include detailed information on the activity that occurs within the mailbox. As a result, organizations have no choice but to assume all content within the mailbox is compromised whether sensitive data or PII was viewed by the adversary. To learn more about how using Advanced Audit can help improve forensic investigation capability, read this blog from Matthew Littleton, Principal Technical Specialist on this Public Sector blog.

Top 5 security questions asked by US Government customers

In an era of remote work, end users wanted to collaborate with outside agencies but in a way that meant their data was secure. IT Admins wanted to know which configuration options best fit their organization’s security posture. CIO’s wanted to lean in and give their workforce the best in class technology, all while following US Government accreditation standards. The common theme in most questions asked by our customers was around security. Read more about the top 5 security questions asked by our US Government customers for Microsoft Teams.

October is my favorite time of year, between the change of season, Major League Baseball playoffs, and with football underway. It’s also National Cybersecurity Awareness Month, though with so many cyberattacks and incidents in the news, one month of dedicated focus hardly seems sufficient. Learn how Microsoft delivers on an end-to-end security strategy to reduce risk and deliver on its commitment to customers.

To learn more about how to be #Cybersmart visit the cybersecurity website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post It’s Cybersecurity Awareness Month and there is still a lot to do appeared first on Microsoft Security.

Categories: cybersecurity Tags:

Unilever CISO on balancing business risks with cybersecurity

October 29th, 2020 No comments

Imagine showing up to work every day knowing that your job requires protecting 160,000 employees creating more than 450 products around the world—tea, ice cream, personal care, laundry and dish soaps—across a customer base of more than two and a half billion people every day. Unilever Chief Information Security Officer (CISO) Bobby Ford embraces the challenge, summing up his proactive approach this way: “I believe the responsibility of our group—the cybersecurity risk management group—is to enable the business to take risks.”

In this episode of “The Shiproom” I talk with Bobby about striking that balance between risk versus business needs, along with some of his strategies for protecting Unilever’s global workforce. We also discuss the ongoing challenges of communication and collaboration between the business and security sides of an organization. “I’m not the captain of the ‘no’ police,” Bobby explains. “Recognizing that the organization has to take risks—that’s what it means to be in business.”

On managing those risks, Bobby provides a useful metaphor: “For me, a mature cybersecurity strategy happens at the intersection of business intelligence and threat intelligence.” We discuss what constitutes threat intelligence, and why it’s important to maintain an ongoing conversation between business and security—so that decisions aren’t made in a vacuum.

Bobby also addresses the importance of diversity in the workplace, including “diversity of thought” and why a diverse workforce makes for better security. “The simplest answer is that the adversary is diverse. It’s hard to combat and defend against a diverse opponent when you lack diversity [on your team].”

We also discuss British food, arm wrestling, the Queen, shampoo, quesadillas, wombats, and more. Check out the whole discussion on:

What’s next

In an upcoming Shiproom episode, I’ll talk with Kurt John, CISO at Siemens USA. Kurt is listed in Security Magazine’s top 10 most influential cybersecurity leaders, and he’s a board member of the Virginia Innovation Partnership Authority tasked with enhancing Virginia’s tech-based economy. Kurt also serves on a special cybersecurity committee organized by the Under-Secretary-General of the United Nations. Don’t miss it.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Unilever CISO on balancing business risks with cybersecurity appeared first on Microsoft Security.

Back to the future: What the Jericho Forum taught us about modern security

October 28th, 2020 No comments

Some of the earliest formal work on what we now call Zero Trust started around in a security consortium known as the Jericho Forum (which later merged into The Open Group Security Forum). This started as a group of like-minded CISOs wrestling with the limitations of the dominant and unquestioned philosophy of securing all resources by putting them on a ‘secure’ network behind a security perimeter.

The Jericho Forum promoted a new concept of security called de-perimeterisation that focused on how to protect enterprise data flowing in and out of your enterprise network boundary instead of striving to convince users and the business to keep it on the corporate network. This shift to “secure assets where they are” proved quite prophetic, especially when you consider that the original iPhone didn’t release until 2007 (which triggered the sea change of user preferences shaping enterprise technology decisions that is now just normal).

One CISO: Our network has become a mini-internet

A lot has changed since the days when we knew exactly what is on our network. A CISO of a multinational organization once remarked that its corporate network has become a miniature internet. With hundreds of thousands of devices connected at all hours including many unmanaged devices, the network has lost its ability to create trust for the devices on it. While network controls still have a place in a security strategy, they are no longer the foundation upon which we can build the assurances we need to protect business assets.

In this blog, we will examine how these concepts (captured succinctly in the Jericho® Forum Commandments) have helped shape what has become Zero Trust today, including Microsoft’s Zero Trust vision and technology.

Accepting de-perimeterisation frees security architects and defenders to re-think their approach to securing data. Securing data where it is (vs. artificially confining it to a network) also naturally more aligned to the business and enables the business to securely operate.

Blocking is a blunt instrument

While security folks love the idea of keeping an organization safe by blocking every risk, the real world needs flexible solutions to gracefully handle the grey areas and nuances.

The classic approach of applying security exclusively at the network level limits what context security sees (e.g. what the user/application trying to do at this moment) and usually limits the response options to only blocking or allowing.

This is comparable to a parent filtering content for their children by blocking specific TV channels or entire sites like YouTube. Just like blocking sites in security, the rough grain blocking causes issues when kids need YouTube to do their online classes or find websites and other TV channels with inappropriate content.

We have found that it’s better to offer users a safe path to be productive rather than just blocking a connection or issuing an “access denied.” Microsoft has invested heavily in zero trust to address both the usability and security needs in this grey area

  • Providing easy ways to prove trustworthiness using multi-factor authentication (MFA) and Passwordless authentication that do not repeatedly prompt for validation if risk has not changed as well as hardware security assurances that silently protect their devices.
  • Enabling users to be productive in the grey areas – Users must be productive for their jobs even if they are working from unmanaged networks or unusual locations. Microsoft allows users to increase their trust with MFA prompts and enables organizations to limit or monitor sessions to mitigate risk without blocking productivity.

While it’s tempting to think “but it’s just safer if we block it entirely”, beware of this dangerous fallacy. Users today control how they work and they will find a way to work in a modern way, even if they must use devices and cloud services completely outside the control of IT and security departments. Additionally, attackers are adept at infiltrating approved communication channels that are supposed to be safe (legitimate websites, DNS (Domain Name Servers) traffic, email, etc.).

The Jericho Forum recognized emerging trends that are now simply part of normal daily life. As we make security investments in the future, we must embrace new ways of working, stop confining assets unnaturally to a network they do not belong on, and secure those assets and users where they are and wherever they go.

Learn more about Why Zero Trust. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Back to the future: What the Jericho Forum taught us about modern security appeared first on Microsoft Security.

Categories: cybersecurity, Zero Trust Tags:

Cyberattacks against machine learning systems are more common than you think

October 22nd, 2020 No comments

Machine learning (ML) is making incredible transformations in critical areas such as finance, healthcare, and defense, impacting nearly every aspect of our lives. Many businesses, eager to capitalize on advancements in ML, have not scrutinized the security of their ML systems. Today, along with MITRE, and contributions from 11 organizations including IBM, NVIDIA, Bosch, Microsoft is releasing the Adversarial ML Threat Matrix, an industry-focused open framework, to empower security analysts to detect, respond to, and remediate threats against ML systems.

During the last four years, Microsoft has seen a notable increase in attacks on commercial ML systems. Market reports are also bringing attention to this problem: Gartner’s Top 10 Strategic Technology Trends for 2020, published in October 2019, predicts that “Through 2022, 30% of all AI cyberattacks will leverage training-data poisoning, AI model theft, or adversarial samples to attack AI-powered systems.” Despite these compelling reasons to secure ML systems, Microsoft’s survey spanning 28 businesses found that most industry practitioners have yet to come to terms with adversarial machine learning. Twenty-five out of the 28 businesses indicated that they don’t have the right tools in place to secure their ML systems. What’s more, they are explicitly looking for guidance. We found that preparation is not just limited to smaller organizations. We spoke to Fortune 500 companies, governments, non-profits, and small and mid-sized organizations.

Our survey pointed to marked cognitive dissonance especially among security analysts who generally believe that risk to ML systems is a futuristic concern. This is a problem because cyber attacks on ML systems are now on the uptick. For instance, in 2020 we saw the first CVE for an ML component in a commercial system and SEI/CERT issued the first vuln note bringing to attention how many of the current ML systems can be subjected to arbitrary misclassification attacks assaulting the confidentiality, integrity, and availability of ML systems. The academic community has been sounding the alarm since 2004, and have routinely shown that ML systems, if not mindfully secured, can be compromised.

Introducing the Adversarial ML Threat Matrix

Microsoft worked with MITRE to create the Adversarial ML Threat Matrix, because we believe the first step in empowering security teams to defend against attacks on ML systems, is to have a framework that systematically organizes the techniques employed by malicious adversaries in subverting ML systems. We hope that the security community can use the tabulated tactics and techniques to bolster their monitoring strategies around their organization’s mission critical ML systems.

  1. Primary audience is security analysts: We think that securing ML systems is an infosec problem. The goal of the Adversarial ML Threat Matrix is to position attacks on ML systems in a framework that security analysts can orient themselves in these new and upcoming threats. The matrix is structured like the ATT&CK framework, owing to its wide adoption among the security analyst community – this way, security analysts do not have to learn a new or different framework to learn about threats to ML systems. The Adversarial ML Threat Matrix is also markedly different because the attacks on ML systems are inherently different from traditional attacks on corporate networks.
  2. Grounded in real attacks on ML Systems: We are seeding this framework with a curated set of vulnerabilities and adversary behaviors that Microsoft and MITRE have vetted to be effective against production ML systems. This way, security analysts can focus on realistic threats to ML systems. We also incorporated learnings from Microsoft’s vast experience in this space into the framework: for instance, we found that model stealing is not the end goal of the attacker but in fact leads to more insidious model evasion. We also found that when attacking an ML system, attackers use a combination of “traditional techniques” like phishing and lateral movement alongside adversarial ML techniques.

Open to the community

We recognize that adversarial ML is a significant area of research in academia, so we also garnered input from researchers at the University of Toronto, Cardiff University, and the Software Engineering Institute at Carnegie Mellon University. The Adversarial ML Threat Matrix is a first attempt at collecting known adversary techniques against ML Systems and we invite feedback and contributions. As the threat landscape evolves, this framework will be modified with input from the security and machine learning community.

When it comes to Machine Learning security, the barriers between public and private endeavors and responsibilities are blurring; public sector challenges like national security will require the cooperation of private actors as much as public investments. So, in order to help address these challenges, we at MITRE are committed to working with organizations like Microsoft and the broader community to identify critical vulnerabilities across the machine learning supply chain.

This framework is a first step in helping to bring communities together to enable organizations to think about the emerging challenges in securing machine learning systems more holistically.”

– Mikel Rodriguez, Director of Machine Learning Research, MITRE

This initiative is part of Microsoft’s commitment to develop and deploy ML systems securely. The AI, Ethics, and Effects in Engineering and Research (Aether) Committee provides guidance to engineers to develop safe, secure, and reliable ML systems and uphold customer trust. To comprehensively protect and monitor ML systems against active attacks, the Azure Trustworthy Machine Learning team routinely assesses the security posture of critical ML systems and works with product teams and front-line defenders from the Microsoft Security Response Center (MSRC) team. The lessons from these activities are routinely shared with the community for various people:

  • For engineers and policymakers, in collaboration with Berkman Klein Center at Harvard University, we released a taxonomy documenting various ML failure modes.
  • For developers, we released threat modeling guidance specifically for ML systems.
  • For security incident responders, we released our own bug bar to systematically triage attacks on ML systems
  • For academic researchers, Microsoft opened a $300K Security AI RFP, and as a result, partnering with multiple universities to push the boundary in this space.
  • For industry practitioners and security professionals to develop muscle in defending and attacking ML systems, Microsoft hosted a realistic machine learning evasion competition.

This effort is aimed at security analysts and the broader security community: the matrix and the case studies are meant to help in strategizing protection and detection; the framework seeds attacks on ML systems, so that they can carefully carry out similar exercises in their organizations and validate the monitoring strategies.

To learn more about this effort, visit the Adversarial ML Threat Matrix GitHub repository and read about the topic from MITRE’s announcement, and SEI/CERT blog.

The post Cyberattacks against machine learning systems are more common than you think appeared first on Microsoft Security.

Addressing cybersecurity risk in industrial IoT and OT

October 21st, 2020 No comments

As the industrial Internet of Things (IIoT) and operational technology (OT) continue to evolve and grow, so too, do the responsibilities of the Chief Information Security Officer (CISO). The CISO now needs to mitigate risks from cloud-connected machinery, warehouse systems, and smart devices scattered among hundreds of workstations. Managing those security risks includes the need to ensure safety in manufacturing, oil and gas facilities, public utilities, transportation, civic infrastructure, and more.

Analysts predict that we’ll have roughly 21.5 billion IoT devices connected worldwide in 2025, drastically increasing the surface area for attacks. Because embedded devices often go unpatched, CISO’s need new strategies to mitigate IIoT/OT risks that differ in crucial ways from those found in information technology (IT). The difference needs to be understood by your Board of Directors (BoD) and leadership team. Costly production outages, safety failures with injuries or loss of life, environmental damage leading to liability—all are potentially disastrous scenarios that have moved IIoT and OT to the center of cyber threat management.

An evolving threat landscape

Both IIoT and OT are considered cyber-physical systems (CPS); meaning, they encompass both the digital and physical worlds. This makes any CPS a desirable target for adversaries seeking to cause environmental contamination or operational disruption. As recent history shows, such attacks are already underway. Examples include the TRITON attack—intended to cause a serious safety incident—on a Middle East chemical facility and the Ukrainian electrical-grid attacks. In 2017, ransomware dubbed NotPetya paralyzed the mighty Maersk shipping line and nearly halted close to a fifth of the world’s shipping capacity. It also spread to pharma giant Merck, FedEx, and numerous European firms before boomeranging back to Russia to attack the state oil company, Rosneft.

In 2019, Microsoft observed a Russian state-sponsored attack using IoT smart devices—a VOIP phone, an office printer, and a video decoder—as entry points into corporate networks, from which they attempted to elevate privileges. Attackers have even compromised building access control systems to move into corporate networks using distributed denial-of-service (DDoS) attacks; wherein, a computer system is overwhelmed and crashed with an onslaught of traffic.

The current model

Since the 1990’s, the Purdue Enterprise Reference Architecture (PERA), aka the Purdue Model, has been the standard model for organizing (and segregating) enterprise and industrial control system (ICS) network functions. PERA divides the enterprise into various “Levels,” with each representing a subset of systems. Security controls between each level are typified by a “demilitarized zone” (DMZ) and a firewall.

Conventional approaches restrict downward access to Level 3 from Levels 4, 5 (and the internet). Heading upward, only Layer 2 or 3 can communicate with Layers 4 and 5, and the lowest two Levels (machinery and process) must keep their data and communications within the organization’s OT.

But in our IIoT era, data no longer flows in a hierarchical fashion as prescribed by the Purdue Model. With the rise of edge computing, smart sensors, and controllers (Levels O, 1) now bypass firewalls and communicate directly with the cloud, creating new risks for system exposure.

Modernizing this model with Zero Trust principles at Levels 4 and 5 can help bring an organization’s IIoT/OT into full compliance for the cloud era.

A new strategy

Consequence-driven cyber-informed engineering (CCE) is a new methodology designed by Idaho National Labs (INL) to address the unique risks posed by IIoT/OT. Unlike conventual approaches to cybersecurity, CCE views consequence as the first aspect of risk management and proactively engineers for potential impacts. Based on CCE, there are four steps that your organization—public or private—should prioritize:

  1. Identify your “crown jewel” processes: Concentrate on protecting critical “must-not-fail” functions whose failure could cause safety, operational, or environmental damage.
  2. Map your digital estate: Examine all the digital pathways that could be exploited by adversaries. Identify all of your connected assets—IT, IoT, building management systems (BMS), OT, smart personal devices—and understand who has access to what, including vendors, maintenance people, and remote workers.
  3. Spotlight likely attack paths: Analyze vulnerabilities to determine attack routes leading to your crown jewel processes, including possible social engineering schemes and physical access to your facilities.
  4. Mitigate and protect: Prioritize options that allow you to “engineer out” cyber risks that present the highest consequences. Implement Zero Trust segmentation policies to separate IIoT and OT devices from other networks. Reduce the number of internet-accessible entry points and patch vulnerabilities in likely attack paths.

Making the case in real terms

Your leadership and BoD have a vested interest in seeing a return on investment (ROI) for any new software or hardware. Usually, the type of ROI they want and expect is increased revenue. But returns on security software often can’t be seen in a quarterly statement. That means cybersecurity professionals have to present a solid case. Here are some straightforward benefits to investing in IIoT/OT cybersecurity software that you can take into the boardroom:

  • Prevent safety or environmental costs: Security failures at chemical, mining, oil, transportation, or other industrial facilities can cause consequences more dire than an IT breach. Lives can be lost, and costs incurred from toxic clean-up, legal liability, and brand damage can reach into the hundreds of millions.
  • Minimize downtime: As the NotPetya and LockerGoga attacks demonstrated, downtime incurs real financial losses that affect everyone—from plant personnel all the way up to shareholders.
  • Stop IP theft: Companies in the pharmaceutical industry, energy production, defense, high-tech, and others spend millions on research and development. Losses from having their intellectual property stolen by nation states or competitors can also be measured in the millions.
  • Avoid regulatory fines: Industries such as pharmaceuticals, oil/gas, transportation, and healthcare are heavily regulated. Therefore, they are vulnerable to large fines if a security breach in IIoT/OT causes environmental damage or loss of life.

The way forward

For today’s CISO, securing the digital estate now means being accountable for all digital security—IT, OT, IIoT, BMS, and more. This requires an integrated approach—embracing people, processes, and technology. A good checklist to start with includes:

  • Enable IT and OT teams to embrace their common goal—supporting the organization.
  • Bring your IT security people onsite so they can understand how OT processes function.
  • Show OT personnel how visibility helps the cybersecurity team increase safety and efficiency.
  • Bring OT and IT together to find shared solutions.

With attackers now pivoting across both IT and OT environments, Microsoft developed Azure Defender for IoT to integrate seamlessly with Azure Sentinel and Azure Sphere—making it easy to track threats across your entire enterprise. Azure Defender for IoT utilizes:

  • Automated asset discovery for both new greenfield and legacy unmanaged IoT/OT devices.
  • Vulnerability management to identify IIoT/OT risks, detect unauthorized changes, and prioritize mitigation.
  • IIoT/OT-aware behavioral analytics to detect advanced threats faster and more accurately.
  • Integration with Azure Sentinel and third-party solutions like other SIEMs, ticketing, and CMDBs.

Azure Defender for IoT makes it easier to see and mitigate risks and present those risks to your BoD. Microsoft invests more than USD1 billion annually on cybersecurity research, which is why Azure has more compliance certifications than any other cloud provider.

Plain language and concrete examples go far when making the case for IIoT/OT security software. Your organization should define what it will—and more importantly, will not—tolerate as operational risks. For example: “We tolerate no risk to human life or safety”; “no permanent damage to the ecosystem”; “no downtime that will cost jobs.” Given the potential for damages incurred from downtime, injuries, environmental liability, or tarnishing your brand, an investment in cybersecurity software for IIoT/OT makes both financial and ethical sense.

To learn more about Microsoft Security solutions, visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Addressing cybersecurity risk in industrial IoT and OT appeared first on Microsoft Security.

Security baseline (DRAFT): Windows 10 and Windows Server, version 20H2

October 20th, 2020 No comments

We are pleased to announce the proposed draft release of the for Windows 10 and Windows Server, version 20H2 (a.k.a. October 2020 Update) security baseline package!


 


Please download this draft baseline (attached to this post), evaluate the proposed baselines, and provide us your comments/feedback below.


 


This Windows 10 feature update brings very few new policy settings, which we list in the accompanying documentation. At this point, no new 20H2 policy settings meet the criteria for inclusion in the security baseline, but there are a few policies we are going to be making changes to, which we highlight below along with our recommendations.


 


Block at first sight


We started the journey for cloud protection several years ago. Based on our analysis of the security value versus the cost of implementation, we feel it’s time to add Microsoft Defender Antivirus’ Block At First Sight (BAFS) feature to the security baseline. BAFS was first introduced in Windows 10, version 1607 and allows new malware to be detected and blocked within seconds by leveraging various machine learning techniques and the power of our cloud.


 


BAFS currently requires 6 settings to be configured. Our baseline already sets 2 of them, Join Microsoft MAPS and Send file sample when further analysis is required. We are now recommending the addition of the following settings to enable BAFS:


 



  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Configure the ‘Block at first sight’ feature set to Enabled


 



  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Scan all downloaded files and attachments set to Enabled


 



  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn off real-time protection set to Disabled


 



  • Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MPEngine\Select cloud protection level set to High blocking level


 


These new settings have been added to the MSFT Windows 10 20H2 and Server 20H2 – Defender Antivirus group policy.


 


Additional details on BAFS can be found here.


 


Attack Surface Reduction Rules


We routinely evaluate our Attack Surface Reduction configuration, and based on telemetry and customer feedback we are now recommending configuring two additional Attack Surface Reduction controls: Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules: Use advanced protection against ransomware and Block persistence through WMI event subscription.


 


Introduced in Windows 10, version 1709 the Use advanced protection against ransomware rule will scan any executable files and determine, using advanced cloud analytics, if the file looks malicious .  If so, it will be blocked unless that file is added to an exclusion list. This rule does have a cloud dependency, so you must have Join Microsoft MAPS also configured (which is already part of the security baseline).


 


Block persistence through WMI event subscription is a rule that was released in Windows 10, version 1903. This rule attempts to ensure WMI persistence is not achieved – a common technique adversaries use to evade detection. Unlike many of the other ASR rules, this rule does not allow any sort of exclusions since it is solely based on the WMI repository.


 


A friendly reminder that the security baselines set all ASR rules to block mode. We recommend first configuring them to audit mode, then testing to ensure you understand the impacts these rules will have in your environment, and then configuring them to block mode. Microsoft Defender for Endpoints (formally Microsoft Defender Advanced Threat Protection, MDATP) will greatly enhance the experience of testing, deployment, and operation of ASR rules. We would encourage you to look at evaluating, monitoring and customizing links to better prepare your environment.


 


These new settings have been added to the MSFT Windows 10 20H2 and Server 20H2 – Defender Antivirus group policy.


 


UEFI MAT


You might recall in the draft release of our security baseline for Windows 10, version 1809 we enabled UEFI Memory Attributes Tables, but based on your feedback we removed that recommendation from the final version (thank you to the testers who provided that feedback!). After further testing and discussions, we are again recommending that you enable Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security\Require UEFI Memory Attributes Table.


 


Microsoft Edge


Starting with Windows 10, version 20H2 the new Microsoft Edge (based on Chromium) is now installed as part of the operating system. Please ensure you are applying the security baseline for Microsoft Edge to your Windows 10, version 20H2 machines. We have gotten questions about including it on the Windows security baseline, but since Microsoft Edge is a cross platform product and has a different release cadence, we are going to keep it a separate security baseline.


 


Baseline criteria


We follow a streamlined and efficient approach to baseline definition when compared with the baselines we published before Windows 10. The foundation of that approach is essentially:



  • The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.

  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks they mitigate.

  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:


    • If a non-administrator can set an insecure state, enforce the default.

    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.



For additional discussion, please see the “Why aren’t we enforcing more defaults?” section in this blog post.


 

Categories: Uncategorized Tags:

CISO Spotlight: How diversity of data (and people) defeats today’s cyber threats

October 20th, 2020 No comments

This year, we have seen five significant security paradigm shifts in our industry. This includes the acknowledgment that the greater the diversity of our data sets, the better the AI and machine learning outcomes. This diversity gives us an advantage over our cyber adversaries and improves our threat intelligence. It allows us to respond swiftly and effectively, addressing one of the most difficult challenges for any security team. For Microsoft, our threat protection is built on an unparalleled cloud ecosystem that powers scalability, pattern recognition, and signal processing to detect threats at speed, while correlating these signals accurately to understand how the threat entered your environment, what it affected, and how it currently impacts your organization. The AI capabilities built into Microsoft Security solutions are trained on 8 trillion daily threat signals from a wide variety of products, services, and feeds from around the globe. Because the data is diverse, AI and machine learning algorithms can detect threats in milliseconds.

All security teams need insights based on diverse data sets to gain real-time protection for the breadth of their digital estates. Greater diversity fuels better AI and machine learning outcomes, improving threat intelligence and enabling faster, more accurate responses. In the same way, a diverse and inclusive cybersecurity team also drives innovation and diffuses group think.

Jason Zander, Executive Vice President, Microsoft Azure, knows firsthand the advantages organizations experience when embracing cloud-based protections that look for insights based on diverse data sets. Below, he shares how they offer real-time protection for the breadth of their digital estates:

How does diverse data make us safer?

The secret ingredient lies in the cloud itself. The sheer processing power of so many data points allows us to track more than 8 trillion daily signals from a diverse collection of products, services, and the billions of endpoints that touch the Microsoft cloud every month. Microsoft analyzes hundreds of billions of identity authentications and emails looking for fraud, phishing attacks, and other threats. Why am I mentioning all these numbers? It’s to demonstrate how our security operations take petabytes’ worth of data to assess the worldwide threat, then act quickly. We use that data in a loop—get the signals in, analyze them, and create even better defenses. At the same time, we do forensics to see where we can raise the bar.

Microsoft also monitors the dark web and scans 6 trillion IoT messages every day, and we leverage that data as part of our security posture. AI, machine learning, and automation all empower your team by reducing the noise of constant alerts, so your people can focus on meeting the truly challenging threats.

Staying ahead of the latest threats

As the pandemic swept the globe, we were able to identify new COVID-19 themed threats—often in a fraction of a second—before they breached customers’ networks. Microsoft cyber defenders determined that adversaries added new pandemic-themed lures to existing and familiar malware. Cybercriminals are always changing their tactics to take advantage of recent events. Insights based on diverse data sets empower robust real-time protection as our adversaries’ tactics shift.

Microsoft also has the Cyber Defense Operations Center (CDOC) running 24/7. We employ over 3,500 full-time security employees and spend about $1 billion in operational expenses (OPEX) every year. In this case, OPEX includes all the people, equipment, algorithms, development, and everything else needed to secure the digital estate. Monitoring those 8 trillion signals is a core part of that system protecting our end users.

Tried and proven technology

If you’re part of the Microsoft ecosystem—Windows, Teams, Microsoft 365, or even Xbox Live—then you’re already benefitting from this technology. Azure Sentinel is built on the same cybersecurity technology we use in-house. As a cloud-native security information and event management (SIEM) solution, Azure Sentinel uses scalable machine learning algorithms to provide a birds-eye view across your entire enterprise, alleviating the stress that comes from sophisticated attacks, frequent alerts, and long resolution time frames. Our research has shown that customers who use Azure Sentinel achieved a 90 percent reduction in alert fatigue.

Just as it does for us, Azure Sentinel can work continuously for your enterprise to:

  • Collect data across all users, devices, applications, and infrastructure—both on-premises and in multiple clouds.
  • Detect previously undetected threats (while minimizing false positives) using analytics and threat intelligence.
  • Investigate threats and hunt down suspicious activities at scale using powerful AI that draws upon years of cybersecurity work at Microsoft.
  • Respond to incidents rapidly with built-in orchestration and automation of common tasks.

Diversity equals better protection

As Jason explained, Microsoft is employing AI, machine learning, and quantum computing to shape our responses to cyber threats. We know we must incorporate a holistic approach that includes people at its core because technology alone will not be enough. If we don’t, cybercriminals will exploit group preconceptions and biases. According to research, gender-diverse teams make better business decisions 73 percent of the time. Additionally, teams that are diverse in age and geographic location make better decisions 87 percent of the time. Just as diverse data makes for better cybersecurity, the same holds true for the people in your organization, allowing fresh ideas to flourish. Investing in diverse teams isn’t just the right thing to do—it helps future proof against bias while protecting your organization and customers.

Watch for upcoming posts on how your organization can benefit from integrated, seamless security, and be sure to follow @Ann Johnson and @Jason Zander on Twitter for cybersecurity insights.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post CISO Spotlight: How diversity of data (and people) defeats today’s cyber threats appeared first on Microsoft Security.

Announcing the Zero Trust Deployment Center

October 15th, 2020 No comments

Organizations have been digitally transforming at warp speed in response to the way businesses operate and how people work. As a result, digital security teams have been under immense pressure to ensure their environments are resilient and secure. Many have turned to a Zero Trust security model to simplify the security challenges from this transformation and the shift to remote work.

Over the past year, we have been hard at work helping customers navigate these challenges by listening to their difficulties, sharing our own learnings, and building controls, tools, and practices that enable the implementation of Zero Trust. However, one of the things we hear most consistently is the need for additional deployment support.

We are excited to announce the launch of the Zero Trust Deployment Center—a repository of information to improve their Zero Trust readiness as well as specific guidance on implementing Zero Trust principles across their identities, endpoints, data, applications, networks, and infrastructure. The Zero Trust Deployment Center breaks down deployment guidance into plain-language objectives across each of the technology pillars, providing an actionable list of steps needed to implement Zero Trust principles in your environment.

This repository is the perfect place to start planning and deploying your Zero Trust strategy.

A screenshot of the Zero Trust Deployment Center web page

Figure 1:  Zero Trust Deployment Center web page.

If you are already well underway in your journey, these objectives will provide a great framework to help measure your progress and ensure you are meeting critical milestones. If you’re interested in measuring your Zero Trust maturity, we’ve also created a Zero Trust assessment tool to help measure your current maturity and identify possible next milestones and priorities along with technologies.

Learn more about Zero Trust and Microsoft Security. Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

The post Announcing the Zero Trust Deployment Center appeared first on Microsoft Security.

Categories: cybersecurity, security, Zero Trust Tags:

CISO Stressbusters: 7 tips for weathering the cybersecurity storms

October 15th, 2020 No comments

An essential requirement of being a Chief Information Security Officer (CISO) is stakeholder management. In many organizations, security is still seen as a support function; meaning, any share of the budget you receive may be viewed jealously by other departments. Bringing change to an organization that’s set in its ways can be a challenge (even when you’ve been hired to do just that). But whether you’ve been brought on to initiate digital transformation or to bring an organization into compliance, you’ll need everyone to see that it’s in their best interest to work together on the program.

I sat down to discuss some CISO Stressbuster tips with my colleague Abbas Kudrati who has worked as a CISO in many different organizations for over 20 years before joining Microsoft. Here are several things we identified as important to weathering the cybersecurity storms and in Abbas’s own words.

Abbas Kudrati, a Chief Cybersecurity Advisor at Microsoft shares his advice for relieving stress in today’s CISO Stressbuster post.

1. Business engagement makes a difference

My passion is for building or fixing things. My reputation in those areas means that I am often engaged to work on a new project or implement changes to an existing system. I’m a generalist CISO who works across industries, but in every role I’ve undertaken I’ve managed to get something unique done, and often received an award as well. My tasks have ranged from achieving better compliance to improving incident response plans or aligning with international standards such as CREST UK or COBIT 5.

My focus is on implementing the changes that are needed to make a difference and then finding a good successor to take over maintaining and operating a large, complex environment. My typical tenure as a CISO was two to three years, but I know some CISOs, particularly in large, complex environments such as mining organizations, where they’ve been in their role for six to eight years and running. They have a good rapport with their management; the CISO feels supported and they’re able to support the business in return. Those two things—engagement with management and reciprocal organizational support—are essential to being a successful CISO.

2. Know what you want to accomplish

It’s often difficult to gauge the state of an organization until you’re in it. Sometimes when you start a role you’ll realize how bad it is and think, “What have I gotten into?” You don’t want to mess up your CV by staying for only six months; so, you try to stick it out. But if the support and communication aren’t there, it’s not worth the stress of staying for more than two years. This is the common reason many CISO’s leave.

A different frustration can occur when you exceed targets. There have been instances when I’ve been brought on board to deliver a targeted result within three years but managed to accomplish it within 18 months to 2 years. Then in the second stage, the company says it can afford to keep it running. That’s not what I want. I want to make a difference and be planning around that; so, I can then choose to move on.

3. Hire and build the right talent

The final challenge, particularly in the countries where I’ve worked, is hiring the right talent. In the Asia-Pacific region, there’s a very competitive market for skilled individuals. In some situations, I’ve looked to use my academic connections to hire fresh minds and build them up. Not only do I get the skills I need, but I’m helping to support the development of our profession. This isn’t easy to achieve, but I’ve developed some of my most passionate employees this way.

4. Find mentors and advisors

It can be lonely being a CISO. Not many people understand what you do, and you often won’t get the internal support you need. It helps to find a mentor. I’ve always sought out mentors in the role of CISO who are doing security in a more advanced way. Don’t be limited just to finding this in your immediate location. Find the right mentor in any industry or region, and today that person can be anywhere in the world. In Australia, there are only a handful of people in organizations large enough to have a CISO at an executive level. Finding that international connection was invaluable to me.

Vendors and partners also can be a good sounding board and source of advice. I had a good relationship with the account team at Cisco and they introduced me to their CISO, who gave me a lot of valuable insights. This is something I’ve carried into my role at Microsoft—I provide our customers with the same kinds of insights and external viewpoint that I appreciated receiving in my earlier roles. Customers appreciate the insights you can provide, helping them to make tough decisions and evolve their strategy.

5. Burnout is real and career progression can be a challenge

Being a CISO is not an easy job. You’re on the frontline during security incidents; a routine 9-5 schedule is almost impossible. In the Asia-Pacific region, there are also limitations on where you can go to develop your career. Some countries are not big enough to have sufficient mature organizations that need a CISO. For example, there is a limit on how many CISO roles will exist in Malaysia or Indonesia. Australia is slightly bigger. Singapore has even more opportunities, but it’s still not on the same scale as countries in other parts of the world.

CISO’s often move on to be advisors, consultants, or even into early retirement. It’s quite common to see CISO’s retire and become non-executive directors on company boards, where their experience is invaluable. Being a virtual CISO allows you to share expertise and support, work on specific projects (such as hiring a team), share expertise, or educate an organization without being tied into permanent employment. When moving on, a CISO will often take a reduction in salary in exchange for a reduction in stress and regained family time.

For me, the move to being Chief Security Advisor for the Asia-Pacific region at Microsoft was a logical and fulfilling step. I can pay forward to customers that support that I received from vendors as a CISO. My experience and expertise can help organizations better consider the changes required to undertake a successful digital transformation.

6. Discipline and human connections are essential

There is so much disruption in a CISO’s working life; it’s important to focus on your physical and mental well-being as much as your work. Take regular breaks; go outdoors and get some fresh air. Take time for mental well-being with meditation or physical exercise. COVID-19 has underlined how important it is to connect with your family. Since a crisis may interrupt your holidays and weekends, don’t count on those times to relax.

Building your ally network both within the company and outside is essential to maintaining your sense of balance, perspective, and support. I really like the concept of allies that Microsoft fosters across different groups, backgrounds, and environments. We all need to be there to support each other. Now that the whole world is connected, we can be, too. Checking how people are and supporting them is core to managing our group stress, and has never been more important than during a pandemic. Take the time to connect.

7. Truths to remember

This is a wake-up call for organizations that may be thinking of hiring a CISO, or just looking to fill a spot in an organizational chart—having a warm body in that position is not enough. Business executive and leadership teams must provide adequate resources and give the CISO the ability to manage risk and help the business be successful. Keep these tips in mind when you’re hiring:

  • CISO’s don’t own security incidents; they manage them.
  • CISO’s need access to all business units for success.
  • CISOs need to understand the business to be effective; please mentor them.
  • CISO’s need to collaborate with their peers; so, don’t isolate them.
  • CISOs need to be involved in all technology decisions to manage risks.

Being a CISO is a dream job for many cybersecurity professionals, including me. The job is stressful; however, many CISOs accept the challenges because they feel they’re making a difference. I enjoyed having that sense of purpose and leading teams toward a specific goal. That focus—and the opportunity to be part of a leadership team—is becoming a requirement for today’s modern security executive. With this in mind, how will your business optimize its practices for the sake of your CISO’s success?

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post CISO Stressbusters: 7 tips for weathering the cybersecurity storms appeared first on Microsoft Security.

Categories: CISO series, cybersecurity Tags:

Announcing the Top MSRC 2020 Q3 Security Researchers

October 15th, 2020 No comments

Following the MSRC’s 2020 Most Valuable Security Researchers announced during this year’s Black Hat, we’re excited to announce the top contributing researchers for the 2020 Third Quarter (Q3)! The top three researchers of the 2020 Q3 Security Researcher Leaderboard are: David Dworken (1800 points), Cameron Vincent (1780 points), and Yuki Chen (1380 points). Congratulations to …

Announcing the Top MSRC 2020 Q3 Security Researchers Read More »

The post Announcing the Top MSRC 2020 Q3 Security Researchers appeared first on Microsoft Security Response Center.

Security Analysis of CHERI ISA

October 14th, 2020 No comments

Is it possible to get to a state where memory safety issues would be deterministically mitigated? Our quest to mitigate memory corruption vulnerabilities led us to examine CHERI (Capability Hardware Enhanced RISC Instructions), which provides memory protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits. We’ve looked at …

Security Analysis of CHERI ISA Read More »

The post Security Analysis of CHERI ISA appeared first on Microsoft Security Response Center.

Security Unlocked—A new podcast exploring the people and AI that power Microsoft Security solutions

October 14th, 2020 No comments

It’s hard to keep pace with all the changes happening in the world of cybersecurity. Security experts and leaders must continue learning (and unlearning) to stay ahead of the ever-evolving threat landscape. In fact, many of us are in this field because of our desire to continuously challenge ourselves and serve the greater good.

So many of the advancements in security are now utilizing this amorphous, at times controversial, and complex term called “artificial intelligence” (AI). Neural networks, clustering, fuzzy logic, heuristics, deep learning, random forests, adversarial machine learning (ML), unsupervised learning. These are just a few of the concepts that are being actively researched and utilized in security today.

But what do these techniques do? How do they work? What are the benefits? As security professionals, we know you have these questions, and so we decided to create Security Unlocked, a new podcast launching today, to help unlock (we promise not to overuse this pun) insights into these new technologies and the people creating them.

In each episode, hosts Nic Fillingham and Natalia Godyla take a closer look at the latest in threat intelligence, security research, and data science. Our expert guests share insights into how modern security technologies are being built, how threats are evolving, and how machine learning and artificial intelligence are being used to secure the world.

Each episode will also feature an interview with one of the many experts working in Microsoft Security. Guests will share their unique path to Microsoft and the infosec field, what they love about their calling and their predictions about the future of ML and AI.

New episodes of Security Unlocked will be released twice a month with the first three episodes available today on all major podcast platforms. We will talk about specific topics in future blogs and provide links to podcasts to get more in-depth.

Episode 1: Going ‘deep’ to identify attacks, and Holly Stewart

Listen here.

Guests: Arie Agranonik and Holly Stewart

Blog referenced: Seeing the big picture: Deep learning-based fusion of behavior signals for threat detection

In this episode, Nic and Natalia invited Arie Agranonik, Senior Data Scientist at Microsoft, to better understand how we’re using deep learning models to look at behavioral signals and identify malicious process trees. In their chat, Arie explains the differences and use cases for techniques such as deep learning, neural networks, and transfer learning.

Nic and Natalia also speak with Holly Stewart, Principal Research Manager at Microsoft, to learn how, and when, to use machine learning, best practices for building an awesome security research team, and the power of diversity in security.

Episode 2: Unmasking threats with AMSI and ML, and Dr. Josh Neil

Listen here.

Guests: Ankit Garg, Geoff McDonald, and Dr. Josh Neil

Blog referenced: Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning

In this episode, members of the Microsoft Defender ATP Research team chat about how the antimalware scripting interface (AMSI) and machine learning are stopping active directory attacks.

They’re also joined by Josh Neil, Principal Data Science Manager at Microsoft, as he discusses his path from music to mathematics, one definition of “artificial intelligence,” and the importance of combining multiple weak signals to gain a comprehensive view of an attack.

Episode 3: Behavior-based protection for the under-secured, and Dr. Karen Lavi

Listen here.

Guests: Hardik Suri and Dr. Karen Lavi

Blog referenced: Defending Exchange servers under attack

In this episode, Nic and Natalia chat with Hardik Suri on the importance of keeping servers up-to-date and how behavior-based monitoring is helping protect under-secured Exchange servers.

Dr. Karen Lavi, Senior Data Scientist Lead at Microsoft, joins the discussion to talk about commonalities between neuroscience and cybersecurity, her unique path to Microsoft (Teaser: She started in the Israeli Defense Force and later got her PhD in neuroscience), and her predictions on the future of AI.

Please join us monthly on the Microsoft Security Blog for new episodes. If you have feedback on how we can improve the podcast or suggestions for topics to cover in future episodes, please email us at securityunlocked@microsoft.com, or talk to us on our @MSFTSecurity Twitter handle.

And don’t forget to subscribe to Security Unlocked.

The post Security Unlocked—A new podcast exploring the people and AI that power Microsoft Security solutions appeared first on Microsoft Security.

Categories: cybersecurity, security Tags:

Becoming resilient by understanding cybersecurity risks: Part 1

October 13th, 2020 No comments

All risks have to be viewed through the lens of the business or organization. While information on cybersecurity risks is plentiful, you can’t prioritize or manage any risk until the impact (and likelihood) to your organization is understood and quantified.

This rule of thumb on who should be accountable for risk helps illustrate this relationship:

The person who owns (and accepts) the risk is the one who will stand in front of the news cameras and explain to the world why the worst case scenario happened.

This is the first in a series of blogs exploring how to manage challenges associated with keeping an organization resilient against cyberattacks and data breaches. This series will examine both the business and security perspectives and then look at the powerful trends shaping the future.

This blog series is unabashedly trying to help you build a stronger bridge between cybersecurity and your organizational leadership.

A visualization of how to manage organizational risk through leadership

Organizations face two major trends driving both opportunity and risk:

  • Digital disruption: We are living through the fourth industrial revolution, characterized by the fusion of the physical, biological, and digital worlds. This is having a profound impact on all of us as much as the use of steam and electricity changed the lives of farmers and factory owners during early industrialization.
    Tech-disruptors like Netflix and Uber are obvious examples of using the digital revolution to disrupt existing industries, which spurred many industries to adopt digital innovation strategies of their own to stay relevant. Most organizations are rethinking their products, customer engagement, and business processes to stay current with a changing market.
  • Cybersecurity: Organizations face a constant threat to revenue and reputation from organized crime, rogue nations, and freelance attackers who all have their eyes on your organization’s technology and data, which is being compounded by an evolving set of insider risks.

Organizations that understand and manage risk without constraining their digital transformation will gain a competitive edge over their industry peers.

Cybersecurity is both old and new

As your organization pulls cybersecurity into your existing risk framework and portfolio, it is critical to keep in mind that:

  • Cybersecurity is still relatively new: Unlike responding to natural disasters or economic downturns with decades of historical data and analysis, cybersecurity is an emerging and rapidly evolving discipline. Our understanding of the risks and how to manage them must evolve with every innovation in technology and every shift in attacker techniques.
  • Cybersecurity is about human conflict: While managing cyber threats may be relatively new, human conflict has been around as long as there have been humans. Much can be learned by adapting existing knowledge on war, crime, economics, psychology, and sociology. Cybersecurity is also tied to the global economic, social, and political environments and can’t be separated from those.
  • Cybersecurity evolves fast (and has no boundaries): Once a technology infrastructure is in place, there are few limits on the velocity of scaling an idea or software into a global presence (whether helpful or malicious), mirroring the history of rail and road infrastructures. While infrastructure enables commerce and productivity, it also enables criminal or malicious elements to leverage the same scale and speed in their actions. These bad actors don’t face the many constraints of legitimate useage, including regulations, legality, or morality in the pursuit of their illicit goals. These low barriers to entry on the internet help to increase the volume, speed, and sophistication of cyberattack techniques soon after they are conceived and proven. This puts us in the position of continuously playing catch up to their latest ideas.
  • Cybersecurity requires asset maintenance: The most important and overlooked aspect of cybersecurity is the need to invest in ‘hygiene’ tasks to ensure consistent application of critically important practices.
    One aspect that surprises many people is that software ‘ages’ differently than other assets and equipment, silently accumulating security issues with time. Like a brittle metal, these silent issues suddenly become massive failures when attackers find them. This makes it critical for proactive business leadership to proactively support ongoing technology maintenance (despite no previous visible signs of failure).

Stay pragmatic

In an interconnected world, a certain amount of playing catch-up is inevitable, but we should minimize the impact and probabilities of business impact events with a proactive stance.

Organizations should build and adapt their risk and resilience strategy, including:

  1. Keeping threats in perspective: Ensuring stakeholders are thinking holistically in the context of business priorities, realistic threat scenarios, and reasonable evaluation of potential impact.
  2. Building trust and relationships: We’ve learned that the most important cybersecurity approach for organizations is to think and act symbiotically—working in unison with a shared vision and goal.
    Like any other critical resource, trust and relationships can be strained in a crisis. It’s critical to invest in building strong and collaborative relationships between security and business stakeholders who have to make difficult decisions in a complex environment with incomplete information that is continuously changing.
  3. Modernizing security to protect business operations wherever they are: This approach is often referred to as Zero Trust and helps security enable the business, particularly digital transformation initiatives (including remote work during COVID-19) versus the traditional role as an inflexible quality function.

One organization, one vision

As organizations become digital, they effectively become technology companies and inherit both the natural advantages (customer engagement, rapid scale) and difficulties (maintenance and patching, cyberattack). We must accept this and learn to manage this risk as a team, sharing the challenges and adapting to the continuous evolution.

In the coming blogs, we will explore these topics from the perspective of business leaders and from cybersecurity leaders, sharing lessons learned on framing, prioritizing, and managing risk to stay resilient against cyberattacks.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 1 appeared first on Microsoft Security.

Advanced protection for web applications in Azure with Radware’s Microsoft Security integration

October 12th, 2020 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA here.

The state of application security

Companies face a wide range of security challenges, such as Open Source Foundation for Application Security Project (OWASP) vulnerabilities, advanced BOT threats and the need to manage BOTs, securing APIs, and protecting against volumetric and non-volumetric DDoS attacks. Advanced threats mean that application security solutions must do much more. Organizations require a synchronized attack-mitigation system that provides advanced application protection against all the above threats, across all platforms and environments at all times; providing comprehensive security and a single view of application security events for quick incident response and a minimum impact on business.

Customers are increasingly requesting, if not requiring, a fully managed service option for security elements. Beyond the obvious complexity of managing the positive and negative security model rules, today’s attacks are dynamic and evolving. Teams managing application security are stressed by the rapid pace of new application development and application changes, all of which require vulnerability assessment and remediation in the form of automated continuous and consistent security policies.

Cloud is disrupting technology and security is the biggest challenge for customers around the world. Radware is embracing this shift by focusing on ‘Strength in Security’ with Microsoft Azure and is focused on helping Microsoft Azure customers secure their workloads and applications. Radware works closely with Microsoft’s engineering teams to create new and innovative solutions in Azure that benefit from Microsoft’s unique cloud capabilities and services like Azure DDoS Protection and Microsoft Azure Sentinel to build a more secure digital infrastructure, enabling customers to overcome security challenges. Radware Security for Azure provides local availability and easy deployment capabilities across any Azure region, enabling organizations to move to Azure with the knowledge that their applications, networks, and data will be secure around the world.

The application threat landscape

Application vulnerabilities are now the fastest-growing cybersecurity threat to organizations, according to a year-over-year comparison of Radware’s annual Global Application & Network Security Report. Applications, and the APIs they leverage, must be protected against an expanding variety of attack methods. In addition, DevOps and Agile development practices mean that applications are in a state of constant flux, and security policies must adapt to keep pace. Web application security solutions must be smarter and address a broad spectrum of vulnerability exploitation scenarios and attack types and vectors. On top of protecting the application from these common vulnerabilities, they have to protect APIs and mitigate denial-of-service (DoS) attacks, manage bot traffic, and make a distinction between legitimate bots and malicious bots.

Web applications are a critical part of most modern businesses, but many organizations continue to overlook web application security, despite escalating threats. According to a recent Gartner report, by 2023, more than 30 percent of public-facing web applications will be protected by cloud web application and API protection services that combine DDoS protection, bot mitigation, API protection, and web application firewalls (WAFs).

Cloud web application and API security and integrated BOT and DDoS protection is the evolution of cloud-delivered WAF services. Comprehensive cloud-delivered managed security services is a more comprehensive runtime protection successor to WAF appliances. It is faster to deploy and easier for organizations to maintain. Customers want to consume security products without managing the underlying infrastructure which is a big benefit that a product like Radware Security for Azure brings to customers in Azure.

Radware Security for Azure is a managed service that provides network and application security protection against small-scale to even the most sophisticated large-scale attacks ensuring applications are protected from malicious DDoS attacks and zero-day web attacks and common vulnerabilities.

By leveraging the global scale of the Microsoft network and integrating with Azure DDoS Protection, Radware Security for Azure provides enhanced Layer 3 – Layer 7 DDoS mitigation capabilities tuned for applications and resources deployed in virtual networks backed by an industry-leading service level agreement (SLA) and 24/7 incident response team.

Six steps on how to neutralize the application threat

Radware provides advanced protection for web applications in Azure with an integrated application and API security service. Radware Security for Azure provides:

Details on security solutions offered by Radware Security for Azure

To learn more about Radware Security for Azure, visit our listing in the Azure Marketplace or visit Radware.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Advanced protection for web applications in Azure with Radware’s Microsoft Security integration appeared first on Microsoft Security.

Trickbot disrupted

October 12th, 2020 No comments

As announced today, Microsoft took action against the Trickbot botnet, disrupting one of the world’s most persistent malware operations. Microsoft worked with telecommunications providers around the world to take down key Trickbot infrastructure. As a result, operators will no longer be able to use this infrastructure to distribute the Trickbot malware or activate deployed payloads like ransomware.

Microsoft actively tracks the threat landscape, monitoring threat actors, their campaigns, specific tactics, and evolution of malware. We share this intelligence with the community and use our research to continuously improve our products. Below, we will detail the evolution of the Trickbot malware, associated tactics, recent campaigns, and dive into the anatomy of a particular attack we observed.

Trickbot was first spotted in 2016 as a banking trojan that was created as a successor to Dyre and designed to steal banking credentials. Over the years, Trickbot’s operators were able to build a massive botnet, and the malware evolved into a modular malware available for malware-as-a-service. The Trickbot infrastructure was made available to cybercriminals who used the botnet as an entry point for human-operated campaigns, including attacks that steal credentials, exfiltrate data, and deploy additional payloads, most notably Ryuk ransomware, in target networks.

Trickbot was typically delivered via email campaigns that used current events or financial lures to entice users to open malicious file attachments or click links to websites hosting the malicious files. Trickbot campaigns usually used Excel or Word documents with malicious macro codes, but other types of attachments have been used. The campaigns were observed in a wide range of verticals and geolocation, with operators frequently reusing previously compromised email accounts from earlier campaigns to distribute emails without narrowing targets.

In addition to phishing emails, Trickbot was also deployed through lateral movement via Server Message Block (SMB) or as a second-stage payload of other malware like Emotet. Once Trickbot was launched, operators utilized it to install reconnaissance tools like PowerShell Empire, Metasploit, and Cobalt Strike. They used these tools to steal credentials and network configuration information, move laterally to high-value assets, or deliver additional malicious payloads.

Threat data from Microsoft 365 Defender, which correlates signals from endpoints, email and data, identities, and cloud apps to deliver comprehensive protection against threats, shows that Trickbot showed up in both large and small enterprises across the globe, helped no doubt by its modular nature and widespread misconception of it being a “commodity” banking trojan.

Anatomy of a Trickbot campaign

Trickbot is one of the most prolific malware operations in the world, churning out multiple campaigns in any given period. In one specific campaign, the Trickbot operators used several disparate compromised email accounts to send out hundreds of malicious emails to both enterprise and consumer accounts. Recipients were from a variety of industry verticals and geolocations and do not appear to have been specifically targeted. This campaign used a shipping and logistics theme, and had the following subject lines:

  • Shipment receipt
  • Delivery finished
  • Urgent receipt comment
  • Essential receipt reminder
  • Required declaration

The emails contained a malicious Excel attachment that, when opened, prompted the user to enable macros. If enabled, the macro wrote a malicious JScript Encoded (JSE) file to the disk, which is then executed via WScript. The JSE script connected to the affected organization’s domain controller and performed several LDAP queries to gather information about Active Directory, including the schema and user lists. The script then exfiltrated the information to attacker-controlled infrastructure. The script used the jscript.encode command to encode both server-side and client-side files in order to obfuscate content and evade detection.

Next, the JSE file performed several reconnaissance queries to obtain information about the device’s network adapter, antivirus products, domain role, and email. Once the exfiltration was completed, a dropped .bat file established a connection with two separate C2 servers: an IP address and a domain hosted on a separate IP address. Trickbot used both these C2 servers to evade network filtering configurations. The .bat file performed reconnaissance commands to find domain administrators on the network. It then dropped and launched the Greenshot screenshot tool and Cobalt Strike beacon on the device.

At this point, the operators had gained control of the affected device, only 8.5 hours after the user opened the malicious email attachment. The operators then started to copy the freeware tool ADFind.exe, which they used for discovery as well as for gathering domain configuration and organization information. They then archived data found during this discovery to a .7z file for later exfiltration.

The attackers ran several commands to obtain information about the domain controller and gather Kerberos tickets, conducted port scanning on SMB port 445, NetBIOS 139, and queried LDAP for multiple server devices. Using the information gathered, attackers pinged several potentially high-value devices. From there, they viewed the contents of specific text and log files, likely gleaned from their reconnaissance. Upon finding a device with an open port 445, they used runas /netonly (logon type 9, which is intentionally used to confuse analysis of logon events) for authentication and interactively executed commands on the device.

Once authenticated, the attackers viewed existing RDP files from prior unrelated sessions for RDP settings and credentials. From there, they dropped a Trickbot executable and stole credentials from the Windows Vault and Credentials Manager, allowing the attackers to evade many well-known security mechanisms that monitor processes accessing Local Security Authority Subsystem Service (LSASS) memory to dump the credentials. They used a .bat file to view multiple shares, ping additional servers, and read several text files. Finally, the attackers exfiltrated all gathered data.

The attackers persisted in the network via a copy of the malicious .jse file in the Startup folder. Using this .jse file, they have the capability to return to this network later and attempt to log on to other, more valuable devices and steal additional information or drop additional payloads. This highlights the importance of comprehensive response to “commodity malware” like Trickbot: the original banking trojan infection may be triaged and remediated, but without a full understanding of Trickbot as an entry vector to human adversaries, the real threat remains in the network.

Modular, multi-stage malware

Trickbot is a multi-stage malware typically composed of a wrapper, a loader, and a main malware module. The wrapper, which uses multiple templates that constantly change, is designed to evade detection by producing unique samples, even if the main malware code remains the same.

When the wrapper process runs, it runs the loader fully in its memory. The loader has a highly modular design. It decrypts each function at runtime before running it, and then encrypts it back. Likewise, all human-readable strings are decrypted and all APIs are resolved at runtime. In some scenarios, Trickbot uses UAC bypasses to elevate the privileges of its processes. On 64-bit systems, Trickbot uses the “Heaven’s Gate” technique to switch 32-bit code to 64-bit, and has an additional stage where a 64-bit loader injects the main module into the suspended process.

The loader runs the main malware module directly in memory. After creating scheduled tasks for persistence, the main malware module decrypts a configuration file, which contains the information it needs for its next steps:

  • Establish HTTPS communication with command and control (C2) server
  • Download modules from the C2 server
  • Monitor the status of the downloaded modules
  • Synchronize communication between the main module and the downloaded modules

The modules are likewise run in memory via injection into the suspended process. Over the years, Trickbot has used a wide range of modules for various malicious activities. These include the following:

 

Modules Purpose
pwgrab Gathers credentials, autofill data, history and so on from browsers
networkDll Gathers network and system information
importDll Gathers browser data
injectDll Main banker module; uses static and dynamic web browser injection and data theft
tabDll Propagates Trickbot via EternalRomance Exploit
Propagates Trickbot via SMB EternalBlue Exploit
shareDll Propagates Trickbot via Windows network shares
vncDll, BCTestDll Remote control/Virtual Network Computing module; provides backdoor for further module downloads
rdpscanDll Launches brute force attacks against selected Windows systems running Remote Desktop Protocol (RDP) connection exposed to the Internet
Systeminfo Gathers system information
mailsearcher Searches all files on disk and compares their extensions to a predefined list to harvest emails addresses
outlookDll Gather Outlook credentials
psfin Gathers point of sale (POS) software credentials
squlDll Gathers email addresses stored in SQL servers
aDll Runs various commands on a Windows domain controller to steal Active Directory credentials

Trickbot sends information like domain names and IP ranges of compromised networks back to operators, who then select some of these networks for additional exploitation and reconnaissance activities. On selected networks, Trickbot operators installed additional tools like Cobalt Strike, and switch to a hands-on-keyboard attacks. Once the operators gain foothold on a network, they used tools like Mimikatz and LaZagne to steal additional credentials and tools like BloodHound and ADFind to perform reconnaissance actions. Apart from using the stolen credentials and collected data to further the attack, operators also exfiltrated data. They then leave multiple persistence points on the network to enable the eventual delivery of other payloads like Ryuk ransomware.

While much has been made of the Trickbot’s supposed antivirus evasion capabilities, it’s a simple PowerShell command being run to turn off Microsoft Defender Antivirus, but it can perform this action only if the user has administrative rights.

Recent prominent Trickbot campaigns

In June 2020, we tracked multiple Trickbot campaigns. As is typical with Trickbot, some of the email campaigns took advantage of current events as lures to entice users to click on malicious attachments. These lures include Black Lives Matter and COVID-19. Earlier in the year, we reported that Trickbot was the most prolific malware operation using COVID-19-themed lures. Many other simultaneous campaigns used more generic lures, such as shipping and logistics, invoicing and payments, customer complaints, and various financial lures.

The email body was often simple but maintained consistency with the lure used in the subject line. The emails used a wide range of attachment types, including:

  • Word macro attachments
  • Excel VBA macro attachments
  • Excel 4.0 macro attachments
  • Java Network Launch Protocol (.jnlp) attachments

Some campaigns do away with the attachments and instead use malicious links to websites that host malicious files.

The sender infrastructure for all these emails varied as well. In most campaigns, operators used compromised legitimate email accounts and compromised marketing platforms to distribute the malicious emails. However, in one instance, the operators registered several domains using less popular top-level domains (TLDs) such as “.monster” and “.us” to create their own mail server and send malicious emails from attacker-defined email addresses. At least one of these campaigns used attacker-owned email sender infrastructure that was later used to deliver Dridex malware in a separate campaign. The Dridex malware is known to be associated with the CHIMBORAZO (also known as TA505) crime group. Additionally, CHIMBORAZO ran simultaneous campaigns that delivered Trickbot.

The following graphic illustrates the various campaigns, tactics, and techniques used by the operators. The complexity of these simultaneous campaigns and techniques indicates that this is a coordinated and professional effort conducted by a sophisticated activity group.

Extended detection and response for the full range of threats

The action against Trickbot is one of the ways in which Microsoft provide real-world protection against threats. This action will result in protection for a wide range of organizations, including financial services institutions, government, healthcare, and other verticals from malware and human-operated campaigns delivered via the Trickbot infrastructure.

In the recently released Microsoft Digital Defense Report, we called out that cybercriminals of all skill sets take advantage of the perception that commodity threats are less impactful to businesses. Trickbot is proof that this assumption is obsolete, and organizations need to treat and address Trickbot and other malware infections as the broadly damaging threats that they are.

To help protect customers from the full range of threats, from common malware to highly modular, multi-stage threats like Trickbot, as well as nation-state level attacks, Microsoft 365 Defender delivers coordinated protection for identities, endpoints, cloud apps, email and documents. Microsoft Defender for Office 365 detects malicious attachments and links in email campaigns. Microsoft Defender for Endpoint detects and blocks the Trickbot malware and all related components, as well as malicious activities on endpoints. Microsoft Defender for Identity identifies and detects suspicious user activities and compromised identities.

This breadth of cross-domain visibility allows Microsoft 365 Defender to correlate signals and comprehensively detect and resolve attack chains. Security operations teams can then use the rich set of tools in Microsoft 365 Defender to further hunt for threats and gain insights for hardening networks from compromise.

 

 

Microsoft 365 Defender Threat Intelligence Team

Microsoft 365 Defender Research Team

Digital Crimes Unit (DCU)

Detection and Response Team (DART)

 

The post Trickbot disrupted appeared first on Microsoft Security.

Security baseline for Microsoft Edge version 86

October 9th, 2020 No comments

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge, version 86!


 


We have reviewed the new settings in Microsoft Edge version 86 and determined that there are no additional security settings that require enforcement. The settings from the Microsoft Edge version 85 package continue to be our recommended baseline. That baseline package can be downloaded from the Microsoft Security Compliance Toolkit.


 


Microsoft Edge version 86 introduced 32 new computer settings and 28 new user settings. We have attached a spreadsheet listing the new settings to make it easier for you to find them.


 


As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.


 


Please continue to give us feedback through the Security Baselines Discussion site or this post.

Categories: Uncategorized Tags:

Sophisticated new Android malware marks the latest evolution of mobile ransomware

October 8th, 2020 No comments

Attackers are persistent and motivated to continuously evolve – and no platform is immune. That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows. The addition of mobile threat defense into these capabilities means that Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection) now delivers protection on all major platforms.

Microsoft’s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their networks, as well as provide more tools to detect and respond to threats across domains and across platforms. Like all of Microsoft’s security solutions, these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats.

For example, we found a piece of a particularly sophisticated Android ransomware with novel techniques and behavior, exemplifying the rapid evolution of mobile threats that we have also observed on other platforms. The mobile ransomware is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop. This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games, or video players. The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions.

As with most Android ransomware, this new threat doesn’t actually block access to files by encrypting them. Instead, it blocks access to devices by displaying a screen that appears over every other window, such that the user can’t do anything else. The said screen is the ransom note, which contains threats and instructions to pay the ransom.

Screenshot of mobile ransom note in Russian language

Figure 1. Sample ransom note used by older ransomware variants

What’s innovative about this ransomware is how it displays its ransom note. In this blog, we’ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven’t seen leveraged by malware before, as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note.

New scheme, same goal

In the past, Android ransomware used a special permission called “SYSTEM_ALERT_WINDOW” to display their ransom note. Apps that have this permission can draw a window that belongs to the system group and can’t be dismissed. No matter what button is pressed, the window stays on top of all other windows. The notification was intended to be used for system alerts or errors, but Android threats misused it to force the attacker-controlled UI to fully occupy the screen, blocking access to the device. Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device.

To catch these threats, security solutions used heuristics that focused on detecting this behavior. Google later implemented platform-level changes that practically eliminated this attack surface. These changes include:

  1. Removing the SYSTEM_ALERT_WINDOW error and alert window types, and introducing a few other types as replacement
  2. Elevating the permission status of SYSTEM_ALERT_WINDOW to special permission by putting it into the “above dangerous” category, which means that users have to go through many screens to approve apps that ask for permission, instead of just one click
  3. Introducing an overlay kill switch on Android 8.0 and later that users can activate anytime to deactivate a system alert window

To adapt, Android malware evolved to misusing other features, but these aren’t as effective. For example, some strains of ransomware abuse accessibility features, a method that could easily alarm users because accessibility is a special permission that requires users to go through several screens and accept a warning that the app will be able to monitor activity via accessibility services. Other ransomware families use infinite loops of drawing non-system windows, but in between drawing and redrawing, it’s possible for users to go to settings and uninstall the offending app.

The new Android ransomware variant overcomes these barriers by evolving further than any Android malware we’ve seen before. To surface its ransom note, it uses a series of techniques that take advantage of the following components on Android:

  1. The “call” notification, among several categories of notifications that Android supports, which requires immediate user attention.
  2. The “onUserLeaveHint()” callback method of the Android Activity (i.e., the typical GUI screen the user sees) is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice, for example, when the user presses the Home key.

The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback.

Screenshot of malware code

Figure 2. The notification with full intent and set as “call’ category

As the code snippet shows, the malware creates a notification builder and then does the following:

  1. setCategory(“call”) – This means that the notification is built as a very important notification that needs special privilege.
  2. setFullScreenIntent() – This API wires the notification to a GUI so that it pops up when the user taps on it. At this stage, half the job is done for the malware. However, the malware wouldn’t want to depend on user interaction to trigger the ransomware screen, so, it adds another functionality of Android callback:

Figure 3. The malware overriding onUserLeaveHint

As the code snippet shows, the malware overrides the onUserLeaveHint() callback function of Activity class. The function onUserLeaveHint() is called whenever the malware screen is pushed to background, causing the in-call Activity to be automatically brought to the foreground. Recall that the malware hooked the RansomActivity intent with the notification that was created as a “call” type notification. This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as system window.

Machine learning module indicates continuous evolution

As mentioned, this ransomware is the latest variant of a malware family that has undergone several stages of evolution. The knowledge graph below shows the various techniques this ransomware family has been seen using, including abusing the system alert window, abusing accessibility features, and, more recently, abusing notification services.

Knowledge graph showing techniques used by the Android rasomware family

Figure 4. Knowledge graph of techniques used by ransomware family

This ransomware family’s long history tells us that its evolution is far from over. We expect it to churn out new variants with even more sophisticated techniques. In fact, recent variants contain code forked from an open-source machine learning module used by developers to automatically resize and crop images based on screen size, a valuable function given the variety of Android devices.

The frozen TinyML model is useful for making sure images fit the screen without distortion. In the case of this ransomware, using the model would ensure that its ransom note—typically fake police notice or explicit images supposedly found on the device—would appear less contrived and more believable, increasing the chances of the user paying for the ransom.

The library that uses tinyML is not yet wired to the malware’s functionalities, but its presence in the malware code indicates the intention to do so in future variants. We will continue to monitor this ransomware family to ensure customers are protected and to share our findings and insights to the community for broad protection against these evolving mobile threats.

Protecting organizations from threats across domains and platforms

Mobile threats continue to rapidly evolve, with attackers continuously attempting to sidestep technological barriers and creatively find ways to accomplish their goal, whether financial gain or finding an entry point to broader network compromise.

This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow. It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals.

Microsoft Defender for Endpoint on Android, now generally available, extends Microsoft’s industry-leading endpoint protection to Android. It detects this ransomware (AndroidOS/MalLocker.B), as well as other malicious apps and malicious apps and files using cloud-based protection powered by deep learning and heuristics, in addition to content-based detection. It also protects users and organizations from other mobile threats, such as mobile phishing, unsafe network connections, and unauthorized access to sensitive data. Learn more about our mobile threat defense capabilities in Microsoft Defender for Endpoint on Android.

Malware, phishing, and other threats detected by Microsoft Defender for Endpoint are reported to the Microsoft Defender Security Center, allowing SecOps to investigate mobile threats along with endpoint signals from Windows and other platforms using Microsoft Defender for Endpoint’s rich set of tools for detection, investigation, and response.

Threat data from endpoints are combined with signals from email and data, identities, and apps in Microsoft 365 Defender (previously Microsoft Threat Protection), which orchestrates detection, prevention, investigation, and response across domains, providing coordinated defense. Microsoft Defender for Endpoint on Android further enriches organizations’ visibility into malicious activity, empowering them to comprehensively prevent, detect, and respond to against attack sprawl and cross-domain incidents.

Technical analysis

Obfuscation

On top of recreating ransomware behavior in ways we haven’t seen before, the Android malware variant uses a new obfuscation technique unique to the Android platform. One of the tell-tale signs of an obfuscated malware is the absence of code that defines the classes declared in the manifest file.

Malware code showing manifest file

Figure 5. Manifest file

The classes.dex has implementation for only two classes:

  1. The main application class gCHotRrgEruDv, which is involved when the application opens
  2. A helper class that has definition for custom encryption and decryption

This means that there’s no code corresponding to the services declared in the manifest file: Main Activity, Broadcast Receivers, and Background. How does the malware work without code for these key components? As is characteristic for obfuscated threats, the malware has encrypted binary code stored in the Assets folder:

Screenshot of Assets folder with encrypted executable code

Figure 6. Encrypted executable code in Assets folder

When the malware runs for the first time, the static block of the main class is run. The code is heavily obfuscated and made unreadable through name mangling and use of meaningless variable names:

Figure 7. Static block

Decryption with a twist

The malware uses an interesting decryption routine: the string values passed to the decryption function do not correspond to the decrypted value, they correspond to junk code to simply hinder analysis.

On Android, an Intent is a software mechanism that allows users to coordinate the functions of different Activities to achieve a task. It’s a messaging object that can be used to request an action from another app component.

The Intent object carries a string value as “action” parameter. The malware creates an Intent inside the decryption function using the string value passed as the name for the Intent. It then decrypts a hardcoded encrypted value and sets the “action” parameter of the Intent using the setAction API. Once this Intent object is generated with the action value pointing to the decrypted content, the decryption function returns the Intent object to the callee. The callee then invokes the getAction method to get the decrypted content.

Figure 8. Decryption function using the Intent object to pass the decrypted value

Payload deployment

Once the static block execution is complete, the Android Lifecycle callback transfers the control to the OnCreate method of the main class.

Malware code showing onCreate method

Figure 9. onCreate method of the main class decrypting the payload

Next, the malware-defined function decryptAssetToDex (a meaningful name we assigned during analysis) receives the string “CuffGmrQRT” as the first argument, which is the name of the encrypted file stored in the Assets folder.

Malware code showing decryption of assets

Figure 10. Decrypting the assets

After being decrypted, the asset turns into the .dex file. This is a notable behavior that is characteristic of this ransomware family.

Comparison of code of Asset file before and after decryption

Figure 11. Asset file before and after decryption

Once the encrypted executable is decrypted and dropped in the storage, the malware has the definitions for all the components it declared in the manifest file. It then starts the final detonator function to load the dropped .dex file into memory and triggers the main payload.

Malware code showing loading of decrypted dex file

Figure 12. Loading the decrypted .dex file into memory and triggering the main payload

Main payload

When the main payload is loaded into memory, the initial detonator hands over the control to the main payload by invoking the method XoqF (which we renamed to triggerInfection during analysis) from the gvmthHtyN class (renamed to PayloadEntry).

Malware code showing handover from initial module to main payload

Figure 13. Handover from initial module to the main payload

As mentioned, the initial handover component called triggerInfection with an instance of appObj and a method that returns the value for the variable config.

Malware code showing definition of populateConfigMap

Figure 14. Definition of populateConfigMap, which loads the map with values

Correlating the last two steps, one can observe that the malware payload receives the configuration for the following properties:

  1. number – The default number to be send to the server (in case the number is not available from the device)
  2. api – The API key
  3. url – The URL to be used in WebView to display on the ransom note

The malware saves this configuration to the shared preferences of the app data and then it sets up all the Broadcast Receivers. This action registers code components to get notified when certain system events happen. This is done in the function initComponents.

Malware code showing initializing broadcast receiver

Figure 15. Initializing the BroadcastReceiver against system events

From this point on, the malware execution is driven by callback functions that are triggered on system events like connectivity change, unlocking the phone, elapsed time interval, and others.

 

Dinesh Venkatesan

Microsoft Defender Research

 

The post Sophisticated new Android malware marks the latest evolution of mobile ransomware appeared first on Microsoft Security.

Best practices for defending Azure Virtual Machines

October 7th, 2020 No comments

One of the things that our Detection and Response Team (DART) and Customer Service and Support (CSS) security teams see frequently during investigation of customer incidents are attacks on virtual machines from the internet.

This is one area in the cloud security shared responsibility model where customer tenants are responsible for security. Security is a shared responsibility between Microsoft and the customer and as soon as you put just one virtual machine on Azure or any cloud you need to ensure you apply the right security controls.

The diagram below illustrates the layers of security responsibilities:

Image of the shared responsibility model showing customer, service, and cloud responsibilities

Fortunately, with Azure, we have a set of best practices that are designed to help protect your workloads including virtual machines to keep them safe from constantly evolving threats. This blog will share the most important security best practices to help protect your virtual machines.

The areas of the shared responsibility model we will touch on in this blog are as follows:

  • Tools
  • Identity and directory infrastructure
  • Applications
  • Network Controls
  • Operating System

We will refer to the Azure Security Top 10 best practices as applicable for each:

Best practices

1. Use Azure Secure Score in Azure Security Center as your guide

Secure Score within Azure Security Center is a numeric view of your security posture. If it is at 100 percent, you are following best practices. Otherwise, work on the highest priority items to improve the current security posture. Many of the recommendations below are included in Azure Secure Score.

2. Isolate management ports on virtual machines from the Internet and open them only when required

The Remote Desktop Protocol (RDP) is a remote access solution that is very popular with Windows administrators. Because of its popularity, it’s a very attractive target for threat actors. Do not be fooled into thinking that changing the default port for RDP serves any real purpose. Attackers are always scanning the entire range of ports, and it is trivial to figure out that you changed from 3389 to 4389, for example.

If you are already allowing RDP access to your Azure VMs from the internet, you should check the configuration of your Network Security Groups. Find any rule that is publishing RDP and look to see if the Source IP Address is a wildcard (*). If that is the case, you should be concerned, and it’s quite possible that the VM could be under brute force attack right now.

It is relatively easy to determine if your VMs are under a brute force attack, and there are at least two methods we will discuss below:

  • Azure Defender (formerly Azure Security Center Standard) will alert you if your VM is under a brute force attack.
  • If you are not using Security Center Standard tier open the Windows Event Viewer and find the Windows Security Event Log. Filter for Event ID 4625 (an account failed to log on). If you see many such events occurring in quick succession (seconds or minutes apart), then it means you are under brute force attack.

Other commonly attacked ports would include: SSH (22), FTP (21), Telnet (23), HTTP (80), HTTPS (443), SQL (1433), LDAP 389. This is just a partial list of commonly published ports. You should always be cautious about allowing inbound network traffic from unlimited source IP address ranges unless it is necessary for the business needs of that machine.

A couple of methods for managing inbound access to Azure VMs:

Just-in-time will allow you to reduce your attack service while also allowing legitimate users to access virtual machines when necessary.

Network security groups contain rules that allow or deny traffic inbound to, or outbound traffic from several types of Azure resources including VMs. There are limits to the number of rules and they can become difficult to manage if many users from various network locations need to access your VMs.

For more information, see this top Azure Security Best Practice:

3. Use complexity for passwords and user account names

If you are required to allow inbound traffic to your VMs for business reasons, this next area is of critical importance. Do you have complete confidence that any user account that would be allowed to access this machine is using a complex username/password combination? What if this VM is also domain joined? It’s one thing to worry about local accounts, but now you must worry about any account in the domain that would have the right to log on to that Virtual Machine.

For more information, see this top Azure Security Best Practice:

4. Keep the operating system patched

Vulnerabilities of the operating system are particularly worrisome when they are also combined with a port and service that is more likely to be published. A good example is the recent vulnerabilities affecting the Remote Desktop Protocol called “BlueKeep.” A consistent patch management strategy will go a long way towards improving your overall security posture.

5. Keep third-party applications current and patched

Applications are another often overlooked area, especially third-party applications installed on your Azure VMs. Whenever possible use the most current version available and patch for any known vulnerabilities. An example is an IIS Server using a third-party Content Management Systems (CMS) application with known vulnerabilities. A quick search of the Internet for CMS vulnerabilities will reveal many that are exploitable.

For more information, see this top Azure Security Best Practice:

6. Actively monitor for threats

Utilize the Azure Security Center Standard tier to ensure you are actively monitoring for threats. Security Center uses machine learning to analyze signals across Microsoft systems and services to alert you to threats to your environment. One such example is remote desktop protocol (RDP) brute-force attacks.

For more information, see this top Azure Security Best Practice:

7. Azure Backup Service

In addition to turning on security, it’s always a good idea to have a backup. Mistakes happen and unless you tell Azure to backup your virtual machine there isn’t an automatic backup. Fortunately, it’s just a few clicks to turn on.

Next steps

Equipped with the knowledge contained in this article, we believe you will be less likely to experience a compromised VM in Azure. Security is most effective when you use a layered (defense in depth) approach and do not rely on one method to completely protect your environment. Azure has many different solutions available that can help you apply this layered approach.

If you found this information helpful, please drop us a note at csssecblog@microsoft.com.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Best practices for defending Azure Virtual Machines appeared first on Microsoft Security.

Why we invite security researchers to hack Azure Sphere

October 6th, 2020 No comments

Fighting the security battle so our customers don’t have to

IoT devices are becoming more prevalent in almost every aspect of our lives—we will rely on them in our homes, our businesses, as well as our infrastructure. In February, Microsoft announced the general availability of Azure Sphere, an integrated security solution for IoT devices and equipment. General availability means that we are ready to provide OEMs and organizations with quick and cost-effective device security at scale. However, securing those devices does not stop once we put them into the hands of our customers. It is only the start of a continual battle between the attackers and the defenders.

Building a solution that customers can trust requires investments before and after deployment by complementing up-front technical measures with ongoing practices to find and mitigate risks. In April, we highlighted Azure Sphere’s approach to risk management and why securing IoT is not a one-and-done. Products improve over time, but so do hackers, as well as their skills and tools. New security threats continue to evolve, and hackers invent new ways to attack devices. So, what does it take to stay ahead?

As a Microsoft security product team, we believe in finding and fixing vulnerabilities before the bad guys do. While Azure Sphere continuously invests in code improvements, fuzzing, and other processes of quality control, it often requires the creative mindset of an attacker to expose a potential weakness that otherwise might be missed. Better than trying to think like a hacker is working with them. This is why we operate an ongoing program of red team exercises with security researchers and the hacker community: to benefit from their unique expertise and skill set. That includes being able to test our security promise not just against yesterday’s and today’s, but against even tomorrow’s attacks on IoT devices before they become known more broadly. Our recent Azure Sphere Security Research Challenge, which concluded on August 31, is a reflection of this commitment.

Partnering with MSRC to design a unique challenge

Our goal with the three-month Azure Sphere Security Research Challenge was twofold: to drive new high-impact security research, and to validate Azure Sphere’s security promise against the best challengers in their field. To do so, we partnered with the Microsoft Security Response Center (MSRC) and invited some of the world’s best researchers and security vendors to try to break our device by using the same kinds of attacks as any malicious actor might. To make sure participants had everything they needed to be successful, we provided each researcher with a dev kit, a direct line to our OS Security Engineering Team, access to weekly office hours, and email support in addition to our publicly available operating system kernel source code.

Our goal was to focus the research on the highest impact on customer security, which is why we provided six research scenarios with additional rewards of up to 20 percent on top of the Azure Bounty (up to $40,000), as well as $100,000 for two high-priority scenarios proving the ability to execute code in Microsoft Pluton or in Secure World. We received more than 3,500 applications, which is a testament to the strong interest of the research community in securing IoT. More information on the design of the challenge and our collaboration with MSRC can be found here on their blog post.

Researchers identify high impact vulnerabilities before hackers

The quality of submissions from participants in the challenge far exceeded our expectations. Several participants helped us find multiple potentially high impact vulnerabilities in Azure Sphere. The quality is a testament to the expertise, determination, and the diligence of the participants. Over the course of the challenge, we received a total of 40 submissions, of which 30 led to improvements in our product. Sixteen were bounty-eligible; adding up to a total of $374,300 in bounties awarded. The other 10 submissions identified known areas where potential risk is specifically mitigated in another part of the system—something often referred to in the field as “by design.” The high ratio of valid submissions to total submissions speaks to the extremely high quality of the research demonstrated by the participants.

Graph showing the submission breakdown and the total amount of money eligible to be received through the bounty system.

Jewell Seay, Azure Sphere Operating System Platform Security Lead, has shared detailed information of many of the cases in three recent blog posts describing the security improvements delivered in our 20.07, 20.08, and 20.09 releases. Cisco Talos and McAfee Advanced Threat Research (ATR), in particular, found several important vulnerabilities, and one particular attack chain is highlighted in Jewell’s 20.07 blog.

While the described attack required physical access to a device and could not be executed remotely, it exposed potential weaknesses spanning both cloud and device components of our product. The attack included a potential zero-day exploit in the Linux kernel to escape root privileges. The vulnerability was reported to the Linux kernel security team, leading to a fix for the larger open source community which was shared with the Linux community. If you would like to learn more and get an inside view of the challenge from one of our research partners, we highly recommend McAfee ATR’s blog post.

What it takes to provide renewable and improving security

With Azure Sphere, we provide our customers with a robust defense based on the Seven Properties of Highly Secured Devices. One of the properties, renewable security, ensures that a device can update to a more secure state—even if it has been compromised. While this is essential, it is not sufficient on its own. An organization must be equipped with the resources, people, and processes that allow for a quick resolution before vulnerabilities impact customers. Azure Sphere customers know that they have the strong commitment of our Azure Sphere Engineering team—that our team is searching for and addressing potential vulnerabilities, even from the most recently invented attack techniques.

We take this commitment to heart, as evidenced by all the fixes that went into our 20.07, 20.08, and 20.09 releases. In less than 30 days of McAfee reporting the attack chain to us, we shipped a fix to all of our customers, without the need for them to take any action due to how Azure Sphere manages updates. Although we received a high number of submissions throughout multiple release cycles, we prioritized analyzing every single report as soon as we received it. The success of our challenge should not just be measured by the number and quality of the reports, but also by how quickly reported vulnerabilities were fixed in the product. When it came to fixing the found vulnerabilities, there was no distinction made between the ones that were proven to be exploited or the ones that were only theoretical. Attackers get creative, and hope is not part of our risk assessment or our commitment to our customers.

Our engagement with the security research community

On behalf of the entire team and our customers, we would like to thank all participants for their help in making Azure Sphere more secure! We were genuinely impressed by the quality and number of high impact vulnerabilities that they found. In addition, we would also like to thank the MSRC team for partnering with us on this challenge.

Our goal is to continue to engage with this community on behalf of our customers going forward, and we will continue to review every potential vulnerability report for Azure Sphere for eligibility under the Azure Bounty Program awards.

Our team learned a lot throughout this challenge, and we will explore and announce additional opportunities to collaborate with the security research community in the future. Protecting our platform and the devices our customers build and deploy on it is a key priority for us. Working with the best security researchers in the field, we will continue to invest in finding potential vulnerabilities before the bad guys do—so you don’t have to!

If you are interested in learning more about how Azure Sphere can help you securely unlock your next IoT innovation:

The post Why we invite security researchers to hack Azure Sphere appeared first on Microsoft Security.