Archive

Archive for the ‘Security Intelligence’ Category

Latest Astaroth living-off-the-land attacks are even more invisible but not less observable

March 23rd, 2020 No comments

Following a short hiatus, Astaroth came back to life in early February sporting significant changes in its attack chain. Astaroth is an info-stealing malware that employs multiple fileless techniques and abuses various legitimate processes to attempt running undetected on compromised machines. The updated attack chain, which we started seeing in late 2019, maintains Astaroth’s complex, multi-component nature and continues its pattern of detection evasion.

Figure 1. Microsoft Defender ATP data showing revival of Astaroth campaigns

Heat map showing Astaroth encounters, with Brazil accounting for majority of encounters

Figure 2. Geographic distribution of Astaroth campaigns this year, with majority of encounters recorded in Brazil

When we first blogged about Astaroth’s methods, we noted how it completely lived off the land to avoid detection: only system tools that are already existing on the machine are ever executed. In fact, it was an unusual spike in activities related to Windows Management Instrumentation Command-line (WMIC) that prompted our investigation and eventually exposed the Astaroth campaign.

Astaroth now completely avoids the use of WMIC and related techniques to bypass existing detections. Instead, the attackers introduced new techniques that make the attack chain even stealthier:

  • Abusing Alternate Data Streams (ADS) to hide malicious payloads
  • Abusing the legitimate process ExtExport.exe, a highly uncommon attack vector, to load the payload

Astaroth exemplifies how living-off-the-land techniques have become standard components of today’s attacks intent on evading security solutions. However, as we mentioned in our previous blog on Astaroth, fileless threats are very much observable. These threats still leave a great deal of memory footprint that can be inspected and blocked as they happen. Next-generation protection and behavioral containment and blocking capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) lead the charge in exposing threats like Astaroth.

In this blog, we’ll share our technical analysis of the revamped Astaroth attack chain and demonstrate how specific Microsoft technologies tackle the multiple advanced components of the attack.

Dismantling the new Astaroth attack chain

The attackers were careful to ensure the updates didn’t make Astaroth easier to detect; on the contrary, the updates only make Astaroth’s activities even more invisible.

One of the most significant updates is the use of Alternate Data Stream (ADS), which Astaroth abuses at several stages to perform various activities. ADS is a file attribute that allows a user to attach data to an existing file. The stream data and its size are not visible in File Explorer, so attacks abuse this feature to hide malicious code in plain sight.

Astaroth 2020 attack chain

Figure 2. Astaroth attack chain 2020

In the case of Astaroth, attackers hide binary data inside the ADS of the file desktop.ini, without changing the file size. By doing this, the attackers create a haven for the payloads, which are read and decrypted on the fly.

Screenshot comparing contents of desktop.ini before and after infection

Figure 3. Desktop.ini before and after infection

The complex attack chain, which involves the use of multiple living-off-the-land binaries (LOLBins), results in the eventual loading of the Astaroth malware directly in memory. When running, Astaroth decrypts plugins that allow it to steal sensitive information, like email passwords and browser passwords.

In the succeeding sections, we describe each step of Astaroth’s attack chain in detail.

Arrival

The attack begins with an email with a message in Portuguese that translates to: “Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes”. The email contains a link that points to URL hosting an archive file, Arquivo_PDF_<date>.zip, which contains a LNK file with a similarly misleading name. When clicked, the LNK file runs an obfuscated BAT command line.

Email used in Astaroth campaign

Figure 4. Sample email used in latest Astaroth attacks

The BAT command drops a single-line JavaScript file to the Pictures folder and invokes explorer.exe to run the JavaScript file.

Malware code showing GetObject technique

The dropped one-liner script uses the GetObject technique to fetch and run the much larger main JavaScript directly in memory:

Malware code showing BITSAdmin abuse

BITSAdmin abuse

The main script then invokes multiple instances of BITSAdmin using a benign looking command-line to download multiple binary blobs from a command-and-control (C2) server:

Malware code showing downloaded content showing ADS

The downloaded payloads are encrypted and have the following file names:

  • masihaddajjaldwwn.gif
  • masihaddajjalc.jpg
  • masihaddajjala.jpg
  • masihaddajjalb.jpg
  • masihaddajjaldx.gif
  • masihaddajjalg.gif
  • masihaddajjalgx.gif
  • masihaddajjali.gif
  • masihaddajjalxa.~
  • masihaddajjalxb.~
  • masihaddajjalxc.~
  • masihaddajjal64w.dll
  • masihaddajjal64q.dll
  • masihaddajjal64e.dll

Alternate Data Streams abuse

As mentioned, the new Astaroth attacks use a clever technique of copying downloaded data to the ADS of desktop.ini. For each download, the content is copied to the ADS, and then the original content is deleted. These steps are repeated for all downloaded payloads.

Malware code showing abuse of ADS to run script to find security products

Another way that Astaroth abuses ADS is when it runs a script to find installed security products. A malicious script responsible for enumerating security products is dropped and then copied as an ADS to an empty text file. The execution command-line looks like this:

ExtExport.exe abuse

The main script combines three separately downloaded binary blobs to form the first-stage malware code:

Malware code showing three blobs forming first-stage malware code

The script then uses a LOLBin not previously seen in Astaroth attacks to load the first-stage malware code: ExtExport.exe, which is a legitimate utility shipped as part of Internet Explorer. Attackers can load any DLL by passing an attacker-controlled path to the tool. The tool searches for any DLL with the following file names: mozcrt19.dll, mozsqlite3.dll, or sqlite3.dll. Attackers need only to rename the malicious payload to one of these names, and it is loaded by ExtExport.exe.

Malware code showing ExtExport.exe abuse

Userinit.exe abuse

The newly loaded DLL (mozcrt19.dll, mozsqlite3.dll, or sqlite3.dll) is a proxy that reads three binary ADS streams (desktop.ini:masihaddajjalxa.~, desktop.ini:masihaddajjalxb.~, and desktop.ini:masihaddajjalxc.~) and combines these into a DLL. The newly formed DLL is the second-stage malware code and is loaded in the same process using the reflective DLL loading technique.

The newly loaded DLL is also a proxy that reads and decrypts another ADS stream (desktop.ini:masihaddajjalgx.gif) into a DLL. This DLL is injected into userinit.exe using the process hollowing technique.

The newly loaded DLL inside userinit.exe is again a proxy that reads and decrypts another ADS stream (desktop.ini:masihaddajjalg.gif) into a DLL. This DLL is the malicious info-stealer known as Astaroth and is reflectively loaded inside userinit.exe. Hence, Astaroth never touches the disk and is loaded directly in memory, making it very evasive.

Astaroth payload

When running, the Astaroth payload then reads and decrypts more components from the ADS stream of desktop.ini (desktop.ini:masihaddajjaldwwn.gif, desktop.ini:masihaddajjalc.jpg, desktop.ini:masihaddajjala.jpg, desktop.ini:masihaddajjalb.jpg, and desktop.ini:masihaddajjali.gif).

Some of these components are credential-stealing plugins hidden inside the ADS stream of desktop.ini. Astaroth abuses these plugins to steal information from compromised systems:

  • NirSoft’s MailPassView – an email client password recovery tool
  • NirSoft’s WebBrowserPassView – a web browser password recovery tool

As mentioned, Astaroth also finds installed security products. It then attempts to disable these security products. For Microsoft Defender Antivirus customers, tamper protection prevents such malicious and unauthorized changes to security settings.

Comprehensive, dynamic protection against living-off-the-land, fileless, and other sophisticated threats with Microsoft Threat Protection

Attackers are increasingly turning to living-off-the-land techniques to attempt running undetected for as long as possible on systems. Because these attacks use multiple executables that are native to the system and have legitimate uses, they require a comprehensive, behavior-based approach to detection.

Microsoft Threat Protection combines and orchestrates into a single solution the capabilities of multiple Microsoft security services to coordinate protection, detection, response, and prevention across endpoints, email, identities, and apps.

In the case of Astaroth, Office 365 ATP detects the malware delivery via email. Using detonation-based heuristics and machine learning, Office 365 ATP inspects links and attachments to identify malicious artifacts.

On endpoints, next-generation protection capabilities in Microsoft Defender ATP detect and prevent some components of Astaroth’s new attack chain. Notably, through Antimalware Scan Interface (AMSI), Microsoft Defender ATP can inspect the encrypted malicious scripts used in the initial stages of the attack.

For the more sophisticated sections of the attack chain, behavioral blocking and containment capabilities provide dynamic protection that can stop malicious behaviors and process trees. Behavior-based protections are key to exposing living-off-the-land threats that abuse and hide behind legitimate processes. These protections identify suspicious behavior sequences and advanced attack techniques observed on the client, which are used as triggers to analyze the process tree using real-time machine learning models in the cloud.

Diagram showing preventive and behavior-based blocking & containment solutions against Astaroth

Figure 5. Preventive and behavior-based blocking & containment protections against Astaroth

These behavior-based detections raise alerts in Microsoft Defender Security Center. With behavioral blocking and containment, not only are evasive threats exposed, detected, and stopped; security operations personnel are also notified so they can thoroughly investigate and remediate the root cause.

Figure 6. Sample Microsoft Defender ATP alerts on behavior-based detections of Astaroth’s activities

Microsoft Defender ATP’s EDR capabilities also have very strong coverage of advanced techniques employed by Astaroth, including cross-process migration, code injection, and use of LOLBins.

Figure 7. Sample Microsoft Defender ATP EDR alert and process tree on Astaroth’s behaviors

We expect Astaroth to further develop and increase in complexity, as long-running malware campaigns do. We will continue to watch this evolving threat and ensure that customers are protected from future updates through durable behavior-based protections.

 

 

Hardik Suri

Microsoft Defender ATP Research Team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Threat Protection and Microsoft Defender ATP tech communities.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Latest Astaroth living-off-the-land attacks are even more invisible but not less observable appeared first on Microsoft Security.

Welcoming more women into cybersecurity: the power of mentorships

March 19th, 2020 No comments

From the way our industry tackles cyber threats, to the language we have developed to describe these attacks, I’ve long been a proponent to challenging traditional schools of thought—traditional cyber-norms—and encouraging our industry to get outside its comfort zones. It’s important to expand our thinking in how we address the evolving threat landscape. That’s why I’m not a big fan of stereotypes; looking at someone and saying they “fit the mold.” Looking at my CV, one would think I wanted to study law, or politics, not become a cybersecurity professional. These biases and unconscious biases shackle our progression. The scale of our industry challenges is too great, and if we don’t push boundaries, we miss out on the insights that differences in race, gender, ethnicity, sexuality, neurology, ability, and degrees can bring.

As we seek to diversify the talent pool, a key focus needs to be on nurturing female talent. Microsoft has hired many women in security, and we will always focus on keeping a diverse workforce. That’s why as we celebrate Women in Cybersecurity Month and International Women’s Day, the security blog will feature a few women cybersecurity leaders who have been implementing some of their great ideas for how to increase the number of women in this critical field. I’ll kick it off the series with some thoughts on how we can build strong mentoring relationships and networks that encourage women to pursue careers in cybersecurity.

There are many women at Microsoft who lead our security efforts. I’m incredibly proud to be among these women, like Joy Chik, Corporate Vice President of Identity, who is pushing the boundaries on how the tech industry is thinking about going passwordless, and Valecia Maclin, General Manager of Security Engineering, who is challenging us to think outside the box when it comes to our security solutions. On my own team, I think of the many accomplishments of  Ping Look, who co-founded Black Hat and now leads our Detection and Response Team (DART), Sian John, MBE, who was recently recognized as one of the top 50 influencers in cybersecurity in the U.K., and Diana Kelley, Microsoft CTO, who tirelessly travels to the globe to share how we are empowering our customers through cybersecurity—just to name a few. It’s important we continue to highlight women like these, including our female cybersecurity professionals at Microsoft who made the Top 100 Cybersecurity list in 2019. The inspiration from their accomplishments goes far beyond our Microsoft campus. These women represent the many Microsoft women in our talented security team. This month, you’ll also hear from some of them in subsequent blog posts on how to keep the diverse talent you already have employed. And to conclude the month, Theresa Payton, CEO at Fortalice Solutions, LLC., and the host of our CISO Spotlight series will share tips from her successful experience recruiting talented women into IT and cybersecurity.

Our cyber teams must be as diverse as the problems we are trying to solve

You’ve heard me say this many times, and I truly believe this: As an industry, we’ve already acknowledged the power of diversity—in artificial intelligence (AI). We have clear evidence that a variety of data across multiple sources and platforms enhances and improves AI and machine learning models. Why wouldn’t we apply that same advantage to our teams? This is one of several reasons why we need to take diversity and inclusion seriously:

  • Diverse teams make better and faster decisions 87 percent of the time compared with all male teams, yet the actual number of women in our field fluctuates between 10 and 20 percent. What ideas have we missed by not including more women?
  • With an estimated shortfall of 3.5 million security professionals by 2021, the current tech talent pipeline needs to expand—urgently.
  • Cyber criminals will continue to exploit the unconscious bias inherent in the industry by understanding and circumventing the homogeneity of our methods. If we are to win the cyber wars through the element of surprise, we need to make our strategy less predictable.

Mentoring networks must start early

Mentorship can be a powerful tool for increasing the number of women in cybersecurity. People select careers that they can imagine themselves doing. This process starts young. Recently a colleague’s pre-teen daughter signed up for an after-school robotics class. When she showed up at the class, only two other girls were in the room. Girls are opting out of STEM before they can (legally) opt into a PG-13 movie. But we can change this. By exposing girls to technology earlier, we can reduce the intimidation factor and get them excited. One group that is doing this is the Security Advisor Alliance. Get involved in organizations like this to reach girls and other underrepresented groups before they decide cybersecurity is not for them.

Building a strong network

Mentoring young people is important, but to solve the diversity challenges, we also need to bring in people who started on a different career path or who don’t have STEM degrees. You simply won’t find the talent you need through the anemic pipeline of college-polished STEM graduates. I recently spoke with Mari Galloway, a senior security architect in the gaming industry and CEO of the Women’s Society of Cyberjutsu (WSC) about this very topic in my podcast. She agreed on the importance of finding a mentor, and being a mentee.

Those seeking to get into cybersecurity need a network that provides the encouragement and constructive feedback that will help them grow. I have mentored several non-technical women who have gone on to have successful roles in cybersecurity. These relationships have been very rewarding for me and my mentees, which is why I advocate that everybody should become a mentor and a mentee.

If you haven’t broken into cybersecurity yet, or if you are in the field and want to grow your career, here are a few tips:

  • Close the skills gap through training and certificate programs offered by organizations like Sans Institute and ISC2. I am especially excited about Girls Go Cyberstart, a program for young people that Microsoft is working on with Sans Institute.
  • Build up your advocate bench with the following types of mentors:
    • Career advocate: Someone who helps you with your career inside your company or the one you want to enter.
    • Coach: Someone outside your organization who brings a different perspective to troubleshooting day-to-day problems.
    • Senior advisor: Someone inside or outside your organization who looks out for the next step in your career.
  • Use social media to engage in online forums, find local events, and reach experts. Several of my mentees use LinkedIn to start the conversation.
  • When you introduce yourself to someone online be clear that you are interested in their cumulative experience not just their job status.

For those already in cybersecurity, be open to those from the outside seeking guidance, especially if they don’t align with traditional expectations of who a cybersecurity professional is.

Mentorship relationships that yield results

A mentorship is only going to be effective if the mentee gets valuable feedback and direction from the relationship. This requires courageous conversations. It’s easy to celebrate a mentee’s visible wins. However, those moments are the result of unseen trench work that consists of course correcting and holding each other accountable to agreed upon actions. Be prepared to give and receive constructive, actionable feedback.

Creating inclusive cultures

More women and diverse talent should be hired in security not only because it is the right thing to do, but because gaining the advantage in fighting cybercrime depends on it. ​Mentorship is one strategy to include girls before they opt out of tech, and to recruit people from non-STEM backgrounds.

What’s next

Watch for Diana Kelley’s blog about how to create a culture that keeps women in the field.

Learn more about Girls Go Cyberstart.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.

The post Welcoming more women into cybersecurity: the power of mentorships appeared first on Microsoft Security.

Guarding against supply chain attacks—Part 3: How software becomes compromised

March 11th, 2020 No comments

Do you know all the software your company uses? The software supply chain can be complex and opaque. It’s comprised of software that businesses use to run operations, such as customer relationship management (CRM), enterprise resource planning (ERP), and project management. It also includes the third-party components, libraries, and frameworks that software engineers use to build applications and products. All this software can be difficult to track and can be vulnerable to attack if not known and/or not managed properly.

In the U.S. Department of Defense’s Defense Federal Acquisition Regulation Supplement, a supply chain risk is defined as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.”

If you rely on a web of software providers, it’s important that you understand and mitigate your risk. This Part 3 of our five-part blog series entitled “Guarding against supply chain attacks” illustrates how software supply chain attacks are executed and offers best practices for improving the quality of the software that undergirds your applications and business.

Examples of software supply chain attacks with global reach

Starting in 2012 the industry began to see a marked increase in the number of attacks targeted at software supply chains each year. Like other hacking incidents, a well-executed software supply chain attack can spread rapidly. The following examples weaponized automatic software updates to infect computers in large and small companies in countries all over the world and highlight how they have evolved over time.

  • The Flame malware of 2012 was a nation-state attack that tricked a small number of machines in the Middle East into thinking that a signed update had come from Microsoft’s trusted Windows Update mechanism, when in fact it had not. Flame had 20 modules that could perform a variety of functions. It could turn on your computer’s internal microphone and webcam to record conversations or take screenshots of instant messaging and email. It could also serve as a Bluetooth beacon and tap into other devices in the area to steal info. Believed to come from a nation state, Flame sparked years of copycats. While Flame was a supply chain “emulation” (it only pretended to be trusted), the tactic was studied and adopted by both nation states and criminals, and included noted update attacks like Petya/NotPetya (2017), another nation-state attack, which hit enterprises in over 20 countries. It included the ability to self-propagate (like worms) by building a list of IP addresses to spread to local area networks (LANS) and remote IPs.
  • CCleaner affected 2.3 million computers in 2018, some for more than a month. Nation-state actors replaced original software versions with malware that had been used to modify the CCleaner installation file used by customers worldwide. Access was gained through the Piriform network, a company that was acquired by Avast before the attack was launched on CCleaner users. As Avast says in a blog on the subject, “Attackers will always try to find the weakest link, and if a product is downloaded by millions of users it is an attractive target for them. Companies need to increase their attention and investment in keeping the supply chain secure.”
  • In May 2017, Operation WilySupply compromised a text editor’s software updater to install a backdoor on target organizations in the financial and IT sectors. Microsoft Defender Advanced Threat Protection (ATP) discovered the attack early and Microsoft worked with the vendor to contain the attack and mitigate the risk.

Implanting malware

There are three primary ways that malicious actors infect the software supply chain:

  • Compromise internet accessible software update servers. Cybercrooks hack into the servers that companies use to distribute their software updates. Once they gain access, they replace legitimate files with malware. If an application auto-updates, the number of infections can proliferate quickly.
  • Gain access to the software infrastructure. Hackers use social engineering techniques to infiltrate the development infrastructure. After they’ve tricked users into sharing sign-in credentials, the attackers move laterally within the company until they are able to target the build environment and servers. This gives them the access needed to inject malicious code into software before it has been complied and shipped to customers. Once the software is signed with the digital signature it’s extremely difficult to detect that something is wrong.
  • Attack third-party code libraries. Malware is also delivered through third-party code, such as libraries, software development kits, and frameworks that developers use in their applications.

Safeguarding your software supply chain

There are several steps you can take to reduce the vulnerabilities in your software. (We’ll address the vulnerabilities and mitigation strategies related to people and processes in our next post.):

  • Much like the hardware supply chain, it’s important to inventory your software suppliers. Do your due diligence to confirm there are no red flags. The NIST Cyber Supply Chain Best Practices provide sample questions that you can use to screen your software suppliers, such as what malware protection and detection are performed and what access controls—both cyber and physical—are in place.
  • Set a high standard of software assurance with partners and suppliers. Governmental organizations such as the Department of Homeland Security, SafeCODE, the OWASP SAMM, and the U.K. National Cyber Security Centre’s Commercial Product Assurance (CPA) provide a model. You can also refer to Microsoft’s secure development lifecycle (SDL). The SDL defines 12 best practices that Microsoft developers and partners utilize to reduce vulnerabilities. Use the SDL to guide a software assurance program for your engineers, partners, and suppliers.
  • Manage security risks in third-party components. Commercial and open-source libraries and frameworks are invaluable for improving efficiency. Engineers shouldn’t create a component from scratch if a good one exists already; however, third-party libraries are often targeted by bad actors. Microsoft’s open source best practices can help you manage this risk with four steps:
    1. Understand what components are in use and where.
    2. Perform security analysis to confirm that none of your components contain vulnerabilities
    3. Keep components up to date. Security fixes are often fixed without explicit notification.
    4. Establish an incident response plan, so you have a strategy when a vulnerability is reported.

Learn more

“Guarding against supply chain attacks” is a five-part blog series that decodes supply chain threats and provides concrete actions you can take to better safeguard your organization. Previous posts include an overview of supply chain risks and an examination of vulnerabilities in the hardware supply chain.

We also recommend you explore NIST Cybersecurity Supply Chain Risk Management.

Stay tuned for these upcoming posts as we wrap up our five-part series:

  • Part 4—Looks at how people and processes can expose companies to risk.
  • Part 5—Summarizes our advice with a look to the future.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. For more information about Microsoft Security solutions, visit our website: https://www.microsoft.com/en-us/security/business. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Guarding against supply chain attacks—Part 3: How software becomes compromised appeared first on Microsoft Security.

Microsoft identity acronyms—what do they mean and how do they relate to each other?

March 2nd, 2020 No comments

As a security advisor working with one to three Chief Information Security Officers (CISOs) each week, the topic of identity comes up often. These are smart people who have often been in industry for decades. They have their own vocabulary of acronyms that only security professionals know such as DDoS, CEH, CERT, RAT, and 0-Day (if you don’t know one or several of these terms, I encourage you to look them up to build your vocabulary), but they often find themselves confused by Microsoft’s own set of acronyms.

This is the first in a blog series that aims to lessen some confusion around identity by sharing with you some of the terms used at Microsoft. Terms like MFA, PIM, PAM, MIM, MAM, MDM, and a few others. What do they mean and how do they relate to each other?

Multi-Factor Authentication or MFA

Let’s start with what identity means to Microsoft. Identity is the ability to clearly and without doubt ensure the identification of a person, device, location, or application. This is done by establishing trust verification and identity verification using what Microsoft calls Multi-Factor Authentication or MFA. This is a combination of capabilities that allow the entity to establish trust and verify who or what they are.

MFA is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: something the user and only the user knows (such as a password or PIN), something the user and only the user has (such as a mobile device or FIDO key), and something the user and only the user is (a biometric such as a fingerprint or iris scan).

Microsoft does this with technologies such as Azure Active Directory (Azure AD) in the cloud combined with Windows Hello. Azure AD is Microsoft’s identity and access management solution. Windows Hello is a Windows capability that allows a user to verify who they are with an image, a pin, or other biometric. The person’s identity is stored via an encrypted hash in the cloud, so it’s never shared in the clear (unencrypted). A cryptographic hash is a checksum that allows someone to proof that they know the original input (e.g., a password) and that the input (e.g., a document) has not been modified.

Privileged Identity Management or PIM

What is Privileged Identity Management or PIM? Organizations use PIM to assign, activate, and approve privileged identities in Azure AD. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to sensitive resources.

Key features of PIM include:

  • Just-in-time privileged access to Azure AD and Azure resources.
  • Time-bound access to resources.
  • An approval process to activate privileged roles.
  • MFA enforcement.
  • Justification to understand why users activate.
  • Notifications when roles are activated.
  • Access reviews and internal and external audit history.

Privileged Access Management or PAM

What is Privileged Access Management or PAM? Often confused with PIM, PAM is a capability to help organizations manage identities for existing on-premises Active Directory environments. PAM is an instance of PIM that is accessed using Microsoft Identity Manager or MIM. Confused? Let me explain.

PAM helps organizations solve a few problems including:

  • Making it harder for attackers to penetrate a network and obtain privileged account access.
  • Adding protection to privileged groups that control access to domain-joined computers and the applications on those computers.
  • Providing monitoring, visibility, and fine-grained controls so organizations can see who their privileged admins are and what they are doing.

PAM gives organizations more insight into how admin accounts are being used in the environment.

Microsoft Identity Manager or MIM

But I also mentioned MIM… What is this? Microsoft Identity Manager or MIM helps organizations manage the users, credentials, policies, and access within their organizations and hybrid environments. With MIM, organizations can simplify identity lifecycle management with automated workflows, business rules, and easy integration with heterogenous platforms across the datacenter. MIM enables Active Directory to have the right users and access rights for on-premises apps. Azure AD Connect can then make those users and permissions available in Azure AD for Office 365 and cloud-hosted apps.

OK, so now we know that:

  • PIM is a capability to help companies manage identities in Azure AD.
  • PAM is an on-premises capability to manage identities in Active Directory.
  • MIM helps organizations manage users, credentials, policies, and on-premises access.

Mobile Application Management or MAM

What’s left… Oh yes: Mobile Application Management or MAM. MAM is important because if organizations can only manage identities—but not the apps then they miss a key aspect of protecting data. MAM is connected to a Microsoft capability called Microsoft Intune and is a suite of management features to publish, push, configure, secure, monitor, and update mobile apps for users.

MAM works with or without enrollment of the device, which means organizations can protect sensitive data on almost any device using MAM-WE (without enrollment). If organizations enable MFA, they can verify the user on the device. MAM also helps manage that apps the trusted user or entity can access. If you add in the Mobile Device Management or MDM feature of Intune, you can force enrollment of devices and then use MAM to manage the apps.

It’s well known that Microsoft has a lot of acronyms. This is the first in a series of blog posts aimed to assist you in navigating the acronym forest created by companies and industry. The Microsoft Platform includes a powerful set of capabilities to help encourage users to make the right decisions and gives security leadership, like you, the ability to manage and monitor identities and control access to critical files and network assets.

The post Microsoft identity acronyms—what do they mean and how do they relate to each other? appeared first on Microsoft Security.

Defending the power grid against supply chain attacks—Part 1: The risk defined

February 18th, 2020 No comments

Most people don’t think about electricity. If the internet works, their food is refrigerated, and their debit card is approved, why should they? Its ubiquity and reliability render it invisible—a bit of magic that powers much of modern life. That is, until a large storm passes through. Localized outages can be quite disruptive to those impacted, and the utility industry has learned to respond rapidly and effectively to these events. But what happens if service interruptions become more unpredictable and affect large geographical regions with huge populations?

This is a risk that utilities and their supply chain must continue to address. Nation state actors and other adversaries have demonstrated that they possess the ambition and the skills necessary to launch cyberattacks that could cause widescale and continuous power outages. Whether your organization is a utility or a supplier of the industry, you may be vulnerable.

This blog series, “Defending the power grid against supply chain attacks,” analyzes how these attacks are conducted and the steps utilities, device manufacturers, and software providers can take to better secure critical infrastructure.

Why it matters

Modern warfare is no longer conducted exclusively on the battlefield. Nation-state actors also deploy sophisticated cybercampaigns to disrupt daily life or sow confusion. The power grid is one such target. The financial system, sewer and water lines, transportation networks, computers, cellphones, kitchen appliances, and more run on electricity. Several hours of disrupted power can grind economic activity to a halt in the affected areas. An outage of days or weeks could incite greater unrest.

Accelerated adoption of the Internet of Things (IoT) compounds the risk. IoT innovations allow the utility industry to harness the power of the internet, data, and artificial intelligence to optimize its operations and deliver energy more efficiently and reliably to its customers. But these devices can introduce new vulnerabilities. Existing sensors often don’t have security or centralized management built into them. Some devices are so small, it’s difficult to place traditional protections on them. Manufacturers, who feel pressured to deliver solutions quickly, may fail to incorporate critical security controls and safeguards in their products. Bad actors are skilled at uncovering these weaknesses and exploiting them.

How attacks are executed

A typical cyberattack includes lengthy reconnaissance to uncover all the vendors that serve a utility and their vulnerabilities. Bad actors even go after suppliers who exist outside the software and hardware space but have vital access. A few examples:

  • Software libraries and frameworks—Modern software relies on open source and industry libraries and frameworks to reduce time to market and take advantage of pre-tested solutions. This is fertile ground for hackers to insert malware that wreaks havoc once the software reaches its destination.
  • Digitally signed software—Much software is digitally signed by the vendor to prove its legitimacy. Hackers who break into servers may be able to infect software before it’s digitally signed or spoof the signature after altering the software.
  • Software update servers—Bad actors hack into the servers that distribute software updates. This can be very effective since many applications auto-update.
  • Hardware interdiction—While hardware and parts are in-transit, a cybercriminal intercepts the shipment and inserts malicious code in the hardware or firmware.
  • Hardware seeding—Cybercriminals infect IoT devices, such as phones, cameras, sensors, drones and USB drives, with malware inserted on the manufacturing floor.
  • Onsite vendors—Companies that come on site to provide services may not be as security focused as software and hardware companies. Attackers exploit this vulnerability and then use the relationship to gain access to the ultimate target.
  • Remote servicing vendors—Bad actors also attack the companies who provide remote support to the systems at the target organization.

Looking ahead

The next two installments of the Defending the power grid against supply chain attacks series will offer practical advice for both the utilities and their vendors.

Stay tuned for:

  • Part 2: Secure the hardware and software used by utilities
  • Part 3: Risk management strategies for the utilities industry

In the meantime, whether you are a utility or one its suppliers, you can begin to address these risks by inventorying your vendors. Where do you buy software, what processes do you use to select software libraries? Who builds your hardware? Where do your hardware manufacturers source parts?

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defending the power grid against supply chain attacks—Part 1: The risk defined appeared first on Microsoft Security.

Afternoon Cyber Tea—From threat intelligence to chatbots: A look at AI in cybersecurity

February 10th, 2020 No comments

I’ve often said our teams should be as diverse as the problems we are trying to solve. Hiring a diverse security team isn’t just the right thing to do, it’s also good business. This is a topic I’m very passionate about, so I was delighted to interview Jane Frankland for the second podcast of Afternoon Cyber Tea, From threat intelligence to chatbots.

Jane founded and ran a cybersecurity company that conducted penetration testing. She also authored the book Insecurity: Why a Failure to Attract and Retain Women in Cybersecurity Is Making Us All Less Safe, and she provides consulting for the cybersecurity community.

Jane and I talked about how important it is for defenders to think like an attacker and the security challenges facing chatbots and other artificial intelligence (AI) technologies. One critical concern that we need to address is the replication of cultural bias in our AI. We both agreed that staffing AI teams with a diverse group of people can help. Jane is a powerful advocate for making cybersecurity and technology spaces more inclusive of women, and she talked through a few research-backed approaches that organizations can take to attract more women to their organizations. It was a great conversation, and I hope you’ll listen to this episode of Afternoon Cyber Tea with Ann Johnson on Apple Podcasts or Podcast One.

Join me at RSA Conference 2020

If you will be in San Francisco in February for the RSA Conference, I will be delivering a keynote, “Why your people are still your best cyber defense,” on February 26, 2020 at 4:05 PM. Over the years, I’ve learned that the companies that are most successful at recovering from a cyberattack tend to have two things in common: the right technology and good people. AI and machine learning will be vital tools in the fight for cybersecurity, but so will the human spirit. Join me at this keynote to hear how to create a culture where people are your best defense.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts—You can also download the episode by clicking the Episode Website link.
  • Podcast One—Includes option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page—Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea—From threat intelligence to chatbots: A look at AI in cybersecurity appeared first on Microsoft Security.

Guarding against supply chain attacks—Part 2: Hardware risks

February 3rd, 2020 No comments

The challenge and benefit of technology today is that it’s entirely global in nature. This reality is brought into focus when companies assess their supply chains, and look for ways to identify, assess, and manage risks across the supply chain of an enterprise. Part 2 of the “Guarding against supply chain attacks” blog series examines the hardware supply chain, its vulnerabilities, how you can protect yourself, and Microsoft’s role in reducing hardware-based attacks.

Unpacking the hardware supply chain

A labyrinth of companies produces mobile phones, Internet of Things (IoT) devices, servers, and other technology products that improve our lives. Product designers outsource manufacturing to one or more vendors. The manufacturer buys components from known suppliers. Each supplier buys parts from its preferred vendors. Other organizations integrate firmware. During peak production cycles, a vendor may subcontract to another company or substitute its known parts supplier with a less familiar one. This results in a complex web of interdependent companies who aren’t always aware that they are connected.

Tampering with hardware using interdiction and seeding

Tampering with hardware is not an easy path for attackers, but because of the significant risks that arise out of a successful compromise, it’s an important risk to track. Bad actors compromise hardware by inserting physical implants into a product component or by modifying firmware. Often these manipulations create a “back door” connection between the device and external computers that the attacker controls. Once the device reaches its final destination, adversaries use the back door to gain further access or exfiltrate data.

But first they must get their hands on the hardware. Unlike software attacks, tampering with hardware requires physical contact with the component or device.

So how do they do it? There are two known methods: interdiction and seeding. In interdiction, saboteurs intercept the hardware while it’s on route to the next factory in the production line. They unpackage and modify the hardware in a secure location. Then they repackage it and get it back in transit to the final location. They need to move quickly, as delays in shipping may trigger red flags.

As hard as interdiction is, it’s not nearly as challenging as seeding. Seeding attacks involve the manipulation of the hardware on the factory floor. To infiltrate a target factory, attackers may pose as government officials or resort to old fashioned bribery or threats to convince an insider to act, or to allow the attacker direct access to the hardware.

Why attack hardware?

Given how difficult hardware manipulation is, you may wonder why an attacker would take this approach. The short answer is that the payoff is huge. Once the hardware is successfully modified, it is extremely difficult to detect and fix, giving the perpetrator long-term access.

  • Hardware makes a good hiding place. Implants are tiny and can be attached to chips, slipped between layers of fiberglass, and designed to look like legitimate components, among other surreptitious approaches. Firmware exists outside the operating system code. Both methods are extremely difficult to detect because they bypass traditional software-based security detection tools.
  • Hardware attacks are more complex to investigate. Attackers who target hardware typically manipulate a handful of components or devices, not an entire batch. This means that unusual device activity may resemble an anomaly rather than a malicious act. The complexity of the supply chain itself also resists easy investigation. With multiple players, some of whom are subcontracted by vendors, discovering what happened and how can be elusive.
  • Hardware issues are expensive to resolve. Fixing compromised hardware often requires complete replacement of the infected servers and devices. Firmware vulnerabilities often persist even after an OS reinstall or a hard drive replacement. Physical replacement cycles and budgets can’t typically accommodate acceleration of such spending if the hardware tampering is widespread.

For more insight into why supply chains are vulnerable, how some attacks have been executed, and why they are so hard to detect, we recommend watching Andrew “bunny” Huang’s presentation, Supply Chain Security: If I were a Nation State…, at BlueHat IL, 2019.

Know your hardware supply chain

What can you do to limit the risk to your hardware supply chain? First: identify all the players, and ask important questions:

  • Where do your vendors buy parts?
  • Who integrates the components that your vendor buys and who manufactures the parts?
  • Who do your vendors hire when they are overloaded?

Once you know who all the vendors are in your supply chain, ensure they have security built into their manufacturing and shipping processes. The National Institute of Standards and Technology (NIST) recommends that organizations “identify those systems/components that are most vulnerable and will cause the greatest organizational impact if compromised.” Prioritize resources to address your highest risks. As you vet new vendors, evaluate their security capabilities and practices as well as the security of their suppliers. You may also want to formalize random, in-depth product inspections.

Microsoft’s role securing the hardware supply chain

As a big player in the technology sector, Microsoft engages with its hardware partners to limit the opportunities for malicious actors to compromise hardware.

Here are just a few examples of contributions Microsoft and its partners have made:

  • Microsoft researchers defined seven properties of secure connected devices. These properties are a useful tool for evaluating IoT device security.
  • The seven properties of secure connected devices informed the development of Azure Sphere, an IoT solution that includes a chip with robust hardware security, a defense-in-depth Linux-based OS, and a cloud security service that monitors devices and responds to emerging threats.
  • Secured-core PCs apply the security best practices of isolation and minimal trust to the firmware layer, or the device core, that underpins the Windows operating system.

Project Cerberus is a collaboration that helps protect, detect, and recover from attacks on platform firmware.

Learn more

The “Guarding against supply chain attacks” blog series untangles some of the complexity surrounding supply chain threats and provides concrete actions you can take to better safeguard your organization. Read Part 1: The big picture for an overview of supply chain risks.

Also, download the Seven properties of secure connected devices and read NIST’s Cybersecurity Supply Chain Risk Management.

Stay tuned for these upcoming posts:

  • Part 3—Examines ways in which software can become compromised.
  • Part 4—Looks at how people and processes can expose companies to risk.
  • Part 5—Summarizes our advice with a look to the future.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Guarding against supply chain attacks—Part 2: Hardware risks appeared first on Microsoft Security.

Introducing Microsoft Application Inspector

January 16th, 2020 No comments

Modern software development practices often involve building applications from hundreds of existing components, whether they’re written by another team in your organization, an external vendor, or someone in the open source community. Reuse has great benefits, including time-to-market, quality, and interoperability, but sometimes brings the cost of hidden complexity and risk.

You trust your engineering team, but the code they write often accounts for only a tiny fraction of the entire application. How well do you understand what all those external software components actually do? You may find that you’re placing as much trust in each of the thousands of contributors to those components as you have in your in-house engineering team.

At Microsoft, our software engineers use open source software to provide our customers high-quality software and services. Recognizing the inherent risks in trusting open source software, we created a source code analyzer called Microsoft Application Inspector to identify “interesting” features and metadata, like the use of cryptography, connecting to a remote entity, and the platforms it runs on.

Application Inspector differs from more typical static analysis tools in that it isn’t limited to detecting poor programming practices; rather, it surfaces interesting characteristics in the code that would otherwise be time-consuming or difficult to identify through manual introspection. It then simply reports what’s there, without judgement.

For example, consider this snippet of Python source code:

Here we can see that a program that downloads content from a URL, writes it to the file system, and then executes a shell command to list details of that file. If we run this code through Application Inspector, we’ll see the following features identified which tells us a lot about what it can do:

  • FileOperation.Write
  • Network.Connection.Http
  • Process.DynamicExecution

In this small example, it would be trivial to examine the snippet manually to identify those same features, but many components contain tens of thousands of lines of code, and modern web applications often use hundreds of such components. Application Inspector is designed to be used individually or at scale and can analyze millions of lines of source code from components built using many different programming languages. It’s simply infeasible to attempt to do this manually.

Application Inspector is positioned to help in key scenarios

We use Application Inspector to identify key changes to a component’s feature set over time (version to version), which can indicate anything from an increased attack surface to a malicious backdoor. We also use the tool to identify high-risk components and those with unexpected features that require additional scrutiny, under the theory that a vulnerability in a component that is involved in cryptography, authentication, or deserialization would likely have higher impact than others.

Using Application Inspector

Application Inspector is a cross-platform, command-line tool that can produce output in multiple formats, including JSON and interactive HTML. Here is an example of an HTML report:

Each icon in the report above represents a feature that was identified in the source code. That feature is expanded on the right-hand side of the report, and by clicking any of the links, you can view the source code snippets that contributed to that identification.

Each feature is also broken down into more specific categories and an associated confidence, which can be accessed by expanding the row.

Application Inspector comes with hundreds of feature detection patterns covering many popular programming languages, with good support for the following types of characteristics:

  • Application frameworks (development, testing)
  • Cloud / Service APIs (Microsoft Azure, Amazon AWS, and Google Cloud Platform)
  • Cryptography (symmetric, asymmetric, hashing, and TLS)
  • Data types (sensitive, personally identifiable information)
  • Operating system functions (platform identification, file system, registry, and user accounts)
  • Security features (authentication and authorization)

Get started with Application Inspector

Application Inspector can identify interesting features in source code, enabling you to better understand the software components that your applications use. Application Inspector is open source, cross-platform (.NET Core), and can be downloaded at github.com/Microsoft/ApplicationInspector. We welcome all contributions and feedback.

The post Introducing Microsoft Application Inspector appeared first on Microsoft Security.

Categories: Automation, Security Intelligence Tags:

Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks

December 18th, 2019 No comments

Computers with Windows Remote Desktop Protocol (RDP) exposed to the internet are an attractive target for adversaries because they present a simple and effective way to gain access to a network. Brute forcing RDP, a secure network communications protocol that provides remote access over port 3389, does not require a high level of expertise or the use of exploits; attackers can utilize many off-the-shelf tools to scan the internet for potential victims and leverage similar such tools for conducting the brute force attack.

Attackers target RDP servers that use weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security protections. Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware and coin mining operations.

In a brute force attack, adversaries attempt to sign in to an account by effectively using one or more trial-and-error methods. Many failed sign-ins occurring over very short time frequencies, typically minutes or even seconds, are usually associated with these attacks. A brute force attack might also involve adversaries attempting to access one or more accounts using valid usernames that were obtained from credential theft or using common usernames like “administrator”. The same holds for password combinations. In detecting RDP brute force attacks, we focus on the source IP address and username, as password data is not available.

In the Windows operating system, whenever an attempted sign-in fails for a local machine, Event Tracing for Windows (ETW) registers Event ID 4625 with the associated username. Meanwhile, source IP addresses connected to RDP can be accessed; this information is very useful in assessing if a machine is under brute force attack. Using this information in combination with Event ID 4624 for non-server Windows machines can shed light on which sign-in sessions were successfully created and can further help in detecting if a local machine has been compromised.

In this blog we’ll present a study and a detection logic that uses these signals. This data science-driven approach to detecting RDP brute force attacks has proven valuable in detecting human adversary activity through Microsoft Threat Experts, the managed threat hunting service in Microsoft Defender Advanced Threat Protection. This work is an example of how the close collaboration between data scientists and threat hunters results in protection for customers against real-world threats.

Insights into brute force attacks

Observing a sudden, relatively large count of Event ID 4625 associated with RDP network connections might be rare, but it does not necessarily imply that a machine is under attack. For example, a script that performs the following actions would look suspicious looking at a time series of counts of failed sign-in but is most likely not malicious:

  • uses an expired password
  • retries sign-in attempts every N-minutes with different usernames
  • over a public IP address within a range owned by the enterprise

In contrast, behavior that includes the following is indicative of an attack:

  • extreme counts of failed sign-ins from many unknown usernames
  • never previously successfully authenticated
  • from multiple RDP connections
  • from new source IP addresses

Understanding the context of failed sign-ins and inbound connections is key to discriminating between true positive (TP) and false positive (FP) brute force attacks, especially if the goal is to automatically raise only high-precision alerts to the appropriate recipients, as we do in Microsoft Defender ATP.

We analyzed several months’ worth of data to mine insights into the types of RDP brute force attacks occurring across Microsoft Defender ATP customers. Out of about 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in, we discovered that, on average, several hundred machines per day had high probability of undergoing one or more RDP brute force attack attempts. Of the subpopulation of machines with detected brute force attacks, the attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.

Figure 1: Empirical distribution in number of days per machine where we observed 1 or more brute force attacks

As discussed in numerous other studies [1], large counts of failed sign-ins are often associated with brute force attacks. Looking at the count of daily failed sign-ins, 90% of cases exceeded 10 attempts, with a median larger than 60. In addition, these unusual daily counts had high positive correlation with extreme counts in shorter time windows (see Figure 2). In fact, the number of extreme failed sign-ins per day typically occurred under 2 hours, with about 40% failing in under 30 minutes.

Figure 2: Count of daily and maximum hourly network failed sign-ins for a local machine under brute force attack

While a detection logic based on thresholding the count of failed sign-ins during daily or finer grain time window can detect many brute force attacks, this will likely produce too many false positives. Worse, relying on just this will yield false negatives, missing successful enterprise compromises: our analysis revealed several instances where brute force attacks generated less than 5-10 failed attempts at a daily granularity but often persisted for many days, thereby avoiding extreme counts at any point in time. For such a brute force attack, thresholding the cumulative number of failed sign-ins across time could be more useful, as depicted in Figure 3.

Figure 3: Daily and cumulative failed network sign-in

Looking at counts of network failed sign-ins provides a useful but incomplete picture of RDP brute force attacks. This can be further augmented with additional information on the failed sign-in, such as the failure reason, time of day, and day of week, as well as the username itself. An especially strong signal is the source IP of the inbound RDP connection. Knowing if the external IP has a high reputation of abuse, as can be looked up on sites like https://www.abuseipdb.com/, can directly confirm if an IP is a part of an active brute force.

Unfortunately, not all IP addresses have a history of abuse; in addition, it can be expensive to retrieve information about many external IP addresses on demand. Maintaining a list of suspicious IPs is an option, but relying on this can result in false negatives as, inevitably, new IPs continually occur, particularly with the adoption of cloud computing and ease of spinning up virtual machines. A generic signal that can augment failed sign-in and user information is counting distinct RDP connections from external IP addresses. Again, extreme values occurring at a given time or cumulated over time can be an indicator of attack.

Figure 4 shows histograms (i.e., counts put into discrete bins) of daily counts of RDP public connections per machine that occurred for an example enterprise with known brute force attacks. It’s evident that normal machines have a lower probability of larger counts compared to machines attacked.

Figure 4: Histograms of daily count of RDP inbound across machines for an example enterprise

Given that some enterprises have machines under brute force attack daily, the priority may be to focus on machines that have been compromised, defined by a first successful sign-in following failed attempts from suspicious source IP addresses or unusual usernames. In Windows logs, Event ID 4624 can be leveraged to measure successful sign-in events for local machine in combination with failed sign-ins (Event ID 4625).

Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised. Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days. Figure 5 shows a bubble chart of the average abuse score of external IPs associated with RDP brute force attacks that successfully compromised machines. The size of the bubbles is determined by the count of distinct machines across the enterprises analyzed having a network connection from each IP. While there is diversity in the origin of the source IPs, Netherlands, Russia, and the United Kingdom have a larger concentration of inbound RDP connections from high-abuse IP.

Figure 5: Bubble chart of IP abuse score versus counts of machine with inbound RDP

A key takeaway from our analysis is that successful brute force attempts are not uncommon; therefore, it’s critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events. In the following sections we describe a methodology to do this. This methodology was leveraged by Microsoft Threat Experts to augment threat hunting and resulted in new targeted attack notifications.

Combining many relevant signals

As discussed earlier (with the example of scripts connecting via RDP using outdated passwords yielding failed sign-ins), simply relying on thresholding failed attempts per machine for detecting brute force attacks can be noisy and may result in many false positives. A better strategy is to utilize many contextually relevant signals, such as:

  • the timing, type, and count of failed sign-in
  • username history
  • type and frequency of network connections
  • first-time username from a new source machine with a successful sign-in

This can be even further extended to include indicators of attack associated with brute force, such as port scanning.

Combining multiple signals along the attack chain has been proposed and shown promising results [2]. We considered the following signals in detecting RDP inbound brute force attacks per machine:

  • hour of day and day of week of failed sign-in and RDP connections
  • timing of successful sign-in following failed attempts
  • Event ID 4625 login type (filtered to network and remote interactive)
  • Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
  • cumulative count of distinct username that failed to sign in without success
  • count (and cumulative count) of failed sign-ins
  • count (and cumulative count) of RDP inbound external IP
  • count of other machines having RDP inbound connections from one or more of the same IP

Unsupervised probabilistic time series anomaly detection

For many cybersecurity problems, including detecting brute force attacks, previously labeled data is not usually available. Thus, training a supervised learning model is not feasible. This is where unsupervised learning is helpful, enabling one to discover and quantify unknown behaviors when examples are too sparse. Given that several of the signals we consider for modeling RDP brute force attacks are inherently dependent on values observed over time (for example, daily counts of failed sign-ins and counts of inbound connections), time series models are particularly beneficial. Specifically, time series anomaly detection naturally provides a logical framework to quantify uncertainty in modeling temporal changes in data and produce probabilities that then can be ranked and thresholded to control a desirable false positive rate.

Time series anomaly detection captures the temporal dynamics of signals and accurately quantifies the probability of observing values at any point in time under normal operating conditions. More formally, if we introduce the notation Y(t) to denote the signals taking on values at time t, then we build a model to compute reliable estimates of the probability of Y(t) exceeding observed values given all known and relevant information, represented by P[y(t)], sometimes called an anomaly score. Given a false positive tolerance rate r (e.g., .1% or 1 out of 10,000 per time), for each time t, values y*(t) satisfying P[y*(t)] < r would be detected as anomalous. Assuming the right signals reflecting the relevant behaviors of the type of attacks are chosen, then the idea is simple: the lowest anomaly scores occurring per time will be likely associated with the highest likelihood of real threats.

For example, looking back at Figure 2, the time series of daily count of failed sign-ins occurring on the brute force attack day 8/4/2019 had extreme values that would be associated with an empirical probability of about .03% out of all machine and days with at least 1 failed network sign-in for the enterprise.

As discussed earlier, applying anomaly detection to 1 or a few signals to detect real attacks can yield too many false positives. To mitigate this, we combined anomaly scores across eight signals we selected to model RDP brute force attack patterns. The details of our solution are included in the Appendix, but in summary, our methodology involves:

  • updating statistical discrete time series models sequentially for each signal, capturing time of day, day of week, and both point and cumulative effects
  • combining anomaly scores using an approach that yields accurate probability estimates, and
  • ranking the top N anomalies per day to control a desired number of false positives

Our approach to time series anomaly detection is computationally efficient, automatically learns how to update probabilities and adapt to changes in data.

As we describe in the next section, this approach has yielded successful attack detection at high precision.

Protecting customers from real-word RDP brute force attacks through Microsoft Threat Experts

The proposed time series anomaly detection model was deployed and utilized by Microsoft Threat Experts to detect RDP brute force attacks during threat hunting activities. A list that ranks machines across enterprises with the lowest anomaly scores (indicating the likelihood of observing a value at least as large under expected conditions in all signals considered) is updated and reviewed every day. See Table 1 for an example.

Table 1: Sample ranking of detected RDP inbound brute force attacks

For each machine with detection of a probable brute force attack, each instance is assigned TP, FP, or unknown. Each TP is then assigned priority based on the severity of the attack. For high-priority TP, a targeted attack notification is sent to the associated organization with details about the active brute force attack and recommendations for mitigating the threat; otherwise the machine is closely monitored until more information is available.

We also added an extra capability to our anomaly detection: automatically sending targeted attack notifications about RDP brute force attacks, in many cases before the attack succeeds or before the actor is able to conduct further malicious activities. Looking at the most recent sample of about two weeks of graded detections, the average precision per day (i.e., true positive rate) is approximately 93.7% at a conservative false positive rate of 1%.

In conclusion, based on our careful selection of signals found to be highly associated with RDP brute force attacks, we demonstrated that proper application of time series anomaly detection can be very accurate in identifying real threats. We have filed a patent application for this probabilistic time series model for detecting RDP inbound brute force attacks. In addition, we are working on integrating this capability into Microsoft Defender ATP’s endpoint and detection response capabilities so that the detection logic can raise alerts on RDP brute force attacks in real-time.

Monitoring suspicious activity in failed sign-in and network connections should be taken seriously—a real-time anomaly detection capable of self-updating with the changing dynamics in a network can indeed provide a sustainable solution. While Microsoft Defender ATP already has many anomaly detection capabilities integrated into its EDR capabilities, we will continue to enhance these detections to cover more security scenarios. Through data science, we will continue to combine robust statistical and machine learning approaches with threat expertise and intelligence to deliver industry-leading protection to our customers.

 

 

Cole Sodja, Justin Carroll, Joshua Neil
Microsoft Defender ATP Research Team

 

 

Appendix 1: Models formulation

We utilize hierarchical zero-adjusted negative binomial dynamic models to capture the characteristics of the highly discrete count time series. Specifically, as shown in Figure 2, it’s expected that most of the time there won’t be failed sign-ins for valid credentials on a local machine; hence, there are excess zeros that would not be explained by standard probability distributions such as the negative binomial. In addition, the variance of non-zero counts is often much larger than the mean, where for example, valid scripts connecting via RDP can generate counts in the 20s or more over several minutes because of an outdated password. Moreover, given a combination of multiple users or scripts connecting to shared machines at the same time, this can generate more extreme counts at higher quantiles resulting in heavier tails, as seen in Figure 6.

Figure 6: Daily count of network failed sign-in for a machine with no brute force attack

Parametric discrete location/scale distributions do not generate well-calibrated p-values for rare time series, as seen in Figure 6, and thus if used to detect anomalies can result in too many FPs when looking across many machines at high time frequencies. To overcome this challenge dealing with the sparse time series of counts of failed sign-in and RDP inbound public connections we specify a mixture model, where, based on our analysis, a zero-inflated two-component negative binomial distribution was adequate.

Our formulation is based on thresholding values that determine when to transition to a distribution with larger location and/or scale as given in Equation 1. Hierarchical priors are given from empirical estimates of the sample moments across machines using about 1 month of data.

Equation 1: Zero-adjusted negative binomial threshold model

Negative binomial distribution (NB):

To our knowledge, this formulation does not yield a conjugate prior, and so directly computing probabilities from the posterior predicted density is not feasible. Instead, anomaly scores are generated based on drawing samples from all distributions and then computing the empirical right-tail p-value.

Updating parameters is done based on applying exponential smoothing. To avoid outliers skewing estimates, such as machines under brute force or other attacks, trimming is applied to sample from the distribution at a specified false positive rate, which was set to .1% for our study. Algorithm 1 outlines the logic.

The smoothing parameters were learned based on maximum likelihood estimation and then fixed during each new sequential update. To induce further uncertainty, bootstrapping across machines is done to produce a histogram of smoothing weights, and samples are drawn in accordance to their frequency. We found that weights concentrated away from 0 vary between .06% and 8% for over 90% of machines, thus leading to slow changes in the parameters. An extension using adaptive forgetting factors will be considered in future work to automatically learn how to correct smoothing in real time.

Algorithm 1: Updating model parameters real-time

Appendix 2: Fisher Combination

For a given device, for each signal that exists a score is computed defined as a p-value, where lower values are associated with higher likelihood of being an anomaly. Then the p-values are combined to yield a joint score across all signals based on using the Fisher p-value combination method as follows:

The use of Fisher’s test applied to anomaly scores produces a scalable solution that yields interpretable probabilities that thus can be controlled to achieve a desired false positive rate. This has even been applied in a cybersecurity context. [3]

 

 

[1] Najafabadi et al, Machine Learning for Detecting Brute Force Attacks at the Network Level, 2014 IEEE 14th International Conference on Bioinformatics and Bioengineering
[2] Sexton et al, Attack chain detection, Statistical Analysis and Data Mining, 2015
[3] Heard, Combining Weak Statistical Evidence in Cyber Security, Intelligent Data Analysis XIV, 2015

The post Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks appeared first on Microsoft Security.

GALLIUM: Targeting global telecom

December 12th, 2019 No comments

Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, we’re encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks.

To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.

This activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.

Following Microsoft’s internal practices of assigning chemical elements to activity groups, GALLIUM is the code name for this activity group.

GALLIUM’s profile

Reconnaissance methods

As is often the case with the reconnaissance methods, it’s difficult to be definitive about those employed by GALLIUM. This is due to the passive nature of reconnaissance activities by the actor including the use of freely available data from open sources, such as public websites and social media outlets. However, based on MSTIC analyst assessments, GALLIUM’s exploitation of internet-facing services indicates it’s likely they use open source research and network scanning tools to identify likely targets.

Delivery and exploitation

To gain initial access a target network, GALLIUM locates and exploits internet-facing services such as web servers. GALLIUM has been observed exploiting unpatched web services, such as WildFly/JBoss, for which exploits are widely available. Compromising a web server gives GALLIUM a foothold in the victim network that doesn’t require user interaction, such as traditional delivery methods like phishing.

Following exploitation of the web servers, GALLIUM actors typically install web shells, and then install additional tooling to allow them to explore the target network.

Lateral movement

GALLIUM uses a variety of tools to perform reconnaissance and move laterally within a target network. The majority of these are off-the-shelf tools or modified versions of known security tools. MSTIC investigations indicate that GALLIUM modifies its tooling to the extent it evades antimalware detections rather than develop custom functionality. This behavior has been observed with GALLIUM actors across several operational areas.

GALLIUM has been observed using several tools. Samples of the most prevalent are noted in Table 1.

Tool Purpose
HTRAN Connection bouncer to proxy connections.
Mimikatz Credential dumper.
NBTScan Scanner for open NETBIOS nameservers on a local or remote TCP/IP network.
Netcat Reads from and writes to network connections using TCP or UDP protocols.
PsExec Executes a command line process on a remote machine.
Windows Credential Editor (WCE) Credential dumper.
WinRAR Archiving utility.

Table 1: GALLIUM tooling.

GALLIUM has signed several tools using stolen code signing certificates. For example, they’ve used a credential dumping tool signed using a stolen certificate from Whizzimo, LLC, as shown in Figure 1. The code signing certificate shown in Figure 1 was no longer valid at the time of writing; however, it shows GALLIUM had access to such certificates.

Image showing "Signers" using in the credential dumping tool signed using a stolen Whizzimo, LLC certificate.

Figure 1. Credential dumping tool signed using a stolen Whizzimo, LLC certificate.

GALLIUM primarily relies on compromised domain credentials to move through the target network, and as outlined above, uses several credential harvesting tools. Once they have acquired credentials, the activity group uses PsExec extensively to move laterally between hosts in the target network.

Installation

GALLIUM predominantly uses widely available tools. In certain instances, GALLIUM has modified these tools to add additional functionality. However, it’s likely these modifications have been made to subvert antimalware solutions since much of the malware and tooling employed by GALLIUM is historic and is widely detected by security products. For example, QuarkBandit is a modified version of the widely used Gh0st RAT, an openly available remote access tool (RAT). Similarly, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM’s toolkit for maintaining access to a victim network.

Infrastructure

GALLIUM predominantly uses dynamic DNS subdomains to provide command and control (C2) infrastructure for their malware. Typically, the group uses the ddns.net and myftp.biz domains provided by noip.com. MSTIC analysis indicates the use of dynamic DNS providers as opposed to registered domains is in line with GALLIUM’s trend towards low cost and low effort operations.

GALLIUM domains have been observed hosted on infrastructure in mainland China, Hong Kong SAR, and Taiwan.

When connecting to web shells on a target network GALLIUM has been observed employing Taiwan-based servers. Observed IP addresses appear to be exclusive to GALLIUM, have little to no legitimate activity, and are reused in multiple operations. These servers provide high fidelity pivot points during an investigation.

A package of GALLIUM indicators containing GALLIUM command and control domains used during this operation have been prepared for Azure Sentinel and is available on the Microsoft GitHub.

Image showing an Azure Sentinel query of GALLIUM indicators.

Figure 2. Azure Sentinel query of GALLIUM indicators.

GALLIUM use of malware

First stage

GALLIUM does not typically use a traditional first stage installer for their malware. Instead, the group relies heavily on web shells as a first method of persistence in a victim network following successful exploitation. Subsequent malware is then delivered through existing web shell access.

Microsoft Defender Advanced Threat Protection (ATP) exposes anomalous behavior that indicate web shell installation and post compromise activity by analysing script file writes and process executions. Microsoft Defender ATP offers a number of detections for web shell activity protecting customers not just from GALLIUM activity but broader web shell activity too. Read the full report in your Microsoft Defender ATP portal.

Image showing Microsoft Defender ATP web shell detection.

Figure 3. Microsoft Defender ATP web shell detection.

When alerted of these activities, the security operations team can then use the rich capabilities in Microsoft Defender ATP to investigate web shell activity and subsequent reconnaissance and enumeration activity to resolve web shell attacks.

Image showing a Microsoft Defender ATP web shell process tree.

Figure 4. Microsoft Defender ATP web shell process tree.

In addition to standard China Chopper, GALLIUM has been observed using a native web shell for servers running Microsoft IIS that is based on the China Chopper web shell; Microsoft has called this “BlackMould.”

BlackMould contains functionality to perform the following tasks on a victim host:

  • Enumerate local drives.
  • Employ basic file operations like find, read, write, delete, and copy.
  • Set file attributes.
  • Exfiltrate and infiltrate files.
  • Run cmd.exe with parameters.

Commands are sent in the body of HTTP POST requests.

Second stage

In cases where GALLIUM has deployed additional malware on a victim network, they’ve used versions of the Gh0st RAT (modified Ghost RAT detected as QuarkBandit) and Poison Ivy malware. In both cases, GALLIUM has modified the communication method used by the malware, likely to prevent detection through existing antimalware signatures since both malware families have several detections based on their original communication methods. Malware families are noted in Table 2.

Malware family Description and primary usage
BlackMould Native IIS web shell based on the China Chopper web shell.
China Chopper Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.
Poison Ivy (modified) Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version that appears to be unique to GALLIUM.
QuarkBandit Gh0st RAT variant with modified configuration options and encryption.

Table 2. GALLIUM malware families.

GALLIUM’s malware and tools appear to be highly disposable and low cost. In cases where GALLIUM has invested in modifications to their toolset, they appear to focus on evading antimalware detection, likely to make the malware and tooling more effective.

The MSTIC team works closely with Microsoft security products to implement detections and protections for GALLIUM malware and tooling in a number of Microsoft products. Figure 4 shows one such detection for a GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Image showing the GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Figure 5. GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Additionally, MSTIC has authored a number of antimalware signatures for Windows Defender Antivirus covering the aforementioned malware families, a list of GALLIUM exclusive signature can be found in the Related indicators” section.

In addition to these malware families, GALLIUM has been observed employing SoftEther VPN software to facilitate access and maintain persistence to a target network. By installing SoftEther on internal systems, GALLIUM is able to connect through that system as though they are on the internal network of the target. SoftEther provides GALLIUM with another means of persistence and flexibility with the added benefit that its traffic may appear to be benign on the target network.

Recommended defenses

The following are recommended defenses security operations teams can take to mitigate the impact of threats like GALLIUM in your corporate environment:

  • Maintain web server patching and log audits, run web services with minimum required operating system permissions
  • Install security updates on all applications and operating systems promptly. Check the Security Update Guide for detailed information about available Microsoft security updates.
  • For efficient incident response, maintain a forensics-ready network with centralized event logging, file detonation services, and up-to-date asset inventories.
  • Enable cloud-delivered protection and maintain updated antivirus.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence (AI) and machine learning to quickly identify and stop new and unknown threats.
  • Use behavior detection solutions to catch credential dumping or other activity that may indicate a breach.
  • Adopt Azure ATP—a cloud-based security solution that leverages your on-premises Active Directory signals—to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
  • Use Microsoft Defender ATP to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
  • Institute Multi-Factor Authentication (MFA) to mitigate against compromised accounts.

Related indicators

The list below provides known GALLIUM tooling and Indicators of Compromise (IOCs) observed during this activity. Microsoft encourages customers to implement detections and protections to identify possible prior campaigns or prevent future campaigns against their systems.

Tooling

Tool Purpose
HTRAN Connection bouncer to proxy connections.
Mimikatz Credential dumper.
NBTScan Scanner for open NETBIOS nameservers on a local or remote TCP/IP network.
Netcat Reads from and writes to network connections using TCP or UDP protocols.
PsExec Executes a command line process on a remote machine.
Windows Credential Editor (WCE) Credential dumper.
WinRAR Archiving utility.

Malware

Malware Notes
BlackMould Native IIS version of the China Chopper web shell.
China Chopper Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.
Poison Ivy (modified) Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version which appears to be unique to GALLIUM.
QuarkBandit Gh0st RAT variant with modified configuration options and encryption.

Indicators

Indicator Type
asyspy256[.]ddns[.]net Domain
hotkillmail9sddcc[.]ddns[.]net Domain
rosaf112[.]ddns[.]net Domain
cvdfhjh1231[.]myftp[.]biz Domain
sz2016rose[.]ddns[.]net Domain
dffwescwer4325[.]myftp[.]biz Domain
cvdfhjh1231[.]ddns[.]net Domain
9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd Sha256
7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b Sha256
657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5 Sha256
2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29 Sha256
52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77 Sha256
a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3 Sha256
5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022 Sha256
6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883 Sha256
3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e Sha256
1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7 Sha256
fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1 Sha256
7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c Sha256
178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945 Sha256
51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9 Sha256
889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79 Sha256
332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf Sha256
44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08 Sha256
63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef Sha256
056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070 Sha256
TrojanDropper:Win32/BlackMould.A!dha Signature Name
Trojan:Win32/BlackMould.B!dha Signature Name
Trojan:Win32/QuarkBandit.A!dha Signature Name
Trojan:Win32/Sidelod.A!dha Signature Name

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post GALLIUM: Targeting global telecom appeared first on Microsoft Security.

Zero Trust strategy—what good looks like

November 11th, 2019 No comments

Zero Trust has managed to both inspire and confuse the cybersecurity industry at the same time. A significant reason for the confusion is that Zero Trust isn’t a specific technology, but a security strategy (and arguably the first formal strategy, as I recently heard Dr. Chase Cunningham, Principal Analyst at Forrester, aptly point out).

Microsoft believes that the Zero Trust strategy should be woven throughout your organization’s architectures, technology selections, operational processes, as well as the throughout the culture of your organization and mindset of your people.

Zero Trust will build on many of your existing security investments, so you may already have made progress on this journey. Microsoft is publishing learnings and guidance from many perspectives to help organizations understand, anticipate, and manage the implications of this new strategy. This guidance will continue to grow as we learn more. A few highlights include:

In previous posts of this series, we described Microsoft’s vision for an optimal Zero Trust model and the journey of our own IT organization from a classic enterprise security to Zero Trust. Today, we focus on what a good strategy looks like and recommended prioritization (with a bit of history for context).

Zero Trust security continuously validates trustworthiness of each entity in your enterprise (identities, applications and services, devices) starting each with a trust level of zero.

Evolution of security strategy

The central challenge of cybersecurity is that the IT environment we defend is highly complex, leading security departments (often with limited budgets/resources) to find efficient ways to mitigate risk of advanced, intelligent, and continuously evolving attackers.

Most enterprises started with the use of a “trusted enterprise network,” but have since found fundamental limitations of that broad trust approach. This creates a natural pressure to remove the “shortcut” of a trusted enterprise network and do the hard work of measuring and acting on the trustworthiness of each entity.

Network or identity? Both (and more)!

The earliest coherent descriptions of the Zero Trust idea can be traced to proposals in the wake of the major wave of cybersecurity attacks. Beginning in the early 2000s, businesses and IT organizations were rocked by worms like ILOVEYOU, Nimda, and SQL Slammer. While painful, these experiences were a catalyst for positive security initiatives like Microsoft’s Security Development Lifecycle (SDL) and began serious discussions on improving computer security. The strategy discussions during this timeframe formed into two main schools of thought—network and identity:

  • Network—This school of thought doubled down on using network controls for security by creating smaller network segments and measuring trust of devices before network controls allow access to resources. While promising, this approach was highly complex and saw limited uptake outside a few bright spots like Google’s BeyondCorp.
  • Identity—Another approach, advocated by the Jericho Forum, pushed to move away from network security controls entirely with a “de-perimeterisation” approach. This approach was largely beyond the reach of technology available at the time but planted important seeds for the Zero Trust of today.

Microsoft ultimately recommends an approach that includes both schools of thought that leverage the transformation of the cloud to mitigate risk spanning the modern assets and (multiple generations of) legacy technology in most enterprises.

Prioritizing and planning Zero Trust

Microsoft recommends rigorous prioritization of Zero Trust efforts to maximize security return on investment (ROI). This default prioritization is based on learnings from our experience, our customers, and others in the industry.

  1. Align strategies and teams—Your first priority should be to get all the technical teams on the same page and establish a single enterprise segmentation strategy aligned to business needs. We often find that network, identity, and application teams each have different approaches of logically dividing up the enterprise that are incompatible with each other, creating confusion and conflict. See the CISO workshop video, Module 3 Part 3: Strategy and Priorities, for more discussion of this topic.
  2. Build identity-based perimeter—Starting immediately (in parallel to priority #1), your organization should adopt identity controls like Multi-Factor Authentication (MFA) and passwordless to better protect your identities. You should quickly grow this into a phased plan that measures (and enforces) trustworthiness of users and devices accessing resources, and eventually validating trust of each resource being accessed. See the CISO workshop video, Module 3 Part 6: Build an Identity Perimeter, for more information on identity perimeters.
  3. Refine network perimeter—The next priority is to refine your network security strategy. Depending on your current segmentation and security posture, this could include:
    • Basic segmentation/alignment—Adopt a clear enterprise segmentation model (built in #1) from a “flat network” or fragmented/non-aligned segmentation strategy. Implementing this is often a significant undertaking that requires extensive discovery of assets and communication patterns to limit operational downtime. It’s often easier to do this as you migrate to the cloud (which naturally includes this discovery) than it is to retrofit to an existing on-premises environment.
    • Micro-segmenting datacenter—Implement increasingly granular controls on your datacenter network to increase attacker cost. This requires detailed knowledge of applications in the datacenter to avoid operational downtime. Like basic segmentation, this can be added during a cloud migration or a net new cloud deployment easier than retrofitting to an on-premises datacenter.
    • Internet first clients—A simple but significant shift is when you move client endpoints from being on the internet part-time to full-time (versus sometimes on corporate network and sometimes remote). This is a straightforward concept, but it requires having already established a strong identity perimeter, strong endpoint security and management over the internet, publishing legacy applications to your internet clients, dedicated administrative workstations, and potentially other initiatives before “rolling back” the firewalls from clients.

What good looks like

Zero Trust is a model that will ultimately be infused throughout your enterprise and should inform virtually all access decisions and interactions between systems.

Expanding on the three principles of Zero Trust from the Zero Trust vision paper—Verify Explicitly, Least Privilege Access, and Assume Breach—the hallmarks of a good enterprise Zero Trust strategy include:

  • Continuously measure trust and risk—Ensure all users and devices attempting to access resources are validated as trustworthy enough to access the target resource (based on sensitivity of target resource). As technology becomes available to do it, you should also validate the trustworthiness of the target resources.
  • Enterprise-wide consistency—Ensure that you have a single Zero Trust policy engine to consistently apply your organizations policy to all of your resources (versus multiple engines whose configuration could diverge). Most organizations shouldn’t expect to cover all resources immediately but should invest in technology that can apply policy to all modern and legacy assets.
  • Enable productivity—For successful adoption and usage, ensure that the both security and business productivity goals are appropriately represented in the policy. Make sure to include all relevant business, IT, and security stakeholders in policy design and refine the policy as the needs of the organization and threat landscape evolve. For more information, see Meet Productivity and Security Goals.
  • Maximize signal to increase cost of attack—The more measurements you include in a trust decision—which reflect good/normal behavior—the more difficult/expensive it is for attackers to mimic legitimate sign-ins and activities, deterring or degrading an attacker’s ability to damage your organization.
  • Fail safe—The system operation should always stay in a safe state, even after a failed/incorrect decision (for example, preserve life/safety and business value via confidentiality, integrity, and availability assurances). Consider the possible and likely failures (for example, mobile device unavailable or biometrics unsuccessful) and design fallbacks to safely handle failures for both:
    • Security (for example, detection and response processes).
    • Productivity (remediation mechanisms via helpdesk/support systems).
  • Contain risk of attacker movement into smaller zones—This is particularly important when you’re reliant on legacy/static controls that cannot dynamically measure and enforce trustworthiness of inbound access attempts (for example, static network controls for legacy applications/servers/devices).

Into the future

Over time, we expect Zero Trust will become accepted and commonplace where people simply learn it in “Security 101” (much like the least privilege principle today). Zero Trust is expected to evolve as we all become more comfortable with what this new normal entails and have ideas on how to optimize efficiency and address the attackers’ ongoing attempts to find a chink in the new armor.

Zero Trust

Reach the optimal state in your Zero Trust journey.


Learn more

Our next blog will discuss how to make Zero Trust real in your enterprise starting with technology available today, which you may already have deployed or have access to! In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust strategy—what good looks like appeared first on Microsoft Security.

Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise

October 28th, 2019 No comments

Microsoft Threat Experts is the managed threat hunting service within Microsoft Defender Advanced Threat Protection (ATP) that includes two capabilities: targeted attack notifications and experts on demand.

Today, we are extremely excited to share that experts on demand is now generally available and gives customers direct access to real-life Microsoft threat analysts to help with their security investigations.

With experts on demand, Microsoft Defender ATP customers can engage directly with Microsoft security analysts to get guidance and insights needed to better understand, prevent, and respond to complex threats in their environments. This capability was shaped through partnership with multiple customers across various verticals by investigating and helping mitigate real-world attacks. From deep investigation of machines that customers had a security concern about, to threat intelligence questions related to anticipated adversaries, experts on demand extends and supports security operations teams.

The other Microsoft Threat Experts capability, targeted attack notifications, delivers alerts that are tailored to organizations and provides as much information as can be quickly delivered to bring attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion. Together, the two capabilities make Microsoft Threat Experts a comprehensive managed threat hunting solution that provides an additional layer of expertise and optics for security operations teams.

Experts on the case

By design, the Microsoft Threat Experts service has as many use cases as there are unique organizations with unique security scenarios and requirements. One particular case showed how an alert in Microsoft Defender ATP led to informed customer response, aided by a targeted attack notification that progressed to an experts on demand inquiry, resulting in the customer fully remediating the incident and improving their security posture.

In this case, Microsoft Defender ATP endpoint protection capabilities recognized a new malicious file in a single machine within an organization. The organization’s security operations center (SOC) promptly investigated the alert and developed the suspicion it may indicate a new campaign from an advanced adversary specifically targeting them.

Microsoft Threat Experts, who are constantly hunting on behalf of this customer, had independently spotted and investigated the malicious behaviors associated with the attack. With knowledge about the adversaries behind the attack and their motivation, Microsoft Threat Experts sent the organization a bespoke targeted attack notification, which provided additional information and context, including the fact that the file was related to an app that was targeted in a documented cyberattack.

To create a fully informed path to mitigation, experts pointed to information about the scope of compromise, relevant indicators of compromise, and a timeline of observed events, which showed that the file executed on the affected machine and proceeded to drop additional files. One of these files attempted to connect to a command-and-control server, which could have given the attackers direct access to the organization’s network and sensitive data. Microsoft Threat Experts recommended full investigation of the compromised machine, as well as the rest of the network for related indicators of attack.

Based on the targeted attack notification, the organization opened an experts on demand investigation, which allowed the SOC to have a line of communication and consultation with Microsoft Threat Experts. Microsoft Threat Experts were able to immediately confirm the attacker attribution the SOC had suspected. Using Microsoft Defender ATP’s rich optics and capabilities, coupled with intelligence on the threat actor, experts on demand validated that there were no signs of second-stage malware or further compromise within the organization. Since, over time, Microsoft Threat Experts had developed an understanding of this organization’s security posture, they were able to share that the initial malware infection was the result of a weak security control: allowing users to exercise unrestricted local administrator privilege.

Experts on demand in the current cybersecurity climate

On a daily basis, organizations have to fend off the onslaught of increasingly sophisticated attacks that present unique security challenges in security: supply chain attacks, highly targeted campaigns, hands-on-keyboard attacks. With Microsoft Threat Experts, customers can work with Microsoft to augment their security operations capabilities and increase confidence in investigating and responding to security incidents.

Now that experts on demand is generally available, Microsoft Defender ATP customers have an even richer way of tapping into Microsoft’s security experts and get access to skills, experience, and intelligence necessary to face adversaries.

Experts on demand provide insights into attacks, technical guidance on next steps, and advice on risk and protection. Experts can be engaged directly from within the Microsoft Defender Security Center, so they are part of the existing security operations experience:

We are happy to bring experts on demand within reach of all Microsoft Defender ATP customers. Start your 90-day free trial via the Microsoft Defender Security Center today.

Learn more about Microsoft Defender ATP’s managed threat hunting service here: Announcing Microsoft Threat Experts.

 

 

The post Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise appeared first on Microsoft Security.

IoT security will set innovation free: Azure Sphere general availability scheduled for February 2020

October 28th, 2019 No comments

Today, at the IoT Solutions World Congress, we announced that Azure Sphere will be generally available in February of 2020. General availability will mark our readiness to fulfill our security promise at scale, and to put the power of Microsoft’s expertise to work for our customers every day—by delivering over a decade of ongoing security improvements and OS updates delivered directly to each device.

Since we first introduced Azure Sphere in 2018, the IoT landscape has quickly expanded. Today, there are more connected things than people in the world: 14.2 billion in 2019, according to Gartner, and this number is expected to hit 20 billion by 2020. Although this number appears large, we expect IoT adoption to accelerate to provide connectivity to hundreds of billions of devices. This massive growth will only increase the stakes for devices that are not secured.

Recent research by Bain & Co. lists security as the leading barrier to IoT adoption. In fact, enterprise customers would buy at least 70 percent more IoT devices if a product addresses their concerns about cybersecurity. According to Bain & Co., enterprise executives, with an innate understanding of the risk that connectivity opens their brands and customers to, are willing to pay a 22 percent premium for secured devices.

Azure Sphere’s mission is to empower every organization on the planet to connect and create secured and trustworthy IoT devices. We believe that for innovation to deliver durable value, it must be built on a foundation of security. Our customers need and expect reliable, consistent security that will set innovation free. To deliver on this, we’ve made several strategic investments and partnerships that make it possible to meet our customers wherever they are on their IoT journey.

Delivering silicon choice to enable heterogeneity at the edge

By partnering with silicon leaders, we can combine our expertise in security with their unique capabilities to best serve a diverse set of customer needs.

MediaTek’s MT3620, the first Azure Sphere certified chip produced, is designed to meet the needs of the more traditional MCU space, including Wi-Fi-enabled scenarios. Today, our customers across industries are adopting the MT3620 to design and produce everything from consumer appliances to retail and manufacturing equipment—these chips are also being used to power a series of guardian modules to securely connect and protect mission-critical equipment.

In June, we announced our collaboration with NXP to deliver a new Azure Sphere certified chip. This new chip will be an extension of their popular i.MX 8 high-performance applications processor series and be optimized for performance and power. This will bring greater compute capabilities to our line-up to support advanced workloads, including artificial intelligence (AI), graphics, and richer UI experiences.

Earlier this month, we announced our collaboration with Qualcomm to deliver the first cellular-enabled Azure Sphere chip. With ultra-low-power capabilities this new chip will light up a broad new set of scenarios and give our customers the freedom to securely connect anytime, anywhere.

Streamlining prototyping and production with a diverse hardware ecosystem

Manufacturers are looking for ways to reduce cost, complexity, and time to market when designing new devices and equipment. Azure Sphere development kits from our partners at Seeed Studios and Avnet are designed to streamline the prototyping and planning when building Azure Sphere devices. When you’re ready to shift gears into production mode, there are a variety of modules by partners including AI-Link, USI, and Avnet to help you reduce costs and accelerate production so you can get to market faster.

Adding secured connectivity to existing mission-critical equipment

Many enterprises are looking to unlock new value from existing equipment through connectivity. Guardian modules are designed to help our customers quickly bring their existing investments online without taking on risk and jeopardizing mission-critical equipment. Guardian modules plug into existing physical interfaces on equipment, can be easily deployed with common technical skillsets, and require no device redesign. The deployment is fast, does not require equipment to be replaced before its end of life, and quickly pays for itself. The first guardian modules are available today from Avnet and AI-Link, with more expected soon.

Empowering developers with the right tools

Developers need tools that are as modern as the experiences they aspire to deliver. In September of 2018, we released our SDK preview for Visual Studio. Since then, we’ve continued to iterate rapidly, making it quicker and simpler to develop, deploy, and debug Azure Sphere apps. We also built out a set of samples and solutions on GitHub, providing easy building blocks for developers to get started. And, as we shared recently, we’ll soon have an SDK for Linux and support for Visual Studio Code. By empowering their developers, we help manufacturers bring innovation to market faster.

Creating a secure environment for running an RTOS or bare-metal code

As manufacturers transform MCU-powered devices by adding connectivity, they want to leverage existing code running on an RTOS or bare-metal. Earlier this year, we provided a secured environment for this code by enabling the M4 core processors embedded in the MediaTek MT3620 chip. Code running on these real-time cores is programmed and debugged using Visual Studio. Using these tools, such code can easily be enhanced to send and receive data via the protection of a partner app running on the Azure Sphere OS, and it can be updated seamlessly in the field to add features or to address issues. Now, manufacturers can confidently secure and service their connected devices, while leveraging existing code for real-time processing operations.

Delivering customer success

Deep partnerships with early customers have helped us understand how IoT can be implemented to propel business, and the critical role security plays in protecting their bottom line, brand, and end users. Today, we’re working with hundreds of customers who are planning Azure Sphere deployments, here are a few highlights from across retail, healthcare, and energy:

  • Starbucks—In-store equipment is the backbone of not just commerce, but their entire customer experience. To reduce disruptions and maintain a quality experience, Starbucks is partnering with Microsoft to deploy Azure Sphere across its existing mission-critical equipment in stores globally using guardian modules.
  • Gojo—Gojo Industries, the inventor of PURELL Hand Sanitizer, has been driving innovation to improve hygiene compliance in health organizations. Deploying motion detectors and connected PURELL dispensers in healthcare facilities made it possible to quantify hand cleaning behavior in a way that made it possible to implement better practices. Now, PURELL SMARTLINK Technology is undergoing an upgrade with Azure Sphere to deploy secure and connected dispensers in hospitals.
  • Leoni—Leoni develops cable systems that are central components within critical application fields that manage energy and data for the automotive sector and other industries. To make cable systems safer, more reliable, and smarter, Leoni uses Azure Sphere with integrated sensors to actively monitor cable conditions, creating intelligent and connected cable systems.

Looking forward

We want to empower every organization on the planet to connect and create secure and trustworthy IoT devices. While Azure Sphere leverages deep and extensive Microsoft heritage that spans hardware, software, cloud, and security, IoT is our opportunity to prove we can deliver in a new space. Our work, our collaborations, and our partnerships are evidence of the commitment we’ve made to our customers—to give them the tools and confidence to transform the world with new experiences. As we close in on the milestone achievement of Azure Sphere general availability, we are already focused on how to give our customers greater opportunities to securely shape the future.

The post IoT security will set innovation free: Azure Sphere general availability scheduled for February 2020 appeared first on Microsoft Security.

Patching as a social responsibility

October 9th, 2019 No comments

In the wake of the devastating (Not)Petya attack, Microsoft set out to understand why some customers weren’t applying cybersecurity hygiene, such as security patches, which would have helped mitigate this threat. We were particularly concerned with why patches hadn’t been applied, as they had been available for months and had already been used in the WannaCrypt worm—which clearly established a ”real and present danger.”

We learned a lot from this journey, including how important it is to build clearer industry guidance and standards on enterprise patch management. To help make it easier for organizations to plan, implement, and improve an enterprise patch management strategy, Microsoft is partnering with the U.S. National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE).

NIST and Microsoft are extending an invitation for you to join this effort if you’re a:

  • Vendor—Any vendor who has technology offerings to help with patch management (scan, report, deploy, measure risk, etc.).
  • Organization or individual—All those who have tips and lessons learned from a successful enterprise management program (or lessons learned from failures, challenges, or any other situations).

If you have pertinent learnings that you can share, please reach out to cyberhygiene@nist.gov.

During this journey, we also worked closely with additional partners and learned from their experience in this space, including the:

  • Center for Internet Security (CIS)
  • U.S. Department of Homeland Security (DHS) Cybersecurity
  • Cybersecurity and Infrastructure Security Agency (CISA) (formerly US-CERT / DHS NCCIC)

A key part of this learning journey was to sit down and listen directly to our customer’s challenges. Microsoft visited a significant number of customers in person (several of which I personally joined) to share what we learned—which became part of the jointly endorsed mitigation roadmap—and to have some really frank and open discussions to learn why organizations really aren’t applying security patches.

While the discussions mostly went in expected directions, we were surprised at how many challenges organizations had on processes and standards, including:

  • “What sort of testing should we actually be doing for patch testing?”
  • “How fast should I be patching my systems?”

This articulated need for good reference processes was further validated by observing that a common practice for “testing” a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum.

This realization guided the discussions with our partners towards creating an initiative in the NIST NCCoE in collaboration with other industry vendors. This project—kicking off soon—will build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in the NIST Special Publication 1800 practice guide for all to benefit.

Applying patches is a critical part of protecting your system, and we learned that while it isn’t as easy as security departments think, it isn’t as hard as IT organizations think.

In many ways, patching is a social responsibility because of how much society has come to depend on technology systems that businesses and other organizations provide. This situation is exacerbated today as almost all organizations undergo digital transformations, placing even more social responsibility on technology.

Ultimately, we want to make it easier for everyone to do the right thing and are issuing this call to action. If you’re a vendor that can help or if you have relevant learnings that may help other organizations, please reach out to cyberhygiene@nist.gov. Now!

To learn more about how you can protect your time and empower your team, check out the cybersecurity awareness page this month.

The post Patching as a social responsibility appeared first on Microsoft Security.

Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers

December 3rd, 2018 No comments

Reuters recently reported a hacking campaign focused on a wide range of targets across the globe. In the days leading to the Reuters publication, Microsoft researchers were closely tracking the same campaign.

Our sensors revealed that the campaign primarily targeted public sector institutions and non-governmental organizations like think tanks and research centers, but also included educational institutions and private-sector corporations in the oil and gas, chemical, and hospitality industries.

Microsoft customers using the complete Microsoft Threat Protection solution were protected from the attack. Behavior-based protections in multiple Microsoft Threat Protection components blocked malicious activities and exposed the attack at its early stages. Office 365 Advanced Threat Protection caught the malicious URLs used in emails, driving the blocking of said emails, including first-seen samples. Meanwhile, numerous alerts in Windows Defender Advanced Threat Protection exposed the attacker techniques across the attack chain.

Third-party security researchers have attributed the attack to a threat actor named APT29 or CozyBear, which largely overlaps with the activity group that Microsoft calls YTTRIUM. While our fellow analysts make a compelling case, Microsoft does not yet believe that enough evidence exists to attribute this campaign to YTTRIUM.

Regardless, due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the step of notifying thousands of individual recipients in hundreds of targeted organizations. As part of the Defending Democracy Program, Microsoft encourages eligible organizations to participate in Microsoft AccountGuard, a service designed to help these highly targeted customers protect themselves from cybersecurity threats.

Attack overview

The aggressive campaign began early in the morning of Wednesday, November 14. The targeting appeared to focus on organizations that are involved with policy formulation and politics or have some influence in that area.

Phishing targets in different industry verticals

Although targets are distributed across the globe, majority are located in the United States, particularly in and around Washington, D.C. Other targets are in Europe, Hong Kong, India, and Canada.

Phishing targets in different locations

The spear-phishing emails mimicked sharing notifications from OneDrive and, as noted by Reuters, impersonated the identity of individuals working at the United States Department of State. If recipients clicked a link on the spear-phishing emails, they began an exploitation chain that resulted in the implantation of a DLL backdoor that gave the attackers remote access to the recipients machines.

Attack chain

Analysis of the campaign

Delivery

The spear-phishing emails used in this attack resemble file-sharing notifications from OneDrive.

The emails contain a link to a legitimate, but compromised third-party website:

hxxps://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJl[random string]

The random strings are likely used to identify distinct targeted individuals who clicked on the link. However, all observed variants of this link redirect to a specific link on the same site:

hxxps://www.jmj.com/personal/nauerthn_state_gov/VFVKRTdRSm

When users click the link, they are served a ZIP archive containing a malicious LNK file. All files in a given attack have the same file name, for example, ds7002.pdf, ds7002.zip, and ds7002.lnk.

Installation

The LNK file represents the first stage of the attack. It executes an obfuscated PowerShell command that extracts a base64-encoded payload from within the LNK file itself, starting at offset 0x5e2be and extending 16,632 bytes.

Encoded content in the LNK file

The encoded payloadanother heavily obfuscated PowerShell scriptis decoded and executed:

Decoded second script

The second script carves out two additional resources from within the .LNK file:

  • ds7002.PDF (A decoy PDF)
  • cyzfc.dat (The first stage implant)

Command and control

The first-stage DLL, cyzfc.dat, is created by the PowerShell script in the path %AppData%\Local\cyzfc.dat. It is a 64-bit DLL that exports one function: PointFunctionCall.

The PowerShell script then executes cyzfc.dat by calling rundll32.exe. After connecting to the first-stage command-and-control server at pandorasong[.]com (95.216.59.92), cyzfc.dat begins to install the final payload by taking the following actions:

  1. Allocate a ReadWrite page for the second-stage payload
  2. Extract the second-stage payload as a resource
  3. Take a header that is baked into the first payload with a size 0xEF bytes
  4. Concatenate the header with the resource, starting at byte 0x12A.
  5. De-XOR the second-stage payload with a rolling XOR (ROR1), starting from key 0xC5.

The second stage is an instance of Cobalt Strike, a commercially available penetration testing tool, which performs the following steps:

  1. Define a local named pipe with the format \\.\pipe\MSSE-<number>-server, where <number> is a random number between 0 and 9897
  2. Connecting to the pipe, write it global data with size 0x3FE00
  3. Implement a backdoor over the named pipe:

    1. Read from the pipe (maximum 0x3FE00 bytes) to an allocated buffer
    2. DeXOR the payload onto a new RW memory region, this time with a much simple XOR key: simple XORing every 4 bytes with 0x7CC2885F
    3. Turn the region to be RX
    4. Create a thread that starts running the payload’

The phase that writes to global data to the pipe actually writes a third payload. That payload is XORed with the same XORing algorithm used for reading. When decrypted, it forms a PE file with a Meterpreter header, interpreting instructions in the PE header and moving control to a reflective loader:

The third payload eventually gets loaded and connects to the command-and-control (C&C) server address that is baked-in inside configuration information in the PE file. This configuration information is de-XORed at the third payload runtime:

The configuration information itself mostly contains C&C information:

CobaltStrike is a feature-rich penetration testing tool that provides remote attackers with a wide range of capabilities, including escalating privileges, capturing user input, executing arbitrary commands through PowerShell or WMI, performing reconnaissance, communicating with C&C servers over various protocols, and downloading and installing additional malware.

End-to-end defense through Microsoft Threat Protection

Microsoft Threat Protection is a comprehensive solution for enterprise networks, protecting identities, endpoints, user data, cloud apps, and infrastructure. By integrating Microsoft services, Microsoft Threat Protection facilitates signal sharing and threat remediation across services. In this attack, Office 365 Advanced Threat Protection and Windows Defender Advanced Threat Protection quickly mitigated the threat at the onset through durable behavioral protections.

Office 365 ATP has enhanced phishing protection and coverage against new threats and polymorphic variants. Detonation systems in Office 365 ATP caught behavioral markers in links in the emails, allowing us to successfully block campaign emailsincluding first-seen samplesand protect targeted customers. Three existing behavioral-based detection algorithms quickly determined that the URLs were malicious. In addition, Office 365 ATP uses security signals from Windows Defender ATP, which had a durable behavior-based antivirus detection (Behavior:Win32/Atosev.gen!A) for the second-stage malware.If you are not already secured against advanced cyberthreat campaigns via email, begin a free Office 365 E5 trial today.

Safe Links protection in Office 365 ATP protects customers from attacks like this by analyzing unknown URLs when customers try to open them. Zero-hour Auto Purge (ZAP) actively removes emails post-delivery after they have been verified as maliciousthis is often critical in stopping attacks that weaponize embedded URLs after the emails are sent.

All of these protections and signals on the attack entry point are shared with the rest of the Microsoft Threat Protection components. Windows Defender ATP customers would see alerts related to the detection of the malicious emails by Office 365 ATP, as well the behavior-based antivirus detection.

Windows Defender ATP detects known filesystem and network artifacts associated with the attack. In addition, the actions of the LNK file are detected behaviorally. Alerts with the following titles are indicative of this attack activity:

  • Artifacts associated with an advanced threat detected
  • Network activity associated with an advanced threat detected
  • Low-reputation arbitrary code executed by signed executable
  • Suspicious LNK file opened

Network protection blocks connections to malicious domains and IP addresses. The following attack surface reduction rule also blocks malicious activities related to this attack:

  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria

Through Windows Defender Security Center, security operations teams could investigate these alerts and pivot to machines, users, and the new Incidents view to trace the attack end-to-end. Automated investigation and response capabilities, threat analytics, as well as advanced hunting and new custom detections, empower security operations teams to defend their networks from this attack.To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free Windows Defender ATP trial.

The following Advanced hunting query can help security operations teams search for any related activities within the network:

//Query 1: Events involving the DLL container
let fileHash = "9858d5cb2a6614be3c48e33911bf9f7978b441bf";
find in (FileCreationEvents, ProcessCreationEvents, MiscEvents, 
RegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where EventTime > ago(10d)

//Query 2: C&C connection
NetworkCommunicationEvents 
| where EventTime > ago(10d) 
| where RemoteUrl == "pandorasong.com" 

//Query 3: Malicious PowerShell
ProcessCreationEvents 
| where EventTime > ago(10d) 
| where ProcessCommandLine contains 
"-noni -ep bypass $zk=' JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0" 

//Query 4: Malicious domain in default browser commandline
ProcessCreationEvents 
| where EventTime > ago(10d) 
| where ProcessCommandLine contains 
"https://www.jmj.com/personal/nauerthn_state_gov" 

//Query 5: Events involving the ZIP
let fileHash = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1";
find in (FileCreationEvents, ProcessCreationEvents, MiscEvents, 
RegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where EventTime > ago(10d)

The provided queries check events from the past ten days. Change EventTime to focus on a different period.

 

 

 

Windows Defender Research team, Microsoft Threat Intelligence Center, and Office 365 ATP research team

 

 

 

Indicators of attack

Files (SHA-1)

  • ds7002.ZIP: cd92f19d3ad4ec50f6d19652af010fe07dca55e1
  • ds7002.LNK: e431261c63f94a174a1308defccc674dabbe3609
  • ds7002.PDF (decoy PDF): 8e928c550e5d44fb31ef8b6f3df2e914acd66873
  • cyzfc.dat (first-stage): 9858d5cb2a6614be3c48e33911bf9f7978b441bf

URLs

  • hxxps://www.jmj[.]com/personal/nauerthn_state_gov/VFVKRTdRSm

C&C servers

  • pandorasong[.]com (95.216.59.92) (first-stage C&C server)

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

 

The post Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers appeared first on Microsoft Secure.

Small businesses targeted by highly localized Ursnif campaign

September 6th, 2018 No comments

Cyber thieves are continuously looking for new ways to get people to click on a bad link, open a malicious file, or install a poisoned update in order to steal valuable data. In the past, they cast as wide a net as possible to increase the pool of potential victims. But attacks that create a lot of noise are often easier to spot and stop. Cyber thieves are catching on that we are watching them, so they are trying something different. Now were seeing a growing trend of small-scale, localized attacks that use specially crafted social engineering to stay under the radar and compromise more victims.

In social engineering attacks, is less really more?

A new malware campaign puts that to the test by targeting home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets. Macro-laced documents masqueraded as statements from legitimate businesses. The documents are then distributed via email to target victims in cities where the businesses are located.

With Windows Defender AVs next gen defense, however, the size of the attack doesnt really matter.

Several cloud-based machine learning algorithms detected and blocked the malicious documents at the onset, stopping the attack and protecting customers from what would have been the payload, info-stealing malware Ursnif.

The map below shows the location of the targets.

Figure 1. Geographic distribution of target victims

Highly localized social engineering attack

Heres how the attack played out: Malicious, macro-enabled documents were delivered as email attachments to target small businesses and users. Each document had a file name that spoofed a legitimate business name and masqueraded as a statement from that business. In total, we saw 21 unique document file names used in this campaign.

The attackers sent these emails to intended victims in the city or general geographic area where the businesses are located. For example, the attachment named Dolan_Care_Statement.doc was sent almost exclusively to targets in Missouri. The document file name spoofs a known establishment in St. Louis. While we do not believe the establishment itself was affected or targeted by this attack, the document purports to be from the said establishment when its really not.

The intended effect is for recipients to get documents from local, very familiar business or service providers. Its part of the social engineering scheme to increase likelihood that recipients will think the document is legitimate and take the bait, when in reality it is a malicious document.

Most common lure document file names Top target cities
Dockery_FloorCovering_Statement Johnson City, TN
Kingsport, TN
Knoxville, TN
Dolan_Care_Statement St. Louis, MO
Chesterfield, MO
Lees Summit, MO
DMS_Statement Omaha, NE
Wynot, NE
Norwalk, OH
Dmo_Statement New Braunfels, TX
Seguin, TX
San Antonio, TX
DJACC_Statement Miami, FL
Flagler Beach, FL
Niles, MI
Donovan_Construction_Statement Alexandria, VA
Mclean, VA
Manassas, VA

Table 1. Top target cities of most common document file names

When recipients open the document, they are shown a message that tricks the person into enabling the macro.

Figure 2. Document tricks victim into enabling the macro

As is typical in social engineering attacks, this is not true. If the recipient does enable the macro, no content is shown. Instead the following process is launched to deobfuscate a PowerShell command.

Figure 3. Process to deobfuscate PowerShell

Figure 4. PowerShell command

The PowerShell script connects to any of 12 different URLs that all deliver the payload.

Figure 5. Deobfuscated PowerShell command

The payload is Ursnif, info-stealing malware. When run, Ursnif steals information about infected devices, as well as sensitive information like passwords. Notably, this infection sequence (i.e., cmd.exe process deobfuscates a PowerShell that in turn downloads the payload) is a common method used by other info-stealing malware like Emotet and Trickbot.

How machine learning stopped this small-scale, localized attack

As the malware campaign got under way, four different cloud-based machine learning models gave the verdict that the documents were malicious. These four models are among a diverse set of models that help ensure we catch a wide range of new and emerging threats. Different models have different areas of expertise; they use different algorithms and are trained on their unique set of features.

One of the models that gave the malicious verdict is a generic model designed to detect non-portable executable (PE) threats. We have found that models like this are effective in catching social engineering attacks, which typically use non-PE files like scripts and, as is the case for this campaign, macro-laced documents.

The said non-PE model is a simple averaged perceptron algorithm that uses various features, including expert features, fuzzy hashes of various file sections, and contextual data. The simplicity of the model makes it fast, enabling it to give split-second verdicts before suspicious files could execute. Our analysis into this specific model showed that the expert features and fuzzy hashes had the biggest impact in the models verdict and the eventual blocking of the attack.

Figure 6. Impact of features used by one ML model that detected the attack

Next-generation protection against malware campaigns regardless of size

Machine learning and artificial intelligence power Windows Defender AV to detect and stop new and emerging attacks before they can wreak havoc. Every day, we protect customers from millions of distinct, first-seen malware. Our layered approach to intelligent, cloud-based protection employs a diverse set of machine learning models designed to catch the wide range of threats: from massive malware campaigns to small-scale, localized attacks.

The latter is a growing trend, and we continue to watch the threat landscape to keep machine learning effective against attacks. In a recent blog post, we discussed how we continue to harden machine learning defenses.

Windows Defender AV delivers the next-gen protection capabilities in the Windows Defender Advanced Threat Protection (Windows Defender ATP). Windows Defender ATP integrates attack surface reduction, next-gen protection, endpoint detection and response (EDR), automatic investigation and response, security posture, and advanced hunting capabilities. .

Because of this integration, antivirus detections, such as those related to this campaign, are surfaced in Windows Defender Security Center. Using EDR capabilities, security operations teams can then investigate and respond to the incident. Attack surface reduction rules also block this campaign, and these detections are likewise surfaced in Windows Defender ATP.To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Across the whole Microsoft 365 threat protection, detections and other security signals are shared among Office 365 ATP, Windows Defender ATP, and Azure ATP. In this Ursnif campaign, the antivirus detection also enables the blocking of related emails in Office 365. This demonstrates how signal sharing and orchestration of remediation across solutions in Microsoft 365 results in better integrated threat protection.

 

 

Bhavna Soman
Windows Defender Research

 

Indicators of compromise (IOCs)

Infector:

Hashes
407a6c99581f428634f9d3b9ec4b79f79c29c79fdea5ea5e97ab3d280b2481a1
77bee1e5c383733efe9d79173ac1de83e8accabe0f2c2408ed3ffa561d46ffd7
e9426252473c88d6a6c5031fef610a803bce3090b868d9a29a38ce6fa5a4800a
f8de4ebcfb8aa7c7b84841efd9a5bcd0935c8c3ee8acf910b3f096a5e8039b1f

File names
CSC_Statement.doc
DBC_Statement.doc
DDG_Statement.doc
DJACC_Statement.doc
DKDS_Statement.doc
DMII_Statement.doc
dmo_statement.doc
DMS_Statement.doc
Dockery_Floorcovering_Statement.doc
Docktail_Bar_Statement.doc
doe_statement.doc
Dolan_Care_Statement.doc
Donovan_Construction_Statement.doc
Donovan_Engineering_Statement.doc
DSD_Statement.doc
dsh_statement.doc
realty_group_statement.doc
statement.doc
tri-lakes_motors_statement.doc
TSC_Statement.doc
UCP_Statement.doc

Payload (Ursnif)

Hashes
31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f
bd23a2eec4f94c07f4083455f022e4d58de0c2863fa6fa19d8f65bfe16fa19aa
75f31c9015e0f03f24808dca12dd90f4dfbbbd7e0a5626971c4056a07ea1b2b9
070d70d39f310d7b8842f645d3ba2d44b2f6a3d7347a95b3a47d34c8e955885d
15743d098267ce48e934ed0910bc299292754d02432ea775957c631170778d71

URLs
hxxp://vezopilan[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://cimoselin[.]com/tst/index[.]php?l=soho2[.]tkn
hxxp://cimoselin[.]com/tst/index[.]php?l=soho4[.]tkn
hxxp://vedoriska[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://baberonto[.]com/tst/index[.]php?l=soho3[.]tkn

hxxp://hertifical[.]com/tst/index[.]php?l=soho8[.]tkn
hxxp://hertifical[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://condizer[.]com/tst/index[.]php?l=soho1[.]tkn
hxxp://vezeronu[.]com/tst/index[.]php?l=soho2[.]tkn
hxxp://vezeronu[.]com/tst/index[.]php?l=soho5[.]tkn

hxxp://zedrevo[.]com/tst/index[.]php?l=soho8[.]tkn
hxxp://zedrevo[.]com/tst/index[.]php?l=soho10[.]tkn

*Note: The first four domains above are all registered in Russia and are hosted on the IP address 185[.]212[.]44[.]114. The other domains follow the same URL pattern and are also pushing Ursnif, but no registration info is available.

 

 

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Building the security operations center of tomorrow—harnessing the law of data gravity

August 30th, 2018 No comments

This post was coauthored by Diana Kelley, Cybersecurity Field CTO, and , EMEA Chief Security Advisor, Cybersecurity Solutions Group.

Youve got a big dinner planned and your dishwasher goes on the fritz. You call the repair company and are lucky enough to get an appointment for that afternoon. The repairperson shows up and says, Yes, its broken, but to figure out why I will need to run some tests. They start to remove your dishwasher from the outlet. What are you doing? you ask. Im taking it back to our repair shop for analysis and then repair, they reply. At this point, youre annoyed. You have a big party in three hours, and taking the dishwasher all the way back to the shop for analysis means someone will be washing dishes by hand after your partywhy not test it right here and right now so it can be fixed on the spot?

Now, imagine the dishwasher is critical business data located throughout your organization. Sending all that data to a centralized location for analysis will give you insights, eventually, but not when you really need it, which is now. In cases where the data is extremely large, you may not be able to move it at all. Instead it makes more sense to bring services and applications to your data. This at the heart of a concept called data gravity, described by Dave McCrory back in 2010. Much like a planet, your data has mass, and the bigger that mass, the greater its gravitational pull, or gravity well, and the more likely that apps and services are drawn to it. Gravitational movement is accelerated when bandwidth and latency are at a premium, because the closer you are to something the faster you can process and act on it. This is the big driver of the intelligent cloud/intelligent edge. We bring analytics and compute to connected devices to make use of all the data they collect in near real-time.

But what might not be so obvious is what, if anything, does data gravity have to do with cybersecurity and the security operations center (SOC) of tomorrow. To have that discussion, lets step back and look at the traditional SOCs, built on security information and event management (SIEM) solutions developed at the turn of the century. The very first SIEM solutions were predominantly focused on log aggregation. Log information from core security tools like firewalls, intrusion detection systems, and anti-virus/malware tools were collected from all over a company and moved to a single repository for processing.

That may not sound super exciting from our current vantage point of 2018, but back in 2000 it was groundbreaking. Admins were struggling with an increasing number of security tools, and the ever-expanding logs from those tools. Early SIEM solutions gave them a way to collect all that data and apply security intelligence and analytics to it. The hope was that if we could gather all relevant security log and reporting data into one place, we could apply rules and quickly gather insights about threats to our systems and security situational awareness. In a way this was antidata gravity, where data moved to the applications and services rather than vice versa.

After the initial hype for SIEM solutions, SOC managers realized a few of their limitations. Trying to write rules for security analytics proved to be quite hard. A minor error in a rule led to high false positives that ate into analyst investigative time. Many companies were unable to get all the critical log data into the SIEM, leading to false negatives and expensive blind spots. And one of the biggest concerns with traditional SIEM was the latency. SIEM solutions were marketed as real-time analytics, but once an action was written to a log, collected, sent to the SIEM, and then parsed through the SIEM analytics engine, quite a bit of latency was introduced. When it comes to responding to fast moving cyberthreats, latency is a distinct disadvantage.

Now think about these challenges and add the explosive amounts of data generated today by the cloud and millions of connected devices. In this environment its not uncommon that threat campaigns go unnoticed by an overloaded SIEM analytics engine. And many of the signals that do get through are not investigated because the security analysts are overworked. Which brings us back to data gravity.

What was one of the forcing factors for data gravity? Low tolerance for latency. What was the other? Building applications by applying insights and machine learning to data. So how can we build the SOC of tomorrow? By respecting the law of data gravity. If we can perform security analytics close to where the data already is, we can increase the speed of response. This doesnt mean the end of aggregation. Tomorrows SOC will employ a hybrid approach by performing analytics as close to the data mass as possible, and then rolling up insights, as needed, to a larger central SOC repository for additional analysis and insight across different gravity wells.

Does this sound like an intriguing idea? We think so. Being practitioners, though, we most appreciate when great theories can be turned into real-world implementations. Please stay tuned for part 2 of this blog series, where we take the concept of tomorrows SOC and data gravity into practice for today.

Attack inception: Compromised supply chain within a supply chain poses new risks

A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case. Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the apps legitimate installer the unsuspecting carrier of a malicious payload. The attack seemed like just another example of how cybercriminals can sneak in malware using everyday normal processes.

The plot twist: The app vendors systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out be an interesting and unique case of an attack involving “the supply chain of the supply chain”.

The attackers monetized the campaign using cryptocurrency miners going as far as using two variants, for good measure adding to an expanding list of malware attacks that install coin miners.

We estimate based on evidence from Windows Defender ATP that the compromise was active between January and March 2018 but was very limited in nature. Windows Defender ATP detected suspicious activity on a handful of targeted computers; Automated investigation automatically resolved the attack on these machines.

While the impact is limited, the attack highlighted two threat trends: (1) the escalating frequency of attacks that use software supply chains as threat vector, and (2) the increasing use of cryptocurrency miners as primary means for monetizing malware campaigns.

This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources. This is evidence that software supply chains are becoming a risky territory and a point-of-entry preferred even by common cybercriminals.

Hunting down the software supply chain compromise

As with most software supply chain compromises, this new attack was carried out silently. It was one of numerous attacks detected and automatically remediated by Windows Defender ATP on a typical day.

While customers were immediately protected, our threat hunting team began an in-depth investigation when similar infection patterns started emerging across different sets of machines: Antivirus capabilities in Windows Defender ATP was detecting and blocking a coin mining process masquerading as pagefile.sys, which was being launched by a service named xbox-service.exe. Windows Defender ATP’s alert timeline showed that xbox-service.exe was installed by an installer package that was automatically downloaded from a suspicious remote server.

Figure 1. Windows Defender ATP alert for the coin miner used in this incident

A machine compromised with coin miner malware is relatively easy to remediate. However, investigating and finding the root cause of the coin miner infection without an advanced endpoint detection and response (EDR) solution like Windows Defender ATP is challenging; tracing the infection requires a rich timeline of events. In this case, Advanced hunting capabilities in Windows Defender ATP can answer three basic questions:

  • What created xbox-service.exe and pagefile.sys files on the host?
  • Why is xbox-service.exe being launched as a service with high privileges?
  • What network and process activities were seen just before xbox-service.exe was launched?

Answering these questions is painless with Windows Defender ATP. Looking at the timeline of multiple machines, our threat hunting team was able to confirm that an offending installer package (MSI) was downloaded and written onto devices through a certain PDF editor app (an alternative app to Adobe Acrobat Reader).

The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation. All the MSI files were clean and digitally signed by the same legitimate company except for the one malicious file. Clearly, something in the download and installation chain was subverted at the source, an indication of software supply chain attack.

Figure 2. Windows Defender ATP answers who, when, what (xbox-service.exe created right after MSI installation)

As observed in previous supply chain incidents, hiding malicious code inside an installer or updater program gives attackers the immediate benefit of having full elevated privileges (SYSTEM) on a machine. This gives malicious code the permissions to make system changes like copying files to the system folder, adding a service, and running coin mining code.

Confident with the results of our investigation, we reported findings to the vendor distributing the PDF editor app. They were unaware of the issue and immediately started investigating on their end.

Working with the app vendor, we discovered that the vendor itself was not compromised. Instead, the app vendor itself was the victim of a supply chain attack traceable to their dependency on a second software vendor that was responsible for creating and distributing the additional font packages used by the app. The app vendor promptly notified their partner vendor, who was able to identify and remediate the issue and quickly interrupted the attack.

Multi-tier software supply chain attack

The goal of the attackers was to install a cryptocurrency miner on victim machines. They used the PDF editor app to download and deliver the malicious payload. To compromise the software distribution chain, however, they targeted one of the app vendors software partners, which provided and hosted additional font packages downloaded during the apps installation.

Figure 3. Diagram of the software distribution infrastructure of the two vendors involved in this software supply chain attack

This software supply chain attack shows how cybercriminals are increasingly using methods typically associated with sophisticated cyberattacks. The attack required a certain level of reconnaissance: the attackers had to understand how the normal installation worked. They eventually found an unspecified weakness in the interactions between the app vendor and partner vendor that created an opportunity.

The attackers figured out a way to hijack the installation chain of the MSI font packages by exploiting the weakness they found in the infrastructure. Thus, even if the app vendor was not compromised and was completely unaware of the situation, the app became the unexpected carrier of the malicious payload because the attackers were able to redirect downloads.

At a high level, heres an explanation of the multi-tier attack:

  1. Attackers recreated the software partners infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font package, all clean and digitally signed, in the replica sever.
  2. The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
  3. Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
  4. As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers replica server instead of the software partners server.

While the attack was active, when the app reached out to the software partners server during installation, it was redirected to download the malicious MSI font package from the attackers replica server. Thus, users who downloaded and installed the app also eventually installed the coin miner malware. After, when the device restarts, the malicious MSI file is replaced with the original legitimate one, so victims may not immediately realize the compromise happened. Additionally, the update process was not compromised, so the app could properly update itself.

Windows Defender ATP customers were immediately alerted of the suspicious installation activity carried out by the malicious MSI installer and by the coin miner binary, and the threat was automatically remediated.

Figure 4. Windows Defender ATP alert process tree for download and installation of MSI font packages: all legitimate, except for one

Since the compromise involved a second-tier software partner vendor, the attack could potentially expand to customers of other app vendors that share the same software partner. Based on PDF application names hardcoded by the attackers in the poisoned MSI file, we have identified at least six additional app vendors that may be at risk of being redirected to download installation packages from the attackers server. While we were not able to find evidence that these other vendors distributed the malicious MSI, the attackers were clearly operating with a broader distribution plot in mind.

Another coin miner malware campaign

The poisoned MSI file contained malicious code in a single DLL file that added a service designed to run a coin mining process. The said malware, detected as Trojan:Win64/CoinMiner, hid behind the name xbox-service.exe. When run, this malware consumed affected machines computing resources to mine Monero coins.

Figure 5. Malicious DLL payload extracted from the MSI installer

Another interesting aspect of the DLL payload is that during the malware installation stage, it tries to modify the Windows hosts file so that the infected machine cant communicate with the update servers of certain PDF apps and security software. This is an attempt to prevent remote cleaning and remediation of affected machines.

Figure 6. Preventing further download of updates from certain PDF app vendors

Inside the DLL, we also found some traces of an alternative form of coin mining: browser scripts. Its unclear if this code was the attackers potential secondary plan or simply a work in progress to add one more way to maximize coin mining opportunities. The DLL contained strings and code that may be used to launch a browser to connect to the popular Coinhive library to mine Monero coins.

Figure 7. Browser-based coin mining script

Software supply chain attacks: A growing industry problem

In early 2017, we discovered operation WilySupply, an attack that compromised a text editors software updater to install a backdoor on targeted organizations in the financial and IT sectors. Several weeks later, another supply chain attack made headlines by initiating a global ransomware outbreak. We confirmed speculations that the update process for a tax accounting software popular in Ukraine was the initial infection vector for the Petya ransomware. Later that same year, a backdoored version of CCleaner, a popular freeware tool, was delivered from a compromised infrastructure. Then, in early 2018, we uncovered and stopped a Dofoil outbreak that poisoned a popular signed peer-to-peer application to distribute a coin miner.

These are just some of many similar cases of supply chain attacks observed in 2017 and 2018. We predict, as many other security researchers do, that this worrisome upward trend will continue.

Figure 8. Software supply chain attacks trends (source: RSA Conference 2018 presentation “The Unexpected Attack Vector: Software Updaters“)

The growing prevalence of supply chain attacks may be partly attributed to hardened modern platforms like Windows 10 and the disappearance of traditional infection vectors like browser exploits. Attackers are constantly looking for the weakest link; with zero-day exploits becoming too expensive to buy or create (exploit kits are at their historically lowest point), attackers search for cheaper alternative entry points like software supply chains compromise. Benefiting from unsafe code practices, unsecure protocols, or unprotected server infrastructure of software vendors to facilitate these attacks.

The benefit for attackers is clear: Supply chains can offer a big base of potential victims and can result in big returns. Its been observed targeting a wide range of software and impacting organizations in different sectors. Its an industry-wide problem that requires attention from multiple stakeholders – software developers and vendors who write the code, system admins who manage software installations, and the information security community who find these attacks and create solutions to protect against them, among others.

For further reading, including a list of notable supply chain attacks, check out our RSA Conference 2018 presentation on the topic of software supply chain attack trends: The Unexpected Attack Vector: Software Updaters.

Recommendations for software vendors and developers

Software vendors and developers need to ensure they produce secure as well as useful software and services. To do that, we recommend:

  • Maintain a highly secure build and update infrastructure.

    • Immediately apply security patches for OS and software.
    • Implement mandatory integrity controls to ensure only trusted tools run.
    • Require multi-factor authentication for admins.

  • Build secure software updaters as part of the software development lifecycle.

    • Require SSL for update channels and implement certificate pinning.
    • Sign everything, including configuration files, scripts, XML files, and packages.
    • Check for digital signatures, and dont let the software updater accept generic input and commands.

  • Develop an incident response process for supply chain attacks.

    • Disclose supply chain incidents and notify customers with accurate and timely information.

Defending corporate networks against supply chain attacks

Software supply chain attacks raise new challenges in security given that they take advantage of common everyday tasks like software installation and update. Given the increasing prevalence of these types of attacks, organizations should investigate the following security solutions:

  • Adopt a walled garden ecosystem for devices, especially for critical systems.Windows 10 in S mode is designed to allow only apps installed from the Microsoft Store, ensuring Microsoft-verified security
  • Deploy strong code integrity policies.Application control can be used to restrict the applications that users are allowed to run. It also restricts the code that runs in the system core (kernel) and can block unsigned scripts and other forms of untrusted code for customers who cant fully adopt Windows 10 in S mode.
  • Use endpoint detection and response (EDR) solutions.Endpoint detection and response capabilities in Windows Defender ATP can automatically detect and remediate suspicious activities and other post-breach actions, so even when entry vector is stealthy like for software supply chain, Windows Defender ATP can help to detect and contain such incidents sooner.

In supply chain attacks, the actual compromise happens outside the network, but organizations can detect and block malware that arrive through this method. The built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. For example, as demonstrated in this investigation, antivirus capabilities detected the coin mining payload. The detection was surfaced on Windows Defender ATP, where automated investigation resolved the attack, protecting customers. The rich alert timeline and advanced hunting capabilities in Windows Defender ATP showed the extent of the software supply chain attack. Through this unified platform, Windows Defender ATP delivers attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, and advanced hunting.

 

 

Elia Florio
with Lior Ben Porat
Windows Defender ATP Research team

 

 

Indicators of compromise (IOCs)

Malicious MSI font packages:
– a69a40e9f57f029c056d817fe5ce2b3a1099235ecbb0bcc33207c9cff5e8ffd0
– ace295558f5b7f48f40e3f21a97186eb6bea39669abcfa72d617aa355fa5941c
– 23c5e9fd621c7999727ce09fd152a2773bc350848aedba9c930f4ae2342e7d09
– 69570c69086e335f4b4b013216aab7729a9bad42a6ce3baecf2a872d18d23038

Malicious DLLs embedded in MSI font packages:
– b306264d6fc9ee22f3027fa287b5186cf34e7fb590d678ee05d1d0cff337ccbf

Coin miner malware:
– fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e (xbox-service.exe)
– 1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b (pagefile.sys)

Software supply chain download server:
– hxxp://vps11240[.]hyperhost[.]name/escape/[some_font_package].msi (IP: 91[.]235 [.]129 [.]133)

Command-and-control/coin mining:
– hxxp://data28[.]somee [.]com/data32[.]zip
– hxxp://carma666[.]byethost12 [.]com/32[.]html

 

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Taking apart a double zero-day sample discovered in joint hunt with ESET

In late March 2018, I analyzed an interesting PDF sample found by ESET senior malware researcher Anton Cherpanov. The sample was initially reported to Microsoft as a potential exploit for an unknown Windows kernel vulnerability. During my investigation in parallel with ESET researchers, I was surprised to discover two new zero-day exploits in the same PDF. One exploit affected Adobe Acrobat and Reader, while the other exploit affected older platforms, Windows 7 and Windows Server 2008. Microsoft and Adobe have since released corresponding security updates:

The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory. ESET provided an analysis of the exploitation routines in the sample PDF.

Although the PDF sample was found in VirusTotal, we have not observed actual attacks perpetrated using these exploits. The exploit was in early development stage, given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code.

Finding and neutralizing a double zero-day exploit before an attacker had a chance to use it was an amazing result of the great collaboration between ESET, Microsoft, and Adobe security researchers.

Heres some more information about the exploit process. This analysis is based on a sample we found after additional hunting (SHA-256: 4b672deae5c1231ea20ea70b0bf091164ef0b939e2cf4d142d31916a169e8e01).

Exploit overview

The Adobe Acrobat and Reader exploit is incorporated in a PDF document as a malicious JPEG 2000 stream containing the JavaScript exploit code. The following diagram provides an overview of the exploit process.

Figure 1. Overview of the exploit process

As shown in the diagram, the exploit process takes place in several stages:

  1. JavaScript lays out heap spray memory.
  2. Malicious JPEG 2000 stream triggers an out-of-bounds access operation.
  3. The access operation is called upon out-of-bounds memory laid out by the heap spray.
  4. The access operation corrupts the virtual function table (vftable).
  5. The corrupted vftable transfers execution to a return-oriented programming (ROP) chain.
  6. The ROP chain transfers execution to the main shellcode.
  7. The main elevation-of-privilege (EoP) module loads through reflective DLL loading.
  8. The main PE module launches the loaded Win32k EoP exploit.
  9. When the EoP exploit succeeds, it drops a .vbs file in the Startup folder. The .vbs file appears to be proof-of-concept malware designed to download additional payloads.

Malicious JPEG 2000 stream

The malicious JPEG 2000 stream is embedded with the following malicious tags.

Figure 2. Malicious JPEG 2000 stream

The following image shows the CMAP and PCLR tags with malicious values. The length of CMAP array (0xfd) is smaller than the index value (0xff) referenced in PCLR tagsthis results in the exploitation of the out-of-bounds memory free vulnerability.

Figure 3. Out-of-bounds index of CMAP array

Combined with heap-spray technique used in the JavaScript, the out-of-bounds exploit leads to corruption of the vftable.

Figure 4. vftable corruption with ROP chain to code execution

The shellcode and portable executable (PE) module is encoded in JavaScript.

Figure 5 Shellcode in JavaScript

Reflective DLL loading

The shellcode (pseudocode shown below) loads the main PE module through reflective DLL loading, a common technique seen in advanced attacks to attempt staying undetected in memory. On Windows 10, the reflective DLL loading technique is exposed by Windows Defender Advanced Threat Protection (Windows Defender ATP).

The shellcode searches for the start of the PE record and parses PE sections, copying them to the newly allocated memory area. It then passes control to an entry point in the PE module.

Figure 6. Copying PE sections to allocated memory

Figure 7. Passing control to an entry point in the loaded DLL

Main Win32k EoP exploit

The main Win32k elevation-of-privilege (EoP) exploit runs from the loaded PE module. It appears to target machines running Windows 7 SP1 and takes advantage of the previously unreported CVE-2018-8120 vulnerability, which is not present on Windows 10 and newer products. The exploit uses a NULL page to pass malicious records and copy arbitrary data to an arbitrary kernel location. The NULL page dereference exploitation technique is also mitigated by default for x64 platforms running Windows 8 or later.

Figure 8. EoP exploit flow

Heres how the main exploit proceeds:

  1. The exploit calls NtAllocateVirtualMemory following sgdt instructions to allocate a fake data structure at the NULL page.
  2. It passes a malformed MEINFOEX structure to the SetImeInfoEx Win32k kernel function.
  3. SetImeInfoEx picks up the fake data structure allocated at the NULL page.
  4. The exploit uses the fake data structure to copy malicious instructions to +0x1a0 on the Global Descriptor Table (GDT).
  5. It calls an FWORD instruction to call into the fake GDT entry instructions.
  6. The exploit successfully calls instructions in the fake GDT entry.
  7. The instructions run shellcode allocated in user mode from kernel mode memory space.
  8. The exploit modifies the EPROCESS.Token of the shellcode process to grant SYSTEM privileges.

On Windows 10, the EPROCESS.Token modification behavior would be surfaced by Windows Defender ATP.

The malformed IMEINFOEX structure in combination with fake data at the NULL page triggers corruption of the GDT entry as shown below.

Figure 9. Corrupted GDT entry

The corrupted GDT has actual instructions that run through call gate through a call FWORD instruction.

Figure 10. Patched GDT entry instructions

After returning from these instructions, the extended instruction pointer (EIP) returns to the caller code in user space with kernel privileges. The succeeding code elevates privileges of the current process by modifying the process token to SYSTEM.

Figure 11. Replacing process token pointer

Persistence

After privilege escalation, the exploit code drops the .vbs, a proof-of-concept malware, into the local Startup folder.

Figure 12. Code that drops the .vbs file to the Startup folder

Recommended defenses

To protect against attacks leveraging the exploits found in the PDF:

While we have not seen attacks distributing the PDF, Office 365 Advanced Threat Protection (Office 365 ATP) would block emails that carry malformed PDF and other malicious attachments. Office 365 ATP uses a robust detonation platform, heuristics, and machine learning to inspect attachments and links for malicious content in real-time.

Windows 10 users are not impacted by the dual exploits, thanks to platform hardening and exploit mitigations. For attacks against Windows 10, Windows Defender Advanced Threat Protection (Windows Defender ATP) would surface kernel attacks with similar exploitation techniques that use process token modification to elevate privileges, as shown below (sample process privilege escalation alert).

Figure 13. Sample Windows Defender ATP alert for process token modification

With Advanced hunting in Windows Defender ATP, customers can hunt for related exploit activity using the following query we added to the Github repository:

Figure 14. Advanced hunting query

Windows Defender ATP provides complete endpoint protection platform (EPP) and endpoint detection response (EDR) solutions for Windows 10, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. Additional support for devices running Windows 7 and Windows 8.1 is currently in preview. Additionally, Windows Defender ATP can surface threats on macOS, Linux, and Android devices via security partners.

Windows Defender ATP integrates with other technologies in Windows, Office 365, and Enterprise Mobility + Security platforms to automatically update protection and detection and orchestrate remediation across Microsoft 365.

To experience the power of Windows Defender ATP for yourself, sign up for a free trial now.

Indicators of compromise

SHA-256: dd4e4492fecb2f3fe2553e2bcedd44d17ba9bfbd6b8182369f615ae0bd520933
SHA-1: 297aef049b8c6255f4461affdcfc70e2177a71a9
File type: PE
Description: Win32k exploit

SHA-256: 4b672deae5c1231ea20ea70b0bf091164ef0b939e2cf4d142d31916a169e8e01
SHA-1: 0d3f335ccca4575593054446f5f219eba6cd93fe
File type: PDF
Description: Test exploit

SHA-256: 0608c0d26bdf38e064ab3a4c5c66ff94e4907ccaf98281a104fd99175cdf54a8
SHA-1: c82cfead292eeca601d3cf82c8c5340cb579d1c6
File type: PDF
Description: PDF exploit testing sample (Win32k part missing)

SHA-256: d2b7065f7604039d70ec393b4c84751b48902fe33d021886a3a96805cede6475
SHA-1: edeb1de93dce5bb84752276074a57937d86f2cf7
File type: JavaScript
Description: JavaScript embedded in 0608c0d26bdf38e064ab3a4c5c66ff94e4907ccaf98281a104fd99175cdf54a8

 

 

Matt Oh
Windows Defender ATP Research

 

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Machine learning vs. social engineering

Machine learning is a key driver in the constant evolution of security technologies at Microsoft. Machine learning allows Microsoft 365 to scale next-gen protection capabilities and enhance cloud-based, real-time blocking of new and unknown threats. Just in the last few months, machine learning has helped us to protect hundreds of thousands of customers against ransomware, banking Trojan, and coin miner malware outbreaks.

But how does machine learning stack up against social engineering attacks?

Social engineering gives cybercriminals a way to get into systems and slip through defenses. Security investments, including the integration of advanced threat protection services in Windows, Office 365, and Enterprise Mobility + Security into Microsoft 365, have significantly raised the cost of attacks. The hardening of Windows 10 and Windows 10 in S mode, the advancement of browser security in Microsoft Edge, and the integrated stack of endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) further raise the bar in security. Attackers intent on overcoming these defenses to compromise devices are increasingly reliant on social engineering, banking on the susceptibility of users to open the gate to their devices.

Modern social engineering attacks use non-portable executable (PE) files like malicious scripts and macro-laced documents, typically in combination with social engineering lures. Every month, Windows Defender AV detects non-PE threats on over 10 million machines. These threats may be delivered as email attachments, through drive-by web downloads, removable drives, browser exploits, etc. The most common non-PE threat file types are JavaScript and VBScript.

Figure 1. Ten most prevalent non-PE threat file types encountered by Windows Defender AV

Non-PE threats are typically used as intermediary downloaders designed to deliver more dangerous executable malware payloads. Due to their flexibility, non-PE files are also used in various stages of the attack chain, including lateral movement and establishing fileless persistence. Machine learning allows us to scale protection against these threats in real-time, often protecting the first victim (patient zero).

Catching social engineering campaigns big and small

In mid-May, a small-scale, targeted spam campaign started distributing spear phishing emails that spoofed a landscaping business in Calgary, Canada. The attack was observed targeting less than 100 machines, mostly located in Canada. The spear phishing emails asked target victims to review an attached PDF document.

When opened, the PDF document presents itself as a secure document that requires action a very common social engineering technique used in enterprise phishing attacks. To view the supposed secure document, the target victim is instructed to click a link within the PDF, which opens a malicious website with a sign-in screen that asks for enterprise credentials.

Phished credentials can then be used for further attacks, including CEO fraud, additional spam campaigns, or remote access to the network for data theft or ransomware. Our machine learning blocked the PDF file as malware (Trojan:Script/Cloxer.A!cl) from the get-go, helping prevent the attack from succeeding.

Figure 2. Phishing email campaign with PDF attachment

Beyond targeted credential phishing attacks, we commonly see large-scale malware campaigns that use emails with archive attachments containing malicious VBScript or JavaScript files. These emails typically masquerade as an outstanding invoice, package delivery, or parking ticket, and instruct targets of the attack to refer to the attachment for more details. If the target opens the archive and runs the script, the malware typically downloads and runs further threats like ransomware or coin miners.

Figure 3. Typical social engineering email campaign with an archive attachment containing a malicious script

Malware campaigns like these, whether limited and targeted or large-scale and random, occur frequently. Attackers go to great lengths to avoid detection by heavily obfuscating code and modifying their attack code for each spam wave. Traditional methods of manually writing signatures identifying patterns in malware cannot effectively stop these attacks. The power of machine learning is that it is scalable and can be powerful enough to detect noisy, massive campaigns, but also specific enough to detect targeted attacks with very few signals. This flexibility means that we can stop a wide range of modern attacks automatically at the onset.

Machine learning models zero in on non-executable file types

To fight social engineering attacks, we build and train specialized machine learning models that are designed for specific file types.

Building high-quality specialized models requires good features for describing each file. For each file type, the full contents of hundreds of thousands of files are analyzed using large-scale distributed computing. Using machine learning, the best features that describe the content of each file type are selected. These features are deployed to the Windows Defender AV client to assist in describing the content of each file to machine learning models.

In addition to these ML-learned features, the models leverage expert researcher-created features and other useful file metadata to describe content. Because these ML models are trained for specific file types, they can zone in on the metadata of these file types.

Figure 4. Specialized file type-specific client ML models are paired with heavier cloud ML models to classify and protect against malicious script files in real-time

When the Windows Defender AV client encounters an unknown file, lightweight local ML models search for suspicious characteristics in the files features. Metadata for suspicious files are sent to the cloud protection service, where an array of bigger ML classifiers evaluate the file in real-time.

In both the client and the cloud, specialized file-type ML classifiers add to generic ML models to create multiple layers of classifiers that detect a wide range of malicious behavior. In the backend, deep-learning neural network models identify malicious scripts based on their full file content and behavior during detonation in a controlled sandbox. If a file is determined malicious, it is not allowed to run, preventing infection at the onset.

File type-specific ML classifiers are part of metadata-based ML models in the Windows Defender AV cloud protection service, which can make a verdict on suspicious files within a fraction of a second.

Figure 5. Layered machine learning models in Windows Defender ATP

File type-specific ML classifiers are also leveraged by ensemble models that learn and combine results from the whole array of cloud classifiers. This produces a comprehensive cloud-based machine learning stack that can protect against script-based attacks, including zero-day malware and highly targeted attacks. For example, the targeted phishing attack in mid-May was caught by a specialized PDF client-side machine learning model, as well as several cloud-based machine learning models, protecting customers in real-time.

Microsoft 365 threat protection powered by artificial intelligence and data sharing

Social engineering attacks that use non-portable executable (PE) threats are pervasive in todays threat landscape; the impact of combating these threats through machine learning is far-reaching.

Windows Defender AV combines local machine learning models, behavior-based detection algorithms, generics, and heuristics with a detonation system and powerful ML models in the cloud to provide real-time protection against polymorphic malware. Expert input from researchers, advanced technologies like Antimalware Scan Interface (AMSI), and rich intelligence from the Microsoft Intelligent Security Graph continue to enhance next-generation endpoint protection platform (EPP) capabilities in Windows Defender Advanced Threat Protection.

In addition to antivirus, components of Windows Defender ATPs interconnected security technologies defend against the multiple elements of social engineering attacks. Windows Defender SmartScreen in Microsoft Edge (also now available as a Google Chrome extension) blocks access to malicious URLs, such as those found in social engineering emails and documents. Network protection blocks malicious network communications, including those made by malicious scripts to download payloads. Attack surface reduction rules in Windows Defender Exploit Guard block Office-, script-, and email-based threats used in social engineering attacks. On the other hand, Windows Defender Application Control can block the installation of untrusted applications, including malware payloads of intermediary downloaders. These security solutions protect Windows 10 and Windows 10 in S mode from social engineering attacks.

Further, Windows Defender ATP endpoint detection and response (EDR) uses the power of machine learning and AMSI to unearth script-based attacks that live off the land. Windows Defender ATP allows security operations teams to detect and mitigate breaches and cyberattacks using advanced analytics and a rich detection library. With the April 2018 Update, automated investigation and advance hunting capabilities further enhance Windows Defender ATP. Sign up for a free trial.

Machine learning also powers Office 365 Advanced Threat Protection to detect non-PE attachments in social engineering spam campaigns that distribute malware or steal user credentials. This enhances the Office 365 ATP comprehensive and multi-layered solution to protect mailboxes, files, online storage, and applications against threats.

These and other technologies power Microsoft 365 threat protection to defend the modern workplace. In Windows 10 April 2018 Update, we enhanced signal sharing across advanced threat protection services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft Intelligent Security Graph. This integration enables these technologies to automatically update protection and detection and orchestrate remediation across Microsoft 365.

 

Gregory Ellison and Geoff McDonald
Windows Defender Research

 

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.