Archive

Archive for the ‘Microsoft security intelligence’ Category

Latest Astaroth living-off-the-land attacks are even more invisible but not less observable

March 23rd, 2020 No comments

Following a short hiatus, Astaroth came back to life in early February sporting significant changes in its attack chain. Astaroth is an info-stealing malware that employs multiple fileless techniques and abuses various legitimate processes to attempt running undetected on compromised machines. The updated attack chain, which we started seeing in late 2019, maintains Astaroth’s complex, multi-component nature and continues its pattern of detection evasion.

Figure 1. Microsoft Defender ATP data showing revival of Astaroth campaigns

Heat map showing Astaroth encounters, with Brazil accounting for majority of encounters

Figure 2. Geographic distribution of Astaroth campaigns this year, with majority of encounters recorded in Brazil

When we first blogged about Astaroth’s methods, we noted how it completely lived off the land to avoid detection: only system tools that are already existing on the machine are ever executed. In fact, it was an unusual spike in activities related to Windows Management Instrumentation Command-line (WMIC) that prompted our investigation and eventually exposed the Astaroth campaign.

Astaroth now completely avoids the use of WMIC and related techniques to bypass existing detections. Instead, the attackers introduced new techniques that make the attack chain even stealthier:

  • Abusing Alternate Data Streams (ADS) to hide malicious payloads
  • Abusing the legitimate process ExtExport.exe, a highly uncommon attack vector, to load the payload

Astaroth exemplifies how living-off-the-land techniques have become standard components of today’s attacks intent on evading security solutions. However, as we mentioned in our previous blog on Astaroth, fileless threats are very much observable. These threats still leave a great deal of memory footprint that can be inspected and blocked as they happen. Next-generation protection and behavioral containment and blocking capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) lead the charge in exposing threats like Astaroth.

In this blog, we’ll share our technical analysis of the revamped Astaroth attack chain and demonstrate how specific Microsoft technologies tackle the multiple advanced components of the attack.

Dismantling the new Astaroth attack chain

The attackers were careful to ensure the updates didn’t make Astaroth easier to detect; on the contrary, the updates only make Astaroth’s activities even more invisible.

One of the most significant updates is the use of Alternate Data Stream (ADS), which Astaroth abuses at several stages to perform various activities. ADS is a file attribute that allows a user to attach data to an existing file. The stream data and its size are not visible in File Explorer, so attacks abuse this feature to hide malicious code in plain sight.

Astaroth 2020 attack chain

Figure 2. Astaroth attack chain 2020

In the case of Astaroth, attackers hide binary data inside the ADS of the file desktop.ini, without changing the file size. By doing this, the attackers create a haven for the payloads, which are read and decrypted on the fly.

Screenshot comparing contents of desktop.ini before and after infection

Figure 3. Desktop.ini before and after infection

The complex attack chain, which involves the use of multiple living-off-the-land binaries (LOLBins), results in the eventual loading of the Astaroth malware directly in memory. When running, Astaroth decrypts plugins that allow it to steal sensitive information, like email passwords and browser passwords.

In the succeeding sections, we describe each step of Astaroth’s attack chain in detail.

Arrival

The attack begins with an email with a message in Portuguese that translates to: “Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes”. The email contains a link that points to URL hosting an archive file, Arquivo_PDF_<date>.zip, which contains a LNK file with a similarly misleading name. When clicked, the LNK file runs an obfuscated BAT command line.

Email used in Astaroth campaign

Figure 4. Sample email used in latest Astaroth attacks

The BAT command drops a single-line JavaScript file to the Pictures folder and invokes explorer.exe to run the JavaScript file.

Malware code showing GetObject technique

The dropped one-liner script uses the GetObject technique to fetch and run the much larger main JavaScript directly in memory:

Malware code showing BITSAdmin abuse

BITSAdmin abuse

The main script then invokes multiple instances of BITSAdmin using a benign looking command-line to download multiple binary blobs from a command-and-control (C2) server:

Malware code showing downloaded content showing ADS

The downloaded payloads are encrypted and have the following file names:

  • masihaddajjaldwwn.gif
  • masihaddajjalc.jpg
  • masihaddajjala.jpg
  • masihaddajjalb.jpg
  • masihaddajjaldx.gif
  • masihaddajjalg.gif
  • masihaddajjalgx.gif
  • masihaddajjali.gif
  • masihaddajjalxa.~
  • masihaddajjalxb.~
  • masihaddajjalxc.~
  • masihaddajjal64w.dll
  • masihaddajjal64q.dll
  • masihaddajjal64e.dll

Alternate Data Streams abuse

As mentioned, the new Astaroth attacks use a clever technique of copying downloaded data to the ADS of desktop.ini. For each download, the content is copied to the ADS, and then the original content is deleted. These steps are repeated for all downloaded payloads.

Malware code showing abuse of ADS to run script to find security products

Another way that Astaroth abuses ADS is when it runs a script to find installed security products. A malicious script responsible for enumerating security products is dropped and then copied as an ADS to an empty text file. The execution command-line looks like this:

ExtExport.exe abuse

The main script combines three separately downloaded binary blobs to form the first-stage malware code:

Malware code showing three blobs forming first-stage malware code

The script then uses a LOLBin not previously seen in Astaroth attacks to load the first-stage malware code: ExtExport.exe, which is a legitimate utility shipped as part of Internet Explorer. Attackers can load any DLL by passing an attacker-controlled path to the tool. The tool searches for any DLL with the following file names: mozcrt19.dll, mozsqlite3.dll, or sqlite3.dll. Attackers need only to rename the malicious payload to one of these names, and it is loaded by ExtExport.exe.

Malware code showing ExtExport.exe abuse

Userinit.exe abuse

The newly loaded DLL (mozcrt19.dll, mozsqlite3.dll, or sqlite3.dll) is a proxy that reads three binary ADS streams (desktop.ini:masihaddajjalxa.~, desktop.ini:masihaddajjalxb.~, and desktop.ini:masihaddajjalxc.~) and combines these into a DLL. The newly formed DLL is the second-stage malware code and is loaded in the same process using the reflective DLL loading technique.

The newly loaded DLL is also a proxy that reads and decrypts another ADS stream (desktop.ini:masihaddajjalgx.gif) into a DLL. This DLL is injected into userinit.exe using the process hollowing technique.

The newly loaded DLL inside userinit.exe is again a proxy that reads and decrypts another ADS stream (desktop.ini:masihaddajjalg.gif) into a DLL. This DLL is the malicious info-stealer known as Astaroth and is reflectively loaded inside userinit.exe. Hence, Astaroth never touches the disk and is loaded directly in memory, making it very evasive.

Astaroth payload

When running, the Astaroth payload then reads and decrypts more components from the ADS stream of desktop.ini (desktop.ini:masihaddajjaldwwn.gif, desktop.ini:masihaddajjalc.jpg, desktop.ini:masihaddajjala.jpg, desktop.ini:masihaddajjalb.jpg, and desktop.ini:masihaddajjali.gif).

Some of these components are credential-stealing plugins hidden inside the ADS stream of desktop.ini. Astaroth abuses these plugins to steal information from compromised systems:

  • NirSoft’s MailPassView – an email client password recovery tool
  • NirSoft’s WebBrowserPassView – a web browser password recovery tool

As mentioned, Astaroth also finds installed security products. It then attempts to disable these security products. For Microsoft Defender Antivirus customers, tamper protection prevents such malicious and unauthorized changes to security settings.

Comprehensive, dynamic protection against living-off-the-land, fileless, and other sophisticated threats with Microsoft Threat Protection

Attackers are increasingly turning to living-off-the-land techniques to attempt running undetected for as long as possible on systems. Because these attacks use multiple executables that are native to the system and have legitimate uses, they require a comprehensive, behavior-based approach to detection.

Microsoft Threat Protection combines and orchestrates into a single solution the capabilities of multiple Microsoft security services to coordinate protection, detection, response, and prevention across endpoints, email, identities, and apps.

In the case of Astaroth, Office 365 ATP detects the malware delivery via email. Using detonation-based heuristics and machine learning, Office 365 ATP inspects links and attachments to identify malicious artifacts.

On endpoints, next-generation protection capabilities in Microsoft Defender ATP detect and prevent some components of Astaroth’s new attack chain. Notably, through Antimalware Scan Interface (AMSI), Microsoft Defender ATP can inspect the encrypted malicious scripts used in the initial stages of the attack.

For the more sophisticated sections of the attack chain, behavioral blocking and containment capabilities provide dynamic protection that can stop malicious behaviors and process trees. Behavior-based protections are key to exposing living-off-the-land threats that abuse and hide behind legitimate processes. These protections identify suspicious behavior sequences and advanced attack techniques observed on the client, which are used as triggers to analyze the process tree using real-time machine learning models in the cloud.

Diagram showing preventive and behavior-based blocking & containment solutions against Astaroth

Figure 5. Preventive and behavior-based blocking & containment protections against Astaroth

These behavior-based detections raise alerts in Microsoft Defender Security Center. With behavioral blocking and containment, not only are evasive threats exposed, detected, and stopped; security operations personnel are also notified so they can thoroughly investigate and remediate the root cause.

Figure 6. Sample Microsoft Defender ATP alerts on behavior-based detections of Astaroth’s activities

Microsoft Defender ATP’s EDR capabilities also have very strong coverage of advanced techniques employed by Astaroth, including cross-process migration, code injection, and use of LOLBins.

Figure 7. Sample Microsoft Defender ATP EDR alert and process tree on Astaroth’s behaviors

We expect Astaroth to further develop and increase in complexity, as long-running malware campaigns do. We will continue to watch this evolving threat and ensure that customers are protected from future updates through durable behavior-based protections.

 

 

Hardik Suri

Microsoft Defender ATP Research Team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Threat Protection and Microsoft Defender ATP tech communities.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Latest Astaroth living-off-the-land attacks are even more invisible but not less observable appeared first on Microsoft Security.

Human-operated ransomware attacks: A preventable disaster

March 5th, 2020 No comments

Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors. They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network.

These attacks are known to take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads. And while ransomware is the very visible action taken in these attacks, human operators also deliver other malicious payloads, steal credentials, and access and exfiltrate data from compromised networks.

News about ransomware attacks often focus on the downtimes they cause, the ransom payments, and the details of the ransomware payload, leaving out details of the oftentimes long-running campaigns and preventable domain compromise that allow these human-operated attacks to succeed.

Based on our investigations, these campaigns appear unconcerned with stealth and have shown that they could operate unfettered in networks. Human operators compromise accounts with higher privileges, escalate privilege, or use credential dumping techniques to establish a foothold on machines and continue unabated in infiltrating target environments.

Human-operated ransomware campaigns often start with “commodity malware” like banking Trojans or “unsophisticated” attack vectors that typically trigger multiple detection alerts; however, these tend to be triaged as unimportant and therefore not thoroughly investigated and remediated. In addition, the initial payloads are frequently stopped by antivirus solutions, but attackers just deploy a different payload or use administrative access to disable the antivirus without attracting the attention of incident responders or security operations centers (SOCs).

Some well-known human-operated ransomware campaigns include REvil, Samas, Bitpaymer, and Ryuk. Microsoft actively monitors these and other long-running human-operated ransomware campaigns, which have overlapping attack patterns. They take advantage of similar security weaknesses, highlighting a few key lessons in security, notably that these attacks are often preventable and detectable.

Combating and preventing attacks of this nature requires a shift in mindset, one that focuses on comprehensive protection required to slow and stop attackers before they can succeed. Human-operated attacks will continue to take advantage of security weaknesses to deploy destructive attacks until defenders consistently and aggressively apply security best practices to their networks. In this blog, we will highlight case studies of human-operated ransomware campaigns that use different entrance vectors and post-exploitation techniques but have overwhelming overlap in the security misconfigurations they abuse and the devastating impact they have on organizations.

PARINACOTA group: Smash-and-grab monetization campaigns

One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload. Microsoft has been tracking this group for some time, but now refers to them as PARINACOTA, using our new naming designation for digital crime actors based on global volcanoes.

PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.

The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.

PARINACOTA’s attacks typically brute forces their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors.

The group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortext, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.

Wadhrama PARINACOTA attack chain

Figure 1. PARINACOTA infection chain

We gained insight into these attacks by investigating compromised infrastructure that the group often utilizes to proxy attacks onto their next targets. To find targets, the group scans the internet for machines that listen on RDP port 3389. The attackers do this from compromised machines using tools like Masscan.exe, which can find vulnerable machines on the entire internet in under six minutes.

Once a vulnerable target is found, the group proceeds with a brute force attack using tools like NLbrute.exe or ForcerX, starting with common usernames like ‘admin’, ‘administrator’, ‘guest’, or ‘test’. After successfully gaining access to a network, the group tests the compromised machine for internet connectivity and processing capacity. They determine if the machine meets certain requirements before using it to conduct subsequent RDP brute force attacks against other targets. This tactic, which has not been observed being used by similar ransomware operators, gives them access to additional infrastructure that is less likely to be blocked. In fact, the group has been observed leaving their tools running on compromised machines for months on end.

On machines that the group doesn’t use for subsequent RDP brute-force attacks, they proceed with a separate set of actions. This technique helps the attackers evade reputation-based detection, which may block their scanning boxes; it also preserves their command-and-control (C2) infrastructure. In addition, PARINACOTA utilizes administrative privileges gained via stolen credentials to turn off or stop any running services that might lead to their detection. Tamper protection in Microsoft Defender ATP prevents malicious and unauthorized to settings, including antivirus solutions and cloud-based detection capabilities.

After disabling security solutions, the group often downloads a ZIP archive that contains dozens of well-known attacker tools and batch files for credential theft, persistence, reconnaissance, and other activities without fear of the next stages of the attack being prevented. With these tools and batch files, the group clears event logs using wevutil.exe, as well as conducts extensive reconnaissance on the machine and the network, typically looking for opportunities to move laterally using common network scanning tools. When necessary, the group elevates privileges from local administrator to SYSTEM using accessibility features in conjunction with a batch file or exploit-laden files named after the specific CVEs they impact, also known as the “Sticky Keys” attack.

The group dumps credentials from the LSASS process, using tools like Mimikatz and ProcDump, to gain access to matching local administrator passwords or service accounts with high privileges that may be used to start as a scheduled task or service, or even used interactively. PARINACOTA then uses the same remote desktop session to exfiltrate acquired credentials. The group also attempts to get credentials for specific banking or financial websites, using findstr.exe to check for cookies associated with these sites.

Microsoft Defender ATP alert for credential theft

Figure 2. Microsoft Defender ATP alert for credential theft

With credentials on hand, PARINACOTA establishes persistence using various methods, including:

  • Registry modifications using .bat or .reg files to allow RDP connections
  • Setting up access through existing remote assistance apps or installing a backdoor
  • Creating new local accounts and adding them to the local administrators group

To determine the type of payload to deploy, PARINACOTA uses tools like Process Hacker to identify active processes. The attackers don’t always install ransomware immediately; they have been observed installing coin miners and using massmail.exe to run spam campaigns, essentially using corporate networks as distributed computing infrastructure for profit. The group, however, eventually returns to the same machines after a few weeks to install ransomware.

The group performs the same general activities to deliver the ransomware payload:

  • Plants a malicious HTA file (hta in many instances) using various autostart extensibility points (ASEPs), but often the registry Run keys or the Startup folder. The HTA file displays ransom payment instructions.
  • Deletes local backups using tools like exe to stifle recovery of ransomed files.
  • Stops active services that might interfere with encryption using exe, net.exe, or other tools.

Figure 3. PARINACOTA stopping services and processes

  • Drops an array of malware executables, often naming the files based on their intended behavior. If previous attempts to stop antivirus software have been unsuccessful, the group simply drops multiple variants of a malware until they manage to execute one that is not detected, indicating that even when detections and alerts are occurring, network admins are either not seeing them or not reacting to them.

As mentioned, PARINACOTA has recently mostly dropped the Wadhrama ransomware, which leaves the following ransom note after encrypting target files:

Figure 4. Wadhrama ransom note

In several observed cases, targeted organizations that were able to resolve ransomware infections were unable to fully remove persistence mechanisms, allowing the group to come back and deploy ransomware again.

Figure 5. Microsoft Defender ATP machine view showing reinfection by Wadhrama

PARINACOTA routinely uses Monero coin miners on compromised machines, allowing them to collect uniform returns regardless of the type of machine they access. Monero is popular among cybercriminals for its privacy benefits: Monero not only restricts access to wallet balances, but also mixes in coins from other transactions to help hide the specifics of each transaction, resulting in transactions that aren’t as easily traceable by amount as other digital currencies.

As for the ransomware component, we have seen reports of the group charging anywhere from .5 to 2 Bitcoins per compromised machine. This varies depending on what the attackers know about the organization and the assets that they have compromised. The ransom amount is adjusted based on the likelihood the organization will pay due to impact to their company or the perceived importance of the target.

Doppelpaymer: Ransomware follows Dridex

Doppelpaymer ransomware recently caused havoc in several highly publicized attacks against various organizations around the world. Some of these attacks involved large ransom demands, with attackers asking for millions of dollars in some cases.

Doppelpaymer ransomware, like Wadhrama, Samas, LockerGoga, and Bitpaymer before it, does not have inherent worm capabilities. Human operators manually spread it within compromised networks using stolen credentials for privileged accounts along with common tools like PsExec and Group Policy. They often abuse service accounts, including accounts used to manage security products, that have domain admin privileges to run native commands, often stopping antivirus software and other security controls.

The presence of banking Trojans like Dridex on machines compromised by Doppelpaymer point to the possibility that Dridex (or other malware) is introduced during earlier attack stages through fake updaters, malicious documents in phishing email, or even by being delivered via the Emotet botnet.

While Dridex is likely used as initial access for delivering Doppelpaymer on machines in affected networks, most of the same networks contain artifacts indicating RDP brute force. This is in addition to numerous indicators of credential theft and the use of reconnaissance tools. Investigators have in fact found artifacts indicating that affected networks have been compromised in some manner by various attackers for several months before the ransomware is deployed, showing that these attacks (and others) are successful and unresolved in networks where diligence in security controls and monitoring is not applied.

The use of numerous attack methods reflects how attackers freely operate without disruption – even when available endpoint detection and response (EDR) and endpoint protection platform (EPP) sensors already detect their activities. In many cases, some machines run without standard safeguards, like security updates and cloud-delivered antivirus protection. There is also the lack of credential hygiene, over-privileged accounts, predictable local administrator and RDP passwords, and unattended EDR alerts for suspicious activities.

Figure 6. Sample Microsoft Defender ATP alert

The success of attacks relies on whether campaign operators manage to gain control over domain accounts with elevated privileges after establishing initial access. Attackers utilize various methods to gain access to privileged accounts, including common credential theft tools like Mimikatz and LaZange. Microsoft has also observed the use of the Sysinternals tool ProcDump to obtain credentials from LSASS process memory. Attackers might also use LSASecretsView or a similar tool to access credentials stored in the LSA secrets portion of the registry. Accessible to local admins, this portion of the registry can reveal credentials for domain accounts used to run scheduled tasks and services.

Figure 7. Doppelpaymer infection chain

Campaign operators continually steal credentials, progressively gaining higher privileges until they control a domain administrator-level account. In some cases, operators create new accounts and grant Remote Desktop privileges to those accounts.

Apart from securing privileged accounts, attackers use other ways of establishing persistent access to compromised systems. In several cases, affected machines are observed launching a base64-encoded PowerShell Empire script that connects to a C2 server, providing attackers with persistent control over the machines. Limited evidence suggests that attackers set up WMI persistence mechanisms, possibly during earlier breaches, to launch PowerShell Empire.

After obtaining adequate credentials, attackers perform extensive reconnaissance of machines and running software to identify targets for ransomware delivery. They use the built-in command qwinsta to check for active RDP sessions, run tools that query Active Directory or LDAP, and ping multiple machines. In some cases, the attackers target high-impact machines, such as machines running systems management software. Attackers also identify machines that they could use to stay persistent on the networks after deploying ransomware.

Attackers use various protocols or system frameworks (WMI, WinRM, RDP, and SMB) in conjunction with PsExec to move laterally and distribute ransomware. Upon reaching a new device through lateral movement, attackers attempt to stop services that can prevent or stifle successful ransomware distribution and execution. As in other ransomware campaigns, the attackers use native commands to stop Exchange Server, SQL Server, and similar services that can lock certain files and disrupt attempts to encrypt them. They also stop antivirus software right before dropping the ransomware file itself.

Attempts to bypass antivirus protection and deploy ransomware are particularly successful in cases where:

  • Attackers already have domain admin privileges
  • Tamper protection is off
  • Cloud-delivered protection is off
  • Antivirus software is not properly managed or is not in a healthy state

Microsoft Defender ATP generates alerts for many activities associated with these attacks. However, in many of these cases, affected network segments and their associated alerts are not actively being monitored or responded to.

Attackers also employ a few other techniques to bypass protections and run ransomware code. In some cases, we found artifacts indicating that they introduce a legitimate binary and use Alternate Data Streams to masquerade the execution of the ransomware binary as legitimate binary.

Command prmpt dump output of the Alternate Data Stream

Figure 8. Command prompt dump output of the Alternate Data Stream

The Doppelpaymer ransomware binary used in many attacks are signed using what appears to be stolen certificates from OFFERS CLOUD LTD, which might be trusted by various security solutions.

Doppelpaymer encrypts various files and displays a ransom note. In observed cases, it uses a custom extension name for encrypted files using information about the affected environment. For example, it has used l33tspeak versions of company names and company phone numbers.

Notably, Doppelpaymer campaigns do not fully infect compromised networks with ransomware. Only a subset of the machines have the malware binary and a slightly smaller subset have their files encrypted. The attackers maintain persistence on machines that don’t have the ransomware and appear intent to use these machines to come back to networks that pay the ransom or do not perform a full incident response and recovery.

Ryuk: Human-operated ransomware initiated from Trickbot infections

Ryuk is another active human-operated ransomware campaign that wreaks havoc on organizations, from corporate entities to local governments to non-profits by disrupting businesses and demanding massive ransom. Ryuk originated as a ransomware payload distributed over email, and but it has since been adopted by human operated ransomware operators.

Like Doppelpaymer, Ryuk is one of possible eventual payloads delivered by human operators that enter networks via banking Trojan infections, in this case Trickbot. At the beginning of a Ryuk infection, an existing Trickbot implant downloads a new payload, often Cobalt Strike or PowerShell Empire, and begins to move laterally across a network, activating the Trickbot infection for ransomware deployment. The use of Cobalt Strike beacon or a PowerShell Empire payload gives operators more maneuverability and options for lateral movement on a network. Based on our investigation, in some networks, this may also provide the added benefit to the attackers of blending in with red team activities and tools.

In our investigations, we found that this activation occurs on Trickbot implants of varying ages, indicating that the human operators behind Ryuk likely have some sort of list of check-ins and targets for deployment of the ransomware. In many cases, however, this activation phase comes well after the initial Trickbot infection, and the eventual deployment of a ransomware payload may happen weeks or even months after the initial infection.

In many networks, Trickbot, which can be distributed directly via email or as a second-stage payload to other Trojans like Emotet, is often considered a low-priority threat, and not remediated and isolated with the same degree of scrutiny as other, more high-profile malware. This works in favor of attackers, allowing them to have long-running persistence on a wide variety of networks. Trickbot, and the Ryuk operators, also take advantage of users running as local administrators in environments and use these permissions to disable security tools that would otherwise impede their actions.

Figure 9. Ryuk infection chain

Once the operators have activated on a network, they utilize their Cobalt Strike or PowerShell tools to initiate reconnaissance and lateral movement on a network. Their initial steps are usually to use built-in commands such as net group to enumerate group membership of high-value groups like domain administrators and enterprise administrators, and to identify targets for credential theft.

Ryuk operators then use a variety of techniques to steal credentials, including the LaZagne credential theft tool. The attackers also save various registry hives to extract credentials from Local Accounts and the LSA Secrets portion of the registry that stores passwords of service accounts, as well as Scheduled Tasks configured to auto start with a defined account. In many cases, services like security and systems management software are configured with privileged accounts, such as domain administrator; this makes it easy for Ryuk operators to migrate from an initial desktop to server-class systems and domain controllers. In addition, in many environments successfully compromised by Ryuk, operators are able to utilize the built-in administrator account to move laterally, as these passwords are matching and not randomized.

Once they have performed initial basic reconnaissance and credential theft, the attackers in some cases utilize the open source security audit tool known as BloodHound to gather detailed information about the Active Directory environment and probable attack paths. This data and associated stolen credentials are accessed by the attacker and likely retained, even after the ransomware portion is ended.

The attackers then continue to move laterally to higher value systems, inspecting and enumerating files of interest to them as they go, possibly exfiltrating this data. The attackers then elevate to domain administrator and utilize these permissions to deploy the Ryuk payload.

The ransomware deployment often occurs weeks or even months after the attackers begin activity on a network. The Ryuk operators use stolen Domain Admin credentials, often from an interactive logon session on a domain controller, to distribute the Ryuk payload. They have been seen doing this via Group Policies, setting a startup item in the SYSVOL share, or, most commonly in recent attacks, via PsExec sessions emanating from the domain controller itself.

Improving defenses to stop human-operated ransomware

In human-operated ransomware campaigns, even if the ransom is paid, some attackers remain active on affected networks with persistence via PowerShell Empire and other malware on machines that may seem unrelated to ransomware activities. To fully recover from human-powered ransomware attacks, comprehensive incident response procedures and subsequent network hardening need to be performed.

As we have learned from the adaptability and resourcefulness of attackers, human-operated campaigns are intent on circumventing protections and cleverly use what’s available to them to achieve their goal, motivated by profit. The techniques and methods used by the human-operated ransomware attacks we discussed in this blog highlight these important lessons in security:

  1. IT pros play an important role in security

Some of the most successful human-operated ransomware campaigns have been against servers that have antivirus software and other security intentionally disabled, which admins may do to improve performance. Many of the observed attacks leverage malware and tools that are already detected by antivirus. The same servers also often lack firewall protection and MFA, have weak domain credentials, and use non-randomized local admin passwords. Oftentimes these protections are not deployed because there is a fear that security controls will disrupt operations or impact performance. IT pros can help with determining the true impact of these settings and collaborate with security teams on mitigations.

Attackers are preying on settings and configurations that many IT admins manage and control. Given the key role they play, IT pros should be part of security teams.

  1. Seemingly rare, isolated, or commodity malware alerts can indicate new attacks unfolding and offer the best chance to prevent larger damage

Human-operated attacks involve a fairly lengthy and complex attack chain before the ransomware payload is deployed. The earlier steps involve activities like commodity malware infections and credential theft that Microsoft Defender ATP detects and raises alerts on. If these alerts are immediately prioritized, security operations teams can better mitigate attacks and prevent the ransomware payload. Commodity malware infections like Emotet, Dridex, and Trickbot should be remediated and treated as a potential full compromise of the system, including any credentials present on it.

  1. Truly mitigating modern attacks requires addressing the infrastructure weakness that let attackers in

Human-operated ransomware groups routinely hit the same targets multiple times. This is typically due to failure to eliminate persistence mechanisms, which allow the operators to go back and deploy succeeding rounds of payloads, as targeted organizations focus on working to resolve the ransomware infections.

Organizations should focus less on resolving alerts in the shortest possible time and more on investigating the attack surface that allowed the alert to happen. This requires understanding the entire attack chain, but more importantly, identifying and fixing the weaknesses in the infrastructure to keep attackers out.

While Wadhrama, Doppelpaymer, Ryuk, Samas, REvil, and other human-operated attacks require a shift in mindset, the challenges they pose are hardly unique.

Removing the ability of attackers to move laterally from one machine to another in a network would make the impact of human-operated ransomware attacks less devastating and make the network more resilient against all kinds of cyberattacks. The top recommendations for mitigating ransomware and other human-operated campaigns are to practice credential hygiene and stop unnecessary communication between endpoints.

Here are relevant mitigation actions that enterprises can apply to build better security posture and be more resistant against cyberattacks in general:

  • Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
  • Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
  • Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords. Use tools like LAPS.
  • Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
  • Monitor for clearing of Event Logs, especially the Security Event log and PowerShell Operational logs. Microsoft Defender ATP raises the alert “Event log was cleared” and Windows generates an Event ID 1102 when this occurs.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Domain admin accounts and other accounts with high privilege should not be present on workstations.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications Other. To assess the impact of these rules, deploy them in audit mode.
  • Turn on AMSI for Office VBA if you have Office 365.
  • Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.

Figure 10. Improving defenses against human-operated ransomware

How Microsoft empowers customers to combat human-operated attacks

The rise of adaptable, resourceful, and persistent human-operated attacks characterizes the need for advanced protection on multiple attack surfaces. Microsoft Threat Protection delivers comprehensive protection for identities, endpoints, data, apps, and infrastructure. Through built-intelligence, automation, and integration, Microsoft Threat Protection combines and orchestrates into a single solution the capabilities of Microsoft Defender Advanced Threat Protection (ATP), Office 365 ATP, Azure ATP, and Microsoft Cloud App Security, providing customers integrated security and unparalleled visibility across attack vectors.

Building an optimal organizational security posture is key to defending networks against human-operated attacks and other sophisticated threats. Microsoft Secure Score assesses and measures an organization’s security posture and provides recommended improvement actions, guidance, and control. Using a centralized dashboard in Microsoft 365 security center, organizations can compare their security posture with benchmarks and establish key performance indicators (KPIs).

On endpoints, Microsoft Defender ATP provides unified protection, investigation, and response capabilities. Durable machine learning and behavior-based protections detect human-operated campaigns at multiple points in the attack chain, before the ransomware payload is deployed. These advanced detections raise alerts on the Microsoft Defender Security Center, enabling security operations teams to immediately respond to attacks using the rich capabilities in Microsoft Defender ATP.

The Threat and Vulnerability Management capability uses a risk-based approach to the discovery, prioritization, and remediation of misconfigurations and vulnerabilities on endpoints. Notably, it allows security administrators and IT administrators to collaborate seamlessly to remediate issues. For example, through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click.

Microsoft experts have been tracking multiple human operated ransomware groups. To further help customers, we released a Microsoft Defender ATP Threat Analytics report on the campaigns and mitigations against the attack. Through Threat Analytics, customers can see indicators of Wadhrama, Doppelpaymer, Samas, and other campaign activities in their environments and get details and recommendations that are designed to help security operations teams to investigate and respond to attacks. The reports also include relevant advanced hunting queries that can further help security teams look for signs of attacks in their network.

Customers subscribed to Microsoft Threat Experts, the managed threat hunting service in Microsoft Defender ATP, get targeted attack notification on emerging ransomware campaigns that our experts find during threat hunting. The email notifications are designed to inform customers about threats that they need to prioritize, as well as critical information like timeline of events, affected machines, and indicators of compromise, which help in investigating and mitigating attacks. Additionally, with experts on demand, customers can engage directly with Microsoft security analysts to get guidance and insights to better understand, prevent, and respond to human-operated attacks and other complex threats.

 

Microsoft Threat Protection Intelligence Team

 

The post Human-operated ransomware attacks: A preventable disaster appeared first on Microsoft Security.

Ghost in the shell: Investigating web shell attacks

February 4th, 2020 No comments

Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. The organization enlisted the services of Microsoft’s Detection and Response Team (DART) to conduct a full incident response and remediate the threat before it could cause further damage.

DART’s investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts. This allowed the attackers to perform reconnaissance using net.exe, scan for additional target systems using nbstat.exe, and eventually move laterally using PsExec.

The attackers installed additional web shells on other systems, as well as a DLL backdoor on an Outlook Web Access (OWA) server. To persist on the server, the backdoor implant registered itself as a service or as an Exchange transport agent, which allowed it to access and intercept all incoming and outgoing emails, exposing sensitive information. The backdoor also performed additional discovery activities as well as downloaded other malware payloads. In addition, the attackers sent special emails that the DLL backdoor interpreted as commands.

Figure 1. Sample web shell attack chain

The case is one of increasingly more common incidents of web shell attacks affecting multiple organizations in various sectors. A web shell is a piece of malicious code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow adversaries to execute commands and to steal data from a web server or use the server as launch pad for further attacks against the affected organization.

With the use of web shells in cyberattacks on the rise, Microsoft’s DART, the Microsoft Defender ATP Research Team, and the Microsoft Threat Intelligence Center (MSTIC) have been working together to investigate and closely monitor this threat.

Web shell attacks in the current threat landscape

Multiple threat actors, including ZINC, KRYPTON, and GALLIUM, have been observed utilizing web shells in their campaigns. To implant web shells, adversaries take advantage of security gaps in internet-facing web servers, typically vulnerabilities in web applications, for example CVE-2019-0604 or CVE-2019-16759.

In our investigations into these types of attacks, we have seen web shells within files that attempt to hide or blend in by using names commonly used for legitimate files in web servers, for example:

  • index.aspx
  • fonts.aspx
  • css.aspx
  • global.aspx
  • default.php
  • function.php
  • Fileuploader.php
  • help.js
  • write.jsp
  • 31.jsp

Among web shells used by threat actors, the China Chopper web shell is one of the most widely used. One example is written in JSP:

We have seen this malicious JSP code within a specially crafted file uploaded to web servers:

Figure 2. Specially crafted image file with malicious JSP code

Another China Chopper variant is written in PHP:

Meanwhile, the KRYPTON group uses a bespoke web shell written in C# within an ASP.NET page:

Figure 3. Web shell written in C# within an ASP.NET page

Once a web shell is successfully inserted into a web server, it can allow remote attackers to perform various tasks on the web server. Web shells can steal data, perpetrate watering hole attacks, and run other malicious commands for further compromise.

Web shell attacks have affected a wide range of industries. The organization in the public sector mentioned above represents one of the most common targeted sectors.

Aside from exploiting vulnerabilities in web applications or web servers, attackers take advantage of other weaknesses in internet-facing servers. These include the lack of the latest security updates, antivirus tools, network protection, proper security configuration, and informed security monitoring. Interestingly, we observed that attacks usually occur on weekends or during off-hours, when attacks are likely not immediately spotted and responded to.

Unfortunately, these gaps appear to be widespread, given that every month, Microsoft Defender Advanced Threat Protection (ATP) detects an average of 77,000 web shell and related artifacts on an average of 46,000 distinct machines.

Figure 3: Web shell encounters 

Detecting and mitigating web shell attacks

Because web shells are a multi-faceted threat, enterprises should build comprehensive defenses for multiple attack surfaces. Microsoft Threat Protection provides unified protection for identities, endpoints, email and data, apps, and infrastructure. Through signal-sharing across Microsoft services, customers can leverage Microsoft’s industry-leading optics and security technologies to combat web shells and other threats.

Gaining visibility into internet-facing servers is key to detecting and addressing the threat of web shells. The installation of web shells can be detected by monitoring web application directories for web script file writes. Applications such as Outlook Web Access (OWA) rarely change after they have been installed and script writes to these application directories should be treated as suspicious.

After installation, web shell activity can be detected by analyzing processes created by the Internet Information Services (IIS) process w3wp.exe. Sequences of processes that are associated with reconnaissance activity such as those identified in the alert screenshot (net.exe, ping.exe, systeminfo.exe, and hostname.exe) should be treated with suspicion. Web applications such as OWA run from well-defined Application Pools. Any cmd.exe process execution by w3wp.exe running from an application pool that doesn’t typically execute processes such as ‘MSExchangeOWAAppPool’ should be treated as unusual and regarded as potentially malicious.

Microsoft Defender ATP exposes these behaviors that indicate web shell installation and post-compromise activity by analyzing script file writes and process executions. When alerted of these activities, security operations teams can then use the rich capabilities in Microsoft Defender ATP to investigate and resolve web shell attacks.

Figure 4. Sample Microsoft Defender ATP alerts related to web shell attacks

Figure 5. Microsoft Defender ATP alert process tree

As in most security issues, prevention is critical. Organizations can harden systems against web shell attacks by taking these preventive steps:

  • Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Deploy latest security updates as soon as they become available.
  • Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.
  • Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
  • Enable cloud-delivered protection to get the latest defenses against new and emerging threats.
  • Educate end users about preventing malware infections. Encourage end users to practice good credential hygiene—limit the use of accounts with local or domain admin privileges.

 

 

Detection and Response Team (DART)

Microsoft Defender ATP Research Team

Microsoft Threat Intelligence Center (MSTIC)

 

The post Ghost in the shell: Investigating web shell attacks appeared first on Microsoft Security.

sLoad launches version 2.0, Starslord

January 21st, 2020 No comments

sLoad, the PowerShell-based Trojan downloader notable for its almost exclusive use of the Windows BITS service for malicious activities, has launched version 2.0. The new version comes on the heels of a comprehensive blog we published detailing the malware’s multi-stage nature and use of BITS as alternative protocol for data exfiltration and other behaviors.

With the new version, sLoad has added the ability to track the stage of infection on every affected machine. Version 2.0 also packs an anti-analysis trick that could identify and isolate analyst machines vis-à-vis actual infected machines.

We’re calling the new version “Starslord” based on strings in the malware code, which has clues indicating that the name “sLoad” may have been derived from a popular comic book superhero.

We discovered the new sLoad version over the holidays, in our continuous monitoring of the malware. New sLoad campaigns that use version 2.0 follow an attack chain similar to the previous version, with some updates, including dropping the dynamic list of command-and-control (C2) servers and upload of screenshots.

Tracking the stage of infection

With the ability to track the stage of infection, malware operators with access to the Starslord backend could build a detailed view of infections across affected machines and segregate these machines into different groups.

The tracking mechanism exists in the final-stage, which, as with the old version, loops infinitely (with sleep interval of 2400 seconds, higher than the 1200 seconds in version 1.0). In line with the previous version, at every iteration of the final stage, the malware uses a download BITS job to exfiltrate stolen system information and receive additional payloads from the active C2 server.

As we noted in our previous blog, creating a BITS job with an extremely large RemoteURL parameter that includes non-encrypted system information, as the old sLoad version did, stands out and is relatively easy to detect. However, with Starslord, the system information is encoded into Base64 data before being exfiltrated.

The file received by Starslord in response to the exfiltration BITS job contains a tuple of three values separated by an asterisk (*):

  • Value #1 is a URL to download additional payload using a download BITS job
  • Value #2 specifies the action, which can be any of the following, to be taken on the payload downloaded from the URL in value#1:
    • “eval” – Run (possibly very large) PowerShell scripts
    • “iex” – Load and invoke (possibly small) PowerShell code
    • “run” – Download encoded PE file, decode using exe, and run the decoded executable
  • Value #3 is an integer that can signify the stage of infection for the machine

Supplying the payload URL as part of value #1 allows the malware infrastructure to house additional payloads on different servers from the active C2 servers responding to the exfiltration BITS jobs.

Value#3 is the most noteworthy component in this setup. If the final stage succeeds in downloading additional payload using the URL provided in value #1 and executing it as specified by the command in value #2, then a variable is used to form the string “td”:”<value#3>”,”tds”:”3”. However, if the final stage fails to download and execute the payload, then the string formed is “td”:”<value #3>”,”tds”:”4”.

The infinite loop ensures that the exfiltration BITS jobs are created at a fixed interval. The backend infrastructure can then pick up the pulse from each infected machine. However, unlike the previous version, Starslord includes the said string in succeeding iterations of data exfiltration. This means that the malware infrastructure is always aware of the exact stage of the infection for a specific affected machine. In addition, since the numeric value for value #3 in the tuple is always governed by the malware infrastructure, malware operators can compartmentalize infected hosts and could potentially set off individual groups on unique infection paths. For example, when responding to exfiltration BITS jobs, malware operators can specify a different URL (value #1) and action (value #2) for each numeric value for value #3 of the tuple, essentially deploying a different malware payload for different groups.

Anti-analysis trap

Starslord comes built-in with a function named checkUniverse, which is in-fact an anti-analysis trap.

As mentioned in our previous blog post, the final stage of sLoad is a piece of PowerShell code obtained by decoding one of the dropped .ini files. The PowerShell code appears in the memory as a value assigned to a variable that is then executed using the Invoke-Expression cmdlet. Because this is a huge piece of decrypted PowerShell code that never hits the disk, security researchers would typically dump it into a file on the disk for further analysis.

The sLoad dropper PowerShell script drops four files:

  • a randomly named .tmp file
  • a randomly named .ps1 file
  • a ini file
  • a ini file

It then creates a scheduled task to run the .tmp file every 3 minutes, similar to the previous version. The .tmp file is a proxy that does nothing but run the .ps1 file, which decrypts the contents of main.ini into the final stage. The final stage then decrypts contents of domain.ini to obtain active C2 and perform other activities as documented.

As a unique anti-analysis trap, Starslord ensures that the .tmp and.ps1 files have the same random name. When an analyst dumps the decrypted code of the final stage into a file in the same folder as the .tmp and .ps1 files, the analyst could end up naming it something other than the original random name. When this dumped code is run from such differently named file on the disk, a function named checkUniverse returns the value 1, and the analyst gets trapped:

What comes next is not very desirable for a security researcher: being profiled by the malware operator.

If the host belongs to a trapped analyst, the file downloaded from the backend in response to the exfiltration BITS job, if any, is discarded and overwritten by the following new tuple:

hxxps://<active C2>/doc/updx2401.jpg*eval*-1

In this case, the value #1 of the tuple is a URL that’s known to the backend for being associated with trapped hosts. BITS jobs from trapped hosts don’t always get a response. If they do, it’s a copy of the dropper PowerShell script. This could be to create an illusion that the framework is being updated as the URL in value #1 of the tuple suggests (hxxps://<active C2>/doc/updx2401.jpg).

However, the string that is included in all successive exfiltration BITS jobs from such host is “td”:”-1”,”tds”:”3”, eventually leading to all such hosts getting grouped under value “td”:”-1”. This forms the group of all trapped machines that are never delivered a payload. For the rest, so far, evidence suggests that it has been delivering the file infector Ramnit intermittently.

Durable protection against evolving malware

sLoad’s multi-stage attack chain, use of mutated intermediate scripts and BITS as an alternative protocol, and its polymorphic nature in general make it a piece malware that can be quite tricky to detect. Now, it has evolved into a new and polished version Starlord, which retains sLoads most basic capabilities but does away with spyware capabilities in favor of new and more powerful features, posing even higher risk.

Starslord can track and group affected machines based on the stage of infection, which can allow for unique infection paths. Interestingly, given the distinct reference to a fictional superhero, these groups can be thought of as universes in a multiverse. In fact, the malware uses a function called checkUniverse to determine if a host is an analyst machine.

Microsoft Threat Protection defends customers from sophisticated and continuously evolving threats like sLoad using multiple industry-leading security technologies that protect various attack surfaces. Through signal-sharing across multiple Microsoft services, Microsoft Threat Protection delivers comprehensive protection for identities, endpoints, data, apps, and infrastructure.

On endpoints, behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) ensure durable protection against evolving threats. Through cloud-based machine learning and data science informed by threat research, Microsoft Defender ATP can spot and stop malicious behaviors from threats, both old and new, in real-time.

 

 

Sujit Magar

Microsoft Defender ATP Research Team

The post sLoad launches version 2.0, Starslord appeared first on Microsoft Security.

Rethinking cyber scenarios—learning (and training) as you defend

January 14th, 2020 No comments

In two recent posts I discussed with Circadence the increasing importance of gamification for cybersecurity learning and how to get started as a practitioner while being supported by an enterprise learning officer or security team lead. In this third and final post in the series, Keenan and I address more advanced SecOps scenarios that an experienced practitioner would be concerned with understanding. We even show how Circadence and Microsoft help seasoned practitioners defend against some of the most prevalent and advanced attackers we see across industries.

Here are more of Keenan’s insights from our Q&A:

Q: Keenan, thanks for sharing in this digital conversation with me again. I admire your passion for gamified cyber learning. I’d not put the two ideas together, that you can adopt gaming concepts—and consoles—in a way that makes learning the often difficult and evolving subject matter of “cyber” much more fun and impactful. Now that I’ve used Project Ares for a year, it’s hard to imagine NOT having an interactive, gamified platform to help me build and refine cybersecurity concepts and skills. Several friends and colleagues have also registered their teenagers for Circadence’s Project Ares Academy subscriptions to kickstart their learning journey toward a cyber career path. If kids are going to game, let’s point them to something that will build employable skills for the future.

In our last two blogs, we introduced readers to a couple of new ideas:

Now, let’s pivot and focus on practical cyber scenarios (let’s say Tier 1 or Tier 2 defender scenarios)—situations that would likely be directed to experienced cyber professionals to handle. Walk us through some of detail about how Circadence has built SecOps gaming experiences into Project Ares through mission scenarios that are inspired by real cyber incidents pulled from news headlines incorporating today’s most common attack methods such as ransomware, credential theft, and even nation-state attacks?

A: Sure. I’ll start with descriptions of a couple of our foundational missions.

Scenario one: Ransomware—Project Ares offers several mission scenarios that address the cyber kill chain around ransomware. The one I’ll focus on is Mission 10, Operation Crimson Wolf. Acting as a cyber force member working for a transportation company, the user must secure networks so the company can conduct effective port activity. However, the company is in danger as ransomware has encrypted data and a hacker has launched a phishing attack on the network, impacting how and when operators offload ships. The player must stop the ransomware from spreading and attacking other nodes on the network before it’s too late. I love this scenario because 1) it’s realistic, 2) ransomware attacks occur far too often, and 3) it allows the player to engage in a virtual environment to build skills.

Users who engage in this mission learn core competencies like:

  • Computer network defense.
  • Incident response management.
  • Data forensics and handling.

We map all our missions to the NIST/NICE work role framework and Mission 10 touches on the following work roles: System Security Analyst, Cyber Defense Analyst, Cyber Defense Incident Responder, and the Cyber Defense Forensics Analyst.

Image from scenario one: Ransomware

Scenario two: Credential theft—Another mission that’s really engaging is Mission 1, Operation Goatherd. It teaches how credential theft can occur via a brute force attack. In this mission, the user must access the command and control server of a group of hackers to disable a botnet network in use. The botnet is designed to execute a widespread financial scam triggering the collapse of a national bank! The user must scan the command and control server located at myloot.com for running services, identify a vulnerable service, perform a brute force attack to obtain credentials, and then kill the web server acting as the command and control orchestrator.

This scenario is powerful because it asks the player to address the challenge by thinking from an adversary’s perspective. It helps the learner understand how an attacker would execute credential theft (though there are many ways) and gives the learner a different perspective for a well-rounded comprehension of the attack method.

Users who engage in this mission learn core competencies like:

  • Network protocols.
  • Reconnaissance and enumeration.
  • Password cracking and exploration.

The NIST/NICE work role aligned to this mission is a Cyber Operator. Specific tasks this work role must address include:

  • Analyzing target operational architecture for ways to gain access.
  • Conducting network scouting and vulnerability analysis of systems within a network.
  • Detecting exploits against targeted networks.

Image from scenario two: Credential theft

Q: Can you discuss how Project Ares’ learning curriculum addresses critical threats from advanced state or state-backed attackers. While we won’t name governments directly, the point for our readers to understand is that the national and international cybersecurity stage is built around identifying and learning how to combat the tools, tactics, and procedures that threat actors are using in all industries.

A: Here’s a good example.

Scenario three: Election security—In this mission, we deploy in our next release of Project Ares, which now leverages cloud native architecture (running on Microsoft Azure), is Mission 15, Operation Raging Mammoth. It helps a cyber professional protect against an election attack—something we are all too familiar with through recent headlines about election security. As an election security official, the user must monitor voting systems to establish a baseline of normal activity and configurations from which we identify anomalies. The user must detect and report changes to an administrator’s access permissions and/or modifications to voter information.

The NIST/NICE work roles aligned to this mission include professionals training as a Cyber Defense Analyst, Cyber Defense Incident Responder, or Threat/Warning Analyst.

Image from scenario three: Election security

I’ve reviewed some of the specific cyber scenarios a Tier 1 or Tier 2 defender might experience on the job. Now I’d like to share a bit how we build these exercises for our customers.

It really comes down to the professional experiences and detailed research from our Mission and Battle Room design teams at Circadence. Many of them have explicit and long-standing professional experience as on-the-job cyber operators and defenders, as well as cyber professors and teachers at renowned institutions. They really understand what professionals need to learn, how they need to learn, and the most effective ways to learn.

We profile Circadence professionals in the Living Our Mission Blog Series to help interested readers understand the skill and dedication of the people behind Project Ares. By sharing the individual faces behind the solution, we hope current and prospective customers will appreciate Project Ares more knowing that Circadence is building the most relevant learning experiences available to support immersive, gamified learning of today’s cyber professionals.

Learn more

To see Project Ares “in action” visit Circadence and request a demonstration, or speak with your local Microsoft representative. You can also try your hand at it by attending an upcoming Microsoft Ignite: The Tour event, which features a joint Microsoft/Circadence “Into the Breach” capture the flag exercise.

To learn more about how to close the cybersecurity talent gap, read the e-book: CISO essentials: How to optimize recruiting while strengthening cybersecurity. For more information on Microsoft intelligence security solutions, including guidance on Zero Trust, visit Reach the optimal state in your Zero Trust journey.

The post Rethinking cyber scenarios—learning (and training) as you defend appeared first on Microsoft Security.

Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks

December 18th, 2019 No comments

Computers with Windows Remote Desktop Protocol (RDP) exposed to the internet are an attractive target for adversaries because they present a simple and effective way to gain access to a network. Brute forcing RDP, a secure network communications protocol that provides remote access over port 3389, does not require a high level of expertise or the use of exploits; attackers can utilize many off-the-shelf tools to scan the internet for potential victims and leverage similar such tools for conducting the brute force attack.

Attackers target RDP servers that use weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security protections. Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware and coin mining operations.

In a brute force attack, adversaries attempt to sign in to an account by effectively using one or more trial-and-error methods. Many failed sign-ins occurring over very short time frequencies, typically minutes or even seconds, are usually associated with these attacks. A brute force attack might also involve adversaries attempting to access one or more accounts using valid usernames that were obtained from credential theft or using common usernames like “administrator”. The same holds for password combinations. In detecting RDP brute force attacks, we focus on the source IP address and username, as password data is not available.

In the Windows operating system, whenever an attempted sign-in fails for a local machine, Event Tracing for Windows (ETW) registers Event ID 4625 with the associated username. Meanwhile, source IP addresses connected to RDP can be accessed; this information is very useful in assessing if a machine is under brute force attack. Using this information in combination with Event ID 4624 for non-server Windows machines can shed light on which sign-in sessions were successfully created and can further help in detecting if a local machine has been compromised.

In this blog we’ll present a study and a detection logic that uses these signals. This data science-driven approach to detecting RDP brute force attacks has proven valuable in detecting human adversary activity through Microsoft Threat Experts, the managed threat hunting service in Microsoft Defender Advanced Threat Protection. This work is an example of how the close collaboration between data scientists and threat hunters results in protection for customers against real-world threats.

Insights into brute force attacks

Observing a sudden, relatively large count of Event ID 4625 associated with RDP network connections might be rare, but it does not necessarily imply that a machine is under attack. For example, a script that performs the following actions would look suspicious looking at a time series of counts of failed sign-in but is most likely not malicious:

  • uses an expired password
  • retries sign-in attempts every N-minutes with different usernames
  • over a public IP address within a range owned by the enterprise

In contrast, behavior that includes the following is indicative of an attack:

  • extreme counts of failed sign-ins from many unknown usernames
  • never previously successfully authenticated
  • from multiple RDP connections
  • from new source IP addresses

Understanding the context of failed sign-ins and inbound connections is key to discriminating between true positive (TP) and false positive (FP) brute force attacks, especially if the goal is to automatically raise only high-precision alerts to the appropriate recipients, as we do in Microsoft Defender ATP.

We analyzed several months’ worth of data to mine insights into the types of RDP brute force attacks occurring across Microsoft Defender ATP customers. Out of about 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in, we discovered that, on average, several hundred machines per day had high probability of undergoing one or more RDP brute force attack attempts. Of the subpopulation of machines with detected brute force attacks, the attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.

Figure 1: Empirical distribution in number of days per machine where we observed 1 or more brute force attacks

As discussed in numerous other studies [1], large counts of failed sign-ins are often associated with brute force attacks. Looking at the count of daily failed sign-ins, 90% of cases exceeded 10 attempts, with a median larger than 60. In addition, these unusual daily counts had high positive correlation with extreme counts in shorter time windows (see Figure 2). In fact, the number of extreme failed sign-ins per day typically occurred under 2 hours, with about 40% failing in under 30 minutes.

Figure 2: Count of daily and maximum hourly network failed sign-ins for a local machine under brute force attack

While a detection logic based on thresholding the count of failed sign-ins during daily or finer grain time window can detect many brute force attacks, this will likely produce too many false positives. Worse, relying on just this will yield false negatives, missing successful enterprise compromises: our analysis revealed several instances where brute force attacks generated less than 5-10 failed attempts at a daily granularity but often persisted for many days, thereby avoiding extreme counts at any point in time. For such a brute force attack, thresholding the cumulative number of failed sign-ins across time could be more useful, as depicted in Figure 3.

Figure 3: Daily and cumulative failed network sign-in

Looking at counts of network failed sign-ins provides a useful but incomplete picture of RDP brute force attacks. This can be further augmented with additional information on the failed sign-in, such as the failure reason, time of day, and day of week, as well as the username itself. An especially strong signal is the source IP of the inbound RDP connection. Knowing if the external IP has a high reputation of abuse, as can be looked up on sites like https://www.abuseipdb.com/, can directly confirm if an IP is a part of an active brute force.

Unfortunately, not all IP addresses have a history of abuse; in addition, it can be expensive to retrieve information about many external IP addresses on demand. Maintaining a list of suspicious IPs is an option, but relying on this can result in false negatives as, inevitably, new IPs continually occur, particularly with the adoption of cloud computing and ease of spinning up virtual machines. A generic signal that can augment failed sign-in and user information is counting distinct RDP connections from external IP addresses. Again, extreme values occurring at a given time or cumulated over time can be an indicator of attack.

Figure 4 shows histograms (i.e., counts put into discrete bins) of daily counts of RDP public connections per machine that occurred for an example enterprise with known brute force attacks. It’s evident that normal machines have a lower probability of larger counts compared to machines attacked.

Figure 4: Histograms of daily count of RDP inbound across machines for an example enterprise

Given that some enterprises have machines under brute force attack daily, the priority may be to focus on machines that have been compromised, defined by a first successful sign-in following failed attempts from suspicious source IP addresses or unusual usernames. In Windows logs, Event ID 4624 can be leveraged to measure successful sign-in events for local machine in combination with failed sign-ins (Event ID 4625).

Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised. Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days. Figure 5 shows a bubble chart of the average abuse score of external IPs associated with RDP brute force attacks that successfully compromised machines. The size of the bubbles is determined by the count of distinct machines across the enterprises analyzed having a network connection from each IP. While there is diversity in the origin of the source IPs, Netherlands, Russia, and the United Kingdom have a larger concentration of inbound RDP connections from high-abuse IP.

Figure 5: Bubble chart of IP abuse score versus counts of machine with inbound RDP

A key takeaway from our analysis is that successful brute force attempts are not uncommon; therefore, it’s critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events. In the following sections we describe a methodology to do this. This methodology was leveraged by Microsoft Threat Experts to augment threat hunting and resulted in new targeted attack notifications.

Combining many relevant signals

As discussed earlier (with the example of scripts connecting via RDP using outdated passwords yielding failed sign-ins), simply relying on thresholding failed attempts per machine for detecting brute force attacks can be noisy and may result in many false positives. A better strategy is to utilize many contextually relevant signals, such as:

  • the timing, type, and count of failed sign-in
  • username history
  • type and frequency of network connections
  • first-time username from a new source machine with a successful sign-in

This can be even further extended to include indicators of attack associated with brute force, such as port scanning.

Combining multiple signals along the attack chain has been proposed and shown promising results [2]. We considered the following signals in detecting RDP inbound brute force attacks per machine:

  • hour of day and day of week of failed sign-in and RDP connections
  • timing of successful sign-in following failed attempts
  • Event ID 4625 login type (filtered to network and remote interactive)
  • Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
  • cumulative count of distinct username that failed to sign in without success
  • count (and cumulative count) of failed sign-ins
  • count (and cumulative count) of RDP inbound external IP
  • count of other machines having RDP inbound connections from one or more of the same IP

Unsupervised probabilistic time series anomaly detection

For many cybersecurity problems, including detecting brute force attacks, previously labeled data is not usually available. Thus, training a supervised learning model is not feasible. This is where unsupervised learning is helpful, enabling one to discover and quantify unknown behaviors when examples are too sparse. Given that several of the signals we consider for modeling RDP brute force attacks are inherently dependent on values observed over time (for example, daily counts of failed sign-ins and counts of inbound connections), time series models are particularly beneficial. Specifically, time series anomaly detection naturally provides a logical framework to quantify uncertainty in modeling temporal changes in data and produce probabilities that then can be ranked and thresholded to control a desirable false positive rate.

Time series anomaly detection captures the temporal dynamics of signals and accurately quantifies the probability of observing values at any point in time under normal operating conditions. More formally, if we introduce the notation Y(t) to denote the signals taking on values at time t, then we build a model to compute reliable estimates of the probability of Y(t) exceeding observed values given all known and relevant information, represented by P[y(t)], sometimes called an anomaly score. Given a false positive tolerance rate r (e.g., .1% or 1 out of 10,000 per time), for each time t, values y*(t) satisfying P[y*(t)] < r would be detected as anomalous. Assuming the right signals reflecting the relevant behaviors of the type of attacks are chosen, then the idea is simple: the lowest anomaly scores occurring per time will be likely associated with the highest likelihood of real threats.

For example, looking back at Figure 2, the time series of daily count of failed sign-ins occurring on the brute force attack day 8/4/2019 had extreme values that would be associated with an empirical probability of about .03% out of all machine and days with at least 1 failed network sign-in for the enterprise.

As discussed earlier, applying anomaly detection to 1 or a few signals to detect real attacks can yield too many false positives. To mitigate this, we combined anomaly scores across eight signals we selected to model RDP brute force attack patterns. The details of our solution are included in the Appendix, but in summary, our methodology involves:

  • updating statistical discrete time series models sequentially for each signal, capturing time of day, day of week, and both point and cumulative effects
  • combining anomaly scores using an approach that yields accurate probability estimates, and
  • ranking the top N anomalies per day to control a desired number of false positives

Our approach to time series anomaly detection is computationally efficient, automatically learns how to update probabilities and adapt to changes in data.

As we describe in the next section, this approach has yielded successful attack detection at high precision.

Protecting customers from real-word RDP brute force attacks through Microsoft Threat Experts

The proposed time series anomaly detection model was deployed and utilized by Microsoft Threat Experts to detect RDP brute force attacks during threat hunting activities. A list that ranks machines across enterprises with the lowest anomaly scores (indicating the likelihood of observing a value at least as large under expected conditions in all signals considered) is updated and reviewed every day. See Table 1 for an example.

Table 1: Sample ranking of detected RDP inbound brute force attacks

For each machine with detection of a probable brute force attack, each instance is assigned TP, FP, or unknown. Each TP is then assigned priority based on the severity of the attack. For high-priority TP, a targeted attack notification is sent to the associated organization with details about the active brute force attack and recommendations for mitigating the threat; otherwise the machine is closely monitored until more information is available.

We also added an extra capability to our anomaly detection: automatically sending targeted attack notifications about RDP brute force attacks, in many cases before the attack succeeds or before the actor is able to conduct further malicious activities. Looking at the most recent sample of about two weeks of graded detections, the average precision per day (i.e., true positive rate) is approximately 93.7% at a conservative false positive rate of 1%.

In conclusion, based on our careful selection of signals found to be highly associated with RDP brute force attacks, we demonstrated that proper application of time series anomaly detection can be very accurate in identifying real threats. We have filed a patent application for this probabilistic time series model for detecting RDP inbound brute force attacks. In addition, we are working on integrating this capability into Microsoft Defender ATP’s endpoint and detection response capabilities so that the detection logic can raise alerts on RDP brute force attacks in real-time.

Monitoring suspicious activity in failed sign-in and network connections should be taken seriously—a real-time anomaly detection capable of self-updating with the changing dynamics in a network can indeed provide a sustainable solution. While Microsoft Defender ATP already has many anomaly detection capabilities integrated into its EDR capabilities, we will continue to enhance these detections to cover more security scenarios. Through data science, we will continue to combine robust statistical and machine learning approaches with threat expertise and intelligence to deliver industry-leading protection to our customers.

 

 

Cole Sodja, Justin Carroll, Joshua Neil
Microsoft Defender ATP Research Team

 

 

Appendix 1: Models formulation

We utilize hierarchical zero-adjusted negative binomial dynamic models to capture the characteristics of the highly discrete count time series. Specifically, as shown in Figure 2, it’s expected that most of the time there won’t be failed sign-ins for valid credentials on a local machine; hence, there are excess zeros that would not be explained by standard probability distributions such as the negative binomial. In addition, the variance of non-zero counts is often much larger than the mean, where for example, valid scripts connecting via RDP can generate counts in the 20s or more over several minutes because of an outdated password. Moreover, given a combination of multiple users or scripts connecting to shared machines at the same time, this can generate more extreme counts at higher quantiles resulting in heavier tails, as seen in Figure 6.

Figure 6: Daily count of network failed sign-in for a machine with no brute force attack

Parametric discrete location/scale distributions do not generate well-calibrated p-values for rare time series, as seen in Figure 6, and thus if used to detect anomalies can result in too many FPs when looking across many machines at high time frequencies. To overcome this challenge dealing with the sparse time series of counts of failed sign-in and RDP inbound public connections we specify a mixture model, where, based on our analysis, a zero-inflated two-component negative binomial distribution was adequate.

Our formulation is based on thresholding values that determine when to transition to a distribution with larger location and/or scale as given in Equation 1. Hierarchical priors are given from empirical estimates of the sample moments across machines using about 1 month of data.

Equation 1: Zero-adjusted negative binomial threshold model

Negative binomial distribution (NB):

To our knowledge, this formulation does not yield a conjugate prior, and so directly computing probabilities from the posterior predicted density is not feasible. Instead, anomaly scores are generated based on drawing samples from all distributions and then computing the empirical right-tail p-value.

Updating parameters is done based on applying exponential smoothing. To avoid outliers skewing estimates, such as machines under brute force or other attacks, trimming is applied to sample from the distribution at a specified false positive rate, which was set to .1% for our study. Algorithm 1 outlines the logic.

The smoothing parameters were learned based on maximum likelihood estimation and then fixed during each new sequential update. To induce further uncertainty, bootstrapping across machines is done to produce a histogram of smoothing weights, and samples are drawn in accordance to their frequency. We found that weights concentrated away from 0 vary between .06% and 8% for over 90% of machines, thus leading to slow changes in the parameters. An extension using adaptive forgetting factors will be considered in future work to automatically learn how to correct smoothing in real time.

Algorithm 1: Updating model parameters real-time

Appendix 2: Fisher Combination

For a given device, for each signal that exists a score is computed defined as a p-value, where lower values are associated with higher likelihood of being an anomaly. Then the p-values are combined to yield a joint score across all signals based on using the Fisher p-value combination method as follows:

The use of Fisher’s test applied to anomaly scores produces a scalable solution that yields interpretable probabilities that thus can be controlled to achieve a desired false positive rate. This has even been applied in a cybersecurity context. [3]

 

 

[1] Najafabadi et al, Machine Learning for Detecting Brute Force Attacks at the Network Level, 2014 IEEE 14th International Conference on Bioinformatics and Bioengineering
[2] Sexton et al, Attack chain detection, Statistical Analysis and Data Mining, 2015
[3] Heard, Combining Weak Statistical Evidence in Cyber Security, Intelligent Data Analysis XIV, 2015

The post Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks appeared first on Microsoft Security.

Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities

December 12th, 2019 No comments

Many of today’s threats evolve to incorporate as many living-off-the-land techniques as possible into the attack chain. The PowerShell-based downloader Trojan known as sLoad, however, puts all its bets on BITS.

Background Intelligent Transfer Service (BITS) is a component of the Windows operating system that provides an ability to transfer files in an asynchronous and throttled fashion using idle bandwidth. Abusing BITS, which provides the ability to create self-contained jobs that can be prioritized and queued up and that can launch other programs, has become a prevalent attack technique. Recent sophisticated malware campaigns like Astaroth have found success in the use of BITS for downloading payloads or additional components, especially in systems where the firewall is not configured to block malicious traffic from BITS jobs.

sLoad, detected by Windows Defender Antivirus as TrojanDownloader:PowerShell/sLoad, is used by adversaries for exfiltrating system information and delivering additional payloads in targeted attacks. It has been around for a few years and has not stopped evolving. What hasn’t changed, though, is its use of BITS for all of its exfiltration activities, as well as command-and-control (C2) communications from handshake to downloading additional payloads.

Once sLoad has infiltrated a machine, it can allow attackers to do further, potentially more damaging actions. Using exfiltrated information, attackers can identify what security solutions are running and test payloads before they are sneaked into the compromised system or, worse, high-priced targets. sLoad uses scheduled tasks, which runs the malware every three minutes, opening the window of opportunity for further compromise—hence raising the risk for the affected machine—every time it runs. We have already seen the malware attempt to deliver several other, potentially more dangerous Trojans to compromised machines.

While several malware campaigns have leveraged BITS, sLoad’s almost exclusive use of the service is notable. sLoad uses BITS as an alternative protocol to perform data exfiltration and most of its other malicious activities, enabling the malware to evade defenders and protections that may not be inspecting this unconventional protocol. Cloud-based machine learning-driven behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection detect and block sLoad’s activities as Behavior:Win32/sLoad.A.

In this blog we’ll share our analysis of the multiple ways in which sLoad is abusing BITS and share how Microsoft Defender Advanced Threat Protection defeats these advanced malware techniques.

Stealthy installation via multiple cascaded scripts

sLoad is known to infect machines using spear-phishing emails and a common but effective detection evasion technique: the cascaded scripts. One script drops or downloads one or more scripts, passes control to one of these scripts, and repeats the process multiple times until the final component is installed.

Over time, we’ve seen some variations of this technique. One sLoad campaign used the link target field of a LNK file to run PowerShell commands that extracts and runs the first-stage PowerShell code, which is appended to the end of the LNK file or, in one instance, the end of the ZIP file that originally contained the LNK file. In another campaign, the first-stage PowerShell code itself uses a download BITS job to download either the sLoad script and the C2 URL file or the sLoad dropper PowerShell script that embeds the encrypted sLoad script and C2 URL file within itself.

In the most recent attacks, for the first stage, sLoad shifted from using PowerShell script to VBScript. The randomly named VBScript file is simply a proxy that builds and then drops and runs a PowerShell script, always named rr.ps1. This is none other than the same sLoad PowerShell dropper mentioned earlier that embeds the encrypted sLoad script and C2 URL file within itself.

In most variations of the installation, the sLoad dropper script is the last intermediate stage that performs the following actions, and eventually decrypts and runs the final sLoad script:

  1. Creates an installation folder in the %APPDATA% folder named after the first 6 characters of the Win32 Product UUID. 
  2. Drops an infection marker file named _in, and during the successive executions, uses the LastWriteTime on this file to check whether the malware is installed within last 30 mins, in which case, it terminates. 
  3. Drops the encrypted sLoad script and the C2 URL file as config.ini and web.ini, respectively. 
  4. Builds and drops two more randomly named scripts: one VBScript and one PowerShell script. 
  5. Uses schtasks.exe to create a scheduled task named AppRunLog to run the randomly named VBScript from the previous step with decryption key supplied as a command line parameter; deletes the previously created related tasks (if found) before creating this one. The scheduled task is configured to start at 7:00 AM and run every 3 mins. 

The dropped VBScript that runs under the scheduled task is yet another proxy that simply runs the dropped PowerShell script with the same command line parameter (the decryption key). The PowerShell script decrypts the contents of the previously dropped config.ini in the memory into another piece of PowerShell code, which it then runs. This is the final component, the script detected as TrojanDownloader:PowerShell/sLoad, that uses BITS to perform every important malicious activity.

BITS abuse

The sLoad PowerShell script (the final component) then abuses BITS to carry out all of the following activities:

Finding an active C2 server

The malware decrypts the contents of previously dropped web.ini into a set of 2 URLs and creates a BITS download jobs to test the connection to these URLs. It then saves the URL that responds in the form of a file that contains a message “sok”, being downloaded as part of created BITS job. This ensures that the handshake is complete.

If none responds, the script appends the number “1” to the domain names in both URLs, saves the encrypted data back to the web.ini file, and exits from the script. As a result, the next time the scheduled job runs, the script uses the modified web.ini to obtain the modified URLs to attempt connecting to an active C2. With each unsuccessful attempt of connecting with C2s, the number appended to the domain names is increased by increments of 1 until it reaches 50, at which time it resets to 1. This technique offers a bit of a cushion and ensures continued contact between a compromised machine and a C2, in case the primary C2 is blocked.

This prevents the malware infrastructure from losing a compromised host if the primary C2 is blocked. It’s also interesting to see how the URLs used to reach C2 are structured to appear related to CAPTCHA verification, an attempt to escape watchful eyes.

Fetching a new list of C2s

For continued exfiltration of information, it’s important to maintain contact with an active C2. As the malicious domains cannot stay up running for a long time, the malware packs a functionality to refresh the list of C2 every time the scheduled task runs. Using a BITS download job, the malware downloads a new copy of web.ini from the active C2 to provisions a new set of C2s for future use.

Exfiltrating system information

Once an active C2 is identified, the malware starts collecting system information by performing the following:

  • saves the output of “net view” command
  • enumerates network drives and saves the provider names and device ids
  • produces the list of all running processes
  • obtains the OS caption
  • looks for Outlook folder, as well as Independent Computing Architecture (ICA) files, which are used by Citrix application servers to store configuration information

It then creates a BITS download job with the RemoteURL built using the URL for active C2 and the system information collected up this point.

Crafting URLs infused with stolen info is not a novel attacker technique. In addition, creating a BITS job with an extremely large RemoteURL parameter that includes non-encrypted system information stands out and is relatively easy to detect. However, this malware’s use of a download job instead of an upload job is a clever move to achieve stealth.

Deploying additional payloads

Because the malware exfiltrates system information using a BITS download job, it gets an opportunity to receive a response in the form of a file downloaded to the machine. It uses this opportunity to obtain additional payloads from the C2.

It sleeps and waits for the file to be downloaded. If the downloaded file instructs to download and invoke additional PowerShell codes, the supplied URL is used for the task. If not, then the URL is assumed to be pointing to an encoded PE image payload. The malware creates another BITS download job to download this payload, creates a copy of this newly downloaded encoded file, and uses another Windows utility, certutil.exe, to decode it into a portable executable (PE) file with .exe extension. Finally, it uses PowerShell.exe to run the decoded PE payload. One more BITS download job is created to download additional files.

Spying

The malware comes built with one of the most notorious spyware features: uploading screenshots. At several stages during the installation as well as when running additional payloads, the malware takes several screenshots at short intervals. It then uses a BITS upload job to send the stolen screenshots to the active C2. This is the only time that it uses an upload job, and these are the only files it uploads to the C2. Once uploaded, the screenshots are deleted from the machine.

Conclusion: Multiple layers of protection against multi-stage living-off-the-land threats

sLoad is just one example of the increasingly more prevalent threats that can perform most of their malicious activities by simply living off the land. In this case, it’s a dangerous threat that’s equipped with notorious spyware capabilities, infiltrative payload delivery, and data exfiltration capabilities. sLoad’s behavior can be classified as a Type III fileless technique: while it drops some malware files during installation, its use of only BITS jobs to perform most of its harmful behaviors and scheduled tasks for persistence achieves an almost fileless presence on compromised machines.

To defeat multi-stage, stealthy, and persistent threats like sLoad, Microsoft Defender ATP’s antivirus component uses multiple next-generation protection engines on the client and in the cloud. While most threats are identified and stopped by many of these engines, behavioral blocking and containment capabilities detects malicious behaviors and blocks threats after they have started running:

These detections are also surfaced in Microsoft Defender Security Center. Security operations teams can then use Microsoft Defender ATP’s other capabilities like endpoint detection and response (EDR), automated investigation and response, Threat and Vulnerability Management, and Microsoft Threat Experts to investigate and respond to attacks. This reflects the defense-in-depth strategy that is central to the unified endpoint protection provided by Microsoft Defender ATP.

As part of Microsoft Threat Protection, Microsoft Defender ATP shares security signals about this threat to other security services, which likewise inform and enrich endpoint protection. For example, Office 365 ATP’s intelligence on the emails that carry sLoad is shared to and used by Microsoft Defender ATP to build even stronger defenses at the source of infection. Real-time signal-sharing across Microsoft’s security services gives Microsoft Threat Protection unparalleled visibility across attack vectors and the unique ability to provide comprehensive protection against identities, endpoints, data, cloud apps, and infrastructure.

 

Sujit Magar
Microsoft Defender ATP Research Team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

 

The post Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities appeared first on Microsoft Security.

GALLIUM: Targeting global telecom

December 12th, 2019 No comments

Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, we’re encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks.

To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.

This activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.

Following Microsoft’s internal practices of assigning chemical elements to activity groups, GALLIUM is the code name for this activity group.

GALLIUM’s profile

Reconnaissance methods

As is often the case with the reconnaissance methods, it’s difficult to be definitive about those employed by GALLIUM. This is due to the passive nature of reconnaissance activities by the actor including the use of freely available data from open sources, such as public websites and social media outlets. However, based on MSTIC analyst assessments, GALLIUM’s exploitation of internet-facing services indicates it’s likely they use open source research and network scanning tools to identify likely targets.

Delivery and exploitation

To gain initial access a target network, GALLIUM locates and exploits internet-facing services such as web servers. GALLIUM has been observed exploiting unpatched web services, such as WildFly/JBoss, for which exploits are widely available. Compromising a web server gives GALLIUM a foothold in the victim network that doesn’t require user interaction, such as traditional delivery methods like phishing.

Following exploitation of the web servers, GALLIUM actors typically install web shells, and then install additional tooling to allow them to explore the target network.

Lateral movement

GALLIUM uses a variety of tools to perform reconnaissance and move laterally within a target network. The majority of these are off-the-shelf tools or modified versions of known security tools. MSTIC investigations indicate that GALLIUM modifies its tooling to the extent it evades antimalware detections rather than develop custom functionality. This behavior has been observed with GALLIUM actors across several operational areas.

GALLIUM has been observed using several tools. Samples of the most prevalent are noted in Table 1.

Tool Purpose
HTRAN Connection bouncer to proxy connections.
Mimikatz Credential dumper.
NBTScan Scanner for open NETBIOS nameservers on a local or remote TCP/IP network.
Netcat Reads from and writes to network connections using TCP or UDP protocols.
PsExec Executes a command line process on a remote machine.
Windows Credential Editor (WCE) Credential dumper.
WinRAR Archiving utility.

Table 1: GALLIUM tooling.

GALLIUM has signed several tools using stolen code signing certificates. For example, they’ve used a credential dumping tool signed using a stolen certificate from Whizzimo, LLC, as shown in Figure 1. The code signing certificate shown in Figure 1 was no longer valid at the time of writing; however, it shows GALLIUM had access to such certificates.

Image showing "Signers" using in the credential dumping tool signed using a stolen Whizzimo, LLC certificate.

Figure 1. Credential dumping tool signed using a stolen Whizzimo, LLC certificate.

GALLIUM primarily relies on compromised domain credentials to move through the target network, and as outlined above, uses several credential harvesting tools. Once they have acquired credentials, the activity group uses PsExec extensively to move laterally between hosts in the target network.

Installation

GALLIUM predominantly uses widely available tools. In certain instances, GALLIUM has modified these tools to add additional functionality. However, it’s likely these modifications have been made to subvert antimalware solutions since much of the malware and tooling employed by GALLIUM is historic and is widely detected by security products. For example, QuarkBandit is a modified version of the widely used Gh0st RAT, an openly available remote access tool (RAT). Similarly, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM’s toolkit for maintaining access to a victim network.

Infrastructure

GALLIUM predominantly uses dynamic DNS subdomains to provide command and control (C2) infrastructure for their malware. Typically, the group uses the ddns.net and myftp.biz domains provided by noip.com. MSTIC analysis indicates the use of dynamic DNS providers as opposed to registered domains is in line with GALLIUM’s trend towards low cost and low effort operations.

GALLIUM domains have been observed hosted on infrastructure in mainland China, Hong Kong SAR, and Taiwan.

When connecting to web shells on a target network GALLIUM has been observed employing Taiwan-based servers. Observed IP addresses appear to be exclusive to GALLIUM, have little to no legitimate activity, and are reused in multiple operations. These servers provide high fidelity pivot points during an investigation.

A package of GALLIUM indicators containing GALLIUM command and control domains used during this operation have been prepared for Azure Sentinel and is available on the Microsoft GitHub.

Image showing an Azure Sentinel query of GALLIUM indicators.

Figure 2. Azure Sentinel query of GALLIUM indicators.

GALLIUM use of malware

First stage

GALLIUM does not typically use a traditional first stage installer for their malware. Instead, the group relies heavily on web shells as a first method of persistence in a victim network following successful exploitation. Subsequent malware is then delivered through existing web shell access.

Microsoft Defender Advanced Threat Protection (ATP) exposes anomalous behavior that indicate web shell installation and post compromise activity by analysing script file writes and process executions. Microsoft Defender ATP offers a number of detections for web shell activity protecting customers not just from GALLIUM activity but broader web shell activity too. Read the full report in your Microsoft Defender ATP portal.

Image showing Microsoft Defender ATP web shell detection.

Figure 3. Microsoft Defender ATP web shell detection.

When alerted of these activities, the security operations team can then use the rich capabilities in Microsoft Defender ATP to investigate web shell activity and subsequent reconnaissance and enumeration activity to resolve web shell attacks.

Image showing a Microsoft Defender ATP web shell process tree.

Figure 4. Microsoft Defender ATP web shell process tree.

In addition to standard China Chopper, GALLIUM has been observed using a native web shell for servers running Microsoft IIS that is based on the China Chopper web shell; Microsoft has called this “BlackMould.”

BlackMould contains functionality to perform the following tasks on a victim host:

  • Enumerate local drives.
  • Employ basic file operations like find, read, write, delete, and copy.
  • Set file attributes.
  • Exfiltrate and infiltrate files.
  • Run cmd.exe with parameters.

Commands are sent in the body of HTTP POST requests.

Second stage

In cases where GALLIUM has deployed additional malware on a victim network, they’ve used versions of the Gh0st RAT (modified Ghost RAT detected as QuarkBandit) and Poison Ivy malware. In both cases, GALLIUM has modified the communication method used by the malware, likely to prevent detection through existing antimalware signatures since both malware families have several detections based on their original communication methods. Malware families are noted in Table 2.

Malware family Description and primary usage
BlackMould Native IIS web shell based on the China Chopper web shell.
China Chopper Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.
Poison Ivy (modified) Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version that appears to be unique to GALLIUM.
QuarkBandit Gh0st RAT variant with modified configuration options and encryption.

Table 2. GALLIUM malware families.

GALLIUM’s malware and tools appear to be highly disposable and low cost. In cases where GALLIUM has invested in modifications to their toolset, they appear to focus on evading antimalware detection, likely to make the malware and tooling more effective.

The MSTIC team works closely with Microsoft security products to implement detections and protections for GALLIUM malware and tooling in a number of Microsoft products. Figure 4 shows one such detection for a GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Image showing the GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Figure 5. GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Additionally, MSTIC has authored a number of antimalware signatures for Windows Defender Antivirus covering the aforementioned malware families, a list of GALLIUM exclusive signature can be found in the Related indicators” section.

In addition to these malware families, GALLIUM has been observed employing SoftEther VPN software to facilitate access and maintain persistence to a target network. By installing SoftEther on internal systems, GALLIUM is able to connect through that system as though they are on the internal network of the target. SoftEther provides GALLIUM with another means of persistence and flexibility with the added benefit that its traffic may appear to be benign on the target network.

Recommended defenses

The following are recommended defenses security operations teams can take to mitigate the impact of threats like GALLIUM in your corporate environment:

  • Maintain web server patching and log audits, run web services with minimum required operating system permissions
  • Install security updates on all applications and operating systems promptly. Check the Security Update Guide for detailed information about available Microsoft security updates.
  • For efficient incident response, maintain a forensics-ready network with centralized event logging, file detonation services, and up-to-date asset inventories.
  • Enable cloud-delivered protection and maintain updated antivirus.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence (AI) and machine learning to quickly identify and stop new and unknown threats.
  • Use behavior detection solutions to catch credential dumping or other activity that may indicate a breach.
  • Adopt Azure ATP—a cloud-based security solution that leverages your on-premises Active Directory signals—to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
  • Use Microsoft Defender ATP to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
  • Institute Multi-Factor Authentication (MFA) to mitigate against compromised accounts.

Related indicators

The list below provides known GALLIUM tooling and Indicators of Compromise (IOCs) observed during this activity. Microsoft encourages customers to implement detections and protections to identify possible prior campaigns or prevent future campaigns against their systems.

Tooling

Tool Purpose
HTRAN Connection bouncer to proxy connections.
Mimikatz Credential dumper.
NBTScan Scanner for open NETBIOS nameservers on a local or remote TCP/IP network.
Netcat Reads from and writes to network connections using TCP or UDP protocols.
PsExec Executes a command line process on a remote machine.
Windows Credential Editor (WCE) Credential dumper.
WinRAR Archiving utility.

Malware

Malware Notes
BlackMould Native IIS version of the China Chopper web shell.
China Chopper Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.
Poison Ivy (modified) Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version which appears to be unique to GALLIUM.
QuarkBandit Gh0st RAT variant with modified configuration options and encryption.

Indicators

Indicator Type
asyspy256[.]ddns[.]net Domain
hotkillmail9sddcc[.]ddns[.]net Domain
rosaf112[.]ddns[.]net Domain
cvdfhjh1231[.]myftp[.]biz Domain
sz2016rose[.]ddns[.]net Domain
dffwescwer4325[.]myftp[.]biz Domain
cvdfhjh1231[.]ddns[.]net Domain
9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd Sha256
7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b Sha256
657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5 Sha256
2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29 Sha256
52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77 Sha256
a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3 Sha256
5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022 Sha256
6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883 Sha256
3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e Sha256
1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7 Sha256
fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1 Sha256
7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c Sha256
178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945 Sha256
51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9 Sha256
889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79 Sha256
332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf Sha256
44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08 Sha256
63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef Sha256
056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070 Sha256
TrojanDropper:Win32/BlackMould.A!dha Signature Name
Trojan:Win32/BlackMould.B!dha Signature Name
Trojan:Win32/QuarkBandit.A!dha Signature Name
Trojan:Win32/Sidelod.A!dha Signature Name

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post GALLIUM: Targeting global telecom appeared first on Microsoft Security.

The quiet evolution of phishing

December 11th, 2019 No comments

The battle against phishing is a silent one: every day, Office 365 Advanced Threat Protection detects millions of distinct malicious URLs and email attachments. Every year, billions of phishing emails don’t ever reach mailboxes—real-world attacks foiled in real-time. Heuristics, detonation, and machine learning, enriched by signals from Microsoft Threat Protection services, provide dynamic, robust protection against email threats.

Phishers have been quietly retaliating, evolving their techniques to try and evade these protections. In 2019, we saw phishing attacks reach new levels of creativity and sophistication. Notably, these techniques involve the abuse of legitimate cloud services like those offered by Microsoft, Google, Amazon, and others. At Microsoft, we have aggressive processes to identify and take down nefarious uses of our services without affecting legitimate applications.

In this blog we’ll share three of the most notable attack techniques we spotted this year. We uncovered these attacks while studying Office 365 ATP signals, which we use to track and deeply understand attacker activity and build durable defenses against evolving and increasingly sophisticated email threats.

Hijacked search results lead to phishing

Over the years, phishers have become better at evading detection by hiding malicious artifacts behind benign ones. This tactic manifests in, among many others, the use of URLs that point to legitimate but compromised websites or multiple harmless-looking redirectors that eventually lead to phishing.

One clever phishing campaign we saw in 2019 used links to Google search results that were poisoned so that they pointed to an attacker-controlled page, which eventually redirected to a phishing page. A traffic generator ensured that the redirector page was the top result for certain keywords.

Figure 1. Phishing attack that used poisoned search results

Using this technique, phishers were able to send phishing emails that contained only legitimate URLs (i.e., link to search results), and a trusted domain at that, for example:

  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EhOJoXatrCPy%3C/a%3E
  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EyEg5xg1736iIgQVF%3C/a%3E

The campaign was made even stealthier by its use of location-specific search results. When accessed by users in Europe, the phishing URL led to the redirector website c77684gq[.]beget[.]tech, and eventually to the phishing page. Outside Europe, the same URL returned no search results.

For this to work, attackers had to make sure that their website, c77684gq[.]beget[.]tech, was the top search result for the keyword “hOJoXatrCPy” when queried from certain regions. The website’s HTML code is composed of a redirector script and a series of anchor elements:

Figure 2. Redirector code

These anchor elements were designed to be crawled by search engines so that the page is indexed and returned as result for the search keywords that attackers wanted to use for their campaign.

Figure 3. Anchor tags containing search keywords

The attackers then set up a traffic generator to poison search results. Because the phishing URL used the open redirector functionality, it redirected to the top search result, hence the redirector page.

404 Not Found pages customized to be phishing sites

The other way that phishers evade detection is to use multiple URLs and sometimes even multiple domains for their campaigns. They use techniques like subdomain generation algorithms to try and always get ahead of solutions, which, without the right dynamic technologies, will be forced continually catch up as phishers generate more and more domains and URLs.

This year, attackers have found another shrewd way to serve phishing: custom 404 pages. We uncovered a phishing campaign targeting Microsoft that used 404 pages crafted as phishing pages, which gave phishers virtually unlimited phishing URLs.

Figure 4. Phishing attack that uses specially crafted 404 Not Found error page

The custom 404 page was designed to look like the legitimate Microsoft account sign-in page.

Figure 5. 404 page designed as phishing page

Because the malformed 404 page is served to any non-existent URL in an attacker-controlled domain, the phishers could use random URLs for their campaigns. For example, we saw these two URLs used in phishing campaigns; the attackers added a single character to the second one to generate a new URL but serve the same phishing page:

  • hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQ
  • hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQs

We also found that the attackers randomized domains, exponentially increasing the number of phishing URLs:

  • outlookloffice365usertcph4l3q[.]web[.]app
  • outlookloffice365userdqz75j6h[.]web[.]app
  • outlookloffice365usery6ykxo07[.]web[.]app

All of these non-existent URLs returned the 404 error page, i.e., the phishing page:

Figure 6. When phishing URL is accessed, server responds with HTTP 404 error message, which is a phishing page

Man-in-the-middle component for dynamic phishing attack

Phishers have also been getting better at impersonation: the more legitimate the phishing emails looked, the better their chances at tricking recipients. Countless brands both big and small have been targets of spoofing by phishers.

One particular phishing campaign in 2019 took impersonation to the next level. Instead of attackers copying elements from the spoofed legitimate website, a man-in-the-middle component captured company-specific information like logos, banners, text, and background images from Microsoft’s rendering site.

Phishers sent out emails with URLs pointing to an attacker-controlled server, which served as the man-in-the-middle component and simulated Microsoft sign-in pages. The server identified certain specific information based on the recipient’s email address, including the target company, and then gathered the information specific to that company. The result was the exact same experience as the legitimate sign-page, which could significantly reduce suspicion.

Figure 7. Phishing attack that abuses Microsoft’s rendering site

Using the same URL, the phishing site was rendered differently for different targeted users. To generate legitimate-looking phishing sites, the server used the following code to retrieve the banner used by the target’s victim company as identified by the domain information in the email address; the response is the URL for the company banner:

Figure 8. Code snippet for requesting the banner

The server also retrieved the text used in the company’s sign-in page; the response is the actual text specific to the target victim’s company:

Figure 9. Code snippet for requesting the company-specific text

To complete the legitimate-looking phishing page, the server requested the background image using the code below; the response is the URL to the image:

Figure 10. Codes snippets for requesting background image

Office 365 ATP: Durable and dynamic defense for evolving email threats

The phishing techniques that we discussed in this blog are vastly different from each, but they are all clever attempts to achieve something that’s very important for phishers and other cybercrooks: stealth. The longer phishers can quietly hide from security solutions, the more chances they have to invade inboxes and trick people into divulging sensitive information.

To hunt down phishing and other threats that don’t want to be found, Office 365 ATP uses advanced security technologies that expose sophisticated techniques. Our URL detonation technology can follow the attack chain so it can detect threats even if they hide behind legitimate services and multiple layers of redirectors.

This rich visibility into email threats allows Office 365 ATP to continuously inform and improve its heuristic and machine learning protections so that new and emerging campaigns are blocked in real-time—silently protecting customers from attacks even when they don’t know it. The insights from Office 365 ATP also allow our security experts to track emerging techniques and other attacker activities like the ones we discussed in this blog, allowing us to ensure that our protections are effective not just for the campaigns that we see today but those that might emerge in the future.

In addition, with the new campaign views in Office 365 ATP currently in preview, enterprises can get a broad picture of email campaigns observed in their network, with details like when the campaign started, the sending pattern and timeline, the list of IP addresses and senders used in the attack, which messages were blocked or otherwise, and other important information.

As an important component of Microsoft Threat Protection, Office 365 ATP provides critical security signals about threat that arrive via email—a common entry point for cyberattacks—to the rest of Microsoft’s security technologies, helping provide crucial protection at the early stages of attacks. Through signal-sharing and remediation orchestration across security solutions, Microsoft Threat Protection provides comprehensive and integrated protection for identities, endpoints, user data, apps, and infrastructure.

 

Patrick Estavillo
Office 365 ATP Research Team

 

 

 


Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post The quiet evolution of phishing appeared first on Microsoft Security.

Insights from one year of tracking a polymorphic threat

November 26th, 2019 No comments

A little over a year ago, in October 2018, our polymorphic outbreak monitoring system detected a large surge in reports, indicating that a large-scale campaign was unfolding. We observed as the new threat attempted to deploy files that changed every 20-30 minutes on thousands of devices. We gave the threat the name “Dexphot,” based on certain characteristics of the malware code.

The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware.

In the months that followed, we closely tracked the threat and witnessed the attackers upgrade the malware, target new processes, and work around defensive measures:

Timeline of evolution of Dexphot malware

While Microsoft Defender Advanced Threat Protection’s pre-execution detection engines blocked Dexphot in most cases, behavior-based machine learning models provided protection for cases where the threat slipped through. Given the threat’s persistence mechanisms, polymorphism, and use of fileless techniques, behavior-based detection was a critical component of the comprehensive protection against this malware and other threats that exhibit similar malicious behaviors.

Microsoft Defender ATP data shows the effectiveness of behavioral blocking and containment capabilities in stopping the Dexphot campaign. Over time, Dexphot-related malicious behavior reports dropped to a low hum, as the threat lost steam.

Number of machines that encountered Dexphot over time

Our close monitoring of Dexphot helped us ensure that our customers were protected from the evolving threat. More importantly, one year’s worth of intelligence helped us gain insight not only into the goals and motivations of Dexphot’s authors, but of cybercriminals in general.

Complex attack chain

The early stages of a Dexphot infection involves numerous files and processes. During the execution stage, Dexphot writes five key files to disk:

  1. An installer with two URLs
  2. An MSI package file downloaded from one of the URLs
  3. A password-protected ZIP archive
  4. A loader DLL, which is extracted from the archive
  5. An encrypted data file that holds three additional executables that are loaded into system processes via process hollowing

Except for the installer, the other processes that run during execution are legitimate system processes. This can make detection and remediation more difficult. These legitimate system processes include msiexec.exe (for installing MSI packages), unzip.exe (for extracting files from the password-protected ZIP archive), rundll32.exe (for loading the loader DLL), schtasks.exe (for scheduled tasks), powershell.exe (for forced updates). In later stages, Dexphot targets a few other system processes for process hollowing: svchost.exe, tracert.exe, and setup.exe.

Dexphot attack chain

Multiple layers of security evasion

Based on Microsoft Defender ATP signals, SoftwareBundler:Win32/ICLoader and its variants are primarily used to drop and run the Dexphot installer. The installer uses two URLs to download malicious payloads. These are the same two URLs that Dexphot use later to establish persistence, update the malware, and re-infect the device.

The installer downloads an MSI package from one of the two URLs, and then launches msiexec.exe to perform a silent install. This is the first of several instances of Dexphot employing living-off-the-land techniques, the use of legitimate system processes for nefarious purposes.

Dexphot’s package often contains an obfuscated batch script. If the package contains this file, the script is the first thing that msiexec.exe runs when it begins the installation process. The said obfuscated script is designed to check for antivirus products. Dexphot halts the infection process immediately if an antivirus product is found running.

When we first began our research, the batch script only checked for antivirus products from Avast and AVG. Later, Windows Defender Antivirus was added to the checklist.

If the process is not halted, Dexphot decompresses the password-protected ZIP archive from the MSI package. The password to this archive is within the MSI package. Along with the password, the malware’s authors also include a clean version of unzip.exe so that they don’t have to rely on the target system having a ZIP utility. The unzip.exe file in the package is usually named various things, such as z.exe or ex.exe, to avoid scrutiny.

The ZIP archive usually contains three files: the loader DLL, an encrypted data file (usually named bin.dat), and, often, one clean unrelated DLL, which is likely included to mislead detection.

Dexphot usually extracts the decompressed files to the target system’s Favorites folder. The files are given new, random names, which are generated by concatenating words and numbers based on the time of execution (for example, C:\Users\<user>\Favorites\\Res.Center.ponse\<numbers>). The commands to generate the new names are also obfuscated, for example:

Msiexec.exe next calls rundll32.exe, specifying loader DLL (urlmon.7z in the example above) in order to decrypt the data file. The decryption process involves ADD and XOR operations, using a key hardcoded in the binary.

The decrypted data contains three executables. Unlike the files described earlier, these executables are never written to the filesystem. Instead, they exist only in memory, and Dexphot runs them by loading them into other system processes via process hollowing.

Stealthy execution through fileless techniques

Process hollowing is a technique that can hide malware within a legitimate system process. It replaces the contents of the legitimate process with malicious code. Detecting malicious code hidden using this method is not trivial, so process hollowing has become a prevalent technique used by malware today.

This method has the additional benefit of being fileless: the code can be run without actually being saved on the file system. Not only is it harder to detect the malicious code while it’s running, it’s harder to find useful forensics after the process has stopped.

To initiate process hollowing, the loader DLL targets two legitimate system processes, for example svchost.exe or nslookup.exe, and spawns them in a suspended state. The loader DLL replaces the contents of these processes with the first and second decrypted executables. These executables are monitoring services for maintaining Dexphot’s components. The now-malicious processes are released from suspension and run.

Next, the loader DLL targets the setup.exe file in SysWoW64. It removes setup.exe’s contents and replaces them with the third decrypted executable, a cryptocurrency miner. Although Dexphot always uses a cryptocurrency miner of some kind, it’s not always the same miner. It used different programs like XMRig and JCE Miner over the course of our research.

Persistence through regularly scheduled malware updates

The two monitoring services simultaneously check the status of all three malicious processes. Having dual monitoring services provides redundancy in case one of the monitoring processes is halted. If any of the processes are terminated, the monitors immediately identify the situation, terminate all remaining malicious processes, and re-infect the device. This forced update/re-infection process is started by a PowerShell command similar to the one below:

The monitoring components also detect freshly launched cmd.exe processes and terminate them promptly. As a final fail-safe, Dexphot uses schtasks.exe to create scheduled tasks, with the command below.

This persistence technique is interesting, because it employs two distinct MITRE ATT&CK techniques: Scheduled Task and Signed Binary Proxy Execution.

The scheduled tasks call msiexec.exe as a proxy to run the malicious code, much like how msiexec.exe was used during installation. Using msiexec.exe, a legitimate system process, can make it harder to trace the source of malicious activity.

Furthermore, the tasks allow Dexphot to conveniently update the payload from the web every time the tasks run. They automatically update all of Dexphot’s components, both upon system reboot as well as every 90 or 110 minutes while the system is running.

Dexphot also generates the names for the tasks at runtime, which means a simple block list of hardcoded task names will not be effective in preventing them from running. The names are usually in a GUID format, although after we released our first round of Dexphot-blocking protections, the threat authors began to use random strings.

The threat authors have one more evasion technique for these scheduled tasks: some Dexphot variants copy msiexec.exe to an arbitrary location and give it a random name, such as %AppData%\<random>.exe. This makes the system process running malicious code a literal moving target.

Polymorphism

Dexphot exhibits multiple layers of polymorphism across the binaries it distributes. For example, the MSI package used in the campaign contains different files, as shown in the table below. The MSI packages generally include a clean version of unzip.exe, a password-protected ZIP file, and a batch file that checks for currently installed antivirus products. However, the batch file is not always present, and the names of the ZIP files and Loader DLLs, as well as the password for extracting the ZIP file, all change from one package to the next.

In addition, the contents of each Loader DLL differs from package to package, as does the encrypted data included in the ZIP file. This leads to the generation of a different ZIP archive and, in turn, a unique MSI package, each time the attacker bundles the files together. Because of these carefully designed layers of polymorphism, a traditional file-based detection approach wouldn’t be effective against Dexphot.

 

MSI package ID MSI package contents Password for ZIP file Contents of encrypted ZIP
Unzip.exe name ZIP file name Batch file name Loader DLL file name Encrypted data name
MSI-1 ex.exe webUI.r0_ f.bat kjfhwehjkf IECache.dll bin.dat
MSI-2 ex.exe analog.tv f.bat ZvDagW kernel32.bin bin.dat
MSI-3 z.exe yandex.zip f.bat jeremy SetupUi.dll bin.dat
MSI-4 unzip.exe ERDNT.LOC.zip iso100 ERDNT.LOC data.bin
MSI-5 pck.exe mse.zip kika _steam.dll bin.dat
MSI-6 z.exe msi.zip arima ic64.dll bin.dat
MSI-7 z.exe mse.zip f.bat kika _steam.dll bin.dat
MSI-8 z.exe mse.zip kika _steam.dll bin.dat
MSI-9 z.exe yandex.zip f.bat jeremy SetupUi.dll bin.dat
MSI-10 hf.exe update.dat f.bat namr x32Frame.dll data.bin
MSI-11 z.exe yandex.zip f.bat jeremy SetupUi.dll bin.dat
MSI-12 unzip.exe PkgMgr.iso.zip pack PkgMgr.iso data.bin
MSI-13 ex.exe analog.tv f.bat kjfhwefkjwehjkf urlmon.7z bin.dat
MSI-14 ex.exe icon.ico f.bat ZDADW default.ocx bin.dat
MSI-15 hf.exe update.dat namr AvastFileRep.dll data.bin
MSI-16 pck.exe mse.zip f.bat kika _steam.dll bin.dat
MSI-17 z.exe mse.zip f.bat joft win2k.wim bin.dat
MSI-18 ex.exe plugin.cx f.bat ZDW _setup.ini bin.dat
MSI-19 hf.exe update.dat namr AvastFileRep.dll data.bin
MSI-20 ex.exe installers.msu f.bat 000cehjkf MSE.Engine.dll bin.dat
MSI-21 z.exe msi.zip f.bat arima ic64.dll bin.dat
MSI-22 z.exe archive00.x f.bat 00Jmsjeh20 chrome_watcher.dll bin.dat

A multitude of payload hosts

Besides tracking the files and processes that Dexphot uses to execute an attack, we have also been monitoring the domains used to host malicious payloads. The URLs used for hosting all follow a similar pattern. The domain address usually ends in a .info or .net TLD, while the file name for the actual payload consists of random characters, similar to the randomness previously seen being used to generate file names and scheduled tasks. Some examples from our research are shown in the table below.

 

Scheduled task name Download URL
hboavboja https://supe********709.info/xoslqzu.pdi
{C0B15B19-AB02-0A10-259B-1789B8BD78D6} https://fa*****r.com/jz5jmdouv4js.uoe
ytiazuceqeif https://supe********709.info/spkfuvjwadou.bbo
beoxlwayou https://rb*****.info/xgvylniu.feo
{F1B4C720-5A8B-8E97-8949-696A113E8BA5} https://emp*******winc.com/f85kr64p1s5k.naj
gxcxhbvlkie https://gu*****me.net/ssitocdfsiu.pef
{BE7FFC87-6635-429F-9F2D-CD3FD0E6DA51} https://sy*****.info/pasuuy/xqeilinooyesejou.oew
{0575F553-1277-FB0F-AF67-EB649EE04B39} https://sumb*******on.info/gbzycb.kiz
gposiiobhkwz https://gu*****me.net/uyuvmueie.hui
{EAABDEAC-2258-1340-6375-5D5C1B7CEA7F} https://refr*******r711.info/3WIfUntot.1Mb
zsayuuec https://gu*****me.net/dexaeuioiexpyva.dil
njibqhcq https://supe********709.info/aodoweuvmnamugu.fux
{22D36F35-F5C2-29D3-1CF1-C51AC19564A4} https://pr*****.info/ppaorpbafeualuwfx/hix.ayk
qeubpmnu https://gu*****me.net/ddssaizauuaxvt.cup
adeuuelv https://supe********709.info/tpneevqlqziee.okn
{0B44027E-7514-5EC6-CE79-26EB87434AEF} https://sy*****.info/huauroxaxhlvyyhp/xho.eqx
{5A29AFD9-63FD-9F5E-F249-5EC1F2238023} https://refr*******r711rb.info/s28ZXoDH4.78y
{C5C1D86D-44BB-8EAA-5CDC-26B37F92E411} https://fa*****r.com/rbvelfbflyvf.rws

Many of the URLs listed were in use for an extended period. However, the MSI packages hosted at each URL are frequently changed or updated. In addition, every few days more domains are generated to host more payloads. After a few months of monitoring, we were able to identify around 200 unique Dexphot domains.

Conclusion: Dynamic, comprehensive protection against increasingly complex everyday threats

Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.

To combat threats, several next-generation protection engines in Microsoft Defender Advanced Threat Protection’s antivirus component detect and stop malicious techniques at multiple points along the attack chain. For Dexphot, machine learning-based detections in the cloud recognize and block the DLLs loaded by rundll32.exe, stopping the attack chain in its early stages. Memory scans detect and terminate the loading of malicious code hidden by process hollowing — including the monitoring processes that attempt to update the malware code and re-infect the machine via PowerShell commands.

Behavioral blocking and containment capabilities are especially effective in defeating Dexphot’s fileless techniques, detection evasion, and persistence mechanisms, including the periodic and boot-time attempts to update the malware via scheduled tasks. As mentioned, given the complexity of the attack chain and of Dexphot’s persistence methods, we released a remediation solution that prevents re-infection by removing artifacts.

Microsoft Defender ATP solutions for Dexphot attack

The detection, blocking, and remediation of Dexphot on endpoints are exposed in Microsoft Defender Security Center, where Microsoft Defender ATP’s rich capabilities like endpoint detection and response, automated investigation and remediation, and others enable security operations teams to investigate and remediate attacks in enterprise environments. With these capabilities, Microsoft Defender ATP provides comprehensive protection against Dexphot and the countless other complex and evolving threats that we face every day.

 

Sample indicators of compromise (IoCs)

Installer (SHA-256):
72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f

MSI files (SHA-256):
22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3
65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a
ba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88

Loader DLLs  (SHA-256):
537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e
504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5
aa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152

 

 

 

Hazel Kim

Microsoft Defender ATP Research Team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

 

The post Insights from one year of tracking a polymorphic threat appeared first on Microsoft Security.

Going in-depth on the Windows 10 random number generation infrastructure

November 25th, 2019 No comments

Throughout the years, we’ve had ongoing conversations with researchers, developers, and customers around our implementation of certain security features within the Windows operating system. Most recently, we have open-sourced our cryptography libraries as a way to contribute and show our continued support to the security community

For our most recent contribution, we have decided to go in-depth on our implementation of pseudo-random number generation in Windows 10.

We are happy to release to the public The Windows 10 random number generation infrastructure white paper.

This whitepaper explores details about the Windows 10 pseudo-random number generator (PRNG) infrastructure, and lists the primary RNG APIs. The whitepaper also explains how the entropy system works, what the entropy sources are, and how initial seeding works.

We expect academic and security researchers, as well as operating system developers and people with an in-depth understanding of random number generation, to get the most value out of this whitepaper. Note: Some of the terminology used in this whitepaper assumes prior knowledge of random number generators and entropy collection terms.

We welcome and look forward to your feedback on this whitepaper and the technologies it describes in the comments below. We also appreciate any reports of security vulnerabilities that you may find in our implementation.

 

The post Going in-depth on the Windows 10 random number generation infrastructure appeared first on Microsoft Security.

Rethinking cyber learning—consider gamification

November 25th, 2019 No comments

As promised, I’m back with a follow-up to my recent post, Rethinking how we learn security, on how we need modernize the learning experience for cybersecurity professionals by gamifying training to make learning fun. Some of you may have attended the recent Microsoft Ignite events in Orlando and Paris. I missed the conferences (ironically, due to attending a cybersecurity certification boot camp) but heard great things about the Microsoft/Circadence joint Into the Breach capture the flag exercise.

If you missed Ignite, we’re planning several additional Microsoft Ignite The Tour events around the world, where you’ll be able to try your hand at this capture the flag experience. Look for me at the Washington, DC event in early February.

In the meantime, due to the great feedback I received from my previous blog—which I do really appreciate, especially if you have ideas for how we should tackle the shortage of cyber professionals—I’ll be digging deeper into the mechanics of learning to understand what it really takes to learn cyber in today’s evolving landscape.

Today, I want to address the important questions of how a new employee could actually ramp up their learning, and how employers can prepare employees for success and track the efficacy of the learning curriculum. Once again, I’m pleased to share this post with Keenan Skelly, chief evangelist at Boulder, Colorado-based Circadence.

Here are some of some of her recommendations from our Q&A:

Q: Keenan, in our last blog, you discussed Circadence’s “Project Ares” cyber learning platform. How do new cyber practitioners get started on Project Ares?

A: The way that Project Ares is set up allows for a user to acquire a variety of different skill levels when launched. It’s important to understand what kind of work roles you’re looking to learn about as a user as well as what kinds of tools you’re looking to understand better before you get started on Project Ares. For example, if I were to take some of my Girls Who Code or Cyber Patriot students and put them into the platform, I would probably have them start in the Battle School. This is where they’re going to learn about basic cybersecurity fundamentals such as ports and protocols, regular expressions, and the cyber kill chain. Then they can transition into Battle Rooms, where they’ll start to learn about very specific tools, tactics, and procedures or TTPs, for a variety of different work roles. If you’re a much more skilled cyber ninja, however, you can probably go ahead and get right into Missions, but we do recommend that everyone who comes into Project Ares does some work in the Battle Rooms first, specifically if they are trying to learn a tool or a skill for their work role.

Project Ares also has a couple of different routes that an expert or an enterprising cybersecurity professional can come into that’s really focused more on their role. For example, we have an assessments area based entirely on the work role. This aligns to the NIST framework and the NICE cybersecurity work roles. For example, if you’re a network defender, you can come into that assessment pathway and have steps laid out before you to identify your skill level in that role as you see below:

Assessment pathway.

Q: What areas within Project Ares do you recommend for enterprise cyber professionals to train against role-based job functions and prepare for cyber certifications?

A: You might start with something simple like understanding very basic things about your work role through a questionnaire in the Battle School arena as seen in the illustrations below. You may then move into a couple of Battle Rooms that tease out very detailed skills in tools that you would be using for that role. And then eventually you’ll get to go into a mission by yourself, and potentially a mission with your entire team to really certify that you are capable in that work role. All this practice helps prepare professionals to take official cyber certifications and exams.

Battle School questionnaire.

Battle School mission.

Q: Describe some of the gamification elements in Project Ares and share how it enhances cyber learning.

A: One of the best things about Project Ares is gamification. Everyone loves to play games, whether it’s on your phone playing Angry Birds, or on your computer or gaming console. So we really tried to put a lot of gaming elements inside Project Ares. Since everything is scored within Project Ares, everything you do from learning about ports and protocols, to battle rooms and missions, gives you experience points. Experience points add up to skill badges. All these things make learning more fun for the user. For example, if you’re a defender, you might have skill badges in infrastructure, network design, network defense, etc. And the way Project Ares is set up, once you have a certain combination of those skill badges you can earn a work role achievement certificate within Project Ares.

This kind of thing is taken very much from Call of Duty and other types of games where you can really build up your skills by doing a very specific skill-based activity and earn points towards badges. One of the other things that is great about Project Ares is it’s quite immersive. For example, Missions allows a user to come into a specific cyber situation or cyber response situation (e.g., water treatment plant cyberattack) and have multimedia effects that demonstrate what is going—very much reflective of that cool guy video look. Being able to talk through challenges in the exercises with our in-game advisor, Athena, adds another element to the learning experience as shown in the illustration below.

Athena was inspired by the trends of personal assistants like Cortana and other such AI-bots, which have been integrated into games. So things like chat bots, narrative storylines, and skill badges are super important for really immersing the individual in the process. It’s so much more fun, and easier to learn things in this way, as opposed to sitting through a static presentation or watching someone on a video and trying to learn the skill passively.

Athena—the in-game advisor.

Q: What kinds of insights and reporting capability can Project Ares deliver to cyber team supervisors and C-Suite leaders to help them assessing cyber readiness?

A: Project Ares offers a couple great features that are good for managers, all the way up to the C-Suite, who are trying to understand how their cybersecurity team is doing. The first one is called Project Ares Trainer View. This is where a supervisor or manager can jump into the Project Ares environment, with the students or with the enterprise team members, and observe in a couple of different ways.

The instructor or the manager can jump into the environment as Athena, so the user doesn’t know that they are there. They can then provide additional insight or help that is needed to a student. A supervisor or leader can also jump in as the opponent, which gives them the ability to see someone who is just breezing by everything and maybe make it a little more challenging. Or they can just observe and leave comments for the individuals. This piece is really helpful when we’re talking about managers who are looking to understand their team’s skill level in much more detail.

The other piece of this is a product we have coming out soon called Dendrite—an analytics tool that looks at everything that happens at Project Ares. We record all the key strokes and chats a user had with Athena or any with other team members while in a mission or battle room. Cyber team leads can then see what’s going on. Users can see what they’re doing well, and not doing well. This feedback can be provided up to the manager level, the senior manager level, and even to the C-Suite level to demonstrate exactly where that individual is in their particular skill path. It helps the cyber team leads understand what tools are being used appropriately and which tools are not being used appropriately.

For example, if you’re a financial institution and you paid quite a bit of money for Tanium, but upon viewing tool use in Dendrite, you find that no one is using it. It might prompt you to rethink your strategy on how to use tools in your organization or look at how you train your folks to use those tools. These types of insights are absolutely critical if you want to understand the best way to grow the individual in cybersecurity and make sure they’re really on top of their game.

The Dendrite assessment and analysis solution.

Q: How can non-technical employees improve their cyber readiness?

A: At Circadence, we don’t just provide learning capabilities for advanced cyber warriors. For mid-range people just coming into the technical side of cybersecurity, we have an entire learning path that starts with a product called inCyt. Now, inCyt is a very fun browser-based game of strategy where players have some hackable devices they must protect—like operating systems and phones. Meanwhile, your opponent has the same objective: protect their devices from attacks. Players continually hack each other by gathering intel on their opponent and then launching different cyberattacks. While they’re doing this, players get a fundamental understanding of the cyber kill chain. They learn things like what reconnaissance means to a hacker, what weaponizing means to a hacker, what deploying that weapon means to a hacker, so they can start to recognize that behavior in their everyday interactions online.

Some people ask why this is important and I always say, “I used to be a bomb technician, and there is no possible way I could defuse an IED or nuclear weapon without understanding how those things are put together.” It’s the same kind of concept.

It’s impossible to assume that someone is going to learn cyber awareness by answering some questions or watching a five-minute phishing tutorial after they have already clicked a link in a suspicious email. Those are very reactive ways of learning cyber. inCyt is very proactive. And we want to teach you in-depth understanding of what to look for, not just for phishing but for all the attacks we’re susceptible to. inCyt is also being used by some of our customers as a preliminary gate track for those who are interested in cybersecurity. So if you demonstrate a very high aptitude within inCyt, we would send you over to our CyberBridge portal where you can start learning some of the basics of cybersecurity to see if it might be the right field for you. Within our CyberBridge access management portal, you can then go into Project Ares Academy, which is just a lighter version of Project Ares.

Professional and Enterprise licenses in Project Ares pave more intricate learning pathways for people to advance in learning, from novice to expert cyber defender. You’ll be able to track all metrics of where you started, how far you came, what kind of skill path you’re on, and what kind of skill path you want to be on. Very crucial items for your own work role pathway.

How to close the cybersecurity talent gap

Keenan’s perspective and the solution offered by Project Ares really helps to understand how to train security professionals and give them the hands-on experience they require and want. We’re in interesting times, right? With innovations in machine learning and artificial intelligence (AI), we’re increasingly able to pivot from reactive cyber defense to get more predictive. Still, right now we’re facing a cybersecurity talent gap of up to 4 million people, depending on which analyst group you follow. The only way that we’re going to get folks interested in cybersecurity is to make it exactly what we have been talking about: a career-long opportunity to learn.

Make it something that they can attain, they can grow in, and see themselves going from a novice to a leader in an organization. This is tough right now because there are relatively few cybersecurity operators compared to demand, and the operators on the front lines are subject to burnout. With uncertain and undefined career paths beyond tactical SecOps, what is there to look forward to?

We need to get better as a community in cybersecurity, not only protect the cybersecurity defenders that we have already, but also help to bring in new cybersecurity defenders and offenders who are really going to push the boundaries of where we’re at today. This is where we have an excellent and transformational opportunity to introduce more immersive and gamified learning to improve the learning experience and put our people in a position to succeed.

Learn more

To learn more about how to close the cybersecurity talent gap, read the e-book: CISO essentials: How to optimize recruiting while strengthening cybersecurity. For more information on Microsoft intelligence security solutions, see Achieve an optimal state of Zero Trust.

You can also watch my full interview with Keenan.

Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Rethinking cyber learning—consider gamification appeared first on Microsoft Security.

The new CVE-2019-0708 RDP exploit attacks, explained

November 7th, 2019 No comments

On November 2, 2019, security researcher Kevin Beaumont reported that his BlueKeep honeypot experienced crashes and was likely being exploited. Microsoft security researchers collaborated with Beaumont as well as another researcher, Marcus Hutchins, to investigate and analyze the crashes and confirm that they were caused by a BlueKeep exploit module for the Metasploit penetration testing framework.

BlueKeep is what researchers and the media call CVE-2019-0708, an unauthenticated remote code execution vulnerability in Remote Desktop Services on Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft released a security fix for the vulnerability on May 14, 2019.

While similar vulnerabilities have been abused by worm malware in the past, initial attempts at exploiting this vulnerability involved human operators aiming to penetrate networks via exposed RDP services.

Microsoft had already deployed a behavioral detection for the BlueKeep Metasploit module in early September, so Microsoft Defender ATP customers had protection from this Metasploit module by the time it was used against Beaumont’s honeypot. The module, which appears to be unstable as evidenced by numerous RDP-related crashes observed on the honeypot, triggered the behavioral detection in Microsoft Defender ATP, resulting in the collection of critical signals used during the investigation.

Microsoft security signals showed an increase in RDP-related crashes that are likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines. We saw:

  • An increase in RDP service crashes from 10 to 100 daily starting on September 6, 2019, when the Metasploit module was released
  • A similar increase in memory corruption crashes starting on October 9, 2019
  • Crashes on external researcher honeypots starting on October 23, 2019

Figure 1. Increase in RDP-related service crashes when the Metasploit module was released

Coin miner campaign using BlueKeep exploit

After extracting indicators of compromise and pivoting to various related signal intelligence, Microsoft security researchers found that an earlier coin mining campaign in September used a main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign, which, in cases where the exploit did not cause the system to crash, was also observed installing a coin miner. This indicated that the same attackers were likely responsible for both coin mining campaigns—they have been actively staging coin miner attacks and eventually incorporated the BlueKeep exploit into their arsenal.

Our machine learning models flagged the presence of the coin miner payload used in these attacks on machines in France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom, and many other countries.

Figure 2. Geographic distribution of coin miner encounters

​These attacks were likely initiated as port scans for machines with vulnerable internet-facing RDP services. Once attackers found such machines, they used the BlueKeep Metasploit module to run a PowerShell script that eventually downloaded and launched several other encoded PowerShell scripts.

Figure 3. Techniques and components used in initial attempts to exploit BlueKeep

We pieced together the behaviors of the PowerShell scripts using mostly memory dumps. The following script activities have also been discussed in external researcher blogs:

  1. Initial script downloaded another encoded PowerShell script from an attacker-controlled remote server (5.135.199.19) hosted somewhere in France via port 443.
  2. The succeeding script downloaded and launched a series of three to four other encoded PowerShell scripts.
  3. The final script eventually downloaded the coin miner payload from another attacker-controlled server (109.176.117.11) hosted in Great Britain.
  4. Apart from downloading the payload, the final script also created a scheduled task to ensure the coin miner stayed persistent.​

Figure 4. Memory dump of a PowerShell script used in the attacks

The final script saved the coin miner as the following file:

C:\Windows\System32\spool\svchost.exe

The coin miner connected to command-and-control infrastructure at 5.100.251.106 hosted in Israel. Other coin miners deployed in earlier campaigns that did not exploit BlueKeep also connected to this same IP address.

Defending enterprises against BlueKeep

Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.

The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.

To this end, Microsoft customers can use the rich capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to gain visibility on exploit activities and defend networks against attacks. On top of the behavior-based antivirus and endpoint detection and response (EDR) detections, we released a threat analytics report to help security operations teams to conduct investigations specific to this threat. We also wrote advanced hunting queries that customers can use to search for multiple components of the attack.

 

The post The new CVE-2019-0708 RDP exploit attacks, explained appeared first on Microsoft Security.

Azure Sentinel updates: Improve your security operations with innovations from a cloud-native SIEM

November 5th, 2019 No comments

Just a month ago, I communicated the details about Azure Sentinel reaching general availability. Since then, many customers have shared how Azure Sentinel has empowered their teams to be nimble and more efficient. ASOS, one of the largest online fashion retailers, is an excellent example of this. Using Azure Sentinel, ASOS has created a bird’s-eye view of everything it needs to spot threats early, allowing it to safeguard its business and its customers proactively. As a result, it has cut issue resolution times in half.

“Sentinel has helped improve the efficiency of our security operations by allowing us to quickly consolidate a large number of disparate security and contextual data sources.”
—George Mudie, Chief Information Security Officer, ASOS

Learn more about how ASOS has benefitted from Azure Sentinel.

I am thrilled to come back and share new features available in preview starting this week. These new features highlight continued innovation and progress towards our goal of empowering defenders to do more.

Azure Sentinel

Intelligent security analytics for your entire enterprise.


Learn more

Collect data from more sources with built-in connectors

Azure Sentinel enables you to collect security data across different sources, including Azure, on-premises solutions, and across clouds. Many built-in connectors are available to simplify integration, and new ones are being added continually. Connectors recently introduced by Zscaler, F5, Barracuda, Citrix, ExtraHop, One Identity, and Trend Micro make it easy to collect relevant data and use built-in workbooks and queries to gain insight into data from these solutions. Read more information on the Connect data sources page.

Screenshot showing Azure Sentinel data connectors.

Accelerate threat hunting with new capabilities

The work of threat hunters gets much easier with the addition of built-in hunting queries for Linux and network events. These queries, developed by Microsoft security researchers and community experts, provide a starting point to look for suspicious activity. You can customize hunting queries with the help of IntelliSense and bookmark interesting results for further investigation or sharing with fellow analysts. View the bookmarks alongside alerts in the Investigation graph and make them part of an incident.

You can now receive an Azure notification when there are new results on a query using the hunting livestream. Promote the livestream query to an Analytic rule if you want to make it part of your incident response workflow.

Image showing an Azure Sentinel threat hunting dash.

In addition, you can now launch Azure Notebooks directly from Azure Sentinel, making it easy to create and execute Jupyter notebooks to analyze your data. Notebooks combine live code, graphics, visualizations, and text, making them a valuable tool for threat hunters. Choose from a built-in gallery of notebooks developed by Microsoft security researchers or import others from GitHub to get started. These notebooks are the same professional-strength hunting solutions Microsoft’s threat hunters use every day.

Image showing Azure Sentinel notebooks, now in preview.

Connect threat intelligence sources using STIX/TAXII

The existing Threat Intelligence Platforms data connector allows you to integrate threat indicators from a variety of sources for use with Azure Sentinel analytics, hunting, and workbooks. A new Threat Intelligence TAXII connector will add support for threat indicator feeds from open source threat intelligence (OSINT) and threat intelligence platforms supporting this standard protocol and STIX data format. Once your threat intelligence sources are connected, you can:

  • Use built-in analytics or create your own rules to generate alerts and incidents when events match your threat indicators.
  • Track the health of your threat intelligence pipeline and gain insights into alerts generated with threat intelligence using built-in threat intelligence workbooks.
  • Correlate threat intelligence with event data via hunting queries to add contextual insights to your investigations.
  • Investigate anomalies and hunt for malicious behaviors in Azure Notebooks.

Screenshot showing Azure Sentinel data connectors.

Tap into Microsoft threat intelligence

Microsoft has an unparalleled view of the evolving threat landscape informed by analyzing trillions of signals from its cloud customers, services, and infrastructure. And now, Azure Sentinel customers can begin to leverage this intelligence to detect threats in their data. The first of these built-in detections matches Microsoft URL threat intelligence with new CEF logs (for example, from Palo Alto Networks or Zscaler). Retrospective lookbacks that match URL threat intelligence with historical event data will also be coming soon.

When a match is found, an alert is generated and an incident is created to enable further investigation. The matched indicator is also added to the Threat Intelligence Indicator table, which can be used just like any other indicator. Sign up for the Microsoft Cloud + AI Security Preview Program to enable these detections today, and keep an eye out for new matches coming soon.

Image showing phishing threats detected by Azure Sentinel.

Automatically detonate URLs to speed investigation

Azure Sentinel customers can now use the power of URL detonation to enrich alerts and discover threats related to malicious URLs. When creating scheduled alerts, any URL data in the query results can map to a new URL entity type. Whenever an alert containing a URL entity is generated, the mapped URL is automatically detonated, and the investigation graph is immediately enriched with the detonation results. A verdict, final URL, and screenshot (especially useful for identifying phishing) can be used to quickly assess a potential threat. As a quick tip, when ingesting data from an IDS or IPS, enable threat logging to log URL data. You can try this feature during the preview at no cost.

Image showing an investigation conducted using a Palo Alto Alert Rule.

Integrate with ticketing and security management solutions

New Microsoft Graph Security API integrations enable you to sync alerts from Azure Sentinel, as well as other Microsoft solutions, with ticketing and security management solutions such as ServiceNow. You can learn more by reading the Microsoft Graph Security API overview page.

Get started with Azure Sentinel and the new features

It’s easy to get started. You can access the latest public preview features in the Azure Sentinel dashboard today. If you’re not using Azure Sentinel, we welcome you to start a trial.

We collaborated with strategic partners to help you quickly design, implement, and operationalize your security operations using Azure Sentinel.

Partners including Accenture, Avanade, Ascent, DXC Technology, EY Global, KPMG, Infosys, Insight, Optiv, PwC, Trustwave, and Wipro are now offering a variety of services from architecture, deployment, and consultancy to a fully managed security service.

We have a lot of information available to help you, from great documentation to connecting with us via Yammer and email.

Visit us at Microsoft Ignite 2019

I will be joining many of our team members at Microsoft Ignite. Please stop by the Azure Sentinel booth. We would love to meet you.

You can also get more information on SIEM strategies and Azure Sentinel in many of the sessions at Ignite:

Looking forward to meeting you all at Ignite!

Microsoft Ignite

Join us online November 4–8, 2019 to livestream keynotes, watch selected sessions on-demand, and more.


Learn more

The post Azure Sentinel updates: Improve your security operations with innovations from a cloud-native SIEM appeared first on Microsoft Security.

Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise

October 28th, 2019 No comments

Microsoft Threat Experts is the managed threat hunting service within Microsoft Defender Advanced Threat Protection (ATP) that includes two capabilities: targeted attack notifications and experts on demand.

Today, we are extremely excited to share that experts on demand is now generally available and gives customers direct access to real-life Microsoft threat analysts to help with their security investigations.

With experts on demand, Microsoft Defender ATP customers can engage directly with Microsoft security analysts to get guidance and insights needed to better understand, prevent, and respond to complex threats in their environments. This capability was shaped through partnership with multiple customers across various verticals by investigating and helping mitigate real-world attacks. From deep investigation of machines that customers had a security concern about, to threat intelligence questions related to anticipated adversaries, experts on demand extends and supports security operations teams.

The other Microsoft Threat Experts capability, targeted attack notifications, delivers alerts that are tailored to organizations and provides as much information as can be quickly delivered to bring attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion. Together, the two capabilities make Microsoft Threat Experts a comprehensive managed threat hunting solution that provides an additional layer of expertise and optics for security operations teams.

Experts on the case

By design, the Microsoft Threat Experts service has as many use cases as there are unique organizations with unique security scenarios and requirements. One particular case showed how an alert in Microsoft Defender ATP led to informed customer response, aided by a targeted attack notification that progressed to an experts on demand inquiry, resulting in the customer fully remediating the incident and improving their security posture.

In this case, Microsoft Defender ATP endpoint protection capabilities recognized a new malicious file in a single machine within an organization. The organization’s security operations center (SOC) promptly investigated the alert and developed the suspicion it may indicate a new campaign from an advanced adversary specifically targeting them.

Microsoft Threat Experts, who are constantly hunting on behalf of this customer, had independently spotted and investigated the malicious behaviors associated with the attack. With knowledge about the adversaries behind the attack and their motivation, Microsoft Threat Experts sent the organization a bespoke targeted attack notification, which provided additional information and context, including the fact that the file was related to an app that was targeted in a documented cyberattack.

To create a fully informed path to mitigation, experts pointed to information about the scope of compromise, relevant indicators of compromise, and a timeline of observed events, which showed that the file executed on the affected machine and proceeded to drop additional files. One of these files attempted to connect to a command-and-control server, which could have given the attackers direct access to the organization’s network and sensitive data. Microsoft Threat Experts recommended full investigation of the compromised machine, as well as the rest of the network for related indicators of attack.

Based on the targeted attack notification, the organization opened an experts on demand investigation, which allowed the SOC to have a line of communication and consultation with Microsoft Threat Experts. Microsoft Threat Experts were able to immediately confirm the attacker attribution the SOC had suspected. Using Microsoft Defender ATP’s rich optics and capabilities, coupled with intelligence on the threat actor, experts on demand validated that there were no signs of second-stage malware or further compromise within the organization. Since, over time, Microsoft Threat Experts had developed an understanding of this organization’s security posture, they were able to share that the initial malware infection was the result of a weak security control: allowing users to exercise unrestricted local administrator privilege.

Experts on demand in the current cybersecurity climate

On a daily basis, organizations have to fend off the onslaught of increasingly sophisticated attacks that present unique security challenges in security: supply chain attacks, highly targeted campaigns, hands-on-keyboard attacks. With Microsoft Threat Experts, customers can work with Microsoft to augment their security operations capabilities and increase confidence in investigating and responding to security incidents.

Now that experts on demand is generally available, Microsoft Defender ATP customers have an even richer way of tapping into Microsoft’s security experts and get access to skills, experience, and intelligence necessary to face adversaries.

Experts on demand provide insights into attacks, technical guidance on next steps, and advice on risk and protection. Experts can be engaged directly from within the Microsoft Defender Security Center, so they are part of the existing security operations experience:

We are happy to bring experts on demand within reach of all Microsoft Defender ATP customers. Start your 90-day free trial via the Microsoft Defender Security Center today.

Learn more about Microsoft Defender ATP’s managed threat hunting service here: Announcing Microsoft Threat Experts.

 

 

The post Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise appeared first on Microsoft Security.

Microsoft and partners design new device security requirements to protect against targeted firmware attacks

October 21st, 2019 No comments

Recent developments in security research and real-world attacks demonstrate that as more protections are proactively built into the OS and in connected services, attackers are looking for other avenues of exploitation with firmware emerging as a top target. In the last three years alone, NIST’s National Vulnerability Database has shown nearly a five-fold increase in the number of firmware vulnerabilities discovered.

To combat threats specifically targeted at the firmware and operating system levels, we’re announcing a new initiative we’ve been working on with partners to design what we call Secured-core PCs. These devices, created in partnership with our PC manufacturing and silicon partners, meet a specific set of device requirements that apply the security best practices of isolation and minimal trust to the firmware layer, or the device core, that underpins the Windows operating system. These devices are designed specifically for industries like financial services, government and healthcare, and for workers that handle highly-sensitive IP, customer or personal data, including PII as these are higher value targets for nation-state attackers.

 

In late 2018, security researchers discovered that hacking group, Strontium has been using firmware vulnerabilities to target systems in the wild with malware delivered through a firmware attack. As a result, the malicious code was hard to detect and difficult to remove – it could persist even across common cleanup procedures like an OS re-install or a hard drive replacement.

Why attackers and researchers are devoting more effort toward firmware

Firmware is used to initialize the hardware and other software on the device and has a higher level of access and privilege than the hypervisor and operating system kernel thereby making it an attractive target for attackers. Attacks targeting firmware can undermine mechanisms like secure boot and other security functionality implemented by the hypervisor or operating system making it more difficult to identify when a system or user has been compromised. Compounding the problem is the fact that endpoint protection and detection solutions have limited visibility at the firmware layer given that they run underneath of the operating system, making evasion easier for attackers going after firmware.

What makes a Secured-core PC?

Secured-core PCs combine identity, virtualization, operating system, hardware and firmware protection to add another layer of security underneath the operating system. Unlike software-only security solutions, Secured-core PCs are designed to prevent these kinds of attacks rather than simply detecting them. Our investments in Windows Defender System Guard and Secured-core PC devices are designed to provide the rich ecosystem of Windows 10 devices with uniform assurances around the integrity of the launched operating system and verifiable measurements of the operating system launch to help mitigate against threats taking aim at the firmware layer. These requirements enable customers to boot securely, protect the device from firmware vulnerabilities, shield the operating system from attacks, prevent unauthorized access to devices and data, and ensure that identity and domain credentials are protected.

The built-in measurements can be used by SecOps and IT admins to remotely monitor the health of their systems using System Guard runtime attestation and implement a zero-trust network rooted in hardware. This advanced firmware security works in concert with other Windows features to ensure that Secured-core PCs provide comprehensive protections against modern threats.

 

Removing trust from the firmware

Starting with Windows 8, we introduced Secure Boot to mitigate the risk posed by malicious bootloaders and rootkits that relied on Unified Extensible Firmware Interface (UEFI) firmware to only allow properly signed bootloaders like the Windows boot manager to execute. This was a significant step forward to protect against these specific types of attacks. However, since firmware is already trusted to verify the bootloaders, Secure Boot on its own does not protect from threats that exploit vulnerabilities in the trusted firmware. That’s why we worked with our partners to ensure these new Secured-core capabilities are shipped in devices right out of the box.

Using new hardware capabilities from AMD, Intel, and Qualcomm, Windows 10 now implements System Guard Secure Launch as a key Secured-core PC device requirement to protect the boot process from firmware attacks. System Guard uses the Dynamic Root of Trust for Measurement (DRTM) capabilities that are built into the latest silicon from AMD, Intel, and Qualcomm to enable the system to leverage firmware to start the hardware and then shortly after re-initialize the system into a trusted state by using the OS boot loader and processor capabilities to send the system down a well-known and verifiable code path. This mechanism helps limit the trust assigned to firmware and provides powerful mitigation against cutting-edge, targeted threats against firmware. This capability also helps to protect the integrity of the virtualization-based security (VBS) functionality implemented by the hypervisor from firmware compromise. VBS then relies on the hypervisor to isolate sensitive functionality from the rest of the OS which helps to protect the VBS functionality from malware that may have infected the normal OS even with elevated privileges. Protecting VBS is critical since it is used as a building block for important OS security capabilities like Windows Defender Credential Guard which protects against malware maliciously using OS credentials and Hypervisor-protected Code Integrity (HVCI) which ensures that a strict code integrity policy is enforced and that all kernel code is signed and verified.

 

Being able to measure that the device booted securely is another critical piece of this additional layer of protection from firmware compromise that gives admins added confidence that their endpoints are safe. That’s why we implemented Trusted Platform Module 2.0 (TPM) as one of the device requirements for Secured-core PCs. By using the Trusted Platform Module 2.0 (TPM) to measure the components that are used during the secure launch process, we help customers enable zero trust networks using System Guard runtime attestation. Conditional access policies can be implemented based on the reports provided by the System Guard attestation client running in the isolated VBS environment.

In addition to the Secure Launch functionality, Windows implements additional safeguards that operate when the OS is running to monitor and restrict the functionality of potentially dangerous firmware functionality accessible through System Management Mode (SMM).

Beyond the hardware protection of firmware featured in Secured-core PCs, Microsoft recommends a defense-in-depth approach including security review of code, automatic updates, and attack surface reduction. Microsoft has provided an open-source firmware project called Project-Mu that PC manufactures can use as a starting point for secure firmware.

How to get a Secured-core PC

Our ecosystem partnerships have enabled us to add this additional layer of security in devices that are designed for highly-targeted industries and end-users who handle mission-critical data in some of the most data-sensitive industries like government, financial services, and healthcare, right-out-of-the-box. These innovations build on the value of Windows 10 Pro that comes with built-in protections like firewall, secure boot, and file-level information-loss protection which are standard on every device.

More information on devices that are verified Secured-core PC including those from Dell, Dynabook, HP, Lenovo, Panasonic and Surface can be found on our web page.

 

David Weston (@dwizzzleMSFT)
Partner Director, OS Security

The post Microsoft and partners design new device security requirements to protect against targeted firmware attacks appeared first on Microsoft Security.

Top 6 email security best practices to protect against phishing attacks and business email compromise

October 16th, 2019 No comments

Most cyberattacks start over email—a user is tricked into opening a malicious attachment, or into clicking a malicious link and divulging credentials, or into responding with confidential data. Attackers dupe victims by using carefully crafted emails to build a false sense of trust and/or urgency. And they use a variety of techniques to do this—spoofing trusted domains or brands, impersonating known users, using previously compromised contacts to launch campaigns and/or using compelling but malicious content in the email. In the context of an organization or business, every user is a target and, if compromised, a conduit for a potential breach that could prove very costly.

Whether it’s sophisticated nation-state attacks, targeted phishing schemes, business email compromise or a ransomware attacks, such attacks are on the rise at an alarming rate and are also increasing in their sophistication. It is therefore imperative that every organization’s security strategy include a robust email security solution.

So, what should IT and security teams be looking for in a solution to protect all their users, from frontline workers to the C-suite? Here are 6 tips to ensure your organization has a strong email security posture:

You need a rich, adaptive protection solution.

As security solutions evolve, bad actors quickly adapt their methodologies to go undetected. Polymorphic attacks designed to evade common protection solutions are becoming increasingly common. Organizations therefore need solutions that focus on zero-day and targeted attacks in addition to known vectors. Purely standards based or known signature and reputation-based checks will not cut it.

Solutions that include rich detonation capabilities for files and URLs are necessary to catch payload-based attacks. Advanced machine learning models that look at the content and headers of emails as well as sending patterns and communication graphs are important to thwart a wide range of attack vectors including payload-less vectors such as business email compromise. Machine learning capabilities are greatly enhanced when the signal source feeding it is broad and rich; so, solutions that boast of a massive security signal base should be preferred. This also allows the solution to learn and adapt to changing attack strategies quickly which is especially important for a rapidly changing threat landscape.

Complexity breeds challenges. An easy-to-configure-and-maintain system reduces the chances of a breach.

Complicated email flows can introduce moving parts that are difficult to sustain. As an example, complex mail-routing flows to enable protections for internal email configurations can cause compliance and security challenges. Products that require unnecessary configuration bypasses to work can also cause security gaps. As an example, configurations that are put in place to guarantee delivery of certain type of emails (eg: simulation emails), are often poorly crafted and exploited by attackers.

Solutions that protect emails (external and internal emails) and offer value without needing complicated configurations or emails flows are a great benefit to organizations. In addition, look for solutions that offer easy ways to bridge the gap between the security teams and the messaging teams. Messaging teams, motivated by the desire to guarantee mail delivery, might create overly permissive bypass rules that impact security. The sooner these issues are caught the better for overall security. Solutions that offer insights to the security teams when this happens can greatly reduce the time taken to rectify such flaws thereby reducing the chances of a costly breach

A breach isn’t an “If”, it’s a “When.” Make sure you have post-delivery detection and remediation.

No solution is 100% effective on the prevention vector because attackers are always changing their techniques. Be skeptical of any claims that suggest otherwise. Taking an ‘assume breach’ mentality will ensure that the focus is not only on prevention, but on efficient detection and response as well. When an attack does go through the defenses it is important for security teams to quickly detect the breach, comprehensively identify any potential impact and effectively remediate the threat.

Solutions that offer playbooks to automatically investigate alerts, analyze the threat, assess the impact, and take (or recommend) actions for remediations are critical for effective and efficient response. In addition, security teams need a rich investigation and hunting experience to easily search the email corpus for specific indicators of compromise or other entities. Ensure that the solution allows security teams to hunt for threats and remove them easily.
Another critical component of effective response is ensuring that security teams have a good strong signal source into what end users are seeing coming through to their inbox. Having an effortless way for end users to report issues that automatically trigger security playbooks is key.

Your users are the target. You need a continuous model for improving user awareness and readiness.

An informed and aware workforce can dramatically reduce the number of occurrences of compromise from email-based attacks. Any protection strategy is incomplete without a focus on improving the level of awareness of end users.

A core component of this strategy is raising user awareness through Phish simulations, training them on things to look out for in suspicious emails to ensure they don’t fall prey to actual attacks. Another, often overlooked, but equally critical, component of this strategy, is ensuring that the everyday applications that end-users use are helping raise their awareness. Capabilities that offer users relevant cues, effortless ways to verify the validity of URLs and making it easy to report suspicious emails within the application — all without compromising productivity — are very important.

Solutions that offer Phish simulation capabilities are key. Look for deep email-client-application integrations that allow users to view the original URL behind any link regardless of any protection being applied. This helps users make informed decisions. In addition, having the ability to offer hints or tips to raise specific user awareness on a given email or site is also important. And, effortless ways to report suspicious emails that in turn trigger automated response workflows are critical as well.

Attackers meet users where they are. So must your security.

While email is the dominant attack vector, attackers and phishing attacks will go where users collaborate and communicate and keep their sensitive information. As forms of sharing, collaboration and communication other than email, have become popular, attacks that target these vectors are increasing as well. For this reason, it is important to ensure that an organization’s anti-Phish strategy not just focus on email.

Ensure that the solution offers targeted protection capabilities for collaboration services that your organization uses. Capabilities like detonation that scan suspicious documents and links when shared are critical to protect users from targeted attacks. The ability in client applications to verify links at time-of-click offers additional protection regardless of how the content is shared with them. Look for solutions that support this capability.

Attackers don’t think in silos. Neither can the defenses.

Attackers target the weakest link in an organization’s defenses. They look for an initial compromise to get in, and once inside will look for a variety of ways increase the scope and impact of the breach. They typically achieve this by trying to compromise other users, moving laterally within the organization, elevating privileges when possible, and the finally reaching a system or data repository of critical value. As they proliferate through the organization, they will touch different endpoints, identities, mailboxes and services.

Reducing the impact of such attacks requires quick detection and response. And that can only be achieved when the defenses across these systems do not act in silos. This is why it is critical to have an integrated view into security solutions. Look for an email security solution that integrates well across other security solutions such as endpoint protection, CASB, identity protection, etc. Look for richness in integration that goes beyond signal integration, but also in terms of detection and response flows.

 

 

The post Top 6 email security best practices to protect against phishing attacks and business email compromise appeared first on Microsoft Security.