Archive for April, 2016

Microsoft Bounty Programs Expansion – Nano Server Technical Preview Bounty

April 30th, 2016

Microsoft is pleased to announce another expansion of the Microsoft Bounty Programs. Today we begin a bounty for the Nano Server installation option of Windows Server 2016 Technical Preview 5. Please visit https://aka.ms/BugBounty to find more details.

Nano Server is a remotely administered, headless installation option of the server operating system. In this first release, the Nano Server deployment is focused on two scenarios:

  1. As the host for compute and/or storage clusters
  2. As a lightweight OS in a VM or container for “born in the cloud” applications.

In summary:

  • All binaries included in the Nano Server configuration of Windows Server 2016 Technical Preview 5 and any subsequent Betas, Technical Previews or Release Candidates during the bounty period
  • Hyper-V escapes and Mitigation Bypass vulnerabilities will be evaluated against the Mitigation Bypass Bounty instead
  • The bounty will run April 29, 2016 – July 29, 2016
  • Bounty payouts will range from $500 USD to $15,000 USD

These additions to the Microsoft Bounty Program will be part of the rigorous security programs at Microsoft. Bounties complement the Microsoft Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.

As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.


Changes to Security Update Links

April 29th, 2016

Updates have historically been published on both the Microsoft Download Center and the Microsoft Update Catalog, and Security Bulletins have linked directly to the update packages on the Microsoft Download Center. Starting May 10, some updates will no longer be available from the Microsoft Download Center.

Security bulletins will continue to link directly to the updates, but will now point to the packages on the Microsoft Update Catalog for updates not available on the Microsoft Download Center. Customers that use tools linking to the Microsoft Download Center should follow the links provided in the Security Bulletins or search directly on the Microsoft Update Catalog.

For tips on searching the Microsoft Update Catalog, visit the frequently asked questions page.

What will cybersecurity look like in the next decade?

April 27th, 2016

Earlier this year the New America Foundation organized its annual “Cybersecurity for a new America” Summit. This year’s focus was on shaping the cybersecurity of the future. Speakers tackled the evolution of cyberspace and the implications for cybersecurity. They explored questions such as: How will we secure growing networks of cars, health devices and other “things”? What can we do to ensure that our cyber workforce is more diverse and representative? How can complex networks of actors work together to mitigate the next Heartbleed-scale software vulnerability? How will global trends affect the cybersecurity challenges that will threaten the United States?

Microsoft’s senior director of cybersecurity policy, Paul Nicholas, talked about the role geopolitics and individual governments will play in this space in the next decade. He also highlighted some of the challenges that governments around the world face and examined their emerging responses. You can watch his presentation here.


Digging deep for PLATINUM

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file containing an unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group, and the “nugget” was uncovered.

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016. The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp of November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreateUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “\knowndlls\mstbl.dll”. This DLL does not reside on disk, but is rather treated as a cached DLL by the session manager.

It then proceeds to write a PE file within that section. The PE file has one section (“.hotp1”) carrying the hotpatch header structure. This structure contains all the information necessary to patch the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is applied by invoking NtSetSystemInformation.

Figure 1: The malware builds the information describing the first patch

Figure 2: The highlighted “push 4” is patched to “push 0x40”, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “\knowndlls\fgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).
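The two hunting heuristics described above (a PE section named “.hotp1” and high-entropy file content) can be turned into a triage script. The following is an added example, not code from the original post or from Microsoft: it walks a PE file's COFF section table and reports any section whose name starts with “.hotp” and any section whose Shannon entropy is at or above an assumed threshold of 7.0 bits per byte. The `build_minimal_pe` helper constructs bare-bones sample images for testing; they are constructed data, not real binaries.

```python
import math
import struct
import sys

# Hotpatch-carrying PE files expose a section with this name prefix; ".hotp1"
# is the string the hunters spotted in the PLATINUM sample.
HOTPATCH_SECTION_PREFIX = b".hotp"
# Assumed threshold: packed or encrypted data sits close to 8.0 bits per byte.
HIGH_ENTROPY_THRESHOLD = 7.0
# Assumption: ignore tiny sections, whose entropy is statistically meaningless.
MIN_SECTION_SIZE = 64

SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk the COFF section table of a PE image; one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(SECTION_HEADER_FMT, image, off)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0"),
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "characteristics": chars,
        })
    return sections


def triage(image: bytes):
    """Return the findings a hunter would want to review for this image."""
    findings = []
    for s in parse_sections(image):
        label = s["name"].decode("ascii", "replace")
        if s["name"].startswith(HOTPATCH_SECTION_PREFIX):
            findings.append(f"hotpatch section {label}")
        if s["raw_size"] >= MIN_SECTION_SIZE and s["entropy"] >= HIGH_ENTROPY_THRESHOLD:
            findings.append(f"high-entropy section {label} ({s['entropy']:.2f} bits/byte)")
    return findings


def build_minimal_pe(sections):
    """Construct a bare-bones PE image (constructed test data, not a real binary).

    `sections` is a list of (name, raw_bytes). No optional header is emitted,
    which is enough for the section walk above.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2102)
    raw_ptr = 64 + 4 + 20 + 40 * len(sections)                 # first byte after the headers
    table, body = bytearray(), bytearray()
    for name, data in sections:
        table += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        hits = triage(open(sys.argv[1], "rb").read())
    else:  # demo on a constructed image carrying a high-entropy .hotp1 section
        sample = build_minimal_pe([(b".text", b"\x90" * 256),
                                   (b".hotp1", bytes(range(256)) * 4)])
        hits = triage(sample)
    print("\n".join(hits) if hits else "no findings")
```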

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:\program files\Windows Journal\Templates\Cpl\jnwmon.exe –ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.


[1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf

[2] https://www.yumpu.com/en/document/view/14255220/alexsyscan13

A call to raise awareness and adoption of vulnerability disclosure and handling best practices

April 25th, 2016

Over the past few years, technology companies have increasingly moved toward partnering with security researchers to better protect their products, services, and customers. Recognizing that vulnerability research is a valuable part of securing the online environment, they have matured programs to work together with researchers in receiving, triaging, and responding to reports.

Microsoft’s focus on coordinating with researchers has developed over time. As we launched our first BlueHat Briefing in 2005, there was a significant level of distrust on both sides, and we listened to the security community as we evolved our approach. In 2011, we announced a new Coordinated Vulnerability Disclosure (CVD) policy and set of practices, aiming to be transparent and encouraging vulnerability finders to work with us. Since then, we have expanded our BlueHat prizes and bug bounty programs, further incentivizing researchers to work with us as we continue to strengthen our platforms.

Many companies are increasingly becoming software companies. In cars, elevators, wearable devices, and many other products and services, the practice of incorporating software components is growing exponentially. All of these devices and programs can suffer from vulnerabilities that are exploited by criminals. Moreover, unfortunately, for various reasons, including lack of resources, expertise, or understanding of vulnerability research, not all of these companies partner with security researchers that find and report potential vulnerabilities.

To address this gap and promote greater collaboration, Microsoft is working with the U.S. Department of Commerce National Telecommunications & Information Administration (NTIA) and numerous other stakeholders, including security researchers, technology providers, and civil society. In particular, we are co-chairing an NTIA working group that’s focused on increasing awareness and adoption of vulnerability disclosure and handling best practices. The group aims to highlight the overlapping interests of technology providers and security researchers and to develop resources that can support new partners in coordination and ecosystem security.

To guide our working group toward developing the most responsive and helpful resources, we’re seeking information about how vulnerability disclosure and handling is currently being approached. While we already have an appreciation of where concerns and obstacles might lie, we want to ensure that we are addressing the real needs and gaps that are being experienced in the ecosystem. To this end, we have developed short surveys, targeting both security researchers and technology providers and operators, and we encourage you to share and respond to them. Responses will be anonymized, and the surveys will close in mid-May.

The security researcher survey is available here:

https://www.surveymonkey.com/r/securityresearcher

The technology provider and operator survey is available here:

https://www.surveymonkey.com/r/techprovider

Ultimately, all stakeholders within and impacted by the vulnerability information sharing ecosystem—including security researchers, technology providers, technology operators, non-profit coordinators, bug bounty providers, governments, and users—have responsibilities to keep users safe. With your participation in this NTIA working group survey and broader engagement on this issue, we can learn more about how the ecosystem is maturing and what more we can do to support its advancement.


Ransomware: Understanding the Risk

April 22nd, 2016

Ransomware is a type of malware that holds computers or files for ransom by encrypting files or locking the desktop or browser on systems that are infected with it, then demanding a ransom in order to regain access. Criminals have used high pressure techniques to get victims to pay the ransom, such as:

  • Make encrypted data unrecoverable after a certain period of time
  • Threaten to post captured (potentially sensitive) data publicly
  • Use fear by claiming to be law enforcement and threaten prosecution
  • Increase the ransom payment amount as time goes on
  • Render the machine unbootable when it overwrites the Master Boot Record and encrypts physical sectors on disk
  • Threaten to erase all data and render all enterprise computers inoperable

Figure 1: An example of a ransomware ransom demand

There is heightened concern across the industry about ransomware because of some high profile cases that illustrate ransomware isn’t just a threat for consumers to worry about, as it is being used in attacks on enterprises as well.

Although we know attackers that leverage ransomware are motivated by profit, the underlying reasons they have attacked specific organizations or industries are not as straightforward. Some attackers might very well be targeting specific industries with ransomware attacks. Other attackers might simply be leveraging their capabilities; i.e. they have developed the capability to exploit specific vulnerabilities in specific platforms or specific line-of-business applications that happen to be primarily used in, or get heavy use by, specific industries.

Ransomware is a topic that I have written about in the past (Ransomware: Ways to Protect Yourself & Your Business, Ransomware is on the Rise, Especially in Europe) and that we have covered extensively in some volumes of the Microsoft Security Intelligence Report. The Microsoft Malware Protection Center has provided extensive information about this category of threats (Ransomware, No mas, Samas: What’s in this ransomware’s modus operandi?, The three heads of the Cerberus-like Cerber ransomware, Locky malware, lucky to avoid it, MSRT October 2015: Tescrypt, MSRT September 2015: Teerac, MSRT July 2015: Crowti, Emerging ransomware: Troldesh, Your Browser is (not) Locked, etc.)

Given the heightened concern in the industry, I thought it was time to examine if the risk associated with this threat category has been increasing. This will help CISOs, security teams, and risk managers understand if they should prioritize this risk differently now than they have in the past. As always, risk is the combination of probability and impact.

Let me start by providing some data and insights that will help organizations understand the probability component associated with the risk of ransomware. Using data from the Microsoft Security Intelligence Report, which includes data based on telemetry from hundreds of millions of systems around the world, we can see that ransomware has been encountered worldwide much less frequently than almost all other types of malware. Figure 2 illustrates the encounter rates for malware categories for each quarter ending in the second quarter of 2015. The encounter rate (ER) is the percentage of computers running Microsoft real-time security software that report detecting malware or potentially unwanted software during a quarter. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender reporting that they blocked malware from installing on them.

Figure 2: Encounter rates for significant malware categories, third quarter of 2014 (3Q14) – second quarter of 2015 (2Q15)

The worldwide ER for ransomware in the first quarter of 2015 (1Q15) was 0.35 percent and 0.16 percent in the second quarter (2Q15), as seen in Figure 2. By comparison, the ER for Trojans was 3.92 percent and 4.45 percent in 1Q15 and 2Q15 respectively. That means the ER for Trojans was 11 times higher than the ransomware ER in 1Q15 and 28 times higher in 2Q15. More recent data for the last half of 2015 suggests there was a slight increase in the ER for ransomware (0.26 percent in 3Q15, 0.40 percent in 4Q15), but it’s still a fraction of 1 percent and much lower than almost every other category of malware. The most recent data, from the last month (March 2016), suggests that the worldwide ER for ransomware was 0.2 percent, putting it almost on par with the ER for Trojan Downloaders & Droppers, but still lower than viruses (file infectors) and most other threat categories.

Although the global encounter rate is just a fraction of a percent, some countries/regions have higher ransomware encounter rates; that is, the probability of encountering ransomware is higher in some locations than others. For example, the ER in Mexico was 5 times higher at 0.8 percent during the same period. France and Canada had ransomware encounter rates 4.4 times higher than the worldwide average at 0.7 percent, while the United States, Russia and Turkey all had elevated ransomware encounter rates, 3.75 times higher than the worldwide average, at 0.6 percent.

The locations that had the highest ransomware ERs in the world in 2015 are listed in Figures 3 and 4. Portugal and Italy were among the locations with the highest ransomware ERs in both halves of 2015.

Figure 3 (left): The countries/regions with the highest ransomware encounter rates in the world in the first half of 2015; Figure 4 (right): The countries/regions with the highest ransomware encounter rates in the world in the second half of 2015

Although the ransomware ER in the UAE, for example, in the first half of 2015 was the highest in the world, ransomware is still one of the least encountered categories of threats there as Figure 5 illustrates. A ransomware family does not appear in the top 10 list of threats in the UAE.

Figure 5: Malware encountered in the United Arab Emirates in the second quarter of 2015, by category

The infection rate is typically a fraction of the ER because systems have to encounter malware before they can get infected. Data in several volumes of the Security Intelligence Report suggests that 70 percent to 80 percent of systems that run the MSRT also run up-to-date real-time antivirus. This means most systems will be able to block the installation of known commodity ransomware before they can become infected. Thus the ER is typically much greater than the actual infection rate.

The malware infection rate, called the Computers Cleaned per Mille (CCM), is measured by the number of computers cleaned for every 1,000 unique computers that run the Windows Malicious Software Removal Tool (MSRT). For example, if MSRT has 50,000 executions in a particular location in the first quarter of the year and removes infections from 200 computers, the CCM for that location in the first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000).

Detections for new malware families are typically added to the MSRT every month. The MSRT cleans many of the most prevalent families of ransomware, like Win32/Crowti, Ransom:Win32/Reveton, and Win32/Samas. Of these, Crowti had the highest CCM in the second half of 2015, 0.04 in 3Q15 and 0.01 in 4Q15. This means that for every 1,000 systems the MSRT executed on in the fourth quarter of 2015, 0.01 was cleaned of Crowti; that’s 1/1000 of a percent of the hundreds of millions of systems the MSRT executes on each month.

The ER data I outlined above suggests that ransomware represents a risk that has been lower probability relative to other types of malware in most parts of the world. But the rapid evolution of ransomware suggests that these numbers could rise in the future. Email (spam, spear-phishing, etc.), social engineering using Word and Excel macros, drive-by download attacks, and removable storage devices (USB drives) are among the most common ways attackers have distributed ransomware. This has been evolving rapidly.

The ability for less-skilled attackers to mount ransomware campaigns has increased recently, due to the emergence of ransomware-as-a-service (RaaS) offerings on the dark web. Sarento and Enrume are ransomware families that are examples of this approach. Ransomware is being increasingly paired with exploit kits, such as JS/Axpergle (a.k.a. Angler), and other malware to gain persistence in victims’ environments. More attackers using more distribution points has led to more enterprises encountering ransomware, as Figures 6 and 7 illustrate. Additionally, ransomware can be distributed to systems via other malware, i.e., existing infections, to increase attacker monetization of the assets they control.

When comparing these figures, notice how the ER for ransomware increased between the first and second halves of 2015, surpassing the ER of Password Stealers & Monitoring Tools. Also notice that the ER for ransomware on domain-joined systems surpassed that of non-domain-joined systems.

Figure 6: Malware and unwanted software encounter rates for domain-based and non-domain computers, in the first half of 2015, by category

Figure 7: Malware and unwanted software encounter rates for domain-based and non-domain computers, in the second half of 2015, by category

More sophisticated attackers that target enterprises try to encrypt as much of their target’s critical data as possible. To do this, they need to move beyond encrypting data on a single device. They use all the dirty tricks in their toolkits to get a foothold in an organization’s IT environment, including exploiting unpatched vulnerabilities, taking advantage of misconfigured systems and weak passwords, and of course social engineering.

The main entry points for these attacks are vulnerable Internet-facing servers and user workstations. Once they have compromised a single system, they use tactics similar to “APT” style attacks to traverse the infrastructure looking for more data to encrypt. To do this, they will gather credentials on the initial point of entry, attempt to gain elevated privileges (e.g., domain administrator), use those credentials to map out the organization’s network, then move laterally to new hosts, gathering more credentials that will allow them to encrypt data on as many machines as possible. Attackers will also deny the victim organization access to its backups, if they can, to increase the motivation to pay the ransom.

Once attackers have access to data (.pdf, .xlsx, .docx, etc.) they believe is valuable to the victim organization, they encrypt it. As ransomware has been evolving, more of this malware has been employing correctly implemented strong encryption algorithms (the Advanced Encryption Standard (AES), for example), which prevents recovery without a valid decryption key or restoration of the original files from backup. Without backups, the impact of this type of attack on a business could be severe; the loss of intellectual property, customer data, and financial records could have irreversible consequences for a business.

The Samas family (Ransom:MSIL/Samas) of ransomware is a great example of ransomware using some of these tactics. The MMPC has published a detailed article on this family: No mas, Samas: What’s in this ransomware’s modus operandi?

Detection for Samas was added to the MSRT in April 2016. The infection rate (CCM) for Samas is virtually zero, as it has only been seen used in targeted attacks rather than in broad attacks as commodity ransomware.

Figure 8: Ransom:MSIL/Samas infection chain

Ransomware has been evolving quickly. Last month (March 2016) the top 5 ransomware families encountered included Ransom:Win32/Tescrypt, Ransom:Win32/Locky, Ransom:Win32/Crowti, Ransom:JS/Brolo, and Ransom:Win32/Teerac.

Although commodity ransomware has relatively low encounter rates and low infection rates, when determining the probability and impact in ransomware risk calculations it’s important to consider that ransomware is also being used as part of ransomware-as-a-service kits and by determined adversaries in targeted attacks.

The fact that ransomware families aren’t very prevalent at this point is good news. But that doesn’t make it any less painful to the users and organizations that have been victimized. This is why Microsoft is so committed to continually raising the bar on attackers and helping our customers with these threats. There is a plethora of mitigations available for enterprise customers, both on-premises and cloud-based. Windows 10 has numerous advanced security features that can make it much harder for attackers to be successful with ransomware. The Office 365 Security team published an excellent article that provides some great mitigations, a highly recommended read: How to Deal with Ransomware.

Additionally, I asked some of the experts in Microsoft’s Enterprise Cybersecurity Group to provide some guidance based on the work they are doing to help enterprise customers protect, detect and respond to ransomware cases. The Enterprise Cybersecurity Group has unique, industry-leading cybersecurity expertise from client to cloud that I’m excited to tap. They have helped numerous enterprise customers protect, detect and respond to some of the most sophisticated ransomware attacks to date. This experience informs their approach, something partially summarized in the table below.

Detect
  • Ingress protections
  • Auto-scale endpoint protections
  • Behavioral and deterministic detections leveraging Deep Packet Inspection
Protect
  • Reputational services
  • High Value Asset protection, containment, isolation
Respond
  • Response planning
  • Offline backups
  • Regular hunting and validation

We will share more from the Enterprise Cybersecurity Group in the next article in this series on ransomware.

Tim Rains
Director, Security
Microsoft

3152550 – Update to Improve Wireless Mouse Input Filtering – Version: 1.1

Revision Note: V1.1 (April 22, 2016): Added FAQs and additional information to clarify that only standalone mouse devices are affected. This is an informational change only.
Summary: Microsoft is announcing the availability of an update to improve input filtering for certain Microsoft wireless mouse devices. The update enhances security by filtering out QWERTY key packets in keystroke communications issued from receiving USB wireless dongles to wireless mouse devices. This improvement is part of ongoing efforts to improve the effectiveness of security in Windows and Microsoft devices. For more information, see Microsoft Knowledge Base Article 3152550.

Categories: Uncategorized Tags:

A brief discourse on ‘Changing browsing experience’

In response to questions we’ve received from the software distribution and monetization industry, and following our blog announcing our browser modifier policy update, we’d like to provide some details on what we refer to in our policy as “changing browsing experience”.

For us, “changing browsing experience” means behaviors that modify the content of webpages.

We consider programs installed and running on a PC that make webpages look different than they would on the same browser had those programs not been installed to be programs that change browsing experience. These programs are required to use the browsers’ extensibility models.

Browsers’ extensibility models ensure user choice and control. Extensible browsers present consent prompts that ask users to grant permission before an extension is enabled. This is done using consistent language and placement that is straightforward and clear.

By requiring programs that change browsing experience to use the extensibility models, we ensure that users are kept at the helm of their choice and control. Programs can only make such alterations to webpages when users grant them the permission to do so, using the browsers’ consistent and reliable consent prompting.

Some programs modify browsing access in ways that don’t insert or change web content. We don’t consider these to be changing the browsing experience.

Examples of programs that modify browsing access include:

  • VPNs – software type that provides access
  • Parental control programs – software type that restricts access

If these programs don’t insert or change web content, then they are not changing browsing experiences. Therefore, they are not required to use the browsers’ extensibility models.

Our intent with this policy is clear: we are determined to protect our customers’ choice and browsing experience control. The requirement to use the browsers’ supported extensibility models is an important pillar in achieving this goal.


Barak Shein and Michael Johnson

MMPC

MS15-NOV – Microsoft Security Bulletin Summary for November 2015 – Version: 3.1

Revision Note: V3.1 (April 21, 2016): For MS15-112, added a Known Issue to the Executive Summaries table. After you install security update 3100773, you cannot type Korean characters correctly. For information about the solution for this Known Issue, see Microsoft Knowledge Base Article 3154996.
Summary: This bulletin summary lists security bulletins released for November 2015.

Categories: Uncategorized Tags:

Microsoft Trust Center adds new cloud services and certifications

The Microsoft Trust Center is expanding, and today we’re adding more of our enterprise cloud services—Microsoft Commercial Support, Microsoft Dynamics AX, and Microsoft Power BI. These services join Microsoft Azure, Microsoft Dynamics CRM Online, Microsoft Intune, and Microsoft Office 365 in the Trust Center.

Additionally, we are adding two new compliance attestations, ENS in Spain and FACT in the UK. These two new certifications, added to those announced in March—CS Mark in Japan and MPAA— bring our total to 37—the most comprehensive of any major cloud service provider in the world.

We launched the Trust Center in November 2015 to create a central point of reference for cloud trust resources and to detail our commitments to security, privacy and control, compliance, and transparency. It is here that we document our adherence to international and regional compliance certifications and attestations, and lay out the policies and processes that Microsoft uses to protect your privacy and your data. Here, too, you’ll find descriptions of the security features and functionality in our services as well as the policies that govern the location and transfer of the data you entrust to us.

The new Microsoft compliance certifications and attestations include:

  • ENS. The Esquema Nacional de Seguridad (National Security Framework) in Spain provides ICT security guidance to public administrations and service providers. Microsoft was the first cloud service provider to receive the ENS certification—for Azure and Office 365.
  • FACT. The Federation Against Copyright Theft in the UK developed a certification scheme based on ISO 27001 that focuses on physical and digital security to protect against the theft of intellectual property. Azure was the first multitenant public cloud to achieve FACT certification.
  • MPAA. Azure was the first hyperscale cloud provider to comply with the Motion Picture Association of America guidance and control framework for the security of digital film assets.
  • CS Mark. The Cloud Security Mark is the first security standard for cloud service providers in Japan. Microsoft achieved a CS Gold Mark for all three service classifications: Azure for IaaS and PaaS, and Office 365 for SaaS.

The Trust Center website reflects the principles that underpin our products and services:

  • Security. Get an overview of how security is built into the Microsoft Cloud from the ground up, with protection at the physical, network, host, application, and data layers so that our online services are resilient to attack.
  • Privacy and control. Get visibility into our datacenter locations worldwide, data access policies, and data retention policies, backed with strong contractual commitments in the Microsoft Online Services Terms.
  • Compliance. Here you’ll find comprehensive information on Microsoft Cloud certifications and attestations such as EU Model Clauses, FedRAMP, HIPAA, ISO/IEC 27001 and 27018, PCI-DSS, and SOC 1 and SOC 2. Each compliance page provides background on the certification, a list of compliant services, and detailed information such as implementation guides and best practices.
  • Transparency. The Microsoft Cloud is built on the premise that for you to control your customer data in the cloud, you need to understand as much as possible about how that data is handled. You’ll find a summary of the policies and procedures here.

Visit the Microsoft Trust Center.

Categories: Cloud Computing Tags:

MS16-039 – Critical: Security Update for Microsoft Graphics Component (3148522) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (April 19, 2016): To comprehensively address CVE-2016-0145, Microsoft re-released security update 3144432 for affected editions of Microsoft Live Meeting 2007 Console. Customers running Microsoft Live Meeting 2007 Console should install the update to be fully protected from the vulnerability. See Microsoft Knowledge Base Article 3144432 for more information.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.

Categories: Uncategorized Tags:

JavaScript-toting spam emails: What should you know and how to avoid them?

We have recently observed that spam campaigns are now using JavaScript attachments in addition to Office files. The purpose of the code is straightforward: it downloads and runs other malware.

Some of the JavaScript downloaders that we’ve seen are:

The same JavaScript downloaders are also responsible for spreading the following ransomware:

The spam email contains a .zip or .rar file attachment that carries malicious JavaScript. The JavaScript attachment mostly has the following icon, depending on the system’s script software. The file names are either related to the spam campaign or completely random:

Figure 1: Examples of JavaScript attachments from spam email campaigns

Not your favorite Java

Just like a typical email campaign, the JavaScript-toting spam finds its way onto your PC after a successful social engineering trick. Among the tricks used are attachment file names intentionally crafted to pique any person’s curiosity (finance-related, etc.).

The JavaScript attachments are heavily obfuscated to avoid antivirus software detections. Each consists of a download-and-execute function paired with one or two URLs hosting the malware.

Figure 2: Sample code and URL

Figure 3: Another code sample

Figure 4: Another code sample

Figure 5: Another code sample

In some cases, the malicious JavaScript attachment is bundled with a dummy file to evade email rules.

Figure 6: An example of a JavaScript attachment and a dummy file

Figure 7: Another example of a JavaScript attachment and a dummy file

These URLs are mostly short-lived. But when the download succeeds, the malware, in this case Ransom:Win32/Locky, enters the system and proceeds with its destructive mission.

It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it: one click to open the document, and another click to enable the macros.

On the other hand, a JavaScript attachment takes only one or two clicks to start executing.

It is uncommon, and quite suspicious, for people to send legitimate applications in pure JavaScript file format (files with a .js or .jse extension) via email. You should be wary of such attachments and should not click or open them.
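One way a mail gateway could flag these attachments before a user ever sees them, including a script hidden in a .zip next to a decoy document (the “dummy file” trick above), as an added example that is not MMPC code; the message, the archive and its member names are constructed:

```python
"""Flag e-mail attachments that carry script files, including scripts bundled
with a decoy document inside a .zip. Added example, not MMPC code; the sample
message below is constructed and contains no real downloader."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script extensions that have no business arriving as mail attachments.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}


def _extension(name: str) -> str:
    """Lower-cased final extension of a file name ('Invoice.PDF.JS' -> '.js')."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def suspicious_names(filename: str, data: bytes) -> list:
    """Return the script file names found in one attachment.

    A bare .js/.jse file is reported by its own name. For a .zip, every member
    is listed, so a decoy .pdf cannot hide the script sitting next to it.
    Nothing is extracted to disk or executed.
    """
    hits = []
    if _extension(filename) in SCRIPT_EXTENSIONS:
        hits.append(filename)
    elif _extension(filename) in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if _extension(member) in SCRIPT_EXTENSIONS:
                        hits.append(f"{filename}:{member}")
        except zipfile.BadZipFile:
            # A ".zip" that is not a zip is worth a look but is not a script hit.
            hits.append(f"{filename}:<unreadable archive>")
    return hits


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return every suspicious attachment name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(suspicious_names(name, payload))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: an 'invoice' mail whose zip holds a decoy PDF and a .js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice_2016-04.pdf", b"%PDF-1.4 decoy, not a real invoice")
        archive.writestr("invoice_2016-04.js", b"// placeholder, not a downloader\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_2016-04.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("suspicious attachment:", finding)
```

The same check applies unchanged to a double extension such as Resume.PDF.JS, because only the final extension decides.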

Figure 8: A screenshot of how the JavaScript attachment gets executed.

Same stuff, new package

Email attachments have long been a common vector for spreading malware. In the past months, we have seen Office file attachments that contain malicious macros. The code is simple and straightforward; its main objective is to download and execute other malware, such as password stealers, backdoors and ransomware.

The JavaScript-toting email spam is no different.

These malicious email attachments are distributed through spam campaigns. Spam campaigns draw on a range of social engineering themes that appeal to people’s curiosity, enough for them to take action and click what shouldn’t be clicked: from finance-related subjects like receipts, invoices and bank accounts, to resumes and shipment notifications.

Figure 9: A screenshot of a sample bank-related email spam.

Figure 10: A screenshot of a sample remittance-themed email spam.

Figure 11: A screenshot of a sample invoice-themed email spam.

Figure 12: A screenshot of a sample resume-themed email spam.

Figure 13: A screenshot of a shipment notification-themed email spam.

Figure 14: A screenshot of a sample debt case-themed email spam.

Mitigation and prevention

To avoid falling prey to those JavaScript-toting emails’ social engineering tricks:

See some of the related blogs and threat reports:


Alden Pornasdoro

MMPC

Microsoft Trusted Cloud Security Summit

April 13th, 2016 No comments

Earlier this month, Microsoft hosted its third Trusted Cloud Security Summit in Washington DC. The event brought together a wide range of security stakeholders from the different Microsoft cloud offerings and over 100 federal department and agency participants, particularly those looking to adopt the FedRAMP High baseline, such as the Department of Homeland Security, Federal Bureau of Investigation, Department of Justice, State Department, the Treasury and the Food and Drug Administration, amongst others. The interest in the event reflected the broader US government prioritization of cybersecurity, which was underlined by the announcement made by President Obama in February, introducing the new Cybersecurity National Action Plan.

Ensuring the security of government agencies using cloud technologies follows a similar vein and has been central to the government since the introduction of the Cloud First policy in 2011. The Federal Risk and Authorization Management Program, better known as FedRAMP, was developed shortly thereafter and has for a number of years served as a process which provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud services. The original process supported migration of low and moderate impact workloads to the cloud and has helped many government agencies make that critical move. However, that has not been the case for some of the more critical services.

The FedRAMP High baseline aims to provide a higher categorization level for confidentiality, integrity and availability of cloud services; i.e. for those considered critical to government operations. While the High baseline addresses only 20% of government information and systems, it comprises over 50% of federal IT spend, reflecting a significant cost savings potential when migrating these workloads to the cloud. The pilot we participated in represented the last step in a year-long effort to develop the High baseline. The draft baseline has already been through two rounds of public comment and review from a Tiger Team from across multiple federal agencies.

Since FedRAMP was established, Microsoft has worked closely with the FedRAMP program management office to ensure our Federal cloud solutions meet or exceed public sector security, privacy and compliance standards. Our March Summit established that this has not changed: it confirmed Microsoft as one of only three cloud service providers included in the FedRAMP High Baseline pilot, and on track to achieve the appropriate level. Building on the FedRAMP authorization, Azure Government is also on track to achieve the DISA Level 4 authorization shortly, covering unclassified data that requires protection against unauthorized disclosure or other mission-critical data (i.e., controlled unclassified data).

The event itself examined the development process of the FedRAMP High Baseline, as well as its impact on federal cloud adoption. Matt Goodrich, Director for FedRAMP in GSA’s Office of Citizen Services and Innovative Technologies (OCSIT), talked about how the revision of the process will benefit both providers and the government, for example by limiting the certification time and providing more transparency, predictability and risk focus upfront through a focus on core capabilities instead of an exclusively controls-centric approach.

The Summit also served to examine some of Microsoft’s security capabilities that address other federal government cloud security priorities, including DOD’s FedRAMP+ and DHS’s Trusted Internet Connections programs. While both initiatives leverage the original FedRAMP process, they add unique requirements for providers to demonstrate additional levels of assurance and operational visibility, capabilities that Microsoft’s cloud offerings can meet today.

For more on the security announcement made by Azure on the day, take a look at Matt Rathbun’s (Cloud Security Director, Azure) blog here.

Categories: Cloud Computing Tags:

MS16-APR – Microsoft Security Bulletin Summary for April 2016 – Version: 1.1

Revision Note: V1.1 (April 13, 2016): Added a Known Issues reference to the Executive Summaries table for MS16-039. For more information, see Microsoft Knowledge Base Article 3148522, and a Known Issues reference to the Executive Summaries table for MS16-042. For more information, see Microsoft Knowledge Base Article 3148775.
Summary: This bulletin summary lists security bulletins released for April 2016.

Categories: Uncategorized Tags: