Archive for March, 2016

Defending against persistent attackers: What we’ve learned

Part of what we do at the Microsoft Malware Protection Center involves keeping tabs on known activity groups. This is some of the most interesting and intriguing work we do.

One particularly aggressive and persistent group we track is known within Microsoft by the code-name “STRONTIUM” (following our internal practice of assigning chemical element names to such groups).

Whereas most cyber-attack groups are ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary targets include government bodies, diplomatic institutions, and military forces. The group has also been known to target journalists, political advisors, and organizations associated with political activism. With such lofty targets, you might expect the group to be highly sophisticated, and it is.

STRONTIUM primarily attempts to ensnare individuals using spear phishing tactics through email or social networking channels. The idea is to dupe people into giving up their login credentials so the group can perform reconnaissance on a target organization. Their lure messages are typically tied to current events such as an upcoming conference or real-world news, and STRONTIUM’s email senders are usually associated with well-known email providers, using plausible names and titles designed to give the messages credibility.

The ultimate goal of this reconnaissance phase is to compile a list of high-value individuals who have information or access that STRONTIUM wants. With this list at hand, the group moves to the next phase of operations — installing malware on the high-value targets’ computers and thereby gaining access to the institution’s network. Depending on the specific attack used, they might send a message with a link that will launch a drive-by download when clicked, or a malicious attachment such as a document file containing an exploit.

It is not yet clear whether the group researches vulnerabilities and develops the exploits themselves, or purchases them on the black market, but Microsoft researchers have observed STRONTIUM moving swiftly to take advantage of newly disclosed vulnerabilities. They are also known for zero-day exploits targeting vulnerabilities where the software vendor has not yet released a security update. STRONTIUM also targets older vulnerabilities that simply haven’t been patched by the organization, and attacks involving non-Windows computers are a concern as well.

Considering STRONTIUM’s broad range of technical capabilities and its determination to keep up an attack for months or years until it succeeds, the group represents a significant threat that is difficult to defend against. Nevertheless, there are steps an organization can take to significantly decrease the probability of a successful attack:

  • Deploy vendor security updates quickly after they are released. STRONTIUM looks for out-of-date software installations inside target institutions. Keeping software current denies the group this avenue of infiltration.
  • Take advantage of the latest mitigation technologies. Recent versions of Windows (most notably Windows 10) and other software include critical mitigations that can render many of STRONTIUM’s exploits ineffective.
  • Enforce segregation of privileges and apply all possible safety measures to protect Admin accounts. STRONTIUM relies on pass-the-hash techniques and elevation of privileges to successfully move laterally across networks.
  • Conduct enterprise software security awareness training. STRONTIUM heavily relies on social engineering to entice individuals into clicking links to malware. Security training can raise awareness around this attack vector.
  • Institute multi-factor authentication. As STRONTIUM extensively uses credential-stealing spear phishing attacks, multi-factor authentication can be an effective tool to prevent unauthorized access even if credentials are stolen.
  • Prepare your network to be forensically ready. A forensically ready network that records authentications, password changes, and other significant network events can help to quickly identify affected systems.
  • Keep personnel and personal data private. STRONTIUM uses open-source intelligence to obtain its initial lists of victims, which might include names and email addresses, but can expand into employment information and other items of interest. Make sure your email is kept confidential and privacy settings on social media don’t disclose sensitive information publicly. These are all pieces of information STRONTIUM can use to devise a realistic attack.

For a deeper look at the STRONTIUM adversary, including technical information that can help your IT department keep your organization safe, see the latest Microsoft Security Intelligence Report here.

To learn more about how Microsoft helps protect your security and privacy in the cloud, visit Trusted Cloud.

MS16-MAR – Microsoft Security Bulletin Summary for March 2016 – Version: 3.1

Revision Note: V3.1 (March 25, 2016): For MS16-028, removed Windows Server 2012 (Server Core installation) from Windows Operating Systems and Components (Table 1 of 2) because it is not affected. This is an informational change only.
Summary: This bulletin summary lists security bulletins released for March 2016.

Categories: Uncategorized Tags:

MS16-028 – Critical: Security Update for Microsoft Windows PDF Library to Address Remote Code Execution (3143081) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (March 24, 2016): Removed Windows Server 2012 (Server Core installation) from the Affected Software and Vulnerability Severity Ratings table because it is not affected. This is an informational change only.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file.

Categories: Uncategorized Tags:

Keeping Browsing Experience in Users’ Hands, an Update…

March 24th, 2016

Since we published the Keeping Browsing Experience in Users’ Hands blog in December 2015, we’ve received feedback from the ecosystem and engaged in discussions with the industry. Based on those discussions and feedback, we are making a couple of updates.

We are broadening the scope of the evaluation criteria we blogged about to state:

Programs that change the user browsing experience must only use the browsers’ supported extensibility model for installation, execution, disabling and removal. Browsers without supported extensibility models will be considered non-extensible.

This addition addresses software that modifies the browsing experience, not just those that insert ads into the browsing experience.

Accordingly, we are moving the criterion from the Advertising criteria to become an expansion of our BrowserModifier criteria.

By doing so we are closing additional gaps that impact the browsing experience from outside the browser, not just ad injection software, and are pointing developers to comply with the browser’s respective extensibility models.

Internet Explorer and Microsoft Edge’s policy, for example, can be found at aka.ms/browserpolicy.

In addition, and due to the broadening of the policy, we are further extending the notification up until May 2, 2016.

We continue to encourage developers who may be affected by this policy to work with us during the notification time, and fix their software to become compliant with the new criteria and follow the respective browser policies.

Enforcement starts on May 2, 2016.

Barak Shein and Michael Johnson

MMPC

 

Categories: Uncategorized Tags:

New feature in Office 2016 can block macros and help prevent infection

March 22nd, 2016

Macro-based malware is on the rise and we understand it is a frustrating experience for everyone. To help counter this threat, we are releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios.

 

Macro-based malware infection is still increasing

Macro-based malware continues its rise. We featured macro-based malware in our Threat Intelligence report last year, but infections are still increasing.

Despite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three months.

 

In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.

Note these are detections and not necessarily successful infections. To learn more about Advanced Threat Protection and other security features in Office 365, check out this blog and video.

The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected.

 

Block the macro, block the threat

In response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016 that can help enterprise administrators prevent the risk from macros in certain high risk scenarios. This feature:

  1. Allows an enterprise to selectively scope macro use to a set of trusted workflows.
  2. Blocks easy access to enable macros in scenarios considered high risk.
  3. Provides end users with a different and stricter notification so it is easier for them to distinguish a high-risk situation from a normal workflow.

This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet. This includes scenarios such as the following:

  1. Documents downloaded from Internet websites or consumer storage providers (like OneDrive, Google Drive, and Dropbox).
  2. Documents attached to emails that have been sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email).
  3. Documents opened from public shares hosted on the Internet (such as files downloaded from file-sharing sites).

Let’s walk through a common attack scenario and see this feature in action.

Claudia is an enterprise administrator at Contoso. After a rash of macro-based malware attacks targeting her organization, she learns of this new feature in Office 2016 and has rolled out a Group Policy update to all Office clients on the network.

Stewart is a cybercriminal looking to attack and penetrate the Contoso network. Stewart uses macro-based malware because he’s had recent successes using it. He launches his attack campaign against Contoso by targeting James, an employee there.

James receives an email from Stewart in his inbox that has an attached Word document. The email has content designed to pique James’s interest and influence him to open the attachment.

Email with a macro-enabled attachment

When James opens the Word document, it opens in Protected View. Protected View is a feature that has been available in Word, Excel, and PowerPoint since Office 2010. It is a sandboxed environment that lets a user read the contents of a document. Macros and all other active content are disabled within Protected View, and so James is protected from such attacks so long as he chooses to stay in Protected View.

Word document instructing a user to enable macros to get out of protected view mode

 

However, Stewart anticipates this step and has a clear and obvious message right at the top of the document designed to lure James into making decisions detrimental to his organization’s security. James follows the instructions in the document, and exits Protected View as he believes that will provide him with access to contents of the document. James is then confronted with a strong notification from Word that macros have been blocked in this document by his enterprise administrator. There is no way for him to enable the macro from within the document.

Warning message appears in a document if macros can't be enabled

 

James’s security awareness is heightened by the strong warning and he starts to suspect that there is something fishy about this document and the message. He quickly closes the document and notifies his IT team about his suspicions.

This feature relies on the security zone information that Windows uses to specify trust associated with a specific location. For example, if the location where the file originates from is considered the Internet zone by Windows, then macros are disabled in the document. Users with legitimate scenarios that are impacted by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization.
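The zone decision described above can be inspected on disk: Windows records a downloaded file's zone in an NTFS alternate data stream named Zone.Identifier. The following Python sketch is an added example, not code from the original post or from Office; the extension list, the sample stream contents and the example.test URLs are constructed assumptions, and the check models only the Internet-zone rule stated in the text.

```python
"""Triage helper: which files would fall under the Internet-zone macro block?"""
import os
from typing import Dict, List, Optional, Tuple

# URL security zone numbers used by Windows.
ZONES = {0: "Local Machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
INTERNET_ZONE = 3

# Assumption: macro-capable extensions for Word, Excel and PowerPoint,
# the three applications the policy covers. Adjust to your environment.
MACRO_EXTENSIONS = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb",
                    ".xlt", ".xltm", ".ppt", ".pptm", ".pot", ".potm", ".ppsm"}


def parse_zone_identifier(stream_text: str) -> Dict[str, str]:
    """Parse the INI-style Zone.Identifier text; keys come back lower-cased.

    Only entries inside the [ZoneTransfer] section are returned.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def zone_of(stream_text: Optional[str]) -> Optional[int]:
    """Return the zone number, or None when the mark is absent or malformed."""
    if stream_text is None:
        return None
    value = parse_zone_identifier(stream_text).get("zoneid", "")
    if not value.isdigit() or int(value) not in ZONES:
        return None
    return int(value)


def read_zone_stream(path: str) -> Optional[str]:
    """Read <path>:Zone.Identifier on NTFS; None if the stream does not exist."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as handle:
            return handle.read()
    except OSError:
        return None


def macro_block_applies(filename: str, stream_text: Optional[str],
                        policy_enabled: bool = True) -> bool:
    """True when the policy is on, the file type can carry macros, and the
    file is marked as coming from the Internet zone."""
    ext = os.path.splitext(filename)[1].lower()
    return (policy_enabled and ext in MACRO_EXTENSIONS
            and zone_of(stream_text) == INTERNET_ZONE)


def triage(samples: Dict[str, Optional[str]],
           policy_enabled: bool = True) -> List[Tuple[str, str, bool]]:
    """Return (file name, zone label, block applies) rows sorted by name."""
    rows = []
    for name, text in sorted(samples.items()):
        zone = zone_of(text)
        label = ZONES[zone] if zone is not None else "no mark"
        rows.append((name, label, macro_block_applies(name, text, policy_enabled)))
    return rows


# Constructed sample stream contents (not taken from real files).
SAMPLES: Dict[str, Optional[str]] = {
    "invoice.docm": "[ZoneTransfer]\r\nZoneId=3\r\n"
                    "ReferrerUrl=https://mail.example.test/\r\n"
                    "HostUrl=https://files.example.test/invoice.docm\r\n",
    "budget.xlsm": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "notes.docx": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "template.dotm": None,  # no stream present
}

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print("%-14s %-15s block applies: %s" % row)
```

A file reported as "no mark" carries no recorded zone, so Windows derives its zone from the location it is opened from; that case is outside what this check evaluates.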

 

Use Group Policy to enforce the setting, or configure it individually

Administrators can enable this feature for Word, Excel, and PowerPoint by configuring it under the respective application’s Group Policy Administrative Templates for Office 2016. For example, to enable this setting for Word:

  1. Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
  2. In the Group Policy Management Editor, go to User configuration.
  3. Click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
  4. Open the Block macros from running in Office files from the Internet setting to configure and enable it.

Group policy settings location

You can read more about this Group Policy setting at Plan security settings for VBA macros in Office 2016.

 

Final tips

For end-users, we always recommend that you don’t enable macros on documents you receive from a source you do not trust or know, and be careful even with macros in attachments from people you do trust – in case they’ve been hacked.

For enterprise administrators, turn on mitigations in Office that can help shield you from macro based threats, including this new macro-blocking feature. If your enterprise does not have any workflows that involve the use of macros, disable them completely. This is the most comprehensive mitigation that you can implement today.

Categories: macros, office, spam Tags:

Cloud Security Alliance Summit 2016: I Survived the Shark Tank

March 21st, 2016

A few weeks back I had the opportunity to speak at the Cloud Security Alliance Summit 2016 held in San Francisco, California. Microsoft was a Platinum sponsor of the event. I participated in a panel discussion on cloud security that focused on lessons learned from a cloud services provider’s point of view. Google, Dropbox, and Rackspace also participated on the panel.

The panel was moderated by Robert Herjavec, CEO of the Herjavec Group and star of ABC’s Shark Tank. Robert was a gracious and fun moderator to work with and I managed to survive the panel without a shark bite!

Also from Microsoft, Bruce Cowper delivered a keynote titled “Trusted Cloud” in which Bruce discussed the gap between how much people trust their on-premises infrastructure and the enterprise cloud services they consume, and examined reasons for the difference.

Tim Rains
Director, Security
Microsoft

Categories: Cloud Computing Tags:

The Trusted Cloud: what do privacy and control really mean?

Data is today’s currency. Cloud computing and the Internet of Things are driving a business transformation that measures value in billions of petabytes. The cloud is a powerful game-changer for businesses all over the world, but with that power comes great responsibility. Managing the volume, variety, and disparate sources of data generated through mobile devices and other activities is a global challenge for enterprise.

Unsurprisingly, businesses have many questions about how customer and enterprise data is managed, used, and protected in the cloud. According to a recent Intralinks survey of over 300 IT decision makers, less than half of companies surveyed “monitor user activities and provide alerts to data policy violations,” while only 53 percent “classify information to align with access controls.” And here’s the kicker: a little under half of the surveyed companies have no policies or controls in place to govern access.

Data privacy and access control must be taken together because it’s impossible to meaningfully achieve the one without robustly addressing the other. An organization may set up its cloud with the world’s best security to keep data private, but then fail to use access control policies effectively to prevent data leaks or unauthorized access. From both a technological and a privacy perspective, CIOs and IT leaders must pay attention to how, when, where, and by whom their company’s petabytes may be legitimately accessed. Moreover, they need to manage access control to ensure compliance from legal, risk management, and regulatory standpoints.

The issue has become more urgent since the invalidation of the EU – US Safe Harbor Framework impelled nations as well as businesses and individual citizens to examine the meaning of privacy in data residency regulations around the globe. How government surveillance and law enforcement relate to the access control policies governing private data is a current, evolving concern for enterprise.

This is why we’ve put all of our engineering expertise as well as our industry leadership into the privacy and control commitment that underpins the Microsoft cloud. When you entrust your data to our cloud services, you retain control of the data as well as access to it. Learn how to use access control policies and get technical resources in the Microsoft Trust Center.


What privacy and control mean in the Trusted Cloud

Our Trusted Cloud principles drive our commitment to use customers’ data responsibly, be transparent about our privacy practices, and offer meaningful privacy and control choices to our customers.

You own your data, not us. When you use a Microsoft cloud service, you keep the ability to take your data with you when you terminate an agreement. When a subscription expires or you terminate your contract, Microsoft follows a 90-day retention policy and strict standards for overwriting storage before reuse.

Your data is not used for marketing. Our enterprise business model is not based on exploiting customer data. We do not use your data for purposes such as advertising that are unrelated to providing the cloud service.

We don’t use standing access. We’ve engineered our cloud services so that the majority of operations are fully automated. Only a small set of activities require human involvement; access to your data by Microsoft personnel is granted only when necessary for support or operations, then revoked when no longer needed.

You can choose your datacenter location. Depending on which Microsoft cloud services you have, you may have flexibility in choosing where your data physically resides. Your data may be replicated for redundancy within the geographic area, but not transmitted outside it.

We protect data from government surveillance. Over several years, we’ve expanded encryption across all our services and reinforced legal protections for customer data. And we’ve enhanced transparency so that you can be assured that Microsoft does not build “back doors” into our products and services, nor do we provide any government with direct or unfettered access to customer data.

Law enforcement requests must go through you. Microsoft will not disclose your data to a third party except as you direct or as required by law. We’ll attempt to redirect third parties to request customer data directly from the data owner.

Categories: Cloud Computing Tags:

Microsoft Bounty Programs Announce Expansion – Bounty for Microsoft OneDrive

March 18th, 2016

At Microsoft, we continue to add new properties to our security bug bounty programs to help keep our customers secure. Today, I’m pleased to announce the addition of Microsoft OneDrive to the Microsoft Online Services Bug Bounty Program.

This addition further incentivizes security researchers to report service vulnerabilities to Microsoft. As part of the Microsoft Online Services Bug Bounty Program, the payouts will range from $500 – $15,000 USD.

Join us at the Microsoft Booth at CanSecWest 2016 in Vancouver, Canada to learn more about Microsoft OneDrive and the bounty programs. You can find the updated terms here. Send your submissions to secure@microsoft.com.

Happy Hunting,

Jason Shirk

No mas, Samas: What’s in this ransomware’s modus operandi?

March 18th, 2016

We’ve seen how ransomware managed to become a threat category that sends consumers and enterprises reeling when it hits them. It has become a high-commodity malware that is used as a payload in spam email, macro malware, and exploit kit campaigns. It also digs into victims’ pockets in exchange for recovering files from their encrypted form. This is where Crowti, Tescrypt, Teerac, and Locky have been very active.

We’ve also observed some malware authors providing a different method of distribution in the black market called ransom-as-a-service (RaaS). Malicious actors use RaaS to download the ransomware app builder and customize it accordingly. We’ve seen two threats, Sarento and Enrume, built through this type of service and deployed to infect machines during the second half of 2015.

 

How is Samas different from other ransomware?

 

Ransom:MSIL/Samas, which surfaced in the past quarter, has a different way of getting into the system – it has a more targeted approach of getting installed.  We have observed that this threat requires other tools or components to aid its deployment:

Figure 1:  Ransom:MSIL/Samas infection chain 

Samas ransomware’s tools of trade

 

The Samas infection chain diagram illustrates how Ransom:MSIL/Samas gets into the system.   It starts with a pen-testing/attack server searching for potential vulnerable networks to exploit with the help of a publicly-available tool named reGeorg, which is used for tunnelling.

Java-based vulnerabilities were also observed to have been utilized, such as direct use of unsafe JNI with outdated JBOSS server applications.

It can use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials as well.  When it has done so, it will list the stolen credentials into a text file, for example, list.txt, and use this to deploy the malware and its components through a third party tool named psexec.exe through batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.

One of the batch files that we detect as Trojan:BAT/Samas.B also deletes the shadow files through the vssadmin.exe tool.

Trojan:MSIL/Samas.A usually takes the name of delfiletype.exe or sqlsrvtmg1.exe and does the following:

  1. Look for certain file extensions that are related to backup files in the system.
  2. Make sure they are not being locked up by other processes, otherwise, the trojan terminates such processes.
  3. Delete the backup files.

Ransom:MSIL/Samas demonstrates typical ransomware behavior by encrypting files in the system using the AES algorithm and renaming each encrypted file with the extension encrypted.RSA. It displays the ransom note when it has encrypted the files and then deletes itself with the help of a binary in its resource named del.exe.

Figure 2: The Samas ransom message
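The host-side behaviours described above (shadow copy deletion through vssadmin.exe, the delfiletype.exe and sqlsrvtmg1.exe file names, files renamed with the encrypted.RSA extension, and psexec.exe use) can be correlated in endpoint telemetry. The following Python sketch is an added example, not code from the original post or from any Microsoft product; the log line format, field names, host names, 30-minute window and two-behaviour threshold are all constructed assumptions.

```python
"""Correlate Samas-style behaviours per host in process and file events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# key=value pairs; values may be double-quoted to carry spaces.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, object]:
    """Split '<ISO time> key=value ...' into a dict with a parsed 'time'."""
    stamp, _, rest = line.strip().partition(" ")
    event: Dict[str, object] = {
        key: (quoted if quoted else bare)
        for key, quoted, bare in FIELD.findall(rest)
    }
    event["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, object]) -> Optional[str]:
    """Map one event to a behaviour named in the write-up, or None."""
    kind = event.get("event")
    if kind == "process":
        name = image_name(str(event.get("image", "")))
        cmd = str(event.get("cmd", "")).lower()
        if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            return "shadow-copy-deletion"
        if name in ("delfiletype.exe", "sqlsrvtmg1.exe"):
            return "backup-deleter-name"
        if name == "psexec.exe":
            return "psexec-use"
    if kind == "file":
        if str(event.get("path", "")).lower().endswith(".encrypted.rsa"):
            return "encrypted-rsa-rename"
    return None


def detect(lines: Iterable[str],
           window: timedelta = timedelta(minutes=30),
           threshold: int = 2) -> Dict[str, List[str]]:
    """Return {host: behaviours} for hosts showing at least `threshold`
    distinct behaviours inside one time window.

    A single behaviour never alerts on its own: psexec.exe and vssadmin.exe
    are also used in ordinary administration.
    """
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        label = classify(event)
        if label:
            hits[str(event.get("host", "unknown"))].append((event["time"], label))

    alerts: Dict[str, List[str]] = {}
    for host, items in hits.items():
        items.sort()
        for index, (start, _) in enumerate(items):
            labels = {lab for when, lab in items[index:] if when - start <= window}
            if len(labels) >= threshold:
                alerts[host] = sorted(labels)
                break
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_LOG = r"""
2016-03-18T09:40:00Z host=ADMIN07 event=process image=C:\Tools\PsExec.exe cmd="psexec.exe \\PRINT01 ipconfig"
2016-03-18T10:02:11Z host=FS01 event=process image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"
2016-03-18T10:03:40Z host=FS01 event=process image=C:\Windows\Temp\delfiletype.exe cmd="delfiletype.exe"
2016-03-18T10:09:02Z host=FS01 event=file path="D:\Shares\Finance\q1 report.xlsx.encrypted.RSA"
2016-03-18T11:15:00Z host=WS12 event=process image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe list shadows"
"""

if __name__ == "__main__":
    for host, behaviours in detect(SAMPLE_LOG.splitlines()).items():
        print(host, "->", ", ".join(behaviours))
```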

 

So far, we’ve seen a new Ransom:MSIL/Samas variant that shows signs of changing its code from simple ASCII strings to hex-encoded characters, possibly to better evade detection by security vendors. The example below shows that the file extension names to encrypt have been converted to hex strings:


Figure 3:  Version 1 – Ransom:MSIL/Samas.A

 

Figure 4: Version 2 – Ransom:MSIL/Samas.B

 

It has also changed from using WordPress as its decryption service site, hxxps://lordsecure4u.wordpress.com, and moved on to a more obscure Tor site to help anonymize itself, hxxp://wzrw3hmj3pveaaqh.onion/diana.

Figure 5: Majority of the Ransom:MSIL/Samas infections are detected in North America, and a few instances in Europe

 

Mitigation and prevention

But yes, you can say no mas (translation from Spanish: no more) to Samas ransomware.

To help prevent yourself from falling prey to Samas or other ransomware attacks, use Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though ransomware and macro-based malware are on the rise, there’s still something that you or your administrators can proactively do:

 

Marianne Mallen

MMPC

 

Secure Development Blog

We’re proud to announce Secure Development at Microsoft, our developer focused security blog at Microsoft. The blog was created to inform developers of new security tools, services, open source projects and best development practices in order to help instill a security mindset across the development community and enable cross collaboration amongst its members.

Blog posts will be written by Microsoft engineers to give developers the right level of technical depth in order to get them up and running with integrating security assurance into their projects right away. We’ll cross reference their posts to make sure anyone following this blog can also check out the technical side of what we do.

Check them out!

Categories: Security Development Tags:

MS16-MAR – Microsoft Security Bulletin Summary for March 2016 – Version: 3.0

Revision Note: V3.0 (March 16, 2016): For MS16-029, added the 3138327 update for Microsoft Office 2016 for Mac, and the 3138328 update for Microsoft Office for Mac 2011, which are available as of March 16, 2016. Please note that the 3138327 update for Microsoft Outlook 2016 for Mac was not released on March 16. This update will be released as soon as it is available, and users will be notified via a bulletin revision. For more information, see Microsoft Knowledge Base Article 3138327 and Microsoft Knowledge Base Article 3138328.
Summary: This bulletin summary lists security bulletins released for March 2016.

Categories: Uncategorized Tags:

MS16-029 – Important: Security Update for Microsoft Office to Address Remote Code Execution (3141806) – Version: 2.0

Severity Rating: Important
Revision Note: V2.0 (March 16, 2016): Bulletin revised to announce that the 3138327 update is available for Microsoft Office 2016 for Mac, and the 3138328 update is available for Microsoft Office for Mac 2011. Please note that the 3138327 update for Microsoft Outlook 2016 for Mac was not released on March 16. This update will be released as soon as it is available and users will be notified via a bulletin revision. For more information, see Microsoft Knowledge Base Article 3138327 and Microsoft Knowledge Base Article 3138328.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

MS16-MAR – Microsoft Security Bulletin Summary for March 2016 – Version: 2.2

Revision Note: V2.2 (March 15, 2016): Added Known Issues references to the Executive Summaries table for MS16-035. For more information, see Microsoft Knowledge Base Article 3135996, Microsoft Knowledge Base Article 3136000, and Microsoft Knowledge Base Article 3149737.
Summary: This bulletin summary lists security bulletins released for March 2016.

Categories: Uncategorized Tags:

MS16-027 – Critical: Security Update for Windows Media to Address Remote Code Execution (3143146) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (March 10, 2016): Corrected the Updates Replaced for Windows 8.1 and Windows RT 8.1. This is an informational change only.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens specially crafted media content that is hosted on a website.

Categories: Uncategorized Tags: