Swedish Windows Security User Group

Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware – and it continues to evolve.

Compared to other subcategories of billing fraud, which include SMS fraud and call fraud, toll fraud has unique behaviors. Whereas SMS fraud or call fraud use a simple attack flow to send messages or calls to a premium number, toll fraud has a complex multi-step attack flow that malware developers continue to improve.

For example, we saw new capabilities related to how this threat targets users of specific network operators. It performs its routines only if the device is subscribed to any of its target network operators. It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available. Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user’s consent, in some cases even intercepting the one-time password (OTP) to do so. It then suppresses SMS notifications related to the subscription to prevent the user from becoming aware of the fraudulent transaction and unsubscribing from the service.

Another unique behavior of toll fraud malware is its use of dynamic code loading, which makes it difficult for mobile security solutions to detect threats through static analysis, since parts of the code are downloaded onto the device in certain parts of the attack flow. Despite this evasion technique, we’ve identified characteristics that can be used to filter and detect this threat. We also see adjustments in Android API restrictions and Google Play Store publishing policy that can help mitigate this threat.

Toll fraud has drawn media attention since Joker, its first major malware family, found its way to the Google Play Store back in 2017. Despite this attention, there’s not a lot of published material about how this type of malware carries out its fraudulent activities. Our goal for this blog post is to share an in-depth analysis on how this malware operates, how analysts can better identify such threats, and how Android security can be improved to mitigate toll fraud. This blog covers the following topics:

• The WAP billing mechanism: An overview
• Fraudulent subscriptions via toll fraud
  • Forcing cellular communication
  • Fetching premium service offers and initiating subscriptions
  • Intercepting OTPs
  • Suppressing notifications
  • Using dynamic code loading for cloaking
• Mitigating the threat of toll fraud malware
  • Identifying potential malware
  • Improving Android security and privacy

The WAP billing mechanism: An overview

To understand toll fraud malware, we need to know more about the billing mechanism that attackers use. The commonly used type of billing in toll fraud is Wireless Application Protocol (WAP). WAP billing is a payment mechanism that enables consumers to subscribe to paid content from sites that support this protocol and get charged directly through their mobile phone bill. The subscription process starts with the customer initiating a session with the service provider over a cellular network and navigating to the website that provides the paid service. As a second step, the user must click a subscription button, and, in some cases, receive a one-time password (OTP) that has to be sent back to the service provider to verify the subscription. The overall process is depicted below:

It should be noted that the process depends on the service provider, thus not all steps are always present. For example, some providers do not require an OTP, which means that the mobile user can subscribe to a service by simply clicking the subscription button while the device is connected to a cellular network.  

Fraudulent subscriptions via toll fraud

We classify a subscription as fraudulent when it takes place without a user’s consent. In the case of toll fraud, the malware performs the subscription on behalf of the user in a way that the overall process isn’t perceivable through the following steps:

1. Disable the Wi-Fi connection or wait for the user to switch to a mobile network
2. Silently navigate to the subscription page
3. Auto-click the subscription button
4. Intercept the OTP (if applicable)
5. Send the OTP to the service provider (if applicable)
6. Cancel the SMS notifications (if applicable)

One significant and permissionless inspection that the malware does before performing these steps is to identify the subscriber’s country and mobile network through the mobile country codes (MCC) and mobile network codes (MNC). This inspection is done to target users within a specific country or region. Both codes can be fetched by using either the TelephonyManageror the SystemPropertiesclass. The TelephonyManager.getSimOperator() API call returns the MCC and MNCcodes as a concatenated string, while other functions of the same class can be used to retrieve various information about the mobile network that the device is currently subscribed to. As the network and SIM operator may differ (e.g., in roaming), the getSimOperatorfunction is usually preferred by malware developers.

The same type of information can be fetched by using the SystemProperties.get(String key) function where the key parameter may be one or several (using multiple calls) of the following strings: gsm.operator.numeric, gsm.sim.operator.numeric, gsm.operator.iso-country, gsm.sim.operator.iso-country, gsm.operator.alpha, gsm.sim.operator.alpha

The difference with the first call is that the android.os.SystemProperties class is marked as @SystemApi, therefore an application has to use Java reflection to invoke the function. The MNC and MCC codes are also used to evade detection, as the malicious activity won’t be performed unless the SIM operator belongs to the ones targeted:

The following sections present an analysis of the fraudulent subscription steps in the context of the Android operating system. This analysis can help identify the API calls and the permissions needed for the implementation of a toll fraud scheme.

Forcing cellular communication

Variants of toll fraud malware targeting Android API level 28 (Android 9.0) or lower disable the Wi-Fi by invoking the setWifiEnabled method of the WifiManager class. The permissions needed for this call are ACCESS_WIFI_STATE and CHANGE_WIFI_STATE. Since the protection level for both permissions is set to normal, they are automatically approved by the system.

Meanwhile, malware targeting a higher API level uses the requestNetwork function of the ConnectivityManagerclass. The Android developers page describes the requestNetwork method as:

This method will attempt to find the best network that matches the given NetworkRequest, and to bring up one that does if none currently satisfies the criteria. The platform will evaluate which network is the best at its own discretion. Throughput, latency, cost per byte, policy, user preference and other considerations may be factored in the decision of what is considered the best network.

The required permission for this call is either CHANGE_NETWORK_STATE (protection level: normal) or WRITE_SETTINGS(protection level: signature|preinstalled|appop|pre23), but since the latter is protected, the former is usually preferred by malware developers. In the code snippet depicted below from a malware sample that can perform toll fraud, the function vgy7is requesting a TRANSPORT_CELLULAR transport type (Constant Value: 0x00000000) with NET_CAPABILITY_INTERNET (Constant Value: 0x0000000c):

Figure 3. Code from a Joker malware sample requesting a TRANSPORT_CELLULAR transport type

The NetworkCallbackis used to monitor the network status and retrieve a networktype variable that can be used to bind the process to a particular network via the ConnectivityManager.bindProcessToNetworkfunction. This allows the malware to use the mobile network even when there is an existing Wi-Fi connection. The proof-of-concept code depicted below uses the techniques described above to request a TRANSPORT_CELLULAR transport type. If the transport type is available, it binds the process to the mobile network to load the host at example.com in the application’s WebView:

While it is expected that the Wi-Fi connection is preferred even when mobile connection is also available, the process exclusively uses the cellular network to communicate with the server:

In fact, the user must manually disable mobile data to prevent the malware from using the cellular network. Even though the setWifiEnabledhas been deprecated, it can still be used by malware targeting API level 28 or lower.

Fetching premium service offers and initiating subscriptions

Assuming that the SIM operator is on the target list and the device is using a TRANSPORT_CELLULARtype network, the next step is to fetch a list of websites offering premium services and attempt to automatically subscribe to them.

The malware will communicate with a C2 server to retrieve a list of offered services. An offer contains, between else, a URL which will lead to a redirection chain that will end up to a web page, known as landing page.

What happens next depends on the way that the subscription process is initiated, thus the malware usually includes code that can handle various subscription flows. In a typical case scenario, the user has to click an HTML element similar to the one depicted below (JOIN NOW), and as a second step, send a verification code back to the server:

For the malware to do this automatically, it observes the page loading progress and injects JavaScript code designed to click HTML elements that initiate the subscription. As the user can only subscribe once to one service, the code also marks the HTML page using a cookie to avoid duplicate subscriptions. The following is an example of such a code:

On line 76, getElementsByTagNamereturns a collection of all the Document Object Model (DOM) elements tagged as input. The loop on line 78 goes through every element and checks its typeas well as its name, value, and altproperties. When an element is found to contain keywords, such as “confirm”, “click”, and “continue”, it is sent to the cfunction, as depicted below:

The if statement on line 36 checks if the element has already been clicked by calling the jdh function, displayed below in Figure 12. Finally, the c function invokes the click() or submit() function by the time the branch on line 37 (see figure 11) is followed:

The HTML page loading process is tracked using an onPageFinishedcallback of the WebViewClientattached to the WebView. Subsequently, a handler that listens for relative message types acts depending on the next steps that are required for the subscription to take place. In the code snippet below, the URL loaded in the WebView and a signalwith id “128”is sent to handler2to evaluate the service and initiate the subscription process:

Multi-step or target subscription processes may require additional verification steps. The handler depicted below checks the page URL loaded in the WebView. If the URL matches doi[.]mtndep.co.za/service/, then the handler runs the JavaScript code assigned to the Properties.call_jbridge_dump variable:

A signal with id “107” triggers some additional steps that require communication with the command and control (C2) server. This case is demonstrated in the following figures:

Upon receiving the signal, the handler invokes the v1.bhu8 function:

After checking for the web-zdm[.]secure-d[.]io/api/v1/activatein the server’s reply, the malware invokes the tpack[.]l2.bhu8[.]vgy7 function. This function sends the current URL loaded in the application’s WebView as well as some extra information like country code, and HTML code:

Intercepting OTPs

In most cases, the service provider sends an OTP that must be sent back to the server to complete the subscription process. As the OTP can be sent by using either the HTTP or USSD protocol or SMS, the malware must be capable of intercepting these types of communication. For the HTTP protocol, the server’s reply must be parsed to extract the token. For the USSD protocol, on the other hand, the only way to intercept is by using the accessibility service.

One method of intercepting an SMS message, requiring android.permission.RECEIVE_SMS permission, is to instantiate a BroadcastReceiver that listens for the SMS_RECEIVED action.

The following code snippet creates a BroadcastReceiverand overrides the onReceivecallback of the superclass to filter out messages that start with “rch”:

Subsequently, it creates an IntentFilter, which renders the receiver capable of listening for an SMS_RECEIVED action, and finally the receiver is registered dynamically:

To handle OTP messages that are sent using the HTTP protocol, the malware parses the HTML code to search for keywords indicating the verification token. The following code contains a flow where the extracted token is sent to the server using the sendTextMessage API call:

The additional permission that is required to enable this flow is SEND_SMS.

Another way of intercepting SMS messages is to extend the NotificationListenerService. This service receives calls from the system when new notifications are posted or removed, including the ones sent from the system’s default SMS application. The code snippet below demonstrates this functionality:

We triggered a notification with the title “SMS_Received” and text “Pin:12345” during our analysis, resulting in the following output in the application’s logcat:

Finally, besides the broadcast receiver and the notification listener techniques of intercepting an SMS message, a ContentObserver can be used to receive callbacks for changes to specific content. The onChange callback of the SmsObserver class (depicted below) is called each time the system changes the SMS content provider state:

Suppressing notifications

Since API level 18, an application that extends the NotificationListenerService is authorized to suppress notifications triggered from other applications. The relevant API calls are:

• cancelAllNotifications() to inform the notification manager to dismiss all notifications
• cancelNotification(String key) to inform the notification manager to dismiss a single notification
• cancelNotifications(String [] keys) to inform the notification manager to dismiss multiple notifications at once.

This API subset is abused by malware developers to suppress service subscription notification messages posted by the default SMS application. More specifically, upon successful subscription, the service provider sends a message to the user to inform them about the charges and offers the option to unsubscribe. By having access to the notification listener service, the malware can call any of the functions mentioned above to remove the notification.

Using dynamic code loading for cloaking

Cloaking refers to a set of techniques used to hide malicious behavior. For example, most toll fraud malware won’t take any action if the mobile network is not among its targets. Another example of a cloaking mechanism used by these threats is dynamic code loading. This means that certain malware codes are only loaded when certain conditions are met, making it difficult to detect by static analysis.

The following is a characteristic example of a multi-stage toll fraud malware with SHA-256: 2581aba12919ce6d9f89d86408d286a703c1e5037337d554259198c836a82d75 and package name: com.cful.mmsto.sthemes.

Stage one

This malware’s entry point is found to be the com.android.messaging.BugleApplication, a subclass of the Application class. The malicious flow leads to the function below:

The call on line 21 fills the filesarray with the filenames fetched from the assets directory. The for loop enters theif branch at line 32 if the name of the asset file ends with “355”. Querying the asset files of the app for such a filename yields the following result:

The PhoneNumberAlternateFormatsProto_355 is the source file which, in conjunction with a destination file and the string “xh7FEC2clYuoNQ$ToT99ue0BINhw^Bzy”, is given as parameters to the ns.j function:

The SecretKeySpec on line 68 is constructed from the first 16 bytes of the SHA-1 digest of the password string. This key is used to decrypt the file fetched from the assets using Advanced Encryption Standard (AES) in electronic codebook (ECB) mode. The decryption result is an ELF file that is saved in the application’s cache directory and loaded using the System.load function.

Stage two

The loaded library fetches the PhoneNumberAlternateFormatsProto_300file from the assets folder using the AAssetManager_fromJava function and writes it to a temporary file with the name b in the /data/data/<package_name>/ directory, as seen on line 93 below:

The file b is then decrypted using an XOR operation with the key “xh7FEC2clYuoNQ$ToT99ue0BINhw^Bzy”, which is given from the Java side (see following figures). The decrypted payload is saved with the name l in the application’s data directory:

Figure 27. The native handleTask called from the Java code

The same function loads the decrypted payload l and invokes the com.AdsView.pulgn using the DexClassLoader class loader (variable names have been changed for clarity):

Decrypting the second payload manually yields the following APK file:

It must be mentioned that the DexClassLoadercan be used to load classes from .jar and .apk files that contain a classes.dex entry.

Stage three

This decrypted APK consists of two main classes: the com.Helperand com.AdsView. The com.AdsView.pulgnfunction is the first to be invoked by the native library described in the previous section:

The runnable thread’s main functionality is to connect the host to xn3o[.]oss-accelerate[.]aliyuncs[.]com and download a JAR file named xn30, which is saved to the cache directory with name nvi and then loaded using the startSdk function, as shown on line 81 below:

The file xn30 is the final payload of stage three and is the one that performs the toll fraud activities previously described.

Mitigating the threat of toll fraud malware

Toll fraud is one of the most common malware categories with high financial loss as its main impact. Due to its sophisticated cloaking techniques, prevention from the side of the user plays a key role in keeping the device secure. A rule of thumb is to avoid installing Android applications from untrusted sources (sideloading) and always follow up with device updates. We also recommend end users take the following steps to protect themselves from toll fraud malware:

• Install applications only from the Google Play Store or other trusted sources.
• Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it. These are powerful permissions that are not commonly needed.
• Use a solution such as Microsoft Defender for Endpoint on Android to detect malicious applications.
• If a device is no longer receiving updates, strongly consider replacing it with a new device.

Identifying potential malware

For security analysts, it is important to be aware that conventional mitigation techniques based on static detection of malware code patterns can only offer limited remediation against this malware. This is due to the extended use of reflection, encryption, compression, obfuscation, steganography, and dynamic code loading.

There are, however, characteristics that can be used to identify this type of malware. We can classify these characteristics into three:

• Primary characteristics – patterns in plaintext included in the application that can be analyzed statically
• Secondary characteristics – common API calls used to conduct toll fraud activities
• Tertiary characteristics – patterns in Google Play Store metadata such as the application’s category, the developer’s profile, and user reviews, among others

The tertiary characteristics are useful for initial filtering for potential malware. Patterns observed in the apps’ metadata are related to malware developers’ attempts to infect as many devices as possible in a short amount of time, while remaining published on the Google Play Store for as long as they can. We’ve observed that attackers often follow these steps to keep their apps in the Google Play Store:  

1. Use open-source applications that belong to popular categories and can be trojanized with minimal effort. The preferred application categories include personalization (like wallpaper and lock screen apps), beauty, editor, communication (such as messaging and chat apps), photography, and tools (like cleaner and fake antivirus apps).
2. Upload clean versions until the application gets a sufficient number of installs.
3. Update the application to dynamically load malicious code.
4. Separate the malicious flow from the uploaded application to remain undetected for as long as possible.

These applications often share common characteristics:

• Excessive use of permissions that are not suitable to the application’s usage (for example, wallpaper, editor, and camera apps that bind the notification listener service or ask for SMS permissions)
• Consistent user interfaces, with similar icons, policy pages, and buttons
• Similar package names
• Suspicious developer profile (fake developer name and email address)
• Numerous user complaints in the reviews

Once potential malware samples are identified based on these tertiary characteristics, the primary characteristics can be used for further filtering and confirmation. Applications cannot obfuscate their permission requests, use of the notification listener service, or use of accessibility service. These requests must appear in the AndroidManifest.xml file within the APK, where they can be easily detected using static analysis. The commonly requested permissions by malware performing toll fraud may include: READ_SMS, RECEIVE_SMS, SEND_SMS, CHANGE_WIFI_STATE, ACCESS_WIFI_STATE, CHANGE_NETWORK_STATE. Requests for notification listener and accessibility service should be considered extremely suspicious.

Secondary characteristics also include suspicious API calls including: setWifiEnabled, requestNetwork, setProccessDefaultnetwork, bindProcessToNetwork, getSimOperator and cancelAllNotifications. However, since these calls may be obfuscated and may be hard to identify during static analysis, a more in-depth analysis may be necessary for certainty.

Improving Android security and privacy

Google continuously improves Android security and privacy as the mobile threat landscape evolves and new threats and adversary techniques are discovered. For example, in the operating system, API calls that can reveal potentially sensitive information continue to be removed or restricted, and in the Google Play Store, the publication policies guard against use of certain high-risk permissions (for example, the ability to receive or send SMSs) by requiring a Permission Declaration Form to be completed justifying their use. We anticipate Android security will continue to evolve to address abuse.

As discussed, applications currently can identify the cellular network operator and can send network traffic over the cellular network without any transparency to the user. Additionally, applications can request access to read and dismiss notifications, a very powerful capability, without needing to justify this behavior.

Conclusion

Toll fraud has been one of the most prevalent types of Android malware in Google Play Store since 2017, when families like Joker and their variants made their first appearance. It accounted for 34.8% of installed Potentially Harmful Application (PHA) from the Google Play Store in the first quarter of 2022, ranking second only to spyware.

By subscribing users to premium services, this malware can lead to victims receiving significant mobile bill charges. Affected devices also have increased risk because this threat manages to evade detection and can achieve a high number of installations before a single variant gets removed.

With this blog, we want to inform end users about the details of this threat and how they can protect themselves from toll fraud. We also aim to provide security analysts with guidance on how to identify other malicious applications that use these techniques.

Our in-depth analysis of this threat and its continuous evolution informs the protection we provide through solutions like Microsoft Defender for Endpoint on Android.

Learn how Microsoft Defender for Endpoint provides cross-platform security, including mobile threat defense capabilities.

Dimitrios Valsamaras and Sang Shin Jung
Microsoft 365 Defender Research Team

Appendix

Samples (SHA-256)

Sample	SHA-256
Initial APK file	2581aba12919ce6d9f89d86408d286a703c1e5037337d554259198c836a82d75 (com.cful.mmsto.sthemes)
Payload of stage two: Elf File (loader)	904169162209a93ac3769ae29c9b16d793d5d5e52b5bf198e59c6812d7d9eb14 (PhoneNumberAlternateFormatsProto_355, decrypted)
Payload of stage three: APK (hostile downloader)	61130dfe436a77a65c04def94d3083ad3c6a18bf15bd59a320716a1f9b39d826 (PhoneNumberAlternateFormatsProto_300, decrypted)
Payload of stage four: DEX (billing fraud)	4298952f8f254175410590e4ca2121959a0ba4fa90d61351e0ebb554e416500f

Common API calls and permissions

API Calls	Permissions	SDK
setWifiEnabled	CHANGE_WIFI _STATE ACCESS_WIFI_STATE	<29
requestNetwork	CHANGE_NETWORK_STATE	>28
setProcessDefaultNetwork		<23
bindProcessToNetwork		>22
getActiveNetworkInfo	ACCESS_NETWORK_STATE
getSimOperator
get (SystemProperties)
addJavascriptInterface
evaluateJavascript		>18
onPageFinished
onPageStarted
onReceive for SMS BroadcastReceiver w/ android.provider.Telephony.SMS_RECEIVED	RECEIVE_SMS	>19
createFromPdu	RECEIVE_SMS
getMessageBody
onChange for SMS ContentObserver w/ android.provider.telephony.SmsProvider’s content URI (“content://sms”)	READ_SMS
sendTextMessage
onNotificationPosted

References

• Everything You Need to Know About Toll Fraud – Voice & Video – Twilio
• Google Online Security Blog: PHA Family Highlights: Bread (and Friends) (googleblog.com)
• Malware categories  |  Play Protect  |  Google Developers
• ConnectivityManager  |  Android Developers
• DexClassLoader  |  Android Developers
• Use of the AccessibilityService API – Play Console Help (google.com)

The post Toll fraud malware: How an Android application can drain your wallet appeared first on Microsoft Security Blog.

We developed a robust detection method in Microsoft Defender for Endpoint that can catch known and unknown variations of a process execution class used by attackers to evade detection. This class of stealthy execution techniques breaks some assumptions made by security products and enables attackers to escape antimalware scans by circumventing process creation callbacks using a legacy process creation syscall. Publicly known variations of this class are process doppelganging, process herpaderping, and process ghosting.

Evasion techniques used by attackers often involve running malware within the context of a trusted process or hiding code from filesystem and memory scanners. More sophisticated attackers even carefully choose their process host so that their actions are run by a process that often performs these actions for benign reasons. For example, a browser process communicating with the internet seems completely normal, while an instance of cmd.exe doing the same sticks out like a sore thumb. This class of stealthy execution techniques, however, allows malware to create its own malicious process and prevent antimalware engines from detecting it.

This blog post presents our detailed analysis of how this process execution class works and how it takes advantage of Windows functionalities to evade detection. It also presents a peek into the research, design, and engineering concerns that go into the development of a detection method aiming to be as robust and future-proof as possible.

Common classes of stealthy process execution

On Windows systems, most methods attackers use to run code within another process fall within two classes: process injection and process hollowing. These classes allow attackers to run their code within another process without explicitly creating it from an executable, or making it load a dynamic link library (DLL).  Similar classes of techniques are often also called process injection, but this term will be used in a more specific definition for clarity.

Process injection

Process injection, the widest and most common class, consists of different techniques that introduce attacker-supplied executable memory into an already running process. Techniques in this class consist of two main parts:

• Write primitive: A Windows API function, or a set of APIs, used to introduce malware into the target process.
• Execution primitive: A Windows API method to redirect the execution of the process to the code provided by the attacker.

An example of a classic process injection flow is malware using the VirtualAllocEx API to allocate a buffer within a target process, WriteProcessMemory to fill that buffer with the contents of a malware module, and CreateRemoteThread to initiate a new thread in the target process, running the previously injected code.

Process hollowing

In process hollowing, instead of abusing an already running process, an attacker might start a new process in a suspended state and use a write primitive to introduce their malware module before the process starts running. By redirecting the entry point of the process before unsuspending, the attacker may run their code without using an explicit execution primitive.

Variants (and sometimes combinations) of both classes exist and differ from each other mostly by the  APIs being used. The APIs vary because a different function used to achieve the goal of one of the steps may not go through the numerous points at which an endpoint protection product intercepts such behavior, which can break detection logic.

New stealth techniques

In the past few years, stealth techniques from a process execution class have emerged that don’t strictly fit into any of the previously mentioned classes. In this class, instead of modifying the memory of an already created (but perhaps not yet executing) process, a new process is created from the image section of a malware. By the time a security product is ready to scan the file, the malware bits aren’t there anymore, effectively pulling the rug from under antimalware scanners. This technique requires defenders to use a different detection method to catch attacks that use it. As of today, the following variations of this class are known publicly as the following:

• Process doppelganging¹: Abusing transactional NTFS features to create a volatile version of an executable file used for process creation, with the file never touching the disk.
• Process herpaderping²: Utilizing a writable handle to an executable file to overwrite the malware bits on disk before antimalware services can scan the executable, but after a process has already been created from the malicious version.
• Process ghosting³: Abusing a handle with delete permissions to the process executable to delete it before it has a chance to be scanned.

This process execution class, including the variations mentioned above, takes advantage of the way the following functionalities in the operating system are designed to evade detection by security products:

• Antimalware engines don’t scan files after every single modification.
• Process creation callbacks, the operating system functionality that allows antimalware engines to scan a process when it’s created, is invoked only when the first thread is inserted into a process.
• NtCreateProcessEx, a legacy process creation syscall, allows the creation of a process without populating it with any thread.

The following sections explain in more detail how these functionalities are abused.

When are files scanned?

A key feature of this process execution class is circumventing a file scan. Ideally, files are scanned whenever they’re modified. Otherwise, an attacker could simply modify an existing file into a malicious one, use it to create a process, and then either revert the file or delete it. So, why aren’t files scanned on every file change?

The answer lies in performance concerns. Consider a scenario in which a 1MB file is opened, and it’s overwritten by calling an API like WriteFile for every byte that needs to be overwritten. While only 1MB would be written to disk, the file would have to be scanned one million times, resulting in ~1 terabyte of data being scanned!

While the example is a good way to assure no detectably malicious content is written to disk, the amount of computing power it will use up makes it an unviable solution. Even a caching solution would simply shift the high resource usage to memory, as a product would need to keep information about the content of every single open file on the machine to be useful.

Therefore, the most common design for file scanning engines ignores the various transient states of the file content and initiates a scan whenever the handle to the file is closed.  This is an optimal signal that an application is done modifying a file for now, and that a scan would be meaningful. To determine what the file is about to execute as a process, the antimalware engine scans the file’s content at the time of process creation through a process creation callback.

Process creation callbacks in the kernel, such as those provided by the PsSetCreateProcessNotifyRoutineEx API, is the functionality in the operating system that allows antimalware engines to inspect a process while it’s being created. It can intercept the creation of a process and perform a scan on the relevant executable, all before the process runs.

Process creation notification isn’t invoked right when a process creation API is called, but rather when the first thread is inserted into a process. But since NtCreateUserProcess, the syscall used by all common high-level APIs to create a process, is designed to do a lot of the work required to create a process in the kernel, the insertion of the initial thread into the created process happens within the context of the syscall itself. This means that the callback launches while the process is still being created, before user mode has a chance to do anything.

The call stack indicates that in this scenario, PspCallProcessNotifyRoutines, the function responsible for invoking process creation callbacks, is called from PspInsertthread during the insertion of the initial thread into the process. It also indicates that the subsequent process creation callbacks are all called from within NtCreateUserProcess, and that they both finish executing before the syscall returns. This enables the antimalware to scan the process for malware activity as it’s created. This works if the process is created using NtCreateUserProcess. However, as researchers have found, there are other ways to create a process apart from this syscall.

How are processes created?                                                                                        

The syscall NtCreateUserProcess has only been available since the release of Windows Vista. Processes created by the CreateProcess API or any API using the NtCreateUserProcess syscall only provide the path to the executable. Meanwhile, the kernel opens the file without any share access that could allow modification (no SHARE_WRITE/SHARE_DELETE), creates an image section, and returns to user mode with the process pretty much ready to run (most legitimate Windows processes would require additional work to be done in user mode to operate correctly, but the NtCreateUserProcess syscall does the minimum work needed for a process to execute some code). This means that an attacker doesn’t have the time or the capability to modify an executable file after calling NtCreateUserProcess, but only before it’s scanned.

Versions of the NT kernel prior to the release of Windows Vista used a different syscall called NtCreateProcessEx. This function doesn’t adhere to the principle of doing a lot of the work in the kernel and in fact delegates a lot of the work normally associated with process creation on modern Windows platforms to user mode.

One difference between the two is that NtCreateProcessEx doesn’t receive a path to the process executable as an argument, as is the case with NtCreateUserProcess.  NtCreateProcessEx expects the application to open the file on its own and create an image section from that file, which will be used as the main image section of the process, and the handle to which will be passed to NtCreateProcessEx.

Also, unlike NtCreateUserProcess, NtCreateProcessEx  creates a process object without populating the process with any threads, and the user application needs to explicitly insert the initial thread into the process using an API like NtCreateThread.

Combining this information with what we know about process creation callbacks allows us to come up with a generic flow for this stealthy process creation technique:

1. The attacker opens the malware file and brings it into a transient modifiable state (writable without closing a handle, delete pending or an uncommitted transaction, and some other unpublished ones) while having malware content. The attacker doesn’t close the file yet.
2. The attacker creates an image section from the file handle using NtCreateSection(Ex).
3. The attacker creates a process using the image section handle as input.
4. The attacker reverts the file’s transient state to a benign state (the file is deleted or overwritten, or a transaction is rolled back), and the handle is closed. At this point, the bits of the malware still exist in memory as the image section object is still there, but there is no trace of the malware content on the disk.
5. The attacker inserts the initial thread into the process, and only then will the process creation notification callback for that process be launched. At that point, there is no malware content left to scan.
6. The attacker now runs the malware process without its backing file ever being scanned.

In this generalized flow, a security product should be able to detect any variation of the technique if it can recognize that the process was created using the legacy NtCreateProcessEx syscall, which allows an adversary to run the process from a file in a transient state.

Of course, one could circumvent the need for NtCreateProcessEx by performing a similar trick with loading DLLs. However, in this scenario, the adversary can either load a new DLL into a process they already have full code execution capabilities without changing its identity, or remotely place the offending DLL into another process, performing what is essentially process injection. In both cases, the technique’s effectiveness as an evasion method is greatly diminished.

Detecting legacy process creation

The first anomaly to recognize to detect attacks using this technique is to find out whether a process was created using the legacy NtCreateProcessEx syscall.

The simplest way to do so would be to utilize user-mode hooking on the appropriate function in the NTDLL library. However, this approach would be easy to bypass, as it’s assumed that the adversary has arbitrary execution capabilities in the process calling the syscall. This means they would be able to unhook any functions intercepted by a security product, or simply directly call the syscall from their own assembly code. Even if the security product was to traverse the user-mode call stack from a process creation callback and check the return address against known values, the product would still be subject to evasion since an attacker could employ some creative pushes and jumps in assembly code to construct a spoofed user-mode call stack to their liking.

To create a robust detection for this behavior, information that can’t be modified or spoofed by a user-mode adversary should be used. A good example of this is a Windows file system concept called extra create parameters (ECPs).

ECPs are concepts that allow the kernel or a driver to attach some key-value information to a file create/open operation. The idea is very similar to extended file attributes, but instead of applying to an entire file on disk, ECPs are a transient property related to a specific instance of an open file. This mechanism allows the operating system and drivers to respond to a file being opened under some special circumstances.

An example of such special circumstances is a file being opened via Server Message Block (SMB). When this happens, an SRV_OPEN_ECP_CONTEXT structure is added to the IRP_MJ_CREATE IRP with GUID_ECP_SRV_OPEN as a key.

This ECP context contains information on the socket used for the communication with the SMB client, the name of the share which has been accessed, and some oplock information. A driver would then be able to use this information to appropriately handle the open operation, which might need some special treatment since the operation happened remotely.  

Interestingly, an exported, documented function named FsRtlIsEcpFromUserMode exists to determine whether an ECP originated in user mode or kernel mode. This raises the concern that forgetting to use this function in a driver or the OS would cause potential security issues, as a user mode adversary could spoof an ECP. That isn’t the case, though, as there is no functionality in the OS which allows a user to directly supply any ECP from user mode. The function itself checks whether a specific flag is set in the opaque ECP header structure, but there exists no code in the OS which can modify this flag.

Using ECPs for process creation API recognition

Starting with Windows 10, a very interesting ECP has been added to the operating system whenever a new process is created using NtCreateUserProcess. The GUID_ECP_CREATE_USER_PROCESS ECP and its related CREATE_USER_PROCESS_ECP_CONTEXT context are applied to the IRP_MJ_CREATE operation when the Windows kernel opens the process executable file. This ECP contains the token of the process to be created. In fact, the function used to open the executable path was changed from ZwOpenFile to IoCreateFileEx specifically to support ECPs on this operation.

On the other hand, as covered earlier, NtCreateProcessEx doesn’t open the process executable on its own but instead relies on the user to supply a section handle created from a file opened by the user themselves. Seeing as there is no way for the user to set the process creation ECP on their own handle, any process created using NtCreateProcessEx would be missing this ECP on the IRP_MJ_CREATE for its main image. Some cases exist in which the ECP wouldn’t be present even when the legacy API wasn’t used, but those can still be recognized. Barring those cases, the existence of the CREATE_USER_PROCESS ECP in the IRP_MJ_CREATE operation of the file object related to the main image of the process can now be used to precisely differentiate between processes created by NtCreateUserProcess and those created by NtCreateProcessEx.

Detecting processes created from files in a transient state

Since it’s now possible to check when the legacy process creation API has been used, the next step would be to check if the usage of the legacy process creation API was used to abuse the time-of-check-time-of-use (TOCTOU) issue involving process creation callbacks. This means that the executable image used to create the process has been opened and used in a transient state, which would already be rolled back when it’s to be scanned by an antimalware engine. To identify if TOCTOU was abused, it is important to examine the image section of the main executable of the process.

Windows loads executable images into memory and shares their memory between processes using memory sections (also called memory-mapped files). Each FILE_OBJECT structure for an open file contains a member called SectionObjectPointers, which contains pointers to the data and image section control areas relevant to the file, depending on whether if it has been mapped as a data file or an executable. The bits described by such a section may be backed either by a file on disk or by the page file (in which case the bits of the section won’t persist on disk). This property determines whether the mapped section can be flushed and recovered from a file or disk, or simply paged out.

However, an interesting thing happens when the connection between an image section and its backing file is severed. This can happen if, for example, the file is located on a remote machine or some removable storage, Copy-on-Write has been triggered, or most importantly, if the file has been somehow modified after the section has been created or could be modified in the future. During such cases, the image section becomes backed by the page file instead of the original file from which it was created.

The MmDoesFileHaveUserWritableReferences function provides the caller with the number of writable (or, more correctly, modifiable) references to the file object of a section and is used by the kernel transaction manager to preserve the atomicity of transactions. Otherwise, a file can be written, deleted, or simply gone when a transaction is to be committed. This function can be used for detection because a non-zero return value means that section coherency has been broken, and the logic switching the backing of the section to the page file has been triggered. This can help determine that the file is in one of the same transient states needed to abuse TOCTOU and evade detection.

Detection through Microsoft Defender for Endpoint

The two primitives discussed earlier can now be combined into detection logic. First, the absence of the GUID_ECP_CREATE_USER_PROCESS ECP will verify if the process was created using the legacy API NtCreateProcessEx. Then, the function MmDoesFileHaveUserWritableReferences checks if the file’s image section is backed by the page file, confirming that the process was created while the file is in a transient state. Meeting both conditions can determine that TOCTOU has been abused, whether by any of the published techniques, or a variation of it that uses similar concepts but abuses a functionality built into a driver to create a similar effect.

Microsoft Defender for Endpoint can detect each of the known techniques in this class of stealthy process execution and gives out a specific alert for variations of process ghosting, herpaderping, and doppelganging found in the wild. Apart from the specific alerts for each variation, detections exist for the generalized flow and any abuse of the legacy process creation API, including unpublished variations.

This blog post shares Windows internals knowledge and showcases a new detection method in Microsoft Defender for Endpoint that can help prevent detection evasion. Since data and signals from Microsoft Defender for Endpoint also feed into Microsoft 365 Defender, this new detection method further enriches our protection technologies, providing customers a comprehensive and coordinated threat defense against threats.

The stealth execution techniques discussed further prove that the threat landscape is constantly evolving, and that attackers will always look for new avenues to evade detection. This highlights the importance of continuous research on potential attack vectors, as well as future-proof solutions. We hope that the principles presented in this blog post can be used by other researchers in developing similar solutions.

Philip Tsukerman, Amir Kutcher, and Tomer Cabouly
Microsoft 365 Defender Research Team

---

¹ https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

² https://jxy-s.github.io/herpaderping/

³ https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

The post Using process creation properties to catch evasion techniques appeared first on Microsoft Security Blog.

本ブログは、 Service Fabric Privilege Escalation from Containerized Workloads on Linux の抄訳版です。最新の情報は原文を参照してください。 協調的な脆弱性の公開

Like most of you, I was glad to see the 2022 RSA Conference return to its in-person roots after a two-year digital hiatus. This year’s event was a great success, drawing 26,000 attendees to three days of cutting-edge security sessions, tutorials, seminars, and special events at Moscone Center in San Francisco. The conference included more than 600 speakers and 400-plus exhibitors, along with hundreds of media representatives. Microsoft Security was on the ground, interacting with customers and security professionals at Microsoft’s 20-plus earned sessions, as well as showcasing new solutions like Microsoft Entra that help realize our goal of comprehensive security.

I was honored to give a keynote address (video courtesy of RSA Conference) on the future of cybersecurity, including a look at where technology and human expertise are headed, as well as why creating a more inclusive and diverse security workforce will be critical in our defense against evolving threats. Also addressing a subject that’s become more urgent with the growth of the decentralized enterprise, my colleague Bret Arsenault, Microsoft Corporate Vice President (CVP) and Chief Information Security Officer (CISO), gave a special presentation on managing Shadow IT. All in all, it was a fun, collegial, and productive five days. Let’s look at some of the highlights.

Figure 1. Vasu Jakkal gives the keynote address—Innovation, Ingenuity, and Inclusivity: The Future of Security is Now.

Microsoft Security Hub—you made it shine

Thanks to our guests and some hard work by our onsite team, the Microsoft pre-day event was a huge hit. We registered 430 attendees for this all-day event held on June 5, 2022, at Bespoke Event Center. Attendees were able to partake in Q&As with security experts about Zero Trust, threat intelligence, multicloud protection, risk management, and how Microsoft is re-envisioning the future of identity and access with Microsoft Entra.

I hosted Bret Arsenault in a fireside chat about navigating today’s security challenges and my colleague Joy Chik, CVP of Identity and Access, made a special presentation on Microsoft Entra and the trust fabric of identity.

Figure 2. CVP of Identity and Access Joy Chik speaks at the 2022 RSA Conference.

Attendees also enjoyed our immersive walkthrough art experience (and of course, the custom swag bar). Many guests took advantage of the reception to network with other security professionals and reconnect with old friends. It was great to see some familiar faces and share new insights with defenders across our community—a big thank you to everyone who joined us!

Figure 3. Attendes network at the Microsoft Security Hub.

Microsoft had a booth at the North Expo of RSA which showcased Microsoft comprehensive security solutions across our six product families: Microsoft Entra, Microsoft Endpoint Manager, Microsoft Defender, Microsoft Sentinel, Microsoft Purview, and Microsoft Priva. More than 7,300 people visited the Microsoft booth.

Figure 4. Microsoft Security booth at RSA Conference 2022.

Standout sessions

Microsoft speakers appeared in more than 20 earned sessions at this year’s RSA, addressing everything from supply chain attacks to ransomware, botnets, and ways to protect our democracy. We also hosted 40 sessions in our booth. Some of our most popular sessions included:

• Practical Learnings for Threat Hunting and Improving Your Security Posture: Hosted by Jessica Payne, Principal Security Researcher and Threat Intelligence Strategist at Microsoft, and Simon Dyson, Cyber Security Operations Centre Lead in NHS Digitals Data Security Centre, this 50-minute session addressed threat hunting and security posture improvements from a threat intelligence-informed perspective. Attendees gained insights from Jessica’s experience in demystifying and defusing real-world ransomware attacks. They also got a first-hand recounting of Simon’s work securing the complex network maintained by England’s National Health Service (NHS) during the pandemic, and how his team’s experience can benefit all of us.
• Conti Playbook: Infiltrate the Most Profitable Ransomware Gang: Participants learned how a disgruntled affiliate exposed one of the most infamous ransomware gangs, divulging its ransomware-as-a-service (RaaS) secrets to help take them down. This immersive, hands-on workshop guided attendees through a typical Conti attack sequence and provided tips to defend against advanced persistent threats. Thanks to Tom D’Aquino, Fabien Guillot, and Arpan Sarkar of Microsoft partner Vectra AI for this presentation.
• Microsoft Defender Experts for Hunting Has Got Your Back: Abhishek Agarwal, Chief Security and Technology Officer at Helix Biotech, examined threat hunting’s virtuous cycle: track, hunt, and analyze. Specifically, attendees learned how Microsoft Defender Experts for Hunting uses AI to accomplish all three components of the cycle faster, providing automated detection, hunting, and analysis to help the team track and stop threats across the company’s multi-national enterprise.
• Microsoft Security Research—How We Responsibly Disclose Vulnerabilities to Apple, Google, and the Linux Community: Jonathan Bar Or, Principal Security Researcher at Microsoft, discussed how disclosing bugs makes the world safer and benefits users, as well as giving Microsoft Security a better understanding of the technologies we work to protect.​ The goal is to challenge our own detections and prove product truth—making Microsoft Defender stronger by challenging our own blue teams.​
• Solve Secure Access Needs for Workload Identities with Microsoft Entra: Microsoft Product Managers Nick Wryter and Sandy Jiang led this informative session on the phenomenon of exploding workload identities. Currently, workload identities outnumber user identities five to one; the challenge being that many traditional identity and access management solutions don’t manage these prevalent and frequently over-permitted identities. Nick and Sandy explained how the new Microsoft Entra addresses this problem by providing a comprehensive view of every action performed by any identity on any resource, detecting anomalous permission usage at cloud scale.
• Tracking Highly Evasive APTs with Vectra Detect & Microsoft Sentinel: Tom D’ Aquino, Senior Security Engineer at Vectra AI, led this demonstration of real-life threat-hunting using Vectra Detect and Microsoft Sentinel. Tom demonstrated real-world workflows for threat tracking, including individual threat severity, lateral movement, threat targets, and more.
• The Shift of “Why” and “How” of Ransomware Attacks; How Microsoft Helps Customers Survive Ransomware: Led by MacKenzie Brown of Microsoft’s Detection and Response Team (DART), this session examined the how and why behind the recent increase in ransomware attacks. Attendees learned how attackers have evolved their methods to exert minimum effort for maximum return on investment (ROI), and why DART’s methodology can help you defeat them.

Shining a light on Shadow IT

Shadow IT can be broadly defined as a “set of applications, services, and infrastructure that are developed and managed outside of defined company standards.” These kinds of ad-hoc systems can pose a compliance risk, especially for security, privacy, data governance, and accessibility. Like any organization, Microsoft has not been immune to the proliferation of Shadow IT.

Figure 5. Vasu Jakkal and Bret Arsenault speak at the Microsoft pre-day event.

In keeping with our commitment to security for all, Microsoft CVP and CISO Bret Arsenault gave a special presentation on June 8, 2022, addressing Microsoft’s approach to managing Shadow IT. Bret discussed how Microsoft’s security team is enabling engineers and developers to build and operate security capabilities in the cloud, as well as Microsoft’s three primary principles for managing and addressing Shadow IT. For attendees wanting to learn more, we followed up the event with a free white paper on managing Shadow IT.  We’ve also made Bret’s presentation slides available to everyone.

2022 Excellence Awards

The Microsoft Security Excellence Awards (formerly Microsoft Security 20/20 Awards) recognize Microsoft Intelligent Security Association (MISA) members’ success during the past 12 months. This year’s 10 award categories were carefully selected to recognize the unique ways MISA members support their customers and help improve Microsoft security products. Our cross-functional panel carefully examined hundreds of nominations, narrowing the field to just three finalists for each category.

In the spirit of collaboration, Microsoft and MISA members alike voted on the winners. After dinner and cocktails, the awards were handed out at the San Francisco Design Center by Microsoft executives Phil Montgomery, Andrew Conway, Alym Rayani, Irina Nechaeva, Desmond Forbes, Sue Bohn, Mandana Javaheri, Madhu Prasha, Scott Woodgate, and myself. MISA members are a critical part of our approach to comprehensive security. We’re grateful for their vision and dedication to our shared mission of helping customers do more, safely. To all of this year’s finalists and winners—congratulations!

Comprehensive security year-round

Microsoft now protects 785,000 customers around the world, including our own digital estate. Our goal is to provide comprehensive security for our customers while enabling greater security for our shared online world. Microsoft’s best-in-breed protection, built-in intelligence, and simplified management integrates more than 50 product categories in six product families, allowing you to be fearless in the pursuit of your vision.  Our newest product family, Microsoft Entra, helps fulfill that mission by creating a secure entry point for end-to-end security. Entra provides a unified admin center for Azure Active Directory (Azure AD), Entra Permissions Management, and Entra Verified ID where your organization can quickly verify and secure every identity or access request—all in one place.

Our commitment to comprehensive security also means providing the latest research and first-hand knowledge to help keep your organization secure. You can learn more at Cyber Signals, a cyberthreat intelligence brief drawn from the latest Microsoft data and research. If you attended RSA and engaged with Microsoft, please take a few minutes to respond to our RSAC 2022 survey so we can continue to improve your experience. My thanks to everyone who attended, and we’ll see you next year!  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft at RSA 2022: Envisioning the future of security appeared first on Microsoft Security Blog.

Under Coordinated Vulnerability Disclosure (CVD), cloud-security vendor Palo Alto Networks informed Microsoft of an issue affecting Service Fabric (SF) Linux clusters (CVE-2022-30137). The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster. Though the bug exists on …

Service Fabric Privilege Escalation from Containerized Workloads on Linux Read More »

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Voice of the Community blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Maria Markstedter, Chief Executive Offer (CEO) of Azeria Labs, former Chief Product Officer (CPO) at Corellium, a Black Hat¹ Review Board member, Forbes Person of the Year in Cybersecurity, and the author of a soon-to-be-published book on Arm assembly internals and reverse-engineering.² The thoughts below reflect Maria’s views, not the views of Microsoft, and are not legal advice. In this blog post, Maria talks about the industry’s growing interest in Arm assembly and how to help security professionals avoid burnout.

Brooke: How did you become passionate about Arm as a processing language and how is it gaining momentum in security?

Maria: While working as a penetration tester, I attended a conference where security researcher Marion Marschalek gave a talk about reverse-engineering the computer worm Stuxnet and I was fascinated. I built up the courage to ask her to teach me. This is when I learned about x86 assembly and malware analysis. I got interested in Arm assembly and realized that I had way more Arm-based devices around me than x86 processors.

When I started studying the Arm architecture, the only devices based on Arm were IoT and mobile devices. Digging into it more, I realized that Arm was working on a 64-bit architecture and could take off in the desktop and server world. I was anticipating this shift. Arm is a very scalable platform and offers significant advantages over other processors, like power consumption and performance. Apple switched all their Macs to the Arm processing language. That raised the bar for high-powered yet energy-efficient computers. This shift puts pressure on other vendors that want to compete with laptops that are just as efficient and that have battery life that lasts just as long. It didn’t take long for Microsoft to catch up, with the SQ1 processor for Windows on Arm. Microsoft Azure recently implemented an entire cloud service. It’s gaining momentum because the architecture has become more powerful. It’s a new era.

There’s a huge gap in educational resources for people to learn about Arm. That’s why my current job involves training security teams on Arm reverse-engineering and exploitation. I also wrote a book about Arm assembly and reverse-engineering to fill that gap in a digestible format with lots of graphics. I’ve been working on it for two years and it’s about to be published. I hope that this book will help a lot of people ease their way into becoming proficient in something that is rather dry and hard to learn on your own.

Brooke: What is the biggest challenge facing security professionals today?

Maria: The biggest challenge is keeping up with new technologies and changes. From my work as a penetration tester, you get a new gig and new clients with a new product that uses a completely different stack of technologies, and you have to quickly familiarize yourself with it. Different technologies mean different attack vectors. That goes in every direction of security research. I know great reverse-engineers who have spent their whole career reverse-engineering malware and product components based on x86. If the architecture of these components changes, everything changes. If you are used to reading x86_64 assembly and are suddenly presented with a completely different assembly language, it’s like trying to understand Spanish if you are familiar only with French.  

Organizations expect their security teams to keep up with these rapid changes. How will these security teams find the time to learn and stay on top of it all? It’s not reasonable to expect security professionals to learn outside of work hours when they should focus on their family and maintaining a healthy work-life balance because it’s easy to burn out in our industry.

Brooke: What are some signs of burnout that security leaders can look out for?

Maria: Last year, I experienced my first major burnout. I was taking on way too many responsibilities. As a result, I had to take a couple of months off of work to recover. I always thought, “When I burn out, I’ll take a week off and go on vacation.” It’s not as easy as that. It starts off very subtle and is very difficult to notice before it’s too late.

Some of the causes of burnout—and why I advocate for training—is if your employee feels they don’t have any impact, feels overwhelmed or like they can’t keep up, feels like they are expected to figure it all out in their free time, or doesn’t get the time to work on interesting things that feed their curiosity. In our field, we constantly see someone coming up with something really cool and think, “I wish I could do that.” But yet, we rarely get the time to explore and learn new skills and techniques, especially when they don’t directly correlate with our current role. Security leaders need to help their team nourish their inner curiosity and give them enough breaks and research time, and the opportunity to learn.

Also, people in the process of getting burnout have a hard time saying no. If you give them new tasks, they’re going to say, “Sure!” because they feel like they’re not contributing enough and that they need to prove themselves. As a manager, ask the right questions and monitor their workload. You get more out of someone if they work a little slower but don’t burn out. If they must take sick days off or are so anxious or depressed by the end of the week that they barely get any work done, you’re not getting your results either. If they do less in a focused and balanced way with a clear mind, they will produce more value. Keep your employees happy and motivated; don’t treat them like workhorses.

Brooke: Should the opportunity to study and grow be considered a recruitment and retention tool?

Maria: Yes. People in our profession are generally very curious and driven. Otherwise, they wouldn’t be in this field. They are very eager to learn. If you feed the curiosity of your security team and give them new learning opportunities, you might be surprised at what they come up with. It makes them more versatile, confident, and motivated. Every security area overlaps with another, so they might come up with an idea that you haven’t thought of, which could lead to security advancements internally.

At my first company, I was working as a penetration tester and wanted to attend a training course about forensics, because we’d had a couple of forensics incidents, and they would send us penetration testers, even the ones who had little knowledge in forensics. But they said they wouldn’t pay for it, mainly because they didn’t want to invest in their employees and were scared that this investment would lead to them leaving the company. I ended up leaving the company because they would not give me continuous educational opportunities and expected employees to learn everything in their free time instead of investing in their skill development.  

Brooke: What would you recommend to Chief Security Officers (CSOs) filling cybersecurity roles?

Maria: You’re better off if you hire for potential and character. You can always train people. Hire for potential and pick people who are fast learners, are curious, and have demonstrated that they have invested in their own skill development as best as they could. Train them internally and send them to security conferences where they can meet like-minded people and learn. If you’re waiting for the perfect candidate, it’s rather hard to find enough people for the job. If you train them up, you have a better chance of filling all the spots.

You can outsource certain security teams, like penetration testing and incident response, as many organizations do, but it’s risky to not have an in-house security team. If an incident happens and your people are not skilled enough to respond to it, you may try to contract with an external firm, but they could be overflowing with projects because it’s a global incident. CSOs should expand their own security teams and leave room for skill development, not just in their own niche but also nurture their interests. It’s the organization’s responsibility to provide the resources and space for employees to evolve their skills.

Brooke: What is the biggest threat to organizations right now?

Maria: If you focus on one threat, it will become irrelevant in no time. The biggest threat is the rapidly changing environment and that security professionals might fall behind. So, when it’s time to act, they are not able to. Your security team is the backbone of your security posture. If you neglect that, you will not be able to keep up with evolving trends. I have seen people being sent to security incidents last minute who had to pull that off on the fly and work all day, every day for weeks on short notice with no prior knowledge. Things are always so rapidly changing that it’s all about how quickly you can respond. Do you have the resources to respond to what’s being thrown at you?

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Black Hat USA 2022, Black Hat.

²Upcoming Book Series: Arm Exploitation, Maria Markstedter.

The post How security leaders can help their teams avoid burnout appeared first on Microsoft Security Blog.

Under Coordinated Vulnerability Disclosure (CVD), cloud-security vendor Palo Alto Networks informed Microsoft of an issue affecting Service Fabric (SF) Linux clusters (CVE-2022-30137). The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster.

Under Coordinated Vulnerability Disclosure (CVD), cloud-security vendor Palo Alto Networks informed Microsoft of an issue affecting Service Fabric (SF) Linux clusters (CVE-2022-30137). The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster.

Compliance management will never be easy, but there are ways to make it simpler and more transparent. Every year, organizations confront a growing volume and diversity of data and ever-evolving industry and government regulations. But the answer to more data, more devices, and more regulations isn’t more point security solutions. In fact, it may be possible to simplify compliance even as everything around you gets more complex.

Through research and conversations with customers, we’ve identified four key data security challenges that many organizations face as they implement hybrid work and multicloud environments. You can dig into our findings and recommendations by signing up and downloading the e-book Blueprint for Data Protection: 4 Breakthrough Ideas for Compliance and Data Security. In the meantime, let us walk you through some of the highlights.

1. Addressing insider risk created by hybrid work and the Great Reshuffle

By now, you’re probably familiar with the news that record numbers of workers are quitting and switching jobs. The phenomenon has even been given a name: the Great Reshuffle. Many of these career changers have prioritized flexible work environments that enable them to work remotely at least some of the time. This creates a great opportunity for businesses with the right technology to attract top talent; however, job-hopping also comes with risk. Employees may inadvertently—or, unfortunately, intentionally—take sensitive data with them when they leave. And it’s common for new workers to make mistakes while they are getting up to speed on security policies.

To improve risk management, it’s important to implement an effective insider risk program. The right security program will focus on both culture shifts that help people make the right decisions and privacy controls that don’t impede productivity. If you’re uncertain where to start, you’ll find more detail in the e-book, which outlines several recommended best practices.

2. Knowing your data

Our customers tell us that running a multicloud environment and supporting a hybrid workforce makes it extremely difficult to know what data they have and where it’s located. Employees, customers, and IoT devices are continuously creating new information, storing it on various clouds and devices, and frequently moving it to new locations. Data protection must be balanced with governance that doesn’t impede productivity.

Automate discovery to amplify data governance. Classification is key to defining which data is sensitive and who should have access to it. But if you’re doing this process manually, it’s nearly impossible. We recommend solutions that use AI to automatically classify data based on pre-defined requirements. With the right processes and technology, you can dramatically reduce your workload and enhance data protection.

3. Securing data in a borderless world

The network perimeter is widely held to be an ineffective strategy, and we’ve now entered a world where the office walls are also disappearing. Your company resources aren’t just stored inside your on-premises data center, they also exist in cloud environments and apps. People, IoT devices, and services from all over the place—including other countries—legitimately need to access those resources to get things done. Working from anywhere is more convenient than ever, but it’s also created more opportunities for bad actors to get a hold of sensitive data.

To help ensure that only authorized users can access your data, implement a Zero Trust framework. With Zero Trust, you don’t automatically trust any access request, even if it comes from inside the network. To prevent a breach, it’s important to verify every request explicitly. When access is granted, individuals, services, and smart devices should only be given as much access as they need and only for the amount of time that they need it. A notable tenet of a Zero Trust strategy is that teams should assume that the organization has already been breached, which is why it’s critical to make verification and access controls ingrained as protocol.

Zero Trust isn’t a product: It’s a strategy and process. Refer to the e-book for several recommended tips that will help you implement this important framework in your own organization.

4. Managing security platform complexity

If you have a patchwork system of unintegrated security solutions that you’ve acquired over time, you’re not alone. Many of our customers struggle to coordinate across multiple systems, losing precious time that they could put toward threat management.

You can significantly reduce complexity by unifying compliance solutions and data protection strategies. By replacing your point solutions with a platform from a single vendor, you can reduce cyberattacks, save time, and recover from an attack more quickly. Look for the following when choosing a vendor:

• Easy deployment, maintenance, and governance.
• A lower cost than a multiple-solution strategy.
• Easier deployment and user training.
• Solutions that work well with your current environment and tools.
• In-place data management.

Putting it all together

Respecting privacy while enabling productivity has only gotten more challenging as the way people work has shifted, but you can make your job a little bit easier with the proven strategies outlined in this blog.

Dive deeper into these four challenges and best practices in the e-book Blueprint for Data Protection: 4 Breakthrough Ideas for Compliance and Data Security.

Learn more about Microsoft Purview, a family of governance and compliance solutions that work together to give you greater visibility and control over your data.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 4 breakthrough ideas for compliance and data security appeared first on Microsoft Security Blog.

Compliance management will never be easy, but there are ways to make it simpler and more transparent. Every year, organizations confront a growing volume and diversity of data and ever-evolving industry and government regulations. But the answer to more data, more devices, and more regulations isn’t more point security solutions. In fact, it may be possible to simplify compliance even as everything around you gets more complex.

Through research and conversations with customers, we’ve identified four key data security challenges that many organizations face as they implement hybrid work and multicloud environments. You can dig into our findings and recommendations by signing up and downloading the e-book Blueprint for Data Protection: 4 Breakthrough Ideas for Compliance and Data Security. In the meantime, let us walk you through some of the highlights.

1. Addressing insider risk created by hybrid work and the Great Reshuffle

By now, you’re probably familiar with the news that record numbers of workers are quitting and switching jobs. The phenomenon has even been given a name: the Great Reshuffle. Many of these career changers have prioritized flexible work environments that enable them to work remotely at least some of the time. This creates a great opportunity for businesses with the right technology to attract top talent; however, job-hopping also comes with risk. Employees may inadvertently—or, unfortunately, intentionally—take sensitive data with them when they leave. And it’s common for new workers to make mistakes while they are getting up to speed on security policies.

To improve risk management, it’s important to implement an effective insider risk program. The right security program will focus on both culture shifts that help people make the right decisions and privacy controls that don’t impede productivity. If you’re uncertain where to start, you’ll find more detail in the e-book, which outlines several recommended best practices.

2. Knowing your data

Our customers tell us that running a multicloud environment and supporting a hybrid workforce makes it extremely difficult to know what data they have and where it’s located. Employees, customers, and IoT devices are continuously creating new information, storing it on various clouds and devices, and frequently moving it to new locations. Data protection must be balanced with governance that doesn’t impede productivity.

Automate discovery to amplify data governance. Classification is key to defining which data is sensitive and who should have access to it. But if you’re doing this process manually, it’s nearly impossible. We recommend solutions that use AI to automatically classify data based on pre-defined requirements. With the right processes and technology, you can dramatically reduce your workload and enhance data protection.

3. Securing data in a borderless world

The network perimeter is widely held to be an ineffective strategy, and we’ve now entered a world where the office walls are also disappearing. Your company resources aren’t just stored inside your on-premises data center, they also exist in cloud environments and apps. People, IoT devices, and services from all over the place—including other countries—legitimately need to access those resources to get things done. Working from anywhere is more convenient than ever, but it’s also created more opportunities for bad actors to get a hold of sensitive data.

To help ensure that only authorized users can access your data, implement a Zero Trust framework. With Zero Trust, you don’t automatically trust any access request, even if it comes from inside the network. To prevent a breach, it’s important to verify every request explicitly. When access is granted, individuals, services, and smart devices should only be given as much access as they need and only for the amount of time that they need it. A notable tenet of a Zero Trust strategy is that teams should assume that the organization has already been breached, which is why it’s critical to make verification and access controls ingrained as protocol.

Zero Trust isn’t a product: It’s a strategy and process. Refer to the e-book for several recommended tips that will help you implement this important framework in your own organization.

4. Managing security platform complexity

If you have a patchwork system of unintegrated security solutions that you’ve acquired over time, you’re not alone. Many of our customers struggle to coordinate across multiple systems, losing precious time that they could put toward threat management.

You can significantly reduce complexity by unifying compliance solutions and data protection strategies. By replacing your point solutions with a platform from a single vendor, you can reduce cyberattacks, save time, and recover from an attack more quickly. Look for the following when choosing a vendor:

• Easy deployment, maintenance, and governance.
• A lower cost than a multiple-solution strategy.
• Easier deployment and user training.
• Solutions that work well with your current environment and tools.
• In-place data management.

Putting it all together

Respecting privacy while enabling productivity has only gotten more challenging as the way people work has shifted, but you can make your job a little bit easier with the proven strategies outlined in this blog.

Dive deeper into these four challenges and best practices in the e-book Blueprint for Data Protection: 4 Breakthrough Ideas for Compliance and Data Security.

Learn more about Microsoft Purview, a family of governance and compliance solutions that work together to give you greater visibility and control over your data.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 4 breakthrough ideas for compliance and data security appeared first on Microsoft Security Blog.

Hidden Talents: He was a competitive swimmer for many years. Instrument of Choice: His fingers were made for the keyboard, but he used to play the trumpet. 5 pieces of entertainment for the rest of his life: The Office, World War Z, The Matrix, Breaking Bad, The Thick of It. Favorite non-profit: RSPCA How he …

A Man of Action: Meet Callum Carney Read More »

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge, version 103!

 

We have reviewed the new settings in Microsoft Edge version 103 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 98 package continues to be our recommended baseline. That baseline package can be downloaded from the Microsoft Security Compliance Toolkit.

 

However, there is 1 setting we would like to call out, Origin-keyed agent clustering enabled by default.

 

Origin-keyed agent clustering enabled by default (Consider Testing)

Historically, JavaScript could adjust the document.domain property  to relax Same-Origin-Policy and allow content from different subdomains of a site to interact.  This new setting will prohibit that ability and starting in version 106 will be enabled by default. We highly encourage customers to begin compatibility testing now with this setting to account for this upcoming change. In the future, the security baseline will also enforce the setting.  Additional details on this setting can be found in this article.

 

Microsoft Edge version 103 introduced 4 new computer settings and 4 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.

 

As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

 

Please continue to give us feedback through the Security Baselines Discussion site or this post.

Hidden Talents : He was a competitive swimmer for many years.
Instrument of Choice : His fingers were made for the keyboard, but he used to play the trumpet.
5 pieces of entertainment for the rest of his life : The Office, World War Z, The Matrix, Breaking Bad, The Thick of It.

Hidden Talents : He was a competitive swimmer for many years.
Instrument of Choice : His fingers were made for the keyboard, but he used to play the trumpet.
5 pieces of entertainment for the rest of his life : The Office, World War Z, The Matrix, Breaking Bad, The Thick of It.

Azure Cosmos DB is a fully managed NoSQL cloud database service for modern app development. It offers a variety of advanced built-in features, such as automatic worldwide data replication, lightning-fast response types, and a variety of APIs. In this blog post, we describe security practices for securing access to Azure Cosmos DB and show how monitoring relevant control plane operations, when performed by Microsoft Defender for Azure Cosmos DB, can help detect potentially compromised identities.

Authentication and authorization

Operating Azure Cosmos DB databases requires valid credentials to be provided for each request. The main type of credentials is a pair of access keys, known as primary and secondary, which are generated as part of the Azure Cosmos DB account creation and can be retrieved through management API using the ListKeys operation. These keys provide full control over the account, including configuration of databases, deployment of server-side logic, and common read and write data transactions. The keys are generated as a pair to enable continuous availability during key rotations. When the primary key is in use, the secondary key is being rotated, and vice versa.

Another type of authentication and access control supported by Azure Cosmos DB is the role-based access control (RBAC) mechanism based on Microsoft Azure Active Directory (Azure AD).¹ Principals authenticated in Azure AD can be assigned distinct roles that grant specific permissions to the databases and various objects in the Cosmos DB account. The roles can be chosen from several built-in alternatives or customized by the account owner.

Secured architecture controls

When an application design contains a database there are access control security practices that should be applied to improve the security posture. These practices are well known in database security and should be implemented through the built-in capabilities of Azure Cosmos DB. Here are two examples:

1. Employ three-tier architecture to restrict access to databases only by application servers but not directly by clients. Implementation of such a design can be achieved by properly configuring the Cosmos DB firewall to provide access only to specific IP addresses or subnets.
2. Assign least privileged access to the entities that communicate with the databases. By using RBAC authorization, as mentioned previously, it is possible to set a strict access model to Azure Cosmos DB and minimize its attack surface. Application servers that perform data transactions should be authorized to perform those, but not environment configuration activities such as deleting collections or uploading stored procedures. On the other hand, authorization to deployment operations can be given to engineering teams and continuous integration and continuous delivery (CI/CD) systems. When all the entities are configured with proper roles and access, it is advised to disable the access keys to mitigate a leaked key threat.

Cloud-based attack vector

With all the aforementioned security controls in place, there is another attack vector that needs to be addressed when securing a cloud application. The potential threat can be realized through authorized control plane access to Azure Resource Manager (ARM), which is responsible for resource provisioning and their configuration. In the context of Azure Cosmos DB, ARM can be queried to retrieve Cosmos DB access keys, as well as handle requests for changes in the database firewall rules. Bypassing the access control of the management interface is a high barrier for threat actors, so their widely adopted tactic is to get credentials through attacks on the users. Therefore, a supplemental layer of security against compromised customer accounts is achieved by continuous monitoring of authorized operations.

If the access keys are disabled according to security practices, then the key leakage scenario is not valid. An interesting point to note is that in these cases there are no entities that should perform the ListKeys operation. Thus, if it is monitored by a security service it serves as a detection of a potential compromise of the acting identity.

Monitoring suspicious key extractions

Data traffic of your Azure Cosmos DB accounts—including any attempts to access, read, or change the stored data—is monitored by Microsoft Defender for Azure Cosmos DB. Defender contains a growing collection of detections that cover various security scenarios. For example, signals are triggered when the account is accessed from an anomalous or suspicious location, an abnormally high amount of data is extracted, or a potentially malicious query is executed. In case a significantly suspicious pattern is detected, a security alert is sent to the account’s security administrator, with descriptive information and suggested steps to mitigate the detected threats and prevent future attacks. Securing and monitoring access to Azure Cosmos DB content is important and should be augmented with monitoring of control plane operations. In modern databases, such as Cosmos DB, authentication is provided using shared keys. If keys are leaked or compromised, their use by malicious actors blends among legitimate usage—as no individual user profile is visible in the data plane logs. Additionally, in case of attacks (such as data exfiltration for theft and data encryption for ransomware), early detection increases the effectiveness of incident response and reduces the damage.

Control plane monitoring enables the analyses of management activities of resources (such as changing access policies, and listing and setting access keys) and allows mapping them to authorized users. It is important to monitor management operations that are relevant for security scenarios. For example, accessing data in Azure Cosmos DB requires getting access keys, which appear as ListKeys operation in the control plane log. Other examples of operations include encryption and changing access policies or keys.

These operations are important, but in most cases they are normal and legitimate. However, if the operation is significantly anomalous (performed from an unexpected IP address, by a seldomly seen user, or using weak authentication, for example), it might indicate a malicious attempt to access the account and should be investigated by the resource owner. Alternatively, massive execution of such operations could indicate a breach even if no anomalous pattern exists.

We recommend flagging suspicious important management operations based on several types of indicators:

1. New anomalous entity, such as previously unseen and unexpected source IP, application, and authentication type. In case the set of known entities is small enough, and no new entities are routinely appearing, any new entity is deemed unexpected. Thus, it might indicate either addition of a legitimate entity or the appearance of a malicious actor, and should be investigated.
2. Anomalous pairing indicates an anomalous connection between two existing variables. For example, an important operation performed by a known user who previously never worked on a related resource group might indicate something like a compromised identity, or a connection between the source device and target resource that have never communicated before. This can be detected by modeling the probability of similarity of connection between meaningful pairs of variables.
3. Suspicious indicators, such as source IPs flagged with threat intelligence signals, operation patterns resembling known penetration testing, or attack tool usage. Additional secondary indicators that increase the likelihood of potential misuse should be monitored as well. Examples include operations performed using weak authentication (no multifactor authentication) and suspicious errors (indicating potential reconnaissance efforts). These indicators are commonly derived from security research of known vulnerabilities and attack patterns.
4. Mass operation: Even in case no anomalous indicators exist, a sufficiently high amount of successful or failed operations should be investigated due to potential high impact. Such an event can indicate enumerating or gaining access to resources en masse. Even though a substantial number of failed operations is a weaker signal, it is important, since it can be an early indication of an attack that employs blind scanning.

Various indicators can be integrated into cumulative anomaly scores for individual operations or a batch, depending on the scenario. Since the monitored operations are important, high anomaly scores may indicate a malicious access attempt and need to be investigated promptly. In the case of a true positive, real damage can be prevented before a malicious payload is executed. In the case of a false positive, the item can be quickly dismissed by the resource owner after steps for future prevention of such cases are considered.

Detect security threats with Microsoft Defender for Azure Cosmos DB

Microsoft Defender for Azure Cosmos DB is a part of Microsoft Defender for Cloud. It covers alerts on both the data plane and the control plane, detecting potential SQL injections, known bad actors based on Microsoft threat intelligence, suspicious access patterns, and potential exploitation of databases by compromised identities or malicious insiders. Read Overview of Defender for Azure Cosmos DB to learn about its capabilities and detections.

Microsoft encourages you to develop a security strategy for your deployments in the cloud and protect Cosmos DB instances with the proposed detection solution.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Early RBAC capabilities are also provided by a legacy authentication method based on resource token, but it is largely obsolete now.

The post Detecting malicious key extractions by compromised identities for Azure Cosmos DB appeared first on Microsoft Security Blog.

In today’s evolving threat landscape, email represents the primary attack vector for cybercrime, making effective email protection a key component of any security strategy.¹

In Q1 2022, Microsoft participated in an evaluation of email security solutions, carried out by SE labs—a testing lab focused on assessing the efficacy of security solutions. In their latest Enterprise Email Security Services test, they evaluated email security vendors against a range of real-world email attack scenarios.

Today we are excited to share that Microsoft received an AAA Protection Award for Microsoft Defender for Office 365, the highest possible award that vendors can achieve in this test.

Microsoft Defender for Office 365 helps organizations protect against advanced threats including phishing and business email compromise. It provides a wide range of email protection capabilities including protection from impersonation, spoofing, as well as holistic attack campaign views, using machine learning and other heuristics to identify phishing attacks across the entire organization.

Another core component of Microsoft Defender for Office 365 is user training. Even at Microsoft, we continuously run exercises to educate our employees and senior leaders to raise their awareness to real-life phishing attacks, using the attack simulation training capabilities in Microsoft Defender for Office 365.

In the SE labs report, Microsoft received a total score of 89 percent based on the evaluation of two key criteria:

• 97 percent of emails that contained threats were blocked
• 73 percent of legitimate email was correctly identified

The near-perfect score on containing threats demonstrates the industry-leading email security protection we provide and the effectiveness by which Microsoft Defender for Office 365 can protect customers from business email compromise. At the same time, the slightly lower score around legitimate email is due to the strong focus on executive accounts in the test, for which Microsoft configured an enhanced level of protection based on insights and best practices for how organizations actually use the service. This resulted in more blocked mail, but that we believe is appropriately cautious.

The Microsoft Defender for Office 365 engine is always learning from email traffic in the environment and adjusting as a result, but the highly configurable nature of Exchange Online also allows customers to tailor their experience. While in this test, we tailored the controls to the highest level of available protections, admins have a wide range of options to customize the delivery sensitivity and their preferred level of tolerance for potentially unwanted email.

The SE labs report validates that Microsoft Defender for Office 365, part of Microsoft Defender 365, is a leading choice for email protection, used by corporations worldwide. To learn more about how some customers are using Microsoft Defender for Office 365 today, read this customer story from St. Luke’s.

Microsoft continues to invest heavily to protect organizations from phishing and business email compromise with the backing of hundreds of researchers, engineers, and threat intelligence insights from billions of pieces of mail that Microsoft processes every single day and directly inform our machine learning engines.

Trust Microsoft’s XDR solution for protection against threats across Office 365 and more 

Microsoft Defender for Office 365 provides comprehensive coverage, both through the lifecycle of an attack and across email and collaboration tools like email, SharePoint, OneDrive, and Microsoft Teams.

These capabilities are part of Microsoft’s extended detection and response (XDR) solution Microsoft 365 Defender, which helps organizations secure their users with integrated threat protection, detection, and response across endpoints, email, identities, applications, and data.

To take advantage of our industry-leading protection in your environment, get started today!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

1 Internet Crime Report 2020, Federal Bureau of Investigation. 2020.

The post Microsoft Defender for Office 365 receives highest award in SE Labs Enterprise Email Security Services test appeared first on Microsoft Security Blog.

Microsoft’s deep understanding of human-operated ransomware attacks, which are powered by a thriving cybercrime gig economy, continuously informs the solutions we deliver to protect customers. Our expert monitoring of threat actors, investigations into real-world ransomware attacks, and the intelligence we gather from the trillions of signals that the Microsoft cloud processes every day provide a unique insight into these threats. For example, we track human-operated ransomware attacks not only as distinct ransomware payloads, but more importantly, as a series of malicious activities that culminate in the deployment of ransomware. Detecting and stopping ransomware attacks as early as possible is critical for limiting the impact of these attacks on target organizations, including business interruption and extortion.

To disrupt human-operated ransomware attacks as early as possible, we enhanced the AI-based protections in Microsoft Defender for Endpoint with a range of specialized machine learning techniques that find and swiftly incriminate – that is, determine malicious intent with high confidence – malicious files, processes, or behavior observed during active attacks.

The early incrimination of entities – files, user accounts, and devices – represents a sophisticated mitigation approach that requires an examination of both the attack context as well as related events on either the targeted device or within the organization. Defender for Endpoint combines three tiers of AI-informed inputs, each of which generates a risk score, to determine whether an entity is associated with an active ransomware attack:

• A time-series and statistical analysis of alerts to look for anomalies at the organization level
• Graph-based aggregation of suspicious events across devices within the organization to identify malicious activity across a set of devices
• Device-level monitoring to identify suspicious activity with high confidence

Aggregating intelligence from these sources enables Defender for Endpoint to draw connections between different entities across devices within the same network. This correlation facilitates the detection of threats that might otherwise go unnoticed. When there’s enough confidence that a sophisticated attack is taking place on a single device, the related processes and files are immediately blocked and remediated to disrupt the attack.

Disrupting attacks in their early stages is critical for all sophisticated attacks but especially human-operated ransomware, where human threat actors seek to gain privileged access to an organization’s network, move laterally, and deploy the ransomware payload on as many devices in the network as possible. For example, with its enhanced AI-driven detection capabilities, Defender for Endpoint managed to detect and incriminate a ransomware attack early in its encryption stage, when the attackers had encrypted files on fewer than four percent (4%) of the organization’s devices, demonstrating improved ability to disrupt an attack and protect the remaining devices in the organization. This instance illustrates the importance of the rapid incrimination of suspicious entities and the prompt disruption of a human-operated ransomware attack.

As this incident shows, the swift incrimination of suspicious files and processes mitigates the impact of ransomware attacks within an organization. After incriminating an entity, Microsoft Defender for Endpoint stops the attack via feedback-loop blocking, which uses Microsoft Defender Antivirus to block the threat on endpoints in the organization. Defender for Endpoint then uses the threat intelligence gathered during the ransomware attack to protect other organizations.

In this blog, we discuss in detail how Microsoft Defender for Endpoint uses multiple innovative, AI-based protections to examine alerts at the organization level, events across devices, and suspicious activity on specific devices to create a unique aggregation of signals that can identify a human-operated ransomware attack.

Detecting anomalies in alerts at the organization level

A human-operated ransomware attack generates a lot of noise in the system. During this phase, solutions like Defender for Endpoint raise many alerts upon detecting multiple malicious artifacts and behavior on many devices, resulting in an alert spike. Figure 3 shows an attack that occurred across a single organization.

Defender for Endpoint identifies an organization-level attack by using time-series analysis to monitor the aggregation of alerts and statistical analysis to detect any significant increase in alert volume. In the event of an alert spike, Defender for Endpoint analyzes the related alerts and uses a specialized machine learning model to distinguish between true ransomware attacks and spurious spikes of alerts.

If the alerts involve activity characteristic of a ransomware attack, Defender for Endpoint searches for suspicious entities to incriminate based on attack relevance and spread across the organization. Figure 4 shows organization-level detection.

Graph-based monitoring of connections between devices

Organization-level monitoring can pose challenges when attacks don’t produce enough noise at the organization level. Aside from monitoring anomalous alert counts, Defender for Endpoint also adopts a graph-based approach for a more focused view of several connected devices to produce high-confidence detections, including an overall risk score. For this level of monitoring, Defender for Endpoint examines remote activity on a device to generate a connected graph. This activity can originate from popular admin tools such as PsExec / wmi / WinRm when another device in the organization connects to a device using admin credentials. This remote connection can also indicate previous credential theft by an attacker.

As administrators often use such connectivity tools for legitimate purposes, Defender for Endpoint differentiates suspicious activity from the noise by searching specifically for suspicious processes executed during the connection timeframe.

Figure 5 shows a typical attack pattern wherein a compromised device A is the initial attack vector, and the attacker uses remote desktop protocol (RDP) or a remote shell to take over the device and start scanning the network. If possible, the attackers move laterally to device B. At this point, the remote processes wmic.exe on the command line and wmiprvse.exe on the target can spawn a new process to perform remote activities.

Graph-based detection generates the entities in memory to produce a virtual graph of connected components to calculate a total risk score, wherein each component represents a device with suspicious activities. These activities might produce low-fidelity signals, such as scores from certain machine learning models or other suspicious signals on the device. The edges of the graph show suspicious network connections. Defender for Endpoint then analyzes this graph to produce a final risk score. Figure 6 highlights an example of graph-based aggregation activities and risk score generation.

Identifying suspicious activity with high confidence on a single device

The final detection category is identifying suspicious activity on a single device. Sometimes, suspicious signals from only one device represent enough evidence to identify a ransomware attack, such as when an attack uses evasion techniques like spreading activity over a period of time and across processes unrelated to the attack chain. As a result, such an attack can fly under the radar, if defenses fail to recognize these processes as related. If the signals are not strong enough for each process chain, no alerts will generate.

Figure 7 depicts a simplified version of evasion activity using the Startup folder and autostart extension points. After taking over a device, an attacker opens cmd.exe and writes a file to the Startup folder to carry out malicious activities. When the device restarts, the file in the Startup folder performs additional commands using the parent process ID explorer.exe, which is unrelated to the original cmd.exe that wrote the file. This behavior splits the activity into two separate process chains occurring at different times, which could prevent security solutions from correlating these commands. As a result, when neither individual process produces enough noise, an alert might not appear.

The enhanced AI-based detections in Defender for Endpoint can help connect seemingly unrelated activity by assessing logs for processes that resemble DLL hijacking, autostart entries in the registry, creation of files in startup folder, and similar suspicious changes. The incrimination logic then maps out the initiation of the first process in relation to the files and tasks that follow.

Human-operated ransomware protection using AI

Attackers behind human-operated campaigns make decisions depending on what they discover in environments they compromise. The human aspect of these attacks results in varied attack patterns that evolve based on unique opportunities that attackers find for privilege escalation and lateral movement. AI and machine learning present innovative methods for surfacing sophisticated attacks known for using advanced tools and techniques to stay persistent and evasive.

In this blog, we discussed enhancements to cloud-based AI-driven protections in Microsoft Defender for Endpoint that are especially designed to help disrupt human-operated ransomware attacks. These enhanced protections use AI to analyze threat data from multiple levels of advanced monitoring and correlate malicious activities to incriminate entities and stop attacks in their tracks. Today, these AI protections are triggered in the early stages of the ransomware phase, as the attack starts to encrypt data on devices. We’re now working to expand these protections to trigger even earlier in the attack chain, before the ransomware deployment, and to expand the scope to incriminate and isolate compromised user accounts and devices to further limit the damage of attacks.  

This innovative approach to detection adds to existing protections that Microsoft 365 Defender delivers against ransomware. This evolving attack disruption capability exemplifies Microsoft’s commitment to harness the power of AI to explore novel ways of detecting threats and improve organizations’ defenses against an increasingly complex threat landscape.

Learn how Microsoft helps you defend against ransomware.

Learn how machine learning and AI drives innovation at Microsoft security research.

Arie Agranonik, Charles-Edouard Bettan, Sriram Iyer
Microsoft 365 Defender Research Team

The post Improving AI-based defenses to disrupt human-operated ransomware appeared first on Microsoft Security Blog.

A recent study conducted by Microsoft in partnership with Ponemon Institute included a survey of companies that have adopted IoT solutions and 65 percent of them mentioned that security is a top priority when implementing IoT. Attacks targeting IoT devices put businesses at risk. Impacted devices can be bricked, held for ransom, employed as launch points for further network attacks, or used for malicious purposes. Among many consequences, we often see intellectual property (IP) and data theft and compromised regulatory status, all of which can have brand and financial implications on the business. 

Subsequently, we did a survey to understand the top concerns around the security of IoT devices, and we shared the findings in a previous blog about best practices for managing IoT security concerns. The following list summarizes the top security concerns from companies that have adopted IoT solutions:

• Ensuring data privacy (46 percent).
• Ensuring network-level security (40 percent).
• Security endpoints for each IoT device (39 percent).
• Tracking and managing each IoT device (36 percent).
• Making sure all existing software is updated (35 percent).
• Updating firmware and other software on devices (34 percent).
• Performing hardware/software tests and device evaluation (34 percent).
• Updating encryption protocols (34 percent).
• Conducting comprehensive training programs for employees involved in IoT environment (33 percent).
• Securely provisioning devices (33 percent).
• Shifting from device-level to identity-level control (29 percent).
• Changing default passwords and credentials (29 percent).

To help address these concerns, Microsoft is thrilled to announce today the general availability of the extension of our Secured-core platform to IoT devices along with new Edge Secured-core certified devices from our partners Aaeon, Asus, Lenovo and Intel in the Azure certified device catalog. We have added this new device certification for our Edge Secured-core platform so customers can more easily select IoT devices that meet this advanced security designation.   

As outlined in Microsoft’s Zero Trust paper, a key investment, especially around new devices, is to choose devices with built-in security. Devices built with Azure Sphere benefit from industry-leading built-in security, with servicing by Microsoft.

Announcements for Edge Secured-core

Edge Secured-core is a certification in the Azure Certified Device program for IoT devices. Devices that have achieved this certification provide enterprises the confidence that the devices they’re purchasing deliver the following security benefits:

• Hardware-based device identity: In addition to the various security properties that a hardware-based device identity provides, this also enables the use of the hardware-backed identity when connecting to Azure IoT Hub and using the IoT Hub device provisioning service.  
• Capable of enforcing system integrity: Using a combination of processor, firmware, and OS support to facilitate measurement of system integrity to help ensure the device works well with Microsoft Azure Attestation.
• Stays up-to-date and is remotely manageable: Receives the necessary device updates for a period of at least 60 months from the date of submission.
• Provides data-at-rest encryption: The device provides built-in support for encrypting the data at rest using up-to-date protocols and algorithms.
• Provides data-in-transit encryption: IoT devices such as gateways, which are often used to connect downstream devices to the cloud, need inherent support for protecting data in transit. Edge Secured-core devices help support up-to-date protocols and algorithms that are used for data-in-transit encryption.
• Built-in security agent and hardening: Edge Secured-core devices are hardened to help reduce the attack surface and include a built-in security agent to help secure from threats.

In addition to addressing many of the top concerns that we’ve heard from customers around the security of their IoT devices, our data shows that Secured-core PCs are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications. We’ve brought the learnings from Secured-core PCs to define the requirements for Edge secured-core devices.

Today, we’re excited to announce the availability of Windows IoT Edge Secured-core devices available in the Azure Certified Device catalog.

ASUS PE200

Lenovo ThinkEdge SE30

Intel NUC

AAEON SRG-TG01

Additionally, Microsoft invests with semiconductor partners to build IoT-connected industry certified MCU security platforms that align with Microsoft’s security standards.  

Get started with Microsoft Security

Email us to request a call for more information about Azure Sphere, Edge Secured-core devices, or industry-certified devices. Learn more about Azure IoT security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing your IoT with Edge Secured-core devices appeared first on Microsoft Security Blog.

There’s still a perception that the most successful computer scientists learn programming at a young age, study engineering at a top school, and then get a software development job right out of college. While that’s how many people enter the field, it’s not the only path. Microsoft Software Engineer Rebecca Nzioki is living proof. She started out studying business but switched disciplines because she found IT more interesting. She decided to switch disciplines again after she started working and discovered a passion for solving customer problems. She then dedicated herself to learning how to code so she could find permanent fixes to issues that were frustrating the customers she supported.

In my experience, no matter what path they followed in the field of computer science, the best engineers are those who, like Rebecca, focus on solving problems for customers and making sure their experience just gets better and better. There’s no reason to think that, just because you weren’t a “child genius” who already knew how to program before you reached high school, you can’t enter the field now and still be incredibly successful. Rebecca impressed us so much that we tried to recruit her multiple times. Now she’s a software engineer in the identity and network access group, working from her native country, Kenya, as part of our Africa Development Center (ADC). While she’s only been at Microsoft for a short time, her contributions are already notable. I can’t wait to watch her grow.

Rebecca’s interview with Igor Sakhnov, Corporate Vice President of Identity Engineering at Microsoft, has been edited for clarity and length. We’ve included some video snippets so you can learn more about her personal journey to Microsoft.

Igor: Rebecca, I’m in Redmond and you’re in Nairobi, and here we are working for the same company, on the same problems and challenges. That’s the beauty of the current world! So, tell me about your history. Let’s start at the beginning. What was your first experience with computers? For me, it was playing games.

Rebecca: Mine too, it was gaming. When I was in primary school, we had computer lessons, but I wasn’t interested in anything to do with the history of computers. I joined so that I could play games.

Igor: I think most people started learning about computers this way. As you grew older, did you always know you wanted to be an engineer?

Rebecca: I went to college to study business administration, but when I was applying, my mom advised me to do something that had a little bit of IT, because everything revolves around computer science and IT now. She felt it was important to have that background. While I was studying, I found I was more interested in the IT side of things than the business administration side, so I ended up focusing on that.

Igor: Your mom gave you great advice! Did you jump right into coding after you finished college?

Rebecca: My first job after college was in support. The company focused on telecommunications; specifically, selling mobile phone airtime. Our boss created graphs that we would watch to make sure our markets were up and running. I watched up to 22 screens. I did that for two years and then got the opportunity to go to the next level—creating the screens myself.

At that point, we had just launched a new market that had many problems. It was always down because it was totally new, and we were trying so many new things. Not only was I now creating the screens, but I was also moving into customer care, so I knew how our work was impacting customers, allowing them to borrow airtime credit when they really needed it. I was communicating with customers and working on the technical side of things.

Seeing the engineers solve problems that came up—getting to the root cause of the issues—got me interested in programming. I became curious with each new problem: how can we solve this and make it go away completely? We want new problems, not the same ones over and over! After two years on the support side, I finally started coding. For a while I did both, but I transitioned slowly as I built up my confidence.

Igor: What a journey! You mentioned that you really liked solving customer problems, which is so near and dear to my heart. What was your motivation?

Rebecca: Knowing that the customers would be able to use the service any time, and they would be happy. Knowing they could use the service smoothly and knowing that I could give them a service that is also dependable.

Igor: It’s awesome that customer focus defines how you think through your work and your next steps. And that’s something that defines our organization at Microsoft. I’ve heard that you were asked to come talk to us three times. Can you tell me more about that?

Rebecca: Microsoft first called in December 2019, when I had first gotten into engineering. I wasn’t confident enough at that point to interview. It wasn’t the right time for me to change my career, so I didn’t respond to that call. They reached out again the following September, but they were looking for senior software engineers. By this time, however, I really wanted to do something different. The recruiter told me to reach out to them in December 2020. When I interviewed in January 2021, I felt ready.

Igor: I guess the third time was the charm! And I love that you built your confidence up to succeed in the interview. I’m curious, did the recruiters give you any support in terms of how to prepare for the interview?

Rebecca: They gave us a PDF document of algorithms and other things we needed to go through. I had a really good recruiter who would call to ask if I was actually preparing for the interview.

Igor: It’s great that these resources were useful to you. It’s awesome that you’re here now and that between building your confidence and getting those resources, you were set up for success.

Rebecca: Yes!

Igor: You’ve been at Microsoft for about a year. What is your perspective on Microsoft and the Africa Development Center?

Rebecca: I’m loving the experience. It has been a steep learning curve, but I’m here for the challenge. We were all new, on my team, so we didn’t have anyone in ADC to guide us on how to go about it. We’ve navigated it together, and at this point we have it figured out. We’re still learning, but we’ve gotten our pattern going.

Igor: Technology-wise, what are you most excited about working on?

Rebecca: My project right now is working on the Microsoft Authenticator App. We’re letting the user sign in through the application without using their passwords, or have two-factor or multifactor authentication, where you’re not using your password only, but you have levels of security. And knowing we’re driving such changes is pretty exciting.

I’m loving the authentication experience and going passwordless. Our laptops have always been using passwordless, but I hadn’t seen it before on the browser, or signing in to Skype without using a password. It’s exciting because I used to always forget these things! Also, seeing the way we manage code, the way we collaborate, the way we push and deploy—it’s all been very interesting.

Igor: Before we go, what’s your motivation in terms of your growth, your path forward? What do you want to achieve or move towards?

Rebecca: Right now, I just want to continue improving my coding abilities. I haven’t thought that I want to be a manager yet; for now, I just want to specialize in the technologies we use, grow my experience, and continue becoming a better engineer.

Learn more

Learn more about Microsoft identity and access management.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How one Microsoft software engineer works to improve access management appeared first on Microsoft Security Blog.

Today’s sophisticated cyber threats require a modern approach to security. And this doesn’t apply only to enterprises or government entities—in recent years we’ve seen attacks increase exponentially against individuals. There are 921 password attacks every second.¹ We’ve seen ransomware threats extending beyond their usual targets to go after small businesses and families. And we know, as bad actors become more and more sophisticated, we need to increase our personal defenses as well.

That is why it is so important for us to protect your entire digital life, whether you are at home or work—threats don’t end when you walk out of the office or close your work laptop for the day. We need solutions that help keep you and your family secure in how you work, play, and live.

That’s why I’m excited to share the availability of Microsoft Defender for individuals, a new online security application for Microsoft 365 Personal and Family subscribers. We believe every person and family should feel safe online. This is an exciting step in our journey to bring security to all and I’m thrilled to share with you more about this new app, available with features for you to try today.

Introducing Microsoft Defender

As our digital footprints grow, and with more devices and family members online, protecting your personal data and devices becomes more important than ever. On top of that, you and your family’s device preferences may result in Windows, iOS, Android, and macOS devices all represented in a single household—I know from personal experience in my own family. As threats grow more sophisticated, and time spent online has increased during the pandemic, we are more vulnerable than ever.  

To help keep your data private and devices secure, people often turn to multiple security products, with scattered security monitoring and device management. This fragmentation makes keeping up with increasing online threats even harder.

We must evolve our security solutions to meet unique customer needs at home and work by bringing together existing technologies in a new way. That is why we are introducing Microsoft Defender for individuals. It was built on our Microsoft Defender for Endpoint technology, leveraging the same trusted security that enterprises rely on. It joins our comprehensive set of security products and services as the newest member of our family of Microsoft Defender solutions and extends the protection already built into Windows Security.

What does Microsoft Defender do?

Microsoft Defender is simplified online security that meets you and your family where you are by bringing multiple protections together into a single dashboard. It provides online protection across the devices you and your family use. It offers tips and recommendations to strengthen your protection further. And, as you grow your digital footprint by adding family members and devices, Defender grows with you and keeps your defenses up-to-date using trusted technology.  

This seamless solution, which includes continuous antivirus and anti-phishing protection for your data and devices, will enable you to:

• Manage your security protections and view security protections for everyone in your family, from a single easy-to-use, centralized dashboard.²
• View your existing antivirus protection (such as Norton or McAfee). Defender recognizes these protections within the dashboard.
• Extend Windows device protections to iOS, Android, and macOS devices for cross-platform malware protection on the devices you and your family use the most.^{3, 4}
• Receive instant security alerts, resolution strategies, and expert tips to help keep your data and devices secure.⁵

This is just the start. As we look forward, we will continue to bring more protections together under a single dashboard, including features like identity theft protection and secure online connection. Microsoft Defender is simplified online security that grows with you and your family to help keep you safe. 

Try it today!

The expansion of our security portfolio with Microsoft Defender for individuals is the natural and exciting progression in our journey as a security company. The Microsoft Defender app is available to Microsoft 365 subscribers beginning today, across Windows, macOS, iOS, and Android. It was shaped based on the thoughts and feedback from so many families and people who use our products, and we are so excited to have this available today. Read more about the value to Microsoft 365 subscribers and the journey to get here from the Microsoft 365 team, or try Microsoft Defender today. There is so much more to come, and we look forward to sharing more on this journey to make the world a safer place for all!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹According to Microsoft Azure Active Directory (Azure AD) authentication log data. 2022. 

²App requires a Microsoft 365 Family or Personal subscription and is available as a separate download. 

³App is available on Windows, macOS, Android, and iOS in select Microsoft 365 Family or Personal billing regions.

⁴New malware protection is not available where these protections exist on iOS and Windows.

⁵Security tips are available on Windows and macOS only.

The post Making the world a safer place with Microsoft Defender for individuals appeared first on Microsoft Security Blog.