Thursday, July 15, 2021

The U.S. Government’s One-Stop Location to Stop Ransomware

 Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber Awareness System Current Activity for Cybersecurity and Infrastructure Security Agency. This information has recently been updated, and is now available.

New StopRansomware.gov website – The U.S. Government’s One-Stop Location to Stop Ransomware

07/15/2021 07:20 AM EDT

 

Original release date: July 15, 2021

The U.S. Government launched a new website to help public and private organizations defend against the rise in ransomware cases. StopRansomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. We encourage organizations to use this new website to understand the threat of ransomware, mitigate risk, and in the event of an attack, know what steps to take next.

The StopRansomware.gov webpage is an interagency resource that provides our partners and stakeholders with ransomware protection, detection, and response guidance that they can use on a single website. This includes ransomware alerts, reports, and resources from CISA, the FBI, and other federal partners.

We look forward to growing the information and resources on StopRansomware.gov and plan to partner with additional Federal Agencies who are working to curb the rise in ransomware.

Monday, July 12, 2021

Kaseya Provides Security Updates for VSA On-Premises Software Vulnerabilities


07/12/2021 03:00 PM EDT

 

Original release date: July 12, 2021

Kaseya has released VSA version 9.5.7a for their VSA On-Premises software. This version addresses vulnerabilities that enabled the ransomware attacks on Kaseya’s customers.

CISA strongly urges Kaseya customers to closely follow the instructions detailed in the Kaseya security notice and to contact Kaseya should they require implementation assistance. Note: the Kaseya security notice includes Startup Runbooks and Hardening and Best Practice Guides for both VSA On-Premises and VSA SaaS.

Tuesday, July 6, 2021

Microsoft Releases Out-of-Band Security Updates for PrintNightmare

 


07/06/2021 07:53 PM EDT

 

Original release date: July 6, 2021

Microsoft has released out-of-band security updates to address a remote code execution (RCE) vulnerability—known as PrintNightmare (CVE-2021-34527)—in the Windows Print spooler service. According to the CERT Coordination Center (CERT/CC), “The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.”

The updates are cumulative and contain all previous fixes as well as protections for CVE-2021-1675. The updates do not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016—Microsoft states updates for these versions are forthcoming. Note: According to CERT/CC, “the Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant.” See CERT/CC Vulnerability Note VU #383432 for workarounds for the LPE variant.
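Because the July update covers only the RCE variants, a practitioner patching a fleet still has to verify the Print Spooler posture of each host: is the service needed at all, does it accept remote client connections, and are the Point and Print policy values in a state where the update is effective. The script below is an added example (not from the CISA alert, CERT/CC note, or Microsoft) that collects those facts on Windows and evaluates them with a pure function that can be reviewed and tested on any platform. The registry locations and value names are my recollection of Microsoft's CVE-2021-34527 guidance and of the Group Policy "Allow Print Spooler to accept client connections"; treat them as assumptions and verify them against the current advisory before relying on the script.

```python
"""Audit a host's Print Spooler exposure after the July 2021 PrintNightmare updates.

Added example, not vendor code. Assumed registry locations (verify against the advisory):
  HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers
      RegisterSpoolerRemoteRpcEndPoint   2 = "Allow Print Spooler to accept client connections" disabled
  HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint
      NoWarningNoElevationOnInstall      should be 0 or absent for the update to be effective
      UpdatePromptSettings               should be 0 or absent for the update to be effective
"""
import platform
import subprocess
from dataclasses import dataclass
from typing import List, Optional

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers"


@dataclass
class SpoolerFacts:
    spooler_running: bool
    spooler_start_disabled: bool
    remote_rpc_endpoint: Optional[int]       # RegisterSpoolerRemoteRpcEndPoint, None if unset
    no_warning_no_elevation: Optional[int]   # PointAndPrint\NoWarningNoElevationOnInstall
    update_prompt_settings: Optional[int]    # PointAndPrint\UpdatePromptSettings
    needs_spooler: bool                      # print server or a host that genuinely prints


def assess(f: SpoolerFacts) -> List[str]:
    """Return findings for the host; an empty list means nothing further to do."""
    findings = []
    if not f.spooler_running and f.spooler_start_disabled:
        return findings  # CERT/CC workaround 1 fully applied: no spooler to attack
    if not f.needs_spooler:
        findings.append("Spooler enabled on a host that does not print: stop it and set start type to Disabled")
    if f.remote_rpc_endpoint != 2:
        findings.append("Inbound remote printing allowed: disable 'Allow Print Spooler to accept "
                        "client connections' (RegisterSpoolerRemoteRpcEndPoint=2)")
    if f.no_warning_no_elevation not in (None, 0):
        findings.append("PointAndPrint NoWarningNoElevationOnInstall is non-zero: set it to 0 "
                        "(assumed: the update is not effective while this is set)")
    if f.update_prompt_settings not in (None, 0):
        findings.append("PointAndPrint UpdatePromptSettings is non-zero: set it to 0 "
                        "(assumed: the update is not effective while this is set)")
    return findings


def _reg_dword(subkey: str, name: str) -> Optional[int]:
    """Read a REG_DWORD under HKLM, or None when the key or value is absent (Windows only)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, kind = winreg.QueryValueEx(key, name)
            return int(value) if kind == winreg.REG_DWORD else None
    except FileNotFoundError:
        return None


def _sc(args: List[str]) -> str:
    return subprocess.run(["sc.exe", *args], capture_output=True, text=True, check=False).stdout


def collect(needs_spooler: bool = False) -> SpoolerFacts:
    """Gather the facts on a Windows host; raise elsewhere so assess() can still be used."""
    if platform.system() != "Windows":
        raise RuntimeError("collect() only runs on Windows; call assess() with facts gathered elsewhere")
    status = _sc(["query", "Spooler"])   # contains "STATE ... RUNNING" when the service is up
    config = _sc(["qc", "Spooler"])      # contains "START_TYPE ... DISABLED" when disabled
    return SpoolerFacts(
        spooler_running="RUNNING" in status,
        spooler_start_disabled="DISABLED" in config,
        remote_rpc_endpoint=_reg_dword(POLICY_KEY, "RegisterSpoolerRemoteRpcEndPoint"),
        no_warning_no_elevation=_reg_dword(POLICY_KEY + r"\PointAndPrint", "NoWarningNoElevationOnInstall"),
        update_prompt_settings=_reg_dword(POLICY_KEY + r"\PointAndPrint", "UpdatePromptSettings"),
        needs_spooler=needs_spooler,
    )


if __name__ == "__main__":
    for line in assess(collect()) or ["OK: no Print Spooler exposure found"]:
        print(line)
```

Run it with administrative rights on each patched host (or feed `assess()` facts exported from your configuration management tooling). A host that neither prints nor serves printers should end up with the spooler stopped and disabled, which is the only state in which the LPE variant is moot regardless of patch level.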

Sunday, July 4, 2021

CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack

 


07/04/2021 12:29 PM EDT

 

Original release date: July 4, 2021

CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below.

CISA and FBI recommend affected MSPs:

  • Contact Kaseya at support@kaseya.com with the subject “Compromise Detection Tool Request” to obtain and run Kaseya's Compromise Detection Tool available to Kaseya VSA customers. The tool is designed to help MSPs assess the status of their systems and their customers' systems.
  • Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
  • Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: these actions are especially important for MSP customers who do not currently have their RMM service running due to the Kaseya attack.

CISA and FBI recommend affected MSP customers:

  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
  • Implement:
    • Multi-factor authentication; and
    • The principle of least privilege on administrative accounts for key network resources.

Resources:

CISA and FBI provide these resources for the reader’s awareness.  CISA and FBI do not endorse any non-governmental entities nor guarantee the accuracy of the linked resources.

Thursday, July 1, 2021

What's new: ASIM Authentication, Process, Registry and enhanced Network schemas

 New Microsoft Blog

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-asim-authentication-process-registry-and-enhanced/ba-p/2502268

Hello everyone,

 Continuing our normalization journey, we have added Authentication, Process Event, and Registry Event schemas alongside the existing Network and DNS schemas, and delivered normalized content built on them. We also added ARM template deployment and support for Microsoft Defender for Endpoint to the Network schema.

 Special thanks to @Yuval Naor , @Yaron Fruchtmann , and @Batami Gold , who made all this possible.

 Why should you care?

  • Cross-source detection: normalized Authentication analytic rules work across sources, on-prem and cloud, now detecting attacks such as brute force or impossible travel across systems including Okta, AWS, and Azure.
  • Source-agnostic rules: process event analytics support any source that a customer may use to bring in the data, including Defender for Endpoint, Windows Events, and Sysmon. We are ready to add Sysmon for Linux and WEF once released!
  • EDR support: Process, Registry, Network, and Authentication constitute the core of EDR event telemetry.
  • Ease of use: the Network schema introduced last year is now easier to use with a single-click ARM template deployment.

 Deploy the Authentication, Process Events, Registry Events, or Network Session parser packs in a single click using ARM templates.

 Join us to learn more about the Azure Sentinel Information Model in two webinars:

  • The Information Model: Understanding Normalization in Azure Sentinel
  • Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content

Why normalization, and what is the Azure Sentinel Information Model?

 Working with various data types and tables together presents a challenge. You must become familiar with many different data types and schemas, write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types necessary for investigation and hunting is also tricky.

 The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the Open-Source Security Events Metadata (OSSEM) common information model, promoting vendor agnostic, industry-wide normalization. ASIM:

  • Allows source agnostic content and solutions
  • Simplifies analyst use of the data in Sentinel workspaces

 The current implementation is based on query-time normalization using KQL functions, and includes the following:

  • Normalized schemas cover standard sets of predictable event types that are easy to work with and build unified capabilities. The schema defines which fields should represent an event, a normalized column naming convention, and a standard format for the field values.
  • Parsers map existing data to the normalized schemas. Parsers are implemented using KQL functions.
  • Content for each normalized schema includes analytics rules, workbooks, hunting queries, and additional content. This content works on any normalized data without the need to create source-specific content.
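The three layers above (schema, parsers, content) are easiest to see with a toy model. The following Python sketch is an added example, not Microsoft's ASIM code and not KQL: it mirrors the architecture only, with per-source parser functions mapping constructed Windows SecurityEvent-style and Okta System Log-style records into one Authentication schema, a union that stands in for the normalized view, and a single brute-force rule that runs over the union. The normalized field names (EventType, EventResult, TargetUsername, SrcIpAddr, EventVendor) follow ASIM's Authentication schema naming as I understand it; check them against the current schema reference. All sample events are constructed.

```python
"""Query-time normalization in miniature: source parsers -> one schema -> one rule.

Added example, not Microsoft's ASIM implementation. In Sentinel each parser is a KQL
function and the union is queried like a table; here they are plain Python functions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed raw events shaped like Windows SecurityEvent rows (EventID 4624/4625).
WINDOWS_RAW = [
    {"TimeGenerated": "2021-07-01T10:00:00", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2021-07-01T10:00:10", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2021-07-01T10:05:00", "EventID": 4624, "TargetUserName": "bob", "IpAddress": "10.0.0.5"},
]
# Constructed raw events shaped like Okta System Log entries.
OKTA_RAW = [
    {"published": "2021-07-01T10:00:20", "eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice"}, "client": {"ipAddress": "203.0.113.7"}},
    {"published": "2021-07-01T10:00:30", "eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice"}, "client": {"ipAddress": "203.0.113.7"}},
    {"published": "2021-07-01T10:00:40", "eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice"}, "client": {"ipAddress": "203.0.113.7"}},
]

Event = Dict[str, object]


def parse_windows(raw: List[dict]) -> List[Event]:
    """Source-specific parser: Windows logon events -> normalized Authentication schema."""
    return [{
        "TimeGenerated": datetime.fromisoformat(e["TimeGenerated"]),
        "EventVendor": "Microsoft",
        "EventType": "Logon",
        "EventResult": "Success" if e["EventID"] == 4624 else "Failure",
        "TargetUsername": e["TargetUserName"],
        "SrcIpAddr": e["IpAddress"],
    } for e in raw if e["EventID"] in (4624, 4625)]


def parse_okta(raw: List[dict]) -> List[Event]:
    """Source-specific parser: Okta session starts -> the same normalized schema."""
    return [{
        "TimeGenerated": datetime.fromisoformat(e["published"]),
        "EventVendor": "Okta",
        "EventType": "Logon",
        "EventResult": "Success" if e["outcome"]["result"] == "SUCCESS" else "Failure",
        "TargetUsername": e["actor"]["alternateId"],
        "SrcIpAddr": e["client"]["ipAddress"],
    } for e in raw if e["eventType"] == "user.session.start"]


PARSERS = [(parse_windows, WINDOWS_RAW), (parse_okta, OKTA_RAW)]


def im_authentication() -> List[Event]:
    """Union of every parser's output, the stand-in for the unified Authentication view."""
    events = [ev for parser, raw in PARSERS for ev in parser(raw)]
    return sorted(events, key=lambda ev: ev["TimeGenerated"])


def brute_force(events: List[Event], threshold: int = 5,
                window: timedelta = timedelta(minutes=10)) -> Set[Tuple[str, str]]:
    """Source-agnostic rule: (user, source IP) pairs with >= threshold failures in a window.

    Works on any normalized input; it never looks at EventVendor or raw field names.
    """
    hits = set()
    failures = defaultdict(list)
    for ev in events:  # expected sorted by TimeGenerated
        if ev["EventType"] != "Logon" or ev["EventResult"] != "Failure":
            continue
        key = (ev["TargetUsername"], ev["SrcIpAddr"])
        times = failures[key]
        times.append(ev["TimeGenerated"])
        while times and ev["TimeGenerated"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            hits.add(key)
    return hits


if __name__ == "__main__":
    print("per-source (Windows only):", brute_force(parse_windows(WINDOWS_RAW)))
    print("cross-source (normalized):", brute_force(im_authentication()))
```

The point of the sketch is the last two lines: neither source alone crosses the threshold, but the same rule over the normalized union does. Adding a third source means writing one more parser, not one more rule.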

Use Premium Assessments in Microsoft Compliance Manager to Meet Your Regulatory Compliance Needs

 New Microsoft Blog

The pandemic has permanently changed how organizations of all sizes work. A substantial increase in hybrid and remote work has presented new compliance challenges, and organizations have responded by growing their compliance functions. A recent study shows that there were 257 average daily regulatory alerts across 190 countries in 2020 and keeping up with regulatory changes continues to be the top compliance challenge[1].

 

To help organizations simplify compliance and reduce risk, we built Microsoft Compliance Manager, generally available since September 2020. Compliance Manager translates complex regulatory requirements into specific recommended actions and makes them available through premium assessment templates, covering over 300 regulations and standards. By leveraging the universal mapping of actions and controls, premium assessment templates allow customers to comply with several requirements across multiple regulations or standards with one action, providing an efficient solution to manage overlapping compliance requirements. Premium assessment templates along with built-in workflows and continuous compliance updates allow organizations to constantly assess, monitor, and improve their compliance posture.

 

To meet customers where they are in their compliance journey, we are excited to announce that Compliance Manager premium assessment templates will no longer require a Microsoft 365 E5 or Office 365 E5 license as a prerequisite. This update enables all enterprise customers to assess compliance with the regulations most relevant to them and meet their unique compliance needs. Starting July 1st, 2021, all Enterprise customers, both commercial and government, can purchase premium assessment templates as long as they have any Microsoft 365 or Office 365 subscription. Customers who have already purchased a premium assessment template or are using the default templates included with their subscription will not experience any disruption or change. Customers with Microsoft 365 E1/E3 or Office 365 E1/E3 subscriptions will now be able to see the list of 300+ premium assessment templates in their tenants. The capability to create a new template, customize an existing template, or add customized actions to a given template will continue to require a Microsoft 365 E5 or Office 365 E5 subscription.

 We look forward to hearing your feedback.

 Get Started

Navigate to the Microsoft 365 compliance center or sign up for a Microsoft 365 E5 Compliance trial to get started with Compliance Manager premium assessments today! Compliance Manager premium assessment SKUs can be purchased in Microsoft admin center.

 Learn more:

  1. Compliance Manager licensing details.
  2. List of premium assessment templates here.
  3. Learn more about Compliance Manager here.
URL: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/use-premium-assessments-in-microsoft-compliance-manager-to-meet/ba-p/2494789