More Security Blogs From Microsoft

 

Title: Terranova Security Gone Phishing Tournament reveals continued weak
spot in cybersecurity
URL: https://www.microsoft.com/security/blog/2020/12/16/terranova-security-gone-phishing-tournament-reveals-continued-weak-spot-in-cybersecurity/

Overview: See which industries had the highest click rates, as well as results
sorted by organization size, previous training, and more.

 

Title: Data Connector Health – Push Notification Alerts
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/data-connector-health-push-notification-alerts/ba-p/1996442

Overview: This enhanced solution builds on the existing “Connector Health
Workbook” described in this video. The Logic App leverages underlying KQL queries to
provide you with an option to configure “Push notifications” to e-mail and/or a
Microsoft Teams channel based on user defined anomaly scores as well as time
since the last “Heartbeat” from Virtual Machines connected to the workspace.
Below is a detailed description of how the rule and the logic app are put
together. The solution is available for deployment from the official Azure
Sentinel GitHub repo on this link .

 

Title: Becoming resilient by understanding cybersecurity risks: Part 2
URL: https://www.microsoft.com/security/blog/2020/12/17/becoming-resilient-by-understanding-cybersecurity-risks-part-2/

Overview: Whilst this may be uncomfortable reading, the ability to pre-empt and
respond quickly to these attacks is now an organizational imperative that requires
a level of close collaboration and integration throughout your organization
(which may not have happened to date).

 

Title: A breakthrough year for passwordless technology
URL: https://www.microsoft.com/security/blog/2020/12/17/a-breakthrough-year-for-passwordless-technology/ 

Overview: Learn how Microsoft and its partners are advancing IAM through secure
passwordless access.

 

Title: A “quick wins” approach to securing Azure Active Directory and
Office 365 and improving your security posture

URL: https://www.microsoft.com/security/blog/2020/12/17/a-quick-wins-approach-to-securing-azure-active-directory-and-office-365-and-improving-your-security-posture/
Overview: This blog post will explain simple Microsoft security defaults and
Secure Score—two features you should take advantage of that are easy to utilize
and can significantly improve security in Azure AD and Office 365
configurations.

 

Title: New Advanced Hunting data source assists recent nation-state
attack investigations

URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/new-advanced-hunting-data-source-assists-recent-nation-state/ba-p/1999523
Overview: We are happy to announce the availability of a new data source in Microsoft 365 Defender Advanced Hunting.

 

Title: Announcing new Microsoft Information Protection capabilities to
know and protect your sensitive data
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/announcing-new-microsoft-information-protection-capabilities-to/ba-p/1999692

Overview: Microsoft Information Protection (MIP) is a built-in,
intelligent, unified, and extensible solution to protect sensitive data in
documents and emails across your organization. MIP provides a unified set of
capabilities to know and protect your data and prevent data loss across
Microsoft 365 apps (e.g., Word, PowerPoint, Excel, Outlook), services (e.g.,
Microsoft Teams, SharePoint, Exchange, Power BI), on-premises locations (e.g.,
SharePoint Server, on-premises files shares), devices, and third-party apps and
services (e.g., Box and Dropbox).

 

Title: Collaborative innovation on display in Microsoft’s insider risk
management strategy

URL: https://www.microsoft.com/security/blog/2020/12/17/collaborative-innovation-on-display-in-microsofts-insider-risk-management-strategy/

Overview: Partnering with organizations like Carnegie Mellon University allows
us to bring their rich research and insights to our products and services, so
customers can fully benefit from our breadth of signals.  

 

Title: New Threat analytics report shares the latest intelligence on
recent nation-state cyber attacks

URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/new-threat-analytics-report-shares-the-latest-intelligence-on/ba-p/2001095

Overview: Microsoft security researchers have been investigating and responding
to the recent nation-state cyber-attack involving a supply-chain compromise
followed by cloud assets compromise.

Free, self-paced tutorials for Windows Virtual Desktop

 Deploy
and scale virtualized desktops and apps on Azure for more secure, productive
remote work—for all employees at any location. Explore these tutorials from
Microsoft Learn to get started with Windows Virtual Desktop.

Take
the tutorials to:

  • Understand configuration
    workflow steps and get a checklist to help you prepare, deploy, and
    optimize.
  • Learn how to enable concurrent
    users on a single virtual machine (VM) with simplified server
    management—and learn your options to load balance users using VM host pools.

Find out how to virtualize across
devices—including Windows, Mac, iOS, and Android—to access remote desktops and
apps.


Go here

Solorigate Resources

     Microsoft security researchers continue to investigate and respond to the sophisticated cyberattack known as Solorigate (also referred to as Sunburst by FireEye) involving a supply chain compromise and the subsequent compromise of cloud assets. While the related investigations and impact assessments are ongoing, Microsoft is providing visibility into the attack chains and related threat intelligence to the defender community as early as possible so organizations can identify and take action to stop this attack, understand the potential scope of its impact, and begin the recovery process from this active threat. We have established a resource center that is constantly updated as more information becomes available at https://aka.ms/solorigate.

    Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers.

For detail info click here

CISA Releases CISA Insights and Creates Webpage on Ongoing APT Cyber Activity

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber Awareness System Current Activity for
Cybersecurity and Infrastructure Security Agency. This information has recently
been updated, and is now available.

CISA
Releases CISA Insights and Creates Webpage on Ongoing APT Cyber Activity

12/23/2020 12:55 PM EST

 

Original
release date: December 23, 2020

CISA is tracking a known compromise involving SolarWinds Orion products that
are currently being exploited by a malicious actor. An advanced persistent
threat (APT) actor is responsible for compromising the SolarWinds Orion
software supply chain, as well as widespread abuse of commonly used
authentication mechanisms. If left unchecked, this threat actor has the
resources, patience, and expertise to resist eviction from compromised networks
and continue to hold affected organizations at risk.

In response to this threat, CISA has issued CISA Insights: What
Every Leader Needs to Know About the Ongoing APT Cyber Activity
. This CISA
Insights provides information to leaders on the known risk to organizations and
actions that they can take to prioritize measures to identify and address these
threats.

CISA has also created a new Supply
Chain Compromise webpage
to consolidate the many resources—including Emergency
Directive (ED) 21-01
and Activity Alert AA20-352A:
Advanced Persistent Threat Compromise of Government Agencies, Critical
Infrastructure, and Private Sector Organizations
—that we have released on
this compromise. CISA will update the webpage to include partner resources that
are of value to the cyber community.

To read the latest CISA Insights, visit CISA.gov/insights.
For more information on the SolarWinds Orion software compromise, visit CISA.gov/supply-chain-compromise.

This product is provided subject to this Notification
and this Privacy
& Use
policy.

CERT Active Exploitation of SolarWinds Software

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of
active exploitation of SolarWinds Orion Platform software versions 2019.4
through 2020.2.1, released between March 2020 and June 2020.

CISA encourages affected organizations to read the SolarWinds and FireEye advisories for
more information and FireEye’s GitHub page for detection countermeasures:

This product is provided subject to this Notification
and this Privacy
& Use
policy.

CISA Releases Free Detection Tool for Azure/M365 Environment

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber
Awareness System Current Activity for Cybersecurity and Infrastructure
Security Agency. This information has recently been updated, and is now
available.

CISA Releases Free Detection Tool for Azure/M365
Environment

12/24/2020
07:19 PM EST

 

Original release date: December 24, 2020

CISA has created a free tool for
detecting unusual and potentially malicious activity that threatens users and
applications in an Azure/Microsoft O365 environment. The tool is intended for
use by incident responders and is narrowly focused on activity that is
endemic to the recent identity- and authentication-based attacks seen in
multiple sectors.

CISA strongly encourages users and
administrators to visit the following
GitHub page for additional information and detection
countermeasures.

This product is
provided subject to this
Notification and this Privacy & Use policy.

Having trouble viewing this
message? 
View it as a webpage

You are subscribed to updates from the
Cybersecurity and
Infrastructure Security Agency

(CISA)
Manage Subscriptions  |  Privacy Policy  |  Help

Connect with CISA:
Facebook 
Twitter 
Instagram 
LinkedIn 
|  
YouTube



This email was sent to [email protected] using GovDelivery Communications Cloud,
on behalf of: Cybersecurity and Infrastructure Security Agency · 707 17th
St, Suite 4000 · Denver, CO 80202

GovDelivery logo

Protecting Microsoft 365 from on-premises attacks

 This Post by Alex Weinert is important to read 

Protecting Microsoft 365 from on-premises attacks

Many customers connect their private corporate networks to Microsoft 365 to benefit their users, devices, and applications. However, there are many well-documented ways these private networks can be compromised. As we have seen in recent events related to the SolarWinds compromise, on-premises compromise can propagate to the cloud. Because Microsoft 365 acts as the “nervous system” for many organizations, it is critical to protect it from compromised on-premises infrastructure.

 

This document will show you how to configure your systems to protect your Microsoft 365 cloud environment from on-premises compromise. We primarily focus on Azure AD tenant configuration settings, the ways Azure AD tenants can be safely connected to on-premises systems, and the tradeoffs required to operate your systems in ways that protect your cloud systems from on-premises compromise.

 

We strongly recommend you implement this guidance to secure your Microsoft 365 cloud environment.

Please read the Full Blog HERE

Microsoft Advice for incident responders on recovery from systemic identity compromises

 As Microsoft alongside our industry partners and the security community continues to investigate the extent of the Solorigate attack, our goal is to provide the latest threat intelligence including IOCs and guidance across our products and solutions to help the community fight back against, harden your infrastructure, and begin to recover from this attack of unprecedented scale. As new information becomes available, we will make updates to this article.

This blog will outline lessons learned from this and other incident response to date in on-premises and cloud environments. This latest guidance is for customers looking to re-establish trusted identities for credentials that are suspected of compromise by Solorigate malware.

This article is intended to give experienced incident responders some advice on techniques to consider when helping an organization respond to a suspected systemic identity compromise, like we’re seeing in some victims of the Solorigate malware, based on our experience in the field in similar scenarios. Re-establishing trust in the organization’s on-premises and cloud environments with minimal business impact requires in-depth investigation and an understanding of potential methods of persistence. While not meant to cover every possible scenario, this guidance is intended to summarize our experience with similar customer breaches and will be updated if we learn of new information that would help with successful recovery. Please review the resources referenced at the end of this article for additional information. This information is provided as-is and constitutes generalized guidance; the ultimate determination about how to apply this guidance to your IT environment and tenant(s) must consider your unique environment and needs, which each Customer is in the best position to determine.

The Solorigate investigation referenced in this guidance is ongoing at the time of publication and our teams continue to act as first responders to these attacks. As new information becomes available, we will make updates through our Microsoft Security Response Center (MSRC) blog.

Overview of the intrusion

As described in this Microsoft blog post, the hallmarks of this actor’s activity include, but are not limited to, the following techniques that are likely to result in systemic identity compromise:

  • An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. Read our in-depth technical analysis of the Solorigate malware.
  • An intruder using administrative permissions (acquired through an on-premises compromise) to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens to impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
  • Anomalous logins using the SAML tokens signed with a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. An organization may miss the use of illegitimate SAML tokens because they are signed with a legitimate certificate.
  • The use of highly privileged accounts (acquired through the technique above or other means) to add illegitimate credentials to existing application service principals, enabling the attacker to call APIs with the permission assigned to that application.

Overview of response objectives

Organizations that have experienced systemic identity compromise need to start recovery by re-establishing trustworthy communications. This will enable effective triage and coordination of business operations recovery.

Many organizations have complex internal and external interdependencies. Core business processes and applications in an organization are likely to be temporarily impacted during recovery efforts until trust within your environment is re-established. Microsoft recommends that Incident Responders establish secure communications with key organizational personnel as the first step toward organizational recovery. If your investigation indicates that the attacker has used techniques outside of identity compromise at lower levels of your organizations’ infrastructure, such as hardware or firmware attacks, you will need to address those threats to reduce the risk of re-compromise.

Response objectives in approximate order:

  1. Establish secure communications for personnel key to the investigation and response effort.
  2. Investigate the environment for persistence and initial access point, while establishing continuous monitoring operations during recovery efforts.
  3. Regain and retain administrative control of your environment and remediate or block possible persistence techniques and initial access exploits.
  4. Improve posture by enabling security features and capabilities following best practice recommendations.

We recommend that incident responders review and digest the entirety of this guidance before taking action, as the specific order of actions taken to achieve the response objectives is very situational and depends heavily on the results (and completeness) of investigation and the business constraints of the specific organization. The following sections describe the incident Response techniques we recommend you consider for each of the above objectives.

Establish secure communications and productivity

Successful response requires being able to communicate without the attacker eavesdropping on your communications. Until you have achieved assurance in the privacy of your communications on your current infrastructure, use completely isolated identities and communication resources to coordinate your response and discuss topics that could potentially tip off the attacker to your investigation. Until your investigation has achieved assurance in actor eviction, we strongly recommend that you keep all incident-related comms isolated to enable you to have the element of surprise when taking remediation actions.

  • Initial one-on-one and group communications can be achieved through phone (PSTN) calling, conference bridges not connected to the corporate infrastructure, and end-to-end encrypted messaging solutions.
  • One way that many customers have established secure productivity and collaboration is to create a new Office 365 tenant which is completely isolated from the organization’s production tenant and create accounts only for the key personnel needed, and any incident response vendors or partners who need to be part of the response.
    • Make sure to follow best practices for securing this tenant, especially administrative accounts and rights by default. The new tenant should be limited on Administrative rights along with no trusts with outside applications or vendors. If you need further assistance or want information on hardening Microsoft 365, you can review the guidance here.

Investigate your environment

Once your incident responders and key personnel have a secure place to collaborate, the next step is to investigate the suspected compromised environment. Successful investigation will be a balance between getting to the bottom of every anomalous behavior to fully scope the extent of attacker activity and persistence and taking action quickly to stop any further activity on objectives by the attacker. Successful remediation requires as complete an understanding of the initial method of entry and persistence mechanisms controlled by the attacker as possible. Any persistence mechanisms missed could result in continued access by the attacker and potential for re-compromise.

  • Investigate and review cloud environment logs for suspicious actions and attacker IOCs, including:
    • Unified Audit Logs (UAL).
    • Azure Active Directory (Azure AD) logs.
    • Active Directory logs.
    • Exchange on-prem logs.
    • VPN logs.
    • Engineering systems logging.
    • Antivirus and endpoint detection logging.

  • Review endpoint audit logs for changes from on-premises for actions including, but not limited to, the following:
    • Group membership changes.
    • New user account creation.
    • Delegations within Active Directory.
    • Along with other typical signs of compromise or activity.

  • Review Administrative rights in your environments

    • Review privileged access in the cloud and remove any unnecessary permissions. Implement Privileged Identity Management (PIM); setup Conditional Access policies to limit administrative access during hardening.
    • Review privileged access on-premise and remove unnecessary permissions. Reduce membership of built-in groups, verify Active Directory delegations, harden Tier 0 environment, and limit who has access to Tier 0 assets.
    • Review all Enterprise Applications for delegated permissions and consent grants that allow (sample script to assist):
      • Modification of privileged users and roles.
      • Reading or accessing all mailboxes.
      • Sending or forwarding email on behalf of other users.
      • Accessing all OneDrive or SharePoint sites content.
      • Adding service principals that can read/write to the Directory.

    • Review access and configuration settings for the following Office 365 products:
      • SharePoint Online Sharing
      • Teams
      • PowerApps
      • OneDrive for Business

    • Review user accounts

      • Review and remove guest users that are no longer needed.
      • Review email configurations using Hawk or something similar.
        • Delegates
        • Mailbox folder permissions
        • ActiveSync mobile device registrations
        • Inbox Rules
        • Outlook on the Web Options

      • Validate that both MFA and self-service password reset (SSPR) contact information for all users is correct.

You may find that one or more of the logging sources above are data sources that the organization does not currently include in its security program. Some of them, especially the logging available in the cloud, are available only if configured and we recommend that you configure them as soon as possible to enable both the detections in the next section and forensics review of logs going forward. Make sure to configure your log retention to support your organization’s investigation goals going forward and retain evidence, if needed for legal, regulatory, or insurance purposes.

Establish continuous monitoring

There are many ways to detect activity associated with this campaign. Exactly how your organization will detect attacker behavior depends on which security tools you have available, or choose to deploy in response. Microsoft has provided examples publicly for some of the core security products and services that we offer and are continually updating those documents as new threat intelligence is identified related to this attacker. If you use other vendor’s products, review your vendor’s recommendations, and review the Microsoft documentation below to understand the detection techniques if you need to implement analogous detections in your environment on your own.

For readers using Azure Sentinel in their environments, review SolarWinds Post-Compromise Hunting guidance.

For readers using Microsoft Defender for Endpoint, review our guidance here, and review Microsoft Defender Antivirus guidance.

To Learn More go here

Microsoft Responding to sophisticated cyberattacks

Microsoft
is aware of a sophisticated attack that utilizes malicious SolarWinds software.
On December 17, 2020, Brad Smith posted a blog sharing the most up to date information
and detailed technical information for defenders.

As this is an ongoing investigation, Microsoft cybersecurity teams continue to
act as first responders to these attacks. We know that customers and partners
will have ongoing questions and Microsoft is committed to providing timely
updates as new information becomes available. We will make updates through our
Microsoft Security Response Center (MSRC) blog at https://aka.ms/solorigate.

There are a number of published resources to assist customers in securing their
environments:



We have published a blog outlining this dynamic threat landscape
and the principles with which we are approaching the investigation.

We have published an anchor blog with technical details of the attack.
This blog will be updated with new information as the investigation
continues. Customers should look to this blog as the one stop for updates on
the sophisticated attack.

Microsoft Defender antivirus and Microsoft Defender for
Endpoint have released protections for the malicious SolarWinds software and
other artifacts from the attack.

Microsoft Azure Sentinel has released guidance to help Azure Sentinel customers
hunt in their environments for related activity we have observed with this
sophisticated attack.

Microsoft 365 Defender and Microsoft Defender for Endpoint
customers should review the Threat Analytics article within the Defender console
(sign-in is required)
for information about detection and
potential impact to their environments.

For any Microsoft Threat Experts (MTE) customers, where we
have observed suspicious activity in the customers’ environments, we have
completed Targeted Account Notifications.

If a customer has any product support related needs, please
continue to direct them to Microsoft Support (CSS) who remain the primary
place for all customer support needs.

For Identity professionals and Microsoft 365 admin, we have
published a blog with guidance on how to protect Microsoft 365 from on-premises attacks.




Microsoft Blog Posts

December 13 – Customer Guidance on Recent Nation-State Cyber Attacks
– Microsoft Security Response Center

December 13 – Important steps for customers to protect themselves
from recent nation-state cyberattacks

December 15 – Ensuring customers are protected from Solorigate

December 16 – SolarWinds Post-Compromise Hunting with Azure Sentinel
– Microsoft Tech Community

December 17 – A moment of reckoning: the need for a strong and global
cybersecurity response

December 18 – Analyzing Solorigate, the compromised DLL file that
started a sophisticated cyberattack, and how Microsoft Defender helps protect
– Microsoft Security

December 18 – Protecting Microsoft 365 from on-premises attacks




Advisories
& Additional Resources




If your customer has a specific question regarding FireEye,
please refer them to the FireEye Advisory.

If your customer has a specific question regarding SolarWinds,
please refer them to the SolarWinds Advisory.

The Cybersecurity and Infrastructure Security Agency (CISA)
has published a set of information and guidance here. For individual country-specific
guidance, customers and partners should refer to information from the
appropriate law enforcement or other government entity in that jurisdiction.

Three million internet users are believed to have installed extensions that contain malicious code

 Browser extensions are usually useful, sometimes fun —  and occasionally dangerous.

That’s the case for at least 28 browser extensions analyzed by Avast Threat Intelligence researchers after the threat was identified by Czech researchers at CZ.NIC. The affected extensions contain malware and include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock, as well as additional browser extensions for Google Chrome and Microsoft Edge. According to the browser store download numbers, more than three million people may be affected worldwide.

Avast said it found code to:

  • redirect user traffic to ads
  • redirect user traffic to phishing sites
  • collect personal data, such as birth dates, email addresses, and active devices
  • collect browsing history
  • download further malware onto a user’s device

“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular and then pushed an update containing the malware,” Avast researcher Jan Rubin says. “It could also be that the author sold the original extensions to someone else after creating them and then his client introduced the malware afterwards.”

The infected JavaScript-based extensions contain malicious code that makes it possible to download even more malware to a person’s computer. They also manipulate all links that the victims click on after downloading the extensions. For example, links in Google Search leads users to other, seemingly random, sites. This includes phishing sites and ads. 

“We believe that these domains are not owned by the cybercriminals, but that the owners of these domains pay the cybercriminals for every redirection,” Rubin says.

Clicking on the links also causes the extensions to send information to the attacker’s control server, creating a log of all of their clicks. That log is then sent to third-party websites and can be used to collect personal information about the user, including birth date, email addresses, device information, first sign in time, last login time, name of their device, operating system, browser used and version, and IP address.

The Avast Threat Intelligence team started monitoring this threat in November 2020, but believe that it could have been active for years without anyone noticing. In fact, there are reviews on the Chrome Web Store mentioning link hijacking from as far back as December 2018. That means it’s possible this has been infecting people’s devices for much longer than researchers have been aware of the threat.

At the time of publishing, the infected extensions are still available for download. If you suspect you might have downloaded one, Avast researchers recommend disabling and uninstalling them immediately and then scan for and remove malware. They have also reported the issue to Microsoft and Google, who are  into it.

Below is the list of Chrome extensions that Avast said it found to contain malicious code:

Below is the list of Edge extensions that Avast said it found to contain malicious code:

Source: Malicious Browser Extensions | Avast