CVMAP for CVE Numbering Authorities (CNAs) and Authorized Data Publishers: NISTIR 8246

 

Intended audience: CNAs (CVE Numbering Authorities), Authorized Data Publishers

NIST announces the publication of NISTIR 8246, Collaborative Vulnerability Metadata Acceptance Process (CVMAP) for CVE Numbering Authorities (CNAs) and Authorized Data Publishers.

The number of Common Vulnerabilities and Exposures identifiers (CVE IDs) created year over year has rapidly increased, and this trend is expected to continue indefinitely. Currently, a National Vulnerability Database (NVD) analyst manually reviews each CVE and attaches multiple forms of CVE metadata that downstream consumers use to prioritize vulnerabilities and to assist automated vulnerability scanning tools. This is a labor-intensive process, and in many cases this metadata is provided by the source, or CNA (CVE Numbering Authority), of the CVE with no policies or procedures in place to validate and accept the information.

This NISTIR leverages the technical knowledge provided by the CNAs and the consistent application of CVE metadata by NVD analysts through the formalization of a CVE entry metadata submission process. This allows for more efficient integration of the CNAs’ efforts into the NVD analyst workflow, which directly benefits downstream users and improves the security of our national IT infrastructure.

Publication details: https://csrc.nist.gov/publications/detail/nistir/8246/final

National Vulnerability Database (NVD): https://nvd.nist.gov/

Chrome Extensions: Extending Too Far

If you trust Google and trust Chrome, the Chrome Web Store is a trusted place to look for extensions. Some are extremely useful, some are capable of blocking ads, some make the browser look like a game, and some do a little more than expected. Over 80 million Chrome users installed one of 295 Chrome extensions that hijack and insert ads into Google and Bing search results. AdGuard, an ad-blocking company, uncovered many of these extensions on the Chrome Web Store. The malicious browser extensions were divided into 3 groups:

· Extensions that load what appears to be an analytics script, which transforms based on cookies to allow it to add an obfuscated script into each freshly opened tab. This new script checks the page and, if it is a Bing or Google search results page, loads an image that has ads ‘coded in’. Most of the discoveries were of this group and consisted of background extensions.

· Extensions that use ‘cookie stuffing’ and ‘ad fraud’, generating “affiliate” cookies that earn revenue for site owners even though the user never visited the site. Only 6 were discovered, but with 1,650,000 total users.

· Extensions that are spam but could be malicious in the future. Although AdGuard did not disclose how many existed, the top 5 have 10 million users combined. These can share a similar name with a valid extension or perform a legitimate function, but the potential for malice exists in the ‘Google Tag Manager’ code. The Google Tag Manager account owner can change the ‘tag’ to upload new, potentially malicious code.

The biggest problem here is not that they were created, but that they persist. Google tried to put in strict review guidelines to help secure extensions, but they just frustrate legitimate developers, who suffer through complicated review processes, without limiting malware. Last year, Google included Chrome extensions in its bug bounty program. The blog writers at AdGuard believe “Google fails with managing Chrome Web Store and keeping it safe.” They do acknowledge “Google did do one thing right — they introduced a position of Chrome Extensions Developer Advocate.” But if the malicious extensions aren’t violating Chrome extension policies (and understand that remote code is allowed, meaning extensions can change their behavior at any time and remain within policy), they will be difficult to remove. Until Google fixes these issues, what can you do to protect yourself? The blog authors offered the following suggestions:

· Consider whether a browser extension is the only way to achieve a goal.

· Install extensions only from developers you trust.

· Don’t believe what you read in the extension’s description.

· User reviews won’t help. An extension can have excellent reviews & still be malicious.

· Don’t use the Chrome Web Store internal search; follow the links on the trusted developers’ website directly.

Sources:

· https://www.zdnet.com/article/cluster-of-295-chrome-extensions-caught-hijacking-google-and-bing-search-results/

· https://adguard.com/en/blog/fake-ad-blockers-part-3.html


40% of Android Phones Vulnerable to New System Attack

Attacks on specific chips or chipsets usually have wide-reaching implications. Devices tend to use off-the-shelf chips rather than develop their own, for a number of reasons. For Android phones the most popular processor chip family is the Qualcomm Snapdragon family of system-on-a-chip (SoC) devices. The Snapdragon is used in phones made by Samsung, Google, LG, and Xiaomi, to name a few. Recently, at the DEFCON Safe Mode security conference, researchers from Check Point revealed 6 critical flaws in the popular Snapdragon SoC that open nearly 40% of smartphones to attack.

Snapdragon is an SoC, meaning it contains various embedded components rather than being a traditional processor with a single task. One component it embeds is the digital signal processor (DSP), which is responsible for turning data from various sensors into digital data that the operating system can work with. The DSP is where the researchers focused their efforts after discovering that a software development kit (SDK) for the component was available. The SDK is intended for legitimate software that requires functionality the DSP provides. The researchers instead used it to get a clearer understanding of how to interface with the DSP, which normally operates as a black box to external software.

The researchers were able to develop their own instructions for the DSP that would allow them to do things like start a persistent DoS attack fixable only via a complete factory reset. They were also able to demonstrate a privilege escalation attack on the system, allowing them to completely take over the handset. Once the system is compromised in this manner, further malware would be able to completely hide its activity and become unremovable. In order to perform these attacks, the researchers say that a user needs to be tricked into running a malicious executable. This might not be too difficult, as the code can be embedded into legitimate-looking apps. Normal phone virus scanners won’t detect the presence of the malicious code because they don’t scan the SDK instruction sets.

Qualcomm was notified about the vulnerabilities between February and March of this year according to the researchers. Patches to the vulnerable components were developed in July but do not appear to have been pushed to handsets yet. Users of the affected devices should watch for future updates to ensure that their devices do not remain vulnerable to the attacks.

Sources:

Qualcomm Bugs Open 40 Percent of Android Handsets to Attack | Threatpost


Microsoft Security Blogs

 Title: Cyberattacks targeting health care must stop

URL: https://www.microsoft.com/security/blog/2020/11/18/cyberattacks-targeting-health-care-must-stop/
Overview: In recent months, we’ve detected cyberattacks from three nation-state
actors targeting seven prominent companies directly involved in researching
vaccines and treatments for COVID-19. The targets include leading
pharmaceutical companies and vaccine researchers in Canada, France, India,
South Korea, and the United States. The attacks came from Strontium, an actor
originating from Russia, and two actors…

Title: Hunt across cloud app activities with Microsoft 365 Defender advanced hunting
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857
Overview: We’re thrilled to share that the new CloudAppEvents table
is now available as a public preview in advanced hunting for Microsoft 365
Defender.

Title: Using the VirusTotal V3 API with MSTICPy and Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-virustotal-v3-api-with-msticpy-and-azure-sentinel/ba-p/1893121
Overview: MSTICPy, our CyberSec toolset for Jupyter notebooks, has supported
VirusTotal lookups since the very earliest days (the earliest days being only
around two years ago!). We recently had a contribution to MSTICPy from Andres
Ramirez and Juan Infantes at VirusTotal (VT), which provides a new Python
module to access the recently-released version 3 of their API.

Title: Modernize secure access for your on-premises resources with Zero
Trust
URL: https://www.microsoft.com/security/blog/2020/11/19/modernize-secure-access-for-your-on-premises-resources-with-zero-trust/
Overview: Change came quickly in 2020. More likely than not, a big chunk of
your workforce has been forced into remote access. And with remote work came an
explosion of bring-your-own-device (BYOD) scenarios, requiring your
organization to extend the bounds of your network to include the entire
internet (and the added security risks that come with…

Title: Upcoming Changes to Microsoft Information Protection Metadata Storage
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/upcoming-changes-to-microsoft-information-protection-metadata/ba-p/1904418
Overview: In Microsoft Information Protection (MIP) SDK version 1.7, changes
were made to support a new label metadata storage location for Office files –
Word, Excel, and PowerPoint. For your applications and services to continue
reading and writing MIP sensitivity labels for Office file types, it’s critical
that you update to MIP SDK version 1.7. Applications running older versions
will not be capable of reading the updated metadata format.

Title: Enriching DDoS Protection Alerts with Logic Apps
URL: https://techcommunity.microsoft.com/t5/azure-network-security/enriching-ddos-protection-alerts-with-logic-apps/ba-p/1928000
Overview: This post will detail how to create enriched DDoS Protection alerts
that will provide the information needed to triage and respond.

Title: IoT security: how Microsoft protects Azure Datacenters
URL: https://www.microsoft.com/security/blog/2020/11/23/iot-security-how-microsoft-protects-azure-datacenters/
Overview: Azure Sphere first entered the IoT Security market in 2018 with a
clear mission—to empower every organization on the planet to connect and create
secure and trustworthy IoT devices. Security is the foundation for durable
innovation and business resilience. Every industry investing in IoT must
consider the vulnerabilities of the cyberthreat landscape. For our customers,…

Title: Go inside the new Azure Defender for IoT including CyberX
URL: https://www.microsoft.com/security/blog/2020/11/25/go-inside-the-new-azure-defender-for-iot-including-cyberx/
Overview: In 2020, the move toward digital transformation and Industry 4.0 took
on new urgency with manufacturing and other critical infrastructure sectors
under pressure to increase operational efficiency and reduce costs. But the
cybersecurity model for operational technology (OT) was already shown to be
lacking before the pandemic. A series of major cyberattacks across industries
served… 

Title: Zerologon is now detected by Microsoft Defender for Identity
URL: https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/
Overview: There has been a huge focus on the recently patched CVE-2020-1472
Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While
Microsoft strongly recommends that you deploy the latest security updates to
your servers and devices, we also want to provide you with the best detection
coverage possible for your domain controllers. Microsoft Defender for…

Title: What’s New: Azure Sentinel Logic Apps Connector improvements and new capabilities
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-logic-apps-connector-improvements-and/ba-p/1888416
Overview: Azure Sentinel Logic Apps connector is the bridge between Sentinel
and Playbooks, serving as the basis of incident automation scenarios. As we
prepare for new Incident Trigger capabilities (coming soon), we have made some
improvements to bring the most updated experience to playbooks users.

Title: Deploying DDoS Protection Standard with Azure Policy
URL: https://techcommunity.microsoft.com/t5/azure-network-security/deploying-ddos-protection-standard-with-azure-policy/ba-p/1942133
Overview: One of the most important questions customers ask when deploying
Azure DDoS Protection Standard for the first time is how to manage the
deployment at scale. A DDoS Protection Plan represents an investment in
protecting the availability of resources, and this investment must be applied
intentionally across an Azure environment.

Title: Threat actor leverages coin miner techniques to stay under the
radar – here’s how to spot them
URL: https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/
Overview: BISMUTH, which has been running increasingly complex cyberespionage
attacks as early as 2012, deployed Monero coin miners in campaigns from July to
August 2020. The group’s use of coin miners was unexpected, but it was
consistent with their longtime methods of blending in.

CISA SolarWinds Orion Code Compromise Advisory

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of a vulnerability in SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, which were released between March 2020 and June 2020.

In response, CISA has published an urgent Current Activity Alert, “Active Exploitation of SolarWinds Software,” which can be found at:

https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software

and Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise,” directed at Federal Civilian Agencies, further emphasizing the urgency of this alert:

https://cyber.dhs.gov/ed/21-01/

CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures:

  • SolarWinds Security Advisory
  • FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
  • FireEye GitHub page: Sunburst Countermeasures

We kindly request that any questions, feedback, or incidents related to this product be reported to CISA at Central@cisa.gov or 888-282-0870.

NIST: Defining IoT Cybersecurity Requirements

Defining IoT Cybersecurity Requirements: Draft Guidance for Federal Agencies and IoT Device Manufacturers (SP 800-213, NISTIRs 8259B/C/D)

An incredible variety and volume of Internet of Things (IoT) devices are being produced. IoT devices are ever more frequently becoming integral elements of federal information systems. The NIST Cybersecurity for IoT Team is releasing public drafts of four documents providing guidance for federal agencies and IoT device manufacturers on defining IoT cybersecurity requirements, including supporting non-technical requirements, so that federal organizations can procure and integrate IoT securely and continue to meet their FISMA obligations. These four new documents expand the range of guidance for IoT cybersecurity. The initial foundation documents in this series are:

  • NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers
  • NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline

The new 800-series Special Publication (SP) and the three new documents in the NISTIR 8259 series that are being released as drafts for comment provide guidance to federal agencies and IoT device manufacturers, complementing the guidance in the initial foundational documents:

  • Draft NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, has background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management. SP 800-213 provides guidance on considering system security from the device perspective. This allows for the identification of IoT device cybersecurity requirements—the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties, respectively.
  • Draft NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline, complements the NISTIR 8259A device cybersecurity core baseline by detailing additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties. This non-technical baseline collects and makes explicit supporting capabilities like documentation, training, customer feedback, etc.
  • Draft NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline, describes a process, usable by any organization, that starts with the core baselines provided in NISTIRs 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop an IoT cybersecurity profile suitable for specific IoT device customers or applications. The process in NISTIR 8259C guides organizations needing to define a more detailed set of capabilities responding to the concerns of a specific sector, based on some authoritative source such as a standard or other guidance, and could be used by organizations seeking to procure IoT technology or by manufacturers looking to match their products to customer requirements.
  • Draft NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government, provides a worked example result of applying the NISTIR 8259C process, focused on the federal government customer space, where the requirements of the FISMA process and the SP 800-53 security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-centric, cybersecurity-oriented profile of the NISTIR 8259A and 8259B core baselines, calibrated against the FISMA low baseline described in NIST SP 800-53B as an example of the criteria for minimal securability for federal use cases.

NIST appreciates all comments, concerns, and identification of areas needing clarification. Ongoing discussion with the stakeholder community is welcome as we work to improve the cybersecurity of IoT devices. Community input is specifically sought regarding the mapping of specific reference document content to the items in Table 1 of NISTIR 8259B and Tables 1 and 2 of NISTIR 8259D, to populate the fourth column, “IoT Reference Examples.” Table 1 in NISTIR 8259A can be used as a model for these informative reference mappings.

A public comment period for these documents is open through February 12, 2021. See the publications’ details (linked above) for copies of the drafts and instructions for submitting comments.

Comments, questions, and other concerns should be sent to iotsecurity@nist.gov.

NOTE: A call for patent claims is included in each document. For additional information, see the Information Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL Publications.

Publication details:

Draft SP 800-213, https://csrc.nist.gov/publications/detail/sp/800-213/draft

Draft NISTIR 8259B, https://csrc.nist.gov/publications/detail/nistir/8259b/draft

Draft NISTIR 8259C, https://csrc.nist.gov/publications/detail/nistir/8259c/draft

Draft NISTIR 8259D, https://csrc.nist.gov/publications/detail/nistir/8259d/draft

NISTIR 8259, https://csrc.nist.gov/publications/detail/nistir/8259/final

NISTIR 8259A, https://csrc.nist.gov/publications/detail/nistir/8259a/final


NIST Cybersecurity for IoT Program: https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program

ITL Patent Policy: https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications

More Microsoft Security Blogs

Title: Microsoft Information Protection and Microsoft Azure Purview: Better Together
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-information-protection-and-microsoft-azure-purview/ba-p/1957481
Overview: Data is growing exponentially. Organizations are under pressure to
turn that data into insights, while also meeting regulatory compliance
requirements. But to truly get the insights you need – while keeping up with
compliance requirements like the General Data Protection Requirement (GDPR) –
you need to know what data you have, where it resides, and how to govern it.
For most organizations, this creates arduous ongoing challenges. 

Title: Deliver productive and seamless users experiences with Azure Active Directory
URL: https://www.microsoft.com/security/blog/2020/12/07/deliver-productive-and-seamless-users-experiences-with-azure-active-directory/
Overview: Learn how identity has become the new security perimeter and how an
identity-based framework reduces risk and improves productivity.

Title: Microsoft Defender for Endpoint on iOS is generally available
URL: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-on-ios-is-generally-available/ba-p/1962420
Overview: Today, we’re excited to announce that Microsoft has reached a new
milestone in our cross-platform security commitment with the general
availability of our iOS offering for Microsoft Defender for Endpoint, which
adds to the already existing Defender offerings on macOS, Linux, and Android.

Title: What’s New: 80 out of the box hunting queries!
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-80-out-of-the-box-hunting-queries/ba-p/1892067
Overview: Threat hunting is a powerful way for the SOC to reduce organizational
risk, but it’s commonly portrayed and seen as a complex and mysterious art form
for deep experts only, which can be counterproductive. Sophisticated
cybercriminals burrow their way into network caverns, avoiding detection for
weeks or even months, as they gather information and escalate privileges. If
you wait until these advanced persistent threats (APT) become visible, it can
be costly and time-consuming to address. In today’s cybersecurity landscape, SOC
analysts need controls and integrated toolsets to search, filter, and pivot
through their telemetry to derive relevant insights faster. 

Title: Digital Defense integrates with Microsoft to detect attacks missed by traditional endpoint security
URL: https://www.microsoft.com/security/blog/2020/12/08/digital-defense-integrates-with-microsoft-to-detect-attacks-missed-by-traditional-endpoint-security/
Overview: Cybercriminals have ramped up their initial compromises through
phishing and pharming attacks using a variety of tools and tactics that, while
numerous, are simple and can often go undetected.

Title: How to setup a Canarytoken and receive incident alerts on Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-setup-a-canarytoken-and-receive-incident-alerts-on-azure/ba-p/1964076
Overview: With Azure Sentinel you can receive all sorts of security telemetry,
events, alerts, and incidents from many different and unique sources. Those
sources can be firewall logs, security events, audit logs from identity and cloud
platforms. In addition, you can create digital trip wires and send that data to
Azure Sentinel. Ross Bevington first explained this concept for Azure Sentinel
in “Creating digital tripwires with custom threat intelligence feeds for Azure Sentinel”. Today you can walk through and expand your threat detection capabilities in Azure Sentinel using Honey Tokens or, in this case, Canarytokens.

Title: Bring threat intelligence from Sixgill using TAXII Data Connector
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/bring-threat-intelligence-from-sixgill-using-taxii-data/ba-p/1965440
Overview: As discussed in the blog Bring your threat intelligence to Azure Sentinel, Azure
Sentinel provides various ways to import threat intelligence into the ThreatIntelligenceIndicator
log analytics table from where it can be used in various parts of the product
like hunting, investigation, analytics, workbooks etc.

Microsoft Security Blogs

Microsoft’s latest security blogs, including some with more information about recent attacks.

Title: Announcing EDR in block mode general availability
URL: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-edr-in-block-mode-general-availability/ba-p/1972064
Overview: We’re very excited to announce today that endpoint detection and
response (EDR) in block mode is generally available.

Title: EDR in block mode stops IcedID cold
URL: https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/
Overview: Endpoint detection and response (EDR) in block mode in Microsoft
Defender for Endpoint turns EDR detections into real-time blocking of threats.
Learn how it stopped an IcedID attack.

Title: Building a Zero Trust business plan
URL: https://www.microsoft.com/security/blog/2020/12/09/building-a-zero-trust-business-plan/
Overview: These past six months have been a remarkable time of transformation
for many IT organizations. With the forced shift to remote work, IT
professionals have had to act quickly to ensure people continue working
productively from home—in some cases bringing entire organizations online over
a weekend. While most started by scaling existing approaches, many
organizations…

Title: Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers
URL: https://www.microsoft.com/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/
Overview: A persistent malware campaign has been actively distributing Adrozek,
an evolved browser modifier malware at scale since at least May 2020. At its
peak in August, the threat was observed on over 30,000 devices every day. The
malware is designed to inject ads into search engine results pages and affects
multiple browsers.

Title: New cloud-native breadth threat protection capabilities in Azure
Defender
URL: https://www.microsoft.com/security/blog/2020/12/10/new-cloud-native-breadth-threat-protection-capabilities-in-azure-defender/
Overview: As the world adapts to working remotely, the threat landscape is
constantly evolving, and security teams struggle to protect workloads with
multiple solutions that are often not well integrated nor comprehensive enough.
This results in serious threats avoiding detection, as well as security teams
suffering from alert fatigue. Azure Defender helps security professionals with
an…

Title: Additional email data in advanced hunting
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/additional-email-data-in-advanced-hunting/ba-p/1985849
Overview: We’re thrilled to share new enhancements to the advanced hunting data
for Office 365 in Microsoft 365 Defender. Following your feedback we’ve added
new columns and optimized existing columns to provide more email attributes you
can hunt across. These additions are now available in public preview.

Title: Siemens USA CISO: 3 essentials to look for in a cloud provider
URL: https://www.microsoft.com/security/blog/2020/12/14/siemens-usa-ciso-3-essentials-to-look-for-in-a-cloud-provider/
Overview: Learn why Kurt John of Siemens USA sees continued migration to the
cloud as inevitable across industries.

Title: Ensuring customers are protected from Solorigate
URL: https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/
Overview: Microsoft is monitoring a dynamic threat environment surrounding the
discovery of a sophisticated attack that included compromised binaries from a
legitimate software. These binaries, which are related to the SolarWinds Orion
Platform, could be used by attackers to remotely access devices. On Sunday, December
13, Microsoft released detections that alerted customers to the presence of…


SolarWinds Post-Compromise Hunting with Azure Sentinel

Microsoft recently blogged about the Recent Nation-State Cyber Attacks that have impacted high-value targets across both the government and the private sector. This attack is also known as Solorigate or Sunburst. This threat actor is believed to be highly sophisticated and motivated. Relevant security data required for hunting and investigating such a complex attack is produced in multiple locations – cloud, on-premises, and across multiple security tools and product logs. Being able to analyze all the data from a single point makes it easier to spot trends and attacks. Azure Sentinel has made it easy to collect data from multiple data sources across different environments, both on-premises and cloud, with the goal of connecting that data together more easily. This blog post contains guidance and generic approaches to hunt for attacker activity (TTPs) in data that is available by default in Azure Sentinel or can be onboarded to Azure Sentinel.

The goal of this article is to present post-compromise investigation strategies; it is focused on TTPs and not on specific IOCs. Azure Sentinel customers are encouraged to review advisories and IOCs shared by Microsoft MSRC and security partners and to search for those specific IOCs in their environment using Azure Sentinel. Links to these IOCs are listed in the reference section at the end.

Link to article: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095

Hackers Exploiting VMWare

This week, the NSA released an announcement saying, “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.” This vulnerability is tracked as CVE-2020-4006 (CVSS score 7.2), which was issued on 23 November 2020 but updated recently with VMware’s patch release on 3 December 2020.

The issue is tracked in VMware’s advisory VMSA-2020-0027.2. The advisory lists the impacted products as: VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

Exploitation is via command injection, which leads to installation of a web shell allowing further malicious activity. Exploitation, however, requires both knowledge of a valid password and access to the web-based management interface. Strong passwords and keeping the web-based management interface inaccessible from the internet mitigate the issue. Although patching is the recommended solution, workarounds such as disabling the configurator service can put a temporary fix in place until patching can be accomplished.

The release notes that detection methods are unlikely to identify this exploit, since the compromise activity occurs exclusively inside a TLS tunnel to the web interface. Indicators in system logs can suggest that a compromise may have occurred; one such indicator looks like an exit statement followed by a 3-digit number, such as “exit 123”.
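As an added example (not code from the NSA release, the VMware advisory, or this newsletter), the following Python checks log lines for the indicator described above: the word “exit” followed by a space and exactly three digits. The sample log lines are constructed for the demonstration and are not real VMware output, and the log file path passed to scan_log_file is left to the operator, since the page does not name one.

```python
import re
from typing import Iterable, List, Tuple

# The indicator as summarized above: "exit" + space + exactly three digits,
# e.g. "exit 123". Word boundaries keep "exit 1234" or "exit 12" from matching,
# which reduces noise from ordinary process-exit messages.
EXIT_INDICATOR = re.compile(r"\bexit \d{3}\b")


def find_exit_indicators(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for each log line that contains the
    'exit NNN' pattern. This only surfaces candidates; an analyst still has to
    review the surrounding log context before treating a hit as a compromise."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        if EXIT_INDICATOR.search(line):
            hits.append((lineno, line.rstrip("\n")))
    return hits


def scan_log_file(path: str) -> List[Tuple[int, str]]:
    """Scan a log file on disk (path chosen by the operator; assumed, not from
    the page). errors='replace' so a stray non-UTF-8 byte does not abort the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_exit_indicators(fh)


# Constructed sample log lines (not real VMware output) used to exercise the matcher.
SAMPLE_LOG = [
    "2020-12-03 10:01:12 INFO  configurator started",
    "2020-12-03 10:02:45 INFO  user admin authenticated",
    "2020-12-03 10:03:01 DEBUG exit 123",                       # hit: three digits
    "2020-12-03 10:03:02 DEBUG process exit 5",                  # no hit: one digit
    "2020-12-03 10:03:03 DEBUG exit 1234 recorded",              # no hit: four digits
    "2020-12-03 10:04:10 WARN  unexpected exit 017 from child",  # hit: three digits
]

if __name__ == "__main__":
    for lineno, text in find_exit_indicators(SAMPLE_LOG):
        print(f"line {lineno}: {text}")
```

Run against SAMPLE_LOG the scanner reports lines 3 and 6 only; the single-digit and four-digit variants are skipped by design. Because the advisory describes this as a suggestive indicator rather than proof of compromise, the function returns candidates for review instead of raising an alert on its own.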

The VMware advisory also provides a direct reference to their knowledge base, in a matrix addressing all the impacted products, patches, versions, workarounds, etc.

This article has highlighted two things that will likely never change. First, you need to stay patched and current; it’s the best way to be proactive and prevent a compromise in any system. Second, the human factor will always be vulnerable, be it spear-phishing or brute force attacks on weak user passwords. Do everything you can to educate, and when that fails, clean and disable bad links and enforce policy that deters users from making bad choices. You’ve read these countless times before here… but we can’t tell you any more. Go do it.

Sources:

CSA_VMWARE ACCESS_U_OO_195076_20.PDF (defense.gov) 

VMSA-2020-0027.2 (vmware.com)

NSA Warns Russian Hacker Exploiting VMware Bug to Breach Corporate Networks (thehackernews.com)