|
Month: January 2021
New security blogs from Microsoft
Title:
Microsoft Cloud App Security User Interface Updates
Overview: In the coming months, Cloud App Security will be updating its UI to provide a more consistent experience across Microsoft 365 security portals.
Title: Protect your Box
environment and Data using Microsoft Cloud App Security
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/protect-your-box-environment-and-data-using-microsoft-cloud-app/ba-p/2080226
We have a new Microsoft Security blog for your consideration.
Title: What’s new:
Dedicated clusters for Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-dedicated-clusters-for-azure-sentinel/ba-p/2072539
Overview: If you ingest over 1Tb per day into your Azure Sentinel workspace and/or
have multiple Azure Sentinel workspaces in your Azure enrolment, you may want
to consider migrating to a dedicated cluster, a recent addition to the
deployment options for Azure Sentinel.
Title: Categorizing
Microsoft alerts across data sources in Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/categorizing-microsoft-alerts-across-data-sources-in-azure/ba-p/1503367
Overview: In today’s security operation centers (SOCs),
analysts have a large set of security solutions that they leverage to protect
their organization and monitor activity. However, when setting up a SIEM it is
challenging to prioritize what data to ingest and what protections each
solution provides. SOCs must consider size and cost of ingestion, detections,
and necessary use cases for each data source they would like to connect to
their SIEM. Because of these considerations, SOCs should focus on
ingesting data that is critical and has a low level of overlap to reduce the
probability of double ingestion
Title:
Deep dive into the Solorigate second-stage activation: From SUNBURST to
TEARDROP and Raindrop
URL: https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
Overview: One missing link in the complex Solorigate attack chain is the handover from
the Solorigate DLL backdoor to the Cobalt Strike loader. How exactly does the
jump from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loader
(TEARDROP, Raindrop, and others) happen? What code gets triggered, and what
indicators should defenders look for?
Title: What’s new:
Managed Identity for Azure Sentinel Logic Apps connector
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-managed-identity-for-azure-sentinel-logic-apps/ba-p/2068204
Overview: Now available: Grant permissions
directly to a playbook to operate on Azure Sentinel, instead of creating additional identities.
Title: Microsoft
Defender for Endpoint: Automation defaults are changing
Overview: We are excited to announce that we are about to increase our customers’
protection by upgrading the default automation level of our Microsoft Defender
for Endpoint customers who have opted into public previews from Semi – require approval for any remediation
to Full – remediate
threats automatically.
Title:
The dynamic duo: How to build a red and blue team to strengthen your
cybersecurity, Part 2
URL: https://www.microsoft.com/security/blog/2021/01/21/the-dynamic-duo-how-to-build-a-red-and-blue-team-to-strengthen-your-cybersecurity-part-2/
Overview:
In this blog Jake Williams, Founder of Rendition InfoSec shares his insights
on the 2020 threat landscape—who to watch for and why—and offers cybersecurity
guidance and best practices on how to structure and evolve red and blue teaming
within your organization.
Free Training in Azure Sentinel
EU drafts data breach notification guidelines
EDPB Publishes Guidelines on Examples Regarding Data Breach Notification
Tuesday, January 19, 2021
On January 18, 2021, the European Data Protection Board (“EDPB”) released draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “Guidelines”). The Guidelines complement the initial Guidelines on personal data breach notification under the EU General Data Protection Regulation (“GDPR”) adopted by the Article 29 Working Party in February 2018. The new draft Guidelines take into account supervisory authorities’ common experiences with data breaches since the GDPR became applicable in May 2018. The EDPB’s aim is to assist data controllers in deciding how to handle data breaches, including by identifying the factors that they must take into account when conducting risk assessments to determine whether a breach must be reported to relevant supervisory authorities and/or the affected data subjects.
To read the full article go here
CERT/CC and CISA Report Multiple Vulnerabilities in Dnsmasq
01/21/2021 07:13 AM EST
Original
release date: January 21, 2021
CISA and the CERT Coordination Center (CERT/CC) are aware of multiple
vulnerabilities affecting Dnsmasq version 2.82 and prior. Dnsmasq is a
widely-used, open-source software that provides Domain Name Service forwarding
and caching and is common in Internet-of-Things (IoT) and other embedded
devices. A remote attacker could exploit some of these vulnerabilities to take
control of an affected system.
CISA encourages users and vendors of IoT and embedded devices that use
Dnsmasq to review CERT/CC VU#434904
and CISA ICSA-21-019-01
21 for more information and to apply the necessary update. Refer to vendors
for appropriate patches, when available.
Are you a good candidate for 2021 CDPSE
|
|
|
Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environment
Attackers Exploit Poor Cyber Hygiene to Compromise
Cloud Security Environments
01/13/2021 02:44 PM EST
Original
release date: January 13, 2021
CISA is aware of several recent successful cyberattacks against various
organizations’ cloud services. Threat actors used a variety of tactics and
techniques, including phishing and brute force logins, to attempt to exploit
weaknesses in cloud security practices.
In response, CISA has released Analysis
Report AR21-013A: Strengthening Security Configurations to Defend Against
Attackers Targeting Cloud Services which provides technical details
and indicators of compromise to help detect and respond to potential attacks.
CISA encourages users and administrators to review AR21-013A and
apply the recommendations to strengthen cloud environment configurations.
resilience against Solorigate and other sophisticated attacks
Title:
Increasing resilience against Solorigate and other sophisticated attacks with
Microsoft Defender
URL: https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/
Published On
(YYYY-dd-MM): 2021-14-01
Overview:
This blog is a guide for security administrators using Microsoft 365
Defender and Azure Defender to identify and implement security configuration
and posture improvements that harden enterprise environments against
Solorigate’s attack patterns.
The post Increasing
resilience against Solorigate and other sophisticated attacks with Microsoft
Defender appeared first on Microsoft Security.
Cisco Releases Security Updates for Multiple Products
Original
release date: January 14, 2021
Cisco has released security updates to address vulnerabilities in Cisco
products. A remote attacker could exploit some of these vulnerabilities to take
control of an affected system. For updates addressing lower severity
vulnerabilities see the Cisco
Security Advisories page.
CISA encourages users and administrators to review the following Cisco
Advisories and apply the necessary updates:
- AnyConnect Secure Mobility Client for Windows DLL Injection
Vulnerability cisco-sa-anyconnect-dll-injec-pQnryXLf
- Connected Mobile Experiences Privilege Escalation
Vulnerability cisco-sa-cmxpe-75Asy9k
- Small Business RV110W, RV130, RV130W, and RV215W
Routers Management Interface Command Injection Vulnerabilities cisco-sa-rv-command-inject-LBdQ2KRN
- Small Business RV110W, RV130, RV130W, and RV215W
Routers Management Interface Remote Command Execution and Denial of
Service Vulnerabilities cisco-sa-rv-overflow-WUnUgv4U
Secret Backdoor Account in Several Zycel Firewall, VPN Products
CVE: CVE-2020-29583
Summary
Zyxel has released a patch for the hardcoded credential vulnerability of firewalls and AP controllers recently reported by researchers from EYE Netherlands. Users are advised to install the applicable firmware updates for optimal protection.
What is the vulnerability?
A hardcoded credential vulnerability was identified in the “zyfwp” user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable products and are releasing firmware patches to address the issue, as shown in the table below. For optimal protection, we urge users to install the applicable updates. For those not listed, they are not affected. Contact your local Zyxel support team if you require further assistance.
| Affected product series | Patch available in |
|---|---|
| Firewalls | |
| ATP series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| USG series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| USG FLEX series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| VPN series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| AP controllers | |
| NXC2500 running firmware V6.00 through V6.10 | V6.10 Patch1 on Jan. 8, 2021 |
| NXC5500 running firmware V6.00 through V6.10 | V6.10 Patch1 on Jan. 8, 2021 |