StopRansomware.gov website – The U.S. Government’s One-Stop Location to Stop Ransomware

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber Awareness System Current Activity for
Cybersecurity and Infrastructure Security Agency. This information has recently
been updated, and is now available.

07/15/2021 07:20 AM EDT

Original release date: July 15, 2021

The U.S. Government launched a new website to help public and private
organizations defend against the rise in ransomware cases. StopRansomware.gov is a
whole-of-government approach that gives one central location for ransomware
resources and alerts. We encourage organizations to use this new website to
understand the threat of ransomware, mitigate risk, and in the event of an
attack, know what steps to take next.

The StopRansomware.gov webpage is
an interagency resource that provides our partners and stakeholders with
ransomware protection, detection, and response guidance that they can use on a
single website. This includes ransomware alerts, reports, and resources from
CISA, the FBI, and other federal partners.

We look forward to growing the information and resources on StopRansomware.gov and plan to partner
with additional Federal Agencies who are working to curb the rise in
ransomware.

Kaseya Provides Security Updates for VSA On-Premises Software Vulnerabilities

07/12/2021 03:00 PM EDT

Original release date: July 12, 2021

Kaseya has released VSA version 9.5.7a for their VSA On-Premises software.
This version addresses vulnerabilities that enabled the ransomware attacks on
Kaseya’s customers.

CISA strongly urges Kaseya customers to closely follow the instructions
detailed in the Kaseya security notice and to contact Kaseya should they
require implementation assistance. Note: the Kaseya security notice includes
Startup Runbooks and Hardening and Best Practice Guides for both VSA
On-Premises and VSA SaaS.

Microsoft Releases Out-of-Band Security Updates for PrintNightmare

07/06/2021 07:53 PM EDT

Original release date: July 6, 2021

Microsoft has released out-of-band security updates to address a remote code
execution (RCE) vulnerability—known as PrintNightmare (CVE-2021-34527)—in the
Windows Print Spooler service. According to the CERT Coordination Center
(CERT/CC), “The Microsoft Windows Print Spooler service fails to restrict
access to functionality that allows users to add printers and related drivers,
which can allow a remote authenticated attacker to execute arbitrary code with
SYSTEM privileges on a vulnerable system.”

The updates are cumulative and contain all previous fixes as well as
protections for CVE-2021-1675. The updates do not include Windows 10 version
1607, Windows Server 2012, or Windows Server 2016—Microsoft states updates for
these versions are forthcoming. Note: According to CERT/CC, “the Microsoft
update for CVE-2021-34527 only appears to address the Remote Code Execution
(RCE via SMB and RPC) variants of the PrintNightmare, and not the Local
Privilege Escalation (LPE) variant.” See CERT/CC Vulnerability Note VU#383432
for workarounds for the LPE variant.

CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack

07/04/2021 12:29 PM EDT

Original release date: July 4, 2021

CISA and the Federal Bureau of Investigation (FBI) continue to respond to
the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya
VSA software against multiple managed service providers (MSPs) and their
customers. CISA and FBI strongly urge affected MSPs and their customers to
follow the guidance below.

CISA and FBI recommend affected MSPs:

  • Contact Kaseya at [email protected]
    with the subject “Compromise Detection Tool Request” to obtain and run
    Kaseya’s Compromise Detection Tool available to Kaseya VSA customers. The
    tool is designed to help MSPs assess the status of their systems and their
    customers’ systems.
  • Enable and enforce multi-factor authentication (MFA) on
    every single account that is under the control of the organization, and—to
    the maximum extent possible—enable and enforce MFA for customer-facing
    services.
  • Implement allowlisting to limit communication with
    remote monitoring and management (RMM) capabilities to known IP address
    pairs, and/or
  • Place administrative interfaces of RMM behind a virtual
    private network (VPN) or a firewall on a dedicated administrative network.

CISA and FBI recommend MSP customers affected by this attack take immediate
action to implement the following cybersecurity best practices. Note: these
actions are especially important for MSP customers who do not currently have
their RMM service running due to the Kaseya attack.

CISA and FBI recommend affected MSP customers:

  • Ensure backups are up to date and stored in an easily
    retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that
    follows vendor remediation guidance, including the installation of new
    patches as soon as they become available;
  • Implement:
    • Multi-factor authentication; and
    • The principle of least privilege on admin accounts for key network
      resources.

Resources:

CISA and FBI provide these resources for the reader’s awareness. CISA and FBI
do not endorse any non-governmental entities nor guarantee the accuracy of the
linked resources.

What’s new: ASIM Authentication, Process, Registry and enhanced Network schemas

 New Microsoft Blog

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-asim-authentication-process-registry-and-enhanced/ba-p/2502268

Hello everyone,

 Continuing our normalization journey, we added the Authentication, Process
Events, and Registry Events schemas alongside the Network and DNS schemas, and
delivered normalized content based on the two. We also added ARM template
deployment and support for Microsoft Defender for Endpoint to the Network
Schema.

 Special thanks to @Yuval Naor, @Yaron Fruchtmann, and @Batami Gold, who made
all this possible.

 Why should you care?

  • Cross-source detection: Normalized Authentication analytic rules work
    across sources, on-prem and cloud, now detecting attacks such as brute
    force or impossible travel across systems including Okta, AWS, and Azure.
  • Source-agnostic rules: process event analytics support any source that a
    customer may use to bring in the data, including Defender for Endpoint,
    Windows Events, and Sysmon. We are ready to add Sysmon for Linux and WEF
    once released!
  • EDR support: Process, Registry, Network, and Authentication constitute the
    core of EDR event telemetry.
  • Ease of use: The Network Schema introduced last year is now easier to use
    with a single-click ARM template deployment.

 Deploy the Authentication, Process Events, Registry Events, or Network Session
parser packs in a single click using ARM templates.

 Join us to learn more about the Azure Sentinel information model in two
webinars:

  • The Information Model: Understanding Normalization in Azure Sentinel
  • Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content

Why normalization, and what is the Azure Sentinel
Information Model?

 Working with various data types and tables together presents a challenge.
You must become familiar with many different data types and schemas, write
and use a unique set of analytics rules, workbooks, and hunting queries for
each, even for those that share commonalities (for example, DNS servers).
Correlation between the different data types necessary for investigation and
hunting is also tricky.

 The Azure Sentinel Information Model (ASIM) provides a seamless experience
for handling various sources in uniform, normalized views. ASIM aligns with
the Open-Source Security Events Metadata (OSSEM) common
information model, promoting vendor agnostic, industry-wide normalization.
ASIM:

  • Allows source-agnostic content and solutions
  • Simplifies analyst use of the data in Sentinel workspaces

 The current implementation is based on query-time normalization using KQL
functions and includes the following:

  • Normalized schemas cover standard sets of predictable event types that are
    easy to work with and build unified capabilities on. The schema defines
    which fields should represent an event, a normalized column naming
    convention, and a standard format for the field values.
  • Parsers map existing data to the normalized schemas. Parsers are
    implemented using KQL functions.
  • Content for each normalized schema includes analytics rules, workbooks,
    hunting queries, and additional content. This content works on any
    normalized data without the need to create source-specific content.
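The schema / parser / content model just described, and the cross-source brute-force detection mentioned under "Why should you care?", as an added Python sketch that is not Microsoft's ASIM code: two constructed authentication sources with different shapes are mapped by per-source parser functions into one normalized record, and a single source-agnostic rule runs over the union. The normalized field names, the sample events, the thresholds and the parser names are assumptions for this example, not the ASIM schema or its parsers.

```python
# Added example: ASIM-style query-time normalization modelled in Python.
from datetime import datetime, timezone

# Constructed sample events, one shape per source (not real telemetry):
# 10 failed logons for "alice" from one IP in an Okta-like shape, 10 more in a
# Windows Security 4625-like shape, interleaved in time, plus one success.
OKTA_LIKE = [{"eventType": "user.session.start", "outcome": "FAILURE",
              "actor": "alice@example.com", "client_ip": "203.0.113.5",
              "published": "2021-07-15T10:00:%02dZ" % s} for s in range(0, 50, 5)]
OKTA_LIKE.append({"eventType": "user.session.start", "outcome": "SUCCESS",
                  "actor": "bob@example.com", "client_ip": "198.51.100.7",
                  "published": "2021-07-15T10:00:30Z"})
WIN_LIKE = [{"EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.5",
             "TimeCreated": "2021-07-15T10:00:%02dZ" % s} for s in range(2, 50, 5)]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Parsers: one per source, each emitting the same normalized field names
# (assumed names for this example, in the spirit of an authentication schema).
def parse_okta_like(e):
    return {"EventType": "Logon", "EventProduct": "OktaLike",
            "EventResult": "Success" if e["outcome"] == "SUCCESS" else "Failure",
            "TargetUsername": e["actor"].split("@")[0],  # assumption: local part
            "SrcIpAddr": e["client_ip"], "EventStartTime": _ts(e["published"])}

def parse_win_like(e):
    return {"EventType": "Logon", "EventProduct": "WindowsLike",
            "EventResult": "Failure" if e["EventID"] == 4625 else "Success",
            "TargetUsername": e["TargetUserName"].lower(),
            "SrcIpAddr": e["IpAddress"], "EventStartTime": _ts(e["TimeCreated"])}

def normalize(sources):
    """Union of all parsers: the analogue of a unifying KQL parser function."""
    return [parser(e) for parser, events in sources for e in events]

def brute_force_candidates(events, threshold=15, window_s=300):
    """Source-agnostic rule: at least `threshold` failed logons from one source
    IP against one account inside a sliding window of `window_s` seconds.
    Returns (SrcIpAddr, TargetUsername, total failures) per hit."""
    failures = {}
    for ev in events:
        if ev["EventType"] == "Logon" and ev["EventResult"] == "Failure":
            key = (ev["SrcIpAddr"], ev["TargetUsername"])
            failures.setdefault(key, []).append(ev["EventStartTime"])
    hits = []
    for (ip, user), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits.append((ip, user, len(times)))
                break
    return hits
```

Neither source alone reaches the threshold of 15 failures, but the normalized union does, which is the point of running one rule across sources.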

Use Premium Assessments in Microsoft Compliance Manager to Meet Your Regulatory Compliance Needs

 New Microsoft Blog

The pandemic has permanently changed how organizations of all sizes work. A
substantial increase in hybrid and remote work has presented new compliance
challenges, and organizations have responded by growing their compliance
functions. A recent study shows that there were 257 average daily regulatory
alerts across 190 countries in 2020 and keeping up with regulatory changes continues
to be the top compliance challenge[1].

 

To help organizations simplify compliance and reduce risk,
we built Microsoft Compliance Manager, generally available since September 2020. Compliance
Manager translates complex regulatory requirements into specific recommended
actions and makes them available through premium assessment templates, covering
over 300 regulations and standards. By leveraging the universal mapping of
actions and controls, premium assessment templates allow customers to comply
with several requirements across multiple regulations or standards with one
action, providing an efficient solution to manage overlapping compliance
requirements. Premium assessment templates along with built-in workflows and
continuous compliance updates allow organizations to constantly assess,
monitor, and improve their compliance posture.

 

To meet customers where they are in their compliance journey, we are excited
to announce that Compliance Manager premium assessment templates will no longer
require a Microsoft 365 E5 or Office 365 E5 license as a prerequisite. This
update enables all enterprise customers to assess compliance with the
regulations most relevant to them and meet their unique compliance needs.
Starting July 1st, 2021, all Enterprise customers, both commercial
and government, can purchase premium assessment templates as long as they have
any Microsoft 365 or Office 365 subscription. Customers who have already
purchased a premium assessment template or are using the default templates
included with their subscription will not experience any disruption or change.
Customers with Microsoft 365 E1/E3 or Office 365 E1/E3 subscriptions will now
be able to see the list of 300+ premium assessment templates in their tenants.
The capability to create a new template, customize an existing template, or add
customized actions to a given template will continue to require a Microsoft 365
E5 or Office 365 E5 subscription.

 We look forward to hearing your feedback.

 Get Started

Navigate to the Microsoft 365 compliance center or sign up for a Microsoft 365
E5 Compliance trial to get started with Compliance Manager premium assessments
today! Compliance Manager premium assessment SKUs can be purchased in the
Microsoft admin center.

 Learn more:

  1. Compliance Manager licensing details.
  2. List of premium assessment templates here.
  3. Learn more about Compliance Manager here.

URL: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/use-premium-assessments-in-microsoft-compliance-manager-to-meet/ba-p/2494789