Researchers at Positive Technologies have published a proof-of-concept exploit for CVE-2020-3580. There are reports of researchers pursuing bug bounties using this exploit.
n October 21, 2021, Cisco released a security advisory and patches to address multiple cross-site scripting (XSS) vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software web services. In April, Cisco updated the advisory to account for an incomplete fix of CVE-2020-3581.
Shortly after, Mikhail Klyuchnikov, a researcher at Positive Technologies also tweeted that other researchers are chasing bug bounties for this vulnerability. Tenable has also received a report that attackers are exploiting CVE-2020-3580 in the wild.
Analysis
All four vulnerabilities exist because Cisco ASA and FTD software web services do not sufficiently validate user-supplied inputs. To exploit any of these vulnerabilities, an attacker would need to convince “a user of the interface” to click on a specially crafted link. Successful exploitation would allow the attacker to execute arbitrary code within the interface and access sensitive, browser-based information.
These vulnerabilities affect only specific AnyConnect and WebVPN configurations:
Proof of concept
As mentioned earlier, there is a public PoC published by Positive Technologies on Twitter, which has gained significant attention.
Vendor response
Cisco has not issued any additional information or updates since the PoC was published.
Throughout the last several months there have been
many new features, updates, and happenings in the world of Information
Protection at Microsoft. As we continue to build out more of this story, we
wanted to use this opportunity to connect with customers, partners, and more on
some of these updates to keep you informed and provide a single pane of glass
on everything we have been working on for the last several months. In addition,
we hope to give you some insight into the next big things being built within
MIP overall.
Office apps (Word, Excel, PowerPoint, Outlook) will now
respect the Admin policy setting to require users to apply a
label to documents and emails on Windows, Mac, iOS,
and Android (for the Office 365 subscription version of the
apps).
Co-authoring and AutoSave on Microsoft Information
Protection-encrypted documents
Client-based automatic and recommended labeling on Mac
Mandatory labeling requiring users to apply a label to
their email and documents
Availability of audit label activities in Activity
Explorer
Native support for variables and per-app content marking
You can leverage co-authoring using:
Production or test tenant
Microsoft 365 apps with the following versions:
Windows – Current Channel 16.0.14026.20270+ (2105)
Mac: 16.50.21061301+
If AIP Unified Labeling Client
Version is in use, verify that in addition to the updated Microsoft
365 app, you use version 2.10.46.0 of the Unified Labeling
client.
PLEASE NOTE: That Co-authoring for Native/Built-In
Labeling will be added in the upcoming Current Channel within
2 weeks
Azure Information Protection client audit logs are now
available in Activity Explorer for existing AIP Analytics customers and
this functionality is in public preview. Azure Information Protection client audit logs are now
available in Activity Explorer for existing AIP Analytics
customers and this functionality is in public preview.
Microsoft announces the General Availability of the
Microsoft Data Loss Prevention Alerts Dashboard. This latest
addition in the Microsoft’s data loss prevention solution
provides customers with the ability to holistically investigate DLP policy
violations across:
The DLP on-premises scanner crawls on-premises data-at-rest
in file shares and SharePoint document libraries and folders for sensitive
items that, if leaked, would pose a risk to your organization or pose a
risk of compliance policy violation
This gives you the visibility and control you need to
ensure that sensitive items are used and protected properly, and to help
prevent risky behavior that might compromise them
You need to leverage the Scanner binaries from AIP UL
Client Version 2.10.43.0
The Microsoft Threat Intelligence Center is tracking new activity from the NOBELIUM threat actor. Our investigation into the methods and tactics being used continues, but we have seen password spray and brute-force attacks and want to share some details to help our customers and communities protect themselves.
This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised – we are aware of three compromised entities to date. All customers that were compromised or targeted are being contacted through our nation-state notification process.
This type of activity is not new, and we continue to recommend everyone take security precautions such as enabling multi-factor authentication to protect their environments from this and similar attacks. This activity was targeted at specific customers, primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services. The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada. In all, 36 countries were targeted.
As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers. The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign. We responded quickly, removed the access and secured the device. The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our Zero Trust “least privileged access” approach to customer information. We are notifying all impacted customers and are supporting them to ensure their accounts remain secure.
This activity reinforces the importance of best practice security precautions such as Zero-trust architecture and multi-factor authentication and their importance for everyone. Additional information on best practice security priorities is listed below:
Cybersecurity Framework Profile for Ransomware Risk Management (Preliminary Draft)
NISTIR 8374
Announcement
Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. In some instances, attackers may also steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware can disrupt or halt organizations’ operations. This report defines a Ransomware Profile, which identifies security objectives from the NIST Cybersecurity Framework that support preventing, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to mitigate ransomware threats and to react to the potential impact of events.
NOTE: NIST is adopting an agile and iterative methodology to publish this content, making it available as soon as possible, rather than delaying its release until all the elements are completed. NISTIR 8374 will have at least one additional public comment period before final publication.
The Activity log is a platform log in Azure that provides insight into
subscription-level events. This includes such information as when a resource is
modified or when a virtual machine is started. You can view the Activity log in
the Azure portal or retrieve entries with PowerShell and CLI. For additional
functionality, you should create a diagnostic setting to send the Activity log
to your Azure Sentinel.
What changed?
The Azure Activity connector used a legacy method for collecting Activity
log events, prior to its adoption of the diagnostic settings pipeline. If
you’re using this legacy method, you are strongly encouraged to upgrade to the
new pipeline, which provides better functionality and consistency with resource
logs.
Diagnostic settings send the same data as the legacy method used to send the
Activity log with some changes to the structure of the AzureActivity table.
The columns in the following table have been deprecated in the updated
schema. They still exist in AzureActivity but
they will have no data. The replacement for these columns are not new, but they
contain the same data as the deprecated column. They are in a different format,
so in the event, you have any private or internal content (such as hunting
queries, analytics rules, workbooks, etc.) based on the deprecated columns, you
may need to modify it and make sure that it points to the right columns.
Here are some of the key improvements resulting from the move to the
diagnostic settings pipeline:
Improved ingestion latency (event ingestion within 2-3
minutes of occurrence instead of 15-20 minutes).
Improved reliability.
Improved performance.
Support for all categories of events logged by the
Activity log service (the legacy mechanism supports only a subset – for
example, no support for Service Health events).
Management at scale with Azure policy.
Support for MG-level activity logs (coming in preview now).
Set up the (new) Azure Activity connector
The new Azure Activity connector includes two main steps- Disconnect the existing
subscriptions from the legacy method, and then Connect all the relevant subscriptions to the
new diagnostics settings pipeline via azure policy.
We are excited to announce the general availability of a new set of APIs for
Microsoft threat and vulnerability management that allow security
administrators to drive efficiencies and customize their vulnerability
management program. While previous versions were dependable and feature-rich,
we built the new APIs with enterprises in mind that are looking for economies
of scale within their vulnerability management program and need to handle large
datasets and device inventories daily. These new APIs provide the ability to design and export
customized reports and dashboards, automate tasks, and allow teams to build or
leverage existing integrations with third party tools.
Security teams will get detailed information as part of a full data snapshot
or they can limit the dataset to only include changes since the last data
download for a more focused view. Information from the following threat and
vulnerability management areas is included:
Vulnerabilities
assessment
– discovered vulnerabilities on devices
Secure
Configuration Assessment – detected misconfigurations on devices
Software
inventory
– a full list of installed software products across devices
Now let’s look at how you can use these new APIs to boost and customize your
vulnerability management program.
Create custom reports
Customized reports and dashboards enable you to pool the most meaningful
data and insights about your organization’s security posture into a more
focused view based on what your organization or specific teams and stakeholders
need to know and care about most. Custom reports can increase the actionability
of information and improve efficiencies across teams, because it reduces the
workload of busy security teams and allows them to focus on the most critical
vulnerabilities.
Before building custom views using tools such as PowerBI and Excel, you can
enrich the native datasets provided by Microsoft’s threat and vulnerability
management solution with additional data from Microsoft Defender for Endpoint
or a third-party tool of your choice.
In addition, these reports/dashboards give you an easy way to report key
information and trends to top management to track business KPIs and provide
meaningful insights on the overall status of the vulnerability management
program in your organization.
With a custom interface you can show the information that your teams need
and nothing more, creating a simpler task view or list of day-to-day work
items. It provides flexibility in using any of the solution’s components, such
as vulnerability report, missing security updates, installed software,
end-of-support products, and operating systems, and combining them with
advanced filtering capabilities. This can help optimize and streamline the end
user experience according to your organization’s needs.
Let’s look at
examples of reports that you can create:
Vulnerabilities
report
This report gives you a snapshot of the security posture of your
organization and allows you to identify the most critical and exploitable
vulnerabilities, see the most exposed devices distributed by OS, or drill down
into specific CVEs. You can user filters to show when a CVE was detected for
the first time, or use advanced properties such as Device tags, Device groups,
Device health (activeinactive), and more.
Image 1: Vulnerabilities report
Image 2:
Vulnerabilities report – severity and vulnerable devices by OS
Missing Windows
security updates
This report gives you a complete picture of all missing Windows security
updates across your organization. You can see what the most exposed operating
systems are, or search for a particular security update to show all affected
devices.
You can filter the report by the associated CVE criticality, by age of each
security update, or filter by advanced properties such as device tags, device
groups, device health (activeinactive) and more.
Image 3:
Missing Windows security updates
Software inventory
This report gives an overview of your software inventory. In addition to the
org-level view, you can explore recent installations and on which devices,
when, and in what version they were installed.
You can filter the report by number of the weaknesses associated with each
software, by software namevendor, or filter by advanced properties such as
Device tags, Device groups, Device health (activeinactive) and more.
Image 4: Software inventory report
You can create your own reports, use any of the templates we have shown
above, or check out more report templates in our GitHub library:
End-of-support operating systems
End-of-support software and versions
Misconfigurations per device
Software vulnerability recommendations
Non-windows security updates
Exposure score visualizations
Have you created your own report or used these published templates? We would
love to see how you’re using these new capabilities!
A big part of a successful vulnerability management (VM) program is the
ability to automate tasks and reduce the manual workload of security and IT
teams, as well as integrating the VM solution with existing tools that are part
of an established workflow process in your organization.
Our new threat and vulnerability management APIs enable you to build a data
exchange between natively provided data and your existing tools. At the same
time, we are working with partners to continuously expand the portfolio of
out-of-the-box integrations with third party solutions. You can already
leverage our Skybox
integration today and we are in the process of releasing additional integrations
for ServiceNow VR and Kenna Security and in the coming weeks.
The Kenna Security partnership will strengthen the overall prioritization
capabilities, combining threat and vulnerability management data with real-world
threat and exploit intelligence and advanced data science to determine which
vulnerabilities pose the highest risk to your organization. To learn more about
the upcoming integration join our webinar on 6/24.
By integrating with ServiceNow Vulnerability Response you will be able to
easily automate and track workflows. We will share more information soon!
While we will have more news on integrations and automation in the coming
months, if there are specific integrations you would like to see on our
roadmap, go to the Partner Application page in the Microsoft Defender
Security Center, and click Recommend
other partners.
More
information and feedback
The threat and vulnerability management capabilities are part of Microsoft Defender for Endpoint and enable organizations to
effectively identify, assess, and remediate endpoint weaknesses to reduce
organizational risk.
Check out our documentation for a complete overview of how you can
consume these new APIs.
Identity
as a service (IDaaS) is when a company offers identity, credential, and access
management (ICAM) services to customers through a software-as-a-service (SaaS)
cloud-service model. Public safety organizations (PSOs) could potentially
reduce costs and adopt new standards and authenticators more easily by using
IDaaS to provide authentication services for their own applications. This would
allow PSOs to offload some or most of their authentication responsibilities to
the IDaaS provider.
This
report informs PSOs about IDaaS and how they can benefit from it. It also lists
questions that PSOs can ask IDaaS providers when evaluating their services to
ensure the PSOs’ authentication needs are met and the risk associated with
authentication is mitigated properly. PSOs considering IDaaS usage are
encouraged to use this NISTIR. This report was developed in joint partnership
between the NCCoE and the Public Safety Communications Research Division (PSCR)
at NIST.
The public comment period for this draft is open through August 2,
2021. See the publication
details for a copy of the draft and instructions for submitting
comments. You can also contact us at psfr-nccoe@nist.gov.
Microsoft’s Azure Sentinel now provides a Timeline view within the Incident
where alerts now display remediation steps. The list of alerts that have
remediations provided by Microsoft will continue to grow. As you can see in the
graphic below, one or more remediation steps are contained in each alert. These
remediation steps tell you what to do with the alert or Incident in
question.
However, what if you
want to have your own steps, or what if you have alerts without any remediation
steps?
Now available to address this is the Get-SOCActions Playbook found in GitHub
(Azure-Sentinel/Playbooks/Get-SOCActions at master ·
Azure/Azure-Sentinel (github.com)). This playbook uses a .csv file uploaded
your Azure Sentinel instance, as a Watchlist containing the steps your
organization wants an analyst to take to remediate the Incident they are
triaging. More on this in a minute.
Below is an example of a provided Remediation from one of the Alerts:
Example Remediation
Steps Provided by Microsoft
Enforce the use of strong passwords and do not re-use
them across multiple resources and services
Remediation steps were
added to the Timeline View recently in Azure Sentinel, as shown above
We highly encourage you to look at the SOC Process Framework blog, Playbook and the amazing
Workbook; you may have already noticed the SocRA Watchlist which was called out
in that article, it is a .csv file that Rin published, and is the template you
need to build your own steps (or just use the enhanced ones provided by
Rin).
It’s this .csv file that creates the Watchlist that forms the basis of
enhancing your SOC process for remediation, its used in the Workbook and
Playbook. The .csv file has been used as it’s an easy to edit format (in Excel
or Notepad etc…), you just need to amend the rows or even add your own rows and
columns for new Alerts or steps you would like. There are columns called A1, A2 etc… these
are essentially Answer1
(Step1), Answer
2(Step2) etc…
Example of a new Alert that has been added.
You can also in the last column add a DATE (of when the line in the
watchlist was updated).
Note that any URL link will appear its own column in the [Incident Overview]
workbook – we parse the string so it can be part of a longer line of text in
any of the columns headed A1
thru A19
(you can add more answers if required, just inset more columns named A20, A21
etc…after column A19). Just remember to save your work as a .CSV.
Then when you name the Watchlist, our suggestion is “SOC Recommended
Actions”, make sure you set the ‘Alias’ to: SocRA
Important: SocRA is case sensitive,
you need an uppercase S, R and A.
You should now have entries in Log Analytics for the SocRA alias.
The SocRA watchlist .csv file serves both the Incident Overview Workbook and
supports the Get-SOCActions Playbook, should you want to push Recommended Actions
to the Comments
section of the Incident your Analyst is working on. You will want to keep this
in mind when you edit the SocRA watchlist. The Get-SOCActions Playbook
leverages the formatting of the SocRA watchlist, i.e. A1 – A19, Alert, Date
when querying the watchlist for Actions. If the alert is not found, or has not
been onboarded, the Playbook then defaults to a set of questions pulled from
the SOC Process Framework Workbook to help the analyst triage the alert &
Incident.
Important
– Should you decide to add more steps to the watchlist .csv file beyond A1-A19
you will need to edit the Playbooks conditions to include the additional
step(s) you added both in the JSON response, the KQL query, and the variable
HTML formatting prior to committing the steps to the Incidents Comments
section.
Incident Overview Workbook
To make Investigation easier, we have integrated the above Watchlist with
the default “Investigation Overview” Workbook you see, just simply click on the
normal link from within the Incident blade:
This will still open Workbook as usual. Whist I was making changes, I
have also colour coded the alert status
and severity
fields (Red, Amber and Green), just to make them stand out a little, and Blue
for new alerts.
If an alert has NO remediations, nothing will be visible in the
workbook. However, if the alert has a remediation and there is no
Watchlist called: SocRA then you will be able to expand the menu that will
appear:
This will show the default or basic remediations that the alert has, in this
example there are 3 remediation steps shown.
If you have
the SocRA
watchlist installed, then you will see that data shown instead (as the Watchlist
is the authoritative source, rather than the steps in the alert). In this
example there is a 4th step (A4) shown, which is specific to the
Watchlist and the specific alert called “Suspicious authentication activity”.
Conclusion
In conclusion, these Workbooks, the Playbook, and Watchlist all work
together in concert to provide you with a customized solution to creating
remediation steps that are tailored to a specific line of business. As you
on-board custom analytics/detections that are pertinent to your business, you will
have actions you will want an analyst to take and this solution provides a
mechanism for delivering the right actions per analytic/use-case.
Thanks for reading!
We hope you found the details of this article interesting. Thanks CliveWatson and RinUre for writing this
Article and creating the content for this solution.
And a special thanks to Sarah
Young and Liat
Lisha for helping us to deploy this solution.
This installment is part
of a broader series to keep you up to date with the latest
features/enhancements in Azure Sentinel. The installments will be bite-sized to
enable you to easily digest the new content.
Introduction
Security operations (SecOps) teams need to be equipped with the tools that
empower them to efficiently detect, investigate, and respond to threats across
your enterprise. Azure Sentinel watchlists empower organizations to shorten
investigation cycles and enable rapid threat remediation by providing the
ability to collect external data sources for correlation with security events.
Additionally, correlations and analytics help SecOps stay appraised of bad
actors and compromised entities across the environment. Incorporating external
data and performing correlation across analytics allows security teams to get a
better view of their entire infrastructure and take steps to reduce risk.
Due to evolving and constant change in the cybersecurity landscape that we
live in, it is very challenging for SecOps to stay appraised of new indicators
of compromise.
Azure Sentinel Watchlists provides the ability to quickly import IP
addresses, file hashes, etc. from csv files into your Azure Sentinel
workspace. Then utilize the watchlist name/value pairs for joining and
filtering for use in alert rules, threat hunting, workbooks, notebooks and for
general queries.
Due to the constant change, security analysts need the flexibility to update
watchlists to stay ahead. With that in mind, we are super excited to
announce the Azure Sentinel Watchlist enhancements that empower security
analysts to drive efficiency by enabling the ability to update or add items to
a watchlist using an intuitive user interface.
———————————————————————
For additional use case examples, please refer to these relevant blog posts:
Utilize Watchlists to Drive Efficiency during Azure Sentinel Investigations:
At the annual Microsoft Build 2021 Developer Conference, we announced two
new products that are based on blockchain technology. Azure Confidential
Ledger, now in preview, offers a fully managed service for customers who
need to store sensitive data with high integrity and confidentiality. Azure SQL Database ledger,
also in preview, enables storage of sensitive relational data in a
tamper-evident way.
In this blog post, we’ll introduce you to both of these new products as well
as help you understand when it makes sense to use them individually, together,
and even with an existing blockchain system.
Azure
Confidential Ledger
Enterprises running sensitive workloads need a secure way to store their
logs and important metadata while collaborating with other parties.
The Confidential Consortium Framework (CCF) is a
Microsoft-created open framework for building confidential permissioned
blockchain services. By running a confidential blockchain network of nodes in secure enclaves, data remains append-only with immutability
guarantees and the data from the client goes straight to the ledger’s
enclaves.
Building on the CCF framework, Azure Confidential
Ledger (preview) provides the ability to store sensitive data records
with integrity and confidentiality guarantees, all in a highly available and
performant manner. Stored data remains immutable and tamper-proof in the
append-only ledger with the benefits of a fully managed solution that provides
infrastructure and operations so customers can get started quickly. The service
provides these assurances by harnessing the power of Confidential Computing‘s secure enclaves when setting up
the decentralized blockchain network. Microsoft’s access is limited to setting
up and managing the network, and this specialized design means that only the
customer has access to transaction data in the Confidential Ledger.
Asking yourself the following questions can help you decide if Azure
Confidential Ledger is right for you:
Do you need to store unstructured data (i.e. files,
digests) that must remain intact for recordkeeping purposes?
Are you working with sensitive workflows where
confidentiality must be maintained?
Are you in need of a service that has high integrity
and security with a minimalistic trusted computing base?
Are you working with parties that need irrefutable
evidence that tampering did not occur to the stored data?
If you said yes to one or more of these, Azure Confidential Ledger is right
for you. Customers have been using Azure Confidential Ledger in various
ways. Novaworks,
an e-parliamentary software solution, is using Azure Confidential Ledger to
securely log votes in a tamper-proof ledger for a high-fidelity voting process.
Azure
SQL Database ledger
Azure SQL Database
ledger (preview) is a tamper-evident solution for your databases that
provides cryptographic proof of your database’s integrity. Using a
blockchain data structure implemented as system tables in your database, the
ledger feature ensures that any transaction which modifies relational data in
your database can be tracked, and any potential tampering detected and easily
remediated. Providing proof that your data has not been tampered with is
as simple as running a stored procedure that compares the calculated
cryptographic hashes in your database against a database digest, which is
published automatically in a secure location, such as Azure Confidential
Ledger.
Ledger is a feature of Azure SQL Database, meaning there is no additional
cost to add tamper-evidence capabilities. You don’t have to migrate data
from your existing SQL databases to add tamper-evidence capabilities and no
changes are needed to your applications as ledger is an extension of existing
SQL table functionality.
Asking yourself the following questions can help you decide if Azure SQL
Database ledger is right for you.
Do you have business-critical data in Azure SQL
Database where you must ensure data integrity is intact?
Can 3rd parties who interact with your
data accept a “trust, but verify” model rather than each party having a
copy of the ledger?
Do you need to prove to auditors or regulators that
your data has not been tampered with?
Do you have a need for queryability and strong data
management capabilities, such as streaming data from a blockchain to an
off-chain store while maintaining integrity from on-chain to off-chain?
If you can answer “yes” to any of these questions, then Azure SQL Database
ledger is right for you. Customers like RTGS.global, who provide a
global liquidity network for banks, are already using this capability to
provide a ledger of transactions to regulators to prove that global banking
transactions have not been tampered. Read our blog to learn
more.
Putting
it all together
Trust is foundational in any business process that spans organizational
boundaries. Microsoft goes beyond traditional blockchains, using the
building blocks of this technology as the underpinning for the distributed
ledger of Azure Confidential Ledger and the consolidated data store of Azure
SQL Database ledger. These solutions empower our customers to apply the
power of blockchain to sensitive data, simplifying solution development,
reducing cost and providing a new level of digital trust to transactions.
Deciding which technology is best for your needs ultimately depends on the
level of trust between parties transacting with the data, and the type of data
being protected. In addition to the points mentioned above, consider the
following when deciding whether Azure SQL Database ledger or Azure Confidential
Ledger is right for you.
Learn
more
Read the Azure Confidential Ledger announcement blog and documentation to learn more about how this new
service is empowering our customers and securing their work.
Read the Azure SQL Database ledger documentation and whitepaper to
learn more about how the ledger feature works and how to use it with your
Azure SQL Database.
