.ZIP File Archiver in the Browser Phishing Technique

Fraudulent In-Browser WinRAR Screen With Opened .ZIP Archive. Image Source: BleepingComputer
In May 2023, Google launched several new top-level domains (TLDs), including .ZIP. Using .ZIP both as a filename extension and as a domain name is legitimate; however, threat actors are exploiting the .ZIP domain in a new phishing technique called “file archiver in the browser.” Because .ZIP is now a TLD, applications that automatically link text can turn any string ending in .ZIP, such as a filename, into a clickable link to one of these .ZIP websites, which phishing campaigns use to steal credentials or deliver malware. If the link is clicked, the browser opens the .ZIP website, which redirects the target to a page rendered as HTML and prompts the target to download a malicious .ZIP file.

In the example above, when the .ZIP website loads, a fraudulent WinRAR archiver window is embedded in the browser, purportedly displaying an opened .ZIP archive and the files it contains. To appear more convincing, a fake security scan button is also displayed; if clicked, a message states that “the files were scanned and no threats were detected.” If one of the listed files is selected, the target is redirected to another website and prompted to enter their credentials to view the file.
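A defender-side check for the auto-linking problem described above, added here as an example and not taken from the BleepingComputer report: it scans a message body for tokens that an auto-linking client could turn into a link to a .ZIP domain, distinguishing bare filename-like tokens from explicit URLs. The hostname rules and the constructed sample text are this example's own assumptions.

```python
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"

# A hostname whose last label is "zip", optionally preceded by a scheme and
# followed by a path, so both bare tokens and full URLs are caught.
ZIP_HOST = re.compile(
    r"(?P<scheme>https?://)?"
    r"(?P<host>(?:" + LABEL + r"\.)+zip)(?![A-Za-z0-9_-])"
    r"(?P<path>/[^\s<>\"']*)?",
    re.IGNORECASE,
)


def find_zip_hosts(text):
    """Return (host, form) pairs for each string in `text` that an
    auto-linking client could turn into a link to a .zip domain.
    form is "url" when a scheme was present and "bare" when the token
    looks like a plain filename such as report.zip."""
    hits = []
    for m in ZIP_HOST.finditer(text):
        before = text[m.start() - 1] if m.start() > 0 else " "
        # Skip matches glued to a longer token: "pay_roll.zip" (underscore
        # is invalid in hostnames) or the file part of a path "/tmp/a.zip".
        if before.isalnum() or before in "-_./@":
            continue
        hits.append((m.group("host").lower(), "url" if m.group("scheme") else "bare"))
    return hits


if __name__ == "__main__":
    # Constructed message body for a mail-gateway style scan.
    print(find_zip_hosts("Q2 numbers are in report.zip; mirror at https://update.zip/files"))
```

A gateway or mail filter can use the "bare" hits to warn users that a plain filename in the message may render as a link.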

Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution

A vulnerability has been discovered in Google Chrome that could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
Google is aware that an exploit for CVE-2023-3079 exists in the wild.
Systems Affected
Google Chrome versions prior to 114.0.5735.110 for Windows.
Google Chrome versions prior to 114.0.5735.106 for Mac and Linux.
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Technical Summary
A vulnerability has been discovered in Google Chrome that could allow for arbitrary code execution.
Recommendations
  • Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
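A small inventory check for the fixed builds listed under Systems Affected, added here as an example (not part of the advisory): it parses the version banner Chrome prints and compares it numerically against the per-platform threshold, since a plain string comparison would rank 114.0.5735.90 above 114.0.5735.110. The banner text is a constructed sample.

```python
import re

# Minimum fixed builds from the advisory, keyed by platform.
FIXED_VERSIONS = {
    "windows": "114.0.5735.110",
    "mac": "114.0.5735.106",
    "linux": "114.0.5735.106",
}


def parse_version(version):
    """Turn '114.0.5735.90' into (114, 0, 5735, 90) so each component is
    compared as a number rather than as text."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_from_banner(banner):
    """Extract the dotted version from output such as
    'Google Chrome 114.0.5735.90' (what `google-chrome --version` prints)."""
    m = re.search(r"(\d+\.\d+\.\d+\.\d+)", banner)
    if not m:
        raise ValueError(f"no version found in {banner!r}")
    return m.group(1)


def is_vulnerable(platform, version):
    """True when `version` is older than the fixed build for `platform`."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[platform.lower()])


if __name__ == "__main__":
    banner = "Google Chrome 114.0.5735.90"   # constructed sample banner
    found = version_from_banner(banner)
    print(found, "vulnerable on linux:", is_vulnerable("linux", found))
```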
References
Google: https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3079

Harden Baseboard Management Controllers

This Joint Cybersecurity Information Sheet, authored by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), highlights threats to Baseboard Management Controllers (BMCs) and details actions organizations can use to harden them.
BMCs are trusted components designed into a computer’s hardware that operate separately from the operating system and firmware to allow for remote management and control, even when the system is shut down.
A BMC differs from the Basic Input/Output System (BIOS) and the Unified Extensible Firmware Interface (UEFI), which play a later role in booting a computer, and from the management engine, which provides different remote management functionality. BMC firmware is highly privileged, executes outside the scope of operating system (OS) controls, and has access to all resources of the server-class platform on which it resides. It executes the moment power is applied to the server; therefore, booting to a hypervisor or OS is not necessary, and the BMC functions even when the server is shut down.

CISA and Partners Release Joint Advisory on Understanding Ransomware Threat Actors: LockBit

Today, CISA, the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and international partners released Understanding Ransomware Threat Actors: LockBit, a joint Cybersecurity Advisory (CSA) to help organizations understand and defend against threat actors using LockBit, the most globally used and prolific Ransomware-as-a-Service (RaaS) in 2022 and 2023. This guide is a comprehensive resource detailing the observed common vulnerabilities and exposures (CVEs) exploited, as well as the tools and the tactics, techniques, and procedures (TTPs) used by LockBit affiliates. Additionally, it includes recommended mitigations to help reduce the likelihood and impact of future ransomware incidents. In 2022, LockBit was the most deployed ransomware variant across the world, and it continues to be prolific in 2023. The LockBit RaaS attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks. Affiliates have attacked organizations of various sizes across an array of critical infrastructure sectors including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit has been successful through its innovation and continual development of the group’s administrative panel (i.e., a simplified, point-and-click interface making ransomware deployment accessible to those with lower degrees of technical skill), affiliate supporting functions, and constant revision of TTPs.

CISA and the authoring agencies of this joint CSA encourage organizations to implement the recommendations provided to proactively improve their defenses against this global ransomware operation and to reduce the likelihood and impact of future ransomware incidents.

CISA and Partners Release Cybersecurity Advisory Guidance detailing PRC state-sponsored actors evading detection by “Living off the Land”

On May 24, CISA joined the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners in releasing a joint cybersecurity advisory highlighting recently discovered activities conducted by a People’s Republic of China (PRC) state-sponsored cyber threat actor. 

This advisory highlights how PRC cyber actors use techniques called “living off the land” to evade detection by using built-in networking administration tools to compromise networks and conduct malicious activity. This enables the cyber actor to blend in with routine Windows system and network activities, limit activity and data captured in default logging configurations, and avoid endpoint detection and response (EDR) products that could alert to the introduction of third-party applications on the host or network. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide. The authoring agencies have identified potential indicators associated with these techniques. To hunt for this activity, CISA and partners encourage network defenders to use the actor’s commands and detection signatures provided in this advisory. CISA and partners further encourage network defenders to view the indicators of compromise (IOCs) and mitigations summaries to detect this activity.
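Because the actor deliberately uses the same built-in tools administrators use, the presence of a tool is not a signal on its own; the hunt has to look at context. The example below is added here (it is not the advisory's detection logic) and illustrates one such approach: it baselines which built-in network-administration binaries run on each host and under which parent processes, then flags executions in a review window that are new for the host or launched by an unusual parent. The tool list, event records and field layout are constructed assumptions.

```python
from collections import defaultdict

# Built-in Windows binaries that administrators use for routine network and
# directory tasks; an actor living off the land reuses the same ones, so the
# binary alone is not a signal.  The list is this example's assumption, not
# taken from the advisory.
BUILTIN_ADMIN_TOOLS = {"netsh.exe", "net.exe", "net1.exe", "nltest.exe",
                       "wmic.exe", "ipconfig.exe", "reg.exe"}

# Constructed process-creation records (host, account, parent image, new
# image, command line), modelled loosely on the fields of a Windows 4688
# event.  BASELINE is a known-good period; REVIEW is the window being hunted.
BASELINE = [
    ("srv-fs01", "CORP\\svc-backup", "backup.exe", "net.exe", "net use Z: \\\\nas\\vol"),
    ("srv-fs01", "CORP\\svc-backup", "backup.exe", "net.exe", "net use Z: /delete"),
    ("ws-admin7", "CORP\\jdoe", "explorer.exe", "cmd.exe", "cmd"),
    ("ws-admin7", "CORP\\jdoe", "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    ("ws-admin7", "CORP\\jdoe", "cmd.exe", "netsh.exe", "netsh interface show interface"),
]
REVIEW = [
    ("ws-admin7", "CORP\\jdoe", "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    ("srv-fs01", "CORP\\svc-backup", "w3wp.exe", "netsh.exe", "netsh interface show interface"),
    ("ws-admin7", "CORP\\jdoe", "wscript.exe", "netsh.exe", "netsh interface show interface"),
    ("ws-admin7", "CORP\\jdoe", "explorer.exe", "notepad.exe", "notepad"),
]


def build_baseline(events):
    """Map (host, tool) -> set of parent images seen launching that tool."""
    seen = defaultdict(set)
    for host, _user, parent, image, _cmd in events:
        if image.lower() in BUILTIN_ADMIN_TOOLS:
            seen[(host.lower(), image.lower())].add(parent.lower())
    return seen


def find_anomalies(baseline, events):
    """Flag built-in tool executions that are new for the host, or that run
    under a parent never seen launching that tool on that host.  Returns
    (host, user, tool, reason, command) tuples."""
    findings = []
    for host, user, parent, image, cmd in events:
        tool = image.lower()
        if tool not in BUILTIN_ADMIN_TOOLS:
            continue
        parents = baseline.get((host.lower(), tool))
        if parents is None:
            findings.append((host, user, tool, "tool not seen on this host during baseline", cmd))
        elif parent.lower() not in parents:
            findings.append((host, user, tool, f"unusual parent process {parent}", cmd))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE), REVIEW):
        print(finding)
```

In the sample data the web server worker process launching netsh on the file server and the script host launching it on the workstation are both surfaced, while the routine ipconfig run is not.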

New Microsoft Security and Compliance blog: Announcing multicloud assessments in Compliance Manager

View and understand compliance posture across your multi-cloud environment

The first step in achieving and maintaining an optimal compliance posture is understanding how your current environment maps to your regulatory responsibilities. Compliance Manager supports over 350 regulations and standards, affording you a front-row seat to your organization’s current compliance posture within the context of the requirements or best practices you care about most. This view extends across your cloud services as well, providing a summary view of your posture across all relevant clouds.

Figure 1: Compliance Manager dashboard showing multicloud posture assessments

Zoom into a specific posture assessment, such as this one for PCI DSS 3.2.1, and you’ll see a detailed drilldown of your performance for each of your clouds, allowing you to effectively plan and prioritize any remediation efforts, as well as monitor your organization’s progress. Compliance Manager partners with Microsoft Defender for Cloud to provide the most up to date results across your clouds, running nearly 1,000 tests across connected clouds and services every day. These tests are mapped across the relevant regulatory framework, allowing you to see precisely which control is impacted, and assign an owner or take action yourself as needed.

Figure 2: Detail view of PCI DSS posture assessment

Leverage clear and detailed guidance to remediate issues across your clouds

Dive into a specific control, and you’ll see that Compliance Manager provides a set of recommended actions necessary to meet the control requirements, each specially tailored to your multi-cloud environment. This guidance takes the guess-work out of managing your compliance posture, allowing your users to spend more time taking action and less time parsing control language or searching for relevant functionality. In the case of Control 10.1 for PCI DSS 3.2.1, Compliance Manager advises a set of specific actions to help you ensure that your audit trails are as robust as possible, using its knowledge of your clouds’ configurations to recommend features or capabilities that you are not utilizing to their potential.

Figure 3: Status details of PCI control 10.1, with list of associated actions and test results

Tailor remediation efforts with resource-level evidence

Compliance Manager provides clear implementation steps to help you tackle the necessary configuration changes, then goes the extra mile with resource-level details showing you exactly where changes are needed.

Figure 4: Action drilldown with instructions for enabling firewall rule logging in GCP

In the case of enabling firewall rule logging for GCP, all firewall rules across your selected GCP accounts are displayed alongside their logging status, allowing an admin to jump into GCP and follow the provided guidance to enable logging where it’s needed. This saves time and effort and helps reduce unnecessary changes. Once the changes are complete, Compliance Manager will update the status of each rule on its next test pass and preserve the record of the change for auditing and evidence collection.
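The same rule-by-rule view can be reproduced outside the console for a quick audit. The example below is added here and is not Compliance Manager's or Google's code: it reads the JSON that `gcloud compute firewall-rules list --format=json` emits (a constructed sample is embedded), lists the rules whose logConfig.enable is not true, summarises logging coverage per network, and produces the `gcloud ... --enable-logging` command for each rule that needs it.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list
# --format=json`; only the fields this check reads are included.
SAMPLE_RULES_JSON = """[
  {"name": "allow-ssh-from-bastion", "direction": "INGRESS",
   "network": "https://www.googleapis.com/compute/v1/projects/demo/global/networks/prod",
   "logConfig": {"enable": true}},
  {"name": "allow-internal", "direction": "INGRESS",
   "network": "https://www.googleapis.com/compute/v1/projects/demo/global/networks/prod",
   "logConfig": {"enable": false}},
  {"name": "deny-egress-legacy", "direction": "EGRESS",
   "network": "https://www.googleapis.com/compute/v1/projects/demo/global/networks/legacy"}
]"""


def logging_enabled(rule):
    """A rule counts as logged only when logConfig.enable is true; a missing
    logConfig block means logging was never turned on."""
    return bool(rule.get("logConfig", {}).get("enable", False))


def rules_without_logging(rules_json):
    """Names of rules that would show as 'logging off' in the evidence view."""
    return [r["name"] for r in json.loads(rules_json) if not logging_enabled(r)]


def logging_status_by_network(rules_json):
    """Per-network (enabled, total) counts, keyed by the network's short name."""
    status = {}
    for r in json.loads(rules_json):
        net = r["network"].rsplit("/", 1)[-1]
        enabled, total = status.get(net, (0, 0))
        status[net] = (enabled + int(logging_enabled(r)), total + 1)
    return status


def remediation_commands(names):
    """gcloud commands that enable logging on each rule."""
    return [f"gcloud compute firewall-rules update {n} --enable-logging" for n in names]


if __name__ == "__main__":
    missing = rules_without_logging(SAMPLE_RULES_JSON)
    print(logging_status_by_network(SAMPLE_RULES_JSON))
    print("\n".join(remediation_commands(missing)))
```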

Figure 5: Detail view of GCP firewall rules and their logging status

Figure 6: The GCP firewall rule configuration page reached by following the deeplink on the Compliance Manager action

Simplify posture management and maintenance

Purview Compliance Manager also helps you maintain your compliance posture and retain the progress you’ve made – we do this by ensuring that our regulatory guidance incorporates the latest updates, as well as adding and updating our action recommendations as new features are released across supported clouds. These capabilities allow Purview Compliance Manager to be your one-stop shop for your compliance posture needs across your clouds, informing you of relevant changes, monitoring your configuration and recommending changes, and helping you reduce risk and keep your multi-cloud enterprise running smoothly.

Explore more Purview Compliance Manager resources 
We are thrilled to share these announcements with you. Here is a summary of the next steps and other resources to help you and your organization get started with these capabilities: 

  • Learn more about Compliance Manager in our technical documentation. 
  • Compliance Manager is part of the Microsoft Purview suite of solutions designed to help organizations manage, govern and protect their data. If you would like to experience Compliance Manager and other Purview solutions for yourself, check out our E5 Purview trial.
  • If you’re interested in learning more about Compliance Manager’s multi-cloud capabilities and how you can upgrade your own Assessments to multi-cloud, visit our guide to multicloud support.

Manage insider risks in multicloud environments

Great blog post by Microsoft

The shift toward hybrid work environments has led to a significant increase in cloud service adoption in recent years. In fact, on average, organizations now use 147 public cloud services across SaaS, PaaS, and IaaS, compared with just 38 services in 2020*. While cloud services offer many benefits, they also raise concerns about the security of sensitive data that can flow and be stored everywhere without a clear perimeter. The loss of sensitive data remains the top security concern in cloud services* for IT and security professionals, and it’s crucial to have integrated data security solutions that can protect sensitive data in multicloud environments at scale to address these challenges effectively.

It’s essential to keep in mind that data doesn’t move by itself, it’s people who move and interact with data, and that’s where the majority of data security risks stem from. According to research by Gartner®, “90% of employees who admitted undertaking a range of unsecure actions during their work activities knew that their actions would increase risk to the organization and undertook the actions anyway for speed and convenience.**” This finding reinforces what we discussed in the previous blog post: the most significant cybersecurity risks often come from insiders within your organization. Therefore, managing insider risks related to data is crucial when it comes to ensuring data security in different environments.

Today, we are pleased to announce new features to help tailor the Insider Risk Management solution for your organization’s use across multiple environments:

  • Bring your own detections to manage insider risks across multiple environments holistically
  • Prevent high risk users from pasting sensitive data into browser applications
  • Customize insider risk detections for different user groups
  • Bolster your investigation efforts with new enhancements
  • Get started easily with insider risk analytics and enhanced quick policies

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Bring your own detections to manage insider risks across multiple environments holistically

With our new bring your own detections feature coming into public preview in the next few weeks, admins with the right permissions can bring in user activity signals from multiple sources, extending the power of the solution to a broader set of environments.

For instance, you can import events from CRM systems, such as Salesforce, including signals like sharing and exporting reports that may be considered risky and therefore could lead to a data security incident. These signals can then be used as custom indicators in insider risk policies and combined with other native signals to give organizations comprehensive detection and understanding of potential insider risks across their broader environments.

Figure 1: Bring in a Salesforce event, downloading reports, as an insider risk indicator

As a result, all the insider risk indicators can be viewed in one place on the user activity chart. In the following scenario, for example, the custom indicator, sensitive reports downloaded from Salesforce, is weaved into the user activities timeline, which provides security teams with a holistic view of a potential data security incident across applications.

Figure 2: Review Salesforce events along with other user activities that could potentially lead to data security incidents from one place

In addition, you can also leverage these indicators to configure users’ risk levels for Adaptive Protection, the capability we announced in February that helps dynamically tailor Microsoft Purview Data Loss Prevention policies to mitigate data security risks. For example, you can use the custom indicator, “sensitive reports downloaded from Salesforce”, as a condition to define the elevated risk level and automatically add users who match the condition to a strict DLP policy.

Figure 3: Admins can use the detections they brought in from other environments and the variants they created for indicators (explained more in the section “Tailor insider risk detections for your different user groups”) to configure risk levels for Adaptive Protection

Prevent high risk users from pasting sensitive data into browser applications

In addition to bringing in detections from other applications, we are also announcing a new Microsoft Data Loss Prevention capability to help organizations prevent the pasting of sensitive data into supported web browsers. To balance productivity, customers can leverage this new feature with Adaptive Protection to prevent certain actions from high-risk users.

For example, a user who has engaged in risky data exfiltration activities will be identified as a high-risk user in Adaptive Protection. If this high-risk user then attempts to paste sensitive information into a web browser, they will be blocked from doing so, whereas a low-risk user can paste sensitive data into a web browser after providing a justification. You can learn more about configuring paste to browser in Data Loss Prevention here and how to leverage Adaptive Protection for this capability here.

Tailor insider risk detections for your different user groups

While Insider Risk Management offers dozens of ready-to-use indicators, the detection of insider risks may not be a one-size-fits-all solution for all users in an organization. For example, the marketing and legal departments might need to send emails to different external domains, such as marketing agencies versus outside legal counsel, to collaborate and complete their tasks. 

Coming soon in a few weeks, organizations can add variants to the built-in insider risk indicators and tailor detections for different sets of users. In the scenario above, administrators can configure two variants for the “sending email with attachments to recipients outside the organization” indicator, allowing marketing and legal teams to have a different set of allowed domains that won’t generate alerts:

  1. Sending email with attachments to external recipients other than MarketingFirm – will only generate alerts when users send emails to an external domain that is not part of the MarketingFirm allowed list
  2. Sending email with attachment to external recipients other than LegalFirm – will only generate alerts when users send emails to an external domain that is not part of the LegalFirm allowed list
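To make the two variants concrete, the example below (added here; it is not Insider Risk Management's logic) models the built-in indicator and its per-group variants as an allowed-domain lookup keyed by the sender's group, and evaluates constructed send events against it. The domain names, user-to-group mapping and event shape are assumptions.

```python
# Organization's own domain and the per-group allowed external domains
# (constructed names; the two variants mirror the ones listed above).
INTERNAL_DOMAIN = "contoso.example"
VARIANTS = {
    "marketing": {"marketingfirm.example"},
    "legal": {"legalfirm.example"},
}

# Which tailored group, if any, each sender belongs to (constructed).
GROUP_OF_USER = {
    "alice@contoso.example": "marketing",
    "bob@contoso.example": "legal",
    # carol@contoso.example is in neither group and keeps the built-in indicator
}


def recipient_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate_send(event, group_of_user=GROUP_OF_USER):
    """Apply the indicator (or its group variant) to one constructed send
    event {sender, recipients, has_attachment}.  Returns None when no alert
    would be raised, otherwise the variant name and the offending domains."""
    if not event["has_attachment"]:
        return None                       # the indicator only covers attachments
    group = group_of_user.get(event["sender"].lower())
    allowed = VARIANTS.get(group, set())  # built-in indicator: no external domain allowed
    offending = sorted({
        recipient_domain(r) for r in event["recipients"]
        if recipient_domain(r) != INTERNAL_DOMAIN and recipient_domain(r) not in allowed
    })
    if not offending:
        return None
    variant = (f"external recipients other than {group}" if group in VARIANTS
               else "recipients outside the organization")
    return {"variant": variant, "domains": offending}


if __name__ == "__main__":
    print(evaluate_send({"sender": "alice@contoso.example",
                         "recipients": ["x@legalfirm.example", "y@contoso.example"],
                         "has_attachment": True}))
```

A marketing sender reaching the marketing firm produces no alert, while the same sender reaching the legal firm does, which is the false-positive reduction the variants are meant to provide.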

Figure 4: Creating a variant of the “Sending email with attachments to recipients outside the organization” indicator for marketing teams

This customization empowers security teams to create tailored insider risk policies for each team and reduce the number of false positives, leading to more accurate detection of insider risks. Similar to the bring-your-own-detections announcement above, security teams can also use these variants to configure Adaptive Protection to dynamically apply DLP policies based on users’ risk levels.

Figure 5: Use the variant of an indicator to create an insider risk management policy for marketing teams

Bolster your investigation efforts with new enhancements

Managing insider risks is a collaborative effort that often involves a team of analysts and investigators working together to review and prioritize alerts. Recognizing the importance of teamwork, we are excited to announce the rollout of a few enhancements that will help bolster your security team’s investigation efforts, while preserving end user privacy with pseudonymization.

Coming soon in public preview, security teams can easily assign alerts or cases to a dedicated owner to help clarify ownership and ensure accountability. Additionally, each alert and case will be assigned a static and unique ID, making it easier to communicate when pseudonymization is on. These improvements can help enable better tracking and communication among team members.

Figure 6: Insider risk alerts can be assigned to a dedicated owner and have a static and unique ID

When investigating an insider risk alert, analysts typically use various filters and columns, such as date, workload, and sensitivity label, in the activity explorer to gain insights into risky activities that could potentially result in data security incidents. To further streamline this process and enhance efficiency when working on recurring activities, we are introducing the new saved views feature in the activity explorer, available in public preview in a few weeks. This feature allows you to access a previously configured combination of filters and columns with just one click, eliminating the need to manually set them up each time.

Furthermore, the activity explorer’s export limit will increase from 10K to 100K records. This update will benefit organizations that prefer exporting insights of user activities that may lead to data security incidents to a CSV file, as they now can filter, sort, or pivot a bigger data set more conveniently.

Get started easily with insider risk analytics and enhanced quick policies

To help jump start your journey into leveraging the power of Insider Risk Management in your organization, we announced the public preview of the one-step policy creation in a blog post in July 2022. During the preview, we learned and improved the quick policy defaults tailored to various tenants, ensuring that you can start identifying risky activity in a healthy state while working on optimizing your policies over time. We’re thrilled to announce that this feature will become generally available to both commercial and government cloud customers in the next few weeks.

Think of the one-step policy creation as a shortcut that leads you to the right path. Security teams can easily set up a policy in just one click, based on the aggregated insights from Analytics in Insider Risk Management. It evaluates your organization’s insider risk posture and, based on that, recommends a default set of policy configurations and thresholds. The quick policies give you a solid starting point, so you can begin receiving alerts and insights and fine-tune the policies further.

Figure 7: Admins can create a data leak policy with one click based on the aggregated insights of an organization’s insider risk posture.

Explore more Insider Risk Management resources

  • Learn more about Insider Risk Management in our technical documentation.
  • Insider Risk Management is part of the Microsoft Purview suite of solutions designed to help organizations manage, govern and protect their data. If you are an organization using Microsoft 365 E3 and would like to experience Insider Risk and other Purview solutions for yourself, check out our E5 Purview trial.
  • If you own Insider Risk Management and are interested in learning more about it, leveraging it to understand your environment, building policies for your organization, or investigating potential risky user actions, check out the resources available on our “Become an Insider Risk Management Ninja” resource page.

– Erin Miyake, Principal Product Manager, Microsoft Purview Insider Risk Management

Microsoft 365 Virtual Training Day: Enable Hybrid Work with Microsoft Teams

Learn how to empower employees to work, learn, and collaborate from anywhere at Microsoft 365 Virtual Training Day: Enable Hybrid Work with Microsoft Teams. Join us at this free event from Microsoft Learn to see how to use Teams to facilitate teamwork and communication, both on- and off-premises. You’ll gain an understanding of how Teams provides a comprehensive and flexible environment for collaboration across apps and devices to accelerate hybrid work. You will have the opportunity to:

  • Plan, configure, and monitor a Teams environment.
  • Manage chat, calling, meetings, teams, channels, events, and apps in Teams.
  • Configure and manage Teams devices, including Microsoft Surface Hub.

Join us at an upcoming two-part event:
Thursday, July 13, 2023 | 9:00 AM – 1:00 PM | (GMT-08:00) Pacific Time (US & Canada)
Friday, July 14, 2023 | 9:00 AM – 11:15 AM | (GMT-08:00) Pacific Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

Anatomy of a modern attack surface: Six areas for organizations to manage

Keeping up with today’s threats means securing multiple attack surfaces. Read Anatomy of a modern attack surface to explore the vulnerabilities cybercriminals are currently exploiting the most, and how to help stop them from succeeding. Learn the importance of:

  • Addressing evolving email threats such as phishing and ransomware.
  • Maintaining a comprehensive understanding of your identity and access security posture.
  • Reducing the blind spots associated with unmanaged devices and IoT.
  • Gaining end-to-end visibility across multiple clouds and hybrid environments.
  • Expanding your security strategy to include your whole third-party digital ecosystem.
Read the brief >

You’re invited | Maximize your cloud investment with modern devices

Webinar date:
Wednesday, June 14, 2023
11:00 AM Pacific Time / 2:00 PM Eastern Time

Macroeconomic changes in business are driving the need to cut costs, enhance productivity, and make intelligent investments. Hardware will play a crucial role in maintaining an efficient business and enhancing workflow in your organization. Join this live webinar with Connection and Microsoft experts to get insights on the benefits of modern devices, such as Microsoft Surface, in streamlining the management of engagement data and allowing employees to focus more effectively on their best work. In a live Q&A session, you will explore:

  • Enhanced protection through chip-to-cloud security
  • Simplified IT management with versatile hardware
  • Improved productivity and collaboration with more reliable uptime
 
 
Register now >