SIP is a security technology in macOS that restricts a root user from performing operations that may compromise system integrity. Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits. The technique uncovered in this blog post was discovered during routine malware hunting and is similar to the one used in the Shrootless vulnerability (CVE-2021-30892) that we published in 2021. By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks.
Cyber-security is consistently one of the top concerns for business leaders across every industry, and when you consider that the average cost of a breach is upwards of USD 4.35 million[1], it's no surprise why. While this focus has often led to investment and the implementation of robust security practices, it has also forced cyber-criminals to rethink their attack strategies. Some of the most rapidly growing threat areas are identity-based attacks, where malicious actors look to exploit identities, or the underlying infrastructure and policies that govern them. Identity Threat Detection and Response (ITDR) is an emerging security category designed to counter these types of attacks and help businesses streamline their identity protection.
At Microsoft, we see ITDR as the point where Identity and Access Management (IAM) meets Extended Detection and Response (XDR). The critical challenge organizations face, however, is extending the necessary posture and protections across the entirety of their identity landscape. Modern identity environments consist of multiple, often fragmented, components spanning on-premises infrastructure and the cloud. Leveraging our leadership and expertise in both Identity and Security, our goal has been to help our customers prevent, detect, and remediate identity-based attacks across their entire identity environment.
Detecting advanced attacks with threat level intelligence.
Through the years, we have seen identity attacks become more and more advanced, with multifaceted strategies designed to exploit increasingly small gaps and establish a foothold from which attackers can move laterally. For instance, an initial compromise may begin with spear-phishing emails aimed at employees, tricking a few into unwittingly divulging their credentials. Armed with these stolen identities, attackers can exploit misconfigurations in the connections between on-premises and cloud identities to stealthily expand their reach into the connected cloud environments and applications. Other, more sophisticated attacks focus on compromising identity infrastructure to mint their own certificates and navigate through the network, escalating their privileges and gaining deeper access as they go.
Analyzing 65 trillion signals daily from across Microsoft's ecosystem of B2B and consumer offerings, including Microsoft Azure, LinkedIn, Microsoft 365, and Xbox, we are uniquely positioned to quickly spot emerging attack strategies and build detections for our customers. Some recent examples you may have heard of include the DnsHostName Spoofing, DFSCoerce, and KrbRelayUp tactics, to name a few. Our ITDR strategy doesn't stop there, though: we further augment these powerful identity detections with correlated data from across security domains to deliver XDR-level insights and enhanced visibility across the kill chain.
Powerful identity detections:
Let's take a common tactic in identity attacks: lateral movement. While this may sound like a relatively simple use case, it requires robust monitoring and analysis of user activities across on-premises and cloud environments. Domain Controllers (DCs) serve as the central authentication and authorization hub for on-premises networks and play a crucial role in managing who is given access to those resources. With the Microsoft Defender for Identity sensor installed on a Domain Controller, security leaders gain valuable insight into user authentication events, account activities, and access permissions. Monitoring these logs can help identify suspicious activities like unauthorized account logins, privilege escalation attempts, or abnormal resource access.
Similarly, in cloud environments, Azure Active Directory (Azure AD) serves as a central identity and access management platform, sending valuable data to Microsoft Defender for Identity and the Security Operations Center teams. Leveraging Azure AD’s comprehensive auditing and monitoring capabilities as well as Azure Active Directory Identity Protection, organizations can track user sign-ins, access attempts, and other security-related events. By enabling Azure Active Directory Conditional Access policies, organizations can proactively detect and respond to anomalous activities or attack attempts, whether done in the cloud or on-premises. Some examples include simultaneous sign-ins from different locations, unusual access patterns, token replay attacks, or attacks aiming to take control of the identity infrastructure which may indicate unauthorized lateral movement between cloud and on-premises resources. See our documentation for more details on our identity detections.
Threat level intelligence:
To detect the sophisticated attack strategies we discussed earlier, identity detections alone are not enough. Microsoft Defender for Identity, the cornerstone of our identity security capabilities, is natively integrated within our XDR platform, Microsoft 365 Defender.
Microsoft 365 Defender offers unified visibility, investigation, and response across the cyber-attack kill chain. Leveraging AI and automation, it correlates alerts from different sources to provide a single incident view with rich contextual information. It also enables teams to quickly and efficiently investigate emerging threats. By correlating all the available information, including signals from endpoints, identity providers, identity infrastructure, collaboration tools and cloud applications, we can give a greater view into the entire end-to-end lifecycle of the identity.
Figure 1: Advanced hunting tables[3] allow users to hunt for emerging threats across your identity data and activities within a single view, regardless of environment or provider. Create custom detections and enhance existing investigations with identity signals.
Respond and remediate attacks at machine speed.
When it comes to identity-based attacks, the ability to swiftly and effectively remediate the compromised systems and disrupt the attacker’s operations becomes crucial. For example, the median time for an attacker to access your private data after you fall victim to a phishing email is 1 hour, 12 minutes[4]. In a situation like this you need to be able to detect, investigate, and respond to the breach in under 72 minutes. Working across teams and tools this can be especially challenging, so we have focused on two critical areas to help our customers respond and remediate attacks at machine speed:
Enabling intelligent automation:
AI and automation are reshaping almost every facet of business today, and security is no exception. In fact, a recent study found that organizations incurred 80% higher costs where security AI and automation weren't fully deployed[1]. Capitalizing again on the native integration between our Identity protection capabilities and XDR platform, we leverage XDR-level intelligence and AI to automatically disrupt even the most advanced attacks.
Automatic attack disruption is designed to contain attacks in progress by automatically disabling or restricting compromised devices and user accounts—stopping progression and limiting the impact to organizations. This is a big innovation; today most security teams can’t respond fast enough to sophisticated attacks and are forced to reactively handle the fallout from a breach. With attack disruption, attacks are contained to a small number of assets, dramatically minimizing the impact and improving business continuity.
In an identity attack, Microsoft Defender for Identity can take immediate action to disable the user, trigger multi-factor authentication, disable authentication for unauthorized accounts, or even isolate affected systems using Microsoft Defender for Endpoint. These automated tactics not only limit the attacker's ability to move laterally and access critical resources but also prevent further damage and data exfiltration.
Figure 2: Incident view showing the yellow bar where automatic attack disruption took action
Maximizing user experience and efficiency.
ITDR is a team sport, and while collaboration between SOC and Identity teams is crucial, each persona's unique needs require distinctly different information and capabilities to do their job. At Microsoft we can help maximize your team's effectiveness with integrated, persona-based experiences designed to surface and prioritize information and alerts.
SOC analysts gain greater visibility across their identity landscape with a unified Identity Inventory, showing all corporate identities in one easy-to-search view. Going a layer deeper, Identity Pages offer more detailed information on each unique identity, including recent behavior via the Identity Timeline. On top of all the identity-specific views and benefits, SOC teams can also capitalize on Microsoft's Secure Score, which correlates signals from across workloads to curate identity-related recommendations and reduce your security posture risk.
Figure 3: Identity Inventory delivers a comprehensive inventory of all your identities regardless of type, environment or vendor.
Figure 4: Identity page and Identity Activity Timeline view aggregate relevant data from multiple workloads to provide security teams with additional insight and detail into individual identities and recent behavior.
Figure 5: Microsoft Secure Score correlates signals from across workloads to curate and prioritize identity-related recommendations and reduce your security posture risk.
Identity Admins and IT practitioners also benefit from their own unique portal and prioritized view, where they can quickly sort by risk level and prevent potential account compromise.
Figure 6: Azure Active Directory Identity Protection
Learn more about Microsoft’s ITDR strategy and find out how you can maximize your investments to save up to 60% with Microsoft 365 E5 Security and Microsoft 365 E5 Compliance[5].
A vulnerability has been discovered in Progress MOVEit Transfer which could allow for potential unauthorized access to the environment, escalated privileges, and remote code execution. MOVEit Transfer is a managed file transfer software that allows the enterprise to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
There is threat intelligence of this vulnerability being exploited in the wild.
Systems Affected
MOVEit Transfer prior to 2023.0.1
MOVEit Transfer prior to 2022.1.5
MOVEit Transfer prior to 2022.0.4
MOVEit Transfer prior to 2021.1.4
MOVEit Transfer prior to 2021.0.6
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Technical Summary
A vulnerability exists in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. Successful exploitation allows attackers to download and steal sensitive information such as the list of stored files, the usernames of those who uploaded the files, file paths, configured Azure Blob Storage accounts, data from Azure Blob Storage containers, data from servers, and so on. The attackers can also insert and delete a new randomly named MOVEit Transfer user with the login name ‘Health Check Service’ and create new MySQL sessions. Progress Software is advising MOVEit customers to check for indicators of unauthorized access over “at least the past 30 days”, as well as following other remediation recommendations.
Recommendations
In addition to Progress' remediation recommendations, the following actions are recommended:
Ensure your MOVEit application is receiving and applying updates, definitions, and security patches and mitigations recommended by Progress.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
Block execution of code on a system through application control and/or script blocking.
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Use signatures or heuristics to detect malicious software.
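The advisory names two concrete things to look for: creation (and quick deletion) of a MOVEit Transfer user with the login name ‘Health Check Service’, and a review window of at least the past 30 days. The following is an added example, not code from Progress or from the advisory, that runs that hunt over constructed user-audit rows; the row layout, action names and sample values are assumptions, so map them onto whatever your MOVEit audit export actually looks like.

```python
# Added example (not from the advisory or from Progress): hunt constructed
# MOVEit Transfer-style user audit rows for the 'Health Check Service' login
# the advisory describes, within the 30-day review window Progress recommends.
# Row format (timestamp, action, login name, actor) and action names are assumed.
from datetime import datetime, timedelta, timezone

SUSPICIOUS_LOGIN = "Health Check Service"   # login name quoted in the advisory
LOOKBACK_DAYS = 30                          # "at least the past 30 days"

# Constructed sample audit rows; the two 2023-05-28 rows model the
# create-then-delete pattern the advisory describes.
SAMPLE_AUDIT = [
    ("2023-03-01T09:00:00Z", "user_create", "Health Check Service", "svc_web"),
    ("2023-04-20T08:01:00Z", "user_create", "alice", "admin"),
    ("2023-05-28T02:13:07Z", "user_create", "Health Check Service", "svc_web"),
    ("2023-05-28T02:13:09Z", "user_delete", "Health Check Service", "svc_web"),
    ("2023-05-30T11:00:00Z", "user_create", "bob", "admin"),
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt(rows, now, lookback_days=LOOKBACK_DAYS):
    """Return findings for suspicious-login create/delete events inside the window.

    Matching is case-insensitive and whitespace-tolerant so a padded or
    re-cased variant of the login name is not missed. A delete that follows a
    create is reported with the account's lifetime in seconds, which makes the
    short-lived 'insert and delete' pattern easy to spot.
    """
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    pending_create = {}  # normalised login -> timestamp of its last create
    for ts_text, action, login, actor in rows:
        ts = parse_ts(ts_text)
        if ts < cutoff:
            continue  # older than the review window
        key = login.strip().lower()
        if key != SUSPICIOUS_LOGIN.lower():
            continue
        if action == "user_create":
            pending_create[key] = ts
            findings.append({"kind": "suspicious_user_created", "ts": ts,
                             "actor": actor, "lifetime_s": None})
        elif action == "user_delete":
            created = pending_create.pop(key, None)
            lifetime = (ts - created).total_seconds() if created else None
            findings.append({"kind": "suspicious_user_deleted", "ts": ts,
                             "actor": actor, "lifetime_s": lifetime})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_AUDIT, now=parse_ts("2023-06-02T00:00:00Z")):
        print(f["kind"], f["ts"].isoformat(), "by", f["actor"], "lifetime:", f["lifetime_s"])
```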
The Federal Bureau of Investigation (FBI), the US Department of State, and the National Security Agency (NSA), together with the Republic of Korea’s National Intelligence Service (NIS), National Police Agency (NPA), and Ministry of Foreign Affairs (MOFA), have issued a Joint Cybersecurity Advisory to highlight the use of social engineering by Democratic People’s Republic of Korea (DPRK a.k.a. North Korea) state-sponsored cyber actors to enable computer network exploitation (CNE) globally against individuals employed by research centers and think tanks, academic institutions, and news media organizations. These North Korean cyber actors are known to conduct spearphishing campaigns posing as real journalists, academics, or other individuals with credible links to North Korean policy circles. The DPRK employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets.
North Korea’s cyber program provides the regime with broad intelligence collection and espionage capabilities. The Governments of the United States and the Republic of Korea (ROK a.k.a. South Korea) have observed sustained information-gathering efforts originating from these North Korean cyber actors. North Korea’s primary military intelligence organization, the Reconnaissance General Bureau (RGB), which has been sanctioned by the United Nations Security Council, is primarily responsible for this network of actors and activities.
We assess the primary goals of the DPRK regime’s cyber program include maintaining consistent access to current intelligence about the United States, South Korea, and other countries of interest to impede any political, military, or economic threat to the regime’s security and stability.
Currently, the US and ROK Governments, and private sector cyber security companies, track a specific set of DPRK cyber actors conducting these large-scale social engineering campaigns as Kimsuky, Thallium, APT43, Velvet Chollima, and Black Banshee. Kimsuky is administratively subordinate to an element within North Korea’s RGB and has conducted broad cyber campaigns in support of RGB objectives since at least 2012. Kimsuky actors’ primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime.
Some targeted entities may discount the threat posed by these social engineering campaigns, either because they do not perceive their research and communications as sensitive in nature, or because they are not aware of how these efforts fuel the regime’s broader cyber espionage efforts. However, as outlined in this advisory, North Korea relies heavily on intelligence gained by compromising policy analysts. Further, successful compromises enable Kimsuky actors to craft more credible and effective spearphishing emails that can be leveraged against more sensitive, higher-value targets. The authoring agencies believe that raising awareness of some of these campaigns and employing basic cyber security practices may frustrate the effectiveness of Kimsuky spearphishing operations.
This Joint Cybersecurity Advisory provides detailed information on how Kimsuky actors operate; red flags to consider as you encounter common themes and campaigns; and general mitigation measures for entities worldwide to implement to better protect against Kimsuky’s CNE operations.
The goal of this project is to define and facilitate a reference architecture (or architectures) for digital identities that protects privacy, is implemented in a secure way, enables equity, is widely adoptable, and is easy to use. The concepts of cybersecurity, privacy, and adoptability are critically important to this overall effort and will be interwoven into the work of this project from the beginning.
The NCCoE intends to help accelerate the adoption of standards, investigate what “works” and “what does not” based upon current efforts being performed by various entities, and provide a forum/environment to discuss and resolve challenges in implementing ISO/IEC 18013-5 (attended) and ISO/IEC 18013-7 (over-the-internet) standards.
Next Steps
In the coming months, the NCCoE will publish a Federal Register Notice (FRN) based on the final project description. A notification will be distributed once this is available. If you have interest in participating in this project as a collaborator, you will have the opportunity to complete a Letter of Interest (LOI) where you can present your capabilities. Completed LOIs are considered on a first-come, first-served basis within each category of components or characteristics listed in the FRN, up to the number of participants in each category necessary to carry out the project.
If you have any questions, please reach out to the project team at [email protected].
To learn more about the project and to join the Community of Interest, visit the project page.
Today at the annual NICE Conference & Expo, Rodney Petersen, the Director of NICE, announced a new Notice of Funding Opportunity (NOFO) from the National Institute of Standards and Technology (NIST). Following a successful pilot program in 2016, NIST is again offering funding to establish Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development. As part of the Department of Commerce’s Principles for Highly Effective Workforce Investments and Good Jobs Principles, RAMPS will support the NIST-led NICE program. Effective partnerships will focus on bringing together employers and educators to develop a skilled workforce to meet industry needs within a local or regional economy. NIST anticipates funding up to eighteen awards of up to $200,000 through cooperative agreements. Applicants must demonstrate through letters of commitment that at least one of each of the following types of organizations is committed to being part of the proposed regional alliance: institution of higher education or nonprofit training organization, and local employer or owner or operator of critical infrastructure. The deadline to apply is August 7, 2023, by 11:59pm Eastern Time. A webinar for interested applicants will be held on June 13, 2023 at 1-2pm Eastern Time to provide general information regarding this funding opportunity, offer general guidance on preparing applications, and answer questions. View this Funding Opportunity on Grants.gov
Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you'll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you'll learn to confidently perform investigations and remediations to help defend against threats.
You will have the opportunity to:
Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
Understand ways to help protect people and data against cyberthreats with Microsoft technologies.
Join us at an upcoming two-part event:
Thursday, July 6, 2023 | 10:00 AM – 12:45 PM | (GMT-05:00) Eastern Time (US & Canada)
Friday, July 7, 2023 | 10:00 AM – 12:00 PM | (GMT-05:00) Eastern Time (US & Canada)
Delivery Language: English
Closed Captioning Language(s): English
As cloud computing continues its global expansion, security teams must adapt and find new ways to keep digital estates protected. That's why it's essential to build an identity and access management (IAM) strategy that can govern identities, manage permissions, and mitigate risks across any multicloud or hybrid environment. Learn more about a continuous, cloud-based approach to identity management.
Read the e-book, Evolving Identity and Access Management for the Multicloud World, to:
Understand how unmanaged permissions increase your risk of a breach.
Discover the benefits of an integrated, scalable, cloud-native approach to identity management.
See how the cloud infrastructure entitlement management (CIEM) lifecycle approach helps discover, remediate, and monitor risks continuously.
Explore the capabilities of a decentralized identity solution.