Microsoft Blog: Become a Microsoft Priva Ninja

We are very excited and pleased to announce this edition of the Ninja Training Series. We have compiled several videos, document guides, and other resources to aid users in mastering the Microsoft Priva Ninja training realm. Our goal is to get you the most current links to the community blogs, training videos, Interactive Guides, learning paths, and any other relevant documentation.  

To make it easier for you to start and advance your knowledge gradually, we split the content for each Priva module, Risk Management and Subject Rights Requests, into three levels: beginner, intermediate, and advanced.

Introduction to Microsoft Priva 

Privacy is top of mind for organizations and consumers today, and concerns about how personal data is handled are steadily increasing. Regulations and laws such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) impact people around the world, setting rules for how organizations store personal data and giving people rights to manage personal data collected by an organization. 

To meet regulatory requirements and build customer trust, organizations need to take a “privacy by default” stance. Rather than manual processes and a patchwork of tools, organizations need a comprehensive solution to address common challenges such as: 

  • Protecting the increasing amounts of unstructured data from privacy issues arising from human error 
  • Helping employees adopt sound data handling practices and training them to spot and fix issues 
  • Understanding the potential risks in the amount and type of personal data they store and share 
  • Fulfilling data subject requests, or subject rights requests, efficiently and on time 

Microsoft Priva helps organizations meet these challenges so they can achieve their privacy goals. 

Priva Introduction Video  

Overview 

Microsoft Priva provides a set of solutions that help companies safeguard personal data and build a privacy-resilient workplace by proactively identifying and protecting against privacy risks such as data hoarding, data transfers, and data oversharing, empowering information workers to make smart data handling decisions, and automating and managing subject requests at scale. 

  1. Identify critical privacy risks and conflicts: Gain visibility into your private data and associated risks with automated data discovery, user mapping intelligence, and correlated signals. 
  2. Automate privacy operations and response to subject rights requests: Effectively mitigate privacy risks with automated policies, built-in risk detection and remediation, and collaboration workflows, and automate and manage subject rights requests at scale. 
  3. Empower employees to make smart data handling decisions: Foster a proactive privacy culture by increasing awareness of and accountability towards privacy violations and risks without hindering employee productivity. 

Manage data privacy and data protection with Microsoft Priva – Document 

Priva Risk Management Module 

Privacy Risk Management in Microsoft Priva gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal guides and can help you: 

  • Detect overexposed personal data so that users can secure it. 
  • Spot and limit transfers of personal data across departments or regional borders. 
  • Help users identify and reduce the amount of unused personal data that you store. 

Privacy Risk Management offers built-in templates for these scenarios to help you easily create policies. You can also fine-tune your approach by creating custom policies, using any of these templates as a starting point. 

Figure 1: Templates for Custom Policies

When policy matches are found, admins can review alerts about the findings and decide how to handle the data by creating issues for further action by your users. To learn more, see Investigate and remediate alerts in Privacy Risk Management. You can also configure email notifications and, for supported policy types, Teams notifications to notify your content owners directly about policy matches. They can take corrective action from these notifications and learn more about best practices for handling data through links you provide to your own training materials.

Beginner Training 

  1. Getting started with Priva: the information below covers prerequisites, administrator roles and permissions, and settings
    1. Get started with Priva – Document 
    2. Priva Administrator Experience – YouTube 
    3. Set user permissions and assign roles in Priva – Document 
    4. Configure Priva settings – Document 
  2. In this section, we will get familiar with how to assess your organization’s data and risks in the Priva dashboards
    1. Optimizing your initial setup – Document 
    2. Explore the Overview page – Document 
    3. Explore the data profile page – Document 

Intermediate 

  1. Learn about how to create and manage policies within Priva to mitigate risk
    1. Learn about key risk scenarios – Document 
  2. Follow this link to learn how to configure Priva policies
    1. Priva Risk Management policies – Document 
    2. Sending IW digest notification – Document 
    3. Managing your policies – YouTube 
    4. Live PII policy blocking in Teams – YouTube 
  3. Use the policy wizard to set up policies from the built-in templates
    1. Data overexposure policy setup – Document 
    2. Data transfer policy setup – Document 
    3. Data minimization policy setup – Document   

IW Digest Matrix 

Figure 2: IW Digest Matrix

Advanced 

  1. Follow this link to learn how admins can view and manage policy alerts and create issues
    1. Investigate and remediate alerts in Priva Risk Management – Document  
  2. Now that you have advanced your learning on the Priva Risk Management module, use the interactive guide below for practical application of your new Priva skills and knowledge
    1. Priva Risk Management Interactive Guide 

Priva Subject Rights Requests Module 

Several privacy regulations around the world grant individuals—or data subjects—the right to make requests to review or manage the personal data that companies have collected about them. These subject rights requests are also referred to as data subject requests (DSRs), data subject access requests (DSARs), or consumer rights requests.  

For companies that store large amounts of information, finding the relevant data can be a formidable task. Fulfilling the requests, for most organizations, is a highly manual and time-consuming process. 

The Microsoft Priva Subject Rights Requests solution is designed to help alleviate the complexity and length of time involved in responding to data subject inquiries. It provides automation, insights, and workflows to help organizations fulfill requests more confidently and efficiently. 

Learn about Priva Subject Rights Requests – Document 

Beginner 

  1. Priva Subject Rights Requests Module Overview – YouTube 
  2. Learn how to control access within Priva Subject Rights Requests: Set user permissions and assign roles in Microsoft Priva – Document
    1. Subject Rights Request Administrator 
    2. Collaborator (Privacy Management Contributors) 
    3. Approver (Delete requests only) 
  3. Learn about Priva settings related to Subject Rights Requests: Learn about Priva Subject Rights Requests – Document
    1. Retention 
    2. Privacy Data Match: Data matching for Subject Rights Requests – Document 
    3. Teams integration: Learn about Priva Subject Rights Requests – Document 
  4. Learn how to understand each of the stages and how to navigate details of the SRR dashboard
    1. Understand the workflow and request details pages – Document  
  5. How to initiate an SRR in Priva
    1. Create a request and define search settings – Document 

Intermediate 

  1. Stages of the SRR
    1. Data estimate and retrieval – Document 
    2. Review data and collaborate – Document 
    3. Generate reports and close a request – Document 
  2. Tasks for reviewing data – Document
    1. Import additional files – Document  
    2. Mark items as Include or Exclude – Document  
    3. Download files – Document  
    4. Apply data review tags – Document  
    5. Use Annotate command to redact text – Document 
    6. Enter notes about a file – Document  
  3. Learn more about Priva’s new delete-type SRR, the right-to-be-forgotten feature
    1. Create and manage a delete request – Document 
    2. Priva Right to Be Forgotten – YouTube 

Advanced 

  1. Integrate with Microsoft Graph API and Power Automate – Document  
  2. Now that you have advanced your learning on the Priva Subject Rights Requests module, use the interactive guide below for practical application of your new Priva skills and knowledge
    1. Subject Rights Requests Interactive Guide 

Streamline the process to bring your own detections in Microsoft Purview Insider Risk Management

Organizations often encounter significant challenges when attempting to gain a unified view of insider risks in their multicloud environments. Typically, this entails cross-checking multiple systems and manually correlating information to gain a comprehensive understanding of a specific user’s activities that could potentially lead to data security incidents.

As we announced in the previous blog post, Microsoft Purview Insider Risk Management allows you to bring your own detections and create custom indicators. Admins with the appropriate permissions can incorporate detections from homegrown analytics or SIEM/UEBA platforms like Sentinel, as well as directly from non-Microsoft systems such as Salesforce and Dropbox. These detections can then be used in Insider Risk Management policies to detect scenarios such as data theft and data leaks. By weaving a user’s risky activities across different environments into a unified timeline view, security teams can obtain a comprehensive understanding of potential security incidents across various applications.

In this blog post, we will show you how you can automate the process to bring your own risk detections into Microsoft Purview Insider Risk Management, which correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Automate the process of bringing in detections with Microsoft Sentinel

Here’s an example of automating the process to bring detections into Microsoft Purview Insider Risk Management through Microsoft Sentinel and Azure Logic Apps:

The Contoso organization has discovered instances in which GitHub privileged administrators or repository owners exposed confidential source code files to the public, leading to leakage of intellectual property. The Contoso security team aims to investigate these incidents and develop strategies to identify potential risky activities on GitHub before they escalate into full-blown data security incidents.

To achieve the above objectives, the team can utilize Analytics in Microsoft Sentinel to create rules that define risky activities that may lead to a data security incident by GitHub users in their organization. They can then leverage the bring-your-own-detections capability and Azure Logic Apps to automatically bring the detected risky activities into Microsoft Purview Insider Risk Management, a purpose-built solution that is designed for managing and mitigating insider risks. This approach enables Contoso to consolidate risky user activity signals across various workloads, including GitHub, Microsoft 365, endpoints, and other cloud services and apps, and conduct a holistic assessment of users’ risk levels.

Here are the four steps that the Contoso security team can follow:

  1. Author Analytics rules in Microsoft Sentinel to detect risky user activities that may potentially lead to data security incidents in GitHub
  2. Stream risk detections from Microsoft Sentinel to Microsoft Purview Insider Risk Management through the Insider risk indicators connector
  3. Create Custom Indicators in Microsoft Purview Insider Risk Management and use them in a Data leak policy
  4. Conduct in-depth investigations of risky user activities that have the potential to result in data security incidents across environments

In the following sections, we will provide detailed explanations of each step, accompanied by screenshots as illustrative examples.

Step 1: Author Analytics rules in Microsoft Sentinel to detect risky user activities that may potentially lead to data security incidents in GitHub

Before incorporating detections into Microsoft Purview Insider Risk Management, it is essential to process activity logs to identify risky events that should be included. Step 1 guides you through connecting the log data to Microsoft Sentinel and curating them into the relevant risky activities you want to bring into Microsoft Purview Insider Risk Management.

To begin, an admin can create a Microsoft Sentinel workspace and establish a connection with their enterprise GitHub account using the GitHub Enterprise Audit Log connector. Microsoft Sentinel provides data connectors for over 240 SaaS/PaaS workloads, enabling administrators to perform this process for any application relevant to their organization, in addition to GitHub.

Figure 1: Admin leverages the GitHub Enterprise Audit Log connector to pull GitHub audit logs and ingest them into Sentinel

Once connected, users’ GitHub activities, including repo creation, deletion, making a repo private, and adding external users, will be captured in the GitHubAuditData table within the Sentinel Logs. Security teams can leverage these logs to enhance visibility into their organization’s GitHub repositories, formulate queries, and detect potential security incidents.

Figure 2: User actions in GitHub are collected and captured in Microsoft Sentinel Logs

After establishing the GitHub connection in Microsoft Sentinel, admins can proceed to create custom Analytics rules that aid in identifying risks and detecting anomalous activities. These Analytics rules search for specific events or event patterns across your environment. Once certain event thresholds or conditions are met, Microsoft Sentinel triggers alerts, generating incidents that security teams can then triage and investigate.

For instance, in this particular scenario, admins can develop Analytics rules that target risky source code activities, such as a GitHub repository being switched from private to public or external users being added to a source code project.

Figure 3: Admins create a Microsoft Sentinel Analytics rule to detect risky activity, GitHub repo switched from private to public

Figure 4: Admins define the logic of the Analytics rule to detect risky activity, GitHub repo switched from private to public

Once the Analytics rule is created, admins can see alerts in Microsoft Sentinel Incidents when users perform activities that match the Analytics rules.

Figure 5: Admins can view the incidents and alerts corresponding to the Analytics rules configured

Figure 6: Incident details are also captured in Microsoft Sentinel Logs

Step 2: Stream risk detections from Microsoft Sentinel to Microsoft Purview Insider Risk Management through the Insider risk indicators connector

Security teams can use Microsoft Sentinel for their general security operations. However, when it comes to managing insider risks, organizations need to use Microsoft Purview Insider Risk Management. In Step 2, we will show you how to automate the workflows to constantly bring the detected risky activities into Insider Risk Management.

Admins with appropriate permissions can create an Insider risk indicators connector within the Data Connectors page of the Microsoft Purview compliance portal. First, they upload a sample file containing the Sentinel detections, which assists in defining the data type and mapping of the detected activities they wish to bring in.

Figure 7: Admins define the data type and mapping that will be available to review in insider risk alerts

To automate the import of detections, an admin can create an Azure Logic App that queries Sentinel Logs periodically and streams the detections into Insider Risk Management automatically. This approach saves time by eliminating the need for manual imports and streamlines the process to bring in risk detections. For guidance on creating an Azure Logic App using the provided JSON template, please refer to the article “How to import an existing Logic App template.”

Figure 8: Admins use Azure Logic Apps to automate the bring-your-own-detections process
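To make Steps 1 and 2 concrete, the following is an added example (not code from the post, Microsoft, or the Contoso scenario) that expresses the two detections named above, a repository switched from private to public and an external user added to a repository, as plain Python over a handful of constructed audit-log events, and then renders the hits in the shape of a sample file for the Insider risk indicators connector. In the real pipeline this logic lives in KQL over the GitHubAuditData table and the rows are pushed by the Logic App; the event field names (`action`, `actor`, `repo`, `visibility`, `user`, `@timestamp`), the org-member list, and the CSV column names are all assumptions made for the example.

```python
"""Detection logic for the two risky GitHub activities described in Step 1,
run over constructed audit-log events instead of Sentinel's GitHubAuditData
table, plus a renderer for the Step 2 connector sample file.
Added example; not Microsoft's, Contoso's, or the post's own code."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events. Field names follow the GitHub audit-log shape as
# understood here (an assumption); verify against your own GitHubAuditData rows.
SAMPLE_EVENTS = [
    {"@timestamp": 1690000000000, "action": "repo.access", "actor": "alice",
     "repo": "contoso/payments-core", "visibility": "public"},
    {"@timestamp": 1690000100000, "action": "repo.access", "actor": "bob",
     "repo": "contoso/docs", "visibility": "private"},
    {"@timestamp": 1690000200000, "action": "repo.add_member", "actor": "alice",
     "repo": "contoso/payments-core", "user": "ext-consultant"},
    {"@timestamp": 1690000300000, "action": "repo.add_member", "actor": "carol",
     "repo": "contoso/docs", "user": "bob"},
    # A brand-new public repo is not a private-to-public switch, so it is not flagged.
    {"@timestamp": 1690000400000, "action": "repo.create", "actor": "bob",
     "repo": "contoso/sandbox", "visibility": "public"},
]

# Constructed: GitHub logins of org members mapped to their UPNs. Insider Risk
# Management keys activity on the user, so each row needs a resolved identity.
ORG_MEMBERS = {
    "alice": "alice@contoso.com",
    "bob": "bob@contoso.com",
    "carol": "carol@contoso.com",
}


@dataclass(frozen=True)
class Detection:
    user_upn: str
    activity: str
    occurred_at: str  # ISO-8601 UTC
    details: str


def _iso(epoch_ms):
    """GitHub audit timestamps are epoch milliseconds; normalise to ISO-8601 UTC."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def detect_repo_made_public(events, members=ORG_MEMBERS):
    """Rule 1 (Figures 3-4): a repo.access event whose resulting visibility is public."""
    return [
        Detection(members.get(e["actor"], e["actor"]), "GitHubRepoMadePublic",
                  _iso(e["@timestamp"]), f"{e['repo']} switched to public")
        for e in events
        if e.get("action") == "repo.access" and e.get("visibility") == "public"
    ]


def detect_external_user_added(events, members=ORG_MEMBERS):
    """Rule 2: a collaborator who is not a known org member is added to a repo."""
    return [
        Detection(members.get(e["actor"], e["actor"]), "GitHubExternalUserAdded",
                  _iso(e["@timestamp"]), f"{e['user']} added to {e['repo']}")
        for e in events
        if e.get("action") == "repo.add_member" and e.get("user") not in members
    ]


def run_detections(events):
    """Run both rules and return the hits in time order, as a Logic App run would."""
    hits = detect_repo_made_public(events) + detect_external_user_added(events)
    return sorted(hits, key=lambda d: d.occurred_at)


def to_connector_csv(detections):
    """Render hits as the kind of sample file the connector wizard in Step 2 takes.
    Column names are an assumption: the wizard maps whatever columns you upload."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["UserPrincipalName", "ActivityType", "Timestamp", "Details"])
    writer.writeheader()
    for d in detections:
        writer.writerow({"UserPrincipalName": d.user_upn, "ActivityType": d.activity,
                         "Timestamp": d.occurred_at, "Details": d.details})
    return buf.getvalue()


if __name__ == "__main__":
    print(to_connector_csv(run_detections(SAMPLE_EVENTS)))
```

Two design points carry over to the KQL version: key the detection on the resulting state (`visibility == public`) rather than on the action name alone, so routine private-to-private access changes are not flagged; and resolve the GitHub login to the UPN before the row leaves Sentinel, because the indicator is only useful to Insider Risk Management if it lands on the same pseudonymized user as the native Microsoft 365 signals.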

Step 3: Create custom indicators in Microsoft Purview Insider Risk Management and use them in a Data leak policy

Once the detections have been imported into Microsoft Purview Insider Risk Management, you can begin incorporating them into your insider risk policies, which then can generate alerts that are derived from risk insights across environments. To achieve this, admins need to define indicators for the imported detections.

Admins with appropriate permissions can navigate to the Insider risk settings and create custom indicators. By selecting the relevant element and value from the detections imported through the connector established in Step 2, administrators can define these custom indicators and how to use them.

Figure 9: Admins create a new custom indicator, Source code theft indicator from GitHub, as an indicator or policy trigger

Figure 10: Admins use custom indicators as insider risk policy triggers, which will initiate risk score assignments to users who match the condition.

Figure 11: Admins use custom indicators as policy indicators, which are used to generate alerts.

After the custom indicator is created, it can be used within Insider Risk Management policies, such as data leaks and data theft by departing users. The policies will then incorporate custom indicators when generating alerts and calculating risk scores.

Step 4: Conduct in-depth investigations of risky user activities that have the potential to result in data security incidents across environments

When alerts are generated based on the user activities that may lead to data security incidents, the custom indicators are integrated into the user activity timeline. This capability allows insider risk investigators to access all the insights and underlying activity in a single location, providing a comprehensive understanding of the impact and scope of a potential data security incident. By weaving together the custom indicators and other native user activity signals, the investigator gains a holistic view of a potential incident and its possible ramifications.

Figure 12: Insider risk indicators are presented in one comprehensive view for investigators to have a holistic understanding of the potential data security incident.

Explore more Insider Risk Management resources

This new feature is currently in public preview, and we eagerly await your feedback. To help you learn more about Microsoft Purview Insider Risk Management, here are some additional resources for your reference:

  • Learn more about Insider Risk Management in our technical documentation.
  • Insider Risk Management is part of the Microsoft Purview suite of solutions designed to help organizations manage, govern and protect their data. If you are an organization using Microsoft 365 E3 and would like to experience Insider Risk and other Purview solutions for yourself, check out our E5 Purview trial.
  • If you own Insider Risk Management and are interested in learning more about it, leveraging it to understand your environment, building policies for your organization, or investigating potentially risky user actions, check out the resources available on our “Become an Insider Risk Management Ninja” resource page.

Sensitivity label support in Microsoft Fabric and Power BI enables end-to-end information protection

Did you know that 88% of organizations lack the confidence to prevent sensitive data loss? Discovery and classification of sensitive data is important for organizations that want to better protect sensitive personally identifiable information (PII) and corporate intellectual property. When these sensitive labeled files are used in business intelligence and analytics solutions, it’s important that they remain protected and are shared and accessed only by authorized individuals.

With Microsoft Purview Information Protection, we provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your digital estate. This includes Microsoft clouds such as Microsoft 365 and Azure, as well as on-premises, hybrid and third-party clouds, and SaaS applications. 

In addition, to ensure the security of your organization’s data, it’s imperative to also enable governance over your organization’s data estate. We are pleased to announce new capabilities in both Microsoft Fabric and Power BI.

With Fabric, Microsoft provides centralized visibility into what’s happening with your data, gives insights into usage and adoption, and enables organizations to secure and govern data end to end with a single central data repository. Fabric provides a unified intelligent data foundation for all first-party analytics workloads and integrates Power BI, Data Factory, and the next generation of Synapse to offer customers an easy-to-use and powerful modern analytics solution.

Figure 1: Microsoft Fabric key components

Today we are announcing the following Microsoft Purview capabilities in Fabric, all in public preview:

  1. Integration with Information Protection sensitivity labels
  2. Microsoft Purview Hub support
  3. Audit logs support

Fabric natively integrates the same familiar unified Information Protection sensitivity labels that are used in Microsoft 365, so users can easily see if a file or email is confidential and whether they are blocked from exporting the file. Data owners can apply a sensitivity label to a lakehouse or any other Fabric item, and the label will flow with the data to all downstream items in Fabric. These labels and their protection settings are also automatically applied to Microsoft 365 files that are exported from Fabric.  Learn more about Information protection in Fabric.

Figure 2: Using Information Protection sensitivity labels in Fabric.

Fabric admins can also use the Microsoft Purview hub, which contains insights about sensitive data as well as certified and promoted items. It also serves as a gateway to advanced capabilities in Microsoft Purview and analytics information showing labeled versus unlabeled files containing sensitive data that need to be addressed.  


Figure 3: Microsoft Purview hub portal view

In addition, Fabric is also integrated with Microsoft Purview audit, which provides Fabric and compliance admins with comprehensive logs of Fabric activities. All user and system operations are captured in the audit logs and made available in the Microsoft Purview compliance portal. Learn more about audit logs in Fabric.

Finally, we are also pleased to announce the following capabilities in Power BI now in general availability:

  1. Inheritance of sensitivity labels from connected data sources in Power BI
  2. Data Loss Prevention support for Power BI

Power BI datasets that connect to sensitivity-labeled data in Azure Synapse Analytics, Azure SQL Database, and Excel files stored in OneDrive or SharePoint Online can automatically inherit those labels, so that the data remains classified and secure when brought into Power BI. Power BI is also supported as a workload in Data Loss Prevention policies, so that sensitive data can be automatically detected and prevented from exfiltration. Learn more about DLP policies in Power BI.  

An example of downstream inheritance and inheritance from data sources is illustrated below. At the top, we see the Excel file RegionalSales, which is labeled Highly Confidential. Below that, in lineage view, we see the Excel file as an external data source and how its sensitivity label filters down and gets applied to the dataset and its downstream content, which in the image below are the reports built from the dataset.

Figure 4: Screenshot of lineage view that illustrates label inheritance from data sources and downstream inheritance

Along with inheritance from data sources, inheritance upon creation of new content, inheritance upon export to file (e.g., Excel), and other capabilities for applying sensitivity labels, downstream inheritance helps ensure that sensitive data remains protected throughout its journey in Power BI, from data source to point of consumption. Confidential and highly sensitive data that is labeled and protected by Microsoft Purview Information Protection can continue to be protected in Power BI datasets and reports throughout its lifecycle. This provides organizations with more comprehensive visibility, manual or automated protection of sensitive information, and end-to-end information protection within Power BI. Learn more about how to apply sensitivity labels in Power BI here.


How to Get Started 

Read this blog to see how you can get a free trial to Fabric and view Fabric trial documents.

Get access to Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a trial. By enabling the trial in the Purview compliance portal, you can quickly access these advanced classifiers. Visit your Microsoft Purview compliance portal for more details or check out the Microsoft Purview solutions trial.

NICE Webinar: Securing Space – The Next Frontier for Cybersecurity Education and Workforce Dev

Synopsis: As the United States moves to establish space as an operational domain and seeks to support a space economy, there are corresponding challenges in addressing cybersecurity vulnerabilities and threats to the sector. While many existing cybersecurity principles and practices remain applicable to space as an emerging commercial critical infrastructure sector, there are many nuances and specialties that will require augmenting existing cybersecurity education and training content and learning experiences, and requirements for new work roles or competency areas are likely to emerge. Register Today

NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing 

Today, the National Security Agency (NSA) and CISA published 5G Network Slicing: Security Considerations for Design, Deployment, and Maintenance. This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents recommendations to address some identified threats to 5G standalone network slicing, and provides industry-recognized practices for the design, deployment, operation, and maintenance of hardened 5G standalone network slices. This guidance builds upon the 2022 ESF guidance Potential Threats to 5G Network Slicing.

CISA encourages 5G providers, integrators, and network operators to review this guidance and implement the recommended actions. For additional 5G guidance, visit CISA.gov/5G-library.

CISA Develops Factsheet for Free Tools for Cloud Environments

CISA has developed and published a factsheet, Free Tools for Cloud Environments, to help businesses transitioning into a cloud environment identify the proper tools and techniques necessary for protecting critical assets and data. Free Tools for Cloud Environments provides network defenders and incident responders/analysts with open-source tools, methods, and guidance for identifying, mitigating, and detecting cyber threats, known vulnerabilities, and anomalies while operating a cloud or hybrid environment. 

Cloud service platforms and cloud service providers (CSPs) have developed built-in security capabilities that organizations can use to strengthen their security while operating in cloud environments. Organizations are encouraged to use the built-in security features from CSPs and to take advantage of free CISA- and partner-developed tools/applications to fill security gaps and complement existing security features. Publicly available PowerShell tools are available to all network defenders to investigate and improve an organization’s security posture, including:  

Note: These tools are highlighted and explained to assist with on-site investigation and remediation in cloud environments but are not all-encompassing and are provided for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis.

CISA encourages network defenders to take the measures above and consult the Free Tools for Cloud Environments factsheet to reduce the likelihood of a damaging cyber incident, detect malicious activity, respond to confirmed incidents, and strengthen resilience. 

Draft CSF Profile for Electric Vehicle Extreme Fast Charging Infrastructure

The National Cybersecurity Center of Excellence (NCCoE) today released for public comment the initial public draft of NIST Internal Report (NIST IR) 8473, Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure. The comment period is open through August 28, 2023.

About the Report

This Cybersecurity Framework Profile (Profile) has been developed for the Electric Vehicle Extreme Fast Charging (EV/XFC) ecosystem and the subsidiary functions that support each of the four domains: (i) Electric Vehicles (EV); (ii) Extreme Fast Charging (XFC); (iii) XFC Cloud or Third-Party Operations; and (iv) Utility and Building Networks. The document provides a foundation that relevant parties may use to develop profiles specific to their organization to assess their cybersecurity posture as part of their risk management process. This non-regulatory, voluntary profile is intended to supplement, not replace, an existing risk management program or the cybersecurity standards, regulations, and industry guidelines that the EV/XFC industry currently uses.

Purpose

The EV/XFC Cybersecurity Framework Profile is designed to be part of an enterprise risk management program to aid organizations in managing threats to systems, networks, and assets within the EV/XFC ecosystem. The EV/XFC Cybersecurity Framework Profile is not intended to serve as a solution or compliance checklist. Users of this profile should understand that applying it cannot eliminate the likelihood of disruption or guarantee any particular level of assurance.

Use of the Profile will help organizations:

  • Identify key assets and interfaces in each of the ecosystem domains.
  • Address cybersecurity risk in the management and use of EV/XFC services.
  • Identify the threats, vulnerabilities, and associated risks to EV/XFC services, equipment, and data.
  • Apply protection mechanisms to reduce risk to manageable levels.
  • Detect disruptions and manipulation of EV/XFC services.
  • Respond to and recover from EV/XFC service anomalies in a timely, effective, and resilient manner.

Submit Comments

The public comment period closes at 11:59 p.m. EDT on Monday, August 28, 2023. Please email all draft comments to [email protected]. We encourage you to submit all feedback using the comment template found on our project page.

Join the Community of Interest

If you have expertise in EV/XFC and/or cybersecurity, consider joining the Community of Interest (COI) to receive the latest project news and announcements. Email the team at [email protected] declaring your interest or complete the sign-up form on our project page.

Microsoft Azure Virtual Training Day: Digitally Transform with Modern Analytics

Create more business impact using proactive and predictive analytics at Azure Virtual Training Day: Digitally Transform with Modern Analytics from Microsoft Learn. Join us for this free training event to learn how to build an analytics solution using Azure Synapse Analytics. Maximize your organization's intelligent decision-making capabilities and learn to build an end-to-end solution by preparing data for storage, processing, and analysis. You will have the opportunity to:

  • Create a data warehouse in the cloud.
  • Accelerate your big data engineering with Spark in Azure Synapse Analytics.
  • Build automated data integration with Azure Synapse Pipelines.
  • Learn to perform operational analytics with Azure Synapse Link.

Join us at an upcoming two-part event:
Monday, August 14, 2023 | 9:00 AM – 12:15 PM | (GMT-08:00) Pacific Time (US & Canada)
Tuesday, August 15, 2023 | 9:00 AM – 10:45 AM | (GMT-08:00) Pacific Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

Microsoft: Storm-0978 attacks reveal financial and espionage motives

Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign abused CVE-2023-36884, a remote code execution vulnerability that was exploited via Word documents before it was disclosed to Microsoft (that is, as a zero-day), using lures related to the Ukrainian World Congress.

Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations. Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.

Storm-0978 is known to target organizations with trojanized versions of popular legitimate software, leading to the installation of RomCom. Storm-0978’s targeted operations have impacted government and military organizations primarily in Ukraine, as well as organizations in Europe and North America potentially involved in Ukrainian affairs. Identified ransomware attacks have impacted the telecommunications and finance industries, among others.

Microsoft 365 Defender detects multiple stages of Storm-0978 activity. Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884. In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office. Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. More mitigation recommendations are outlined in Microsoft's full post.
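The registry mitigation above is a stopgap for hosts that cannot yet run a protected Office build, and it is easy to apply inconsistently across a fleet. The following PowerShell script is an added example, not code from the Microsoft post: it applies the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation, reports which applications are still unprotected so the result can be checked, and provides a rollback for after the vulnerable builds are updated. The full key path under HKLM and the list of application names are taken from the author's reading of Microsoft's advisory for CVE-2023-36884 and are assumptions here; confirm both against the current advisory before deploying. The function names are the example's own.

```powershell
# Added example (not from the Microsoft post): apply, verify and roll back the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation for CVE-2023-36884.
# Key path and application list are assumptions based on the Microsoft advisory;
# verify them before use. Run from an elevated PowerShell session.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Enable-CrossProtocolNavigationBlock {
    # Create the policy key if it is absent, then set each application name
    # to a REG_DWORD value of 1.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -LiteralPath $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolNavigationBlock {
    # Return the application names that are NOT set to 1. An empty result means
    # the mitigation is fully applied; use this as the fleet-wide compliance check.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $Apps }
    $props = Get-ItemProperty -LiteralPath $KeyPath
    $missing = @()
    foreach ($app in $Apps) {
        $val = $props.PSObject.Properties[$app]
        if ($null -eq $val -or [int]$val.Value -ne 1) { $missing += $app }
    }
    return $missing
}

function Disable-CrossProtocolNavigationBlock {
    # Rollback once the affected Office builds are updated. Only the values this
    # script set are removed; any other policy under the key is left untouched.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    foreach ($app in $Apps) {
        Remove-ItemProperty -LiteralPath $KeyPath -Name $app -ErrorAction SilentlyContinue
    }
}

Enable-CrossProtocolNavigationBlock
$notSet = @(Test-CrossProtocolNavigationBlock)
if ($notSet.Count -eq 0) {
    Write-Output "Mitigation applied for all $($Apps.Count) applications."
} else {
    Write-Output "Mitigation NOT applied for: $($notSet -join ', ')"
}
```

Microsoft's advisory cautioned that this setting can affect regular functionality for some use cases of the listed applications, so treat it as temporary: deploy the check function through your configuration management to confirm coverage, and remove the values with the rollback function once hosts are on a protected Office build.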

Targeting

Storm-0978 has conducted phishing operations with lures related to Ukrainian political affairs and targeting military and government bodies primarily in Europe. Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations.

The actor’s ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.

Tools and TTPs

Tools

Storm-0978 uses trojanized versions of popular, legitimate software, leading to the installation of RomCom, which Microsoft assesses is developed by Storm-0978. Observed examples of trojanized software include Adobe products, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass, and Signal. To host the trojanized installers for delivery, Storm-0978 typically registers malicious domains mimicking the legitimate software (for example, the malicious domain advanced-ip-scaner[.]com).
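Lookalike domains such as advanced-ip-scaner[.]com are cheap for a defender to hunt for in DNS telemetry once the impersonated brands are known. The script below is an added example, not from the Microsoft post: it scans DNS query log lines for registrable domains that are within a small edit distance of the brand names listed above, or that embed a brand name inside a longer label, while skipping the legitimate domains. The log line format, the client addresses, the allow-list of legitimate domains, and every lookalike other than advanced-ip-scaner.com are constructed for the example and are not reported indicators.

```powershell
# Added example (not from the Microsoft post): hunt DNS logs for domains that
# imitate the software brands Storm-0978 is reported to trojanize.

# Brand tokens come from the software named in the report. The legitimate
# registrable domains are an assumed allow-list for this example.
$Brands = @{
    'advanced-ip-scanner' = 'advanced-ip-scanner.com'
    'solarwinds'          = 'solarwinds.com'
    'keepass'             = 'keepass.info'
    'signal'              = 'signal.org'
    'adobe'               = 'adobe.com'
}

# Constructed sample log (hypothetical format: timestamp, client IP, queried name).
# Only advanced-ip-scaner.com is an indicator from the report; the rest are made up.
$SampleLog = @'
2023-06-12T09:14:02Z 10.0.0.21 advanced-ip-scanner.com
2023-06-12T09:14:05Z 10.0.0.21 advanced-ip-scaner.com
2023-06-12T09:15:11Z 10.0.0.34 solarwinds.com
2023-06-12T09:15:40Z 10.0.0.34 solarwinds-download.net
2023-06-12T09:16:03Z 10.0.0.40 keepass.info
2023-06-12T09:16:07Z 10.0.0.40 keepas.info
2023-06-12T09:17:22Z 10.0.0.51 contoso.com
'@

function Get-EditDistance {
    param([string]$a, [string]$b)
    # Levenshtein distance: insert, delete and substitute each cost 1.
    $n = $a.Length; $m = $b.Length
    if ($n -eq 0) { return $m }
    if ($m -eq 0) { return $n }
    $prev = 0..$m
    for ($i = 1; $i -le $n; $i++) {
        $cur = New-Object int[] ($m + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $m; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$m]
}

function Get-RegistrableLabel {
    param([string]$fqdn)
    # Take the label left of the TLD. This assumes a single-label TLD (.com, .net);
    # a public-suffix-list lookup is needed to handle co.uk and similar correctly.
    $parts = $fqdn.TrimEnd('.').ToLowerInvariant().Split('.')
    if ($parts.Count -lt 2) { return $parts[0] }
    return $parts[-2]
}

function Find-LookalikeDomains {
    param([string[]]$Lines, [hashtable]$BrandMap, [int]$MaxDistance = 2)
    foreach ($line in $Lines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 3) { continue }
        $qname = $fields[2].ToLowerInvariant().TrimEnd('.')
        $label = Get-RegistrableLabel $qname
        foreach ($brand in $BrandMap.Keys) {
            $legit = $BrandMap[$brand]
            # The legitimate domain and its subdomains are never flagged.
            if ($qname -eq $legit -or $qname.EndsWith(".$legit")) { continue }
            $d = Get-EditDistance $label $brand
            # Flag near-misses (typos) and labels that embed the brand (brand-download).
            if ($d -le $MaxDistance -or ($label -ne $brand -and $label.Contains($brand))) {
                [pscustomobject]@{ Time = $fields[0]; Client = $fields[1]; Query = $qname; Brand = $brand; Distance = $d }
            }
        }
    }
}

Find-LookalikeDomains -Lines ($SampleLog -split '\r?\n') -BrandMap $Brands | Format-Table -AutoSize
```

On the sample log this flags advanced-ip-scaner.com (distance 1), keepas.info (distance 1) and solarwinds-download.net (brand embedded in the label) and ignores the legitimate domains and contoso.com. Tune MaxDistance per brand: short tokens such as "adobe" collide with unrelated five-letter labels at distance 2, so they warrant a threshold of 1, and any hit should be pivoted to the downloaded file and its signer before being treated as an incident.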

In financially motivated attacks involving ransomware, Storm-0978 uses the Industrial Spy ransomware, a ransomware strain first observed in the wild in May 2022, and the Underground ransomware. The actor has also used the Trigona ransomware in at least one identified attack.

Additionally, based on attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day vulnerabilities. Identified exploit activity includes abuse of CVE-2023-36884, a remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities contributing to a security feature bypass.

Read the full article on Microsoft's blog.