Microsoft 365 Virtual Training Day: Introduction to Microsoft Viva

Get the skills to drive employee engagement at Microsoft 365 Virtual Training Day: Introduction to Microsoft Viva. Join us at this free event from Microsoft Learn to explore how the Viva employee experience platform works with Microsoft Teams to connect Viva Connections, Viva Insights, Viva Topics, and Viva Learning, helping you create more continuity and balance in a hybrid work environment. Learn how to help teams collaborate more effectively, use data-driven insights to work smarter, learn on the job, and nurture well-being. Discover how to create a more informed, connected, and inspired workforce and easily connect Viva with your existing systems and tools.

You will have the opportunity to:

  • Create a thriving culture that improves employee well-being through an employee experience platform.
  • Use AI to recommend related documents and subject matter experts in the apps you use every day.
  • Use data-driven, personalized insights to identify opportunities to improve employee well-being.
  • Create a personalized destination for employees to discover relevant news, conversations, and the tools they need to succeed.

Join us at an upcoming two-part event:
Wednesday, August 9, 2023 | 10:00 AM – 12:20 PM | (GMT-05:00) Eastern Time (US & Canada)
Thursday, August 10, 2023 | 10:00 AM – 11:45 AM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

Digital Identity – What’s Next for NIST

NIST Digital Identity Events | Public Workshop (7/25) & Government-Only Meeting (7/26)

Coming up in about two weeks! During these two separate events, NIST presenters will provide updates on Digital Identity Guidelines, share major themes from our recent public comment period, discuss plans for substantive updates and changes, and talk about the Identity and Access Management (IAM) Roadmap.

Public Workshop (all are encouraged to attend)
July 25, 2023 | 9:00 a.m. – 1:30 p.m. EDT | Hybrid Event (in-person and virtual) – Agenda just added!

This event will give the public an opportunity to participate in discussions and talk about potential changes to our guidance as we continue the adjudication of comments received on NIST Special Publication 800-63, Digital Identity Guidelines (Draft NIST SP 800-63-4). The focus will be on key themes and major changes.

Learn More & Register Now!

NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: [email protected]
NCCoE Website questions: [email protected]

Help NIST build bridges between researchers and practitioners!

If you are a cybersecurity/IT practitioner or developer or a human-centered cybersecurity researcher, we want to hear from you!

The National Institute of Standards and Technology (NIST) is conducting a survey to understand the interactions between human-centered cybersecurity researchers and practitioners, including if/how practitioners use human-centered cybersecurity insights.

The survey results will lead to the creation of mutually beneficial “bridges” between the research and practitioner communities that facilitate the relevance and application of research findings to real-world practice.

We invite you to share your thoughts and experiences by responding to our survey, which is open through July 31:

PRACTITIONERS – Take the survey here: https://usability.gov1.qualtrics.com/jfe/form/SV_80us9OFNHPPjiPs?so=govdel

(Note: You don’t have to be familiar with human-centered cybersecurity to take the survey.)

HUMAN-CENTERED SECURITY RESEARCHERS Take the survey here: https://usability.gov1.qualtrics.com/jfe/form/SV_3CqcCk5wMAeFLqm?so=govdel

Are you BOTH a practitioner and a researcher? Choose one of the surveys above!

We understand that your time is valuable. The practitioner survey should only take about 5 minutes to complete, and the researcher survey about 10 minutes. Your responses will be anonymous.

Contact Susanne Furman [email protected] (through July 21) or Clyburn Cunningham (after July 21) at [email protected] should you have any questions about the study. We also encourage you to forward this email to your colleagues.

We hope you can participate in the survey. Thank you!

Beware of SEO Poisoning and Malvertising

Search engine optimization (SEO) is the process of improving the quality and quantity of website traffic to a website or a web page from search engines. SEO poisoning is a tactic in which threat actors strategically create malicious websites and use techniques such as keyword stuffing to insert irrelevant keywords into a webpage’s text, meta tags, and other areas of the website. This technique deceives search engine algorithms to increase the website’s visibility and rankings, causing these websites to display at the top of search engine result pages (SERPs). Unsuspecting users who click on these “poisoned” search results without scrutiny could navigate to these malicious sites, potentially leading to financial losses, credential theft, and malware infections.
Threat actors employ SEO poisoning and impersonation to display fraudulent customer service or technical support numbers for reputable companies and retail services with the intent to steal funds and sensitive information, including account login credentials. Cybercriminals often attempt to exploit trending topics, such as Amazon Prime Day, for financial gain. For example, when a user conducted a search to cancel Amazon Prime Membership, the Google SERP displayed an illegitimate Amazon customer service phone number that, when called, directed the user to the threat actor rather than the correct Amazon customer service department. The threat actor stated the membership could not be canceled online because the user supposedly had several pending gift card and Bitcoin purchases. Although the user stated they did not authorize these pending purchases, the threat actor attempted to obtain new financial information. Threat actors also spoof utility websites in SERPs to convince potential victims to contact a fraudulent customer service number. If called, the threat actors attempt to obtain sensitive information and login credentials that can be leveraged to compromise other accounts belonging to the victim. They also impersonate reputable clothing, footwear, and apparel brands—such as Nike, Puma, Adidas, New Balance, and more—to scam unsuspecting customers into purchasing items on fraudulent websites, potentially exposing financial and personal information.
Image Source: MalwareBytes Labs
Additionally, threat actors impersonate legitimate brands and advertisers on SERPs and malicious websites via malvertising, or malicious advertising. For example, a malvertising campaign via brand impersonation was discovered when performing a search for USPS tracking. The legitimate-looking ad contained the official USPS website and branding and targeted both mobile and desktop users; however, the advertiser’s identity and location did not match. If clicked, victims are redirected to a phishing website and prompted to enter their tracking number, resulting in an error message. The target is then directed to enter their full address and credit card information to pay a small fee in order to receive the package. The website also requests the financial institution’s account login credentials to confirm the credit card, allegedly to protect against fraud.
Malvertising campaigns may also be used to distribute malware via spoofed webpages of legitimate organizations. For example, a user searching for WinSCP (a popular open-source Windows application for file transfer) may inadvertently click on a malvertisement, which leads to a malicious website containing a “Download” button. If clicked, an ISO file downloads to their system and the malicious payload is dropped. This activity was identified as a BlackCat (aka ALPHV) infection, and the threat actors utilized SpyBoy terminator in an attempt to tamper with security protection agents. Additionally, researchers discovered a new Big Head ransomware variant distributed through malvertising of fraudulent Windows updates and Microsoft Word installers.

Enhanced Monitoring to Detect APT Activity Targeting Outlook Online

SUMMARY
In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.
CISA and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory to provide guidance to critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments. Organizations can enhance their cyber posture and position themselves to detect similar malicious activity by implementing logging recommendations in this advisory. Organizations that identify suspicious, anomalous activity should contact Microsoft for proceeding with mitigation actions due to the cloud-based infrastructure affected, as well as report to CISA and the FBI.

TECHNICAL DETAILS
In mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.
Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.[1]
The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event enables detection of otherwise difficult-to-detect adversarial activity.

CISA and FBI are not aware of other audit logs or events that would have detected this activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.
LOGGING
CISA and the FBI strongly encourage critical infrastructure organizations to ensure audit logging is enabled. Note: Per CISA’s Microsoft Exchange Online Microsoft 365 Minimum Viable Secure Configuration Baselines, FCEB agencies shall enable audit logging. These minimum viable secure configuration baselines are part of CISA’s Secure Cloud Business Applications (SCuBA) Project, which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. The Office of Management and Budget (OMB) M-21-31 requires Microsoft audit logs be retained for at least twelve months in active storage and an additional eighteen months in cold storage. This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy. In addition to enabling audit logging, CISA and FBI strongly encourage organizations to:

  • Enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses to Users for additional information.
  • Ensure logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform (e.g., security operations center [SOC] tooling) that enables hunting for this activity and distinguishing it from expected behavior within the environment.
  • Enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings.
  • Understand your organization’s cloud baseline. Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.

GENERAL CLOUD MITIGATIONS
All mitigation actions for this activity are the responsibility of Microsoft due to the cloud-based infrastructure affected; however, CISA and the FBI recommend that critical infrastructure organizations implement the following to harden their cloud environments. Although these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments. Note: These mitigations align with CISA’s SCuBA Technical Reference Architecture (TRA), which describes essential components of security services and capabilities to secure and harden cloud business applications, including the platforms hosting the applications.
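The baseline-and-outlier check the Technical Details describe (MailItemsAccessed events from an AppId the tenant does not normally see), which is also what the "understand your organization’s cloud baseline" recommendation above asks operators to do, as an added Python example that is not part of the advisory. It assumes Unified Audit Log records exported as JSON; the field names follow the MailItemsAccessed schema, while the records, user names and AppId values are constructed placeholders.

```python
"""Baseline-and-outlier check over MailItemsAccessed audit records (added example).
Input is assumed to be Unified Audit Log records as JSON objects (the AuditData
shape returned by Search-UnifiedAuditLog); the fields used follow the
MailItemsAccessed schema, and every record below is constructed."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

KNOWN_OUTLOOK_APPID = "11111111-1111-1111-1111-111111111111"  # placeholder, constructed
UNSEEN_APPID = "22222222-2222-2222-2222-222222222222"  # placeholder, constructed

def _rec(ts, user, app_id, access_type="Bind"):
    """One constructed MailItemsAccessed record in the shape the UAL emits."""
    return json.dumps({
        "CreationTime": ts, "Operation": "MailItemsAccessed", "UserId": user,
        "AppId": app_id, "ClientAppId": app_id,
        "OperationProperties": [{"Name": "MailAccessType", "Value": access_type}]})

# Constructed sample: the everyday client in the baseline window, then an unseen app id.
SAMPLE_LOG = [
    _rec("2023-06-01T08:00:00", "alice@example.gov", KNOWN_OUTLOOK_APPID),
    _rec("2023-06-02T09:10:00", "bob@example.gov", KNOWN_OUTLOOK_APPID, "Sync"),
    _rec("2023-06-03T10:00:00", "alice@example.gov", KNOWN_OUTLOOK_APPID),
    _rec("2023-06-15T03:12:00", "alice@example.gov", UNSEEN_APPID),
    _rec("2023-06-15T03:13:00", "bob@example.gov", UNSEEN_APPID),
    _rec("2023-06-15T03:15:00", "alice@example.gov", KNOWN_OUTLOOK_APPID)]

def parse_time(value):
    """UAL CreationTime is UTC with no offset; attach the zone explicitly."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def _mail_events(records):
    """Yield (timestamp, record) for MailItemsAccessed entries only."""
    for raw in records:
        rec = json.loads(raw)
        if rec.get("Operation") == "MailItemsAccessed":
            yield parse_time(rec["CreationTime"]), rec

def build_baseline(records, baseline_end):
    """Count MailItemsAccessed events per AppId observed before baseline_end."""
    seen = Counter()
    for ts, rec in _mail_events(records):
        if ts < baseline_end:
            seen[rec["AppId"]] += 1
    return seen

def find_unseen_appids(records, baseline_end):
    """For each AppId absent from the baseline, report who it touched and how."""
    baseline = build_baseline(records, baseline_end)
    hits = defaultdict(lambda: {"events": 0, "users": set(), "first": None, "types": set()})
    for ts, rec in _mail_events(records):
        if ts < baseline_end or rec["AppId"] in baseline:
            continue  # inside the baseline window, or an app the tenant normally uses
        hit = hits[rec["AppId"]]
        hit["events"] += 1
        hit["users"].add(rec["UserId"])
        hit["first"] = ts if hit["first"] is None else min(hit["first"], ts)
        for prop in rec.get("OperationProperties", []):
            if prop.get("Name") == "MailAccessType":
                hit["types"].add(prop.get("Value"))
    return {app: {"events": h["events"], "users": sorted(h["users"]),
                  "first_seen": h["first"].isoformat(), "access_types": sorted(h["types"])}
            for app, h in hits.items()}
```

Calling `find_unseen_appids(SAMPLE_LOG, parse_time("2023-06-10T00:00:00"))` reports only the unseen AppId, with the mailboxes it touched, its first appearance and the access types, while the everyday client stays silent.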

Microsoft 365 Virtual Training Day: Microsoft Teams Phone

Discover how to simplify and customize audio and video calling at Microsoft 365 Virtual Training Day: Microsoft Teams Phone. Join us at this free event from Microsoft Learn to see how to enable seamless collaboration by setting up calling plans, operator connect, and direct routing within Teams Phone.

You will have the opportunity to:

  • Configure, deploy, and manage Teams Phone devices.
  • Deploy and configure an AudioCodes virtual session border controller for direct routing within Teams Phone.

Join us at an upcoming event:
Wednesday, July 19, 2023 | 10:00 AM – 1:45 PM | (GMT-05:00) Eastern Time (US & Canada)


Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

Multiple Vulnerabilities in Google Android OS

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.
Threat Intelligence
There are reports of vulnerabilities CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136 being exploited in the wild.
Systems Affected
Android OS patch levels prior to 2023-07-05
Risk
Government:
  – Large and medium government entities: High
  – Small government entities: Medium
Businesses:
  – Large and medium business entities: High
  – Small business entities: Medium
Home Users: Low
Technical Summary
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution in the context of the affected component.
Recommendations
Apply appropriate patches provided by Google to vulnerable systems, immediately after appropriate testing. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
References
Google:
https://source.android.com/docs/security/bulletin/2023-07-01#arm-components
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28350
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42703
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20910
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20918
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20942
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21087
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21246
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21247
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21249
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21255
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21257
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21262
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21631
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22667
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24854
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28542

NEW DEADLINE: JULY 28, 2023
CALL FOR PROPOSALS
2023 NICE K12 Cybersecurity Education Conference

The 2023 NICE K12 Cybersecurity Education Conference Planning Committee is announcing an extension of the deadline for its Call for Proposals to accommodate educators who have requested us to provide more time given their summer schedules and the July 4th holiday. The Planning Committee is seeking timely and thought-provoking K12 cybersecurity education topics that will challenge and inform educational leaders from across the stakeholder community.

They encourage proposals from a diverse array of organizations and individuals with different perspectives, including K12 educators, school counselors, students, institutions of higher education faculty, employers and practitioners, non-profits, curriculum providers, research centers, and training and certification providers. Topics should support one or more of the National K12 Cybersecurity Education Implementation Plan components and align with one of the five conference tracks:

1. Increasing Cybersecurity Career Awareness
2. Infusing Cybersecurity Across the Education Portfolio
3. Integrating Innovative Cybersecurity Educational Approaches
4. Designing Cybersecurity Academic and Career Pathways
5. Promoting Cyber Awareness
 

The NICE K12 Cybersecurity Education Conference takes place on December 4-5, 2023, at the Hilton Phoenix Resort at the Peak in Phoenix, Arizona.

Act now – Submissions close on July 28, 2023 at 11:59pm PST.

Submit a Proposal

Security Operations Analyst Career Path – Microsoft Learn Official Collection

Security Operations Analyst

The Microsoft security operations analyst collaborates with organizational stakeholders to secure information technology systems for the organization. Their goal is to reduce organizational risk by rapidly remediating active attacks in the environment, advising on improvements to threat protection practices, and referring violations of organizational policies to appropriate stakeholders.

Security Operations Analyst Associate Certificate

Security Operations Analyst Course

or

Instructor-led course SC-200T00. The course covers the majority of topics within the self-paced training section above.

Microsoft Azure Virtual Training Day: AI Fundamentals

Explore core AI concepts at Azure Virtual Training Day: AI Fundamentals from Microsoft Learn. Join us for this free training event to learn how organizations use AI technology to solve real-world challenges and see how to build intelligent applications using Azure AI services. This training is suitable for anyone interested in AI solutions—including those in technical or business roles.

You will have the opportunity to:

  • Understand foundational AI concepts and real-world use cases.
  • Get started using AI services on Azure and machine learning in Azure Machine Learning Studio.
  • Identify common AI workloads and ways to use AI responsibly.

Join us at an upcoming event:
Wednesday, July 26, 2023 | 2:00 PM – 5:30 PM | (GMT-05:00) Eastern Time (US & Canada)


Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >