Author: blogmirnet

Ever had a virtual machine crash? Azure Serial console is a great way to directly connect to your Virtual machine and debug what went wrong. Azure Serial Console is a feature that’s available for free for everyone. While the primary intent of this feature is to assist users debug their machine, there are several interesting ways to abuse the features and compromise sensitive information. Let’s dive deep into the feature and explore various ways to exploit various features and ways to detect exploitation activity.

Contents 

• What’s Azure Serial Console?
• Why Azure Serial Console can be a good target for an adversary?
• Enable logging for user operation tracking
• Different techniques to exploit features of Azure Serial Console
• Hunting for suspicious operations
• Best practices
• Conclusion

What’s Azure Serial Console? 

Azure Serial Console connects to “ttyS0” or “COM1” serial ports of the Virtual Machine (VM) or Virtual Machine scale set (VMSS) instance and provide access independent of network or operating system state. It’s a text based console for VM and VMSS on Azure that’s generally available for public, in all Azure regions (except Azure China Cloud) and is in public preview in Azure Government. To know more

Pre-conditions to access Azure Serial Console: 

• Boot diagnostics must be enabled for the VM (This can be enabled while creating a VM)
• An identity with at-least “Virtual Machine Contributor role”.
• Adversary is able to access https://portal.azure.com
• Credentials to the VM/VMSS (for few attack scenarios, this is not required.)

Why Azure Serial Console can be a good target for an adversary? 

Azure Serial Console is very leveraged to circumvent security features and that’s precisely the reason why it’s a sweet target for Adversaries.

• Imagine a scenario where your Virtual machine is lockdown with RDP/SSH or other access has been disabled/restricted. This is typically the case for a lot of production grade setups where the authentication is locked down to specific IPs or subnets. Azure Serial Console isn’t bound by the NSG restrictions and can assist an attacker get CLI access to the machine.
• Microsoft Defender for Cloud offers Just in time access (JIT), a great feature that allows admins to enable access only when access is needed, on the ports needed, and for the period of time needed. For VMs where JIT is enabled, Azure Serial Console can still be used to connect to VMs without having to request access through JIT.

Enable logging for user operation tracking 

There are several ways to stream logs and analyze but for the sake of this blog, we will be creating a log analytics workspace and stream logs to the created workspace. This would allow us to analyze the activity without owning a logging solution. However, this would differ according to your setup. If your setup has an SIEM, the schema, query language might be different.

Creation of Log Analytics Workspace 

Step-1: Go to Creation of Log Analytics Workspace on Azure Portal, select the appropriate subscription, resource group and Name. Please note that Azure Monitor comes in 2 SKU’s. For more information about the pricing details on Azure Log Analytics, please check here.

Enabling Azure Activity Log monitoring 

Step-1: Go to Activity Log, and click on “Export Activity Logs”.

Step-2: Click on “Add diagnostic setting” and select “Administrative” and “Security” Categories. Click on “Send to Log Analytics Workspace” and select the log analytics workspace that was created here.

Enabling Windows Event Log monitoring 

Please note that this might not be required depending on your current setup. Feel free to skip this step if your cloud compute workloads are already being monitored either with Microsoft Sentinel or another Security monitoring solution (such as SIEM).

Step-1: Install Sysmon using the guide here.

Step-2: Download Azure Monitor and Configure it. Go to Agents, download Windows Agent 64 Bit or 32 Bit. Follow on-screen instructions and install the agent. Once the installation is complete, proceed to the next step.

Step-3: Create a data collection rule. Go to Creation Wizard and fill in the name, resource group and location. Follow the instructions in the video below to complete the log configuration. Use the following XPath to backup “Sysmon” logs.Copy

<QueryList>
    <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
    </Query>
</QueryList>

Step-4: Verify if the Azure activity logs and Windows Event Logs are properly received by using the following KQL queries. Go to the VM that you have created for testing and check the Logs section in the left side navigation bar

• Check Azure Activity Logs

Copy

AzureActivity
| summarize count() by OperationNameValue
| count

• Check Windows Event Logs

Copy

Event
| count

If the output is anything greater than 0, it means you have successfully configured logging.

Different techniques to exploit features of Azure Serial Console 

Please note that the following are limited to possibilities on a Windows Operating System.

Execution of Command: 

Azure Serial console’s primary feature is to enable execution of commands. Provided that the attacker has credentials to the VM, an adversary can execute commands with root/admin privileges on a VM. This doesn’t provide a GUI access but the CLI access can be used to execute commands, maintain persistance and move laterally across the network. To execute commands on a VM using Azure serial console, the following steps can be followed.

1. Go to Serial Console option on the left navigation bar and once the prompt loads, enter cmd to create a command prompt channel.
2. Enter ch -sn Cmd0001 to switch to the channel’s context, press ENTER and then enter the credentials to login into the CLI of the VM.

The same can be done using Az CLI. The command az serial-console connect -n <VM_Name> -g <ResourceGroup_Name> can be used to connect using Az CLI. Know more

Tracing of User activity performed using Azure Serial Console: 

Assuming that you have followed all the steps (Installing Sysmon, Configuring Windows Event logging), the following KQL query can be used to trace activities performed using Azure Serial Console. The logic that’s used for the query is gathering all the logon IDs from windows event ID: 4624 where the LogonProcess is scaccess.exe and identifying processes whose SubjectLogonId belongs to the list of Logon IDs gathered in previous step.Copy

let PIDs = Event
| where EventID == 4624
| extend LoginProcessName = replace_string(extract(@"Process Name:[\t]+[\w|\\|:|.]+",0,RenderedDescription),"Process Name:","")
| where LoginProcessName has "sacsess.exe"
| extend LogonID = replace_string(extract(@"TargetLogonId.>[\w|\d]+",0,EventData),'TargetLogonId">',"")
| distinct LogonID;
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| extend LogonID = replace_string(extract(@"LogonId.>[\w|\d]+",0,EventData),'LogonId">',"")
| where LogonID in (PIDs)

Using, Azure Activity Logs, we can trace the connection attempts performed by an adversary:Copy

AzureActivity
| where OperationNameValue =~ "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION"
| where ActivityStatusValue =~ "Success"

Dumping of a specific process 

One of the most interesting attack vector that Azure serial console enables is dumping a process without any authentication. The following are the steps that can be followed to achieve the same.

1. Use t command to list of all the processes. Once you identify the process and identify the PID of the process that you want to dump.

2. Use the PID identified in the previous step and use the command procdump <PID> <LOCATION_OF_THE_FILE>. In the following example, we are dumping LSASS.exe’s process memory.

Tracing of dumping activity performed using Azure Serial Console: 

For the process dumps that are created using this process, the following query can be used.Copy

Event
| where EventID == 11
| where RenderedDescription has "lsass.dmp"

The query searches for the creation of the file lsass.dmp in the event logs related to File creation (Event ID: 11 generated by Sysmon).

Further analysis indicated that the dump file is created by svchost.exe [Command Line of the file creation process: C:\Windows\system32\svchost.exe -k netsvcs -p ]whose parent process is services.exe and grandparent process is wininit.exe. This is interesting as there is no indication that this activity was performed using the serial console.

This activity is currently detected by Microsoft Defender for Endpoint. Further guidance on how to detect and prevent LSASS dumping is documented here.

The process tree evidence as seen in Defender for Endpoint is below:

The creation of the lsass dumping can be detected with the help of the below Yara rule.Copy

rule creation_of_dmp {
    meta:
        author = "Subhash P <@pbssubhash>"
        filetype = "DUMP File"
        date = "1/1/2023"
        version = "1.0"
    strings:
        $md = { 4d 44 4d 50 }
        $a1 = "SeDebugPrivilege" fullword wide 
        $a2 = "\\pipe\\lsass" fullword wide
        $a3 = "lsasspirpc" fullword wide
    condition:
        ($md at 0) and all of ($a*)
}

Enumeration and other capabilities 

Azure Serial Console offers few other capabilities in unauthenticated SAC console mode.Please note that the following is an exhaustive list of commands(other than procdump) that are available with SAC:

Command	Short Description	Security Implication
ch	Channel management commands	None
cmd	Create a command prompt channel	Execute Commands on the VM
d	Dump the current kernel log	Aid an adversary in performing recon
f	Toggle detailed or abbreviated tlist info	Aid an adversary in performing recon
i	List all IP network numbers and their IP addresses and set IP info	Aid an adversary in performing recon
id	Display the computer identification information	Aid an adversary in performing recon
k <pid>	Kill the given process	Aid an adversary to cause Denial of Service
l <pid>	Lower the priority of a process to the lowest possible.	Aid an adversary to degrade performance of a service
lock	Lock access to Command Prompt channels.	Aid an adversary to cause Denial of Service
m <pid> <MB-allow>	Limit the memory usage of a process to .	Aid an adversary to degrade performance of a service
p	Toggle paging the display.	None
r <pid>	Raise the priority of a process by one	None
s	Display the current time and date (24 hour clock used).	None
s mm/dd/yyyy hh:mm	Set the current time and date (24 hour clock used).	Aid an adversary to cause Denial of service
t	Display the task list.	Aid an adversary in performing recon
restart	Restart the system immediately.	Aid an adversary to cause Denial of Service
shutdown	Shutdown the system immediately.	Aid an adversary to cause Denial of Service
crashdump	Crash the system. You must have crash dump enabled.	Aid an adversary to cause Denial of Service
livedump [-u] [-h]	Create a live kernel dump. Optional arguments will include userspace (-u) and hypervisor (-h) memory in the dump.	Exfiltrate Secrets from the dump

Tracing of the activity performed by an adversary: 

The actions performed by an adversary using Azure Serial Console (inside the command line channel and otherwise) can be traced using Boot diagnostics logs. They can be viewed in the Help section in the left navigation bar. They can’t be exported or streamed to an external location.

The log itself enables an attacker to mint credentials and other secrets present in command line parameters for commands such as net user <username> <password> /add. As any command typed in, using Azure Serial Console is logged here, if an admin uses commands with secrets in command line, they can be extracted by an adversary. To identify if an adversary has visited Boot diagnostics, the following query can be used:Copy

AzureActivity
| where OperationNameValue == "MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION"
| where ActivityStatusValue == "Success"

Hunting for suspicious operations 

Suspicious Azure Serial Console Interactions in Azure Activity logs: 

• Unusual IP or user interaction: The following query identifies any Azure Serial console interaction done using an identity from an IP address that isn’t used in the last 30 days. While this is a very naive way of filtering, advanced techniques such as UEBA are available with Azure Sentinel.Copylet 30DaysData = AzureActivity | where TimeGenerated >= ago(30d) | distinct Caller, CallerIpAddress; let Callers = 30DaysData | distinct Caller; let IPs = 30DaysData | distinct CallerIpAddress; AzureActivity | where TimeGenerated >= ago(1d) | where not(Caller has_any(Callers) and CallerIpAddress has_any(IPs))
• Failed access attempts: The following query identifies failed attempts to access Azure Serial Console. This may be due to an adversary performing recon to identify if they have access to console.CopyAzureActivity | where TimeGenerated >= ago(7d) | where OperationNameValue =~ "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION" | where ActivityStatusValue != "Success"
• Risky Signin with subsequent serial console action: The following query identifies risky users accessing Azure Serial Console. Please note that logging has to be enabled by following this guide.. The following query can be used to get the list of risky users and check if the same IP that triggered Microsoft Identity security algorithms have been used to access serial console.Copylet RiskyUsersData = AADUserRiskEvents |summarize by UserPrincipalName, IpAddress; let RiskyCallers = RiskyUsersData | distinct UserPrincipalName; let RiskyIPs = RiskyUsersData | distinct IpAddress; AzureActivity | where OperationNameValue == "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION" | where Caller has_any (RiskyCallers) and CallerIpAddress has_any (RiskyIPs)

Suspicious operations in Windows Event logs: 

• LOLBIN Execution through Azure Serial Console: The following query extracts the list of LOLBINs from the lolbas API and with a bit of pre-processing, identifies processes created using Azure Serial console and checks if any binaries identified previously are present.Copylet LolBins = externaldata(Name:string,Description:string,Author:string,Created:datetime , Commands: dynamic, FullPath:dynamic, Detection:dynamic)[ "https://lolbas-project.github.io/api/lolbas.json" ] with(format="multijson"); let ExecLols = LolBins | mv-expand Commands | extend Category = Commands['Category'] | distinct Name; let PIDs = Event | where EventID == 4624 | extend LoginProcessName = replace_string(extract(@"Process Name:[\t]+[\w|\\|:|.]+",0,RenderedDescription),"Process Name:","") | where LoginProcessName has "sacsess.exe" | extend LogonID = replace_string(extract(@"TargetLogonId.>[\w|\d]+",0,EventData),'TargetLogonId">',"") | distinct LogonID; Event | where Source == "Microsoft-Windows-Sysmon" and EventID == 1 | extend LogonID = replace_string(extract(@"LogonId.>[\w|\d]+",0,EventData),'LogonId">',"") | where LogonID in (PIDs) | where EventID == 1 // and EventData has "svchost" | extend ProcessId = replace_string(replace_string(replace_string(extract(@"<Data Name=.ProcessId.>[\S]+</Data>",0,EventData),'ProcessId">',""),@'<Data Name="',''),"</Data>",""), ProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.Image.>.*?</Data>",0,EventData),'Image">',""),@'<Data Name="',''),"</Data>",""), ParentProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.ParentImage.>.*?</Data>",0,EventData),'ParentImage">',""),@'<Data Name="',''),"</Data>",""), CommandLine = replace_string(replace_string(replace_string(extract(@"<Data Name=.CommandLine.>.*?</Data>",0,EventData),'CommandLine">',""),@'<Data Name="',''),"</Data>","") | extend ProcessName = split(ProcessName,@"\")[-1] | where ProcessName has_any(ExecLols)
• Powershell execution through Azure Serial Console: The following query identifies processes that are created using Azure Serial console and have the keyword powershell in them.Copylet PIDs = Event | where EventID == 4624 | extend LoginProcessName = replace_string(extract(@"Process Name:[\t]+[\w|\\|:|.]+",0,RenderedDescription),"Process Name:","") | where LoginProcessName has "sacsess.exe" | extend LogonID = replace_string(extract(@"TargetLogonId.>[\w|\d]+",0,EventData),'TargetLogonId">',"") | distinct LogonID; Event | where Source == "Microsoft-Windows-Sysmon" and EventID == 1 | extend LogonID = replace_string(extract(@"LogonId.>[\w|\d]+",0,EventData),'LogonId">',"") | where LogonID in (PIDs) | where EventID == 1 // and EventData has "svchost" | extend ProcessId = replace_string(replace_string(replace_string(extract(@"<Data Name=.ProcessId.>[\S]+</Data>",0,EventData),'ProcessId">',""),@'<Data Name="',''),"</Data>",""), ProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.Image.>.*?</Data>",0,EventData),'Image">',""),@'<Data Name="',''),"</Data>",""), ParentProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.ParentImage.>.*?</Data>",0,EventData),'ParentImage">',""),@'<Data Name="',''),"</Data>",""), CommandLine = replace_string(replace_string(replace_string(extract(@"<Data Name=.CommandLine.>.*?</Data>",0,EventData),'CommandLine">',""),@'<Data Name="',''),"</Data>","") | where CommandLine has "powershell"
• Network Connections through processes initiated through Azure Serial Console: The following query identifies processes that are created using Azure Serial console and checks if there are any Sysmon Event ID: 3 events which are created when a network connection is initiated.Copylet PIDs = Event | where EventID == 4624 | extend LoginProcessName = replace_string(extract(@"Process Name:[\t]+[\w|\\|:|.]+",0,RenderedDescription),"Process Name:","") | where LoginProcessName has "sacsess.exe" | extend LogonID = replace_string(extract(@"TargetLogonId.>[\w|\d]+",0,EventData),'TargetLogonId">',"") | distinct LogonID; let ProcID =Event | where Source == "Microsoft-Windows-Sysmon" and EventID == 1 | extend LogonID = replace_string(extract(@"LogonId.>[\w|\d]+",0,EventData),'LogonId">',"") | where LogonID in (PIDs) | where EventID == 1 | extend ProcessId = replace_string(replace_string(replace_string(extract(@"<Data Name=.ProcessId.>[\S]+</Data>",0,EventData),'ProcessId">',""),@'<Data Name="',''),"</Data>",""), ProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.Image.>.*?</Data>",0,EventData),'Image">',""),@'<Data Name="',''),"</Data>",""), ParentProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.ParentImage.>.*?</Data>",0,EventData),'ParentImage">',""),@'<Data Name="',''),"</Data>",""), CommandLine = replace_string(replace_string(replace_string(extract(@"<Data Name=.CommandLine.>.*?</Data>",0,EventData),'CommandLine">',""),@'<Data Name="',''),"</Data>","") | distinct ProcessId; Event | where EventID == 3 | extend ProcessId = replace_string(replace_string(replace_string(extract(@"<Data Name=.ProcessId.>[\S]+</Data>",0,EventData),'ProcessId">',""),@'<Data Name="',''),"</Data>","") | where ProcessId has_any(ProcID)
• Creation of Services using Azure Serial Console (using command line parameters): The following query detects the usage of sc.exe to create services.

Copy

let PIDs = Event
| where EventID == 4624
| extend LoginProcessName = replace_string(extract(@"Process Name:[\t]+[\w|\\|:|.]+",0,RenderedDescription),"Process Name:","")
| where LoginProcessName has "sacsess.exe"
| extend LogonID = replace_string(extract(@"TargetLogonId.>[\w|\d]+",0,EventData),'TargetLogonId">',"")
| distinct LogonID;
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| extend LogonID = replace_string(extract(@"LogonId.>[\w|\d]+",0,EventData),'LogonId">',"")
| where LogonID in (PIDs)
| where EventID == 1 // and EventData has "svchost"
| extend ProcessId = replace_string(replace_string(replace_string(extract(@"<Data Name=.ProcessId.>[\S]+</Data>",0,EventData),'ProcessId">',""),@'<Data Name="',''),"</Data>",""),
         ProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.Image.>.*?</Data>",0,EventData),'Image">',""),@'<Data Name="',''),"</Data>",""),
         ParentProcessName = replace_string(replace_string(replace_string(extract(@"<Data Name=.ParentImage.>.*?</Data>",0,EventData),'ParentImage">',""),@'<Data Name="',''),"</Data>",""),
         CommandLine = replace_string(replace_string(replace_string(extract(@"<Data Name=.CommandLine.>.*?</Data>",0,EventData),'CommandLine">',""),@'<Data Name="',''),"</Data>","")
| where CommandLine has "sc" 

Best Practices: 

The following is a non-exhaustive list of best practices that we recommend for keeping Azure Serial Console secure:

• Enforce usage of MFA for all the users with “Virtual machine contributor” access.
• Regularly audit for RBAC permissions of users to ensure that the list of privileged users it’s up-to-date.
• Perform regular monitoring of activity using Azure Serial console by leveraging Azure Activity and Host based logs.

Conclusion 

While Azure Serial Console is a really good feature that allows developers and administrators to troubleshoot during tough times, it can become a security liability if not monitored and locked down. In the next part, we intend to cover Azure Serial console attack and defend when using a Linux flavoured OS.

• Security Research
• Microsoft Threat Hunting
• Azure Serial Console

Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats. You will have the opportunity to: Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender. Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads. Understand ways to help protect people and data against cyberthreats with Microsoft technologies. Join us at an upcoming two-part event: Wednesday, September 13, 2023 | 2:30 PM – 5:15 PM | (GMT-05:00) Eastern Time (US & Canada) Thursday, September 14, 2023 | 2:30 PM – 4:30 PM | (GMT-05:00) Eastern Time (US & Canada) Delivery Language: English Closed Captioning Language(s): English

REGISTER TODAY >

Summary 

On 30 March 2023, Tenable informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a security issue concerning Power Platform Custom Connectors using Custom Code. This feature allows customers to write code for custom connectors. This issue has been fully addressed for all customers and no customer remediation action is required.

Customer Impact 

The vulnerability could lead to unauthorized access to Custom Code functions used for Power Platform custom connectors. The potential impact could be unintended information disclosure if secrets or other sensitive information were embedded in the Custom Code function.  

Our investigation into the report identified anomalous access only by the security researcher that reported the incident, and no other actors. All impacted customers have been notified of this anomalous access by the researcher through the Microsoft 365 Admin Center (MC665159).

Fix Release 

Microsoft issued an initial fix on 7 June 2023 to mitigate this issue for a majority of customers. Investigation into the subsequent report from Tenable on 10 July 2023 revealed that a very small subset of Custom Code in a soft deleted state were still impacted. This soft deleted state exists to enable quick recovery in case of accidental deletion of custom connectors as a resiliency mechanism. Microsoft engineering took steps to ensure and validate complete mitigation for any potentially remaining customers using Custom Code functions. This work was completed on 2 August 2023.  

As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing. Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix. Moving too quickly could result in more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability.  The purpose of an embargo period is to provide time for a quality fix.  Not all fixes are equal.  Some can be completed and safely applied very quickly, others can take longer.  In order to protect our customers from an exploit of an embargoed security vulnerability, we also start to monitor any reported security vulnerability of active exploitation and move swiftly if we see any active exploit. As both a service provider and a security company, Microsoft appreciates being part of an ecosystem of organizations focused on protecting customers as the highest priority over all other goals.

Microsoft also appreciates the security community’s research and disclosure of vulnerabilities. Responsible research and mitigation are critical for safeguarding our customers and this comes with a shared responsibility to be factual, understand processes and work together. Any deviation from this process puts customers and our communities at undue security risk. As always, Microsoft’s top priority is to protect and be transparent with our customers and we remain steadfast in our mission.

References 

• How to implement authentication in Custom Connecters

Customer FAQs 

Q: How do I know if I was affected by this unauthorized information disclosure?

A: Microsoft notified affected customers about this issue via Microsoft 365 Admin Center (MC665159) starting on 4 August 2023. If you did not receive this notification, then no action is required.

Q: How do I know if a notification was sent to my organization?

A: We sent Microsoft 365 Admin Center notifications to affected customers using a Data Privacy tag which means only users with a global administrator role or a Message center privacy reader role can view the notification. These roles are appointed by your organization. You can learn more about these roles and how to assign them here.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners are releasing a joint Cybersecurity Advisory (CSA), 2022 Top Routinely Exploited Vulnerabilities. This advisory provides details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2022, and the associated Common Weakness Enumeration(s) (CWE), to help organizations better understand the impact exploitation could have on their systems. International partners include: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), New Zealand Computer Emergency Response Team (CERT-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory.  The advisory provides vendors, designers, and developers recommendations on implementing secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations’ recommendations to reduce the risk of compromise by malicious cyber actors. 

Organizations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities because when cyber incidents are reported quickly, it can contribute to stopping further attacks.

In the U.S., organizations should inform CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870, or an FBI field office.

• Did you know the average person has over 100 passwords online? Here’s an easy pro tip: a Password Manager can do all the managing of strong, unique passwords for each account. Learn more: https://staysafeonline.org/online-safety-privacy-basics/password-managers/ #CybersecurityAwarenessMonth
• Default passwords are NOT secure. Put cybersecurity first and secure all internet-connected devices before using them. Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
• When it comes to passwords, long and complex is best! Make sure they are unique for each account and at least 12 characters long. Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
• No matter the account, all #passwords should be created with these 3 words in mind: Long (12+ characters) Unique (never reuse passwords) and Complex (a combination of upper and lower case letters, spaces, numbers and special characters) Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
• What are the advantages of a password manager? They 1. Save time 2. Suggest strong passwords and 3. Identify weak passwords. Learn more: https://staysafeonline.org/online-safety-privacy-basics/password-managers/ #CybersecurityAwarenessMonth
• Organize your ever growing list of online accounts with a password manager. They can manage all your online credentials like usernames and passwords. It stores them in a safe, encrypted database and also generates new ones when needed.  Learn more: https://staysafeonline.org/online-safety-privacy-basics/password-managers/ #CybersecurityAwarenessMonth
• Lock it up! Strong passwords are your first line of defense against cyber threats. Don’t settle for weak combinations. Create unique and complex passwords for each account, and consider using a password manager for added convenience and security. Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
• Avoid common password pitfalls! Hackers love easy targets, so don’t make it easy for them. Say no to password123 or qwerty. Opt for unique and complex passwords – let a password manager do the heavy lifting for you. It’s time to level up your security. Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth

Check out Roboform

• #CybersecurityAwarenessMonth Tip: If you connect it, protect it. Outsmart cyber criminals by regularly updating your software. Learn more: https://staysafeonline.org/resources/software-updates/
• Any device that connects to the internet is vulnerable to risks. The best defense is to keep device security software, web browser and operating systems up to date. Turn on auto-updates! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
• All those update alerts from your software are important to install! Not only do they fix things that might be buggy, they also patch up any security holes. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth
• Pay attention to software update alerts and set your software to auto-update–it’s an easy way to keep things safe. Set it and forget it! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth
• Don’t let vulnerabilities linger! Update, update, update! Keeping your software up to date is crucial for a secure digital life.  Enable automatic updates to protect your devices against the latest threats. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth
• Set it and forget it! With automatic software updates, you don’t have to worry about manually checking for updates. Embrace the convenience and let your devices take care of themselves. Stay on top of security and enjoy peace of mind. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth
• Outsmart the cyber threats! Hackers are always looking for vulnerabilities to exploit. Stay a step ahead by enabling automatic software updates. Think of them as an invisible shield that fortifies your devices against emerging risks. Stay safe, stay updated! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth
• The power of timely updates! Automatic software updates work silently to protect your devices. Say goodbye to outdated software and embrace the power of the latest features, enhanced performance, and tightened security. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth

• Reporting a scam is your best line of defense against cyber incidents. Don’t hesitate to call out phishing attempts. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
• Most cyber incidents start with a phish. To stop it, report it. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
• Cybercriminals cast wide nets with #phishing tactics, hoping to drag in victims. They may offer a financial reward, threaten you if you don’t engage, or claim that someone is in need of help. Stop, take a moment, and think before you click. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
• Tips for Spotting a Phish: 1) They create a sense of urgency or claim to need help. 2) They ask for your personal info. 3) They want you to download a file or click on a link. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
• Think before you click! Phishing emails disguise themselves as harmless messages, but they’re actually dangerous digital piranhas swimming in your inbox. Stay vigilant, spot the signs, and report those fraudulent emails. Together, we can #StaySafeOnline! Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
• Don’t get hooked! Phishing emails are like sneaky bait trying to reel you in. Learn how to spot them and report those fishy attempts to keep your inbox clean and your personal information safe. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
• Phishing: The art of deception. Cybercriminals are getting crafty, sending emails that look legit but aim to steal your information. Trust your gut, stay cautious, and report those phishing emails. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
• Your inbox is your fortress! Phishing emails try to breach your defenses, but you can outsmart them. Learn the telltale signs of phishing, such as misspellings, suspicious attachments, or urgent requests, and report those fraudulent messages. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth

• Make it harder for cybercriminals to access your account by enabling multi-factor authentication. Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth
• Multi-factor authentication adds an extra layer of protection to your accounts, making it harder for hackers to get in. Stay one step ahead and lock them out! Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/
• Where should you use MFA?

1. On accounts with your financial info like banks, or online stores

2. On accounts with personal info, like social media

3. On accounts with info you use for work

TLDR: Use MFA everywhere!

Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth

Adding MFA to an account greatly increases your security. It may include:

• A biometric identifier like a fingerprint
  • A unique number yes or no prompt generated by an authenticator app

Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor- authentication/ #CybersecurityAwarenessMonth

Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth

• Adding MFA to an account greatly increases your security. It may include:
  • A code emailed to an account or texted
  • A biometric identifier like a fingerprint
  • A unique number yes or no prompt generated by an authenticator app

Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-  authentication/ #CybersecurityAwarenessMonth

• Passwords are like the gatekeepers of your online kingdom! But why settle for one guard when you can have two? Multi-factor authentication doubles the security, making your accounts nearly impenetrable. Keep the baddies at bay! Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth
• There’s no one like you in the whole world… except the cybercriminal with your password. Don’t get hacked. Use multi-factor authentication. Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth
• One lock, two locks, three locks…who needs a keychain? With multi-factor authentication, you’re like an expert online locksmith! Don’t give hackers an easy way in. Protect your accounts and sleep like a baby! Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth

The Final Countdown to Cybersecurity Awareness Month 2023

Since 2004, the President of the United States and Congress have declared the month of October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) are working together to create resources and messaging for organizations to use when they talk with their employees and customers, and information for the public, about staying safe online.

2023 marks the 20^th Cybersecurity Awareness Month, and this year CISA is launching a new theme that will encourage actions we can take, and online behaviors we can change, to reduce cyber risk not only during Cybersecurity Awareness Month, but every day throughout the year.

The new theme will be announced in time for Cybersecurity Awareness Month. In the meantime, we encourage you to share the important actions and key messages below:

• Turn on multifactor authentication (MFA): You need more than a password to protect your online accounts, and enabling MFA makes you significantly less likely to get hacked.
• Use strong passwords: Use passwords that are long, unique, and randomly generated. Use password managers to generate and remember these unique passwords for each of your accounts. A password manager will encrypt passwords and secure them for you!
• Recognize & report phishing: If a link looks a little off, think before you click. It could be an attempt to get sensitive information or install malware.
• Update your software: Don’t delay – If you see a software update notification, act promptly. Better yet, turn on automatic updates.

The following materials will also be made available later this summer to help you promote your organization’s participation in Cybersecurity Awareness Month and create your own campaign:

·       Partner Toolkit

·       Tipsheets on the Four Key Behaviors

·       Cybersecurity Awareness Month 101 Presentation

·       Sample Social Media Posts & Graphics

·       And More!

For more information, and to become a CISA Cybersecurity Awareness Month partner, contact us at [email protected].

Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques. In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts. As with any social engineering lures, we encourage organizations to reinforce security best practices to all users and reinforce that any authentication requests not initiated by the user should be treated as malicious.

Our current investigation indicates this campaign has affected fewer than 40 unique global organizations. The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

Midnight Blizzard (NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-government organizations (NGOs), and IT service providers primarily in the US and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Their operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.

Midnight Blizzard is consistent and persistent in their operational targeting, and their objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain access to downstream customers, as well as the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard (NOBELIUM) is tracked by partner security vendors as APT29, UNC2452, and Cozy Bear.

Midnight Blizzard’s latest credential phishing attack

Midnight Blizzard regularly utilizes token theft techniques for initial access into targeted environments, in addition to authentication spear-phishing, password spray, brute force, and other credential attacks. The attack pattern observed in malicious activity since at least late May 2023 has been identified as a subset of broader credential attack campaigns that we attribute to Midnight Blizzard.

Use of security-themed domain names in lures

To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant. The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part of our ongoing investigation. Microsoft has mitigated the actor from using the domains.

Social engineering attack chain

In this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.

After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device.

Step 1: Teams request to chat

The target user may receive a Microsoft Teams message request from an external user masquerading as a technical support or security team.

Step 2: Request authentication app action

If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device.

Step 3: Successful MFA authentication

If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.

The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.

Recommendations

Microsoft recommends the following mitigations to reduce the risk of this threat.

• Pilot and start deploying phishing-resistant authentication methods for users.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
• Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
• Understand and select the best access settings for external collaboration for your organization.
• Allow only known devices that adhere to Microsoft’s recommended security baselines.
• Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
• Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and , and never share their account information or authorize sign-in requests over chat.
• Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
• Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.

Indicators of compromise

Indicator	Type	Description
msftprotection.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
identityVerification.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
accountsVerification.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
azuresecuritycenter.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain
teamsprotection.onmicrosoft[.]com	Domain name	Malicious actor-controlled subdomain

Hunting guidance

Microsoft Purview

Customers hunting for related activity in their environment can identify users that were targeted with the phishing lure using content search in Microsoft Purview. A content search can be created for selected Exchange mailboxes (which include Teams messages) using the following keywords (remove the [] around the “.” before use): 

• msftprotection.onmicrosoft[.]com
• identityVerification.onmicrosoft[.]com 
• accountsVerification.onmicrosoft[.]com
• azuresecuritycenter.onmicrosoft[.]com
• teamsprotection.onmicrosoft[.]com 
• We detected a recent change to your preferred Multi-Factor Authentication (MFA)

The search results will include the messages that match the criteria. The first result will appear to be from <threadid>@unq.gbl.spaces addressed to the target user and the threat actor (i.e., the request to chat as described in Step 1), followed by the message sent by the threat actor, as shown in the Microsoft Purview image below:

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with “TI map”) to automatically match indicators associated with Midnight Blizzard in Microsoft Defender Threat Intelligence with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the Defender Threat Intelligence connector and analytics rule deployed in their Sentinel workspace. Learn more about the Content Hub.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect activity related to the activity described in this blog:

• Azure portal sign-in from another Azure tenant
• Successful sign-in from non-compliant device
• User accounts – Sign-in failure due to CA spikes
• New onmicrosoft domain added to tenant

Further reading

Read about the threat actor Midnight Blizzard (formerly tracked as NOBELIUM).