No matter the account, all #passwords should be created with these 3 words in mind: Long (12+ characters) Unique (never reuse passwords) and Complex (a combination of upper and lower case letters, spaces, numbers and special characters) Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
Organize your ever growing list of online accounts with a password manager. They can manage all your online credentials like usernames and passwords. It stores them in a safe, encrypted database and also generates new ones when needed. Learn more: https://staysafeonline.org/online-safety-privacy-basics/password-managers/ #CybersecurityAwarenessMonth
Lock it up! Strong passwords are your first line of defense against cyber threats. Don’t settle for weak combinations. Create unique and complex passwords for each account, and consider using a password manager for added convenience and security. Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
Avoid common password pitfalls! Hackers love easy targets, so don’t make it easy for them. Say no to password123 or qwerty. Opt for unique and complex passwords – let a password manager do the heavy lifting for you. It’s time to level up your security. Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
Any device that connects to the internet is vulnerable to risks. The best defense is to keep device security software, web browser and operating systems up to date. Turn on auto-updates! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
All those update alerts from your software are important to install! Not only do they fix things that might be buggy, they also patch up any security holes. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth
Pay attention to software update alerts and set your software to auto-update–it’s an easy way to keep things safe. Set it and forget it! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth
Don’t let vulnerabilities linger! Update, update, update! Keeping your software up to date is crucial for a secure digital life. Enable automatic updates to protect your devices against the latest threats. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth
Set it and forget it! With automatic software updates, you don’t have to worry about manually checking for updates. Embrace the convenience and let your devices take care of themselves. Stay on top of security and enjoy peace of mind. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth
Outsmart the cyber threats! Hackers are always looking for vulnerabilities to exploit. Stay a step ahead by enabling automatic software updates. Think of them as an invisible shield that fortifies your devices against emerging risks. Stay safe, stay updated! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth
The power of timely updates! Automatic software updates work silently to protect your devices. Say goodbye to outdated software and embrace the power of the latest features, enhanced performance, and tightened security. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenssMonth
Cybercriminals cast wide nets with #phishing tactics, hoping to drag in victims. They may offer a financial reward, threaten you if you don’t engage, or claim that someone is in need of help. Stop, take a moment, and think before you click. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
Tips for Spotting a Phish: 1) They create a sense of urgency or claim to need help. 2) They ask for your personal info. 3) They want you to download a file or click on a link. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
Think before you click! Phishing emails disguise themselves as harmless messages, but they’re actually dangerous digital piranhas swimming in your inbox. Stay vigilant, spot the signs, and report those fraudulent emails. Together, we can #StaySafeOnline! Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
Don’t get hooked! Phishing emails are like sneaky bait trying to reel you in. Learn how to spot them and report those fishy attempts to keep your inbox clean and your personal information safe. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
Phishing: The art of deception. Cybercriminals are getting crafty, sending emails that look legit but aim to steal your information. Trust your gut, stay cautious, and report those phishing emails. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
Your inbox is your fortress! Phishing emails try to breach your defenses, but you can outsmart them. Learn the telltale signs of phishing, such as misspellings, suspicious attachments, or urgent requests, and report those fraudulent messages. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
Passwords are like the gatekeepers of your online kingdom! But why settle for one guard when you can have two? Multi-factor authentication doubles the security, making your accounts nearly impenetrable. Keep the baddies at bay! Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth
The Final Countdown to Cybersecurity Awareness Month 2023
Since 2004, the President of the United States and Congress have declared the month of October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) are working together to create resources and messaging for organizations to use when they talk with their employees and customers, and information for the public, about staying safe online.
2023 marks the 20th Cybersecurity Awareness Month, and this year CISA is launching a new theme that will encourage actions we can take, and online behaviors we can change, to reduce cyber risk not only during Cybersecurity Awareness Month, but every day throughout the year.
The new theme will be announced in time for Cybersecurity Awareness Month. In the meantime, we encourage you to share the important actions and key messages below:
Turn on multifactor authentication (MFA): You need more than a password to protect your online accounts, and enabling MFA makes you significantly less likely to get hacked.
Use strong passwords: Use passwords that are long, unique, and randomly generated. Use password managers to generate and remember these unique passwords for each of your accounts. A password manager will encrypt passwords and secure them for you!
Recognize & report phishing: If a link looks a little off, think before you click. It could be an attempt to get sensitive information or install malware.
Update your software: Don’t delay – If you see a software update notification, act promptly. Better yet, turn on automatic updates.
The following materials will also be made available later this summer to help you promote your organization’s participation in Cybersecurity Awareness Month and create your own campaign:
· Partner Toolkit
· Tipsheets on the Four Key Behaviors
· Cybersecurity Awareness Month 101 Presentation
· Sample Social Media Posts & Graphics
· And More!
For more information, and to become a CISA Cybersecurity Awareness Month partner, contact us at AwarenessCampaigns@cisa.dhs.gov.
Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques. In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts. As with any social engineering lures, we encourage organizations to reinforce security best practices to all users and reinforce that any authentication requests not initiated by the user should be treated as malicious.
Our current investigation indicates this campaign has affected fewer than 40 unique global organizations. The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.
Midnight Blizzard (NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-government organizations (NGOs), and IT service providers primarily in the US and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Their operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.
Midnight Blizzard is consistent and persistent in their operational targeting, and their objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain access to downstream customers, as well as the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard (NOBELIUM) is tracked by partner security vendors as APT29, UNC2452, and Cozy Bear.
Midnight Blizzard regularly utilizes token theft techniques for initial access into targeted environments, in addition to authentication spear-phishing, password spray, brute force, and other credential attacks. The attack pattern observed in malicious activity since at least late May 2023 has been identified as a subset of broader credential attack campaigns that we attribute to Midnight Blizzard.
Use of security-themed domain names in lures
To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant. The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part of our ongoing investigation. Microsoft has mitigated the actor from using the domains.
Social engineering attack chain
In this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.
After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device.
Step 1: Teams request to chat
The target user may receive a Microsoft Teams message request from an external user masquerading as a technical support or security team.
Figure 1: Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account
Step 2: Request authentication app action
If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device.
Figure 2: A Microsoft Teams prompt with a code and instructions.
Step 3: Successful MFA authentication
If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.
The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.
Recommendations
Microsoft recommends the following mitigations to reduce the risk of this threat.
Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and , and never share their account information or authorize sign-in requests over chat.
Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
Customers hunting for related activity in their environment can identify users that were targeted with the phishing lure using content search in Microsoft Purview. A content search can be created for selected Exchange mailboxes (which include Teams messages) using the following keywords (remove the [] around the “.” before use):
msftprotection.onmicrosoft[.]com
identityVerification.onmicrosoft[.]com
accountsVerification.onmicrosoft[.]com
azuresecuritycenter.onmicrosoft[.]com
teamsprotection.onmicrosoft[.]com
We detected a recent change to your preferred Multi-Factor Authentication (MFA)
The search results will include the messages that match the criteria. The first result will appear to be from <threadid>@unq.gbl.spaces addressed to the target user and the threat actor (i.e., the request to chat as described in Step 1), followed by the message sent by the threat actor, as shown in the Microsoft Purview image below:
Figure 3: Message sent by the threat actor, as shown in Microsoft Purview
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with “TI map”) to automatically match indicators associated with Midnight Blizzard in Microsoft Defender Threat Intelligence with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the Defender Threat Intelligence connector and analytics rule deployed in their Sentinel workspace. Learn more about the Content Hub.
Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect activity related to the activity described in this blog:
Mozilla has released security updates to address vulnerabilities for Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14. An attacker could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review Mozilla’s security advisories for Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14 for more information and apply the necessary updates.
Empower your workforce with a new partner in productivity Read the e-book, Working Smarter with AI, to discover how AI-powered tools like Microsoft 365 Copilot can unlock new levels of productivity.
For years now, AI has played a crucial role behind the scenes, powering everything from online searches to personalized streaming recommendations. Now, we are entering a transformative phase where AI is no longer just an unseen assistant but a powerful partner in enhancing productivity. Download the Working Smarter with AI e-book to: Discover the untapped potential of language models and generative AI and explore innovative ways to leverage their capabilities.Gain valuable insights on how to ensure the secure and responsible use of AI, including how to build an ethical and transparent AI ecosystem.Learn how to maximize the intelligent features of Copilot and enable your workforce to achieve its potential.
Sensitive information on the Wi-Fi connection settings stored in the memories of inkjet printers (home and office/large format) may not be deleted by the usual initialization process.
Affected Products/Versions
Please check the affected inkjet printer models from here.
Mitigation/Remediation
When your printer may be in the hand of any third party, such as when repairing, lending or disposing the printer, take the following steps from the printer unit:
Reset all settings (Reset settings ‐> Reset all)
Enable the wireless LAN
Reset all settings one more time
For models that do not have the Reset all settings function, take the following steps:
Reset LAN settings
Enable the wireless LAN
Reset LAN settings one more time
Please refer to the operation manual of relevant model for specific Reset all or Reset LAN settings.
When investigating an incident, analysts follow certain steps – tasks – to ensure that the investigation is conducted effectively and efficiently. Standardizing the process is necessary for both generic steps and specific types of incidents, and their availability in the context of the incident allows for faster and more efficient management and remediation.
Tasks in Microsoft Sentinel can help security analysts streamline their workflow and improve their efficiency. Analysts can add tasks to specific incidents or alerts, enabling them to track the progress of investigations and remediation activities. While tasks can be added manually from within the Sentinel console, playbooks, and automation rules can be used to automatically create tasks based on certain conditions. Today we’re happy to announce the release of new playbooks, a workbook, and Log Analytics logs as well as an update to the SOC Process Framework. Along with a new integration with Microsoft 365 Defender SecOps playbooks, this will allow even more efficiency in managing incidents and the SOC’s tasks, with out-of-the-box content delivered by our security experts.
New playbooks with tasks for BEC, Ransomware, and Phishing investigation
Handling complex incidents can be a long, challenging task that requires lots of expertise in different fields. Microsoft 365 Defender SecOps workflows offer security analysts a detailed guided response playbook for investigating and responding to security incidents, including Phishing, Ransomware, and BEC. Developed by some of the world’s top security researchers and backed by Microsoft’s extensive experience in threat detection and response, these workflows provide unparalleled security value, significantly bolstering an organization’s defenses.. And now, with dedicated playbooks in Sentinel, these workflows can be easily transformed into tasks. Simply deploy the phishing, BEC, and ransomware playbooks in your workspace and apply them to the corresponding incidents. By integrating Defender workflows with Sentinel tasks, security teams can enjoy a more structured and efficient workflow, enabling them to respond to threats with greater speed and accuracy. The playbooks are now published in the “SOAR essentials” solution in Content Hub and are ready for use by your SOC.
New workbook to manage tasks in the SOC
Now that tasks are integrated into the SOC’s incidents, the new tasks workbook offers a way for security teams to analyze task progress and completion, providing a comprehensive overview of all the tasks that exist in the Sentinel workspace. This is particularly important for SOC managers, as it allows them to easily monitor and manage the security workflow of their team. With a centralized view of all tasks, managers can quickly identify any bottlenecks or areas for improvement, including tasks that take the longest to complete. Additionally, a dashboard that shows tasks per incident/incidents and owner can help managers gain greater visibility into the workload of their team and allows analysts to manage their tasks in a timely and organized manner. The new Workbook allows toggling between those perspectives. The Workbook is now published in the “SOAR essentials” solution in Content hub.
The new workbook is based on new information in Log Analytics’ SecurityIncident table. Please refer to Appendix 2 for documentation of the new tasks fields.
Tasks details in SecurityIncident table
Task details in Log Analytics can be used as dashboards to monitor task progress, investigate security incidents, and track compliance and auditing activities. The tasks details include the task name and status, task number, last completed time (in case the task was modified after it was closed), and more. If you wish to explore the new task details in the SecurityIncident table, please refer to documentation and some recommended queries provided in Appendix 2 at the end of this blog post.
Updates to the SOC Process Framework
The SOC Process Framework solution, which can be found in Content Hub, is also updated to support Tasks. With the new version, instead of writing tasks into incident comments, the SOC Process Framework will create tasks defined in the watchlist into Microsoft Sentinel Incident Tasks. As a reminder, the SOC Process Framework Solution is designed to easily integrate with Microsoft Sentinel and establish a standard SOC Process and Procedure Framework within your organization, including incident or alert tasks.
Summary
Automating task management in Microsoft Sentinel using playbooks and automation rules can help security analysts streamline their workflow and improve efficiency. Integrating Microsoft Defender workflows with Sentinel tasks provides security teams with a more structured and effective way to investigate and respond to security incidents, significantly improving an organization’s security posture. Additionally, Workbooks offer valuable insights into task progress and completion, enabling security teams to monitor their workflow and identify areas for improvement. The new SecurityIncident audits allow for full flexibility in querying tasks details and integrating them into more of the SOC’s tools.
