Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats. You will have the opportunity to:
- Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
- Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
- Understand ways to help protect people and data against cyberthreats with Microsoft technologies.
Join us at an upcoming two-part event:
Wednesday, September 13, 2023 | 2:30 PM – 5:15 PM | (GMT-05:00) Eastern Time (US & Canada)
Thursday, September 14, 2023 | 2:30 PM – 4:30 PM | (GMT-05:00) Eastern Time (US & Canada)
Delivery Language: English
Closed Captioning Language(s): English
Author: blogmirnet
Microsoft mitigates Power Platform Custom Code information disclosure vulnerability by Tenable
Summary
On 30 March 2023, Tenable informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a security issue concerning Power Platform Custom Connectors using Custom Code. This feature allows customers to write code for custom connectors. This issue has been fully addressed for all customers and no customer remediation action is required.
Customer Impact
The vulnerability could lead to unauthorized access to Custom Code functions used for Power Platform custom connectors. The potential impact could be unintended information disclosure if secrets or other sensitive information were embedded in the Custom Code function.
Our investigation into the report identified anomalous access only by the security researcher that reported the incident, and no other actors. All impacted customers have been notified of this anomalous access by the researcher through the Microsoft 365 Admin Center (MC665159).
Fix Release
Microsoft issued an initial fix on 7 June 2023 to mitigate this issue for a majority of customers. Investigation into the subsequent report from Tenable on 10 July 2023 revealed that a very small subset of Custom Code in a soft deleted state were still impacted. This soft deleted state exists to enable quick recovery in case of accidental deletion of custom connectors as a resiliency mechanism. Microsoft engineering took steps to ensure and validate complete mitigation for any potentially remaining customers using Custom Code functions. This work was completed on 2 August 2023.
As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing. Ultimately, developing a security update is a delicate balance between the speed and safety of applying the fix and the quality of the fix. Moving too quickly could result in more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability. The purpose of an embargo period is to provide time for a quality fix. Not all fixes are equal. Some can be completed and safely applied very quickly, others can take longer. To protect our customers from an exploit of an embargoed security vulnerability, we also monitor every reported security vulnerability for active exploitation and move swiftly if we see any active exploit. As both a service provider and a security company, Microsoft appreciates being part of an ecosystem of organizations focused on protecting customers as the highest priority over all other goals.
Microsoft also appreciates the security community’s research and disclosure of vulnerabilities. Responsible research and mitigation are critical for safeguarding our customers and this comes with a shared responsibility to be factual, understand processes and work together. Any deviation from this process puts customers and our communities at undue security risk. As always, Microsoft’s top priority is to protect and be transparent with our customers and we remain steadfast in our mission.
References
Customer FAQs
Q: How do I know if I was affected by this unauthorized information disclosure?
A: Microsoft notified affected customers about this issue via Microsoft 365 Admin Center (MC665159) starting on 4 August 2023. If you did not receive this notification, then no action is required.
Q: How do I know if a notification was sent to my organization?
A: We sent Microsoft 365 Admin Center notifications to affected customers using a Data Privacy tag which means only users with a global administrator role or a Message center privacy reader role can view the notification. These roles are appointed by your organization. You can learn more about these roles and how to assign them here.
CISA, NSA, FBI, and International Partners Release Joint CSA on Top Routinely Exploited Vulnerabilities of 2022
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners are releasing a joint Cybersecurity Advisory (CSA), 2022 Top Routinely Exploited Vulnerabilities. This advisory provides details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2022, and the associated Common Weakness Enumeration(s) (CWE), to help organizations better understand the impact exploitation could have on their systems. International partners include: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), New Zealand Computer Emergency Response Team (CERT-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).
The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers recommendations on implementing secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations’ recommendations to reduce the risk of compromise by malicious cyber actors.
Organizations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities because when cyber incidents are reported quickly, it can contribute to stopping further attacks.
In the U.S., organizations should inform CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870, or an FBI field office.
Passwords and password managers
- Did you know the average person has over 100 passwords online? Here’s an easy pro tip: a Password Manager can do all the managing of strong, unique passwords for each account. Learn more: https://staysafeonline.org/online-safety-privacy-basics/password-managers/ #CybersecurityAwarenessMonth
- Default passwords are NOT secure. Put cybersecurity first and secure all internet-connected devices before using them. Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
- When it comes to passwords, long and complex is best! Make sure they are unique for each account and at least 12 characters long. Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
- No matter the account, all #passwords should be created with these 3 words in mind: Long (12+ characters) Unique (never reuse passwords) and Complex (a combination of upper and lower case letters, spaces, numbers and special characters) Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
- What are the advantages of a password manager? They 1. Save time 2. Suggest strong passwords and 3. Identify weak passwords. Learn more: https://staysafeonline.org/online-safety-privacy-basics/password-managers/ #CybersecurityAwarenessMonth
- Organize your ever growing list of online accounts with a password manager. They can manage all your online credentials like usernames and passwords. It stores them in a safe, encrypted database and also generates new ones when needed. Learn more: https://staysafeonline.org/online-safety-privacy-basics/password-managers/ #CybersecurityAwarenessMonth
- Lock it up! Strong passwords are your first line of defense against cyber threats. Don’t settle for weak combinations. Create unique and complex passwords for each account, and consider using a password manager for added convenience and security. Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
- Avoid common password pitfalls! Hackers love easy targets, so don’t make it easy for them. Say no to password123 or qwerty. Opt for unique and complex passwords – let a password manager do the heavy lifting for you. It’s time to level up your security. Learn more: https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/ #CybersecurityAwarenessMonth
Check out Roboform
Software Updates
- #CybersecurityAwarenessMonth Tip: If you connect it, protect it. Outsmart cyber criminals by regularly updating your software. Learn more: https://staysafeonline.org/resources/software-updates/
- Any device that connects to the internet is vulnerable to risks. The best defense is to keep device security software, web browser and operating systems up to date. Turn on auto-updates! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
- All those update alerts from your software are important to install! Not only do they fix things that might be buggy, they also patch up any security holes. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
- Pay attention to software update alerts and set your software to auto-update–it’s an easy way to keep things safe. Set it and forget it! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
- Don’t let vulnerabilities linger! Update, update, update! Keeping your software up to date is crucial for a secure digital life. Enable automatic updates to protect your devices against the latest threats. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
- Set it and forget it! With automatic software updates, you don’t have to worry about manually checking for updates. Embrace the convenience and let your devices take care of themselves. Stay on top of security and enjoy peace of mind. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
- Outsmart the cyber threats! Hackers are always looking for vulnerabilities to exploit. Stay a step ahead by enabling automatic software updates. Think of them as an invisible shield that fortifies your devices against emerging risks. Stay safe, stay updated! Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
- The power of timely updates! Automatic software updates work silently to protect your devices. Say goodbye to outdated software and embrace the power of the latest features, enhanced performance, and tightened security. Learn more: https://staysafeonline.org/resources/software-updates/ #CybersecurityAwarenessMonth
Phishing
- Reporting a scam is your best line of defense against cyber incidents. Don’t hesitate to call out phishing attempts. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
- Most cyber incidents start with a phish. To stop it, report it. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
- Cybercriminals cast wide nets with #phishing tactics, hoping to drag in victims. They may offer a financial reward, threaten you if you don’t engage, or claim that someone is in need of help. Stop, take a moment, and think before you click. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
- Tips for Spotting a Phish: 1) They create a sense of urgency or claim to need help. 2) They ask for your personal info. 3) They want you to download a file or click on a link. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
- Think before you click! Phishing emails disguise themselves as harmless messages, but they’re actually dangerous digital piranhas swimming in your inbox. Stay vigilant, spot the signs, and report those fraudulent emails. Together, we can #StaySafeOnline! Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
- Don’t get hooked! Phishing emails are like sneaky bait trying to reel you in. Learn how to spot them and report those fishy attempts to keep your inbox clean and your personal information safe. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
- Phishing: The art of deception. Cybercriminals are getting crafty, sending emails that look legit but aim to steal your information. Trust your gut, stay cautious, and report those phishing emails. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
- Your inbox is your fortress! Phishing emails try to breach your defenses, but you can outsmart them. Learn the telltale signs of phishing, such as misspellings, suspicious attachments, or urgent requests, and report those fraudulent messages. Learn more: https://staysafeonline.org/theft-fraud-cybercrime/phishing/ #CybersecurityAwarenessMonth
Multi-factor authentication
- Make it harder for cybercriminals to access your account by enabling multi-factor authentication. Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth
- Multi-factor authentication adds an extra layer of protection to your accounts, making it harder for hackers to get in. Stay one step ahead and lock them out! Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/
- Where should you use MFA?
1. On accounts with your financial info like banks, or online stores
2. On accounts with personal info, like social media
3. On accounts with info you use for work
TLDR: Use MFA everywhere!
Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth
- Adding MFA to an account greatly increases your security. It may include:
- A code emailed to an account or texted
- A biometric identifier like a fingerprint
- A unique number or a yes/no prompt generated by an authenticator app
Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth
- Passwords are like the gatekeepers of your online kingdom! But why settle for one guard when you can have two? Multi-factor authentication doubles the security, making your accounts nearly impenetrable. Keep the baddies at bay! Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth
- There’s no one like you in the whole world… except the cybercriminal with your password. Don’t get hacked. Use multi-factor authentication. Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth
- One lock, two locks, three locks…who needs a keychain? With multi-factor authentication, you’re like an expert online locksmith! Don’t give hackers an easy way in. Protect your accounts and sleep like a baby! Learn more: https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/ #CybersecurityAwarenessMonth
CISA Community Bulletin Special Edition: Cybersecurity Awareness Month 2023
The Final Countdown to Cybersecurity Awareness Month 2023
Since 2004, the President of the United States and Congress have declared the month of October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) are working together to create resources and messaging for organizations to use when they talk with their employees and customers, and information for the public, about staying safe online.
2023 marks the 20th Cybersecurity Awareness Month, and this year CISA is launching a new theme that will encourage actions we can take, and online behaviors we can change, to reduce cyber risk not only during Cybersecurity Awareness Month, but every day throughout the year.
The new theme will be announced in time for Cybersecurity Awareness Month. In the meantime, we encourage you to share the important actions and key messages below:
- Turn on multifactor authentication (MFA): You need more than a password to protect your online accounts, and enabling MFA makes you significantly less likely to get hacked.
- Use strong passwords: Use passwords that are long, unique, and randomly generated. Use password managers to generate and remember these unique passwords for each of your accounts. A password manager will encrypt passwords and secure them for you!
- Recognize & report phishing: If a link looks a little off, think before you click. It could be an attempt to get sensitive information or install malware.
- Update your software: Don’t delay – If you see a software update notification, act promptly. Better yet, turn on automatic updates.
The following materials will also be made available later this summer to help you promote your organization’s participation in Cybersecurity Awareness Month and create your own campaign:
· Partner Toolkit
· Tipsheets on the Four Key Behaviors
· Cybersecurity Awareness Month 101 Presentation
· Sample Social Media Posts & Graphics
· And More!
For more information, and to become a CISA Cybersecurity Awareness Month partner, contact us at AwarenessCampaigns@cisa.dhs.gov.
Microsoft Blog: Midnight Blizzard conducts targeted social engineering over Microsoft Teams
Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques. In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts. As with any social engineering lure, we encourage organizations to reinforce security best practices to all users and reinforce that any authentication requests not initiated by the user should be treated as malicious.
Our current investigation indicates this campaign has affected fewer than 40 unique global organizations. The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.
Midnight Blizzard (NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-government organizations (NGOs), and IT service providers primarily in the US and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Their operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.
Midnight Blizzard is consistent and persistent in their operational targeting, and their objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain access to downstream customers, as well as the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard (NOBELIUM) is tracked by partner security vendors as APT29, UNC2452, and Cozy Bear.
Midnight Blizzard’s latest credential phishing attack
Midnight Blizzard regularly utilizes token theft techniques for initial access into targeted environments, in addition to authentication spear-phishing, password spray, brute force, and other credential attacks. The attack pattern observed in malicious activity since at least late May 2023 has been identified as a subset of broader credential attack campaigns that we attribute to Midnight Blizzard.
Use of security-themed domain names in lures
To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant. The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part of our ongoing investigation. Microsoft has mitigated the actor from using the domains.
Social engineering attack chain
In this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.
After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device.
Step 1: Teams request to chat
The target user may receive a Microsoft Teams message request from an external user masquerading as a technical support or security team.

Step 2: Request authentication app action
If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device.

Step 3: Successful MFA authentication
If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.
The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.
Recommendations
Microsoft recommends the following mitigations to reduce the risk of this threat.
- Pilot and start deploying phishing-resistant authentication methods for users.
- Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
- Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
- Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
- Understand and select the best access settings for external collaboration for your organization.
- Allow only known devices that adhere to Microsoft’s recommended security baselines.
- Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
- Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
- Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
- Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
Indicators of compromise
| Indicator | Type | Description |
| msftprotection.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| identityVerification.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| accountsVerification.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| azuresecuritycenter.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
| teamsprotection.onmicrosoft[.]com | Domain name | Malicious actor-controlled subdomain |
Hunting guidance
Microsoft Purview
Customers hunting for related activity in their environment can identify users that were targeted with the phishing lure using content search in Microsoft Purview. A content search can be created for selected Exchange mailboxes (which include Teams messages) using the following keywords (remove the [] around the “.” before use):
- msftprotection.onmicrosoft[.]com
- identityVerification.onmicrosoft[.]com
- accountsVerification.onmicrosoft[.]com
- azuresecuritycenter.onmicrosoft[.]com
- teamsprotection.onmicrosoft[.]com
- We detected a recent change to your preferred Multi-Factor Authentication (MFA)
The search results will include the messages that match the criteria. The first result will appear to be from <threadid>@unq.gbl.spaces addressed to the target user and the threat actor (i.e., the request to chat as described in Step 1), followed by the message sent by the threat actor.
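The same keyword hunt can be scripted against an exported set of Teams chat or mailbox records when Purview content search is not available or when the export has to be triaged offline. The Python below is an added example, not part of Microsoft's advisory and not Purview's own logic: it applies the advisory's five IOC domains and the lure phrase to every participant and body in each record (so the `<threadid>@unq.gbl.spaces` chat request is caught through its actor participant, as described above), and adds one lower-confidence heuristic of my own, an external *.onmicrosoft.com sender whose tenant label contains a security- or product-themed word, which is the naming pattern the advisory describes without listing keywords. The record shape, the keyword tuple and the sample messages are constructed assumptions.

```python
"""Hunt exported Teams chat / Exchange mailbox records for the Midnight Blizzard lure IOCs."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# IOC domains from the advisory's table, with the defanging brackets removed for matching.
IOC_DOMAINS = {
    d.replace("[.]", ".").lower()
    for d in (
        "msftprotection.onmicrosoft[.]com",
        "identityVerification.onmicrosoft[.]com",
        "accountsVerification.onmicrosoft[.]com",
        "azuresecuritycenter.onmicrosoft[.]com",
        "teamsprotection.onmicrosoft[.]com",
    )
}

# Lure text from the advisory's keyword list, lower-cased for case-insensitive matching.
LURE_PHRASE = "we detected a recent change to your preferred multi-factor authentication (mfa)"

# Security / product themed words the actor favours for tenant names. The advisory describes
# the pattern but lists no keywords, so this tuple is an assumption (tune it for your tenant).
THEME_KEYWORDS = ("protection", "verification", "security", "identity", "account", "msft", "azure", "teams")


@dataclass
class Hit:
    message_id: str
    confidence: str                      # "high" for IOC / lure matches, "low" for the heuristic
    reasons: List[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an SMTP-style address, or "" when there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def themed_external_tenant(domain: str, home_tenants: Set[str]) -> bool:
    """True for an external *.onmicrosoft.com tenant whose label contains a themed word."""
    if not domain.endswith(".onmicrosoft.com") or domain in home_tenants:
        return False
    label = domain[: -len(".onmicrosoft.com")]
    return any(word in label for word in THEME_KEYWORDS)


def triage_message(msg: Dict, home_tenants: Set[str]) -> Optional[Hit]:
    """Apply the advisory's IOCs, then the heuristic, to one message record."""
    participants = [msg["from"], *msg.get("to", [])]
    reasons, confidence = [], None

    # Any participant in an IOC tenant is a high-confidence hit (covers the chat request too).
    for addr in participants:
        if domain_of(addr) in IOC_DOMAINS:
            reasons.append(f"participant {addr} is in the IOC domain list")
            confidence = "high"

    if LURE_PHRASE in msg.get("body", "").lower():
        reasons.append("body contains the MFA-change lure phrase")
        confidence = "high"

    # Heuristic only when nothing stronger fired, to keep the output ranked by confidence.
    if not reasons and themed_external_tenant(domain_of(msg["from"]), home_tenants):
        reasons.append(f"sender tenant {domain_of(msg['from'])} is external and security-themed")
        confidence = "low"

    return Hit(msg["id"], confidence, reasons) if reasons else None


def hunt(messages: List[Dict], home_tenants: Set[str]) -> List[Hit]:
    """Triage every record; high-confidence hits sort first, then by message id."""
    hits = [h for m in messages if (h := triage_message(m, home_tenants))]
    return sorted(hits, key=lambda h: (h.confidence != "high", h.message_id))


# Constructed sample export (not real telemetry); m1 mimics the chat request, m2 the lure.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "19:f3b9c0@unq.gbl.spaces",
     "to": ["alice@contoso.com", "support@msftprotection.onmicrosoft.com"], "body": ""},
    {"id": "m2", "from": "support@msftprotection.onmicrosoft.com", "to": ["alice@contoso.com"],
     "body": "We detected a recent change to your preferred Multi-Factor Authentication (MFA) method. "
             "To keep your account secure, enter the code shown below in your Authenticator app."},
    {"id": "m3", "from": "helpdesk@secureidentitydesk.onmicrosoft.com", "to": ["alice@contoso.com"],
     "body": "Please approve the pending sign-in request."},
    {"id": "m4", "from": "bob@contoso.com", "to": ["alice@contoso.com"], "body": "Lunch at noon?"},
    {"id": "m5", "from": "partner@fabrikam.onmicrosoft.com", "to": ["alice@contoso.com"],
     "body": "Updated invoice attached."},
]
HOME_TENANTS = {"contoso.onmicrosoft.com"}   # assumed: our own onmicrosoft.com tenant(s)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_MESSAGES, HOME_TENANTS):
        print(hit.message_id, hit.confidence, "; ".join(hit.reasons))
```

The heuristic is deliberately kept separate from the IOC match: IOC hits are actionable on their own, while a themed external onmicrosoft.com tenant (m3 above) is only a lead that still needs the sender's tenant and the conversation checked by hand.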
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with “TI map”) to automatically match indicators associated with Midnight Blizzard in Microsoft Defender Threat Intelligence with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the Defender Threat Intelligence connector and analytics rule deployed in their Sentinel workspace. Learn more about the Content Hub.
Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect activity related to the activity described in this blog:
- Azure portal sign-in from another Azure tenant
- Successful sign-in from non-compliant device
- User accounts – Sign-in failure due to CA spikes
- New onmicrosoft domain added to tenant
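The last detection in that list, a new onmicrosoft.com domain added to the tenant, corresponds to the tenant-preparation sequence the advisory describes earlier (rename the compromised tenant, add a new onmicrosoft.com subdomain, add a user in that subdomain to send the lures). The Python below is an added example, not Microsoft's Sentinel content or any of its analytics rules: it correlates those three steps over a constructed set of Entra audit events so that a new onmicrosoft.com domain followed by a user created under it is rated higher than a bare domain addition. The event shape (time, op, target) and the operation names ("Update company", "Add unverified domain" / "Add verified domain", "Add user") are my assumptions about the audit log and should be checked against your own tenant's records before use.

```python
"""Correlate Entra audit events into the tenant-preparation sequence from the advisory."""
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed audit-log record shape: {"time": ISO-8601 UTC, "op": operation name, "target": str}.
# Operation names are assumptions about the Entra audit log, not taken from the advisory.
OP_RENAME_TENANT = "Update company"
OP_ADD_DOMAIN = ("Add unverified domain", "Add verified domain")
OP_ADD_USER = "Add user"
ONMICROSOFT = ".onmicrosoft.com"


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def find_tenant_prep(events: List[Dict], window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """One finding per newly added *.onmicrosoft.com domain.

    A tenant rename inside `window` before the addition, and any user created under the
    new domain inside `window` after it, are attached. A finding with such a user is rated
    high because that user is the account the actor sends Teams lures from.
    """
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    findings = []
    for ev in events:
        if ev["op"] not in OP_ADD_DOMAIN or not ev["target"].lower().endswith(ONMICROSOFT):
            continue
        domain = ev["target"].lower()
        added_at = parse_time(ev["time"])
        finding = {"domain": domain, "added_at": ev["time"], "renamed_before": False, "users": []}
        for other in events:
            when = parse_time(other["time"])
            if other["op"] == OP_RENAME_TENANT and added_at - window <= when <= added_at:
                finding["renamed_before"] = True
            elif (other["op"] == OP_ADD_USER and added_at <= when <= added_at + window
                  and other["target"].lower().endswith("@" + domain)):
                finding["users"].append(other["target"])
        finding["severity"] = "high" if finding["users"] else "medium"
        findings.append(finding)
    return findings


# Constructed sample audit events (not real telemetry). The first three mimic the sequence
# from the advisory using one of its IOC domains; the rest are benign noise.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T08:00:00Z", "op": OP_RENAME_TENANT, "target": "Company"},
    {"time": "2023-06-01T08:05:00Z", "op": "Add verified domain", "target": "msftprotection.onmicrosoft.com"},
    {"time": "2023-06-01T08:10:00Z", "op": OP_ADD_USER, "target": "support@msftprotection.onmicrosoft.com"},
    {"time": "2023-06-02T09:00:00Z", "op": "Add unverified domain", "target": "shop.contoso.com"},
    {"time": "2023-06-03T12:00:00Z", "op": "Add verified domain", "target": "fabrikam-dev.onmicrosoft.com"},
    {"time": "2023-06-03T12:30:00Z", "op": OP_ADD_USER, "target": "jdoe@contoso.com"},
]

if __name__ == "__main__":
    for f in find_tenant_prep(SAMPLE_EVENTS):
        print(f["severity"], f["domain"], "renamed_before=%s" % f["renamed_before"], f["users"])
```

Custom domains such as shop.contoso.com are skipped on purpose: the advisory's pattern is specifically a new onmicrosoft.com subdomain, and treating every domain addition as suspicious would bury the signal in routine administration. The 24-hour window is a starting point; widen it if your audit retention and the actor's observed tempo warrant it.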
Further reading
Read about the threat actor Midnight Blizzard (formerly tracked as NOBELIUM).
Mozilla Releases Security Updates for Firefox and Firefox ESR
Mozilla has released security updates to address vulnerabilities for Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14. An attacker could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review Mozilla’s security advisories for Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14 for more information and apply the necessary updates.