My information Resource (blog.mir.net)

Original
release date: January 14, 2021

Cisco has released security updates to address vulnerabilities in Cisco
products. A remote attacker could exploit some of these vulnerabilities to take
control of an affected system. For updates addressing lower severity
vulnerabilities see the Cisco
Security Advisories page.

CISA encourages users and administrators to review the following Cisco
Advisories and apply the necessary updates:

• AnyConnect Secure Mobility Client for Windows DLL Injection
  Vulnerability cisco-sa-anyconnect-dll-injec-pQnryXLf
  
• Connected Mobile Experiences Privilege Escalation
  Vulnerability cisco-sa-cmxpe-75Asy9k
  
• Small Business RV110W, RV130, RV130W, and RV215W
  Routers Management Interface Command Injection Vulnerabilities cisco-sa-rv-command-inject-LBdQ2KRN
  
• Small Business RV110W, RV130, RV130W, and RV215W
  Routers Management Interface Remote Command Execution and Denial of
  Service Vulnerabilities cisco-sa-rv-overflow-WUnUgv4U
  

 CVE: CVE-2020-29583

Summary

Zyxel has released a patch for the hardcoded credential vulnerability of firewalls and AP controllers recently reported by researchers from EYE Netherlands. Users are advised to install the applicable firmware updates for optimal protection.

What is the vulnerability?

A hardcoded credential vulnerability was identified in the “zyfwp” user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products and are releasing firmware patches to address the issue, as shown in the table below. For optimal protection, we urge users to install the applicable updates. For those not listed, they are not affected. Contact your local Zyxel support team if you require further assistance.

Go Here For more details go Here   or Here

 

Title: Terranova Security Gone Phishing Tournament reveals continued weak
spot in cybersecurity
URL: https://www.microsoft.com/security/blog/2020/12/16/terranova-security-gone-phishing-tournament-reveals-continued-weak-spot-in-cybersecurity/

Overview: See which industries had the highest click rates, as well as results
sorted by organization size, previous training, and more.

 

Title: Data Connector Health – Push Notification Alerts
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/data-connector-health-push-notification-alerts/ba-p/1996442

Overview: This enhanced solution builds on the existing “Connector Health
Workbook” described in this video. The Logic App leverages underlying KQL queries to
provide you with an option to configure “Push notifications” to e-mail and/or a
Microsoft Teams channel based on user defined anomaly scores as well as time
since the last “Heartbeat” from Virtual Machines connected to the workspace.
Below is a detailed description of how the rule and the logic app are put
together. The solution is available for deployment from the official Azure
Sentinel GitHub repo on this link .

 

Title: Becoming resilient by understanding cybersecurity risks: Part 2
URL: https://www.microsoft.com/security/blog/2020/12/17/becoming-resilient-by-understanding-cybersecurity-risks-part-2/

Overview: Whilst this may be uncomfortable reading, the ability to pre-empt and
respond quickly to these attacks is now an organizational imperative that requires
a level of close collaboration and integration throughout your organization
(which may not have happened to date).

 

Title: A breakthrough year for passwordless technology
URL: https://www.microsoft.com/security/blog/2020/12/17/a-breakthrough-year-for-passwordless-technology/ 

Overview: Learn how Microsoft and its partners are advancing IAM through secure
passwordless access.

 

Title: A “quick wins” approach to securing Azure Active Directory and
Office 365 and improving your security posture
URL: https://www.microsoft.com/security/blog/2020/12/17/a-quick-wins-approach-to-securing-azure-active-directory-and-office-365-and-improving-your-security-posture/
Overview: This blog post will explain simple Microsoft security defaults and
Secure Score—two features you should take advantage of that are easy to utilize
and can significantly improve security in Azure AD and Office 365
configurations.

 

Title: New Advanced Hunting data source assists recent nation-state
attack investigations
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/new-advanced-hunting-data-source-assists-recent-nation-state/ba-p/1999523
Overview: We are happy to announce the availability of a new data source in Microsoft 365 Defender Advanced Hunting.

 

Title: Announcing new Microsoft Information Protection capabilities to
know and protect your sensitive data
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/announcing-new-microsoft-information-protection-capabilities-to/ba-p/1999692

Overview: Microsoft Information Protection (MIP) is a built-in,
intelligent, unified, and extensible solution to protect sensitive data in
documents and emails across your organization. MIP provides a unified set of
capabilities to know and protect your data and prevent data loss across
Microsoft 365 apps (e.g., Word, PowerPoint, Excel, Outlook), services (e.g.,
Microsoft Teams, SharePoint, Exchange, Power BI), on-premises locations (e.g.,
SharePoint Server, on-premises files shares), devices, and third-party apps and
services (e.g., Box and Dropbox).

 

Title: Collaborative innovation on display in Microsoft’s insider risk
management strategy
URL: https://www.microsoft.com/security/blog/2020/12/17/collaborative-innovation-on-display-in-microsofts-insider-risk-management-strategy/

Overview: Partnering with organizations like Carnegie Mellon University allows
us to bring their rich research and insights to our products and services, so
customers can fully benefit from our breadth of signals.  

 

Title: New Threat analytics report shares the latest intelligence on
recent nation-state cyber attacks
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/new-threat-analytics-report-shares-the-latest-intelligence-on/ba-p/2001095

Overview: Microsoft security researchers have been investigating and responding
to the recent nation-state cyber-attack involving a supply-chain compromise
followed by cloud assets compromise.

 Deploy
and scale virtualized desktops and apps on Azure for more secure, productive
remote work—for all employees at any location. Explore these tutorials from
Microsoft Learn to get started with Windows Virtual Desktop.

Take
the tutorials to:

• Understand configuration
  workflow steps and get a checklist to help you prepare, deploy, and
  optimize.
• Learn how to enable concurrent
  users on a single virtual machine (VM) with simplified server
  management—and learn your options to load balance users using VM host pools.

Find out how to virtualize across
devices—including Windows, Mac, iOS, and Android—to access remote desktops and
apps.

     Microsoft security researchers continue to investigate and respond to the sophisticated cyberattack known as Solorigate (also referred to as Sunburst by FireEye) involving a supply chain compromise and the subsequent compromise of cloud assets. While the related investigations and impact assessments are ongoing, Microsoft is providing visibility into the attack chains and related threat intelligence to the defender community as early as possible so organizations can identify and take action to stop this attack, understand the potential scope of its impact, and begin the recovery process from this active threat. We have established a resource center that is constantly updated as more information becomes available at https://aka.ms/solorigate.

    Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers.

For detail info click here

You are subscribed to National Cyber Awareness System Current Activity for
Cybersecurity and Infrastructure Security Agency. This information has recently
been updated, and is now available.

CISA
Releases CISA Insights and Creates Webpage on Ongoing APT Cyber Activity

12/23/2020 12:55 PM EST

 

Original
release date: December 23, 2020

CISA is tracking a known compromise involving SolarWinds Orion products that
are currently being exploited by a malicious actor. An advanced persistent
threat (APT) actor is responsible for compromising the SolarWinds Orion
software supply chain, as well as widespread abuse of commonly used
authentication mechanisms. If left unchecked, this threat actor has the
resources, patience, and expertise to resist eviction from compromised networks
and continue to hold affected organizations at risk.

In response to this threat, CISA has issued CISA Insights: What
Every Leader Needs to Know About the Ongoing APT Cyber Activity. This CISA
Insights provides information to leaders on the known risk to organizations and
actions that they can take to prioritize measures to identify and address these
threats.

CISA has also created a new Supply
Chain Compromise webpage to consolidate the many resources—including Emergency
Directive (ED) 21-01 and Activity Alert AA20-352A:
Advanced Persistent Threat Compromise of Government Agencies, Critical
Infrastructure, and Private Sector Organizations—that we have released on
this compromise. CISA will update the webpage to include partner resources that
are of value to the cyber community.

To read the latest CISA Insights, visit CISA.gov/insights.
For more information on the SolarWinds Orion software compromise, visit CISA.gov/supply-chain-compromise.

This product is provided subject to this Notification
and this Privacy
& Use policy.

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of
active exploitation of SolarWinds Orion Platform software versions 2019.4
through 2020.2.1, released between March 2020 and June 2020.

CISA encourages affected organizations to read the SolarWinds and FireEye advisories for
more information and FireEye’s GitHub page for detection countermeasures:

• SolarWinds
  Security Advisory
• FireEye
  Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to
  Compromise Multiple Global Victims With SUNBURST Backdoor
• FireEye
  GitHub page: Sunburst Countermeasures 
   

This product is provided subject to this Notification
and this Privacy
& Use policy.

 This Post by Alex Weinert is important to read 

Protecting Microsoft 365 from on-premises attacks

 As Microsoft alongside our industry partners and the security community continues to investigate the extent of the Solorigate attack, our goal is to provide the latest threat intelligence including IOCs and guidance across our products and solutions to help the community fight back against, harden your infrastructure, and begin to recover from this attack of unprecedented scale. As new information becomes available, we will make updates to this article.

This blog will outline lessons learned from this and other incident response to date in on-premises and cloud environments. This latest guidance is for customers looking to re-establish trusted identities for credentials that are suspected of compromise by Solorigate malware.

This article is intended to give experienced incident responders some advice on techniques to consider when helping an organization respond to a suspected systemic identity compromise, like we’re seeing in some victims of the Solorigate malware, based on our experience in the field in similar scenarios. Re-establishing trust in the organization’s on-premises and cloud environments with minimal business impact requires in-depth investigation and an understanding of potential methods of persistence. While not meant to cover every possible scenario, this guidance is intended to summarize our experience with similar customer breaches and will be updated if we learn of new information that would help with successful recovery. Please review the resources referenced at the end of this article for additional information. This information is provided as-is and constitutes generalized guidance; the ultimate determination about how to apply this guidance to your IT environment and tenant(s) must consider your unique environment and needs, which each Customer is in the best position to determine.

The Solorigate investigation referenced in this guidance is ongoing at the time of publication and our teams continue to act as first responders to these attacks. As new information becomes available, we will make updates through our Microsoft Security Response Center (MSRC) blog.

Overview of the intrusion

As described in this Microsoft blog post, the hallmarks of this actor’s activity include, but are not limited to, the following techniques that are likely to result in systemic identity compromise:

• An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. Read our in-depth technical analysis of the Solorigate malware.
• An intruder using administrative permissions (acquired through an on-premises compromise) to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens to impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
• Anomalous logins using the SAML tokens signed with a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. An organization may miss the use of illegitimate SAML tokens because they are signed with a legitimate certificate.
• The use of highly privileged accounts (acquired through the technique above or other means) to add illegitimate credentials to existing application service principals, enabling the attacker to call APIs with the permission assigned to that application.

Overview of response objectives

Organizations that have experienced systemic identity compromise need to start recovery by re-establishing trustworthy communications. This will enable effective triage and coordination of business operations recovery.

Many organizations have complex internal and external interdependencies. Core business processes and applications in an organization are likely to be temporarily impacted during recovery efforts until trust within your environment is re-established. Microsoft recommends that Incident Responders establish secure communications with key organizational personnel as the first step toward organizational recovery. If your investigation indicates that the attacker has used techniques outside of identity compromise at lower levels of your organizations’ infrastructure, such as hardware or firmware attacks, you will need to address those threats to reduce the risk of re-compromise.

Response objectives in approximate order:

1. Establish secure communications for personnel key to the investigation and response effort.
2. Investigate the environment for persistence and initial access point, while establishing continuous monitoring operations during recovery efforts.
3. Regain and retain administrative control of your environment and remediate or block possible persistence techniques and initial access exploits.
4. Improve posture by enabling security features and capabilities following best practice recommendations.

We recommend that incident responders review and digest the entirety of this guidance before taking action, as the specific order of actions taken to achieve the response objectives is very situational and depends heavily on the results (and completeness) of investigation and the business constraints of the specific organization. The following sections describe the incident Response techniques we recommend you consider for each of the above objectives.

Establish secure communications and productivity

Successful response requires being able to communicate without the attacker eavesdropping on your communications. Until you have achieved assurance in the privacy of your communications on your current infrastructure, use completely isolated identities and communication resources to coordinate your response and discuss topics that could potentially tip off the attacker to your investigation. Until your investigation has achieved assurance in actor eviction, we strongly recommend that you keep all incident-related comms isolated to enable you to have the element of surprise when taking remediation actions.

• Initial one-on-one and group communications can be achieved through phone (PSTN) calling, conference bridges not connected to the corporate infrastructure, and end-to-end encrypted messaging solutions.
• One way that many customers have established secure productivity and collaboration is to create a new Office 365 tenant which is completely isolated from the organization’s production tenant and create accounts only for the key personnel needed, and any incident response vendors or partners who need to be part of the response.
  • Make sure to follow best practices for securing this tenant, especially administrative accounts and rights by default. The new tenant should be limited on Administrative rights along with no trusts with outside applications or vendors. If you need further assistance or want information on hardening Microsoft 365, you can review the guidance here.

Investigate your environment

Once your incident responders and key personnel have a secure place to collaborate, the next step is to investigate the suspected compromised environment. Successful investigation will be a balance between getting to the bottom of every anomalous behavior to fully scope the extent of attacker activity and persistence and taking action quickly to stop any further activity on objectives by the attacker. Successful remediation requires as complete an understanding of the initial method of entry and persistence mechanisms controlled by the attacker as possible. Any persistence mechanisms missed could result in continued access by the attacker and potential for re-compromise.

• Investigate and review cloud environment logs for suspicious actions and attacker IOCs, including:
  • Unified Audit Logs (UAL).
  • Azure Active Directory (Azure AD) logs.
  • Active Directory logs.
  • Exchange on-prem logs.
  • VPN logs.
  • Engineering systems logging.
  • Antivirus and endpoint detection logging.

• Review endpoint audit logs for changes from on-premises for actions including, but not limited to, the following:
  • Group membership changes.
  • New user account creation.
  • Delegations within Active Directory.
  • Along with other typical signs of compromise or activity.

• Review Administrative rights in your environments

  • Review privileged access in the cloud and remove any unnecessary permissions. Implement Privileged Identity Management (PIM); setup Conditional Access policies to limit administrative access during hardening.
  • Review privileged access on-premise and remove unnecessary permissions. Reduce membership of built-in groups, verify Active Directory delegations, harden Tier 0 environment, and limit who has access to Tier 0 assets.
  • Review all Enterprise Applications for delegated permissions and consent grants that allow (sample script to assist):
    • Modification of privileged users and roles.
    • Reading or accessing all mailboxes.
    • Sending or forwarding email on behalf of other users.
    • Accessing all OneDrive or SharePoint sites content.
    • Adding service principals that can read/write to the Directory.

  • Review access and configuration settings for the following Office 365 products:
    • SharePoint Online Sharing
    • Teams
    • PowerApps
    • OneDrive for Business

  • Review user accounts

    • Review and remove guest users that are no longer needed.
    • Review email configurations using Hawk or something similar.
      • Delegates
      • Mailbox folder permissions
      • ActiveSync mobile device registrations
      • Inbox Rules
      • Outlook on the Web Options

    • Validate that both MFA and self-service password reset (SSPR) contact information for all users is correct.

You may find that one or more of the logging sources above are data sources that the organization does not currently include in its security program. Some of them, especially the logging available in the cloud, are available only if configured and we recommend that you configure them as soon as possible to enable both the detections in the next section and forensics review of logs going forward. Make sure to configure your log retention to support your organization’s investigation goals going forward and retain evidence, if needed for legal, regulatory, or insurance purposes.

Establish continuous monitoring

There are many ways to detect activity associated with this campaign. Exactly how your organization will detect attacker behavior depends on which security tools you have available, or choose to deploy in response. Microsoft has provided examples publicly for some of the core security products and services that we offer and are continually updating those documents as new threat intelligence is identified related to this attacker. If you use other vendor’s products, review your vendor’s recommendations, and review the Microsoft documentation below to understand the detection techniques if you need to implement analogous detections in your environment on your own.

For readers using Azure Sentinel in their environments, review SolarWinds Post-Compromise Hunting guidance.

For readers using Microsoft Defender for Endpoint, review our guidance here, and review Microsoft Defender Antivirus guidance.

To Learn More go here