My information Resource (blog.mir.net)

Microsoft
is aware of a sophisticated attack that utilizes malicious SolarWinds software.
On December 17, 2020, Brad Smith posted a blog sharing the most up to date information
and detailed technical information for defenders.

As this is an ongoing investigation, Microsoft cybersecurity teams continue to
act as first responders to these attacks. We know that customers and partners
will have ongoing questions and Microsoft is committed to providing timely
updates as new information becomes available. We will make updates through our
Microsoft Security Response Center (MSRC) blog at https://aka.ms/solorigate.

There are a number of published resources to assist customers in securing their
environments:

•	We have published a blog outlining this dynamic threat landscape and the principles with which we are approaching the investigation.
•	We have published an anchor blog with technical details of the attack. This blog will be updated with new information as the investigation continues. Customers should look to this blog as the one stop for updates on the sophisticated attack.
•	Microsoft Defender antivirus and Microsoft Defender for Endpoint have released protections for the malicious SolarWinds software and other artifacts from the attack.
•	Microsoft Azure Sentinel has released guidance to help Azure Sentinel customers hunt in their environments for related activity we have observed with this sophisticated attack.
•	Microsoft 365 Defender and Microsoft Defender for Endpoint customers should review the Threat Analytics article within the Defender console (sign-in is required) for information about detection and potential impact to their environments.
•	For any Microsoft Threat Experts (MTE) customers, where we have observed suspicious activity in the customers’ environments, we have completed Targeted Account Notifications.
•	If a customer has any product support related needs, please continue to direct them to Microsoft Support (CSS) who remain the primary place for all customer support needs.
•	For Identity professionals and Microsoft 365 admin, we have published a blog with guidance on how to protect Microsoft 365 from on-premises attacks.

Microsoft Blog Posts

•	December 13 – Customer Guidance on Recent Nation-State Cyber Attacks – Microsoft Security Response Center
•	December 13 – Important steps for customers to protect themselves from recent nation-state cyberattacks
•	December 15 – Ensuring customers are protected from Solorigate
•	December 16 – SolarWinds Post-Compromise Hunting with Azure Sentinel – Microsoft Tech Community
•	December 17 – A moment of reckoning: the need for a strong and global cybersecurity response
•	December 18 – Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect – Microsoft Security
•	December 18 – Protecting Microsoft 365 from on-premises attacks

Advisories
& Additional Resources

•	If your customer has a specific question regarding FireEye, please refer them to the FireEye Advisory.
•	If your customer has a specific question regarding SolarWinds, please refer them to the SolarWinds Advisory.
•	The Cybersecurity and Infrastructure Security Agency (CISA) has published a set of information and guidance here. For individual country-specific guidance, customers and partners should refer to information from the appropriate law enforcement or other government entity in that jurisdiction.

 Browser extensions are usually useful, sometimes fun —  and occasionally dangerous.

That’s the case for at least 28 browser extensions analyzed by Avast Threat Intelligence researchers after the threat was identified by Czech researchers at CZ.NIC. The affected extensions contain malware and include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock, as well as additional browser extensions for Google Chrome and Microsoft Edge. According to the browser store download numbers, more than three million people may be affected worldwide.

Avast said it found code to:

• redirect user traffic to ads
• redirect user traffic to phishing sites
• collect personal data, such as birth dates, email addresses, and active devices
• collect browsing history
• download further malware onto a user’s device

“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular and then pushed an update containing the malware,” Avast researcher Jan Rubin says. “It could also be that the author sold the original extensions to someone else after creating them and then his client introduced the malware afterwards.”

The infected JavaScript-based extensions contain malicious code that makes it possible to download even more malware to a person’s computer. They also manipulate all links that the victims click on after downloading the extensions. For example, links in Google Search leads users to other, seemingly random, sites. This includes phishing sites and ads. 

“We believe that these domains are not owned by the cybercriminals, but that the owners of these domains pay the cybercriminals for every redirection,” Rubin says.

Clicking on the links also causes the extensions to send information to the attacker’s control server, creating a log of all of their clicks. That log is then sent to third-party websites and can be used to collect personal information about the user, including birth date, email addresses, device information, first sign in time, last login time, name of their device, operating system, browser used and version, and IP address.

The Avast Threat Intelligence team started monitoring this threat in November 2020, but believe that it could have been active for years without anyone noticing. In fact, there are reviews on the Chrome Web Store mentioning link hijacking from as far back as December 2018. That means it’s possible this has been infecting people’s devices for much longer than researchers have been aware of the threat.

At the time of publishing, the infected extensions are still available for download. If you suspect you might have downloaded one, Avast researchers recommend disabling and uninstalling them immediately and then scan for and remove malware. They have also reported the issue to Microsoft and Google, who are  into it.

Below is the list of Chrome extensions that Avast said it found to contain malicious code:

• Direct Message for Instagram
• DM for Instagram
• Invisible mode for Instagram Direct Message
• Downloader for Instagram
• App Phone for Instagram
• Stories for Instagram
• Universal Video Downloader
• Video Downloader for FaceBook™
• Vimeo™ Video Downloader
• Zoomer for Instagram and FaceBook
• VK UnBlock. Works fast.
• Odnoklassniki UnBlock. Works quickly.
• Upload photo to Instagram™
• Spotify Music Downloader
• The New York Times News

Below is the list of Edge extensions that Avast said it found to contain malicious code:

• Direct Message for Instagram™
• Instagram Download Video & Image
• App Phone for Instagram
• Universal Video Downloader
• Video Downloader for FaceBook™
• Vimeo™ Video Downloader
• Volume Controller
• Stories for Instagram
• Upload photo to Instagram™
• Pretty Kitty, The Cat Pet
• Video Downloader for YouTube
• SoundCloud Music Downloader
• Instagram App with Direct Message DM

Source: Malicious Browser Extensions | Avast

 

Intended
audience:  CNAs (CVE Numbering Authorities), Authorized Data Publishers]

NIST
announces the publication of NISTIR
8246, Collaborative
Vulnerability Metadata Acceptance Process (CVMAP) for CVE Numbering Authorities
(CNAs) and Authorized Data Publishers.

The
number of Common Vulnerabilities and Exposures identifiers (CVE IDs) created
year over year has rapidly increased, and this trend is expected to continue
indefinitely. Currently, a National
Vulnerability Database (NVD) analyst manually reviews each CVE
and attaches multiple forms of CVE metadata used by downstream consumers to
prioritize and assist automated vulnerability scanning tools. This is a
manually intensive process, and in many cases, this metadata is provided by the
source, or CNA (CVE Numbering Authority), of the CVE with no policies or
procedures in place to validate and accept the information.

This
NISTIR leverages the technical knowledge provided by the CNAs and the
application of consistent CVE metadata provided by NVD analysts through the
formalization of a CVE entry metadata submission process. This allows for more
efficient integration of the CNAs’ efforts into the NVD analyst workflow, which
directly benefits downstream users and improves the security of our national IT
infrastructure.

Publication
details:
https://csrc.nist.gov/publications/detail/nistir/8246/final

National
Vulnerability Database (NVD):
https://nvd.nist.gov/

 If you trust Google, and trust Chrome, the Chrome web store is a trusted place to look for extensions. Some are extremely useful, some are capable of blocking-ads, some make the browser look like a game, and some have a little more than expected. Over 80 million Chrome users installed one of 295 Chrome extensions that hijack and insert ads in to Google and Bing search results. AdGuard, an ad-blocking company, uncovered many of these extensions on the Chrome Web Store. The malicious browser extensions were divided into 3 groups:

·     Extensions that load what appears to be an analytics script which transforms based on cookies to allow it to add an obfuscated script into each freshly opened tab. This new script checks the page and loads an image that has ads ‘coded in’ if it’s a Bing or Google search results page. Most of the discoveries were of this group and consisted of background extensions.

·   Extensions that utilize ‘cookie stuffing’ and ‘ad fraud’ where it generates “affiliate” cookies, which makes revenue for site owners, despite not visiting the site. Only 6 were discovered but with 1,650,000 total users.

·    Extensions that are spam but could be malicious in the future. Although AdGuard did not disclose how many existed, the top 5 has 10 million users combined. These can share a similar name with a valid extension or perform a legitimate function, but the potential malice exists in the  ‘Google Tag Manager’ code. The Google Tag Manager account owner can change the ‘tag’ to upload new potentially malicious code.

The biggest problem here is not that they were created, but that they persist. Google tried to put in strict review guidelines to help secure extensions, but they just frustrate legitimate developers who suffer through complicated review processes without limiting malware. Last year, Google included Chrome extensions into their bug bounty program. The blog writers at AdGuard believe “Google fails with managing Chrome Web Store and keeping it safe.” They do acknowledge “Google did do one thing right — they introduced a position of Chrome Extensions Developer Advocate.” But if the malicious extensions aren’t violating Chrome extension policies (and understand that remote code is allowed, meaning extensions can change their behavior at any time and be within policy) they will be difficult to remove. Until Google fixes these issues, what can you do to protect yourself? The blog authors offered the following suggestions:

· Consider if a browser extension is the only way to achieve a goal.

· Install extensions only from the developers you trust.

· Don’t believe what you read in the extension’s description.

· Users reviews won’t help. It can have excellent reviews & still be malicious.

· Don’t use the Chrome Web Store internal search, follow the links on the trusted developers’ website directly.

Sources:

· https://www.zdnet.com/article/cluster-of-295-chrome-extensions-caught-hijacking-google-and-bing-search-results/

· https://adguard.com/en/blog/fake-ad-blockers-part-3.html

 

 

Attacks on specific chips or chipsets usually have wide reaching implications. Devices tend to use off the shelf chips inside rather than develop their own for a number of reasons. For Android phones the most popular processor chip family is the Qualcomm Snapdragon family of system on a chip (SoC). The Snapdragon is used in phones made by Samsung, Google, LG, and Xiaomi, to name a few. Recently at the DEFCON Safe Mode security conference, researchers from Check Point security revealed 6 critical flaws in the popular Snapdragon SoC that open nearly 40% of smartphones to attack.

Snapdragon is a SoC, meaning it contains various embedded components instead of just being a traditional processor with a single task. One component it embeds is the digital signal processor (DSP), which is responsible for turning data from various sensors into digital data that the operating system can work with. The DSP is where the researchers focused their efforts after discovering a software development kit (SDK) for the component was available. The SDK is available for legitimate software to utilize when it requires functionality that the DSP provides. The researchers instead were able to use it to get a clearer understanding of how to interface with the DSP, which normally operates like a black box to external software.

The researchers were able to develop their own instructions for the DSP that would allow them to do things like start a persistent DoS attack only fixable via a complete factory reset. They were also able to demonstrate a privilege escalation attack on the system, allowing them to completely take over the handset. Once the system is compromised in this manner further malware would be able to completely hide its activity and become un-removable. In order to perform these attacks, the researchers say that a user needs to be tricked into running a malicious executable. This might not be too difficult as the code can be embedded into legitimate looking apps. Normal phone virus scanners won’t detect the presence of malicious code because they don’t scan the SDK instruction sets.

Qualcomm was notified about the vulnerabilities between February and March of this year according to the researchers. Patches to the vulnerable components were developed in July but do not appear to have been pushed to handsets yet. Users of the affected devices should watch for future updates to ensure that their devices do not remain vulnerable to the attacks.

Sources

Qualcomm Bugs Open 40 Percent of Android Handsets to Attack | Threatpost

 

 Title: Cyberattacks targeting health care must stop

URL: https://www.microsoft.com/security/blog/2020/11/18/cyberattacks-targeting-health-care-must-stop/
Overview: In recent months, we’ve detected cyberattacks from three nation-state
actors targeting seven prominent companies directly involved in researching
vaccines and treatments for COVID-19. The targets include leading
pharmaceutical companies and vaccine researchers in Canada, France, India,
South Korea, and the United States. The attacks came from Strontium, an actor
originating from Russia, and two actors…

Title: Hunt across cloud app activities with Microsoft 365 Defender
advanced hunting
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857
Overview: We’re thrilled to share that the new CloudAppEvents table
is now available as a public preview in advanced hunting for Microsoft 365
Defender.

Title: Using the VirusTotal V3 API with MSTICPy and Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-virustotal-v3-api-with-msticpy-and-azure-sentinel/ba-p/1893121
Overview: MSTICPy, our CyberSec toolset for Jupyter notebooks, has supported
VirusTotal lookups since the very earliest days (the earliest days being only
around two years ago!). We recently had a contribution to MSTICPy from Andres
Ramirez and Juan Infantes at VirusTotal (VT), which provides a new Python
module to access the recently-released version 3 of their API.

Title: Modernize secure access for your on-premises resources with Zero
Trust
URL: https://www.microsoft.com/security/blog/2020/11/19/modernize-secure-access-for-your-on-premises-resources-with-zero-trust/
Overview: Change came quickly in 2020. More likely than not, a big chunk of
your workforce has been forced into remote access. And with remote work came an
explosion of bring-your-own-device (BYOD) scenarios, requiring your
organization to extend the bounds of your network to include the entire
internet (and the added security risks that come with…

Title: Upcoming Changes to Microsoft Information Protection Metadata
Storage
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/upcoming-changes-to-microsoft-information-protection-metadata/ba-p/1904418
Overview: In Microsoft Information Protection (MIP) SDK version 1.7, changes
were made to support a new label metadata storage location for Office files –
Word, Excel, and PowerPoint. For your applications and services to continue
reading and writing MIP sensitivity labels for Office file types, it’s critical
that you update to MIP SDK version 1.7. Applications running older versions
will not be capable of reading the updated metadata format.

Title: Enriching DDoS Protection Alerts with Logic Apps
URL: https://techcommunity.microsoft.com/t5/azure-network-security/enriching-ddos-protection-alerts-with-logic-apps/ba-p/1928000
Overview: This post will detail how to create enriched DDoS Protection alerts
that will provide the information needed to triage and respond.

Title: IoT security: how Microsoft protects Azure Datacenters
URL: https://www.microsoft.com/security/blog/2020/11/23/iot-security-how-microsoft-protects-azure-datacenters/
Overview: Azure Sphere first entered the IoT Security market in 2018 with a
clear mission—to empower every organization on the planet to connect and create
secure and trustworthy IoT devices. Security is the foundation for durable
innovation and business resilience. Every industry investing in IoT must
consider the vulnerabilities of the cyberthreat landscape. For our customers,…

Title: Go inside the new Azure Defender for IoT including CyberX

URL: https://www.microsoft.com/security/blog/2020/11/25/go-inside-the-new-azure-defender-for-iot-including-cyberx/
Overview: In 2020, the move toward digital transformation and Industry 4.0 took
on new urgency with manufacturing and other critical infrastructure sectors
under pressure to increase operational efficiency and reduce costs. But the
cybersecurity model for operational technology (OT) was already shown to be
lacking before the pandemic. A series of major cyberattacks across industries
served… 

Title: Zerologon is now detected by Microsoft Defender for Identity
URL: https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/
Overview: There has been a huge focus on the recently patched CVE-2020-1472
Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While
Microsoft strongly recommends that you deploy the latest security updates to
your servers and devices, we also want to provide you with the best detection
coverage possible for your domain controllers. Microsoft Defender for…

Title: What’s New: Azure Sentinel Logic Apps Connector improvements and
new capabilities
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-logic-apps-connector-improvements-and/ba-p/1888416
Overview: Azure Sentinel Logic Apps connector is the bridge between Sentinel
and Playbooks, serving as the basis of incident automation scenarios. As we
prepare for new Incident Trigger capabilities (coming soon), we have made some
improvements to bring the most updated experience to playbooks users.

Title: Deploying DDoS Protection Standard with Azure Policy
URL: https://techcommunity.microsoft.com/t5/azure-network-security/deploying-ddos-protection-standard-with-azure-policy/ba-p/1942133
Overview: One of the most important questions customers ask when deploying
Azure DDoS Protection Standard for the first time is how to manage the
deployment at scale. A DDoS Protection Plan represents an investment in
protecting the availability of resources, and this investment must be applied
intentionally across an Azure environment.

Title: Threat actor leverages coin miner techniques to stay under the
radar – here’s how to spot them
URL: https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/
Overview: BISMUTH, which has been running increasingly complex cyberespionage
attacks as early as 2012, deployed Monero coin miners in campaigns from July to
August 2020. The group’s use of coin miners was unexpected, but it was
consistent with their longtime methods of blending in.

The Cybersecurity and
Infrastructure Security Agency (CISA) is aware of active exploitation of a
vulnerability in SolarWinds Orion Platform software versions 2019.4 through
2020.2.1, which was released between March 2020 through June 2020.

In response CISA has published an urgent Current Activity Alert “Active Exploitation of SolarWinds
Software“ which can be found at:

https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
and Emergency Directive 21-01, “Mitigate
SolarWinds Orion Code Compromise,” directed at Federal
Civilian Agencies, further emphasizing the urgency of this 

Alert: https://cyber.dhs.gov/ed/21-01/

CISA encourages affected organizations to read the SolarWinds and
FireEye advisories for more information and FireEye’s GitHub
page for detection countermeasures:

SolarWinds Security Advisory

• FireEye
  Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to
  Compromise Multiple Global Victims With SUNBURST Backdoor
• FireEye
  GitHub page: Sunburst Countermeasures

We kindly request any
questions, feedback, or related incidents related to this product be reported
to CISA at [email protected] or
888-282-0870.

 Defining IoT Cybersecurity Requirements: Draft
Guidance for Federal Agencies and IoT Device Manufacturers (SP 800-213, NISTIRs
8259B/C/D)

An
incredible variety and volume of Internet of Things (IoT) devices are being
produced. IoT devices are ever more frequently becoming integral elements of
federal information systems. The NIST Cybersecurity for
IoT Team is releasing public drafts of four documents providing
guidance for federal agencies and IoT device manufacturers on defining IoT
cybersecurity requirements, including supporting non-technical requirements, so
that federal organizations can procure and integrate IoT securely and continue
to meet their FISMA obligations. These four new documents expand the range of
guidance for IoT cybersecurity. The initial foundation documents in this series
are:

• NISTIR 8259,
  Foundational
  Cybersecurity Activities for IoT Device Manufacturers
• NISTIR 8259A,
  IoT Device Cybersecurity
  Capability Core Baseline

The
new 800-series Special Publication (SP) and the three new documents in the
NISTIR 8259 series that are being released as drafts for comment provide
guidance to federal agencies and IoT device manufacturers, complementing the
guidance in the initial foundational documents:

• Draft NIST SP 800-213, IoT Device Cybersecurity
  Guidance for the Federal Government: Establishing IoT Device Cybersecurity
  Requirements, has background and recommendations to
  help federal agencies consider how an IoT device they plan to acquire can
  integrate into a federal information system. IoT devices and their support
  for security controls are presented in the context of organizational and
  system risk management. SP 800-213 provides guidance on considering system
  security from the device perspective. This allows for the identification
  of IoT device cybersecurity requirements—the abilities and actions a
  federal agency will expect from an IoT device and its manufacturer and/or
  third parties, respectively.
• Draft NISTIR
  8259B, IoT Non-Technical Supporting Capability Core Baseline, complements the NISTIR 8259A device cybersecurity
  core baseline by detailing additional, non-technical supporting activities
  typically needed from manufacturers and/or associated third parties. This
  non-technical baseline collects and makes explicit supporting capabilities
  like documentation, training, customer feedback, etc.
• Draft NISTIR 8259C, Creating a Profile Using the
  IoT Core Baseline and Non-Technical Baseline,
  describes a process, usable by any organization, that starts with the core
  baselines provided in NISTIRs 8259A and 8259B and explains how to
  integrate those baselines with organization- or application-specific
  requirements (e.g., industry standards, regulatory guidance) to develop a
  IoT cybersecurity profile suitable for specific IoT device customers or
  applications. The process in NISTIR 8259C guides organizations needing to
  define a more detailed set of capabilities responding to the concerns of a
  specific sector, based on some authoritative source such as a standard or
  other guidance, and could be used by organizations seeking to procure IoT
  technology or by manufacturers looking to match their products to customer
  requirements.
• Draft NISTIR 8259D, Profile Using the IoT Core
  Baseline and Non-Technical Baseline for the Federal Government,
  provides a worked example result of applying the NISTIR 8259C process,
  focused on the federal government customer space, where the requirements
  of the FISMA process and the SP 800-53 security and privacy controls
  catalog are the essential guidance. NISTIR 8259D provides a
  device-centric, cybersecurity-oriented profile of the NISTIR 8259A and
  8259B core baselines, calibrated against the FISMA low baseline described
  in NIST SP 800-53B as an example of the criteria for minimal securability
  for federal use cases.

NIST
appreciates all comments, concerns and identification of areas needing
clarification. Ongoing discussion with the stakeholder community is welcome as
we work to improve the cybersecurity of IoT devices. Community input is specifically sought
regarding the mapping of specific reference document content to the items in
Table 1 of NISTIR 8259B and Tables 1 and 2 of NISTIR 9258D, to populate the
fourth column, “IoT Reference Examples” column. Table 1 in NISTIR 8259A can be
used as a model for these informative reference mappings.

A public comment period for these documents is open through
February 12, 2021. See the publications’ details (linked above)
for copies of the drafts and instructions for submitting comments.

Comments,
questions, and other concerns should be sent to [email protected].

NOTE:
A call for patent claims is included in each document.  For
additional information, see the Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications. 

Publication
details:

Draft
SP 800-213, https://csrc.nist.gov/publications/detail/sp/800-213/draft

Draft
NISTIR 8259B, https://csrc.nist.gov/publications/detail/nistir/8259b/draft

Draft
NISTIR 8259C, https://csrc.nist.gov/publications/detail/nistir/8259c/draft

Draft
NISTIR 8259D, https://csrc.nist.gov/publications/detail/nistir/8259d/draft

NISTIR
8259, https://csrc.nist.gov/publications/detail/nistir/8259/final

NISTIR
8259A, https://csrc.nist.gov/publications/detail/nistir/8259a/final

 

NIST
Cybersecurity for IoT Program:
https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program

ITL
Patent Policy:
https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications

Title: Microsoft Information Protection and Microsoft Azure Purview:
Better Together

URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-information-protection-and-microsoft-azure-purview/ba-p/1957481
Overview: Data is growing exponentially. Organizations are under pressure to
turn that data into insights, while also meeting regulatory compliance
requirements. But to truly get the insights you need – while keeping up with
compliance requirements like the General Data Protection Requirement (GDPR) –
you need to know what data you have, where it resides, and how to govern it.
For most organizations, this creates arduous ongoing challenges. 

Title: Deliver productive and seamless users experiences with Azure
Active Directory
URL: https://www.microsoft.com/security/blog/2020/12/07/deliver-productive-and-seamless-users-experiences-with-azure-active-directory/
Overview: Learn how identity has become the new security perimeter and how an
identity-based framework reduces risk and improves productivity.

Title: Microsoft Defender for Endpoint on iOS is generally available
URL: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-on-ios-is-generally-available/ba-p/1962420
Overview: Today, we’re excited to announce that Microsoft has reached a new
milestone in our cross-platform security commitment with the general
availability of our iOS offering for Microsoft Defender for Endpoint, which
adds to the already existing Defender offerings on macOS, Linux, and Android.

Title: What’s New: 80 out of the box hunting queries!
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-80-out-of-the-box-hunting-queries/ba-p/1892067
Overview: Threat hunting is a powerful way for the SOC to reduce organizational
risk, but it’s commonly portrayed and seen as a complex and mysterious art form
for deep experts only, which can be counterproductive. Sophisticated
cybercriminals burrow their way into network caverns, avoiding detection for
weeks or even months, as they gather information and escalate privileges. If
you wait until these advanced persistent threats (APT) become visible, it can
be costly and time-consuming to address. In today’s cybersecurity landscape, SOC
analysts need controls and integrated toolsets to search, filter, and pivot
through their telemetry to derive relevant insights faster. 

Title: Digital Defense integrates with Microsoft to detect attacks missed
by traditional endpoint security
URL: https://www.microsoft.com/security/blog/2020/12/08/digital-defense-integrates-with-microsoft-to-detect-attacks-missed-by-traditional-endpoint-security/
Overview: Cybercriminals have ramped up their initial compromises through
phishing and pharming attacks using a variety of tools and tactics that, while
numerous, are simple and can often go undetected.

Title: How to setup a Canarytoken and receive incident alerts on Azure
Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-setup-a-canarytoken-and-receive-incident-alerts-on-azure/ba-p/1964076
Overview: With Azure Sentinel you can receive all sorts of security telemetry,
events, alerts, and incidents from many different and unique sources. Those
sources can be firewall logs, security events, audit logs from identity and cloud
platforms. In addition, you can create digital trip wires and send that data to
Azure Sentinel. Ross Bevington first explained this concept for Azure Sentinel
in “Creating
digital tripwires with custom threat intelligence feeds for Azure Sentinel”.
Today you can walkthrough and expand your threat detection capabilities in
Azure Sentinel using Honey Tokens or in this case Canarytokens.

Title: Bring threat intelligence from Sixgill using TAXII Data Connector
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/bring-threat-intelligence-from-sixgill-using-taxii-data/ba-p/1965440
Overview: As discussed in the blog Bring your threat intelligence to Azure Sentinel, Azure
Sentinel provides various ways to import threat intelligence into the ThreatIntelligenceIndicator
log analytics table from where it can be used in various parts of the product
like hunting, investigation, analytics, workbooks etc.

 Microsoft latest security blogs, including some with more information
about recent attacks.

Title: Announcing EDR in block mode general availability
URL: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-edr-in-block-mode-general-availability/ba-p/1972064
Overview: We’re very excited to announce today that endpoint detection and
response (EDR) in block mode is generally available.

Title: EDR in block mode stops IcedID cold
URL: https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/
Overview: Endpoint detection and response (EDR) in block mode in Microsoft
Defender for Endpoint turns EDR detections into real-time blocking of threats.
Learn how it stopped an IcedID attack.

Title: Building a Zero Trust business plan
URL: https://www.microsoft.com/security/blog/2020/12/09/building-a-zero-trust-business-plan/
Overview: These past six months have been a remarkable time of transformation
for many IT organizations. With the forced shift to remote work, IT
professionals have had to act quickly to ensure people continue working
productively from home—in some cases bringing entire organizations online over
a weekend. While most started by scaling existing approaches, many
organizations…

Title: Widespread malware campaign seeks to silently inject ads into
search results, affects multiple browsers
URL: https://www.microsoft.com/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/
Overview: A persistent malware campaign has been actively distributing Adrozek,
an evolved browser modifier malware at scale since at least May 2020. At its
peak in August, the threat was observed on over 30,000 devices every day. The
malware is designed to inject ads into search engine results pages and affects
multiple browsers.

Title: New cloud-native breadth threat protection capabilities in Azure
Defender
URL: https://www.microsoft.com/security/blog/2020/12/10/new-cloud-native-breadth-threat-protection-capabilities-in-azure-defender/
Overview: As the world adapts to working remotely, the threat landscape is
constantly evolving, and security teams struggle to protect workloads with
multiple solutions that are often not well integrated nor comprehensive enough.
This results in serious threats avoiding detection, as well as security teams
suffering from alert fatigue. Azure Defender helps security professionals with
an…

Title: Additional email data in advanced hunting
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/additional-email-data-in-advanced-hunting/ba-p/1985849
Overview: We’re thrilled to share new enhancements to the advanced hunting data
for Office 365 in Microsoft 365 Defender. Following your feedback we’ve added
new columns and optimized existing columns to provide more email attributes you
can hunt across. These additions are now available in public preview.

Title: Siemens USA CISO: 3 essentials to look for in a cloud provider
URL: https://www.microsoft.com/security/blog/2020/12/14/siemens-usa-ciso-3-essentials-to-look-for-in-a-cloud-provider/
Overview: Learn why Kurt John of Siemens USA sees continued migration to the
cloud as inevitable across industries.

Title: Ensuring customers are protected from Solorigate
URL: https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/
Overview: Microsoft is monitoring a dynamic threat environment surrounding the
discovery of a sophisticated attack that included compromised binaries from a
legitimate software. These binaries, which are related to the SolarWinds Orion
Platform, could be used by attackers to remotely access devices. On Sunday, December
13, Microsoft released detections that alerted customers to the presence of…