Posted on Leave a comment

Ransomware response — to pay or not to pay

The increased connectivity of computers and the growth of Bring Your Own Device (BYOD) in most organizations is making the distribution of malicious software (malware) easier. Unlike other types of malicious programs that may usually go undetected for a longer period, a ransomware attack is usually experienced immediately, and its impact on information technology infrastructure is often irreversible.

As part of Microsoft’s Detection and Response Team (DART) Incident Response engagements, we regularly get asked by customers about “paying the ransom” following a ransomware attack. Unfortunately, this situation often leaves most customers with limited options, depending on the business continuity and disaster recovery plans they have in place.

The two most common options are either to pay the ransom (with the hopes that the decryption key obtained from the malicious actors works as advertised) or switch gears to a disaster recovery mode, restoring systems to a known good state.

The unfortunate truth about most organizations is that they are often only left with the only option of paying the ransom, as the option to rebuild is taken off the table by lack of known good backups or because the ransomware also encrypted the known good backups. Moreover, a growing list of municipalities around the U.S. has seen their critical infrastructure, as well as their backups, targeted by ransomware, a move by threat actors to better guarantee a payday.

We never encourage a ransomware victim to pay any form of ransom demand. Paying a ransom is often expensive, dangerous, and only refuels the attackers’ capacity to continue their operations; bottom line, this equates to a proverbial pat on the back for the attackers. The most important thing to note is that paying cybercriminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored.

So, what options do we recommend? The fact remains that every organization should treat a cybersecurity incident as a matter of when it will happen and not whether it will happen. Having this mindset helps an organization react quickly and effectively to such incidents when they happen. Two major industry standard frameworks, the Sysadmin, Audit, Network, and Security (SANS) and the National Institute of Standards and Technology (NIST), both have published similar concepts on responding to malware and cybersecurity incidents. The bottom line is that every organization needs to be able to plan, prepare, respond, and recover when faced with a ransomware attack.

Outlined below are steps designed to help organizations better plan and prepare to respond to ransomware and major cyber incidents.

How to plan and prepare to respond to ransomware

1. Use an effective email filtering solution

According to the Microsoft Security Intelligence Report Volume 24 of 2018, spam and phishing emails are still the most common delivery method for ransomware infections. To effectively stop ransomware at its entry point, every organization needs to adopt an email security service that ensures all email content and headers entering and leaving the organization are scanned for spam, viruses, and other advanced malware threats. By adopting an enterprise-grade email protection solution, most cybersecurity threats against an organization will be blocked at ingress and egress.

2. Regular hardware and software systems patching and effective vulnerability management

Many organizations are still failing to adopt one of the age-old cybersecurity recommendations and important defenses against cybersecurity attacks—applying security updates and patches as soon as the software vendors release them. A prominent example of this failure was the WannaCry ransomware events in 2017, one of the largest global cybersecurity attacks in the history of the internet, which used a leaked vulnerability in Windows networking Server Message Block (SMB) protocol, for which Microsoft had released a patch nearly two months before the first publicized incident. Regular patching and an effective vulnerability management program are important measures to defend against ransomware and other forms of malware and are steps in the right direction to ensure every organization does not become a victim of ransomware.

3. Use up-to-date antivirus and an endpoint detection and response (EDR) solution

While owning an antivirus solution alone does not ensure adequate protection against viruses and other advanced computer threats, it’s very important to ensure antivirus solutions are kept up to date with their software vendors. Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up by releasing daily updates to their antivirus database engines. Complementary to owning and updating an antivirus solution is the use of EDR solutions that collect and store large volumes of data from endpoints and provide real-time host-based, file-level monitoring and visibility to systems. The data sets and alerts generated by this solution can help to stop advanced threats and are often leveraged for responding to security incidents.

4. Separate administrative and privileged credentials from standard credentials

Working as a cybersecurity consultant, one of the first recommendations I usually provide to customers is to separate their system administrative accounts from their standard user accounts and to ensure those administrative accounts are not useable across multiple systems. Separating these privileged accounts not only enforces proper access control but also ensures that a compromise of a single account doesn’t lead to the compromise of the entire IT infrastructure. Additionally, using Multi-Factor Authentication (MFA), Privileged Identity Management (PIM), and Privileged Access Management (PAM) solutions are ways to effectively combat privileged account abuse and a strategic way of reducing the credential attack surface.

5. Implement an effective application whitelisting program

It’s very important as part of a ransomware prevention strategy to restrict the applications that can run within an IT infrastructure. Application whitelisting ensures only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective.

6. Regularly back up critical systems and files

The ability to recover to a known good state is the most critical strategy of any information security incident plan, especially ransomware. Therefore, to ensure the success of this process, an organization must validate that all its critical systems, applications, and files are regularly backed up and that those backups are regularly tested to ensure they are recoverable. Ransomware is known to encrypt or destroy any file it comes across, and it can often make them unrecoverable; consequently, it’s of utmost importance that all impacted files can be easily recovered from a good backup stored at a secondary location not impacted by the ransomware attack.

Learn more and keep updated

Learn more about how DART helps customers respond to compromises and become cyber-resilient. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Posted on Leave a comment

Facing ransomware demands, one company had an unusual response

“What would you get from paying a ransom in such an attack?” Gimnes Are asks. “You will potentially get back your encrypted data – if the attacker gives you the key. Paying the ransom would not help you to rebuild the company infrastructure, all the servers, all the PCs, all the networks.

“Paying the ransom will not help you out of the situation. You will need to rebuild your infrastructure to be safe and be sure that the attacker is not still part of it,” he adds.

At Microsoft, Eric Doerr serves as general manager of the Microsoft Security Response Center, which protects customers from being harmed by security vulnerabilities in Microsoft’s products and services. The center also rapidly repulses attacks against the Microsoft Cloud. Doerr strongly promotes transparency among organizations that suffer cyberattacks.

“Norsk Hydro set the example for the industry in this incident,” Doerr says.

“Choosing not to pay the ransom and digging in with DART to evict the attacker is great. Sharing those learnings with the world is priceless. When companies do this, it makes us all better and makes the attackers work harder,” he adds.

Of course, some companies facing a ransomware attack may be highly tempted to pay bad actors to regain their hijacked data. But paying hackers doesn’t guarantee that a company will ever recover the goods, says Ann Johnson, Microsoft’s corporate vice president of cybersecurity solutions.

There’s a smarter way – following the plan executed by Norsk Hydro, says Johnson, whose team oversees DART.

“Your data is a strategic asset for you, and for cybercriminals. That’s why they want it. It is also why your data must be protected, and it should be backed up,” Johnson says.

At the same time, companies must invest in cybersecurity, she adds.

At Norsk Hydro, for example, the IT department works to increase security awareness among its employees, says Molland, the media relations SVP. That includes sending workers test emails to help train them to look for common phishing tactics like fake login pages and malicious attachments.

If companies fail to commit to cybersecurity, Johnson warns, bad actors will become repeat customers.

“You’ve likely seen signs that read, ‘Don’t feed the birds,’ when dining at an outdoor café. That’s because the birds will keep returning to the same places where they know it’s easy to be fed. It’s the same concept for cybercriminals,” Johnson says. “They know if you have weak cyber-defenses, and they will want to exploit those weaknesses over-and-over.

“The best defense is to ensure you have the right combination of people, processes and technology. We recommend you implement multifactor authentication, have a mature update process, and back up your data,” she adds.

Two Norsk Hydro workers work their way through the cyberattack using paper data.
At a Norsk Hydro extrusion plant in Norway, sales project manager Rune Johansen and extrusion anodizing fabrication manager Sten Stolpe dig through paper documentation to manually complete customer orders during the cyberattack.

In Hungary and Norway last March, DART members helped Norsk Hydro develop safe processes to restore their servers with an improved security posture. They also educated the company about the current threat landscape and known attacker behaviors to help reduce the risk of future attacks, Moeller says.

Inside Norsk Hydro, the internal response focused on multiple fronts. They launched old-school methods to resume full production and repair business operations. And they worked to protect the safety of employees and the environment.

“We operate heavy machinery. If the power is lost in an uncontrolled manner, it could risk severe safety incidents for people,” says Molland, the media relations SVP.

“Safety is always first priority with us. Secondly, it’s the concern for the environment and ensuring we don’t have any uncontrolled emissions (due to sudden machine stoppages) out to the air, land or water.”

Executives handwrote signs warning of the cyberattack, photographed them with their smart phones and texted the images to managers at Norsk Hydro plants and offices around the world. At those facilities, the staff used local printing shops to create paper signs, posting them on entryways, stairwells and elevators for employees to read as they arrived for the workday.

“Please do not connect any devices to the Hydro network. Do not turn on any devices connected to the Hydro network. Please disconnect devices from the Hydro network,” read some written alerts that also carried a simple signature: “Security.”

Two Norsk Hydro workers use pen and paper to restore production amid the cyberattack.
Two workers at a Norsk Hydro plant in Portland, Oregon manually operate machines to produce specific customer orders during the initial phase of the cyberattack.

The entire workforce did their jobs with pen and paper during the attack’s first days. Some plants switched to manual procedures to meet manufacturing orders. Retired employees – familiar with the old paper system – volunteered to return to their plants to keep production rolling.

“The way we pulled together to make the company come through the situation in one piece and get back into production has been an extreme team-building session,” Molland says.

“We have an organized emergency preparedness methodology within the company – in the corporate level, in the business area and at the plant level,” he adds. “That worked to our benefit. When this hit us, we were able to handle the situation in a constructive, organized manner.”

In other words, prevention is important but locking out all cyberattackers should not be a company’s sole security focus, says Jo De Vliegher, Norsk Hydro’s chief information officer.

“If hackers want to get in, they will get in,” De Vliegher says. “We now have an improved incident response to make sure that – should something similar happen – we are much better equipped to limit the damage in time and geography.”

Norsk Hydro reported the incident to Norway’s National Criminal Investigation Service (Kripos). The case remains under investigation, Molland says.

Video and photos courtesy of Norsk Hydro. 

Posted on Leave a comment

How we help protect small and medium businesses — the most often attacked on earth

There are 79 million businesses worldwide who meet the “small or medium business” (SMB) definition of having 300 or fewer employees, and those businesses represent 95 percent of all the companies on earth—which amounts to a staggering 63 percent of the world’s workforce. As gigantic as those figures might be, they’re belied by other numbers that cast a shadow across worldwide employment: Last year, 55 percent of SMBs weathered cyberattacks, 52 percent of these breaches were caused by human error, and, in a quarter of these cases, sensitive customer data was breached. The average cyberattack will cost an SMB U.S. $190,000 and, after a ransomware attack, only one-third of SMBs can remain profitable.

This year, these numbers will only increase because 90 percent of SMBs do not currently have any data protection.

In an era where nearly every company is, in some regard, a technology company, the upcoming end of support for Windows 7 on January 14, 2020 only adds to the pressure on these businesses.

We considered our responsibility to this community

During my keynote at Microsoft Ignite, I spoke at length about the challenges associated with app compatibility, and I shared how Microsoft has taken on a responsibility for compatibility. The reasoning behind this is simple: Among other reasons, when more organizations are operating modern infrastructures, it’s much simpler to keep attacks from spreading throughout the world. Similarly, as my team looked at the needs of the SMB community, we considered our responsibility to their security posture. After some analysis, we discovered a way to help them that didn’t exist within the enterprise offering of Microsoft 365 (a product we had fine-tuned to the needs of large companies).

The answer was Microsoft 365 Business, and I believe it offers SMBs the best possible opportunity to be secure and productive at the lowest possible cost. Microsoft 365 Business offers the same security tools used by many banks, governments, and multi-national corporations, as well as the very same productivity tools in Office 365.

Recently, we’ve undertaken an effort to think and talk about this topic differently.

While many SMBs don’t have the resources to hire a Chief Security Officer (CSO) of their own, I think this community can use Microsoft 365 Business like a CSO. I encourage you to spend a few minutes at YourNewCSO to learn how to use these resources right away. No matter where you are on your security journey, the site and these eight quick (and funny?) videos will show you steps to better secure your business.

Our data clearly demonstrates that combining security with a huge boost in productivity is the type of innovation that will set an SMB apart in a competitive environment. A recent study of two customers by Qualtrics found that employees using modern tools were 50 percent more likely to say they could better serve their customers, and they were 121 percent more likely to feel valued by their company—a sentiment that is directly tied to improved productivity, loyalty, and a positive organizational culture.

Fully use what you already have

Rather than simply try to sell something throughout this post, I’d like to point out some ways SMBs who already own Office 365 can improve their security without spending any additional money. Included below are seven steps to improve your security at no extra cost—you can also read how to do it or watch this quick overview.

  1. Check your Microsoft Secure Score.
  2. Set up Multi-Factor Authentication (MFA). Setting up MFA will prevent 99 percent of identity attacks.
  3. Use the built-in mobile application management tools in Office 365.
  4. Set up a separate account for performing administrative tasks.
  5. Use an antivirus solution that leverages the cloud to protect from the latest threats. Office 365 Advanced Threat Protection (ATP) is included in your Office 365 subscription and can do this for you. Microsoft Defender ATP also provides some great out-of-the-box capabilities in Windows 10 that more than 50 percent of enterprises are using.
  6. Store files in OneDrive for Business, and the cloud becomes your backup. No more manual PC backups, which saves you time and money. Even better, if you are hacked and are regularly saving your documents to OneDrive, you can simply revert your files back to before the hack occurred.
  7. Stop email auto-forwarding.

As we found from talking with hundreds of SMBs, creating a culture of security is one of the biggest first steps you can take. Right now is the time to educate your employees about how to identify security threats (e.g., don’t click that suspicious link, and if you do, please let someone know), and with Windows 7 very quickly reaching end of support, use this as an opportunity to move to our best available, most secure platform. Microsoft 365 Business can help.

Office 365 security tips

Seven security features in Office 365 you can use to secure your organization.

Watch the video

Why move from Office 365 to Microsoft 365 Business

Office 365 provides the suite of productivity tools you know and love, including capabilities like Exchange Online, SharePoint Online, and OneDrive for Business. But when you move to Microsoft 365 Business, you get that power of Office 365 as well as a comprehensive, cloud-based security solution that lets you defend your business against advanced threats. Microsoft 365 helps you to protect against cyberthreats with sophisticated phishing and ransomware protection; lets you control access to sensitive information, using encryption to keep data from being accidentally shared with someone not authorized to see it; and enables you to secure the devices that connect to your data, helping keep iOS, Android, Windows, and Mac devices secure and up-to-date. Microsoft 365 Business is fully integrated with Office 365, so you have one place for administration, billing, and 24×7 support.

Next steps

In addition to visiting YourNewCSO, consider the value of insuring yourself against a cyberattack. I’m excited to announce that, starting today, we’re piloting a new program in the U.S. in collaboration with AXA XL (a global insurer) and Slice Labs (on-demand insurance platform) to offer a free cybersecurity health check and support AXA XL’s provision of cyber insurance for qualified customers that use Microsoft 365 Business, Office 365 Business, and Office 365 Business Premium.

With your permission, AXA XL will assess your organization’s security and offer their services to qualifying customers, potentially with a discount. You can find more information about the collaboration in the AXA XL and Slice Labs press release, and you can read more about their offering and purchase insurance.

Posted on Leave a comment

Microsoft Security—a Leader in 5 Gartner Magic Quadrants

Gartner has named Microsoft Security a Leader in five Magic Quadrants. This is exciting news that we believe speaks to the breadth and depth of our security offerings. Gartner places vendors as Leaders who demonstrate balanced progress and effort in all execution and vision categories. This means that Leaders not only have the people and capabilities to deliver strong solutions today, they also understand the market and have a strategy for meeting customer needs in the future. Microsoft was identified as a Leader in the following five security areas:

  • Cloud Access Security Broker (CASB) solutions1
  • Access Management2
  • Enterprise Information Archiving3
  • Unified Endpoint Management (UEM) tools4
  • Endpoint Protection Platforms5

Given this, Microsoft Security doesn’t just deliver strong security products in five crucial security areas only. We provide a comprehensive set of security solutions that are built to work together, from identity and access management to threat protection to information protection and cloud security.

Our products integrate easily and share intelligence from the trillions of signals generated daily on the Microsoft Intelligent Security Graph. And they work with non-Microsoft solutions too. You can monitor and safeguard your assets across clouds—whether you use Microsoft Azure, Amazon Web Services, Slack, Salesforce, or all the above.

By unifying security tools, you get visibility into your entire environment across on-premises and the cloud, to better protect all your users, data, devices, and applications. Today, we’ll review the five areas where Microsoft is recognized as a Leader in security.

A Leader in CASB

Our cloud security solutions provide cross-cloud protection, whether you use Amazon Web Services, Azure, Google Cloud Platform—or all three. We also help you safeguard your data in third-party apps like Salesforce and Slack.

Gartner named Microsoft a Leader in CASB based on the ability to execute and completeness of vision. Cloud App Security provides rich visibility into your shadow IT, enables you to identify and remediate cloud native attacks, and allows you to control how your data travels across all your cloud apps—whether they’re from Microsoft or third-party applications.

As Gartner says in the CASB Magic Quadrant, “platforms from leading CASB vendors were born in the cloud and designed for the cloud. They have a deeper understanding of users, devices, applications, transactions, and sensitive data than CASB functions designed to be extensions of traditional network security and SWG security technologies.”

We work closely with customer to improve our products, which is one of the reasons our customer base for Cloud App Security continues to grow.

Gartner graph showing Microsoft as a Leader in Cloud App Security.

A Leader in Access Management

Azure Active Directory (Azure AD) is a universal identity and access management platform that provides the right people the right access to the right resources. It safeguards identities and simplifies access for users. Users sign in once with a single identity to access all the apps they need—whether they’re on-premises apps, Microsoft apps, or third-party cloud apps. Microsoft was recognized for high scores in market understanding and customer experience.

Gartner says, “Vendors that have developed Access Management as a service have risen in popularity. Gartner estimates that 90 percent or more of clients based in North America and approximately 65 percent in Europe and the Asia/Pacific region countries are also seeking SaaS-delivered models for new Access Management purchases. This demonstrates a preference for agility, quicker time to new features, elimination of continual software upgrades, reduction of supported infrastructure and other SaaS versus software benefits demonstrated in the market.”

Gartner graph showing Microsoft as a Leader in Access Management.

A Leader in Enterprise Information Archiving

Enterprise information archiving solutions help organizations archive emails, instant messages, SMS, and social media content. Gartner recognized us as a Leader in this Magic Quadrant based on ability to execute and completeness of vision.

Gartner estimates, “By 2023, 45 percent of enterprise customers will adopt an enterprise information archiving (EIA) solution to meet new requirements driven by data privacy regulations; this is a major increase from five percent in 2019.”

Gartner graph showing Microsoft as a Leader in Enterprise Information Archiving.

A Leader in Unified Endpoint Management (UEM)

Unified Endpoint Management (UEM) solutions provide a comprehensive solution to manage mobile devices and traditional endpoints, like PCs and Macs. Microsoft’s solution, Microsoft Intune, lets you securely support company-provided devices and bring your own device policies. You can even protect company apps and data on unmanaged devices. We have seen rapid growth in Intune deployments and expect that growth to continue.

Gartner noted that, “Leaders are identified as those vendors with strong execution and vision scores with products that exemplify the suite of functions that assist organizations in managing a diverse field of mobile and traditional endpoints. Leaders provide tools that catalyze the migration of PCs from legacy CMT management tools to modern, UEM-based management.”

Intune is built to work with other Microsoft 365 security solutions, such as Cloud App Security and Azure AD to unify your security approach across all your clouds and devices. As Gartner writes, “Achieving a truly simplified, single-console approach to endpoint management promises many operational benefits.”

Gartner graph showing Microsoft as a Leader in Unified Endpoint Management.

A Leader in Endpoint Protection Platforms

Our threat protection solutions provide tools to identify, investigate, and respond to threats across all your endpoints. Gartner named Microsoft a Leader for Endpoint Protection Platforms, recognizing our products and our strengths and ability to execute and completeness of vision. Azure Advanced Threat Protection (ATP) detects and investigates advanced attacks on-premises and in the cloud. Windows Defender Antivirus protects PCs against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.

Gartner says, “A Leader in this category will have broad capabilities in advanced malware protection, and proven management capabilities for large-enterprise accounts.”

Gartner graph showing Microsoft as a Leader in Endpoint Protection Platforms.

Learn more

Microsoft is committed to helping our customers digitally transform while providing the security solutions that enable them to focus on what they do best. Learn more about our comprehensive security solutions across identity and access management, cloud security, information protection, threat protection, and universal endpoint management by visiting our website.

1Gartner “Magic Quadrant for Cloud Access Security Brokers,” by Steve Riley, Craig Lawson, October 2019

2Gartner “Magic Quadrant for Access Management,” by Michael Kelley, Abhyuday Data, Henrique, Teixeira, August 2019

3Gartner “Magic Quadrant for Enterprise Information Archiving,” by Julian Tirsu, Michael Hoech, November 2019

4Gartner “Magic Quadrant for Unified Endpoint Management Tools,” by Chris Silva, Manjunath Bhat, Rich Doheny, Rob Smith, August 2019

5Gartner “Magic Quadrant for Endpoint Protection Platforms,” by Peter Firstbrook, Dionisio Zumerle, Prateek Bhajanka, Lawrence Pingree, Paul Webber, August 2019

These graphics were published by Gartner, Inc. as part of larger research documents and should be evaluated in the context of the entire document. The Gartner documents are available upon request from Microsoft. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

Posted on Leave a comment

Spear phishing campaigns—they’re sharper than you think

Even your most security-savvy users may have difficulty identifying honed spear phishing campaigns. Unlike traditional phishing campaigns that are blasted to a large email list in hopes that just one person will bite, advanced spear phishing campaigns are highly targeted and personal. They are so targeted, in fact, that we sometimes refer to them as “laser” phishing. And because these attacks are so focused, even tech-savvy executives and other senior managers have been duped into handing over money and sensitive files by a well-targeted email. That’s how good they are.

Even though spear phishing campaigns can be highly effective, they aren’t foolproof. If you understand how they work, you can put measures in place to reduce their power. Today, we provide an overview of how these campaigns work and steps you can take to better protect your organization and users.

Graph showing that the percentage of inbound emails associated with phishing on average increased in the past year.

Figure 1. Percentage of inbound emails associated with phishing on average increased in the past year, according to Microsoft security research (source: Microsoft Security Intelligence Report).

Step 1: Select the victims

To illustrate how clever some of these campaigns are, imagine a busy recruiter who is responsible for filling several IT positions. The IT director is under a deadline and desperate for good candidates. The recruiter posts the open roles on their social networks asking people to refer leads. A few days later they receive an email from a prospective candidate who describes the role in the email. The recruiter opens the attached resume and inadvertently infects their computer with malware. They have just been duped by a spear phisher.

How did it happen?

In a spear phishing campaign, the first thing an attacker needs to do is identify the victims. These are typically individuals who have access to the data the attacker wants. In this instance, the attackers want to infiltrate the human resources department because they want to exfiltrate employee social security numbers. To identify potential candidates they conduct extensive research, such as:

  • Review corporate websites to gain insight into processes, departments, and locations.
  • Use scripts to harvest email addresses.
  • Follow company social media accounts to understand company roles and the relationships between different people and departments.

In our example, the attackers learned by browsing the website that the convention for emails is first.last@company.com. They browsed the website, social media, and other digital sources for human resources professionals and potential hooks. It didn’t take long to notice several job openings. Once the recruiter shared details of jobs online, would-be attackers had everything they needed.

Why it might work: In this instance it would be logical for the victim to open the attachment. One of their job responsibilities is to collect resumes from people they don’t know.

Infographic showing the typical campaign path for phish emails, from Reconnaissance to Exfiltration.

Figure 2. Research and the attack are the first steps in a longer strategy to exfiltrate sensitive data.

Step 2: Identify the credible source

Now let’s consider a new executive who receives an email late at night from their boss, the CEO. The CEO is on a trip to China meeting with a vendor, and in the email, the CEO references the city they’re in and requests that the executive immediately wire $10,000 to pay the vendor. The executive wants to impress the new boss, so they jump on the request right away.

How did it happen?

In spear phishing schemes, the attacker needs to identify a credible source whose emails the victim will open and act on. This could be someone who appears to be internal to the company, a friend, or someone from a partner organization. Research into the victim’s relationships informs this selection. In the first example, we imagined a would-be job seeker that the victim doesn’t know. However, in many spear phishing campaigns, such as with our executive, the credible source is someone the victim knows.

To execute the spear phishing campaign against the executive, the attackers uncovered the following information:

  • Identified senior leaders at the company who have authority to sign off on large sums of money.
  • Selected the CEO as the credible source who is most likely to ask for the money.
  • Discovered details about the CEO’s upcoming trip based on social media posts.

Why it might work: Targeting executives by impersonating the CEO is increasingly common—some refer to it as whale phishing. Executives have more authority and access to information and resources than the average employee. People are inclined to respond quickly when the boss emails—especially if they say it’s urgent. This scenario takes advantage of those human power dynamics.

Infographic of the Attack Spectrum, from Broad to Targeted.

Figure 3. The more targeted the campaign, the bigger the potential payoff.

Step 3: Victim acts on the request

The final step in the process is for the victim to act on the request. In our first example, the human resources recruiter could have initiated a payload that would take over his computer or provide a tunnel for the attacker to access information. In our second scenario, the victim could have wired large sums of money to a fraudulent actor. If the victim does accidentally open the spear phishing email and respond to the call to action, open a malicious attachment, or visit an infected webpage, the following could happen:

  • The machine could be infected with malware.
  • Confidential information could be shared with an adversary.
  • A fraudulent payment could be made to an adversary.

Catch more phishy emails

Attackers have improved their phishing campaigns to better target your users, but there are steps you can take to reduce the odds that employees will respond to the call to action. We recommend that you do the following:

  • Educate users on how to detect phishing emails—Spear phishing emails do a great job of effectively impersonating a credible source; however, there are often small details that can give them away. Help users identify phish using training tools that simulate a real phish. Here are a few tells that are found in some phish that you can incorporate into your training:
    • An incorrect email address or one that resembles what you expect but is slightly off.
    • A sense of urgency coupled with a request to break company policy. For example, fast tracking payments without the usual checks and procedures.
    • Emotive language to evoke sympathy or fear. For example, the impersonated CEO might say you’re letting them down if you do not make the urgent payment.
    • Inconsistent wording or terminology. Does the business lingo align with company conventions? Does the source typically use those words?

  • Encourage users to communicate potential phishing emails—It’s important that users flag phishing emails to the proper team. This can be done natively within many enterprise email systems. It can also be helpful if users talk with their peers about the phishing emails they receive. Spear phishers typically don’t send blast emails; however, they may select several people from the same department or with business relationships. Talking will alert other users to be on the lookout for phishy emails.

Figure 4. Enhanced anti-phishing capabilities are available in Microsoft Office 365.

  • Deploy technology designed to block phishing emails—If users don’t receive the phishing email, they can’t act on it! Deploy technology that can help you catch phishing emails before they land in someone’s inbox. For instance, Office 365, one of the world’s largest email providers, offers a variety of protection against phishing attacks by default and through additional offerings such as Microsoft Advanced Threat Protection (ATP) anti-phishing. Importantly, Microsoft has both been advancing the anti-phishing capabilities of Office 365 (see Figure 4 above) and improving catch rates of phishing emails.

Get in touch

Reach out to Diana Kelley on LinkedIn or Twitter or Seema Kathuria on LinkedIn or Twitter and let them know what you’d like to see us cover as they talk about new security products and capabilities.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Posted on Leave a comment

Insights from 1 year of tracking a polymorphic threat

A little over a year ago, in October 2018, our polymorphic outbreak monitoring system detected a large surge in reports, indicating that a large-scale campaign was unfolding. We observed as the new threat attempted to deploy files that changed every 20-30 minutes on thousands of devices. We gave the threat the name “Dexphot,” based on certain characteristics of the malware code.

The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware.

In the months that followed, we closely tracked the threat and witnessed the attackers upgrade the malware, target new processes, and work around defensive measures:

Timeline of evolution of Dexphot malware

While Microsoft Defender Advanced Threat Protection’s pre-execution detection engines blocked Dexphot in most cases, behavior-based machine learning models provided protection for cases where the threat slipped through. Given the threat’s persistence mechanisms, polymorphism, and use of fileless techniques, behavior-based detection was a critical component of the comprehensive protection against this malware and other threats that exhibit similar malicious behaviors.

Microsoft Defender ATP data shows the effectiveness of behavioral blocking and containment capabilities in stopping the Dexphot campaign. Over time, Dexphot-related malicious behavior reports dropped to a low hum, as the threat lost steam.

Number of machines that encountered Dexphot over time

Our close monitoring of Dexphot helped us ensure that our customers were protected from the evolving threat. More importantly, one year’s worth of intelligence helped us gain insight not only into the goals and motivations of Dexphot’s authors, but of cybercriminals in general.

Complex attack chain

The early stages of a Dexphot infection involves numerous files and processes. During the execution stage, Dexphot writes five key files to disk:

  1. An installer with two URLs
  2. An MSI package file downloaded from one of the URLs
  3. A password-protected ZIP archive
  4. A loader DLL, which is extracted from the archive
  5. An encrypted data file that holds three additional executables that are loaded into system processes via process hollowing

Except for the installer, the other processes that run during execution are legitimate system processes. This can make detection and remediation more difficult. These legitimate system processes include msiexec.exe (for installing MSI packages), unzip.exe (for extracting files from the password-protected ZIP archive), rundll32.exe (for loading the loader DLL), schtasks.exe (for scheduled tasks), powershell.exe (for forced updates). In later stages, Dexphot targets a few other system processes for process hollowing: svchost.exe, tracert.exe, and setup.exe.

Dexphot attack chain

Multiple layers of security evasion

Based on Microsoft Defender ATP signals, SoftwareBundler:Win32/ICLoader and its variants are primarily used to drop and run the Dexphot installer. The installer uses two URLs to download malicious payloads. These are the same two URLs that Dexphot use later to establish persistence, update the malware, and re-infect the device.

The installer downloads an MSI package from one of the two URLs, and then launches msiexec.exe to perform a silent install. This is the first of several instances of Dexphot employing living-off-the-land techniques, the use of legitimate system processes for nefarious purposes.

Dexphot’s package often contains an obfuscated batch script. If the package contains this file, the script is the first thing that msiexec.exe runs when it begins the installation process. The said obfuscated script is designed to check for antivirus products. Dexphot halts the infection process immediately if an antivirus product is found running.

When we first began our research, the batch script only checked for antivirus products from Avast and AVG. Later, Windows Defender Antivirus was added to the checklist.

If the process is not halted, Dexphot decompresses the password-protected ZIP archive from the MSI package. The password to this archive is within the MSI package. Along with the password, the malware’s authors also include a clean version of unzip.exe so that they don’t have to rely on the target system having a ZIP utility. The unzip.exe file in the package is usually named various things, such as z.exe or ex.exe, to avoid scrutiny.

The ZIP archive usually contains three files: the loader DLL, an encrypted data file (usually named bin.dat), and, often, one clean unrelated DLL, which is likely included to mislead detection.

Dexphot usually extracts the decompressed files to the target system’s Favorites folder. The files are given new, random names, which are generated by concatenating words and numbers based on the time of execution (for example, C:\Users\<user>\Favorites\\Res.Center.ponse\<numbers>). The commands to generate the new names are also obfuscated, for example:

Msiexec.exe next calls rundll32.exe, specifying loader DLL (urlmon.7z in the example above) in order to decrypt the data file. The decryption process involves ADD and XOR operations, using a key hardcoded in the binary.

The decrypted data contains three executables. Unlike the files described earlier, these executables are never written to the filesystem. Instead, they exist only in memory, and Dexphot runs them by loading them into other system processes via process hollowing.

Stealthy execution through fileless techniques

Process hollowing is a technique that can hide malware within a legitimate system process. It replaces the contents of the legitimate process with malicious code. Detecting malicious code hidden using this method is not trivial, so process hollowing has become a prevalent technique used by malware today.

This method has the additional benefit of being fileless: the code can be run without actually being saved on the file system. Not only is it harder to detect the malicious code while it’s running, it’s harder to find useful forensics after the process has stopped.

To initiate process hollowing, the loader DLL targets two legitimate system processes, for example svchost.exe or nslookup.exe, and spawns them in a suspended state. The loader DLL replaces the contents of these processes with the first and second decrypted executables. These executables are monitoring services for maintaining Dexphot’s components. The now-malicious processes are released from suspension and run.

Next, the loader DLL targets the setup.exe file in SysWoW64. It removes setup.exe’s contents and replaces them with the third decrypted executable, a cryptocurrency miner. Although Dexphot always uses a cryptocurrency miner of some kind, it’s not always the same miner. It used different programs like XMRig and JCE Miner over the course of our research.

Persistence through regularly scheduled malware updates

The two monitoring services simultaneously check the status of all three malicious processes. Having dual monitoring services provides redundancy in case one of the monitoring processes is halted. If any of the processes are terminated, the monitors immediately identify the situation, terminate all remaining malicious processes, and re-infect the device. This forced update/re-infection process is started by a PowerShell command similar to the one below:

The monitoring components also detect freshly launched cmd.exe processes and terminate them promptly. As a final fail-safe, Dexphot uses schtasks.exe to create scheduled tasks, with the command below.

This persistence technique is interesting, because it employs two distinct MITRE ATT&CK techniques: Scheduled Task and Signed Binary Proxy Execution.

The scheduled tasks call msiexec.exe as a proxy to run the malicious code, much like how msiexec.exe was used during installation. Using msiexec.exe, a legitimate system process, can make it harder to trace the source of malicious activity.

Furthermore, the tasks allow Dexphot to conveniently update the payload from the web every time the tasks run. They automatically update all of Dexphot’s components, both upon system reboot as well as every 90 or 110 minutes while the system is running.

Dexphot also generates the names for the tasks at runtime, which means a simple block list of hardcoded task names will not be effective in preventing them from running. The names are usually in a GUID format, although after we released our first round of Dexphot-blocking protections, the threat authors began to use random strings.

The threat authors have one more evasion technique for these scheduled tasks: some Dexphot variants copy msiexec.exe to an arbitrary location and give it a random name, such as %AppData%\<random>.exe. This makes the system process running malicious code a literal moving target.

Polymorphism

Dexphot exhibits multiple layers of polymorphism across the binaries it distributes. For example, the MSI package used in the campaign contains different files, as shown in the table below. The MSI packages generally include a clean version of unzip.exe, a password-protected ZIP file, and a batch file that checks for currently installed antivirus products. However, the batch file is not always present, and the names of the ZIP files and Loader DLLs, as well as the password for extracting the ZIP file, all change from one package to the next.

In addition, the contents of each Loader DLL differs from package to package, as does the encrypted data included in the ZIP file. This leads to the generation of a different ZIP archive and, in turn, a unique MSI package, each time the attacker bundles the files together. Because of these carefully designed layers of polymorphism, a traditional file-based detection approach wouldn’t be effective against Dexphot.

MSI package ID MSI package contents Password for ZIP file Contents of encrypted ZIP
Unzip.exe name ZIP file name Batch file name Loader DLL file name Encrypted data name
MSI-1 ex.exe webUI.r0_ f.bat kjfhwehjkf IECache.dll bin.dat
MSI-2 ex.exe analog.tv f.bat ZvDagW kernel32.bin bin.dat
MSI-3 z.exe yandex.zip f.bat jeremy SetupUi.dll bin.dat
MSI-4 unzip.exe ERDNT.LOC.zip iso100 ERDNT.LOC data.bin
MSI-5 pck.exe mse.zip kika _steam.dll bin.dat
MSI-6 z.exe msi.zip arima ic64.dll bin.dat
MSI-7 z.exe mse.zip f.bat kika _steam.dll bin.dat
MSI-8 z.exe mse.zip kika _steam.dll bin.dat
MSI-9 z.exe yandex.zip f.bat jeremy SetupUi.dll bin.dat
MSI-10 hf.exe update.dat f.bat namr x32Frame.dll data.bin
MSI-11 z.exe yandex.zip f.bat jeremy SetupUi.dll bin.dat
MSI-12 unzip.exe PkgMgr.iso.zip pack PkgMgr.iso data.bin
MSI-13 ex.exe analog.tv f.bat kjfhwefkjwehjkf urlmon.7z bin.dat
MSI-14 ex.exe icon.ico f.bat ZDADW default.ocx bin.dat
MSI-15 hf.exe update.dat namr AvastFileRep.dll data.bin
MSI-16 pck.exe mse.zip f.bat kika _steam.dll bin.dat
MSI-17 z.exe mse.zip f.bat joft win2k.wim bin.dat
MSI-18 ex.exe plugin.cx f.bat ZDW _setup.ini bin.dat
MSI-19 hf.exe update.dat namr AvastFileRep.dll data.bin
MSI-20 ex.exe installers.msu f.bat 000cehjkf MSE.Engine.dll bin.dat
MSI-21 z.exe msi.zip f.bat arima ic64.dll bin.dat
MSI-22 z.exe archive00.x f.bat 00Jmsjeh20 chrome_watcher.dll bin.dat

A multitude of payload hosts

Besides tracking the files and processes that Dexphot uses to execute an attack, we have also been monitoring the domains used to host malicious payloads. The URLs used for hosting all follow a similar pattern. The domain address usually ends in a .info or .net TLD, while the file name for the actual payload consists of random characters, similar to the randomness previously seen being used to generate file names and scheduled tasks. Some examples from our research are shown in the table below.

Scheduled task name Download URL
hboavboja https://supe********709.info/xoslqzu.pdi
{C0B15B19-AB02-0A10-259B-1789B8BD78D6} https://fa*****r.com/jz5jmdouv4js.uoe
ytiazuceqeif https://supe********709.info/spkfuvjwadou.bbo
beoxlwayou https://rb*****.info/xgvylniu.feo
{F1B4C720-5A8B-8E97-8949-696A113E8BA5} https://emp*******winc.com/f85kr64p1s5k.naj
gxcxhbvlkie https://gu*****me.net/ssitocdfsiu.pef
{BE7FFC87-6635-429F-9F2D-CD3FD0E6DA51} https://sy*****.info/pasuuy/xqeilinooyesejou.oew
{0575F553-1277-FB0F-AF67-EB649EE04B39} https://sumb*******on.info/gbzycb.kiz
gposiiobhkwz https://gu*****me.net/uyuvmueie.hui
{EAABDEAC-2258-1340-6375-5D5C1B7CEA7F} https://refr*******r711.info/3WIfUntot.1Mb
zsayuuec https://gu*****me.net/dexaeuioiexpyva.dil
njibqhcq https://supe********709.info/aodoweuvmnamugu.fux
{22D36F35-F5C2-29D3-1CF1-C51AC19564A4} https://pr*****.info/ppaorpbafeualuwfx/hix.ayk
qeubpmnu https://gu*****me.net/ddssaizauuaxvt.cup
adeuuelv https://supe********709.info/tpneevqlqziee.okn
{0B44027E-7514-5EC6-CE79-26EB87434AEF} https://sy*****.info/huauroxaxhlvyyhp/xho.eqx
{5A29AFD9-63FD-9F5E-F249-5EC1F2238023} https://refr*******r711rb.info/s28ZXoDH4.78y
{C5C1D86D-44BB-8EAA-5CDC-26B37F92E411} https://fa*****r.com/rbvelfbflyvf.rws

Many of the URLs listed were in use for an extended period. However, the MSI packages hosted at each URL are frequently changed or updated. In addition, every few days more domains are generated to host more payloads. After a few months of monitoring, we were able to identify around 200 unique Dexphot domains.

Conclusion: Dynamic, comprehensive protection against increasingly complex everyday threats

Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.

To combat threats, several next-generation protection engines in Microsoft Defender Advanced Threat Protection’s antivirus component detect and stop malicious techniques at multiple points along the attack chain. For Dexphot, machine learning-based detections in the cloud recognize and block the DLLs loaded by rundll32.exe, stopping the attack chain in its early stages. Memory scans detect and terminate the loading of malicious code hidden by process hollowing — including the monitoring processes that attempt to update the malware code and re-infect the machine via PowerShell commands.

Behavioral blocking and containment capabilities are especially effective in defeating Dexphot’s fileless techniques, detection evasion, and persistence mechanisms, including the periodic and boot-time attempts to update the malware via scheduled tasks. As mentioned, given the complexity of the attack chain and of Dexphot’s persistence methods, we released a remediation solution that prevents re-infection by removing artifacts.

Microsoft Defender ATP solutions for Dexphot attack

The detection, blocking, and remediation of Dexphot on endpoints are exposed in Microsoft Defender Security Center, where Microsoft Defender ATP’s rich capabilities like endpoint detection and response, automated investigation and remediation, and others enable security operations teams to investigate and remediate attacks in enterprise environments. With these capabilities, Microsoft Defender ATP provides comprehensive protection against Dexphot and the countless other complex and evolving threats that we face every day.

Sample indicators of compromise (IoCs)

Installer (SHA-256):
72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f

MSI files (SHA-256):
22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3
65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a
ba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88

Loader DLLs  (SHA-256):
537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e
504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5
aa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152

Hazel Kim

Microsoft Defender ATP Research Team


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

Posted on Leave a comment

Set up single sign-on for Fedora Project services

In addition to an operating system, the Fedora Project provides services for users and developers. Services such as Ask Fedora, the Fedora Project wiki and the Fedora Project mailing lists help users learn how to best take advantage of Fedora. For developers of Fedora, there are many other services such as dist-git, Pagure, Bodhi, COPR and Bugzilla for the packaging and release process.

These services are available with a free account from the Fedora Accounts System (FAS). This account is the passport to all things Fedora! This article covers how to get set up with an account and configure Fedora Workstation for browser single sign-on.

Signing up for a Fedora account

To create a FAS account, browse to the account creation page. Here, you will fill out your basic identity data:

Account creation page

Once you enter your data, the account system sends an email to the address you provided, with a temporary password. Pick a strong password and use it.

Password reset page

Next, the account details page appears. If you want to contribute to the Fedora Project, you should complete the Contributor Agreement now. Otherwise, you are done and you can use your account to log into the various Fedora services.

Account details page

Configuring Fedora Workstation for single sign-On

Now that you have your account, you can sign into any of the Fedora Project services. Most of these services support single sign-on (SSO), so you can sign in without re-entering your username and password.

Fedora Workstation provides an easy workflow to add your Fedora credentials. The GNOME Online Accounts tool helps you quickly set up your system to access many popular services. To access it, go to the Settings menu.

Click on the option labeled Fedora. A prompt opens for you to provide your username and password for your Fedora Account.

GNOME Online Accounts stores your password in GNOME Keyring and automatically acquires your single-sign-on credentials for you when you log in.

Single sign-on with a web browser

Today, Fedora Workstation supports three web browsers out of the box with support for single sign-on with the Fedora Project services. These are Mozilla Firefox, GNOME Web, and Google Chrome.

Due to a bug in Chromium, single sign-on doesn’t work currently if you have more than one set of Kerberos (SSO) credentials active on your session. As a result, Fedora doesn’t enable this function out of the box for Chromium in Fedora.

To sign on to a service, browse to it and select the login option for that service. For most Fedora services, this is all you need to do; the browser handles the rest. Some services such as the Fedora mailing lists and Bugzilla support multiple login types. For them, select the Fedora or Fedora Account System login type.

That’s it! You can now log into any of the Fedora Project services without re-entering your password.

Special consideration for Google Chrome

To enable single sign-on out of the box for Google Chrome, Fedora takes advantage of certain features in Chrome that are intended for use in “managed” environments. A managed environment is traditionally a corporate or other organization that sets certain security and/or monitoring requirements on the browser.

Recently, Google Chrome changed its behavior and it now reports Managed by your organization or possibly Managed by fedoraproject.org under the ⋮ menu in Google Chrome. That link leads to a page that says, “If your Chrome browser is managed, your administrator can set up or restrict certain features, install extensions, monitor activity, and control how you use Chrome.” However, Fedora will never monitor your browser activity or restrict your actions.

Enter chrome://policy in the address bar to see exactly what settings Fedora has enabled in the browser. The AuthNegotiateDelegateWhitelist and AuthServerWhitelist options will be set to *.fedoraproject.org. These are the only changes Fedora makes.

Posted on Leave a comment

Microsoft works with researchers to detect and protect against new RDP exploits

On November 2, 2019, security researcher Kevin Beaumont reported that his BlueKeep honeypot experienced crashes and was likely being exploited. Microsoft security researchers collaborated with Beaumont as well as another researcher, Marcus Hutchins, to investigate and analyze the crashes and confirm that they were caused by a BlueKeep exploit module for the Metasploit penetration testing framework.

BlueKeep is what researchers and the media call CVE-2019-0708, an unauthenticated remote code execution vulnerability in Remote Desktop Services on Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft released a security fix for the vulnerability on May 14, 2019.

While similar vulnerabilities have been abused by worm malware in the past, initial attempts at exploiting this vulnerability involved human operators aiming to penetrate networks via exposed RDP services.

Microsoft had already deployed a behavioral detection for the BlueKeep Metasploit module in early September, so Microsoft Defender ATP customers had protection from this Metasploit module by the time it was used against Beaumont’s honeypot. The module, which appears to be unstable as evidenced by numerous RDP-related crashes observed on the honeypot, triggered the behavioral detection in Microsoft Defender ATP, resulting in the collection of critical signals used during the investigation.

Microsoft security signals showed an increase in RDP-related crashes that are likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines. We saw:

  • An increase in RDP service crashes from 10 to 100 daily starting on September 6, 2019, when the Metasploit module was released
  • A similar increase in memory corruption crashes starting on October 9, 2019
  • Crashes on external researcher honeypots starting on October 23, 2019

Figure 1. Increase in RDP-related service crashes when the Metasploit module was released

Coin miner campaign using BlueKeep exploit

After extracting indicators of compromise and pivoting to various related signal intelligence, Microsoft security researchers found that an earlier coin mining campaign in September used a main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign, which, in cases where the exploit did not cause the system to crash, was also observed installing a coin miner. This indicated that the same attackers were likely responsible for both coin mining campaigns—they have been actively staging coin miner attacks and eventually incorporated the BlueKeep exploit into their arsenal.

Our machine learning models flagged the presence of the coin miner payload used in these attacks on machines in France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom, and many other countries.

Figure 2. Geographic distribution of coin miner encounters

​These attacks were likely initiated as port scans for machines with vulnerable internet-facing RDP services. Once attackers found such machines, they used the BlueKeep Metasploit module to run a PowerShell script that eventually downloaded and launched several other encoded PowerShell scripts.

Figure 3. Techniques and components used in initial attempts to exploit BlueKeep

We pieced together the behaviors of the PowerShell scripts using mostly memory dumps. The following script activities have also been discussed in external researcher blogs:

  1. Initial script downloaded another encoded PowerShell script from an attacker-controlled remote server (5.135.199.19) hosted somewhere in France via port 443.
  2. The succeeding script downloaded and launched a series of three to four other encoded PowerShell scripts.
  3. The final script eventually downloaded the coin miner payload from another attacker-controlled server (109.176.117.11) hosted in Great Britain.
  4. Apart from downloading the payload, the final script also created a scheduled task to ensure the coin miner stayed persistent.​

Figure 4. Memory dump of a PowerShell script used in the attacks

The final script saved the coin miner as the following file:

C:\Windows\System32\spool\svchost.exe

The coin miner connected to command-and-control infrastructure at 5.100.251.106 hosted in Israel. Other coin miners deployed in earlier campaigns that did not exploit BlueKeep also connected to this same IP address.

Defending enterprises against BlueKeep

Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.

The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.

To this end, Microsoft customers can use the rich capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to gain visibility on exploit activities and defend networks against attacks. On top of the behavior-based antivirus and endpoint detection and response (EDR) detections, we released a threat analytics report to help security operations teams to conduct investigations specific to this threat. We also wrote advanced hunting queries that customers can use to look for multiple components of the attack.


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

Posted on Leave a comment

CVP Ann Johnson: How to balance compliance and security with limited resources

Today, many organizations still struggle to adhere to General Data Protection Regulation (GDPR) mandates even though this landmark regulation took effect nearly two years ago. A key learning for some: being compliant does not always mean you are secure. Shifting privacy regulations, combined with limited resources like budgets and talent shortages, add to today’s business complexities. I hear this concern time and again as I travel around the world meeting with our customers to share how Microsoft can empower organizations successfully through these challenges.

Most recently, I sat down with Emma Smith, Global Security Director at Vodafone Group to talk about their own best practices when navigating the regulatory environment. Vodafone Group is a global company with mobile operations in 24 countries and partnerships that extend to 42 more. The company also operates fixed broadband operations in 19 markets, with about 700 million customers. This global reach means they must protect a significant amount of data while adhering to multiple requirements.

Emma and her team have put a lot of time and effort into the strategies and tactics that keep Vodafone and its customers compliant no matter where they are in the world. They’ve learned a lot in this process, and she shared these learnings with me as we discussed the need for organizations to be both secure and compliant, in order to best serve our customers and maintain their trust. You can watch our conversation and hear more in our CISO Spotlight episode.

Cybersecurity enables privacy compliance

As you work to balance compliance with security keep in mind that, as Emma said, “There is no privacy without security.” If you have separate teams for privacy and security, it’s important that they’re strategically aligned. People only use technology and services they trust, which is why privacy and security go hand in hand.

Vodafone did a security and privacy assessment across all their big data stores to understand where the high-risk data lives and how to protect it. They were then able to implement the same controls for privacy and security. It’s also important to recognize that you will never be immune from an attack, but you can reduce the damage.

Emma offered three recommendations for balancing security with privacy compliance:

  • Develop a risk framework so you can prioritize your efforts.
  • Communicate regularly with the board and executive team to align on risk appetite.
  • Establish the right security capabilities internally and/or through a mix of partners and third parties.

I couldn’t agree more, as these are also important building blocks for any organization as they work to become operationally resilient.

I also asked Emma for her top five steps for becoming compliant with privacy regulations:

  • Comply with international standards first, then address local rules.
  • Develop a clear, board-approved strategy.
  • Measure progress against your strategy.
  • Develop a prioritized program of work with clear outcomes.
  • Stay abreast of new technologies and new threats.

The simplest way to manage your risk is to minimize the amount of data that you store. Privacy assessments will help you know where the data is and how to protect it. Regional and local laws can provide tools to guide your standards. Protecting online privacy and personal data is a big responsibility, but with a risk management approach, you can go beyond the “letter of the law” to better safeguard data and support online privacy as a human right.

Learn more

Watch my conversation with Emma about balancing security with privacy compliance. To learn more about compliance and GDPR, read Microsoft Cloud safeguards individual privacy.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

CISO Spotlight Series

Address cybersecurity challenges head-on with 10-minute video episodes that discuss cybersecurity problems and solutions from AI to Zero Trust.

Watch today

Posted on Leave a comment

Cloning a MAC address to bypass a captive portal

If you ever attach to a WiFi system outside your home or office, you often see a portal page. This page may ask you to accept terms of service or some other agreement to get access. But what happens when you can’t connect through this kind of portal? This article shows you how to use NetworkManager on Fedora to deal with some failure cases so you can still access the internet.

How captive portals work

Captive portals are web pages offered when a new device is connected to a network. When the user first accesses the Internet, the portal captures all web page requests and redirects them to a single portal page.

The page then asks the user to take some action, typically agreeing to a usage policy. Once the user agrees, they may authenticate to a RADIUS or other type of authentication system. In simple terms, the captive portal registers and authorizes a device based on the device’s MAC address and end user acceptance of terms. (The MAC address is a hardware-based value attached to any network interface, like a WiFi chip or card.)

Sometimes a device doesn’t load the captive portal to authenticate and authorize the device to use the location’s WiFi access. Examples of this situation include mobile devices and gaming consoles (Switch, Playstation, etc.). They usually won’t launch a captive portal page when connecting to the Internet. You may see this situation when connecting to hotel or public WiFi access points.

You can use NetworkManager on Fedora to resolve these issues, though. Fedora will let you temporarily clone the connecting device’s MAC address and authenticate to the captive portal on the device’s behalf. You’ll need the MAC address of the device you want to connect. Typically this is printed somewhere on the device and labeled. It’s a six-byte hexadecimal value, so it might look like 4A:1A:4C:B0:38:1F. You can also usually find it through the device’s built-in menus.

Cloning with NetworkManager

First, open nm-connection-editor, or open the WiFI settings via the Settings applet. You can then use NetworkManager to clone as follows:

  • For Ethernet – Select the connected Ethernet connection. Then select the Ethernet tab. Note or copy the current MAC address. Enter the MAC address of the console or other device in the Cloned MAC address field.
  • For WiFi – Select the WiFi profile name. Then select the WiFi tab. Note or copy the current MAC address. Enter the MAC address of the console or other device in the Cloned MAC address field.

Bringing up the desired device

Once the Fedora system connects with the Ethernet or WiFi profile, the cloned MAC address is used to request an IP address, and the captive portal loads. Enter the credentials needed and/or select the user agreement. The MAC address will then get authorized.

Now, disconnect the WiFi or Ethernet profile, and change the Fedora system’s MAC address back to its original value. Then boot up the console or other device. The device should now be able to access the Internet, because its network interface has been authorized via your Fedora system.

This isn’t all that NetworkManager can do, though. For instance, check out this article on randomizing your system’s hardware address for better privacy.