Mastercard launches next-generation identity technology with Microsoft to help more consumers shop online safely

• New “trust” tool improves online experience and helps tackle digital fraud
• Microsoft named as first partner for new technology

PURCHASE, N.Y., and REDMOND, Wash. — April 25, 2022 — Mastercard on Monday announced the launch of an enhanced identity solution designed to improve the online shopping experience and tackle digital fraud in a new collaboration with Microsoft Corp.

Now more than ever, delivering a frictionless shopping experience is critical as retailers look to shift window shopping and price comparison visits to confirmed sales. And, while consumers enjoy the convenience of shopping online, fraudsters also seek to develop new methods to use these same channels for ill-gotten gains. One of the growing types of digital fraud is first-party fraud, where a legitimate purchase is made online but later disputed. First-party fraud is estimated to be a $50 billion global issue.

Mastercard has directly addressed these needs by enhancing its Digital Transaction Insights solution with next-generation authentication and real-time decisioning intelligence capabilities. The solution pairs Mastercard’s network insights with the merchant’s own data to confirm the consumer is who they claim to be, providing financial institutions with the additional intelligence needed to optimize their authorization decisions and approve more genuine transactions. Digital Transaction Insights is used across a wide range of online checkout instances, from click-to-pay functionality and wearables to digital wallets and in-app purchases.

Ajay Bhalla, president, Cyber and Intelligence at Mastercard, said, “Shopping online should be simple, quick and secure. But that isn’t always the case. We’re committed to developing advanced identity and fraud technology to help enhance the real-time intelligence we provide to financial institutions around the globe. This builds on our longstanding commitment of working across the industry to provide advanced technologies that enable trust, and help build a safe and thriving digital ecosystem for all.”

Microsoft will be the first partner to share its insights and integrate with the new Digital Transaction Insights solution across several lines of business. Building on a long history of collaboration, Microsoft has integrated the proprietary risk assessment from Dynamics 365 Fraud Protection, which uses adaptive AI to identify risky behaviors across purchase, account and in-store activities for real-time fraud detection, with Mastercard’s Digital Transaction Insights, so that real-time intelligence can be shared in an easily consumable and actionable format. This will enable issuers to enhance their decision-making for authorizations, chargebacks and refunds. Organizations can also improve transaction acceptance rates with insights that help them balance profitability and revenue opportunities against fraud loss and checkout friction.

Charles Lamanna, corporate vice president of Business Applications and Platforms at Microsoft, said, “We are excited to partner with Mastercard to leverage our cloud-native, cutting-edge fraud assessment tools to empower issuers and merchants to prevent more fraud and approve more genuine users. This partnership lays the foundation for the future of global fraud prevention where data silos are no longer a barrier to security.”

Digital Transaction Insights is enabled by EMV 3-D Secure and Mastercard Identity Check, a global authentication solution built on the enhanced industry standard. Both elements support GDPR requirements and other related regulations. In 2021 alone, Mastercard Identity Check delivered a 14% uplift in transaction approval rates across billions of transactions.

Additional resources

For more information about Microsoft Security solutions, visit Microsoft Security. Bookmark the Security blog to keep up with expert coverage on security matters. Also, follow @msftsecurity for the latest news and updates on cybersecurity.

About Mastercard (NYSE: MA)

Mastercard is a global technology company in the payments industry. Our mission is to connect and power an inclusive, digital economy that benefits everyone, everywhere by making transactions safe, simple, smart and accessible. Using secure data and networks, partnerships and passion, our innovations and solutions help individuals, financial institutions, governments and businesses realize their greatest potential. Our decency quotient, or DQ, drives our culture and everything we do inside and outside of our company. With connections across more than 210 countries and territories, we are building a sustainable world that unlocks priceless possibilities for all. www.mastercard.com

About Microsoft

Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

For more information, press only:

Microsoft Media Relations, WE Communications for Microsoft, (425) 638-7777, [email protected]

Dania Saidam, [email protected]

Note to editors: For more information, news and perspectives from Microsoft, please visit the Microsoft News Center at http://news.microsoft.com. Web links, telephone numbers and titles were correct at time of publication but may have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at https://news.microsoft.com/microsoft-public-relations-contacts.

Notorious cybercrime gang’s botnet disrupted

Today, we’re announcing that Microsoft’s Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a criminal botnet called ZLoader. ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.

We obtained a court order from the United States District Court for the Northern District of Georgia allowing us to take control of 65 domains that the ZLoader gang has been using to grow, control and communicate with its botnet. The domains are now directed to a Microsoft sinkhole, where they can no longer be used by the botnet’s criminal operators. ZLoader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains.

During our investigation, we identified one of the perpetrators behind the creation of a component used in the ZLoader botnet to distribute ransomware as Denis Malikov, who lives in the city of Simferopol on the Crimean Peninsula. We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes. Today’s legal action is the result of months of investigation that pre-date the current conflict in the region.

Originally, the primary goal of ZLoader was financial theft: stealing account login IDs, passwords and other information to take money from people’s accounts. ZLoader also included a component that disabled popular security and antivirus software, preventing victims from detecting the ZLoader infection. Over time, those behind ZLoader began offering malware as a service, a delivery platform to distribute ransomware including Ryuk. Ryuk is well known for targeting health care institutions to extort payment without regard to the patients it puts at risk.

DCU led the investigative effort behind this action in partnership with ESET, Black Lotus Labs (the threat intelligence arm of Lumen), and Palo Alto Networks Unit 42, with additional data and insights to strengthen our legal case from our partners the Financial Services Information Sharing and Analysis Centers (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC), in addition to our Microsoft Threat Intelligence Center and Microsoft Defender team. We also recognize the additional contribution from Avast in supporting our DCU field in Europe.

Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue its activities. We expect the defendants to make efforts to revive ZLoader’s operations. We have referred this case to law enforcement, are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals. We will work with internet service providers (ISPs) to identify and remediate victims. As always, we’re ready to take additional legal and technical action to address ZLoader and other botnets.

Learn the latest cybersecurity techniques at the May 12 digital Microsoft Security Summit

In a world marked by change and uncertainty, innovation is more than a nice-to-have—it’s vital to any healthy organization. But fearless innovation becomes impossible when gaps in security can put those ideas at risk.

Many organizations try to increase their defenses by piecing together a patchwork of security solutions over time. Not only is this piecemeal approach costly and difficult to manage, but it also leaves many security administrators wondering, “Did I miss something?”

Safeguard your future with the latest security innovations

On May 12, 2022, at the Microsoft Security Summit digital event, join other cybersecurity professionals in exploring how a comprehensive approach to security can empower organizations to innovate fearlessly—even in the face of evolving cyberthreats.

You’ll also be among the first to hear exciting announcements from Vasu Jakkal, Corporate Vice President of Security, Compliance, Identity, and Management at Microsoft, and engage in energizing conversations with leading cybersecurity experts about the role comprehensive security will play in our collective future.

Register for the Microsoft Security Summit today.

Get up to date on the security trends and projections

The security landscape is constantly evolving as the world continues to embrace a new model of hybrid work and bad actors shift their mode of attack. Cybercriminals are becoming more brazen and more sophisticated. It’s up to the collective security community to learn all we can about these criminals, familiarize ourselves with their techniques, and discover new ways to create better defenses against them.

At Microsoft, we’re doing all we can to help our customers stay ahead of bad actors and respond quickly when attacks occur. This includes informing security professionals about emerging risks and ensuring everyone who seeks to protect their organization is acquainted with the latest technologies.

This digital event is a great opportunity for you to listen in as Microsoft cybersecurity experts and technical researchers discuss the current threat landscape, the future of holistic threat intelligence, and share demos of brand-new security, compliance, identity, and privacy technologies already making waves in the industry. Staying informed is the first step to building a strong, resilient security strategy for your organization. We hope you’ll join us.

Extend protection to the outer limits

Comprehensive security starts with end-to-end coverage. Today’s organizations are moving increasingly more data and resources to the cloud while also working to integrate a growing number of unprotected devices into their security ecosystems. And the pace isn’t slowing.

To defend against sophisticated threats that move laterally across systems and platforms, you need a holistic view of your multicloud environment and a way to centrally manage the protection of your devices.

At this digital event, learn how to achieve least-privilege access across your multicloud, enable seamless information protection, identify critical privacy risks, and empower employees to make smart data handling decisions—without impeding productivity. This is an event you won’t want to miss.

Lay the foundation for a safer, more innovative future

Attend the Microsoft Security Summit on May 12, 2022, to experience the future of comprehensive security and explore the solutions that can get you there. Register to:

  • Learn how to strengthen your organization’s defenses in the face of evolving cyberthreats.
  • Get insights you can act on from defenders on the cybersecurity frontlines on topics like extended detection and response (XDR), proactive threat hunting, Zero Trust, and more.
  • Hear exciting product announcements from leading voices in Microsoft Security.
  • Watch demos of brand-new security, compliance, identity, and privacy technologies.
  • Plus, ask Microsoft cybersecurity and threat intelligence experts all your most pressing questions in a live chat Q&A.

Safeguard your future. Be fearless.

Register now.

Microsoft Security Summit
Digital event | May 12, 2022
9:00 AM to 12:00 PM Pacific Time (UTC-7)

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Disrupting cyberattacks targeting Ukraine

Today, we’re sharing more about cyberattacks we’ve seen from a Russian nation-state actor targeting Ukraine and steps we’ve taken to disrupt it.

We recently observed attacks targeting Ukrainian entities from Strontium, a Russian GRU-connected actor we have tracked for years. This week, we were able to disrupt some of Strontium’s attacks on targets in Ukraine. On Wednesday, April 6, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks. We have since redirected these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and to notify victims.

Strontium was using this infrastructure to target Ukrainian institutions including media organizations. It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy. We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information. We have notified Ukraine’s government about the activity we detected and the action we’ve taken.

This disruption is part of an ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid court decisions for this work. Prior to this week, we had taken action through this process 15 times to seize control of more than 100 Strontium-controlled domains.

The Strontium attacks are just a small part of the activity we have seen in Ukraine. Before the Russian invasion, our teams began working around the clock to help organizations in Ukraine, including government agencies, defend against an onslaught of cyberwarfare that has escalated since the invasion began and has continued relentlessly. Since then, we have observed nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure, and we continue to work closely with government and organizations of all kinds in Ukraine to help them defend against this onslaught. In the coming weeks we expect to provide a more comprehensive look at the scope of the cyberwar in Ukraine.

The metaverse is coming. Here are the cornerstones for securing it.

Beneath the buzz, the metaverse is arriving in both predictable and unexpected ways.

Some new experiences using headsets and mixed reality will be in your face – quite literally – but other implications will be harder to spot. As with all new categories, we’ll see intended and unintended innovations and experiences, and the security stakes will be higher than we imagine at first.

There is an inherent social engineering advantage with the novelty of any new technology. In the metaverse, fraud and phishing attacks targeting your identity could come from a familiar face – literally – like an avatar who impersonates your coworker, instead of a misleading domain name or email address. These types of threats could be deal breakers for enterprises if we don’t act now.

Because there will be no single metaverse platform or experience, interoperability is also crucial. Trust cannot end at the doorway of a virtual meeting space, for example; it must extend to the interactions and apps within. Otherwise, security uncertainty will leave people wondering what to say or do in a new virtual space and create gaps that can be exploited.

Which brings us to the importance of these early days for the metaverse: We have one chance at the start of this era to establish specific, core security principles that foster trust and peace of mind for metaverse experiences. If we miss this opportunity, we’ll needlessly deter the adoption of technologies with great potential for improving accessibility, collaboration and business. The security community must work together to build a foundation to safely work, shop and play.

So what can we expect — and how can we create a trusted environment in the metaverse?

It’s important to remember that history often repeats itself
Technology shifts have a way of seeping in while we’re looking the other way. Consider the fact that real estate booms in virtual worlds aren’t new – coveted dot-com domain names were hot with brokers and speculators in the 1990s.

The early World Wide Web would indeed revolutionize commerce, but it would do so in ways many did not fully anticipate in the 1990s. Meanwhile, the ease of setting up a website also led to a gold rush of fraud with knock-off domains impersonating banks, government agencies and household brand names. These problems persist to this day.

We have seen this cycle play out again and again. When Wi-Fi was first available on laptops, corporate security teams were wary of embracing it. Before long, you could not buy a laptop without Wi-Fi, whether your organization had accounted for wireless in its security policies or not.

When the iPhone and Android phones exploded onto the scene, they became a massive catalyst for BYOD (bring your own device) policies in the workplace. Almost overnight, personal devices became a new category and organizations had to catch up. We can logically expect metaverse-influenced features and experiences to arrive at enterprises in much the same fashion.

Let’s learn from these lessons and stay ahead of the curve
We’ve long known that security is a team sport, and no single vendor, product or technology can go it alone in protection. The culture of information-sharing and collaboration in the defender community today has been a monumental achievement that did not happen overnight. Today ISPs, cloud providers, device manufacturers — even industry rivals in these markets — recognize the need to work together on security issues.

Sitting now at the gateway of a new dimension in technology, it’s critical to align on key priorities to help secure the metaverse for generations — and identity, transparency and a continued sense of unity among defenders will be key.

Identity is where intruders strike first
For years, fraudsters have claimed to be deposed princes with fortunes to share, or sweepstakes hosts desperately trying to reach you, and the advent of email and text messaging carried these schemes into the digital world.

Play this forward, and picture what phishing could look like in the metaverse. It won’t be a fake email from your bank. It could be an avatar of a teller in a virtual bank lobby asking for your information. It could be an impersonation of your CEO inviting you to a meeting in a malicious virtual conference room.

This is why solving for identity in the metaverse is a top concern. Organizations need to know that adopting metaverse-enabled apps and experiences won’t upend their identity and access control. This means we have to make identity manageable for enterprises in this new world.

Constructive steps include making things like multi-factor authentication (MFA) and passwordless authentication integral to platforms. We can also build on recent innovations in the multicloud arena, where IT admins can use a single console to govern access to multiple cloud app experiences their users rely on.

Transparency and interoperability will be key
There will be many providers of platforms and experiences in the metaverse, and true interoperability can make the boundaries between them seamless and more secure, while enabling exciting new scenarios. Think of bringing your virtual PowerPoint presentation into a client’s virtual meeting room, even if it’s operating on a different platform.

Transparency can help enable this every step of the way. New platforms usually run a tough gauntlet once they arrive in enterprises at scale — that is often when security researchers really begin probing code, features and product claims.

Metaverse stakeholders should anticipate security questions and be prepared to jump on any updates. There must be clear and standard communication around terms of service, security features like where and how encryption is used, vulnerability reporting and updates.

Transparency helps accelerate adoption — it speeds the learning process for security.

Our strongest defense is working together
The problems of yesterday’s and today’s Internet — impersonation, attempts to steal credentials, social engineering, nation state espionage, inevitable vulnerabilities — will be with us in the metaverse. And it will take the same security community of good faith, norms and teamwork to anticipate and respond to them.

The strides we’ve made across the tech industry in cooperating against threats, as the stakes have risen in recent years, remain a cornerstone for security as metaverse platforms and experiences begin to shape the future.

Security researchers, chief information security officers and industry stakeholders also have an opportunity to understand the terrain of the metaverse as adversaries do — and use it to our advantage. Metaverse platforms will likely create and generate entirely new data streams with the potential to improve authentication, pinpoint suspect or malicious activity or even revisualize cybersecurity to help human analysts make decisions in the moment.

As with any new frontier, high expectations, fierce competition, uncertainty and learning on the fly will define how the metaverse evolves — and the same is true for securing it. But we do not need to predict the ultimate impact of the metaverse to recognize and embrace the security and trust principles that make the journey a safer one for all.

Let’s make the lessons we’ve learned about identity, transparency and the security community’s powerful collaboration our top ideals to enable this next wave of technology to reach its full potential.

Closing the cybersecurity skills gap – Microsoft expands efforts to 23 countries

Cybersecurity continues to be a significant threat for governments, businesses and individuals around the world. From supply chain disruptions to ransomware attacks, cybercriminals have become increasingly sophisticated and the threat landscape more diverse. These cybersecurity challenges are compounded by a workforce shortage; there simply aren’t enough people with the cybersecurity skills needed to fill open jobs.

This is a global problem. By 2025, there will be 3.5 million cybersecurity jobs open globally, representing a 350% increase over an eight-year period. We recently announced a national skilling campaign in the United States, where for every two cybersecurity jobs filled today, a third goes unfilled. We’re working with community colleges to help close the gap and increase diversity in the profession. Today, Microsoft is announcing the expansion of our cybersecurity skills campaign to an additional 23 countries.

The expansion will see new targeted investments in the following countries: Australia, Belgium, Brazil, Canada, Colombia, Denmark, France, Germany, India, Ireland, Israel, Italy, Japan, Korea, Mexico, New Zealand, Norway, Poland, Romania, South Africa, Sweden, Switzerland, and the United Kingdom. These countries have an elevated cyberthreat risk, coupled with a significant gap in their cybersecurity workforces, both in the number of professionals employed in cybersecurity relative to demand and in the diversity of that workforce.

Based on our research, we’ve created a Power BI to shed light on the cybersecurity skills gap in these countries:

As with our U.S. program, one of our goals is to ensure traditionally excluded populations, including women, have opportunities to enter the cybersecurity workforce. The global cybersecurity workforce is woefully lacking in diversity: in the countries where we are expanding our campaign, on average, only 17% of the cybersecurity workforce is female. Leaving women out of the cybersecurity workforce leaves talent on the table and will only hurt our ability to close the skills gap. This isn’t just about equality; there’s a business case too: gender-diverse businesses perform better.

Chart: Gender disparity among cybersecurity professionals in 23 countries.

Global scale, meeting local needs
To address the cybersecurity skills gap, there are a few baseline elements that are needed around the world:

First, we need to better understand the skills gap and share best practices. As a broader community, we can’t solve a problem we don’t fully understand, which is why Microsoft is launching a new partnership with the Organization for Economic Cooperation and Development (OECD) to not only develop a detailed study on the skills gap in selected countries but also improve the ability to grow cybersecurity workforces through postsecondary education and training. Together with the OECD, we will make this data publicly available to allow both policymakers and businesses to make more informed decisions, and we will convene member countries to share learnings and best practices.

Second, anyone interested in pursuing cybersecurity as a career – whether students, people changing careers or current IT professionals – needs access to industry-aligned skilling content so that they can train for these critical roles. That is why, as part of this expansion, we are offering free training for cybersecurity pathways through our LinkedIn Learning platform, including courses like “The Cybersecurity Threat Landscape” and “Cybersecurity Foundations.” Additionally, learners seeking more technical skilling opportunities can access free security courses through our Microsoft Learn platform, with 47 Learning Paths and hundreds of hours of content.

Third, educational institutions need more teachers able and equipped to teach cybersecurity students, which is why we are partnering with educational institutions to provide curriculum. Through our Microsoft Learn for Educators program, we are providing all higher education institutions with access to free curriculum, educator training and tools for teaching, including coursework like Microsoft Security, Compliance and Identity Fundamentals, Microsoft Azure Security Technologies certification and more. We also provide faculty at all these institutions with access to additional resources including free practice and certification exams, curriculum integration support and more. To date, more than 1,000 institutions of higher education around the world have joined the program.

Fourth, we need to provide support to diverse and underserved job seekers. That’s why we are partnering with Ecole 42, a tuition-free global computer science training program with a mission to educate the next generation of software engineers, to make Microsoft cybersecurity content available to its 15,000 learners globally, using peer-to-peer learning and gamification. We’re also launching a partnership with Women in Cybersecurity, a nonprofit with the mission of recruiting, retaining and advancing women in cybersecurity, to expand their student chapters in these 23 countries, helping promote the retention and advancement of women in cybersecurity.

Finally, the cybersecurity skills gap will not be solved with a one-size-fits-all solution. In each of the countries where we are expanding our campaign, Microsoft will work with local education institutions, nonprofits, governments and businesses to develop a cybersecurity skills program that fits the unique needs of their own market – anchored in data about the cybersecurity skills gap in each country. That said, we are building the framework based on a common set of needs, and ensuring we expand access to tools we have available today.

Global expansion
Work is already underway. Here are just a few examples, and we’ll share more details about countries’ plans in the coming weeks and months:

In Colombia, the government has embarked on an initiative to increase its national cybersecurity capacity, including the implementation of professional training programs in areas such as digital security, information security, cybersecurity and critical infrastructure. Our cybersecurity skills work in Colombia will support this effort, helping people acquire cybersecurity and digital skills needed for in-demand jobs. That’s why we’re working with Servicio Nacional de Aprendizaje (SENA), a Colombian public institution that provides free vocational training to millions of Colombians, the Universidad de los Andes, a major private university in Colombia, and local nongovernmental organizations, to offer a “train the trainers” program to equip more than 68,000 Colombians, including 20,000 women, with the skills needed to help fill the many open cybersecurity jobs.

In India, we’re building on our existing CyberShikshaa program, which is helping break down the gender divide in the cybersecurity field. Since 2018, we have helped young women with technical training in cybersecurity, with mentoring from industry experts, especially women leaders in the field, followed by job placement assistance with leading companies. By 2025, the cybersecurity sector in India will have an estimated 1.5 million job vacancies. This represents a 42% talent shortage, even as cybersecurity employment is projected to grow by 32% by 2028, according to India’s Labor Bureau. The demand is there, but more must be done to meet it; most higher-education and technical institutes do not offer cybersecurity courses.

That’s why we have also partnered with ICT Academy, a nonprofit partner in India, to develop cybersecurity training programs for educators and higher-education students at 100 institutions in five states, with an emphasis on rural colleges. Through this initiative, CyberShikshaa for Educators, we’ll help more faculty become cybersecurity trainers, and then provide students cybersecurity training and job placement assistance to help them find new careers. In the first phase, we aim to train about 6,000 students and will then work with our partner network to connect students to job opportunities and internships.

A look at our U.S. progress – and a look to the future
In the five months since we announced our U.S. cybersecurity skills for jobs campaign, we are making progress. Today, we are working with 135 U.S. community colleges, providing access to free curriculum, educator training and tools for teaching. We’re sharing cybersecurity best practices with schools through the American Association of Community Colleges, the first of three cohorts to which we are providing grants that fund technical assistance to accelerate their cybersecurity programs. Finally, we’re granting scholarships to students seeking a degree or certification in a cybersecurity field. We are learning a lot and will share more in the months to come.

The number of cybersecurity attacks around the world is increasing every day, and increasing in complexity as cybercriminals continue to escalate their activity. People will be impacted no matter where they live. It’s critical that we invest in the cybersecurity workforce to ensure there are enough people with the skills needed to thwart these attacks and protect the digital ecosystem to keep organizations secure and people safe.


DEV-0537 criminal actor targeting organizations for data exfiltration and destruction

In recent weeks, Microsoft Security teams have been actively tracking a large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements. As this campaign has accelerated, our teams have been focused on detection, customer notifications, threat intelligence briefings, and sharing with our industry collaboration partners to understand the actor’s tactics and targets. Over time, we have improved our ability to track this actor and helped customers minimize the impact of active intrusions and in some cases worked with impacted organizations to stop attacks prior to data theft or destructive actions. Microsoft is committed to providing visibility into the malicious activity we’ve observed and sharing insights and knowledge of actor tactics that might be useful for other organizations to protect themselves. While our investigation into the most recent attacks is still in progress, we will continue to update this blog when we have more to share.

The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors. DEV-0537 is also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.

Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations. DEV-0537 also uses several tactics that are less frequently used by other threat actors tracked by Microsoft. Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.

The social engineering and identity-centric tactics leveraged by DEV-0537 require detection and response processes that are similar to insider risk programs, but also involve the short response timeframes needed to deal with malicious external threats. In this blog, we compile the tactics, techniques, and procedures (TTPs) we’ve observed across multiple attacks and compromises. We also provide baseline risk mitigation strategies and recommendations to help organizations harden their security against this unique blend of tradecraft.

Analysis

The actors behind DEV-0537 focused their social engineering efforts to gather knowledge about their target’s business operations. Such information includes intimate knowledge about employees, team structures, help desks, crisis response workflows, and supply chain relationships. Examples of these social engineering tactics include spamming a target user with multifactor authentication (MFA) prompts and calling the organization’s help desk to reset a target’s credentials.

Microsoft Threat Intelligence Center (MSTIC) assesses that the objective of DEV-0537 is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.

While this actor’s TTPs and infrastructure are constantly changing and evolving, the following sections provide additional details on the very diverse set of TTPs we have observed that DEV-0537 is using.

Initial access

DEV-0537 uses a variety of methods that are typically focused on compromising user identities to gain initial access to an organization including:

  • Deploying the malicious Redline password stealer to obtain passwords and session tokens
  • Purchasing credentials and session tokens from criminal underground forums
  • Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
  • Searching public code repositories for exposed credentials

Using the compromised credentials and/or session tokens, DEV-0537 accesses internet-facing systems and applications. These systems most commonly include virtual private network (VPN), remote desktop protocol (RDP), virtual desktop infrastructure (VDI) including Citrix, or identity providers (including Azure Active Directory and Okta). For organizations using MFA, DEV-0537 used two main techniques to satisfy MFA requirements: session token replay, and using stolen passwords to trigger simple-approval MFA prompts in the hope that the legitimate user of the compromised account eventually consents to the prompts and grants the necessary approval.

In some cases, DEV-0537 first targeted and compromised an individual’s personal or private (non-work-related) accounts giving them access to then look for additional credentials that could be used to gain access to corporate systems. Given that employees typically use these personal accounts or mobile phone numbers as their second-factor authentication or password recovery, the group would often use this access to reset passwords and complete account recovery actions.

Microsoft also found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners). DEV-0537 advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system. Such a tactic was just one of the ways DEV-0537 took advantage of the security access and business relationships their target organizations have with their service providers and supply chains. 

Partial screenshot of a messaging application showing a text message from LAPSUS$ with the following heading: We recruit employees/insider at the following!!!!
Figure 1. Screenshot of an ad recruiting employees to give out access to their employer’s network

In other observed activity, DEV-0537 actors performed a SIM-swapping attack to access a user’s phone number before signing into the corporate network. This method allows the actors to handle phone-based authentication prompts they need to gain access to a target.  

Once standard user credentials or access was obtained, DEV-0537 typically connected a system to an organization’s VPN. In some cases, to meet conditional access requirements, DEV-0537 registered or joined the system to the organization’s Azure Active Directory (Azure AD).

Reconnaissance and privilege escalation

Once DEV-0537 obtained access to the target network using the compromised account, they used multiple tactics to discover additional credentials or intrusion points to extend their access including:

  • Exploiting unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence
  • Searching code repositories and collaboration platforms for exposed credentials and secrets

They have been consistently observed to use AD Explorer, a publicly available tool, to enumerate all users and groups in the said network. This allows them to understand which accounts might have higher privileges. They then proceeded to search collaboration platforms like SharePoint or Confluence, issue-tracking solutions like JIRA, code repositories like GitLab and GitHub, and organization collaboration channels like Teams or Slack to discover further high-privilege account credentials to access other sensitive information.

DEV-0537 is also known to exploit vulnerabilities in Confluence, JIRA, and GitLab for privilege escalation. The group compromised the servers running these applications to get the credentials of a privileged account or run in the context of the said account and dump credentials from there. The group used DCSync attacks and Mimikatz to perform privilege escalation routines. Once domain administrator access or its equivalent has been obtained, the group used the built-in ntdsutil utility to extract the AD database.

In some cases, DEV-0537 even called the organization’s help desk and attempted to convince the support personnel to reset a privileged account’s credentials. The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure. Observed actions have included DEV-0537 answering common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity. Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges.

Exfiltration, destruction, and extortion

Based on our observation, DEV-0537 has dedicated infrastructure it operates in known virtual private server (VPS) providers and leverages NordVPN for its egress points. DEV-0537 is aware of detections such as impossible travel and thus picked VPN egress points that were geographically similar to their targets. DEV-0537 then downloaded sensitive data from the targeted organization, for future extortion or public release, to the system joined to the organization’s VPN and/or Azure AD.

DEV-0537 has been observed leveraging access to cloud assets to create new virtual machines within the target’s cloud environment, which they use as actor-controlled infrastructure to perform further attacks across the target organization.

If they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), DEV-0537 creates global admin accounts in the organization’s cloud instances, sets an Office 365 tenant-level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, so that the actor has sole control of the cloud resources, effectively locking the organization out of all access. After exfiltration, DEV-0537 often deletes the target’s systems and resources. We’ve observed deletion of resources both on-premises (for example, VMware vSphere/ESXi) and in the cloud to trigger the organization’s incident and crisis response process.

The actor has been observed then joining the organization’s crisis communication calls and internal discussion boards (Slack, Teams, conference calls, and others) to understand the incident response workflow and their corresponding response. It is assessed this provides DEV-0537 insight into the victim’s state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands. Notably, DEV-0537 has been observed joining incident response bridges within targeted organizations responding to destructive actions. In some cases, DEV-0537 has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made and DEV-0537 publicly leaked the data they stole.

Impact

Early observed attacks by DEV-0537 targeted cryptocurrency accounts resulting in compromise and theft of wallets and funds. As they expanded their attacks, the actors began targeting telecommunication, higher education, and government organizations in South America. More recent campaigns have expanded to include organizations globally spanning a variety of sectors. Based on observed activity, this group understands the interconnected nature of identities and trust relationships in modern technology ecosystems and targets telecommunications, technology, IT services and support companies, to leverage their access from one organization to access the partner or supplier organizations. They have also been observed targeting government entities, manufacturing, higher education, energy, retailers, and healthcare.

Microsoft will continue to monitor DEV-0537 activity and implement protections for our customers. The current detections and advanced detections in place across our security products are detailed in the following sections.

Actor actions targeting Microsoft

This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.

Recommendations

Strengthen MFA implementation

Multifactor authentication (MFA) is one of the primary lines of defense against DEV-0537. While this group attempts to identify gaps in MFA, it remains a critical pillar in identity security for employees, vendors, and other personnel alike. See the following recommendations to implement MFA more securely:

Do:

  • Require multifactor authentication for all users coming from all locations, including perceived trusted environments, and for all internet-facing infrastructure, even for those coming from on-premises systems.
  • Leverage more secure implementations such as FIDO Tokens, or the Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
  • Use Azure AD Password Protection to ensure that users aren’t using easily-guessed passwords. Our blog about password spray attacks outlines additional recommendations.
  • Leverage passwordless authentication methods such as Windows Hello for Business, Microsoft Authenticator, or FIDO tokens to reduce risks and user experience issues associated with passwords.

Do NOT:

  • Use weak MFA factors such as text messages (susceptible to SIM swapping), simple voice approvals, simple push (instead, use number matching), or secondary email addresses.
  • Include location-based exclusions. MFA exclusions allow an actor with only one factor for a set of identities to bypass the MFA requirements if they can fully compromise a single identity.
  • Allow credential or MFA factor sharing between users.
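As an added example (not Microsoft’s code), the following Python audit flags a Conditional Access policy that carries the location and group exclusions the list above warns against, beside one that enforces MFA everywhere. The policy dictionaries follow the shape of Microsoft Graph conditionalAccessPolicy objects (an assumption about that schema), and both sample policies are constructed for illustration.

```python
"""Audit Conditional Access policies for the MFA weaknesses described above.

Added example, not Microsoft's code. The policy dictionaries mirror the
shape of Microsoft Graph conditionalAccessPolicy objects (an assumption
about that schema); the sample policies themselves are constructed.
"""
from typing import Dict, List

# Constructed sample: looks like "MFA for everyone", but carves out trusted
# locations and one group. An attacker who fully compromises one identity in
# that group, or who egresses from a trusted network, never meets MFA.
WEAK_POLICY: Dict = {
    "displayName": "Require MFA (weak)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [],
                  "excludeGroups": ["<placeholder-group-id>"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Corrected form: all users, all apps, all locations, no exclusions.
STRONG_POLICY: Dict = {
    "displayName": "Require MFA (everywhere)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [],
                  "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def audit_mfa_policy(policy: Dict) -> List[str]:
    """Return findings for one policy; an empty list means it matches the guidance."""
    findings: List[str] = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    loc = cond.get("locations") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []

    # Report-only or disabled policies enforce nothing.
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state != enabled)")
    if "mfa" not in controls:
        findings.append("grant controls do not require MFA")
    if users.get("includeUsers") != ["All"]:
        findings.append("policy does not apply to all users")
    # Any excluded user or group is an identity that needs only one factor.
    if users.get("excludeUsers") or users.get("excludeGroups"):
        findings.append("user or group exclusions let a single compromised identity skip MFA")
    if apps.get("includeApplications") != ["All"]:
        findings.append("policy does not cover all applications")
    # The 'Do NOT' list above: no location-based exclusions, trusted or not.
    if loc.get("excludeLocations"):
        findings.append("location-based exclusion: " + ", ".join(loc["excludeLocations"]))
    if loc and loc.get("includeLocations") != ["All"]:
        findings.append("policy is scoped to specific locations rather than all")
    return findings


if __name__ == "__main__":
    for p in (WEAK_POLICY, STRONG_POLICY):
        print(p["displayName"], "->", audit_mfa_policy(p) or "OK")
```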

Require healthy and trusted endpoints

  • Require trusted, compliant, and healthy devices for access to resources to prevent data theft.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.

Leverage modern authentication options for VPNs

VPN authentication should leverage modern authentication options such as OAuth or SAML connected to Azure AD to enable risk-based sign-in detection. Modern authentication enables blocking authentication attempts based on sign-in risk, requiring compliant devices for sign in, and tighter integration with your authentication stack to provide more accurate risk detections. Implementation of modern authentication and tight conditional access policies on VPN has been shown to be effective against DEV-0537’s access tactics.

Strengthen and monitor your cloud security posture

DEV-0537 leverages legitimate credentials to perform malicious actions against customers. Since these credentials are legitimate, some activity performed might seem consistent with standard user behavior. Use the following recommendations to improve your cloud security posture:

Screenshot of Microsoft Azure AD Identity Protection
Figure 2. Using Azure AD Identity Protection to review risk detections

Improve awareness of social engineering attacks

Microsoft recommends raising and improving awareness of social engineering tactics to protect your organization. Educate members of your technical team to watch out for and report any unusual contacts with colleagues. IT help desks should be hypervigilant about suspicious users and ensure that they are tracked and reported immediately. We recommend reviewing help desk policies for password resets for highly privileged users and executives to take social engineering into consideration.

Embed a culture of security awareness in your organization by educating employees about help desk verification practices. Encourage them to report suspicious or unusual contacts from the help desk. Education is the number one defense against social engineering attacks such as this one and it is important to make sure that all employees are aware of the risks and known tactics.

Establish operational security processes in response to DEV-0537 intrusions

DEV-0537 is known to monitor and intrude in incident response communications. As such, these communication channels should be closely monitored for unauthorized attendees and verification of attendees should be performed visually or audibly.

We advise organizations to follow very tight operational security practices when responding to an intrusion believed to be DEV-0537. Organizations should develop an out-of-band communication plan for incident responders that is usable for multiple days while an investigation occurs. Documentation of this response plan should be closely held and not easily accessible.

Microsoft continues to track DEV-0537’s activities, tactics, malware, and tools. We will communicate any additional insights and recommendations as we investigate their actions against our customers.


Using Microsoft 365 Defender to protect against Solorigate

Microsoft security researchers continue to investigate and respond to the sophisticated cyberattack known as Solorigate (also referred to as Sunburst by FireEye) involving a supply chain compromise and the subsequent compromise of cloud assets. While the related investigations and impact assessments are ongoing, Microsoft is providing visibility into the attack chains and related threat intelligence to the defender community as early as possible so organizations can identify and take action to stop this attack, understand the potential scope of its impact, and begin the recovery process from this active threat. We have established a resource center that is constantly updated as more information becomes available at https://aka.ms/solorigate.

This blog is a comprehensive guide for security operations and incident response teams using Microsoft 365 Defender to identify, investigate, and respond to the Solorigate attack if it’s found in your environment. The description of the attack in this blog is based on current analysis and investigations by researchers across Microsoft, our partners, and the intelligence community who are actively collaborating to respond to the attack. This is an active threat that continues to evolve, and the findings included here represent what we know at the time of publishing. We continue to publish and update intelligence, indicators, tactics, techniques, and procedures (TTPs), and related details as we discover them. The report from the Microsoft Security Response Center (MSRC) includes the latest analysis of this threat, known indicators of compromise (IOCs), and initial recommended defenses, and will be updated as new data becomes available.

This blog covers:

Tracking the cross-domain Solorigate attack from endpoint to the cloud

The Solorigate attack is an example of a modern cross-domain compromise. Since these kinds of attacks span multiple domains, having visibility into the entire scope of the attack is key to stopping and preventing its spread.

This attack features a sophisticated technique involving a software supply chain compromise that allowed attackers to introduce malicious code into signed binaries on the SolarWinds Orion Platform, a popular IT management software. The compromised application grants attackers “free” and easy deployment across a wide range of organizations who use and regularly update the application, with little risk of detection because the signed application and binaries are common and are considered trusted. With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating within (while others remain an option at any point as long as the backdoor is installed and undetected). Based on our investigations, the next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources through the following steps:

  1. Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device
  2. Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using either of two methods:
    1. Stealing the SAML signing certificate (Path 1)
    2. Adding to or modifying existing federation trust (Path 2)
  3. Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud

Diagram of the high-level Solorigate attack chain

Figure 1. High-level end-to-end Solorigate attack chain

This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected. The deeply integrated cross-domain security capabilities in Microsoft 365 Defender can empower organizations and their security operations center (SOC) teams to uncover this attack, scope out the end-to-end breach from endpoint to the cloud, and take action to block and remediate it. This blog will offer step-by-step guidance to do this by outlining:

  • How indicators of attack show up across endpoints, identity, and the cloud
  • How Microsoft 365 Defender automatically combines alerts across these different domains into a comprehensive end-to-end story
  • How to leverage the powerful toolset available for deep investigation, hunting, and response to enable SOCs to battle the attackers and evict these attackers from both on-premises and cloud environments

Threat analytics: Understanding and responding to active attacks

As soon as this attack was discovered, Microsoft researchers published two threat analytics reports to help organizations determine if they are affected, assess the impact of the attack, and identify actions to contain it.

The reports are published in Microsoft 365 security center, available to all Microsoft Defender for Endpoint customers and Microsoft 365 Defender early adopters. In addition to detailed descriptions of the attack, TTPs, and indicators of compromise (IoCs), the reports provide real-time data aggregated from signals across Microsoft 365 Defender, indicating the all-up impact of the threat to the organization, as well as details about relevant incidents and alerts to initiate investigation on. These reports continue to be updated as additional information becomes available.

Given the significance of this threat, we are making similar relevant Microsoft threat intelligence data, including the updated list of IOCs, available to everyone publicly. A comprehensive list of guidance and insights is available at https://aka.ms/solorigate.

Screenshot of threat analytics report on Solorigate in Microsoft Defender Security Center

Figure 2. Threat analytics report on Solorigate attack

We recommend that Microsoft 365 Defender customers start their investigations here. After gaining a deep understanding of the threat and getting the latest research findings, you can take the following recommended steps:

Find devices with the compromised SolarWinds Orion application

The threat analytics report uses insights from threat and vulnerability management to identify devices that have the compromised SolarWinds Orion Platform binaries or are exposed to the attack due to misconfiguration.

From the Vulnerability patching status chart in threat analytics, you can view the mitigation details to see a list of devices with the vulnerability ID TVM-2020-0002, which was added specifically to help with Solorigate investigations:

Threat and vulnerability management insights on impact of Solorigate

Figure 3. Threat and vulnerability management data shows data on exposed devices

Threat and vulnerability management provides more info about the vulnerability ID TVM-2020-0002, as well as all relevant applications, via the Software inventory view. There are also multiple security recommendations to address this specific threat, including instructions to update the software versions installed on exposed devices.

Screenshot of security recommendations for Solorigate in Microsoft Defender Security Center

Figure 4. Security recommendations from threat and vulnerability management

Investigate related alerts and incidents

From the threat analytics report, you can quickly locate devices with alerts related to the attack. The Devices with alerts chart identifies devices with malicious components or activities known to be directly related to Solorigate. Click through to get the list of alerts and investigate.

Some Solorigate activities may not be directly tied to this specific threat but will trigger alerts due to generally suspicious or malicious behaviors. All alerts in Microsoft 365 Defender provided by different Microsoft 365 products are correlated into incidents. Incidents help you see the relationship between detected activities, better understand the end-to-end picture of the attack, and investigate, contain, and remediate the threat in a consolidated manner.

Review incidents in the Incidents queue and look for those with alerts relevant to this attacker’s TTPs, as described in the threat analytics report (also listed at the end of this blog).

Screenshot of Microsoft Defender Security Center incidents view for Solorigate

Figure 5. Consolidated Incident view for Solorigate

Some alerts are specially tagged with Microsoft Threat Experts to indicate malicious activities that Microsoft researchers found in customer environments during hunting. As part of the Microsoft Threat Experts service, researchers investigated this attack as it unfolded, hunting for associated attacker behaviors, and sent targeted attack notifications. If you see an alert tagged with Microsoft Threat Experts, we strongly recommend that you give it immediate attention.

Screenshot of Microsoft Defender Security Center showing Microsoft Threat Experts detections

Figure 6. Microsoft Threat Experts targeted attack notification

Additionally, Microsoft Threat Experts customers with Experts on demand subscriptions can reach out directly to our on-demand hunters for additional help in understanding the Solorigate threat and the scope of its impact in their environments.

Hunt for related attacker activity

The threat analytics report also provides advanced hunting queries that can help analysts locate additional related or similar activities across endpoint, identity, and cloud. Advanced hunting uses a rich set of data sources, but in response to Solorigate, Microsoft has enabled streaming of Azure Active Directory (Azure AD) audit logs into advanced hunting, available for all customers in public preview. These logs provide traceability for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles, and policies. Customers who do not have Microsoft Defender for Endpoint or are not early adopters for Microsoft 365 Defender can see our recommended advanced hunting queries.

Currently, this data is available to customers who have Microsoft Cloud App Security with the Office 365 connector. Our intent is to expand availability to more Microsoft 365 Defender customers. The new log data is available in the CloudAppEvents table:

CloudAppEvents
| where Application == "Office 365"

The log data contains activity logs useful for investigating and finding Azure AD-related activities. This data further enriches the CloudAppEvents table, which also has Exchange Online and Microsoft Teams activities.

As part of making this new data available, we also published a handful of relevant advanced hunting queries, identified by the suffix [Solorigate], to the GitHub repo.

Here’s an example query that helps you see when credentials are added to an Azure AD application after ‘Admin Consent’ permissions were granted:

CloudAppEvents
| where Application == "Office 365"
| where ActionType == "Consent to application."
| where RawEventData.ModifiedProperties[0].Name == "ConsentContext.IsAdminConsent" and RawEventData.ModifiedProperties[0].NewValue == "True"
| extend spnID = tostring(RawEventData.Target[3].ID)
| parse tostring(RawEventData.ModifiedProperties[4].NewValue) with * "=> [[" dummy "Scope: " After "]]" *
| extend PermissionsGranted = split(After, "]", 0)
| project ConsentTime = Timestamp, AccountDisplayName, spnID, PermissionsGranted
| join (
    CloudAppEvents
    | where Application == "Office 365"
    | where ActionType == "Add service principal credentials." or ActionType == "Update application – Certificates and secrets management "
    | extend spnID = tostring(RawEventData.Target[3].ID)
    | project AddSecretTime = Timestamp, AccountDisplayName, spnID
) on spnID
// credential added after consent, by a different account than the one that consented
| where ConsentTime < AddSecretTime and AccountDisplayName != AccountDisplayName1
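
As an added example that is not part of the original post, here is the same correlation expressed in Python over a handful of constructed audit rows, so the logic can be exercised offline: an admin consent on a service principal followed by a credential addition on that principal by a different account. The column names mirror the query above; the Consent field, every value in the sample, and the seven-day window are assumptions (the query itself imposes no window).

```python
import re
from datetime import datetime, timedelta

# Constructed sample rows shaped like the CloudAppEvents columns the query
# above reads. Every value here is made up. "Consent" carries the
# ModifiedProperties NewValue string in the "[] => [[..., Scope: ...]]" layout
# that the query's parse operator expects.
SAMPLE_EVENTS = [
    {"Timestamp": "2020-12-14T09:00:00", "ActionType": "Consent to application.",
     "AccountDisplayName": "admin@contoso.example", "spnID": "spn-111",
     "IsAdminConsent": "True",
     "Consent": "[] => [[Id: 1a2b, ClientId: app-111, Scope: Mail.Read User.Read]]"},
    {"Timestamp": "2020-12-14T11:30:00", "ActionType": "Add service principal credentials.",
     "AccountDisplayName": "svc-deploy@contoso.example", "spnID": "spn-111"},
    # Same account consents and adds a key a few minutes later: routine, not flagged.
    {"Timestamp": "2020-12-14T12:00:00", "ActionType": "Consent to application.",
     "AccountDisplayName": "admin@contoso.example", "spnID": "spn-222",
     "IsAdminConsent": "True",
     "Consent": "[] => [[Id: 3c4d, ClientId: app-222, Scope: User.Read]]"},
    {"Timestamp": "2020-12-14T12:05:00", "ActionType": "Add service principal credentials.",
     "AccountDisplayName": "admin@contoso.example", "spnID": "spn-222"},
    # Credential added the day before consent: the ordering check excludes it.
    {"Timestamp": "2020-12-13T08:00:00",
     "ActionType": "Update application – Certificates and secrets management ",
     "AccountDisplayName": "other@contoso.example", "spnID": "spn-333"},
    {"Timestamp": "2020-12-14T08:00:00", "ActionType": "Consent to application.",
     "AccountDisplayName": "admin@contoso.example", "spnID": "spn-333",
     "IsAdminConsent": "True",
     "Consent": "[] => [[Id: 5e6f, ClientId: app-333, Scope: Mail.ReadWrite]]"},
]

# The two Azure AD audit operations the query treats as "a credential was added".
CREDENTIAL_ACTIONS = {
    "Add service principal credentials.",
    "Update application – Certificates and secrets management ",
}
SCOPE_RE = re.compile(r"=> \[\[.*?Scope: ([^\]]*)\]\]")


def parse_scopes(consent_value):
    """Pull the granted scopes out of the '[] => [[..., Scope: a b c]]' string."""
    m = SCOPE_RE.search(consent_value)
    return m.group(1).split() if m else []


def consent_then_credential(events, max_gap=timedelta(days=7)):
    """Admin consents followed, within max_gap, by a credential addition on the
    same service principal by a different account. Returns one tuple per pair:
    (spnID, consenting account, credential-adding account, scopes granted)."""
    consents = [e for e in events
                if e["ActionType"] == "Consent to application."
                and e.get("IsAdminConsent") == "True"]
    creds = [e for e in events if e["ActionType"] in CREDENTIAL_ACTIONS]
    hits = []
    for c in consents:
        consent_time = datetime.fromisoformat(c["Timestamp"])
        for k in creds:
            # Same principal, different actor (the query's spnID join and
            # AccountDisplayName != AccountDisplayName1 filter).
            if k["spnID"] != c["spnID"] or k["AccountDisplayName"] == c["AccountDisplayName"]:
                continue
            add_time = datetime.fromisoformat(k["Timestamp"])
            if consent_time < add_time <= consent_time + max_gap:
                hits.append((c["spnID"], c["AccountDisplayName"],
                             k["AccountDisplayName"], parse_scopes(c["Consent"])))
    return hits


if __name__ == "__main__":
    for hit in consent_then_credential(SAMPLE_EVENTS):
        print(hit)
```

On the sample only spn-111 is reported: the consent and the credential came from different accounts, in that order. The scopes are carried along so the analyst can see at a glance whether the newly credentialed app can read mail.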

Microsoft 365 Defender advanced hunting can also assist in many of the recommended incident investigation tasks outlined in the blog, Advice for incident responders on recovery from systemic identity compromises.

In the remaining sections, we will discuss select examples of alerts raised by Microsoft 365 solutions that monitor and detect Solorigate activities across the attack chain on endpoint, identity, and the cloud. These are alerts you may encounter when investigating incidents in Microsoft 365 security center if your organization is affected by this threat. We will also indicate activities which are now blocked by Microsoft 365 Defender. Lastly, each section contains examples of hunting queries you will find useful for hunting for various attacker activities in your environment.

Detecting and blocking malware and malicious behavior on endpoints

Diagram showing attack chain on endpoints involving the Solorigate malware

Figure 7. Solorigate attack chain: Initial access and command-and-control

Discovering and blocking backdoor activity

When the compromised SolarWinds binary SolarWinds.Orion.Core.BusinessLayer.dll gets loaded on a device through normal update channels, the backdoor goes through an extensive list of checks to ensure it’s running in an actual enterprise network and not on an analyst’s machine. It then contacts a command-and-control (C2) server using a subdomain that is generated partly with information gathered from the affected device, which means a unique subdomain is generated for each affected domain. The backdoor allows the attackers to remotely run commands on the device and move to the next stages of the attack. For more information, read our in-depth analysis of the Solorigate malware.

Microsoft Defender for Endpoint delivers comprehensive protection against this threat (see full list of detection and protection alerts at the end of this blog). Microsoft Defender Antivirus, the default antimalware solution on Windows 10, detects and blocks the malicious DLL and its behaviors. It quarantines the malware, even if the process is running.

Screenshot of Microsoft Defender Security Center showing alert for blocking of Solorigate malware

Figure 8. Microsoft Defender for Endpoint blocks malicious binaries

If the malicious code is successfully deployed, the backdoor lies dormant for up to two weeks. It then attempts to contact numerous C2 domains, with the primary domain being *.avsvmcloud[.]com. The backdoor uses a domain generation algorithm to evade detection. Microsoft 365 Defender detects and blocks this behavior.

Screenshot of Microsoft Defender Security Center showing alert for malicious network connection

Figure 9. Microsoft Defender for Endpoint prevented malicious C2 callback

Discovering potentially tampered devices

To evade security software and analyst tools, the Solorigate malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them.

The Microsoft Defender for Endpoint sensor is one of the processes the malware attempts to disable. Microsoft Defender for Endpoint has built-in protections against many techniques attackers use to disable endpoint sensors, ranging from hardened OS protection and anti-tampering policies to detections for a variety of tampering attempts, including “Attempt to stop Microsoft Defender for Endpoint sensor”, “Tampering with Microsoft Defender for Endpoint sensor settings”, and “Possible sensor tampering in memory”.

Successfully disabling Microsoft Defender for Endpoint can prevent the system from reporting observed activities. However, the multitude of signals reported into Microsoft 365 Defender provides a unique opportunity to hunt for systems where the tampering technique used might have been successful. The following advanced hunting query can be used to locate devices that should be reporting but aren’t:

// Times to be modified as appropriate
let timeAgo=1d;
let silenceTime=8h;
// Get all silent devices and IPs from network events
let allNetwork=materialize(DeviceNetworkEvents
| where Timestamp > ago(timeAgo)
and isnotempty(LocalIP)
and isnotempty(RemoteIP)
and ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
and LocalIP !in ("127.0.0.1", "::1")
| project DeviceId, Timestamp, LocalIP, RemoteIP, ReportId);
let nonSilentDevices=allNetwork
| where Timestamp > ago(silenceTime)
| union (DeviceProcessEvents | where Timestamp > ago(silenceTime))
| summarize by DeviceId;
let nonSilentIPs=allNetwork
| where Timestamp > ago(silenceTime)
| summarize by LocalIP;
let silentDevices=allNetwork
| where DeviceId !in (nonSilentDevices)
and LocalIP !in (nonSilentIPs)
| project DeviceId, LocalIP, Timestamp, ReportId;
// Get all remote IPs that were recently active
let addressesDuringSilence=allNetwork
| where Timestamp > ago(silenceTime)
| summarize by RemoteIP;
// Potentially disconnected devices were connected but are silent:
// their last known IP is still seen talking to other devices, yet the sensor has reported nothing
silentDevices
| where LocalIP in (addressesDuringSilence)
| summarize arg_max(Timestamp, ReportId, LocalIP) by DeviceId
| project DeviceId, ReportId, Timestamp, LocalIP

Microsoft is continuously developing additional measures to both block and alert on these types of tampering activities.

Detecting hands-on-keyboard activity within an on-premises environment

Diagram showing Solorigate hands-on-keyboard attack on premises

Figure 10. Solorigate attack chain: Hands-on-keyboard attack on premises

After establishing a backdoor connection on an affected device, the attacker’s next goal is to achieve off-premises access to the organization’s cloud services. To do this, they must find a way to gain permissions to those services. One technique we have seen the attackers use is to go after the organization’s Active Directory Federation Services (AD FS) server to obtain the proverbial “keys” to the identity kingdom. AD FS enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries; effectively, it is the “LSASS for the cloud.” Among other things, AD FS stores the Security Assertion Markup Language (SAML) token signing certificate, which is used to create authorization tokens for users or services in the organization so they can access cloud applications and resources after authentication.

To attack the AD FS infrastructure, the attackers must first obtain appropriate domain permissions through on-premises intelligence gathering, lateral movement, and credential theft. Building from the backdoor described above, the attackers leverage fileless techniques for privilege escalation, persistence, and lateral movement, including evading analysis by using system binaries and exploration tools that masquerade as other benign binaries. The attackers also carefully chose organization-specific command-and-control (C2) domains and used custom, organization-specific tool names and locations.

Microsoft Defender for Endpoint detects a wide array of these attack techniques, allowing SOC teams to track the attacker’s actions in the environment and take actions to contain the attack. The following section covers detections for the techniques used by the attackers to compromise the AD FS infrastructure.

Identifying attacker reconnaissance

Attackers collect data from Active Directory using a renamed version of the utility ADFind, running queries against Domain Controllers as part of the reconnaissance stage of the attack. Microsoft Defender for Endpoint detects this behavior and allows the SOC analyst to track compromised devices at this stage to gain visibility into the information the attacker is looking for.

Screenshot of Microsoft Defender Security Center alert for detection of exploration tools

Figure 11. Microsoft Defender for Endpoint detects usage of masquerading exploration tools

Screenshot of Microsoft Defender Security Center alert for detection of LDAP queries

Figure 12. Microsoft Defender for Endpoint detects usage of an LDAP query for reconnaissance.

Stopping lateral movement and credential theft

To gain access to a highly privileged account needed for later steps in the kill chain, the attackers move laterally between devices and dump credentials until an account with the needed privileges is compromised, all while remaining as stealthy as possible.

A variety of credential theft methods, such as dumping LSASS memory, are detected and blocked by Microsoft Defender for Endpoint. The example below shows the detection of lateral movement using Windows Management Instrumentation (WMI) to run the attacker’s payload using the Rundll32.exe process.

Screenshot of Microsoft Defender Security Center alert for detection of remote WMI execution

Figure 13. Microsoft Defender for Endpoint alert for suspicious remote WMI execution highlighting the attacker’s device and payload

Microsoft Defender for Identity also detects and raises alerts on a variety of credential theft techniques. In addition to watching for alerts, security analysts can hunt across identity data in Microsoft 365 Defender for signs of identity compromise. Here are a couple of example Microsoft Defender for Identity queries looking for such patterns:

Enumeration of high-value DC assets followed by logon attempts to validate stolen credentials in time proximity

let MaxTime = 1d;
let MinNumberLogon = 5;
// devices attempting enumeration of high-value DC assets (RODCs)
IdentityQueryEvents
| where Timestamp > ago(30d)
| where Application == "Active Directory"
| where QueryTarget in ("Read-only Domain Controllers")
| project Timestamp, Protocol, Query, DeviceName, AccountUpn
| join kind = innerunique (
    // successful logons from the same device, restricted below to the {MaxTime} window after enumeration
    IdentityLogonEvents
    | where Timestamp > ago(30d)
    | where ActionType == "LogonSuccess"
    | project LogonTime = Timestamp, DeviceName, DestinationDeviceName) on DeviceName
| where LogonTime between (Timestamp .. (Timestamp + MaxTime))
| summarize n=dcount(DestinationDeviceName), TargetedDC = make_set(DestinationDeviceName) by Timestamp, Protocol, DeviceName
| where n >= MinNumberLogon

High-volume of LDAP queries in short time filtering for non-DC devices

let Threshold = 12;
let BinTime = 1m;
// approximate list of DCs: devices that receive Directory Services replication
let listDC=IdentityDirectoryEvents
| where Application == "Active Directory"
| where ActionType == "Directory Services replication"
| summarize by DestinationDeviceName;
IdentityQueryEvents
| where Timestamp > ago(30d)
// filter out LDAP traffic between DCs
| where DeviceName !in (listDC)
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
| summarize NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
| where NumberOfDistinctLdapQueries > Threshold

At this point, SOC teams can take containment measures within the Microsoft 365 security center, for example, using indicators to isolate the devices involved and block the remotely executed payload across the environment, as well as mark suspect users as compromised.

Detecting and remediating persistence

Microsoft Defender for Endpoint also detects the advanced defense evasion and masquerading techniques used by the attackers to make their actions as close to normal as possible, such as binding a WMI event filter with a logical consumer to remain persistent. Follow the recommended actions in the alert to remove persistence and prevent the attacker’s payload from loading after reboot.

Screenshot of Microsoft Defender Security Center alert for detection of WMI event filter bound to suspicious consumer

Figure 14. Microsoft Defender for Endpoint alert for WMI event filter bound to a suspicious consumer showing the persistence and the scheduled command line

Catching AD FS compromise and the attacker’s ability to impersonate users in the cloud

The next step in the attack focuses on the AD FS infrastructure and can unfold in two separate paths that lead to the same outcome—the ability to create valid SAML tokens allowing impersonation of users in the cloud:

  • Path 1 – Stealing the SAML signing certificate: After gaining administrative privileges in the organization’s on-premises network, and with access to the AD FS server itself, the attackers access and extract the SAML signing certificate. With this signing certificate, the attackers create valid SAML tokens to access various desired cloud resources as the identity of their choosing.
  • Path 2 – Adding to or modifying existing federation trust: After gaining administrative Azure Active Directory (Azure AD) privileges using compromised credentials, the attackers add their own certificate as a trusted entity in the domain either by adding a new federation trust to an existing tenant or modifying the properties of an existing federation trust. As a result, any SAML token they create and sign will be valid for the identity of their choosing.

In the first path, obtaining the SAML signing certificate normally entails first reading the Distributed Key Manager (DKM) key from the AD FS container in Active Directory, typically through an LDAP query, and then using that key to decrypt the token-signing certificate held in the AD FS configuration database. The certificate can then be used to create illicit but valid SAML tokens that allow the actor to impersonate users, enabling them to access enterprise cloud applications and services.

Microsoft Defender for Endpoint and Microsoft Defender for Identity detect the actions that attackers take to steal the encryption key needed to decrypt the SAML signing certificate. Both solutions leverage unique LDAP telemetry to raise high-severity alerts highlighting the attacker’s progress towards creating illicit SAML tokens.

Screenshot of Microsoft Defender Security Center alert for LDAP query and AD FS private key extraction 

Figure 15. Microsoft Defender for Endpoint detects a suspicious LDAP query being launched and an attempted AD FS private key extraction

Figure 16. Microsoft Defender for Identity detects private key extraction via malicious LDAP requests

For the second path, the attackers create their own SAML signing certificate outside of the organization’s environment. With Azure AD administrative permissions, they then add the new certificate as a trusted object. The following advanced hunting query over Azure AD audit logs shows when domain federation settings are changed, helping to discover where the attackers configured the domain to accept authorization tokens signed by their own signing certificate. As these are rare actions, we advise verifying that any instances identified are the result of legitimate administrative activity.

ADFSDomainTrustMods

let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetDisplayName = targetDetails.Name
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent

If the SAML signing certificate is confirmed to be compromised or the attacker has added a new one, follow the best practices for invalidating through certificate rotation to prevent further use and creation of SAML tokens by the attacker. Additionally, affected AD FS servers may need to be isolated and remediated to ensure no remaining attacker control or persistence.

If the attackers accomplish either path, they gain the ability to create illicit SAML tokens for the identities of their choosing and bypass multifactor authentication (MFA), since the service or application accepting the token assumes MFA is a necessary previous step in creating a properly signed token. To prevent attackers from progressing to the next stage, which is to access cloud resources, the attack should be discovered and remediated at this stage.

Detecting the hands-on-keyboard activity in the cloud environment

Diagram of hands-on-keyboard attacks in the cloud

Figure 17. Solorigate attack chain: Hands-on-keyboard attack in the cloud

With the ability to create illicit SAML tokens, the attackers can access sensitive data without having to originate from a compromised device or be confined to on-premises persistence. By abusing API access via existing OAuth applications or service principals, they can attempt to blend into the normal pattern of activity, most notably apps or service principals with existing Mail.Read or Mail.ReadWrite permissions to read email content via Microsoft Graph from Exchange Online. If the application does not already have read permissions for emails, then the app may be modified to grant those permissions.

Identifying unusual addition of credentials to an OAuth app

Microsoft Cloud App Security (MCAS) has added new automatic detection of unusual credential additions to an OAuth application to alert SOCs about apps that have been compromised to extract data from the organization. This detection logic is built on an anomaly detection engine that learns from each user in the environment, filtering out normal usage patterns to ensure alerts highlight real attacks and not false positives. If you see this alert in your environment and confirm malicious activity, you should take immediate action to suspend the user, mark the user as compromised, reset the user’s password, and remove the credential additions. You may consider disabling the application during investigation and remediation.

Figure 18. Microsoft Cloud App Security alert for unusual addition of credentials to an OAuth app

SOCs can use the following Microsoft 365 Defender advanced hunting query over Azure AD audit logs to examine when new credentials have been added to a service principal or application. In general, credential changes may be rare depending on the type and use of the service principal or application. SOCs should verify unusual changes with their respective owners to ensure they are the result of legitimate administrative actions.

NewAppOrServicePrincipalCredential

let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType in ("Add service principal.", "Add service principal credentials.", "Update application – Certificates and secrets management ")
| extend RawEventData = parse_json(RawEventData)
| where RawEventData.ResultStatus =~ "success"
| where AccountDisplayName has "@"
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetId = targetDetails.Id
| extend targetType = targetDetails.Type
| extend targetDisplayName = targetDetails.Name
| extend keyEvents = RawEventData.ModifiedProperties
| where keyEvents has "KeyIdentifier=" and keyEvents has "KeyUsage=Verify"
| mv-expand keyEvents
| where keyEvents.Name =~ "KeyDescription"
| parse tostring(keyEvents.NewValue) with * "KeyIdentifier=" keyIdentifier:string ",KeyType=" keyType:string ",KeyUsage=" keyUsage:string ",DisplayName=" keyDisplayName:string "]" *
| parse tostring(keyEvents.OldValue) with * "KeyIdentifier=" keyIdentifierOld:string ",KeyType" *
| where keyEvents.OldValue == "[]" or keyIdentifier != keyIdentifierOld
| where keyUsage == "Verify"
| project-away keyEvents
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, InitiatingIPAddress=IPAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier
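
The parse in the query above compares only the first KeyIdentifier in the old and new KeyDescription lists. As an added example, not part of the original post or of Microsoft's published queries, the Python below applies the same filters (successful result, user actor, KeyUsage=Verify) to a few constructed audit events but diffs the whole list, so a key added next to an existing one is still reported. The record layout, the helper names and all values are constructed for the sample; the KeyDescription string format follows the one the query's parse operator assumes.

```python
import re

# One KeyDescription entry as the query's parse operator expects it:
# [KeyIdentifier=<id>,KeyType=<type>,KeyUsage=<usage>,DisplayName=<name>]
KEY_RE = re.compile(
    r"\[KeyIdentifier=(?P<id>[^,\]]+),KeyType=(?P<type>[^,\]]+),"
    r"KeyUsage=(?P<usage>[^,\]]+),DisplayName=(?P<name>[^\]]*)\]"
)

# The audit operations the query filters on.
CREDENTIAL_ACTIONS = {
    "Add service principal.",
    "Add service principal credentials.",
    "Update application – Certificates and secrets management ",
}

# Constructed sample events (made-up values), flattened to the fields used below.
SAMPLE_EVENTS = [
    {   # A user adds a brand-new client secret to an app that had none: reported.
        "Timestamp": "2020-12-15T03:12:00", "ActionType": "Add service principal credentials.",
        "AccountDisplayName": "admin@contoso.example", "IPAddress": "203.0.113.10",
        "ResultStatus": "Success", "TargetName": "MailSync", "TargetId": "spn-111",
        "ModifiedProperties": [
            {"Name": "KeyDescription", "OldValue": "[]",
             "NewValue": "[[KeyIdentifier=k-aaaa,KeyType=Password,KeyUsage=Verify,DisplayName=sync-secret]]"},
        ],
    },
    {   # A certificate is added alongside an existing one; only the new one is reported.
        "Timestamp": "2020-12-15T09:40:00",
        "ActionType": "Update application – Certificates and secrets management ",
        "AccountDisplayName": "ops@contoso.example", "IPAddress": "198.51.100.7",
        "ResultStatus": "Success", "TargetName": "Reporting", "TargetId": "app-222",
        "ModifiedProperties": [
            {"Name": "KeyDescription",
             "OldValue": "[[KeyIdentifier=k-bbb1,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=Reporting]]",
             "NewValue": "[[KeyIdentifier=k-bbb1,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=Reporting],"
                         "[KeyIdentifier=k-bbb2,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=Reporting 2021]]"},
        ],
    },
    {   # Failed attempt: not reported.
        "Timestamp": "2020-12-15T10:00:00", "ActionType": "Add service principal credentials.",
        "AccountDisplayName": "ops@contoso.example", "IPAddress": "198.51.100.7",
        "ResultStatus": "Failure", "TargetName": "Reporting", "TargetId": "app-222",
        "ModifiedProperties": [{"Name": "KeyDescription", "OldValue": "[]",
                                "NewValue": "[[KeyIdentifier=k-cccc,KeyType=Password,KeyUsage=Verify,DisplayName=x]]"}],
    },
    {   # Added by an application identity rather than a user; the query's has "@" filter drops it.
        "Timestamp": "2020-12-15T10:05:00", "ActionType": "Add service principal credentials.",
        "AccountDisplayName": "Microsoft Graph", "IPAddress": "",
        "ResultStatus": "Success", "TargetName": "Reporting", "TargetId": "app-222",
        "ModifiedProperties": [{"Name": "KeyDescription", "OldValue": "[]",
                                "NewValue": "[[KeyIdentifier=k-dddd,KeyType=Password,KeyUsage=Verify,DisplayName=y]]"}],
    },
]


def parse_key_descriptions(value):
    """Map KeyIdentifier -> (KeyType, KeyUsage, DisplayName) for every entry in a KeyDescription list."""
    return {m.group("id"): (m.group("type"), m.group("usage"), m.group("name"))
            for m in KEY_RE.finditer(value or "[]")}


def added_verify_keys(event):
    """Key identifiers present in NewValue but absent from OldValue, limited to
    KeyUsage=Verify (the secrets and certificates that authenticate as the app)."""
    added = []
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") != "KeyDescription":
            continue
        old = parse_key_descriptions(prop.get("OldValue"))
        new = parse_key_descriptions(prop.get("NewValue"))
        added.extend(kid for kid, (_, usage, _) in new.items()
                     if kid not in old and usage == "Verify")
    return added


def find_new_credentials(events, users_only=True):
    """Successful credential additions, with the same filters as the query above."""
    results = []
    for e in events:
        if e["ActionType"] not in CREDENTIAL_ACTIONS or e.get("ResultStatus", "").lower() != "success":
            continue
        if users_only and "@" not in e["AccountDisplayName"]:
            continue
        keys = added_verify_keys(e)
        if keys:
            results.append({"Timestamp": e["Timestamp"], "Actor": e["AccountDisplayName"],
                            "IP": e["IPAddress"], "Target": e["TargetName"], "NewKeys": keys})
    return results


if __name__ == "__main__":
    for row in find_new_credentials(SAMPLE_EVENTS):
        print(row)
```

The users_only switch mirrors the query's has "@" filter; turning it off also surfaces keys added by application identities, which is worth doing when the actor of interest is itself a compromised service principal.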

Discovering malicious access to mail items

OAuth applications or service principals with Mail.Read or Mail.ReadWrite permissions can read email content from Exchange Online via the Microsoft Graph. To help increase visibility on these behaviors, the MailItemsAccessed action is now available via the new Exchange mailbox advanced audit functionality. See if this feature is enabled by default for you. Important note for customers: If you have customized the list of audit events you are collecting, you may need to manually enable this telemetry.

If more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online stops generating auditing records for MailItemsAccessed activity for 24 hours and then resumes logging after this period. This throttling behavior is a good starting point for SOCs to discover potentially compromised mailboxes.

MailItemsAccessedThrottling

let starttime = 2d;
let endtime = 1d;
CloudAppEvents
| where Timestamp between (startofday(ago(starttime))..startofday(ago(endtime)))
| where ActionType == "MailItemsAccessed"
// OperationProperties[1] is expected to hold IsThrottled; "True" marks a mailbox whose MailItemsAccessed logging was throttled
| where isnotempty(RawEventData['ClientAppId']) and RawEventData['OperationProperties'][1] has "True"
| project Timestamp, OrganizationId = RawEventData['OrganizationId'], AccountObjectId, UserAgent

In addition to looking for throttled telemetry, you can also hunt for OAuth applications reading mail via the Microsoft Graph API that did not do so during a baseline period, which surfaces apps whose behavior has changed.

OAuthGraphAPIAnomalies

// Look for OAuth apps reading mail via the Graph API that did not read mail via the Graph API in the prior week
let appMailReadActivity = (timeframeStart:datetime, timeframeEnd:datetime) {
    CloudAppEvents
    | where Timestamp between (timeframeStart .. timeframeEnd)
    | where ActionType == "MailItemsAccessed"
    | where RawEventData has "00000003-0000-0000-c000-000000000000" // Microsoft Graph app ID; cheap pre-filter before parsing
    | extend rawData = parse_json(RawEventData)
    | extend AppId = tostring(rawData.AppId)
    | extend OAuthAppId = tostring(rawData.ClientAppId) // the OAuth app acting on behalf of the user
    | summarize by OAuthAppId
};
appMailReadActivity(ago(1d), now()) // detection period
| join kind = leftanti (appMailReadActivity(ago(7d), ago(2d))) // baseline period
on OAuthAppId
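
As an added example that is not part of the original post, the two hunts above (throttled MailItemsAccessed records, and apps reading mail via Graph with no history in the baseline week) in Python over constructed audit records, so they can be checked offline. The record fields follow the shape of Exchange mailbox audit records; the helper names and every sample value are constructed. Looking the IsThrottled property up by name rather than by array position is a deliberate change from the query.

```python
from datetime import datetime, timedelta

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, as in the query's pre-filter


def _rec(when, user, client_app, throttled=False, app_id=GRAPH_APP_ID):
    """Build one constructed MailItemsAccessed audit record (made-up values)."""
    return {
        "CreationTime": when, "Operation": "MailItemsAccessed",
        "MailboxOwnerUPN": user, "AppId": app_id, "ClientAppId": client_app,
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": "Bind"},
            {"Name": "IsThrottled", "Value": "True" if throttled else "False"},
        ],
    }


SAMPLE_RECORDS = [
    # Baseline week: a known app reads alice's mail every day.
    *[_rec(f"2020-12-{d:02d}T08:00:00", "alice@contoso.example", "app-known") for d in range(7, 13)],
    # Detection day: the known app again, plus an app never seen reading mail before,
    # which also tripped the 1,000-records-per-24h throttle on bob's mailbox.
    _rec("2020-12-14T09:00:00", "alice@contoso.example", "app-known"),
    _rec("2020-12-14T09:30:00", "bob@contoso.example", "app-new"),
    _rec("2020-12-14T10:45:00", "bob@contoso.example", "app-new", throttled=True),
    # Access not made through Graph is outside this hunt's scope.
    _rec("2020-12-14T11:00:00", "carol@contoso.example", "app-other", app_id="other-app"),
]


def _ts(r):
    return datetime.fromisoformat(r["CreationTime"])


def _prop(r, name):
    # Look the property up by name instead of by position, so a reordered
    # OperationProperties array does not silently break the check.
    return next((p["Value"] for p in r.get("OperationProperties", []) if p["Name"] == name), None)


def throttled_mailboxes(records):
    """Mailboxes whose MailItemsAccessed logging was throttled: the SOC starting point."""
    return sorted({r["MailboxOwnerUPN"] for r in records
                   if r["Operation"] == "MailItemsAccessed" and _prop(r, "IsThrottled") == "True"})


def mail_reading_apps(records, start, end):
    """OAuth client app IDs that read mail via Graph within [start, end)."""
    return {r["ClientAppId"] for r in records
            if r["Operation"] == "MailItemsAccessed" and r["AppId"] == GRAPH_APP_ID
            and start <= _ts(r) < end}


def new_mail_reading_apps(records, detection_start, detection_end, baseline_start, baseline_end):
    """Apps reading mail in the detection window with no mail reads in the baseline
    window: the query's left-anti join expressed as a set difference."""
    return sorted(mail_reading_apps(records, detection_start, detection_end)
                  - mail_reading_apps(records, baseline_start, baseline_end))


def run_hunt(records, as_of):
    """Both checks with the query's windows: 1 day of detection, baseline from 7 to 2 days back."""
    now = datetime.fromisoformat(as_of)
    return {
        "throttled": throttled_mailboxes(records),
        "new_apps": new_mail_reading_apps(records, now - timedelta(days=1), now,
                                          now - timedelta(days=7), now - timedelta(days=2)),
    }


if __name__ == "__main__":
    print(run_hunt(SAMPLE_RECORDS, "2020-12-15T00:00:00"))
```

One caveat the set difference makes visible: when the baseline window holds no data at all (for instance, right after mailbox auditing was turned on), every app that reads mail looks new, so the baseline should be checked for emptiness before its output is acted on.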

Microsoft 365 Defender’s cross-domain XDR correlation enables stronger response to critical security incidents

Like the rest of the security industry, Microsoft continues to track the Solorigate attack, an active threat that continues to unfold as well as evolve. As part of empowering our customers and the larger security community to respond to this attack through sharing intelligence and providing advice, this blog serves to guide Microsoft 365 customers to take full advantage of the comprehensive visibility and the rich investigation tools available in Microsoft 365 Defender. This blog shows that many of the existing capabilities in Microsoft 365 Defender help address this attack, but the unique scenarios created by the threat resulted in some Solorigate-specific detections and other innovative protections, including ones that are made possible by deeply integrated cross-domain threat defense.

For additional information and further guidance, refer to these Microsoft resources:

Microsoft will continue to provide public information about the patterns and techniques of this attack and related intelligence for customers to defend themselves, in addition to enhancing the protection capabilities of Microsoft security solutions.

Appendix: Additional details for detection and hunting

Detection details

Attack stage / Microsoft 365 Defender detection or alert

Initial access (Microsoft Defender for Endpoint):

  • ‘Solorigate’ high-severity malware was detected/blocked/prevented (Trojan:MSIL/Solorigate.BR!dha)
  • SolarWinds Malicious binaries associated with a supply chain attack

Execution and persistence (Microsoft Defender for Endpoint):

Command and Control (Microsoft Defender for Endpoint):

Defense evasion (Microsoft Defender for Endpoint):

  • Suspicious audit policy tampering

Reconnaissance (Microsoft Defender for Endpoint):

  • Masquerading Active Directory exploration tool
  • Suspicious sequence of exploration activities
  • Execution of suspicious known LDAP query fragments

Credential access (Microsoft Defender for Endpoint):

  • Suspicious access to LSASS (credential access)
  • AD FS private key extraction attempt
  • Possible attempt to access ADFS key material
  • Suspicious ADFS adapter process created

Credential access (Microsoft Defender for Identity):

  • Unusual addition of permissions to an OAuth app
  • Active Directory attributes Reconnaissance using LDAP

Credential access (Microsoft Cloud App Security):

  • Unusual addition of credentials to an OAuth app

Lateral movement (Microsoft Defender for Endpoint):

  • Suspicious file creation initiated remotely (lateral movement)
  • Suspicious Remote WMI Execution (lateral movement)

Exfiltration (Microsoft Defender for Endpoint):

  • Suspicious mailbox export or access modification
  • Suspicious archive creation

Advanced hunting queries


A breakthrough year for passwordless technology

As 2020 draws to a close, most of us are looking forward to putting this year in the rearview mirror. Since we depend even more on getting online for everything in our lives, we’re more than ready to be done with passwords. Passwords are a hassle to use, and they present security risks for users and organizations of all sizes, with an average of one in every 250 corporate accounts compromised each month. According to the Gartner Group, 20 to 50 percent of all help desk calls are for password resets. The World Economic Forum (WEF) estimates that cybercrime costs the global economy $2.9 million every minute, with roughly 80 percent of those attacks directed at passwords.

In November 2019 at Microsoft Ignite, we shared that more than 100 million people were already using Microsoft’s passwordless sign-in each month. In May of 2020, just in time for World Password Day, that number had already grown to more than 150 million people, and the use of biometrics to access work accounts is now almost double what it was then. We’ve drawn strength from our customers’ determination this year and are set to make passwordless access a reality for all our customers in 2021.

2020: A banner year for passwordless technology

Infograph describing the passwordless technology achievements in 2020

February: We announced a preview of Azure Active Directory support for FIDO2 security keys in hybrid environments. The Fast Identity Online (FIDO) Alliance is a “cross-industry consortia providing standards, certifications, and market adoption programs to replace passwords with simpler, stronger authentication.” Following the latest FIDO spec, FIDO2, we enabled users with security keys to access their Hybrid Azure Active Directory (Azure AD) Windows 10 devices with seamless sign-in, providing secure access to on-premises and cloud resources using a strong hardware-backed public and private-key credential. This expansion of Microsoft’s passwordless capabilities followed 2019’s preview of FIDO2 support for Azure Active Directory joined devices and browser sign-ins.

June: I gave a keynote speech at Identiverse Virtual 2020 where I got to talk about how Microsoft’s FIDO2 implementation highlights the importance of industry standards in implementing Zero Trust security and is crucial to enabling secure ongoing remote work across industries. Nitika Gupta, Principal Program Manager of Identity Security in our team, showed how Zero Trust is more important than ever for securing data and resources and provided actionable steps that organizations can take to start their Zero Trust journey.

September: At Microsoft Ignite, the company revealed the new passwordless wizard available through the Microsoft 365 Admin Center. Delivering a streamlined user sign-in experience in Windows 10, Windows Hello for Business replaces passwords by combining strong MFA for an enrolled device with a PIN or user biometric (fingerprint or facial recognition). This approach gives you, our customers, the ability to deliver great user experiences for your employees, customers, and partners without compromising your security posture.

November: Authenticate 2020, “the first conference dedicated to who, what, why and how of user authentication,” featured my boss, Joy Chik, CVP of Identity at Microsoft, as the keynote speaker. Joy talked about how FIDO2 is a critical part of Microsoft’s passwordless vision, and the importance of the whole industry working toward great user experiences, interoperability, and having apps everywhere support passwordless authentication. November also saw Microsoft once again recognized by Gartner as a “Leader” in identity and access management (IAM).

MISA members lead the way

The Microsoft Intelligent Security Association (MISA) is an ecosystem of security partners who have integrated their solutions with Microsoft to better defend against increasingly sophisticated cyber threats. Four MISA members stood out this year for their efforts in driving passwordless technology adoption across industries: Yubico, HID Global, TrustKey, and AuthenTrend.

Yubico created the passwordless YubiKey hardware to help businesses achieve the highest level of security at scale.

“We’re providing users with a convenient, simple, authentication solution for Azure Active Directory.”—Derek Hanson, VP of Solutions Architecture and Alliances, Yubico

HID Global engineered the HID Crescendo family of FIDO-enabled smart cards and USB keys to streamline access for IT and physical workspaces—enabling passwordless authentication anywhere.

“Organizations can now secure access to laptops and cloud apps with the same credentials employees use to open the door to their office.”—Julian Lovelock, VP of Global Business Segment Identity and Access Management Solutions, HID

TrustKey provides FIDO2 hardware and software solutions for enterprises who want to deploy passwordless authentication with Azure Active Directory because: “Users often find innovative ways to circumvent difficult policies,” comments Andrew Jun, VP of Product Development at TrustKey, “which inadvertently creates security holes.”

AuthenTrend applied fingerprint-authentication technology to the FIDO2 security key and aspires to replace all passwords with biometrics to help people take back ownership of their credentials.

Next steps for passwordless in 2021

Our team has been working hard this year to join these partners in making passwords a thing of the past. Along with new UX and APIs for managing FIDO2 security keys enabling customers to develop custom solutions and tools, we plan to release a converged registration portal in 2021, where all users can seamlessly manage passwordless credentials via the My Apps portal.

We’re excited about the metrics we tracked in 2020, which show a growing acceptance of passwordless among organizations and users:

  • Passwordless usage in Azure Active Directory is up by more than 50 percent for Windows Hello for Business, passwordless phone sign-in with Microsoft Authenticator, and FIDO2 security keys.
  • More than 150 million total passwordless users across Azure Active Directory and Microsoft consumer accounts.
  • The number of consumers using Windows Hello to sign in to Windows 10 devices instead of a password grew to 84.7 percent from 69.4 percent in 2019.

We’re all hoping the coming year will bring a return to normal and that passwordless access will at least make our online lives a little easier.

Learn more about Microsoft’s passwordless story. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Microsoft launches program to enhance privacy, security tools with advances in differential privacy

The invention of differential privacy was ahead of its time. The technology, pioneered by Microsoft researchers 15 years ago, makes it possible to extract useful insights from datasets while safeguarding the privacy of the individuals included in the data. What was needed to realize its full potential? The marriage of cloud computing and artificial intelligence (AI), which allows for the sharing and analysis of huge amounts of data while requiring that individual privacy is protected.

Over the past year, Microsoft collaborated with the OpenDP Initiative, led by Harvard’s Institute for Quantitative Social Science (IQSS) and School of Engineering and Applied Sciences (SEAS), and together we launched the open-source differential privacy platform, SmartNoise. We’re excited about the results and the learnings we’ve collected to date. My colleague Sarah Bird recently wrote about those learnings and how Microsoft is adopting differential privacy into some of our products. Differential privacy has also become a powerful new tool in Microsoft’s privacy and security ecosystem. Externally, we’re working with partners, exploring how differential privacy applies in real world scenarios, and today we’re launching the SmartNoise Early Adopter Acceleration Program to attract more.

Differential privacy within Microsoft’s security and privacy landscape

Today, data is the fuel that drives innovation. However, legitimate security and privacy concerns restrict the ability to fully unlock the power of data. That's understandable when you consider that data is often the most valuable asset an organization or an individual has. Microsoft is developing a range of new technologies, including Azure Confidential Computing, homomorphic encryption, secure multi-party computation and federated learning, to provide stronger protections and eliminate many types of threats. Each of these technologies is a valuable addition to our portfolio because no single technology solves every type of problem; by using them together, we are able to build solutions with unprecedented levels of privacy and security.

Encrypting data at rest and in transit is industry standard now. Azure Confidential Computing extends this by protecting your data in use, that is, during computation, inside a secure hardware environment. This reduces your exposure to threats such as malware, insider attacks, and malicious or negligent administrators.

By adding differential privacy to our suite of security and privacy technologies, Microsoft is taking another step in this journey. Differential privacy ensures that the result of a computation is safe to share or use: when results are released with differential privacy applied, the dataset carries the guarantee that no individual in it can be reidentified from those results. SmartNoise gives organizations additional confidence in fields like financial services and health care, where securing highly sensitive data and protecting privacy are both necessities.

With innovations like SmartNoise and Azure Confidential Computing, Microsoft is providing the tools and technology to keep individuals' data secure and private throughout its life cycle, from the beginning all the way through to the intelligence it delivers.

Differential privacy in practice

In addition to Harvard’s IQSS and SEAS, Microsoft is also working with several partners to explore the potential for differential privacy.

One of our thought leaders and partners is Educational Results Partnership (ERP), a nonprofit organization that applies data science to improve student outcomes and career readiness throughout the educational system. ERP has accumulated the largest database in the US on student achievement from kindergarten to students’ entry into the labor market. Their mission is to use actionable data to close equity gaps in education and the labor market by improving academic and workforce outcomes for students in traditionally disenfranchised communities and populations.

Dr. Jim Lanich, ERP’s president and CEO said, “ERP’s data-informed approach relies on collecting data from educational and government institutions throughout the United States. We’re excited to be partnering with Microsoft on the development of a differential privacy application that will allow organizations to look deeper into their data while strengthening privacy protections for students and individuals. The ability to draw more meaningful insights from the data will lead to action that can improve outcomes and close equity gaps.”

Another key partner is Humana, a health care company whose goal is to improve the health of their millions of members by delivering simple and easy health care experiences that lead to differentiated health outcomes. To achieve their goal, Humana is investing in data, analytics and digital health technologies to share data across all parties delivering care.

Slawek Kierner, Humana’s SVP of Enterprise Data and Analytics said, “Collaboration is key in tackling the challenges in health care. Having tools that can protect the privacy of individuals while preserving the underlying information is key. At Humana, we are exploring how differential privacy can enable us to share data with partners like researchers, community organizations, and academics to better serve our members while protecting their privacy.”

In addition, Microsoft is partnering with the Open Data Institute on an Education Open Data Challenge to generate innovative solutions that close the digital divide and improve learning outcomes in K-12 education. Among other resources, participants in the challenge will receive access to Microsoft's US broadband usage data with differential privacy applied to protect individuals' privacy. This dataset was initially created to help the FCC and policymakers bridge the digital divide. By opening up the data further via differential privacy, we are enabling a whole new use case to help solve some of the world's educational challenges. We encourage those interested to register. You can find more information here.

SmartNoise Early Adopter Acceleration Program

We're excited about the progress we've made in just a little over a year through our collaboration with Harvard and the OpenDP initiative. Our partners leveraging SmartNoise and differential privacy have taught us a great deal about how SmartNoise can advance the sharing of data and insights. But there is more work to be done, and we are looking for additional partners to help with this effort.

We are introducing the SmartNoise Early Adopter Acceleration Program to support usage and adoption of SmartNoise and OpenDP. This collaboration program with the SmartNoise team aims to accelerate the adoption of differential privacy in solutions today that will open data and offer insights to benefit society.

If you have a project that would benefit from using differential privacy, we invite you to apply. We will accept applications through February 1, 2021. Selected applicants will be notified by March 1, 2021.

Selected teams can engage in technical and conceptual considerations incorporating SmartNoise and differential privacy into their solutions. These collaboration activities include:

  • SmartNoise and OpenDP technical assistance and guidance
  • Differential privacy methodology reviews
  • Guidance and feedback on privacy budgets, setting parameters and managing epsilon
  • Design and architecture reviews and consultation
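To make the guarantee described above and the idea of a privacy budget concrete, here is an added illustration that is not part of this post and not the SmartNoise or OpenDP API: the textbook Laplace mechanism applied to counting queries, with a budget that refuses queries once the total epsilon is spent. The record layout, the epsilon values and the dataset are constructed for the example.

```python
import math
import random

# Constructed sample records, one per individual (not real data).
RECORDS = [{"region": "north" if i % 3 else "south", "flag": i % 4 == 0} for i in range(40)]


class PrivacyBudgetExceeded(Exception):
    """Raised when a query would spend more epsilon than remains."""


def laplace_sample(scale, rng):
    """Draw Laplace(0, scale) noise by inverse-CDF sampling."""
    u = rng.random() - 0.5  # uniform on [-0.5, 0.5)
    while u == -0.5:  # skip the single draw that would hit log(0)
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def privacy_loss(epsilon, count, outputs):
    """Max |ln p(x | count) - ln p(x | count + 1)| over outputs x, Laplace(1/epsilon).

    Neighbouring datasets change a count by at most 1, so this is at most epsilon:
    that bound is the differential privacy guarantee on the released value.
    """
    return max(abs(-epsilon * abs(x - count) + epsilon * abs(x - count - 1)) for x in outputs)


class BudgetedCounter:
    """Laplace-noised counting queries under a total epsilon budget.

    Each answer costs its epsilon (sequential composition); overspending is refused.
    """

    def __init__(self, records, total_epsilon, rng=None):
        self.records = list(records)
        self.total_epsilon = float(total_epsilon)
        self.spent = 0.0
        self.rng = rng or random.Random()

    def remaining(self):
        return self.total_epsilon - self.spent

    def noisy_count(self, predicate, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total_epsilon + 1e-12:
            raise PrivacyBudgetExceeded(f"need {epsilon}, only {self.remaining():.3f} left")
        exact = sum(1 for r in self.records if predicate(r))
        self.spent += epsilon  # charge the budget before releasing anything
        return exact + laplace_sample(1.0 / epsilon, self.rng)
```

Each call to `noisy_count` is one release; the returned value is what would be shared, and `remaining()` is the part of the budget still available for further questions about the same individuals.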

And, since there is more work to do, there will be more progress and learnings to share. Microsoft is proud to be part of this first-of-its-kind open-source differential privacy platform with Harvard IQSS and SEAS and the OpenDP community, and we are committed to engaging with developers, researchers and companies as this project moves forward. If you already incorporate differential privacy into your work, we welcome your thoughts or feedback about SmartNoise on GitHub.
