The talk DPRK – All grown up will cover how the Democratic People’s Republic of Korea (DPRK) has successfully built computer network exploitation capability over the past 10 years and how threat actors have enabled North Korea to steal billions of dollars in cryptocurrency as well as target organizations associated with satellites and weapons systems. Over this period, North Korean threat actors have developed and used multiple zero-day exploits and have become experts in cryptocurrency, blockchain, and AI technology.

This presentation will also include information on North Korea overcoming sanctions and other financial barriers by the United States and multiple other countries through the deployment of North Korean IT workers in Russia, China, and, other countries. These IT workers masquerade as individuals from countries other than North Korea to perform legitimate IT work and generate revenue for the regime. North Korean threat actors’ focus areas are:

• Stealing money or cryptocurrency to help fund the North Korea weapons programs
• Stealing information pertaining to weapons systems, sanctions information, and policy-related decisions before they occur
• Performing IT work to generate revenue to help fund the North Korea IT weapons program

Meanwhile, in the talk No targets left behind, Microsoft Threat Intelligence analysts will present research on Storm-2077, a Chinese threat actor that conducts intelligence collection targeting government agencies and non-governmental organizations. This presentation will trace how Microsoft assembled the pieces of threat activity now tracked as Storm-2077 to demonstrate how we overcome challenges in tracking overlapping activities and attributing cyber operations originating from China.

This blog summarizes intelligence on threat actors covered by the two Microsoft presentations at CYBERWARCON.

Sapphire Sleet: Social engineering leading to cryptocurrency theft

The North Korean threat actor that Microsoft tracks as Sapphire Sleet has been conducting cryptocurrency theft as well as computer network exploitation activities since at least 2020. Microsoft’s analysis of Sapphire Sleet activity indicates that over 10 million US dollars’ worth of cryptocurrency was stolen by the threat actor from multiple companies over a six-month period.

Masquerading as a venture capitalist

While their methods have changed throughout the years, the primary scheme used by Sapphire Sleet over the past year and a half is to masquerade as a venture capitalist, feigning interest in investing in the target user’s company. The threat actor sets up an online meeting with a target user. On the day of the meeting, when the target user attempts to connect to the meeting, the user receives either a frozen screen or an error message stating that the user should contact the room administrator or support team for assistance.

When the target contacts the threat actor, the threat actor sends a script – a .scpt file (Mac) or a Visual Basic Script (.vbs) file (Windows) – to “fix the connection issue”. This script leads to malware being downloaded onto the target user’s device. The threat actor then works towards obtaining cryptocurrency wallets and other credentials on the compromised device, enabling the threat actor to steal cryptocurrency.  

Posing as recruiters

As a secondary method, Sapphire Sleet masquerades as a recruiter on professional platforms like LinkedIn and reaches out to potential victims. The threat actor, posing as a recruiter, tells the target user that they have a job they are trying to fill and believe that the user would be a good candidate. To validate the skills listed on the target user’s profile, the threat actor asks the user to complete a skills assessment from a website under the threat actor’s control. The threat actor sends the target user a sign-in account and password. In signing in to the website and downloading the code associated with the skills assessment, the target user downloads malware onto their device, allowing the attackers to gain access to the system.

Ruby Sleet: Sophisticated phishing targeting satellite and weapons systems-related targets

Ruby Sleet, a threat actor that Microsoft has been tracking since 2020, has significantly increased the sophistication of their phishing operations over the past several years. The threat actor has been observed signing their malware with legitimate (but compromised) certificates obtained from victims they have compromised. The threat actor has also distributed backdoored virtual private network (VPN) clients, installers, and various other legitimate software.

Ruby Sleet has also been observed conducting research on targets to find what specific software they run in their environment. The threat actor has developed custom capabilities tailored to specific targets. For example, in December 2023, Microsoft Threat Intelligence observed Ruby Sleet carrying out a supply chain attack in which the threat actor successfully compromised a Korean construction company and replaced a legitimate version of VeraPort software with a version that communicates with known Ruby Sleet infrastructure.

Ruby Sleet has targeted and successfully compromised aerospace and defense-related organizations. Stealing aerospace and defense-related technology may be used by North Korea to increase its understanding of missiles, drones, and other related technologies.

North Korean IT workers: The triple threat

In addition to utilizing computer network exploitation through the years, North Korea has dispatched thousands of IT workers abroad to earn money for the regime. These IT workers have brought in hundreds of millions of dollars for North Korea. We consider these North Korean IT workers to be a triple threat, because they:

• Make money for the regime by performing “legitimate” IT work
• May use their access to obtain sensitive intellectual property, source code, or trade secrets at the company
• Steal sensitive data from the company and in some cases ransom the company into paying them in exchange for not publicly disclosing the company’s data

Microsoft Threat Intelligence has observed North Korean IT workers operating out of North Korea, Russia, and China.

Facilitators complicate tracking of IT worker ecosystem

Microsoft Threat Intelligence observed that the activities of North Korean IT workers involved many different parties, from creating accounts on various platforms to accepting payments and moving money to North Korean IT worker-controlled accounts. This makes tracking their activities more challenging than traditional nation-state threat actors.

Since it’s difficult for a person in North Korea to sign up for things such as a bank account or phone number, the IT workers must utilize facilitators to help them acquire access to platforms where they can apply for remote jobs. These facilitators are used by the IT workers for tasks such as creating an account on a freelance job website. As the relationship builds, the IT workers may ask the facilitator to perform other tasks such as:

• Creating or renting their bank account to the North Korean IT worker
• Creating LinkedIn accounts to be used for contacting recruiters to obtain work
• Purchasing mobile phone numbers or SIM cards
• Creating additional accounts on freelance job sites

Fake profiles and portfolios with the aid of AI

One of the first things a North Korean IT worker does is set up a portfolio to show supposed examples of their previous work. Microsoft Threat Intelligence has observed hundreds of fake profiles and portfolios for North Korean IT workers on developer platforms like GitHub.

Additionally, the North Korean IT workers have used fake profiles on LinkedIn to communicate with recruiters and apply for jobs. 

In October 2024, Microsoft found a public repository containing North Korean IT worker files. The repository contained the following information:

• Resumes and email accounts used by the North Korean IT workers
• Infrastructure used by these workers (VPS and VPN accounts along with specific VPS IP addresses)
• Playbooks on conducting identity theft and creating and bidding jobs on freelancer websites without getting flagged
• Actual images and AI-enhanced images of suspected North Korean IT workers
• Wallet information and suspected payments made to facilitators
• LinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype accounts
• Tracking sheet of work performed and payments received by these IT workers

Review of the repository indicates that the North Korean IT workers are conducting identity theft and using AI tools such as Faceswap to move their picture over to documents that they have stolen from victims. The attackers are also using Faceswap to take pictures of the North Korean IT workers and move them to more professional looking settings. The pictures created by the North Korean IT workers using AI tools are then utilized on resumes or profiles, sometimes for multiple personas, that are submitted for job applications.

In the same repository, Microsoft Threat Intelligence found photos that appear to be of North Korean IT workers:

Microsoft has observed that, in addition to using AI to assist with creating images used with job applications, North Korean IT workers are experimenting with other AI technologies such as voice-changing software. This aligns with observations shared in earlier blogs showing threat actors using AI as a productivity tool to refine their attack techniques. While we do not see threat actors using combined AI voice and video products as a tactic, we do recognize that if actors were to combine these technologies, it’s possible that future campaigns may involve IT workers using these programs to attempt to trick interviewers into thinking they are not communicating with a North Korean IT worker. If successful, this could allow the North Korean IT workers to do interviews directly and not have to rely on facilitators obtaining work for them by standing in on interviews or selling account access to them.

Getting payment for remote work

The North Korean IT workers appear to be very organized when it comes to tracking payments received.  Overall, this group of North Korean IT workers appears to have made at least 370,000 US dollars through their efforts. 

Protecting organizations from North Korean IT workers

Unfortunately, computer network exploitation and use of IT workers is a low-risk, high-reward technique used by North Korean threat actors. Here are some steps that organizations can take to be better protected:

• Follow guidance from the US Department of State, US Department of the Treasury, and the Federal Bureau of Investigation on how to spot North Korean IT workers.
• Educate human resources managers, hiring managers, and program managers for signs to look for when dealing with suspected North Korean IT workers.
• Use simple non-technical techniques such as asking IT workers to turn on their camera periodically and comparing the person on camera with the one that picked up the laptop from your organization.
• Ask the person on camera to walk through or explain code that they purportedly wrote.

Storm-2077: No targets left behind

Over the past decade, following numerous government indictments and the public disclosure of threat actors’ activities, tracking and attributing cyber operations originating from China has become increasingly challenging as the attackers adjust their tactics. These threat actors continue to conduct operations while using tooling and techniques against targets that often overlap with another threat actor’s operation. While analyzing activity that was affecting a handful of customers, Microsoft Threat Intelligence assembled the pieces of what would be tracked as Storm-2077. Undoubtably, this actor had some victimology and operational techniques that overlapped with a couple of threat actors that Microsoft was already tracking.  

Microsoft assesses that Storm-2077 is a China state threat actor that has been active since at least January 2024. Storm-2077 has targeted a wide variety of sectors, including government agencies and non-governmental organizations in the United States. As we continued to track Storm-2077, we observed that they went after several other industries worldwide, including the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services. Storm-2077 overlaps with activity tracked by other security vendors as TAG-100.

We assess that Storm-2077 likely operates with the objective of conducting intelligence collection. Storm-2077 has used phishing emails to gain credentials and, in certain cases, likely exploited edge-facing devices to gain initial access. We have observed techniques that focus on email data theft, which could allow them to analyze the data later without risking immediate loss of access. In some cases, Storm-2077 has used valid credentials harvested from the successful compromise of a system.

We’ve also observed Storm-2077 successfully exfiltrate emails by stealing credentials to access legitimate cloud applications such as eDiscovery applications. In other cases, Storm-2077 has been observed gaining access to cloud environments by harvesting credentials from compromised endpoints. Once administrative access was gained, Storm-2077 created their own application with mail read rights.

Access to email data is crucial for threat actors because it often contains sensitive information that could be utilized later for malicious purposes. Emails can include sign-in credentials, confidential communication, financial records, business secrets, intellectual property, and credentials for accessing critical systems, or employee information. Access to email accounts and the ability to steal email communication could enable an attacker to further their operations.

Microsoft’s talk on Storm-2077 at CYBERWARCON will highlight how vast their targeting interest covers. All sectors appear to be on the table, leaving no targets behind. Our analysts will talk about the challenges of tracking China-based threat actors and how they had to distinctly carve out Storm-2077.

CYBERWARCON Recap

At this year’s CYBERWARCON, Microsoft Security is sponsoring the post-event Fireside Recap. Hosted by Sherrod DeGrippo, this session will feature special guests who will dive into the highlights, key insights, and emerging themes that defined CYBERWARCON 2024. Interviews with speakers will offer exclusive insights and bring the conference’s biggest moments into sharp focus.

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON appeared first on Microsoft Security Blog.

At Microsoft, we remain steadfast in our commitment to security, which continues to be our top priority. Through our Secure Future Initiative (SFI), we’ve dedicated the equivalent of 34,000 full-time engineers to the effort, making it the largest cybersecurity engineering project in history—driving continuous improvement in our cyber resilience. In our latest update, we share insights into the work we are doing in culture, governance, and cybernorms to promote transparency and better support our customers in this new era of security. For each engineering pillar, we provide details on steps taken to reduce risk and provide guidance so customers can do the same.

Insights gained from SFI help us continue to harden our security posture and product development. At Microsoft Ignite 2024, we are pleased to unveil new security solutions, an industry-leading bug bounty program, and innovations in our AI platform. 

Transforming security with graph-based posture management 

Microsoft’s Security Fellow and Deputy Chief Information Security Office (CISO) John Lambert says, “Defenders think in lists, cyberattackers think in graphs. As long as this is true, attackers win,” referring to cyberattackers’ relentless focus on the relationships between things like identities, files, and devices. Exploiting these relationships helps criminals and spies do more extensive damage beyond the point of intrusion. Poor visibility and understanding of relationships and pathways between entities can limit traditional security solutions to defending in siloes, unable to detect or disrupt advanced persistent threats (APTs).

We are excited to announce the general availability of Microsoft Security Exposure Management. This innovative solution dynamically maps changing relationships between critical assets such as devices, data, identities, and other connections. Powered by our security graph, and now with third-party connectors for Rapid 7, ServiceNow, Qualys, and Tenable in preview, Exposure Management provides customers with a comprehensive, dynamic view of their IT assets and potential cyberattack paths. This empowers security teams to be more proactive with an end-to-end exposure management solution. In the constantly evolving cyberthreat landscape, defenders need tools that can quickly identify signal from noise and help prioritize critical tasks.  

Beyond seeing potential cyberattack paths, Exposure Management also helps security and IT teams measure the effectiveness of their cyber hygiene and security initiatives such as zero trust, cloud security, and more. Currently, customers are using Exposure Management in more than 70,000 cloud tenants to proactively protect critical entities and measure their cybersecurity effectiveness.

Announcing $4 million AI and cloud security bug bounty “Zero Day Quest” 

Born out of our Secure Future Initiative commitments and our belief that security is a team sport, we also announced Zero Day Quest, the industry’s largest public security research event. We have a long history of partnering across the industry to mitigate potential issues before they impact our customers, which also helps us build more secure products by default and by design.  

Every year our bug bounty program pays millions for high-quality security research with over $16 million awarded last year. Zero Day Quest will build on this work with an additional $4 million in potential rewards focused on cloud and AI—— which are areas of highest impact to our customers. We are also committed to collaborating with the security community by providing access to our engineers and AI red teams. The quest starts now and will culminate in an in-person hacking event in 2025.

As part of our ongoing commitment to transparency, we will share the details of the critical bugs once they are fixed so the whole industry can learn from them—after all, security is a team sport. 

New advances for securing AI and new skills for Security Copilot 

AI adoption is rapidly outpacing many other technologies in the digital era. Our generative AI solution, Microsoft Security Copilot, continues to be adopted by security teams to boost productivity and effectiveness. Organizations in every industry, including National Australia Bank, Intesa Sanpaolo, Oregon State University, and Eastman are able to perform security tasks faster and more accurately.² A recent study found that three months after adopting Security Copilot, organizations saw a 30% reduction in their mean time to resolve security incidents. More than 100 partners have integrated with Security Copilot to enrich the insights with ecosystem data. New Copilot skills are now available for IT admins in Microsoft Entra and Microsoft Intune, data security and compliance teams in Microsoft Purview, and security operations teams in the Microsoft Defender product family.   

According to our Security for AI team’s new “Accelerate AI transformation with strong security” white paper, we found that over 95% of organizations surveyed are either already using or developing generative AI, or they plan to do so in the future, with two thirds (66%) choosing to develop multiple AI apps of their own. This fast-paced adoption has led to 37 new AI-related bills passed into law worldwide in 2023, reflecting a growing international effort to address the security, safety, compliance, and transparency challenges posed by AI technologies.³ This underscores the criticality of securing and governing the data that fuels AI. Through Microsoft Defender, our customers have discovered and secured more than 750,000 generative AI app instances and Microsoft Purview has audited more than a billion Copilot interactions.⁴  

Microsoft Purview is already helping thousands of organizations, such as Cummins, KPMG, and Auburn University, with their AI transformation by providing data security and compliance capabilities across Microsoft and third-party applications. Now, we’re announcing new capabilities in Microsoft Purview to discover, protect, and govern data in generative AI applications. Available for preview, new capabilities in Purview include Data Loss Prevention (DLP) for Microsoft 365 Copilot, prevention of data oversharing in AI apps, and detection of risky AI use such as malicious intent, prompt injections, and misuse of protected materials. Additionally, Microsoft Purview now includes Data Security Posture Management (DSPM) that gives customers a single pane of glass to proactively discover data risks, such as sensitive data in user prompts, and receive recommended actions and insights for quick responses during incidents. For more details, read the blog on Tech Community. 

Microsoft continues to innovate on our end-to-end security platform to help defenders make the complex simpler, while staying ahead of cyberthreats and enabling their AI transformation. At the same time, we are continuously improving the safety and security of our cloud services and other technologies, including these recent steps to make Windows 11 more secure. 

Next steps with Microsoft Security

From the advances announced to our daily defense of customers, and the steadfast dedication of Chief Executive Officer (CEO) Satya Nadella and every employee, security remains our top priority at Microsoft as we deliver on our principles of secure by design, secure by default, and secure operations. To learn more about our vision for the future of security, tune in to the Microsoft Ignite keynote. 

Microsoft Ignite 2024

Gain insights to keep your organizations safer with an AI-first, end-to-end cybersecurity approach.

Register now

Are you a regular user of Microsoft Security products? Review your experience on Gartner Peer Insights™ and get a $25 gift card. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

¹ Microsoft Digital Defense Report 2024.

² Microsoft customer stories:

• National Australia Bank invests in an efficient, cloud-managed future with Windows 11 Enterprise
• Intesa Sanpaolo accrues big cybersecurity dividends with Microsoft Sentinel, Copilot for Security
• Oregon State University protects vital research and sensitive data with Microsoft Sentinel and Microsoft Defender
• Eastman catalyzes cybersecurity defenses with Copilot for Security

³ How countries around the world are trying to regulate artificial intelligence, Theara Coleman, The Week US. July 4, 2023.

⁴ Earnings Release FY25 Q1, Microsoft. October 30, 2024.

The post AI innovations for a more secure future unveiled at Microsoft Ignite appeared first on Microsoft Security Blog.

84% of surveyed organizations want to feel more confident about managing and discovering data input into AI apps and tools. This report includes research to provide you with the actionable industry-agnostic insights and guidance to better secure your data used by your generative AI applications. 

Microsoft Data Security Index

Gain deeper insights about generative AI and its influence on data security.

Discover more

In 2023, we commissioned our first independent research that surveyed more than 800 data security professionals to help business leaders develop their data security strategies. This year, we expanded the survey to 1,300 security professionals to uncover new learnings on data security and AI practices.   

Some of the top-level insights from our expanded research are:  

1. The data security landscape remains fractured across traditional and new risks due to AI.
2. User adoption of generative AI increases the risk and exposure of sensitive data.
3. Decision-makers are optimistic about AI’s potential to boost their data security effectiveness.

The data security landscape remains fractured across traditional and new risks

On average, organizations are juggling 12 different data security solutions, creating complexity that increases their vulnerability. This is especially true for the largest organizations: On average, medium enterprises use nine tools, large enterprises use 11, and extra-large enterprises use 14. In addition, 21% of decision-makers cite the lack of consolidated and comprehensive visibility caused by disparate tools as their biggest challenge and risk.

Fragmented solutions make it difficult to understand data security posture since data is isolated and disparate workflows could limit comprehensive visibility into potential risks. When tools don’t integrate, data security teams have to build processes to correlate data and establish a cohesive view of risks, which can lead to blind spots and make it challenging to detect and mitigate risks effectively.

As a result, the data also shows a strong correlation between the number of data security tools used and the frequency of data security incidents. In 2024, organizations using more data security tools (11 or more) experienced an average of 202 data security incidents, compared to 139 incidents for those with 10 or fewer tools.

In addition, a growing area of concern is the rise in data security incidents from the use of AI applications, which nearly doubled from 27% in 2023 to 40% in 2024. Attacks from the use of AI apps not only expose sensitive data but also compromise the functionality of the AI systems themselves, further complicating an already fractured data security landscape.

In short, there’s an increasingly urgent need for more integrated and cohesive data security strategies that can address both traditional and emerging risks linked to the use of AI tools.

Adoption of generative AI increases the risk and exposure of sensitive data

User adoption of generative AI increases the risk and exposure of sensitive data. As AI becomes more embedded in daily operations, organizations recognize the need for stronger protection. 96% of companies surveyed admitted that they harbored some level of reservation about employee use of generative AI. However, 93% of companies also reported that they had taken proactive action and were at some stage of either developing or implementing new controls around employee use of generative AI.  

Unauthorized AI applications can access and misuse data, leading to potential breaches. The use of these unauthorized AI applications often occurs with employees logging in with personal credentials or using personal devices for work-related tasks. On average, 65% of organizations admit that their employees are using unsanctioned AI apps.

Given these concerns, it is important for organizations to implement the right data security controls and to mitigate these risks and ensure that AI tools are used responsibly. Currently, 43% of companies are focused on preventing sensitive data from being uploaded into AI apps, while another 42% are logging all activities and content within these apps for potential investigations or incident response. Similarly, 42% are blocking user access to unauthorized tools, and an equal percentage are investing in employee training on secure AI use.

To implement the right data security controls, customers need to increase their visibility of their AI application usage as well as the data that is flowing through those applications. In addition, they need a way to assess the risk levels of emerging generative AI applications and be able to apply conditional access policies to those applications based on a user’s risk levels.

Finally, they need to be able to access audit logs and generate reports to help them assess their overall risk levels as well as provide transparency and reporting for regulatory compliance.

AI’s potential to boost data security effectiveness

Traditional data security measures often struggle to keep up with the sheer volume of data generated in today’s digital landscape. AI, however, can sift through this data, identifying patterns and anomalies that might indicate a security threat. Regardless of where they are in their generative AI adoption journeys, organizations that have implemented AI-enabled data security solutions often gain both increased visibility across their digital estates and increased capacity to process and analyze incidents as they are detected.

77% of organizations believe that AI will accelerate their ability to discover unprotected sensitive data, detect anomalous activity, and automatically protect at-risk data. 76% believe AI will improve the accuracy of their data security strategies, and an overwhelming 93% are at least planning to use AI for data security.

Organizations already using AI as part of their data security operations also report fewer alerts. On average, organizations using AI security tools receive 47 alerts per day, compared to an average 79 alerts among those that have yet to implement similar AI solutions.

AI’s ability to analyze vast amounts of data, detect anomalies, and respond to threats in real-time offers a promising avenue for strengthening data security. This optimism is also driving investments in AI-powered data security solutions, which are expected to play a pivotal role in future security strategies.

As we look to the future, customers are looking for ways to streamline how they discover and label sensitive data, provide more effective and accurate alerts, simplify investigations, make recommendations to better secure their data environments, and ultimately reduce the number of data security incidents.

Final thoughts 

So, what can be made of this new generative AI revolution, especially as it pertains to data security? For those beginning their adoption roadmap or looking for ways to improve, here are three broadly applicable recommendations:  

• Hedge against data security incidents by adopting an integrated platform.
• Adopt controls for employee use of generative AI that won’t impact productivity. 
• Uplevel your data security strategy with help from AI.

Gain deeper insights about generative AI and its influence on data security by exploring Data Security Index: Trends, insights, and strategies to keep your data secure and navigate generative AI. There you’ll also find in-depth sentiment analysis from participating data security professionals, providing even more insight into common thought processes around generative AI adoption. For further reading, you can also check out the Data Security as a Foundation for Secure AI Adoption white paper. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post Microsoft Data Security Index annual report highlights evolving generative AI security needs appeared first on Microsoft Security Blog.

As part of the department’s ongoing assessments of zero trust implementation, Flank Speed just underwent its second round of security assessments sponsored by the DoD Zero Trust Portfolio Management Office (PfMO)—with tremendous results. Just two years after the initial DoD guidance was issued, the United States Navy demonstrated that their integrated approach to security could achieve the department’s ZT goals, years ahead of schedule. The model developed by the Navy in collaboration with Microsoft can be replicated to help both civilian and defense agencies to similarly accelerate their own zero trust goals. 

DoD Zero Trust Report

The United States Navy is proving that Zero Trust goes beyond compliance standards and has become a proven security methodology with real world results.  

Discover more

During the exhaustive test, the comprehensive, integrated suite of Microsoft Security tools enabled Navy personnel to meet Target Level zero trust implementation, achieving 100% success in the 91 Target Level activities tested. Further testing of 61 Advanced Level zero trust activities determined the Navy had achieved success in nearly all (60 of 61) advanced Target Level activities.

The DoD expanded beyond traditional penetration testing to thoroughly evaluate all 152 zero trust activities. Prior to the month-long test, military personnel were trained on the effective operation of the comprehensive zero trust solution over the course of six months. This training allowed Navy personnel to detect and mitigate all attack vectors presented to them by the near-peer adversary assessment team.  

“Flank Speed’s unprecedented ability to achieve the very highest level of DoD ZT outcomes demonstrate to us that the department and the federal government that ZT cyber defenses work very effectively to protect and defend our data and systems against the very latest cyber-attacks from our adversaries.”

—Mr. Randy Resnick, Senior Executive Service, Chief ZT Officer for the DoD 

Components of success 

Flank Speed is a large-scale deployment born out of the need to securely facilitate remote workers at the onset of the COVID-19 pandemic and built on the Navy’s unclassified combined Azure and Microsoft 365 Impact Level 5(IL5) cloud. To achieve a secure operating environment, the Navy aligned its security approach around the DoD’s seven zero trust pillars—each of which represents its own protection area:  

As outlined in the diagram below, the Microsoft 365 E5 package combines best-in-class productivity solutions with comprehensive security technologies that can address all seven pillars of the DoD Zero Trust Strategy.  

This comprehensive and extensible zero trust platform supports a range of environments including hybrid cloud, multicloud, and multiplatform needs. It brings pre-integrated extended detection and response (XDR) services, coupled with cloud-based device management and cloud-based identity and access management to meet the security priorities necessary for all defense and civilian organizations. The specific technologies and implementation strategies that support each pillar are outlined in this blog post. Microsoft has also published a higher-level Security Adoption Framework (SAF) that provides guidance to organizations as they navigate the ever-changing security landscape. 

A partner agencies can trust 

Implementation of a zero trust solution from scratch can be a daunting task. A successful deployment requires the integration of properly configured technologies across numerous product categories. No single product can effectively achieve zero trust goals alone, but selecting a set of integrated capabilities whether first or third party can provide significant acceleration. In order to be effective in the long term, a zero trust implementation must also be flexible enough to adapt quickly to new adversary tactics. Following the White House Executive Order to improve the nation’s cybersecurity and protect federal government networks, Microsoft offered technical expertise that helped architect and deploy technologies aligned to the DoD ZT strategy, including continuous monitoring, big data analysis, and comply-to-connect components. 

The success of Flank Speed is a critical demonstration of this collaborative approach to implementation. That a complex and critical environment such as that belonging to the Navy fully met not only its Target Level zero trust activities, but nearly all of the Advanced Level criteria more than three years before the DoD’s 2027 deadline with a repeatable solution, is a testament that zero trust can be implemented effectively at scale across the government.  

Importantly, though Flank Speed itself is cloud-native, it has been deployed to extend its usability and security capabilities to both cloud-only and existing on-premises workloads and devices, both ashore and afloat. This gave the Navy a rapid path to increased security that was independent of any effort to modernize or sunset existing legacy assets. Along with the proven security achievements, this capacity to extend zero trust security to existing infrastructure could have wide-ranging benefits for organizations pursuing similar cybersecurity goals of a homogeneous security baseline across heterogeneous environments. 

A commitment to security and innovation 

Microsoft’s support in helping the United States Department of Defense and its branches achieve zero trust implementation also helps inform Microsoft’s own Secure Future Initiative, which aims to continuously apply the company’s cumulative security learnings in an effort to improve its own methods and practices, and to ensure that security is kept paramount in everything Microsoft creates and provides to its customers. Independent learnings gleaned as part of the Secure Future Initiative, in return, help Microsoft refine its approach in support of government organizations and a vast ecosystem of security partners. In this way Microsoft can work to ensure that zero trust environments supported by Microsoft 365 and Azure stay up to date, even as cyber threat actors change and mature their tactics and tools. This continuous collaboration advances the broader effort to secure and support the United States national security and the security posture of democratic organizations the world over.  

Microsoft commends the United States Navy for their milestone achievement. The United States Navy and the United States Department of Defense are proving that zero trust goes beyond compliance standards and has become a proven security methodology with real world results.  

Next steps

To learn more about how to accelerate your Zero Trust implementation with best practices, the latest trends, and a framework informed by real-world deployments, visit our latest guidance. 

 To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post DoD Zero Trust Strategy proves security benchmark years ahead of schedule with Microsoft collaboration appeared first on Microsoft Security Blog.

According to a recent survey conducted by ISMG, the top concerns for both business executives and security leaders on using generative AI in their organization range, from data security and governance, transparency and accountability to regulatory compliance.¹ In this paper, the first in a series on AI compliance, governance, and safety from the Microsoft Security team, we provide business and technical leaders with an overview of potential security risks when deploying generative AI, along with insights into recommended safeguards and approaches to adopt the technology responsibly and effectively.

Learn how to deploy generative AI securely and responsibly

In the paper, we explore five critical areas to help ensure the responsible and effective deployment of generative AI: data security, managing hallucinations and overreliance, addressing biases, legal and regulatory compliance, and defending against threat actors. Each section provides essential insights and practical strategies for navigating these challenges. 

Data security

Data security is a top concern for business and cybersecurity leaders. Specific worries include data leakage, over-permissioned data, and improper internal sharing. Traditional methods like applying data permissions and lifecycle management can enhance security. 

Managing hallucinations and overreliance

Generative AI hallucinations can lead to inaccurate data and flawed decisions. We explore techniques to help ensure AI output accuracy and minimize overreliance risks, including grounding data on trusted sources and using AI red teaming. 

Defending against threat actors

Threat actors use AI for cyberattacks, making safeguards essential. We cover protecting against malicious model instructions, AI system jailbreaks, and AI-driven attacks, emphasizing authentication measures and insider risk programs. 

Addressing biases

Reducing bias is crucial to help ensure fair AI use. We discuss methods to identify and mitigate biases from training data and generative systems, emphasizing the role of ethics committees and diversity practices.

Legal and regulatory compliance

Navigating AI regulations is challenging due to unclear guidelines and global disparities. We offer best practices for aligning AI initiatives with legal and ethical standards, including establishing ethics committees and leveraging frameworks like the NIST AI Risk Management Framework.

Explore concrete actions for the future

As your organization adopts generative AI, it’s critical to implement responsible AI principles—including fairness, reliability, safety, privacy, inclusiveness, transparency, and accountability. In this paper, we provide an effective approach that uses the “map, measure, and manage” framework as a guide; as well as explore the importance of experimentation, efficiency, and continuous improvement in your AI deployment.

I’m excited to launch this series on AI compliance, governance, and safety with a strategy paper on minimizing risk and enabling your organization to reap the benefits of generative AI. We hope this series serves as a guide to unlock the full potential of generative AI while ensuring security, compliance, and ethical use—and trust the guidance will empower your organization with the knowledge and tools needed to thrive in this new era for business.

Additional resources

• Get the Grow Your Business with AI You Can Trust e-book.
• Explore the Introduction to Generative AI and Safety guide.

Minimize Risk and Reap the Benefits of AI

Get more insights from Bret Arsenault on emerging security challenges from his Microsoft Security blogs covering topics like next generation built-in security, insider risk management, managing hybrid work, and more.

^{1, 2} ISMG’s First annual generative AI study – Business rewards vs. security risks: Research report, ISMG.

The post More value, less risk: How to implement generative AI across the organization securely and responsibly appeared first on Microsoft Security Blog.

We are announcing a resource to help our customers answer these questions: The Microsoft Zero Trust Workshop, a self-service tool to help you plan and execute your Zero Trust journey guide by yourself or with the guidance of a partner.

The Zero Trust Workshop lets you customize your organization’s end-to-end security deployment to your unique business needs and your environment with a powerful tool that: provides a comprehensive assessment of zero trust capabilities learned from hundreds of deployments; guides you with a visual easy-to-use tool that explains each step of the journey; and delivers a digital artifact that you and your team can use to plan and prioritize your next steps and to compare and measure progress regularly. 

Zero Trust Workshop

A comprehensive technical guide to help customers and partners adopt a Zero Trust strategy and deploy security solutions end-to-end to secure their organizations.

Learn more

How our workshop helps customers and partners solidify their Zero Trust strategy 

Over the past year, we have piloted this workshop with more than 30 customers and partners. They have consistently told us that this provides them with the clarity, coverage, and actionable guidance they need to secure their organization within each Zero Trust pillar and across the pillars. When asked how likely they are to recommend the workshop to their partner teams or to other customers, customers give the workshop a net promoter score of 73.

The layout and question structure is fantastic as it provokes a fair amount of thought around adding each of the capabilities to take a multi-faceted approach to authentication and authorization.

—Senior vice president at a major financial institution

Security is a team sport, and we recognize that customers often need security partners to help them plan and execute their security strategy. This is why we partnered with several deployment partners across the pillars of Zero Trust to get their feedback on the workshop and how they would use it to help their customers.

The Zero Trust Workshop is a great starting point for our customers who want to embrace Zero Trust principles, but don’t know how to align the technology they already own. Furthermore, the workshop allows our customers to measure the progress they’ve made and aim for the next incremental hardening of the Zero Trust model, which is part and parcel of the Zero Trust manner of thinking. As a Microsoft partner and as an MVP, I advocate that customers use the materials provided by Microsoft, including these workshops, to measure and further their security posture.

—Nicolas Blank, NBConsult

[The Zero Trust workshop] has enabled Slalom to help clients accelerate their efforts towards a comprehensive cyber resilience strategy. It provides a clear picture of an organization’s current state and provides a template for order of operations and best practices in a very tidy package. It’s an easy-to-use tool with a huge impact, and our clients and workshop participants have been very impressed by how it organizes and prioritizes a complex set of operations in an approachable and manageable way.

—Slalom

How to start using the workshop to plan your Zero Trust journey

The Zero Trust Workshop is comprised of two main components, all in one handy file you can download and use to drive these conversations: 

• The Zero Trust Basic Assessment (optional): For customers starting on their Zero Trust journey, the assessment is a foundational tool that customers can run before the workshop to check for common misconfigurations and gaps in settings (for example, having too many global admins) to remediate before starting to enable the security features and capabilities of a Zero Trust journey.  

• The Zero Trust Strategy workshop: This is a guided breakdown of the Zero Trust areas according to the standard Zero Trust pillars (Identity, Devices, Data, Network, Infrastructure and Application, and Security Operations). For each pillar, we walk you through the associated areas with a proposed “do this first, consider this then, think about this next” order to how you should tackle them. For each area and capability, you have guidance on why it matters and options to address it and then can discuss it with your stakeholder and decide if this is something you already did, something you are going to do, or something you do not plan to implement at this time. As you progress through the different boxes and areas, you create an artifact for your organization on how well-deployed you are in this Zero Trust pillar and what are the next areas to tackle.  

Now, we are launching the Identity, Devices, and Data pillars. We will add the Network, Infrastructure and Application, and Security Operations in the coming few months. The website for the workshop will announce these as they become available.

I invite you to check out the Zero Trust Workshop site where we have detailed training videos and content. 

For our valued security deployment partners, the workshop is also included in the recently launched Zero Trust Partner kit where, as a partner, you can take the workshop material and customize it for your customer engagements based on your needs. 

Closing thoughts

We all need to work together to help secure the world we live in and keep people safe with the intention of collective defense. As shared in the most recent Microsoft Digital Defense Report, the cyber threat landscape is ever-growing and requires a collaborative approach between product vendors, security experts, and customers to help protect everyone. In the spirit of working with the wider ecosystem to help secure all customers, we recently partnered with NIST’s NCCoE and more than 20 security vendors to publish a guide on how to adopt NIST’s Zero Trust reference architecture using Microsoft’s Security products and this is another example of us working with all of you deploying security out there to help secure the ecosystem. 

We would love to hear how you are using it. Use the feedback form on the site to share with us how we can improve it to help your organization implement a Zero Trust journey. 

Additional resources to accelerate your Zero Trust journey 

This joins a library of other resources to guide your security modernization and Zero Trust journey, including: 

• The Zero Trust Guidance center

• The Microsoft Security Adoption Framework (SAF) which includes the Microsoft Cybersecurity Reference Architecture and the Chief Information Security Officer (CISO) Workshop.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

The post ​​Zero Trust Workshop: Advance your knowledge with an online resource appeared first on Microsoft Security Blog.

Unique characteristics of QR code phishing campaigns

Like with other phishing techniques, the goal of QR code phishing attacks is to get the user to click on a malicious link that seems legitimate. They often use minimalistic emails to deliver malicious QR codes that prompt seemingly legitimate actions—like password resets or two-factor authentication verifications. A QR code can also be easily manipulated to redirect unsuspecting victims to malicious websites or to download malware in exactly the same way as URLs.

Figure 1. QR code as an image within email body redirecting to a malicious website.

The normal warning signs users might notice on larger screens can often go unnoticed on mobile devices. While the tactics, techniques, and procedures (TTPs) vary depending on which bad actor is at work, Microsoft Defender for Office 365 has detected a key set of patterns in QR code phishing attacks, including but not limited to:

• URL redirection, where a click or tap takes you not where you expected, but to a forwarded URL.
• Minimal to no text, which reduces the signals available for analysis and machine learning detection.
• Exploiting a known or trusted brand, using their familiarity and reputation to increase likelihood of interaction.
• Exploiting known email channels that trusted, legitimate senders use.
• A variety of social lures, including multifactor authentication, document signing, and more.
• Embedding QR codes in attachments.

The impact of QR code phishing campaigns on the broader email security industry

With the most common intent of QR code phishing being credential theft, malware distribution, or financial theft, QR code campaigns are often massive—exceeding 1,000 users and follow targeted information gathering reconnaissance by bad actors.²

Microsoft security researchers first started noticing an increase in QR-code based attacks in September 2023. We saw attackers quickly morphing their techniques in two keys ways: First by manipulating the way that the QR code rendered (such as different colors and tables), and second by manipulating the embedded URL to do redirection.

The dynamic nature of QR codes made it challenging for traditional email security mechanisms that were designed for link-based phishing techniques to effectively filter and protect against these types of cyberattacks. A key reason was the fact that extensive image content analysis was not commonly done for every image in every message, and did not represent a standard in the industry at the time of the surge.

As a result, for several months our customers saw an increase in bad email that contained malicious QR codes as we were adapting and evolving our technology to be effective against QR codes. This was a challenging time for our customers and those of other email security vendors. We added incremental resources and redirected all our engineering energy to address these issues, and along the way not only delivered new technological innovations but also modified our processes and modernized components of our pipeline to be more resilient in the future. Now these challenges have been addressed through a key set of innovations, and we want to share our learnings and technology advancements moving forward.

For bad actors, QR code phishing has become a lucrative business, and attackers are utilizing AI and large language models (LLMs) like ChatGPT to increase the speed and improve the believability of their attacks. Recent research by Insikt Group noted that bad actors can generate 1,000 phishing emails in under two hours for as little as $10.³ For the security industry, this necessitates a multifaceted response including improved employee training and a renewed commitment to innovation.

The necessity of innovation in QR code phishing defense

Innovation in the face of evolving QR code phishing risk is not just beneficial, it’s imperative. As cybercriminals continually refine their tactics to exploit new technologies, security solutions must evolve at a similar pace to remain effective. In response to the growing threat of QR code phishing, Microsoft Defender for Office 365 took decisive action to leverage advanced machine learning and AI—developing robust defenses capable of detecting and neutralizing QR code phishing attacks in real time. Our team meticulously analyzed these cyberthreats across trillions of signals, gaining valuable insights into their mechanisms and evolving patterns. This knowledge helped us refine our security protocols and enhance our platform’s resilience with several strategic updates. As the largest email security provider, we have seen a significant decline in QR code phishing attempts. At the height, Defender for Office 365 was blocking 3 million attempts daily, and with the delivery of innovative protection we have seen this number shrink to 200,000 QR code phishing attempts every day. This is testament that our innovation is having the desired effect: reducing the effectiveness of QR code-based attacks and forcing attackers to shift their tactics.

Figure 2. QR code phishing blocked by Microsoft Defender for Office 365.

Recent innovations and protections we’ve implemented and improved within Microsoft Defender for Office 365 to help combat QR code phishing include:

• URL extraction enhancements: Microsoft Defender for Office 365 has improved its capabilities to extract URLs from QR codes, substantially boosting the system’s ability to detect and counteract phishing links hidden within QR images. This enhancement enables a more thorough analysis of potential cyberthreats embedded in QR codes. In addition, we now extract metadata from QR codes, which enriches the contextual data available during threat assessments, enhancing our ability to detect suspicious activities early in the attack chain.
• Advanced image processing: Advanced image processing techniques at the initial stage of the mail flow process allow us to extract and log URLs hidden within QR codes. This proactive measure disrupts attacks before they have a chance to compromise end user inboxes, addressing cyberthreats at the earliest possible point.
• Advanced hunting and remediation: To offer a comprehensive response to QR code threats across email, endpoint, and identities with our advanced hunting capabilities, security teams across organizations are well equipped to specifically identify and filter out malicious activities linked to these codes.
• User resilience against QR code phishing: To further equip our organization against these emerging threats, Microsoft Defender for Office 365 has expanded its advanced capabilities to include QR code threats, maintaining alignment with email platforms and specific cyberattack techniques. Our attack simulation training systems along with standard setup of user selection, payload configuration, and scheduling, now have specialized payloads for QR code phishing to simulate authentic attack scenarios.

Read more technical details on how to hunt and respond to QR code-based attacks. By integrating all these capabilities across the Microsoft Defender XDR platform, we can help ensure any QR code-related threats identified in emails are thoroughly analyzed in conjunction with endpoint and identity data, creating a robust security posture that addresses threats on multiple fronts.

Staying ahead of the evolving threat landscape 

The enhancements of Microsoft Defender for Office 365 to defend against QR code-based phishing attacks showcased our need to advance Microsoft’s email and collaboration security faster. The rollout of the above has closed this gap and made Defender for Office 365 effective against these attacks, and as the use of QR codes expands, our defensive tactics will now equally advanced to combat them.

Our continuous investment in analyzing the cyberthreat landscape, learning from past gaps, and our updated infrastructure will enable us to effectively handle present issues and proactively address future risks faster as threats emerge across email and collaboration tools. We will soon be sharing more exciting innovation that will showcase our commitment to delivering the best email and collaboration security solution to customers.

For more information, view the data sheet on protecting against QR code phishing or visit the website to learn more about Microsoft Defender for Office 365.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Attackers Weaponizing QR Codes to Steal Employees Microsoft Credentials, Cybersecurity News. August 22, 2023.

²Hunting for QR Code AiTM Phishing and User Compromise, Microsoft Tech Community. February 12, 2024.

³Security Challenges Rise as QR Code and AI-Generated Phishing Proliferate, Recorded Future. July 18, 2024.

The post How Microsoft Defender for Office 365 innovated to address QR code phishing attacks appeared first on Microsoft Security Blog.

Microsoft assesses that credentials acquired from CovertNetwork-1658 password spray operations are used by multiple Chinese threat actors. In particular, Microsoft has observed the Chinese threat actor Storm-0940 using credentials from CovertNetwork-1658. Active since at least 2021, Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services. Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others.

As with any observed nation-state threat actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to help secure their environments. In this blog, we provide more information about CovertNetwork-1658 infrastructure, and associated Storm-0940 activity. We also share mitigation recommendations, detection information, and hunting queries that can help organizations identify, investigate, and mitigate associated activity.

What is CovertNetwork-1658?

Microsoft tracks a network of compromised small office and home office (SOHO) routers as CovertNetwork-1658. SOHO routers manufactured by TP-Link make up most of this network. Microsoft uses “CovertNetwork” to refer to a collection of egress IPs consisting of compromised or leased devices that may be used by one or more threat actors.

CovertNetwork-1658 specifically refers to a collection of egress IPs that may be used by one or more Chinese threat actors and is wholly comprised of compromised devices. Microsoft assesses that a threat actor located in China established and maintains this network. The threat actor exploits a vulnerability in the routers to gain remote code execution capability. We continue to investigate the specific exploit by which this threat actor compromises these routers. Microsoft assesses that multiple Chinese threat actors use the credentials acquired from CovertNetwork-1658 password spray operations to perform computer network exploitation (CNE) activities.

Post-compromise activity on compromised routers

After successfully gaining access to a vulnerable router, in some instances, the following steps are taken by the threat actor to prepare the router for password spray operations:

1. Download Telnet binary from a remote File Transfer Protocol (FTP) server
2. Download xlogin backdoor binary from a remote FTP server
3. Utilize the downloaded Telnet and xlogin binaries to start an access-controlled command shell on TCP port 7777
4. Connect and authenticate to the xlogin backdoor listening on TCP port 7777
5. Download a SOCKS5 server binary to router
6. Start SOCKS5 server on TCP port 11288

CovertNetwork-1658 is observed conducting their password spray campaigns through this proxy network to ensure the password spray attempts originate from the compromised devices.

Password spray activity from CovertNetwork-1658 infrastructure

Microsoft has observed multiple password spray campaigns originating from CovertNetwork-1658 infrastructure. In these campaigns, CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization. In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day. Figure 2 depicts this distribution in greater detail.

CovertNetwork-1658 infrastructure is difficult to monitor due to the following characteristics:

• The use of compromised SOHO IP addresses
• The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
• The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity

Various security vendors have reported on CovertNetwork-1658 activities, including Sekoia (July 2024) and Team Cymru (August 2024). Microsoft assesses that after these blogs were published, the usage of CovertNetwork-1658 network has declined substantially. The below chart highlights a steady and steep decline in the use of CovertNetwork-1658’s original infrastructure since their activities have been exposed in public reporting as observed in Censys.IO data.

Microsoft assesses that CovertNetwork-1658 has not stopped operations as indicated in recent activity but is likely acquiring new infrastructure with modified fingerprints from what has been publicly disclosed. An observed increase in recent activity may be early evidence supporting this assessment.

Historically, Microsoft has observed an average of 8,000 compromised devices actively engaged in the CovertNetwork-1658 network at any given time. On average, about 20 percent of these devices perform password spraying at any given time. Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time. This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.

Below are User Agent Strings* observed in the password spray activity:

• Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36

*Note: We updated this list of User Agent Strings on November 4, 2024 to fix typos.

Observed activity tied to Storm-0940

Microsoft has observed numerous cases where Storm-0940 has gained initial access to target organizations using valid credentials obtained through CovertNetwork-1658’s password spray operations. In some instances, Storm-0940 was observed using compromised credentials that were obtained from CovertNetwork-1658 infrastructure on the same day. This quick operational hand-off of compromised credentials is evidence of a likely close working relationship between the operators of CovertNetwork-1658 and Storm-0940.

After successfully gaining access to a victim environment, in some instances, Storm-0940 has been observed:        

• Using scanning and credential dumping tools to move laterally within the network;
• Attempting to access network devices and install proxy tools and remote access trojans (RATs) for persistence; and
• Attempting to exfiltrate data.

Recommendations

Organizations can defend against password spraying by building credential hygiene and hardening cloud identities. Microsoft recommends the following mitigations to reduce the impact of this threat:

• Educate users on the importance of credential hygiene and avoiding password reuse.
• Enforce multi-factor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times. Microsoft continues to expand MFA defaults for products and services like Azure to broaden MFA adoption.
  • Consider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business.
  • Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
• Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA.
• Disable legacy authentication.
• Use a cloud-based identity security solution to identify and detect threats or compromised identities.
• Disable stale or unused accounts.
• Reset account passwords for any accounts targeted during a password spray attack. If a targeted account had system-level permissions, further investigation may be warranted.
• Implement the Azure Security Benchmark and general best practices for securing identity infrastructure, including:
  • Create conditional access policies to allow or disallow access to the environment based on defined criteria.
• • Block legacy authentication with Azure AD by using Conditional Access. Legacy authentication protocols don’t have the ability to enforce MFA, so blocking such authentication methods will prevent password spray attackers from taking advantage of the lack of MFA on those protocols.
  • Enable AD FS web application proxy extranet lockout to protect users from potential password brute force compromise.
• Secure accounts with credential hygiene:
  • Practice the principle of least privilege and audit privileged account activity in your Azure AD environments to slow and stop attackers.
  • Deploy Azure AD Connect Health for ADFS. This captures failed attempts as well as IP addresses recorded in ADFS logs for bad requests via the Risky IP report.
  • Use Azure AD password protection to detect and block known weak passwords and their variants.
  • Turn on identity protection in Azure AD to monitor for identity-based risks and create policies for risky sign ins.
• Educate users about phishing attempts and MFA fatigue attacks. Encourage users to report unsolicited MFA authentication prompts.
• Review your Anomaly detection policies in Defender for Cloud Apps under Microsoft 365 Defender Policies by going to Cloud Apps > Policies > Policy management. Then select Anomaly detection policy.

Detection details

Alerts with the following titles in the Security Center can indicate threat activity on your network:

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert can indicate associated threat activity:

• Storm-0940 actor activity detected

Microsoft Defender XDR

The following alert might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Password spray attacks originating from single ISP

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

• Password Spray
• Unfamiliar Sign-in properties
• Atypical travel
• Suspicious behavior: Impossible travel activity

Microsoft Defender for Cloud Apps

The following Microsoft Defender for Cloud Apps alerts can indicate associated threat activity:

• Suspicious Administrative Activity
• Impossible travel activity

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Potential Storm-0940 activity           

This query identifies UserAgents obtained from observed activity and AAD SignInEvent attributes that identify potential activity to guide investigation:

//Advanced Hunting Query
let suspAppRes = datatable(appId:string, resourceId:string)
[
    "1950a258-227b-4e31-a9cf-717495945fc2", "00000003-0000-0000-c000-000000000000"
];
let userAgents = datatable(userAgent:string)
[
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" //Low fidelity
];
AADSignInEventsBeta
| where Timestamp >=ago(30d)
| where ApplicationId in ((suspAppRes | project appId)) and ResourceId in ((suspAppRes | project resourceId)) and UserAgent in ((userAgents| project userAgent))
Failed sign-in activity
The following query identifies failed attempts to sign-in from multiple sources that originate from a single ISP. Attackers distribute attacks from multiple IP addresses across a single service provider to evade detection
IdentityLogonEvents
| where Timestamp > ago(4h)
| where ActionType == "LogonFailed"
| where isnotempty(AccountObjectId)
| summarize TargetCount = dcount(AccountObjectId), TargetCountry = dcount(Location), TargetIPAddress = dcount(IPAddress) by ISP
| where TargetCount >= 100
| where TargetCountry >= 5
| where TargetIPAddress >= 25

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Potential Storm-0940 activity

This query identifies UserAgents obtained from observed activity and AAD SignInEvent attributes that identify potential activity to guide investigation:

//sentinelquery
let suspAppRes = datatable(appId:string, resourceId:string)
[
    "1950a258-227b-4e31-a9cf-717495945fc2", "00000003-0000-0000-c000-000000000000"
];
let userAgents = datatable(userAgent:string)
[
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" //Low fidelity
];
SigninLogs
| where TimeGenerated >=ago(30d)
| where AppId  in ((suspAppRes | project appId)) and ResourceIdentity in ((suspAppRes | project resourceId)) and UserAgent in ((userAgents| project userAgent))

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network appeared first on Microsoft Security Blog.

A Leader in the market with an innovative solution for the SOC  

Microsoft Sentinel provides a unique experience for customers to help them act faster and stay safer while managing the scaling costs of security. Customers choose our SIEM in order to:  

Protect everything with a comprehensive SIEM solution. Microsoft Sentinel is a cloud-native solution that supports detection, investigation, and response across multi-cloud and multi-platform data sources with 340+ out-of-the-box connectors A strength of Microsoft’s offering is its breadth, which includes user entity and behavior analytics (UEBA), threat intelligence and security orchestration, automation, and response (SOAR) capabilities, along with native integrations into Microsoft Defender threat protection products. 

• Enhance security with a unified security operations platform. Customers get the best protection when pairing Microsoft Sentinel with Defender XDR in Microsoft’s unified security operations platform. The integration not only brings the two products together into one experience but combines functionalities across each to maximize efficiency and security. One example is the unified correlation engine which delivers 50% faster alerting between first- and third-party data, custom detections and threat intelligence.³ Customers can stay safer with a unified approach, with capabilities like automatic attack disruption—which contains attacks in progress, limiting their impact at machine speed.   

• Address any scenario. As the first cloud-native SIEM, Microsoft Sentinel helps customers observe threats across their digital estate with the flexibility required for today’s challenges. Our content hub offerings include over 200 Microsoft- created solutions and over 280 community contributions. The ability to adapt to the unique use cases of an organization is something called out in both the Forrester and Gartner reports.  

• Scale your security coverage with cloud flexibility. Compared with legacy, on-premises SIEM solutions, Microsoft Sentinel customers see up to a 234% return on investment (ROI).¹ This makes it an attractive option for customers looking for a scalable offering to meet the evolving needs of their business while managing the costs of data. We’ve recently launched a new, low-cost data tier called Auxiliary Logs to help customers increase the visibility of their digital environment, while keeping their budgets in check. In addition, Microsoft’s SOC Optimizations feature, a first of its kind offering, provides targeted recommendations to users on how to better leverage their security data to manage costs and maximize their protection, based on their specific environment and using frameworks like the MITRE attack map  

• Respond quickly to emergent threats with AI. Security Copilot is a GenAI tool that can help analysts increase the speed of their response, uplevel their skills, and improve the quality of their work. 92% of analysts reported using Copilot helped make them more productive and 93% reported an improvement in the quality of their work.²  

What’s next in Microsoft Security 

Microsoft is dedicated to continued leadership in security through ongoing investment to provide customers with the intelligence, automation, and scalability they need to protect their businesses and work efficiently. New and upcoming enhancements include more unified features across SIEM and XDR, exposure management and cloud security in the unified security operations platform, and our SIEM migration tool—which now supports conversion of Splunk detections to Microsoft Sentinel analytics rules and additional Copilot skills to help analysts do their job better.  

​​CTA​: To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

^[1] The Total Economic Impact™ Of Microsoft Sentinel (forrester.com) 

^[2] Microsoft Copilot for Security randomized controlled trial (RCT) with experienced security analysts conducted by Microsoft Office of the Chief Economist, January 2024 

³Microsoft internal data 

Gartner, Magic Quadrant for Security Information and Event Management, By Andrew Davies, Mitchell Schneider, Rustam Malik, Eric Ahlm, 8 May 2024 

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

The post ​​Microsoft now a Leader in three major analyst reports for SIEM appeared first on Microsoft Security Blog.

To help us better understand the SMB security needs and trends, Microsoft partnered with Bredin, a company specializing in SMB research and insights, to conduct a survey focused on security for businesses with 25 to 299 employees. As we share these insights below, and initial actions that can take to address them, SMBs can also find additional best practices to stay secure in the Be Cybersmart Kit.  

SMB Cybersecurity Research Report

Read the full report to learn more about how security is continuing to play an important role for SMBs.

Discover more

1. One in three SMBs have been victims of a cyberattack 

With cyberattacks on the rise, SMBs are increasingly affected. Research shows that 31% of SMBs have been victims of cyberattacks such as ransomware, phishing, or data breaches. Despite this, many SMBs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targeted by hackers or assume that compliance equates to security. It is crucial to understand that bad actors pose a threat to businesses of all sizes, and complacency in cybersecurity can lead to significant risks. 

How can SMBs approach this?

Microsoft, in collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has outlined four simple best practices to creates a strong cybersecurity foundation.

• Use strong passwords and consider a password manager.
• Turn on multifactor authentication.
• Learn to recognize and report phishing.
• Make sure to keep your software updated.

2. Cyberattacks cost SMBs more than $250,000 on average and up to $7,000,000 

The unexpected costs of a cyberattack can be devastating for an SMB and make it difficult to financially recover from. These costs can include expenses incurred for investigation and recovery efforts to resolve the incident, and associated fines related to a data breach. Cyberattacks not only present an immediate financial strain but can also have longer term impacts on an SMB. Diminished customer trust due to a cyberattack can cause broader reputational damage and lead to missed business opportunities in the future. It’s difficult to anticipate the impact of a cyberattack because the time it takes to recover can vary from one day to more than a month. While many SMBs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time needed to restore operations and resume normal business activities 

How can SMBs approach this?

SMBs can conduct a cybersecurity risk assessment to understand gaps in security and determine steps to resolve them. These assessments can help SMBs uncover areas open to attack to minimize them, ensure compliance with regulatory requirements, establish incident response plans, and more. Effectively and proactively planning can help minimize the financial, reputational, and operational costs associated with a cyberattack should one happen. Many organizations provide self-service assessments, and working with a security specialist or security service provider can bring additional expertise and guidance through the process as needed.

3. 81% of SMBs believe AI increases the need for additional security controls

The rapid advancement of AI technologies and the ease of use through simple user interfaces creates notable challenges for SMBs when used by employees. Without the proper tools in place to secure company data, AI use can lead to sensitive or confidential information getting in the wrong hands. Fortunately, more than half of companies currently not using AI security tools intend to implement them within the next six months for more advanced security. 

How can SMBs approach this?

Data security and data governance play a critical role in successful adoption and use of AI. Data security, which includes labeling and encrypting documents and information, can mitigate the chance of restricted information being referenced in AI prompts. Data governance, or the process of managing, understanding, and securing data, can help establish a framework to effectively organize data within.

4. 94% consider cybersecurity critical to their business 

Recognizing the critical importance of cybersecurity, 94% of SMBs consider it essential to their operations. While it was not always considered a top priority given limited resources and in-house expertise, the rise in cyberthreats and increased sophistication of cyberattacks now pose significant risks for SMBs that is largely recognized across the SMB space. Managing work data on personal devices, ransomware, and phishing and more are cited as top challenges that SMBs are facing. 

How can SMBs approach this?

For SMBs that want to get started with available resources to train and educate employees, security topics across Cybersecurity 101, Phishing, and more are provided through Microsoft’s Cybersecurity Awareness site.

5. Less than 30% of SMBs manage their security in-house 

Given the limited resources and in-house expertise within SMBs, many turn to security specialists for assistance. Less than 30% of SMBs manage security in-house and generally rely on security consultants or service providers to manage security needs. These security professionals provide crucial support in researching, selecting, and implementing cybersecurity solutions, ensuring that SMBs are protected from new threats. 

How can SMBs approach this?

Hiring a Managed Service Provider (MSP) is commonly used to supplement internal business operations. MSPs are organizations that help manage broad IT services, including security, and serve as strategic partners to improve efficiency and oversee day-to-day IT activities. Examples of security support can consist of researching and identifying the right security solution for a business based on specific needs and requirements. Additionally, MSPs can implement and manage the solution by configuring security policies and responding to incidents on the SMBs behalf. This model allows more time for SMBs to focus on core business objectives while MSPs keep the business protected.

6. 80% intend to increase their cybersecurity spending, with data protection as top area of spend 

Given the heightened importance of security, 80% of SMBs intend to increase cybersecurity spending. Top motivators are protection from financial losses and safeguards for client and customer data. It’s no surprise that data protection comes in as the top investment area with 65% of SMBs saying that is where increased spending will be allocated, validating the need for additional security with the rise of AI. Other top areas of spending include firewall services, phishing protection, ransomware and device protection, access control, and identity management.  

How can SMBs approach this?

Prioritizing these investments in the areas above, SMBs can improve security posture and reduce the risk of cyberattacks. Solutions such as Data Loss Prevention (DLP) help identify suspicious activity and prevent sensitive data from leaving leaking outside of the business, Endpoint Detection and Response (EDR) help protect devices and defend against threats, and Identity and Access Management (IAM) help ensure only the right people get access to the right information.

7. 68% of SMBs consider secure data access a challenge for remote workers 

The transition to hybrid work models has brought new security challenges for SMBs, and these issues will continue as hybrid work becomes a permanent fixture. With 68% of SMBs employing remote or hybrid workers, ensuring secure access for remote employees is increasingly critical. A significant 75% of SMBs are concerned about data loss on personal devices. To safeguard sensitive information in a hybrid work setting, it is vital to implement device security and management solutions so employees can securely work from anywhere.  

How can SMBs approach this?

Implement measures to protect data and internet-connected devices that include installing software updates immediately, ensuring mobile applications are downloaded from legitimate app stores, and refraining from sharing credentials over email or text, and only doing so over the phone in real-time.

Next steps with Microsoft Security

• Read the full report to learn more about how security is continuing to play an important role for SMBs.

• Get the Be Cybersmart Kit to help educate everyone in your organization with cybersecurity awareness resources.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post ​​7 cybersecurity trends and tips for small and medium businesses to stay protected appeared first on Microsoft Security Blog.