Microsoft Defender for IoT News and Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/products/microsoft-defender-for-iot/

Exposed and vulnerable: Recent attacks highlight critical need to protect internet-exposed OT devices
http://approjects.co.za/?big=en-us/security/blog/2024/05/30/exposed-and-vulnerable-recent-attacks-highlight-critical-need-to-protect-internet-exposed-ot-devices/
Thu, 30 May 2024 17:00:00 +0000
Since late 2023, Microsoft has observed an increase in reports of attacks focusing on internet-exposed, poorly secured operational technology (OT) devices. Internet-exposed OT equipment in water and wastewater systems (WWS) in the US was targeted in multiple attacks over the past months by different nation-backed actors, including the IRGC-affiliated “CyberAv3ngers” in November 2023 and pro-Russian hacktivists in early 2024. These repeated attacks against OT devices emphasize the crucial need to improve the security posture of OT devices and prevent critical systems from becoming easy targets.

OT systems, which control real-world critical processes, present a significant target for cyberattacks. These systems are prevalent across various industries, from building heating, ventilation, and air conditioning (HVAC) systems, to water supply and power plants, providing control over vital parameters such as speed and temperature in industrial processes. A cyberattack on an OT system could transfer control over these critical parameters to attackers and enable malicious alteration that could result in malfunctions or even complete system outages, either programmatically via the programmable logic controller (PLC) or using the graphical controls of the human machine interface (HMI).

Adding to the potential damage of attacks on OT systems are their often-lacking security measures, which make OT attacks not only attractive for attackers but also relatively easy to execute. Many OT devices, notwithstanding common security guidelines, are directly connected to the internet, making them discoverable by attackers through internet scanning tools. Once discovered by attackers, poor security configurations, such as weak sign-in passwords or outdated software with known vulnerabilities, could be further exploited to obtain access to the devices.

The attractiveness of OT systems and attackers’ capabilities against systems with weak configurations were demonstrated in the Israel-Hamas war, which was accompanied by a spike in cyberattacks, including from OT-focused actors. Shortly after October 7, the Telegram channels of several such actors broadcasted their attacks against OT systems associated with Israeli companies. These publications were often accompanied by images of purportedly compromised systems, which the threat actors presented as alleged evidence for the attacks.

Microsoft’s analysis of multiple attacks by these actors revealed a common attack methodology: focusing on internet-exposed, poorly secured OT devices. This report illustrates this attack methodology using the high-profile case of the November 2023 attack against the Aliquippa water plant, for which CISA released an advisory in December 2023. CISA attributed the attack to the Islamic Revolutionary Guard Corps (IRGC)-affiliated actor “CyberAv3ngers”, tracked by Microsoft as Storm-0784. Microsoft assesses that the same methodology has been utilized by other OT-focused threat actors in multiple other attacks as well.

Figure 1. Sample images of victim systems as posted by actors on their Telegram channels

The attacks conducted by OT-focused actors were not limited to public sector facilities but also affected private companies in various countries. While the public sector has been implored to implement proper risk management and protection of OT systems, the diversity of target profiles illustrates that ensuring OT security in the private sector is equally crucial. Recommendations for organizations to protect against similar attacks and improve the security posture of their OT systems can be found at the end of this report.

Spike in activity of OT threat actors

Shortly after the outbreak of the Israel-Hamas war, Microsoft saw a rise in reports of attacker activity against OT systems with Israeli affiliation. This included activity by existing groups such as the IRGC-affiliated “CyberAv3ngers”, and the emergence of new groups such as the “CyberAv3ngers”-associated “Soldiers of Solomon”, and “Abnaa Al-Saada”, a cyber persona presenting itself as Yemeni. Microsoft tracks both “CyberAv3ngers” and its associated group “Soldiers of Solomon” as Storm-0784.

The systems targeted by these groups included both OT equipment deployed across different sectors in Israel, including PLCs and HMIs manufactured by large international vendors, as well as Israeli-sourced OT equipment deployed in other countries. The attacks were made public by the actors using their Telegram channels, on which they also posted images of the target systems to enhance purported credibility and present evidence for the attack.

Researching the threat actors in question, Microsoft has identified a typical target profile that attackers appeared to focus on: internet-exposed OT systems with poor security posture, potentially accompanied by weak passwords and known vulnerabilities.

The Aliquippa case: A high-profile OT attack

In late November 2023, the Aliquippa water plant was affected by a cyberattack that resulted in the outage of a pressure regulation pump on the municipal water supply line in Aliquippa, Pennsylvania. In addition to impairing functionality, the attack, which targeted a PLC-HMI system by Israeli manufacturer Unitronics, also defaced the device to display a red screen with the name and logo of the “CyberAv3ngers” actor. The US Department of Treasury sanctioned officials in the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) in relation to the attack.

Around the same time, multiple other attacks on Unitronics systems were reported across the industry in other parts of the world, with targeted equipment displaying the same message: “Every equipment ‘made in Israel’ is a Cyber Av3ngers legal target”.

Figure 2. A photo of the Aliquippa Unitronics PLC released to media by the Municipal Water Authority of Aliquippa. The top right corner displays the Cyber Av3ngers’ group logo. The bottom left corner discloses model number V570 (source: THE TIMES OF ISRAEL)

Microsoft analyzed the publicly available data on the Aliquippa incident to find the victim system and assess how it was compromised. Leveraging researchers’ intimate OT knowledge to interpret the limited details known to the public has enabled the identification of a specific machine that Microsoft believes to be the victim.

According to publicly accessible sources, the targeted system was exposed to the internet, and it suffered both defacement and the shutdown of the pump it controlled. Designated engines that map internet-connected devices and their associated services allowed Microsoft researchers to compile a list of internet-exposed Unitronics devices of the relevant model that also had a dedicated control port open. This configuration could potentially allow the device to be reprogrammed remotely, leading to the observed defacement and shutdown.

The analysis of contextual data narrowed the device profile list, identifying a specific system that could be the victim. This system was geographically situated near the Aliquippa station, with its PLC Name field set to “Raccoon Primary PLC”, consistent with the Aliquippa water station serving Potter and Raccoon townships, and also aligning with a photograph disseminated by the media, depicting a sign that reads “PRIMARY PLC” on the targeted system.

The data gathered throughout the research of the Aliquippa attack case highlights a trend: a common target profile of internet-exposed OT systems with a weak security posture that mirrors other attack cases.

Attacks representing a broader concerning trend

The CISA advisory that was released following the attacks in November 2023 described the profile of the targeted OT systems as being internet-exposed and having weak sign-in configurations. In May 2024, CISA released another advisory following the more recent attacks against the water sector, which showed that the victims had a similar profile. Again, OT systems that were left internet-exposed and had weak passwords were targeted by nation-backed attackers, this time pro-Russia hacktivists.

While attacks on high-profile targets, especially in the public sector, often receive significant media attention, it’s important to recognize that the private sector and individual users may also be impacted. Notably, the Aliquippa water plant was just one victim in a series of attacks on Unitronics by “CyberAv3ngers”, which also expanded to the private sector. Screenshots of affected systems with the same red screen and message have been posted by users on the Unitronics forum claiming their equipment was attacked, with similar reports also appearing on the social media platform X. Following the incidents, CVE-2023-6448 was assigned to the Unitronics default password configuration, and Unitronics issued a patch that requires users to fix the issue.

The common target profile for the attack cases analyzed reflects what attackers do to pick an easily accessible and appealing target in the first place. Attackers can, and do, obtain visibility on OT devices that are open to the internet using search engines, identify vulnerable models and open communication ports, and then use the contextual metadata to identify devices that are of special interest, such as ICS systems in water plants or other critical facilities. At that point, a weak password or an outdated system with an exploitable vulnerability is all that stands between them and remote access to the system.

The growing attention from attackers towards OT systems, observed across various sectors, is particularly concerning due to inadequate security practices on these systems. The Microsoft Digital Defense Report 2023 highlights that 78% of industrial network devices on customer networks monitored by Microsoft Defender for IoT have known vulnerabilities. Among these, 46% utilize deprecated firmware, for which patches are no longer available, while the remaining 32% operate outdated systems with unpatched vulnerabilities. For devices that are patched, many still use default passwords or have no passwords at all. Microsoft collects statistics on the prevalence of username and password pairs seen used in Microsoft’s sensor network, as was shared in the Microsoft Digital Defense Report 2022. Such outdated and vulnerable systems present attractive targets for future attacks, particularly when coupled with internet connectivity and default passwords. In the next sections, we share recommendations for improving the security posture of OT systems to help prevent attacks.

Figure 3. Statistics of vulnerable devices in customer industrial networks. Source: Microsoft Digital Defense Report October 2023

Mitigation and protection guidance

The analysis of the attack claims in question reveals diverse target profiles. It is therefore vital for organizations of all different sectors to ensure security hygiene for their OT systems to prevent similar threats.

  • Adopt a comprehensive IoT and OT security solution such as Microsoft Defender for IoT to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft Defender XDR.
  • Enable vulnerability assessments to identify unpatched devices in the organizational network and set workflows for initiating appropriate patch processes through  Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint with the Microsoft Defender for IoT add-on.
  • Reduce the attack surface by eliminating unnecessary internet connections to IoT devices and OT control systems. Verify that no OT system is directly connected to the internet, including through IoT routers or cellular bridges (LTE or 3G). Close unnecessary open ports and services on the equipment, eliminating remote access entirely when possible and restricting access behind a firewall or VPN when full elimination cannot be achieved.
  • Implement Zero Trust practices by applying network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion. OT devices and networks should be isolated from IT with firewalls. Extend vulnerability and exposure control beyond the firewall with Microsoft Defender External Attack Surface Management. Turn on attack surface reduction rules in Microsoft Defender for Endpoint to prevent common attack techniques such as those used by ransomware groups.

Microsoft Defender for IoT detections

Microsoft Defender for IoT provides detections for suspicious behaviors of OT and IoT devices. Alerts related to internet access and modification of PLC behavior will detect activity of this type, such as:

  • External address within the network communicated with Internet
  • Internet Access Detected
  • Unauthorized Internet Connectivity Detected
  • Unauthorized PLC Program Upload
  • Unauthorized PLC Programming

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

Investigating industrial control systems using Microsoft’s ICSpector open-source framework
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/investigating-industrial-control-systems-using-microsoft-s/ba-p/4120580
Thu, 25 Apr 2024 16:00:00 +0000

Microsoft released ICSpector as an open-source framework to help organizations secure their industrial control systems. The linked post gives details on how it works and why this solution is so critical given modern cybersecurity threats.

Multiple high severity vulnerabilities in CODESYS V3 SDK could lead to RCE or DoS
http://approjects.co.za/?big=en-us/security/blog/2023/08/10/multiple-high-severity-vulnerabilities-in-codesys-v3-sdk-could-lead-to-rce-or-dos/
Fri, 11 Aug 2023 00:00:00 +0000

Microsoft researchers identified multiple high-severity vulnerabilities in the CODESYS V3 SDK that could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution (RCE) and denial of service (DoS).

Microsoft’s cyberphysical system researchers recently identified multiple high-severity vulnerabilities in the CODESYS V3 software development kit (SDK), a software development environment widely used to program and engineer programmable logic controllers (PLCs). Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution (RCE) and denial of service (DoS). The discovery of these vulnerabilities highlights the critical importance of ensuring the security of industrial control systems and underscores the need for continuous monitoring and protection of these environments.

CODESYS is compatible with approximately 1,000 different device types from over 500 manufacturers, and several million devices use the solution to implement the international industrial standard IEC (International Electrotechnical Commission) 61131-3. A DoS attack against a device using a vulnerable version of CODESYS could enable threat actors to shut down a power plant, while remote code execution could create a backdoor on devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information. Exploiting the discovered vulnerabilities, however, requires user authentication, as well as deep knowledge of the proprietary protocol of CODESYS V3 and the structure of the different services that the protocol uses.

Microsoft researchers reported the discovery to CODESYS in September 2022 and worked closely with CODESYS to ensure that the vulnerabilities are patched. Information on the patch released by CODESYS to address these vulnerabilities can be found here: Security update for CODESYS Control V3. We strongly urge CODESYS users to apply these security updates as soon as possible. We also thank CODESYS for their collaboration and recognizing the urgency in addressing these vulnerabilities. 

Below is a list of the discovered vulnerabilities discussed in this blog (the Impact cell spans adjacent rows in the original table):

| CVE | CODESYS component | CVSS score | Impact |
|---|---|---|---|
| CVE-2022-47379 | CmpApp | 8.8 | DoS, RCE |
| CVE-2022-47380 | CmpApp | 8.8 | DoS, RCE |
| CVE-2022-47381 | CmpApp | 8.8 | DoS, RCE |
| CVE-2022-47382 | CmpTraceMgr | 8.8 | DoS, RCE |
| CVE-2022-47383 | CmpTraceMgr | 8.8 | DoS, RCE |
| CVE-2022-47384 | CmpTraceMgr | 8.8 | DoS, RCE |
| CVE-2022-47385 | CmpAppForce | 8.8 | DoS, RCE |
| CVE-2022-47386 | CmpTraceMgr | 8.8 | DoS, RCE |
| CVE-2022-47387 | CmpTraceMgr | 8.8 | DoS, RCE |
| CVE-2022-47388 | CmpTraceMgr | 8.8 | DoS, RCE |
| CVE-2022-47389 | CmpTraceMgr | 8.8 | DoS, RCE |
| CVE-2022-47390 | CmpTraceMgr | 8.8 | DoS, RCE |
| CVE-2022-47391 | CmpDevice | 7.5 | DoS |
| CVE-2022-47392 | CmpApp / CmpAppBP / CmpAppForce | 8.8 | DoS, RCE |
| CVE-2022-47393 | CmpFiletransfer | 8.8 | DoS, RCE |

In this blog, we provide an overview of the CODESYS V3 protocol structure, highlighting several key components, and describe the main issue that led to our discovery of the vulnerabilities. The full research and the results can be found in our report on GitHub. We also provide an open-source forensics tool to help users identify impacted devices, security recommendations for those affected, and detection information for potentially related threats.

CODESYS: A widely used PLC solution

CODESYS is a software development environment that provides automation specialists with tools for developing automated solutions. CODESYS is a platform-independent solution that helps device manufacturers implement the international industrial standard IEC 61131-3. The SDK also has management software that runs on Windows machines and a simulator for testing environments, allowing users to test their PLC systems before deployment. The proprietary protocols used by CODESYS run over either UDP or TCP for communication between the management software and the PLC.

CODESYS is widely used and can be found in several industries, including factory automation, energy automation, and process automation, among others. 

Figure 1. Heat map of CODESYS devices exposed to the internet, most of them in Europe (based on Microsoft Defender Threat Intelligence data)

Discovering the CODESYS vulnerabilities

The vulnerabilities were uncovered by Microsoft researchers while examining the security of the CODESYS V3 proprietary protocol as part of our goal to improve security standards and create forensic tools for OT devices. During this research, we examined the structure and security of the protocol, which is used by many types and vendors of PLCs. We examined the following two PLCs from different vendors that use CODESYS V3: Schneider Electric Modicon TM251 and WAGO PFC200.

Figure 2. The two examined PLCs: Schneider Electric Modicon TM251MESE (firmware V4.0.6.41, left) and WAGO PFC200 (firmware v03.10.08, right)

CODESYS V3 protocol

The CODESYS network protocol works over either TCP or UDP:

  • Ports 11740-11743 for TCP
  • Ports 1740-1743 for UDP

The CODESYS network protocol consists of four layers:

  1. Block driver layer: The layer that creates the capability to communicate over a physical or software interface, over TCP or UDP.
  2. Datagram layer: The layer that enables communication between components and endpoints through physical or virtual interfaces. 
  3. Channel layer: The layer that is responsible for creating, managing, and closing communications channels.
  4. Services layer: Represents a combination of several layers of the ISO/OSI model session layer, presentation layer, and application layer. It consists of components, each of which is responsible for a portion of functionality of the PLC and has services that it supports. Other tasks of the Services layer include encoding/decoding and encrypting/decrypting the data transmitted on that layer. Additionally, the Services layer is also responsible for tracking the client-server session. Each component is identified by a unique ID, such as:
| Component name | Component ID |
|---|---|
| CmpApp | 0x2 |
| CmpAlarmManager | 0x18 |
| CmpAppBP | 0x12 |
| CmpAppForce | 0x13 |
| CmpCodeMeter | 0x1D |

These components use the Tags layer for data transmission and encoding, which is transmitted over the Services layer.

There are two types of tags: parent and data. Both tags have identical structure but different sizes and purposes. The following table provides the basic structure of tags:

| Field | Parent tag size (bytes) | Data tag size (bytes) | Description |
|---|---|---|---|
| Tag ID | 2 | 1 | The tag ID. The value of the most significant bit determines the type of tag; for a parent tag, the most significant bit is set. |
| Tag size | 2 | 1 | The size of the data. |
| Tag data | (Tag size) | (Tag size) | The data of the tag. |

Tags can carry any type of data, which the receiving component extracts. The difference between a parent tag and a data tag is that a parent tag is used for linking several tags into one logical element.

Tag handling relies on several important structures, including BTagReader and BTagWriter, which include the following fields:

  • Data
  • Current position in data
  • Size of data

These structures are allocated for each request and exist only in the context of the request. Each request handler creates a BTagWriter and a BTagReader and uses them to parse and handle the request. Tag IDs are not unique across services, meaning each service may have its own definition for a tag ID; tag IDs are interpreted in the context of each service.

The following figure provides an example of a Tag layer and relevant fields.

Figure 3. Example of Tags layer fields

This example contains the following tags:

  • Tag1 – (TAG ID 0x01) 10 00 00 00
  • Tag2 – (TAG ID 0x23) Authentication method type
  • Tag3 – (TAG ID 0x81) Parent tag that contains two sub tags
  • Tag4 – (TAG ID 0x10) Username tag
  • Tag5 – (TAG ID 0x11) Hash of a password tag

CODESYS components

CODESYS consists of components and each component is responsible for a portion of functionality of the PLC. The following is a list of example components:

  • CmpAlarmManager – Manages alarm events, registers clients that receive events, etc.
  • CmpApp – Manages running applications and application event usage.
  • CmpAppBP – Manages breakpoints in IEC tasks.
  • CmpCodeMeter – Manages the CodeMeter license containers.
  • CmpCoreDump – Manages creating, reading, and printing core dumps to file.
  • CmpTraceMgr – Enables tracing of information inside the IEC tasks.

Each component includes a number of services that the client can ask to use. For example, CmpTraceMgr includes the following:

Each service is identified by a unique number for the specific component.

Tags layer vulnerability

A security issue was discovered inside the tag decoding mechanism that led to multiple vulnerabilities that could put devices at risk of attacks such as RCE and DoS.  

In order to understand the security issue, let’s analyze the service TraceMgrRecordAdd of the component CmpTraceMgr by examining the code that activates the relevant service.

Figure 4. CmpTraceMgr’s code that dispatches the requested service

The function TraceMgrRecordAddByTag appears to implement the TraceMgrRecordAdd service.

As displayed in Figure 5, the following code initializes a structure from the tags that are sent to the service.

Figure 5. TraceMgrRecordAddByTag’s piece of code

The following figure looks at the code for the TraceMgrAddNewRecordPartByTag method, which copies data from different tags into an output buffer.

Figure 6. TraceMgrAddNewRecordPartByTag’s piece of code

The whole tag is copied into the buffer without validating the size, causing buffer overflow.

Fifteen places in CODESYS V3 SDK were found with the same issue in different components that could lead to remote attackers gaining full control over the device.
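The following C program is an added example, not code from CODESYS or from Microsoft’s research. It ties together the Tags layer structure from the table above and the Figure 3 tag list with the copy defect just described: a parser for the simplified parent/data tag encoding, the unchecked copy pattern that the CVEs share, and a bounded replacement. Several details are assumptions that the post does not state and are labelled as such in the code: the most significant bit of a tag’s first byte selects a parent tag (2-byte ID, 2-byte size) versus a data tag (1-byte ID, 1-byte size); multi-byte fields are little-endian; and the packet bytes, the authentication-method value, the password hash and the 16-byte record buffer are constructed for illustration.

```c
/* Added example (not CODESYS or Microsoft code): a parser for the simplified
 * Tags-layer encoding described above, beside the unchecked copy behind the
 * CVEs and a bounded replacement. Assumptions not stated on the page: the MSB
 * of a tag's first byte selects parent (2-byte ID, 2-byte size) vs data
 * (1-byte ID, 1-byte size); multi-byte fields are little-endian; the packet
 * bytes, auth-method value, hash and 16-byte record buffer are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TAG_PARENT_FLAG 0x80u
#define RECORD_CAPACITY 16   /* hypothetical fixed-size output buffer */
#define MAX_TAGS 16

typedef struct { uint16_t id, size; const uint8_t *data; int is_parent; } tag_t;
typedef struct { uint8_t buf[RECORD_CAPACITY]; size_t used; } record_t;

/* Parses a tag stream into `out`; a parent tag is followed by its children.
 * Returns the tag count, or -1 if any declared size runs past the stream. */
int parse_tags(const uint8_t *buf, size_t len, tag_t *out, int max)
{
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        tag_t t;
        if (n >= max) return -1;
        if (buf[pos] & TAG_PARENT_FLAG) {            /* parent tag: 2+2 header */
            if (pos + 4 > len) return -1;
            t.id = (uint16_t)(buf[pos] | (buf[pos + 1] << 8));
            t.size = (uint16_t)(buf[pos + 2] | (buf[pos + 3] << 8));
            t.is_parent = 1;
            pos += 4;
        } else {                                     /* data tag: 1+1 header */
            if (pos + 2 > len) return -1;
            t.id = buf[pos];
            t.size = buf[pos + 1];
            t.is_parent = 0;
            pos += 2;
        }
        if (t.size > len - pos) return -1;           /* declared size vs remaining bytes */
        t.data = buf + pos;
        out[n++] = t;
        if (t.is_parent) {                           /* recurse into the children */
            int k = parse_tags(t.data, t.size, out + n, max - n);
            if (k < 0) return -1;
            n += k;
        }
        pos += t.size;
    }
    return n;
}

/* The pattern behind the CVEs: the attacker-controlled tag size drives memcpy
 * with no comparison against the destination's remaining space. */
void record_part_add_unchecked(record_t *r, const tag_t *t)
{
    memcpy(r->buf + r->used, t->data, t->size);      /* overflows if size > space */
    r->used += t->size;
}

/* Bounded version: reject before touching memory. 0 = stored, -1 = rejected. */
int record_part_add_checked(record_t *r, const tag_t *t)
{
    if (t->size > RECORD_CAPACITY - r->used) return -1;
    memcpy(r->buf + r->used, t->data, t->size);
    r->used += t->size;
    return 0;
}

/* Constructed sign-in style packet following the Figure 3 tag list. */
static const uint8_t SAMPLE_PACKET[] = {
    0x01, 0x04, 0x10, 0x00, 0x00, 0x00,              /* Tag1: ID 0x01 -> 10 00 00 00 */
    0x23, 0x01, 0x01,                                /* Tag2: ID 0x23 auth method (value assumed) */
    0x81, 0x00, 0x0D, 0x00,                          /* Tag3: parent, 13 bytes of children */
        0x10, 0x05, 'a', 'd', 'm', 'i', 'n',         /* Tag4: ID 0x10 username */
        0x11, 0x04, 0xDE, 0xAD, 0xBE, 0xEF,          /* Tag5: ID 0x11 password hash (constructed) */
};

static const tag_t *find_tag(const tag_t *tags, int n, uint16_t id)
{
    for (int i = 0; i < n; i++) if (tags[i].id == id) return &tags[i];
    return NULL;
}

/* Parses SAMPLE_PACKET and checks the parent tag and Tag4 username; returns
 * the tag count (5 expected) or -1 if parsing or either check fails. */
int sample_tag_count(void)
{
    tag_t tags[MAX_TAGS];
    int n = parse_tags(SAMPLE_PACKET, sizeof SAMPLE_PACKET, tags, MAX_TAGS);
    const tag_t *user = n > 0 ? find_tag(tags, n, 0x10) : NULL;
    if (n < 3 || tags[2].id != 0x81 || !tags[2].is_parent) return -1;
    if (!user || user->size != 5 || memcmp(user->data, "admin", 5) != 0) return -1;
    return n;
}

/* Cuts the packet after 20 bytes so Tag3's declared size overruns the stream. */
int truncated_stream_rejected(void)
{
    tag_t tags[MAX_TAGS];
    return parse_tags(SAMPLE_PACKET, 20, tags, MAX_TAGS) == -1;
}

/* Returns 1 when the bounded handler rejects a 64-byte tag and stores a 4-byte one. */
int oversized_tag_rejected(void)
{
    static const uint8_t big[64] = {0};
    tag_t huge = { 0x11, 64, big, 0 }, small = { 0x11, 4, big, 0 };
    record_t r = { {0}, 0 };
    return record_part_add_checked(&r, &huge) == -1 &&
           record_part_add_checked(&r, &small) == 0 && r.used == 4;
}

int main(void)
{
    record_t r = { {0}, 0 };
    tag_t ok = { 0x11, 4, SAMPLE_PACKET + 22, 0 };   /* the 4-byte hash tag, in bounds */
    record_part_add_unchecked(&r, &ok);              /* identical to the checked path here */
    printf("tags parsed: %d, truncated rejected: %d, oversized rejected: %d, unchecked used: %zu\n",
           sample_tag_count(), truncated_stream_rejected(), oversized_tag_rejected(), r.used);
    return 0;
}
```

The two handlers behave identically for a well-formed tag, which is why the defect survives functional testing; only the checked version compares the declared tag size against the space left in the record before calling memcpy, and the parser applies the same discipline one layer down by refusing any tag whose declared size runs past the end of the stream.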

Exploitation approach

We were able to use 12 of the buffer overflow vulnerabilities to gain RCE on the PLCs. Exploiting the vulnerabilities requires user authentication as well as bypassing the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) used by both PLCs. To overcome the user authentication, we used a known vulnerability, CVE-2019-9013, which allowed us to perform a replay attack against the PLC using the username and password hash sent unprotected during the sign-in process, bypassing the user authentication process.

IEC tasks

IEC tasks are the execution unit of the CODESYS runtime, the equivalent of a thread in an operating system. A single component can have more than one task and will have at least one IEC task. The tasks are managed by the CODESYS runtime.

Each IEC task has a memory segment with read, write, and execute permissions. If a threat actor writes code there, it could be run without the data execution prevention mitigation being applied.

The IEC task segment is also where the stack is defined, meaning we don’t need to handle DEP.

Since the IEC tasks are part of the CODESYS code, they are present on all PLCs of all vendors that utilize CODESYS.

Full exploit

By looking for gadgets, we can bypass the ASLR. In the examples below, we can see part of the gadgets that we used in our exploit.

Figure 7. Searching for gadgets, including those used in the exploit – Schneider Electric TM251MESE

The complete exploit steps:

  1. Steal credentials with CVE-2019-9013.
  2. Create a new channel for the attack.
  3. Sign-in to the device with the stolen credentials.
  4. Exploit the vulnerabilities with a malicious packet that triggers buffer overflow.
  5. Gain full control of the device.

We were able to exploit the two PLCs that we researched.

Critical importance of ICS security 

With CODESYS being used by many vendors, one vulnerability may affect many sectors, device types, and verticals, let alone multiple vulnerabilities. All the vulnerabilities can lead to DoS, and 12 were used to achieve RCE. While exploiting the discovered vulnerabilities requires deep knowledge of the proprietary protocol of CODESYS V3 as well as user authentication (and additional permissions are required for an account to have control of the PLC), a successful attack has the potential to inflict great damage on targets. Threat actors could launch a DoS attack against a device using a vulnerable version of CODESYS to shut down industrial operations or exploit the RCE vulnerabilities to deploy a backdoor to steal sensitive data, tamper with operations, or force a PLC to operate in a dangerous way.

Mitigation and protection guidance

CODESYS V3 versions prior to 3.5.19.0 are affected by the discovered vulnerabilities. It is recommended to first identify the devices using CODESYS in your network and check with device manufacturers to determine which version of the CODESYS SDK is used and whether a patch is available. It is also recommended to update the device firmware to a version that ships CODESYS 3.5.19.0 or above.

General recommendations: 

  • Apply patches to affected devices in your network. Check with the device manufacturers for available patches and update the device firmware to a version that ships CODESYS 3.5.19.0 or above.
  • Make sure all critical devices, such as PLCs, routers, PCs, etc., are disconnected from the internet and segmented, regardless of whether they run CODESYS.  
  • Limit access to CODESYS devices to authorized components only. 
  • Because the CVEs still require a username and password, if prioritizing patching is difficult, reduce risk by ensuring proper segmentation, requiring unique usernames and passwords, and reducing the number of users with write permissions.

To assist with identifying impacted devices, the cyberphysical systems research team has released an open-source software tool on GitHub that allows users to communicate with devices in their environment that run CODESYS and extract the version of CODESYS on their devices in a safe manner to confirm if their devices are vulnerable. In addition, the cyberphysical system research team also released a tool for performing a forensics investigation on CODESYS V3 devices as part of its arsenal of open-source tools available on GitHub.

Microsoft 365 Defender detections 

Microsoft 365 Defender is becoming Microsoft Defender XDR.

Microsoft Defender for IoT 

Microsoft Defender for IoT with all versions of the sensor and TI package after April 2023 provides the following protections against these vulnerabilities and associated exploits and other malicious behavior:  

  • Defender for IoT detects and classifies devices that use CODESYS.  
  • Defender for IoT raises alerts on unauthorized access to devices using CODESYS, and abnormal behavior in these devices.  
  • Defender for IoT raises alerts if a threat actor attempts to exploit these vulnerabilities. Alert type: “Suspicion of Malicious Activity”

Microsoft Defender Threat Intelligence 

Microsoft Defender Threat Intelligence shows devices running CODESYS that are exposed to the internet by searching for “CODESYS” components on IPs.  

Vladimir Tokarev

Microsoft Threat Intelligence Community

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

Adopting guidance from the US National Cybersecurity Strategy to secure the Internet of Things http://approjects.co.za/?big=en-us/security/blog/2023/08/07/adopting-guidance-from-the-us-national-cybersecurity-strategy-to-secure-the-internet-of-things/ Mon, 07 Aug 2023 16:00:00 +0000 Microsoft is invested in helping partners create Internet of Things solutions with strong security products that support the March 2023 United States National Cybersecurity Strategy.

The recently published United States National Cybersecurity Strategy warns that many popular Internet of Things (IoT) devices are not sufficiently secure to protect against many of today’s common cybersecurity threats.[1] The strategy also cautions that many of these IoT devices are difficult—or, in some cases, impossible—to patch or upgrade. A key development occurred on July 18, 2023, at the White House with the announcement of a US cybersecurity labeling program for smart devices to inform consumers in choosing products that are less vulnerable to cyberattacks.[2] This labeling program requires manufacturers to take responsibility for the security of devices, not just when they are shipped, but over their lifetime with security updates. Microsoft has a long history of building secured platforms which can provide the basis for manufacturers to create products that achieve the requirements of the cybersecurity labeling program, including Windows IoT, Azure Sphere, and Edge Secured-Core.

Microsoft’s IoT security commitments 

While customers are familiar with our approach to Windows PC and server security, many are unaware that Microsoft has taken similar steps to strengthen the security of business-critical systems and the networks that enclose them, including vulnerable and unmanaged IoT and OT endpoints. Microsoft often detects a wide range of threats targeting IoT devices, including sophisticated malware that enables attackers to target compromised devices using botnets[3] or compromised routers,[4] and a malicious form of cryptomining called cryptojacking.[5] This blog post details Microsoft’s efforts to help partners create IoT solutions with strong security, thereby supporting initiatives outlined in the new National Cybersecurity Strategy and other US Cybersecurity and Infrastructure Security Agency (CISA) initiatives.

Developing and deploying software products that are secure by design and default is both a challenging and costly endeavor. According to recent guidance from CISA, Secure-by-Design requires significant resources to incorporate security functions at each layer of the product development process.[6] To maximize effectiveness, this approach needs to be integrated into a product’s design from the onset and cannot always be “bolted on” later.

Security by design and default is an enduring priority at Microsoft. In 2021, we committed to investing USD100 billion to advance our security solutions over five years (approximately USD20 billion per year) and today we employ more than 8,000 security professionals.[7] One result of these investments is Windows 11, our most secure version of Windows yet. At Microsoft, we have a great deal of experience around security by design and default and have strived to implement best practices into our products and programs to assist partners who combine hardware, innovative functionality, online services, and operating systems (OS) to produce and maintain IoT solutions with robust security.

Applying Zero Trust to IoT

Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to “never trust, always verify.” A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy.

Microsoft advocates for a Zero Trust approach to IoT security, based on the principle of verifying everything and trusting nothing (see Seven Properties of Highly Secure Devices). Zero Trust is also aligned with the new directives in the US National Cybersecurity Strategy and the requirements of the new US cybersecurity labeling program.

A traditional network security model often doesn’t meet the security or user experience needs of modern organizations, including those that have embraced IoT in their digital transformation strategy. User and device interactions with corporate resources and services now often bypass on-premises, perimeter-based defenses. Organizations need a comprehensive security model that more effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects their people, devices, applications, and data wherever they are.

To optimize security and minimize risk for IoT devices, a Zero Trust approach requires:

  1. Secure identity with Zero Trust: Identities—whether they represent people, services, or IoT devices—define the Zero Trust control plane. When an identity attempts to access a resource, verify that identity with strong authentication, and ensure access is compliant and typical for that identity. Follow least privilege access principles.
  2. Secure endpoints with Zero Trust: Once an identity has been granted access to a resource, data can flow to a variety of different endpoints—from IoT devices to smartphones, bring-your-own-device (BYOD) to partner-managed devices, and on-premises workloads to cloud-hosted servers. This diversity creates a massive attack surface area. Monitor and enforce device health and compliance for secure access.
  3. Secure applications with Zero Trust: Applications and APIs provide the interface by which data is consumed. They may be legacy on-premises, lifted and shifted to cloud workloads, or modern software as a service (SaaS) applications. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, control user actions, and validate secure configuration options.
  4. Secure data with Zero Trust: Ultimately, security teams are protecting data. Where possible, data should remain safe even if it leaves the devices, apps, infrastructure, and networks the organization controls. Classify, label, and encrypt data, and restrict access based on those attributes.
  5. Secure infrastructure with Zero Trust: Infrastructure—whether on-premises servers, cloud-based virtual machines, containers, or micro-services—represents a critical threat vector. Assess for version, configuration, and just-in-time access to harden defense. Use telemetry to detect attacks and anomalies, automatically block and flag risky behavior, and take protective actions.
  6. Secure networks with Zero Trust: All data is ultimately accessed over network infrastructure. Networking controls can provide critical controls to enhance visibility and help prevent attackers from moving laterally across the network. Segment networks (and apply deeper in-network micro-segmentation) and deploy real-time threat protection, end-to-end encryption, monitoring, and analytics.
  7. Visibility, automation, and orchestration with Zero Trust: In our Zero Trust guides, we define the approach to implement an end-to-end Zero Trust methodology across identities, endpoints and devices, data, apps, infrastructure, and networks. These activities increase your visibility, which gives you better data for making trust decisions. With each of these individual areas generating their own relevant alerts, we need an integrated capability to manage the resulting influx of data to better defend against threats and validate trust in a transaction.

Microsoft’s Edge Secured-Core program

At Microsoft, we understand Secure-by-Design and Secure-by-Default are difficult to build and even more challenging to get right. To simplify this process, we created Edge Secured-Core, a Microsoft device certification program that codifies and operationalizes security tenets such as secure by default and Zero Trust into a clear set of requirements. Edge Secured-Core also provides tooling and assistance to our device ecosystem partners to help them build devices that meet these security requirements. We have further customized those requirements for various platforms that manufacturers use to build devices, including Microsoft-provided operating systems Windows IoT and Microsoft Azure Sphere, and ecosystem-provided operating systems based on Linux. Edge Secured-Core devices from partners including Intel, AAEON, Lenovo, and Asus can be found in the Azure Certified Device Catalog today.

Windows IoT

Windows IoT is a platform that leverages our long history and investment in Windows security to enable more secure and reliable IoT solutions. Whether you are building devices for industrial, healthcare, retail, or other scenarios, Windows IoT provides key capabilities to protect your devices and data from the many prevalent threats in today’s digital landscape.

Windows IoT capabilities include:

  • BitLocker, which encrypts the data stored on the device to prevent unauthorized access.
  • Secure Boot, which verifies the integrity of the boot process and prevents malicious code from running.
  • Code integrity, which verifies the integrity of operating system files when loaded and enforces device manufacturer policies that dictate the drivers and applications that can be loaded on the device.
  • Exploit mitigations, which automatically apply several exploit mitigation techniques to operating system processes and apps (examples include kernel pool protection, data execution prevention, and address space layout randomization).
  • Device attestation, which proves the identity and health of the device to cloud services.

Windows IoT also offers end-to-end management and updates using the trusted Windows infrastructure, ensuring consistent and timely delivery of security patches and feature enhancements. Some versions of Windows IoT support a 10-year servicing term, allowing partners to receive updates and maintain application compatibility, reducing the risk of obsolescence and vulnerability. 

Another benefit of Windows IoT is the flexibility to run containerized workflows, including Linux, on the same device. This allows partners to use existing skills and tools, thereby optimizing performance and resource utilization. Containers provide isolation and portability, enhancing the security and reliability of applications.

Defending against threats with Microsoft Azure Sphere

Microsoft Azure Sphere is a fully managed, integrated hardware, operating system, and cloud platform solution for medium- and low-power IoT devices. It offers a comprehensive approach to secure IoT devices from chip to cloud. 

Azure Sphere devices combine a low-power Arm Cortex-A processor running a custom Linux-based operating system serviced by Microsoft with Arm Cortex-M processors for real-time processing and control. Device manufacturers can develop, deploy, and update their applications, while Microsoft independently provides operating system security updates and device monitoring. Additionally, Azure Sphere devices embed the Microsoft Pluton security architecture, providing a hardware-based root of trust and cryptographic engine. Pluton protects the device identity, keys, and firmware from physical and software attacks and enables secure boot and remote attestation. 

Azure Sphere provides defense in depth by employing multiple layers of protection, such as secure boot, kernel hardening, and a per-application network firewall, to mitigate the impact of potential vulnerabilities. Azure Sphere devices communicate with a dedicated cloud service, the Azure Sphere Security Service, which attests that the device is running expected and up-to-date software, performs both operating system and application updates, provides error reporting, and retrieves a Microsoft-signed certificate that is renewed daily.

Similar to Windows IoT, Azure Sphere also offers a 10-year term for security fixes and operating system updates for all devices, as well as an application compatibility promise that ensures existing applications will continue to run on future operating system versions. Also, supporting CISA’s secure-by-design recommendations, Azure Sphere has started enabling embedded development using Rust, a programming language designed to improve memory safety and reduce mistakes during development.[8]

Enhancing security on Linux devices

While Microsoft directly provides operating system updates for Windows IoT and Azure Sphere, Edge Secured-Core provides a way of ensuring that the same secure-by-design and secure-by-default tenets apply to devices that use ecosystem-provided distributions of the Linux OS. We collaborate with Linux partner companies to ensure their distributions meet security requirements such as committing to security updates for at least five years and building in support for Secure Boot. Microsoft incorporates security checks when onboarding operating system partners and performs ongoing monitoring using Microsoft security agents on these devices, thus providing confidence to customers.

Secure your IoT devices with Microsoft Defender for IoT

Alongside consumers, organizations are investing in automation and smart technology to streamline operations; cyber-physical systems, once completely isolated from the network, are now converging with mainstream IT infrastructure. Microsoft Defender for IoT is a security solution that enables organizations to implement Zero Trust principles across enterprise IoT and OT devices to minimize risk and protect these mission-critical systems from threats as their attack surface expands.[9]

Defender for IoT empowers analysts to discover, manage, and secure enterprise IoT and OT devices in their environment. With network layer monitoring, analysts get a full view of their IoT and OT device estate as well as valuable insights into device-specific details and behaviors. These insights in tandem with generated alerts help analysts protect their environment by easily identifying and prioritizing risks like unpatched systems, vulnerabilities, and anomalous behavior all from a centralized user experience.

Support for the broader IoT ecosystem

Beyond these core platforms, Microsoft provides additional programs and services to enable partners to create more secure IoT devices. For example, due to the wide range of possible configurations and hardware platforms, operating systems such as Azure RTOS place the responsibility of security more heavily on the device manufacturer. SDKs and services like Device Update for Microsoft Azure IoT Hub allow partners to add support for over-the-air software updates to their products.

Microsoft Security supports the US National Cybersecurity Strategy

Microsoft remains committed to supporting the US National Cybersecurity Strategy and helping partners effectively deliver and maintain more secure IoT solutions using powerful technology, tools, and programs designed to improve security outcomes. It is vitally important that partners focus on IoT security by prioritizing security through smart design and development practices and carefully selecting platforms and security defaults that are as secure as possible, to lower the cost of maintaining the security of products.

Learn more

Learn more about Microsoft Defender for IoT.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] United States National Cybersecurity Strategy, The White House. March 2023.

[2] Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers, The White House. July 13, 2023.

[3] Microsoft research uncovers new Zerobot capabilities, Microsoft Threat Intelligence. December 21, 2022.

[4] Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure, Microsoft Threat Intelligence. March 16, 2022.

[5] IoT devices and Linux-based systems targeted by OpenSSH trojan campaign, Microsoft Threat Intelligence. June 23, 2023.

[6] Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, CISA. April 13, 2023.

[7] Satya Nadella on Twitter. August 25, 2021.

[8] Modernizing embedded development on Azure Sphere with Rust, Akshatha Udayashankar. January 11, 2023.

[9] Learn how Microsoft strengthens IoT and OT security with Zero Trust, Michal Braverman-Blumenstyk. November 8, 2021.

IoT devices and Linux-based systems targeted by OpenSSH trojan campaign
http://approjects.co.za/?big=en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/
Thu, 22 Jun 2023 16:00:00 +0000

Microsoft has uncovered an attack leveraging custom and open-source tools to target internet-facing IoT devices and Linux-based systems. The attack involves deploying a patched version of OpenSSH on affected devices to allow root login and the hijack of SSH credentials.

Cryptojacking, the illicit use of computing resources to mine cryptocurrency, has become increasingly prevalent in recent years, with attackers building a cybercriminal economy around attack tools, infrastructure, and services to generate revenue from targeting a wide range of vulnerable systems, including Internet of Things (IoT) devices. Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware.

Utilizing an established criminal infrastructure that has incorporated the use of a Southeast Asian financial institution’s subdomain as a command and control (C2) server, the threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations. The backdoor also installs a patched version of OpenSSH on affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections. The complexity and scope of this attack are indicative of the efforts attackers make to evade detection.

In this blog post, we present our analysis of the tools and techniques used in this attack and the efforts made by the threat actor to evade detection on affected devices. We also provide indicators of compromise and relevant Microsoft Defender for IoT and Microsoft Defender for Endpoint detections, as well as recommendations for defenders to protect devices and networks.

Attack chain

The threat actors initiate the attack by attempting to brute force various credentials on misconfigured internet-facing Linux devices. Upon compromising a target device, they disable shell history and retrieve a compromised OpenSSH archive named openssh-8.0p1.tgz from a remote server. The archive contains benign OpenSSH source code alongside several malicious files: the shell script inst.sh, backdoor binaries for multiple architectures (x86-64, arm4l, arm5l, i568, and i686), and an archive containing the shell script vars.sh, which holds embedded files for the backdoor’s operation.

After installing the payload, the shell script inst.sh runs a backdoor binary that matches the target device’s architecture. The backdoor is a shell script compiled using an open-source project called Shell Script Compiler (shc), and enables the threat actors to perform subsequent malicious activities and deploy additional tools on affected systems.

Figure 1. OpenSSH trojan attack chain: the threat actor gains access to routers through a brute force attack, then downloads multiple malicious files that enable the actor to steal SSH credentials and launch commands through IRC.

Custom backdoor deploys open-source rootkits

Once running on a device, the shell script backdoor tests access to /proc to determine whether the device is a honeypot. If it can’t access /proc, it determines the device is a honeypot and exits. Otherwise, it exfiltrates information about the device, including its operating system version, network configuration, and the contents of /etc/passwd and /etc/shadow over email to the hardcoded address dotsysadmin[@]protonmail[.]com, and to any email address provided by the threat actor as an argument to the script.

On supported systems, the backdoor downloads, compiles, and installs two open-source rootkits available on GitHub, Diamorphine and Reptile. The backdoor configures Reptile to connect to the C2 domain rsh.sys-stat[.]download on port 4444 and to hide its child processes, files, or their content. Microsoft researchers assess that the Diamorphine rootkit is used to hide processes as well.

Figure 2. Malware code that hides files: any content in a file that appears between __R_TAG, which is defined as “ubiqsys”, will be hidden.

To ensure persistent SSH access to the device, the backdoor appends two public keys to the authorized_keys configuration files of all users on the system.

Figure 3. Malware code adding SSH keys to all users to preserve the threat actor’s SSH access.

The backdoor obscures its activity by removing records from Apache, nginx, httpd, and system logs that contain the IP and username specified as arguments to the script. Additionally, it has the capability to install an open-source utility called logtamper to clear the utmp and wtmp logs, which record information about user sign-in sessions and system events.

The backdoor eliminates cryptomining competition from other miners that may exist on the device by monopolizing device resources and preventing communication with a hardcoded list of hosts and IPs related to these activities. It accomplishes this by adding iptables rules to drop communication with the hosts and IPs and configuring /etc/hosts to make the hosts resolve to the localhost address. It also identifies miner processes and files by their names and either terminates them or blocks access to them, and removes SSH access configured in authorized_keys by other adversaries.

Patching OpenSSH source code

The backdoor uses the Linux patch utility to apply the patch file ss.patch, which is embedded in vars.sh, to the OpenSSH source code files included in its package. Once the patches are applied, the backdoor compiles and installs the modified OpenSSH on the device.

The compromised OpenSSH grants the attackers persistent access to the device and to the SSH credentials the device handles. The patches install hooks that intercept the passwords and keys of the device’s SSH connections, whether as a client or a server. The passwords and keys are then stored encrypted in a file on the disk. Moreover, the patches enable root login over SSH and conceal the intruder’s presence by suppressing the logging of the threat actors’ SSH sessions, which are distinguished by a special password.

The modified version of OpenSSH mimics the appearance and behavior of a legitimate OpenSSH server and may thus pose a greater challenge for detection than other malicious files. The patched OpenSSH could also enable the threat actors to access and compromise additional devices. This type of attack demonstrates the techniques and persistence of adversaries who seek to infiltrate and control exposed devices.

Figure 4. OpenSSH patch (ss.patch) that saves incoming SSH passwords.

Botnet operation

The backdoor runs a secondary payload embedded in the shell script vars.sh, which is a slightly modified version of ZiggyStarTux, an open-source IRC bot based on the Kaiten malware. Among its features is executing bash commands issued from the C2 and possessing distributed denial of service (DDoS) capabilities.

The backdoor employs various mechanisms to set up ZiggyStarTux’s persistence on compromised systems. It copies the ZiggyStarTux binary to several locations on the disk and establishes cron jobs to invoke it at regular intervals. Moreover, it runs a bash script that registers ZiggyStarTux as a systemd service by creating and configuring the service file /etc/systemd/system/network-check.service.

Figure 5. Malware code registering ZiggyStarTux as a systemd service.

Analysis of ZiggyStarTux revealed that the threat actors stripped the binary of logging-related strings and incorporated a function that writes the bot’s process ID to /var/run/sys_checker.pid, allowing the backdoor to read that file and conceal that process ID using the installed rootkits.
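The persistence and anti-forensics artifacts described above (a foreign key appended to every user’s authorized_keys, the network-check.service unit, the sys_checker.pid file, /etc/hosts entries that pin rival-miner hosts to localhost, and root login enabled in the patched sshd) can be checked offline against a mounted disk image. The following is an added example, not Microsoft’s or the post’s own tooling; the allowlist, key blobs, passwd entries, fixture contents and the rival-miner hostname are constructed, and the triage logic is an assumption about what a responder would look for.

```python
"""Offline triage for the host artifacts described in the post.

Added example, not Microsoft's or the post's own tooling. Given a filesystem
root (a mounted image or the constructed fixture below) it reports keys in any
user's authorized_keys outside an allowlist, the two persistence paths named in
the analysis, /etc/hosts names pinned to loopback, and PermitRootLogin yes.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Paths quoted in the analysis; the remaining names and values are assumptions.
SUSPECT_PATHS = ("etc/systemd/system/network-check.service", "var/run/sys_checker.pid")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def _read(path: Path) -> str:
    try:
        return path.read_text(errors="replace")
    except OSError:
        return ""

def _homes(root: Path):
    """(user, home) pairs from /etc/passwd; the backdoor touched every user."""
    for line in _read(root / "etc/passwd").splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[5]:
            yield f[0], root / f[5].lstrip("/")

def foreign_keys(root: Path, allowlist: set[str]) -> list[str]:
    """'user:type blob' for every authorized_keys entry whose blob is not allowlisted."""
    hits = []
    for user, home in _homes(root):
        for line in _read(home / ".ssh/authorized_keys").splitlines():
            f = line.split()
            if not f or f[0].startswith("#"):
                continue
            # Entry is [options] key-type base64-blob [comment]; find the type token.
            i = next((k for k, t in enumerate(f) if t.startswith(KEY_TYPES)), None)
            if i is not None and i + 1 < len(f) and f[i + 1] not in allowlist:
                hits.append(f"{user}:{f[i]} {f[i + 1]}")
    return hits

def hosts_pinned_to_loopback(root: Path) -> list[str]:
    """Names /etc/hosts resolves to loopback, the trick used to starve rival miners."""
    hits = []
    for line in _read(root / "etc/hosts").splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 2 and f[0] in LOOPBACK:
            hits += [n for n in f[1:] if not n.startswith(("localhost", "ip6-"))]
    return hits

def root_login_setting(root: Path) -> str | None:
    """First top-level PermitRootLogin value (sshd uses the first one); None if unset."""
    for line in _read(root / "etc/ssh/sshd_config").splitlines():
        f = line.split("#", 1)[0].split()
        if f and f[0].lower() == "match":
            break
        if len(f) >= 2 and f[0].lower() == "permitrootlogin":
            return f[1].lower()
    return None

def triage(root: Path, allowlist: set[str]) -> dict[str, list[str]]:
    return {
        "foreign_keys": foreign_keys(root, allowlist),
        "hosts_pinned": hosts_pinned_to_loopback(root),
        "persistence": [p for p in SUSPECT_PATHS if (root / p).exists()],
        "root_login": ["PermitRootLogin yes"] if root_login_setting(root) == "yes" else [],
    }

def build_constructed_fixture(root: Path) -> None:
    """Write a constructed (not real) compromised-looking tree; all values are made up."""
    for d in ("etc/systemd/system", "var/run", "etc/ssh", "root/.ssh", "home/ops/.ssh"):
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / "etc/passwd").write_text(
        "root:x:0:0:root:/root:/bin/bash\nops:x:1000:1000::/home/ops:/bin/bash\n")
    for home in ("root", "home/ops"):  # the same foreign key appended for every user
        (root / home / ".ssh/authorized_keys").write_text(
            "ssh-ed25519 AAAAC3LEGITKEY0000 ops@laptop\n"
            "ssh-rsa AAAAB3INTRUDERKEY1111 user@host\n")
    for p in SUSPECT_PATHS:
        (root / p).write_text("placeholder\n")
    (root / "etc/hosts").write_text(
        "127.0.0.1 localhost\n::1 localhost ip6-localhost ip6-loopback\n"
        "127.0.0.1 pool.rival-miner.invalid\n")
    (root / "etc/ssh/sshd_config").write_text("Port 22\nPermitRootLogin yes\n")

def run_demo() -> dict[str, list[str]]:
    """Build the fixture in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_fixture(root)
        return triage(root, allowlist={"AAAAC3LEGITKEY0000"})

if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(f"{kind}: {items or 'none'}")
```

Point `triage()` at the mount point of an image (for example `Path("/mnt/evidence")`) with your own allowlist of known key blobs; the persistence paths are only those named in the post, so extend `SUSPECT_PATHS` with your environment’s baseline.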

The ZiggyStarTux bots communicate with the C2 via an IRC server hosted on various domains and IPs located in different geographical regions. Evidence indicates that the threat actors disguise their traffic by utilizing the subdomain of a Southeast Asian financial institution that is hosted on one of their own servers.

To receive commands, the ZiggyStarTux bots connect to the IRC server and join a hidden password-protected channel named ##..##. The server was observed issuing bash commands that instruct bots to download and launch two shell scripts from a remote server. The first script, lscan, retrieves lssh.tgz from the server, an archive of scripts that scan each IP in the subnet for SSH access using a password list. The scripts record the results of each connection attempt in a log file.

The second script, zaz, fetches the compromised OpenSSH package with the embedded backdoor from the remote server. The installation is carried out using the email address ancientgh0st@yahoo[.]com as an argument to serve as an additional exfiltration point for device information. Additionally, zaz retrieves an archive called hive-start.tgz which contains mining malware crafted for Hiveon OS systems, a Linux-based open-source operating system designed for cryptomining.

Indications of criminal cooperation

Microsoft researchers have traced the campaign to a user named asterzeu on the hacking forum cardingforum[.]cx, who offered multiple tools for sale on the platform, including an SSH backdoor. The domain madagent[.]tm was registered in 2015 with an email address matching the username and shared numerous servers over a four-year period with madagent[.]cc, one of the C2 domains of ZiggyStarTux. Furthermore, the distribution of the shell script backdoor between threat actors has been identified, adding to the evidence of a network of tools and infrastructure shared or sold on the malware-as-a-service market.

Figure 6. Post on hacking forum where malicious tools are being sold by the user “asterzeu”

Mitigation and protection guidance

Microsoft recommends the following steps to protect devices and networks against this threat:

  • Harden internet-facing devices against attacks
    • Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.
    • Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.
    • Use least-privilege access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.
    • When possible, update OpenSSH to the latest version.
  • Adopt a comprehensive IoT security solution such as Microsoft Defender for IoT to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.
  • Use security solutions with cross-domain visibility and detection capabilities like Microsoft 365 Defender, which provides integrated defense across endpoints, identities, email, applications, and data.

Detections

Microsoft Defender for IoT

Microsoft Defender for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the use of open-source tools and exploits that may be tied to this attack.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

  • Trojan:Linux/SamDust!MTB
  • Trojan:Linux/SamDust.D!MTB
  • Trojan:Linux/SamDust.B!MTB
  • Trojan:Linux/SamDust.A!MTB
  • Trojan:Linux/SamDust.N!MTB
  • Trojan:Linux/Reptile.A
  • Trojan:Linux/Reptile.B
  • Trojan:Linux/Reptile.C
  • Trojan:Linux/Reptile.D
  • Trojan:Linux/Diamorphine.A!MTB

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

  • Unusual number of failed sign-in attempts

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

  • Suspicious file property modification occurred
  • Suspicious termination of security tool
  • Suspicious service launched
  • Suspicious Linux service created
  • File masquerading

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

In addition, customers can use the SSH Brute force detection template in the Syslog solution package to monitor for brute force attempts against their exposed SSH endpoints.
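The brute-force pattern that opens this attack chain can also be detected offline over raw sshd syslog lines from devices that do not forward to Sentinel. The following is an added example, not the Sentinel template or Microsoft’s code; the auth.log lines, the host name iot-gw and the TEST-NET addresses are constructed, and the threshold and window sizes are assumptions.

```python
"""Sliding-window SSH brute-force detector over syslog sshd lines.

Added example, not the Sentinel template or any Microsoft code. It counts
"Failed password" events per source address inside a time window, flags
sources that reach a threshold, and records the first later successful login
from a flagged source, which is the trace this campaign's initial access leaves.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Traditional syslog sshd lines carry no year; the caller supplies it.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<ev>Failed password|Accepted (?:password|publickey)) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse(line, year=2023):
    """Return (timestamp, event, user, ip) for an sshd auth line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ev"], m["user"], m["ip"]

def detect(lines, threshold=5, window_s=60, year=2023):
    """Map each flagged source ip to its first failure time, peak failures inside
    the window, user names tried, and the first later successful login (or None)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)      # ip -> user names attempted
    alerts = {}
    for line in lines:
        rec = parse(line, year)
        if rec is None:
            continue
        ts, ev, user, ip = rec
        if ev == "Failed password":
            q = recent[ip]
            q.append(ts)
            tried[ip].add(user)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"first_seen": q[0], "failures": 0,
                                           "users": set(), "success": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"] |= tried[ip]
        elif ip in alerts and alerts[ip]["success"] is None:
            # A success right after a burst of failures is the high-signal event.
            alerts[ip]["success"] = (ts, user)
    return alerts

def _constructed_lines():
    """Constructed auth.log excerpt (not real telemetry; TEST-NET addresses)."""
    lines = ["Jun 22 03:14:00 iot-gw sshd[801]: Failed password for pi "
             "from 198.51.100.4 port 40000 ssh2"]
    for i, user in enumerate(["root", "admin", "admin", "root", "support", "root"]):
        tag = "" if user == "root" else "invalid user "
        lines.append(f"Jun 22 03:14:{10 + 3 * i:02d} iot-gw sshd[{810 + i}]: Failed "
                     f"password for {tag}{user} from 203.0.113.7 port {5100 + i} ssh2")
    lines.append("Jun 22 03:14:40 iot-gw sshd[830]: Accepted password for root "
                 "from 203.0.113.7 port 5107 ssh2")
    return lines

SAMPLE_LINES = _constructed_lines()

if __name__ == "__main__":
    for ip, a in detect(SAMPLE_LINES).items():
        print(ip, a["failures"], "failures, users", sorted(a["users"]),
              "then success:", a["success"])
```

The single failure from 198.51.100.4 never reaches the threshold and is not reported, while 203.0.113.7 is flagged with the user names it cycled through and the subsequent root login.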

Indicators of Compromise


Rotem Sde-Or, Microsoft Threat Intelligence Community

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post IoT devices and Linux-based systems targeted by OpenSSH trojan campaign appeared first on Microsoft Security Blog.

Improve supply chain security and resiliency with Microsoft http://approjects.co.za/?big=en-us/security/blog/2023/04/13/improve-supply-chain-security-and-resiliency-with-microsoft/ Thu, 13 Apr 2023 15:00:00 +0000 The Microsoft Supply Chain Platform was just launched to help companies protect their supply chains against cyber threats.

The post Improve supply chain security and resiliency with Microsoft appeared first on Microsoft Security Blog.

Let’s start with the bad news. Cybersecurity breaches can be particularly devastating for supply chains, which involve multiple parties and sensitive information. As operational technology (OT) devices become increasingly connected, blurring the gap between IT and OT environments, the risk of hackers targeting sensitive supply chain data increases. Now, for the good news. Microsoft Security offers a suite of tools and services, including Internet of Things (IoT) and OT solutions in Microsoft Defender for IoT and identity and access management (IAM) solutions in Microsoft Entra, that can help businesses secure their supply chains and prevent cybersecurity breaches.

With industry-leading AI, Microsoft synthesizes 65 trillion signals a day across many types of devices, apps, platforms, and endpoints—allowing for an unparalleled view of the evolving threat landscape.1

We recently announced the Microsoft Supply Chain Platform, an open, flexible, and collaborative platform designed to address the needs of supply chain leaders. This is done by enabling end-to-end visibility and control of processes and data across new or existing supply chain management and enterprise resource planning solutions.

Microsoft Security solutions are a key part of this platform. A cybersecurity breach can lead to operational disruptions, reputational damage, financial losses for companies involved in the supply chain, and even lead to loss of life in the case of critical industries like manufacturing, healthcare, energy, and transportation. That’s why it’s essential for organizations to invest in advanced security solutions to protect their supply chains.

According to Gartner, “By 2025, 60 percent of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements.”2

Find out more about Microsoft Defender for IoT, Microsoft Entra and the rest of our Microsoft Security solutions that play a critical role in securing your supply chains at Hannover Messe, from April 17 to 21, 2023, at the Microsoft Stand, Hall 17. Explore how to interact with us while there and register for Microsoft’s “Supply Chain Reimagined at Hannover Messe” session on April 19, 2023, during the event. We hope to see you there! 

Cloud-powered security with Microsoft Defender for IoT

IoT and OT devices proliferate throughout supply chains, which is why IoT and OT security solutions are an essential component of supply chain security. These solutions protect connected devices and systems, which can be vulnerable to attacks that seek to disrupt operations or, often, move laterally into IT environments to steal data or intellectual property.

IoT and OT environments have unique security challenges. Many legacy devices are unmanaged, and older network monitoring systems do not understand IoT and OT protocols, which makes them unreliable in these environments. Microsoft provides a range of IoT and OT solutions, including Azure Sphere, Azure IoT Edge, and Azure Digital Twins, which enable organizations to securely connect, manage, and analyze their IoT and OT devices and systems.

Microsoft Defender for IoT secures these environments, offering asset discovery, threat detection, incident response, compliance reporting, and more. Defender for IoT can be deployed on-premises or in the cloud, and it integrates with Microsoft Defender, Microsoft Threat Intelligence, and Microsoft Sentinel to enable security operations center teams to collaborate more effectively and efficiently. Learn more about Defender for IoT and how a cloud-powered OT security solution delivers the best value.

“By combining Defender for IoT and Device Update for Azure IoT Hub, we’ll have the efficiency and flexibility to cover multiple use cases on more powerful hardware yet be able to protect multiple operating systems and applications on a single device.”

Claus von Reibnitz, Managing Director for Liebherr

Secure access for suppliers and partners

IAM solutions are another critical component of supply chain security. By their very nature, supply chains include multiple organizations—such as suppliers, distributors, and retailers—whose employees and partners need to access information. Every organization must ensure that only the right users (such as employees, partners, vendors, contractors, and guests) have appropriate access at the right time.

Microsoft Entra is a cloud-based solution that offers complete identity and access management services for organizations. The granular authorization policies of Microsoft Entra ensure that only approved users and devices can access sensitive data and systems. This includes support for multifactor authentication with phishing-resistant systems and passwordless technologies. Microsoft Entra also integrates with other Microsoft services, such as Microsoft 365 and Microsoft Dynamics 365, for a seamless and secure experience for users accessing these services.

“We concluded that it would be much safer and more productive for us to understand and enjoy cloud services like Microsoft 365 and Microsoft Azure rather than taking the risks in maintaining our own systems.”

Keita Nakano, Deputy Chief of Information Planning, Nissin Foods

One of the key advantages of Microsoft Security solutions in the Microsoft Supply Chain Platform is their ability to operate with other Microsoft products and services. For example, IAM solutions such as Microsoft Azure Active Directory (part of Microsoft Entra) can be integrated with other Microsoft Cloud services, such as Microsoft 365 and Dynamics 365. IoT and OT solutions can also be integrated with other Microsoft services, such as Azure AI and Azure Analytics, to enable organizations to gain insights into their IoT and OT data and use these insights to improve supply chain operations.

Another advantage of Microsoft Security solutions is their flexibility. These solutions can be deployed in a variety of environments, including on-premises, cloud, and hybrid environments. This allows organizations to choose the deployment model that best meets their specific security and compliance requirements. Microsoft Security solutions also offer advanced threat protection capabilities that use machine learning and AI to detect and respond to threats in real time, reducing the risk of data breaches and other cyberthreats.

In addition to IAM and IoT and OT solutions, data protection, compliance and governance, and security analytics help organizations protect their sensitive data, ensure compliance with regulations and standards, and gain insights into their security posture.

Cybersecurity breaches can significantly impact supply chains and contribute to the ongoing disruptions we face in meeting partner and customer needs. However, organizations can mitigate the risks by investing in advanced security solutions with Microsoft Security. With the ability to integrate with other Microsoft products and services, deploy in a variety of environments, and provide advanced threat protection capabilities, Microsoft Security solutions include a comprehensive set of tools and services for securing supply chains and ensuring the continuity of operations.

Learn more about cybersecurity and resiliency for supply chains

Get details on Microsoft Security solutions, including Microsoft Defender for IoT and our multicloud identity and access capabilities with Microsoft Entra. And to dive deeper into Microsoft Security solutions, join us on April 13, 2023, for Microsoft Secure Technical Accelerator. Engage with our product and engineering teams through a live question and answer during each session, learn best practices, build community with your security peers, and get prescriptive technical guidance that will help you and your organization implement our comprehensive security solutions. Save the date and RSVP for event updates.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Microsoft Security reaches another milestone—Comprehensive, customer-centric solutions drive results, Vasu Jakkal. January 25, 2023.

2. Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23, Gartner. June 21, 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Microsoft Secure: Explore innovations transforming the future of security http://approjects.co.za/?big=en-us/security/blog/2023/03/28/microsoft-secure-explore-innovations-transforming-the-future-of-security/ Tue, 28 Mar 2023 15:30:00 +0000 Microsoft Secure kicks off today with on-demand content available to those who register. We’ll share major innovations in AI, identity, and data protection to create a safer world for all.

The post Microsoft Secure: Explore innovations transforming the future of security appeared first on Microsoft Security Blog.

Building a more secure future requires an end-to-end approach. There is no question that technology plays an essential role, but security will always be human-centered. That’s what Microsoft Secure is all about. It’s about sharing knowledge, best practices, and technology innovations that empower defenders. Register to view the highlights and on-demand sessions from Microsoft Secure.

At our inaugural Microsoft Secure event, we’re sharing our latest innovations across security, compliance, identity, management, and privacy. Continue reading this blog post for the top Microsoft Security announcements in AI, identity, and data protection, and watch Microsoft Secure today or on-demand for more information on these exciting innovations.

Today, the odds remain stacked against cybersecurity professionals. Too often, they fight an asymmetric battle against prolific, relentless, and sophisticated attackers. I am delighted to welcome you to the new era of security—shaped by the power of OpenAI’s GPT-4 generative AI—and thrilled to introduce to you Microsoft Security Copilot.

Introducing Microsoft Security Copilot—End-to-end defense at machine speed and scale

Microsoft Security Copilot is the first security product to enable defenders to move at the speed and scale of AI. Security Copilot combines an OpenAI large language model with a security-specific model from Microsoft. This security-specific model in turn incorporates a growing set of security-specific skills and is informed by Microsoft’s unique global threat intelligence and more than 65 trillion daily signals. Security Copilot also delivers an enterprise-grade, privacy-compliant experience, as it runs on Microsoft Azure’s hyperscale infrastructure.

Transforming threat protection and cloud security

Plus, we are continuing to deliver the latest innovations to help you defend your organization more effectively with extended detection and response (XDR) and threat intelligence. In August 2022, we introduced Microsoft Defender Threat Intelligence (MDTI), formerly RiskIQ, which enables 360-degree visibility into threats. Today, we are announcing the next step in helping defenders get the context they need to secure their organization faster.

Microsoft Defender Threat Intelligence is now available to licensed customers directly within Microsoft 365 Defender. It’s already integrated with Microsoft Sentinel and now has an application programming interface (API) to help enrich incidents, automate incident response, and work with a broad ecosystem of security tools. With this advancement, you get one of the world’s best sources of threat intelligence, integrated with the tools you use every day.

We are also adding Intel Profiles, updated daily with information on threat actors and tools. Both Microsoft 365 Defender and Microsoft Sentinel customers can quickly access this information to analyze, investigate, and hunt threats.

Beyond threat intelligence, Microsoft 365 Defender delivers industry-leading XDR spanning far beyond multi-platform endpoints to include email, identities, software as a service (SaaS) applications, and more. Today, we are extending that protection to Microsoft Teams for any customer licensed for Microsoft Defender for Office 365. Collaboration platforms, such as Teams, are vital business tools and, increasingly, a new attack vector for adversaries to phish employees.

Over time, Microsoft Defender for Office 365 will support the full lifecycle of protection for Teams, from prevention and detection to investigation and hunting, response actions, and even help with raising user awareness of best practices. Today, we are extending beyond the existing Safe Links capability to enable users to report suspicious messages, automatically purge unsafe messages, and integrate administration experiences into Microsoft 365 Defender. With Teams and Microsoft 365 Defender, your employees can be both productive and safe.

With accelerated cloud migration and growing cloud-native app development, it is critical for security teams to evolve from protecting infrastructure to securing the entire lifecycle of cloud applications. Moreover, as the volume of cloud data grows, it’s becoming an increasingly lucrative target for bad actors. Microsoft is leading the next chapter of multi-cloud security with new innovations in Microsoft Defender for Cloud, one of the industry’s most comprehensive cloud-native application protection platforms (CNAPP).

  • Defender Cloud Security Posture Management (CSPM) is now generally available to help organizations get an end-to-end view of risks and prioritize remediation across their multicloud environments with contextual cloud security. And now, new integrated data-aware security posture capabilities allow teams to automatically discover their data estate, assess threats to their most critical assets and sensitive data, and proactively prevent breaches along potential attack paths.
  • Defender for Storage now offers sensitive data discovery and malware scanning to address threats to critical storage resources in the cloud. New scanning capabilities prevent infiltration attempts with near real-time detection of metamorphic and polymorphic malware across cloud data.

For organizations seeking to defend operational technology (OT) at scale, Microsoft Defender for IoT now offers a fully cloud-delivered OT security solution. Customers can achieve single-pane-of-glass visibility for all OT devices, across all sites, when Defender for IoT is deployed in the Microsoft Azure portal. Learn more about the new capabilities and explore cloud-delivered OT security—as well as new threat management capabilities and Microsoft Azure integrations—with a 30-day free trial of OT monitoring in the Azure portal.

Many organizations may not have the time, resources, or expertise to build an in-house incident response program. For customers that want help preparing their in-house security team or are facing an especially complex security incident, Microsoft Incident Response offers an end-to-end portfolio of proactive and reactive incident response services. Microsoft Security is expanding our incident response presence and we’re excited to announce the Microsoft Incident Response Retainer, which is now generally available to enterprise, government, education, and non-profit customers. If you’re curious about how an Incident Response Retainer can improve your security posture, explore details on our incident response-related announcements.

People rely on technology to collaborate on projects and complete tasks. And security professionals are more important than ever to keep their organizations resilient as threats evolve and attack surfaces grow. Security is a team sport that takes everyone working together. Protection takes a combined effort across teams, devices, defenders, and clouds.

Secure, connected endpoint management and identity

Another way to empower security teams is to consolidate multiple endpoint management tools in Microsoft Intune and converge workloads across IT and security operations. The Microsoft Intune Suite, launched on March 1, 2023, unifies a series of mission-critical endpoint management solutions within Intune. The features of the Microsoft Intune Suite are designed to incorporate security signals into endpoint management that fortify your cyber safety for Zero Trust, use data science and AI for proactive user experience protection, and reduce complexity and costs through automation and consolidation.

“I’m consistently impressed by the level of security that Intune provides. Now with the Microsoft Intune Suite on the horizon, I feel even more confident that my company’s data will remain highly secure, and the straightforward management and deployment of policies will make it easier to help ensure that all devices are safeguarded.”—Ibrar Mahmood, IT Cyber Security Manager, Milton Keynes University Hospital NHS Foundation Trust.

Deep integration of Microsoft Security services in the Intune Suite empowers IT and security operations to control the elevation of Windows standard users with Microsoft Intune Endpoint Privilege Management, enable trusted helpdesk-to-employee connections with Remote Help, secure corporate data and application access from mobile bring-your-own devices (BYOD) with Microsoft Tunnel for Mobile Application Management, and detect anomalies based on their severity with advanced endpoint analytics. And we’re just getting started! In the coming months, we will introduce AI-powered analytics and add more capabilities, including a Microsoft-hosted app catalog with advanced update notifications and controls.

In identity announcements, Microsoft Entra is introducing new governance controls and policy protections to help you better secure identities and the resources they access. Key among these innovations is Microsoft Entra Identity Governance and Verified ID. With this new feature, using a Verified ID during an entitlement management flow enables simplified and standardized ways to handle collecting the right information from requestors without asking them to fill out additional paperwork.

But that’s not all the product enhancements for Microsoft Entra. New features to empower security teams to better protect organizations include:

  • New protections to help secure sign-ins: With conditional access authentication strengths, admins can set policy on the strength of multifactor authentication required and base that policy on the sensitivity of the apps and resources a user is trying to access. More access scenarios will also benefit from an extension of phishing-resistant multifactor authentication. These include external users and collaborators between government and commercial clouds, and Azure virtual machines, to protect remote sign-ins across development, test, and production environments. Conditional Access for high-risk actions, now in public preview, also lets you apply conditional access policies directly to sensitive actions in Microsoft Azure Active Directory.
  • New countermeasures to help prevent lateral movement: Strict enforcement of location policies, now in public preview, will let resource providers use continuous access evaluation to immediately revoke tokens that violate location policies. Also, token protection ensures tokens can be used only on the device they were intended for and is in public preview for Windows sign-in sessions.
  • A new dashboard to help close policy gaps: We’re also excited to introduce an overview dashboard in Conditional Access that summarizes policy posture, unprotected users and apps, provides insights and recommendations based on sign-in activity, and helps show the impact of individual policies.  

The goal of our updates in Microsoft Intune and Microsoft Entra is to enable smarter, real-time access decisions for all identities and cloud-managed endpoints. We do that through our solutions, but also through research. Find the latest multicloud permissions risks insights in the 2023 State of Cloud Permissions Risks Report, compiled from more than 500 risk assessments completed in Microsoft Entra Permissions Management, our cloud infrastructure entitlement management (CIEM) solution. Learn about the projected Total Economic Impact™ of the Microsoft Intune Suite in a new technology study conducted by Forrester Consulting commissioned by Microsoft.

Data security for today’s world

A strategy of being human-first in security wouldn’t be complete without data security. After all, data offers immense value to your organization and inspires an equally powerful need to protect it. Safeguard sensitive information across platforms, apps, and clouds and minimize insider risk using the latest capabilities of Microsoft Purview, our set of data protection, governance, and compliance solutions. All these capabilities are available immediately to E5 customers, while organizations without E5 can start a trial.

In February 2023, we introduced Adaptive Protection in Microsoft Purview to power data security with people-centric intelligence. Available for public preview, this capability leverages the built-in and ready-to-use machine learning models in Microsoft Purview Insider Risk Management to understand how users are interacting with data and respond by:

  • Identifying high-risk users who may take risky actions that could lead to data security incidents.
  • Dynamically tailoring data loss prevention (DLP) controls based on the level of risk detected.
  • Automatically applying the most effective DLP policies, such as blocking data-sharing, only to high-risk users, so the productivity of low-risk users isn’t impacted.

Among other advantages, Adaptive Protection reduces the alert overload that strains IT resources by letting organizations prioritize their limited resources and address the highest risks.

To bolster your protection further with Microsoft Purview DLP, we are bringing proactive protection to your Windows endpoint devices, where every document, regardless of whether it contains sensitive information or when it was created or modified, is analyzed to determine its sensitivity based on what the DLP policies are configured to look for. If a file that contains sensitive content violates any DLP policy rules, the restrictions defined in the policy are applied, so that you can better protect files.

To support our customers’ diverse digital estates, we are excited to extend DLP controls to protect files with sensitive information in multiple places. Organizations can now extend existing protection for sensitive files on endpoint devices against actions such as print, copy to USB, upload to the cloud, copy to clipboard, and more to virtualized environments, including Windows Virtual Desktop, Citrix, Amazon Web Services (AWS) workspace, and Hyper-V platforms. We are also extending DLP controls to support files on network shares. And finally, we are adding capabilities on macOS devices, such as protection of sensitive file exfiltration through Bluetooth, the ability to define groups of apps and apply different restrictions to each group, and the ability to customize notifications and use advanced classifiers.  

To empower administrators to identify, debug, and remediate device misconfigurations, we are providing details about device health as well as the configuration status of all onboarded endpoint devices in the Device Onboarding tab in the Microsoft Purview compliance portal.

We are constantly adding support for classification types, and we are introducing the following types in public preview:

  • Context-based classification with default site labels that allows an admin to choose specific SharePoint and OneDrive locations that are sensitive and ensure that any content moved or egressed from that location is automatically labeled based on the default label.  
  • Optical character recognition (OCR) for text extraction of images that are sent over emails, stored on SharePoint and OneDrive, shared across Teams, as well as egressed across endpoint devices.

Lastly, to help security teams create and fine-tune Insider Risk Management policies more easily, the real-time policy-tuning analysis, now in public preview, provides admins with a prediction of the number of users in a tenant that could potentially match a given set of policy conditions.

Register for Microsoft Secure today!

We covered many announcements in this blog about technology, but I always return to the people who use it. Our innovations are designed to equip defenders with the best possible tools and information to develop a security solution that’s comprehensive and fitting for their organizations.

Comprehensive security not only means solutions that address a wide variety of threats and vulnerabilities but also how they work together to provide the best security outcomes. Learn more about how your organization can eliminate security gaps and cut costs with simplified, comprehensive protection from the Microsoft Secure event—all sessions are available on-demand.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

Leverage cloud-powered security with Microsoft Defender for IoT http://approjects.co.za/?big=en-us/security/blog/2023/03/20/leverage-cloud-powered-security-with-microsoft-defender-for-iot/ Mon, 20 Mar 2023 16:00:00 +0000 Learn how the new Microsoft Defender for IoT delivers integrated, comprehensive security for your IoT and OT environment. Powered by Microsoft cloud technology, Defender for IoT manages assets, emerging threats, and risks across connected or air-gapped environments—from enterprise networks to mission-critical networks.

The post Leverage cloud-powered security with Microsoft Defender for IoT appeared first on Microsoft Security Blog.

Traditionally, operational technology (OT) and IT have occupied separate sides of enterprise security. But with digital transformation and the advent of Industry 4.0, the old, siloed approach is showing its age.1 The rise of manufacturing execution systems has enabled more “smart factories” to deliver improved manageability and data collection. While increased OT connectivity in energy production, utilities, transportation, and other critical industries helps drive greater efficiency, it also creates new vulnerabilities. Roughly 41.6 billion devices are projected to be internet-facing by 2025, creating an enormous attack surface.2 And unlike IT environments, a breach in OT can have potentially life-threatening consequences, as evidenced by the 2021 cyberattack against a Florida city’s water supply.3

It is with great pleasure that we announce the general availability (GA) of the Microsoft Defender for IoT cloud-managed platform, which lets businesses interconnect their OT environment without compromising security. Powered by Microsoft’s scalable, cost-effective cloud technology, Defender for IoT helps you manage assets, track emerging threats, and control risks across enterprise and mission-critical networks—both in connected and air-gapped environments. In this blog, we’ll look at today’s connected OT environment, including the advantages of cloud-managed security and how a converged security operations center (SOC) can offer advantages over the traditional siloed approach.

Why choose a cloud-powered solution for IoT and OT security?

The proliferation of connected devices—everything from manufacturing systems, heating, ventilation, and air conditioning (HVAC), and building management systems (BMS) to heavy machinery for mining, drilling, and transportation—means that OT security solutions require speed, accuracy, and context on a massive scale. In the December 2022 issue of our Cyber Signals threat brief, Microsoft identified unpatched, high-severity vulnerabilities in 75 percent of the most common industrial controllers used in our customers’ OT networks. Even using ordinary Internet of Things (IoT) devices like printers and routers, attackers can breach and move laterally through an IT system, installing malware and stealing sensitive intellectual property. Cloud-powered IoT and OT security solutions offer several advantages over traditional solutions:

  • Discovery of assets end-to-end: Asset profiling analyzes network signals to discover and categorize network assets, the information collected about them, and the types of assets they represent. Profiling in the cloud is driven by an extensive collection of classifiers, allowing for high-fidelity categorization into categories such as servers, workstations, mobile devices, and IoT devices. Once assets have been classified properly, their potential security risks can be monitored and analyzed. This is critical for protecting an organization’s networks, as a vulnerability or misconfiguration in any asset can create an entry point for attackers. By identifying and mitigating these risks, organizations can keep their infrastructure secure and protect sensitive information.
  • Detect and respond to threats in real time: Reduce response times from days to minutes by detecting and responding to threats as they occur. Through collaboration between defenders from different industries, we can share best practices and information to better protect against emerging threats. By leveraging collective knowledge, defenders can stay ahead of malicious actors and respond to incidents as they occur. As a result, a cloud-powered OT solution can help prevent breaches and minimize their effects. For instance, by detecting malicious activity on a network or a suspicious login attempt, security analysts can respond immediately to prevent a breach or limit its extent.
  • Defend against known and unknown threats: Microsoft AI and machine learning alerts provide real-time detection of threats, as well as automated responses to known or unknown attacks. These alerts are designed to help security teams quickly identify and investigate suspicious activity, then take the necessary steps to protect the organization. For instance, a security system that monitors network activity in real time can detect suspicious activity within minutes of it occurring, alerting security administrators to take action before the attack has a chance to succeed.
  • Compliance reports tailored to your requirements: Organizations can easily create and manage tailored compliance reports that are up-to-date, secure, and compliant with industry standards. With customizable reporting tools available in Microsoft Azure, users can obtain data from multiple sources and build robust, customized reports. Along with providing automated reporting and scheduling capabilities, Azure Workbooks provide a collaborative experience across silos.
  • Workflows and integrations that leverage the cloud: Cloud-to-cloud integrations help organizations streamline workflows and easily access data from multiple sources. By connecting multiple cloud services, organizations can gain better visibility into their operations, automate processes, and reduce manual labor. Additionally, cloud-to-cloud integrations help organizations scale quickly and eliminate the need to purchase additional hardware and software. As a result, organizations can reduce costs and increase efficiency.

With any type of OT security, mean time to recovery (MTTR) is a critical metric. A target MTTR for IT is typically between 30 minutes and two hours. However, because IoT and OT security often involves cyber-physical systems used in utilities, healthcare, or energy production, every minute counts. Cloud-based OT security can make a difference by enabling real-time response across multiple locations. But what if you could take your security a step further and achieve a faster MTTR through a unified SOC for both IT and OT?

Unifying security efforts with a converged IT, IoT, and OT SOC

Empowering OT and IT security teams to work together helps create a unified front against evolving threats, maximizing your resources while gaining a comprehensive view of vulnerabilities. This way, a converged SOC taps into the strengths of both teams, creating a streamlined, cost-effective approach to enterprise security. By establishing common goals and key performance indicators, IT and OT security teams can work together on tabletop exercises to build cohesion. To learn more about how to empower OT and IT security teams to work together, watch our webinar, OT/IoT Enabled SOC with Microsoft Sentinel and Microsoft Defender for IoT.

The key benefits of a converged SOC include:

  • Improved collaboration: Increase your team’s effectiveness in identifying and responding to threats by utilizing both IT skills and OT knowledge, creating a better understanding of potential impacts on both IT and OT systems.
  • Greater visibility: Gain a complete picture of vulnerabilities across both the business and industrial sides of your organization. Then take proactive measures to prevent a breach.
  • Streamlined response: Eliminate the need to transfer incidents between IT and OT teams, reducing response times. Mitigate security incidents with swift, coordinated actions to reduce potential damage.
  • Strengthened compliance: Share knowledge and expertise easily to ensure that all areas of the business comply with industry regulations and standards.
Screenshot of Microsoft Defender for IoT’s graphical user interface displaying the inventory of devices in the environment.

Figure 1. Defender for IoT—Device inventory view.

Microsoft Defender for IoT is a unified solution for today’s converged SOC

Given the 75 percent vulnerability rate in industrial controllers, nearly every organization using OT will need to reevaluate the security posture of both its legacy equipment (brownfield; lacking security) and its newer devices (greenfield; with some built-in security).[2] Older network monitoring systems do not understand IoT and OT protocols, making them unreliable for these environments. A purpose-built solution is needed for today’s converged SOC.

With Microsoft Defender for IoT, you can achieve faster time-to-value, improve agility and scalability, increase visibility, and strengthen the resiliency of your network and infrastructure without making significant changes. The Defender for IoT cloud is designed to augment your on-premises processing power while providing a source of centralized management for global security teams—raising the bar for OT defense. Let’s walk through how a typical scenario might play out.

How Defender for IoT works—scenario:

  1. A new Common Vulnerabilities and Exposures (CVE) entry is published with information that may affect your organization’s OT devices. Even more concerning, you discover that hackers have been sharing this vulnerability widely online.
  2. With Microsoft Threat Intelligence, the new CVE is ingested automatically and shared across our cloud-based security services, including Defender for IoT.
  3. Using the Microsoft Azure Portal, your SOC can begin monitoring for the new vulnerability across all devices and sites.
  4. Result: Securing your IoT and OT environment becomes faster and more comprehensive.

Additional scenarios where your SOC could see immediate benefit with Defender for IoT include:

  • OT security and compliance audits.
  • Attack surface reduction consulting.
  • Tabletop exercises.

See and protect everything with Device inventory

With the GA of Defender for IoT, Device inventory now allows your SOC to confidently manage OT devices from a single pane of glass through the Microsoft Azure Portal. By supporting unlimited data sources (such as manufacturer, type, serial number, firmware, and more), Device inventory helps your security team gain a complete picture of your IoT and OT assets and proactively address any vulnerabilities using Microsoft’s scalable, cloud-managed platform.

Screenshot of Microsoft Defender for IoT’s graphical user interface displaying specific device details for a selected device in the environment, including type, subtype, vendor, model and firmware version.

Figure 2. Defender for IoT—Comprehensive view of an asset with backplane modules.

Simplified integration for end-to-end protection

To enable comprehensive protection across your enterprise, Defender for IoT easily integrates with Microsoft Sentinel. Together, Defender for IoT and Microsoft Sentinel provide security information and event management (SIEM) for both OT and IT environments. Defender for IoT also shares threat data with Microsoft 365 Defender, Microsoft Defender for Cloud, and non-Microsoft products like Splunk, IBM QRadar, and ServiceNow. This extensive and integrated ecosystem allows your converged SOC to tune alerts automatically across IoT and IT, creating baselines and custom alerts that help reduce alert fatigue.

Creating security for all—you’re invited

To learn more about how Microsoft Defender for IoT can help create a unified security solution for your converged SOC, remember to mark your calendars for the RSA Conference, April 24 to 27, 2023, and visit us at Microsoft booth 604. Register now for the special RSA Microsoft pre-day event.

Want to be among the first to see the AI-powered future of cybersecurity and the latest advances in cloud defense? Join us at Microsoft’s new digital security-only event, Microsoft Secure, on March 28, 2023.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] Industry 4.0 technologies assessment: A sustainability perspective, Chunguang Bai, Patrick Dallasega, Guido Orzes, and Joseph Sarkis. November 2020.

[2] The convergence of IT and OT: Cyber risks to critical infrastructure on the rise, Microsoft. December 2022.

[3] Someone tried to poison a Florida city by hacking into the water treatment system, sheriff says, Amir Vera, Jamiel Lynch, and Christina Carrega. February 8, 2021.

Microsoft Security innovations from 2022 to help you create a safer world today http://approjects.co.za/?big=en-us/security/blog/2023/01/23/microsoft-security-innovations-from-2022-to-help-you-create-a-safer-world-today/ Mon, 23 Jan 2023 18:00:00 +0000 Learn about the more than 300 Microsoft Security innovations launched in 2022, and how we’re making cybersecurity more inclusive and representative of our communities.

The post Microsoft Security innovations from 2022 to help you create a safer world today appeared first on Microsoft Security Blog.

The start of a new year is always a great time for reflection—to be grateful for all we have and the progress security teams have made as well as look ahead to how we can reshape the security landscape. I use this time to think about goals for the future, and to reflect on the highlights, achievements, and growth of the previous year, both personally and professionally. I want to take some time to reflect upon the progress we made in 2022 as part of our journey toward making the world a safer place for all.

Looking at the steady rise in cybercrime, it can feel like there are only gray skies on the horizon. Since September 2021, we have seen the number of password attacks rise from 579[1] to 1,287[2] per second. That’s a staggering increase. But at Microsoft, we’re moving into the new year full of hope and resolution. We center our actions around the belief that cybersecurity is about people—to protect, involve, and empower everyone.

We’re committed to innovating against the threats of today and tomorrow by harnessing AI, machine learning, and cloud technologies all brought together in an end-to-end security cloud. Since July 2022, Microsoft Security has delivered more than 300 product innovations—from minor updates to major launches like Microsoft Entra Workload Identities (November 2022). In addition, we now have more than 15,000 partners integrated across our security ecosystem so customers have the power to choose what works best for them. In a time when security professionals are being asked to do more with less—fewer people, scant resources, and less time—Microsoft has responded with a simplified, comprehensive security approach that protects your entire multicloud, multiplatform digital estate. And we continue to foster a diverse, inclusive new generation of cyber defenders who will keep us all moving ahead—fearlessly. Here’s a look at some of our newest innovations to help you move into the new year with confidence.

Unified innovations to protect you comprehensively and make your job easier

According to Microsoft research, 72 percent of chief information security officers (CISOs) and other C-level security professionals say that it’s very important for a technology vendor to offer a comprehensive set of products across security, compliance, and identity.[3] We continue to respond to this need, and over the past year, we’ve streamlined and simplified our security solutions into six integrated product families designed to decrease your costs and enable growth. This simplification makes it easier for you to anticipate vulnerabilities, manage risks, and navigate a rapidly evolving threat landscape and regulatory environment. This comprehensive solution of interconnected product families covers extended detection and response (XDR), security information and event management (SIEM), threat intelligence, identity and access management (IAM), endpoint management, cloud security, and data protection, compliance, and privacy. For organizations that want to extend their ability to defend and manage threats, we’ve added a new line of managed services—Microsoft Security Experts.

A circle graph of the six product lines under the multiplatform and multicloud Microsoft Security portfolio.

Integrated security defense

As cyberattacks become more sophisticated, Microsoft continues to keep pace. We’re always pushing our limits and improving our products to help you eliminate security gaps and protect more with less. During the latter half of 2022, we extended our vision of simplified, unified protection—delivering hundreds of innovations to help protect your entire digital estate. Some of our notable launches over the past six months include:

  • Microsoft Defender for IoT adds agentless monitoring to secure enterprise IoT devices like Voice over Internet Protocol (VoIP) phones, printers, and smart TVs—as well as Operational Technology (OT) devices in critical industries like energy, manufacturing, and healthcare.[4] A dedicated integration with Microsoft 365 Defender adds XDR for Internet of Things (IoT) devices, which means less complexity and greater visibility within one unified security operations center. These entry points are often overlooked and can be used to move laterally across your network.
  • Microsoft Defender Cloud Security Posture Management (in preview), helps your security teams save time and remediate critical risks with contextual cloud security. Get a continuous security assessment of your resources running across Microsoft Azure, Amazon Web Services (AWS), Google Cloud, and on-premises systems with new agentless scanning capabilities that provide real-time assessments across hybrid and multicloud environments. 
  • Microsoft Defender for DevOps (also in preview) integrates with Defender Cloud Security Posture Management to further connect the dots for security operations (SecOps) teams. Defender for DevOps empowers your team to unify and strengthen DevOps security to minimize vulnerabilities, then effectively prioritize and drive remediation across multipipeline environments. 
  • Microsoft Defender External Attack Surface Management also integrates with Defender Cloud Security Posture Management to help provide a better picture of your attack surface, including shadow IT and other unseen assets accumulated through normal business growth. This gives SecOps the ability to discover unknown resources that are accessible from the internet—the same view an attacker has when selecting a target. With this new tool, your team is empowered to maintain a dynamic inventory of external resources across multiple cloud and hybrid environments, helping to monitor unmanaged resources that could serve as potential entry points. 
  • Microsoft Defender Threat Intelligence empowers your team to better track threat actor activity and patterns.[5] Uncover attacker infrastructure so you can accelerate your investigation and remediation with more context, insights, and analysis. Armed with this real-time data, your team can proactively hunt for threats, undertake custom threat intelligence processes and investigations, and even improve the performance of third-party security products.
  • Microsoft Defender Experts for Hunting provides a proactive threat-hunting service for customers who would prefer to have Microsoft experts help them hunt down threats using Microsoft Defender data.[6] This new service covers not only endpoints, but also Microsoft Office 365, cloud applications, and identity. Our experts will investigate anything they find, then hand off contextual alert information and remediation instructions, enabling your team to respond quickly.

Integrated data and identity protection

A recent industry study found that phishing, password spray, multifactor authentication fatigue, and other identity-driven attacks now account for 61 percent of breaches.[7] And during the third quarter of 2022, approximately 15 million data records were breached worldwide—a 37 percent increase over the previous quarter.[8] Because our adversaries aren’t slowing their attacks, we’ve continued to innovate and expand capabilities for Microsoft Entra, Microsoft Intune, and Microsoft Purview to help your team protect user identities, their endpoints, and the precious data that keeps your business going.

  • Microsoft Entra Permissions Management (formerly CloudKnox Security) is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility and control over permissions for any identity and any resource in Azure, AWS, and Google Cloud.[9] With Permissions Management, organizations can discover, remediate, and monitor permissions for all identities and resources across multicloud environments. This empowers your team to enforce the Zero Trust principle of least-privilege access at cloud scale using historical data—improving your security without interrupting productivity.
  • Microsoft Entra Workload Identities extends advanced capabilities, such as Conditional Access and Identity Protection, to better manage lifecycles with insight into access activities and protect your non-human identities as well. 
  • Microsoft Entra Verified ID—for Microsoft Azure Active Directory (Azure AD) subscribers (free and premium)—provides an easy option to issue, request, and verify credentials for employment, education, or any other claim.[10] This decentralized identity system offers a convenient, portable way to verify your identity while controlling your own data.
  • Microsoft Entra certificate-based authentication (CBA) through Azure AD strengthens access controls and helps organizations reduce infrastructure costs, so even customers who have regulatory requirements for CBA can move authentication to the cloud and eliminate the need for Active Directory Federation Services (AD FS).
  • Microsoft Entra Identity Governance is a complete cloud-delivered identity governance solution that ensures only the right people have access to the right resources. This service includes more advanced tools—lifecycle workflows that automate repetitive tasks like employee onboarding, separation of duties that introduces checks and balances within entitlement management, and provisioning back to your on-premises applications—alongside the capabilities that were already available in Azure AD.
  • Microsoft Purview Data Loss Prevention and new capabilities focused on granular policy configuration and context for post-incident investigation on endpoint devices help users make informed decisions and take the right actions while using sensitive data, helping balance security and productivity. A recent survey by MDC Research shows that a majority of customers purchase three or more products to meet their compliance and data protection needs. Stitching together disparate solutions is not only resource-intensive but also can lead to blind spots and gaps in an organization’s data protection strategy.[11]
  • Microsoft Purview Information Protection for Adobe Document Cloud provides a rights-management solution that helps you protect your data when shared in documents. This portable data protection solution combines native classification and labeling capabilities with the power of Adobe Acrobat to seamlessly secure PDFs with sensitivity labels and user-defined permissions. Available for Windows and macOS.
  • Microsoft Purview Insider Risk Management offers analytics, quicker policy creation, new file path, keyword, and site URL exclusions to reduce false positives, and a new policy type for detecting risky browsing, all of which help organizations detect risky insider activities that may lead to a data security incident.[12] Data breaches arising from insider threats cost businesses an average of USD 7.5 million annually. Our holistic insider risk management program report showed that the most effective way to address insider risks is to build a program focused on empowering your people, making user privacy a priority, collaborating across leadership, and addressing data protection and insider risk management from multiple lenses.[13]
  • Microsoft Purview eDiscovery APIs help organizations lower costs by leveraging automation to streamline repetitive workflows. The automation and extensibility of eDiscovery workflows help reduce staff hours and the likelihood of costly human errors, which is critical for organizations with complex requirements for litigation and investigation.

Looking back, I am appreciative of all we’ve accomplished. These innovations across the Microsoft Security comprehensive solution empower your team to move into this year with confidence—six integrated product families to help you protect what matters most.

Creating a safer world for all is our north star; it’s what drives us toward relentless innovation. We hope you will join us in this goal and discover new ways to stay ahead of the bad actors. Today, Microsoft Security helps to protect billions of people around the globe. Our ability to process trillions of signals daily gives us a unique vantage point to scan the threat landscape and help protect against sophisticated new attacks. As proof, the number of Microsoft Security customers almost doubled in the last year to more than 860,000 worldwide. That’s why Microsoft is driving the future of cybersecurity by continuing to invest in AI, machine learning, and cloud technologies.

Join us at Microsoft Secure to hear about future innovations

Be among the first to hear important security announcements from Microsoft leaders and learn how your organization can eliminate security gaps and cut costs with simplified, comprehensive protection for the new year at Microsoft Secure on March 28, 2023. This new digital event will bring our customers, partners, and the defender community together to share perspectives on navigating the security landscape and to build on real-world experience. Register today!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.

[2] Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

[3] Microsoft Security audience tracking research, November 2022.

[4] Introducing security for unmanaged devices in the Enterprise network with Microsoft Defender for IoT, Michal Braverman-Blumenstyk and Nir Giller. July 11, 2022.

[5] Microsoft announces new solutions for threat intelligence and attack surface management, Vasu Jakkal. August 2, 2022.

[6] Microsoft Defender Experts for Hunting proactively hunts threats, Microsoft Security Experts. August 3, 2022.

[7] 50 Identity And Access Security Stats You Should Know In 2022, Caitlin Jones. January 6, 2023.

[8] Number of data records exposed worldwide from 1st quarter 2020 to 3rd quarter 2022, Statista. November 29, 2022.

[9] Microsoft Entra Permissions Management is now generally available, Alex Simons. July 7, 2022.

[10] Microsoft Entra Verified ID now generally available, Ankur Patel. August 8, 2022.

[11] New capabilities that help proactively secure data with Microsoft Purview Data Loss Prevention, Shilpa Bothra. October 12, 2022.

[12] Detecting and investigating security risks with new capabilities from Insider Risk Management, Talhah Mir. October 12, 2022.

[13] Microsoft publishes new report on holistic insider risk management, Bret Arsenault. October 6, 2022.

MCCrash: Cross-platform DDoS botnet targets private Minecraft servers http://approjects.co.za/?big=en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/ Thu, 15 Dec 2022 18:00:00 +0000 The Microsoft Defender for IoT research team analyzed a cross-platform botnet that infects both Windows and Linux systems from PCs to IoT devices, to launch distributed denial of service (DDoS) attacks against private Minecraft servers.

The post MCCrash: Cross-platform DDoS botnet targets private Minecraft servers appeared first on Microsoft Security Blog.


April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1028 is now tracked as Storm-1028.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

Malware operations continue to rapidly evolve as threat actors add new capabilities to existing botnets, increasingly targeting and recruiting new types of devices. Attackers update malware to target additional operating systems, ranging from PCs to IoT devices, growing their infrastructure rapidly. The Microsoft Defender for IoT research team recently analyzed a cross-platform botnet that originates from malicious software downloads on Windows devices and succeeds in propagating to a variety of Linux-based devices.

The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices. Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet. The botnet’s spreading mechanism makes it a unique threat, because while the malware can be removed from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet.

Microsoft tracks this cluster of activity as DEV-1028, a cross-platform botnet that infects Windows devices, Linux devices, and IoT devices. The DEV-1028 botnet is known to launch distributed denial of service (DDoS) attacks against private Minecraft servers.

Our analysis of the DDoS botnet revealed functionalities specifically designed to target private Minecraft Java servers using crafted packets, most likely as a service sold on forums or darknet sites. A breakdown of the systems affected by the botnet over the three months from the time of this analysis also revealed that most of the devices were in Russia:

A geographical map that presents the countries where the devices affected by the botnet are located. Countries with affected devices are highlighted on the map in blue.
Figure 1. IP distribution of devices infected by the botnet

This type of threat stresses the importance of ensuring that organizations manage, keep up to date, and monitor not just traditional endpoints but also IoT devices that are often less secure. In this blog post, we share details on how this botnet affects multiple platforms, its DDoS capabilities, and recommendations for organizations to prevent their devices from becoming part of a botnet. We also share Minecraft server version information for owners of private servers to update and ensure they are protected from this threat.

Cross-platform botnet targets SSH-enabled devices

Microsoft researchers observed that the initial infection points related to the botnet were devices infected through the installation of malicious cracking tools that purport to acquire illegal Windows licenses.

Two screenshots of the user interfaces of the cracking tools used to spread the MCCrash botnet.
Figure 2. Cracking tools used to spread the botnet.

The cracking tools contain additional code that downloads and launches a fake version of svchost.exe through a PowerShell command. In some cases, the downloaded file is named svchosts.exe.

A screenshot of malware code from an analysis tool, specifically the function where the malware downloads and runs the malicious file, svchost.exe.
Figure 3. The code of the .NET executable that downloads and runs svchost.exe

Next, svchost.exe launches malicious.py, the main Python script that contains all the logic of the botnet, which then scans the internet for SSH-enabled Linux-based devices (Debian, Ubuntu, CentOS, and IoT workloads such as Raspbian, which are commonly enabled for remote configuration) and launches a dictionary attack to propagate. Once a device is found, it downloads the file Updater.zip from repo[.]ark-event[.]net onto the device, which creates the file fuse. The fuse file then downloads a copy of malicious.py onto the device. Both svchost.exe and fuse are compiled using PyInstaller, which bundles the Python runtime and all libraries necessary to run malicious.py.

A graphic that presents the entire DDoS botnet attack flow from initial infection through a malicious cracking software to the running of DDoS commands from infected devices.
Figure 4. The DDoS botnet attack flow

While malicious.py has specific functionalities depending on whether the file launches on a Windows or Linux-based device (for Windows, the file establishes persistence by adding the registry key Software\Microsoft\Windows\CurrentVersion\Run with the executable as the value), the executable is compiled to operate on both Windows and Linux-based devices. The file communicates with its command-and-control (C2) server as follows:

  • Establish TCP connection to repo[.]ark-event[.]net on port 4676.
  • Send initial connection string.
  • Receive a key from the server for encryption and decryption, and then encrypt further communication using the Fernet symmetric algorithm.
  • Send version information to the server:
    • Windows device: The current Windows version
    • Linux device: Hardcoded version (2.19 in the sample we analyzed)
  • Continue receiving encrypted commands from the server

Based on our analysis, the botnet is primarily used to launch DDoS attacks against private Minecraft servers using known server DDoS commands and unique Minecraft commands. Below is the list of commands established in the code:

  • SYNC: Check that malware is running
  • PROXY_<url>: Set proxy servers
  • DOWNLOAD_<url>: Download file
  • EXEC_<command>: Run specific command line
  • SCANNER[ON|OFF]: Default credentials attack on SSH servers to spread
  • ATTACK_TCP: Send random TCP payloads
  • ATTACK_[HOLD|HANDSHAKE]: Send random TCP payloads through proxy
  • ATTACK_UDP: Send random UDP payload
  • ATTACK_VSE: Attack on Valve Source Engine protocol
  • ATTACK_RAKNET: Attack on RakNet protocol (used by Minecraft servers)
  • ATTACK_NETTY: Minecraft – Login Handshake packet
  • ATTACK_[MCBOT|MINE]: Minecraft – Login Start packet
  • ATTACK_[MCPING|PING]: Minecraft – Login Success packet
  • ATTACK_MCDATA: Minecraft – Login Handshake, Login Start, and Close Window packets
  • ATTACK_MCCRASH: Minecraft – Login Handshake and Login Start packets, using a username with an env variable
  • ATTACK_JUNK: Send Tab-Complete packet
  • ATTACK_HTTP-GET: Send GET request
  • ATTACK_HTTP-FAST: Send HEAD request
  • STOP_ATTACK: Stop the previous attack

While most of the commands are methods of DDoS, the most notable command run by the botnet is ATTACK_MCCRASH. The command sends ${env:random payload of specific size:-a} as the username in order to exhaust the resources of the server and make it crash.

A screenshot of packet capture results that presents details of the malware's TCP payload.
Figure 5. MCCrash TCP payload seen in a packet capture

TCP payloads on port 25565 have the following binary structure:

  • Bytes [0:1] – Size of packet
  • Bytes [1:2] – Login Start command
  • Bytes [2:3] – Size of username
  • Bytes [3:18] – Username string

The env lookup embedded in the username is processed by the Log4j 2 library on the server, which causes abnormal consumption of system resources (this is not related to the Log4Shell vulnerability), demonstrating a specific and highly efficient DDoS method.
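As an added example (not code from the blog post or from Microsoft), the following Python parser decodes the Login Start packet layout described above and flags a username carrying a ${...} lookup, which a server-side proxy or network sensor could use to drop such logins before Log4j ever processes the name. It generalizes the single-byte size fields shown above to full VarInt decoding; the Login Start packet ID of 0x00 is assumed, and the sample payloads are constructed here rather than taken from the capture in Figure 5.

```python
import re

LOGIN_START_ID = 0x00                      # assumed serverbound packet ID for Login Start (login state)
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")     # Log4j-style lookup such as ${env:...:-a}
VALID_NAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")  # shape of a legitimate Minecraft username


def read_varint(buf: bytes, offset: int) -> tuple[int, int]:
    """Decode a Minecraft VarInt (7 data bits per byte, continuation bit 0x80).

    Returns (value, offset_after_varint). A single-byte VarInt is the
    'Bytes [0:1]' / 'Bytes [2:3]' size field described in the post.
    """
    value, shift = 0, 0
    while True:
        if offset >= len(buf):
            raise ValueError("truncated VarInt")
        byte = buf[offset]
        offset += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, offset
        shift += 7
        if shift > 28:
            raise ValueError("VarInt longer than 5 bytes")


def parse_login_start(payload: bytes) -> dict:
    """Parse one Login Start packet and report whether its username looks like MCCrash."""
    length, off = read_varint(payload, 0)          # bytes [0:1]: size of packet
    if off + length > len(payload):
        raise ValueError("packet length exceeds payload")
    packet_id, off = read_varint(payload, off)     # bytes [1:2]: Login Start command
    if packet_id != LOGIN_START_ID:
        raise ValueError(f"not a Login Start packet (id {packet_id:#x})")
    name_len, off = read_varint(payload, off)      # bytes [2:3]: size of username
    username = payload[off:off + name_len].decode("utf-8")  # bytes [3:3+name_len]: username
    suspicious = bool(LOOKUP_RE.search(username)) or not VALID_NAME_RE.match(username)
    return {"length": length, "username": username, "suspicious": suspicious}


# Constructed sample payloads (not captures from the post): a 15-byte MCCrash-style
# username, so the name occupies bytes [3:18] as in Figure 5, and a benign login.
MCCRASH_SAMPLE = b"\x11\x00\x0f${env:AAAAA:-a}"
BENIGN_SAMPLE = b"\x07\x00\x05Steve"

if __name__ == "__main__":
    for sample in (MCCRASH_SAMPLE, BENIGN_SAMPLE):
        print(parse_login_start(sample))
```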

A wide range of Minecraft server versions could be affected

While testing the impact of the malware, researchers found that the malware itself was hardcoded to target a specific version of Minecraft server, 1.12.2. However, all versions between 1.7.2 and 1.18.2 can be affected by this method of attack. There is a slight modification in the Minecraft protocol in server version 1.19, which was released earlier in 2022, that prevents the use of the Minecraft-specific commands (ATTACK_MCCRASH, ATTACK_[MCBOT|MINE], and ATTACK_MCDATA) without modification of the attack code.

A pie chart that presents the distribution of Minecraft servers based on their version.
Figure 6. Distribution of Minecraft servers by version
A geographical map that presents the countries where Minecraft servers that can be affected by MCCrash are located. Countries with servers that can be affected are highlighted on the map in blue.
Figure 7. Distribution of Minecraft servers that could be affected by MCCrash

The wide range of at-risk Minecraft servers highlights the impact this malware could have had if it had been specifically coded to affect versions beyond 1.12.2. The unique ability of this threat to enlist IoT devices, which are often not monitored, into the botnet substantially increases its impact and reduces its chances of being detected.

Protecting endpoints from cross-platform DDoS botnets like MCCrash

To harden devices and networks against threats like MCCrash, organizations must implement the basics to secure identities and their devices, including access limitation. Solutions must detect downloads of malicious programs and malicious attempts to gain access to SSH-enabled devices, and generate alerts on anomalous network behavior. Below are some of our recommendations for organizations:

  • Ensure employees are not downloading cracking tools as these are abused as an infection source for spreading malware.
  • Increase network security by enforcing multi-factor authentication (MFA) methods such as Azure Active Directory (now part of Microsoft Entra) MFA. Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.

    Microsoft 365 Defender protects against attacks related to botnets by coordinating threat data across identities, endpoints, cloud apps, email, and documents. Such cross-domain visibility allows Microsoft 365 Defender to comprehensively detect and remediate end-to-end attack chains—from malicious downloads to their follow-on activities on endpoints. This rich set of tools, such as advanced hunting, lets defenders surface threats and gain insights for hardening networks against compromise.
  • Adopt a comprehensive IoT security solution such as Microsoft Defender for IoT to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender. Defender for IoT is updated regularly with indicators of compromise (IoCs) from threat research like the example described in this blog, alongside rules to detect malicious activity.

    On the IoT device level:
    • Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.
    • Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.
    • Use least privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.
  • For users hosting private Minecraft servers, update to version 1.19.1 and above.
  • Adopt a comprehensive Windows security solution
    • Manage the apps your employees can use through Windows Defender Application Control and, for unmanaged devices, enable Smart App Control.
    • For commercial customers, enable application and browser controls such as Microsoft Defender Application Guard for enhanced protection for Office and Edge.
    • Perform timely cleanup of all unused and stale executables sitting on your organizations’ devices.
    • Protect against advanced firmware attacks by enabling memory integrity, Secure Boot, and Trusted Platform Module 2.0, if not enabled by default, which hardens boot using capabilities built into modern CPUs.

Indicators of compromise (IOCs)

  • repo[.]ark-event[.]net

Detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects the malware used in this attack as the following:

  • TrojanDownloader:MSIL/MCCrash.NZM!MTB
  • Trojan:Win32/MCCrash.MA!MTB
  • TrojanDownloader:Python/MCCrash!MTB
  • Trojan:Python/MCCrash.A
  • TrojanDownloader:Linux/MCCrash!MTB
  • Trojan:Python/MCCrash.RPB!MTB
  • Trojan:Python/MCCrash.RPC!MTB

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:

  • Emerging threat activity group DEV-1028 detected
  • System file masquerade
  • Anomaly detected in ASEP registry
  • Suspicious process launched using cmd.exe
  • Suspicious file launch

Microsoft Defender for IoT

MCCrash-related activity on IoT devices would raise the following alerts in Microsoft Defender for IoT:

  • Unauthorized SSH access
  • Excessive login attempts

Microsoft Defender for Cloud

Microsoft Defender for Cloud raises the following alert for related activity:

  • VM_SuspectDownload

Advanced hunting queries

Microsoft 365 Defender

Run the following queries to search for related files in your environment:

DeviceFileEvents
| where SHA256 in ("e3361727564b14f5ee19c40f4e8714fab847f41d9782b157ea49cc3963514c25","143614d31bdafc026827e8500bdc254fc1e5d877cb96764bb1bd03afa2de2320","f9c7dd489dd56e10c4e003e38428fe06097aca743cc878c09bf2bda235c73e30","4e65ec5dee182070e7b59db5bb414e73fe87fd181b3fc95f28fe964bc84d2f1f","eb57788fd2451b90d943a6a796ac5e79f0faf7151a62c1d07b744a351dcfa382","93738314c07ea370434ac30dad6569c59a9307d8bbde0e6df9be9e2a7438a251","202ac3d32871cb3bf91b7c49067bfc935fbc7f0499d357efead1e9f7f5fcb9d1")

DeviceFileEvents
| where FolderPath endswith @":\windows\svchost.exe"

DeviceRegistryEvents
| where RegistryKey contains "CurrentVersion\\Run"
| where RegistryValueName == "br" or RegistryValueData contains "svchost.exe" or RegistryValueData contains "svchosts.exe"

DeviceProcessEvents
| where FileName in~ ("cmd.exe", "powershell.exe")
| where ProcessCommandLine has_all ("-command", ".downloadfile(", "windows/svchost.exe")

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytic to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

To supplement this indicator matching, customers can use the following queries against data ingested into their workspaces to help find devices with exposed SSH endpoints, and devices that might be under SSH brute force attempts.

Potential SSH brute force attempt: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Syslog/ssh_potentialBruteForce.yaml

Exposed critical ports in Azure: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDiagnostics/CriticalPortsOpened.yaml

David Atch, Maayan Shaul, Mae Dotan, Yuval Gordon, Microsoft Defender for IoT Research Team

Ross Bevington, Microsoft Threat Intelligence Center (MSTIC)

The post MCCrash: Cross-platform DDoS botnet targets private Minecraft servers appeared first on Microsoft Security Blog.

]]>