The key to fighting ransomware at scale is Microsoft’s unwavering commitment to simplifying, automating, and augmenting security analyst workstreams to meet the demands of today’s and tomorrow’s cyberthreat environment. We are excited to announce that Gartner has named Microsoft a Leader in the 2024 Gartner^® Magic Quadrant™ for Endpoint Protection Platforms for the fifth consecutive time. We believe this announcement reflects Microsoft’s continued progress in helping organizations protect their endpoints against even the most sophisticated attacks, while driving continued efficiency for security operations center (SOC) teams.

Microsoft Defender for Endpoint is an endpoint security platform that helps organizations secure their digital estate using AI-powered, industry-leading endpoint detection and response across Windows, Linux, macOS, Android, iOS, and Internet of Things (IoT) devices. It is core to Microsoft Defender XDR and built on global threat intelligence—informed by more than 78 trillion daily signals and more than 10,000 security experts—empowering security teams to fend off sophisticated threats.²

Our customers and partners have been an invaluable part of this multiyear journey, and we are grateful for both their business and their partnership. Read the complimentary report providing more details on our positioning as a Leader.

Microsoft Defender for Endpoint is built from the ground up with operational resilience in mind. It starts with our agent architecture that follows best practices for Windows by limiting its reliance on kernel mode while protecting customers in real-time. It does not load content updates from files in the kernel mode driver. As an added safeguard, we deliver updates to customers applying Microsoft’s long-established safe deployment practices (SDP) model. Customers have full control over how these updates are delivered and how controls are applied to their device estate. This model of shared control helps provide security and resiliency. 

Over the last 12 months, Microsoft has delivered significant innovations that have helped defenders gain the upper hand against cyberthreats including: improved attack disruption, Microsoft Copilot for Security, a new Linux agent, simplified settings management, the unified security operations platform and Microsoft Defender Experts for XDR.

Automatic attack disruption, unique to Microsoft, is a self-defense capability that stops in-progress cyberattacks by analyzing the attacker’s intent, identifying compromised assets, and isolating or disabling assets like users or devices at machine speed. For example, in July 2024 we discovered the CVE-2024-37085 vulnerability. Numerous ransomware operators exploited it to encrypt the entire file system and move laterally in the network. Attack disruption fends off such sophisticated ransomware attempts by blocking lateral movement and remote encryption in a decentralized way across all your device estate—in just three minutes on average.³ This is a capability that Microsoft continues to invest in to disrupt more scenarios even earlier in the cyberattack chain.  

Microsoft Copilot for Security is the industry’s first generative AI that empowers security teams to protect at the speed and scale of AI, generally available as of April 2024. Embedded within the Defender XDR experience, it assists analysts by providing enriched context for faster and smarter decisions. It accelerates investigation, containment, and remediation with prescriptive step-by-step guidance. Analysts can now easily understand attacker actions with intuitive script analysis and launch complex Kusto Query Language (KQL) queries using plain language. The results from a randomized controlled trial based on 147 security professionals showed significant efficiency gains including speed and quality improvements when using Copilot for Security. Security professionals were up to 22% faster across all tasks, and more than 93% of users wanted to use Copilot again.

A new Linux agent has been built from scratch, using eBPF sensor technology to deliver the performance and stability needed for mission-critical server workloads while providing visibility into cyberthreats. We continue prioritizing innovations across every type of endpoint from Windows, Linux, macOS, iOS, Android, and IoT to provide the holistic endpoint security that organizations need.

Simplified setup and change management help analysts configure devices correctly to minimize threat exposure. With the general availability of simplified settings management, SOC analysts can manage security policies without leaving the Defender XDR portal.

Unified security operations platform brings the foundational tools a SOC needs into a single experience, with a consistent data model, unified capabilities, and broad protection. This unification helps SOCs close critical security gaps and streamline their operations, delivering better overall protection, reducing their response time, and improving overall efficiency. Defender for Endpoint is core to this platform, which combines “the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and generative AI for security.” By working seamlessly across Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot for Security, security analysts need only a single set of automation rules and playbooks. Plus, they can use plain language to execute complex tasks in an instant with Copilot for Security embedded in the platform.

Microsoft Defender Experts for XDR gives your security team coverage with around-the-clock access to Microsoft expertise. Recognizing that sophisticated cyberthreats go beyond the endpoint, Microsoft offers Microsoft Defender Experts for XDR. This managed service is available 24 hours a day, 7 days a week, helping organizations extend their SOC team to fully triage events and respond to incidents across domains.

Thank you to all our customers. You inspire us as together we work to create a safer world.

Learn more

If you’re not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to evaluate our leading endpoint protection platform. 

Are you a regular user of Microsoft Defender for Endpoint? Review your experience on Gartner Peer Insights™ and get a $25 gift card.    

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹2024 Microsoft Digital Defense Report. Publishing October 15, 2024.

²Microsoft Digital Defense Report, Microsoft. 2023.

³Get end-to-end protection with Microsoft’s unified security operations platform, now in public preview, Rob Lefferts. April 3, 2024.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Franz Hinner, Deepak Mishra, Satarupa Patnaik, Chris Silva, September 23, 2024. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, MAGIC QUADRANT and PEER INSIGHTS are registered trademarks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

The post ​​Microsoft is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms appeared first on Microsoft Security Blog.

OpenVPN is widely used by thousands of companies spanning various industries across major platforms such as Windows, iOS, macOS, Android, and BSD. As such, exploitation of the discovered vulnerabilities, which affect all versions of OpenVPN prior to version 2.6.10 (and 2.5.10), could put endpoints and enterprises at significant risk of attack.

We reported the discovery to OpenVPN through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in March 2024 and worked closely with OpenVPN to ensure that the vulnerabilities are patched. Information on the security fixes released by OpenVPN to address these vulnerabilities can be found here: OpenVPN 2.6.10. We strongly urge OpenVPN users to apply the latest security updates as soon as possible. We also thank OpenVPN for their collaboration and recognizing the urgency in addressing these vulnerabilities.

Below is a list of the discovered vulnerabilities discussed in this blog:

In this blog post, we detail our analysis of the discovered vulnerabilities and the impact of exploitation. In addition to patching, we provide guidance to mitigate and detect threats attempting to exploit these vulnerabilities. This research emphasizes the need for responsible disclosure and collaboration among the security community to defend devices across platforms and build better protection for all, spanning the entire user-device ecosystem. The discovery of these vulnerabilities further highlights the critical importance of ensuring the security of enterprise and endpoint systems and underscores the need for continuous monitoring and protection of these environments.

What is OpenVPN?

OpenVPN is a virtual private network (VPN) system that creates a private and secure point-to-point or site-to-site connection between networks. The OpenVPN open-source project is widely popular across the world, including the United States, India, France, Brazil, the United Kingdom, and Germany, as well as industries spanning the information technology, financial services, telecommunications, and computer software sectors. This project supports different major platforms and is integrated into millions of devices globally.

OpenVPN is also the name of the tunneling protocol it uses, which employs the Secure Socket Layer (SSL) encryption protocol to ensure that data shared over the internet remains private, using AES-256 encryption. Since the source code is available for audit, vulnerabilities can be easily identified and fixed.

OpenVPN analysis

We discovered the vulnerabilities while examining the OpenVPN open-source project to enhance enterprise security standards. During this research, we checked two other popular VPN solutions and found that at the time they were impacted by a vulnerability (CVE-2024-1305). Following this discovery, we started hunting for and uncovered additional vulnerable drivers with the same issue and decided to investigate open-source VPN projects. Upon confirming that the same vulnerability was located in the OpenVPN open-source repository, our research then focused on examining the architecture and security model of the OpenVPN project for Windows systems.

OpenVPN architecture

OpenVPN server client architecture

OpenVPN is a sophisticated VPN system meticulously engineered to establish secure point-to-point or site-to-site connections. It supports both routed and bridged configurations, as well as remote access capabilities, making it a versatile choice for various networking needs. OpenVPN comprises both client and server applications, ensuring a comprehensive solution for secure communication.

With OpenVPN, peers can authenticate each other through multiple methods, including pre-shared secret keys, certificates, or username/password combinations. In multi-client server environments, the server can generate and issue an individual authentication certificate for each client, leveraging robust digital signatures and a trusted certificate authority. This ensures an elevated level of security and integrity in the authentication process, enhancing the overall reliability of the VPN connection. 

Client-side architecture

The client-side architecture is where we discovered the additional three vulnerabilities (CVE-2024-27459, CVE-2024-24974, and CVE-2024-27903):

OpenVPN’s client architecture can be summarized in the following simplified diagram:

openvpnserv.exe and openvpn.exe

The system service launches elevated commands on behalf of the user, handling tasks such as adding or deleting DNS configurations, IP addresses, and routes, and enabling Dynamic Host Configuration Protocol (DHCP). These commands are received from the openvpn.exe process through a named pipe created for these two entities, such as “openvpn/service_XXX” where XXX is the thread ID (TID) that is being passed to the newly created process as a command line argument.

The launched commands arrive in the form of a binary structure that contains the relevant information for the specific command, with the structure being validated and only then launching the appropriate command. The below figure displays an example of the structure that contains information for adding/deleting DNS configuration:

Additionally, openvpnserv.exe serves as the management unit, spawning openvpn.exe processes upon requests from different users on the machine. This can be done automatically using the OpenVPN GUI or by sending specifically crafted requests. Communication for this process occurs through a second named pipe, such as “openvpn/service”.

Openvpn.exe is the user mode process being spawned on behalf of the client. When openvpn.exe starts, it receives a path for a configuration file (as a command line argument). The configuration file that’s provided holds different information.

A lot of fields can be managed in configuration files, such as:

1. Tunnel options
2. Server mode options
3. Client mode options

Plugin mechanism in openvpn.exe

Another mechanism of interest for us is the plugin mechanism in openvpn.exe, which can extend the functionality to add additional logic, such as authentication plugins to bring authentication against Lightweight Directory Access Protocol (LDAP) or Radius or other Pluggable Authentication Module
(PAM) backends. Some of the existing plugins are:

1. Radiusplugin – Radius authentication support for open OpenVPN.
2. Eurephia – Authentication and access control plugin for OpenVPN.
3. Openvpn_defer_auth – OpenVPN plugin to perform deferred authentication requests.

The plugin mechanism fits into the earlier diagram, as shown in Figure 2.

The plugin is loaded as a directive in the configuration file, which looks like:

Furthermore, the number of callbacks defined in the plugin launch on behalf of the loading process (openvpn.exe), such as:

1. openvpn_plugin_func_v1 – This function is called by OpenVPN each time the OpenVPN reaches a point where plugin calls should happen.
2. openvpn_plugin_{open, func}_v3() – Defines the version of the v3 plugin argument.

OpenVPN security model

As previously mentioned, we discovered four vulnerabilities on the client side of OpenVPN’s architecture.

As described before, openvpnserv.exe (SYSTEM service) spawns the openvpn.exe process as a result of the request from the user. Furthermore, the spawned process runs in the context of the user who requested to create the new process, which is achieved through named pipe impersonation, as displayed in the below image:

The ImpersonateNamedPipeClient function impersonates a named pipe client application.

Furthermore, to prevent unwanted behavior, specific EXPLICIT_ACCESS must be granted for any new process:

This explicit access, in addition to the earlier described “elevated commands” launched by openvpnserv.exe on request from the openvpn.exe process, and other comprehensive inspection of the passed arguments  ensure that malicious behavior cannot be launched in the name of the impersonated user.

Vulnerability analysis

CVE-2024-1305    

We identified a vulnerability in the “tap-windows6” project that involves developing the Terminal Access Point (TAP) adapter used by OpenVPN. In the project’s src folder, the device.c file contains the code for the TAP device object and its initialization.

In the device.c file, the CreateTapDevice method initializes a dispatch table object with callbacks for methods managing various Input/Output Controls (IOCTLs) for the device. One of these methods is TapDeviceWrite, which handles the write IOCTL.

The TapDeviceWrite method performs several operations and eventually calls TapSharedSendPacket. This method, in turn, calls NdisAllocateNetBufferAndNetBufferLists twice. In one scenario, it calls this function with the fullLength parameter, defined as follows:

Both PacketLength and PrefixLength are parameters passed from the TapDeviceWrite call and, therefore, attacker controlled. If these values are large enough, their sum (fullLength) can overflow (a 32-bit unsigned integer). This overflow results in the allocation of a smaller-than-expected memory size, which subsequently causes a memory overflow issue.

CVE-2024-27459  

The second vulnerability that we discovered resided in the communication mechanism between the openvpn.exe process and the openvpnserv.exe service. As described earlier, both of which communicate through a named pipe:

The openvpnserv.exe service will read the message size in an infinite loop from the openvpn.exe process and then handle the message received by calling the HandleMessage method. The HandleMessage method reads the size provided by the infinite loop and casts the read bytes into the relevant type accordingly:

This communication mechanism presents an issue as reading the “user” provided number of bytes on to an “n bytes” long structure located on the stack will produce a stack overflow vulnerability.

CVE-2024-24974  

The third vulnerability involves unprivileged access to an operating system resource. The openvpnserv.exe service spawns a new openvpn.exe process based on user requests received through the “\\openvpn\\service” named pipe. This vulnerability allows remote access to the named service pipe, enabling an attacker to remotely interact with and launch operations on it.

CVE-2024-27903  

Lastly, we identified a vulnerability in OpenVPN’s plugin mechanism that permits plugins to be loaded from various paths on an endpoint device. This behavior can be exploited by attackers to load harmful plugins from these different paths.

Exploiting and chaining the vulnerabilities

All the identified vulnerabilities can be exploited once an attacker gains access to a user’s OpenVPN credentials, which could be accomplished using credential theft techniques, such as purchasing stolen credentials on the dark web, using info-stealing malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them. The discovered vulnerabilities could then be combined to achieve different exploitation results, or chained together to form a sophisticated attack chain, as detailed in the below sections.

RCE exploitation

We first explored how an attacker could achieve remote code execution (RCE) exploitation using CVE-2024-24974 and CVE-2024-27903.

To successfully exploit these vulnerabilities and achieve RCE, an attacker must first obtain an OpenVPN user’s credentials. The attacker’s device must then launch the NET USE command with the stolen credentials to remotely access the operating system resources and grant the attacker access to the named pipes objects devices.

Next, the attacker can send a “connect” request to the “\\openvpn\\service” named pipe to launch a new instance of openvpn.exe on its behalf.

In the request, a path to a configuration file (\\\\DESKTOP-4P6938I\\share\\OpenVPN\\config\\sample.ovpn) is specified that’s located on the attacker-controlled device. A log path is also provided into which the loaded plugin will write its logs (“–log \\\\\{TARGET_MACHINE_PLACEHOLDER}\\share\\OpenVPN\\log\\plugin_log.txt\).

The provided configuration has instructions to load malicious plugin, as such:

After successful exploitation, the attacker can read the log provided on the attacker-controlled device.

LPE exploitation

Next, we investigated how an attacker could achieve local privilege execution (LPE) using CVE-2024-27459 and CVE-2024-27903. To successfully achieve an LPE exploit in this context, an attacker must load a malicious plugin into the normal launching process of openvpn.exe by using a malicious configuration file.

First, the attacker will connect to a local device “\\openvpn\\service” named pipe with a command that instructs openvpnserv.exe to launch openvpn.exe based on the attacker-provided malicious configuration.

The malicious configuration will include a line like the below example:

For the malicious plugin to successfully communicate with openvpnserv.exe, it must hijack the number of the handle used by openvpn.exe to communicate with the inner named pipe connecting the openvpv.exe process and the openvpnserv.exe service. This can be achieved, for instance, by parsing command line arguments, as displayed below:

This works because when the openvpn.exe process spawns, it’s being passed the TID (as a command line argument) that the inner named pipe (which is being used for communication between this specific OpenVPN instance and the openvpnserv.exe service) will have. For instance, if the inner named pipe created is “\\openvpn\\service_1234” then openvpn.exe will be launched with an extra argument of 1234.

Next, attackers can exploit the stack overflow vulnerability by sending data bigger than the MSG structure. It is important to note that there are stack protection mechanisms in place, called stack canaries, which make exploitation much more challenging. Thus, when triggering the overflow:

After the crash of openvpnserv.exe, the attacker has a slot of time in which they can reclaim the named pipe “\\openvpn\\service”.

If successful, the attacker then poses as the server client side of the named pipe “\\openvpn\\service”. From that moment on, every attempt to connect to the “\\openvpn\\service” named pipe will result in a connection to the attacker. If a privileged enough user, such as a SYSTEM or Administrator user, is connected to the named pipe, the attacker can impersonate that user:

The attacker can then start an elevated process on the user’s behalf, thus achieving LPE.

Chaining it all together

As our research demonstrated, an attacker could leverage at least three of the four discovered vulnerabilities to create exploits to achieve RCE and LPE, which could then be chained together to create a powerful attack chain.

A number of adjustments are needed for the full attack chain to be exploited as presented in this blog post, mainly the malicious payload that crashes openvpnserv.exe and the malicious payload that actually behaves as openvpnserv.exe after openvpnserv.exe is crashed all have to be loaded with the malicious plugin. After successfully achieving LPE, attackers will use different techniques, such as Bring Your Own Vulnerable Driver (BYOVD) or exploiting known vulnerabilities, to achieve a stronger grasp of the endpoint. Through these techniques, the attacker can, for instance, disable Protect Process Light (PPL) for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system’s core functions, further entrenching their control and avoiding detection.

Critical importance of endpoint security in private and enterprise sectors

With OpenVPN being widely used across various vendors, industries, and fields, the presented vulnerabilities may impact numerous sectors, device types, and verticals. Exploiting these vulnerabilities requires user authentication, a deep understanding of OpenVPN’s inner workings, and intermediate knowledge of the operating system. However, a successful attack could significantly impact endpoints in both the private and enterprise sectors. Attackers could launch a comprehensive attack chain on a device using a vulnerable version of OpenVPN, achieving full control over the target endpoint. This control could enable them to steal sensitive data, tamper with it, or even wipe and destroy critical information, causing substantial harm to both private and enterprise environments.

The discovery of these vulnerabilities underscores the importance of responsible disclosure to secure enterprise and endpoint systems, in addition to the collective efforts of the security community to protect devices across various platforms and establish stronger safeguards for everyone. We would like to again thank OpenVPN for their partnership and swift action in addressing these vulnerabilities.

Mitigation and protection guidance

OpenVPN versions prior to 2.5.10 and 2.6.10 are vulnerable to discussed vulnerabilities.

It is recommended to first identify if a vulnerable version is installed and, if so, immediately apply the relevant patch found here: OpenVPN 2.6.10.

Additionally, follow the below recommendations to further mitigate potential exploitation risks affiliated with the discovered vulnerabilities:

• Apply patches to affected devices in your network. Check the OpenVPN website for the latest patches.
• Make sure OpenVPN clients are disconnected from the internet and segmented.
• Limit access to OpenVPN clients to authorized users only. 
• Due to the nature of the CVEs, which still require a username and password, prioritizing patching is difficult. Reduce risk by ensuring proper segmentation, requiring strong usernames and passwords, and reducing the number of users that have writing authentication.

Microsoft Defender XDR detections

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert can indicate associated threat activity:

• Suspicious OpenVPN named pipe activity

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

• CVE-2024-27459
• CVE-2024-24974
• CVE-2024-27903
• CVE-2024-1305

Microsoft Defender for IoT

Microsoft Defender for IoT raises alerts for the following vulnerabilities, exploits, and behavior associated with this threat:

• Suspicion of Malicious Activity

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

This query identifies connection to OpenVPN’s named pipe from remote host:

DeviceEvents  
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields=parse_json(AdditionalFields)
| extend PipeName=JsonAdditionalFields["PipeName"]
| where PipeName == "\\Device\\NamedPipe\\openvpn\\service" and isnotempty( RemoteIP) 

This query identifies image load into OpenVPN’s process from share folder:

DeviceImageLoadEvents 
|where InitiatingProcessFileName == "openvpn.exe" and FolderPath startswith "\\\\"

This query identifies process connect to OpenVPN’s named pipe as server which it is not openvpnserv.exe:

DeviceEvents  
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields=parse_json(AdditionalFields)
| extend PipeName=JsonAdditionalFields["PipeName"], NamedPipeEnd=JsonAdditionalFields["NamedPipeEnd"]
|where PipeName == "\\Device\\NamedPipe\\openvpn\\service" and NamedPipeEnd == "Server" and InitiatingProcessFileName != "openvpnserv.exe"

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

List of devices with OpenVPN vulnerabilities

DeviceTvmSoftwareVulnerabilities
| where OSPlatform contains "Windows"
| where CveId in ("CVE-2024-27459","CVE-2024-24974","CVE-2024-27903","CVE-2024-1305") 
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Named pipe creation activity of OpenVPN

let PipeNames = pack_array('\\openvpn/service','\\openvpn/service_','openvpn','openvpn/service','\\openvpn\\service_');
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == "NamedPipeEvent"
| where ProcessCommandLine contains "openvpn.exe" or InitiatingProcessCommandLine contains "openvpn.exe"
| extend Fields=parse_json(AdditionalFields)
| where Fields.FileOperation == "File created"
| where Fields.PipeName has_any (PipeNames)
| project TimeGenerated,ActionType,DeviceName,InitiatingProcessAccountDomain,InitiatingProcessAccountName,InitiatingProcessFolderPath,
InitiatingProcessCommandLine,ProcessCommandLine,Fields.FileOperation,Fields.PipeName

Vladimir Tokarev

Microsoft Threat Intelligence Community

References

• https://blackhat.com/us-24/briefings/schedule/#ovpnx–zero-days-leading-to-rce-lpe-and-kce-via-byovd-affecting-millions-of-openvpn-endpoints-across-the-globe-38900
• https://enlyft.com/tech/products/openvpn
• https://github.com/OpenVPN/openvpn/blob/v2.6.10/Changes.rst
• https://github.com/OpenVPN/openvpn/blob/v2.5.10/Changes.rst
• https://forums-new.openvpn.net/forum/announcements/69-release-openvpn-version-2-6-10
• https://openvpn.net/community-downloads/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27459
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24974
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27903
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1305
• https://openvpn.net/as-docs/site-to-site-routing.html#site-to-site-routing
• https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
• https://github.com/OpenVPN/openvpn/blob/master/include/openvpn-plugin.h.in
• https://www.lifewire.com/net-use-command-2618096
• https://wikipedia.org/wiki/Stack_buffer_overflow#Stack_canaries
• https://community.openvpn.net/openvpn/wiki/Downloads
• https://www.cisa.gov/secure-our-world/use-strong-passwords

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE appeared first on Microsoft Security Blog.

PanelView Plus devices are graphic terminals, also known as human machine interface (HMI) and are used in the industrial space. These vulnerabilities can significantly impact organizations using the affected devices, as attackers could exploit these vulnerabilities to remotely execute code and disrupt operations.

We shared these findings with Rockwell Automation through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in May and July 2023. Rockwell published two advisories and released security patches in September and October 2023. We want to thank the Rockwell Automation product security team for their responsiveness in fixing this issue. We highly recommend PanelView Plus customers to apply these security patches.

The discovered vulnerabilities are summarized in the table below:

In this blog post, we will focus on the technical details of the CVE-2023-2071 remote code execution vulnerability and how it was discovered, as well as provide an overview of the protocol used for both the RCE and DoS vulnerabilities. Additionally, we will offer technical details about the vulnerability and demonstrate the exploitation method. By sharing this research with the larger security community, we aim to emphasize the importance of collaboration in the effort to secure platforms and devices.

Suspicious remote registry query

One of the primary responsibilities of the Microsoft Defender for IoT research team is to ensure that the product properly analyzes various operational technology (OT) and Internet of Things (IoT) protocols. During this process, we observed a legitimate packet capture of two devices communicating using the Common Industrial Protocol (CIP), with one device sending a request containing a path to a registry value named “ProductCode,” and the other device responding with what appeared to be the product code value. The lack of encryption and absence of prior authentication in the communication raised concerns, as it appeared to involve a remote registry query. Further investigation revealed that the requesting device was an engineering workstation, and the responding device was an HMI – specifically, PanelView Plus.

We hypothesized that this remote registry querying functionality could be abused by querying system keys to access secrets or even gain remote control. To validate this hypothesis, we needed to locate the code responsible for this functionality. Since the two devices communicated using the CIP, our first step was to understand the protocol in depth.

Object-oriented protocol for industrial automation applications

CIP is an industrial protocol designed for industrial automation applications. Various vendors in the industrial sector utilize this protocol, and the communication we observed took place over Ethernet/IP – a protocol that adapts CIP to standard Ethernet.

According to the official CIP documentation: “A CIP node is modeled as a collection of Objects. (…) A Class is a set of Objects that all represent the same kind of system component. An Object Instance is the actual representation of a particular Object within a Class.”

From this description, we can deduce that CIP is an object-oriented protocol, where messages are directed towards specific objects, identified by their Class ID and Object Instance ID. Additionally, the term “Service Code” is defined as: “An integer identification value which denotes an action request that can be directed at a particular object instance or object attribute”. Therefore, when messaging an object, we should also specify a Service Code, which informs the object what action it should perform.

The CIP specification outlines common Class IDs and Service IDs, as well as ranges for vendor-specific IDs.

Returning to the packet capture, we observed that both Service ID and Class ID values were vendor specific. This means that to understand the meaning of these Class and Service IDs and locate the code responsible for the functionality, we must analyze the HMI firmware.

Firmware analysis

According to Rockwell Automation’s online resources, PanelView Plus HMIs operate on the Windows 10 IoT (or Windows CE for older versions) operating system. We were able to extract the DLLs and executables related to Rockwell Automation from the most recent firmware. There are several DLLs responsible for receiving different Class IDs and processing their requests, one of which is responsible for processing the Class ID we observed in the packet capture.

Upon examining the functionality associated with this Class ID, we confirmed that it is indeed responsible for querying the registry and sending the value in the response. However, we also discovered that the code managing this functionality performs input verification, allowing the reading of registry values only from specific Rockwell keys.

Potentially exploitable custom class

Although our initial hypothesis was proven incorrect, this finding allowed us to gain valuable insights into Rockwell’s process of handling different CIP classes. Additionally, we learned how to identify the classes that a specific DLL is responsible for processing. This knowledge leads us to our second hypothesis: there might be another custom class, managed by the same DLL as the one responsible for the registry class, that could be exploited to gain remote control of the device.

Remote code execution

We began analyzing the DLL that handles the custom CIP class for reading and writing registry keys and discovered that this DLL also manages two other undocumented custom CIP classes from Rockwell. We decided to investigate these classes further to determine if they could be exploited for our attack and help validate our hypothesis.

Custom class 1

The first class we examined had an intriguing functionality: it accepts a path to a DLL file, a function name, and a third parameter as input. It then loads the DLL using LoadLibrary and calls the specified function using GetProcAddress, passing the third parameter as an argument.

This seemed like a possible avenue for executing arbitrary code. However, there was a catch: the class included a verification function that checked if the DLL name was remotehelper.dll and if the function name was one of the predefined values. If these conditions were not met, the class would return an error and not execute the function.

Custom class 2

Next, we examined the second class found within the same DLL. This class allowed reading and writing files on the device. It also included a verification function, but it was more permissive: it only checked whether the path for reading/writing began with a specific string. We realized that this class could potentially be exploited by uploading a malicious DLL to the device and place it in almost any location.

Exploitation approach

Having gained a comprehensive understanding of the vulnerabilities, we had an idea of how an attacker could utilize the two custom classes to launch code remotely on the device. The idea was to compile a DLL compatible with Windows 10 IoT, the operating system of the device. This DLL would contain the code we wanted to run on the device and would be exported under the name GetVersion, which is one of the valid function names that can be invoked by custom class 1. We would then use custom class 2 to upload our DLL to the device, placing it in a random folder and naming it remotehelper.dll. Finally, we would execute it using custom class 1.

To further explore how the vulnerability can be exploited, we decided to leverage an existing function in the original remotehelper.dll file. We discovered that this file had an export called InvokeExe, which allowed running any executable file on the device. However, this function was not in the list of valid function names for custom class 1, so we could not use it directly. To overcome this obstacle, we patched the remotehelper.dll file and altered one of the valid export names to point to the InvokeExe function. We then uploaded our patched DLL to the device, placing it in a different folder than the original. Subsequently, we used custom class 1 to invoke our patched DLL and run cmd.exe, which granted us a command shell on the device. We confirmed that the exploit was successful and that we had gained full control of the device.

Mitigation and protection guidance

Microsoft recommends the following measures to help protect organizations from attacks that take advantage of the PanelView Plus vulnerabilities shared in this blog post:

• Apply patches to affected devices in your network. FactoryTalk View ME v12/v13 and FactoryTalk® Linx v6.20/v6.30 on PanelView Plus are vulnerable to the discovered vulnerabilities. It is recommended to first identify the devices in your network that are impacted by those vulnerabilities. It is also recommended to install the following patches on the device:
  • PN1645 | FactoryTalk View Machine Edition Vulnerable to Remote Code Execution
  • PN1652 | FactoryTalk® Linx Vulnerable to Denial-of-Service and Information Disclosure
• Make sure all critical devices, such as PLCs, routers, PCs, etc., are disconnected from the internet and segmented, regardless of whether they run Rockwell’s FactoryTalk View.  
• Limit access to CIP devices to authorized components only. 

To assist with identifying impacted devices, Microsoft released a tool for scanning and performing forensics investigation on Rockwell Rslogix devices as part of its arsenal of open-source tools available on GitHub.

Microsoft Defender for IoT detections

Microsoft Defender for IoT provides the following protection measures against these vulnerabilities, associated exploits, and other malicious behavior:  

• Defender for IoT detects and classifies devices that use CIP.  
• Defender for IoT raises alerts on unauthorized access to devices using CIP, and abnormal behavior in these devices.  
• Defender for IoT raises alerts if a threat actor attempts to exploit these vulnerabilities. Alert type: “Suspicion of Malicious Activity”.

Yuval Gordon
Microsoft Threat Intelligence Community

References

• https://www.odva.org/wp-content/uploads/2020/06/PUB00123R1_Common-Industrial_Protocol_and_Family_of_CIP_Networks.pdf
• https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1652.html
• https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1645%20.html

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Vulnerabilities in PanelView Plus devices could lead to remote code execution appeared first on Microsoft Security Blog.

OT systems, which control real-world critical processes, present a significant target for cyberattacks. These systems are prevalent across various industries, from building heating, ventilation, and air conditioning (HVAC) systems, to water supply and power plants, providing control over vital parameters such as speed and temperature in industrial processes. A cyberattack on an OT system could transfer control over these critical parameters to attackers and enable malicious alteration that could result in malfunctions or even complete system outages, either programmatically via the programmable logic controller (PLC) or using the graphical controls of the human machine interface (HMI).

Adding to the potential damage of attacks on OT systems are their often-lacking security measures, which make OT attacks not only attractive for attackers but also relatively easy to execute. Many OT devices, notwithstanding common security guidelines, are directly connected to the internet, making them discoverable by attackers through internet scanning tools. Once discovered by attackers, poor security configurations, such as weak sign-in passwords or outdated software with known vulnerabilities, could be further exploited to obtain access to the devices.

The attractiveness of OT systems and attackers’ capabilities against systems with weak configurations were demonstrated in the Israel-Hamas war, which was accompanied by a spike in cyberattacks, including from OT-focused actors. Shortly after October 7, the Telegram channels of several such actors broadcasted their attacks against OT systems associated with Israeli companies. These publications were often accompanied by images of purportedly compromised systems, which the threat actors presented as alleged evidence for the attacks.

Microsoft’s analysis of multiple attacks by these actors revealed a common attack methodology: focusing on internet-exposed, poorly secured OT devices. This report will illustrate this attack methodology using the high-profile case of the November 2023 attack against Aliquippa water plant, for which CISA released an advisory in December 2023. CISA attributed the attack to the Islamic Revolutionary Guard Corps (IRGC)-affiliated actor “CyberAv3ngers”, tracked by Microsoft as Storm-0784. Microsoft assesses that the same methodology has been utilized by other OT-focused threat actors in multiple other attacks as well.

The attacks conducted by OT-focused actors were not limited to public sector facilities but also affected private companies in various countries. While the public sector has been implored to implement proper risk management and protection of OT systems, the diversity of target profiles illustrates that ensuring OT security in the private sector is equally crucial. Recommendations for organizations to protect against similar attacks and improve the security posture of their OT systems can be found at the end of this report.

Spike in activity of OT threat actors

Shortly after the outbreak of the Israel-Hamas war, Microsoft has seen a rise in reports of attacker activity against OT systems with Israeli affiliation. This included activity by existing groups such as the IRGC-affiliated “CyberAv3ngers”, and the emergence of new groups such as the “CyberAv3ngers”-associated “Soldiers of Solomon”, and “Abnaa Al-Saada”, a cyber persona presenting itself as Yemeni. Microsoft tracks both “CyberAv3ngers” and its associated group “Soldiers of Solomon” as Storm-0784.

The systems targeted by these groups included both OT equipment deployed across different sectors in Israel, including PLCs and HMIs manufactured by large international vendors, as well as Israeli-sourced OT equipment deployed in other countries. The attacks were made public by the actors using their Telegram channels, on which they also posted images of the target systems to enhance purported credibility and present evidence for the attack.

Researching the threat actors in question, Microsoft has identified a typical target profile that attackers appeared to focus on: internet-exposed OT systems with poor security posture, potentially accompanied by weak passwords and known vulnerabilities.

The Aliquippa case: A high-profile OT attack

In late November 2023, the Aliquippa water plant was affected by a cyberattack that resulted in the outage of a pressure regulation pump on the municipal water supply line in Aliquippa, Pennsylvania. In addition to impairing functionality, the attack, which targeted a PLC-HMI system by Israeli manufacturer Unitronics, also defaced the device to display a red screen with the name and logo of the “CyberAv3ngers” actor. The US Department of Treasury sanctioned officials in the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) in relation to the attack.

Around the same time, multiple other attack cases on Unitronics systems were reported across the industry in other parts of the world, with targeted equipment displaying the same message: “Every equipment ‘made in Israel’ is a Cyber Av3ngers legal target“.

Microsoft analyzed the publicly available data on the Aliquippa incident to find the victim system and assess how it was compromised. Leveraging researchers’ intimate OT knowledge to interpret the limited details known to the public has enabled the identification of a specific machine that Microsoft believes to be the victim.

According to publicly accessible sources, the targeted system was exposed to the internet, and it suffered both defacement and the shutdown of the pump it controlled. Designated engines that map internet-connected devices and their associated services allowed Microsoft researchers to compile a list of internet-exposed Unitronics devices of the relevant model, which also had a dedicated control port open. This configuration could potentially allow to reprogram the device reprogramming, leading to the observed defacement and shutdown.

The analysis of contextual data narrowed the device profile list, identifying a specific system that could be the victim. This system was geographically situated near the Aliquippa station, with its PLC Name field set to “Raccoon Primary PLC”, consistent with the Aliquippa water station serving Potter and Raccoon townships, and also aligning with a photograph disseminated by the media, depicting a sign that reads “PRIMARY PLC” on the targeted system.

The data gathered throughout the research of the Aliquippa attack case highlights a trend: a common target profile of internet-exposed OT systems with a weak security posture that mirrors other attack cases.

Attacks representing a broader concerning trend

The CISA advisory that was released following the attacks in November 2023 described the profile of the targeted OT systems as being internet-exposed and having weak sign-in configurations. In May 2024, CISA released another advisory following the more recent attacks against the water sector, which showed that the victims had a similar profile. Again, OT systems that were left internet-exposed and had weak passwords were targeted by nation-state attackers, this time by pro-Russia activists.

While attacks on high-profile targets, especially in the public sector, often receive significant media attention, it’s important to recognize that the private sector and individual users may also be impacted. Notably, the Aliquippa water plant was just one victim in a series of attacks on Unitronics by “CyberAv3ngers”, which also expanded to the private sector. Screenshots of affected systems with the same red screen and message have been posted by users on the Unitronics forum claiming their equipment was attacked, with similar reports also showing on social media platform X. Following the incidents, a vulnerability was assigned for the Unitronics default password configuration (CVE-2023-6448), and a patch was issued by Unitronics to require users to fix the issue.  

The common target profile for the attack cases analyzed reflects what attackers do to pick an easily accessible and appealing target in the first place. Attackers can, and do, obtain visibility on OT devices that are open to the internet using search engines, identify vulnerable models and open communication ports, and then use the contextual metadata to identify devices that are of special interest, such as ICS systems in water plants or other critical facilities. At that point, a weak password or an outdated system with an exploitable vulnerability is all that stands between them and remote access to the system.

The growing attention from attackers towards OT systems, observed across various sectors, is particularly concerning due to inadequate security practices on these systems. The Microsoft Digital Defense Report 2023 highlights that 78% of industrial network devices on customer networks monitored by Microsoft Defender for IoT have known vulnerabilities. Among these, 46% utilize deprecated firmware, for which patches are no longer available, while the remaining 32% operate outdated systems with unpatched vulnerabilities. For devices that are patched, many still use default passwords or have no passwords at all. Microsoft collects statistics on the prevalence of username and password pairs seen used in Microsoft’s sensor network, as was shared in the Microsoft Digital Defense Report 2022. Such outdated and vulnerable systems present attractive targets for future attacks, particularly when coupled with internet connectivity and default passwords. In the next sections, we share recommendations for improving the security posture of OT systems to help prevent attacks.

Mitigation and protection guidance

The analysis of the attack claims in question reveals diverse target profiles. It is therefore vital for organizations of all different sectors to ensure security hygiene for their OT systems to prevent similar threats.

• Adopt a comprehensive IoT and OT security solution such as Microsoft Defender for IoT to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft Defender XDR.
• Enable vulnerability assessments to identify unpatched devices in the organizational network and set workflows for initiating appropriate patch processes through  Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint with the Microsoft Defender for IoT add-on.
• Reduce the attack surface by eliminating unnecessary internet connections to IoT devices and OT control systems. Verify that no OT system is directly connected to the internet, for example, through IoT routers or Cellular bridged (LTE or 3G). Close unnecessary open ports and services on their equipment, eliminating remote access entirely when possible, and restricting access behind a firewall or VPN when full elimination cannot be achieved.
• Implement Zero Trust practices by applying network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion. OT devices and networks should be isolated from IT with firewalls. Extend vulnerability and exposure control beyond the firewall with Microsoft Defender External Attack Surface Management. Turn on attack surface reduction rules in Microsoft Defender for Endpoint to prevent common attack techniques such as those used by ransomware groups.

Microsoft Defender for IoT detections

Microsoft Defender for IoT provides detections for suspicious behaviors of OT and IoT devices. Alerts related to internet access and modification of PLC behavior will detect activity of this type, such as:

• External address within the network communicated with Internet
• Internet Access Detected
• Unauthorized Internet Connectivity Detected
• Unauthorized PLC Program Upload
• Unauthorized PLC Programming

References

• IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities | CISA
• Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group – CBS Pittsburgh (cbsnews.com)
• Aliquippa Water Authority – Municipal Water Authority of Aliquippa
• Cyber group backed by Iran is taking credit for Pennsylvania water system cyberattack
• PLC Hacking – More Commonplace Than You Might Think – Best Programming Practices – Unitronics Support Forum: Programmable Controllers (PLC + HMI All-in-One)
• Full Pint Beer on X: “Ugh – the brewery control system received a CYBER ATTACK over the weekend!!! We are working to restore things to working order, kudos to the crew at @Brewmation for working with us over the Thanksgiving weekend! Thank goodness for backups! #cyberattack #automation #ransomware https://t.co/SNdXY9ne4h” / X
• NVD – CVE-2023-6448 (nist.gov)
• Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf (unitronicsplc.com)
• Iranian cyber attack targets Israeli tech used by several US bodies | The Times of Israel

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Exposed and vulnerable: Recent attacks highlight critical need to protect internet-exposed OT devices appeared first on Microsoft Security Blog.

To overcome this challenge, Microsoft released ICSpector, an open-source framework that facilitates the examination of the information and configurations of industrial programmable logic controllers (PLCs). This framework simplifies the process of locating PLCs and detecting any anomalous indicators that are compromised or manipulated. This can assist you in safeguarding the PLCs from adversaries who intend to harm or disrupt their operations. 

Many operational technology (OT) security tools based on network layer monitoring, such as Microsoft Defender for IoT, provide network protection for OT/IoT environments, allowing analysts to discover their devices and respond to alerts on vulnerabilities and anomalous behavior. However, one of the biggest challenges is retrieving the code running on the PLC and scanning it as part of an incident response to understand if it was tampered with. This act requires caution, because the PLCs are actively operating vital industrial process. This is where ICSpector can help individuals or facilities perform this task with best practices.

Industrial control systems in brief 

Industrial Control Systems (ICS) and Operational Technology (OT) are critical to modern society, powering everything from power grids and water treatment plants to manufacturing facilities and transportation systems. These systems typically rely on a combination of hardware and software components to perform their functions. Programmable logic controllers (PLCs) are used to manage and control the various processes within an industrial environment. As these systems become increasingly digitized and interconnected, they are also becoming more vulnerable to cyberattacks.  

Due to their critical role in ensuring the smooth operation of industrial processes, and the physical danger or extreme financial losses that could result if attacked, ICS devices are prime targets of cyberattacks, making ICS security an increasingly critical issue in today’s digital landscape. 

Figure 1: Known ICS-targeted cyberattacks that occurred between 2010 and 2022. (Image from Cyber Signals: Risks to critical infrastructure on the rise)

With ICS cyberattacks on the rise, facilities require a holistic solution to address the unique nature of critical infrastructure environments. A common threat involves ICS malware attempting to modify the controller program logic to disrupt operations and cause physical harm. 

Extracting data from a controller can be challenging, as it requires specialized expertise in communicating with the device and understanding the specific, and at many times proprietary, protocols used to transmit and store data. This expertise is critical for conducting forensic operations because investigators must be able to extract specific data from a controller to identify security risks and determine the root cause of issues. The challenges around securing OT and the potentially large impact from even one controller being infected in a critical environment, highlight the need for effective security measures and forensic tools to investigate and remediate incidents. 

Challenges in ICS forensics 

ICS forensics differs from standard IT forensics, because ICS environments possess distinctive features that distinguish them.  

Cybersecurity forensics in IT environments involves the collection, analysis, and preservation of digital evidence to identify the cause and extent of a security breach or cyberattack. This includes analyzing network traffic, logs, and system data to identify the source of the attack and to patch vulnerabilities. In contrast, forensics in OT environments involves analyzing ICS data, including data from sensors and controllers used in manufacturing and industrial settings. 

While OT communication protocols and execution methods are based on general principles, each vendor can implement its own protocol for data exchange and management. As a result, there is no universal protocol that applies to all controllers, and researchers must investigate each device separately, from its communication patterns to its internal data structure. 

Another challenge has to do with talent and tools. Because OT and IT environments were historically isolated and had distinct security operations center teams with different tools, most incident response specialists lack the expertise to analyze OT. And while the IT domain has a variety of forensics tools, such as Autopsy, The Sleuth Kit and FTK, the OT forensics domain is still emerging, lacks a common methodology, and requires OT experts to develop their own solutions. 

Specialized tools and techniques have started to emerge to address the unique challenges of conducting investigations in ICS environments. These include the Top 20 Secure PLC Coding Practices, specific OT protocols implementations available on GitHub, and paid tools for an overview of controller programs for a specific set of protocols. Notably missing from these options has been an open-source solution that provides a comprehensive implementation of OT protocols and gives forensics investigators the ability to analyze extracted data and drill down into informative and suspicious areas within the controller loaded project.  

ICSpector for industrial engineers and cybersecurity analysts 
Microsoft aspired to fill the gap in the market by creating the ICSpector framework. Written in Python and available on GitHub, ICSpector is a framework with tools that enable investigators to: 

• Scan their network for programmable logic controllers. 
• Extract project configuration and code from controllers. 
• Detect any anomalous components within ICS environments.  

Security experts can use these forensic artifacts to identify compromised devices as part of manual verification, automated monitoring of tasks, or during incident response. The framework’s modular, flexible design makes it convenient for investigators to customize it to their specific needs. 

The framework is composed of several components that can be developed and executed separately. The overall architecture is as follows:  

Figure 2: The main modules of the ICSpector framework architecture (left to right) are: input handling, network scanner, protocol plugin, data analyzer, and output.

The network scanner identifies devices that communicate in the supported OT protocol and ensures they are responsive, based on a provided IP subnet. Alternatively, a user can provide a specific IP list that was exported from OT security products such as MDIoT, and the network scanner will only verify these devices are connected before beginning data extraction. After feeding the plugin the list of available devices, it extracts the PLC project metadata and logic. Then, the analyzer converts the raw data into a human-readable form and extracts different logic to highlight areas of the project artifacts that usually indicate malicious activity. The framework lets each component run independently with the required input. You can easily modify each component, adapting the operation to current needs, such as introducing protocol changes and analysis methods or altering the output. With the framework, users gain an inventory of assets based on the protocol scanning ability. In the data extraction phase, you can create snapshots of the controller projects and then compare changes over time. 

Note: while the framework is not designed to disrupt the production process, due to the sensitive nature of ICS environments, we advise executing the data extracting component in a monitored environment. 

Figure 3: Anomalous artifacts that can be extracted by ICSpector include timestamps outliers, author information, tasks usage, network capabilities, and online vs. offline project compare.

The forensic analysis component of ICSpector allows to dive deep into malicious modifications of controller code. With the ICSpector framework, you can extract timestamp outliers indicating that someone changed the controller code at an unexpected time. Author information is provided as well to help detect suspicious code writers. You can extract network capabilities to surface unexpected communication ports and network libraries. Tasks are the code components responsible for the entire code execution, and the framework gives you an overview of the execution flow Tasks are data structures that trigger the execution of the PLC project, and the framework gives you an overview of existing tasks and their configuration. Additionally, the entire call graph is exported to obtain a clear view of the execution flow. Stuxnet, a sophisticated computer worm that was responsible for causing significant damage to Iran’s nuclear program in 2010, altered a cyclic task to monitor its malicious activities and added malicious logic to the main block of the program. Since the code running on the controller may differ from an engineer’s hard copy, the framework lets you compare the differences between the online and the offline code to catch malicious changes. All of these analysis capabilities could have helped detect the presence of Stuxnet in the network. 

Get started with ICSpector 
ICSpector is a novel solution that enables OT experts and cybersecurity analysts to enhance their reactive and proactive incident response capabilities in ICS environments. The OT cybersecurity community can participate in and benefit from security efforts in OT forensics, advancing our vision of better security practices in the OT field. 

ICSpector can be used in conjunction with Microsoft Defender for IoT, Microsoft Security’s solution for defending IoT and ICS/OT devices that maps out your OT network and alerts you of malicious activity. Defender for IoT, or any other OT security solution, can help with both proactive and reactive OT incident response. Try ICSpector to see how it could benefit your organization. Our how-to guide will walk you through the installation of the framework and explain the components and how to use them in your environment.  

Currently, the system supports three OT protocols: Siemens S7Comm, which is compatible with the S7-300/400 series, Rockwell RSLogix, using the Common Industrial Protocol, and Codesys V3, which is a widely used SDK for industrial control devices and is implemented by different vendors.   

We encourage you to contribute to the tool by adding new OT protocols and forensic logic. 

 
Learning about ICS basics, PLC programming and investigation methodologies can be done through the webinar, hosted by Microsoft Defender for IoT Research team. 

To get started with OT security, watch the “Introduction to ICS/OT Security” webinar series, hosted by Microsoft Security Community. 

The post ​​Investigating industrial control systems using Microsoft’s ICSpector open-source framework appeared first on Microsoft Security Blog.

CODESYS is compatible with approximately 1,000 different device types from over 500 manufacturers and several million devices that use the solution to implement the international industrial standard IEC (International Electrotechnical Commission) 611131-3. A DoS attack against a device using a vulnerable version of CODESYS could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices and let attackers tamper with operations, cause a PLC to run in an unusual way, or steal critical information. Exploiting the discovered vulnerabilities, however, requires user authentication, as well as deep knowledge of the proprietary protocol of CODESYS V3 and the structure of the different services that the protocol uses.

Microsoft researchers reported the discovery to CODESYS in September 2022 and worked closely with CODESYS to ensure that the vulnerabilities are patched. Information on the patch released by CODESYS to address these vulnerabilities can be found here: Security update for CODESYS Control V3. We strongly urge CODESYS users to apply these security updates as soon as possible. We also thank CODESYS for their collaboration and recognizing the urgency in addressing these vulnerabilities. 

Below is a list of the discovered vulnerabilities discussed in this blog: 

In this blog, we provide an overview of the CODESYS V3 protocol structure, highlighting several key components, and describe the main issue that led to our discovery of the vulnerabilities. The full research and the results can be found in our report on Github. We also provide an open-source forensics tool to help users identify impacted devices, security recommendations for those affected, and detection information for potentially related threats.

CODESYS: A widely used PLC solution

CODESYS is a software development environment that provides automation specialists with tools for developing automated solutions. CODESYS is a platform-independent solution that helps device manufacturers implement the international industrial standard IEC 611131-3. The SDK also has management software that runs on Windows machines and a simulator for testing environments, allowing users to test their PLC systems before deployment. The proprietary protocols used by CODESYS use either UDP or TCP for communication between the management software and PLC.

CODESYS is widely used and can be found in several industries, including factory automation, energy automation, and process automation, among others. 

Discovering the CODESYS vulnerabilities

The vulnerabilities were uncovered by Microsoft researchers while examining the security of the CODESYS V3 proprietary protocol as part of our goal to improve the security standards and create forensic tools for OT devices. During this research, we examined the structure and security of the protocol that is used by many types and vendors of PLCs.  We examined the following two PLCs that use CODESYS V3 from different vendors: Schneider Electric Modicon TM251 and WAGO PFC200.

CODESYS V3 protocol

The CODESYS network protocol works over either TCP or UDP:

• Ports 11740-11743 for TCP
• Ports 1740-1743 for UDP

The CODESYS network protocol consists of four layers:

1. Block driver layer: The layer that creates the capability to communicate over a physical or software interface, over TCP or UDP.
2. Datagram layer: The layer that enables communication between components and endpoints through physical or virtual interfaces. 
3. Channel layer: The layer that is responsible for creating, managing, and closing communications channels.
4. Services layer: Represents a combination of several layers of the ISO/OSI model session layer, presentation layer, and application layer. It consists of components, each of which is responsible for a portion of functionality of the PLC and has services that it supports. Other tasks of the Services layer include encoding/decoding and encrypting/decrypting the data transmitted on that layer. Additionally, the Services layer is also responsible for tracking the client-server session. Each component is identified by a unique ID, such as:

These components use the Tags layer for data transmission and encoding, which is transmitted over the Services layer.

There are two types of tags: parent and data. Both tags have identical structure but different sizes and purposes. The following table provides the basic structure of tags:

Tags can represent any type of data, and it is extracted by the component. The difference between a parent tag and a data tag is that a parent tag is used for linking several tags into one logical element.

Tags contain several important structures, including BTagReader and BTagWriter, which include the following fields:

• Data
• Current position in data
• Size of data

These structures are allocated for each request and exist only in the context of the request. Each request handler creates BTagWriter and BTagReader tags and uses them to parse and handle requests. Tag IDs are not unique across services, meaning each service may have its own definition for a tag ID. Tag IDs are handled in the context of each service.

The following figure provides an example of a Tag layer and relevant fields.

This example contains the following tags:

• Tag1 – )TAG ID 0x01( 10 00 00 00
• Tag2 – (TAG ID 0x23) Authentication method type
• Tag3 – (TAG ID 0x81) Parent tag that contains two sub tags
• Tag4 – (TAG ID 0x10) Username tag
• Tag5 – (TAG ID 0x11) Hash of a password tag

CODESYS components

CODESYS consists of components and each component is responsible for a portion of functionality of the PLC. The following is a list of example components:

• CmpAlarmManger – Manages alarm events, registers clients that receive events, etc.
• CmpApp – Manages running applications and application event usage.
• CmpAppBp – Manages breakpoints in IEC tasks.
• CmpCodeMeter – Manages the CodeMeter License containers.
• CmpCoreDump – Manages creating, reading, and printing to file coredumps.
• CMPTraceMgr – Enables tracing of information inside the IEC tasks.

Each component includes a number of services that the client can ask to use. For example, CMPTraceMgrincludes the following:

• TraceMgrPacketCreate – Creates a new trace packet
• TraceMgrPacketDelete – Deletes a trace manager packet
• TraceMgrPacketStart – Starts tracing, which is triggered by the TraceTrigger
• TraceMgrRecordUpdate – Records the current value of the TraceVariable together with the current timestamp
• TraceMgrRecordAdd – Creates a new TraceRecordConfiguration and adds it to a specific trace packet for a specific IEC task/application

Each service is identified by a unique number for the specific component.

Tags layer vulnerability

A security issue was discovered inside the tag decoding mechanism that led to multiple vulnerabilities that could put devices at risk of attacks such as RCE and DoS.  

In order to understand the security issue, let’s analyze the service TraceMgrRecordAdd of the component CMPTraceMgr by examining the code that activates the relevant service.

The TraceMgrRecordAddByTag appears to correspond to TraceMgrRecordAdd.

As displayed in Figure 5, the following code initializes structure from tags that are sent to the service.  

The following figure looks at the code for the TraceMgrAddNewRecordPartByTag method, which copies data from different tags into an output buffer.

The whole tag is copied into the buffer without validating the size, causing buffer overflow.

Fifteen places in CODESYS V3 SDK were found with the same issue in different components that could lead to remote attackers gaining full control over the device.

Exploitation approach

We were able to apply 12 of the buffer overflow vulnerabilities to gain RCE of PLCs. Exploiting the vulnerabilities requires user authentication as well as bypassing the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) used by both the PLCs. To overcome the user authentication, we used a known vulnerability, CVE-2019-9013, which allows us to perform a replay attack against the PLC using the unsecured username and password’s hash that were sent during the sign-in process, allowing us to bypass the user authentication process.

IEC tasks

IEC tasks are the execution unit of CODESYS runtime. It is the equivalent to thread in operating systems. A single component can have more than one task and will have at least one IEC task. The tasks are managed by CODESYS runtime. 

Each IEC task has a memory segment with read, write, and execute permissions. If a threat actor writes code there, it could be run without the data execution prevention mitigation being applied.

The IEC task segment is also where the stack is defined, meaning we don’t need to handle DEP.

Since the IEC tasks are part of the CODESYS code, they are present on all PLCs of all vendors that utilize CODESYS.

Full exploit

By looking for gadgets, we can bypass the ASLR. In the examples below, we can see part of the gadgets that we used in our exploit.

The complete exploit steps:

1. Steal credentials with CVE-2019-9013.
2. Create a new channel for the attack.
3. Sign-in to the device with the stolen credentials.
4. Exploit the vulnerabilities with a malicious packet that triggers buffer overflow.
5. Gain full control of the device.

We were able to exploit the two PLCs that we researched.

Demo video:

Critical importance of ICS security 

With CODESYS being used by many vendors, one vulnerability may affect many sectors, device types, and verticals, let alone multiple vulnerabilities. All the vulnerabilities can lead to DoS and 1 RCE. While exploiting the discovered vulnerabilities requires deep knowledge of the proprietary protocol of CODESYS V3 as well as user authentication (and additional permissions are required for an account to have control of the PLC), a successful attack has the potential to inflict great damage on targets. Threat actors could launch a DoS attack against a device using a vulnerable version of CODESYS to shut down industrial operations or exploit the RCE vulnerabilities to deploy a backdoor to steal sensitive data, tamper with operations, or force a PLC to operate in a dangerous way.

Mitigation and protection guidance

CODESYS V3 versions prior to 3.5.19.0 are vulnerable to the discovered vulnerabilities. It is recommended to first identify the devices using CODESYS in your network and check with device manufacturers to determine which version of the CODESYS SDK is used and whether a patch is available. It is also recommended to update the device firmware to version to 3.5.19.0 or above. 

General recommendations: 

• Apply patches to affected devices in your network. Check with the device manufacturers for available patches and update the device firmware to version to 3.5.19.0 or above. 
• Make sure all critical devices, such as PLCs, routers, PCs, etc., are disconnected from the internet and segmented, regardless of whether they run CODESYS.  
• Limit access to CODESYS devices to authorized components only. 
• Due to the nature of the CVEs, which still require a username and password, if prioritizing patching is difficult, reduce risk by ensuring proper segmentation, requiring unique usernames and passwords, and reducing users that have writing authentication.   

To assist with identifying impacted devices, the cyberphysical systems research team has released an open-source software tool on GitHub that allows users to communicate with devices in their environment that run CODESYS and extract the version of CODESYS on their devices in a safe manner to confirm if their devices are vulnerable. In addition, the cyberphysical system research team also released a tool for performing a forensics investigation on CODESYS V3 devices as part of its arsenal of open-source tools available on GitHub.

Microsoft 365 Defender detections 

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

Microsoft Defender for IoT 

Microsoft Defender for IoT with all versions of the sensor and TI package after April 2023 provides the following protections against these vulnerabilities and associated exploits and other malicious behavior:  

• Defender for IoT detects and classifies devices that use CODESYS.  
• Defender for IoT raises alerts on unauthorized access to devices using CODESYS, and abnormal behavior in these devices.  
• Defender for IoT raises alerts if a threat actor attempts to exploit these vulnerabilities. Alert type: “Suspicion of Malicious Activity”

Microsoft Defender Threat Intelligence 

Microsoft Defender Threat Intelligence shows devices running CODESYS that are exposed to the internet by searching for “CODESYS” components on IPs.  

Vladimir Tokarev

Microsoft Threat Intelligence Community

References 

• https://www.codesys.com/the-system/codesys-inside.html
• https://store.codesys.com/engineering/codesys.html
• https://github.com/microsoft/CoDe16/tree/main
• https://store.codesys.com/en/alarm-manager.html
• https://content.helpme-codesys.com/en/libs/CmpApp/Current/index.html
• https://content.helpme-codesys.com/en/libs/CmpAppBP/Current/index.html
• https://content.helpme-codesys.com/en/libs/CmpCodeMeter/Current/index.html
• https://content.helpme-codesys.com/en/libs/CmpTraceMgr/Current/index.html
• https://content.helpme-codesys.com/en/libs/CmpApp/Current/AppStartApplication.html
• https://help.codesys.com/webapp/TraceMgrPacketCreate;product=CmpTraceMgr;version=3.5.16.0
• https://help.codesys.com/webapp/TraceMgrPacketDelete;product=CmpTraceMgr;version=3.5.16.0
• https://help.codesys.com/webapp/TraceMgrPacketStart;product=CmpTraceMgr;version=3.5.16.0
• https://help.codesys.com/webapp/TraceMgrRecordUpdate;product=CmpTraceMgr;version=3.5.16.0
• https://help.codesys.com/webapp/TraceMgrRecordAdd;product=CmpTraceMgr;version=3.5.17.0
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9013
• https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=12943&token=d097958a67ba382de688916f77e3013c0802fade&download=
• https://www.codesys.com/download
• https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-192-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-192-04.pdf&_ga=2.25212925.1579834642.1689503846-267712980.1687697317
• https://cert.vde.com/de/advisories/VDE-2023-026/
• https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-1/
• https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-2/
• https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-3/

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Multiple high severity vulnerabilities in CODESYS V3 SDK could lead to RCE or DoS  appeared first on Microsoft Security Blog.

Microsoft’s IoT security commitments 

While customers are familiar with our approach to Windows PC and server security, many are unaware that Microsoft has taken similar steps to strengthen the security of business-critical systems and the networks that enclose them, including vulnerable and unmanaged IoT and OT endpoints. Microsoft often detects a wide range of threats targeting IoT devices, including sophisticated malware that enables attackers to target compromised devices using botnets³ or compromised routers,⁴ and a malicious form of cryptomining called cryptojacking.⁵ This blog post details Microsoft’s efforts to help partners create IoT solutions with strong security, thereby supporting initiatives outlined in the new National Cybersecurity Strategy and other US Cybersecurity and Infrastructure Security Agency (CISA) initiatives.

Developing and deploying software products that are secure by design and default is both a challenging and costly endeavor. According to recent guidance from the CISA, Secure-by-Design requires significant resources to incorporate security functions at each layer of the product development process.⁶ To maximize effectiveness, this approach needs to be integrated into a product’s design from the onset and cannot always be “bolted on” later.

Security by design and default is an enduring priority at Microsoft. In 2021, we committed to investing USD100 billion to advance our security solutions over five years (approximately USD20 billion per year) and today we employ more than 8,000 security professionals.⁷ One result of these investments is Windows 11, our most secure version of Windows yet. At Microsoft, we have a great deal of experience around security by design and default and have strived to implement best practices into our products and programs to assist partners who combine hardware, innovative functionality, online services, and operating systems (OS) to produce and maintain IoT solutions with robust security.

Applying Zero Trust to IoT

Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to “never trust, always verify.” A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy.

Microsoft advocates for a Zero Trust approach to IoT security, based on the principle of verifying everything and trusting nothing (see Seven Properties of Highly Secure Devices). Zero Trust is also aligned with the new directives in the US National Cybersecurity Strategy and the requirements of the new US cybersecurity labeling program.

A traditional network security model often doesn’t meet the security or user experience needs of modern organizations, including those that have embraced IoT in their digital transformation strategy. User and device interactions with corporate resources and services now often bypass on-premises, perimeter-based defenses. Organizations need a comprehensive security model that more effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects their people, devices, applications, and data wherever they are.

To optimize security and minimize risk for IoT devices, a Zero Trust approach requires:

1. Secure identity with Zero Trust: Identities—whether they represent people, services, or IoT devices—define the Zero Trust control plane. When an identity attempts to access a resource, verify that identity with strong authentication, and ensure access is compliant and typical for that identity. Follow least privilege access principles.
2. Secure endpoints with Zero Trust: Once an identity has been granted access to a resource, data can flow to a variety of different endpoints—from IoT devices to smartphones, bring-your-own-device (BYOD) to partner-managed devices, and on-premises workloads to cloud-hosted servers. This diversity creates a massive attack surface area. Monitor and enforce device health and compliance for secure access.
3. Secure applications with Zero Trust: Applications and APIs provide the interface by which data is consumed. They may be legacy on-premises, lifted and shifted to cloud workloads, or modern software as a service (SaaS) applications. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, control user actions, and validate secure configuration options.
4. Secure data with Zero Trust: Ultimately, security teams are protecting data. Where possible, data should remain safe even if it leaves the devices, apps, infrastructure, and networks the organization controls. Classify, label, and encrypt data, and restrict access based on those attributes.
5. Secure infrastructure with Zero Trust: Infrastructure—whether on-premises servers, cloud-based virtual machines, containers, or micro-services—represents a critical threat vector. Assess for version, configuration, and just-in-time access to harden defense. Use telemetry to detect attacks and anomalies, automatically block and flag risky behavior, and take protective actions.
6. Secure networks with Zero Trust: All data is ultimately accessed over network infrastructure. Networking controls can provide critical controls to enhance visibility and help prevent attackers from moving laterally across the network. Segment networks (and do deeper in-network micro-segmentation) and deploy real-time threat protection, end-to-end encryption, monitoring, and analytics.
7. Visibility, automation, and orchestration with Zero Trust: In our Zero Trust guides, we define the approach to implement an end-to-end Zero Trust methodology across identities, endpoints and devices, data, apps, infrastructure, and networks. These activities increase your visibility, which gives you better data for making trust decisions. With each of these individual areas generating their own relevant alerts, we need an integrated capability to manage the resulting influx of data to better defend against threats and validate trust in a transaction.

Microsoft’s Edge Secured-Core program

At Microsoft, we understand Secure-by-Design and Secure-by-Default are difficult to build and even more challenging to get right. To simplify this process, we created Edge Secured-Core, a Microsoft device certification program that codifies and operationalizes the security tenets such as secure by default and Zero Trust into a clear set of requirements. Edge Secured-Core also provides tooling and assistance to our device ecosystem partners to help them build devices that meet these security requirements. We have further customized those requirements for various platforms that manufacturers use to build devices, including Microsoft-provided operating systems Windows IoT and Microsoft Azure Sphere, and ecosystem-provided operating systems based on Linux. Edge Secured-Core devices from partners including Intel, AAEON, Lenovo, and Asus can be found in the Azure Certified Device Catalog today. 

Windows IoT

Windows IoT is a platform that leverages our long history and investment in Windows security to enable more secure and reliable IoT solutions. Whether you are building devices for industrial usage, healthcare or retail sectors, or other scenarios, Windows IoT provides key capabilities to protect your devices and data from the many prevalent threats in today’s digital landscape. 

Windows IoT capabilities include:

• BitLocker, which encrypts the data stored on the device to prevent unauthorized access.
• Secure Boot, which verifies the integrity of the boot process and prevents malicious code from running.
• Code integrity, which verifies the integrity of operating system files when loaded and enforces device manufacturer policies that dictate the drivers and applications that can be loaded on the device.
• Exploit mitigations, which automatically applies several exploit mitigation techniques to operating system processes and apps (examples include kernel pool protection, data execution protection, and address space layout randomization).
• Device attestation, which proves the identity and health of the device to cloud services.

Windows IoT also offers end-to-end management and updates using the trusted Windows infrastructure, ensuring consistent and timely delivery of security patches and feature enhancements. Some versions of Windows IoT support a 10-year servicing term, allowing partners to receive updates and maintain application compatibility, reducing the risk of obsolescence and vulnerability. 

Another benefit of Windows IoT is the flexibility to run containerized workflows, including Linux, on the same device. This allows partners to use existing skills and tools, thereby optimizing performance and resource utilization. Containers provide isolation and portability, enhancing the security and reliability of applications.

Defending against threats with Microsoft Azure Sphere

Microsoft Azure Sphere is a fully managed, integrated hardware, operating system, and cloud platform solution for medium- and low-power IoT devices. It offers a comprehensive approach to secure IoT devices from chip to cloud. 

Azure Sphere devices combine a low-power Arm Cortex-A processor running a custom Linux-based operating system serviced by Microsoft with Arm Cortex-M processors for real-time processing and control. Device manufacturers can develop, deploy, and update their applications, while Microsoft independently provides operating system security updates and device monitoring. Additionally, Azure Sphere devices embed the Microsoft Pluton security architecture, providing a hardware-based root of trust and cryptographic engine. Pluton protects the device identity, keys, and firmware from physical and software attacks and enables secure boot and remote attestation. 

Azure Sphere provides deep defense by employing multiple layers of protection to mitigate the impact of potential vulnerabilities, such as secure boot, kernel hardening, and a per-application network firewall. Azure Sphere devices communicate with a dedicated cloud service, the Azure Sphere Security Service, which attests the device is running expected and up-to-date software, performs both operating system and application updates, provides error reporting, and retrieves a Microsoft signed certificate that is renewed daily.

Similar to Windows IoT, Azure Sphere also offers a 10-year term for security fixes and operating system updates for all devices, as well as an application compatibility promise that ensures existing applications will continue to run on future operating system versions. Also, supporting CISA’s secure-by-design recommendations, Azure Sphere has started enabling embedded development using Rust, a coding language designed to improve memory safety and reduce mistakes during development.⁸

Enhancing security on Linux devices

While Microsoft directly provides operating system updates for Windows IoT and Azure Sphere, Edge Secured-core provides a way of ensuring the same security tenets of secure-by-design and default principles are applicable for devices that use ecosystem-provided distributions of the Linux OS. We collaborate with Linux partner companies to ensure their distributions meet security requirements such as committing to security updates for at least five years, building in support for Secure boot, etc. Microsoft incorporates security checks to onboard operating system partners and ongoing monitoring using Microsoft security agents on these devices, thus providing confidence to customers.

Secure your IoT devices with Microsoft Defender for IoT

Next to consumers, organizations are investing in automation and smart technology to streamline operations, cyber-physical systems, once completely isolated from the network, are now converging with mainstream IT infrastructure. Microsoft Defender for IoT is a security solution that enables organizations to implement Zero Trust principles across enterprise IoT and OT devices to minimize risk and protect these mission-critical systems from threats, as their attack surface expands.⁹

Defender for IoT empowers analysts to discover, manage, and secure enterprise IoT and OT devices in their environment. With network layer monitoring, analysts get a full view of their IoT and OT device estate as well as valuable insights into device-specific details and behaviors. These insights in tandem with generated alerts help analysts protect their environment by easily identifying and prioritizing risks like unpatched systems, vulnerabilities, and anomalous behavior all from a centralized user experience.

Support for the broader IoT ecosystem

Beyond these core platforms, Microsoft provides additional programs and services to enable partners to create more secure IoT devices. For example, due to the wide range of possible configurations and hardware platforms, operating systems such as Azure RTOS place the responsibility of security more heavily on the device manufacturer. SDKs and services like Device Update for Microsoft Azure IoT Hub allow partners to add support for over-the-air software updates to their products.

Microsoft Security supports the US National Cybersecurity Strategy

Microsoft remains committed to supporting the US National Cybersecurity Strategy and helping partners effectively deliver and maintain more secure IoT solutions using powerful technology, tools, and programs designed to improve security outcomes. It is vitally important that partners focus on IoT security by prioritizing security through smart design and development practices and carefully selecting platforms and security defaults that are secure as possible to lower the cost of maintaining the security of products.

Learn more

Learn more about Microsoft Defender for IoT.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹United States National Cybersecurity Strategy, The White House. March 2023.

²Biden-⁠Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers, The White House. July 13, 2023.

³Microsoft research uncovers new Zerobot capabilities, Microsoft Threat Intelligence. December 21, 2022.

⁴Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure, Microsoft Threat Intelligence. March 16, 2022.

⁵IoT devices and Linux-based systems targeted by OpenSSH trojan campaign, Microsoft Threat Intelligence. June 23, 2023.

⁶Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, CISA. April 13, 2023.

⁷Satya Nadella on Twitter. August 25, 2021.

⁸Modernizing embedded development on Azure Sphere with Rust, Akshatha Udayashankar. January 11, 2023.

⁹Learn how Microsoft strengthens IoT and OT security with Zero Trust, Michal Braverman-Blumenstyk. November 8, 2021.

The post Adopting guidance from the US National Cybersecurity Strategy to secure the Internet of Things appeared first on Microsoft Security Blog.

Utilizing an established criminal infrastructure that has incorporated the use of a Southeast Asian financial institution’s subdomain as a command and control (C2) server, the threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations. The backdoor also installs a patched version of OpenSSH on affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections. The complexity and scope of this attack are indicative of the efforts attackers make to evade detection.

In this blog post, we present our analysis of the tools and techniques used in this attack and the efforts made by the threat actor to evade detection on affected devices. We also provide indicators of compromise and relevant Microsoft Defender for IoT and Microsoft Defender for Endpoint detections, as well as recommendations for defenders to protect devices and networks.

Attack chain

The threat actors initiate the attack by attempting to brute force various credentials on misconfigured internet-facing Linux devices. Upon compromising a target device, they disable shell history and retrieve a compromised OpenSSH archive named openssh-8.0p1.tgz from a remote server. The archive contains benign OpenSSH source code alongside several malicious files: the shell script inst.sh, backdoor binaries for multiple architectures (x86-64, arm4l, arm5l, i568, and i686), and an archive containing the shell script vars.sh, which holds embedded files for the backdoor’s operation.

After installing the payload, the shell script inst.sh runs a backdoor binary that matches the target device’s architecture. The backdoor is a shell script compiled using an open-source project called Shell Script Compiler (shc), and enables the threat actors to perform subsequent malicious activities and deploy additional tools on affected systems.

Custom backdoor deploys open-source rootkits

Once running on a device, the shell script backdoor tests access to /proc to determine whether the device is a honeypot. If it can’t access /proc, it determines the device is a honeypot and exits. Otherwise, it exfiltrates information about the device, including its operating system version, network configuration, and the contents of /etc/passwd and /etc/shadow over email to the hardcoded address dotsysadmin[@]protonmail[.]com, and to any email address provided by the threat actor as an argument to the script.

On supported systems, the backdoor downloads, compiles, and installs two open-source rootkits available on GitHub, Diamorphine and Reptile. The backdoor configures Reptile to connect to the C2 domain rsh.sys-stat[.]download on port 4444 and to hide its child processes, files, or their content. Microsoft researchers assess that the Diamorphine rootkit is used to hide processes as well.

To ensure persistent SSH access to the device, the backdoor appends two public keys to the authorized_keys configuration files of all users on the system.

The backdoor obscures its activity by removing records from Apache, nginx, httpd, and system logs that contain the IP and username specified as arguments to the script. Additionally, it has the capability to install an open-source utility called logtamper to clear the utmp and wtmp logs, which record information about user sign-in sessions and system events.

The backdoor eliminates cryptomining competition from other miners that may exist on the device by monopolizing device resources and preventing communication with a hardcoded list of hosts and IPs related to these activities. It accomplishes this by adding iptables rules to drop communication with the hosts and IPs and configuring /etc/hosts to make the hosts resolve to the localhost address. It also identifies miner processes and files by their names and either terminates them or blocks access to them, and removes SSH access configured in authorized_keys by other adversaries.

Patching OpenSSH source code

The backdoor uses the Linux patch utility to apply the patch file ss.patch, which is embedded in vars.sh, to the OpenSSH source code files included in its package. Once the patches are applied, the backdoor compiles and installs the modified OpenSSH on the device.

The compromised OpenSSH grants the attackers persistent access to the device and to the SSH credentials the device handles. The patches install hooks that intercept the passwords and keys of the device’s SSH connections, whether as a client or a server. The passwords and keys are then stored encrypted in a file on the disk. Moreover, the patches enable root login over SSH and conceal the intruder’s presence by suppressing the logging of the threat actors’ SSH sessions, which are distinguished by a special password.

The modified version of OpenSSH mimics the appearance and behavior of a legitimate OpenSSH server and may thus pose a greater challenge for detection than other malicious files. The patched OpenSSH could also enable the threat actors to access and compromise additional devices. This type of attack demonstrates the techniques and persistence of adversaries who seek to infiltrate and control exposed devices.

Botnet operation

The backdoor runs a secondary payload embedded in the shell script vars.sh, which is a slightly modified version of ZiggyStarTux, an open-source IRC bot based on the Kaiten malware. Among its features is executing bash commands issued from the C2 and possessing distributed denial of service (DDoS) capabilities.

The backdoor employs various mechanisms to set up ZiggyStarTux’s persistence on compromised systems. It copies the ZiggyStarTux binary to several locations on the disk and establishes cron jobs to invoke it at regular intervals. Moreover, it runs a bash script that registers ZiggyStarTux as a systemd service by creating and configuring the service file /etc/systemd/system/network-check.service.

Analysis of ZiggyStarTux revealed that the threat actors stripped the binary of logging-related strings and incorporated a function that writes the bot’s process ID to /var/run/sys_checker.pid, allowing the backdoor to read that file and conceal that process ID using the installed rootkits.

The ZiggyStarTux bots communicate with the C2 via an IRC server hosted on various domains and IPs located in different geographical regions. Evidence indicates that the threat actors disguise their traffic by utilizing the subdomain of a Southeast Asian financial institution that is hosted on one of their own servers.

To receive commands, the ZiggyStarTux bots connect to the IRC server and join a hidden password-protected channel named ##..##. The server was observed issuing bash commands that instruct bots to download and launch two shell scripts from a remote server. The first script, lscan, retrieves lssh.tgz from the server, an archive of scripts that scan each IP in the subnet for SSH access using a password list. The scripts record the results of each connection attempt in a log file.

The second script, zaz, fetches the compromised OpenSSH package with the embedded backdoor from the remote server. The installation is carried out using the email address ancientgh0st@yahoo[.]com as an argument to serve as an additional exfiltration point for device information. Additionally, zaz retrieves an archive called hive-start.tgz which contains mining malware crafted for Hiveon OS systems, a Linux-based open-source operating system designed for cryptomining.

Indications of criminal cooperation

Microsoft researchers have traced the campaign to a user named asterzeu on the hacking forum cardingforum[.]cx, who offered multiple tools for sale on the platform, including an SSH backdoor. The domain madagent[.]tm was registered in 2015 with an email address matching the username and shared numerous servers over a four-year period with madagent[.]cc, one of the C2 domains of ZiggyStarTux. Furthermore, the distribution of the shell script backdoor between threat actors has been identified, adding to the evidence of a network of tools and infrastructure shared or sold on the malware-as-a-service market.

Mitigation and protection guidance

Microsoft recommends the following steps to protect devices and networks against this threat:

• Harden internet-facing devices against attacks
  • Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.
  • Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.
  • Use least-privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.
  • When possible, update OpenSSH to the latest version.
• Adopt a comprehensive IoT security solution such as Microsoft Defender for IoT to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.
• Use security solutions with cross-domain visibility and detection capabilities like Microsoft 365 Defender, which provides integrated defense across endpoints, identities, email, applications, and data.

Detections

Microsoft Defender for IoT

Microsoft Defender for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the use of open-source tools and exploits that may be tied to this attack.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

• Trojan:Linux/SamDust!MTB
• Trojan:Linux/SamDust.D!MTB
• Trojan:Linux/SamDust.B!MTB
• Trojan:Linux/SamDust.A!MTB
• Trojan:Linux/SamDust.N!MTB
• Trojan:Linux/Reptile.A
• Trojan:Linux/Reptile.B
• Trojan:Linux/Reptile.C
• Trojan:Linux/Reptile.D
• Trojan:Linux/Diamorphine.A!MTB

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Unusual number of failed sign-in attempts

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Suspicious file property modification occurred
• Suspicious termination of security tool
• Suspicious service launched
• Suspicious Linux service created
• File masquerading

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

In addition, customers can use the SSH Brute force detection template in the Syslog solution package to monitor for brute force attempts against their exposed SSH endpoints.

Indicators of Compromise

Rotem Sde-Or, Microsoft Threat Intelligence Community

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post IoT devices and Linux-based systems targeted by OpenSSH trojan campaign appeared first on Microsoft Security Blog.

With industry-leading AI, Microsoft synthesizes 65 trillion signals a day across many types of devices, apps, platforms, and endpoints—allowing for an unparalleled view of the evolving threat landscape.¹

We recently announced the Microsoft Supply Chain Platform, an open, flexible, and collaborative platform designed to address the needs of supply chain leaders. This is done by enabling end-to-end visibility and control of processes and data across new or existing supply chain management and enterprise resource planning solutions.

Microsoft Security solutions are a key part of this platform. A cybersecurity breach can lead to operational disruptions, reputational damage, financial losses for companies involved in the supply chain, and even lead to loss of life in the case of critical industries like manufacturing, healthcare, energy, and transportation. That’s why it’s essential for organizations to invest in advanced security solutions to protect their supply chains.

According to Gartner, “By 2025, 60 percent of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements.”²

Find out more about Microsoft Defender for IoT, Microsoft Entra and the rest of our Microsoft Security solutions that play a critical role in securing your supply chains at Hannover Messe, from April 17 to 21, 2023, at the Microsoft Stand, Hall 17. Explore how to interact with us while there and register for Microsoft’s “Supply Chain Reimagined at Hannover Messe” session on April 19, 2023, during the event. We hope to see you there! 

Cloud-powered security with Microsoft Defender for IoT

IoT and OT devices proliferate throughout supply chains, hence why IoT and OT security solutions are an essential component of supply chain security. These solutions protect connected devices and systems, which can be vulnerable to attacks that seek to disrupt operations or, often, move laterally into IT environments to steal data or intellectual property.

IoT and OT environments have unique security challenges. Many legacy devices are unmanaged and older network monitoring systems are not familiar with IoT and OT protocols, making them unreliable. Microsoft provides a range of IoT and OT solutions, including Azure Sphere, Azure IoT Edge, and Azure Digital Twins, which enable organizations to securely connect, manage, and analyze their IoT and OT devices and systems.

Microsoft Defender IoT secures these environments, offering asset discovery, threat detection, incident response, compliance reporting, and more. Defender for IoT can be deployed on-premises or in the cloud and it integrates with Microsoft Defender, Microsoft Threat Intelligence, and Microsoft Sentinel to enable security operations center teams to collaborate more effectively and efficiently. Learn more about Defender for IoT and how a cloud-powered OT security solution delivers the best value.

“By combining Defender for IoT and Device Update for Azure IoT Hub, we’ll have the efficiency and flexibility to cover multiple use cases on more powerful hardware yet be able to protect multiple operating systems and applications on a single device.”

—Claus von Reibnitz, Managing Director for Leibherr

Secure access for suppliers and partners

IAM solutions are another critical component of supply chain security. By their very nature, supply chains include multiple organizations—such as suppliers, distributors, and retailers—whose employees and partners need to access information. Every organization must ensure that only the right users (such as employees, partners, vendors, contractors, and guests) have appropriate access at the right time.

Microsoft Entra is a cloud-based solution that offers complete identity and access management services for organizations. The granular authorization policies of Microsoft Entra ensure that only approved users and devices can access sensitive data and systems. This includes support for multifactor authentication with phishing-resistant systems and passwordless technologies. Microsoft Entra also integrates with other Microsoft services, such as Microsoft 365 and Microsoft Dynamics 365, for a seamless and secure experience for users accessing these services.

“We concluded that it would be much safer and more productive for us to understand and enjoy cloud services like Microsoft 365 and Microsoft Azure rather than taking the risks in maintaining our own systems.”

—Keita Nakano, Deputy Chief of Information Planning, Nissin Foods

One of the key advantages of Microsoft Security solutions in the Microsoft Supply Chain Platform is their ability to operate with other Microsoft products and services. For example, IAM solutions such as Microsoft Azure Active Directory (part of Microsoft Entra) can be integrated with other Microsoft Cloud services, such as Microsoft 365 and Dynamics 365. IoT and OT solutions can also be integrated with other Microsoft services, such as Azure AI and Azure Analytics, to enable organizations to gain insights into their IoT and OT data and use these insights to improve supply chain operations.

Another advantage of Microsoft Security solutions is their flexibility. These solutions can be deployed in a variety of environments, including on-premises, cloud, and hybrid environments. This allows organizations to choose the deployment model that best meets their specific security and compliance requirements. Microsoft Security solutions also offer advanced threat protection capabilities that use machine learning and AI to detect and respond to threats in real time, reducing the risk of data breaches and other cyberthreats.

In addition to IAM and IoT and OT solutions, data protection, compliance and governance, and security analytics help organizations protect their sensitive data, ensure compliance with regulations and standards, and gain insights into their security posture.

Cybersecurity breaches can significantly impact supply chains and contribute to the ongoing disruptions we face in meeting partner and customer needs. However, organizations can mitigate the risks by investing in advanced security solutions with Microsoft Security. With the ability to integrate with other Microsoft products and services, deploy in a variety of environments, and provide advanced threat protection capabilities, Microsoft Security solutions include a comprehensive set of tools and services for securing supply chains and ensuring the continuity of operations.

Learn more about cybersecurity and resiliency for supply chains

Get details on Microsoft Security solutions, including Microsoft Defender for IoT and our multicloud, identity and access capabilities with Microsoft Entra. And to dive deeper into Microsoft Security solutions, join us on April 13, 2023, for Microsoft Secure Technical Accelerator. Engage with our product and engineering teams through a live question and answer during each session, learn best practices, build community with your security peers, and get prescriptive technical guidance that will help you and your organization implement our comprehensive security solutions, Save the date and RSVP for event updates.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Security reaches another milestone—Comprehensive, customer-centric solutions drive results, Vasu Jakkal. January 25, 2023.

²Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23, Gartner. June 21, 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

The post Improve supply chain security and resiliency with Microsoft   appeared first on Microsoft Security Blog.

At our inaugural Microsoft Secure event, we’re sharing our latest innovations across security, compliance, identity, management, and privacy. Continue reading this blog post for the top Microsoft Security announcements in AI, identity, and data protection, and watch Microsoft Secure today or on-demand for more information on these exciting innovations.

Today, the odds remain stacked against cybersecurity professionals. Too often, they fight an asymmetric battle against prolific, relentless, and sophisticated attackers. I am delighted to welcome you to the new era of security—shaped by the power of OpenAI’s GPT-4 generative AI—and thrilled to introduce to you Microsoft Security Copilot.

Introducing Microsoft Security Copilot—End-to-end defense at machine speed and scale

Microsoft Security Copilot is the first security product to enable defenders to move at the speed and scale of AI. Security Copilot combines OpenAI large language model with a security-specific model from Microsoft. This security-specific model in turn incorporates a growing set of security-specific skills and is informed by Microsoft’s unique global threat intelligence and more than 65 trillion daily signals. Security Copilot also delivers an enterprise-grade security and privacy-compliant experience as it runs on Microsoft Azure’s Hyperscale infrastructure.

Transforming threat protection and cloud security

Plus, we are continuing to deliver you the latest innovations to enable you to defend your organization more effectively with extended detection and response (XDR) and threat intelligence. In August 2022, we introduced Microsoft Defender Threat Intelligence (MDTI), formerly RiskIQ, which enables 360-degree visibility into threats. Today, we are announcing the next step in helping defenders get the context they need to secure their organization faster.

Microsoft Defender Threat Intelligence is now available to licensed customers directly within Microsoft 365 Defender. It’s already integrated with Microsoft Sentinel and now has an application programming interface (API) to help enrich incidents, automate incident response, and work with a broad ecosystem of security tools. With this advancement, you get one of the world’s best threat intelligence, integrated with the tools you use every day.

We are also adding Intel Profiles, updated daily with information on threat actors and tools. Both Microsoft 365 Defender and Microsoft Sentinel customers can quickly access this information to analyze, investigate, and hunt threats.

Beyond threat intelligence, Microsoft 365 Defender delivers industry-leading XDR spanning far beyond multi-platform endpoints to include email, identities, software as a solution (SaaS) applications, and more. Today, we are extending that protection to Microsoft Teams for any customer licensed for Microsoft Defender for Office 365. Collaboration platforms, such as Teams, are vital business tools and, increasingly, a new attack vector for adversaries to phish employees.

Over time, Microsoft Defender for Office 365 will support the full lifecycle of protection for Teams from prevention and detection to investigation and hunting, response actions, and even help with raising user awareness of best practices. Today, we are extending beyond the existing safe links capability to enable users to report suspicious messages, automatically purge unsafe messages, and integrate administration experiences into the Microsoft 365 Defender. With Teams and Microsoft 365 Defender, your employees can be both productive and safe.

With accelerated cloud migration and growing cloud-native app development, it is critical for security teams to evolve from protecting infrastructure to securing the entire lifecycle of cloud applications. Moreover, as the volume of cloud data grows, it’s becoming an increasingly lucrative target for bad actors. Microsoft is leading the next chapter of multi-cloud security with new innovations in Microsoft Defender for Cloud, one of the industry’s most comprehensive cloud-native application protection platform (CNAPP).

• Defender Cloud Security Posture Management (CSPM) is now generally available to help organizations get an end-to-end view of risks and prioritize remediation across their multicloud environments with contextual cloud security. And now, new integrated data-aware security posture capabilities allow teams to automatically discover their data estate, assess threats to their most critical assets and sensitive data, and proactively prevent breaches along potential attack paths.
• Defender for Storage now offers sensitive data discovery and malware scanning to address threats to critical storage resources in the cloud. New scanning capabilities prevent infiltration attempts with near real-time detection of metamorphic and polymorphic malware across cloud data.

For organizations seeking to defend operational technologies (OT) at scale, Microsoft Defender for IoT now offers a fully cloud-delivered OT security solution. Customers can achieve single-pane-of-glass visibility for all OT devices, across all sites when Defender for IoT is deployed on Microsoft Azure Portal. Learn more about the new capabilities and explore cloud-delivered OT security—as well as new threat management capabilities and Microsoft Azure integrations—with a 30-day free trial of OT monitoring in the Azure portal.

Many organizations may not have the time, resources, or expertise to build an in-house incident response program. For customers that want help preparing their in-house security team or are facing an especially complex security incident, Microsoft Incident Response offers an end-to-end portfolio of proactive and reactive incident response services. Microsoft Security is expanding our incident response presence and we’re excited to announce the Microsoft Incident Response Retainer, which is now generally available to enterprise, government, education, and non-profit customers. If you’re curious about how an Incident Response Retainer can improve your security posture, explore details on our incident response-related announcements.

People rely on technology to collaborate on projects and complete tasks. And security professionals are more important than ever to keep their organizations resilient as threats evolve and attack surfaces grow. Security is a team sport that takes everyone working together. Protection takes a combined effort across teams, devices, defenders, and clouds.

Secure, connected endpoint management and identity

Another way to empower security teams is to consolidate multiple endpoint management tools in Microsoft Intune and converge workloads across IT and security operations. The Microsoft Intune Suite, launched on March 1, 2023, unifies a series of mission-critical endpoint management solutions within Intune. The features of the Microsoft Intune Suite are designed to incorporate security signals into endpoint management that fortify your cyber safety for Zero Trust, use data science and AI for proactive user experience protection, and reduce complexity and costs through automation and consolidation.

“I’m consistently impressed by the level of security that Intune provides. Now with the Microsoft Intune Suite on the horizon, I feel even more confident that my company’s data will remain highly secure, and the straightforward management and deployment of policies will make it easier to help ensure that all devices are safeguarded.”—Ibrar Mahmood, IT Cyber Security Manager, Milton Keynes University Hospital NHS Foundation Trust.

Deep integration of Microsoft Security services in the Intune Suite empowers IT and security operations to control the elevation of Windows standard users with Microsoft Intune Endpoint Privilege Management, enable trusted helpdesk to employee connections with Remote Help, secure corporate data and application access from mobile bring your own devices (BYOD) with Microsoft Tunnel for Mobile Application Management, and detect anomalies based on the severity with advanced endpoint analytics. And we’re just getting started! In the coming months, we will introduce AI-powered analytics and add more capabilities, including a Microsoft-hosted app catalog with advanced update notifications and controls.

In identity announcements, Microsoft Entra is introducing new governance controls and policy protections to help you better secure identities and the resources they access. Key among these innovations is Microsoft Entra Identity Governance and Verified ID. With this new feature, using a Verified ID during an entitlement management flow enables simplified and standardized ways to handle collecting the right information from requestors without asking them to fill out additional paperwork.

But that’s not all the product enhancements for Microsoft Entra. New features to empower security teams to better protect organizations include:

• New protections to help secure sign-ins: With conditional access authentication strengths, admins can set policy on the strength of multifactor authentication required and base that policy on the sensitivity of the apps and resources a user is trying to access. More access scenarios will also benefit from an extension of phishing-resistant multifactor authentication. These include external users and collaborators between government and commercial clouds, and Azure virtual machines to protect remote sign-ins across development, test, and production environments. Conditional access for high-risk actions also allows you to apply conditional access policies directly to sensitive actions in Microsoft Azure Active Directory with Conditional Access for high-risk actions—now in public preview.
• New countermeasures to help prevent lateral movement: Strict enforcement of location policies, now in public preview, will let resource providers use continuous access evaluation to immediately revoke tokens that violate location policies. Also, token protection ensures tokens can be used only on the device they were intended for and is in public preview for Windows sign-in sessions.
• A new dashboard to help close policy gaps: We’re also excited to introduce an overview dashboard in Conditional Access that summarizes policy posture, unprotected users and apps, provides insights and recommendations based on sign-in activity, and helps show the impact of individual policies.  

The goal of our updates in Microsoft Intune and Microsoft Entra is to enable smarter, real-time access decisions for all identities and cloud-managed endpoints. We do that through our solutions, but also through research. Find the latest multicloud permissions risks insights in the 2023 State of Cloud Permissions Risks Report, compiled from more than 500 risk assessments completed in Microsoft Entra Permissions Management, our cloud infrastructure entitlement management (CIEM) solution. Learn about the projected Total Economic Impact™ of the Microsoft Intune Suite in a new technology study conducted by Forrester Consulting commissioned by Microsoft.

Data security for today’s world

A strategy of being human-first in security wouldn’t be complete without data security. After all, data offers immense value to your organization and inspires an equally powerful need to protect it. Safeguard sensitive information across platforms, apps, and clouds and minimize insider risk using the latest capabilities of Microsoft Purview, our set of data protection, governance, and compliance solutions. All these capabilities are available immediately to E5 customers, while organizations without E5 can start a trial.

In February 2023, we introduced Adaptive Protection in Microsoft Purview to power data security with people-centric intelligence. Available for public preview, this capability leverages the built-in and ready-to-use machine learning models in Microsoft Purview Insider Risk Management to understand how users are interacting with data and respond by:

• Identifying high-risk users who may take risky actions that could lead to data security incidents.
• Dynamically tailoring data loss prevention (DLP) controls based on the level of risk detected.
• Automatically applying the most effective DLP policies, such as blocking data-sharing, only to high-risk users, so the productivity of low-risk users isn’t impacted.

Among other advantages, Adaptive Protection reduces the alert overload that strains IT resources by letting organizations prioritize their limited resources and address the highest risks.

To bolster your protection further with Microsoft Purview DLP, we are bringing proactive protection to your Windows endpoint devices, where every document—whether or not it contains sensitive information and when it was created or modified—is analyzed to determine its sensitivity based on what the DLP policies are configured to look for. If the file that contains sensitive content violates any DLP policy rules, the appropriate restrictions as defined in the policy are applied, so that you can better protect files.

To support our customers’ diverse digital estates, we are excited to extend DLP controls to protect files with sensitive information in multiple places. Organizations can now extend existing protection for sensitive files on endpoint devices against actions such as print, copy to USB, upload to the cloud, copy to clipboard, and more to virtualized environments, including Windows Virtual Desktop, Citrix, Amazon Web Services (AWS) workspace, and Hyper-V platforms. We are also extending DLP controls to support files on network shares. And finally, we are adding capabilities on macOS devices, such as protection of sensitive file exfiltration through Bluetooth, the ability to define groups of apps and apply different restrictions to each group, and the ability to customize notifications and use advanced classifiers.  

To empower administrators to identify, debug, and remediate device misconfigurations, we are providing details about device health as well as the configuration status of all onboarded endpoint devices in the Device Onboarding tab in the Microsoft Purview compliance portal.

We are constantly adding support for classification types, and we are introducing the following types in public preview:

• Context-based classification with default site labels that allows an admin to choose specific SharePoint and OneDrive locations that are sensitive and ensure that any content moved or egressed from that location is automatically labeled based on the default label.  
• Optical character recognition (OCR) for text extraction of images that are sent over emails, stored on SharePoint and OneDrive, shared across Teams, as well as egressed across endpoint devices.

Lastly, to help security teams create and finetune Insider Risk Management policies more easily, the real-time policy-tuning analysis, now in public preview, provides admins with a prediction of the number of users in a tenant that could potentially match a given set of policy conditions.

Register for Microsoft Secure today!

We covered many announcements in this blog about technology, but I always return to the people who use it. Our innovations are designed to equip defenders with the best possible tools and information to develop a security solution that’s comprehensive and fitting for their organizations.

Comprehensive security not only means solutions that address a wide variety of threats and vulnerabilities but also how they work together to provide the best security outcomes. Learn more about how your organization can eliminate security gaps and cut costs with simplified, comprehensive protection from the Microsoft Secure event—all sessions are available on-demand.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Secure: Explore innovations transforming the future of security appeared first on Microsoft Security Blog.