First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet’s ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors.

Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. In this blog, we will share intelligence about Onyx Sleet and its historical tradecraft and targets, as well as our analysis of recent malware campaigns, with the goal of enabling the broader community to identify and respond to similar campaigns. We also provide protection, detection, and hunting guidance to help improve defenses against these attacks.

Who is Onyx Sleet?

Onyx Sleet conducts cyber espionage primarily targeting military, defense, and technology industries, predominately in India, South Korea, and the United States. This threat actor has historically leveraged spear-phishing as a means of compromising target environments; however, in recent campaigns, they have mostly exploited N-day vulnerabilities, leveraging publicly available and custom exploits to gain initial access. In October 2023, Onyx Sleet exploited the TeamCity CVE-2023-42793 vulnerability as a part of a targeted attack. Exploiting this vulnerability enabled the threat actor to perform a remote code execution attack and gain administrative control of the server.

Onyx Sleet develops and uses a spectrum of tools that range from custom to open source. They have built an extensive set of custom remote access trojans (RATs) that they use in campaigns, and routinely developed new variants of these RATs to add new functionality and implement new ways of evading detection. Onyx Sleet often uses leased virtual private servers (VPS) and compromised cloud infrastructure for command-and-control (C2).

Onyx Sleet is tracked by other security companies as APT45, SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, and TDrop2.

Affiliations with other threat actors originating from North Korea

Onyx Sleet has demonstrated affiliations with other North Korean actors, indicating its integration with a broader network of North Korean cyber operations. Microsoft has observed an overlap between Onyx Sleet and Storm-0530. Both groups were observed operating within the same infrastructure and were involved in the development and use of ransomware in attacks in late 2021 and 2022.

Onyx Sleet targets

In pursuit of its primary goal of intelligence collection, Onyx Sleet has focused on targeting entities in the defense and energy industries, predominately in India, South Korea, and the United States. Recent attacks include the targeting of South Korean educational institutions, construction companies, and manufacturing organizations in May 2024. Onyx Sleet has also shown interest in taking advantage of online gambling websites, possibly for financial gain either on behalf of North Korea or for individual members of the group.

Onyx Sleet tradecraft

Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective. Onyx Sleet historically leveraged spear-phishing to compromise targets, and in more recent campaigns, they have been observed to primarily use exploits for initial access, alongside a loader, downloader, and backdoor as a part of its well-established attack chain.

Onyx Sleet nevertheless made some changes, for example, adding new C2 servers and hosting IPs, creating new malware, and launching multiple campaigns over time. In the past, Onyx Sleet introduced custom ransomware strains as a part of its campaigns. It also created and deployed the RAT identified by Kaspersky as Dtrack, which was observed in global attacks from September 2019 to January 2024. The Dtrack RAT follows the common attack chain used by Onyx Sleet and includes the exploitation of the Log4j 2 CVE-2021-44228 vulnerability for initial access and the use of payloads signed with an invalid certificate masquerading as legitimate software to evade detection.

Another example of Onyx Sleet introducing variations in the implementation of its attack chain is the campaign identified by AhnLab Security Intelligence Center (ASEC) in May 2024. In this campaign, the threat actor employed a previously unseen malware family dubbed as Dora RAT. Developed in the Go programming language, this custom malware strain targeted South Korean educational institutions, construction companies, and manufacturing organizations. 

Onyx Sleet avoids common detection techniques across its attack lifecycle by heavily using custom encryption and obfuscation algorithms and launching as much of its code in memory as possible. These tools and techniques have been observed in several reported campaigns, including TDrop2.

Onyx Sleet has also used several off-the shelf tools, including Sliver, remote monitoring and management (RMM) tools SOCKS proxy tools, Ngrok, and masscan. We have also observed Onyx Sleet using commercial packers like Themida and VMProtect to obfuscate their malware. In January 2024, Microsoft Threat Intelligence identified a campaign attributed to Onyx Sleet that deployed a Sliver implant, an open-source C2 framework that supports multiple operators, listener types, and payload generation. Like the Dtrack RAT, this malware was signed with an invalid certificate impersonating Tableau software. Further analysis revealed that this Onyx Sleet campaign compromised multiple aerospace and defense organizations from October 2023 to June 2024.

Apart from the previously mentioned Log4j 2 vulnerability, Onyx Sleet has exploited other publicly disclosed (N-day) vulnerabilities to gain access to target environments. Some vulnerabilities recently exploited by Onyx Sleet include:

• CVE-2023-46604 (Apache ActiveMQ)
• CVE-2023-22515 (Confluence)
• CVE-2023-27350 (PaperCut)
• CVE-2023-42793 (TeamCity)

In addition to these well-known and disclosed vulnerabilities, Onyx Sleet has used custom exploit capabilities in campaigns targeting users mostly in South Korea. In these campaigns, Onyx Sleet exploited vulnerabilities in a remote desktop/management application, a data loss prevention application, a network access control system, and an endpoint detection and response (EDR) product.

Recent malware campaigns

In December 2023, South Korean authorities attributed attacks that stole over 1.2 TB of data from targeted South Korean defense contractors using custom malware to Andariel. Microsoft has attributed several custom malware families used in the said attacks – TigerRAT, SmallTiger, LightHand, and ValidAlpha – to Onyx Sleet.

TigerRAT

Since 2020, Onyx Sleet has been observed using the custom RAT malware TigerRAT. In some campaigns using TigerRAT, Onyx Sleet exploited vulnerabilities in Log4j 2 to deliver and install the malware. When launched, this malware can steal confidential information and carry out commands, such as keylogging and screen recording, from the C2.

SmallTiger

In February 2024, ASEC identified SmallTiger, a new malware strain targeting South Korean defense and manufacturing organizations. During the process of lateral movement, this malware is delivered as a DLL file (SmallTiger[.]dll) and uses a C2 connection to download and launch the payload into memory. Microsoft researchers have determined that SmallTiger is a C++ backdoor with layered obfuscation, encountered in the wild as a Themida or VMProtect packed executable.

The SmallTiger campaign can be tied back to a campaign using a similar attack chain beginning in November 2023 that delivered the DurianBeacon RAT malware. In May 2024, Microsoft observed Onyx Sleet continuing to conduct attacks targeting South Korean defense organizations using SmallTiger.

LightHand

LightHand is a custom, lightweight backdoor used by Onyx Sleet for remote access of target devices. Via LightHand, Onyx Sleet can execute arbitrary commands through command shell (cmd.exe), get system storage information, perform directory listing, and create/delete files on the target device.

ValidAlpha (BlackRAT)

ValidAlpha (also known as BlackRAT) is a custom backdoor developed in the Go programming language and used by Onyx Sleet to target organizations globally in the energy, defense, and engineering sectors since at least 2023. ValidAlpha can run an arbitrary file, list contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands.

Samples of ValidAlpha analyzed by Microsoft had a unique PDB string: I:/01___Tools/02__RAT/Black/Client_Go/Client.go

Recommendations

Microsoft recommends the following mitigations to defend against attacks by Onyx Sleet:

• Keep software up to date. Apply new security patches as soon as possible.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
• Enable network protection to help prevent access to malicious domains.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
• Configure investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to help resolve breaches, significantly reducing alert volume

Microsoft Defender customers can turn on attack surface reduction rules to help prevent common attack techniques used by Onyx Sleet:

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block execution of potentially obfuscated scripts
• Block JavaScript or VBScript from launching downloaded, executable content

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware families:

• CertutilPE
• Dora
• LightHand
• SmallTiger
• TigerCrypt
• TigerRAT
• ValidAlpha

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Onyx Sleet activity group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:

• Document contains macro to download a file

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

• CVE-2023-42793 (TeamCity)
• CVE-2023-27350 (Papercut)
• CVE-2021-44228 (Log4j 2)

Microsoft Defender Threat Intelligence

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

• Tool Profile: Dtrack
• Onyx Sleet targeting defense firm in the Middle East
• Onyx Sleet targets electrical equipment manufacturer in India
• Onyx Sleet exploits vulnerable VMWare Horizon servers
• Onyx Sleet using Sliver remote access trojan in attacks on aerospace and defense
• Same Targets, new playbooks: East Asia threat actors employ unique methods

Microsoft Sentinel queries

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Use this query to assess the existence of vulnerabilities used by Onyx Sleet:

DeviceTvmSoftwareVulnerabilities  
| where CveId in ("CVE-2021-44228","CVE-2023-27350","CVE-2023-42793")   
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel  
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId  
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware 

Use this query to detect associated network IOCs:

let remoteip = dynamic(["84.38.134.56","45.155.37.101","213.139.205.151","109.248.150.147","162.19.71.175","147.78.149.201"]);
let remoteurl = dynamic(["americajobmail.site","privatemake.bounceme.net","ww3c.bounceme.net","advice.uphearth.com","http://84.38.134.56/procdump.gif"]);
DeviceNetworkEvents  
| where RemoteIP == remoteip or RemoteUrl == remoteurl 
| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort,RemoteIP, RemoteIPType, RemotePort, RemoteUrl

Use this query to detect associated file IOCs:

let selectedTimestamp = datetime(2024-07-17T00:00:00.0000000Z);  
let fileName = "SmallTiger.dll";  
let FileSHA256 = dynamic(["f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c","0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207 ","29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3","fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32","868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf","f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5","1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1","3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061","8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f","7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b"]);  
let SignerName = "INVALID:Tableau Software Inc.";  
let Signerhash = "6624c7b8faac176d1c1cb10b03e7ee58a4853f91";  
let certificateserialnumber = "76cb5d1e6c2b6895428115705d9ac765";  
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents,  
DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator)  
TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from July 17th runs the search backwards for 90 days, change the above date accordingly.  
and   
( FileName == fileName or OldFileName == fileName or ProfileName == fileName or InitiatingProcessFileName == fileName or InitiatingProcessParentFileName == fileName  
or InitiatingProcessVersionInfoInternalFileName == fileName or InitiatingProcessVersionInfoOriginalFileName == fileName or PreviousFileName == fileName  
or ProcessVersionInfoInternalFileName == fileName or ProcessVersionInfoOriginalFileName == fileName or DestinationFileName == fileName or SourceFileName == fileName  
or ServiceFileName == fileName or SHA256 in (FileSHA256) or InitiatingProcessSHA256 in (FileSHA256) or Signer == SignerName or SignerHash == Signerhash or CertificateSerialNumber == certificateserialnumber )

Indicators of compromise

IP addresses

• 84.38.134[.]56
• 45.155.37[.]101
• 213.139.205[.]151
• 109.248.150[.]147
• 162.19.71[.]175
• 147.78.149[.]201

URL

• hxxp://84.38.134[.]56/procdump.gif

Actor-controlled domain

• americajobmail[.]site
• privatemake.bounceme[.]net
• ww3c.bounceme[.]net
• advice.uphearth[.]com

SHA-256

• TigerRAT
  • f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c
  • 0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207
  • 29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3
  • fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32
  • 868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf
• LightHand
  • f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5
  • 1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1
  • 3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061
  • 8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f
  • 7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b
• ValidAlpha
  • c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c
  • c1a09024504a5ec422cbea68e17dffc46472d3c2d73f83aa0741a89528a45cd1

Fake Tableau certificate

• Signer: INVALID:Tableau Software Inc.
• SignerHash: 6624c7b8faac176d1c1cb10b03e7ee58a4853f91
• CertificateSerialNumber: 76cb5d1e6c2b6895428115705d9ac765

References

• https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
• https://asec.ahnlab.com/en/66088/
• https://www.helpnetsecurity.com/2013/07/08/dissecting-operation-troy-cyberespionage-in-south-korea/
• https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/
• https://securelist.com/my-name-is-dtrack/93338/
• https://www.virustotal.com/gui/file/96118268f9ab475860c3ae3edf00d9ee944d6440fd60a1673f770d150bfb16d3/details
• https://www.reuters.com/technology/cybersecurity/north-korea-hackers-may-have-stolen-data-laser-weapon-police-2023-12-06/
• https://asec.ahnlab.com/en/56405/
• https://blog.talosintelligence.com/lazarus-magicrat/
• https://asec.ahnlab.com/ko/65918/
• https://www.boho.or.kr/en/bbs/view.do?searchCnd=&bbsId=B0001041&searchWrd=&menuNo=205083&pageIndex=1&categoryCode=&nttId=36276

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Onyx Sleet uses array of malware to gather intelligence for North Korea appeared first on Microsoft Security Blog.

Who is Mint Sandstorm?

Mint Sandstorm is Microsoft’s new name for PHOSPHORUS, an Iranian nation-state actor. This new name is part of the new threat actor naming taxonomy we announced today, designed to keep pace with the evolving and growing threat landscape.

Mint Sandstorm is known to pursue targets in both the private and public sectors, including political dissidents, activist leaders, the Defense Industrial Base (DIB), journalists, and employees from multiple government agencies, including individuals protesting oppressive regimes in the Middle East.  Activity Microsoft tracks as part of the larger Mint Sandstorm group overlaps with public reporting on groups known as APT35, APT42, Charming Kitten, and TA453.

Mint Sandstorm is a composite name used to describe several subgroups of activity with ties to the same organizational structure. Microsoft assesses that Mint Sandstorm is associated with an intelligence arm of Iran’s military, the Islamic Revolutionary Guard Corps (IRGC), an assessment that has been corroborated by multiple credible sources including Mandiant, Proofpoint, and SecureWorks.  In 2022, the US Department of Treasury sanctioned elements of Mint Sandstorm for past cyberattacks citing sponsorship from the IRGC.

Today, Microsoft is reporting on a distinct Mint Sandstorm subgroup that specializes in hacking into and stealing sensitive information from high-value targets. This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran’s  national priorities.

Microsoft Threat Intelligence consistently tracks threat actor activity, including Mint Sandstorm and its subgroups, and works across Microsoft Security products and services to build detections into our products that improve protection for customers. As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft is sharing details on these operations to raise awareness on the risks associated with their activity and to empower organizations to harden their attack surfaces against tradecraft commonly used by this Mint Sandstorm subgroup.

Recent operations

From late 2021 to mid-2022, this Mint Sandstorm subgroup moved from reconnaissance to direct targeting of US critical infrastructure including seaports, energy companies, transit systems, and a major US utility and gas entity potentially in support of retaliatory destructive cyberattacks. This targeting was likely in response to Iran’s attribution of cyberattacks that halted maritime traffic at a major Iranian seaport in May 2020, delayed Iranian trains in July 2021, and crashed gas station payment systems throughout Iran in late 2021. Of note, a senior cybersecurity-focused IRGC official and others close to the Iranian Supreme Leader pinned the attack affecting gas station payment systems on Israel and the United States.

This targeting also coincided with a broader increase in the pace and the scope of cyberattacks attributed to Iranian threat actors, including another Mint Sandstorm subgroup, that Microsoft observed beginning in September 2021. The increased aggression of Iranian threat actors appeared to correlate with other moves by the Iranian regime under a new national security apparatus, suggesting such groups are less bounded in their operations.  Given the hardline consensus among policymakers in Tehran and sanctions previously levied on Iran’s security organizations, Mint Sandstorm subgroups may be less constrained in carrying out malicious cyber activity.

Mint Sandstorm tradecraft

Microsoft has observed multiple attack chains and various tools in compromises involving this Mint Sandstorm subgroup. The TTPs detailed below are a sampling of new or otherwise notable tradecraft used by this actor.

Rapid adoption of publicly disclosed POCs for initial access and persistence

Microsoft has increasingly observed this Mint Sandstorm subgroup adopting publicly disclosed proof-of-concept (POC) code shortly after it is released to exploit vulnerabilities in internet-facing applications. Until 2023, this subgroup had been slow to adopt exploits for recently-disclosed vulnerabilities with publicly reported POCs, often taking several weeks to successfully weaponize exploits for vulnerabilities like Proxyshell and Log4Shell. However, beginning in early 2023, Microsoft observed a notable decrease in the time required for this subgroup to adopt and incorporate public POCs. For example, Mint Sandstorm began exploiting CVE-2022-47966 in Zoho ManageEngine on January 19, 2023, the same day the POC became public. They later exploited CVE-2022-47986 in Aspera Faspex within five days of the POC being made public on February 2, 2023.

While this subgroup has demonstrated their ability to rapidly incorporate new public POCs into their playbooks, Microsoft has also observed that Mint Sandstorm continues to use older vulnerabilities, especially Log4Shell, to compromise unpatched devices. As this activity is typically opportunistic and indiscriminate, Microsoft recommends that organizations regularly patch vulnerabilities with publicly available POCs, regardless of how long the POC has been available.

After gaining initial access to an organization by exploiting a vulnerability with a public POC, this Mint Sandstorm subgroup deploys a custom PowerShell script designed for discovery. In some cases, the subgroup does not act on the information they collect, possibly because they assess that a victim does not meet any targeting requirements or because the subgroup wishes to wait and focus on more valuable targets. In cases where Mint Sandstorm operators continue their pursuit of a given target, Microsoft typically observes one of two possible attack chains.

• Attack chain 1: The Mint Sandstorm subgroup proceeds using Impacket to move laterally through a compromised organization and relies extensively on PowerShell scripts (rather than custom implants) to enumerate admin accounts and enable RDP connections. In this attack chain, the subgroup uses an SSH tunnel for command and control (C2), and the final objective in many cases is theft of the Active Directory database. If obtained, the Mint Sandstorm subgroup can use the Active Directory database to access credentials for users’ accounts. In cases where users’ credentials are accessed and the target organization has not reset corresponding passwords, the actors can log in with stolen credentials and masquerade as legitimate users, possibly without attracting attention from defenders. The actors could also gain access to other systems where individuals may have reused their passwords.
• Attack chain 2: As is the case in attack chain 1, the Mint Sandstorm subgroup uses Impacket to move laterally. However, in this progression, the operators use webhook.site for C2 and create scheduled tasks for persistence. Finally, in this attack chain, the actors deploy a custom malware variant, such as Drokbk or Soldier. These custom malware variants signal an increase in the subgroup’s level of sophistication, as they shift from using publicly available tools and simple scripts to deploying fully custom developed malicious code. 

Use of custom tools to evade detection

Since 2022,Microsoft has observed this Mint Sandstorm subgroup using two custom implants, detected by Microsoft security products as Drokbk and Soldier, to persist in target environments and deploy additional tools. Drobkbk and Soldier both use Mint Sandstorm-controlled GitHub repositories to host a domain rotator containing the operators’ C2 domains. This allows Mint Sandstorm to dynamically update their C2 infrastructure, which may help the operators stay a step ahead of defenders using list-based domain blocking.

• Drokbk: Drokbk.exe is a custom .NET implant with two components: an installer, sometimes accessed from a compressed archive on a legitimate file-sharing platform, and a secondary backdoor payload. The Drokbk backdoor issues a web request to obtain the contents of a README file on a Mint Sandstorm-controlled GitHub repo. The README file contains a list of URLs that direct targets to the C2 infrastructure associated with Drokbk.
• Soldier: Soldier is a multistage .NET backdoor with the ability to download and run additional tools and uninstall itself. Like Drokbk, Soldier C2 infrastructure is stored on a domain rotator on a GitHub repository operated by Mint Sandstorm. Microsoft Threat Intelligence analysts assess that Soldier is a more sophisticated variant of Drokbk.

In certain cases, this Mint Sandstorm subgroup has used TTPs outside of these attack chains, notably when they have failed to achieve short-term objectives. In one instance, Microsoft also observed the subgroup using TTPs from both attack chains in a single compromised environment. However, in most cases, Mint Sandstorm activity displays one of the above discussed attack chains.

Low-volume phishing campaigns using template injection

Microsoft has also observed this Mint Sandstorm subgroup using a distinct attack chain involving low-volume phishing campaigns and a third custom implant.  In these operations, the group crafts bespoke phishing emails, often purporting to contain information on security policies that affect countries in the Middle East, to deliver weaponized documents to individuals of interest. Recipients are typically individuals affiliated with high-profile think tanks or universities in Israel, North America, or Europe with ties to the security and policy communities. Unlike their initial exploitation of vulnerable internet-facing applications, which is largely indiscriminate and affects organizations across sectors and geographies, activity associated with this campaign was highly targeted and affected fewer than 10 organizations..

The initial emails are most commonly lures designed to social engineer recipients into clicking a OneDrive link hosting a PDF spoofed to resemble information on a topic involving security or policy in the Middle East. The PDF contains a link to a macro-enabled template file (dotm) hosted on Dropbox. This file has been weaponized with macros to perform remote template injection, a technique that allows operators to obtain and launch a payload from a remote C2, often OneDrive. Template injection is an attractive option for adversaries looking to execute malicious code without drawing scrutiny from defenders. This technique can also be used to persist in a compromised environment if an adversary replaces a default template used by a common application.

In these attacks, Microsoft has observed the Mint Sandstorm subgroup using CharmPower, a custom implant, in attacks that began with targeted phishing campaigns. CharmPower is a modular backdoor written in PowerShell that this subgroup delivers in phishing campaigns that rely on template injection. CharmPower can read files, gather information on an infected host, and send details back to the attackers. Reporting from Checkpoint indicates that at least one version of CharmPower pulls data from a specific text file that contains a hardcoded victim identifier.

What’s next

Capabilities observed in intrusions attributed to this Mint Sandstorm subgroup are concerning as they allow operators to conceal C2 communication, persist in a compromised system, and deploy a range of post-compromise tools with varying capabilities. While effects vary depending on the operators’ post-intrusion activities, even initial access can enable unauthorized access and facilitate further behaviors that may adversely impact the confidentiality, integrity, and availability of an environment. A successful intrusion creates liabilities and may harm an organization’s reputation, especially those responsible for delivering services to others such as critical infrastructure providers, which Mint Sandstorm has targeted in the past.  

As these operators increasingly develop and use sophisticated capabilities, organizations must develop corresponding defenses to harden their attack surfaces and raise costs for these operators. Microsoft will continue to monitor Mint Sandstorm activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below and shared with the broader security community to help detect and prevent further attacks.

Mitigation and protection guidance

The techniques used by this subset of Mint Sandstorm can be mitigated through the following actions:

Hardening internet-facing assets and understanding your perimeter

Organizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as Microsoft Defender External Attack Surface Management, can be used to improve data.

Vulnerabilities observed in recent campaigns attributed to this Mint Sandstorm subgroup that defenders can identify and mitigate include:

• IBM Aspera Faspex affected by CVE-2022-47986: Organizations can remediate CVE-2022-47986 by upgrading to Faspex 4.4.2 Patch Level 2 or using Faspex 5.x which does not contain this vulnerability. More details are available in IBM’s security advisory here.
• Zoho ManageEngine affected by CVE-2022-47966: Organizations using Zoho ManageEngine products vulnerable to CVE-2022-47966 should download and apply upgrades from the official advisory as soon as possible. Patching this vulnerability is useful beyond this specific campaign as several adversaries are exploiting CVE-2022-47966 for initial access.
• Apache Log4j2 (aka Log4Shell) (CVE-2021-44228 and CVE-2021-45046): Microsoft’s guidance for organizations using applications vulnerable to Log4Shell exploitation can be found here. This guidance is useful for any organization with vulnerable applications and useful beyond this specific campaign, as several adversaries exploit Log4Shell to obtain initial access.

This Mint Sandstorm subgroup has demonstrated its ability to rapidly adopt newly reported N-day vulnerabilities into its playbooks. To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the threat and vulnerability management capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.

Reducing the attack surface

Microsoft 365 Defender customers can also turn on attack surface reduction rules to harden their environments against techniques used by this Mint Sandstorm subgroup. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant protection against the tradecraft discussed in this report.

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block Office applications from creating executable content
• Block process creations originating from PSExec and WMI commands

Additionally, in 2022, Microsoft changed the default behavior of Office applications to block macros in files from the internet, further minimizing the attack surface for operators like this subgroup of Mint Sandstorm.

Microsoft 365 Defender detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects the Drokbk implant as the following malware:

• Trojan:MSIL/Drokbk.A!dha
• Trojan:MSIL/Drokbk.B!dha
• Trojan:MSIL/Drokbk.C!dha
• Trojan:Win32/Drokbk.C!dha  

  Microsoft Defender Antivirus detects the Soldier implant as the following malware:

• Trojan:MSIL/SoldierAudio.A!dha
• Trojan:MSIL/SoldierAudio.B!dha
• Trojan:MSIL/SoldierAudio.C!dha

Microsoft Defender Antivirus detects the CharmPower implant as the following malware:

• TrojanDownloader:O97M/RooftopMelt.A!dha

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Phosphorus Actor activity detected

Hunting queries

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

ManageEngine Suspicious Process Execution.  

DeviceProcessEvents
| where InitiatingProcessFileName hasprefix "java"
| where InitiatingProcessFolderPath  has @"\manageengine\" or InitiatingProcessFolderPath has @"\ServiceDesk\"
| where (FileName in~ ("powershell.exe", "powershell_ise.exe") and
            (ProcessCommandLine has_any ("whoami", "net user", "net group", "localgroup administrators", "dsquery", "samaccountname=", " echo ", "query session", "adscredentials", "o365accountconfiguration", "-dumpmode", "-ssh", "usoprivate", "usoshared", "Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String",  "System.IO.Compression", "System.IO.MemoryStream", "iex ", "iex(", "Invoke-WebRequest", "set-MpPreference", "add-MpPreference", "certutil", "bitsadmin") // "csvhost.exe", "ekern.exe", "svhost.exe", ".dmp"
             or ProcessCommandLine matches regex @"[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}"))
           or (FileName =~ "curl.exe" and ProcessCommandLine contains "http")
           or (FileName =~ "wget.exe" and ProcessCommandLine contains "http")
           or ProcessCommandLine has_any ("E:jscript", "e:vbscript")
           or ProcessCommandLine has_all ("localgroup Administrators", "/add")
           or ProcessCommandLine has_all ("reg add", "DisableAntiSpyware", @"\Microsoft\Windows Defender")
           or ProcessCommandLine has_all ("reg add", "DisableRestrictedAdmin", @"CurrentControlSet\Control\Lsa")
           or ProcessCommandLine has_all ("wmic", "process call create")
           or ProcessCommandLine has_all ("net", "user ", "/add")
           or ProcessCommandLine has_all ("net1", "user ", "/add")
           or ProcessCommandLine has_all ("vssadmin", "delete", "shadows")
           or ProcessCommandLine has_all ("wmic", "delete", "shadowcopy")
           or ProcessCommandLine has_all ("wbadmin", "delete", "catalog")
           or (ProcessCommandLine has "lsass" and ProcessCommandLine has_any ("procdump", "tasklist", "findstr"))
 | where ProcessCommandLine !contains "download.microsoft.com" and ProcessCommandLine !contains "manageengine.com" and ProcessCommandLine !contains "msiexec"

Ruby AsperaFaspex Suspicious Process Execution.

DeviceProcessEvents
| where InitiatingProcessFileName hasprefix "ruby"
| where InitiatingProcessFolderPath has @"aspera"
| where (FileName in~ ("powershell.exe", "powershell_ise.exe") and
            (ProcessCommandLine has_any ("whoami", "net user", "net group", "localgroup administrators", "dsquery", "samaccountname=", " echo ", "query session", "adscredentials", "o365accountconfiguration", "-dumpmode", "-ssh", "usoprivate", "usoshared", "Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String",  "System.IO.Compression", "System.IO.MemoryStream", "iex ", "iex(", "Invoke-WebRequest", "set-MpPreference", "add-MpPreference", "certutil", "bitsadmin", "csvhost.exe", "ekern.exe", "svhost.exe", ".dmp")
             or ProcessCommandLine matches regex @"[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}"))
           or (FileName =~ "curl.exe" and ProcessCommandLine contains "http")
           or (FileName =~ "wget.exe" and ProcessCommandLine contains "http")
           or ProcessCommandLine has_any ("E:jscript", "e:vbscript")
           or ProcessCommandLine has_all ("localgroup Administrators", "/add")
           or ProcessCommandLine has_all ("reg add", "DisableAntiSpyware", @"\Microsoft\Windows Defender")
           or ProcessCommandLine has_all ("reg add", "DisableRestrictedAdmin", @"CurrentControlSet\Control\Lsa")
           or ProcessCommandLine has_all ("wmic", "process call create")
           or ProcessCommandLine has_all ("net", "user ", "/add")
           or ProcessCommandLine has_all ("net1", "user ", "/add")
           or ProcessCommandLine has_all ("vssadmin", "delete", "shadows")
           or ProcessCommandLine has_all ("wmic", "delete", "shadowcopy")
           or ProcessCommandLine has_all ("wbadmin", "delete", "catalog")
           or (ProcessCommandLine has "lsass" and ProcessCommandLine has_any ("procdump", "tasklist", "findstr"))

Log4J Wstomcat Process Execution.

DeviceProcessEvents
| where InitiatingProcessFileName has "ws_tomcatservice.exe" and FileName !in~("repadmin.exe")

Encoded watcher Function.

DeviceProcessEvents 
| where FileName =~ "powershell.exe" and ProcessCommandLine hasprefix "-e"
| extend SplitString = split(ProcessCommandLine, " ")
| mvexpand SS = SplitString 
| where SS matches regex "^[A-Za-z0-9+/]{50,}[=]{0,2}$"
| extend base64_decoded = replace(@'\0', '', make_string(base64_decode_toarray(tostring(SS))))
| where not(base64_decoded has_any(@"software\checker", "set folder to watch"))
| where base64_decoded has_all("$hst", "$prt") or base64_decoded has_any("watcher", @"WAt`CH`Er()")

 Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytic (a series of analytics all prefixed with “TI map”) to automatically match the indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

In addition, Microsoft Sentinel customers can leverage the following content to hunt for and detect related activity in their environments:

• Log4J solution
• Potential Impacket Execution
• Commands executed by WMI on new hosts – potential Impacket
• Scheduled Task Hidden
• Remote Task Creation/Update using Schtasks Process
• Scheduled Task Creation or Update from User Writable Directory
• Exchange SSRF Autodiscover ProxyShell – Detection

Indicators of compromise

References

Iran: Background and U.S. Policy. Congressional Research Service

Cobalt Illusion Masquerades as Atlantic Council Employee. Secureworks

Apt42: Crooked Charms, Cons, and Compromises. Mandiant

Badblood: TA453 Targets US & Israel in Credential Phishing. Proofpoint

Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity. U.S. Department of the Treasury

Officials: Israel Linked to a Disruptive Cyberattack on Iranian Port Facility. The Washington Post

Iran Says Cyberattack Causes Widespread Disruption at Gas Stations. Thomson Reuters

Iran’s Evolving Approach to Asymmetric Naval Warfare. The Washington Institute for Near East Policy

Hackers breach Iran rail network, disrupt service | Reuters. Reuters

APT35 Exploits Log4J Vulnerability to Distribute New Modular PowerShell Toolkit. Checkpoint

Iran Says Gas Stations Were Target Of Cyberattack To Foment Unrest (iranintl.com)

Complaint – Summons – Civil Cover Sheet.pdf (noticeofpleadings.com)

The post Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. MERCURY is now tracked as Mango Sandstorm and DEV-1084 is now tracked as Storm-1084.

To learn more about the new taxonomy represents the origin, unique traits, and impact of threat actors, to get complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

Microsoft Threat Intelligence has detected destructive operations enabled by MERCURY, a nation-state actor linked to the Iranian government, that attacked both on-premises and cloud environments. While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation.

Previous MERCURY attacks have been observed targeting on-premises environments, however, the impact in this case notably also included destruction of cloud resources. Microsoft assesses that MERCURY likely worked in partnership with another actor that Microsoft tracks as DEV-1084, who carried out the destructive actions after MERCURY’s successful operations had gained access to the target environment.

MERCURY likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage. DEV-1084 was then later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients.

In this blog post, we detail our analysis of the observed actor activity and related tools. We also share information to the community and industry partners on ways to detect these attacks, including detection details of MERCURY and DEV-1084’s tools in Microsoft 365 Defender, Microsoft Defender for Identity, Microsoft Defender for Cloud Applications, Microsoft Defender Antivirus, and Microsoft Defender for Endpoint. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity.

Who is DEV-1084?

Microsoft tracks the destructive actions documented in this blog post as DEV-1084. DEV-1084 likely worked in partnership with MERCURY—an Iran-based actor that the US Cyber Command has publicly linked to Iran’s Ministry of Intelligence and Security (MOIS). DEV-1084 publicly adopted the DarkBit persona and presented itself as a criminal actor interested in extortion, likely as an attempt to obfuscate Iran’s link to and strategic motivation for the attack.

The link between the DEV-1084 cluster and MERCURY was established based on the following evidence:

• DEV-1084 operators were observed sending threatening emails from 146.70.106[.]89, an IP address previously linked to MERCURY.
• DEV-1084 used MULLVAD VPN, the same VPN provider historically used by MERCURY.
• DEV-1084 used Rport and a customized version of Ligolo. MERCURY has also been observed using Rport and a similar version of Ligolo in previous attacks.
• DEV-1084 used the vatacloud[.]com domain for command and control (C2) during this incident. Microsoft assesses with high-confidence that the vatacloud[.]com domain is controlled by MERCURY operators.

Microsoft assesses that MERCURY gains access to the targets through remote exploitation of an unpatched internet-facing device. MERCURY then handed off access to DEV-1084. It is not currently clear if DEV-1084 operates independently of MERCURY and works with other Iranian actors or if DEV-1084 is an ‘effects based’ sub-team of MERCURY that only surfaces when MERCURY operators are instructed to carry out a destructive attack.

Early activities, related attacker tools and techniques

Microsoft assesses with moderate confidence that the threat actors attempted several times and succeeded to perform initial intrusion leveraging exposed vulnerable applications, for example, continuing to exploit Log4j 2 vulnerabilities in unpatched systems in July 2022.

After gaining access, the threat actors deploy several tools and leverage techniques to maintain persistence, which provide effective and continued access to compromised devices, such as the following:

• Installing web shells
• Adding a local user account and elevating privileges to local administrator
• Installing legitimate remote access tools, such as RPort, Ligolo and eHorus
• Installing a customized PowerShell script backdoor
• Stealing credentials

Once the persistence is established, the threat actors perform extensive discovery leveraging common native Windows tools and commands such as netstat and nltest. Such reconnaissance activities were seen leveraged throughout the attack chain.

The threat actors consistently perform extensive lateral movement actions using the acquired credentials within a targeted environment. These actions mainly involved:

• Remote scheduled tasks to launch their customized PowerShell backdoor
• Windows Management Instrumentation (WMI) to launch commands on devices
• Remote services to run encoded PowerShell commands

After infecting the new devices, the threat actors often installed the same persistence mechanisms as described above. Interestingly, after each main attack step, the actors did not always immediately continue their operations but would wait weeks and sometimes months before moving to the next step.

For execution and communication, the threat actors leverage several C2 servers and sometimes deploy tunnelling tools, such as Ligolo and OpenSSH, commonly leveraged to stay under the radar of security teams and solutions.

On-premises destructive impact

In observed activity, the threat actors leveraged highly privileged credentials and access to domain controllers on on-premises destructive operations to prepare for large-scale encryption of targeted devices.

To do so, they first interfered with security tools using Group Policy Objects (GPO). With defenses impaired, the threat actors proceeded to stage the ransomware payload in the NETLOGON shares on several domain controllers.

GPO was leveraged again to register a scheduled task used to launch the ransomware payload. Finally, the ransomware payload encrypted files found on the file system of the targeted devices by changing the file name extension to DARKBIT and dropped ransom notes.

Moving from on-premises to cloud

To move from on-premises to the cloud, the threat actors had to first compromise two privileged accounts and leverage them to manipulate the Azure Active Directory (Azure AD) Connect agent. Two weeks before the ransomware deployment, the threat actors first used a compromised, highly privileged account to access the device where the Azure Active Directory (Azure AD) Connect agent is installed. We assess with high confidence that the threat actors then used the AADInternals tool to extract the plaintext credentials of a privileged Azure AD account. The threat actors then used these credentials to pivot from the on-premises environment to the Azure AD environment.

Azure AD Connect is an on-premises application for managing hybrid identities through features like password hash synchronization, pass-through authentication, objects synchronization, and others. As part of the express settings installation process, multiple accounts are created both in the on-premises (Windows Server Active Directory) and cloud (Azure AD) environments. The first account is the AD DS Connector Account. The account name is prefixed with MSOL_ and it is created with a long complex password.

This account’s permissions are set based on features enabled during the service’s installation, but in most common scenarios, the account has permissions to replicate directory changes, modify passwords, modify users, modify groups, and so on (see all the permissions here). In addition, during installation, an Azure AD account called the Azure AD Connector Account is also created. This account is used by the synchronization service to manage Azure AD objects. The account is created with a long complex password as well, and by default (if using the express settings) prefixed with Sync_[ServerName]. This user is assigned with the Directory Synchronization Accounts role (see detailed permissions of this role here). In older versions, this account might be assigned with the Global Administrator role.

There are other entities detailed here that are created but are less relevant to this topic.

Extracting credentials

Two weeks before the ransomware deployment, the threat actors were observed using compromised credentials to access the Azure AD Connect device. Next, they set up an SSH tunnel to an attacker-controlled device. On a separate attacker-controlled compromised device, evidence indicates cloning of the AADInternals tool. One of the functions available in this tool’s library is Get-AADIntSyncCredentials, which allows any local administrator on a device where Azure AD Connect is installed to extract the plaintext credentials of both the Azure AD Connector account and the AD DS Connector account.

Shortly before the ransomware deployment, we observed authentication from a known attacker IP address into the Azure AD Connector cloud account. Investigating this sign-in showed that the threat actors were able to access the account on the first attempt without any guessing or modification of the password, indicating that the actors possessed the password for this account. The Azure AD Connector account is configured with single-factor authentication, making it easier for the attacker to gain entry and elevate privileges.

Cloud destructive impact

On the day of the ransomware attack, the threat actors executed multiple actions in the cloud using two privileged accounts. The first account was the compromised Azure AD Connector account, which had Global Administrator permissions as it was set up for an old solution (DirSync). For the second account, which also had Global Administrator permissions, the threat actors leveraged RDP for access into the account. Even though this account had MFA in place, the threat actors accessed it through RDP, which is an open session that evades MFA blocking their activities.

Mass Azure resource deletion

On the same day, a successful sign-in to the Microsoft Azure environment was observed. The threat actors claimed the Global Administrator permission through Azure Privileged Identity Management (PIM) and elevated access to get permissions to the target’s management groups and Azure subscriptions. The Azure AD Connector account and the compromised administrator account were then used to perform significant destruction of the Azure environment—deleting within a few hours server farms, virtual machines, storage accounts, and virtual networks. We assess that the attacker’s goal was to cause data loss and a denial of service (DoS) of the target’s services.

Exchange Web Server API abuse

The actors went on to provide an existing legitimate OAuth application with both the full_access_as_app permission and administrator consent, which granted the threat actors full access to mailboxes through Exchange Web Services.

With the obtained cloud administrator privileges, the threat actors updated the OAuth application with certificates to conduct malicious activities.  These newly added credentials could then be used to issue access tokens and authenticate on behalf of the application to access cloud resources.

We then observed the threat actors using this application’s permissions to perform GetItem operations over many mailboxes in the target environment. They also performed thousands of search activities, which we suspect were attempts to dump mailboxes and/or search for sensitive data in them.

Email impersonation

The threat actors used the compromised administrator account to grant SMTP Send on behalf permissions to the Azure AD Connector account over a high-ranking employee’s mailbox, using the Set-Mailbox PowerShell cmdlet.

Emails were then created and sent both internally and externally.

The timeline below summarizes the sequence of events:

Mitigations for destructive attacks

The techniques used by the actors and described in this blog can be mitigated by adopting the following security measures: 

Recommendations to secure your on-prem environment

• Refer to Microsoft’s blog Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself for recommendations on building strong credential hygiene and other robust measures to defend against ransomware and human operated attacks.
• Enable tamper protection – Tamper protection is a feature in Microsoft Defender for Endpoint that prevents antivirus tampering and misconfiguration by malicious apps and actors. Customers running Intune can enable DisableLocalAdminMerge to prevent modification of antivirus exclusions via GPO.

Recommendations to secure your Azure AD environment

• Enable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
• Enable continuous access evaluation – Continuous access evaluation (CAE) revokes access in real time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.
• Search unified audit logs for the SendAs operation to identify and track emails sent on behalf of a user mailbox.
• Further steps and recommendation to manage, design, and secure your Azure AD environment can be found by referring to Azure Identity Management and access control security best practices.

Detections

Microsoft 365 Defender

The following alerts in Microsoft 365 Defender can be used to detect suspicious operations in Azure related to the attacker activities described in this blog, including destructive activity:

• Access elevation by risky user
• Suspicious Azure resource deletions
• Suspicious Addition of an Exchange related App Role

In addition, the following alert can help detect compromised Azure AD Connect accounts:

• Unusual activities by Azure AD Connect sync account

Microsoft Defender for Cloud Apps

For Microsoft Defender for Cloud Apps with Azure Connector enabled, the following alerts can be used to detect destructive operations in Azure:

• Multiple storage deletion activities
• Multiple delete VM activities

Azure AD Identity Protection

Monitor medium and high severity alerts for highly privileged accounts as they can indicate malicious activity. For example:

• Unfamiliar sign-in properties

Find details of Azure AD Identity Protection alerts here.

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

• Suspicious additions to sensitive groups

For relevant accounts with Honeytoken configured, the following alert can indicate malicious activity:

• Honeytoken activity

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects attempted exploitation and post-exploitation activity and payloads. Turn on cloud-delivered protection to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block most new and unknown threats. Refer to the list of detection names related to exploitation of Log4j 2 vulnerabilities. Detections for the IOCs listed above are listed below:

• Backdoor:PHP/Remoteshell.V
• HackTool:Win32/LSADump
• VirTool:Win32/RemoteExec
• Trojan:PowerShell/Downloader.SB
• Trojan:Win32/Nibtse.G!tsk
• Backdoor:ASP/Shellman.SA
• Ransom:Win64/DarkBit
• VirTool:Win32/AtExecCommand

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint alerts with the following titles can indicate possible presence of the indicators of compromise listed below.

• Mercury actor activity detected
• Ransomware-linked emerging threat actor DEV-1084 detected

Reducing the attack surface

Microsoft Defender for Endpoint customers can turn on the following attack surface reduction rule to block or audit some observed activity associated with this threat:

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
• Implement controlled folder access and add folders to the protected folders list to help prevent files from being altered or encrypted by ransomware. Set controlled folder access to Enabled.

Detecting Log4j 2 exploitation

Alerts that indicate threat activity related to the exploitation of the Log4j 2 exploitation should be immediately investigated and remediated. Refer to our Log4j related blogs to learn about this vulnerability and for a list of Microsoft Defender for Endpoint alerts that can indicate exploitation and exploitation attempts.

Detecting post-exploitation activity

Alerts with the following titles may indicate post-exploitation threat activity related to MERCURY activity described in this blog and should be immediately investigated and remediated. These alerts are supported on both Windows and Linux platforms:

Any alert title related to web shell threats, for example:

• ‘WebShell’ backdoor was prevented on an IIS Web server

Any alert title that mentions the DarkBit ransomware threat or DEV-1084, for example:

• ‘DarkBit’ ransomware was blocked
• ‘DarkBit’ ransomware was detected
• ‘DarkBit’ ransomware was prevented
• Ransomware-linked emerging threat actor DEV-1084 detected

Any alert title that mentions suspicious scheduled task creation or execution, for example:

• Suspicious scheduled task

Any alert title that mentions suspected tunneling activity, for example:

• Suspicious SSH tunneling activity

Any alert title that mentions suspected tampering activity, for example:

• Suspicious Microsoft Defender Antivirus exclusion
• Microsoft Defender Antivirus tampering

Any alert title that mentions PowerShell, for example:

• Suspicious process executed PowerShell command
• A malicious PowerShell Cmdlet was invoked on the machine
• Suspicious PowerShell command line
• Suspicious PowerShell download or encoded command execution
• Suspicious remote PowerShell execution

Any alert title related to suspicious remote activity, for example:

• Suspicious RDP session
• An active ‘RemoteExec’ malware was blocked
• Suspicious service registration

Any alert related to persistence:

• Anomaly detected in ASEP registry
• User account created under suspicious circumstances

Any alert title that mentions credential dumping activity or tools, for example:

• Malicious credential theft tool execution detected
• Credential dumping activity observed
• Mimikatz credential theft tool
• ‘DumpLsass’ malware was blocked on a Microsoft SQL server

Microsoft Defender Vulnerability Management

In addition to the mitigations above being presented and managed through Microsoft Defender Vulnerability Management, Microsoft 365 Defender customers can use threat and vulnerability management to identify and remediate devices that are vulnerable to Log4j 2 exploitation. More comprehensive guidance on this capability can be found on this blog: Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability.

Advanced hunting queries

Microsoft 365 Defender

To locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:

// Advanced Hunting Query to surface potential Mercury PowerShell script backdoor installation

DeviceFileEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where FolderPath in~ (@"c:\programdata\db.ps1", @"c:\programdata\db.sqlite")
| summarize min(Timestamp), max(Timestamp) by DeviceId, SHA256, InitiatingProcessParentFileName

DeviceProcessEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine has_cs "-EP BYPASS -NoP -W h"
| summarize makeset(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId

// Advanced Hunting Query to surface potential Mercury PowerShell script backdoor initiating commands

DeviceProcessEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine contains_cs @"c:\programdata\db.ps1"
| summarize makeset(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId

//Advanced Hunting Query for Azure resource deletion activity

let PrivEscalation = CloudAppEvents 
| where Application == "Microsoft Azure"
| where ActionType == "ElevateAccess Microsoft.Authorization"
| where ActivityObjects has "Azure Subscription" and ActivityObjects has "Azure Resource Group"
| extend PrivEscalationTime = Timestamp
| project AccountObjectId, PrivEscalationTime ,ActionType;
CloudAppEvents
| join kind = inner PrivEscalation on AccountObjectId
| extend DeletionTime = Timestamp
| where (DeletionTime - PrivEscalationTime) <= 1h
| where Application == "Microsoft Azure"
| where ActionType has "Delete"
|summarize min(DeletionTime), TotalResourcersDeleted =count(), CountOfDistinctResources= dcount(ActionType), DistinctResources=make_set(ActionType) by AccountObjectId

//AHQ used to detect attacker abusing OAuth application during the attack

CloudAppEvents
    | where Application == "Office 365"
    | where ActionType == "Consent to application."
    | where RawEventData.ResultStatus =~ "success"
    | extend UserId = tostring(RawEventData.UserId)
    | mv-expand AdminConsent = RawEventData.ModifiedProperties 
    | where AdminConsent.Name == "ConsentContext.IsAdminConsent" and AdminConsent.NewValue == "True"
    | project ConsentTimestamp =Timestamp, UserId, AccountObjectId, ReportId, ActionType
    | join kind = leftouter (CloudAppEvents  
        | where Application == "Office 365"      
        | where ActionType == "Add app role assignment to service principal."   
        | extend PermissionAddedTo = tostring(RawEventData.Target[3].ID)
        | extend FullAccessPermission = RawEventData.ModifiedProperties 
        | extend OuthAppName = tostring(FullAccessPermission[6].NewValue) // Find app name
        | extend OAuthApplicationId = tostring(FullAccessPermission[7].NewValue) // Find appId
        | extend AppRoleValue = tostring(FullAccessPermission[1].NewValue) // Permission Level
        | where AppRoleValue == "full_access_as_app"
        | project PermissionTime=Timestamp, InitiatingUser=AccountDisplayName, OuthAppName, OAuthApplicationId, AppRoleValue, AccountObjectId, FullAccessPermission
    ) on AccountObjectId

Microsoft Sentinel

Microsoft Sentinel has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft Defender detections list above.

• full_access_as_app Granted To Application
• Potential SSH Tunnel to AAD Connect Host
• Suspicious Sign In by AAD Connect Sync Account
• Malicious web application requests linked with Microsoft Defender for Endpoint
• Web Shell Activity
• Tracking Privileged Account Rare Activity
• Mass Cloud resource deletions Time Series Anomaly
• Consent to Application discovery
• OAuth Application Required Resource Access Update
• Rare application consent
• Credential added after admin consented to ApplicationNew access credential added to Application or Service Principal

Microsoft Sentinel customers can use the TI Mapping analytic (a series of analytics all prefixed with “TI map”) to automatically match the indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

Indicators of compromise (IOCs)

The below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

NOTE: These indicators should not be considered exhaustive for this observed activity.

Microsoft Defender Threat Intelligence

Community members and customers can find summary information and all IOCs from this blog post in the linked Microsoft Defender Threat Intelligence article.

References

• https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/
• https://ehorus.com/
• https://github.com/nicocha30/ligolo-ng
• https://www.openssh.com/
• https://github.com/Gerenios/AADInternals/blob/master/AADSyncSettings.ps1#L97

The post MERCURY and DEV-1084: Destructive attack on hybrid environment appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1028 is now tracked as Storm-1028.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

Malware operations continue to rapidly evolve as threat actors add new capabilities to existing botnets, increasingly targeting and recruiting new types of devices. Attackers update malware to target additional operating systems, ranging from PCs to IoT devices, growing their infrastructure rapidly. The Microsoft Defender for IoT research team recently analyzed a cross-platform botnet that originates from malicious software downloads on Windows devices and succeeds in propagating to a variety of Linux-based devices.

The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices. Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet. The botnet’s spreading mechanism makes it a unique threat, because while the malware can be removed from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet.

Microsoft tracks this cluster of activity as DEV-1028, a cross-platform botnet that infects Windows devices, Linux devices, and IoT devices. The DEV-1028 botnet is known to launch distributed denial of service (DDoS) attacks against private Minecraft servers.

Our analysis of the DDoS botnet revealed functionalities specifically designed to target private Minecraft Java servers using crafted packets, most likely as a service sold on forums or darknet sites. A breakdown of the systems affected by the botnet over the three months from the time of this analysis also revealed that most of the devices were in Russia:

This type of threat stresses the importance of ensuring that organizations manage, keep up to date, and monitor not just traditional endpoints but also IoT devices that are often less secure. In this blog post, we share details on how this botnet affects multiple platforms, its DDoS capabilities, and recommendations for organizations to prevent their devices from becoming part of a botnet. We also share Minecraft server version information for owners of private servers to update and ensure they are protected from this threat.

Cross-platform botnet targets SSH-enabled devices

Microsoft researchers observed that the initial infection points related to the botnet were devices infected through the installation of malicious cracking tools that purport to acquire illegal Windows licenses.

The cracking tools contain additional code that downloads and launches a fake version of svchost.exe through a PowerShell command. In some cases, the downloaded file is named svchosts.exe.

Next, svchost.exe launches malicious.py, the main Python script that contains all the logic of the botnet, whichthen scans the internet for SSH-enabled Linux-based devices (Debian, Ubuntu, CentOS, and IoT workloads such as Raspbian, which are commonly enabled for remote configuration) and launches a dictionary attack to propagate. Once a device is found, it downloads the file Updater.zip from repo[.]ark—event[.]net onto the device, which creates the file fuse. The fuse file then downloads a copy of malicious.py onto the device. Both svchost.exe and fuse are compiled using PyInstaller, which bundles all the Python runtime and libraries necessary to initiate malicious.py.

While malicious.py has specific functionalities depending on whether the file launches on a Windows or Linux-based device (for Windows, the file establishes persistency by adding the registry key Software\Microsoft\Windows\CurrentVersion\Run with the executable as the value), the executable is compiled to operate on both Windows and Linux-based devices. The file communicates with its command-and-control (C2) server to launch the following commands:

• Establish TCP connection to repo[.]ark-event[.]net on port 4676.
• Send initial connection string.
• Receive a key from the server for encryption and decryption, and then encrypt further communication using the Fernet symmetric algorithm.
• Send version information to the server:
  • Windows device: The current Windows version
  • Linux device: Hardcoded version (2.19 in the sample we analyzed)
• Continue receiving encrypted commands from the server

Based on our analysis, the botnet is primarily used to launch DDoS attacks against private Minecraft servers using known server DDoS commands and unique Minecraft commands. Below is the list of commands established in the code:

While most of the commands are methods of DDoS, the most notable command run by the botnet is ATTACK_MCCRASH. The command sends ${env:random payload of specific size:-a} as the username in order to exhaust the resources of the server and make it crash.

TCP payloads on port 25565 have the following binary structure:

• Bytes [0:1] – Size of packet
• Bytes [1:2] – Login Start command
• Bytes [2:3] – Size of username
• Bytes [3:18] – Username string

The usage of the env variable triggers the use of Log4j 2 library, which causes abnormal consumption of system resources (not related to Log4Shell vulnerability), demonstrating a specific and highly efficient DDoS method.

A wide range of Minecraft server versions could be affected

While testing the impact of the malware, researchers found that the malware itself was hardcoded to target a specific version of Minecraft server, 1.12.2. However, all versions between 1.7.2 and 1.18.2 can be affected by this method of attack. There is a slight modification in the Minecraft protocol in server version 1.19, which was released earlier in 2022, that prevents the use of the Minecraft specific commands, the ATTACK_MCCRASH, ATTACK_[MCBOT|MINE] and ATTACK_MCDATA, without modification of the attack code.

The wide range of at-risk Minecraft servers highlights the impact this malware could have had if it was specifically coded to affect versions beyond 1.12.2. The unique ability of this threat to utilize IoT devices that are often not monitored as part of the botnet substantially increases its impact and reduces its chances of being detected.

Protecting endpoints from cross-platform DDoS botnets like MCCrash

To harden devices networks against threats like MCCrash, organizations must implement the basics to secure identities and their devices, including access limitation. Solutions must detect downloads of malicious programs and malicious attempts to gain access to SSH-enabled devices and generate alerts on anomalous network behavior. Below are some of our recommendations for organizations:

• Ensure employees are not downloading cracking tools as these are abused as an infection source for spreading malware.

• Increase network security by enforcing multi-factor authentication (MFA) methods such as Azure Active Directory (now part of Microsoft Entra) MFA. Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  
  Microsoft 365 Defender protects against attacks related to botnets by coordinating threat data across identities, endpoints, cloud apps, email, and documents. Such cross-domain visibility allows Microsoft 365 Defender to comprehensively detect and remediate end-to-end attack chains—from malicious downloads to its follow-on activities in endpoints. This rich set of tools like advanced hunting let defenders surface threats and gain insights for hardening networks from compromise.

• Adopt a comprehensive IoT security solution such as Microsoft Defender for IoT to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender. Defender for IoT is updated regularly with indicators of compromise (IoCs) from threat research like the example described in this blog, alongside rules to detect malicious activity.
  
  On the IoT device level:
  • Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.
  • Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.
  • Use least privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.

• For users hosting private Minecraft servers, update to version 1.19.1 and above.

• Adopt a comprehensive Windows security solution
  • Manage the apps your employees can use through Windows Defender Application Control and for unmanaged solutions, enabling Smart App Control.
  • For commercial customers, enable application and browser controls such as Microsoft Defender Application Guard for enhanced protection for Office and Edge.
  • Perform timely cleanup of all unused and stale executables sitting on your organizations’ devices.
  • Protect against advanced firmware attacks by enabling memory integrity, Secure Boot, and Trusted Platform Module 2.0, if not enabled by default, which hardens boot using capabilities built into modern CPUs.

Indicators of compromise (IOCs)

• e3361727564b14f5ee19c40f4e8714fab847f41d9782b157ea49cc3963514c25 (KMSAuto++.exe)
• 143614d31bdafc026827e8500bdc254fc1e5d877cb96764bb1bd03afa2de2320 (W10DigitalActivation.exe)
• f9c7dd489dd56e10c4e003e38428fe06097aca743cc878c09bf2bda235c73e30 (dcloader.exe)
• 4e65ec5dee182070e7b59db5bb414e73fe87fd181b3fc95f28fe964bc84d2f1f (updater.zip)
• eb57788fd2451b90d943a6a796ac5e79f0faf7151a62c1d07b744a351dcfa382 (svchosts.exe)
• 93738314c07ea370434ac30dad6569c59a9307d8bbde0e6df9be9e2a7438a251 (fuse)
• 202ac3d32871cb3bf91b7c49067bfc935fbc7f0499d357efead1e9f7f5fcb9d1 (malicious.py)
• repo[.]ark-event[.]net

Detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects the malware used in this attack as the following:

• TrojanDownloader:MSIL/MCCrash.NZM!MTB
• Trojan:Win32/MCCrash.MA!MTB
• TrojanDownloader:Python/MCCrash!MTB
• Trojan:Python/MCCrash.A
• TrojanDownloader:Linux/MCCrash!MTB
• Trojan:Python/MCCrash.RPB!MTB
• Trojan:Python/MCCrash.RPC!MTB

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:

• Emerging threat activity group DEV-1028 detected
• System file masquerade
• Anomaly detected in ASEP registry
• Suspicious process launched using cmd.exe
• Suspicious file launch

Microsoft Defender for IoT

MCCrash-related activity on IoT devices would raise the following alerts in Microsoft Defender for IoT:

• Unauthorized SSH access
• Excessive login attempts

Microsoft Defender for Cloud

Microsoft Defender for Cloud raises the following alert for related activity:

• VM_SuspectDownload

Advanced hunting queries

Microsoft 365 Defender

Run the following queries to search for related files in your environment:

DeviceFileEvents
| where SHA256 in ("e3361727564b14f5ee19c40f4e8714fab847f41d9782b157ea49cc3963514c25","143614d31bdafc026827e8500bdc254fc1e5d877cb96764bb1bd03afa2de2320","f9c7dd489dd56e10c4e003e38428fe06097aca743cc878c09bf2bda235c73e30","4e65ec5dee182070e7b59db5bb414e73fe87fd181b3fc95f28fe964bc84d2f1f","eb57788fd2451b90d943a6a796ac5e79f0faf7151a62c1d07b744a351dcfa382","93738314c07ea370434ac30dad6569c59a9307d8bbde0e6df9be9e2a7438a251","202ac3d32871cb3bf91b7c49067bfc935fbc7f0499d357efead1e9f7f5fcb9d1")

DeviceFileEvents
| where FolderPath endswith @":\windows\svchost.exe"

DeviceRegistryEvents
| where RegistryKey contains "CurrentVersion\\Run"
| where RegistryValueName == "br" or RegistryValueData contains "svchost.exe" or RegistryValueData contains "svchosts.exe"

DeviceProcessEvents
| where FileName in~ ("cmd.exe", "powershell.exe")
| where ProcessCommandLine has_all ("-command", ".downloadfile(", "windows/svchost.exe")

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytic to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

To supplement this indicator matching, customers can use the following queries against data ingested into their workspaces to help find devices with exposed SSH endpoints, and devices that might be under SSH brute force attempts.

Potential SSH brute force attempt: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Syslog/ssh_potentialBruteForce.yaml

Exposed critical ports in Azure: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDiagnostics/CriticalPortsOpened.yaml

David Atch, Maayan Shaul, Mae Dotan, Yuval Gordon, Microsoft Defender for IoT Research Team

Ross Bevington, Microsoft Threat Intelligence Center (MSTIC)

The post MCCrash: Cross-platform DDoS botnet targets private Minecraft servers appeared first on Microsoft Security Blog.

We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices. Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs). Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files. Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.

In this blog, we detail the risks affiliated with vulnerable components, highlighting the Boa web server, and how we suspect these components could be exploited to target critical industries. We also discuss the difficulties with identifying these components in device supply chains. To provide comprehensive protection against such attacks, we offer detection information to identify vulnerable components and guidance for organizations and network operators to improve their security posture.

Investigating the attack activity

The attack detailed in the Recorded Future report was one of several intrusion attempts on Indian critical infrastructure since 2020, with the most recent attack on IT assets confirmed in October 2022. Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa.

Microsoft further identified that half of the IP addresses published by Recorded Future returned suspicious HTTP response headers, which might be associated with the active deployment of the malicious tool identified by Recorded Future. The combination of Boa and suspicious response headers was identified on another set of IP addresses, displaying similar behavior to those found by Recorded Future. While these IP addresses are not confirmed as malicious, we recommend they be monitored to ensure no additional suspicious activity. Users of Microsoft Defender Threat Intelligence will find these IP addresses in the portal labeled as block-listed or suspicious:

• 122[.]117[.]212[.]65
• 103[.]58[.]93[.]133
• 125[.]141[.]38[.]53
• 14[.]45[.]33[.]239
• 14[.]55[.]86[.]138
• 183[.]108[.]133[.]29
• 183[.]99[.]53[.]180
• 220[.]94[.]133[.]121
• 58[.]76[.]177[.]166

Investigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services, with many of the IP addresses associated to IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators. Most of the suspicious HTTP response headers were returned over a short timeframe of several days, leading researchers to believe they may be associated with intrusion and malicious activity on networks.

Since the report’s publication, Microsoft researchers tracking the published IPs hosts have observed that all IP addresses have been compromised by a variety of attackers employing different malicious methods. For example, some of the IP addresses were further leveraged to download a variant of the Mirai malware family shortly following the report’s release. Microsoft also found evidence that across different devices on the IP addresses, there were attempts to connect with default credentials through brute force methods and attempts to run shell commands. Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector.

Boa widespread through SDKs

The Boa web server is widely implemented across a variety of devices, including IoT devices ranging from routers to cameras, and is often used to access settings and management consoles as well as sign-in screens. The popularity of Boa web servers is especially concerning as Boa has been formally discontinued since 2005. Data from the Microsoft Defender Threat Intelligence platform identified over 1 million internet-exposed Boa server components around the world over the span of a week, as depicted in the below figure:

Boa web servers remain pervasive in the development of IoT devices, one reason for this could be its inclusion in popular SDKs, which contain essential functions that operate system on chip (SOC) implemented in microchips. Vulnerable components like Boa and SDKs are often distributed to customers within devices, contributing to supply chain vulnerabilities. Popular SDKs like those released by RealTek, are used in SOCs provided to companies that manufacture gateway devices like routers, access points, and repeaters. Critical vulnerabilities such as CVE-2021-35395, which affected the digital administration of devices using RealTek’s SDK, and CVE-2022-27255, a zero-click overflow vulnerability, reportedly affect millions of devices globally and allow attackers to launch code, compromise devices, deploy botnets, and move laterally on networks.

While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities. Boa servers are affected by several known vulnerabilities, including CVE-2009-4496, which could allow attackers to execute code remotely. Additional vendor and device specific vulnerabilities exist across a range of devices including routers.

The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network. Updating the firmware of IoT devices does not always patch SDKs or specific SOC components and there is limited visibility into components and whether they can be updated. The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people.

Recommendations

As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations. This case displays the importance of proactive cyber security practices and the need to identify vulnerable components that may be leveraged by attackers.

Microsoft recommends that organizations and network operators follow best practice guidelines for their networks:

• Patch vulnerable devices whenever possible to reduce exposure risks across your organization.
• Utilize device discovery and classification to identify devices with vulnerable components by enabling vulnerability assessments, which identifies unpatched devices in the organizational network and set workflows for initiating appropriate patch processes with solutions like Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint with Microsoft Defender for IoT .
• Extend vulnerability and risk detection beyond the firewall with platforms like Microsoft Defender External Attack Surface Management. Customers can identify internet-exposed infrastructure running Boa web server components in their inventory and use the insights tile under the Attack Surface Summary dashboard to surface assets vulnerable to CVE-2009-4496. The insight can be found under High Severity Observations.
• Reduce the attack surface by eliminating unnecessary internet connections to IoT devices in the network. Apply network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion. IoT and critical device networks should be isolated with firewalls.
• Use proactive antivirus scanning to identify malicious payloads on devices.
• Configure detection rules to identify malicious activity whenever possible. Security personnel can use our snort rule below to configure security solutions to detect CVE-2022-27255 on assets using the RealTek SDK.

alert udp any any -> any any (msg:"Realtek eCOS SDK SIP Traffic Exploit CVE-2022-27255"; content: "invite"; depth: 6; nocase;  content: "sip:"; content: "m=audio "; isdataat: 128,relative;   content:!"|0d|"; within: 128;sid:20221031;)

• Adopt a comprehensive IoT and OT solution like Microsoft Defender for IoT to monitor devices, respond to threats, and increase visibility in order to detect and alert when IoT devices with Boa are used as an entry point to a network and protect critical infrastructure. 

Adam Castleman, Jordan Herman, Microsoft Defender Threat Intelligence
Rotem Sde Or, Ilana Sivan, Gil Regev, Microsoft Defender for IoT Research Team
Ross Bevington, Microsoft Threat Intelligence Center

The post Vulnerable SDK components lead to supply chain risks in IoT and OT environments appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather.

• PHOSPHORUS is now tracked as Mint Sandstorm
• DEV-0270 is now tracked as Storm-0270

To learn more about this evolution, how the new taxonomy represents the origin, unique traits, and impact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaigns. We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV-0270’s operations.

DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.

In some instances where encryption was successful, the time to ransom (TTR) between initial access and the ransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys. In addition, the actor has been observed pursuing other avenues to generate income through their operations. In one attack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the organization for sale packaged in a SQL database dump.

Using these observations, this blog details the group’s tactics and techniques across its end-to-end attack chain to help defenders identify, investigate, and mitigate attacks. We also provide extensive hunting queries designed to surface stealthy attacks. This blog also includes protection and hardening guidance to help organizations increase resilience against these and similar attacks.

Who is DEV-0270?

Microsoft assesses that DEV-0270 is operated by a company that functions under two public aliases: Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]ir). We have observed numerous infrastructure overlaps between DEV-0270 and Secnerd/Lifeweb. These organizations are also linked to Najee Technology Hooshmand (ناجی تکنولوژی هوشمند), located in Karaj, Iran.

The group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and devices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks.

As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

Observed actor activity

Initial access

In many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). For Exchange, the most prevalent exploit has been ProxyLogon—this highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to successfully exploit these vulnerabilities even recently, well after updates supplied the fixes. While there have been indications that DEV-0270 attempted to exploit Log4j 2 vulnerabilities, Microsoft has not observed this activity used against customers to deploy ransomware.

Discovery

Upon gaining access to an organization, DEV-0270 performs a series of discovery commands to learn more about the environment. The command wmic computersystem get domain obtains the target’s domain name. The whoami command displays user information and net user command is used to add or modify user accounts. For more information on the accounts created and common password phrases DEV-0270 used, refer to the Advanced Hunting section.

• wmic computersystem get domain
• whoami
• net user

On the compromised Exchange server, the actor used the following command to understand the target environment.

Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress |  ft -hidetableheaders

For discovery of domain controllers, the actor used the following PowerShell and WMI command.

Credential access

DEV-0270 often opts for a particular method using a LOLBin to conduct their credential theft, as this removes the need to drop common credential theft tools more likely to be detected and blocked by antivirus and endpoint detection and response (EDR) solutions. This process starts by enabling WDigest in the registry, which results in passwords stored in cleartext on the device and saves the actor time by not having to crack a password hash.

"reg" add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

The actor then uses rundll32.exe and comsvcs.dll with its built-in MiniDump function to dump passwords from LSASS into a dump file. The command to accomplish this often specifies the output to save the passwords from LSASS. The file name is also reversed to evade detections (ssasl.dmp):

Persistence

To maintain access in a compromised network, the DEV-0270 actor adds or creates a new user account, frequently named DefaultAccount with a password of P@ssw0rd1234, to the device using the command net user /add. The DefaultAccount account is typically a pre-existing account set up but not enabled on most Windows systems.

The attacker then modifies the registry to allow remote desktop (RDP) connections for the device, adds a rule in the firewall using netsh.exe to allow RDP connections, and adds the user to the remote desktop users group:

"reg" add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 1 /f

"reg" add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

"reg" add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD

"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389

Scheduled tasks are one of the recurrent methods used by DEV-0270 in their attacks to maintain access to a device. Generally, the tasks load via an XML file and are configured to run on boot with the least privilege to launch a .bat via the command prompt. The batch file results in a download of a renamed dllhost.exe, a reverse proxy, for maintaining control of the device even if the organization removes the file from the device.

Privilege escalation

DEV-0270 can usually obtain initial access with administrator or system-level privileges by injecting their web shell into a privileged process on a vulnerable web server. When the group uses Impacket’s WMIExec to move to other systems on the network laterally, they are typically already using a privileged account to run remote commands. DEV-0270 also commonly dumps LSASS, as mentioned in the credential access section, to obtain local system credentials and masquerade as other local accounts which might have extended privileges.

Another form of privilege escalation used by DEV-0270 involves the creation or activation of a user account to provide it with administrator privileges. DEV-0270 uses powershell.exe and net.exe commands to create or enable this account and add it to the administrators’ group for higher privileges.

Defense evasion

DEV-0270 uses a handful of defensive evasion techniques to avoid detection. The threat actors typically turn off Microsoft Defender Antivirus real-time protection to prevent Microsoft Defender Antivirus from blocking the execution of their custom binaries. The threat group creates or activates the DefaultAccount account to add it to the Administrators and Remote Desktop Users groups. The modification of the DefaultAccount provides the threat actor group with a legitimate pre-existing account with nonstandard, higher privileges. DEV-0270 also uses powershell.exe to load their custom root certificate to the local certificate database. This custom certificate is spoofed to appear as a legitimate Microsoft-signed certificate. However, Windows flags the spoofed certificate as invalid due to the unverified certificate signing chain. This certificate allows the group to encrypt their malicious communications to blend in with other legitimate traffic on the network.

Additionally, DEV-0270 heavily uses native LOLBins to effectively avoid detection. The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security. They also install and masquerade their custom binaries as legitimate processes to hide their presence. Some of the legitimate processes they masquerade their tools as include: dllhost.exe, task_update.exe, user.exe, and CacheTask. Using .bat files and powershell.exe, DEV-0270 might terminate existing legitimate processes, run their binary with the same process name, and then configure scheduled tasks to ensure the persistence of their custom binaries.

Lateral movement

DEV-0270 has been seen creating defaultaccount and adding that account to the Remote Desktop Users group. The group uses the RDP connection to move laterally, copy tools to the target device, and perform encryption.

Along with RDP, Impacket’s WMIExec is a known toolkit used by the group for lateral movement. In multiple compromises, this was the main method observed for them to pivot to additional devices in the organization, execute commands to find additional high-value targets, and dump credentials for escalating privileges.

An example of a command using Impacket’s WMIExec from a remote device:

cmd.exe /Q /c quser 1> \\127.0.0.1\ADMIN$\__1657130354.2207212 2>&1

Impact

DEV-0270 has been seen using setup.bat commands to enable BitLocker encryption, which leads to the hosts becoming inoperable. For workstations, the group uses DiskCryptor, an open-source full disk encryption system for Windows that allows for the encryption of a device’s entire hard drive. The group drops DiskCryptor from an RDP session and when it is launched, begins the encryption. This method does require a reboot to install and another reboot to lock out access to the workstation.

The following are DEV-0270’s PowerShell commands using BitLocker:

Microsoft will continue to monitor DEV-0270 and PHOSPHORUS activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.

Recommended mitigation steps

The techniques used by DEV-0270 can be mitigated through the following actions:

• Apply the corresponding security updates for Exchange Server, including applicable fixes for CVE-2021-26855, CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065. While it is important to prioritize patching of internet-facing Exchange servers to mitigate risk in an ordered manner, unpatched internal Exchange Server instances should also be addressed as soon as possible.
  • For Exchange Server instances in Mainstream Support, critical product updates are released for the most recently released Cumulative Updates (CU) and for the previous CU. For Exchange Server instances in Extended Support, critical product updates are released for the most recently released CU only.
  • If you don’t have a supported CU, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older and unsupported CUs to help customers more quickly protect their environment. For information on these updates, see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.
  • Installing the updates is the only complete mitigation for these vulnerabilities and has no impact on functionality. If the threat actor has exploited these vulnerabilities to install malware, installing the updates does not remove implanted malware or evict the actor.
• Use Microsoft Defender Firewall, intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among devices whenever possible. This limits lateral movement and other attack activities.
• Check your perimeter firewall and proxy to restrict or prevent network appliances like Fortinet SSL VPN devices from making arbitrary connections to the internet to browse or download files.
• Enforce strong local administrator passwords. Use tools like LAPS.
• Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.
• Keep backups so you can recover data affected by destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
• Turn on the following attack surface reduction rules to block or audit activity associated with this threat:
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PsExec and WMI commands
  • Block persistence through WMI event subscription. Ensure that Microsoft Defender for Endpoint is up to date and that real-time behavior monitoring is enabled

Detection details

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

• Malware associated with DEV-0270 activity group detected

The following additional alerts may also indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the following queries to look for the related malicious activity in their environments.

DEV-0270 registry IOC

This query identifies modification of registry by DEV-0270 actor to disable security feature as well as to add ransom notes:

• https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270RegistryIOCSep2022.yaml

DEV-0270 malicious PowerShell usage

DEV-0270 heavily uses PowerShell to achieve their objective at various stages of their attack. This query locates PowerShell activity tied to the actor:

• https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270PowershellSep2022.yaml

DEV-0270 WMIC discovery

This query identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment:

• https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270WMICDiscoverySep2022.yaml

DEV-0270 new user creation

This query tries to detect creation of a new user using a known DEV-0270 username/password schema:

• https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270NewUserSep2022.yaml

Microsoft 365 Defender

To locate possible actor activity, run the following queries.

Disable services via registry
Search for processes modifying the registry to disable security features. GitHub link

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all(@’”reg”’, ‘add’, @’”HKLM\SOFTWARE\Policies\’, ‘/v’,’/t’, ‘REG_DWORD’, ‘/d’, ‘/f’)
    and InitiatingProcessCommandLine has_any(‘DisableRealtimeMonitoring’, ‘UseTPMKey’, ‘UseTPMKeyPIN’, ‘UseAdvancedStartup’, ‘EnableBDEWithNoTPM’, ‘RecoveryKeyMessageSource’)

Modifying the registry to add a ransom message notification

Identify registry modifications that are indicative of a ransom note tied to DEV-0270. GitHub link

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all(‘”reg”’, ‘add’, @’”HKLM\SOFTWARE\Policies\’, ‘/v’,’/t’, ‘REG_DWORD’, ‘/d’, ‘/f’, ‘RecoveryKeyMessage’, ‘Your drives are Encrypted!’, ‘@’)

DLLHost.exe file creation via PowerShell

Identify masqueraded DLLHost.exe file created by PowerShell. GitHub link

DeviceProcessEvents
| where InitiatingProcessFileName =~ ‘powershell.exe’
| where InitiatingProcessCommandLine has_all(‘$file=’, ‘dllhost.exe’, ‘Invoke-WebRequest’, ‘-OutFile’)

Add malicious user to Admins and RDP users group via PowerShell

Look for adding a user to Administrators in remote desktop users via PowerShell. GitHub link

DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where InitiatingProcessCommandLine has_all('$admins=', 'System.Security.Principal.SecurityIdentifier', 'Translate', '-split', 'localgroup', '/add', '$rdp=')

Email data exfiltration via PowerShell

Identify email exfiltration conducted by PowerShell. GitHub link

DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine has_all('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty', 'EmailAddresses', 'SmtpAddress', '-hidetableheaders')

Create new user with known DEV-0270 username/password
Search for the creation of a new user using a known DEV-0270 username/password schema. GitHub link

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all('net user', '/add')
| parse InitiatingProcessCommandLine with * "user " username " "*
| extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, InitiatingProcessCommandLine)
| where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394')

PowerShell adding exclusion path for Microsoft Defender of ProgramData

Identify PowerShell creating an exclusion path of ProgramData directory for Microsoft Defender to not monitor. GitHub link

DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_all("try", "Add-MpPreference", "-ExclusionPath", "ProgramData", "catch")

DLLHost.exe WMIC domain discovery

Identify dllhost.exe using WMIC to discover additional hosts and associated domain. GitHub link

DeviceProcessEvents
| where InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine == "dllhost.exe"
| where ProcessCommandLine has "wmic computersystem get domain"

The post Profiling DEV-0270: PHOSPHORUS’ ransomware operations appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. MERCURY is now tracked as Mango Sandstorm.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high confidence that MERCURY’s observed activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

While MERCURY has used Log4j 2 exploits in the past, such as on vulnerable VMware apps, we have not seen this actor using SysAid apps as a vector for initial access until now. After gaining access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack.

This blog details Microsoft’s analysis of observed MERCURY activity and related tools used in targeted attacks. This information is shared with our customers and industry partners to improve detection of these attacks, such as implementing detections against MERCURY’s tools in both Microsoft Defender Antivirus and Microsoft Defender for Endpoint. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information needed to secure their accounts.

MERCURY TTPs align with Iran-based nation-state actor

Microsoft assesses with moderate confidence that MERCURY exploited remote code execution vulnerabilities in Apache Log4j 2 (also referred to as “Log4Shell”) in vulnerable SysAid Server instances the targets were running. MERCURY has used Log4j 2 exploits in past campaigns as well. 

MSTIC assesses with high confidence that MERCURY is coordinating its operations in affiliation with Iran’s Ministry of Intelligence and Security (MOIS). According to the US Cyber Command, MuddyWater, a group we track as MERCURY, “is a subordinate element within the Iranian Ministry of Intelligence and Security.”

The following are common MERCURY techniques and tooling:

• Adversary-in-the-mailbox phishing: MERCURY has a long history of spear-phishing its targets. Recently, there has been an uptick in the volume of these phishing attacks. The source of the phishing comes from compromised mailboxes and initiating previous email conversations with targets. MERCURY operators include links to or directly attach commercial remote access tools, such as ScreenConnect, in these initial phishing mails.
• Use of cloud file-sharing services: MERCURY utilizes commercially available file-sharing services as well as self-hosting resources for delivering payloads.
• Use of commercial remote access applications: The initial foothold on victims emerges via commercially available remote access applications. This allows MERCURY to gain elevated privileges and be able to transfer files, primarily PowerShell scripts, easily over to the victim’s environment.
• Tooling: MERCURY’s tools of choice tend to be Venom proxy tool, Ligolo reverse tunneling, and home-grown PowerShell programs.
• Targeting: MERCURY targets a variety of Middle Eastern-geolocated organizations. Mailbox victims correlate directly with organizations that do business with the Middle Eastern victims.

This latest activity sheds light on behavior MERCURY isn’t widely known for: scanning and exploiting a vulnerable application on a target’s device. They have been observed performing this activity in the past, but it is not very common. The exploits are derived from open source and sculpted to fit their needs. 

Observed actor activity

Initial access

On July 23 and 25, 2022, MERCURY was observed using exploits against vulnerable SysAid Server instances as its initial access vector. Based on observations from past campaigns and vulnerabilities found in target environments, Microsoft assess that the exploits used were most likely related to Log4j 2. The threat actor leveraged Log4j 2 exploits against VMware applications earlier in 2022 and likely looked for similarly vulnerable internet-facing apps. SysAid, which provides IT management tools, might have presented as an attractive target for its presence in the targeted country.

Exploiting SysAid successfully enables the threat actor to drop and leverage web shells to execute several commands, as listed below. Most commands are related to reconnaissance, with one encoded PowerShell that downloads the actor’s tool for lateral movement and persistence.

Executed commands:

• cmd.exe /C whoami
• cmd.exe /C powershell -exec bypass -w 1 -enc UwB….
• cmd.exe /C hostname
• cmd.exe /C ipconfig /all
• cmd.exe /C net user
• cmd.exe /C net localgroup administrators
• cmd.exe /C net user admin * /add
• cmd.exe /C net localgroup Administrators admin /add
• cmd.exe /C quser

Persistence

Once MERCURY has obtained access to the target organization, the threat actor establishes persistence using several methods, including:

• Dropping a web shell, providing effective and continued access to the compromised device.
• Adding a user and elevating their privileges to local administrator.
• Adding the leveraged tools in the startup folders and ASEP registry keys, ensuring their persistence upon device reboot.
• Stealing credentials.

The actor leverages the new local administrator user to connect through remote desktop protocol (RDP). During this session, the threat actor dumps credentials by leveraging the open-source application Mimikatz. We also observed MERCURY later performing additional credential dumping in SQL servers to steal other high privileged accounts, like service accounts.

Lateral movement

We observed MERCURY further using its foothold to compromise other devices within the target organizations by leveraging several methods, such as:

• Windows Management Instrumentation (WMI) to launch commands on devices within organizations.
• Remote services (leveraging RemCom tool) to run encoded PowerShell commands within organizations.

Most of the commands launched are meant to install tools on targets or perform reconnaissance to find domain administrator accounts.

Communication

Throughout the attack, the threat actor used different methods to communicate with their command-and-control (C2) server, including:

• Built-in operating system tools such as PowerShell
• Tunneling tool called vpnui.exe, a unique version of the open-source tool Ligolo
• Remote monitoring and management software called eHorus

Microsoft will continue to monitor MERCURY activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below. 

Recommended customer actions

The techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the security considerations provided below: 

• Check if you use SysAid in your network. If you do, apply security patches and update affected products and services as soon as possible. Refer to SysAid’s Important Update Regarding Apache Log4j for technical information about the vulnerabilities and mitigation recommendations.
• Refer to the detailed Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability.
• Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion. 
• Block in-bound traffic from IPs specified in the indicators of compromise table.  
• Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity. 
• Enable multi-factor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. Note: Microsoft strongly encourages all customers download and use password-less solutions like Microsoft Authenticator to secure accounts. 

Indicators of compromise (IOCs)

The below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

NOTE: These indicators should not be considered exhaustive for this observed activity.

Microsoft Defender Threat Intelligence

Community members and customers can find summary information and all IOCs from this blog post in the linked Microsoft Defender Threat Intelligence portal article.

Detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects attempted exploitation and post-exploitation activity and payloads. Turn on cloud-delivered protection to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block most new and unknown threats. Refer to the list of detection names related to exploitation of Log4j 2 vulnerabilities. Detections for the IOCs listed above are listed below:

• Backdoor:PHP/Remoteshell.V
• HackTool:Win32/LSADump
• VirTool:Win32/RemoteExec

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint customers should monitor the alert “Mercury Actor activity detected” for possible presence of the indicators of compromise listed above.

Reducing the attack surface

Microsoft Defender for Endpoint customers can turn on the following attack surface reduction rule to block or audit some observed activity associated with this threat:

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion.

Detecting Log4j 2 exploitation

Alerts that indicate threat activity related to the exploitation of the Log4j 2 exploitation should be immediately investigated and remediated. Refer to the list of Microsoft Defender for Endpoint alerts that can indicate exploitation and exploitation attempts.

Detecting post-exploitation activity

Alerts with the following titles may indicate post-exploitation threat activity related to MERCURY activity described in this blog and should be immediately investigated and remediated. These alerts are supported on both Windows and Linux platforms:

Any alert title related to web shell threats, for example:

• An active ‘Remoteshell’ backdoor was blocked

Any alert title that mentions PowerShell, for example:

• Suspicious process executed PowerShell command
• A malicious PowerShell Cmdlet was invoked on the machine
• Suspicious PowerShell command line
• Suspicious PowerShell download or encoded command execution
• Suspicious remote PowerShell execution

Any alert title related to suspicious remote activity, for example:

• Suspicious RDP session
• An active ‘RemoteExec’ malware was blocked
• Suspicious service registration

Any alert related to persistence, for example:

• Anomaly detected in ASEP registry
• User account created under suspicious circumstances

Any alert title that mentions credential dumping activity or tools, for example:

• Malicious credential theft tool execution detected
• Credential dumping activity observed
• Mimikatz credential theft tool
• ‘DumpLsass’ malware was blocked on a Microsoft SQL server

Microsoft Defender Vulnerability Management

Microsoft 365 Defender customers can use threat and vulnerability management to identify and remediate devices that are vulnerable to Log4j 2 exploitation. A more comprehensive guidance on this capability can be found on this blog: Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability.

Advanced hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the following queries to look for the related malicious activity in their environments.

Identify MERCURY IOCs

The query below identifies matches based on IOCs shared in this post for the MERCURY actor across a range of common Microsoft Sentinel data sets:

• https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Mercury_Log4j_August2022.yaml

Identify SysAid Server web shell creation

The query below looks for potential web shell creation by SysAid Server:

• https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialMercury_Webshell.yaml

Identify MERCURY PowerShell commands

The query below identifies instances of PowerShell commands used by the threat actor in command line data:

• https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/powershell_mercury.yaml

 In addition to the above, Microsoft Sentinel users should also look for possible Log4j 2 vulnerabilities, the details of which were shared in a previous blog post.

Microsoft 365 Defender

To locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:

Potential WebShell creation by SysAisServer instance

DeviceFileEvents
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe") 
| where InitiatingProcessCommandLine has "SysAidServer" 
| where FileName endswith ".jsp"

Abnormal process out of SysAidServer instance

DeviceProcessEvents
| where Timestamp > ago(7d) 
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe") 
| where InitiatingProcessCommandLine has "SysAidServer" 
| summarize makeset(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId

PowerShell commands used by MERCURY

DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_cs "-exec bypass -w 1 -enc" 
| where ProcessCommandLine contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA" 
| summarize makeset(ProcessCommandLine), makeset(InitiatingProcessCommandLine, 10), makeset(DeviceId), min(Timestamp), max(Timestamp) by DeviceId

Vulnerable Log4j 2 devices

Use this query to identify vulnerabilities in installed software on devices, surface file-level findings from the disk, and provide the ability to correlate them with additional context in advanced hunting.

DeviceTvmSoftwareVulnerabilities 
| where CveId in ("CVE-2021-44228", "CVE-2021-45046")

DeviceTvmSoftwareEvidenceBeta
| mv-expand DiskPaths
| where DiskPaths contains "log4j"
| project DeviceId, SoftwareName, SoftwareVendor, SoftwareVersion, DiskPaths

The post MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. To learn more about this evolution, how the new taxonomy represents the origin, unique traits, and impact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment.

July 2022 update – New information about DEV-0206-associated activity wherein existing Raspberry Robin infections are used to deploy FakeUpdates, which then leads to follow-on actions resembling DEV-0243.

June 2022 update – More details in the Threat actors and campaigns section, including recently observed activities from DEV-0193 (Trickbot LLC), DEV-0504, DEV-0237, DEV-0401, and a new section on Qakbot campaigns that lead to ransomware deployments.

Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.

That depth of signal intelligence gathered from various domains—identity, email, data, and cloud—provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated “cut” from their tool’s success.

The cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.

Within this category of threats, Microsoft has been tracking the trend in the ransomware as a service (RaaS) gig economy, called human-operated ransomware, which remains one of the most impactful threats to organizations. We coined the industry term “human-operated ransomware” to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target’s network.

Unlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries—for example, a security product that isn‘t configured to prevent tampering or a service that’s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them—with no guarantee they’ll leave their target environment once they’ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren’t successfully evicted.

Ransomware attacks have become even more impactful in recent years as more ransomware as a service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.

All human-operated ransomware campaigns—all human-operated attacks in general, for that matter—share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment. 

In this blog, we detail several of the ransomware ecosystems  using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here’s a quick table of contents:

1. How RaaS redefines our understanding of ransomware incidents
   • The RaaS affiliate model explained
   • Access for sale and mercurial targeting
2. “Human-operated” means human decisions
   • Exfiltration and double extortion
   • Persistent and sneaky access methods
3. Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks
4. Defending against ransomware: Moving beyond protection by detection
   • Building credential hygiene
   • Auditing credential exposure
   • Prioritizing deployment of Active Directory updates
   • Cloud hardening
   • Addressing security blind spots
   • Reducing the attack surface
   • Hardening internet-facing assets and understanding your perimeter

How RaaS redefines our understanding of ransomware incidents

With ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the “human-operated” aspect of these attacks—attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.

In the past, we’ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.

Reporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.

We know, for example, that the underlying techniques used in human-operated ransomware campaigns haven’t changed very much over the years—attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there’s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it’s only possible on the most critical assets and segments of the network. 

Without the ability to steal access to highly privileged accounts, attackers can’t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.

In the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like Microsoft 365 Defender, whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.

The RaaS affiliate model explained

The cybercriminal economy—a connected ecosystem of many players with different techniques, goals, and skillsets—is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker’s skills.

RaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services

RaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads—further muddying the waters when it comes to tracking the criminals behind these actions.

Access for sale and mercurial targeting

A component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a “load”. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them en masse to “bank” for later profit. Some advertisements for the sale of initial access specifically cite that a system isn’t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it to fetch higher prices.

Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn’t manifest itself as specifically attacking the target’s network, instead, the purchase of access from an access broker or the use of existing malware infection to pivot to ransomware activities.

In some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a “jump server” to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren’t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.

“Human-operated” means human decisions

Microsoft coined the term “human-operated ransomware” to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminate in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations of which they take advantage and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks—including objectives and pre-ransom activity—evolve depending on the environment and the unique opportunities identified by the attackers.

These attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.

After the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator’s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker’s next steps.

If there’s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker.  

This human decision-making early in the reconnaissance and intrusion stages means that even if a target’s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks “in production” from an undetected location in their target’s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.

Exfiltration and double extortion

Ransomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and “double extortion,” which refers to attackers threatening to leak data if a ransom hasn’t been paid, has also become a common tactic among many RaaS affiliate programs—many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.

This trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don’t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attackers is DEV-0537 (also known as LAPSUS$), which is profiled below.  

Persistent and sneaky access methods

Paying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers’ demands doesn’t guarantee that attackers ever “pack their bags” and leave a network. Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren’t successfully evicted.

The handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.

Some of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:

• AnyDesk
• Atera Remote Management
• ngrok.io
• Remote Manipulator System
• Splashtop
• TeamViewer

Another popular technique attackers perform once they attain privilege access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol’s security, and add new users to the Remote Desktop Users group.

The time between initial access to a hands-on keyboard deployment can vary wildly depending on the groups and their workloads or motivations. Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can’t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can’t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware associate threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.

The human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.

Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks

For organizations to successfully respond to evict an active attacker, it’s important to understand the active stage of an ongoing attack. In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it’s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.

In the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:

• DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today  
• ELBRUS: (Un)arrested development
• DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs
• DEV-0237: Prolific collaborator
• DEV-0450 and DEV-0464: Distributing Qakbot for ransomware deployment
• DEV-0206 and DEV-0243: An “evil” partnership
• DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate
• DEV-0537: From extortion to destruction

Microsoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled “Ransomware-linked emerging threat activity group detected”. We also add the note “Ongoing hands-on-keyboard attack” to alerts that indicate a human attacker is in the network. When these alerts are raised, it’s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.

A note on threat actor naming: as part of Microsoft’s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a “development group”. We use a naming structure with a prefix of “DEV” to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHORUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV state. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use “contractors,” who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.

DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today

A vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter’s shutdown in June 2021, and Ryuk’s successor, Conti as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today. 

DEV-0193’s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.

A subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure as a service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon as a service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been implicated in attacks deploying novel techniques, including exploitation of CVE-2021-40444. 

The leaked chat files from a group publicly labeled as the “Conti Group” in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload—even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the “Conti Group,” even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates—and the one responsible for developing the “Conti Manual” leaked in August 2021—is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.

Microsoft hasn’t observed a Conti deployment in our data since April 19, 2022, suggesting that the Conti program has shut down or gone on hiatus, potentially in response to the visibility of DEV-0230’s deployment of Conti in high-profile incidents or FBI’s announcement of a reward for information related to Conti. As can be expected when a RaaS program shuts down, the gig economy nature of the ransomware ecosystem means that affiliates can easily shift between payloads. Conti affiliates who had previously deployed Conti have moved on to other RaaS payloads. For example, DEV-0506 was deploying BlackBasta part-time before the Conti shutdown and is now deploying it regularly. Similarly, DEV-0230 shifted to deploying QuantumLocker around April 23, 2022.

ELBRUS: (Un)arrested development

ELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.

In 2018, this activity group made headlines when three of its members were arrested. In May 2020, another arrest was made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.

ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called “Combi Security” and “Bastion Security” to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.

In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which is very accurate of the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn’t performed by ELBRUS but by a ransomware as a service affiliate Microsoft tracks as DEV-0289.

ELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.

While they aren’t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low privileged user credentials into highly privileged access as SYSTEM on an Exchange Server.  

DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs

An excellent example of how clustering activity based on ransomware payload alone can lead to obfuscating the threat actors behind the attack is DEV-0504. DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the “REvil gang” or “BlackCat ransomware group”. This attribution masks the actions of the set of the attackers in the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment.  

DEV-0504 shifts payloads when a RaaS program shuts down, for example the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren’t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older “fully owned” ransomware payloads like Phobos, which they can buy when a RaaS isn’t available, or they don’t want to pay the fees associated with RaaS programs.

DEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren’t protected with tamper protection.

DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others. BlackCat remains DEV-0504’s primary payload as of June 2022.

DEV-0237: Prolific collaborator

Like DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.

After the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to public discourse around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn’t want Hive’s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.

Beyond RaaS payloads, DEV-0237 uses the cybercriminal gig economy to also gain initial access to networks. DEV-0237’s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups versus performing their own initial compromise and malware development.

Like all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload xxx.exe, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.

In May 2022, DEV-0237 started to routinely deploy Nokoyawa, a payload that we observed the group previously experimenting with when they weren’t using Hive. While the group used other payloads such as BlackCat in the same timeframe, Nokoyawa became a more regular part of their toolkits. By June 2022, DEV-0237 was still primarily deploying Hive and sometimes Nokoyawa but was seen experimenting with other ransomware payloads, including Agenda and Mindware.

DEV-0237 is also one of several actors observed introducing other tools into their attacks to replace Cobalt Strike. Cobalt Strike’s ubiquity and visible impact has led to improved detections and heightened awareness in security organizations, leading to observed decreased use by actors. DEV-0237 now uses the SystemBC RAT and the penetration testing framework Sliver in their attacks, replacing Cobalt Strike.

DEV-0450 and DEV-0464: Distributing Qakbot for ransomware deployment

The evolution of prevalent trojans from being commodity malware to serving as footholds for ransomware is well documented via the impact of Emotet, Trickbot, and BazaLoader. Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates. Qakbot is delivered via email, often downloaded by malicious macros in an Office document. Qakbot’s initial actions include profiling the system and the network, and exfiltrating emails (.eml files) for later use as templates in its malware distribution campaigns.

Qakbot is prevalent across a wide range of networks, building upon successful infections to continue spreading and expanding. Microsoft tracks DEV-0450 and DEV-0464 as  Qakbot distributors that result in observed ransomware attacks. DEV-0450 distributes the “presidents”-themed Qakbot, using American presidents’ names in their malware campaigns. Meanwhile, DEV-0464 distributes the “TR” Qakbot and other malware such as SquirrelWaffle. DEV-0464 also rapidly adopted the Microsoft Support Diagnostic Tool (MSDT) vulnerability (CVE-2022-30190) in their campaigns. The abuse of malicious macros and MSDT can be blocked by preventing Office from creating child processes, which we detail in the hardening guidance below.

Historically, Qakbot infections typically lead to hands-on-keyboard activity and ransomware deployments by DEV-0216, DEV-0506, and DEV-0826. DEV-0506 previously deployed Conti but switched to deploying Black Basta around April 8, 2022. This group uses DEV-0365’s Cobalt Strike Beacon infrastructure instead of maintaining their own. In late September 2022, Microsoft observed DEV-0506 adding Brute Ratel as a tool to facilitate their hands-on-keyboard access as well as Cobalt Strike Beacons.

Another RaaS affiliate that acquired access from Qakbot infections was DEV-0216, which maintains their own Cobalt Strike Beacon infrastructure and has operated as an affiliate for Egregor, Maze, Lockbit, REvil, and Conti in numerous high-impact incidents. Microsoft no longer sees DEV-0216 ransomware incidents initiating from DEV-0464 and DEV-0450 infections, indicating they may no longer be acquiring access via Qakbot.

DEV-0206 and DEV-0243: An “evil” partnership

Malvertising, which refers to taking out a search engine ad to lead to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update, or a software package, to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double clicks the script.

Once successfully executed, the JavaScript framework, also referred to SocGholish, acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities tracked by the cyber intelligence industry as “EvilCorp,”  The custom Cobalt Strike loaders are similar to those seen in publicly documented Blister malware’s inner payloads. In DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.

Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the “EvilCorp” activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status.

On July 26, 2022, Microsoft researchers discovered the FakeUpdates malware being delivered via existing Raspberry Robin infections. Raspberry Robin is a USB-based worm first publicly discussed by Red Canary. The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.

DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate

Differing from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 is confirmed to be a China-based activity group.

DEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and Log4j 2. Due to the nature of the vulnerabilities they preferred, DEV-0401 gains elevated credentials at the initial access stage of their attack.

Once inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the wmiexec.py module of the tool that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.

Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the Log4j 2 CVE-2021-44228 vulnerability.

Like many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay, however their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempt to pay.  In a notable shift—possibly related to victim payment issues—DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022. Around June 6, 2022, it began replacing Cobalt Strike with the Sliver framework in their attacks.

DEV-0537: From extortion to destruction

An example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 in this blog. DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with an intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.

Once initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn’t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks. 

DEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim’s data and resources.

Defending against ransomware: Moving beyond protection by detection

A durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks and detecting them. Ransomware attacks generate multiple, disparate security product alerts, but they could easily get lost or not responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks. 

Attackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven’t changed much over the years. Therefore, a renewed focus on prevention is needed to curb the tide.

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.

Building credential hygiene

More than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment then can be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.

Credential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne, and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn’t just limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.

Too often, a legacy configuration ensures that a mission-critical application works by giving the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can access. In organizations where the local administrator rights haven’t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene is developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.

Here are some steps organizations can take to build credential hygiene:

• Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can’t be used to move laterally. Run services as Network Service when accessing other resources.
• Use tools like LUA Buglight to determine the privileges that applications really need.
• Look for events with EventID 4624 where the logon type is 2, 4, 5, or 10 and the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn’t be exposed on member servers or workstations.
• Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack as against running them as Domain Admin.
• Randomize Local Administrator passwords with a tool like Local Administrator Password Solution (LAPS) to prevent lateral movement using local accounts with shared passwords.
• Use a cloud-based identity security solution that leverages on-premises Active Directory signals get visibility into identity configurations and to identify and detect threats or compromised identities

Auditing credential exposure

Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. BloodHound is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing privileges tied to administrative account and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use this detection guidance to watch for malicious use.

Microsoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they have access, to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.

Prioritizing deployment of Active Directory updates

Security patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities within one hour of being made public and as soon as those vulnerabilities are included in tools like Mimikatz. Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.

Cloud hardening

As attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts. Here are ways organizations can harden cloud environments:

Cloud identity hardening

• Implement the Azure Security Benchmark and general best practices for securing identity infrastructure, including:
  • Prevent on-premises service accounts from having direct rights to the cloud resources to prevent lateral movement to the cloud.
  • Ensure that “break glass” account passwords are stored offline and configure honey-token activity for account usage.
  • Implement Conditional Access policies enforcing Microsoft’s Zero Trust principles.
• Enable risk-based user sign-in protection and automate threat response to block high-risk sign-ins from all locations and enable MFA for medium-risk ones.
• Ensure that VPN access is protected via modern authentication methods.

Multifactor authentication (MFA)

• Enforce MFA on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times.
• Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different authentication methods and features.
• Identify and secure workload identities to secure accounts where traditional MFA enforcement does not apply.
• Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA).
• For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their computers. Refer to this article for an example.
• Disable legacy authentication.

Cloud admins

• Ensure cloud admins/tenant admins are treated with the same level of security and credential hygiene as Domain Admins.
• Address gaps in authentication coverage.

Addressing security blind spots

In almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn’t protected by  antivirus or EDR solutions. It’s important to understand that the lack security controls on these systems that have access to highly privileged credentials act as blind spots that allow attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.

Organizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn’t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.

For Microsoft 365 Defender customers, the following checklist eliminates security blind spots:

• Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
• Turn on tamper protection features to prevent attackers from stopping security services.
• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.
• Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.
• Use device discovery to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
• Protect user identities and credentials using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.

Reducing the attack surface

Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks. In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:

• Common entry vectors:
  • Block all Office applications from creating child processes
  • Block Office communication application from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block execution of potentially obfuscated scripts
  • Block JavaScript or VBScript from launching downloaded executable content
• Ransomware deployment and lateral movement stage (in order of impact based on the stage in attack they prevent):
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PsExec and WMI commands
  • Use advanced protection against ransomware

In addition, Microsoft has changed the default behavior of Office applications to block macros in files from the internet, further reduce the attack surface for many human-operated ransomware attacks and other threats.

Hardening internet-facing assets and understanding your perimeter

Organizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as RiskIQ, can be used to augment data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:

• Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
• Block Remote IT management tools such as Teamviewer, Splashtop, Remote Manipulator System, Anydesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if not in use in your environment. If these systems are used in your environment, enforce security settings where possible to implement MFA.

Ransomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched, partially patched, or because access brokers had established persistence on a previously compromised systems despite it later being patched.

Some observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:

• Citrix ADC systems affected by CVE-2019-19781
• Pulse Secure VPN systems affected by CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
• SonicWall SSLVPN affected by CVE-2021-20016
• Microsoft SharePoint servers affected by CVE-2019-0604
• Unpatched Microsoft Exchange servers
• Zoho ManageEngine systems affected by CVE-2020-10189
• FortiGate VPN servers affected by CVE-2018-13379
• Apache log4j CVE-2021-44228

Ransomware attackers also rapidly adopt new vulnerabilities. To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the threat and vulnerability management capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.

Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks

The multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. Microsoft 365 Defender is designed to make it easy for organizations to apply many of these security controls.

Microsoft 365 Defender’s industry-leading visibility and detection capabilities, demonstrated in the recent MITRE Engenuity ATT&CK® Evaluations, automatically stop most common threats and attacker techniques. To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

In line with the recently announced expansion into a new service category called Microsoft Security Experts, we’re introducing the availability of Microsoft Defender Experts for Hunting for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.

Join our research team at the Microsoft Security Summit digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&A. Register today.

The post Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself appeared first on Microsoft Security Blog.

Even if it didn’t lead the evening news, the security announcement is a crucial milestone for all those that understand the importance of a Zero Trust model and are working hard to implement it. It’s no secret that government support for a technology can turbo-boost adoption—ask anyone who uses GPS, the internet, or electronic medical records.² US Federal Government support for Zero Trust is similar: the Office of Management and Budget (OMB) has started an accelerated adoption curve for tens of millions of new endpoints.

There are 2.25 million full-time equivalent employees in the US federal executive branch, and 4.3m if you count postal workers and other staff in the judicial, legislative, and uniformed military branches.³ These also include many frontline workers, a critical security topic that I discuss in the blog post Reduce the load on frontline workers with the right management technology. The US Federal Government also sets the tone for technology policy in state and local government, which adds another 19.7 million workers, before we even begin to count federal government suppliers who will be asked to comply.⁴ Even at a ratio of one employee per endpoint (and the ratio could be higher with personal devices and IoT), not counting the endpoint strategy updates by overseas governments, we’re looking at tens of millions of endpoints that will be managed according to Zero Trust governance principles.   

In full, I encourage you to read the memorandum press release, Office of Management and Budget Releases Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture.

Here are my three takeaways:

1. Zero Trust is now relevant to every organization.
2. Leadership alignment is the biggest obstacle to driving Zero Trust agendas.
3. Zero Trust architecture requires holistic, integrated thinking.

Zero Trust is now relevant to every organization

Hybrid work, cloud migration, and increased threats make Zero Trust now relevant to every organization.

The concept of Zero Trust is not new. The term was first coined by then Forrester analyst John Kindervag in 2010.⁵ Yet, as the OMB paper says: “The growing threat of sophisticated cyber attacks has underscored that the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data. The Log4j vulnerability is the latest evidence that adversaries will continue to find new opportunities to get their foot in the door.”

Yet, in our 2021 Zero Trust Adoption Report, only 35 percent of organizations claim to have fully implemented their Zero Trust strategy.

Zero Trust is now vitally relevant for every organization for two reasons. First, the shift to remote work and the accompanying cloud migration is here to stay. Gartner® estimates that 47 percent of knowledge workers will work remotely in 2022.⁶ This is not just a pandemic-era emergency that will reset to perimeter-based solutions once COVID-19 cases decrease. Today, security solutions must start from the fact that endpoints could be outside of a perimeter defense set-up and be tailored accordingly. Second, cyber threats continue to increase. The US Federal Government referenced the Log4j flaw but could equally have mentioned Kaseya, SolarWinds, or other recent disruptions. These disruptions are expensive—a 2021 IBM report put the average total cost of a breach of 1 to 10 million records at USD52 million, with a mega breach of 50 to 65 million records costing companies more than USD400 million.⁷

The US Federal Government is signaling that Zero Trust is essential for the current times. Zero Trust requires customers to think beyond firewalls and network perimeters and assume breach from within those boundaries.

Leadership alignment is the biggest obstacle to driving Zero Trust agendas

My second takeaway is that leadership alignment is critical to organizations making the proper progress in Zero Trust.

OMB requires that every agency nominate a Zero Trust strategy implementation lead within 30 days. Furthermore, the memorandum states: “Agency Chief Financial Officers, Chief Acquisition Officers, senior agency officials for privacy, and others in agency leadership should work in partnership with their IT and security leadership to deploy and sustain Zero Trust capabilities. It is critical that agency leadership and the entire ‘C-suite’ be aligned and committed to overhauling an agency’s security architecture and operations.” In short, this is not simply a technology problem that can be handed over to IT, never to be thought of again. Zero Trust requires, at a minimum, C-suite engagement and, given the risks involved in a security breach, also warrants board oversight.

Our Zero Trust Adoption Report that explores the barriers to Zero Trust implementation also highlighted leadership alignment. Fifty-three percent mentioned this as a barrier, covering C-suite, stakeholder, or broader organizational support. Other key barriers to adoption included limited resources, such as skills shortages in areas like change management, or the inability to sustain the length of time for implementation. For example, according to a 2020 annual Cybersecurity Workforce Study by (ISC)², there remains a shortage of 3.1 million cybersecurity workers, including 359,000 in just the US.⁸ Related to this, budget constraints were mentioned by 4 in 10 survey respondents. Anticipating and proactively addressing leadership alignment, limited resources, and budget are key to the broader rollout of Zero Trust architectures, independent of any technology choices.   

Zero Trust architecture requires holistic, integrated thinking

 Zero Trust architecture thinking is more akin to conducting an orchestra than just flipping a switch. The US Federal Government’s plans encompass identity (including multifactor authentication and user authorization), devices (including endpoint detection and response), networks (including Domain Name System, HTTP, and email traffic encryption), apps and workloads, and data. This is not a project that can be done in silos or quickly. Indeed, the OMB asks federal agencies that “Within 60 days of the date of this memorandum, agencies must build upon those plans by incorporating the additional requirements identified in this document and submitting to OMB and Cybersecurity & Infrastructure Security Agency (CISA) an implementation plan for FY22 to FY24 for OMB concurrence, and a budget estimate for FY24.”

Microsoft’s and the US Federal Government’s Zero Trust frameworks are very similar. They overlap into five categories. Microsoft calls out infrastructure separately from networks, while the OMB memo combines the two. When thinking about Zero Trust, any organization needs to consider:

1. Identities and authentication: Protecting identities against compromise and securing access to resources, including multifactor authentication.
2. Endpoints and devices: Securing endpoints and allowing only compliant and trusted devices to access data.
3. Applications: Ensuring applications are available, visible, and securing your important data.
4. Data: Protecting sensitive data wherever it lives or travels.
5. Networks: Removing implicit trust from the network and preventing lateral movement.
6. Infrastructure: Detecting threats and responding to them in real-time.

Underscoring these pillars is centralized visibility, which enables a holistic view. Being able to see how all apps and endpoints are deployed and whether there are security issues is vital to maintaining as well as setting up a Zero Trust posture. An endpoint management solution provides a central repository for security policies and a place to enforce those policies should an endpoint no longer comply. Solutions should enable built-in encryption across all platforms, whether Windows, macOS, iOS, Android, or Linux. Equally, unified endpoint management will make the network journey towards Zero Trust easier, regardless of the type of network. Visibility matters in Zero Trust, and effective endpoint management is a major factor in delivering it.

Picking a starting point

Having a consistent framework for Zero Trust and constant visibility is a good starting point. Nonetheless, it doesn’t answer the question of where and how to start implementing Zero Trust for your organization. The answer will be specific to every organization—there is no one-size-fits-all approach for Zero Trust. Organizations may start at different points, but the Microsoft 365 Zero Trust deployment plan gives all organizations a practical guide to introduce Zero Trust.

The deployment plan has five steps and can help organizations implement a Zero Trust architecture:

1. Configure Zero Trust identity and device access protection to provide a Zero Trust foundation.
2. Manage endpoints by enrolling devices into management solutions.
3. Add Zero Trust identity and device access protection to those devices.
4. Evaluate, pilot, and deploy Microsoft 365 Defender to automatically collect, correlate, and analyze the signal, threat, and alert data.
5. Protect and govern sensitive data to discover, classify, and protect sensitive information wherever it lives or travels.

Management of your apps and endpoints plays a vital and foundational role in any Zero Trust deployment. By enrolling devices into management, you can configure compliance policies to ensure devices meet minimum requirements and deploy those configuration profiles to harden devices against threats. With a solid foundation established, you can defend against threats by using device risk signals and ensure compliance using security baselines. In this way, you’re protecting and governing sensitive data, no matter what operating system platform your devices are using.

CISA Director Jen Easterly wrote in the memo’s press release: “As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity.” Zero Trust is a critical US Federal Government priority, which will accelerate mass adoption. If your organization is just starting to implement Zero Trust or further along, I hope the free resources below are helpful.

Learn more

Explore Microsoft’s resources and products to help you implement a Zero Trust strategy:

• Zero Trust Guidance Center
• Microsoft Zero Trust Deployment Plan
• Microsoft Endpoint Manager
• Manage devices with Intune

Read more about the US Federal Government’s Zero Trust strategy announcement:

• US Government sets forth Zero Trust architecture strategy and requirements
• OMB Federal Zero Trust strategy

Additional resources:

¹US Government sets forth Zero Trust architecture strategy and requirements, Joy Chik, Microsoft. February 17, 2022.

²50 inventions you might not know were funded by the US government, Abby Monteil, Stacker. December 9, 2020.

³Federal Workforce Statistics Sources: OPM and OMB, Congressional Research Service. June 24, 2021.

⁴Number of state and local government employees in the United States from 1997 to 2020, by full-time/part-time status, Statista.

⁵Forrester pushes Zero Trust model for security, Dark Reading.

⁶Gartner, Forecast Analysis: Remote and Hybrid Workers, Worldwide, Ranjit Atwal, Rishi Padhi, Namrata Banerjee, Anna Griffen, 2 June 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

⁷Cost of a Data Breach Report 2021, IBM.

⁸Cybersecurity Workforce Study, (ISC)². 2020.

The post The federal Zero Trust strategy and Microsoft’s deployment guidance for all appeared first on Microsoft Security Blog.

Natalia: What do you recommend to security leaders concerned with the talent shortfall?

Heath: There needs to be more openness and getting away from gatekeeping. In this industry, there’s a lot of, “I went through this path, so you need to go through this path.” Or “I did these certifications, so you need to do these certifications.” Everybody wants this perfect candidate—somebody who has 10 years of experience—even when they don’t necessarily need it. We need to be able to take somebody that’s more junior, who we can help train. Or take someone with a clean slate.

As a manager, be open to more than just what’s on the Human Resources job description. And be open to new people with different backgrounds. People are coming from all walks of life and age groups. So, if you put those biases aside and just consider the person that’s in front of you, that will help with the job shortage and help close the talent gap.

Natalia: And how has the pandemic and the shift to hybrid work changed cybersecurity skilling?

Heath: I think it’s been a positive. In our field, the ability to work remotely was always there. But the pandemic shifted things, so more companies are starting to realize that fact. I’ve worked jobs as a penetration tester where I had to relocate, even though I was working out of my home 95 percent of the time. Now, more companies are opening their eyes to talent that isn’t local. You no longer have to look in big markets; you can look at somebody on the other side of the country who’s studying cybersecurity, and they can be an asset to your team.

I was doing a lot of Twitch streaming during the shutdown, and I noticed our streams were way bigger than before. We had more people watching, more people interested. There’s a lot of people who took advantage of the shutdown to say, “Hey, this is my time to get focused. I want a new career.” There are high-paying jobs and there’s remote work. And as I mentioned, you don’t need a specific background or degree to get into this field. People can come from all walks of life. I think the pandemic helped shine a light on that.

Natalia: You’re well known as The Cyber Mentor™. How has mentoring impacted your career?

Heath: It keeps me on top of my game. I have to be able to give people direction and I don’t want to give out bad information, so, I’m making sure that I stay on top of what the industry changes are, where the jobs are heading, and how to interview properly—all of which seem to change from year to year. It helps me stay in touch with the next generation that’s coming into the security field as well.

Natalia: Do you have your own mentors that help you progress in your career?

Heath: I came up with what I call “community mentorship.” I have a Discord community, and we use that to encourage other people to give back. You want to be able to help people when they need it or get help when you need it while learning from each other. When it’s time for networking or needing a job, that goes a long way. For me, it’s more about being where there are groups of like-minded people. I’ve got a lot of friends that own penetration test companies, and we’ll get together, have lunch, talk strategies. What are you doing? What am I doing? That’s the kind of mentorship that we have with each other; just making sure we’re keeping each other in check, thinking about new things.

Natalia: What are the biggest struggles for early career mentees who are trying to grow their skills? And how can leaders address those challenges?

Heath: For a person looking to get a role, there are a few things to remember. One is to make sure you’re crawling before you walk, walking before you run. I’ll use hacking as an example. A lot of people get excited about hacking and think it sounds awesome. “You can get paid money to hack something? I want to do that!” And they try to jump right into it without building foundational skill sets, learning the parts of a computer, or learning how to do computer networking or basic troubleshooting. What I tell people is to break and fix computers. Understand basic hardware, basic computer networking, what IP addresses are, what a subnet is. Understand some coding, like Python. You don’t need a computer science background but having those foundational skills will go a long way.

If you don’t put a foundation under a house, it’s going to collapse. So, you need to think about your career in the same way. You must make sure you’re building a foundation. People don’t realize the amount of effort that goes into getting into the field. Do your due diligence beforehand.

There’s also a lot of imposter syndrome in cybersecurity. I tell people not to concern themselves with others, especially on social media. They say comparison is the thief of joy, and I truly believe that. You have to make sure you’re running your own race. Even if you run the same mile as somebody else, and they finish it in 5 minutes, and you finish it in 10; you still finish the same mile. What matters is that you got there. As long as you’re trying to be better than you were yesterday, you’re going to make it a lot farther than you think.

Finally, cybersecurity is a field that’s constantly changing. For somebody who is complacent—who wants to get a degree, get a job, and then is set—cybersecurity is not the right fit. Cybersecurity is for somebody who’s interested in constantly learning because there are always new vulnerabilities. There was just the Log4J vulnerability that caused everyone concern. I had a meeting today with a client, and if I’m not prepared, I’m letting them down. I’m letting their security down as well. I spent the weekend studying because I had to. That’s the business we’re in.

You must stay on top of this from an employer side as well—being able to train people and keep them up to date. TCM Security has a base foundation where we want our employees to be, and then we encourage them to gain knowledge where they’re most interested. I’ve been sent to a training that I had no interest in whatsoever and wanted to pull my hair out. As a manager, I ask, “What do you want to learn?” When I send an employee to a cybersecurity training that they’re interested in, they’re going to retain that information a lot better. They can then bring that information back to us, and we can use that in real-world scenarios.

Natalia: How can security leaders recruit security professionals to their teams better? What should they look out for? For example, how important are certifications?

Heath: For an entry-level role, certifications are important. Their importance diminishes once you get into the field. But I’m an advocate for them; they help prove some knowledge—so does having a blog, attending a conference, building a home lab, speaking at a conference, speaking at a local community group—anything that says, “I’m passionate about security.”

I have seen some entry-level roles where the interviewers have you code something, or have you fix broken code, just to make sure you logically understand what’s going on. You don’t have to be a developer or be able to code, but you must be able to understand what’s in front of you. Having some coding challenges during the hiring process can be beneficial—but it should be open book. For a security professional, using search is 90 percent of our job, honestly. If you’re limiting somebody from searching online, you’re setting false expectations.

I go back and re-watch videos and re-read blogs all the time, because there are so many different commands, and there’s no way of memorizing all of them. But you need to understand the concepts. If you understand the tool they might need to run or the concept of it, then you can search that, find the tool, and run it. That’s more important.

Natalia: We’ve all read the statistics about burnout in the security industry. What do you recommend for leaders who want to better retain their talent?

Heath: You must be pro-mental health. Make sure there’s ample paid time off (PTO) and encourage employees to use it. Also, make sure that your employees can take time off beyond PTO. If they’re sick, they shouldn’t feel like they’re letting people down. That’s why we have flexible schedules; we run on a 32-hour workweek. We try to give people as much time back and have a work-life balance. We also pay for training, so people can go and focus on topics they’re interested in. We make sure that we’re investing in our employees. It’s so much more expensive to rehire and retrain. I’d rather invest in an employee and keep their mental health at a high level, and make sure I’m giving them all the tools and training they need to perform successfully.

Natalia: What trends have you seen in cybersecurity skilling? What do you think is coming next in terms of how security professionals are trained up, recruited, and retained?

Heath: There are more people interested in the field, and that’s great. We’re starting to see a lot more training providers and training options. Back when I started, a lot of it was just reading blog posts, and there were maybe one or two training providers. Now, there are 10 or 15.

Misinformation can be out there, or outdated information. If you search online for certification companies—or even look at an online post from a year ago—that information could be outdated. So again, this comes back to due diligence and making sure that you’re doing your research, not just relying on one source. If I was going to look for certifications to get into this field, I’d look at 20 or 30 different resources, get a consensus of what polls the highest, then do my own research on those organizations. It’s great job skills practice to research and make sure you understand where you need to go.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Disclaimer: The views expressed here are solely those of the author and do not represent the views of Microsoft Corporation.

The post Build a stronger cybersecurity team through diversity and training appeared first on Microsoft Security Blog.