Monthly news - April 2023

[Guest Heike Ritter]

Microsoft 365 Defender Monthly news April 2023 Edition	[attachment=36396:name]
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2023.
Legend: [attachment=36397:name] Product videos [attachment=36398:name] Webcast (recordings) [attachment=36399:name] Docs on Microsoft [attachment=36400:name] Blogs on Microsoft [attachment=36401:name] GitHub [attachment=36402:name] External [attachment=36403:name] Product improvements [attachment=36404:name] Previews / Announcements

Microsoft 365 Defender

[attachment=36405:name] Season 3 of the virtual Ninja Show now on-demand. 10 episodes for you to watch either on the show page or we also have a playlist on YouTube. [attachment=36406:name] Respond to threats in near real-time with custom detections. Use the new near real-time detection frequency for an even faster response to emerging threats in your environment. [attachment=36407:name] XDR attack disruption in action – Defending against a recent BEC attack. Learn how a real-world BEC attack was disrupted by Microsoft 365 Defender. [attachment=36408:name] Introducing "Behaviors", a new data type in Microsoft 365 Defender Advanced Hunting (Preview). Behaviors will optimize the alerts queue by enabling security teams to focus on the most relevant alerts in their environment. Within Defender for Cloud Apps, we have identified some detections that are better suited as behaviors, and we are transforming them to the new data type to reflect it that can be retrieved via advanced hunting. [attachment=36409:name] (Preview) Microsoft Defender Threat Intelligence (Defender TI) is now available in the Microsoft 365 Defender portal. This change introduces a new navigation menu within the Microsoft 365 Defender portal named Threat Intelligence. Learn more [attachment=36410:name] (Preview) Complete device reports for the DeviceInfo table in advanced hunting are now sent every hour (instead of the previous daily cadence). In addition, complete device reports are also sent whenever there is a change to any previous report. New columns were also added to the DeviceInfo table, along with several improvements to existing data in DeviceInfo and DeviceNetworkInfo tables.

Microsoft Defender for Endpoint
[attachment=36411:name] Defender for Endpoint P1/ P2 Mix licensing support (preview): If you have Defender for Endpoint Plan 1 and Plan 2 in your tenant, the ability to manage your subscription settings across client devices is now in preview! This new capability enables you to: Apply either Defender for Endpoint Plan 1 or Plan 2 settings to all your client devices; or Use mixed mode, and apply Defender for Endpoint Plan 1 settings to some client devices, and Defender for Endpoint Plan 2 to other client devices. You can also use a newly added license usage report to track status.
[attachment=36412:name]	Microsoft awarded Best Advanced Protection for Corporate and Consumer Users by AV-TEST. AV-TEST has awarded Microsoft Best Advanced Protection 2022 for both Corporate Users and Consumer Users categories.
[attachment=36413:name]	MacOS Device control. Defender for Endpoint Device Control feature enables you to audit, allow, or prevent the read, write, or execute access to removable storage, and allows you to manage iOS and Portable device and Apple APFS encrypted device and Bluetooth media with or without exclusions.

Microsoft Defender for Cloud Apps

[attachment=36414:name] Performance enhancements and faster load times for Defender for Cloud Apps inline proxy. We are excited to announce a significant improvement to the loading time of web pages protected by session policies. End users that are scoped to session policies, either from a desktop or mobile device, can now enjoy a faster and more seamless browsing experience. We witnessed an improvement of between 10 and 40 percent, depending on the application, the network, and the complexity of the web page. [attachment=36415:name] Improve your ability to distinguish between several sensitive information types, using Short evidence. We're excited to announce public preview of ‘Short evidence’! Short evidence allows Defender for Cloud Apps Information Protection users to distinguish between multiple Sensitive Information Types (SITs) in the same file match. Read all about this new capability: Microsoft Data Classification Services integration. [attachment=36416:name] New SaaS Security infographic. Learn more about SaaS Security at Microsoft specifically within Defender for Cloud Apps. [attachment=36417:name] Introducing "Behaviors", a new data type in Microsoft 365 Defender Advanced Hunting (Preview). Behaviors will optimize the alerts queue by enabling security teams to focus on the most relevant alerts in their environment. Within Defender for Cloud Apps, we have identified some detections that are better suited as behaviors, and we are transforming them to the new data type to reflect it that can be retrieved via advanced hunting. [attachment=36418:name] Defender for Cloud Apps Operational Guide. This guide provides an overview of the requirements and tasks for successfully operating Defender for Cloud Apps in your organization. These tasks help ensure that your security operations center (SOC) provides a high-quality, reliable approach to protect, detect, and respond to SaaS app based security threats.

Microsoft Defender for Identity

[attachment=36419:name] We no longer require logging 1644 events. If you have this registry setting enabled, you can remove it. For more information, see Event ID 1644. [attachment=36420:name] Some exclusions for the Honeytoken was queried via SAM-R alert weren't functioning properly. In these instances, alerts were being triggered even for excluded entities. This has now been fixed. [attachment=36421:name] Updated NTLM protocol name for the Identity Advanced Hunting tables: The old protocol name Ntlm will now be the new protocol name NTLM, in Advanced Hunting Identity tables: IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents. If you're currently using the Ntlm protocol in case-sensitive format from the Identity event tables, you should change it to NTLM. [attachment=36422:name] We removed the prerequisite of configuring a Directory Services account for the sensors to start. For more information, see Microsoft Defender for Identity Directory Service account recommendations. [attachment=36423:name] We're in the process of disabling the SAM-R honeytoken alert. While these types of accounts should never be accessed or queried, we're aware that certain legacy systems may use these accounts as part of their regular operations. If this functionality is necessary for you, you can always create an advanced hunting query and use it as a custom detection. Additionally, we'll be reviewing the LDAP honeytoken alert over the coming weeks, but it will remain functional for now.

Microsoft Defender for Office 365
[attachment=36424:name] Enhanced threat detection with URL click alerts by Defender for Office 365. Defender for Office 365 now features alerting policy enhancements to support the detection, investigation, and remediation of threats via URLs sent over email. These alerting policy enhancements in Defender for Office 365 provide an invaluable layer of protection against the ever-evolving tactics used by attackers in exploiting URLs sent via email. [attachment=36425:name] Defender for Office 365: Teams Security. Defender for Office 365 will provide protection and enhanced security operations (SecOps) experience for Microsoft Teams. These protection capabilities will include automatic remediation of malicious entities and support for end user reporting. In addition, Microsoft Teams specific attack insights will be included in the unified investigation and response experience in the Microsoft 365 Defender portal, for an optimized SecOps experience. [attachment=36426:name] Updates to evaluation experience. We are adding several new capabilities to our audit mode, which is used to evaluate Defender for Office 365 through a trial or a subscription that includes Defender for Office 365 Plan 2. Security Administrators can now turn on/off specific evaluation policies. You can now evaluate domain and user impersonation protection in audit mode where no action on messages will be taken. If your organization’s MX is pointed to a 3rd party email filtering provider and you want to evaluate spoof filtering in Defender for Office 365, you will be able to do so in audit mode where no action, such as send to junk/quarantine, on messages will be taken.
[attachment=36427:name]	Within 4 hours option for notifications. We are adding a new "Within 4 hours option" to end user notifications, allowing users to be able to rely on prompt notification about quarantined items when appropriate. With this feature users can be rest assured that they will be updated frequently once new items lands on their quarantine folder. Rollout of this option starts now in April! Read preview announcement blog.

Microsoft Defender for IoT

[attachment=36428:name] Announcing the release of cloud-powered security for IoT/OT environments. Defender for IoT team announced the general availability (GA) of its cloud-powered security, which enables businesses to interconnect their OT environment without compromising security while addressing the special needs of mission-critical OT environments and cyber-physical systems. Powered by Microsoft’s scalable, cost-effective Azure cloud, Defender for IoT helps enterprises manage assets, track emerging threats, and control risks across enterprise and mission-critical networks—both in connected and air-gapped environments. Moreover, Defender for IoT is perfectly suited to the needs of bandwidth constrained, classic production networks in remote locations, making it easy for enterprises to deploy, manage, and monitor even the most resource-limited environments. Microsoft 365 Defender Threat Analytics Reports (access to the Microsoft 365 Defender portal needed) Activity profile: 2022 DDoS attack trends. As organizations strengthen their defenses and take a more proactive approach to protection, attackers are adapting their techniques and increasing the sophistication of their operations. DEV-0450 and DEV-0464: Distributing Qakbot for ransomware deployment. Microsoft tracks DEV-0450 and DEV-0464 as Qakbot distributors that result in observed ransomware attacks. Qakbot is delivered using email, often downloaded by malicious macros in a Microsoft 365 document. Actor profile: DEV-1010. The actor Microsoft tracks as DEV-1010 is a cybercriminal group based out of Russia and Belarus. Microsoft identified the group conducting a phishing campaign in late October 2022 involving downloads of malicious Microsoft software installer (MSI) files, interpreters, downloader scripts, a remote access tool named rutserv.exe, and a PowerShell dropper containing a reflectively loaded Cobalt Strike beacon. PlugX malware leveraging OEM extended ASCII characters to evade detection. Microsoft 365 Defender detects ImageLoad events where an image is loaded from a directory path that begins with the non-breaking space (NBSP) character “0xA0”. The use of NBSP is a novel technique employed by PlugX malware to hide its presence on an infected removable media. Activity profile: Identity focus on Qakbot attacks. For many distributors of initial access malware like Qakbot, getting the first-stage payload onto a device is often just the first step in what ends up being a larger attack, including the delivery of additional malware payloads or selling access to other threat actors with their own objectives. As a result, Qakbot infections might vary in terms of objectives. Activity profile: Remcos payload delivery through tax document lures. Since February 20, 2022, Microsoft has observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise targeted networks. The campaign uses lures masquerading as tax documentation sent by a client, while the link in the email uses a legitimate click tracking service to evade detection. Threat Insights: Exchange vulnerability CVE-2023-21707. On March 14, 2023, Microsoft re-released patches for CVE-2023-21707, a remote code execution vulnerability in Exchange, to address stability issues experienced by a small subset of customers. Although this vulnerability has not been observed exploited in the wild, customers are urged to re-apply the patches as soon as possible for their organization’s security. Tool profile: Caffeine phishing as a service platform. The Caffeine phishing as a service (PhaaS) platform provides ready-to-use phishing emails, website templates, how-to documentation, phishing infrastructure (domains and IP addresses), and user support systems to its customers, lowering the barrier to entry for less skilled phishing actors. Activity profile: Emotet uses new defense evasion technique, March 2023. Emotet email activity resumed on March 7, 2023, following a period of inactivity in late 2022. This threat, which has frequently paused operations before resuming, is developed and deployed by an activity group Microsoft tracks as DEV-0201. CVE-2023-23397: Microsoft Outlook elevation of privilege vulnerability leads to NTLM credential theft. Microsoft Threat Intelligence discovered limited, targeted abuse of a zero-day in Microsoft Outlook that allows for NT LAN Manager (NTLM) credential theft being used by a likely Russian state-sponsored actor tracked by Microsoft as STRONTIUM. Activity profile: PHOSPHORUS exploits Aspera Faspex vulnerability (CVE-2022-47986). Since early February 2023, the actor Microsoft tracks as PHOSPHORUS has been observed exploiting CVE-2022-47986, a pre-authentication remote code execution vulnerability in Aspera Faspex, a file transfer application commonly used with Ruby on Rails. Actor profile: DEV-0506. The actor Microsoft tracks as DEV-0506 is a cybercriminal group known to deploy Black Basta ransomware. Tool profile: WinDealer. WinDealer is a modular backdoor that can perform file actions, execute arbitrary commands, and conduct discovery. Since 2020, WinDealer infections occur via the automatic update feature of benign applications popular in China. Tool profile: Information stealers. Information stealers (infostealers) are malicious software designed to steal data stored in browsers. Information stealers steal data like session tokens and cookies—which can include multifactor authentication (MFA) claims—saved passwords and input form data, credit card information, user files, cryptocurrency wallets, and credentials for internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), virtual desktop infrastructure (VDI) including Citrix, or identity providers (including Azure Active Directory, Okta). In some instances, infostealers can also load other malware to the affected environment. Activity profile: DEV-0501 shifts to BlackCat ransomware after Hive shut-down. DEV-0501 is a ransomware threat group that has switched ransomware payloads multiple times since 2021. Following the law enforcement shutdown of the Hive ransomware-as-a-service (RaaS) program in January 2023, DEV-0501 began to deploy BlackCat in February 2023. Activity profile: 3CXDesktopApp possible supply chain compromise. Microsoft is aware of third-party reports of hands-on-keyboard compromises originating from 3CXDesktopApp installs.

Blogs on Microsoft Security

[attachment=36429:name] New research, tooling, and partnerships for more secure AI and machine learning. At Microsoft, we’ve been working on the challenges and opportunities of AI for years. Today we’re sharing some recent developments so that the community can be better informed and better equipped for a new world of AI exploration. [attachment=36430:name] Protecting Android clipboard content from unintended exposure. Microsoft discovered that the SHEIN Android application periodically read the contents of the Android device clipboard and, if a particular pattern was present, sent the contents of the clipboard to a remote server. [attachment=36431:name] DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit. DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, including an open-source kit capable of circumventing MFA through reverse-proxy functionality. [attachment=36432:name] KillNet and affiliate hacktivist groups targeting healthcare with DDoS attacks.

 

Continue reading...