FPCH Admin AWS Posted June 30, 2023 FPCH Admin Posted June 30, 2023 Microsoft 365 Defender Monthly news July 2023 Edition [attachment=44312:name] This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from June 2023. Legend: [attachment=44313:name] Product videos [attachment=44314:name] Webcast (recordings) [attachment=44315:name] Docs on Microsoft [attachment=44316:name] Blogs on Microsoft [attachment=44317:name] GitHub [attachment=44318:name] External [attachment=44319:name] Product improvements [attachment=44320:name] Previews / Announcements Microsoft 365 Defender [attachment=44321:name] Prevent repeat attacks with threat-informed security posture recommendations. Microsoft 365 Defender now makes it easy for security operations (SOC) teams to identify and prioritize the right controls with the general availability of threat-informed security posture recommendations. [attachment=44322:name] [attachment=44323:name] Share your feedback on Microsoft 365 Defender via the new feedback portal. We’re excited to announce that Microsoft 365 Defender is now part of the new community feedback experience, and our customers now have a dedicated platform to submit their suggestions and feature requests for our security products. [attachment=44324:name] Ninja Show Season 4 recap! In this season we had a special mini-series on incident response, with lots of demos on how to investigate incidents following playbooks. Check out this summary and let us know your favorite topic from this season or what you’re looking forward to next! [attachment=44325:name] Microsoft Defender for Endpoint [attachment=44326:name] Forcibly releasing devices from isolation is now available for public preview. This new capability allows you to forcibly release devices from isolation, when isolated devices become unresponsive. For more information, see Take response actions on a device in Microsoft Defender for Endpoint. [attachment=44327:name] New Monthly security summary. Gain insights into an organization’s security posture and performance, as well as visualizing the team’s effort in managing the environment. Microsoft Defender for Cloud Apps [attachment=44328:name] [attachment=44329:name] App governance is now included as part of the Defender for Cloud Apps licenses and no longer requires an add-on license. In the Microsoft 365 Defender portal, go to Settings > Cloud apps > App governance > Service status to either enable app governance if available, or sign up for the waitlist. Webinar: App Governance Inclusion in Defender for Cloud Apps Overview. [attachment=44330:name] Safeguarding your OAuth apps with App Governance. Learn why App Governance is the essential layer of defence to protect your Oauth apps. Learn how to enable it and start using in a couple of steps. [attachment=44331:name] Defender for Cloud Apps Operational Guide is ready to download for your SOC and security teams to help with planning and performing security activities. [attachment=44332:name] Update Defender for Cloud Apps IP addresses for reverse proxy infrastructure. We recently completed infrastructure enhancements which resulted in new IPs that need to be added for Defender for Cloud Apps proxy infrastructure. We recommend that customers review the network list for proxy and ensure these have been updated in their environments. [attachment=44333:name] Enhanced hunting experience for OAuth app activities. App governance now makes it easy for you to take hunting with app data to the next level by providing deeper OAuth app insights, helping your SOC identify an app’s activities and the resources it has accessed. OAuth app insights include: Out-of-the-box queries that help to streamline the investigationVisibility into the data using the results viewThe ability to include OAuth app data such as resource, app, user, and app activity details in custom detections. For more information, see Hunt for threats in app activities. [attachment=44334:name] App hygiene update with Microsoft Entra. Starting June 1, 2023, management of unused apps, unused credentials, and expiring credentials will only be available to app governance customers with Microsoft Entra Workload Identities Premium. See Secure apps with app hygiene features and What are workload identities?. Microsoft Defender for Identity [attachment=44335:name] Advanced hunting with an enhanced IdentityInfo table. For tenants with Defender for Identity deployed, the Microsoft 365 IdentityInfo advanced hunting table now includes more attributes per identity, as well as identities detected by the Defender for Identity sensor from your on-premises environment. For more information, see the Microsoft 365 Defender advanced hunting documentation. [attachment=44336:name] Webinar recording: Become an Advisor to Our Product Engineering Team. The Defender for Identity product engineering team is excited to share a program for customers to become trusted advisors and impact our feature planning. Engage directly with the engineering team, learn what's coming, test out private previews, and share your experiences and recommendations. Microsoft uses the program to put the customer at the center of product development and, ultimately, help us better secure your organization and your customers. Microsoft Defender for IoT [attachment=44337:name] On June 1, 2023, Microsoft Defender for IoT moved to site-based licensing for organizations looking to protect their operation technology (OT) environments. The previous Azure consumption model for this solution will no longer be available for purchase by new customers. Existing customers can choose to transition to site-based licensing or remain on the consumption model. [attachment=44338:name] IoT devices and Linux-based systems targeted by OpenSSH trojan campaign. Microsoft has uncovered an attack leveraging custom and open-source tools to target internet-facing IoT devices and Linux-based systems. The attack involves deploying a patched version of OpenSSH on affected devices to allow root login and the hijack of SSH credentials. Microsoft Defender for Business [attachment=44339:name] Streaming API for Defender for Business customers is now in public preview! We are delighted to announce that Microsoft Defender for Business now supports streaming events through Advanced Hunting! This means that Defender for Business customers can stream the data to Event Hubs, Azure, or local storage. Blogs on Microsoft Security [attachment=44340:name] Detecting and mitigating a multi-stage AiTM phishing and BEC campaign. Microsoft Defender Experts observed a multi-stage adversary-in-the-middle (AiTM) and business email compromise (BEC) attack targeting banking and financial services organizations over two days. This attack originated from a compromised trusted vendor, involved AiTM and BEC attacks across multiple supplier/partner organizations for financial fraud, and did not use a reverse proxy like typical AiTM attacks. [attachment=44341:name] Cadet Blizzard emerges as a novel and distinct Russian threat actor. Microsoft attributes several campaigns to a distinct Russian state-sponsored threat actor tracked as Cadet Blizzard (DEV-0586), including the WhisperGate destructive attack, Ukrainian website defacements, and the hack-and-leak front “Free Civilian”. Microsoft 365 Defender Threat Analytics reports (Portal access needed) Detecting and mitigating a multi-stage AiTM phishing and BEC campaign. In April 2023 Microsoft Defender Experts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack against banking and financial services organizations. The attack originated from a compromised trusted vendor and showcases the complexity of AiTM and BEC threats which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud. Technique profile: Antivirus tampering. One of the first steps many attackers take after the initial compromise of an organization is to identify and tamper with security solutions. By disabling or otherwise tampering with defenses, attackers gain time to install malicious tools, exfiltrate data for espionage or extortion, and potentially launch destructive attacks like ransomware. Vulnerability profile: MOVEit Transfer zero-day exploitation (CVE-2023-34362). On May 31, 2023, Progress Software Corporation disclosed a critical SQL injection vulnerability (CVE-2023-34362) in their MOVEit Transfer application that could lead to unauthenticated access to the underlying database. Microsoft has observed active exploitation of the MOVEit Transfer vulnerabilities as early as May 27, 2023. MediaArena potentially unwanted application detection surge. Microsoft observed an increasing number of detections for a new family of unwanted applications named MediaArena, a highly prevalent family of browser modifier applications that bypass a browser's supported extensibility model to change Microsoft Edge's default search provider. Actor profile: Lace Tempest ransomware and extortion group. Lace Tempest (DEV-0950) is a cybercriminal group known to conduct ransomware operations. They target organizations across a diverse array of industries and have traditionally used phishing campaigns and exploited public-facing Serv-U FTP server vulnerabilities to obtain initial access. Recently, Microsoft observed activity originating from Raspberry Robin worm infections attributed to Lace Tempest. Activity Profile: Peach Sandstorm uses sophisticated TTPs in a new campaign. Microsoft observed a resurgence of activity attributed to Peach Sandstorm, an Iran-based nation state actor. While the majority of activity Microsoft saw in this campaign can be characterized as reconnaissance, in March 2023, Microsoft identified a successful intrusion where Peach Sandstorm used a GoldenSAML attack to ultimately exfiltrate data from a compromised organization. Actor profile: Cadet Blizzard. Cadet Blizzard (DEV-0586) is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022. Primary targeted sectors include government organizations and information technology providers in Ukraine, although organizations in Europe and Latin America have also been targeted. Actor profile: Storm-0288 leverages handoffs from multiple actors to deploy ransomware. Storm-0288 (DEV-0288) is a financially-motivated cybercrime group known to use the malware families PUNCHBUGGY, BadHatch, and White Rabbit, among others. Identified operations have focused on point-of-sale compromise, data exfiltration, extortion, and ransomware deployment. Actor profile: Storm-0396 operates LockBit ransomware as a service. Storm-0396 (DEV-0396) is a cybercriminal group known as the likely operators of LockBit ransomware as a service (RaaS). They manage the LockBit RaaS offerings, including LockBit 2.0, LockBit Black (aka LockBit 3.0), the recently discovered variant LockBit Green, and an ESXI variant to encrypt Linux servers. LockBit RaaS is one of the most prominent RaaS models and has historically impacted numerous organizations worldwide. Activity profile: Storm-1359 launches distributed denial of service attacks. Microsoft has attributed distributed denial of service (DDoS) attacks in early June 2023 to the threat actor tracked as Storm-1359. These attacks against multiple Microsoft cloud services, including Microsoft 365 and Azure, likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools. Threat insights: Storm-0875 uses social engineering and AADInternals to compromise cloud identities. In April and May 2023, Microsoft Threat Intelligence attributed multiple attacks involving cloud identity compromise in Microsoft Azure and Office 365 tenants to the threat actor that Microsoft tracks as Storm-0875 (DEV-0875). To compromise cloud identities, Storm-0875 (also known as 0ktapus) used extensive social engineering tactics to compromise Global Administrator accounts, then used the AADInternals tool to establish a federated backdoor and generate security assertion markup language (SAML) tokens. The tokens allowed the actor to sign-in as additional accounts for persistence and follow-on malicious activities, including pivoting to access on-premises resources. Actor profile: Storm-0201. Storm-0201 (DEV-0201) is a criminal group that focuses on the development and distribution of the Emotet malware. They are known to primarily target organizations in opportunistic email attacks worldwide, and prior Storm-0201 infections have led to ransomware. Storm-0201 is tracked by other security companies as Mummy Spider and TA542. Activity profile: Midnight Blizzard credential attacks. Since at least March 2023, Microsoft Threat Intelligence detected an increase in credential attacks and initial access operations utilizing residential proxy services conducted by the threat actor that Microsoft tracks as Midnight Blizzard. The credential attacks use a variety of password spray, brute force, and token theft techniques to gain access to target environments. Actor profile: Storm-0558. Storm-0558 (DEV-0558) is a nation-state activity group based out of China. They focus on espionage, data theft, and credential access. They are also known to use custom malware that Microsoft tracks as Cigril and Bling, for credential access. IoT devices and Linux-based systems targeted by OpenSSH trojan campaign. Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware. Tool profile: Greatness adversary-in-the-middle phishing-as-a-service platform. Greatness is a phishing-as-a-service (PhaaS) platform with adversary-in-the-middle (AiTM) capabilities that has been active since mid-2022 and is attributed to the threat that Microsoft tracks as Storm-1295 (DEV-1295). Continue reading... Quote Off Topic Forum - Unlike the Rest
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.