Monthly Archives: December 2020

Cyber Security Roundup for January 2021

A sophisticated, suspected nation-state cyber-attack on SolarWinds, which led to the distribution of a tainted version of the SolarWinds Orion network monitoring tool and compromised SolarWinds' customers, dominated the cyber headlines in mid-December 2020. This was not only one of the most significant cyberattacks of 2020 but perhaps of all time. The United States news media reported that the Pentagon, US intelligence agencies, nuclear labs, the Commerce, Justice, Treasury and Homeland Security departments, and several utilities were all compromised by the attack. For the full details of the SolarWinds cyber-attack see my article Sunburst: SolarWinds Orion Compromise Overview.

Two other cyberattacks possibly linked to the SolarWinds hack were also reported: the theft of sophisticated hacking tools from cybersecurity firm FireEye, for which a nation-state actor is suspected to be responsible, and the United States National Security Agency (NSA) advisory that a VMware security vulnerability was being exploited by Russian state-sponsored actors.

Amidst the steady stream of COVID-19 and Brexit news reports, yet another significant ransomware and cyber-extortion attack briefly made UK headlines. Hackers stole confidential records, including patient photos, from UK cosmetic surgery chain 'The Hospital Group', and threatened to publish patients' 'before and after' photos. The UK cosmetic surgery firm, which has a long history of celebrity endorsements, confirmed it was the victim of a ransomware attack, and that it had informed the UK's Information Commissioner's Office about the loss of personal data.

Spotify users had their passwords reset after security researchers alerted the music streaming platform to a leaky database holding the credentials of up to 350,000 Spotify users, which may have been part of a credential stuffing campaign. Security researchers at Avast reported that 3 million devices may have been infected with malware hidden within 28 third-party Google Chrome and Microsoft Edge extensions.

A McAfee report said $1 Trillion was lost to cybercrime in 2020, and companies remained unprepared for cyberattacks in 2021.

Stay safe and secure.



    4 Ways to Help Your Family Combat Cyber Threats in the New Year


    No doubt, we have a lot to be hopeful for as we step into the New Year. We’ve adapted, survived, and learned to thrive under extraordinary circumstances. While faced with plenty of challenges, families successfully transitioned to working and learning from home like pros. So, as we set our intentions for 2021, we will need that same resolve to tackle growing cyber threats.

    The good news: With a COVID-19 vaccine making its debut, we’re trusting there’s an end in sight to the pandemic of 2020, which may help curb a lot of our emotional as well as digital stressors.

    The not-so-good-news: According to McAfee’s latest Quarterly Threat Report, pandemic-themed threats that began in 2020 will continue, specifically, phishing and malware scams targeting people working from home. According to the recent report, bad actors are especially taking advantage of the mass remote workforces.

    According to Raj Samani, McAfee Fellow and Chief Scientist, “What began as a trickle of phishing campaigns and the occasional malicious app quickly turned into a deluge of malicious URLs, attacks on cloud users and capable threat actors leveraging the world’s thirst for more information on COVID-19 as an entry mechanism into systems across the globe.”

    The report's findings suggest a few best practices for families as we launch a new year: Stay informed and keep talking about the threats and, as grandma might advise, dress in layers to protect against the elements (in this case, digital threats).

    Safe Family Tips

    1. Information is power. The best defense against online threats is a good offense, which in the digital space means staying informed. The more you know about how hackers exploit consumers, the more you can dodge shady phishing scams such as emails trying to sell you the COVID-19 vaccine online or a voucher allowing you to skip the vaccination line.
    2. Verify email sources. Be skeptical of emails or text messages claiming to be from people you know or organizations with requests or offers that seem too good to be true. Before you click, go straight to the organization's website or contact customer service. Verifying sources will help you steer clear of downloading malicious content from phishing links. Remind family members to keep their guard up and never to share personal information.
    3. Hover over links, scrutinize URLs. If someone sends you a message with a link, hover over the link without clicking on it. This will allow you to see a link preview. If the URL looks suspicious, delete the message. A few red flags: Fake links generally imitate established websites but may include unnecessary words and domains in the address. When in doubt about a link's validity, don't click.
    4. Think in layers. When it comes to cybersecurity for the new year, try thinking of (or dressing) your devices in layers. A few ways to layer up:

    • Use 2FA passwords. Regularly changing passwords and adding two-factor authentication (2FA) is proving to be the most effective way to thwart hackers. If you work from home, 2FA is a more secure way to access work applications. Requiring you to verify who you are with a personal device only you own, on top of the password/username combo, puts an extra barrier between your data and a creative hacker.

    • Use a VPN. If you travel or choose to work in a coffee shop, a Virtual Private Network (VPN) will give your family an encrypted channel that shields your online activity from hackers.

    • Security software. If you've been cobbling your security plan together, consider one comprehensive security solution to help protect you from malware, phishing attacks, and viruses. Leading products such as McAfee Total Protection include safe browsing and a VPN.

    The past year, while difficult, also gave us several gifts to carry into 2021. For families, it connected us with our resilience and creativity. It made us wiser, braver, and more ready for the challenges ahead, be they online or within the ebb and flow of everyday life. That’s something we can all celebrate.


    The post 4 Ways to Help Your Family Combat Cyber Threats in the New Year appeared first on McAfee Blogs.

    Webcast: Discussing Implications of the SolarWinds Breach(es)

    Does the news on SUNBURST and SUPERNOVA have you feeling like you're flapping in the (Solar)Wind? Join John Strand, Jonathan Ham, and Jake Williams as they discuss the implications of the breaches in this no-FUD webcast. No, we won't be discussing "cyber Pearl Harbor", because let's be honest, that's just hyperbole. Join us to […]

    The post Webcast: Discussing Implications of the SolarWinds Breach(es) appeared first on Black Hills Information Security.

    Lessons from Teaching Cybersecurity: Week 13

    As I mentioned previously, this year, I’m going back to school. Not to take classes but to teach a course at my alma mater, Fanshawe College. I did this about a decade ago and thought it was interesting, so I was excited to give it another go. Additionally, after a friend mentioned that their kid […]… Read More

    The post Lessons from Teaching Cybersecurity: Week 13 appeared first on The State of Security.

    Secure Remote Access: Why It Matters and Why It Has to Be Done Right

    With the arrival of COVID-19, organizations around the world were forced to transition their employees to working from home, at a time when organizations' network infrastructure is more complex than ever. This complexity is not unique to IT environments. In fact, the machines […]… Read More

    The post Secure Remote Access: Why It Matters and Why It Has to Be Done Right (Acceso Remoto Seguro: Por que es importante y por que hay que hacerlo bien) appeared first on The State of Security.

    Happy 11th Birthday, KrebsOnSecurity!

    Today marks the 11th anniversary of KrebsOnSecurity! Thank you, Dear Readers, for your continued encouragement and support!

    With the ongoing disruption to life and livelihood wrought by the Covid-19 pandemic, 2020 has been a fairly horrid year by most accounts. And it’s perhaps fitting that this was also a leap year, piling on an extra day to a solar rotation that most of us probably can’t wait to see in the rearview mirror.

    But it was hardly a dull one for computer security news junkies. In almost every category — from epic breaches and ransomware to cybercrime justice and increasingly aggressive phishing and social engineering scams — 2020 was a year that truly went to eleven.

    Almost 150 stories here this past year generated nearly 9,000 responses from readers (although about 6 percent of those were on just one story). Thank you all for your thoughtful engagement, wisdom, news tips and support.

    I’d like to reprise a note from last year’s anniversary post concerning ads. A good chunk of the loyal readers here are understandably security- and privacy-conscious, and many block advertisements by default — including the ads displayed here.

    KrebsOnSecurity does not run third-party ads and has no plans to change that; all of the creatives you see on this site are hosted in-house, are purely image-based, and are vetted first by Yours Truly. Love them or hate ’em, these ads help keep the content at KrebsOnSecurity free to any and all readers. If you’re currently blocking ads here, please consider making an exception for this site.

    In case you missed them, some of the most popular feature/enterprise stories on the site this year (in no particular order) included:

    The Joys of Owning an ‘OG’ Email Account
    Confessions of an ID Theft Kingpin (Part II)
    Why and Where You Should Plant Your Flag
    Thinking of a Career in Cybersecurity? Read This
    Turn on MFA Before Crooks Do it for You
    Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion
    Who’s Behind the ‘Web Listings’ Mail Scam?
    When in Doubt: Hang Up, Look Up, & Call Back
    Riding the State Unemployment Fraud Wave
    Would You Have Fallen for this Phone Scam?

    Bring on 2021!

    With 2021 approaching, it is a time to both reflect on the outstanding progress we have each made – personally and professionally, and warmly welcome a new chapter in 2021!  

    2020 has been one of the most unexpected years in our history. However, despite COVID-19, we had some amazing successes. 

    January brought McAfee our new CEO – Peter Leav. It’s hard to believe it has only been a year under his leadership. What an impact! And, McAfee is back on the stock exchange.   

    2020 has also seen the rapid acceleration of cloud adoption. Typically, a move like that involves immense planning to minimize complexity. That didn’t always happen.  And, as our Advanced Threat Research team has reported, cybercriminals took full advantage of more ransomware, malware, and general bad behavior. In fact, a recent McAfee report estimates global cybercrime losses will exceed $1 Trillion.  Fortunately, McAfee customers benefited from the get-go with a robust, award-winning cloud-native portfolio that became even stronger in 2020.   

    Excelling at Cloud Security with SASE and CNAPP 

    Shortly after Peter joined, we closed our LightPoint acquisition, enabling us to add Remote Browser Isolation (RBI) to MVISION Unified Cloud Edge (UCE). In March, we delivered multi-vector data protection for unified and comprehensive data protection across endpoints, web, and cloud. In August, we further enhanced our MVISION UCE offering by announcing pivotal SD-WAN technology integrations. Finally, at MPOWER, we announced the industry-first integration of Remote Browser Isolation into our Unified Cloud Edge solution.

    In our award-winning and unmatched MVISION Cloud solution, which is natively integrated into UCE, we were the first CASB to map cloud threats to MITRE ATT&CK. Introducing MITRE ATT&CK into the MVISION Cloud workflow helps SOC analysts investigate cloud threats and security managers defend against future attacks with increased precision. Our new MVISION Cloud Security Advisor (CSA) provides recommendations, broken into visibility and control metrics, to help prioritize cloud security controls implementation. We also delivered MVISION Cloud for Teams, which provides policy and collaboration controls to enable organizations to safely collaborate with partners without having to worry about exposing confidential data to guest users.

    MVISION Cloud received its FedRAMP High JAB P-ATO designation and McAfee MVISION for Endpoint achieved FedRAMP Moderate Authorization. Both of those are important to enable our Federal customers to take advantage of the MVISION portfolio.  

    All of this helps our customers accelerate the easy adoption of a more complete Secure Access Service Edge (SASE) architecture and better defend against advanced web and cloud-based threats. In fact, our MVISION UCE customers can enjoy nearly 40% annual TCO savings when they go from on-prem to cloud. 

    For our customers who want cloud-native IaaS security while dealing with existing on-prem data center deployments, we rolled out our new McAfee MVISION Cloud-Native Application Protection Platform (CNAPP), an integrated hybrid cloud security platform for comprehensive data protection, threat prevention, governance, and compliance for the cloud-native application lifecycle. We also announced native AWS integrations for MVISION CNAPP.

    Delivering a future-proof SOC with XDR

    The team and I are also extremely excited about the progress with our Endpoint portfolio across ENS and EDR, and the momentum behind MVISION Insights.

    The still-unfolding SolarWinds supply chain compromise has shown how unprepared SOC teams can be and why it is ever more important to have proactive and actionable threat intelligence at your fingertips. As news of an emerging campaign goes viral, SOC teams must answer the topical question raised by the C-level or the Board, "Are we impacted?", which unfortunately until now took days if not weeks of scrambling to answer. We launched MVISION Insights early this summer to solve exactly this problem. MVISION Insights leverages McAfee's cutting-edge threat research, augmented with AI applied to real-time telemetry streamed from over a billion sensors, to identify and prioritize threats before they hit. MVISION Insights can predict the impact on your countermeasures, and then tells you exactly how and where to improve your security posture. In essence, it enables you to "shift left" and anticipate and stop breaches before they happen. As the SolarWinds compromise was unfolding, MVISION Insights delivered actionable threat intelligence to McAfee's customers within hours. The fact that we now have hundreds of customers who have adopted MVISION Insights as part of their SOC framework within a few months of release is a testament to the real value they are enjoying. The best part is that it is also free for all our customers who have our integrated EPP+EDR SKUs: MV6 or MV7.

    Our latest endpoint protection product, ENS 10.7, is stronger, with higher quality and customer satisfaction than ever. ENS 10.7 couples all our endpoint protection capabilities with machine learning, behavior monitoring, fileless threat defense and Rollback Remediation. It's also backed by our Global Threat Intelligence (GTI) to provide adaptable, defense-in-depth capability against the techniques used in targeted ransomware attacks. ENS 10.7 delivers meaningful value. Rollback Remediation, for instance, can save an average of $500 per node in labor and productivity costs by eliminating the need to reimage machines. ENS 10.7 became generally available about a year ago and has emerged as our #1 deployed enterprise product worldwide, the fastest ramp of any ENS release.

    Equally on the EDR front, we delivered capabilities that make a measurable improvement for ever-tired SOC teams. The included AI-guided investigations can speed threat investigations from more than 2 hours to as little as 6 minutes per incident. The SolarWinds compromise also showed that organizations need an integrated platform that delivers complete visibility and control across their infrastructure, including their supply chain. The recently announced MVISION XDR builds upon our EDR solution, making it easier for our customers to achieve this complete visibility and control. It extends MVISION Insights across endpoints, network and cloud, making it the first proactive XDR platform to manage your risk. MVISION XDR dramatically expands the capabilities of traditional Endpoint Detection and Response (EDR) point solutions by delivering a fully integrated, SaaS-based platform to rapidly discover and mitigate the real threats to your users and data across all threat vectors. And, complementing our MVISION XDR solution is a host of partner solutions available via MVISION Marketplace.

    Finally, we rolled out the Device-to-Cloud suites, making it easier for our customers to move to a cloud-native architecture. These three SaaS offerings all feature MVISION Insights and endpoint protection to provide right-sized security solutions in a simple-to-acquire package.  

    I am so proud that our customers and the industry also recognize the McAfee teams’ hard work. We were able to add a long list of awards and accolades to our portfolio in 2020. 



    Now that we’ve looked back at our successes, let’s take a moment to look forward and set goals for ourselves in the coming year. My team and I are committed to:  

    • Expanding on our XDR strategy by changing the landscape of how we enable our customers to be more proactive and get complete visibility and control, halting threats before they reach devices, networks, and the cloud.
    • Strengthening UCE by innovating and expanding our portfolio features and functionality to enable comprehensive Zero Trust and SASE coverage from McAfee that spans all major threat vectors.
    • Raising the bar of MVISION CNAPP innovation and making it easier (and safer) to accelerate cloud transitions with continued cloud security innovation.


    Against today’s increasingly sophisticated adversaries, your success is our success.    

    As we head into 2021, I want to take a moment to wish each of you peace, good health, and prosperity.   

    Happy holidays to you and yours! 

    Thanks, Shishir 

    The post Bring on 2021! appeared first on McAfee Blogs.

    Trends in IT-Security and IAM in 2021, the “New Normal” and beyond

    Article by Dennis Okpara, Chief Security Architect & DPO at IDEE GmbH

    Yes, there is hope for 2021, but the challenges of the “New Normal” are here to stay. CISOs have to prepare and start acting now, because cybersecurity and the IT-infrastructure will have to face threats that have only just started.

    The year 2020 was the year working from home lost its oddity status and became normality. Big names like Google and Twitter are planning long-term and hold out the prospect of working from home on a permanent basis. More than 60 percent of companies are trying the same and have implemented home office policies in 2020. But with great flexibility comes great responsibility: Everyone responsible for cybersecurity and a secure IT infrastructure is now dealing with new challenges in closing the last gaps and weak points when it comes to allowing access to company resources. Dennis Okpara, Chief Security Architect & DPO at IDEE GmbH, the specialist for secure identity access management (IAM), authentication and authorization, shows the top 3 issues CISOs have to look out for:

    1. The Problem with Insider Threats will only get Worse
    With more and more people working from home, the use of personal devices and working on private networks only increases and further fuels the risk of insider threats. This does not come as a surprise. As early as in 2018, Verizon's Data Breach Investigation Report already recorded an increase in threats from "internal actors," meaning employees who knowingly or unknowingly illegally disseminated data and other company information. According to the 2020 report, insiders were responsible for a data breach in a flabbergasting 30% of cases.

    The case of Twitter in the summer of 2020 vividly illustrates the damage an insider threat can create. Hackers used social engineering to exploit the insecurity of IT employees and thus gain access to internal systems. Of course, it is quite unlikely that any of Twitter's employees acted with malicious intent; still, they became the tool for an attack. The result: although the account takeovers (ATOs) were used for fairly obvious scam posts, the attackers captured well over $100,000.

    No company is immune to such attacks, and even strict cybersecurity policies have little effect because they are very difficult to enforce or monitor when people are working from home. Therefore, it can be assumed that the number of insider threats will increase by more than 20% in 2021.

    2. Ransomware and Shadow IT are bound to become the CISO's nightmare
    Working from home came suddenly for most companies, pretty much overnight, and even now most corporations are not sufficiently prepared for the challenges that lie ahead. Unlike in the office, where the IT department can reasonably reliably control the distribution of software on employee PCs, the use of home networks and private devices opens up new attack vectors for hackers.

    Employees often use third-party services, download free software, or use private cloud services as a workaround when corporate services are not available. The storage of documents, access to data or other sensitive information on private devices will also continue to increase without CISOs being able to control this. Since private devices and networks are usually inadequately protected, they serve as a gateway for ransomware, which then attacks corporate networks, encrypts data and extorts high ransoms. Gartner analysts have already predicted a 700% increase in 2017 - the growth from the New Normal will dwarf those numbers and give CISOs many sleepless nights. Due to system and network vulnerabilities, misconfigurations, phishing, and the increase in credential attacks, we will likely see an exponential increase in ransomware attacks in 2021.

    3. Mobile Devices Become a Favourite Target for Hackers
    Developments such as multi-factor authentication (MFA) are improving the security of access to corporate services. On the flip side, they have put mobile devices in the crosshairs of hackers. As smartphones are now used for almost all online activities, the number of attack vectors has grown steadily along with them. In addition to malware, which can be easily installed via third-party apps, especially on Android, and data manipulation or the exploitation of recovery vulnerabilities (such as the interception of magic links or PIN text messages), social engineering is a particularly popular field here.

    In addition to the widespread phishing e-mail, vishing (manipulation of employees by fictitious calls from IT staff) and smishing (which works similarly to phishing but uses SMS instead of e-mail) will increase sharply. Hackers will come up with new tricks to compromise mobile devices, and that can only make digital fraud worse.

    2021: The Year We Abolish Trust
    In a year in which we will have to learn a lot of things anew, CISOs are well advised not to build anything on trust, neither their network infrastructure nor their IAM. Zero-trust architectures that question all access to corporate resources must become the standard in the age of the New Normal. Restricting resource access to a physical address or IP address, or to VPN access, is counterproductive and difficult to manage if employees are to work from remote locations. Digital identity will shift from user identity to the combined identity of the device and the user. Only this will enable modern and secure identity & access management.

    Hacking Christmas Gifts: Remote Control Cars

    If high-tech gadgets are on your holiday shopping list, it is worth taking a moment to think about the particular risks they may bring. Under the wrong circumstances, even an innocuous gift may introduce unexpected vulnerabilities. In this blog series, VERT will be looking at some of the Internet’s best-selling holiday gifts with an eye […]… Read More

    The post Hacking Christmas Gifts: Remote Control Cars appeared first on The State of Security.

    A Review of Ransomware in 2020

    As if dealing with COVID-19 were not enough, 2020 turned out to be a banner year for another troublesome strain of virus— ransomware. Malicious actors grew more sophisticated, daring and brutal. They also hit a number of high-profile targets. For those of you who didn’t keep up with all of the developments in the ransomware […]… Read More

    The post A Review of Ransomware in 2020 appeared first on The State of Security.

    Using Microsoft 365 Defender to protect against Solorigate

    Microsoft security researchers continue to investigate and respond to the sophisticated cyberattack known as Solorigate (also referred to as Sunburst by FireEye) involving a supply chain compromise and the subsequent compromise of cloud assets. While the related investigations and impact assessments are ongoing, Microsoft is providing visibility into the attack chains and related threat intelligence to the defender community as early as possible so organizations can identify and take action to stop this attack, understand the potential scope of its impact, and begin the recovery process from this active threat. We have established a resource center that is constantly updated as more information becomes available at

    This blog is a comprehensive guide for security operations and incident response teams using Microsoft 365 Defender to identify, investigate, and respond to the Solorigate attack if it’s found in your environment. The description of the attack in this blog is based on current analysis and investigations by researchers across Microsoft, our partners, and the intelligence community who are actively collaborating to respond to the attack. This is an active threat that continues to evolve, and the findings included here represent what we know at the time of publishing. We continue to publish and update intelligence, indicators, tactics, techniques, and procedures (TTPs), and related details as we discover them. The report from the Microsoft Security Response Center (MSRC) includes the latest analysis of this threat, known indicators of compromise (IOCs), and initial recommended defenses, and will be updated as new data becomes available.

    This blog covers:

    Tracking the cross-domain Solorigate attack from endpoint to the cloud

    The Solorigate attack is an example of a modern cross-domain compromise. Since these kinds of attacks span multiple domains, having visibility into the entire scope of the attack is key to stopping and preventing its spread.

    This attack features a sophisticated technique involving a software supply chain compromise that allowed attackers to introduce malicious code into signed binaries on the SolarWinds Orion Platform, a popular IT management software. The compromised application grants attackers “free” and easy deployment across a wide range of organizations who use and regularly update the application, with little risk of detection because the signed application and binaries are common and are considered trusted. With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating within (while others remain an option at any point as long as the backdoor is installed and undetected). Based on our investigations, the next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources through the following steps:

    1. Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device
    2. Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using either of two methods:
      1. Stealing the SAML signing certificate (Path 1)
      2. Adding to or modifying existing federation trust (Path 2)
    3. Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud
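As an added example (not code from the Microsoft post), the following Python shows detection logic a SOC could apply to the two token-forgery paths above: a token signed with a stolen certificate validates like a genuine one, so Path 1 is spotted by the absence of a matching issuance on the federation server, while Path 2 is spotted by trust changes or tokens involving an unapproved issuer. The record shapes, issuer names, user names and timestamps are constructed assumptions, not any real Microsoft 365 or federation-server log schema.

```python
"""Added example: flag the two SAML-token forgery paths on constructed records.

Assumption: the record shapes below are a simplified, constructed format,
not the schema of any real Microsoft 365 or federation-server log."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class CloudSamlLogon:
    """A cloud sign-in that presented a SAML token (constructed shape)."""
    user: str
    time: datetime
    issuer: str  # entity ID of the identity provider that signed the token


@dataclass(frozen=True)
class FederationIssuance:
    """A token issuance recorded by the on-premises federation server."""
    user: str
    time: datetime


@dataclass(frozen=True)
class FederationChange:
    """A change to a domain's federation trust (issuer / signing material)."""
    actor: str
    time: datetime
    domain: str
    new_issuer: str


@dataclass(frozen=True)
class Finding:
    path: int  # 1 = stolen signing certificate, 2 = added/modified trust
    subject: str
    detail: str


def ts(s: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS' (UTC) timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def uncorrelated_saml_logons(logons: Iterable[CloudSamlLogon],
                             issuances: Iterable[FederationIssuance],
                             window: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Path 1 check: the signature on a token forged with a stolen certificate
    is valid, so the tell is that the federation server never issued it. A
    cloud SAML logon with no issuance for the same user inside `window`
    before it is flagged."""
    issued: Dict[str, List[datetime]] = {}
    for ev in issuances:
        issued.setdefault(ev.user, []).append(ev.time)
    findings: List[Finding] = []
    for logon in logons:
        if not any(logon.time - window <= t <= logon.time
                   for t in issued.get(logon.user, [])):
            findings.append(Finding(1, logon.user,
                f"SAML sign-in at {logon.time} with no federation-server "
                f"issuance in the preceding {window}"))
    return findings


def unexpected_trust(logons: Iterable[CloudSamlLogon],
                     changes: Iterable[FederationChange],
                     approved_issuers: Set[str]) -> List[Finding]:
    """Path 2 check: adding or modifying a federation trust makes tokens from
    an attacker-controlled issuer acceptable, so flag any trust change that
    introduces an unapproved issuer and any logon whose token came from one."""
    findings = [Finding(2, ch.actor, f"{ch.domain} now trusts issuer {ch.new_issuer}")
                for ch in changes if ch.new_issuer not in approved_issuers]
    findings += [Finding(2, lg.user, f"token issuer {lg.issuer} is not approved")
                 for lg in logons if lg.issuer not in approved_issuers]
    return findings


# Constructed sample data (assumed names and times; not real indicators).
GOOD_ISSUER = "http://sts.example.test/adfs/services/trust"
ROGUE_ISSUER = "http://sts.rogue.example.test/"
APPROVED_ISSUERS = {GOOD_ISSUER}

ISSUANCES = [FederationIssuance("alice", ts("2020-12-14 10:00:00")),
             FederationIssuance("bob", ts("2020-12-14 10:02:00"))]

LOGONS = [CloudSamlLogon("alice", ts("2020-12-14 10:01:00"), GOOD_ISSUER),  # genuine
          CloudSamlLogon("bob", ts("2020-12-14 11:30:00"), GOOD_ISSUER),    # no recent issuance
          CloudSamlLogon("carol", ts("2020-12-14 10:05:00"), ROGUE_ISSUER)]  # rogue issuer

CHANGES = [FederationChange("admin", ts("2020-12-14 09:55:00"), "example.test", GOOD_ISSUER),
           FederationChange("svc-orion", ts("2020-12-14 10:04:00"), "example.test", ROGUE_ISSUER)]


def run_checks() -> List[Finding]:
    """Run both checks over the constructed data and return every finding."""
    return (uncorrelated_saml_logons(LOGONS, ISSUANCES)
            + unexpected_trust(LOGONS, CHANGES, APPROVED_ISSUERS))


if __name__ == "__main__":
    for f in run_checks():
        print(f"path {f.path} | {f.subject}: {f.detail}")
```

In practice the issuance side comes from the federation server's own audit trail and the approved-issuer set from change control, so a hit on either check is a lead for the incident investigation described below, not a verdict on its own.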


    Figure 1. High-level end-to-end Solorigate attack chain

    This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected. The deeply integrated cross-domain security capabilities in Microsoft 365 Defender can empower organizations and their security operations (SOC) teams to uncover this attack, scope out the end-to-end breach from endpoint to the cloud, and take action to block and remediate it. This blog will offer step-by-step guidance to do this by outlining:

    • How indicators of attack show up across endpoints, identity, and the cloud
    • How Microsoft 365 Defender automatically combines alerts across these different domains into a comprehensive end-to-end story
    • How to leverage the powerful toolset available for deep investigation, hunting, and response to enable SOCs to battle the attackers and evict these attackers from both on-premises and cloud environments

    Threat analytics: Understanding and responding to active attacks

    As soon as this attack was discovered, Microsoft researchers published two threat analytics reports to help organizations determine if they are affected, assess the impact of the attack, and identify actions to contain it.

    The reports are published in Microsoft 365 security center, available to all Microsoft Defender for Endpoint customers and Microsoft 365 Defender early adopters. In addition to detailed descriptions of the attack, TTPs, and indicators of compromise (IoCs), the reports provide real-time data aggregated from signals across Microsoft 365 Defender, indicating the all-up impact of the threat to the organization, as well as details about relevant incidents and alerts to initiate investigation on. These reports continue to be updated as additional information becomes available.

    Given the significance of this threat, we are making similar relevant Microsoft threat intelligence data, including the updated list of IOCs, available to everyone publicly.  A comprehensive list of guidance and insights is available at


    Figure 2. Threat analytics report on Solorigate attack

    We recommend that Microsoft 365 Defender customers start their investigations here. After gaining a deep understanding of the threat and getting the latest research findings, you can take the following recommended steps:

    Find devices with the compromised SolarWinds Orion application

    The threat analytics report uses insights from threat and vulnerability management to identify devices that have the compromised SolarWinds Orion Platform binaries or are exposed to the attack due to misconfiguration.

    From the Vulnerability patching status chart in threat analytics, you can view the mitigation details to see a list of devices with the vulnerability ID TVM-2020-0002, which was added specifically to help with Solorigate investigations:


    Figure 3. Threat and vulnerability management data shows data on exposed devices

    Threat and vulnerability management provides more info about the vulnerability ID TVM-2020-0002, as well as all relevant applications, via the Software inventory view. There are also multiple security recommendations to address this specific threat, including instructions to update the software versions installed on exposed devices.

    Figure 4. Security recommendations from threat and vulnerability management

    Investigate related alerts and incidents

    From the threat analytics report, you can quickly locate devices with alerts related to the attack. The Devices with alerts chart identifies devices with malicious components or activities known to be directly related to Solorigate. Click through to get the list of alerts and investigate.

    Some Solorigate activities may not be directly tied to this specific threat but will trigger alerts due to generally suspicious or malicious behaviors. All alerts in Microsoft 365 Defender provided by different Microsoft 365 products are correlated into incidents. Incidents help you see the relationship between detected activities, better understand the end-to-end picture of the attack, and investigate, contain, and remediate the threat in a consolidated manner.

    Review incidents in the Incidents queue and look for those with alerts relevant to this attacker’s TTPs, as described in the threat analytics report (also listed at the end of this blog).

    Figure 5. Consolidated Incident view for Solorigate

    Some alerts are specially tagged with Microsoft Threat Experts to indicate malicious activities that Microsoft researchers found in customer environments during hunting. As part of the Microsoft Threat Experts service, researchers investigated this attack as it unfolded, hunting for associated attacker behaviors, and sent targeted attack notifications. If you see an alert tagged with Microsoft Threat Experts, we strongly recommend that you give it immediate attention.

    Figure 6. Microsoft Threat Experts targeted attack notification

    Additionally, Microsoft Threat Experts customers with Experts on demand subscriptions can reach out directly to our on-demand hunters for additional help in understanding the Solorigate threat and the scope of its impact in their environments.

    Hunt for related attacker activity

    The threat analytics report also provides advanced hunting queries that can help analysts locate additional related or similar activities across endpoint, identity, and cloud. Advanced hunting uses a rich set of data sources, but in response to Solorigate, Microsoft has enabled streaming of Azure Active Directory (Azure AD) audit logs into advanced hunting, available for all customers in public preview. These logs provide traceability for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles, and policies.  Customers who do not have Microsoft Defender for Endpoint or are not early adopters for Microsoft 365 Defender can see our recommended advanced hunting queries.

    Currently, this data is available to customers who have Microsoft Cloud App Security with the Office365 connector. Our intent is to expand availability to more Microsoft 365 Defender customers. The new log data is available in the CloudAppEvents table:

    CloudAppEvents
    | where Application == "Office 365"

    The log data contains activity logs useful for investigating and finding Azure AD-related activities. This data further enriches the CloudAppEvents table, which also has Exchange Online and Microsoft Teams activities.

    As part of making this new data available, we also published a handful of relevant advanced hunting queries, identified by the suffix [Solorigate], to the GitHub repo.

    Here’s an example query that helps you see when credentials are added to an Azure AD application after ‘Admin Consent’ permissions were granted:

    // Admin consent granted to an application, later followed by a credential added to the same
    // service principal by a different account. Source table is CloudAppEvents, per the text above.
    CloudAppEvents
    | where Application == "Office 365"
    | where ActionType == "Consent to application."
    | where RawEventData.ModifiedProperties[0].Name == "ConsentContext.IsAdminConsent" and RawEventData.ModifiedProperties[0].NewValue == "True"
    | extend spnID = tostring(RawEventData.Target[3].ID)
    | parse RawEventData.ModifiedProperties[4].NewValue with * "=> [[" dummy "Scope: " After "]]" *
    | extend PermissionsGranted = split(After, "]", 0)
    | project ConsentTime = Timestamp, AccountDisplayName, spnID, PermissionsGranted
    | join (
    CloudAppEvents
    | where Application == "Office 365"
    | where ActionType == "Add service principal credentials." or ActionType == "Update application – Certificates and secrets management "
    | extend spnID = tostring(RawEventData.Target[3].ID)
    | project AddSecretTime = Timestamp, AccountDisplayName, spnID
    ) on spnID
    // consent and credential addition by different accounts, consent first
    | where ConsentTime < AddSecretTime and AccountDisplayName != AccountDisplayName1

    Microsoft 365 Defender advanced hunting can also assist in many of the recommended incident investigation tasks outlined in the blog, Advice for incident responders on recovery from systemic identity compromises.

    In the remaining sections, we will discuss select examples of alerts raised by Microsoft 365 solutions that monitor and detect Solorigate activities across the attack chain on endpoint, identity, and the cloud. These are alerts you may encounter when investigating incidents in Microsoft 365 security center if your organization is affected by this threat. We will also indicate activities which are now blocked by Microsoft 365 Defender. Lastly, each section contains examples of hunting queries you will find useful for hunting for various attacker activities in your environment.

    Detecting and blocking malware and malicious behavior on endpoints

    Figure 7. Solorigate attack chain: Initial access and command-and-control

    Discovering and blocking backdoor activity

    When the compromised SolarWinds binary SolarWinds.Orion.Core.BusinessLayer.dll gets loaded on a device through normal update channels, the backdoor goes through an extensive list of checks to ensure it’s running in an actual enterprise network and not on an analyst’s machine. It then contacts a command-and-control (C2) server using a subdomain that is generated partly with information gathered from the affected device, which means a unique subdomain is generated for each affected domain. The backdoor allows the attackers to remotely run commands on the device and move to the next stages of the attack. For more information, read our in-depth analysis of the Solorigate malware.

    Microsoft Defender for Endpoint delivers comprehensive protection against this threat (see full list of detection and protection alerts at the end of this blog). Microsoft Defender Antivirus, the default antimalware solution on Windows 10, detects and blocks the malicious DLL and its behaviors. It quarantines the malware, even if the process is running.

    Figure 8. Microsoft Defender for Endpoint blocks malicious binaries

    If the malicious code is successfully deployed, the backdoor lies dormant for up to two weeks. It then attempts to contact numerous C2 domains, with the primary domain being *.avsvmcloud[.]com. The backdoor uses a domain generation algorithm to evade detection. Microsoft 365 Defender detects and blocks this behavior.

    Figure 9. Microsoft Defender for Endpoint prevented malicious C2 callback

    Discovering potentially tampered devices

    To evade security software and analyst tools, the Solorigate malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them.

    The Microsoft Defender for Endpoint sensor is one of the processes the malware attempts to disable. Microsoft Defender for Endpoint has built-in protections against many techniques attackers use to disable endpoint sensors, including hardened OS protection, anti-tampering policies, and detections for a variety of tampering attempts, such as “Attempt to stop Microsoft Defender for Endpoint sensor”, “Tampering with Microsoft Defender for Endpoint sensor settings”, or “Possible sensor tampering in memory”.

    Successfully disabling Microsoft Defender for Endpoint can prevent the system from reporting observed activities. However, the multitude of signals reported into Microsoft 365 Defender provides a unique opportunity to hunt for systems where the tampering technique used might have been successful. The following advanced hunting query can be used to locate devices that should be reporting but aren’t:

    // Times to be modified as appropriate
    let timeAgo=1d;
    let silenceTime=8h;
    // Get all silent devices and IPs from network events
    let allNetwork=materialize(DeviceNetworkEvents
    | where Timestamp > ago(timeAgo)
    and isnotempty(LocalIP)
    and isnotempty(RemoteIP)
    and ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
    and LocalIP !in ("", "::1")
    | project DeviceId, Timestamp, LocalIP, RemoteIP, ReportId);
    let nonSilentDevices=allNetwork
    | where Timestamp > ago(silenceTime)
    | union (DeviceProcessEvents | where Timestamp > ago(silenceTime))
    | summarize by DeviceId;
    let nonSilentIPs=allNetwork
    | where Timestamp > ago(silenceTime)
    | summarize by LocalIP;
    let silentDevices=allNetwork
    | where DeviceId !in (nonSilentDevices)
    and LocalIP !in (nonSilentIPs)
    | project DeviceId, LocalIP, Timestamp, ReportId;
    // Get all remote IPs that were recently active
    let addressesDuringSilence=allNetwork
    | where Timestamp > ago(silenceTime)
    | summarize by RemoteIP;
    // Potentially disconnected devices were connected but are silent
    silentDevices
    | where LocalIP in (addressesDuringSilence)
    | summarize ReportId=arg_max(Timestamp, ReportId), Timestamp=max(Timestamp), LocalIP=arg_max(Timestamp, LocalIP) by DeviceId
    | project DeviceId, ReportId=ReportId1, Timestamp, LocalIP=LocalIP1

    Microsoft is continuously developing additional measures to both block and alert on these types of tampering activities.
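The set logic in that query is easier to check once it is written out step by step. The following Python is an added example, not code from the Microsoft post or its GitHub repo: it applies the same rules (a one-day lookback, an eight-hour silence window, the union of network and process telemetry, and the requirement that another sensor still saw the quiet device's IP as a remote peer) to a few constructed DeviceNetworkEvents and DeviceProcessEvents records. The device names, addresses, timestamps and report IDs are made up.

```python
"""Find EDR-onboarded devices that have gone silent while still active on the network.

Added example (not from the Microsoft post or its GitHub repo): the advanced
hunting query above, re-expressed in Python over constructed sample telemetry.
Record fields follow the DeviceNetworkEvents / DeviceProcessEvents schema; the
device names, addresses, timestamps and report IDs are made up.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 12, 20, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible
LOOKBACK = timedelta(days=1)    # timeAgo in the query
SILENCE = timedelta(hours=8)    # silenceTime in the query
IGNORED_LOCAL_IPS = {"", "::1"}
CONNECTION_TYPES = {"ConnectionSuccess", "InboundConnectionAccepted"}


def hours_ago(hours):
    """Timestamp `hours` before NOW (helper for the constructed data)."""
    return NOW - timedelta(hours=hours)


def net(device, hours, local_ip, remote_ip, report_id, action="ConnectionSuccess"):
    return {"DeviceId": device, "Timestamp": hours_ago(hours), "LocalIP": local_ip,
            "RemoteIP": remote_ip, "ActionType": action, "ReportId": report_id}


# Constructed scenario:
#   dev-A  healthy, keeps reporting and keeps talking to dev-B and dev-E
#   dev-B  stopped reporting 10h ago, yet dev-A still connects to its IP  -> suspicious
#   dev-C  stopped reporting 11h ago and nobody has talked to it since    -> probably just off
#   dev-D  only loopback traffic                                           -> filtered out
#   dev-E  no network events in the last 8h but recent process events     -> not silent
NETWORK_EVENTS = [
    net("dev-A", 1, "10.0.0.5", "10.0.0.9", 101),
    net("dev-A", 2, "10.0.0.5", "10.0.0.40", 102),
    net("dev-B", 10, "10.0.0.9", "10.0.0.5", 201, action="InboundConnectionAccepted"),
    net("dev-B", 12, "10.0.0.9", "10.0.0.5", 200),
    net("dev-C", 11, "10.0.0.20", "10.0.0.5", 301),
    net("dev-D", 3, "::1", "::1", 401),
    net("dev-E", 9, "10.0.0.40", "10.0.0.5", 501),
]
PROCESS_EVENTS = [
    {"DeviceId": "dev-E", "Timestamp": hours_ago(1)},
]


def find_silent_devices(network_events, process_events, now=NOW,
                        lookback=LOOKBACK, silence=SILENCE):
    """Return {DeviceId: (last Timestamp, ReportId, LocalIP)} for devices that were
    seen in network telemetry during `lookback` but produced nothing during
    `silence`, while another sensor still saw their IP as a remote peer."""
    since_lookback = now - lookback
    since_silence = now - silence

    # allNetwork: successful / accepted connections inside the lookback window
    all_network = [
        e for e in network_events
        if e["Timestamp"] > since_lookback
        and e["LocalIP"] and e["RemoteIP"]
        and e["ActionType"] in CONNECTION_TYPES
        and e["LocalIP"] not in IGNORED_LOCAL_IPS
    ]
    recent_network = [e for e in all_network if e["Timestamp"] > since_silence]

    # nonSilentDevices: anything that produced network OR process telemetry recently
    non_silent_devices = {e["DeviceId"] for e in recent_network}
    non_silent_devices |= {e["DeviceId"] for e in process_events
                           if e["Timestamp"] > since_silence}
    # nonSilentIPs: addresses still reporting (covers re-imaged / re-onboarded hosts)
    non_silent_ips = {e["LocalIP"] for e in recent_network}
    # addressesDuringSilence: remote peers that reporting sensors saw during the quiet window
    active_remote_ips = {e["RemoteIP"] for e in recent_network}

    candidates = {}
    for e in all_network:
        if e["DeviceId"] in non_silent_devices or e["LocalIP"] in non_silent_ips:
            continue
        if e["LocalIP"] not in active_remote_ips:
            continue  # silent, but nobody saw it on the wire either
        prev = candidates.get(e["DeviceId"])
        if prev is None or e["Timestamp"] > prev[0]:   # arg_max(Timestamp, ...) per device
            candidates[e["DeviceId"]] = (e["Timestamp"], e["ReportId"], e["LocalIP"])
    return candidates


if __name__ == "__main__":
    for device, (ts, report_id, ip) in find_silent_devices(NETWORK_EVENTS, PROCESS_EVENTS).items():
        print(f"{device}: last report {report_id} at {ts:%Y-%m-%d %H:%M} from {ip} -> check for sensor tampering")
```

dev-B is the only hit: it stopped reporting ten hours ago while dev-A kept connecting to its address. dev-C is equally silent but nobody has talked to it, which the query treats as a host that is simply off, and dev-E is rescued by its recent process events. When you adapt the thresholds, keep silenceTime comfortably longer than the sensor's normal reporting gap, or every laptop that closes its lid becomes a tampering alert.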

    Detecting hands-on-keyboard activity within an on-premises environment

    Figure 10. Solorigate attack chain: Hands-on-keyboard attack on premises

    After establishing a backdoor connection on an affected device, the attacker’s next goal is to achieve off-premises access to the organization’s cloud services. To do this, they must find a way to gain permissions to those services. One technique we have seen the attackers use is to go after the organization’s Active Directory Federation Services (AD FS) server to obtain the proverbial “keys” to the identity kingdom. AD FS enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries; effectively, it is the “LSASS for the cloud.” Among other things, AD FS stores the Security Assertion Markup Language (SAML) token signing certificate, which is used to create authorization tokens for users or services in the organization so they can access cloud applications and resources after authentication.

    To attack the AD FS infrastructure, the attackers must first obtain appropriate domain permissions through on-premises intelligence gathering, lateral movement, and credential theft. Building from the backdoor described above, the attackers leverage fileless techniques for privilege escalation, persistence, and lateral movement, including evading analysis by using system binaries and exploration tools that masquerade as other benign binaries. The attackers also carefully chose organization-specific command-and-control (C2) domains and used custom, organization-specific tool names and locations.

    Microsoft Defender for Endpoint detects a wide array of these attack techniques, allowing SOC teams to track the attacker’s actions in the environment and take actions to contain the attack. The following section covers detections for the techniques used by the attackers to compromise the AD FS infrastructure.

    Identifying attacker reconnaissance

    Attackers collect data from Active Directory using a renamed version of the utility ADFind, running queries against Domain Controllers as part of the reconnaissance stage of the attack. Microsoft Defender for Endpoint detects this behavior and allows the SOC analyst to track compromised devices at this stage to gain visibility into the information the attacker is looking for.

    Figure 11. Microsoft Defender for Endpoint detects usage of masquerading exploration tools

    Figure 12. Microsoft Defender for Endpoint detects usage of an LDAP query for reconnaissance

    Stopping lateral movement and credential theft

    To gain access to a highly privileged account needed for later steps in the kill chain, the attackers move laterally between devices and dump credentials until an account with the needed privileges is compromised, all while remaining as stealthy as possible.

    A variety of credential theft methods, such as dumping LSASS memory, are detected and blocked by Microsoft Defender for Endpoint. The example below shows the detection of lateral movement using Windows Management Instrumentation (WMI) to run the attacker’s payload using the Rundll32.exe process.

    Figure 13. Microsoft Defender for Endpoint alert for suspicious remote WMI execution highlighting the attacker’s device and payload

    Microsoft Defender for Identity also detects and raises alerts on a variety of credential theft techniques. In addition to watching for alerts, security analysts can hunt across identity data in Microsoft 365 Defender for signs of identity compromise. Here are a couple of example Microsoft Defender for Identity queries looking for such patterns:

    Enumeration of high-value DC assets followed by logon attempts to validate stolen credentials in time proximity

    // Source tables were missing from the page as extracted and are supplied from the
    // Defender for Identity schema: IdentityQueryEvents carries QueryTarget/Query,
    // IdentityLogonEvents carries LogonSuccess events.
    let MaxTime = 1d;
    let MinNumberLogon = 5;
    //devices attempting enumeration of high-value DC
    IdentityQueryEvents
    | where Timestamp > ago(30d)
    | where Application == "Active Directory"
    | where QueryTarget in ("Read-only Domain Controllers")
    //high-value RODC assets
    | project Timestamp, Protocol, Query, DeviceName, AccountUpn
    | join kind = innerunique (
    //devices trying to logon {MaxTime} after enumeration
    IdentityLogonEvents
    | where Timestamp > ago(30d)
    | where ActionType == "LogonSuccess"
    | project LogonTime = Timestamp, DeviceName, DestinationDeviceName) on DeviceName
    | where LogonTime between (Timestamp .. (Timestamp + MaxTime))
    | summarize n=dcount(DestinationDeviceName), TargetedDC = makeset(DestinationDeviceName) by Timestamp, Protocol, DeviceName
    | where n >= MinNumberLogon

    High-volume of LDAP queries in short time filtering for non-DC devices

    let Threshold = 12;
    let BinTime = 1m;
    //approximate list of DC
    let listDC=IdentityDirectoryEvents
    | where Application == "Active Directory"
    | where ActionType == "Directory Services replication"
    | summarize by DestinationDeviceName;
    // source table restored from the Defender for Identity schema (LDAP query events)
    IdentityQueryEvents
    | where Timestamp > ago(30d)
    //filter out LDAP traffic across DC
    | where DeviceName !in (listDC)
    | where ActionType == "LDAP query"
    | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
    | summarize NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
    | where NumberOfDistinctLdapQueries > Threshold
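As an added example that is not part of the Microsoft post or its GitHub repo, the Python below re-expresses the second query: it derives the DC list from replication events, parses the Query string into scope, base object and filter (the layout the parse statement above implies), counts distinct filters per device per one-minute bin, and reports devices over the threshold. All hosts, filters and timestamps are constructed.

```python
"""Flag non-DC devices issuing many distinct LDAP search filters in a short window.

Added example (not from the Microsoft post or its GitHub repo): the hunting query
above, re-expressed in Python over constructed IdentityDirectoryEvents /
IdentityQueryEvents-style records. The Query string layout follows the parse
statement in the query ("Search Scope: ..., Base Object:..., Search Filter: ...");
the hosts, filters and timestamps are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 12             # distinct filters per bin before a device is reported
BIN_WIDTH = timedelta(minutes=1)

QUERY_RE = re.compile(
    r"Search Scope: (?P<scope>.*?), Base Object: ?(?P<base>.*?), Search Filter: (?P<filter>.*)$"
)


def parse_ldap_query(query):
    """Split an MDI Query string into (scope, base object, search filter); None if unparseable."""
    m = QUERY_RE.match(query)
    if m is None:
        return None
    return m.group("scope"), m.group("base").strip(), m.group("filter").strip()


def domain_controllers(directory_events):
    """Approximate DC list: replication targets, as in the listDC sub-query."""
    return {e["DestinationDeviceName"] for e in directory_events
            if e["Application"] == "Active Directory"
            and e["ActionType"] == "Directory Services replication"}


def floor_to_bin(ts, width=BIN_WIDTH):
    """bin(Timestamp, width): round a timestamp down to the start of its bin."""
    seconds = int(width.total_seconds())
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % seconds, tz=timezone.utc)


def ldap_recon_alerts(query_events, dcs, threshold=THRESHOLD, width=BIN_WIDTH):
    """Return {(DeviceName, bin start): distinct filter count} above the threshold,
    ignoring DCs (which legitimately query each other) and unparseable rows."""
    filters = defaultdict(set)
    for e in query_events:
        if e["ActionType"] != "LDAP query" or e["DeviceName"] in dcs:
            continue
        parsed = parse_ldap_query(e["Query"])
        if parsed is None:
            continue
        filters[(e["DeviceName"], floor_to_bin(e["Timestamp"], width))].add(parsed[2])
    return {key: len(fs) for key, fs in filters.items() if len(fs) > threshold}


# ---- constructed sample data ------------------------------------------------
BASE = datetime(2020, 12, 14, 9, 30, tzinfo=timezone.utc)
DIRECTORY_EVENTS = [
    {"Application": "Active Directory", "ActionType": "Directory Services replication",
     "DestinationDeviceName": dc} for dc in ("DC01", "DC02")
]


def ldap_event(device, seconds, search_filter, base="DC=contoso,DC=local"):
    return {"DeviceName": device, "ActionType": "LDAP query",
            "Timestamp": BASE + timedelta(seconds=seconds),
            "Query": f"Search Scope: Subtree, Base Object:{base}, Search Filter: {search_filter}"}


QUERY_EVENTS = (
    # WS042: 15 different filters in 45 seconds, ADFind-style user enumeration
    [ldap_event("WS042", 3 * i, f"(&(objectCategory=person)(sAMAccountName=user{i:02d}))") for i in range(15)]
    # WS042 again, one more filter repeated five times: only distinct filters count
    + [ldap_event("WS042", 50, "(objectClass=trustedDomain)")] * 5
    # WS007: a few ordinary lookups
    + [ldap_event("WS007", 10 * i, f"(cn=printer{i})") for i in range(3)]
    # DC01: very chatty, but it is a DC and is excluded
    + [ldap_event("DC01", i, f"(objectGUID={i})") for i in range(30)]
)

if __name__ == "__main__":
    for (device, start), n in ldap_recon_alerts(QUERY_EVENTS, domain_controllers(DIRECTORY_EVENTS)).items():
        print(f"{device} issued {n} distinct LDAP filters in the minute starting {start:%H:%M} -> investigate")
```

WS042 is reported with 16 distinct filters in one bin even though it sent 20 queries, because repeats of the same filter do not add to the count; DC01 is far noisier but is dropped by the DC list. Tune THRESHOLD against a week of your own baseline before alerting on it, since some inventory and backup agents legitimately walk the directory.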

    At this point, SOC teams can take containment measures within the Microsoft 365 security center, for example, using indicators to isolate the devices involved and block the remotely executed payload across the environment, as well as mark suspect users as compromised.

    Detecting and remediating persistence

    Microsoft Defender for Endpoint also detects the advanced defense evasion and masquerading techniques used by the attackers to make their actions as close to normal as possible, such as binding a WMI event filter with a logical consumer to remain persistent. Follow the recommended actions in the alert to remove persistence and prevent the attacker’s payload from loading after reboot.

    Figure 14. Microsoft Defender for Endpoint alert for WMI event filter bound to a suspicious consumer showing the persistence and the scheduled command line

    Catching AD FS compromise and the attacker’s ability to impersonate users in the cloud

    The next step in the attack focuses on the AD FS infrastructure and can unfold in two separate paths that lead to the same outcome—the ability to create valid SAML tokens allowing impersonation of users in the cloud:

    • Path 1 – Stealing the SAML signing certificate: After gaining administrative privileges in the organization’s on-premises network, and with access to the AD FS server itself, the attackers access and extract the SAML signing certificate. With this signing certificate, the attackers create valid SAML tokens to access various desired cloud resources as the identity of their choosing.
    • Path 2 – Adding to or modifying existing federation trust: After gaining administrative Azure Active Directory (Azure AD) privileges using compromised credentials, the attackers add their own certificate as a trusted entity in the domain either by adding a new federation trust to an existing tenant or modifying the properties of an existing federation trust. As a result, any SAML token they create and sign will be valid for the identity of their choosing.

    In the first path, obtaining the SAML signing certificate normally entails first querying the private encryption key that resides on the AD FS container and then using that key to decrypt the signing certificate. The certificate can then be used to create illicit but valid SAML tokens that allow the actor to impersonate users, enabling them to access enterprise cloud applications and services.

    Microsoft Defender for Endpoint and Microsoft Defender for Identity detect the actions that attackers take to steal the encryption key needed to decrypt the SAML signing certificate. Both solutions leverage unique LDAP telemetry to raise high-severity alerts highlighting the attacker’s progress towards creating illicit SAML tokens.

    Figure 15. Microsoft Defender for Endpoint detects a suspicious LDAP query being launched and an attempted AD FS private key extraction

    Figure 16. Microsoft Defender for Identity detects private key extraction via malicious LDAP requests

    For the second path, the attackers create their own SAML signing certificate outside of the organization’s environment. With Azure AD administrative permissions, they then add the new certificate as a trusted object. The following advanced hunting query over Azure AD audit logs shows when domain federation settings are changed, helping to discover where the attackers configured the domain to accept authorization tokens signed by their own signing certificate. As these are rare actions, we advise verifying that any instances identified are the result of legitimate administrative activity.


    let auditLookback = 1d;
    CloudAppEvents
    | where Timestamp > ago(auditLookback)
    | where ActionType =~ "Set federation settings on domain."
    | extend targetDetails = parse_json(ActivityObjects[1])
    | extend targetDisplayName = targetDetails.Name
    | extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
    | project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent

    If the SAML signing certificate is confirmed to be compromised or the attacker has added a new one, follow the best practices for invalidating through certificate rotation to prevent further use and creation of SAML tokens by the attacker. Additionally, affected AD FS servers may need to be isolated and remediated to ensure no remaining attacker control or persistence.

    If the attackers accomplish either path, they gain the ability to create illicit SAML tokens for the identities of their choosing and bypass multifactor authentication (MFA), since the service or application accepting the token assumes MFA is a necessary previous step in creating a properly signed token. To prevent attackers from progressing to the next stage, which is to access cloud resources, the attack should be discovered and remediated at this stage.

    Detecting the hands-on-keyboard activity in the cloud environment

    Figure 17. Solorigate attack chain: Hands-on-keyboard attack in the cloud

    With the ability to create illicit SAML tokens, the attackers can access sensitive data without having to originate from a compromised device or be confined to on-premises persistence. By abusing API access via existing OAuth applications or service principals, they can attempt to blend into the normal pattern of activity, most notably apps or service principals with existing Mail.Read or Mail.ReadWrite permissions to read email content via Microsoft Graph from Exchange Online. If the application does not already have read permissions for emails, then the app may be modified to grant those permissions.

    Identifying unusual addition of credentials to an OAuth app

    Microsoft Cloud App Security (MCAS) has added new automatic detection of unusual credential additions to an OAuth application to alert SOCs about apps that have been compromised to extract data from the organization. This detection logic is built on an anomaly detection engine that learns from each user in the environment, filtering out normal usage patterns to ensure alerts highlight real attacks and not false positives. If you see this alert in your environment and confirm malicious activity, you should take immediate action to suspend the user, mark the user as compromised, reset the user’s password, and remove the credential additions. You may consider disabling the application during investigation and remediation.

    Figure 18. Microsoft Cloud App Security alert for unusual addition of credentials to an OAuth app

    SOCs can use the following Microsoft 365 Defender advanced hunting query over Azure AD audit logs to examine when new credentials have been added to a service principal or application. In general, credential changes may be rare depending on the type and use of the service principal or application. SOCs should verify unusual changes with their respective owners to ensure they are the result of legitimate administrative actions.


    let auditLookback = 1d;
    CloudAppEvents
    | where Timestamp > ago(auditLookback)
    | where ActionType in ("Add service principal.", "Add service principal credentials.", "Update application – Certificates and secrets management ")
    | extend RawEventData = parse_json(RawEventData)
    | where RawEventData.ResultStatus =~ "success"
    | where AccountDisplayName has "@"
    | extend targetDetails = parse_json(ActivityObjects[1])
    | extend targetId = targetDetails.Id
    | extend targetType = targetDetails.Type
    | extend targetDisplayName = targetDetails.Name
    | extend keyEvents = RawEventData.ModifiedProperties
    | where keyEvents has "KeyIdentifier=" and keyEvents has "KeyUsage=Verify"
    | mvexpand keyEvents
    | where keyEvents.Name =~ "KeyDescription"
    | parse keyEvents.NewValue with * "KeyIdentifier=" keyIdentifier:string ",KeyType=" keyType:string ",KeyUsage=" keyUsage:string ",DisplayName=" keyDisplayName:string "]" *
    | parse keyEvents.OldValue with * "KeyIdentifier=" keyIdentifierOld:string ",KeyType" *
    | where keyEvents.OldValue == "[]" or keyIdentifier != keyIdentifierOld
    | where keyUsage == "Verify"
    | project-away keyEvents
    | project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, InitiatingIPAddress=IPAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier
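To show what the parse and filter steps above actually do to an audit record, here is an added Python example; it is not code from the Microsoft post or its GitHub repo. It keeps the same gates (successful result, a human initiator, the three credential-changing action types) and the same KeyDescription layout the parse statement implies, but diffs every key in OldValue against NewValue rather than reading only the first entry, so a certificate appended to an app that already had one is not missed. The audit records are constructed; the service principal, users and key identifiers are made up.

```python
"""Extract newly added token-signing credentials from Azure AD audit records.

Added example (not from the Microsoft post or its GitHub repo): a Python rendering
of the hunting query above. The KeyDescription layout
"[KeyIdentifier=...,KeyType=...,KeyUsage=...,DisplayName=...]" follows the parse
statement in the query; unlike that statement, which reads only the first key,
this diffs every key in OldValue against NewValue. All records are constructed.
"""
import re

UPDATE_APP = "Update application \u2013 Certificates and secrets management "  # en dash + trailing space, as logged
CREDENTIAL_ACTIONS = {"Add service principal.", "Add service principal credentials.", UPDATE_APP}
KEY_RE = re.compile(
    r"\[KeyIdentifier=(?P<id>[^,\]]+),KeyType=(?P<type>[^,\]]+),"
    r"KeyUsage=(?P<usage>[^,\]]+),DisplayName=(?P<name>[^\]]*)\]"
)


def parse_key_descriptions(value):
    """Return {KeyIdentifier: {type, usage, name}} for every key in a KeyDescription string."""
    return {m.group("id"): {"type": m.group("type"), "usage": m.group("usage"), "name": m.group("name")}
            for m in KEY_RE.finditer(value or "")}


def new_verify_credentials(events):
    """Successful credential-changing actions by a user account, reporting each
    KeyUsage=Verify key present in NewValue but absent from OldValue."""
    findings = []
    for e in events:
        raw = e["RawEventData"]
        if e["ActionType"] not in CREDENTIAL_ACTIONS or raw.get("ResultStatus", "").lower() != "success":
            continue
        if "@" not in e["AccountDisplayName"]:
            continue  # the query keeps human initiators only (AccountDisplayName has "@")
        target = e["ActivityObjects"][1]
        for prop in raw.get("ModifiedProperties", []):
            if prop.get("Name") != "KeyDescription":
                continue
            old = parse_key_descriptions(prop.get("OldValue"))
            new = parse_key_descriptions(prop.get("NewValue"))
            for key_id in sorted(new.keys() - old.keys()):
                if new[key_id]["usage"] == "Verify":
                    findings.append({
                        "Timestamp": e["Timestamp"], "ActionType": e["ActionType"],
                        "InitiatingUserOrApp": e["AccountDisplayName"], "InitiatingIPAddress": e["IPAddress"],
                        "targetDisplayName": target["Name"], "targetId": target["Id"], "targetType": target["Type"],
                        "keyIdentifier": key_id, "keyType": new[key_id]["type"], "keyDisplayName": new[key_id]["name"],
                    })
    return findings


# ---- constructed sample audit records ---------------------------------------
def key_desc(*keys):
    """Build a KeyDescription string in the logged layout from (id, type, usage, name) tuples."""
    return "[" + ",".join(f"[KeyIdentifier={i},KeyType={t},KeyUsage={u},DisplayName={n}]" for i, t, u, n in keys) + "]"


EXISTING = ("11111111-aaaa-4aaa-8aaa-111111111111", "AsymmetricX509Cert", "Verify", "CN=MailArchiver")
ROGUE = ("22222222-bbbb-4bbb-8bbb-222222222222", "AsymmetricX509Cert", "Verify", "CN=MailArchiver")
SECRET = ("33333333-cccc-4ccc-8ccc-333333333333", "Password", "Sign", "ci-secret")


def audit(ts, action, actor, ip, target_name, old, new, status="Success"):
    return {"Timestamp": ts, "ActionType": action, "AccountDisplayName": actor, "IPAddress": ip,
            "ActivityObjects": [{"Type": "User", "Name": actor},
                                {"Id": "sp-0001", "Type": "ServicePrincipal", "Name": target_name}],
            "RawEventData": {"ResultStatus": status,
                             "ModifiedProperties": [{"Name": "KeyDescription", "OldValue": old, "NewValue": new}]}}


SAMPLE_EVENTS = [
    # 1. first certificate uploaded when the SPN was created (OldValue == "[]")
    audit("2020-12-01T09:00:00Z", "Add service principal.", "admin@contoso.example", "203.0.113.10",
          "MailArchiver", "[]", key_desc(EXISTING)),
    # 2. a second Verify certificate appended to an app that already had one
    audit("2020-12-13T02:14:00Z", "Add service principal credentials.", "helpdesk@contoso.example",
          "198.51.100.77", "MailArchiver", key_desc(EXISTING), key_desc(EXISTING, ROGUE)),
    # 3. the same attempt, but it failed: ignored
    audit("2020-12-13T02:10:00Z", "Add service principal credentials.", "helpdesk@contoso.example",
          "198.51.100.77", "MailArchiver", key_desc(EXISTING), key_desc(EXISTING, ROGUE), status="Failure"),
    # 4. a client secret (KeyUsage=Sign): not a token-signing credential
    audit("2020-12-13T03:00:00Z", UPDATE_APP, "dev@contoso.example", "203.0.113.20", "BuildBot", "[]", key_desc(SECRET)),
    # 5. app-initiated change (no "@" in the initiator): dropped, as the query does
    audit("2020-12-13T04:00:00Z", "Add service principal credentials.", "Microsoft Graph", "", "MailArchiver",
          key_desc(EXISTING, ROGUE), key_desc(EXISTING, ROGUE, SECRET)),
]

if __name__ == "__main__":
    for f in new_verify_credentials(SAMPLE_EVENTS):
        print(f"{f['Timestamp']} {f['InitiatingUserOrApp']} from {f['InitiatingIPAddress'] or '-'} "
              f"added Verify key {f['keyIdentifier']} to {f['targetDisplayName']}")
```

Two findings come back: the first certificate uploaded when MailArchiver was created, and the second Verify certificate added from an unfamiliar address twelve days later. Whether the first is interesting depends on who owns the app; the second is the pattern this section is about and should be treated as a compromised service principal until the owner confirms it.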

    Discovering malicious access to mail items

    OAuth applications or service principals with Mail.Read or Mail.ReadWrite permissions can read email content from Exchange Online via the Microsoft Graph. To help increase visibility on these behaviors, the MailItemsAccessed action is now available via the new Exchange mailbox advanced audit functionality. Check whether this feature is enabled by default for your tenant. Important note for customers: if you have customized the list of audit events you are collecting, you may need to manually enable this telemetry.

    If more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online stops generating auditing records for MailItemsAccessed activity for 24 hours and then resumes logging after this period. This throttling behavior is a good starting point for SOCs to discover potentially compromised mailboxes.


    let starttime = 2d;
    let endtime = 1d;
    CloudAppEvents
    | where Timestamp between (startofday(ago(starttime))..startofday(ago(endtime)))
    | where ActionType == "MailItemsAccessed"
    | where isnotempty(RawEventData['ClientAppId']) and RawEventData['OperationProperties'][1] has "True" // throttling indicator
    | project Timestamp, RawEventData['OrganizationId'], AccountObjectId, UserAgent

    In addition to looking for throttled telemetry, you can also hunt for OAuth applications that read mail via the Microsoft Graph API during the detection window but did not do so during a prior baseline period.


    //Look for OAuth App reading mail via GraphAPI that did not read mail via Graph API in the prior week
    let appMailReadActivity = (timeframeStart:datetime, timeframeEnd:datetime) {
    CloudAppEvents
    | where Timestamp between (timeframeStart .. timeframeEnd)
    | where ActionType == "MailItemsAccessed"
    | where RawEventData has "00000003-0000-0000-c000-000000000000" // Microsoft Graph app ID; cheap pre-filter for performance
    | extend rawData = parse_json(RawEventData)
    | extend AppId = tostring(parse_json(rawData.AppId))
    | extend OAuthAppId = tostring(parse_json(rawData.ClientAppId)) // extract OAuthAppId
    | summarize by OAuthAppId
    };
    appMailReadActivity(ago(1d),now()) // detection period
    | join kind = leftanti appMailReadActivity(ago(7d),ago(2d)) // baseline period
    on OAuthAppId

    Microsoft 365 Defender’s cross-domain XDR correlation enables stronger response to critical security incidents

    Like the rest of the security industry, Microsoft continues to track the Solorigate attack, an active threat that continues to unfold as well as evolve. As part of empowering our customers and the larger security community to respond to this attack through sharing intelligence and providing advice, this blog serves to guide Microsoft 365 customers to take full advantage of the comprehensive visibility and the rich investigation tools available in Microsoft 365 Defender. This blog shows that many of the existing capabilities in Microsoft 365 Defender help address this attack, but the unique scenarios created by the threat resulted in some Solorigate-specific detections and other innovative protections, including ones that are made possible by deeply integrated cross-domain threat defense.

    For additional information and further guidance, refer to these Microsoft resources:

    Microsoft will continue to provide public information about the patterns and techniques of this attack and related intelligence for customers to defend themselves, in addition to enhancing the protection capabilities of Microsoft security solutions.


    Appendix: Additional details for detection and hunting

    Detection details

    Attack stage Microsoft 365 Defender detection or alert
    Initial access Microsoft Defender for Endpoint:

    • ‘Solorigate’ high-severity malware was detected/blocked/prevented (Trojan:MSIL/Solorigate.BR!dha)
    • SolarWinds Malicious binaries associated with a supply chain attack
    Execution and persistence Microsoft Defender for Endpoint:

    Command and Control Microsoft Defender for Endpoint:

    Defense evasion Microsoft Defender for Endpoint:

    • Suspicious audit policy tampering
    Reconnaissance Microsoft Defender for Endpoint:

    • Masquerading Active Directory exploration tool
    • Suspicious sequence of exploration activities
    • Execution of suspicious known LDAP query fragments
    Credential access Microsoft Defender for Endpoint:

    • Suspicious access to LSASS (credential access)
    • AD FS private key extraction attempt
    • Possible attempt to access ADFS key material
    • Suspicious ADFS adapter process created

    Microsoft Defender for Identity:

    • Unusual addition of permissions to an OAuth app
    • Active Directory attributes Reconnaissance using LDAP

    Microsoft Cloud App Security:

    • Unusual addition of credentials to an OAuth app
    Lateral movement Microsoft Defender for Endpoint:

    • Suspicious file creation initiated remotely (lateral movement)
    • Suspicious Remote WMI Execution (lateral movement)
    Exfiltration Microsoft Defender for Endpoint:

    • Suspicious mailbox export or access modification
    • Suspicious archive creation

    Advanced hunting queries

    Attack stage Query link in GitHub repo
    General Microsoft Defender for Endpoint Threat and Vulnerability Management:

    Initial access Microsoft Defender for Endpoint:

    Execution Microsoft Defender for Endpoint:

    // AD FS service host spawning WerFault.exe or csc.exe; source table restored from the
    // Defender for Endpoint schema (process-creation columns)
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "Microsoft.IdentityServer.ServiceHost.exe"
    | where FileName in~ ("werfault.exe", "csc.exe")
    | where ProcessCommandLine !contains ("nameId")

    Command and Control Microsoft Defender for Endpoint

    Credential access Azure Active Directory (Microsoft Cloud App Security):

    Exfiltration Exchange Online (Microsoft Cloud App Security):

    The post Using Microsoft 365 Defender to protect against Solorigate appeared first on Microsoft Security.

    Privacy in 2020 and What to Expect for the Year Ahead

    2020 was dominated by news of the pandemic and anchored by reality that we all found ourselves in – entire families logging in remotely, trying to keep school and work feeling “normal.” While we tested the limits of what a home office could sustain, the privacy and security of a fully remote world was put front […]

    The post Privacy in 2020 and What to Expect for the Year Ahead appeared first on The State of Security.

    Don’t Let Your Stored Procedures Lack Integrity

    Unfamiliar territory As a security analyst, engineer, or CISO, there are so many aspects of the field that require immediate attention that one cannot possibly know everything.  Some of the common areas of security knowledge include topics such as where to place a firewall, configuration and patch management, physical and logical security, and legal and […]

    The post Don’t Let Your Stored Procedures Lack Integrity appeared first on The State of Security.

    Weekly Update 223


    Well that's Christmas down for another year, and a rather different one it was for so many of us around the world. I'm pumping this post out very quickly (a couple of days after recording) whilst midway along a very long drive. I'll share more about that on my New Year's Day broadcast so for now, here's the Christmas Day weekly update:



    1. Ledger customers are receiving some super nasty protection emails (makes me think of the mob charging business to make sure "nothing happens to them...")
    2. The Ledger emails are even getting to the point of death threats (it ain't going to work out well for them if law enforcement ever catches up with those responsible for this)
    3. Sponsored by: 1Password is a secure password manager and digital wallet that keeps you safe online

    Looking Ahead to 2021: The Things We’ll Carry Forward


    Right now, I’m thinking about how my life changed in 2020. Not so much in the sweeping and upending ways. More in the little ways. I’m thinking about the coping ways. The cobble-it-all-together ways. The little changes to make things work ways. There were plenty.  Now, with the first doses of vaccine going to those who need it most, I find myself wondering which of those little changes from 2020 will carry over into post-pandemic days.

    One thing I do know, central to many of those changes was the internet.

    The little things meant a lot

    For starters, I now have a chocolatier in my home. That’s courtesy of the online Master Classes my husband and I took—his course of study being chocolate making. (We’ll see how he tops that in 2021. Chocolate sets a pretty high bar.) Would we have taken our respective classes otherwise? Hard to say. But I will say this—it was a comfort.

    I know that ordering my mother’s groceries online so she could avoid going into the store and stay safe was new. And through working online, I feel like I got invited into my team members’ homes, where I had the pleasure of meeting their spouses, children and pets. Also, while I could not travel like I wanted to, I could still go exploring with virtual tours of the world’s great museums, plus catch a few great dive sites without getting wet. Those were all unique to 2020 as well.

    I count myself fortunate that I had those options available to me, as many people simply did not—whether because a lack of connectivity held them back, or their working situations simply could not make the jump to online. With that, I think of the essential workers, the first responders, the medical professionals of all walks, and the people who kept our communities going by being on the front lines of this pandemic. We all owe them so much, both now and moving forward.

    The internet helped us live our lives in 2020

    Yet where possible, the internet responded, in the best way that it could. For those of us who saw our work, studies, and livelihoods shift online, the internet proved that it could step in. It’s been far from ideal, of course. The internet is simply no substitute for us working and being together, yet it helped so many of us face the challenges of 2020. Even if we didn’t use the internet for work or school, it helped us find employment, get care by way of telemedicine, and keep in touch thanks to free video conferencing, just to name a few things.

    Put plainly, the internet helped us live our lives this year. And out of necessity, it re-shaped the way we live our lives too. So, without question, I can see some of the little changes I made carrying over. My husband and I will take more Master Classes. I like the idea of helping my mom with the shopping when I can’t be with her. And I’ll keep exploring, even while that means restricting it to online for now. I’m sure you can think of a few examples of your own too—things that made your life a little better this year and that can make the years to come better too.

    Some of the big changes ahead in 2021

    Looking beyond my own homestead, I’m hoping that 2021 will prompt broader, and immensely positive, changes as part of lessons learned from 2020.

    With regards to internet access, this year has underscored the internet’s role as an essential utility. It’s no longer a luxury. I predict we’ll see renewed energy in public and private partnerships that will connect more people to fixed broadband internet connections so that they can benefit from the same professional, educational, and personal opportunities that the rest of us on broadband already enjoy.

    During the election year here in the U.S., there’s been plenty of conversation about the propagation of disinformation and misinformation on the internet, both by bad actors and by the unwitting parties who fall prey to their falsehoods. We covered the topic extensively in our election blogs, and I believe the ability to critically assess what we see and read on the internet is a major issue of our time, whether it’s an election year or not. Disinformation and misinformation online are here to stay, and there’s an opportunity for schools to introduce instruction on smart media consumption as part of their curriculums.

    And, what about working from home? Will it become a new norm for business in some shape or other? Working from home remains a complicated conversation, as a mix of public health concerns, local mandates, and stark financial realities drove that shift to remote workforces in the first place. Now, similar questions arise as communities and economies recover. Companies will make strategic decisions about their properties, people, and how they all work together—not to mention how they ensure personal and corporate security in a remote workplace setting. If we use major outdoor retailer REI as one example, we’ll see that the answers are nuanced—particularly when the end result means selling a newly built and never-used corporate headquarters like REI did.

    A stronger and greater 2021

    To bring it all back home, let’s see what’s worth carrying forward into 2021. We learned a multitude of hard lessons in 2020, and we pulled off plenty of clever moves in response. As much as we’d like to put 2020 behind us, let’s take a moment to pause and consider where some of the silver linings were and see if we can spin them into something stronger and greater in 2021.

    And on a personal note I would like to end 2020 and start 2021 expressing my gratitude for the frontline workers, teachers and humanitarians who place service to society above all else. We have heroes in our midst and that is something to celebrate!

    Happy New Year!

    Stay Updated 

    To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

    The post Looking Ahead to 2021: The Things We’ll Carry Forward appeared first on McAfee Blogs.

    SUNBURST Additional Technical Details

    FireEye has discovered additional details about the SUNBURST backdoor since our initial publication on Dec. 13, 2020. Before diving into the technical depth of this malware, we recommend readers familiarize themselves with our blog post about the SolarWinds supply chain compromise, which revealed a global intrusion campaign by a sophisticated threat actor we are currently tracking as UNC2452.

    SUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol and persistent state data is stored within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.

    In this post, the following topics are covered in greater detail:

    • Anti-Analysis Environment Checks and Blocklists
    • Domain Generation Algorithm and Variations
    • Command and Control (C2) behaviors for DNS A and CNAME records
    • Malware modes of operation

    Anti-Analysis Environment Checks

    Before reaching out to its C2 server, SUNBURST performs numerous checks to ensure no analysis tools are present. It checks process names, file write timestamps, and Active Directory (AD) domains before proceeding. We believe that these checks helped SUNBURST evade detection by anti-virus software and forensic investigators for seven months after its introduction to the SolarWinds Orion supply chain.

    First, the backdoor verifies that the lowercase name of the current process is solarwinds.businesslayerhost. UNC2452 avoided including this string directly in the source code by computing a hash of the string and comparing the result to the 64-bit number 17291806236368054941. The hash value is calculated as a standard FNV-1A 64-bit hash with an additional XOR by the 64-bit number 6605813339339102567. The additional XOR operation forces malware analysts to develop custom tools to brute force the hash preimage.

    Next, the backdoor only executes if the filesystem last write time of the .NET assembly SolarWinds.Orion.Core.BusinessLayer.dll is at least 12 to 14 days prior to the current time. The exact threshold is selected randomly from this interval. In other words, SUNBURST lays low for almost two weeks before raising its head. If the timestamp check fails, the backdoor will execute again at a random later time when it is invoked by a legitimate recurring background task. Once the threshold is met, the sample creates the named pipe 583da945-62af-10e8-4902-a8f205c72b2e to ensure only one instance of the backdoor is running. If the named pipe already exists, the malware exits.

    SUNBURST stores its configuration in the legitimate SolarWinds.Orion.Core.BusinessLayer.dll.config file. It repurposes two existing settings in the appSettings section: ReportWatcherRetry and ReportWatcherPostpone. During initialization, the backdoor determines if the ReportWatcherRetry setting is the value 3. This value indicates the malware has been deactivated and will no longer perform any network activity. As we describe later, UNC2452 can command the backdoor to disable itself. This feature may be utilized when the operator determines the victim is not of interest or that they’ve completed their mission. When investigating a system compromised by SUNBURST, review this setting to determine if the backdoor has been disabled. Note, the presence of this value does not offer proof the actor did not further compromise the environment before disabling SUNBURST.

    The backdoor also determines if the system is joined to an Active Directory (AD) domain and, if so, retrieves the domain name. Execution ceases if the system is not joined to an AD domain. SUNBURST checks the AD domain name against a blocklist and halts execution if it contains one of the following values:

    We suspect these hard-coded AD domains may be SolarWinds internal domains that UNC2452 wanted to avoid.

    Finally, SUNBURST verifies the system has internet connectivity by ensuring it can resolve a particular DNS name. Otherwise, execution stops and retries at a random later time.

    Anti-Analysis Blocklists

    SUNBURST's behavior is affected by the presence of malware analysis and security software. To disguise the strings used to detect these security tools, UNC2452 calculated and embedded a hash value for each string. While it is trivial for the backdoor to check for the existence of a hashed process name, it is computationally expensive to determine what string a hash value corresponds to (the “preimage”). However, thanks to some hard work by members of the information security community, the hashes have been successfully brute-forced. The list of hashes and their corresponding strings can be viewed at this FireEye GitHub page.

    SUNBURST uses the aforementioned FNV-1A plus XOR algorithm to compute the hash of each process name, service name, and driver filename on the system.
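As an added example (not code from the FireEye post, the malware, or SolarWinds), here is the FNV-1a-64-plus-XOR hash in Python, serving both the process-name gate described earlier and the blocklist hashing just mentioned. It reproduces the page's value 17291806236368054941 for the lowercase name solarwinds.businesslayerhost, and shows how a responder can match process, service or driver names from a host under review against a list of hash values recovered from a sample. The match_hashes helper, the stripping of a trailing .exe, and the sample names are assumptions of this example; the only SUNBURST hash value embedded is the one stated on this page (the full brute-forced list lives in the FireEye GitHub repository the post links to).

```python
"""FNV-1a-64 + XOR hash as used by SUNBURST for its process-name gate and its
process/service/driver blocklists. Added example, not code from the FireEye post."""

FNV64_OFFSET_BASIS = 0xCBF29CE484222325   # standard FNV 64-bit offset basis
FNV64_PRIME = 0x100000001B3               # standard FNV 64-bit prime
MASK64 = (1 << 64) - 1

# Constants as stated in the post (decimal, as the post gives them).
SUNBURST_XOR_KEY = 6605813339339102567
SUNBURST_HOST_PROCESS_HASH = 17291806236368054941   # hash of "solarwinds.businesslayerhost"


def fnv1a_64(data: bytes) -> int:
    """Plain FNV-1a: XOR each byte in, then multiply by the prime (mod 2**64)."""
    h = FNV64_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(name: str) -> int:
    """FNV-1a-64 of the UTF-8 name, then XOR with the SUNBURST key.
    The XOR adds no strength; it only defeats off-the-shelf FNV lookup tables."""
    return fnv1a_64(name.encode("utf-8")) ^ SUNBURST_XOR_KEY


def is_sunburst_host_process(process_name: str) -> bool:
    """Mirror the backdoor's gate: lowercase the name and compare hashes.
    Stripping a trailing '.exe' is a convenience assumed here, because the post
    describes the compared name without an extension."""
    name = process_name.lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return sunburst_hash(name) == SUNBURST_HOST_PROCESS_HASH


def match_hashes(names, hash_list):
    """Defender-side lookup (assumed helper): return the candidate names whose
    SUNBURST hash appears in a list of hash values recovered from a sample."""
    wanted = set(hash_list)
    return sorted({n for n in names if sunburst_hash(n.lower()) in wanted})


if __name__ == "__main__":
    # Constructed sample names; only the SolarWinds host process should match.
    running = ["Notepad", "SolarWinds.BusinessLayerHost", "svchost"]
    print(match_hashes(running, [SUNBURST_HOST_PROCESS_HASH]))
```

The two FNV test vectors used in the checks (the empty string hashes to the offset basis; "a" hashes to 0xAF63DC4C8601EC8C) confirm the FNV-1a implementation before the page's constant is relied on.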

    If a blocklisted process or driver name is found, SUNBURST pauses and tries again later. The backdoor continues past this check only when no processes or drivers from the blocklist are present.

    If a blocklisted service is found, SUNBURST attempts to disable the blocklisted service by manipulating the service configuration in the Windows Registry. It sets the registry value HKLM\SYSTEM\CurrentControlSet\services\<service_name>\Start to the value 4, which corresponds to SERVICE_DISABLED. As a result, the blocklisted service is disabled on the next power cycle. This means the presence of a blocklisted service on a compromised host does not make a system immune to SUNBURST.

    After the registry modification is made, SUNBURST updates the ReportWatcherPostpone configuration value to reflect the service it disabled. Then, the backdoor pauses and retries the process and service blocklist checks at a later time.

    Subsequent service blocklist checks skip services already present in the ReportWatcherPostpone configuration key. SUNBURST will not treat the services it has disabled as members of the blocklist anymore. Therefore, during an incident response, forensic teams should consider recovering and decoding this configuration key to parse out which services SUNBURST attempted to disable.

    Domain Generation Algorithm

    In this section we describe how SUNBURST uses an intermediary command and control (C2) coordinator to retrieve its final C2 server. The C2 coordinator instructs the backdoor to continue or halt beaconing. It also redirects SUNBURST to its final C2 server via DNS CNAME records. We believe this enables UNC2452 to compartmentalize their operations, limiting the network infrastructure shared among victims.

    The C2 coordinator is implemented as the authoritative DNS server for the avsvmcloud[.]com domain. To communicate with the C2 coordinator, SUNBURST uses a Domain Generation Algorithm (DGA) to construct subdomains of avsvmcloud[.]com and resolves the fully qualified domain names (FQDN) using the system DNS client. The backdoor interprets the DNS responses in an unusual way to receive orders from the C2 coordinator.

    The DGA generates subdomains with the following DNS suffixes to create the FQDN:


    A method named Update is responsible for initializing cryptographic helpers for the generation of these random-looking C2 subdomains. Subdomains are generated by concatenating an encoded user ID with an encoding of the system's domain name. The C2 coordinator can recover the victim domain name from the encoded data and likely uses this to route SUNBURST to its final C2 server.

    A user ID is generated based on three values:

    • MAC address of the first available, non-loopback network interface
    • Domain name
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid value

    SUNBURST takes the MD5 hash of these combined values and encodes it using a custom XOR scheme. We believe this value is used by UNC2452 to track unique victims.

    SUNBURST uses four different forms of subdomains to signify the operating mode of the backdoor. Each form contains slightly different information. However, in two of the forms, investigators can recover the domain names of victim organizations. We recommend reviewing DNS logs to confirm the presence of a victim’s domain in SUNBURST C2 coordinator traffic.

    When SUNBURST is in its initial mode, it embeds the domain of the victim organization in its DGA-generated domain prefix. Once the malware transitions to an “active” mode, the malware uses the other two forms of subdomains. These do not include the AD domain, but instead include encodings of either the list of running and stopped services or a timestamp.

    The open-source community has done a fantastic job reverse engineering many of the subdomain forms. While we are not aware of any public decoder scripts that reverse all four possible encodings, most decoders focus on recovering the most useful information: the user ID and domain name embedded in the subdomains. We recommend that incident responders for victim organizations with access to DNS logs use these tools to confirm their AD domains are not embedded within SUNBURST generated DNS subdomains. Note that this does not indicate follow-on activity.

    The following sources may be referenced for decoding such domains:

    Figure 1: Diagram of actor operations and usage of SUNBURST

    Command and Control

    SUNBURST uses a two-part C2 protocol that involves both DNS and HTTP. In “passive” mode, the backdoor communicates with its C2 coordinator via DNS and receives high-level updates to its state. For example, the C2 coordinator may tell the backdoor to go to sleep or spring into action. When the backdoor is in “active” mode, it communicates via HTTP to its final C2 server and receives detailed commands such as “spawn a process” or “transfer a file”.

    DNS C2 and the C2 Coordinator Protocol

    When communicating with the C2 coordinator, the backdoor continuously generates domains via its DGA. The backdoor delays execution for random intervals between generating domains. In some cases, this delay is up to 9 hours.

    If the C2 coordinator responds with a DNS A record, SUNBURST checks the resolved address against a hard-coded list of IP address blocks. If the address falls within a block, the backdoor transitions into an associated mode. The backdoor starts in the “passive” mode where it does nothing but check blocklists, sleep, and beacon via DNS until a transition is seen. Other modes are “active”, in which the malware communicates via HTTP, and “disabled”, in which the malware is permanently disabled. These modes and transitions are defined in the Modes of Operation section.

    The C2 coordinator may also respond with a DNS CNAME response. In this case, the malware uses the pointed-to domain from the CNAME response for HTTPS C2 communications. SUNBURST starts a thread to handle command execution and further C2 HTTP(S) callouts. As an investigator, if you see CNAME resolutions for subdomains of avsvmcloud[.]com, it's possible that UNC2452 initiated follow-on C2 within the environment.

    Note, the malware must receive a DNS A record response pointing to one of the following subnets immediately prior to receiving a DNS CNAME response. Otherwise, the CNAME resolution will be ignored and treated as an error. In addition, for these subnets, the least-significant bytes from the A record IP address are parsed to obtain configuration data such as the proxy method to use, the URI scheme to use, and a delay value used in the HTTP thread.

    Subsequent DNS A record responses in the following subnet ranges cause the DGA beaconing to continue.


    Otherwise, subsequent DNS A record responses in the following subnet ranges cause SUNBURST to terminate and update the configuration key ReportWatcherRetry to a value that prevents further execution. This is the killswitch.

    • fc00:: - fe00::
    • fec0:: - ffc0::
    • ff00:: - ff00::


    While in “active” mode, the DGA subdomain encoding does not include victim machine domain name information. Instead, the DGA subdomains encode a timestamp or the list of stopped/running services. To transition back to “passive” mode, the malware operator may set the DNS server to resolve A records within the following IP ranges:

    If the malware is transitioned from the “active” mode back to “passive”, the C2 coordinator must repeat the activation process if the operator wants to re-activate the sample.
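The DNS-side signals described in this section (DGA lookups under avsvmcloud[.]com, a CNAME answer handing the backdoor a final C2 host, and answers inside the killswitch ranges) lend themselves to a log triage pass. The Python below is an added example, not part of the FireEye post: the log line format, field names, client addresses and subdomain labels are constructed for it, and only the IPv6 killswitch ranges listed above are encoded, because the IPv4 transition blocks are not reproduced on this page (an IPv4 answer is therefore reported only as a beacon). CNAME hand-offs are ranked first, following the post's later advice that CNAME resolutions are the stronger signal.

```python
"""Triage of DNS log lines for SUNBURST C2-coordinator traffic.
Added example, not FireEye's code; log format and sample records are constructed."""
import ipaddress

C2_COORDINATOR_DOMAIN = "avsvmcloud.com"

# Killswitch ranges exactly as listed in the post (inclusive start/end).
# The IPv4 blocks are not on this page and are deliberately not guessed.
KILLSWITCH_RANGES = [
    (ipaddress.ip_address("fc00::"), ipaddress.ip_address("fe00::")),
    (ipaddress.ip_address("fec0::"), ipaddress.ip_address("ffc0::")),
    (ipaddress.ip_address("ff00::"), ipaddress.ip_address("ff00::")),
]

# Lower number = review first. CNAME hand-off is the strongest signal per the post.
SEVERITY = {"cname-c2-handoff": 0, "dga-beacon": 1, "killswitch": 2}

# Constructed sample log (assumed "key=value" format; labels are placeholders).
SAMPLE_DNS_LOG = """\
2020-12-14T08:12:03Z client=10.0.5.21 qname=dgalabel01.avsvmcloud.com qtype=A rdata=203.0.113.7
2020-12-14T08:40:11Z client=10.0.5.21 qname=dgalabel02.avsvmcloud.com qtype=CNAME rdata=c2host.example.net
2020-12-14T09:05:44Z client=10.0.5.22 qname=dgalabel03.avsvmcloud.com qtype=AAAA rdata=fc00::5
2020-12-14T09:06:00Z client=10.0.5.23 qname=www.example.org qtype=A rdata=198.51.100.9
"""


def in_killswitch_range(addr: str) -> bool:
    """True when the answer address falls inside one of the listed ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:            # not an address (for example a CNAME target)
        return False
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in KILLSWITCH_RANGES)


def parse_line(line: str) -> dict:
    """Timestamp first, then key=value fields (constructed format)."""
    tokens = line.split()
    rec = dict(t.split("=", 1) for t in tokens[1:])
    rec["ts"] = tokens[0]
    return rec


def classify(rec: dict):
    """Return a label for coordinator traffic, or None for unrelated lookups."""
    qname = rec.get("qname", "").lower().rstrip(".")
    if qname != C2_COORDINATOR_DOMAIN and not qname.endswith("." + C2_COORDINATOR_DOMAIN):
        return None
    if rec.get("qtype", "").upper() == "CNAME":
        return "cname-c2-handoff"       # final C2 host handed over; HTTP C2 may follow
    if in_killswitch_range(rec.get("rdata", "")):
        return "killswitch"             # backdoor was present and told to disable itself
    return "dga-beacon"                 # backdoor present and beaconing; decode the label


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "qname": rec["qname"], "rdata": rec.get("rdata"), "label": label})
    findings.sort(key=lambda f: SEVERITY[f["label"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DNS_LOG):
        print(f"{f['label']:17} {f['client']:10} {f['qname']} -> {f['rdata']}")
```

Each "dga-beacon" finding is the point at which the subdomain label should be decoded with the community tools the post mentions, to confirm whether the embedded AD domain is yours.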

    HTTP(S) C2

    After receiving a CNAME DNS response with a new host to communicate with, SUNBURST starts a new thread to execute the method HttpHelper.Initialize. This method is responsible for the C2 communications and dispatching. The HTTP thread begins by delaying for a configurable amount of time that is controlled by the SetTime command. The HTTP thread delays for a minimum of one minute between callouts. The malware uses HTTP GET or POST requests. The sample disables certificate verification so it is possible to decrypt HTTPS traffic if SSL man-in-the-middle is performed.

    The malware constructs HTTP GET or POST request URIs from random selections of substrings. The scheme used depends on the A record received just prior to the CNAME DNS response. When sending a GET request, the malware adds an "If-None-Match" HTTP header that includes the encoded user ID. This likely allows the C2 server to determine which SUNBURST installation generated the request, further enabling multiplexing of C2 streams on a single server.

    In observed traffic, the C2 server employs steganography to hide data within HTTP response bodies and attempts to appear as benign XML related to .NET assemblies. Command data is spread across many GUID and hexadecimal strings. Commands are extracted from HTTP response bodies by searching for hexadecimal strings using the following regular expression: "\{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}". Matched substrings in the response are filtered for non-hex characters, joined together, and hex-decoded. Depending on the mode of operation, the malware may skip the steganography and send the encoded response in an HTTP response body.

    Figure 2: C2 response embeds commands in XML GUIDs

    In the received C2 response, the first DWORD value indicates the actual size of the message. This value is followed immediately by the message with optional junk bytes added. The extracted message is single-byte XOR decoded using the first byte of the message. The result is then DEFLATE decompressed. The first character of the decompressed data is an ASCII integer that maps to a command ID, with optional additional command arguments delimited by space characters. The supported commands are shown in the following table.
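A decoder for the response format just described, written as an added example rather than code from the post. It applies the quoted regular expression, drops non-hex characters, hex-decodes, reads the size DWORD, XOR-decodes the message with its first byte, raw-inflates it, and splits the leading command ID from the space-delimited arguments. Two details are assumptions of this example: the size DWORD is little-endian and counts the key byte, and the XML body returned by build_sample_response is a constructed fixture, not captured traffic.

```python
"""Decoder for SUNBURST C2-to-backdoor responses hidden in XML GUID/hex strings.
Added example, not FireEye's code; the sample body is constructed."""
import re
import struct
import zlib

# Regular expression quoted in the post; the double quotes are part of the pattern.
HEX_TOKEN_RE = re.compile(r'"\{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}"')


def extract_payload(body: str) -> bytes:
    """Collect the matching quoted strings, keep only hex digits, and decode."""
    tokens = HEX_TOKEN_RE.findall(body)
    hexdigits = "".join(c for c in "".join(tokens) if c in "0123456789abcdef")
    return bytes.fromhex(hexdigits)


def decode_c2_response(body: str):
    """Return (command_id, [arguments]) from a steganographic response body."""
    blob = extract_payload(body)
    if len(blob) < 5:
        raise ValueError("no steganographic payload found")
    size = struct.unpack_from("<I", blob, 0)[0]   # assumed little-endian, counts key byte
    message = blob[4:4 + size]                    # anything past 'size' is junk padding
    if len(message) != size:
        raise ValueError("truncated message")
    key = message[0]                              # single-byte XOR key leads the message
    inflated = zlib.decompress(bytes(b ^ key for b in message[1:]), -15)  # bare DEFLATE
    tokens = inflated.decode("utf-8").split(" ")
    return int(tokens[0]), tokens[1:]


def build_sample_response(command_text: str, key: int = 0x5A) -> str:
    """Constructed test fixture in the described shape (not an emulation of the server)."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = co.compress(command_text.encode("utf-8")) + co.flush()
    message = bytes([key]) + bytes(b ^ key for b in deflated)
    blob = struct.pack("<I", len(message)) + message
    blob += b"\x00" * (-len(blob) % 16)           # junk padding to whole 32-hex-char tokens
    hexstr = blob.hex()
    tokens = [hexstr[i:i + 32] for i in range(0, len(hexstr), 32)]
    rows = "".join(f'  <assemblyIdentity name="Stub{i}" publicKeyToken="{t}" />\n'
                   for i, t in enumerate(tokens))
    return f'<?xml version="1.0" encoding="utf-8"?>\n<assemblies>\n{rows}</assemblies>\n'


if __name__ == "__main__":
    sample = build_sample_response("2 300")     # constructed: command 2 with one argument
    print(decode_c2_response(sample))           # (2, ['300'])
```

When the backdoor is in a mode where the server skips the steganography, extract_payload finds no tokens and the decoder raises; that branch would need the raw body fed in directly, which the post does not describe in enough detail to implement here.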





    • No operation.
    • Terminate the current thread.
    • Set the delay time between main event loop executions. The delay is in seconds and varies randomly between [.9 * <delay>, 1.1 * <delay>]. If the delay is < 300 it is doubled on the next execution through the loop, so it should settle onto an interval of around [5, 10] minutes. There is a second, unrelated delay routine that delays for a random interval between [16hrs, 83hrs].
    • Profile the local system, including hostname, username, OS version, MAC addresses, IP address, DHCP configuration, and domain information.
    • Perform an HTTP request to the specified URL, parse the results and send the response to the C2 server.
    • Start a new process with the given file path and arguments.
    • Return a process listing. If no arguments are provided, return just the PID and process name. If an argument is provided, also return the parent PID and the username and domain of the process owner.
    • Terminate the given process, by PID.
    • Given a path and a match pattern, recursively list files and directories.
    • Given a file path and a Base64-encoded string, write the contents of the Base64 string to the given file path, in append mode. Delay for [1s, 2s] after the write is done.
    • Test whether the given file path exists.
    • Delete the specified file path.
    • Compute the MD5 of the file at a given path and return the result as a hex string. If an argument is provided, it is the expected MD5 hash of the file, and an error is returned if the calculated MD5 differs.
    • Arbitrary registry read from one of the supported hives.
    • Arbitrary registry write to one of the supported hives.
    • Arbitrary registry delete from one of the supported hives.
    • Return a listing of subkeys and value names beneath the given registry path.
    • Attempt to immediately trigger a system reboot.

    SUNBURST sends messages back to the C2 server using a protocol that consists of UTF-8 strings and an appended 4-byte error DWORD and 8-byte userID. These are bare DEFLATE compressed and single-byte XOR encoded with the XOR key prepended to the message. Message payloads of length 10,000 or less are turned into JSON documents that resemble the Orion Improvement Program (OIP) messages used legitimately by SolarWinds. Messages larger than 10,000 bytes are sent as-is in the HTTP request body.

    The fake OIP document contains the following fields:

    • userId – a unique identifier for the victim machine
    • sessionID – stores a new random GUID for each HTTP thread
    • steps – an array of objects that contain the following keys: Timestamp, Index, EventType, EventName, DurationMs, Succeeded, and Message.

    The JSON key EventType is hard-coded to the value Orion and the EventName is hard-coded to EventManager. The encoded message to send to the C2 server is split up into random ranges, Base64-encoded, and stored in the Message field of the objects in the steps array. Not all objects in the steps array contribute to the malware response. The integer in the Timestamp field must have the 0x2 bit set to indicate the contents of the Message field are used in the malware response. steps objects whose 0x2 bit is clear in the Timestamp field contain random data and are discarded when assembling the malware response. This may be an attempt to hinder analysis in the absence of the malware sample.
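The outbound direction can be decoded the same way. The Python below is an added example, not code from the post: it keeps only the steps whose Timestamp has the 0x2 bit set, concatenates their Base64 Message chunks, XOR-decodes with the leading key byte, raw-inflates, and splits the trailing 4-byte error DWORD and 8-byte userID from the UTF-8 text. Assumptions of the example: the selected chunks are joined in document order, the error DWORD is little-endian, and the JSON document produced by build_sample_callout (including its decoy steps, sessionID and userId values) is constructed here rather than captured.

```python
"""Decoder for the SUNBURST backdoor-to-C2 callout wrapped in a fake OIP JSON document.
Added example, not FireEye's code; the sample document is constructed."""
import base64
import json
import struct
import zlib


def decode_oip_callout(document: str):
    """Return (text, error_code, user_id_hex) from a fake OIP JSON document."""
    doc = json.loads(document)
    # Only steps with the 0x2 bit set in Timestamp carry real data; the rest are decoys.
    real_steps = [s for s in doc["steps"] if int(s["Timestamp"]) & 0x2]
    encoded = b"".join(base64.b64decode(s["Message"]) for s in real_steps)  # document order (assumed)
    if len(encoded) < 2:
        raise ValueError("no message chunks selected")
    key = encoded[0]                                           # XOR key is prepended
    plain = zlib.decompress(bytes(b ^ key for b in encoded[1:]), -15)  # bare DEFLATE
    if len(plain) < 12:
        raise ValueError("payload shorter than the error DWORD + userID trailer")
    text = plain[:-12].decode("utf-8")
    error_code = struct.unpack("<I", plain[-12:-8])[0]         # assumed little-endian
    user_id = plain[-8:].hex()
    return text, error_code, user_id


def _step(index: int, timestamp: int, payload: bytes) -> dict:
    return {"Timestamp": timestamp, "Index": index, "EventType": "Orion",
            "EventName": "EventManager", "DurationMs": 1, "Succeeded": True,
            "Message": base64.b64encode(payload).decode("ascii")}


def build_sample_callout(text: str, error_code: int = 0,
                         user_id: bytes = bytes.fromhex("0011223344556677"),
                         key: int = 0x3C) -> str:
    """Constructed fixture in the described shape, with decoy steps interleaved."""
    plain = text.encode("utf-8") + struct.pack("<I", error_code) + user_id
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = co.compress(plain) + co.flush()
    encoded = bytes([key]) + bytes(b ^ key for b in deflated)
    cut = max(1, len(encoded) // 3)                            # fixed split points
    chunks = [encoded[:cut], encoded[cut:2 * cut], encoded[2 * cut:]]
    steps = []
    for i, chunk in enumerate(chunks):
        steps.append(_step(2 * i, (i << 4) | 0x2, chunk))               # real: 0x2 set
        steps.append(_step(2 * i + 1, (i << 4) | 0x1, b"decoy-%d" % i))  # decoy: 0x2 clear
    doc = {"userId": user_id.hex(),
           "sessionID": "00000000-0000-0000-0000-000000000000",       # placeholder GUID
           "steps": steps}
    return json.dumps(doc)


if __name__ == "__main__":
    sample = build_sample_callout("hostname=WS01 user=alice")   # constructed content
    print(decode_oip_callout(sample))
```

Discarding decoy steps before decoding matters in practice: including them corrupts the DEFLATE stream, which is exactly the analysis hindrance the post attributes to the Timestamp bit trick.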

    Figure 3: HTTP callout masquerades as OIP protocol

    Modes of Operation

    As detailed in the DGA section, the malware has multiple modes of operation, configured by the IP block that A records resolve to and by whether CNAME records exist. These modes of operation are stored in internal enumerations. These mappings and values are described next.

    Internal Modes

    The following modes govern internal operations of the malware:

    Mode name and description:

    • Truncate: Disabled; the malware killswitch has been activated and the sample may never run again without external modification to the XML configuration on-disk.
    • New: Passive mode; DGA subdomains encode the system’s domain name.
    • Append: Active mode; C2 beaconing will occur on the next CNAME resolve or is already actively occurring. DGA domains encode either the userID or the list of services.

    The mode values are written into the backdoor configuration key ReportWatcherRetry. Investigators may consider recovering the malware configuration and inspecting this configuration value to determine the last running mode of the malware.

    The following transitions govern how IP block ranges are translated into running modes:

    • Transition to Truncate
    • Transition from Append to New
    • Transition to Truncate
    • Transition to Append, either start or continue C2 beaconing
    • Not an IPv4 or IPv6 address, exit and retry DGA later

    The following diagram describes how the SUNBURST’s DGA DNS responses act as mode transitions to control the malware before HTTP-based C2 beaconing has even begun:

    Additionally, here is an annotated network log showing how a sequence of DNS resolutions can transition the malware mode:

    To end this discussion of modes and transitions, a small note about the choices of these IP blocks. In cases such as the ImpLink IP blocks that activate the killswitch, it’s likely that the ranges were specifically chosen by the attacker to avoid being discovered by security researchers. In other cases, such as the NetBios and "special" NetBios IP blocks, the companies these blocks resolve to are likely irrelevant, or at least beyond what can be definitively said without speculation.

    Malware Flow Diagram

    The following diagram provides a full picture of the malware's execution. Internally, SUNBURST uses a set of modes and transitions as described earlier. The names of these modes and transitions have no meaning; the malware authors purposely chose them as a form of obfuscation. When diagramming the malware's execution, these names were reused for clarity.

    Figure 4: Malware logic and decision states


    Is a system running blocklisted processes, services, or drivers safe from compromise?

    Sometimes, but not always. SUNBURST unconditionally exits if blocklisted processes or drivers are found and will not run until they are no longer detected. On the other hand, services are disabled by setting a registry value that controls startup initialization and are not explicitly stopped. As a result, a blocklisted service may still be running when the malware performs its service checks later. For this reason, it is possible for a victim system to be infected while a blocklisted service is running. Additionally, SUNBURST only attempts to disable a service once and updates its configuration to mark the service as disabled. Once the configuration is updated, the service is not treated as a blocklisted entry during subsequent execution. 

    Does observing one DGA encoding over another provide any information during incident response?

    Short answer: it provides a hint for where to look but isn’t a be-all tell-all alone. Noticing the DGA encoding change in network logs is a hint that the malware may have moved from New to Append or Append to New. This puts the malware in a mode where if a CNAME record is seen soon after, then HTTP C2 can begin. Incident response should focus on trying to identify CNAME records being successfully resolved instead of focusing on DGA encodings entirely. Identifying CNAME records is easier than tracking the malware mode through logs and a stronger signal.

    What is the "killswitch"?

    FireEye discovered that certain DNS responses cause the malware to disable itself and stop further network activity. With the support and help of GoDaddy’s Abuse Team and the Microsoft Threat Intelligence Center, the domain used for resolving DGA domains was reconfigured to point to a sinkhole server under Microsoft’s control. The IP of this sinkhole server was specially chosen to fall into the range used by the malware to transition from its current mode (New or Append) into Truncate mode where it will be permanently inactive. In other words, SUNBURST infections should now be inoculated due to the killswitch.

    When C2 communication occurs, is a CNAME record required?

    CNAME records are required for HTTP C2 beaconing to occur and are provided by the C2 coordinator to specify the final C2 server. C2 activity must occur over a domain name provided via a CNAME record. It cannot occur directly via a raw IP. To initialize C2 beaconing, the backdoor first looks for an A record response from one of its special NetBios subnets and subsequently expects to receive a CNAME record.

    If a DGA domain is decoded to a company domain name, is that company compromised?

    When the backdoor is in “passive” mode it uses the DGA encoding which embeds victim AD domain names. This means that any system where the backdoor is present may have started trying to contact DNS servers where an attacker could then activate the backdoor to begin active C2 communications. In most cases this did not occur and backdoors for non-targets were disabled by the operator. Therefore, it cannot be assumed that an organization experienced follow-on activity if their domain is decoded from any DNS logs. Specifically, it’s only an indicator that the backdoor code was present and capable of being activated.

    Public Contributions

    We have seen substantial community contributions to our public SUNBURST GitHub repository.

    We would like to publicly thank all contributors to this repository. Specifically, all FNV hashes embedded within SUNBURST have been brute-forced. This represents a huge amount of compute power that members of the community provided free of charge to help others. We want to thank everyone who contributed hashes and specifically call out the Hashcat community, which organized to systematically break each hash. This was essential for breaking the final few hashes whose preimages were of considerable length.


    Matthew Williams, Michael Sikorski, Alex Berry and Robert Wallace.

    For additional information on UNC2452, register for our webinar, UNC2452: What We Know So Far, on Tuesday, Jan. 12, at 8 a.m. PT/11 a.m. ET.

    Don’t let your kids’ online classes be disrupted by cyberattacks!

    Beware of cyberattacks happening through online classes! 2020 will be remembered for a lot of sweeping changes and online classes are definitely on top of...

    The post Don’t let your kids’ online classes be disrupted by cyberattacks! appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

    Why SolarWinds-SUNBURST is our Cyber Pearl Harbor

    On December 13, 2020, FireEye announced that threat actors had compromised SolarWinds’s Orion IT monitoring and management software and used it to distribute a software backdoor to dozens of that company’s customers, including several high profile U.S. government agencies.

    Many are referring to the SolarWinds-SUNBURST campaign incidents as the long-prophesied “Cyber Pearl Harbor.” We agree, but it is important to be clear as to why this is the case.

    Game Changing Attack Vector

    This campaign is the first major supply chain attack of its kind at scale and represents a shift in tactics where a nation state has employed a new weapon for cyber-espionage.  Just as the use of nuclear weapons at the end of WWII changed military strategy for the next 75 years, the use of a supply chain attack will change the way we need to consider defense against cyber-attacks.

    This supply chain attack operated at the scale of a worm such as WannaCry in 2017, combined with the precision and lethality of the 2014 Sony Pictures or 2015 U.S. Office of Personnel Management (OPM) attacks.

    The impact of this attack shows how a high-volume commercial software product can impact many organizations simultaneously. In the past, cyber-attacks such as WannaCry relied on vulnerabilities, exploiting organizations that failed to install critical patches. In the case of SolarWinds-SUNBURST, any organization that simply updated its software could be vulnerable to attack, which is why we saw the impact across multiple agencies in the federal government and private sector.  Furthermore, the backdoor used stealth tactics to monitor if it was being analyzed by looking for the presence of debuggers and network monitors and suppressing communications and alerts of other malicious behavior in those scenarios.

    Broad Reach and Impact

    From a U.S. national security perspective, this attack enables the nation’s enemies to steal all manner of information, from inter-governmental communications to national secrets. Attackers can, in turn, leverage this information to influence or impact U.S. policy through malicious leaks.

    The attack impacted private companies as well. Unlike government networks, which isolate classified information both from the internet and from non-classified material, private organizations often keep critical intellectual property on the same internet-facing network where they store non-sensitive information. Exactly what corporate intellectual property or private data on employees has been stolen will be difficult to determine, and the full extent of the theft may never be fully known.

    These cyber supply chain attacks are a concern for consumers as well. In today’s highly interconnected homes, a breach of consumer electronics companies can result in attackers using their access to smart appliances such as TVs, virtual assistants, and smart phones to steal their information or act as a gateway to attack businesses while users are working remotely from home.

    Endless Possibilities for Attackers

    What makes this campaign so insidious is that the attackers used trusted SolarWinds software to infiltrate victim organizations with the SUNBURST backdoor, which then enabled the attacker to take any number of secondary steps. This could involve stealing data, destroying data, holding critical systems for ransom, orchestrating system malfunctions that could result in kinetic damage, or simply implanting additional malicious content throughout the organization to stay in control and maintain access even after the initial threat appears to have passed.

    Encourages the Wrong Behavior

    Such an attack is particularly challenging in that it raises concerns around best practices cybersecurity professionals have been trying to communicate for years. For decades, we have been saying that it is critical to patch and keep software updated. In this case, however, it was patching and bringing new software into an environment that opened organizations up to attack.

    Organizations must not read into these SolarWinds-SUNBURST revelations that they should not prioritize keeping their environments up to date. Doing so would certainly open them up to a variety of other attacks.

    How do we reconcile these two conflicting security viewpoints? Organizations and cybersecurity practitioners must be vigilant in their review and understanding of the software being brought into their environments. Additionally, they must identify their most critical information and data and apply the principles of least privilege to these items, ensuring that sensitive information such as national secrets and intellectual property are protected.

    Daisy Chained Victims Amplify Impact

    One additional area of concern is when software vendors are impacted.  In this scenario, it is possible for there to be a daisy chain effect. The adversary could modify either source code or a development toolchain within a victim’s environment to plant additional backdoors that are then distributed to their customers.

    Conclusion and More Information

    The SolarWinds-SUNBURST campaign is like a “smart bomb” on a crowded landscape of “dumb bomb” cyber threats. WannaCry was a dumb bomb in that it was fully autonomous and indiscriminate in what it attacked. Whereas this SolarWinds-SUNBURST attack is a “precision guided” smart cyber weapon that is being used to target specific organizations in very specific ways. Every organization that is of interest to the attacker might be targeted slightly differently.

    McAfee has incorporated technical indicators gleaned from the FireEye and SolarWinds incidents into our cyber defenses and solutions portfolio to protect our environment and customers. The details of these supplemental protections can be found in McAfee’s knowledge base (KB) articles KB89830 and KB93861.

    Please also see the following analysis blogs focused on SolarWinds-SUNBURST:


    The post Why SolarWinds-SUNBURST is our Cyber Pearl Harbor appeared first on McAfee Blogs.

    McAfee Security Innovation Alliance 2020 MPOWER Awards

    McAfee, the device-to-cloud cybersecurity company, announced the winners of its distinguished SIA Partner Awards. The 2020 awards recognize partners who demonstrated innovation, strategic value, and market leadership in their respective market segments which are a complement to the McAfee solution portfolio.

    2020 has been a difficult year for everyone that has required organizations to be flexible and rethink how they deploy security to ensure their critical assets remain protected. The McAfee SIA program enables organizations to embrace the flexibility they need through certified integrated solutions from industry-leading providers to ensure they have the tools and resources needed to stay protected and ensure business keeps operating.

    We are pleased to announce the winners of the 2020 McAfee Security Innovation Alliance Awards in the following three categories: Most Innovative Partners of the Year, and SIA Partner of the Year.

    Most Innovative Partner of the Year: IBM Security

    IBM Security is a strategic partner of McAfee across multiple IBM teams, including Resilient and QRadar. To date McAfee has certified integrations between IBM's incident response platform, Resilient, and TIE, DXL, ePO, ESM, ATD and now MVISION. McAfee has released QRadar integrations for both ePO and MVISION. All McAfee Resilient integrations are published on IBM's AppExchange. In 2019 McAfee and IBM jointly founded the Open Cybersecurity Alliance under the auspices of OASIS. Read our solution brief for more details. IBM Security was amongst the inaugural partners announced during the recent launch of the MVISION Marketplace.

    Most Innovative Partner of the Year: Siemplify

    Siemplify is a great McAfee partner, having previously integrated its SOAR product with McAfee ePO. Now, with McAfee's latest announcement of the MVISION Marketplace, Siemplify is one of the inaugural development partners. Siemplify has shown itself to be one of our most innovative partners during 2020 and now enables mutual customers to discover, try, buy, and deploy partner technologies as a composable solution with a few clicks of the mouse.

    SIA Partner of the Year 2020 : ThreatQuotient

    Most Valuable Partner of the Year criteria cover the breadth and depth of the partner’s multiple integrations and close business engagement with McAfee.

    ThreatQuotient ("ThreatQ") joined the SIA program in January 2017 and quickly showed its value through its Threat Intelligence Platform. In ThreatQ fashion, they quickly integrated with McAfee TIE, McAfee Data Exchange Layer (DXL), McAfee Advanced Threat Detection (ATD), McAfee Active Response (MAR) and Enterprise Security Manager (ESM), followed by MVISION Endpoint Detection and Response (EDR). Most recently ThreatQ was amongst the inaugural partners to launch with McAfee's new MVISION Marketplace.

    Partnership integrations and the most deal closures within the SIA program tell the story of why ThreatQuotient was selected as the Partner of the Year.

    To learn more about these partners and MVISION Marketplace visit:

    Read the MVISION Marketplace press release here: McAfee Announces MVISION Marketplace


    The post McAfee Security Innovation Alliance 2020 MPOWER Awards appeared first on McAfee Blogs.

    Data breach hits 30,000 signed up to workplace pensions provider

    Fraud worries as UK company Now:Pensions says ‘third-party contractor’ posted personal details of clients to online public forum

    About 30,000 customers of Now:Pensions face an anxious Christmas after a serious data breach at the pensions provider led to their sensitive personal details being posted on the internet.

    In an email sent to affected customers, the workplace pensions firm warned that names, postal and email addresses, birth dates and National Insurance numbers all appeared in a public forum online.


    2020 In Review: The Top 10 Most Popular Life at McAfee Blogs

    2020 has been quite the year for many, and through it all, we’re reflecting on everything we are thankful for. This includes the incredible stories and invaluable perspectives that come from our McAfee team members around the world.

    As the year ends, we're counting down the top 10 most read Life at McAfee blog stories. These are the stories from our team members that you love to read, and we love to tell.

    10. One Team Member Selflessly Provides Relief to Covid-19's Front Line


    When COVID-19 hit Germany, Heiko jumped into action and made an impact on his community with the help of THW and McAfee’s Volunteer Time Off (VTO) benefit. Read about Heiko’s experience and how he was able to help provide relief by helping to build a temporary hospital facility. 

    9. How to Adopt a Work-From-Home Mindset 


    Navigating a global pandemic while balancing parenthood and adjusting to remote work is currently a challenge for many. In this blog, our team member, Paige, offers up four helpful tips for remote working parents. 

    8. McAfee Men Share Fresh Perspectives on Gender Equality

    In honor of International Women's Day, we asked McAfee men around the world to share their perspectives on creating a more gender-equal world. They offered candid and rich insights with takeaways to remember inside and outside of the workplace. If you're looking for an interesting conversation on gender equality, you won't want to miss this blog.

    7. McAfee’s Women in Security Offer New Grads Career Insights


    Launching your career is an exciting experience that can also be a nerve-wracking feat. Our Women in Security (WISE) Community hosted a panel discussion to encourage our next generation of women in tech to pursue their passions. Whether you're just starting your career or looking for a change, you'll find useful insights on what it's like to work in the tech industry and life at McAfee!

    6. Spotlighting McAfee’s Women in Technology Scholarship Recipients

    We talked to our Women in Technology (WIT) Scholarship recipients and discussed their participation in our summer internship program in Cork, Ireland. Read about their unique experiences in the program, from building professional relationships to mentorships and training. This is a valuable read for anyone jumpstarting a new career.

    5. What is a McAfee Internship Like? 10 Interns Share Perspectives

    Looking for a snapshot of McAfee internships? To celebrate National Intern Day, we asked ten global McAfee interns to share insights gained from their unique experiences.

    4. Honoring Our Brave Military Veterans from the McAfee Community 

    To pay tribute to our veterans in honor of Veterans Day and Remembrance Day, we asked team members in our McAfee Veterans Community to share memories and photos from their service days. Check out what some of them had to say!

    3. How One McAfee Advanced Threat Researcher is Giving Back During Covid-19

    Meet Thomas, Advanced Threat Researcher at McAfee by day, 3D mask-printing expert by night. Read Thomas' story and find out how he is making a significant impact and inspiring others to support healthcare workers during the pandemic.

    2. Women in Sales Part 1: Opportunities for Women Across Cybersecurity Sales 

    In our Women in Sales series, McAfee's sales professionals talked about how to break boundaries and achieve success in cybersecurity sales. If you want to dive into industry opportunities and gain advice to advance your career, this is the place to start!

    1. Five Tips from McAfee’s Remote Workers

    Whether you’re an expert in remote work or working from home for the first time, you may be looking for helpful tips to set yourself up for success. In this blog, get advice from seasoned remote workers on navigating working from home and learn how you can incorporate practical tips.  

    Are you thinking about joining our team? McAfee takes great pride in providing a virtual onboarding experience with the right tools and support. Learn more about our jobs. Subscribe to job alerts.



    The post 2020 In Review: The Top 10 Most Popular Life at McAfee Blogs appeared first on McAfee Blogs.

    Fact vs. Fiction: Film Industry’s Portrayal of Cybersecurity

    Article by Beau Peters

    The movie industry is infamous for its loose depictions of hacking and cybersecurity. Hollywood often gets a lot wrong about hacking and digital protections, but what does it get right?

    The power of film in influencing the future of technology and the experts that create it is immense. Because of this, it is important to assess what the facts are versus movie fiction.  Here, we’ll explore the film industry’s portrayal of cybersecurity.

    Cybersecurity in Movies
    From WarGames to Blackhat, hacking and cybersecurity movies have glamorized the world of digital safety and the compromising of said safety. However, each Hollywood outing does so with varying levels of realism, typically embracing excitement over reality. 
    In the 1983 WarGames movie, a young hacker almost triggers World War 3
    These portrayals have led to common tropes and views of the cybersecurity industry in their attempts to prevent and combat hacking attempts. Among these tropes are some of the following portrayals, each occurring with varying degrees of absurdity.

    1. Hacking is exciting, fast, and often ethical
    The trope of a computer-savvy individual slamming on a keyboard for a few seconds and saying "I'm in" is common enough to be a defining joke about cybersecurity in film. Hacking is shown as a process that takes minutes and has instant results. This is often far from reality, where hacking attempts can take weeks or even months to produce results.

    And the results of actual digital break-ins are often far from ethical. Movies tend to show hacking as a victimless crime, but real-life hacking tends to mean data theft that can have severe implications on people’s lives.

    2. There is a visually distinct or compelling element of hacking 
    Hollywood has to keep an audience engaged. Because of this, hacking and cybersecurity are often paired with some visually striking element that would simply be ridiculous in reality.

    Jurassic Park has a great scene exemplifying this trope. Under attack from a velociraptor, a child logs on to a computer and proceeds to navigate through a 3D maze representing the computer system’s files. In reality, typing in a few commands would have achieved a result faster. However, this wouldn’t have been as exciting.

    3. Hacking and cybersecurity are defined by excessively fast typing
    You always know a hacker or a computer systems expert by their excessively fast keyboard smashing. In movies and TV, computer experts are always clicking away at a keyboard at speeds few of us could match, speeds that would be unlikely to result in very productive work given the mistakes and the time needed to assess the situation.

    However, fast typing is a staple of hacking movies. The faster you type, the faster you can get in or defend a system.

    When compared to the reality of cybersecurity systems, these Hollywood portrayals often come up short. Though some movies are getting better at portraying hacking and security, they rarely capture the grittier, less exciting truth. 

    Cybersecurity in Reality
    In reality, hacking is a much more time consuming and boring process, with results that have real impacts on the lives of everyday people. Hollywood neglects some of these finer points in favour of spectacle, as can be expected. Cybersecurity comes with its own set of tedious practices as well as the glamorous aspects of navigating computer systems.

    Here are just a few ways that hacking and cybersecurity operate in the real world that movies tend to obscure or fail to depict:

    1. Hacking is about information more than profit.
    While cybercriminals can sometimes come away with a profit, doing so is incredibly difficult and not very common. Ransomware is sometimes used to extort profits from corporations, a process that occurs when a cybercriminal uses malware to hold a system hostage until a payment is made. However, break-ins usually result in little more than data theft or blockages with costly implications for businesses and individuals.

    For example, Distributed Denial of Service (DDoS) attacks are used to slow or stop the computer processes of a business. This doesn’t necessarily result in any money for the hackers, but the downtime can cost companies thousands to millions of dollars.

    2. Hackers rely heavily on phishing and social engineering.
    Breaking into a system often requires access to valid user IDs and account passwords. This means hackers tend to use phishing and social engineering methods to mine information. They use all kinds of bots and scams to try and trick average individuals into clicking a link or divulging personal information.

    However, this means that a lot of good can be done in the cybersecurity world without even needing to code. Simply teaching teams what to look for in avoiding scams and fraud can be a great way to approach cybersecurity incident management and keep private data safe.

    3. White-hat hackers are real, and they make good money.
    One thing movies get right sometimes is that hackers can be the good guys. There is a whole category of ethical hackers who often work as bounty hunters to find flaws in a company's cybersecurity systems. These so-called “white hat” hackers attempt to break in and are paid a bounty if they can reveal security deficiencies.

    Sometimes, white-hat hacking comes with a significant paycheck. The bounty platform HackerOne has paid out $40 million across 2020 alone, making seven different hackers millionaires in a single year.

    With the desperate need for individuals in the cybersecurity field, the truth around hacking is important to note. While Hollywood can make hacking seem glamorous and exciting, the truth is that many hacking processes come with dangerous implications. However, hacking can also be used to benefit the safety of information in ethical bounty situations.

    With the emergence of cloud computing as a standard for remote workspaces, security professionals are needed now more than ever. Secure public and private cloud solutions are required for a functioning application marketplace, and cybersecurity professionals play a key role in maintaining that safety.

    While cybersecurity isn’t always exciting, the results of keeping systems safe are much more rewarding than the black-hat alternatives.

    The movie industry propagates a view of the cybersecurity field that is often far from reality. However, by acknowledging the departures from the truth, we get a better idea of the need and value of cybersecurity solutions as a whole, especially in the modern world of accelerated digital innovation.

    While hacking and cybersecurity might not be anywhere near as exciting as they are in movies, working in cybersecurity—whether as a systems expert or a white-hat hacker—can mean a big paycheck and a safer world for the people you know and love. And that reality is better than any movie.

    Hacking Christmas Gifts: Artie Drawing Robot

    If high-tech gadgets are on your holiday shopping list, it is worth taking a moment to think about the particular risks they may bring. Under the wrong circumstances, even an innocuous gift may introduce unexpected vulnerabilities. In this blog series, VERT will be looking at some of the Internet’s best-selling holiday gifts with an eye toward their […]… Read More

    The post Hacking Christmas Gifts: Artie Drawing Robot appeared first on The State of Security.

    Lessons from Teaching Cybersecurity: Week 12

    As I had mentioned previously, this year, I’m going back to school. Not to take classes, but to teach a course at my alma mater, Fanshawe College. I did this about a decade ago and thought it was interesting, so I was excited to give it another go. Additionally, after a friend mentioned that their […]… Read More

    The post Lessons from Teaching Cybersecurity: Week 12 appeared first on The State of Security.

    Card-Not-Present Fraud: 4 Security Considerations for Point of Sale Businesses

    As the retail world’s center of gravity shifts to the cloud, payment card fraud has followed suit. According to Verizon’s retail vulnerabilities study, attacks against e-commerce applications are by far the leading cause of retail data breaches. This trend mirrors similar outcomes in other industries, like food service. A complimentary Verizon study finds remote attacks […]… Read More

    The post Card-Not-Present Fraud: 4 Security Considerations for Point of Sale Businesses appeared first on The State of Security.

    Talkin’ About Infosec News – 12/21/2020

    Originally aired on December 21, 2020. Articles discussed in this episode:

    The post Talkin’ About Infosec News – 12/21/2020 appeared first on Black Hills Information Security.

    Six Trends Shaping the 2021 Cybersecurity Outlook

    Article by Tom Kellermann, Head of Cybersecurity Strategy, Rick McElroy, Head of Security Strategy, and Greg Foss, Senior Cybersecurity Strategist, VMware Carbon Black

    Everything is different, and yet the same. As we look ahead to the cybersecurity landscape in the next 12 months, it is from a position no one predicted this time last year. Business operations have changed beyond recognition with most employees working from home in a transition that happened almost overnight. Stretched security teams have been challenged to rapidly deploy robust remote working facilities to maintain productivity. Most were writing the ‘pandemic playbook’ as they went along.

    Ironically, one of the few certainties of the situation was that cybercriminals would take advantage of disruption to escalate campaigns. In that sense, nothing changed, except that the opportunity was suddenly much greater. As a result, nine in ten security professionals surveyed by our Threat Analysis Unit said they were facing increased attack volumes, which they attributed to the newly distributed working environment.

    The effects of COVID-19 will continue to impact the cybersecurity sector for some time, but they are not the only considerations. This year we’ve seen cybercrime and cybercriminal groups continue along a path of technical and industry innovation that will see new strategies and tactics gain traction in 2021. We have also seen cyber defences tested like never before and, for the most part, they have held firm; there is reason for cybersecurity professionals to be optimistic.

    With this in mind, the following are six trends we expect to see, and key areas cybersecurity professionals should keep their eyes on in 2021.

    1. Remote-Working Focuses Attacker Attention on Mobile Compromise
    As business becomes more mobile than ever and remote working persists, mobile devices and operating systems will be increasingly targeted. As employees use personal devices to review and share sensitive corporate information, these become an excellent point of ingress for attackers. If hackers can get into your Android or iPhone, they will then be able to island-hop into the corporate networks you access, whether by deactivating VPNs or breaking down firewalls.

    We will also see hackers using malware such as Shlayer to access iOS, ultimately turning Siri into their personal listening device to eavesdrop on sensitive business communications.

    Combating these risks requires a combination of new mobile device policies and infrastructure designed to facilitate continued remote working, as well as raising employee awareness of the persistent risks and the importance of digital distancing.

    2. Continuing Direct Impacts on Healthcare
    In terms of the direct impact of COVID-19, the healthcare sector, at the heart of crisis response, will see the adaptations it made to try and maintain patient services become a vulnerability. With growing reliance on telemedicine for routine medical appointments, lucrative personally identifiable information (PII) is being accessed from remote locations and as a result is more easily intercepted by hackers. At the same time, vaccine-related data pertaining to trials and formulae is some of the most sought-after intellectual property right now, and the drive to get hold of it for financial or political gain is putting healthcare and biotech organisations under intense pressure from external threats and insider risk.

    That said, the strain on healthcare cybersecurity is not going unheeded; we will see increased IT and security budgets in the sector to combat the growth in external threats.

    3. Emerging Tactical Trends: Cloud-Jacking and Destructive ICS Attacks
    As the new year dawns, we will see tried and tested tactics evolving to become more sophisticated and take advantage of changes in network architecture. Cloud-jacking through public clouds will become the island-hopping strategy of choice for cybercriminals as opportunity proliferates due to the overreliance on public clouds by the newly distributed workforce.

    It won’t be only the virtual environment under threat. Increasing cyber-physical integration will tempt nation state-sponsored groups into bolder, more destructive attacks against industrial control system (ICS) environments. Critical National Infrastructure, energy and manufacturing companies will be in the crosshairs as OT threats ramp up. Our analysts are seeing new ICS-specific malware changing hands on the dark web and we are likely to see it in action in the coming year.

    4. The Ransomware Economy Pivots to Extortion and Collaboration
    Another familiar tactic taking on a new twist is ransomware. Ransomware groups have evolved their approach to neutralise the defensive effect of back-ups and disaster recovery by making sure they’ve exfiltrated all the data they need before the victim knows they’re under attack. Once the systems are locked attackers use the data in their possession to extort victims to pay to prevent the breach becoming public. And if that fails, they can sell the data anyway, meaning the victim is doubly damaged.

    Ransomware is such big business that the leading groups are collaborating, sharing resources and infrastructure to develop more sophisticated and lucrative campaigns. Not all collaborations will be successful, however, and we’ll see groups disagreeing on the ethics of targeting vulnerable sectors such as healthcare.

    5. AI Utilised for Defensive and Offensive Purposes
    Technology innovation is as relevant to attackers as it is to defenders and, while artificial intelligence and machine learning have significant benefits in cybersecurity, we can expect to see adversaries continue to advance in the way AI/ML principles are used for post-exploitation activities. They’ll leverage collected information to pivot to other systems, move laterally and spread efficiently – all through automation.

    The silver lining is that in 2021 defenders will begin to see significant AI/ML advancements and integrations into the security stack. Security automation will be simplified and integrated into the arsenal of more organisations – not just those with mature SOCs. As awareness of how attackers are using automation increases, we can expect defenders to fix the issue, maximising automation to spot malicious activity faster than ever before.

    6. Defender Confidence is Justifiably on the Rise
    To finish on a resoundingly positive note, this year we saw cyber defences placed under inconceivable strain and they flexed in response. Yes, there were vulnerabilities due to the rapidity of the switch to fully remote working, but on the whole security tools and processes are working. Defender technology is doing the job it is designed to do, and that is no small feat.

    The mission-critical nature of cybersecurity has never been more apparent than in 2020 as teams have risen to the challenge of uniquely difficult circumstances. In recognition of this we will see board-level support and a much healthier relationship between IT and security teams as they collaborate to simultaneously empower and safeguard users. 2020 has been the catalyst for change for which we were more than ready.

    How to Build Successful Security Awareness Training Programs in 2021 and Beyond

    Security awareness training is one of the most straightforward ways to improve a business’ overall resilience against cyberattacks. That is, when you get it just right.

    Thanks to the disruptions to “normal” work routines that COVID-19 has brought, launching a company-wide training program to teach end users how to avoid phishing scams and online risks is a big challenge. Unfortunately, COVID-19 has also brought a major acceleration in phishing activity. With so many office employees working outside the safety of corporate network protections, you can see why the need for training has never been more critical.

    But there’s another issue: training is outside the skillset for most IT admins, and the level of effort to set up and run a program of training courses, compliance accreditations and phishing simulations can be daunting.

    To help you get started, here are our top 5 recommendations for starting your security awareness program so you can maximize the impact of your efforts.

    1. Get buy-in from stakeholders.

      While you probably already have some combination of security tools in place, such as endpoint protection, DNS or web filtering, etc., the 2020 Verizon Data Breach Investigations Report states that phishing and social engineering are still the primary tactics used in successful cybersecurity breaches.

      Make sure your stakeholders understand these threats. Send an email introducing the program to management and clearly explain the importance of educating users and measuring and mitigating your risk of exposure to phishing and other social engineering attacks.
    2. Start with a baseline phishing campaign.

      When you run your first phishing campaign, you establish your starting point for measuring and demonstrating improvement over time. (You can also use this real-world data to accurately show the need for improvement to any still-skeptical stakeholders.) Ideally this initial campaign should be sent to all users without any type of forewarning or formal announcement, including members of leadership teams. Make sure to use an option that simply shows a broken link to users who click through, instead of alerting them to the campaign, so you can prevent word-of-mouth between employees from skewing the results.
    3. Set up essential security and compliance training.

      Create training campaigns to cover essential cybersecurity topics including phishing, social engineering, passwords and more. Establish which compliance courses are appropriate (or required) for your organization and which employees need to complete them.
    4. Establish a monthly phishing simulation and training cadence.

      Repetition and relevance are key for a successful security awareness training program. By setting up a regular simulation and training schedule, you can more easily measure progress and keep an eye on any high-risk users who might need extra attention. Using our shorter 4-5-minute modules in between more substantial training is an effective tactic to keep security top of mind while avoiding user fatigue. And if you can’t run phishing simulations monthly, strive for a quarterly cadence. If you get pushback on sending emails to everyone, then we recommend you prioritize testing users who failed the previous round.
    5. Communicate results.

      A great way to raise awareness and increase the impact of your phishing campaigns is to share the results across the organization. Keep in mind, the goal is to capitalize on collective engagement and share aggregate results, not to call out individuals. (Your “offenders” will recognize themselves anyway.)

      The critical piece is seeing the statistics on where the organization stands as a whole. After the baseline phishing simulation, send out an email to all employees with the results and the reasoning for the campaign. Communicating these numbers will not only help show improvement over time, it’ll also demonstrate the value of the program overall and reinforce to employees that cyber resilience isn’t just IT’s job – it’s a responsibility we all share.

    Although there are numerous other tips and tricks that can help ensure the success of your security awareness training program, these are our top five basic pieces of advice to get you on your way. When you follow these steps, it won’t take long to see the very real returns on your training investment.

    For more detailed tips on how you can put Webroot® Security Awareness Training to work to improve your business’ cyber resilience posture, view our white paper.

    The post How to Build Successful Security Awareness Training Programs in 2021 and Beyond appeared first on Webroot Blog.

    ST25: Securing Cloud-native Applications

    The cloud is and remains a driver of digital transformation. While the focus was initially on detecting shadow IT and securing SaaS services, attention is now shifting to longer-term projects: the migration of entire services and applications to the cloud. In this podcast we therefore talk about infrastructure and containers in the cloud, how they fit into the existing architecture, and which further perspectives are helpful for a comprehensive security concept.

    The post ST25: Securing Cloud-native Applications (original title: Absicherung von Cloud-nativen Anwendungen) appeared first on McAfee Blogs.

    Advice for incident responders on recovery from systemic identity compromises

    As Microsoft, alongside our industry partners and the security community, continues to investigate the extent of the Solorigate attack, our goal is to provide the latest threat intelligence, including IOCs, and guidance across our products and solutions to help the community fight back against this attack of unprecedented scale, harden its infrastructure, and begin to recover. As new information becomes available, we will make updates to this article.

    This blog will outline lessons learned from this and other incident responses to date in on-premises and cloud environments. This latest guidance is for customers looking to re-establish trusted identities for credentials that are suspected of compromise by Solorigate malware.

    This article is intended to give experienced incident responders some advice on techniques to consider when helping an organization respond to a suspected systemic identity compromise, like we’re seeing in some victims of the Solorigate malware, based on our experience in the field in similar scenarios. Re-establishing trust in the organization’s on-premises and cloud environments with minimal business impact requires in-depth investigation and an understanding of potential methods of persistence. While not meant to cover every possible scenario, this guidance is intended to summarize our experience with similar customer breaches and will be updated if we learn of new information that would help with successful recovery. Please review the resources referenced at the end of this article for additional information. This information is provided as-is and constitutes generalized guidance; the ultimate determination about how to apply this guidance to your IT environment and tenant(s) must consider your unique environment and needs, which each Customer is in the best position to determine.

    The Solorigate investigation referenced in this guidance is ongoing at the time of publication and our teams continue to act as first responders to these attacks. As new information becomes available, we will make updates through our Microsoft Security Response Center (MSRC) blog.

    Overview of the intrusion

    As described in this Microsoft blog post, the hallmarks of this actor’s activity include, but are not limited to, the following techniques that are likely to result in systemic identity compromise:

    • An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. Read our in-depth technical analysis of the Solorigate malware.
    • An intruder using administrative permissions (acquired through an on-premises compromise) to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens to impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
    • Anomalous logins using the SAML tokens signed with a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. An organization may miss the use of illegitimate SAML tokens because they are signed with a legitimate certificate.
    • The use of highly privileged accounts (acquired through the technique above or other means) to add illegitimate credentials to existing application service principals, enabling the attacker to call APIs with the permission assigned to that application.

    Overview of response objectives

    Organizations that have experienced systemic identity compromise need to start recovery by re-establishing trustworthy communications. This will enable effective triage and coordination of business operations recovery.

    Many organizations have complex internal and external interdependencies. Core business processes and applications in an organization are likely to be temporarily impacted during recovery efforts until trust within your environment is re-established. Microsoft recommends that Incident Responders establish secure communications with key organizational personnel as the first step toward organizational recovery. If your investigation indicates that the attacker has used techniques outside of identity compromise at lower levels of your organization’s infrastructure, such as hardware or firmware attacks, you will need to address those threats to reduce the risk of re-compromise.

    Response objectives in approximate order:

    1. Establish secure communications for personnel key to the investigation and response effort.
    2. Investigate the environment for persistence and initial access point, while establishing continuous monitoring operations during recovery efforts.
    3. Regain and retain administrative control of your environment and remediate or block possible persistence techniques and initial access exploits.
    4. Improve posture by enabling security features and capabilities following best practice recommendations.

    We recommend that incident responders review and digest the entirety of this guidance before taking action, as the specific order of actions taken to achieve the response objectives is very situational and depends heavily on the results (and completeness) of investigation and the business constraints of the specific organization. The following sections describe the incident response techniques we recommend you consider for each of the above objectives.

    Establish secure communications and productivity

    Successful response requires being able to communicate without the attacker eavesdropping on your communications. Until you have achieved assurance in the privacy of your communications on your current infrastructure, use completely isolated identities and communication resources to coordinate your response and discuss topics that could potentially tip off the attacker to your investigation. Until your investigation has achieved assurance in actor eviction, we strongly recommend that you keep all incident-related comms isolated to enable you to have the element of surprise when taking remediation actions.

    • Initial one-on-one and group communications can be achieved through phone (PSTN) calling, conference bridges not connected to the corporate infrastructure, and end-to-end encrypted messaging solutions.
    • One way that many customers have established secure productivity and collaboration is to create a new Office 365 tenant which is completely isolated from the organization’s production tenant and create accounts only for the key personnel needed, and any incident response vendors or partners who need to be part of the response.
      • Make sure to follow best practices for securing this tenant, especially administrative accounts and rights, by default. The new tenant should have limited administrative rights and no trusts with outside applications or vendors. If you need further assistance or want information on hardening Microsoft 365, you can review the guidance here.

    Investigate your environment

    Once your incident responders and key personnel have a secure place to collaborate, the next step is to investigate the suspected compromised environment. Successful investigation will be a balance between getting to the bottom of every anomalous behavior to fully scope the extent of attacker activity and persistence and taking action quickly to stop any further activity on objectives by the attacker. Successful remediation requires as complete an understanding of the initial method of entry and persistence mechanisms controlled by the attacker as possible. Any persistence mechanisms missed could result in continued access by the attacker and potential for re-compromise.

    • Investigate and review cloud environment logs for suspicious actions and attacker IOCs, including:
      • Unified Audit Logs (UAL).
      • Azure Active Directory (Azure AD) logs.
      • Active Directory logs.
      • Exchange on-prem logs.
      • VPN logs.
      • Engineering systems logging.
      • Antivirus and endpoint detection logging.
    • Review endpoint audit logs for changes from on-premises for actions including, but not limited to, the following:
      • Group membership changes.
      • New user account creation.
      • Delegations within Active Directory.
      • Along with other typical signs of compromise or activity.
    • Review Administrative rights in your environments
      • Review privileged access in the cloud and remove any unnecessary permissions. Implement Privileged Identity Management (PIM); set up Conditional Access policies to limit administrative access during hardening.
      • Review privileged access on-premise and remove unnecessary permissions. Reduce membership of built-in groups, verify Active Directory delegations, harden Tier 0 environment, and limit who has access to Tier 0 assets.
      • Review all Enterprise Applications for delegated permissions and consent grants that allow (sample script to assist):
        • Modification of privileged users and roles.
        • Reading or accessing all mailboxes.
        • Sending or forwarding email on behalf of other users.
        • Accessing all OneDrive or SharePoint sites content.
        • Adding service principals that can read/write to the Directory.
      • Review access and configuration settings for the following Office 365 products:
        • SharePoint Online Sharing
        • Teams
        • PowerApps
        • OneDrive for Business
      • Review user accounts
        • Review and remove guest users that are no longer needed.
        • Review email configurations using Hawk or something similar.
          • Delegates
          • Mailbox folder permissions
          • ActiveSync mobile device registrations
          • Inbox Rules
          • Outlook on the Web Options
        • Validate that both MFA and self-service password reset (SSPR) contact information for all users is correct.

    You may find that one or more of the logging sources above are data sources that the organization does not currently include in its security program. Some of them, especially the logging available in the cloud, are available only if configured and we recommend that you configure them as soon as possible to enable both the detections in the next section and forensics review of logs going forward. Make sure to configure your log retention to support your organization’s investigation goals going forward and retain evidence, if needed for legal, regulatory, or insurance purposes.

    Establish continuous monitoring

    There are many ways to detect activity associated with this campaign. Exactly how your organization will detect attacker behavior depends on which security tools you have available, or choose to deploy in response. Microsoft has provided examples publicly for some of the core security products and services that we offer and is continually updating those documents as new threat intelligence related to this attacker is identified. If you use other vendors’ products, review your vendor’s recommendations, and review the Microsoft documentation below to understand the detection techniques if you need to implement analogous detections in your environment on your own.

    For readers using Azure Sentinel in their environments, review SolarWinds Post-Compromise Hunting guidance.

    For readers using Microsoft Defender for Endpoint, review our guidance here, and review Microsoft Defender Antivirus guidance.

    Azure Active Directory sign-ins

    You can view this information from the Azure Active Directory Sign-in blade by selecting an appropriate time window and then downloading the report as either a CSV or JSON file. NOTE: You can download interactive, as well as non-interactive, sign-in reports via this interface. Once you have downloaded the results, look for the value “MFA requirement satisfied by claim in the token” in the “MFA result” field.

    You can also use the Get-AzureADAuditSignInLogs cmdlet (see the details here) and filter the results to only return entries that match this field value, as seen in this example:

    Get-AzureADAuditSignInLogs -All:$true -Filter "createdDateTime gt <startdate> and createdDateTime lt <enddate>"  | where {$_.Status.AdditionalDetails -eq "MFA requirement satisfied by claim in the token"} | select-object CreatedDateTime, IpAddress,UserAgent, ResourceDisplayName, CorrelationId, RequestId, UserPrincipalName -ExpandProperty Status

    If your ADFS environment is configured to send a claim indicating that MFA has been satisfied, this may not be a strong signal. However, many organizations using ADFS do not include this claim in their configuration; in those cases, the presence of this claim may be a strong indicator of attacker activity. You may also wish to add filters or conditions to the where clause to further improve your signal-to-noise ratio, such as surfacing only results from domains that are federated.

    If suspicious sign-ins are detected, you can further pivot your investigation based on IP addresses identified, user accounts identified, and/or other indicators such as the UserAgent string and client operating system observed, if based on your knowledge of your environment these appear to be strong indicators.
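    The same filter applied offline to a downloaded sign-in export, with the federated-domain condition and an IP pivot added; this is an added example, not code from the Microsoft guidance, and it assumes the JSON download uses camelCase field names with the MFA result under status.additionalDetails. The sign-in records are constructed.

```python
"""Triage an Azure AD sign-in export for MFA satisfied by a claim in the token.

Added example, not part of the Microsoft guidance. Assumes the JSON download from
the Azure AD Sign-ins blade, where the MFA result appears under
status.additionalDetails (the field the page's PowerShell filter reads).
Sample sign-ins below are constructed for illustration.
"""
import json
from collections import defaultdict

MFA_BY_CLAIM = "MFA requirement satisfied by claim in the token"

# Constructed sample export: two sign-ins from one unfamiliar IP that satisfied
# MFA by claim, one normal Azure AD MFA sign-in, and one claim-satisfied sign-in
# from a domain that is not federated (so the federated-domain filter drops it).
SAMPLE_SIGNIN_EXPORT = json.dumps([
    {"createdDateTime": "2020-12-14T03:12:55Z", "userPrincipalName": "cfo@corp.example",
     "ipAddress": "203.0.113.7", "userAgent": "python-requests/2.25.1",
     "resourceDisplayName": "Office 365 Exchange Online", "correlationId": "c-001",
     "requestId": "r-001", "status": {"errorCode": 0, "additionalDetails": MFA_BY_CLAIM}},
    {"createdDateTime": "2020-12-14T03:13:01Z", "userPrincipalName": "svc-backup@corp.example",
     "ipAddress": "203.0.113.7", "userAgent": "python-requests/2.25.1",
     "resourceDisplayName": "Microsoft Graph", "correlationId": "c-002",
     "requestId": "r-002", "status": {"errorCode": 0, "additionalDetails": MFA_BY_CLAIM}},
    {"createdDateTime": "2020-12-14T09:00:12Z", "userPrincipalName": "alice@corp.example",
     "ipAddress": "198.51.100.4", "userAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "resourceDisplayName": "Office 365 SharePoint Online", "correlationId": "c-003",
     "requestId": "r-003", "status": {"errorCode": 0, "additionalDetails": "MFA completed in Azure AD"}},
    {"createdDateTime": "2020-12-14T10:30:00Z", "userPrincipalName": "bob@partner.example",
     "ipAddress": "198.51.100.9", "userAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "resourceDisplayName": "Microsoft Graph", "correlationId": "c-004",
     "requestId": "r-004", "status": {"errorCode": 0, "additionalDetails": MFA_BY_CLAIM}},
])

# The same columns the page's Select-Object keeps.
REPORT_FIELDS = ("createdDateTime", "ipAddress", "userAgent", "resourceDisplayName",
                 "correlationId", "requestId", "userPrincipalName")


def upn_domain(upn):
    """Domain part of a user principal name, lower-cased ('' if there is none)."""
    return upn.rpartition("@")[2].lower()


def find_mfa_claim_signins(export_json, federated_domains=None):
    """Return the sign-ins whose MFA requirement was satisfied by a claim in the token.

    federated_domains, when given, keeps only users from those domains: the extra
    where-clause condition the page suggests, since the claim originates from the
    federated identity provider and a managed domain has no legitimate source for it.
    """
    wanted = {d.lower() for d in federated_domains} if federated_domains else None
    hits = []
    for signin in json.loads(export_json):
        if signin.get("status", {}).get("additionalDetails") != MFA_BY_CLAIM:
            continue
        if wanted is not None and upn_domain(signin.get("userPrincipalName", "")) not in wanted:
            continue
        hits.append({field: signin.get(field) for field in REPORT_FIELDS})
    return hits


def pivot_by_ip(hits):
    """Group flagged sign-ins by source IP: an address that presents the claim for
    several accounts is the pivot point the page suggests following up on."""
    accounts = defaultdict(set)
    for hit in hits:
        accounts[hit["ipAddress"]].add(hit["userPrincipalName"])
    return {ip: sorted(users) for ip, users in accounts.items()}


if __name__ == "__main__":
    flagged = find_mfa_claim_signins(SAMPLE_SIGNIN_EXPORT, federated_domains={"corp.example"})
    for hit in flagged:
        print(hit["createdDateTime"], hit["userPrincipalName"], hit["ipAddress"], hit["userAgent"])
    print(pivot_by_ip(flagged))
```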

    Analysis of risky sign-in events

    In some cases, Azure Active Directory and its Identity Protection platform will generate risk events associated with the use of attacker generated SAML tokens. These can be labeled as “unfamiliar properties”, “anonymous IP address”, “impossible travel” and the other risk events as described here.

    Closely analyze all risk events associated with accounts that have administrative privileges. It is also important to analyze events that have been dismissed or remediated as some of these actions are done automatically. For example, a risk event for an anonymous IP address can be automatically remediated because the user passed MFA.

    Detection of domain authentication properties

    The attacker may attempt to manipulate the domain authentication policies, which are recorded in the Azure Active Directory Audit Logs and reflected in the Unified Audit Log. An attacker who has gained access with Global Administrator privileges can modify the domains that are federated and/or trusted. Review any events associated with “Set domain authentication” in the Unified Audit Log, the Azure AD Audit Logs, and/or your SIEM environment. Verify that all activities were expected and planned.

    The sample command below returns the entries from the Unified Audit Log which were associated with manipulation of domain authentication settings.

    Search-UnifiedAuditLog -StartDate <startdate> -EndDate <enddate> -ResultSize 5000 -Operations "Set domain authentication"

    Detection of credentials to a service principal associated with an OAuth application

    If the attacker has gained control of a credential with sufficient privileges, the attack pattern includes locating an application that has been granted the ability to access any user’s e-mail in the organization and adding attacker-controlled credentials to that application. In some cases, the attacker has modified these applications, granting them additional rights such as access to all e-mail in the organization.

    The following are operations that would be consistent with attacker behavior:

    • Add service principal credentials.
    • Update application – Certificates and secrets management.
    • Update service principal.
    • Add app role assignment to service principal.
    • Add app role assignment grant to user.
    • Add OAuth2PermissionGrant.

    Detection of e-mail access by applications

    Detection of access to e-mail by applications can be achieved using the Advanced Auditing capabilities of Office 365. Access to messages inside of Office 365 is audited via the MailItemsAccessed capability.

    Analyze events in the Unified Audit Log for the Operation of MailItemsAccessed.
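    The three detections above (domain authentication changes, the service principal credential operations, and MailItemsAccessed) as one offline triage over a Unified Audit Log export; this is an added example, not Microsoft's code, and it assumes AuditData-style field names (Operation, UserId, CreationTime, ClientIP, ObjectId), with the AppId field on MailItemsAccessed records and all sample records constructed.

```python
"""Triage Unified Audit Log records for the operations this guidance calls out.

Added example, not part of the Microsoft guidance. Assumes records shaped like
the AuditData JSON returned by Search-UnifiedAuditLog (Operation, UserId,
CreationTime, ClientIP, ObjectId); the AppId field on MailItemsAccessed records is
an assumption. Sample records are constructed, including the placeholder AppId.
"""
import json
from collections import Counter

# Operations called out in the guidance, grouped by what they indicate. The log
# may store Azure AD operations with a trailing period and an en dash, so
# matching is done on the normalised form produced by normalize_op().
WATCHED_OPERATIONS = {
    "domain-authentication": [
        "Set domain authentication",
    ],
    "service-principal-credential": [
        "Add service principal credentials",
        "Update application - Certificates and secrets management",
        "Update service principal",
        "Add app role assignment to service principal",
        "Add app role assignment grant to user",
        "Add OAuth2PermissionGrant",
    ],
    "mailbox-access": [
        "MailItemsAccessed",
    ],
}


def normalize_op(operation):
    """Canonical form of an Operation value: trimmed, trailing period dropped,
    en/em dashes folded to '-', case-insensitive."""
    op = operation.strip().rstrip(".")
    op = op.replace("\u2013", "-").replace("\u2014", "-")
    return op.casefold()


OPERATION_CATEGORY = {normalize_op(op): category
                      for category, ops in WATCHED_OPERATIONS.items() for op in ops}

# Constructed sample: one Global Admin session rewrites domain authentication,
# then adds a credential to an application's service principal; that application
# later reads a mailbox; a routine "Add user." is present and must not be flagged.
SAMPLE_UAL_EXPORT = json.dumps([
    {"CreationTime": "2020-12-13T22:41:10", "Operation": "Set domain authentication.",
     "UserId": "ga-admin@corp.example", "ClientIP": "203.0.113.7", "ObjectId": "corp.example"},
    {"CreationTime": "2020-12-13T22:52:03", "Operation": "Add service principal credentials.",
     "UserId": "ga-admin@corp.example", "ClientIP": "203.0.113.7",
     "ObjectId": "ServicePrincipal_mail-archiver"},
    {"CreationTime": "2020-12-13T22:53:40",
     "Operation": "Update application \u2013 Certificates and secrets management.",
     "UserId": "ga-admin@corp.example", "ClientIP": "203.0.113.7",
     "ObjectId": "Application_mail-archiver"},
    {"CreationTime": "2020-12-13T23:10:15", "Operation": "MailItemsAccessed",
     "UserId": "cfo@corp.example", "ClientIP": "203.0.113.7",
     "AppId": "00000000-0000-0000-0000-0000deadbeef"},  # constructed placeholder app id
    {"CreationTime": "2020-12-14T08:00:00", "Operation": "Add user.",
     "UserId": "helpdesk@corp.example", "ClientIP": "198.51.100.4",
     "ObjectId": "newhire@corp.example"},
])


def triage_ual(export_json):
    """Return one finding per record whose Operation is on the watch list."""
    findings = []
    for record in json.loads(export_json):
        category = OPERATION_CATEGORY.get(normalize_op(record.get("Operation", "")))
        if category is None:
            continue
        findings.append({
            "category": category,
            "operation": record.get("Operation"),
            "time": record.get("CreationTime"),
            "actor": record.get("UserId"),
            "client_ip": record.get("ClientIP"),
            # For MailItemsAccessed the application that read the mailbox is the
            # interesting party; for directory operations ObjectId is the target.
            "target": record.get("AppId") or record.get("ObjectId"),
        })
    return findings


def activity_by_actor(findings):
    """Count flagged operations per (actor, category) so an identity that both
    changed domain authentication and added service-principal credentials stands out."""
    return dict(Counter((f["actor"], f["category"]) for f in findings))


if __name__ == "__main__":
    found = triage_ual(SAMPLE_UAL_EXPORT)
    for finding in found:
        print(finding["time"], finding["category"], finding["actor"],
              finding["client_ip"], finding["target"])
    print(activity_by_actor(found))
```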

    Detection of non-interactive sign-ins to service principals

    The Azure Active Directory sign-in reports include non-interactive sign-ins using credentials issued to service principals (as was observed in this attack). Analyzing the service principal sign-in reports can provide valuable data, such as the IP address the attacker was using to access the applications for e-mail access.

    If evidence is found that administrative permissions acquired through the on-premises compromise were used to gain access to your organization’s global administrator account and/or trusted SAML token-signing certificate, Microsoft recommends taking the following immediate actions:

    Remediate and retain administrative control

    Regaining and retaining administrative control of your environment

    If your investigation has identified that the attacker has administrative control in the organization’s cloud environment and/or on-prem, it’s critical to regain control in such a way as to ensure that the attacker cannot retain persistence. Exactly which steps you will take depends both on what persistence you discovered in your investigation and on your level of confidence in the completeness of that investigation and its discovery of all possible methods of entry and persistence. While it is possible to regain control with high confidence even in the face of an incomplete investigation, doing so has a significant impact on business operations, so in our experience most organizations choose to remediate based on the results of the investigation.

    We recommend you consider the following steps when building your administrative control recovery plan, but the exact order and timing should be planned based on the results of your investigation and understanding of adversary owned administrative assets and methods of persistence.

    • Ensure that any actions described here are performed from a trusted device built from a clean source, such as a privileged access workstation.
    • If the organization has lost control of its token signing certificates or federated trust, the highest assurance approach is to remove the trust and switch to cloud-mastered identity while remediating on-prem. A detailed plan for doing so is beyond the scope of this document and requires careful planning and an understanding of the business operations impacts of isolating identity. Review the Azure Active Directory guidance for key considerations.
    • Should your organization choose not to break trust while recovering administrative control on-prem, you’ll need to rotate your SAML token signing certificate once you have regained administrative control on-prem and blocked the attacker’s ability to access the signing certificate again. It’s critical that your organization follow the certificate rotation instructions below to ensure that the attacker doesn’t maintain the ability to forge tokens for your domain.

    Rotation of ADFS token signing certificate

    For a compromised or potentially compromised ADFS Token Signing certificate, rotating the Token Signing certificate a single time would still allow the previous Token Signing certificate to work. The rationale for this is to permit a grace period to update your Relying Party Trusts prior to expiration of the certificate during normal rotation of the signing certificate.

    NOTE: Conducting the below steps in the ADFS environment will create both a primary and secondary certificate and will automatically promote the secondary certificate to primary after a default period of five days. If you have Relying Party trusts, this could cause impacts five days after the initial ADFS environment change and should be accounted for within your process. You can resolve this by replacing the primary certificate a third time with “-Urgent” and removing the secondary certificate or turning off automatic certificate rotation.

    If instead of rolling the Token Signing Certificate your organization feels the need to replace the ADFS servers with known clean systems, you can follow steps to remove the existing ADFS from your environment and build a new one.

    Delete Azure AD Cloud Provisioning agent configuration.

    Should your organization decide to rotate the certificate on your current ADFS servers, follow these steps in the below order, from the ADFS server:

    1. Check to make sure that your AutoCertificateRollover is set to True.
      Get-AdfsProperties | FL AutoCert*, Certificate*
      • If it is not, you can set it with this command:
        Set-ADFSProperties -AutoCertificateRollover $true
    2. Connect to the Microsoft Online Service.
    3. Document both your on-premise and cloud Token Signing Certificate thumbprint and expiration dates.
      Get-MsolFederationProperty -DomainName <domain>
    4. Replace the primary Token Signing certificate using the -Urgent switch to cause ADFS to replace the primary certificate immediately without making it a Secondary certificate.
      Update-AdfsCertificate -CertificateType Token-Signing -Urgent
    5. Create a secondary Token Signing certificate without using the -Urgent switch to allow for two on-premise Token Signing certificates, before syncing with Azure cloud.
      Update-AdfsCertificate -CertificateType Token-Signing
    6. Update the cloud environment with both the primary and secondary certificates on-premise to immediately remove the cloud published token signing certificate. If this step is not completed using this method you leave the potential for the old token signing certificate to still authenticate users.
      Update-MsolFederatedDomain -DomainName <domain>
    7. Verify that you completed the above steps and removed the certificate that was displayed in Step 3 above.
      Get-MsolFederationProperty -DomainName <domain>
    8. Revoke refresh tokens via PowerShell; information can be found here, and you can also reference “Revoke user access in Azure Active Directory.”
      • Note: This will log users out of their phones, current webmail sessions, and any other clients that are using tokens and refresh tokens.

    Additional cloud remediation activities to complete

    • Reset passwords on any break-glass accounts and reduce the number of break-glass accounts to the absolute minimum required.
    • We recommend that service and user accounts with privileged access be cloud-only accounts rather than on-premises accounts synced or federated to Azure Active Directory.
    • Enforce Multi-Factor Authentication (MFA) across all elevated users in the tenant. We recommend enforcing MFA across all users in the tenant.
    • Implement Privileged Identity Management (PIM) and conditional access to limit administrative access.
      • For Office 365 users, implement Privileged Access Management (PAM) to limit access to sensitive capabilities (including eDiscovery, Global Admin, Account Administration, and more).
    • Review and reduce all Enterprise Application delegated permissions or consent grants that allow actions such as:
      • Modification of privileged users and roles.
      • Reading, sending email, or accessing all mailboxes.
      • Accessing OneDrive, Teams, or SharePoint content.
      • Adding of Service Principals that can read/write to the Directory.
      • Application Permissions versus Delegated Access.

    Additional on-premises remediation activities to complete

    • Rebuild systems that were identified as compromised by the attacker during your investigation.
    • Remove unnecessary members from Domain Admins, Backup Operators, and Enterprise Admin groups. Reference Microsoft’s Securing Privileged Access.
    • Reset passwords of all privileged accounts in the environment.
      • Privileged accounts are not limited to built-in groups; they can also be groups that are delegated access to server administration, workstation administration, and other aspects of your environment.
    • Reset the krbtgt account using this script twice.
      • Note: If you are using Read-Only Domain Controllers, you will need to run the script for Read-Write Domain Controllers and Read-Only Domain Controllers.
    • After you validate that no persistence mechanisms created by the attacker exist or remain on your system, schedule a restart. This can assist with removing memory resident malware.
    • Reset each domain controller’s DSRM (Directory Services Restore Mode) password to something unique and complex.

    Remediate or block persistence discovered during investigation

    Remediate the persistence techniques identified in your investigation stage earlier. Investigation is an iterative process and you’ll need to balance the organizational desire to remediate as you identify anomalies and the chance that remediation will alert the attacker of your detection and cause them to react by changing techniques or creating additional persistence. For Office 365 accounts, automatically remediate known persistence techniques, if any are discovered, using the scripts described

    Remediate user and service account access

    Some of the user-level actions we recommend were described above already, specifically in terms of ensuring that MFA is enabled and running specific remediation scripts to clean up known persistence techniques. Here are some additional steps you should consider taking to remediate and restore user accounts:

    • Enforce conditional access based on trusted device.
      • If possible, enforce location-based conditional access that suits your organizational requirements.
    • For any user accounts suspected of being compromised, immediately reset passwords after eviction; make sure you also implement a mid-term plan to reset credentials for all accounts in your directory.
    • After credential rotation, use PowerShell to revoke refresh tokens immediately. More information can be found here and additional resources can be found at Revoke user access in an emergency in Azure Active Directory | Microsoft Docs.

    Improve security posture

    After a security event is a good time for organizations to reflect on their security strategy and priorities. Incident Responders are often asked to provide recommendations after an event on what investments the organization should prioritize now that it’s been faced with new threats. In addition to the recommendations documented earlier, we recommend you consider these areas of focus for your post-incident review recommendations that are responsive to the post-exploitation techniques used by this attacker and the common security posture gaps that enable them.

    General security posture

    • Review Microsoft Secure Score for security fundamentals recommendations customized for the Microsoft products and services you consume.
    • Ensure that your organization has EDR and SIEM solutions in place.
    • Review Microsoft’s Enterprise access model.


    1. Review Five steps to securing your identity infrastructure and prioritize steps as appropriate for your Identity architecture.
    2. Consider migrating to Azure AD Security Defaults for your authentication policy; details can be found here.
    3. Eliminate your organization’s use of legacy authentication; if systems or applications still require it, review the guidance here.
      • As announced last year, the Exchange Team is planning to disable Basic Authentication for the EAS, EWS, POP, IMAP, and RPS protocols in the second half of 2021. As a point of clarity, Security Defaults and Authentication Policies are separate but provide complementary features. We recommend that customers use Authentication Policies to turn off Basic Authentication for a subset of Exchange Online protocols or to gradually turn off Basic Authentication across a large organization. While more details will come in future announcements, as mentioned in April, we plan to begin disabling Basic Authentication in existing tenants with no recorded usage as early as October 2020. We will provide notifications via Message Center posts before we disable Basic Authentication for any tenant.
    4. In order to help protect your ADFS/Azure AD Connect systems, in addition to the existing ADFS guidance, we recommend that you consider the following actions:
      • Treat your ADFS infrastructure and AD Connect infrastructure as a Tier 0 asset.
      • Restrict local administrative access to the system, including the account that is used to run the ADFS service.
        • The least privilege necessary for the account running ADFS is the Log on as a Service User Right Assignment.
      • Restrict administrative access to limited users and from limited IP address ranges by leveraging Windows Firewall policies for Remote Desktop.
        • It is recommended to set up a Tier 0 jump box or equivalent system.
      • Block all inbound SMB access to the systems from anywhere in the environment. See this resource for further details.
        • Get the Windows Firewall logs to a SIEM for historical and proactive monitoring.
      • If you are using a Service Account and your environment supports it, migrate from a Service Account to a group Managed Service Account (gMSA). If you cannot move to a gMSA, rotate the password on the Service Account to a complex password.
      • Ensure Verbose logging is enabled on your ADFS systems by executing the following commands:
    Set-AdfsProperties -AuditLevel verbose
    Restart-Service -Name adfssrv
    Auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
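    The network restriction, firewall logging and verbose auditing steps from the ADFS list above, as one added PowerShell script (not code from the Microsoft post) with a companion check that reports the resulting state. It assumes it is run elevated on the ADFS host; the jump-box address range and the firewall log path are placeholders, and the rule display names are my own.

```powershell
# Added example (not from the Microsoft post): apply and verify the ADFS host
# hardening steps listed above. Assumes an elevated session on the ADFS server;
# the jump-box range and log path are placeholders to adjust for your environment.

function Protect-AdfsHost {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$JumpBoxAddresses,   # e.g. '10.10.0.0/24' (placeholder)
        [string]$FirewallLog = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'
    )
    if ($PSCmdlet.ShouldProcess('Windows Firewall', 'Block inbound SMB, scope RDP, enable logging')) {
        # Block inbound SMB from anywhere: an ADFS server has no reason to serve file shares
        New-NetFirewallRule -DisplayName 'ADFS - Block inbound SMB' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        # Scope the built-in Remote Desktop rules to the Tier 0 jump box range instead of
        # adding a Block rule: in Windows Firewall a Block rule overrides any Allow rule,
        # so a generic "block 3389" rule would also cut off the jump box.
        Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $JumpBoxAddresses
        # Log dropped connections so the file can be forwarded to the SIEM
        Set-NetFirewallProfile -All -LogBlocked True -LogFileName $FirewallLog
    }
    if ($PSCmdlet.ShouldProcess('ADFS', 'Enable verbose auditing')) {
        Set-AdfsProperties -AuditLevel Verbose
        auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable | Out-Null
        Restart-Service -Name adfssrv
    }
}

function Test-AdfsHardening {
    # Returns a checklist object; any $false value needs attention
    $smbRule    = Get-NetFirewallRule -DisplayName 'ADFS - Block inbound SMB' -ErrorAction SilentlyContinue
    $rdpRules   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $rdpScoped  = @($rdpRules | Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -ne 'Any' }).Count -gt 0
    $svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
    [pscustomobject]@{
        InboundSmbBlocked    = ($null -ne $smbRule) -and ("$($smbRule.Enabled)" -eq 'True')
        RdpScopedToJumpBox   = $rdpScoped
        FirewallLogsBlocked  = "$((Get-NetFirewallProfile -Name Domain).LogBlocked)" -eq 'True'
        VerboseAuditEnabled  = (Get-AdfsProperties).AuditLevel -contains 'Verbose'
        ServiceAccount       = $svcAccount
        # gMSA account names end with '$'; a plain service account should be migrated or rotated
        ServiceAccountIsGmsa = $svcAccount -like '*$'
    }
}

# Protect-AdfsHost -JumpBoxAddresses '10.10.0.0/24' -WhatIf   # preview first
# Protect-AdfsHost -JumpBoxAddresses '10.10.0.0/24'
# Test-AdfsHardening
```

    Run Test-AdfsHardening both before and after the change and keep the output with the incident records; the ServiceAccountIsGmsa field is a quick way to see whether the gMSA migration recommended above is still outstanding.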

    Contributors: We thank the team at FireEye for their contributions and review.

    The post Advice for incident responders on recovery from systemic identity compromises appeared first on Microsoft Security.

    How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise

    In a blog post released 13 Dec 2020, FireEye disclosed that threat actors compromised SolarWinds’s Orion IT monitoring and management software with a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll, delivered as part of a digitally-signed Windows Installer patch. The trojanized file delivers a backdoor, dubbed SUNBURST by FireEye (and Solorigate by Microsoft), that communicates with third-party servers for command and control and malicious file transfer, giving the attacker a foothold on the affected system with elevated privileges. From there, additional actions on the objective, such as lateral movement and data exfiltration, are possible. Since the release of FireEye’s initial blog, subsequent analysis by McAfee and the wider industry, as well as alerts from CISA, have shown the attack growing in size, breadth and complexity. We will continue to update defensive recommendation blogs like this one as new details emerge.

    The use of a compromised software supply chain as an Initial Access technique (T1195.002) is particularly dangerous because the attack uses assumed trusted paths and as such can go undetected for a long period. This attack leveraged several techniques, such as trusted software, signed code and stealthy hiding-in-plain-sight communication, allowing the attacker to evade even strong defenses and enjoy a long dwell time before detection. The sophisticated nature of the attack suggests that an Advanced Persistent Threat (APT) group is likely responsible. In fact, FireEye is tracking the group as UNC2452 and has released countermeasures to identify the initial SUNBURST backdoor. McAfee has also provided an intelligence summary within MVISION Insights, and mitigation controls for the initial entry vectors are published in KB93861. For additional response actions, please view Part One of this blog series here. If you are using SolarWinds software, please refer to the company guidance here to check for vulnerable versions and patch information.

    However, looking beyond the initial entry and containment actions, you should think about how you are prepared for this type of attack in the future. These are sophisticated actors who may use other techniques such as spearphishing to gain access, then move around the corporate network and potentially steal intellectual property, as was the case with FireEye. They will change techniques and tools, so you need to be ready. Our Advanced Threat Research team tracks over 700 APT and cyber crime campaigns, so the potential for another threat actor to launch a similar attack is high. In this blog, we will take a specific look at the techniques used in the SolarWinds compromise and provide some guidance on how McAfee solutions could help you respond now and prepare for this type of threat in the future with an adaptable security capability for resilience.

    Attack Chain Overview

    In our first blog in this series, we provided some initial response guidance designed to disrupt the attack early in the Execution phase or look retrospectively on the endpoints or proxy logs for indicators of compromise. But as you can see in the attack timeline below, it started much earlier with purposeful and detailed preparation and includes multiple other steps. A couple of techniques speak volumes about the sophistication and planning involved in this campaign.

    Figure 1: SUNBURST Attack Progression

    First is the choice of entry vector. The attacker in this case compromised part of the software supply chain by weaponizing software by SolarWinds, a major brand of IT management software. While software supply chain compromises are not new, like the recent one affecting JavaScript, they are typically on a smaller scale or more quickly detected. More common initial access techniques involve Spearphishing or taking advantage of open remote services like RDP. While both take planning and effort, weaponizing software from a major technology company and going undetected in that process is no easy feat. Secondly, the calculated wait time before external communication and the custom Domain Generation Algorithm (DGA) indicate the attacker has a lot of patience and stealth capability. For more detailed analysis of these advanced techniques, see McAfee Labs additional analysis blog on the SUNBURST backdoor.

    The attack also involves numerous post-exploitation actions such as command and control communication masquerading (T1001.003) as normal update traffic, additional payload transfers (T1105), system discovery, credential harvesting and potentially then movement to other systems, even cloud-hosted infrastructure systems. The goal, of course, is to disrupt or detect any stage of the attack before the breakout point and hopefully before any real impact to the business. The breakout point is when an attacker has gained privileges and starts to move laterally within the business. At that point, it becomes very difficult, but not impossible, to disrupt or detect the activity. But you must act fast. The impact of the attack can vary: in one case it could be loss of intellectual property, but in another, destruction of critical systems or data could be the goal. Also, what if the attacker used other initial access techniques, such as spearphishing (T1566), to deliver a similar backdoor? Would you be able to detect that activity or any of the follow-on actions? Our point is: don’t just update the endpoint with the latest DAT and consider yourself secure. Look for other ways to disrupt or detect an attack throughout the whole attack chain, leveraging both prevention and detection capability and keeping the end goal in mind to reduce impact to the business. Also think about how you prepare. The attackers in this case spent a lot of time in preparation, creating custom malware and infrastructure. How about your organization? Do you know which attackers might be targeting your organization? Do you know their tactics and techniques?

    Staying Ahead with MVISION Insights

    In the first hours of a new threat campaign, if the CIO or CISO asked you, “are we exposed to SUNBURST”, how long would it take you to answer that question? One place to turn is MVISION Insights. MVISION Insights combines McAfee’s Threat Intelligence research with telemetry from your endpoint controls to reduce your attack surface against emerging threats. MVISION Insights tracks over 700 APT and Cyber Crime campaigns as researched by McAfee’s ATR team, including the most recent, FireEye Red Team tool release and SolarWinds Supply Chain Compromise campaigns.

    Figure 2: Getting details on the attack

    In the beginning hours of a new threat response, you can use MVISION Insights to get a quick summary of the threat, view external resources, and see a list of known indicators such as files, URLs, or IP addresses. The campaign summary saves you some of the time-consuming work of combing multiple sites, downloading reports, and building out the broader picture. MVISION Insights provides the critical pieces in one place, allowing you to move more quickly through the response process. The next question to answer is: is this new attack a risk to my business? Insights can help you answer that question as well when you click on “Your Environment”.

    Figure 3: Quick review of your exposure

    Insights automatically correlates the indicators of compromise with Threat Events from McAfee ENS, allowing you to quickly assess whether there is an immediate problem. If you had a detection, you should immediately go to incident response. Insights also reviews your endpoint control configuration to assess whether you have the right content update deployed to potentially disrupt the threat. At this point, you are closer to answering the CIO’s question of “are we exposed”. I say closer because Insights currently provides only the endpoint protection view, so you will need to review the other controls you have in place to fully assess risk.

    Figure 4: Detail review of your exposure

    However, Insights also assesses your endpoint security posture against other advanced threat techniques, looking to see if you are getting the best value from ENS by leveraging signature, intelligence and behavior anomaly detection capability in the solution. This is important because the attackers will change tactics, using new entry techniques and tools, so your security posture must continuously adapt. And this is just one campaign. Insights is summarizing intelligence, surfacing detections and reducing your attack surface continuously, against 700 campaigns!

    Review your Defensive Architecture

    Mitigating risk from SUNBURST and similar sophisticated APT campaigns requires a security architecture that provides defense in depth and visibility throughout the entire attack chain. You should review your architecture and assess gaps either in technique visibility or protection capability. Below we have outlined where McAfee and partner solutions could be used to either disrupt or detect some of the attack techniques used in SUNBURST based on what we know today.

    Figure 5:  Device to Cloud Security Architecture

    While the attacker is no doubt sophisticated and stealthy, the multi-stage aspect of the attack presents opportunities to detect or stop it at multiple points, and perhaps even before the attack gains a foothold. We cover more about how to use McAfee EDR to search for or detect some of the techniques used in SUNBURST in the next section. However, there are some other key cyber defense capabilities that may be overlooked in your organization but are critical to having a chance at detection and mitigation. We highlight those in this section below.

    Getting inside the attacker’s preparation

    Normally this is beyond what most organizations have time to do. However, in this case, you need to gain any advantage you can. We discussed MVISION Insights above, so here we will cover additional guidance. During the preparation phase of this attack, the attacker obtains infrastructure within the target geography to host their command and control server. During this phase, they also set the hostnames of their C2 servers to mimic target organization hostnames. A scan for your domain names on external IP blocks can reveal the attack formation. Open source tools such as Spiderfoot offer a number of plugins to gather and analyze such types of data. Passive DNS, combined with a view of which hosts are communicating with unusual domain names, also represents a window of detection, whereby Advanced DNS Protection solutions such as those from our SIA partner Infoblox can detect behavior-based DGA usage by malware and automatically block such DNS resolution requests.

    Visibility on DNS

    DNS queries often provide the first layers of insights into any type of C2 communication and data exfiltration. You should enable logging ideally at an upstream resolver(s) where you can see traffic from your entire infrastructure. More information can be found here for Windows DNS Servers and Linux Bind DNS Servers.  This could be forwarded to McAfee ESM/other SIEMs for analysis and correlation for detection of DGA-type activities.
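    A worked example of the DGA-type detection that the two sections above describe, added here as PowerShell that is not part of the McAfee post. It scores DNS query logs by the Shannon entropy of the leftmost label and flags a client that resolves several distinct random-looking subdomains under one parent domain. The log lines are constructed in a simplified "time client qname rcode" form for the demonstration; the parser would be adapted to the Windows DNS analytic log or BIND query log you actually collect, and the domain names and thresholds are placeholders.

```powershell
# Added example (not from the McAfee post): score DNS query logs for DGA-like activity.
# Input lines are constructed below in a simplified "time client qname rcode" layout;
# adapt the parsing in Find-DgaSuspects to your own DNS server log format.

function Get-ShannonEntropy {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $n = $Text.Length
    $h = 0.0
    foreach ($v in $counts.Values) { $p = $v / $n; $h -= $p * [Math]::Log($p, 2) }
    return $h
}

function Find-DgaSuspects {
    param(
        [string[]]$LogLines,
        [double]$EntropyThreshold = 3.3,   # "www" scores 0, "microsoft" about 2.9, random strings above 4
        [int]$MinLabelLength = 14,         # encoded DGA labels are long; short hostnames are skipped
        [int]$MinDistinct = 3              # distinct random labels per client + parent domain before alerting
    )
    $hits = @{}
    foreach ($line in $LogLines) {
        $parts = $line -split '\s+'
        if ($parts.Count -lt 4) { continue }
        $client = $parts[1]; $qname = $parts[2].TrimEnd('.').ToLower()
        $labels = $qname -split '\.'
        if ($labels.Count -lt 3) { continue }          # need subdomain + registered domain
        $leaf   = $labels[0]
        $parent = $labels[1..($labels.Count - 1)] -join '.'
        if ($leaf.Length -lt $MinLabelLength) { continue }
        if ((Get-ShannonEntropy $leaf) -lt $EntropyThreshold) { continue }
        $key = "$client|$parent"
        if (-not $hits.ContainsKey($key)) { $hits[$key] = New-Object System.Collections.Generic.HashSet[string] }
        [void]$hits[$key].Add($leaf)
    }
    foreach ($key in $hits.Keys) {
        if ($hits[$key].Count -ge $MinDistinct) {
            $client, $parent = $key -split '\|'
            [pscustomobject]@{ Client = $client; ParentDomain = $parent; DistinctRandomLabels = $hits[$key].Count }
        }
    }
}

# Constructed sample log: one workstation resolving rotating random subdomains under a parent
# domain that also serves legitimate-looking names (placeholders, not real indicators)
$sampleLog = @(
    '2020-12-14T09:00:01Z 10.1.2.33 www.microsoft.com NOERROR',
    '2020-12-14T09:00:05Z 10.1.2.33 login.microsoftonline.com NOERROR',
    '2020-12-14T09:01:10Z 10.1.2.50 k3x9d7mq2vz8b4ht1ypw6.api.sample-cloud.example NOERROR',
    '2020-12-14T09:13:42Z 10.1.2.50 q8w2e5r9t1y4u7i0p3a6s.api.sample-cloud.example NOERROR',
    '2020-12-14T09:25:07Z 10.1.2.50 z1x4c7v0b3n6m9a2s5d8f.api.sample-cloud.example NOERROR',
    '2020-12-14T09:26:00Z 10.1.2.50 update.sample-cloud.example NOERROR'
)
Find-DgaSuspects -LogLines $sampleLog | Format-Table -AutoSize
# Expected: one row, Client 10.1.2.50, ParentDomain api.sample-cloud.example, DistinctRandomLabels 3
```

    Entropy alone produces false positives on CDN and cloud hostnames, which is why the check also requires a minimum label length and several distinct labels from the same client under the same parent; tune the three thresholds against a week of your own resolver logs before turning this into a SIEM rule.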

    NetFlow Logging

    Being able to detect unusual flows should also be a priority for incident responders. Along with DNS queries, NetFlow data when combined with UBA provides a great source of detection, as the attackers’ use of VPS providers can be combined with user login data to detect an “impossible rate of travel event.”
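    The "impossible rate of travel" check mentioned above, as an added PowerShell example that is not part of the McAfee post. It takes sign-in events that have already been enriched with a geolocation for the source address (in practice joined from NetFlow or authentication logs and a GeoIP lookup) and flags consecutive sign-ins by the same user that would require travelling faster than a commercial flight. The users, addresses and coordinates below are constructed placeholders.

```powershell
# Added example (not from the McAfee post): flag impossible travel between consecutive
# sign-ins of the same user. Events are constructed inline; real input would come from
# login records joined with source-IP geolocation. Users and addresses are placeholders.

function Get-DistanceKm {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    # Haversine great-circle distance on a 6371 km sphere
    $toRad = [Math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $toRad
    $dLon = ($Lon2 - $Lon1) * $toRad
    $a = [Math]::Pow([Math]::Sin($dLat / 2), 2) +
         [Math]::Cos($Lat1 * $toRad) * [Math]::Cos($Lat2 * $toRad) * [Math]::Pow([Math]::Sin($dLon / 2), 2)
    return 6371.0 * 2 * [Math]::Atan2([Math]::Sqrt($a), [Math]::Sqrt(1 - $a))
}

function Find-ImpossibleTravel {
    param([object[]]$Events, [double]$MaxSpeedKmh = 900)   # above airliner cruising speed
    $Events | Sort-Object User, Time | Group-Object User | ForEach-Object {
        $seq = @($_.Group)
        for ($i = 1; $i -lt $seq.Count; $i++) {
            $prev = $seq[$i - 1]; $curr = $seq[$i]
            $km    = Get-DistanceKm $prev.Lat $prev.Lon $curr.Lat $curr.Lon
            $hours = ($curr.Time - $prev.Time).TotalHours
            if ($hours -le 0) { continue }   # same timestamp: cannot compute a speed
            $speed = $km / $hours
            if ($speed -gt $MaxSpeedKmh) {
                [pscustomobject]@{
                    User = $curr.User; From = "$($prev.Place) ($($prev.Source))"; To = "$($curr.Place) ($($curr.Source))"
                    DistanceKm = [Math]::Round($km); Hours = [Math]::Round($hours, 2); SpeedKmh = [Math]::Round($speed)
                }
            }
        }
    }
}

# Constructed sign-ins (documentation IP ranges): alice's second login comes from a VPS
# on another continent half an hour later; bob travels between two UK offices over 3 hours.
$signIns = @(
    [pscustomobject]@{ User='alice'; Time=[datetime]'2020-12-14T09:00:00'; Source='203.0.113.10'; Place='London';     Lat=51.5074; Lon=-0.1278 },
    [pscustomobject]@{ User='alice'; Time=[datetime]'2020-12-14T09:30:00'; Source='198.51.100.7'; Place='Singapore';  Lat=1.3521;  Lon=103.8198 },
    [pscustomobject]@{ User='bob';   Time=[datetime]'2020-12-14T09:00:00'; Source='203.0.113.10'; Place='London';     Lat=51.5074; Lon=-0.1278 },
    [pscustomobject]@{ User='bob';   Time=[datetime]'2020-12-14T12:00:00'; Source='203.0.113.44'; Place='Manchester'; Lat=53.4808; Lon=-2.2426 }
)
Find-ImpossibleTravel -Events $signIns | Format-Table -AutoSize
# Expected: one row for alice (roughly 10,900 km in 0.5 h); bob's 260 km in 3 h is not flagged
```

    VPN concentrators and cloud proxies geolocate far from the user and are the main source of noise for this check, so maintain an allow-list of known egress addresses and treat a hit on a privileged account as a priority for the investigation rather than an automatic block.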

    Hunting for Indicators with MVISION EDR

    As described in the defensive architecture, MVISION EDR plays a vital role in hunting for prevalence of indicators related to the SUNBURST backdoor and ensuing post compromise activity. The role of MVISION EDR becomes even more important due to the usage of manual OPSEC by the threat actor where what follows the initial breach is driven by how the threat actor is targeting the organisation.

    Hunting for Presence of Malicious Files

    You can use MVISION EDR or MAR to search endpoints for SUNBURST indicators as provided by Microsoft and FireEye. If you are licensed for MVISION Insights, you can pivot directly to MVISION EDR to search for indicators. MVISION EDR supports real-time searches to hunt for the presence of files on the endpoints and allows for sweeps across the estate. The following query can be used with the pre-populated malicious file hash list. The presence of a file on a system does not by itself mean the attack was successful; further hunting is needed to check for execution of the actual malicious code. See the search syntax below.


    Begin MVEDR Query Syntax…

    Files name, full_name, md5, sha256, created_at, create_user_name, create_user_domain and HostInfo hostname, ip_address, os and LoggedInUsers username, userdomain where Files sha256 equals "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c" or Files sha256 equals "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77" or Files sha256 equals "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed" or Files sha256 equals "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b" or Files sha256 equals "32519685c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77" or Files sha256 equals "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600" or Files sha256 equals "53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7" or Files sha256 equals "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134" or Files sha256 equals "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6" or Files sha256 equals "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77" or Files sha256 equals "292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712" or Files sha256 equals "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71"

    …End MVEDR Query Syntax

    Figure 6: Real Time Search for indicators

    Additionally, you can run a historical search for the creation and deletion of files going back up to 90 days in cloud storage.

    Figure 7: Historical Search and Modification of Files

    The threat actor is known to rename system utilities/files and clean up their tracks. MVISION EDR can review historical changes to the file system, which is crucial in determining whether an endpoint was a victim of this attack. The flexible search interface can be used to filter down and track the progress of the attacker’s objectives, e.g. by looking at changes triggered from the infected DLLs such as netsetupsvc.dll.

    Hunting for Malicious Network Connections

    MVISION EDR allows for tracing of active network connections by leveraging the real-time search functionality.


    Figure 8: Realtime Network Connections

    You can also leverage the historical search function to look for historical connections related to the command and control activity for this threat actor. The filtering by process ID and source/destination IP allows analysts to track down the malicious communications.

    Figure 9: Historical Network Connections

    MVISION EDR also allows analysts to review historical DNS lookups thus allowing for the ability to hunt for malicious DNS lookups. This is a very important capability in the product as many organizations do not log DNS or have a DNS hierarchy that makes it harder to log the end device making the actual request.

    Figure 10: Historical DNS Searches

    Hunting for Malicious Named Pipes Across the Estate

    MVISION EDR includes a custom collector creation ability that allows for execution of custom commands across the estate. In this case, it’s possible to look for the existence of the named pipes by executing the following PowerShell command:

    Figure 11: EDR Named Pipe Collector

    PowerShell command for pipe detection: [System.IO.Directory]::GetFiles("\\.\\pipe\\") | %{($_ -split "\\")[6]}

    Figure 12: Realtime Search for Named Pipe

    HostInfo hostname, ip_address, os where _NamedPipe pipename contains "583da945-62af-10e8-4902-a8f205c72b2e"

    Hunting for Malicious Processes

    It is known the attacker in its final stages leverages legitimate SolarWinds processes to complete their objectives:

    ProcessHistory parentname, name, id, cmdline WHERE ProcessHistory parentname equals "WerFault.exe" or ProcessHistory parentname equals "ExportToPDFCmd.Exe" or ProcessHistory parentname equals "APMServiceControl.exe" or ProcessHistory parentname equals "SolarWinds.Credentials.Orion.WebApi.exe" or ProcessHistory parentname equals "SolarWinds.Orion.Topology.Calculator.exe" or ProcessHistory parentname equals "\SolarWinds\Orion\Database-Maint.exe"
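    The three hunts above (known file hashes, the named pipe, and child processes of the SolarWinds parent processes) combined into one local triage script, added here as a PowerShell example that is not McAfee’s code; it is the kind of collector you would run on a host that has no EDR agent, or push through the custom collector described above. The hashes, pipe name and parent process names are the ones listed in the post; the Orion install path is an assumed default and the function names are mine.

```powershell
# Added example (not McAfee's code): local SUNBURST triage for a host without EDR coverage.
# Hash list, pipe name and parent process names are copied from the hunts above;
# the Orion path is an assumed default and should be adjusted for the host.

$SunburstSha256 = @(
    'ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c',
    'c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77',
    'eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed',
    'dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b',
    '32519685c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
    'd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600',
    '53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7',
    '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
    'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6',
    '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
    '292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712',
    'c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71'
)
$SunburstPipeName = '583da945-62af-10e8-4902-a8f205c72b2e'
$SuspectParents   = @('WerFault.exe', 'ExportToPDFCmd.Exe', 'APMServiceControl.exe',
    'SolarWinds.Credentials.Orion.WebApi.exe', 'SolarWinds.Orion.Topology.Calculator.exe', 'Database-Maint.exe')

function Get-FileHashMatches {
    param([string]$Path, [string[]]$Hashes)
    $wanted = [System.Collections.Generic.HashSet[string]]::new([string[]]$Hashes, [System.StringComparer]::OrdinalIgnoreCase)
    Get-ChildItem -Path $Path -Recurse -File -Include *.dll -ErrorAction SilentlyContinue | ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $wanted.Contains($h)) {
            [pscustomobject]@{ Check = 'FileHash'; Detail = $_.FullName; Value = $h }
        }
    }
}

function Get-NamedPipeMatches {
    param([string]$Pattern)
    # Same enumeration as the collector command above, returned as objects instead of raw strings
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { [System.IO.Path]::GetFileName($_) } |
        Where-Object { $_ -like "*$Pattern*" } |
        ForEach-Object { [pscustomobject]@{ Check = 'NamedPipe'; Detail = $_; Value = $Pattern } }
}

function Get-SuspiciousChildProcesses {
    param([string[]]$ParentNames)
    $procs = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        $parent = $byId[[int]$p.ParentProcessId]
        # PIDs are reused, so only trust the link when the parent started before the child
        if ($parent -and ($ParentNames -contains $parent.Name) -and ($parent.CreationDate -le $p.CreationDate)) {
            [pscustomobject]@{ Check = 'ChildProcess'; Detail = "$($parent.Name) -> $($p.Name) [$($p.ProcessId)]"; Value = $p.CommandLine }
        }
    }
}

function Invoke-SunburstTriage {
    param([string]$OrionPath = 'C:\Program Files (x86)\SolarWinds\Orion')   # assumed default install path
    $findings = @()
    $findings += Get-FileHashMatches -Path $OrionPath -Hashes $SunburstSha256
    $findings += Get-NamedPipeMatches -Pattern $SunburstPipeName
    $findings += Get-SuspiciousChildProcesses -ParentNames $SuspectParents
    [pscustomobject]@{ Host = $env:COMPUTERNAME; CheckedAtUtc = (Get-Date).ToUniversalTime(); Findings = $findings }
}

Invoke-SunburstTriage | ConvertTo-Json -Depth 4
```

    As the post notes, a hash match alone shows that the trojanized DLL is present, not that it ran; the pipe and child-process checks are the signs of execution, and an empty result for all three on a host that had the vulnerable version installed should still be followed by the historical file and network searches described above, since the actor is known to clean up.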

    Hunting back longer than 90 days with EDR Trace Data

    MVISION EDR’s architecture leverages the Data Exchange Layer to stream trace data to our cloud service where we apply analytics to identify or investigate a threat. Trace data are artifacts from the endpoint, such as file hashes, processes, communications, typically needed for endpoint detection and searches. The DXL architecture allows that data to be streamed to the cloud as well to a local data store such as a SIEM or other log storage like Elastic simultaneously.

    Figure 14: Long term search of EDR trace data in a Kibana dashboard


    Figure 15: Long term search of EDR trace data in a Sp dashboard

    You can store the data longer than the 90-day maximum McAfee stores in our cloud. Why is this important? Recent analysis of SUNBURST suggests that the attack goes as far back as March 2020, and perhaps earlier. This local storage would provide capability to hunt for indicators further back as needed, if so configured.

    Assessing Visibility

    How do you know what data sources are needed to detect MITRE ATT&CK tactics and techniques? Carlos Diaz from MVISION EDR engineering wrote a great tool called Mitre-Assistant to simplify that process. You can download that tool here.

    Detecting Actions on Objective

    Post Initial Exploit Threat Detection and Analysis in EDR

    One of the key challenges threat hunters and security analysts face is the second phase of the attack, where it is understood the attacker has dropped malware to execute and complete their objectives. This sophisticated execution of malware from a trusted process is detected by MVISION EDR and automatically mapped to the MITRE ATT&CK Framework. As part of the detection and process tracing, EDR also captures the command executed on the endpoint. This becomes invaluable when tracking the manual OPSEC aspect of the second phase of the attack.

    Figure 16: Mitre analysis and threat detection for post exploit execution

    MVISION EDR provides extensive capabilities to respond to threats once they have been assessed. For example, once real-time searches are executed, analysts can rapidly scope the affected endpoints, at which point the solution offers multiple options for containment and remediation of the threat across the estate through bulk operations.

    Figure 17: EDR Bulk Threat Mitigation

    Detecting Data Exfiltration, Lateral Movement and Prevention

    MVISION EDR provides a way to easily visualize data egress by looking at the topology view of the endpoints where malicious activity has been detected. By observing the network-flow map, the outlier connections can be easily identified and then correlated with WHOIS, IP reputation and passive DNS data from providers like McAfee GTI and VirusTotal. Once established, the external connections can be blocked and the endpoint can be quarantined from the EDR console. EDR also shows common processes spawning across multiple endpoints to highlight lateral movement, which is also tagged as part of the MITRE techniques being identified and detected.

    Figure 18: EDR Lateral Movement and Exfiltration

    Combining EDR with deception technology such as that from Attivo Networks adds a form of offensive detection: the attacker can be effectively trapped because they never obtain the real credentials required to make lateral movement or privilege escalation succeed, and so fail to complete their objectives.

    An integrated approach to DLP can also provide effective protection against the completion of the objectives; e.g. a unified DLP policy across the endpoint and web gateway looking for exfiltration of sensitive organizational data can provide valuable defenses. McAfee’s UCE platform provides such unified data protection capabilities.

    Cloud account compromise detection

    Our latest research indicates the attacker is actively looking to establish additional footholds in customer cloud environments such as Azure AD, or to bypass multi-factor authentication by hijacking SAML sessions. McAfee’s MVISION Cloud Access Control and User Anomaly Detection can identify suspicious access attempts to cloud services and infrastructure.

    It is recommended to increase monitoring and investigation of such activity, especially for privileged accounts on sensitive infrastructure.

    Supply Chain and Intellectual Property Protection

    In addition to architecture review and continuous hunting for indicators, it is recommended that customers work with their suppliers – IT, Cloud Services, Infrastructure, Hardware, etc. – to validate integrity. Secondly, review controls, detection use cases in the SOC and logs, specifically related to your intellectual property. A tabletop exercise to rehearse crisis management and breach notification procedures is also recommended.

    Summary and Next Steps

    It’s important to note that analysis of this attack is ongoing across the globe and events are still unfolding. The presence/detection of the backdoor and affected software is just the beginning for many customers. MVISION EDR or other tool detections of malicious named-pipe presence and domains help indicate to a customer if the backdoor was running, but with the gathered system information, the adversary may have valid accounts and access to AD or Cloud systems in some cases. The adversary has been wiping information/log files to erase traces. Incident Response is a critical piece of your overall business resilience and if you are affected, you will no doubt be asking yourself these types of questions.

    • When did we install the vulnerable software?
    • Did they compromise user-accounts and have AD access?
    • Did they install additional backdoors?
    • How many systems and accounts are affected?
    • Were cloud or enterprise resources accessed?
    • Was information stolen? If so, do we have notification procedures?
    • Are there other supply chain compromises yet undiscovered?

    McAfee will continue to post analysis results and defensive guidance as we learn more about the attack. Customers should follow McAfee Labs posts, check the Insights Preview Dashboard for latest threat intelligence, and continually check the Knowledge Center for latest product guidance.

    The post How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise appeared first on McAfee Blogs.

    Predicted Data Classification Trends for 2021

    Article by Adam Strange, Data Classification Specialist, HelpSystems

    In the digitally accelerated COVID-19 environment of 2021 what are the top data security trends that organisations are facing? Here is HelpSystems Data Classification Specialist, Adam Strange’s take on the outlook and trends for 2021.

    Ongoing Growth in Remote Working will Create Data Security Threats
    • The far-reaching impact of COVID-19 includes the intensified threat of malicious cyber attacks as well as an escalating number of damaging data breaches across almost every sector of business. The rapid shift to remote working during the pandemic left many employers exposed to hackers and highlighted multiple examples of serious network and data vulnerabilities.
    • For example, in a recent article, Infosecurity Magazine quotes research finding that attacks on the biotech and pharmaceutical industry alone rose by 50% in 2020 compared to 2019. And in the defence sector, The Pentagon is seeing a huge rise in cyber attacks through the pandemic, where unprecedented numbers of employees are forced to communicate through their own devices. 
    • As more companies move to facilitate a semi-permanent remote workforce, data security ecosystems will evolve to become more complex and advanced data management and classification solutions will be a critical technology investment.
    • ‘Insider threat’ will be categorised as the most prominent tier 1 data security risk in 2021, necessitating stricter corporate guidelines and protocols in data classification, as well as comprehensive employee education programmes around data security. 
    • HelpSystems’ recent research interviewed 250 CISOs and CIOs in financial institutions about the cybersecurity challenges they face and found that insider threat - whether intentional or accidental - was cited by more than a third (35%) of survey respondents as one of the threats with the potential to cause the most damage in the next 12 months. 
    • Further, the latest Information Commissioner’s Office (ICO) report confirmed that misdirected email remains one of the UK’s most prominent causes of security incidents, demonstrating the need for all organisations to control the dissemination of their classified data. 
    • HelpSystems’ technologies in data security and classification are enabling businesses to regain control of sensitive data, identify sensitive data by scanning and analysing data at rest and classify and protect personal data by detecting PII at creation. 
    A Security Culture needs to be Embedded into Organisations, especially as Insider Breach Risk continues to Grow
    • In 2021 data governance will take centre stage in data security and privacy strategies. Companies will create Centres of Excellence (COE) to embed a solid data security culture across teams and corporate divisions and to formalise in-house data management processes, rolling out divisional best practice and placing data classification at the foundation of their data security strategy.
    • Employees play a vital role in ensuring the organisation maintains a strong data privacy posture. For this to be effective, organisations need to ensure that they provide regular security awareness training to protect sensitive information. In terms of how they go about doing this, they must invest in user training and education programmes. 
    • The security culture of the firm must be inclusive towards all employees, making sure they are continually trained so that their approach to security becomes part of their everyday working practice, irrespective of their location, and security becomes embedded into all their actions and the ethos of the business. 
    • Data classification solutions will allow businesses to protect data by putting appropriate security labels in place. HelpSystems data classification uses both visual and metadata labels to classify both emails and documents according to their sensitivity. Once labelled, data is controlled to ensure that emails, documents and files are only sent to those that should be receiving them, protecting sensitive information from accidental loss, through misdirected emails and the inadvertent sharing of restricted documents and files. 
    Supply Chain Ecosystem Risk will get Bigger
    • Accenture reports that 94% of Fortune 100 companies experienced supply chain disruptions from COVID-19, and that as much as 40% of cyber threats are now occurring indirectly through the supply chain.
    • 2020 has been the year where businesses realised more than ever that data security across the supply chain was only as strong as its weakest link, where exposing a business’s network and sensitive data to its suppliers had the potential to carry significant additional risk. 
    • HelpSystems’ recent report interviewed 250 CISOs and CIOs from financial institutions about the cybersecurity challenges they face and nearly half (46%) said that cybersecurity weaknesses in the supply chain had the biggest potential to cause the most damage in the next 12 months. 
    • But sharing information with suppliers is essential for the supply chain to function. Most organisations go to great lengths to secure intellectual property (IP), personally identifiable information (PII) and other sensitive data internally, yet when this information is shared across the supply chain, it doesn’t get the same robust attention. 
    • The demand for greater resilience across supply chain operations in 2021 will require businesses to move quickly to overhaul existing tech investments and prioritise data governance. Organisations must ensure basic controls are implemented around their suppliers’ IT infrastructure and that they have robust security measures in place. 
    • Advanced data classification capabilities will deliver assurance and control to numerous industries including finance, defence and government. HelpSystems advises organisations to ensure their suppliers have a robust approach to security and information risk with security frameworks such as ISO 27001 and Cyber Essentials in place. 
    • Organisations should implement a data classification scheme and embed data risk management into the procurement lifecycle processes from start to finish. By effectively embedding data risk management, categorisation and classification into procurement and vendor management processes, businesses will prevent their suppliers’ vulnerabilities becoming their own and more effectively secure data in the supply chain. 
    Data Privacy Regulations set to Increase
    • An increased focus on data privacy and protection of personal data and the continuing shift in privacy law, as reflected in the EU’s landmark GDPR in 2018 and, this year, the US’s CCPA, and the CPRA set to take effect in 2023, has changed the data regulatory landscape. We can expect to see similar US compliance rulings come into force beyond California through 2021.
    • In addition to individual state privacy rulings, we can expect to see federal US-wide regulation come into force. 
    • This new phase in privacy regulation will be complex and enforcement will demand changes in people, process and technology - proper corporate data governance programmes, employee training and solid data management systems in every organisation to counter reputational risk and hefty fines. 
    • Data automation will also be a priority as companies struggle to deliver relevant data protection strategies for every level of business and its users, across all platforms and infrastructures to conform with individual state and international laws. 
    • HelpSystems’ unified security, compliance and data classification solutions simplify compliance reporting, enabling businesses to easily generate the documentation necessary to identify security issues, give auditors the information they need and prove compliance. 

    Finally, True Unified Multi-Vector Data Protection in a Cloud World

    This week, we announced the latest release of MVISION Unified Cloud Edge, which included a number of great data protection enhancements. With working patterns and data workflows dramatically changed in 2020, this release couldn’t be more timely.

    According to a report by Gartner earlier in 2020, 88% of organizations have encouraged or required employees to work from home. And a report from PwC found that corporations have termed the remote work effort in 2020, by and large, a success. Many executives are reconfiguring office layouts to cut capacity by half or more, indicating that remote work is here to stay as a part of work life even after we come out of the restrictions placed on us by the pandemic.

    Security teams, scrambling to keep pace with the work from home changes, are grappling with multiple challenges, a key one being how to protect corporate data from exfiltration and maintain compliance in this new work from home paradigm. Employees are working in less secure environments and using multiple applications and communication tools that may not have been permitted within the corporate environment. What if they upload sensitive corporate data to a less than secure cloud service? What if employees use their personal devices to download company email content or Salesforce contacts?

    McAfee’s Unified Cloud Edge provides enterprises with comprehensive data and threat protection by bringing together its flagship secure web gateway, CASB, and endpoint DLP offerings into a single integrated Secure Access Service Edge (SASE) solution. The unified security solution offered by UCE features unified data classification and incident management across the network, sanctioned and unsanctioned (Shadow IT) cloud applications, web traffic, and endpoints, thereby covering multiple key exfiltration vectors.

    UCE Protects Against Multiple Data Exfiltration Vectors

    1. Exfiltration to High Risk Cloud Services

    According to a recent McAfee report, 91% of cloud services do not encrypt data at rest and 87% of cloud services do not delete data upon account termination, allowing the cloud service to own customer data in perpetuity. McAfee UCE detects the usage of risky cloud services using over 75 security attributes and enforces policies, such as blocking all services with a risk score over 7, which helps prevent exfiltration of data to high-risk cloud services.

    2. Exfiltration to permitted cloud services

    Some cloud services, especially the high risk ones, can be blocked. But there are others which may not be fully sanctioned by IT, but fulfill a business need or improve productivity and thus may have to be allowed. To protect data while enabling these services, security teams can enforce partial controls, such as allowing users to download data from these services but blocking uploads. This way, employees remain productive while company data remains protected.

    3. Exfiltration from sanctioned cloud services

    Digital transformation and cloud-first initiatives have led to significant amounts of data moving to cloud data stores such as Office 365 and G Suite. So, companies are comfortable with sensitive corporate data living in these data stores but are worried about it being exfiltrated to unauthorized users. For example, a file in OneDrive can be shared with an unauthorized external user, or a user can download data from a corporate SharePoint account and then upload it to a personal OneDrive account. MVISION Cloud customers commonly apply collaboration controls to block unauthorized third party sharing and use inline controls like Tenant Restrictions to ensure employees always login with their corporate accounts and not with their personal accounts.

    4. Exfiltration from endpoint devices

    An important consideration for all security teams, especially given most employees are now working from home, is the plethora of unmanaged devices such as storage drives, printers, and peripherals that data can be exfiltrated into. In addition, services that enable remote working, like Zoom, WebEx, and Dropbox, have desktop apps that enable file sharing and syncing actions that cannot be controlled by network policies because of web socket or certificate pinning considerations. The ability to enforce data protection policies on endpoint devices becomes crucial to protect against data leakage to unauthorized devices and maintain compliance in a WFH world.

    5. Exfiltration via email

    Outbound email is one of the critical vectors for data loss. The ability to extend and enforce DLP policies to email is an important consideration for security teams. Many enterprises choose to apply inline email controls, while some choose to use the off-band method, which surfaces policy violations in a monitoring mode only.

    UCE provides a Unified and Comprehensive Data Protection Offering

    Using point security solutions for data protection raises multiple challenges. Managing policy workflows in multiple consoles, rewriting policies, and aligning incident information in multiple security products result in operational overhead and coordination challenges that slow down the teams involved and hurt the company’s ability to respond to a security incident. UCE brings web, CASB, and endpoint DLP into a converged offering for data protection. By providing a unified experience, UCE increases consistency and efficiencies for security teams in multiple ways.

    1. Reusable classifications

    A single set of classifications can be reused across different McAfee platforms, including ePO, MVISION Cloud, and Unified Cloud Edge. For example, if a classification is implemented to identify Brazilian driver’s license information to apply DLP policies on endpoint devices, the same classification can be applied in DLP policies governing collaboration in Office 365 or outgoing emails in Exchange Online. Alternatively, if the endpoint and cloud were secured by two separate products, it would require creating disparate classifications and policies on both platforms and then ensuring the two policies have the same underlying regex rules to keep policy violations consistent. This increases operational complexity and overhead for security teams.

    2. Converged incident infrastructure

    Customers using MVISION Cloud have a unified view of cloud, web, and endpoint DLP incidents in a single unified console. This can be extremely helpful in scenarios where a single exfiltration act by an employee is spread across multiple vectors. For example, an employee attempts to share a company document with his personal email address, and then tries to upload it to a shadow service like WeTransfer. When neither attempt works, he uses a USB drive to copy the document from his office laptop. Each of these fires an incident, but when we present a consolidated view of these incidents based on the file, your admins have a unique perspective and possibly a different remediation action as opposed to trying to parse these incidents from separate solutions.

    3. Consistent experience

    McAfee data protection platforms provide customers with a consistent experience in creating a DLP policy, whether it is securing sanctioned cloud services, protecting against malware, or preventing data exfiltration to shadow cloud services. Having a familiar workflow makes it easy for multiple teams to create and manage policies and remediate incidents.

    As the report from PwC states, the work from home paradigm is likely not going away anytime soon. As enterprises prepare for the new normal, a solution like Unified Cloud Edge enables the security transformation they need to gain success in a remote world.

    The post Finally, True Unified Multi-Vector Data Protection in a Cloud World appeared first on McAfee Blogs.

    Veracode CEO on the Relationship Between Security and Business Functions: Security Can’t Be Effective in a Silo

    Veracode CEO Sam King says that security can’t be successful, and in fact will become a blocker, if it operates in a silo. She recently sat down for a fireside chat with Mahi Dontamsetti, State Street CTRO, and Jim Routh, MassMutual CISO, to share her thoughts and observations on communicating about security to the Board and the overall connection between the security function and business functions.

    She notes that even though there are often designated technical experts on the Board, there is now an increased awareness around cybersecurity, even among the traditionally business-oriented members. So, it’s important to tailor messages to the business functions so that they too can understand the organization’s risk posture. This doesn’t mean that you should try to make everyone on the Board a cybersecurity expert, but King remarks that there should be a “baseline knowledge that all Board members have around cybersecurity.”

    Mahi Dontamsetti agrees with King that cybersecurity should be communicated to all members of the Board in an easy-to-understand manner. Dontamsetti goes on to say that sometimes it’s the non-technical experts who ask the best questions or have important insights into cybersecurity. They’re sometimes able to fill in the “known unknowns.”

    Jim Routh adds that Board members are actively seeking out cybersecurity knowledge. “Board members today go to classes to improve their skill through NACD or other associations,” he said. “They're re-skilling and retooling themselves at a pretty significant pace, so that will give us more Board members with cybersecurity expertise.”

    Routh also mentions the importance of level setting cybersecurity expectations with the Board. It shouldn’t be about eliminating all cybersecurity incidents because that’s unrealistic. The goal should be to “recover quickly when you have security incidents and minimize the business impact.” And the whole organization needs to work toward that goal. “Every enterprise at any level of maturity today has to recognize that incident response for cybersecurity has to be a fabric for the entire enterprise. It's not just a siloed function in IT or in cybersecurity.”

    How can you ensure that cybersecurity isn’t siloed? Routh recommends identifying your top 10 cybersecurity risks and making sure that they are well known throughout the company, especially with senior leaders. Resources should be allocated to the top 10 risks and projects and initiatives around those risks should be prioritized.

    Not only should you come up with your top 10 cybersecurity risks, but it’s also worth identifying your top 10 business strategies. King makes the point that “when you're looking at the top 10 of your business strategies as a company, regardless of whether you're a cybersecurity company like Veracode or you're a financial services company, or whatever industry you're in, cybersecurity has to be in that top 10.” By making cybersecurity a top 10 business strategy, you ensure that executives and senior leaders are prioritizing risk mitigation strategies and, hopefully, integrating the strategies company-wide.

    If cybersecurity is siloed, departments may try to ignore security best practices for the sake of speed. King remarks that without cybersecurity integration, you may hear a lot of, “We're super excited about this project, but once we go to the security person there's going to be all of these different things that we have to be concerned about. And, will we be able to get it done or not?”

    But cybersecurity integration doesn’t have to slow down processes. If you start your project with security best practices in mind from the very beginning, there won’t be time-consuming or expensive rework down the line.

    And how about obtaining cybersecurity resources and budget? Well, King explains that if cybersecurity is one of your top 10 business strategies, there won’t be arguments as to whether or not cybersecurity initiatives should be funded. Cybersecurity won’t be “taking money” from a different initiative if it was already determined that cybersecurity is a priority.

    To learn more about communicating cybersecurity to the Board, or for tips on integrating cybersecurity best practices throughout your organization, check out the full webinar, Driving the Cybersecurity Agenda with the C-Suite and Boards.

    Fixing CRLF Injection Logging Issues in Python

    It can sometimes be a little challenging to figure out specifically how to address different vulnerability classes in Python. This article addresses one of the top finding categories found in Python, CWE 117 (also known as CRLF Injection), and shows how to use a custom log formatter to address the issue. We’ll use this project, which deactivates or deletes user accounts from the Veracode platform, to illustrate the functionality.

    The vulnerability

    CWE 117 (sometimes classified as CWE 93) is (normally, see note below) a medium severity finding that compromises the integrity of logging information by allowing an attacker to insert extra log statements, corrupt the logs so that they become unreadable, or even inject malicious code into the logs (useful if the log will be read through a web user interface). The attacker does this by inserting data containing carriage return and line feed (CRLF) characters, causing the appearance of a new logging statement.

    Note on classification: CWE 93 refers to a broader set of weaknesses with handling content containing CRLF characters. It applies to logs and also to HTTP headers (CWE 113), sending email messages, or any output format where carriage returns and line feeds are significant characters; CWE 117 is the log-specific version of it. This article focuses specifically on issues where CRLF injection occurs in a logging context (CWE 117).


    This code snippet is vulnerable to CRLF injection:

    import logging
    import sys

    logger = logging.getLogger(__name__)
    logging.basicConfig(level=logging.DEBUG, stream=sys.stderr)
    # additional logger setup omitted; no escaping formatter is installed

    # untrusted input carrying CR/LF reaches the log unescaped
    dangerous_value = "This line splits\r\nthe log entry by including CRLF"
    logger.warning("The value of dangerous_value is {}".format(dangerous_value))
    # WARNING:__main__:The value of dangerous_value is This line splits
    # the log entry by including CRLF
    # Note how the above ^ makes two lines, messing up log integrity

    The fix

    Before we get into the fix, it’s worth noting that not every application has a strong requirement for log integrity: a local command line script may not require as much attention to this vulnerability category as a system where auditing is a requirement and that takes input from multiple users. See also the note on severity below.

    Assuming that log integrity is important for your application (and in most cases it probably is), the strategy for fixing CRLF injection vulnerabilities is to sanitize all user inputs, ensure that you use a consistent character encoding throughout the application (to avoid problems from canonicalization), and escape output. Dealing with the first two issues is beyond the scope of this article, but applying an output escaping strategy is pretty straightforward by using a logging formatter. For the purposes of this blog, we’ll use logging-formatter-anticrlf from Veracode Research; see the Alternatives section for some other approaches you could take.

    The logging-formatter-anticrlf library functions as a drop-in logging formatter, but it escapes carriage returns and line feeds in the output. Darren’s readme shows how to use the library for stream-based logging; the project above shows an example of using it with logging to a file. Here’s how:

    • First, we install logging-formatter-anticrlf using pip install logging-formatter-anticrlf.

    • We import logging and anticrlf.

    • We set up the logger (this routine is called from within the if __name__ == '__main__': block at the bottom of the file):

    def setup_logger():
        handler = logging.FileHandler('vcoffboard.log', encoding='utf8')
        handler.setFormatter(anticrlf.LogFormatter('%(asctime)s - %(levelname)s - %(message)s'))  # escapes CR/LF on output
        logger = logging.getLogger(__name__)
        logger.addHandler(handler)  # without this the handler (and its formatter) is never used
    • We define a variable for the instance of logger that we configured, and make sure that all our logging statements call this rather than calling logger directly. Importantly, we repeat this in any helper files to make sure they’re all using the same log file configuration:

    # assume setup_logger() has been called once for this __name__
    log = logging.getLogger(__name__)
    dangerous_value = "This line splits\r\nthe log entry by including CRLF"
    log.warning("The value of dangerous_value is {}".format(dangerous_value))
    # WARNING:__main__:The value of dangerous_value is This line splits\r\nthe log entry by including CRLF
    # Note that the CR and LF are escaped so the log entry is correctly all on one line

    And that’s it! As long as you call the logger using the log variable, it will format the logs with our anticrlf formatter and escape the log output correctly.


    What else could we do to fix CWE 117 findings in Python? We have a couple of options:

    1. Explore other available libraries that do encoding for logs. Unfortunately, there don’t seem to be a lot available that specifically address the logging context such that you can simply use them as a drop-in replacement for an existing logger.

    2. Explicitly encode all logging statements. You can certainly explicitly encode every string that you send in a logging statement using Python’s encode() or a similar function. Using encode() has the advantage of not requiring any additional libraries, but the disadvantage of requiring you to remember to apply the fix for every logging statement. The advantage of the library discussed in this post is that it functions as a drop-in; once you configure logging to use it as a formatter, the rest of your code can function as normal and you don’t need to remember to perform explicit encoding.

    3. Take a different path. One way to avoid the problem entirely might be to switch to using syslog or another external logging system that does not use CRLF to start a new log message. This will be a more substantial change and will require its own secure coding considerations, but avoids this particular flavor of log injection.


    It’s common to see large numbers of CWE 117 findings in an application; logging is a common operation for many applications and every log statement has a potential vulnerability to CRLF injection. Applying a strategy such as the one described here allows you to quickly address lots of findings in a fairly straightforward way.
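    To make the before and after concrete without depending on the library, here is an added example (my own code, not Veracode’s and not the logging-formatter-anticrlf project’s). It builds a minimal CRLF-escaping logging.Formatter, logs the same dangerous_value through a plain formatter and through the escaping one, and counts how many entries a log reader would see; escape_for_log shows the per-statement alternative from option 2 above. The formatter class, the logger names and the helper functions are assumptions of this example, and the sample value is constructed.

```python
import io
import logging

# Constructed sample input: untrusted text that carries a CR/LF pair.
DANGEROUS_VALUE = "This line splits\r\nthe log entry by including CRLF"
LOG_FORMAT = "%(levelname)s:%(name)s:%(message)s"


class AntiCRLFFormatter(logging.Formatter):
    """Hand-written stand-in for a CRLF-escaping formatter (assumption, not the library's code).

    The record is rendered normally and then CR and LF are replaced by the
    two-character escapes backslash-r and backslash-n, so one record is always one line.
    """

    def format(self, record):
        rendered = super().format(record)
        return rendered.replace("\r", "\\r").replace("\n", "\\n")


def render_log(value, escape):
    """Log `value` through a plain or an escaping formatter and return the captured text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(AntiCRLFFormatter(LOG_FORMAT) if escape else logging.Formatter(LOG_FORMAT))
    logger = logging.getLogger("crlf_demo.escaped" if escape else "crlf_demo.plain")
    logger.propagate = False          # keep the root logger's handlers out of the capture
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    try:
        logger.warning("The value of dangerous_value is %s", value)
    finally:
        handler.flush()
        logger.removeHandler(handler)
    return buf.getvalue()


def count_entries(text):
    """Number of lines a log reader would see; an injected CRLF makes one record look like two."""
    return len([line for line in text.splitlines() if line])


def escape_for_log(value):
    """Per-statement alternative (option 2 above): escape the value before it reaches the logger."""
    return str(value).replace("\r", "\\r").replace("\n", "\\n")


if __name__ == "__main__":
    print("plain   :", repr(render_log(DANGEROUS_VALUE, escape=False)))
    print("escaped :", repr(render_log(DANGEROUS_VALUE, escape=True)))
    print("entries seen, plain vs escaped:",
          count_entries(render_log(DANGEROUS_VALUE, escape=False)),
          count_entries(render_log(DANGEROUS_VALUE, escape=True)))
```

    The formatter approach escapes at the handler, so every logging call on that logger is covered; escape_for_log gives the same single-line result but has to be remembered at each call site, which is exactly the trade-off described in option 2.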


    Severity: As with any vulnerability category, the severity of any individual example of a CWE 117 finding may be higher or lower, depending on the business requirements of the application; specifically, for some applications, log integrity may be less critical than others.

    McAfee MVISION for Endpoint is FedRAMP Moderate As Federal Cloud Usage Continues to Rise

    Last month, I discussed the FedRAMP program’s basics and why it’s such a big deal for the federal government. In short, the program protects the data of U.S. citizens in the cloud and promotes the adoption of secure cloud services across the government with a standardized approach.

    But within the FedRAMP program, there are different authorizations. We’re pleased that McAfee MVISION for Endpoint Access recently achieved FedRAMP Moderate Authorization, which allows users from federal agencies, state and local government, and other industries in regulated environments to manage Controlled Unclassified Information (CUI) such as personally identifiable information (PII) and routine covered defense information (CDI).

    As organizations across the country continue to adapt to a remote workforce, the U.S. government is “in a race to modernize its IT infrastructure to support ever more complicated missions, growing workloads and increasingly distributed teams—and do so facing a constantly evolving threat landscape,” Alex Chapin, our VP of DoD and Intelligence notes.

    And he’s right – with the 2021 federal fiscal year in full focus, federal agencies are continuing to push cloud computing as the COVID-19 pandemic continues, creating a real need for security in these applications.

    The FedRAMP Moderate designation allows MVISION to provide the command and control cyber defense capabilities government environments need to enable on-premises and remote security teams, allowing them to maximize time and resources, enhance security efficiency and boost resiliency.

    This is a massive win for the federal government as it continues to build out its remote workforce capabilities at a time when the GAO is continuing to release best practices for telework, highlighting how remote work is here to stay in the federal government.

    MVISION Cloud is currently in use by ten federal agencies, including the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), Food and Drug Administration (FDA) and National Aeronautics and Space Administration (NASA).

    At McAfee, we are dedicated to ensuring our cloud services are compliant with FedRAMP standards to help the federal government secure its digital infrastructure and prepare for an increasingly digital operation. We look forward to working closely with the FedRAMP program and other cloud providers dedicated to authorizing cloud service offerings with FedRAMP.

    The post McAfee MVISION for Endpoint is FedRAMP Moderate As Federal Cloud Usage Continues to Rise appeared first on McAfee Blogs.

    The Hidden Costs of Cybercrime on Government

    Organizations across the country – from the private sector to the federal government –  have become more digital, especially following the shift to remote work this year. It’s no surprise that cybercriminals around the world have taken notice. According to a new report by McAfee and the Center for Strategic and International Studies (CSIS), cybercrime is now a nearly trillion-dollar industry, and the government sector is not immune.

    Across the board, the issue continues to rise – increasing the cost of cybercrime by nearly 50% since our last report in 2018. The threats to the government from cybercriminals are even greater, leading to potential national security risks as dark actors look to steal U.S. secrets and intellectual property.

    All levels of government – from state and local to the federal government here in Washington – are taking steps to mitigate the issues, but they must do so differently than their private sector counterparts. Government respondents to the survey reported the highest number of malicious attacks, highlighting the high-stakes environment in which governments operate.

    Unfortunately, the report also found that while government organizations face more attacks than their private-sector counterparts, they also take longer to remediate them, leaving our government services, infrastructure, and other critical aspects of society at risk for longer than they need.

    A Discussion With CSIS

    Earlier this week, McAfee’s CTO Steve Grobman joined CSIS for a conversation on the report and how we can continue to prepare for and mitigate the risk of cybercrime and its hidden costs with CSIS’ Jim Lewis and Zhanna Malekos Smith, former Federal CISO Grant Schneider and the FBI’s Jonathan Holmes.

    Kicking off the discussion, Schneider highlighted the importance of the workforce and the need to take care of them so organizations can quickly rebound from an incident. Schneider noted that if an office were robbed, no one would blame the team, but with cybercrime, victims are often seen as the issue – leading to reduced employee morale and more issues later down the line.

    Instead, Schneider argued on the importance of preparing the workforce and that preparation can take several forms, including risk management through NIST’s risk management framework. He also called for organizations to develop a recovery plan, engaging different departments, leadership and the public to be ready for when an incident occurs.

    In his discussion of the report’s findings, McAfee CTO Steve Grobman noted they weren’t shocking. Grobman said that as we adopt new technologies, adversaries will continue to find new attack vectors.

    This year was particularly notable as much of the federal government transitioned to a remote work environment overnight. As the workforce went remote – critical government information was accessed from home internet routers that lacked the same level of security as government office networks, increasing adversaries’ ability to successfully launch attacks.

    Luckily, as Grobman noted, there are ways lawmakers can mitigate the threat of ransomware against government and the private sector.

    What’s the solution?

    Across the country, governments are facing ransomware attacks at an alarming rate, and every one of them – at every level – needs to have a plan in place. There needs to be a data-based discussion with leadership to decide how to balance the daily blocking and tackling of threats with limited complication to the continuation of operations and preparation for big intrusions like we’ve seen happen this year.

    There are also policy solutions – many of these criminal groups operate in countries that allow them to do so. When negotiating trade deals with countries, the level of cybercrime and the government’s cooperation with or against those groups must be considered.

    The cost of cybercrime is now nearly 1% of the global GDP, and it will only continue to rise, impacting companies and governments around the world unless we come together to stop it through basic cyber hygiene, preparation and policy solutions.

    The post The Hidden Costs of Cybercrime on Government appeared first on McAfee Blogs.

    Business and enterprise anti-virus products put through a long-term test – which performed the best?

    Many thanks to the great folks at AV-Comparatives, who have sponsored my writing for the past week. Anti-malware testing lab AV-Comparatives carries out independent intensive tests of security software, and has just published its long-term test report into the performance of business and enterprise endpoint security products, taking a close look at 19 products designed to … Continue reading "Business and enterprise anti-virus products put through a long-term test – which performed the best?"

    NIST Software Tool Improves Your Doctor’s Vaccination Advice

    Behind the scenes at your doctor’s office, there’s a complicated set of information that your providers have to absorb before telling you which vaccinations to get and when. A software tool created at the National Institute of Standards and Technology (NIST) is helping them make better decisions. The software tool — called the Forecasting for Immunization Test Suite, or FITS — is helping ensure that your doctors are getting correct and up-to-date recommendations about when patients should get their vaccines. While your doctor remains responsible for the final decision, computers are vital

    Remote iOS Attacks Targeting Journalists: More Than One Threat Actor?

    ZecOps is proud to share that we detected multiple exploits by the threat actors that recently targeted Al Jazeera’s journalists, before the attacks were made public. The attacks were detected automatically using ZecOps Mobile DFIR.

    In this blog post, we’ll share our analysis of the post-exploitation kernel panics observed on one of the targeted devices.

    Key details on the attacks targeting journalists in Middle East:

    • First known attack: earliest signs of compromise on January 17th, 2020.
    • Was the attack successful: Yes – the device shows signs of successfully planted malware / rootkit.
    • Persistence: The device shows signs of persistent malware that is capable of surviving reboots. It is unclear whether the device was re-infected following an OS update, or whether the malware also persisted between OS updates.
    • Attack Impact: The threat operators were able to continuously access the device microphone, camera, and data including texts and emails for the entire period.
    • Attribution: We named this threat actor Desert Cobra. We do not rule out that NSO (aka “NSO Group”) was involved in the other reporters’ cases that were published today by Citizen Lab. We refrain from naming the particular threat actor that targeted one of the victims in the Citizen Lab report as NSO, due to some activities that do not add up with our Mobile Threat Intelligence on NSO. We also do not rule out that this device was potentially compromised by more than one threat actor simultaneously.
    • OS Update? We do recommend updating to the latest iOS version; however, we have no evidence that this actually fixes any of the vulnerabilities that were exploited by this threat operator(s).

    Post-exploitation Panic Analysis

    A tale of two panics: MobileMail and mediaanalysisd: kauth_cred_t corruption

    The following stack backtrace of the MobileMail panic indicates that the panic happened on function kauth_cred_unref:

    panic(cpu 2 caller 0xfffffff02a2f47f0): "kfree: size 8589934796 > kalloc_largest_allocated 21938176"
    _func_fffffff007b747f0 + 0 ~ (kfree + 340)
    sfree() + 28
    _func_fffffff008debd5c + 68 ~ (_mpo_cred_check_label_update + 2904)
    _func_fffffff008df5f48 + 92 ~ (_sandbox_hook_policy_syscall + 6488)
    _func_fffffff008df5d8c + 300 ~ (_sandbox_hook_policy_syscall + 6252)
    _func_fffffff008de309c + 64 ~ (_check_boolean_entitlement + 1716)
    _func_fffffff0081538e8 + 76 ~ (audit_session_unref)
    _func_fffffff007f3f790 + 200 ~ (kauth_cred_unref)
     _vn_open_auth + 1612
     _open1 + 256
     _open + 528

    kauth_cred_unref drops a reference to a kernel credential structure and frees it once the reference count reaches zero. The following is the stack backtrace of the mediaanalysisd panic; it also panicked under kauth_cred_unref:

    _func_fffffff008db5d4c + 260 ~ (_sandbox_hook_policy_syscall + 6212)         
           0xfffffff010795e50  ldr x8, [x21]                  
           0xfffffff010795e54  str x8, [x19, x22, lsl #3]     
           0xfffffff010795e58  b 0x01db5e78    // 0xfffffff01254bcd0 
           0xfffffff010795e5c  ldr x9, [x8] 
     _func_fffffff008da305c + 64 ~ (_check_boolean_entitlement + 1716)
     _func_fffffff00814783c + 76 ~ (audit_session_unref)
     _func_fffffff007f336f4 + 200 ~ (kauth_cred_unref)
    _func_fffffff007cebec8 + 444 ~ (_copyin + 4560)
    _copyin + 2224

    Function kauth_cred_free is called by kauth_cred_unref once the last reference has been dropped; the code is as follows:

    static void
    kauth_cred_free(kauth_cred_t cred)
    {
        assert(os_atomic_load(&cred->cr_ref, relaxed) == 0);
        AUDIT_SESSION_UNREF(cred);               // ← calls kfree; the panic is raised inside
        FREE_ZONE(cred, sizeof(*cred), M_CRED);
    }

    Both panics happened inside AUDIT_SESSION_UNREF, which indicates that the credential structures of the affected processes were corrupted: the kfree size in the panic string (8589934796 bytes) is far larger than any legitimate allocation, so the size was read from overwritten memory.

    A classic way for a kernel exploit to gain root is to replace the credential structure of an attacker-controlled process with the kernel's credentials. Note that this does not necessarily mean MobileMail or mediaanalysisd was itself controlled; the corruption of the credential structures could also have resulted from wrong offsets used during exploitation.

    ZecOps customers: no further action is required. The deployed systems detect these activities. The complete report and full IOC list are available in the ZecOps Threat Intelligence feed.


    iPhones vulnerable to hacking tool for months, researchers say

    Analysis: NSO Group’s Pegasus spyware could allegedly track locations and access passwords

    For almost a year, spyware sold by Israel’s NSO Group was allegedly armed with a computer security super-weapon: a zero-footprint, zero-click, zero-day exploit that used a vulnerability in iMessage to seize control of an iPhone at the push of a button.

    That means it would have left no visible trace of being placed on targets' phones, could be installed by simply sending a message that the victim did not even need to click on, and worked even on phones running the then-latest version of iOS, the operating system for iPhones.


    Weekly Update 222


    I'm live again! Well, I was live having found enough connectivity in Port Douglas to go back to streaming. I'll still be here next week too and will plan on doing a Christmas morning stream from the same location. I talk a bunch about the trip and what I'm seeing in Aus in the latter part of this video, it's a truly amazing place I'm only just getting to really see extensively now. That said, the present COVID outbreak in Sydney may impact the final leg in the trip as the government guidance now stipulates that we'd need to be tested on re-entry to Queensland and self-isolate until a test result is returned. Whilst not planning to go anywhere near Sydney metro, the final 2 nights of our trip had us in the Blue Mountains which is still considered "Greater Sydney" so unless things dramatically improve in the next couple of weeks, we'll be giving that location a wide berth. Oh - and I also talk about some cyber things, enjoy 🙂



    1. The massive road trip continues! (that's a tweet thread with pics from each day as I travel around the country)
    2. NordVPN has released their Cybersecurity A-Z guide (this is a great resource for everyone, techie or not)
    3. Someone sent me through tens of thousands of customer records from a healthcare website (that's a link to a previous incident, point is it just keeps happening over and over again)
    4. SolarWinds, solarwinds123 and trusting updates (this is so multi-faceted on so many levels)
    5. Sponsored by: 1Password is a secure password manager and digital wallet that keeps you safe online

    Sunburst: SolarWinds Orion Compromise Overview

    On 13th December 2020, it came to light that SolarWinds' IT systems had been compromised by hackers between March 2020 and June 2020. SolarWinds provides software that helps organisations manage their IT networking infrastructure. The attackers used their access to SolarWinds' IT systems to covertly insert a backdoor, coined 'Sunburst', into SolarWinds Orion platform software builds.

    The following SolarWinds Orion versions are considered to be compromised. 
    • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
    • Orion Platform 2020.2 RC1, version 2020.2.100.12219
    • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
    • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
    The backdoor within these 'tainted' SolarWinds Orion versions permits an attacker to compromise the server on which the SolarWinds Orion product is installed and runs. Given that SolarWinds Orion is a popular network monitoring product, thousands of organisations are said to be affected by a potential hidden 'backdoor' into their internal networks, open to exploitation by malicious hackers and granting them remote access to internal IT systems and confidential data. Organisations with a compromised version of SolarWinds Orion present should immediately disconnect the software's host server from their network and conduct a digital forensic investigation to determine whether their IT systems were remotely compromised.

    How to Update SolarWinds Orion to a Safe Version
    Upgrading to Orion Platform version 2020.2.1 HF 2 ensures the platform is not affected by SUNBURST. The update is available from SolarWinds, and hotfix installation instructions are in the 2020.2.1 HF 2 release notes.

    The Impact
    In the order of 18,000 organisations from 19 different countries, including the UK, are known to have downloaded the tainted SolarWinds Orion software. Around 50 organisations are known to have been compromised by hackers via the vulnerability, so far.  The United States news media reported the Pentagon, US intelligence agencies, nuclear labs, the Commerce, Justice, Treasury and Homeland Security departments and several utilities were compromised.

    As for the UK, Paul Chichester, NCSC Director of Operations, said: "This is a complex, global cyber incident, and we are working with international partners to fully understand its scale and any UK impact. That work is ongoing and will take some time, but simply having SolarWinds does not automatically make an organisation vulnerable to real world impact." Given that NCSC statement and what has been publicly disclosed to date, it is clear the United States governing apparatus is the primary target of the cyber-attack.

    Russia Accused of Orchestrating this Cyber Attack
    Given the sophistication of the attack and the reported compromises (i.e. targets) of United States government departments and utilities, it has all the hallmarks of a significant nation-state orchestrated cyber-attack. The fingers of suspicion are pointing directly at Russia, with the Russian-backed hacking group APT29 'Cozy Bear' cited as the culprit by many security researchers and intelligence analysts. US Secretary of State Mike Pompeo and Attorney General Bill Barr both publicly stated they believe Moscow is behind the attack, as did the chairs of the Senate and House of Representatives' intelligence committees. Russia denies the 'baseless' SolarWinds claims, while outgoing President Donald Trump seemed to blame China for the attack in a tweet on 19th December.

    Further Information
    Indicators of Compromise (IOCs)




    Additional DLLs


    Network indicators


    Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

    We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. While investigations are underway, we want to provide the defender community with intelligence to understand the scope, impact, remediation guidance, and product detections and protections we have built in as a result. We have established a resource center that is constantly updated as more information becomes available at

    While the full extent of the compromise is still being investigated by the security industry as a whole, in this blog we are sharing insights into the compromised SolarWinds Orion Platform DLL that led to this sophisticated attack. The addition of a few benign-looking lines of code to a single DLL file spelled a serious threat to organizations using the affected product, a widely used IT administration software used across verticals, including government and the security industry. The discreet malicious code inserted into the DLL calls a backdoor composed of almost 4,000 lines of code that allowed the threat actor behind the attack to operate unfettered in compromised networks.

    The fact that the compromised file is digitally signed suggests the attackers were able to access the company's software development or distribution pipeline. Evidence suggests that as early as October 2019, these attackers had been testing their ability to insert code by adding empty classes. Therefore, insertion of malicious code into SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions and keep a low profile.

    In many of their actions, the attackers took steps to maintain a low profile. For example, the inserted malicious code is lightweight and only has the task of running a malware-added method in a parallel thread such that the DLL’s normal operations are not altered or interrupted. This method is part of a class, which the attackers named OrionImprovementBusinessLayer to blend in with the rest of the code. The class contains all the backdoor capabilities, comprising 13 subclasses and 16 methods, with strings obfuscated to further hide malicious code.

    Once loaded, the backdoor goes through an extensive list of checks to make sure it’s running in an actual enterprise network and not on an analyst’s machines. It then contacts a command-and-control (C2) server using a subdomain generated partly from information gathered from the affected device, which means a unique subdomain for each affected domain. This is another way the attackers try to evade detection.

    With a lengthy list of functions and capabilities, this backdoor allows hands-on-keyboard attackers to perform a wide range of actions. As we’ve seen in past human-operated attacks, once operating inside a network, adversaries can perform reconnaissance on the network, elevate privileges, and move laterally. Attackers progressively move across the network until they can achieve their goal, whether that’s cyberespionage or financial gain.


    Solorigate attack chain diagram

    Figure 1. Solorigate malware infection chain

    The challenge in detecting these kinds of attacks means organizations should focus on solutions that can look at different facets of network operations to detect ongoing attacks already inside the network, in addition to strong preventative protection.

    We have previously provided guidance and remediation steps to help ensure that customers are empowered to address this threat. In this blog, we’ll share our in-depth analysis of the backdoor’s behavior and functions, and show why it represents a high risk for business environments. We’ll also share details of the comprehensive endpoint protection provided by Microsoft Defender for Endpoint. In another blog, we discuss protections across the broader Microsoft 365 Defender, which integrates signals from endpoints with other domains – identities, data, cloud – to provide coordinated detection, investigation, and remediation capabilities. Read: Using Microsoft 365 Defender to protect against Solorigate.

    Where it all starts: A poisoned code library

    The attackers inserted malicious code into SolarWinds.Orion.Core.BusinessLayer.dll, a code library belonging to the SolarWinds Orion Platform. The attackers had to find a suitable place in this DLL component to insert their code. Ideally, they would choose a place in a method that gets invoked periodically, ensuring both execution and persistence, so that the malicious code is guaranteed to be always up and running. Such a suitable location turns out to be a method named RefreshInternal.

    Screenshot of code of DLL with inserted code

    Figure 2: The method infected with the bootstrapper for the backdoor

    Screenshot of original code of DLL

    Figure 3: What the original method looks like

    The modification to this function is very lightweight and could be easily overlooked—all it does is to execute the method OrionImprovementBusinessLayer.Initialize within a parallel thread, so that the normal execution flow of RefreshInternal is not altered.

    Why was this method chosen rather than other ones? A quick look at the architecture of this DLL shows that RefreshInternal is part of the class SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager and is invoked by a sequence of methods that can be traced back to the CoreBusinessLayerPlugin class. The purpose of this class, which initiates its execution with a method named Start (likely at an early stage when the DLL is loaded), is to initialize various other components and schedule the execution of several tasks. Among those tasks is Background Inventory, which ultimately starts the malicious code.

    Screenshot of DLL execution flow showing inserted code running within a parallel thread

    Figure 4. The inserted malicious code runs within a parallel thread

    The functionality of the backdoor resides entirely in the class OrionImprovementBusinessLayer, comprising 13 subclasses and 16 methods. Its name blends in with the rest of the legitimate code. The threat actors were savvy enough to avoid give-away terminology like "backdoor", "keylogger", etc., and instead opted for more neutral jargon. At first glance, the code in this DLL looks normal and does not raise suspicions, which could be part of the reason why the insertion of malicious code went undetected for months, especially if the code for this DLL was not frequently updated.

    To have some minimal form of obfuscation from prying eyes, the strings in the backdoor are compressed and encoded in Base64, or their hashes are used instead.

    Screenshot of malware code with obfuscated strings

    Figure 5: Example of obfuscated strings

    Initial reconnaissance

    The Initialize method is the de facto execution entry point of the backdoor. It carries out several checks to verify that it is running in a real victim’s environment:

    • It verifies that the process hosting the malicious DLL is named solarwinds.businesslayerhost.exe
    • It checks that the last write-time of the malicious DLL is at least 12 to 14 days earlier
    • It delays execution by random amounts of time
    • It verifies that the domain name of the current device meets the following conditions:
      • The domain must not contain certain strings; the check for these strings is implemented via hashes, so at this time the domain names that are block-listed are unknown
      • The domain must not contain “solarwinds”
      • The domain must not match the regular expression (?i)([^a-z]|^)(test)([^a-z]|$), or in simpler terms, it must not look like a test domain
    • It checks that there are no running processes related to security-related software (e.g., Windbg, Autoruns, Wireshark)
    • It checks that there are no drivers loaded from security-related software (e.g., groundling32.sys)
    • It checks that the status of certain services belonging to security-related software meets certain conditions (e.g., windefend, sense, cavp)
    • It checks that the host “” resolves to an expected IP address

    If any of these checks fail, the backdoor terminates. All these inspections are carried out to avoid exposing the malicious functionality to unwanted environments, such as test networks or machines belonging to SolarWinds.
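As an added illustration (not code from the Microsoft analysis or from the backdoor itself), the following Python models the host-process, file-age, domain-name and tool-presence gates listed above, so a defender can check which lab or sandbox names the backdoor would have refused to run in. The hashed domain block-list and the DNS resolution check are left out because the page does not give their contents; the tool list holds only the three names the page cites, and the default 12-day threshold is the low end of the 12-to-14-day range the page reports.

```python
import re
from datetime import datetime, timedelta

# The exact regular expression quoted in the analysis: "test" has to appear as
# a whole token bounded by non-letters (or the string edges), case-insensitively.
TEST_DOMAIN_RE = re.compile(r"(?i)([^a-z]|^)(test)([^a-z]|$)")

HOST_PROCESS = "solarwinds.businesslayerhost.exe"

# Only the three tool names the analysis gives as examples; the real list is
# longer and is not reproduced on the page (assumption: matched by base name).
SECURITY_TOOLS = {"windbg", "autoruns", "wireshark"}


def domain_passes_gate(domain: str) -> bool:
    """True if the domain-name gates described above would let the backdoor run.

    The hashed block-list is not modelled here because its contents are unknown.
    """
    d = domain.lower()
    if "solarwinds" in d:
        return False
    if TEST_DOMAIN_RE.search(d):
        return False
    return True


def dll_old_enough(last_write_iso: str, now_iso: str, min_age_days: int = 12) -> bool:
    """True if the DLL's last-write time is at least min_age_days in the past.

    The analysis reports a 12-to-14-day threshold chosen by the backdoor, so the
    caller picks the value to model (ISO 8601 timestamps, e.g. 2020-03-01T00:00:00).
    """
    last_write = datetime.fromisoformat(last_write_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_write >= timedelta(days=min_age_days)


def no_security_tools(running_processes) -> bool:
    """True if none of the running process names is a known analysis tool."""
    names = {p.lower().rsplit(".", 1)[0] for p in running_processes}
    return names.isdisjoint(SECURITY_TOOLS)


def backdoor_would_activate(host_process, last_write_iso, now_iso,
                            domain, running_processes) -> bool:
    """Combine the gates; any single failure means the backdoor exits silently."""
    return (host_process.lower() == HOST_PROCESS
            and dll_old_enough(last_write_iso, now_iso)
            and domain_passes_gate(domain)
            and no_security_tools(running_processes))
```

The regex is narrower than a plain substring match: test.example.com and lab-test01.local are refused, but contest.example.com passes, because the letter before "test" fails the `[^a-z]` boundary. A detonation domain therefore needs "test" as a separate token to hit the kill switch; conversely, a production domain that merely contains the letters is still served.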

    The backdoor

    After the extensive validation described above, the backdoor enters its main execution stage. At its core, the backdoor is a very standard one that receives instructions from the C2 server, executes those instructions, and sends back information. The commands that can be executed range from manipulating registry keys, to creating processes, to deleting files, effectively providing the attackers with full access to the device, especially since it is executing from a trusted, signed binary.

    In its first step, the backdoor initiates a connection to a predefined C2 server to report some basic information about the compromised system and receive the first commands. The C2 domain is composed of four different parts: three come from strings that are hardcoded in the backdoor, and one component is generated dynamically based on some unique information extracted from the device. This means that every affected device generates a different subdomain to contact (and possibly more than one). Here’s an example of a generated domain:

    Image showing components of dynamically generated C2 domain

    Figure 6: Dynamically generated C2 domain

    The dynamically generated portion of the domain is the interesting part. It is computed by hashing the following data:

    • The physical address of the network interface
    • The domain name of the device
    • The content of the MachineGuid registry value from the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

    The backdoor also generates a pseudo-random URI that is requested on the C2 domain. Like the domain, the URI is composed using a set of hardcoded keywords and paths, which are chosen partly at random and partly based on the type of HTTP request that is being sent out. Possible URIs that can be generated follow these formats:

    • pki/crl/<random components>.crl, where <random components> can be numbers and one of the following strings:
      • “-root”
      • “-cert”
      • “-universal_ca”
      • “-ca”
      • “-primary_ca”
      • “-timestamp”
      • “-global”
      • “-secureca”
    • fonts/woff/<random components>-webfont<random component>.woff2 or fonts/woff/<random components>.woff2, where the <random components> can be numbers and one or more of the following strings:
      • “Bold”
      • “BoldItalic”
      • “ExtraBold”
      • “ExtraBoldItalic”
      • “Italic”,
      • “Light”
      • “LightItalic”
      • “Regular”
      • “SemiBold”
      • “SemiBoldItalic”
      • “opensans”
      • “noto”
      • “freefont”
      • “SourceCodePro”
      • “SourceSerifPro”
      • “SourceHanSans”
      • “SourceHanSerif”
    • swip/upd/<random components>, where <random components> can be one or more of the following strings:
      • “SolarWinds”
      • “.CortexPlugin”
      • “.Orion”
      • “Wireless”
      • “UI”
      • “Widgets”
      • “NPM”
      • “Apollo”
      • “CloudMonitoring”
      • “Nodes”,
      • “Volumes”,
      • “Interfaces”,
      • “Components”
    • swip/Upload.ashx
    • swip/Events

    Here are examples of final URLs generated by the backdoor:

    • hxxps://3mu76044hgf7shjf[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com/swip/upd/Orion[.]Wireless[.]xml
    • hxxps://3mu76044hgf7shjf[.]appsync-api[.]us-east-2[.]avsvmcloud[.]com/pki/crl/492-ca[.]crl
    • hxxps://3mu76044hgf7shjf[.]appsync-api[.]us-east-1[.]avsvmcloud[.]com/fonts/woff/6047-freefont-ExtraBold[.]woff2
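The parent domain and the URI families above are a workable detection signature even though the leftmost label is unique per victim. The following Python is an added example, not Microsoft's query or the backdoor's code: it turns the page's domain shape and URI formats into matchers, refangs the defanged URLs as printed above, and runs them over a few constructed proxy log lines. The log format and every host name other than avsvmcloud.com are invented for the example.

```python
import re
from urllib.parse import urlsplit

# First-stage domain shape from the analysis: <per-victim label>.appsync-api.<region>.avsvmcloud.com
C2_HOST_RE = re.compile(
    r"^[a-z0-9]+\.appsync-api\.[a-z]{2}-[a-z]+-\d\.avsvmcloud\.com$", re.I)

# Keyword lists exactly as given on the page.
CRL_SUFFIXES = ["-root", "-cert", "-universal_ca", "-ca", "-primary_ca",
                "-timestamp", "-global", "-secureca"]
FONT_WORDS = ["Bold", "BoldItalic", "ExtraBold", "ExtraBoldItalic", "Italic",
              "Light", "LightItalic", "Regular", "SemiBold", "SemiBoldItalic",
              "opensans", "noto", "freefont", "SourceCodePro", "SourceSerifPro",
              "SourceHanSans", "SourceHanSerif"]
SWIP_WORDS = ["SolarWinds", ".CortexPlugin", ".Orion", "Wireless", "UI",
              "Widgets", "NPM", "Apollo", "CloudMonitoring", "Nodes",
              "Volumes", "Interfaces", "Components"]


def _alt(words):
    # Longest first so "BoldItalic" is tried before "Bold".
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


URI_FAMILIES = {
    "pki_crl": re.compile(r"^/pki/crl/\d*(?:%s)?\.crl$" % _alt(CRL_SUFFIXES), re.I),
    # The lookahead demands at least one of the font keywords somewhere in the name.
    "fonts_woff": re.compile(r"^/fonts/woff/(?=[^/]*(?:%s))[A-Za-z0-9_-]+\.woff2$" % _alt(FONT_WORDS), re.I),
    "swip_upd": re.compile(r"^/swip/upd/(?=[^/]*(?:%s))[A-Za-z0-9.]+$" % _alt(SWIP_WORDS), re.I),
    "swip_upload": re.compile(r"^/swip/Upload\.ashx$", re.I),
    "swip_events": re.compile(r"^/swip/Events$", re.I),
}


def refang(url: str) -> str:
    """Undo the hxxp / [.] defanging used in reports, and drop stray spaces."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace(" ", "")


def analyze_url(url: str) -> dict:
    """Classify one URL: does the host match the C2 shape, and which URI family fits?"""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    family = next((name for name, rx in URI_FAMILIES.items() if rx.match(parts.path)), None)
    return {"host": host, "c2_domain": bool(C2_HOST_RE.match(host)), "uri_family": family}


# Constructed proxy log: timestamp, client, method, URL, status. Not real traffic.
SAMPLE_PROXY_LOG = """\
2020-12-14T09:12:31Z 10.1.5.23 GET https://3mu76044hgf7shjf.appsync-api.eu-west-1.avsvmcloud.com/swip/upd/Orion.Wireless.xml 200
2020-12-14T09:14:02Z 10.1.5.23 GET https://fonts.example.net/fonts/woff/opensans-Bold.woff2 200
2020-12-14T09:15:47Z 10.1.5.40 GET https://3mu76044hgf7shjf.appsync-api.us-east-2.avsvmcloud.com/pki/crl/492-ca.crl 200
"""


def scan_proxy_log(text: str):
    """Return (line_number, verdict, uri_family) for lines worth a look.

    'c2' means the host matches the known first-stage domain; 'uri-pattern' means
    only the path shape matched, which is a hunting lead rather than an alert.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        info = analyze_url(fields[3])
        if info["c2_domain"]:
            hits.append((n, "c2", info["uri_family"]))
        elif info["uri_family"]:
            hits.append((n, "uri-pattern", info["uri_family"]))
    return hits
```

Matching on the parent domain rather than the full host is deliberate: the dynamic label differs per victim, so an exact-host indicator would only ever catch one machine. The path-only verdict exists for the day the actor moves to a fresh domain; on its own it will also match genuine font CDNs, as the second constructed line shows, so treat it as a pivot, not a detection.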

    Finally, the backdoor composes a JSON document into which it adds the unique user ID described earlier, a session ID, and a set of other non-relevant data fields. It then sends this JSON document to the C2 server.

    Screenshot of data generated by malware

    Figure 7: Example of data generated by the malware

    If the communication is successful, the C2 responds with an encoded, compressed buffer of data containing commands for the backdoor to execute. The C2 might also respond with information about an additional C2 address to report to. The backdoor accepts the following commands:

    • Idle
    • Exit
    • SetTime
    • CollectSystemDescription
    • UploadSystemDescription
    • RunTask
    • GetProcessByDescription
    • KillTask
    • GetFileSystemEntries
    • WriteFile
    • FileExists
    • DeleteFile
    • GetFileHash
    • ReadRegistryValue
    • SetRegistryValue
    • DeleteRegistryValue
    • GetRegistrySubKeyAndValueNames
    • Reboot
    • None

    In a nutshell, these commands allow the attackers to run, stop, and enumerate processes; read, write, and enumerate files and registry keys; collect and upload information about the device; and restart the device, wait, or exit. The command CollectSystemDescription retrieves the following information:

    • Local Computer Domain name
    • Administrator Account SID
    • HostName
    • Username
    • OS Version
    • System Directory
    • Device uptime
    • Information about the network interfaces

    Resulting hands-on-keyboard attack

    Once backdoor access is obtained, the attackers follow the standard playbook of privilege escalation exploration, credential theft, and lateral movement, hunting for high-value accounts and assets. To avoid detection, the attackers renamed administrative tools such as adfind.exe (an Active Directory query utility, running here under the name csrss.exe so that it resembles the legitimate Windows process), which were then used for domain enumeration:

    C:\Windows\system32\cmd.exe /C csrss.exe -h -f (name="Domain Admins") member -list | csrss.exe -h -f objectcategory=* > .\Mod\mod1.log

    Lateral movement was observed via PowerShell remote task creation, as detailed by FireEye and Volexity. The first command re-registers an existing scheduled task (EventCacheManager) with its execution time limit removed (PT0S); the second creates that task on a remote machine with schtasks so that it runs as SYSTEM at start-up:

    $scheduler = New-Object -ComObject ("Schedule.Service");$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder("\Microsoft\Windows\SoftwareProtectionPlatform");$task = $folder.GetTask("EventCacheManager");$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = "PT0S";$folder.RegisterTaskDefinition($task.Name,$definition,6,"System",$null,5);echo "Done"

    C:\Windows\system32\cmd.exe /C schtasks /create /F /tn "\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager" /tr "C:\Windows\SoftwareDistribution\EventCacheManager.exe" /sc ONSTART /ru system /S [machine_name]

    Persistence is achieved via backdoors deployed via various techniques:

    1. PowerShell:

    Powershell -nop -exec bypass -EncodedCommand

    The -EncodedCommand, once decoded, would resemble:

    Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION

    2. Rundll32:

    C:\Windows\System32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\[malicious .dll file], [various exports]

    With Rundll32, each compromised device receives a unique binary hash, unique local filesystem path, pseudo-unique export, and unique C2 domain.

    The backdoor also allows the attackers to deliver second-stage payloads, which are part of the Cobalt Strike software suite. We continue to investigate these payloads, which are detected as Trojan:Win32/Solorigate.A!dha, as the situation continues to unfold.

    Microsoft Defender for Endpoint product and hardening guidance

    Supply chain compromise continues to be a growing concern in the security industry. The Solorigate incident is a grave reminder that these kinds of attacks can achieve the harmful combination of widespread impact and deep consequences for successfully compromised networks. We continue to urge customers to:

    • Isolate and investigate devices where these malicious binaries have been detected
    • Identify accounts that have been used on the affected device and consider them compromised
    • Investigate how those endpoints might have been compromised
    • Investigate the timeline of device compromise for indications of lateral movement

    Hardening networks by reducing attack surfaces and building strong preventative protection are baseline requirements for defending organizations. On top of that, comprehensive visibility into system and network activities drive the early detection of anomalous behaviors and potential signs of compromise. More importantly, the ability to correlate signals through AI could surface more evasive attacker activity.

    Microsoft Defender for Endpoint has comprehensive detection coverage across the Solorigate attack chain. These detections raise alerts that inform security operations teams about the presence of activities and artifacts related to this incident. Given that this attack involves the compromise of legitimate software, automatic remediation is not enabled, to prevent service interruption. The detections, however, provide visibility into the attack activity. Analysts can then use the investigation and remediation tools in Microsoft Defender for Endpoint to perform deep investigation and additional hunting.

    Microsoft 365 Defender provides visibility beyond endpoints by consolidating threat data from across domains – identities, data, cloud apps, as well as endpoints – delivering coordinated defense against this threat. This cross-domain visibility allows Microsoft 365 Defender to correlate signals and comprehensively resolve whole attack chains. Security operations teams can then hunt using this rich threat data and gain insights for hardening networks from compromise. Read: Using Microsoft 365 Defender to protect against Solorigate.

    Solorigate attack chain diagram

    Figure 8. Microsoft Defender for Endpoint detections across the Solorigate attack chain

    Several Microsoft Defender for Endpoint capabilities are relevant to the Solorigate attack:

    Next generation protection

    Microsoft Defender Antivirus, the default antimalware solution on Windows 10, detects and blocks the malicious DLL and its behaviors. It quarantines malware, even if the process is running.

    Detection for backdoored SolarWinds.Orion.Core.BusinessLayer.dll files:

    Detection for Cobalt Strike fragments in process memory and stops the process:

    Detection for the second-stage payload, a cobalt strike beacon that might connect to infinitysoftwares[.]com.

    Detection for the PowerShell payload that grabs hashes and SolarWinds passwords from the database along with machine information:

    Screenshot of Microsoft Defender Security Center alert of Solorigate malware being prevented

    Figure 9. Microsoft Defender for Endpoint prevented malicious binaries

    Endpoint detection and response (EDR)

    Alerts with the following titles in the Microsoft Defender Security Center and Microsoft 365 security center can indicate threat activity on your network:

    • SolarWinds Malicious binaries associated with a supply chain attack
    • SolarWinds Compromised binaries associated with a supply chain attack
    • Network traffic to domains associated with a supply chain attack

    Alerts with the following titles in the Microsoft Defender Security Center and Microsoft 365 security center can indicate the possibility that the threat activity in this report occurred or might occur later. These alerts can also be associated with other malicious threats.

    • ADFS private key extraction attempt
    • Masquerading Active Directory exploration tool
    • Suspicious mailbox export or access modification
    • Possible attempt to access ADFS key material
    • Suspicious ADFS adapter process created

    Screenshot of Microsoft Defender Security Center alert of ADFS private key extraction attempt

    Figure 10. Microsoft Defender for Endpoint detections of suspicious LDAP query being launched and attempted ADFS private key extraction

    Screenshot of Microsoft Defender Security Center alert of Possible attempt to access ADFS key material

    Figure 11. Microsoft Defender for Endpoint alert description and recommended actions for possible attempt to access ADFS key material

    Our ability to deliver these protections through our security technologies is backed by our security experts who immediately investigated this attack and continue to look into the incident as it develops. Careful monitoring by experts is critical in this case because we’re dealing with a highly motivated and highly sophisticated threat actor. In the same way that our products integrate with each other to consolidate and correlate signals, security experts and threat researchers across Microsoft are working together to address this advanced attack and ensure our customers are protected.

    Threat analytics report

    We published a comprehensive threat analytics report on this incident. Threat analytics reports provide technical information, detection details, and recommended mitigations designed to empower defenders to understand attacks, assess their impact, and review defenses.

    Screenshot of Threat Analytics report for Solorigate in Microsoft Defender Security Center

    Figure 12. Threat analytics report on the Solorigate attack

    Advanced hunting

    Microsoft 365 Defender and Microsoft Defender for Endpoint customers can run advanced hunting queries to hunt for similar TTPs used in this attack.

    Malicious DLLs loaded into memory

    To locate the presence or distribution of malicious DLLs loaded into memory, run the following query

    DeviceImageLoadEvents
    | where SHA1 in (
        "d130bd75645c2433f88ac03e73395fba172ef676",
        "1acf3108bf1e376c8848fbb25dc87424f2c2a39c",
        "e257236206e99f5a5c62035c9c59c57206728b28",
        "6fdd82b7ca1c1f0ec67c05b36d14c9517065353b",
        "2f1a5a7411d015d01aaee4535835400191645023",
        "bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387",
        "16505d0b929d80ad1680f993c02954cfd3772207",
        "d8938528d68aabe1e31df485eb3f75c8a925b5d9",
        "395da6d4f3c890295f7584132ea73d759bd9d094",
        "c8b7f28230ea8fbf441c64fdd3feeba88607069e",
        "2841391dfbffa02341333dd34f5298071730366a",
        "2546b0e82aecfe987c318c7ad1d00f9fa11cd305",
        "e2152737bed988c0939c900037890d1244d9a30e")
      or SHA256 in (
        "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
        "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
        "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
        "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
        "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
        "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
        "0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589",
        "e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d",
        "20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9",
        "2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d",
        "a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d",
        "92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690",
        "a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2",
        "cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6")

    Malicious DLLs created in the system or locally

    To locate the presence or distribution of malicious DLLs created in the system or locally, run the following query

    DeviceFileEvents
    | where SHA1 in ("d130bd75645c2433f88ac03e73395fba172ef676",
        "1acf3108bf1e376c8848fbb25dc87424f2c2a39c",
        "e257236206e99f5a5c62035c9c59c57206728b28",
        "6fdd82b7ca1c1f0ec67c05b36d14c9517065353b",
        "2f1a5a7411d015d01aaee4535835400191645023",
        "bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387",
        "16505d0b929d80ad1680f993c02954cfd3772207",
        "d8938528d68aabe1e31df485eb3f75c8a925b5d9",
        "395da6d4f3c890295f7584132ea73d759bd9d094",
        "c8b7f28230ea8fbf441c64fdd3feeba88607069e",
        "2841391dfbffa02341333dd34f5298071730366a",
        "2546b0e82aecfe987c318c7ad1d00f9fa11cd305",
        "e2152737bed988c0939c900037890d1244d9a30e")
      or SHA256 in ("ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
        "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
        "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
        "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
        "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
        "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
        "0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589",
        "e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d",
        "20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9",
        "2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d",
        "a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d",
        "92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690",
        "a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2",
        "cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6")

    SolarWinds processes launching PowerShell with Base64

    To locate SolarWinds processes spawning suspected Base64-encoded PowerShell commands, run the following query 

    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"
    | where FileName =~ "powershell.exe"
    // Extract base64 encoded string, ensure valid base64 length
    | extend base64_extracted = extract('([A-Za-z0-9+/]{20,}[=]{0,3})', 1, ProcessCommandLine)
    | extend base64_extracted = substring(base64_extracted, 0, (strlen(base64_extracted) / 4) * 4)
    | extend base64_decoded = replace(@'\0', '', make_string(base64_decode_toarray(base64_extracted)))
    //
    | where notempty(base64_extracted) and base64_extracted matches regex '[A-Z]' and base64_extracted matches regex '[0-9]'
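    The base64 handling is the part of this query that repays a closer look, so here is the same filter and decoding logic in Python, run over constructed sample events. This is an added example, not code from the Microsoft post; the event dictionaries and the _encoded_command helper are assumptions that stand in for DeviceProcessEvents rows.

```python
import base64
import binascii
import re

# Regex taken from the hunting query: a run of 20+ base64 characters plus up to 3 '='.
BASE64_RUN = re.compile(r"([A-Za-z0-9+/]{20,}[=]{0,3})")


def extract_base64(command_line: str) -> str:
    """Mirror the query's extract() + substring(): the first long base64-looking run,
    truncated to a multiple of four characters so that it decodes cleanly."""
    match = BASE64_RUN.search(command_line)
    if not match:
        return ""
    run = match.group(1)
    return run[: (len(run) // 4) * 4]


def decode_base64(run: str) -> str:
    """Mirror replace(@'\\0', '', make_string(base64_decode_toarray(...))).
    PowerShell -EncodedCommand payloads are UTF-16LE, so dropping the NUL bytes
    turns ASCII script text back into readable characters."""
    try:
        raw = base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return ""
    # make_string() treats each byte as a code point, which is Latin-1 decoding.
    return raw.replace(b"\x00", b"").decode("latin-1")


def matches_hunt(event: dict) -> bool:
    """Apply the query's filters to one DeviceProcessEvents-style record.
    =~ in KQL is case-insensitive equality, hence the lower() calls."""
    if event.get("InitiatingProcessFileName", "").lower() != "solarwinds.businesslayerhost.exe":
        return False
    if event.get("FileName", "").lower() != "powershell.exe":
        return False
    run = extract_base64(event.get("ProcessCommandLine", ""))
    # notempty() plus the two 'matches regex' guards that weed out long plain words
    return bool(run) and re.search(r"[A-Z]", run) is not None and re.search(r"[0-9]", run) is not None


def hunt(events):
    """Return (command line, decoded payload) for every event the query would surface."""
    hits = []
    for event in events:
        if matches_hunt(event):
            cmd = event["ProcessCommandLine"]
            hits.append((cmd, decode_base64(extract_base64(cmd))))
    return hits


def _encoded_command(script: str) -> str:
    """Build a -EncodedCommand argument (UTF-16LE, base64) for the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry, not real data from the incident.
SAMPLE_EVENTS = [
    {"InitiatingProcessFileName": "SolarWinds.BusinessLayerHost.exe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                           + _encoded_command("Write-Output 1")},
    {"InitiatingProcessFileName": "SolarWinds.BusinessLayerHost.exe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"InitiatingProcessFileName": "explorer.exe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -EncodedCommand " + _encoded_command("Write-Output 1")},
]

if __name__ == "__main__":
    for cmd, decoded in hunt(SAMPLE_EVENTS):
        print(f"{cmd}\n  -> {decoded}")
```

    Only the first sample event is reported: the second carries no long base64 run and the third was not spawned by the SolarWinds host process.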

    SolarWinds processes launching CMD with echo

    To locate SolarWinds processes launching CMD with echo, run the following query

    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"
    | where FileName == "cmd.exe" and ProcessCommandLine has "echo"

    C2 communications

    To locate DNS lookups to a malicious actor’s domain, run the following query 

    DeviceEvents
    | where ActionType == "DnsQueryResponse" // DNS Query Response
      and AdditionalFields has ".avsvmcloud"

    To locate network connections (by RemoteUrl) to a malicious actor's domain from processes other than web browsers, run the following query

    DeviceNetworkEvents
    | where RemoteUrl contains ''
    | where InitiatingProcessFileName != "chrome.exe"
    | where InitiatingProcessFileName != "msedge.exe"
    | where InitiatingProcessFileName != "iexplore.exe"
    | where InitiatingProcessFileName != "firefox.exe"
    | where InitiatingProcessFileName != "opera.exe"

    Find SolarWinds Orion software in your enterprise

    To search for Threat and Vulnerability Management data to find SolarWinds Orion software organized by product name and ordered by how many devices the software is installed on, run the following query 

    DeviceTvmSoftwareInventoryVulnerabilities
    | where SoftwareVendor == 'solarwinds'
    | where SoftwareName startswith 'orion'
    | summarize dcount(DeviceName) by SoftwareName
    | sort by dcount_DeviceName desc

    ADFS adapter process spawning

    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "Microsoft.IdentityServer.ServiceHost.exe"
    | where FileName in~ ("werfault.exe", "csc.exe")
    | where ProcessCommandLine !contains ("nameId")



    MITRE ATT&CK techniques observed

    This threat makes use of attacker techniques documented in the MITRE ATT&CK framework.

    Initial Access

    T1195.001 Supply Chain Compromise


    T1072 Software Deployment Tools

    Command and Control

    T1071.004 Application Layer Protocol: DNS

    T1071.001 Application Layer Protocol: Web Protocols

    T1568.002 Dynamic Resolution: Domain Generation Algorithms

    T1132 Data Encoding


    T1078 Valid Accounts 

    Defense Evasion

    T1480.001 Execution Guardrails: Environmental Keying

    T1562.001 Impair Defenses: Disable or Modify Tools


    T1005 Data From Local System 

    Additional malware discovered

    In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional piece of malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor. The malware consists of a small persistence backdoor in the form of a DLL file named App_Web_logoimagehandler.ashx.b6031896.dll, which is programmed to allow remote code execution through the SolarWinds web application server when installed in the folder "inetpub\SolarWinds\bin\". Unlike Solorigate, this malicious DLL does not have a digital signature, which suggests that it may be unrelated to the supply chain compromise. Nonetheless, the infected DLL contains just one method (named DynamicRun) that can receive a C# script from a web request, compile it on the fly, and execute it.

    Figure 13: Original DLL (screenshot of the original DLL code)

    Figure 14: The malicious addition that calls the DynamicRun method (screenshot of the DLL code with the inserted malicious code)

    This code provides an attacker the ability to send and execute any arbitrary C# program on the victim’s device. Microsoft Defender Antivirus detects this compromised DLL as Trojan:MSIL/Solorigate.G!dha.




    The post Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers appeared first on Microsoft Security.

    Best Smart Home Devices for a Connected New Year


     Like many of you, I spent a lot of time at home this year, but it came with an unexpected upside: an excuse to upgrade all my home tech! With so many great new products on the market, from 5G devices to smart TVs, cameras, and more, there’s a lot to choose from this holiday season, and into the New Year.

    In fact, the smart home market is set to grow by nearly 12% over the next five years, to $135 billion, so I’m sure even more devices are coming. But for now, here are the devices on my wish list, and how to protect them once they’re unboxed.

    Smart Thermostats—These have been around for a while, but the newest additions include features that keep your home comfortable, and eco-friendly, by giving you greater control over your energy use. Some thermostats can detect your habits, and heat or cool different areas of your home, depending on which rooms you are using. And others now connect to smart speakers, allowing you to stream your favorite music and podcasts, or receive calendar alerts.

    Bluetooth Speakers—Speaking of high-tech speakers, this category has taken off in recent years, but now there are more options for different types of users. While some people like the voice command features that turn their speakers into personal assistants, other users just want portable speakers with great sound quality and a sleek style. Now you can find a variety of different designs, sizes, and price points.

    Smart TVs—With the explosion of streaming content services, and the demand for more in-home entertainment during the pandemic, smart TVs have become a must-have item for many. The latest offer 4K streaming video, which gives you higher resolution, although you need to stream 4K content to get the benefit. It may be worth the investment for other new features, however, such as a faster user interface, and a built-in universal search engine that will allow you to easily locate a favorite movie, actor, or genre.

    IP Cameras— Internet-connected cameras can be an affordable security option, and the latest versions offer extra surveillance with wide-angle lenses, night vision, and wireless options for outdoors. Some cameras even do motion tracking, and offer facial recognition, in case you want to know right away if the person on your property is a known entity or a stranger. Just keep in mind that to get the advanced features you usually need to sign up for a subscription service as well.

    Gaming Router—As the father of two school-aged children, I know a lot of parents are wary of online gaming, but here’s why a gaming router may be a great gift, even if there are no hardcore gamers in the house. These routers aim to give you a more reliable internet connection, while allowing multiple devices to simultaneously receive data streams, which could be a game changer if your whole family is trying to work and learn online from home.

    Some routers even offer Wi-Fi 6, which is a huge jump in potential speed to 9.6 Gbps from the current 3.5 Gbps. This also means that all the devices connected to your network could see a significant speed increase, but only if you have devices that can take advantage of it.

    Here are a few more great holiday gifts ideas:

    • Smart locks and doorbells
    • Smart lightbulbs
    • Intelligent air purifiers

    How To Secure Your Smart Home Devices?

    While the best smart home devices can certainly make your home more convenient, safe, and fun, they do open the door to some risk. You may have read about IP cameras being hacked, or other ways in which home networks are vulnerable to attacks. This is because most Internet of Things (IoT) devices come with little built-in security, making them an easy target for hackers.

    Here’s how to secure both your network and your devices so you can enjoy them without worry.

    • Buy from reputable brands—Try to choose products from brands you trust, and who have a good reputation when it comes to support and built-in security features.
    • Change the Default Username & Passwords—Default names and passwords are often available on the dark web, allowing cybercriminals to log in to your devices. Once logged in, they could potentially use the connection to distribute malware aimed at infecting the computers or smartphones connected to the same network.
    • Set Up a Guest Network—To further protect your content-rich devices, set up a guest network on your router that is exclusively for your home IoT. With a guest network, you can also make sure that devices are only connected during the right times, and with the right permissions. Follow the instructions in your router manual or look them up online.
    • Practice Good Password Hygiene—Since you need to change the default passwords anyway, make each password unique and change them regularly. To make life even easier, use a password manager to generate and track your complex passwords for you.
    • Secure Your Network—Since your router is the central hub for all the connected devices, make it as secure as possible by checking to see that it uses encryption to scramble your data so that no one else can see it. A solution like McAfee Secure Home Platform makes it easy to protect your connected home.
    • Use Powerful Security Software—Invest in comprehensive security software that can detect and block a variety of threats, and make sure it includes a firewall so all the computers and devices on your home network are protected. A product like McAfee® Total Protection has the added benefit of including a password manager, multi-device compatibility, device security, and a Virtual Private Network (VPN), which ensures that you can safely connect to the internet no matter where you go. Importantly, it also includes dark web monitoring to help protect your personal and financial information by alerting you if your data is lost or stolen.


    By taking these precautions as soon as you unwrap your smart home devices, you’re setting yourself up for a fun, and safe, tech-filled New Year.

    The post Best Smart Home Devices for a Connected New Year appeared first on McAfee Blogs.

    VMware Flaw a Vector in SolarWinds Breach?

    U.S. government cybersecurity agencies warned this week that the attackers behind the widespread hacking spree stemming from the compromise at network software firm SolarWinds used weaknesses in other, non-SolarWinds products to attack high-value targets. According to sources, among those was a flaw in software virtualization platform VMware, which the U.S. National Security Agency (NSA) warned on Dec. 7 was being used by Russian hackers to impersonate authorized users on victim networks.

    On Dec. 7, 2020, the NSA said “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.”

    VMware released a software update to plug the security hole (CVE-2020-4006) on Dec. 3, and said it learned about the flaw from the NSA.

    The NSA advisory (PDF) came less than 24 hours before cyber incident response firm FireEye said it discovered attackers had broken into its networks and stolen more than 300 proprietary software tools the company developed to help customers secure their networks.

    On Dec. 13, FireEye disclosed that the incident was the result of the SolarWinds compromise, which involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for users of its Orion network management software as far back as March 2020.

    In its advisory on the VMware vulnerability, the NSA urged patching it “as soon as possible,” specifically encouraging the National Security System, Department of Defense, and defense contractors to make doing so a high priority.

    The NSA said that in order to exploit this particular flaw, hackers would already need to have access to a vulnerable VMware device’s management interface — i.e., they would need to be on the target’s internal network (provided the vulnerable VMware interface was not accessible from the Internet). However, the SolarWinds compromise would have provided that internal access nicely.

    In response to questions from KrebsOnSecurity, VMware said it has “received no notification or indication that the CVE 2020-4006 was used in conjunction with the SolarWinds supply chain compromise.”

    VMware added that while some of its own networks used the vulnerable SolarWinds Orion software, an investigation has so far revealed no evidence of exploitation.

    “While we have identified limited instances of the vulnerable SolarWinds Orion software in our environment, our own internal investigation has not revealed any indication of exploitation,” the company said in a statement. “This has also been confirmed by SolarWinds own investigations to date.”

    On Dec. 17, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) released a sobering alert on the SolarWinds attack, noting that CISA had evidence of additional access vectors other than the SolarWinds Orion platform.

    CISA’s advisory specifically noted that “one of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).”

    Indeed, the NSA’s Dec. 7 advisory said the hacking activity it saw involving the VMware vulnerability “led to the installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data.”

    Also on Dec. 17, the NSA released a far more detailed advisory explaining how it has seen the VMware vulnerability being used to forge SAML tokens, this time specifically referencing the SolarWinds compromise.

    Asked about the potential connection, the NSA said only that “if malicious cyber actors gain initial access to networks through the SolarWinds compromise, the TTPs [tactics, techniques and procedures] noted in our December 17 advisory may be used to forge credentials and maintain persistent access.”

    “Our guidance in this advisory helps detect and mitigate against this, no matter the initial access method,” the NSA said.

    CISA’s analysis suggested the crooks behind the SolarWinds intrusion were heavily focused on impersonating trusted personnel on targeted networks, and that they’d devised clever ways to bypass multi-factor authentication (MFA) systems protecting networks they targeted.

    The bulletin references research released earlier this week by security firm Volexity, which described encountering the same attackers using a novel technique to bypass MFA protections provided by Duo for Microsoft Outlook Web App (OWA) users.

    Duo’s parent Cisco Systems Inc. responded that the attack described by Volexity didn’t target any specific vulnerability in its products. As Ars Technica explained, the bypass involving Duo’s protections could have just as easily involved any of Duo’s competitors.

    “MFA threat modeling generally doesn’t include a complete system compromise of an OWA server,” Ars’ Dan Goodin wrote. “The level of access the hacker achieved was enough to neuter just about any defense.”

    Several media outlets, including The New York Times and The Washington Post, have cited anonymous government sources saying the group behind the SolarWinds hacks was known as APT29 or “Cozy Bear,” an advanced threat group believed to be part of the Russian Federal Security Service (FSB).

    SolarWinds has said almost 18,000 customers may have received the backdoored Orion software updates. So far, only a handful of customers targeted by the suspected Russian hackers behind the SolarWinds compromise have been made public — including the U.S. Commerce, Energy and Treasury departments, and the DHS.

    No doubt we will hear about new victims in the public and private sector in the coming days and weeks. In the meantime, thousands of organizations are facing incredibly costly, disruptive and time-intensive work in determining whether they were compromised and if so what to do about it.

    The CISA advisory notes the attackers behind the SolarWinds compromises targeted key personnel at victim firms — including cyber incident response staff, and IT email accounts. The warning suggests organizations that suspect they were victims should assume their email communications and internal network traffic are compromised, and rely upon or build out-of-band systems for discussing internally how they will proceed to clean up the mess.

    “If the adversary has compromised administrative level credentials in an environment—or if organizations identify SAML abuse in the environment, simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network,” CISA warned. “In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action.”

    Cyber News Rundown: Trickbot Spreads Via Subway Emails

    Trickbot spreading through Subway company emails

    Customers of Subway U.K. have been receiving confirmation emails for recent orders that instead contain malicious links that initiate Trickbot malware downloads. Subway has since disclosed that it discovered unauthorized access to several of its servers, which were then used to launch the campaign. Users who do click the malicious link start a process, visible in Task Manager, that can be ended to prevent the further illicit activity typical of Trickbot infections.

    Scores of municipal websites attacked in Lithuania

    At least 22 websites belonging to various municipalities in Lithuania were compromised after a sophisticated cyberattack allowed intruders to take control. After gaining access to the sites, the attackers began delivering misinformation emails under the auspices of Lithuanian government and military ministries. Much of the misinformation being spread revolved around military enlistment and the suspicion of corruption at an airport housing a NATO facility.

    Researchers discover millions of medical records online

    Researchers at CybelAngel have uncovered over 45 million healthcare records on unprotected servers. Among the sensitive data was personal health information and other personally identifiable data, all left on servers with a login page that allowed access without credentials. It is likely this data was left unsecured because of the number of medical professionals needing access to it, though the security lapse is inexcusable. With healthcare facilities prime targets for ransomware attacks, communications between organizations should entail strict security to protect the valuable data.

    Ransomware strikes city of Independence, Missouri

    Officials for the city of Independence, Missouri, have been working for weeks to recover from a ransomware attack that forced them to take several essential services offline. Fortunately, recent file backups were available to restore some of the encrypted systems to normal. At this point, officials remain uncertain if customer or employee data was stolen during the attack, and no ransomware group has come forward to take credit for the attack or post the stolen data for sale.

    Data Breach Compromises Patient Data at California Hospital

    California's Sonoma Valley Hospital recently delivered letters to roughly 67,000 patients regarding a data breach back in October that may have compromised personally identifiable information and other healthcare records. While the hospital was able to shut down some of its systems to prevent the breach from spreading, the attackers are believed to have gained access to and stolen sensitive data.

    The post Cyber News Rundown: Trickbot Spreads Via Subway Emails appeared first on Webroot Blog.

    Finding the Success Among the Pandemonium that is 2020

    Even the best psychics, science fiction and horror writers could not have predicted or written 2020.  

    It’s been quite the year. I am thankful that it’s almost over. 

    The COVID-19 Coronavirus started a global lockdown that sent millions of people to work from home, or wherever they could shelter in place. Personally, working at home didn’t seem like a bad option at the time.  But after 8 months, sheltering in place, working from home, and sharing your Internet bandwidth with three others who also need real-time audio and video can be exhausting. 

    Professionally, it's another story. It's hard to overstate the magnitude of the change. It was as if someone flipped a switch. One day, most of McAfee's 7,000+ employees could be found working in McAfee offices. The next day, we had 7,000 "offices" of one person each. They were now voices heard on a phone, logging in from remote locations.

    Whereas previously just 2% of workers were remote full time globally, by April 2020, 42% of the workforce was remote, according to Stanford University economics professor Nicholas Bloom. By late August, the number of workers at home dropped to 35%. That said, once the pandemic ends, about 55% of employers surveyed by PWC said they expected staff to work from home at least one day a week. And more than 80% of employees said they supported that idea. In fact, Facebook, Microsoft and Twitter have all said remote work would be a permanent option.

    Most organizations have found a way to make do with existing infrastructure. Since we're apparently in it for the long haul, it's time to go back and verify that all appropriate security protections are in place. Because, let's face it, in many organizations, security during this transition had to be prioritized behind keeping the business running. Cyber hygiene had to wait while organizations worldwide raced to the cloud in order to get their teams online and productive again.

    Cybercriminals know home networks are often less secure and have leaped at the opportunity to find new and easier ways to access data and systems. In fact, McAfee’s Advanced Threat Research team observed a 630% increase in external attacks on cloud accounts with the greatest concentration on collaboration services (CARR). And, during Q2 of 2020, McAfee’s global network of more than a billion sensors registered a 605% increase in total COVID-19-themed threat detections. 

    For a security company like McAfee, the pandemic is an opportunity to share some lessons to help protect your people and data without getting in your teams' way. It will not surprise you to learn we primarily run our own products and relied on them heavily for our WFH transition. I will be touting some of the benefits of our products in this article.

    1. Maximize Visibility and Control 

    For many companies, the rapid transition resulted in less visibility and control than when everyone was in the office behind a web gateway. With WFH, visibility and control across the entire organization (cloud, web, and both managed and unmanaged devices) is imperative.

    McAfee MVISION Complete, part of our new Device-to-Cloud suites, provides this visibility and control across endpoint, web and cloud. The solution unifies MVISION Insights, Endpoint, cloud access security broker (CASB), data loss prevention (DLP), cloud-based Secure Web Gateway (SWG) and (soon) remote browser isolation technologies to deliver comprehensive device-to-cloud protection. It enables us to:

    • Secure corporate devices against ransomware and other advanced malware with our endpoint anti-malware and endpoint detection and response (EDR) technology; 
    • Manage web and cloud access from anywhere through our SWG; 
    • Improve our phishing and web protections with the remote browser isolation technology from McAfee’s acquisition of LightPoint last year; 
    • Control shadow and sanctioned cloud services via integrated CASB; and 
    • Protect data on endpoints, web and in cloud services with unified DLP.

    2. Run an Effective Threat Management Program 

    Threat Intelligence programs are designed to answer questions such as:  

    1. Who is targeting me?  
    2. What are they after? 
    3. Am I protected? 
    4. If not, how can I become protected? 

    Questions like these are called Intelligence Requirements, and some threat management programs flounder because they focus only on answering the first two questions. Others struggle because they don't have the resources to answer the last two well. It takes substantial time to walk through indicators of compromise (IOCs) and determine whether you have coverage on your endpoints, your IPS, your Web Gateway, etc. It can take longer to update coverage. Having 95% coverage can sound like a lot, but advanced actors always seem to be able to locate the unprotected 5%.

    3. Plan for Increased Threats to Home Workers 

    WFH has put a premium on making sure employees can depend on the same level of security they received in the office. In a post-pandemic future where WFH continues to be prevalent, cyber adversaries will focus their innovation on WFH users.  To get ahead of this trend, we must find ways to increase our protections for WFH users.   

    4. Future-Proof … with the Right Protections 

    Enterprise security teams should plan for the likelihood that some of their employees working from home are going to get breached. It may be a compromised computer. It may be a connected IoT device. People will do the wrong thing, so it is important here to mitigate risk.

    The technical measures listed earlier are a good start. In addition, you'll need to make sure WFH users are patched as aggressively as they were when on-site, and that you have a process for following up with the last 5% who are out of office during patch installation, or who power down their laptop during installation. You'll also need vulnerability scanning agents installed on user workstations.

    Finally, I see a renewed move back to centralizing the data to limit the endpoint exposure. 

    5. Education Never Ends 

    There's no getting around it. People are both a company's biggest asset and a company's biggest security liability. Many employees are still prone to making silly security mistakes by ignoring best practices. So, any WFH security approach ought to feature a big education component. Spend more time with employees to educate and inform them on how to improve their security practices. What's practical guidance for employees? There's no one-size-fits-all answer, but the best advice I can offer is to be realistic. Don't send out a detailed, 20-page paper on wireless security and expect miracles. The message needs to be brief, clear and simple.

    I’d love to hear what you’re doing to secure your distributed teams… leave comments below. 

    The post Finding the Success Among the Pandemonium that is 2020 appeared first on McAfee Blogs.

    Additional Analysis into the SUNBURST Backdoor

    Executive Summary

    There has been considerable focus on the recent disclosures associated with SolarWinds, and while existing analysis of the broader campaign has resulted in detection against specific IoCs associated with the Sunburst trojan, the focus within the Advanced Threat Research (ATR) team has been to determine the possibility of additional persistence measures. Our analysis of the backdoor reveals that the level of access lends itself to the assumption that additional persistence mechanisms could have been established, and supports some inferences regarding the intent of the adversaries:

    • An interesting observation was the check for the presence of SolarWinds' Improvement Client executable and its version "". The ImprovementClient is a program that can collect considerable information, such as the count of Orion user accounts by authentication method and data about the devices and applications monitored.
    • In the HTTP routine we observed a search for certain keywords in the HTTP traffic, which might indicate the adversary was looking into details of, or access to, the cloud and/or wireless networks of their victims.
    • Even if a victim is using a proxy server with username and password, the backdoor is capable of retrieving that information and using it to build up the connection towards the C2.

    Available Resources

    Although this analysis will focus on the premise that the backdoor supports the feasibility of establishing additional persistence methods, we recognize the importance of providing assurance regarding coverage against available indicators. To that end, the following resources are available:

    Additional resources will become available as analysis both conducted by McAfee researchers, and the wider community becomes available.

    Backdoor Analysis

    There exists excellent analysis from many of our industry peers into the SUNBURST trojan, and the intention here is not to duplicate findings but to provide analysis we have not seen previously covered. The purpose is to enable potential victims to better understand the capabilities of the campaign in an effort to consider the possibility that there are additional persistence mechanisms.

    For the purposes of this analysis our focus centered upon the file “SolarWinds.Orion.Core.BusinessLayer.dll”. This particular file, as the name suggests, is associated with the SolarWinds ORION software suite and was modified with an added class containing the backdoor “SunBurst”.

    Figure 1 Added module and dependencies

    A deeper dive into the backdoor reveals that the initial call is to the added class “OrionImprovementBusinessLayer” which has the following functions:


    Figure 2 Start of the inserted class

    The class starts with a check to see if the module is running and, if not, it will start the service and thereafter initiate a period of dormancy.


    Figure 3 Sleep sequence of backdoor

    As was detailed by FireEye, this period of sleep can range from minutes up to two weeks. The actual period of dormancy depends on the checks that the code must pass, such as the hash of the Orion process, the write-times of files, the processes running, etc. A sleep period of this length is unusual and speaks to a very patient adversary.

    The most important strings inside the backdoor are encoded with the DeflateStream class of .NET’s Compression library, together with the base64 encoder. By examining the block list we find entries that warrant further inspection. The first entries are the local IP address ranges and netmasks:


    Followed by the IPv6 local address equivalents, as address,netmask pairs:
    fc00::,fe00::,fec0::,ffc0::,ff00::,ff00::

    Next, there is a list of IP addresses and their associated subnet masks. We executed a whois on those IP addresses to get an idea of whom they might belong to. There is no indication as to why the following IPs have been inserted into the block list, although the netmasks implemented in certain entries are ‘quite’ specific; therefore we have to assume the attackers were intentional in their desire to avoid certain targets.
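    As an added illustration (not McAfee’s code and not the backdoor’s own), the following Python reproduces the two steps an analyst needs in order to read such an embedded block list: base64-decode and inflate a raw Deflate stream (which is what .NET’s DeflateStream produces), then apply the address/netmask pairs to a candidate address. The sample list is constructed: the RFC 1918 IPv4 ranges plus the three IPv6 address,netmask pairs quoted above. The comma-separated pair layout is an assumption about the real string’s format; the masking is done on integers because Python’s ipaddress module does not accept an IPv6 netmask written as an address.

```python
import base64
import ipaddress
import zlib

# Constructed sample block list (address,netmask pairs): RFC 1918 IPv4 ranges
# followed by the IPv6 pairs fc00::/fe00::, fec0::/ffc0:: and ff00::/ff00::
# quoted in the analysis. The pair layout itself is an assumption.
SAMPLE_BLOCKLIST = (
    "10.0.0.0,255.0.0.0,172.16.0.0,255.240.0.0,192.168.0.0,255.255.0.0,"
    "fc00::,fe00::,fec0::,ffc0::,ff00::,ff00::"
)


def encode_string(text):
    """Raw Deflate (no zlib header, as .NET DeflateStream emits) then base64."""
    comp = zlib.compressobj(level=9, wbits=-15)
    data = comp.compress(text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_string(blob):
    """Inverse of encode_string: base64-decode, then inflate the raw Deflate stream."""
    raw = base64.b64decode(blob)
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def parse_blocklist(text):
    """Turn 'addr,mask,addr,mask,...' into a list of (network, netmask) address objects."""
    parts = [p.strip() for p in text.split(",") if p.strip()]
    if len(parts) % 2:
        raise ValueError("block list must consist of address,netmask pairs")
    pairs = []
    for net, mask in zip(parts[::2], parts[1::2]):
        net_ip = ipaddress.ip_address(net)
        mask_ip = ipaddress.ip_address(mask)
        if net_ip.version != mask_ip.version:
            raise ValueError(f"mixed address families in pair {net},{mask}")
        pairs.append((net_ip, mask_ip))
    return pairs


def is_blocklisted(address, pairs):
    """True when (address & mask) == (network & mask) for any pair of the same family."""
    addr = ipaddress.ip_address(address)
    for net_ip, mask_ip in pairs:
        if net_ip.version != addr.version:
            continue
        m = int(mask_ip)
        if int(addr) & m == int(net_ip) & m:
            return True
    return False


if __name__ == "__main__":
    blob = encode_string(SAMPLE_BLOCKLIST)        # what an embedded string looks like
    pairs = parse_blocklist(decode_string(blob))  # what the analyst recovers
    for ip in ("192.168.1.20", "8.8.8.8", "fd12::1", "2001:db8::1"):
        print(ip, "blocklisted" if is_blocklisted(ip, pairs) else "allowed")
```

    The practical use is on the decoding side: feed decode_string the base64 blobs lifted from the assembly and you get the plaintext lists back, which is how the ranges above were read out. A host whose interface address falls inside these ranges is one the backdoor declines to run on, so an analysis VM on a private range will never reach the later stages.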

    Assuming that the victim is not within the block list, the sample will then proceed to create the named pipe 583da945-62af-10e8-4902-a8f205c72b2e. This is done to ensure that only one instance of the backdoor is running. We were able to verify this by replicating the behaviour within our own environment.

    Figure 4 Running of Backdoor

    When we ran the backdoor, we were able to confirm that this value is hardcoded in the code, and that once the dormancy period has passed the service is started and the named pipe is created. At this point, the backdoor will also create a unique UserID MD5 value for the system it is installed on, as depicted in figure 5.

    Figure 5 Creation of User-ID

    This particular routine initially reads the device info of the system, ignoring the loopback interfaces (the part of the ReadDeviceInfo routine that issues “Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true”). The device info is then combined with the domain name, followed by a value from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography. This information is then used to create an MD5 value of that string.

    The module will then start the ‘update’ routine. This routine is a continuous loop that, among other checks, looks for unwanted services that could be used to detect the backdoor, as depicted in figure 6.


    Figure 6 Update Loop

    Information Gathering

    The backdoor gathers information from the system. The following information is gathered by a routine called “CollectSystemDescription”; some examples include:

    • OS version (major/minor) and whether it is 32- or 64-bit
    • Network configuration: IP, NetBIOS, IPv6, etc.
    • Host, SID, username and system directory. In particular, the SID for the Administrator account is searched for.

    Other subroutines exist to collect additional data; for example, to enumerate the information from the network adapters the backdoor uses the GetNetworkAdapterConfiguration routine, which gathers the following information:

    Figure 7 Gathering network information

    In order to check if certain ‘unwanted’ services are running, the backdoor enumerates the services, creates a hash list and compares it with a hard-coded set of values. The ‘update’ routine will exit once a ‘block-listed’ process is discovered. The backdoor will attempt to stop these services by entering a value in the registry for that service that disables it. The update routine will check again and continue this process until all unwanted processes are disabled.
    Another capability of the backdoor is to start/stop tasks:

    Figure 8 Kill/Run task routine

    Other functionalities we observed in the code are:

    • SetTime
    • CollectSystemDescription
    • UploadSystemDescription
    • GetProcessByDescription
    • GetFileSystemEntries
    • WriteFile
    • FileExists
    • DeleteFile
    • GetFileHash
    • ReadRegistryValue
    • SetRegistryValue
    • DeleteRegistryValue
    • GetRegistrySubKeyAndValueNames
    • Reboot

    An interesting observation was the check for the presence of SolarWinds’ Improvement Client executable and its version “”.

    Figure 9 Searching for ImprovementClient

    The ImprovementClient is a program that can collect the following information (source: SolarWinds):

    • The SWID (SolarWinds ID) associated with any SolarWinds commercial licenses installed
    • The email address provided to the installer during installation
    • Unique identifier of the downloaded installer
    • Versions of all Orion products installed
    • Operating system version
    • CPU description and count
    • Physical memory installed and percent used
    • Time zone
    • Dates when you logged in to the Orion website
    • Licensing information of other SolarWinds Orion products locally installed
    • Row counts for database tables
    • Count of monitored nodes by polling protocol
    • Count of Orion user accounts by authentication method
    • Network discovery scheduling information (not results)
    • Data about devices and applications monitored:
      • Vendor
      • Model
      • OS/Firmware version
      • Count
      • Abstract configuration information, such as number of websites hosted
    • Data about the SolarWinds product:
      • Feature usage statistics
      • Performance statistics
      • Hardware and OS platform description

    Another observation from the HTTP routine was the search for certain keywords in the HTTP traffic, which might indicate the adversary was looking for details of, or access to, the cloud and/or wireless networks of their victims via the SolarWinds modules installed to monitor and administer these kinds of instances. Managing the network with SolarWinds’ Orion is done through a browser connecting to the local host that serves the web interface. Reading out the certificate values and searching for these keywords in the HTTP traffic would have yielded this information.

    Figure 10 Search for keywords

    Network / DGA

    After all checks and routines have passed, the backdoor will use a domain generation algorithm (hereafter DGA) to generate a domain. An example of part of the DGA code:

    Figure 11 DGA code example

    When the domain is successfully reached, the routine called ‘Update’ contains a part that will act on this and start a new thread firing off the routine “HttpHelper.Initialize”. In the screenshot below we can observe that flow:

    Figure 12 DGA, HttpHelper

    The code shows that when the DNS record equals the domain and can be reached, the new thread will start in the background.

    The ‘HttpHelper’ class/routine is responsible for all the C2 communications:

    Figure 13 HttpHelp

    Even if a victim is using a proxy server with a username and password, the backdoor is capable of retrieving those credentials and using them to build up the connection towards the C2. It uses a routine called “IWebProxy GetWebProxy” for that:

    Figure 14 Getting proxy username and pwd

    The DGA-generated C2s are subdomains of: avsvmcloud[.]com.
    An example of how these domains would look:


    Inspecting the CNAMEs of the DGA-generated C2s, we observed the following domain names:

    • freescanonline[.]com
    • deftsecurity[.]com
    • thedoccloud[.]com
    • websitetheme[.]com
    • highdatabase[.]com
    • incomeupdate[.]com
    • databasegalore[.]com
    • panhardware[.]com
    • Zupertech[.]com
    • Virtualdataserver[.]com
    • digitalcollege[.]org

    In the aforementioned HTTP handler code, we discovered paths that might be installed on the C2s for different functions:

    • swip/upd/
    • swip/Events
    • swip/Upload.ashx

    Once the backdoor is connected, depending on the adversaries’ objectives, multiple actions can be executed, including the use of multiple payloads that can be injected into memory. At the time of writing, the ‘killswitch’ applied to the above domain will prevent this particular backdoor from being operational; however, for the purpose of this analysis it demonstrates the level of access afforded to the attackers. While the efforts to sinkhole the domain are to be applauded, organisations that have been able to identify indicators of SUNBURST within their environment are strongly encouraged to carry out additional measures to assure themselves that further persistence mechanisms have not been deployed.
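    To turn the network indicators above (the avsvmcloud[.]com DGA parent, the CNAME domains and the swip/ paths) into a retrospective hunt over DNS and proxy logs, here is an added Python example; it is not part of the McAfee analysis. The log format (one key=value event per line) and the sample lines are constructed for the example; the subdomain label and client addresses in them are invented, and the indicators are the page’s own, kept defanged and refanged only for matching. Subdomain matching enforces a label boundary so that a look-alike such as notavsvmcloud.com is not flagged.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the analysis above, kept defanged as on the page;
# they are refanged ("[.]" -> ".") only inside the matching code.
DGA_PARENT = "avsvmcloud[.]com"
CNAME_DOMAINS = [
    "freescanonline[.]com", "deftsecurity[.]com", "thedoccloud[.]com",
    "websitetheme[.]com", "highdatabase[.]com", "incomeupdate[.]com",
    "databasegalore[.]com", "panhardware[.]com", "Zupertech[.]com",
    "Virtualdataserver[.]com", "digitalcollege[.]org",
]
# URL paths seen in the HTTP handler; compared case-insensitively.
C2_PATHS = ("/swip/upd/", "/swip/events", "/swip/upload.ashx")


def refang(domain):
    return domain.replace("[.]", ".").lower()


WATCHED = {refang(DGA_PARENT)} | {refang(d) for d in CNAME_DOMAINS}


def host_is_ioc(host):
    """True for a watched domain or any subdomain of it (label boundary enforced)."""
    if not host:
        return False
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED)


def path_is_ioc(url):
    path = urlparse(url).path.lower()
    return any(path.startswith(p) for p in C2_PATHS)


# Constructed sample log: "<timestamp> <dns|http> key=value ...", one event per line.
SAMPLE_LOG = """\
2020-12-14T10:02:11Z dns client=10.1.2.3 query=k1l2m3n4o5p6.avsvmcloud.com type=A
2020-12-14T10:02:11Z dns client=10.1.2.3 query=www.example.com type=A
2020-12-14T10:02:12Z dns client=10.1.2.3 query=k1l2m3n4o5p6.avsvmcloud.com type=CNAME answer=deftsecurity.com
2020-12-14T10:02:13Z http client=10.1.2.3 url=https://deftsecurity.com/swip/upd/item
2020-12-14T10:02:14Z http client=10.1.2.3 url=https://www.example.com/swip-notes/index.html
2020-12-14T10:02:15Z http client=10.1.2.5 url=https://notavsvmcloud.com/index.html
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def scan_log(text):
    """Return [(line_no, client, [reasons])] for events touching a SUNBURST indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line; skip rather than abort the whole scan
        kind = parts[1]
        fields = dict(FIELD.findall(parts[2]))
        reasons = []
        if kind == "dns":
            if host_is_ioc(fields.get("query")):
                reasons.append("dns:query")
            if host_is_ioc(fields.get("answer")):
                reasons.append("dns:answer")
        elif kind == "http":
            url = fields.get("url", "")
            if host_is_ioc(urlparse(url).hostname):
                reasons.append("http:host")
            if path_is_ioc(url):
                reasons.append("http:path")
        if reasons:
            hits.append((n, fields.get("client"), reasons))
    return hits


if __name__ == "__main__":
    for line_no, client, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no} client {client}: {', '.join(reasons)}")
```

    A DNS hit on the DGA parent identifies the beaconing host; a hit on a CNAME domain or a swip/ path indicates the beacon was answered and the backdoor moved on to the HTTP stage, which is the case that warrants the additional persistence review the paragraph above recommends.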

    The post Additional Analysis into the SUNBURST Backdoor appeared first on McAfee Blogs.

    3 Reasons Why Connected Apps are Critical to Enterprise Security

    Every day, new apps are developed to solve problems and create efficiency in individuals’ lives. Employees are continually experimenting with new apps to enhance productivity and simplify complex matters. When in a pinch, using Dropbox to share large files or an online PDF editor for quick modifications is common among employees. However, these apps, although useful, may not be sanctioned or observable by an IT department. The rapid adoption of this practice, while bringing the benefit of increased productivity and agility, also raises the ‘shadow IT problem’, where IT has little to no visibility into the cloud services that employees are using or the risk associated with these services. Without visibility, it becomes very difficult for IT to manage both cost expenditure and risk in the cloud. Per the McAfee Cloud Adoption and Risk report, the average enterprise today uses 1950 cloud services, of which less than 10% are enterprise ready. To avert a data breach (with the average cost of a data breach in the US being $7.9 million), enterprises must exercise governance and control over their unsanctioned cloud usage. Does this sound all too familiar? It’s because these are many of the issues we face with Shadow IT, and we are facing a similar security risk today with connected apps.

    What are Connected Apps? Collaboration platforms such as Office 365 enable teams and end-users to install and connect third-party apps, or create their own custom apps, to help solve new and existing business problems. For example, Microsoft hosts the Microsoft Store, where end-users can browse through thousands of apps and install them into their company’s Office 365 environment. These apps augment native Microsoft Office capabilities and help increase end-user productivity. Some examples include WebEx to set up meetings from Outlook, or the Survey Monkey add-in to initiate surveys from Microsoft Teams. When these apps are added, they will often ask the end-user to authorize access to their cloud app resources. This could be data stored in the app, as in SharePoint, or calendar information or email content. Authorizing access to third-party apps creates concerns for many organizations.

    Reason 1: Risky Data Exfiltrated to 3rd Party Apps 

    What if the app itself is risky? For example, PDF converter apps ask for access to all data so they can generate PDF versions for sharing. Corporate data is moving out of the corporate cloud app into these risky applications. Or, even if the app is not risky, it may be accessing cloud resources such as mail, drive or calendar, which contain data the company considers highly sensitive. For example, the Evernote app for Outlook can be used for saving email data. The app itself is not risky, but the company may not have approved it for employees to use. If that is the case, introducing apps in this manner represents exfiltration of corporate data.

    Reason 2: No Coverage with Existing Controls 

    Connected Apps establish a cloud-to-cloud connection with your sanctioned cloud services that is not visible to existing network policies and controls. So, if a company has put controls in place on the web gateway or firewall to block unauthorized file-sharing services, it is still possible for employees to add the connected app from the marketplace and bypass these existing controls. Even API-based DLP policies do not apply to data moving into Connected Apps. All of this means that organizations need to exercise more oversight and control over the usage of Connected Apps by their employees.

    Reason 3: Shared Responsibility 

    The Shared Responsibility model applies to Connected Apps as well. Cloud services like Google and Microsoft provide a marketplace for customers to add apps, but they expect the companies to take responsibility for their data and users, and to ensure that the usage of these connected apps is in line with security and compliance policies.

    MVISION Cloud provides comprehensive security solutions through visibility, control, and the ability to troubleshoot third-party applications connected to sanctioned cloud services, such as these marketplace apps. With a database of over 30,000 cloud services, MVISION Cloud provides comprehensive and up-to-date information on Connected Apps plugged into corporate cloud services such as Microsoft 365 and G Suite. Customers can use this visibility to apply controls to block, allow, or selectively allow apps for some users. As large customers deploy Connected Apps to their hundreds of thousands of users, MVISION Cloud also provides troubleshooting tools to track activities and add notes, allowing quick diagnosis and resolution of support issues. To learn more, the brief video below provides a deeper look into securing connected apps with MVISION Cloud.

    The post 3 Reasons Why Connected Apps are Critical to Enterprise Security appeared first on McAfee Blogs.

    RFID Proximity Cloning Attacks

    Ray Felch // Introduction While packing up my KeyWe Smart Lock accessories, and after wrapping up my research and two previous blogs “Reverse Engineering a Smart Lock” and “Machine-in-the-Middle BLE Attack”, I came across a couple of KeyWe RFID tags. Although I was somewhat already familiar with RFID (Radio Frequency ID) technology, I decided this […]

    The post RFID Proximity Cloning Attacks appeared first on Black Hills Information Security.

    Steps to Protect Your Computer From Cybersecurity Threats

    There are plenty of different types of malware and viruses nowadays, and relying on a default computer set up to protect you is not enough. 

    Tech-savvy people can detect a potential threat almost immediately, and they should not have problems. But not everyone has enough experience to rely on themselves. Moreover, it may be that someone who is not aware of potential malware and viruses could be using your computer and infecting the system without even knowing about it.

    In other words, it is necessary to have a proper cybersecurity strategy in hand. If you have been looking for some suggestions on creating an effective plan and giving yourself peace of mind, take the steps in this article. 

    Step #1 – Get Reliable Antivirus Software

    Starting with reliable antivirus software is a good piece of advice. But do not limit yourself to just leaving the software in the background. While it should detect and eliminate most threats, it is also recommended to perform custom disk scans regularly. And, as one expects, remove any potentially corrupted files that the antivirus finds.

    Step #2 – Be Smart About Passwords You Use

    MacBook users may not be aware of Keychain Access and accountsd – two tools that store and exchange login information. But even knowing what a login keychain is may not be enough to be smart about password creation and usage.

    Whether you use a Mac, PC, or a smartphone, it is necessary to spend more time and come up with passwords that are actually difficult to crack. Avoid combinations like “password123” or “123password123” because they are too easy.

    If you cannot come up with a strong password, use an online generator, and write the password on a piece of paper to memorize it. Also, do not use the same password for every account. If someone finds it out, they can access important profiles like emails and social media accounts.

    Step #3 – Browse via VPNs

    A virtual private network costs a couple of dollars per month, but it offers you access to geo-restricted content, internet anonymity, and security.

    VPNs are particularly effective when you need to connect to public Wi-Fi available in places like cafes, hotels, or libraries. These public networks lack the necessary safety protocols that one can find in virtually every VPN service. In addition, you can also change your IP and surf the net as if you are in a different location.

    Step #4 – Install Ad Blocker Extensions

    Ad blocker browser extensions can be a life-saver in certain situations. Some sites are notorious for their aggressive ad policy, and they do not bother warning visitors that clicking on some ads redirects to a landing page full of malware.

    Meanwhile, having an ad blocker eliminates most forms of advertisement you encounter online. Besides preventing potential cybersecurity threats, your overall internet experience should improve as well since you will not have to deal with ads.

    Step #5 – Avoid Shady URLs

    If a website link seems suspicious, do not take the risk; ignore it, even if you received it from someone you know and trust. You should have no trouble finding the same page via a Google search if you want.

    Step #6 – Keep the System up to Date

    System updates may take some time to download and install, but they should still be one of your priorities if you want to avoid potential cybersecurity attacks.

    While most associate OS updates with the latest features and basic performance improvements, one should not underestimate how much of a boost a new update can be to the computer’s security.

    Malware creators are one step ahead, and those who work in cybersecurity need to react to make sure that the user devices have enough protection. Missing the most recent system update could mean exposure to the most recent malware. And only installing an OS update could fix this potential cybersecurity hole.

    Step #7 – Create Data Backups

    It is better to be safe than sorry. Instead of second-guessing what you would do if some malware wiped your data, why not create a backup and have fewer worries?

    You can use cloud services like Dropbox and iCloud or purchase an external hard drive. There is no need to back up every file on the computer, as you can reinstall things like video games or software without issues. It is personal information, pictures, and important documents that should be the priority.

    Step #8 – Limit Physical Access to the Computer

    Living alone means that you should not have to worry about another person getting their hands on your computer. However, if someone else uses the computer, you cannot guarantee that they will not end up infecting it with malware.

    Limiting physical access is one of the options, but you can also create a non-admin account and disable certain features, like accessing system files. It might not seem like much, but it can help prevent potential cybersecurity threats.

    The post Steps to Protect Your Computer From Cybersecurity Threats appeared first on CyberDB.

    Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’

    A key malicious domain name used to control potentially thousands of computer systems compromised via the months-long breach at network monitoring software vendor SolarWinds was commandeered by security experts and used as a “killswitch” designed to turn the sprawling cybercrime operation against itself, KrebsOnSecurity has learned.

    Austin, Texas-based SolarWinds disclosed this week that a compromise of its software update servers earlier this year may have resulted in malicious code being pushed to nearly 18,000 customers of its Orion platform. Many U.S. federal agencies and Fortune 500 firms use(d) Orion to monitor the health of their IT networks.

    On Dec. 13, cyber incident response firm FireEye published a detailed writeup on the malware infrastructure used in the SolarWinds compromise, presenting evidence that the Orion software was first compromised back in March 2020. FireEye said hacked networks were seen communicating with a malicious domain name — avsvmcloud[.]com — one of several domains the attackers had set up to control affected systems.

    As first reported here on Tuesday, there were signs over the past few days that control over the domain had been transferred to Microsoft. Asked about the changeover, Microsoft referred questions to FireEye and to GoDaddy, the current domain name registrar for the malicious site.

    Today, FireEye responded that the domain seizure was part of a collaborative effort to prevent networks that may have been affected by the compromised SolarWinds software update from communicating with the attackers. What’s more, the company said the domain was reconfigured to act as a “killswitch” that would prevent the malware from continuing to operate in some circumstances.

    “SUNBURST is the malware that was distributed through SolarWinds software,” FireEye said in a statement shared with KrebsOnSecurity. “As part of FireEye’s analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate.”

    The statement continues:

    “Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.”

    “This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor.

    This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.”

    It is likely that given their visibility into and control over the malicious domain, Microsoft, FireEye, GoDaddy and others now have a decent idea which companies may still be struggling with SUNBURST infections.

    The killswitch revelations came as security researchers said they’d made progress in decoding SUNBURST’s obfuscated communications methods. Chinese cybersecurity firm RedDrip Team published their findings on Github, saying its decoder tool had identified nearly a hundred suspected victims of the SolarWinds/Orion breach, including universities, governments and high tech companies.

    Meanwhile, the potential legal fallout for SolarWinds in the wake of this breach continues to worsen. The Washington Post reported Tuesday that top investors in SolarWinds sold millions of dollars in stock in the days before the intrusion was revealed. SolarWinds’s stock price has fallen more than 20 percent in the past few days. The Post cited former enforcement officials at the U.S. Securities and Exchange Commission (SEC) saying the sales were likely to prompt an insider trading investigation.

    Outing of FSB hit squad highlights Russia’s data security problem

    Analysis: trade in stolen data is a boon for investigators and a headache for Kremlin

    In early 2019, the journalist Andrei Zakharov managed to buy his own phone and banking records in a groundbreaking investigation into Russia’s thriving markets in stolen personal data, in which law enforcement and telecoms employees can be contracted anonymously to dip into their systems and pull out sensitive details on anyone.

    A year and a half later, investigators from Bellingcat and the Insider used some of the same tools and clever analysis to out a secret FSB team that had been tasked with killing Alexei Navalny using a novichok nerve agent.


    Adrozek Malware is Wreaking Havoc on Web Browsers: How to Stay Protected


    Every few weeks, there seems to be breaking news about large-scale data breaches that affect millions – but what about the lesser-known threats that lurk quietly in the shadows? Oftentimes, these are the scams that could wreak havoc on our day-to-day digital lives.

    Adrozek malware is just that: a new strain that affects web browsers, stealthily stealing credentials through “drive-by downloads,” or a download that happens without your knowledge.

    Let’s unpack how this malware works, who it targets, and what we can do to protect our browsers from this sneaky threat.

    Browsers, Beware!

    According to Threatpost, Adrozek is infecting several web browsers (including Google Chrome, Microsoft Edge, Mozilla Firefox, and Yandex) on Windows machines with the help of a browser modifier that hijacks search results. To find its way onto our devices, the malware uses “drive-by downloads” once you load one of its several malicious web pages. In fact, a huge, global infrastructure supports Adrozek – one that is made up of 159 unique domain names, each hosting an average of 17,300 unique URLs, which in turn host more than 15,300 unique malware samples.

    Once it makes its way onto your machine, the malware changes the device’s browser settings to allow Adrozek to insert fake ads over real ones. If you do happen to click on one of these fraudulent ads, the scammers behind this threat earn affiliate advertising dollars for each user they deceive. This not only takes money away from advertisers who are unaware that malware is increasing their traffic, but it also pays cybercriminals for their crimes. What’s more, the malware extracts data from the infected device and sends it to a remote server for future exploitation. In some cases, it even steals saved passwords from Firefox. These features allow the cybercriminals behind Adrozek to capitalize on the initial threat by collecting data that could be used against everyday users like you and me when we least expect it.

    Adrozek: A Malware Chameleon

    Aside from being supported by a vast infrastructure, Adrozek is powerful for another reason: it’s difficult to spot. Adrozek is a type of polymorphic malware, or malware that is programmed to constantly shift and change its code to avoid detection. As a result, it can be tricky to find and root out once it’s infected your browser.

    Fight Back Against Malware

    To help protect your devices from falling victim to the latest threats, follow these tips to help protect your online security:

    Keep your browser updated

    Software developers are actively working to identify and address security issues. Frequently update your browsers, operating systems, and apps so that they have the latest fixes and security protections.

    Practice proper password hygiene

    Because Adrozek actively steals saved passwords from Firefox, it’s crucial to practice good password hygiene. When updating your credentials, you should always ensure that your password is strong and unique. Many users utilize the same password or variations of it across all their accounts. Therefore, be sure to diversify your passcodes to ensure hackers cannot obtain access to all your accounts at once, should one password be compromised. You can also employ a password manager to keep track of your credentials.

    Reinstall your browsers

    You can typically get rid of browser-hijacking malware by resetting the browser. But because Adrozek will hide itself on your device, extra measures should be taken to get rid of it. If you suspect that Adrozek may have found its way onto your device, delete your browsers, run a malware scan, and reboot your device. Run the malware scan a second time and reinstall your browsers.

    Use a comprehensive security solution

    Use a solution like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

    Stay Updated

    To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

    The post Adrozek Malware is Wreaking Havoc on Web Browsers: How to Stay Protected appeared first on McAfee Blogs.

    SUNBURST Malware and SolarWinds Supply Chain Compromise

    Part I of II


    In a blog post released 13 Dec 2020, FireEye disclosed that threat actors compromised SolarWinds’s Orion IT monitoring and management software with a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll. The trojanized file delivers the SUNBURST backdoor as part of a digitally signed Windows Installer patch. Use of a Compromised Software Supply Chain (T1195.002) as an Initial Access technique is particularly critical as it can go undetected for a long period. FireEye released countermeasures that can identify the SUNBURST malware.

    If you are using SolarWinds software, please refer to the company’s guidance here to check for vulnerable versions and patch information. McAfee has evaluated the published countermeasures and will continue to analyze further attack indicators. It’s important to note that this was a very sophisticated attack and customers are advised to assess their overall security architecture capability to either prevent, detect or respond to an APT threat. This attack reminds us that in today’s digital enterprise the supply chain includes many diverse elements including but not limited to critical equipment and hardware, cloud software and infrastructure as a service provider and critical IT software. Customers are advised to assess both intellectual property protection and supply chain integrity strategies. Part one of this blog series details initial McAfee defensive guidance and response actions. Part two will describe additional mitigation and solution recommendations.

    Protection Summary

    For the latest information on McAfee see KB93861 and subscribe to receive updates. Below is the protection summary to date for the known backdoor indicators:

    • GTI Cloud and latest DAT has coverage for known indicators and C2 domains for the backdoor
    • McAfee Web Gateway can block known C2 domains
    • McAfee is continuing to review other detection approaches, including Real Protect and Endpoint Detection and Response
    • McAfee Advanced Threat Researchers continue to hunt for new indicators. Intelligence updates will be made available in MVISION Insights
    • Signatures are available for Network Security Platform to detect network indicators of compromise

    McAfee Labs will continue analysis for any known indicators associated with this attack and update product protection accordingly. Furthermore, analysis of the behavioural components of the campaign is underway to ensure product efficacy considers protection beyond static measures such as signatures.

    Threat Intelligence Summary

    MVISION Insights is tracking the campaign as SolarWinds Supply Chain Attack Affecting Multiple Global Victims with SUNBURST Backdoor.  Customers can view the public version of MVISION Insights for the latest attack details, prevalence, techniques used and indicators of compromise.

     Figure 1: Attack Summary

    Insights provides the indicators used by SUNBURST. The indicators will continue to update based on automated collection and human analysis. You can use the indicators to hunt on your network.  Note: This will be updated as new indicators are verified.

    Figure 2: Campaign Indicators

    Insights outlines the MITRE Att&ck techniques used by SUNBURST. You can use the MITRE Att&ck framework to assess defensive capability across your security architecture.

    Figure 3: Mitre Att&ck Framework


    One of the first incident response actions should be to hunt for known indicators of the attack. You can use MVISION EDR or MAR to search endpoints for SUNBURST backdoor indicators as provided by Microsoft and FireEye. See the search syntax below. If you are licensed for MVISION Insights this query will take place automatically. Additional defensive guidance will be published in an upcoming blog.


    Begin MVEDR Query Syntax…


    Files name, full_name, md5, sha256, created_at, create_user_name, create_user_domain and HostInfo hostname, ip_address, os and LoggedInUsers username, userdomain where Files sha256 equals "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c" or Files sha256 equals "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77" or Files sha256 equals "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed" or Files sha256 equals "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b" or Files sha256 equals "32519685c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77" or Files sha256 equals "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600" or Files sha256 equals "53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7" or Files sha256 equals "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134" or Files sha256 equals "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6" or Files sha256 equals "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77" or Files sha256 equals "292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712" or Files sha256 equals "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71"


    …End MVEDR Query Syntax


    You should also search McAfee Web Gateway logs (or other network and SIEM logs) for communication to command and control domains or IP addresses, particularly those categorized as “Malicious Sites” below. Continue to check MVISION Insights for new domains and URLs.
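    The same two hunts (file hashes on endpoints, C2 hosts in proxy logs) done offline in Python, as an added example that is not McAfee's or FireEye's code. It hashes files under a directory against the SHA-256 indicators from the MVEDR query above and scans proxy log lines for URL hosts that equal, or are subdomains of, a C2 domain. The C2 domain list and the log lines are constructed placeholders, since the page's own domain table is not reproduced here; substitute the current MVISION Insights indicators when running it for real.

```python
"""Local hunt for the SUNBURST file indicators and for C2 traffic in proxy logs.

Added example, not McAfee's or FireEye's code. The SHA-256 values are the ones
listed in the MVEDR query above; the C2 domains and the proxy log lines are
constructed placeholders, since the page's own domain table is not reproduced.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 file indicators taken from the MVEDR query on the page.
SUNBURST_SHA256 = {
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
    "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
    "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
    "32519685c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
    "53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",
    "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71",
}

# Constructed placeholder C2 domains: substitute the current MVISION Insights list.
C2_DOMAINS = {"c2-placeholder.example", "beacon-placeholder.example"}

# Constructed proxy log lines in a generic "timestamp client method url status" shape.
SAMPLE_PROXY_LOG = [
    "2020-12-14T10:01:02Z 10.0.0.5 GET https://www.example.org/index.html 200",
    "2020-12-14T10:01:07Z 10.0.0.5 GET https://beacon-placeholder.example/ping 200",
    "2020-12-14T10:02:11Z 10.0.0.9 POST https://api.c2-placeholder.example:443/up 200",
    "2020-12-14T10:02:40Z 10.0.0.9 GET https://notc2-placeholder.example/a 404",
]

_URL_HOST = re.compile(r"https?://([^/\s:]+)")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_files(root, indicators=SUNBURST_SHA256, suffixes=(".dll",)):
    """Return [(path, sha256)] for files under root whose hash is an indicator.

    suffixes limits hashing to likely file types; pass () to hash everything.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if suffixes and not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if digest in indicators:
                hits.append((path, digest))
    return hits


def matches_domain(host, domains):
    """True if host equals a listed domain or is a subdomain of one (no prefix matches)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt_proxy_log(lines, domains=C2_DOMAINS):
    """Return [(line_no, host)] for log lines whose URL host is a listed C2 domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _URL_HOST.search(line)
        if m and matches_domain(m.group(1), domains):
            hits.append((n, m.group(1).lower()))
    return hits


def demo_hunt_files():
    """Self-contained check: plant a constructed file and hunt for its own hash."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.dll")
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not SUNBURST")
        digest = sha256_file(sample)
        found = hunt_files(tmp, indicators={digest})
        clean = hunt_files(tmp)  # the real indicator set must not match the sample
        return [os.path.basename(p) for p, _ in found], len(clean)


if __name__ == "__main__":
    print(demo_hunt_files())
    print(hunt_proxy_log(SAMPLE_PROXY_LOG))
```

    The domain match is deliberately suffix-on-label rather than substring: a plain substring test would flag an unrelated host that merely contains the indicator text, while a label-boundary test still catches beaconing to a subdomain of a listed C2 domain.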


    What’s Next

    It’s important to note that ongoing analysis will be critical to understand how the attackers will adapt and what additional mitigation is required. This will be a continuous process and we expect to add multiple updates to KB93861. Additionally, customers should follow McAfee Labs posts, check Insights Public Dashboard for latest threat intelligence, and continually check the Knowledge Center for latest product guidance. Part two of this blog will cover defensive capabilities and controls in more depth.

    Additional McAfee Threat Intel Resources

    Insights Trending Campaigns

    Every week Insights Preview highlights the top emerging threats and campaigns based on ATR Operational Intelligence collection and analysis.

    Atlas Dashboard

    Follow the latest COVID Threat statistics on the public Atlas Dashboard.  For more information about how a customer can utilize Atlas and Intelligence as a Service from APG, speak to your McAfee Account Manager for a Threat Intel Briefing and Workshop.

    Threat Research

    McAfee Labs and Advanced Threat Research teams produce regular research reports with the latest threat intelligence statistics and trends. Please share the reports with customers.

    McAfee Threat Intelligence Blogs

    Review and Share our external blogs that feature deeper malware analysis and explanations on emerging threats and attack campaigns.

    The post SUNBURST Malware and SolarWinds Supply Chain Compromise appeared first on McAfee Blogs.

    Defense in Depth: Why You Need DAST, SAST, SCA, and Pen Testing

    When it comes to application security (AppSec), most experts recommend using Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) as "complementary" approaches for robust AppSec. However, these experts rarely specify how to run them in a complementary fashion.

    At Veracode, we use SAST, DAST, SCA, and pen testing as the four pillars of our defense-in-depth strategy to deliver a "secure-by-design" AppSec methodology across the entire software development life cycle.


    Most organizations start their AppSec journey by running manual penetration tests (MPT). Penetration testing is necessary to catch vulnerability classes, such as authorization issues and business logic flaws, that cannot be found through automated assessments alone. Expertly trained pen testers can review an entire environment, rather than just the application, and can follow or break the workflows in a way that is difficult for automation to replicate. Additionally, pen testing is required to comply with regulations such as PCI DSS, HIPAA, GLBA, FISMA, and NERC CIP.

    However, pen testing is only one assessment type and can bottleneck development velocity because it is a manual process.

    How does Dynamic Analysis work?

    Dynamic application security testing (DAST) is an AppSec assessment that scans all applications and interconnected structures in a running environment without looking deeply into source code. The results of "outside-in" dynamic scanning help prioritize the remediation of exploitable vulnerabilities and immediately reduce AppSec risk as they are fixed. However, it can be challenging to pinpoint the exact line of code to work on using only DAST. This assessment on its own is limited by the configuration of your scanner and what you choose to test. If you don't properly configure your scans, you may miss vulnerabilities and have a false sense of security.

    Additionally, since the application is scanned towards the end of the SDLC, there's more pressure on development teams to remediate the difficult-to-find vulnerabilities quickly. This is usually where friction between development and security increases, often resulting in unmitigated risk.

    How does Static Analysis work?

    Static application security testing (SAST) is an AppSec assessment that tests applications from the inside out, by scanning applications but not running them. It usually targets source code, byte code, and binary code, and "sits" in an earlier stage of the SDLC so developers can look for security issues before the application is complete. SAST also provides real-time security feedback during coding, making it a more proactive method for fixing flaws quickly. This "inside-out approach" can help reduce security technical debt for the lowest cost.

    On the flip side, fixing all the flaws found after a SAST scan may be an inefficient use of resources that may not reduce your risk in a meaningful way. And since the scan doesn't execute in a running environment, it can be hard to determine which flaws are immediately exploitable, or to understand how the exploit might happen without appropriate training.
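    To make the inside-out approach concrete, here is a minimal static analyser in Python, added as an example and not Veracode's product or analyser. It parses source into an abstract syntax tree and, without executing anything, flags calls to a few dangerous sinks whose argument is not a literal, and subprocess calls that set shell=True. The rule ids and the sample program it scans are constructed.

```python
"""Minimal static analysis (SAST-style) for Python source: inspect, don't execute.

Added example, not Veracode's analyser. It parses code into an AST and reports calls
to a few sinks whose argument is not a literal, plus subprocess calls with shell=True.
Rule ids and the sample program below are constructed.
"""
import ast

# Sinks flagged when their first positional argument is not a plain literal.
NONLITERAL_SINKS = {
    "eval": ("PY-EVAL", "eval() on non-literal input"),
    "exec": ("PY-EXEC", "exec() on non-literal input"),
    "os.system": ("PY-OS-SYSTEM", "os.system() command built from non-literal input"),
}

# Constructed sample: three risky lines and two deliberately clean ones.
SAMPLE_SOURCE = '''
import os, subprocess
def run(user):
    os.system("ping " + user)                 # command built from a parameter
    subprocess.run(["ls", user])              # argv list, no shell: not flagged
    subprocess.run("ls " + user, shell=True)  # shell=True: flagged
    eval("1+1")                               # literal argument: not flagged
    return eval(user)                         # parameter reaches eval: flagged
'''


def dotted_name(node):
    """'os.system' for os.system(...), 'eval' for eval(...), None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def shell_true(call):
    """True when the call passes the keyword shell=True as a literal."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def analyse(source, filename="<source>"):
    """Return sorted (line, rule_id, message) findings for the given source text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in NONLITERAL_SINKS:
            if node.args and not isinstance(node.args[0], ast.Constant):
                rule_id, message = NONLITERAL_SINKS[name]
                findings.append((node.lineno, rule_id, message))
        elif name and name.startswith("subprocess.") and shell_true(node):
            findings.append((node.lineno, "PY-SHELL-TRUE", f"{name} called with shell=True"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule_id, message in analyse(SAMPLE_SOURCE):
        print(f"<source>:{line}: {rule_id}: {message}")
```

    Note what the analyser can and cannot say: it reports that a non-literal value reaches eval() on line 8, but it cannot tell whether `user` is ever attacker-controlled at runtime, which is exactly the exploitability gap the paragraph above describes and the reason DAST and pen-test findings are needed to prioritise static results.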

    Software Composition Analysis

    Getting features to market faster than the competition almost always requires development teams to use at least one open-source library in their codebase. Third-party code is a necessity in modern software development and so is securing it. According to Veracode's State of Software Security: Open-Source Edition, 97.4 percent of the 85,000 apps scanned had an unfixed security flaw in an external library. The good news is that nearly 75 percent of the known flaws can be fixed with a version update. Veracode Software Composition Analysis (SCA) and other similar solutions automatically scan your libraries and their dependencies to find vulnerabilities and help you fix them.
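    What such a scan does at its core, as an added Python example that is not Veracode SCA: parse a pinned requirements file, match each package version against an advisory list with introduced/fixed version ranges, and report the version update that clears the advisories (the fix the paragraph says covers most known library flaws). The advisory records, their ids and the requirements file are constructed placeholders; a real tool pulls advisories from a vulnerability database and resolves transitive dependencies too.

```python
"""Minimal software composition analysis: pinned dependencies vs. an advisory list.

Added example, not Veracode SCA. The advisory records, their ids and the requirements
file are constructed placeholders; a real tool pulls advisories from a vulnerability
database and resolves transitive dependencies as well.
"""
import re

# Constructed advisories: package -> [(advisory id, introduced, fixed)], meaning
# versions with introduced <= version < fixed are affected.
ADVISORIES = {
    "examplelib": [("ADV-PLACEHOLDER-001", "1.0.0", "1.4.2")],
    "parsekit": [
        ("ADV-PLACEHOLDER-002", "0.0.0", "2.1.0"),
        ("ADV-PLACEHOLDER-003", "2.0.0", "2.3.1"),
    ],
}

# Constructed requirements.txt: two affected pins, one clean pin, one unpinned range.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
examplelib==1.3.0
parsekit==2.2.0   # would be a transitive dependency in a real tree
safelib==3.0.1
loosedep>=1.0
"""

_PINNED = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][\w.\-]*)$")
_NAME = re.compile(r"^([A-Za-z0-9_.\-]+)")


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); missing components are 0, non-numeric suffixes ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text):
    """Yield (name, version) for exact pins and (name, None) for anything else."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        m = _PINNED.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)
        else:
            n = _NAME.match(line)
            yield (n.group(1) if n else line).lower(), None


def scan(requirements_text, advisories=ADVISORIES):
    """Return (package, version, advisory_id, fixed_in) findings in file order.

    Unpinned entries are reported as 'UNPINNED': their version cannot be assessed
    from the file alone and may silently float into an affected range.
    """
    findings = []
    for name, version in parse_requirements(requirements_text):
        if version is None:
            findings.append((name, None, "UNPINNED", None))
            continue
        v = parse_version(version)
        for adv_id, introduced, fixed in advisories.get(name, []):
            if parse_version(introduced) <= v < parse_version(fixed):
                findings.append((name, version, adv_id, fixed))
    return findings


def minimum_safe_version(name, advisories=ADVISORIES):
    """Lowest version at or above every advisory's fix for the package, i.e. the
    single update that clears all listed advisories (assumes each advisory is one
    range with no later re-introduction)."""
    fixes = [parse_version(f) for _, _, f in advisories.get(name, [])]
    return ".".join(str(n) for n in max(fixes)) if fixes else None


if __name__ == "__main__":
    for name, version, adv_id, fixed in scan(SAMPLE_REQUIREMENTS):
        print(f"{name}=={version}: {adv_id}, fixed in {fixed}")
```

    Version ordering is the part that real tools get subtle: a naive string comparison would rank "2.10.0" below "2.9.0", so the example compares numeric tuples. It also treats an unpinned dependency as a finding in its own right, because a range that floats is a range a scan cannot vouch for.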

    Defense in depth

    If you conduct only SCA you're not protecting your entire codebase. If you conduct just SAST, you may introduce resource-related inefficiencies into the SDLC during remediation. If you conduct only MPT or DAST, you're finding flaws at a later, more expensive stage and putting increased pressure on development teams to find the flaw in the source code and remediate it quickly.

    To ensure that you get the most value out of your AppSec program, you should use DAST findings to configure SAST policies, and to inform SAST activities. A quick defense against something like an input/output validation problem found during a Veracode Dynamic Analysis scan is to implement a WAF rule that prevents unauthorized data from leaving the application. Once the vulnerability has been secured at that level, use Veracode Static Analysis to go deep into the source code to find and patch the flaw. Once the first-party code has been secured, integrate Veracode SCA into your development workflows to secure your third-party code. This ensures that you are not just relying on one control to prevent an attack.

    On top of this, it is critical to continue running MPT assessments to secure the flaws that automation can't find. You want to look at the hierarchies of the architecture to be sure that you are doing everything you can to secure each level. This complementary approach makes it easier to find exploitable flaws, remediate them quickly, and even learn secure coding to prevent them in future. According to the 11th edition of the State of Software Security report, organizations that scan with both SAST and DAST are likely to remediate 50 percent of their flaws 24.5 days quicker than if they only scanned with one technology. It's not hard to understand why: by seeing how an attack may be exploited at runtime, developers get an education in how to think like an attacker and may even be more motivated to fix other findings.

    In today's expanding threat landscape, DAST, SAST, SCA, and MPT provide a means for DevSecOps teams to secure their code and strengthen their AppSec programs before it's too late. To learn more about the strengths and weaknesses of the different types of application security technologies, check out our Guide to AppSec Solutions.

    Talkin’ About Infosec News – 12/14/2020

    Originally aired on December 14, 2020. Articles discussed in this episode:

    The post Talkin’ About Infosec News – 12/14/2020 appeared first on Black Hills Information Security.