About Kelly Sheridan, Staff Editor, Dark Reading


Businesses Struggle with Cloud Availability as Attackers Take Aim


Researchers find organizations struggle with availability for cloud applications as government officials warn of cloud-focused cyberattacks.

The majority of organizations have separate tools for networking and security, researchers report in a new survey on cloud and networking challenges. Their findings emerge as US government officials warn businesses of successful attacks on corporate cloud services.

Barracuda Networks today published a survey conducted by Censuswide, which polled more than 800 IT decision makers responsible for cloud infrastructure. The majority – 69% in the US and 56% overall – struggle to ensure availability and always-on access to cloud applications for employees. Most of the businesses say they're challenged with latency, downtime, and cost.

"The Internet is the core utility for us to get our day-to-day work done," says Sinan Eren, vice president of zero-trust access at Barracuda. "It's tougher for organizations to leverage the public Internet and grow their base of employees accessing these solutions on a daily basis."

Nearly 70% experience latency and performance issues running software-as-a-service (SaaS) workloads such as Office 365, researchers report, a trend they anticipate will continue. As businesses grow more dependent on the cloud, they encounter a number of constraints. Downtime is a constant issue; lack of bandwidth is a common complaint. Organizations using a traditional network that backhauls traffic through a centralized data center find users and networks suffer from latency. The cost of network infrastructure has proved a hurdle for businesses working to fix the problem.

More than 70% use traditional access methods, such as multiprotocol label switching (MPLS), in their networks. At least 60% say their MPLS costs significantly increase with seasonal workload peaks, while a similar number say they think MPLS lines are pricey and inflexible for their business needs.

"It does take a tremendous amount of investment to improve these workloads and improve the efficiency, performance, and latency," Eren says.

Most companies have historically used dedicated leased lines, such as MPLS lines, to interconnect network infrastructure, researchers note. These leases are typically long-term and don't scale up or down, often resulting in a mismatch in capacity. Organizations often find they're paying more than they should for capacity they may not necessarily need all the time.

Of the businesses surveyed, 86% have separate products that specifically focus on networking or security. Around the same amount believe security should be incorporated throughout the network, not only applied at the data center, and 70% say security is a primary concern for the organization when deploying an SD-WAN tool.

Dark Clouds Ahead

The cloud-related challenges companies face set a concerning stage for an alert published this week by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). US officials warn of "several recent successful cyberattacks against various organizations' cloud services," carried out by attackers exploiting poor cyber hygiene practices within a victim's cloud services configuration.

These attacks frequently occurred when a target organization's employees worked remotely and used a combination of corporate and personal devices to access cloud services, CISA states. Despite the use of security tools, poor user practices paved the way for successful attacks. Attackers used a variety of techniques – phishing, brute-force login attempts, and possibly a "pass the cookie" attack – to breach cloud services.

CISA warns of phishing emails with links to harvest credentials for cloud service accounts. With these credentials, the attackers were able to log in and send emails from the target user's account to other accounts in the same business.
In several instances, they say, attackers collected sensitive data by abusing email forwarding rules that employees had set up to send business emails to their personal accounts. In one case, they modified an email rule to redirect emails to an account controlled by the attackers. In other cases, attackers created new mailbox rules to forward specific emails with phishing-related keywords to the victim's RSS Feeds or RSS Subscriptions folder so as to hide warnings.

These attackers successfully breached one user protected with multifactor authentication. They attempted brute-force logins on some accounts, which were unsuccessful, officials say.

In response to the attacks detailed in the alert, CISA has compiled an extensive list of steps that organizations can take to strengthen their cloud security practices.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
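The mailbox-rule abuse CISA describes leaves a trail in the Exchange admin audit records (New-InboxRule and Set-InboxRule operations). The following is an added example, not tooling from CISA or Barracuda, of the check a defender would run over those records: it flags rules that forward or redirect mail to a domain outside the tenant, and rules that move messages matching phishing-related words into the RSS Feeds or RSS Subscriptions folder. The audit records, the internal domain (example.com) and the keyword list are constructed assumptions for the example.

```python
"""Flag suspicious inbox rules in Office 365 / Exchange Online audit records.

This is an added example, not tooling from CISA or Barracuda. It looks for the
two rule patterns the CISA alert describes: rules that forward or redirect mail
to an address outside the organization, and rules that move messages matching
phishing-related keywords into the RSS Feeds or RSS Subscriptions folder so
warnings go unseen. The records below are constructed; their shape (Operation,
UserId, Parameters as Name/Value pairs) follows the Exchange admin audit
records exported from the unified audit log, and the internal domain and
keyword list are assumptions for the example.
"""
import json
import re

INTERNAL_DOMAINS = {"example.com"}            # assumed tenant domain(s)
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
HIDE_FOLDERS = re.compile(r"RSS (Feeds|Subscriptions)", re.IGNORECASE)
PHISH_KEYWORDS = re.compile(r"phish|hack|spam|suspicious|malware|fraud|password", re.IGNORECASE)
ADDRESS_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def params_to_dict(record):
    """Collapse the audit record's Parameters list into a {Name: Value} dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_domains(value):
    """Recipient domains in a forward/redirect value that are not internal."""
    return sorted({d.lower() for d in ADDRESS_DOMAIN.findall(value)
                   if d.lower() not in INTERNAL_DOMAINS})


def evaluate_rule(record):
    """Return a list of finding strings for one record (empty when benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = params_to_dict(record)
    findings = []
    for name in FORWARD_PARAMS:
        if name in params:
            ext = external_domains(params[name])
            if ext:
                findings.append(f"{name} sends mail to external domain(s): {', '.join(ext)}")
    target = params.get("MoveToFolder", "")
    if HIDE_FOLDERS.search(target):
        conditions = "; ".join(params[k] for k in CONDITION_PARAMS if k in params)
        if PHISH_KEYWORDS.search(conditions):
            findings.append(f"hides messages matching {conditions!r} in folder {target!r}")
        else:
            findings.append(f"moves messages to unusual folder {target!r}")
    return findings


def scan_audit_log(lines):
    """Parse newline-delimited JSON audit records; return (user, rule name, findings)."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        findings = evaluate_rule(record)
        if findings:
            params = params_to_dict(record)
            rule_name = params.get("Name", params.get("Identity", "?"))
            results.append((record.get("UserId", "?"), rule_name, findings))
    return results


# Constructed sample: four rule changes, two of them suspicious.
SAMPLE_LOG = """\
{"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [{"Name": "Name", "Value": "Archive old mail"}, {"Name": "MoveToFolder", "Value": "Archive"}]}
{"Operation": "Set-InboxRule", "UserId": "bob@example.com", "Parameters": [{"Name": "Identity", "Value": "Copy to home"}, {"Name": "ForwardTo", "Value": "bob.personal@mail-example.net"}]}
{"Operation": "New-InboxRule", "UserId": "carol@example.com", "Parameters": [{"Name": "Name", "Value": "Cleanup"}, {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;hacked;suspicious"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "dave@example.com", "Parameters": [{"Name": "Name", "Value": "Team copy"}, {"Name": "ForwardTo", "Value": "team@example.com"}]}
"""

if __name__ == "__main__":
    for user, rule, findings in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(f"{user} rule {rule!r}:")
        for finding in findings:
            print("   -", finding)
```

Forwarding to an internal address (the last record) is deliberately not flagged; the signal CISA describes is mail leaving the tenant, and a rule that only touches folders is escalated when its conditions name phishing-related words, which is the hide-the-warning pattern.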

Published 2021-01-15T10:36:35-05:00

Microsoft Defender Zero-Day Fixed in First Patch Tuesday of 2021


Microsoft patched 83 bugs, including a Microsoft Defender zero-day and one publicly known elevation of privilege flaw.

Microsoft has released patches for 83 vulnerabilities on its first Patch Tuesday of 2021, which addresses 10 critical flaws, including one zero-day remote code execution bug in Microsoft Defender.

The fixes released today cover Microsoft Windows, the Edge browser, ChakraCore, Office and Microsoft Office Services and Web Apps, Microsoft Malware Protection Engine, Visual Studio, ASP.NET, .NET Core, and Azure. Of these, 73 are classified Important; one is publicly known. While 83 CVEs (common vulnerabilities and exposures) is much lower than the record monthly patch numbers Microsoft reported last year, it's 69% higher than the 49 patched in January 2020.

"If that's any indication, it means 2021 will be another banner year for Patch Tuesday vulnerability disclosures," says Satnam Narang, staff research engineer at Tenable.

CVE-2021-1647 is the critical bug in Microsoft's Malware Protection Engine already seen in the wild. Microsoft does not elaborate on these attacks or how widespread they are. It does say proof-of-concept code is available, though the code or technique may not work in all situations.

The vulnerable component is not bound to the network stack, so the attack vector is local: an attacker would need remote shell access such as SSH, local access to the machine itself, or a way to get a malicious file onto the system that triggers the bug, such as a user opening it. Microsoft rates user interaction as not required. Attack complexity is low, meaning attackers wouldn't require specialized access conditions to exploit the flaw, and they can expect repeatable success against the vulnerable component, Microsoft says in its disclosure. It also requires only low privileges: an attacker would need privileges that provide basic user capabilities, which normally only affect user-owned settings and files.

"Considering how prevalent Microsoft Defender is, this flaw provides attackers with a large attack surface," Narang says.

News of the zero-day and patch arrive weeks after Microsoft confirmed its network was among the thousands affected by infected SolarWinds software updates, and it admitted attackers were able to view its source code. While there are no details of attacks leveraging this zero-day, Dustin Childs of Trend Micro's Zero-Day Initiative (ZDI) acknowledges the possibility that this patch could be related to the compromise.

For many organizations, CVE-2021-1647 may already be patched. Microsoft often updates malware definitions and the Microsoft Malware Protection Engine. The default configuration for both businesses and individuals ensures both are automatically updated, the company says. Those whose systems are not connected to the Internet will need to manually apply the fix.

"For organizations that are configured for automatic updating, no actions should be required, but one of the first actions a threat actor or malware will try to attempt is to disrupt threat protection on a system so definition and engine updates are blocked," says Chris Goettl, senior director of product management and security at Ivanti. He advises security teams to ensure their Microsoft Malware Protection Engine is at Version 1.1.17700.4 or higher.

The ZDI publicly disclosed CVE-2021-1648, an important elevation of privilege flaw in the print driver host splwow64, after the fix exceeded ZDI's disclosure timeline. The flaw was also found by Google Project Zero researchers, and the patch corrects a bug introduced by an earlier patch. Like the zero-day patched this month, this vulnerability has low attack complexity, low required privileges, and does not require user interaction for exploitation, Microsoft reports.

"The previous CVE was being exploited in the wild, so it's within reason to think this CVE will be actively exploited as well," Trend Micro's Childs writes.

CVE-2021-1647 aside, the remaining Critical bugs are all remote code execution vulnerabilities. Five affect the Remote Procedure Call (RPC) runtime, including CVE-2021-1660, which has a CVSS score of 8.8 and is bound to the network stack. Microsoft says this can be exploited using a low-complexity attack and requires no privileges or user interaction. It's worth noting Microsoft also patched four additional RPC vulnerabilities that are classified as Important but have the same CVSS score and descriptors as the critical flaws. Microsoft now provides fewer details in patch descriptions, and it's unclear why some of these flaws are classified as Critical and others as Important.

This month's Critical bugs primarily affect the operating system, browser, and malware protection, Goettl notes. He urges businesses to also pay attention to Important updates, some of which address bugs in developer tools. "Your development teams need to be aware of what tools they are using and what vulnerabilities may be exposed," he explains.

Published 2021-01-15T10:36:44-05:00

Dark Web Forum Activity Surged 44% in Early COVID Months


Researchers analyzed the activity of five popular English- and Russian-speaking Dark Web forums and discovered exponential membership growth.

Dark Web forum activity grew 44% during the spring of 2020 compared with baseline numbers in January, researchers learned in a new analysis of COVID-19's effects on underground forums.

A team at cybersecurity company Sixgill analyzed five underground forums, chosen for their high volume of posts, low barrier to entry, and prominence, to investigate their user count and activity. At their peak, these forums had a combined total of 268,610 unique monthly users – up from 82,421 in January. Their compounded monthly growth rate ranged from 1% to 9.2%.

While the growth can be explained by more people stuck at home with little else to do, Sixgill security research lead Dov Lerner was surprised by the jump in activity. One site's growth did not hinder another's, a sign that participation on the Dark Web is growing.

"Everyone's stuck at home; people are bored and looking for something to do … I would have guessed that the number of [Dark Web] actors would rise as well," he says. "I did not expect it to rise 44%. That number really stood out as something very, very striking."

Earlier Sixgill reports detected an uptick in specific types of cybercrime on the Dark Web during the same spring 2020 timeframe, including the sale of gaming store accounts, compromised Remote Desktop Protocol (RDP) credentials, money laundering services, and narcotics.

The Forums

The forums are identified in the report as Forums A, B, C, D, and E. Researchers chose not to name the specific forums but say they are "extremely popular" and specifically focused on cybercrime. Four of the forums were English-speaking; one was Russian. While Russian is a prominent language on the Dark Web, Lerner hypothesizes Russian-speaking forums may have a smaller volume of posts, or Russian participants are joining large English-speaking forums.
These sites were broad in nature and ran the gamut of cybercrime, with the range of shared information spanning gaming cheats to compromised software. "They all deal in one way or another with the more heavy cybercrime," Lerner says. "In general, I think it's interesting how many topics coexist on these forums. These are very broad."

Forum activity was evaluated in terms of the number of posts. Users were only counted if they had created at least one, as researchers couldn't determine the number of registered users who hadn't contributed. In the first half of 2020, 85% of participants contributed ten or fewer posts, and only 2.1% wrote more than 51 posts, researchers report. Most forum users barely participate at all: the top 20% most active users account for nearly 75% of all posts.

There are many reasons why users might post infrequently, Lerner says. Some less experienced participants might be coming to learn, so they observe but don't contribute. Others may have wanted to dip their toes into the underground but then lost interest. Some users create "burner" accounts and post with a new username each time to maintain operational security.

All five forums analyzed experienced exponential growth, with the number of participants starting low and suddenly increasing over time. Each had different periods during which growth accelerated, and growth varied from forum to forum. The 44% increase researchers discovered is part of a trend toward higher participation overall, Lerner says. Many forums become popular through word of mouth as people share them with friends; from there, they can grow quickly.

Researchers are working to determine how long these forums last and what drives their growth. COVID-related growth aside, Lerner says a forum might become popular if it becomes known for a good or service in high demand. However, if something appears on one site, it can later be shared on others.
While all forums evaluated are still in operation, two of the oldest – founded in 2006 – are now seeing their activity begin to stagnate.

Published 2021-01-06T10:35:35-05:00

Microsoft Source Code Exposed: What We Know & What It Means


Microsoft says there is no increase in security risk; however, experts say access to source code could make some steps easier for attackers.

Microsoft confirmed last week that attackers were able to view some of its source code, which it found during an ongoing investigation of the SolarWinds breach. While its threat-modeling approach mitigates the risk of viewing code, many questions remain that could determine the severity of this attack.

In a blog post published on Dec. 31, 2020, officials said Microsoft has not found evidence of access to production services or customer data, nor has it discovered that its systems were used to attack other companies. The company has not found indications of common tactics, techniques, and procedures (TTPs) linked to abuse of forged SAML tokens against its corporate domains.

It did find an internal account had been used to view source code in "a number of code repositories," according to the blog post from the Microsoft Security Response Center (MSRC). This activity was unearthed when investigators noticed unusual activity with a small number of internal accounts, the post explains, and the affected account didn't have permissions to change any code or engineering systems. The accounts were investigated and remediated, officials noted.

The news began to generate attention in the security community, and with good reason: Microsoft's software is among the most widely deployed in the world, and organizations of all sizes rely on the company's products and services. It's an appealing target, in particular among advanced attackers like those behind the SolarWinds incident.

"It's something they can't access themselves, and there's a lot of assumption that there's super-secret things there that are going to compromise [their] security," says Jake Williams, founder and president of Rendition Infosec, regarding why businesses might understandably panic at the news.
While it's certainly concerning, and we don't know the full extent of what attackers could see, Microsoft's threat-modeling strategy assumes attackers already have some knowledge of its source code. This "inner source" approach adopts practices from open source software development and culture, and it doesn't rely on the secrecy of source code for product security.

"There are a lot of software vendors, and security vendors, that rely on the secrecy of their code to ensure security of applications," Williams explains. Microsoft made a big push for secure software development in Windows Vista. It didn't make the decision to open source the code but designed it with the assumption that could possibly happen someday. Source code is viewable within Microsoft, and viewing the source code isn't tied to heightened security risk. "If the code is all publicly released, there should not be new vulnerabilities discovered purely because that occurs," Williams adds.

Microsoft's practice isn't common; for most organizations, the process of adopting the same approach and revamping their existing code base is too much work. However, Microsoft is a big enough target, with people regularly reverse engineering its code, that it makes sense.

While attackers were only able to view the source code, and not edit or change it, this level of access could prove helpful with some things, for example writing rootkits. Microsoft, which did not provide additional detail for this story beyond its blog post, has not confirmed which source code was accessed and how that particular source code could prove helpful to an attacker. It's one of many questions that remain following Microsoft's update. What have the attackers already seen? Where was the affected code? Were the attackers able to access an account that allowed them to alter source code? There is still much we don't know regarding this intrusion.
This "inner source" approach still creates risk, writes Andrew Fife, vice president of marketing at Cycode, in a blog post on the news. Modern applications include microservices, libraries, APIs, and SDKs that often require authentication to deliver a core service. It's common for developers to write these credentials into source code with the assumption only insiders can see them.

"While Microsoft claims their 'threat models assume that attackers have knowledge of source code,' it would be far more reassuring if they directly addressed whether or not the breached code contained secrets," he writes. In the same way source code is a software company's IP, Fife adds, it can also be used to help reverse engineer and exploit an application.

This is an ongoing investigation, and we will continue to provide updates as they are known. In the meantime, Williams advises organizations to continue applying security patches as usual and stick with the infosec basics: review trust relationships, check your logging posture, and adopt the principles of least privilege and zero trust.

"Supply chain attacks are really difficult to defend against, and it really comes back to infosec foundations," he says. "If your model of protecting against an attack is 'give me an indicator of compromise and I will block that indicator,' that's '90s thinking."
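Fife's point is that source code whose secrecy is not a security boundary must then contain no secrets, and the only way to know is to look. The following is an added example, not Microsoft's or Cycode's tooling, of the scan a team would run before code leaves a repository: it matches well-known credential formats by pattern and flags high-entropy string literals assigned to secret-looking variable names, while skipping obvious placeholders. The sample source is constructed and every key in it is fake (the AWS values are the placeholder pair used in AWS documentation); the entropy threshold and keyword list are assumptions.

```python
"""Find credentials committed to source.

Added example for the point that source code often carries embedded secrets;
this is not Microsoft's or Cycode's tooling. It combines two checks: known
token formats (matched by regex) and high-entropy string literals assigned to
suspicious variable names, with obvious placeholders skipped. The sample source
below is constructed and every key in it is fake; the threshold and keyword
list are assumptions for the example.
"""
import math
import re

# Well-known credential formats. Each match is reported regardless of context.
PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "Slack token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# name = "literal" or name: "literal", where the name suggests a credential.
ASSIGNMENT = re.compile(
    r'''(?i)\b([a-z_]*(?:secret|password|passwd|token|api[_-]?key|private[_-]?key)[a-z_]*)\s*[:=]\s*["']([^"']{8,})["']'''
)
PLACEHOLDERS = re.compile(r"(?i)^(changeme|<.*>|\$\{.*\}|x{3,}|your[_-].*|\*+|password)$")
ENTROPY_THRESHOLD = 3.5   # bits per character; assumed cut-off for "looks random"


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text):
    """Return findings as (line_number, kind, matched_text) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if PLACEHOLDERS.match(value):
                continue                      # CHANGEME, <your-key>, ${VAR} and friends
            if any(p.search(value) for p in PATTERNS.values()):
                continue                      # already reported by the format check above
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, f"high-entropy {name}", value))
    return findings


# Constructed sample. The AWS values are the fake pair used in AWS documentation;
# the signing secret is a constructed random-looking string.
SAMPLE_SOURCE = '''\
import os

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = os.environ["DB_PASSWORD"]
api_key = "CHANGEME"
signing_secret = "q7Zp3xVb9LmT2wRk8sNdYc4fHj6gA1eU"
greeting = "hello world, this is not a secret"
'''

if __name__ == "__main__":
    for lineno, kind, text in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {text}")
```

Reading the password from the environment (line 5) and the placeholder (line 6) pass; the two AWS values and the random-looking signing secret are reported. The entropy check is what catches secrets with no recognizable format, at the cost of occasional false positives on hashes or test fixtures, which is why the placeholder filter exists.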

Published 2021-01-05T10:35:54-05:00

Remote Desktop Bugs: Patches That Took Priority in a Pandemic Year


Remote Desktop flaws were a patching priority this year as Microsoft distributed fixes and businesses scrambled to protect remote employees.

Microsoft patched a record number of common vulnerabilities and exposures (CVEs) in 2020, putting pressure on overwhelmed security teams to apply fixes and protect a growing number of remote employees. Many of these flaws affected Remote Desktop, a Windows service that proved critical for the newly remote workforce.

This year, Microsoft's monthly Patch Tuesday rollouts accumulated a total of 1,245 bugs fixed, which far exceeds the 840 patched in 2019 and numbers more than 2017 and 2018 combined, points out Satnam Narang, research engineer at Tenable. Most months brought at least 110 patches, with June and September marking the highest monthly count at 129 patches each.

"Just the sheer number of CVEs getting patched, especially from March to about September – we kept seeing 100 CVEs each month," Narang says. "Me and the team, we kept getting blown away by the sheer volume of them."

As security teams learned this year, many vulnerabilities Microsoft found and patched affected Windows Remote Desktop Protocol (RDP), Microsoft's protocol for enabling users to access Windows workstations or servers, as well as Remote Desktop Client, Remote Desktop Services, and Remote Desktop Gateway. While these all warranted priority patching before 2020, the COVID-19 pandemic and subsequent shift to work-from-home made them appealing targets.

"Because we are a remote workforce, anything that's going to impact the tools we need I think is going to be ripe for attack," says Dustin Childs of Trend Micro's Zero Day Initiative. "The two fertile areas for attacks are the tools remote workers use and the infrastructure that supports it."

This year attackers shifted their strategies from targeting applications, as they have in years past, to targeting protocols, Childs explains.
These include RDP in addition to DNS, which has been targeted with multiple bugs, TCP/IP, and SMB, which is "also still very popular," he adds.

Protocols are a broad target, and their complexities have been targeted for years, he continues. But as organizations grow more complex and add more systems, attackers are learning they can hit a lot of targets if they go after the underlying protocols. A stronger focus on application security is also pushing attackers to look for underlying targets to get past improved software defenses.

The most common type of attack targeting RDP is brute force: criminals attempt to find the username and password for an RDP connection by trying different combinations until one works. These attacks skyrocketed in early March, totaling 3.3 billion for the first 11 months of 2020, Kaspersky research shows. They numbered 969 million during the same period in 2019.

It's not surprising that Remote Desktop was heavily targeted this year, says Andrew Brandt, principal researcher with Sophos. Organizations with thousands of employees placed critical data on a segment of their networks and limited them to internal access. Now workers need to get to those assets from home. "There's the twin challenges of protecting our stuff and making it so our employees aren't impeded from being able to work," he explains. It's a difficult balance to strike because the two goals "sometimes work at opposite ends."

A Historically Hot Target

RDP vulnerabilities came under the spotlight in 2019 with the widely reported BlueKeep and DejaBlue flaws. While none of the bugs patched this year merited a name, Narang notes RDP flaws should always capture the attention of security teams. Not only are they invaluable to criminals seeking data and funds, they're the "bread and butter" for ransomware operators.

Attackers who seek to take over a system, whether it's RDP or something else in a business, typically have two goals.
They could establish persistence by setting up a backdoor to ensure their access isn't cut off, or they could pivot to take over the domain controller, Exchange server, or SharePoint server to see whether they can work their way around the environment, Childs says. From there, it's a matter of what they want to do, whether it's to deploy ransomware or steal data.

A dangerous trait of RDP exploits is that they're typically invisible to employees. Whether security teams see a red flag depends on the type of logging they have and how closely those logs are monitored. With RDP, it also depends on your network intrusion detection/prevention setup. At a time when security analysts are overwhelmed with alerts, these may slip through the cracks.

The severity of a flaw often depends on where it is: vulnerabilities in Remote Desktop Server, for example, are considered more severe than those in Remote Desktop Client, Childs continues. "If you can take over the Remote Desktop Server, that's usually going to be something you can do unauthenticated remotely and that gets you a lot of code execution power," he explains. "Those are the ones we saw that could actually be wormable," a trait of the RDP flaw BlueKeep.

Flaws in Remote Desktop Client usually require a man-in-the-middle attack, or sending a victim to a malicious Remote Desktop Server. This additional step is often a factor in whether a bug is classified as critical or important, Childs points out. If man-in-the-middle or authentication is required, a critical vulnerability may be considered important. Experts warn teams to consider how their businesses use a service instead of relying on a rating system to prioritize patches.

"Severity is based on not just the complexity of being able to accomplish a specific exploit … but also based on things like how widely distributed is this particular vulnerable application, and what are the mitigating circumstances by which you have to have the app configured so the exploit is functional as opposed to theoretical," Brandt says. In some cases, Sophos' offensive security team found important flaws to be "pretty severe" when given the right information.

Ultimately, the decision of whether a vulnerability is critical is a judgment call, Childs says. Either a security leader can make the call or they have to really trust the person making it. "In my environment, I know we use RDP extensively, so anything that comes out I'm going to treat it as critical," he continues. "I don't care if it's post-authentication. I don't care if it's man-in-the-middle. I'm going to treat it as critical in our environment because I know how much we rely on RDP." If a business doesn't rely on RDP, these patches may be secondary, he adds.

More Bugs Found, More Bugs Patched

The spike in security flaws discovered and fixed this year may at first cause alarm among people worried about increasingly vulnerable tools and services. But security experts, both at Microsoft and security companies, attribute the growth to higher participation in bug-bounty programs and a stronger focus on defensive security during a year when remote work became the norm.

"When quarantine kicked off, we did a huge strategy sync around, 'How do we protect our customers?'" says Ron Aquino, head of platform security and mitigations at Microsoft. "One of the things that jumped out at us is there are certain protocols that are very important for work-from-home."

RDP became a major area of focus, he continues. The team made a "huge push" to review RDP, especially code that may have been legacy code built a long time ago, for vulnerabilities.
Many of these patches, especially those for RDP, apply to customers who adjust the default configuration. Aquino notes those who stick with RDP's default settings and follow best practices are secure.

During this time, Microsoft decided to pivot its bug bounty program and introduce scenarios to help researchers decide where they should focus their efforts, adds Justin Campbell, principal group engineering manager with Microsoft Security. By the end of July, they had updated their bounty with new increased payouts: up to $100,000 USD for remote code execution flaws that didn't require authentication.

"We did that for several categories we thought would be especially impactful, but we try to not specify specific targets because we don't want to give researchers blinders," he says. "We want to have them exploring the spaces where we aren't already looking, if there is such a place."

While Campbell says these incentives were partly responsible for the growth in bug-bounty participation, data shows a surge in security researchers signing up to submit vulnerabilities during the pandemic. More businesses are adopting vulnerability disclosure programs (VDPs), and hackers are showing interest, especially in the industries where they're already active.
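The article notes that brute force is the most common attack against RDP and that whether anyone notices depends on what is logged and who reads it. The following is an added example, not code from the article, Microsoft, Kaspersky or Sophos, of the detection a defender would run over Windows Security log events: it groups failed logons (Event ID 4625) by source address in a sliding window, flags a burst as brute force or a password spray depending on how many accounts were tried, and raises a successful logon (4624) from a flagged source separately, since that is the case where the guessing worked. The events are constructed; the field names (TargetUserName, IpAddress, LogonType) follow the Security event schema, and the thresholds are assumptions.

```python
"""Detect RDP credential guessing in Windows Security log events.

Added example, not from the article, Microsoft, Kaspersky or Sophos. It groups
failed logons (Event ID 4625) by source address inside a sliding time window
and flags a burst, the trace a brute-force or password-spray attack against an
exposed RDP listener leaves in the Security log. A successful logon (4624)
from a flagged address after the burst is raised separately, because that is
the case where the guessing worked. The events below are constructed; the
field names follow the Security event schema (TargetUserName, IpAddress,
LogonType), and the thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

THRESHOLD = 5                   # failures from one source ...
WINDOW = timedelta(minutes=2)   # ... within this window
SPRAY_ACCOUNTS = 3              # this many distinct accounts in the window => spray
# 10 = RemoteInteractive (RDP); 3 = Network (RDP with NLA logs failures here); 7 = Unlock
RDP_LOGON_TYPES = {10, 3, 7}


def parse_events(lines):
    """Parse newline-delimited JSON events and sort them by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["TimeCreated"])
        events.append(e)
    events.sort(key=lambda e: e["time"])
    return events


def detect_bruteforce(events):
    """Return alerts as dicts with source, kind, count, accounts and time."""
    alerts = []
    recent = defaultdict(deque)  # source ip -> (time, account) of 4625s inside WINDOW
    flagged = {}                 # source ip -> time the burst alert fired
    for e in events:
        if int(e.get("LogonType", 0)) not in RDP_LOGON_TYPES:
            continue
        ip = e.get("IpAddress", "-")
        if e["EventID"] == 4625:
            q = recent[ip]
            q.append((e["time"], e.get("TargetUserName", "?")))
            while q and e["time"] - q[0][0] > WINDOW:
                q.popleft()      # drop failures that fell out of the window
            if len(q) >= THRESHOLD and ip not in flagged:
                flagged[ip] = e["time"]
                accounts = sorted({user for _, user in q})
                alerts.append({
                    "source": ip,
                    "kind": "password spray" if len(accounts) >= SPRAY_ACCOUNTS else "brute force",
                    "count": len(q),
                    "accounts": accounts,
                    "time": e["time"].isoformat(),
                })
        elif e["EventID"] == 4624 and ip in flagged:
            alerts.append({
                "source": ip,
                "kind": "success after burst",
                "count": 1,
                "accounts": [e.get("TargetUserName", "?")],
                "time": e["time"].isoformat(),
            })
    return alerts


# Constructed sample: six failures in 50 seconds from 192.0.2.10 followed by a
# success, a slow trickle from 198.51.100.7 that stays under the threshold, and
# one console failure (LogonType 2) that the RDP filter ignores.
SAMPLE_EVENTS = "\n".join(
    [json.dumps({"EventID": 4625, "TimeCreated": f"2020-11-03T08:00:{10 * i:02d}+00:00",
                 "TargetUserName": "Administrator", "IpAddress": "192.0.2.10", "LogonType": 10})
     for i in range(6)]
    + [json.dumps({"EventID": 4624, "TimeCreated": "2020-11-03T08:01:30+00:00",
                   "TargetUserName": "Administrator", "IpAddress": "192.0.2.10", "LogonType": 10})]
    + [json.dumps({"EventID": 4625, "TimeCreated": t, "TargetUserName": "jsmith",
                   "IpAddress": "198.51.100.7", "LogonType": 3})
       for t in ("2020-11-03T08:05:00+00:00", "2020-11-03T08:09:00+00:00", "2020-11-03T08:13:00+00:00")]
    + [json.dumps({"EventID": 4625, "TimeCreated": "2020-11-03T08:07:00+00:00",
                   "TargetUserName": "jdoe", "IpAddress": "127.0.0.1", "LogonType": 2})]
)

if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_EVENTS.splitlines())):
        print(f"{alert['time']} {alert['source']} {alert['kind']} "
              f"({alert['count']} events, accounts: {', '.join(alert['accounts'])})")
```

The burst fires on the fifth failure, not the sixth, and the later success from the same address is the alert worth paging on. The trickle of three failures spread over eight minutes never fills the window, which is the trade-off the window length sets: a slower attacker needs a longer window or a per-account view to catch.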

Published 2020-12-29T10:35:26-05:00

Lazarus Group Seeks Intelligence Related to COVID-19


Researchers attribute attacks targeting a pharmaceutical company and a government ministry related to COVID-19 response.

Security researchers have linked Lazarus Group with two attacks targeting institutions related to COVID-19 vaccine development and response. Their data indicates the North Korea-backed group, best known for hacking for financial gain and even sabotage, is strongly interested in COVID-19 intelligence.

The Kaspersky research team reports Lazarus Group targeted a pharmaceutical company at the end of September; during its investigation, it found the group had also targeted a Ministry of Health related to COVID-19 response. While each attack used different tactics, techniques, and procedures, researchers found connections between them and attribute the activity to Lazarus Group "with high confidence."

On Oct. 27, 2020, two Windows servers were compromised at a Ministry of Health. Researchers were unable to identify the attack vector but confirm a sophisticated malware cluster, dubbed "wAgent," was installed on the servers. The malware's main component only works in memory, they say, and it fetches additional payloads from a remote server. In this attack, the malware was directly executed on the victim's machine.

Using the wAgent backdoor, the attacker installed an additional wAgent payload with a persistence mechanism. This wAgent installer works similarly to the wAgent malware loader, and it is tasked with loading an embedded payload after decrypting it with a 16-byte key from the command line. In the decrypted payload, the malware creates a file path to carry out the infection. The final payload fetches additional payloads from the command-and-control (C2) server, possibly a fully featured backdoor, and loads them in memory, researchers explain in a writeup of the findings.

The wAgent malware used here has the same infection scheme as attacks on cryptocurrency businesses involving Lazarus Group, they note.
The cases employed a similar malware naming scheme, used a Security Support Provider as a persistence mechanism, and have "almost identical" debugging messages. A different payload, dubbed Bookcode malware, was used in the Sept. 25 incident targeting a pharmaceutical company. Lazarus Group had previously deployed Bookcode in an attack on a South Korean software company, possibly targeting its source code or supply chain. It has also been spotted distributing Bookcode via spear-phishing or website compromise in earlier attacks. Researchers have previously determined that Bookcode is exclusively used by Lazarus Group. The victim organization in this case is authorized to produce and distribute COVID-19 vaccines and has one in development, researchers say. The researchers were able to identify a loader sample, a file tasked with loading an encrypted payload in the system folder. After decrypting this, the loader finds the Service Host Process with certain parameters and injects the payload into it.  Once the malware is started, it sends data about the victim to the attackers' infrastructure. After communicating with the C2 server, it provides backdoor functionalities. The campaign deploying the Bookcode cluster is intended to extract information from the infected host, including password hashes, researchers explain. It also uses Windows commands to check network connectivity and uses the WakeMeOnLan tool to scan hosts in the same network. In working with the pharmaceutical firm to remediate the attack, the Kaspersky team found an additional configuration file containing four C2 servers, all of which are compromised servers located in South Korea.  "These two incidents reveal Lazarus Group's interest in intelligence related to COVID-19," says Kaspersky security expert Seongsu Park. "While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well." 
Kaspersky believes all entities involved in vaccine research, crisis response, and related activities should be on high alert for cyberattacks, Park adds.  Today's update arrives amid ongoing attacks targeting the COVID-19 vaccine supply chain. Earlier this month, researchers with IBM Security's X-Force reported a spear-phishing campaign targeting individuals across several organizations involved with the supply chain. The activity, which appeared designed to harvest credentials for future attacks, threatens components and participants in the "cold chain" that ensures vaccines are stored and transported safely. Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio Recommended Reading: More Insights

Published 2020-12-24T10:36:12-05:00

Microsoft Ups Security of Azure AD, Identity


A roundup of Microsoft's recent security news and updates that focus on protecting identity.

Microsoft's latest security announcements have focused on securing Azure AD and Identity. Updates include stronger compromise prevention for Azure AD, a zero-trust business plan, and some changes to managing user authentication in Azure Portal. Since it's a lot of news to work through, below is a recap of the highlights.

The updated Azure AD compromise prevention system, released last week, still uses supervised machine learning but expands the features and process used to train the model. This model, Microsoft says, aims to provide more accurate risk assessments by flagging more suspicious activity while reducing the number of false alarms. Its system pulls data from several sources, including user behavior, threat intelligence, network intelligence, and device intelligence. Known good or bad sign-ins, called "labels," help teach the algorithm how to differentiate between the two. All of this intelligence is used to train new machine learning models, which are deployed to the Azure AD authentication service and used to evaluate 30 billion authentications daily, Microsoft reports.

News of the Azure AD update arrived shortly after news of the SolarWinds breach began to make headlines. Reports indicate intruders used multiple attack vectors, one of which was distributing malware hidden in SolarWinds Orion network management software. The other, CISA reports, may have involved a multifactor authentication bypass, done by accessing a secret key from the Outlook Web App server. Late last week, Microsoft confirmed its network was breached.

Earlier this month, Microsoft released a zero-trust business plan to provide guidance for organizations starting the zero-trust implementation process. The document, which includes lessons learned from leaders who oversaw zero-trust adoption in their own environments, lays out the process of planning, implementing, and measuring success of a zero-trust deployment.

Some of the new features we saw come from Microsoft in recent weeks include updates to managing user authentication methods in Azure Portal. The new UX design lets admins add, edit, and delete users' authentication phone numbers and email addresses. As authentication methods are released in coming months, they'll appear and be managed in the same interface.

As part of usability improvements, Microsoft is simplifying how phone numbers are managed in Azure AD. Users now have two sets of phone numbers: a public number that is managed in the user profile and never used for authentication, and an authentication number managed under authentication methods and kept private. This will be available to all Directory-synced tenants by 2021.

Microsoft is also releasing new APIs to beta in Microsoft Graph. New authentication method APIs can be used to read and remove a user's FIDO2 security keys; read and remove a user's Passwordless Phone Sign-In capability with Microsoft Authenticator; and read, add, update, and remove a user's email address for Self-Service Password Reset.

Microsoft Authenticator will be updated with password management and autofill capabilities, which were made available for public preview last week. Authenticator will autofill passwords, which can be synced across mobile and desktop devices. Microsoft notes this is currently limited to Microsoft accounts and not available for Azure AD-based work or school accounts.

Azure AD Application Proxy, which provides secure remote access to on-premises applications, will now support more applications, including those that use headers for authentication such as Peoplesoft, NetWeaver Portal, and WebCenter, Microsoft announced earlier this month. The new support started in public preview on Dec. 1. To connect a header-based authentication application to Application Proxy, users will need Application Proxy enabled in their tenant and have at least one connector installed, Microsoft says. Its full blog post on the announcement has additional steps.

Published 2020-12-23T10:40:28-05:00