The Real Cost of Microsoft 365 Revealed

Estimating the real cost of a technology solution for a business can be challenging. There are obvious costs as well as many intangible costs that should be taken into account.

For on-premises solutions, people tend to include licensing and support maintenance contract costs, plus server hardware and virtualization licensing costs. For Software as a Service (SaaS) cloud solutions, it seems like it should be easier since there’s no hardware component, just the monthly cost per licensed user, but this simplification can be misleading.

In this article we’re going to look at the complete picture of the cost of Microsoft 365 (formerly Office 365), how choices you as an administrator make can directly influence costs, and how you can help your business maximize the investment in OneDrive, SharePoint, Exchange Online and other services.

The Differences Between Office 365 & Microsoft 365

As covered in our article about the death of Office 2019, there are naming changes afoot in the Office ecosystem. The personal Office 365 subscriptions have been renamed Microsoft 365 Family (up to six people) and Microsoft 365 Personal, and the Office 365 Business SKUs, which top out at 300 users, have also been renamed. The new SKUs are Microsoft 365 Business Basic, Apps, Standard, and Premium.

There’s no reason to believe that this name change won’t eventually extend to the Enterprise SKUs, but until it does, from a licensing cost perspective it’s important to separate the two. Office 365 E1, E3 and E5 give you the well-known “Office” applications, either web-based or on your device, along with SharePoint Online, Exchange Online and OneDrive for Business in the cloud backend.

Microsoft 365 F3, E3 and E5, on the other hand, include everything from Office 365 plus Azure Active Directory Premium features (identity security), Enterprise Mobility & Security (EMS) / Intune for Mobile Device Management (MDM) and Mobile Application Management (MAM), along with Windows 10 Enterprise.

Comparing M365 plans


So, a decision that needs to be looked at early when you’re looking to optimize your cloud spend is whether your business is under 300 users and likely to stay that way for the next few years. If that’s the case you should definitely look at the M365 Business SKUs as they may fulfil your business needs, especially as Microsoft recently added several security features from AAD Premium P1 to M365 Business.

If you’re close to 300, expecting to grow or already larger, you’re going to have to pick from the Enterprise offerings. The next question is then, what’s the business need – do you just need to replace your on-premises Exchange and SharePoint servers with the equivalent cloud-based offerings? Or is your business looking to manage corporate-issued mobile devices (smartphones and tablets) with MDM or protect data on employee-owned devices? The latter is known as Bring Your Own Device (BYOD), sometimes called Bring Your Own Disaster. If you have those needs (and no other MDM in place today), the inclusion of Intune in M365 might be the clincher. If, on the other hand, you need to protect your on-premises Active Directory (AD) against attacks using Azure Advanced Threat Protection (AATP) or inspect, understand and manage your users’ cloud usage through Microsoft Cloud App Security (MCAS), you’ll also need M365 E5, rather than just O365.

Microsoft 365 Cloud app security dashboard


The difference is substantial: outfitting 1000 users with O365 E3 will cost you $240,000 per year, whereas moving up to M365 E3 will cost you $384,000. And springing for the whole enchilada with every security feature available in M365 E5 will cost you $684,000, nearly 3X the cost of O365 E3. Thus, you need to know what your business needs and tailor the subscriptions accordingly (see below for picking individual services to match business requirements).

Note that if you’re in the education sector you have different options (O365 A1, A3, and A5 along with M365 A1, A3, and A5) that are roughly equivalent to the corresponding Enterprise offerings but less costly. And charities/not-for-profits have options as well for both O365 and M365: M365 Business Premium is free for up to 10 users for charities and $5 per month for additional users.

A la carte Instead of Bundles

There are two ways to optimize your subscription spend in O365 / M365. Firstly, you can mix licenses to suit the different roles of workers in your business. For instance, the sales staff in your retail chain stores are assigned O365 E1 licenses ($8 / month) because they only need web access to email and documents, the administrative staff in head office use O365 E3 ($20 / month) and the executive suite and other high-value personnel use the full security features in E5 ($35 / month). Substitute M365 F3, E3, and E5 in that example if you need the additional features in M365.

Secondly, you don’t have to use the bundles that are encapsulated in the E3, E5, etc. SKUs, and you can instead pick exactly the standalone services you need to meet your business needs. Maybe some users only need Exchange Online whereas other users only need Project Online. The breakdown of exactly what features are available across all the different plans and standalone services is beyond the scope of this article but the O365 and M365 service descriptions are the best places to start investigating.

Excerpt from the O365 Service Description


And if you’re a larger business (500 users+) you’re not going to pay list prices and instead these licenses will probably be part of a larger, multi-year, enterprise agreement with substantial discounts.

If You Hate Change

If you want to stay on-premises, Exchange Server 2019 is available (it only runs on Windows Server 2019), as is SharePoint Server 2019, and you can even buy the “boxed” version of Office 2019 with Word, Excel, etc. with no links to the cloud whatsoever. This is an option that moves away from the monthly subscription cost of M365 (there’s no way to “buy” M365 outright) and back to the traditional way of buying software packages every 2-5 years. Be aware that these on-premises products do NOT offer the same rich features that O365 / M365 provides, whether it’s the super-tight integration between Exchange Online and SharePoint Online, cloud-only services like Microsoft Teams that build on top of the overall O365 fabric, or AI-powered design suggestions in the O365 versions of Word or PowerPoint. There’s no doubt that Microsoft’s focus is on cloud services; these are updated with new features on a daily basis, instead of every few years. If your business is looking to digitally transform, towards tech intensity (two recent buzzwords in IT with a kernel of truth in them), using on-premises servers and boxed software licensing is NOT going to get you there. But if you want to keep going like you always have, it’s an option.

And if you’re looking at this from a personal point of view, a free Microsoft account through Outlook.com does give you access to Office Online: Word, Excel, and PowerPoint in a browser. There’s even a free version of Microsoft Teams available.

Transforming your Business

There’s a joke going around at the moment about the Covid-19 pandemic bringing digital transformation to many businesses in weeks that would have taken years to achieve without it. There’s no doubt that adopting the power of cloud services has the power to truly change how you run your business for the better. A good example is moving internal communication from email to Teams, including voice and video calls and perhaps even replacing a phone system with cloud-based phone plans.

But these business improvements depend on the actual adoption of these new tools. And that requires a mindset shift for everyone. Start with your IT department: if they still see M365 as just cloud-hosted versions of their old on-premises servers, they’re missing the much bigger picture of the integrated platform that O365 has become. Examples include services such as Data Loss Prevention (DLP), unified labeling and automatic encryption/protection of documents and data, and unified audit logging that spans ALL the workloads. So, make sure you get them on board with seeing O365 as a technology tool to transform the business, not just a place to store emails and documents in OneDrive. And adding M365 unlocks massive security benefits, enabling zero-trust (incredibly important as everyone is working from home), identity-based perimeters, and cloud usage controls. But if your IT or security folks aren’t on board with truly adopting these tools, they’re not going to make you any more secure. Here’s free IT administrator training for them.

Finally, you’re going to have to bring all the end-users on board with a good Adoption and Change Management (ACM) program, helping everyone understand these new services and what they can do to make their working lives better. This includes training but make sure you look to short, interactive, video-based modules that can be applied just when the user needs coaching on a particular tool, not long classroom-based sessions.

And all of that, for all the different departments, isn’t a once-off when you migrate to O365, it’s an ongoing process because the other superpower of the cloud is that it changes and improves ALL the time. This means you’ll need to assign someone to track the changes that are coming/in preview and ensure that the ones that really matter to your business are understood and adopted. The first place to look is the Microsoft 365 Message Center in the portal where you can also sign up for regular emails with summaries of what’s coming. Another good source is the Office 365 Weekly Blog.

M365 portal Message Center


To help you track your usage and adoption of the different services in O365 there is a usage analytics integration with PowerBI. Use this information to firstly see where adoption can be improved and take steps to help users with those services and secondly to identify services and tools that your business isn’t using and perhaps don’t need, giving you options for changing license levels to optimize your subscription spend.

PowerBI O365 Usage Analytics (courtesy of Microsoft)

Closing Notes

There’s another factor to consider as you’re moving from on-premises servers to Microsoft 365 and that’s the changing tasks of your IT staff. Instead of swapping broken hard drives in servers these people now need to be able to manage cloud services and automation with PowerShell and most importantly, see how these cloud services can be adopted to improve business outcomes.

A further potential cost to take into account is backup. Microsoft keeps four copies of your data, in at least two datacentres so they’re not going to lose it but if you need the ability to “go back in time” and see what a mailbox or SharePoint library looked like nine months ago, for instance, you’ll need a third-party backup service, further adding to your monthly cost.

And that’s part of the overall cost of using O365 or M365: training staff, adopting new features, different tasks for administrators and managing change all require people and resources, in other words, money. And that’s got to be factored into the overall cost of using Microsoft 365; it’s not just the monthly license cost.

The final question is of course – is it worth it? Speaking as an IT consultant with clients (including a K-12 school with 100 students) who recently moved EVERYONE to work and study from home, supported by O365, Teams, and other cloud services, the answer is a resounding yes! There’s no way we could have managed that transition with only on-premises infrastructure to fall back on.

Source :
https://www.altaro.com/microsoft-365/real-cost-m365/

New Browser-in-the-Browser (BITB) Attack Makes Phishing Nearly Undetectable

Browser-in-the-Browser

A novel phishing technique called browser-in-the-browser (BitB) attack can be exploited to simulate a browser window within the browser in order to spoof a legitimate domain, thereby making it possible to stage convincing phishing attacks.

According to a penetration tester and security researcher who goes by the handle mrd0x on Twitter, the method takes advantage of third-party single sign-on (SSO) options embedded on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft).

While the default behavior when a user attempts to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window.


“Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it’s basically indistinguishable,” mrd0x said in a technical write-up published last week. “JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc.”

Interestingly, the technique has been abused in the wild at least once before. In February 2020, Zscaler disclosed details of a campaign that leveraged the BitB trick to siphon credentials for video game digital distribution service Steam by means of fake Counter-Strike: Global Offensive (CS: GO) websites.

“Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of homograph in the domain, among others,” Zscaler researcher Prakhar Shrotriya said at the time.

“In this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using HTTPS. But when we try to drag this prompt from the currently used window, it disappears beyond the edge of the window as it is not a legitimate browser pop-up and is created using HTML in the current window.”

While this method makes it significantly easier to mount effective social engineering campaigns, it’s worth noting that potential victims still need to be redirected to a phishing domain that can display such a fake authentication window for credential harvesting.

“But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so),” mrd0x added.

Source :
https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html

New Dell BIOS Bugs Affect Millions of Inspiron, Vostro, XPS, Alienware Systems

Five new security weaknesses have been disclosed in Dell BIOS that, if successfully exploited, could lead to code execution on vulnerable systems, joining the likes of firmware vulnerabilities recently uncovered in Insyde Software’s InsydeH2O and HP Unified Extensible Firmware Interface (UEFI).

Tracked as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421, the high-severity vulnerabilities are rated 8.2 out of 10 on the CVSS scoring system.

“The active exploitation of all the discovered vulnerabilities can’t be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement,” firmware security company Binarly, which discovered the latter three flaws, said in a write-up.

“The remote device health attestation solutions will not detect the affected systems due to the design limitations in visibility of the firmware runtime.”

All the flaws relate to improper input validation vulnerabilities affecting the System Management Mode (SMM) of the firmware, effectively allowing a local authenticated attacker to leverage the system management interrupt (SMI) to achieve arbitrary code execution.

System Management Mode refers to a special-purpose CPU mode in x86 microcontrollers that’s designed for handling system-wide functions like power management, system hardware control, thermal monitoring, and other proprietary manufacturer-developed code.

Whenever one of these operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. Given that SMM code executes at the highest privilege level and is invisible to the underlying operating system, the method makes it ripe for abuse to deploy persistent firmware implants.

A number of Dell products, including the Alienware, Inspiron and Vostro line-ups and the Edge Gateway 3000 Series, are impacted, with the Texas-headquartered PC manufacturer recommending that customers upgrade their BIOS at the “earliest opportunity.”

“The ongoing discovery of these vulnerabilities demonstrates what we describe as ‘repeatable failures’ around the lack of input sanitation or, in general, insecure coding practices,” Binarly researchers said.

“These failures are a direct consequence of the complexity of the codebase or support for legacy components that get less security attention, but are still widely deployed in the field. In many cases, the same vulnerability can be fixed over multiple iterations, and still, the complexity of the attack surface leaves open gaps for malicious exploitation.”

Source :
https://thehackernews.com/2022/03/new-dell-bios-bugs-affect-millions-of.html

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

Problem

It’s time to start planning! Microsoft will stop their browsers displaying the ‘lock’ icon for services that are secured with a certificate that uses SHA1. This is going to happen in February 2017 so now’s the time to start thinking about testing your PKI environment, and making sure all your applications support SHA2.

Note: This includes code that has been signed using SHA1 as well!

Solution

Below I’m just using an ‘offline root CA’ server. If you have multi-tiered PKI deployments, then start at the root CA, fix that, then reissue your Sub CA certificates to your intermediate servers, fix them, then repeat the process for any issuing CA servers. Obviously if you only have a two-tier PKI environment you will only need to do the root and Sub CA servers.

For your Sub CAs see PART TWO of this article.

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

What about certificates that have already been issued? 

We are NOT going to revoke any CA certificates that have already been issued so existing certificates will remain unaffected.

Here we can see my CA server is using SHA1

Note: If your server says the provider is Microsoft Strong Cryptographic Provider and not Microsoft Software Key Storage Provider then skip down a bit.

Offline Root CA Vanilla

You may have multiple Certificates (that is not unusual).

Open a PowerShell Window (run as administrator), issue the following command;

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Restart Certificate Services.

net stop certsvc
net start certsvc

Now you need to generate a new CA certificate.

Renew CA Certificate

Now you can see your new cert is using SHA256.

Change CA to Sha256

Mine Won’t Change From SHA1?

That’s because your cryptographic provider does not support anything higher than SHA1. For example, the command to change to SHA256 was successful, but the new certificate still says SHA1. If you look, the Provider is set to ‘Microsoft Strong Cryptographic Provider’.

CA cannot upgrade from SHA1 to SHA2

As you can see, the strongest hash algorithm that provider supports is SHA1, which is why it refuses to change.

Microsoft Strong Cryptographic Provider

How Do I Change the CA Cryptographic Provider?

Make a backup of the CA Settings and the CA registry Settings.

Backup-CARoleService -Path C:\CA-Backup -Password (Read-Host -Prompt "Enter Password" -AsSecureString)
TYPE IN A PASSWORD
reg export HKLM\SYSTEM\CurrentControlSet\services\CertSvc c:\Reg-Backup\CAregistry.reg

Note: You might want to create the Reg-Backup folder first and grant some rights to it.

Now we need to delete the certificates this CA uses (don’t panic, we’ve backed them up!). But first we need to find the certificate hashes to delete. Open an administrative PowerShell window, stop Certificate Services, and then issue the following command;

Note: ROOT-CA is the name of YOUR CA.

Stop-Service certsvc

certutil -store my ROOT-CA > output.txt

Open output.txt, then take a note of the hashes for the certificate(s)

Output CA Cert Hash

Then, in the same administrative PowerShell window, delete them (Del is an alias for Remove-Item, and -DeleteKey removes the private key along with the certificate);

cd cert:\localmachine\my
Del -DeleteKey <Certificate HASH>

Now we need to import the p12 file we backed up earlier, then export that as a PFX file. Change ROOT-CA to the name of YOUR CA, and the path to your backup folder and certificate as appropriate.

certutil -csp "Microsoft Software Key Storage Provider" -importpfx C:\CA-Backup\ROOT-CA.p12
certutil -exportpfx my ROOT-CA C:\CA-Backup\Exported-ROOT-CA.pfx
ENTER AND CONFIRM A PASSWORD

Then restore the key from your PFX file.

certutil -restorekey C:\CA-Backup\Exported-ROOT-CA.pfx

Now you need to import a couple of Registry files. In the examples below, replace ROOT-CA with the name of your CA.

Change CA SHA Settings

Save the file as CA-Registry-Merge.reg (set the save as file type to All Files)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ROOT-CA\CSP] 
"ProviderType"=dword:00000000 
"Provider"="Microsoft Software Key Storage Provider" 
"CNGPublicKeyAlgorithm"="RSA" 
"CNGHashAlgorithm"="SHA1" 

Merge the file into the registry.


Repeat the process with the following registry file; save this one as CA-Registry-Merge2.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ROOT-CA\EncryptionCSP] 
"ProviderType"=dword:00000000 
"Provider"="Microsoft Software Key Storage Provider" 
"CNGPublicKeyAlgorithm"="RSA" 
"CNGEncryptionAlgorithm"="3DES" 
"MachineKeyset"=dword:00000001 
"SymmetricKeySize"=dword:000000a8 

Now change the hashing algorithm to SHA256, open an administrative command prompt and issue the following two commands;

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net start certsvc

Renew the CA Cert.

Create New CA Cert

You can now see the new cert is using SHA256.

SHA 256 Certificate for CA
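The following PowerShell check is an added example, not part of the original article: run it before and after the procedure to see which provider and hash the CA is configured with and what each CA certificate in the store was actually signed with. It assumes it runs elevated on the CA server and that the CA certificate’s CN matches the CA name stored in the registry (the ADCS default).

```powershell
# Added pre/post-flight check (not from the original article). Assumes it runs
# elevated on the CA server and that the CA certificate's CN equals the CA name
# recorded under CertSvc\Configuration (the default when ADCS is installed).
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgPath -Name Active).Active
$csp     = Get-ItemProperty -Path (Join-Path $cfgPath "$caName\CSP")

# The Key Storage Provider exposes the hash as a CNG name (SHA1/SHA256); the
# legacy CSP stores a CryptoAPI ALG_ID in HashAlgorithm instead (0x8004 = CALG_SHA1).
$isKsp = $csp.Provider -eq 'Microsoft Software Key Storage Provider'
if ($isKsp) {
    $hash = $csp.CNGHashAlgorithm
} elseif ($null -ne $csp.HashAlgorithm) {
    $hash = '0x{0:X} (legacy ALG_ID; 0x8004 = CALG_SHA1)' -f [int]$csp.HashAlgorithm
} else {
    $hash = '(not set)'
}

"CA name         : $caName"
"Provider        : $($csp.Provider)"
"Configured hash : $hash"
if (-not $isKsp) {
    Write-Warning ("Legacy CSP in use: 'certutil -setreg ca\csp\CNGHashAlgorithm SHA256' " +
                   "will not affect new certificates until the key is moved to the Key Storage Provider.")
}

# A renewed CA keeps its earlier certificates in the machine MY store, so list
# them all with the algorithm each was signed with (sha1RSA before, sha256RSA after).
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object NotBefore |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.NotBefore.ToString('yyyy-MM-dd')
            NotAfter   = $_.NotAfter.ToString('yyyy-MM-dd')
            SignedWith = $_.SignatureAlgorithm.FriendlyName
        }
    } | Format-Table -AutoSize
```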

Source :
https://www.petenetlive.com/KB/Article/0001243

Microsoft Teams is the new frontier for phishing attacks

Even with email-based phishing attacks proving to be more successful than ever, cyberattackers are ramping up their efforts to target employees on additional platforms, such as Microsoft Teams and Slack.

One advantage is that in those applications, most employees still assume that they’re actually talking to their boss or coworker when they receive a message.

“The scary part is that we trust these programs implicitly — unlike our email inboxes, where we’ve learned to be suspicious of messages where we don’t recognize the sender’s address,” said Armen Najarian, chief identity officer at anti-fraud technology firm Outseer.

Notably, traditional phishing has seen no slowdown: Proofpoint reported that 83% of organizations experienced a successful email-based phishing attack in 2021 — a massive jump from 57% in 2020. And outside of email, SMS attacks (smishing) and voice-based attacks (vishing) both grew in 2021, as well, according to the email security vendor.

However, it appears that attackers now view widely used collaboration platforms, such as Microsoft Teams and Slack, as another growing opportunity for targeting workers, security researchers and executives say. For some threat actors, it’s also a chance to leverage the additional capabilities of collaboration apps as part of the trickery.

Sophisticated Teams attacks

Patrick Harr, CEO of phishing protection vendor SlashNext, told VentureBeat that a highly sophisticated phishing attack recently struck a customer on Microsoft Teams.

It happened, Harr said, while the CEO of the customer company was traveling to China. Posing as the CEO, an attacker sent a WhatsApp message to several of the company’s employees, asking them to join a Teams meeting.

Once in the meeting, the employees saw a video feed of the CEO, which they didn’t realize had been scraped from a past TV interview. As part of the trick, the attackers had added a fake background to the video to make it appear the CEO was in China, Harr said.

But since there was no audio, the “CEO” said that there “must be a bad connection” — and then dropped a SharePoint link into the chat.

Posing as the CEO, the attacker told the employees that “‘since I can’t make this work, send me the information on this SharePoint link,’” Harr said.

An employee did end up clicking on the malicious SharePoint link — but they were blocked from accessing the page.

Ultimately, the incident demonstrates that “these bad actors are nesting themselves in legitimate services,” Harr said. “They’re getting very creative. They’re staying ahead of the curve.”

A big target

Microsoft Teams is massively widespread in the enterprise, with 270 million monthly active users, and that’s led attackers to take notice.

Threat actors have spotted a few other things about Teams, too: If you can acquire an account’s Microsoft Office 365 password, that can potentially get you into Teams as well. And while more workers may be savvy about email phishing techniques at this point, they’re less likely to be suspicious about a Teams message, according to researchers.

Attackers are seizing the opportunity: In January, email security platform Avanan saw thousands of attacks involving malware dropped into Teams conversations, researchers at the Check Point-owned organization reported.

By attaching a malicious executable file in a Microsoft Teams conversation, “hackers have found a new way to easily target millions of users,” the Avanan researchers wrote in a blog post. When clicked, the .exe file installs a Trojan on a user’s Windows PC, and the Trojan then installs malware.

The attacks are having success because with Microsoft Teams, unlike with email, “end-users have an inherent trust of the platform,” the researchers wrote.

Ultimately, the incidents reported by Avanan show that “hackers are beginning to understand and better utilize Teams as a potential attack vector,” the researchers said.

In other words, as they are known to do, cyberattackers are evolving once again.

‘The new BEC’

Referring to the Microsoft Teams attacks cited by Avanan, “this is the new business email compromise / legitimate service abuse,” said Sean Gallagher, a senior threat researcher at Sophos Labs, in a tweet. “It follows the trend we’ve seen with Slack and Discord.”

Business email compromise (BEC) describes a type of phishing attack in which an attacker targets a certain individual in a company, and attempts to persuade the individual to perform a wire transfer of funds to their account.

BEC attacks “are not losing their effectiveness,” Gallagher said in an email to VentureBeat. Indeed, 77% of organizations faced business email compromise attacks last year, up from 65% in 2020, according to Proofpoint data.

But with the arrival of BEC-like attacks on collaboration platforms such as Microsoft Teams, “malicious actors are expanding their attack surface and finding new ways to get a foothold into organizations,” Gallagher said.

“As more businesses move toward the cloud and software-as-a-service [SaaS] models, legitimate hosted services – like Microsoft Teams and Slack – will be an attractive avenue for attackers,” Gallagher said.

Najarian agreed that BEC attacks “are still very effective for criminal hacker groups.”

“But expanding their tactics into Microsoft Teams, Slack, Discord and other chat apps presents another revenue driver for them,” Najarian said in an email.

Combining tactics

Notably, the types of Microsoft Teams attacks reported by SlashNext and Avanan involve a combination of social engineering and credential harvesting.

“If malicious actors secure credentials and can access a Microsoft 365 environment in the cloud, they can act as a trusted team member,” Gallagher said. “As such, victims assume the files and links shared in the legitimate service are trusted, since they do not display the tell-tale signs of a malicious URL once uploaded or shared in the trusted environment.”

Adversaries can “get into all sorts of places in the enterprise that they otherwise wouldn’t be able to access without compromising the network,” he said.

All in all, legitimate service abuse is an emerging vector for malicious actors to target the enterprise, he said — and it will only continue to grow “as the enterprise becomes more detached from traditional infrastructure.”

Source :
https://venturebeat.com/2022/02/23/microsoft-teams-is-the-new-frontier-for-phishing-attacks/

Microsoft rolling out new endpoint security solution for SMBs

Microsoft says its new endpoint security solution for small and medium-sized businesses (SMBs) known as Microsoft Defender for Business has hit general availability.

It has started rolling out to new and existing Microsoft 365 Business Premium customers worldwide starting today, March 1st.

Microsoft Defender for Business helps companies with up to 300 employees defend against cybersecurity threats, including malware, phishing, and ransomware in environments with Windows, macOS, iOS, and Android devices.

It comes with simplified client configuration via a wizard-driven setup, and it enables all recommended security policies out-of-the-box, making it easy to use even by organizations without dedicated security teams.

In November, Microsoft announced this new security solution at Microsoft Ignite 2021 in response to a 300% increase in ransomware attacks in the previous year, with more than 50% of them directly affecting SMBs, according to US Secretary of Homeland Security Alejandro Mayorkas.

Defender for Business began rolling out in preview worldwide in December when Microsoft also announced that it would be available as a standalone license directly from Microsoft and Microsoft Partner Cloud Solution Provider (CSP) channels at $3 per user per month.

Key features bundled with the Microsoft Defender for Business security suite include:

  • Simplified deployment and management for IT administrators who may not have the expertise to address today’s evolving threat landscape.
  • Next-generation antivirus protection and endpoint detection and response to detect and respond to sophisticated attacks with behavioral monitoring.
  • Automated investigation and remediation to help customers react quickly to threats.
  • Threat and vulnerability management proactively alerts users to weaknesses and misconfigurations in software.
  • Microsoft 365 Lighthouse integration with Microsoft Defender for Business for IT service providers to view security events across customers, with additional capabilities coming.

You can get Defender for Business as part of Microsoft 365 Business Premium, and it will not require onboarding or offboarding devices from Microsoft Defender for Endpoint P1 or P2.

“Defender for Business will be rolled out to existing Microsoft 365 Business Premium customers in the next few weeks. There is no action or additional transactions required and it will show up in the Microsoft 365 Defender portal under the section, Endpoints,” Microsoft said.

“Defender for Business will also be offered as a standalone solution and will be coming later this year. You can continue to preview the standalone solution by signing up at https://aka.ms/MDB-Preview.”

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-rolling-out-new-endpoint-security-solution-for-smbs/

Deploying WPA2 WiFi profile (including Pre-Shared key) using Group Policy

Problem

Whilst there is a setting in Group Policy Preferences to deploy WiFi settings, this does not include the WiFi Pre-Shared Key (PSK).

The following method will allow you to also push out the Pre-Shared Key:

Solution

From a PC that already has the WiFi profile installed:

Open command prompt (as admin) and run the following command. Make a note of the name of the profile you want to export:

netsh wlan show profiles

Run the following command, replacing the profile name with the one you wish to export and the folder with the path to an existing folder where the XML file will be created:

netsh wlan export profile name="MyWiFiSSID" folder=C:\WLAN key=clear

Note that the key=clear is vital for this to work.

Copy that XML file to a network share that the computer accounts can read. Bear in mind that the WiFi key is visible in plain text within this file, so take care over where and how you store it and who is able to read it.

The following command is used to install the profile:

netsh wlan add profile filename="\\servername\share\Wi-Fi-MyWiFiSSID.xml" user=all

… however, this will reinstall and reconnect the WiFi each time.

From my experience, the best method is to create a Computer Startup script GPO that will only run once. This one does the trick:

REM Run once only: the marker file records that the profile has already been installed
IF EXIST C:\WiFi.txt GOTO END

netsh wlan add profile filename="\\servername\share\Wi-Fi-MyWiFiSSID.xml" user=all >> C:\WiFi.txt

:END
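As an added example (not part of the original post), here is the same startup step written in PowerShell so that it is idempotent without a marker file: it asks netsh which profiles are already installed, checks that the exported XML really describes the expected SSID and carries the PSK (which is what key=clear puts into keyMaterial), and only then imports it. The share path and profile name are placeholders for your own values, and the "All User Profile" label it parses is the one netsh prints on English systems.

```powershell
# Added example (not from the original post): idempotent Computer Startup
# script that installs the exported Wi-Fi profile only when it is missing.
# Assumptions: the XML was exported with key=clear as described above; the
# share path and profile name below are placeholders.
$ProfileName = 'MyWiFiSSID'
$ProfileXml  = '\\servername\share\Wi-Fi-MyWiFiSSID.xml'

# Profile names installed for all users, parsed from lines such as
#   "    All User Profile     : MyWiFiSSID"
$installed = netsh wlan show profiles | ForEach-Object {
    if ($_ -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
}

if ($installed -contains $ProfileName) {
    Write-Output "Profile '$ProfileName' already installed; nothing to do."
    exit 0
}

# Sanity-check the XML before importing it. Because key=clear was used, the
# file holds the PSK in clear text under MSM/security/sharedKey/keyMaterial,
# which is why the share should be readable only by the machines that need it.
[xml]$doc = Get-Content -LiteralPath $ProfileXml -ErrorAction Stop
if ($doc.WLANProfile.name -ne $ProfileName) {
    throw "Profile XML is for '$($doc.WLANProfile.name)', expected '$ProfileName'."
}
if (-not $doc.WLANProfile.MSM.security.sharedKey.keyMaterial) {
    throw 'Profile XML has no keyMaterial; re-export it with key=clear.'
}

netsh wlan add profile filename="$ProfileXml" user=all
if ($LASTEXITCODE -ne 0) { throw "netsh wlan add profile failed with exit code $LASTEXITCODE" }
Write-Output "Installed Wi-Fi profile '$ProfileName' for all users."
```

Deploy it as a Computer Startup script in the same GPO; because the decision is taken from netsh's own profile list rather than a file in C:\, re-imaging a machine or deleting the marker file no longer causes a spurious re-import.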

Source :
https://goddamnpc.com/deploying-wpa2-wifi-profile-including-pre-shared-key-using-group-policy/

Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike

Vulnerable internet-facing Microsoft SQL (MS SQL) Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts.

“Attacks that target MS SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers,” South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report published Monday.

Cobalt Strike is a commercial, full-featured penetration testing framework that allows an attacker to deploy an agent named “Beacon” on the victim machine, granting the operator remote access to the system. Although billed as a red team threat simulation platform, cracked versions of the software have been actively used by a wide range of threat actors.

Intrusions observed by ASEC involve the unidentified actor scanning port 1433 to check for exposed MS SQL servers to perform brute force or dictionary attacks against the system administrator account, i.e., “sa” account, to attempt a log in.


That is not to say that servers which are not exposed to the internet are safe, either: the threat actor behind the LemonDuck malware scans the same port to move laterally across a network.

“Managing admin account credentials so that they’re vulnerable to brute forcing and dictionary attacks as above or failing to change the credentials periodically may make the MS-SQL server the main target of attackers,” the researchers said.

Upon successfully gaining a foothold, the next phase of the attack works by spawning a Windows command shell via the MS SQL “sqlservr.exe” process to download the next-stage payload that houses the encoded Cobalt Strike binary on to the system.

The attacks ultimately culminate with the malware decoding the Cobalt Strike executable, followed by injecting it into the legitimate Microsoft Build Engine (MSBuild) process, which has been previously abused by malicious actors to filelessly deliver remote access trojans and password-stealing malware on targeted Windows systems.

Furthermore, the Cobalt Strike that’s executed in MSBuild.exe comes with additional configurations to evade detection of security software. It achieves this by loading “wwanmm.dll,” a Windows library for WWan Media Manager, then writing and running the Beacon in the memory area of the DLL.

“As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection,” the researchers noted.
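The first stage of the intrusion described above, repeated failed logins against the sa account on port 1433, leaves a very ordinary trace: error 18456 entries in the SQL Server ERRORLOG. The following is an added example (not from the ASEC report or this article) of a small detector that reads ERRORLOG-style lines and flags a burst of failed sa logins from a single client address. The log lines in the sample are constructed; the line format mirrors SQL Server's "Login failed for user ... [CLIENT: ip]" message.

```powershell
# Added example (not from the article): flag brute-force / dictionary attempts
# against the 'sa' login from SQL Server ERRORLOG-style lines.
function Find-SqlBruteForce {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int]    $Threshold = 3,      # failures from one address before we alert
        [string] $Account   = 'sa'
    )
    # Error 18456 is logged as two lines; the second carries the login and client:
    #   2022-02-21 10:15:32.12 Logon  Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]
    $pattern = "Login failed for user '(?<user>[^']+)'.*\[CLIENT: (?<ip>[^\]]+)\]"

    $failures = foreach ($line in $LogLines) {
        if ($line -match $pattern -and $Matches.user -eq $Account) {
            [pscustomobject]@{ Ip = $Matches.ip; User = $Matches.user }
        }
    }

    $failures | Group-Object Ip | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            ClientIp = $_.Name
            Account  = $Account
            Failures = $_.Count
            Verdict  = 'possible brute-force or dictionary attack'
        }
    }
}

# Constructed sample data: four 'sa' failures from one address, one 'sa'
# failure and one unrelated failure from another. The 18456 summary line
# carries no login name and is ignored by the pattern.
$sample = @(
    "2022-02-21 10:15:32.12 Logon       Error: 18456, Severity: 14, State: 8."
    "2022-02-21 10:15:32.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]"
    "2022-02-21 10:15:32.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]"
    "2022-02-21 10:15:32.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]"
    "2022-02-21 10:15:33.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]"
    "2022-02-21 10:16:01.03 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]"
    "2022-02-21 10:16:05.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]"
)

Find-SqlBruteForce -LogLines $sample | Format-Table -AutoSize
```

On a real server feed it `Get-Content` of the current ERRORLOG (or the rows returned by `xp_readerrorlog`) instead of the sample array. The later stages in the article give a second, independent signal worth alerting on: sqlservr.exe spawning a command shell, and MSBuild.exe running with no build on the box, are both visible in process-creation telemetry.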

Source :
https://thehackernews.com/2022/02/hackers-backdoor-unpatched-microsoft.html

New Wiper Malware Targeting Ukraine Amid Russia’s Military Operation

Cybersecurity firms ESET and Broadcom’s Symantec said they discovered a new data wiper malware used in fresh attacks against hundreds of machines in Ukraine, as Russian forces formally launched a full-scale military operation against the country.

The Slovak company dubbed the wiper “HermeticWiper” (aka KillDisk.NCV), with one of the malware samples compiled on December 28, 2021, implying that preparations for the attacks may have been underway for nearly two months.

“The wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd,” ESET said in a series of tweets. “The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data. As a final step the wiper reboots [the] computer.”

Specifically, HermeticWiper is delivered via the benign but signed EaseUS partition management driver that then proceeds to impair the first 512 bytes, the Master Boot Record (MBR) for every physical drive, before initiating a system shutdown and effectively rendering the machine inoperable.

“After a week of defacements and increasing DDoS attacks, the proliferation of sabotage operations through wiper malware is an expected and regrettable escalation,” SentinelOne’s principal threat researcher Juan Andres Guerrero-Saade said in a report analyzing the new malware.

At least one of the intrusions involved deploying the malware directly from the Windows domain controller, indicating that the attackers had taken control of the target network.

The scale and the impact of the data-wiping attacks remains unknown as yet, as is the identity of the threat actor behind the infections. But the development marks the second time this year that a destructive malware has been deployed on Ukrainian computer systems after the WhisperGate operation in mid-January.

The wiper attacks also follow a third “massive” wave of distributed denial-of-service (DDoS) attacks that hit several Ukrainian government and banking institutions on Wednesday, knocking out online portals for the Ministry of Foreign Affairs, Cabinet of Ministers, and Rada, the country’s parliament.


Last week, two of the largest Ukrainian banks, PrivatBank and Oschadbank, as well as the websites of the Ukrainian Ministry of Defense and the Armed Forces suffered outages as a result of a DDoS attack from unknown actors, prompting the U.K. and U.S. governments to point the fingers at the Russian Main Intelligence Directorate (GRU), an allegation the Kremlin has denied.


Campaigns that use DDoS attacks deliver torrents of junk traffic that are intended to overwhelm targets with the goal of rendering them inaccessible. A subsequent analysis of the February 15 incidents by the CERT-UA found that they were carried out using botnets such as Mirai and Mēris by leveraging compromised MikroTik routers and other IoT devices.

What’s more, information systems belonging to Ukraine’s state institutions are said to have been unsuccessfully targeted in as many as 121 cyber attacks in January 2022 alone.

That’s not all. Cybercriminals on the dark web are looking to capitalize on the ongoing political tensions by advertising databases and network accesses containing information on Ukrainian citizens and critical infrastructure entities on the RaidForums and Free Civilian marketplaces in “hopes of gaining high profits,” according to a report published by Accenture earlier this week.

The continuous onslaught of disruptive malicious cyber acts since the start of the year has also led the Ukrainian law enforcement authority to paint the attacks as an effort to spread anxiety, undermine confidence in the state’s ability to defend its citizens, and destabilize its unity.

“Ukraine is facing attempts to systematically sow panic, spread fake information and distort the real state of affairs,” the Security Service of Ukraine (SSU) said on February 14. “All this combined is nothing more than another massive wave of hybrid warfare.”

Source :
https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html

Back up your Documents, Pictures, and Desktop folders with Microsoft OneDrive

You can back up your important folders (your Desktop, Documents, and Pictures folders) on your Windows PC with OneDrive PC folder backup, so they’re protected and available on other devices. If you haven’t already set up OneDrive on your computer, see Sync files with OneDrive in Windows. There’s no extra cost for PC folder backup (up to 5 GB of files without a subscription). See OneDrive plans.

Note: If you’re surprised that your files are saving to OneDrive, see Files save to OneDrive by default in Windows 10.

Set up PC folder backup

  1. If you’re prompted to back up your important folders (Desktop, Documents, and Pictures), select the prompt to start the folder backup wizard. If you didn’t see the prompt or you already closed the wizard, select the white or blue cloud icon in the Windows notification area, and then select Help & Settings > Settings, then Backup > Manage backup.
  2. In the Back up your folders dialog, make sure the folders that you want to back up are selected.
  3. Select Start backup.
  4. You can close the dialog box while your files sync to OneDrive. Or, to watch your files sync, select View upload progress. If you already closed the dialog, to open the OneDrive activity center, select the white or blue cloud in the notification area.

Access your backed up folders on any device

When your files finish syncing to OneDrive, they’re backed up and you can access them from anywhere in Documents, Desktop, or Pictures. When you back up your Desktop folder, the items on your desktop roam with you to your other PC desktops where you’re running OneDrive.

You can back up a maximum of 5 GB of files in OneDrive for free, or up to 1 TB with a Microsoft 365 subscription.


If you’re signed in to the OneDrive sync app on your computer, you can use File Explorer to access your OneDrive. You can also use the OneDrive mobile app to access your folders on any device.

Manage or stop PC folder backup

To stop or start backing up your folders in OneDrive, update your folder selections in OneDrive Settings. 

  1. Open OneDrive settings (select the white or blue cloud icon in your notification area, and then select Help & Settings > Settings).
  2. In Settings, select Backup > Manage backup.
  3. To start backing up a folder, select any folder that doesn’t say Files backed up, and then select Start backup.
  4. To stop backing up a folder, select Stop backup, and confirm your request. See the important notes below.
  • When you stop backing up a folder, the files that were already backed up by OneDrive stay in the OneDrive folder, and will no longer appear in your device folder. 
  • In the folder that you stopped backing up, you’ll see an icon titled Where are my files that’s a shortcut to your folders in OneDrive. To access your files, select the icon to open the folder in OneDrive. 
  • If you want those files back in your device folder and not in OneDrive, move them manually from the OneDrive folder back to your device folder. Note that any new files you add to that folder on your device won’t be backed up by OneDrive after you stop the backup.
  • To move the files, select Where are my files to open the folder in OneDrive, then select the files that you want to move to your device folder, and drag them to that location.

Fix problems with PC folder backup

Here is a list of errors you might see when you set up PC folder backup and how to resolve them:

  • The following file type can’t be protected: Outlook database files (.pst).
  • Folder protection is unavailable: A common reason for this error is that important folders on PCs that are connected to a domain can’t be protected in a personal OneDrive account (when you’re signed in with a Microsoft account). For info about data protection solutions, contact your IT administrator. You shouldn’t have this issue with a work or school account.
  • File exceeds the maximum path length: Make sure the entire file path, including the file name, contains fewer than 260 characters. An example of a file path is:
    C:\Users\<UserName>\Pictures\Saved\2017\December\Holiday\NewYears\Family…
    To resolve this, shorten the name of your file or the name of subfolders in OneDrive, or select a sub-folder that’s closer to the top-level folder.
  • File exceeds the maximum file size: OneDrive can’t sync files over 250GB. Remove these files from the folder you want to protect and then try again.
  • The file name isn’t allowed in OneDrive: File names can’t start with a space or include any of these characters: \ : / * ? < > " |. Please move or rename the file to continue.
  • The folder isn’t selected for syncing: The folder with the error is not syncing to your PC. To resolve this error, open OneDrive Settings (right-click the white or blue cloud icon in your notification area, and select Settings), select Choose Folders, and then make sure the folder you want to protect is selected. If Pictures is showing this error, make sure that Pictures, Screenshots, and Camera Roll are all selected (or don’t exist). It’s also possible that the OneDrive folder has a different name from the Windows important folder.
  • Important folders aren’t in the default locations: The folder with the error contains another important folder and can’t be protected until the contained folder is moved. Important folders that may be contained within the folder include: Documents, Desktop, Pictures, Screenshots, Camera Roll, or the OneDrive folder.
  • An unknown error occurred, with error code 0x80070005: If you receive error code 0x80070005, the “Prohibit User from manually redirecting Profile Folders” group policy is enabled. You may find that the files from the folders you selected were moved to identically named folders in your OneDrive folder, and the original locations are empty. Move the folder contents back to the original locations and ask your administrator whether the policy can be changed.
  • Folder contains a reparse point (junction point or symlink): The folder you want to protect contains a special file type that links parts of the file system together. These items can’t be protected. To protect the folder, remove the file causing the issue. Caution: Some applications may depend on these links to function properly. Remove only the links that you know are safe to modify.
  • Post PC folder backup: OneDrive tries to automatically re-open notebooks that were previously open. In rare cases, some notebooks may not be automatically loaded in the OneNote desktop app after PC folder backup. The workaround is to reopen the notebooks in the OneNote app using File > Open.
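Most of the errors in the list above can be found before you turn backup on, by walking the folder and applying the same rules (.pst files, paths of 260 or more characters, files over 250 GB, names with forbidden characters or a leading space, reparse points). The following is an added example (not part of Microsoft's support article) of such a pre-flight check; the limits are the ones stated above, and the demo folder at the end is constructed in your temp directory.

```powershell
# Added example (not from the support article): report files and folders
# that OneDrive PC folder backup cannot protect, using the rules listed above.
function Test-OneDriveBackupReadiness {
    param([Parameter(Mandatory)] [string] $Path)

    $maxPath  = 260                 # whole path, including file name, must be shorter
    $maxBytes = 250GB               # OneDrive will not sync larger files
    $badChars = '[\\:/*?<>"|]'      # characters the article lists as not allowed

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $item = $_
        $problems = @()

        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            $problems += 'reparse point (junction or symlink) cannot be protected'
        }
        if ($item.FullName.Length -ge $maxPath) {
            $problems += "path is $($item.FullName.Length) characters (limit $maxPath)"
        }
        if ($item.Name -match $badChars -or $item.Name.StartsWith(' ')) {
            $problems += 'name contains a forbidden character or starts with a space'
        }
        if (-not $item.PSIsContainer) {
            if ($item.Extension -ieq '.pst') { $problems += 'Outlook data file (.pst) is not protected' }
            if ($item.Length -gt $maxBytes)  { $problems += 'file exceeds 250 GB' }
        }

        foreach ($p in $problems) {
            [pscustomobject]@{ Path = $item.FullName; Problem = $p }
        }
      }
}

# Constructed demo: a scratch folder with one ordinary file and one .pst file.
$demo = Join-Path $env:TEMP 'onedrive-preflight-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'notes.txt')   -Value 'ok'
Set-Content -LiteralPath (Join-Path $demo 'archive.pst') -Value 'placeholder, not a real mailbox file'

Test-OneDriveBackupReadiness -Path $demo | Format-Table -AutoSize
```

Run it against your real Documents, Desktop or Pictures folder instead of the demo path to get the list of items to move or rename before selecting Start backup; the demo itself should list only archive.pst. The forbidden-character rule rarely fires on a Windows volume, since NTFS already rejects those names, but it catches files that arrived from another operating system.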

Source :
https://support.microsoft.com/en-us/office/back-up-your-documents-pictures-and-desktop-folders-with-onedrive-d61a7930-a6fb-4b95-b28a-6552e77c3057