By: Greg Young – Trendmicro August 03, 2023 Read time: 4 min (1014 words)
The US Securities and Exchange Commission (SEC) recently adopted rules regarding mandatory cybersecurity disclosure. Explore what this announcement means for you and your organization.
On July 26, 2023, the US Securities and Exchange Commission (SEC) adopted rules regarding mandatory cybersecurity disclosure. What does this mean for you and your organization? As I understand them, here are the major takeaways that cybersecurity and business leaders need to know:
Who does this apply to?
The rules announced apply only to registrants of the SEC i.e., companies filing documents with the US SEC. Not surprisingly, this isn’t limited to attacks on assets located within the US, so incidents concerning SEC registrant companies’ assets in other countries are in scope. This scope also, not surprisingly, does not include the government, companies not subject to SEC reporting (i.e., privately held companies), and other organizations.
Breach notification for these others will be the subject of separate compliance regimes, which will hopefully, at some point in time, be harmonized and/or unified to some degree with the SEC reporting.
Advice for security leaders: be aware that these new rules could require “double reporting,” such as for publicly traded critical infrastructure companies. Having multiple compliance regimes, however, is not new for cybersecurity.
What are the general disclosure requirements?
Some pundits have said “four days after an incident” but that’s not quite correct. The SEC says that “material breaches” must be reported “four business days after a registrant determines that a cybersecurity incident is material.”
We’ve hit the first squishy bit: materiality. Directing companies to disclose material events shouldn’t be necessary before there’s a mixed record of companies making materiality for public company operation. But what kind of cybersecurity incident would be likely to be important to a reasonable investor?
We’ve seen giant breaches that paradoxically did not move stock prices, and minor breaches that did the opposite. I’m clearly on the side of compliance and disclosure, but I recognize it is a gray area. Recently we saw some companies that had the MOVEit vulnerability exploited but had no data loss. Should they report? But in some cases, their response to the vulnerability was in the millions: how about then? I expect and hope there will be further guidance.
Advice for security leaders: monitor the breach investigation and monitor the analysis of materiality. Security leaders won’t often make that call but should give guidance and continuous updates to the CxO who are responsible.
The second squishy bit is that the requirement is the reporting should be made four days after determining the incident is material. So not four days after the incident, but after the materiality determination. I understand why it was structured this way, as a small indicator of compromise must be followed up before understanding the scope and nature of a breach, including whether a breach has occurred at all. But this does give a window to some of the foot-dragging for disclosure we’ve unfortunately seen, including product companies with vulnerabilities.
Advice for security leaders: make management aware of the four-day reporting requirement and monitor the clock once the material line is crossed or identified.
Are there extensions?
There are, but not because you need more time. Instead “The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.” Note that it specifically states that the Attorney General (AG) makes that determination, and the AG communicates this to the SEC. There could be some delegation of this authority within the Department of Justice in the future, but today it is the AG.
How does it compare to other countries and compliance regimes?
Breach and incident reporting and disclosure is not new, and the concept of reporting material events is already commonplace around the world. GDPR breach reporting is 72 hours, HHS HIPAA requires notice not later than 60 days and 90 days to individuals affected, and the UK Financial Conduct Authority (FCA) has breach reporting requirements. Canada has draft legislation in Bill C-26 that looks at mandatory reporting through the lens of critical industries, which includes verticals such as banking and telecoms but not public companies. Many of the world’s financial oversight bodies do not require breach notification for public companies in the exchanges they are responsible for.
Advice to security leaders: consider the new SEC rules as clarification and amplification of existing reporting requirements for material events rather than a new regime or something that is harsher or different to other geographies.
Is breach reporting the only new rule?
No, I’ve only focused on incident reporting in this post. There’s a few more. The two most noteworthy ones are:
Regulation S-K Item 106, requiring registrants to “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”
Also specified is that annual 10-Ks “describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
Bottom line
SEC mandatory reporting for material cybersecurity events was already a requirement under the general reporting requirements, however the timelines and nature of the reporting are getting real and have a ticking four-day timer on them.
Stepping back from the rules, the importance of visibility and continuous monitoring are the real takeaways. Time to detection can’t be at the speed of your least experienced analyst. Platform means unified visibility rather than a wall of consoles. Finding and stopping breaches means internal visibility must include a rich array of telemetry, and that it be continuously monitored.
Many SEC registrants have operations outside the US, and that means visibility needs to include threat intelligence that is localized to other geographies. These new SEC rules show more than ever that that cyber risk is business risk.
To learn more about cyber risk management, check out the following resources:
By: Trend Micro August 08, 2023 Read time: 4 min (1020 words)
How generative AI influenced threat trends in 1H 2023
A lot can change in cybersecurity over the course of just six months in criminal marketplaces. In the first half of 2023, the rapid expansion of generative AI tools began to be felt in scams such as virtual kidnapping and tools by cybercriminals. Tools like WormGPT and FraudGPT are being marketed. The use of AI empowers adversaries to carry out more sophisticated attacks and poses a new set of challenges. The good news is that the same technology can also be used to empower security teams to work more effectively.
As we analyze the major events and patterns observed during this time, we uncover critical insights that can help businesses stay ahead of risk and prepare for the challenges that lie ahead in the second half of the year.
AI-Driven Tools in Cybercrime
The adoption of AI in organizations has increased significantly, offering numerous benefits. However, cybercriminals are also harnessing the power of AI to carry out attacks more efficiently.
As detailed in a Trend research report in June, virtual kidnapping is a relatively new and concerning type of imposter scam. The scammer extorts their victims by tricking them into believing they are holding a friend or family member hostage. In reality, it is AI technology known as a “deepfake,” which enables the fraudster to impersonate the real voice of the “hostage” whilst on the phone. Audio harvested from their social media posts will typically be used to train the AI model.
However, it is generative AI that’s playing an increasingly important role earlier on in the attack chain—by accelerating what would otherwise be a time-consuming process of selecting the right victims. To find those most likely to pay up when confronted with traumatic content, threat groups can use generative AI like ChatGPT to filter large quantities of potential victim data, fusing it with geolocation and advertising analytics. The result is a risk-based scoring system that can show scammers at a glance where they should focus their attacks.
This isn’t just theory. Virtual kidnapping scams are already happening. The bad news is that generative AI could be leveraged to make such attacks even more automated and effective in the future. An attacker could generate a script via ChatGPT to then convert to the hostage’s voice using deepfake and a text-to-speech app.
Of course, virtual kidnapping is just one of a growing number of scams that are continually being refined and improved by threat actors. Pig butchering is another type of investment fraud where the victim is befriended online, sometimes on romance sites, and then tricked into depositing their money into fictitious cryptocurrency schemes. It’s feared that these fraudsters could use ChatGPT and similar tools to improve their conversational techniques and perhaps even shortlist victims most likely to fall for the scams.
What to expect
The emergence of generative AI tools enables cybercriminals to automate and improve the efficiency of their attacks. The future may witness the development of AI-driven threats like DDoS attacks, wipers, and more, increasing the sophistication and scale of cyberattacks.
One area of concern is the use of generative AI to select victims based on extensive data analysis. This capability allows cybercriminals to target individuals and organizations with precision, maximizing the impact of their attacks.
Fighting back
Fortunately, security experts like Trend are also developing AI tools to help customers mitigate such threats. Trend pioneered the use of AI and machine learning for cybersecurity—embedding the technology in products as far back as 2005. From those early days of spam filtering, we began developing models designed to detect and block unknown threats more effectively.
Trend’s defense strategy
Most recently, we began leveraging generative AI to enhance security operations. Companion is a cybersecurity assistant designed to automate repetitive tasks and thereby free up time-poor analysts to focus on high-value tasks. It can also help to fill skills gaps by decoding complex scripts, triaging and recommending actions, and explaining and contextualizing alerts for SecOps staff.
What else happened in 1H 2023?
Ransomware: Adapting and Growing
Ransomware attacks are becoming sophisticated, with illegal actors leveraging AI-enabled tools to automate their malicious activities. One new player on the scene, Mimic, has abused legitimate search tools to identify and encrypt specific files for maximum impact. Meanwhile, the Royal ransomware group has expanded its targets to include Linux platforms, signaling an escalation in their capabilities.
According to Trend data, ransomware groups have been targeting finance, IT, and healthcare industries the most in 2023. From January 1 to July 17, 2023, there have been 219, 206, and 178 successful compromises of victims in these industries, respectively.
Our research findings revealed that ransomware groups are collaborating more frequently, leading to lower costs and increased market presence. Some groups are showing a shift in motivation, with recent attacks resembling those of advanced persistent threat (APT) groups. To combat these evolving threats, organizations need to implement a “shift left” strategy, fortifying their defenses to prevent threats from gaining access to their networks in the first place.
Vulnerabilities: Paring Down Cyber Risk Index
While the Cyber Risk Index (CRI) has lowered to a moderate range, the threat landscape remains concerning. Smaller platforms are exploited by threat actors, such as Clop ransomware targeting MOVEIt and compromising government agencies. New top-level domains by Google pose risks for concealing malicious URLs. Connected cars create new avenues for hackers. Proactive cyber risk management is crucial.
Campaigns: Evading Detection and Expanding Targets
Malicious actors are continually updating their tools, techniques and procedures (TTP) to evade detection and cast a wider net for victims. APT34, for instance, used DNS-based communication combined with legitimate SMTP mail traffic to bypass security policies. Meanwhile, Earth Preta has shifted its focus to target critical infrastructure and key institutions using hybrid techniques to deploy malware.
Persistent threats like the APT41 subgroup Earth Longzhi have resurfaced with new techniques, targeting firms in multiple countries. These campaigns require a coordinated approach to cyber espionage, and businesses must remain vigilant against such attacks.
By: Alifiya Sadikali – Trendmicro August 09, 2023 Read time: 4 min (1179 words)
Discover the core principles and frameworks of Zero Trust, NIST 800-207 guidelines, and best practices when implementing CISA’s Zero Trust Maturity Model.
With the growing number of devices connected to the internet, traditional security measures are no longer enough to keep your digital assets safe. To protect your organization from digital threats, it’s crucial to establish strong security protocols and take proactive measures to stay vigilant.
What is Zero Trust?
Zero Trust is a cybersecurity philosophy based on the premise that threats can arise internally and externally. With Zero Trust, no user, system, or service should automatically be trusted, regardless of its location within or outside the network. Providing an added layer of security to protect sensitive data and applications, Zero Trust only grants access to authenticated and authorized users and devices. And in the event of a data breach, compartmentalizing access to individual resources limits potential damage.
Your organization should consider Zero Trust as a proactive security strategy to protect its data and assets better.
The pillars of Zero Trust
At its core, the basis for Zero Trust is comprised of a few fundamental principles:
Verify explicitly. Only grant access once the user or device has been explicitly authenticated and verified. By doing so, you can ensure that only those with a legitimate need to access your organization’s resources can do so.
Least privilege access. Only give users access to the resources they need to do their job and nothing more. Limiting access in this way prevents unauthorized access to your organization’s data and applications.
Assume breach. Act as if a compromise to your organization’s security has occurred. Take steps to minimize the damage, including monitoring for unusual activity, limiting access to sensitive data, and ensuring that backups are up-to-date and secure.
Microsegmentation. Divide your organization’s network into smaller, more manageable segments and apply security controls to each segment individually. This reduces the risk of a breach spreading from one part of your network to another.
Security automation. Use tools and technologies to automate the process of monitoring, detecting, and responding to security threats. This ensures that your organization’s security is always up-to-date and can react quickly to new threats and vulnerabilities.
A Zero Trust approach is a proactive and effective way to protect your organization’s data and assets from cyber-attacks and data breaches. By following these core principles, your organization can minimize the risk of unauthorized access, reduce the impact of a breach, and ensure that your organization’s security is always up-to-date and effective.
The role of NIST 800-207 in Zero Trust
NIST 800-207 is a cybersecurity framework developed by the National Institute of Standards and Technology. It provides guidelines and best practices for organizations to manage and mitigate cybersecurity risks.
Designed to be flexible and adaptable for a variety of organizations and industries, the framework supports the customization of cybersecurity plans to meet their specific needs. Its implementation can help organizations improve their cybersecurity posture and protect against cyber threats.
One of the most important recommendations of NIST 800-207 is to establish a policy engine, policy administrator, and policy enforcement point. This will help ensure consistent policy enforcement and that access is granted only to those who need it.
Another critical recommendation is conducting continuous monitoring and having real-time risk-based decision-making capabilities. This can help you quickly identify and respond to potential threats.
Additionally, it is essential to understand and map dependencies among assets and resources. This will help you ensure your security measures are appropriately targeted based on potential vulnerabilities.
Finally, NIST recommends replacing traditional paradigms, such as implicit trust in assets or entities, with a “trust but verify” methodology. Adopting this approach can better protect your organization’s assets and resources from internal and external threats.
CISA’s Zero Trust Maturity Model
The Zero Trust Maturity Model (ZMM), developed by CISA, provides a comprehensive framework for assessing an organization’s Zero Trust posture. This model covers critical areas including:
Identity management: To implement a Zero Trust strategy, it is important to begin with identity. This involves continuously verifying, authenticating, and authorizing any entity before granting access to corporate resources. To achieve this, comprehensive visibility is necessary.
Devices, networks, applications: To maintain Zero Trust, use endpoint detection and response capabilities to detect threats and keep track of device assets, network connections, application configurations, and vulnerabilities. Continuously assess and score device security posture and implement risk-informed authentication protocols to ensure only trusted devices, networks and applications can access sensitive data and enterprise systems.
Data and governance: To maximize security, implement prevention, detection, and response measures for identity, devices, networks, IoT, and cloud. Monitor legacy protocols and device encryption status. Apply Data Loss Prevention and access control policies based on risk profiles.
Visibility and analytics: Zero Trust strategies cannot succeed within silos. By collecting data from various sources within an organization, organizations can gain a complete view of all entities and resources. This data can be analyzed through threat intelligence, generating reliable and contextualized alerts. By tracking broader incidents connected to the same root cause, organizations can make informed policy decisions and take appropriate response actions.
Automation and orchestration: To effectively automate security responses, it is important to have access to comprehensive data that can inform the orchestration of systems and manage permissions. This includes identifying the types of data being protected and the entities that are accessing it. By doing so, it ensures that there is proper oversight and security throughout the development process of functions, products, and services.
By thoroughly evaluating these areas, your organization can identify potential vulnerabilities in its security measures and take prompt action to improve your overall cybersecurity posture. CISA’s ZMM offers a holistic approach to security that will enable your organization to remain vigilant against potential threats.
Implementing Zero Trust with Trend Vision One
Trend Vision One seamlessly integrates with third-party partner ecosystems and aligns to industry frameworks and best practices, including NIST and CISA, offering coverage from prevention to extended detection and response across all pillars of zero trust.
Trend Vision One is an innovative solution that empowers organizations to identify their vulnerabilities, monitor potential threats, and evaluate risks in real-time, enabling them to make informed decisions regarding access control. With its open platform approach, Trend enables seamless integration with third-party partner ecosystems, including IAM, Vulnerability Management, Firewall, BAS, and SIEM/SOAR vendors, providing a comprehensive and unified source of truth for risk assessment within your current security framework. Additionally, Trend Vision One is interoperable with SWG, CASB, and ZTNA and includes Attack Surface Management and XDR, all within a single console.
Conclusion
CISOs today understand that the journey towards achieving Zero Trust is a gradual process that requires careful planning, step-by-step implementation, and a shift in mindset towards proactive security and cyber risk management. By understanding the core principles of Zero Trust and utilizing the guidelines provided by NIST and CISA to operationalize Zero Trust with Trend Vision One, you can ensure that your organization’s cybersecurity measures are strong and can adapt to the constantly changing threat landscape.
To read more thought leadership and research about Zero Trust, click here.
By: Trend Micro August 15, 2023 Read time: 4 min (1157 words)
The unveiling of the first-ever Open Worldwide Application Security Project (OWASP) risk list for large language model AI chatbots was yet another sign of generative AI’s rush into the mainstream—and a crucial step toward protecting enterprises from AI-related threats.
For more than 20 years, the Open Worldwide Application Security Project (OWASP) top 10 risk list has been a go-to reference in the fight to make software more secure. So it’s no surprise developers and cybersecurity professionals paid close attention earlier this spring when OWASP published an all-new list focused on large language model AI vulnerabilities.
OWASP’s move is yet more proof of how quickly AI chatbots have swept into the mainstream. Nearly half (48%) of corporate respondents to one survey said that by February 2023 they had already replaced workers with ChatGPT—just three months after its public launch. With many observers expressing concern that AI adoption has rushed ahead without understanding of the risks involved, the OWASP top 10 AI risk list is both timely and essential.
Large language model vulnerabilities at a glance
OWASP has released two draft versions of its AI vulnerability list so far: one in May 2023 and a July 1 update with refined classifications and definitions, examples, scenarios, and links to additional references. The most recent is labeled ‘version 0.5’, and a formal version 1 is reported to be in the works.
We did some analysis and found the vulnerabilities identified by OWASP fall broadly into three categories:
Access risks associated with exploited privileges and unauthorized actions.
Data risks such as data manipulation or loss of services.
Reputational and business risks resulting from bad AI outputs or actions.
In this blog, we take a closer look at the specific risks in each case and offer some suggestions about how to handle them.
1. Access risks
Of the 10 vulnerabilities listed by OWASP, four are specific to access and misuse of privileges: insecure plugins, insecure output handling, permissions issues, and excessive agency.
According to OWASP, any large language model that uses insecure plugins to receive “free-form text” inputs could be exposed to malicious requests, resulting in unwanted behaviors or the execution of unauthorized remote code. On the flipside, plugins or applications that handle large language model outputs insecurely—without evaluating them—could be susceptible to cross-site and server-side request forgeries, unauthorized privilege escalations, hijack attacks, and more.
Similarly, when authorizations aren’t tracked between plugins, permissions issues can arise that open the way for indirect prompt injections or malicious plugin usage.
Finally, because AI chatbots are ‘actors’ able to make and implement decisions, it matters how much free reign (i.e., agency) they’re given. As OWASP explains, “When LLMs interface with other systems, unrestricted agency may lead to undesirable operations and actions.” Examples include personal mail reader assistants being exploited to propagate spam or customer service AI chatbots manipulated into issuing undeserved refunds.
In all of these cases, the large language model becomes a conduit for bad actors to infiltrate systems.
2. Data risks
Poisoned training data, supply chain vulnerabilities, prompt injection vulnerabilities and denials of serviceare all data-specific AI risks.
Data can be poisoned deliberately by bad actors who want to harm an organization. It can also be distorted inadvertently when an AI system learns from unreliable or unvetted sources. Both types of poisoning can occur within an active AI chatbot application or emerge from the large language model supply chain, where reliance on pre-trained models, crowdsourced data, and insecure plugin extensions may produce biased data outputs, security breaches, or system failures.
With prompt injections, ill-meaning inputs may cause a large language model AI chatbot to expose data that should be kept private or perform other actions that lead to data compromises.
AI denial of service attacks are similar to classic DOS attacks. They may aim to overwhelm a large language model and deprive users of access to data and apps, or—because many AI chatbots rely on pay-as-you-go IT infrastructure—force the system to consume excessive resources and rack up massive costs.
3. Reputational and business risks
The final OWASP vulnerability (according to our buckets) is already reaping consequences around the world today:overreliance on AI. There’s no shortage of stories about large language models generating false or inappropriate outputs from fabricated citations and legal precedents to racist and sexist language.
OWASP points out that depending on AI chatbots without proper oversight can make organizations vulnerable to publishing misinformation or offensive content that results in reputational damage or even legal action. Given all these various risks, the question becomes, “What can we do about it?” Fortunately, there are some protective steps organizations can take.
What enterprises can do about large language model vulnerabilities
From our perspective at Trend Micro, defending against AI access risks requires a zero-trust security stance with disciplined separation of systems (sandboxing). Even though generative AI has the ability to challenge zero-trust defenses in ways that other IT systems don’t—because it can mimic trusted entities—a zero-trust posture still adds checks and balances that make it easier to identify and contain unwanted activity. OWASP also advises that large language models “should not self-police” and calls for controls to be embedded in application programming interfaces (APIs).
Sandboxing is also key to protecting data privacy and integrity: keeping confidential information fully separated from shareable data and making it inaccessible to AI chatbots and other public-facing systems. (See our recent blog on AI cybersecurity policies for more.)
Good separation of data prevents large language models from including private or personally identifiable information in public outputs, and from being publicly prompted to interact with secure applications such as payment systems in inappropriate ways.
On the reputational front, the simplest remedies are to not rely solely on AI-generated content or code, and to never publish or use AI outputs without first verifying they are true, accurate, and reliable.
Many of these defensive measures can—and should—be embedded in corporate policies. Once an appropriate policy foundation is in place, security technologies such as endpoint detection and response (EDR), extended detection and response (XDR), and security information and event management (SIEM) can be used for enforcement and to monitor for potentially harmful activity.
Large language model AI chatbots are here to stay
OWASP’s initial work cataloguing AI risks proves that concerns about the rush to embrace AI are well justified. At the same time, AI clearly isn’t going anywhere, so understanding the risks and taking responsible steps to mitigate them is critically important.
Setting up the right policies to manage AI use and implementing those policies with the help of cybersecurity solutions is a good first step. So is staying informed. The way we see it at Trend Micro, OWASP’s top 10 AI risk list is bound to become as much of an annual must-read as its original application security list has been since 2003.
Next steps
For more Trend Micro thought leadership on AI chatbot security, check out these resources:
The Azure Active Directory password policy defines the password requirements for tenant users, including password complexity, length, password expiration, account lockout settings, and some other parameters. In this article, we’ll take a look into how to manage a password policy in Azure AD.
Azure AD has a default password policy applied to all accounts that are created in the cloud (not synchronized from on-premises Active Directory via Azure AD Connect).
It defines the following settings that cannot be changed by the Azure/Microsoft 365 tenant administrator:
How to Change Password Expiration Policy in Azure AD
By default, a user’s password never expires in Azure AD (Microsoft 365). But you can enable the password expiration through the Microsoft 365 Admin Center:
Go to Microsoft 365 Admin Center -> Settings -> Security & Privacy -> Password expiration policy;
Disable the option Set password to never expire (recommended);
In this case: Password expiration set to 90 days The notification to change your password will start to be displayed 14 days before the expiry date.
You can use the MSOnline PowerShell module to change user password expiration settings. Just install the module (if needed) and connect to your tenant:
Install-Module MSOnline Connect-MsolService
Check the current password expiration policy settings in Azure AD:
One more parameter of the Azure password policy available for the administrator to configure is the user lockout rules in case of entering an incorrect password. By default, an account is locked for 1 minute after 10 failed attempts to authenticate using an incorrect password. Note that the lockout time is extended following each next unsuccessful sign-in attempt.
You can configure the lockout settings in the following section of the Azure Portal -> Azure Active Directory -> Security -> Authentication methods —> Password protection.
The options available for you to change are:
Lockout threshold – the number of unsuccessful sign-in attempts before the account is locked out (10 by default);
Lockout duration in seconds – 60 seconds by default.
If their account is locked out, an Azure user will see the following notification:
Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.
Prevent Using Weak and Popular Passwords in Azure AD
There is a separate Azure AD Password Protection feature that allows you to block the use of weak and popular passwords (such as P@ssw0rd, Pa$$word, etc.).
You can use the DSInternals PowerShell module to check the on-premises Active Directory for weak user passwords.
You can define your own list of weak passwords in Azure Active Directory -> Security -> Authentication methods —> Password protection. Enable the option Enforce custom list and add a list of passwords you want to ban (up to 1000 passwords).
Unfortunately, you can’t use that password because it contains words or characters that have been blocked by your administrator. Please try again with a different password.
These settings are applied by default only to cloud users in Azure.
If you want to apply a banned password list to the local Active Directory DS users, here’s what you need to do:
Make sure you have Azure AD Premium P1 or P2 subscription;
Enable the option Enable password protection on Windows Server Active Directory;
The default configuration enables only the audit of the prohibited password use. So, after the testing, switch the Mode option to Enforced;
Deploy the Azure AD Password Protection Proxy Service (AzureADPasswordProtectionProxySetup.msi) on one of the on-premises hosts;
Install Azure AD Password Protection (AzureADPasswordProtectionDCAgentSetup.msi) on all the ADDS domain controllers.
If you want the Azure password policy to be applied to users synchronized from AD DS via Azure AD Connect, you must enable the option EnforceCloudPasswordPolicyForPasswordSyncedUsers:
Ensure that you have configured a sufficiently strong domain password policy in your on-premises Active Directory. Otherwise, synchronized users can set any password, including those that are weak and insecure.
In this case, when a user’s password is changed or reset in on-premises Active Directory, the user is checked against the list of banned passwords in Azure.
If you have Azure AD Connect sync enabled, you can use your own password policies from on-premises Active Directory to apply to cloud users. To do this, you need to create a Fine Grained Security password policy in the on-premises AD and link it to a group containing the users synchronized with the cloud. In this case, Azure Active Directory will follow the password policy of your local domain.
As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team – DART) of an intrusion, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.
Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included:
Exploitation of unpatched internet-exposed Microsoft Exchange Servers
Web shell deployment facilitating remote access
Use of living-off-the-land tools for persistence and reconnaissance
Deployment of Cobalt Strike beacons for command and control (C2)
Process hollowing and the use of vulnerable drivers for defense evasion
Deployment of custom-developed backdoors to facilitate persistence
Deployment of a custom-developed data collection and exfiltration tool
Figure 1. BlackByte 2.0 ransomware attack chain
In this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. As we learned from Microsoft’s tracking of ransomware attacks and the cybercriminal economy that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments.
Forensic analysis
Initial access and privilege escalation
To obtain initial access into the victim’s environment, the threat actor was observed exploiting the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of these vulnerabilities allowed the threat actor to:
Attain system-level privileges on the compromised Exchange host
Enumerate LegacyDN of users by sending Autodiscover requests, including SIDs of users
Construct a valid authentication token and use it against the Exchange PowerShell backend
Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
Create web shells to obtain remote control on affected servers
The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:
185.225.73[.]244
Persistence
Backdoor
After gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:
The file api-msvc.dll (SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address. This information is then sent via HTTP POST request to the following C2 channel:
hxxps://myvisit[.]alteksecurity[.]org/t
The organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.
An additional file, api-system.png, was identified to have similarities to api-msvc.dll. This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.
Cobalt Strike Beacon
The threat actor leveraged Cobalt Strike to achieve persistence. The file sys.exe (SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service temp[.]sh:
hxxps://temp[.]sh/szAyn/sys.exe
This beacon was configured to communicate with the following C2 channel:
109.206.243[.]59:443
AnyDesk
Threat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was run from the following paths:
C:\systemtest\anydesk\AnyDesk.exe
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
C:\Scripts\AnyDesk.exe
Successful connections were observed in the AnyDesk log file ad_svc.trace involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.
Reconnaissance
We found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration using the following file names:
Additionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.
Credential access
Evidence of likely usage of the credential theft tool Mimikatzwas also uncovered through the presence of a related log file mimikatz.log. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.
Lateral movement
Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.
Data staging and exfiltration
In one server where Microsoft Defender Antivirus was installed, a suspicious file named explorer.exe was identified, detected as Trojan:Win64/WinGoObfusc.LK!MT, and quarantined. However, because tamper protection wasn’t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:
explorer.exe P@$$w0rd
After reverse engineering explorer.exe, we determined it to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:
C:\Exchange\MSExchLog.log
Analysis of the binary revealed a list of file extensions that are targeted for enumeration.
Figure 2. Binary analysis showing file extensions enumerated by explorer.exe
Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform’s API at:
hxxps://g.api.mega.co[.]nz
Figure 3. Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ
We also determined that this version of Exbyte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.
ExByte execution flow
Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0:
If this check fails, ShellExecuteW is invoked with the IpOperation parameter RunAs, which runs explorer.exe with elevated privileges.
After this access check, explorer.exe attempts to read the data.txt file in the current location:
If the text file doesn’t exist, it invokes a command for self-deletion and exits from memory:
If data.txt exists, explorer.exe reads the file, passes the buffer to Base64 decode function, and then decrypts the data using the key provided in the command line. The decrypted data is then parsed as JSON below and fed for login function:
{“a”:”us0”,“user”:”<CONTENT FROM data.txt>”}
Finally, it forms a URL for sign-in to the API of the service MEGA NZ:
hxxps://g.api.mega.co[.]nz/cs?id=1674017543
Data encryption and destruction
On devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:
wEFT.exe
schillerized.exe
The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. The binaries require an 8-digit key number to encrypt files.
Two modes of execution were identified:
When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
When the -a parameter is provided, the ransomware conducts enumeration and uses an Ultimate Packer Executable (UPX) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.
Depending on the switch (-s or -a), execution may create the following files:
C:\SystemData\M8yl89s7.exe (UPX-packed PsExec with a random name; SHA-256: ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)
C:\SystemData\rENEgOtiAtES (A vulnerable (CVE-2019-16098) driver RtCore64.sys used to evade detection by installed antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
C:\SystemData\iHu6c4.ico (Random name – BlackBytes icon)
Some capabilities identified for the BlackByte 2.0 ransomware were:
Antivirus bypass
The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2049-16098) that allows any authenticated user to read or write to arbitrary memory
The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed antivirus software
Process hollowing
Invokes svchost.exe, injects to it to complete device encryption, and self-deletes by executing the following command:
Ability to terminate running services and processes
Ability to enumerate and mount volumes and network shares for encryption
Perform anti-forensics technique timestomping (sets the file time of encrypted and ReadMe file to 2000-01-01 00:00:00)
Ability to perform anti-debugging techniques
Recommendations
To guard against BlackByte ransomware attacks, Microsoft recommends the following:
Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized; Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools like Microsoft Defender Vulnerability Management
Implement an endpoint detection and response (EDR) solution like Microsoft Defender for Endpoint to gain visibility into malicious activity in real time across your network
Ensure antivirus protections are updated regularly by turning on cloud-based protection and that your antivirus solution is configured to block threats
Enable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled
Block inbound traffic from IPs specified in the indicators of compromise section of this report
Block inbound traffic from TOR exit nodes
Block inbound access from unauthorized public VPN services
Restrict administrative privileges to prevent authorized system changes
Conclusion
BlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities. As outlined in the Microsoft Digital Defense Report, common security hygiene practices, including keeping systems up to date, could protect against 98% of attacks.
As new tools are being developed by threat actors, a modern threat protection solution like Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complementary activity for continuous monitoring from security tools alerts and incidents.
To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.
Microsoft 365 Defender detections
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects this threat as the following malware:
Trojan:Win32/Kovter!MSR
Trojan:Win64/WinGoObfusc.LK!MT
Trojan:Win64/BlackByte!MSR
HackTool:Win32/AdFind!MSR
Trojan:Win64/CobaltStrike!MSR
Microsoft Defender for Endpoint
The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.
‘CVE-2021-31207’ exploit malware was detected
An active ‘NetShDisableFireWall’ malware in a command line was prevented from executing.
Suspicious registry modification.
‘Rtcore64’ hacktool was detected
Possible ongoing hands-on-keyboard activity (Cobalt Strike)
A file or network connection related to a ransomware-linked emerging threat activity group detected
Suspicious sequence of exploration activities
A process was injected with potentially malicious code
Suspicious behavior by cmd.exe was observed
‘Blackbyte’ ransomware was detected
Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:
CVE-2021-34473
CVE-2021-34523
CVE-2021-31207
CVE-2019-16098
Hunting queries
Microsoft 365 Defender
Microsoft 365 Defender customers can run the following query to find related activity in their networks:
ProxyShell web shell creation events
DeviceProcessEvents| where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate") and ProcessCommandLine has_any ("-RequestFile","-FilePath")
Suspicious vssadmin events
DeviceProcessEvents| where ProcessCommandLine has_any ("vssadmin","vssadmin.exe") and ProcessCommandLine has "Resize ShadowStorage" and ProcessCommandLine has_any ("MaxSize=401MB"," MaxSize=UNBOUNDED")
Detection for persistence creation using Registry Run keys
DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnce" and RegistryValueName == "MsEdgeMsE") or (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnceEx" and RegistryValueName == "MsEdgeMsE")or (RegistryKey has @"Microsoft\Windows\CurrentVersion\Run" and RegistryValueName == "MsEdgeMsE")| where RegistryValueData startswith @"rundll32"| where RegistryValueData endswith @".dll,Default"| project Timestamp,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.
The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.
AdFind.exe (Active Directory information gathering tool)
hxxps://myvisit[.]alteksecurity[.]org/t
URL
C2 for backdoor api-msvc.dll
hxxps://temp[.]sh/szAyn/sys.exe
URL
Download URL for sys.exe
109.206.243[.]59
IP Address
C2 for Cobalt Strike Beacon sys.exe
185.225.73[.]244
IP Address
Originating IP address for ProxyShell exploitation and web shell interaction
NOTE: These indicators should not be considered exhaustive for this observed activity.
Appendix
File extensions targeted by BlackByte binary for encryption:
.4dd
.4dl
.accdb
.accdc
.accde
.accdr
.accdt
.accft
.adb
.ade
.adf
.adp
.arc
.ora
.alf
.ask
.btr
.bdf
.cat
.cdb
.ckp
.cma
.cpd
.dacpac
.dad
.dadiagrams
.daschema
.db
.db-shm
.db-wal
.db3
.dbc
.dbf
.dbs
.dbt
.dbv
. dbx
. dcb
. dct
. dcx
. ddl
. dlis
. dp1
. dqy
. dsk
. dsn
. dtsx
. dxl
. eco
. ecx
. edb
. epim
. exb
. fcd
. fdb
. fic
. fmp
. fmp12
. fmpsl
. fol
.fp3
. fp4
. fp5
. fp7
. fpt
. frm
. gdb
. grdb
. gwi
. hdb
. his
. ib
. idb
. ihx
. itdb
. itw
. jet
. jtx
. kdb
. kexi
. kexic
. kexis
. lgc
. lwx
. maf
. maq
. mar
. masmav
. mdb
. mpd
. mrg
. mud
. mwb
. myd
. ndf
. nnt
. nrmlib
. ns2
. ns3
. ns4
. nsf
. nv
. nv2
. nwdb
. nyf
. odb
. ogy
. orx
. owc
. p96
. p97
. pan
. pdb
. pdm
. pnz
. qry
. qvd
. rbf
. rctd
. rod
. rodx
. rpd
. rsd
. sas7bdat
. sbf
. scx
. sdb
. sdc
. sdf
. sis
. spg
. sql
. sqlite
. sqlite3
. sqlitedb
. te
. temx
. tmd
. tps
. trc
. trm
. udb
. udl
. usr
. v12
. vis
. vpd
. vvv
. wdb
. wmdb
. wrk
. xdb
. xld
. xmlff
. abcddb
. abs
. abx
. accdw
. and
. db2
. fm5
. hjt
. icg
. icr
. kdb
. lut
. maw
. mdn
. mdt
Shared folders targeted for encryption (Example: \\[IP address]\Downloads):
Users
Backup
Veeam
homes
home
media
common
Storage Server
Public
Web
Images
Downloads
BackupData
ActiveBackupForBusiness
Backups
NAS-DC
DCBACKUP
DirectorFiles
share
File extensions ignored:
.ini
.url
.msilog
.log
.ldf
.lock
.theme
.msi
.sys
.wpx
.cpl
.adv
.msc
.scr
.key
.ico
.dll
.hta
.deskthemepack
.nomedia
.msu
.rtp
.msp
.idx
.ani
.386
.diagcfg
.bin
.mod
.ics
.com
.hlp
.spl
.nls
.cab
.exe
.diagpkg
.icl
.ocx
.rom
.prf
.thempack
.msstyles
.icns
.mpa
.drv
.cur
.diagcab
.cmd
.shs
Folders ignored:
windows
boot
program files (x86)
windows.old
programdata
intel
bitdefender
trend micro
windowsapps
appdata
application data
system volume information
perflogs
msocache
Files ignored:
bootnxt
ntldr
bootmgr
thumbs.db
ntuser.dat
bootsect.bak
autoexec.bat
iconcache.db
bootfont.bin
Processes terminated:
teracopy
teamviewer
nsservice
nsctrl
uranium
processhacker
procmon
pestudio
procmon64
x32dbg
x64dbg
cff explorer
procexp
pslist
tcpview
tcpvcon
dbgview
rammap
rammap64
vmmap
ollydbg
autoruns
autorunssc
filemon
regmon
idaq
idaq64
immunitydebugger
wireshark
dumpcap
hookexplorer
importrec
petools
lordpe
sysinspector
proc_analyzer
sysanalyzer
sniff_hit
windbg
joeboxcontrol
joeboxserver
resourcehacker
fiddler
httpdebugger
dumpit
rammap
rammap64
vmmap
agntsvc
cntaosmgr
dbeng50
dbsnmp
encsvc
infopath
isqlplussvc
mbamtray
msaccess
msftesql
mspub
mydesktopqos
mydesktopservice
mysqld
mysqld-nt
mysqld-opt
Ntrtscan
ocautoupds
ocomm
ocssd
onenote
oracle
outlook
PccNTMon
powerpnt
sqbcoreservice
sql
sqlagent
sqlbrowser
sqlservr
sqlwriter
steam
synctime
tbirdconfig
thebat
thebat64
thunderbird
tmlisten
visio
winword
wordpad
xfssvccon
zoolz
Services terminated:
CybereasonRansomFree
vnetd
bpcd
SamSs
TeraCopyService
msftesql
nsService
klvssbridge64
vapiendpoint
ShMonitor
Smcinst
SmcService
SntpService
svcGenericHost
Swi_
TmCCSF
tmlisten
TrueKey
TrueKeyScheduler
TrueKeyServiceHelper
WRSVC
McTaskManager
OracleClientCache80
mfefire
wbengine
mfemms
RESvc
mfevtp
sacsvr
SAVAdminService
SepMasterService
PDVFSService
ESHASRV
SDRSVC
FA_Scheduler
KAVFS
KAVFS_KAVFSGT
kavfsslp
klnagent
macmnsvc
masvc
MBAMService
MBEndpointAgent
McShield
audioendpointbuilder
Antivirus
AVP
DCAgent
bedbg
EhttpSrv
MMS
ekrn
EPSecurityService
EPUpdateService
ntrtscan
EsgShKernel
msexchangeadtopology
AcrSch2Svc
MSOLAP$TPSAMA
Intel(R) PROSet Monitoring
msexchangeimap4
ARSM
unistoresvc_1af40a
ReportServer$TPS
MSOLAP$SYSTEM_BGC
W3Svc
MSExchangeSRS
ReportServer$TPSAMA
Zoolz 2 Service
MSOLAP$TPS
aphidmonitorservice
SstpSvc
MSExchangeMTA
ReportServer$SYSTEM_BGC
Symantec System Recovery
UI0Detect
MSExchangeSA
MSExchangeIS
ReportServer
MsDtsServer110
POP3Svc
MSExchangeMGMT
SMTPSvc
MsDtsServer
IisAdmin
MSExchangeES
EraserSvc11710
Enterprise Client Service
MsDtsServer100
NetMsmqActivator
stc_raw_agent
VSNAPVSS
PDVFSService
AcrSch2Svc
Acronis
CASAD2DWebSvc
CAARCUpdateSvc
McAfee
avpsus
DLPAgentService
mfewc
BMR Boot Service
DefWatch
ccEvtMgr
ccSetMgr
SavRoam
RTVsc screenconnect
ransom
sqltelemetry
msexch
vnc
teamviewer
msolap
veeam
backup
sql
memtas
vss
sophos
svc$
mepocs
wuauserv
Drivers that Blackbyte can bypass:
360avflt.sys
360box.sys
360fsflt.sys
360qpesv.sys
5nine.cbt.sys
a2acc.sys
a2acc64.sys
a2ertpx64.sys
a2ertpx86.sys
a2gffi64.sys
a2gffx64.sys
a2gffx86.sys
aaf.sys
aalprotect.sys
abrpmon.sys
accessvalidator.sys
acdriver.sys
acdrv.sys
adaptivaclientcache32.sys
adaptivaclientcache64.sys
adcvcsnt.sys
adspiderdoc.sys
aefilter.sys
agentrtm64.sys
agfsmon.sys
agseclock.sys
agsyslock.sys
ahkamflt.sys
ahksvpro.sys
ahkusbfw.sys
ahnrghlh.sys
aictracedrv_am.sys
airship-filter.sys
ajfsprot.sys
alcapture.sys
alfaff.sys
altcbt.sys
amfd.sys
amfsm.sys
amm6460.sys
amm8660.sys
amsfilter.sys
amznmon.sys
antileakfilter.sys
antispyfilter.sys
anvfsm.sys
apexsqlfilterdriver.sys
appcheckd.sys
appguard.sys
appvmon.sys
arfmonnt.sys
arta.sys
arwflt.sys
asgard.sys
ashavscan.sys
asiofms.sys
aswfsblk.sys
aswmonflt.sys
aswsnx.sys
aswsp.sys
aszfltnt.sys
atamptnt.sys
atc.sys
atdragent.sys
atdragent64.sys
aternityregistryhook.sys
atflt.sys
atrsdfw.sys
auditflt.sys
aupdrv.sys
avapsfd.sys
avc3.sys
avckf.sys
avfsmn.sys
avgmfi64.sys
avgmfrs.sys
avgmfx64.sys
avgmfx86.sys
avgntflt.sys
avgtpx64.sys
avgtpx86.sys
avipbb.sys
avkmgr.sys
avmf.sys
awarecore.sys
axfltdrv.sys
axfsysmon.sys
ayfilter.sys
b9kernel.sys
backupreader.sys
bamfltr.sys
bapfecpt.sys
bbfilter.sys
bd0003.sys
bddevflt.sys
bdfiledefend.sys
bdfilespy.sys
bdfm.sys
bdfsfltr.sys
bdprivmon.sys
bdrdfolder.sys
bdsdkit.sys
bdsfilter.sys
bdsflt.sys
bdsvm.sys
bdsysmon.sys
bedaisy.sys
bemk.sys
bfaccess.sys
bfilter.sys
bfmon.sys
bhdrvx64.sys
bhdrvx86.sys
bhkavka.sys
bhkavki.sys
bkavautoflt.sys
bkavsdflt.sys
blackbirdfsa.sys
blackcat.sys
bmfsdrv.sys
bmregdrv.sys
boscmflt.sys
bosfsfltr.sys
bouncer.sys
boxifier.sys
brcow_x_x_x_x.sys
brfilter.sys
brnfilelock.sys
brnseclock.sys
browsermon.sys
bsrfsflt.sys
bssaudit.sys
bsyaed.sys
bsyar.sys
bsydf.sys
bsyirmf.sys
bsyrtm.sys
bsysp.sys
bsywl.sys
bwfsdrv.sys
bzsenspdrv.sys
bzsenth.sys
bzsenyaradrv.sys
caadflt.sys
caavfltr.sys
cancelsafe.sys
carbonblackk.sys
catflt.sys
catmf.sys
cbelam.sys
cbfilter20.sys
cbfltfs4.sys
cbfsfilter2017.sys
cbfsfilter2020.sys
cbsampledrv.sys
cdo.sys
cdrrsflt.sys
cdsgfsfilter.sys
centrifyfsf.sys
cfrmd.sys
cfsfdrv
cgwmf.sys
change.sys
changelog.sys
chemometecfilter.sys
ciscoampcefwdriver.sys
ciscoampheurdriver.sys
ciscosam.sys
clumiochangeblockmf.sys
cmdccav.sys
cmdcwagt.sys
cmdguard.sys
cmdmnefs.sys
cmflt.sys
code42filter.sys
codex.sys
conduantfsfltr.sys
containermonitor.sys
cpavfilter.sys
cpavkernel.sys
cpepmon.sys
crexecprev.sys
crncache32.sys
crncache64.sys
crnsysm.sys
cruncopy.sys
csaam.sys
csaav.sys
csacentr.sys
csaenh.sys
csagent.sys
csareg.sys
csascr.sys
csbfilter.sys
csdevicecontrol.sys
csfirmwareanalysis.sys
csflt.sys
csmon.sys
cssdlp.sys
ctamflt.sys
ctifile.sys
ctinet.sys
ctrpamon.sys
ctx.sys
cvcbt.sys
cvofflineflt32.sys
cvofflineflt64.sys
cvsflt.sys
cwdriver.sys
cwmem2k64.sys
cybkerneltracker.sys
cylancedrv64.sys
cyoptics.sys
cyprotectdrv32.sys
cyprotectdrv64.sys
cytmon.sys
cyverak.sys
cyvrfsfd.sys
cyvrlpc.sys
cyvrmtgn.sys
datanow_driver.sys
dattofsf.sys
da_ctl.sys
dcfafilter.sys
dcfsgrd.sys
dcsnaprestore.sys
deepinsfs.sys
delete_flt.sys
devmonminifilter.sys
dfmfilter.sys
dgedriver.sys
dgfilter.sys
dgsafe.sys
dhwatchdog.sys
diflt.sys
diskactmon.sys
dkdrv.sys
dkrtwrt.sys
dktlfsmf.sys
dnafsmonitor.sys
docvmonk.sys
docvmonk64.sys
dpmfilter.sys
drbdlock.sys
drivesentryfilterdriver2lite.sys
drsfile.sys
drvhookcsmf.sys
drvhookcsmf_amd64.sys
drwebfwflt.sys
drwebfwft.sys
dsark.sys
dsdriver.sys
dsfemon.sys
dsflt.sys
dsfltfs.sys
dskmn.sys
dtdsel.sys
dtpl.sys
dwprot.sys
dwshield.sys
dwshield64.sys
eamonm.sys
easeflt.sys
easyanticheat.sys
eaw.sys
ecatdriver.sys
edevmon.sys
ednemfsfilter.sys
edrdrv.sys
edrsensor.sys
edsigk.sys
eectrl.sys
eetd32.sys
eetd64.sys
eeyehv.sys
eeyehv64.sys
egambit.sys
egfilterk.sys
egminflt.sys
egnfsflt.sys
ehdrv.sys
elock2fsctldriver.sys
emxdrv2.sys
enigmafilemondriver.sys
enmon.sys
epdrv.sys
epfw.sys
epfwwfp.sys
epicfilter.sys
epklib.sys
epp64.sys
epregflt.sys
eps.sys
epsmn.sys
equ8_helper.sys
eraser.sys
esensor.sys
esprobe.sys
estprmon.sys
estprp.sys
estregmon.sys
estregp.sys
estrkmon.sys
estrkr.sys
eventmon.sys
evmf.sys
evscase.sys
excfs.sys
exprevdriver.sys
failattach.sys
failmount.sys
fam.sys
fangcloud_autolock_driver.sys
fapmonitor.sys
farflt.sys
farwflt.sys
fasdriver
fcnotify.sys
fcontrol.sys
fdrtrace.sys
fekern.sys
fencry.sys
ffcfilt.sys
ffdriver.sys
fildds.sys
filefilter.sys
fileflt.sys
fileguard.sys
filehubagent.sys
filemon.sys
filemonitor.sys
filenamevalidator.sys
filescan.sys
filesharemon.sys
filesightmf.sys
filesystemcbt.sys
filetrace.sys
file_monitor.sys
file_protector.sys
file_tracker.sys
filrdriver.sys
fim.sys
fiometer.sys
fiopolicyfilter.sys
fjgsdis2.sys
fjseparettifilterredirect.sys
flashaccelfs.sys
flightrecorder.sys
fltrs329.sys
flyfs.sys
fmdrive.sys
fmkkc.sys
fmm.sys
fortiaptfilter.sys
fortimon2.sys
fortirmon.sys
fortishield.sys
fpav_rtp.sys
fpepflt.sys
fsafilter.sys
fsatp.sys
fsfilter.sys
fsgk.sys
fshs.sys
fsmon.sys
fsmonitor.sys
fsnk.sys
fsrfilter.sys
fstrace.sys
fsulgk.sys
fsw31rj1.sys
gagsecurity.sys
gbpkm.sys
gcffilter.sys
gddcv.sys
gefcmp.sys
gemma.sys
geprotection.sys
ggc.sys
gibepcore.sys
gkff.sys
gkff64.sys
gkpfcb.sys
gkpfcb64.sys
gofsmf.sys
gpminifilter.sys
groundling32.sys
groundling64.sys
gtkdrv.sys
gumhfilter.sys
gzflt.sys
hafsnk.sys
hbflt.sys
hbfsfltr.sys
hcp_kernel_acq.sys
hdcorrelatefdrv.sys
hdfilemon.sys
hdransomoffdrv.sys
hdrfs.sys
heimdall.sys
hexisfsmonitor.sys
hfileflt.sys
hiofs.sys
hmpalert.sys
hookcentre.sys
hooksys.sys
hpreg.sys
hsmltmon.sys
hsmltwhl.sys
hssfwhl.sys
hvlminifilter.sys
ibr2fsk.sys
iccfileioad.sys
iccfilteraudit.sys
iccfiltersc.sys
icfclientflt.sys
icrlmonitor.sys
iderafilterdriver.sys
ielcp.sys
ieslp.sys
ifs64.sys
ignis.sys
iguard.sys
iiscache.sys
ikfilesec.sys
im.sys
imffilter.sys
imfilter.sys
imgguard.sys
immflex.sys
immunetprotect.sys
immunetselfprotect.sys
inisbdrv64.sys
ino_fltr.sys
intelcas.sys
intmfs.sys
inuse.sys
invprotectdrv.sys
invprotectdrv64.sys
ionmonwdrv.sys
iothorfs.sys
ipcomfltr.sys
ipfilter.sys
iprotect.sys
iridiumswitch.sys
irongatefd.sys
isafekrnl.sys
isafekrnlmon.sys
isafermon
isecureflt.sys
isedrv.sys
isfpdrv.sys
isirmfmon.sys
isregflt.sys
isregflt64.sys
issfltr.sys
issregistry.sys
it2drv.sys
it2reg.sys
ivappmon.sys
iwdmfs.sys
iwhlp.sys
iwhlp2.sys
iwhlpxp.sys
jdppsf.sys
jdppwf.sys
jkppob.sys
jkppok.sys
jkpppf.sys
jkppxk.sys
k7sentry.sys
kavnsi.sys
kawachfsminifilter.sys
kc3.sys
kconv.sys
kernelagent32.sys
kewf.sys
kfac.sys
kfileflt.sys
kisknl.sys
klam.sys
klbg.sys
klboot.sys
kldback.sys
kldlinf.sys
kldtool.sys
klfdefsf.sys
klflt.sys
klgse.sys
klhk.sys
klif.sys
klifaa.sys
klifks.sys
klifsm.sys
klrsps.sys
klsnsr.sys
klupd_klif_arkmon.sys
kmkuflt.sys
kmnwch.sys
kmxagent.sys
kmxfile.sys
kmxsbx.sys
ksfsflt.sys
ktfsfilter.sys
ktsyncfsflt.sys
kubwksp.sys
lafs.sys
lbd.sys
lbprotect.sys
lcgadmon.sys
lcgfile.sys
lcgfilemon.sys
lcmadmon.sys
lcmfile.sys
lcmfilemon.sys
lcmprintmon.sys
ldsecdrv.sys
libwamf.sys
livedrivefilter.sys
llfilter.sys
lmdriver.sys
lnvscenter.sys
locksmith.sys
lragentmf.sys
lrtp.sys
magicbackupmonitor.sys
magicprotect.sys
majoradvapi.sys
marspy.sys
maxcryptmon.sys
maxproc64.sys
maxprotector.sys
mbae64.sys
mbam.sys
mbamchameleon.sys
mbamshuriken.sys
mbamswissarmy.sys
mbamwatchdog.sys
mblmon.sys
mcfilemon32.sys
mcfilemon64.sys
mcstrg.sys
mearwfltdriver.sys
message.sys
mfdriver.sys
mfeaack.sys
mfeaskm.sys
mfeavfk.sys
mfeclnrk.sys
mfeelamk.sys
mfefirek.sys
mfehidk.sys
mfencbdc.sys
mfencfilter.sys
mfencoas.sys
mfencrk.sys
mfeplk.sys
mfewfpk.sys
miniicpt.sys
minispy.sys
minitrc.sys
mlsaff.sys
mmpsy32.sys
mmpsy64.sys
monsterk.sys
mozycorpfilter.sys
mozyenterprisefilter.sys
mozyentfilter.sys
mozyhomefilter.sys
mozynextfilter.sys
mozyoemfilter.sys
mozyprofilter.sys
mpfilter.sys
mpkernel.sys
mpksldrv.sys
mpxmon.sys
mracdrv.sys
mrxgoogle.sys
mscan-rt.sys
msiodrv4.sys
msixpackagingtoolmonitor.sys
msnfsflt.sys
mspy.sys
mssecflt.sys
mtsvcdf.sys
mumdi.sys
mwac.sys
mwatcher.sys
mwfsmfltr.sys
mydlpmf.sys
namechanger.sys
nanoavmf.sys
naswsp.sys
ndgdmk.sys
neokerbyfilter
netaccctrl.sys
netaccctrl64.sys
netguard.sys
netpeeker.sys
ngscan.sys
nlcbhelpi64.sys
nlcbhelpx64.sys
nlcbhelpx86.sys
nlxff.sys
nmlhssrv01.sys
nmpfilter.sys
nntinfo.sys
novashield.sys
nowonmf.sys
npetw.sys
nprosec.sys
npxgd.sys
npxgd64.sys
nravwka.sys
nrcomgrdka.sys
nrcomgrdki.sys
nregsec.sys
nrpmonka.sys
nrpmonki.sys
nsminflt.sys
nsminflt64.sys
ntest.sys
ntfsf.sys
ntguard.sys
ntps_fa.sys
nullfilter.sys
nvcmflt.sys
nvmon.sys
nwedriver.sys
nxfsmon.sys
nxrmflt.sys
oadevice.sys
oavfm.sys
oczminifilter.sys
odfsfilter.sys
odfsfimfilter.sys
odfstokenfilter.sys
offsm.sys
omfltlh.sys
osiris.sys
ospfile_mini.sys
ospmon.sys
parity.sys
passthrough.sys
path8flt.sys
pavdrv.sys
pcpifd.sys
pctcore.sys
pctcore64.sys
pdgenfam.sys
pecfilter.sys
perfectworldanticheatsys.sys
pervac.sys
pfkrnl.sys
pfracdrv.sys
pgpfs.sys
pgpwdefs.sys
phantomd.sys
phdcbtdrv.sys
pkgfilter.sys
pkticpt.sys
plgfltr.sys
plpoffdrv.sys
pointguardvista64f.sys
pointguardvistaf.sys
pointguardvistar32.sys
pointguardvistar64.sys
procmon11.sys
proggerdriver.sys
psacfileaccessfilter.sys
pscff.sys
psgdflt.sys
psgfoctrl.sys
psinfile.sys
psinproc.sys
psisolator.sys
pwipf6.sys
pwprotect.sys
pzdrvxp.sys
qdocumentref.sys
qfapflt.sys
qfilter.sys
qfimdvr.sys
qfmon.sys
qminspec.sys
qmon.sys
qqprotect.sys
qqprotectx64.sys
qqsysmon.sys
qqsysmonx64.sys
qutmdrv.sys
ranpodfs.sys
ransomdefensexxx.sys
ransomdetect.sys
reaqtor.sys
redlight.sys
regguard.sys
reghook.sys
regmonex.sys
repdrv.sys
repmon.sys
revefltmgr.sys
reveprocprotection.sys
revonetdriver.sys
rflog.sys
rgnt.sys
rmdiskmon.sys
rmphvmonitor.sys
rpwatcher.sys
rrmon32.sys
rrmon64.sys
rsfdrv.sys
rsflt.sys
rspcrtw.sys
rsrtw.sys
rswctrl.sys
rswmon.sys
rtologon.sys
rtw.sys
ruaff.sys
rubrikfileaudit.sys
ruidiskfs.sys
ruieye.sys
ruifileaccess.sys
ruimachine.sys
ruiminispy.sys
rvsavd.sys
rvsmon.sys
rw7fsflt.sys
rwchangedrv.sys
ryfilter.sys
ryguard.sys
safe-agent.sys
safsfilter.sys
sagntflt.sys
sahara.sys
sakfile.sys
sakmfile.sys
samflt.sys
samsungrapidfsfltr.sys
sanddriver.sys
santa.sys
sascan.sys
savant.sys
savonaccess.sys
scaegis.sys
scauthfsflt.sys
scauthiodrv.sys
scensemon.sys
scfltr.sys
scifsflt.sys
sciptflt.sys
sconnect.sys
scred.sys
sdactmon.sys
sddrvldr.sys
sdvfilter.sys
se46filter.sys
secdodriver.sys
secone_filemon10.sys
secone_proc10.sys
secone_reg10.sys
secone_usb.sys
secrmm.sys
secufile.sys
secure_os.sys
secure_os_mf.sys
securofsd_x64.sys
sefo.sys
segf.sys
segiraflt.sys
segmd.sys
segmp.sys
sentinelmonitor.sys
serdr.sys
serfs.sys
sfac.sys
sfavflt.sys
sfdfilter.sys
sfpmonitor.sys
sgresflt.sys
shdlpmedia.sys
shdlpsf.sys
sheedantivirusfilterdriver.sys
sheedselfprotection.sys
shldflt.sys
si32_file.sys
si64_file.sys
sieflt.sys
simrep.sys
sisipsfilefilter
sk.sys
skyamdrv.sys
skyrgdrv.sys
skywpdrv.sys
slb_guard.sys
sld.sys
smbresilfilter.sys
smdrvnt.sys
sndacs.sys
snexequota.sys
snilog.sys
snimg.sys
snscore.sys
snsrflt.sys
sodatpfl.sys
softfilterxxx.sys
soidriver.sys
solitkm.sys
sonar.sys
sophosdt2.sys
sophosed.sys
sophosntplwf.sys
sophossupport.sys
spbbcdrv.sys
spellmon.sys
spider3g.sys
spiderg3.sys
spiminifilter.sys
spotlight.sys
sprtdrv.sys
sqlsafefilterdriver.sys
srminifilterdrv.sys
srtsp.sys
srtsp64.sys
srtspit.sys
ssfmonm.sys
ssrfsf.sys
ssvhook.sys
stcvsm.sys
stegoprotect.sys
stest.sys
stflt.sys
stkrnl64.sys
storagedrv.sys
strapvista.sys
strapvista64.sys
svcbt.sys
swcommfltr.sys
swfsfltr.sys
swfsfltrv2.sys
swin.sys
symafr.sys
symefa.sys
symefa64.sys
symefasi.sys
symevent.sys
symevent64x86.sys
symevnt.sys
symevnt32.sys
symhsm.sys
symrg.sys
sysdiag.sys
sysmon.sys
sysmondrv.sys
sysplant.sys
szardrv.sys
szdfmdrv.sys
szdfmdrv_usb.sys
szedrdrv.sys
szpcmdrv.sys
taniumrecorderdrv.sys
taobserveflt.sys
tbfsfilt.sys
tbmninifilter.sys
tbrdrv.sys
tdevflt.sys
tedrdrv.sys
tenrsafe2.sys
tesmon.sys
tesxnginx.sys
tesxporter.sys
tffregnt.sys
tfsflt.sys
tgfsmf.sys
thetta.sys
thfilter.sys
threatstackfim.sys
tkdac2k.sys
tkdacxp.sys
tkdacxp64.sys
tkfsavxp.sys
tkfsavxp64.sys
tkfsft.sys
tkfsft64.sys
tkpcftcb.sys
tkpcftcb64.sys
tkpl2k.sys
tkpl2k64.sys
tksp2k.sys
tkspxp.sys
tkspxp64.sys
tmactmon.sys
tmcomm.sys
tmesflt.sys
tmevtmgr.sys
tmeyes.sys
tmfsdrv2.sys
tmkmsnsr.sys
tmnciesc.sys
tmpreflt.sys
tmumh.sys
tmums.sys
tmusa.sys
tmxpflt.sys
topdogfsfilt.sys
trace.sys
trfsfilter.sys
tritiumfltr.sys
trpmnflt.sys
trufos.sys
trustededgeffd.sys
tsifilemon.sys
tss.sys
tstfilter.sys
tstfsredir.sys
tstregredir.sys
tsyscare.sys
tvdriver.sys
tvfiltr.sys
tvmfltr.sys
tvptfile.sys
tvspfltr.sys
twbdcfilter.sys
txfilefilter.sys
txregmon.sys
uamflt.sys
ucafltdriver.sys
ufdfilter.sys
uncheater.sys
upguardrealtime.sys
usbl_ifsfltr.sys
usbpdh.sys
usbtest.sys
uvmcifsf.sys
uwfreg.sys
uwfs.sys
v3flt2k.sys
v3flu2k.sys
v3ift2k.sys
v3iftmnt.sys
v3mifint.sys
varpffmon.sys
vast.sys
vcdriv.sys
vchle.sys
vcmfilter.sys
vcreg.sys
veeamfct.sys
vfdrv.sys
vfilefilter.sys
vfpd.sys
vfsenc.sys
vhddelta.sys
vhdtrack.sys
vidderfs.sys
vintmfs.sys
virtfile.sys
virtualagent.sys
vk_fsf.sys
vlflt.sys
vmwvvpfsd.sys
vollock.sys
vpdrvnt.sys
vradfil2.sys
vraptdef.sys
vraptflt.sys
vrarnflt.sys
vrbbdflt.sys
vrexpdrv.sys
vrfsftm.sys
vrfsftmx.sys
vrnsfilter.sys
vrsdam.sys
vrsdcore.sys
vrsdetri.sys
vrsdetrix.sys
vrsdfmx.sys
vrvbrfsfilter.sys
vsepflt.sys
vsscanner.sys
vtsysflt.sys
vxfsrep.sys
wats_se.sys
wbfilter.sys
wcsdriver.sys
wdcfilter.sys
wdfilter.sys
wdocsafe.sys
wfp_mrt.sys
wgfile.sys
whiteshield.sys
windbdrv.sys
windd.sys
winfladrv.sys
winflahdrv.sys
winfldrv.sys
winfpdrv.sys
winload.sys
winteonminifilter.sys
wiper.sys
wlminisecmod.sys
wntgpdrv.sys
wraekernel.sys
wrcore.sys
wrcore.x64.sys
wrdwizfileprot.sys
wrdwizregprot.sys
wrdwizscanner.sys
wrdwizsecure64.sys
wrkrn.sys
wrpfv.sys
wsafefilter.sys
wscm.sys
xcpl.sys
xendowflt.sys
xfsgk.sys
xhunter1.sys
xhunter64.sys
xiaobaifs.sys
xiaobaifsr.sys
xkfsfd.sys
xoiv8x64.sys
xomfcbt8x64.sys
yahoostorage.sys
yfsd.sys
yfsd2.sys
yfsdr.sys
yfsrd.sys
zampit_ml.sys
zesfsmf.sys
zqfilter.sys
zsfprt.sys
zwasatom.sys
zwpxesvr.sys
zxfsfilt.sys
zyfm.sys
zzpensys.sys
Further reading
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.
On July 11, 2023, Microsoft published two blogs detailing a malicious campaign by a threat actor tracked as Storm-0558 that targeted customer email that we’ve detected and mitigated: Microsoft Security Response Center and Microsoft on the Issues. As we continue our investigation into this incident and deploy defense in depth measures to harden all systems involved, we’re providing this deeper analysis of the observed actor techniques for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics.
As described in more detail in our July 11 blogs, Storm-0558 is a China-based threat actor with espionage objectives. Beginning May 15, 2023, Storm-0558 used forged authentication tokens to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. No other environment was impacted. Microsoft has successfully blocked this campaign from Storm-0558. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.
Since identification of this malicious campaign on June 16, 2023, Microsoft has identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities. We continue to investigate and monitor the situation and will take additional steps to protect customers.
Actor overview
Microsoft Threat Intelligence assesses with moderate confidence that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives. While we have discovered some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), we maintain high confidence that Storm-0558 operates as its own distinct group.
Figure 1 shows Storm-0558 working patterns from April to July 2023; the actor’s core working hours are consistent with working hours in China, Monday through Friday from 12:00 AM UTC (8:00 AM China Standard time) through 09:00 AM UTC (5:00 PM China Standard Time).
Figure 1. Heatmap of observed Stom-0558 activity by day of week and hour (UTC).
In past activity observed by Microsoft, Storm-0558 has primarily targeted US and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests.
Historically, this threat actor has displayed an interest in targeting media companies, think tanks, and telecommunications equipment and service providers. The objective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts belonging to employees of targeted organizations. Storm-0558 pursues this objective through credential harvesting, phishing campaigns, and OAuth token attacks. This threat actor has displayed an interest in OAuth applications, token theft, and token replay against Microsoft accounts since at least August 2021. Storm-0558 operates with a high degree of technical tradecraft and operational security. The actors are keenly aware of the target’s environment, logging policies, authentication requirements, policies, and procedures. Storm-0558’s tooling and reconnaissance activity suggests the actor is technically adept, well resourced, and has an in-depth understanding of many authentication techniques and applications.
In the past, Microsoft has observed Storm-0558 obtain credentials for initial access through phishing campaigns. The actor has also exploited vulnerabilities in public-facing applications to gain initial access to victim networks. These exploits typically result in web shells, including China Chopper, being deployed on compromised servers. One of the most prevalent malware families used by Storm-0558 is a shared tool tracked by Microsoft as Cigril. This family exists in several variants and is launched using dynamic-link library (DLL) search order hijacking.
After gaining access to a compromised system, Storm-0558 accesses credentials from a variety of sources, including the LSASS process memory and Security Account Manager (SAM) registry hive. Microsoft assesses that once Storm-0558 has access to the desired user credentials, the actor signs into the compromised user’s cloud email account with the valid account credentials. The actor then collects information from the email account over the web service.
Initial discovery and analysis of current activity
On June 16, 2023, Microsoft was notified by a customer of anomalous Exchange Online data access. Microsoft analysis attributed the activity to Storm-0558 based on established prior TTPs. We determined that Storm-0558 was accessing the customer’s Exchange Online data using Outlook Web Access (OWA). Microsoft’s investigative workflow initially assumed the actor was stealing correctly issued Azure Active Directory (Azure AD) tokens, most probably using malware on infected customer devices. Microsoft analysts later determined that the actor’s access was utilizing Exchange Online authentication artifacts, which are typically derived from Azure AD authentication tokens (Azure AD tokens). Further in-depth analysis over the next several days led Microsoft analysts to assess that the internal Exchange Online authentication artifacts did not correspond to Azure AD tokens in Microsoft logs.
Microsoft analysts began investigating the possibility that the actor was forging authentication tokens using an acquired Azure AD enterprise signing key. In-depth analysis of the Exchange Online activity discovered that in fact the actor was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key. This was made possible by a validation error in Microsoft code. The use of an incorrect key to sign the requests allowed our investigation teams to see all actor access requests which followed this pattern across both our enterprise and consumer systems. Use of the incorrect key to sign this scope of assertions was an obvious indicator of the actor activity as no Microsoft system signs tokens in this way. Use of acquired signing material to forge authentication tokens to access customer Exchange Online data differs from previously observed Storm-0558 activity. Microsoft’s investigations have not detected any other use of this pattern by other actors and Microsoft has taken steps to block related abuse.
Actor techniques
Token forgery
Authentication tokens are used to validate the identity of entities requesting access to resources – in this case, email. These tokens are issued to the requesting entity (such as a user’s browser) by identity providers like Azure AD. To prove authenticity, the identity provider signs the token using a private signing key. The relying party validates the token presented by the requesting entity by using a public validation key. Any request whose signature is correctly validated by the published public validation key will be trusted by the relying party. An actor that can acquire a private signing key can then create falsified tokens with valid signatures that will be accepted by relying parties. This is called token forgery.
Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.
As part of defense in depth, we continuously update our systems. We have substantially hardened key issuance systems since the acquired MSA key was initially issued. This includes increased isolation of the systems, refined monitoring of system activity, and moving to the hardened key store used for our enterprise systems. We have revoked all previously active keys and issued new keys using these updated systems. Our active investigation indicates these hardening and isolation improvements disrupt the mechanisms we believe the actor could have used to acquire MSA signing keys. No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys. We continue to explore other ways the key may have been acquired and add additional defense in depth measures.
Identity techniques for access
Once authenticated through a legitimate client flow leveraging the forged token, the threat actor accessed the OWA API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA. The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw. This flaw in the GetAccessTokenForResourceAPI has since been fixed to only accept tokens issued from Azure AD or MSA respectively. The actor used these tokens to retrieve mail messages from the OWA API.
Actor tooling
Microsoft Threat Intelligence routinely identifies threat actor capabilities and leverages file intelligence to facilitate our protection of Microsoft customers. During this investigation, we identified several distinct Storm-0558 capabilities that facilitate the threat actor’s intrusion techniques. The capabilities described in this section are not expected to be present in the victim environment.
Storm-0558 uses a collection of PowerShell and Python scripts to perform REST API calls against the OWA Exchange Store service. For example, Storm-0558 has the capability to use minted access tokens to extract email data such as:
Download emails
Download attachments
Locate and download conversations
Get email folder information
The generated web requests can be routed through a Tor proxy or several hardcoded SOCKS5 proxy servers. The threat actor was observed using several User-Agents when issuing web requests, for example:
Client=REST;Client=RESTSystem;;
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.52
The scripts contain highly sensitive hardcoded information such as bearer access tokens and email data, which the threat actor uses to perform the OWA API calls. The threat actor has the capability to refresh the access token for use in subsequent OWA commands.
Figure 2. Python code snippet of the token refresh functionality used by the threat actor.Figure 3. PowerShell code snippet of OWA REST API call to GetConversationItems.
Actor infrastructure
During significant portions of Storm-0558’s malicious activities, the threat actor leveraged dedicated infrastructure running the SoftEther proxy software. Proxy infrastructure complicates detection and attribution of Storm-0558 activities. During our response, Microsoft Threat Intelligence identified a unique method of profiling this proxy infrastructure and correlated with behavioral characteristics of the actor intrusion techniques. Our profile was based on the following facets:
Hosts operating as part of this network present a JARM fingerprint consistent with SoftEther VPN: 06d06d07d06d06d06c42d42d000000cdb95e27fd8f9fee4a2bec829b889b8b.
Presented x509 certificate has expiration date of December 31, 2037.
Subject information within the x509 certificate does not contain “softether”.
Over the course of the campaign, the IPs listed in the table below were used during the corresponding timeframes.
IP address
First seen
Last seen
Description
51.89.156[.]153
3/9/2023
7/10/2023
SoftEther proxy
176.31.90[.]129
3/28/2023
6/29/2023
SoftEther proxy
137.74.181[.]100
3/31/2023
7/11/2023
SoftEther proxy
193.36.119[.]45
4/19/2023
7/7/2023
SoftEther proxy
185.158.248[.]159
4/24/2023
7/6/2023
SoftEther proxy
131.153.78[.]188
5/6/2023
6/29/2023
SoftEther proxy
37.143.130[.]146
5/12/2023
5/19/2023
SoftEther proxy
146.70.157[.]45
5/12/2023
6/8/2023
SoftEther proxy
185.195.200[.]39
5/15/2023
6/29/2023
SoftEther proxy
185.38.142[.]229
5/15/2023
7/12/2023
SoftEther proxy
146.70.121[.]44
5/17/2023
6/29/2023
SoftEther proxy
31.42.177[.]181
5/22/2023
5/23/2023
SoftEther proxy
185.51.134[.]52
6/7/2023
7/11/2023
SoftEther proxy
173.44.226[.]70
6/9/2023
7/11/2023
SoftEther proxy
45.14.227[.]233
6/12/2023
6/26/2023
SoftEther proxy
185.236.231[.]109
6/12/2023
7/3/2023
SoftEther proxy
178.73.220[.]149
6/16/2023
7/12/2023
SoftEther proxy
45.14.227[.]212
6/19/2023
6/29/2023
SoftEther proxy
91.222.173[.]225
6/20/2023
7/1/2023
SoftEther proxy
146.70.35[.]168
6/22/2023
6/29/2023
SoftEther proxy
146.70.157[.]213
6/26/2023
6/30/2023
SoftEther proxy
31.42.177[.]201
6/27/2023
6/29/2023
SoftEther proxy
5.252.176[.]8
7/1/2023
7/1/2023
SoftEther proxy
80.85.158[.]215
7/1/2023
7/9/2023
SoftEther proxy
193.149.129[.]88
7/2/2023
7/12/2023
SoftEther proxy
5.252.178[.]68
7/3/2023
7/11/2023
SoftEther proxy
116.202.251[.]8
7/4/2023
7/7/2023
SoftEther proxy
185.158.248[.]93
6/25/2023
06/26/2023
SoftEther proxy
20.108.240[.]252
6/25/2023
7/5/2023
SoftEther proxy
146.70.135[.]182
5/18/2023
6/22/2023
SoftEther proxy
As early as May 15, 2023, Storm-0558 shifted to using a separate series of dedicated infrastructure servers specifically for token replay and interaction with Microsoft services. It is likely that the dedicated infrastructure and supporting services configured on this infrastructure offered a more efficient manner of facilitating the actor’s activities. The dedicated infrastructure would host an actor-developed web panel that presented an authentication page at URI /#/login. The observed sign-in pages had one of two SHA-1 hashes: 80d315c21fc13365bba5b4d56357136e84ecb2d4 and 931e27b6f1a99edb96860f840eb7ef201f6c68ec.
Figure 4. Token web panel sign-in page with SHA-1 hashes.
As part of the intelligence-driven response to this campaign, and in support of tracking, analyzing, and disrupting actor activity, analytics were developed to proactively track the dedicated infrastructure. Through this tracking, we identified the following dedicated infrastructure.
IP address
First seen
Last seen
Description
195.26.87[.]219
5/15/2023
6/25/2023
Token web panel
185.236.228[.]183
5/24/2023
6/11/2023
Token web panel
85.239.63[.]160
6/7/2023
6/11/2023
Token web panel
193.105.134[.]58
6/24/2023
6/25/2023
Token web panel
146.0.74[.]16
6/28/2023
7/4/2023
Token web panel
91.231.186[.]226
6/29/2023
7/4/2023
Token web panel
91.222.174[.]41
6/29/2023
7/3/2023
Token web panel
185.38.142[.]249
6/29/2023
7/2/2023
Token web panel
The last observed dedicated token replay infrastructure associated with this activity was stood down on July 4, 2023, roughly one day following the coordinated mitigation conducted by Microsoft.
Post-compromise activity
Our telemetry and investigations indicate that post-compromise activity was limited to email access and exfiltration for targeted users.
Mitigation and hardening
No customer action is required to mitigate the token forgery technique or validation error in OWA or Outlook.com. Microsoft has mitigated this issue on customers’ behalf as follows:
On June 26, OWA stopped accepting tokens issued from GetAccessTokensForResource for renewal, which mitigated the token renewal being abused.
On June 27, Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA preventing further threat actor enterprise mail activity.
On June 29, Microsoft completed replacement of the key to prevent the threat actor from using it to forge tokens. Microsoft revoked all MSA signing which were valid at the time of the incident, including the actor-acquired MSA key. The new MSA signing keys are issued in substantially updated systems which benefit from hardening not present at issuance of the actor-acquired MSA key:
Microsoft has increased the isolation of these systems from corporate environments, applications, and users.Microsoft has refined monitoring of all systems related to key activity, and increased automated alerting related to this monitoring.
Microsoft has moved the MSA signing keys to the key store used for our enterprise systems.
On July 3, Microsoft blocked usage of the key for all impacted consumer customers to prevent use of previously-issued tokens.
Ongoing monitoring indicates that all actor activity related to this incident has been blocked. Microsoft will continue to monitor Storm-0558 activity and implement protections for our customers.
Recommendations
Microsoft has mitigated this activity on our customers’ behalf for Microsoft services. No customer action is required to prevent threat actors from using the techniques described above to access Exchange Online and Outlook.com.
Indicators of compromise
Indicator
Type
First seen
Last seen
Description
d4b4cccda9228624656bff33d8110955779632aa
Thumbprint
Thumbprint of acquired signing key
195.26.87[.]219
IPv4
5/15/2023
6/25/2023
Token web panel
185.236.228[.]183
IPv4
5/24/2023
6/11/2023
Token web panel
85.239.63[.]160
IPv4
6/7/2023
6/11/2023
Token web panel
193.105.134[.]58
IPv4
6/24/2023
6/25/2023
Token web panel
146.0.74[.]16
IPv4
6/28/2023
7/4/2023
Token web panel
91.231.186[.]226
IPv4
6/29/2023
7/4/2023
Token web panel
91.222.174[.]41
IPv4
6/29/2023
7/3/2023
Token web panel
185.38.142[.]249
IPv4
6/29/2023
7/2/2023
Token web panel
51.89.156[.]153
IPv4
3/9/2023
7/10/2023
SoftEther proxy
176.31.90[.]129
IPv4
3/28/2023
6/29/2023
SoftEther proxy
137.74.181[.]100
IPv4
3/31/2023
7/11/2023
SoftEther proxy
193.36.119[.]45
IPv4
4/19/2023
7/7/2023
SoftEther proxy
185.158.248[.]159
IPv4
4/24/2023
7/6/2023
SoftEther proxy
131.153.78[.]188
IPv4
5/6/2023
6/29/2023
SoftEther proxy
37.143.130[.]146
IPv4
5/12/2023
5/19/2023
SoftEther proxy
146.70.157[.]45
IPv4
5/12/2023
6/8/2023
SoftEther proxy
185.195.200[.]39
IPv4
5/15/2023
6/29/2023
SoftEther proxy
185.38.142[.]229
IPv4
5/15/2023
7/12/2023
SoftEther proxy
146.70.121[.]44
IPv4
5/17/2023
6/29/2023
SoftEther proxy
31.42.177[.]181
IPv4
5/22/2023
5/23/2023
SoftEther proxy
185.51.134[.]52
IPv4
6/7/2023
7/11/2023
SoftEther proxy
173.44.226[.]70
IPv4
6/9/2023
7/11/2023
SoftEther proxy
45.14.227[.]233
IPv4
6/12/2023
6/26/2023
SoftEther proxy
185.236.231[.]109
IPv4
6/12/2023
7/3/2023
SoftEther proxy
178.73.220[.]149
IPv4
6/16/2023
7/12/2023
SoftEther proxy
45.14.227[.]212
IPv4
6/19/2023
6/29/2023
SoftEther proxy
91.222.173[.]225
IPv4
6/20/2023
7/1/2023
SoftEther proxy
146.70.35[.]168
IPv4
6/22/2023
6/29/2023
SoftEther proxy
146.70.157[.]213
IPv4
6/26/2023
6/30/2023
SoftEther proxy
31.42.177[.]201
IPv4
6/27/2023
6/29/2023
SoftEther proxy
5.252.176[.]8
IPv4
7/1/2023
7/1/2023
SoftEther proxy
80.85.158[.]215
IPv4
7/1/2023
7/9/2023
SoftEther proxy
193.149.129[.]88
IPv4
7/2/2023
7/12/2023
SoftEther proxy
5.252.178[.]68
IPv4
7/3/2023
7/11/2023
SoftEther proxy
116.202.251[.]8
IPv4
7/4/2023
7/7/2023
SoftEther proxy
Further reading
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.
Small businesses are often targeted by cybercriminals due to their lack of resources and security measures. Protecting your business from cyber threats is crucial to avoid data breaches and financial losses.
Why is cyber security so important for small businesses?
Small businesses are particularly in danger of cyberattacks, which can result in financial loss, data breaches, and damage to IT equipment. To protect your business, it’s important to implement strong cybersecurity measures.
Here are some tips to help you get started:
One important aspect of data protection and cybersecurity for small businesses is controlling access to customer lists. It’s important to limit access to this sensitive information to only those employees who need it to perform their job duties. Additionally, implementing strong password policies and regularly updating software and security measures can help prevent unauthorized access and protect against cyber attacks. Regular employee training on cybersecurity best practices can also help ensure that everyone in the organization is aware of potential threats and knows how to respond in the event of a breach.
When it comes to protecting customer credit card information in small businesses, there are a few key tips to keep in mind. First and foremost, it’s important to use secure payment processing systems that encrypt sensitive data. Additionally, it’s crucial to regularly update software and security measures to stay ahead of potential threats. Employee training and education on cybersecurity best practices can also go a long way in preventing data breaches. Finally, having a plan in place for responding to a breach can help minimize the damage and protect both your business and your customers.
Small businesses are often exposed to cyber attacks, making data protection and cybersecurity crucial. One area of particular concern is your company’s banking details. To protect this sensitive information, consider implementing strong passwords, two-factor authentication, and regular monitoring of your accounts. Additionally, educate your employees on safe online practices and limit access to financial information to only those who need it. Regularly backing up your data and investing in cybersecurity software can also help prevent data breaches.
Small businesses are often at high risk of cyber attacks due to their limited resources and lack of expertise in cybersecurity. To protect sensitive data, it is important to implement strong passwords, regularly update software and antivirus programs, and limit access to confidential information.
It is also important to have a plan in place in case of a security breach, including steps to contain the breach and notify affected parties. By taking these steps, small businesses can better protect themselves from cyber threats and ensure the safety of their data.
Tips for protecting your small business from cyber threats and data breaches are crucial in today’s digital age. One of the most important steps is to educate your employees on cybersecurity best practices, such as using strong passwords and avoiding suspicious emails or links.
It’s also important to regularly update your software and systems to ensure they are secure and protected against the latest threats. Additionally, implementing multi-factor authentication and encrypting sensitive data can add an extra layer of protection. Finally, having a plan in place for responding to a cyber-attack or data breach can help minimize the damage and get your business back on track as quickly as possible.
Small businesses are attackable to cyber-attacks and data breaches, which can have devastating consequences. To protect your business, it’s important to implement strong cybersecurity measures. This includes using strong passwords, regularly updating software and systems, and training employees on how to identify and avoid phishing scams.
It’s also important to have a data backup plan in place and to regularly test your security measures to ensure they are effective. By taking these steps, you can help protect your business from cyber threats and safeguard your valuable data.
To protect against cyber threats, it’s important to implement strong data protection and cybersecurity measures. This can include regularly updating software and passwords, using firewalls and antivirus software, and providing employee training on safe online practices. Additionally, it’s important to have a plan in place for responding to a cyber attack, including backing up data and having a designated point person for handling the situation.
In today’s digital age, small businesses must prioritize data protection and cybersecurity to safeguard their operations and reputation. With the rise of remote work and cloud-based technology, businesses are more vulnerable to cyber attacks than ever before. To mitigate these risks, it’s crucial to implement strong security measures for online meetings, advertising, transactions, and communication with customers and suppliers. By prioritizing cybersecurity, small businesses can protect their data and prevent unauthorized access or breaches.
Here are 8 essential tips for data protection and cybersecurity in small businesses.
1. Train Your Employees on Cybersecurity Best Practices
Your employees are the first line of defense against cyber threats. It’s important to train them on cybersecurity best practices to ensure they understand the risks and how to prevent them. This includes creating strong passwords, avoiding suspicious emails and links, and regularly updating software and security systems. Consider providing regular training sessions and resources to keep your employees informed and prepared.
2. Use Strong Passwords and Two-Factor Authentication
One of the most basic yet effective ways to protect your business from cyber threats is to use strong passwords and two-factor authentication. Encourage your employees to use complex passwords that include a mix of letters, numbers, and symbols, and to avoid using the same password for multiple accounts. Two-factor authentication adds an extra layer of security by requiring a second form of verification, such as a code sent to a mobile device, before granting access to an account. This can help prevent unauthorized access even if a password is compromised.
3. Keep Your Software and Systems Up to Date
One of the easiest ways for cybercriminals to gain access to your business’s data is through outdated software and systems. Hackers are constantly looking for vulnerabilities in software and operating systems, and if they find one, they can exploit it to gain access to your data. To prevent this, make sure all software and systems are kept up-to-date with the latest security patches and updates. This includes not only your computers and servers but also any mobile devices and other connected devices used in your business. Set up automatic updates whenever possible to ensure that you don’t miss any critical security updates.
4. Use Antivirus and Anti-Malware Software
Antivirus and anti-malware software are essential tools for protecting your small business from cyber threats. These programs can detect and remove malicious software, such as viruses, spyware, and ransomware before they can cause damage to your systems or steal your data. Make sure to install reputable antivirus and anti-malware software on all devices used in your business, including computers, servers, and mobile devices. Keep the software up-to-date and run regular scans to ensure that your systems are free from malware.
5. Backup Your Data Regularly
One of the most important steps you can take to protect your small business from data loss is to back up your data regularly. This means creating copies of your important files and storing them in a secure location, such as an external hard drive or cloud storage service. In the event of a cyber-attack or other disaster, having a backup of your data can help you quickly recover and minimize the impact on your business. Make sure to test your backups regularly to ensure that they are working properly and that you can restore your data if needed.
6. Carry out a risk assessment
Small businesses are especially in peril of cyber attacks, making it crucial to prioritize data protection and cybersecurity. One important step is to assess potential risks that could compromise your company’s networks, systems, and information. By identifying and analyzing possible threats, you can develop a plan to address security gaps and protect your business from harm.
For Small businesses making data protection and cybersecurity is a crucial part. To start, conduct a thorough risk assessment to identify where and how your data is stored, who has access to it, and potential threats. If you use cloud storage, consult with your provider to assess risks. Determine the potential impact of breaches and establish risk levels for different events. By taking these steps, you can better protect your business from cyber threats
7. Limit access to sensitive data
One effective strategy is to limit access to critical data to only those who need it. This reduces the risk of a data breach and makes it harder for malicious insiders to gain unauthorized access. To ensure accountability and clarity, create a plan that outlines who has access to what information and what their roles and responsibilities are. By taking these steps, you can help safeguard your business against cyber threats.
8. Use a firewall
For Small businesses, it’s important to protect the system from cyber attacks by making data protection and reducing cybersecurity risk. One effective measure is implementing a firewall, which not only protects hardware but also software. By blocking or deterring viruses from entering the network, a firewall provides an added layer of security. It’s important to note that a firewall differs from an antivirus, which targets software affected by a virus that has already infiltrated the system.
Small businesses can take steps to protect their data and ensure cybersecurity. One important step is to install a firewall and keep it updated with the latest software or firmware. Regularly checking for updates can help prevent potential security breaches.
Conclusion
Small businesses are particularly vulnerable to cyber attacks, so it’s important to take steps to protect your data. One key tip is to be cautious when granting access to your systems, especially to partners or suppliers. Before granting access, make sure they have similar cybersecurity practices in place. Don’t hesitate to ask for proof or to conduct a security audit to ensure your data is safe.
As you probably know, Windows keeps your files into folders that can also contain subfolders. By using folders, you can keep your computer organized by placing files of certain types in their own folders, such as files for a school project or sales meeting. And of course you can create these folders and subfolders as needed and copy or move your files in and out of them.
You have probably also noticed that all of these folders look the same with the exception of the Windows user folders for Documents, Downloads, Pictures and so on as seen below.
Another thing that will affect how your folders look is the view that you have applied to them. You can set your folder views to show them as a list or as icons of various sizes. When you use one of the icon views, you might see a file preview icon on the folder based on what types of files are in the folder itself. This icon can also change when you add or remove files from the folder. Empty folders will not have any file preview icons on them.
If you are looking for some extra customization, then you can try out the free Folder Marker software which will allow you to apply colors to specific folders as well as custom icons. Once you download and install the software, you can apply color and icon changes by either adding folders to the main interface or by using the new right click context menu item that you will now have on your computer.
If you use the first method where you add or drag folders into the app itself, any changes you make will be applied to all folders in the list so you might want to use the right click method to apply changes to single folders.
If you would rather apply a custom icon to your folder rather than change its color, then you can do so from the Main tab in the app or simply by clicking the icon you like from the right click menu. The User Icons section is used to add your own custom icons if you happen to know how to create those.
The image below shows the same folders with some colors and icons applied to them. As you can see, they stand out much better than they did before the changes were made. If you were to move or copy a folder to a new location, its color or custom icon will stay with it so you don’t need to worry about having to change its appearance again.
If you change your mind and what to revert a folder back to its original look, you can do so by right clicking on it and choosing the Restore Default option. To revert all of your changes, you can open the app itself and then go to the Action menu and click on Rollback All Changes.
As you can see, Folder Marker is easy to use and is a quick way to customize your Windows folders and can really help with your file management tasks. You can download the program from their website here.
Last updated: June 20, 2023 Robert Waters Security Unified Endpoint Management DEX
Increases in attack surface size lead to increased cybersecurity risk. Thus, logically, decreases in attack surface size lead to decreased cybersecurity risk.
While some attack surface management solutions offer remediation capabilities that aid in this effort, remediation is reactive. As with all things related to security and risk management, being proactive is preferred.
The good news is that ASM solutions aren’t the only weapons security teams have in the attack surface fight. There are many steps an organization can take to lessen the exposure of its IT environment and preempt cyberattacks.
How do I reduce my organization’s attack surface?
Unfortunately for everyone but malicious actors, there’s no eliminating your entire attack surface, but the following best practice security controls detailed in this post will help you significantly shrink it:
As noted in our attack surface glossary entry, different attack vectors can technically fall under multiple types of attack surfaces — digital, physical and/or human. Similarly, many of the best practices in this post can help you reduce multiple types of attack surfaces.
For that reason, we have included a checklist along with each best practice that signifies which type(s) of attack surface a particular best practice primarily addresses.
#1: Reduce complexity
.
Digital attack surface
Physical attack surface
Human attack surface
X
X
.
Reduce your cybersecurity attack surface by reducing complexity. Seems obvious, right? And it is. However, many companies have long failed at this seemingly simple step. Not because it’s not obvious, but because it hasn’t always been easy to do.
Research from Randori and ESG reveals seven in 10 organizations were compromised by an unknown, unmanaged or poorly managed internet-facing asset over the past year. Cyber asset attack surface management (CAASM) solutions enable such organizations to identify all their assets — including those that are unauthorized and unmanaged — so they can be secured, managed or even removed from the enterprise network.
Any unused or unnecessary assets, from endpoint devices to network infrastructure, should also be removed from the network and properly discarded.
The code that makes up your software applications is another area where complexity contributes to the size of your attack surface. Work with your development team to identify where opportunities exist to minimize the amount of executed code exposed to malicious actors, which will thereby also reduce your attack surface.
#2: Adopt a zero trust strategy for logical and physical access control
.
Digital attack surface
Physical attack surface
Human attack surface
X
X
.
The National Institute of Standards and Technology (NIST) defines zero trust as follows:
“A collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Taking a zero trust approach to logical access control reduces your organization’s attack surface — and likelihood of data breaches — by continuously verifying posture and compliance and providing least-privileged access.
And while zero trust isn’t a product but a strategy, there are products that can help you implement a zero trust strategy. Chief among those products are those included in the secure access service edge (SASE) framework:
And though it’s not typically viewed in this manner, a zero trust strategy can extend beyond logical access control to physical access control. When it comes to allowing anyone into secure areas of your facilities, remember to never trust, always verify. Mechanisms like access cards and biometrics can be used for this purpose.
#3: Evolve to risk-based vulnerability management
.
Digital attack surface
Physical attack surface
Human attack surface
X
.
First, the bad news: the US National Vulnerability Database (US NVD) contains over 160,000 scored vulnerabilities and dozens more are added every day. Now, the good news: a vast majority of vulnerabilities have never been exploited, which means they can’t be used to perpetrate a cyberattack, which means they aren’t part of your attack surface.
In fact, a ransomware research report from Securin, Cyber Security Works (CSW), Ivanti and Cyware showed only 180 of those 160,000+ vulnerabilities were trending active exploits.
Comparison of total NVD vulnerabilities vs. those that endanger an organization
Only approximately 0.1% of all vulnerabilities in the US NVD are trending active exploits that pose an immediate risk to an organization
A true risk-based approach is needed. Risk-based vulnerability management (RBVM) — as its name suggests — is a cybersecurity strategy that prioritizes vulnerabilities for remediation based on the risk they pose to the organization.
With the intelligence from their RBVM tool in hand, organizations can then go about reducing their attack surface by remediating the vulnerabilities that pose them the most risk. Most commonly, that involves patching exploited vulnerabilities on the infrastructure side and fixing vulnerable code in the application stack.
#4: Implement network segmentation and microsegmentation
.
Digital attack surface
Physical attack surface
Human attack surface
X
.
Once again, borrowing from the NIST glossary, network segmentation is defined as follows:
Splitting a network into sub-networks, for example, by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating it to a limited part of the network.
From this definition, you can see how segmenting can reduce your attack surface by blocking attackers from certain parts of your network. While traditional network segmentation stops those attackers from moving north-south at the network level, microsegmentation stops them from moving east-west at the workload level.
More specifically, microsegmentation goes beyond network segmentation and enforces policies on a more granular basis — for example, by application or device instead of by network.
For example, it can be used to implement restrictions so an IoT device can only communicate with its application server and no other IoT devices, or to prevent someone in one department from accessing any other department’s systems.
#5: Strengthen software and asset configurations
.
Digital attack surface
Physical attack surface
Human attack surface
X
.
Operating systems, applications and enterprise assets — such as servers and end user, network and IoT devices — typically come unconfigured or with default configurations that favor ease of deployment and use over security. According to CIS Critical Security Controls (CIS Controls) v8, the following can all be exploitable if left in their default state:
Basic controls
Open services and ports
Default accounts or passwords
Pre-configured Domain Name System (DNS) settings
Older (vulnerable) protocols
Pre-installation of unnecessary software
Clearly, such configurations increase the size of an attack surface. To remedy the situation, Control 4: Secure Configuration of Enterprise Assets and Software of CIS Controls v8 recommends developing and applying strong initial configurations, then continually managing and maintaining those configurations to avoid degrading security of software and assets.
Here are some free resources and tools your team can leverage to help with this effort:
CIS Benchmarks List – Configuration recommendations for over 25 vendor product families
CIS-CAT Lite — Assessment tool that helps users implement secure configurations for a range of technologies
#6: Enforce policy compliance
.
Digital attack surface
Physical attack surface
Human attack surface
X
X
.
It’s no secret that endpoints are a major contributor to the size of most attack surfaces — especially in the age of Everywhere Work when more employees are working in hybrid and remote roles than ever before. Seven in 10 government employees now work virtually at least part of the time.
It’s hard enough getting employees to follow IT and security policies when they’re inside the office, let alone when 70% of them are spread all over the globe.
Unified endpoint management (UEM) tools ensure universal policy compliance by automatically enforcing policies. This fact should come as no surprise to IT and security professionals, many of whom consider UEM a commodity at this point. In fact, Gartner predicts that 90% of its clients will manage most of their estate with cloud-based UEM tools by just 2025.
Nonetheless, UEM is the best option for enforcing IT and security policy compliance, so I’d be remiss to omit it from this list.
Additionally, beyond compliance, modern UEM tools offer several other capabilities that can help you identify, manage and reduce your attack surface:
Have complete visibility into IT assets by discovering all devices on your network — a key ASM capability for organizations without a CAASM solution.
Provision devices with the appropriate software and access permissions, then automatically update that software as needed — no user interactions required.
Manage all types of devices across the entire lifecycle, from onboarding to retirement, to ensure they’reproperly discarded once no longer in use.
Support zero trust access and contextual authentication, vulnerability, policy, configuration and data management by integrating with identity, security and remote-access tools. For example, UEM and mobile threat defense (MTD) tools can integrate to enable you to enact risk-based policies to protect mobile devices from compromising the corporate network and its assets.
#7: Train all employees on cybersecurity policies and best practices
Thus, it should come as no surprise when you review the data from Ivanti’s 2023 Government Cybersecurity Status Report and see the percentages of employees around the world that don’t believe their actions have any impact on their organization’s ability to avert cyberattacks:
Do employees think their own actions matter?
Many employees don’t believe their actions impact their organization’s ability to stay safe from cyberattacks.
In the immortal words of Alexander Pope: “To err is human…” In cybersecurity terms: until AI officially takes over, humans will remain a significant part of your attack surface. And until then, human attack surfaces must be managed and reduced wherever possible.
Thus far, the best way to do that’s proven to be cybersecurity training, both on general best practices and company-specific policies — and definitely don’t forget to include a social engineering module.
To once again borrow from CIS Controls v8, Control 14: Security Awareness and Skills Training encourages organizations to do the following: “Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.”
CIS — the Center for Internet Security — also recommends leveraging the following resources to help build a security awareness program:
Security and IT staff — not just those in non-technical roles — should also be receiving cybersecurity training relevant to their roles. In fact, according to the IT and security decision-makers surveyed by Randori and ESG for their 2022 report on The State of Attack Surface Management, providing security and IT staff with more ASM training would be the third most-effective way to improve ASM.
Ensuring partners, vendors and other third-party contractors take security training as well can also help contain your human attack surface.
#8: Improve digital employee experience (DEX)
.
Digital attack surface
Physical attack surface
Human attack surface
X
X
.
No matter how much cybersecurity training you provide employees, the more complex and convoluted security measures become, the more likely they are to bypass them. Sixty-nine percent of end users report struggling to navigate overly convoluted and complex security measures. Such dissatisfied users are prone to distribute data over unsecured channels, prevent the installation of security updates and deploy shadow IT.
So what do you do? Ivanti’s 2022 Digital Employee Experience Report indicates IT leaders — with support from the C-suite — need to put their efforts toward providing a secure-by-design digital employee experience. While that once may have seemed like an impossible task, it’s now easier than ever thanks to an emerging market for DEX tools that help you measure and continuously improve employees’ technology experience.
One area in which organizations can easily improve both security and employee experience is authentication. Annoying and inefficient to remember, enter and reset, passwords have long been the bane of end users.
On top of that, they’re extremely unsecure. Roughly half of the 4,291 data breaches not involving internal malicious activity analyzed for the 2023 Verizon DBIR were enabled through credentials — about four times the amount enabled by phishing — making them by far the most popular path into an organization’s IT estate.
Passwordless authentication software solves this problem. If you’d like to improve end user experience and reduce your attack surface in one fell swoop, deploy a passwordless authentication solution that uses FIDO2 authentication protocols. Both you and your users will rejoice when you can say goodbye to passwords written on Post-it Notes forever.
Ivanti’s suggested best practices for reducing your attack surface combine learnings from our firsthand experience plus secondhand knowledge gleaned from authoritative resources.
And while these best practices will indeed greatly diminish the size of your attack surface, there’s no shortage of other steps an organization could take to combat the ever-expanding size and complexity of modern attack surfaces.
Check out the following free resources — some of which were referenced above — for additional guidance on shrinking your attack surface:
So, you’ve implemented all the best practices above and you’re wondering what’s next. As with all things cybersecurity, there’s no time for standing still. Attack surfaces require constant monitoring.
You never know when the next unmanaged BYOD device will connect to your network, the next vulnerability in your CRM software will be exploited or the next employee will forget their iPhone at the bar after a team happy hour.
On top of tracking existing attack vectors, you also need to stay informed about emerging ones. For example, the recent explosion of AI models is driving substantial attack surface growth, and it’s safe to say more technologies that open the door to your IT environment are on the horizon. Stay vigilant.
About Robert Waters
Robert Waters is the Lead Product Marketing Manager for endpoint security at Ivanti. His 15 years of marketing experience in the technology industry include an early stint at a Fortune 1000 telecommunications company and a decade at a network monitoring and managed services firm.
Robert joined Ivanti in November of 2022 and now oversees all things risk-based vulnerability management and patch management.
