The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.
External link for Microsoft Threat Intelligence
Microsoft Threat Intelligence reposted this
Read an update on what we’ve done to help Microsoft customers recover from the recent CrowdStrike outage. Learn about our actions from the start of the incident and our collaboration with customers, cloud providers and others in the tech community. https://lnkd.in/gPBnrjyt
The Microsoft AI Bounty program aims to better secure Microsoft Copilot by inviting security researchers to find and report high impact security vulnerabilities. In the program, researchers who find a bug in Copilot need to send details of their findings to MSRC via https://msft.it/6043lRzYB for analysis, severity and impact assessment, as well as mitigation development. Principal Research Manager Andrew Paverd shares that the AI bug bar, the clear definition of what a bug means, is the critical first ingredient of any bug bounty program like Microsoft AI Bounty. The AI bug bar, reflected in the Microsoft Vulnerability Severity Classification for AI Systems, puts focus on high impact security issues within Microsoft Copilot. Learn more about the AI bug bar here: https://msft.it/6044lRzY8 The new bug bounty program, which launched in October 2023, is an area of vulnerability research that people from any background can get started in. Technical Program Manager Lynn Miyashita shares, “...there’s a number of different types of vulnerabilities that you can find in varying severity levels, and I think it opens up the door to anyone of any background being able to have the opportunity to go and start chatting with Copilot to see what they can find.” Andrew also further iterates that AI is just part of a bigger system, and that there's potential for finding vulnerabilities that span the traditional scope of a bug hunter and the scope of new vulnerabilities that may arise because of AI. Learn more about the Microsoft AI Bounty Program in this episode of the Microsoft Threat Intelligence Podcast with host Sherrod DeGrippo: https://msft.it/6042lRzY6 Also, specific details on the bounty program can be found here: https://msft.it/6045lRzYD
Here’s your guide to the extensive Microsoft threat intelligence research and AI-first end-to-end security expertise you can look forward to on the main stage, briefings, and theater sessions at the Microsoft booth at Black Hat USA 2024: https://msft.it/6040luRhg Ann Johnson, CVP and Deputy CISO, will take the stage with Sherrod DeGrippo to share threat intelligence insights and best practices from the Office of the CISO. Microsoft will also be part of the AI Summit as we participate in the Balancing Security and Innovation - Risks and Rewards in AI-Driven Cybersecurity panel. Threat analysts, researchers, and security leaders will be at Microsoft booth #1240 to connect and share insights. Get live demos of Copilot for Security and other solutions. Schedule an in-person meeting with Microsoft Security leaders and experts focused on your topic of interest. https://msft.it/6041luRh9 Reserve your spot at the Microsoft Security VIP Mixer, co-hosted by Ann Johnson and Aarti Borkar, to connect and network with fellow industry experts: https://msft.it/6042luRhi
We're in our #BlueHat era. Join us on October 29th-30th in Redmond, WA for two days packed with learning, networking, and fun. Will we see you there?
In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns. Octo Tempest is known for sophisticated social engineering techniques, identity compromise and persistence, focus on targeting VMWare ESXi servers, and deployment of BlackCat ransomware. RansomHub is a ransomware as a service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware (like BlackCat), making it one of the most widespread ransomware families today. Notably, RansomHub was observed in post-compromise activity by Manatee Tempest following initial access by Mustard Tempest via FakeUpdates/Socgholish infections. In addition to RansomHub and Qilin, other notable ransomware families in this period include BlackSuit, LockBit, Medusa, Black Basta, and Play. Several new ransomware families emerged this quarter. Fog, which uses the .flocked extension, was first observed in May in campaigns by Storm-0844, a threat actor known for distributing Akira. To deploy Fog, Storm-0844 uses VPN clients to gain initial access, likely via valid accounts. They use open-source tools like ADFind, Rubeus, and Advanced IP Scanner for network discovery and lateral movement. They also use rclone for staging files to be exfiltrated. By June, Storm-0844 was deploying Fog in more campaigns than Akira. FakePenny is another new ransomware family we uncovered during this period. In April, we observed North Korean threat actor Moonstone Sleet (formerly Storm-1789) deploying FakePenny, part of a wide-ranging tradecraft that also includes a malicious tank game: https://msft.it/6046lOdRi Threat actors like Octo Tempest focus on identity compromise in their intrusions to access and persist in on-premises and cloud environments for data exfiltration and ransomware deployment. This quarter, Storm-0501 was observed adopting similar tactics, utilizing open-source toolkits like AADInternals for domain federations and other techniques to facilitate latter stages of attacks, which culminate in the deployment of Embargo ransomware. Threat actors also continue to leverage remote management and monitoring tools in ransomware campaigns. In May, we published research on Storm-1811 misusing Quick Assist in social engineering attacks, which were followed by delivery of various malicious tools, leading to Black Basta deployment: https://msft.it/6047lOdRc Users and organizations are advised to follow security best practices, especially credential hygiene, principle of least privilege, and Zero Trust. We publish reports on ransomware threat actors and associated activity in Microsoft Defender Threat Intelligence and Microsoft Defender XDR threat analytics. For more information and guidance, visit https://msft.it/6048lOdRY
Microsoft has announced the general availability of the Microsoft Entra Suite and the general availability of Microsoft Sentinel within the Microsoft unified security operations platform, providing new capabilities that can further simplify the implementation of a Zero Trust architecture across the full lifecycle from prevention to detection and response. https://msft.it/6044lzQeM The Microsoft Entra Suite unifies identity and network access security, and provides everything needed to verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources. https://msft.it/6045lzQe3 Microsoft Sentinel capabilities within the Microsoft unified security operations platform help bring together all the security signals the environment generates, then normalizes, analyzes, and uses them to proactively defend against cyberthreats. https://msft.it/6046lzQeO
The July 2024 security updates are available:
Security updates for July 2024 are now available. Details are available here: https://msft.it/60119yPTS #PatchTuesday #SecurityUpdateGuide
In this episode of The Microsoft Threat Intelligence podcast, top experts from different areas in cybersecurity share their experiences pushing for security at various levels and their insights on the impact of AI to cybersecurity This series of discussions, recorded live at RSA Conference 2024, features discussions on the process of securing the Windows platform, the power grid, as well as the unique challenges faced by specific industries such as education in cybersecurity. The experts also talk about the importance of integration in dealing with cyberthreats, such as considering product functionality when building cybersecurity measures, as well as including threat intelligence related to cybercrime entities into attack frameworks such as MITRE. Listen to the full episode, hosted by Sherrod DeGrippo, here: https://msft.it/6040lHNSm
Microsoft Threat Intelligence reposted this
Meet the experts—Microsoft Threat Intelligence analysts Alison Ali, Waymon Ho, and Emiel Haeghebaert—charged with tracking Storm-0539, a Morocco-based threat actor specializing in payment card theft and gift card fraud. Details at: https://msft.it/6041l8GYx
Microsoft researchers discovered two vulnerabilities in Rockwell Automation’s PanelView Plus that could be remotely exploited by attackers to allow remote code execution (RCE) and denial of service (DoS). PanelView Plus devices are graphic terminals, also known as human machine interface (HMI), used in the industrial sector. Both vulnerabilities are related to custom classes in PanelView Plus. The RCE vulnerability involves two custom classes that could be used to upload and load a malicious DLL into the device. The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS. Microsoft reported these findings to Rockwell Automation in May and July 2023, and Rockwell Automation published security patches to address the vulnerabilities in September and October 2023. We’re sharing our research to help developers, vendors, and the industry in general to avoid or detect similar issues in their systems. Read our latest blog to get our analysis of the vulnerabilities, as well as mitigation and protection guidance for defenders: https://msft.it/6046l8Ufn