Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft. Show all posts
Microsoft
antivirus software Antivirus System CrowdStrike CrowdStrike outage Cyber Outage Cyber Security Microsoft

How an IT Team Used Windows 3.1 to Mitigate a Massive CrowdStrike Outage

 

In an unprecedented event, a single update from anti-virus company CrowdStrike caused global havoc, affecting millions of Windows computers. This incident, described as the largest outage ever, disrupted numerous services and companies worldwide. As reports of the “Blue Screen of Death” (BSOD) flooded in, Microsoft was quick to clarify that this was a “third-party issue,” placing the blame squarely on CrowdStrike’s update to its Falcon virus scanner. 

The repercussions of this update were immediate and far-reaching. Millions of computers running Windows software experienced critical failures, bringing operations to a halt. Apple and Linux users were unaffected, which only highlighted the extent of the disruption within the Windows ecosystem. CrowdStrike’s response included a fix for the issue, but this solution required manual reboots in safe mode for affected machines. This task was easier said than done, especially for organizations with numerous devices, many of which were not easily accessible. 

Interestingly, an IT team found an unconventional solution to the problem. By leveraging the long-outdated Windows 3.1 operating system, they managed to navigate the crisis effectively. The story of this team’s ingenuity quickly became a focal point amid the chaos. Their ability to use such an old operating system to circumvent the issues posed by the update provided a glimmer of hope and a unique narrative twist to the otherwise grim situation. The CrowdStrike incident underscores the vulnerability of our modern, interconnected systems. 

With so much reliance on digital infrastructure, a single flawed update can ripple outwards, causing substantial disruption. It also serves as a poignant reminder of the resilience and resourcefulness often required in IT management. While it might seem archaic, the use of Windows 3.1 in this scenario was a testament to the enduring utility of older technologies, particularly in crisis situations where conventional solutions fail.  
CrowdStrike’s official statement, which notably lacked an apology, fueled frustration among users. However, CEO George Kurtz later expressed deep regret for the impact caused, acknowledging the disruption to customers, travelers, and affected companies. This incident has inevitably led to questions about the robustness of update deployment processes, especially given the scale of this outage. The timing of the update also came under scrutiny. 

As one computer scientist noted, pushing an update on a Friday is risky. Fewer staff are typically available over the weekend to address potential issues, leading to prolonged resolution times. Many large firms, therefore, prefer to schedule updates mid-week to mitigate such risks. For those impacted, CrowdStrike provided detailed instructions on its support website for fixing the issue. 
Organizations with dedicated IT teams coordinated widespread responses to manage the situation effectively. Unlike typical outages that might resolve themselves quickly, this event required significant manual intervention, highlighting the critical importance of preparedness and robust contingency planning. In conclusion, the CrowdStrike update debacle not only disrupted global operations but also showcased the adaptability and ingenuity of IT professionals. It reinforced the critical need for careful planning and the sometimes surprising utility of legacy systems in modern IT environments. 

As the world recovers from this incident, it serves as a stark reminder of our dependence on digital tools and the importance of rigorous update management.
Read more »
Virus Attack
Antivirus Crowdsource Security CrowdStrike Cyber Security data security Microsoft Virus Attack

Global Outage Caused by Anti-Virus Update from Crowdstrike

 

A recent update from the anti-virus firm Crowdstrike has led to a global outage affecting millions of Windows users. The incident is being termed one of the most extensive outages ever, impacting numerous services and companies worldwide. Crowdstrike, a company many may not have heard of before, inadvertently caused this disruption with a problematic update to its Falcon virus scanner. The update led to widespread reports of the infamous Blue Screen of Death (BSOD) on computers running Windows. 

Microsoft quickly clarified that the issue was due to a third-party problem, absolving itself of direct responsibility. Users of Apple and Linux systems were unaffected, which brought some relief to those communities. Crowdstrike has since released a fix for the issue, but the recovery process remains cumbersome. IT professionals have noted that each affected machine requires a manual reboot in safe mode to restore normal operations. This task is complicated by the physical accessibility of the devices, making the resolution process even more challenging. There is currently no indication that the issue was caused by malicious intent or that any data has been compromised. 

Nonetheless, this incident highlights the crucial importance of staying updated with software patches, albeit with a note of caution. The cybersecurity community continues to stress the necessity of regular updates while acknowledging the occasional risks involved. Crowdstrike’s initial response fell short of an apology, which drew significant criticism online. However, CEO George Kurtz later issued a public apology via NBC News, expressing deep regret for the disruption caused to customers, travelers, and affected companies. This gesture, while somewhat late, was an important step in addressing the public’s concerns. This episode serves as a stark reminder of our heavy reliance on remotely managed devices and the vulnerability that comes with it. 

Despite robust systems in place to catch most issues, some problems, like this one, slip through the cracks. The timing of the update, which was pushed out on a Friday, compounded the difficulties, as fewer staff are typically available over the weekend to address such crises. For Crowdstrike customers, detailed instructions for the fix are available on the company’s support website. Many companies with dedicated IT teams are likely coordinating their responses to ensure a swift resolution. 

Unlike many outages that resolve themselves quickly, this incident will take days, if not longer, to fully mend, illustrating the significant impact of a single flawed update in our interconnected digital world.
Read more »
Ransomware
Malware. Scattered Spider Microsoft Qilin Ransomware

How Microsoft Connected Scattered Spider to Qilin Ransomware

How Microsoft Connected Scattered Spider to Qilin Ransomware

The Rising Threat of Scattered Spider and Qilin Ransomware

One of the latest and most concerning developments is the link between the notorious Scattered Spider cybercrime gang and the Qilin ransomware attacks. This connection, recently highlighted by Microsoft, underscores the growing sophistication and danger posed by these cyber criminals.

Who is Scattered Spider?

Scattered Spider, also known as Octo Tempest, is a cybercrime group that has been active in various malicious activities. They are known for their advanced tactics and persistent efforts to breach security defenses. Their operations have been marked by a high degree of organization and technical prowess, making them a formidable adversary in the cybersecurity world.

“In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns,“ said Microsoft.

The Qilin Ransomware

Qilin ransomware is a relatively new addition to the arsenal of cyber threats. Ransomware, in general, is a type of malicious software designed to block access to a computer system or data until a ransom is paid. 

Qilin ransomware follows this pattern but has enhanced capabilities, making it particularly dangerous. It encrypts files on the victim’s system, rendering them inaccessible, and demands a ransom for the decryption key.

The Connection

Microsoft’s recent findings have linked Scattered Spider to the deployment of Qilin ransomware in their attacks. This connection is significant for several reasons. Firstly, it indicates that Scattered Spider continuously evolves its tactics and tools to stay ahead of cybersecurity defenses. By incorporating Qilin ransomware into their operations, they have added a potent weapon to their formidable arsenal.

Secondly, this link highlights the increasing collaboration and resource-sharing among cybercriminal groups. The use of Qilin ransomware by Scattered Spider suggests that these groups are not working in isolation but are instead leveraging each other’s tools and techniques to maximize their impact.

The Impact

The impact of these attacks can be devastating. Ransomware attacks, in general, can lead to significant financial losses, operational disruptions, and reputational damage for the affected organizations. The involvement of a sophisticated group like Scattered Spider only amplifies these risks. 

Their ability to breach security defenses and deploy advanced ransomware like Qilin means that no organization is safe from their reach.

Read more »
Privacy
Adobe AI Models Artifcial Intelligence data security Meta Microsoft Privacy

Tech Giants Face Backlash Over AI Privacy Concerns






Microsoft recently faced material backlash over its new AI tool, Recall, leading to a delayed release. Recall, introduced last month as a feature of Microsoft's new AI companion, captures screen images every few seconds to create a searchable library. This includes sensitive information like passwords and private conversations. The tool's release was postponed indefinitely after criticism from data privacy experts, including the UK's Information Commissioner's Office (ICO).

In response, Microsoft announced changes to Recall. Initially planned for a broad release on June 18, 2024, it will first be available to Windows Insider Program users. The company assured that Recall would be turned off by default and emphasised its commitment to privacy and security. Despite these assurances, Microsoft declined to comment on claims that the tool posed a security risk.

Recall was showcased during Microsoft's developer conference, with Yusuf Mehdi, Corporate Vice President, highlighting its ability to access virtually anything on a user's PC. Following its debut, the ICO vowed to investigate privacy concerns. On June 13, Microsoft announced updates to Recall, reinforcing its "commitment to responsible AI" and privacy principles.

Adobe Overhauls Terms of Service 

Adobe faced a wave of criticism after updating its terms of service, which many users interpreted as allowing the company to use their work for AI training without proper consent. Users were required to agree to a clause granting Adobe a broad licence over their content, leading to suspicions that Adobe was using this content to train generative AI models like Firefly.

Adobe officials, including President David Wadhwani and Chief Trust Officer Dana Rao, denied these claims and clarified that the terms were misinterpreted. They reassured users that their content would not be used for AI training without explicit permission, except for submissions to the Adobe Stock marketplace. The company acknowledged the need for clearer communication and has since updated its terms to explicitly state these protections.

The controversy began with Firefly's release in March 2023, when artists noticed AI-generated imagery mimicking their styles. Users like YouTuber Sasha Yanshin cancelled their Adobe subscriptions in protest. Adobe's Chief Product Officer, Scott Belsky, admitted the wording was unclear and emphasised the importance of trust and transparency.

Meta Faces Scrutiny Over AI Training Practices

Meta, the parent company of Facebook and Instagram, has also been criticised for using user data to train its AI tools. Concerns were raised when Martin Keary, Vice President of Product Design at Muse Group, revealed that Meta planned to use public content from social media for AI training.

Meta responded by assuring users that it only used public content and did not access private messages or information from users under 18. An opt-out form was introduced for EU users, but U.S. users have limited options due to the lack of national privacy laws. Meta emphasised that its latest AI model, Llama 2, was not trained on user data, but users remain concerned about their privacy.

Suspicion arose in May 2023, with users questioning Meta's security policy changes. Meta's official statement to European users clarified its practices, but the opt-out form, available under Privacy Policy settings, remains a complex process. The company can only address user requests if they demonstrate that the AI "has knowledge" of them.

The recent actions by Microsoft, Adobe, and Meta highlight the growing tensions between tech giants and their users over data privacy and AI development. As these companies navigate user concerns and regulatory scrutiny, the debate over how AI tools should handle personal data continues to intensify. The tech industry's future will heavily depend on balancing innovation with ethical considerations and user trust.


Read more »
Windows
CISA Cyberattacks Cybercirme Cyberhackers CyberThreat HHS Microsoft Vulnerabilities and Exploits Windows

Microsoft Announces New Deadlines for Windows Updates

 


A July 4 deadline for Windows users who have not updated their systems is fast approaching. It was only two weeks ago that a two-week-old security vulnerability found in Windows was found to have been reactivated. Despite Microsoft's claim that CVE-2024-26169 is not exploitable, Symantec's security researchers believe otherwise, finding “some evidence” that attackers might have prepared an exploit for the CVE-2024-26169 vulnerability before patching the vulnerability. 

As of last month, several U.S. government agencies – including CISA and the FBI – have collaborated on a Cybersecurity Alert which warns that “Black Basta affiliates have compromised a wide range of critical infrastructure, businesses, and industries throughout North America, Europe and Australia.” There are over 500 organizations in the world that have been affected by Black Basta affiliates in the year 2024. 

Several organizations have released the joint CSA, including the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), to provide information regarding the Black Basta attacks, which are referred to hereafter as the authoring organizations. A variant of ransomware known as Black Basta has encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) sector. 

The FBI has conducted investigations into Black Basta and third parties have reported on these TTPs and IOCs. This is a ransomware-as-a-service variant that was first detected in April 2022 and is considered a ransomware-as-a-service (RaaS) variant. It is believed that the Black Basta ransomware will have affected more than 500 organizations globally by May 2024, affecting a wide range of businesses in North America, Europe, and Australia as well as critical infrastructures. 

Black Basta is a Russian-linked ransomware that originated in early 2022. It was used to attack over 329 organizations around the world and has grown to become one of the fourth most active strains of ransomware based on the number of victims. According to the group, they are using double-extortion tactics to extort victims by threatening to publish stolen data unless the victim is willing to pay a ransom. Several researchers have suggested that BlackBasta may have originated as a part of Conti Group, a ransomware gang that has been in operation for quite some time now. 

It has been revealed through the leak of Conti’s online chats that the group had ties to the Russian government and that it supported the invasion of Ukraine. The group ended in May 2022, but its online chats were leaking this information. Affiliates of Black Basta use common methods for gaining access to a system such as phishing emails and exploiting known vulnerabilities then use a double extortion technique to gain access to the system as well as steal data. There are two types of ransom notes: those which include instructions as to how to pay as well as those which do not.

The ransomware group instead gives victims a one-time use private code and instructs them to contact the group via a website that is only accessible through the Tor browser, a URL that contains a .onion extension. According to the majority of ransom notes, victims are usually given between 10 and 12 days before becoming subject to the publication of their data on the Basta News website, which the Black Basta ransomware group runs. Black Basta attacks businesses in a range of different industries, affecting the construction industry (10% of victims), the legal sector (4%) and the real estate sector (3%). This group of ransomware is known as Black Basta and its victimology is very similar to that of the Conti ransomware group.

Both groups have a shared appetite for many of the same industries as Black Basta. Among the victims of Black Basta, 61% are from organizations that are based in the United States, followed by 15% from the German authorities. There are several high-profile victims of Black Basta, which include Capita, a software services company with billions of dollars worth of UK government contracts, and ABB, a company that has more than US$29 billion in revenue. The information regarding whether or not a ransom was paid by either company has not been publicized.

The healthcare industry is an attractive target for cybercriminals due to the size of the organization, the technological dependence, the access to medical information and the unique impact of disruptions to patient care. There are several ways in which a member of the Black Basta organization will gain access to a system, and these methods include phishing emails, exploiting known vulnerabilities, and then using double extortion techniques to gain access to the system as well as stealing data. A ransom note can be divided into two types: those that provide instructions on how to pay the ransom, and those which do not provide instructions. 

As an alternative to encrypting the victims' files, the ransomware group comprises a group of individuals that give victims an individual one-use private code in addition to instructing them to contact the group via a website only accessible by Tor browsers, one that contains a .onion extension on the URL. There is usually between 10 and 12 days of grace allowed to victims according to ransom notes that are generally released by the Black Basta malware group before their data is exposed on Basta News, which is a website that publishes data from the victims. 

It is not uncommon for Black Basta to attack businesses across a wide range of different industries, with 10 per cent of victims coming from the construction industry, 4 per cent from the legal sector, and 3 per cent from the real estate industry. It seems that the Black Basta ransomware group, which has a victimology very similar to that of the Conti ransomware group, has been seen to distribute a similar type of ransomware. There is a clear affinity between the two groups when it comes to several of the same industries as Black Basta.

Black Basta has been responsible for the murder of 61% of American victims, followed by 16% of German victims, and the vast majority of victims belong to organizations based in the United States and Europe. The Black Basta scam has claimed the lives of several high-profile companies, including Capita, a software company with billions of dollars worth of contracts with the British government, and ABB, a company with one of the world's largest revenue bases within the US$29 billion range. Neither company has provided any information regarding a ransom payment that has been made by one of the companies, which is of concern. 

The healthcare industry represents an appealing target for cybercriminals due to several critical factors. Firstly, the sheer size and scale of healthcare organizations make them lucrative targets. Additionally, their substantial reliance on advanced technology heightens vulnerability to cyberattacks. Furthermore, these organizations possess extensive repositories of sensitive medical information, making them particularly attractive to malicious actors. The potential disruptions to patient care resulting from cyber incidents also underscore the unique and profound impact of such breaches within the healthcare sector.
Read more »
Sp1d3r
Cyber Attacks CyberCrime Cybersecurity CyberThreat Data hack Data Safety Food Giand Microsoft Sp1d3r

Fast Food Giant Jollibee Suffers Major Cyberattack, 32 Million Affected

 


Jollibee Foods Corp., a fast-food company specializing in Filipino fare, is investigating a report of a data breach in its delivery service system, adding its name to a growing list of companies which have been targeted by hackers in recent years. Earlier today, Jollibee sent us a statement informing us that “a cybersecurity incident” had reportedly affected the company, “along with other companies.” 

The company stated in the statement that they had addressed the incident. A massive data breach has allegedly taken place at the Philippine fast-food chain, Jollibee. On June 20, 2024, an actor claimed responsibility for breaching the systems of Jollibee Foods Corporation, causing the Jollibee cyberattack to become known. Known as "Sp1d3r", the notorious attacker claimed that he was able to obtain the sensitive data of 32 million customers of a fast food chain and offered to sell the database for $40,000. 

An archive that was sold by an actor under the alias "Sp1d3r" has been found on Deep Web Konek. According to the archive, the data contains sensitive information on 32 million Jollibee customers, including their full names, mailing addresses, phone numbers, and e-mail addresses, among other things. A cybercriminal account known as “Sp1d3r” was posted on the BreachForums network on June 1, 2012, claiming that they had stolen the sensitive personal data of over 190 million people from QuoteWizard. 

According to the alleged database, the data included customer details, partial credit card numbers insurance quotes, and other personal information. The same threat actor also affected Advance Auto Parts, Inc., another American automobile aftermarket component supplier. Using the name Sp1d3r, the attacker claimed that three terabytes of customer information were stolen from Snowflake, a cloud storage service that the company used, and then sold it for $15 million to the company. 

Moreover, Sp1d3r is selling “extensive records” of food delivery orders, sales transactions, and service details, as indicated in its report. According to the company, the cyberattack may result in damages of up to $3 million. According to the company's response, it is currently actively investigating the incident, and response protocols have been deployed. However, they did not confirm the breach or the theft of data, nor did they deny it. Several big companies in the Philippines have been breached, including Maxicare, Jollibee Foods Corporation, and the Maritime Industry Authority (Marina), which exposed the personal information of their customers in an attempt to evade taxes. 

A data breach at Maxcare on June 19, which exposed the personal information of 13,000 members of the company, less than one per cent of its entire membership base, was confirmed by the company on June 19. As stated on its website, the firm consists of 20,000 physicians and specialists who are attached to over 1,300 hospitals, clinics, dental clinics, 140 rehabilitation centres, dialysis centres, and eye clinics, which serve as a platform for research. 

In the last few months, the company has grown to include over 1.8 million members across the country, from the corporate sector to small and medium-sized companies to the individual and family segments. It is believed that the exposed records belong to those who utilized Lab@Home, a third-party booking platform for home care providers. According to the threat actor, he had carried out a cyberattack and obtained access to 32 million customer information, such as names, addresses, phone numbers, emails, and hashed passwords, in a cyberattack. 

In addition, the hacker is also suspected of exfiltrating 600 million rows of data related to food delivery, sales orders, transactions, customer details, and other details regarding service providers. There is evidence supporting these claims provided in the TA through a sample of the data formatted in tabular format, which can be opened up using spreadsheet applications such as Microsoft Excel or Google Sheets. Although there are still a lot of questions surrounding the exact details of the alleged data breach, it is evident that the potential consequences of this breach are grave. 

Also, Deep Web Konek made known information regarding a data breach that allegedly occurred at the Philippines’ largest fast food chain, Jollibee Foods Corporation, and was disclosed by the group. A certain amount of data including the names and addresses of 32 million customers as well as 650 million records related to Jollibee's food delivery operations could have been exposed, according to the group. Among the data that has been compromised is reportedly sensitive information such as name, address, phone number, and e-mail address of the customers, along with hashed passwords. In addition, a vast number of records were exposed regarding delivery orders for food, transactions for sales and details concerning services. 

A report from the Cyber Security Information and Analysis Group said that the exposed data spans multiple tables, indicating a comprehensive and deep breach of Jollibee's systems. It has not been announced what the consequences of the breach will be Jollibee yet. The maritime industry authority of the Philippines reported on June 16 that, as a result of an attack and compromise of four of its web-based systems, the authority has been compromised. 

As a result, Marina said that it immediately dispatched officials and employees to its centre to put in place measures to ensure that the integrity of the system is maintained and protected. There is no doubt that Jollibee is investigating the claims made by "Sp1d3r". However, the threat actor has been implicated in several recent data breaches, including attacks on several customers of Snowflake, which is one of the most popular cloud data storage vendors. 

Jollibee's cyber attack is a stark reminder of the vulnerability of the digital world, where even the most successful and established businesses are susceptible to cyberattacks from notorious hackers, who may even become the perpetrators themselves. Customers must remain vigilant and follow any further guidance provided by Jollibee and cybersecurity experts as this may lead to further security breaches.
Read more »
Oyster Backdoor
data security Google malware Microsoft Oyster Backdoor

When Legit Downloads Go Rogue: The Oyster Backdoor Story

When Legit Downloads Go Rogue: The Oyster Backdoor Story

Researchers from Rapid7 recently uncovered a sophisticated malvertising campaign that exploits unsuspecting users searching for popular software downloads. This campaign specifically targets users seeking legitimate applications like Google Chrome and Microsoft Teams, leveraging fake software installers to distribute the Oyster backdoor, also known as Broomstick.

“Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software,” said the report.

How the Malvertising Campaign Works

The modus operandi of this campaign involves luring users to malicious websites. The threat actors create typo-squatted sites that closely mimic legitimate platforms. For instance, users searching for Microsoft Teams might inadvertently land on a fake Microsoft Teams download page. These malicious websites host supposed software installers, enticing users to download and install the application.

Fake Installers

However, the catch lies in the content of these fake installers. When users download them, they unknowingly execute the Oyster backdoor. This stealthy piece of malware allows attackers to gain unauthorized access to compromised systems. 

Once the backdoor is in place, attackers can engage in hands-on keyboard activity, directly interacting with the compromised system. Furthermore, the Oyster backdoor can deploy additional payloads after execution, potentially leading to further compromise or data exfiltration.

Impact and Mitigation

The impact on users who fall victim to this malvertising campaign can be severe. They inadvertently install the Oyster backdoor on their systems, providing attackers with a foothold. From there, attackers can escalate privileges, steal sensitive information, or launch other attacks.

To reduce such risks, users should remain vigilant:

  • Verify Sources: Always verify the legitimacy of software sources before downloading. Avoid third-party download sites and opt for official websites or trusted app stores.
  • Security Software: Regularly update and use security software to detect and prevent malware infections.
  • User Education: Educate users about the risks of malvertising and emphasize safe browsing practices.

Read more »
Windows Hello
AI technology Copilot Cyber Security data security Edge Browser Microsoft Microsoft Copilot Privacy Concerns Windows 11 Recall Windows Hello

Microsoft Revises AI Feature After Privacy Concerns

 

Microsoft is making changes to a controversial feature announced for its new range of AI-powered PCs after it was flagged as a potential "privacy nightmare." The "Recall" feature for Copilot+ was initially introduced as a way to enhance user experience by capturing and storing screenshots of desktop activity. However, following concerns that hackers could misuse this tool and its saved screenshots, Microsoft has decided to make the feature opt-in. 

"We have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards," said Pavan Davuluri, corporate vice president of Windows and Devices, in a blog post on Friday. The company is banking on artificial intelligence (AI) to drive demand for its devices. Executive vice president Yusuf Medhi, during the event's keynote speech, likened the feature to having photographic memory, saying it used AI "to make it possible to access virtually anything you have ever seen on your PC." 

The feature can search through a user's past activity, including files, photos, emails, and browsing history. While many devices offer similar functionalities, Recall's unique aspect was its ability to take screenshots every few seconds and search these too. Microsoft claimed it "built privacy into Recall’s design" from the beginning, allowing users control over what was captured—such as opting out of capturing certain websites or not capturing private browsing on Microsoft’s browser, Edge. Despite these assurances, the company has now adjusted the feature to address privacy concerns. 

Changes will include making Recall an opt-in feature during the PC setup process, meaning it will be turned off by default. Users will also need to use Windows' "Hello" authentication process to enable the tool, ensuring that only authorized individuals can view or search their timeline of saved activity. Additionally, "proof of presence" will be required to access or search through the saved activity in Recall. These updates are set to be implemented before the launch of Copilot+ PCs on June 18. The adjustments aim to provide users with a clearer choice and enhanced control over their data, addressing the potential privacy risks associated with the feature. 

Microsoft's decision to revise the Recall feature underscores the importance of user feedback and the company's commitment to privacy and security. By making Recall opt-in and incorporating robust authentication measures, Microsoft seeks to balance innovation with the protection of user data, ensuring that AI enhancements do not compromise privacy. As AI continues to evolve, these safeguards are crucial in maintaining user trust and mitigating the risks associated with advanced data collection technologies.
Read more »
Microsoft
Azure Data Breach data scam Data Theft Microsoft

Security researcher says Azure Tags are security threat but Microsoft disagrees

 

Tenable recently identified a notable security issue within Microsoft's Azure Network service tags. While Tenable classified this as a high-severity vulnerability, Microsoft disagreed with this classification. Despite their differences, both companies jointly disclosed the security issue on Monday. 

What is Azure? 

Azure is Microsoft's comprehensive public cloud platform, offering over 200 services. These include Platform as a Service (PaaS) for application development and operation, Infrastructure as a Service (IaaS) for virtual machines, networking, and storage, and Managed Database Services for simplified database management. Azure supports developers, IT professionals, and business owners, providing the tools to build, run, and manage applications across multiple environments, including on-premises and edge locations. This flexibility and scalability make Azure adaptable to a wide range of organizational needs. 

What is the Issue?

Azure service tags represent groups of IP addresses for various Azure services, streamlining the creation of access control rules. These tags can be used in firewall settings to permit traffic from specific Azure services. However, Tenable uncovered a serious flaw: attackers could potentially bypass firewall rules that rely exclusively on service tags by masquerading as trusted services. 

Specific Vulnerability Scenario 

The vulnerability arises under the following conditions: Inbound traffic is permitted through a service tag. Services allowing inbound traffic might let users control parts of web requests, such as the URL path or destination host. An attacker in one tenant (Tenant A) could exploit this to access resources in another tenant (Tenant B) if the target allows traffic from the service tag and lacks additional authentication methods. For example, Azure Monitor Availability Tests use the ApplicationInsightsAvailability service tag for synthetic monitoring. A malicious user could exploit this setup to access endpoints in a different subscription. 

What Customer Should do? 

Reviewing and Strengthening Security Posture Azure customers using service tags should reevaluate their network settings: Recognize that relying solely on service tags does not fully secure traffic. Implement additional authentication and authorization checks for enhanced security. Ensure appropriate security measures are in place to safeguard traffic between Azure tenants. Refer to Microsoft's updated best practices for service tags and specific service guidelines. Adhere to Azure security fundamentals to secure your Azure platform and infrastructure. Enable and configure suitable monitoring controls in Azure Monitor. Example Mitigation Strategy To protect against unauthorized traffic via the ApplicationInsightsAvailability service tag, customers can create a token and include it as an HTTP header in availability tests. Validate this HTTP header in incoming requests to authenticate traffic origins, rejecting any requests missing the custom header. 

Microsoft’s Response and Mitigation Following Tenable's report, 

Conducted an extensive review and search for similar vulnerabilities. 

Updated documentation for Azure services utilizing inbound service tags. 

Released best practices for service tags to aid users in securing their environments more effectively. 

This collaborative disclosure by Tenable and Microsoft underscores the importance for Azure customers to regularly review and enhance their network security configurations. Service tags should be integrated into a comprehensive security strategy that includes robust authentication and monitoring practices.
Read more »
Window Security
AI Cyber Security Cyberattacks CyberCrime CyberThreat Microsoft Window Security

Windows AI’s Screenshot Feature Labeled a ‘Disaster’ for Security

 


In the last few months, Microsoft has been touting AI PCs. Additionally, Microsoft recently released a new feature for Windows 11 called "Recall" that is capable of taking a screenshot of everything users do and making all their actions searchable. Additionally, the company claimed that Copilot and Recall activity data would not be remotely accessible by threat actors. 

However, a security researcher by the name of Kevin Beaumont claims that the data is stored in a simple SQLite database that is stored in plain text. Windows's recall feature, which is currently in preview, captures a screen snapshot every few seconds and stores it locally. Even though it is intended to provide users with an easy way to search for and revisit past activities, there are serious security and privacy concerns surrounding the feature. 

As a result of this feature, which tracks every activity on a Windows computer to help users find things easily in the future using natural language, Microsoft is being called a hackable security catastrophe. An individual who is a white-hat hacker has already developed a tool that is capable of extracting sensitive data from Recall.

The tool is called TotalRecall, and it is available on GitHub right now. Recall uses local artificial intelligence models to capture everything users do and see on their computer, and then they can search for and retrieve anything they want in seconds, even if it is in a different place on their computer. Users can even navigate through a timeline that they can explore. 

In Recall, everything is kept private and local on the device, so no data is used to train Microsoft's artificial intelligence models. It has been revealed by cybersecurity expert Kevin Beaumont that Microsoft's Recall AI-powered feature has some potential security flaws, even though Microsoft has claimed that it will be a secure and encrypted experience. As Beaumont, who previously worked for Microsoft in 2020, has been testing out the Recall feature for the past week, he has learned that the data is stored as plain text in a database. 

If that were the case, someone could easily exploit malware to extract the database and its contents with the help of an attacker. A plain text database was shared by Beaumont as an example of how Recall activity cannot be exfiltrated remotely by a hacker. Beaumont said he was annoyed that Microsoft informed media outlets that this couldn't happen. 

There is a fear that Recall makes it easier for malware and attackers to steal information from a user's PC, as the database is stored locally on the user's computer, but it is accessible from their AppData folder if a user is an admin. Currently, InfoStealer trojans exist in the market to steal credentials and information from a PC. These types of malware are being distributed by hackers to steal and sell personal details about individuals. 

As a result of the Recall, threat actors are now able to produce automatic scrapes within seconds of every webpage a user has ever visited, says Beaumont. Using the information he has obtained from his Recall database, Beaumont has implemented many new features, such as uploading personal databases and searching them instantly. To give them time to do anything with the feature, I have intentionally withheld technical details until Microsoft ships the feature, he explains. 

It is currently being planned by Microsoft for Recall to be enabled by default on Copilot Plus computers shortly. The setup process of Windows 8 is reportedly being discussed by Microsoft to be changed. By uploading a database he created called Recall onto a website that allows users to upload databases and search through them, the security researcher demonstrated the same experience.  

As Microsoft is preparing for Windows 11 Recall to be enabled when setting up a Copilot Plus PC, it can pose a serious privacy concern for end users who are not aware of how it works in terms of how the service works. Microsoft is reported to be considering adding an option that will let users opt out of the feature during the setup phase, which will make it possible for users to opt-out, out instead of having to opt in to the feature. Besides security researchers, there has also been criticism of the feature by the UK Information Commissioner's Office, and the organization is planning to reach out to Microsoft to get further information.
Read more »
threat report
Cyber Crime Microsoft Moonstone North Korea threat report

Unmasking Moonstone Sleet: A Deep Dive into North Korea’s Latest Cyber Threat

Moonstone Sleet: A New North Korean Threat Actor

Moonstone Sleet: A New North Korean Threat Actor

Microsoft discovered a new North Korean threat actor, Moonstone Sleet (formerly Storm-1789), who targets companies with a combination of tried-and-true techniques used by other North Korean threat actors as well as unique attack methodologies for financial and cyber espionage purposes. 

Moonstone Sleet has been detected setting up phony firms and job chances to engage with potential targets, using trojanized copies of legitimate tools, developing a fully complete malicious game, and delivering a new unique ransomware.

About Moonstone Sleet 

Moonstone Sleet is a threat actor behind a series of malicious acts that Microsoft believes is North Korean state-aligned. It employs tried-and-true techniques other North Korean threat actors utilize and novel attack methodologies. 

When Microsoft first discovered Moonstone Sleet activity, the actor showed strong similarities to Diamond Sleet, reusing code from known Diamond Sleet malware such as Comebacker and employing well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. 

However, Moonstone Sleet swiftly adopted its own unique infrastructure and attacks. Microsoft has since observed Moonstone Sleet and Diamond Sleet operating concurrently, with Diamond Sleet continuing to use much of its well-known, established tradecraft.

Moonstone Sleet has a diverse collection of operations that serve its financial and cyberespionage goals. These include delivering proprietary ransomware, building a malicious game, establishing bogus firms, and employing IT personnel.

Why should organizations be concerned?

Moonstone Sleet’s emergence highlights the need for organizations to remain vigilant. Here’s why:

  • Financial Gain: Moonstone Sleet primarily targets financial institutions, seeking monetary gains through cybercrime. Their deceptive tactics make it challenging to detect their presence until it’s too late.
  • Cyberespionage: Beyond financial motives, Moonstone Sleet engages in cyber espionage. They aim to steal sensitive data, trade secrets, and intellectual property, posing a significant risk to organizations.
  • Overlapping TTPs: Moonstone Sleet’s TTPs overlap with other North Korean threat actors. Organizations must recognize these patterns and enhance their defenses accordingly.

Defending against Moonstone Sleet

  • User Awareness: Educate employees about the risks of downloading files from unverified sources. Encourage skepticism when encountering job offers or software downloads.
  • Network Segmentation: Implement network segmentation to limit lateral movement within the organization. Isolate critical systems from less secure areas.
  • Behavioral Analytics: Leverage behavioral analytics to detect unusual activity. Monitor for signs of trojanized tools or suspicious game downloads.
  • Threat Intelligence Sharing: Collaborate with industry peers and share threat intelligence. Stay informed about emerging threat actors and their TTPs.

Read more »
Sensitive Information
Cloud Cyber Attacks fake websites Financial Scam Financial Theft Gift Card Hacking Microsoft Moroccan Cybercrime Phishing Attack Sensitive Information

Moroccan Cybercrime Group Storm-0539 Exploits Gift Card Systems with Advanced Phishing Attacks

 

A Morocco-based cybercrime group, Storm-0539, is making headlines for its sophisticated email and SMS phishing attacks aimed at stealing and reselling gift cards. Microsoft's latest Cyber Signals report reveals that this group is responsible for significant financial theft, with some companies losing up to $100,000 daily. 

First identified by Microsoft in December 2023, Storm-0539, also known as Atlas Lion, has been active since late 2021. The group employs social engineering techniques to harvest victims' credentials through adversary-in-the-middle (AitM) phishing pages. They exploit this access to register their own devices, bypass authentication, and maintain persistent access to create fraudulent gift cards. 

The group's attack strategy includes gaining covert access to cloud environments for extensive reconnaissance, targeting large retailers, luxury brands, and fast-food chains. They aim to redeem and sell gift cards on black markets or use money mules to cash out. This marks an evolution from their previous tactics of stealing payment card data via malware on point-of-sale (PoS) devices. 

Microsoft noted a 30% increase in Storm-0539's activities between March and May 2024, emphasizing their deep understanding of cloud systems to manipulate gift card issuance processes. In addition to stealing login credentials, Storm-0539 targets secure shell (SSH) passwords and keys, which are either sold or used for further attacks. The group uses internal company mailing lists to send phishing emails, enhancing their credibility and sets up new phishing websites by exploiting free trial or student accounts on cloud platforms. 

The FBI has warned about Storm-0539's smishing attacks on retail gift card departments, using sophisticated phishing kits to bypass multi-factor authentication (MFA). The group's ability to adapt and pivot tactics after detection underscores their persistence and resourcefulness. Microsoft urges companies to monitor gift card portals closely and implement conditional access policies to strengthen security. They highlight the effectiveness of using additional identity-driven signals, such as IP address and device status, alongside MFA. 

Meanwhile, Enea researchers have identified broader criminal campaigns exploiting cloud storage services like Amazon S3 and Google Cloud Storage for SMS-based gift card scams. These scams use legitimate-looking URLs to bypass firewalls and redirect users to malicious websites that steal sensitive information. 

Storm-0539's operations exemplify the increasing sophistication of financially motivated cybercriminals, borrowing techniques from state-sponsored actors to remain undetected. As these threats evolve, robust cybersecurity measures and vigilant monitoring are crucial to protect sensitive information and financial assets.
Read more »
Moroccan Cybercrime
Cyber Crime Cyberattacks Cyberhacks Cyberscams CyberThreat Gift Card Microsoft Moroccan Cybercrime

Microsoft Uncovers Moroccan Cybercriminals Exploiting Gift Card Scams

 


An armed cybercriminal group working out of Morocco has been targeting major retailers for creating fake gift cards, infiltrating their systems to steal millions of dollars by using them as a source of revenue, according to a new report by Microsoft. It's not just any old gift card scam that's trying to get shoppers to buy fake gift cards. Its goal is to compromise the internal systems of large retailers, luxury brands, and fast-food chains to steal money. This group is dubbed "Atlas Lion" or "Storm-0539." 

Researchers at Microsoft have tracked the Moroccan group Storm-0539 since 2021, known as Atlas Lion, which specializes in the theft of gift cards. It has been estimated that this cybercriminal group has been active for more than a decade. They create fake charity websites to fool cloud companies into giving them access to their online computers free of charge. To avoid detection, they then trick employees at big US stores into giving them access to their gift card systems to steal gift cards without exceeding the limit. 

Once inside, they use their techniques to steal gift cards. Unlike most cybercriminals who launch a single attack and move on, Storm-0539 establishes a persistent presence within a compromised system, allowing them to repeatedly generate and cash out fraudulent gift cards. This tactic makes them especially dangerous, with Microsoft reporting a troubling 30% increase in their activity leading up to the Memorial Day holiday compared to the previous two months. 

It has always been a common practice for cybercriminals to target gift cards since they are typically unlinked to a specific account, making it difficult for them to be traced. Storm-0539 has taken it to the next level. Cybercriminals have long been drawn to gift cards because they usually are not linked to specific accounts or customers, which makes their use more difficult to scrutinize. It is common for gift card scams to increase during holiday periods such as Christmas and Labor Day because they are usually associated with different companies or customers. 

In the days leading up to Memorial Day, Microsoft revealed that Storm-0539 had conducted a 30% increase in activity compared to the last two months when compared to the previous two months. During this period, Microsoft has been tracking Storm-0539 since late 2021. The group has developed from using malware on retail cash registers and kiosks for stealing payment card information to using malware for stealing payment information from the cards. 

Their strategy changed as technology advanced, and they began targeting cloud services and card systems for large retailers, luxury brands, and fast-food chains. Indeed, fraudsters sometimes ask victims to use gift card codes as payment to avoid tracing them. In this case, however, the hackers have gone to the source and printed gift card codes worth thousands of dollars. When that is done, the hackers will then redeem the gift cards for their value, sell them to others, or cash them out using money mules. 

Storm-0539, also known as Atlas Lion, has been active since at least late 2021 and focuses its activities on cybercrime, such as breaking into payment card accounts. But in recent months, Microsoft has also observed the group compromising gift card code systems, particularly before major holiday seasons.  It is reported that Microsoft observed a 30% increase in intrusion activity from Storm-0539 between March and May 2024, before the summer vacation season. It has been observed that an increase of 60% in attack activity between the fall and winter holidays in 2023, coincided with an increase in attack activity between September and December. 

As part of the attack, the hackers often infiltrate corporations by sending phishing emails to employees' inboxes and phones to trick them into providing the hijackers with access to their accounts when they are not supposed to. A hacker attempts to identify a specific gift card business process that is associated with compromised employee accounts within a targeted organization by moving sideways through the network until they find compromised accounts that are linked to that specific portfolio," Microsoft explains. In his research, Jakkal observed that Storm-0539 has evolved to be adept at resetting the process of issuing gift cards to organizations and granting access to employees before compromising their account accesses. 

Taking the form of legitimate organizations, Storm-0539 adopts the guise of non-profit organizations as part of its ongoing effort to remain undetected by cloud providers. According to Jakkal, "They often exploit unsuspecting victims by creating convincing websites using misleading "typosquatting" domain names that are only a few characters different from legitimate websites to lure them into paying for them, showing their cunning and resourcefulness," he explained.  According to Microsoft, the hackers have recovered legitimate copies of 501(c)(3) letters from nonprofit organizations' public websites, and they are using these to gain access to discounted cloud services from cloud service providers by downloading them. 

After they have gained access to login information by phishing and smishing emails, they register their devices into a victim's network and proceed to bypass the two-factor authentication by registering them into the victim's network, allowing them to continue to access the environment despite the MFA. They create new gift cards to resell them to other cybercriminals on the dark web at a discount or cash them out through money mules to cash out. According to Microsoft researchers, there have been instances where threat actors have stolen up to $100,000 from certain companies each day using ordinary gift cards that have been purchased by employees. 

There is a warning from Microsoft that it wants to remind organizations that issue gift cards to treat the portals used to process the cards as high-value targets that need to be extensively checked and balanced before issuing the cards. In a recent report, Microsoft issued a warning about the rise of cybercriminal activities involving gift card scams, specifically highlighting the actions of a group known as Storm-0539. This warning follows a similar alert from December, where Microsoft reported an increase in attacks by Storm-0539 during the holiday season. 

According to Emiel Haeghebaert, a senior hunt analyst at the Microsoft Threat Intelligence Center, this group is comprised of no more than a dozen individuals based in Morocco. Storm-0539 employs phishing campaigns to target employees and gain unauthorized access to both personal and corporate systems. The FBI has elaborated on their tactics, explaining that once initial access is obtained, the group uses further phishing campaigns to escalate their network privileges. 

Their strategy involves targeting the mobile phones of employees in retail departments, exploiting both personal and work devices through sophisticated phishing kits capable of bypassing multi-factor authentication. Upon compromising an employee's account, Storm-0539 conducts detailed reconnaissance within the business network to identify processes related to gift card management. They then pivot to infiltrate the accounts of employees handling the specific gift card portfolio. 

Within these networks, the attackers seek to obtain secure shell (SSH) passwords and keys, along with the credentials of employees in the gift card department. After securing the necessary access, the group creates fraudulent gift cards using compromised employee accounts. The recent report from Microsoft underscores the severity of this threat, echoing an earlier alert issued by the FBI concerning Storm-0539. 

To mitigate such risks, Microsoft advises that merchants issuing gift cards should regard their gift card portals as high-value targets, necessitating constant monitoring and auditing for any suspicious activity. Microsoft further recommends that organizations establish stringent controls over user access privileges. According to Microsoft, attackers like Storm-0539 typically assume they will encounter users with excessive access privileges, which can be exploited for significant impact. Regular reviews of privileges, distribution list memberships, and other user attributes are essential to limit the fallout from initial intrusions and to complicate the efforts of potential intruders. 

In conclusion, both Microsoft and the FBI emphasize the importance of vigilance and proactive security measures in combating the sophisticated tactics employed by groups like Storm-0539. By treating gift card systems as critical assets and implementing rigorous access controls, organizations can better defend themselves against these evolving cyber threats.
Read more »
Windows 11 Recall
AI-powered feature Cyber Security Cybersecurity Data Encryption data security Microsoft Online Safety Privacy Concerns Threat actors User Privacy Windows 11 Recall

Microsoft's Windows 11 Recall Feature Sparks Major Privacy Concerns

 

Microsoft's introduction of the AI-driven Windows 11 Recall feature has raised significant privacy concerns, with many fearing it could create new vulnerabilities for data theft.

Unveiled during a Monday AI event, the Recall feature is intended to help users easily access past information through a simple search. Currently, it's available on Copilot+ PCs with Snapdragon X ARM processors, but Microsoft is collaborating with Intel and AMD for broader compatibility. 

Recall works by capturing screenshots of the active window every few seconds, recording user activity for up to three months. These snapshots are analyzed by an on-device Neural Processing Unit (NPU) and AI models to extract and index data, which users can search through using natural language queries. Microsoft assures that this data is encrypted with BitLocker and stored locally, not shared with other users on the device.

Despite Microsoft's assurances, the Recall feature has sparked immediate concerns about privacy and data security. Critics worry about the extensive data collection, as the feature records everything on the screen, potentially including sensitive information like passwords and private documents. Although Microsoft claims all data remains on the user’s device and is encrypted, the possibility of misuse remains a significant concern.

Microsoft emphasizes user control over the Recall feature, allowing users to decide what apps can be screenshotted and to pause or delete snapshots as needed. The company also stated that the feature would not capture content from Microsoft Edge’s InPrivate windows or other DRM-protected content. However, it remains unclear if similar protections will apply to other browsers' private modes, such as Firefox.

Yusuf Mehdi, Corporate Vice President & Consumer Chief Marketing Officer at Microsoft, assured journalists that the Recall index remains private, local, and secure. He reiterated that the data would not be used to train AI models and that users have complete control over editing and deleting captured data. Furthermore, Microsoft confirmed that Recall data would not be stored in the cloud, addressing concerns about remote data access.

Despite these reassurances, cybersecurity experts and users remain skeptical. Past instances of data exploitation by large companies have eroded trust, making users wary of Microsoft’s claims. The UK’s Information Commissioner's Office (ICO) has also sought clarification from Microsoft to ensure user data protection.

Microsoft admits that Recall does not perform content moderation, raising significant security concerns. Anything visible on the screen, including sensitive information, could be recorded and indexed. If a device is compromised, this data could be accessible to threat actors, potentially leading to extortion or further breaches.

Cybersecurity expert Kevin Beaumont likened the feature to a keylogger integrated into Windows, expressing concerns about the expanded attack surface. Historically, infostealer malware targets databases stored locally, and the Recall feature's data could become a prime target for such malware.

Given Microsoft’s role in handling consumer data and computing security, introducing a feature that could increase risk seems irresponsible to some experts. While Microsoft claims to prioritize security, the introduction of Recall could complicate this commitment.

In a pledge to prioritize security, Microsoft CEO Satya Nadella stated, "If you're faced with the tradeoff between security and another priority, your answer is clear: Do security." This statement underscores the importance of security over new features, emphasizing the need to protect customers' digital estates and build a safer digital world.

While the Recall feature aims to enhance user experience, its potential privacy risks and security implications necessitate careful consideration and robust safeguards to ensure user data protection.
Read more »
Technology
DataBreach Security Google Microsoft Security Flaws Technology

Google Unhappy: Microsoft’s Cybersecurity Struggles: What Went Wrong?

Google Unhappy: Microsoft’s Cybersecurity Struggles: What Went Wrong?

Google released a study of Microsoft's recent security vulnerabilities, finding that Microsoft is "unable to keep their systems and therefore their customers' data safe." Recent incidents have raised questions about Microsoft’s ability to safeguard its systems and protect customer data effectively. In this blog post, we delve into the challenges faced by Microsoft and explore potential implications for its customers.

The Exchange Breach: A Wake-Up Call

Last year, China-backed hackers infiltrated Microsoft Exchange servers, compromising countless accounts. The breach exposed a critical vulnerability, allowing unauthorized access to sensitive information. What compounded the issue was Microsoft’s initial response. The company failed to provide accurate information about the breach, leaving customers in the dark. The Federal Cybersecurity Review Board criticized Microsoft for not rectifying misleading statements promptly.

In its research, Google criticizes Microsoft for failing to accurately characterize a security breach that occurred last year in which China-backed hackers accessed Microsoft Exchange's networks, allowing them to access any Exchange account. Google cites the federal cybersecurity review board's findings that Microsoft customers lacked sufficient information to assess if they were at risk at the time, and Microsoft made a "decision not to correct" comments about the breach that the board found "inaccurate."

Source Code Exposure and Email Compromises

Beyond the Exchange breach, Microsoft faced other cybersecurity setbacks. Russian hackers gained access to the company’s source code, raising concerns about the integrity of its software. Additionally, senior leadership’s email accounts were compromised, highlighting vulnerabilities within Microsoft’s infrastructure. These incidents underscore the need for robust security measures and transparency.

Google’s Perspective: A Safer Alternative?

Google, a competitor in the tech space, has seized the opportunity to position its Google Workspace as a safer alternative. The company emphasizes its engineering excellence, cutting-edge defenses, and transparent security culture. Google Workspace offers features like advanced threat protection, data loss prevention, and real-time monitoring. While Google’s motives may be partly self-serving, it raises valid points about the importance of proactive security practices.

The Way Forward

Microsoft must address its cybersecurity challenges head-on. Transparency, accurate communication, and rapid incident response are critical. Customers deserve timely information to assess their risk and take necessary precautions. 

As organizations increasingly rely on cloud services, trust in providers’ security practices becomes paramount. Microsoft’s reputation hinges on its ability to protect both its systems and its customers’ data.

Read more »
Ransomware
Black Basta Cyber Security Microsoft Quick Assist RaaS Ransomware

Cybercriminals Exploit Windows Quick Assist in Latest Ransomware Campaign

 

A recent wave of cyberattacks has seen financially motivated criminals leveraging Windows Quick Assist, a built-in remote control and screen-sharing tool, to deploy Black Basta ransomware on victim networks. Microsoft has investigated these attacks since mid-April 2024, identifying the threat group behind them as Storm-1811.

The attacks typically begin with email bombing, where the target's inbox is flooded with spam emails. This overload is followed by a phone call from the attackers, who impersonate Microsoft technical support or the victim's IT help desk. They offer to help resolve the spam issue, tricking victims into granting remote access via Quick Assist.

Once access is granted, the attackers execute a scripted command to download malicious files, including Qakbot malware, remote monitoring tools like ScreenConnect and NetSupport Manager, and the Cobalt Strike framework. These tools enable the attackers to perform domain enumeration and move laterally across the network. Eventually, they deploy Black Basta ransomware using PsExec, a telnet-replacement tool.

Rapid7, a cybersecurity company that also detected these attacks, noted that attackers use batch scripts to harvest credentials from the command line using PowerShell. These credentials are often exfiltrated to the attackers' server via Secure Copy (SCP). In some cases, credentials are saved to an archive for later retrieval.

To mitigate these attacks, Microsoft advises organisations to disable or uninstall Quick Assist and similar remote tools if they are not used. Employees should be trained to recognise tech support scams and instructed to only allow remote access if they initiated the contact with IT support. Suspicious Quick Assist sessions should be immediately disconnected.

The Black Basta ransomware operation emerged after the Conti cybercrime group disbanded two years ago following multiple data breaches. Black Basta began operating as a Ransomware-as-a-Service (RaaS) in April 2022 and has since attacked numerous high-profile targets, including defence contractor Rheinmetall, technology company Capita, Hyundai's European division, and the American Dental Association.

Recent attacks linked to Black Basta include a ransomware incident at U.S. healthcare giant Ascension, which disrupted ambulance services. According to a joint advisory by CISA and the FBI, Black Basta affiliates have breached over 500 organisations across 12 out of 16 critical infrastructure sectors since April 2022, causing data breaches and encryption.

Health-ISAC, an information sharing and analysis centre, has warned of increased attacks against the healthcare sector by Black Basta. Research by Elliptic and Corvus Insurance indicates that the group has extorted at least $100 million in ransom payments from over 90 victims by November 2023.

Microsoft is enhancing Quick Assist to improve transparency and trust between users, including adding warning messages to alert users about potential scams. Rapid7 observed similar scams targeting their customers, with attackers using other remote monitoring tools like AnyDesk.

To prevent such attacks, organisations should block unapproved remote management tools and train staff to recognise and report suspicious calls and messages. Quick Assist should only be used if the interaction was initiated by contacting official support channels.

The recent misuse of Windows Quick Assist in deploying Black Basta ransomware pushes forward the vision for increased vigilance and robust cybersecurity practices to save all our digital assets from such social engineering attacks.


Read more »
Technology
Analysis Artifical Intelligence CIA Information Security Microsoft Technology

Microsoft Introduces Innovative AI Model for Intelligence Analysis

 




Microsoft has introduced a cutting-edge artificial intelligence (AI) model tailored specifically for the US intelligence community, marking a leap forward in secure intelligence analysis. This state-of-the-art AI model operates entirely offline, mitigating the risks associated with internet connectivity and ensuring the utmost security for classified information.

Unlike traditional AI models that rely on cloud services and internet connectivity, Microsoft's new creation is completely isolated from online networks. Developed over a meticulous 18-month period, the model originated from an AI supercomputer based in Iowa, showcasing Microsoft's dedication to innovation in AI technologies.

Leading the charge is William Chappell, Microsoft’s Chief Technology Officer for Strategic Missions and Technology, who spearheaded the project from inception to completion. Chappell emphasises the model's unprecedented level of isolation, ensuring that sensitive data remains secure within a specialised network accessible solely to authorised government personnel.

This groundbreaking AI model provides a critical advantage to US intelligence agencies, empowering them with the capability to analyse classified information with unparalleled security and efficiency. The model's isolation from the internet minimises the risk of data breaches or cyber threats, addressing concerns that have plagued previous attempts at AI-driven intelligence analysis.

However, despite the promise of heightened security, questions linger regarding the reliability and accuracy of the AI model. Similar AI models have exhibited occasional errors or 'hallucinations,' raising concerns about the integrity of analyses conducted using Microsoft's creation, particularly when dealing with classified data.

Nevertheless, the advent of this internet-free AI model represents a significant milestone in the field of intelligence analysis. Sheetal Patel, Assistant Director of the CIA for the Transnational and Technology Mission Center, stressed upon the competitive advantage this technology provides in the global intelligence infrastructure, positioning the US at the forefront of AI-driven intelligence analysis.

As the intelligence community goes through with this technology, the need for rigorous auditing and oversight becomes cardinal to ensure the model's effectiveness and reliability. While the potential benefits are undeniable, it is essential to address any lingering doubts about the AI model's accuracy and security protocols.

In addition to this advancement, Microsoft continues to push the boundaries of AI research and development. The company's ongoing efforts include the development of MAI-1, its largest in-house AI model yet, boasting an impressive 500 billion parameters. Additionally, Microsoft has released smaller, more accessible chatbots like Phi-3-Mini, signalling its commitment to democratising AI technologies.

All in all, Microsoft's introduction of an internet-free AI model for intelligence analysis marks a new era of secure and efficient information processing for government agencies. While challenges and uncertainties remain, the potential impact of this technology on national security and intelligence operations cannot be overstated. As Microsoft continues to innovate in the field of AI, the future of intelligence analysis looks increasingly promising.




Read more »
Threat Intelligence
Accountability Automation collaboration Cyber Security Cybersecurity executives Microsoft organizational changes Secure Future Initiative security governance Threat Intelligence

Microsoft to Enforce Executive Accountability for Cybersecurity

 

Microsoft is undergoing organizational adjustments to enhance cybersecurity measures throughout its products and services, focusing on holding senior leadership directly responsible. Charlie Bell, Microsoft's executive vice president of security, outlined these changes in a recent blog post aimed at reassuring customers and the US government of the company's dedication to bolstering cybersecurity amidst evolving threats.

One key aspect of this initiative involves tying a portion of the compensation for the company's Senior Leadership Team to the progress made in fulfilling security plans and milestones. Additionally, Microsoft is implementing significant changes to elevate security governance, including organizational restructuring, enhanced oversight, controls, and reporting mechanisms.

These measures encompass appointing a deputy Chief Information Security Officer (CISO) to each product team, ensuring direct reporting of the company's threat intelligence team to the enterprise CISO, and fostering collaboration among engineering teams across Microsoft Azure, Windows, Microsoft 365, and security groups to prioritize security.

Bell's announcement follows a recent assessment by the US Department of Homeland Security's Cyber Safety Review Board (CSRB), highlighting the need for strategic and cultural improvements in Microsoft's cybersecurity practices. The CSRB identified areas where Microsoft could have prevented a notable cyber incident involving a breach of its Exchange Online environment by the Chinese cyber-espionage group Storm-0558, which compromised user emails from various organizations, including government agencies.

Microsoft previously launched the Secure Future Initiative (SFI) to address emerging threats, incorporating measures such as automation, artificial intelligence (AI), and enhanced threat modelling throughout the development lifecycle of its products. The initiative also aims to integrate more secure default settings across Microsoft's product portfolio and strengthen identity protection while enhancing cloud vulnerability response and mitigation times.

Bell's update provided further details on Microsoft's approach, emphasizing six key pillars: protecting identities and secrets, safeguarding cloud tenants and production systems, securing networks, fortifying engineering systems, monitoring and detecting threats, and expediting response and remediation efforts.

To achieve these goals, Microsoft plans to implement various measures, such as automatic rotation of signing and platform keys, continuous enforcement of least privileged access, and network isolation and segmentation. Efforts will also focus on inventory management of software assets and implementing zero-trust access to source code and infrastructure.

While the full impact of these changes may take time to materialize, Microsoft remains a prominent target for cyberattacks. Despite ongoing challenges, industry experts like Tom Corn, chief product officer at Ontinue, acknowledge the ambitious scope of Microsoft's Secure Future Initiative and its potential to streamline operationalization for broader benefit.
Read more »
Subscribe to: Posts (Atom)