Microsoft Threat Intelligence

Computer and Network Security

We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

About us

The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.

Website
https://aka.ms/threatintelblog
Industry
Computer and Network Security
Company size
10,001+ employees
Specialties
Computer & network security, Information technology & services, Cybersecurity, Threat intelligence, Threat protection, and Security

Updates

  • In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns. Octo Tempest is known for sophisticated social engineering techniques, identity compromise and persistence, a focus on targeting VMware ESXi servers, and deployment of BlackCat ransomware. RansomHub is a ransomware as a service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware such as BlackCat, making it one of the most widespread ransomware families today. Notably, RansomHub was observed in post-compromise activity by Manatee Tempest following initial access by Mustard Tempest via FakeUpdates/SocGholish infections. In addition to RansomHub and Qilin, other notable ransomware families in this period include BlackSuit, LockBit, Medusa, Black Basta, and Play.

    Several new ransomware families emerged this quarter. Fog, which uses the .flocked extension, was first observed in May in campaigns by Storm-0844, a threat actor known for distributing Akira. To deploy Fog, Storm-0844 uses VPN clients to gain initial access, likely via valid accounts. They use open-source tools like ADFind, Rubeus, and Advanced IP Scanner for network discovery and lateral movement. They also use rclone for staging files to be exfiltrated. By June, Storm-0844 was deploying Fog in more campaigns than Akira. FakePenny is another new ransomware family we uncovered during this period. In April, we observed North Korean threat actor Moonstone Sleet (formerly Storm-1789) deploying FakePenny, part of a wide-ranging tradecraft that also includes a malicious tank game: https://msft.it/6046lOdRi

    Threat actors like Octo Tempest focus on identity compromise in their intrusions to access and persist in on-premises and cloud environments for data exfiltration and ransomware deployment. This quarter, Storm-0501 was observed adopting similar tactics, utilizing open-source toolkits like AADInternals for domain federation and other techniques to facilitate the later stages of attacks, which culminate in the deployment of Embargo ransomware. Threat actors also continue to leverage remote management and monitoring tools in ransomware campaigns. In May, we published research on Storm-1811 misusing Quick Assist in social engineering attacks, which were followed by delivery of various malicious tools, leading to Black Basta deployment: https://msft.it/6047lOdRc

    Users and organizations are advised to follow security best practices, especially credential hygiene, the principle of least privilege, and Zero Trust. We publish reports on ransomware threat actors and associated activity in Microsoft Defender Threat Intelligence and Microsoft Defender XDR threat analytics. For more information and guidance, visit https://msft.it/6048lOdRY

  • Microsoft has announced the general availability of the Microsoft Entra Suite and the general availability of Microsoft Sentinel within the Microsoft unified security operations platform, providing new capabilities that can further simplify the implementation of a Zero Trust architecture across the full lifecycle from prevention to detection and response. https://msft.it/6044lzQeM The Microsoft Entra Suite unifies identity and network access security, and provides everything needed to verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources. https://msft.it/6045lzQe3 Microsoft Sentinel capabilities within the Microsoft unified security operations platform help bring together all the security signals the environment generates, then normalize, analyze, and use them to proactively defend against cyberthreats. https://msft.it/6046lzQeO

    The Microsoft Entra Suite and unified security operations platform are now generally available | Microsoft Security Blog

    microsoft.com

  • In this episode of The Microsoft Threat Intelligence podcast, top experts from different areas in cybersecurity share their experiences pushing for security at various levels and their insights on the impact of AI on cybersecurity. This series of discussions, recorded live at RSA Conference 2024, features discussions on the process of securing the Windows platform and the power grid, as well as the unique cybersecurity challenges faced by specific industries such as education. The experts also talk about the importance of integration in dealing with cyberthreats, such as considering product functionality when building cybersecurity measures, as well as incorporating threat intelligence on cybercrime entities into attack frameworks such as MITRE. Listen to the full episode, hosted by Sherrod DeGrippo, here: https://msft.it/6040lHNSm

    Microsoft Live at the RSA Conference 2024

    thecyberwire.com

  • Microsoft researchers discovered two vulnerabilities in Rockwell Automation’s PanelView Plus that could be exploited remotely by attackers to achieve remote code execution (RCE) or denial of service (DoS). PanelView Plus devices are graphic terminals, also known as human machine interfaces (HMI), used in the industrial sector. Both vulnerabilities are related to custom classes in PanelView Plus. The RCE vulnerability involves two custom classes that could be used to upload and load a malicious DLL onto the device. The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS. Microsoft reported these findings to Rockwell Automation in May and July 2023, and Rockwell Automation published security patches to address the vulnerabilities in September and October 2023. We’re sharing our research to help developers, vendors, and the industry in general avoid or detect similar issues in their systems. Read our latest blog to get our analysis of the vulnerabilities, as well as mitigation and protection guidance for defenders: https://msft.it/6046l8Ufn

    Vulnerabilities in PanelView Plus devices could lead to remote code execution | Microsoft Security Blog

    microsoft.com

  • Microsoft has accelerated the speed and scale at which threat intelligence is published in Microsoft Defender Threat Intelligence (MDTI), Microsoft Defender XDR Threat Analytics, and Microsoft Copilot for Security, giving customers more critical security insights, data, and guidance than ever before. Our 10,000 interdisciplinary experts reason over more than 78 trillion daily threat signals to continuously add to our understanding of threat actors and activity. Over the past year, Microsoft Threat Intelligence has published hundreds of new Intel profiles to help customers maintain situational awareness around the threat activity, techniques, vulnerabilities, and the more than 300 named threat actors tracked by Microsoft. We have also improved the quantity and depth of open-source intelligence (OSINT), and delivered detections and security recommendations to provide context on daily alerts and help customers detect, understand, and address cyberattacks and related activities. Using Copilot for Security, customers can quickly retrieve information from these publications to contextualize artifacts and correlate MDTI and Threat Analytics content and data with other security information from Defender XDR, such as incidents and hunting activities, to help customers assess their vulnerabilities and quickly understand the broader scope of an attack. Learn more: https://msft.it/6048l8z0k

    More Threat Intelligence Content in MDTI, TA Enables Better Security Outcomes

    techcommunity.microsoft.com

  • Threats that involve the compromise of multiple privileged identities within the network may require a mass password reset as part of incident response. A mass password reset helps incident responders gain control of the identity plane, deny other avenues of access, and disrupt any persistence the attacker may have established in the environment. There are several variables and considerations for a mass password reset, and there is no one-size-fits-all solution. In this blog post, Microsoft Incident Response provides best practices in preparing for and performing a mass password reset: https://msft.it/6046YhXQ6

    Effective strategies for conducting Mass Password Resets during cybersecurity incidents

  • Microsoft recently discovered a new type of generative AI jailbreak method, which we call Skeleton Key for its ability to potentially subvert responsible AI (RAI) guardrails built into the model, which could enable the model to violate its operators’ policies, make decisions unduly influenced by a user, or run malicious instructions. The Skeleton Key method works by using a multi-step strategy to cause a model to ignore its guardrails by asking it to augment, rather than change, its behavior guidelines. This enables a model to then respond to any request for information or content, including producing ordinarily forbidden behaviors and content. To protect against Skeleton Key attacks, Microsoft has implemented several approaches in our AI system design, provided tools for customers developing their own applications on Azure, and provided mitigation guidance for defenders to discover and protect against such attacks. Learn about Skeleton Key, what Microsoft is doing to defend systems against this threat, and more in the latest Microsoft Threat Intelligence blog from the Chief Technology Officer of Microsoft Azure, Mark Russinovich: https://msft.it/6043Y7Xrd Learn more about Mark Russinovich and his exploration into AI and AI jailbreaking techniques like Crescendo and Skeleton Key, as discussed on the latest Microsoft Threat Intelligence podcast episode hosted by Sherrod DeGrippo: https://msft.it/6044Y7Xre

    Mitigating Skeleton Key, a new type of generative AI jailbreak technique | Microsoft Security Blog

    microsoft.com
