Windows Server 2025, security baseline http://dlvr.it/TJBk2M #WindowsServer2025 #MicrosoftSecurity #SecurityBaseline #SysAdmin
Windows Server 2025, security baseline http://dlvr.it/THjTnm #WindowsServer2025 #MicrosoftSecurity #CyberSecurity #ITSecurity
The Indian scam call centres have apparently switched from the supposed #microsoftsecurity scam to the #paypalscam by now. I just had one on the line. Since I have a public holiday today and was in a good mood, I played along for about 10 minutes before telling him that I don't even have a #PayPal account.
The whole time it was about installing #anydesk on one of my devices and then siphoning off my data.
Microsoft will base part of senior exec comp on security, add deputy CISOs to product groups - Charlie Bell, executive vice president of Microsoft security, speaks at the GeekW... - https://www.geekwire.com/2024/microsoft-will-base-part-of-senior-exec-comp-on-security-add-deputy-cisos-to-product-groups/ #cybersafetyreviewboard #microsoftsecurity #satyanadella #charliebell #microsoft
"Mint Sandstorm: Sophisticated Phishing Campaign Unleashed by APT35"
Microsoft's security blog reveals an intricate phishing campaign, "Mint Sandstorm," by the subgroup PHOSPHORUS (also known as APT35 and Charming Kitten), linked to Iran's Islamic Revolutionary Guard Corps. This campaign targets individuals in universities and research organizations involved in Middle Eastern affairs across various countries. Unique tactics include bespoke phishing lures, using compromised legitimate email accounts, and deploying custom backdoors like MediaPl and MischiefTut. These tools allow for encrypted communications, reconnaissance, and persistence in target environments. Microsoft suggests using Attack Simulator in Defender for Office 365, enabling SmartScreen on browsers, and activating cloud-delivered protection to mitigate risks.
Tags: #CyberSecurity #Phishing #APT35 #CharmingKitten #MintSandstorm #MicrosoftSecurity #InfoSec #ThreatIntelligence
"CVE-2023-36025: A Stepping Stone in Phemedrone Stealer Attacks"
Trend Micro's recent investigation reveals the exploitation of CVE-2023-36025, a Windows Defender SmartScreen bypass, in the Phemedrone Stealer campaign. This vulnerability allows attackers to evade defense by using .url files to download malicious .cpl scripts unnoticed. Phemedrone Stealer, an open-source malware maintained on GitHub and Telegram, targets web browsers, cryptocurrency wallets, and messaging apps like Telegram and Steam, harvesting sensitive data and system information. Notably, CVE-2023-36025 was patched by Microsoft in Nov 2023, but remains on CISA's Known Exploited Vulnerabilities list due to its active exploitation.
The attack involves hosting malicious Internet Shortcut files on platforms like Discord, often disguised using URL shorteners. Upon execution, these files download a .cpl file, bypassing the usual security prompts. This leverages the MITRE ATT&CK technique T1218.002, using control.exe to run .cpl files. The subsequent stages involve a PowerShell loader hosted on GitHub, and a second-stage loader known as Donut, which executes the final payload in memory. This sophisticated attack sequence showcases the complexity and stealth of modern cyber threats.
Phemedrone's payload is versatile, targeting various applications for sensitive information like passwords, files, and system data. It uses advanced techniques for data handling and compression, highlighting the need for vigilant cybersecurity practices.
Tags: #CyberSecurity #CVE202336025 #PhemedroneStealer #DefenseEvasion #Malware #TrendMicro #MicrosoftSecurity #CISA #MITREATTACK #DonutLoader
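The control.exe/.cpl step the post describes (MITRE ATT&CK T1218.002) is something a SOC can hunt for in process-creation telemetry. Below is an added detection example; it is not part of the post, of Trend Micro's report or of any Microsoft tooling. The Sysmon-style field names, the sample events, the browser list and the "user-writable location" heuristic are all assumptions constructed for this example; the idea it demonstrates is simply that stock Control Panel applets live under System32/SysWOW64, so a .cpl loaded from anywhere else deserves a look.

```python
"""Added example (not from the post above, Trend Micro or Microsoft): detection
logic for the control.exe -> .cpl proxy-execution step (MITRE ATT&CK T1218.002)
over constructed, Sysmon-style process-creation records. Field names, paths and
the parent-process heuristics are assumptions made for this example."""
import re
from typing import Dict, List, Optional

# Constructed sample events (shape modelled on Sysmon Event ID 1). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: Control Panel opened by name, no .cpl path on the command line.
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" /name Microsoft.Display',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: a stock applet that lives in System32.
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Windows\System32\timedate.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Suspicious: .cpl dropped in the user's Temp folder (the pattern described in the post).
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Users\alice\AppData\Local\Temp\update.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Suspicious: control.exe hands the applet to rundll32 via shell32's Control_RunDLL export.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL "C:\Users\alice\Downloads\invoice.cpl"',
     "ParentImage": r"C:\Windows\System32\control.exe"},
    # Suspicious: launched straight from a browser, applet outside System32.
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'control.exe C:\ProgramData\cache\render.cpl',
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
]

# A quoted path (may contain spaces) or a bare, space-free token ending in .cpl.
CPL_PATH_RE = re.compile(r'"([^"]*?\.cpl)"|(\S+\.cpl)\b', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}  # assumed list


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cpl_paths(cmdline: str) -> List[str]:
    """All .cpl paths on a command line, quoted or bare."""
    return [m.group(1) or m.group(2) for m in CPL_PATH_RE.finditer(cmdline)]


def is_cpl_host(event: Dict[str, str]) -> bool:
    """control.exe itself, or rundll32 invoked through Control_RunDLL."""
    image = basename(event["Image"])
    if image == "control.exe":
        return True
    return image == "rundll32.exe" and "control_rundll" in event["CommandLine"].lower()


def analyze_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding when a .cpl is loaded from outside the system directories, else None."""
    if not is_cpl_host(event):
        return None
    parent = basename(event.get("ParentImage", ""))
    for path in cpl_paths(event["CommandLine"]):
        low = path.lower()
        if low.startswith(SYSTEM_DIRS):
            continue  # stock applets under System32/SysWOW64 are expected
        reasons = ["cpl_outside_system_dir"]
        if parent in BROWSERS:
            reasons.append("browser_parent")
        if "\\temp\\" in low or "\\downloads\\" in low:
            reasons.append("user_writable_location")
        return {"technique": "T1218.002", "cpl": path, "parent": parent, "reasons": reasons}
    return None


def scan(events) -> List[Dict[str, object]]:
    """Run analyze_event over a batch and keep only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The two benign records produce nothing; the three others are returned with their reasons, so the same rule can feed an alert with a severity that rises when the parent is a browser or the applet sits in Temp or Downloads. In a real pipeline the same check belongs on Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled.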
"Windows App Installer Vulnerability: A New Twist in Cybersecurity"
Microsoft has temporarily disabled the MSIX ms-appinstaller protocol handler in Windows due to security concerns. This action was taken because malicious groups, like the Sangria Tempest group (also known as FIN7), were using it to distribute malware. This vulnerability, known as CVE-2021-43890, was exploited through phishing and malicious ads, often resulting in ransomware attacks. These attacks were able to bypass Defender SmartScreen and browser security warnings. Microsoft initially disabled this handler in February 2022 to counter Emotet attacks and has now decided to disable it again due to ongoing misuse by financially motivated threat groups.
The MSIX ms-appinstaller protocol handler is an important part of the MSIX package format. It simplifies the process of installing Windows applications directly from a URL, making it easier for developers and users. MSIX is a modern app package format for Windows that combines the best features of MSI, .appx, App-V, and ClickOnce installation technologies. Its main goal is to help developers package and distribute their applications efficiently and reliably, ensuring compatibility.
For more on CVE-2021-43890: Microsoft Advisory
For details on FIN7: MITRE - FIN7
Tags: #CyberSecurity #WindowsVulnerability #MSIX #ProtocolHandler #Malware #Ransomware #Phishing #ThreatIntelligence #SangriaTempest #FIN7 #MicrosoftSecurity
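Because the abuse in this post rides on links of the form ms-appinstaller:?source=<package URL>, a web proxy or mail gateway that logs clicked URLs can surface them. Below is an added example, not part of the post and not Microsoft's code, that pulls such links out of constructed proxy records and reports where the package would have been fetched from. The log format, the allowlist of package hosts and the flag names are assumptions made for this example; the link shape itself is the documented one for the protocol handler.

```python
"""Added example (not from the post above or from Microsoft): a scanner that
picks ms-appinstaller: links out of constructed web-proxy log lines and
extracts the package URL the handler would fetch. The log format, the
allowlist and the field names are assumptions made for this example."""
import ipaddress
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: hosts the organisation legitimately serves MSIX packages from.
ALLOWED_PACKAGE_HOSTS = {"apps.corp.example"}

# Constructed, space-separated key=value proxy records (not real traffic).
SAMPLE_LOG = [
    "ts=2023-12-28T10:14:02Z user=alice url=https://learn.microsoft.com/en-us/windows/msix/ action=allow",
    "ts=2023-12-28T10:15:40Z user=bob url=ms-appinstaller:?source=https://apps.corp.example/tools/Helper.msixbundle action=allow",
    "ts=2023-12-28T10:16:03Z user=carol url=ms-appinstaller:?source=https://cdn.ads-example.test/Adobe-Reader-Setup.msix action=allow",
    "ts=2023-12-28T10:16:30Z user=dave url=MS-AppInstaller:?source=http://192.0.2.10/update.appinstaller action=allow",
]


def parse_appinstaller_link(url: str) -> Optional[str]:
    """Return the package URL named by an ms-appinstaller: link, or None for any other scheme."""
    parts = urlsplit(url.strip())
    if parts.scheme != "ms-appinstaller":  # urlsplit lower-cases the scheme for us
        return None
    return parse_qs(parts.query).get("source", [None])[0]


def assess_source(source: str) -> List[str]:
    """Reasons a package URL deserves review; an empty list means it is on the allowlist over HTTPS."""
    src = urlsplit(source)
    host = (src.hostname or "").lower()
    flags = []
    if host not in ALLOWED_PACKAGE_HOSTS:
        flags.append("host_not_allowlisted")
    if src.scheme != "https":
        flags.append("insecure_transport")
    try:
        ipaddress.ip_address(host)
        flags.append("ip_literal_host")
    except ValueError:
        pass  # a host name, not a bare IP address
    return flags


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value proxy record; the first '=' separates key from value."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def scan_log(lines) -> List[Dict[str, object]]:
    """One hit per record whose URL uses the ms-appinstaller: scheme."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        source = parse_appinstaller_link(rec.get("url", ""))
        if source is None:
            continue
        hits.append({"user": rec.get("user"),
                     "source": source,
                     "host": (urlsplit(source).hostname or "").lower(),
                     "flags": assess_source(source)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Of the four constructed records, only the three protocol links are reported: the one pointing at the allowlisted host carries no flags, the ad-hosted package is flagged for its host, and the plain-HTTP link to a bare IP address collects all three flags. The scheme comparison is case-insensitive because the handler is, which is why the mixed-case fourth record is still caught.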
Sources:
Microsoft Digital Defense Report 2023 is out!
It covers trends between July 2022 and June 2023 across nation-state activity, cybercrime, and defense techniques.
Report: https://aka.ms/aka.ms.mddrrep
Executive summary: https://aka.ms/aka.ms.mddrexecrep
Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement
Nice write-up by Microsoft security researchers about a new campaign where attackers attempted to move laterally to a cloud environment through a SQL Server instance.
Attackers are now attempting to move laterally into cloud environments via SQL Server instances—a method previously seen in VMs and Kubernetes clusters but not in SQL Server.
Today at 4pm EST, we chat with competitive martial artist, powerlifter, Iron Maiden fan, and motivational Principal PM manager for Defender for Cloud at Microsoft, Yuri Diogenes!
Join us live on one of the following:
LinkedIn: https://rodtrent.com/8mq
YouTube: https://rodtrent.com/4iu
Twitch: https://rodtrent.com/kfe
Or listen in after the show on your favorite podcast network.
Implement Microsoft Sentinel and Microsoft 365 Defender for Zero Trust
This solution guide walks through the process of setting up Microsoft eXtended detection and response (XDR) tools together with Microsoft Sentinel to accelerate your organization’s ability to respond to and remediate cybersecurity attacks.
https://learn.microsoft.com/en-us/security/operations/siem-xdr-overview
Today at 1pm EST, I'll be moderating a Learn Live: Enable and manage Microsoft Defender for Cloud session. Stop by and learn something and ask questions!
Fuzzy hashing logs to find malicious activity https://rodtrent.com/rc2
Ask Microsoft Anything: SIEM and XDR - Join this Ask Microsoft Anything (AMA) session to get your questions about Microsoft Sentinel and Microsoft 365 Defender answered by our product experts!
Apr 13 2023, 07:00 AM - 07:30 AM (PDT)
Latest Microsoft Entra advancements strengthen identity security https://rodtrent.com/8bd
The Microsoft Secure 2023 Learn Live series is still underway! Join in real-time or watch on demand https://rodtrent.com/di5
What an amazing month it's been for our Women in Cybersecurity series on the Microsoft Security Insights show! It's hard to believe we have just one week left. But it's a doozy.
Next week, stop by live or wait for the replay to hear from Elizabeth Stephens, Director Data Center Cyber Risk Intelligence. This should be super interesting.
In a recent report, Microsoft Digital Threat Analysis Center (DTAC) attributes a recent influence operation targeting French satirical magazine Charlie Hebdo to an Iranian nation-state actor, NEPTUNIUM.
In January, a hacker group known as "Holy Souls" claimed to have obtained the personal information of over 200,000 Charlie Hebdo customers. They released a sample of the data, which included full names, telephone numbers, and email and home addresses, putting subscribers at risk of targeting by extremist organizations.
To help against these influence operations, DTAC also released their Influence Attribution Framework. This tool helps organizations understand, attribute, and mitigate the impact of these operations. For more information on how the framework works, I've put together a simple infographic that summarizes its key components.
#microsoft #threatintelligence #influence #infosec #cybersecurity #microsoftsecurity
Report: https://lnkd.in/gwp7Aq9m
Framework: https://lnkd.in/gVuv6D8S
Stop letting users increase your vulnerability – turn off user application consent https://rodtrent.com/lio
I hear from customers quite a bit that really just want a great starting point for security. Make security your org's 2023 resolution.
Four things you can do to make your environment safer in less than five minutes https://rodtrent.com/c3n