Results 1 to 5 of 5
  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] Microsoft: more than 1.5 million attempts to breach its cloud systems daily

    Pedro Hernandez
    June 06, 2017

    Microsoft's cloud is constantly under attack. While it's no surprise that the Redmond, Wash. technology giant makes a tempting target for cyber-attackers, the scale of the attacks weathered by the company may raise some eyebrows.

    On a typical day, 1.5 million attempts are made to breach Microsoft's cloud systems, the company revealed today on its website. Keeping attackers at bay are over 3,500 security engineers and Microsoft's Intelligent Security Graph, an AI-enabled system that uses machine learning to analyze hundreds of billions of authentications and other security information generated by the company's IT systems.

    Each second, Microsoft feeds hundreds of gigabytes of telemetry into the Intelligent Security Graph, the company claims. And every month, Microsoft scans an estimated 400 billion emails that flow through Office 365 and Outlook for phishing scams and malware.

    All told, Microsoft invests $1 billion each year in cloud security. These statistics aside, the company continues to roll out new features and product enhancements to eliminate security gaps for customers.

    Today, Microsoft announced that its Azure AD (Active Directory) Conditional Access feature now supports the Azure Portal and Teams, the company's Slack-like group chat and collaboration application. Launched last summer, and available as part of Azure AD Premium plans, Conditional Access allows companies to restrict access to business applications and other resources, blocking users' access unless their devices meet certain requirements. For example, administrators can stop attempts to access applications from untrusted networks or use the feature to enforce multi-factor authentication.

    Linking Azure AD Conditional Access to the Azure Portal, the cloud service's management hub, is a major step toward helping the company's customers secure their cloud accounts. Previously, Microsoft only offered multi-factor authentication as a way to protect administrator accounts on the Azure Portal.

    Microsoft isn't the only cloud provider caught in an endless war against cyber-scammers.

    Last week it was revealed that OneLogin, a popular password management service, suffered a breach. A hacker had somehow managed to gain access to OneLogin's Amazon Web Services (AWS) credentials, keys that were then used to perform reconnaissance on the company's operations. OneLogin uses AWS as its cloud provider.

    "The threat actor was able to access database tables that contain information about users, apps, and various types of keys," explained Alvaro Hoyos, chief information security officer at OneLogin, in a blog post. "While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data."

    In the meantime, the venture capital community keeps pouring funds into cloud security firms.

    Netskope just announced it had raised $100 million to bulk up its Cloud Access Security Broker (CASB) technology and expand its market presence. Underscoring the competitive nature of today's cloud security market, Sanjay Beri, founder and CEO of Netskope, told eWEEK's Sean Michael Kerner that the funding "was an over-subscribed, pre-emptive round," adding that the company was not in need of, nor was it soliciting, investments.
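    As an added illustration (not part of the article above, and not Microsoft's own documentation), this is what the Conditional Access control described in the post looks like when expressed as a policy object for the Microsoft Graph `conditionalAccessPolicy` endpoint: require MFA for the Azure management surface whenever the sign-in does not come from a trusted named location. Assumptions: the Graph v1.0 schema as it stands today, the well-known application id for Microsoft Azure Management (`797f4846-ba00-4fd7-ba43-dac1f8f63013`, which the post does not mention), and a placeholder object id for an emergency-access account.

```json
{
  "displayName": "Require MFA for Azure management from untrusted networks",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": ["all"],
    "applications": {
      "includeApplications": ["797f4846-ba00-4fd7-ba43-dac1f8f63013"]
    },
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<object-id-of-break-glass-account>"]
    },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```

    Two practitioner notes: start in report-only state (as above) and read the sign-in logs before switching `state` to `enabled`, because a policy that covers "All" users and the management portal can lock every administrator out at once; and always exclude at least one emergency-access account that is protected by other means, otherwise a misconfigured trusted-location list makes the lockout permanent.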

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010

    'ExplodingCan' targets servers running Windows 2003

    Shivali Best
    6 June 2017

    ShadowBrokers, the group behind the WannaCry hack, stole the ExplodingCan from the NSA, along with an arsenal of other cyber weapons.

    The hack targets Microsoft Windows 2003 servers running the Internet Information Services version 6.0 (IIS 6.0) web server.

    Paul Harris, managing director of Secarma, said: 'Ultimately this is in the same risk category as the WannaCry attacks.

    'It's another way for cybercriminals and hacking teams to access your environment and, once they're in, the internal parts of these systems are wide open to a variety of different attack vectors.'

    And if you do find yourself a victim of the attack, not even Microsoft can help you, as the firm has declared Windows 2003 out of support.

    Worldwide, there are around 375,000 IIS 6.0 servers that could be vulnerable, although an exact number is difficult to pinpoint.

    Secarma has released a free tool for users to check for ExplodingCan.
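    An added example, not the Secarma tool and not code from the article: ExplodingCan is the IIS 6.0 WebDAV buffer overflow tracked as CVE-2017-7269 (the post names neither the CVE nor WebDAV), so a quick inventory check is to look for hosts that both identify as IIS 6.0 and advertise WebDAV methods. The sample response below is constructed for this example, not captured from any real server; the `probe` function performs a live OPTIONS request and is not exercised by the offline part.

```python
import socket

# Constructed sample: the shape of an OPTIONS reply from IIS 6.0 with WebDAV enabled.
# Made up for this example; not a capture from a real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, "
    "DELETE, COPY, MOVE, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-cased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def assess(raw):
    """Flag a host as exposed when it reports IIS 6.x and advertises WebDAV."""
    _, h = parse_headers(raw)
    server = h.get("server", "")
    iis6 = server.lower().startswith("microsoft-iis/6.")
    methods = set()
    for field in ("allow", "public"):
        methods.update(m.strip().upper() for m in h.get(field, "").split(",") if m.strip())
    webdav = "PROPFIND" in methods or "dav" in h or "ms-author-via" in h
    return {"server": server, "iis6": iis6, "webdav": webdav, "exposed": iis6 and webdav}


def probe(host, port=80, timeout=5):
    """Send one OPTIONS request and assess the reply (needs network; not used offline)."""
    request = f"OPTIONS / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return assess(b"".join(chunks).decode("latin-1"))


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

    This is an exposure check, not a vulnerability test: the headers look the same whether or not the vulnerable code path has been patched, so a hit means "investigate, and disable WebDAV if it is not needed", not "confirmed vulnerable".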

  3. #3
    WHT-BR Top Member
    Join Date
    Dec 2010

    NSA’s EternalBlue Exploit Ported to Windows 10

    Michael Mimoso
    June 6, 2017

    The NSA’s EternalBlue exploit has been ported to Windows 10 by white hats, meaning that every unpatched version of the Microsoft operating system back to Windows XP—and likely earlier—can be affected by one of the most powerful attacks ever made public.

    Researchers at RiskSense, among the first to analyze EternalBlue, its DoublePulsar backdoor payload, and the NSA’s Fuzzbunch platform (think: Metasploit), said they would not release the source code for the Windows 10 port for some time, if ever. The proof of concept has been in the works since the ShadowBrokers’ April leak of Equation Group offensive hacking tools targeting Windows XP and Windows 7, as well as the development of a Metasploit module based on EternalBlue released two days after the WannaCry attacks. The best defense against EternalBlue, researchers maintain, is to apply the MS17-010 update provided in March by Microsoft.

    The researchers did today publish a report (PDF download) explaining what was necessary to bring the NSA exploit to Windows 10 and examining the mitigations implemented by Microsoft that can keep these attacks in check moving forward.

    “We’ve omitted certain details of the exploit chain that would only be useful to attackers and not so much for building defenses,” said senior research analyst Sean Dillon. “The research is for the white-hat information security industry in order to increase the understanding and awareness of these exploits so that new techniques can be developed that prevent this and future attacks. This helps defenders better understand the exploit chain so that they can build defenses for the exploit rather than the payload.”

    The available Metasploit module, which is completely separate from the new Windows 10 port, is a stripped down version of EternalBlue that reduced the amount of network traffic involved, and as a result, many of the intrusion detection system rules created since the leak and recommended by security companies and the U.S. government could be bypassed. It also removes the DoublePulsar backdoor, which Dillon said many security companies paid too much unnecessary attention to. DoublePulsar is a kernel-level exploit dropped by all of the exploits in the Fuzzbunch platform.

    “The DoublePulsar backdoor is kind of a red herring for researchers and defenders to focus on,” Dillon said. “We demonstrated that by creating a new payload that can load malware directly without having to first install the DoublePulsar backdoor. So people looking to defend against these attacks in the future should not focus solely on DoublePulsar. Focus on what parts of the exploit we can detect and block.”

    The new port targets Windows 10 x64 version 1511, which was released in November and was code-named Threshold 2, still supported in the Windows Current Branch for Business. The researchers were able to bypass mitigations introduced in Windows 10 that are not present in Windows XP, 7 or 8 and defeat EternalBlue bypasses for DEP and ASLR.

    “To port to Windows 10, we had to create a new bypass for DEP,” Dillon said. The RiskSense report goes into painstaking detail about the new attack, including a new payload replacing DoublePulsar, which Dillon said is cryptographically insecure and allows anyone to load secondary malware, which is what happened with WannaCry. RiskSense’s new payload is an Asynchronous Procedure Call (APC) that allows user-mode payloads to be executed without the backdoor.

    “An APC can ‘borrow’ a process thread that is in an idle Alertable state, and while it relies on structures whose offsets change between versions of Microsoft Windows, it is one of the most reliable and easiest ways to exit kernel mode and enter user mode,” RiskSense said in its report.

    The ShadowBrokers’ leaks have been snapshots of the NSA’s offensive capabilities, and rarely an image of their current arsenal. It’s likely that by now the NSA has a Windows 10 version of EternalBlue, but until today, such an option hasn’t been available to defenders. In the meantime, EternalBlue remains one of the most complex attacks made public, one that worried NSA insiders should it ever be stolen and/or leaked; the NSA is believed to have alerted Microsoft about the impending ShadowBrokers’ leak giving the company time to build, test and deploy MS17-010 one month before the April leak.

    “There are really only a handful of people who could have written the original EternalBlue exploit, but now that it’s out there and you can study the original exploit and the techniques used, it opens the door for many more amateur-type hackers to understand what’s going on,” Dillon said. “It’s really easy to use a buffer overflow to cause a crash. It’s harder to get code execution. So, whoever wrote the original exploits did a lot of experimentation to find the best path to turn that crash into code execution. They’ve done all the hard work, so now it’s about what’s changed between different versions of Windows to fix it up.”

    Dillon said EternalBlue’s capability to provide attackers with an instant remote unauthenticated Windows code execution attack is the best type of exploit at a hacker’s disposal.

    “They definitely broke a lot of new ground with the exploit. When we added the targets of the original exploit to Metasploit, there was a lot of code that needed to be added to Metasploit to get it up to par with being able to support a remote kernel exploit that targets x64,” Dillon said, adding that the original exploit targets x86 also, calling that feat “almost miraculous.”

    “You’re talking about a heap-spray attack on the Windows kernel. Heap spray attacks are probably one of the most esoteric types of exploitation and this is for Windows, which does not have source code available,” Dillon said. “Performing a similar heap spray on Linux is difficult, but easier than this. A lot of work went into this.”
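    Dillon's advice above is to detect the exploit rather than the DoublePulsar payload, and the stripped-down Metasploit module shows why signature rules tied to the leaked traffic are brittle. The example below is added here (it is not RiskSense's code or anything from the article) and takes the most robust position available to a defender: EternalBlue rides on SMBv1, so a monitor that flags any SMBv1 negotiation on tcp/445 catches every variant regardless of payload. It parses the NetBIOS session framing and the SMB1 NEGOTIATE request to list the offered dialects; the packet it inspects is constructed by `build_smb1_negotiate`, not captured.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32


def strip_netbios(packet):
    """Remove the 4-byte NetBIOS session header (type 0x00 + 3-byte big-endian length)."""
    if len(packet) < 4 or packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated SMB message")
    return body


def parse_smb1_negotiate(body):
    """Return the dialect strings offered in an SMB1 NEGOTIATE request."""
    if body[:4] != SMB1_MAGIC or body[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE request")
    word_count = body[SMB1_HEADER_LEN]                 # parameter words after the header
    bc_offset = SMB1_HEADER_LEN + 1 + 2 * word_count   # ByteCount follows the words
    (byte_count,) = struct.unpack_from("<H", body, bc_offset)
    data = body[bc_offset + 2: bc_offset + 2 + byte_count]
    dialects, i = [], 0
    while i < len(data):
        if data[i] != 0x02:                            # each entry: 0x02 + NUL-terminated name
            raise ValueError("malformed dialect list")
        end = data.index(b"\x00", i + 1)
        dialects.append(data[i + 1:end].decode("ascii"))
        i = end + 1
    return dialects


def classify(packet):
    """Classify one NetBIOS-framed SMB message; alert on any SMBv1 at all."""
    body = strip_netbios(packet)
    if body[:4] == SMB2_MAGIC:
        return {"protocol": "SMB2/3", "dialects": [], "alert": False}
    if body[:4] == SMB1_MAGIC:
        dialects = parse_smb1_negotiate(body) if body[4] == SMB_COM_NEGOTIATE else []
        return {"protocol": "SMB1", "dialects": dialects, "alert": True}
    return {"protocol": "unknown", "dialects": [], "alert": False}


def build_smb1_negotiate(dialects):
    """Constructed sample for this example: an SMB1 NEGOTIATE request (not a real capture)."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4   # command, NT status
              + b"\x18" + b"\x53\xc8"                                  # Flags, Flags2 (LE)
              + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2               # PIDHigh, signature, reserved
              + b"\x00\x00" + b"\xff\xfe" + b"\x00\x00" + b"\x00\x00")  # TID, PID, UID, MID
    assert len(header) == SMB1_HEADER_LEN
    blob = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = header + b"\x00" + struct.pack("<H", len(blob)) + blob    # WordCount=0, ByteCount, list
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    pkt = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
    print(classify(pkt))
```

    On a network where SMBv1 has been disabled on every host (the configuration MS17-010 guidance recommends alongside the patch), any SMBv1 negotiation is anomalous and worth an alert on its own; a rule written this way does not care whether the traffic carries DoublePulsar, the trimmed Metasploit module, or a future variant.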

  4. #4
    WHT-BR Top Member
    Join Date
    Dec 2010

    Protecting Office 365 from Attack

    As the rate and sophistication of ransomware and phishing campaigns accelerate, Office 365 has become a primary target, making a defense-in-breadth strategy critical.

    Jasson Walker

    While hackers have targeted Microsoft products and services for decades, the growth in ransomware and phishing attacks has made Office 365 a primary target. Now that Office 365 has become the company's fastest-growing offering and the breaches coming from e-mail and misused identities continue to accelerate, it's essential that Office 365 administrators take proactive steps to "hack-proof" their environments.

    A recent report released by the U.S. Department of Justice revealed that ransomware -- the fastest growing malware -- quadrupled last year from 1,000 attacks per day observed in 2015 to more than 4,000 daily incidents with the amounts paid in ransom expected to reach $1 billion. The average ransom paid is $500. The risk of malware from e-mail doubled last year, based on findings from the 2017 Symantec Corp. "Internet Security Threat Report," which showed the probability of an attack via e-mail rose to one in 131 last year from one in 224 in 2015. The 2017 Verizon "Data Breach Investigations Report" found that 43 percent of hackers used e-mail-based phishing as their method of attacks, which were associated with espionage and financial theft.

    Last year Microsoft saw malware attempts targeted at Office 365 increase 600 percent, said Jason Rogers, Microsoft's lead program manager for antimalware and advanced threat detection for Office 365, speaking during a session at last fall's Microsoft Ignite conference in Atlanta.

    Unfortunately, like other software, it's virtually impossible to "hack-proof" Office 365. Nevertheless, you can significantly mitigate the probability of a successful attack by understanding common Office 365 attack vectors and implementing a comprehensive strategy that defends your environment against the growing number of threats. A defense strategy must incorporate multiple Office 365 defense-in-breadth (not depth) security services, user awareness training and the continuous monitoring services offered with Office 365.

    Among the most pervasive attacks against Office 365 users is ransomware, and given last year's sharp rise, it's a significant problem. One example of a high-profile Office 365 attack vector was last year's Locky attack. Let's examine the attack and some best practices to defend your environment against it.

    Anatomy of an Osiris/Locky Ransomware Attack

    In addition to Locky, a more recent iteration of it has emerged, which is called Osiris. Once an attacker reaches a user endpoint, the malware encrypts the hard drive and demands 0.5 to 2 Bitcoin to decrypt your data. At last fall's Ignite conference in Atlanta, Microsoft gave a detailed description of how the attack is executed (see Figure 1 and Figure 2).

    Figure 1. The path of the Locky/Osiris attack

    Figure 2. The flow of a ransomware attack following a successful phishing attempt

    1. The Attacker: Many attackers are now well-funded, professional hackers with advanced resources at their disposal. These aren't some high school kids in their parents' basement. Today's attacker usually spends 200+ hours curating all the resources and workflow of an attack. How many hours have you spent to secure your environment?

    2. Locky Attack Infrastructure: A typical Locky attack includes a command-and-control apparatus and a network of zombie computers (aka botnet). The command-and-control apparatus executes the workflow of the attack, while the botnets are a set of servers that have been compromised (unbeknownst to their owners) to send out millions of e-mails to the individuals who are targeted in the attack.

    3. Start Campaign: Attacks are organized into campaigns, and the command-and-control apparatus launches a campaign by directing the botnets to start sending out infected e-mails to targets.

    4. Update Payload: The Attacker knows the target e-mail servers will eventually block infected e-mails. Therefore, the attacker configures the command-and-control apparatus to morph the attack signature (aka update the attack payload) of the infected e-mails as the botnets continue to send them out. The attack signatures can morph as quickly as every five minutes, making it very difficult for target e-mail servers to identify any single attack signature and prevent the delivery of infected e-mail messages.

    5. Distribution of the Ransomware: When an infected e-mail is successfully delivered to a targeted individual, and the target subsequently opens the attachment and enables macros, malicious code is executed, which saves a downloader application to the machine and communicates back to the command-and-control apparatus to download the encryption code.

    6. Activating the Ransomware: Once the code starts encrypting, the command-and-control apparatus delivers the encryption code to the target's machine and encryption commences. At this point, the target computer is now owned and the user is completely locked out.

    The Evolution from Locky to Osiris

    Locky is an extremely sophisticated piece of ransomware that keeps evolving. As of April 2017, the latest iteration is known as Osiris (named for the Egyptian god). There are at least seven known iterations of the ransomware since it was discovered in February 2016. Each iteration is noted by the file extension used on encrypted files:

    • .locky -- February 2016
    • .zepto -- June 2016
    • .odin -- September 2016
    • .shit, .thor -- October 2016
    • .aesir -- November 2016
    • .zzzzz, .osiris -- December 2016

    Each iteration of the ransomware is more efficient, adding new features such as: dynamic command-and-control IP addresses, stronger encryption, and new infected message formats that get delivered and clicked through by targeted individuals.

    Strategy to Protect Office 365

    Now that you understand how this ransomware works, what can you do to protect your Office 365 environment and your users? It requires a comprehensive strategy to mitigate as many vulnerabilities as possible and to quickly detect and respond to a successful attack. Defense in breadth mitigates the vulnerabilities in your defense products and services, user training mitigates human vulnerabilities, and continuous monitoring allows you to detect and respond to successful attacks. Let's look at each of these components closer.
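    Step 5 of the attack chain above turns on one event: the target opens the attachment and enables macros. An added example follows (it is not from the article, from Microsoft, or from any Office 365 feature) showing the attachment triage logic a mail gateway or transport rule applies before that step can happen: it inspects the container rather than trusting the file extension, blocks Office Open XML packages that carry a VBA project, blocks scripts and executables whether bare or inside a zip, and sends legacy OLE documents (which cannot be cleared without parsing the VBA storage) for review. All sample files are constructed in memory by the helper functions; nothing here is a real document.

```python
import io
import zipfile
from pathlib import PurePosixPath

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"           # legacy .doc/.xls compound file
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".lnk"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppam"}


def classify_attachment(name, data):
    """Return (verdict, reasons) where verdict is 'block', 'review' or 'allow'."""
    ext = PurePosixPath(name.lower()).suffix
    reasons = []
    if ext in SCRIPT_EXT:
        reasons.append(f"script or executable attachment ({ext})")
        return "block", reasons
    if data[:8] == OLE_MAGIC:
        reasons.append("legacy OLE container; macros cannot be ruled out without parsing VBA storage")
        return "review", reasons
    if data[:2] == b"PK":                                  # Office Open XML and plain zips
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            reasons.append("corrupt zip container")
            return "review", reasons
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba:
            reasons.append("embedded VBA project: " + ", ".join(vba))
            return "block", reasons
        scripts = [n for n in names if PurePosixPath(n.lower()).suffix in SCRIPT_EXT]
        if scripts:
            reasons.append("script inside archive: " + ", ".join(scripts))
            return "block", reasons
        if ext in MACRO_EXT:
            reasons.append("macro-enabled extension but no VBA part; possible renaming")
            return "review", reasons
        return "allow", reasons
    return "allow", reasons


def make_office_zip(with_macro):
    """Constructed sample Office Open XML package for this example (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_zip(entries):
    """Constructed sample zip archive from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in [("invoice.docm", make_office_zip(True)),
                        ("report.docx", make_office_zip(False)),
                        ("scan.zip", make_zip({"scan.js": "WScript.Echo(1)"})),
                        ("old.doc", OLE_MAGIC + b"\x00" * 504)]:
        print(fname, classify_attachment(fname, blob))
```

    The point of checking the container rather than the name is that step 4 of the chain (the payload morphing every few minutes) changes hashes and lures, not the structural fact that a Word package with a `vbaProject.bin` part can run code when the user clicks "Enable Content". In Office 365 the equivalent production controls are mail flow rules and the attachment-scanning services the article goes on to discuss; this block shows the decision logic those rules encode.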


  5. #5
    WHT-BR Top Member
    Join Date
    Dec 2010

    IT Security Battle: Is Microsoft All You Need?

    As Microsoft bakes more security features into Windows, officials are telling customers they don’t need third-party endpoint protection tools. Working to make good on founder Bill Gates’ goal for Windows security, the Redmond-based software giant says it has closed that gap between what it offers on Windows 10 and what third-party security vendors provide. However, those vendors beg to differ.

    Read this free Redmond In-Depth Report to better understand the issues at stake and what Microsoft, industry watchers, and third-party anti-virus and security vendors have to say about:

    • Windows Defender
    • Windows Information Protection
    • Defender Advanced Threat Protection (ATP)

    Download this free report! (PDF | 7 Pages | 468 KB)
