Microsoft unifies Defender umbrella… Ignite 2020

Defender is getting ignited: more products are being brought under one umbrella. Windows Defender was first renamed Microsoft Defender in early 2020; this announcement continues that unification of the product line.

The products are grouped into two lines: Microsoft 365 Defender for endpoints and Azure Defender for cloud infrastructure.

Microsoft 365 Defender line will include:

Microsoft 365 Defender
Microsoft Defender for Endpoint
Microsoft Defender for Office 365
Microsoft Defender for Identity

Azure Defender line will include:

Azure Defender for Servers
Azure Defender for IoT
Azure Defender for SQL

It has been hard to follow the product portfolio since these products were introduced, and difficult to keep track of them. Going forward, there will be Microsoft Defender and Azure Sentinel.

Microsoft Defender will be Microsoft’s XDR product, while Azure Sentinel will be the company’s SIEM line.

XDR stands for eXtended Detection and Response and is a cyber-security term that refers to products that detect and respond to active threats on endpoints .

SIEM stands for Security Information and Event Management and is a cyber-security term that refers to web applications that aggregate logs from all devices in order to analyze large quantities of data from a vantage point and search for anomalies and signs of a security breach.

Azure Sentinel is deeply integrated with Microsoft Defender so you can integrate your XDR data in only a few clicks and combine it with all your security data from across your entire enterprise.

Microsoft believes that defenders can benefit from using deeply integrated SIEM and XDR for end-to-end visibility and prioritized actionable insights across all your enterprise assets.

North Korea or Russia: where does Lazarus belong?

North Korean state-sponsored cybercriminals have been time and again accused of buying access to pre-hacked servers from other threat actors. However, lately, connections have emerged between the North Korea-based Lazarus APT group and some of the prominent Russian-speaking cybercriminal groups.

TrickBot, Dridex, and TA505 are threat groups linked to various Russian-speaking threat actors who sell access to victims’ systems on the dark web. Lazarus has occasionally been found using TrickBot’s code in its attacks.

TrickBot is a privately run Malware-as-a-Service (MaaS) offering, which can be accessed only by top-tier threat actors.

TA505 is a cybercriminal group that has purchased a huge number of tools from the underground.

According to a report by LEXFO, past Lazarus infections have been spotted coexisting with TrickBot and Emotet, and TA505 and Lazarus IOCs were found together in bank networks.

North Korea-based hackers may “be working with or contracting out to criminal hacking groups, like TA505, for initial access development.”

Based on the different incidents, experts assess that there is a connection between Lazarus and Russian-speaking cybercriminals.

TrickBot appears to possess a treasure trove of compromised accesses that Lazarus can definitely leverage.

It is very likely that threat actors with access to TrickBot infections are in touch with North Korean state-sponsored hackers. Knowing that there is a link between different threat actors provides defenders an opportunity to identify a potential second problem when the first one occurs.

Aruba ClearPass RCE: authentication bypassed

A critical vulnerability has been patched in Aruba ClearPass Policy Manager that exposes host systems to remote exploitation.

The flaw is classed as an unauthenticated remote code execution (RCE) vulnerability in Aruba ClearPass Policy Manager, software that acts as a secure access gatekeeper for IoT, bring-your-own-device (BYOD), and guest devices on corporate networks.

The flaw is tracked as CVE-2020-7115 and has been issued a CVSS score of 8.1.

Certificate validation

When a client certificate is uploaded to an endpoint, ClearPass, which relies on the OpenSSL library, copies its contents to a temporary file in the /tmp/ directory, created with Java’s createTempFile function.

This function gives the file a random name and a fixed extension. The software then attempts to validate the client certificate “by determining whether a password parameter in the request is able to decrypt the certificate”, the researcher explains.

This is performed by passing the temporary file name and password as arguments to a shell script. The “password” argument, however, is not quoted properly.

In addition, while not knowing the randomly generated file name might seem a barrier to exploitation, the shell expands the wildcard character “*” into a valid path when the script runs, so the name does not need to be known.

Therefore, if a file is placed on disk that can be interpreted as an OpenSSL engine file, attackers can control “-engine” arguments and execute arbitrary code, bypassing existing authentication processes on public-facing systems.
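The two shell behaviours the write-up relies on, word splitting of an unquoted variable and glob expansion of “*”, are easy to see directly. The following is an added example and is not ClearPass code or the researcher’s proof of concept: it runs two constructed stand-in helper scripts under /bin/sh (assumed to be present), one that forwards its argument unquoted and one that quotes it, checks what an unquoted “*” expands to against a randomly named temporary file, and shows the caller-side check that should accompany proper quoting.

```python
"""Added example (not ClearPass code): unquoted vs quoted shell arguments."""
import os
import subprocess
import tempfile

# Constructed stand-ins for a validation helper script. Each defines count(),
# which prints how many positional arguments it received, then forwards $1 to
# it either unquoted (the bug class described above) or quoted (the fix).
UNQUOTED_HELPER = 'count() { echo "$#"; }; pw=$1; count $pw'
QUOTED_HELPER = 'count() { echo "$#"; }; pw=$1; count "$pw"'


def _run_sh(script: str, *args: str) -> str:
    """Run `script` under /bin/sh with `args` as its positional parameters ($1...).

    The value is passed as a separate argv element, never interpolated into the
    script text, which is the correct way for a caller (such as Java code) to
    hand untrusted data to a shell script."""
    proc = subprocess.run(["sh", "-c", script, "sh", *args],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def args_seen(helper: str, value: str) -> int:
    """How many arguments count() received when `value` arrived as $1."""
    return int(_run_sh(helper, value))


def glob_demo() -> tuple:
    """Create a randomly named temp file (as createTempFile would) and pass
    '<dir>/*' through the shell unquoted and quoted.

    Returns (unquoted_expanded_to_real_file, quoted_stayed_literal)."""
    with tempfile.TemporaryDirectory() as d:
        fd, real = tempfile.mkstemp(suffix=".pem", dir=d)
        os.close(fd)
        pattern = os.path.join(d, "*")
        unquoted = _run_sh('echo $1', pattern)    # shell globs: random name found
        quoted = _run_sh('echo "$1"', pattern)    # no globbing: literal "*"
        return (unquoted == real, quoted == pattern)


def password_arg_is_safe(value: str) -> bool:
    """Caller-side check to pair with quoting in the script: a value starting
    with '-' is still read as an option by many command-line tools even when
    quoted, and NUL bytes cannot be passed through argv at all."""
    return bool(value) and not value.startswith("-") and "\0" not in value


if __name__ == "__main__":
    print("unquoted helper saw", args_seen(UNQUOTED_HELPER, "one two three"), "args")
    print("quoted helper saw", args_seen(QUOTED_HELPER, "one two three"), "args")
    print("glob expansion (unquoted hit file, quoted literal):", glob_demo())
```

The takeaways for anyone writing such a helper are the ones the write-up implies: quote every expansion (`"$1"`), disable globbing (`set -f`) where a path is not meant to be a pattern, pass values as separate argv elements rather than building a command string, and reject option-shaped values before they reach a tool that accepts flags such as OpenSSL. A random temporary file name is not a security boundary once the shell is allowed to expand a caller-supplied pattern.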

“Upon successful bypass, an attacker could then execute an exploit that would allow remote command execution in the underlying operating system,” the researcher adds.

The vulnerability has now been resolved with the release of Aruba ClearPass Policy Manager version 6.9.1.

The PoC is limited and will only work once as it relies on passing multiple clientCertFiles as arguments, an invalid mechanism to call OpenSSL.

“An attacker could easily use this bug to compromise any publicly exposed ClearPass instances that haven’t been patched,” Jensen commented. “Hopefully, the majority of public-facing instances are fixed.”

In addition to CVE-2020-7115, the networking vendor has also released patches for CVE-2020-7116 and CVE-2020-7117 vulnerabilities.

While these bugs can also be used to compromise the underlying operating system, attackers must be authenticated, which greatly limits the risk posed by the vulnerabilities.

Maze infects via VM 🐾

The gang responsible for the Maze ransomware family conducted an attack in which they distributed their malware payload inside of a virtual machine (VM).

The attackers packaged the ransomware payload inside of a Windows .msi installer file that was more than 700MB in size and distributed it onto the VM’s virtual hard drive.

(Figure: A look inside the Maze-delivered VM, with the 495KB ransomware payload clearly visible. Source: Sophos MTR)

An investigation into the attack revealed that the malicious actors had been present on the targeted organization’s network for at least six days prior to distributing their ransomware payload. During that period, they had built lists of internal IP addresses, used one of the organization’s domain controller servers and exfiltrated information to a data leak site.

This dwell time could explain certain configuration choices in the Maze-delivered VM. As Sophos’ MTR writes in its research:

The virtual machine was, apparently, configured in advance by someone who knew something about the victim’s network, because its configuration file (“micro.xml”) maps two drive letters that are used as shared network drives in this particular organization, presumably so it can encrypt the files on those shares as well as on the local machine. It also creates a folder in C:\SDRSMLINK\ and shares this folder with the rest of the network.
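The details in that quote (an unusually large .msi installer, a VM configuration that maps the host’s network-mapped drives into the guest, and a new C:\SDRSMLINK share) are each observable on the host and make useful detection rules. The following is an added example, not Sophos’ or the attackers’ code: it runs three such rules over constructed host telemetry events. The 500 MB installer threshold is an assumption chosen to catch the 700MB+ installer described, and the VM config parser assumes a VirtualBox-style `<SharedFolder hostPath="..."/>` element; a different hypervisor format would need its own parser.

```python
"""Added example: host-side detection rules for VM-delivered ransomware."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Assumed threshold: installers this large are rare and worth a closer look.
MSI_SIZE_THRESHOLD = 500 * 1024 * 1024
# Folder name taken from the Sophos quote above (compared case-insensitively).
SUSPICIOUS_SHARE = "c:\\sdrsmlink"
# Host paths worth flagging when mapped into a guest: a bare drive root (E:\)
# or a UNC path (\\server\share); both expose shared data to the guest.
_HOST_SHARE_RE = re.compile(r"^(?:[A-Za-z]:\\?$|\\\\[^\\]+\\[^\\]+)")


def vm_config_mapped_shares(xml_text: str) -> List[str]:
    """Return host paths that a VM configuration exposes to the guest.

    Assumes VirtualBox-style <SharedFolder hostPath="..."/> elements."""
    root = ET.fromstring(xml_text)
    return [el.attrib["hostPath"] for el in root.iter()
            if _HOST_SHARE_RE.match(el.attrib.get("hostPath", ""))]


def analyse(events: List[Dict]) -> List[Tuple[str, str]]:
    """Apply three rules to host telemetry events and return (rule, path) hits."""
    findings = []
    for ev in events:
        path = ev.get("path", "")
        low = path.lower()
        if (ev["type"] == "file_write" and low.endswith(".msi")
                and ev.get("size", 0) > MSI_SIZE_THRESHOLD):
            findings.append(("oversized_msi", path))
        elif ev["type"] == "file_write" and low.endswith(".xml") and "content" in ev:
            if vm_config_mapped_shares(ev["content"]):
                findings.append(("vm_config_maps_host_shares", path))
        elif ev["type"] == "share_create" and low.rstrip("\\") == SUSPICIOUS_SHARE:
            findings.append(("sdrsmlink_share", path))
    return findings


# Constructed sample events (not from the incident): a 734 MB installer, a VM
# config mapping the host's D: and E: drives, the SDRSMLINK share, and a
# normal-sized installer that should not be flagged.
SAMPLE_EVENTS = [
    {"type": "file_write", "path": "C:\\Users\\Public\\update.msi",
     "size": 734 * 1024 * 1024},
    {"type": "file_write", "path": "C:\\Users\\Public\\vm\\micro.xml",
     "content": ('<VirtualBox><Machine><SharedFolders>'
                 '<SharedFolder name="share_d" hostPath="D:\\" writable="true"/>'
                 '<SharedFolder name="share_e" hostPath="E:\\" writable="true"/>'
                 '</SharedFolders></Machine></VirtualBox>')},
    {"type": "share_create", "path": "C:\\SDRSMLINK\\"},
    {"type": "file_write", "path": "C:\\Windows\\Temp\\setup.msi",
     "size": 12 * 1024 * 1024},
]


if __name__ == "__main__":
    for rule, path in analyse(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

None of the three rules is conclusive on its own (large installers and shared folders have legitimate uses), but a hypervisor appearing on a host that has no business running one, with a guest that sees the host’s network drives, is exactly the combination the write-up describes, and the rules are cheap enough to run on endpoint file and share telemetry.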

The campaign described above wasn’t the first instance in which attackers have delivered ransomware inside a virtual machine. Sophos’ MTR had earlier spotted the Ragnar Locker crypto-malware family pulling the same trick.

The virtual machine in that attack ran Windows XP as opposed to the Windows 7 instance on the VM containing Maze. Furthermore, the latter VM was larger in size in order to support additional functionality.

Backup! Backup! Backup! But backups alone are not enough … a hygienic cyber policy is required too.