Microsoft rolls out priority protection for critical accounts

Microsoft has launched Office 365 priority protection for accounts of high-profile employees such as executive-level managers who are most often targeted by threat actors.

The new feature was added to Microsoft Defender for Office 365 (formerly Office 365 ATP), which provides enterprise accounts with email protection against advanced threats such as business email compromise and credential phishing, as well as automated remediation of detected attacks.

Priority Account Protection enables an organization’s security team to give critical accounts custom-tailored protection measures against targeted attacks such as phishing, which could lead to severe breaches because these accounts have access to highly sensitive company data.

It allows prioritizing alerts and threat investigations involving an organization’s most targeted or visible executive-level users.

Priority account tags

Enterprise security teams can also identify attacks targeting critical Office 365 accounts more easily and quickly switch their efforts to campaign investigations involving C-suite users.

“These Priority account tags and filters will surface throughout the product, including in alerts, Threat Explorer, Campaign Views, and reports,” Microsoft previously said last month, when the feature was still in development.

Customers are required to have Defender for Office 365 Plan 2 subscriptions to get access to this new feature, including those with Office 365 E5, Microsoft 365 E5, or Microsoft 365 E5 Security.

Priority account alert

Microsoft has also announced the general availability of consent phishing protections for Office 365, including OAuth app publisher verification and app consent policies.

Redmond is also planning to add SMTP MTA Strict Transport Security (MTA-STS) starting next month to protect the integrity and confidentiality of Office 365 customers’ email communication.

Once launched, MTA-STS support will help protect Exchange Online users’ email against interception, STARTTLS downgrade and man-in-the-middle attacks: a receiving domain publishes a policy listing its MX hosts and requiring TLS, and a sending MTA that honours the policy refuses to deliver to any other host or over an unencrypted connection.
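To make the mechanism concrete, here is an added example (not code from the original post, and not Microsoft’s implementation) that parses an MTA-STS policy file in the RFC 8461 format and shows the decision a sending MTA takes for a given MX host. The policy text and the host names are constructed samples for a hypothetical domain; in practice the policy is fetched over HTTPS from `https://mta-sts.<domain>/.well-known/mta-sts.txt` after the `_mta-sts.<domain>` TXT record is seen.

```python
"""Parse an MTA-STS policy (RFC 8461) and decide whether mail may be sent.

Added example, not code from the original post or from Microsoft. The policy
text and MX host names are constructed samples for a hypothetical domain.
"""
from dataclasses import dataclass

# What a sending MTA fetches over HTTPS from
# https://mta-sts.<domain>/.well-known/mta-sts.txt (constructed sample).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class MtaStsPolicy:
    version: str
    mode: str
    mx: list
    max_age: int


def parse_policy(text: str) -> MtaStsPolicy:
    """Parse the key/value policy body; raise ValueError on what RFC 8461 forbids."""
    version = mode = max_age = None
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
        # Unknown keys are ignored so future extensions do not break senders.
    if version != "STSv1":
        raise ValueError("unsupported or missing version")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if mode != "none" and not mx:
        raise ValueError("at least one mx line is required unless mode is none")
    if max_age is None:
        raise ValueError("max_age is required")
    return MtaStsPolicy(version, mode, mx, max_age)


def mx_matches(hostname: str, pattern: str) -> bool:
    """RFC 8461 matching: a leading '*.' stands for exactly one leftmost label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".backup.example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return hostname == pattern


def delivery_decision(policy: MtaStsPolicy, mx_host: str, tls_ok: bool) -> str:
    """What the sender does with one MX: 'deliver', 'refuse' or 'deliver-and-report'.

    tls_ok means STARTTLS succeeded and the certificate validated for mx_host.
    A downgrade or MITM shows up as tls_ok=False or as an MX host not in the policy.
    """
    if any(mx_matches(mx_host, p) for p in policy.mx) and tls_ok:
        return "deliver"
    if policy.mode == "enforce":
        return "refuse"  # queue and try another MX; never fall back to plaintext
    if policy.mode == "testing":
        return "deliver-and-report"  # deliver anyway, but send a TLSRPT failure report
    return "deliver"  # mode none: the policy imposes nothing


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    for host, tls in [("mail.example.com", True), ("mail.example.com", False),
                      ("mx2.backup.example.com", True), ("attacker.example.net", True)]:
        print(f"{host:26} tls_ok={tls!s:5} -> {delivery_decision(pol, host, tls)}")
```

The important detail for operators is the `enforce` branch: once a domain publishes an enforcing policy, a sender that sees a spoofed MX record or a stripped STARTTLS capability refuses delivery instead of silently falling back to plaintext, which is exactly the downgrade the text describes. The `testing` mode lets a domain observe failures through TLSRPT before switching enforcement on.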

Cicada 🐞 Chinese state-sponsored

The hackers, most likely from a well-known group funded by the Chinese government, are outfitted with both off-the-shelf and custom-made tools. One such tool exploits Zerologon (CVE-2020-1472), a vulnerability that can give attackers instant administrator privileges on vulnerable domain controllers. Cicada, which is widely believed to be funded by the Chinese government, also goes by the names APT10 and Stone Panda.

Japan-linked organizations need to be on alert as it is clear they are a key target of this sophisticated and well-resourced group, with the automotive industry seemingly a key target in this attack campaign.

The attacks make extensive use of DLL side-loading, a technique in which attackers place a malicious DLL where a legitimate (often signed) application will load it in place of the library it expects, abusing the Windows library search order. Attackers use DLL side-loading to run their malware inside a trusted process so that security software is less likely to flag it.
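The defender’s side of that technique is recognisable in endpoint telemetry. The following is an added example (not code from the original post or from the Cicada report) that runs three side-loading heuristics over Sysmon Event ID 7 (Image loaded) records: a well-known Windows DLL name resolved outside the system directories, a DLL loaded from a user-writable path, and a DLL whose signature fails to verify. The events are constructed samples, the DLL name list is an illustrative subset, and the field names follow Sysmon’s ImageLoaded schema.

```python
"""Spot likely DLL side-loading in Sysmon Event ID 7 (Image loaded) records.

Added example, not code from the original post or from the Cicada report.
The events are constructed samples; field names follow Sysmon's
ImageLoaded schema (Image, ImageLoaded, Signed, Signature, SignatureStatus).
"""
import ntpath

# Where Windows' own libraries legitimately live (lower-case, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# User-writable locations an attacker can plant files in without admin rights.
WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Windows DLL names frequently impersonated by side-loaded payloads. Illustrative
# subset (assumption); a real rule set would be built from the fleet's inventory.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                    "cryptbase.dll", "mpr.dll", "userenv.dll"}


def _dir_of(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash, for prefix tests."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def classify(event: dict) -> list:
    """Return the reasons this load looks like side-loading (empty list = benign)."""
    dll = event["ImageLoaded"]
    dll_name = ntpath.basename(dll).lower()
    dll_dir = _dir_of(dll)
    reasons = []
    # 1. A Windows DLL name resolved outside the system directories: the search
    #    order found a planted copy (typically next to the host executable) first.
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded from outside the system directories")
    # 2. Any DLL loaded from a user-writable path: no admin rights needed to plant it.
    if dll_dir.startswith(WRITABLE_DIRS):
        reasons.append("DLL loaded from a user-writable location")
    # 3. The DLL carries a signature that does not verify. Sysmon reports "Valid"
    #    for good signatures and "Unavailable" for files that are simply unsigned.
    status = event.get("SignatureStatus", "Unavailable")
    if status.lower() not in ("valid", "unavailable"):
        reasons.append(f"signature status {status}")
    return reasons


def scan(events: list) -> list:
    """Return (host image, loaded DLL, reasons) for every suspicious event."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry (not real): one clean load and two planted DLLs.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\Public\\Libraries\\update.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\version.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\dbghelp.dll",
     "Signed": "true", "Signature": "Vendor Ltd", "SignatureStatus": "Errorchaining"},
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} loaded {dll}: {'; '.join(reasons)}")
```

Rule 1 is the one that catches the classic case in this campaign (a legitimate signed executable dropped next to a malicious `version.dll` or similar); rule 2 is noisier on developer workstations and is best scoped to servers, and rule 3 needs Sysmon’s signature verification enabled in its configuration.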

Microsoft patched Zerologon, a critical privilege-escalation vulnerability, in August 2020, but since then attackers have been using it to compromise organizations that have yet to install the update.

Threat Vector

  • Third-stage DLL has an export named “FuckYouAnti”
  • Third-stage DLL uses the CppHostCLR technique to inject and execute the .NET loader assembly
  • .NET loader is obfuscated with ConfuserEx v1.0.0
  • Final payload is QuasarRAT, an open-source backdoor used by Cicada in the past

It’s difficult to say how, when or where you might be attacked and compromised, whatever the geography. Stay safe and secure.

APT predictions for 2020, as they happened, and predictions for 2021

Trying to make predictions about the future is a tricky business. Below is what the researchers predicted for 2020, what actually happened, and what they expect next.

  • The next level of false flag attacks
    Olympic Destroyer, DeathStalker
  • From ransomware to targeted ransomware
    Attacks targeting mainly hospitals and universities
  • New online banking and payments attack vectors
    FIN7, Cobalt Group, Silence and Magecart, as well as APT threat actors such as Lazarus
  • More infrastructure attacks and attacks against non-PC targets
    Tunnel Snake, Mosaic Regressor
  • Increased attacks in regions that lie along the trade routes between Asia and Europe
    StrongPity4
  • Increasing sophistication of attack methods
    Geo-fencing of attacks, and third-party services used for hosting malware and for C2 communications
  • A further change of focus towards mobile attacks
    TwoSail Junk
  • The abuse of personal information: from deep fakes to DNA leaks
    Leaked or stolen personal information is being used more than ever before in up-close and personal attacks

Turning our attention to the future, these are some of the developments that we think will take center stage in the year ahead, based on the trends we have observed this year.

  • APT threat actors will buy initial network access from cybercriminals
  • More Silicon Valley companies will take action against zero-day brokers
  • Increased targeting of network appliances
  • The emergence of 5G vulnerabilities
  • Demanding money “with menaces”
  • More disruptive attacks
  • Attackers will continue to exploit the COVID-19 pandemic

Buer ☠️ Malware-as-a-service

A new malware-as-a-service offering has been discovered by cybersecurity firm Sophos, providing an alternative to other well-known malware loaders such as Emotet and BazarLoader. The loader, dubbed Buer, was seen being used to compromise Windows PCs, where it acts as a gateway for further attacks to follow.

“Buer was first advertised in August 2019 under the title ‘Modular Buer Loader’, described by its developers as ‘a new modular bot…written in pure C’ with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers),” Sophos said.

Buer comes with bot functionality specific to each download. The bots can be configured according to a variety of filters, including whether the infected machine is 32- or 64-bit, the country in which the victim is located, and what tasks the operator requires.

Sophos discovered Buer as the root cause of a Ryuk ransomware attack, with the malware delivered via Google Docs and requiring the victim to enable scripted content in order to work. In this respect, Buer mimics Emotet and other loader malware variants.

Buer is signed with a stolen certificate issued to a Polish software developer in order to evade detection, and it checks for the presence of a debugger to hinder forensic analysis.

Nevertheless, there are ways for individuals to protect themselves. Remaining cautious about phishing attacks is essential, as is ensuring that an up-to-date antivirus solution is installed.