Microsoft Threat Intelligence

Computer & Network Security

We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

About us

The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.

Website
https://aka.ms/threatintelblog
Industry
Computer & Network Security
Company size
10,001+ employees
Specialties
Computer & network security, Information technology & services, Cybersecurity, Threat intelligence, Threat protection, and Security

Updates

  43,043 followers

  • To help defenders get better access to relevant threat intelligence articles, the Microsoft Defender XDR portal home page now displays featured Microsoft Defender Threat Intelligence (MDTI) articles to highlight noteworthy Microsoft content. The Intel explorer page now also has an article digest that notifies users of new MDTI articles that were published since they last accessed the portal. These capabilities will help users stay up to speed with the latest analysis of threat activity observed by Microsoft. MDTI articles provide insight into threat actors, tooling, attacks, and vulnerabilities, and link to actionable content and key indicators of compromise (IOCs) to help users in intelligence gathering, triage, incident response, and hunting efforts. Learn more about MDTI articles from our documentation: https://msft.it/6040mPaZM https://msft.it/6041mPaZ3

  • Microsoft has observed threat actors in North Korea diversifying their attacks that aim to gather intelligence and generate revenue in support of the North Korean regime. Onyx Sleet has been observed to now support both intelligence gathering and revenue generation for North Korea, conducting cyber espionage through numerous campaigns and more recently deploying ransomware in their attacks. Unlike other North Korean threat actors, Onyx Sleet uses a combination of custom and off-the-shelf tools in their attacks. The threat actor is also closely affiliated with Storm-0530, a group that calls itself H0lyGh0st, and is known to launch ransomware attacks against a wide range of targets. Another North Korean threat actor Microsoft tracks as Citrine Sleet is observed to particularly focus on cryptocurrency theft for financial gain. While the actor has been commonly observed to use its own malware known as AppleJeus, which aims to steal their targets’ cryptocurrency assets, Microsoft recently identified Citrine Sleet exploiting a zero-day vulnerability in Chromium to gain remote code execution and launch the sophisticated rootkit FudModule. In this episode of the Microsoft Threat Intelligence podcast, Microsoft Threat Intelligence researchers share their findings in tracking Onyx Sleet and Citrine Sleet, as well as their insights on the potential driving forces behind the changes in observed tactics. Listen to the full episode here, hosted by Sherrod DeGrippo: https://msft.it/6049mOdB3 Learn more about Onyx Sleet and Citrine Sleet from our blog posts: https://msft.it/6040mOdBO https://msft.it/6041mOdBP

    Citrine and Onyx Sleet: An Inside Look at North Korean Threat Actors

    thecyberwire.com

  • Defending against cyberattacks hinges on the ability to correlate alerts at scale across numerous sources and alert types. The Microsoft unified security operations platform, which brings together Microsoft Defender XDR and Microsoft Sentinel, allows defenders to have unified incidents and unified hunting with Microsoft Defender XDR, streamlining their investigations and reducing context switching. Through the unified security operations platform, defenders can use Microsoft Copilot for Security features such as incident summaries, guided investigations, script analysis, and advanced hunting on Microsoft Sentinel data. This will also allow defenders to seamlessly handle the vast complexities of alert correlation across numerous enterprises by leveraging data from Defender workloads and third-party sources ingested by Microsoft Sentinel. By leveraging a unified platform that consolidates alerts across multiple workloads, organizations benefit not only from streamlining their security operations but also gain deeper insights into potential threats and vulnerabilities. Learn more about the integration of Microsoft Defender XDR and Microsoft Sentinel through the Microsoft unified security operations platform in the Microsoft Defender portal through our documentation pages: https://msft.it/6047mGZLh https://msft.it/6048mGZ06

    Microsoft Defender XDR integration with Microsoft Sentinel

    learn.microsoft.com

  • Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution (RCE) in the Chromium renderer process. Our assessment of ongoing analysis and observed infrastructure attributes this activity to Citrine Sleet, a North Korean threat actor that commonly targets the cryptocurrency sector for financial gain. Google released a fix for the vulnerability, and users should ensure they are using the latest version of Chromium. We thank the Chromium team for their collaboration in addressing this issue. Read our blog to get more information about Citrine Sleet and the observed tactics, techniques, and procedures (TTPs) used to exploit CVE-2024-7971, as well as recommendations for mitigating and protecting against this activity. https://msft.it/6043l7qAH

    North Korean threat actor Citrine Sleet exploiting Chromium zero-day | Microsoft Security Blog

    microsoft.com

  • The threat actors behind Black Basta ransomware have been making changes to their initial access vectors, becoming less reliant on email-related techniques and employing methods such as SEO poisoning and malvertising in some campaigns. In one campaign observed by Microsoft earlier this year, threat actors combined impersonation through vishing, misuse of remote monitoring and management (RMM) tools, malicious links sent over Microsoft Teams leading to adversary-in-the-middle (AiTM) landing pages, and use of malicious payloads to deploy ransomware. Microsoft has also observed other threat actors expanding their techniques by using large language models (LLMs) to operationalize their campaigns. Threat actors such as Forest Blizzard, Emerald Sleet, Crimson Sandstorm, and others were observed using LLMs to conduct research on their targets, improve their social engineering attacks, and troubleshoot their code. Hear more from Microsoft security researchers Anna Seitz and Daria-Romana P. as they discuss the details of these developments with Microsoft Threat Intelligence Podcast host Sherrod DeGrippo: https://msft.it/6040lApX6

    Black Basta and the Use of LLMs by Threat Actors

    thecyberwire.com

  • Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor named Tickler in attacks against the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. Tickler is capable of running various commands and collecting information from target devices. Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group’s victimology and operational focus. Peach Sandstorm was also observed to launch password spray attacks against their targets and leverage compromised accounts to procure operational infrastructure. The attacker-controlled infrastructure is then used as command-and-control (C2) for Peach Sandstorm operations. Microsoft also observed intelligence gathering and possible social engineering targeting organizations within the higher education, satellite, and defense sectors via LinkedIn. Our blog presents information on Peach Sandstorm's use of Tickler and the threat actor's evolving tradecraft, as well as guidance for how organizations can harden their attack surfaces against related attacks. https://msft.it/6042lfpyI

    Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations | Microsoft Security Blog

    https://www.microsoft.com/en-us/security/blog

  • Microsoft researchers examined anonymized and aggregated security patch level data from millions of Android devices enrolled with Microsoft Intune to gain insights into the availability and adoption of Android security updates across different device models. Mobile devices are targeted by threat actors in part due to their prevalence, access to enterprise networks and resources, and unique attributes like portability, ubiquitous network connectivity, and sensor capabilities. Concerns around the lifecycle for Android security updates frequently appear in mobile security discussions. As with any platform, vulnerabilities are found in Android that require timely patching to mitigate exploitation by threat actors, though Android's extensibility and device diversity from various original equipment manufacturers (OEMs) create security update complexities. We uncovered that the majority (61) of the top 100 (by Intune enrollment) device models had security updates made available during the month of Google's Android security bulletin release or the following month. Additionally, the majority of these Intune-enrolled devices had the updates installed during the same or following month that they became available from the OEM. Notably, though, 32 device models had a difference of two months or more since the latest patch level release, and 6 of those 32 models had a difference of 10 months or more. Learn more about the security update lifecycle for Android as well as our findings and recommendations for users and enterprises to ensure Android devices remain updated against discovered vulnerabilities: https://msft.it/6045l4OkS

    Research Analysis and Guidance: Ensuring Android Security Update Adoption

    techcommunity.microsoft.com

  • Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, discusses SIM swapping, AI exploits, and defensive strategies in this interview with Information Security Media Group (ISMG).
