Hasain Alshakarti

Principal Cyber Security Advisor, Influencer, Speaker, Author, Red Teamer, PKI Expert & Microsoft MVP at TRUESEC

Important reading: Attacking PowerShell CLIXML Deserialization

Using PowerShell’s CLIXML deserialization could lead to undesired effects, including remote code execution. Solutions, like PowerShell Remoting and PowerShell Direct (Hyper-V), rely on such deserialization and could make you vulnerable to this kind of attack.

https://www.truesec.com/hub/blog/attacking-powershell-clixml-deserialization

Attacking PowerShell CLIXML Deserialization

In this article, we will learn that using PowerShell's CLIXML deserialization could lead to undesired effects, including remote code execution.

Truesec

Recommended reading: A Preliminary Post Incident Review (PIR) by Crowdstrike about the Content Configuration Update Impacting the Falcon Sensor and the Windows Operating System (BSOD)

https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/

Falcon Content Update Remediation and Guidance Hub | CrowdStrike

Access consolidated remediation and guidance resources for the CrowdStrike Falcon content update affecting Windows hosts.

crowdstrike.com

The independent Cyber Safety Review Board (CSRB) concluded in a report that the theft of a Microsoft signing key should never have happened and that Storm-0558 was able to succeed because of a cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed!

"The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations"

https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

Recommended reading: Microsoft Incident Response lessons on preventing cloud identity compromise

https://www.microsoft.com/en-us/security/blog/2023/12/05/microsoft-incident-response-lessons-on-preventing-cloud-identity-compromise/

Microsoft Incident Response lessons on preventing cloud identity compromise | Microsoft Security Blog

In real-world customer engagements, Microsoft Incident Response (Microsoft IR) sees combinations of issues and misconfigurations that could lead to attacker access to customers’ Microsoft Entra ID tenants. Effective protection of a customer’s Entra ID tenant is less challenging than protecting an Active Directory deployment but does require governance and monitoring. Reducing risk and exposure of your most privileged accounts plays a critical role in preventing or detecting attempts at tenant-wide compromise.

Microsoft Security Blog

Recommended reading: A TOUCH OF PWN

There are many reasons why a fingerprint is not a good secret, but some are more fascinating and fun than others...

https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i

A Touch of Pwn - Part I

Blackwing Intelligence provides high-end security engineering, analysis, and research services for engineering focused organizations

Recommended reading: Malware distributor Storm-0324 facilitates ransomware access

https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/

Malware distributor Storm-0324 facilitates ransomware access | Microsoft Security Blog

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool […]

Microsoft Security Blog

Interesting reading: Results of Major Technical Investigations for Storm-0558 Key Acquisition

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center

Results of Major Technical Investigations for Storm-0558 Key Acquisition

Microsoft expands cloud logging accessibility and flexibility even further. Over the coming months, access to wider cloud security logs for worldwide customers will be included at no additional cost 👏

https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility

How Microsoft is expanding cloud logging to give customers deeper security visibility | Microsoft Security Blog

Today we are expanding Microsoft’s cloud logging accessibility and flexibility even further. Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost.

Microsoft Security Blog

Recommended reading: Analysis of Storm-0558 techniques for unauthorized email access - Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com!

https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog

Analysis of the techniques used by the threat actor tracked as Storm-0558 for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics. 

Microsoft Security Blog

Recommended reading: Storm-0978 (DEV-0978; also referred to as RomCom) attacks reveal financial and espionage motives, by Microsoft Threat Intelligence

https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/

Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog

Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a zero-day remote code execution vulnerability exploited via Microsoft Word documents.

Microsoft Security Blog