New Containment Feature for Microsoft Defender

Microsoft has introduced a new feature for Microsoft Defender for Endpoint (MDE) aimed at helping organizations contain cyberattacks carried out through compromised devices. Such devices are typically used for lateral movement, the technique attackers use to move deeper into a network after initial access. The feature allows network administrators to contain a Windows device when a compromise is confirmed or suspected: Microsoft Defender then blocks incoming and outgoing communication with the contained device. This significantly limits what an attacker can do, since they can no longer move across the organization’s network.


“New functional features of Microsoft Defender will protect the devices neighboring those compromised, as the latter will be simply isolated,” stated Microsoft. 

Containing a device with the new feature is quite simple. First, go to the Device Inventory page and select the device to be contained. Then, choose the ‘Contain device’ option from the Actions menu of the device and confirm the action.


In the meantime, security operations analysts will be able to locate, identify, and remediate a threat on the compromised device. However, there is one important caveat for this new feature’s functionality: blocking incoming and outgoing communications for a contained device is currently supported only on Windows 10 and Windows Server 2019+ systems.


Symbiote: New Super Stealthy Malware Infects Linux Systems

This Thursday, cybersecurity researchers from Intezer and BlackBerry Threat Research & Intelligence reported the discovery of a new malware, dubbed Symbiote due to its “parasitic nature”. It targets Linux systems, infecting all running processes, and steals account credentials to provide backdoor access. Malware operators can get SSH access to the machine via PAM services and gain root privileges on the system.  


The joint team discovered Symbiote several months ago. The malware is not a typical executable but a shared object (SO) library. It is loaded into running processes via LD_PRELOAD, which gives it priority over other shared objects. This strongly differentiates Symbiote from other Linux malware, which typically attempts to compromise loaded processes. “Since the malware operates as a user-land level rootkit, detecting an infection may be difficult,” one researcher noted.


The first sample of Symbiote dates from November 2021 and was most likely developed to attack financial institutions in Latin America. Given its stealth, there is a high likelihood that the malware has been used elsewhere as well.


Symbiote has some distinctive features; above all, it is impressively stealthy. It relies on the Berkeley Packet Filter (BPF): it injects itself into the process of any inspection software and uses BPF to filter out results that would reveal it. Because it is loaded before other dynamic objects, it can hook libc and libpcap functions to hide its presence. Connection entries are constantly scrubbed, and linked files are hidden. Last month we wrote about another malware that uses BPF, called BPFDoor. However, Symbiote is a new family, as researchers concluded after a thorough code study.


As noted, Symbiote is hard to detect, but some hints are available. Network telemetry can reveal anomalous DNS requests. Experts also recommend that security tools be statically linked so that they cannot be infected by user-land rootkits.
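The two defender-side checks this passage recommends can be automated. The script below is an added example, not code from the article or from the Intezer/BlackBerry research: it reports processes whose environment carries LD_PRELOAD, parses /etc/ld.so.preload, and inspects an ELF64 image for the program headers (PT_INTERP, PT_DYNAMIC) that mark it as dynamically linked, which is what decides whether a security tool is exposed to preloading at all. It assumes a standard Linux /proc layout and ELF64 binaries; the ELF image built by build_minimal_elf64 is constructed test input, not a real binary.

```python
# Added example (not from the article or from the Intezer/BlackBerry research):
# defender-side checks for LD_PRELOAD-style user-land rootkits on Linux.
# Assumptions: standard /proc layout, ELF64 binaries; sample inputs below are constructed.
import os
import struct
import sys
from typing import Dict, List, Optional

PT_DYNAMIC = 2  # program header types from the ELF specification
PT_INTERP = 3


def preload_entries_from_environ(environ_blob: bytes) -> List[str]:
    """Extract LD_PRELOAD entries from a /proc/<pid>/environ-style NUL-separated blob.
    The dynamic loader accepts ':' and whitespace as separators, so both are honoured."""
    for item in environ_blob.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in value.replace(":", " ").split() if p]
    return []


def preload_entries_from_file(text: str) -> List[str]:
    """Parse /etc/ld.so.preload content: whitespace-separated paths, '#' starts a comment."""
    entries: List[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def is_dynamically_linked_elf(data: bytes) -> Optional[bool]:
    """Return True if an ELF64 image has a PT_INTERP or PT_DYNAMIC program header
    (and is therefore subject to LD_PRELOAD), False if it is statically linked,
    None if the bytes are not an ELF64 image."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2:
        return None
    fmt = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little endian
    (e_phoff,) = struct.unpack_from(fmt + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(fmt + "HH", data, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        (p_type,) = struct.unpack_from(fmt + "I", data, off)
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return True
    return False


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk /proc and report processes whose environment carries LD_PRELOAD."""
    findings: Dict[int, List[str]] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                entries = preload_entries_from_environ(fh.read())
        except OSError:            # process exited, or not readable without privileges
            continue
        if entries:
            findings[int(pid)] = entries
    return findings


def build_minimal_elf64(dynamic: bool) -> bytes:
    """Constructed test input: an ELF64 header plus one program header (not a runnable binary)."""
    header = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    p_type = PT_INTERP if dynamic else 1        # 1 = PT_LOAD
    phdr = struct.pack("<IIQQQQQQ", p_type, 4, 0, 0, 0, 0, 0, 0)
    return header + phdr


if __name__ == "__main__":
    # Live checks on the host this runs on; both sources are empty on a healthy system.
    try:
        with open("/etc/ld.so.preload") as fh:
            print("ld.so.preload:", preload_entries_from_file(fh.read()))
    except OSError:
        print("ld.so.preload: absent")
    print("processes with LD_PRELOAD:", scan_proc())
    # Is the tool itself exposed to preloading? Check a constructed image and the interpreter.
    print("constructed dynamic image:", is_dynamically_linked_elf(build_minimal_elf64(True)))
    with open(os.path.realpath(sys.executable), "rb") as fh:
        print("interpreter dynamically linked:", is_dynamically_linked_elf(fh.read(4096)))
```

Two caveats follow from the article itself: a rootkit that hooks libc can lie to a dynamically linked scanner (including this one, if run under a compromised libc), so the checks are only trustworthy from a statically linked tool or from outside the host, and an empty result does not prove absence, since preload entries can also be injected without touching /etc/ld.so.preload or the environment.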


Ransomware Wreaks Havoc in Palermo

The municipality of Palermo, a city in Southern Italy, has been the victim of a massive cyberattack likely involving ransomware. 

Palermo has about 1.3 million inhabitants and welcomes more than 2 million tourists annually. All of them have been seriously affected by the attack, which hit a broad range of digital services delivered daily to citizens and visitors. The public video surveillance system, the police operations center, and all municipal services went offline and could not be restored for several days despite the efforts of the IT teams involved.

Currently all municipal digital services are unavailable, and public offices can only be reached by fax, evoking the previous century. Online ticket bookings for museums, theatres, and sports events are also unavailable, a major issue for a city reliant on tourism income. Worse still, the “limited traffic zone card” service was also hit, dramatically adding to the inconvenience, since both locals and visitors need the card to enter the historic city center.

The pro-Russian hacker group Killnet has recently threatened Italy with cyberattacks and was mentioned in connection with the Palermo incident. However, Killnet's typical weapon is DDoS, whereas Palermo's public services were reportedly hit with ransomware.

The councillor for innovation in Palermo has stated that all systems have been shut down and isolated from the network. This is the recommended response in such cases, as it prevents the malware from spreading. However, judging by the warning that the outage would last a while, we may assume that the state of the backup and restore policy will prove questionable once the municipality of Palermo has dealt with the consequences of the incident.

Analysis of such successful cyberattacks underscores how critical reliable backup and restore programs are for any organization that provides essential public or business services. They should be designed and implemented by a recognized cybersecurity consultancy and service provider.

Microsoft Has Issued a CVE for the “Follina” Zero-Day Vulnerability

Cybersecurity experts are raising the alarm about a zero-day remote code execution vulnerability in Microsoft Office, dubbed “Follina”. It surfaced after the nao_sec team came across the 05-2022-0438.doc Word file, which had been submitted to VirusTotal from a Belarusian IP address.

This vulnerability allows an attacker to run arbitrary code with the privileges of the calling application: the Microsoft Support Diagnostic Tool (MSDT) is invoked through its URL protocol from an application such as Microsoft Word. The attacker can then install programs; view, change, or delete data; or create new accounts, as far as the user’s rights allow. The biggest problem is that Word will run the code through MSDT even if macros are disabled. This has been demonstrated despite Microsoft's claims that Protected View or Application Guard could prevent the current attack.

This vulnerability affects all supported Windows versions and several Office versions, including Office 2013, 2016, and 2021. Unfortunately, no patch is available yet, and malicious files delivered through email or other initial access methods do not trigger an antivirus/EDR response. The temporary mitigation offered by Microsoft consists of a Defender for Endpoint attack surface reduction rule and Defender Antivirus build 1.367.719.0 or newer.

The following Microsoft 365 Defender alerts are reported to indicate possible exploitation of this vulnerability: “Suspicious behavior by an Office application” and “Suspicious behavior by Msdt.exe”.

We are now waiting for immediate action from security vendors. In the meantime, PoC code samples that help identify exposure can be used to respond to the threat promptly; these samples are already publicly available on GitHub.
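Because malicious documents of this kind reach the mailbox without tripping antivirus, a defender's first question is often whether a given .docx carries the indicators described above. The script below is an added example, not code from the article, from nao_sec, or from Microsoft: it opens an Office Open XML package offline and reports two things, relationship entries whose target is external and not an ordinary hyperlink, and any part that embeds the ms-msdt: URL scheme the article mentions. The documents it triages here are constructed in memory by build_sample_docx; the relationship types are the standard OOXML ones, and everything else (URLs, marker text) is made up for the test.

```python
# Added example (not from the article, nao_sec, or Microsoft): offline triage of an
# Office Open XML (.docx) file for the indicators a defender would look for in
# Follina-style documents: an external, non-hyperlink relationship target and the
# ms-msdt: URL scheme. The sample documents are constructed in memory.
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_SCHEME = b"ms-msdt:"


def external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels part, relationship Type, Target) for every TargetMode="External" entry."""
    found: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def parts_mentioning_msdt(docx_bytes: bytes) -> List[str]:
    """Return every part whose raw content contains the ms-msdt: scheme (case-insensitive)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [n for n in zf.namelist() if MSDT_SCHEME in zf.read(n).lower()]


def triage(docx_bytes: bytes) -> Dict[str, object]:
    """Combine both checks. Ordinary hyperlinks are external relationships too,
    so only non-hyperlink external targets count as an indicator."""
    externals = external_relationships(docx_bytes)
    non_hyperlink = [(part, target) for part, rtype, target in externals if rtype != HYPERLINK_TYPE]
    msdt_parts = parts_mentioning_msdt(docx_bytes)
    return {
        "verdict": "suspicious" if non_hyperlink or msdt_parts else "clean",
        "external_targets": non_hyperlink,
        "msdt_parts": msdt_parts,
    }


def build_sample_docx(external_target: Optional[str] = None, body_text: str = "hello") -> bytes:
    """Constructed minimal .docx: one ordinary hyperlink relationship and, optionally,
    an external OLE relationship pointing at external_target. Test input only."""
    rels = [f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="https://example.invalid/" TargetMode="External"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_TYPE}" Target="{external_target}" TargetMode="External"/>')
    doc_rels = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>'
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", f'<?xml version="1.0"?><Relationships xmlns="{RELS_NS}"/>')
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # triage a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:                                       # otherwise walk the constructed samples
        print(triage(build_sample_docx()))
        print(triage(build_sample_docx(external_target="http://example.invalid/constructed.html")))
        print(triage(build_sample_docx(body_text="constructed marker: ms-msdt:")))
```

Read the two indicators differently. The external-target check is the useful one for mail-gateway or DFIR triage, since a document that pulls content from a remote host is unusual in most environments and is worth quarantining on its own; the ms-msdt: string check only catches documents that embed the scheme directly, so its absence says nothing. Neither replaces the Defender alerts and the ASR rule the article lists, which observe the behaviour at execution time rather than the file on disk.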

Stay with Soteryan for timely and actionable advice on malware, Zero-day vulnerabilities, and more cybersecurity expertise from your reliable partner. 

Lumos: Identify and Locate Hidden IoT Devices

Information security involves more than just malware. Leaks of sensitive personal information often occur through IoT devices hidden in unfamiliar environments. These devices, including tiny cameras, microphones, and speakers, are increasingly used to snoop on users in hotel rooms and Airbnb rentals. The number of scandals linked to such leaks is snowballing, and the problem is now recognized as a grave threat to privacy globally.

As a solution, a team of cybersecurity experts has developed Lumos, a system designed to identify and locate IoT spying devices.

Lumos can identify Wi-Fi-connected IoT devices and visualize their presence through an augmented reality interface. It functions as a sniffer for encrypted packets transmitted over wireless channels. Lumos does not need IP/DNS-layer information or Wi-Fi channel assignments to identify IoT devices; it uses phone sensors and wireless signal strength measurements to locate them. Lumos runs on commodity user devices, such as notebooks or phones, making it extremely handy for tourists and frequent business travellers.

The system has been tested on around 44 devices in 6 different environments and shows an impressive 95% identification accuracy. The median location error was below 1.5 m, demonstrated in a 1,000 sq. ft. apartment. Lumos adds all newly discovered types of IoT devices to a database to simplify their identification in the future. Tools like Lumos empower users to take control of their privacy and security.