The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.
"The solution isn't simply hiring more people - it's about rethinking how we develop talent and being more open-minded about transferable skills from other fields."
💯Sherrod DeGrippo! Some of the most resilient and adaptable people I've worked with in cyber started in a different field. Widening the aperture of who can do the job, and taking time to invest in people, will go a long way in addressing the talent gap. https://lnkd.in/ggcXxpTW.
Part 2 of our Secret Blizzard blog series is out! Teaser text from the blog is below, but take the time to read both of these great pieces of analysis. More importantly... use the information we share here (TTPs, IOCs, detections, and mitigations) to help us disrupt this actor's operations!
Russian nation-state actor Secret Blizzard (Turla, Venomous Bear, Snake, Waterbug) co-opted the tools and infrastructure of another nation-state threat actor to facilitate espionage activities (see the Part 1 blog), then used those tools and infrastructure to compromise targets in Ukraine. Microsoft Threat Intelligence has observed that these campaigns consistently led to the download of Secret Blizzard’s custom malware, with the Tavdig backdoor creating the foothold to install their KazuarV2 backdoor.
Between March and April 2024, Microsoft Threat Intelligence observed Secret Blizzard using the Amadey bot malware relating to cybercriminal activity that Microsoft tracks as Storm-1919 to download its backdoors to specifically selected target devices associated with the Ukrainian military. This was at least the second time since 2022 that Secret Blizzard has used a cybercrime campaign to facilitate a foothold for its own malware in Ukraine. Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor that targets Ukrainian military drone pilots, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine.
After co-opting the tools and infrastructure of another nation-state threat actor to facilitate espionage activities, as detailed in our last blog, Russian nation-state actor Secret Blizzard used those tools and infrastructure to compromise targets in Ukraine. Microsoft Threat Intelligence has observed that these campaigns consistently led to the download of Secret Blizzard's custom backdoors, Tavdig and KazuarV2.
Between March and April 2024, Microsoft Threat Intelligence observed Secret Blizzard using the Amadey bot malware, relating to cybercriminal activity that Microsoft tracks as Storm-1919, to download its backdoors to specifically selected target devices associated with the Ukrainian military. Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor that targets Ukrainian military drone pilots, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine. Read the second part of our two-part blog series to learn more about these findings along with insights into Secret Blizzard’s tactics, techniques, and procedures.
Get mitigation, detection, and hunting guidance as well as indicators of compromise to keep your organization informed and protected: https://msft.it/6041oODVb
Refer to part one of our blog series for more information: https://msft.it/6042oODVj
"We work in a field that demands a high level of dedication, expertise, and continuous learning," writes Microsoft Threat Intelligence's Sherrod DeGrippo in this column for SC Media. How do we solve the skills gap, which remains the biggest challenge when designing for cyber resilience? Sherrod provides suggestions for empowering the next generation of defenders: https://msft.it/6045oPCMX
We are proud to share that for the sixth year in a row, Microsoft Defender XDR demonstrated industry-leading extended detection and response (XDR) capabilities in the independent MITRE ATT&CK® Evaluations: Enterprise.
Learn more about how Defender XDR secures your multi-operating system estate: https://msft.it/6049oOG5D #XDR #ThreatProtection
Are you a security researcher interested in AI bounty submissions? Join us to learn more about Microsoft's Bug Bounty Program and how to qualify for the Zero Day Quest. In this session, hosted by Lynn Miyashita and Andrew Paverd, we'll discuss Microsoft's approach to bug bounties and deep dive into the new vulnerability categories for AI security research.
Don't miss out! Join us on December 17th at 9:30 AM PT for a virtual training session. Register now: https://lnkd.in/g6kaXZfY #ZeroDayQuest
Microsoft observed a 146% rise in adversary-in-the-middle (AiTM) attacks over the last year, indicating that cybercriminals are continuing to find ways to compromise accounts that are protected by multifactor authentication (MFA). An AiTM phishing attack involves tricking a user into going to a legitimate-looking copy of a website, entering their credentials, and performing MFA to authenticate on behalf of the adversary, who then uses the victim’s information to sign in to the real website—resulting in a token issued directly to the adversary’s device.
Using phishing-resistant credentials such as passkeys, certificate-based authentication (CBA), and Windows Hello for Business can help protect against AiTM attacks, as these credentials use cryptographic methods that don’t expose sensitive information, making it challenging for attackers to intercept or replicate the authentication process. Microsoft Entra ID supports these authentication methods as protection against identity attacks.
Learn more about how AiTM attacks work, as well as the defense-in-depth measures organizations can apply to protect against them, in our blog: https://msft.it/6044o1dpK
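The reason a passkey survives the proxy described above is origin binding, shown here as an added example that is not from the post or from Microsoft: a minimal relying-party check of a WebAuthn-style assertion. The domains (login.example.com, login.example-com.evil) are hypothetical, and an HMAC stands in for the ECDSA signature a real authenticator produces; the structure of what gets signed follows the WebAuthn spec.

```python
import hashlib
import hmac
import json
import os
import struct

# Hypothetical relying party (RP) configuration; the credential is bound to this RP ID.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def browser_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser, not the page content, writes the origin the user is actually on.
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}).encode()

def authenticator_sign(key: bytes, rp_id: str, client_data: bytes):
    # Simulated authenticator: authenticatorData = rpIdHash || flags (UP set) || counter,
    # and the signature (HMAC stand-in for ECDSA) covers authenticatorData || SHA-256(clientDataJSON).
    auth_data = sha256(rp_id.encode()) + b"\x01" + struct.pack(">I", 1)
    sig = hmac.new(key, auth_data + sha256(client_data), hashlib.sha256).digest()
    return auth_data, sig

def rp_verify(key: bytes, challenge: bytes, client_data: bytes, auth_data: bytes, sig: bytes):
    # The RP-side checks from the WebAuthn assertion verification procedure, in order.
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(key, auth_data + sha256(client_data), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"

def run_ceremony(origin_user_sees: str, rp_id_requested: str):
    # An AiTM proxy relays the RP's genuine challenge, so the challenge check passes;
    # the assertion still fails because the browser recorded the phishing origin.
    key = b"\x11" * 32          # constructed credential key shared by authenticator and RP
    challenge = os.urandom(32)  # issued by the real RP
    client_data = browser_client_data(origin_user_sees, challenge)
    auth_data, sig = authenticator_sign(key, rp_id_requested, client_data)
    return rp_verify(key, challenge, client_data, auth_data, sig)
```

Calling run_ceremony(RP_ORIGIN, RP_ID) verifies, while run_ceremony("https://login.example-com.evil", "login.example-com.evil") is rejected on the origin check even though the signature itself is valid.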
Based on our own findings and those reported by governments and other security vendors, Microsoft Threat Intelligence assesses the Russian nation-state actor that we track as Secret Blizzard has used the tools and infrastructure of at least six other threat actors during the past seven years. Microsoft research reveals that Secret Blizzard is compromising the infrastructure of the Pakistan-based threat actor we track as Storm-0156 for espionage purposes on targets of interest in South Asia.
In collaboration with Black Lotus Labs, we confirmed that Secret Blizzard is deploying backdoors and clipboard monitors to Storm-0156 infrastructure and using this position to commandeer Storm-0156 backdoors to download Secret Blizzard espionage tools onto victim devices. This blog is the first in a two-part series detailing these findings and providing insights into Secret Blizzard's tactics, techniques, and procedures.
Get mitigation, detection, and hunting guidance along with indicators of compromise to stay informed and to protect your organization: https://msft.it/6049oE6px