Select Page

Full Operational Shutdown—another cybercrime case from the Microsoft Detection and Response Team

Recently, we published our first case report (001: …And Then There Were Six) by the Microsoft Detection and Response Team (DART). We received significant positive response from our customers and colleagues and our team has been getting inquiries asking for ... continue reading
Image: Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Impact Using Cloud credentials Exec into container Backdoor container Privileged container Clear container logs List K8S secrets Access the K8S API server Access cloud resources Data Destruction Compromised images in registry bash/cmd inside container Writable hostPath mount Cluster-admin binding Delete K8S events Mount service principal Access Kubelet API Container service account Resource Hijacking Kubeconfig file New container Kubernetes CronJob hostPath mount Pod / container name similarity Access container service account Network mapping Cluster internal networking Denial of service Application vulnerability Application exploit (RCE) Access cloud resources Connect from Proxy server Applications credentials in configuration files Access Kubernetes dashboard Applications credentials in configuration files Exposed Dashboard SSH server running inside container Instance Metadata API Writable volume mounts on the host Access Kubernetes dashboard Access tiller endpoint

Attack matrix for Kubernetes

Kubernetes, the most popular container orchestration system and one of the fastest-growing projects in the history of open source, becomes a significant part of many companies’ compute stack. The flexibility and scalability of containers encourage many developers to move their ... continue reading

Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here’s what to do

True to form, human-operated ransomware campaigns are always on prowl for any path of least resistance to gain initial access to target organizations. During this time of crisis, as organizations have moved to a remote workforce, ransomware operators have found ... continue reading

Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios

With the bulk of end users now working remotely, legacy network architectures that route all remote traffic through a central corporate network are suddenly under enormous strain. The result can be poorer performance, productivity, and user experience. Many organizations are ... continue reading
Latest Astaroth living-off-the-land attacks are even more invisible but not less observable

Latest Astaroth living-off-the-land attacks are even more invisible but not less observable

Following a short hiatus, Astaroth came back to life in early February sporting significant changes in its attack chain. Astaroth is an info-stealing malware that employs multiple fileless techniques and abuses various legitimate processes to attempt running undetected on compromised ... continue reading
Screenshot of a phishing email about a coronavirus update.

Protecting against coronavirus themed phishing attacks

The world has changed in unprecedented ways in the last several weeks due to the coronavirus pandemic. While it has brought out the best in humanity in many ways, as with any crisis it can also attract the worst in ... continue reading
Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks

Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks

Gaining kernel privileges by taking advantage of legitimate but vulnerable kernel drivers has become an established tool of choice for advanced adversaries. Multiple malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron, and campaigns by the threat actor STRONTIUM, have ... continue reading

Work remotely, stay secure—guidance for CISOs

With many employees suddenly working from home, there are things an organization and employees can do to help remain productive without increasing cybersecurity risk. While employees in this new remote work situation will be thinking about how to stay in ... continue reading

Guarding against supply chain attacks—Part 3: How software becomes compromised

Do you know all the software your company uses? The software supply chain can be complex and opaque. It’s comprised of software that businesses use to run operations, such as customer relationship management (CRM), enterprise resource planning (ERP), and project ... continue reading
Threat hunting: Part 1—Why your SOC needs a proactive hunting team

Threat hunting: Part 1—Why your SOC needs a proactive hunting team

Cybersecurity can often feel like a game of whack-a-mole. As our tools get better at stopping one type of attack, our adversaries innovate new tactics. Sophisticated cybercriminals burrow their way into network caverns, avoiding detection for weeks or even months, ... continue reading