Microsoft Archives - My TechDecisions
https://mytechdecisions.com/tag/microsoft/
The end user’s first and last stop for making technology decisions. Feed last updated Thu, 22 Feb 2024 15:20:04 +0000.

Barco Streamlines IT Management with Microsoft Integration
https://mytechdecisions.com/unified-communications/barco-streamlines-it-management-with-microsoft-integration/
Thu, 22 Feb 2024 15:20:04 +0000

Barco, the global provider of meeting room technology, has formally entered into an agreement with Microsoft around Teams devices. As a first outcome of the agreement, Barco will enable ClickShare devices to provide data that will be available through Microsoft’s Teams Rooms Pro Management portal, and through tPro Portal to offer IT managers insights into room and device utilization.

Research by Frost & Sullivan reports there is greater adoption of meeting insights and analytics tools to gain a better understanding of space utilization, performance, and engagement, with 76% of the decision-makers indicating this is a key capability. Companies are looking into implementing emerging technologies that provide insights on the workspace and meeting room utilization.

Today’s workforce has become accustomed to the Bring Your Own Meeting (BYOM) or Bring Your Own Device (BYOD) concept in meeting rooms. The Barco ClickShare solution enables users to host calls from their own laptop with their preferred videoconferencing platform, using the audio and video equipment in the meeting room. According to Barco, ClickShare has been leading the market with its wireless BYOM approach, as market research company Futuresource Consulting has previously estimated that ClickShare’s portfolio makes up over 50% of the global wireless conferencing market.

Clickshare & Microsoft Integration

With more than 240,000 ClickShare Conference devices in the field, ClickShare will be a significant data source for Microsoft Teams Rooms management capabilities and will feed into future initiatives. This first step provides valuable insights for IT decision makers without changing the user experience. When initiating a Teams call, the user’s Teams desktop client identifies the connected microphone, speaker, and camera via the ClickShare Base Unit and Button, passing the data into the Teams Pro Portal. Once multiple users have connected to the same ClickShare Base Unit, the information is populated for IT managers as a potential shared space within the Pro Management portal, enabling registration and management of the meeting space.

“ClickShare has always put the user at the heart of the experience, while guaranteeing IT managers have the necessary insights to equip meeting rooms in the most optimal way,” says Jan van Houtte, head of product at Barco. “Through this integration, Microsoft and Barco will work together to build easy management systems at scale for their customers. The joint forces in the Shared Spaces initiative are a first yet crucial step to explore market opportunities and establish a future portfolio.”

“Barco shares a clear focus with Microsoft on creating the best meeting experience. This focus drives our decision making, strategy, and partnerships, which has led us to take this step,” says Dan Root, head of global strategic alliances at Barco. “We are very pleased to be a part of the Microsoft Teams Devices ecosystem, and to bring Microsoft into our partnership program. Through this collaboration we will work together to build industry-leading solutions that take collaboration to the next level.”

Another version of this article originally appeared on our sister-site Commercial Integrator on February 22, 2024. It has since been updated for My TechDecisions’ audience.

June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM
https://mytechdecisions.com/network-security/june-2023-patch-tuesday-exchange-server-sharepoint-pgm/
Tue, 13 Jun 2023 19:14:23 +0000

Microsoft has released fixes for about 70 vulnerabilities for its June 2023 Patch Tuesday release, and while none are listed as being actively exploited or publicly known, there are still a handful of critical-rated vulnerabilities that IT admins should prioritize this month.

That list of bugs that should be prioritized includes two remote code execution vulnerabilities in Microsoft Exchange Server, an elevation of privilege bug in Microsoft SharePoint, a trio of remote code execution flaws in Windows Pragmatic General Multicast, and a handful of others.

Based on input from security researchers at Zero Day Initiative (ZDI), Tenable, Immersive Labs and others, here is a look at the vulnerabilities that warrant more attention in the June 2023 Patch Tuesday release.

CVE-2023-32031 – Microsoft Exchange Server Remote Code Execution Vulnerability

If this looks familiar, you aren’t alone. Microsoft has issued fixes for a number of Exchange Server remote code execution bugs in recent years, and this one is a bypass of fixes for CVE-2022-41082 and CVE-2023-21529, with the latter listed as being under active exploitation.

This vulnerability exists within the Command class, and the issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. This bug requires the attacker to have an account on the Exchange server, but successful exploitation could lead to executing code with SYSTEM privileges.

CVE-2023-28310 – Microsoft Exchange Server Remote Code Execution Vulnerability

This is the other Exchange RCE bug listed this month, and like its twin it is rated as important but considered more likely to be exploited. It also requires the attacker to be authenticated, so valid credentials are needed.

According to researchers, both Exchange Server bugs closely mirror the vulnerabilities identified as part of the ProxyNotShell exploits. Successful exploitation could result in an attacker gaining access to an organization’s email account, or even the ability to impersonate any user.

Since attackers are adept at stealing valid credentials via phishing attacks, these should not be ignored.

CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability

According to researchers, this critical-rated vulnerability can be used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft lists enabling the AMSI feature as a mitigation for this flaw, but organizations are still urged to deploy the update as soon as possible.

Exploitation is achieved by sending a spoofed JWT authentication token to a vulnerable server, giving the attacker the privileges of an authenticated user on the target, researchers say.

CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

This trio of vulnerabilities, all critical-rated, allows a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) server environment. This is the third month in a row that Microsoft has patched a critical-rated bug in this component.

For successful exploitation, a system must have the message queuing service enabled.

For further June 2023 Patch Tuesday analysis, consult research blogs from Zero Day Initiative, Tenable, Immersive Labs and others.

Ransomware Groups Confirmed to be Exploiting MOVEit Bug
https://mytechdecisions.com/it-infrastructure/ransomware-groups-confirmed-to-be-exploiting-moveit-bug/
Mon, 05 Jun 2023 20:55:53 +0000

Cybersecurity firms are reporting widespread exploitation of the MOVEit Transfer vulnerability across a wide range of organizations large and small, with some publicly confirming that known ransomware groups are leveraging the flaw.

That includes Microsoft, which is attributing the attacks exploiting the bug, tracked as CVE-2023-34362, to a group it calls “Lace Tempest,” which is known for ransomware operations and running the Clop extortion site.

The Redmond, Wash. tech giant says the group has used similar vulnerabilities in file transfer tools to steal data and extort victims in the past.

In a series of tweets, the Microsoft Threat Intelligence Twitter account revealed several details on the attacks, saying exploitation is typically followed by deployment of a web shell with data exfiltration capabilities.

According to Progress Software, the vulnerability in MOVEit Transfer could lead to escalated privileges and potential unauthorized access to the environment. MOVEit Transfer customers are advised to take immediate action to help protect their environment. Organizations are urged to apply the patch immediately.

According to a statement from a MOVEit spokesperson, the company promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps. “We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.”

Affecting all supported MOVEit Transfer versions, CVE-2023-34362 is an SQL injection vulnerability that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database.

“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” the company says.

In the meantime, the company says it is continuing to work with cybersecurity experts to investigate the issue. A company spokesperson said in a statement, “We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products. Additional details are available on our knowledge base articles for MOVEit Transfer and MOVEit Cloud.”

Experts Weigh in On MOVEit Vulnerability

On Monday, reports of widespread exploitation came pouring in, as several security firms say their customers are under active attack.

Caitlin Condon, senior manager for security research at Rapid7, says the company has responded to alerts across a range of organizations from small businesses to enterprises with “tens of thousands of assets.”

There doesn’t appear to be any particular target vertical or organizational profile, Condon says, as victim organizations have so far included technology, insurance, manufacturing, municipal government, healthcare and financial services. The amount of data varies case by case, but Rapid7 has responded to “multiple incidents where several dozen gigabytes of data was stolen,” Condon says.

In a Rapid7 blog, the company says it has observed an uptick in related cases since the bug was disclosed last week, and the company’s researchers say the vulnerability was exploited at least four days prior to Progress Software’s first advisory on May 31.

These updates confirm what Satnam Narang, senior staff research engineer at Tenable, said last week, attributing the exploitation of file transfer tools to double extortion ransomware groups like Clop.

“While we don’t know the specifics around the group behind the zero day attacks involving MOVEit, it underscores a worrisome trend of threat actors targeting file transfer solutions,” Narang said last week. “Organizations that use MOVEit software should assume compromise and engage in incident response to determine the potential impact, if any.”

MOVEit customers are advised to check for indicators of compromise and unauthorized access over at least the past 30 days.

Avatars, Immersive Spaces Coming to Microsoft Teams via Mesh
https://mytechdecisions.com/unified-communications/avatars-immersive-spaces-coming-to-microsoft-teams-via-mesh/
Tue, 30 May 2023 15:33:15 +0000

Just when we thought Microsoft and other tech giants were abandoning virtual reality, mixed reality and the metaverse to focus on generative AI, Microsoft is launching new features and offerings for its Mesh VR collaboration platform, including avatars for Microsoft Teams, a new immersive Teams meeting experience and the private preview launch of the Mesh platform.

The announcements come as Microsoft remains laser focused on integrating AI models from OpenAI across its product portfolio and new AI assistant Copilot. Microsoft bills Mesh as essentially a new way for organizations to collaborate that is designed to make virtual meetings more interactive and less dreadful.

To help cut down on meeting fatigue, Microsoft is launching the general availability of Avatars for Teams. In a blog, Microsoft says the new customizable avatars give users a “much-needed camera break” while still showing that they are actively engaged in the meeting.

Avatars for Teams is generally available on the desktop Teams client for PC and Mac and is rolling out to tenants now, Microsoft says.

Microsoft is also introducing immersive spaces for Microsoft Teams, which the company calls a new way for people to connect using the collaboration platform by adding an immersive experience to any Teams meeting. This is designed to give meetings a sense of “natural co-presence and togetherness” regardless of participant location.

“Engage with others in a space that mimics many elements of an in-person interaction – like the ability to walk over to someone you want to catch up with, or to be in a space with multiple concurrent conversations without talking over one another,” Microsoft writes in a Tech Community blog.

Immersive spaces feature spatial audio so users experience sound as they would in an in-person setting, and they can be accessed through a PC or VR headset. The feature is currently available for Teams Technology Adoption Program (TAP) customers in private preview.

Customers and partners can learn more about Mesh or register interest in the Mesh private preview here.

Microsoft Announces Public Preview of Developer-Centric Platform Entra External ID
https://mytechdecisions.com/it-infrastructure/microsoft-public-preview-entra-external-id/
Fri, 26 May 2023 16:35:07 +0000

Microsoft is launching new developer-centric capabilities for customer and partner identity experiences in Microsoft Entra External ID, which the company calls its next-generation customer identity and access management (CIAM) solution.

In addition, Microsoft is making Microsoft Entra Verified ID easy to integrate into any application with the Microsoft Entra Verified ID SDK.

Microsoft calls Entra External ID its next generation customer identity and access management platform that represents an evolutionary step in unifying secure and engaging experiences across all external identities including customers, partners, citizens, and others within a single, integrated platform.

The solution includes all familiar Azure AD External Identities features along with new capabilities in public preview to allow developers to build secure, compliant web and mobile applications for customers, citizens and partners within minutes, the company says in a Tech Community blog.

Microsoft in May 2022 announced Entra, its new family of identity and access products that now includes Azure Active Directory (Azure AD), part of the Microsoft Entra family, Microsoft Entra Permissions Management, and Microsoft Entra Verified ID.

Entra Permissions Management is designed to enable the enforcement of the principle of least privilege at cloud scale, while Entra Verified ID is designed to issue, request and verify credentials for proof of employment, education or other claims.

According to Microsoft, customers have asked the company to evolve the currently siloed Azure AD B2C solution towards a developer-friendly platform that includes the security and governance capabilities of Azure AD and is integrated with the Entra family of products.

“Today’s preview responds to this feedback – Microsoft Entra External ID is delivering easy developer tools to harness our powerful user identity data plane in minutes,” the company says. “Our most popular B2C features and scenarios are now integrated into Azure AD, so you can now consistently leverage our powerful app development libraries (Microsoft Authentication Library or MSAL), flexible customization capabilities for end user experience and journeys, easy authorization with role-based access control (RBAC), and rich administration portals for any B2B or B2C application.”

In addition, Microsoft is integrating Entra Verified ID capabilities into Entra External ID natively, giving organizations the ability to include them in their user journeys.

“Verified ID will transform your customer and partner experiences with its open-standards-based built-in ID verification, to enable quick, self-service onboarding experiences that can reduce fraud and account takeover risk and minimize help desk costs – removing the user friction associated with ID proofing or know-your-customer scenarios. It’s just one more reason to secure your critical customer-facing applications and strengthen your digital relationships with Microsoft Entra External ID,” Microsoft says.

Microsoft also announced the general availability of the Entra Verified ID digital wallet SDK, an open-standards-based verifiable credentials service that customers can use to automate verification of identity, such as government-issued identity documents, face matching and electronic data verification, in a secure, privacy-respecting manner, Microsoft says. The Verified ID Wallet Library can be integrated into mobile apps to store and share digital Verified ID cards, the company adds.

“This allows you to issue verifiable credentials for dozens of use cases, such as reducing the risk for fraud and account takeovers, streamlining app sign ins, creating self-service account recovery and helpdesk flows, and enabling rich partner rewards ecosystems,” Microsoft writes in the blog.

Microsoft, NSA Warn of Stealthy China-Sponsored Hacking Group Volt Typhoon
https://mytechdecisions.com/network-security/microsoft-nsa-warn-of-stealthy-china-sponsored-hacking-group-volt-typhoon/
Wed, 24 May 2023 21:03:48 +0000

Microsoft is sounding the alarm on a group it calls Volt Typhoon, another state-sponsored hacking group based in China that is targeting critical infrastructure organizations and leveraging living-off-the-land techniques and proxying its network traffic through compromised network edge devices and routers to evade detection.

Microsoft says Volt Typhoon is pursuing development of capabilities that could disrupt critical communications infrastructure between the U.S. and the Asia region during future crises. Although Microsoft’s research blog doesn’t mention Taiwan or the escalating tensions between the U.S. and China over the country, cyberattacks are now essentially expected to be a part of international crises after the cyberattacks that preceded Russia’s invasion of Ukraine.

Volt Typhoon’s victims

According to Microsoft, Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the U.S. Affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors.

Volt Typhoon relies on stealth and almost exclusively living-off-the-land techniques and hands-on-keyboard activity to stay undetected. The group issues commands via the command line to collect data and credentials from local and network systems, put the data into an archive file to stage for exfiltration and uses stolen credentials to maintain persistence, researchers say.

The group also leverages compromised small office and home office (SOHO) network routers, firewalls and VPN hardware to route traffic through in an attempt to blend into normal network activity. The group also uses custom versions of open-source tools to establish a command-and-control channel over proxy to stay under the radar, Microsoft researchers say.

Volt Typhoon’s initial access

Volt Typhoon gains initial access to victim environments through internet-facing Fortinet FortiGuard devices, but Microsoft researchers don’t exactly know how, per the blog.

“Microsoft continues to investigate Volt Typhoon’s methods for gaining access to these devices,” researchers write.

From there, the alleged China-based hacking group leverages privileges afforded by the Fortinet device, extracts credentials for an Active Directory account used by the device, and attempts to authenticate to other devices on the network with those credentials.

How Volt Typhoon evades detection

The elite China hacking group proxies its network traffic to its targets through compromised SOHO network edge devices, including routers.

“Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet,” Microsoft researchers say.

In a separate advisory from the U.S. National Security Agency, officials get more specific about the device types, listing ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices. Owners of those network edge devices should ensure that management interfaces aren’t exposed to the public internet.

According to the NSA, Volt Typhoon further obscures activity by having their command-and-control traffic emanate from local ISPs in the geographic area of the victim.

Volt Typhoon’s discovery and data exfiltration

Once inside a target’s environment, Volt Typhoon uses the command line to conduct hands-on-keyboard activity. The group rarely uses malware, researchers say. Instead, they use living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data.

According to Microsoft, the alleged Chinese hacking group also uses a variety of legitimate tools, including the Local Security Authority Subsystem Service to dump credentials, the command-line tool Ntdsutil.exe to create installation media from domain controllers, and PowerShell, Windows Management Instrumentation Command-line and the ping command to discover other systems on the network.

According to the NSA, the group also exploits CVE-2021-40539, a vulnerability in ManageEngine ADSelfService Plus, and CVE-2021-27860, a vulnerability in the management interface of FatPipe WARP, IPVPN and MPVPN.
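As an added example (not from the article, Microsoft or the NSA), here is a small Python detector that runs over constructed Windows process-creation records and flags the living-off-the-land patterns described above: ntdsutil install-from-media runs on a domain controller, WMIC aimed at remote hosts, processes referencing LSASS, and ping sweeps across many hosts in a short window. The pipe-delimited log format, host names, user names and the `dumper.exe` tool are all assumptions for the sample.

```python
"""Flag living-off-the-land activity of the kind attributed to Volt Typhoon
in Windows process-creation records (hypothetical pipe-delimited format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry.
# Format: timestamp|host|user|image|command_line
SAMPLE_LOG = """\
2023-05-20T01:12:03|DC01|CORP\\svc-edge|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil "activate instance ntds" ifm "create full C:\\Windows\\Temp\\media" quit quit
2023-05-20T01:15:10|WS07|CORP\\svc-edge|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:FS02 process call create "cmd.exe /c hostname"
2023-05-20T01:16:00|WS07|CORP\\svc-edge|C:\\Windows\\System32\\PING.EXE|ping -n 1 10.1.4.10
2023-05-20T01:16:01|WS07|CORP\\svc-edge|C:\\Windows\\System32\\PING.EXE|ping -n 1 10.1.4.11
2023-05-20T01:16:02|WS07|CORP\\svc-edge|C:\\Windows\\System32\\PING.EXE|ping -n 1 10.1.4.12
2023-05-20T01:16:03|WS07|CORP\\svc-edge|C:\\Windows\\System32\\PING.EXE|ping -n 1 10.1.4.13
2023-05-20T01:16:04|WS07|CORP\\svc-edge|C:\\Windows\\System32\\PING.EXE|ping -n 1 10.1.4.14
2023-05-20T01:16:05|WS07|CORP\\svc-edge|C:\\Windows\\System32\\PING.EXE|ping -n 1 10.1.4.15
2023-05-20T01:20:44|WS07|CORP\\svc-edge|C:\\Temp\\dumper.exe|dumper.exe lsass.exe C:\\Temp\\out.dmp
2023-05-20T09:30:00|WS03|CORP\\alice|C:\\Windows\\System32\\PING.EXE|ping -n 4 10.1.4.1
2023-05-20T09:31:00|WS03|CORP\\alice|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-Date
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse(log_text):
    """Turn the pipe-delimited records into dicts; image names are lower-cased."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmd = line.split("|", 4)
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "user": user, "image": image.lower(), "cmd": cmd})
    return records


def single_event_rules(rec):
    """Rules that fire on one record: returns the names of matching rules."""
    exe = rec["image"].rsplit("\\", 1)[-1]
    cmd = rec["cmd"].lower()
    hits = []
    # Install-from-media export of the AD database on a domain controller.
    if exe == "ntdsutil.exe" and "ifm" in cmd.split():
        hits.append("ntdsutil_ifm")
    # WMIC pointed at another host: remote command execution.
    if exe == "wmic.exe" and "/node:" in cmd:
        hits.append("wmic_remote")
    # Any process other than LSASS itself naming lsass on its command line.
    if exe != "lsass.exe" and "lsass" in cmd:
        hits.append("lsass_access")
    return hits


def ping_sweep_alerts(records, min_targets=5, window=timedelta(minutes=5)):
    """One alert per (host, user) that pings >= min_targets distinct IPs within window."""
    by_actor = defaultdict(list)
    for r in records:
        if r["image"].rsplit("\\", 1)[-1] == "ping.exe":
            m = IP_RE.search(r["cmd"])
            if m:
                by_actor[(r["host"], r["user"])].append((r["ts"], m.group()))
    alerts = []
    for (host, user), events in by_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts.append({"host": host, "user": user, "rule": "ping_sweep",
                               "cmd": f"{len(targets)} distinct hosts pinged within {window}"})
                break
    return alerts


def analyse(log_text, min_targets=5, window=timedelta(minutes=5)):
    """Run every rule over the log and return the list of alert dicts."""
    records = parse(log_text)
    alerts = []
    for r in records:
        for rule in single_event_rules(r):
            alerts.append({"host": r["host"], "user": r["user"],
                           "rule": rule, "cmd": r["cmd"]})
    alerts.extend(ping_sweep_alerts(records, min_targets, window))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['cmd']}")
```

On the sample log the four alerts all come from the same service account on DC01 and WS07, while the ordinary ping and PowerShell use by alice on WS03 stays quiet; tune `min_targets` and `window` to your environment's baseline before deploying such a rule.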

Read Microsoft’s blog and the NSA advisory for more information, including indicators of compromise and recommended actions.

Microsoft Releases Windows 365 Boot Preview, Windows 11 IT Management Features
https://mytechdecisions.com/it-infrastructure/microsoft-releases-windows-365-boot-preview-windows-11-it-management-features/
Wed, 24 May 2023 14:34:32 +0000

Microsoft is beginning to roll out new features in Windows 11 designed to make managing and securing Windows 11 devices easier, as well as Windows 365 Boot to enable users to log directly into their Windows 365 Cloud PC and designate it as the primary Windows experience on their device.

The Windows announcements came during Microsoft’s annual Build developer conference, during which the Redmond, Wash. tech giant made several key AI announcements, including Windows 11 Copilot.

Windows 365 Boot

Among the Windows 11 IT and management announcements, the preview of Windows 365 Boot was perhaps the most notable, as it gives Windows 11 Pro or Enterprise users the ability to log directly into their Windows 365 Cloud PC as the primary Windows experience on their device. Windows 365 Boot will take users to their Windows 11 login experience, and they will then be directly connected to their Windows 365 Cloud PC with no additional steps.

Microsoft bills this as a tool for shared devices as logging in with a unique user identity can take a user to their own personal and secure Windows experience.

To deploy Windows 365 Boot to endpoints via Microsoft Intune, IT administrators will first need to ensure that they have Windows 11-based endpoints (Windows 11 Pro and Enterprise), enrollment in the Windows Insider Program (Dev Channel), Intune Administrator rights and Windows 365 Cloud PC licenses.

This Tech Community blog includes more information on how to deploy Windows 365 Boot.

Privacy and security

Microsoft is releasing several other new features designed to make Windows 11 more secure, including the public preview of the ability to isolate Win32 applications for both consumer and commercial users.

According to Microsoft, this gives developers the ability to reduce the risk of security breaches by running Win32 apps in isolation, helping to prevent apps from having unexpected or unauthorized access to critical internal Windows subsystems and thereby minimizing the damage if an app is compromised.

Microsoft also rehashed its Sign-in Session Token Protection Policy, which it first announced at Microsoft Secure in March, which allows applications and services to cryptographically bind security tokens on the device to restrict attackers’ ability to impersonate users on a different device after stealing tokens.

In addition, Microsoft announced account badging, starting in June, which will send users an alert to their Start menu when their account needs attention.

Other security and privacy tools now available include new app privacy settings that give users the ability to allow or block access to presence sensor information and enable or disable presence sensing features, as well as a glanceable VPN on the taskbar to give users quick access to their VPN status.

IT management

For simplified IT management, Microsoft is adding new cloud-powered capabilities to Windows 11 Enterprise designed to lower the cost of managing and securing Windows devices.

This starts with Universal Print secure release with QR code for Android, delivering step-by-step process authentication, including the ability to securely release a print job only to the employee for whom it is intended. This is designed to help prevent leaks of confidential information.

Microsoft is also making it easier for IT teams to connect to hybrid workers with organizational messages. The company says this allows IT in Windows 11 Enterprise organizations to send company-branded messages from Microsoft Intune to users on various Windows surfaces, including the notification panel, above the taskbar and the Get Started app.

Although it was announced last month, Microsoft also reiterated the preview release of the ability to upgrade from Windows 10 to Windows 11 Enterprise via Windows Autopatch.

Read Microsoft’s blog to learn more about these announcements.

The post Microsoft Releases Windows 365 Boot Preview, Windows 11 IT Management Features appeared first on My TechDecisions.

Microsoft Brings Copilot to Windows 11 (https://mytechdecisions.com/it-infrastructure/microsoft-brings-copilot-to-windows-11/, Tue, 23 May 2023 17:50:21 +0000)

Microsoft’s Build developer conference being held this week has so far been all about Bing, Copilot and artificial intelligence, with the Redmond tech giant introducing Windows Copilot for Windows 11, Bing Chat plugins, and a range of new developer tools.

The Build conference comes as Microsoft becomes fully invested in Copilot, AI and Windows 11, with most of the announcements spanning those product categories.

Windows Copilot for Windows 11

Microsoft has already unveiled Microsoft 365 Copilot to help workers be more productive while using Microsoft’s productivity tools such as Word, PowerPoint, Outlook and more. Now, the company is launching Windows Copilot, available in preview next month, which Microsoft calls the first PC platform to provide centralized AI assistance for users.

This comes along with Bing Chat and first- and third-party plugins to help users create complex projects and collaborate more efficiently across multiple applications. Windows Copilot, essentially a virtual assistant, can be invoked from the taskbar and will stay consistent across apps, programs and windows, Microsoft says.

In a blog, Panos Panay, Microsoft’s chief product officer of Windows and devices, says Windows Copilot makes every user a power user.

“The things you love about Windows – copy/paste, Snap Assist, Snipping Tool, personalization – they are all right there for you, along with every other feature on the platform, and they only get better with Windows Copilot,” Panay writes. “For example, you can not only copy and paste, but also ask Windows Copilot to rewrite, summarize or explain your content.”

Similar to ChatGPT, Bing Chat and other chatbots driven by large language models (LLMs), Copilot can be asked a range of questions.

Since the tool was announced during the Build developer conference, Microsoft says Windows Copilot gives developers new ways to reach and innovate for shared customers.

“We welcome you to be part of the Windows Copilot journey by continuing to invest in Bing and ChatGPT plugins so your investments will carry forward to Windows Copilot,” Panay writes.

Bringing the new Bing to ChatGPT, plugins

Microsoft is also bringing its new Bing to ChatGPT to act as the default search experience, giving ChatGPT users access to Bing’s search engine which will be built-in to provide additional information from the web.

This makes ChatGPT answers grounded in search and web data, with citations. ChatGPT Plus subscribers will get access first, and it will roll out to free users “soon” by enabling a plugin that brings Bing to ChatGPT, Microsoft says.

Additionally, Microsoft and ChatGPT creators OpenAI are making it possible for developers to use one platform to build and submit plugins that work across both consumer and business surfaces, including ChatGPT, Bing, Dynamics 365 Copilot, Microsoft 365 Copilot, and Windows Copilot.

As part of the shared platform, Bing is adding to its support for plugins by adding several others to the Bing ecosystem.

With Microsoft launching Windows Copilot and essentially bringing Bing Chat to Windows 11 in a “more robust way,” Microsoft says Windows Copilot and Bing Chat enable those plugins to be enhanced through applications on Windows.

Microsoft says it is also natively integrating the common plugin platform into Microsoft Edge.

Microsoft Fabric

Also as part of Microsoft’s announcements is Microsoft Fabric, a new unified platform for analytics that includes data engineering, data integration, data warehousing, data science, real-time analytics, applied observability and business intelligence connected to a single data repository called OneLake, the company says.

According to Microsoft, Fabric enables customers of all technical levels to experience capabilities in a single, unified experience. It is infused with Azure OpenAI Service at every layer to help customers unlock the full potential of their data, enabling developers to leverage the power of generative AI to find insights in their data.

Fabric also includes Copilot, allowing customers to use conversational language to create dataflows and pipelines, generate code and entire functions, build machine learning models or visualize results, Microsoft says.

Other developer tools

Microsoft also announced Hybrid AI Loop to support AI development across platforms, from Azure to client devices, with new silicon support from AMD, Intel, Nvidia and Qualcomm. This builds on Hybrid Loop, which Microsoft launched at last year’s Build conference to enable hybrid AI scenarios across Azure and client devices.

Microsoft also announced Dev Home, which it calls a new Windows 11 experience designed to help developers be more productive and streamline workflows. The preview is available in the Microsoft Store now.

Read Microsoft’s blog for the full list of new developer tools.

The post Microsoft Brings Copilot to Windows 11 appeared first on My TechDecisions.

Business Email Compromise is on the Rise (https://mytechdecisions.com/network-security/business-email-compromise-is-on-the-rise/, Mon, 22 May 2023 15:11:23 +0000)

Business email compromise has emerged as a critical threat as threat actors shift their tactics and increase the sophistication of attacks designed to take over business email accounts, including leveraging residential IP addresses to hide the attacks, Microsoft says in a new Cyber Signals report.

The report, the fourth such edition of Microsoft’s cybersecurity research report, finds cybercrime as a service targeting business email has skyrocketed, rising 38% between 2019 and 2022.

In addition, Microsoft says it detected and investigated a whopping 35 million business email compromise (BEC) attempts between April 2022 and April 2023, good for an adjusted average of 156,000 daily attempts to take over a business email account.

The company also cites the FBI’s Recovery Asset Team, which initiated the Financial Fraud Kill Chain on more than 2,800 BEC complaints involving domestic transactions, with potential losses of nearly $600 million.

Business email compromise attacks leveraging residential IP addresses

In the Cyber Signals report, Microsoft identifies a significant trend in attackers’ use of platforms like BulletProftLink, a popular platform for creating industrial-scale malicious email campaigns. The company describes BulletProftLink as selling an end-to-end service that includes templates, hosting and automated services for BEC.

Threat actors using that service receive credentials and the IP address of the victim, and they then purchase IP addresses from residential IP services that match the victim’s location, creating residential IP proxies to mask their origin.

With localized address space to support their activities in addition to usernames and passwords, BEC attackers can further obscure their movements, circumvent “impossible travel” flags and open a gateway to conduct further attacks, Microsoft says.

“Impossible travel,” Microsoft says, is a detection used to indicate that a user account might be compromised: it flags activity that is physically implausible because a task is being performed in two locations without enough time to travel from one location to the other.

This rising trend could escalate the use of residential IP addresses to evade detection, Microsoft says, as residential IP addresses mapped to locations at scale provide the ability and opportunity for hackers to gather large volumes of compromised credentials and access accounts.

According to Microsoft, threat actors are using IP/proxy services that marketers and others may use for research to scale these attacks.

“One IP service provider, for example, has 100 million IP addresses that can be rotated or changed every second,” Microsoft says in the report.

Microsoft says BulletProftLink offers a decentralized gateway design that includes Internet Computer public blockchain nodes to host phishing and BEC sites, creating a sophisticated decentralized web offering that is difficult to disrupt. This is a notable shift from other phishing-as-a-service tools like Evil Proxy, Naked Pages and Caffeine that deploy phishing campaigns and obtain compromised credentials.

“Distributing these sites’ infrastructure across the complexity and evolving growth of public blockchains makes identifying them, and aligning takedown actions, more complex,” Microsoft says. “While you can remove a phishing link, the content remains online, and cybercriminals return to create a new link to existing CaaS content.”

Business email compromise evasion tactics

According to Microsoft, business email compromise phishing emails typically target executives and other senior leaders, finance managers and human resources staff with access to sensitive employee information. However, all types of BEC attacks are on the rise, Microsoft says in the report.

A phishing lure email is the most common type of business email compromise phishing email (62%), followed by payroll (15%), invoice (8.29%), gift card (5%), business information (4.4%) and others.

Business email compromise attacks are typically designed to be relatively quiet, leveraging social engineering and deception rather than attacking unpatched vulnerabilities, malware or extortion messages.

“Instead of novel malware, BEC adversaries align their tactics to focus on tools improving the scale, plausibility, and inbox success rate of malicious messages,” Microsoft says.

On the residential IP address trend, Microsoft says these attacks can be rapidly scaled to make detection with traditional tools difficult, as variances in login locations are not inherently malicious. In the distributed work environment, a user could be logged into a business application via a Wi-Fi connection and be signed into the same apps on their smartphone’s cellular network. This makes “impossible travel” flag policies difficult to design.
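The “impossible travel” check described above, and the benign Wi-Fi-versus-cellular case that makes it hard to tune, as an added example that is not from Microsoft’s report: each user’s consecutive sign-ins are compared by great-circle distance and implied speed, and pairs closer than a distance floor are ignored so that a phone geolocated a few kilometres from the office does not trip the rule. The sign-in records, the coordinates and the two thresholds (900 km/h, 100 km) are constructed assumptions for illustration, not values from the report.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0     # assumed floor: ignore metro-area hops (Wi-Fi vs. cellular geolocation)


@dataclass(frozen=True)
class Login:
    """One successful sign-in, already geolocated by source IP (constructed record shape)."""
    user: str
    ts: datetime
    lat: float
    lon: float
    source: str  # label only, e.g. "office-wifi" or "mobile-lte"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Compare each user's consecutive sign-ins and flag pairs whose implied speed
    exceeds max_kmh. Pairs closer than min_km are skipped so that a user on office
    Wi-Fi and on a phone's cellular network in the same city is not flagged.
    Returns a list of (user, earlier_login, later_login, km, kmh)."""
    by_user = {}
    for login in logins:
        by_user.setdefault(login.user, []).append(login)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue  # same metro area: geolocation jitter, not travel
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append((user, prev, cur, round(km, 1), round(kmh, 1)))
    return alerts


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample sign-ins (not real telemetry); coordinates are approximate city centres.
SAMPLE_LOGINS = [
    # alice: Chicago office Wi-Fi, then phone on LTE geolocated to Evanston 5 min later (~19 km): benign
    Login("alice", _t("2023-05-15T09:00:00"), 41.88, -87.63, "office-wifi"),
    Login("alice", _t("2023-05-15T09:05:00"), 42.05, -87.68, "mobile-lte"),
    # bob: New York, then London 30 min later (~5,570 km): impossible
    Login("bob", _t("2023-05-15T10:00:00"), 40.71, -74.01, "home-isp"),
    Login("bob", _t("2023-05-15T10:30:00"), 51.51, -0.13, "residential-isp"),
    # carol: New York, then London 10 hours later (~557 km/h): a plausible flight
    Login("carol", _t("2023-05-15T08:00:00"), 40.71, -74.01, "home-isp"),
    Login("carol", _t("2023-05-15T18:00:00"), 51.51, -0.13, "hotel-wifi"),
]

if __name__ == "__main__":
    for user, a, b, km, kmh in find_impossible_travel(SAMPLE_LOGINS):
        minutes = (b.ts - a.ts).total_seconds() / 60
        print(f"{user}: {a.source} -> {b.source}, {km} km in {minutes:.0f} min ({kmh} km/h)")
```

Only bob is flagged: alice’s two sign-ins fall under the distance floor and carol’s implied speed is within the ceiling. The residential-proxy tactic the report describes defeats exactly this rule, because the attacker’s source address then geolocates near the victim; the distance floor that keeps the rule quiet for legitimate users is also the gap that tactic exploits, so this check should be one signal among several (new device, new ISP, unusual time) rather than the only one.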

In addition, attackers are increasingly routing malicious mail and other activity through address space near their targets, Microsoft says.

How to protect against business email compromise 

To help organizations protect against business email compromise attacks, Microsoft offers several recommendations:

  • Use a secure email solution that leverages AI capabilities and phishing protections.
  • Configure email to flag messages sent from external users, enable notifications for unverified email senders, block suspicious senders and use reporting to flag suspicious emails.
  • Use multi-factor authentication for email accounts.
  • Educate employees on how to spot suspicious emails.
  • Secure identities with Zero Trust tools to prohibit lateral movement.
  • Use a secure payment platform to eliminate the threat of invoice-based phishing emails.
  • Take extra steps to verify the authenticity of financial transactions via email.

The post Business Email Compromise is on the Rise appeared first on My TechDecisions.

BianLian Ransomware Group Skips Encryption and Goes Straight to Exfiltration (https://mytechdecisions.com/network-security/bianlian-ransomware-group-skips-encryption-exfiltration/, Wed, 17 May 2023 15:24:44 +0000)

Cybersecurity officials, the FBI, Microsoft and Sophos are warning organizations to limit their use of some legitimate tools, as they are being leveraged by the BianLian group, a ransomware group that has targeted organizations with a data extortion model that bypasses the need to encrypt victims’ data.

According to a joint advisory from CISA, its Australian counterpart agency, the FBI, and input from Microsoft and Sophos, the BianLian group is a ransomware developer, deployer and data extortion group that has been active since June 2022. The group originally used a double-extortion model in which they encrypted systems after exfiltrating the data, but the BianLian group since January has shifted to largely exfiltration-based extortion, meaning they bypass encryption and use the threat of leaking sensitive data to compel victims to pay the ransom.

How the BianLian Ransomware group gains initial access and evades detection

According to the advisory, the group leverages legitimate IT tools to gain access and steal data, including Remote Desktop Protocol credentials, open-source tools and command-line scripting for discovery and credential harvesting, and data exfiltration via File Transfer Protocol (FTP), Rclone or Mega.

However, initial access is gained by leveraging compromised Remote Desktop Protocol credentials, which officials say are likely acquired from initial access brokers or phishing.

To evade detection, the BianLian ransomware group uses PowerShell and Windows Command Shell to disable antivirus tools, specifically Windows Defender and Anti-Malware Scan Interface. In addition, the group modifies the Windows Registry to disable tamper protection for Sophos SAVEnabled, SEDEnabled, and SAVService services, enabling them to uninstall those services.

How the BianLian Ransomware group learns about the victim’s environment

For discovery and learning about the victim’s environment, the BianLian group actors employ a variety of tools, including native Windows tools and Windows Command Shell, to get an overview of the victim’s environment.

To scan the network for open ports and ping computers, the group uses Advanced Port Scanner and SoftPerfect Network Scanner.

The group also uses SharpShares to enumerate accessible network shares in a domain and PingCastle to enumerate Active Directory and provide a map to visualize the hierarchy of trust relationships, according to the advisory.

Meanwhile, native Windows tools and Windows Command Shell are used to query logged-in users and query the domain to identify all groups, accounts in the Domain Admins and Domain Computers groups, and all users in the domain. In addition, the tools are used to retrieve a list of all domain controllers and domain trusts and identify accessible devices on the network, according to the advisory.


How BianLian Ransomware group obtains credentials and moves laterally

To move laterally through the network and conduct further malicious activities, the BianLian group uses valid accounts, the credentials of which are obtained in several ways, including using Windows Command Shell to find unsecured credentials on the local machine, harvesting credentials from Local Security Authority Subsystem Service (LSASS) memory, using RDP Recognizer to brute force RDP passwords and check for vulnerabilities, and accessing the Active Directory domain database.

In one case, BianLian ransomware actors were observed using a portable executable version of an Impacket tool to move laterally to a domain controller and harvest credential hashes, authorities say.

Through Command Shell, an Impacket user with credentials can run commands on a remote device using the Windows management protocols required to support an enterprise network. This allows threat actors to run portable executable files on victim systems using local user rights, but only if the executable is not blocked.

BianLian group actors use PsExec and RDP with valid accounts for lateral movement, the advisory states. Prior to using RDP, BianLian actors used Command Shell and native Windows tools to add user accounts to the local Remote Desktop Users group, modified the added account’s password, and modified Windows firewall rules to allow incoming RDP traffic.
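The RDP staging sequence the advisory describes (account added to the local Remote Desktop Users group, that account’s password changed, a firewall rule opened for inbound RDP) is a useful correlation target for defenders. The following is an added example, not from the advisory or any vendor: it correlates Windows Security log events 4732 (member added to a security-enabled local group), 4724 (password reset attempt) and 4946 (Windows Firewall rule added) on the same host within a window. The event records are constructed, their field names are simplified from the real XML, and the 30-minute window and the score threshold are assumptions.

```python
from datetime import datetime, timedelta

# Windows Security log event IDs (real IDs; the record layout below is simplified).
EVT_LOCAL_GROUP_MEMBER_ADDED = 4732   # "A member was added to a security-enabled local group"
EVT_PASSWORD_RESET_ATTEMPT = 4724     # "An attempt was made to reset an account's password"
EVT_FIREWALL_RULE_ADDED = 4946        # "A change has been made to Windows Firewall exception list. A rule was added."

RDP_GROUP = "Remote Desktop Users"
RDP_PORT = 3389
CORRELATION_WINDOW = timedelta(minutes=30)   # assumed window between first and last stage


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records (not a real capture). Host and account names are placeholders.
SAMPLE_EVENTS = [
    # suspicious chain at 02:14 on FILESRV01: group add -> password reset -> inbound RDP rule
    {"time": _t("2023-05-10T02:14:05"), "host": "FILESRV01", "event_id": 4732,
     "subject": "CORP\\svc-backup", "member": "FILESRV01\\support", "group": RDP_GROUP},
    {"time": _t("2023-05-10T02:14:40"), "host": "FILESRV01", "event_id": 4724,
     "subject": "CORP\\svc-backup", "target": "support"},
    {"time": _t("2023-05-10T02:16:12"), "host": "FILESRV01", "event_id": 4946,
     "subject": "CORP\\svc-backup", "rule": "Allow RDP inbound", "port": RDP_PORT},
    # benign: help desk adds a user to the RDP group during business hours, nothing follows
    {"time": _t("2023-05-10T10:02:00"), "host": "WKS-117", "event_id": 4732,
     "subject": "CORP\\helpdesk1", "member": "CORP\\jsmith", "group": RDP_GROUP},
    # unrelated local group change, not part of the pattern
    {"time": _t("2023-05-10T10:05:00"), "host": "WKS-117", "event_id": 4732,
     "subject": "CORP\\helpdesk1", "member": "CORP\\jsmith", "group": "Performance Log Users"},
]


def correlate_rdp_staging(events, window=CORRELATION_WINDOW):
    """Emit one finding per addition to 'Remote Desktop Users', listing which follow-on
    stages were seen on the same host within the window: a password reset of the
    same account (4724) and a firewall rule for the RDP port (4946). score == 3
    means the full chain from the advisory was observed."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, e in enumerate(events):
        if e["event_id"] != EVT_LOCAL_GROUP_MEMBER_ADDED or e.get("group") != RDP_GROUP:
            continue
        member_short = e["member"].split("\\")[-1].lower()   # drop the DOMAIN\ or HOST\ prefix
        stages = ["rdp_group_add"]
        for f in events[i + 1:]:
            if f["time"] - e["time"] > window:
                break                       # sorted by time, so nothing later can qualify
            if f["host"] != e["host"]:
                continue
            if (f["event_id"] == EVT_PASSWORD_RESET_ATTEMPT
                    and f.get("target", "").lower() == member_short
                    and "password_reset" not in stages):
                stages.append("password_reset")
            elif (f["event_id"] == EVT_FIREWALL_RULE_ADDED
                    and f.get("port") == RDP_PORT
                    and "rdp_firewall_rule" not in stages):
                stages.append("rdp_firewall_rule")
        findings.append({"host": e["host"], "member": e["member"], "subject": e["subject"],
                         "time": e["time"], "stages": stages, "score": len(stages)})
    return findings


def high_confidence(findings, min_score=3):
    """Only findings where every stage of the chain was observed (assumed threshold)."""
    return [f for f in findings if f["score"] >= min_score]


if __name__ == "__main__":
    for f in correlate_rdp_staging(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']}: {f['subject']} added {f['member']} "
              f"to '{RDP_GROUP}'; stages={f['stages']} score={f['score']}")
```

A single 4732 against Remote Desktop Users is routine help-desk work and would drown analysts if alerted on alone; the value is in the chain, and in the subject account (a service account changing local group membership at 02:14 is itself worth a look). The same correlation extends naturally to the PsExec service-install and registry tamper-protection changes the advisory mentions, once those events are mapped to fields.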

In one case, the FBI found a forensic artifact (exp.exe) on a compromised system that likely exploits the Netlogon vulnerability (CVE-2020-1472) and connects to a domain controller, authorities say.

BianLian Ransomware group’s collection and exploitation

According to the advisory, the BianLian ransomware group has been observed using malware that enumerates registry and files and copies clipboard data from users.

The group searches for sensitive files using PowerShell scripts and exfiltrates them for data extortion, which is a departure from the group’s previous activity of encrypting files before extortion attempts.

BianLian group uses FTP and Rclone, a tool used to sync files to cloud storage, to exfiltrate data. The group has been observed installing Rclone and other files in generic and generally unchecked folders, as well as using the Mega file sharing service to exfiltrate victim data.

According to a ransom note, BianLian group specifically looks for financial, client, business technical and personal files.

If a victim refuses to pay, the group threatens to publish exfiltrated data to a leak website on the Tor network. The ransom note directs victims to a Tox ID and a Tox chat or email address to communicate with the attackers.

The group communicates in a variety of ways, including printing a ransom note to printers on the compromised network.

How to Protect Against a BianLian Ransomware attack

In addition to typical ransomware mitigations, organizations are urged to limit the use of RDP and other remote desktop services, disable command-line and scripting activities and permissions, and restrict the usage of PowerShell and update Windows PowerShell or PowerShell Core to the latest version.

Read the advisory for more information, including the full list of recommendations and indicators of compromise.

The post BianLian Ransomware Group Skips Encryption and Goes Straight to Exfiltration appeared first on My TechDecisions.
