
Thread: Death star unleashed- Microsoft

  1. #1 NavyDiver (Melbourne)

    Death star unleashed- Microsoft

    The speed, scope and scale of Microsoft’s response were unprecedented. Specifically, Microsoft did four things over the course of four days that effectively undid the work of the attackers.

    1) On Dec. 13, the day this became public, Microsoft announced that it removed the digital certificates that the Trojaned files used. These digital certificates allowed Microsoft Windows systems to believe that those compromised files were trustworthy. In this single act, Microsoft literally overnight told all Windows systems to stop trusting those compromised files, which could stop them from being used.

    2) That same day, Microsoft announced that it was updating Microsoft Windows Defender, the antimalware capability built into Windows, to detect and alert if it found the Trojaned file on the system.

    3) Next, on Tuesday, Dec. 15, Microsoft and others moved to “sinkhole” one of the domains that the malware uses for command and control (C2): avsvmcloud[.]com. Sinkholing is a legal and technical tactic to deprive attackers of control over malware. In sinkholing, an organization like Microsoft goes to court to wrest control of a domain being used for malicious purposes away from its current holder, the attacker. When successful, the organization can then use its ownership of that domain to sever the attacker’s control over the malware and the systems the malware controls. Sinkholed domains can also be used to help identify compromised systems: when the malware reaches out to the sinkholed domain for instructions, the new owners can identify those systems and attempt to locate and warn the owners. Sinkholing is a tactic that was first used in big attacks in the 2008-2009 battle against Conficker and has been a standard tactic in Microsoft’s toolkit for years, including most recently against TrickBot.

    4) Finally, today, Wednesday, Dec. 16, Microsoft basically changed its phasers from “stun” to “kill” by changing Windows Defender’s default action for Solorigate from “Alert” to “Quarantine,” a drastic action that could cause systems to crash but will effectively kill the malware when it finds it. This action is important, too, because it gives other security companies license now to follow suit with this drastic step: Microsoft’s size and leadership of its platform give cover to other security companies that they wouldn’t otherwise have.

    Taken together, these steps amount to Microsoft first neutralizing and then killing the malware while wresting control over the malware’s infrastructure from the attackers. By the end of this week, the attackers will be left with barely a fraction of the systems under their control. They may still have access to compromised networks through other means: that’s what incident responders are likely working on now. And there’s no undoing whatever they did while the infiltration went unnoticed for months. But still, these actions together come as close to obliterating an attack as we’ve seen, which is all the more notable because of the likely attackers.

    In the end, this all reminds us how much power Microsoft has at its disposal. Between its control of the Windows operating system, its robust legal team, and its position in the industry, it has the power to change the world nearly overnight if it wants to. And when it chooses to train that power on an adversary, it really is the equivalent of the Death Star: able to completely destroy a planet in a single blast. Fortunately these days, Microsoft is sparing in its use of its power. But as I’ve noted before, we should never mistake Microsoft’s gentleness for weakness. And anyway, what’s the point in having a Death Star if you don’t get to use it (for good) sometimes?


    https://www.geekwire.com/2020/micros...PALArRKWkd7oOI
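    The article's point about sinkholing is that whoever now answers for the domain sees which systems still phone home. A defender does not have to wait for that call: the same question can be asked of the organisation's own DNS query logs. The script below is an added example, not code from the forum post or from the GeekWire article it quotes. It assumes a constructed whitespace-separated log format ("timestamp client_ip qname qtype", not any particular resolver's output), uses the one domain the article names (written defanged, as indicator lists usually are), and the sample log lines, subdomain labels and client IPs are constructed for the example.

```python
"""Spot hosts that looked up a sinkholed C2 domain in a DNS query log."""
from __future__ import annotations

# Indicator as it appears in the quoted article, defanged the way IoC lists
# usually are. It is refanged before matching.
SINKHOLED_INDICATORS = ["avsvmcloud[.]com"]

# Constructed sample log (assumed format: "<timestamp> <client_ip> <qname> <qtype>").
# Subdomain labels and client IPs are invented for this example.
SAMPLE_DNS_LOG = """\
2020-12-14T03:12:09Z 10.1.4.22 k3j2h1g0.avsvmcloud.com A
2020-12-14T03:12:10Z 10.1.4.22 updates.example.com A
2020-12-14T03:15:41Z 10.1.7.9 x9y8z7.avsvmcloud.com. A
2020-12-14T03:16:00Z 10.1.9.3 avsvmcloud.com.example.net A
2020-12-14T03:20:15Z 10.1.4.22 K3J2H1G0.AVSVMCLOUD.COM A
2020-12-14T03:21:02Z 10.1.5.5 notavsvmcloud.com A
2020-12-14T03:22:30Z 10.1.7.9 avsvmcloud.com A
malformed line
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'avsvmcloud[.]com' back into a domain name."""
    return indicator.replace("[.]", ".")


def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def matches_domain(qname: str, domain: str) -> bool:
    """True if qname is the domain itself or a subdomain of it.

    The comparison is made on label boundaries: a plain substring or suffix
    test would wrongly flag 'notavsvmcloud.com' and 'avsvmcloud.com.example.net'.
    """
    q, d = normalise(qname), normalise(domain)
    return q == d or q.endswith("." + d)


def parse_dns_line(line: str) -> tuple[str, str, str] | None:
    """Return (timestamp, client_ip, qname), or None if the line does not fit the assumed format."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return parts[0], parts[1], parts[2]


def find_hosts_contacting_sinkhole(log_text: str, indicators=SINKHOLED_INDICATORS) -> dict:
    """Map each client that queried a sinkholed domain to its first-seen time and the names it asked for."""
    domains = [refang(i) for i in indicators]
    hits = {}
    for line in log_text.splitlines():
        rec = parse_dns_line(line)
        if rec is None:
            continue  # skip lines that do not parse rather than abort the whole run
        ts, client, qname = rec
        if any(matches_domain(qname, d) for d in domains):
            entry = hits.setdefault(client, {"first_seen": ts, "names": set()})
            entry["names"].add(normalise(qname))
    return hits


def report(hits: dict) -> list[str]:
    """One line per affected client, sorted, ready to hand to whoever owns those systems."""
    lines = []
    for client in sorted(hits):
        names = ", ".join(sorted(hits[client]["names"]))
        lines.append(f"{client} first seen {hits[client]['first_seen']} querying {names}")
    return lines


if __name__ == "__main__":
    for line in report(find_hosts_contacting_sinkhole(SAMPLE_DNS_LOG)):
        print(line)
```

    Two details carry the weight here: names are matched on label boundaries so that look-alike names and unrelated domains ending in the same string do not produce false positives, and names are normalised for case and the trailing root dot so that the same host is not counted twice. A query to the domain is a lead for triage, not proof of infection on its own; the article's own caveat applies, since a host that was cleaned up or never ran the Trojaned build can still resolve the name for other reasons.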

  2. #2 speleomike (Sydney)
    Hi

    The extent of this compromise, the time that the miscreants were inside critical systems, and the sophistication of this piece of malware are unprecedented. The extent and damage is still being assessed. Sys Admins and Cyber Sec specialists are probably flat out, and there are many very worried Govt Depts, Military sites and big companies. It really is a huge FU. When 330,000 customers use one Network Monitoring system from one company then it does not take precognition to see a weakness in that.

    And I think Putin should give the hackers a week's holiday in some luxurious accommodation at some nice Black Sea resort and a nice medal. The hackers have probably exceeded their job performance expectations this year :-)

    Mike
    Our car: Fuji White MY13 D4 SDV6 SE 3.0 Litre, 8 spd auto.
    My car: Series 2a Workshop, 109 inch WB, ex mil., 1971. To be restored.
    Wife's car: Series 2a FFT, LWB, ex. mil., 1966. To be restored.

  3. #3 BradC, Super Moderator (Perth, near Malaga)
    Quote Originally Posted by speleomike:
        The extent and damage is still being assessed.
    And will likely never be actually calculated. This was a particularly clever piece of Malware used in a targeted and elegantly devious manner.

    As for the "Yay Microsoft" cheer squad.... Woohoo, they did what any responsible organisation in their position should. They invalidated a compromised certificate, updated their anti-malware signatures and pushed them out as an update (which organisations will deploy at their leisure). They also collaborated with other organisations in taking down an element of the command and control structure (the bit they know about anyway). Given Microsoft's propensity for breaking stuff with updates, most responsible organisations validate these updates before deploying them, so who knows when they'll be comprehensively covered?

    Microsoft were running the compromised code also, so who knows? The attackers might have one of their signing certificates. The attack was done in such a manner that the extent of exfiltration would be practically impossible to quantify.

    This is the Philby of malware.

  4. #4 pop058 (Bundaberg Qld)
    English please gentleman
    PaulT

    REMLR 256 / SLOw 4 (P)

    W/Shops/trailers & GS's
    RRs, Disco's, 110s & 109s.

  5. #5 BradC, Super Moderator (Perth, near Malaga)
    Quote Originally Posted by pop058:
        English please gentleman
    Some clever and probably well funded (at or to a State level) bad men developed some very nasty software that allowed them to steal unquantified and probably untraceable buckets of information from up to 300,000 organisations globally. Nobody knows which or how many of these were compromised, nor what (if anything) was taken. The sort of data lost could range from cat pictures to the US nuclear codes. Bad, naughty men!

  6. #6 Saitch (Armstrong Creek, Qld)
    Gasp! You mean.........you're saying..........you're telling me that a foreign power may quite possibly have my AULRO password!

    Oh, will this subterfuge never end?
    'sit bonum tempora volvunt'

