Multifactor authentication (MFA) manipulation in compromised tenants can be hard to detect, as some changes can be dismissed as part of standard helpdesk processes. Microsoft shares guidance for hunting for MFA anomalies using Kusto Query Language (KQL): https://t.co/FVZ1ZKhPFZ
Our analysis of an attempt to steal the cloud identity in a SQL Server instance for lateral movement highlights the importance of securing cloud identities and implementing least privilege practices when deploying cloud-based and on-premises solutions: https://t.co/RUyDVeyfP5
My Okta for Red Teamers post is up! We look at how Kerberos SSO works, how to intercept credentials via a fake AD Agent, decrypting AD Agent tokens, adding skeleton key's, and even how to deploy a janky SAML IdP server to auth as any user for good measure. https://t.co/Hs0wN5397s
Adversary-in-the-middle (AiTM) phishing techniques continue to proliferate through the phishing-as-a-service (PhaaS) cybercrime model, as seen in the increasing number of-AiTM capable PhaaS platforms throughout 2023.
Microsoft has identified highly targeted social engineering attacks by the threat actor Midnight Blizzard (previously NOBELIUM) using credential theft phishing lures sent as Microsoft Teams chats. Get detailed analysis, IOCs, and recommendations: https://t.co/1Ywtrlnme6
Microsoft security researchers have surfaced tell-tale patterns to help defenders identify and mitigate cloud cryptojacking, a form of cloud compute resource abuse that involves threat actors compromising cloud tenants to mine cryptocurrency: https://t.co/r2dbvYiC7j
The Orca Research Pod has discovered a critical design flaw in the #GoogleCloud Build service that enables attackers to escalate privileges and gain unauthorized access to code repositories and images in Artifact Registry. Learn more: https://t.co/d7P1gveSyP
We’re sharing more details from our investigation of the Storm-0558 campaign that targeted customer email, including our analysis of the threat actor’s techniques, tools, and infrastructure, and the steps we took to harden systems involved: https://t.co/XsgJNPMKKo
The Orca Research Pod discovered two vulnerabilities in #Azure that allowed Cross-Site Scripting (#XSS) attacks. Both vulnerabilities have now been fixed.☁️ Learn about the intricacies of these #vulnerabilities and how to prevent #XSSvulnerabilities: https://t.co/hNiThWwJfe
A multi-stage AiTM phishing and BEC activity spanning multiple banking & financial services orgs uncovered by Microsoft Defender Experts shows the complexity of these threats that abuse trusted relationships between orgs with the intent of financial fraud: https://t.co/VHIg2tWXbF
🚩Monitor for any interactive login from AAD on-prem account (MSOL_). Can be done by setting Honey Token activity in Defender for Identity.
🚩 Make sure your AAD Connect sync account is not global admin.
Hope you found it interesting, happy hunting!
11/11
Happy to share a new blog about super interesting incident I had a chance to investigate!
Read the thread to learn how threat actors are using AAD connect machines to pivot from on-prem -> cloud + executing multiple destruction and collection operations in the cloud ☁️
🧵1/n
Microsoft detected a unique operation in which threat actors, tracked as MERCURY and DEV-1084, carried out destructive actions in both on-premises and cloud environments. Learn more about the observed activity and tools and get TTPs and protection info: https://t.co/5cxf0Kp1WS
Key takeaways from the incident:
🚩 Monitor for any low/medium/high risk sign-in of AAD sync account.
🚩Make sure your AAD sync account is not used for anything else besides what is supposed to.
🚩Treat your AAD Connect machine as Tier0!
10/n