Azure Security News
Detecting the Impossible: Serverless C2 in the Cloud

by AZURE SECURITY NEWS EDITOR
January 13, 2021
in Business
There are certain sophisticated threat behaviors that are generally considered “impossible” to detect on the network, and that are both tedious and challenging for security teams to protect against. These include attackers’ use of encryption; fileless malware that abuses applications commonly used for legitimate activity to execute malicious code; insider threats hidden within normal business operations; and non-malware-based lateral movement that blends in as attackers systematically move through a network in search of data or assets to exfiltrate.

As if these threats weren’t enough for security teams to grapple with, a newly observed technique, serverless command and control (C2) running in the cloud, only makes their jobs more difficult. My team and I uncovered a combination of these techniques while working with a client in the financial services industry.

The Hard Things About Hard Things (in the SOC)

First, the C2 channel used Transport Layer Security (TLS). TLS is common on today’s networks and is designed to protect data in transit, which is precisely why attackers use it: many existing security tools are blind to encrypted traffic.

Second, the C2 server (which the attacker uses to maintain communications with compromised systems) was actually serverless code in the Azure cloud. All that is seen on the network, therefore, is an encrypted session to a subdomain of azurewebsites.net. Many networks carry thousands of unique sessions per day to hundreds of azurewebsites.net subdomains. To make matters worse, traditional TLS fingerprinting (such as JA3) is of little use in making sense of this traffic: the same destinations are reached by a broad mix of background updaters, web browsers, business productivity apps, IoT clients and more, so no single client fingerprint stands out.

The malware in question also persists as an Office add-in, which complicates detection on both the network and the endpoint. It only runs when certain Office applications are started (which may be frequent, depending on the victim), and because it runs inside the Office process it is harder to detect on the endpoint. Worse, malicious add-ins can be loaded without elevated permissions, user intervention or notification. And, the pièce de résistance: a malicious add-in can download and run other executables with ordinary user-level permissions and without the user’s knowledge.

Understanding the Malware

MWR Labs’ William Knowles wrote about Office persistence, highlighting various persistence techniques including one known as WLL add-ins for Word. In short, an attacker with an ordinary user session can:

  1. Take a malicious DLL
  2. Put it in a directory that unprivileged users can write to (%APPDATA%\Microsoft\Word\STARTUP, that is, C:\Users\<user>\AppData\Roaming\Microsoft\Word\STARTUP)
  3. Change the extension from .dll to .wll

And that’s it. Word will load the .wll, and so run its DllMain(), every time the application is opened. Similar capabilities exist for Excel, PowerPoint and other apps in the Office suite.

Drop the malicious .dll in this unrestricted directory. Change extension from .dll to .wll to get instant persistence. Word will execute whatever is in DllMain().
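A hunt for add-ins planted this way, as an added example that is not part of the original article or of MWR Labs’ research: it walks the Word STARTUP folder (and, as an assumed analogue, Excel’s XLSTART folder), hashes every candidate add-in and checks whether the file is actually a PE image, since a .wll is nothing more than a renamed DLL. The directory layout, file names and file contents built by `scan_demo()` are constructed for the demonstration.

```python
"""Hunt for Office start-up add-ins: a .wll is a renamed DLL that Word loads silently."""
import hashlib
import os
import struct
import tempfile
from dataclasses import dataclass

# Folders Office auto-loads from, relative to %APPDATA% (i.e. ...\AppData\Roaming).
# Word's STARTUP folder is the one described above; Excel's XLSTART is an
# assumed analogue where a renamed DLL carries the .xll extension instead.
STARTUP_DIRS = {
    os.path.join("Microsoft", "Word", "STARTUP"): {".wll", ".dll"},
    os.path.join("Microsoft", "Excel", "XLSTART"): {".xll", ".dll"},
}


@dataclass
class AddinFinding:
    path: str
    sha256: str
    is_pe: bool  # True when the file is native code (MZ stub + PE signature)


def is_pe_image(data: bytes) -> bool:
    """Return True if the bytes start with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def scan_startup_dirs(appdata: str, startup_dirs=STARTUP_DIRS):
    """List every file in the auto-load folders that is an add-in by extension or a PE image."""
    findings = []
    for rel, exts in startup_dirs.items():
        folder = os.path.join(appdata, rel)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            full = os.path.join(folder, name)
            if not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            pe = is_pe_image(data)
            # Native code in a start-up folder is always worth a look; so is a
            # non-PE file wearing an add-in extension (a decoy or a broken drop).
            if pe or os.path.splitext(name)[1].lower() in exts:
                findings.append(AddinFinding(full, hashlib.sha256(data).hexdigest(), pe))
    return findings


def build_fake_pe() -> bytes:
    """Constructed stand-in for a DLL: valid MZ stub and PE signature, no code (not loadable)."""
    header = bytearray(0x44)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def scan_demo():
    """Build a constructed %APPDATA% tree in a temp dir and scan it."""
    appdata = tempfile.mkdtemp(prefix="wll-hunt-")
    word_startup = os.path.join(appdata, "Microsoft", "Word", "STARTUP")
    os.makedirs(word_startup)
    with open(os.path.join(word_startup, "update.wll"), "wb") as fh:   # the planted add-in
        fh.write(build_fake_pe())
    with open(os.path.join(word_startup, "notes.txt"), "wb") as fh:    # benign clutter
        fh.write(b"not an add-in")
    return scan_startup_dirs(appdata)


if __name__ == "__main__":
    for f in scan_demo():
        print(f"{'PE ' if f.is_pe else '   '}{f.path}  sha256={f.sha256[:16]}...")
```

On a real endpoint, point `scan_startup_dirs()` at each profile’s `AppData\Roaming` under `C:\Users` rather than only the current user’s `%APPDATA%`, and compare the hashes against the add-ins the organization actually deploys; a loader as small as the one described above has no legitimate counterpart in that list, whatever imports it borrows.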

But what if add-ins are disabled? It doesn’t matter: even if the user has configured Word to disable add-ins, that setting disables all add-ins except WLLs. As mentioned above, the attacker can also use the WLL to download and run other executables. But if the WLL is self-contained (it does not need to download and run other files), then examining the process list shows nothing unusual, because all of the code runs inside Word’s process space.

The process when the add-in does not execute other applications. The code runs within WINWORD.exe.

Admittedly, one disadvantage of a completely self-contained .wll is that static detection is easier, since a single .wll would contain a high percentage of suspicious functionality. The attacker in this case therefore built an add-in that is just a simple loader (with clean-up) for other executables, apparently to evade static analysis. Adding a few red-herring imports that legitimate programs use frequently and malware rarely does made detection even less likely.

Detecting the Impossible

Although this type of C2 may sound impossible to detect, organizations can protect themselves against it with network traffic analysis that looks at behavior over time.

Previous approaches to network security have been defeated by many modern threat scenarios because they are locked within the confines of individual sessions and protocols. The reality is that threat detection rests on understanding behaviors and applications, and how these manifest as sessions and protocols over (potentially long) periods of time.

In this case, it is important to account for the fact that different sequences play out when a user starts Microsoft Word, depending on the Office version, how it is licensed, the Windows version and other factors. This is a good fit for machine learning: learn the sequence, then identify with high confidence when Microsoft Word (or any other application) is launched. For instance, in the sequence shown below, a handful of requests are made, in order, to the following locations as the application starts up:

  1. Several [a-z]-ring.msedge.net connections
  2. Possibly ocws.officeapps.live.com connections
  3. Finally, fp.msedge.net
Word starting up with no add-ins present.

Now let’s see what happens if an add-in is loaded that communicates on the network:

  1. Several [a-z]-ring.msedge.net connections
  2. The request(s) made by the add-in(s)
  3. Possibly ocws.officeapps.live.com connections
  4. Finally, fp.msedge.net
Word starting up, with the malicious add-in present. It downloads and executes the second stage payload from an azurewebsites.net function.

To identify network-connected add-ins such as this one, defenders need to:

  1. Identify the “network fingerprint” of Word starting up
  2. Identify the additional connections made by add-ins
  3. Alert on the outliers, i.e. add-in connections that are not common
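The three-step procedure above, implemented as an added example that is not part of the original article. It parses a constructed connection log (one process-launch event plus the outbound connections each process makes per host), collapses the per-instance `[a-z]-ring.msedge.net` names into a single start-up step, learns the destinations common to most Word launches as the fingerprint, and reports whatever else shows up during a launch. The log format, host names and the `example-fn.azurewebsites.net` destination are assumptions made for the demonstration.

```python
"""Flag Office add-in network activity by learning Word's start-up 'network fingerprint'."""
import re
from collections import Counter

# Constructed sample log (not from the article): "<ts> <host> <process> <event>",
# where <event> is "start" or "<dst>:<port>" for a connection that process opened.
# host4 carries the add-in: it calls an Azure Function during Word start-up.
SAMPLE_LOG = """\
2019-07-01T09:00:00Z host1 WINWORD.EXE start
2019-07-01T09:00:01Z host1 WINWORD.EXE a-ring.msedge.net:443
2019-07-01T09:00:01Z host1 WINWORD.EXE b-ring.msedge.net:443
2019-07-01T09:00:02Z host1 WINWORD.EXE ocws.officeapps.live.com:443
2019-07-01T09:00:03Z host1 WINWORD.EXE fp.msedge.net:443
2019-07-01T09:05:00Z host2 WINWORD.EXE start
2019-07-01T09:05:01Z host2 WINWORD.EXE c-ring.msedge.net:443
2019-07-01T09:05:02Z host2 WINWORD.EXE fp.msedge.net:443
2019-07-01T09:10:00Z host3 WINWORD.EXE start
2019-07-01T09:10:01Z host3 WINWORD.EXE a-ring.msedge.net:443
2019-07-01T09:10:02Z host3 WINWORD.EXE ocws.officeapps.live.com:443
2019-07-01T09:10:03Z host3 WINWORD.EXE fp.msedge.net:443
2019-07-01T09:15:00Z host4 WINWORD.EXE start
2019-07-01T09:15:01Z host4 WINWORD.EXE d-ring.msedge.net:443
2019-07-01T09:15:01Z host4 WINWORD.EXE example-fn.azurewebsites.net:443
2019-07-01T09:15:02Z host4 WINWORD.EXE ocws.officeapps.live.com:443
2019-07-01T09:15:03Z host4 WINWORD.EXE fp.msedge.net:443
"""

# Collapse per-instance host names into the pattern the article lists, so that
# a-ring and b-ring count as the same start-up step.
NORMALISERS = [
    (re.compile(r"^[a-z]-ring\.msedge\.net$"), "<x>-ring.msedge.net"),
]


def normalise(dst: str) -> str:
    """Strip the port and map instance-specific names onto their pattern."""
    host = dst.rsplit(":", 1)[0].lower()
    for pattern, label in NORMALISERS:
        if pattern.match(host):
            return label
    return host


def parse_sessions(log: str, process: str = "WINWORD.EXE"):
    """Group connections by launch: each 'start' event opens a new session for that host."""
    sessions = []
    open_by_host = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, host, proc, event = line.split()
        if proc != process:
            continue
        if event == "start":
            open_by_host[host] = []
            sessions.append((host, open_by_host[host]))
        elif host in open_by_host:
            open_by_host[host].append(normalise(event))
    return sessions


def learn_baseline(sessions, min_fraction: float = 0.5):
    """Destinations present in at least min_fraction of launches form the fingerprint."""
    seen = Counter()
    for _host, dsts in sessions:
        seen.update(set(dsts))
    total = len(sessions)
    return {dst for dst, count in seen.items() if count / total >= min_fraction}


def find_outliers(sessions, baseline):
    """Return {host: [uncommon destinations]}: the add-in connections the article hunts for."""
    outliers = {}
    for host, dsts in sessions:
        odd = [dst for dst in dsts if dst not in baseline]
        if odd:
            outliers[host] = odd
    return outliers


def run_demo(log: str = SAMPLE_LOG):
    sessions = parse_sessions(log)
    baseline = learn_baseline(sessions)
    return baseline, find_outliers(sessions, baseline)


if __name__ == "__main__":
    baseline, outliers = run_demo()
    print("start-up fingerprint:", sorted(baseline))
    for host, dsts in outliers.items():
        print(f"ALERT {host}: unexpected connection(s) during Word start-up: {dsts}")
```

Learn the baseline from a population or time window believed to be clean: if the add-in were present fleet-wide, `min_fraction` would fold its destination into the fingerprint. A production rule would also key on the order of the connections (the add-in’s request lands between the ring and ocws steps) and on the process that opened them, which this log already records.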

Sounds simple enough. Of course, few technologies give defenders the ability to define detection patterns such as this, and the patterns themselves change over time, so hard-coding them into a detection solution is not much of an option. As mentioned previously, machine learning can help, but what is also needed is a framework and language for expressing attacker tactics, techniques and procedures (TTPs). With the ability to write TTP-level rules like this, we were able not only to catch this encrypted, serverless C2 but also to identify every rogue add-in with a single detection.

Although this technique can be daunting from a threat detection and hunting perspective, it can be defended against as long as organizations have access to current network traffic analysis. With advances in machine learning and automation, organizations can effectively arm their networks against an ever-evolving attack landscape.

Reference: https://securityboulevard.com/2019/07/detecting-the-impossible-serverless-c2-in-the-cloud/

Copyright © 2020 - Azure Security
