
Microsoft Entra ID Faces Surge in Coordinated Credential-Based Attacks

Cybersecurity researchers have identified an extensive account takeover (ATO) campaign targeting Microsoft Entra ID that abuses TeamFiltration, a powerful open-source penetration testing framework. 

First detected in December 2024, the campaign has accelerated rapidly, compromising more than 80,000 user accounts across many cloud environments over the past several years. The threat intelligence firm Proofpoint tracks this sophisticated and stealthy operation, which is aimed at breaching enterprise cloud infrastructure, under the codename UNK_SneakyStrike. 

UNK_SneakyStrike stands out for its distinctive operational pattern: activity unfolds in waves across a single cloud environment, often targeting a broad spectrum of users. Aggressive bursts of login attempts are typically followed by quiet periods lasting four to five days, a tactic that lets the attackers avoid triggering traditional detection mechanisms while keeping sustained pressure on organisations' defences. 

Several technical indicators point to the attackers' use of TeamFiltration, an open-source penetration testing framework first introduced at the DEF CON security conference in 2022. Originally built for security testing and red teaming in enterprises, TeamFiltration is now being used by malicious actors to automate large-scale user enumeration, password spraying, and stealthy data exfiltration. 

The tool was designed to simulate real-world account takeover scenarios against Microsoft Entra ID (formerly Azure Active Directory) in Microsoft cloud environments. Its most dangerous features are its integration with the Microsoft Teams APIs and its use of Amazon Web Services (AWS) cloud infrastructure to rotate source IP addresses dynamically. 

This IP rotation lets the attackers evade geofencing and rate-limiting defences, and it makes attribution and traffic filtering considerably harder. The framework can also backdoor OneDrive accounts, giving attackers prolonged, covert access to compromised systems without triggering immediate alarms. 

Together these features make TeamFiltration well suited to long-term intrusion campaigns, helping an attacker keep persistence within targeted networks and siphon sensitive data for extended periods. By analysing a series of distinctive digital fingerprints discovered during forensic analysis, Proofpoint was able to attribute the malicious activity to the TeamFiltration framework and to the threat actor it dubbed UNK_SneakyStrike. 

Those fingerprints included a rarely observed user-agent string, hardcoded OAuth client identifiers, and a snapshot of the Secureworks FOCI project that had long been embedded in the tool's backend. These technical artefacts allowed researchers to trace the campaign's origin and the misuse of the tool with a high degree of confidence. 

The investigation also showed that the attackers used AWS infrastructure spanning multiple international regions to conceal their real location and circumvent geo-based blocking mechanisms. In a particularly stealthy manoeuvre, they interacted with the Microsoft Teams API through a "sacrificial" Microsoft Office 365 Business Basic account, which allowed them to enumerate accounts covertly. 

This tactic let them verify which Entra ID accounts existed without triggering security alerts, silently building a map of valid accounts to attack. Analysis of network telemetry showed that most malicious traffic originated in the United States (42%), with significant activity also traced to Ireland (11%) and the United Kingdom (8%). The global distribution of attack sources made attribution more complex and time-consuming and hampered efficient response. 

In response, Proofpoint issued a detailed advisory urging organisations, particularly those that rely on Microsoft Entra ID for cloud identity management and remote access, to apply mitigations immediately. Its recommendations include flagging TeamFiltration-specific user-agent strings in detection rules, matching traffic against the IP addresses listed in the published indicators of compromise (IOCs), and enforcing multi-factor authentication (MFA) uniformly across all user roles. 

Organisations are also advised to comply with OAuth 2.0 security standards and to implement granular conditional access policies within Entra ID to limit their exposure. Microsoft has issued no official security bulletin on this specific threat, but internal reports have revealed multiple instances of unauthorised access involving enterprise accounts. The incident is a reminder of the serious risks that dual-use red-teaming tools such as TeamFiltration pose to organisations. 

There is no doubt in my mind that such frameworks are designed to provide legitimate security assessments; however, as they are made available to the general public, they continue to raise concerns because they make it easier for threat actors to use them to gain an advantage, blurring the line between offensive research and actual attack vectors as threats evolve. 

The attackers exploited Amazon Web Services (AWS) infrastructure during the campaign, and AWS reiterated its strong commitment to responsible and lawful use of its cloud platform, stating that all customers are required to adhere to applicable laws and to the platform's terms of service. 

An AWS spokesperson explained that the company maintains a clearly defined policy framework to prevent misuse of its infrastructure. When it receives credible reports of a potential violation of these policies, it initiates an internal investigation and takes appropriate action, such as disabling access to content found to violate its terms. AWS added that it actively supports and values the global community of security researchers. 

Proofpoint classifies the UNK_SneakyStrike campaign as a highly orchestrated, large-scale operation built on user enumeration and password spraying. Its researchers note that the access attempts occur in short, intense bursts that flood cloud environments with credential-based login requests, followed by quiet periods of four to five days; the pause is intentional, meant to avoid continuous detection and prolong the campaign's life cycle while keeping the threat actors evasive. 
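Detection logic for the burst-then-quiet pattern described above, written as an added example rather than Proofpoint's or TeamFiltration's code. The sign-in records are constructed, and SUSPECT_UA_MARKERS and IOC_IPS are placeholders to be replaced with the strings and addresses from the advisory.

```python
"""Flag password-spray bursts and wave timing in Entra ID sign-in records.

Added example, not Proofpoint's detection logic or TeamFiltration code.
Records are constructed (timestamp, user, source IP, user agent, success).
A burst is a window in which one source IP fails sign-ins for many distinct
users with only a few attempts each; bursts from the same IP separated by
several quiet days match the wave pattern the post describes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_UA_MARKERS = ("PLACEHOLDER-TOOL-UA",)   # placeholder, not the real string
IOC_IPS = {"192.0.2.10"}                         # constructed (RFC 5737 range)

MIN_DISTINCT_USERS = 20        # a spray touches many users ...
MAX_ATTEMPTS_PER_USER = 3      # ... but tries each only a few times
WINDOW = timedelta(hours=1)    # gap that separates two bursts from one IP
QUIET_GAP = timedelta(days=4)  # quiet period the post describes (4-5 days)


def parse_ts(s):
    return datetime.fromisoformat(s)


def _classify(ip, window):
    """Return a finding for one failed-sign-in window, or None if benign."""
    per_user = defaultdict(int)
    user_agents = set()
    for r in window:
        per_user[r["user"]] += 1
        user_agents.add(r.get("ua", ""))
    reasons = []
    if (len(per_user) >= MIN_DISTINCT_USERS
            and max(per_user.values()) <= MAX_ATTEMPTS_PER_USER):
        reasons.append("spray_pattern")
    if ip in IOC_IPS:
        reasons.append("ioc_ip")
    if any(m in ua for ua in user_agents for m in SUSPECT_UA_MARKERS):
        reasons.append("suspect_user_agent")
    if not reasons:
        return None
    return {"ip": ip, "start": window[0]["ts"], "end": window[-1]["ts"],
            "users": len(per_user), "attempts": len(window), "reasons": reasons}


def detect_spray_bursts(records):
    """Group failed sign-ins per source IP into time windows and classify each."""
    failures = defaultdict(list)
    for r in records:
        if not r["success"]:
            failures[r["ip"]].append(r)
    findings = []
    for ip, fails in failures.items():
        fails.sort(key=lambda r: parse_ts(r["ts"]))
        window = []
        for r in fails:
            if window and parse_ts(r["ts"]) - parse_ts(window[-1]["ts"]) > WINDOW:
                finding = _classify(ip, window)
                if finding:
                    findings.append(finding)
                window = []
            window.append(r)
        finding = _classify(ip, window) if window else None
        if finding:
            findings.append(finding)
    return findings


def find_waves(findings, quiet_gap=QUIET_GAP):
    """Map IP -> burst count for IPs whose bursts are all separated by quiet gaps."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f["ip"]].append(f)
    waves = {}
    for ip, bursts in by_ip.items():
        bursts.sort(key=lambda b: parse_ts(b["start"]))
        gaps = [parse_ts(bursts[i + 1]["start"]) - parse_ts(bursts[i]["end"])
                for i in range(len(bursts) - 1)]
        if gaps and all(g >= quiet_gap for g in gaps):
            waves[ip] = len(bursts)
    return waves


def _burst(ip, day, n_users):
    """Constructed sample: n_users distinct users, one failure each, 5 s apart."""
    base = datetime(2025, 1, day, 2, 0, 0)
    return [{"ts": (base + timedelta(seconds=5 * i)).isoformat(),
             "user": f"user{i}@example.com", "ip": ip,
             "ua": "PLACEHOLDER-TOOL-UA/1.0", "success": False}
            for i in range(n_users)]


SAMPLE_RECORDS = (
    _burst("192.0.2.10", 3, 25)        # first wave on 3 January
    + _burst("192.0.2.10", 8, 25)      # second wave five days later
    + [{"ts": "2025-01-05T09:00:00", "user": "alice@example.com",
        "ip": "198.51.100.7", "ua": "Mozilla/5.0", "success": False}] * 4
)
```

Running `find_waves(detect_spray_bursts(SAMPLE_RECORDS))` reports the IOC address with two bursts and ignores the single user who mistyped a password four times.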

A key concern is the precision of the targeting. According to Proofpoint, attackers attempt to access nearly all user accounts in small cloud tenants, while selectively targeting particular users in larger enterprise environments. 

This calculated approach mirrors TeamFiltration's built-in filtering capabilities, which let attackers prioritise the highest-value accounts while avoiding the detection that excessive probing would cause. It underscores one of the major challenges the cybersecurity community faces today: tools like TeamFiltration, designed to help defenders simulate real-world attacks, are increasingly being turned against organisations instead of helping them fight back. 

By weaponising these tools, threat actors can infiltrate cloud infrastructure, extract sensitive data, establish long-term access, and bypass conventional security controls. The campaign is a reminder that dual-purpose cybersecurity technologies, though essential for improving organisational resilience, can pose a persistent and evolving threat when misappropriated. 

As the UNK_SneakyStrike campaign demonstrates, the modern threat landscape continues to grow in size and sophistication, so cloud security must be approached in a proactive, intelligence-driven way. Cloud-native organisations must enhance their threat detection capabilities and go beyond reactive measures by investing in continuous threat monitoring, behavioural analytics, and threat hunting tailored to their environments. 

Security strategies must adapt to the dynamic nature of cloud infrastructure and the growing threat of identity-based attacks; relying on traditional perimeter defences or static access controls is no longer sufficient. Enterprise defenders need to routinely audit their identity and access management policies, verify that integrated third-party applications are secure, and review logs for anomalies indicative of low-and-slow intrusion patterns. 

Building an ecosystem resilient to emerging threats requires cloud service providers, vendors, and enterprise security teams to work together. The cybersecurity community must also keep discussing how dual-purpose security tools should be distributed and governed, so that innovation intended to strengthen defences does not become a weapon that compromises them. 

Dealing with advanced threats requires agility, visibility, and collaboration if organisations are to remain resilient. Organisations are undoubtedly more vulnerable to attacks than they were in the past, but with holistic security hygiene and a zero-trust architecture they can minimise exposure, contain intrusions quickly, and maintain business continuity despite increasingly coordinated, deceptive attack campaigns.

Microsoft Builds Fictitious Azure Tenants to Lure Phishers to Honeypots

 

Microsoft employs deceptive tactics against phishing actors, creating realistic-looking honeypot tenants with Azure access and luring attackers in to gather intelligence on them. 

The tech giant can use the acquired data to map malicious infrastructure, gain a better understanding of sophisticated phishing operations, disrupt large-scale campaigns, identify hackers, and significantly slow their activity. 

Ross Bevington, a key security software engineer at Microsoft known as Microsoft's "Head of Deception," described the strategy and its negative impact on phishing activities at the BSides Exeter conference. 

Bevington developed a "hybrid high interaction honeypot" on the now-defunct code.microsoft.com to gather threat intelligence on actors ranging from rookie hackers to nation-state outfits targeting Microsoft infrastructure. 

Illusion of phishing success 

Currently, Bevington and his team combat phishing with deception techniques that use full Microsoft tenant environments as honeypots, complete with custom domain names, thousands of user accounts, and activity such as internal communications and file sharing. 

Companies or researchers usually set up a honeypot and wait for threat actors to notice it and act. A honeypot not only diverts attackers from the real environment but also allows intelligence to be collected on the tactics used to infiltrate systems, which can then be applied to protecting the legitimate network. 

In his BSides Exeter presentation, the researcher described the active strategy as visiting live phishing sites identified by Defender and entering the honeypot tenants' credentials. Because the credentials are not protected by two-factor authentication and the tenants contain realistic-looking information, attackers easily gain access and then spend time inside the environment hunting for evidence of a trap. 

Microsoft claims to monitor over 25,000 phishing sites every day, providing about 20% of them with honeypot credentials; the others are prevented by CAPTCHA or other anti-bot techniques. 

Once attackers log into the fake tenants, which happens in 5% of cases, extensive logging records every action they perform, allowing Microsoft to learn the threat actors' tactics, techniques, and procedures. The intelligence gathered includes IP addresses, browsers, location, behavioural patterns, whether they use VPNs or VPSs, and the phishing kits they employ. 

Furthermore, when attackers attempt to interact with the fake accounts in the environment, Microsoft blocks responses as far as feasible. With this deception technology it now takes an attacker 30 days to realise they have breached a fictitious environment, and Microsoft has regularly gathered actionable data that other security teams can use to build more complete profiles and better defences.

Ransomware Outfits Are Exploiting Microsoft Azure Tool For Data Theft

 

Ransomware gangs like BianLian and Rhysida are increasingly using Microsoft's Azure Storage Explorer and AzCopy to steal data from compromised networks and store it in Azure Blob Storage. Storage Explorer is a graphical management tool for Microsoft Azure, whereas AzCopy is a command-line utility for large-scale data transfers to and from Azure storage. 

According to observations by the cybersecurity firm modePUSH, the stolen data in these attacks is first kept in an Azure Blob container in the cloud, from which the threat actors can later move it to their own storage. 

The researchers also observed that the attackers had to do additional work to make Azure Storage Explorer run, such as installing prerequisites and upgrading .NET to version 8. This reflects the growing emphasis on data theft in ransomware operations, where the stolen data is the primary leverage in the subsequent extortion phase. 

Why Azure?

Though each ransomware gang has a unique set of exfiltration tools, they often use Rclone for syncing data with various cloud providers and MEGAsync for syncing with the MEGA cloud. 

Furthermore, Azure's scalability and efficiency, which allow it to manage massive volumes of unstructured data, are extremely useful when attackers want to exfiltrate large numbers of files in the least amount of time. 

modePUSH reports having seen ransomware attackers run numerous instances of Azure Storage Explorer at once to upload data to a blob container, speeding up the process. 

Uncovering ransomware exfiltration

The researchers discovered that the threat actors kept the default 'Info' logging level when using Storage Explorer and AzCopy, which generates a log file under %USERPROFILE%\.azcopy. 

This log file is especially useful for incident responders since it contains information on file actions, allowing investigators to rapidly determine which data was stolen (UPLOADSUCCESSFUL) and which payloads were potentially injected (DOWNLOADSUCCESSFUL). 

Defence strategies include establishing alarms for odd patterns in file copying or access on crucial systems, monitoring for AzCopy execution, and tracking outbound network traffic to Azure Blob Storage endpoints at ".blob.core.windows.net" or Azure IP ranges. 
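A small triage script for the AzCopy log described above, added here as an example and not part of the original post or of modePUSH's research. The sample log lines are constructed to resemble AzCopy's Info-level output (the real format may differ), so the parser relies only on the UPLOADSUCCESSFUL and DOWNLOADSUCCESSFUL markers the post mentions.

```python
"""Triage an AzCopy log to list what was uploaded to and downloaded from Azure.

Added example, not part of the original post or of modePUSH's research. The
sample lines are constructed to resemble AzCopy's default Info-level output;
the real format may differ, so the parser keys only on the UPLOADSUCCESSFUL /
DOWNLOADSUCCESSFUL markers the post describes and takes the rest of the line
as the file path.
"""
import re
from collections import Counter
from pathlib import Path, PureWindowsPath

# Constructed sample log, not captured from a real incident.
SAMPLE_LOG = """\
2024/05/01 09:12:03 INFO: [P#0-T#0] UPLOADSUCCESSFUL: C:\\Finance\\Q1-forecast.xlsx
2024/05/01 09:12:04 INFO: [P#0-T#1] UPLOADSUCCESSFUL: C:\\HR\\payroll-2024.csv
2024/05/01 09:12:05 INFO: [P#0-T#2] UPLOADFAILED: C:\\HR\\locked.pst
2024/05/01 09:12:09 INFO: [P#1-T#0] DOWNLOADSUCCESSFUL: C:\\Users\\Public\\update.exe
2024/05/01 09:12:10 INFO: [P#0-T#3] UPLOADSUCCESSFUL: C:\\Finance\\bank-details.docx
"""

# Timestamp, anything, one of the transfer outcome markers, then the path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"(?P<outcome>UPLOADSUCCESSFUL|UPLOADFAILED|DOWNLOADSUCCESSFUL|DOWNLOADFAILED)"
    r":\s*(?P<path>.+?)\s*$"
)


def parse_azcopy_log(text):
    """Return (timestamp, outcome, path) tuples for every transfer event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["outcome"], m["path"]))
    return events


def triage(events):
    """Split events into likely exfiltrated files and possibly staged payloads."""
    report = {
        "exfiltrated": [p for _, o, p in events if o == "UPLOADSUCCESSFUL"],
        "staged_payloads": [p for _, o, p in events if o == "DOWNLOADSUCCESSFUL"],
        "failed": [p for _, o, p in events if o.endswith("FAILED")],
    }
    # Directories with the most successful uploads show what the actor went after.
    report["top_dirs"] = Counter(
        str(PureWindowsPath(p).parent) for p in report["exfiltrated"]
    ).most_common(3)
    return report


def default_log_dir():
    """AzCopy's default log location, %USERPROFILE%\\.azcopy, as the post notes."""
    return Path.home() / ".azcopy"


def triage_log_dir(log_dir=None):
    """Parse every *.log file in the AzCopy log directory of the current user."""
    log_dir = Path(log_dir) if log_dir else default_log_dir()
    events = []
    for log_file in sorted(log_dir.glob("*.log")):
        events.extend(parse_azcopy_log(log_file.read_text(errors="replace")))
    return triage(events)


if __name__ == "__main__":
    print(triage(parse_azcopy_log(SAMPLE_LOG)))
```

On a compromised host, `triage_log_dir()` reads the real log directory; the result lists which files reached the attacker's blob container and which binaries were pulled down.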

If an organisation already uses Azure, it is advised to use the 'Logout on Exit' feature, which will log users out automatically when they close the program, to stop hackers from stealing files with an ongoing session.

Security researcher says Azure Tags are security threat but Microsoft disagrees

 

Tenable recently identified a notable security issue within Microsoft's Azure Network service tags. While Tenable classified this as a high-severity vulnerability, Microsoft disagreed with this classification. Despite their differences, both companies jointly disclosed the security issue on Monday. 

What is Azure? 

Azure is Microsoft's comprehensive public cloud platform, offering over 200 services. These include Platform as a Service (PaaS) for application development and operation, Infrastructure as a Service (IaaS) for virtual machines, networking, and storage, and Managed Database Services for simplified database management. Azure supports developers, IT professionals, and business owners, providing the tools to build, run, and manage applications across multiple environments, including on-premises and edge locations. This flexibility and scalability make Azure adaptable to a wide range of organizational needs. 

What is the Issue?

Azure service tags represent groups of IP addresses for various Azure services, streamlining the creation of access control rules. These tags can be used in firewall settings to permit traffic from specific Azure services. However, Tenable uncovered a serious flaw: attackers could potentially bypass firewall rules that rely exclusively on service tags by masquerading as trusted services. 

Specific Vulnerability Scenario 

The vulnerability arises under the following conditions:

Inbound traffic is permitted through a service tag.

Services allowing inbound traffic might let users control parts of web requests, such as the URL path or destination host.

An attacker in one tenant (Tenant A) could exploit this to access resources in another tenant (Tenant B) if the target allows traffic from the service tag and lacks additional authentication methods. For example, Azure Monitor Availability Tests use the ApplicationInsightsAvailability service tag for synthetic monitoring. A malicious user could exploit this setup to access endpoints in a different subscription. 

What Should Customers Do? 

Reviewing and Strengthening Security Posture

Azure customers using service tags should reevaluate their network settings:

Recognize that relying solely on service tags does not fully secure traffic.

Implement additional authentication and authorization checks for enhanced security.

Ensure appropriate security measures are in place to safeguard traffic between Azure tenants.

Refer to Microsoft's updated best practices for service tags and specific service guidelines.

Adhere to Azure security fundamentals to secure your Azure platform and infrastructure.

Enable and configure suitable monitoring controls in Azure Monitor.

Example Mitigation Strategy

To protect against unauthorized traffic via the ApplicationInsightsAvailability service tag, customers can create a token and include it as an HTTP header in availability tests. Validate this HTTP header in incoming requests to authenticate traffic origins, rejecting any requests missing the custom header. 
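The header-token check from the mitigation strategy above, as an added example that is not Microsoft's or Tenable's code. It assumes the availability test has been configured to send a custom header; the header name and the default token value are made up, and the endpoint rejects any request whose header is missing or wrong, so traffic is not trusted just because it arrives from a service-tag address.

```python
"""Reject availability-test traffic that lacks the shared token header.

Added example, not Microsoft's or Tenable's code. It assumes the availability
test is configured to send a custom header (the header name and the token
value below are made up); the endpoint rejects any request whose header is
missing or wrong, so a request is not trusted merely because it arrives from
an ApplicationInsightsAvailability service-tag address.
"""
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER_NAME = "X-Availability-Token"   # assumed header name
# Load the real secret from a vault or the environment; the default is a placeholder.
EXPECTED_TOKEN = os.environ.get("AVAILABILITY_TOKEN", "placeholder-token-change-me")


def is_authorised(headers, expected=EXPECTED_TOKEN, header_name=HEADER_NAME):
    """True only if the header is present and equals the secret (constant time)."""
    presented = headers.get(header_name)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


class HealthHandler(BaseHTTPRequestHandler):
    """Minimal probe endpoint: 200 for authorised requests, 403 for all others."""

    def do_GET(self):
        if not is_authorised(self.headers):
            # Record rejected probes: service-tag traffic without the token is
            # exactly the cross-tenant case the advisory describes.
            self.log_message("rejected probe from %s", self.client_address[0])
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"forbidden\n")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), HealthHandler).serve_forever()
```

The same `is_authorised` check can be dropped into any framework's request handler; the point is that authorisation comes from the secret, with the service tag reduced to a coarse network filter.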

Microsoft’s Response and Mitigation

Following Tenable's report, Microsoft: 

Conducted an extensive review and search for similar vulnerabilities. 

Updated documentation for Azure services utilizing inbound service tags. 

Released best practices for service tags to aid users in securing their environments more effectively. 

This collaborative disclosure by Tenable and Microsoft underscores the importance for Azure customers to regularly review and enhance their network security configurations. Service tags should be integrated into a comprehensive security strategy that includes robust authentication and monitoring practices.

Phishing and Cloud Account Takeover Campaign Targeting Microsoft Azure Users

 


Several Azure accounts were compromised in a security breach, resulting in the loss of important user data. The attack targeted senior executives at several major corporations and affected a variety of environments at the same time. 

In November 2023, Proofpoint, a cybersecurity company, discovered a malicious campaign that combines cloud account takeover (ATO) with phishing techniques to steal victims' credentials. 

The hackers are alleged to have used proxy services to get around geographical restrictions and conceal their actual location, which allowed them to access both Office Home and Microsoft 365 applications at the same time. The attack is thought to have been executed through links in documents that led to phishing websites. 

The anchor text for some of these links was "View document," which made no sense to me, as it did not imply anything about their real location. It was a well-planned attack that targeted both mid-level and senior employees, though a greater number of the former group's accounts were hacked. 

According to Proofpoint, CEOs, presidents, account managers, finance directors, vice presidents of operations, and sales directors were the most common targets. In this way, the attackers were able to gain access to information from all levels and domains of the organization. 

In these attacks, cybercriminals often register their own MFA (multifactor authentication) method to extend their access to the compromised account. To prevent the user from regaining access, they add a second mobile number or set up an authentication app. To cover their tracks, they also destroy any evidence of suspicious behaviour. 

The most targeted positions were mid to senior-level, including sales directors, account managers, financial directors, operations vice presidents, and CEOs, among others. The attackers were able to gain access to a wide variety of organizational information as a result of this. 

The attackers also put methods in place to maintain access, such as setting up their own multi-factor authentication, and erased evidence of their intrusion. Data theft and financial fraud appear to be the primary goals of these attacks. 

The perpetrators have not yet been confirmed, although the evidence suggests that they are located in Russia or Nigeria and use ISPs based in those countries.

Microsoft's Rise as a Cybersecurity Powerhouse

Tech titan Microsoft has emerged as an unexpected yet potent competitor in the cybersecurity industry in a time of rapid digital transformation and rising cyber threats. The company has quickly evolved from its conventional position to become a cybersecurity juggernaut, meeting the urgent demands of both consumers and enterprises in terms of digital security thanks to its broad suite of software and cloud services.

Microsoft entered the field of cybersecurity gradually and strategically. A whopping $20 billion in security-related revenue has been produced by the corporation, according to recent reports, underlining its dedication to protecting its clients from an increasingly complicated cyber scenario. This unexpected change was brought on by many strategic acquisitions and a paradigm shift that prioritized security in all of its services.

The business has considerably improved its capacity to deliver cutting-edge threat information and improved security solutions as a result of its acquisition of cybersecurity businesses like RiskIQ and ReFirm Labs. Microsoft has been able to offer a comprehensive package of services that cover threat detection, prevention, and response by incorporating these cutting-edge technologies into its current portfolio.

The Azure cloud platform is one of the main factors contributing to Microsoft's success in the cybersecurity industry. As more companies move their operations to the cloud, it is crucial to protect the cloud infrastructure. Azure has been used by Microsoft to provide strong security solutions that protect networks, programs, and data. For instance, its Azure Sentinel service uses machine learning and artificial intelligence to analyze enormous volumes of data and find anomalies that could point to possible security breaches.

Furthermore, Microsoft's commitment to addressing cybersecurity issues goes beyond its own products. The business has taken the initiative to work with the larger cybersecurity community in order to exchange threat intelligence and best practices. Its participation in efforts like the Cybersecurity Tech Accord, which combines international tech companies to safeguard clients from cyber dangers, is an example of this collaborative approach.

Microsoft's success in the field of cybersecurity is not without its difficulties, though. The broader cybersecurity sector continues to be beset by a chronic spending issue as it works to strengthen digital defenses. Microsoft makes large investments in security, but many other companies find it difficult to set aside enough funding to properly combat attacks that are always developing.



Microsoft’s Security Practices Under Fire: Is the Azure Platform Safe?

Microsoft Azure

Allegations against Microsoft’s security practices

Microsoft has recently come under fire for its security practices, with critics claiming that the Azure platform is “worse than you think.” According to an article on TechSpot, Tenable CEO Amit Yoran has criticized Microsoft for its lax security practices and lack of transparency regarding breaches. He asserts that the Azure platform harbors serious vulnerabilities, about which Microsoft has deliberately kept its customers in the dark.

This is not the first time Microsoft has faced criticism for its security practices. In the past, the company has been accused of failing to protect user data adequately and of not being transparent about data breaches. In this case, Yoran claims that Microsoft needs to be more forthcoming about the extent of the vulnerabilities present in the Azure platform.

Implications for customers

The implications of these allegations are profound. If true, it would mean that Microsoft has knowingly put its customers at risk by failing to disclose vulnerabilities in its platform. This could expose sensitive data to hackers and other malicious actors, putting individuals and organizations at risk.

It is important to note that these allegations have not been proven and that Microsoft has not yet responded. However, if authentic, it would represent a significant breach of trust between Microsoft and its customers. Companies rely on cloud platforms like Azure to store and manage their data, and they expect these platforms to be secure and transparent about any potential risks.

Evaluating cloud security

In light of these allegations, it is essential for companies to evaluate their use of cloud platforms carefully and to ensure that they are taking appropriate measures to protect their data. This may include using additional security measures such as encryption and multi-factor authentication and regularly reviewing their cloud provider’s security practices.

The recent allegations against Microsoft regarding its security practices and the Azure platform are concerning. If true, they represent a significant breach of trust between Microsoft and its customers. It is essential for companies to evaluate their use of cloud platforms carefully and to take appropriate measures to protect their data. 

Microsoft Offers Free Security Features Amid Recent Hacks

Microsoft has taken a big step to strengthen the security of its products in response to the growing cybersecurity threats and a number of recent high-profile attacks. The business has declared that it will offer all users essential security features at no cost. Microsoft is making this change in an effort to allay concerns about the security of its platforms and shield its users from potential cyberattacks.

The Messenger, The Register, and Bloomberg all reported that Microsoft made the decision to offer these security capabilities free of charge in response to mounting demand to improve security across its whole portfolio of products. Recent cyberattacks have brought up important issues with data privacy and information security, necessitating the development of stronger protection methods.

A number of allegedly state-sponsored hacks, with China as a particular target, are one of the main drivers behind this tactical approach. Governments, corporations, and individual users all over the world are extremely concerned about these breaches since they target not only crucial infrastructure but also important data.

Improved encryption tools, multi-factor authentication, and cutting-edge threat detection capabilities are among the free security improvements. Users of Microsoft's operating systems, including Windows 10 and Windows 11, as well as cloud-based services like Microsoft 365 and Azure, will have access to these functionalities. Microsoft wants to make these crucial security features available to a broader variety of customers, independent of subscription plans, by removing the financial barrier.

Microsoft responded to the decision by saying, "We take the security of our customers' data and their privacy extremely seriously. We think it is our duty to provide our users with the best defenses possible as threats continue to evolve. We believe that by making these security features available for free, more people will take advantage of them and improve their overall cybersecurity posture."

Industry professionals applaud Microsoft for choosing to offer these security measures without charge. This is a huge step in the right direction, said Mark Thompson, a cybersecurity analyst with TechDefend. Because these services are free, Microsoft is enabling its users to properly defend themselves against possible attacks as cyber threats become more complex.

The action is also in line with the work of other cybersecurity organizations, including the Cybersecurity and Infrastructure Security Agency (CISA), which has been promoting improved cooperation amongst IT businesses to battle cyber threats.

Although the choice definitely benefits customers, it also poses a challenge for other digital firms in the sector. Customers are expected to demand comparable initiatives from other big players in response to the growing emphasis on data security and privacy, driving the entire sector toward a more secure future.

Microsoft's Response to "Privacy-Concerns" of ChatGPT in Business

 


In response to concerns over the use of individuals' data to train artificial intelligence models, Microsoft is considering launching a privacy-centric version of ChatGPT. The offering may appeal to industries such as healthcare, finance, and banking that have not adopted ChatGPT because they are concerned that their staff will share sensitive information with the system. 

ChatGPT has greatly benefited some businesses, but banks and other large corporations have resisted adopting the technology due to privacy concerns. They fear that their employees might unintentionally disclose confidential information while using it.

By adding OpenAI's GPT-4 and ChatGPT to Azure, Microsoft wants to make it easier for enterprises to combine their proprietary data with user queries, and to surface the results of its analytics on the same platform.

A user sends a query to Azure; Microsoft's cloud determines what data is required to answer it and retrieves that data. The question and the retrieved information are combined into a prompt, which is passed to the OpenAI model of choice hosted in Azure. The model generates an answer, which is sent back to the user.

Some businesses have already become interested in the new artificial intelligence-powered chatbot to automate their business processes, but many others, such as banks, have opted against adopting it for fear that the chatbot will inadvertently leak their proprietary information when used by their employees.

According to reports, Microsoft, which holds the rights to resell the startup's technology, has a plan in place to get holdouts on board. 

The private version of the AI tool will run on dedicated cloud servers, kept apart from other customers' data and from the main ChatGPT system, to ensure the privacy of the data stored there. As a result, customers could pay up to 10 times more for a private ChatGPT setup compared with what they are charged currently.

It is also planned for OpenAI to launch an exclusive subscription service for businesses that will focus on privacy by not allowing users' data to be fed into those training models by default. 

Additionally, OpenAI has sold a private ChatGPT service to Morgan Stanley as part of its recent sales activity. The bank's wealth management division can use the platform to ask questions of, and analyze, thousands of market research documents it has generated over the years. Microsoft has already invested multi-year, multibillion-dollar amounts in OpenAI, which means that it can resell OpenAI's products without violating any terms.

Since its release, ChatGPT has raised numerous privacy and regulatory concerns over the voluminous data it gathered from many sources during its initial training and continues to collect from its users. Microsoft seems to have taken the opposite approach. Andy Beatman, senior product marketing manager for Azure AI, said that this enhanced data handling feature is among the most requested features among customers.

As reported by The Register, the upcoming system, which will enter public preview after its release in the spring, runs on Azure and retrieves relevant internal data so that it can best satisfy the worker's request.

Microsoft also explained that Azure OpenAI delivers insights based on the content and level of information provided by the user. Together with Azure Cognitive Search, this data can be retrieved for the user based on their input and conversation history. 

There is a drawback, however: this type of ChatGPT deployment will cost more than the public version, making it a rather high-priced option. Reports suggest that exclusive instances of ChatGPT could carry a price tag up to 10 times higher than what clients currently pay for the standard version of the software.

OpenAI is developing a similar offering to Microsoft's 'private' ChatGPT and will release it in the "coming months." According to the company, by default the subscription-based service will not use input provided by employees and clients to train its language models.

After OpenAI was banned in Italy over chat history being used to train the AI model, an option was added to turn off chat history. A company spokesperson said that ChatGPT can now turn off chat history and that the company plans to roll this out soon. Conversations started while chat history is disabled will not be used to train or improve their models and will not appear in the conversation history sidebar.

There is no doubt that Microsoft's AI-based privacy-centric service could be a game changer for businesses that receive and manage sensitive and important data. When Samsung found out that some of its employees were uploading company source code to the devices they use in the workplace, it banned them from using generative AI chatbots at work or on devices they use for their work. Several Microsoft representatives are already contacting organizations that could be interested in this upcoming product, since many existing customers have Azure contracts that could prove beneficial in securely managing data in the coming years.

Azure AD 'Log in With Microsoft' Authentication Bypass at Risk
Organizations that have added the "Log in with Microsoft" feature to their Microsoft Azure Active Directory setups may be exposed to an authentication bypass that could lead to takeovers of online and cloud-based accounts.

Descope researchers have labeled the attack "nOAuth". According to them, it exploits an authentication implementation flaw that affects multitenant OAuth apps in Azure AD, Microsoft's cloud-based identity and access management service. If the attack succeeds, the threat actor can take over the victim's accounts, enabling them to establish persistence, exfiltrate data, determine whether lateral movement is feasible, and carry out other activities.

According to Omer Cohen, CISO at Descope, "OAuth and OpenID Connect are open, popular standards which millions of Web properties already use[…]If 'Log in with Microsoft' is improperly implemented, several of these apps could be vulnerable to account takeover. Small businesses with fewer developer resources could especially be impacted."

About nOAuth Cyberattack Threat

OAuth is an open source, token-based authorization framework that lets users log into applications automatically based on prior authentication to another trusted app. Most consumers are already familiar with this through the "Log in with Facebook" or "Log in with Google" options seen on numerous e-commerce websites.

In the Azure AD environment, OAuth is used to control user access to outside resources including Microsoft 365, the Azure portal, and thousands of other SaaS applications that support OAuth.

According to the Descope analysis, "Azure Active Directory also manages internal resources like apps on your corporate intranet and any cloud apps developed by your own organization by providing authentications via OAuth, OIDC, and other standard protocols."

According to the Descope analysis, published this week, the flaw lets malicious actors carry out cross-platform spoofing, needing only an unwitting victim's email address to impersonate them. The email attribute under "Contact Information" in an Azure AD account can be changed at will, so anyone with malicious intent and a reasonable level of platform expertise can control the email claim that the application receives during authentication.

"[This] allows the attacker to use 'Log in with Microsoft' with the email address of any victim they want to impersonate[…]They can take over victims' accounts on any app that uses the 'email' claim as the unique identifier for Microsoft OAuth and does not validate that email address, completely bypassing authentication," the researchers noted.
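As an added example (not Descope's or Microsoft's code), the difference between an account lookup keyed on the mutable email claim, which is the flawed pattern described above, and one keyed on the tenant and object identifiers, plus a detection hook for sign-ins where the two disagree. The account record and all token claim values are constructed; the tokens are assumed to have been signature-, audience- and issuer-validated upstream.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    account_id: str
    email: str
    tenant_id: str   # Entra ID "tid" claim of the identity that first linked this account
    object_id: str   # Entra ID "oid" claim: stable per user within a tenant, not user-editable


# Constructed victim account, originally linked to a legitimate Microsoft sign-in.
ACCOUNTS = [
    Account("acct-1001", "victim@example.com", "tenant-a-guid", "oid-victim-guid"),
]

# Constructed ID-token claims for two sign-ins: the real owner, and an identity from
# another tenant whose editable "email" attribute was set to the victim's address.
LEGIT_CLAIMS = {"email": "victim@example.com", "tid": "tenant-a-guid",
                "oid": "oid-victim-guid", "sub": "sub-1"}
SPOOFED_CLAIMS = {"email": "victim@example.com", "tid": "tenant-b-guid",
                  "oid": "oid-other-guid", "sub": "sub-2"}


def lookup_vulnerable(claims: dict) -> Optional[Account]:
    """The flaw from the article: the unverified 'email' claim is the account key,
    so any identity that presents the victim's address resolves to the victim."""
    return next((a for a in ACCOUNTS if a.email == claims["email"]), None)


def lookup_hardened(claims: dict) -> Optional[Account]:
    """Key on the (tid, oid) pair instead; 'email' is treated as display data only.
    A spoofed identity from another tenant resolves to nothing and is not linked."""
    return next(
        (a for a in ACCOUNTS
         if a.tenant_id == claims["tid"] and a.object_id == claims["oid"]),
        None,
    )


def is_suspicious_sign_in(claims: dict) -> bool:
    """Detection hook: the email matches an existing account but the immutable
    identifiers do not. Worth logging and alerting on rather than silently linking."""
    return lookup_vulnerable(claims) is not None and lookup_hardened(claims) is None
```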

Incorrect Implementation of OAuth

Incorrect implementation of OAuth has apparently become a recurring problem, and organizations are urged to close this potentially harmful attack vector.

Some recent cases of the attack include vulnerabilities in the authorization system of the Booking.com website. The attack could have allowed attackers to access user accounts and acquire their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

Another case came to light when a bug tracked as CVE-2023-28131 was discovered in the OAuth implementation of Expo, an open-source framework for developing native mobile apps for iOS, Android, and other platforms from a single codebase. The vulnerability put at risk users who logged in to an online service built with the framework using their social media accounts.

Cohen notes that OAuth and similar standards are reliable and strong authentication approaches. However, organizations must make sure they work with cybersecurity and authentication professionals when adopting them.

"These standards are extremely complicated to work with[…]Authentication isn't something you can just add on and check a box. Implementing these standards correctly is critical to the security of the application," says Cohen. He adds, "If businesses choose to implement these standards in-house, then they must have regular pen testing and review of the implementation, or they can use an authentication platform that is built by security experts."

He emphasized the importance of this, since threat actors are constantly on the lookout for these types of vulnerabilities.

Mozilla: Most Breached Accounts Had Superhero and Disney Princess Names as Passwords


The passwords we create for our accounts are much like the key used to lock a house. A password protects the online home (the account) of our personal information, so having an extremely strong password is like enlisting a superhero in a battle of heroes and villains.

However, according to a new blog post by Mozilla, superhero-themed passwords are increasingly showing up in data breaches. Though it may sound absurd, Mozilla's research using data from haveibeenpwned.com found that many of the most frequent passwords discovered in data breaches were based on the names of superheroes or Disney princesses. Such obvious passwords make it easier for attackers to hijack an account or system.

Analysis of the data showed that 368,397 breached accounts used Superman, 226,327 used Batman, and 160,030 used Spider-Man as their password. Thousands more featured Wolverine and Ironman. Research from 2019 also showed that 192,023 breached accounts used Jasmine and 49,763 used Aurora as their password.

There were 484,4765 breached accounts with the password 'princess', and some Disney+ accounts used the password 'Disney'. Such predictable passwords are one of the biggest factors that make breaches easy for attackers and embolden them.

With compromised account credentials appearing on the dark web ever more frequently, a growing number of businesses are turning to passwordless solutions. Microsoft has expanded its passwordless sign-in option from Azure Active Directory (AAD) commercial clients to Microsoft accounts on Windows 10 and Windows 11 PCs.

Almost all of Microsoft's employees are passwordless, according to Vasu Jakkal, corporate vice president of the Microsoft Security, Compliance, Identity, and Management group.

"We use Windows Hello and biometrics. Microsoft already has 200 million passwords fewer customers across consumer and enterprise," Jakkal said. "We are going completely passwordless for Microsoft accounts. So you don't need a password at all," Jakkal added.

Reusing passwords is common and highly dangerous, yet it happens all too often because it is convenient and people are unaware of the consequences. Credential stuffing attacks take advantage of reused passwords by automating login attempts against systems using known email address and password pairs. Users should change their passwords from time to time and choose strong passwords that are not obvious.

Bot Protection Available in Azure Web App Firewall

Microsoft announced on Friday that the Web Application Firewall (WAF) bot protection feature has reached general availability on Azure Application Gateway this week. Azure WAF is a cloud-based feature built to safeguard customer web applications from bot attacks, general web vulnerabilities and common exploits, including SQL injection, cross-site scripting, security misconfigurations, broken authentication and more. Azure WAF can be deployed within minutes with Azure Application Gateway, Azure Content Delivery Network (CDN) and Azure Front Door.

The feature lets customers enable a bot protection rule set for WAF that logs requests from known malicious IP addresses or blocks them. "Roughly 20% of all Internet traffic comes from bad bots. They do things like scraping, scanning, and looking for vulnerabilities in your web application. When these bots are stopped at the Web Application Firewall (WAF), they can't attack you. They also can't use up your resources and services, such as your backends and other underlying infrastructure," Microsoft said.

The new bot protection rule set can be used alongside the OWASP CRS (Core Rule Set) to add protection for web applications. It blocks bad bots, which criminals otherwise use for resource-consuming malicious tasks such as scanning, scraping, and probing web apps for exploitable flaws. When the bot protection rule set is enabled on Azure WAF via Application Gateway, bots coming from known malicious IPs in the Microsoft Threat Intelligence feed are automatically blocked from reaching customer resources or probing them for potential vulnerabilities. "The bot mitigation ruleset list of known bad IP addresses updates multiple times per day from the Microsoft Threat Intelligence feed to stay in sync with the bots," Microsoft said.

"Your web applications are continuously protected even as the bot attack vectors change," reports BleepingComputer. More information on WAF is available on Microsoft's Azure product website. BleepingComputer reports that "the steps required to configure a bot protection rule set include: Creating a basic WAF policy for Application Gateway by following the instructions described in Create Web Application Firewall policies for Application Gateway. In the Basic policy page that you created previously, under Settings, select Rules. On the details page, under the Manage rules section, from the drop-down menu, select the check box for the bot Protection rule, and then select Save."