Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Microsoft Security Response. Show all posts

How to Protect Your PC from Ransomware with Windows Defender

 

Ransomware is a significant threat that can lock users out of their own files until a ransom is paid to recover the data. CBS News recently highlighted the devastating impact of ransomware, focusing on the Scattered Spider group, which caused millions in damage by targeting Las Vegas casinos. While personal computers are less common targets, it’s still crucial to take precautions. 

The best way to protect your system from ransomware is by avoiding sites or downloads likely to contain malware. However, using additional measures like modern antivirus software or built-in protections in Windows can enhance security. Microsoft Defender, integrated into Windows, offers ransomware protection, but users need to enable it manually. To activate ransomware protection in Windows, you must access the Windows Security app. This can be done by searching for “Windows Security” via the Start Menu or settings. Once inside the app, go to “Virus & threat protection” and activate Controlled folder access. 

This feature limits which applications can alter files in crucial folders, such as Documents, Pictures, and others. While trusted programs like Microsoft Office automatically retain access, unauthorized apps cannot modify or even see these folders until granted permission. This restriction is vital for stopping ransomware from encrypting sensitive files. An essential step to further enhance security is backing up your data. Windows Security facilitates this through integration with OneDrive. By logging into your OneDrive account, either through the Windows PC itself or directly in the OneDrive app, you can ensure automatic backups of your important files. 

This provides an additional layer of security, helping to recover encrypted data without paying a ransom. While OneDrive offers convenient cloud backup, it’s also recommended to keep offline backups. These backups are immune to ransomware that might affect your online accounts. Without an offline backup, relying solely on cloud services still leaves a vulnerability. Turning on ransomware protection comes with minor inconveniences, especially for those who save files in common folders. 

For instance, gamers might experience issues with save files being restricted, but this can be remedied by adding specific apps to the access list or adjusting where files are saved. Overall, securing your PC against ransomware involves enabling the built-in features in Windows, setting up OneDrive backups, and keeping an offline backup for extra safety. Taking these steps ensures you’re prepared in case your files are ever threatened by ransomware attacks.

Midnight Blizzard: Russian Threat Actors Behind Microsoft Corporate Emails’ Breach


On Friday, Microsoft informed that some of its corporate accounts suffered a breach in which some of its data was compromised. The attack was conducted by a Russian state-sponsored hackers group named “Midnight Blizzard.”

The attack was first detected on January 12th, and Microsoft in its initial investigation attributed the attack to the Russian threat actors, known famously as Nobelium or APT-29.

Microsoft informs that the threat actors launched the attacks in November 2023, in which they carried out a password spray attack in order to access a legacy non-production test tenant account. 

Password Spray Attack

A password spray attack is a type of brute force attack where threat actors collect a list of potential login names and then attempt to log in to all of them using a particular password. If that password fails, they repeat this process with other passwords until they run out or successfully breach the account.

Since the hackers were able to access accounts using a brute force attack, it is clear that it lacked two-factor authentication or multi-factor authentication.

Microsoft claims that after taking control of the "test" account, the Nobelium hackers utilized it to access a "small percentage" of the company's email accounts for more than a month.

It is still unclear why a non-production test account would have the ability to access other accounts in Microsoft's corporate email system unless the threat actors utilized this test account to infiltrate networks and move to accounts with higher permissions.

Apparently, these breached accounts include members of Microsoft’s leadership team and employees assigned to the cybersecurity and legal departments, targeted by hackers to steal emails and attachments. 

"The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself," the Microsoft Security Response Center shared in a report on the incident.

"We are in the process of notifying employees whose email was accessed."

Microsoft reaffirms that the incident was caused by the brute force password attack, rather than a vulnerability in their product services.

However, it seems that Microsoft’s poorly managed security configuration played a major role in the success of the breach.

While this investigation is underway, Microsoft stated that they will release more information when it is appropriate.