Microsoft Threat Intelligence

Computer and Network Security

We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

About us

The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.

Website: https://aka.ms/threatintelblog
Industry: Computer and Network Security
Company size: 10,001+ employees
Specialties: Computer & network security, Information technology & services, Cybersecurity, Threat intelligence, Threat protection, and Security

Updates

  • Microsoft Threat Intelligence reposted this

    Yonatan Zunger
    CVP, AI Safety & Security

    AI Safety at Microsoft means everything from "protect the VM from buffer overruns" to "what happens if the person using this has an abusive partner?" Right now we're hiring for a range of roles, looking for a range of backgrounds. Follow the links to learn the details of each particular role and apply for them. If you don't see something that matches your background and skillset, keep watching! We'll continue to post as other roles come up.

    *AI Red Team:* Probing the high-risk systems to discover the risks nobody has realized are yet real. All these roles include crossover with operations, to keep you grounded in the real cutting edge.
    *AIRT Operator:* https://lnkd.in/gctvci3S The core "probe the systems" job. Experience thinking adversarially required. Maniacal cackles optional.
    *AI Safety Researcher:* https://lnkd.in/gsa-Udru Staff-level, looking for adversarial ML or AI safety experience. Research on the cutting edge of AI havoc.
    *SWE:* https://lnkd.in/gvwJePge Working on PyRIT (https://lnkd.in/gFdmfaww)

    *The AI Safety Platform:* Putting as much of AI safety as possible into the codebase so teams don’t have to do it by hand. Domain expertise not required, experience working on software platforms (APIs/SDKs) useful.
    *Eng Manager*: https://lnkd.in/gfnW_a-b
    *Staff-level SWE*: https://lnkd.in/g4c7FFE9
    *Senior-level SWE*: https://lnkd.in/g7bBy_4S

    *Empowering Microsoft:* Lots of safety can't be turned into software: how to identify the relevant threats, design an incident response plan, etc. This team needs to understand and distill the practice of safety and turn it into training, tools, and documentation, first for our own teams, then for the world.
    *AI Safety Program Manager:* https://lnkd.in/gKbfzh6P Staff-level role distilling this knowledge. Deep safety expertise (including technical and human aspects), experience working with product teams, and great communication required.
    *Technical Writer:* https://lnkd.in/gZ8dv8Eg
    *TPM, Office of the Deputy CISO:* https://lnkd.in/gQN2k8rb We have so many cats to herd. Senior- to staff-level TPM who can bring order out of chaos.

  • In a new report released today, the Microsoft Threat Analysis Center (MTAC) is sharing intelligence about Iranian actors laying the groundwork for influence operations aimed at US audiences and potentially seeking to impact the 2024 US presidential election. Foreign malign influence concerning the 2024 US election started off slowly but has steadily picked up pace over the last six months, initially from Russian operations but more recently from Iranian activity. Microsoft has observed that recent cyber-enabled influence activity arises from a combination of Iranian actors like Sefid Flood, Mint Sandstorm, Peach Sandstorm, and Storm-2035 conducting initial cyber reconnaissance and seeding online personas and websites into the information space. Microsoft also observed three Russian influence actors behind campaigns aimed at the 2024 presidential election: Ruza Flood (aka Doppelganger), Storm-1516, and Storm-1841 (Rybar). The most impactful of these actors as of late June 2024 is Storm-1516, which pivoted in late April from Ukraine-focused operations to targeting the US election with its distinctive video forgeries. Chinese Communist Party (CCP)-linked influence actors also continue to engage US audiences on divisive political issues, expanding to new platforms and evolving their tactics to engage new audience spaces ahead of November. Learn more about these campaigns from the third election report from MTAC: https://msft.it/6040llWQu

    Iran Targeting 2024 US Election - Microsoft On the Issues

  • Microsoft identified multiple vulnerabilities in the open-source platform OpenVPN, with binaries integrated into millions of devices worldwide, which could be exploited to create an attack chain allowing remote code execution (RCE) and local privilege escalation (LPE). This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information. While user authentication and a deep understanding of OpenVPN’s architecture and operating systems are required to exploit these vulnerabilities, exploitation could put endpoints and enterprises at significant risk of attack. Learn more about the discovered vulnerabilities, attack chain, and exploitation impacts, and get guidance to mitigate and detect threats attempting to exploit these vulnerabilities in this Microsoft Threat Intelligence blog post from Vladimir Tokarev: https://msft.it/6040llDaw

    Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE | Microsoft Security Blog

  • Ann Johnson, CVP and Deputy CISO, Microsoft, and Sherrod DeGrippo, Director of Threat Intelligence Strategy, Microsoft Threat Intelligence delivered an inspiring keynote at Black Hat, celebrating the incredible work of the defender community. Ann shared her experience during the recent outage, emphasizing the resilience and collaboration across the industry that renewed her faith in our collective strength. When challenges arise, we come together as an industry to support our customers. Ann also highlighted that at Microsoft, we understand that technical excellence must be paired with a strong culture and governance. We are committed to rallying our engineers working on the Secure Future Initiative (SFI) to ensure our customers remain protected. While big security events often make headlines, it’s the countless threats stopped daily by everyone in this room that truly make a difference. Ann and Sherrod expressed their pride in being part of this incredible community. #BHUS #MSFTBlackHat #BHUS24

  • Today is the last day to join us at Black Hat USA 2024! Use our blog to guide your way through Microsoft’s comprehensive threat intelligence research and AI-first end-to-end security expertise showcasing today: https://msft.it/6049lYN3P

    Vladimir Tokarev demonstrates how 4 vulnerabilities discovered in OpenVPN could lead to an attack chain allowing remote code execution, local privilege escalation, and kernel code execution. Starting at 10:20 AM, located at South Seas AB, Level 3: https://msft.it/6040lYN3u

    Join us in the Microsoft booth #1240 as we host today’s exclusive theatre sessions below! https://msft.it/6041lYN3R

    Starting at 11:00 AM, join Simeon Kakpovi and Greg Schloemer for another “KC7 Threat Intelligence challenge”, a fun and interactive cybersecurity “detective” game that allows players to investigate realistic intrusions using real tools and simulated data, regardless of players’ prior skills or experience.

    At 11:30 AM, Nicole J.'s session, “Introduction to Hunting Methodology”, provides an overview of the proactive and systematic approach to identifying and mitigating threats within a system or network.

    At 12:00 PM, catch our session “Storm-0539: How the threat intelligence shows up for customers” to learn more about the tools and methods used to bring actionability to threat intelligence, including Microsoft Defender Threat Intelligence and Threat Analytics, as presented by Rachel Giacobozzi and Alison Ali.

    At 12:30 PM, Waymon H. presents “The Winds of Change – The Evolution of Octo Tempest”, detailing the evolution of Octo Tempest and a walkthrough of the threat actor's operations across the attack chain, including their extensive abuse of identity and cloud technologies.

    At 1:00 PM, find Ryan Caney and Aled M.'s session “Unraveling GooseEgg: Forest Blizzard's Tool For CVE-2022-38028” for an in-depth analysis of this Russia-based threat actor, their objectives, TTPs, and their custom tool GooseEgg, used to exploit a vulnerability in the Windows Print Spooler service.

    Connect with Microsoft Security at Black Hat USA 2024 | Microsoft Security Blog

  • Join us at Black Hat USA 2024! Check out our in-depth guide to learn more about Microsoft’s comprehensive threat intelligence research and AI-first end-to-end security expertise showcasing on the main stage, briefings, and theatre sessions: https://msft.it/6046lY8s0

    Join Ann Johnson, CVP and Deputy CISO, and Sherrod DeGrippo, Director of Threat Intelligence Strategy, as they share threat intelligence insights and best practices at the Main Stage talk "From the Office of the CISO: Smarter, Faster, Stronger Security in the Age of AI", starting at 12:15 PM in Oceanside A, Level 2: https://msft.it/6047lY8sF

    Take a deeper look into cyber threat actors associated with North Korea during our sponsored session titled “Moonstone Sleet: A Deep Dive into their TTPs,” presented by Greg Schloemer, threat intelligence analyst at Microsoft, beginning at 11:30 AM in Mandalay Bay K: https://msft.it/6048lY8s2

    You can also join us in the Microsoft booth #1240 as we host today’s exclusive theatre sessions below! https://msft.it/6049lY8sN

    At 11:00 AM, join Simeon Kakpovi and Greg Schloemer for a “KC7 Threat Intelligence challenge”, a fun and interactive cybersecurity “detective” game that allows players to investigate realistic intrusions using real tools and simulated data, regardless of players’ prior skills or experience.

    At 11:30 AM, Anthony M. presents “Demystifying Microsoft Incident Response Resources” to provide an overview of various Microsoft Defender tools and techniques used for incident response, such as using Kusto Query Language (KQL) for threat hunting, applying common Defender settings, and leveraging Live Response capabilities.

    At 12:00 PM, catch our session “Targets of Opportunity: Overview of a Global Exploitation Campaign by Russian Military Intelligence”, which details the tactics, techniques, and procedures used by a threat actor we track as Seashell Blizzard to gain initial access to systems, as presented by Michael Matonis.

    At 12:30 PM, Stephen M. presents “Queries timing out? Memory limitations? How to make your Kusto threat hunting queries more efficient”, including some fun techniques for writing more advanced queries too.

    At 1:00 PM, join Judy N. and Kristina Savelesky at our booth for some “Threat Actor TTP Trivia”. Learn more about Microsoft’s threat intelligence landscape and test your threat actor and TTP knowledge with our trivia game!

    At 1:30 PM, learn more about Microsoft’s Bug Bounty Program, how it encourages collaboration across security researchers and the community, and how it enables Microsoft to improve our protection technologies from Bruce R.'s session: “License to Secure: The Microsoft Bounty Program”.

    Connect with Microsoft Security at Black Hat USA 2024 | Microsoft Security Blog

  • Threat actors are continuing to develop advanced phishing and evasion techniques to stay under the radar and take advantage of compromised email accounts to further their attacks. As shared by security researchers Igal Lytzki and Din Serussi during their presentation at Blue Hat Israel, actors like Mango Sandstorm use compromised mailboxes to send remote monitoring and management (RMM) tools to their targets. They also talk about the importance of taking a comprehensive approach in defending against email threats, which includes educating employees, having an email security solution, and conducting penetration testing to find the weak spots and run simulations with evasion techniques. This Microsoft Threat Intelligence Podcast episode, recorded during Blue Hat Israel in May, also features experts such as Gal Niv and Jonathan Jacobi, who discuss their experience creating the Web3 challenge held at the conference. Ida Vass also joins the episode to talk about the experience of producing Blue Hat, and the importance of having a high level of intentionality around what the experience can be for conference attendees. Lastly, Blue Hat keynote speaker J Wolfgang Goerlich shares more insights behind his keynote, which shifted the focus from what is going wrong to what is being done right in cybersecurity. Listen to the full podcast episode, hosted by Sherrod DeGrippo, here: https://msft.it/6047ld3nJ

    Behind the Scenes at Blue Hat IL: Security Advancements and Challenges

  • Microsoft Threat Intelligence reposted this

    Ann Johnson
    Technology Executive. Board Member. Corporate Vice President - Microsoft

    In this blog post, we examine the recent CrowdStrike outage and provide a technical overview of the root cause. We also explain why security products use kernel-mode drivers today and the safety measures Windows provides for third-party solutions. In addition, we share how customers and security vendors can better leverage the integrated security capabilities of Windows for increased security and reliability. Lastly, we provide a look into how Windows will enhance extensibility for future security products. With David Weston

    Windows Security best practices for integrating and managing security tools | Microsoft Security Blog

  • Microsoft uncovered a vulnerability in ESXi hypervisors, identified as CVE-2024-37085, being exploited by threat actors such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest to obtain full administrative permissions on domain-joined ESXi hypervisors and encrypt critical servers in ransomware attacks. The vulnerability involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Microsoft disclosed the findings to VMware, who released a security update to fix this vulnerability. ESXi is a bare-metal hypervisor that is installed directly onto the physical server and provides direct access to and control of underlying resources. In observed attacks, threat actors exploited the vulnerability to gain full administrative permission on an ESXi hypervisor, enabling them to encrypt the file system, access hosted VMs, and possibly exfiltrate data or move laterally within the network. More details on this vulnerability and the attacks exploiting it are in this blog: https://msft.it/6046lbTSm

    Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption | Microsoft Security Blog
