Imposing cost: Last July, Microsoft published a blog on the actor we called KNOTWEED (now Denim Tsunami). Today, we heard that DSIRF, the company behind Denim Tsunami, has closed its doors. Whether directly or indirectly related, shedding light on these private sector offensive actors imposes cost. This is a win! https://lnkd.in/gS-yq23m
Our blog from July: https://lnkd.in/gjfMfNJe
Jeremy Dallman’s Post
We joined industry partners today to make a strong statement and step toward combatting cyber mercenaries, a set of actors we continue to track and protect our customers against. Read more in Amy's blog...
Microsoft has long made clear its belief that cyber mercenaries – private sector offensive actors that develop and sell offensive cyber capabilities that fuel a market without legal rules, responsibilities, or repercussions – don’t deserve immunity. Today, Microsoft and Google, along with several industry partners, have filed an amicus brief in a legal case brought by the Knight First Amendment Institute at Columbia University against the NSO Group (Dada v. NSO Group). Cyber mercenaries like NSO Group have exploited our technology by attacking our users, and we believe that those who have been victimized are entitled to legal recourse even if they are located outside the United States. You can read more about our filing here: https://lnkd.in/dqrUrb65
Protecting users and reaffirming our commitment to combatting cyber mercenaries - Microsoft On the Issues (blogs.microsoft.com)
7/21 PM UPDATE: PXE recovery option out! See the blog for details.
7/21 AM UPDATE: a new option for recovery using safe boot, the option to generate an ISO or USB, a fix for ADK detection when the Windows Driver Kit is installed, and a fix for the USB disk size check.
As a follow-up to the CrowdStrike Falcon agent issue impacting Windows clients and servers, Microsoft has released an updated recovery tool with two repair options to help IT admins expedite the repair process: Recover from WinPE or Recover from safe mode. The signed Microsoft Recovery Tool can be found in the Microsoft Download Center. Details in the blog below.
New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints (techcommunity.microsoft.com)
Since this event began, we’ve maintained ongoing communication with our customers, CrowdStrike and external developers to collect information and expedite solutions. Our focus is providing customers with technical guidance and support to safely bring disrupted systems back online. Steps taken have included:
- Engaging with CrowdStrike to automate their work on developing a solution.
- Deploying hundreds of Microsoft engineers and experts to work directly with customers to restore services.
- Collaborating with other cloud providers and stakeholders, including Google Cloud Platform (GCP) and Amazon Web Services (AWS).
- Quickly posting manual remediation documentation and scripts (links in blog).
- Keeping customers informed of the latest status on the incident through the Azure Status Dashboard (links in blog).
https://lnkd.in/gN9Zw-Hq
Helping our customers through the CrowdStrike outage - The Official Microsoft Blog (blogs.microsoft.com)
[from the article] Microsoft said:
"Today sends a strong message to cybercriminals: there will be consequences for your actions.
"Microsoft commends law enforcement for taking action against those that seek to cause harm, and we remain committed to collaborating with others across the public and private sector to collectively combat cyber threats and make the Internet a safer place.
"As this outcome shows, we have greater impact when we come together to fight cybercrime."
Great work by law enforcement! https://lnkd.in/g8QshuvK
Walsall teenager arrested in joint West Midlands Police and FBI operation (westmidlands.police.uk)
A good roll-up/snapshot of Q2 2024 activity by ransomware actors: Octo Tempest expands their payloads and targets... RansomHub RaaS gets more popular... Fog spreads along with FakePenny... Octo Tempest doubles down on identity attacks... others copy... and RMMs remain a popular vector...
In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns. Octo Tempest is known for sophisticated social engineering techniques, identity compromise and persistence, focus on targeting VMware ESXi servers, and deployment of BlackCat ransomware. RansomHub is a ransomware as a service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware (like BlackCat), making it one of the most widespread ransomware families today. Notably, RansomHub was observed in post-compromise activity by Manatee Tempest following initial access by Mustard Tempest via FakeUpdates/SocGholish infections. In addition to RansomHub and Qilin, other notable ransomware families in this period include BlackSuit, LockBit, Medusa, Black Basta, and Play.

Several new ransomware families emerged this quarter. Fog, which uses the .flocked extension, was first observed in May in campaigns by Storm-0844, a threat actor known for distributing Akira. To deploy Fog, Storm-0844 uses VPN clients to gain initial access, likely via valid accounts. They use open-source tools like ADFind, Rubeus, and Advanced IP Scanner for network discovery and lateral movement. They also use rclone for staging files to be exfiltrated. By June, Storm-0844 was deploying Fog in more campaigns than Akira. FakePenny is another new ransomware family we uncovered during this period. In April, we observed North Korean threat actor Moonstone Sleet (formerly Storm-1789) deploying FakePenny, part of a wide-ranging tradecraft that also includes a malicious tank game: https://msft.it/6046lOdRi

Threat actors like Octo Tempest focus on identity compromise in their intrusions to access and persist in on-premises and cloud environments for data exfiltration and ransomware deployment. This quarter, Storm-0501 was observed adopting similar tactics, utilizing open-source toolkits like AADInternals for domain federations and other techniques to facilitate latter stages of attacks, which culminate in the deployment of Embargo ransomware.

Threat actors also continue to leverage remote management and monitoring tools in ransomware campaigns. In May, we published research on Storm-1811 misusing Quick Assist in social engineering attacks, which were followed by delivery of various malicious tools, leading to Black Basta deployment: https://msft.it/6047lOdRc

Users and organizations are advised to follow security best practices, especially credential hygiene, the principle of least privilege, and Zero Trust. We publish reports on ransomware threat actors and associated activity in Microsoft Defender Threat Intelligence and Microsoft Defender XDR threat analytics. For more information and guidance, visit https://msft.it/6048lOdRY
I'm a day late, but we just put out a second amazing blog on AI jailbreaks. Not only is this blog post very detailed and informative, but it's also a really fun read with great visuals! Congrats to the team for breaking down Skeleton Key so effectively. Here are a few teasers to make you want to read the whole post...
The Skeleton Key jailbreak technique works by using a multi-turn (or multiple step) strategy to cause a model to ignore its guardrails. Once guardrails are ignored, a model will not be able to distinguish malicious or unsanctioned requests from any other. It relies on the attacker already having legitimate access to the AI model.
At the attack layer, Skeleton Key works by asking a model to augment, rather than change, its behavior guidelines so that it responds to any request for information or content, providing a warning (rather than refusing) if its output might be considered offensive, harmful, or illegal if followed. When the Skeleton Key jailbreak is successful, a model acknowledges that it has updated its guidelines and will subsequently comply with instructions to produce any content, no matter how much it violates its original responsible AI guidelines.
Mitigations: input filtering, system messages, output filtering, abuse monitoring.
Microsoft recently discovered a new type of generative AI jailbreak method, which we call Skeleton Key for its ability to potentially subvert responsible AI (RAI) guardrails built into the model, which could enable the model to violate its operators’ policies, make decisions unduly influenced by a user, or run malicious instructions. The Skeleton Key method works by using a multi-step strategy to cause a model to ignore its guardrails by asking it to augment, rather than change, its behavior guidelines. This enables a model to then respond to any request for information or content, including producing ordinarily forbidden behaviors and content. To protect against Skeleton Key attacks, Microsoft has implemented several approaches to our AI system design, provided tools for customers developing their own applications on Azure, and provided mitigation guidance for defenders to discover and protect against such attacks. Learn about Skeleton Key, what Microsoft is doing to defend systems against this threat, and more in the latest Microsoft Threat Intelligence blog from Mark Russinovich, Chief Technology Officer of Microsoft Azure: https://msft.it/6043Y7Xrd
Learn more about Mark Russinovich and his exploration into AI and AI jailbreaking techniques like Crescendo and Skeleton Key, as discussed on the latest Microsoft Threat Intelligence podcast episode hosted by Sherrod DeGrippo: https://msft.it/6044Y7Xre
Mitigating Skeleton Key, a new type of generative AI jailbreak technique | Microsoft Security Blog (https://www.microsoft.com/en-us/security/blog)