Microsoft Threat Intelligence’s Post

The July 2024 security updates are available:

In this episode of The Microsoft Threat Intelligence podcast, top experts from different areas in cybersecurity share their experiences pushing for security at various levels and their insights on the impact of AI to cybersecurity This series of discussions, recorded live at RSA Conference 2024, features discussions on the process of securing the Windows platform, the power grid, as well as the unique challenges faced by specific industries such as education in cybersecurity. The experts also talk about the importance of integration in dealing with cyberthreats, such as considering product functionality when building cybersecurity measures, as well as including threat intelligence related to cybercrime entities into attack frameworks such as MITRE. Listen to the full episode, hosted by Sherrod DeGrippo, here: https://msft.it/6040lHNSm

Microsoft researchers discovered two vulnerabilities in Rockwell Automation’s PanelView Plus that could be remotely exploited by attackers to allow remote code execution (RCE) and denial of service (DoS). PanelView Plus devices are graphic terminals, also known as human machine interface (HMI), used in the industrial sector. Both vulnerabilities are related to custom classes in PanelView Plus. The RCE vulnerability involves two custom classes that could be used to upload and load a malicious DLL into the device. The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS. Microsoft reported these findings to Rockwell Automation in May and July 2023, and Rockwell Automation published security patches to address the vulnerabilities in September and October 2023. We’re sharing our research to help developers, vendors, and the industry in general to avoid or detect similar issues in their systems. Read our latest blog to get our analysis of the vulnerabilities, as well as mitigation and protection guidance for defenders: https://msft.it/6046l8Ufn

Microsoft has accelerated the speed and scale at which threat intelligence is published in Microsoft Defender Threat Intelligence (MDTI), Microsoft Defender XDR Threat Analytics, and Microsoft Copilot for Security, giving customers more critical security insights, data, and guidance than ever before. Our 10,000 interdisciplinary experts reason over more than 78 trillion daily threat signals to continuously add to our understanding of threat actors and activity. Over the past year, Microsoft Threat Intelligence has published hundreds of new Intel profiles to help customers maintain situational awareness around the threat activity, techniques, vulnerabilities, and the more than 300 named threat actors tracked by Microsoft. We have also improved the quantity and depth of open-source intelligence (OSINT), and delivered detections and security recommendations to provide context on daily alerts and help customers detect, understand, and address cyberattacks and related activities. Using Copilot for Security, customers can quickly retrieve information from these publications to contextualize artifacts and correlate MDTI and Threat Analytics content and data with other security information from Defender XDR, such as incidents and hunting activities, to help customers assess their vulnerabilities and quickly understand the broader scope of an attack. Learn more: https://msft.it/6048l8z0k

Threats that involve the compromise of multiple privileged identities within the network may require a mass password reset as part of incident response. A mass password reset helps incident responders gain control of the identity plane, deny other avenues of access, and disrupt any persistence the attacker may have established in the environment. There are several variables and considerations for a mass password reset, and there is no one-size-fits-all solution. In this blog post, Microsoft Incident Response provides best practices in preparing for and performing a mass password reset: https://msft.it/6046YhXQ6

Microsoft recently discovered a new type of generative AI jailbreak method, which we call Skeleton Key for its ability to potentially subvert responsible AI (RAI) guardrails built into the model, which could enable the model to violate its operators’ polices, make decisions unduly influenced by a user, or run malicious instructions. The Skeleton Key method works by using a multi-step strategy to cause a model to ignore its guardrails by asking it to augment, rather than change, its behavior guidelines. This enables a model to then respond to any request for information or content, including producing ordinarily forbidden behaviors and content. To protect against Skeleton Key attacks, Microsoft has implemented several approaches to our AI system design, provided tools for customers developing their own applications on Azure, and provided mitigation guidance for defenders to discovered and protect against such attacks. Learn about Skeleton Key, what Microsoft is doing to defend systems against this threat, and more in the latest Microsoft Threat Intelligence blog from the Chief Technology Officer of Microsoft Azure Mark Russinovich: https://msft.it/6043Y7Xrd Learn more about Mark Russinovich and his exploration into AI and AI jailbreaking techniques like Crescendo and Skeleton Key, as discussed on that latest Microsoft Threat Intelligence podcast episode hosted by Sherrod DeGrippo: https://msft.it/6044Y7Xre

The Microsoft Copilot for Security threat intelligence embedded experience in Defender XDR, now generally available, returns, contextualizes, and summarizes intelligence from across Microsoft Defender Threat Intelligence (MDTI) and threat analytics about threat actors, threat tooling, and IoCs related to their security incidents and vulnerabilities. Copilot for Security helps defenders to evaluate artifacts and correlate threat intelligence content and data with other security information from Defender XDR, such as incidents and hunting activities, to assess risks and quickly understand the broader scope of an attack. The threat intelligence embedded experience in Defender XDR can help users summarize threat intelligence, prioritize threats based on exposures and vulnerabilities across the attack surface, and understand threats targeting their industry. Learn more here: https://msft.it/6042YAIos You can also find more details on using Microsoft Copilot for Security for threat intelligence here: https://msft.it/6043YAIot

Learn from Mark Russinovich, CTO and Technical Fellow of Microsoft Azure, as he shares details on his journey from developing Sysinternals to working in the cloud with Azure, his experiences with testing AI models for vulnerabilities, and discovering AI jailbreak attacks like Crescendo, a technique that tricks LLMs into generating malicious content by exploiting their own responses. Listen to the full episode of the Microsoft Threat Intelligence podcast here, hosted by Sherrod DeGrippo: https://msft.it/6046Y2knp More details on Crescendo and how Microsoft discovers and mitigates attacks against AI guardrails in this blog post: https://msft.it/6047Y2knV