Microsoft Security Saturday – 10/30/2021

Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection – Microsoft has discovered a vulnerability that could allow an attacker to bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We also found a similar technique that could allow an attacker to elevate their privileges to root an affected device. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2021-30892, was included in the security updates released by Apple on October 26, 2021.

NOBELIUM targeting delegated administrative privileges to facilitate broader attacks – The Microsoft Threat Intelligence Center (MSTIC) has detected nation-state activity associated with the threat actor tracked as NOBELIUM, attempting to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations (referred to as “service providers” for the rest of this blog) that have been granted administrative or privileged access by other organizations.

New insights on cybersecurity in the age of hybrid work – As we approach the last week of Cybersecurity Awareness Month, I think about what is top of mind for myself and my peers in security. The past year has continued 2020's major shift in the way organizations operate. Recent data shows that 81 percent of enterprise organizations have begun the move toward a hybrid workplace, with 31 percent of those surveyed having already fully adopted it. As the public and private sectors continue to enable hybrid work, the attack surface for cyber threats has expanded, and threat actors have been quick to exploit any vulnerabilities.

Microsoft Digital Defense Report shares new insights on nation-state attacks – The aims of nation-state cyber actors—largely espionage and disruption—remain consistent, along with their most reliable tactics and techniques: credential harvesting, malware, and VPN exploits. However, a common theme this year among the actors originating from China, Russia, North Korea, and Iran has been increased targeting of IT service providers as a way of exploiting downstream customers.

Web content filtering now generally available on Windows – Over the past six months, we have focused on redesigning our reporting infrastructure to ensure that customers can access web content filtering reports in a reliable, performant manner. Reports are now updated regularly and can be viewed in the new Microsoft 365 Defender portal (go to Reports > Web Protection > Web Content Filtering Details).

Announcing live response for macOS and Linux – As part of our ongoing effort to deliver industry-leading EDR capabilities across platforms, we are pleased to announce that new live response capabilities for macOS and Linux are now available for public preview customers.

Azure Defender: Automatically Extend Multiple Suppression Rules on Security Alerts – Azure Defender helps organizations be more secure by providing dedicated security analytics for a variety of workloads. Once you’ve enabled Azure Defender for the workload you need, you will receive alerts based on the analytics that were created to detect threats for the type of workload you selected. To ensure security alerts meet your organization’s specific requirements, you can create suppression rules to fine-tune alerts. Each suppression rule has an expiration date, which can be altered either through the Azure portal or the REST API.
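The paragraph above says suppression rules expire and that the expiration can be changed through the REST API, which is the hook for extending many rules at once. The script below is an added example written for this page, not code from the linked post or from Microsoft. It assumes the Microsoft.Security/alertsSuppressionRules resource with api-version 2019-01-01-preview, the rule shape shown in the constructed SAMPLE_RULES list (alert type names and rule names are made up), and placeholder values for the subscription id and bearer token. It selects enabled rules that expire within a window (or have already expired), builds the PUT body that pushes the expiration out, and only touches the network in the clearly separated apply() step.

```python
"""Extend expiring Azure Defender alert-suppression rules in bulk.

Added example for this page, not Microsoft's code. Assumptions: the REST
resource Microsoft.Security/alertsSuppressionRules with
api-version=2019-01-01-preview, the rule JSON shape in SAMPLE_RULES
(constructed, with made-up rule and alert-type names), and placeholder
subscription id / bearer token.
"""
import json
from datetime import datetime, timedelta, timezone

API_VERSION = "2019-01-01-preview"  # assumed api-version for this resource
BASE = "https://management.azure.com"

# Constructed sample of what a list call returns, trimmed to the fields used here.
SAMPLE_RULES = [
    {"name": "suppress-nmap-scans", "properties": {
        "alertType": "VM_PortScan",  # hypothetical alert type
        "expirationDateUtc": "2021-11-02T00:00:00Z",
        "lastModifiedUtc": "2021-10-01T09:00:00.1234567Z",
        "state": "Enabled", "reason": "Other", "comment": "authorised internal scanner",
        "suppressionAlertsScope": {"allOf": [
            {"field": "entities.host.dnsdomain", "in": ["scanner.corp.example"]}]}}},
    {"name": "suppress-known-admin-tool", "properties": {
        "alertType": "VM_SuspiciousTool",  # hypothetical alert type
        "expirationDateUtc": "2022-06-01T00:00:00Z",
        "state": "Enabled", "reason": "Other"}},
    {"name": "retired-rule", "properties": {
        "alertType": "VM_PortScan",
        "expirationDateUtc": "2021-10-31T00:00:00Z",
        "state": "Disabled", "reason": "Other"}},
    {"name": "suppress-old-backup-job", "properties": {
        "alertType": "SQL_AnomalousAccess",  # hypothetical alert type
        "expirationDateUtc": "2021-10-01T12:00:00.0000000Z",
        "state": "Enabled", "reason": "Other"}},
]


def parse_utc(stamp):
    """Parse ARM timestamps; tolerates 7-digit fractional seconds, which fromisoformat rejects."""
    base = stamp.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def expiring_rules(rules, now, within_days=7):
    """Enabled rules whose expiration is within `within_days` of `now`, or already past."""
    cutoff = now + timedelta(days=within_days)
    selected = []
    for rule in rules:
        props = rule["properties"]
        if props.get("state") != "Enabled":
            continue  # disabled rules are left to lapse
        expiry = props.get("expirationDateUtc")
        if expiry is None:
            continue  # no expiry set, nothing to extend
        if parse_utc(expiry) <= cutoff:
            selected.append(rule)
    return selected


def extended_payload(rule, now, extend_days=30):
    """PUT body: the rule's own properties with a new expiration, server-managed fields dropped."""
    props = dict(rule["properties"])
    props["expirationDateUtc"] = (now + timedelta(days=extend_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    props.pop("lastModifiedUtc", None)
    return {"properties": props}


def rule_url(subscription_id, rule_name):
    return (f"{BASE}/subscriptions/{subscription_id}/providers/Microsoft.Security"
            f"/alertsSuppressionRules/{rule_name}?api-version={API_VERSION}")


def plan_extensions(rules, subscription_id, now, within_days=7, extend_days=30):
    """(url, body) pairs for every rule that needs extending; review before applying."""
    return [(rule_url(subscription_id, r["name"]), extended_payload(r, now, extend_days))
            for r in expiring_rules(rules, now, within_days)]


def apply(plan, token):
    """Send the PUTs. Network-only step, kept apart so the planning can be reviewed offline."""
    import urllib.request
    for url, body in plan:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="PUT",
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            print(resp.status, url)


if __name__ == "__main__":
    now = datetime(2021, 10, 30, tzinfo=timezone.utc)
    for url, body in plan_extensions(SAMPLE_RULES, "00000000-0000-0000-0000-000000000000", now):
        print("PUT", url)
        print(json.dumps(body, indent=2))
```

Run it as-is to see the plan; pass the output of a real GET on the same resource into plan_extensions and a valid ARM token into apply() to execute it. A rule that is Disabled or has no expiration is deliberately skipped: extending a disabled rule silently re-arms a suppression someone switched off, which is exactly the kind of unreviewed blind spot a bulk script should not create.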

Monitoring Sentinel Analytical Rules – Push Health Notifications – Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for the SOC to triage and investigate, and respond to threats with automated tracking and remediation processes.

Agent Based IoT security with Azure Defender for IoT – Are you a device builder, solution operator or a system integrator that wants to provide your customers with IoT devices and solutions that are built with next generation security capabilities? If so, come join us in this session to learn about how Azure Defender for IoT can help make secure devices and solutions the core strength of your next offering.

How the Microsoft 365 App Compliance program helps enable a secure Teams app ecosystem – It is no secret that applications are essential to empowering business continuity and productivity, within Teams and across the organization’s app ecosystem. The importance of productivity and collaboration tooling has become especially top of mind with the shift to hybrid work and a scaled remote workforce. With tens of millions of applications available, IT and security operations teams need to be able to efficiently minimize the risk associated with such a large app ecosystem.

The Microsoft Information Protection (MIP) Ninja Training is here! – We are very excited and pleased to announce this rendition of the Ninja Training Series. With all the other training out there, our team has been working diligently to get this content out there. There are several videos and resources out there, and the overall purpose of the MIP Ninja training is to help you master this realm. We aim to get you up-to-date links to the community blogs, training videos, Interactive Guides, learning paths, and any other relevant documentation.