@GossiTheDog I didn’t realize this part. It won’t show up in MDE logs?

Security Firm @SophosXOps published another report, this one on incidents at small and medium-sized businesses by @thepacketrat and Anna Szalay. One of the things I always look for in these reports are easy #cybersecurity wins -- and this report has a bunch of them.

First off - take a look at this chart: Top 15 dual-use tools. Imagine the pain you can cause threat actors by blocking the use of these tools and disrupting their playbooks!

The free service from portmap.io is being abused to support malware C2 communications. If you don’t use it, I suggest blocking *.portmap.io via DNS, NGFW and/or web proxy.

#cybersecurity #threatintel

From: @ScumBots
https://infosec.exchange/@ScumBots/114167879065509347

I’ve never heard of the MSP-focused bluetrait.io but add it to the list of legitimate services that get abused. If you don’t use this RMM service, I suggest blocking it via DNS, NGFW or Web security proxy. #cybersecurity

From: @threatinsight
https://infosec.exchange/@threatinsight/114144688263847941

There’s been a #Microsoft #outage going on all day today resulting in email and other M365 services including Teams being unavailable. Microsoft says they’ve rolled back the code change that caused the problem so things should start working again soon. Check on MO1020913 in the Microsoft Admin Portal for details.

If you help maintain #cybersecurity on a business network you should absolutely block Telegram—there’s nothing good there. If you have a web security proxy like Netskope or Zscaler, or an NGFW, block it there. You can also block it via DNS. Blocking these domains should do the job:

telegram.me
telegram.org
t.me
cdn-telegram.org
telegram-cdn.org

From: @nopatience
https://swecyb.com/@nopatience/114009822145442393

If you can completely disable device code flows using Conditional Access, you should do so. If you cannot, at least limit which user IDs can use them. If you allow any users to use device code flows, use the #KQL provided to hunt for abuse.

#cybersecurity #microsoft

From: @fabian_bader
https://infosec.exchange/@fabian_bader/114013896376345681

This tactic of sending unsolicited messages and calls via Teams has an easy solution—only allow specific external domains to communicate with your end users. Review your Teams logs, see which domains your users are communicating with, add them to the allow list and enable the control. Make your end users open up a support ticket for future domain adds so you can vet them.

Forget about Zero Trust and apply best practice security configurations. Let the marketing people and the CISO worry about whether something is “zero trust” or not. #Cybersecurity

Microsoft docs:
https://learn.microsoft.com/en-us/microsoft-365/solutions/trusted-vendor-onboarding?view=o365-worldwide#allow-the-vendors-domain-in-teams-external-access

From: @screaminggoat
https://infosec.exchange/@screaminggoat/113867636525001029

@GossiTheDog they just went GA (for Microsoft anyway) last month. Who’s going to widely deploy something from Microsoft that’s not GA?

@GossiTheDog @riskybusiness aren’t all forward web proxies identity-aware these days?

@horse @merill that's the traditional CyberArk model -- have a handful of highly privileged accounts that authorized users can check out and use for a limited period of time (or use them via a privileged session manager connection through a CA RDP proxy). I've never liked that approach because it makes it harder to correlate administrative actions to a person.

@patrickcmiller love to see this!

@patrickcmiller *FortiNOT*

@re_chief @thomasfuchs interesting…I haven’t noticed this but I’m going to keep an eye out for missing replies.

@GossiTheDog Wasabi uses the domain wasabisys.com for their storage service. You should block access to *.wasabisys.com too #threatintel

https://docs.wasabi.com/docs/service-urls?highlight=url

@SkywalkerIsNull @GossiTheDog This looks like one too. An unlikely account to be found on ioc.exchange

@Melody LOL “Most of the expats who want to move to the village are Catholics….” Why not move to Italy? They could live in Rome, right next to Vatican City? Are they worried the Pope isn’t Christian enough?

@goatsarah I got the arsed version