Microsoft Threat Intelligence’s Post

Microsoft researchers discovered two vulnerabilities in Rockwell Automation’s PanelView Plus that could be remotely exploited by attackers to allow remote code execution (RCE) and denial of service (DoS). PanelView Plus devices are graphic terminals, also known as human machine interface (HMI), used in the industrial sector. Both vulnerabilities are related to custom classes in PanelView Plus. The RCE vulnerability involves two custom classes that could be used to upload and load a malicious DLL into the device. The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS. Microsoft reported these findings to Rockwell Automation in May and July 2023, and Rockwell Automation published security patches to address the vulnerabilities in September and October 2023. We’re sharing our research to help developers, vendors, and the industry in general to avoid or detect similar issues in their systems. Read our latest blog to get our analysis of the vulnerabilities, as well as mitigation and protection guidance for defenders: https://msft.it/6046l8Ufn

Microsoft has accelerated the speed and scale at which threat intelligence is published in Microsoft Defender Threat Intelligence (MDTI), Microsoft Defender XDR Threat Analytics, and Microsoft Copilot for Security, giving customers more critical security insights, data, and guidance than ever before. Our 10,000 interdisciplinary experts reason over more than 78 trillion daily threat signals to continuously add to our understanding of threat actors and activity. Over the past year, Microsoft Threat Intelligence has published hundreds of new Intel profiles to help customers maintain situational awareness around the threat activity, techniques, vulnerabilities, and the more than 300 named threat actors tracked by Microsoft. We have also improved the quantity and depth of open-source intelligence (OSINT), and delivered detections and security recommendations to provide context on daily alerts and help customers detect, understand, and address cyberattacks and related activities. Using Copilot for Security, customers can quickly retrieve information from these publications to contextualize artifacts and correlate MDTI and Threat Analytics content and data with other security information from Defender XDR, such as incidents and hunting activities, to help customers assess their vulnerabilities and quickly understand the broader scope of an attack. Learn more: https://msft.it/6048l8z0k

Threats that involve the compromise of multiple privileged identities within the network may require a mass password reset as part of incident response. A mass password reset helps incident responders gain control of the identity plane, deny other avenues of access, and disrupt any persistence the attacker may have established in the environment. There are several variables and considerations for a mass password reset, and there is no one-size-fits-all solution. In this blog post, Microsoft Incident Response provides best practices in preparing for and performing a mass password reset: https://msft.it/6046YhXQ6

Microsoft recently discovered a new type of generative AI jailbreak method, which we call Skeleton Key for its ability to potentially subvert responsible AI (RAI) guardrails built into the model, which could enable the model to violate its operators’ polices, make decisions unduly influenced by a user, or run malicious instructions. The Skeleton Key method works by using a multi-step strategy to cause a model to ignore its guardrails by asking it to augment, rather than change, its behavior guidelines. This enables a model to then respond to any request for information or content, including producing ordinarily forbidden behaviors and content. To protect against Skeleton Key attacks, Microsoft has implemented several approaches to our AI system design, provided tools for customers developing their own applications on Azure, and provided mitigation guidance for defenders to discovered and protect against such attacks. Learn about Skeleton Key, what Microsoft is doing to defend systems against this threat, and more in the latest Microsoft Threat Intelligence blog from the Chief Technology Officer of Microsoft Azure Mark Russinovich: https://msft.it/6043Y7Xrd Learn more about Mark Russinovich and his exploration into AI and AI jailbreaking techniques like Crescendo and Skeleton Key, as discussed on that latest Microsoft Threat Intelligence podcast episode hosted by Sherrod DeGrippo: https://msft.it/6044Y7Xre

The Microsoft Copilot for Security threat intelligence embedded experience in Defender XDR, now generally available, returns, contextualizes, and summarizes intelligence from across Microsoft Defender Threat Intelligence (MDTI) and threat analytics about threat actors, threat tooling, and IoCs related to their security incidents and vulnerabilities. Copilot for Security helps defenders to evaluate artifacts and correlate threat intelligence content and data with other security information from Defender XDR, such as incidents and hunting activities, to assess risks and quickly understand the broader scope of an attack. The threat intelligence embedded experience in Defender XDR can help users summarize threat intelligence, prioritize threats based on exposures and vulnerabilities across the attack surface, and understand threats targeting their industry. Learn more here: https://msft.it/6042YAIos You can also find more details on using Microsoft Copilot for Security for threat intelligence here: https://msft.it/6043YAIot

Octo Tempest is a threat actor known for employing social engineering, intimidation, and other human-centric tactics to gain initial access into an environment, granting themselves privilege to cloud and on-premises resources before exfiltrating data, and unleashing ransomware across an environment. Its extensive range of tactics, techniques, and procedures (TTPs) and ability to pivot quickly and change malicious actions depending on the target organization's response make this threat actor one of the most dangerous financial criminal groups. In this blog post, Microsoft Incident Response provides a response playbook to empower defenders in tackling the challenges posed by Octo Tempest and evicting the threat actor from cloud and on-premises environments: https://msft.it/6044Y2DSK Read our past report on Octo Tempest, documenting their wide array of TTPs: https://msft.it/6045Y2DSz

The June 2024 security updates are available: