
Tenable Blog

Cybersecurity Snapshot: CISA Issues Incident Response Tool for Microsoft Cloud Services

Learn about a free tool for detecting malicious activity in Microsoft cloud environments. Plus, Europol warns about ChatGPT cyber risks. Also, how business email compromise (BEC) scammers are stealing merchandise. In addition, CISA alerts orgs about early-stage ransomware breaches. And much more! 

Dive into six things that are top of mind for the week ending March 31.

1 - CISA releases cloud security tool for Microsoft, gives it fowl name

Cloud security teams have a new, albeit oddly named, tool for detecting malicious activity in Microsoft Azure, Azure Active Directory (AAD) and Microsoft 365 (M365). 

The “Untitled Goose Tool” from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Sandia National Laboratories is described as a “flexible hunt and incident response tool” that gives network defenders authentication and data-gathering methods for these Microsoft cloud services.

But about the name. Is it an allusion to incident-response wild goose chases it’s meant to prevent? Is it a “Top Gun” reference, as CISA Director Jen Easterly’s tweet about the tool suggests?

(Update: Thanks to the several alert readers who clarified for me that the name is a play on the popular "Untitled Goose Game.")

“Untitled Goose Tool” can be used to export and review:

  • AAD sign-in and audit logs
  • M365 unified audit log (UAL)
  • Azure activity logs
  • Microsoft Defender for IoT alerts
  • Microsoft Defender for Endpoint (MDE) data

Cloud security teams can also use it to query, export and investigate AAD, M365 and Azure configurations.

CISA says “Untitled Goose Tool” uses novel authentication and data gathering methods to perform tasks including extracting cloud artifacts from these Microsoft cloud environments without performing additional analytics.

For more information about “Untitled Goose Tool” you can check out the CISA announcement, fact sheet and GitHub page, as well as coverage from Redmond Magazine, The Register and Dark Reading.

And a reminder to cloud security teams everywhere: You’re not going to be happy unless you’re going Mach 2 with your hair on fire. You know that.

And don’t lose that loving feeling. 

Moving on – time to buzz the tower. In other words, time to check what’s up this week with ChatGPT.

2 - Europol: Police must prep for criminal uses of AI chatbots

Criminals will quickly ramp up their use of generative AI chatbots like ChatGPT in the near future, so police departments and law enforcement agencies must be ready to anticipate, detect and investigate these crimes.

That’s the word from Europol, the E.U.’s law enforcement agency, which this week released its study “ChatGPT: The impact of Large Language Models on Law Enforcement,” based on a series of internal workshops organized by the Europol Innovation Lab.

Europol recommendations for police chiefs and law enforcement organizations include:

  • Raise awareness about current and potential malicious uses of generative AI chatbots
  • Understand potential impact of this technology on different crime areas
  • Explore how ChatGPT and tools like it can help law enforcement build up knowledge and expand expertise
  • Consider developing custom generative AI chatbots trained on specialized law enforcement data for tailored and specific police use

The Europol study is just the latest warning about actual and potential abuse of tools like ChatGPT for things like writing malware, crafting phishing emails, impersonating others, facilitating fraud and producing false information. 

In addition, OpenAI, the maker of ChatGPT, recently disclosed that a bug in the system exposed some users’ chat history titles and their conversations’ first message, as well as payment-related information of some ChatGPT Plus subscribers.

For more information about security concerns related to ChatGPT and similar generative AI tools, check out these Tenable resources:

VIDEO

 Anatomy of a Threat: GPT-4 and ChatGPT Used as Lure in Phishing Scams Promoting Fake OpenAI Tokens

3 - GSA 5G acquisition guidance includes cybersecurity advice

U.S. federal government agencies received guidance from the General Services Administration (GSA) on how to select 5G equipment using various criteria, including security considerations.

The GSA’s “Acquisition Guidance for Procuring 5G Technology,” which was published this week, warns about key dangers associated with 5G systems, including:

  • Improper deployment, configuration and management, because 5G networks have far more technology components than previous wireless networks
  • Supply chain risks introduced maliciously or unintentionally, also caused by 5G systems’ higher technical complexity
  • “Inherited” risks stemming from the integration of 5G systems with older wireless networks that contain legacy vulnerabilities

Recommendations include:

  • Determine application needs, including bandwidth, latency and locations, and establish security requirements
  • Establish the purpose and type of network connectivity needed, and based on that determine the appropriate security controls to use
  • Require that vendors provide:
    • a security development lifecycle for their 5G products that shows security considerations from the design phase through end-of-life
    • a description of their vulnerability reporting and response program
  • Integrate 5G systems’ authentication and access controls into your existing infrastructure
  • Decide what encryption requirements will be appropriate to secure your 5G data

For more information about 5G security:

VIDEO

5G Implementation Security Risks (CISA)

4 - U.S. government mulls TikTok ban

Should the ultra-popular TikTok social media app be banned in the U.S.? That’s a possibility being debated in Washington, D.C. right now, as many in Congress worry that ByteDance, the Chinese company that owns TikTok, may be sharing data from U.S. users with the Chinese government.

Last week, TikTok CEO Shou Zi Chew got grilled during an hours-long congressional hearing in which he tried to dispel a laundry list of privacy and national security worries voiced by U.S. lawmakers.

While support for a TikTok ban seemed overwhelming in Congress during the hearing, things have become less clear this week, with some lawmakers from both parties coming out against the idea, including Republican Senator Rand Paul and Democratic Representative Alexandria Ocasio-Cortez.

There are about 150 million Americans, the majority of them teenagers and twentysomethings, on TikTok, a platform for posting short videos.

For more information:

Tenable CEO Amit Yoran discusses proposed U.S. TikTok ban on CNN

5 - FBI warns of sophisticated BEC scam targeting vendors

Vendors of goods such as construction materials, agricultural supplies, computer hardware and solar energy products beware: Cybercriminals are using an elaborate business email compromise (BEC) scam to steal your merchandise.

That’s the word from the U.S. Federal Bureau of Investigation (FBI), which detailed the cybercrooks’ BEC methods in a recent alert titled “Business Email Compromise Tactics Used to Facilitate the Acquisition of Commodities and Defrauding Vendors.”

As in the typical BEC scam, these fraudsters send emails that look legitimate using spoofed domain addresses and the names of actual employees in order to impersonate buyers and dupe recipients into conducting bulk purchase transactions.

By providing fake credit references and forged W-9 forms to vendors, the scammers are able to obtain 30- or 60-day terms for payment, which delays the discovery of the fraud and allows them to place multiple purchase orders.

To avoid falling for these BEC scams, the FBI recommends:

  • Call a business’s main phone line directly to confirm the identity and employment status of the email sender, rather than calling numbers listed in the email message
  • Ensure the email domain address is associated with the business it claims to be from
  • Do not click on any links included in the emails, but rather type in the URL/domain of the source directly
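As an added example (not code from the FBI alert or from Tenable), here is a small Python triage script that applies the second and third checks above to a constructed purchase-order email: it compares the sender's domain with the domains the vendor already knows for the customer the display name claims to represent, flags a lookalike domain, and lists the hosts behind any links so they can be verified instead of clicked. The customer domain list, the sample message and the lookalike heuristic are assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample data: the domains the vendor already knows its customer "Acme Corp" uses.
KNOWN_CUSTOMER_DOMAINS = {"Acme Corp": {"acme.com"}}

# Constructed purchase-order email in the style the alert describes: a real-looking
# employee name, a lookalike sender domain and a link to "credit references".
SAMPLE_EMAIL = """\
From: "Jane Doe, Acme Corp Purchasing" <jane.doe@acme-corp-orders.com>
To: sales@vendor.example
Subject: PO 4471 - net-60 terms requested

Please ship 40 pallets. Our W-9 and credit references: https://acme-corp-orders.com/w9.pdf
"""

def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch near-miss domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender_domain, known_domains):
    """Return the known domain the sender's domain imitates (assumed heuristic), or None."""
    label = sender_domain.split(".")[0]
    for known in known_domains:
        klabel = known.split(".")[0]
        if sender_domain != known and (klabel in label or edit_distance(label, klabel) <= 2):
            return known
    return None

def triage_email(raw, customers=KNOWN_CUSTOMER_DOMAINS):
    """Apply the sender-domain and link checks to one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    claimed = next((org for org in customers if org.lower() in display.lower()), None)  # org named in From
    known = customers.get(claimed, set())
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = re.findall(r"https?://[^\s<>\"]+", body)  # link hosts to verify, not click
    return {"claimed_org": claimed, "sender_domain": sender_domain,
            "domain_known": sender_domain in known, "lookalike_of": lookalike_of(sender_domain, known),
            "link_hosts": sorted({urlsplit(u).hostname for u in links})}
```

For the sample message the result shows the claimed customer, a sender domain that is not on file, the known domain it imitates and the off-domain link host, which is exactly the information a phone call to the customer's main line would confirm or refute.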

For more information about BEC:

VIDEOS

A Holistic Approach to Defending Business Email Compromise (BEC) Attacks (SANS Institute)

Don’t Let Cyber Criminals Cash In – Preventing BEC (CISA)

6 - CISA to alert about “early stage” ransomware breaches

If ransomware attackers breach your network, your organization may get a heads-up from the U.S. government. That’s the goal of the Pre-Ransomware Notification Initiative just announced by CISA.

There’s typically a window of time that can last from hours to days between the moment when ransomware actors gain access to a network and the moment when they hijack systems and encrypt data.


If CISA gets tipped off that a ransomware gang has breached an organization’s network, the agency will immediately notify the affected organization. Since the beginning of the year, CISA has notified about 60 organizations about “potential pre-ransomware intrusions,” and many “remediated the intrusion before encryption or exfiltration occurred,” according to the agency.

Where do these tips about early-stage ransomware activity come from? Cybersecurity researchers, infrastructure providers and cyberthreat intelligence companies, to mention a few. Anyone with a tip can email it to this address: [email protected].

The announcement comes on the heels of CISA’s launch of a similar program called “Ransomware Vulnerability Warning Pilot,” in which the agency probes internet-facing assets from critical infrastructure organizations and alerts them if it detects vulnerabilities that ransomware groups typically exploit.

For more information about ransomware prevention and mitigation:

Tenable videos

Anatomy of a Threat: Vice Society Ransomware Targeting Education Sector

Anatomy of a Threat: Hive Ransomware Selling to Threat Groups

Anatomy of a Threat: Beware ProxyNotShell
