[Some Interesting] Cloud ‘n Sec news: 10th Jun 22

Andre Camillo
Published in CloudnSec
3 min read · Jun 11, 2022


What’s worth your reading time

Cloud

Azure

VDI security best practices

An article shared by Microsoft on the subject. Handy? For sure!

Access it here; according to Microsoft, the best practices are:

  • Conditional access applies access controls based on signals like group membership, type of device, and IP address to enforce policies.
  • Multifactor authentication requires that users consistently verify their identities to access sensitive data.
  • Audit logs are used to gain insight into user and admin activities.
  • Endpoint security like Microsoft Defender for Endpoints offers built-in protection against malware and other advanced threats for all your endpoints.
  • Application restriction mitigates security threats by limiting what applications certain users are allowed to access using software like Windows Defender Application Control.
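The first item on that list, conditional access, is easy to state and easy to misread, so here is an added illustration (not Microsoft's code, and not how Azure AD implements it internally) of how sign-in signals such as group membership, device compliance and source IP are matched against policies, how the most restrictive grant wins, and how every decision lands in an audit log. Policy names, the group names, and the 10.0.0.0/8 "trusted" range are constructed for the example.

```python
"""Toy conditional-access evaluator (added example; assumptions are labelled).

Signals from a sign-in are matched against policies; each matching policy
contributes a grant control ("block" or "mfa"). The most restrictive outcome
wins: block > require_mfa > allow. Every evaluation is appended to an audit
log so admins can later see why a user was challenged or denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset          # group memberships of the signing-in user
    device_compliant: bool     # e.g. managed and healthy per endpoint security
    source_ip: str
    mfa_completed: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset          # empty = applies to every user
    untrusted_network_only: bool
    noncompliant_device_only: bool
    grant: str                 # "block" or "mfa"


# Constructed corporate range for the example; real deployments use named locations.
TRUSTED_NETWORKS = ["10.0.0.0/8"]

# Constructed policy set; names and groups are hypothetical.
POLICIES = [
    Policy("Block admins outside trusted networks", frozenset({"vdi-admins"}),
           untrusted_network_only=True, noncompliant_device_only=False, grant="block"),
    Policy("Require MFA for all VDI users", frozenset(),
           untrusted_network_only=False, noncompliant_device_only=False, grant="mfa"),
    Policy("Block non-compliant devices", frozenset(),
           untrusted_network_only=False, noncompliant_device_only=True, grant="block"),
]


def on_trusted_network(ip: str) -> bool:
    """True if the source IP falls inside any trusted CIDR range."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in TRUSTED_NETWORKS)


def policy_applies(policy: Policy, sign_in: SignIn) -> bool:
    """A policy applies only when every one of its conditions matches the sign-in."""
    if policy.groups and not (policy.groups & sign_in.groups):
        return False
    if policy.untrusted_network_only and on_trusted_network(sign_in.source_ip):
        return False
    if policy.noncompliant_device_only and sign_in.device_compliant:
        return False
    return True


def evaluate(sign_in: SignIn, policies: List[Policy] = POLICIES,
             audit_log: Optional[List[Dict]] = None) -> Tuple[str, List[str]]:
    """Return (decision, matched policy names); decision is block/require_mfa/allow."""
    matched = [p for p in policies if policy_applies(p, sign_in)]
    if any(p.grant == "block" for p in matched):
        decision = "block"
    elif any(p.grant == "mfa" for p in matched) and not sign_in.mfa_completed:
        decision = "require_mfa"
    else:
        decision = "allow"
    if audit_log is not None:
        audit_log.append({
            "user": sign_in.user,
            "source_ip": sign_in.source_ip,
            "device_compliant": sign_in.device_compliant,
            "matched_policies": [p.name for p in matched],
            "decision": decision,
        })
    return decision, [p.name for p in matched]


if __name__ == "__main__":
    log: List[Dict] = []
    # Constructed sign-ins: an admin from an external address, a user on the corporate network.
    for s in [
        SignIn("alice", frozenset({"vdi-admins"}), True, "203.0.113.5", mfa_completed=True),
        SignIn("bob", frozenset({"vdi-users"}), True, "10.1.2.3"),
        SignIn("bob", frozenset({"vdi-users"}), False, "10.1.2.3", mfa_completed=True),
    ]:
        print(s.user, evaluate(s, audit_log=log))
    print(log)
```

The point the example makes is that a compliant device and a completed MFA do not rescue a sign-in that another policy blocks, and that the audit entry records which policies fired rather than only the final verdict, which is what makes the logs useful for investigating lockouts.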

What’s new in Azure Firewall

Microsoft announced new features to Azure Firewall in a new blog post.

Among them, a new IDS/IPS feature and more:

  • Intrusion Detection and Prevention System (IDPS) signatures lookup now generally available.
  • TLS inspection (TLSi) Certification Auto-Generation now generally available.
  • Web categories lookup now generally available.
  • Structured Firewall Logs now in preview.
  • IDPS Private IP ranges now in preview.

Security

Defense

Microsoft Defender for Office 365 step by step guide

Released by Microsoft, available for everyone, really handy, access it here:

Announcing the release of step-by-step guides! — Microsoft Tech Community

Threats

Atlassian Zero Day RCE

The announcement and raft of coverage on this cannot be overlooked.

Many outlets and researchers have covered this zero day because of its prevalence in enterprise environments, which makes it very attractive to attackers.

An overview of the coverage was shared by bleeping computer:

The zero-day (CVE-2022-26134) affects all supported versions of Confluence Server and Data Center and allows unauthenticated attackers to gain remote code execution on unpatched servers.

Since it was disclosed as an actively exploited bug, the Cybersecurity and Infrastructure Security Agency (CISA) has also added it to its ‘Known Exploited Vulnerabilities Catalog’ requiring federal agencies to block all internet traffic to Confluence servers on their networks.

Exploits were seen in the wild early in the week, and days later threat intelligence teams reported nation-state threat actors exploiting the vulnerability:

Lockbit Ransomware gang teasing Mandiant leak

Early in the week, reports indicated that the Lockbit ransomware gang had hacked cybersecurity IR giant Mandiant.

Infosec news reporter Sergiu Gatlan reported:

The outcome, however, later proved to be different from what was originally hinted at. According to bleeping computer:

After LockBit published the files, it looks like this wasn’t about files stolen from Mandiant’s network but, instead, about the ransomware group trying to distance itself from the Evil Corp cybercrime gang.

This was likely prompted by LockBit fearing the lost revenue because their victims will stop paying ransoms as Evil Corp is sanctioned by the U.S. government.

Attacks

Italian city victim of cyberattack

At the time of reporting, it was unknown whether it was a DDoS or ransomware, but it caused the city of Palermo in Italy to shut down some of the city's online services, such as video surveillance, the police operations center and other online services.

It’s the 5th largest city in Italy, with more than 1M citizens.

More info here.

Learn more about my Cloud and Security Projects: https://linktr.ee/acamillo

Thank you for reading and leave your thoughts/comments!


Andre Camillo
CloudnSec

Cloud and Security technologies, Career, Growth Mindset, sometimes Music and Gaming easter eggs. Technical Specialist @Microsoft. Opinions are my own.