Cybersecurity Snapshot: CISA Issues Incident Response Tool for Microsoft Cloud Services

Learn about a free tool for detecting malicious activity in Microsoft cloud environments. Plus, Europol warns about ChatGPT cyber risks. Also, how business email compromise (BEC) scammers are stealing merchandise. In addition, CISA alerts orgs about early-stage ransomware breaches. And much more! 

Dive into six things that are top of mind for the week ending March 31.

1 - CISA releases cloud security tool for Microsoft, gives it fowl name

Cloud security teams have a new, albeit oddly named, tool for detecting malicious activity in Microsoft Azure, Azure Active Directory (AAD) and Microsoft 365 (M365). 

The “Untitled Goose Tool” from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Sandia National Laboratories is described as a “flexible hunt and incident response tool” that gives network defenders authentication and data-gathering methods for these Microsoft cloud services.

But about the name. Is it an allusion to incident-response wild goose chases it’s meant to prevent? Is it a “Top Gun” reference, as CISA Director Jen Easterly’s tweet about the tool suggests?

(Update: Thanks to the several alert readers who clarified for me that the name is a play on the popular "Untitled Goose Game.")

“Untitled Goose Tool” can be used to export and review:

• ADD sign-in and audit logs
• M365 unified audit log (UAL)
• Azure activity logs
• Microsoft Defender for IoT alerts
• Microsoft Defender for Endpoint (MDE) data

Cloud security teams can also use it to query, export and investigate AAD, M365 and Azure configurations.

CISA says “Untitled Goose Tool” uses novel authentication and data gathering methods to perform tasks including extracting cloud artifacts from these Microsoft cloud environments without performing additional analytics.

For more information about “Unified Goose Tool” you can check out the CISA announcement, fact sheet and GitHub page, as well as coverage from Redmond Magazine, The Register and Dark Reading.

And a reminder to cloud security teams everywhere: You’re not going to be happy unless you’re going Mach 2 with your hair on fire. You know that.

And don’t lose that loving feeling. 

Moving on – time to buzz the tower. In other words, time to check what’s up this week with ChatGPT.

2 - Europol: Police must prep for criminal uses of AI chatbots

Criminals will quickly ramp up their use of generative AI chatbots like ChatGPT in the near future, so police departments and law enforcement agencies must be ready to anticipate, detect and investigate these crimes.

That’s the word from Europol, the E.U.’s law enforcement agency, which this week released its study “ChatGPT: The impact of Large Language Models on Law Enforcement,” based on a series of internal workshops organized by the Europol Innovation Lab.

Europol recommendations for police chiefs and law enforcement organizations include:

• Raise awareness about current and potential malicious uses of generative AI chatbots
• Understand potential impact of this technology on different crime areas
• Explore how ChatGPT and tools like it can help law enforcement build up knowledge and expand expertise
• Consider developing custom generative AI chatbots trained on specialized law enforcement data for tailored and specific police use

The Europol study is just the latest warning about actual and potential abuse of tools like ChatGPT for things like writing malware, crafting phishing emails, impersonating others, facilitating fraud and producing false information. 

In addition, OpenAI, the maker of ChatGPT, recently disclosed that a bug in the system exposed some users’ chat history titles and their conversations’ first message, as well as payment-related information of some ChatGPT Plus subscribers.

For more information about security concerns related to ChatGPT and similar generative AI tools, check out these Tenable resources:

• “OpenAI CEO worries about the potential to abuse ChatGPT”
• “OpenAI’s ChatGPT and GPT-4 Used as Lure in Phishing Email, Twitter Scams to Promote Fake OpenAI Tokens”
• “Cybersecurity Snapshot: A ChatGPT Special Edition About What Matters Most to Cyber Pros”
• “Amid ChatGPT furor, U.S. issues framework for secure AI”
• “U.K. cyber agency: Tread carefully when feeding data to ChatGPT”

VIDEO

 Anatomy of a Threat: GPT-4 and ChatGPT Used as Lure in Phishing Scams Promoting Fake OpenAI Tokens

3 - GSA 5G acquisition guidance includes cybersecurity advice

U.S. federal government agencies received guidance from the General Services Administration (GSA) on how to select 5G equipment using various criteria, including security considerations.

The GSA’s “Acquisition Guidance for Procuring 5G Technology,” which was published this week, warns about key dangers associated with 5G systems, including:

• Improper deployment, configuration and management due to 5G networks’ larger amount of technology components than previous wireless networks
• Supply chain risks introduced maliciously or unintentionally, also caused by 5G systems’ higher technical complexity
• “Inherited” risks stemming from the integration of 5G systems with older wireless networks that contain legacy vulnerabilities

Recommendations include:

• Determine application needs, including bandwidth, latency and locations, and establish security requirements
• Establish the purpose and type of network connectivity needed, and based on that determine the appropriate security controls to use
• Require that vendors provide:
  • a security development lifecycle for their 5G products that show security considerations from their design to end-of-life phases
  • a description of the their vulnerability reporting and response program
• Integrate 5G systems’ authentication and access controls into your existing infrastructure
• Decide what encryption requirements will be appropriate to secure your 5G data

For more information about 5G security:

• “5G Cybersecurity” (U.S. National Institute of Standards and Technology – NIST)
• “Secure 5G” (U.S. National Telecommunications and Information Administration)
• “Tackling Security Challenges in 5G Networks” (EU Agency for Cybersecurity - ENISA)
• “Security Implications of 5G Technology” (U.S. Department of Homeland Security - DHS)
•  “5G Hierarchy of Threats” (MITRE)

VIDEO

5G Implementation Security Risks (CISA)

4 - U.S. government mulls TikTok ban

Should the ultra-popular TikTok social media app be banned in the U.S.? That’s a possibility being debated in Washington, D.C. right now, as many in Congress worry that ByteDance, the Chinese company that owns TikTok, may be sharing data from U.S. users with the Chinese government.

Last week, TikTok CEO Shou Zi Chew got grilled during an hours-long congressional hearing in which he tried to dispel a laundry list of privacy and national security worries voiced by U.S. lawmakers.

While support for a TikTok ban seemed overwhelming in Congress during the hearing, things have become less clear this week, with some lawmakers from both parties coming out against the idea, including Republican Senator Rand Paul and Democratic Representative Alexandria Ocasio-Cortez.

There are about 150 million Americans, the majority of them teenagers and twentysomethings, on TikTok, a platform for posting short videos.

For more information:

Tenable CEO Amit Yoran discusses proposed U.S. TikTok ban on CNN

• “Bipartisan opposition to banning TikTok emerges on Capitol Hill” (NBC News)
• “How could the US ban TikTok?” (The Hill)
• “Despite growing support in Congress for a TikTok ban, Hawley fails to force his bill forward” (Kansas City Star)
• “TikTok congressional hearing: CEO Shou Zi Chew grilled by US lawmakers” (Reuters)

5 - FBI warns of sophisticated BEC scam targeting vendors

Vendors of goods such as construction materials, agricultural supplies, computer hardware and solar energy products beware: Cybercriminals are using an elaborate business email compromise (BEC) scam to steal your merchandise.

That’s the word from the U.S. Federal Bureau of Investigation (FBI), which detailed the cybercrooks’ BEC methods in a recent alert titled “Business Email Compromise Tactics Used to Facilitate the Acquisition of Commodities and Defrauding Vendors.”

As in the typical BEC scam, these fraudsters send emails that look legitimate using spoofed domain addresses and the names of actual employees in order to impersonate buyers and dupe recipients into conducting bulk purchase transactions.

By providing fake credit references and forged W-9 forms to vendors, the scammers are able to obtain 30- or 60-day terms for payment, which delays the discovery of the fraud and allows them to place multiple purchase orders.

To avoid falling for these BEC scams, the FBI recommends:

• Call a business’s main phone line directly to confirm the identity and employment status of the email sender, rather than calling numbers listed in the email message

• Ensure the email domain address is associated with the business it claims to be from

• Do not click on any links included in the emails, but rather type in the URL/domain of the source directly

For more information about BEC:

• “How can we help you? Business Email Compromise” (U.S. Federal Bureau of Investigation)
• “How Businesses Can Defend Against Business Email Compromise Scams” (Business News Daily)
• “Business Email Compromise” (Techopedia)
• “Security Primer – Business Email Compromise” (Center for Internet Security)
• “14 tips to prevent business email compromise” (CSO Online)

VIDEOS

A Holistic Approach to Defending Business Email Compromise (BEC) Attacks (SANS Institute)

Don’t Let Cyber Criminals Cash In – Preventing BEC (CISA)

6 - CISA to alert about “early stage” ransomware breaches

If ransomware attackers breach your network, your organization may get a heads-up from the U.S. government. That’s the goal of the Pre-Ransomware Notification Initiative just announced by CISA.

There’s typically a window of time that can last from hours to days between the moment when ransomware actors gain access to a network and the moment when they hijack systems and encrypt data.

If CISA gets tipped off that a ransomware gang has breached an organization’s network, the agency will immediately notify the affected organization. Since the beginning of the year, CISA has notified about 60 organizations about “potential pre-ranswomare intrusions” and many “remediated the intrusion before encryption or exfiltration occurred,” according to the agency.

Where do these tips about early-stage ransomware activity come from? Cybersecurity researchers, infrastructure providers and cyberthreat intelligence companies, to mention a few. Anyone with a tip can email it to this address: [email protected].

The announcement comes on the heels of CISA’s launch of a similar program called “Ransomware Vulnerability Warning Pilot,” in which the agency probes internet-facing assets from critical infrastructure organizations and alerts them if it detects vulnerabilities that ransomware groups typically exploit.

For more information about ransomware prevention and mitigation:

• “7 Steps to Help Prevent & Limit the Impact of Ransomware” (Center of Internet Security)
• “A Look Inside the Ransomware Ecosystem” (Tenable)
• “Mitigating malware and ransomware attacks” (U.K. National Cyber Security Centre)
• “Ransomware Preparedness: Why Organizations Should Plan for Ransomware Attacks Like Disasters” (Tenable)

Tenable videos

Anatomy of a Threat: Vice Society Ransomware Targeting Education Sector

Anatomy of a Threat: Hive Ransomware Selling to Threat Groups

Anatomy of a Threat: Beware ProxyNotShell