CISA unleashes Untitled Goose Tool to honk at danger in Microsoft's cloud


American cybersecurity officials have released an early-warning system to protect Microsoft cloud users.

The US government's Cybersecurity and Infrastructure Security Agency (CISA) released the software, developed in conjunction with Sandia National Labs, to help network administrators spot potentially malicious activity in the Microsoft Azure cloud, Microsoft 365 services, and Azure Active Directory (AAD).

Dubbed the Untitled Goose Tool, CISA said it "offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services."

The introduction of Untitled Goose Tool comes the same day as the agency announced its Pre-Ransomware Notification Initiative, which delivers early warnings to organizations about attacks, potentially in enough time to stop the attacks before the miscreants can encrypt or steal data.

"We know that ransomware actors often take some time after gaining initial access to a target before encrypting or stealing information, a window of time that often lasts from hours to days," Clayton Romans, associate director of the Joint Cyber Defense Collaborative (JCDC), wrote in a blog post. "This window gives us time to warn organizations that ransomware actors have gained initial access to their networks."

Both efforts are aimed at making enterprises more proactive in defending against attacks, and this month also saw the rollout of the Decider tool to make it easier for organizations to map adversary behavior to the MITRE ATT&CK framework, identify gaps in their defenses, and go threat hunting.

Take a bird's eye view

Network pros can use Untitled Goose Tool for exporting and reviewing AAD sign-in and audit logs, Microsoft 365's unified audit log (UAL), Azure activity logs, Defender for IoT alerts, and Defender for Endpoint data for suspicious activity. They can also look into Azure, Microsoft 365, and AAD configurations to spot sloppy security.

"Network defenders attempting to interrogate a large M365 tenant via the UAL may find that manually gathering all events at once is not feasible. Untitled Goose Tool uses novel data gathering methods via bespoke mechanisms," CISA wrote [PDF].


Given that, the tool makes it easier to pull artifacts from the cloud services without further analytics, setting time bounds for the UAL using a feature called "goosey graze" and then extracting data within those timeframes with "goosey honk." The same can be done for data from Defender for Endpoint.

Untitled Goose Tool can be used on both Windows and macOS, though the PowerShell script is best used only on Windows. It requires Python 3.7, 3.8, or 3.9 and is available from CISA's GitHub repository along with the PowerShell script.

The agency's unveiling of the Pre-Ransomware Notification Initiative comes less than two weeks after it announced the Ransomware Vulnerability Warning Pilot to warn critical infrastructure entities about flaws in their systems that could be exploited by ransomware groups.

The notification effort started in January and so far has alerted more than 60 entities in such industries as healthcare, energy, water and wastewater, and education about possible pre-ransomware activity, with some addressing the problem before data was encrypted or stolen, according to Romans.

There are two key parts to it. The JCDC collects tips from cybersecurity researchers, infrastructure providers, and cyberthreat companies about possible ransomware activity in its early stages. The JCDC – a public-private group launched in August 2021 – then notifies organizations targeted by miscreants about the threat and guides them through mitigation. ®
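The time-bounded UAL review described above, as an added illustration in Python (not code from CISA's Untitled Goose Tool; the function names are mine, and the records are constructed samples that reuse real AuditData field names): parse an exported log, keep one day's records, summarise them per user and operation, and flag accounts with repeated failed sign-ins.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export, one UAL record per line. Field names match the
# real AuditData schema; every value (users, IPs, times) is made up.
SAMPLE_UAL = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2023-03-20T08:15:02", "Operation": "UserLoggedIn", "UserId": "alice@example.test",
     "ClientIP": "203.0.113.5", "ResultStatus": "Succeeded", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2023-03-20T09:00:10", "Operation": "UserLoginFailed", "UserId": "bob@example.test",
     "ClientIP": "198.51.100.7", "ResultStatus": "Failed", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2023-03-20T09:00:41", "Operation": "UserLoginFailed", "UserId": "bob@example.test",
     "ClientIP": "198.51.100.7", "ResultStatus": "Failed", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2023-03-20T09:01:05", "Operation": "UserLoginFailed", "UserId": "bob@example.test",
     "ClientIP": "198.51.100.7", "ResultStatus": "Failed", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2023-03-21T10:00:00", "Operation": "New-InboxRule", "UserId": "alice@example.test",
     "ClientIP": "203.0.113.5", "ResultStatus": "Succeeded", "Workload": "Exchange"},
])

def utc(iso):
    """UAL CreationTime is UTC but carries no zone suffix; attach it explicitly."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def parse_ual(text):
    """Parse a JSON-lines export into dicts, adding a parsed '_ts' timestamp."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["_ts"] = utc(rec["CreationTime"])
            records.append(rec)
    return records

def filter_window(records, start, end):
    """Keep records with start <= CreationTime < end: the time-bounding step."""
    return [r for r in records if start <= r["_ts"] < end]

def summarize(records):
    """Count (UserId, Operation, ResultStatus) triples so outliers stand out."""
    return Counter((r["UserId"], r["Operation"], r["ResultStatus"]) for r in records)

def failed_signin_accounts(records, threshold):
    """Accounts with at least `threshold` failed sign-ins in the given records."""
    fails = Counter(r["UserId"] for r in records if r["Operation"] == "UserLoginFailed")
    return sorted(u for u, n in fails.items() if n >= threshold)

if __name__ == "__main__":
    day = filter_window(parse_ual(SAMPLE_UAL), utc("2023-03-20T00:00:00"), utc("2023-03-21T00:00:00"))
    print(summarize(day).most_common())
    print("repeated sign-in failures:", failed_signin_accounts(day, 3))
```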