Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments

Today, CISA released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services. The tool enables users to:
Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
Query, export, and investigate AAD, M365, and Azure configurations.
Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics. 
Perform time bounding of the UAL.
Extract data within those time bounds. 
Collect and review data using similar time bounding capabilities for MDE data.
Untitled Goose Tool was developed by CISA with support from Sandia National Laboratories. Network defenders can see the Untitled Goose Tool fact sheet and visit the Untitled Goose Tool GitHub repository to get started.
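The time bounding described above, applied to an exported UAL, as an added example that is not code from the Untitled Goose Tool or from CISA: the records below are constructed to resemble exported M365 unified audit log entries (top-level fields CreationTime, Operation, Workload, UserId, ClientIP) and are not real tenant data, the watch-listed operations and the new-client-IP heuristic are this example's own choices, and the script keeps only records inside a UTC window before running two quick triage checks over that window.

```python
"""Time-bound an exported M365 unified audit log (UAL) and triage the window.

Added example; not code from the Untitled Goose Tool. The records below
are constructed to look like exported UAL entries (top-level fields
CreationTime, Operation, Workload, UserId, ClientIP) and are not real data.
"""
import json
from datetime import datetime, timezone

# Constructed JSON-lines export. UAL CreationTime is UTC without a zone suffix.
SAMPLE_UAL = """\
{"CreationTime": "2023-03-20T09:12:44", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "alice@example.com", "ClientIP": "203.0.113.10"}
{"CreationTime": "2023-03-20T10:00:05", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "bob@example.com", "ClientIP": "203.0.113.10"}
{"CreationTime": "2023-03-21T02:03:11", "Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "alice@example.com", "ClientIP": "198.51.100.7"}
{"CreationTime": "2023-03-21T02:05:30", "Operation": "Add-MailboxPermission", "Workload": "Exchange", "UserId": "alice@example.com", "ClientIP": "198.51.100.7"}
{"CreationTime": "2023-03-21T08:30:00", "Operation": "FileAccessed", "Workload": "SharePoint", "UserId": "bob@example.com", "ClientIP": "203.0.113.10"}
{"CreationTime": "2023-03-25T14:00:00", "Operation": "FileAccessed", "Workload": "SharePoint", "UserId": "bob@example.com", "ClientIP": "192.0.2.44"}
"""

# Mailbox-persistence operations worth a second look during triage; a
# starting list chosen for this example, not a CISA or Microsoft list.
WATCH_OPERATIONS = frozenset({
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
    "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox",
})

# Analysis window for the demo: one day in UTC (an assumed intrusion window).
WINDOW_START = datetime(2023, 3, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 3, 22, tzinfo=timezone.utc)


def parse_ual_time(value):
    """UAL timestamps are ISO 8601 in UTC; tolerate a trailing 'Z'."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def load_ual(text):
    """Parse a JSON-lines export into a list of record dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def time_bound(records, start, end):
    """Keep records whose CreationTime falls in [start, end)."""
    return [r for r in records if start <= parse_ual_time(r["CreationTime"]) < end]


def watched_operations(records):
    """Records whose Operation is on the watch list."""
    return [r for r in records if r.get("Operation") in WATCH_OPERATIONS]


def new_client_ips(baseline, window):
    """Per user, ClientIPs seen in the window but never in the baseline."""
    seen = {}
    for r in baseline:
        seen.setdefault(r.get("UserId"), set()).add(r.get("ClientIP"))
    new = {}
    for r in window:
        user, ip = r.get("UserId"), r.get("ClientIP")
        if ip and ip not in seen.get(user, set()):
            new.setdefault(user, set()).add(ip)
    return new


def triage(text, start, end):
    """Time-bound the export, then run the two checks over the window."""
    records = load_ual(text)
    window = time_bound(records, start, end)
    # Everything before the window is the behavioural baseline for each user.
    baseline = [r for r in records if parse_ual_time(r["CreationTime"]) < start]
    return {
        "in_window": len(window),
        "watched": watched_operations(window),
        "new_ips": new_client_ips(baseline, window),
    }


def demo():
    """Run the triage over the constructed export with the demo window."""
    return triage(SAMPLE_UAL, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    result = demo()
    print(f"{result['in_window']} records in window")
    for r in result["watched"]:
        print(f"watched: {r['CreationTime']} {r['UserId']} {r['Operation']} from {r['ClientIP']}")
    for user, ips in result["new_ips"].items():
        print(f"new client IP(s) for {user}: {', '.join(sorted(ips))}")
```

Bounding the export first matters because a tenant's UAL is large and most of it is noise for a given intrusion; once the window is fixed, the records before it double as a per-user baseline, which is how the second check separates a user's routine client IP from one first seen alongside a new inbox rule. Both checks are deliberately simple and should be tuned to the environment before being relied on.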

CISA Releases Six Industrial Control Systems Advisories

CISA released six Industrial Control Systems (ICS) advisories on March 23, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 
ICSA-23-082-01 RoboDK
ICSA-23-082-02 CP-Plus KVMS Pro
ICSA-23-082-03 SAUTER EY-modulo 5 Building Automation Stations
ICSA-23-082-04 Schneider Electric IGSS
ICSA-23-082-05 ABB Pulsar Plus Controller
ICSA-23-082-06 ProPump and Controls Osprey Pump Controller
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we’d welcome your feedback.

JCDC Cultivates Pre-Ransomware Notification Capability

In today’s blog post, Associate Director of the Joint Cyber Defense Collaborative (JCDC) Clayton Romans highlighted recent successes of pre-ransomware notification and its impact in reducing harm from ransomware intrusions. With pre-ransomware notifications, organizations can receive early warning and potentially evict threat actors before they can encrypt and hold critical data and systems for ransom. Using this proactive cyber defense capability, CISA has notified more than 60 entities of early-stage ransomware intrusions since January 2023, including critical infrastructure organizations in the Energy, Healthcare and Public Health, and Water and Wastewater Systems sectors, as well as the education community.
The pre-encryption ransomware notification was cultivated with the help of the cybersecurity research community and through CISA’s relationships with infrastructure providers and cyber threat intelligence companies.
For more information, visit #StopRansomware. To report early-stage ransomware activity, visit Report Ransomware. CISA also encourages stakeholders and network defenders to review Associate Director Romans’ post, Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs, to learn more about CISA’s Pre-Ransomware Notification Initiative.