Microsoft open sources CodeQL queries used in Solorigate investigation
by Usama Jawad
Last week, Microsoft finally completed its Solorigate investigation, concluding that while some code files for Azure, Intune, and Exchange were accessed, no customer data was compromised. The cyberattack had caused major concern around the globe because it targeted the United States' federal departments, the UK, the European Parliament, and thousands of other organizations. Supply chain attacks were executed on SolarWinds, Microsoft, and VMware, with Microsoft President Brad Smith calling it "a moment of reckoning".
Now, Microsoft has open sourced the CodeQL queries that it utilized in the Solorigate investigation.
For those unaware, CodeQL is a code analysis engine that works on the syntax and semantics of code. It builds a relational database from a model of the code as it is compiled, which can then be queried just like a regular database. It can be used both for static analysis of new code and for retroactive inspection of code that has already shipped.
Microsoft used CodeQL queries in its Solorigate investigation to analyze its code base at scale and pinpoint, directly at the code level, indicators of compromise (IoCs) and other coding patterns used by the Solorigate attackers.
Microsoft essentially built multiple CodeQL databases from various build pipelines, and then aggregated them in a single infrastructure to enable system-wide querying capabilities. This enabled the firm to detect malicious activity in code within hours of a coding pattern being described.
Because the technique matches syntactic and semantic patterns, such as the variable names used, Microsoft has emphasized that finding the same patterns in your own code base does not necessarily mean it is compromised. Different programmers can, of course, share the same coding style.
At the same time, a malicious actor is not constrained to a single coding style either: an attacker who deviates significantly from their usual implant pattern would evade Microsoft's CodeQL queries, so a clean result is not proof of absence. Regarding the syntactic and semantic code pattern identification capabilities of the CodeQL engine, the Redmond tech giant notes that:
More information about using Microsoft's CodeQL queries is available here. You can find out more about how to deploy queries here.
Microsoft: Customer data was not accessed in Solorigate attack
by Usama Jawad
In 2020, there was a major global cyberattack, spanning across the United States' federal departments, the UK, the European Parliament, and thousands of other organizations. It was reported to have been triggered by supply chain attacks on three major firms: SolarWinds, Microsoft, and VMware, where attackers were able to access private documents and emails. The attack was dubbed "Solorigate" by Microsoft with President Brad Smith calling it "a moment of reckoning". Now, the company has shared a final update on its Solorigate investigation.
Microsoft Corporate Vice President of Security, Compliance, and Identity Vasu Jakkal has concluded that while nation-state actors were able to get past some initial security procedures, they were then stopped by a "unified team of human and digital defenders". She also clarified that the company has found no evidence of customer data or production services being breached. Furthermore, the investigation confirmed that Microsoft software was not used to attack other organizations.
Microsoft states that multiple factors aided in limiting the scope of this attack and these should be embraced by other security teams and organizations moving forward as well. These include adopting a Zero Trust security model with multi-factor authentication for credentials, and cloud technologies like Azure Active Directory and Microsoft 365 Defender. Lastly, Jakkal has emphasized that it is paramount that companies and teams work together to strengthen collective defenses.
The Microsoft Security Response Center (MSRC) went on to say that:
MSRC highlighted that even though the attack was discovered in December 2020 with organizations racing to mitigate the threat, its analysis shows that the malicious actor attempted access in January 2021 as well. It has clarified that across all of its services, the attacker was able to view and download only a small number of code files for Azure, Intune, and Exchange. None of the code files breached contained any live credentials being used in production environments.
Rust Foundation formed to manage namesake language
by Paul Hill
The core team behind the Rust programming language has announced the establishment of the Rust Foundation, an independent non-profit that will steward the increasingly popular language. The move follows lay-offs at Mozilla last August that affected people working on Rust.
Commenting on the formation of the Rust Foundation, Mozilla said:
The board of directors of the new organisation is set to hold its first meeting tomorrow. It is made up of 11 members drawn from the organisation's founding members: AWS, Huawei, Google, Microsoft and Mozilla. With so many well-established entities backing Rust, its longevity is assured and it will be better resourced, enabling it to hold better events and create better materials for people looking to get into the language.
Rust is a systems programming language that occupies the same low-level niche as C. One of C's main weaknesses is manual memory management: mistakes such as buffer overflows and use-after-free bugs lead to serious vulnerabilities in software like web browsers and operating systems. Rust was designed with memory safety in mind. The compiler enforces bounds checks and ownership rules in ordinary code, and any operation it cannot prove safe must be placed in an explicit unsafe block, so unchecked memory access is opt-in and easy to audit rather than the default, which drastically reduces the likelihood of memory-safety vulnerabilities.
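To make the memory-safety point concrete, here is an added example (written for this page; it is not code from the article, the Rust Foundation or any Rust project) showing what becomes of three classic C bugs in Rust: an out-of-bounds read, a length-prefixed parser that trusts its length field, and a use-after-free. The packet bytes are constructed sample input, and the function names are this example's own.

```rust
// Added example, not from the article: how Rust's safety checks turn
// classic C memory bugs into compile errors, panics, or explicit `unsafe`.

/// Safe lookup: the bounds check is done for us and failure is a value,
/// not a silent read of adjacent memory as `buf[i]` would be in C.
pub fn read_byte(buf: &[u8], i: usize) -> Option<u8> {
    buf.get(i).copied()
}

/// Indexing with `[]` is also bounds-checked; an out-of-range index
/// panics (a controlled abort) instead of returning whatever sits past the end.
pub fn read_byte_or_panic(buf: &[u8], i: usize) -> u8 {
    buf[i]
}

/// Parse a length-prefixed record: the first byte declares the payload length.
/// In C, a hostile length would walk the read off the end of the buffer; here a
/// bad length is rejected before any byte of payload is touched.
pub fn parse_record(buf: &[u8]) -> Result<&[u8], &'static str> {
    let (&len, rest) = buf.split_first().ok_or("empty input")?;
    let len = len as usize;
    rest.get(..len).ok_or("declared length exceeds buffer")
}

/// The escape hatch: unchecked access exists, but only inside an `unsafe`
/// block that the author must write and that a reviewer can grep for.
pub fn read_byte_unchecked(buf: &[u8], i: usize) -> u8 {
    assert!(i < buf.len(), "caller must uphold the bounds invariant");
    // SAFETY: the assert above guarantees `i` is in range.
    unsafe { *buf.get_unchecked(i) }
}

// Use-after-free does not get as far as running. Left as a comment because the
// program would not build with it included:
//
//     let s = String::from("secret");
//     let r = &s;
//     drop(s);            // error[E0505]: cannot move out of `s` because it is borrowed
//     println!("{}", r);

fn main() {
    // Constructed sample input: length byte 3 followed by three payload bytes.
    let packet = [3u8, b'a', b'b', b'c'];
    println!("{:?}", parse_record(&packet)); // Ok([97, 98, 99])

    // Constructed hostile input: declares 9 bytes but carries only 1.
    let bad = [9u8, b'a'];
    println!("{:?}", parse_record(&bad)); // Err("declared length exceeds buffer")

    println!("{:?}", read_byte(&packet, 10)); // None, no memory read past the end
}
```

The design point is in the last function: Rust does not make unchecked access impossible, it makes it visible. A code reviewer can search a crate for unsafe blocks and demand a SAFETY comment for each, which is the auditability the paragraph above describes.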
The Internet Security Research Group recently said that it would use Rust to write a memory-safe TLS module for the Apache httpd web server, to help boost the security of a core piece of web infrastructure.
Anyone can now contribute to Google's Fuchsia OS
by Paul Hill
Through its Open Source blog, Google has announced that it’s accepting contributions from the public for its alternative Fuchsia operating system. While the company has been committing code to a public repository for the last four years, it did not allow members of the public to submit code, but now they can.
Announcing the news, Developer Advocate for Fuchsia Wayne Piekarski said:
In addition to opening up the repository to public contributions, the firm has published a technical roadmap to provide people with a bit more information regarding the project’s direction and priorities. Some of the items on the roadmap include a driver framework so that the kernel can be updated independently of drivers, improving file systems for performance, and expanding the input pipeline for accessibility.
While this is definitely a big step for the long-term project, Google makes it clear that Fuchsia is still not ready for general product development nor should developers build their software to run on Fuchsia because it’s still evolving.
Developers who want to try out Fuchsia can clone, compile, and contribute to it. Google said that Fuchsia supports a limited set of x64-based hardware and can also be run in an emulator. If you'd like to experiment with Fuchsia yourself, head over to the getting started page.
New capabilities for the Power BI Snowflake connector are now generally available
by Hamza Jawad
In February, Microsoft released a native Snowflake connector for Power BI, enabling single sign-on (SSO) for users connecting to Snowflake from Power BI Desktop or the Power BI service. More recently, some enhanced capabilities were added to the Snowflake connector. Today, it has been announced that these capabilities are now generally available.
With the primary purpose of streamlining access to Snowflake data warehouses, the following enhancements are being provided:
For tenants where the SSO option shows as unavailable, a Power BI service admin needs to open Tenant settings in the Power BI Admin portal and enable the setting named "Snowflake SSO". For more information on the Snowflake connector for Power BI, see its documentation pages for Power BI Desktop and the Power BI service.