Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Microsoft Azure Sentinel uses Fusion ML to detect ransomware attacks

Microsoft Azure Sentinel cloud-native SIEM (Security Information and Event Management) platform used the Fusion machine learning model to detect ransomware attack. Microsoft Azure Sentinel cloud-native SIEM is using the Fusion machine learning model to analyze data across enterprise environments and detect the activity associated with potential threats, including ransomware attacks. When a potential ransomware attack […]

Azure Sentinel

Microsoft Azure Sentinel cloud-native SIEM (Security Information and Event Management) platform used the Fusion machine learning model to detect ransomware attack.

Microsoft Azure Sentinel cloud-native SIEM is using the Fusion machine learning model to analyze data across enterprise environments and detect the activity associated with potential threats, including ransomware attacks.

When a potential ransomware attack is detected by the Fusion machine learning model, a high severity incident titled “Multiple alerts possibly related to Ransomware activity detected” will be triggered in the Azure Sentinel workspace

“In collaboration with the Microsoft Threat Intelligence Center (MSTIC), we are excited to announce Fusion detection for ransomware is now publicly available!” states the announcement published by Microsoft.

“These Fusion detections correlate alerts that are potentially associated with ransomware activities that are observed at defense evasion and execution stages during a specific timeframe.”

According to Microsoft, Fusion detection model for ransomware allows detecting malicious activities at the defense evasion and execution stages of an attack, allowing security analysts to quickly identify the threat and neutralize it.

Fusion correlates signals from Microsoft products as well as signals in network and cloud, it gathers data from the following solutions:

Early detection of ransomware activity could allow security analysts to prevent the threat from spreading within the target environment and prevent serious damages. 

The announcement includes examples of the Fusion detection for ransomware that shows how Fusion technology correlates alerts associated with events that could be indicating an ongoing chain of attacks, such as RDP brute-force attack, the use of a ‘Cryptor’ malware, and potential phishing activities.

Upon receiving an alert related to a potential ransomware attack scenario by Fusion in Azure Sentinel, admins will have to consider their systems as “potentially compromised” and respond to the threat.

Below are the recommendations provided by Microsoft:

  1. Isolate the machine from the network to prevent potential lateral movement.
  2. Run a full antimalware scan on the machine, following any resulting remediation advice.
  3. Review installed/running software on the machine, removing any unknown or unwanted packages.
  4. Revert the machine to a known good state, reinstalling the operating system only if required and restoring software from a verified malware-free source.
  5. Resolve recommendations from alert providers (e.g., Azure Security Center and Microsoft Defender) to prevent future breaches.
  6. Investigate the entire network to understand the intrusion and identify other machines that might be impacted by this attack.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Azure Sentinel)

[adrotate banner=”5″]

[adrotate banner=”13″]