US CISA releases free software for monitoring malicious activity in Azure and MS 365

The US Department of Homeland Security, through its Cybersecurity and Infrastructure Security Agency (CISA), is releasing a free tool. It is called Sparrow.ps1, and it is said to be able to detect suspicious and disruptive behaviour in Azure and Microsoft 365 environments that endangers users and applications.

CISA announced that it would distribute the tool through the US-CERT website, saying, “We created it as a platform for a dedicated incident management team.” It also clarified that the tool specializes in recognizing identity-based or authentication-based attacks that have recently been consistently identified across different industries. In other words, it is a defensive tool against an attack tactic that steals ordinary login credentials.

The tool is currently distributed via GitHub (github.com/cisagov/Sparrow). CISA briefly describes Sparrow as follows: ‘Sparrow installs the appropriate PowerShell modules on the review system, reviews the Azure and MS 365 unified audit logs to see whether a particular indicator of compromise has appeared, and lists all Azure AD domains. In addition, to classify actions that may be identified as malicious, Azure service and Microsoft Graph API permissions are compared. The results are stored in CSV format.’

The PowerShell modules required to install Sparrow are as follows.
1) CloudConnect: www.powershellgallery.com/packages/CloudConnect/1.1.2
2) AzureAD: www.powershellgallery.com/packages/AzureAD/2.0.2.128
3) MSOnline: www.powershellgallery.com/packages/MSOnline/1.1.183.57
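As an added illustration, and not Sparrow's own code, the PowerShell below installs the three modules listed above at the stated versions and then performs two of the checks CISA's description mentions: listing Azure AD domains and exporting selected unified audit log events to CSV. It assumes an Exchange Online session has already been opened with Connect-ExchangeOnline, and the operation names in $operations are assumed values that should be confirmed against the tenant's own audit log schema.

```powershell
# Added example (not Sparrow's own code). Installs the modules named in the
# article, then runs two defender-side checks of the kind Sparrow performs.
# Assumes Connect-ExchangeOnline has already been run for Search-UnifiedAuditLog.

$RequiredModules = @{
    CloudConnect = '1.1.2'
    AzureAD      = '2.0.2.128'
    MSOnline     = '1.1.183.57'
}

# Install each module at the exact version listed, unless already present.
foreach ($name in $RequiredModules.Keys) {
    $version = $RequiredModules[$name]
    $present = Get-Module -ListAvailable -Name $name |
        Where-Object { $_.Version -eq [version]$version }
    if (-not $present) {
        Install-Module -Name $name -RequiredVersion $version -Scope CurrentUser -Force
    }
}

# Check 1: enumerate all Azure AD domains and highlight federated ones,
# since a domain unexpectedly switched to federated authentication is worth review.
Connect-AzureAD | Out-Null
$domains = Get-AzureADDomain |
    Select-Object Name, AuthenticationType, IsVerified, IsDefault
$domains | Export-Csv -Path .\Domains.csv -NoTypeInformation
$domains | Where-Object { $_.AuthenticationType -eq 'Federated' } | Format-Table -AutoSize

# Check 2: pull unified audit log events for operations an analyst wants to review.
# The operation names below are assumed; verify them against your tenant's audit data.
$operations = @('Set domain authentication.', 'Add service principal credentials.')
$end   = Get-Date
$start = $end.AddDays(-90)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations $operations -ResultSize 5000
$events | Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path .\AuditEvents.csv -NoTypeInformation
```

Search-UnifiedAuditLog returns at most 5000 records per call; for a longer window, split the date range into smaller chunks and append to the CSV.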

CISA actively encourages Azure and MS 365 users and administrators to use Sparrow, because damage can be minimized by responding faster.

In recent years, the so-called “SolarWinds crisis” has erupted in the US, and interest in hacking attacks targeting the supply chain and the cloud has increased. Hacking groups infiltrated the update distribution infrastructure of SolarWinds’ network monitoring solution, tampered with the update file, and distributed it to plant a backdoor called SUNBURST in SolarWinds customers. Many US federal agencies and IT giants, including Microsoft, were hit by the attack.

Microsoft, which has been investigating the incident, recently reported an interim finding that “the attackers’ ultimate goal seems to have been digital assets stored in the cloud.” It then described the attackers’ strategy as follows.

1) Infecting SolarWinds’ update infrastructure

2) Distributing the Sunburst malware via false update notifications

3) Carefully selecting targets using the Sunburst malware

4) Infiltrating the target’s network and moving into the cloud

In this sense, CISA’s release of anomalous-activity monitoring software for the cloud is timely. It is not yet clear, however, whether additional detection tools will be released for other common cloud providers, such as AWS or Google Cloud, or how well Sparrow actually works with other cloud services.