FYSA
CISA has published (TLP:WHITE) Current Activity: CISA Releases New Alert on
Post-Compromise Threat Activity in Microsoft Cloud Environments and Tools to
Help Detect This
Activity<https://us-cert.cisa.gov/ncas/current-activity/2021/01/08/cisa-releases-new-alert-post-compromise-threat-activity-microsoft>
CISA has evidence of post-compromise APT activity in the cloud environment.
Specifically, CISA has seen an APT actor using compromised applications in a
victim’s Microsoft 365 (M365)/Azure environment and using additional
credentials and API access to cloud resources of private and public sector
organizations. This activity is in addition to what has been previously
detailed in AA20-352A<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>.
In response, CISA has released AA21-008A: Detecting Post-Compromise Threat
Activity in Microsoft Cloud
Environments<https://us-cert.cisa.gov/ncas/alerts/aa21-008a> to describe this
malicious APT activity and offer guidance on three open-source tools—including
a CISA-developed tool,
Sparrow<https://urldefense.us/v3/__https:/github.com/cisagov/Sparrow__;!!BClRuOV5cvtbuNI!TEJIOZ5A_F1RJ_Aiu8UZqMHgqHFXGNkPBtff0ubcsLaJN-nt5l2HkIlaOvmxedQiFEeOAzQ$>,
released on December 24. Network defenders can use these tools to help detect
and remediate malicious APT actor activity as part of the ongoing supply chain
compromise.
CISA strongly encourages users and administrators to review the Activity
Alert<https://us-cert.cisa.gov/ncas/alerts/aa21-008a> for additional
information and detection countermeasures.
We kindly request any questions, feedback, or incidents related to this product
be reported to CISA at Central@xxxxxxxxxxxx<mailto:Central@xxxxxxxxxxxx> or
888-282-0870.
Theresa A. Masse
Cyber Security Advisor, Region X (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671 Email:
theresa.masse@xxxxxxxxxxxx<mailto:theresa.masse@xxxxxxxxxxxx>
[cid:image006.png@01D6E5B7.BC23B180]