In today's remote work environment, shaped by the pandemic, security matters more than ever. Colonial Pipeline, a major fuel supplier on the US east coast, was hit by a ransomware attack earlier this year,[1] causing a massive disruption to the fuel supply chain and a rise in gasoline prices. In another, unrelated incident, the Chinese start-up Socialarks suffered a massive data breach[2] that exposed personally identifiable information (PII) of over 214 million users of some of the world's most popular social networks. Data breaches are extremely expensive: the average cost of a data breach was estimated at $4.2 million in 2021.[3] Ransomware attacks have also increased, with an attack expected every 11 seconds and total damage from these attacks estimated at around $20 billion in 2021.[4]
As we discussed at Microsoft Inspire earlier this year, infrastructure threats can come from a variety of sources, including attackers exploiting web shells, brute-force login attacks, software vulnerabilities, and credential theft, all in service of goals such as deploying ransomware. As cyberattacks continue to grow, the need for secure computing has never been more important. Customers value the protection of their data and workloads, and platform security is an important layer in a comprehensive defense-in-depth strategy. Applying what we learned from the Secured-core PC initiative, Microsoft is working with partners to bring Secured-core to Windows Server, Microsoft Azure Stack HCI, and Azure Certified IoT devices.
REvil ransomware case study
Let's dive into the typical kill chain of a human-operated ransomware campaign carried out by REvil (also known as Sodinokibi), which recently impacted thousands of companies worldwide, including the attack on Kaseya.[5] The attackers used techniques such as compromised Remote Desktop Protocol (RDP) credentials and vulnerabilities in the operating system and in applications to gain a foothold in organizations. US Department of Justice court documents[6] describe how REvil carried out the ransomware attack on Kaseya using the following attack pattern:
Figure 1. REvil ransomware kill chain.
The ransomware operators gain administrator rights on the compromised devices, steal passwords from memory with credential dumping tools such as Mimikatz, and use Cobalt Strike and Metasploit to move laterally and establish persistence in the victim's network. Once they hold the necessary privileges and have access across the infrastructure, the ransomware is deployed, encrypts the files it can reach, and leaves the user with a ransom note stating the amount they must pay to decrypt their files.
Ransomware attacks like this cost businesses enormous amounts of time and money. Raising the security bar of critical infrastructure against attackers, and making it easier for organizations to meet that higher bar, is a priority for both customers and Microsoft. Effective system protection requires a holistic approach that builds security from chip to cloud, across hardware, firmware, and the operating system.
Secured-core servers help protect your infrastructure from security threats
Secured-core servers take a defense-in-depth approach to foundational system security. They are built on three pillars:
- Protecting the server infrastructure with a hardware-based root of trust.
- Protecting sensitive workloads from firmware-level attacks.
- Preventing unverified code from being loaded and executed on the system.
In partnership with leading original equipment manufacturers (OEMs) and silicon vendors, Secured-core servers combine an industry-standard hardware-based root of trust with the security capabilities built into today's central processing units (CPUs). Secured-core servers use Trusted Platform Module (TPM) 2.0 and Secure Boot to ensure that only trusted components are loaded along the boot path, and the TPM records measurements of those components so that the boot state can later be attested.
"To help our customers stay secure and accelerate their business results, Hewlett Packard Enterprise (HPE) is proud to announce the new Gen10 Plus (v2) products for Azure Stack HCI 21H2 and Windows Server 2022, which can be delivered through the HPE GreenLake edge-to-cloud platform," said Keith White, senior vice president and general manager, GreenLake Cloud Services Commercial Business. "These offer unparalleled host protection by combining HPE security technologies with Secured-core server capabilities for a secure hybrid deployment."
More details will be available shortly in the Azure Stack HCI: Secured-core Server solution brief. Configuration details can be found in the "Configuring and validating Secured-core" section of the white paper Implementing Microsoft Windows Server 2022 with HPE ProLiant servers, storage, and networking options.
Secured-core servers use the Dynamic Root of Trust for Measurement (DRTM) capability built into modern CPUs to launch the system into a trusted state and defend against advanced malware that attempts to tamper with the system early in boot. With DRTM, the CPU performs a fresh, measured launch of the hypervisor and kernel after the firmware has run, so a compromised or buggy UEFI component does not automatically compromise the trusted computing base.
With Hypervisor-protected Code Integrity (HVCI) enabled, a Secured-core server only runs kernel-mode code, such as drivers, that has been signed by known and approved authorities. This ensures that code running within the trusted computing base runs with integrity and is not exposed to exploits or attacks. The hypervisor sets and enforces memory permissions so that malware cannot modify kernel code pages or introduce new executable memory.
In the REvil ransomware example described above, Secured-core servers would have made it much more difficult for the attackers to deploy and activate their payload. HVCI is enabled with a code integrity policy that blocks drivers that tamper with the kernel, such as the driver that ships with Mimikatz. And because virtualization-based security (VBS) is enabled by default, IT administrators can easily turn on features such as Credential Guard, which protects credentials in an isolated environment that is invisible to attackers. By preventing credential theft (stage two of the kill chain shown in Figure 1), Secured-core servers can make it extremely difficult for attackers to move laterally through the network and thus stop the attack. Note that Credential Guard protects the secrets that LSASS holds, such as NTLM hashes and Kerberos tickets; it does not stop an attacker who already holds valid RDP credentials from logging in, so it complements rather than replaces multifactor authentication and credential hygiene.
Look for Secured-core server solutions in the Azure Stack HCI and Windows Server catalogs
You can now find a range of servers certified for the Secured-core Server Additional Qualification (AQ) in the Azure Stack HCI catalog. With the improvements made to the catalog, you can easily identify Azure Stack HCI solutions that support Secured-core server functionality by the new Secured-core server badge.
Figure 2. Azure Stack HCI Catalog Secured Core Server.
Secured-core servers support all the protections offered by the Trusted Enterprise Virtualization AQ, plus additional capabilities to protect hosts against firmware-level attacks. In addition to the Azure Stack HCI catalog, the Windows Server Catalog lists dozens of hardware platforms from our ecosystem partners that meet the Secured-core Server AQ. Find out more about how Secured-core servers deliver exceptional host security in our blog post.
Easily manage your Secured-core server with Windows Admin Center
Windows Admin Center is your user interface (UI) for managing the status and configuration of Secured-core servers. It is a locally deployed, browser-based application for managing Windows Servers, clusters, hyperconverged infrastructure, and Windows clients, and it is ready for production use.
New functionality in Windows Admin Center makes it straightforward for customers to configure the Secured-core features on Windows Server and Azure Stack HCI systems. The new security tool in Windows Admin Center, now included in the product, enables advanced security with the click of a button from a web browser anywhere in the world. For Windows Server and validated Azure Stack HCI solutions, customers can search for Secured-core certified systems to simplify the acquisition of secure hardware platforms.
Figure 3. Windows Admin Center Secured Core Server Cluster Administration.
The Windows Admin Center UI lets you easily configure the six capabilities that make up a Secured-core server: Hypervisor-protected Code Integrity (HVCI), Boot Direct Memory Access (DMA) protection, System Guard, Secure Boot, virtualization-based security (VBS), and Trusted Platform Module (TPM) 2.0. Download the latest version of Windows Admin Center today.
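Windows Admin Center shows the same six capabilities per host through the UI. For a fleet, or as a gate in a deployment pipeline, an administrator usually also wants a scriptable check, so here is an added example that is not part of the original post and not Microsoft's own tooling. It audits the six Secured-core capabilities listed above, plus Credential Guard (the control that breaks the credential-theft stage of the REvil chain discussed earlier), using only documented interfaces: the Win32_DeviceGuard and Win32_Tpm CIM classes, the Confirm-SecureBootUEFI cmdlet, and the DeviceGuard and LSA registry values that Microsoft's enablement documentation describes. The enumeration codes in the comments are the documented ones; the output shape and the "pending reboot" logic are this example's own choices, and it is read-only.

```powershell
# Added example (not from the original post, not Microsoft tooling): read-only
# audit of Secured-core server capabilities on the local host. Run in an
# elevated PowerShell session on Windows Server 2022 or Azure Stack HCI.
#Requires -RunAsAdministrator

function Get-SecuredCoreStatus {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard reports what VBS has actually brought up, not only what
    # is configured. Documented enumeration values used below:
    #   AvailableSecurityProperties        2 = Secure Boot, 3 = DMA protection
    #   SecurityServicesRunning            1 = Credential Guard, 2 = HVCI,
    #                                      3 = System Guard Secure Launch
    #   VirtualizationBasedSecurityStatus  2 = VBS running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    $running   = @($dg.SecurityServicesRunning)
    $available = @($dg.AvailableSecurityProperties)

    # Secure Boot: fail closed, i.e. treat a failed query as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # TPM 2.0: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38" on a 2.0 part.
    $tpm20 = $false
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
        $tpm20 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')
    } catch { }

    # Registry intent lets us tell "configured, reboot pending" apart from
    # "never enabled". These are the documented enablement values.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $cfg = @{
        'VBS'              = (Get-ItemProperty $dgKey -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity -eq 1
        'HVCI'             = (Get-ItemProperty "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity" -ErrorAction SilentlyContinue).Enabled -eq 1
        'System Guard'     = (Get-ItemProperty "$dgKey\Scenarios\SystemGuard" -ErrorAction SilentlyContinue).Enabled -eq 1
        'Credential Guard' = (Get-ItemProperty $lsaKey -ErrorAction SilentlyContinue).LsaCfgFlags -in 1, 2
    }

    # The six Secured-core capabilities, plus Credential Guard.
    $checks = [ordered]@{
        'Secure Boot'         = $secureBoot
        'TPM 2.0'             = $tpm20
        'Boot DMA protection' = $available -contains 3
        'VBS'                 = $dg.VirtualizationBasedSecurityStatus -eq 2
        'HVCI'                = $running -contains 2
        'System Guard'        = $running -contains 3
        'Credential Guard'    = $running -contains 1
    }

    foreach ($name in $checks.Keys) {
        $effective  = [bool]$checks[$name]
        $configured = if ($cfg.ContainsKey($name)) { [bool]$cfg[$name] } else { $effective }
        $state = if ($effective) { 'OK' } elseif ($configured) { 'PENDING REBOOT' } else { 'MISSING' }
        [pscustomobject]@{
            Feature    = $name
            Effective  = $effective    # enforced right now
            Configured = $configured   # set in the registry, may still need a reboot
            State      = $state
        }
    }
}

# Usage: print the table, then exit non-zero if any of the six required
# capabilities is not effective, so the script can gate a deployment step.
$status = Get-SecuredCoreStatus
$status | Format-Table -AutoSize
$missing = $status | Where-Object { $_.Feature -ne 'Credential Guard' -and -not $_.Effective }
if ($missing) {
    Write-Warning ('Not Secured-core compliant: ' + ($missing.Feature -join ', '))
    exit 1
}
```

To run it across a cluster, wrap the function in `Invoke-Command -ComputerName` against each node. The design point is the split between `Effective` and `Configured`: HVCI, VBS, System Guard and Credential Guard all take effect only after a reboot, and a host that is "configured" but not "effective" is still exploitable by the kernel-driver and credential-dumping techniques described above.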
Begin your Secured-core journey
Secured-core servers, now available in the Azure Stack HCI and Windows Server catalogs, ship with industry-leading security mitigations built into the hardware, firmware, and operating system to thwart some of the most advanced attack vectors. Together with Windows Admin Center, managing and monitoring the security state of your critical business infrastructure has never been easier.
To learn more about Microsoft security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage of security matters. You can also follow us at @MSFTSecurity for the latest cybersecurity news and updates.
[1] US gasoline pipeline hackers "didn't want to cause problems", Mary-Ann Russon, BBC News. May 10, 2021.
[2] 200 million scraped data exposed by Facebook, Instagram and LinkedIn users, Security Magazine. January 12, 2021.
[3] How much does a data breach cost? Cost of a Data Breach Report 2021, IBM.
[4] Global ransomware damage costs predicted to reach $20 billion (USD) by 2021, Steve Morgan, Cybercrime Magazine. October 21, 2019.
[5] Ukrainian arrested and charged with ransomware attack on Kaseya, United States Department of Justice. November 8, 2021.
[6] United States of America v. Yevgeniy Igorevich Polyanin, United States District Court for the Northern District of Texas, Dallas Division. August 24, 2021.