Microsoft on Wednesday said that a user containment feature in Microsoft Defender for Endpoint helped thwart a "large-scale remote encryption attempt" made by Akira ransomware actors targeting an unknown industrial organization in early June 2023.
The tech giant's threat intelligence team is tracking the operator as Storm-1567.
The attack leveraged devices that were not onboarded to Microsoft Defender for Endpoint as a defense evasion tactic, while also conducting a series of reconnaissance and lateral movement activities prior to encrypting the devices using a compromised user account.
But the new automatic attack disruption capability meant that the breached accounts are prevented from "accessing endpoints and other resources in the network, limiting attackers' ability to move laterally regardless of the account's Active Directory state or privilege level."
In other words, the idea is to cut off all inbound and outbound communication for the contained account and prevent human-operated attacks from reaching other devices in the network.
Redmond also said its enterprise endpoint security platform disrupted lateral movement attempts against a medical research lab in August 2023, in which the adversary reset the password for a default domain administrator account to enable follow-on activity.
"Highly privileged user accounts are arguably the most important assets for attackers," Microsoft said. "Compromised domain admin-level accounts in environments that use traditional solutions provide attackers with access to Active Directory and could subvert traditional security mechanisms."
"Identifying and containing these compromised user accounts, therefore, prevents attacks from progressing, even if attackers gain initial access."
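The sequence described above (a password reset of the default domain administrator account, followed by identity-based containment that refuses further network logons regardless of the account's privilege level) can be modelled as a small detection-and-containment loop over Windows Security audit events. The code below is an added illustration written for this page; it is not Microsoft's or Defender for Endpoint's own logic. The event records are constructed samples: event ID 4724 (password reset attempt), event ID 4624 (successful logon) and logon type 3 (network logon) carry their real Windows meanings, but the field names are simplified assumptions, and the SIDs, account names and host names are made up.

```python
"""Toy model of user containment after a default domain admin password reset.

Hypothetical example code for this page, not Defender for Endpoint's implementation.
Event IDs 4724/4624 and logon type 3 follow Windows Security audit semantics;
field names, SIDs, account names and host names are constructed for the demo.
"""

# The built-in domain Administrator account always carries relative ID 500.
DEFAULT_ADMIN_RID = "500"
# Logon type 3 is a network logon (SMB, remote admin tooling, etc.), the kind
# of access lateral movement depends on.
NETWORK_LOGON = 3

# Constructed sample events in chronological order.
SAMPLE_EVENTS = [
    # Interactive logon by a workstation user; nothing suspicious yet.
    {"id": 4624, "actor": "CORP\\jdoe", "actor_sid": "S-1-5-21-1-2-3-1105",
     "logon_type": 2, "host": "WS01"},
    # The same user resets the password of the RID-500 Administrator account.
    {"id": 4724, "actor": "CORP\\jdoe", "actor_sid": "S-1-5-21-1-2-3-1105",
     "target_sid": "S-1-5-21-1-2-3-500", "host": "WS01"},
    # Follow-on network logons by the actor and by the taken-over admin account.
    {"id": 4624, "actor": "CORP\\jdoe", "actor_sid": "S-1-5-21-1-2-3-1105",
     "logon_type": 3, "host": "FS01"},
    {"id": 4624, "actor": "CORP\\Administrator", "actor_sid": "S-1-5-21-1-2-3-500",
     "logon_type": 3, "host": "DC01"},
    # An unrelated user whose access must not be affected.
    {"id": 4624, "actor": "CORP\\asmith", "actor_sid": "S-1-5-21-1-2-3-1200",
     "logon_type": 3, "host": "FS01"},
]


def rid(sid: str) -> str:
    """Return the relative identifier (last component) of a SID."""
    return sid.rsplit("-", 1)[-1]


def process_events(events):
    """Replay events, containing accounts on a default-admin reset.

    Containment is keyed on the account identity (SID), so the RID-500
    account itself is blocked just like the lower-privileged actor: the
    account's privilege level does not exempt it.
    """
    contained = set()   # SIDs whose network access is cut off
    alerts = []         # human-readable detections
    blocked = []        # (account, host) network logons refused
    allowed = []        # (account, host) network logons permitted

    for ev in events:
        if ev["id"] == 4724 and rid(ev["target_sid"]) == DEFAULT_ADMIN_RID:
            alerts.append(
                f"{ev['actor']} reset the default domain admin password on {ev['host']}"
            )
            # Contain both the account that performed the reset and the
            # account whose credential it now controls.
            contained.add(ev["actor_sid"])
            contained.add(ev["target_sid"])
        elif ev["id"] == 4624 and ev.get("logon_type") == NETWORK_LOGON:
            entry = (ev["actor"], ev["host"])
            if ev["actor_sid"] in contained:
                blocked.append(entry)
            else:
                allowed.append(entry)

    return {
        "alerts": alerts,
        "contained": contained,
        "blocked": blocked,
        "allowed": allowed,
    }


if __name__ == "__main__":
    result = process_events(SAMPLE_EVENTS)
    for line in result["alerts"]:
        print("ALERT:", line)
    for account, host in result["blocked"]:
        print(f"BLOCKED network logon: {account} -> {host}")
    for account, host in result["allowed"]:
        print(f"allowed network logon: {account} -> {host}")
```

Running the script shows one alert for the reset, both follow-on network logons (the actor's and the Administrator account's) refused, and the unrelated user's logon still permitted. The design point is that containment tracks the identity rather than its group memberships or Active Directory state, which is why a reset domain admin account gains the attacker nothing once the identity is contained.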