In today's pandemic-driven remote work environments, security has become increasingly important. Earlier this year, Colonial Pipeline, one of the leading suppliers of fuel on the East Coast of the United States, was hit by a ransomware attack.[1] This caused a massive disruption of the fuel supply chain and a surge in gasoline prices. In another unrelated incident, Chinese start-up Socialarks suffered a massive data breach,[2] which exposed personally identifiable information (PII) of over 214 million users of some of the most popular worldwide social networks. These data breaches are extremely expensive, with the average cost of a data breach estimated at USD 4.2 million in 2021.[3] There has also been a surge in the number of ransomware attacks, with a ransomware attack expected every 11 seconds and the total cost of damages due to these attacks estimated at about USD 20 billion in 2021.[4]
As we discussed at Microsoft Inspire earlier this year, threats against infrastructure can come from a variety of sources—attackers exploiting web shells, brute force login attacks, software vulnerabilities, and credential theft—to achieve goals like deploying ransomware. With cyberattacks continuing to rise, the need for secure computing has never been more important. Customers care about the protection of their data and workloads, and platform security can be an important tool in a comprehensive defense-in-depth strategy. Applying our learnings from the Secured-core PC initiative, Microsoft is collaborating with partners to expand Secured-core to Windows Server, Microsoft Azure Stack HCI, and Azure-certified IoT devices.
REvil ransomware use case
Let’s dive into the typical kill chain of a human-operated ransomware campaign undertaken by REvil (or Sodinokibi), which recently impacted thousands of businesses worldwide, including through the attack on Kaseya.[5] The attackers used a variety of techniques, such as compromised Remote Desktop Protocol (RDP) credentials and vulnerabilities in the operating system and applications, to gain an initial foothold in the organizations. Documents from the United States Department of Justice’s investigation[6] delve into how REvil carried out the ransomware attack on Kaseya by using the following attack pattern:
Figure 1. Kill chain of REvil ransomware.
The ransomware operators can gain administrative privileges on the compromised devices, steal passwords from memory using credential dumping tools, such as Mimikatz, and use Cobalt Strike and Metasploit to move laterally and establish persistence on the victim’s networks. After obtaining the necessary privileges and access across the infrastructure, the ransomware activates, encrypting all the files and leaving an electronic note for the user indicating the amount that they need to pay to decrypt their files.
Ransomware attacks like these result in an enormous loss of time and money for enterprises. Continuing to raise the security bar for critical infrastructure against attackers makes it easier for organizations to meet that higher bar, which is an important priority for both customers and Microsoft. Successfully protecting systems requires a holistic approach that builds security from the chip to the cloud across hardware, firmware, and the operating system.
Secured-core servers leverage your infrastructure to help protect you from security threats
Secured-core servers take a defense-in-depth approach to basic system security. Secured-core servers are built around three distinct security pillars:
- To protect the server infrastructure with a hardware-based root of trust.
- To defend sensitive workloads against firmware-level attacks.
- To prevent access and the execution of unverified code on the systems.
Partnering with leading original equipment manufacturers (OEMs) and silicon vendors, Secured-core servers use an industry-standard hardware-based root of trust coupled with security capabilities built into modern central processing units (CPUs). Secured-core servers use the Trusted Platform Module 2.0 and Secure Boot to ensure that only trusted components load in the boot path.
“To help our customers remain secure and accelerate their business outcomes, Hewlett Packard Enterprise (HPE) is excited to release the new Gen 10 Plus (v2) products for Azure Stack HCI 21H2 and Windows Server 2022 which can be delivered with the HPE GreenLake edge-to-cloud platform,” said Keith White, Senior Vice President and General Manager, GreenLake Cloud Services Commercial Business. “These offer unprecedented host protection by combining HPE’s security technologies with Secured-core server functionalities for a secure, hybrid implementation.”
Additional details will be made available soon as part of the Azure Stack HCI: Secured-core Server Solution Brief. Configuration details can be found in the section “Configuring and validating Secured-core” of the Implementing Microsoft Windows Server 2022 Using HPE Proliant Servers, Storage, and Networking Options white paper.
Secured-core servers use hardware-rooted security in the modern CPU with Dynamic Root of Trust Measurement (DRTM) to launch the system into a trusted state, mitigating attacks from advanced malware that attempts to tamper with the system.
Enabled with Hypervisor-Protected Code Integrity (HVCI), a Secured-core server only starts executables signed by known and approved authorities. This ensures that code running within the trusted computing base runs with integrity and is not subject to exploits or attacks. The hypervisor sets and enforces memory permissions so that malware cannot modify memory and then execute it.
In the REvil ransomware example that was described earlier, Secured-core servers would have made it much harder for the attackers to effectively deploy and activate their payload. HVCI comes enabled with a code integrity security policy that blocks drivers that tamper with the kernel, such as Mimikatz. Additionally, since Virtualization-based security (VBS) is enabled out of the box, IT administrators can easily enable features, such as Credential Guard, which safeguard the credentials in an isolated environment that is invisible to attackers. By preventing credential theft (stage two of the kill chain, represented in Figure 1), Secured-core servers can help make it extremely hard for attackers to move laterally in the network, thereby stopping the attack.
Look for Secured-core server solutions in the HCI and Windows Server catalogs
You can now find a breadth of servers certified for Secured-core server AQ in the Azure Stack HCI catalog. Enhancements made to the catalog allow you to easily identify Azure Stack HCI solutions that support Secured-core server functionality with the new Secured-core server badge.
Figure 2. Azure Stack HCI Catalog Secured-core servers.
Secured-core servers support all the protections offered in the trusted enterprise virtualization use case, plus additional features to protect hosts from firmware-level attacks. In addition to the Azure Stack HCI catalog, the Windows Server Catalog lists dozens of hardware platforms from our various ecosystem partners that meet the Secured-core server AQ. Learn more about how the Secured-core servers provide exceptional host security in our blog post.
Manage your Secured-core server easily with the Microsoft Windows Admin Center
Windows Admin Center is your user interface (UI) for managing the status and configuration of your Secured-core server. Windows Admin Center is a locally deployed, browser-based application for managing Windows servers, clusters, hyper-converged infrastructure, as well as Windows clients, and is ready to use in production.
New functionality in Windows Admin Center makes it extremely easy for customers to configure the Secured-core features for Windows Server and Azure Stack HCI systems. The new Windows Admin Center security functionality, now included with the product, enables advanced security with a click of the button from a web browser anywhere in the world. For Windows Server and validated Azure Stack HCI solutions, customers can look for Secured-core certified systems to simplify acquiring secure hardware platforms.
Figure 3. Windows Admin Center Secured-core server cluster management.
The Windows Admin Center UI allows you to easily configure the six features that encompass Secured-core server: Hypervisor Enforced Code Integrity, Boot Direct Memory Access (DMA) Protection, System Guard, Secure Boot, Virtualization-based security, and Trusted Platform Module 2.0. Download the latest version of Windows Admin Center today.
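The same six features can also be read from the host itself. The following PowerShell is an added example, not Microsoft's or Windows Admin Center's own code: the function name `Test-SecuredCoreState` is hypothetical, the numeric codes are those documented for the `Win32_DeviceGuard` class, and the Boot DMA check only reports that DMA protection is available to VBS, which is an approximation of the Windows Admin Center status.

```powershell
# Added example: map host state onto the six Secured-core features listed above.
function Test-SecuredCoreState {
    param(
        [Parameter(Mandatory)] $DeviceGuard,       # Win32_DeviceGuard instance, or an object with the same properties
        [Parameter(Mandatory)] [bool] $SecureBoot, # result of Confirm-SecureBootUEFI
        [string] $TpmSpecVersion = ''              # Win32_Tpm.SpecVersion, e.g. "2.0, 0, 1.38"
    )
    $running   = @($DeviceGuard.SecurityServicesRunning)      # 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch
    $available = @($DeviceGuard.AvailableSecurityProperties)  # 2 = Secure Boot, 3 = DMA protection
    $checks = [ordered]@{
        'Hypervisor-Protected Code Integrity' = $running -contains 2
        'Boot DMA Protection (available)'     = $available -contains 3
        'System Guard (Secure Launch)'        = $running -contains 3
        'Secure Boot'                         = $SecureBoot
        'Virtualization-based security'       = $DeviceGuard.VirtualizationBasedSecurityStatus -eq 2  # 2 = enabled and running
        'Trusted Platform Module 2.0'         = $TpmSpecVersion -like '2.0*'
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Feature = $name; Enabled = [bool]$checks[$name] }
    }
}

# Constructed sample (not captured from a real server): VBS and HVCI are running,
# but System Guard Secure Launch is not, so the host is not fully Secured-core.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesRunning           = @(1, 2)
    AvailableSecurityProperties       = @(1, 2, 3, 5)
}
Test-SecuredCoreState -DeviceGuard $sample -SecureBoot $true -TpmSpecVersion '2.0, 0, 1.38' |
    Format-Table -AutoSize

# Live check on a Windows host (run from an elevated session).
if ($env:OS -eq 'Windows_NT') {
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $sb  = try { Confirm-SecureBootUEFI } catch { $false }   # throws on non-UEFI platforms
    Test-SecuredCoreState -DeviceGuard $dg -SecureBoot $sb -TpmSpecVersion "$($tpm.SpecVersion)" |
        Format-Table -AutoSize
}
```

Any row reporting `False` on a server sold as Secured-core points to a feature that was disabled in firmware or policy after deployment and is worth alerting on.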
Begin your Secured-core journey
Secured-core servers, which are now available in the Azure Stack HCI and Windows Server catalogs, come fully equipped with industry-leading security mitigations built into the hardware, firmware, and the operating system to help thwart some of the most advanced attack vectors. Coupled with Windows Admin Center, managing and monitoring the security state of your mission-critical infrastructure has never been easier.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
[1] US fuel pipeline hackers ‘didn’t mean to create problems,’ Mary-Ann Russon, BBC News. 10 May 2021.
[2] 200 million Facebook, Instagram, and LinkedIn users’ scraped data exposed, Security Magazine. 12 January 2021.
[3] How much does a data breach cost? Cost of a Data Breach Report 2021, IBM.
[4] Global Ransomware Damage Costs Predicted To Reach $20 Billion (USD) By 2021, Steve Morgan, Cybercrime Magazine. 21 October 2019.
[5] Ukrainian Arrested and Charged with Ransomware Attack on Kaseya, The United States Department of Justice. 8 November 2021.
[6] United States of America v. Yevgeniy Igorevich Polyanin, United States District Court for the Northern District of Texas, Dallas Division. 24 August 2021.