The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new cybersecurity software, Untitled Goose Tool, to help users of the Microsoft Azure cloud service spot potential security problems.
Developed in conjunction with Sandia National Labs, CISA describes Untitled Goose as “a free tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory, and Microsoft 365 environments”.
It is available in the CISA repository on GitHub.
How security teams can use Untitled Goose Tool
CISA says the tool can be used to export and review Azure Active Directory (AAD) sign-in and audit logs, Microsoft 365’s unified audit log (UAL) and Azure activity logs, as well as Microsoft Defender for IoT alerts, and Microsoft Defender for Endpoint data, to help try and spot suspicious activity.
It also enables system admins to query, export, and investigate AAD, Microsoft 365, and Azure configurations for potential problems.
A CISA factsheet says: “Network defenders attempting to interrogate a large Microsoft 365 tenant via the UAL may find that manually gathering all events at once is not feasible. Untitled Goose Tool uses novel data gathering methods via bespoke mechanisms.”
Quite who came up with the name for this tool is unclear, but it includes functions entitled goosey_graze and goosey_honk which aid in the extraction and monitoring of information.
The tool is purely for querying data, CISA says, and cannot make changes to cloud environments.
Content from our partners
Cloud environments increasingly targeted by cybercriminals
While vulnerabilities in cloud platforms such as Azure are relatively rare, cybercriminals are increasingly trying to find ways to breach the platforms. Last year, Tech Monitor reported on a vulnerability in Office 365 which potentially left cloud data open to attack.
“Current ransomware attacks are mainly focused on local networks and endpoints and not the cloud,” said Barak Hadad, head of research at security company Armis at the time. “But since organisations are moving their business logic to the cloud, we expect an increase of ransomware attacks against cloud storage systems.”
More recently, a remote code execution vulnerability in Azure was uncovered by researchers at cloud security company Ermetic. Dubbed EmojiDeploy, Microsoft patched it in December after Ermetic flagged the problem, earning the company a $30,000 bug bounty.
“The vulnerability is achieved through CSRF (cross-site request forgery) on the ubiquitous SCM service Kudu,” Liv Matan, researcher at Ermatic said, adding that the flaw could enable attackers to move laterally through affected systems. “By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim’s Azure application,” Matan added.
