agentless scanning
20 Topics

Introducing the new File Integrity Monitoring with Defender for Endpoint integration
The final and most complex piece of this puzzle, the release of File Integrity Monitoring (FIM) powered by Defender for Endpoint, marks a significant milestone in the Defender for Servers simplification journey. The new FIM solution based on Defender for Endpoint offers real-time monitoring of critical file paths and system files, ensuring that any change indicating a potential attack is detected immediately. In addition, FIM offers built-in support for relevant security regulatory compliance standards, such as PCI-DSS, CIS, NIST, and others, allowing you to maintain compliance.

Agentless scanning for virtual machines in the cloud – technical deep dive
Over the past three years, a notable shift has unfolded in the realm of cloud security. Increasingly, security vendors are introducing agentless scanning solutions to enhance the protection of their customers. These solutions give users visibility into their security posture and the ability to detect threats, all without installing any additional software (commonly referred to as an agent) onto their workloads.

Defender for cloud's Agentless secret scanning for virtual machines is now generally available!
Cloud cybersecurity is of paramount importance in today's digital landscape, as organizations increasingly rely on cloud services to store and manage sensitive data, applications, and infrastructure. Attacks on cloud infrastructure pose severe risks to organizations, such as data theft, ransomware attacks, crypto mining attacks, and service disruption. During a cyber-attack, after gaining initial access to the target network, the attacker begins to move deeper into the network in search of sensitive data and other high-value assets. This stage, called lateral movement, is critical, as it enables threat actors to explore and expand their presence within a target network, increasing the potential for further compromise of critical systems. One of the most common techniques used by attackers to move laterally in a network is credential theft. This technique involves the exploitation of exposed secrets such as passwords, keys, tokens, and connection strings to gain access to additional assets in the network. Secrets are often found in files stored on the disks of virtual machines (VMs) or containers running on various cloud platforms.

The exposed secrets challenge
Secrets end up exposed for the following reasons:
Lack of awareness: Some organizations may not be aware of the risks and consequences of exposing secrets in their cloud environment. They may not have a clear policy or guidance on how to handle and protect secrets in their code and configuration files.
Lack of discovery tools: Organizations may have no tools or processes to detect and remediate leaked secrets.
Complexity and speed: Modern software development is complex and fast-paced, relying on multiple cloud platforms, open-source software, and third-party code. Developers may use secrets to access and integrate various resources and services in their cloud environment. They may also store secrets in their source code repositories for convenience and reuse. This can lead to accidental exposure of secrets in public or private repositories, or during data transfer or processing.
Trade-off between security and usability: Some organizations may choose to keep secrets exposed in their cloud environment for usability reasons, to avoid the complexity and latency of encrypting and decrypting data at rest and in transit. This can compromise the security and privacy of their data and credentials.

Defender for cloud's Agentless secret scanning for virtual machines
The agentless secret scanning is designed to help mitigate the risk of lateral movement. It broadens the coverage of cloud assets, enabling quick detection, prioritization, and remediation of exposed secrets. Utilizing cloud APIs, it captures snapshots of your disks and conducts an out-of-band analysis, ensuring no impact on your virtual machines' performance. In addition, it identifies a variety of secrets across Azure, AWS, and GCP and provides practical suggestions for the following mitigations:
Elimination of unnecessary secrets.
Applying the principle of least privilege.
Strengthening the security of your secrets by employing secret management systems such as Azure Key Vault where possible.
Usage of short-lived secrets, such as substituting Azure Storage connection strings with SAS tokens that have shorter validity periods.

Onboarding
Knowing that asset coverage plays a crucial role, we created a straightforward, easy onboarding experience: just one click, and all assets under the specified subscription are covered by our agentless scanning capability.
[Figure: Agentless scanning configuration within the Defender for Servers settings]

Detection and prioritization
Microsoft's secrets detection engine can identify a wide range of secret types, such as tokens, passwords, keys, or credentials, stored in different file types within the OS file system. After collecting the necessary file and secret metadata from the disk, it sends them to the Defender for cloud portal.

Prioritizing secrets can be a daunting task. You may wonder which secrets are the riskiest and require immediate attention. To evaluate the severity and urgency of each secret we detected, we provide rich metadata for every secret, such as the file's last access time, the token expiration date, an indication of whether the target resource that the secret provides access to exists, and more. We also combine the secrets' metadata with the assets' cloud context, helping you to start with assets that are exposed to the internet and contain secrets that may compromise other sensitive assets. We are happy to announce that the secrets scanning findings will also be incorporated into our new DCSPM risk-based approach to prioritize recommendations and enhance attack path analysis.

We have developed multiple views to assist you in pinpointing the most commonly found secrets or the assets containing secrets. This enables a prioritized approach towards the elimination of exposed secrets.

Security Recommendations
[Figure: Enhanced recommendation experience aggregated by secret type]
The security recommendations for secrets offer a consolidated view of the detected secrets, including details such as the file location of the secrets, the last access time, an indicator of whether the target resource that the secret provides access to exists, and more.

Attack Path
In this attack scenario, our scanner identified an AWS access key on the disk of a GCP VM instance. It was then able to pinpoint the AWS S3 bucket that the key could authenticate to. Leveraging the capabilities of Microsoft Defender CSPM, the attack path revealed that the initial GCP VM instance has a critical vulnerability and is exposed to the internet. This comprehensive context equips you with the necessary information for effective risk assessment and prioritization.

Cloud Security Explorer
[Figure: Use the cloud security explorer to search for plaintext secrets]

Secrets tab (inventory)
[Figure: Use the secrets tab to view all secrets detected for a specified virtual machine]

We are thrilled to announce that the Agentless secret scanning for virtual machines is now GA for the Defender CSPM and Defender for Servers P2 plans. To start using this new feature, ensure that agentless scanning under the environment settings is enabled for the relevant subscriptions. For customers who have already enabled agentless scanning, no further action is needed. To learn more about the prerequisites, detection, capabilities and more, please refer to the documentation.

Guidance for handling CVE-2025-31324 using Microsoft Security capabilities
Short Description
Recently, a CVSS 10 vulnerability, CVE-2025-31324, affecting the "Visual Composer" component of the SAP NetWeaver application server, has been published, putting organizations at risk. In this blog post, we will show you how to effectively manage this CVE if your organization is affected by it. Exploiting this vulnerability involves sending a malicious POST request to the "/developmentserver/metadatauploader" endpoint of the SAP NetWeaver application server, which allows arbitrary file upload and execution.

Impact: This vulnerability allows attackers to deploy a webshell and execute arbitrary commands on the SAP server with the same permissions as the SAP service. This specific SAP product is typically used in large organizations, on Linux and Windows servers across on-prem and cloud environments, making the impact of this vulnerability significant. Microsoft has already observed active exploitation of this vulnerability in the wild, highlighting the urgency of addressing this issue.

Mapping CVE-2025-31324 in Your Organization
The first step in managing an incident is to map affected software within your organization's assets.

Using the Vulnerability Page
Information on this CVE, including exposed devices and software in your organization, is available from the vulnerability page for CVE-2025-31324.

Using Advanced Hunting
This query searches for software vulnerable to this CVE and summarizes the results by device name, OS version and device ID:

DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2025-31324"
| summarize by DeviceName, DeviceId, strcat(OSPlatform, " ", OSVersion), SoftwareName, SoftwareVersion

To map the presence of additional, potentially vulnerable SAP NetWeaver servers in your environment, you can use the following Advanced Hunting query. Results may be incomplete because the query relies on activity data, so inactive instances of the application (installed but not currently running) might not be included in the report.

DeviceProcessEvents
| where (FileName == "disp+work.exe" and ProcessVersionInfoProductName == "SAP NetWeaver") or FileName == "disp+work"
| distinct DeviceId, DeviceName, FileName, ProcessVersionInfoProductName, ProcessVersionInfoProductVersion

Where available, the ProcessVersionInfoProductVersion field contains the version of the SAP NetWeaver software.

Optional: Utilizing the software inventory to map devices is advisable even when a CVE hasn't been officially published or when there's a specific requirement to upgrade a particular package and version. This query searches for devices that have a vulnerable version installed (you can use this link to open the query in your environment):

DeviceTvmSoftwareInventory
| where SoftwareName == "netweaver_application_server_visual_composer"
| parse SoftwareVersion with Major:int "." Minor:int "." BuildDate:datetime "." rest:string
| extend IsVulnerable = Minor < 5020 or BuildDate < datetime(2025-04-18)
| project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion, IsVulnerable

Using a dedicated scanner
You can leverage Microsoft's lightweight scanner to validate whether your SAP NetWeaver application is vulnerable. This scanner probes the vulnerable endpoint without actively exploiting it.

Recommendations for Mitigation and Best Practices
Mitigating risks associated with vulnerabilities requires a combination of proactive measures and real-time defenses. Here are some recommendations:

Update NetWeaver to a Non-Vulnerable Version: All NetWeaver 7.x versions are vulnerable. For versions 7.50 and above, support packages SP027 - SP033 have been released and should be installed. Versions 7.40 and below do not receive new support packages and should implement alternative mitigations.

JIT (Just-In-Time) Access: Cloud customers using Defender for Servers P2 can utilize our "JIT" feature to protect their environment from unnecessarily open ports and the associated risks. This feature helps secure your environment by limiting exposure to only the necessary ports. The Microsoft research team has identified common ports that may be used by these components, so you can check or use JIT for these. It is important to mention that JIT can be used for any port, but these are the most common ones. Learn more about the JIT capability.
Ports commonly used by the vulnerable application as observed by Microsoft: 80, 443, 50000, 50001, 1090, 5000, 8000, 8080, 44300, 44380

Active Exploitations
To better support our customers in the event of a breach, we are expanding our detection framework to identify and alert you about the exploitation of this vulnerability across all operating systems (for MDE customers). These detectors, like all Microsoft detections, are also connected to Automatic Attack Disruption, our autonomous protection vehicle. In cases where these alerts, alongside other signals, provide high confidence of an ongoing attack, automatic actions will be taken to contain the attack and prevent it from progressing further.

Coverage and Detections
Currently, our solutions support coverage of CVE-2025-31324 for Windows and Linux devices that are onboarded to MDE (in both MDE and MDC subscriptions). To further expand our support, Microsoft Defender Vulnerability Management is currently deploying additional detection mechanisms. This blog will be updated with any changes and progress.

Conclusion
By following these guidelines and utilizing end-to-end integrated Microsoft Security products, organizations can better prepare for, prevent and respond to attacks, ensuring a more secure and resilient environment. While the above process provides a comprehensive approach to protecting your organization, continual monitoring, updating, and adapting to new threats are essential for maintaining robust security.

Unleashing the Power of Microsoft Defender for Cloud – Unique Capabilities for Robust Protection
So you have implemented a non-native Cloud Security Posture Management solution, but there are security gaps that you might not have considered. Here is how Defender for Cloud is uniquely positioned to secure your cloud attack surface.

Defender CSPM enhances risk prioritization, remediation, and compliance for multicloud environments
New innovations in Defender CSPM reinforce our commitment to empowering security teams to better prioritize business-critical risks, accelerate multicloud compliance, and streamline risk remediation.