Ronald.phillips
Shared posts
MC898392 – Microsoft Teams: UDP Signaling Ports configuration change
Microsoft 365 was down for thousands of users - here's what happened
Stags 2024 S01E06 1080p WEB H264-LAZYCUNTS
The post Stags 2024 S01E06 1080p WEB H264-LAZYCUNTS appeared first on SceneSource.
Halo 5: Guardians Will Soon Be Playable On PC Thanks to New Xbox One Translation Layer For Windows
Halo 5: Guardians, as well as other Xbox One exclusives, will soon become playable on PC thanks to a new Xbox One translation layer for Windows PCs. XWine1, which was revealed with a tweet on X, is an Xbox One translation layer for Windows PCs that currently runs six games properly. Among these games are Halo 5: Guardians, which hasn't been ported to PC to date, Rare Replay, Crimson Dragon, Forza Motorsport 5, Powerstar Golf, Space Jam: A New Legacy - The Game, Forza Motorsport 6, Forza Horizon 2 and CrossfireX. Unfortunately, the translation layer is not available to the […]
Read full article at https://wccftech.com/halo-5-guardians-pc/
Rebel FM Episode 634 - 08/30/2024
How AitM Phishing Attacks Bypass MFA and EDR—and How to Fight Back
GitHub Promises 'Additional Guardrails' After Wednesday's Update Triggers Short Outage
Read more of this story at Slashdot.
Space Telescope Data Reignites Debate Over How Fast Our Universe Is Expanding
Free classic RTS OpenRA mod 'Command & Conquer - Combined Arms' has a huge overhaul
Read the full article on GamingOnLinux.
Intel Publishes Updated CPU Microcode For A Variety Of Security & Functional Issues
Day 902 of WW3: Well, well, well, how about that? Claim: Kadyrovites secretly concluded an agreement with Ukraine on Kursk region and stood aside for Ukrainian troops. Betrayal? In Russia? Where's my fainting couch? It's your Tuesday Ukraine war talk [News]
Doom modders are annoyed at the "chum-bucket" of wrongly credited mods in the latest Doom remaster
Last week, Bethesda released a remastered edition of Doom and Doom II on Steam, with lots of extra episodes and improvements. One of these new features is a built-in browser for mods, and support for many existing mods that previously required a different version of the game. Basically, lots of good fan-made mods are now playable on the Steam version of ye olde Doom. That's neat! Ah, but there is some demon excrement on the health pack, so to speak. The mod browser lacks moderation and lets people upload the work of others with their own name pinned as the author. That's prompted one level designer to call it "a massive breach of trust and violation of norms the Doom community has done its best to hold to for those 30 years."
Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE
Microsoft researchers recently identified multiple medium severity vulnerabilities in OpenVPN, an open-source project with binaries integrated into routers, firmware, PCs, mobile devices, and many other smart devices worldwide, numbering in the millions. Attackers could chain and remotely exploit some of the discovered vulnerabilities to achieve an attack chain consisting of remote code execution (RCE) and local privilege escalation (LPE). This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information. Exploiting these vulnerabilities, however, necessitates user authentication and a deep understanding of OpenVPN’s inner workings, alongside intermediate knowledge of the operating systems. Today, we presented this research and demonstrated the discovered attack chain in our session at Black Hat USA 2024.
OpenVPN is widely used by thousands of companies spanning various industries across major platforms such as Windows, iOS, macOS, Android, and BSD. As such, exploitation of the discovered vulnerabilities, which affect all versions of OpenVPN prior to version 2.6.10 (and 2.5.10), could put endpoints and enterprises at significant risk of attack.
We reported the discovery to OpenVPN through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in March 2024 and worked closely with OpenVPN to ensure that the vulnerabilities are patched. Information on the security fixes released by OpenVPN to address these vulnerabilities can be found here: OpenVPN 2.6.10. We strongly urge OpenVPN users to apply the latest security updates as soon as possible. We also thank OpenVPN for their collaboration and recognizing the urgency in addressing these vulnerabilities.
Below is a list of the discovered vulnerabilities discussed in this blog:
| CVE ID | OpenVPN component | Impact | Affected platform |
| --- | --- | --- | --- |
| CVE-2024-27459 | openvpnserv | Denial of service (DoS), local privilege escalation (LPE) | Windows |
| CVE-2024-24974 | openvpnserv | Unauthorized access | Windows |
| CVE-2024-27903 | openvpnserv | Remote code execution (RCE) | Windows |
| CVE-2024-27903 | openvpnserv | Local privilege escalation (LPE), data manipulation | Android, iOS, macOS, BSD |
| CVE-2024-1305 | Windows TAP driver | Denial of service (DoS) | Windows |
In this blog post, we detail our analysis of the discovered vulnerabilities and the impact of exploitation. In addition to patching, we provide guidance to mitigate and detect threats attempting to exploit these vulnerabilities. This research emphasizes the need for responsible disclosure and collaboration among the security community to defend devices across platforms and build better protection for all, spanning the entire user-device ecosystem. The discovery of these vulnerabilities further highlights the critical importance of ensuring the security of enterprise and endpoint systems and underscores the need for continuous monitoring and protection of these environments.
What is OpenVPN?
OpenVPN is a virtual private network (VPN) system that creates a private and secure point-to-point or site-to-site connection between networks. The OpenVPN open-source project is widely popular across the world, including the United States, India, France, Brazil, the United Kingdom, and Germany, as well as industries spanning the information technology, financial services, telecommunications, and computer software sectors. This project supports different major platforms and is integrated into millions of devices globally.
OpenVPN is also the name of the tunneling protocol it uses, which employs the Secure Socket Layer (SSL) encryption protocol to ensure that data shared over the internet remains private, using AES-256 encryption. Since the source code is available for audit, vulnerabilities can be easily identified and fixed.
OpenVPN analysis
We discovered the vulnerabilities while examining the OpenVPN open-source project to enhance enterprise security standards. During this research, we checked two other popular VPN solutions and found that at the time they were impacted by a vulnerability (CVE-2024-1305). Following this discovery, we started hunting for and uncovered additional vulnerable drivers with the same issue and decided to investigate open-source VPN projects. Upon confirming that the same vulnerability was located in the OpenVPN open-source repository, our research then focused on examining the architecture and security model of the OpenVPN project for Windows systems.
OpenVPN architecture
OpenVPN server client architecture
OpenVPN is a sophisticated VPN system meticulously engineered to establish secure point-to-point or site-to-site connections. It supports both routed and bridged configurations, as well as remote access capabilities, making it a versatile choice for various networking needs. OpenVPN comprises both client and server applications, ensuring a comprehensive solution for secure communication.
With OpenVPN, peers can authenticate each other through multiple methods, including pre-shared secret keys, certificates, or username/password combinations. In multi-client server environments, the server can generate and issue an individual authentication certificate for each client, leveraging robust digital signatures and a trusted certificate authority. This ensures an elevated level of security and integrity in the authentication process, enhancing the overall reliability of the VPN connection.
Client-side architecture
The client-side architecture is where we discovered the additional three vulnerabilities (CVE-2024-27459, CVE-2024-24974, and CVE-2024-27903):
OpenVPN’s client architecture can be summarized in the following simplified diagram:
openvpnserv.exe and openvpn.exe
The system service launches elevated commands on behalf of the user, handling tasks such as adding or deleting DNS configurations, IP addresses, and routes, and enabling Dynamic Host Configuration Protocol (DHCP). These commands are received from the openvpn.exe process through a named pipe created for these two entities, such as “openvpn/service_XXX” where XXX is the thread ID (TID) that is being passed to the newly created process as a command line argument.
The launched commands arrive in the form of a binary structure that contains the relevant information for the specific command, with the structure being validated and only then launching the appropriate command. The below figure displays an example of the structure that contains information for adding/deleting DNS configuration:
Additionally, openvpnserv.exe serves as the management unit, spawning openvpn.exe processes upon requests from different users on the machine. This can be done automatically using the OpenVPN GUI or by sending specifically crafted requests. Communication for this process occurs through a second named pipe, such as “openvpn/service”.
Openvpn.exe is the user mode process being spawned on behalf of the client. When openvpn.exe starts, it receives a path for a configuration file (as a command line argument). The configuration file that’s provided holds different information.
A lot of fields can be managed in configuration files, such as:
- Tunnel options
- Server mode options
- Client mode options
Plugin mechanism in openvpn.exe
Another mechanism of interest for us is the plugin mechanism in openvpn.exe, which can extend the functionality to add additional logic, such as authentication plugins that authenticate against Lightweight Directory Access Protocol (LDAP), Radius, or other Pluggable Authentication Module (PAM) backends. Some of the existing plugins are:
- Radiusplugin – Radius authentication support for OpenVPN.
- Eurephia – Authentication and access control plugin for OpenVPN.
- Openvpn_defer_auth – OpenVPN plugin to perform deferred authentication requests.
The plugin mechanism fits into the earlier diagram, as shown in Figure 2.
The plugin is loaded as a directive in the configuration file, which looks like:
Furthermore, the number of callbacks defined in the plugin launch on behalf of the loading process (openvpn.exe), such as:
- openvpn_plugin_func_v1 – This function is called by OpenVPN each time the OpenVPN reaches a point where plugin calls should happen.
- openvpn_plugin_{open, func}_v3() – Defines the version of the v3 plugin argument.
OpenVPN security model
As previously mentioned, we discovered four vulnerabilities on the client side of OpenVPN’s architecture.
As described before, openvpnserv.exe (SYSTEM service) spawns the openvpn.exe process as a result of the request from the user. Furthermore, the spawned process runs in the context of the user who requested to create the new process, which is achieved through named pipe impersonation, as displayed in the below image:
The ImpersonateNamedPipeClient function impersonates a named pipe client application.
Furthermore, to prevent unwanted behavior, specific EXPLICIT_ACCESS must be granted for any new process:
This explicit access, in addition to the earlier described “elevated commands” launched by openvpnserv.exe on request from the openvpn.exe process, and other comprehensive inspection of the passed arguments ensure that malicious behavior cannot be launched in the name of the impersonated user.
Vulnerability analysis
CVE-2024-1305
We identified a vulnerability in the “tap-windows6” project that involves developing the Terminal Access Point (TAP) adapter used by OpenVPN. In the project’s src folder, the device.c file contains the code for the TAP device object and its initialization.
In the device.c file, the CreateTapDevice method initializes a dispatch table object with callbacks for methods managing various Input/Output Controls (IOCTLs) for the device. One of these methods is TapDeviceWrite, which handles the write IOCTL.
The TapDeviceWrite method performs several operations and eventually calls TapSharedSendPacket. This method, in turn, calls NdisAllocateNetBufferAndNetBufferLists twice. In one scenario, it calls this function with the fullLength parameter, defined as follows:
Both PacketLength and PrefixLength are parameters passed from the TapDeviceWrite call and, therefore, attacker controlled. If these values are large enough, their sum (fullLength) can overflow (a 32-bit unsigned integer). This overflow results in the allocation of a smaller-than-expected memory size, which subsequently causes a memory overflow issue.
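The arithmetic described above, as an added illustration that is not code from the tap-windows6 project: the unchecked sum reproduces the 32-bit wrap-around, and the checked variant rejects a pair of lengths whose sum would not fit (or would exceed a frame-size ceiling) before the value reaches an allocator. The function names, the simulated allocation, and the 1500-byte ceiling are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not tap-windows6 code). The allocation size in the
 * vulnerable path is the 32-bit sum of two caller-controlled lengths.
 * compute_full_length_unchecked() reproduces that arithmetic;
 * compute_full_length_checked() refuses a sum that would wrap. */

/* Reproduces the wrap-around: unsigned 32-bit addition silently truncates. */
uint32_t compute_full_length_unchecked(uint32_t packet_length, uint32_t prefix_length)
{
    return packet_length + prefix_length;
}

/* Overflow-safe variant: detects the wrap before the sum is used for an
 * allocation. Returns false and leaves *out untouched when the sum would not
 * fit in 32 bits or exceeds the caller's ceiling (max_total is an assumed limit). */
bool compute_full_length_checked(uint32_t packet_length, uint32_t prefix_length,
                                 uint32_t max_total, uint32_t *out)
{
    if (packet_length > UINT32_MAX - prefix_length) {
        return false; /* packet_length + prefix_length would wrap */
    }
    uint32_t total = packet_length + prefix_length;
    if (total > max_total) {
        return false; /* larger than any frame the driver should accept */
    }
    *out = total;
    return true;
}

/* Simulated allocation request. With the unchecked sum, lengths of
 * 0xFFFFFFF0 and 0x20 ask for only 0x10 bytes, yet a later copy of
 * packet_length bytes would overrun that buffer. Returns the number of bytes
 * that would have been requested, or 0 when the checked path rejects. */
uint32_t simulate_allocation(uint32_t packet_length, uint32_t prefix_length, bool use_check)
{
    uint32_t size;
    if (use_check) {
        if (!compute_full_length_checked(packet_length, prefix_length, 1500u, &size)) {
            return 0;
        }
        return size;
    }
    return compute_full_length_unchecked(packet_length, prefix_length);
}

int main(void)
{
    printf("unchecked: %u bytes\n", simulate_allocation(0xFFFFFFF0u, 0x20u, false));
    printf("checked:   %u bytes (0 = rejected)\n", simulate_allocation(0xFFFFFFF0u, 0x20u, true));
    printf("benign:    %u bytes\n", simulate_allocation(1400u, 14u, true));
    return 0;
}
```

The check is written as `a > UINT32_MAX - b` rather than `a + b < a` so that it reads the same way in languages where signed overflow is undefined; on a 32-bit length type the two are equivalent.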
CVE-2024-27459
The second vulnerability that we discovered resided in the communication mechanism between the openvpn.exe process and the openvpnserv.exe service. As described earlier, both of which communicate through a named pipe:
The openvpnserv.exe service will read the message size in an infinite loop from the openvpn.exe process and then handle the message received by calling the HandleMessage method. The HandleMessage method reads the size provided by the infinite loop and casts the read bytes into the relevant type accordingly:
This communication mechanism presents an issue: reading a user-provided number of bytes into an n-byte structure located on the stack produces a stack buffer overflow.
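The message-handling pattern described above, as an added example (not OpenVPN's own code): a length-prefixed message is dispatched on its type field, and the vulnerable shape copies the caller-supplied size into a fixed-size stack structure, while the hardened handler parses the header first and only accepts a size that exactly matches what that type requires. The structures, type codes and field names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not OpenVPN's own code. A length-prefixed message arrives
 * over the pipe and the handler copies it into a fixed-size structure on the
 * stack chosen by the message type. Types and fields are assumptions. */

enum msg_type { MSG_ADD_DNS = 1, MSG_DEL_DNS = 2 };

struct msg_header {
    uint32_t type;
    uint32_t size; /* caller-supplied total message size */
};

struct dns_cfg_message {
    struct msg_header header;
    uint32_t iface_index;
    uint32_t addr_count;
    uint32_t addr[4];
};

/* The vulnerable shape: the size field is trusted, so a message larger than
 * the destination overruns the stack frame. Shown for contrast only; never
 * call it with untrusted input. */
void handle_message_unchecked(const uint8_t *data)
{
    struct dns_cfg_message msg;
    struct msg_header hdr;
    memcpy(&hdr, data, sizeof(hdr));
    memcpy(&msg, data, hdr.size); /* hdr.size may exceed sizeof(msg) */
    (void)msg;
}

/* Size each message type is required to have; 0 for an unknown type. */
size_t expected_size_for(uint32_t type)
{
    switch (type) {
    case MSG_ADD_DNS:
    case MSG_DEL_DNS:
        return sizeof(struct dns_cfg_message);
    default:
        return 0;
    }
}

/* Hardened handler: parse the header first, then require the supplied size
 * to equal exactly what the type needs and to be covered by the bytes
 * actually received. Returns true when the message is accepted. */
bool handle_message(const uint8_t *data, size_t data_len, struct dns_cfg_message *out)
{
    struct msg_header header;
    if (data_len < sizeof(header)) {
        return false; /* truncated header */
    }
    memcpy(&header, data, sizeof(header));

    size_t need = expected_size_for(header.type);
    if (need == 0 || header.size != need || header.size > data_len) {
        return false; /* unknown type, wrong size, or short read */
    }
    memset(out, 0, sizeof(*out));
    memcpy(out, data, need); /* need == sizeof(*out), so this cannot overrun */
    return true;
}

/* Constructed well-formed message: accepted and fields preserved. */
bool demo_valid_message(void)
{
    struct dns_cfg_message msg = {
        .header = { .type = MSG_ADD_DNS, .size = sizeof(struct dns_cfg_message) },
        .iface_index = 7,
        .addr_count = 1,
        .addr = { 0x08080808u },
    };
    struct dns_cfg_message out;
    return handle_message((const uint8_t *)&msg, sizeof(msg), &out) && out.iface_index == 7;
}

/* Constructed oversized message: 4096 bytes claimed, rejected before any copy. */
bool demo_oversized_rejected(void)
{
    uint8_t buf[4096];
    struct msg_header header = { .type = MSG_ADD_DNS, .size = sizeof(buf) };
    memset(buf, 'A', sizeof(buf));
    memcpy(buf, &header, sizeof(header));
    struct dns_cfg_message out;
    return !handle_message(buf, sizeof(buf), &out);
}
```

The key design choice is that the destination size is derived from the message type on the receiving side and the sender's size field is checked against it, never used directly as a copy length.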
CVE-2024-24974
The third vulnerability involves unprivileged access to an operating system resource. The openvpnserv.exe service spawns a new openvpn.exe process based on user requests received through the “\\openvpn\\service” named pipe. This vulnerability allows remote access to the named service pipe, enabling an attacker to remotely interact with and launch operations on it.
CVE-2024-27903
Lastly, we identified a vulnerability in OpenVPN’s plugin mechanism that permits plugins to be loaded from various paths on an endpoint device. This behavior can be exploited by attackers to load harmful plugins from these different paths.
Exploiting and chaining the vulnerabilities
All the identified vulnerabilities can be exploited once an attacker gains access to a user’s OpenVPN credentials, which could be accomplished using credential theft techniques, such as purchasing stolen credentials on the dark web, using info-stealing malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them. The discovered vulnerabilities could then be combined to achieve different exploitation results, or chained together to form a sophisticated attack chain, as detailed in the below sections.
RCE exploitation
We first explored how an attacker could achieve remote code execution (RCE) exploitation using CVE-2024-24974 and CVE-2024-27903.
To successfully exploit these vulnerabilities and achieve RCE, an attacker must first obtain an OpenVPN user’s credentials. The attacker’s device must then launch the NET USE command with the stolen credentials to remotely access the operating system resources and gain access to the named pipe objects.
Next, the attacker can send a “connect” request to the “\\openvpn\\service” named pipe to launch a new instance of openvpn.exe on its behalf.
In the request, a path to a configuration file (\\\\DESKTOP-4P6938I\\share\\OpenVPN\\config\\sample.ovpn) is specified that’s located on the attacker-controlled device. A log path is also provided into which the loaded plugin will write its logs (--log \\\\{TARGET_MACHINE_PLACEHOLDER}\\share\\OpenVPN\\log\\plugin_log.txt).
The provided configuration has instructions to load malicious plugin, as such:
After successful exploitation, the attacker can read the log provided on the attacker-controlled device.
LPE exploitation
Next, we investigated how an attacker could achieve local privilege escalation (LPE) using CVE-2024-27459 and CVE-2024-27903. To successfully achieve an LPE exploit in this context, an attacker must load a malicious plugin into the normal launching process of openvpn.exe by using a malicious configuration file.
First, the attacker will connect to a local device “\\openvpn\\service” named pipe with a command that instructs openvpnserv.exe to launch openvpn.exe based on the attacker-provided malicious configuration.
The malicious configuration will include a line like the below example:
For the malicious plugin to successfully communicate with openvpnserv.exe, it must recover the number that names the inner named pipe connecting the openvpn.exe process and the openvpnserv.exe service. This can be achieved, for instance, by parsing command line arguments, as displayed below:
This works because when the openvpn.exe process spawns, it’s being passed the TID (as a command line argument) that the inner named pipe (which is being used for communication between this specific OpenVPN instance and the openvpnserv.exe service) will have. For instance, if the inner named pipe created is “\\openvpn\\service_1234” then openvpn.exe will be launched with an extra argument of 1234.
Next, attackers can exploit the stack overflow vulnerability by sending data bigger than the MSG structure. It is important to note that there are stack protection mechanisms in place, called stack canaries, which make exploitation much more challenging. Thus, when triggering the overflow:
After the crash of openvpnserv.exe, the attacker has a slot of time in which they can reclaim the named pipe “\\openvpn\\service”.
If successful, the attacker then poses as the server side of the named pipe “\\openvpn\\service”. From that moment on, every attempt to connect to the “\\openvpn\\service” named pipe will result in a connection to the attacker. If a sufficiently privileged user, such as SYSTEM or an Administrator, connects to the named pipe, the attacker can impersonate that user:
The attacker can then start an elevated process on the user’s behalf, thus achieving LPE.
Chaining it all together
As our research demonstrated, an attacker could leverage at least three of the four discovered vulnerabilities to create exploits to achieve RCE and LPE, which could then be chained together to create a powerful attack chain.
A number of adjustments are needed to run the full attack chain as presented in this blog post: mainly, both the malicious payload that crashes openvpnserv.exe and the payload that then behaves as openvpnserv.exe after the crash have to be loaded with the malicious plugin. After successfully achieving LPE, attackers will use different techniques, such as Bring Your Own Vulnerable Driver (BYOVD) or exploiting known vulnerabilities, to achieve a stronger grasp of the endpoint. Through these techniques, the attacker can, for instance, disable Protected Process Light (PPL) for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system’s core functions, further entrenching their control and avoiding detection.
Critical importance of endpoint security in private and enterprise sectors
With OpenVPN being widely used across various vendors, industries, and fields, the presented vulnerabilities may impact numerous sectors, device types, and verticals. Exploiting these vulnerabilities requires user authentication, a deep understanding of OpenVPN’s inner workings, and intermediate knowledge of the operating system. However, a successful attack could significantly impact endpoints in both the private and enterprise sectors. Attackers could launch a comprehensive attack chain on a device using a vulnerable version of OpenVPN, achieving full control over the target endpoint. This control could enable them to steal sensitive data, tamper with it, or even wipe and destroy critical information, causing substantial harm to both private and enterprise environments.
The discovery of these vulnerabilities underscores the importance of responsible disclosure to secure enterprise and endpoint systems, in addition to the collective efforts of the security community to protect devices across various platforms and establish stronger safeguards for everyone. We would like to again thank OpenVPN for their partnership and swift action in addressing these vulnerabilities.
Mitigation and protection guidance
OpenVPN versions prior to 2.5.10 and 2.6.10 are affected by the vulnerabilities discussed here.
It is recommended to first identify if a vulnerable version is installed and, if so, immediately apply the relevant patch found here: OpenVPN 2.6.10.
Additionally, follow the below recommendations to further mitigate potential exploitation risks affiliated with the discovered vulnerabilities:
- Apply patches to affected devices in your network. Check the OpenVPN website for the latest patches.
- Make sure OpenVPN clients are disconnected from the internet and segmented.
- Limit access to OpenVPN clients to authorized users only.
- Due to the nature of the CVEs, which still require a username and password, prioritizing patching is difficult. Reduce risk by ensuring proper segmentation, requiring strong usernames and passwords, and reducing the number of users that have writing authentication.
Microsoft Defender XDR detections
Microsoft Defender for Endpoint
The following Microsoft Defender for Endpoint alert can indicate associated threat activity:
- Suspicious OpenVPN named pipe activity
Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:
- CVE-2024-27459
- CVE-2024-24974
- CVE-2024-27903
- CVE-2024-1305
Microsoft Defender for IoT
Microsoft Defender for IoT raises alerts for the following vulnerabilities, exploits, and behavior associated with this threat:
- Suspicion of Malicious Activity
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following query to find related activity in their networks:
This query identifies connections to OpenVPN’s named pipe from a remote host:

```kql
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields = parse_json(AdditionalFields)
| extend PipeName = JsonAdditionalFields["PipeName"]
| where PipeName == "\\Device\\NamedPipe\\openvpn\\service" and isnotempty(RemoteIP)
```
This query identifies image loads into OpenVPN’s process from a network share:

```kql
DeviceImageLoadEvents
| where InitiatingProcessFileName == "openvpn.exe" and FolderPath startswith "\\\\"
```
This query identifies processes other than openvpnserv.exe that hold the server end of OpenVPN’s named pipe:

```kql
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields = parse_json(AdditionalFields)
| extend PipeName = JsonAdditionalFields["PipeName"], NamedPipeEnd = JsonAdditionalFields["NamedPipeEnd"]
| where PipeName == "\\Device\\NamedPipe\\openvpn\\service" and NamedPipeEnd == "Server" and InitiatingProcessFileName != "openvpnserv.exe"
```
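The three hunting rules above, re-expressed as plain predicates over a small constructed event set so the matching logic can be checked offline. This is an added example, not part of the original post and not Microsoft's query code; the field names mirror the DeviceEvents and DeviceImageLoadEvents columns the queries use, and every sample row is constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example (not Microsoft's query code). The three KQL hunting rules
 * as C predicates over constructed telemetry rows. Field names mirror the
 * DeviceEvents / DeviceImageLoadEvents columns used in the queries. */

#define OPENVPN_SERVICE_PIPE "\\Device\\NamedPipe\\openvpn\\service"

struct pipe_event {
    const char *initiating_process; /* InitiatingProcessFileName */
    const char *pipe_name;          /* AdditionalFields.PipeName */
    const char *pipe_end;           /* AdditionalFields.NamedPipeEnd */
    const char *remote_ip;          /* RemoteIP; NULL models an empty field */
};

struct image_load_event {
    const char *initiating_process; /* InitiatingProcessFileName */
    const char *folder_path;        /* FolderPath */
};

/* Query 1: a connection to the OpenVPN service pipe that carries a RemoteIP. */
bool is_remote_pipe_connection(const struct pipe_event *e)
{
    return strcmp(e->pipe_name, OPENVPN_SERVICE_PIPE) == 0 &&
           e->remote_ip != NULL && e->remote_ip[0] != '\0';
}

/* Query 2: openvpn.exe loading an image from a UNC (\\server\share) path. */
bool is_share_image_load(const struct image_load_event *e)
{
    return strcmp(e->initiating_process, "openvpn.exe") == 0 &&
           strncmp(e->folder_path, "\\\\", 2) == 0;
}

/* Query 3: a process other than openvpnserv.exe holding the server end. */
bool is_rogue_pipe_server(const struct pipe_event *e)
{
    return strcmp(e->pipe_name, OPENVPN_SERVICE_PIPE) == 0 &&
           strcmp(e->pipe_end, "Server") == 0 &&
           strcmp(e->initiating_process, "openvpnserv.exe") != 0;
}

/* Constructed sample telemetry (not real events). */
static const struct pipe_event sample_pipe_events[] = {
    { "openvpnserv.exe", OPENVPN_SERVICE_PIPE, "Server", NULL },           /* expected owner */
    { "openvpn-gui.exe", OPENVPN_SERVICE_PIPE, "Client", NULL },           /* local client */
    { "openvpn-gui.exe", OPENVPN_SERVICE_PIPE, "Client", "192.0.2.10" },   /* query 1 hit */
    { "unknown.exe",     OPENVPN_SERVICE_PIPE, "Server", NULL },           /* query 3 hit */
    { "svchost.exe",     "\\Device\\NamedPipe\\example", "Server", NULL }, /* unrelated pipe */
};

static const struct image_load_event sample_image_loads[] = {
    { "openvpn.exe",  "C:\\Program Files\\OpenVPN\\bin" },         /* local install */
    { "openvpn.exe",  "\\\\fileserver\\share\\OpenVPN\\plugins" }, /* query 2 hit */
    { "explorer.exe", "\\\\fileserver\\share" },                   /* other process */
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int count_remote_pipe_connections(void)
{
    int n = 0;
    for (size_t i = 0; i < COUNT(sample_pipe_events); i++)
        n += is_remote_pipe_connection(&sample_pipe_events[i]);
    return n;
}

int count_share_image_loads(void)
{
    int n = 0;
    for (size_t i = 0; i < COUNT(sample_image_loads); i++)
        n += is_share_image_load(&sample_image_loads[i]);
    return n;
}

int count_rogue_pipe_servers(void)
{
    int n = 0;
    for (size_t i = 0; i < COUNT(sample_pipe_events); i++)
        n += is_rogue_pipe_server(&sample_pipe_events[i]);
    return n;
}
```

Each predicate matches its KQL counterpart one condition at a time, which is how to validate a hunting query before deploying it: the local client row and the unrelated pipe row must stay silent, and only the three seeded rows fire.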
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.
List of devices with OpenVPN vulnerabilities
```kql
DeviceTvmSoftwareVulnerabilities
| where OSPlatform contains "Windows"
| where CveId in ("CVE-2024-27459", "CVE-2024-24974", "CVE-2024-27903", "CVE-2024-1305")
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, VulnerabilitySeverityLevel, PublishedDate, VulnerabilityDescription, AffectedSoftware
) on CveId
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate, VulnerabilityDescription, AffectedSoftware
```
Named pipe creation activity of OpenVPN
```kql
let PipeNames = pack_array('\\openvpn/service', '\\openvpn/service_', 'openvpn', 'openvpn/service', '\\openvpn\\service_');
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == "NamedPipeEvent"
| where ProcessCommandLine contains "openvpn.exe" or InitiatingProcessCommandLine contains "openvpn.exe"
| extend Fields = parse_json(AdditionalFields)
| where Fields.FileOperation == "File created"
| where Fields.PipeName has_any (PipeNames)
| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ProcessCommandLine, Fields.FileOperation, Fields.PipeName
```
Vladimir Tokarev
Microsoft Threat Intelligence Community
References
- https://blackhat.com/us-24/briefings/schedule/#ovpnx–zero-days-leading-to-rce-lpe-and-kce-via-byovd-affecting-millions-of-openvpn-endpoints-across-the-globe-38900
- https://enlyft.com/tech/products/openvpn
- https://github.com/OpenVPN/openvpn/blob/v2.6.10/Changes.rst
- https://github.com/OpenVPN/openvpn/blob/v2.5.10/Changes.rst
- https://forums-new.openvpn.net/forum/announcements/69-release-openvpn-version-2-6-10
- https://openvpn.net/community-downloads/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27459
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24974
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27903
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1305
- https://openvpn.net/as-docs/site-to-site-routing.html#site-to-site-routing
- https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
- https://github.com/OpenVPN/openvpn/blob/master/include/openvpn-plugin.h.in
- https://www.lifewire.com/net-use-command-2618096
- https://wikipedia.org/wiki/Stack_buffer_overflow#Stack_canaries
- https://community.openvpn.net/openvpn/wiki/Downloads
- https://www.cisa.gov/secure-our-world/use-strong-passwords
Learn more
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.
The post Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE appeared first on Microsoft Security Blog.
DOOM + DOOM II get bundled together with new enhanced versions
WordStar 7, the Last Ever DOS Version, Is Re-Released For Free
14 Things Every Home Gym Needs
There’s a little game I like to play sometimes, and it seems to be popular with other folks who tend to work out at home: What equipment would I buy if I were starting a new home gym from scratch? Or you can play the advanced version: if you already have (insert common items here), what would you buy next?
What follow are my picks for anybody starting a new home gym or looking to expand the one they have—whether that means a corner of your bedroom or a full-on garage-based weightlifting paradise. I'll start with space- and budget-friendly items, then move on to some bigger-ticket buys.
Kettlebells
If I had to put together a home gym from scratch, I think I would start with two kettlebells: one light enough to strict press or snatch, and one heavy enough to make swings and goblet squats challenging.
If I had a smidge of extra cash, I’d buy them as adjustable kettlebells, like this one from Bells of Steel, so they could get heavier as I got stronger. Competition-style adjustables are by far the best kind.
A pull-up bar
Pulling exercises are some of the hardest to improvise outside of a gym (although if you took my advice about kettlebells, you could do rows with those). A doorway pull-up bar like this one barely takes up any space, but it opens up a ton of possibilities. If your doorframes don't allow that type of bar, try a pull-up tower like this one.
A spin bike
Cardio is good for you. I keep telling myself this, and I’m almost starting to believe it. With a spin bike, you can do intervals or steady state work while staying comfortably indoors when the road outside is dark, or wet, or icy. The price range of options here is wide: you can splurge on a top-of-the-line Peloton or go for one of the budget bikes (like a Sunny) that are less than a fifth of the price.
A rowing machine
My first choice for a cardio machine is the bike, as mentioned earlier. But if you want another device, I’d vote for a rower. Rowers involve your full body, and they’re great for interval training. The Concept 2 is probably the best-known (and, many would say, the best) brand in this space. (Not a rower person? My third choice would be a treadmill.)
Dumbbells
Dumbbells are a great way to lift weights at home. They’re smaller than a barbell, less specialized than a set of kettlebells, and you can do a ton of different workouts with them.
As with kettlebells, you’ll need to decide if you want to get a few pairs at specific fixed weights (cheaper to start), or go for a pricier adjustable set. Powerblock and Bowflex are the fancy kind, if you have the money but want to save space.
A bench
If you have dumbbells or want to do any sort of bro workout, you’re going to need a bench. I’m more of a barbell person, so I just got a flat bench that can fit in my rack when I want to bench press. But people who do more dumbbell work often prefer a sturdy adjustable bench that can be configured for incline or upright seated work.
A barbell
If you’re into powerlifting or weightlifting, or just want to go heavy in your general strength workouts, there’s really no substitute for a good ol’ barbell. “Standard” bars with a one-inch hole are common in budget sets, but your purchase will have more longevity if you opt for an “Olympic” style bar with two-inch collars. Get a 45-pound or 20-kilogram bar like this one unless you have a specific reason to get something else.
Iron weight plates
You’ve got a few options for plates—we’ll discuss another in a minute—but iron plates are the classic choice. They’re sturdy, appropriately heavy, and up to almost any job. Get any kind that appeals to you: regular metal plates, plastic-coated ones, vintage-style deep dish. Anything but hex plates.
Bumper plates
Not everyone needs bumper plates, but if you’re one of those people who does, skip the iron plates entirely and go for the good stuff. Bumper plates are essential for Olympic lifts (the snatch and the clean and jerk) and they’re also nice to have for other lifts, like deadlifts. In general, the cheapest kind are made of black rubber and are labeled in pounds; expect to pay a premium if you want them in kilos with international standard color-coding.
A squat rack or cage
You know you’ve Made It as a home gym owner when you have your own squat rack. Consider the amount of space you have available, since some racks require tall ceilings and all require a good bit of space around the sides so you can get to the bar to change the plates. There are folding racks, half racks, and full racks. You can also go the DIY route with one of those concrete-bucket-and-lumber squat stands everyone was using during lockdown. (Mine held up great for years, and only broke down when the buckets got too much UV damage from being in the sunlight so long.)
Resistance bands
Throw a band on your pullup bar and you have a way to do assisted pullups; hold a band in your hands instead and you can do band pull-aparts. Bands are also a great addition to your barbells if you don’t have quite enough plates (or if you’re a fan of conjugate training, in which case you’re probably already putting bands and chains on everything that isn’t nailed down.) If you want to use bands with barbells, look for the long loop type; if you want to use them on their own, look for the kind that clip to handles.
Sandbags
Sandbags are the under-appreciated workhorses of many a home gym. Sand is dirt cheap—almost literally—but expect to pay a few bucks for a really quality fabric sandbag to put it in. (That said, you can DIY this, and we have instructions.) Start with a bag that weighs maybe half as much as you do, and practice picking it up, carrying it, and generally doing anything people do with weights. Yes, you can even press it overhead if you’re careful. If that’s all too easy, go for a bag that weighs as much as you do, or more.
A plyo box
A box is a handy thing to have around, and one of the few things I’ve always wanted in my home gym but never found the space for. With one box, you can do box jumps or box squats. With two, you can do dips or stand on top of them and set up a belt squat. The possibilities are endless.
Specialty bars
If you’re shopping for the person who has everything, I’ll tell you what they don’t have: another specialty bar. After a normal barbell, a typical next purchase is a safety squat bar. You could also go for an axle, which is great for practicing strongman events, or a cambered or duffalo bar (honestly, I’m not sure why powerlifters love these so much, but they do). A dedicated deadlift bar is perfect for the deadlift specialist in your life, and a football bar or Swiss bar gives you lots of options for pressing. A log is great for the spoiled strongman or strongwoman in your life, or an EZ-curl bar for the bodybuilder. Or grab a trap bar to do deadlifts on easy mode.
Detect compromised RDP sessions with Microsoft Defender for Endpoint
Human operators play a significant part in planning, managing, and executing cyber-attacks. During each phase of their operations, they learn and adapt by observing the victim's network and leveraging intelligence and social engineering. One of the most common tools human operators use is Remote Desktop Protocol (RDP), which gives attackers not only control but also graphical user interface (GUI) visibility on remote computers. Because RDP is so popular in human-operated attacks, the RDP context is a strong indicator of suspicious activity that defenders can use to detect indicators of compromise (IOCs) and act on them.
That's why today Microsoft Defender for Endpoint is enhancing its RDP data by adding a detailed layer of session information, so you can more easily identify potentially compromised devices in your organization. This layer gives you more detail about the RDP session in the context of the activity initiated from it, simplifying correlation and increasing the accuracy of threat detection and proactive hunting.
Remote session information
The new layer adds 8 extra fields, represented as new columns in Advanced Hunting, and extends the schema across several tables. These columns enrich process information with session details, augmenting the contextual data related to remote activities.
- InitiatingProcessSessionId - Windows session ID of the initiating process
- CreatedProcessSessionId - Windows session ID of the created process
- IsInitiatingProcessRemoteSession - Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false).
- IsProcessRemoteSession - Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false).
- InitiatingProcessRemoteSessionDeviceName - Device name of the remote device from which the initiating process’s RDP session was initiated.
- ProcessRemoteSessionDeviceName - Device name of the remote device from which the created process’s RDP session was initiated.
- InitiatingProcessRemoteSessionIP - IP address of the remote device from which the initiating process’s RDP session was initiated.
- ProcessRemoteSessionIP - IP address of the remote device from which the created process’s RDP session was initiated.
The data will be available in the following tables:
Table Name | Initiating process | Created Process
--- | --- | ---
DeviceEvents | Yes | Yes, where relevant
DeviceProcessEvents | Yes | Yes
DeviceFileEvents | Yes | No
DeviceImageLoadEvents | Yes | No
DeviceLogonEvents | Yes | No
DeviceNetworkEvents | Yes | No
DeviceRegistryEvents | Yes | No
Detect human-operated ransomware attacks that use RDP
Defender for Endpoint machine learning models use data from remote sessions to identify patterns of malicious activity. They assess user interactions with devices via RDP by examining more than 100 characteristics and apply a machine learning classifier to determine if the behavior is consistent with hands-on-keyboard-based attacks.
Image 1: Ransomware attack incident investigation
Detect suspicious RDP sessions
Another model uses remote session information to identify suspicious remote sessions. Outlined below is an example of a suspect RDP session where harmful tools, commonly used by attackers in ransomware campaigns and other malicious activities, are deployed, setting off a high-severity alert.
This context is also available in Advanced Hunting for custom detection and investigation purposes.
An Advanced Hunting query can be used to display all processes initiated by a source IP during an RDP session. This query can be adjusted to fit all the supported tables.
DeviceProcessEvents
| where Timestamp >= ago(1d)
| where IsInitiatingProcessRemoteSession == true // boolean column: compare with the literal true, not the string "True"
| where InitiatingProcessRemoteSessionIP == "X.X.X.X" // Insert your IP Address here
| project InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine
Another query can be used to highlight actions performed remotely by a compromised account. This query can be adjusted to fit all the supported tables.
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessAccountSid == "SID" // Insert the compromised account SID here
| where IsInitiatingProcessRemoteSession == true // boolean column: compare with the literal true, not the string "True"
| project InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine
You can also hunt for tampering attempts. Seeing the same change made remotely across numerous devices can signal a broad tampering attempt ahead of an attack being launched.
DeviceRegistryEvents
| where Timestamp >= ago(7d)
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
| where RegistryValueName == "DisableAntiSpyware"
| where RegistryValueType == "Dword"
| where RegistryValueData == "1" // RegistryValueData is a string column, so the DWORD value 1 is compared as "1"
| where IsInitiatingProcessRemoteSession == true
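The three hunts above carried out in Python over constructed sample rows, as an added example that is not Microsoft's code: it mirrors the queries using the new session columns, normalises IsInitiatingProcessRemoteSession whether it arrives as a bool or as the string "True" from an export, compares RegistryValueData as the string it is in the schema, and adds the cross-device aggregation the tampering paragraph describes. Column names are the schema's; the device names, IP addresses and SIDs are made up.

```python
"""Hunt over Defender for Endpoint remote-session columns (added example, not Microsoft's code).

The rows below are constructed sample telemetry shaped like DeviceProcessEvents
and DeviceRegistryEvents with the new session columns; names, IPs and SIDs are made up.
"""
from collections import defaultdict
from typing import Any

DEFENDER_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"


def is_remote(value: Any) -> bool:
    """Normalise IsInitiatingProcessRemoteSession.

    Advanced Hunting stores the column as a bool, but CSV exports and some API
    clients return the strings "True"/"False"; accepting both keeps a detection
    from silently matching nothing.
    """
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


# Constructed sample data: one RDP session from 203.0.113.10 touching two servers,
# one from 198.51.100.7, and local activity that the hunts must ignore.
PROCESS_EVENTS = [
    {"DeviceName": "srv01", "IsInitiatingProcessRemoteSession": True,
     "InitiatingProcessRemoteSessionIP": "203.0.113.10",
     "InitiatingProcessAccountSid": "S-1-5-21-1-2-3-1001",
     "InitiatingProcessFileName": "explorer.exe",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami"},
    {"DeviceName": "srv02", "IsInitiatingProcessRemoteSession": "True",  # exported as text
     "InitiatingProcessRemoteSessionIP": "203.0.113.10",
     "InitiatingProcessAccountSid": "S-1-5-21-1-2-3-1001",
     "InitiatingProcessFileName": "cmd.exe",
     "FileName": "tasklist.exe", "ProcessCommandLine": "tasklist /v"},
    {"DeviceName": "srv03", "IsInitiatingProcessRemoteSession": True,
     "InitiatingProcessRemoteSessionIP": "198.51.100.7",
     "InitiatingProcessAccountSid": "S-1-5-21-1-2-3-2002",
     "InitiatingProcessFileName": "explorer.exe",
     "FileName": "notepad.exe", "ProcessCommandLine": "notepad.exe"},
    {"DeviceName": "srv01", "IsInitiatingProcessRemoteSession": False,
     "InitiatingProcessRemoteSessionIP": "",
     "InitiatingProcessAccountSid": "S-1-5-21-1-2-3-1001",
     "InitiatingProcessFileName": "services.exe",
     "FileName": "svchost.exe", "ProcessCommandLine": "svchost.exe -k netsvcs"},
]


def tamper_row(device: str, remote: Any, ip: str, data: str) -> dict:
    """Build a constructed DeviceRegistryEvents row for the DisableAntiSpyware value."""
    return {"DeviceName": device, "IsInitiatingProcessRemoteSession": remote,
            "InitiatingProcessRemoteSessionIP": ip, "RegistryKey": DEFENDER_POLICY_KEY,
            "RegistryValueName": "DisableAntiSpyware", "RegistryValueType": "Dword",
            "RegistryValueData": data}


REGISTRY_EVENTS = [
    tamper_row("srv01", True, "203.0.113.10", "1"),
    tamper_row("srv02", "True", "203.0.113.10", "1"),
    tamper_row("srv03", True, "203.0.113.10", "1"),
    tamper_row("srv04", False, "", "1"),             # local console change, not remote
    tamper_row("srv05", True, "198.51.100.7", "0"),  # remote, but re-enables protection
]


def processes_from_remote_ip(events: list, ip: str) -> list:
    """Query 1: every process created under an RDP session that originated from `ip`."""
    return [(e["DeviceName"], e["InitiatingProcessFileName"], e["FileName"], e["ProcessCommandLine"])
            for e in events
            if is_remote(e["IsInitiatingProcessRemoteSession"])
            and e["InitiatingProcessRemoteSessionIP"] == ip]


def remote_actions_by_account(events: list, sid: str) -> list:
    """Query 2: what a given account did while connected over RDP, on any device."""
    return [(e["DeviceName"], e["FileName"], e["ProcessCommandLine"])
            for e in events
            if e["InitiatingProcessAccountSid"] == sid
            and is_remote(e["IsInitiatingProcessRemoteSession"])]


def remote_defender_tampering(events: list, min_devices: int = 2) -> dict:
    """Query 3 plus cross-device aggregation.

    Returns {remote_ip: sorted device names} for every RDP source that set
    DisableAntiSpyware to 1 on at least `min_devices` distinct devices.
    """
    devices_by_ip = defaultdict(set)
    for e in events:
        if (is_remote(e["IsInitiatingProcessRemoteSession"])
                and e["RegistryKey"].lower() == DEFENDER_POLICY_KEY.lower()
                and e["RegistryValueName"] == "DisableAntiSpyware"
                and e["RegistryValueType"] == "Dword"
                and e["RegistryValueData"] == "1"):
            devices_by_ip[e["InitiatingProcessRemoteSessionIP"]].add(e["DeviceName"])
    return {ip: sorted(devs) for ip, devs in devices_by_ip.items() if len(devs) >= min_devices}


if __name__ == "__main__":
    print(processes_from_remote_ip(PROCESS_EVENTS, "203.0.113.10"))
    print(remote_actions_by_account(PROCESS_EVENTS, "S-1-5-21-1-2-3-1001"))
    print(remote_defender_tampering(REGISTRY_EVENTS))
```

Lowering `min_devices` to 1 turns the last function into a per-device alert; the default of 2 is the "numerous devices" signal the paragraph describes and is an assumption, not a Microsoft threshold.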
Comprehensive endpoint security
The ability to identify malicious use of RDP in Defender for Endpoint gives admins more granular visibility and control over detection, investigation, and hunting in unique edge cases, and helps them stay one step ahead of the evolving threat landscape.
For more information:
- Learn more about Advanced Hunting in Microsoft Defender XDR: Overview - Advanced hunting | Microsoft Learn
- Learn more about Defender for Endpoint: Microsoft Defender for Endpoint | Microsoft Security
- Not a Defender for Endpoint customer? Start a free trial today.
Researchers Uncover Flaws in Windows Smart App Control and SmartScreen
Exploited Vulnerability Could Impact 20k Internet-Exposed VMware ESXi Instances
Shadowserver has observed over 20,000 internet-accessible VMware ESXi instances impacted by an exploited vulnerability.
The post Exploited Vulnerability Could Impact 20k Internet-Exposed VMware ESXi Instances appeared first on SecurityWeek.
CISA Broke Into a US Federal Agency, No One Noticed For a Full 5 Months
Read more of this story at Slashdot.
DigiCert Revoking Certs With Less Than 24 Hours Notice
Read more of this story at Slashdot.
Onyx Sleet uses array of malware to gather intelligence for North Korea
On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. We will continue to closely monitor Onyx Sleet’s activity to assess changes following the indictment.
First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet’s ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors.
Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. In this blog, we will share intelligence about Onyx Sleet and its historical tradecraft and targets, as well as our analysis of recent malware campaigns, with the goal of enabling the broader community to identify and respond to similar campaigns. We also provide protection, detection, and hunting guidance to help improve defenses against these attacks.
Who is Onyx Sleet?
Onyx Sleet conducts cyber espionage primarily targeting military, defense, and technology industries, predominately in India, South Korea, and the United States. This threat actor has historically leveraged spear-phishing as a means of compromising target environments; however, in recent campaigns, they have mostly exploited N-day vulnerabilities, leveraging publicly available and custom exploits to gain initial access. In October 2023, Onyx Sleet exploited the TeamCity CVE-2023-42793 vulnerability as a part of a targeted attack. Exploiting this vulnerability enabled the threat actor to perform a remote code execution attack and gain administrative control of the server.
Onyx Sleet develops and uses a spectrum of tools that range from custom to open source. They have built an extensive set of custom remote access trojans (RATs) that they use in campaigns, and routinely developed new variants of these RATs to add new functionality and implement new ways of evading detection. Onyx Sleet often uses leased virtual private servers (VPS) and compromised cloud infrastructure for command-and-control (C2).
Onyx Sleet is tracked by other security companies as APT45, SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, and TDrop2.
Affiliations with other threat actors originating from North Korea
Onyx Sleet has demonstrated affiliations with other North Korean actors, indicating its integration with a broader network of North Korean cyber operations. Microsoft has observed an overlap between Onyx Sleet and Storm-0530. Both groups were observed operating within the same infrastructure and were involved in the development and use of ransomware in attacks in late 2021 and 2022.
Onyx Sleet targets
In pursuit of its primary goal of intelligence collection, Onyx Sleet has focused on targeting entities in the defense and energy industries, predominately in India, South Korea, and the United States. Recent attacks include the targeting of South Korean educational institutions, construction companies, and manufacturing organizations in May 2024. Onyx Sleet has also shown interest in taking advantage of online gambling websites, possibly for financial gain either on behalf of North Korea or for individual members of the group.
Onyx Sleet tradecraft
Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective. Onyx Sleet historically leveraged spear-phishing to compromise targets, and in more recent campaigns, they have been observed to primarily use exploits for initial access, alongside a loader, downloader, and backdoor as a part of its well-established attack chain.
Onyx Sleet nevertheless made some changes, for example, adding new C2 servers and hosting IPs, creating new malware, and launching multiple campaigns over time. In the past, Onyx Sleet introduced custom ransomware strains as a part of its campaigns. It also created and deployed the RAT identified by Kaspersky as Dtrack, which was observed in global attacks from September 2019 to January 2024. The Dtrack RAT follows the common attack chain used by Onyx Sleet and includes the exploitation of the Log4j 2 CVE-2021-44228 vulnerability for initial access and the use of payloads signed with an invalid certificate masquerading as legitimate software to evade detection.
Another example of Onyx Sleet introducing variations in the implementation of its attack chain is the campaign identified by AhnLab Security Intelligence Center (ASEC) in May 2024. In this campaign, the threat actor employed a previously unseen malware family dubbed as Dora RAT. Developed in the Go programming language, this custom malware strain targeted South Korean educational institutions, construction companies, and manufacturing organizations.
Onyx Sleet avoids common detection techniques across its attack lifecycle by heavily using custom encryption and obfuscation algorithms and launching as much of its code in memory as possible. These tools and techniques have been observed in several reported campaigns, including TDrop2.
Onyx Sleet has also used several off-the-shelf tools, including Sliver, remote monitoring and management (RMM) tools, SOCKS proxy tools, Ngrok, and masscan. We have also observed Onyx Sleet using commercial packers like Themida and VMProtect to obfuscate their malware. In January 2024, Microsoft Threat Intelligence identified a campaign attributed to Onyx Sleet that deployed a Sliver implant, an open-source C2 framework that supports multiple operators, listener types, and payload generation. Like the Dtrack RAT, this malware was signed with an invalid certificate impersonating Tableau software. Further analysis revealed that this Onyx Sleet campaign compromised multiple aerospace and defense organizations from October 2023 to June 2024.
Apart from the previously mentioned Log4j 2 vulnerability, Onyx Sleet has exploited other publicly disclosed (N-day) vulnerabilities to gain access to target environments. Some vulnerabilities recently exploited by Onyx Sleet include:
- CVE-2023-46604 (Apache ActiveMQ)
- CVE-2023-22515 (Confluence)
- CVE-2023-27350 (PaperCut)
- CVE-2023-42793 (TeamCity)
In addition to these well-known and disclosed vulnerabilities, Onyx Sleet has used custom exploit capabilities in campaigns targeting users mostly in South Korea. In these campaigns, Onyx Sleet exploited vulnerabilities in a remote desktop/management application, a data loss prevention application, a network access control system, and an endpoint detection and response (EDR) product.
Recent malware campaigns
In December 2023, South Korean authorities attributed attacks that stole over 1.2 TB of data from targeted South Korean defense contractors using custom malware to Andariel. Microsoft has attributed several custom malware families used in the said attacks – TigerRAT, SmallTiger, LightHand, and ValidAlpha – to Onyx Sleet.
TigerRAT
Since 2020, Onyx Sleet has been observed using the custom RAT malware TigerRAT. In some campaigns using TigerRAT, Onyx Sleet exploited vulnerabilities in Log4j 2 to deliver and install the malware. When launched, this malware can steal confidential information and carry out commands, such as keylogging and screen recording, from the C2.
SmallTiger
In February 2024, ASEC identified SmallTiger, a new malware strain targeting South Korean defense and manufacturing organizations. During the process of lateral movement, this malware is delivered as a DLL file (SmallTiger[.]dll) and uses a C2 connection to download and launch the payload into memory. Microsoft researchers have determined that SmallTiger is a C++ backdoor with layered obfuscation, encountered in the wild as a Themida or VMProtect packed executable.
The SmallTiger campaign can be tied back to a campaign using a similar attack chain beginning in November 2023 that delivered the DurianBeacon RAT malware. In May 2024, Microsoft observed Onyx Sleet continuing to conduct attacks targeting South Korean defense organizations using SmallTiger.
LightHand
LightHand is a custom, lightweight backdoor used by Onyx Sleet for remote access of target devices. Via LightHand, Onyx Sleet can execute arbitrary commands through command shell (cmd.exe), get system storage information, perform directory listing, and create/delete files on the target device.
ValidAlpha (BlackRAT)
ValidAlpha (also known as BlackRAT) is a custom backdoor developed in the Go programming language and used by Onyx Sleet to target organizations globally in the energy, defense, and engineering sectors since at least 2023. ValidAlpha can run an arbitrary file, list contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands.
Samples of ValidAlpha analyzed by Microsoft had a unique PDB string: I:/01___Tools/02__RAT/Black/Client_Go/Client.go
Recommendations
Microsoft recommends the following mitigations to defend against attacks by Onyx Sleet:
- Keep software up to date. Apply new security patches as soon as possible.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enable network protection to help prevent access to malicious domains.
- Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
- Configure investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to help resolve breaches, significantly reducing alert volume.
Microsoft Defender customers can turn on attack surface reduction rules to help prevent common attack techniques used by Onyx Sleet:
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block execution of potentially obfuscated scripts
- Block JavaScript or VBScript from launching downloaded, executable content
Detection details
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware families:
- CertutilPE
- Dora
- LightHand
- SmallTiger
- TigerCrypt
- TigerRAT
- ValidAlpha
Microsoft Defender for Endpoint
The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:
- Onyx Sleet activity group
The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:
- Document contains macro to download a file
Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:
- CVE-2023-42793 (TeamCity)
- CVE-2023-27350 (PaperCut)
- CVE-2021-44228 (Log4j 2)
Microsoft Defender Threat Intelligence
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
- Tool Profile: Dtrack
- Onyx Sleet targeting defense firm in the Middle East
- Onyx Sleet targets electrical equipment manufacturer in India
- Onyx Sleet exploits vulnerable VMWare Horizon servers
- Onyx Sleet using Sliver remote access trojan in attacks on aerospace and defense
- Same Targets, new playbooks: East Asia threat actors employ unique methods
Microsoft Sentinel queries
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
Use this query to assess the existence of vulnerabilities used by Onyx Sleet:
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2021-44228", "CVE-2023-27350", "CVE-2023-42793")
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, VulnerabilitySeverityLevel, PublishedDate, VulnerabilityDescription, AffectedSoftware
) on CveId
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate, VulnerabilityDescription, AffectedSoftware
Use this query to detect associated network IOCs:
let remoteip = dynamic(["84.38.134.56", "45.155.37.101", "213.139.205.151", "109.248.150.147", "162.19.71.175", "147.78.149.201"]);
let remoteurl = dynamic(["americajobmail.site", "privatemake.bounceme.net", "ww3c.bounceme.net", "advice.uphearth.com", "http://84.38.134.56/procdump.gif"]);
DeviceNetworkEvents
| where RemoteIP in (remoteip) or RemoteUrl in (remoteurl) // membership test against the dynamic arrays; == would compare a string column with a whole array
| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort, RemoteIP, RemoteIPType, RemotePort, RemoteUrl
Use this query to detect associated file IOCs:
let selectedTimestamp = datetime(2024-07-17T00:00:00.0000000Z);
let fileName = "SmallTiger.dll";
let FileSHA256 = dynamic([
    "f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
    "0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207",
    "29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3",
    "fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32",
    "868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf",
    "f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5",
    "1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1",
    "3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061",
    "8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f",
    "7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b"
]);
let SignerName = "INVALID:Tableau Software Inc.";
let Signerhash = "6624c7b8faac176d1c1cb10b03e7ee58a4853f91";
let certificateserialnumber = "76cb5d1e6c2b6895428115705d9ac765";
search in (AlertEvidence, BehaviorEntities, CommonSecurityLog, DeviceBaselineComplianceProfiles, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceFileCertificateInfo, DynamicEventCollection, EmailAttachmentInfo, OfficeActivity, SecurityEvent, ThreatIntelligenceIndicator)
    TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // window runs from one minute before selectedTimestamp (July 17) to 90 days after it; change the date accordingly
    and (
        FileName == fileName
        or OldFileName == fileName
        or ProfileName == fileName
        or InitiatingProcessFileName == fileName
        or InitiatingProcessParentFileName == fileName
        or InitiatingProcessVersionInfoInternalFileName == fileName
        or InitiatingProcessVersionInfoOriginalFileName == fileName
        or PreviousFileName == fileName
        or ProcessVersionInfoInternalFileName == fileName
        or ProcessVersionInfoOriginalFileName == fileName
        or DestinationFileName == fileName
        or SourceFileName == fileName
        or ServiceFileName == fileName
        or SHA256 in (FileSHA256)
        or InitiatingProcessSHA256 in (FileSHA256)
        or Signer == SignerName
        or SignerHash == Signerhash
        or CertificateSerialNumber == certificateserialnumber
    )
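The network-IOC and file-IOC hunts above reduce to the same two steps, refang the published indicators and test membership, so here is one added Python example (not Microsoft's Sentinel content) that does both over constructed telemetry rows shaped like DeviceNetworkEvents and DeviceFileCertificateInfo. The indicators are the ones listed on this page (a subset of the hashes); the device names, the benign remote hosts and the file names in the rows are made up. It also normalises case and stray whitespace on hashes, which a plain `in` against a copied list would not.

```python
"""Match the Onyx Sleet indicators against sample telemetry (added example, not Microsoft's code).

Indicators are those published on the page; event rows are constructed and only
mimic the DeviceNetworkEvents / DeviceFileCertificateInfo column names.
"""
from urllib.parse import urlparse

DEFANGED_IOCS = {
    "ip": ["84.38.134[.]56", "45.155.37[.]101", "213.139.205[.]151",
           "109.248.150[.]147", "162.19.71[.]175", "147.78.149[.]201"],
    "domain": ["americajobmail[.]site", "privatemake.bounceme[.]net",
               "ww3c.bounceme[.]net", "advice.uphearth[.]com"],
    "url": ["hxxp://84.38.134[.]56/procdump.gif"],
    "sha256": [  # TigerRAT and LightHand samples from the IOC list above
        "f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
        "0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207",
        "f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5",
    ],
}
FAKE_TABLEAU_CERT = {  # column name -> indicator value from the page
    "Signer": "INVALID:Tableau Software Inc.",
    "SignerHash": "6624c7b8faac176d1c1cb10b03e7ee58a4853f91",
    "CertificateSerialNumber": "76cb5d1e6c2b6895428115705d9ac765",
}


def refang(indicator: str) -> str:
    """Undo the defanging used in published IOC lists ("[.]" and "hxxp")."""
    return (indicator.replace("[.]", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def build_sets(defanged: dict) -> dict:
    """Refang, trim and lower-case every indicator so matching is a set lookup."""
    return {kind: {refang(v).strip().lower() for v in values} for kind, values in defanged.items()}


IOCS = build_sets(DEFANGED_IOCS)


def host_of(remote_url: str) -> str:
    """RemoteUrl may be a bare host name or a full URL; return the host either way."""
    if not remote_url:
        return ""
    parsed = urlparse(remote_url if "://" in remote_url else "//" + remote_url)
    return (parsed.hostname or "").lower()


def match_network_event(event: dict) -> list:
    """Return the sorted indicator kinds a DeviceNetworkEvents-like row matches."""
    hits = set()
    remote_ip = (event.get("RemoteIP") or "").strip()
    url = (event.get("RemoteUrl") or "").strip().lower()
    host = host_of(url)
    if remote_ip in IOCS["ip"] or host in IOCS["ip"]:
        hits.add("ip")
    if host in IOCS["domain"]:
        hits.add("domain")
    if url in IOCS["url"]:
        hits.add("url")
    return sorted(hits)


def match_file_event(event: dict) -> list:
    """Return the sorted indicator kinds a file/certificate row matches."""
    hits = set()
    sha = (event.get("SHA256") or "").strip().lower()  # tolerate case and stray whitespace
    if sha in IOCS["sha256"]:
        hits.add("sha256")
    for column, bad_value in FAKE_TABLEAU_CERT.items():
        if (event.get(column) or "").strip().lower() == bad_value.lower():
            hits.add(column.lower())
    return sorted(hits)


# Constructed sample rows: two true positives of each kind plus benign noise.
NETWORK_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "84.38.134.56", "RemotePort": 80,
     "RemoteUrl": "http://84.38.134.56/procdump.gif"},
    {"DeviceName": "ws02", "RemoteIP": "198.51.100.20", "RemotePort": 443,
     "RemoteUrl": "AmericaJobMail.site"},
    {"DeviceName": "ws03", "RemoteIP": "192.0.2.10", "RemotePort": 443,
     "RemoteUrl": "example.org"},
]
FILE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "update.bin",
     "SHA256": "F32F6B229913D68DAAD937CC72A57AA45291A9D623109ED48938815AA7B6005C "},
    {"DeviceName": "ws02", "FileName": "sample.exe", "SHA256": "0" * 64,
     "Signer": "INVALID:Tableau Software Inc.",
     "SignerHash": "6624c7b8faac176d1c1cb10b03e7ee58a4853f91"},
    {"DeviceName": "ws03", "FileName": "notepad.exe", "SHA256": "1" * 64,
     "Signer": "Microsoft Windows"},
]


def scan(network_events: list, file_events: list) -> list:
    """Run both matchers and return (device, source, hits) for every row with a hit."""
    findings = []
    for e in network_events:
        if (hits := match_network_event(e)):
            findings.append((e["DeviceName"], "network", hits))
    for e in file_events:
        if (hits := match_file_event(e)):
            findings.append((e["DeviceName"], "file", hits))
    return findings


if __name__ == "__main__":
    for finding in scan(NETWORK_EVENTS, FILE_EVENTS):
        print(finding)
```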
Indicators of compromise
IP addresses
- 84.38.134[.]56
- 45.155.37[.]101
- 213.139.205[.]151
- 109.248.150[.]147
- 162.19.71[.]175
- 147.78.149[.]201
URL
- hxxp://84.38.134[.]56/procdump.gif
Actor-controlled domain
- americajobmail[.]site
- privatemake.bounceme[.]net
- ww3c.bounceme[.]net
- advice.uphearth[.]com
SHA-256
- TigerRAT
- f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c
- 0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207
- 29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3
- fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32
- 868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf
- LightHand
- f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5
- 1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1
- 3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061
- 8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f
- 7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b
- ValidAlpha
- c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c
- c1a09024504a5ec422cbea68e17dffc46472d3c2d73f83aa0741a89528a45cd1
Fake Tableau certificate
- Signer: INVALID:Tableau Software Inc.
- SignerHash: 6624c7b8faac176d1c1cb10b03e7ee58a4853f91
- CertificateSerialNumber: 76cb5d1e6c2b6895428115705d9ac765
References
- https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
- https://asec.ahnlab.com/en/66088/
- https://www.helpnetsecurity.com/2013/07/08/dissecting-operation-troy-cyberespionage-in-south-korea/
- https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/
- https://securelist.com/my-name-is-dtrack/93338/
- https://www.virustotal.com/gui/file/96118268f9ab475860c3ae3edf00d9ee944d6440fd60a1673f770d150bfb16d3/details
- https://www.reuters.com/technology/cybersecurity/north-korea-hackers-may-have-stolen-data-laser-weapon-police-2023-12-06/
- https://asec.ahnlab.com/en/56405/
- https://blog.talosintelligence.com/lazarus-magicrat/
- https://asec.ahnlab.com/ko/65918/
- https://www.boho.or.kr/en/bbs/view.do?searchCnd=&bbsId=B0001041&searchWrd=&menuNo=205083&pageIndex=1&categoryCode=&nttId=36276
Learn more
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.
The post Onyx Sleet uses array of malware to gather intelligence for North Korea appeared first on Microsoft Security Blog.
Windows Security best practices for integrating and managing security tools
Windows is an open and flexible platform used by many of the world’s top businesses for high availability use cases where security and availability are non-negotiable.
To meet those needs:
- Windows provides a range of operating modes that customers can choose from. This includes the ability to limit what can run to only approved software and drivers. This can increase security and reliability by making Windows operate in a mode closer to mobile phones or appliances.
- Customers can choose integrated security monitoring and detection capabilities that are included with Windows. Or they can choose to replace or supplement this security with a wide variety of choices from a vibrant open ecosystem of vendors.
In this blog post, we examine the recent CrowdStrike outage and provide a technical overview of the root cause. We also explain why security products use kernel-mode drivers today and the safety measures Windows provides for third-party solutions. In addition, we share how customers and security vendors can better leverage the integrated security capabilities of Windows for increased security and reliability. Lastly, we provide a look into how Windows will enhance extensibility for future security products.
CrowdStrike recently published a Preliminary Post Incident Review analyzing their outage. In their blog post, CrowdStrike describes the root cause as a memory safety issue—specifically a read out-of-bounds access violation in the CSagent driver. We leverage the Microsoft WinDBG Kernel Debugger and several extensions that are available free to anyone to perform this analysis. Customers with crash dumps can reproduce our steps with these tools.
Based on Microsoft’s analysis of the Windows Error Reporting (WER) kernel crash dumps related to the incident, we observe global crash patterns that reflect this:
FAULTING_THREAD: ffffe402fe868040
READ_ADDRESS: ffff840500000074 Paged pool
MM_INTERNAL_CODE: 2
IMAGE_NAME: csagent.sys
MODULE_NAME: csagent
FAULTING_MODULE: fffff80671430000 csagent
PROCESS_NAME: System
TRAP_FRAME: ffff94058305ec20 -- (.trap 0xffff94058305ec20)
.trap 0xffff94058305ec20
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff94058305f200 rbx=0000000000000000 rcx=0000000000000003
rdx=ffff94058305f1d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806715114ed rsp=ffff94058305edb0 rbp=ffff94058305eeb0
 r8=ffff840500000074  r9=0000000000000000 r10=0000000000000000
r11=0000000000000014 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
csagent+0xe14ed:
fffff806`715114ed 458b08          mov     r9d,dword ptr [r8] ds:ffff8405`00000074=????????
.trap
Resetting default scope
STACK_TEXT:
ffff9405`8305e9f8 fffff806`5388c1e4 : 00000000`00000050 ffff8405`00000074 00000000`00000000 ffff9405`8305ec20 : nt!KeBugCheckEx
ffff9405`8305ea00 fffff806`53662d8c : 00000000`00000000 00000000`00000000 00000000`00000000 ffff8405`00000074 : nt!MiSystemFault+0x1fcf94
ffff9405`8305eb00 fffff806`53827529 : ffffffff`00000030 ffff8405`af8351a2 ffff9405`8305f020 ffff9405`8305f020 : nt!MmAccessFault+0x29c
ffff9405`8305ec20 fffff806`715114ed : 00000000`00000000 ffff9405`8305eeb0 ffff8405`b0bcd00c ffff8405`b0bc505c : nt!KiPageFault+0x369
ffff9405`8305edb0 fffff806`714e709e : 00000000`00000000 00000000`e01f008d ffff9405`8305f102 fffff806`716baaf8 : csagent+0xe14ed
ffff9405`8305ef50 fffff806`714e8335 : 00000000`00000000 00000000`00000010 00000000`00000002 ffff8405`b0bc501c : csagent+0xb709e
ffff9405`8305f080 fffff806`717220c7 : 00000000`00000000 00000000`00000000 ffff9405`8305f382 00000000`00000000 : csagent+0xb8335
ffff9405`8305f1b0 fffff806`7171ec44 : ffff9405`8305f668 fffff806`53eac2b0 ffff8405`afad4ac0 00000000`00000003 : csagent+0x2f20c7
ffff9405`8305f430 fffff806`71497a31 : 00000000`0000303b ffff9405`8305f6f0 ffff8405`afb1d140 ffffe402`ff251098 : csagent+0x2eec44
ffff9405`8305f5f0 fffff806`71496aee : ffff8405`afb1d140 fffff806`71541e7e 00000000`000067a0 fffff806`7168f8f0 : csagent+0x67a31
ffff9405`8305f760 fffff806`7149685b : ffff9405`8305f9d8 ffff8405`afb1d230 ffff8405`afb1d140 ffffe402`fe8644f8 : csagent+0x66aee
ffff9405`8305f7d0 fffff806`715399ea : 00000000`4a8415aa ffff8eee`1c68ca4f 00000000`00000000 ffff8405`9e95fc30 : csagent+0x6685b
ffff9405`8305f850 fffff806`7148efbb : 00000000`00000000 ffff9405`8305fa59 ffffe402`fe864050 ffffe402`fede62c0 : csagent+0x1099ea
ffff9405`8305f980 fffff806`7148edd7 : ffffffff`ffffffa1 fffff806`7152e5c1 ffffe402`fe864050 00000000`00000001 : csagent+0x5efbb
ffff9405`8305fac0 fffff806`7152e681 : 00000000`00000000 fffff806`53789272 00000000`00000002 ffffe402`fede62c0 : csagent+0x5edd7
ffff9405`8305faf0 fffff806`53707287 : ffffe402`fe868040 00000000`00000080 fffff806`7152e510 006fe47f`b19bbdff : csagent+0xfe681
ffff9405`8305fb30 fffff806`5381b8e4 : ffff9680`37651180 ffffe402`fe868040 fffff806`53707230 00000000`00000000 : nt!PspSystemThreadStartup+0x57
ffff9405`8305fb80 00000000`00000000 : ffff9405`83060000 ffff9405`83059000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x34
Digging further into this crash dump, we can restore the trap frame at the time of the access violation to learn more about its origin. With WER data we receive only a compressed version of the machine state, so we cannot disassemble far backwards to see a larger window of instructions before the crash, but the disassembly that is available shows a check for NULL (test r8,r8 followed by je) before the read at the address held in the R8 register. That check is not sufficient here: R8 holds ffff8405`00000074, which is non-NULL but, as the !pte output shows, is not backed by a valid page, so the NULL test passes and the mov r9d,dword ptr [r8] faults:
6: kd> .trap 0xffff94058305ec20
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff94058305f200 rbx=0000000000000000 rcx=0000000000000003
rdx=ffff94058305f1d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806715114ed rsp=ffff94058305edb0 rbp=ffff94058305eeb0
 r8=ffff840500000074  r9=0000000000000000 r10=0000000000000000
r11=0000000000000014 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
csagent+0xe14ed:
fffff806`715114ed 458b08          mov     r9d,dword ptr [r8] ds:ffff8405`00000074=????????

6: kd> !pte ffff840500000074
                                           VA ffff840500000074
PXE at FFFFABD5EAF57840    PPE at FFFFABD5EAF080A0    PDE at FFFFABD5E1014000    PTE at FFFFABC202800000
contains 0A00000277200863  contains 0000000000000000
pfn 277200    ---DA--KWEV  contains 0000000000000000
not valid

6: kd> ub fffff806`715114ed
csagent+0xe14d9:
fffff806`715114d9 04d8            add     al,0D8h
fffff806`715114db 750b            jne     csagent+0xe14e8 (fffff806`715114e8)
fffff806`715114dd 4d85c0          test    r8,r8
fffff806`715114e0 7412            je      csagent+0xe14f4 (fffff806`715114f4)
fffff806`715114e2 450fb708        movzx   r9d,word ptr [r8]
fffff806`715114e6 eb08            jmp     csagent+0xe14f0 (fffff806`715114f0)
fffff806`715114e8 4d85c0          test    r8,r8
fffff806`715114eb 7407            je      csagent+0xe14f4 (fffff806`715114f4)

6: kd> ub fffff806`715114d9
                   ^ Unable to find valid previous instruction for 'ub fffff806`715114d9'

6: kd> u fffff806`715114eb
csagent+0xe14eb:
fffff806`715114eb 7407            je      csagent+0xe14f4 (fffff806`715114f4)
fffff806`715114ed 458b08          mov     r9d,dword ptr [r8]
fffff806`715114f0 4d8b5008        mov     r10,qword ptr [r8+8]
fffff806`715114f4 4d8bc2          mov     r8,r10
fffff806`715114f7 488d4d90        lea     rcx,[rbp-70h]
fffff806`715114fb 488bd6          mov     rdx,rsi
fffff806`715114fe e8212c0000      call    csagent+0xe4124 (fffff806`71514124)
fffff806`71511503 4533d2          xor     r10d,r10d

6: kd> db ffff840500000074
ffff8405`00000074  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`00000084  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`00000094  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000a4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000b4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000c4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000d4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000e4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
Our observations confirm CrowdStrike's analysis that this was a read-out-of-bounds memory safety error in the CrowdStrike-developed csagent.sys driver.
We can also see that the csagent.sys module is registered as a file system filter driver (load-order group FSFilter Activity Monitor, depending on FltMgr), a model commonly used by anti-malware agents to receive notifications about file operations such as the creation or modification of a file. Security products often use this to scan any new file saved to disk, for example a file downloaded via the browser.
File system filters can also be used as a signal for security solutions attempting to monitor the behavior of the system. CrowdStrike noted in their blog that part of their content update changed the sensor's logic relating to data around named pipe creation. The file system filter driver API allows the driver to receive a call when named pipe activity (e.g., named pipe creation) occurs on the system, which can enable the detection of malicious behavior. The general function of the driver correlates with the information shared by CrowdStrike.
6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csagent

Hive         ffff84059ca7b000
KeyNode      ffff8405a6f67f9c

[SubKeyAddr]         [SubKeyName]
ffff8405a6f683ac     Instances
ffff8405a6f6854c     Sim

 Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details

[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          2
REG_DWORD           Start                         1
REG_DWORD           ErrorControl                  1
REG_EXPAND_SZ       ImagePath                     \??\C:\Windows\system32\drivers\CrowdStrike\csagent.sys
REG_SZ              DisplayName                   CrowdStrike Falcon
REG_SZ              Group                         FSFilter Activity Monitor
REG_MULTI_SZ        DependOnService               FltMgr\0
REG_SZ              CNFG                          Config.sys
REG_DWORD           SupportedFeatures             f
We can also see that Channel File 291, the control channel file identified in CrowdStrike's analysis (C-00000291-00000000-00000032.sys on this system), is present in the crash dump as an open file with a mapped control area, indicating the file had been read.
Determining how the file itself correlates to the access violation observed in the crash dump would require additional debugging of the driver using these tools but is outside of the scope of this blog post.
!ca ffffde8a870a8290

ControlArea  @ ffffde8a870a8290
  Segment      ffff880ce0689c10  Flink      ffffde8a87267718  Blink        ffffde8a870a7d98
  Section Ref                 0  Pfn Ref                   b  Mapped Views                0
  User Ref                    0  WaitForDel                0  Flush Count                 0
  File Object  ffffde8a879b29a0  ModWriteCount             0  System Views                0
  WritableRefs                0  PartitionId               0
  Flags (8008080) File WasPurged OnUnusedList

      \Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000032.sys

1: kd> !ntfskd.ccb ffff880ce06f6970

   Ccb: ffff880c`e06f6970
   Flags: 00008003  Cleanup OpenAsFile IgnoreCase
   Flags2: 00000841  OpenComplete AccessAffectsOplocks SegmentObjectReferenced
   Type: UserFileOpen
   FileObj: ffffde8a879b29a0
   (018) ffff880c`db937370 FullFileName [\Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000032.sys]
   (020) 000000000000004C LastFileNameOffset
   (022) 0000000000000000 EaModificationCount
   (024) 0000000000000000 NextEaOffset
   (048) FFFF880CE06F69F8 Lcb
   (058) 0000000000000002 TypeOfOpen
We can also use the crash dump to determine which other CrowdStrike-supplied drivers were present on the system at the time of the crash, from both the loaded and unloaded module lists and the registered services.
6: kd> lmDvmCSFirmwareAnalysis
start             end                 module name
fffff806`58920000 fffff806`5893c000   CSFirmwareAnalysis   (deferred)
    Image path: \SystemRoot\system32\DRIVERS\CSFirmwareAnalysis.sys
    Image name: CSFirmwareAnalysis.sys
    Timestamp:        Mon Mar 18 11:32:14 2024 (65F888AE)
    CheckSum:         0002020E
    ImageSize:        0001C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

6: kd> lmDvmcspcm4
start             end                 module name
fffff806`71870000 fffff806`7187d000   cspcm4     (deferred)
    Image path: \??\C:\Windows\system32\drivers\CrowdStrike\cspcm4.sys
    Image name: cspcm4.sys
    Timestamp:        Mon Jul  8 18:33:22 2024 (668C9362)
    CheckSum:         00012F69
    ImageSize:        0000D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

6: kd> lmDvmcsboot.sys
start             end                 module name
Unloaded modules:
fffff806`587d0000 fffff806`587dc000   CSBoot.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize: 0000C000

6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csboot

Hive         ffff84059ca7b000
KeyNode      ffff8405a6f68924

[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          1
REG_DWORD           Start                         0
REG_DWORD           ErrorControl                  1
REG_EXPAND_SZ       ImagePath                     system32\drivers\CrowdStrike\CSBoot.sys
REG_SZ              DisplayName                   CrowdStrike Falcon Sensor Boot Driver
REG_SZ              Group                         Early-Launch

6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csdevicecontrol

Hive         ffff84059ca7b000
KeyNode      ffff8405a6f694ac

[SubKeyAddr]         [VolatileSubKeyName]
ffff84059ce196c4     Enum

 Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details

[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          1
REG_DWORD           Start                         3
REG_DWORD           ErrorControl                  1
REG_DWORD           Tag                           1f
REG_EXPAND_SZ       ImagePath                     \SystemRoot\System32\drivers\CSDeviceControl.sys
REG_SZ              DisplayName                   @oem40.inf,%DeviceControl.SVCDESC%;CrowdStrike Device Control Service
REG_SZ              Group                         Base
REG_MULTI_SZ        Owners                        oem40.inf\0!csdevicecontrol.inf_amd64_b6725a84d4688d5a\0!csdevicecontrol.inf_amd64_016e965488e83578\0
REG_DWORD           BootFlags                     14

6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csfirmwareanalysis

Hive         ffff84059ca7b000
KeyNode      ffff8405a6f69d9c

[SubKeyAddr]         [VolatileSubKeyName]
ffff84059ce197cc     Enum

 Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details

[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          1
REG_DWORD           Start                         0
REG_DWORD           ErrorControl                  1
REG_DWORD           Tag                           6
REG_EXPAND_SZ       ImagePath                     system32\DRIVERS\CSFirmwareAnalysis.sys
REG_SZ              DisplayName                   @oem43.inf,%FirmwareAnalysis.SVCDESC%;CrowdStrike Firmware Analysis Service
REG_SZ              Group                         Boot Bus Extender
REG_MULTI_SZ        Owners                        oem43.inf\0!csfirmwareanalysis.inf_amd64_12861fc608fb1440\0

6: kd> !reg querykey \REGISTRY\MACHINE\system\Controlset001\control\earlylaunch
As we can see from the above analysis, CrowdStrike loads four driver modules on this system: csagent (the file system filter), CSFirmwareAnalysis, cspcm4 and CSBoot. CSBoot appears under "Unloaded modules" because it is registered in the Early-Launch group and, like other ELAM drivers, is unloaded by the kernel once boot-start driver initialization has completed; CSDeviceControl is registered as a demand-start (Start 3) service. One of these modules receives dynamic control and content updates frequently, according to the timeline in CrowdStrike's Preliminary Post Incident Review.
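The registry queries above (the csagent service key with its FSFilter group and FltMgr dependency, and the CSBoot, CSDeviceControl and CSFirmwareAnalysis keys) can be reproduced on a live machine without a crash dump. The following PowerShell is an added example, not code from the Microsoft post or from CrowdStrike: it walks the Services tree for kernel and file-system driver services, reports the same Type, Start, Group and ImagePath fields, flags the FSFilter load-order groups used by minifilters and the Early-Launch group used by ELAM drivers, and checks each image's Authenticode signer. The function name and output field names are this example's own; the registry layout and value meanings are Windows'.

```powershell
# Added example, not code from the Microsoft post or from CrowdStrike: inventory kernel and
# file-system driver services from the live registry, mirroring the fields the debugger
# showed above (Type, Start, Group, ImagePath), and flag minifilter and ELAM load groups.
# Run from an elevated prompt so every driver image is readable for the signature check.

function Get-KernelDriverInventory {
    [CmdletBinding()]
    param(
        # Wildcard matched against the service name, DisplayName or ImagePath ('*' = all)
        [string]$Filter = '*'
    )

    $startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

    # One WMI query up front instead of one per service; Win32_SystemDriver.Name is the service name
    $loaded = @(Get-CimInstance Win32_SystemDriver |
                Where-Object State -eq 'Running' |
                Select-Object -ExpandProperty Name)

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER (what csagent registers as)
        if ($p.Type -notin 1, 2) { return }

        $name = $_.PSChildName
        $hit  = ($name -like $Filter) -or ("$($p.DisplayName)" -like $Filter) -or ("$($p.ImagePath)" -like $Filter)
        if (-not $hit) { return }

        # Normalise the ImagePath spellings seen above: \??\C:\..., \SystemRoot\..., system32\...
        $image = "$($p.ImagePath)" -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($image -and -not [IO.Path]::IsPathRooted($image)) { $image = Join-Path $env:SystemRoot $image }

        $sig = if ($image -and (Test-Path -LiteralPath $image)) { Get-AuthenticodeSignature -FilePath $image } else { $null }

        [pscustomobject]@{
            Service    = $name
            Display    = $p.DisplayName
            Kind       = if ($p.Type -eq 2) { 'FileSystem' } else { 'Kernel' }
            Start      = if ($null -ne $p.Start) { $startTypes[[int]$p.Start] } else { $null }
            Group      = $p.Group
            IsFsFilter = "$($p.Group)" -like 'FSFilter*'     # minifilter load-order groups (e.g. FSFilter Activity Monitor)
            IsElam     = "$($p.Group)" -eq 'Early-Launch'    # Early Launch Antimalware drivers (e.g. CSBoot)
            Loaded     = $loaded -contains $name
            Signer     = if ($sig) { $sig.SignerCertificate.Subject } else { '<image not found>' }
            SigStatus  = if ($sig) { $sig.Status } else { $null }
            ImagePath  = $image
        }
    }
}

# Usage: one vendor's drivers, then every filter or ELAM driver on the box regardless of vendor
Get-KernelDriverInventory -Filter '*CrowdStrike*' |
    Format-Table Service, Kind, Start, Group, IsElam, Loaded, SigStatus -AutoSize
Get-KernelDriverInventory | Where-Object { $_.IsFsFilter -or $_.IsElam } |
    Format-Table Service, Display, Group, Signer -AutoSize
```

An ELAM driver will normally show Loaded = False on a running system for the reason given above (it is unloaded after boot), so a Start = Boot, Group = Early-Launch entry that is not loaded is the expected state, not a sign that the driver failed.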
We can leverage the unique stack and attributes of this crash to identify the Windows crash reports generated by this specific CrowdStrike programming error. It’s worth noting the number of devices which generated crash reports is a subset of the number of impacted devices previously shared by Microsoft in our blog post, because crash reports are sampled and collected only from customers who choose to upload their crashes to Microsoft. Customers who choose to enable crash dump sharing help both driver vendors and Microsoft to identify and remediate quality issues and crashes.
We make this information available to driver owners so they can assess their own reliability via the Hardware Dev Center analytics dashboard. As we can see from the above, any reliability problem like this invalid memory access issue can lead to widespread availability issues when not combined with safe deployment practices. Let’s dig into why security solutions leverage kernel drivers on Windows.
Why do security solutions leverage kernel drivers?
Many security vendors such as CrowdStrike and Microsoft leverage a kernel driver architecture and there are several reasons for this.
Visibility and enforcement of security related events
Kernel drivers allow for system-wide visibility, and the capability to load in early boot to detect threats like bootkits and rootkits which can load before user-mode applications. In addition, Microsoft provides a rich set of capabilities such as system event callbacks for process and thread creation and filter drivers which can watch for events like file creation, deletion, or modification. Kernel activity can also trigger callbacks that let drivers decide whether to block activities like file or process creation. Many vendors also use drivers to collect a variety of network information in the kernel using the NDIS driver class.
Performance
Kernel drivers are often utilized by security vendors for potential performance benefits. For example, analysis or data collection for high throughput network activity may benefit from a kernel driver. There are many scenarios where data collection and analysis can be optimized for operation outside of kernel mode and Microsoft continues to partner with the ecosystem to improve performance and provide best practices to achieve parity outside of kernel mode.
Tamper resistance
Another benefit of loading into kernel mode is tamper resistance. Security products want to ensure that their software cannot be disabled by malware, targeted attacks, or malicious insiders, even when those attackers have admin-level privileges. They also want to ensure that their drivers load as early as possible so that they can observe system events at the earliest possible time. Windows provides a mechanism to launch drivers marked as Early Launch Antimalware (ELAM) early in the boot process for this reason. The CSBoot driver shown above is registered in the Early-Launch group and carries ELAM signing, enabling it to load early in the boot sequence.
In the general case, there is a tradeoff that security vendors must rationalize when it comes to kernel drivers. Kernel drivers provide the above properties at the cost of resilience. Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode.
All code operating at kernel level requires extensive validation because it cannot fail and restart like a normal user application. This is universal across all operating systems. Internally at Microsoft, we have invested in moving complex Windows core services from kernel to user mode, such as font file parsing.
It is possible today for security tools to balance security and reliability. For example, security vendors can use minimal sensors that run in kernel mode for data collection and enforcement, limiting exposure to availability issues. The remainder of the key product functionality, including managing updates, parsing content, and other operations, can run isolated in user mode where recovery is possible. This is the best practice of minimizing kernel usage while still maintaining a robust security posture and strong visibility.
Windows provides several user-mode protection approaches for anti-tampering, like Virtualization-based security (VBS) enclaves and Protected Processes, that vendors can use to protect their key security processes. Windows also provides ETW events and user-mode interfaces like the Antimalware Scan Interface (AMSI) for event visibility. These mechanisms can be used to reduce the amount of kernel code needed to create a security solution, which balances security and robustness.
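The ETW route is concrete enough to show. The following PowerShell is an added example, not code from the Microsoft post or from any vendor: it records process-creation events from Windows' own Microsoft-Windows-Kernel-Process provider and reads them back, which gives a user-mode component the process-start visibility that a PsSetCreateProcessNotifyRoutine callback would otherwise require a kernel driver for. The session name, output path and function names are this example's own; the provider name, the keyword value and the event ID are Windows'.

```powershell
# Added example, not code from the Microsoft post or from any vendor: process-start visibility
# from user mode via ETW, using Windows' own Microsoft-Windows-Kernel-Process provider.
# Keyword 0x10 (WINEVENT_KEYWORD_PROCESS) selects process events; event ID 1 is ProcessStart.
# Session and function names are this example's own. Run elevated: logman -ets controls a live trace.

function Start-ProcessTrace {
    param(
        [string]$Session = 'UserModeProcMon',
        [string]$EtlPath = (Join-Path $env:TEMP 'UserModeProcMon.etl')
    )
    logman create trace $Session -p 'Microsoft-Windows-Kernel-Process' 0x10 -o $EtlPath -ets | Out-Null
    return $EtlPath
}

function Stop-ProcessTrace {
    param([string]$Session = 'UserModeProcMon')
    logman stop $Session -ets | Out-Null
}

function Get-ProcessStartEvents {
    param([Parameter(Mandatory)][string]$EtlPath)
    Get-WinEvent -Path $EtlPath -Oldest | Where-Object { $_.Id -eq 1 } | ForEach-Object {
        # Read fields by name from the rendered XML rather than by position in Properties
        $xml = [xml]$_.ToXml()
        $ns  = New-Object System.Xml.XmlNamespaceManager -ArgumentList $xml.NameTable
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $field = { param($n) $xml.SelectSingleNode("//e:Data[@Name='$n']", $ns).InnerText }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Pid       = [int](& $field 'ProcessID')
            ParentPid = [int](& $field 'ParentProcessID')
            Session   = [int](& $field 'SessionID')
            Image     = & $field 'ImageName'    # NT device path, e.g. \Device\HarddiskVolume3\...\notepad.exe
        }
    }
}

# Usage: trace for a few seconds, start a known process, then read the events back
$etl = Start-ProcessTrace
$probe = Start-Process notepad.exe -PassThru
Start-Sleep -Seconds 5
Stop-ProcessTrace
$probe | Stop-Process -ErrorAction SilentlyContinue
Get-ProcessStartEvents -EtlPath $etl | Format-Table Time, Pid, ParentPid, Session, Image -AutoSize
```

Nothing in this path runs third-party code in the kernel: the provider is part of Windows, the consumer is an ordinary user-mode process, and a bug in the consumer terminates that process rather than the machine. The trade-off against a kernel callback is that ETW is notify-only; it cannot block the process creation it reports.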
How does Windows help ensure the quality of security related third-party products?
Microsoft engages with third-party security vendors through an industry forum called the Microsoft Virus Initiative (MVI). This group consists of Microsoft and security industry partners and was created to establish a dialogue and collaboration across the Windows security ecosystem to improve robustness in the way security products use the platform. With MVI, Microsoft and vendors collaborate on the Windows platform to define reliable extension points and platform improvements, as well as share information about how to best protect our customers.
Microsoft works with members of MVI to ensure compatibility with Windows updates, improve performance, and address reliability issues. MVI partners actively participating in the program contribute to making the ecosystem more resilient and gain benefits including technical briefings, feedback loops with Microsoft product teams, and access to antimalware platform features such as ELAM and Protected Processes. Microsoft also provides runtime protection such as PatchGuard (Kernel Patch Protection) to prevent disruptive behavior from kernel drivers, including anti-malware drivers.
In addition, all drivers signed by the Microsoft Windows Hardware Quality Labs (WHQL) must run a series of tests and attest to a number of quality checks, including using fuzzers, running static code analysis and testing under runtime driver verification, among other techniques. These tests have been developed to ensure that best practices around security and reliability are followed. Microsoft includes all these tools in the Windows Driver Kit used by all driver developers. A list of the resources and tools is available here.
All WHQL signed drivers are run through Microsoft’s ingestion checks and malware scans and must pass before being approved for signing. Additionally, if a third-party vendor chooses to distribute their driver via Windows Update (WU), the driver also goes through Microsoft’s flighting and gradual rollout processes to observe quality and ensure the driver meets the necessary quality criteria for a broad release.
Can customers deploy Windows in a higher security mode to increase reliability?
Windows at its core is an open and versatile OS, and it can easily be locked down for increased security using integrated tools. In addition, Windows is constantly increasing security defaults, including dozens of new security features enabled by default in Windows 11.
Security features enabled by default in Windows 11
Area | Feature
--- | ---
Hardware Security Baseline | TPM 2.0; Secure Boot; Virtualization-based security (VBS); Memory integrity (Hypervisor-protected Code Integrity, HVCI); Hardware-enforced stack protection; Kernel Direct Memory Access (DMA) protection; HW-based kernel protection (HLAT); Enhanced sign-in security (ESS) for built-in biometric sensors
Encryption | BitLocker (commercial); Device Encryption (consumer)
Identity Management | Credential Guard; Entra primary refresh token (PRT) hardware protected; MDM-deployed SCEP certs hardware protected; MDM enrollment certs hardware protected; Local Security Authority (LSA) PPL prevents token/credential dumping; Account lockout policy (after 10 failed sign-ins); Enhanced phishing protection with Microsoft Defender SmartScreen; NPLogonNotification doesn't include password; WDigest SSO removed to reduce password disclosure; AD Device Account protected by CredGuard*
Multi-Factor Authentication (Passwordless) | MSA and Entra users led through Hello enablement by default; MSA password automatically removed from Windows if never used; Hello container VSM protected; Peripheral biometric sensors blocked for ESS-enabled devices; Lock on leave integrated into Hello
Security Incident Reduction | Common Log File System runs from trusted source; Move tool-tip APIs from kernel to user mode; Modernize print stack by removing untrusted drivers; DPAPI moved from 3DES to AES; TLS 1.3 default with TLS 1.0/1.1 disabled by default; NTLM-less*
OS lockdown | Microsoft Vulnerable Driver Blocklist; 3P driver security baseline enforced via WHCP; Smart App Control*
Windows has integrated security features to self-defend. This includes key anti-malware features enabled by default, such as:
- Secure Boot, which helps prevent early boot malware and rootkits by enforcing signing consistently across Windows boots.
- Measured Boot, which provides TPM-based hardware cryptographic measurements on boot-time properties available through integrated attestation services such as Device Health Attestation.
- Memory integrity (also known as hypervisor-protected code integrity or HVCI), which prevents runtime generation of dynamic code in the kernel and helps ensure control flow integrity.
- Vulnerable driver blocklist, which is on by default, integrated into the OS, and managed by Microsoft. This complements the malicious driver block list.
- Protected Local Security Authority is on by default in Windows 11 to protect a range of credentials. Hardware-based credential protection is on by default for enterprise versions of Windows.
- Microsoft Defender Antivirus is enabled by default in Windows and offers anti-malware capabilities across the OS.
These security capabilities provide layers of protection against malware and exploitation attempts in modern Windows. Many Windows customers have leveraged our security baseline and Windows security technologies to harden their systems and these capabilities collectively have reduced the attack surface significantly.
Using the integrated security features of Windows to prevent adversary attacks such as those displayed in the MITRE ATT&CK® framework increases security while reducing cost and complexity. It leverages best practices to achieve maximum security and reliability. These best practices include:
- Using App Control for Business (formerly Windows Defender Application Control), you can author a security policy to allow only trusted and/or business-critical apps. Your policy can be crafted to deterministically and durably prevent nearly all malware and “living off the land” style attacks. It can also specify which kernel drivers are allowed by your organization to durably guarantee that only those drivers will load on your managed endpoints.
- Use Memory integrity with a specific allow list policy to further protect the Windows kernel using Virtualization-based security (VBS). Combined with App Control for Business, memory integrity can reduce the attack surface for kernel malware or boot kits. This can also be used to limit any drivers that might impact reliability on systems.
- Running as Standard User and elevating only as necessary. Companies that follow the best practices to run as standard user and reduce privileges mitigate many of the MITRE ATT&CK® techniques.
- Use Device Health Attestation (DHA) to monitor devices for the right security policy, including hardware-based measurements for the security posture of the machine. This is a modern and exceptionally durable approach to ensure security for high availability scenarios and uses Microsoft’s Zero Trust architecture.
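The defaults in the table and the practices in the list above can be read back on a single machine. The following PowerShell is an added example, not code from the Microsoft post: it queries the Win32_DeviceGuard WMI class for VBS, memory integrity (HVCI), Credential Guard and the kernel- and user-mode App Control for Business enforcement state, reads Secure Boot and TPM state from their cmdlets, reads LSA protection (RunAsPPL) and the vulnerable driver blocklist switch from their documented registry values, and records whether the current session is elevated (the standard-user practice). Function and output field names are this example's own; class, property, value and cmdlet names are Windows'.

```powershell
# Added example, not code from the Microsoft post: read back the platform protections the post
# recommends so a machine can be compared against the Windows 11 defaults listed above.
# Run elevated; Confirm-SecureBootUEFI and Get-Tpm require it.

function Get-WindowsSecurityPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $running = @($dg.SecurityServicesRunning)
    # *CodeIntegrityPolicyEnforcementStatus: 0 = Off, 1 = Audit, 2 = Enforced
    $ciState = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS firmware
    $tpm        = try { Get-Tpm } catch { $null }

    # LSA protection (RunAsPPL) and the Microsoft vulnerable driver blocklist toggle, both REG_DWORD
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ci  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue

    $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()

    [pscustomobject]@{
        SecureBoot                = [bool]$secureBoot
        TpmPresentAndReady        = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 0 off, 1 enabled not running, 2 running
        MemoryIntegrityHvci       = ($running -contains 2)
        CredentialGuard           = ($running -contains 1)
        KernelCiPolicy            = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCiPolicy          = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        LsaProtection             = ($lsa.RunAsPPL -in 1, 2)        # 1 = on with UEFI lock, 2 = on without UEFI lock
        VulnerableDriverBlocklist = ($ci.VulnerableDriverBlocklistEnable -ne 0)   # value absent = platform default (on for Windows 11 22H2+)
        RunningAsAdmin            = $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Test-WindowsSecurityPosture {
    # Returns the names of the controls that are not in the recommended state (empty = compliant)
    $p = Get-WindowsSecurityPosture
    $expected = @{
        SecureBoot = $true; TpmPresentAndReady = $true; VbsRunning = $true; MemoryIntegrityHvci = $true
        CredentialGuard = $true; LsaProtection = $true; VulnerableDriverBlocklist = $true
    }
    $gaps = @(foreach ($k in $expected.Keys) { if ($p.$k -ne $expected[$k]) { $k } })
    if ($p.KernelCiPolicy -ne 'Enforced') { $gaps += 'KernelCiPolicy' }   # no enforced App Control for Business policy
    return $gaps
}

Get-WindowsSecurityPosture | Format-List
Test-WindowsSecurityPosture
```

KernelCiPolicy is the field that tells you whether the driver allow-list practice from the list above is actually in force: an enforced kernel-mode policy is what stops an unlisted driver from loading, while Audit only logs it. RunningAsAdmin is reported rather than judged because the script itself has to be elevated; the practice applies to the interactive user's everyday session.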
What is next?
Windows is a self-protecting operating system that has produced dozens of new security features and architectural changes in recent versions. We plan to work with the anti-malware ecosystem to take advantage of these integrated features to modernize their approach, helping to support and even increase security along with reliability.
This includes helping the ecosystem by:
- Providing safe rollout guidance, best practices, and technologies to make it safer to perform updates to security products.
- Reducing the need for kernel drivers to access important security data.
- Providing enhanced isolation and anti-tampering capabilities with technologies like our recently announced VBS enclaves.
- Enabling zero trust approaches like high integrity attestation which provides a method to determine the security state of the machine based on the health of Windows native security features.
As we move forward, Windows is continuing to innovate and offer new ways for security tools to detect and respond to emerging threats safely and securely. Windows has announced a commitment around the Rust programming language as part of Microsoft’s Secure Future Initiative (SFI) and has recently expanded the Windows kernel to support Rust.
The information in this blog post is provided as part of our commitment to communicate learnings and next steps after the CrowdStrike incident. We will continue to share ongoing guidance on security best practices for Windows and work across our broad ecosystem of customers and partners to develop new security capabilities based on your feedback.
The post Windows Security best practices for integrating and managing security tools appeared first on Microsoft Security Blog.
Classic Microsoft Outlook for Windows: New reporting buttons integrated with Microsoft Defender for Office 365
Starting August 2024, classic Microsoft Outlook for Windows will integrate new reporting buttons to allow users to report emails as phishing, junk, or not junk. Admins can customize these buttons and reporting options via the Microsoft 365 Defender portal. Rollout will be complete by late September 2024.
Starting August 2024 for classic Microsoft Outlook for Windows, we will add new built-in reporting buttons that allow users to report emails as phishing / junk / not junk. The new buttons will be included in the next semi-annual release of Outlook for Windows. Admins can control the appearance and behavior of these buttons from the User reported settings page in the Microsoft 365 Defender portal (security.microsoft.com). Admins can also customize where messages get reported to (reporting mailbox, Microsoft, or both) and what the user sees both before and after reporting messages from these buttons. Your current User reported settings page will not be changed by this rollout.
This message is associated with Microsoft 365 Roadmap ID 371388.
When this will happen:
General Availability (Worldwide, GCC, GCC High, and DoD): We will begin rolling out early August 2024 and expect to complete by late September 2024.
How this will affect your organization:
Before this rollout: Classic Microsoft Outlook for Windows users do not see reporting buttons.
After the rollout:
New reporting buttons and menu options in Outlook Classic:
What you need to do to prepare:
This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your users about this change and update any relevant documentation.
Learn more
- Report phishing and suspicious emails in Outlook for admins – Microsoft Defender for Office 365 | Microsoft Learn
- User reported settings – Microsoft Defender for Office 365 | Microsoft Learn
- OWA (Outlook on the web) and new Outlook for Windows have had this functionality since November 2022 and there is no change to it.
- The new built-in buttons on Outlook for Windows will inherit your existing User reported settings from OWA.
- Other versions of Outlook such as Mac and Mobile (iPhone and Android) will not be affected by this change. We are working on adding the reporting buttons to other versions of Outlook.
- If you have the reporting feature turned off in the Microsoft 365 Defender User reported settings page or are using a third-party add-in, the reporting buttons in classic Outlook for Windows won’t be visible.
- The Microsoft reporting add-in (the Microsoft report message add-in and the Microsoft phishing add-in) will be supported until further notice. Customers who currently use the add-in and the new reporting buttons will see two sets of reporting buttons in the ribbon. However, when Outlook Mac and Mobile add the new reporting buttons in the near future, the reporting add-in will no longer be needed and can be removed.
- The selections you make on the user reported settings page will determine the reporting experience for your users whether they choose the add-in or built-in reporting option in Outlook. Either option will report to the same place (Microsoft, custom mailbox, or both) based on the User reported settings selected.
- Unlike OWA and new Outlook for Windows, the built-in reporting buttons in classic Outlook for Windows do not support reporting from shared and delegate mailboxes.
Message ID: MC841229
The post Classic Microsoft Outlook for Windows: New reporting buttons integrated with Microsoft Defender for Office 365 appeared first on M365 Admin.
4 reasons you don't need to buy most software anymore
Once upon a time, buying a new PC was accompanied by the need for a stack of software to get it going. You would need to pay for your operating system, office software, antivirus solution, and more to enable everyday usage. While open-source solutions to most of these have been available for years, many people still elect to use the paid versions to keep things simple. But there are a lot of great alternatives to some of the most popular paid apps. These days we luckily don't need to pay for nearly as much software upfront, but if you're not careful, you may end up paying for it on a month-to-month basis.
Beyblade X Episode 4 English Dubbed
Buried Lede: American Patriot Hero fined $48,000 for jamming cell phone frequencies during his highway commute so other drivers wouldn't kill him by driving and talking on their phones [Hero]
This Windows 11 bug may break Windows Security
The last few days weren't great for Windows 11 users. That is because Windows 11 users were widely reporting that their PCs were hit by several bugs after installing the June 2024 preview update (KB5039302). Microsoft does acknowledge those reported issues and is currently working on finding solutions. However, things got way worse when someone found out that Windows 11 might be plagued by what looks to be an unidentified bug, as Microsoft seems to be unaware of the issue.