Shared posts

26 Sep 03:16

MC898392 – Microsoft Teams: UDP Signaling Ports configuration change

by cso-publishing
Check before: 2024-10-01
Product: Exchange, Outlook, Teams
Platform: Education, Online, Web, World tenant
Status: Launched
Change type: Admin impact
Links: 49152
Details / Summary: Microsoft Teams is updating UDP signaling ports for Calling and Meetings to enhance efficiency. The source ports will change from 49152-65535 to 50070-50089, with the destination UDP port remaining at 3478. Rollout […]

Source

12 Sep 15:34

Microsoft 365 was down for thousands of users - here's what happened

UPDATED: The web version of Microsoft's software suite and other services are back up following a major outage for thousands of users.

11 Sep 23:38

Stags 2024 S01E06 1080p WEB H264-LAZYCUNTS

by FatSlave (Hes fat and a slave, crazy right?)
11 Sep 09:14

Slow Horses S04E02 1080p x265-ELiTE

09 Sep 19:19

Halo 5: Guardians Will Soon Be Playable On PC Thanks to New Xbox One Translation Layer For Windows

by Francesco De Meo

Halo 5: Guardians

Halo 5: Guardians, as well as other Xbox One exclusives, will soon become playable on PC thanks to a new Xbox One translation layer for Windows PCs. XWine1, which was revealed with a tweet on X, is an Xbox One translation layer for Windows PCs that currently runs six games properly. Among these games are Halo 5: Guardians, which hasn't been ported to PC to date, Rare Replay, Crimson Dragon, Forza Motorsport 5, Powerstar Golf, Space Jam: A New Legacy - The Game, Forza Motorsport 6, Forza Horizon 2 and CrossfireX. Unfortunately, the translation layer is not available to the […]

Read full article at https://wccftech.com/halo-5-guardians-pc/

07 Sep 10:58

Ancient Aliens S20E19 720p HEVC x265-MeGusta

01 Sep 00:23

Rebel FM Episode 634 - 08/30/2024

This week we're surprised to find ourselves talking about the Black Ops 6 multiplayer beta, but we've also got chat about Squirrel With a Gun, Tetris, and plenty of other stuff too. This week's music: PLAIINS - Slow Rotting, Fast Decay

29 Aug 15:25

How AitM Phishing Attacks Bypass MFA and EDR—and How to Fight Back

by info@thehackernews.com (The Hacker News)
Attackers are increasingly using new phishing toolkits (open-source, commercial, and criminal) to execute adversary-in-the-middle (AitM) attacks. AitM enables attackers to not just harvest credentials but steal live sessions, allowing them to bypass traditional phishing prevention controls such as MFA, EDR, and email content filtering. In this article, we’re going to look at what AitM phishing

17 Aug 18:49

GitHub Promises 'Additional Guardrails' After Wednesday's Update Triggers Short Outage

by EditorDavid
Wednesday GitHub "broke itself," reports the Register, writing that "the Microsoft-owned code-hosting outfit says it made a change involving its database infrastructure, which sparked a global outage of its various services." Or, as the Verge puts it, GitHub experienced "some major issues" which apparently lasted for 36 minutes: When we first published this story, navigating to the main GitHub website showed an error message that said "no server is currently available to service your request," but the website was working again soon after. (The error message also featured an image of an angry unicorn.) GitHub's report of the incident also listed problems with things like pull requests, GitHub Pages, Copilot, and the GitHub API. GitHub attributed the downtime to "an erroneous configuration change rolled out to all GitHub.com databases that impacted the ability of the database to respond to health check pings from the routing service. As a result, the routing service could not detect healthy databases to route application traffic to. This led to widespread impact on GitHub.com starting at 23:02 UTC." (Downdetector showed "more than 10,000 user reports of problems," according to the Verge, "and that the problems were reported quite suddenly.") GitHub's incident report adds that "Given the severity of this incident, follow-up items are the highest priority work for teams at this time." To prevent recurrence we are implementing additional guardrails in our database change management process. We are also prioritizing several repair items such as faster rollback functionality and more resilience to dependency failures.

Read more of this story at Slashdot.

17 Aug 18:47

Space Telescope Data Reignites Debate Over How Fast Our Universe Is Expanding

by EditorDavid
"A new front has opened in the longstanding debate over how fast the universe is expanding," writes Science magazine: For years astronomers have argued over a gulf between the expansion rate as measured from galaxies in the local universe and as calculated from studies of the cosmic microwave background (CMB), the afterglow of the Big Bang. The disparity was so large and persistent that some astronomers thought the standard theory of the universe might have to be tweaked. But over the past week, results from NASA's new James Webb Space Telescope orbiting observatory suggest the problem may be more mundane: some systematic error in the strategies used to measure the distance to nearby galaxies. "The evidence based on these data does not suggest the need for additional physics," says Wendy Freedman of the University of Chicago, who leads [the Carnegie-Chicago Hubble Program, or CCHP] that calculated the expansion rate from JWST data using three different galactic distance measurements and released the results on the arXiv preprint server. (The papers have not yet been peer reviewed.) The methods disagreed about the expansion rate, known as the Hubble constant, or H0, and two were close to the CMB prediction. Specifically, the team used JWST to measure the distance to 10 local galaxies using three stars with a predictable brightness: Cepheids, the brightest red giant stars, and carbon stars. Science notes that the last two methods "agreed to about 1%, but differed from the Cepheid-based distance by 2.5% to 4%." Combining all three methods the team derived a value "just shy of 70 km/s per Mpc," according to the article — leading the University of Chicago's Freedman to say "There's something systematic in the measurements. Until we can establish unambiguously where the issue lies in the nearby universe, we can't be claiming that there's additional physics in the distant universe." 
But the controversy continues, according to Adam Riess of Johns Hopkins University (leader of a team of Hubble Constant researchers known as SH0ES). Riess points out that other teams have used JWST to measure distances with all three methods separately and have come up with values closer to the original SH0ES result. He also questions why CCHP excluded data from telescopes other than JWST. "I don't see a compelling justification for excluding the data they do," he says. Thanks to long-time Slashdot reader sciencehabit for sharing the article.

Read more of this story at Slashdot.

16 Aug 21:42

Free classic RTS OpenRA mod 'Command & Conquer - Combined Arms' has a huge overhaul

by Liam Dawe
If you love your classic RTS games, especially those from Westwood like Command & Conquer and Red Alert, you need to play the OpenRA mod Command & Conquer - Combined Arms.


Read the full article on GamingOnLinux.

14 Aug 03:17

Intel Publishes Updated CPU Microcode For A Variety Of Security & Functional Issues

by Michael Larabel
Intel published a number of new CPU microcode images this Patch Tuesday for addressing various security issues as well as a number of functional issues being addressed across different CPU client and server processor generations...

13 Aug 16:41

Day 902 of WW3: Well, well, well, how about that? Claim: Kadyrovites secretly concluded an agreement with Ukraine on Kursk region and stood aside for Ukrainian troops. Betrayal? In Russia? Where's my fainting couch? It's your Tuesday Ukraine war talk [News]

12 Aug 16:26

Doom modders are annoyed at the "chum-bucket" of wrongly credited mods in the latest Doom remaster

by Brendan Caldwell

Last week, Bethesda released a remastered edition of Doom and Doom II on Steam, with lots of extra episodes and improvements. One of these new features is a built-in browser for mods, and support for many existing mods that previously required a different version of the game. Basically, lots of good fan-made mods are now playable on the Steam version of ye olde Doom. That's neat! Ah, but there is some demon excrement on the health pack, so to speak. The mod browser lacks moderation and lets people upload the work of others with their own name pinned as the author. That's prompted one level designer to call it "a massive breach of trust and violation of norms the Doom community has done its best to hold to for those 30 years."


12 Aug 16:24

Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE

by Microsoft Threat Intelligence

Microsoft researchers recently identified multiple medium severity vulnerabilities in OpenVPN, an open-source project with binaries integrated into routers, firmware, PCs, mobile devices, and many other smart devices worldwide, numbering in the millions. Attackers could chain and remotely exploit some of the discovered vulnerabilities to achieve an attack chain consisting of remote code execution (RCE) and local privilege escalation (LPE). This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information. Exploiting these vulnerabilities, however, necessitates user authentication and a deep understanding of OpenVPN’s inner workings, alongside intermediate knowledge of the operating systems. Today, we presented this research and demonstrated the discovered attack chain in our session at Black Hat USA 2024.

OpenVPN is widely used by thousands of companies spanning various industries across major platforms such as Windows, iOS, macOS, Android, and BSD. As such, exploitation of the discovered vulnerabilities, which affect all versions of OpenVPN prior to version 2.6.10 (and 2.5.10), could put endpoints and enterprises at significant risk of attack.

We reported the discovery to OpenVPN through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in March 2024 and worked closely with OpenVPN to ensure that the vulnerabilities are patched. Information on the security fixes released by OpenVPN to address these vulnerabilities can be found here: OpenVPN 2.6.10. We strongly urge OpenVPN users to apply the latest security updates as soon as possible. We also thank OpenVPN for their collaboration and recognizing the urgency in addressing these vulnerabilities.

Below is a list of the discovered vulnerabilities discussed in this blog:

CVE ID           OpenVPN component    Impact                                                       Affected platform
CVE-2024-27459   openvpnserv          Denial of service (DoS), local privilege escalation (LPE)    Windows
CVE-2024-24974   openvpnserv          Unauthorized access                                          Windows
CVE-2024-27903   openvpnserv          Remote code execution (RCE)                                  Windows
                                      Local privilege escalation (LPE), data manipulation          Android, iOS, macOS, BSD
CVE-2024-1305    Windows TAP driver   Denial of service (DoS)                                      Windows

In this blog post, we detail our analysis of the discovered vulnerabilities and the impact of exploitation. In addition to patching, we provide guidance to mitigate and detect threats attempting to exploit these vulnerabilities. This research emphasizes the need for responsible disclosure and collaboration among the security community to defend devices across platforms and build better protection for all, spanning the entire user-device ecosystem. The discovery of these vulnerabilities further highlights the critical importance of ensuring the security of enterprise and endpoint systems and underscores the need for continuous monitoring and protection of these environments.

What is OpenVPN?

OpenVPN is a virtual private network (VPN) system that creates a private and secure point-to-point or site-to-site connection between networks. The OpenVPN open-source project is widely popular across the world, including the United States, India, France, Brazil, the United Kingdom, and Germany, as well as industries spanning the information technology, financial services, telecommunications, and computer software sectors. This project supports different major platforms and is integrated into millions of devices globally.

OpenVPN is also the name of the tunneling protocol it uses, which employs the Secure Socket Layer (SSL) encryption protocol to ensure that data shared over the internet remains private, using AES-256 encryption. Since the source code is available for audit, vulnerabilities can be easily identified and fixed.

OpenVPN analysis

We discovered the vulnerabilities while examining the OpenVPN open-source project to enhance enterprise security standards. During this research, we checked two other popular VPN solutions and found that at the time they were impacted by a vulnerability (CVE-2024-1305). Following this discovery, we started hunting for and uncovered additional vulnerable drivers with the same issue and decided to investigate open-source VPN projects. Upon confirming that the same vulnerability was located in the OpenVPN open-source repository, our research then focused on examining the architecture and security model of the OpenVPN project for Windows systems.

OpenVPN architecture

OpenVPN server client architecture

OpenVPN is a sophisticated VPN system meticulously engineered to establish secure point-to-point or site-to-site connections. It supports both routed and bridged configurations, as well as remote access capabilities, making it a versatile choice for various networking needs. OpenVPN comprises both client and server applications, ensuring a comprehensive solution for secure communication.

With OpenVPN, peers can authenticate each other through multiple methods, including pre-shared secret keys, certificates, or username/password combinations. In multi-client server environments, the server can generate and issue an individual authentication certificate for each client, leveraging robust digital signatures and a trusted certificate authority. This ensures an elevated level of security and integrity in the authentication process, enhancing the overall reliability of the VPN connection. 

Diagram of OpenVPN's client server depicting the connection between the Gateway Client and the Access Server
Figure 1. OpenVPN client server model

Client-side architecture

The client-side architecture is where we discovered the additional three vulnerabilities (CVE-2024-27459, CVE-2024-24974, and CVE-2024-27903):

OpenVPN’s client architecture can be summarized in the following simplified diagram:

Diagram depicting the loaded plugin with the openvpn.exe usermode process connected by a named pipe to the openvpnserv.exe system service within the client. The client is connected to the server via a tunnel.
Figure 2. OpenVPN client architecture with loaded plugin.dll

openvpnserv.exe and openvpn.exe

The system service launches elevated commands on behalf of the user, handling tasks such as adding or deleting DNS configurations, IP addresses, and routes, and enabling Dynamic Host Configuration Protocol (DHCP). These commands are received from the openvpn.exe process through a named pipe created for these two entities, such as “openvpn/service_XXX” where XXX is the thread ID (TID) that is being passed to the newly created process as a command line argument.

The launched commands arrive in the form of a binary structure that contains the relevant information for the specific command, with the structure being validated and only then launching the appropriate command. The below figure displays an example of the structure that contains information for adding/deleting DNS configuration:

Screenshot of code depicting the DNS configuration managing structure
Figure 3. OpenVPN DNS configuration managing structure

Additionally, openvpnserv.exe serves as the management unit, spawning openvpn.exe processes upon requests from different users on the machine. This can be done automatically using the OpenVPN GUI or by sending specifically crafted requests. Communication for this process occurs through a second named pipe, such as “openvpn/service”.

Openvpn.exe is the user mode process being spawned on behalf of the client. When openvpn.exe starts, it receives a path for a configuration file (as a command line argument). The configuration file that’s provided holds different information.

A lot of fields can be managed in configuration files, such as:

  1. Tunnel options
  2. Server mode options
  3. Client mode options

Plugin mechanism in openvpn.exe

Another mechanism of interest for us is the plugin mechanism in openvpn.exe, which can extend the functionality to add additional logic, such as authentication plugins to bring authentication against Lightweight Directory Access Protocol (LDAP) or Radius or other Pluggable Authentication Module (PAM) backends. Some of the existing plugins are:

  1. Radiusplugin – Radius authentication support for OpenVPN.
  2. Eurephia – Authentication and access control plugin for OpenVPN.
  3. Openvpn_defer_auth – OpenVPN plugin to perform deferred authentication requests.

The plugin mechanism fits into the earlier diagram, as shown in Figure 2.

The plugin is loaded as a directive in the configuration file, which looks like:

Screenshot of code depicting the client directive to load the plugin
Figure 4. OpenVPN client directive to load plugin

Furthermore, a number of callbacks defined in the plugin are invoked on behalf of the loading process (openvpn.exe), such as:

  1. openvpn_plugin_func_v1 – This function is called by OpenVPN each time OpenVPN reaches a point where plugin calls should happen.
  2. openvpn_plugin_{open, func}_v3() – Defines the version of the v3 plugin argument.

OpenVPN security model

As previously mentioned, we discovered four vulnerabilities on the client side of OpenVPN’s architecture.

As described before, openvpnserv.exe (SYSTEM service) spawns the openvpn.exe process as a result of the request from the user. Furthermore, the spawned process runs in the context of the user who requested to create the new process, which is achieved through named pipe impersonation, as displayed in the below image:

Screenshot of code depicting named pipe impersonation
Figure 5. Named pipe impersonation

The ImpersonateNamedPipeClient function impersonates a named pipe client application.

Furthermore, to prevent unwanted behavior, specific EXPLICIT_ACCESS must be granted for any new process:

Screenshot of code depicting explicit access being granted for OVPN DACL
Figure 6. Explicit access for OVPN DACL

This explicit access, in addition to the earlier described “elevated commands” launched by openvpnserv.exe on request from the openvpn.exe process, and other comprehensive inspection of the passed arguments, ensure that malicious behavior cannot be launched in the name of the impersonated user.

Vulnerability analysis

CVE-2024-1305    

We identified a vulnerability in the “tap-windows6” project, which develops the Terminal Access Point (TAP) adapter used by OpenVPN. In the project’s src folder, the device.c file contains the code for the TAP device object and its initialization.

In the device.c file, the CreateTapDevice method initializes a dispatch table object with callbacks for methods managing various Input/Output Controls (IOCTLs) for the device. One of these methods is TapDeviceWrite, which handles the write IOCTL.

Screenshot of code depicting where the wild kernel overflow vulnerability is located
Figure 7. Wild kernel overflow vulnerability location

The TapDeviceWrite method performs several operations and eventually calls TapSharedSendPacket. This method, in turn, calls NdisAllocateNetBufferAndNetBufferLists twice. In one scenario, it calls this function with the fullLength parameter, defined as follows:

Screenshot of code depicting the integer overflow
Figure 8. Integer overflow

Both PacketLength and PrefixLength are parameters passed from the TapDeviceWrite call and, therefore, attacker controlled. If these values are large enough, their sum (fullLength) can overflow (a 32-bit unsigned integer). This overflow results in the allocation of a smaller-than-expected memory size, which subsequently causes a memory overflow issue.
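The arithmetic above is the whole bug: two attacker-supplied 32-bit lengths are added and the wrapped result sizes the allocation. The following C is an added illustration written for this page, not the tap-windows6 source; the names PacketLength, PrefixLength and fullLength come from the article, while the function names and the fixed-width model of the addition are assumptions. It shows the unchecked sum wrapping to a tiny value next to a checked form that refuses the request when the sum would not fit in 32 bits.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model of the length computation described for CVE-2024-1305.
 * This is added example code, not the driver's source. PacketLength and
 * PrefixLength are caller-controlled 32-bit values, as in the article. */

/* Unchecked form: unsigned addition wraps modulo 2^32, so large inputs yield
 * a small fullLength and the caller allocates far less than the packet needs. */
uint32_t full_length_unchecked(uint32_t PacketLength, uint32_t PrefixLength)
{
    uint32_t fullLength = PacketLength + PrefixLength; /* may wrap */
    return fullLength;
}

/* Checked form: test for wrap-around before adding. Returns true and writes
 * the sum only when it fits in 32 bits; otherwise the request is rejected. */
bool full_length_checked(uint32_t PacketLength, uint32_t PrefixLength,
                         uint32_t *fullLength)
{
    if (PacketLength > UINT32_MAX - PrefixLength) {
        return false; /* would overflow: reject the write request */
    }
    *fullLength = PacketLength + PrefixLength;
    return true;
}

/* Allocation size a hardened write path would use; 0 means "rejected", so an
 * undersized buffer is never allocated for an oversized packet. */
uint32_t allocation_size_for_write(uint32_t PacketLength, uint32_t PrefixLength)
{
    uint32_t fullLength;
    if (!full_length_checked(PacketLength, PrefixLength, &fullLength)) {
        return 0;
    }
    return fullLength;
}

int main(void)
{
    /* Constructed inputs: a prefix of 0x20 bytes and a near-maximal packet length. */
    uint32_t pkt = 0xFFFFFFF0u, pfx = 0x20u;
    printf("unchecked fullLength = 0x%08x (wrapped)\n", full_length_unchecked(pkt, pfx));
    printf("checked allocation   = %u (0 = rejected)\n", allocation_size_for_write(pkt, pfx));
    printf("normal packet        = %u bytes\n", allocation_size_for_write(1500u, 16u));
    return 0;
}
```

The checked form is the standard pre-addition guard for unsigned sums; the same shape applies to any length field that crosses a trust boundary into kernel code.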

CVE-2024-27459  

The second vulnerability that we discovered resided in the communication mechanism between the openvpn.exe process and the openvpnserv.exe service. As described earlier, both of which communicate through a named pipe:

Screenshot of code depicting the size being read from a named pipe
Figure 9. Reading size from a named pipe

The openvpnserv.exe service will read the message size in an infinite loop from the openvpn.exe process and then handle the message received by calling the HandleMessage method. The HandleMessage method reads the size provided by the infinite loop and casts the read bytes into the relevant type accordingly:

Screenshot of code depicting the stack overflow vulnerability location
Figure 10. Stack overflow vulnerability location

This communication mechanism presents an issue, as reading the “user” provided number of bytes onto an “n bytes” long structure located on the stack will produce a stack overflow vulnerability.
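To make the defect concrete, here is an added C model of the service-side read loop, written for this page and not taken from openvpnserv.exe: the MSG layout, the in-memory pipe stand-in and every sample frame are constructed assumptions. The handler reads the client-supplied size first and refuses to copy anything that does not fit the fixed-size, stack-resident structure, which is the bound the vulnerable pattern lacks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative model of openvpnserv.exe's message handling (CVE-2024-27459).
 * Added example code: MSG, pipe_t and the helpers are assumptions, not OpenVPN's. */
typedef struct {
    uint32_t type;     /* message type selector (constructed) */
    char     data[64]; /* fixed-size payload (constructed) */
} MSG;

/* Stand-in for the named pipe: an in-memory byte stream with a read cursor. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } pipe_t;

/* Deliver up to 'want' bytes from the stream; returns bytes actually copied. */
static size_t pipe_read(pipe_t *p, void *dst, size_t want)
{
    size_t avail = p->len - p->pos;
    size_t n = want < avail ? want : avail;
    memcpy(dst, p->buf + p->pos, n);
    p->pos += n;
    return n;
}

enum { HANDLE_OK = 0, HANDLE_BAD_SIZE = -1, HANDLE_SHORT_READ = -2 };

/* Hardened handler: the size read from the client is validated against the
 * stack buffer before any payload bytes are read into it. The vulnerable
 * pattern reads 'size' bytes straight into MSG, so size > sizeof(MSG)
 * overruns the stack frame. */
int handle_message_checked(pipe_t *p, MSG *out)
{
    uint32_t size = 0;
    if (pipe_read(p, &size, sizeof size) != sizeof size)
        return HANDLE_SHORT_READ;
    if (size == 0 || size > sizeof(MSG))
        return HANDLE_BAD_SIZE; /* never copy more than the structure holds */
    MSG msg;
    memset(&msg, 0, sizeof msg);
    if (pipe_read(p, &msg, size) != size)
        return HANDLE_SHORT_READ; /* client closed early: drop the message */
    *out = msg;
    return HANDLE_OK;
}

/* Build a constructed frame: host-order 4-byte size prefix, then payload. */
size_t build_frame(uint8_t *dst, size_t cap, uint32_t claimed,
                   const void *payload, size_t payload_len)
{
    if (cap < sizeof claimed + payload_len) return 0;
    memcpy(dst, &claimed, sizeof claimed);
    memcpy(dst + sizeof claimed, payload, payload_len);
    return sizeof claimed + payload_len;
}

/* Feed one constructed frame (payload filled with 'A') through the handler. */
int check_frame(uint32_t claimed, size_t payload_len)
{
    static uint8_t stream[8192];
    static uint8_t payload[8192];
    if (payload_len > sizeof payload) payload_len = sizeof payload;
    memset(payload, 'A', payload_len);
    size_t n = build_frame(stream, sizeof stream, claimed, payload, payload_len);
    pipe_t p = { stream, n, 0 };
    MSG out;
    return handle_message_checked(&p, &out);
}

int main(void)
{
    printf("exact-size frame : %d\n", check_frame((uint32_t)sizeof(MSG), sizeof(MSG)));
    printf("oversized frame  : %d\n", check_frame(4096u, 4096u));
    printf("truncated frame  : %d\n", check_frame(32u, 16u));
    return 0;
}
```

The size check must come before the copy and must be against the destination's real capacity; checking only that the size is non-zero, or trusting a type field inside the message, leaves the overflow in place.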

CVE-2024-24974  

The third vulnerability involves unprivileged access to an operating system resource. The openvpnserv.exe service spawns a new openvpn.exe process based on user requests received through the “\\openvpn\\service” named pipe. This vulnerability allows remote access to the named service pipe, enabling an attacker to remotely interact with and launch operations on it.

CVE-2024-27903  

Lastly, we identified a vulnerability in OpenVPN’s plugin mechanism that permits plugins to be loaded from various paths on an endpoint device. This behavior can be exploited by attackers to load harmful plugins from these different paths.
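One way to close this class of issue is to accept a plugin path only when it is a local, absolute path under a fixed administrator-controlled directory. The C below is an added example for this page, not OpenVPN's actual fix: PLUGIN_DIR, the helper names and the sample paths are all constructed. It rejects UNC paths (which resolve to a remote host), paths outside the plugin directory, parent-directory traversal and non-.dll names, comparing case-insensitively and treating both separators alike as Windows does.

```c
#include <stdbool.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Illustrative plugin path allow-list for the behaviour described under
 * CVE-2024-27903. Added example code; PLUGIN_DIR is an assumed location. */
#define PLUGIN_DIR "C:\\Program Files\\OpenVPN\\bin\\plugins\\"

/* Case-insensitive prefix test that treats '/' and '\\' as the same separator. */
static bool ieq_prefix(const char *s, const char *prefix)
{
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\0') return false;
        char a = s[i], b = prefix[i];
        if (a == '/') a = '\\';
        if (b == '/') b = '\\';
        if (tolower((unsigned char)a) != tolower((unsigned char)b)) return false;
    }
    return true;
}

static bool ends_with_dll(const char *path)
{
    size_t n = strlen(path);
    if (n < 4) return false;
    const char *ext = path + n - 4;
    return ext[0] == '.'
        && tolower((unsigned char)ext[1]) == 'd'
        && tolower((unsigned char)ext[2]) == 'l'
        && tolower((unsigned char)ext[3]) == 'l';
}

/* True only for an absolute local path inside PLUGIN_DIR with no ".." and a
 * .dll extension. Everything else, including any \\server\share path, is refused. */
bool plugin_path_allowed(const char *path)
{
    if (path == NULL || path[0] == '\0') return false;
    /* UNC prefix: two leading separators mean a remote share, so reject. */
    if ((path[0] == '\\' || path[0] == '/') && (path[1] == '\\' || path[1] == '/'))
        return false;
    if (!ieq_prefix(path, PLUGIN_DIR)) return false;   /* must live in the plugin dir */
    if (strstr(path, "..") != NULL) return false;       /* no traversal out of it */
    return ends_with_dll(path);
}

int main(void)
{
    /* Constructed sample paths; the share host name is a placeholder. */
    const char *samples[] = {
        "C:\\Program Files\\OpenVPN\\bin\\plugins\\auth-pam.dll",
        "\\\\attacker-host\\share\\OpenVPN\\plugin.dll",
        "C:\\Program Files\\OpenVPN\\bin\\plugins\\..\\..\\evil.dll",
        "C:\\Users\\Public\\plugin.dll",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-60s %s\n", samples[i], plugin_path_allowed(samples[i]) ? "allow" : "reject");
    return 0;
}
```

A string check like this is a policy gate, not a substitute for patching: the directory it trusts must itself be writable only by administrators, or the allow-list is only as strong as that ACL.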

Exploiting and chaining the vulnerabilities

All the identified vulnerabilities can be exploited once an attacker gains access to a user’s OpenVPN credentials, which could be accomplished using credential theft techniques, such as purchasing stolen credentials on the dark web, using info-stealing malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them. The discovered vulnerabilities could then be combined to achieve different exploitation results, or chained together to form a sophisticated attack chain, as detailed in the below sections.

RCE exploitation

We first explored how an attacker could achieve remote code execution (RCE) exploitation using CVE-2024-24974 and CVE-2024-27903.

To successfully exploit these vulnerabilities and achieve RCE, an attacker must first obtain an OpenVPN user’s credentials. The attacker’s device must then launch the NET USE command with the stolen credentials to remotely access the operating system resources and grant the attacker access to the named pipe objects.

Next, the attacker can send a “connect” request to the “\\openvpn\\service” named pipe to launch a new instance of openvpn.exe on its behalf.

Screenshot of code depicting the initialization of OpenVPN from a remote location
Figure 11. Initializing OpenVPN from a remote location (in which {TARGET_MACHINE_PLACEHOLDER} can be substituted by a different end point)

In the request, a path to a configuration file (\\\\DESKTOP-4P6938I\\share\\OpenVPN\\config\\sample.ovpn) is specified that’s located on the attacker-controlled device. A log path is also provided into which the loaded plugin will write its logs (--log \\\\{TARGET_MACHINE_PLACEHOLDER}\\share\\OpenVPN\\log\\plugin_log.txt).

The provided configuration has instructions to load a malicious plugin, as follows:

Screenshot of code depicting the malicious plugin loading directive from a remote location
Figure 12. Malicious plugin loading directive from a remote location

After successful exploitation, the attacker can read the log provided on the attacker-controlled device.

Screenshot of the plugin log on the attacker-controlled device
Figure 13. Plugin log on the attacker-controlled device

LPE exploitation

Next, we investigated how an attacker could achieve local privilege escalation (LPE) using CVE-2024-27459 and CVE-2024-27903. To successfully achieve an LPE exploit in this context, an attacker must load a malicious plugin into the normal launching process of openvpn.exe by using a malicious configuration file.

First, the attacker will connect to a local device “\\openvpn\\service” named pipe with a command that instructs openvpnserv.exe to launch openvpn.exe based on the attacker-provided malicious configuration.

Screenshot of code depicting initializing OpenVPN from a local configuration
Figure 14. Initializing OpenVPN from a local configuration

The malicious configuration will include a line like the below example:

Screenshot of the malicious plugin loading directive from the local location
Figure 15. Malicious plugin loading directive from the local location

For the malicious plugin to successfully communicate with openvpnserv.exe, it must hijack the number of the handle used by openvpn.exe to communicate with the inner named pipe connecting the openvpn.exe process and the openvpnserv.exe service. This can be achieved, for instance, by parsing command line arguments, as displayed below:

Screenshot of code depicting parsing command line arguments to extract the thread ID
Figure 16. Parsing command line arguments to extract the thread ID (TID)

This works because when the openvpn.exe process spawns, it’s being passed the TID (as a command line argument) that the inner named pipe (which is being used for communication between this specific OpenVPN instance and the openvpnserv.exe service) will have. For instance, if the inner named pipe created is “\\openvpn\\service_1234” then openvpn.exe will be launched with an extra argument of 1234.

Screenshot of code depicting the thread ID being passed as a command line argument
Figure 17. Passing the TID as a command line argument

Next, attackers can exploit the stack overflow vulnerability by sending data bigger than the MSG structure. It is important to note that there are stack protection mechanisms in place, called stack canaries, which make exploitation much more challenging. Thus, when triggering the overflow:

Screenshot of code depicting the stack overflow being triggered
Figure 18. Stack overflow triggered

After the crash of openvpnserv.exe, the attacker has a slot of time in which they can reclaim the named pipe “\\openvpn\\service”.

If successful, the attacker then poses as the server side of the named pipe “\\openvpn\\service”. From that moment on, every attempt to connect to the “\\openvpn\\service” named pipe will result in a connection to the attacker. If a privileged enough user, such as a SYSTEM or Administrator user, is connected to the named pipe, the attacker can impersonate that user:

Screenshot of code depicting impersonation of a privileged user
Figure 19. Impersonating a privileged user

The attacker can then start an elevated process on the user’s behalf, thus achieving LPE.

Chaining it all together

As our research demonstrated, an attacker could leverage at least three of the four discovered vulnerabilities to create exploits to achieve RCE and LPE, which could then be chained together to create a powerful attack chain.

A number of adjustments are needed to exploit the full attack chain as presented in this blog post: mainly, the malicious payload that crashes openvpnserv.exe and the malicious payload that then behaves as openvpnserv.exe once it has crashed both have to be loaded through the malicious plugin. After successfully achieving LPE, attackers will use different techniques, such as Bring Your Own Vulnerable Driver (BYOVD) or exploiting known vulnerabilities, to achieve a stronger grasp of the endpoint. Through these techniques, the attacker can, for instance, disable Protected Process Light (PPL) for a critical process such as Microsoft Defender or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system’s core functions, further entrenching their control and avoiding detection.

Critical importance of endpoint security in private and enterprise sectors

With OpenVPN being widely used across various vendors, industries, and fields, the presented vulnerabilities may impact numerous sectors, device types, and verticals. Exploiting these vulnerabilities requires user authentication, a deep understanding of OpenVPN’s inner workings, and intermediate knowledge of the operating system. However, a successful attack could significantly impact endpoints in both the private and enterprise sectors. Attackers could launch a comprehensive attack chain on a device using a vulnerable version of OpenVPN, achieving full control over the target endpoint. This control could enable them to steal sensitive data, tamper with it, or even wipe and destroy critical information, causing substantial harm to both private and enterprise environments.

The discovery of these vulnerabilities underscores the importance of responsible disclosure to secure enterprise and endpoint systems, in addition to the collective efforts of the security community to protect devices across various platforms and establish stronger safeguards for everyone. We would like to again thank OpenVPN for their partnership and swift action in addressing these vulnerabilities.

Mitigation and protection guidance

OpenVPN versions prior to 2.5.10 and 2.6.10 are vulnerable to the discussed vulnerabilities.

It is recommended to first identify if a vulnerable version is installed and, if so, immediately apply the relevant patch found here: OpenVPN 2.6.10.

Additionally, follow the below recommendations to further mitigate potential exploitation risks affiliated with the discovered vulnerabilities:

  • Apply patches to affected devices in your network. Check the OpenVPN website for the latest patches.
  • Make sure OpenVPN clients are disconnected from the internet and segmented.
  • Limit access to OpenVPN clients to authorized users only. 
  • Due to the nature of the CVEs, which still require a username and password, prioritizing patching is difficult. Reduce risk by ensuring proper segmentation, requiring strong usernames and passwords, and reducing the number of users that have writing authentication.

Microsoft Defender XDR detections

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert can indicate associated threat activity:

  • Suspicious OpenVPN named pipe activity

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2024-27459
  • CVE-2024-24974
  • CVE-2024-27903
  • CVE-2024-1305

Microsoft Defender for IoT

Microsoft Defender for IoT raises alerts for the following vulnerabilities, exploits, and behavior associated with this threat:

  • Suspicion of Malicious Activity

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

This query identifies connections to OpenVPN’s named pipe from a remote host:

DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields=parse_json(AdditionalFields)
| extend PipeName=JsonAdditionalFields["PipeName"]
| where PipeName == "\\Device\\NamedPipe\\openvpn\\service" and isnotempty(RemoteIP)

This query identifies image load into OpenVPN’s process from share folder:

DeviceImageLoadEvents 
|where InitiatingProcessFileName == "openvpn.exe" and FolderPath startswith "\\\\"

This query identifies process connect to OpenVPN’s named pipe as server which it is not openvpnserv.exe:

DeviceEvents  
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields=parse_json(AdditionalFields)
| extend PipeName=JsonAdditionalFields["PipeName"], NamedPipeEnd=JsonAdditionalFields["NamedPipeEnd"]
|where PipeName == "\\Device\\NamedPipe\\openvpn\\service" and NamedPipeEnd == "Server" and InitiatingProcessFileName != "openvpnserv.exe"

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

List of devices with OpenVPN vulnerabilities

DeviceTvmSoftwareVulnerabilities
| where OSPlatform contains "Windows"
| where CveId in ("CVE-2024-27459","CVE-2024-24974","CVE-2024-27903","CVE-2024-1305") 
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Named pipe creation activity of OpenVPN

let PipeNames = pack_array('\\openvpn/service','\\openvpn/service_','openvpn','openvpn/service','\\openvpn\\service_');
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == "NamedPipeEvent"
| where ProcessCommandLine contains "openvpn.exe" or InitiatingProcessCommandLine contains "openvpn.exe"
| extend Fields=parse_json(AdditionalFields)
| where Fields.FileOperation == "File created"
| where Fields.PipeName has_any (PipeNames)
| project TimeGenerated,ActionType,DeviceName,InitiatingProcessAccountDomain,InitiatingProcessAccountName,InitiatingProcessFolderPath,
InitiatingProcessCommandLine,ProcessCommandLine,Fields.FileOperation,Fields.PipeName
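The vulnerable-device list and the remote named pipe query above answer two separate questions; for triage it helps to ask them together, so that devices which both carry one of the four CVEs and show remote connections to the OpenVPN service pipe surface first. The following query is an added example, not one from the Microsoft post. It assumes Defender XDR Advanced Hunting column names (Timestamp rather than TimeGenerated), and the 7-day lookback and the make_set limits are arbitrary choices.

```kql
// Added example (not part of the Microsoft post): prioritise devices that are
// both vulnerable to the OpenVPN CVEs and show remote connections to the
// openvpn\service named pipe. Lookback and list sizes are assumptions.
let lookback = 7d;
let OpenVpnCves = dynamic(["CVE-2024-27459", "CVE-2024-24974", "CVE-2024-27903", "CVE-2024-1305"]);
// Devices that Defender Vulnerability Management reports as carrying one of the CVEs.
let VulnerableDevices =
    DeviceTvmSoftwareVulnerabilities
    | where CveId in (OpenVpnCves)
    | summarize Cves = make_set(CveId), SoftwareVersion = take_any(SoftwareVersion)
        by DeviceId, DeviceName;
// Remote connections to the OpenVPN interactive service pipe, joined to the vulnerable set.
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "NamedPipeEvent"
| extend Fields = parse_json(AdditionalFields)
| extend PipeName = tostring(Fields.PipeName)
| where PipeName == @"\Device\NamedPipe\openvpn\service" and isnotempty(RemoteIP)
| join kind=inner VulnerableDevices on DeviceId
| summarize
    Connections = count(),
    RemoteHosts = make_set(RemoteIP, 20),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceId, DeviceName, SoftwareVersion, Cves = tostring(Cves)
| order by Connections desc
```

In a Microsoft Sentinel workspace the same tables are available under the same names, but the time column is TimeGenerated rather than Timestamp. A device that appears here with an OpenVPN version below 2.5.10 or 2.6.10 is the one to patch first.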

Vladimir Tokarev

Microsoft Threat Intelligence Community

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE appeared first on Microsoft Security Blog.

08 Aug 20:33

DOOM + DOOM II get bundled together with new enhanced versions

by Liam Dawe
Today id Software and Bethesda Softworks announced a new bundling of the original DOOM + DOOM II, with a whole bunch of enhancements using Nightdive Studio's KEX engine. A free update for existing owners too.

Read the full article on GamingOnLinux.

07 Aug 00:32

WordStar 7, the Last Ever DOS Version, Is Re-Released For Free

by BeauHD
An anonymous reader quotes a report from The Register: Before WordPerfect, the most popular word processor was WordStar. Now, the last ever DOS version has been bundled and set free by one of its biggest fans. WordStar 7.0d was the last-ever DOS release of the classic word processor, and it still has admirers today. A notable enthusiast is Canadian SF writer Robert J Sawyer, who wrote the book that became the TV series Flashforward. Thanks to his efforts you can now try out this pinnacle of pre-Windows PC programs for professional prose-smiths. Sawyer has taken the final release, packaged it up along with some useful tools -- including DOS emulators for modern Windows -- and shared the result. Now you, too, can revel in the sheer unbridled power of this powerful app. The download is 680MB, but as well as the app itself, full documentation, and some tools to help translate WordStar documents to more modern formats, it also includes copies of two FOSS tools that will let you run this MS-DOS application on modern Windows: DOSbox-X and vDosPlus. "The program has been a big part of my career -- not only did I write all 25 of my novels and almost all of my short stories with it (a few date back to the typewriter era), I also in my earlier freelance days wrote hundreds of newspaper and magazine articles with WordStar," says Sawyer.

Read more of this story at Slashdot.

06 Aug 00:04

14 Things Every Home Gym Needs

by Beth Skwarecki

There’s a little game I like to play sometimes, and it seems to be popular with other folks who tend to work out at home: What equipment would I buy if I were starting a new home gym from scratch? Or you can play the advanced version: if you already have (insert common items here), what would you buy next?

What follow are my picks for anybody starting a new home gym or looking to expand the one they have—whether that means a corner of your bedroom or a full-on garage-based weightlifting paradise. I'll start with space- and budget-friendly items, then move on to some bigger-ticket buys.

Kettlebells

If I had to put together a home gym from scratch, I think I would start with two kettlebells: one light enough to strict press or snatch, and one heavy enough to make swings and goblet squats challenging.

If I had a smidge of extra cash, I’d buy them as adjustable kettlebells, like this one from Bells of Steel, so they could get heavier as I got stronger. Competition-style adjustables are by far the best kind.

A pull-up bar

Pulling exercises are some of the hardest to improvise outside of a gym (although if you took my advice about kettlebells, you could do rows with those). A doorway pull-up bar like this one barely takes up any space, but it opens up a ton of possibilities. If your doorframes don't allow that type of bar, try a pull-up tower like this one.

A spin bike

Cardio is good for you. I keep telling myself this, and I’m almost starting to believe it. With a spin bike, you can do intervals or steady state work while staying comfortably indoors when the road outside is dark, or wet, or icy. The price range of options here is wide: you can splurge on a top-of-the-line Peloton or go for one of the budget bikes (like a Sunny) that are less than a fifth of the price.

A rowing machine

My first choice for a cardio machine is the bike, as mentioned earlier. But if you want another device, I’d vote for a rower. Rowers involve your full body, and they’re great for interval training. The Concept 2 is probably the best-known (and, many would say, the best) brand in this space. (Not a rower person? My third choice would be a treadmill.)

Dumbbells

Dumbbells are a great way to lift weights at home. They’re smaller than a barbell, less specialized than a set of kettlebells, and you can do a ton of different workouts with them.

As with kettlebells, you’ll need to decide if you want to get a few pairs at specific fixed weights (cheaper to start), or go for a pricier adjustable set. Powerblock and Bowflex are the fancy kind, if you have the money but want to save space.

A bench

If you have dumbbells or want to do any sort of bro workout, you’re going to need a bench. I’m more of a barbell person, so I just got a flat bench that can fit in my rack when I want to bench press. But people who do more dumbbell work often prefer a sturdy adjustable bench that can be configured for incline or upright seated work.

A barbell

If you’re into powerlifting or weightlifting, or just want to go heavy in your general strength workouts, there’s really no substitute for a good ol’ barbell. “Standard” bars with a one-inch hole are common in budget sets, but your purchase will have more longevity if you opt for an “Olympic” style bar with two-inch collars. Get a 45-pound or 20-kilogram bar like this one unless you have a specific reason to get something else.

Iron weight plates

You’ve got a few options for plates—we’ll discuss another in a minute—but iron plates are the classic choice. They’re sturdy, appropriately heavy, and up to almost any job. Get any kind that appeals to you: regular metal plates, plastic-coated ones, vintage-style deep dish. Anything but hex plates.

Bumper plates

Not everyone needs bumper plates, but if you’re one of those people who does, skip the iron plates entirely and go for the good stuff. Bumper plates are essential for Olympic lifts (the snatch and the clean and jerk) and they’re also nice to have for other lifts, like deadlifts. In general, the cheapest kind are made of black rubber and are labeled in pounds; expect to pay a premium if you want them in kilos with international standard color-coding.

A squat rack or cage

You know you’ve Made It as a home gym owner when you have your own squat rack. Consider the amount of space you have available, since some racks require tall ceilings and all require a good bit of space around the sides so you can get to the bar to change the plates. There are folding racks, half racks, and full racks. You can also go the DIY route with one of those concrete-bucket-and-lumber squat stands everyone was using during lockdown. (Mine held up great for years, and only broke down when the buckets got too much UV damage from being in the sunlight so long.)

Resistance bands

Throw a band on your pullup bar and you have a way to do assisted pullups; hold a band in your hands instead and you can do band pull-aparts. Bands are also a great addition to your barbells if you don’t have quite enough plates (or if you’re a fan of conjugate training, in which case you’re probably already putting bands and chains on everything that isn’t nailed down.) If you want to use bands with barbells, look for the long loop type; if you want to use them on their own, look for the kind that clip to handles.

Sandbags

Sandbags are the under-appreciated workhorses of many a home gym. Sand is dirt cheap—almost literally—but expect to pay a few bucks for a really quality fabric sandbag to put it in. (That said, you can DIY this, and we have instructions.) Start with a bag that weighs maybe half as much as you do, and practice picking it up, carrying it, and generally doing anything people do with weights. Yes, you can even press it overhead if you’re careful. If that’s all too easy, go for a bag that weighs as much as you do, or more.

A plyo box

A box is a handy thing to have around, and one of the few things I’ve always wanted in my home gym but never found the space for. With one box, you can do box jumps or box squats. With two, you can do dips or stand on top of them and set up a belt squat. The possibilities are endless.

Specialty bars

If you’re shopping for the person who has everything, I’ll tell you what they don’t have: another specialty bar. After a normal barbell, a typical next purchase is a safety squat bar. You could also go for an axle, which is great for practicing strongman events, or a cambered or duffalo bar (honestly, I’m not sure why powerlifters love these so much, but they do). A dedicated deadlift bar is perfect for the deadlift specialist in your life, and a football bar or Swiss bar gives you lots of options for pressing. A log is great for the spoiled strongman or strongwoman in your life, or an EZ-curl bar for the bodybuilder. Or grab a trap bar to do deadlifts on easy mode.

06 Aug 00:04

Detect compromised RDP sessions with Microsoft Defender for Endpoint

by SaarCohen

Human operators play a significant part in planning, managing, and executing cyber-attacks. During each phase of their operations, they learn and adapt by observing the victims’ networks and leveraging intelligence and social engineering. One of the most common tools human operators use is Remote Desktop Protocol (RDP), which gives attackers not only control but also Graphical User Interface (GUI) visibility on remote computers. Because RDP is so popular in human-operated attacks, defenders can use the RDP context as a strong incriminator of suspicious activity, and therefore detect Indicators of Compromise (IOCs) and act on them.

That’s why today Microsoft Defender for Endpoint is enhancing its RDP data by adding a detailed layer of session information, so you can more easily identify potentially compromised devices in your organization. This layer provides more details on the RDP session within the context of the activity it initiated, simplifying correlation and increasing the accuracy of threat detection and proactive hunting.

 

Remote session information

The new layer adds 8 extra fields, represented as new columns in Advanced Hunting, and expands the schema across several tables. These columns enrich process information with session details, augmenting the contextual data related to remote activities.

  1. InitiatingProcessSessionId - Windows session ID of the initiating process
  2. CreatedProcessSessionId - Windows session ID of the created process
  3. IsInitiatingProcessRemoteSession - Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false).
  4. IsProcessRemoteSession - Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false).
  5. InitiatingProcessRemoteSessionDeviceName - Device name of the remote device from which the initiating process’s RDP session was initiated.
  6. ProcessRemoteSessionDeviceName - Device name of the remote device from which the created process’s RDP session was initiated.
  7. InitiatingProcessRemoteSessionIP - IP address of the remote device from which the initiating process’s RDP session was initiated.
  8. ProcessRemoteSessionIP - IP address of the remote device from which the created process’s RDP session was initiated.

The data will be available in the following tables:

Table Name              Initiating process   Created Process
DeviceEvents            Yes                  Yes, where relevant
DeviceProcessEvents     Yes                  Yes
DeviceFileEvents        Yes                  No
DeviceImageLoadEvents   Yes                  No
DeviceLogonEvents       Yes                  No
DeviceNetworkEvents     Yes                  No
DeviceRegistryEvents    Yes                  No

Detect human-operated ransomware attacks that use RDP 

Defender for Endpoint machine learning models use data from remote sessions to identify patterns of malicious activity. They assess user interactions with devices via RDP by examining more than 100 characteristics and apply a machine learning classifier to determine if the behavior is consistent with hands-on-keyboard-based attacks. 

 

Image 1: Ransomware attack incident investigation

Detect suspicious RDP sessions 

 

Another model uses remote session information to identify suspicious remote sessions. Outlined below is an example of a suspect RDP session where harmful tools, commonly used by attackers in ransomware campaigns and other malicious activities, are deployed, setting off a high-severity alert.  

 


This context is also available in Advanced Hunting for custom detection and investigation purposes.  

An Advanced Hunting query can be used to display all processes initiated by a source IP during an RDP session. This query can be adjusted to fit all the supported tables. 

 

DeviceProcessEvents
| where Timestamp >= ago(1d)
| where IsInitiatingProcessRemoteSession == true
| where InitiatingProcessRemoteSessionIP == "X.X.X.X" // Insert your IP address here
| project InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine

 

Another query can be used to highlight actions performed remotely by a compromised account. This query can be adjusted to fit all the supported tables. 

 

DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessAccountSid == "SID" // Insert the compromised account SID here
| where IsInitiatingProcessRemoteSession == true
| project InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine

 

You can also hunt for tampering attempts. Tampering performed over remote sessions across many devices can signal a broad attempt to disable protections before an attack is launched.

DeviceRegistryEvents
| where Timestamp >= ago(7d)
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
| where RegistryValueName == "DisableAntiSpyware"
| where RegistryValueType == "Dword"
| where RegistryValueData == "1"
| where IsInitiatingProcessRemoteSession == true

 

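The queries above start from a known IP or a known compromised account. The new session columns also allow the opposite approach: baselining where RDP sessions normally originate and flagging activity from sources that have never logged on to a device before. The following query is an added example, not one from the post. It treats a process launched inside an RDP session as worth reviewing when the session’s source IP has no successful RemoteInteractive logon on that device in the preceding 30 days; the 1-day detection window, the 30-day baseline, and the make_set limits are assumptions to adjust for your environment.

```kql
// Added example (not part of the post): processes launched in RDP sessions whose
// source IP has no prior RemoteInteractive logon on the same device.
// Window lengths and set sizes are assumptions.
let detection_window = 1d;
let baseline_window = 30d;
// Baseline: RDP source IPs that successfully logged on to each device before the
// detection window started.
let KnownRdpSources =
    DeviceLogonEvents
    | where Timestamp between (ago(baseline_window) .. ago(detection_window))
    | where LogonType == "RemoteInteractive" and ActionType == "LogonSuccess"
    | where isnotempty(RemoteIP)
    | distinct DeviceId, RemoteIP;
// Detection: process creations under an RDP session from a source not in the baseline.
DeviceProcessEvents
| where Timestamp > ago(detection_window)
| where IsInitiatingProcessRemoteSession == true
| where isnotempty(InitiatingProcessRemoteSessionIP)
| join kind=leftanti KnownRdpSources
    on DeviceId, $left.InitiatingProcessRemoteSessionIP == $right.RemoteIP
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    ProcessCount = count(),
    Processes = make_set(FileName, 50),
    SampleCommandLines = make_set(ProcessCommandLine, 10)
    by DeviceId, DeviceName, InitiatingProcessSessionId,
       InitiatingProcessRemoteSessionIP, InitiatingProcessRemoteSessionDeviceName,
       InitiatingProcessAccountName
| order by ProcessCount desc
```

Grouping by InitiatingProcessSessionId keeps everything one interactive session did together, which is the view an analyst wants when deciding whether the session was a jump host that simply changed address or a foothold that should be contained. Jump hosts and VPN concentrators with stable addresses age into the baseline automatically; a newly deployed one will show up once and can be added to an allowlist if that is preferred.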

Comprehensive endpoint security  

The ability to identify malicious use of RDP in Defender for Endpoint gives admins more granular visibility and control over detection, investigation, and hunting in unique edge cases, and helps them stay one step ahead of the evolving threat landscape.  

For more information:   

05 Aug 15:35

Researchers Uncover Flaws in Windows Smart App Control and SmartScreen

by info@thehackernews.com (The Hacker News)
Cybersecurity researchers have uncovered design weaknesses in Microsoft's Windows Smart App Control and SmartScreen that could enable threat actors to gain initial access to target environments without raising any warnings. Smart App Control (SAC) is a cloud-powered security feature introduced by Microsoft in Windows 11 to block malicious, untrusted, and potentially unwanted apps from being run
01 Aug 20:02

Exploited Vulnerability Could Impact 20k Internet-Exposed VMware ESXi Instances

by Ionut Arghire

Shadowserver has observed over 20,000 internet-accessible VMware ESXi instances impacted by an exploited vulnerability.

The post Exploited Vulnerability Could Impact 20k Internet-Exposed VMware ESXi Instances appeared first on SecurityWeek.

31 Jul 02:12

CISA Broke Into a US Federal Agency, No One Noticed For a Full 5 Months

by BeauHD
A 2023 red team exercise by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) at an unnamed federal agency exposed critical security failings, including unpatched vulnerabilities, inadequate incident response, and weak credential management, leading to a full domain compromise. According to The Register's Connor Jones, the agency failed to detect or remediate malicious activity for five months. From the report: According to the agency's account of the exercise, the red team was able to gain initial access by exploiting an unpatched vulnerability (CVE-2022-21587 - 9.8) in the target agency's Oracle Solaris enclave, leading to what it said was a full compromise. It's worth noting that CVE-2022-21587, an unauthenticated remote code execution (RCE) bug carrying a near-maximum 9.8 CVSS rating, was added to CISA's known exploited vulnerability (KEV) catalog in February 2023. The initial intrusion by CISA's red team was made on January 25, 2023. "After gaining access, the team promptly informed the organization's trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch," CISA's report reads. "Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on February 2, 2023." [...] After gaining access to the Solaris enclave, the red team discovered they couldn't pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases. 
Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful. It said real adversaries may have instead used prolonged password-spraying attacks rather than phishing at this stage, given that several service accounts were identified as having weak passwords. After gaining that access, the red team injected a persistent RAT and later discovered unsecured admin credentials, which essentially meant it was game over for the agency being assessed. "None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network," CISA said. CISA described this as a "full domain compromise" that gave the attackers access to tier zero assets -- the most highly privileged systems. "The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts," the report reads. "With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. "They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization's identity management (IDM)." From here, the red team realized the victim organization had trust relationships with multiple external FCEB organizations, which CISA's team then pivoted into using the access they already had. The team "kerberoasted" one partner organization. Kerberoasting is an attack on the Kerberos authentication protocol typically used in Windows networks to authenticate users and devices.
However, it wasn't able to move laterally with the account due to low privileges, so it instead used those credentials to exploit a second trusted partner organization. Kerberoasting yielded a more privileged account at the second external org, the password for which was crackable. CISA said that due to network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments. However, SILENTSHIELD assessments are able to be carried out following new-ish powers afforded to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that also allow CISA's Federal Attack Surface Testing (FAST) pentesting program to operate. It's crucial that these avenues are able to be explored in such exercises because they're routes into systems adversaries will have no reservations about exploring in a real-world scenario. For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity. CISA said the findings demonstrated the need for agencies to apply defense-in-depth principles. The cybersecurity agency recommended network segmentation and a Secure-by-Design commitment.

Read more of this story at Slashdot.

30 Jul 10:42

DigiCert Revoking Certs With Less Than 24 Hours Notice

by BeauHD
In an incident report today, DigiCert says it discovered that some CNAME-based validations did not include the required underscore prefix, affecting about 0.4% of their domain validations. According to CA/Browser Forum (CABF) rules, certificates with validation issues must be revoked within 24 hours, prompting DigiCert to take immediate action. DigiCert says impacted customers "have been notified." New submitter jdastrup first shared the news, writing: Due to a mistake going back years that has recently been discovered, DigiCert is required by the CABF to revoke any certificate that used the improper Domain Control Validation (DCV) CNAME record in 24 hours. This could literally be thousands of SSL certs. This could take a lot of time and potentially cause outages worldwide starting July 30 at 19:30 UTC. Be prepared for a long night of cert renewals. DigiCert support line is completely jammed.

Read more of this story at Slashdot.

30 Jul 10:42

Onyx Sleet uses array of malware to gather intelligence for North Korea

by Microsoft Threat Intelligence

On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. We will continue to closely monitor Onyx Sleet’s activity to assess changes following the indictment.

First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet’s ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors.

Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. In this blog, we will share intelligence about Onyx Sleet and its historical tradecraft and targets, as well as our analysis of recent malware campaigns, with the goal of enabling the broader community to identify and respond to similar campaigns. We also provide protection, detection, and hunting guidance to help improve defenses against these attacks.

Who is Onyx Sleet?

Onyx Sleet conducts cyber espionage primarily targeting military, defense, and technology industries, predominately in India, South Korea, and the United States. This threat actor has historically leveraged spear-phishing as a means of compromising target environments; however, in recent campaigns, they have mostly exploited N-day vulnerabilities, leveraging publicly available and custom exploits to gain initial access. In October 2023, Onyx Sleet exploited the TeamCity CVE-2023-42793 vulnerability as a part of a targeted attack. Exploiting this vulnerability enabled the threat actor to perform a remote code execution attack and gain administrative control of the server.

Onyx Sleet develops and uses a spectrum of tools that range from custom to open source. They have built an extensive set of custom remote access trojans (RATs) that they use in campaigns, and routinely developed new variants of these RATs to add new functionality and implement new ways of evading detection. Onyx Sleet often uses leased virtual private servers (VPS) and compromised cloud infrastructure for command-and-control (C2).

Onyx Sleet is tracked by other security companies as APT45, SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, and TDrop2.

Affiliations with other threat actors originating from North Korea

Onyx Sleet has demonstrated affiliations with other North Korean actors, indicating its integration with a broader network of North Korean cyber operations. Microsoft has observed an overlap between Onyx Sleet and Storm-0530. Both groups were observed operating within the same infrastructure and were involved in the development and use of ransomware in attacks in late 2021 and 2022.

Onyx Sleet targets

In pursuit of its primary goal of intelligence collection, Onyx Sleet has focused on targeting entities in the defense and energy industries, predominately in India, South Korea, and the United States. Recent attacks include the targeting of South Korean educational institutions, construction companies, and manufacturing organizations in May 2024. Onyx Sleet has also shown interest in taking advantage of online gambling websites, possibly for financial gain either on behalf of North Korea or for individual members of the group.

Onyx Sleet tradecraft

Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective. Onyx Sleet historically leveraged spear-phishing to compromise targets, and in more recent campaigns, they have been observed to primarily use exploits for initial access, alongside a loader, downloader, and backdoor as a part of its well-established attack chain.

A diagram of the Onyx Sleet attack chain. The chain begins with initial access via exploitation of several vulnerabilities, to a loader malware, a downloader, and finally a backdoor.
Figure 1. Onyx Sleet attack chain

Onyx Sleet nevertheless made some changes, for example, adding new C2 servers and hosting IPs, creating new malware, and launching multiple campaigns over time. In the past, Onyx Sleet introduced custom ransomware strains as a part of its campaigns. It also created and deployed the RAT identified by Kaspersky as Dtrack, which was observed in global attacks from September 2019 to January 2024. The Dtrack RAT follows the common attack chain used by Onyx Sleet and includes the exploitation of the Log4j 2 CVE-2021-44228 vulnerability for initial access and the use of payloads signed with an invalid certificate masquerading as legitimate software to evade detection.

Another example of Onyx Sleet introducing variations in the implementation of its attack chain is the campaign identified by AhnLab Security Intelligence Center (ASEC) in May 2024. In this campaign, the threat actor employed a previously unseen malware family dubbed as Dora RAT. Developed in the Go programming language, this custom malware strain targeted South Korean educational institutions, construction companies, and manufacturing organizations. 

Onyx Sleet avoids common detection techniques across its attack lifecycle by heavily using custom encryption and obfuscation algorithms and launching as much of its code in memory as possible. These tools and techniques have been observed in several reported campaigns, including TDrop2.

Onyx Sleet has also used several off-the-shelf tools, including Sliver, remote monitoring and management (RMM) tools, SOCKS proxy tools, Ngrok, and masscan. We have also observed Onyx Sleet using commercial packers like Themida and VMProtect to obfuscate their malware. In January 2024, Microsoft Threat Intelligence identified a campaign attributed to Onyx Sleet that deployed a Sliver implant, an open-source C2 framework that supports multiple operators, listener types, and payload generation. Like the Dtrack RAT, this malware was signed with an invalid certificate impersonating Tableau software. Further analysis revealed that this Onyx Sleet campaign compromised multiple aerospace and defense organizations from October 2023 to June 2024.

Figure 2. File signature showing the fake Tableau Software certificate (source: VirusTotal)

Apart from the previously mentioned Log4j 2 vulnerability, Onyx Sleet has exploited other publicly disclosed (N-day) vulnerabilities to gain access to target environments. Some vulnerabilities recently exploited by Onyx Sleet include:

  • CVE-2023-46604 (Apache ActiveMQ)
  • CVE-2023-22515 (Confluence)
  • CVE-2023-27350 (PaperCut)
  • CVE-2023-42793 (TeamCity)

In addition to these well-known and disclosed vulnerabilities, Onyx Sleet has used custom exploit capabilities in campaigns targeting users mostly in South Korea. In these campaigns, Onyx Sleet exploited vulnerabilities in a remote desktop/management application, a data loss prevention application, a network access control system, and an endpoint detection and response (EDR) product.

Recent malware campaigns

In December 2023, South Korean authorities attributed attacks that stole over 1.2 TB of data from targeted South Korean defense contractors using custom malware to Andariel. Microsoft has attributed several custom malware families used in the said attacks – TigerRAT, SmallTiger, LightHand, and ValidAlpha – to Onyx Sleet.

TigerRAT

Since 2020, Onyx Sleet has been observed using the custom RAT malware TigerRAT. In some campaigns using TigerRAT, Onyx Sleet exploited vulnerabilities in Log4j 2 to deliver and install the malware. When launched, this malware can steal confidential information and carry out commands, such as keylogging and screen recording, from the C2.

SmallTiger

In February 2024, ASEC identified SmallTiger, a new malware strain targeting South Korean defense and manufacturing organizations. During the process of lateral movement, this malware is delivered as a DLL file (SmallTiger[.]dll) and uses a C2 connection to download and launch the payload into memory. Microsoft researchers have determined that SmallTiger is a C++ backdoor with layered obfuscation, encountered in the wild as a Themida or VMProtect packed executable.

The SmallTiger campaign can be tied back to a campaign using a similar attack chain beginning in November 2023 that delivered the DurianBeacon RAT malware. In May 2024, Microsoft observed Onyx Sleet continuing to conduct attacks targeting South Korean defense organizations using SmallTiger.

LightHand

LightHand is a custom, lightweight backdoor used by Onyx Sleet for remote access of target devices. Via LightHand, Onyx Sleet can execute arbitrary commands through command shell (cmd.exe), get system storage information, perform directory listing, and create/delete files on the target device.

ValidAlpha (BlackRAT)

ValidAlpha (also known as BlackRAT) is a custom backdoor developed in the Go programming language and used by Onyx Sleet to target organizations globally in the energy, defense, and engineering sectors since at least 2023. ValidAlpha can run an arbitrary file, list contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands.

Samples of ValidAlpha analyzed by Microsoft had a unique PDB string: I:/01___Tools/02__RAT/Black/Client_Go/Client.go

Recommendations

Microsoft recommends the following mitigations to defend against attacks by Onyx Sleet:

  • Keep software up to date. Apply new security patches as soon as possible.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
  • Enable network protection to help prevent access to malicious domains.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
  • Configure investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to help resolve breaches, significantly reducing alert volume.

Microsoft Defender customers can turn on attack surface reduction rules to help prevent common attack techniques used by Onyx Sleet:

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware families:

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

  • Onyx Sleet activity group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity:

  • Document contains macro to download a file

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

Microsoft Defender Threat Intelligence

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Sentinel queries

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Use this query to assess the existence of vulnerabilities used by Onyx Sleet:

DeviceTvmSoftwareVulnerabilities  
| where CveId in ("CVE-2021-44228","CVE-2023-27350","CVE-2023-42793")   
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel  
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId  
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware 

Use this query to detect associated network IOCs:

let remoteip = dynamic(["84.38.134.56","45.155.37.101","213.139.205.151","109.248.150.147","162.19.71.175","147.78.149.201"]);
let remoteurl = dynamic(["americajobmail.site","privatemake.bounceme.net","ww3c.bounceme.net","advice.uphearth.com","http://84.38.134.56/procdump.gif"]);
DeviceNetworkEvents
// remoteip and remoteurl are arrays, so membership must be tested with in(), not ==
| where RemoteIP in (remoteip) or RemoteUrl in (remoteurl)
| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort, RemoteIP, RemoteIPType, RemotePort, RemoteUrl

Use this query to detect associated file IOCs:

let selectedTimestamp = datetime(2024-07-17T00:00:00.0000000Z);
let fileName = "SmallTiger.dll";
let FileSHA256 = dynamic(["f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c","0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207","29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3","fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32","868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf","f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5","1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1","3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061","8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f","7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b"]);
let SignerName = "INVALID:Tableau Software Inc.";
let Signerhash = "6624c7b8faac176d1c1cb10b03e7ee58a4853f91";
let certificateserialnumber = "76cb5d1e6c2b6895428115705d9ac765";
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents,
DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator)
TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // searches the 90 days forward from selectedTimestamp (17 July 2024); change the date above as needed.
and
( FileName == fileName or OldFileName == fileName or ProfileName == fileName or InitiatingProcessFileName == fileName or InitiatingProcessParentFileName == fileName
or InitiatingProcessVersionInfoInternalFileName == fileName or InitiatingProcessVersionInfoOriginalFileName == fileName or PreviousFileName == fileName
or ProcessVersionInfoInternalFileName == fileName or ProcessVersionInfoOriginalFileName == fileName or DestinationFileName == fileName or SourceFileName == fileName
or ServiceFileName == fileName or SHA256 in (FileSHA256) or InitiatingProcessSHA256 in (FileSHA256) or Signer == SignerName or SignerHash == Signerhash or CertificateSerialNumber == certificateserialnumber )

Indicators of compromise

IP addresses

  • 84.38.134[.]56
  • 45.155.37[.]101
  • 213.139.205[.]151
  • 109.248.150[.]147
  • 162.19.71[.]175
  • 147.78.149[.]201

URL

  • hxxp://84.38.134[.]56/procdump.gif

Actor-controlled domain

  • americajobmail[.]site
  • privatemake.bounceme[.]net
  • ww3c.bounceme[.]net
  • advice.uphearth[.]com


Fake Tableau certificate

  • Signer: INVALID:Tableau Software Inc.
  • SignerHash: 6624c7b8faac176d1c1cb10b03e7ee58a4853f91
  • CertificateSerialNumber: 76cb5d1e6c2b6895428115705d9ac765

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Onyx Sleet uses array of malware to gather intelligence for North Korea appeared first on Microsoft Security Blog.

30 Jul 10:41

Windows Security best practices for integrating and managing security tools

by David Weston

Windows is an open and flexible platform used by many of the world’s top businesses for high availability use cases where security and availability are non-negotiable.

To meet those needs:

  1. Windows provides a range of operating modes that customers can choose from. This includes the ability to limit what can run to only approved software and drivers. This can increase security and reliability by making Windows operate in a mode closer to mobile phones or appliances.
  2. Customers can choose integrated security monitoring and detection capabilities that are included with Windows. Or they can choose to replace or supplement this security with a wide variety of choices from a vibrant open ecosystem of vendors.

In this blog post, we examine the recent CrowdStrike outage and provide a technical overview of the root cause. We also explain why security products use kernel-mode drivers today and the safety measures Windows provides for third-party solutions. In addition, we share how customers and security vendors can better leverage the integrated security capabilities of Windows for increased security and reliability. Lastly, we provide a look into how Windows will enhance extensibility for future security products.

CrowdStrike recently published a Preliminary Post Incident Review analyzing their outage. In their blog post, CrowdStrike describes the root cause as a memory safety issue—specifically a read out-of-bounds access violation in the CSagent driver. We leverage the Microsoft WinDBG Kernel Debugger and several extensions that are available free to anyone to perform this analysis. Customers with crash dumps can reproduce our steps with these tools.

Based on Microsoft’s analysis of the Windows Error Reporting (WER) kernel crash dumps related to the incident, we observe global crash patterns that reflect this:

FAULTING_THREAD:  ffffe402fe868040

READ_ADDRESS:  ffff840500000074 Paged pool

MM_INTERNAL_CODE:  2

IMAGE_NAME:  csagent.sys

MODULE_NAME: csagent

FAULTING_MODULE: fffff80671430000 csagent

PROCESS_NAME:  System

TRAP_FRAME:  ffff94058305ec20 -- (.trap 0xffff94058305ec20)
.trap 0xffff94058305ec20
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff94058305f200 rbx=0000000000000000 rcx=0000000000000003
rdx=ffff94058305f1d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806715114ed rsp=ffff94058305edb0 rbp=ffff94058305eeb0
 r8=ffff840500000074  r9=0000000000000000 r10=0000000000000000
r11=0000000000000014 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
csagent+0xe14ed:
fffff806`715114ed 458b08          mov     r9d,dword ptr [r8] ds:ffff8405`00000074=????????
.trap
Resetting default scope

STACK_TEXT:  
ffff9405`8305e9f8 fffff806`5388c1e4     : 00000000`00000050 ffff8405`00000074 00000000`00000000 ffff9405`8305ec20 : nt!KeBugCheckEx 
ffff9405`8305ea00 fffff806`53662d8c     : 00000000`00000000 00000000`00000000 00000000`00000000 ffff8405`00000074 : nt!MiSystemFault+0x1fcf94  
ffff9405`8305eb00 fffff806`53827529     : ffffffff`00000030 ffff8405`af8351a2 ffff9405`8305f020 ffff9405`8305f020 : nt!MmAccessFault+0x29c 
ffff9405`8305ec20 fffff806`715114ed     : 00000000`00000000 ffff9405`8305eeb0 ffff8405`b0bcd00c ffff8405`b0bc505c : nt!KiPageFault+0x369 
ffff9405`8305edb0 fffff806`714e709e     : 00000000`00000000 00000000`e01f008d ffff9405`8305f102 fffff806`716baaf8 : csagent+0xe14ed
ffff9405`8305ef50 fffff806`714e8335     : 00000000`00000000 00000000`00000010 00000000`00000002 ffff8405`b0bc501c : csagent+0xb709e
ffff9405`8305f080 fffff806`717220c7     : 00000000`00000000 00000000`00000000 ffff9405`8305f382 00000000`00000000 : csagent+0xb8335
ffff9405`8305f1b0 fffff806`7171ec44     : ffff9405`8305f668 fffff806`53eac2b0 ffff8405`afad4ac0 00000000`00000003 : csagent+0x2f20c7
ffff9405`8305f430 fffff806`71497a31     : 00000000`0000303b ffff9405`8305f6f0 ffff8405`afb1d140 ffffe402`ff251098 : csagent+0x2eec44
ffff9405`8305f5f0 fffff806`71496aee     : ffff8405`afb1d140 fffff806`71541e7e 00000000`000067a0 fffff806`7168f8f0 : csagent+0x67a31
ffff9405`8305f760 fffff806`7149685b     : ffff9405`8305f9d8 ffff8405`afb1d230 ffff8405`afb1d140 ffffe402`fe8644f8 : csagent+0x66aee
ffff9405`8305f7d0 fffff806`715399ea     : 00000000`4a8415aa ffff8eee`1c68ca4f 00000000`00000000 ffff8405`9e95fc30 : csagent+0x6685b
ffff9405`8305f850 fffff806`7148efbb     : 00000000`00000000 ffff9405`8305fa59 ffffe402`fe864050 ffffe402`fede62c0 : csagent+0x1099ea
ffff9405`8305f980 fffff806`7148edd7     : ffffffff`ffffffa1 fffff806`7152e5c1 ffffe402`fe864050 00000000`00000001 : csagent+0x5efbb
ffff9405`8305fac0 fffff806`7152e681     : 00000000`00000000 fffff806`53789272 00000000`00000002 ffffe402`fede62c0 : csagent+0x5edd7
ffff9405`8305faf0 fffff806`53707287     : ffffe402`fe868040 00000000`00000080 fffff806`7152e510 006fe47f`b19bbdff : csagent+0xfe681
ffff9405`8305fb30 fffff806`5381b8e4     : ffff9680`37651180 ffffe402`fe868040 fffff806`53707230 00000000`00000000 : nt!PspSystemThreadStartup+0x57 
ffff9405`8305fb80 00000000`00000000     : ffff9405`83060000 ffff9405`83059000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x34 

Digging further into this crash dump, we can restore the stack frame at the time of the access violation to learn more about its origin. Unfortunately, WER data contains only a compressed version of the machine state, so we cannot disassemble backwards to see a larger set of instructions prior to the crash, but we can see in the disassembly that there is a check for NULL before the read at the address held in the R8 register:

6: kd> .trap 0xffff94058305ec20
.trap 0xffff94058305ec20
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff94058305f200 rbx=0000000000000000 rcx=0000000000000003
rdx=ffff94058305f1d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806715114ed rsp=ffff94058305edb0 rbp=ffff94058305eeb0
 r8=ffff840500000074  r9=0000000000000000 r10=0000000000000000
r11=0000000000000014 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
csagent+0xe14ed:
fffff806`715114ed 458b08          mov     r9d,dword ptr [r8] ds:ffff8405`00000074=????????
6: kd> !pte ffff840500000074
!pte ffff840500000074
                                           VA ffff840500000074
PXE at FFFFABD5EAF57840    PPE at FFFFABD5EAF080A0    PDE at FFFFABD5E1014000    PTE at FFFFABC202800000
contains 0A00000277200863  contains 0000000000000000
pfn 277200    ---DA--KWEV  contains 0000000000000000
not valid

6: kd> ub fffff806`715114ed
ub fffff806`715114ed
csagent+0xe14d9:
fffff806`715114d9 04d8            add     al,0D8h
fffff806`715114db 750b            jne     csagent+0xe14e8 (fffff806`715114e8)
fffff806`715114dd 4d85c0          test    r8,r8
fffff806`715114e0 7412            je      csagent+0xe14f4 (fffff806`715114f4)
fffff806`715114e2 450fb708        movzx   r9d,word ptr [r8]
fffff806`715114e6 eb08            jmp     csagent+0xe14f0 (fffff806`715114f0)
fffff806`715114e8 4d85c0          test    r8,r8
fffff806`715114eb 7407            je      csagent+0xe14f4 (fffff806`715114f4)
6: kd> ub fffff806`715114d9
ub fffff806`715114d9
                          ^ Unable to find valid previous instruction for 'ub fffff806`715114d9'
6: kd> u fffff806`715114eb
u fffff806`715114eb
csagent+0xe14eb:
fffff806`715114eb 7407            je      csagent+0xe14f4 (fffff806`715114f4)
fffff806`715114ed 458b08          mov     r9d,dword ptr [r8]
fffff806`715114f0 4d8b5008        mov     r10,qword ptr [r8+8]
fffff806`715114f4 4d8bc2          mov     r8,r10
fffff806`715114f7 488d4d90        lea     rcx,[rbp-70h]
fffff806`715114fb 488bd6          mov     rdx,rsi
fffff806`715114fe e8212c0000      call    csagent+0xe4124 (fffff806`71514124)
fffff806`71511503 4533d2          xor     r10d,r10d

6: kd> db ffff840500000074
db ffff840500000074
ffff8405`00000074  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`00000084  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`00000094  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000a4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000b4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000c4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000d4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000e4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

Our observations confirm CrowdStrike’s analysis that this was a read-out-of-bounds memory safety error in the CrowdStrike-developed CSagent.sys driver.
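The disassembly above shows why a NULL check alone could not prevent this fault: R8 was non-NULL, so the test r8,r8 / je guard passed, yet the address it held was unmapped. The following C program is an added illustration, not CrowdStrike’s or Microsoft’s code and not a reconstruction of the driver’s actual logic; it models a hypothetical content file whose entries are located by an index taken from the file itself, and contrasts an unchecked lookup (where a NULL check is the only guard) with a bounds-checked one. All structure names and sample values are constructed.

```c
/* Added illustration (hypothetical, not the csagent.sys logic): a NULL check does
 * not protect a read through an index-derived pointer. Builds as user-mode C. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 4u

/* One 16-byte entry: the faulting code read a dword at [r8] and a qword at [r8+8]. */
typedef struct {
    uint32_t id;
    uint32_t flags;
    uint64_t next;
} entry_t;

/* Hypothetical content blob: a header with a declared count, then fixed-size entries. */
typedef struct {
    uint32_t magic;
    uint32_t count;               /* declared by the file, i.e. untrusted */
    entry_t  entries[MAX_ENTRIES];
} content_t;

/* Unchecked lookup: computes where entry idx would live without validating idx.
 * The result is returned as an integer so the out-of-range case can be inspected
 * without forming (let alone dereferencing) an invalid pointer. */
static uintptr_t lookup_unchecked_addr(const content_t *c, uint32_t idx)
{
    if (c == NULL)
        return 0;                 /* the only guard: NULL in, NULL out */
    return (uintptr_t)c->entries + (uintptr_t)idx * sizeof(entry_t);
}

/* True when a whole entry at addr lies inside the content object itself. */
static int addr_in_object(const content_t *c, uintptr_t addr)
{
    uintptr_t lo = (uintptr_t)c;
    uintptr_t hi = lo + sizeof(*c);
    return addr >= lo && addr + sizeof(entry_t) <= hi;
}

/* Checked lookup: rejects a declared count larger than the buffer and an index
 * outside that count, so the caller's NULL check becomes meaningful. */
static const entry_t *lookup_checked(const content_t *c, uint32_t idx)
{
    if (c == NULL || c->count > MAX_ENTRIES || idx >= c->count)
        return NULL;
    return &c->entries[idx];
}

/* Same shape as the faulting sequence (NULL check, then read [r8] and [r8+8]),
 * but fed by the checked lookup. Returns 1 on success, 0 if the entry is rejected. */
static int read_entry(const content_t *c, uint32_t idx, uint32_t *id, uint64_t *next)
{
    const entry_t *e = lookup_checked(c, idx);
    if (e == NULL)
        return 0;
    *id   = e->id;                /* mov r9d, dword ptr [r8]   */
    *next = e->next;              /* mov r10, qword ptr [r8+8] */
    return 1;
}

/* Constructed sample: two valid entries, count = 2. */
static content_t make_sample(void)
{
    content_t c;
    memset(&c, 0, sizeof c);
    c.magic = 0x43535443u;        /* arbitrary constructed marker */
    c.count = 2;
    c.entries[0].id = 0x1000; c.entries[0].next = 0x1111;
    c.entries[1].id = 0x1001; c.entries[1].next = 0x2222;
    return c;
}

int main(void)
{
    content_t c = make_sample();
    uint32_t id = 0;
    uint64_t next = 0;
    uintptr_t bad = lookup_unchecked_addr(&c, 1000);
    int ok;

    printf("unchecked idx 1000 -> %#lx, non-NULL: %d, inside object: %d\n",
           (unsigned long)bad, bad != 0, addr_in_object(&c, bad));
    ok = read_entry(&c, 1, &id, &next);
    printf("checked idx 1 -> %d (id %#x, next %#llx)\n", ok, id, (unsigned long long)next);
    printf("checked idx 1000 -> %d\n", read_entry(&c, 1000, &id, &next));
    c.count = 100;                /* header lies about how many entries exist */
    printf("checked idx 2 with count=100 -> %d\n", read_entry(&c, 2, &id, &next));
    return 0;
}
```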

We can also see that the csagent.sys module is registered as a file system filter driver commonly used by anti-malware agents to receive notifications about file operations such as the creation or modification of a file. This is often used by security products to scan any new file saved to disk, such as downloading a file via the browser.

File System filters can also be used as a signal for security solutions attempting to monitor the behavior of the system. CrowdStrike noted in their blog that part of their content update was changing the sensor’s logic relating to data around named pipe creation. The File System filter driver API allows the driver to receive a call when named pipe activity (e.g., named pipe creation) occurs on the system that could enable the detection of malicious behavior. The general function of the driver correlates to the information shared by CrowdStrike.

6: kd>!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csagent

Hive         ffff84059ca7b000
KeyNode      ffff8405a6f67f9c

[SubKeyAddr]         [SubKeyName]
ffff8405a6f683ac     Instances
ffff8405a6f6854c     Sim

 Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details

[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          2
REG_DWORD           Start                         1
REG_DWORD           ErrorControl                  1
REG_EXPAND_SZ       ImagePath                     \??\C:\Windows\system32\drivers\CrowdStrike\csagent.sys
REG_SZ              DisplayName                   CrowdStrike Falcon
REG_SZ              Group                         FSFilter Activity Monitor
REG_MULTI_SZ        DependOnService               FltMgr\0
REG_SZ              CNFG                          Config.sys
REG_DWORD           SupportedFeatures             f

We can see that the control channel file version 291 specified in the CrowdStrike analysis is also present in the crash, indicating the file was read.

Determining how the file itself correlates to the access violation observed in the crash dump would require additional debugging of the driver using these tools but is outside of the scope of this blog post.

!ca ffffde8a870a8290

ControlArea  @ ffffde8a870a8290
  Segment      ffff880ce0689c10  Flink      ffffde8a87267718  Blink        ffffde8a870a7d98
  Section Ref                 0  Pfn Ref                   b  Mapped Views                0
  User Ref                    0  WaitForDel                0  Flush Count                 0
  File Object  ffffde8a879b29a0  ModWriteCount             0  System Views                0
  WritableRefs                0  PartitionId                0  
  Flags (8008080) File WasPurged OnUnusedList 

      \Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000032.sys

1: kd> !ntfskd.ccb ffff880ce06f6970
!ntfskd.ccb ffff880ce06f6970

   Ccb: ffff880c`e06f6970
 Flags: 00008003 Cleanup OpenAsFile IgnoreCase
Flags2: 00000841 OpenComplete AccessAffectsOplocks SegmentObjectReferenced
  Type: UserFileOpen
FileObj: ffffde8a879b29a0

(018)  ffff880c`db937370  FullFileName [\Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000032.sys]
(020) 000000000000004C  LastFileNameOffset 
(022) 0000000000000000  EaModificationCount 
(024) 0000000000000000  NextEaOffset 
(048) FFFF880CE06F69F8  Lcb 
(058) 0000000000000002  TypeOfOpen 

We can leverage the crash dump to determine if any other drivers supplied by CrowdStrike may exist on the running system during the crash.

6: kd> lmDvmCSFirmwareAnalysis
lmDvmCSFirmwareAnalysis
Browse full module list
start             end                 module name
fffff806`58920000 fffff806`5893c000   CSFirmwareAnalysis   (deferred)             
    Image path: \SystemRoot\system32\DRIVERS\CSFirmwareAnalysis.sys
    Image name: CSFirmwareAnalysis.sys
    Browse all global symbols  functions  data  Symbol Reload
    Timestamp:        Mon Mar 18 11:32:14 2024 (65F888AE)
    CheckSum:         0002020E
    ImageSize:        0001C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:
6: kd> lmDvmcspcm4
lmDvmcspcm4
Browse full module list
start             end                 module name
fffff806`71870000 fffff806`7187d000   cspcm4     (deferred)             
    Image path: \??\C:\Windows\system32\drivers\CrowdStrike\cspcm4.sys
    Image name: cspcm4.sys
    Browse all global symbols  functions  data  Symbol Reload
    Timestamp:        Mon Jul  8 18:33:22 2024 (668C9362)
    CheckSum:         00012F69
    ImageSize:        0000D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:
6: kd> lmDvmcsboot.sys
lmDvmcsboot.sys
Browse full module list
start             end                 module name

Unloaded modules:
fffff806`587d0000 fffff806`587dc000   CSBoot.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000C000

6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csboot
!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csboot

Hive         ffff84059ca7b000
KeyNode      ffff8405a6f68924

[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          1
REG_DWORD           Start                         0
REG_DWORD           ErrorControl                  1
REG_EXPAND_SZ       ImagePath                     system32\drivers\CrowdStrike\CSBoot.sys
REG_SZ              DisplayName                   CrowdStrike Falcon Sensor Boot Driver
REG_SZ              Group                         Early-Launch
6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csdevicecontrol
!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csdevicecontrol

Hive         ffff84059ca7b000
KeyNode      ffff8405a6f694ac

[SubKeyAddr]         [VolatileSubKeyName]
ffff84059ce196c4     Enum

 Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details

[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          1
REG_DWORD           Start                         3
REG_DWORD           ErrorControl                  1
REG_DWORD           Tag                           1f
REG_EXPAND_SZ       ImagePath                     \SystemRoot\System32\drivers\CSDeviceControl.sys
REG_SZ              DisplayName                   @oem40.inf,%DeviceControl.SVCDESC%;CrowdStrike Device Control Service
REG_SZ              Group                         Base
REG_MULTI_SZ        Owners                        oem40.inf\0!csdevicecontrol.inf_amd64_b6725a84d4688d5a\0!csdevicecontrol.inf_amd64_016e965488e83578\0
REG_DWORD           BootFlags                     14
6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csfirmwareanalysis
!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csfirmwareanalysis

Hive         ffff84059ca7b000
KeyNode      ffff8405a6f69d9c

[SubKeyAddr]         [VolatileSubKeyName]
ffff84059ce197cc     Enum

 Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details

[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          1
REG_DWORD           Start                         0
REG_DWORD           ErrorControl                  1
REG_DWORD           Tag                           6
REG_EXPAND_SZ       ImagePath                     system32\DRIVERS\CSFirmwareAnalysis.sys
REG_SZ              DisplayName                   @oem43.inf,%FirmwareAnalysis.SVCDESC%;CrowdStrike Firmware Analysis Service
REG_SZ              Group                         Boot Bus Extender
REG_MULTI_SZ        Owners                        oem43.inf\0!csfirmwareanalysis.inf_amd64_12861fc608fb1440\0
6: kd> !reg querykey \REGISTRY\MACHINE\system\Controlset001\control\earlylaunch
!reg querykey \REGISTRY\MACHINE\system\Controlset001\control\earlylaunch

As we can see from the above analysis, CrowdStrike loads four driver modules. One of those modules receives dynamic control and content updates frequently, based on the CrowdStrike Preliminary Post Incident Review timeline.

We can leverage the unique stack and attributes of this crash to identify the Windows crash reports generated by this specific CrowdStrike programming error. It’s worth noting the number of devices which generated crash reports is a subset of the number of impacted devices previously shared by Microsoft in our blog post, because crash reports are sampled and collected only from customers who choose to upload their crashes to Microsoft. Customers who choose to enable crash dump sharing help both driver vendors and Microsoft to identify and remediate quality issues and crashes.

Figure 1 CrowdStrike driver associated crash dump reports over time

We make this information available to driver owners so they can assess their own reliability via the Hardware Dev Center analytics dashboard. As we can see from the above, any reliability problem like this invalid memory access issue can lead to widespread availability issues when not combined with safe deployment practices. Let’s dig into why security solutions leverage kernel drivers on Windows.

Why do security solutions leverage kernel drivers?

Many security vendors such as CrowdStrike and Microsoft leverage a kernel driver architecture and there are several reasons for this.

Visibility and enforcement of security related events

Kernel drivers allow for system-wide visibility, and the capability to load in early boot to detect threats like bootkits and rootkits which can load before user-mode applications. In addition, Microsoft provides a rich set of capabilities such as system event callbacks for process and thread creation and filter drivers which can watch for events like file creation, deletion, or modification. Kernel activity can also trigger callbacks for drivers to decide when to block activities like file or process creations. Many vendors also use drivers to collect a variety of network information in the kernel using the NDIS driver class.

Performance

Kernel drivers are often utilized by security vendors for potential performance benefits. For example, analysis or data collection for high throughput network activity may benefit from a kernel driver. There are many scenarios where data collection and analysis can be optimized for operation outside of kernel mode and Microsoft continues to partner with the ecosystem to improve performance and provide best practices to achieve parity outside of kernel mode.

Tamper resistance

Another benefit of loading into kernel mode is tamper resistance. Security products want to ensure that their software cannot be disabled by malware, targeted attacks, or malicious insiders, even when those attackers have admin-level privileges. They also want to ensure that their drivers load as early as possible so that they can observe system events at the earliest possible time. Windows provides a mechanism to launch drivers marked as Early Launch Antimalware (ELAM) early in the boot process for this reason. CrowdStrike signs the above CSboot driver as ELAM, enabling it to load early in the boot sequence.

In the general case, there is a tradeoff that security vendors must rationalize when it comes to kernel drivers. Kernel drivers provide the above properties at the cost of resilience. Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode.

All code operating at kernel level requires extensive validation because it cannot fail and restart like a normal user application. This is universal across all operating systems. Internally at Microsoft, we have invested in moving complex Windows core services from kernel to user mode, such as font file parsing from kernel to user mode.

It is possible today for security tools to balance security and reliability. For example, security vendors can use minimal sensors that run in kernel mode for data collection and enforcement, limiting exposure to availability issues. The remainder of the key product functionality, including managing updates, parsing content, and other operations, can run isolated within user mode, where recovery is possible. This demonstrates the best practice of minimizing kernel usage while still maintaining a robust security posture and strong visibility.

Figure 2 Example security product architecture which balances security and reliability

Windows provides several user mode protection approaches for anti-tampering, like Virtualization-based security (VBS) Enclaves and Protected Processes that vendors can use to protect their key security processes. Windows also provides ETW events and user-mode interfaces like Antimalware Scan Interface for event visibility. These robust mechanisms can be used to reduce the amount of kernel code needed to create a security solution, which balances security and robustness.

How does Windows help ensure the quality of security related third-party products?

Microsoft engages with third-party security vendors through an industry forum called the Microsoft Virus Initiative (MVI). This group consists of Microsoft and security industry partners and was created to establish a dialogue and collaboration across the Windows security ecosystem to improve robustness in the way security products use the platform. With MVI, Microsoft and vendors collaborate on the Windows platform to define reliable extension points and platform improvements, as well as share information about how to best protect our customers.

Microsoft works with members of MVI to ensure compatibility with Windows updates, improve performance, and address reliability issues. MVI partners actively participating in the program contribute to making the ecosystem more resilient and gain benefits including technical briefings, feedback loops with Microsoft product teams, and access to antimalware platform features such as ELAM and Protected Processes. Microsoft also provides runtime protection such as Patch Guard to prevent disruptive behavior from kernel driver types like anti-malware.

In addition, all drivers signed by the Microsoft Windows Hardware Quality Labs (WHQL) must run a series of tests and attest to a number of quality checks, including using fuzzers, running static code analysis and testing under runtime driver verification, among other techniques. These tests have been developed to ensure that best practices around security and reliability are followed. Microsoft includes all these tools in the Windows Driver Kit used by all driver developers. A list of the resources and tools is available here.

All WHQL signed drivers are run through Microsoft’s ingestion checks and malware scans and must pass before being approved for signing. Additionally, if a third-party vendor chooses to distribute their driver via Windows Update (WU), the driver also goes through Microsoft’s flighting and gradual rollout processes to observe quality and ensure the driver meets the necessary quality criteria for a broad release.

Can customers deploy Windows in a higher security mode to increase reliability?

Windows at its core is an open and versatile OS, and it can easily be locked down for increased security using integrated tools. In addition, Windows is constantly increasing security defaults, including dozens of new security features enabled by default in Windows 11.

Security features enabled by default in Windows 11

Hardware Security Baseline
  • TPM 2.0
  • Secure Boot
  • Virtualization-based security (VBS)
  • Memory integrity (Hypervisor-protected Code Integrity (HVCI))
  • Hardware-enforced stack protection
  • Kernel Direct Memory Access (DMA) protection
  • HW-based kernel protection (HLAT)
  • Enhanced sign-in security (ESS) for built-in biometric sensors

Encryption
  • BitLocker (commercial)
  • Device Encryption (consumer)

Identity Management
  • Credential Guard
  • Entra primary refresh token (PRT) hardware protected
  • MDM deployed SCEP certs hardware protected
  • MDM enrollment certs hardware protected
  • Local Security Authority (LSA) PPL prevents token/credential dumping
  • Account lockout policy (for 10 failed sign-ins)
  • Enhanced phishing protection with Microsoft Defender
  • Microsoft Defender SmartScreen
  • NPLogonNotification doesn't include password
  • WDigest SSO removed to reduce password disclosure
  • AD Device Account protected by CredGuard*

Multi-Factor Authentication (Passwordless)
  • MSA & Entra users led through Hello enablement by default
  • MSA password automatically removed from Windows if never used
  • Hello container VSM protected
  • Peripheral biometric sensors blocked for ESS enabled devices
  • Lock on leave integrated into Hello

Security Incident Reduction
  • Common Log File System runs from trusted source
  • Move tool-tip APIs from kernel to user mode
  • Modernize print stack by removing untrusted drivers
  • DPAPI moved from 3DES to AES
  • TLS 1.3 default with TLS 1.0/1.1 disabled by default
  • NTLM-less*

OS lockdown
  • Microsoft Vulnerable Driver Blocklist
  • 3P driver security baseline enforced via WHCP
  • Smart App Control*

*Feature available in the Windows Insider Program or currently off by default and on a path for default enablement

Windows has integrated security features to self-defend. This includes key anti-malware features enabled by default, such as:

  1. Secure Boot, which helps prevent early boot malware and rootkits by enforcing signing consistently across Windows boots.
  2. Measured Boot, which provides TPM-based hardware cryptographic measurements on boot-time properties available through integrated attestation services such as Device Health Attestation.
  3. Memory integrity (also known as hypervisor-protected code integrity or HVCI), which prevents runtime generation of dynamic code in the kernel and helps ensure control flow integrity.
  4. Vulnerable driver blocklist, which is on by default, integrated into the OS, and managed by Microsoft. This complements the malicious driver block list.
  5. Protected Local Security Authority is on by default in Windows 11 to protect a range of credentials. Hardware-based credential protection is on by default for enterprise versions of Windows.
  6. Microsoft Defender Antivirus is enabled by default in Windows and offers anti-malware capabilities across the OS.

These security capabilities provide layers of protection against malware and exploitation attempts in modern Windows. Many Windows customers have leveraged our security baseline and Windows security technologies to harden their systems and these capabilities collectively have reduced the attack surface significantly.

Using the integrated security features of Windows to prevent adversary attacks such as those displayed in the MITRE ATT&CK® framework increases security while reducing cost and complexity. It leverages best practices to achieve maximum security and reliability. These best practices include:

  1. Using App Control for Business (formerly Windows Defender Application Control), you can author a security policy to allow only trusted and/or business-critical apps. Your policy can be crafted to deterministically and durably prevent nearly all malware and “living off the land” style attacks. It can also specify which kernel drivers are allowed by your organization to durably guarantee that only those drivers will load on your managed endpoints.
  2. Use Memory integrity with a specific allow list policy to further protect the Windows kernel using Virtualization-based security (VBS). Combined with App Control for Business, memory integrity can reduce the attack surface for kernel malware or boot kits. This can also be used to limit any drivers that might impact reliability on systems.
  3. Running as Standard User and elevating only as necessary. Companies that follow the best practices to run as standard user and reduce privileges mitigate many of the MITRE ATT&CK® techniques.
  4. Use Device Health Attestation (DHA) to monitor devices for the right security policy, including hardware-based measurements for the security posture of the machine. This is a modern and exceptionally durable approach to ensure security for high availability scenarios and uses Microsoft’s Zero Trust architecture.
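An added audit script (mine, not Microsoft's) that checks, on the local device, whether the Windows 11 defaults listed in the table above and the best practices just listed are actually in effect. It assumes Windows 11 Pro or Enterprise and an elevated PowerShell session; the WMI property codes and registry value names are the documented ones, and the pass criteria are this script's own interpretation.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the Microsoft post). Checks whether the Windows 11
# defaults and best practices discussed above are in effect on the local device.
# Property names and registry values are the documented ones; the pass/fail
# thresholds are this script's own interpretation.

function Get-SecurityBaselineStatus {
    $results = [System.Collections.Generic.List[object]]::new()
    $add = {
        param([string]$Check, [bool]$Pass, [string]$Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Secure Boot: the cmdlet throws on legacy BIOS firmware, which also means no Secure Boot.
    try   { & $add 'Secure Boot' (Confirm-SecureBootUEFI) 'Confirm-SecureBootUEFI' }
    catch { & $add 'Secure Boot' $false "Not available: $($_.Exception.Message)" }

    # TPM presence and readiness (basis for Measured Boot, BitLocker and Credential Guard).
    $tpm = Get-Tpm
    & $add 'TPM ready' ($tpm.TpmPresent -and $tpm.TpmReady) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"

    # VBS and the services layered on it, from the Win32_DeviceGuard WMI class.
    # VirtualizationBasedSecurityStatus: 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = memory integrity (HVCI).
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced (App Control for Business).
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $svc = @($dg.SecurityServicesRunning)
    & $add 'VBS running' ($dg.VirtualizationBasedSecurityStatus -eq 2) "Status=$($dg.VirtualizationBasedSecurityStatus)"
    & $add 'Memory integrity (HVCI)' ($svc -contains 2) "SecurityServicesRunning=$($svc -join ',')"
    & $add 'Credential Guard' ($svc -contains 1) "SecurityServicesRunning=$($svc -join ',')"
    & $add 'App Control kernel policy enforced' ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2) "Enforcement=$($dg.CodeIntegrityPolicyEnforcementStatus)"

    # Microsoft Vulnerable Driver Blocklist is enforced when this Code Integrity value is 1.
    $ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    & $add 'Vulnerable driver blocklist' ($ci.VulnerableDriverBlocklistEnable -eq 1) "VulnerableDriverBlocklistEnable=$($ci.VulnerableDriverBlocklistEnable)"

    # LSA as a protected process (PPL). This reads the explicit policy value; a device that
    # received the Windows 11 default without the value being written shows as not configured here.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    & $add 'LSA protection (RunAsPPL)' (@(1, 2) -contains $lsa.RunAsPPL) "RunAsPPL=$($lsa.RunAsPPL)"

    # BitLocker on the OS volume, and Defender Antivirus real-time protection.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    & $add 'BitLocker on OS volume' ($bl.ProtectionStatus -eq 'On') "ProtectionStatus=$($bl.ProtectionStatus)"
    $mp = Get-MpComputerStatus
    & $add 'Defender real-time protection' ($mp.RealTimeProtectionEnabled) "AMServiceEnabled=$($mp.AMServiceEnabled)"

    return $results
}

# Usage: list every check, then the failures that need remediation or a documented exception.
$status = Get-SecurityBaselineStatus
$status | Format-Table -AutoSize
$status | Where-Object { -not $_.Pass } | ForEach-Object { Write-Warning "Not in effect: $($_.Check) ($($_.Detail))" }
```

A failed check is a starting point for investigation, not proof of misconfiguration: hardware without a TPM or UEFI cannot pass the first checks, and an audit-mode App Control policy reports as not enforced by design.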

What is next?

Windows is a self-protecting operating system that has produced dozens of new security features and architectural changes in recent versions. We plan to work with the anti-malware ecosystem to take advantage of these integrated features to modernize their approach, helping to support and even increase security along with reliability.

This includes helping the ecosystem by:

  1. Providing safe rollout guidance, best practices, and technologies to make it safer to perform updates to security products.
  2. Reducing the need for kernel drivers to access important security data.
  3. Providing enhanced isolation and anti-tampering capabilities with technologies like our recently announced VBS enclaves.
  4. Enabling zero trust approaches like high integrity attestation which provides a method to determine the security state of the machine based on the health of Windows native security features.

As we move forward, Windows is continuing to innovate and offer new ways for security tools to detect and respond to emerging threats safely and securely. Windows has announced a commitment around the Rust programming language as part of Microsoft’s Secure Future Initiative (SFI) and has recently expanded the Windows kernel to support Rust.

The information in this blog post is provided as part of our commitment to communicate learnings and next steps after the CrowdStrike incident. We will continue to share ongoing guidance on security best practices for Windows and work across our broad ecosystem of customers and partners to develop new security capabilities based on your feedback.

The post Windows Security best practices for integrating and managing security tools appeared first on Microsoft Security Blog.

30 Jul 10:37

Classic Microsoft Outlook for Windows: New reporting buttons integrated with Microsoft Defender for Office 365

by João Ferreira

Starting August 2024, classic Microsoft Outlook for Windows will integrate new reporting buttons to allow users to report emails as phishing, junk, or not junk. Admins can customize these buttons and reporting options via the Microsoft 365 Defender portal. Rollout will be complete by late September 2024.

Starting August 2024 for classic Microsoft Outlook for Windows, we will add new built-in reporting buttons that allow users to report emails as phishing / junk / not junk. The new buttons will be included in the next semi-annual release of Outlook for Windows. Admins can control the appearance and behavior of these buttons from the User reported settings page in the Microsoft 365 Defender portal (security.microsoft.com). Admins can also customize where messages get reported to (reporting mailbox, Microsoft, or both) and what the user sees both before and after reporting messages from these buttons. Your current User reported settings page will not be changed by this rollout.

This message is associated with Microsoft 365 Roadmap ID 371388.

When this will happen:

General Availability (Worldwide, GCC, GCC High, and DoD): We will begin rolling out early August 2024 and expect to complete by late September 2024.

How this will affect your organization:

Before this rollout: Classic Microsoft Outlook for Windows users do not see reporting buttons.

After the rollout:

New reporting buttons and menu options in Outlook Classic:

[Image: user controls]

What you need to do to prepare:

This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your users about this change and update any relevant documentation.

Learn more

  • OWA (Outlook on the web) and new Outlook for Windows have had this functionality since November 2022 and there is no change to it.
  • The new built-in buttons on Outlook for Windows will inherit your existing User reported settings from OWA.
  • Other versions of Outlook such as Mac and Mobile (iPhone and Android) will not be affected by this change. We are working on adding the reporting buttons to other versions of Outlook.
  • If you have the reporting feature turned off in the Microsoft 365 Defender User reported settings page or are using a third-party add-in, the reporting buttons in classic Outlook for Windows won’t be visible.
  • The Microsoft reporting add-in (the Microsoft report message add-in and the Microsoft phishing add-in) will be supported until further notice. Customers who currently use the add-in and the new reporting buttons will see two sets of reporting buttons in the ribbon. However, when Outlook Mac and Mobile add the new reporting buttons in the near future, the reporting add-in will no longer be needed and can be removed.
  • The selections you make on the user reported settings page will determine the reporting experience for your users whether they choose the add-in or built-in reporting option in Outlook. Either option will report to the same place (Microsoft, custom mailbox, or both) based on the User reported settings selected.
  • Unlike OWA and new Outlook for Windows, the built-in reporting buttons in classic Outlook for Windows do not support reporting from shared and delegate mailboxes.

Message ID: MC841229

The post Classic Microsoft Outlook for Windows: New reporting buttons integrated with Microsoft Defender for Office 365 appeared first on M365 Admin.

28 Jul 23:39

4 reasons you don't need to buy most software anymore

by Samuel Contreras

Once upon a time, buying a new PC was accompanied by the need for a stack of software to get it going. You would need to pay for your operating system, office software, antivirus solution, and more to enable everyday usage. While open-source solutions to most of these have been available for years, many people still elect to use the paid versions to keep things simple. But there are a lot of great alternatives to some of the most popular paid apps. These days, luckily, we don't need to pay for nearly as much software upfront, but if you're not careful, you may end up paying for it on a month-to-month basis.

21 Jul 15:17

Beyblade X Episode 4 English Dubbed

by Muhammed Şahinler

03 Jul 10:46

Buried Lede: American Patriot Hero fined $48,000 for jamming cell phone frequencies during his highway commute so other drivers wouldn't kill him by driving and talking on their phones [Hero]

02 Jul 20:22

This Windows 11 bug may break Windows Security

by Rahul Naskar

The last few days weren't great for Windows 11 users. That is because Windows 11 users were widely reporting that their PCs were hit by several bugs after installing the June 2024 preview update (KB5039302). Microsoft does acknowledge those reported issues and is currently working on finding solutions. However, things got way worse when someone found out that Windows 11 might be plagued by what looks to be an unidentified bug, as Microsoft seems to be unaware of the issue.