AMD has officially confirmed that its next-gen Ryzen 7 9800X3D CPU will be arriving on 7th November & also brought price cuts for the Ryzen 9000 series.
X3D Action Next Month As AMD Confirms Ryzen 7 9800X3D Launch On 7th November, Ryzen 9000 CPUs Receive Price Cuts of Up To $50
Today, AMD is announcing two updates as a part of its Zen 5 "Ryzen 9000" family. The first CPU update is the major one in which the company has confirmed and teased its next-gen Ryzen 3D V-Cache CPUs and revealed that the first chip will be arriving on the […]
The action RPG Wayfinder has been released:
Wayfinder 1.0 Launch Trailer
Become a Wayfinder, and unlock their powers as you choose your path and playstyle while pushing back a hostile force that has overtaken your world. A Co-Op ARPG where you directly shape and customize the endless adventures you go on with friends, because Wayfinders are stronger together....
If you’ve ever used a modern Linux distribution, you’ve likely experienced the convenience of installing and updating software with a single command. Package managers, the tools behind this ease of use, have become a cornerstone of the Linux ecosystem, providing a structured and efficient way to manage software. However, the history of Linux package management is a long and evolving journey, beginning in the days when installing software was a manual, tedious, and error-prone process.
In this article, we’ll take a look at the evolution of Linux package management, from the early days of manual installations to today’s advanced, automated tools. We’ll explore how package managers were developed to address growing user demands, dependency problems, and the need for more efficient software distribution. By the end, you’ll have a deep understanding of how Linux package management has evolved and where it might be headed in the future.
The Early Days: Manual Installation of Software
The Beginning of Linux Distributions
When Linux was first introduced in the early 1990s, it was an exciting but highly technical operating system. Unlike today, there was no easy way to install software with a single command. Early Linux distributions, such as Slackware and Debian, required users to manually download source code, compile it, and install it themselves.
Tarballs and Source Code Compilation
In the early days, software was distributed in tarballs—compressed files that contained the source code of a program. Users had to unpack these tarballs, typically with the command tar -xvf, and then compile the software on their system. This was often a multi-step process that required running a configuration script (./configure) to check for system dependencies, compiling the source code into executable binaries using make, and finally installing the program with make install.
This process gave users maximum control but was fraught with difficulties:
Microsoft is enhancing passkey support in Windows 11 with a redesigned Windows Hello experience that allows users to sync passkeys to their Microsoft account or third-party providers like 1Password and Bitwarden. The Verge reports: A new API for third-party password and passkey managers means developers can plug directly into the Windows 11 experience, so you can use the same passkey from your mobile device to authenticate on your PC. Right now it's possible in some apps to do this through QR codes and other ways to authenticate from a mobile device, but Microsoft's full support means the passkeys experience on Windows is about to get a lot better.
Microsoft is also redesigning the Windows Hello prompt, including the ability to set up syncing of passkeys to your Microsoft account or saving them elsewhere. Once you've completed a one-time setup process, you can use facial recognition, fingerprint, or PIN to authenticate with a passkey across multiple Windows 11 devices. Windows Insiders will get access to these new passkey features "in the coming months."
Unified Linux Wine Game Launcher (UMU) from Thomas "GloriousEggroll" Crider version 1.1.1 is out now as the first official release to help improve Linux desktop and Steam Deck gaming.
Eurogamer reports about the Starfield: Shattered Space launch:
Starfield's Shattered Space DLC has a lukewarm take off
Launch break.
Shattered Space, Bethesda's first major expansion for Starfield, released a few days ago, but has unfortunately been met with middling PC player numbers and lukewarm reviews....
check before: 2024-10-01
Product: Exchange, Outlook, Teams
Platform: Education, Online, Web, World tenant
Status: Launched
Change type: Admin impact
Links: 49152
Details: Summary: Microsoft Teams is updating UDP signaling ports for Calling and Meetings to enhance efficiency. The source ports will change from 49152-65535 to 50070-50089, with the destination UDP port remaining at 3478. Rollout […]
Halo 5: Guardians, as well as other Xbox One exclusives, will soon become playable on PC thanks to a new Xbox One translation layer for Windows PCs. XWine1, which was revealed with a tweet on X, is an Xbox One translation layer for Windows PCs that currently runs six games properly. Among these games are Halo 5: Guardians, which hasn't been ported to PC to date, Rare Replay, Crimson Dragon, Forza Motorsport 5, Powerstar Golf, Space Jam: A New Legacy - The Game, Forza Motorsport 6, Forza Horizon 2 and CrossfireX. Unfortunately, the translation layer is not available to the […]
This week we're surprised to find ourselves talking about the Black Ops 6 multiplayer beta, but we've also got chat about Squirrel With a Gun, Tetris, and plenty of other stuff too. This week's music: PLAIINS - Slow Rotting, Fast Decay
Attackers are increasingly using new phishing toolkits (open-source, commercial, and criminal) to execute adversary-in-the-middle (AitM) attacks.
AitM enables attackers to not just harvest credentials but steal live sessions, allowing them to bypass traditional phishing prevention controls such as MFA, EDR, and email content filtering.
In this article, we’re going to look at what AitM phishing
Wednesday GitHub "broke itself," reports the Register, writing that "the Microsoft-owned code-hosting outfit says it made a change involving its database infrastructure, which sparked a global outage of its various services."
Or, as the Verge puts it, GitHub experienced "some major issues" which apparently lasted for 36 minutes:
When we first published this story, navigating to the main GitHub website showed an error message that said "no server is currently available to service your request," but the website was working again soon after. (The error message also featured an image of an angry unicorn.) GitHub's report of the incident also listed problems with things like pull requests, GitHub Pages, Copilot, and the GitHub API.
GitHub attributed the downtime to "an erroneous configuration change rolled out to all GitHub.com databases that impacted the ability of the database to respond to health check pings from the routing service. As a result, the routing service could not detect healthy databases to route application traffic to. This led to widespread impact on GitHub.com starting at 23:02 UTC." (Downdetector showed "more than 10,000 user reports of problems," according to the Verge, "and that the problems were reported quite suddenly.")
GitHub's incident report adds that "Given the severity of this incident, follow-up items are the highest priority work for teams at this time."
To prevent recurrence we are implementing additional guardrails in our database change management process. We are also prioritizing several repair items such as faster rollback functionality and more resilience to dependency failures.
"A new front has opened in the longstanding debate over how fast the universe is expanding," writes Science magazine:
For years astronomers have argued over a gulf between the expansion rate as measured from galaxies in the local universe and as calculated from studies of the cosmic microwave background (CMB), the afterglow of the Big Bang. The disparity was so large and persistent that some astronomers thought the standard theory of the universe might have to be tweaked. But over the past week, results from NASA's new James Webb Space Telescope orbiting observatory suggest the problem may be more mundane: some systematic error in the strategies used to measure the distance to nearby galaxies.
"The evidence based on these data does not suggest the need for additional physics," says Wendy Freedman of the University of Chicago, who leads [the Carnegie-Chicago Hubble Program, or CCHP] that calculated the expansion rate from JWST data using three different galactic distance measurements and released the results on the arXiv preprint server. (The papers have not yet been peer reviewed.) The methods disagreed about the expansion rate, known as the Hubble constant, or H0, and two were close to the CMB prediction.
Specifically, the team used JWST to measure the distance to 10 local galaxies using three stars with a predictable brightness: Cepheids, the brightest red giant stars, and carbon stars. Science notes that the last two methods "agreed to about 1%, but differed from the Cepheid-based distance by 2.5% to 4%." Combining all three methods the team derived a value "just shy of 70 km/s per Mpc," according to the article — leading the University of Chicago's Freedman to say "There's something systematic in the measurements. Until we can establish unambiguously where the issue lies in the nearby universe, we can't be claiming that there's additional physics in the distant universe."
But the controversy continues, according to Adam Riess of Johns Hopkins University (leader of a team of Hubble Constant researchers known as SH0ES).
Riess points out that other teams have used JWST to measure distances with all three methods separately and have come up with values closer to the original SH0ES result. He also questions why CCHP excluded data from telescopes other than JWST. "I don't see a compelling justification for excluding the data they do," he says.
Thanks to long-time Slashdot reader sciencehabit for sharing the article.
If you love your classic RTS games, especially those from Westwood like Command & Conquer and Red Alert, you need to play the OpenRA mod Command & Conquer - Combined Arms.
Intel published a number of new CPU microcode images this Patch Tuesday for addressing various security issues as well as a number of functional issues being addressed across different CPU client and server processor generations...
Last week, Bethesda released a remastered edition of Doom and Doom II on Steam, with lots of extra episodes and improvements. One of these new features is a built-in browser for mods, and support for many existing mods that previously required a different version of the game. Basically, lots of good fan-made mods are now playable on the Steam version of ye olde Doom. That's neat! Ah, but there is some demon excrement on the health pack, so to speak. The mod browser lacks moderation and lets people upload the work of others with their own name pinned as the author. That's prompted one level designer to call it "a massive breach of trust and violation of norms the Doom community has done its best to hold to for those 30 years."
Microsoft researchers recently identified multiple medium severity vulnerabilities in OpenVPN, an open-source project with binaries integrated into routers, firmware, PCs, mobile devices, and many other smart devices worldwide, numbering in the millions. Attackers could chain and remotely exploit some of the discovered vulnerabilities to achieve an attack chain consisting of remote code execution (RCE) and local privilege escalation (LPE). This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information. Exploiting these vulnerabilities, however, necessitates user authentication and a deep understanding of OpenVPN’s inner workings, alongside intermediate knowledge of the operating systems. Today, we presented this research and demonstrated the discovered attack chain in our session at Black Hat USA 2024.
OpenVPN is widely used by thousands of companies spanning various industries across major platforms such as Windows, iOS, macOS, Android, and BSD. As such, exploitation of the discovered vulnerabilities, which affect all versions of OpenVPN prior to version 2.6.10 (and 2.5.10), could put endpoints and enterprises at significant risk of attack.
We reported the discovery to OpenVPN through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in March 2024 and worked closely with OpenVPN to ensure that the vulnerabilities are patched. Information on the security fixes released by OpenVPN to address these vulnerabilities can be found here: OpenVPN 2.6.10. We strongly urge OpenVPN users to apply the latest security updates as soon as possible. We also thank OpenVPN for their collaboration and recognizing the urgency in addressing these vulnerabilities.
Below is a list of the discovered vulnerabilities discussed in this blog:
In this blog post, we detail our analysis of the discovered vulnerabilities and the impact of exploitation. In addition to patching, we provide guidance to mitigate and detect threats attempting to exploit these vulnerabilities. This research emphasizes the need for responsible disclosure and collaboration among the security community to defend devices across platforms and build better protection for all, spanning the entire user-device ecosystem. The discovery of these vulnerabilities further highlights the critical importance of ensuring the security of enterprise and endpoint systems and underscores the need for continuous monitoring and protection of these environments.
What is OpenVPN?
OpenVPN is a virtual private network (VPN) system that creates a private and secure point-to-point or site-to-site connection between networks. The OpenVPN open-source project is widely popular across the world, including the United States, India, France, Brazil, the United Kingdom, and Germany, as well as industries spanning the information technology, financial services, telecommunications, and computer software sectors. This project supports different major platforms and is integrated into millions of devices globally.
OpenVPN is also the name of the tunneling protocol it uses, which employs the Secure Socket Layer (SSL) encryption protocol to ensure that data shared over the internet remains private, using AES-256 encryption. Since the source code is available for audit, vulnerabilities can be easily identified and fixed.
OpenVPN analysis
We discovered the vulnerabilities while examining the OpenVPN open-source project to enhance enterprise security standards. During this research, we checked two other popular VPN solutions and found that at the time they were impacted by a vulnerability (CVE-2024-1305). Following this discovery, we started hunting for and uncovered additional vulnerable drivers with the same issue and decided to investigate open-source VPN projects. Upon confirming that the same vulnerability was located in the OpenVPN open-source repository, our research then focused on examining the architecture and security model of the OpenVPN project for Windows systems.
OpenVPN architecture
OpenVPN server client architecture
OpenVPN is a sophisticated VPN system meticulously engineered to establish secure point-to-point or site-to-site connections. It supports both routed and bridged configurations, as well as remote access capabilities, making it a versatile choice for various networking needs. OpenVPN comprises both client and server applications, ensuring a comprehensive solution for secure communication.
With OpenVPN, peers can authenticate each other through multiple methods, including pre-shared secret keys, certificates, or username/password combinations. In multi-client server environments, the server can generate and issue an individual authentication certificate for each client, leveraging robust digital signatures and a trusted certificate authority. This ensures an elevated level of security and integrity in the authentication process, enhancing the overall reliability of the VPN connection.
Client-side architecture
The client-side architecture is where we discovered the additional three vulnerabilities (CVE-2024-27459, CVE-2024-24974, and CVE-2024-27903):
OpenVPN’s client architecture can be summarized in the following simplified diagram:
openvpnserv.exe and openvpn.exe
The system service launches elevated commands on behalf of the user, handling tasks such as adding or deleting DNS configurations, IP addresses, and routes, and enabling Dynamic Host Configuration Protocol (DHCP). These commands are received from the openvpn.exe process through a named pipe created for these two entities, such as “openvpn/service_XXX” where XXX is the thread ID (TID) that is being passed to the newly created process as a command line argument.
The launched commands arrive in the form of a binary structure that contains the relevant information for the specific command, with the structure being validated and only then launching the appropriate command. The below figure displays an example of the structure that contains information for adding/deleting DNS configuration:
Additionally, openvpnserv.exe serves as the management unit, spawning openvpn.exe processes upon requests from different users on the machine. This can be done automatically using the OpenVPN GUI or by sending specifically crafted requests. Communication for this process occurs through a second named pipe, such as “openvpn/service”.
Openvpn.exe is the user mode process being spawned on behalf of the client. When openvpn.exe starts, it receives a path for a configuration file (as a command line argument). The configuration file that’s provided holds different information.
Another mechanism of interest for us is the plugin mechanism in openvpn.exe, which can extend the functionality to add additional logic, such as authentication plugins to bring authentication against Lightweight Directory Access Protocol (LDAP) or Radius or other Pluggable Authentication Module (PAM) backends. Some of the existing plugins are:
Radiusplugin – Radius authentication support for OpenVPN.
Eurephia – Authentication and access control plugin for OpenVPN.
Openvpn_defer_auth – OpenVPN plugin to perform deferred authentication requests.
The plugin mechanism fits into the earlier diagram, as shown in Figure 2.
The plugin is loaded as a directive in the configuration file, which looks like:
Furthermore, a number of callbacks defined in the plugin are invoked on behalf of the loading process (openvpn.exe), such as:
openvpn_plugin_func_v1 – This function is called by OpenVPN each time the OpenVPN reaches a point where plugin calls should happen.
openvpn_plugin_{open, func}_v3() – Defines the version of the v3 plugin argument.
OpenVPN security model
As previously mentioned, we discovered four vulnerabilities on the client side of OpenVPN’s architecture.
As described before, openvpnserv.exe (SYSTEM service) spawns the openvpn.exe process as a result of the request from the user. Furthermore, the spawned process runs in the context of the user who requested to create the new process, which is achieved through named pipe impersonation, as displayed in the below image:
The ImpersonateNamedPipeClient function impersonates a named pipe client application.
Furthermore, to prevent unwanted behavior, specific EXPLICIT_ACCESS must be granted for any new process:
This explicit access, in addition to the earlier described “elevated commands” launched by openvpnserv.exe on request from the openvpn.exe process, and other comprehensive inspection of the passed arguments ensure that malicious behavior cannot be launched in the name of the impersonated user.
Vulnerability analysis
CVE-2024-1305
We identified a vulnerability in the “tap-windows6” project that involves developing the Terminal Access Point (TAP) adapter used by OpenVPN. In the project’s src folder, the device.c file contains the code for the TAP device object and its initialization.
In the device.c file, the CreateTapDevice method initializes a dispatch table object with callbacks for methods managing various Input/Output Controls (IOCTLs) for the device. One of these methods is TapDeviceWrite, which handles the write IOCTL.
The TapDeviceWrite method performs several operations and eventually calls TapSharedSendPacket. This method, in turn, calls NdisAllocateNetBufferAndNetBufferLists twice. In one scenario, it calls this function with the fullLength parameter, defined as follows:
Both PacketLength and PrefixLength are parameters passed from the TapDeviceWrite call and, therefore, attacker controlled. If these values are large enough, their sum (fullLength) can overflow (a 32-bit unsigned integer). This overflow results in the allocation of a smaller-than-expected memory size, which subsequently causes a memory overflow issue.
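The length computation described above, as an added example that is not code from tap-windows6 or from Microsoft's write-up: the unchecked 32-bit sum beside a checked version that refuses a wrapped or oversized result before anything is allocated. The function names, the MAX_FRAME bound and the simulated send path are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example modelling the fullLength computation described for
 * TapSharedSendPacket: the allocation size is the sum of two caller-
 * controlled 32-bit lengths. All names here are assumptions, not the
 * tap-windows6 identifiers. */

#define MAX_FRAME 2048u   /* assumed largest legitimate packet */

/* Unchecked sum, as the vulnerable pattern computes it. Unsigned addition
 * wraps modulo 2^32, so two large inputs yield a small allocation size. */
uint32_t full_length_unchecked(uint32_t packet_length, uint32_t prefix_length)
{
    return packet_length + prefix_length;
}

/* Hardened: returns the sum, or -1 if it would wrap or exceed MAX_FRAME.
 * The wrap test is performed without doing the addition first. */
int64_t full_length_checked(uint32_t packet_length, uint32_t prefix_length)
{
    if (packet_length > UINT32_MAX - prefix_length)
        return -1;                          /* sum would not fit in 32 bits */
    uint32_t sum = packet_length + prefix_length;
    if (sum > MAX_FRAME)
        return -1;                          /* larger than any real frame */
    return (int64_t)sum;
}

/* Simulated send path using the checked length: the copy of
 * prefix_length + packet_length bytes can never exceed the allocation,
 * because a wrapped or oversized sum is refused before malloc. */
int send_packet(const uint8_t *prefix, uint32_t prefix_length,
                const uint8_t *packet, uint32_t packet_length)
{
    int64_t full_length = full_length_checked(packet_length, prefix_length);
    if (full_length < 0)
        return -1;
    uint8_t *buf = malloc((size_t)full_length);
    if (buf == NULL)
        return -1;
    memcpy(buf, prefix, prefix_length);
    memcpy(buf + prefix_length, packet, packet_length);
    free(buf);
    return 0;
}

/* Demo driver over constructed buffers sized to MAX_FRAME; the two lengths
 * passed in are the values an IOCTL caller would control. */
int demo_send(uint32_t prefix_length, uint32_t packet_length)
{
    static uint8_t prefix[MAX_FRAME];
    static uint8_t packet[MAX_FRAME];
    return send_packet(prefix, prefix_length, packet, packet_length);
}
```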
CVE-2024-27459
The second vulnerability that we discovered resided in the communication mechanism between the openvpn.exe process and the openvpnserv.exe service. As described earlier, both of which communicate through a named pipe:
The openvpnserv.exe service will read the message size in an infinite loop from the openvpn.exe process and then handle the message received by calling the HandleMessage method. The HandleMessage method reads the size provided by the infinite loop and casts the read bytes into the relevant type accordingly:
This communication mechanism presents an issue: reading the user-provided number of bytes onto an n-byte structure located on the stack produces a stack overflow vulnerability.
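The message handling described above, as an added example that is not OpenVPN's or Microsoft's code: a handler that copies a caller-supplied number of bytes into a fixed stack structure, beside a hardened handler that bounds the size before any copy and then requires it to match the structure for the declared message type. The message types, layouts and names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>

/* Added example modelling the pipe messages described in the text: the
 * service reads a caller-supplied size, then copies that many bytes into a
 * fixed-size structure on the stack. Types, layouts and names are
 * assumptions, not OpenVPN's own definitions. */

enum msg_type { MSG_ADD_ROUTE = 1, MSG_SET_DNS = 2 };

typedef struct { uint32_t type; uint32_t iface_index; char dest[64]; } route_msg_t;
typedef struct { uint32_t type; uint32_t iface_index; char servers[256]; } dns_msg_t;

#define MAX_MSG_SIZE sizeof(dns_msg_t)   /* largest legitimate message */

/* Vulnerable shape (shown for comparison, never called in this example):
 * the caller-supplied size becomes the copy length into a 72-byte stack
 * object, so any larger size writes past it. */
int handle_message_unchecked(const uint8_t *data, uint32_t size)
{
    route_msg_t msg;
    memcpy(&msg, data, size);
    return (int)msg.type;
}

/* Hardened: bound the size before any copy, then require it to match the
 * structure for the declared type exactly. Returns the type on success,
 * -1 when the message is rejected. */
int handle_message_checked(const uint8_t *data, uint32_t size)
{
    uint8_t buf[MAX_MSG_SIZE];
    uint32_t type;

    if (size < sizeof type || size > sizeof buf)
        return -1;                       /* rejected before the copy */
    memcpy(buf, data, size);
    memcpy(&type, buf, sizeof type);

    switch (type) {
    case MSG_ADD_ROUTE:
        return size == sizeof(route_msg_t) ? MSG_ADD_ROUTE : -1;
    case MSG_SET_DNS:
        return size == sizeof(dns_msg_t) ? MSG_SET_DNS : -1;
    default:
        return -1;                       /* unknown type */
    }
}

/* Builds a constructed, zero-filled payload whose only set field is the
 * type, with whatever size the caller claims, and runs it through the
 * checked handler so well-formed and malformed sizes can be compared. */
int send_constructed(uint32_t type, uint32_t claimed_size)
{
    static uint8_t wire[4096];           /* constructed pipe payload */
    if (claimed_size > sizeof wire)
        return -1;
    memset(wire, 0, sizeof wire);
    memcpy(wire, &type, sizeof type);
    return handle_message_checked(wire, claimed_size);
}
```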
CVE-2024-24974
The third vulnerability involves unprivileged access to an operating system resource. The openvpnserv.exe service spawns a new openvpn.exe process based on user requests received through the “\\openvpn\\service” named pipe. This vulnerability allows remote access to the named service pipe, enabling an attacker to remotely interact with and launch operations on it.
CVE-2024-27903
Lastly, we identified a vulnerability in OpenVPN’s plugin mechanism that permits plugins to be loaded from various paths on an endpoint device. This behavior can be exploited by attackers to load harmful plugins from these different paths.
Exploiting and chaining the vulnerabilities
All the identified vulnerabilities can be exploited once an attacker gains access to a user’s OpenVPN credentials, which could be accomplished using credential theft techniques, such as purchasing stolen credentials on the dark web, using info-stealing malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them. The discovered vulnerabilities could then be combined to achieve different exploitation results, or chained together to form a sophisticated attack chain, as detailed in the below sections.
RCE exploitation
We first explored how an attacker could achieve remote code execution (RCE) exploitation using CVE-2024-24974 and CVE-2024-27903.
To successfully exploit these vulnerabilities and achieve RCE, an attacker must first obtain an OpenVPN user’s credentials. The attacker’s device must then run the NET USE command with the stolen credentials to remotely access the operating system resources, which grants the attacker access to the named pipe objects.
Next, the attacker can send a “connect” request to the “\\openvpn\\service” named pipe to launch a new instance of openvpn.exe on its behalf.
In the request, a path to a configuration file (\\\\DESKTOP-4P6938I\\share\\OpenVPN\\config\\sample.ovpn) is specified that’s located on the attacker-controlled device. A log path is also provided into which the loaded plugin will write its logs (--log \\\\{TARGET_MACHINE_PLACEHOLDER}\\share\\OpenVPN\\log\\plugin_log.txt).
The provided configuration contains instructions to load a malicious plugin, as follows:
After successful exploitation, the attacker can read the log provided on the attacker-controlled device.
LPE exploitation
Next, we investigated how an attacker could achieve local privilege escalation (LPE) using CVE-2024-27459 and CVE-2024-27903. To successfully achieve an LPE exploit in this context, an attacker must load a malicious plugin into the normal launching process of openvpn.exe by using a malicious configuration file.
First, the attacker will connect to a local device “\\openvpn\\service” named pipe with a command that instructs openvpnserv.exe to launch openvpn.exe based on the attacker-provided malicious configuration.
The malicious configuration will include a line like the below example:
For the malicious plugin to successfully communicate with openvpnserv.exe, it must hijack the number of the handle used by openvpn.exe to communicate over the inner named pipe connecting the openvpn.exe process and the openvpnserv.exe service. This can be achieved, for instance, by parsing command line arguments, as displayed below:
This works because when the openvpn.exe process spawns, it’s being passed the TID (as a command line argument) that the inner named pipe (which is being used for communication between this specific OpenVPN instance and the openvpnserv.exe service) will have. For instance, if the inner named pipe created is “\\openvpn\\service_1234” then openvpn.exe will be launched with an extra argument of 1234.
Next, attackers can exploit the stack overflow vulnerability by sending data bigger than the MSG structure. It is important to note that there are stack protection mechanisms in place, called stack canaries, which make exploitation much more challenging. Thus, when triggering the overflow:
After the crash of openvpnserv.exe, the attacker has a slot of time in which they can reclaim the named pipe “\\openvpn\\service”.
If successful, the attacker then poses as the server side of the named pipe “\\openvpn\\service”. From that moment on, every attempt to connect to the “\\openvpn\\service” named pipe will result in a connection to the attacker. If a sufficiently privileged user, such as a SYSTEM or Administrator user, connects to the named pipe, the attacker can impersonate that user:
The attacker can then start an elevated process on the user’s behalf, thus achieving LPE.
Chaining it all together
As our research demonstrated, an attacker could leverage at least three of the four discovered vulnerabilities to create exploits to achieve RCE and LPE, which could then be chained together to create a powerful attack chain.
A number of adjustments are needed for the full attack chain to be exploited as presented in this blog post: mainly, the malicious payload that crashes openvpnserv.exe and the malicious payload that then behaves as openvpnserv.exe after it has crashed both have to be loaded with the malicious plugin. After successfully achieving LPE, attackers can use different techniques, such as Bring Your Own Vulnerable Driver (BYOVD) or exploiting known vulnerabilities, to gain a stronger hold on the endpoint. Through these techniques, the attacker can, for instance, disable Protected Process Light (PPL) for a critical process such as Microsoft Defender, or bypass and meddle with other critical processes in the system. These actions enable attackers to bypass security products and manipulate the system’s core functions, further entrenching their control and avoiding detection.
Critical importance of endpoint security in private and enterprise sectors
With OpenVPN being widely used across various vendors, industries, and fields, the presented vulnerabilities may impact numerous sectors, device types, and verticals. Exploiting these vulnerabilities requires user authentication, a deep understanding of OpenVPN’s inner workings, and intermediate knowledge of the operating system. However, a successful attack could significantly impact endpoints in both the private and enterprise sectors. Attackers could launch a comprehensive attack chain on a device using a vulnerable version of OpenVPN, achieving full control over the target endpoint. This control could enable them to steal sensitive data, tamper with it, or even wipe and destroy critical information, causing substantial harm to both private and enterprise environments.
The discovery of these vulnerabilities underscores the importance of responsible disclosure to secure enterprise and endpoint systems, in addition to the collective efforts of the security community to protect devices across various platforms and establish stronger safeguards for everyone. We would like to again thank OpenVPN for their partnership and swift action in addressing these vulnerabilities.
Mitigation and protection guidance
OpenVPN versions prior to 2.5.10 and 2.6.10 are affected by the vulnerabilities discussed here.
It is recommended to first identify if a vulnerable version is installed and, if so, immediately apply the relevant patch found here: OpenVPN 2.6.10.
Additionally, follow the below recommendations to further mitigate potential exploitation risks affiliated with the discovered vulnerabilities:
Apply patches to affected devices in your network. Check the OpenVPN website for the latest patches.
Make sure OpenVPN clients are disconnected from the internet and segmented.
Limit access to OpenVPN clients to authorized users only.
Due to the nature of the CVEs, which still require a username and password, prioritizing patching is difficult. Reduce risk by ensuring proper segmentation, requiring strong usernames and passwords, and reducing the number of users that have writing authentication.
Microsoft Defender XDR detections
Microsoft Defender for Endpoint
The following Microsoft Defender for Endpoint alert can indicate associated threat activity:
Suspicious OpenVPN named pipe activity
Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:
CVE-2024-27459
CVE-2024-24974
CVE-2024-27903
CVE-2024-1305
Microsoft Defender for IoT
Microsoft Defender for IoT raises alerts for the following vulnerabilities, exploits, and behavior associated with this threat:
Suspicion of Malicious Activity
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following query to find related activity in their networks:
This query identifies connections to OpenVPN’s named pipe from a remote host:
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields=parse_json(AdditionalFields)
| extend PipeName=JsonAdditionalFields["PipeName"]
| where PipeName == "\\Device\\NamedPipe\\openvpn\\service" and isnotempty(RemoteIP)
This query identifies image loads into OpenVPN’s process from a network share:
DeviceImageLoadEvents
| where InitiatingProcessFileName == "openvpn.exe" and FolderPath startswith "\\\\"
This query identifies a process other than openvpnserv.exe connecting to OpenVPN’s named pipe as the server end:
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend JsonAdditionalFields=parse_json(AdditionalFields)
| extend PipeName=JsonAdditionalFields["PipeName"], NamedPipeEnd=JsonAdditionalFields["NamedPipeEnd"]
| where PipeName == "\\Device\\NamedPipe\\openvpn\\service" and NamedPipeEnd == "Server" and InitiatingProcessFileName != "openvpnserv.exe"
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.
List of devices with OpenVPN vulnerabilities
DeviceTvmSoftwareVulnerabilities
| where OSPlatform contains "Windows"
| where CveId in ("CVE-2024-27459","CVE-2024-24974","CVE-2024-27903","CVE-2024-1305")
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware
Named pipe creation activity of OpenVPN
let PipeNames = pack_array('\\openvpn/service','\\openvpn/service_','openvpn','openvpn/service','\\openvpn\\service_');
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == "NamedPipeEvent"
| where ProcessCommandLine contains "openvpn.exe" or InitiatingProcessCommandLine contains "openvpn.exe"
| extend Fields=parse_json(AdditionalFields)
| where Fields.FileOperation == "File created"
| where Fields.PipeName has_any (PipeNames)
| project TimeGenerated,ActionType,DeviceName,InitiatingProcessAccountDomain,InitiatingProcessAccountName,InitiatingProcessFolderPath,
InitiatingProcessCommandLine,ProcessCommandLine,Fields.FileOperation,Fields.PipeName
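The same conditions the Defender XDR queries and the Sentinel named-pipe creation query express, re-implemented here as an added example (not Microsoft's code) over constructed DeviceEvents and DeviceImageLoadEvents rows, so the logic can be exercised against sample data before it is turned into a custom detection. Field names follow the Advanced Hunting schema used in the queries; the device names, IPs and paths are made up.

```python
"""Offline re-implementation of the OpenVPN named-pipe hunting logic (added example)."""
import json

SERVICE_PIPE = r"\Device\NamedPipe\openvpn\service"
LEGIT_SERVER = "openvpnserv.exe"
# Pipe name fragments mirrored from the Sentinel "named pipe creation" query.
CREATION_PIPE_NAMES = (
    r"\openvpn/service", r"\openvpn/service_", "openvpn",
    "openvpn/service", r"\openvpn\service_",
)


def _fields(event):
    """AdditionalFields is a JSON string in DeviceEvents; this is the parse_json step."""
    raw = event.get("AdditionalFields") or "{}"
    return json.loads(raw) if isinstance(raw, str) else raw


def check_named_pipe_event(event):
    """Return finding tags for one DeviceEvents row (empty list if nothing matched)."""
    findings = []
    if event.get("ActionType") != "NamedPipeEvent":
        return findings
    f = _fields(event)
    pipe = f.get("PipeName", "")
    proc = (event.get("InitiatingProcessFileName") or "").lower()
    # Query 1: a remote host talking to the service pipe.
    if pipe == SERVICE_PIPE and event.get("RemoteIP"):
        findings.append("remote_pipe_client")
    # Query 3: something other than openvpnserv.exe holding the server end.
    if pipe == SERVICE_PIPE and f.get("NamedPipeEnd") == "Server" and proc != LEGIT_SERVER:
        findings.append("rogue_pipe_server")
    # Sentinel query: openvpn.exe creating an openvpn-named pipe. KQL has_any is
    # term-based; a case-insensitive substring test approximates it here.
    cmdlines = (event.get("ProcessCommandLine") or "") + " " + (event.get("InitiatingProcessCommandLine") or "")
    if (f.get("FileOperation") == "File created"
            and "openvpn.exe" in cmdlines.lower()
            and any(n.lower() in pipe.lower() for n in CREATION_PIPE_NAMES)):
        findings.append("openvpn_pipe_created")
    return findings


def check_image_load(event):
    """Query 2: openvpn.exe loading a module from a UNC path (two leading backslashes)."""
    if (event.get("InitiatingProcessFileName", "").lower() == "openvpn.exe"
            and (event.get("FolderPath") or "").startswith("\\\\")):
        return ["image_load_from_share"]
    return []


def hunt(device_events, image_load_events):
    """Apply every check; return (DeviceName, tag) pairs in input order."""
    hits = []
    for e in device_events:
        hits += [(e["DeviceName"], t) for t in check_named_pipe_event(e)]
    for e in image_load_events:
        hits += [(e["DeviceName"], t) for t in check_image_load(e)]
    return hits


# Constructed sample rows (not real telemetry).
SAMPLE_DEVICE_EVENTS = [
    {   # benign: the real service owns the server end, local client only
        "DeviceName": "ws01", "ActionType": "NamedPipeEvent",
        "InitiatingProcessFileName": "openvpnserv.exe", "RemoteIP": "",
        "AdditionalFields": json.dumps({"PipeName": SERVICE_PIPE, "NamedPipeEnd": "Server"}),
    },
    {   # suspicious: an unrelated binary exposes the service pipe name
        "DeviceName": "ws02", "ActionType": "NamedPipeEvent",
        "InitiatingProcessFileName": "update.exe", "RemoteIP": "",
        "AdditionalFields": json.dumps({"PipeName": SERVICE_PIPE, "NamedPipeEnd": "Server"}),
    },
    {   # suspicious: the pipe was reached over the network
        "DeviceName": "ws03", "ActionType": "NamedPipeEvent",
        "InitiatingProcessFileName": "openvpn.exe", "RemoteIP": "10.0.0.9",
        "AdditionalFields": json.dumps({"PipeName": SERVICE_PIPE, "NamedPipeEnd": "Client"}),
    },
    {   # pipe creation by openvpn.exe
        "DeviceName": "ws04", "ActionType": "NamedPipeEvent",
        "InitiatingProcessFileName": "openvpn.exe",
        "InitiatingProcessCommandLine": r'"C:\Program Files\OpenVPN\bin\openvpn.exe" --config x.ovpn',
        "AdditionalFields": json.dumps({"PipeName": r"\openvpn\service_", "FileOperation": "File created"}),
    },
    {   # unrelated event type, ignored
        "DeviceName": "ws05", "ActionType": "ProcessCreated", "AdditionalFields": "{}",
    },
]

SAMPLE_IMAGE_LOADS = [
    {"DeviceName": "ws06", "InitiatingProcessFileName": "openvpn.exe", "FolderPath": r"\\fileshare\tools\plugin.dll"},
    {"DeviceName": "ws07", "InitiatingProcessFileName": "openvpn.exe", "FolderPath": r"C:\Program Files\OpenVPN\bin\libcrypto.dll"},
]

if __name__ == "__main__":
    for device, tag in hunt(SAMPLE_DEVICE_EVENTS, SAMPLE_IMAGE_LOADS):
        print(f"{device}: {tag}")
```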
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
Today id Software and Bethesda Softworks announced a new bundling of the original DOOM + DOOM II, with a whole bunch of enhancements using Nightdive Studio's KEX engine. A free update for existing owners too.
An anonymous reader quotes a report from The Register: Before WordPerfect, the most popular word processor was WordStar. Now, the last ever DOS version has been bundled and set free by one of its biggest fans. WordStar 7.0d was the last-ever DOS release of the classic word processor, and it still has admirers today. A notable enthusiast is Canadian SF writer Robert J Sawyer, who wrote the book that became the TV series Flashforward.
Thanks to his efforts you can now try out this pinnacle of pre-Windows PC programs for professional prose-smiths. Sawyer has taken the final release, packaged it up along with some useful tools -- including DOS emulators for modern Windows -- and shared the result. Now you, too, can revel in the sheer unbridled power of this powerful app. The download is 680MB, but as well as the app itself, full documentation, and some tools to help translate WordStar documents to more modern formats, it also includes copies of two FOSS tools that will let you run this MS-DOS application on modern Windows: DOSbox-X and vDosPlus. "The program has been a big part of my career -- not only did I write all 25 of my novels and almost all of my short stories with it (a few date back to the typewriter era), I also in my earlier freelance days wrote hundreds of newspaper and magazine articles with WordStar," says Sawyer.
There’s a little game I like to play sometimes, and it seems to be popular with other folks who tend to work out at home: What equipment would I buy if I were starting a new home gym from scratch? Or you can play the advanced version: if you already have (insert common items here), what would you buy next?
What follows are my picks for anybody starting a new home gym or looking to expand the one they have—whether that means a corner of your bedroom or a full-on garage-based weightlifting paradise. I'll start with space- and budget-friendly items, then move on to some bigger-ticket buys.
If I had a smidge of extra cash, I’d buy them as adjustable kettlebells, like this one from Bells of Steel, so they could get heavier as I got stronger. Competition-style adjustables are by far the best kind.
Pulling exercises are some of the hardest to improvise outside of a gym (although if you took my advice about kettlebells, you could do rows with those). A doorway pull-up bar like this one barely takes up any space, but it opens up a ton of possibilities. If your doorframes don't allow that type of bar, try a pull-up tower like this one.
Cardio is good for you. I keep telling myself this, and I’m almost starting to believe it. With a spin bike, you can do intervals or steady state work while staying comfortably indoors when the road outside is dark, or wet, or icy. The price range of options here is wide: you can splurge on a top-of-the-line Peloton or go for one of the budget bikes (like a Sunny) that are less than a fifth of the price.
My first choice for a cardio machine is the bike, as mentioned earlier. But if you want another device, I’d vote for a rower. Rowers involve your full body, and they’re great for interval training. The Concept 2 is probably the best-known (and, many would say, the best) brand in this space. (Not a rower person? My third choice would be a treadmill.)
Dumbbells are a great way to lift weights at home. They’re smaller than a barbell, less specialized than a set of kettlebells, and you can do a ton of different workouts with them.
As with kettlebells, you’ll need to decide if you want to get a few pairs at specific fixed weights (cheaper to start), or go for a pricier adjustable set. Powerblock and Bowflex are the fancy kind, if you have the money but want to save space.
If you have dumbbells or want to do any sort of bro workout, you’re going to need a bench. I’m more of a barbell person, so I just got a flat bench that can fit in my rack when I want to bench press. But people who do more dumbbell work often prefer a sturdy adjustable bench that can be configured for incline or upright seated work.
A barbell
If you’re into powerlifting or weightlifting, or just want to go heavy in your general strength workouts, there’s really no substitute for a good ol’ barbell. “Standard” bars with a one-inch hole are common in budget sets, but your purchase will have more longevity if you opt for an “Olympic” style bar with two-inch collars. Get a 45-pound or 20-kilogram bar like this one unless you have a specific reason to get something else.
Iron weight plates
You’ve got a few options for plates—we’ll discuss another in a minute—but iron plates are the classic choice. They’re sturdy, appropriately heavy, and up to almost any job. Get any kind that appeals to you: regular metal plates, plastic-coated ones, vintage-style deep dish. Anything but hex plates.
Not everyone needs bumper plates, but if you’re one of those people who does, skip the iron plates entirely and go for the good stuff. Bumper plates are essential for Olympic lifts (the snatch and the clean and jerk) and they’re also nice to have for other lifts, like deadlifts. In general, the cheapest kind are made of black rubber and are labeled in pounds; expect to pay a premium if you want them in kilos with international standard color-coding.
A squat rack or cage
You know you’ve Made It as a home gym owner when you have your own squat rack. Consider the amount of space you have available, since some racks require tall ceilings and all require a good bit of space around the sides so you can get to the bar to change the plates. There are folding racks, half racks, and full racks. You can also go the DIY route with one of those concrete-bucket-and-lumber squat stands everyone was using during lockdown. (Mine held up great for years, and only broke down when the buckets got too much UV damage from being in the sunlight so long.)
Throw a band on your pullup bar and you have a way to do assisted pullups; hold a band in your hands instead and you can do band pull-aparts. Bands are also a great addition to your barbells if you don’t have quite enough plates (or if you’re a fan of conjugate training, in which case you’re probably already putting bands and chains on everything that isn’t nailed down.) If you want to use bands with barbells, look for the long loop type; if you want to use them on their own, look for the kind that clip to handles.
Sandbags
Sandbags are the under-appreciated workhorses of many a home gym. Sand is dirt cheap—almost literally—but expect to pay a few bucks for a really quality fabric sandbag to put it in. (That said, you can DIY this, and we have instructions.) Start with a bag that weighs maybe half as much as you do, and practice picking it up, carrying it, and generally doing anything people do with weights. Yes, you can even press it overhead if you’re careful. If that’s all too easy, go for a bag that weighs as much as you do, or more.
A plyo box
A box is a handy thing to have around, and one of the few things I’ve always wanted in my home gym but never found the space for. With one box, you can do box jumps or box squats. With two, you can do dips or stand on top of them and set up a belt squat. The possibilities are endless.
Specialty bars
If you’re shopping for the person who has everything, I’ll tell you what they don’t have: another specialty bar. After a normal barbell, a typical next purchase is a safety squat bar. You could also go for an axle, which is great for practicing strongman events, or a cambered or duffalo bar (honestly, I’m not sure why powerlifters love these so much, but they do). A dedicated deadlift bar is perfect for the deadlift specialist in your life, and a football bar or Swiss bar gives you lots of options for pressing. A log is great for the spoiled strongman or strongwoman in your life, or an EZ-curl bar for the bodybuilder. Or grab a trap bar to do deadlifts on easy mode.
Human operators play a significant part in planning, managing, and executing cyber-attacks. During each phase of their operations, they learn and adapt by observing the victims' networks and leveraging intelligence and social engineering. One of the most common tools human operators use is Remote Desktop Protocol (RDP), which gives attackers not only control, but also Graphical User Interface (GUI) visibility on remote computers. Because RDP is such a popular tool in human-operated attacks, defenders can use the RDP context as a strong indicator of suspicious activity, and therefore detect Indicators of Compromise (IOCs) and act on them.
That’s why today Microsoft Defender for Endpoint is enhancing the RDP data by adding a detailed layer of session information, so you can more easily identify potentially compromised devices in your organization. This layer provides you with more details into the RDP session within the context of the activity initiated, simplifying correlation and increasing the accuracy of threat detection and proactive hunting.
Remote session information
The new layer adds eight fields, represented as new columns in Advanced Hunting that expand the schema across several tables. These columns enrich process information with session details, augmenting the contextual data related to remote activities.
InitiatingProcessSessionId - Windows session ID of the initiating process
CreatedProcessSessionId - Windows session ID of the created process
IsInitiatingProcessRemoteSession - Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false).
IsProcessRemoteSession - Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false).
InitiatingProcessRemoteSessionDeviceName - Device name of the remote device from which the initiating process’s RDP session was initiated.
ProcessRemoteSessionDeviceName - Device name of the remote device from which the created process’s RDP session was initiated.
InitiatingProcessRemoteSessionIP - IP address of the remote device from which the initiating process’s RDP session was initiated.
ProcessRemoteSessionIP - IP address of the remote device from which the created process’s RDP session was initiated.
The data will be available in the following tables:
Table Name              Initiating process   Created Process
DeviceEvents            Yes                  Yes, where relevant
DeviceProcessEvents     Yes                  Yes
DeviceFileEvents        Yes                  No
DeviceImageLoadEvents   Yes                  No
DeviceLogonEvents       Yes                  No
DeviceNetworkEvents     Yes                  No
DeviceRegistryEvents    Yes                  No
Detect human-operated ransomware attacks that use RDP
Defender for Endpoint machine learning models use data from remote sessions to identify patterns of malicious activity. They assess user interactions with devices via RDP by examining more than 100 characteristics and apply a machine learning classifier to determine if the behavior is consistent with hands-on-keyboard-based attacks.
Image 1: Ransomware attack incident investigation
Detect suspicious RDP sessions
Another model uses remote session information to identify suspicious remote sessions. Outlined below is an example of a suspect RDP session where harmful tools, commonly used by attackers in ransomware campaigns and other malicious activities, are deployed, setting off a high-severity alert.
This context is also available in Advanced Hunting for custom detection and investigation purposes.
An Advanced Hunting query can be used to display all processes initiated from a given source IP during an RDP session. This query can be adjusted to fit any of the supported tables.
DeviceProcessEvents
| where Timestamp >= ago(1d)
| where IsInitiatingProcessRemoteSession == true
| where InitiatingProcessRemoteSessionIP == "X.X.X.X" // Insert your IP Address here
Another query can be used to highlight actions performed remotely by a compromised account. This query can be adjusted to fit any of the supported tables.
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessAccountSid == "SID" // Insert the compromised account SID here
| where IsInitiatingProcessRemoteSession == true
You can also hunt for tampering attempts. Tampering performed remotely across many devices can signal a broad preparation step before an attack is launched.
DeviceRegistryEvents
| where Timestamp >= ago(7d)
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
| where RegistryValueName == "DisableAntiSpyware"
| where RegistryValueType == "Dword"
| where RegistryValueData == "1"
| where IsInitiatingProcessRemoteSession == true
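The three hunts above, applied offline to constructed rows carrying the new session columns, as an added example that is not Microsoft's code. It also adds the aggregation step the tampering paragraph implies: grouping remote Defender tampering by the originating RDP IP so that one source touching many devices stands out. Field names follow the schema listed above; the device names, SIDs and IPs are made up.

```python
"""Offline use of the RDP session fields for hunting (added example)."""
from collections import defaultdict

DEFENDER_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"


def processes_from_remote_ip(process_events, source_ip):
    """Processes started inside an RDP session that originated from source_ip."""
    return [e for e in process_events
            if e.get("IsInitiatingProcessRemoteSession") is True
            and e.get("InitiatingProcessRemoteSessionIP") == source_ip]


def remote_actions_by_account(process_events, account_sid):
    """Processes an account started through RDP (the compromised-account hunt)."""
    return [e for e in process_events
            if e.get("InitiatingProcessAccountSid") == account_sid
            and e.get("IsInitiatingProcessRemoteSession") is True]


def is_remote_defender_tamper(reg_event):
    """DisableAntiSpyware set to 1 under the Defender policy key from an RDP session.

    RegistryValueData is a string column in the schema, so compare as text.
    """
    return (reg_event.get("RegistryKey") == DEFENDER_POLICY_KEY
            and reg_event.get("RegistryValueName") == "DisableAntiSpyware"
            and reg_event.get("RegistryValueType") == "Dword"
            and str(reg_event.get("RegistryValueData")) == "1"
            and reg_event.get("IsInitiatingProcessRemoteSession") is True)


def tamper_sources(registry_events):
    """Map each remote source IP to the sorted list of devices it tampered on.

    One IP with many devices is the "broad attempt" pattern the text calls out.
    """
    by_ip = defaultdict(set)
    for e in registry_events:
        if is_remote_defender_tamper(e):
            by_ip[e.get("InitiatingProcessRemoteSessionIP") or "unknown"].add(e["DeviceName"])
    return {ip: sorted(devices) for ip, devices in by_ip.items()}


# Constructed sample rows (not real telemetry); IPs are from documentation ranges.
SAMPLE_PROCESS_EVENTS = [
    {"DeviceName": "srv01", "FileName": "cmd.exe", "InitiatingProcessAccountSid": "S-1-5-21-1-2-3-1001",
     "IsInitiatingProcessRemoteSession": True, "InitiatingProcessRemoteSessionIP": "198.51.100.7"},
    {"DeviceName": "srv01", "FileName": "powershell.exe", "InitiatingProcessAccountSid": "S-1-5-21-1-2-3-1001",
     "IsInitiatingProcessRemoteSession": True, "InitiatingProcessRemoteSessionIP": "198.51.100.7"},
    {"DeviceName": "ws09", "FileName": "outlook.exe", "InitiatingProcessAccountSid": "S-1-5-21-1-2-3-1001",
     "IsInitiatingProcessRemoteSession": False, "InitiatingProcessRemoteSessionIP": ""},
    {"DeviceName": "srv02", "FileName": "net.exe", "InitiatingProcessAccountSid": "S-1-5-21-1-2-3-2002",
     "IsInitiatingProcessRemoteSession": True, "InitiatingProcessRemoteSessionIP": "203.0.113.5"},
]


def _reg(device, value, remote, ip):
    """Helper to build a DeviceRegistryEvents-shaped row for the samples."""
    return {"DeviceName": device, "RegistryKey": DEFENDER_POLICY_KEY,
            "RegistryValueName": "DisableAntiSpyware", "RegistryValueType": "Dword",
            "RegistryValueData": value, "IsInitiatingProcessRemoteSession": remote,
            "InitiatingProcessRemoteSessionIP": ip}


SAMPLE_REGISTRY_EVENTS = [
    _reg("srv01", "1", True, "198.51.100.7"),
    _reg("srv02", "1", True, "198.51.100.7"),
    _reg("srv03", "1", True, "198.51.100.7"),
    _reg("srv04", "0", True, "198.51.100.7"),   # value 0 re-enables Defender, not a tamper
    _reg("ws09", "1", False, ""),               # local change, outside this hunt
]

if __name__ == "__main__":
    for e in processes_from_remote_ip(SAMPLE_PROCESS_EVENTS, "198.51.100.7"):
        print("remote process:", e["DeviceName"], e["FileName"])
    for ip, devices in tamper_sources(SAMPLE_REGISTRY_EVENTS).items():
        print(f"Defender tampering from {ip} on {len(devices)} device(s): {devices}")
```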
Comprehensive endpoint security
The ability to identify malicious use of RDP in Defender for Endpoint gives admins more granular visibility and control over detection, investigation, and hunting in unique edge cases, and helps them stay one step ahead of the evolving threat landscape.
Cybersecurity researchers have uncovered design weaknesses in Microsoft's Windows Smart App Control and SmartScreen that could enable threat actors to gain initial access to target environments without raising any warnings.
Smart App Control (SAC) is a cloud-powered security feature introduced by Microsoft in Windows 11 to block malicious, untrusted, and potentially unwanted apps from being run
In an incident report today, DigiCert says it discovered that some CNAME-based validations did not include the required underscore prefix, affecting about 0.4% of their domain validations. According to CA/Browser Forum (CABF) rules, certificates with validation issues must be revoked within 24 hours, prompting DigiCert to take immediate action. DigiCert says impacted customers "have been notified." New submitter jdastrup first shared the news, writing: Due to a mistake going back years that has recently been discovered, DigiCert is required by the CABF to revoke any certificate that used the improper Domain Control Validation (DCV) CNAME record in 24 hours. This could literally be thousands of SSL certs. This could take a lot of time and potentially cause outages worldwide starting July 30 at 19:30 UTC. Be prepared for a long night of cert renewals. DigiCert support line is completely jammed.
On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. We will continue to closely monitor Onyx Sleet’s activity to assess changes following the indictment.
First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet’s ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors.
Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. In this blog, we will share intelligence about Onyx Sleet and its historical tradecraft and targets, as well as our analysis of recent malware campaigns, with the goal of enabling the broader community to identify and respond to similar campaigns. We also provide protection, detection, and hunting guidance to help improve defenses against these attacks.
Who is Onyx Sleet?
Onyx Sleet conducts cyber espionage primarily targeting military, defense, and technology industries, predominately in India, South Korea, and the United States. This threat actor has historically leveraged spear-phishing as a means of compromising target environments; however, in recent campaigns, they have mostly exploited N-day vulnerabilities, leveraging publicly available and custom exploits to gain initial access. In October 2023, Onyx Sleet exploited the TeamCity CVE-2023-42793 vulnerability as a part of a targeted attack. Exploiting this vulnerability enabled the threat actor to perform a remote code execution attack and gain administrative control of the server.
Onyx Sleet develops and uses a spectrum of tools that range from custom to open source. They have built an extensive set of custom remote access trojans (RATs) that they use in campaigns, and routinely developed new variants of these RATs to add new functionality and implement new ways of evading detection. Onyx Sleet often uses leased virtual private servers (VPS) and compromised cloud infrastructure for command-and-control (C2).
Onyx Sleet is tracked by other security companies as APT45, SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, and TDrop2.
Affiliations with other threat actors originating from North Korea
Onyx Sleet has demonstrated affiliations with other North Korean actors, indicating its integration with a broader network of North Korean cyber operations. Microsoft has observed an overlap between Onyx Sleet and Storm-0530. Both groups were observed operating within the same infrastructure and were involved in the development and use of ransomware in attacks in late 2021 and 2022.
Onyx Sleet targets
In pursuit of its primary goal of intelligence collection, Onyx Sleet has focused on targeting entities in the defense and energy industries, predominately in India, South Korea, and the United States. Recent attacks include the targeting of South Korean educational institutions, construction companies, and manufacturing organizations in May 2024. Onyx Sleet has also shown interest in taking advantage of online gambling websites, possibly for financial gain either on behalf of North Korea or for individual members of the group.
Onyx Sleet tradecraft
Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective. Onyx Sleet historically leveraged spear-phishing to compromise targets, and in more recent campaigns, they have been observed to primarily use exploits for initial access, alongside a loader, downloader, and backdoor as a part of its well-established attack chain.
Onyx Sleet nevertheless made some changes, for example, adding new C2 servers and hosting IPs, creating new malware, and launching multiple campaigns over time. In the past, Onyx Sleet introduced custom ransomware strains as a part of its campaigns. It also created and deployed the RAT identified by Kaspersky as Dtrack, which was observed in global attacks from September 2019 to January 2024. The Dtrack RAT follows the common attack chain used by Onyx Sleet and includes the exploitation of the Log4j 2 CVE-2021-44228 vulnerability for initial access and the use of payloads signed with an invalid certificate masquerading as legitimate software to evade detection.
Another example of Onyx Sleet introducing variations in the implementation of its attack chain is the campaign identified by AhnLab Security Intelligence Center (ASEC) in May 2024. In this campaign, the threat actor employed a previously unseen malware family dubbed as Dora RAT. Developed in the Go programming language, this custom malware strain targeted South Korean educational institutions, construction companies, and manufacturing organizations.
Onyx Sleet avoids common detection techniques across its attack lifecycle by heavily using custom encryption and obfuscation algorithms and launching as much of its code in memory as possible. These tools and techniques have been observed in several reported campaigns, including TDrop2.
Onyx Sleet has also used several off-the-shelf tools, including Sliver, remote monitoring and management (RMM) tools, SOCKS proxy tools, Ngrok, and masscan. We have also observed Onyx Sleet using commercial packers like Themida and VMProtect to obfuscate their malware. In January 2024, Microsoft Threat Intelligence identified a campaign attributed to Onyx Sleet that deployed a Sliver implant, an open-source C2 framework that supports multiple operators, listener types, and payload generation. Like the Dtrack RAT, this malware was signed with an invalid certificate impersonating Tableau software. Further analysis revealed that this Onyx Sleet campaign compromised multiple aerospace and defense organizations from October 2023 to June 2024.
Apart from the previously mentioned Log4j 2 vulnerability, Onyx Sleet has exploited other publicly disclosed (N-day) vulnerabilities to gain access to target environments. Some vulnerabilities recently exploited by Onyx Sleet include:
CVE-2023-46604 (Apache ActiveMQ)
CVE-2023-22515 (Confluence)
CVE-2023-27350 (PaperCut)
CVE-2023-42793 (TeamCity)
In addition to these well-known and disclosed vulnerabilities, Onyx Sleet has used custom exploit capabilities in campaigns targeting users mostly in South Korea. In these campaigns, Onyx Sleet exploited vulnerabilities in a remote desktop/management application, a data loss prevention application, a network access control system, and an endpoint detection and response (EDR) product.
Recent malware campaigns
In December 2023, South Korean authorities attributed attacks that stole over 1.2 TB of data from targeted South Korean defense contractors using custom malware to Andariel. Microsoft has attributed several custom malware families used in the said attacks – TigerRAT, SmallTiger, LightHand, and ValidAlpha – to Onyx Sleet.
TigerRAT
Since 2020, Onyx Sleet has been observed using the custom RAT malware TigerRAT. In some campaigns using TigerRAT, Onyx Sleet exploited vulnerabilities in Log4j 2 to deliver and install the malware. When launched, this malware can steal confidential information and carry out commands, such as keylogging and screen recording, from the C2.
SmallTiger
In February 2024, ASEC identified SmallTiger, a new malware strain targeting South Korean defense and manufacturing organizations. During the process of lateral movement, this malware is delivered as a DLL file (SmallTiger[.]dll) and uses a C2 connection to download and launch the payload into memory. Microsoft researchers have determined that SmallTiger is a C++ backdoor with layered obfuscation, encountered in the wild as a Themida or VMProtect packed executable.
The SmallTiger campaign can be tied back to a campaign using a similar attack chain beginning in November 2023 that delivered the DurianBeacon RAT malware. In May 2024, Microsoft observed Onyx Sleet continuing to conduct attacks targeting South Korean defense organizations using SmallTiger.
LightHand
LightHand is a custom, lightweight backdoor used by Onyx Sleet for remote access of target devices. Via LightHand, Onyx Sleet can execute arbitrary commands through command shell (cmd.exe), get system storage information, perform directory listing, and create/delete files on the target device.
ValidAlpha (BlackRAT)
ValidAlpha (also known as BlackRAT) is a custom backdoor developed in the Go programming language and used by Onyx Sleet to target organizations globally in the energy, defense, and engineering sectors since at least 2023. ValidAlpha can run an arbitrary file, list contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands.
Samples of ValidAlpha analyzed by Microsoft had a unique PDB string: I:/01___Tools/02__RAT/Black/Client_Go/Client.go
Recommendations
Microsoft recommends the following mitigations to defend against attacks by Onyx Sleet:
Keep software up to date. Apply new security patches as soon as possible.
Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
Configure investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to help resolve breaches, significantly reducing alert volume.
Microsoft Defender customers can turn on attack surface reduction rules to help prevent common attack techniques used by Onyx Sleet:
The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:
Onyx Sleet activity group
The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:
Document contains macro to download a file
Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
Use this query to assess the existence of vulnerabilities used by Onyx Sleet:
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2021-44228","CVE-2023-27350","CVE-2023-42793")
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware
Use this query to detect associated network IOCs (the lists are dynamic arrays, so membership is tested with in rather than ==):
let remoteip = dynamic(["84.38.134.56","45.155.37.101","213.139.205.151","109.248.150.147","162.19.71.175","147.78.149.201"]);
let remoteurl = dynamic(["americajobmail.site","privatemake.bounceme.net","ww3c.bounceme.net","advice.uphearth.com","http://84.38.134.56/procdump.gif"]);
DeviceNetworkEvents
| where RemoteIP in (remoteip) or RemoteUrl in (remoteurl)
| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort,RemoteIP, RemoteIPType, RemotePort, RemoteUrl
Use this query to detect associated file IOCs:
let selectedTimestamp = datetime(2024-07-17T00:00:00.0000000Z);
let fileName = "SmallTiger.dll";
let FileSHA256 = dynamic(["f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c","0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207","29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3","fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32","868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf","f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5","1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1","3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061","8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f","7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b"]);
let SignerName = "INVALID:Tableau Software Inc.";
let Signerhash = "6624c7b8faac176d1c1cb10b03e7ee58a4853f91";
let certificateserialnumber = "76cb5d1e6c2b6895428115705d9ac765";
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents,
DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator)
TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // searches from one minute before selectedTimestamp through the following 90 days; change the date above accordingly.
and
( FileName == fileName or OldFileName == fileName or ProfileName == fileName or InitiatingProcessFileName == fileName or InitiatingProcessParentFileName == fileName
or InitiatingProcessVersionInfoInternalFileName == fileName or InitiatingProcessVersionInfoOriginalFileName == fileName or PreviousFileName == fileName
or ProcessVersionInfoInternalFileName == fileName or ProcessVersionInfoOriginalFileName == fileName or DestinationFileName == fileName or SourceFileName == fileName
or ServiceFileName == fileName or SHA256 in (FileSHA256) or InitiatingProcessSHA256 in (FileSHA256) or Signer == SignerName or SignerHash == Signerhash or CertificateSerialNumber == certificateserialnumber )
Starting August 2024, classic Microsoft Outlook for Windows will integrate new reporting buttons to allow users to report emails as phishing, junk, or not junk. Admins can customize these buttons and reporting options via the Microsoft 365 Defender portal. Rollout will be complete by late September 2024.
Starting August 2024 for classic Microsoft Outlook for Windows, we will add new built-in reporting buttons that allow users to report emails as phishing / junk / not junk. The new buttons will be included in the next semi-annual release of Outlook for Windows. Admins can control the appearance and behavior of these buttons from the User reported settings page in the Microsoft 365 Defender portal (security.microsoft.com). Admins can also customize where messages get reported to (reporting mailbox, Microsoft, or both) and what the user sees both before and after reporting messages from these buttons. Your current User reported settings page will not be changed by this rollout.
This message is associated with Microsoft 365 Roadmap ID 371388.
When this will happen:
General Availability (Worldwide, GCC, GCC High, and DoD): We will begin rolling out early August 2024 and expect to complete by late September 2024.
How this will affect your organization:
Before this rollout: Classic Microsoft Outlook for Windows users do not see reporting buttons.
After the rollout:
New reporting buttons and menu options in Outlook Classic:
This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your users about this change and update any relevant documentation.
OWA (Outlook on the web) and new Outlook for Windows have had this functionality since November 2022 and there is no change to it.
The new built-in buttons on Outlook for Windows will inherit your existing User reported settings from OWA.
Other versions of Outlook, such as Mac and Mobile (iPhone and Android), will not be affected by this change. We are working on adding the reporting buttons to other versions of Outlook.
If you have the reporting feature turned off in the Microsoft 365 Defender User reported settings page or are using a third-party add-in, the reporting buttons in classic Outlook for Windows won’t be visible.
The Microsoft reporting add-in (the Microsoft report message add-in and the Microsoft phishing add-in) will be supported until further notice. Customers who currently use the add-in and the new reporting buttons will see two sets of reporting buttons in the ribbon. However, when Outlook Mac and Mobile add the new reporting buttons in the near future, the reporting add-in will no longer be needed and can be removed.
The selections you make on the user reported settings page will determine the reporting experience for your users whether they choose the add-in or built-in reporting option in Outlook. Either option will report to the same place (Microsoft, custom mailbox, or both) based on the User reported settings selected.
Unlike OWA and new Outlook for Windows, the built-in reporting buttons in classic Outlook for Windows do not support reporting from shared and delegate mailboxes.