What’s new in Windows Server 2022

This article describes some of the new features in Windows Server 2022. Windows Server 2022 is built on the strong foundation of Windows Server 2019 and brings many innovations on three key themes: security, Azure hybrid integration and management, and application platform. Also, Windows Server 2022 Datacenter: Azure Edition helps you use the benefits of cloud to keep your VMs up to date while minimizing downtime.


The new security capabilities in Windows Server 2022 combine other security capabilities in Windows Server across multiple areas to provide defense-in-depth protection against advanced threats. Advanced multi-layer security in Windows Server 2022 provides the comprehensive protection that servers need today.

Secured-core server

Secured-core server provides protections that are useful against sophisticated attacks and can provide increased assurance when handling mission critical data in some of the most data sensitive industries. It is built on three key pillars: simplified security, advanced protection, and preventative defense.

Simplified security

When you buy hardware from an OEM for Secured-core server, you have assurance that the OEM has provided a set of hardware, firmware, and drivers that satisfy the Secured-core promise. Windows Server systems will have easy configuration experiences in the Windows Admin Center to enable the security features of Secured-core.

Advanced protection

Secured-core servers use hardware, firmware, and operating system capabilities to the fullest extent to provide protection against current and future threats. The protections enabled by a Secured-core server are targeted to create a secure platform for critical applications and data used on that server. The Secured-core functionality spans the following areas:

  • Hardware root-of-trustTrusted Platform Module 2.0 (TPM 2.0) come standard with servers capable of using Secured-core servers. TPM 2.0 provides a secure store for sensitive keys and data, such as measurements of the components loaded during boot. This hardware root-of-trust raises the protection provided by capabilities like BitLocker, which uses TPM 2.0 and facilitates creating attestation-based workflows that can be incorporated into zero-trust security strategies.
  • Firmware protectionThere is a clear rise in security vulnerabilities being reported in the firmware space given the high privileges that firmware runs with and the relative opacity of what happens in firmware to traditional anti-virus solutions. Recent reports show that malware and ransomware platforms are adding firmware capabilities raising the risk of firmware attacks that have already been seen targeting enterprise resources like Active Directory domain controllers. Using processor support for Dynamic Root of Trust of Measurement (DRTM) technology, along with DMA protection, Secured-core systems isolate the security critical hypervisor from attacks such as this.
  • Virtualization-based security (VBS)Secured-core servers support VBS and hypervisor-based code integrity (HVCI). VBS and HVCI protect against the entire class of vulnerabilities used in cryptocurrency mining attacks given the isolation VBS provides between the privileged parts of the operating system such as the kernel and the rest of the system. VBS also provides more capabilities that customers can enable, such as Credential Guard, which better protects domain credentials.

Preventative defense

Enabling Secured-core functionality helps proactively defend against and disrupt many of the paths attackers may use to exploit a system. This set of defenses also enables IT and SecOps teams better utilize their time across the many areas that need their attention.

Secure connectivity

Transport: HTTPS and TLS 1.3 enabled by default on Windows Server 2022

Secure connections are at the heart of today’s interconnected systems. Transport Layer Security (TLS) 1.3 is the latest version of the internet’s most deployed security protocol, which encrypts data to provide a secure communication channel between two endpoints. HTTPS and TLS 1.3 is now enabled by default on Windows Server 2022, protecting the data of clients connecting to the server. It eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible. Learn more about supported TLS versions and about supported cipher suites.

Secure DNS: Encrypted DNS name resolution requests with DNS-over-HTTPS

DNS Client in Windows Server 2022 now supports DNS-over-HTTPS (DoH) which encrypts DNS queries using the HTTPS protocol. This helps keep your traffic as private as possible by preventing eavesdropping and your DNS data being manipulated. Learn more about configuring the DNS client to use DoH.

Server Message Block (SMB): SMB AES-256 encryption for the most security conscious

Windows Server now supports AES-256-GCM and AES-256-CCM cryptographic suites for SMB encryption and signing. Windows will automatically negotiate this more advanced cipher method when connecting to another computer that also supports it, and it can also be mandated through Group Policy. Windows Server still supports AES-128 for down-level compatibility.

SMB: East-West SMB encryption controls for internal cluster communications

Windows Server failover clusters now support granular control of encrypting and signing intra-node storage communications for Cluster Shared Volumes (CSV) and the storage bus layer (SBL). This means that when using Storage Spaces Direct, you can decide to encrypt or sign east-west communications within the cluster itself for higher security.


SMB over QUIC updates the SMB 3.1.1 protocol in Windows Server 2022 Datacenter: Azure Edition and supported Windows clients to use the QUIC protocol instead of TCP. By using SMB over QUIC along with TLS 1.3, users and applications can securely and reliably access data from edge file servers running in Azure. Mobile and telecommuter users no longer need a VPN to access their file servers over SMB when on Windows. More information can be found at the SMB over QUIC documentation.

Azure hybrid capabilities

You can increase your efficiency and agility with built-in hybrid capabilities in Windows Server 2022 that allow you to extend your data centers to Azure more easily than ever before.

Azure Arc enabled Windows Servers

Azure Arc enabled servers with Windows Server 2022 brings on-premises and multi-cloud Windows Servers to Azure with Azure Arc. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. More information can be found at the Azure Arc enables servers documentation.

Windows Admin Center

Improvements to Windows Admin Center to manage Windows Server 2022 include capabilities to both report on the current state of the Secured-core features mentioned above, and where applicable, allow customers to enable the features. More information on these and many more improvements to Windows Admin Center can be found at the Windows Admin Center documentation.

Azure Automanage – Hotpatch

Hotpatch, part of Azure Automanage, is supported in Windows Server 2022 Datacenter: Azure Edition. Hotpatching is a new way to install updates on new Windows Server Azure Edition virtual machines (VMs) that doesn’t require a reboot after installation. More information can be found at the Azure Automanage documentation.

Application platform

There are several platform improvements for Windows Containers, including application compatibility and the Windows Container experience with Kubernetes. A major improvement includes reducing the Windows Container image size by up to 40%, which leads to a 30% faster startup time and better performance.

You can now also run applications that depend on Azure Active Directory with group Managed Services Accounts (gMSA) without domain joining the container host, and Windows Containers now support Microsoft Distributed Transaction Control (MSDTC) and Microsoft Message Queuing (MSMQ).

There are several other enhancements that simplify the Windows Container experience with Kubernetes. These enhancements include support for host-process containers for node configuration, IPv6, and consistent network policy implementation with Calico.

In addition to platform improvements, Windows Admin Center has been updated to make it easy to containerize .NET applications. Once the application is in a container, you can host it on Azure Container Registry to then deploy it to other Azure services, including Azure Kubernetes Service.

With support for Intel Ice Lake processors, Windows Server 2022 supports business-critical and large-scale applications, such as SQL Server, that require up to 48 TB of memory and 2,048 logical cores running on 64 physical sockets. Confidential computing with Intel Secured Guard Extension (SGX) on Intel Ice Lake improves application security by isolating applications from each other with protected memory.

You can read more about these and other improvements at What’s new for Windows Containers in Windows Server 2022.

Other key features

Nested virtualization for AMD processors

Nested virtualization is a feature that allows you to run Hyper-V inside of a Hyper-V virtual machine (VM). Windows Server 2022 brings support for nested virtualization using AMD processors, giving more choices of hardware for your environments. More information can be found at the nested virtualization documentation.

Microsoft Edge browser

Microsoft Edge is included with Windows Server 2022, replacing Internet Explorer as the default browser. It is built on Chromium open source and backed by Microsoft security and innovation. It can be used with Server Core or Server with Desktop Experience installation options, and supports HTTP/3 which uses the QUIC protocol. More information can be found at the Microsoft Edge Enterprise documentation. Note that Microsoft Edge, unlike the rest of Windows Server, follows the Modern Lifecycle for its support lifecycle. For details, see Microsoft Edge lifecycle documentation.


Storage Migration Service

Enhancements to Storage Migration Service in Windows Server 2022 makes it easier to migrate storage to Windows Server or to Azure from more source locations. Here are the features that are available when running the Storage Migration Server orchestrator on Windows Server 2022:

  • Migrate local users and groups to the new server.
  • Migrate storage from failover clusters, migrate to failover clusters, and migrate between standalone servers and failover clusters.
  • Migrate storage from a Linux server that uses Samba.
  • More easily sync migrated shares into Azure by using Azure File Sync.
  • Migrate to new networks such as Azure.
  • Migrate NetApp CIFS servers from NetApp FAS arrays to Windows servers and clusters.

Adjustable storage repair speed

User adjustable storage repair speed is a new feature in Storage Spaces Direct that offers more control over the data resync process by allocating resources to either repair data copies (resiliency) or run active workloads (performance). This helps improve availability and allows you to service your clusters more flexibly and efficiently.

Storage bus cache with Storage Spaces on standalone servers

Storage bus cache is now available for standalone servers. It can significantly improve read and write performance, while maintaining storage efficiency and keeping the operational costs low. Similar to its implementation for Storage Spaces Direct, this feature binds together faster media (for example, NVMe or SSD) with slower media (for example, HDD) to create tiers. A portion of the faster media tier is reserved for the cache. To learn more, see Enable storage bus cache with Storage Spaces on standalone servers.

SMB compression

Enhancement to SMB in Windows Server 2022 and Windows 11 allows a user or application to compress files as they transfer over the network. Users no longer have to manually zip files in order to transfer much faster on slower or more congested networks. For details, see SMB Compression.

Source :

DSA-2021-088: Dell Client Platform Security Update for an Insufficient Access Control Vulnerability in the Dell dbutil Driver

Dell has released remediation for a security vulnerability affecting the dbutil_2_3.sys driver packaged with Dell Client firmware update utility packages and other products.

Proprietary Code CVEDescriptionCVSS   Base ScoreCVSS Vector String
CVE-2021-21551Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.8.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

The vulnerability described in the table above exists in the dbutil_2_3.sys driver. This driver may have been installed on to the Windows operating system of your Dell Client platform by one or more impacted products or components.

Refer to the “Affected Products and Remediation” section of this advisory for details regarding:

  • The list of impacted platforms, products, and components
  • The remediation steps including:
    • How to remove the vulnerable driver from your system
    • How to obtain an updated, remediated version of the driver 
  • What to know when using end of service life (aka end of support) platforms, products, or components

Additional, related information is available in this FAQ.

Dell Technologies raccomanda a tutti i clienti di prendere in considerazione sia il punteggio base CVSS, sia ogni eventuale punteggio temporale o ambientale che possa avere effetti sul livello di gravità potenziale associato a una specifica vulnerabilità di sicurezza.

Affected Products and Remediation

This section includes the following subsections:

  1. Affected platforms, products, and components.
  2. Remediation Steps:
    1. Determine impacted platforms, products, and components in your environment.
    2. Remove the vulnerable driver from your system.
    3. Obtain an updated, remediated version of the driver.
  3. What to know when installing a firmware update using an unremediated firmware update utility package.
  4. What to know when using end of service life (aka end of support) platforms, products, or components.

1. Affected platforms, products, and components
The vulnerable driver (dbutil_2_3.sys) may have been installed on to the Windows operating system of your Dell Client platform by one or more of the following products or components:

  • Impacted firmware update utility packages, including BIOS update utilities, Thunderbolt firmware update utilities, TPM firmware update utilities and dock firmware update utilities (see Note 1 and Note 2 below).
  • Any of the Dell Download Notification solutions, including Dell Command Update, Dell Update, Alienware Update, and Dell SupportAssist for PCs (Home and Business).
  • Dell System Inventory Agent
  • Dell Platform Tags
  • Dell BIOS Flash Utility

Note 1: The specific Dell Client platforms with impacted firmware update utility packages, including BIOS update utilities, Thunderbolt firmware update utilities, TPM firmware update utilities and dock firmware update utilities, are listed in the “Additional Information” section of this advisory.

  • This information is split into two tables with Table A listing impacted, supported platforms and Table B listing impacted platforms which have reached end of service life (aka end of support).

Note 2: This vulnerability is in the dbutil_2_3.sys driver which is included with firmware update utility packages. The actual firmware is not impacted by the vulnerability.

2. Remediation Steps
 Execute the following three steps to remediate this vulnerability:

  • 2.1. Determine impacted platforms, products, and components in your environment.
  • 2.2. Remove the vulnerable driver from your system.
  • 2.3. Obtain an updated, remediated version of the driver .

Details on each step are provided below.  

2.1 Determine impacted platforms, products, and components in your environment

Answer the following questions to determine the impacted platforms, products, and components in your environment. Then, execute the defined actions to remediate your environment.

2.1.1 Are you using a Dell Client platform which has an impacted firmware update utility package?

 If yes, perform the following actions:

  • Action 1: Remove the dbutil_2_3.sys driver from your system as described in 2.2.2.
  • Action 2: Obtain an updated, remediated version of the driver described in 2.3.  

Note: The specific Dell Client platforms with impacted firmware update utility packages, including BIOS update utilities, Thunderbolt firmware update utilities, TPM firmware update utilities and dock firmware update utilities, are listed in the “Additional Information” section of this advisory.

  • This information is split into two tables with Table A listing impacted, supported platforms and Table B listing impacted platform which have reached end of service life (aka end of support).

2.1.2 Are you using:

  • Any of the Dell Download Notification solutions including, Dell Command Update, Dell Update, Alienware Update, and Dell SupportAssist for PCs (Home and Business)?
  • Dell System Inventory Agent
  • Dell Platform Tags
  • Dell BIOS Flash Utility

If yes, perform the following actions:

  • Action 1: Update to a remediated version of the product or component as described in 2.2.1.
  • Action 2: Remove the dbutil_2_3.sys driver from your system as described in 2.2.2.

2.2. Remove the vulnerable driver from your system

Execute the following 2 steps to remove the dbutil_2_3.sys driver from your system, as applicable.

2.2.1 Update to a remediated version of the impacted product or component

If you are using any of the following products or components:

  • Any of the Dell Download Notification solutions including, Dell Command Update, Dell Update, Alienware Update, and Dell SupportAssist for PCs (Home and Business)
  • Dell System Inventory Agent
  • Dell Platform Tags
  • Dell BIOS Flash Utility

You must first update to a remediated version of the impacted product or component using respective instructions below. This action will also install an updated remediated version of the driver (DBUtilDrv2.sys).

For Dell Command Update, Dell Update, and Alienware Update:

  • Manually update to version 4.2 or greater
    • Visit the Dell Support Drivers and Download site for updates for your platform
    • If the self-update feature of these components is not enabled on your system, you can:
      • On an internet connected system, open / run the application
      • Click “Check for Updates”.

Note: When using either the “Check for Updates” option above, or when the self-update feature for these components is enabled, components will be updated as needed to prepare for driver removal via the next step (2.2.2), but the version of the component may not be reflected as an updated version.

  • Reboot your system.

For Dell SupportAssist for PCs (Home and Business):

  • Manually update to the latest available version:
    • Dell SupportAssist for Home PCs version 3.9.2 or greater will include the remediated driver and is expected to be available by June 15, 2021.
    • Dell SupportAssist for Business PCs version 2.4.1 or greater will include the remediated driver.
    • If the self-update feature of these components is not enabled on your system, you can:
      • On an internet connected system, open / run the application
      • Click “Check for Updates”.

Note: When using either the “Check for Updates” option above, or when the self-update feature for these components is enabled, components will be updated as needed to prepare for driver removal via the next step (2.2.2), but the version of the component may not be reflected as an updated version.

  • Reboot your system.

 For Dell System Inventory Agent:

  • Synchronize your Microsoft System Center Configuration Manager’s third-party updates feature, or Microsoft System Center Update Publisher (along with Windows Server Updates Services) to the latest Dell-provided catalog. Doing so will update the systems in your enterprise environment with the updated, remediated Dell System (OpenManage) Inventory Agent.
  • Update to version or greater by downloading / applying the latest available update on this page .
  • Reboot your system.

For Dell Platform Tags:

  • Update to version, A04 or greater by downloading / applying the latest available update on this page.
  • Reboot your system.

For Dell BIOS Flash Utility:

  • Update to version 3.3.11, A07 or greater by downloading / applying the latest available update on this page.
  • Reboot your system.

2.2.2 Remove the dbutil_2_3.sys driver from your system

Remove the dbutil_2_3.sys driver from your system using one of the following options:

  • Manually download and run a utility to remove the driver from the system (Option A).
  • Utilize one of the Dell Download Notification solutions to automatically obtain and run a utility to remove the driver from the system (Option B).
  • Manually remove the driver from the system (Option C).

Option A (Recommended):
Manually download and run the Dell Security Advisory Update – DSA-2021-088 utility to remove the dbutil_2_3.sys driver from the system.

Option B:
Use one of the Dell Download Notification solutions, to obtain and run the Dell Security Advisory Update – DSA-2021-088 utility to remove the dbutil_2_3.sys driver from the system.

Scenario 1: If your Dell Download Notification solution is configured to both automatically notify you of updates and apply them, then this utility will be automatically downloaded and run for you.

Scenario 2: If your Dell Download Notification solution is not configured to automatically download and apply updates, obtain and run the utility as follows:

Option C:
Manually remove the vulnerable dbutil_2_3.sys driver from the system using the following steps:

1. Check the following locations for the dbutil_2_3.sys driver file:

  • C:\Users\<username>\AppData\Local\Temp
  • C:\Windows\Temp

2. Select the dbutil_2_3.sys file and hold down the SHIFT key while pressing the DELETE key to permanently delete.

3. From an administrator command prompt, run “sc.exe delete DBUtil_2_3”.

Reference: For information on sc.exe commands, see Microsoft documentation.

2.3 Obtain an updated, remediated version of the driver
Execute the following to obtain an updated driver (DBUtilDrv2.sys) on your system.

Reminder: The updated driver was previously installed for certain products and components as a part of the instructions in Section 2.2.1.

For a Dell Client platform which has an impacted firmware update utility package:

  • With your next scheduled firmware update, download and apply the latest available firmware update utility which contains a remediated dbutil driver (DBUtilDrv2.sys). Customers can use one of the Dell Download Notification solutions to receive updated firmware update utility packages, as applicable.
  • Reboot your system


  • For supported platforms running Windows 10, updates are available as of the publishing of this advisory. (See Table A)
  • For supported platforms running Windows 7 or 8.1, updates are expected to be available by July 31, 2021. Once the updates are available, this advisory will be updated. If you update your BIOS, Thunderbolt firmware, TPM firmware, or doc firmware prior to the updates being available, you must also execute one of the three options defined in Step 2.2.2 of this section – even if you have previously performed this step – immediately following the update.

3. What to know when installing a firmware update using an unremediated firmware update utility package
You should still execute the steps in Sections 2.1 and 2.2 now. However, if you later update your BIOS, Thunderbolt firmware, TPM firmware, or dock firmware, to a version prior to the versions listed in Table A, you must take the following actions after applying the firmware update:

  1. Reboot your system.
  2. Repeat step 2.2.2 to again remove the dbutil_2_3.sys driver from your system.

4. What to know when using end of service life (aka end of support) platforms, products, or components
Remediated packages will not be provided for end of service life platforms (see Table B). Therefore, you must:

  1. Execute the steps in Sections 2.1 and 2.2.
  2. After applying any firmware update, including BIOS, Thunderbolt firmware, TPM firmware, or dock firmware:
  • Reboot your system.
  • Repeat step 2.2.2 to again remove the dbutil_2_3.sys driver from your system.

Dell would like to thank Alex Ionescu, Satoshi Tanda, and Yarden Shafir of CrowdStrike; Enrique Nissim of IOActive; Scott Noone of OSR; and Kasif Dekel of SentinelOne for reporting this issue.

Cronologia delle revisioni
1.02021-05-04Initial Release
1.12021-05-11Updated links to Dell Security Advisory Update – DSA-2021-088 utility v2.1 (A02)
2.02021-05-25Added additional impacted software products Dell BIOS Flash Utility and Dell SupportAssist for PCs (Home and Business)
Informazioni correlate

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Informazioni aggiuntive

Additional, related information is available in this FAQ.

Table A: Supported Dell platforms impacted firmware update utility packages, including BIOS update utilities, Thunderbolt firmware update utilities, TPM firmware update utilities and dock firmware update utilities.

Note: For platforms running Windows 10: Obtain the version specified in the table, or greater as available, for your BIOS, Thunderbolt Firmware Update, TPM Firmware Update, Dock Firmware Update Version. Once available, the table will be revised to add the updated versions for Windows 7 and 8.1.

Platform/ProductBIOS Version (or greater)Thunderbolt Firmware Update Version (or greater)TPM Firmware Update Version (or greater)Dock Firmware Update Version (or greater)
ChengMing 39671.11.0N/AN/AN/A
ChengMing 39771.11.0N/AN/AN/A
ChengMing 39802.17.0N/AN/AN/A
ChengMing 39881.5.0N/AN/AN/A
ChengMing 39901.3.1N/AN/AN/A
ChengMing 39911.3.1N/AN/AN/A
Dell G15 55101.3.1N/AN/AN/A
Dell G3 35001.7.1N/AN/AN/A
Dell G3 35791., A03N/AN/A
Dell G3 37791., A03N/AN/A
Dell G5 50001.1.0N/AN/AN/A
Dell G5 50901.4.0N/AN/AN/A
Dell G5 55001.7.1N/AN/AN/A
Dell G5 55871., A02N/AN/A
Dell G5 55901.14.0N/AN/AN/A
Dell G7 75001.6.0N/AN/AN/A
Dell G7 75881., A02N/AN/A
Dell G7 75901.14.0N/AN/AN/A
Dell G7 77001.6.0N/AN/AN/A
Dell G7 77901.14.0N/AN/AN/A
Dell Gaming G3 35901.12.0N/AN/AN/A
Dell Precision 3430 Tower1.10.0N/A7.2.0.2N/A
Dell Precision 3430 XL1.10.0N/A7.2.0.2N/A
Dell Precision 3431 Tower1.7.2N/AN/AN/A
Dell Precision 3630 Tower2.7.0N/AN/AN/A
Dell Precision 3930 Rack2.10.0N/A7.2.0.2N/A
Dell Precision 3930 XL Rack2.10.0N/A7.2.0.2N/A
Dell Precision 5820 Tower2.8.0N/A7.2.0.2N/A
Dell Precision 7820 Tower2.12.0N/AN/AN/A
Dell Precision 7820 XL Tower2.12.0N/AN/AN/A
Dell Precision 7920 Tower2.12.0N/AN/AN/A
Dell Precision 7920 XL Tower2.12.0N/AN/AN/A
Embedded Box PC 50001.9.1N/AN/AN/A
Inspiron 13 53701.17.0N/AN/AN/A
Inspiron 14 (5468)1.13.1N/AN/AN/A
Inspiron 14 (7460)1.14.1N/AN/AN/A
Inspiron 14 Gaming (7466)1.8.0N/AN/AN/A
Inspiron 14 Gaming (7467)1.13.1N/AN/AN/A
Inspiron 15 (5566)1.13.1N/AN/AN/A
Inspiron 15 (5567)1.4.1N/AN/AN/A
Inspiron 15 (7560)1.14.1N/AN/AN/A
Inspiron 15 (7572)1.6.1N/AN/AN/A
Inspiron 15 5582 2-in-12.9.0N/AN/AN/A
Inspiron 15 Gaming (7566)1.8.0N/AN/AN/A
Inspiron 15 Gaming (7567)1.13.1N/AN/AN/A
Inspiron 15 Gaming (7577), A05N/AN/A
Inspiron 17 (5767)1.4.1N/AN/AN/A
Inspiron 32681.15.0N/AN/AN/A
Inspiron 34702.17.0N/AN/AN/A
Inspiron 34711.5.0N/AN/AN/A
Inspiron 34801.12.0N/AN/AN/A
Inspiron 34811.11.0N/AN/AN/A
Inspiron 34901.10.0N/AN/AN/A
Inspiron 34931.12.0N/AN/AN/A
Inspiron 35011.4.0N/AN/AN/A
Inspiron 35801.12.0N/AN/AN/A
Inspiron 35811.11.0N/AN/AN/A
Inspiron 35831.12.0N/AN/AN/A
Inspiron 35841.11.0N/AN/AN/A
Inspiron 35901.10.0N/AN/AN/A
Inspiron 35931.12.0N/AN/AN/A
Inspiron 36681.15.0N/AN/AN/A
Inspiron 36702.17.0N/AN/AN/A
Inspiron 36711.5.0N/AN/AN/A
Inspiron 37801.12.0N/AN/AN/A
Inspiron 37811.11.0N/AN/AN/A
Inspiron 37901.10.0N/AN/AN/A
Inspiron 37931.12.0N/AN/AN/A
Inspiron 38801.3.1N/AN/AN/A
Inspiron 38811.3.1N/AN/AN/A
Inspiron 38911.0.2N/AN/AN/A
Inspiron 53001.5.0N/AN/AN/A
Inspiron 53011.6.1N/AN/AN/A
Inspiron 53901.10.0N/AN/AN/A
Inspiron 53911.11.0N/AN/AN/A
Inspiron 5400 2-in-11.5.0N/AN/AN/A
Inspiron 5400 AIO1.3.1N/AN/AN/A
Inspiron 54011.5.1N/AN/AN/A
Inspiron 54021.4.1N/AN/AN/A
Inspiron 5406 2-in-11.4.1N/AN/AN/A
Inspiron 54081.5.1N/AN/AN/A
Inspiron 54091.4.1N/AN/AN/A
Inspiron 54802.9.0N/AN/AN/A
Inspiron 5481 2-in-12.9.0N/AN/AN/A
Inspiron 54822.9.0N/AN/AN/A
Inspiron 54901.12.0N/AN/AN/A
Inspiron 5490 AIO1.7.0N/AN/AN/A
Inspiron 5491 2-in-11.8.1N/AN/AN/A
Inspiron 54931.12.0N/AN/AN/A
Inspiron 54941.10.0N/AN/AN/A
Inspiron 54981.12.0N/AN/AN/A
Inspiron 55011.5.1N/AN/AN/A
Inspiron 55021.4.1N/AN/AN/A
Inspiron 55081.5.1N/AN/AN/A
Inspiron 55091.4.1N/AN/AN/A
Inspiron 55701.4.1N/AN/AN/A
Inspiron 55802.9.0N/AN/AN/A
Inspiron 55831.12.0N/AN/AN/A
Inspiron 55841.12.0N/AN/AN/A
Inspiron 55901.12.0N/AN/AN/A
Inspiron 5591 2-in-11.8.1N/AN/AN/A
Inspiron 55931.12.0N/AN/AN/A
Inspiron 55941.10.0N/AN/AN/A
Inspiron 55981.12.0N/AN/AN/A
Inspiron 57701.4.1N/AN/AN/A
Inspiron 73001.6.1N/AN/AN/A
Inspiron 7300 2-in-11.2.4N/AN/AN/A
Inspiron 7306 2-in-11.4.1N/AN/AN/A
Inspiron 73801.12.0N/AN/AN/A
Inspiron 73861.9.0N/AN/AN/A
Inspiron 73901.11.0N/AN/AN/A
Inspiron 73911.11.0N/AN/AN/A
Inspiron 7391 2-in-, A01N/AN/A
Inspiron 74001.6.1N/AN/AN/A
Inspiron 74721.6.1N/AN/AN/A
Inspiron 74901., A03N/AN/A
Inspiron 75001., A01N/AN/A
Inspiron 7500 2-in-1 Black1.2.4N/AN/AN/A
Inspiron 7500 2-in-1 Silver1.5.0N/AN/AN/A
Inspiron 75011., A01N/AN/A
Inspiron 7506 2-in-11.4.1N/AN/AN/A
Inspiron 75801.12.0N/AN/AN/A
Inspiron 75861.9.0N/AN/AN/A
Inspiron 75901.8.0N/AN/AN/A
Inspiron 7590 2-in-11.11.0N/AN/AN/A
Inspiron 75911.8.0N/AN/AN/A
Inspiron 7591 2-in-, A01N/AN/A
Inspiron 77001.3.1N/AN/AN/A
Inspiron 7706 2-in-11.4.1N/AN/AN/A
Inspiron 77861.9.0N/AN/AN/A
Inspiron 77901.7.0N/AN/AN/A
Inspiron 77911., A01N/AN/A
Inspiron 5491 AIO1.7.0N/AN/AN/A
Latitude 12 72851., A05N/AN/A
Latitude 12 Rugged Extreme 72141.28.0N/AN/AN/A
Latitude 12 Rugged Tablet 72121.31.2N/AN/AN/A
Latitude 14 Rugged 54141.28.0N/AN/AN/A
Latitude 14 Rugged Extreme 74141.28.0N/AN/AN/A
Latitude 31201.0.5N/AN/AN/A
Latitude 31801.13.2N/AN/AN/A
Latitude 31891.13.2N/AN/AN/A
Latitude 31901.13.1N/AN/AN/A
Latitude 3190 2-in-11.13.1N/AN/AN/A
Latitude 33001.10.1N/AN/AN/A
Latitude 33011.13.0N/AN/AN/A
Latitude 33101.8.3N/AN/AN/A
Latitude 3310 2-in-11.17.1N/AN/AN/A
Latitude 33801.13.1N/AN/AN/A
Latitude 33901.14.2N/AN/AN/A
Latitude 34001.16.0N/A74.64N/A
Latitude 34101.5.1N/AN/AN/A
Latitude 34701.19.0N/AN/AN/A
Latitude 34801.15.1N/AN/AN/A
Latitude 3480 mobile thin client1.15.1N/AN/AN/A
Latitude 34901.14.1N/A7.2.0.2N/A
Latitude 35001.16.0N/A74.64N/A
Latitude 35101.5.1N/AN/AN/A
Latitude 35701.19.0N/AN/AN/A
Latitude 35801.15.1N/AN/AN/A
Latitude 35901.14.1N/A7.2.0.2N/A
Latitude 51751.8.1N/AN/AN/A
Latitude 51791.8.1N/AN/AN/A
Latitude 52001., A04N/AN/A
Latitude 52801.19.3N/AN/AN/A
Latitude 5280 mobile thin client1.19.3N/AN/AN/A
Latitude 5285 2-in-11.11.2N/AN/AN/A
Latitude 52881.19.3N/AN/AN/A
Latitude 52891.22.2N/AN/AN/A
Latitude 52901.16.3N/A7.2.0.2N/A
Latitude 5290 2-in-, A037.2.0.2N/A
Latitude 53001.14.0N/A74.64N/A
Latitude 5300 2-IN-, A0474.64N/A
Latitude 53101., A00N/AN/A
Latitude 5310 2-in-, A00N/AN/A
Latitude 53201.14.0N/AN/AN/A
Latitude 5320 2-in-11.14.0N/AN/AN/A
Latitude 54001., A0474.64N/A
Latitude 54011., A0474.64N/A
Latitude 54101., A01N/AN/A
Latitude 54111., A01N/AN/A
Latitude 54201.5.2N/AN/AN/A
Latitude 54801., A06N/AN/A
Latitude 54881., A06N/AN/A
Latitude 54901.16.3N/A7.2.0.2N/A
Latitude 54911., A047.2.0.2N/A
Latitude 54951.4.0N/AN/AN/A
Latitude 55001., A0474.64N/A
Latitude 55011., A0474.64N/A
Latitude 55101., A01N/AN/A
Latitude 55111., A01N/AN/A
Latitude 55201.5.1N/AN/AN/A
Latitude 55801., A06N/AN/A
Latitude 55901.16.3N/A7.2.0.2N/A
Latitude 55911., A047.2.0.2N/A
Latitude 7200 2-in-, A0374.64N/A
Latitude 7210 2 in, A01N/AN/A
Latitude 72751., A08N/AN/A
Latitude 72801., A06N/AN/A
Latitude 72901., A047.2.0.2N/A
Latitude 73001., A0474.64N/A
Latitude 73101., A01N/AN/A
Latitude 73201.5.0N/AN/AN/A
Latitude 73701., A08N/AN/A
Latitude 73801., A06N/AN/A
Latitude 73891.22.2N/AN/AN/A
Latitude 73901., A047.2.0.2N/A
Latitude 7390 2-in-, A047.2.0.2N/A
Latitude 74001., A0474.64N/A
Latitude 7400 2in11., A0374.64N/A
Latitude 74101., A01N/AN/A
Latitude 74201.5.0N/AN/AN/A
Latitude 74801., A06N/AN/A
Latitude 74901., A047.2.0.2N/A
Latitude 75201.5.0N/AN/AN/A
Latitude 94101., A01N/AN/A
Latitude 95101., A01N/AN/A
Latitude E52701.24.3N/AN/AN/A
Latitude E54701.24.3N/AN/AN/A
Latitude E55701., A08N/AN/A
Latitude E72701.27.3N/AN/AN/A
Latitude E7270 mobile thin client1.20.3,N/AN/AN/A
Latitude E74701.27.3N/AN/AN/A
Latitude Rugged 54201.12.0N/A7.2.0.2N/A
Latitude Rugged 54241.12.0N/A7.2.0.2N/A
Latitude Rugged 74241.12.0N/A7.2.0.2N/A
Latitude Rugged Extreme 74241.12.0N/AN/AN/A
Latitude Rugged Extreme Tablet 72201.9.1N/A74.64N/A
Latitude Rugged Extreme Tablet 7220EX1.9.1N/A74.64N/A
OptiPlex 30401.14.2N/AN/AN/A
OptiPlex 30461.11.1N/AN/AN/A
OptiPlex 30501.15.1N/AN/AN/A
OptiPlex 3050 AIO1.16.1N/AN/AN/A
OptiPlex 30601.9.1N/A7.2.0.2N/A
OptiPlex 30801.3.1N/AN/AN/A
OptiPlex 3090 Ultra1.0.10N/AN/AN/A
OptiPlex 3240 All-in-One1.11.1N/AN/AN/A
OptiPlex 50401.17.1N/AN/AN/A
OptiPlex 50501.15.1N/AN/AN/A
OptiPlex 5055 A-Serial1.2.9N/AN/AN/A
OptiPlex 5055 Ryzen APU1.2.8N/AN/AN/A
OptiPlex 5055 Ryzen CPU1.1.20N/AN/AN/A
OptiPlex 50601.9.1N/A7.2.0.2N/A
OptiPlex 50701.7.0N/AN/AN/A
OptiPlex 50801.3.10N/AN/AN/A
OptiPlex 5250 All-in-One1.16.1N/AN/AN/A
OptiPlex 5260 All-In-One1.12.0N/A7.2.0.2N/A
OptiPlex 5270 AIO1.7.0N/AN/AN/A
OptiPlex 5480 AIO1.4.0N/AN/AN/A
OptiPlex 70401.19.0N/AN/AN/A
OptiPlex 70501.15.1N/AN/AN/A
OptiPlex 70601.9.1N/A7.2.0.2N/A
OptiPlex 70701.7.2N/AN/AN/A
OptiPlex 7070 Ultra1.7.0N/AN/AN/A
OptiPlex 70711.7.2N/AN/AN/A
OptiPlex 70801.13.0N/AN/AN/A
OptiPlex 7090 Ultra1.0.10N/AN/AN/A
OptiPlex 7440 AIO1.14.1N/AN/AN/A
OptiPlex 7450 All-In-One1.16.1N/AN/AN/A
OptiPlex 7460 All-In-One1.12.0N/A7.2.0.2N/A
OptiPlex 7760 AIO1.12.0N/A7.2.0.2N/A
OptiPlex XE31.9.1N/A7.2.0.2N/A
Precision 17 M57501.7.2N/AN/AN/A
Precision 3240 CFF1.4.0N/AN/AN/A
Precision 3420 Tower2.17.1N/AN/AN/A
Precision 34401.13.0N/AN/AN/A
Precision 35101., A08N/AN/A
Precision 35201., A06N/AN/A
Precision 35301., A047.2.0.2N/A
Precision 35401., A0474.64N/A
Precision 35411., A0474.64N/A
Precision 35501., A01N/AN/A
Precision 35511., A01N/AN/A
Precision 35601.5.1N/AN/AN/A
Precision 3620 Tower2.17.1N/AN/AN/A
Precision 36401.4.3N/AN/AN/A
Precision 55101., A09N/AN/A
Precision 55201., A04N/AN/A
Precision 55301., A027.2.0.2N/A
Precision 5530 2-in-, A027.2.0.2N/A
Precision 55401., A027.2.0.2N/A
Precision 55501., A00N/AN/A
Precision 5720 AIO2.8.1N/AN/AN/A
Precision 5820 XL Tower2.8.0N/AN/AN/A
Precision 75201., A06N/AN/A
Precision 75301., A027.2.0.2N/A
Precision 75401., A03N/AN/A
Precision 75501., A01N/AN/A
Precision 77201., A06N/AN/A
Precision 77301., A027.2.0.2N/A
Precision 77401., A03N/AN/A
Precision 77501., A01N/AN/A
Vostro 13 53701.17.0N/AN/AN/A
Vostro 14 (5468)1.14.1N/AN/AN/A
Vostro 14 54711.17.0N/AN/AN/A
Vostro 15 (5568)1.14.1N/AN/AN/A
Vostro 15 75701., A05N/AN/A
Vostro 15 7580 G-Series1., A02N/AN/A
Vostro 30702.17.0N/AN/AN/A
Vostro 32671.15.1N/AN/AN/A
Vostro 32681.15.1N/AN/AN/A
Vostro 34001.4.0N/AN/AN/A
Vostro 34011.1.0N/AN/AN/A
Vostro 34702.17.0N/AN/AN/A
Vostro 34711.5.0N/AN/AN/A
Vostro 34801.12.0N/AN/AN/A
Vostro 34811.11.0N/AN/AN/A
Vostro 34901.10.0N/AN/AN/A
Vostro 34911.15.0N/AN/AN/A
Vostro 35001.4.0N/AN/AN/A
Vostro 35011.1.0N/AN/AN/A
Vostro 35801.12.0N/AN/AN/A
Vostro 35811.11.0N/AN/AN/A
Vostro 35831.12.0N/AN/AN/A
Vostro 35841.11.0N/AN/AN/A
Vostro 35901.10.0N/AN/AN/A
Vostro 35911.15.0N/AN/AN/A
Vostro 36601.15.1N/AN/AN/A
Vostro 36671.15.1N/AN/AN/A
Vostro 36681.15.1N/AN/AN/A
Vostro 36691.15.1N/AN/AN/A
Vostro 36702.17.0N/AN/AN/A
Vostro 36711.5.0N/AN/AN/A
Vostro 3681 1.3.1N/AN/AN/A
Vostro 36901.0.2N/AN/AN/A
Vostro 38811.3.1N/AN/AN/A
Vostro 38881.3.1N/AN/AN/A
Vostro 38901.0.2N/AN/AN/A
Vostro 50901.5.0N/AN/AN/A
Vostro 53001.5.0N/AN/AN/A
Vostro 53011.6.1N/AN/AN/A
Vostro 53901.10.0N/AN/AN/A
Vostro 53911.11.0N/AN/AN/A
Vostro 54011.5.3N/AN/AN/A
Vostro 54021.4.1N/AN/AN/A
Vostro 54101.5.1N/AN/AN/A
Vostro 54812.9.0N/AN/AN/A
Vostro 54901.12.0N/AN/AN/A
Vostro 54911.12.0N/AN/AN/A
Vostro 55011.5.1N/AN/AN/A
Vostro 55021.4.1N/AN/AN/A
Vostro 55812.9.0N/AN/AN/A
Vostro 55901.12.0N/AN/AN/A
Vostro 55911.12.0N/AN/AN/A
Vostro 58801.3.0N/AN/AN/A
Vostro 58901.0.2N/AN/AN/A
Vostro 75001., A01N/AN/A
Vostro 75901.8.0N/AN/AN/A
Wyse 50701.9.0N/A7.2.0.2N/A
Wyse 54701.6.0N/AN/AN/A
Wyse 5470 All-In-One1.7.0N/AN/AN/A
Wyse 7040 Thin Client1.10.1N/AN/AN/A
XPS 12 (9250), A08N/AN/A
XPS 13 (9360), A04N/AN/A
XPS 13 (9370), A047.2.0.2N/A
XPS 13 2-in-1 (9365), A03N/AN/A
XPS 13 73901., A01N/AN/A
XPS 13 7390 2-in-11.7.1N/A74.64N/A
XPS 13 93001.4.1N/A74.64N/A
XPS 13 93051.0.5N/AN/AN/A
XPS 13 93102.2.0N/AN/AN/A
XPS 13 9310 2-in-12.2.1N/AN/AN/A
XPS 13 93801., A027.2.0.2N/A
XPS 15 (9560), A04N/AN/A
XPS 15 2-in-1 (9575), A037.2.0.2N/A
XPS 15 95001., A00N/AN/A
XPS 15 95701., A027.2.0.2N/A
XPS 17 97001.7.2N/AN/AN/A
XPS 27 AIO (7760)2.8.1N/AN/AN/A
XPS 75901., A027.2.0.2N/A
XPS 89002.9.1N/AN/AN/A
XPS 89402.0.11N/AN/AN/A
Dell Dock WD15N/AN/AN/A1.0.8
Dell Dock WD19N/AN/AN/A01.00.15
Dell Thunderbolt Dock TB16N/AN/AN/A1.0.4
Dell Thunderbolt Dock TB18DCN/AN/AN/A1.0.10

Table B: End of Service Life Dell platforms with impacted firmware update utility packages, including BIOS update utilities, Thunderbolt firmware update utilities and TPM firmware update utilities.

Alienware 14Inspiron 580sOptiPlex 780
Alienware 17 51m r2Inspiron 620OptiPlex 790
Alienware Area 51Inspiron 660OptiPlex 9010
Alienware M14xr2Inspiron 660sOptiPlex 9020
Alienware M15 R4Inspiron 7359OptiPlex 9030 AIO
Alienware M17xr4Inspiron 7368OptiPlex 990
Alienware M18xr2Inspiron 7437OptiPlex Fx130
Asm100Inspiron 7520OptiPlex Fx170
Asm100r2Inspiron 7537OptiPlex Xe2
Cheng Ming 3967Inspiron 7548Precision 7510
Dell CanvasInspiron 7558Precision 7710
Dell Latitude 14 Rugged ExtremeInspiron 7559Precision M4600
Inspiron 1122Inspiron 7720Precision M4700
Inspiron 11-3162Inspiron 7737Precision M6600
Inspiron 1210Inspiron 7746Precision M6700
Inspiron 14-3452Inspiron One 19Precision R5500
Inspiron 14-5459Inspiron One 2020Precision T1700
Inspiron 15-3552Latitude 3150Precision T3500
Inspiron 1545Latitude 3160Precision T3600
Inspiron 15-5559Latitude 3310 2in1Precision T3610
Inspiron 15-5565Latitude 3330Precision T5500
Inspiron 1564Latitude 3340Precision T5600
Inspiron 15zLatitude 3350Precision T5610
Inspiron 17-5759Latitude 3440Precision T5810
Inspiron 20-3052Latitude 3450Precision T7500
Inspiron 2330Latitude 3460Precision T7600
Inspiron 24-3452Latitude 3460 Wyse TcPrecision T7610
Inspiron 24-3455Latitude 3550Precision T7810
Inspiron 24-5475Latitude 3560Precision T7910
Inspiron 3043Latitude 5250Vostro 14 3458
Inspiron 3048Latitude 5285Vostro 14-3446
Inspiron 3147Latitude 5450Vostro 1450
Inspiron 3157Latitude 5520Vostro 14-5459
Inspiron 3168Latitude 5550Vostro 15 3561
Inspiron 3252Latitude 7285Vostro 1550
Inspiron 3421Latitude 7350Vostro 20 3052
Inspiron 3437Latitude E5420Vostro 20 3055
Inspiron 3442Latitude E5430Vostro 220s
Inspiron 3443Latitude E5440Vostro 230
Inspiron 3520Latitude E5530Vostro 2521
Inspiron 3521Latitude E5540Vostro 260
Inspiron 3537Latitude E6220Vostro 270
Inspiron 3542Latitude E6230Vostro 270s
Inspiron 3543Latitude E6320Vostro 3010
Inspiron 3646Latitude E6330Vostro 3252
Inspiron 3647Latitude E6430Vostro 3560
Inspiron 3655Latitude E6430 AtgVostro 3800
Inspiron 3656Latitude E6440Vostro 3900
Inspiron 3847Latitude E6530Vostro 3900g
Inspiron 5323Latitude E6540Vostro 3901
Inspiron 5348Latitude E7240Vostro 3902
Inspiron 5423Latitude E7250Vostro 3905
Inspiron 5443Latitude E7270 Wyse TcVostro 470
Inspiron 5448Latitude E7440Vostro 5480
Inspiron 5485 2n1Latitude E7450XPS 13 9343
Inspiron 5520Latitude Xt3XPS 8700
Inspiron 5521OptiPlex 3010XPS 9350
Inspiron 5537OptiPlex 3011 AIOXPS 9530
Inspiron 5543OptiPlex 3020XPS One 2710
Inspiron 5548OptiPlex 3030 AIOXPS  13 9343
Inspiron 5576OptiPlex 390XPS 8700
Inspiron 5577OptiPlex 5055XPS 9350
Inspiron 5676OptiPlex 7010XPS 9530
Inspiron 5737OptiPlex 7020XPS 9550
Inspiron 5749OptiPlex 7090 UltraXPS ONE 2710

Source :

The cost of ransomware attacks: Why and how you should protect your data

As the COVID-19 pandemic ravaged the world in 2020, ransomware attacks grew to epidemic proportions of their own. Almost every day, both large and small companies across every industry — all lacking ransomware protection — were attacked. Now with incidents on the rise, organizations are rushing to implement data protection strategies to reduce their exposure.

By 2031, ransomware is likely to cost victims more than $250 billion annually, with a new attack occurring every 2 seconds.1

But, while everyone can agree that ransomware is a major threat, what are the actual costs that come with a ransomware attack? And, more importantly, what can you do to defend yourself from them?

What is ransomware?

Ransomware is malicious software (malware) used in a cyberattack to encrypt a victim’s data with a key known only to the attacker, rendering the data unusable until a ransom payment (usually cryptocurrency like Bitcoin) is paid by the victim. Ransomware activity has become pervasive, impacting 50% of organizations in 2020.2

Recently, however, ransomware incidents have become even more insidious. In the past, attackers would simply force companies to pay a ransom to unlock data. Today, 70% of occurrences employ double extortion tactics, where attackers exfiltrate and steal sensitive company information to coerce companies to pay even more.3 If payment isn’t made, the attackers leak the data onto the dark web.

The real costs of ransomware attacks

Ransomware has many costs, from the ransom amount to the costs of recovering from the occurrence to the damage to your organization’s brand. All of the costs add up to significant amounts and can take a major toll on your business.

Ransom costs

2020 was a very good year for ransomware attackers. The number of companies willing to pay increased, as did the size of the payouts.

Remediation costs

Beyond the ransom itself, there are the costs it takes to recover from an attack — including investing in IT resources to rebuild servers and recover data. There are also the costs of the disruption to the business, like lost revenue incurred from downtime.

Intangible costs: more than money

Beyond the direct costs of ransom and remediation, there are the soft costs of PR fiascos, brand erosion, and the reduced confidence of customers and partners. In addition, boards of directors and governments are starting to require immediate reporting of cybersecurity incidents, which take resources and incur more costs. For example, the U.S. Transportation Security Administration (TSA) will require pipeline companies to report incidents within 12 hours.

Using a modern cloud-native security solution for ransomware protection

While ransomware attacks are on the rise — and more costly than ever — there are risk mitigation strategies that you can take to defend against attacks and other cybersecurity threats. Cisco Umbrella, the cloud-native, multi-function security service, unifies firewall, secure web gateway (SWG), DNS-layer security, cloud access security broker (CASB), and threat intelligence into a single cloud service to help businesses of all sizes secure their network against ransomware and cybersecurity threats.

So, how exactly does Cisco Umbrella provide ransomware protection?

Blocks the first phase of attack — malicious internet requests at the DNS layer

Ransomware attackers need to stage internet infrastructure before they can launch an attack. Cisco Umbrella stops ransomware attacks early by blocking internet connections to the malicious sites that serve up ransomware. Cisco Umbrella enforces security at the DNS and IP layers, processing 220 billion internet requests for more than 20,000 businesses every day, preventing users from ever accessing most malicious content sites.

Unifies other security services for robust protection — anywhere and everywhere

With users accessing data and apps both on and off network and on many types of devices, ransomware security needs to be everywhere. Instead of a variety of individual standalone security solutions, Cisco Umbrella combines DNS-layer, firewall, SWG, CASB, and threat intelligence functions into a single cloud service to help businesses of all sizes secure their users, applications, and data, wherever they are.

Leverages unmatched threat intelligence

The best defense is a good offense. Cisco Umbrella uses intelligence from Cisco Talos, one of the largest commercial threat intelligence teams in the world, to offensively discover and block new threats before they become attacks. In addition, backed by more than 300 researchers, Cisco Umbrella uncovers and blocks a broad spectrum of malicious domains, IPs, URLs, and files being used in attacks.

Delivers proven performance against threats

Cisco Umbrella has a track record of tried-and-tested threat detection and security efficacy, backed by third-party validation. AV-TEST, an independent security organization, conducted a study of threat efficacy among leading cloud security vendors. Cisco Umbrella received top marks across the board, with a 96.39% threat detection rate — the highest in the industry.10

Take preventative action to defend your data

Ransomware attacks and their associated costs pose a serious threat to your business. But there are ways to defend against ransomware and mitigate the risks. Cisco Umbrella uses multiple, advanced security functions to provide protection from ransomware and other security threats. Want to learn even more about how to defend your data? Download the Ransomware Defense for Dummies ebook.

1 Brave, David, Global Ransomware Damage Costs Predicted to Reach $250 Billion (USD) by 2031, Cyber Security Ventures, June 1, 2021.
2 2021 Cyber security threat trends – phishing, crypto top the list, Cisco, June 1, 2021.
3 Brave, David, Global Ransomware Damage Costs Predicted to Reach $250 Billion (USD) by 2031, Cyber Security Ventures, June 1, 2021.
4 Highlights from the 2021 Unit 42 Ransomware Threat Report, Palo Alto Networks, March 17, 2021.
5 Highlights from the 2021 Unit 42 Ransomware Threat Report, Palo Alto Networks, March 17, 2021.
6 Yeap, Yuen Pin, Why Ransomware Costs Businesses Much More Than Money, Forbes, April 30, 2021.
7 Scroxton, Alex, Average Ransomware Cost Triples, Says Report, Computer Weekly, March 17, 2021.
8 Yeap, Yuen Pin, Why Ransomware Costs Businesses Much More Than Money, Forbes, April 30, 2021.
9 Andrus, Danielle, Ransomware Incidents, Costs On the Rise, and No Target Is Too Small, Benefits Pro, May 5, 2021.
10 DNS-Layer Protection & Secure Web Gateway Security Efficacy Test, AV-TEST, February 2021.

Source :

Supply Chain Attacks from a Managed Detection and Response Perspective


Modern technology has made managing large IT environments much less daunting compared to the past, when each endpoint had to be manually configured and maintained. Many organizations now use tools and IT solutions that allow centralized management of endpoints, making it possible to update, troubleshoot, and deploy applications from a remote location.

However, this convenience comes at a price — just as IT staff can access machines from a single location, the centralized nature of modern tech infrastructure also means that malicious actors can target the primary hub to gain access to the whole system.  Even more concerning, cybercriminals no longer even have to launch a direct attack against an organization — they can bypass security measures by focusing on their target’s supply chain. For example, instead of trying to find weak points in the system of a large organization that will likely have strong defenses, an attacker can instead target smaller companies that develop software for larger enterprises.

In this blog entry, we will take a look at two examples of supply chain attacks that our Managed Detection and Response (MDR) team encountered in the past couple of months.

Incident #1: Attack on the Kaseya platform

On July 2, during the peak of the Kaseya ransomware incident, we alerted one of our customers, notifying them about  ransomware detections in their system.  

Figure 1. The timeline of the incident

Our investigation found suspicious activity when the file AgentMon.exe, which is part of the Kaseya Agent, spawned another file, cmd.exe, that is responsible for creating the payload agent.exe, which in turn dropped MsMpEng.exe

By expanding our root cause analysis (RCA) and checking the argument for cmd.exe, we were able to see a few items before the execution of the ransomware. These initial set of indicators of compromise (IoCs) are similar to the ones discussed in another blog post.

Figure 2. Vision One console showing the attack’s infection chain

We found that the malware attempted to disable the anti-malware and anti-ransomware features of Windows Defender via PowerShell commands. It also created a copy of the Windows command line program Certutil.exe to “C:\Windows\cert.exe”, which is used to decode the payload file agent.crt, with the output given the name agent.exe.  Agent.exe is then used to create the file MsMpEng.exe, a version of Windows Defender that is vulnerable to DLL side-loading.

Figure 3. Details of the threat

Machine learning detection capabilities managed to block and detect the ransomware, however, the protection module was not activated in all the security agents of Trend Micro Apex One™ — so the organization’s support requested the team to check their product settings. Because the process chain showed that the ransomware came from a Kaseya agent, we  requested our customer to isolate the Kaseya servers to contain the threat.

A few hours later, Kaseya released a notice to their users to immediately shut down their Virtual System/Server Administrator (VSA) server until further notice.

Incident #2: Credential dumping attack on the Active Directory

The second supply chain incident handled by our MDR team starts with an alert to a customer that notified them of a credential dump occurring in their active directory (AD). The Incident View in Trend Micro Vision One™️ aggregated other detections into a single view, providing additional information on the scope of the threat. From there, we were able to see a server, an endpoint, and a user related to the threat.

Figure 4. Vision One’s incident view showing the threat’s details

Our threat hunting team also noted suspicious behavior related to WmiExec. Further investigation of the affected hosts’ Ownership Alignment Tools (OATs) show a related entry for persistence:

  • C:\Windows\System32\schtasks.exe /CREATE /RU SYSTEM /SC HOURLY /TN “Windows Defender” /TR “powershell.exe C:\Windows\System.exe -L rtcp:// -F mwss://” /ST 12:00
Figure 5. OAT flagging a suspicious creation of a scheduled task

We found scheduled tasks being utilized as a persistence mechanism for the file System.exe. Further analysis of this file shows that it is related to GO simple tunnel, which is used to forward network traffic to an IP address depending on the argument.

Checking the initial alert revealed a file common in the two hosts, which prompted us to check the IOC list to determine the other affected hosts in the environment.

Figure 6. Discovery commands and access to a malicious domain evident in the process chain

Expanding the nodes from the RCA allowed us to gather additional IOCs that showed setup0.exe creating the file elevateutils.exe. In addition, elevateutils.exe was seen querying the domain vmware[.]center, which is possibly the threat’s command-and-control (C&C) server. We also discovered the earliest instance of setup0.exe in one of the hosts.

The samples setup0.exe is an installer for elevateutils.exe which seems to be a Cobalt Strike Beacon Malleable C&C stager based on our analysis. The installer may have been used to masquerade as a normal file installation. 

Figure 7. The presence of EICAR strings is an indicator of it being of elevateutils.exe being a Cobalt Strike Beacon

The stager elevateutils.exe: will try to load the DLL chartdir60.dll, which will in turn read the contents of manual.pdf (these are also dropped by the installer in the same directory as elevateutil.exe). It will then decrypt, load, and execute a shell code in memory that will access the URL vmware[.]center/mV6c.

It makes use of VirtualAlloc, VirtualProtect, CreateThread, and a function to decrypt the shellcode to load and execute in memory. It also uses indirect API calls after decryption in a separate function, then uses JMP EAX to call the function as needed, which is not a routine or behavior that a normal file should have.

Since it’s possible that this is a Cobalt Strike Malleable C&C stager, further behaviors may be dependent on what is downloaded from the accessed URL. However, due to being inaccessible at the time of writing this blog post, we were unable to observe and/or verify other behaviors.

Use of the Progressive RCA of Vision One allowed us to see how elevateutils.exe was created, as well as its behaviors. The malicious file was deployed via a Desktop Central agent.

Figure 8. Viewing the behaviors of elevateutils.exe
Figure 9. The console showing the attack’s infection chain

Based on these findings, our recommendation to the customer was to check the logon logs of the affected application to verify any suspicious usage of accounts during the time the threat was deployed.

By closely monitoring the environment, the threat was stopped after the credential dump. Furthermore, the IOCs (IP addresses and hashes) were added to the suspicious objects list to block them while waiting for detections. Further monitoring was done and no other suspicious behavior were seen.

Defending against supply chain attacks

As businesses become more interconnected, a successful supply chain attack has the potential to cause a significant amount of damage to affected organizations.  We can expect to see more of these in the future, as they often lead to the same results as a direct attack while providing a wider attack surface for malicious actors to exploit.

Supply chain attacks are difficult to track because the targeted organizations often do not have full access to what’s going on security-wise with their supply chain partners. This can often be exacerbated by security lapses within the company itself. For example, products and software may have configurations — such as folder exclusions and suboptimal implementation of detection modules — that make threats more difficult to notice.

Security audits are also a very important step in securing the supply chain.  Even if third party vendors are known to be trustworthy, security precautions should still be deployed in case there are compromised accounts or even insider threats.

Using Vision One to contain the threat

Trend Micro Vision One provides offers organizations the ability to detect and respond to threats across multiple security layers. It provides enterprises options to deal with threats such as the ones discussed in this blog entry:

  • It can Isolate endpoints, which are often the source of infection, until they are fully cleaned or the investigation is done.
  • It can block IOCs related to the threat, this includes hashes, IP addresses, or domains found during analysis.
  • It can collect files for further investigation.

Indicators of Compromise (IoCs)

Incident # 1


SHA256Detection nameDetails

Incident # 2

SHA256Detection nameDetails
116af9afb2113fd96e35661df5def2728e169129bedd6b0bb76d12aaf88ba1ab Trojan.Win32.COBALT.AZSetup0.exe

IP addresses and domains

  • 185[.]215[.]113[.]213
  • vmware[.]center

    Source :

Using DNS-layer security to detect and prevent ransomware attacks

This year has seen a dramatic uptick in ransomware attacks, with high-profile incidents like the Colonial Pipeline attack or the Kaseya attack dominating news cycles. The frequency and cost of these attacks have prompted many cybersecurity professionals to investigate more robust ransomware protection solutions, like DNS-layer security. But how can you make sure your organization’s security posture is as effective as possible? That’s the question we set out to answer during our Black Hat 2021 session: Using DNS-layer security to detect and block dangerous campaigns.

At Cisco Umbrella, we’ve seen plenty of cyberattacks play out across vulnerable networks. Using the data we’ve gathered while researching emerging threats – including the recent wave of ransomware attacks – our team has developed a set of solutions that maximize our use of recursive DNS servers to improve security across networks. We’re confident that this approach to DNS-layer security can help keep your network safe from bad actors as well.

Did you miss our talk? Don’t worry – you can view the recorded session online or read the highlights below:

Observing DNS-layer activity can help you identify sophisticated threats

The Domain Name System (DNS) allows clients to connect to websites, perform software updates, and use many of the applications organizations rely on. Unfortunately, the DNS layer is also one of the least secure aspects of many networks: DNS packets are rarely inspected by security protocols and they pass easily through unblocked ports. So, it only makes sense that today’s sophisticated threats – including ransomware attacks – tend to operate at the DNS layer.

Of course, just because most security teams pay little attention to DNS-layer activity doesn’t mean that you have to do the same. In fact, you can configure your recursive DNS servers to gather data useful for designing and implementing proprietary defense algorithms or performing threat hunting at scale. For example, the Cisco Umbrella DNS resolvers gather data:

  • From authoritative DNS logs that can reveal potential attacks through newly staged infrastructures, BulletProofHostings, and malicious domains, IPs, and ASNs
  • From user request patterns that can reveal in-progress attacks through compromised systems and command and control callbacks

While partnering with a prosumer DNS-layer security provider like Cisco Umbrella is always an option when it comes to data gathering, we go into more detail on configuring your own recursive DNS servers to gather this data during our presentation.

Understanding how ransomware attacks happen can help you either prevent or mitigate threats

While the exact tactics, techniques, and procedures (TTPs) vary from scenario to scenario, most ransomware attacks tend to follow the same basic flow:

  • A client navigates to a compromised domain on the Internet, accidentally downloading a weaponized file containing a malicious program
  • The file launches an event chain designed to establish a post-exploitation framework on the affected network
  • The malicious program moves laterally to other computers on the network
  • Multiple computers are infected by the ransomware program, which encrypts all business-critical data

Starting in 2020, most ransomware attacks have added another step to the process: data exfiltration. Before encryption, the program transports business-critical data from the client’s network to the threat actor using DNS tunnels. This allows the threat actor to place additional leverage on their victim – instead of simply losing their data, companies find themselves facing the prospect of having that data leaked online or sold to the highest bidder on the dark web.

What’s more, since ransomware attacks can take as little as five hours to execute, detecting an in-progress attack can be difficult unless you have a strong DNS-layer security system designed to recognize these attacks.

Popular tools used in ransomware attacks rely on DNS-layer activity

Earlier, we mentioned how most ransomware attackers make use of the fact that network administrators don’t secure DNS-layer activity. In fact, we’ve observed that some of the most common attack frameworks rely heavily on DNS tunneling, both to gain a foothold across the network and to allow the threat actor to exfiltrate data or execute command and control attacks.

Examples of the attacks that make use of DNS tunneling techniques include:

  • The DNS beacon that originated in the CobaltStrike penetration testing tool used in most high profile ransomware attacks
  • Supply-Chain attack SUNBURST used DNS tunnelling during post-exploitation
  • APT group OilRig heavily leverages Data exfiltration through DNS tunnels in its cyber espionage campaigns

In our presentation, we go into more detail on the way these frameworks have been used by threat actors in the past and how they might be used in the future. But the common element these frameworks share – the use of DNS activity – is enough to suggest that DNS-layer security may become more important than ever as we prepare for upcoming attacks.

The strongest ransomware protection combines attack prevention and attack mitigation tactics

We’ve talked a lot about how the data gathered from recursive DNS servers can help identify threats. But DNS-layer security goes further than information gathering; a strong security posture should also help protect networks from attacks. At Cisco Umbrella, we configure our recursive DNS servers to do this in two ways: by preventing clients from connecting to suspicious domains – stopping attacks before they start – and by detecting unusual DNS-layer activity that could indicate an in-progress attack – allowing security teams to isolate infected systems and mitigate the damage.

Ransomware protection that prevents attacks

Using DNS-layer security to prevent ransomware attacks from occuring in the first place is an approach that many organizations favor, and with good reason: This tactic prevents any post-exploitation losses.

While the algorithms used by traditional recursive DNS servers will flag certain risky domains, this built-in defense often leaves much to be desired. It evaluates the domain’s age and reputation when determining whether a client should be allowed to connect to it, but allows bad actors to bypass these DNS-layer security protocols using staged domains in good repute.

At Cisco Umbrella, we work around this shortcoming by configuring our recursive DNS servers to flag any anomalous domains for deeper review before allowing clients to connect. This approach weeds out many more dangerous domains, minimizing the window of time in which a user is vulnerable from around 24 hours to mere minutes.

While the Cisco Umbrella team provides this service as part of our DNS-layer security offerings, we also discuss how you can configure your own resolvers to behave similarly in our presentation.

Ransomware protection that identifies in-progress attacks

While preventing the initial compromise may be the ideal form of protection, this approach is not a silver bullet. The tactics employed by threat actors constantly evolve, making it possible for certain ransomware attacks to slip past even the most tightly woven nets. This is why your DNS-layer security solution should also contain protocols that help it detect in-progress attacks.

For those looking to secure DNS activity, this involves incorporating a system that flags any anomalous DNS tunneling in a network. As mentioned earlier, most ransomware attacks make use of DNS tunneling to establish both bi-directional and unidirectional communication between an attacker and the systems on your network. If the DNS activity isn’t secure, this allows the threat actor to stay under the radar until their attack is nearly executed. But if your DNS-layer security solution carefully monitors network DNS activity, you can start mitigating the effects of an attack before they become catastrophic.

Cisco Umbrella offers DNS-layer security that helps protect clients from threats now and in the future

At Cisco Umbrella, we strive to offer customers the best protection possible by combining multiple detection and remediation techniques that help them prepare for the threats coming their way. This includes reactive DNS-layer security algorithms, real-time heuristics, and real-time behavioral detection. What’s more, we strive for as much transparency as possible, providing our clients with real-time statistics which we used when deciding to block connection to a domain.

Want to learn more about how Cisco Umbrella makes use of DNS-layer security to protect clients from ransomware attacks? Listen to our full Black Hat 2021 presentation!

Source :

Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities

Ransomware operators such as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims and spread laterally across a victim’s network to deploy file-encrypting payloads on targeted systems.

“Multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward,” Cisco Talos said in a report published Thursday, corroborating an independent analysis from CrowdStrike, which observed instances of Magniber ransomware infections targeting entities in South Korea.

While Magniber ransomware was first spotted in late 2017 singling out victims in South Korea through malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, primarily targeting public school districts and other educational institutions. The attacks are said to have taken place since at least July 13.

Since June, a series of “PrintNightmare” issues affecting the Windows print spooler service has come to light that could enable remote code execution when the component performs privileged file operations –

  • CVE-2021-1675 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)
  • CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)
  • CVE-2021-34481 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36947 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-34483 – Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
  • CVE-2021-36958 – Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)

CrowdStrike noted it was able to successfully prevent attempts made by the Magniber ransomware gang at exploiting the PrintNightmare vulnerability.

Vice Society, on the other hand, leveraged a variety of techniques to conduct post-compromise discovery and reconnaissance prior to bypassing native Windows protections for credential theft and privilege escalation.

Specifically, the attacker is believed to have used a malicious library associated with the PrintNightmare flaw (CVE-2021-34527) to pivot to multiple systems across the environment and extract credentials from the victim.

“Adversaries are constantly refining their approach to the ransomware attack lifecycle as they strive to operate more effectively, efficiently, and evasively,” the researchers said. “The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks.”

Source :

Bugs in Managed DNS Services Cloud Let Attackers Spy On DNS Traffic

Cybersecurity researchers have disclosed a new class of vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could allow attackers to exfiltrate sensitive information from corporate networks.

“We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google,” researchers Shir Tamari and Ami Luttwak from infrastructure security firm Wiz said.

Calling it a “bottomless well of valuable intel,” the treasure trove of information contains internal and external IP addresses, computer names, employee names and locations, and details about organizations’ web domains. The findings were presented at the Black Hat USA 2021 security conference last week.

“The traffic that leaked to us from internal network traffic provides malicious actors all the intel they would ever need to launch a successful attack,” the researchers added. “More than that, it gives anyone a bird’s eye view on what’s happening inside companies and governments. We liken this to having nation-state level spying capability – and getting it was as easy as registering a domain.”

The exploitation process hinges on registering a domain on Amazon’s Route53 DNS service (or Google Cloud DNS) with the same name as the DNS name server — which provides the translation (aka resolution) of domain names and hostnames into their corresponding Internet Protocol (IP) addresses — resulting in a scenario that effectively breaks the isolation between tenants, thus allowing valuable information to be accessed.

In other words, by creating a new domain on the Route53 platform inside AWS name server with the same moniker and pointing the hosted zone to their internal network, it causes the Dynamic DNS traffic from Route53 customers’ endpoints to be hijacked and sent directly to the rogue and same-named server, thus creating an easy pathway into mapping corporate networks.

“The dynamic DNS traffic we wiretapped came from over 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies,” the researchers said. “The data included a wealth of valuable intel like internal and external IP addresses, computer names, employee names, and office locations.”

While Amazon and Google have since patched the issues, the Wiz research team has also released a tool to let companies test if their internal DDNS updates are being leaked to DNS providers or malicious actors.

Source :

PrintNightmare, Critical Windows Print Spooler Vulnerability

Updated July 1, 2021) See Microsoft’s new guidance for the Print spooler vulnerability (CVE-2021-34527) and apply the necessary workarounds. 

(Original post June 30, 2021) The CERT Coordination Center (CERT/CC) has released a VulNote for a critical remote code execution vulnerability in the Windows Print spooler service, noting: “while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.” An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system.

CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print. Additionally, administrators should employ the following best practice from Microsoft’s how-to guides, published January 11, 2021: “Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.” 

Source :

Windows Print Spooler Remote Code Execution Vulnerability

CVE-2021-34527On this pageSecurity Vulnerability

Released: 1 lug 2021Assigning CNA:Microsoft

MITRE CVE-2021-34527

Executive Summary

Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability. This is an evolving situation and we will update the CVE as more information is available.

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attack must involve an authenticated user calling RpcAddPrinterDriverEx().

Please ensure that you have applied the security updates released on June 8, 2021, and see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.


The following table provides an exploitability assessment for this vulnerability at the time of original publication.Publicly DisclosedExploitedExploitability AssessmentYesYesExploitation Detected


Determine if the Print Spooler service is running (run as a Domain Admin)

Run the following as a Domain Admin:

Get-Service -Name Spooler

If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

Option 1 – Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 – Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

For more information see: Use Group Policy settings to control printers.


Is this the vulnerability that has been referred to publicly as PrintNightmare?

Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability.

Is this vulnerability related to CVE-2021-1675?

This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.

Did the June 2021 update introduce this vulnerability?

No, the vulnerability existed before the June 2021 security update. Microsoft strongly recommends installing the June 2021 updates.

What specific roles are known to be affected by the vulnerability?

Domain controllers are affected. We are still investigating if other types of roles are also affected.

All versions of Windows are listed in the Security Updates table. Are all versions exploitable?

The code that contains the vulnerability is in all versions of Windows. We are still investigating whether all versions are exploitable. We will update this CVE when that information is evident.

Why did Microsoft not assign a CVSS score to this vulnerability?

We are still investigating the issue so we cannot assign a score at this time.

Why is the severity of this vulnerability not defined?

We are still investigating. We will make this information available soon.


Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgements for more information.

Source :

Amazon Prime Day: Big Sales, Big Scams

Malicious actors taking advantage of important events is not a new trend. For example, a large number of tax-related scams pops up every tax season in the US, with threats ranging from simple phishing emails to the use of scare tactics that lead to ransomware. More recently,  Covid-19 has led to a surge in pandemic-related malicious campaigns, mostly arriving via email.

For many people, major online shopping events such as the annual Amazon Prime day — which falls on June 21 this year — presents a unique opportunity to purchase goods at heavily discounted prices. However, shoppers are not the only ones looking to benefit — cybercriminals are also looking to prey on unsuspecting victims via social engineering and other kinds of scams. Amazon Prime has experienced tremendous growth over the past two years. According to estimates, there were 150 million Prime members at the end of the fourth quarter of 2019, a number which grew to 200 million by the first quarter of 2021 — with around 105 million users in the US alone. This makes Amazon Prime customers a particularly lucrative target for malicious actors.

As Amazon Prime day approaches, we’d like to build awareness among the shopping public by showing some of the related scams we’ve observed over the past few months.

Amazon Prime Scams

In 2020, Amazon Prime day, which is usually held in June or July, was postponed to October due to Covid-19. That same month, the Australian Communications and Media Authority (ACMA) issued an alert warning the public that they had been receiving reports of scammers — impersonating Amazon Prime staff — calling their targets, claiming that they owed money to Amazon. They also warned the victim that funds would be taken from their bank account if they did not act immediately. Often, the goal of these scammers is to retrieve Amazon account details and personal data from their victims by asking them to go online and enter the relevant information.

A variation of this scam involves swindlers calling their targets and presenting them with a recorded message, allegedly from Amazon, notifying call recipients of an issue with their order — such as a lost package or an unfulfilled order. The victims would then be invited to either press the number “1” button on their phone or provided a number that they would need to call. As with the first scam, the goals are the same: gaining personal information.

Aside from phone call scams, malicious actors also use tried-and-tested email-based phishing tactics. One method uses fake order invoices with corresponding phony order numbers and even a bogus hotline number, which, once called, will prompt the recipient to enter their personal details.

Another technique involves the scammer notifying an Amazon Prime user of problems with their account: For example, a Twitter post from user VZ NRW – Phishing shows fake Amazon Prime message warning the recipient that their Prime benefits have allegedly been suspended due to a problem with the payment. The message also contains a fake phishing link that the user would have to click to resolve the issue.  

Figure 1. An example of an email scam, coming from “Amazon Prime” complete with a fake order ID and hotline number. Note the suspicious email address used by the sender containing a misspelled “Amazon.”

hotline number. Note the suspicious email address used by the sender containing a misspelled “Amazon.”

Malicious actors will also make use of fake websites and online forms — many of which are painstakingly crafted to match the official sites as much as possible. One phishing website asks users to confirm payment details by filling out certain information. However, despite looking authentic, the page contains plenty of red flags — for example, none of the outbound links actually work, and the forms used in the page requests more data than usual, including personal information that companies typically never ask users to provide.

A precursory search in VirusTotal using the strings “Amazon” and “Prime” reveal over a hundred PDF files, many of which contain movie names (membership in Amazon Prime also makes users eligible for Prime Video). These PDF files are hosted on various cloud services, with the link to these files typically distributed via malicious emails.

Figure 2. VirusTotal results using “Amazon” and “Prime” search strings

Upon opening some of these files, a Captcha button appears, which will activate a malicious redirection chain when clicked.

Figure 3. Captcha button that appears when clicking some of the VirusTotal samples.

While it’s easy to assume that most of these scammers are single individuals or small groups looking for a quick buck, there are certain threat actor groups that use sophisticated social engineering techniques for their campaigns, which includes Amazon users as a primary target.

The Heatstroke phishing campaign

We first encountered the phishing campaign known as Heatstroke back in 2019, noting that the group behind the campaign utilized complex techniques for both researching about and luring in their victims, which were primarily Amazon and Paypal users.

For example, compared to the webpage from the previous section, Heatstroke makes use of a phishing website with multiple working screens and subpages to try and mimic a legitimate website as much as possible. In addition, Heatstroke implements various obfuscation techniques such as forwarding the phishing kit content from another location or changing the landing page to bypass content filters.

Figure 4. Heatstroke’s infection chain, which they have been using since 2019

The threat actor has implemented some improvements over the past two years — such as expanded IP ranges and improvements to user agents and the kit’s “self-defense” mechanisms (coverage of scams, anti-bot, and IP protection services), as well as the addition of an API and kill date, after which the kit won’t work anymore. 

Heatstroke remains active with a well-maintained infrastructure in 2021. The threat actor largely uses the same techniques from the past. However, it might be a case of not fixing what isn’t broken, given how effective the previous campaigns proved to be.

Defending against scams

As exciting as Amazon Prime Day (and other similar shopping extravaganzas like Black Friday and Cyber Monday) is, the public should remain vigilant against potential scams, as cybercriminals are looking to capitalize on these types of events.

The following best practices and recommendations can help individuals avoid these kinds of scams:

  • Most reputable organizations will never ask for sensitive financial information over the phone. If a caller allegedly coming from Amazon or another company asks for strangely specific information such as credit card or bank account numbers, this is an automatic red flag.
  • Be wary of out-of-context emails. If you receive an email referencing an item you did not purchase, then it is highly likely that the email is a phishing attempt. Refrain from downloading attachments or clicking links in suspicious emails, as these can lead to malware infections.
  • Scan emails for typographical or grammatical mistakes. Legitimate emails will always be thoroughly checked and edited before being sent, therefore even small errors are possible signs of a malicious email.
  • Always double check the URL of a website to see if it matches up with the real one. For example, Amazon websites and subpages will always have a dot before “” (for example, “” versus “”), therefore, even if a website copies the design of the legitimate one, a sketchy URL will often give it away as being malicious. In the same vein, email addresses should be scrutinized to see if they look suspicious or have any unusual elements.
  • Organizations are also encouraged to regularly check the awareness of employees on the latest cyberthreats via Trend Micro Phish Insight, a cloud-based security awareness service that is designed to empower employees to protect themselves and their organization from social engineering-based attacks.

Source :–big-scams.html

Wordfence is now a CVE Numbering Authority (CNA)

Today, we are excited to announce that Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.

WordPress powers over 40% of the World Wide Web in 2021. By becoming a CNA, Wordfence expands our ability to elevate and accelerate WordPress security research. This furthers our goal of helping to protect the community of WordPress site owners and developers, and the millions of website users that access WordPress every day.

What is a CNA?

The acronym CNA stands for CVE Numbering Authority. A CNA is an organization that has the authority to assign CVE IDs to vulnerabilities for a defined scope. As a CNA, Wordfence can assign CVE IDs to WordPress Plugins, Themes, and Core Vulnerabilities.

What is a CVE?

CVE is an international, community-based effort and relies on the community to discover vulnerabilities. The vulnerabilities are discovered then assigned and published to the CVE List. The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog.

What does this mean for Wordfence customers?

As the Wordfence Threat Intelligence team continues to produce groundbreaking WordPress security research, Wordfence can more efficiently assign CVE IDs prior to publicly disclosing any vulnerabilities that our team discovers. This means that a CVE ID will be immediately assigned with every vulnerability we discover rather than waiting for an assignment from an external CNA.

To report a vulnerability, even if there is uncertainty about the responsible disclosure process, proof of concept production, or mitigation review procedures, the Wordfence Threat Intelligence team is available to assist. Our highly credentialed team has expertise and experience in proper security disclosure and can assist in ensuring that adequate remediation of vulnerabilities, no matter the severity, are applied and verified. As the original researcher, you receive the CVE ID and public credit for your discovery. You will also receive thanks from the users and community that you have protected through your responsible disclosure. Please reach out to us and we will be happy to assist.

How to report vulnerabilities to Wordfence for CVE assignment and publication?

To report a vulnerability to Wordfence for a WordPress plugin, WordPress theme, or WordPress core, please reach out to with the vulnerability information. Please include the following details:

  • A concise description of the vulnerability.
  • A proof of concept – that is, how the vulnerability could potentially be exploited.
  • What software component in our scope is affected – namely, which plugin or theme is affected, or which part of WordPress core.
  • The version number(s) affected.
  • The name(s) of individuals you would like credited for the discovery – or indicate if you would like to remain anonymous.
  • Any other additional information as appropriate.

The Wordfence Threat Intelligence team will review your findings and report back within 1-3 business days with a CVE ID assignment, or a request for additional information.

Community engagement and outreach at Wordfence has helped accelerate our efforts to secure the global WordPress community. Becoming a CNA has helped further this goal. Our team looks forward to expediting our own research and helping to encourage and enable new researchers to join the growing community of people who discover and responsibly disclose WordPress vulnerabilities. Together we can work towards a safer Web for all.

Source :