Wifi Archives - Page 19 of 33 - Appunti dalla rete

Everything you might have missed during Cloudflare’s Impact Week 2022

And that’s a wrap! Impact Week 2022 has come to a close. Over the last week, Cloudflare announced new commitments in our mission to help build a better Internet, including delivering Zero Trust services for the most vulnerable voices and for critical infrastructure providers. We also announced new products and services, and shared technical deep dives.

Were you able to keep up with everything that was announced? Watch the Impact Week 2022 wrap-up video on Cloudflare TV, or read our recap below for anything you may have missed.

Product announcements

Blog	Summary
Cloudflare Zero Trust for Project Galileo and the Athenian Project	We are making the Cloudflare One Zero Trust suite available to teams that qualify for Project Galileo or Athenian at no cost. Cloudflare One includes the same Zero Trust security and connectivity solutions used by over 10,000 customers today to connect their users and safeguard their data.
Project Safekeeping – protecting the world’s most vulnerable infrastructure with Zero Trust	Under-resourced organizations that are vital to the basic functioning of our global communities (such as community hospitals, water treatment facilities, and local energy providers) face relentless cyber attacks, threatening basic needs for health, safety and security. Cloudflare’s mission is to help make a better Internet. We will help support these vulnerable infrastructure by providing our enterprise-level Zero Trust cybersecurity solution to them at no cost, with no time limit.
Cloudflare achieves FedRAMP authorization to secure more of the public sector	We are excited to announce our public sector suite of services, Cloudflare for Government, has achieved FedRAMP Moderate Authorization. The Federal Risk and Authorization Management Program (“FedRAMP”) is a US-government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
A new, configurable and scalable version of Geo Key Manager, now available in Closed Beta	At Cloudflare, we want to give our customers tools that allow them to maintain compliance in this ever-changing environment. That’s why we’re excited to announce a new version of Geo Key Manager — one that allows customers to define boundaries by country, by region, or by standard.

Technical deep dives

Blog	Summary
Cloudflare is joining the AS112 project to help the Internet deal with misdirected DNS queries	Cloudflare is participating in the AS112 project, becoming an operator of the loosely coordinated, distributed sink of the reverse lookup (PTR) queries for RFC 1918 addresses, dynamic DNS updates and other ambiguous addresses.
Measuring BGP RPKI Route Origin Validation	The Border Gateway Protocol (BGP) is the glue that keeps the entire Internet together. However, despite its vital function, BGP wasn’t originally designed to protect against malicious actors or routing mishaps. It has since been updated to account for this shortcoming with the Resource Public Key Infrastructure (RPKI) framework, but can we declare it to be safe yet?

Customer stories

Blog	Summary
Democratizing access to Zero Trust with Project Galileo	Learn how organizations under Project Galileo use Cloudflare Zero Trust to protect their organization from cyberattacks.
Securing the inboxes of democracy	Cloudflare email security worked hard in the 2022 U.S. midterm elections to ensure that the email inboxes of those seeking office were secure.
Expanding Area 1 email security to the Athenian Project	We are excited to share that we have grown our offering under the Athenian Project to include Cloudflare’s Area 1 email security suite to help state and local governments protect against a broad spectrum of phishing attacks to keep voter data safe and secure.
How Cloudflare helps protect small businesses	Large-scale cyber attacks on enterprises and governments make the headlines, but the impacts of cyber conflicts can be felt more profoundly and acutely by small businesses that struggle to keep the lights on during normal times. In this blog, we’ll share new research on how small businesses, including those using our free services, have leveraged Cloudflare services to make their businesses more secure and resistant to disruption.

Internet access

Blog	Summary
Cloudflare expands Project Pangea to connect and protect (even) more community networks	A year and a half ago, Cloudflare launched Project Pangea to help provide Internet services to underserved communities. Today, we’re sharing what we’ve learned by partnering with community networks, and announcing an expansion of the project.
The US government is working on an “Internet for all” plan. We’re on board.	The US government has a $65 billion program to get all Americans on the Internet. It’s a great initiative, and we’re on board.
The Montgomery, Alabama Internet Exchange is making the Internet faster. We’re happy to be there.	Internet Exchanges are a critical part of a strong Internet. Here’s the story of one of them.
Partnering with civil society to track Internet shutdowns with Radar Alerts and API	We want to tell you more about how we work with civil society organizations to provide tools to track and document the scope of these disruptions. We want to support their critical work and provide the tools they need so they can demand accountability and condemn the use of shutdowns to silence dissent.
How Cloudflare helps next-generation markets	At Cloudflare, part of our role is to make sure every person on the planet with an Internet connection has a good experience, whether they’re in a next-generation market or a current-gen market. In this blog we talk about how we define next-generation markets, how we help people in these markets get faster access to the websites and applications they use on a daily basis, and how we make it easy for developers to deploy services geographically close to users in next-generation markets.

Sustainability

Blog	Summary
Independent report shows: moving to Cloudflare can cut your carbon footprint	We didn’t start out with the goal to reduce the Internet’s environmental impact. But as the Internet has become an ever larger part of our lives, that has changed. Our mission is to help build a better Internet — and a better Internet needs to be a sustainable one.
A more sustainable end-of-life for your legacy hardware appliances with Cloudflare and Iron Mountain	We’re excited to announce an opportunity for Cloudflare customers to make it easier to decommission and dispose of their used hardware appliances in a sustainable way. We’re partnering with Iron Mountain to offer preferred pricing and value-back for Cloudflare customers that recycle or remarket legacy hardware through their service.
How we’re making Cloudflare’s infrastructure more sustainable	With the incredible growth of the Internet, and the increased usage of Cloudflare’s network, even linear improvements to sustainability in our hardware today will result in exponential gains in the future. We want to use this post to outline how we think about the sustainability impact of the hardware in our network, and what we’re doing to continually mitigate that impact.
Historical emissions offsets (and Scope 3 sneak preview)	Last year, Cloudflare committed to removing or offsetting the historical emissions associated with powering our network by 2025. We are excited to announce our first step toward offsetting our historical emissions by investing in 6,060 MTs’ worth of reforestation carbon offsets as part of the Pacajai Reduction of Emissions from Deforestation and forest Degradation (REDD+) Project in the State of Para, Brazil.
How we redesigned our offices to be more sustainable	Cloudflare is working hard to ensure that we’re making a positive impact on the environment around us, with the goal of building the most sustainable network. At the same time, we want to make sure that the positive changes that we are making are also something that our local Cloudflare team members can touch and feel, and know that in each of our actions we are having a positive impact on the environment around us. This is why we make sustainability one of the underlying goals of the design, construction, and operations of our global office spaces.
More bots, more trees	Once a year, we pull data from our Bot Fight Mode to determine the number of trees we can donate to our partners at One Tree Planted. It’s part of the commitment we made in 2019 to deter malicious bots online by redirecting them to a challenge page that requires them to perform computationally intensive, but meaningless tasks. While we use these tasks to drive up the bill for bot operators, we account for the carbon cost by planting trees.

Policy

Blog	Summary
The Challenges of Sanctioning the Internet	As governments continue to use sanctions as a foreign policy tool, we think it’s important that policymakers continue to hear from Internet infrastructure companies about how the legal framework is impacting their ability to support a global Internet. Here are some of the key issues we’ve identified and ways that regulators can help balance the policy goals of sanctions with the need to support the free flow of communications for ordinary citizens around the world.
An Update on Cloudflare’s Assistance to Ukraine	On February 24, 2022, when Russia invaded Ukraine, Cloudflare jumped into action to provide services that could help prevent potentially destructive cyber attacks and keep the global Internet flowing. During Impact Week, we want to provide an update on where things currently stand, the role of security companies like Cloudflare, and some of our takeaways from the conflict so far.
Two months later: Internet use in Iran during the Mahsa Amini Protests	A series of protests began in Iran on September 16, following the death in custody of Mahsa Amini — a 22 year old who had been arrested for violating Iran’s mandatory hijab law. The protests and civil unrest have continued to this day. But the impact hasn’t just been on the ground in Iran — the impact of the civil unrest can be seen in Internet usage inside the country, as well.
How Cloudflare advocates for a better Internet	We thought this week would be a great opportunity to share Cloudflare’s principles and our theories behind policy engagement. Because at its core, a public policy approach needs to reflect who the company is through their actions and rhetoric. And as a company, we believe there is real value in helping governments understand how companies work, and helping our employees understand how governments and law-makers work.
Applying Human Rights Frameworks to our approach to abuse	What does it mean to apply human rights frameworks to our response to abuse? As we’ll talk about in more detail, we use human rights concepts like access to fair process, proportionality (the idea that actions should be carefully calibrated to minimize any effect on rights), and transparency.
The Unintended Consequences of blocking IP addresses	This blog dives into a discussion of IP blocking: why we see it, what it is, what it does, who it affects, and why it’s such a problematic way to address content online.

Impact

Blog	Summary
Closing out 2022 with our latest Impact Report	Our Impact Report is an annual summary highlighting how we are trying to build a better Internet and the progress we are making on our environmental, social, and governance priorities.
Working to help the HBCU Smart Cities Challenge	The HBCU Smart Cities Challenge invites all HBCUs across the United States to build technological solutions to solve real-world problems.
Introducing Cloudflare’s Third Party Code of Conduct	Cloudflare is on a mission to help build a better Internet, and we are committed to doing this with ethics and integrity in everything that we do. This commitment extends beyond our own actions, to third parties acting on our behalf. We are excited to share our Third Party Code of Conduct, specifically formulated with our suppliers, resellers and other partners in mind.
The latest from Cloudflare’s seventeen Employee Resource Groups	In this blog post, we highlight a few stories from some of our 17 Employee Resource Groups (ERGs), including the most recent, Persianflare.

What’s next?

That’s it for Impact Week 2022. But let’s keep the conversation going. We want to hear from you!

Visit the Cloudflare Community to share your thoughts about Impact Week 2022, or engage with our team on Facebook, Twitter, LinkedIn, and YouTube.

Or if you’d like to rewatch any Cloudflare TV segments associated with the above stories, visit the Impact Week hub on our website.

Watch on Cloudflare TV

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet application, ward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you’re looking for a new career direction, check out our open positions.

Source :
https://blog.cloudflare.com/everything-you-might-have-missed-during-cloudflares-impact-week-2022/

Google’s Virtual Desktop of the Future

Nick Yeager

Manager, Google Computing

Did you know that most Google employees rely on virtual desktops to get their work done? This represents a paradigm shift in client computing at Google, and was especially critical during the pandemic and the remote work revolution. We’re excited to continue enabling our employees to be productive, anywhere! This post covers the history of virtual desktops and details the numerous benefits Google has seen from their implementation.

https://storage.googleapis.com/gweb-cloudblog-publish/images/image3_6PhPZT5.max-2000x2000.png

Background

In 2018, Google began the development of virtual desktops in the cloud. A whitepaper was published detailing how virtual desktops were created with Google Cloud, running on Google Compute Engine, as an alternative to physical workstations. Further research had shown that it was feasible to move our physical workstation fleet to these virtual desktops in the cloud. The research began with user experience analysis – looking into how employee satisfaction of cloud workstations compared with physical desktops. Researchers found that user satisfaction of cloud desktops was higher than that of their physical desktop counterparts! This was a monumental moment for cloud-based client computing at Google, and this discovery led to additional analyses of Compute Engine to understand if it could become our preferred (virtual) workstation platform of the future.

Today, Google’s internal use of virtual desktops has increased dramatically. Employees all over the globe use a mix of virtual Linux and Windows desktops on Compute Engine to complete their work. Whether an employee is writing code, accessing production systems, troubleshooting issues, or driving productivity initiatives, virtual desktops are providing them with the compute they need to get their work done. Access to virtual desktops is simple: some employees access their virtual desktop instances via Secure Shell (SSH), while others use Chrome Remote Desktop — a graphical access tool.

In addition to simplicity and accessibility, Google has realized a number of benefits from virtual desktops. We’ve seen an enhanced security posture, a boost to our sustainability initiatives, and a reduction in maintenance effort associated with our IT infrastructure. All these improvements were achieved while improving the user experience compared to our physical workstation fleet.

https://storage.googleapis.com/gweb-cloudblog-publish/images/image1_0EHHfvd.max-2000x2000.jpg

Example of Google Data Center

Analyzing Cloud vs Physical Desktops

Let’s look deeper into the analysis Google performed to compare cloud virtual desktops and physical desktops. Researchers compared cloud and physical desktops on five core pillars: user experience, performance, sustainability, security, and efficiency.

https://storage.googleapis.com/gweb-cloudblog-publish/images/image4_6gvUvXe.max-1900x1900.png

User Experience

Before the transition to virtual desktops got underway, user experience researchers wanted to know more about how they would affect employee happiness. They discovered that employees embraced the benefits that virtual desktops offered. This included freeing up valuable desk space to provide an always-on, always available compute experience, accessible from anywhere in the world, and reduced maintenance overhead compared to physical desktops.

Performance

From a performance perspective, cloud desktops are simply better than physical desktops. For example, running on Compute Engine makes it easy to spin-up on-demand virtual instances with predictable compute and performance – a task that is significantly more difficult with a physical workstation vendor. Virtual desktops rely on a mix of Virtual Machine (VM) families that Google developed based on the performance needs of our users. These include Google Compute Engine E2 high-efficiency instances, which employees might use for day-to-day tasks, to higher-performance N2/N2D instances, which employees might use for more demanding machine learning jobs. Compute Engine offers a VM shape for practically any computing workflow. Additionally, employees no longer have to worry about machine upgrades (to increase performance, for example) because our entire fleet of virtual desktops can be upgraded to new shapes (with more CPU and RAM) with a single config change and a simple reboot — all within a matter of minutes. Plus, Compute Engine continues to add features and new machine types, which means our capabilities only continue to grow in this space.

Sustainability

Google cares deeply about sustainability and has been carbon neutral since 2007. Moving from physical desktops to virtual desktops on Compute Engine brings us closer to Google sustainability goals of a net-neutral desktop computing fleet. Our internal facilities team has praised virtual desktops as a win for future workspace planning, because a reduction in physical workstations could also mean a reduction in first-time construction costs of new buildings, significant (up to 30%) campus energy reductions, and even further reductions in costs associated with HVAC needs and circuit size needs at our campuses. Lastly, a reduction in physical workstations also contributes to a reduction in physical e-waste and a reduction in the carbon associated with transporting workstations from their factory of origin to office locations. At Google’s scale, these changes lead to an immense win from a sustainability standpoint.

Security

By their very nature, virtual desktops mitigate the ability for a bad actor to exfiltrate data or otherwise compromise physical desktop hardware since there is no desktop hardware to compromise in the first place. This means attacks such as USB attacks, evil maid attacks, and similar techniques for subverting security that require direct hardware access become worries of the past. Additionally, the transition to cloud-based virtual desktops also brings with it an enhanced security posture through the use of Google Cloud’s myriad security features including Confidential Computing, vTPMs, and more.

Efficiency

In the past, it was not uncommon for employees to spend days waiting for IT to deliver new machines or fix physical workstations. Today, cloud-based desktops can be created instantaneously on-demand and resized on-demand. They are always accessible, and virtually immune from maintenance-related issues. IT no longer has to deal with concerns like warranty claims, break-fix issues, or recycling. This time savings enables IT to focus on higher priority initiatives all while reducing their workload. With an enterprise the size of Google, these efficiency wins added up quickly.

Considerations to Keep in Mind

Although Google has seen significant benefits with virtual desktops, there are some considerations to keep in mind before deciding if they are right for your enterprise. First, it’s important to recognize that migrating to a virtual fleet requires a consistently reliable and performant client internet connection. For remote/global employees, it’s important they’re located geographically near a Google Cloud Region (to minimize latency). Additionally, there are cases where physical workstations are still considered vital. These cases include users who need USB and other direct I/O access for testing/debugging hardware and users who have ultra low-latency graphics/video editing or CAD simulation needs. Finally, to ensure interoperability between these virtual desktops and the rest of our computing fleet, we did have to perform some additional engineering tasks to integrate our asset management and other IT systems with the virtual desktops. Whether your enterprise needs such features and integration should be carefully analyzed before considering a solution such as this. However, should you ultimately conclude that cloud-based desktops are the solution for your enterprise, we’re confident you’ll realize many of the benefits we have!

Tying It All Together

Although moving Google employees to virtual desktops in the clouds was a significant engineering undertaking, the benefits have been just as significant. Making this switch has boosted employee productivity and satisfaction, enhanced security, increased efficiency, and provided noticeable improvements in performance and user experience. In short, cloud-based desktops are helping us transform how Googlers get their work done. During the pandemic, we saw the benefits of virtual desktops in a critical time. Employees had access to their virtual desktop from anywhere in the world, which kept our workforce safer and reduced transmission vectors for COVID-19. We’re excited for a future where more and more of our employees are computing in the cloud as we continue to embrace the work-from-anywhere model and as we continue to add new features and enhanced capabilities to Compute Engine!

Source :
https://cloud.google.com/blog/topics/developers-practitioners/googles-virtual-desktop-future

How to Protect Your Microsoft Exchange Server 2019 with CrowdSec

Follow this step-by-step guide on installing CrowdSec on a Microsoft Exchange server to better protect against common cyberattacks and new threats.

This article is a direct translation of Florian Burnel’s article published on IT Connect. You can find the original article here.

We also have an article on installing CrowdSec on a Windows server with a tutorial on blocking brute force attacks on an RDP connection and blocking a scan of a website hosted on an IIS server.

I. Presentation

In this tutorial, we will dive into how to secure a Microsoft Exchange mail server with the CrowdSec collaborative firewall! Installing CrowdSec on a Microsoft Exchange server will allow you to protect against common attacks but also new threats.

A good example is the security breach ProxyNotShell which made headlines in October 2022: CrowdSec can detect exploit attempts and block malicious IP addresses, thanks to the fact that it contains a collection for IIS and attacks based on HTTP/HTTPS protocols. Other examples are more classic cases: brute force attacks on the Exchange webmail interface.

Due to how it functions, an Exchange server will be exposed to the Internet depending on the architecture of your IS (for example, the presence or absence of a reverse proxy). However, it must be able to communicate outward and also be reachable from the outside to send and receive emails to your users’ mailboxes.

This same server is also reachable through Webmail which allows users to check their emails from a browser. This implies the presence of an IIS web server that hosts both Webmail and Exchange Admin Center. Furthermore, when an Exchange server is compromised by a cyberattack, this mainly involves HTTP/HTTPS access: hence the interest in protecting yourself.

This article is a continuation of my first article on installing an Exchange Server 2019 server. For the installation of the Microsoft Exchange Server itself, I invite you to read my previous tutorial.

In addition, I also encourage you to restrict access to the Exchange admin center.

II. Setting up CrowdSec on Windows

A. Installing the CrowdSec Agent

I already wrote about how to install CrowdSec on Windows in a previous article, but that was the Alpha version. Now, the CrowdSec agent for Windows is available in a stable version, which means that it is ready to be implemented in production.

Note: if you have previously installed the alpha version on your server, you must uninstall it before installing this new CrowdSec version.

First, you must download the MSI package from the official CrowdSec GitHub repository.

While it is installing, the CrowdSec MSI package will perform the following actions:

Install CrowdSec itself
Integrate the Windows Collection (details are available here)
Register the CrowdSec instance with the Central API
Register the CrowdSec service within Windows (automatic start)

Once done, begin the installation. Just follow the steps without making any changes. Then, allow about 2 minutes for the Agent to fully install.

Install CrowdSec on Windows for Exchange Server

As soon as the CrowdSec Agent is in place, we have access to the “cscli” command line which allows you to manage your CrowdSec instance from it.

To list current collections:

cscli collections list

To list the current bouncers (none by default):

cscli bouncers list

CrowdSec Windows - List collections and bouncers

B. Installing the ISS Collection

On Windows, CrowdSec natively sets up the “crowdsecurity/windows“, but it is not enough to protect your Exchange server. We will need to add the IIS collection, which will also add two more collections to detect web attacks.

This collection is installed from this command:

cscli collections install crowdsecurity/iis

In just a few seconds after adding, we can list the installed collections to see the presence of the new collections.

CrowdSec Windows - Lister les collections

To justify what I said in the introduction about the ProxyNotShell vulnerability, we can look at the details of the “crowdsecurity/http-cve” collection. Here, we can see the presence of a detection scenario named “crowdsecurity/CVE-2022-41082” corresponding to this vulnerability.

cscli collections inspect crowdsecurity/http-cve

CrowdSec Windows - http-cve collection details

Let’s go to the next step.

C. Installing Windows Firewall Bouncer

Now, we must set up the “firewall” bouncer for Windows, otherwise, attacks will be detected, but not blocked. Click on the following link, then on the “Download” button to download the MSI package: https://hub.crowdsec.net/author/crowdsecurity/bouncers/cs-windows-firewall-bouncer

The installation is done in only a few clicks: just follow the wizard.

CrowdSec Windows - Installation du bouncer firewall

Once done, the command below will make it possible to see the presence of the bouncer.

cscli bouncers list

Let’s go to the next step.

D. Add IIS log support

For CrowdSec to focus on the logs generated by IIS, and by extension, corresponding to the access to the OWA and ECP portals of Exchange, we must indicate to it the paths to the log files it will analyze.

To do this, you will need to edit the following:

C:\ProgramData\CrowdSec\config\acquis.yaml

In order to add the following lines:

---
use_time_machine: true
filenames:
  - C:\inetpub\logs\LogFiles\*\*.log
labels:
  type: iis

You can see the presence of a “dynamic” path which is characterized by the presence of the wildcard character: “C:\inetpub\logs\LogFiles\*\*.log “. This value will allow CrowdSec to find and read log files located in the tree “C:\inetpub\logs\LogFiles\

In addition to the path to the log files, this configuration block we just added contains a parameter named use_time_machine. It is important because IIS does not write logs in real-time in the log file, but it writes new events in blocks, every minute. Thanks to this parameter, CrowdSec will read the date and time of each line to find its way and process the events chronologically, this avoids false positives.

However, if you are not using the log files, but the event viewer, you should use this piece of code and not the one mentioned above:

---
source: wineventlog
event_channel: Microsoft-IIS-Logging/Logs
event_ids:  - 6200
event_level: information
labels:  
type: iis

Save the acquired.yaml file and you can close it.

Finally, we need to restart CrowdSec. This operation is done in PowerShell with this command:

Restart-Service crowdsec

CrowdSec setup is complete! Now let’s test it!

III. Is the Exchange server protected?

A. Brute force on OWA – Webmail Exchange

There are several possible methods to perform a brute force attack on OWA. Of course, you could do this manually for testing, but you could also use something a bit more automated to simulate a brute-force attack. As for us, we will use a Bash script named “OWA BRUTE” that executes Hydra (an offensive tool compatible with many protocols to test a service’s authentication, equipment, etc. ) with specific parameters corresponding to Outlook Web Access.

The script is available on GitHub.

First, we need to install Hydra and Git. The first one is a prerequisite to use the script and perform our attack, while the second one will be used to clone the GitHub repository to get the Bash script (you can also copy and paste the script in a file…).

sudo apt-get update

sudo apt-get install hydra git

Once this is done, we clone the GitHub project in “/home/florian”:

cd /home/florian/

git clone

Then, we create a file “users.txt” in which we indicate some names of users. You can also recover a list on the Internet.

nano /home/florian/owabrute/users.txt

In the same sense, we create a file “passwords.txt” with the passwords to test.

nano /home/florian/owabrute/passwords.txt

Then, we move to the OWA BRUTE directory to add the execution rights on the Bash script.

cd /home/florian/owabrute/

chmod +x owabrute.sh

All that remains is to launch the attack by targeting “mail.domaine.fr” and then using our previously created files.

./owabrute.sh -d mail.domaine.fr -u ./users.txt -p ./passwords.txt

‍

We can see that the script will test each combination. At the end, it will indicate if it has succeeded or not in finding a valid combination. However, CrowdSec will intervene…

We can see that the script will test each combination, in turn. In the end, it will indicate whether or not it succeeded in finding a valid combination. However, CrowdSec will intervene....

Indeed, if I look at my Exchange server, I can see that there is a new IP address blocked because of brute force (“crowdsecurity/windows-bf”). The CrowdSec agent has correctly blocked the IP address that caused this attack.

Since we are here to test, we can unblock our IP address manually:

cscli decisions delete –ip X.X.X.X

Let’s move on to a second test.

B. Scan Web on OWA

In the case where someone tries to scan your Web server, when IIS is used by Exchange, they can rely on various tools including Nikto which is used to analyze the security level of a Web server. For this example, OWA will be scanned with the Nikto tool: we will see if CrowdSec detects what is happening on the IIS server…

First of all, let’s install this tool:

sudo apt-get update

sudo apt-get install nikto

Then, we launch the scan to webmail:

nikto -h https://mail.domaine.fr/owa

The analysis will take several minutes…

…Except that after a while, CrowdSec will realize that this web client is performing suspicious actions and it will decide to block it. In the example below, we can see the reason “http-sensitive-files” which means that the client tried to access sensitive files.

In this second example, where we performed a completely different action compared to the first attempt, CrowdSec also managed to detect our malicious actions.

IV. Conclusion

We have just seen how to set up the CrowdSec agent on Windows to protect a Microsoft Exchange mail server! Here, I took the example of Exchange Server 2019, but it also applies to previous versions. With these two quick, but concrete examples, we could see the efficiency of CrowdSec!

‍

I’ll also take this moment to remind you of the existence of the CrowdSec Console which allows you to follow the alerts raised by one or more CrowdSec Agents from a web-based console. To learn more about the implementation and all the functionalities, you can visit the Console page.

WRITTEN BY

Florian Burnel

Source :
https://www.crowdsec.net/blog/how-to-protect-microsoft-exchange-server-crowdsec

Pixel 7a renders leak providing a first look at the new Google mid-range

Rumors regarding the upcoming midrange Google Pixel phone – the Pixel 7a, have been swirling around for some time now with specs that seem more akin to a flagship phone than Google’s usual summer phone release. While some rumors say that the Pixel 7a could ship with a ceramic body, an upgraded camera setup, the same Tensor G2 processor, wireless charging, and a high-refresh-rate screen, high-resolution renders have now leaked that shed light on some, but not all, of the speculations. These renders come to us via Smartprix and OnLeaks, which include not only views of the device from different angles but also a 360-degree video for a more detailed look.360-degree view of the Pixel 7a render

The device retains the familiar Pixel design language with the camera bar that has been its iconic look since the Pixel 6. However, unlike the one found in the 6a, which was enclosed in all glass, this camera bar looks to be enveloped in brushed aluminum, although we cannot confirm the exact material just by looking at the renders. In comparison to the Pixel 6a, the dimensions reveal that the 7a will be just about the same height but will be a bit wider and thicker (152.4 x 72.9 x 9.0mm on the Pixel 7a vs. 152.2 x 71.8 x 8.9 mm on the Pixel 6a), but the difference seems so minimal it may not even register during day to day use.

When viewing the device from the front, one could see the noticeable larger bezels and thicker chin, which isn’t surprising for a Google mid-tier device. A punch-hole camera is found in the top-middle of the display, just like its predecessor, and the power button, volume rocker, and USB-C port seem to have been kept in the same location as well. Unfortunately, though, just like the Pixel 6a, there is no headphone jack in sight.

The leak also reports that the device will be available in two colorways, white and dark gray, with the white color chosen as the one pictured in the renders that features a silver frame around the device to match the same color of the camera bar. It is unknown if the dark gray option will have darker or even black rails and whether the camera bar will come in a matching color as well. Hopefully, there will be a third, more colorful option, just like “Lemongrass” was for the Pixel 6a.

Some of the rumors that remain unanswered by this leak include the material on the outside of the device, and frankly, with the renders being white, it does very little to debunk whether it will be ceramic or not. We also have no way of confirming one of the hottest rumors surrounding this device, which is its supposed 90Hz display, a detail that has made quite a few Pixel fans very happy. It looks like we’re going to have to wait a bit longer to get a bit more info, but knowing how these things usually go, we are probably not far off from the next 7a leak.

Source :
https://chromeunboxed.com/pixel-7a-renders-leak

Yes, AirPods work fine with Pixel phones, but Pixel Buds Pro work better

We see this question floating around the web quite a bit: will my AirPods work with a Pixel? The simple answer is, of course, yes! Though AirPods (or AirPods Pro) are designed to work best with Apple products, they are still Bluetooth earbuds that can be connected to a wide variety of devices. As a matter of fact, I’ve used both the AirPods and AirPods Pro with my Chromebook, too, and there’s no real issue in getting them connected on that front, either.

How to pair your AirPods

Pairing is pretty simple. With the AirPods in their case, flip open the lid, hold the button around back until the LED begins pulsing, and look for your AirPods in the list of available Bluetooth devices to pair. Again, I’ve had little issue whatsoever in getting them connected to anything I’ve tried, so thankfully Apple hasn’t put any blocks in place for non-Apple devices.

What works with AirPods on Pixel

Once you get them all connected, the functionality is pretty basic. For standard AirPods, you can listen to media, take calls, and double-tap near the top to play/pause audio. That’s about it. They stay connected well and have very little latency, so for all sorts of applications, they are pretty great. If you are OK with a straightforward bluetooth earbuds experience, there’s technically nothing broken, here. There’s just not a ton of added features.

For the AirPods Pro, the haptic buttons on the earbuds themselves will work based on how you set them up. Out of the box, they default to a single click for play/pause, double-click for skip forward, and triple-click for skip back. A long press will toggle ANC and transparency modes, too.

What doesn’t work with Airpods on Pixel

When looking at the variety of available earbuds on the market, clearly the AirPods are pretty Spartan in their functionality on non-Apple devices. While they do technically work fine for the basics, there’s a bunch of stuff you need to know that these earbuds won’t do on a Pixel phone. First up, since there’s only support for a double-top on the standard AirPods (it defaults to play/pause), when you are needing to adjust volume or skip a track, you’ll need to grab your phone. As stated above, the AirPods Pro get around this limitation a bit more effortlessly thanks to the haptic buttons on the stems.

None of the physical shortcuts can be adjusted when using a Pixel phone, however, and you’ll need an Apple device of some sort in order to change the device name and customize your click functionalities. It is worth noting, however, that even on Apple devices, the number of custom things you can do with the AirPods Pro is pretty limited, so you aren’t missing out on too much if you don’t have an Apple device around.

A software battery life indicator is another key thing missing from the equation, and apart from installing some 3rd-party software, you won’t know the remaining charge you have on your earbuds when paired to a Pixel phone. If you have a wireless charging pad and keep your AirPods on them regularly, it’s not a huge deal. The only time it really bugs me is with my old, 1st-gen AirPods that don’t come with wireless charging. I forget to top them off regularly.

And speaking of charging, all the AirPods at this point still charge with Lightning cables. That’s right: if you don’t have one of those lying around, you’re gonna be in trouble. For me, wireless charging has solved this issue, but it is still unfortunate. As an Android/ChromeOS guy, I don’t have Lightning cables around very often. It’s a small-but-aggravating thing you need to remember.

Why the Pixel Buds Pro and Pixel phones are a better pair

This should be pretty obvious, but the Pixel Buds Pro are a far better fit if you have a Pixel phone. Well, I say it should be obvious; but Google hasn’t always made it that way, have they? With issues here and there with their older Pixel Buds, I’ve not been a huge fan up until the Pixel Buds Pro. At this point, however, I’m a huge fan and all the niceties you get along with them have totally turned the tide for me.

For starters, the on-ear functionality is fantastic. Gestures like swiping for volume controls, tapping for play/pause/skip, and holding for ANC or transparency are the best in the business. It all works like you’d expect, the surface of the actual earbud is big enough to keep you from missing on a regular basis, and the way the Pixel Buds Pro sit in your ear keep them from feeling uncomfortable when you press on them.

The Pixel Buds Pro also come with Fast Pair, so as soon as you open them up, your Pixel will see them and get you paired up with ease. To be fair, the AirPods do this as well, but only on Apple devices. Pixel Buds Pro will Fast Pair with any eligible Android device or Chromebook, too.

Obviously, the Pixel Buds Pro also have an app (it is baked-in on Pixel phones) that allows for all sorts of customization for your presses, swipes, and EQ settings. Again, this sort of thing is present for the AirPods on Apple devices, but Google’s customization on Pixels and Android phones is far more robust and with Feature Drops, it will only get better over time.

So, in a nutshell, if you are a Pixel owner, AirPods will definitely work with your device, but I’d recommend the Pixel Buds Pro in the end. They’ve been on sale a ton of times for $149, and for that price, they are barely more expensive than the standard AirPods and far cheaper than the AirPods Pro. They pair easier, have more features, and I’d argue the sound quality is better too. While the AirPods and AirPods Pro technically will work for you, I’d only recommend them if you are in possession of them already, have an Apple device or two you use on a regular basis, or you get them as a gift. In any other case, go for the Pixel Buds Pro.

Source :
https://chromeunboxed.com/airpods-pro-pixel-phones-will-it-work/

Pixel Android 13 December update rolls out with lots of fixes

Yesterday, new software features arrived to the Pixel family of devices via the usual Pixel Feature Drop. The new features for the Pixel phone included the promised free Google One VPN, Clear Calling, Recorder app speaker labels, Spatial Audio, new live wallpapers, and unified Security & Privacy settings, among others. Here is a summary of feature availability per device:

Source / ✝ Only available in English (US)

However, aside from the new exciting features, Pixel phones also received their monthly software update for December 2022 as well as the final and stable release for those enrolled in the Android 13 QPR1 beta. Essentially, the December 2022 update (Build TQ1A.221205.011) includes the Pixel Feature drop plus the latest platform optimizations, bug fixes, and security patches that address areas such as device performance, stability, and connectivity. The list of issues fixed can be found below and it’s quite long:

Apps

Fix for issue causing text input to certain fields in the Phone app to display in a darker color

Fix for issue occasionally causing playback errors when seeking through video content in certain apps

Fix for issue occasionally preventing text messages from restoring from cloud backups during device setup

General improvements for background performance in certain Google apps

Audio

General improvements for USB audio support for various cables or accessories *[1]

General improvements to support various audio codecs with certain devices or accessories *[4]

Battery & Charging

Battery usage in Settings displays information since last full charge (up to 7 days)

Fix for issue occasionally causing device to power off while Battery Share is active *[4]

Fix for issue occasionally causing higher battery usage during media playback with certain apps *[2]

Fix for issue occasionally preventing Adaptive charging from working in certain conditions *[2]

Fix for issue occasionally preventing wireless charging from working with certain accessories *[2]

General improvements for charging, battery usage or thermal performance in certain conditions *[1]

Biometrics

Fix for issue occasionally causing audio to skip when played over certain Bluetooth devices or accessories *[2]

Fix for issue occasionally delaying when the fingerprint icon is displayed on the lock screen *[1]

Fix for issue occasionally preventing fingerprint sensor from detecting touch while always-on display is active *[3]

Fix for issue where fingerprint enrollment may occasionally display visual glitches in certain conditions *[1]

Improvements for face unlock lock screen helper text shown in certain conditions *[2]

Bluetooth

Fix for issue causing music playback to continue without audible sound after ending a call while using certain Bluetooth accessories *[2]

Fix for issue occasionally causing audio to skip when played over certain Bluetooth devices or accessories *[2]

Fix for issue occasionally preventing audio switching between connected Bluetooth devices in certain conditions

Fix for issue occasionally preventing Bluetooth Low Energy devices from displaying a device name during pairing

Fix for issue occasionally preventing connection to car head units using older Bluetooth versions

Fix for issue occasionally preventing discovery of certain Bluetooth devices or accessories

Fix for issue occasionally preventing previously paired Bluetooth devices from reconnecting

General improvements for Bluetooth stability and performance in certain conditions

Camera

Fix for issue occasionally causing Camera app to crash while zoomed in or switching modes *[2]

Fix for issue occasionally causing viewfinder preview to display a blank screen *[2]

Fix for issue where video that is recorded while switching between camera modes occasionally shows gaps in playback *[2]

General improvements for camera stability and performance in certain conditions

Display & Graphics

Fix for issue occasionally causing screen to flicker when waking from always-on display

Fix for issue occasionally causing visual artifacts or glitches while using certain apps or games *[3]

Framework

Fix for issue occasionally causing notifications to display in a different color theme from the system

Fix for issue occasionally causing the wrong character to display after a new line in certain apps or UI elements

Fix for issue occasionally causing Work Profile app notifications to appear even if Work Profile is paused

Fix for issue occasionally preventing certain apps to rotate to landscape orientation

Fix for issue occasionally preventing keyboard from being dismissed while using certain apps

Sensors

Fix for issue occasionally preventing “tap to wake” or “lift to wake” from working in certain conditions *[1]

Fix for issue occasionally preventing Adaptive brightness from activating in certain conditions

Fix for issue occasionally preventing Quick Tap from triggering app or system shortcuts in certain conditions

Fix to improve Adaptive brightness transitions during phone calls in certain conditions *[1]

General improvements for proximity sensor performance under certain lighting conditions *[1]

System

General improvements for system stability and performance in certain conditions

General improvements to optimize device thermal performance in certain conditions or use cases *[1]

Telephony

Fix for issue causing reduced network or call stability under certain conditions *[2]

Fix for issue occasionally preventing network SIM cards from activating in certain conditions *[3]

General improvements for network connection stability and performance in certain conditions

General improvements for network connectivity after toggling airplane mode off

General improvements for switching between 3G to 4G on certain carrier networks

General improvements for VPN connection stability and performance on mobile networks under certain conditions

General improvements for Wi-Fi calling stability and performance for certain carriers or networks

Improve dual SIM network connectivity in certain conditions *[3]

Improve RCS messaging stability under certain conditions *[2]

Touch

General improvements for touch response and performance in certain conditions *[1]

User Interface

Change for home screen search bar behavior to open the Google app when tapping the G logo

Fix for issue occasionally causing “Pause work apps” button display over app drawer or in the wrong position

Fix for issue occasionally causing certain Settings toggles to appear disabled, or set to the wrong state

Fix for issue occasionally causing device color theme to change unexpectedly

Fix for issue occasionally causing home screen app icons to appear duplicated after adjusting grid size

Fix for issue occasionally causing home screen widgets or icons to appear small or scaled down in certain conditions

Fix for issue occasionally causing media player controls to appear invisible or hidden in notification shade

Fix for issue occasionally causing notification overflow dot to overlay app icons on lock screen

Fix for issue occasionally causing notifications to disappear or appear invisible in notification shade

Fix for issue occasionally causing screenshot captures to fail in certain conditions

Fix for issue occasionally causing suggested apps in Search to overlap or display over results

Fix for issue occasionally causing text to appear incorrectly cutoff or truncated at different font sizes

Fix for issue occasionally causing UI to reset after adjusting display resolution

Fix for issue occasionally causing wallpaper to appear black or empty in certain conditions

Fix for issue occasionally enabling touch interaction during the lock screen transition after screen is turned off

Fix for issue occasionally preventing media player album art from updating when content changes

Fix for issue occasionally preventing media player controls from displaying on lock screen

Fix for issue occasionally preventing screen to appear blank or frozen after launching certain apps

Fix for issue where incoming notifications would occasionally display over others listed in the notification shade

Fix to improve responsiveness of At A Glance home and lock screen widget for certain conditions or use cases

Fix to improve spacing for certain UI modals in device setup and Settings

General improvements for performance in certain UI transitions and animations

Wi-Fi

Fix for issue occasionally preventing hotspot from turning on in certain conditions *[1]

General improvements for Wi-Fi network connection stability & performance in certain conditions *[1]

*[1] Included on Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro
*[2] Included on Pixel 7, Pixel 7 Pro
*[3] Included on Pixel 6, Pixel 6 Pro, Pixel 6a
*[4] Included on Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro

All Pixel devices running Android 13 (Pixel 4a, 5, 5a, 6, 6 Pro, 6a, 7, 7 Pro) began receiving these upgrades yesterday. The rollout will continue over the next week in phases, so if your eligible device doesn’t show the update available yet, you may just need to wait a few more days. However, once the OTA (over-the-air) update becomes available for your device, you will receive a notification.

Source :
https://chromeunboxed.com/december-2022-pixel-phone-update

How to keep your Gmail Inbox free of Spam and Promotions

Using its time-tested and refined algorithms, Gmail does a pretty good job of trying to keep our inboxes free of Spam, Junk emails, and unwanted promotions. It even utilizes inbox tabs to categorize your promotions, social, updates, and forum emails and keep them out of your primary email tab where your actual new emails are shown. However, even with all of these tools, filtering out unwanted emails is not 100% perfect, and a little manual input from us can go a long way. There are three ways that you can train Gmail to filter out unwanted emails from your inbox, which are as follows:

Inbox Categories

The first is the aforementioned inbox categories that can separate certain types of emails and display them on a different tab. Although initially done programmatically, this can be further tweaked so that you have the desired results.

To turn this feature on, navigate to your Gmail settings, then click on the Inbox tab. Make sure the Inbox type is set to “Default,” then add a checkmark to the categories you wish to have in a separate tab. If you just want to keep out marketing emails, add a check to the “Promotions” category, then “Save Changes.”

You will now have a “Promotions” tab in your emails that you have the option to check if desired. If you see emails in there that you’d rather go straight to your Primary tab, just drag it out and into the main tab. Gmail will then ask if you would like for it to automatically do the same for future emails from the same sender.

I just want the steps!

Go to Gmail settings

Click on the Inbox tab

Make sure the Inbox type is set to “Default”

Add a check to the “Promotions” category

Click on “Save Changes”

Gmail Filters

Utilizing Gmail filters is a manual process at first, but completely pays off once it’s set up and starts automatically filtering based on the parameters you have set. You can be very deliberate with your email filters, setting specific email addresses and/or domains to automatically go to Spam, or you can be more general and block out an entire email list that you may have been unwillingly made a part of. To do this, open the Spam email you would like to filter out in the future, then click on the three-dot menu, and select “Filter messages like these.”

Depending on the email, if Gmail detects that this was sent to a mailing list and not you directly, you will see an option to filter the email based on the list itself. Click on “Create filter,” and then choose to either archive or delete the email. If there are other emails in your inbox that match this filter, you should also see an option to apply it to all the matching conversations. Once you’ve chosen your desired action(s), click on “Create filter.”

I just want the steps!

Open the Spam email you would like to filter out in the future

Click on the three-dot menu

Select “Filter messages like these”

Click on “Create filter,” and then choose to either archive or delete the email

Select option to apply it to all the matching conversations

Click on “Create filter”

Reporting Spam in Inbox

Lastly, you can train Gmail to programmatically unsubscribe from an email list, mark the email as Spam, or do both at the same time. The latter is the most effective and recommended method, as it not only tries to unsubscribe you from the list but also marks it as Spam in case unsubscribing doesn’t go through as it should.

To just unsubscribe, you can click on the “Unsubscribe” link that appears beside the sender’s email address. Once you click there, you will receive a notification asking you to confirm that you want to go ahead and unsubscribe.

To both unsubscribe and mark the email as Spam, click on the exclamation mark that appears in the menu above the email, then confirm that you want to form “Report spam and unsubscribe.”

I just want the steps!

To just unsubscribe, click on the “Unsubscribe” link that appears beside the sender’s email address, then confirm by clicking the blue “Unsubscribe” button

To both unsubscribe and mark the email as Spam, click on the exclamation mark that appears in the menu above the email

At the confirmation popup, click on “Report spam and unsubscribe”

Source :
https://chromeunboxed.com/how-to-filter-spam-promotions

How to record your Pixel phone’s screen without installing a third-party application

In the early days of Android phones, which is now over ten years ago, I remember having to go to the Android Marketplace to find a third-party application to record my screen. Many of the instances where I felt I needed to capture my display occurred when I wanted to explain to my friends or family how to use their handsets without having to talk them through it on a phone call.

Nowadays, pretty much all modern versions of Android have a built-in screen recorder that you can access with just a few taps. Today, I’m going to show you how to do that on your Pixel or Android 12+ device so you can quickly save short clips to your storage and share them with others!

You may find that you have the same needs I have in the past, or you may simply want to record gameplay footage of mobile titles for YouTube. In the case of the latter, Google Play Games does support direct recording and even has special tools for it, though it’s worth noting that these are currently absent on my device at the time of writing this!

Alright, so first, you’ll need to swipe down the notification shade at the top of your phone. Swipe down a second time to pull up the Quick Settings panel. From there, you should see the colored tiles pictured below. If you don’t see the “Screen record” tile, you can tap the pencil icon at the bottom right of the panel to edit which tiles are available to you.

Oh and don’t forget that the quick settings are paginated, so you can swipe left and right to swap between the pages available. If you do need to edit your settings panel to place the screen recorder on the front page or to drag it out of the extra tiles section, you can simply press and hold it and bring it up higher (see the middle image).

Once it’s available – and please don’t skip this step – clear your screen of any personal information. This includes notifications and widgets that feature notes, emails, messages, and more. All too often, I see people record their screens and leave certain things visible that could compromise their privacy.

Tap the “Screen record” tile, select your audio device, whether or not you want to record audio, to begin with, and whether you’re interested in capturing your screen touches using the dialogue box that pops up. Your notification shade will close, and a red timer counting down from three will appear in your status bar.

The moment this disappears, you’re officially recording! This means that anything you do from touching, swiping, opening apps, and more will be captured. At this point, please avoid opening banking apps, your email, personal Keep notes, and so on. You wouldn’t want anyone to steal your secret government documents or find out that you’re a millionaire, now would you?

I wish I had either or both of those problems, and I’m sure you do too. Anyways, once you’re finished recording, just go ahead and swipe down from the top of your screen again to call up your notification shade. Then, tap the huge, red “Recording screen” notice.

That’s it! You’re no longer recording. Wait just a moment and you’ll see your recorded video appear as its own separate notification that you can then watch, delete, share or even upload to Google photos for later. Have fun and be safe!

I just want the steps!1. Swipe down twice from the top of your phone
2. Edit the quick settings panel if you need to make the “Screen record” tile available” (tap the pencil icon!)
3. Tap the “Screen record” tile and choose if you want to record audio or screen touches. You may also need to select your microphone!
4. Wait for the red countdown timer in your status bar to expire
5. You’re now recording! Perform any actions you wish to capture 🙂
6. When you’re finished, swipe down from the top of your screen and tap the red recording notice.
7. Upload your new video to Google Photos, share it with a friend or delete it!

Source :
https://chromeunboxed.com/how-to-easily-record-your-pixel-phone-screen

Protect Your iOS Devices with Cortex XDR Mobile

Cortex XDR 3.5 and Cortex XDR Agent 7.9 Deliver Stronger Security, Better Search and Broader Coverage, Including iOS Support

Your employees probably expect to work from anywhere, at any time they want, on any device. With the rise of remote work, users are accessing business apps and data from mobile devices more than ever before. Cortex XDR Mobile for iOS lets you protect your users from mobile threats, such as malicious URLs in text messages and malicious or unwanted spam calls.

Cortex XDR Mobile for iOS is just one of over 40 new features in our Cortex XDR 3.5 and Cortex XDR Agent 7.9 releases. In addition to iOS protection, we’ve bolstered endpoint security, improved the flexibility of XQL Search, and expanded visibility and normalization to additional data sources. Even more new advancements make it easier than ever to manage alert exceptions and granularly control access to alerts and incidents.

Let’s dive in and take a deeper look at the new capabilities of Cortex XDR 3.5 and Cortex XDR Agent 7.9.

iOS Protection with Cortex XDR Mobile

With the rapid shift to remote work, flexible BYOD policies are a must have, now, for many companies. Whether employees are working at home, from a café, or in a corporate office, they often have a phone within reach, and for good reason. 62% of U.S. workers say mobile phones or tablets help them be productive at work, according to a broad 2021 survey.

Phishing and Smishing and Spam, Oh My!

Screenshot of being protected by Cortex XDR, showing security events.

With Cortex XDR Mobile for iOS, you can now secure iOS devices from advanced threats like smishing. The Cortex XDR agent blocks malicious URLs in SMS messages with URL filtering powered by Unit 42 threat intelligence. It can also block spam calls, safeguarding your users from unwanted and potentially fraudulent calls. Users can also report a spam call or message, allowing the Cortex XDR administrator to block the phone number.

Hunting Down Jailbroken Devices

Some of your iPhone users might “jailbreak” their phones to remove software restrictions imposed by Apple. Once they gain root access to their phones, they can install software not available in the App Store. Jailbreaking increases the risk of downloading malware. It can also create stability issues.

The Cortex XDR agent detects jailbroken devices, including evasion techniques designed to thwart security tools. Overall, the Cortex XDR provides strong protection for iPhones and iPads, while balancing privacy and usability requirements.

Now you can protect a broad set of endpoints, mobile devices and cloud workloads in your organization, including Windows, Linux, Mac, Android, Chrome and now iOS, with the Cortex XDR agent.

In-Process Shellcode Protection

Threat actors can attempt to bypass endpoint security controls using shellcode to load malicious code into memory. Cortex XDR’s patent-pending in-process shellcode protection module blocks these attempts. To understand how, let’s look at a common attack sequence.

After threat actors have gained initial access to a host, they typically perform a series of steps, including analyzing the host operating system and delivering a malicious payload to the host.

They may use a stager to deliver the payload directly into memory rather than installing malware on the host machine. By loading the payload directly into memory, they can circumvent many antivirus solutions that will either ignore or perform more limited security checks on memory.

Many red team tools or hacking tools, such as Cobalt Strike, Sliver or Brute Ratel, have made it easier for attackers to perform these sophisticated steps.

If a process, including a benign process, executes and allocates memory in a suspicious way, the Cortex XDR agent will single out that memory allocation and extract and analyze the buffer. If the Cortex XDR agent detects any signature or indicator that the payload is malicious, the agent conducts additional analysis on the process and shellcode, including analyzing the behavior of the code and the process, using EDR data enrichment.

If the Cortex XDR agent determines the shellcode or the process loaded by the shellcode are malicious, it will terminate the process that loaded the shellcode and the allocated memory. By killing the process chain, or the “causality,” Cortex XDR prevents the malicious software from executing.

In-process shellcode protection is a patent-pending technology that helps detect and prevent the use of hacking tools and malware.

Our in-process shellcode protection will block red team and hacking tools from loading malicious code, without needing to individually identify and block each tool.

This means that if a never-before-seen hacking tool is released, Cortex XDR can prevent the tool from using shellcode to load a payload into memory.

Cortex XDR will terminate the implant once it’s loaded on the machine before it can do anything malicious.

Financial Malware and Cryptomining Protection

Whether stealing from bank accounts or mining for cryptocurrency, cybercriminals always have new tricks up their collective sleeves. To combat these dangerous threats, we’ve added two new behavior-based protection modules in Cortex XDR Agent 7.9. Let’s take a brief look at these threats and how you can mitigate them with Cortex XDR.

Banking Trojans emerged over a decade ago, typically stealing banking credentials by manipulating web browser sessions and logging keystrokes. Criminals deployed large networks of Trojans, such as Zeus, Trickbot, Emotet and Dridex, over the years. They infected millions of computers, accessed bank accounts, and transferred funds from victims. Now, threat actors often use these Trojans to deliver other types of malware to victims’ devices, like ransomware.

Cryptojacking, or malicious and unauthorized mining for cryptocurrency, is an easy way for threat actors to make money. Threat actors often target cloud services to mine cryptocurrency because cloud services provide greater scale, allowing them to mine cryptocurrency faster than a traditional endpoint. According to Unit 42 research, 23% of organizations with cloud assets are affected by cryptojacking, and it’s still the most common attack on unsecured Kubernetes clusters.

The new banking malware threat protection and cryptominers protection modules in the Cortex XDR agent automatically detect and stop the behaviors associated with these attacks. For example, to block banking malware, the module will block attempts to infect web browsers during process creation, as well as block other browser injection techniques. The cryptominers protection module will detect unusual cryptographic API or GPU access and other telltale signs of cryptojacking.

Both of these modules augment existing banking and cryptomining protection already available with Cortex XDR. You can enable, disable or set these modules to alert-only mode on Windows, Linux and macOS endpoints. You can also create exceptions per module or module rule for granular policy control.

Scope-Based Access Control for Alerts and Incidents

To address data privacy and security requirements, you might wish to control which Cortex XDR alerts and incidents your users can view. With Cortex XDR 3.5, you can control which alerts and incidents users can access based on endpoint and endpoint group tags.

Screenshot showing the update user page.

You can tag endpoints or endpoint groups by geographic location, organization, business unit, department or any other segmentation of your choice. Then, you can flexibly manage access to alerts and incidents based on the tags you’ve defined.

Alert Management Made Simple

Cortex XDR 3.5 provides several enhancements to ease alert management and reduce noise. First, you can now view and configure alert exclusions and agent exception policies from a central location. You are able to configure which alerts to suppress. You can also configure exceptions to IOC and BIOC rules to prevent matching events from triggering alerts.

A new Disable Prevention Rules feature enables you to granularly exclude prevention actions triggered by specific security modules. The Legacy Exceptions window shows legacy “allow list rules,” which are still available.

XQL Search Integration with Vulnerability Assessment

To help you quickly hunt down threats and discover high risk assets, we have enhanced our XQL search capability. Now you can uncover vulnerable endpoints and gain valuable exposure context for investigations by viewing Common Vulnerabilities and Exposures (CVEs), as well as installed applications per endpoint. You can also list all CVEs detected in your organization, together with the endpoints and applications impacted by each CVE.

In addition, XQL search supports several new options that offer greater flexibility and control to streamline investigation and response. Notably, a new top stage command reveals the top values for a specific field quickly, with minimal memory usage. By default the top stage command displays the top ten results.

For a complete list of new features, see the Cortex XDR 3.5 and Cortex XDR Agent 7.9 release notes. To learn more about the in-process shellcode protection feature, attend the session “Today’s Top Endpoint Threats, and Advancements to Stop Them” on Tuesday, December 13, at 10:30 AM PST at the Ignite ’22 Conference.

Source :
https://www.paloaltonetworks.com/blog/2022/12/ios-devices-with-cortex-xdr-mobile/

LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling

Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements

A postmortem analysis of multiple incidents in which attackers eventually launched the latest version of LockBit ransomware (known variously as LockBit 3.0 or ‘LockBit Black’), revealed the tooling used by at least one affiliate. Sophos’ Managed Detection and Response (MDR) team has observed both ransomware affiliates and legitimate penetration testers use the same collection of tooling over the past 3 months.

Leaked data about LockBit that showed the backend controls for the ransomware also seems to indicate that the creators have begun experimenting with the use of scripting that would allow the malware to “self-spread” using Windows Group Policy Objects (GPO) or the tool PSExec, potentially making it easier for the malware to laterally move and infect computers without the need for affiliates to know how to take advantage of these features for themselves, potentially speeding up the time it takes them to deploy the ransomware and encrypt targets.

A reverse-engineering analysis of the LockBit functionality shows that the ransomware has carried over most of its functionality from LockBit 2.0 and adopted new behaviors that make it more difficult to analyze by researchers. For instance, in some cases it now requires the affiliate to use a 32-character ‘password’ in the command line of the ransomware binary when launched, or else it won’t run, though not all the samples we looked at required the password.

We also observed that the ransomware runs with LocalServiceNetworkRestricted permissions, so it does not need full Administrator-level access to do its damage (supporting observations of the malware made by other researchers).

Most notably, we’ve observed (along with other researchers) that many LockBit 3.0 features and subroutines appear to have been lifted directly from BlackMatter ransomware.

Is LockBit 3.0 just ‘improved’ BlackMatter?

Other researchers previously noted that LockBit 3.0 appears to have adopted (or heavily borrowed) several concepts and techniques from the BlackMatter ransomware family.

We dug into this ourselves, and found a number of similarities which strongly suggest that LockBit 3.0 reuses code from BlackMatter.

Anti-debugging trick

Blackmatter and Lockbit 3.0 use a specific trick to conceal their internal functions calls from researchers. In both cases, the ransomware loads/resolves a Windows DLL from its hash tables, which are based on ROT13.

It will try to get pointers from the functions it needs by searching the PEB (Process Environment Block) of the module. It will then look for a specific binary data marker in the code (0xABABABAB) at the end of the heap; if it finds this marker, it means someone is debugging the code, and it doesn’t save the pointer, so the ransomware quits.

After these checks, it will create a special stub for each API it requires. There are five different types of stubs that can be created (randomly). Each stub is a small piece of shellcode that performs API hash resolution on the fly and jumps to the API address in memory. This adds some difficulties while reversing using a debugger.

Screenshot of disassembler code — LockBit’s 0xABABABAB marker

SophosLabs has put together a CyberChef recipe for decoding these stub shellcode snippets.

Output of a CyberChef recipe — The first stub, as an example (decoded with CyberChef)

Obfuscation of strings

Many strings in both LockBit 3.0 and BlackMatter are obfuscated, resolved during runtime by pushing the obfuscated strings on to the stack and decrypting with an XOR function. In both LockBit and BlackMatter, the code to achieve this is very similar.

Georgia Tech student Chuong Dong analyzed BlackMatter and showed this feature on his blog, with the screenshot above.

By comparison, LockBit 3.0 has adopted a string obfuscation method that looks and works in a very similar fashion to BlackMatter’s function.

API resolution

LockBit uses exactly the same implementation as BlackMatter to resolve API calls, with one exception: LockBit adds an extra step in an attempt to conceal the function from debuggers.

The array of calls performs precisely the same function in LockBit 3.0.

Hiding threads

Both LockBit and BlackMatter hide threads using the NtSetInformationThread function, with the parameter ThreadHideFromDebugger. As you probably can guess, this means that the debugger doesn’t receive events related to this thread.

Printing

LockBit, like BlackMatter, sends ransom notes to available printers.

Deletion of shadow copies

Both ransomware will sabotage the infected computer’s ability to recover from file encryption by deleting the Volume Shadow Copy files.

LockBit calls the IWbemLocator::ConnectServer method to connect with the local ROOT\CIMV2 namespace and obtain the pointer to an IWbemServices object that eventually calls IWbemServices::ExecQuery to execute the WQL query.

LockBit’s method of doing this is identical to BlackMatter’s implementation, except that it adds a bit of string obfuscation to the subroutine.

Enumerating DNS hostnames

Both LockBit and BlackMatter enumerate hostnames on the network by calling NetShareEnum.

In the source code for LockBit, the function looks like it has been copied, verbatim, from BlackMatter.

Determining the operating system version

Both ransomware strains use identical code to check the OS version – even using the same return codes (although this is a natural choice, since the return codes are hexadecimal representations of the version number).

Configuration

Both ransomware contain embedded configuration data inside their binary executables. We noted that LockBit decodes its config in a similar way to BlackMatter, albeit with some small differences.

For instance, BlackMatter saves its configuration in the .rsrc section, whereas LockBit stores it in .pdata.

And LockBit uses a different linear congruential generator (LCG) algorithm for decoding.

Some researchers have speculated that the close relationship between the LockBit and BlackMatter code indicates that one or more of BlackMatter’s coders were recruited by LockBit; that LockBit bought the BlackMatter codebase; or a collaboration between developers. As we noted in our white paper on multiple attackers earlier this year, it’s not uncommon for ransomware groups to interact, either inadvertently or deliberately.

Either way, these findings are further evidence that the ransomware ecosystem is complex, and fluid. Groups reuse, borrow, or steal each other’s ideas, code, and tactics as it suits them. And, as the LockBit 3.0 leak site (containing, among other things, a bug bounty and a reward for “brilliant ideas”) suggests, that gang in particular is not averse to paying for innovation.

LockBit tooling mimics what legitimate pentesters would use

Another aspect of the way LockBit 3.0’s affiliates are deploying the ransomware shows that they’re becoming very difficult to distinguish from the work of a legitimate penetration tester – aside from the fact that legitimate penetration testers, of course, have been contracted by the targeted company beforehand, and are legally allowed to perform the pentest.

The tooling we observed the attackers using included a package from GitHub called Backstab. The primary function of Backstab is, as the name implies, to sabotage the tooling that analysts in security operations centers use to monitor for suspicious activity in real time. The utility uses Microsoft’s own Process Explorer driver (signed by Microsoft) to terminate protected anti-malware processes and disable EDR utilities. Both Sophos and other researchers have observed LockBit attackers using Cobalt Strike, which has become a nearly ubiquitous attack tool among ransomware threat actors, and directly manipulating Windows Defender to evade detection.

Further complicating the parentage of LockBit 3.0 is the fact that we also encountered attackers using a password-locked variant of the ransomware, called lbb_pass.exe , which has also been used by attackers that deploy REvil ransomware. This may suggest that there are threat actors affiliated with both groups, or that threat actors not affiliated with LockBit have taken advantage of the leaked LockBit 3.0 builder. At least one group, BlooDy, has reportedly used the builder, and if history is anything to go by, more may follow suit.

LockBit 3.0 attackers also used a number of publicly-available tools and utilities that are now commonplace among ransomware threat actors, including the anti-hooking utility GMER, a tool called AV Remover published by antimalware company ESET, and a number of PowerShell scripts designed to remove Sophos products from computers where Tamper Protection has either never been enabled, or has been disabled by the attackers after they obtained the credentials to the organization’s management console.

We also saw evidence the attackers used a tool called Netscan to probe the target’s network, and of course, the ubiquitous password-sniffer Mimikatz.

Incident response makes no distinction

Because these utilities are in widespread use, MDR and Rapid Response treats them all equally – as though an attack is underway – and immediately alerts the targets when they’re detected.

We found the attackers took advantage of less-than-ideal security measures in place on the targeted networks. As we mentioned in our Active Adversaries Report on multiple ransomware attackers, the lack of multifactor authentication (MFA) on critical internal logins (such as management consoles) permits an intruder to use tooling that can sniff or keystroke-capture administrators’ passwords and then gain access to that management console.

It’s safe to assume that experienced threat actors are at least as familiar with Sophos Central and other console tools as the legitimate users of those consoles, and they know exactly where to go to weaken or disable the endpoint protection software. In fact, in at least one incident involving a LockBit threat actor, we observed them downloading files which, from their names, appeared to be intended to remove Sophos protection: sophoscentralremoval-master.zip and sophos-removal-tool-master.zip. So protecting those admin logins is among the most critically important steps admins can take to defend their networks.

For a list of IOCs associated with LockBit 3.0, please see our GitHub.

Acknowledgments

Sophos X-Ops acknowledges the collaboration of Colin Cowie, Gabor Szappanos, Alex Vermaning, and Steeve Gaudreault in producing this report.

Source :
https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/