Since 2014, the National Institute of Standards and Technology (NIST), a U.S. federal agency, has issued guidelines for managing digital identities via Special Publication 800-63B. The latest revision (rev. 3) was released in 2017, and has been updated as recently as 2019. Revision 4 was made available for comment and review; however, revision 3 is still the standard as of the time of this blog post.
Section 5.1.1 – Memorized Secrets provides recommendations for requirements around how users may create new passwords or make password changes, including guidelines around issues such as password strength. Special Publication 800-63B also covers verifiers (software, websites, network directory services, etc.) that validate and handle passwords during authentication and other processes.
Not all organizations must adhere to NIST guidelines. However, many follow NIST password policy recommendations even if it’s not required because they provide a good foundation for sound digital identity management. Indeed, strong password security helps companies block many cybersecurity attacks, including hackers, brute force attacks like credential stuffing and dictionary attacks. In addition, mitigating identity-related security risks helps organizations ensure compliance with a wide range of regulations, such as HIPAA, FISMA and SOX.
Quick List of NIST Password Guidelines
This blog explain many NIST password guidelines in detail, but here’s a quick list:
User-generated passwords should be at least 8 characters in length.
Machine-generated passwords should be at least 6 characters in length.
Users should be able to create passwords at least 64 characters in length.
All ASCII/Unicode characters should be allowed, including emojis and spaces.
Stored passwords should be hashed and salted, and never truncated.
Prospective passwords should be compared against password breach databases and rejected if there’s a match.
Passwords should not expire.
Users should be prevented from using sequential characters (e.g., “1234”) or repeated characters (e.g., “aaaa”).
Two-factor authentication (2FA) should not use SMS for codes.
Knowledge-based authentication (KBA), such as “What was the name of your first pet?”, should not be used.
Users should be allowed 10 failed password attempts before being locked out of a system or service.
Passwords should not have hints.
Complexity requirements — like requiring special characters, numbers or uppercase letters — should not be used.
Context-specific words, such as the name of the service or the individual’s username, should not be permitted.
You probably notice that some of these recommendations represent a departure from previous assumptions and standards. For example, NIST has removed complexity requirements like special characters in passwords; this change was made in part because users find ways to circumvent stringent complexity requirements. Instead of struggling to remember complex passwords and risking getting locked out, they may write their passwords down and leave them near physical computers or servers. Or they simply recycle old passwords based on dictionary words by making minimal changes during password creation, such as incrementing a number at the end.
NIST Guidelines
Now let’s explore the NIST guidelines in more detail.
Password length & processing
Length has long been considered a crucial factor for password security. NIST now recommends a password policy that requires all user-created passwords to be at least 8 characters in length, and all machine-generated passwords to be at least 6 characters in length. Additionally, it’s recommended to allow passwords to be at least 64 characters as a maximum length.
Verifiers should no longer truncate any passwords during processing. Passwords should be hashed and salted, with the full password hash stored.
Also the recommended NIST account lockout policy is to allow users at least 10 attempts at entering their password before being locked out.
Accepted characters
All ASCII characters, including the space character, should be supported in passwords. NIST specifies that Unicode characters, such as emojis, should be accepted as well.
Users should be prevented from using sequential characters (e.g., “1234”), repeated characters (e.g., “aaaa”) and simple dictionary words.
Commonly used & breached passwords
Passwords that are known to be commonly used or compromised should not be permitted. For example, you should disallow passwords in lists from breaches (such as the Have I Been Pwned? database, which contains 570+ million passwords from breaches), previously used passwords, well-known commonly used passwords, and context-specific passwords (e.g., the name of the service).
When a user attempts to use a password that fails this check, a message should be displayed asking them for a different password and providing an explanation for why their previous entry was rejected.
Reduced complexity & password expiration
As explained earlier in the blog, previous password complexity requirements have led to less secure human behavior, instead of the intended effect of tightening security. With that in mind, NIST recommends reduced complexity requirements, which includes removing requirements for special characters, numbers, uppercase characters, etc.
A related recommendation for reducing insecure human behavior is to eliminate password expiration.
No more hints or knowledge-based authentication (KBA)
Although password hints were intended to help users to create more complex passwords, users often choose hints that practically give away their passwords. Accordingly, NIST recommends not allowing password hints.
NIST also recommends not using knowledge-based authentication (KBA), such as questions like “What was the name of your first pet?”
To account for the growing popularity of password managers, users should be able to paste passwords.
SMS is no longer considered a secure option for 2FA. Instead, one-time code provider, such as Google Authenticator or Okta Verify, should be used.
How Netwrix Can Help
Netwrix offers several solutions specifically designed to streamline and strengthen access and password management:
Netwrix Password Policy Enforcer makes it easy to create strong yet flexible password policies that enhance security and compliance without hurting user productivity or burdening helpdesk and IT teams.
Netwrix Password Reset enables users to safely unlock their own accounts and reset or change their own passwords, right from their web browser. This self-service functionality dramatically reduces user frustration and productivity losses while slashing helpdesk call volume.
FAQ
What is NIST Special Publication 800-63B?
NIST’s Digital Identity Guidelines (Special Publication 800-63B) provides reliable recommendations for identity and access management, including effective password policies.
Why does NIST recommend reducing password complexity requirements?
While requiring complex passwords makes them more difficult for attackers to crack, it also makes passwords harder for users to remember. To avoid frustrating lockouts, users tend to respond with behaviors like writing down their credentials on a sticky note by their desk or choosing to periodically reuse the same (or nearly the same) password — which increase security risks. Accordingly, NIST now recommends less stringent complexity requirements.
Microsoft Active Directory (AD) is the central credential store for 90% of organizations worldwide. As the gatekeeper to business applications and data, it’s not just everywhere, it’s everything! Managing AD is a never-ending task, and securing it is even harder. At Netwrix, we talk to a lot of customers who are using our tools to manage and secure AD, and over the years, key strategies for tightening security and hardening AD to resist attacks have emerged. Here are 10 Active Directory security hardening tips that you can use in your environment:
Active Directory includes thousands of items and many moving elements to safeguard. A core method for increasing security is to decrease clutter by removing unused users, groups and machines. Stale AD objects may be abused by attackers, so deleting them reduces your attack surface.
You may also find seldom-used items. Use HR data and work with business stakeholders to determine their status; for example, for user accounts, determine the user’s manager. While this takes time, you’ll appreciate having it done during your next audit or compliance review.
Tip #2: Make it easy for users to choose secure passwords.
To prevent adversaries from compromising user credentials to enter your network and move laterally, passwords need to be hard to crack. But users simply cannot remember and manage multiple complex passwords on their own, so they resort to practices that weaken security, such as writing their passwords on sticky notes or simply incrementing a number at the end when they need to change them. That led security experts to weaken their recommendations concerning password complexity and resets.
However, with an enterprise password management solution, you can make it easy for users to create unique and highly secure passwords and manage them effectively, so you do not have to compromise on strong password requirements. A user needs to memorize just one strong password, and the tool manages all the others for them.
Tip #3: Don’t let employees have admin privileges on their workstations.
If an attacker gains control of a user account (which we all know happens quite a bit), their next step is often to install hacking software on the user’s workstation to help them move laterally and take over other accounts. If the compromised account has local admin rights, that task is easy.
But most business users do not actually need to install software or change settings very often, so you can reduce your risk by not giving them admin permissions. If they do need an additional application, they can ask the helpdesk to install it. Don’t forget to use Microsoft LAPS ensure all remaining local admin accounts have strong passwords and change them on a regular schedule.
Tip #4: Lock down service accounts.
Service accounts are used by applications to authenticate to AD. They are frequently targeted by attackers because they are rarely monitored, have elevated privileges and typically have passwords with no expirations. Accordingly, take a good look at your service accounts and restrict their permissions as much as possible. Sometimes service accounts are members of the Domain Admin’s group, but typically don’t need all of that access to function — you may need to check with the application vendor to find out the exact privileges needed.
It’s also important to change service account passwords periodically to make it even more difficult for attackers to exploit them. Doing this manually is difficult, so consider using the group managed service account (gMSA) feature, introduced in Windows Server 2016. When you use gMSAs, the operating system will automatically handle the password management of service accounts for you.
Tip #5: Eliminate permanent membership in security groups.
The Enterprise Admin, Schema Admin and Domain Admin security groups are the crown jewels of Active Directory, and attackers will do everything they can to get membership in them. If your admins have permanent membership in these groups, an attacker who compromises one of their accounts will have permanent elevated access in your domain.
To reduce this risk, strictly limit membership in all of these highly privileged group and, furthermore, make membership temporary. The Enterprise Admin and Schema Admin groups are not frequently used, so for these, this won’t be an issue. Domain Admin is needed much more, so a system for granting temporary membership will have to be set up.
Tip #6: Eliminate elevated permissions wherever possible.
There are three fairly common permissions that attackers need to execute attacks against AD: Reset Password, Change Group Membership and Replication. These permissions are harder to secure since they are so frequently used in daily operations.
Accordingly, you should monitor all changes to security group permissions or membership that would grant these rights to additional users. Even better, implement a privileged access management (PAM) solution that enables just-in-time temporary provisioning of these privileges.
Tip #7: Implement multifactor authentication (MFA)
MFA adds an extra layer of security by requiring users to verify their identity by providing at least two of the following types of authentication factors:
Something they know, such as a password, PIN or answer to a security question
Something they have, such as a code from a physical token or a smart card
Something they are, which means biometrics like a fingerprint, iris or face scan
Tip #8: Closely audit your Active Directory.
It is important to audit Active Directory for both non-secure settings and suspicious activity. In particular, you should perform regular risk assessment to mitigate security gaps, monitor for anomalous user activity, and promptly identify configuration drift in critical system files. It’s ideal to invest in tools that will automatically alert you to suspicious events and even respond automatically to block threats.
Tip #9: Secure DNS.
Securing DNS can help you to block a variety of attacks, including as domain hijacking and DNS spoofing. Steps to take include implementing DNSSEC, using a secure DNS server and regularly reviewing DNS settings.
Tip #10: Regularly back up Active Directory.
Having a recent backup of your Active Directory is crucial for recovery from cyber incidents, including ransomware attacks and natural disasters. Backups should be stored securely, tested regularly and be readily accessible to ensure your critical AD settings are recoverable in the event of a disaster.
Conclusion
Active Directory is an amazing system for controlling access. However, it’s only secure when it’s clean, understood, properly configured, closely monitored and tightly controlled. These tips are practical ways that you can tighten security and harden your Active Directory.
Frequently Asked Questions
What is hardening in Active Directory?
Hardening in Active Directory is the process of securing and strengthening the directory service to reduce the risk of data breaches and downtime. It involves controlling access to sensitive data, removing unnecessary objects, enforcing password policies and monitoring for suspicious activity.
What is domain controller hardening?
Domain controller hardening is the process of strengthening the servers that run Active Directory to reduce the risk of unauthorized access, data breaches and service disruption. It includes deactivating superfluous services, deploying security patches and updates, establishing firewall rules, and enforcing strong password practices.
What happens if a domain controller is compromised?
An adversary who compromises a domain controller can do significant damage, from accessing sensitive data to creating, modifying and deleting user accounts and other critical AD objects.
How do I secure Active Directory?
Securing Active Directory is an ongoing process that involves multiple layers of security controls. In particular, organizations need to implement strong password policies, limit user access, monitor for suspicious activity, keep machines patched and updated, secure domain controllers, use multifactor authentication (MFA) to add extra security, and educate employees on cybersecurity best practices and potential threats.
Active Directory security groups are used to grant users permissions to IT resources. Each security group is assigned a set of access rights, and then users are made members of the appropriate groups. Done right, this approach enables an accurate, role-based approach to user management and reduces IT workload.
Why should Security Groups Stay Secure?
Security groups should always be protected with clear security protocols because they govern user and computer access to resources that could be highly confidential, sensitive, and critical to the organization. Any oversight may result in security breaches and data theft with lasting consequences. Hence, you need to establish some best practices for using and managing security groups.
Key Best Practices
The following best practices can help you use security groups effectively.
Use Group Nesting to Simplify Access Management
Give each security group a unique, descriptive name
Limit each group’s permissions to the bare minimum
Make each user a member of only the required groups
Track group activity and changes to security groups
Pay attention to service accounts
Have group owners review their groups regularly, and remove groups that are no longer needed
Use privileged accounts only when required
Always create a recovery plan
Use Group Nesting to Simplify Access Management.
When we talk about group nesting, we refer to making an AD group a member of another group. This strategy enables us to give permissions across domains through universal groups. It works this way:
Give each security group a unique, descriptive name.
When security groups have unclear names, or multiple groups have similar names, such as ‘Sales Group 1’ and ‘Sales Group 2’, it’s difficult to ensure that they have the correct permissions and membership. To reduce risk, establish group naming standards that ensure consistency and uniqueness.
Limit each group’s permissions to the bare minimum.
The least privilege principle is the cornerstone of security. Make sure each security group is assigned only the permissions that its members need to complete their tasks. Granting excessive permissions to a group enables any group member — or an adversary who compromises their account — to abuse those rights.
Make each user a member of only the required groups.
Never add users to groups they do not need to be a part of. Moreover, remove them promptly from groups they no longer need to belong to, such as when they change roles within the organization. For example, when users change departments, remove them from the previous department’s groups and add them to the new department’s groups. That way, each user has access only to the resources they need, which reduces your organization’s attack surface area.
Track group activity and changes to security groups.
Any improper change to the permissions or membership of a security group puts the organization at increased risk of security incidents and business disruptions. Be especially vigilant about monitoring changes to highly privileged groups like Domain Admins and Enterprise Admins.
Look out for the following to detect suspicious behavior:
Unauthorized permission and membership changes
Unnecessary or unusual use of admin accounts
Failed password attempts
Locked out accounts
Disabled or removed antivirus software
At a minimum, log the events and regularly run reports to spot suspicious activity. Even better, use a tool that will alert you in real time to changes to critical security groups, or block those changes from happening in the first place.
Pay attention to service accounts.
A service account is a special user account created to run a particular application or service. Best practices for service accounts include the following:
Set secure passwords.
Do not make service accounts members of built-in privileged groups like Domain Admins.
Enforce least privilege by granting each service account the minimum access required to accomplish its tasks.
Have group owners review their groups regularly, and remove groups that are no longer needed.
Security groups are usually set up to provide access to resources for a particular project team— but when the project is over, the group is often not deleted. By requiring group owners to regularly review their groups, you can improve security by removing groups that are no longer needed.
As a best practice, disable or delete dormant accounts after about 45 days of inactivity. Set up a system to distinguish inactive accounts from active accounts, which would help in removing inactive accounts from security groups. Hackers can easily target unused accounts since no one keeps track of the account’s activities. And if that unused account is a member of multiple security groups, the implications could be devastating.
Use privileged accounts only when required.
Accounts that are members of privileged groups should be used only for performing administrative tasks that require elevated rights. For all other tasks, admins should use their regular user accounts. This strategy reduces the risk of attackers gaining control of an account that is a member of security groups with access to sensitive systems and data.
Always create a recovery plan.
Despite keeping security intact, data breaches may happen at times due to an error. As a proactive measure, have a recovery plan in place with due attention to recovering security groups. IT teams must be trained to handle such a situation with quick and intelligent decision-making.
Simplifying Security Group Management
Netwrix GroupID can help you effectively manage your Active Directory security groups. Here are some of the ways it can help you implement the best practices described above.
Establish and enforce standards for naming groups
Ensure the membership of security groups is accurate
Establish an attestation process for security groups
Set security groups to expire automatically
Set a default group approver
Establish and enforce standards for naming groups.
Netwrix GroupID helps you implement consistency and convention in group names with the following features:
Group name prefixes
Regular expressions
Templates for naming nested groups
Lists of blocked words
Ensure the membership of security groups is accurate.
Netwrix GroupID enables you to manage group membership with LDAP queries as an alternative to manually adding and removing users, thus ensuring that membership is always up to date.
Establish an attestation process for security groups.
Netwrix GroupID makes it easy for group owners to regularly review the attributes, membership, and permissions of their security groups, as well as whether the groups are still needed. This process helps maintain a check on groups.
Set security groups to expire automatically.
You can set an expiry date for a security group, such as a group created for a specific project. Netwrix GroupID sends an email notification to a group’s owner 30 days, 7 days and 1 day before the expiration date. If the group is not renewed, it is automatically deleted. Expired groups that have been deleted can be quickly restored if necessary.
You can easily exempt any security group from expiration, including the default security groups in Active Directory.
Set a default group approver.
You can designate a default approver for groups, who will receive expiry notifications for groups without owners.
Conclusion
Properly managing your Active Directory security groups is vital to protecting your IT systems and data. A solution like Netwrix GroupID can make it easy to implement the best practices detailed here.
How governments play a vital role in developing regulations, stopping supply chain attacks, and diminishing other threats to our way of life.
While new issues are always emerging in the world of cybersecurity, some have been present since the beginning, such as what role cybersecurity should play in government operations and, conversely, what role government should play in cybersecurity. The answer to this question continues to shift and evolve over time, but each new leap in technology introduces additional considerations. As we move into the AI era, how can government best keep citizens safe without constraining innovation and the free market — and how can the government use its defensive capabilities to retain an edge in the conflicts of tomorrow?
The day’s first session, “Cybersecurity and Military Defense in an Increasingly Digital World,” offered a deep dive into the latter question. Over the past 20 years, military conflicts have moved from involving just Land, Air and Sea to also being fought in Space and Cyber. While superior technology has given us an upper hand in previous conflicts, in some areas our allies — and our adversaries — are catching up or even surpassing us. In each great technological leap, companies and countries alike ascend and recede, and to keep our edge in the conflicts of the future, the U.S. will need to shed complacency, develop the right policies, move toward greater infrastructure security and tap the capabilities of the private sector.
SonicWall in particular is well-positioned to work with the federal government and the military. For years, we’ve helped secure federal agencies and defense deployments against enemies foreign and domestic, and have woked to shorten and simplify the acquisition and procurement process. Our list of certifications includes FIPS 140-2, Common Criteria, DoDIN APL, Commercial Solutions for Classified (CSfC), USGv6, IPv6 and TAA and others. And our wide range of certified solutions have been used in a number of government use cases, such as globally distributed networks in military deployments and federal agencies, tip-of-the-spear, hub-and-spoke, defense in-depth layered firewall strategies and more.
This new strategy was at the center of the day’s next session. In “The National Cyber Strategy as Roadmap to a Secure Cyber Future,” panelists outlined this strategic guidance, which was released just two months ago and offered a roadmap for how the U.S. should protect its digital ecosystem against malicious criminal and nation-state actors. The guidance consists of five pillars, all of which SonicWall is in accord with:
Pillar One: Defend Critical Infrastructure SonicWall offers several security solutions that align with Pillar One, including firewalls, intrusion prevention, VPN, advanced threat protection, email security, Zero-Trust network access and more. We’re also working to align with and conform to NIST SSDF and NIST Zero Trust Architecture standards.
Pillar Three: Shape Market Forces to Drive Security and Resilience
This pillar shifts liability from end users to software providers that ignore best practices, ship insecure or vulnerable products or integrate unvetted or unsafe third-party software. And as part of our efforts to aign with the NIST SSDF, we’re implementing a Software Bill of Materials (SBOM).
Pillar Four: Invest in a Resilient Future
Given CISA’s prominence in this guidance, any regulations created will likely include threat emulation testing, and will likely be mapped to threat techniques, such as MITRE ATT&CK. SonicWall Capture Client (our EDR solution) is powered by SentinelOne, which has been a participant in the MITRE ATT&CK evaluations since 2018 and was a top performer in the 2022 Evaluations.
Pillar Five: Forge International Partnerships to Pursue Shared Goals
An international company, SonicWall recognizes the importance of international partnerships and works to comply with global regulations such as GDPR, HIPAA, PCI-DSS and more. By sharing threat intelligence and collaborating no mitigation strategies, we work with governments and the rest of the cybersecurity community to pursue shared cybersecurity goals.
And with the continued rise in cybercrime, realizing these goals has never been more important. In “The State of Cybersecurity: Year in Review,” Mandiant CEO Kevin Mandia summarized findings from the 1,163 intrusions his company investigated in 2022. The good news, Mandia said, is that we’re detecting threats faster. In just ten years, we’ve gone from averaging 200 days to notice there’s a problem, to just 16 days currently — but at the same time, an increase in the global median dwell time for ransomware shows there’s still work to be done.
Mandia also outined the evolution of how cybercriminals are entering networks, from Unix platforms, to Windows-based attacks, and from phishing, to spearphishing to vulnerabilities — bringing patch management once again to the fore.
Deep within the RSAC Sandbox, where today’s defenders learn, play and test their skills, panelists convened to discuss how to stop attackers’ relentless attempts to shift left. “Software Supply Chain: Panel on Threat Intel, Trends, Mitigation Strategies” explained that while the use of third-party components increases agility, it comes with tremendous risk. More than 96% of software organizations rely on third-party code, 90% of which consists of open source—but the developers of this software are frequently single individuals or small groups who may not have time to incorporate proper security, or even know how. Our current strategy of signing at the end isn’t enough, panelists argued—to truly ensure safety, signing should be done throughout the process (otherwise known as “sign at the station”).
Israel provides an example of how a country can approach the issue of software supply chain vulnerability — among other things, the country has created a GitHub and browser extension allowing developers to check packages for malicious code — but much work would need to be done to implement the Israel model in the U.S. AI also provides some hope, but given its current inability to reliably detect malicious code, we’re still a long way from being able to rely on it. In the meantime, organizations will need to rely on tried-and-true solutions such as SBOMs to help guard against supply chain attacks in the near future.
But while AI has tremendous potential to help defenders, it also has terrible potential to aid attackers. In “ChatGPT: A New Generation of Dynamic Machine-Based Attacks,” the speakers highlighted ways that attackers are using the new generation of AI technology to dramatically improve social engineering attempts, expand their efforts to targets in new areas, and even write ransomware and other malicious code. In real time, the speakers demonstrated the difference between previous phishing emails and phishing generated by ChatGPT, including the use of more natural language, the ability to instantly access details about the target and the ability to imitate a leader or colleague trusted by the victim with a minimum of effort. These advancements will lead to a sharp increase in victims of phishing attacks, as well as things like Business Email Compromise.
And while there are guardrails in place to help prevent ChatGPT from being used maliciously, they can be circumvented with breathtaking ease. With the simple adjustment of a prompt, the speakers demonstrated, ransomware and other malicious code can be generated. While this code isn’t functional on its own, it’s just one or two simple adjustments away — and this capability could be used to rapidly increase the speed with which attacks are launched.
These capabilities are especially concerning given the rise in state-sponsored attacks. In “State of the Hack 2023: NSA’s Perspective,” NSA Director of Cybersecurity Rob Joyce addressed a packed house regarding the NSA’s work to prevent the increasing wave of nation-state threats. The two biggest nation-state threats to U.S. cybersecurity continue to be Russia and China, with much of the Russian effort centering around the U.S.’ assistance in the Russia/Ukraine conflict.
As we detailed in our SonicWall 2023 Cyber Threat Report, since the beginning of the conflict, attacks by Russia’s military and associated groups have driven a massive spike in cybercrime in Ukraine. The good news, Joyce said, is that Russia is currently in intelligence-gathering mode when it comes to the U.S., and is specifically taking care not to release large-scale NotPetya-type attacks. But Russia also appears to be playing the long game, and is showing no signs of slowing or scaling back their efforts.
China also appears to be biding its time — but unlike Russia, whose efforts appear to be focused around traditional military dominance, China is seeking technological dominance. Exploitation by China has increased so much that we’ve become numb to it, Joyce argued. And since these nation-state sponsored attackers don’t incur much reputational damage for their misdeeds, they’ve become increasingly brazen in their attacks, going so far as to require any citizen who finds a zero-day to pass details to the government and hosting competitions for building exploits and finding vulnerabilities. And the country is also making efforts to influence international tech standards in an attempt to tip scales in their favor for years to come.
The 2023 RSA Conference has offered a wealth of information on a wide variety of topics, but it will soon draw to a close. Thursday is the last day to visit the SonicWall booth (#N-5585 in Moscone North) and enjoy demos and presentations on all of our latest technology. Don’t head home without stopping by — and don’t forget to check back for the conclusion of our RSAC 2023 coverage!
Microsoft Edge Windows 11 Windows 10 Office for business
Microsoft is always striving to improve and streamline our product experiences—offering a new way to use the classic Microsoft Outlook app on Windows and the Microsoft Edge web browser.
If you have a Microsoft 365 Personal or Family subscription, browser links from the Outlook app will open in Microsoft Edge by default, right alongside the email they’re from in the Microsoft Edge sidebar pane. This allows you to easily access, read, and respond to the message using your matching authenticated profile. No more disruptive switching—just your email and the web content you need to reference, in a single, side-by-side view. And we’re always optimizing the sidebar in Microsoft Edge to give you useful content and tools while you’re browsing so you don’t have to toggle back and forth between windows or even other tabs—whether you’re shopping online or working in a Microsoft 365 web app.
In the future, links from your Microsoft Teams messages will also open in Microsoft Edge by default to help you stay engaged in conversations as you browse the web.
Ultimately though, if this experience isn’t right for you, you can turn off this feature the first time it launches in Microsoft Edge, and then in Outlook settings at any time after that.
FAQ
Why is Microsoft making this change?
To improve your experience between email and browsing—letting you see them both at the same time, in the same place. No more switching back and forth between apps.
To provide a unique experience—at Microsoft, we strive to create the best customer experience across our products.
To reduce task switching and improve workflow and focus—by opening browser links in Microsoft Edge, the original message in Outlook can be viewed alongside web content to easily access, read, and respond to the message, using the matching authenticated profile.
Will this replace my default browser setting in Windows?
No, this only impacts links opened from Microsoft Outlook on Windows and you have the option to turn off this feature in Outlook settings.
I want to open links with the browser set as the default in Windows Settings. How do I do that?
You can choose your preferred browser for opening links from Outlook the first time it launches in Microsoft Edge. After that you can change this setting in Outlook at any time—select File > Options > Advanced > Link handling and choose your preferred browser from the dropdown menu.
In Outlook, go to File.
Select Options.
Select Advanced > Link handling and choose your preferred browser from the dropdown menu.
Will this change affect me if I’m using a Mac?
No, this change will only be applied to Windows 10 and Windows 11 devices.
Send us feedback
Please let us know what you think about the new experience in one of two ways:
In Microsoft Edge, go to Settings and more > Help and feedback > Send feedback. Follow the on-screen instructions and select Send.
Press Alt + Shift + I on your keyboard. Follow the on-screen instructions and select Send.
In this blog entry, we provide technical details and analysis on the 3CX attacks as they happen. We also discuss available solutions which security teams can maximize for early detection and mitigate the impact of 3CX attacks.
By: Trend Micro Research March 30, 2023 Read time: 7 min (1870 words)
Updated on:
April 5, 2:39 a.m. EDT: We added Windows, Mac, and network commands to the Trend Micro Vision One™️ guide in the linked PDF.
April 4, 3:29 a.m. EDT: We added Trend Micro XDR filters to the solutions.
April 3, 2:33 a.m. EDT: We added details on d3dcompiler_47.dll‘s abuse of CVE-2013-3900 to make it appear legitimately signed.
April 1, 1:50 a.m. EDT: We added a guide on how Vision One can be used to search for potential threats associated with the 3CX desktop app.
March 31, 11:07 p.m. EDT: We added technical details, an analysis of the info-stealer payload, and information on Trend Micro XDR capabilities for investigating and mitigating risks associated with the 3CX desktop app.
March 31, 3:00 a.m. EDT: We added the execution flow diagram, a link to Trend Micro support page, and a list of Mac IOCs and detection names.
In late March 2023, security researchers revealed that threat actors abused a popular business communication software from 3CX — in particular, thereports mention that a version of the 3CX VoIP (Voice over Internet Protocol) desktop client was being employed to target 3CX’s customers as part of an attack.
On its forums, 3CX has posted an update that recommends uninstalling the desktop app and using the Progressive Web App (PWA) client instead. The company also mentioned that they are working on an update to the desktop app.
For a more comprehensive scope of protection against possible attacks associated with the 3CX Desktop App, the Trend Micro XDR platform can help organizations mitigate the impact by collecting and analyzing extensive activity data from various sources. By applying XDR analytics to the data gathered from its native products, Trend Micro XDR generates correlated and actionable alerts.
Trend Micro customers can also take advantage of Trend Micro Vision One™ to search for and monitor potential threats associated with the 3CX Desktop App, and to better understand observed attack vectors. For more information on how to utilize Trend Micro Vision One features, you may download the PDF guide here.
Additional guidance for Trend Micro customers including help with protection and detection can be found on our support page.
What is the compromised application?
The 3CX app is a private automatic branch exchange (PABX) software that provides several communication functions for its users, including video conferencing, live chat, and call management. The app is available on most major operating systems, including Windows, macOS, and Linux. Additionally, the client is available as a mobile application for both Android and iOS devices, while a Chrome extension and the PWA version of the client allow users to access the software through their browsers.
The issue was said to be limited to the Electron (non-web versions) of their Windows package (versions 18.12.407 and 18.12.416) and macOS clients (versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416).
According to the company’s website, more than 600,000 businesses and over 12 million daily users around the world use 3CX’s VoIP IPBX software.
How does the attack work?
The attack is reportedly a multi-stage chain in which the initial step involves a compromised version of the 3CX desktop app. Based on initial analysis, the MSI package (detected by Trend Micro as Trojan.Win64.DEEFFACE.A and Trojan.Win64.DEEFFACE.SMA) is the one that is compromised with possible trojanized DLLs, since the .exe file has the same name.
The infection chain begins with 3CXDesktopApp.exe loading ffmpeg.dll (detected as Trojan.Win64.DEEFFACE.A andTrojan.Win64.DEEFFACE.SMA). Next, ffmpeg.dll reads and decrypts the encrypted code from d3dcompiler_47.dll (detected as Trojan.Win64.DEEFFACE.A and Trojan.Wind64.DEEFACE.SMD3D).
The decrypted code seems to be the backdoor payload that tries to access the IconStorages GiHub page to access an ICO file (detected as Trojan.Win32.DEEFFACE.ICO) containing the encrypted C&C server that the backdoor connects to in order to retrieve the possible final payload. In addition, d3dcompiler_47.dll also abuses CVE-2013-3900 to make it appear that it is legitimately signed.
Figure 1. The detailed execution flow and Trend Micro detections of the malicious files. The MSI installer contains the .exe and two .dll files. The main source of the detection in the MSI installer is “ffmpeg.dll,” which is the trojanized DLL.
As part of its attack routine, it contacts the servers noted in the list of indicators of compromise (IOCs) at the end of this blog entry. These domains are blocked by the Trend Micro Web Reputation Services (WRS).
Execution flow
Upon execution, the MSI package installer will drop the following files that are related to malicious behavior. Trend Micro Smart Scan Pattern (cloud-based) TBL 21474.300.40 can detect these files as Trojan.Win64.DEEFFACE.A.
3CXDesktopApp.exe: A normal file that is abused to load the trojanized DLL
ffmpeg.dll: A trojanized DLL used to read, load, and execute a malicious shellcode from d3dcompiler_47.dll
d3dcompiler_47.dll: A DLL appended with an encrypted shellcode after the fe ed fa ce hex string
Some conditions are necessary for execution. For example, the sleep timestamp varies depending on the following conditions: First, it checks if the manifest file is present, as well as if it is using a specified date. If the file is not present or if it is using the specified date, the timestamp will generate a random number and use the formula rand() % 1800000 + current date + 604800 (604,800 is seven days). After the date is computed, the malware will continue its routine.
Upon execution of 3CXDesktopApp.exe, ffmpeg.dll, which seems to be a trojanized or patched DLL, will be loaded. It will still contain its normal functionalities, but it will have an added malicious function that reads d3dcompiler_47.dll to locate an encrypted shellcode after the fe ed fa ce hex strings.
Figure 2. Reading “d3dcompiler_47.dll” and locating the “fe ed fa ce” hex string
Upon decryption of the malicious shellcode using RC4 with the key, 3jB(2bsG#@c7, the shellcode will then try to access the GitHub repository that houses the ICO files containing the encrypted C&C strings that use Base64 encoding and AES + GCM encryption at the end of the image.
These B64 strings seem to be C&C domains that the shellcode tries to connect to for downloading other possible payloads. However, we were unable to confirm the exact nature of these payloads since the GitHub repository (raw.githubusercontent[.]com/IconStorages/images/main/) had already been taken down at the time of this writing. Note that the process exits when the page is inaccessible.
Figure 3. Code snippet showing the hard-coded GitHub repositoryFigure 4. An ICO file from the GitHub repository
The above description applies to the Windows version. The behaviour of the Mac version is broadly similar, although it only uses a subset of the Windows C&C domains.
Info-stealer payload analysis
Based on our ongoing analysis of attacks on 3CX and the behaviors observed, the following section details what we know so far about the payload’s attack vector.
Payloads in investigated 3CX attacks are detected as TrojanSpy.Win64.ICONICSTEALER.THCCABC. Upon analysis of the payload named ICONIC Stealer, we discovered that if it is executed using regsvr32.exe as the DLL loader, it will display the following system error:
Figure 5. Error displayed upon executing the sample using “regsvr32.exe”
Meanwhile, if rundll32.exe is used as the DLL loader, it encounters a WerFault error and displays the following pop-up message:
Figure 6. Error displayed if “rundll32.exe” is used as the DLL loader
This indicates that the sample must be loaded by a specific application to proceed to its malicious routine.
ICONIC Stealer then checks for a file named config.json under the folder “3CXDesktopApp.”
Figure 7. Checking for “config.json”
ICONIC Stealer was then observed to steal the following system information:
HostName
DomainName
OsVersion
The gathered data will then be converted into a text-string format.
Figure 8. Converting gathered data into a text-string format
ICONIC Stealer then proceeds to its last behavior, which steals browser data. It uses the function shown in Figure 9 to traverse the infected system using predefined directories related to the browser’s history and other browser-related information.
Figure 9. Function for traversing the infected system
The following figure shows a list of predefined strings:
Figure 10. List of predefined strings
The system directories on the following list compose the targets identified in the partial analysis of the ICONIC Stealer’s behavior. More information will be provided as this blog is updated.
AppData\Local\Google\Chrome\User Data
AppData\Local\Microsoft\Edge\User Data
AppData\Local\BraveSoftware\Brave-Browser\User Data
AppData\Roaming\Mozilla\Firefox\Profiles
Browser
Target information
Chrome
History
Edge
History
Brave
History
Firefox
places.sqlite
Table 1. The targeted section of each browser. Note that “places.sqlite” stores the annotations, bookmarks, favorite icons, input history, keywords, and the browsing history of visited pages for Mozilla Firefox.
ICONIC Stealer was also found with the capability to limit the retrieved data to the first five hundred entries to ensure that the most recent browser activity is the data that is retrieved:
Figure 11. Limiting data to the first 500 entries
“UTF-16LE”, ‘SELECT url, title FROM urls ORDER BY id DESC LIMIT
“UTF-16LE”, ‘500’,0
“UTF-16LE”, ‘SELECT url, title FROM moz_places ORDER BY id DESC
“UTF-16LE”, ‘LIMIT 500’,0
Figure 12. Retrieved results stored on an allocated buffer
The gathered data will be passed to the main loader module to POST then back to the C&C server embedded in the main module.
What is its potential impact?
Due to its widespread use and its importance in an organization’s communication system, threat actors can cause major damage (for example, by monitoring or rerouting both internal and external communication) to businesses that use this software.
What can organizations do about it?
Organizations that are potentially affected should stop using the vulnerable version if possible and apply the patches or mitigation workarounds if these are available. IT and security teams should also scan for confirmed compromised binaries and builds and monitor for anomalous behavior in 3CX processes, with a particular focus on C&C traffic.
Meanwhile, enabling behavioral monitoring in security products can help detect the presence of the attack within the system.
The following domains are blocked by Trend Micro Web Reputation Services (WRS)
akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
dunamistrd[.]com
glcloudservice[.]com
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
visualstudiofactory[.]com
zacharryblogs[.]com
Trend Micro XDR uses the following filters to protect customers from 3CX-related attacks:
Filter
ID
OS
Compromised 3CX Application File Indicators
F6669
macOS, Windows
DLL Sideloading of 3CX Application
F6668
Windows
Web Reputation Services Detection for Compromised 3CX Application
F6670
macOS, Windows
Suspicious Web Access of Possible Compromised 3CX Application
F6673
Windows
Suspicious DNS Query of Possible Compromised 3CX Application
F6672
Windows
Trend Micro Malware Detection Patterns for Endpoint, Servers (Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security with anti-malware, among others), Mail, and Gateway (Cloud App Security, ScanMail for Exchange, IMSVA):
Starting with Trend Micro Smart Scan Pattern (cloud-based) TBL 21474.200.40, known trojanized versions of this application are being detected as Trojan Win64.DEEFFACE.A.
The Mac version of this threat is detected as Trojan.MacOS.FAKE3L3CTRON.A.
The SMTP protocol is the main protocol used to transfer messages between mail servers and is, by default, not secure. The Transport Layer Security (TLS) protocol was introduced years ago to support encrypted transmission of messages over SMTP. It’s commonly used opportunistically rather than as a requirement, leaving much email traffic in clear text, vulnerable to interception by nefarious actors. Furthermore, SMTP determines the IP addresses of destination servers through the public DNS infrastructure, which is susceptible to spoofing and Man-in-the-Middle (MITM) attacks. This vulnerability has led to many new standards being created to increase security for sending and receiving email, one of those standards being DNS-based Authentication of Named Entities (DANE).
DANE for SMTP RFC 7672 uses the presence of a Transport Layer Security Authentication (TLSA) record in a domain’s DNS record set to signal a domain and its mail server(s) support DANE. If there’s no TLSA record present, DNS resolution for mail flow will work as usual without any DANE checks being attempted. The TLSA record securely signals TLS support and publishes the DANE policy for the domain. So, sending mail servers can successfully authenticate legitimate receiving mail servers using SMTP DANE. This authentication makes it resistant to downgrade and MITM attacks. DANE has direct dependencies on DNSSEC, which works by digitally signing records for DNS lookups using public key cryptography. DNSSEC checks occur on recursive DNS resolvers, the DNS servers that make DNS queries for clients. DNSSEC ensures that DNS records aren’t tampered with and are authentic.
Once the MX, A/AAAA and DNSSEC-related resource records for a domain are returned to the DNS recursive resolver as DNSSEC authentic, the sending mail server will ask for the TLSA record corresponding to the MX host entry or entries. If the TLSA record is present and proven authentic using another DNSSEC check, the DNS recursive resolver will return the TLSA record to the sending mail server.
After the authentic TLSA record is received, the sending mail server establishes an SMTP connection to the MX host associated with the authentic TLSA record. The sending mail server will try to set up TLS and compare the server’s TLS certificate with the data in the TLSA record to validate that the destination mail server connected to the sender is the legitimate receiving mail server. The message will be transmitted (using TLS) if authentication succeeds. When authentication fails or if TLS isn’t supported by the destination server, Exchange Online will retry the entire validation process beginning with a DNS query for the same destination domain again after 15 minutes, then 15 minutes after that, then every hour for the next 24 hours. If authentication continues to fail after 24 hours of retrying, the message will expire, and an NDR with error details will be generated and sent to the sender.
Tip
If you’re not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
What are the components of DANE?
TLSA Resource Record
The TLS Authentication (TLSA) record is used to associate a server’s X.509 certificate or public key value with the domain name that contains the record. TLSA records can only be trusted if DNSSEC is enabled on your domain. If you’re using a DNS provider to host your domain, the DNSSEC may be a setting offered when configuring a domain with them. To learn more about DNSSEC zone signing, visit this link: Overview of DNSSEC | Microsoft Docs.
Example TLSA record:
There are four configurable fields unique to the TLSA record type:
Certificate Usage Field: Specifies how the sending email server should verify the destination email server’s certificate.
Value
Acronym
Description
01
PKIX-TA
Certificate used is the trust-anchor Public CA from the X.509 trust-chain.
11
PKIX-EE
Certificate checked is the destination server; DNSSEC checks must verify its authenticity.
2
DANE-TA
Use server’s private key from the X.509 tree that must be validated by a trust anchor in the chain of trust. The TLSA record specifies the trust anchor to be used for validating the TLS certificates for the domain.
3
DANE-EE
Only match against the destination server’s certificate.
1 Exchange Online follows RFC implementation guidance that Certificate Usage Field values of 0 or 1 shouldn’t be used when DANE is implemented with SMTP. When a TLSA record that has a Certificate Usage field value of 0 or 1 is returned to Exchange Online, Exchange Online will treat it as not usable. If all TLSA records are found unusable, Exchange Online won’t perform the DANE validation steps for 0 or 1 when sending the email. Instead, because of the presence of a TLSA record, Exchange Online will enforce the use of TLS for sending the email, sending the email if the destination email server supports TLS or dropping the email and generating an NDR if the destination email server doesn’t support TLS.
In the example TLSA record, the Certificate Usage Field is set to ‘3’, so the Certificate Association Data (‘abc123…xyz789’) would be matched against the destination server’s certificate only.
Selector field: Indicates which parts of the destination server’s certificate should be checked.
Value
Acronym
Description
0
Cert
Use full certificate.
1
SPKI (Subject Public Key Info)
Use certificate’s public key and the algorithm with which the public key is identified to use.
In the example TLSA record, the Selector Field is set to ‘1’ so the Certificate Association Data would be matched using the destination server certificate’s public key and the algorithm with which the public key is identified to use.
Matching Type Field: Indicates the format the certificate will be represented in the TLSA record.
Value
Acronym
Description
0
Full
The data in the TSLA record is the full certificate or SPKI.
1
SHA-256
The data in the TSLA record is an SHA-256 hash of either the certificate or the SPKI.
2
SHA-512
The data in the TSLA record is an SHA-512 hash of either the certificate or the SPKI.
In the example TLSA record, the Matching Type Field is set to ‘1’ so the Certificate Association Data is an SHA-256 hash of the Subject Public Key Info from the destination server certificate
Certificate Association Data: Specifies the certificate data that is used for matching against the destination server certificate. This data depends on the Selector Field value and the Matching Type Value.
In the example TLSA record, the Certificate Association data is set to ‘abc123..xyz789’. Since the Selector Field value in the example is set to ‘1’, it would reference the destination server certificate’s public key and the algorithm that’s identified to be used with it. And since the Matching Type field value in the example is set to ‘1’, it would reference the SHA-256 hash of the Subject Public Key Info from the destination server certificate.
How can Exchange Online customers use SMTP DANE Outbound?
As an Exchange Online customer, there isn’t anything you need to do to configure this enhanced email security for your outbound email. This enhanced email security is something we have built for you and it’s ON by default for all Exchange Online customers and is used when the destination domain advertises support for DANE. To reap the benefits of sending email with DNSSEC and DANE checks, communicate to your business partners with whom you exchange email that they need to implement DNSSEC and DANE so they can receive email using these standards.
How can Exchange Online customers use SMTP DANE inbound?
Currently, inbound SMTP DANE isn’t supported for Exchange Online. Support for inbound SMTP DANE will be available in the near future.
What is the recommended TLSA record configuration?
Per RFC implementation guidance for SMTP DANE, a TLSA record composed of the Certificate Usage field set to 3, the Selector field set to 1, and the Matching Type field set to 1 is recommended.
Exchange Online Mail Flow with SMTP DANE
The mail flow process for Exchange Online with SMTP DANE, shown in the flow chart below, validates domain and resource record security through DNSSEC, TLS support on the destination mail server, and that the destination mail server’s certificate matches what is expected based on its associated TLSA record.
There are only two scenarios where an SMTP DANE failure will result in the email being blocked:
The destination domain signaled DNSSEC support but one or more records were returned as inauthentic.
All MX records for the destination domain have TLSA records and none of the destination server’s certificates match what was expected per the TSLA record data, or a TLS connection isn’t supported by the destination server.
Related Technologies
Technology
Additional Information
Mail Transfer Agent – Strict Transport Security (MTA-STS) helps thwart downgrade and Man-in-the-Middle attacks by providing a mechanism for setting domain policies that specify whether the destination email server supports TLS and what to do when TLS can’t be negotiated, for example stop the transmission.
More information about Exchange Online’s upcoming support for inbound and outbound MTA-STS will be published later this year.
DomainKeys Identified Mail (DKIM) uses X.509 certificate information to ensure that destination email systems trust messages sent outbound from your custom domain.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework and DomainKeys Identified Mail to authenticate mail senders and ensure that destination email systems trust messages sent from your domain.
Currently, there are four error codes for DANE when sending emails with Exchange Online. Microsoft is actively updating this error code list. The errors will be visible in:
The Exchange Admin Center portal through the Message Trace Details view.
NDRs generated when a message isn’t sent due to a DANE or DNSSEC failure.
starttls-not-supported: Destination mail server must support TLS to receive mail.
4/5.7.322
certificate-expired: Destination mail server’s certificate is expired.
4/5.7.323
tlsa-invalid: The domain failed DANE validation.
4/5.7.324
dnssec-invalid: Destination domain returned invalid DNSSEC records.
Note
Currently, when a domain signals that it supports DNSSEC but fails DNSSEC checks, Exchange Online does not generate the 4/5.7.324 dnssec-invalid error. It generates a generic DNS error:
4/5.4.312 DNS query failed
We are actively working to remedy this known limitation. If you receive this error statement, navigate to the Microsoft Remote Connectivity Analyzer and perform the DANE validation test against the domain that generated the 4/5.4.312 error. The results will show if it is a DNSSEC issue or a different DNS issue.
Troubleshooting 4/5.7.321 starttls-not-supported
This error usually indicates an issue with the destination mail server. After receiving the message:
Check that the destination email address was entered correctly.
Alert the destination email administrator that you received this error code so they can determine if the destination server is configured correctly to receive messages using TLS.
Retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
Troubleshooting 4/5.7.322 certificate-expired
A valid X.509 certificate that hasn’t expired must be presented to the sending email server. X.509 certificates must be renewed after their expiration, commonly annually. After receiving the message:
Alert the destination email administrator that you received this error code and provide the error code string.
Allow time for the destination server certificate to be renewed and the TLSA record to be updated to reference the new certificate. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
Troubleshooting 4/5.7.323 tlsa-invalid
This error code is related to a TLSA record misconfiguration and can only be generated after a DNSSEC-authentic TLSA record has been returned. There are many scenarios during the DANE validation that occur after the record has been returned that can result in the code being generated. Microsoft is actively working on the scenarios that are covered by this error code, so that each scenario has a specific code. Currently, one or more of these scenarios could cause the generation of the error code:
The destination mail server’s certificate doesn’t match with what is expected per the authentic TLSA record.
Authentic TLSA record is misconfigured.
The destination domain is being attacked.
Any other DANE failure.
After receiving the message:
Alert the destination email administrator that you received this error code and provide them the error code string.
Allow time for the destination email admin to review their DANE configuration and email server certificate validity. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
Troubleshooting 4/5.7.324 dnssec-invalid
This error code is generated when the destination domain indicated it was DNSSEC-authentic but Exchange Online wasn’t able to verify it as DNSSEC-authentic.
After receiving the message:
Alert the destination email administrator that you received this error code and provide them the error code string.
Allow time for the destination email admin to review their domain’s DNSSEC configuration. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
Troubleshooting Receiving Emails with SMTP DANE
Currently, there are two methods an admin of a receiving domain can use to validate and troubleshoot their DNSSEC and DANE configuration to receive email from Exchange Online using these standards.
Adopt SMTP TLS-RPT (Transport Layer Security Reporting) introduced in RFC8460
TLS-RPT https://datatracker.ietf.org/doc/html/rfc8460 is a reporting mechanism for senders to provide details to destination domain administrators about DANE and MTA-STS successes and failures with those respective destination domains. To receive TLS-RPT reports, you only need to add a TXT record in your domain’s DNS records that includes the email address or URI you would like the reports to be sent to. Exchange Online will send TLS-RPT reports in JSON format.
Example record:
The second method is to use the Remote Connectivity Analyzer Microsoft Remote Connectivity Analyzer, which can do the same DNSSEC and DANE checks against your DNS configuration that Exchange Online will do when sending email outside the service. This method is the most direct way of troubleshooting errors in your configuration to receive email from Exchange Online using these standards.
When errors are being troubleshooted, the below error codes may be generated:
NDR Code
Description
4/5.7.321
starttls-not-supported: Destination mail server must support TLS to receive mail.
4/5.7.322
certificate-expired: Destination mail server’s certificate has expired.
4/5.7.323
tlsa-invalid: The domain failed DANE validation.
4/5.7.324
dnssec-invalid: Destination domain returned invalid DNSSEC records.
Note
Currently, when a domain signals that it supports DNSSEC but fails DNSSEC checks, Exchange Online does not generate the 4/5.7.324 dnssec-invalid error. It generates a generic DNS error:
4/5.4.312 DNS query failed
We are actively working to remedy this known limitation. If you receive this error statement, navigate to the Microsoft Remote Connectivity Analyzer and perform the DANE validation test against the domain that generated the 4/5.4.312 error. The results will show if it is a DNSSEC issue or a different DNS issue.
Troubleshooting 4/5.7.321 starttls-not-supported
Note
These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
This error usually indicates an issue with the destination mail server. The mail server that the Remote Connectivity Analyzer is testing connecting with. There are generally two scenarios that generate this code:
The destination mail server doesn’t support secure communication at all, and plain, non-encrypted communication must be used.
The destination server is configured improperly and ignores the STARTTLS command.
After receiving the message:
Check the email address.
Locate the IP address that is associated with the error statement so you can identify the mail server the statement is associated with.
Check your mail server’s setting to make sure it’s configured to listen for SMTP traffic (commonly ports 25 and 587).
Wait a few minutes, then retry the test with the Remote Connectivity Analyzer tool.
If it still fails, then try removing the TLSA record and run the test with the Remote Connectivity Analyzer tool again.
If there are no failures, this message may indicate the mail server you’re using to receive mail doesn’t support STARTTLS and you may need to upgrade to one that does in order to use DANE.
Troubleshooting 4/5.7.322 certificate-expired
Note
These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
A valid X.509 certificate that hasn’t expired must be presented to the sending email server. X.509 certificates must be renewed after their expiration, commonly annually. After receiving the message:
Check the IP that is associated with the error statement, so you can identify the mail server it’s associated with. Locate the expired certificate on the email server you identified.
Sign in to your certificate provider’s website.
Select the expired certificate and follow the instructions to renew and to pay for the renewal.
After your provider has verified the purchase, you may download a new certificate.
Install the renewed certificate into its associated mail server.
Update the mail server’s associated TLSA record with the new certificate’s data.
After waiting an appropriate amount of time, retry the test with the Remote Connectivity Analyzer tool.
Troubleshooting 4/5.7.323 tlsa-invalid
Note
These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
This error code is related to a TLSA record misconfiguration and can only be generated after a DNSSEC-authentic TSLA record has been returned. But, there are many scenarios during the DANE validation that occur after the record has been returned that can result in the code being generated. Microsoft is actively working on the scenarios that are covered by this error code, so that each scenario has a specific code. Currently, one or more of these scenarios could cause the generation of the error code:
Authentic TLSA record is misconfigured.
The certificate isn’t yet time valid/configured for a future time window.
Destination domain is being attacked.
Any other DANE failure.
After receiving the message:
Check the IP that is associated with the error statement to identify the mail server it’s associated with.
Identify the TLSA record that is associated with the identified mail server.
Verify the configuration of the TLSA record to ensure that it signals the sender to perform the preferred DANE checks and that the correct certificate data has been included in the TLSA record.
If you have to make any updates to the record for discrepancies, then wait a few minutes then rerun the test with the Remote Connectivity Analyzer tool.
Locate the certificate on the identified mail server.
Check the time window for which the certificate is valid. If it’s set to start validity at a future date, it needs to be renewed for the current date.
Sign in to your certificate provider’s website.
Select the expired certificate and follow the instructions to renew and to pay for the renewal.
After your provider has verified the purchase, you may download a new certificate.
Install the renewed certificate into its associated mail server.
Troubleshooting 4/5.7.324 dnssec-invalid
Note
These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
This error code is generated when the destination domain indicated it’s DNSSEC-authentic but Exchange Online isn’t able to verify it as DNSSEC-authentic. This section won’t be comprehensive for troubleshooting DNSSEC issues and focuses on scenarios where domains previously passed DNSSEC authentication but not now.
After receiving the message:
If you’re using a DNS provider, for example GoDaddy, alert your DNS provider of the error so they can work on the troubleshooting and configuration change.
If you’re managing your own DNSSEC infrastructure, there are many DNSSEC misconfigurations that may generate this error message. Some common problems to check for if your zone was previously passing DNSSEC authentication:
Broken trust chain, when the parent zone holds a set of DS records that point to something that doesn’t exist in the child zone. Such pointers by DS records can result in the child zone being marked as bogus by validating resolvers.
Resolve by reviewing the child domains RRSIG key IDs and ensuring that they match with the key IDs in the DS records published in the parent zone.
RRSIG resource record for the domain isn’t time valid, it has either expired or its validity period hasn’t begun.
Resolve by generating new signatures for the domain using valid timespans.
Note
This error code is also generated if Exchange Online receives SERVFAIL response from DNS server on TLSA query for the destination domain.
When an outbound email is being sent, if the receiving domain has DNSSEC enabled, we query for TLSA records associated with MX entries in the domain. If no TLSA record is published, the response to the TLSA lookup must be NOERROR (no records of requested type for this domain) or NXDOMAIN (there’s no such domain). DNSSEC requires this response if no TLSA record is published; otherwise, Exchange Online interprets the lack of response as a SERVFAIL error. As per RFC 7672, a SERVFAIL response is untrustworthy; so, the destination domain fails DNSSEC validation. This email is then deferred with the following error:
450 4.7.324 dnssec-invalid: Destination domain returned invalid DNSSEC records
If the email sender reports receipt of the message
If you’re using a DNS provider, for example, GoDaddy, alert your DNS provider of the error so that they can troubleshoot the DNS response. If you’re managing your own DNSSEC infrastructure, it could be an issue with the DNS server itself or with the network.
Frequently Asked Questions
As an Exchange Online customer, can I opt out of using DNSSEC and/or DANE?
We strongly believe DNSSEC and DANE will significantly increase the security position of our service and benefit all of our customers. We’ve worked diligently over the last year to reduce the risk and severity of the potential impact this deployment might have for Microsoft 365 customers. We’ll be actively monitoring and tracking the deployment to ensure negative impact is minimized as it rolls out. Because of this, tenant-level exceptions or opt-out won’t be available. If you experience any issues related to the enablement of DNSSEC and/or DANE, the different methods for investigating failures noted in this document will help you identify the source of the error. In most cases, the issue will be with the external destination party and you’ll need to communicate to these business partners that they need to correctly configure DNSSEC and DANE in order to receive email from Exchange Online using these standards.
How does DNSSEC relate to DANE?
DNSSEC adds a layer of trust into DNS resolution by applying the public key infrastructure to ensure the records returned in response to a DNS query are authentic. DANE ensures that the receiving mail server is the legitimate and expected mail server for the authentic MX record.
What is the difference between MTA-STS and DANE for SMTP?
DANE and MTA-STS serve the same purpose, but DANE requires DNSSEC for DNS authentication while MTA-STS relies on certificate authorities.
Why isn’t Opportunistic TLS sufficient?
Opportunistic TLS will encrypt communication between two endpoints if both agree to support it. However, even if TLS encrypts the transmission, a domain could be spoofed during DNS resolution such that it points to a malicious actor’s endpoint instead of the real endpoint for the domain. This spoof is a gap in email security that is addressed by implementing MTA-STS and/or SMTP DANE with DNSSEC.
Why isn’t DNSSEC sufficient?
DNSSEC isn’t fully resistant to Man-in-the-Middle attacks and downgrade (from TLS to clear text) attacks for mail flow scenarios. The addition of MTA-STS and DANE along with DNSSEC provides a comprehensive security method to thwart both MITM and downgrade attacks.
This is a Friday long-read, so grab a warm cup of something and kick back because we’re going to take our time on this. The world is about to profoundly change. I know you’re nervous – perhaps excited and optimistic, but if you’ve been paying attention and have been watching the trajectory of this thing, the rational reaction is to be nervous. In this post I’d like to unpack in practical and tangible terms what AI is, where it came from, and the state of play, and then I’ll show you a path that will give you a pretty good shot at surviving the coming revolution.
Who am I? I’m Mark Maunder and I founded Wordfence in 2011 and wrote the early versions of the product until 2015 when Matt Barry took over as lead developer and I morphed into a tech executive running Defiant Inc, which makes Wordfence. We have over 4 million customers using our free product and a large number of paying customers using our various paid WordPress security products. I’ve been a technologist since the early 90s and a kid hacker in my teens in the 80s and 90s. I started my career in mission-critical operations for companies like Coca-Cola, Credit Suisse (now UBS), and DeBeers and then went over to do dev for companies like the BBC and eToys which was one of the biggest dot-com busts. I created the first job meta-search called WorkZoo in the UK around 2001 which later competed with Indeed, launched after us, and which I sold in 2005 but which made Time Magazine and NYTimes. I subsequently launched a Geoblogging platform, inline comments via JS, an ad network, real-time analytics, a localized news website, and more. You could say I’ve been in the innovation game for a minute, and I’m in it for life. I’m based in the USA these days in case you’re curious – moved over here in 2003.
Examining Bubbles
My apologies for the long bio, but what I’d like to illustrate is that I’ve seen tech come and go. The hype cycles I’ve seen typically include:
Outlandish claims about how the tech will solve everything from slicing bread to world peace and everything in between.
Commercial vendors jumping on the emerging mega-trend to surf the wave with proprietary technologies of their own which they position as standards, or at the very least the default choice.
Nascent technologies implementing the tech, that are immature, unstable, rapidly changing, and may very well be abandoned in a few months or a few years.
The press contracting a bad case of rabies and foaming at the mouth about the tech, amplifying the most extreme aspects and use cases and creating a lot of noise, which makes it hard for implementors to sift for the truth and the fundamentals around the technology.
The investment community pouring cash into the space with little focus. This creates an extremely adversarial environment for tech practitioners who are building fundamental value, who now have to compete with powerful VC-backed marketing machines.
As Warren Buffet says, the Innovators, the Imitators, and the Swarming Incompetents enter the space in that order. I’d add that they have a pyramid structure with each successive wave being at least an order of magnitude bigger than the last. Things get crowded for a while.
Then you have the typical bust cycle which cleans house and makes the tech uncool again, but also makes it interesting to the true believers. The VC’s go away and stop making noise that innovators have to compete against. The imitators and swarming incompetents drift off to imitate and mess up something else. The businesses not creating fundamental value fail. Some creating fundamental value fail too but the talent and tech are sometimes reincarnated into something else useful.
So who prospers, and what tech survives after a bust? Sometimes none of it, but helpful derivative technologies are created, like Java Applets in the 90s that inspired Flash which inspired standards-based rich content web browsers.
Sometimes out of the ashes, an Amazon is born, as with the dot-com boom. And sometimes you have incredible innovation where the innovators never see large-scale commercial success, but others do, as with Igor Sysoyev who created Nginx which eliminated the need for a data center full of web servers to handle large-scale websites. Igor has a commercial thing, but the real winners were companies like Cloudflare who based their global infrastructure on Nginx, reverse proxying massive numbers of connections to origin servers with rules about what gets proxied. Hey, I benefited too. Nginx saved our behinds when Kerry and I were running Feedjit.com from 2007 to 2011 because it let us handle over 1 billion application requests per month on just 6 servers. Thanks Igor!
Blockchain technology is in a bust cycle and you can map the characteristics I defined above to blockchain. It looks eerily similar to the dot-com bust and you’ll see an Amazon emerge from the ashes about a decade from now. It might be Coinbase if they survive the over 80% dive in market cap that may continue, but who knows?
Derivative Versus Fundamental Technology Innovation
I’ve mentioned a few tech bubbles so far and it’s really the first step in pulling us out of the trees so that we can examine the various forests out there. Now let’s go a little more meta and talk about which forests matter. Some technology is derivative. Examples of derivative tech are new stuff that runs inside a browser, for example, Websockets.
Websockets are awesome because they let a browser keep a connection open and get push notifications without doing the old TCP three-way handshake to establish a new connection every time the browser wants to check if there’s data waiting on a chat server or whatever. We used to call this long-polling and I wrote a web server to do long polling which was a clumsy but necessary approach, so when Web Sockets came along we all breathed a sigh of relief and I happily retired my web server glad that no one would see my nasty source code which worked quite well mind you.
Another derivative technology – and you’re not going to like this – is blockchain. It’s a useful and novel implementation of hashing algorithms and a few other cryptographic tricks, but honestly, we should have disintermediated banking at least two decades ago and the fact that blockchain has still failed to do that is both disappointing and illustrative that it is just a set of derivative applications built on a tower of fundamentals that has a way to go before it matures. The hype cycle and speculative bubble around it was simply humans making human noise.
So that’s derivative tech. In addition to derivative tech, you have what I’d like to call fundamental tech. Electricity is fundamental. It’s cornerstone technology that transformed the world in our ability to use and transport energy which has enabled an industrial and technological revolution the likes of which the world has never seen. The microprocessor is also fundamental tech for similar reasons. You have algorithms that are fundamental tech like the RSA algorithm which allows us to establish a secure communication channel while a bad person is listening in the whole time – the kind of tech that could have changed the outcome of World War II.
The Internet is fundamental tech. It connected the world and gave us the ability to build applications on top like HTTP and the web which are derivative tech.
Oh I know you want to have a bar fight with me at this point and we’ll do that if you’re attending Wordcamp EU – a collegial and metaphorical barfight, that is – but hopefully, you’re picking up what I’m putting down here in a general sense: There is fundamental tech that profoundly enables and changes the world and which many other things are built on top of, and there is derivative tech that gets a lot of attention but isn’t quite as transformative in a historical sense if you’re thinking in terms of centuries. And there’s the big fat grey area in between.
AI is fundamental tech. For decades we have been programming by writing functions by hand. We’ve gotten quite good at structuring our code using metaphors like object-oriented programming to create logical structures that make sense in a human world, and help us organize large code bases. But fundamentally the way we define logic in a program hasn’t changed for a long time. Until now. For the first time in all of history, we can create functions in programming by training them, rather than writing them by hand. In other, slightly more technical words, we can infer a function from observations and then use it. Like babies and toddlers do. This is historic, it’s transformative and it is a fundamental breakthrough.
Funny thing is that until quite recently – around 2015 – AI had suffered many so-called “AI Winters” where there was significant interest in the field that catalyzed investment dollars, and then a setback usually caused by a reality check, that caused a winter in funding and interest. Does anyone remember the “expert systems” of the 80s? By the early 2000s AIs name had been dragged through the mud so many times that anyone doing serious research in the field used different words to describe their work, like “machine learning” or “informatics” or “knowledge systems”.
A few hardcore true believers like Yann Lecun, Yushua Bengio and Geoffrey Hinton powered through like Bilbo and Sam across The Dead Marshes and went on to win the Turing Award, which is basically the Nobel Prize of computer science and which I had the privilege of attending when Rivest, Adleman and Shamir won theirs for public key crypto. The Turing Award is a very big deal and well deserved considering how adversarial the AI environment was for a while.
So what changed? Well for one thing you’re reading this post because it’s about AI and you’re interested. And you’re interested because you recently used GPT-4, MidJourney, Dall-E or another model to create something. You’re seeing tangible results. And the reason you’re seeing results is that GPU hardware, algorithms, and an interest in the field have brought us to an inflection point where the technology is delivering results that are jaw-dropping enough to catalyze more funding, more research, and more jaw-dropping results. This cycle really picked up steam in 2015, and with the release of GPT-4 recently, has entered a phase of what I would describe as true and consistent exponential growth.
According to NVidia “LLM sizes have been increasing 10X every year for the last few years”. In two years that’s 100X. Three years from now that’s 1000X and so on. Extrapolate that out and be afraid. Or optimistic if your mind isn’t for rent and you are hopeful yet discontent. Rush lyrics aside, that pace should give you an idea of how quickly this thing is coming. And now that we’ve reached the point of inflection I mentioned, where the hardware and algorithms seem to have overcome the cycle of disappointment that AI has been stuck in for decades, I predict that you’ll see consistent and exponential growth in the field in capabilities for the foreseeable future, with a financial bubble and bust in there that won’t be of much consequence to the fundamental value of the technology.
“Thanks for the history lesson Maunder, but you brought us here with promises of telling us what to do about AI. So?”
What to do about AI
So far we’ve discussed what boom cycles look like and the kind of noise and bear traps you should be aware of. We’ve defined what AI is in fundamental terms – a function that you can train rather than hand code. And we’ve hopefully agreed that we’ve entered a period of consistent and exponential growth in the field. Now we’ll chat about how to survive and prosper in a world that looks a lot like when electricity was invented and commercialized, or the microprocessor, or the Internet.
Goldman estimates that AI will add 7% to global GDP at a rate of about 1.5% growth per year. They also estimate that roughly two-thirds of US occupations are exposed to some degree of automation by AI. You can extrapolate this globally. That kind of global disruption is matched only by the industrial revolution or the entire recent tech revolution as a whole starting from 1980. From the same publication, “A recent study by economist David Autor cited in the report found that 60% of today’s workers are employed in occupations that didn’t exist in 1940.”. So on an optimistic note, this kind of disruption isn’t a new thing and we’ve been disrupting and adapting for some time now.
Perhaps you’re reading this because you are running a WordPress website, perhaps secured by my product, Wordfence. Which means you’re a creator of some kind. Perhaps you’re a writer, an artist, or perhaps you’re an entrepreneur creating a business out of thin air. [Yes my fellow entreps, you get to hang with the other cool creator kids too!!]. If you don’t plan on adapting at all, that makes you far more vulnerable to this coming wave than say a chef who runs a restaurant, or someone who manages real estate and rentals. And that really is the key: adaptation. So how can we adapt?
If you’re a creator, you need to become a user of AI. You’re probably already using GPT to write copy for your product catalogs on your e-commerce website, or using MidJourney (MJ) or Dall-E to create art for ad campaigns. If you’re a designer or artist, you may feel the kind of resentment this Blender artist does in the Blender subreddit.
“My Job is different now since Midjourney v5 came out last week. I am not an artist anymore, nor a 3D artist. Rn all I do is prompting, photoshopping and implementing good looking pictures. The reason I went to be a 3D artist in the first place is gone. I wanted to create form In 3D space, sculpt, create. With my own creativity. With my own hands.”
“It came over night for me. I had no choice. And my boss also had no choice. I am now able to create, rig and animate a character thats spit out from MJ in 2-3 days. Before, it took us several weeks in 3D. The difference is: I care, he does not. For my boss its just a huge time/money saver.”
While I sympathize with how hard change and disruption can be, it’s been a constant for the past couple of centuries in many fields. MidJourney has a long way to go before it can match a real-world artist, unless you’re just churning out images and letting the AI guide the design choices and are happy to work around the bugs. For MidJourney and other generative AIs to produce exactly what we want, they’re going to have to get better at understanding what exactly we want to create. And that’s where the skill comes in. You’re already seeing this with a document that someone has created listing famous photographers and examples of their look. This can be used in MJ prompts to say “in the style of” to get a specific look, but it is an incredibly rudimentary approach.
Another way to guide the MJ AI in particular is to blend photos it has generated. Again, super rudimentary, but it’s the start of having the ability to tightly specify exactly what you want and get that out of MJ. And if you need a reminder of how basic it still is, try to get MJ to generate hands. It still sucks, even at version 5.
So if you’re a creator, start getting good at using the tools now, understand their limitations, and evolve as the products evolve until you’re an expert at guiding the AI to create exactly what you want. This will help you guide your customers in explaining the limits of the current state of AI to them and where you add value, let you take immediate advantage of the use that the current tools have, and ramp up your productivity as the tools get better at taking instructions from you.
This applies to writers, artists, designers, filmmakers, photographers, screenwriters, and anyone with creative output. Get good at the tools. Get good at them now. Do it with an open mind. Know that changes aren’t permanent and that change is. (Again with sneaking in the Rush lyrics)
Adapting as a Dev
Coders! My people! We have a problem. Most of you have become users of AI. You’re users of GPT-4 via their API. You’re plugging into other generative AIs via an API. You aren’t rolling your own. And rolling your own is where all the fun is!!
Ever heard of transfer learning? You can grab a pre-trained model from Hugging Face, chop off the head – aka the final layer in the layers of neural nets, substitute it with random weights, and train the pre-trained model with your own data to take advantage of the sometimes millions of dollars that someone else already spent training their model. In fact Facebook’s LLAMA model which is one of the largest LLM’s in the world was leaked via Torrent recently.
The most important thing you need to do right now as a developer is to stop being a user of AI and become a dev of AI. GPT-4 is a shiny ball that the world will have forgotten about in a year, but it’s a very shiny and attractive ball right now that is fueling many a late-night dev chat. Remember that stat I gave you above? That LLM’s have been increasing in size at 10X per year. The current state of the art will be accessible to you on a desktop in a few years and you need to get ready for that world today.
I’m going to just go ahead and tell you what you need to do to get your AI stuff together, fast.
Ignore the math. Trust me on this. Most people including devs are not good at math and it intimidates the hell out of them. AI is just matrix multiplication and addition using GPU cores to parallelize the ops. Expressing this as code is easy. Expressing it as math will make you hide under your bed and cry. Ignore the math. If you can code, you’ll get it.
Learn Python. Everything in AI is Python. It’s a beautiful little language that you’ll come to appreciate very quickly if you’re already a dev. It’s like coming over to Aikido if you’re already a black belt. OK the MMA scene kinda messed up my metaphor proving that Aikido is actually worthless, but whatever.
Then go do the Practical Deep Learning for Coders course at fast.ai. It’s how we get our guys up to speed fast in the field and it’s brilliant. Jeremy Howard does a spectacular job of getting you up to speed fast in the field by immediately getting you productive and then unpacking the details in a fun non-mathy way.
As you progress in the course, definitely get up to speed using Jupyter Notebooks and I’d recommend Kaggle for this. They were bought by Google a few years ago and kind of compete with Google’s own notebook system called Colab, but I prefer Kaggle. You get GPU access by simply verifying your email address and it’s free which is kind of amazing. So you can use a rich text environment on Kaggle to write your code, see the output and run it on some fairly decent GPUs. Kaggle GPU’s perform at about 20% of the speed of my laptop RTX 4090 in case you’re curious about benchmarks.
The course teaches fundamentals, how to use pre-trained models, how to create Jupyter Notebooks or fork others, how to create Hugging Face Spaces, and how to share your models and their output with the world. It is the fastest way right now to transform yourself from an AI user into an AI dev and get drinks bought for you at parties by folks that have not yet made the leap.
Alright, this went long but that was the plan. We’ll talk more about AI. Go forth, be brave, learn, and create!
Mark Maunder – Founder & CEO – Wordfence and Defiant Inc.
Footnotes: All images on the page were created with MidJourney and if you’d like to see the prompt I used, simply view the image in a new tab and the image name is the prompt, all except for the heavy metal hands image which a colleague created. I’ll be in the comments in case there’s discussion.
Note: Content from this post first appeared in r/CrowdStrike
We will continue to update on this dynamic situation as more details become available. CrowdStrike’s Intelligence team is in contact with 3CX.
On March 29, 2023, CrowdStrike observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp — a softphone application from 3CX. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.
The CrowdStrike Falcon® platform has behavioral preventions and atomic indicator detections targeting the abuse of 3CXDesktopApp. In addition, CrowdStrike® Falcon OverWatch™ helps customers stay vigilant against hands-on-keyboard activity.
The 3CXDesktopApp is available for Windows, macOS, Linux and mobile. At this time, activity has been observed on both Windows and macOS.
CrowdStrike Intelligence has assessed there is suspected nation-state involvement by the threat actor LABYRINTH CHOLLIMA. CrowdStrike Intelligence customers received an alert this morning on this active intrusion.
The CrowdStrike Falcon platform protects customers from this attack and has coverage utilizing behavior-based indicators of attack (IOAs) and indicators of compromise (IOCs) based detections targeting malicious behaviors associated with 3CX on both macOS and Windows.
Customers should ensure that prevention policies are properly configured with Suspicious Processes enabled.
Figure 1. CrowdStrike’s indicator of attack (IOA) identifies and blocks the malicious behavior in macOS (click to enlarge)
Figure 2. CrowdStrike’s indicator of attack (IOA) identifies and blocks the malicious behavior in Windows (click to enlarge)
Hunting in the CrowdStrike Falcon Platform
Falcon Discover
CrowdStrike Falcon® Discover customers can use the following link: US-1 | US-2 | EU | Gov to look for the presence of 3CXDesktopApp in their environment.
Falcon Insight customers can assess if the 3CXDesktopApp is running in their environment with the following query:
Event Search — Application Search
event_simpleName IN (PeVersionInfo, ProcessRollup2) FileName IN ("3CXDesktopApp.exe", "3CX Desktop App")
| stats dc(aid) as endpointCount by event_platform, FileName, SHA256HashData
Falcon Long Term Repository — Application Search
#event_simpleName=/^(PeVersionInfo|ProcessRollup2)$/ AND (event_platform=Win ImageFileName=/\\3CXDesktopApp\.exe$/i) OR (event_platform=Mac ImageFileName=/\/3CX\sDesktop\sApp/i)
| ImageFileName = /.+(\\|\/)(?.+)$/i
| groupBy([event_platform, FileName, SHA256HashData], function=count(aid, distinct=true, as=endpointCount))
Atomic Indicators
The following domains have been observed beaconing, which should be considered an indication of malicious intent.
CrowdStrike Falcon® Insight customers, regardless of retention period, can search for the presence of these domains in their environment spanning back one year using Indicator Graph: US-1 | US-2 | EU | Gov.
Event Search — Domain Search
event_simpleName=DnsRequest DomainName IN (akamaicontainer.com, akamaitechcloudservices.com, azuredeploystore.com, azureonlinecloud.com, azureonlinestorage.com, dunamistrd.com, glcloudservice.com, journalide.org, msedgepackageinfo.com, msstorageazure.com, msstorageboxes.com, officeaddons.com, officestoragebox.com, pbxcloudeservices.com, pbxphonenetwork.com, pbxsources.com, qwepoi123098.com, sbmsa.wiki, sourceslabs.com, visualstudiofactory.com, zacharryblogs.com)
| stats dc(aid) as endpointCount, earliest(ContextTimeStamp_decimal) as firstSeen, latest(ContextTimeStamp_decimal) as lastSeen by DomainName
| convert ctime(firstSeen) ctime(lastSeen)
We break down the basic information of CVE-2023-23397, the zero-day, zero-touch vulnerability that was rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale.
Update as of 03/22/3023 2:50PM PHT: Updated the prevention and mitigation section for an additional step.
CVE-2023-23397 is a critical privilege elevation/authentication bypass vulnerability in Outlook, released as part of the March Patch Tuesday set of fixes. The vulnerability, which affects all versions of Windows Outlook, was given a 9.8 CVSS rating and is one of two zero-day exploits disclosed on March 14. We summarize the points that security teams need to know about this vulnerability and how they can mitigate the risks of this gap.
What is it?
CVE-2023-23397 is an elevation of privilege (EoP) vulnerability in Microsoft Outlook. It is a zero-touch exploit, meaning the security gap requires low complexity to abuse and requires no user interaction.
Figure 1. General exploitation routine of CVE-2023-23397
How is CVE-2023-23397 exploited?
The attacker sends a message to the victim with an extended Message Application Program Interface (MAPI) property with a Universal Naming Convention (UNC) path to a remote attacker-controlled Server Message Block (SMB, via TCP 445). Share-hosted on a server controlled by the attacker, the vulnerability is exploited whether the recipient has seen the message or not. The attacker remotely sends a malicious calendar invite represented by .msg — the message format that supports reminders in Outlook — to trigger the vulnerable API endpoint PlayReminderSound using “PidLidReminderFileParameter” (the custom alert sound option for reminders).
When the victim connects to the attacker’s SMB server, the connection to the remote server sends the user’s New Technology LAN Manager (NTLM) negotiation message automatically, which the attacker can use for authentication against other systems that support NTLM authentication.
NTLMv2 hashes are the latest protocol Windows uses for authentication, and it is used for a number of services with each response containing a hashed representation of users’ information, such as the username and password. As such, threat actors can attempt a NTLM relay attack to gain access to other services, or a full compromise of domains if the compromised users are admins. While online services such as Microsoft 365 are not susceptible to this attack because they do not support NTLM authentication, the Microsoft 365 Windows Outlook app is still vulnerable.
How easy is it to exploit?
User interaction is not necessary to trigger (even before message preview) it, nor does it require high privileges. CVE-2023-23397 is a zero-touch vulnerability that is triggered when the victim client is prompted and notified (e.g., when an appointment or task prompts five minutes before the designated time). It is difficult to block outbound SMB traffic for remote users. The attacker could use the same credentials to gain access to other resources. We elaborate on this example in our webinar (at 04:23 of the video).
Is it in the wild? What versions and operating systems (OS) are affected?
There have been reports of limited attacks abusing this gap. Microsoft has been coordinating with the affected victims to remediate this concern. All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook, such as Android, iOS, Mac, as well as Outlook on the web and other M365 services, are not affected.
What are the possible attack scenarios?
Figure 2. Beyond the exploit use scenario 1: Data and information theft via NTLM relay attack
1. Lateral movement, malicious navigation using the relayed NTLM hashes
Relay attacks gained notoriety as a use case for Mimikatz using the NTLM credential dumping routine via the sekurlsa module. In addition, pass-the-hat (PtH) (or pass-the hash) attacks and variations of data and information theft can be done. Once attackers are in the system, they can use the network for lateral movement and navigate the organization’s lines over SMB.
Figure 3. Beyond the exploit use scenario 2: WebDAV directory traversal for remote code execution (RCE)
2. WebDAV directory traversal for payload attacker routines
It’s possible for an attacker to leverage WebDAV services in cases where no valid SMB service for Outlook exists (i.e., is not configured) in the client. This is an alternative to the Web/HTTP service that can also be read as a UNC path by .msg and/or Outlook Calendar items. Attackers can set up a malicious WebDAV server to respond to affected victim clients with malicious pages. These pages may contain code that can range from leveraging a directory traversal technique similar to the Microsoft vulnerability CVE-2022-34713 (dubbed as DogWalk) to push any form of payload for remote code execution such as webshells.
What can I do to prevent and mitigate the risk of exploitation of CVE-2023-23397?
Here are some steps that security administrators can perform to reduce the risk of exploitation of CVE-2023-23397:
Apply the vendor patches immediately. Microsoft has released a patch as part of their March 2023 Monthly Security Update.
Block TCP 445/SMB outbound from your network. This will prevent the sending of NTLM authentication messages to remote file shares. If this cannot be done, we recommend monitoring outbound traffic over port 445 for unknown external IP addresses, then identifying and blocking them.
Customers can disable the WebClient service. Note that this will block all WebDAV connections, including intranet.
Add users to the Protected Users Security Group. This prevents the use of NTLM as an authentication mechanism, but note that this could impact applications that rely on NTLM in your environment.
Enforce SMB signing on clients and servers to prevent a relay attack.
Microsoft has provided a PowerShell script as a solution to the issue. The script is designed to scan emails, calendar entries, and task items, and to verify if they have the “PidLidReminderFileParameter” property. By running the script, administrators can locate problematic items that have this property and subsequently remove them or delete them permanently. Download the script here: https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md.
Which Trend Micro solutions can address this vulnerability?
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and Web Reputation Service) for Endpoint, Servers, Mail, and Gateway (e.g., Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security with anti-malware, etc.):
Starting with Trend Micro Smart Scan Pattern version 21474.296.07, known exploits associated with this vulnerability are being detected as Trojan.Win32.CVE202323397.
Trend Micro Vision One: Use this solution as an investigation tool. In the “Search App,” select “Endpoint Activity Data” and enter the following query: – dpt: 445 AND eventSubId: 204 AND processCmd: *OUTLOOK*. This can be saved and added to a watchlist if desired.
Cloud One Workload Security and Deep Security: IPS Rule 1009058, which will need to be changed to Prevent.
TippingPoint Filters:
28471 SMB: SMBv1 Successful Protocol Negotiation
28472 SMB: SMBv2 Successful Protocol Negotiation
Please note: Enabling these filters in Block mode will interrupt legitimate SMB traffic. Customers are advised to add exceptions for their Private IP address space.
If NTLM v1 is configured by default, customers can use this rule to monitor attempts for outgoing NTLM handshakes. Please note this rule only detects and does not block, so it is best used as an investigative tool for follow-up.
