Category: Windows 11

Cisco Talos shares insights related to recent cyber attack on Cisco

UPDATE HISTORY

DATEDESCRIPTION OF UPDATES
Aug. 10th 2022Adding clarifying details on activity involving active directory.
Aug. 10th 2022Update made to the Cisco Response and Recommendations section related to MFA.

 EXECUTIVE SUMMARY

  • On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate. 
  • During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized. 
  • The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user. 
  • CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc. 
  • After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment. 
  • The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful. 
  • We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators. 
  • For further information see the Cisco Response page here.

INITIAL VECTOR

Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account. After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing”) and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving. Vishing is an increasingly common social engineering technique whereby attackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user.  

Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to login to multiple systems, which alerted our Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident. The actor in question dropped a variety of tools, including remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms. 

POST-COMPROMISE TTPS

Following initial access to the environment, the threat actor conducted a variety of activities for the purposes of maintaining access, minimizing forensic artifacts, and increasing their level of access to systems within the environment. 

Once on a system, the threat actor began to enumerate the environment, using common built-in Windows utilities to identify the user and group membership configuration of the system, hostname, and identify the context of the user account under which they were operating. We periodically observed the attacker issuing commands containing typographical errors, indicating manual operator interaction was occurring within the environment. 

After establishing access to the VPN, the attacker then began to use the compromised user account to logon to a large number of systems before beginning to pivot further into the environment. They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.  

After obtaining access to the domain controllers, the attacker began attempting to dump NTDS from them using “ntdsutil.exe” consistent with the following syntax:

powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\users\public' q q 

They then worked to exfiltrate the dumped NTDS over SMB (TCP/445) from the domain controller to the VPN system under their control.

After obtaining access to credential databases, the attacker was observed leveraging machine accounts for privileged authentication and lateral movement across the environment. 

Consistent with activity we previously observed in other separate but similar attacks, the adversary created an administrative user called “z” on the system using the built-in Windows “net.exe” commands. This account was then added to the local Administrators group. We also observed instances where the threat actor changed the password of existing local user accounts to the same value shown below. Notably, we have observed the creation of the “z” account by this actor in previous engagements prior to the Russian invasion of Ukraine. 

C:\Windows\system32\net user z Lh199211* /add 
C:\Windows\system32\net localgroup administrators z /add

This account was then used in some cases to execute additional utilities, such as adfind or secretsdump, to attempt to enumerate the directory services environment and obtain additional credentials. Additionally, the threat actor was observed attempting to extract registry information, including the SAM database on compromised windows hosts.  

reg save hklm\system system 
reg save hklm\sam sam 
reg save HKLM\security sec

On some systems, the attacker was observed employing MiniDump from Mimikatz to dump LSASS. 

tasklist | findstr lsass 
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [LSASS_PID] C:\windows\temp\lsass.dmp full

The attacker also took steps to remove evidence of activities performed on compromised systems by deleting the previously created local Administrator account. They also used the “wevtutil.exe” utility to identify and clear event logs generated on the system. 

wevtutil.exe el 
wevtutil.exe cl [LOGNAME]

In many cases, we observed the attacker removing the previously created local administrator account.  

net user z /delete

To move files between systems within the environment, the threat actor often leveraged Remote Desktop Protocol (RDP) and Citrix. We observed them modifying the host-based firewall configurations to enable RDP access to systems. 

netsh advfirewall firewall set rule group=remote desktop new enable=Yes

We also observed the installation of additional remote access tools, such as TeamViewer and LogMeIn. 

C:\Windows\System32\msiexec.exe /i C:\Users\[USERNAME]\Pictures\LogMeIn.msi

The attacker frequently leveraged Windows logon bypass techniques to maintain the ability to access systems in the environment with elevated privileges. They frequently relied upon PSEXESVC.exe to remotely add the following Registry key values:  

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f

This enabled the attacker to leverage the accessibility features present on the Windows logon screen to spawn a SYSTEM level command prompt, granting them complete control of the systems. In several cases, we observed the attacker adding these keys but not further interacting with the system, possibly as a persistence mechanism to be used later as their primary privileged access is revoked.  

Throughout the attack, we observed attempts to exfiltrate information from the environment. We confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account and employee authentication data from active directory. The Box data obtained by the adversary in this case was not sensitive.  

In the weeks following the eviction of the attacker from the environment, we observed continuous attempts to re-establish access. In most cases, the attacker was observed targeting weak password rotation hygiene following mandated employee password resets. They primarily targeted users who they believed would have made single character changes to their previous passwords, attempting to leverage these credentials to authenticate and regain access to the Cisco VPN. The attacker was initially leveraging traffic anonymization services like Tor; however, after experiencing limited success, they switched to attempting to establish new VPN sessions from residential IP space using accounts previously compromised during the initial stages of the attack. We also observed the registration of several additional domains referencing the organization while responding to the attack and took action on them before they could be used for malicious purposes. 

After being successfully removed from the environment, the adversary also repeatedly attempted to establish email communications with executive members of the organization but did not make any specific threats or extortion demands. In one email, they included a screenshot showing the directory listing of the Box data that was previously exfiltrated as described earlier. Below is a screenshot of one of the received emails. The adversary redacted the directory listing screenshot prior to sending the email.

BACKDOOR ANALYSIS

The actor dropped a series of payloads onto systems, which we continue to analyze. The first payload is a simple backdoor that takes commands from a command and control (C2) server and executes them on the end system via the Windows Command Processor. The commands are sent in JSON blobs and are standard for a backdoor. There is a “DELETE_SELF” command that removes the backdoor from the system completely. Another, more interesting, command, “WIPE”, instructs the backdoor to remove the last executed command from memory, likely with the intent of negatively impacting forensic analysis on any impacted hosts. 

Commands are retrieved by making HTTP GET requests to the C2 server using the following structure: 

/bot/cmd.php?botid=%.8x

The malware also communicates with the C2 server via HTTP GET requests that feature the following structure: 

/bot/gate.php?botid=%.8x

Following the initial request from the infected system, the C2 server responds with a SHA256 hash. We observed additional requests made every 10 seconds.  

The aforementioned HTTP requests are sent using the following user-agent string: 

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.36 Trailer/95.3.1132.33

The malware also creates a file called “bdata.ini” in the malware’s current working directory that contains a value derived from the volume serial number present on the infected system. In instances where this backdoor was executed, the malware was observed running from the following directory location:  

C:\users\public\win\cmd.exe

The attacker was frequently observed staging tooling in directory locations under the Public user profile on systems from which they were operating.  

Based upon analysis of C2 infrastructure associated with this backdoor, we assess that the C2 server was set up specifically for this attack. 

ATTACK ATTRIBUTION

Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$. IABs typically attempt to obtain privileged access to corporate network environments and then monetize that access by selling it to other threat actors who can then leverage it for a variety of purposes. We have also observed previous activity linking this threat actor to the Yanluowang ransomware gang, including the use of the Yanluowang data leak site for posting data stolen from compromised organizations. 

UNC2447 is a financially-motivated threat actor with a nexus to Russia that has been previously observed conducting ransomware attacks and leveraging a technique known as “double extortion,” in which data is exfiltrated prior to ransomware deployment in an attempt to coerce victims into paying ransom demands. Prior reporting indicates that UNC2447 has been observed operating  a variety of ransomware, including FIVEHANDS, HELLOKITTY, and more. 

Apart from UNC2447, some of the TTPs discovered during the course of our investigation match those of the Lapsus$. Lapsus$ is a threat actor group that is reported to have been responsible for several previous notable breaches of corporate environments. Several arrests of Lapsus$ members were reported earlier this year. Lapsus$ has been observed compromising corporate environments and attempting to exfiltrate sensitive information. 

While we did not observe ransomware deployment in this attack, the TTPs used were consistent with “pre-ransomware activity,” activity commonly observed leading up to the deployment of ransomware in victim environments. Many of the TTPs observed are consistent with activity observed by CTIR during previous engagements. Our analysis also suggests reuse of server-side infrastructure associated with these previous engagements as well. In previous engagements, we also did not observe deployment of ransomware in the victim environments. 

CISCO RESPONSE AND RECOMMENDATIONS

Cisco implemented a company-wide password reset immediately upon learning of the incident. CTIR previously observed similar TTPs in numerous investigations since 2021. Our findings and subsequent security protections resulting from those customer engagements helped us slow and contain the attacker’s progression. We created two ClamAV signatures, which are listed below.  

  • Win.Exploit.Kolobko-9950675-0  
  • Win.Backdoor.Kolobko-9950676-0 

Threat actors commonly use social engineering techniques to compromise targets, and despite the frequency of such attacks, organizations continue to face challenges mitigating those threats. User education is paramount in thwarting such attacks, including making sure employees know the legitimate ways that support personnel will contact users so that employees can identify fraudulent attempts to obtain sensitive information. 

Given the actor’s demonstrated proficiency in using a wide array of techniques to obtain initial access, user education is also a key part of countering MFA bypass techniques. Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious. 

For Duo it is beneficial to implement strong device verification by enforcing stricter controls around device status to limit or block enrollment and access from unmanaged or unknown devices. Additionally, leveraging risk detection to highlight events like a brand-new device being used from unrealistic location or attack patterns like logins brute force can help detect unauthorized access.

Prior to allowing VPN connections from remote endpoints, ensure that posture checking is configured to enforce a baseline set of security controls. This ensures that the connecting devices match  the security requirements present in the environment. This can also prevent rogue devices that have not been previously approved from connecting to the corporate network environment. 

Network segmentation is another important security control that organizations should employ, as it provides enhanced protection for high-value assets and also enables more effective detection and response capabilities in situations where an adversary is able to gain initial access into the environment.  

Centralized log collection can help minimize the lack of visibility that results when an attacker take active steps to remove logs from systems. Ensuring that the log data generated by endpoints is centrally collected and analyzed for anomalous or overtly malicious behavior can provide early indication when an attack is underway.  

In many cases, threat actors have been observed targeting the backup infrastructure in an attempt to further remove an organization’s ability to recover following an attack. Ensuring that backups are offline and periodically tested can help mitigate this risk and ensure an organization’s ability to effectively recover following an attack. 

Auditing of command line execution on endpoints can also provide increased visibility into actions being performed on systems in the environment and can be used to detect suspicious execution of built-in Windows utilities, which is commonly observed during intrusions where threat actors rely on benign applications or utilities already present in the environment for enumeration, privilege escalation, and lateral movement activities.  

MITRE ATT&CK MAPPING

All of the previously described TTPs that were observed in this attack are listed below based on the phase of the attack in which they occurred. 

Initial Access 

ATT&CK Technique : Phishing (T1566)

ATT&CK Technique : Valid Accounts (T1078)

Execution 

ATT&CK Technique : System Services: Service Execution (T1569.002)

Persistence 

ATT&CK Technique : Create Account: Local Account (T1136.001)

ATT&CK Technique : Account Manipulation: Device Registration (T1098.005)

Privilege Escalation 

ATT&CK Technique : Event Triggered Execution: Image File Execution Options Injection (T1546.012)

Defense Evasion 

ATT&CK Technique : Indicator Removal on Host (T1070)

ATT&CK Technique : Indicator Removal on Host: Clear Windows Event Logs (T1070.001)

ATT&CK Technique : Masquerading: Match Legitimate Name or Location (T1036.005)

ATT&CK Technique : Impair Defenses: Disable or Modify System Firewall (T1562.004)

ATT&CK Technique : Modify Registry (T1112)

Credential Access 

ATT&CK Technique : OS Credential Dumping: LSASS Memory (T1003.001)

ATT&CK Technique : OS Credential Dumping: Security Account Manager (T1003.002)

ATT&CK Technique : OS Credential Dumping: NTDS (T1003.003)

ATT&CK Technique : Multi-Factor Authentication Request Generation (T1621)

Lateral Movement 

ATT&CK Technique : Remote Services (T1021)

Discovery 

ATT&CK Technique : Query Registry (T1012)

Command and Control 

ATT&CK Technique : Application Layer Protocol: Web Protocols (T1071.001)

ATT&CK Technique : Remote Access Software (T1219)

ATT&CK Technique: Encrypted Channel: Asymmetric Cryptography (T1573.002)

ATT&CK Technique : Proxy: Multi-hop Proxy (T1090.003)

Exfiltration 

ATT&CK Technique : Exfiltration Over Alternative Protocol (T1048)

INDICATORS OF COMPROMISE

The following indicators of compromise were observed associated with this attack. 

Hashes (SHA256) 

184a2570d71eedc3c77b63fd9d2a066cd025d20ceef0f75d428c6f7e5c6965f3 

2fc5bf9edcfa19d48e235315e8f571638c99a1220be867e24f3965328fe94a03 

542c9da985633d027317e9a226ee70b4f0742dcbc59dfd2d4e59977bb870058d 

61176a5756c7b953bc31e5a53580d640629980a344aa5ff147a20fb7d770b610 

753952aed395ea845c52e3037f19738cfc9a415070515de277e1a1baeff20647 

8df89eef51cdf43b2a992ade6ad998b267ebb5e61305aeb765e4232e66eaf79a 

8e5733484982d0833abbd9c73a05a667ec2d9d005bbf517b1c8cd4b1daf57190 

99be6e7e31f0a1d7eebd1e45ac3b9398384c1f0fa594565137abb14dc28c8a7f 

bb62138d173de997b36e9b07c20b2ca13ea15e9e6cd75ea0e8162e0d3ded83b7 

eb3452c64970f805f1448b78cd3c05d851d758421896edd5dfbe68e08e783d18 

IP Addresses 

104.131.30[.]201 

108.191.224[.]47 

131.150.216[.]118 

134.209.88[.]140 

138.68.227[.]71 

139.177.192[.]145 

139.60.160[.]20 

139.60.161[.]99 

143.198.110[.]248 

143.198.131[.]210 

159.65.246[.]188 

161.35.137[.]163 

162.33.177[.]27 

162.33.178[.]244 

162.33.179[.]17 

165.227.219[.]211 

165.227.23[.]218 

165.232.154[.]73 

166.205.190[.]23 

167.99.160[.]91 

172.56.42[.]39 

172.58.220[.]52 

172.58.239[.]34 

174.205.239[.]164 

176.59.109[.]115 

178.128.171[.]206 

185.220.100[.]244 

185.220.101[.]10 

185.220.101[.]13 

185.220.101[.]15 

185.220.101[.]16 

185.220.101[.]2 

185.220.101[.]20 

185.220.101[.]34 

185.220.101[.]45 

185.220.101[.]6 

185.220.101[.]65 

185.220.101[.]73 

185.220.101[.]79 

185.220.102[.]242 

185.220.102[.]250 

192.241.133[.]130 

194.165.16[.]98 

195.149.87[.]136 

24.6.144[.]43 

45.145.67[.]170 

45.227.255[.]215 

45.32.141[.]138 

45.32.228[.]189 

45.32.228[.]190 

45.55.36[.]143 

45.61.136[.]207 

45.61.136[.]5 

45.61.136[.]83 

46.161.27[.]117 

5.165.200[.]7 

52.154.0[.]241 

64.227.0[.]177 

64.4.238[.]56 

65.188.102[.]43 

66.42.97[.]210 

67.171.114[.]251 

68.183.200[.]63 

68.46.232[.]60 

73.153.192[.]98 

74.119.194[.]203 

74.119.194[.]4 

76.22.236[.]142 

82.116.32[.]77 

87.251.67[.]41 

94.142.241[.]194 

Domains 

cisco-help[.]cf 

cisco-helpdesk[.]cf 

ciscovpn1[.]com 

ciscovpn2[.]com 

ciscovpn3[.]com 

devcisco[.]com 

devciscoprograms[.]com 

helpzonecisco[.]com 

kazaboldu[.]net 

mycisco[.]cf 

mycisco[.]gq 

mycisco-helpdesk[.]ml 

primecisco[.]com 

pwresetcisco[.]com 

Email Addresses 

costacancordia[@]protonmail[.]com 

POSTED BY NICK BIASINI AT 3:30 PM

Source :
https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html

Open Port Vulnerabilities List

Insufficiently protected open ports can put your IT environment at serious risk. Threat actors often seek to exploit open ports and their applications through spoofing, credential sniffing and other techniques. For example, in 2017, cybercriminals spread WannaCry ransomware by exploiting an SMB vulnerability on port 445. Other examples include the ongoing campaigns targeting Microsoft’s Remote Desktop Protocol (RDP) service running on port 3389.

Handpicked related content:

Read on to learn more about the security risks linked to ports, vulnerable ports that need your attention and ways to enhance the security of open ports.

A Refresher on Ports

Ports are logical constructs that identify a specific type of network service. Each port is linked to a specific protocol, program or service, and has a port number for identification purposes. For instance, secured Hypertext Transfer Protocol (HTTPS) messages always go to port 443 on the server side, while port 1194 is exclusively for OpenVPN.

The most common transport protocols that have port numbers are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is a connection-oriented protocol with built-in re-transmission and error recovery. UDP is a connectionless protocol that doesn’t recover or correct errors in messages; it’s faster  and has less network overhead traffic than TCP. Both TCP and UDP sit at the transport layer of the TCP/IP stack and use the IP protocol to address and route data on the internet. Software and services are designed to use TCP or UDP, depending on their requirements.

TCP and UDP ports are in one of these three states:

  • Open — The port responds to connection requests.
  • Closed — The port is unreachable, indicating that there is no corresponding service running.
  • Filtered — The firewall is monitoring traffic and blocking certain connection requests to the port.

Security Risks Linked to Ports

Numerous incidents have demonstrated that open ports are most vulnerable to attack when the services listening to them are unpatched or insufficiently protected or misconfigured, which can lead to compromised systems and networks. In these cases, threat actors can use open ports to perform various cyberattacks that exploit the lack of authentication mechanisms in the TCP and UDP protocols. One common example is spoofing, where a malicious actor impersonates a system or a service and sends malicious packets, often in combination with IP spoofing and man-in-the-middle-attacks. The campaign against RDP Pipe Plumbing is one of the latest to employ such a tactic. In addition, ports that have been opened on purpose (for instance, on a web server) can be attacked via that port using application-layer attacks such as SQL injection, cross-site request forgery and directory traversal.

Another common technique is the denial of service (DoS) attack, most frequently used in the form of distributed denial of service (DDoS), where attackers send massive numbers of connection requests from various machine to the service on the target in order to deplete its resources.

Vulnerable Ports that Need Your Attention

Any port can be targeted by threat actors, but some are more likely to fall prey to cyberattacks because they commonly have serious shortcomings, such as application vulnerabilities, lack of two-factor authentication and weak credentials.

Here are the most vulnerable ports regularly used in attacks:

Ports 20 and 21 (FTP)

Port 20 and (mainly) port 21 are File Transfer Protocol (FTP) ports that let users send and receive files from servers.

FTP is known for being outdated and insecure. As such, attackers frequently exploit it through:

  • Brute-forcing passwords
  • Anonymous authentication (it’s possible to log into the FTP port with “anonymous” as the username and password)
  • Cross-site scripting
  • Directory traversal attacks

Port 22 (SSH)

Port 22 is for Secure Shell (SSH). It’s a TCP port for ensuring secure access to servers. Hackers can exploit port 22 by using leaked SSH keys or brute-forcing credentials.

Port 23 (Telnet)

Port 23 is a TCP protocol that connects users to remote computers. For the most part, Telnet has been superseded by SSH, but it’s still used by some websites. Since it’s outdated and insecure, it’s vulnerable to many attacks, including credential brute-forcing, spoofing and credential sniffing.

Port 25 (SMTP)

Port 25 is a Simple Mail Transfer Protocol (SMTP) port for receiving and sending emails. Without proper configuration and protection, this TCP port is vulnerable to spoofing and spamming.

Port 53 (DNS)

Port 53 is for Domain Name System (DNS). It’s a UDP and TCP port for queries and transfers, respectively. This port is particularly vulnerable to DDoS attacks.

Ports 137 and 139 (NetBIOS over TCP) and 445 (SMB)

Server Message Block (SMB) uses port 445 directly and ports 137 and 139 indirectly. Cybercriminals can exploit these ports through:

  • Using the EternalBlue exploit, which takes advantage of SMBv1 vulnerabilities in older versions of Microsoft computers (hackers used EternalBlue on the SMB port to spread WannaCry ransomware in 2017)
  • Capturing NTLM hashes
  • Brute-forcing SMB login credentials

Ports 80, 443, 8080 and 8443 (HTTP and HTTPS)

HTTP and HTTPS are the hottest protocols on the internet, so they’re often targeted by attackers. They’re especially vulnerable to cross-site scripting, SQL injections, cross-site request forgeries and DDoS attacks.

Ports 1433,1434 and 3306 (Used by Databases)

These are the default ports for SQL Server and MySQL. They are used to distribute malware or are directly attacked in DDoS scenarios. Quite often, attackers probe these ports to find unprotected database with exploitable default configurations.

Port 3389 (Remote Desktop)

This port is used in conjunction with various vulnerabilities in remote desktop protocols and to probe for leaked or weak user authentication. Remote desktop vulnerabilities are currently the most-used attack type; one example is the BlueKeep vulnerability.

Tips for Strengthening the Security of Open Ports

Luckily, there are ways to enhance the security of open ports. We highly recommend the following six strategies:

1. Patch firewalls regularly.

Your firewall is the gatekeeper to all the other systems and services in your network. Patching keeps your firewalls up to date and repairs vulnerabilities and flaws in your firewall system that cybercriminals could use to gain full access to your systems and data.

2. Check ports regularly.

You should also regularly scan and check your ports. There are three  main ways to do this:

  • Command-line tools — If you have the time to scan and check ports manually, use command-line tools to spot and scan open ports. Examples include Netstat and Network Mapper, both of which can be installed on a wide range of operating systems, including Windows and Linux.
  • Port scanners — If you want faster results, consider using a port scanner. It’s a computer program that checks if ports are open, closed or filtered. The process is simple: The scanner transmits a network request to connect to a specific port and captures the response.
  • Vulnerability scanning tools — Solutions of this type can also be used to discover ports that are open or configured with default passwords.
  1. Track service configuration changes.

Many services on your network connect to various ports, so it is important to monitor the running states of installed services and continuously track changes to service configuration settings. Services can be vulnerable when they are unpatched or misconfigured.

Using Netwrix Change Tracker, you can harden your systems by tracking unauthorized changes and other suspicious activities. In particular, it provides the following functionality:

  • Actionable alerting about configuration changes
  • Automatic recording, analyzing, validating and verifying of every change
  • Real-time change monitoring
  • Constant application vulnerability monitoring

4. Use IDP and IPS tools.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can help you prevent attackers from exploiting your ports. They monitor your network, spot possible cybersecurity incidents, log information about them and report the incidents to security administrators. IPS complements your firewalls by identifying suspicious incoming traffic and logging and blocking the attack.

5. Use SSH Keys.

Another option is to use SSH keys. These access credentials are more secure than passwords because decrypting SSH is very difficult, if not impossible. There are two types of SSH keys:

  • Private or identity keys, which identify users and give them access
  • Public or authorized keys, which determine who can access your system

You can use public-key cryptographic algorithms and key generation tools to create SSH keys.

6. Conduct penetration tests and vulnerability assessments.

Consider conducting penetration tests and vulnerability assessments to protect your ports. Although both of these techniques are used to spot vulnerabilities in IT infrastructure, they are quite different. Vulnerability scans only identify and report vulnerabilities, while penetration tests exploit security gaps to determine how attackers can gain unauthorized access to your system.

FAQs

What is an open port vulnerability?

An open port vulnerability is a security gap caused by an open port. Without proper configuration and protection, attackers can use open ports to access your systems and data.

Which ports are most vulnerable?

Certain ports and their applications are more likely to be targeted because they often have weaker credentials and defenses. Common vulnerable ports include:

  • FTP (20, 21)
  • SSH (22)
  • Telnet (23)
  • SMTP (25)
  • DNS (53)
  • NetBIOS over TCP (137, 139)
  • SMB (445)
  • HTTP and HTTPS (80, 443, 8080, 8443)
  • Ports 1433, 1434 and 3306
  • Remote desktop (3389)

Is port 80 a security risk?

Port 80 isn’t inherently a security risk. However, if you leave it open and don’t have the proper configurations in place, attackers can easily use it to access your systems and data. Unlike port 443 (HTTPS), port 80 is unencrypted, making it easy for cybercriminals to access, leak and tamper with sensitive data.

Source :
https://blog.netwrix.com/2022/08/04/open-port-vulnerabilities-list/

Announcing Public Preview of Update management center

We are excited to announce the Public Preview of the Update management center (UMC), the next iteration of the Azure Automation Update Management solution. In addition to zero onboarding steps, and no dependency on Azure Automation and Log Analytics, you also get new capabilities such as flexible scheduling options and on-demand assessments that help you manage a patch workflow that is best suited for your needs. 

Ongoing management of operating system and application patches is critical in order to ensure your machines remain secure and meet compliance policies. With the increasing size of IT estates today, this could be a complex process. UMC eases this process of managing and automating patching of Windows and Linux Operating systems. It provides a consolidated view to centrally manage the process of patching on Azure virtual machines and devices in on-premises or other public clouds (via Azure Arc). It facilitates you to assess and install patches on a single VM or at scale. 

What’s new in the UMC? 

  • The “overview” tab offers a wide range of filters, charts and categories and provides a unified view of patching status of all Windows and Linux machines on Azure and Azure Arc-enabled servers. 
  • UMC leverages native functionality on Azure Compute and Azure Arc for Servers platform to provide a zero-step onboarding with no dependency on Log Analytics or Azure Automation, simplifying the user experience.  
  • UMC offers granular access control at individual resource level instead of that at Automation account and Log Analytics workspace level. It allows RBAC and roles based of ARM in Azure, enabling fine grained control on who can manage, assess and update a machine in Azure. 
  • The enhanced flexibility in UMC allows deployment of patches on a flexible schedule. UMC provides on-demand assessment and installation of patches, customizable scheduled patching, periodic assessment, and offers patching methods such as automatic VM guest patching in Azure, hotpatch or custom maintenance schedules and more. 

Getting Started 

You can find the Update management solution in the “updates” option on your Azure VMs or Azure Arc-enabled servers. 

thumbnail image 1 of blog post titled Announcing Public Preview of Update management center

You can also navigate to the Update management center using the search bar on the Azure portal. The overview tab for UMC enables you to view the patching compliance and status for all your Azure and Non-Azure machines. You can use the filters on top to drill down to a specific set of machines, view a breakdown of machines and their statuses based on multiple categories, and identify the machines that are non-compliant to quickly take corrective action. The “No updates data” status tells you the count of machines that have not been assessed in the past 7 days or do not have Periodic assessment setup. 

thumbnail image 2 of blog post titled Announcing Public Preview of Update management center

The machines tab shows the list of all VMs under a given subscription. You can access the features of UMC from the menu on the top. Broadly, “Check for updates” allows you to assess updates on-demand while “One-time update” allows to install patches on-demand. The Scheduled updates and Updates Settings options allow you to enable customised patching schedules. 

thumbnail image 3 of blog post titled Announcing Public Preview of Update management center

Overall, Update management center offers an easy to use one-stop location for all operating system and application patching scenarios for a single VM or VMs at scale. 

Overall, Update management center offers an easy to use one-stop location for all operating system and application patching scenarios for a single VM or VMs at scale. 

What’s next in UMC? 

  • Extend patch management to all Azure supported distros & OSes, and all Arc workloads such as Azure Arc-enabled private clouds. 
  • Provide additional controls for configuration of patching workflows and orchestration of patch schedules.  

Stay tuned for more announcements! 

Additional Resources 

Google Delays Blocking 3rd-Party Cookies in Chrome Browser Until 2024

Google on Wednesday said it’s once again delaying its plans to turn off third-party cookies in the Chrome web browser from late 2023 to the second half of 2024.

“The most consistent feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome,” Anthony Chavez, vice president of Privacy Sandbox, said.

In keeping this in mind, the internet and ad tech giant said it’s taking a “deliberate approach” and extending the testing window for its ongoing Privacy Sandbox initiatives prior to phasing out third-party cookies.

Cookies are pieces of data planted on a user’s computer or other device by the web browser as a website is accessed, with third-party cookies fueling much of the digital advertising ecosystem and its ability to track users across different sites to show targeted ads.

Privacy Sandbox is Google’s umbrella term for a set of technologies that aim to improve users’ privacy across the web and Android by limiting cross-site and cross-app tracking and offering improved, safer alternatives to serve interest-based ads.

CyberSecurity

While Google had originally planned to roll out the feature in early 2022, it revised the timeline in June 2021, pushing its proposal to transition from third-party cookies over a three-month period, starting in mid-2023 and ending in late 2023.

“It’s become clear that more time is needed across the ecosystem to get this right,” the company noted at the time.

3rd-Party Cookies in Chrome

The second extension comes as Google announced Topics API as a replacement for FLoC (short for Federated Learning of Cohorts) in January 2022, following it up with a developer preview of Privacy Sandbox for Android in May.

In February 2022, the U.K. Competition and Markets Authority (CMA) formally accepted commitments from Google over how it develops the technology, pointing out the need to flesh out Privacy Sandbox such that it promotes competition and supports publishers to raise revenue from ads while also safeguarding consumer privacy.

CyberSecurity

Under the new plan, Privacy Sandbox trials are expected to be expanded to users globally next month, with the number of users included in the tests ramped up throughout the rest of the year and into 2023.

Google also emphasized that users will be shown a prompt to manage their participation, adding it intends to make the APIs generally available by Q3 2023, with third-party cookie support tentatively dropped in H2 2024.

The CMA, for its part, acknowledged today that it’s aware of “alternative proposals being developed by third-parties,” and that it’s “working with the [Information Commissioner’s Office] to better understand their viability and likely impacts.”

Source :
https://thehackernews.com/2022/07/google-delays-blocking-3rd-party.html

LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload

A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.

According to a report published by SentinelOne last week, the incident occurred after obtaining initial access via the Log4Shell vulnerability against an unpatched VMware Horizon Server.

“Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike,” researchers Julio Dantas, James Haughom, and Julien Reisdorffer said.

CyberSecurity

LockBit 3.0 (aka LockBit Black), which comes with the tagline “Make Ransomware Great Again!,” is the next iteration of the prolific LockBit RaaS family that emerged in June 2022 to iron out critical weaknesses discovered in its predecessor.

It’s notable for instituting what’s the first-ever bug bounty for a RaaS program. Besides featuring a revamped leak site to name-and-shame non-compliant targets and publish extracted data, it also includes a new search tool to make it easier to find specific victim data.

LockBit Ransomware

The use of living-off-the-land (LotLtechniques by cyber intruders, wherein legitimate software and functions available in the system are used for post-exploitation, is not new and is usually seen as an attempt to evade detection by security software.

Earlier this April, a LockBit affiliate was found to have leveraged a VMware command-line utility called VMwareXferlogs.exe to drop Cobalt Strike. What’s different this time around is the use of MpCmdRun.exe to achieve the same goal.

MpCmdRun.exe is a command-line tool for carrying out various functions in Microsoft Defender Antivirus, including scanning for malicious software, collecting diagnostic data, and restoring the service to a previous version, among others.

CyberSecurity

In the incident analyzed by SentinelOne, the initial access was followed by downloading a Cobalt Strike payload from a remote server, which was subsequently decrypted and loaded using the Windows Defender utility.

“Tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for,” the researchers said.

“Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls.”

The findings come as initial access brokers (IABs) are actively selling access to company networks, including managed service providers (MSPs), to fellow threat actors for profit, in turn offering a way to compromise downstream customers.

In May 2022, cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. warned of attacks weaponizing vulnerable managed service providers (MSPs) as an “initial access vector to multiple victim networks, with globally cascading effects.”

“MSPs remain an attractive supply chain target for attackers, particularly IABs,” Huntress researcher Harlan Carvey said, urging companies to secure their networks and implement multi-factor authentication (MFA).

Source :
https://thehackernews.com/2022/08/lockbit-ransomware-abuses-windows.html

Microsoft starts blocking Office macros by default, once again

Microsoft announced today that it resumed the rollout of VBA macro auto-blocking in downloaded Office documents after temporarily rolling it back earlier this month following user feedback.

The change comes after the company improved its user and admin support documentation to make it easier to understand the available options when a macro is blocked.

“Based on our review of customer feedback, we’ve made updates to both our end user and our admin documentation to make clearer what options you have for different scenarios,” Microsoft explained in a new update in the Microsoft 365 message center.

“For example, what to do if your users have files on SharePoint or files on a network share.”

End users can find more information on the next steps after macros are blocked in a downloaded Office document on the A potentially dangerous macro has been blocked support page. IT admins can find dedicated documentation on the Macros from the Internet will be blocked by default in Office page.

“If you ever enabled or disabled the Block macros from running in Office files from the Internet policy, your organization will not be affected by this change,” Microsoft added.

Microsoft Office users who want automatic Office macro auto-blocking enabled and don’t want to wait for the rollout to reach their systems can read our easy-to-follow tutorial on how to auto-block macros in Microsoft Office docs from the Internet using group policies.

Mockup of new Office macros security alert
Mockup of new Office macros security alert (BleepingComputer)

Rolled back due to negative user feedback

This announcement comes after Redmond backtracked on a decision made earlier this year to make it harder to enable Office VBA macros in docs downloaded from the Internet in several Microsoft Office apps (Access, Excel, PowerPoint, Visio, and Word) for customers in the Current Channel (Preview).

The new feature meant that a popular distribution method for malware would effectively be killed since VBA macros embedded in malicious Office documents have been, for a very long time, one of the easiest methods for threat actors to push various malware families in phishing attacks.

The company announced in February 2022 that Microsoft Office would automatically block VBA macros in all downloaded documents after a rollout stage between April and June.

However, as BleepingComputer first reported in early July, soon after the new feature went live for customers last month, Microsoft suddenly and without any real explanation said that this change would be rolled back.

While Microsoft revealed alerted admins in an M365 message center update, it didn’t make a public announcement and updated the original notification several days later to say it was just a temporary rollback.

Redmond pinned this rollback on negative user feedback. Although Microsoft didn’t share more info, users have reported they didn’t know how to re-enable macros after they were automatically blocked because they couldn’t find the Unblock button. In contrast, others found it burdensome to unblock each downloaded Office document multiple times daily.

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-blocking-office-macros-by-default-once-again/

Microsoft Teams outage also takes down Microsoft 365 services

What initially started like a minor Microsoft Teams outage has also taken down multiple Microsoft 365 services with Teams integration, including Exchange Online, Windows 365, and Office Online.

“We’ve received reports of users being unable to access Microsoft Teams or leverage any features,” the company revealed on its official Microsoft 365 Status Twitter account more than 8 hours ago.

Two hours later, Redmond said the issue causing the connection problems was a recent deployment that featured a broken connection to an internal storage service.

However, Teams was not the only product impacted by the outage since users also began reporting failures to connect to various Microsoft 365 services.

Microsoft confirmed the issues saying that the subsequent Microsoft 365 outage only affected services that came with Teams integration.

“We’ve identified downstream impact to multiple Microsoft 365 services with Teams integration, such as Microsoft Word, Office Online and SharePoint Online,” Microsoft explained.

Microsoft Teams outage tweet

As the company further detailed on its Microsoft 365 Service health status page, affected customers experienced issues with one or more of the following services:

  • Microsoft Teams (Access, chat, and meetings)
  • Exchange Online (Delays sending mail)
  • Microsoft 365 Admin center (Inability to access)
  • Microsoft Word within multiple services (Inability to load)
  • Microsoft Forms (Inability to use via Teams)
  • Microsoft Graph API (Any service relying on this API may be affected)
  • Office Online (Microsoft Word access issues)
  • SharePoint Online (Microsoft Word access issues)
  • Project Online (Inability to access)
  • PowerPlatform and PowerAutomate (Inability to create an environment with a database)
  • Autopatches within Microsoft Managed Desktop
  • Yammer (Impact to Yammer experiments)
  • Windows 365 (Unable to provision Cloud PCs)

After redirecting traffic to a healthy service to mitigate the impact, Redmond said its telemetry indicates that Microsoft Teams functionality started to recover.

“Service availability has mostly recovered with only a few service features still requiring attention,” Microsoft added on the service health status page and on Twitter two hours ago, at 4 AM EST.

“We’ll continue to monitor the service as new regions enter business hours to ensure the service health does not fluctuate while the remaining actions are completed.”

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-outage-also-takes-down-microsoft-365-services/

Windows 11 now blocks RDP brute-force attacks by default

Recent Windows 11 builds come with the Account Lockout Policy policy enabled by default which will automatically lock user accounts (including Administrator accounts) after 10 failed sign-in attempts for 10 minutes.

The account brute forcing process commonly requires guessing the passwords using automated tools. This tactic is now blocked by default on the latest Windows 11 builds (Insider Preview 22528.1000 and newer) after failing to enter the correct password 10 times in a row.

“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors,” David Weston, Microsoft’s VP for Enterprise and OS Security, tweeted Thursday.

“This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome!”

As Weston also said, brute forcing credentials is a popular tactic among threat actors to breach Windows systems via Remote Desktop Protocol (RDP) when they don’t know the account passwords.

The use of Windows Remote Desktop Services to breach enterprise networks is so prevalent among cybercriminals that the FBI said RDP is responsible for roughly 70-80% of all network breaches leading to ransomware attacks.

Windows 11 Account Lockout Policy
Windows 11 Account Lockout Policy (David Weston)

Slowly blocking the most popular attack vectors

Coupled with other security-focused changes Microsoft has recently announced, including auto-blocking Office macros in downloaded documents and enforcing multi-factor authentication (MFA) in Azure AD, the company is slowly closing all entry vectors used by ransomware operators to breach Windows networks and systems.

The Account Lockout Policy is also available on Windows 10 systems. However, unfortunately, it’s not enabled by default, allowing attackers to brute force their way into Windows systems with exposed Remote Desktop Protocol (RDP) services.

Admins can configure this policy on Windows 10 in the Group Policy Management Console from Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

This is a crucial security improvement since many RDP servers, especially those used to help teleworkers access corporate assets, are directly exposed to the Internet, exposing the organizations’ network to attacks when poorly configured.

To put things in perspective, attacks targeting RDP services have seen a sharp increase since at least mid-late 2016, starting with the rise in popularity of dark web marketplaces that sell RDP access to compromised networks, per an FBI IC3 report from 2018.

One notable mention is UAS, the largest hacker marketplace for stolen RDP credentials at one point, which leaked login names and passwords for 1.3 million current and historically compromised Windows Remote Desktop servers.

Source :
https://www.bleepingcomputer.com/news/microsoft/windows-11-now-blocks-rdp-brute-force-attacks-by-default/

How to set up proxy server on Windows 11

On Windows 11, you can set up a proxy server quite easily. A proxy server is a service that works as a man-in-the-middle between the computer and the internet. When using this feature, the requests you make to websites and other services will be handled by the proxy instead.

Usually, you’d see a proxy configuration in organizations and schools, but anyone can set up a proxy server because of its benefits. Using a proxy helps save data usage and reduce bandwidth use because web requests are cached in the server and then served again when the user requests the same content.

It can increase your privacy by hiding the IP address of the client making an internet request. It can improve security by blocking malicious traffic and logging users’ activities. It can also block sites, by using rules, a company can stop users from accessing social networks and other websites, and much more.

In this guide, you will learn three ways to set up a proxy server on your Windows 11 device without the need for third-party tools. (Just to be clear, in this guide, we’re setting proxy settings to connect to a server, not to set up the actual proxy server.)

Configure proxy server on Windows 11

The following instructions will apply to Ethernet and Wi-Fi network connections, but these settings won’t work during a VPN session.

To enable automatic configuration for proxy server on Windows 11, use these steps:

  1. Open Settings on Windows 11.
  2. Click on Network & Internet.
  3. Click the Proxy tab.
  4. Turn on the Automatically detect settings toggle switch to set up a proxy server on Windows 11.Enable automatic proxy detection

Once you complete the steps, Windows 11 will automatically detect the settings using the Web Proxy Auto-Discovery Protocol (WPAD). Organizations and schools typically use this option to automatically configure or change the proxy settings to computers connected to their networks.

If you do not want the computer to detect settings automatically, or you are trying to set up a proxy server manually, you need to turn off the Automatically detect settings toggle switch.

Configure proxy through script on Windows 11

It is also possible to configure a proxy server automatically using the setup script option on Windows 11.

To configure a proxy server using a script, use these steps:

  1. Open Settings.
  2. Click on Network & Internet.
  3. Click the Proxy tab.
  4. Under the “Automatic proxy setup” section, click the “Set up” button for the “Use setup script” setting.Windows 11 use setup script
  5. Turn on the Use setup script toggle switch.
  6. Confirm the address of the script (or .pac file).Proxy script address
  7. Click the Save button.

After you complete the steps, Windows 11 will load the proxy configuration from the specified file.

Configure automatic proxy with manual configuration on Windows 11

To set up proxy server settings manually on Windows 11, use these steps:

  1. Open Settings.
  2. Click on Network & Internet.
  3. Click the Proxy tab.
  4. Under the “Manual proxy setup” section, click the “Set up” button for the “Use a proxy server” setting.Windows 11 setup proxy server manually
  5. Turn on the “Use a proxy server” toggle switch.
  6. In the “Proxy IP address” setting, confirm the address that connects to the proxy server.Proxy manual configuration
  7. In the “Port” setting, confirm the port number required for the proxy to work.
  8. Check the “Don’t use the proxy server for local (intranet) addresses” option.
  9. (Optional) Confirm the addresses that will bypass the proxy in the available section.Quick note: You need to specify these addresses using a semicolon (;) to separate each entry. You can use an asterisk as a wildcard if you have multiple addresses from the same domain. For example, *.website.com will match all the addresses in the asterisk part, including forums.website.comdocs.website.com, etc.
  10. Click the Save button.

Once you complete the steps, the proxy will be configured and the network traffic will automatically pass through the proxy server. However, it is also possible to specify a list of addresses that will not use the proxy.

Source :
https://pureinfotech.com/setup-proxy-server-windows-11/

Install updates manually on Windows 11 in six different ways

On Windows 11, a cumulative update (or quality update) is a service patch that Microsoft rolls out proactively to fix bugs, enhance security, and improve system performance. Although updates download automatically through Windows Update, sometimes it may still be necessary to install a specific patch manually.

For instance, after a new installation of Windows 11 or if the computer hasn’t been connected to the internet for some time. If Windows Update isn’t working, it might be necessary to install an update manually to fix the problem. A specific driver needs an update, or you want to upgrade to a newer version of Windows.

Regardless of the reason, Windows 11 has at least four ways to update the system using the Windows Update settings, manual download, Command Prompt, and PowerShell.

Microsoft offers three main types of updates (quality, optional, and feature updates). “Quality updates” are available every month with security and non-security fixes, improvements, and features (occasionally). “Optional updates” are not critical but necessary, and they include drivers and product updates. Finally, “feature updates” are meant to upgrade the device to a newer version (for example, Windows 11 22H2).

In this guide, you will learn six ways to install updates on Windows 11.

Install updates on Windows 11 with Windows Update

To install Windows 11 updates manually with Windows Update, use these steps:

  1. Open Settings on Windows 11.
  2. Click on Windows Update.
  3. Click the Check for updates button.Windows 11 check and install updates
  4. (Optional) Click the Download and install option to apply a preview of an upcoming update of Windows 11.Quick note: Optional updates usually include non-security changes that Microsoft plans to release in the next Patch Tuesday rollout.
  5. Click the Restart now button.

Once you complete the steps, if an update is available, it will download and install automatically on Windows 11.

Install updates on Windows 11 with Microsoft Update Catalog

To download and install an update manually on Windows 11, use these steps:

  1. Open Microsoft Update Catalog website.
  2. Search for the knowledge base number of the update – for example, KB5015814.Quick tip: If you do not know the latest update reference number, you can check the update history tracker.
  3. Click the Download button for the update to install on Windows 11.Microsoft Update Catalog downloadQuick note: The page usually lists two versions, including ARM64 and x64. Unless you have an ARM-based device, you need to download the x64 version of the cumulative update.
  4. Click the link to download the .msu package to your computer.
  5. Click the Close button.
  6. Double-click the .msu file to launch the installer.
  7. Click the Yes button to install the update on Windows 11.
  8. Click the Restart now button.

After you complete the steps, the cumulative update will apply to Windows 11.

Install updates on Windows 11 with Command Prompt

Windows 11 doesn’t have a Command Prompt tool to check and download updates. However, you can use commands to install update packages manually.

To install Windows 11 updates with Command Prompt, use these steps:

  1. Open Microsoft Update Catalog website.
  2. Search for the knowledge base number of the update – for example, KB5015814.
  3. Click the Download button for the cumulative update you want to install.Microsoft Update Catalog download
  4. Click the link to download the .msu package.
  5. Click the Close button.
  6. Open Start.
  7. Search for Command Prompt, right-click the top result, and select the Run as administrator option.
  8. Type the following command to install a new update on Windows 11 and press Enter:wusa c:\PATH\TO\UPDATE.msu /quiet /norestartIn the command, update the path with the location and name of the .msu update package. This example installs the KB5015814 update:wusa c:\Users\USERACCOUNT\Downloads\windows10.0-kb5015814-x64.msu /quiet /norestartCommand Prompt install Windows 11 update
  9. Type the following command to confirm the update was installed correctly and press Enter:wmic qfe list brief /format:table
  10. Type the following command to restart the device and press Enter:shutdown /r /t 00

After you complete the steps, the quality update will install quietly, and the computer will restart to finish applying the changes on Windows 11.

Install updates on Windows 11 with PowerShell

Alternatively, you can also install a PowerShell module to download and install updates on Windows 11.

To install Windows 11 updates with PowerShell, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to install the PowerShell module to update Windows 11 and press Enter:Install-Module PSWindowsUpdatePowerShell install PSWindowUpdate
  4. Type Y to accept and press Enter.
  5. Type A to accept and install the module and press Enter.
  6. Type the following command to allow scripts to run on PowerShell and press Enter:Set-ExecutionPolicy RemoteSigned
  7. Type the following command to import the installed module and press Enter:Import-Module PSWindowsUpdatePowerShell import module
  8. Type the following command to check for Windows 11 updates with PowerShell and press Enter:Get-WindowsUpdate
  9. Type the following command to select, download, and install a specific update and press Enter:Install-WindowsUpdate -KBArticleID KBNUMBERIn the command, make sure to replace KBNUMBER with the update number you want to install. This example downloads and applies the KB5015814 update for Microsoft Defender:Install-WindowsUpdate -KBArticleID KB5015814 PowerShell install Windows 11 updates
  10. Type A to confirm the installation and press Enter.
  11. (Optional) Type the following command to download and install all available updates and press Enter:Install-WindowsUpdateQuick note: When using this command, you will be applying system updates as well as optional updates that may include driver updates.
  12. Type A to confirm the installation and press Enter.
  13. Type Y to confirm the restart and press Enter (if applicable).
  14. (Optional) Type the following command to view a list of previously installed updates and press Enter:Get-WUHistory

Once you complete the steps, the Windows 11 updates will download and install on your device.

Install optional updates on Windows 11

On Windows 11, optional updates are not critical, but they may be necessary for other functionalities. Typically, these updates are available for Microsoft and other products, feature updates, and third-party drivers (such as printers, cameras, network adapters, graphics cards, and Bluetooth peripherals).

To install optional updates on Windows 11, use these steps:

  1. Open Settings.
  2. Click on Windows Update.
  3. Click the Advanced options tab.
  4. Under the “Additional options” section, click the Optional updates setting.Optional updates
  5. Click the category to see the optional updates – for example, Driver updates.
  6. Check the optional updates to install on Windows 11.Windows 11 install optional updates
  7. Click the Download and install button.

After you complete the steps, Windows Update will install the packages on your computer.

Install feature updates on Windows 11

Feature updates refer to new versions of Windows 11 that bring new changes and features. These updates are optional, and you must install them manually unless the current release of Windows 11 is reaching the end of service, in which case the feature update will install automatically.

To install a feature update on Windows 11, use these steps:

  1. Open Settings.
  2. Click on Windows Update.
  3. Click on Check for updates button (if applicable).
  4. Click the Download and Install now button.Windows 11 install feature update
  5. Click the Restart now button.

In addition to Windows Update, you can also install feature updates using the Installation Assistant or the official ISO file to perform an in-place upgrade.

Source :
https://pureinfotech.com/install-updates-manually-windows-11/

Exit mobile version